Details

Reviewers

kp
philip

Group Reviewers

manpages
network

Commits

rG08f47db5d580: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning
rG882cbdeb21dc: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning
rGf961caf2184c: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning

Summary

The ng_bridge(4) node is designed to work in moderately small environments. Connecting such a node to a larger network rapidly fills the MAC table for no reason. It even become complicated to obtain data from the gettable message, because the result is too large to transmit.

This patch introduces, two new functionality bits on the hooks:

Allow or disallow MAC address learning for incoming patckets.
Allow or disallow sending unknown MACs through this hook.

Uplinks are characterized by denied learing while sending out unknowns.
Normal links are charaterized by allowed learning and sending out unknowns.

In a later patch the node will have a "private" mode, where normal links do not sent out unknowns. This mode will be extended to more "intelligent" filtering, so that ARP or ND will only be passed to the correct link, not distributed to all others.

A further step is to implement ICMP sniffing and controlling multicast distribution.

Test Plan

First create a bridge between host and outside world and attach a sniffer node.

# ngctl
+ mkpeer bridge b link99
+ connect bge0: b upper link0
+ connect bge0: b lower uplink1
+ mkpeer b eiface link1 ether
# tcpdump -nei ngeth1

Observe the traffic for a while, then query the MAC table:

# ngctl msg: bge0.upper gettable

For an unpatched node, you will see either a large table, a binary dump, or an error indicating insufficent socket space.

For a patched node, you will see your own host mac only.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

donner created this revision.Mar 4 2020, 9:18 PM

Herald added a reviewer: manpages. · View Herald TranscriptMar 4 2020, 9:18 PM

Herald added subscribers: Contributor Reviews (src), melifaro, imp. · View Herald Transcript

Harbormaster completed remote builds in B29789: Diff 69184.Mar 4 2020, 9:18 PM

donner added a reviewer: network.Mar 4 2020, 9:20 PM

afedorov added a subscriber: afedorov.Mar 5 2020, 11:12 AM

Is it really useful to have multiple uplinks?

In D23963#526951, @aleksandr.fedorov_itglobal.com wrote:

Is it really useful to have multiple uplinks?

That's a very good question.

IMHO alternative solutions are:

A single "uplink" hook, which is almost the same code complexity, while losing the fexibility
A new API command to alter the flags of each hook individually (which is a mid term change)

I choosed "uplinkX" to provide a simple as well as atomic way to create new hooks into a already busy bridge.

What's your idea?

I look at this issue from network virtualization point of view.
I have a plan (and patches) for adding native Netgraph support to the Bhyve network backend through ng_socket(4).
For this case, it is very interesting to be able to create ng_bridge(4) with the following options:

One "uplink" hook with learning turned off, but all unknown MAC's go through it.
The rest of the hooks have learning enabled, but unknown MAC's are not sent to them.

We use a similar algorithm with vale (4) + bhyve.

I want to create such networks:

[Bhyve vm's or Jail's] --- links[1...N](learnMac = 1, sendUnknown = 0) --- ng_bridge(4) --- link0 (learnMac = 0, sendUnknown = 1) ---- ng_ether(4)

Therefore, I think the second option is better:

Add flags for each hook: learnMac, sendUnknown (you've already done this).
Add new messages NGM_BRIDGE_ (GET | SET) _FLAGS.
If desired, add default flags for each bridge that initialized the new linkX hook and related messages.

afedorov added inline comments.Mar 19 2020, 3:33 PM

sys/netgraph/ng_bridge.c
94	Maybe better to use unsigned values.
342	To match the style: *prefix

You can check the man page using textproc/igor and "mandoc -Tlint".

share/man/man4/ng_bridge.4
101	You need to make a line break after a sentence stop.

dab added a subscriber: dab.Apr 29 2020, 12:43 PM

dab added inline comments.

share/man/man4/ng_bridge.4
100	s/does no/does not/
101	I don't think it is common usage to start a sentence with "i.e.", nor is it common usage to capitalize such an abbreviation. Such an abbreviation is usually followed by a comma. Suggest: the internal address table small; i.e., it's desirable to connect That would also address the newline after full stop issue. :-)
107	s/send out/sent out/
187	s/quering/querying/

danfe added a subscriber: danfe.Apr 29 2020, 2:29 PM

danfe added inline comments.

share/man/man4/ng_bridge.4
101	Apart from the above (line break, comma after i.e.), contraction should be expanded: it's -> it is.

Fix various man page issues.

Harbormaster completed remote builds in B30793: Diff 71153.Apr 29 2020, 3:02 PM

donner marked 6 inline comments as done.Apr 29 2020, 3:03 PM

Fix issues in the code, i.e. bitfields are unsigned, spacing style, braces style.

