Up until now there was no way to specifically target the VLAN attributes and
membership of the CPU port of a DSA switch. This forced drivers to either
always have the CPU port be "VLAN tagged" (b53) in every VLAN that gets added
to the front-panel/user facing ports, or when the switch supports it, use an
"unmodified" semantic (mv88e6xxx).
This is less than ideal because there are cases where we might not even want to
have the CPU port be part of the same VLAN than its user facing ports, e.g: to
isolate a group of noisy stations. There are also cases where we want to
control exactly how the CPU port receives VLAN traffic such that proper
separation/identification can occur.
Make this possible by flagging events targeting an orig_dev which is a bridge
master and using that as a hint to mean that we want to configure the
CPU/management port. This is compatible with multiple bridges over the same
switch in that, an user still has the responsibility to create separate
broadcast domains with separate VLAN databases/IDs per bridge.
Signed-off-by: Florian Fainelli <[email protected]>
---
Andrew, Vivien,
Could you test this on mv88e6xxx to make sure there is no regression? Thanks
net/dsa/port.c | 4 ++--
net/dsa/switch.c | 5 ++++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/dsa/port.c b/net/dsa/port.c
index ed0595459df1..37385e491117 100644
--- a/net/dsa/port.c
+++ b/net/dsa/port.c
@@ -253,7 +253,7 @@ int dsa_port_vlan_add(struct dsa_port *dp,
};
if (netif_is_bridge_master(vlan->obj.orig_dev))
- return -EOPNOTSUPP;
+ info.port = dp->cpu_dp->index;
if (br_vlan_enabled(dp->bridge_dev))
return dsa_port_notify(dp, DSA_NOTIFIER_VLAN_ADD, &info);
@@ -271,7 +271,7 @@ int dsa_port_vlan_del(struct dsa_port *dp,
};
if (netif_is_bridge_master(vlan->obj.orig_dev))
- return -EOPNOTSUPP;
+ info.port = dp->cpu_dp->index;
if (br_vlan_enabled(dp->bridge_dev))
return dsa_port_notify(dp, DSA_NOTIFIER_VLAN_DEL, &info);
diff --git a/net/dsa/switch.c b/net/dsa/switch.c
index b93511726069..d69bcc8f9ba2 100644
--- a/net/dsa/switch.c
+++ b/net/dsa/switch.c
@@ -211,8 +211,11 @@ static int dsa_switch_vlan_add(struct dsa_switch *ds,
bitmap_zero(members, ds->num_ports);
if (ds->index == info->sw_index)
set_bit(info->port, members);
+ /* CPU port is configured via dsa_port_vlan_add() with events
+ * targeting the bridge device
+ */
for (port = 0; port < ds->num_ports; port++)
- if (dsa_is_cpu_port(ds, port) || dsa_is_dsa_port(ds, port))
+ if (dsa_is_dsa_port(ds, port))
set_bit(port, members);
if (switchdev_trans_ph_prepare(trans))
--
2.14.1
Florian Fainelli <[email protected]> writes:
> if (netif_is_bridge_master(vlan->obj.orig_dev))
> - return -EOPNOTSUPP;
> + info.port = dp->cpu_dp->index;
The condition above will trigger also when a VLAN is added on a member
port, and there's no other port with that VLAN. In that case the VLAN
comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
to get the bridge VLANs:
if (netif_is_bridge_master(orig_dev)) {
[...]
if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
[...]
This doesn't appear to be done in DSA unless I'm missing something.
Thanks,
Petr
On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
> Florian Fainelli <[email protected]> writes:
>
> > if (netif_is_bridge_master(vlan->obj.orig_dev))
> > - return -EOPNOTSUPP;
> > + info.port = dp->cpu_dp->index;
>
> The condition above will trigger also when a VLAN is added on a member
> port, and there's no other port with that VLAN. In that case the VLAN
> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
> to get the bridge VLANs:
>
> if (netif_is_bridge_master(orig_dev)) {
> [...]
> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
> [...]
>
> This doesn't appear to be done in DSA unless I'm missing something.
Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
is not already a member.
