On 26/01/2023 19:01, Petr Machata wrote: > The MDB maintained by the bridge is limited. When the bridge is configured > for IGMP / MLD snooping, a buggy or malicious client can easily exhaust its > capacity. In SW datapath, the capacity is configurable through the > IFLA_BR_MCAST_HASH_MAX parameter, but ultimately is finite. Obviously a > similar limit exists in the HW datapath for purposes of offloading. > > In order to prevent the issue of unilateral exhaustion of MDB resources, > introduce two parameters in each of two contexts: > > - Per-port and per-port-VLAN number of MDB entries that the port > is member in. > > - Per-port and (when BROPT_MCAST_VLAN_SNOOPING_ENABLED is enabled) > per-port-VLAN maximum permitted number of MDB entries, or 0 for > no limit. > > The per-port multicast context is used for tracking of MDB entries for the > port as a whole. This is available for all bridges. > > The per-port-VLAN multicast context is then only available on > VLAN-filtering bridges on VLANs that have multicast snooping on. > > With these changes in place, it will be possible to configure MDB limit for > bridge as a whole, or any one port as a whole, or any single port-VLAN. > > Note that unlike the global limit, exhaustion of the per-port and > per-port-VLAN maximums does not cause disablement of multicast snooping. > It is also permitted to configure the local limit larger than hash_max, > even though that is not useful. > > In this patch, introduce only the accounting for number of entries, and the > max field itself, but not the means to toggle the max. The next patch > introduces the netlink APIs to toggle and read the values. > > Note that the per-port-VLAN mcast_max_groups value gets reset when VLAN > snooping is enabled. The reason for this is that while VLAN snooping is > disabled, permanent entries can be added above the limit imposed by the > configured maximum. Under those circumstances, whatever caused the VLAN > context enablement, would need to be rolled back, adding a fair amount of > code that would be rarely hit and tricky to maintain. At the same time, > the feature that this would enable is IMHO not interesting: I posit that > the usefulness of keeping mcast_max_groups intact across > mcast_vlan_snooping toggles is marginal at best. > > Signed-off-by: Petr Machata <petrm@xxxxxxxxxx> > Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx> > --- > net/bridge/br_multicast.c | 131 +++++++++++++++++++++++++++++++++++++- > net/bridge/br_private.h | 2 + > 2 files changed, 132 insertions(+), 1 deletion(-) > Acked-by: Nikolay Aleksandrov <razor@xxxxxxxxxxxxx>
