Santiago Garcia Mantinan | 3 May 18:23 2011

Bugs fixed on Debian's bridge-utils

Hi!

As the Debian maintainer of bridge-utils, on my last upload to Debian I
cared to comment the source stating the bugs we had fixed on bridge-utils on
Debian that are still open on your upstream version. You can get the patch
directly from our Debian sources and forget about the debian dir, but I have
cut that out for you and what remains is this:

--- bridge-utils-1.5.orig/doc/brctl.8
+++ bridge-utils-1.5/doc/brctl.8
 <at>  <at>  -89,7 +89,7  <at>  <at> 
 .B brctl showmacs <brname>
 shows a list of learned MAC addresses for this bridge.

-.B brctl setageingtime <brname> <time>
+.B brctl setageing <brname> <time>
 sets the ethernet (MAC) address ageing time, in seconds. After <time>
 seconds of not having seen a frame coming from a certain address, the
 bridge will time out (delete) that address from the Forwarding
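Review bot: the rename to setageing at line 92 of brctl.8 carries no Debian bug number, unlike the brctl.c hunk that follows, and nothing in the visible lines shows which spelling brctl's command table accepts. Stating that in the patch description (and the bug number, if one exists) would let upstream verify that the man page now matches the binary.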
--- bridge-utils-1.5.orig/brctl/brctl.c
+++ bridge-utils-1.5/brctl/brctl.c
 <at>  <at>  -69,7 +69,8  <at>  <at> 
 	argc -= optind;
 	argv += optind;
 	if ((cmd = command_lookup(*argv)) == NULL) {
-		fprintf(stderr, "never heard of command [%s]\n", argv[1]);
+/* Debian bug #406907 */
+		fprintf(stderr, "never heard of command [%s]\n", argv[0]);
 		goto help;
 	}
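Review bot: the added comment /* Debian bug #406907 */ sits at column 0 inside the indented if block in brctl.c, and a tracker reference like this belongs in the commit message rather than in the source. The fix itself agrees with the surrounding lines: after argv += optind the name passed to command_lookup() is *argv, so argv[0] is the string to report, whereas argv[1] can be the NULL terminator when only one word was given, and passing that to %s is undefined behaviour.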

Stephen Hemminger | 3 May 18:28 2011

Re: Bugs fixed on Debian's bridge-utils

On Tue, 3 May 2011 18:23:43 +0200
Santiago Garcia Mantinan <manty <at> debian.org> wrote:

> Hi!
> 
> As the Debian maintainer of bridge-utils, on my last upload to Debian I
> cared to comment the source stating the bugs we had fixed on bridge-utils on
> Debian that are still open on your upstream version. You can get the patch
> directly from our Debian sources and forget about the debian dir, but I have
> cut that out for you and what remains is this:
> 
> --- bridge-utils-1.5.orig/doc/brctl.8
> +++ bridge-utils-1.5/doc/brctl.8
>  <at>  <at>  -89,7 +89,7  <at>  <at> 
>  .B brctl showmacs <brname>
>  shows a list of learned MAC addresses for this bridge.
>  
> -.B brctl setageingtime <brname> <time>
> +.B brctl setageing <brname> <time>
>  sets the ethernet (MAC) address ageing time, in seconds. After <time>
>  seconds of not having seen a frame coming from a certain address, the
>  bridge will time out (delete) that address from the Forwarding
> --- bridge-utils-1.5.orig/brctl/brctl.c
> +++ bridge-utils-1.5/brctl/brctl.c
>  <at>  <at>  -69,7 +69,8  <at>  <at> 
>  	argc -= optind;
>  	argv += optind;
>  	if ((cmd = command_lookup(*argv)) == NULL) {
> -		fprintf(stderr, "never heard of command [%s]\n", argv[1]);
> +/* Debian bug #406907 */

IMS | 4 May 15:21 2011

Bridge and authentication

Hello,
I'm trying to configure an Ubuntu server with 2 wired interfaces set as a bridge and I want a RADIUS authentication on each interface.

I'm able to set my configuration files to have a bridge between the 2 interfaces without authentication.
I'm able to set my configuration files to have an authentication on each interface but without the bridge.
I don't know how to configure my files to have both authentication and bridge!
Can someone help me?

I give you my /etc/network/interface, not working:
# loopback interface
auto lo
iface lo inet loopback
# network interface
auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1

wpa-iface eth0  #How to add eth1 ? If I add a new line it's not working
wpa-bridge br0
wpa-driver wired
wpa-conf /etc/wpa_supplicant/wired.conf


The wired.conf file for information:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=0
# Configure fast re-authentication for EAP protocols
#fast_reauth=1

network={
        ssid="lan"
        key_mgmt=IEEE8021X
        eapol_flags=0
        eap=MD5
        identity="labo"
        password="test"
}

With this configuration, it's working if my interface eth0 is connected, but it's not working if it's eth1 which is connected.
Could you tell me what I need to add in my configuration file?

Thanks for your help.

Sebastien.

_______________________________________________
Bridge mailing list
Bridge <at> lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/bridge
Stephen Hemminger | 4 May 19:32 2011

Re: Bridge and authentication

On Wed, 4 May 2011 15:21:41 +0200
IMS <ims77.dev <at> gmail.com> wrote:

> Hello,
> I'm trying to configure an Ubuntu server with 2 wired interfaces set as a
> bridge and I want a RADIUS authentication on each interface.
>
> I'm able to set my configuration files to have a bridge between the 2
> interfaces without authentication.
> I'm able to set my configuration files to have an authentication on each
> interface but without the bridge.
> I don't know how to configure my files to have both authentication and
> bridge!
> Can someone help me?
>
> I give you my /etc/network/interface, not working:
> # loopback interface
> auto lo
> iface lo inet loopback
> # network interface
> auto eth0
> iface eth0 inet manual
>
> auto eth1
> iface eth1 inet manual
>
> auto br0
> iface br0 inet dhcp
> bridge_ports eth0 eth1
>
> wpa-iface eth0  #How to add eth1 ? If I add a new line it's not working
> wpa-bridge br0
> wpa-driver wired
> wpa-conf /etc/wpa_supplicant/wired.conf
>
>
> The wired.conf file for information:
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> ap_scan=0
> # Configure fast re-authentication for EAP protocols
> #fast_reauth=1
>
> network={
>         ssid="lan"
>         key_mgmt=IEEE8021X
>         eapol_flags=0
>         eap=MD5
>         identity="labo"
>         password="test"
> }
>
> With this configuration, it's working if my interface eth0 is connected, but
> it's not working if it's eth1 which is connected.
> Could you tell me what I need to add in my configuration file?
> 
> Thanks for your help.
> 
> Sebastien.

Once you put interfaces into a bridge, all applications and services
should use the bridge interface not the underlying ethernet devices
because packets received on the underlying device will be absorbed
by the bridge and not processed for the ethernet device.
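
The rule in the reply above, applied mechanically to an ifupdown file, as an added example that is not part of the original thread: it lists every option or address method that targets an interface already enslaved to a bridge. The function names are hypothetical, the sample file is constructed from the one posted above, and only explicit `bridge_ports` names (not `all` or `regex`) are handled.

```python
# Added example, not from the thread; SAMPLE is constructed from the posted file.
SAMPLE = """\
auto eth0
iface eth0 inet manual
auto eth1
iface eth1 inet manual

auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1

wpa-iface eth0
wpa-bridge br0
wpa-driver wired
wpa-conf /etc/wpa_supplicant/wired.conf
"""


def starts_stanza(word):
    """True for keywords that open a new stanza and so end the current one."""
    return (word in ("auto", "iface", "mapping", "source", "source-directory")
            or word.startswith("allow-"))


def parse_stanzas(text):
    """Return {iface: {"method": str, "options": [(key, [values])]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines do not end a stanza
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(
                words[1], {"method": words[3], "options": []})
        elif starts_stanza(words[0]):
            current = None
        elif current is not None:
            current["options"].append((words[0], words[1:]))
    return stanzas


def port_findings(text):
    """List (stanza, item, port, bridge) for settings aimed at a bridge port."""
    stanzas = parse_stanzas(text)
    owner = {port: bridge
             for bridge, s in stanzas.items()
             for key, values in s["options"] if key == "bridge_ports"
             for port in values}
    findings = []
    for name, s in stanzas.items():
        # An address method other than "manual" on a port configures the port.
        if name in owner and s["method"] != "manual":
            findings.append((name, "method " + s["method"], name, owner[name]))
        for key, values in s["options"]:
            if key != "bridge_ports":
                findings.extend(
                    (name, key, v, owner[v]) for v in values if v in owner)
    return sorted(findings)


if __name__ == "__main__":
    for stanza, item, port, bridge in port_findings(SAMPLE):
        print(f"{stanza}: {item} targets {port}, a port of {bridge}")
```

On the sample it reports the `wpa-iface eth0` line in the br0 stanza, since eth0 is listed in `bridge_ports`.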

IMS | 5 May 08:49 2011

Re: Bridge and authentication

First, thanks for your response.
My code is inspired by the Ubuntu documentation but there was only one interface in the example (https://help.ubuntu.com/community/Network802.1xAuthentication).
Do you mean it's not possible to do it with two interfaces? I should be connected and authenticated on the 2 interfaces to be able to use the bridge?
Or should I authenticate the bridge? If so, how to do that!?

If someone has a valid example with 2 Ethernet interfaces I'm interested!

Sebastien.

--------------------------------------------------------------------------------------------------------------

> Hello,
> I'm trying to configure an Ubuntu server with 2 wired interfaces set as a
> bridge and I want a RADIUS authentication on each interface.
>
> I'm able to set my configuration files to have a bridge between the 2
> interfaces without authentication.
> I'm able to set my configuration files to have an authentication on each
> interface but without the bridge.
> I don't know how to configure my files to have both authentication and
> bridge!
> Can someone help me?
>
> I give you my /etc/network/interface, not working:
> # loopback interface
> auto lo
> iface lo inet loopback
> # network interface
> auto eth0
> iface eth0 inet manual
>
> auto eth1
> iface eth1 inet manual
>
> auto br0
> iface br0 inet dhcp
> bridge_ports eth0 eth1
>
> wpa-iface eth0  #How to add eth1 ? If I add a new line it's not working
> wpa-bridge br0
> wpa-driver wired
> wpa-conf /etc/wpa_supplicant/wired.conf
>
>
> The wired.conf file for information:
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> ap_scan=0
> # Configure fast re-authentication for EAP protocols
> #fast_reauth=1
>
> network={
>         ssid="lan"
>         key_mgmt=IEEE8021X
>         eapol_flags=0
>         eap=MD5
>         identity="labo"
>         password="test"
> }
>
> With this configuration, it's working if my interface eth0 is connected, but
> it's not working if it's eth1 which is connected.
> Could you tell me what I need to add in my configuration file?
>
> Thanks for your help.
>
> Sebastien.

Once you put interfaces into a bridge, all applications and services
should use the bridge interface not the underlying ethernet devices
because packets received on the underlying device will be absorbed
by the bridge and not processed for the ethernet device.
Trellert | 6 May 11:04 2011

using a bridge to change mac address

Hello

I have the following situation:

My ISP gives me an IP address with DHCP, but only to the MAC address 00:11:22:33:44:55 (which is their preconfigured device).

As I want to use another device and not their preconfigured device, I decided to put a Linux computer (let's call it "bridgePC") acting as a bridge between those 2.

bridgePC configuration:

Eth0 – connected to ISP
Eth1 – connected to my device

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 up

For testing purposes I connected another Linux PC ("testPC") to the bridgePC (eth1).

I start the DHCP client and it keeps searching... I don't get an IP from my ISP, which is expected since I have the wrong MAC address.

Now, on testPC I changed the MAC address to the required 00:11:22:33:44:55 from my ISP.

And bam, I receive an IP via DHCP from my ISP.

So, my bridgePC is working and is acting 100% transparent.

Now of course, the device I want to use is not a Linux PC and therefore I can't just simply change the MAC address of my device.

So I have to use bridgePC to change the outgoing packets as if they were coming from 00:11:22:33:44:55.

I tried with the following:

ebtables -t nat -A POSTROUTING -o eth0 -j snat --to-source bc:05:43:cb:ce:c1

But still not receiving an IP.

Does anyone have an idea?

Thanks,

Steve M.

Michał Mirosław | 7 May 13:48 2011

[RFC PATCH] net: fold dev_disable_lro() into netdev_fix_features()

This moves checks that device is forwarding from bridge, IPv4 and IPv6
code into netdev_fix_features(). As a side effect, after device is no longer
forwarding it gets LRO back. This also means that user is not allowed to
enable LRO after device is put to forwarding mode.

This patch depends on removal of discrete offload setting ethtool ops.

Signed-off-by: Michał Mirosław <mirq-linux <at> rere.qmqm.pl>
---
 include/linux/netdevice.h |    1 -
 net/bridge/br_if.c        |    6 +++---
 net/core/dev.c            |   41 +++++++++++++++++++++--------------------
 net/ipv4/devinet.c        |   20 +++++++++-----------
 net/ipv6/addrconf.c       |    7 +++----
 5 files changed, 36 insertions(+), 39 deletions(-)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 7be3ca2..3a8c21d 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
 <at>  <at>  -1627,7 +1627,6  <at>  <at>  extern struct net_device	*__dev_get_by_name(struct net *net, const char *name);
 extern int		dev_alloc_name(struct net_device *dev, const char *name);
 extern int		dev_open(struct net_device *dev);
 extern int		dev_close(struct net_device *dev);
-extern void		dev_disable_lro(struct net_device *dev);
 extern int		dev_queue_xmit(struct sk_buff *skb);
 extern int		register_netdevice(struct net_device *dev);
 extern void		unregister_netdevice_queue(struct net_device *dev,
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 5dbdfdf..62aab1e 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
 <at>  <at>  -158,6 +158,8  <at>  <at>  static void del_nbp(struct net_bridge_port *p)
 	br_netpoll_disable(p);

 	call_rcu(&p->rcu, destroy_nbp_rcu);
+
+	netdev_update_features(dev);
 }

 /* called with RTNL */
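Review bot: the netdev_update_features(dev) added at the end of del_nbp() only gives LRO back if IFF_BRIDGE_PORT has already been cleared from dev->priv_flags by that point, because the new test in netdev_fix_features() keys on that flag. The hunk shows neither where the flag is cleared nor that a local dev exists in del_nbp(); both are worth confirming, and a one-line comment saying why features are recomputed here would help.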
 <at>  <at>  -368,11 +370,9  <at>  <at>  int br_add_if(struct net_bridge *br, struct net_device *dev)

 	dev->priv_flags |= IFF_BRIDGE_PORT;

-	dev_disable_lro(dev);
-
 	list_add_rcu(&p->list, &br->port_list);

-	netdev_update_features(br->dev);
+	netdev_update_features(dev);

 	spin_lock_bh(&br->lock);
 	changed_addr = br_stp_recalculate_bridge_id(br);
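Review bot: in br_add_if() the existing netdev_update_features(br->dev) is replaced rather than kept, so the bridge device's own feature set is no longer recomputed when a port joins. If that call was there to derive the bridge's features from its ports, both calls are needed: netdev_update_features(dev) for the port's LRO and netdev_update_features(br->dev) for the bridge.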
diff --git a/net/core/dev.c b/net/core/dev.c
index 7193499..3d646c9 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
 <at>  <at>  -132,6 +132,7  <at>  <at> 
 #include <trace/events/skb.h>
 #include <linux/pci.h>
 #include <linux/inetdevice.h>
+#include <net/addrconf.h>
 #include <linux/cpu_rmap.h>

 #include "net-sysfs.h"
 <at>  <at>  -1294,26 +1295,6  <at>  <at>  int dev_close(struct net_device *dev)
 EXPORT_SYMBOL(dev_close);

 
-/**
- *	dev_disable_lro - disable Large Receive Offload on a device
- *	 <at> dev: device
- *
- *	Disable Large Receive Offload (LRO) on a net device.  Must be
- *	called under RTNL.  This is needed if received packets may be
- *	forwarded to another interface.
- */
-void dev_disable_lro(struct net_device *dev)
-{
-	dev->wanted_features &= ~NETIF_F_LRO;
-	netdev_update_features(dev);
-
-	if (unlikely(dev->features & NETIF_F_LRO))
-		netdev_WARN(dev, "failed to disable LRO!\n");
-
-}
-EXPORT_SYMBOL(dev_disable_lro);
-
-
 static int dev_boot_phase = 1;

 /**
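Review bot: removing dev_disable_lro() also drops its netdev_WARN(dev, "failed to disable LRO!\n") check and nothing in the patch replaces it, so a device that still has NETIF_F_LRO set after the feature update now goes unnoticed while forwarding. Consider keeping an equivalent check after netdev_update_features() at the forwarding call sites. The symbol was exported, so the commit message should also state that no callers remain.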
 <at>  <at>  -5239,6 +5220,26  <at>  <at>  u32 netdev_fix_features(struct net_device *dev, u32 features)
 		}
 	}

+	if (features & NETIF_F_LRO) {
+		struct in_device *in4_dev;
+		struct inet6_dev *in6_dev;
+
+		/* disable LRO for bridge ports */
+		if (dev->priv_flags & IFF_BRIDGE_PORT) {
+			netdev_info(dev, "Disabling LRO for bridge port.\n");
+			features &= NETIF_F_LRO;
+		} else /* ... or when forwarding IPv4 */
+		if (((in4_dev = __in_dev_get_rtnl(dev))) &&
+		    IN_DEV_CONF_GET(in4_dev, FORWARDING)) {
+			netdev_info(dev, "Disabling LRO for IPv4 router port.\n");
+			features &= NETIF_F_LRO;
+		} else /* ... or when forwarding IPv6 */
+		if (((in6_dev = __in6_dev_get(dev))) && in6_dev->cnf.forwarding) {
+			netdev_info(dev, "Disabling LRO for IPv6 router port.\n");
+			features &= NETIF_F_LRO;
+		}
+	}
+
 	return features;
 }
 EXPORT_SYMBOL(netdev_fix_features);
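Review bot: all three new branches in netdev_fix_features() use features &= NETIF_F_LRO, which keeps only the LRO bit and clears every other feature, the opposite of what the "Disabling LRO" messages announce. The removed dev_disable_lro() used &= ~NETIF_F_LRO, and the same complement is needed here: features &= ~NETIF_F_LRO in each branch. The else-if chain would also read more clearly with the comments placed inside the conditions rather than between else and if.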
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index cd9ca08..e9c0557 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
 <at>  <at>  -245,8 +245,6  <at>  <at>  static struct in_device *inetdev_init(struct net_device *dev)
 	in_dev->arp_parms = neigh_parms_alloc(dev, &arp_tbl);
 	if (!in_dev->arp_parms)
 		goto out_kfree;
-	if (IPV4_DEVCONF(in_dev->cnf, FORWARDING))
-		dev_disable_lro(dev);
 	/* Reference in_dev->dev */
 	dev_hold(dev);
 	/* Account for reference dev->ip_ptr (below) */
 <at>  <at>  -259,6 +257,8  <at>  <at>  static struct in_device *inetdev_init(struct net_device *dev)

 	/* we can receive as soon as ip_ptr is set -- do this last */
 	rcu_assign_pointer(dev->ip_ptr, in_dev);
+
+	netdev_update_features(dev);
 out:
 	return in_dev;
 out_kfree:
 <at>  <at>  -1475,14 +1475,12  <at>  <at>  static void inet_forward_change(struct net *net)
 	IPV4_DEVCONF_DFLT(net, FORWARDING) = on;

 	for_each_netdev(net, dev) {
-		struct in_device *in_dev;
-		if (on)
-			dev_disable_lro(dev);
-		rcu_read_lock();
-		in_dev = __in_dev_get_rcu(dev);
-		if (in_dev)
+		struct in_device *in_dev = __in_dev_get_rtnl(dev);
+
+		if (in_dev) {
 			IN_DEV_CONF_SET(in_dev, FORWARDING, on);
-		rcu_read_unlock();
+			netdev_update_features(in_dev->dev);
+		}
 	}
 }

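Review bot: inet_forward_change() drops rcu_read_lock()/rcu_read_unlock() and switches to __in_dev_get_rtnl(), so it is now correct only when every caller holds RTNL. The devinet_sysctl_forward() path visibly does, since rtnl_unlock() follows the call there, but an ASSERT_RTNL() at the top of the function would document and enforce the requirement.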
 <at>  <at>  -1527,11 +1525,11  <at>  <at>  static int devinet_sysctl_forward(ctl_table *ctl, int write,
 			}
 			if (valp == &IPV4_DEVCONF_ALL(net, FORWARDING)) {
 				inet_forward_change(net);
-			} else if (*valp) {
+			} else {
 				struct ipv4_devconf *cnf = ctl->extra1;
 				struct in_device *idev =
 					container_of(cnf, struct in_device, cnf);
-				dev_disable_lro(idev->dev);
+				netdev_update_features(idev->dev);
 			}
 			rtnl_unlock();
 			rt_cache_flush(net, 0);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f2f9b2e..d1344ac 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
 <at>  <at>  -370,8 +370,6  <at>  <at>  static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
 		kfree(ndev);
 		return NULL;
 	}
-	if (ndev->cnf.forwarding)
-		dev_disable_lro(dev);
 	/* We refer to the device */
 	dev_hold(dev);

 <at>  <at>  -435,6 +433,7  <at>  <at>  static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
 	addrconf_sysctl_register(ndev);
 	/* protected by rtnl_lock */
 	rcu_assign_pointer(dev->ip6_ptr, ndev);
+	netdev_update_features(dev);

 	/* Join all-node multicast group */
 	ipv6_dev_mc_inc(dev, &in6addr_linklocal_allnodes);
 <at>  <at>  -469,8 +468,6  <at>  <at>  static void dev_forward_change(struct inet6_dev *idev)
 	if (!idev)
 		return;
 	dev = idev->dev;
-	if (idev->cnf.forwarding)
-		dev_disable_lro(dev);
 	if (dev && (dev->flags & IFF_MULTICAST)) {
 		if (idev->cnf.forwarding)
 			ipv6_dev_mc_inc(dev, &in6addr_linklocal_allrouters);
 <at>  <at>  -486,6 +483,8  <at>  <at>  static void dev_forward_change(struct inet6_dev *idev)
 		else
 			addrconf_leave_anycast(ifa);
 	}
+
+	netdev_update_features(dev);
 }

 
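Review bot: the netdev_update_features(dev) added at the end of dev_forward_change() is unconditional, while the earlier test in the same function, if (dev && (dev->flags & IFF_MULTICAST)), treats dev as possibly NULL. Either guard the new call with if (dev), or, if dev cannot be NULL here, drop the old check so the two agree.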
-- 
1.7.2.5

David Miller | 9 May 21:08 2011

Re: [RFC PATCH] net: fold dev_disable_lro() into netdev_fix_features()

From: Michał Mirosław <mirq-linux <at> rere.qmqm.pl>
Date: Sat,  7 May 2011 13:48:02 +0200 (CEST)

> This moves checks that device is forwarding from bridge, IPv4 and IPv6
> code into netdev_fix_features(). As a side effect, after device is no longer
> forwarding it gets LRO back. This also means that user is not allowed to
> enable LRO after device is put to forwarding mode.
> 
> This patch depends on removal of discrete offload setting ethtool ops.
> 
> Signed-off-by: Michał Mirosław <mirq-linux <at> rere.qmqm.pl>

We need to keep the check in the protocols because we don't want to
be testing protocol specific device state in generic code like
net/core/dev.c
Stephen Hemminger | 10 May 05:15 2011

Re: Bug#625914: linux-image-2.6.38-2-amd64: bridging is not interacting well with multicast in 2.6.38-4

On Tue, 10 May 2011 03:38:44 +0100
Ben Hutchings <ben <at> decadent.org.uk> wrote:

> On Fri, 2011-05-06 at 13:12 -0700, Noah Meyerhans wrote:
> > Package: linux-2.6
> > Version: 2.6.38-3
> > Severity: normal
> > 
> > Hi. I've got a system that hosts several kvm virtual hosts.  The VMs
> > access the network via tap devices bridged with a physical interface.
> > After upgrading to linux-image-2.6.38-2-amd64_2.6.38-4, I noticed that
> > the virtualhosts were not autoconfiguring their IPv6 interfaces.
> > Debugging revealed that no multicast was passing over the bridge.
> > 
> > The bridge configuration is:
> > bridge name     bridge id               STP enabled     interfaces
> > br0             8000.0002e3080eb5       no              eth1
> >                                                         tap0
> >                                                         tap1
> >                                                         tap2
> > 
> > If I attach tcpdump to br0, I can see multicast (e.g. IPv6 Neighbor
> > Solicitation) packets.  However, if I attach tcpdump to eth1, I do not
> > see multicast packets sourced from one of the VMs.
> > 
> > Downgrading to 2.6.38-3 solves the problem.
> 
> This is pretty weird.  Debian version 2.6.38-3 has a few bridging
> changes from stable 2.6.38.3 and 2.6.38.4, but they don't look like they
> would cause this.
> 
> Ben.

There are two possible explanations:
  1. In 2.6.37 and kernels the bridge uses IGMP snooping, there were several
     fixes to that in the stable kernel; especially related to IPv6.

  2. There was also a recent change to block link local multicast
     address. But that should impact what you are doing.
Ben Hutchings | 10 May 14:42 2011

Re: Bug#625914: linux-image-2.6.38-2-amd64: bridging is not interacting well with multicast in 2.6.38-4

On Mon, 2011-05-09 at 21:38 -0700, Noah Meyerhans wrote:
> On Tue, May 10, 2011 at 03:38:44AM +0100, Ben Hutchings wrote:
> > This is pretty weird.  Debian version 2.6.38-3 has a few bridging
> > changes from stable 2.6.38.3 and 2.6.38.4, but they don't look like they
> > would cause this.
> 
> I have apparently filed the bug against the wrong version of Debian's
> kernel.  2.6.38-3 is not affected, and works as expected.  The change
> was introduced in -4.  That may have been clear from the report itself,
> but the report was filed against -3.  I've fixed that in the BTS.

I gathered that, and then made the same mistake in writing the above!
The version with the regression, 2.6.38-4, includes the changes from
stable 2.6.38.3 and 2.6.38.4

Ben.

> I've also confirmed that -5 is affected, to no great surprise.
> 
> I'll investigate further.
> 
> noah
> 

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.