From: Felix Fietkau <nbd@nbd.name> Subject: [PATCH] bridge: port isolate Isolating individual bridge ports --- --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -172,6 +172,7 @@ struct net_bridge_port #define BR_FLOOD 0x00000040 #define BR_AUTO_MASK (BR_FLOOD | BR_LEARNING) #define BR_PROMISC 0x00000080 +#define BR_ISOLATE_MODE 0x00000100 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING struct bridge_mcast_own_query ip4_own_query; --- a/net/bridge/br_sysfs_if.c +++ b/net/bridge/br_sysfs_if.c @@ -171,6 +171,22 @@ BRPORT_ATTR_FLAG(root_block, BR_ROOT_BLO BRPORT_ATTR_FLAG(learning, BR_LEARNING); BRPORT_ATTR_FLAG(unicast_flood, BR_FLOOD); +static ssize_t show_isolate_mode(struct net_bridge_port *p, char *buf) +{ + int isolate_mode = (p->flags & BR_ISOLATE_MODE) ? 1 : 0; + return sprintf(buf, "%d\n", isolate_mode); +} +static ssize_t store_isolate_mode(struct net_bridge_port *p, unsigned long v) +{ + if (v) + p->flags |= BR_ISOLATE_MODE; + else + p->flags &= ~BR_ISOLATE_MODE; + return 0; +} +static BRPORT_ATTR(isolate_mode, S_IRUGO | S_IWUSR, + show_isolate_mode, store_isolate_mode); + #ifdef CONFIG_BRIDGE_IGMP_SNOOPING static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf) { @@ -213,6 +229,7 @@ static const struct brport_attribute *br &brport_attr_multicast_router, &brport_attr_multicast_fast_leave, #endif + &brport_attr_isolate_mode, NULL }; --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -120,8 +120,8 @@ int br_handle_frame_finish(struct sk_buf unicast = false; br->dev->stats.multicast++; - } else if ((dst = __br_fdb_get(br, dest, vid)) && - dst->is_local) { + } else if ((p->flags & BR_ISOLATE_MODE) || + ((dst = __br_fdb_get(br, dest, vid)) && dst->is_local)) { skb2 = skb; /* Do not forward the packet since it's local. */ skb = NULL; --- a/net/bridge/br_forward.c +++ b/net/bridge/br_forward.c @@ -117,7 +117,7 @@ EXPORT_SYMBOL_GPL(br_deliver); /* called with rcu_read_lock */ void br_forward(const struct net_bridge_port *to, struct sk_buff *skb, struct sk_buff *skb0) { - if (should_deliver(to, skb)) { + if (should_deliver(to, skb) && !(to->flags & BR_ISOLATE_MODE)) { if (skb0) deliver_clone(to, skb, __br_forward); else @@ -173,7 +173,7 @@ static void br_flood(struct net_bridge * struct sk_buff *skb0, void (*__packet_hook)(const struct net_bridge_port *p, struct sk_buff *skb), - bool unicast) + bool unicast, bool forward) { struct net_bridge_port *p; struct net_bridge_port *prev; @@ -181,6 +181,8 @@ static void br_flood(struct net_bridge * prev = NULL; list_for_each_entry_rcu(p, &br->port_list, list) { + if (forward && (p->flags & BR_ISOLATE_MODE)) + continue; /* Do not flood unicast traffic to ports that turn it off */ if (unicast && !(p->flags & BR_FLOOD)) continue; @@ -207,14 +209,14 @@ out: /* called with rcu_read_lock */ void br_flood_deliver(struct net_bridge *br, struct sk_buff *skb, bool unicast) { - br_flood(br, skb, NULL, __br_deliver, unicast); + br_flood(br, skb, NULL, __br_deliver, unicast, false); } /* called under bridge lock */ void br_flood_forward(struct net_bridge *br, struct sk_buff *skb, struct sk_buff *skb2, bool unicast) { - br_flood(br, skb, skb2, __br_forward, unicast); + br_flood(br, skb, skb2, __br_forward, unicast, true); } #ifdef CONFIG_BRIDGE_IGMP_SNOOPING