5 虚拟网桥

Linux下的Bridge也是一种虚拟设备，这多少和vlan有点相似，它依赖于一个或多个从设备。与VLAN不同的是，它不是虚拟出和从设备同一层次的镜像设备，而是虚拟出一个高一层次的设备，并把从设备虚拟化为端口port，且同时处理各个从设备的数据收发及转发，再加上netfilter框架的一些东西，使得它的实现相比vlan复杂得多。

linux下配置网桥的命令：

brctl addbr br0 /* 创建虚拟网桥br0 */
brctl addif br0 eth0 /* 把物理设备eth0虚拟成网桥的端口 */
brctl addif br0 eth1 /* 把物理设备eth1虚拟成网桥的端口 */
ifconfig br0 192.168.1.1 /* 配置虚拟网桥设备的IP */

创建虚拟网桥

brctl addbr br0

/* 用户空间brctl程序 */

/* @brname = "br0" */
int br_add_bridge(const char *brname)
{
    ioctl(br_socket_fd, SIOCBRADDBR, brname);
}

内核初始化时，注册了回调函数br_ioctl_deviceless_stub()，用户空间的ioctl最终调用到该函数。

static int (*br_ioctl_hook) (struct net *, unsigned int cmd, void __user *arg);

static int __init br_init(void)
{
    /* 设置br_ioctl_hook = br_ioctl_deviceless_stub */
    brioctl_set(br_ioctl_deviceless_stub);
}

static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
{
    struct socket *sock;
    struct sock *sk;
    void __user *argp = (void __user *)arg;
    int pid, err;
    struct net *net;

    switch (cmd) {
    case SIOCBRADDBR:
    case SIOCBRDELBR:
        if (!br_ioctl_hook)
            request_module("bridge"); /* 加载模块 */

        if (br_ioctl_hook)
            err = br_ioctl_hook(net, cmd, argp); /* br_ioctl_deviceless_stub() */
    }
}

static const struct file_operations socket_file_ops = {
    .unlocked_ioctl = sock_ioctl,
};

br_ioctl_deviceless_stub()根据用户空间的命令，执行相应的内核操作。如果是增加一个虚拟网桥，则调用br_add_bridge()。

int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *uarg)
{
    switch (cmd) {
    case SIOCBRADDBR:
    case SIOCBRDELBR:
    {
        char buf[IFNAMSIZ];

        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
            return -EPERM;

        if (copy_from_user(buf, uarg, IFNAMSIZ))
            return -EFAULT;

        buf[IFNAMSIZ-1] = 0;
        if (cmd == SIOCBRADDBR)
            return br_add_bridge(net, buf);

        return br_del_bridge(net, buf);
    }
    }
    return -EOPNOTSUPP;
}

br_add_bridge()完成网桥设备的动态创建、初始化，并添加到系统中。参数@name就是用户空间命令brctl addbr br0的网桥名称“br0”。

int br_add_bridge(struct net *net, const char *name)
{
    struct net_device *dev;
    int res;

    dev = alloc_netdev(sizeof(struct net_bridge), name, NET_NAME_UNKNOWN,
               br_dev_setup);
    dev_net_set(dev, net);
    dev->rtnl_link_ops = &br_link_ops;

    res = register_netdev(dev);
    return res;
}

#define alloc_netdev(sizeof_priv, name, name_assign_type, setup) \
    alloc_netdev_mqs(sizeof_priv, name, name_assign_type, setup, 1, 1)

br_dev_setup()初始化net_bridge与net_devcie结构体，以及虚拟网桥的组播、生成树协议的参数。

void br_dev_setup(struct net_device *dev)
{
    struct net_bridge *br = netdev_priv(dev); /*因为net_device分配的内存是在
                net_bridge后面，且是连续的内存空间，所以通过dev可以获得br的起始地址 */

    eth_hw_addr_random(dev); /* dev.dev_addr设置成随机本地单播mac地址 */
    ether_setup(dev); /* 设置以太网属性，包括mtu，包头长度，广播地址等等。
                         dev->priv_flags = IFF_XMIT_DST_RELEASE | 
                                           IFF_XMIT_DST_RELEASE_PERM |
                                           IFF_TX_SKB_SHARING*/

    dev->netdev_ops = &br_netdev_ops; /* 挂接网桥的驱动程序 */
    dev->destructor = br_dev_free;
    dev->ethtool_ops = &br_ethtool_ops;
    SET_NETDEV_DEVTYPE(dev, &br_type);
    dev->priv_flags = IFF_EBRIDGE | IFF_NO_QUEUE;

    dev->features = COMMON_FEATURES | NETIF_F_LLTX | NETIF_F_NETNS_LOCAL |
            NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX;
    dev->hw_features = COMMON_FEATURES | NETIF_F_HW_VLAN_CTAG_TX |
               NETIF_F_HW_VLAN_STAG_TX;
    dev->vlan_features = COMMON_FEATURES;

    br->dev = dev; /* struct net_bridge的成员dev指向struct net_device */
    spin_lock_init(&br->lock);
    INIT_LIST_HEAD(&br->port_list);
    spin_lock_init(&br->hash_lock);

    br->bridge_id.prio[0] = 0x80;
    br->bridge_id.prio[1] = 0x00;

