On Mon, Apr 08, 2013 at 11:58:48 -0700, Stephen Hemminger wrote: > The standard way to do this is to use netfilter. Considering the > additional device flags and skb flag changes, I am not sure that your > method is better. To make it a bit more clear: 1) the skb flag will be used on the "receiving end-point" by batman-adv to mark received packets and so instruct the bridge to do not forward them to restricted interfaces. 2) the IFF_ flag is used by batman-adv on the "sending side" to determine whether a packet has been originated by a restricted interface and so instruct the remote endpoint to mark the skb when received. 3) to make the bridge code general enough, I decided to let it mark packets coming from restricted interfaces as well so that it can also apply the policy at 1) locally, without any further setting. The logic described in 1) is therefore applied by the bridge even for local packets (not passing through batman-adv) Point 3) is the only one where netfilter might help. But using two mechanism to achieve one goal looked not sane to me and therefore I decided to to do it this way. And actually the code allowing point 3 is only: + skb->bridge_restricted = !!(skb->dev->flags & IFF_BRIDGE_RESTRICTED); I hope this summary did not create further confusion :) Thanks, > > On Mon, Apr 8, 2013 at 10:41 AM, Antonio Quartulli > <antonio@xxxxxxxxxxxxx> wrote: > > This new flag tells whether a network device has to be > > considered as restricted in the new bridge forwarding logic. > > > > Signed-off-by: Antonio Quartulli <antonio@xxxxxxxxxxxxx> > > --- > > include/uapi/linux/if.h | 1 + > > net/core/dev.c | 2 +- > > 2 files changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/include/uapi/linux/if.h b/include/uapi/linux/if.h > > index 1ec407b..5c3a9bd 100644 > > --- a/include/uapi/linux/if.h > > +++ b/include/uapi/linux/if.h > > @@ -83,6 +83,7 @@ > > #define IFF_SUPP_NOFCS 0x80000 /* device supports sending custom FCS */ > > #define IFF_LIVE_ADDR_CHANGE 0x100000 /* device supports hardware address > > * change when it's running */ > > +#define IFF_BRIDGE_RESTRICTED 0x200000 /* device is bridge-restricted */ > > > > > > #define IF_GET_IFACE 0x0001 /* for querying only */ > > diff --git a/net/core/dev.c b/net/core/dev.c > > index 3655ff9..49eafc8 100644 > > --- a/net/core/dev.c > > +++ b/net/core/dev.c > > @@ -4627,7 +4627,7 @@ int __dev_change_flags(struct net_device *dev, unsigned int flags) > > > > dev->flags = (flags & (IFF_DEBUG | IFF_NOTRAILERS | IFF_NOARP | > > IFF_DYNAMIC | IFF_MULTICAST | IFF_PORTSEL | > > - IFF_AUTOMEDIA)) | > > + IFF_AUTOMEDIA | IFF_BRIDGE_RESTRICTED)) | > > (dev->flags & (IFF_UP | IFF_VOLATILE | IFF_PROMISC | > > IFF_ALLMULTI)); > > > > -- > > 1.8.1.5 > > -- Antonio Quartulli ..each of us alone is worth nothing.. Ernesto "Che" Guevara
Attachment:
pgpbpESJq2ncl.pgp
Description: PGP signature