本文共 6409 字,大约阅读时间需要 21 分钟。
作者:lwyang?
内核版本:Linux-4.20.8
处理本地数据包的情况,即数据包目的mac地址是本地的单播数据、广播、组播和网桥处于混杂模式时都需要交给上层处理,在处理完NF_BR_PRE_ROUTING链后会调用br_pass_frame_up进入上层处理
static int br_pass_frame_up(struct sk_buff *skb){ struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev; struct net_bridge *br = netdev_priv(brdev); struct net_bridge_vlan_group *vg; struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats); //统计网桥设备上的收包流量数据 u64_stats_update_begin(&brstats->syncp); brstats->rx_packets++; brstats->rx_bytes += skb->len; u64_stats_update_end(&brstats->syncp); //获取网桥设备上的vlan组 vg = br_vlan_group_rcu(br); /* Bridge is just like any other port. Make sure the * packet is allowed except in promisc modue when someone * may be running packet capture. */ if (!(brdev->flags & IFF_PROMISC) && !br_allowed_egress(vg, skb)) { kfree_skb(skb); return NET_RX_DROP; } //记录数据包的收包网络设备 indev = skb->dev; //将数据包的收包设备改为网桥设备 //当再次进入__netif_receive_skb_core时就不会再次进入桥处理了,因为网桥上没有注册rx_handler 函数 skb->dev = brdev; //配置数据包vlan相关信息 skb = br_handle_vlan(br, NULL, vg, skb); if (!skb) return NET_RX_DROP; /* update the multicast stats if the packet is IGMP/MLD */ //如果数据包是组播,更新组播数据包的统计信息 br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb), BR_MCAST_DIR_TX); //进入NF_BR_LOCAL_IN 钩子点进行处理,最后调用br_netif_receive_skb 函数 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(indev), NULL, skb, indev, NULL, br_netif_receive_skb);} 最后会重新调用netif_receive_skb,但此时skb->dev已经替换为网桥设备,网桥上没有注册rx_handler,因此不会再次进入桥处理,然后会调用ptype协议链上对应的协议处理函数进入上层处理
不是发往本地的数据包,但在fdb表中能找到对应的表项,则进行转发br_forward,若在fdb表中找不到对应表项就进行洪泛br_flood
void br_forward(const struct net_bridge_port *to, struct sk_buff *skb, bool local_rcv, bool local_orig){ ... if (should_deliver(to, skb)) { //如果local_rcv 置为1,则表明端口为混杂模式,先克隆一份数据包再进行转发,避免对发往本地的数据包产生影响 if (local_rcv) deliver_clone(to, skb, local_orig); else __br_forward(to, skb, local_orig); return; }out: if (!local_rcv) kfree_skb(skb);}static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb, bool local_orig){ struct net_bridge_vlan_group *vg; struct net_device *indev; struct net *net; int br_hook; //获取vlan组,这个组中有许多的vlanid,br_handle_vlan函数就是要在这个组中查找自己的vid vg = nbp_vlan_group_rcu(to); //添加vlan的相关配置 skb = br_handle_vlan(to->br, to, vg, skb); if (!skb) return; //记录数据包的原始收包网络设备 indev = skb->dev; //将skb的dev修改为出口网络设备 skb->dev = to->dev; //如果local_orig 标志位(判断是否从本地发出的数据包)为false,就进入NF_BR_FORWARD 钩子点; //若为true,就进入NF_BR_LOCAL_OUT 钩子点 if (!local_orig) { if (skb_warn_if_lro(skb)) { kfree_skb(skb); return; } //若不是从本地发出的数据包,进入NF_BR_FORWARD 链处理 br_hook = NF_BR_FORWARD; skb_forward_csum(skb); net = dev_net(indev); } else { ... //若是从本地发出的数据包,进入NF_BR_LOCAL_OUT 链处理 br_hook = NF_BR_LOCAL_OUT; net = dev_net(skb->dev); indev = NULL; } //进入钩子点,最后执行br_forward_finish函数 NF_HOOK(NFPROTO_BRIDGE, br_hook, net, NULL, skb, indev, skb->dev, br_forward_finish);} __br_forward函数会根据数据包的来源(根据local_orig)分别进入不同的钩子点:如果数据包是从本地发出的,就会进入NF_BR_LOCAL_OUT钩子点,如果是完成NF_BR_PRE_ROUTING链后过来的数据包,则会进入NF_BR_FORWARD钩子点。在执行完各钩子点上注册的函数后最后会调用br_forward_finish完成转发进入NF_BR_POST_ROUTING
