Block traffic to a specific host with the command: bridge fdb add <MAC> vlan <vid> dev br0 blackhole
The blackhole FDB entries can be added, deleted and replaced with ordinary FDB entries.
Signed-off-by: Hans Schultz netdev@kapio-technology.com --- bridge/fdb.c | 7 ++++++- include/uapi/linux/neighbour.h | 4 ++++ man/man8/bridge.8 | 6 ++++++ 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/bridge/fdb.c b/bridge/fdb.c index 0fbe9bd3..2160f1c2 100644 --- a/bridge/fdb.c +++ b/bridge/fdb.c @@ -38,7 +38,7 @@ static void usage(void) fprintf(stderr, "Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n" " [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n" - " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n" + " [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n" " { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n" " [ via DEV ] [ src_vni VNI ]\n" " bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n" @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags) if (flags & NTF_STICKY) print_string(PRINT_ANY, NULL, "%s ", "sticky");
+ if (ext_flags & NTF_EXT_BLACKHOLE) + print_string(PRINT_ANY, NULL, "%s ", "blackhole"); + if (ext_flags & NTF_EXT_LOCKED) print_string(PRINT_ANY, NULL, "%s ", "locked");
@@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv) req.ndm.ndm_flags |= NTF_EXT_LEARNED; } else if (matches(*argv, "sticky") == 0) { req.ndm.ndm_flags |= NTF_STICKY; + } else if (matches(*argv, "blackhole") == 0) { + ext_flags |= NTF_EXT_BLACKHOLE; } else { if (strcmp(*argv, "to") == 0) NEXT_ARG(); diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h index 4dda051b..cc7d540e 100644 --- a/include/uapi/linux/neighbour.h +++ b/include/uapi/linux/neighbour.h @@ -54,6 +54,7 @@ enum { /* Extended flags under NDA_FLAGS_EXT: */ #define NTF_EXT_MANAGED (1 << 0) #define NTF_EXT_LOCKED (1 << 1) +#define NTF_EXT_BLACKHOLE (1 << 2)
/* * Neighbor Cache Entry States. @@ -91,6 +92,9 @@ enum { * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the * locked port feature, that ensures that an entry exists while at the same * time dropping packets on ingress with src MAC and VID matching the entry. + * + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed + * from any port to the destination MAC, VID pair associated with it. */
struct nda_cacheinfo { diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 index 40250477..af2e7db2 100644 --- a/man/man8/bridge.8 +++ b/man/man8/bridge.8 @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry. - this entry will not change its port due to learning. .sp
+.B blackhole +- this is an entry that denies all forwarding from any port to a destination +matching the entry. It can be added by userspace, but the flag is mostly set +from a hardware driver. +.sp + .in -8 The next command line parameters apply only when the specified device