This command has BRIDGE_VLAN_INFO_BRENTRY set:
bridge vlan add dev br0 vid 100 pvid untagged self
I had the same issue on my CPSW RFC and solved it
exactly the same was as Petr suggested.
>
> Thanks,
> Petr
Regards
Ilias
On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
>> Florian Fainelli <[email protected]> writes:
>>
>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
>>> - return -EOPNOTSUPP;
>>> + info.port = dp->cpu_dp->index;
>>
>> The condition above will trigger also when a VLAN is added on a member
>> port, and there's no other port with that VLAN. In that case the VLAN
>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
>> to get the bridge VLANs:
>>
>> if (netif_is_bridge_master(orig_dev)) {
>> [...]
>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
>> [...]
>>
>> This doesn't appear to be done in DSA unless I'm missing something.
> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
> is not already a member.
>
> This command has BRIDGE_VLAN_INFO_BRENTRY set:
> bridge vlan add dev br0 vid 100 pvid untagged self
> I had the same issue on my CPSW RFC and solved it
> exactly the same was as Petr suggested.
Humm, there must be something obvious I am missing, but the following
don't exactly result in what I would expect after adding a check for
vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
brctl addbr br0
echo 1 > /sys/class/net/br0/bridge/vlan_filtering
brctl addif br0 lan1
#1 results in lan1 being programmed with VID 1, PVID, untagged, but not
the CPU port. I would have sort of expected that the bridge layer would
also push the configuration to br0/CPU port since this is the default VLAN:
bridge vlan show dev br0
port vlan ids
br0 1 PVID Egress Untagged
But it does not.
bridge vlan add vid 2 dev lan1
#2 same thing, results in only lan1 being programmed with VID 2, tagged
but that is expected because we are creating the VLAN only for the
user-facing port.
bridge vlan add vid 3 dev br0 self
#3 results in the CPU port being programmed with VID 3, tagged, again,
this is expected because we are only programming the bridge master/CPU
port here.
Does #1 also happen for cpsw and mlxsw or do you actually get events
about the bridge's default VLAN configuration? Or does the switch driver
actually need to obtain that at the time the port is enslaved somehow?
Thanks!
--
Florian
Florian Fainelli <[email protected]> writes:
> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
>> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
>>> Florian Fainelli <[email protected]> writes:
>>>
>>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
>>>> - return -EOPNOTSUPP;
>>>> + info.port = dp->cpu_dp->index;
>>>
>>> The condition above will trigger also when a VLAN is added on a member
>>> port, and there's no other port with that VLAN. In that case the VLAN
>>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
>>> to get the bridge VLANs:
>>>
>>> if (netif_is_bridge_master(orig_dev)) {
>>> [...]
>>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
>>> [...]
>>>
>>> This doesn't appear to be done in DSA unless I'm missing something.
>> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
>> is not already a member.
>>
>> This command has BRIDGE_VLAN_INFO_BRENTRY set:
>> bridge vlan add dev br0 vid 100 pvid untagged self
>> I had the same issue on my CPSW RFC and solved it
>> exactly the same was as Petr suggested.
>
> Humm, there must be something obvious I am missing, but the following
> don't exactly result in what I would expect after adding a check for
> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
>
> brctl addbr br0
> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
> brctl addif br0 lan1
From what I see, the CPU port is configured with VLAN 1 as soon as the
bridge is created:
# brctl addbr br
# bridge v sh dev br
port vlan ids
br 1 PVID Egress Untagged
I expect there are events for this (but I didn't check), but the driver
won't see them, because it doesn't have any ports attached to the bridge
yet.
> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
> the CPU port. I would have sort of expected that the bridge layer would
> also push the configuration to br0/CPU port since this is the default VLAN:
>
> bridge vlan show dev br0
> port vlan ids
> br0 1 PVID Egress Untagged
OK, apparently we are talking past each other. When you say "CPU port",
is "br0" not what you have in mind? Because I see 1 configured at br0 in
your listings.
