Macvlan bridge mode currently does not handle the case where an
external source shares its MAC address with a local macvlan interface.
When such a frame arrives, macvlan_hash_lookup() matches the source
MAC to the local macvlan, and macvlan_multicast_rx() assumes bridge
ports already received the frame during local transmission. Since the
frame actually originated externally, bridge ports never saw it.
This situation arises with protocols like VRRP, where multiple hosts
use the same virtual MAC address.
Support this by passing NULL as the source device and including
MACVLAN_MODE_BRIDGE in the mode mask for the else branch of
macvlan_multicast_rx(). This ensures all VEPA and bridge mode macvlan
interfaces receive incoming multicast regardless of source MAC
matching. The trade-off is that looped-back locally-originated
multicasts may be delivered to bridge ports a second time, but
multicast consumers already handle duplicate frames.
Signed-off-by: Kibaek Yoo <psykibaek@gmail.com>
Link: https://patch.msgid.link/20260228071613.4360-1-psykibaek@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
MACVLAN_MODE_BRIDGE);
else
/*
- * flood only to VEPA ports, bridge ports
- * already saw the frame on the way out.
+ * Flood to VEPA and bridge ports. We cannot distinguish
+ * a looped-back locally-originated multicast from one
+ * sent by an external source sharing the same source MAC
+ * (e.g., VRRP virtual MAC), so deliver to bridge ports
+ * as well to ensure correct reception in all cases.
*/
- macvlan_broadcast(skb, port, src->dev,
- MACVLAN_MODE_VEPA);
+ macvlan_broadcast(skb, port, NULL,
+ MACVLAN_MODE_VEPA |
+ MACVLAN_MODE_BRIDGE);
}
static void macvlan_process_broadcast(struct work_struct *w)
projects / thirdparty / kernel / linux.git / commitdiff
