
Initial multicast filtering support for bridge #309

Merged: 22 commits from multicast-snooping into main, Mar 7, 2024
Conversation

@troglobit troglobit commented Feb 23, 2024

Initial IGMP/MLD filtering support for the Linux bridge model. This PR brings per-bridge and per-VLAN settings to control basic multicast snooping¹ settings:

  • Enable multicast snooping on the bridge, or per VLAN
  • Adjust querier mode (off, auto, proxy/NULL-only)
  • Adjust query interval (1-1024 sec)

We have verified that the built-in querier function of the kernel works, in particular in a non-VLAN filtering setup. However, since it only supports proxy/NULL queries in a per-VLAN setup we've decided against using it at all. So all querier functionality is handled by a userspace daemon instead.

The upstream kernel support for multicast filtering is still a bit limited. For example:

  1. the only way to enable filtering of layer-2 (MAC) multicast, is to enable multicast snooping
  2. flooding of unknown multicast stops as soon as the bridge learns of a querier
  3. flooding of unknown layer-2 (MAC) multicast also stops as soon as there's a querier

To that end a couple of kernel patches are added to fix the last two issues. These patches are also published on our open kernel repo for the currently used kernel, along with any iproute2 patches needed to control these features. The idea is to upstream them at a later date. (After the next big customer release.)


The next PR in this series will focus on:

  • MDB, both setting static/permanent entries and reading operational data
  • Per VLAN tests
  • Querier election tests
  • Advanced multicast filtering tests, e.g., mixed mdb entries with dynamic groups

Footnotes

  1. Unfortunately there is currently no way in the Linux bridge to enable filtering but not snooping. So when we use the term snooping it may also refer to filtering. We have discussed submitting kernel patches to address this issue but are time limited atm.
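The three settings listed in the description (snooping per bridge or per VLAN, querier mode, query interval) map onto a handful of iproute2 knobs. The script below is an added illustration, not Infix code and not from this PR: it validates the settings in the page's terms and emits the matching ip/bridge commands instead of executing them, so it can be read and tested without root. It assumes a kernel and iproute2 with per-VLAN multicast snooping (mcast_vlan_snooping and "bridge vlan global set"), and it models "auto" querier mode as a placeholder for the userspace daemon the PR describes, while "null" maps to the kernel's proxy/NULL querier.

```shell
#!/bin/sh
# Added example (not Infix code): translate the PR's bridge/VLAN multicast
# settings into iproute2 commands.  Nothing here touches the kernel; the
# commands are only printed.

# The page gives the query interval range as 1-1024 seconds.
valid_query_interval() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 1024 ]
}

# The bridge driver takes mcast_query_interval in clock ticks (USER_HZ=100),
# i.e. centiseconds: 125 s -> 12500, the kernel default.
sec_to_centisec() {
    echo $(( $1 * 100 ))
}

# Usage: mcast_cmds BRIDGE VID SNOOPING(on|off) QUERIER(off|auto|null) INTERVAL_SEC
# VID empty  -> settings for the bridge itself (non-VLAN-filtering case)
# VID set    -> settings for that VLAN on a VLAN-filtering bridge
mcast_cmds() {
    br=$1; vid=$2; snoop=$3; querier=$4; ival=$5

    valid_query_interval "$ival" || { echo "query interval must be 1-1024 s" >&2; return 1; }

    snoopval=0; [ "$snoop" = on ] && snoopval=1

    # Only the proxy/NULL mode uses the kernel querier (queries from 0.0.0.0);
    # "auto" is left to a userspace querier, "off" disables both.
    case "$querier" in
        off|auto) kq=0 ;;
        null)     kq=1 ;;
        *) echo "querier must be off, auto or null" >&2; return 1 ;;
    esac

    cs=$(sec_to_centisec "$ival")
    if [ -z "$vid" ]; then
        echo "ip link set dev $br type bridge mcast_snooping $snoopval mcast_querier $kq mcast_query_interval $cs"
    else
        # Per-VLAN options only take effect once VLAN snooping is on at bridge level.
        echo "ip link set dev $br type bridge mcast_snooping 1 mcast_vlan_snooping 1"
        echo "bridge vlan global set vid $vid dev $br mcast_snooping $snoopval mcast_querier $kq mcast_query_interval $cs"
    fi

    # Placeholder for the userspace querier described in the PR (service name assumed).
    [ "$querier" = auto ] && echo "# start userspace querier (e.g. querierd) on ${br}${vid:+.$vid}"
    return 0
}

# Per-port flooding of unknown multicast, the flag the PR's kernel patches extend.
mcast_flood_cmd() {
    echo "bridge link set dev $1 mcast_flood $2"
}

# Demo: VLAN 10 on br0, snooping on, userspace querier, 60 s interval.
mcast_cmds br0 10 on auto 60
mcast_flood_cmd eth0 on
```

Run it as-is to see the commands for the demo case, or pipe the output of mcast_cmds into sh on a box where you hold the bridge; the interval check rejects anything outside the 1-1024 s window before any command is printed.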

@troglobit troglobit linked an issue Feb 23, 2024 that may be closed by this pull request
@troglobit troglobit force-pushed the multicast-snooping branch 2 times, most recently from 857baf8 to 8d34c23 Compare February 29, 2024 09:38
@troglobit troglobit force-pushed the multicast-snooping branch 3 times, most recently from 28e3e23 to 9642d51 Compare March 5, 2024 08:52
@troglobit troglobit marked this pull request as ready for review March 6, 2024 05:52
@troglobit troglobit requested review from mattiaswal, rical and wkz and removed request for rical March 6, 2024 05:52
@troglobit troglobit added the enhancement New feature or request label Mar 6, 2024
@troglobit troglobit added this to the Infix v24.03 milestone Mar 6, 2024

@wkz wkz left a comment


Awesome job guys!

Review comments (all resolved) on:

  • src/confd/yang/infix-if-bridge@2024-02-19.yang (outdated)
  • src/confd/src/ietf-interfaces.c (2 comments, outdated)
  • test/case/infix_interfaces/igmp_basic.py (outdated)
  • test/case/infix_interfaces/igmp_vlan.py (4 comments, outdated)
  • test/infamy/multicast.py
troglobit and others added 16 commits March 7, 2024 10:39
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
With VLAN filtering on a bridge we cannot use the mcast_query_use_ifaddr
mechanism.  This because even if the bridge may have an address it is
likely not on the same subnet as that of the VLAN, and the multicast
code in the kernel does not look at VLAN interfaces on top of bridge
for a relevant address.

For these cases we have to use querierd, or a multicast router.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
This patch adds BUM flooding control per port.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Note, no VLAN id, or other VLAN specific information is contained in the
MDB entries, only forwarding information and per-port state.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Depends on having mtools v3+ on test PC, so add it to the docker.
With 3 data connections between host and DUT.
Simple test that tests (without VLAN):
* Multicast flooding works
* Join works as expected
A bridge port cannot communicate on layer-3 while acting as a bridge
port.  Removing the port from the bridge re-enables the link-local
addresses, if any, from the configuration.

Fix #327

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
This is a forward-port of one of my bridge patches to handle RFC4541
style flooding of unknown multicast.

https://lore.kernel.org/netdev/20220411133837.318876-9-troglobit@gmail.com/

Changes since this thread: use inferred mctx (VLAN multicast context)
from br_handle_frame_finish() and br_dev_xmit(), which should fix the
per-VLAN multicast handling issue pointed out by Nikolay.

Todo before next patch series, add new option instead of breaking the
existing functionality for the current mcast_flood flag.  E.g., add a
mcast_flood_always, since the current flag stops flooding when there is
a known querier on the LAN.

See the above thread for details.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
An RFC conforming multicast snooping bridge should forward all unknown
multicast (IP & MAC) on ports where the mcast_flood flag is set.  The
upstream kernel does not (yet) support this, but the KernelKit branch
of the kernel and iproute2 now support it.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit and others added 3 commits March 7, 2024 10:50
Since Infix supports per-VLAN querier parameters, like query interval,
we currently need to run a separate querierd per VLAN interface.  The
replacement, mcd, will handle this automatically in its .conf file.

Also, ensure we install the daemon configuration file as an example, and
thus creating the /etc/querierd/ directory for where .conf files for
each interface will be generated.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
In a VLAN filtering bridge setup we want to be able to support an
external IGMP/MLD querier running from userspace, because the bridge
multicast code can only generate proxy/NULL queries per VLAN.

This patch is a refactor to allow just that.  If a VLAN on the bridge
has an upper interface, matching the bridge name and VID, we generate
a profile for querierd and enable the service.

For all other cases we try to disable any running querierd.  It is up
to the daemon to figure out if it has a usable IP address to use as
the query source IP or use 0.0.0.0.

Since the logic for selecting a proper IP address must be handled by
the daemon in the per-VLAN setup, we revert back to also use it for
the stand-alone unfiltered bridge case as well.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

@wkz wkz left a comment


🥇


@mattiaswal mattiaswal left a comment


👍

mattiaswal and others added 3 commits March 7, 2024 11:32
Rename to more distinct names for netns and hostports
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@mattiaswal mattiaswal merged commit f2cc620 into main Mar 7, 2024
2 checks passed
@mattiaswal mattiaswal deleted the multicast-snooping branch March 7, 2024 11:45
@troglobit troglobit mentioned this pull request Jul 2, 2024