bridge: add support for isolated option

This patch adds support for the new isolated port option which, if set,
would allow the isolated ports to communicate only with non-isolated
ports and the bridge device. The option can be set via the bridge or ip
link type bridge_slave commands, e.g.:
$ ip link set dev eth0 type bridge_slave isolated on
$ bridge link set dev eth0 isolated on

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>

bridge/link.c

@@ -152,6 +152,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
 		if (prtb[IFLA_BRPORT_VLAN_TUNNEL])
 			print_onoff(fp, "vlan_tunnel",
 				    rta_getattr_u8(prtb[IFLA_BRPORT_VLAN_TUNNEL]));
+		if (prtb[IFLA_BRPORT_ISOLATED])
+			print_onoff(fp, "isolated",
+				    rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
 	} else
 		print_portstate(rta_getattr_u8(attr));
 }
@@ -250,6 +253,7 @@ static void usage(void)
 	fprintf(stderr,	"                               [ mcast_flood {on | off} ]\n");
 	fprintf(stderr,	"                               [ neigh_suppress {on | off} ]\n");
 	fprintf(stderr,	"                               [ vlan_tunnel {on | off} ]\n");
+	fprintf(stderr,	"                               [ isolated {on | off} ]\n");
 	fprintf(stderr, "                               [ hwmode {vepa | veb} ]\n");
 	fprintf(stderr, "                               [ self ] [ master ]\n");
 	fprintf(stderr, "       bridge link show [dev DEV]\n");
@@ -291,6 +295,7 @@ static int brlink_modify(int argc, char **argv)
 	__s8 flood = -1;
 	__s8 vlan_tunnel = -1;
 	__s8 mcast_flood = -1;
+	__s8 isolated = -1;
 	__s8 hairpin = -1;
 	__s8 bpdu_guard = -1;
 	__s8 fast_leave = -1;
@@ -386,6 +391,10 @@ static int brlink_modify(int argc, char **argv)
 			if (!on_off("vlan_tunnel", &vlan_tunnel,
 				    *argv))
 				return -1;
+		} else if (strcmp(*argv, "isolated") == 0) {
+			NEXT_ARG();
+			if (!on_off("isolated", &isolated, *argv))
+				return -1;
 		} else {
 			usage();
 		}
@@ -444,6 +453,8 @@ static int brlink_modify(int argc, char **argv)
 	if (vlan_tunnel != -1)
 		addattr8(&req.n, sizeof(req), IFLA_BRPORT_VLAN_TUNNEL,
 			 vlan_tunnel);
+	if (isolated != -1)
+		addattr8(&req.n, sizeof(req), IFLA_BRPORT_ISOLATED, isolated);
 
 	addattr_nest_end(&req.n, nest);
 

ip/iplink_bridge_slave.c

@@ -40,6 +40,7 @@ static void print_explain(FILE *f)
 		"                        [ group_fwd_mask MASK ]\n"
 		"                        [ neigh_suppress {on | off} ]\n"
 		"                        [ vlan_tunnel {on | off} ]\n"
+		"                        [ isolated {on | off} ]\n"
 	);
 }
 
@@ -274,6 +275,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
 	if (tb[IFLA_BRPORT_VLAN_TUNNEL])
 		_print_onoff(f, "vlan_tunnel", "vlan_tunnel",
 			     rta_getattr_u8(tb[IFLA_BRPORT_VLAN_TUNNEL]));
+
+	if (tb[IFLA_BRPORT_ISOLATED])
+		_print_onoff(f, "isolated", "isolated",
+			     rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
 }
 
 static void bridge_slave_parse_on_off(char *arg_name, char *arg_val,
@@ -379,6 +384,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
 			NEXT_ARG();
 			bridge_slave_parse_on_off("vlan_tunnel", *argv, n,
 						  IFLA_BRPORT_VLAN_TUNNEL);
+		} else if (matches(*argv, "isolated") == 0) {
+			NEXT_ARG();
+			bridge_slave_parse_on_off("isolated", *argv, n,
+						  IFLA_BRPORT_ISOLATED);
 		} else if (matches(*argv, "help") == 0) {
 			explain();
 			return -1;

man/man8/bridge.8

@@ -48,6 +48,7 @@ bridge \- show / manipulate bridge addresses and devices
 .BR mcast_flood " { " on " | " off " } ] [ "
 .BR neigh_suppress " { " on " | " off " } ] [ "
 .BR vlan_tunnel " { " on " | " off " } ] [ "
+.BR isolated " { " on " | " off " } ] [ "
 .BR self " ] [ " master " ]"
 
 .ti -8
@@ -345,6 +346,11 @@ Controls whether neigh discovery (arp and nd) proxy and suppression is enabled o
 .BR "vlan_tunnel on " or " vlan_tunnel off "
 Controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off.
 
+.TP
+.BR "isolated on " or " isolated off "
+Controls whether a given port will be isolated, which means it will be able to communicate with non-isolated ports only.
+By default this flag is off.
+
 .TP
 .BI self
 link setting is configured on specified physical device

man/man8/ip-link.8.in

@@ -2068,9 +2068,11 @@ the following additional arguments are supported:
 ] [
 .BR group_fwd_mask " MASK"
 ] [
-.BR neigh_suppress " { " on " | " off " } ]"
+.BR neigh_suppress " { " on " | " off " }"
 ] [
-.BR vlan_tunnel " { " on " | " off " } ]"
+.BR vlan_tunnel " { " on " | " off " }"
+] [
+.BR isolated " { " on " | " off " } ]"
 
 .in +8
 .sp