    /* 设置组播地址 = ｛0x01, 0x80, 0xc2, 0x00, 0x00, 0x00｝ */
    ether_addr_copy(br->group_addr, eth_reserved_addr_base);

    /* 设置生成树参数 */
    br->stp_enabled = BR_NO_STP;
    br->group_fwd_mask = BR_GROUPFWD_DEFAULT;
    br->group_fwd_mask_required = BR_GROUPFWD_DEFAULT;
    br->designated_root = br->bridge_id;
    br->bridge_max_age = br->max_age = 20 * HZ;
    br->bridge_hello_time = br->hello_time = 2 * HZ;
    br->bridge_forward_delay = br->forward_delay = 15 * HZ;
    br->ageing_time = BR_DEFAULT_AGEING_TIME;

    br_netfilter_rtable_init(br); /* netfilter */
    br_stp_timer_init(br); /* 设备生成树定时器的回调函数 */
    br_multicast_init(br); /* 设置组播参数，及组播定时器的回调函数 */
}

br_dev_init()初始化vid1，创建本机mac地址转发表。

static int br_dev_init(struct net_device *dev)
{
    struct net_bridge *br = netdev_priv(dev);

    br_vlan_init(br);
}

int br_vlan_init(struct net_bridge *br)
{
    br->vlan_proto = htons(ETH_P_8021Q); /* vlan协议标识符0x8100 */
    br->default_pvid = 1; /* 默认pvid = 1  */
    return br_vlan_add(br, 1,
               BRIDGE_VLAN_INFO_PVID | BRIDGE_VLAN_INFO_UNTAGGED);
}

int br_vlan_add(struct net_bridge *br, u16 vid, u16 flags)
{
    struct net_port_vlans *pv = NULL;

    pv = kzalloc(sizeof(*pv), GFP_KERNEL);
    pv->parent.br = br; /* 配置vlan所属网桥，即vlan对哪个网桥生效 */
    __vlan_add(pv, vid, flags);
}

static int __vlan_add(struct net_port_vlans *v, u16 vid, u16 flags)
{
    struct net_bridge_port *p = NULL;
    struct net_bridge *br;
    struct net_device *dev;
    int err;

    if (test_bit(vid, v->vlan_bitmap)) { /* 要添加的vlan，是否已经存在了 */
        __vlan_add_flags(v, vid, flags); /* 如果vlan已经存在，则根据br_vlan_add()
                        的标志位参数，设置或删除pvid，设置或删除untagged_bitmap[] */
        return 0;
    }

/* 如果是新添加的vlan则继续往下执行 */

    if (v->port_idx) {
        p = v->parent.port;
        br = p->br;
        dev = p->dev;
    } else {
        br = v->parent.br;
        dev = br->dev;
    }

    if (p) {
        /* Add VLAN to the device filter if it is supported.
         * This ensures tagged traffic enters the bridge when
         * promiscuous mode is disabled by br_manage_promisc().
         */
        vlan_vid_add(dev, br->vlan_proto, vid);
    }

    /* 添加设备的mac地址到桥转发表 */
    br_fdb_insert(br, p, dev->dev_addr, vid);

    set_bit(vid, v->vlan_bitmap);
    v->num_vlans++;
    __vlan_add_flags(v, vid, flags);

    return 0;

out_filt:
    if (p)
        vlan_vid_del(dev, br->vlan_proto, vid);
    return err;
}

int br_fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
          const unsigned char *addr, u16 vid)
{
    fdb_insert(br, source, addr, vid);
}

static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
          const unsigned char *addr, u16 vid)
{
    /* 通过mac地址与vid组合，计算hash键值 */
    struct hlist_head *head = &br->hash[br_mac_hash(addr, vid)];
    struct net_bridge_fdb_entry *fdb;

