bridge: add groupFwdMask support for multicast forwarding #1254

Open
VaishnavSreekumar wants to merge 13 commits into containernetworking:main from VaishnavSreekumar:group-fwd-mask-final

@VaishnavSreekumar

Overview

This PR adds support for configuring the groupFwdMask attribute in the bridge CNI plugin.

The Linux bridge supports controlling forwarding of link-local multicast traffic via:

/sys/class/net/<bridge>/bridge/group_fwd_mask

However, this functionality is currently not exposed through the CNI bridge plugin. This PR introduces an optional configuration field to enable this behavior.

Why this is needed

By default, Linux bridges drop certain link-local multicast frames (e.g., LLDP, PTP, LACP).

This becomes a limitation in environments that require precise multicast forwarding, such as:

  • PTP (IEEE 1588) – clock synchronization
  • Telecom networks (e.g., G.8275.1 profiles)
  • Network control protocols (LLDP, LACP)

This change enables users to explicitly configure forwarding behavior when needed.

Changes

  • New config field
      • Added optional groupFwdMask field to bridge NetConf
  • Validation
      • Ensures value is within valid range: 0–65535
  • Implementation
      • Writes mask to: /sys/class/net/<bridge>/bridge/group_fwd_mask
      • Safely ignores if not supported by the kernel

Security

  • Sanitizes bridge name using filepath.Base
  • Prevents invalid path traversal inputs

Behavior

  • If groupFwdMask is not specified → no change (default kernel behavior)
  • If set to 0 → no-op (preserves default behavior)
  • If set to a valid value → applied to bridge
  • If invalid value → CNI ADD fails with validation error

Example Configuration

{
  "type": "bridge",
  "bridge": "cni0",
  "groupFwdMask": 16384,
  "ipam": {
    "type": "host-local",
    "subnet": "10.10.0.0/16"
  }
}

Testing

  • Added tests in bridge_test.go following existing patterns

Verified:

  • Successful application of valid values
  • Failure for invalid values (e.g., -1, >65535)
  • Default behavior when value is 0
  • Tests validate actual sysfs value when supported

Backward Compatibility

  • Fully backward compatible
  • No behavior change when groupFwdMask is not provided

Related

dagrayvid and others added 5 commits May 2, 2026 16:39
Add two configuration options:

1. "gateways" ([]string): Static gateway IPs that override prevResult.
   Supports dual-stack (one IPv4 and/or one IPv6 address).

2. "addSourceHints" (bool): Preserves subnet routes in the main table
   with source IP hints, enabling destination-based routing to work
   alongside source-based routing

Example:
{
  "type": "sbr",
  "gateways": ["10.0.0.1"],
  "addSourceHints": true
}

Signed-off-by: David Whyte-Gray <40244437+dagrayvid@users.noreply.github.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
- Use 0.0.0.0/0 or ::/0 as source address when MasqAll is true for full traffic match

Signed-off-by: l1b0k <libokang.lbk@alibaba-inc.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
…ation

Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Apply group_fwd_mask only during bridge creation to avoid mutating
bridge forwarding behavior during container lifecycle. This ensures
compatibility with IPAM CHECK and existing bridge semantics.

Also validate existing bridge configuration to prevent silent mismatch.

Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
@VaishnavSreekumar VaishnavSreekumar force-pushed the group-fwd-mask-final branch 3 times, most recently from 4c2edac to 60d7de2 Compare May 4, 2026 20:15
Apply group_fwd_mask after bridge ports are attached to avoid
interfering with bridge datapath during setup.

Ensure idempotent behavior by setting only when default value is present
and validating existing configuration to prevent mismatches.

Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
Validate group_fwd_mask configuration without applying it at runtime,
to avoid interfering with bridge forwarding behavior and existing tests.

Signed-off-by: Vaishnav Sreekumar <vaishnavsreekumar301@gmail.com>
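
Added example, not code from this PR or from the plugins repository: one way to write the checks listed under Validation and Security in the description, in Go. The helper names are hypothetical. It rejects unsafe bridge names instead of rewriting them with filepath.Base, and it also flags bits 0-2, which mainline kernels refuse for group_fwd_mask (an assumption about the target kernel, not something the PR states).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Bits 0-2 (STP, MAC pause, LACP): mainline kernels refuse these with EINVAL.
const restrictedBits = 0x0007

// groupFwdMaskPath (hypothetical helper) rejects names the kernel would not
// accept as an interface name instead of rewriting them, then builds the path.
func groupFwdMaskPath(bridge string) (string, error) {
	if bridge == "" || bridge == "." || bridge == ".." || len(bridge) > 15 ||
		strings.ContainsAny(bridge, "/: \t\n\x00") {
		return "", fmt.Errorf("invalid bridge name %q", bridge)
	}
	return filepath.Join("/sys/class/net", bridge, "bridge", "group_fwd_mask"), nil
}

// validateGroupFwdMask (hypothetical helper) applies the PR's 0-65535 range
// check, then the restricted-bit check.
func validateGroupFwdMask(mask int) error {
	if mask < 0 || mask > 65535 {
		return fmt.Errorf("groupFwdMask %d out of range 0-65535", mask)
	}
	if mask&restrictedBits != 0 {
		return fmt.Errorf("groupFwdMask %#x sets restricted bits 0-2", mask)
	}
	return nil
}

// forwardedGroups lists the 01-80-C2-00-00-0X addresses a mask would forward.
func forwardedGroups(mask int) []string {
	var out []string
	for bit := 0; bit < 16; bit++ {
		if mask&(1<<bit) != 0 {
			out = append(out, fmt.Sprintf("01-80-C2-00-00-%02X", bit))
		}
	}
	return out
}

func main() {
	fmt.Println(filepath.Base("../../etc")) // Base rewrites the name, it does not reject it
	fmt.Println(groupFwdMaskPath("../../etc"))
	fmt.Println(forwardedGroups(16384), validateGroupFwdMask(16384)) // constructed inputs
	fmt.Println(validateGroupFwdMask(4))
}
```

The mask 16384 from the example configuration decodes to the single group address 01-80-C2-00-00-0E, while a mask of 4 (the LACP bit) fails the restricted-bit check.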