> bridge vlan add vid 2 dev lan1
>
> #2 same thing, results in only lan1 being programmed with VID 2, tagged
> but that is expected because we are creating the VLAN only for the
> user-facing port.
>
> bridge vlan add vid 3 dev br0 self
>
> #3 results in the CPU port being programmed with VID 3, tagged, again,
> this is expected because we are only programming the bridge master/CPU
> port here.
>
> Does #1 also happen for cpsw and mlxsw or do you actually get events
> about the bridge's default VLAN configuration? Or does the switch driver
> actually need to obtain that at the time the port is enslaved somehow?
I don't think we care about the CPU port in mlxsw. If the packet matches
one of the local MACs, it gets trapped anyway, so all this stuff is then
handled in slow path.
Petr
On 08/14/2018 11:17 AM, Petr Machata wrote:
> Florian Fainelli <[email protected]> writes:
>
>> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
>>> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
>>>> Florian Fainelli <[email protected]> writes:
>>>>
>>>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
>>>>> - return -EOPNOTSUPP;
>>>>> + info.port = dp->cpu_dp->index;
>>>>
>>>> The condition above will trigger also when a VLAN is added on a member
>>>> port, and there's no other port with that VLAN. In that case the VLAN
>>>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
>>>> to get the bridge VLANs:
>>>>
>>>> if (netif_is_bridge_master(orig_dev)) {
>>>> [...]
>>>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
>>>> [...]
>>>>
>>>> This doesn't appear to be done in DSA unless I'm missing something.
>>> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
>>> is not already a member.
>>>
>>> This command has BRIDGE_VLAN_INFO_BRENTRY set:
>>> bridge vlan add dev br0 vid 100 pvid untagged self
>>> I had the same issue on my CPSW RFC and solved it
>>> exactly the same was as Petr suggested.
>>
>> Humm, there must be something obvious I am missing, but the following
>> don't exactly result in what I would expect after adding a check for
>> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
>>
>> brctl addbr br0
>> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
>> brctl addif br0 lan1
>
> From what I see, the CPU port is configured with VLAN 1 as soon as the
> bridge is created:
>
> # brctl addbr br
> # bridge v sh dev br
> port vlan ids
> br 1 PVID Egress Untagged
>
> I expect there are events for this (but I didn't check), but the driver
> won't see them, because it doesn't have any ports attached to the bridge
> yet.
Correct, there are no ports attached yet.
>
>> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
>> the CPU port. I would have sort of expected that the bridge layer would
>> also push the configuration to br0/CPU port since this is the default VLAN:
>>
>> bridge vlan show dev br0
>> port vlan ids
>> br0 1 PVID Egress Untagged
>
> OK, apparently we are talking past each other. When you say "CPU port",
> is "br0" not what you have in mind? Because I see 1 configured at br0 in
> your listings.
Yes, when I write "CPU/management" port, I mean br0 here, or at least,
when we see an event targeting br0, we re-generate it to target the
CPU/management port of the switch here.
VLAN 1 is definitively added to the br0 interface as a BR_ENTRY but we
also need to program the CPU port of the switch to be in this VLAN entry.
>
>> bridge vlan add vid 2 dev lan1
>>
>> #2 same thing, results in only lan1 being programmed with VID 2, tagged
>> but that is expected because we are creating the VLAN only for the
>> user-facing port.
>>
>> bridge vlan add vid 3 dev br0 self
>>
>> #3 results in the CPU port being programmed with VID 3, tagged, again,
>> this is expected because we are only programming the bridge master/CPU
>> port here.
>>
>> Does #1 also happen for cpsw and mlxsw or do you actually get events
>> about the bridge's default VLAN configuration? Or does the switch driver
>> actually need to obtain that at the time the port is enslaved somehow?
>
> I don't think we care about the CPU port in mlxsw. If the packet matches
> one of the local MACs, it gets trapped anyway, so all this stuff is then
> handled in slow path.
OK, that makes sense, you really don't have a notion of a CPU/management
port like we do in DSA switches.
On those switches, the Ethernet MAC is connected to the management port
of the switch, and so, at the time you enslave the first user-facing
port, we must configure both the CPU/management port of the switch as
well as the user-facing port to be within the desired VLAN IDs (and
attributes) in order for packets to ingress (when vlan_filtering is
enabled).
