network: bridge: add support for NO_LL_LEARN

When using locked ports on a bridge link-local learning needs to be disabled to prevent the kernel from learning and automatically unlocking hosts based on link-local traffic. So add support for enabling NO_LL_LEARN for bridges.
2026-04-14 00:14:32 +09:00 · 2024-12-10 16:45:20 +01:00
parent 6566b4306a
commit d7de242ce7
6 changed files with 27 additions and 0 deletions
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -456,6 +456,16 @@
          <xi:include href="version-info.xml" xpointer="v257"/>
        </listitem>
      </varlistentry>
+      <varlistentry>
+        <term><varname>LinkLocalLearning=</varname></term>
+        <listitem>
+          <para>Takes a boolean. This enables learning source addresses from link local frames. When unset, the
+          kernel's default will be used.
+          </para>
+
+          <xi:include href="version-info.xml" xpointer="v258"/>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/src/network/netdev/bridge.c
+++ b/src/network/netdev/bridge.c
@@ -47,6 +47,7 @@ static int netdev_bridge_set_handler(sd_netlink *rtnl, sd_netlink_message *m, Ne

 static int netdev_bridge_post_create_message(NetDev *netdev, sd_netlink_message *req) {
        Bridge *b = BRIDGE(netdev);
+        struct br_boolopt_multi bm = {};
        int r;

        r = sd_netlink_message_open_container(req, IFLA_LINKINFO);
@@ -142,6 +143,17 @@ static int netdev_bridge_post_create_message(NetDev *netdev, sd_netlink_message
                        return r;
        }

+        if (b->linklocal_learn >= 0) {
+                bm.optmask |= 1 << BR_BOOLOPT_NO_LL_LEARN;
+                SET_FLAG(bm.optval, 1 << BR_BOOLOPT_NO_LL_LEARN, !b->linklocal_learn);
+        }
+
+        if (bm.optmask != 0) {
+                r = sd_netlink_message_append_data(req, IFLA_BR_MULTI_BOOLOPT, &bm, sizeof(bm));
+                if (r < 0)
+                        return r;
+        }
+
        r = sd_netlink_message_close_container(req);
        if (r < 0)
                return r;
@@ -279,6 +291,7 @@ static void bridge_init(NetDev *netdev) {
        b->default_pvid = VLANID_INVALID;
        b->forward_delay = USEC_INFINITY;
        b->ageing_time = USEC_INFINITY;
+        b->linklocal_learn = -1;
 }

 static bool bridge_can_set_mac(NetDev *netdev, const struct hw_addr_data *hw_addr) {
--- a/src/network/netdev/bridge.h
+++ b/src/network/netdev/bridge.h
@@ -21,6 +21,7 @@ typedef struct Bridge {
        uint8_t igmp_version;
        uint32_t fdb_max_learned;
        bool fdb_max_learned_set;
+        int linklocal_learn;

        usec_t forward_delay;
        usec_t hello_time;
--- a/src/network/netdev/netdev-gperf.gperf
+++ b/src/network/netdev/netdev-gperf.gperf
@@ -236,6 +236,7 @@ Bridge.VLANProtocol,                      config_parse_vlanprotocol,
 Bridge.STP,                               config_parse_tristate,                     0,                             offsetof(Bridge, stp)
 Bridge.MulticastIGMPVersion,              config_parse_uint8,                        0,                             offsetof(Bridge, igmp_version)
 Bridge.FDBMaxLearned,                     config_parse_bridge_fdb_max_learned,       0,                             offsetof(Bridge, fdb_max_learned)
+Bridge.LinkLocalLearning,                 config_parse_tristate,                     0,                             offsetof(Bridge, linklocal_learn)
 VRF.TableId,                              config_parse_uint32,                       0,                             offsetof(Vrf, table) /* deprecated */
 VRF.Table,                                config_parse_uint32,                       0,                             offsetof(Vrf, table)
 BareUDP.DestinationPort,                  config_parse_ip_port,                      0,                             offsetof(BareUDP, dest_port)
--- a/test/test-network/conf/25-bridge.netdev
+++ b/test/test-network/conf/25-bridge.netdev
@@ -18,3 +18,4 @@ VLANProtocol=802.1ad
 STP=true
 MulticastIGMPVersion=3
 FDBMaxLearned=4
+LinkLocalLearning=no
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -1682,6 +1682,7 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities):
        self.assertEqual(1,         int(read_link_attr('bridge99', 'bridge', 'multicast_snooping')))
        self.assertEqual(1,         int(read_link_attr('bridge99', 'bridge', 'stp_state')))
        self.assertEqual(3,         int(read_link_attr('bridge99', 'bridge', 'multicast_igmp_version')))
+        self.assertEqual(1,         int(read_link_attr('bridge99', 'bridge', 'no_linklocal_learn')))

        output = networkctl_status('bridge99')
        print(output)