macvlan: Allow setting multicast filter on all macvlan types

Currently, macvlan code restricts multicast and unicast
filter setting only to passthru devices.  As a result,
if a guest using macvtap wants to receive multicast
traffic, it has to set IFF_ALLMULTI or IFF_PROMISC.

This patch makes it possible to use the fdb interface
to add multicast addresses to the filter thus allowing
a guest to receive only targeted multicast traffic.

CC: John Fastabend <john.r.fastabend@intel.com>
CC: Michael S. Tsirkin <mst@redhat.com>
CC: Jason Wang <jasowang@redhat.com>
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
---
 drivers/net/macvlan.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

On 08/15/2014 10:04 AM, Vladislav Yasevich wrote:
> Currently, macvlan code restricts multicast and unicast
> filter setting only to passthru devices.  As a result,
> if a guest using macvtap wants to receive multicast
> traffic, it has to set IFF_ALLMULTI or IFF_PROMISC.
> 
> This patch makes it possible to use the fdb interface
> to add multicast addresses to the filter thus allowing
> a guest to receive only targeted multicast traffic.
> 
> CC: John Fastabend <john.r.fastabend@intel.com>
> CC: Michael S. Tsirkin <mst@redhat.com>
> CC: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> ---

Acked-by: John Fastabend <john.r.fastabend@intel.com>

Looks good to me. Although I am trying to recall why
we restrict unicast addresses? It looks like an additional
check could be made to detect duplicate MAC addresses
in fdb_add and then we could support this as well. But
I might be missing why this wasn't supported originally.

Thanks,
John
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On 08/15/2014 03:04 PM, John Fastabend wrote:
> On 08/15/2014 10:04 AM, Vladislav Yasevich wrote:
>> Currently, macvlan code restricts multicast and unicast
>> filter setting only to passthru devices.  As a result,
>> if a guest using macvtap wants to receive multicast
>> traffic, it has to set IFF_ALLMULTI or IFF_PROMISC.
>>
>> This patch makes it possible to use the fdb interface
>> to add multicast addresses to the filter thus allowing
>> a guest to receive only targeted multicast traffic.
>>
>> CC: John Fastabend <john.r.fastabend@intel.com>
>> CC: Michael S. Tsirkin <mst@redhat.com>
>> CC: Jason Wang <jasowang@redhat.com>
>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
>> ---
> 
> Acked-by: John Fastabend <john.r.fastabend@intel.com>
> 
> Looks good to me. Although I am trying to recall why
> we restrict unicast addresses? It looks like an additional
> check could be made to detect duplicate MAC addresses
> in fdb_add and then we could support this as well.

Additional unicasts can be easily supported in VEPA mode,
but VEB would require additional lookups in forwarding mode
to determine if the packet should be switched locally or not.

I don't think we would need any more duplicate checking
since we use the _excl() variants which already return error
on duplicates.  Thus no 2 macvlans would be able to add
the same unicast address to the same lower device.

-vlad

> But
> I might be missing why this wasn't supported originally.
> 
> Thanks,
> John
> 


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Fri, Aug 15, 2014 at 01:04:59PM -0400, Vladislav Yasevich wrote:
> Currently, macvlan code restricts multicast and unicast
> filter setting only to passthru devices.  As a result,
> if a guest using macvtap wants to receive multicast
> traffic, it has to set IFF_ALLMULTI or IFF_PROMISC.
> 
> This patch makes it possible to use the fdb interface
> to add multicast addresses to the filter thus allowing
> a guest to receive only targeted multicast traffic.
> 
> CC: John Fastabend <john.r.fastabend@intel.com>
> CC: Michael S. Tsirkin <mst@redhat.com>
> CC: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>

Acked-by: Michael S. Tsirkin <mst@redhat.com>

> ---
>  drivers/net/macvlan.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
> index ef8a5c2..fad4b9e 100644
> --- a/drivers/net/macvlan.c
> +++ b/drivers/net/macvlan.c
> @@ -739,7 +739,10 @@ static int macvlan_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
>  	struct macvlan_dev *vlan = netdev_priv(dev);
>  	int err = -EINVAL;
>  
> -	if (!vlan->port->passthru)
> +	/* Support unicast filter only on passthru devices.
> +	 * Multicast filter should be allowed on all devices.
> +	 */
> +	if (!vlan->port->passthru && is_unicast_ether_addr(addr))
>  		return -EOPNOTSUPP;
>  
>  	if (flags & NLM_F_REPLACE)
> @@ -760,7 +763,10 @@ static int macvlan_fdb_del(struct ndmsg *ndm, struct nlattr *tb[],
>  	struct macvlan_dev *vlan = netdev_priv(dev);
>  	int err = -EINVAL;
>  
> -	if (!vlan->port->passthru)
> +	/* Support unicast filter only on passthru devices.
> +	 * Multicast filter should be allowed on all devices.
> +	 */
> +	if (!vlan->port->passthru && is_unicast_ether_addr(addr))
>  		return -EOPNOTSUPP;
>  
>  	if (is_unicast_ether_addr(addr))
> -- 
> 1.9.3
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Fri, Aug 15, 2014 at 12:04:28PM -0700, John Fastabend wrote:
> On 08/15/2014 10:04 AM, Vladislav Yasevich wrote:
> > Currently, macvlan code restricts multicast and unicast
> > filter setting only to passthru devices.  As a result,
> > if a guest using macvtap wants to receive multicast
> > traffic, it has to set IFF_ALLMULTI or IFF_PROMISC.
> > 
> > This patch makes it possible to use the fdb interface
> > to add multicast addresses to the filter thus allowing
> > a guest to receive only targeted multicast traffic.
> > 
> > CC: John Fastabend <john.r.fastabend@intel.com>
> > CC: Michael S. Tsirkin <mst@redhat.com>
> > CC: Jason Wang <jasowang@redhat.com>
> > Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> > ---
> 
> Acked-by: John Fastabend <john.r.fastabend@intel.com>
> 
> Looks good to me. Although I am trying to recall why
> we restrict unicast addresses? It looks like an additional
> check could be made to detect duplicate MAC addresses
> in fdb_add and then we could support this as well. But
> I might be missing why this wasn't supported originally.
> 
> Thanks,
> John

It's not just another macvlan: we need to avoid
conflicts with the underlying device itself.

Although I note that the relevant check when
creating macvlans in macvlan_addr_busy
isn't very robust either: if device address is later
reprogrammed, we can get a conflict.
But it seems better to fix that rather than propagate
the bug in more places.

We would also need to populate the mac hash.

So a bit more code would be needed.

From: Vladislav Yasevich <vyasevic@redhat.com>
Date: Fri, 15 Aug 2014 13:04:59 -0400

> Currently, macvlan code restricts multicast and unicast
> filter setting only to passthru devices.  As a result,
> if a guest using macvtap wants to receive multicast
> traffic, it has to set IFF_ALLMULTI or IFF_PROMISC.
> 
> This patch makes it possible to use the fdb interface
> to add multicast addresses to the filter thus allowing
> a guest to receive only targeted multicast traffic.
> 
> CC: John Fastabend <john.r.fastabend@intel.com>
> CC: Michael S. Tsirkin <mst@redhat.com>
> CC: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>

Applied, thanks Vlad.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html