I suppose the way forward is to either query the bridge layer for the
default_pvid at the time of enslavement of the ports, or, "replay" the
event that led to the creation of the default br0 VLAN entry? First
option means we can make this specific to DSA (and similar
configurations) whereas the other means we might have to update all
switchdev drivers and possibly ignore that "replay" event.
Does that make sense?
--
Florian
On Fri, Aug 10, 2018 at 04:58:10PM -0700, Florian Fainelli wrote:
> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
> > On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
> >> Florian Fainelli <[email protected]> writes:
> >>
> >>> if (netif_is_bridge_master(vlan->obj.orig_dev))
> >>> - return -EOPNOTSUPP;
> >>> + info.port = dp->cpu_dp->index;
> >>
> >> The condition above will trigger also when a VLAN is added on a member
> >> port, and there's no other port with that VLAN. In that case the VLAN
> >> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
> >> to get the bridge VLANs:
> >>
> >> if (netif_is_bridge_master(orig_dev)) {
> >> [...]
> >> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
> >> [...]
> >>
> >> This doesn't appear to be done in DSA unless I'm missing something.
> > Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
> > is not already a member.
> >
> > This command has BRIDGE_VLAN_INFO_BRENTRY set:
> > bridge vlan add dev br0 vid 100 pvid untagged self
> > I had the same issue on my CPSW RFC and solved it
> > exactly the same was as Petr suggested.
>
> Humm, there must be something obvious I am missing, but the following
> don't exactly result in what I would expect after adding a check for
> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
>
> brctl addbr br0
> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
> brctl addif br0 lan1
>
> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
> the CPU port. I would have sort of expected that the bridge layer would
> also push the configuration to br0/CPU port since this is the default VLAN:
>
> bridge vlan show dev br0
> port vlan ids
> br0 1 PVID Egress Untagged
>
> But it does not.
>
> bridge vlan add vid 2 dev lan1
>
> #2 same thing, results in only lan1 being programmed with VID 2, tagged
> but that is expected because we are creating the VLAN only for the
> user-facing port.
>
> bridge vlan add vid 3 dev br0 self
>
> #3 results in the CPU port being programmed with VID 3, tagged, again,
> this is expected because we are only programming the bridge master/CPU
> port here.
>
> Does #1 also happen for cpsw and mlxsw or do you actually get events
> about the bridge's default VLAN configuration? Or does the switch driver
> actually need to obtain that at the time the port is enslaved somehow?
As long as ports are attached you get the events (one event per attached port
iirc)
if the event is checked against BRIDGE_VLAN_INFO_BRENTRY, the only way to add a
VLAN to the cpu port is via 'bridge vlan add vid 3 dev br0 self'
>
> Thanks!
> --
> Florian
/Ilias
On 08/28/2018 01:32 AM, Ilias Apalodimas wrote:
> On Fri, Aug 10, 2018 at 04:58:10PM -0700, Florian Fainelli wrote:
>> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
>>> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
>>>> Florian Fainelli <[email protected]> writes:
>>>>
>>>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
>>>>> - return -EOPNOTSUPP;
>>>>> + info.port = dp->cpu_dp->index;
>>>>
>>>> The condition above will trigger also when a VLAN is added on a member
>>>> port, and there's no other port with that VLAN. In that case the VLAN
>>>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
>>>> to get the bridge VLANs:
>>>>
>>>> if (netif_is_bridge_master(orig_dev)) {
>>>> [...]
>>>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
>>>> [...]
>>>>
>>>> This doesn't appear to be done in DSA unless I'm missing something.
>>> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
>>> is not already a member.
>>>
>>> This command has BRIDGE_VLAN_INFO_BRENTRY set:
>>> bridge vlan add dev br0 vid 100 pvid untagged self
>>> I had the same issue on my CPSW RFC and solved it
>>> exactly the same was as Petr suggested.