int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb){ skb->tstamp = 0; return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, net, sk, skb, NULL, skb->dev, br_dev_queue_push_xmit);} 在br_dev_queue_push_xmit中会先skb_push(skb, ETH_HLEN);将data指针上移指向2层(以太网)头部,然后调用dev_queue_xmit完成数据的发送
接下来看下对未知单播进行洪泛的处理br_flood
void br_flood(struct net_bridge *br, struct sk_buff *skb, enum br_pkt_type pkt_type, bool local_rcv, bool local_orig){ u8 igmp_type = br_multicast_igmp_type(skb); struct net_bridge_port *prev = NULL; struct net_bridge_port *p; //遍历网桥设备的port_list,取出所有的网桥端口 list_for_each_entry_rcu(p, &br->port_list, list) { /* Do not flood unicast traffic to ports that turn it off, nor * other traffic if flood off, except for traffic we originate */ //判断网桥端口的flags是否符合数据包类型 switch (pkt_type) { case BR_PKT_UNICAST: if (!(p->flags & BR_FLOOD)) continue; break; case BR_PKT_MULTICAST: if (!(p->flags & BR_MCAST_FLOOD) && skb->dev != br->dev) continue; break; case BR_PKT_BROADCAST: if (!(p->flags & BR_BCAST_FLOOD) && skb->dev != br->dev) continue; break; } /* Do not flood to ports that enable proxy ARP */ if (p->flags & BR_PROXYARP) continue; if ((p->flags & (BR_PROXYARP_WIFI | BR_NEIGH_SUPPRESS)) && BR_INPUT_SKB_CB(skb)->proxyarp_replied) continue; prev = maybe_deliver(prev, p, skb, local_orig); if (IS_ERR(prev)) goto out; if (prev == p) br_multicast_count(p->br, p, skb, igmp_type, BR_MCAST_DIR_TX); } if (!prev) goto out; if (local_rcv) deliver_clone(prev, skb, local_orig); else __br_forward(prev, skb, local_orig); return;out: if (!local_rcv) kfree_skb(skb);} br_flood最后也是调用__br_forward根据目的端口进行的转发
【思考】
可以看到br_forward,br_flood等函数最后都有一位local_orig的布尔值,这个标志为真表示数据包是从本地发出的,这样做的好处是可以复用br_forward,br_flood等函数,只用修改此布尔值就行了 上面看了转发情况时,local_orig为false,表示数据包不是本地发出,是进行转发的,下面看下当数据包从本地发出,此标志为true的情况
NF_BR_POST_ROUTING链中最后会执行br_dev_queue_push_xmit,然后会调用dev_queue_xmit,接下来就会调用.ndo_start_xmit(return ops->ndo_start_xmit(skb, dev);),即br_dev_xmit
static const struct net_device_ops br_netdev_ops = { .ndo_start_xmit = br_dev_xmit, ...}netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev){ ... skb_reset_mac_header(skb); eth = eth_hdr(skb); //将data指针指向2层头部 skb_pull(skb, ETH_HLEN); dest = eth_hdr(skb)->h_dest; if (is_broadcast_ether_addr(dest)) { br_flood(br, skb, BR_PKT_BROADCAST, false, true); } else if (is_multicast_ether_addr(dest)) { if (unlikely(netpoll_tx_running(dev))) { br_flood(br, skb, BR_PKT_MULTICAST, false, true); goto out; } if (br_multicast_rcv(br, NULL, skb, vid)) { kfree_skb(skb); goto out; } mdst = br_mdb_get(br, skb, vid); if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) && br_multicast_querier_exists(br, eth_hdr(skb))) br_multicast_flood(mdst, skb, false, true); else br_flood(br, skb, BR_PKT_MULTICAST, false, true); } else if ((dst = br_fdb_find_rcu(br, dest, vid)) != NULL) { br_forward(dst->dst, skb, false, true); } else { br_flood(br, skb, BR_PKT_UNICAST, false, true); } 上面的数据包是从本地发出的,在进行数据包发送路径的判断后,发送函数br_forward,br_flood等函数的最后一个布尔值local_orig为置为true,表明此数据包是从本地发出,在br_forward中就会根据此布尔值将数据包放入NF_BR_LOCAL_OUT钩子点,而不会进入了NF_BR_FORWARD
以上仅代表个人理解,如若觉得有理解不当的地方还请不吝赐教?
转载地址:http://yfhpi.baihongyu.com/