    /* 全0 mac地址，或者多播地址不应该加入转发表 */
    if (!is_valid_ether_addr(addr))
        return -EINVAL;

    fdb = fdb_find(head, addr, vid); /* br.hash[]表保存mac转发表，遍历此表，返回
                        匹配mac地址与vid的fdb结构体 */
    /* 如果mac地址、vid组合已经存在，且属于本端口，则直接返回。
       如果已经存在，但不属于本端口，说明发生了地址迁移，则刷新fdb：先删除fdb，再添加 */
    if (fdb) {
        if (fdb->is_local)
            return 0;
        fdb_delete(br, fdb);
    }

    /* 如果fdb不存在要添加的mac+vid表项，则创建fdb，并添加到br->hash[]链表里。
       这里创建了设备自身的mac+vid1表项。 */
    fdb = fdb_create(head, source, addr, vid);
    fdb->is_local = fdb->is_static = 1; /* 把表项设置为本地、静态（不被老化） */
    fdb_add_hw_addr(br, addr);
    fdb_notify(br, fdb, RTM_NEWNEIGH); /* 创建netlink消息并发送 */
    return 0;
}

图中dev没有指向br的指针，那怎么从dev获取到br呢？因为dev与br是同时申请的连续内存空间，所以通过dev的指针+dev的size，就可以获得br的指针了。

添加网桥端口

brctl addif br0 eth0

/* 用户空间brctl程序 */

/* @bridge = "br0", @dev = "eth0" */
int br_add_interface(const char *bridge, const char *dev)
{
    struct ifreq ifr;
    int ifindex = if_nametoindex(dev);

    if (ifindex == 0) 
        return ENODEV;
    
    strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
    ifr.ifr_ifindex = ifindex;
    ioctl(br_socket_fd, SIOCBRADDIF, &ifr);
}

创建的网桥设备“br0”已经挂接了驱动程序br_netdev_ops，所以对“br0”进行添加端口从设备时，会调用到br_netdev_ops->ndo_do_ioctl()，即br_dev_ioctl()。

/* @rq.ifr_name = "br0", @rq.ifr_ifindex = "eth0转化的ifindex" */
int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
{
    struct net_bridge *br = netdev_priv(dev);

    switch (cmd) {
    case SIOCBRADDIF:
    case SIOCBRDELIF:
        return add_del_if(br, rq->ifr_ifindex, cmd == SIOCBRADDIF);
    }
}

static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
{
    struct net *net = dev_net(br->dev);
    struct net_device *dev;
    int ret;

    if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
        return -EPERM;

    /* 匹配@ifindex：在创建网桥时，网桥生成了一个ifindex，并通过list_netdevice()把
       net->dev_index_head[].first指向dev.index_hlist，这样通过net就获取到了
       dev.ifindex */
    dev = __dev_get_by_index(net, ifindex);

    if (isadd)
        br_add_if(br, dev);
    else
        br_del_if(br, dev);
}

int br_add_if(struct net_bridge *br, struct net_device *dev)
{
    if ((dev->flags & IFF_LOOPBACK) ||
        dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN ||
        !is_valid_ether_addr(dev->dev_addr) ||
        netdev_uses_dsa(dev))
        return -EINVAL;

    /* 虚拟网桥不能当做端口加入到另一个虚拟网桥中，即虚拟网桥不能桥接虚拟网桥，会出现回
       环。因为虚拟网桥的dev->netdev_ops = &br_netdev_ops，所以可作为判断依据 */
    if (dev->netdev_ops->ndo_start_xmit == br_dev_xmit)
        return -ELOOP;

    /* 判断设备是否已经加入到其他网桥里了，判断依据dev->priv_flags & IFF_BRIDGE_PORT
       */
    if (br_port_exists(dev))
        return -EBUSY;

    /* 某些设备是不能桥接的 */
    if (dev->priv_flags & IFF_DONT_BRIDGE)
        return -EOPNOTSUPP;

    p = new_nbp(br, dev); /* 创建网桥端口数据并初始化 */
}

static struct net_bridge_port *new_nbp(struct net_bridge *br,
                       struct net_device *dev)
{
    int index;
    struct net_bridge_port *p;

    index = find_portno(br); /* 获取最小可用端口号 */
    if (index < 0)
        return ERR_PTR(index);

    p = kzalloc(sizeof(*p), GFP_KERNEL);
    if (p == NULL)
        return ERR_PTR(-ENOMEM);

    p->br = br;
    dev_hold(dev);
    p->dev = dev;
    p->path_cost = port_cost(dev);
    p->priority = 0x8000 >> BR_PORT_BITS;
    p->port_no = index;
    p->flags = BR_LEARNING | BR_FLOOD;
    br_init_port(p);
    br_set_state(p, BR_STATE_DISABLED);
    br_stp_port_timer_init(p);
    br_multicast_add_port(p);

    return p;
}