>>
>> Humm, there must be something obvious I am missing, but the following
>> don't exactly result in what I would expect after adding a check for
>> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
>>
>> brctl addbr br0
>> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
>> brctl addif br0 lan1
>>
>> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
>> the CPU port. I would have sort of expected that the bridge layer would
>> also push the configuration to br0/CPU port since this is the default VLAN:
>>
>> bridge vlan show dev br0
>> port vlan ids
>> br0 1 PVID Egress Untagged
>>
>> But it does not.
>>
>> bridge vlan add vid 2 dev lan1
>>
>> #2 same thing, results in only lan1 being programmed with VID 2, tagged
>> but that is expected because we are creating the VLAN only for the
>> user-facing port.
>>
>> bridge vlan add vid 3 dev br0 self
>>
>> #3 results in the CPU port being programmed with VID 3, tagged, again,
>> this is expected because we are only programming the bridge master/CPU
>> port here.
>>
>> Does #1 also happen for cpsw and mlxsw or do you actually get events
>> about the bridge's default VLAN configuration? Or does the switch driver
>> actually need to obtain that at the time the port is enslaved somehow?
> As long as ports are attached you get the events (one event per attached port
> iirc)
> if the event is checked against BRIDGE_VLAN_INFO_BRENTRY, the only way to add a
> VLAN to the cpu port is via 'bridge vlan add vid 3 dev br0 self'
Do we have a guarantee that upon port enslavement, whatever default_pvid
is configured on the bridge master device also happens to be the port's
default_pvid settings as well?
--
Florian
вт, 28 авг. 2018 г. в 20:00, Florian Fainelli <[email protected]>:
>
> On 08/28/2018 01:32 AM, Ilias Apalodimas wrote:
> > On Fri, Aug 10, 2018 at 04:58:10PM -0700, Florian Fainelli wrote:
> >> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
> >>> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
> >>>> Florian Fainelli <[email protected]> writes:
> >>>>
> >>>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
> >>>>> - return -EOPNOTSUPP;
> >>>>> + info.port = dp->cpu_dp->index;
> >>>>
> >>>> The condition above will trigger also when a VLAN is added on a member
> >>>> port, and there's no other port with that VLAN. In that case the VLAN
> >>>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
> >>>> to get the bridge VLANs:
> >>>>
> >>>> if (netif_is_bridge_master(orig_dev)) {
> >>>> [...]
> >>>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
> >>>> [...]
> >>>>
> >>>> This doesn't appear to be done in DSA unless I'm missing something.
> >>> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
> >>> is not already a member.
> >>>
> >>> This command has BRIDGE_VLAN_INFO_BRENTRY set:
> >>> bridge vlan add dev br0 vid 100 pvid untagged self
> >>> I had the same issue on my CPSW RFC and solved it
> >>> exactly the same was as Petr suggested.
> >>
> >> Humm, there must be something obvious I am missing, but the following
> >> don't exactly result in what I would expect after adding a check for
> >> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
> >>
> >> brctl addbr br0
> >> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
> >> brctl addif br0 lan1
> >>
> >> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
> >> the CPU port. I would have sort of expected that the bridge layer would
> >> also push the configuration to br0/CPU port since this is the default VLAN:
> >>
> >> bridge vlan show dev br0
> >> port vlan ids
> >> br0 1 PVID Egress Untagged
> >>
> >> But it does not.
> >>
> >> bridge vlan add vid 2 dev lan1
> >>
> >> #2 same thing, results in only lan1 being programmed with VID 2, tagged
> >> but that is expected because we are creating the VLAN only for the
> >> user-facing port.
> >>
> >> bridge vlan add vid 3 dev br0 self
> >>
> >> #3 results in the CPU port being programmed with VID 3, tagged, again,
> >> this is expected because we are only programming the bridge master/CPU
> >> port here.
> >>
> >> Does #1 also happen for cpsw and mlxsw or do you actually get events
> >> about the bridge's default VLAN configuration? Or does the switch driver
> >> actually need to obtain that at the time the port is enslaved somehow?