Harbormaster completed remote builds in B30795: Diff 71154.Apr 29 2020, 3:06 PM

donner marked 2 inline comments as done.Apr 29 2020, 3:07 PM

Rebase to r366170.

Harbormaster completed remote builds in B33824: Diff 77543.Sep 25 2020, 7:26 PM

Converted local repository from subversion to git

Added:

Determine the ng_bridge forwarding mode from the order of hooks
Update manual page for modified default behaviour

I do have massive problems with "unknown" MACs, i.e. packets send to
the uplink hook. The default behaviour of the bridge is to replicate
all those frames to all hooks, which cause cognestion on downlink
interfaces. So the change is obvious.

In order to keep the default behaviour for existing setups, and keep
the API unchanged, the trigger is simple: If the first attached hook
is a new "uplink" hook, the new behaviour is enabled.

Separate API calls to obtain and modify the per hook settings will
come later.

Harbormaster completed remote builds in B36026: Diff 81875.Jan 8 2021, 12:06 PM

donner mentioned this in D28123: netgraph/ng_bridge: become multithreaded.Jan 14 2021, 6:40 AM

Remove the functional extension from this review. It will come as a
separate stacked one to ease reviewing.

This code has been running in production since more than a year.

Harbormaster completed remote builds in B36716: Diff 83387.Feb 5 2021, 7:33 AM

donner added reviewers: kp, philip.Feb 5 2021, 7:34 AM

donner mentioned this in D28487: netgraph/ng_bridge: Derive forwarding mode from first attached hook.Feb 5 2021, 8:07 AM

donner added a child revision: D28487: netgraph/ng_bridge: Derive forwarding mode from first attached hook.Feb 5 2021, 8:08 AM

afedorov added inline comments.Feb 5 2021, 10:49 AM

sys/netgraph/ng_bridge.c
541	Is this debug output really needed?

Remove debug output

Harbormaster completed remote builds in B36718: Diff 83392.Feb 5 2021, 11:25 AM

donner marked an inline comment as done.Feb 5 2021, 11:25 AM

Approved by: kp (mentor)

sys/netgraph/ng_bridge.c
383	This check is redundant. malloc(M_WAITOK) never fails. It may wait forever, but will never return NULL. This was already redundant before this patch, so we can address this later.

This revision is now accepted and ready to land.Feb 5 2021, 2:03 PM

yuripv added a subscriber: yuripv.Feb 5 2021, 2:51 PM

yuripv added inline comments.

share/man/man4/ng_bridge.4
160–161	just a note as `.Dv` seems to be misused throughout this entire man page -- `.Dv` does not seem to be the correct choice for `struct ng_bridge_link_stats`, use `.Vt`? and for `link`, may be `.Va`?
sys/netgraph/ng_bridge.c
454–455	no space between `*` and variable names.
455	const?
533	might be more readable with braces around multiline statements

Incooperate suggestions.

This revision now requires review to proceed.Feb 5 2021, 8:39 PM

donner added inline comments.Feb 5 2021, 8:39 PM

sys/netgraph/ng_bridge.c
383	Adding a link to a busy bridge should not be stall the bridge function, so I'd prefer to fail.
455	good point
533	This would violate style(9) ... at least a bit.

Harbormaster completed remote builds in B36745: Diff 83444.Feb 5 2021, 8:40 PM

donner marked an inline comment as done.Feb 5 2021, 8:40 PM

donner added inline comments.

share/man/man4/ng_bridge.4
160–161	I'd like to keep it consistent for the moment and fix this issue in a separate review.

donner added a child revision: D28510: ng_bridge.4: Use more suitable manual macros.Feb 5 2021, 9:27 PM

This revision was not accepted when it landed; it landed in state Needs Review.Feb 6 2021, 10:12 AM

Closed by commit rGf961caf2184c: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning (authored by donner). · Explain Why

This revision was automatically updated to reflect the committed changes.

donner marked an inline comment as done.

donner added a commit: rGf961caf2184c: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning.

donner added a commit: rG882cbdeb21dc: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning.Feb 22 2021, 8:38 AM

donner added a commit: rG08f47db5d580: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning.Feb 25 2021, 8:15 AM

netgraph/ng_bridge: Introduce "uplink" ports without MAC learning
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 83448

share/man/man4/ng_bridge.4

sys/netgraph/ng_bridge.h

sys/netgraph/ng_bridge.c

netgraph/ng_bridge: Introduce "uplink" ports without MAC learningClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 83448

share/man/man4/ng_bridge.4

sys/netgraph/ng_bridge.h

sys/netgraph/ng_bridge.c

netgraph/ng_bridge: Introduce "uplink" ports without MAC learning
ClosedPublic
Actions

Revision Contents
Changeset List