bridge: add group_fwd_mask support for multicast forwarding (PTP)

[VaishnavSreekumar]

Adds support for configuring the group_fwd_mask attribute in the bridge CNI plugin. This allows the Linux bridge to forward specific link-local multicast frames (e.g., LLDP, PTP, or LACP) that are typically dropped by default.

Why is this needed?

Currently, the Linux kernel allows overriding default bridge behavior via /sys/class/net//bridge/group_fwd_mask, but the CNI bridge plugin lacks an interface to expose this configuration. This is a blocker for high-precision networking environments, specifically:

PTP (IEEE 1588): Used for sub-microsecond clock synchronization.

Telecom Profiles: Environments utilizing G.8275.1 that require specific multicast forwarding.

Changes

Schema Update: Added GroupFwdMask as an optional integer field to the NetConf struct.

Sysfs Integration: Implemented logic to write the user-defined mask to the bridge's sysfs path during setup.

Validation: Included checks to ensure the value is only applied when explicitly set, maintaining default kernel behavior otherwise.

Proposed Configuration

Users can now specify the mask in their CNI configuration file:

JSON

{
  "type": "bridge",
  "name": "mynet",
  "bridge": "cni0",
  "groupFwdMask": 16384,
  "ipam": {
    "type": "host-local",
    "subnet": "10.10.0.0/16"
  }
}

Technical Details

Backward Compatibility: Fully backward compatible; if the field is omitted, no changes are made to the bridge mask.

Target Version: Intended for integration into upcoming Kubernetes network driver releases.

Testing Done

Verified that the group_fwd_mask file in /sys is correctly updated when the CNI is invoked.

Confirmed that PTP traffic (multicast MAC 01-80-C2-00-00-0E) is forwarded when the mask is set appropriately.

Release note

bridge: add group_fwd_mask configuration to control multicast forwarding behavior