> > As long as ports are attached you get the events (one event per attached port
> > iirc)
> > if the event is checked against BRIDGE_VLAN_INFO_BRENTRY, the only way to add a
> > VLAN to the cpu port is via 'bridge vlan add vid 3 dev br0 self'
>
> Do we have a guarantee that upon port enslavement, whatever default_pvid
> is configured on the bridge master device also happens to be the port's
> default_pvid settings as well?
I think default pvid is per port thing. I.e. each port can have it's
own pvid (i.e. it will tag with vlan id not tagged incoming packet to
that port),
I did not exactly understand use case. With adding vlan filtering to
cpu port you filter out packets from other vlan groups to cpu port.
This might be useful
only for multicast packes or missing fbd entry on some dsa port. Is
filtering multicast a main problem to solve here?
Linux is missing vlan ingress policy. I.e. filtering (echo 1 >
/sys/br0/vlan_filter) has to be case of 3 policies: secure (default
now), check and fallback. With current secure mode it
might work, but with check mode it will be needed to add all vlans to
cpu port. Btw, on some hardware vlan ingress policies are also per
port, not per bridge.
Best regards,
Maxim.
> --
> Florian
--
Best regards,
Maxim Uvarov
On 08/28/2018 12:08 PM, Maxim Uvarov wrote:
> вт, 28 авг. 2018 г. в 20:00, Florian Fainelli <[email protected]>:
>>
>> On 08/28/2018 01:32 AM, Ilias Apalodimas wrote:
>>> On Fri, Aug 10, 2018 at 04:58:10PM -0700, Florian Fainelli wrote:
>>>> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
>>>>> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
>>>>>> Florian Fainelli <[email protected]> writes:
>>>>>>
>>>>>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
>>>>>>> - return -EOPNOTSUPP;
>>>>>>> + info.port = dp->cpu_dp->index;
>>>>>>
>>>>>> The condition above will trigger also when a VLAN is added on a member
>>>>>> port, and there's no other port with that VLAN. In that case the VLAN
>>>>>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
>>>>>> to get the bridge VLANs:
>>>>>>
>>>>>> if (netif_is_bridge_master(orig_dev)) {
>>>>>> [...]
>>>>>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
>>>>>> [...]
>>>>>>
>>>>>> This doesn't appear to be done in DSA unless I'm missing something.
>>>>> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
>>>>> is not already a member.
>>>>>
>>>>> This command has BRIDGE_VLAN_INFO_BRENTRY set:
>>>>> bridge vlan add dev br0 vid 100 pvid untagged self
>>>>> I had the same issue on my CPSW RFC and solved it
>>>>> exactly the same was as Petr suggested.
>>>>
>>>> Humm, there must be something obvious I am missing, but the following
>>>> don't exactly result in what I would expect after adding a check for
>>>> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
>>>>
>>>> brctl addbr br0
>>>> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
>>>> brctl addif br0 lan1
>>>>
>>>> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
>>>> the CPU port. I would have sort of expected that the bridge layer would
>>>> also push the configuration to br0/CPU port since this is the default VLAN:
>>>>
>>>> bridge vlan show dev br0
>>>> port vlan ids
>>>> br0 1 PVID Egress Untagged
>>>>
>>>> But it does not.
>>>>
>>>> bridge vlan add vid 2 dev lan1
>>>>
>>>> #2 same thing, results in only lan1 being programmed with VID 2, tagged
>>>> but that is expected because we are creating the VLAN only for the
>>>> user-facing port.
>>>>
>>>> bridge vlan add vid 3 dev br0 self
>>>>
>>>> #3 results in the CPU port being programmed with VID 3, tagged, again,
>>>> this is expected because we are only programming the bridge master/CPU
>>>> port here.
>>>>
>>>> Does #1 also happen for cpsw and mlxsw or do you actually get events
>>>> about the bridge's default VLAN configuration? Or does the switch driver
>>>> actually need to obtain that at the time the port is enslaved somehow?
