[Bridge] physical interface on a bridge

Jørgen Hovland jorgen at hovland.cx
Wed Feb 22 00:42:49 PST 2006


----- Original Message ----- 
From: "Stephen Hemminger" <shemminger at osdl.org>


> On Tue, 21 Feb 2006 21:50:00 +0100
> Jørgen Hovland <jorgen at hovland.cx> wrote:
>
>> Hi
>>
>> Is there a way to either:
>> Find the real ifindex/ifname a mac-address is bound to
>> or
>> Find the real ifindex/ifname of an incoming packet
>> ?
>>
>> I am writing a dhcp server and need to know what real interface the dhcp 
>> request packet came from. An acceptable solution would be to get the 
>> interface by the mac-address, but that can be faked so I would rather get 
>> the interface by knowing where the data actually came from. Data is IP, 
>> UDP broadcast.
>> I _could_ use raw sockets. The problem is when I do that, the program is 
>> using ~8% cpu on a 3.2ghz xeon64 just reading packets without doing 
>> anything due to the amount of traffic passing through the box (~200mbit 
>> and increasing) so that doesn't look like a good idea.
>
> Why should the app care? If the forwarding database is working correctly, the 
> source mac of the incoming packet will be in the list and any response to it 
> will go out that interface.
>

Well there is no guarantee that the source mac isn't faked. Additionally, 
the hardware address of the dhcp client is put inside a dhcp-packet, which 
also can be faked. So I am stuck with two hardware addresses that I am 
supposed to believe are correct but have no information about where I 
originally received them from.
I can live with this (I guess all the other dhcp servers do that too), but I 
can't find a way to map a hardware address to a physical interface when 
using bridgemode. I need to know this because the dhcp server will be 
limiting the amount of leases you can get per interface (eg max 5 ips per 
interface). It will also be assigning static IP-addresses based on what 
interface the dhcp packet came from. I will also be using iptables to only 
permit the IP+MAC traffic to/from the real physical interface so if you 
don't use dhcp at all times, the traffic won't be permitted.


>
>> brctl showmacs returns a list of port numbers, but they dont make much 
>> sense to me. They do not seem to be in the same order I added the 
>> interfaces? Is there a mapping here?
>>
>> Example,
>> jorgen at ams41:/$ /tmp/brctl showmacs test0
>> port no mac addr                is local?       ageing timer
>>   2     00:04:e2:a8:3b:d7       no                 0.24
>>   1     00:08:a1:85:39:fd       no                17.31
>> 133     00:0d:88:a3:61:4a       no                 9.90
>>   1     00:14:22:b0:cd:e0       yes                0.00
>> 133     00:16:c7:f5:8f:e2       no                 0.48
>>
>> Port 133 is the 901st interface (0x385) I added to bridge test0. What 
>> does 133 point to?  The ifindex of this physical interface is 912 (0x390) 
>> (retrieved with SIOCGIFINDEX).
>
> Arbitrary index assigned by bridge for STP usage. Slots get reused as 
> ports are deleted and added.

So there is no way to get the physical interface from a mac address? Is 
there any way at all? Do you plan to add this functionality?
Would you accept a patch if I were to submit any (I can't guarantee anything 
atm) ?
As an example, Cisco IOS supports mac lookup just fine.

>
>>
>> Secondly,
>> I seem to be unable to add more than around 1024 interfaces to a single 
>> bridge. Is there a way to increase this limit?
>
> Increase BR_PORT_BITS (you can go up to 15) but you will lose priority 
> bits on the spanning tree.
> Also, why? Your performance is going to start to fall off with so many 
> interfaces. Can't you partition to multiple machines?

Perhaps it would be better to split it into multiple bridges. I was planning 
on having 1 bridge per router, and one router will have ~3000 interfaces. I 
will reconsider this. Thank you.

Joergen 
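The lookup this thread is asking for (learned MAC address to the bridge member it was learned on), as an added example that is not part of the thread or of bridge-utils. It parses the `brctl showmacs` listing quoted above and resolves the bridge's arbitrary port number through the per-port `port_no` attribute that the kernel exports in hex under `/sys/class/net/<bridge>/brif/<iface>/` (on current iproute2 systems `bridge fdb show` prints the member device directly, which makes the mapping step unnecessary). The interface names, the sysfs values and the lease cap are constructed assumptions. The lease limiter implements the per-interface cap described in the message, keyed on the ingress port rather than on the MAC, because, as the message itself notes, both the source MAC and the chaddr inside the DHCP payload can be forged while the port a frame arrives on cannot.

```python
import os
import re

# Constructed sample input: the `brctl showmacs test0` listing quoted in the thread.
SHOWMACS_OUTPUT = """\
port no mac addr                is local?       ageing timer
  2     00:04:e2:a8:3b:d7       no                 0.24
  1     00:08:a1:85:39:fd       no                17.31
133     00:0d:88:a3:61:4a       no                 9.90
  1     00:14:22:b0:cd:e0       yes                0.00
133     00:16:c7:f5:8f:e2       no                 0.48
"""

# Constructed: what /sys/class/net/<bridge>/brif/<iface>/port_no would contain for
# each bridge member (the kernel prints the attribute in hex). Interface names are
# hypothetical; port 0x85 == 133 is the port the thread asks about.
SAMPLE_PORT_NO_BY_IFACE = {"eth0": "0x1\n", "eth1": "0x2\n", "vlan901": "0x85\n"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_showmacs(text):
    """Parse `brctl showmacs` output into (port_no, mac, is_local, ageing) tuples.

    The header line and any malformed line are skipped rather than raising,
    because the tool's output is whitespace-aligned for humans, not machines.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        port_no, mac, is_local, ageing = parts
        mac = mac.lower()
        if not MAC_RE.match(mac):
            continue
        entries.append((int(port_no), mac, is_local == "yes", float(ageing)))
    return entries


def port_map_from_sysfs_values(port_no_by_iface):
    """Invert {iface: 'port_no text'} into {port_no_int: iface}."""
    return {int(v.strip(), 16): iface for iface, v in port_no_by_iface.items()}


def read_port_map(bridge):
    """Read the real port-number mapping from sysfs on a live Linux host."""
    brif = f"/sys/class/net/{bridge}/brif"  # one symlink per bridge member
    values = {}
    for iface in os.listdir(brif):
        with open(os.path.join(brif, iface, "port_no")) as fh:
            values[iface] = fh.read()
    return port_map_from_sysfs_values(values)


def iface_for_mac(mac, entries, port_map):
    """Return the member interface behind a learned (non-local) MAC, or None.

    Local entries are the bridge's own addresses and are deliberately ignored.
    """
    mac = mac.lower()
    for port_no, entry_mac, is_local, _ageing in entries:
        if entry_mac == mac and not is_local:
            return port_map.get(port_no)
    return None


class PerInterfaceLeaseLimiter:
    """Cap DHCP leases per ingress interface (the thread's 'max 5 ips per interface').

    Keyed on the interface, not the MAC: a client can forge its source MAC and
    the chaddr in the DHCP payload, but not the bridge port it arrives on.
    Renewals from a MAC already holding a lease on that interface do not
    consume an extra slot.
    """

    def __init__(self, max_per_iface=5):
        self.max_per_iface = max_per_iface
        self.leases = {}  # iface -> set of MACs currently holding a lease

    def grant(self, iface, mac):
        held = self.leases.setdefault(iface, set())
        mac = mac.lower()
        if mac in held:
            return True
        if len(held) >= self.max_per_iface:
            return False
        held.add(mac)
        return True
```

On a live host, `read_port_map("test0")` replaces the constructed `SAMPLE_PORT_NO_BY_IFACE`, and the showmacs text comes from running `brctl showmacs test0`. The result only tells you where the bridge last learned the MAC; a spoofed source address moves the entry to the attacker's port, so the lookup is useful for enforcing per-port limits and iptables interface matches, not for authenticating a client.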