>>> As long as ports are attached you get the events (one event per attached port
>>> iirc)
>>> if the event is checked against BRIDGE_VLAN_INFO_BRENTRY, the only way to add a
>>> VLAN to the cpu port is via 'bridge vlan add vid 3 dev br0 self'
>>
>> Do we have a guarantee that upon port enslavement, whatever default_pvid
>> is configured on the bridge master device also happens to be the port's
>> default_pvid settings as well?
>
> I think default pvid is per port thing. I.e. each port can have it's
> own pvid (i.e. it will tag with vlan id not tagged incoming packet to
> that port),
We are talking about the bridge master device's default_pvid which can
be set prior to any port being enslaved into the bridge. As of today, if
you enslave a port of a switch into a bridge, you need to properly
configure the CPU/management port as well otherwise things just wont' be
working. At the time we enslave the first port into the bridge, there is
no notification AFAICT that is generated to tell us about what the
bridge master device's default_pvid is.
> I did not exactly understand use case. With adding vlan filtering to
> cpu port you filter out packets from other vlan groups to cpu port.
> This might be useful
> only for multicast packes or missing fbd entry on some dsa port. Is
> filtering multicast a main problem to solve here?
> Linux is missing vlan ingress policy. I.e. filtering (echo 1 >
> /sys/br0/vlan_filter) has to be case of 3 policies: secure (default
> now), check and fallback. With current secure mode it
> might work, but with check mode it will be needed to add all vlans to
> cpu port. Btw, on some hardware vlan ingress policies are also per
> port, not per bridge.
The general use case is that the CPU port on switches that have such a
thing is just a normal port on which you should be able to configure
exactly the VLAN membership and attributes.
With DSA switches today, we cannot do that, because there is no network
interface exposed for the CPU port (and there should not be one), so
when you target the bridge master device, e.g: br0, we can generate
events towards the switch driver that map to the CPU port.
There are many reasons for trying to do that, if we don't support such a
thing, then we need to have the CPU port be part of all VLAN IDs that
get added to ports, as a tagged member (because if untagged, you can't
differentiate traffic anymore).
Regarding your suggestion, we could certainly change vlan_filtering to
take several values:
0: disabled
1: secure
2: check
Or something like that.
--
Florian
вт, 28 авг. 2018 г. в 22:17, Florian Fainelli <[email protected]>:
>
> On 08/28/2018 12:08 PM, Maxim Uvarov wrote:
> > вт, 28 авг. 2018 г. в 20:00, Florian Fainelli <[email protected]>:
> >>
> >> On 08/28/2018 01:32 AM, Ilias Apalodimas wrote:
> >>> On Fri, Aug 10, 2018 at 04:58:10PM -0700, Florian Fainelli wrote:
> >>>> On 06/25/2018 02:17 AM, Ilias Apalodimas wrote:
> >>>>> On Mon, Jun 25, 2018 at 12:13:10PM +0300, Petr Machata wrote:
> >>>>>> Florian Fainelli <[email protected]> writes:
> >>>>>>
> >>>>>>> if (netif_is_bridge_master(vlan->obj.orig_dev))
> >>>>>>> - return -EOPNOTSUPP;
> >>>>>>> + info.port = dp->cpu_dp->index;
> >>>>>>
> >>>>>> The condition above will trigger also when a VLAN is added on a member
> >>>>>> port, and there's no other port with that VLAN. In that case the VLAN
> >>>>>> comes without the BRIDGE_VLAN_INFO_BRENTRY flag. In mlxsw we have this
> >>>>>> to get the bridge VLANs:
> >>>>>>
> >>>>>> if (netif_is_bridge_master(orig_dev)) {
> >>>>>> [...]
> >>>>>> if ((vlan->flags & BRIDGE_VLAN_INFO_BRENTRY) &&
> >>>>>> [...]
> >>>>>>
> >>>>>> This doesn't appear to be done in DSA unless I'm missing something.
> >>>>> Petr's right. This will trigger for VLANs added on 'not cpu ports' if the VLAN
> >>>>> is not already a member.
> >>>>>
> >>>>> This command has BRIDGE_VLAN_INFO_BRENTRY set:
> >>>>> bridge vlan add dev br0 vid 100 pvid untagged self
> >>>>> I had the same issue on my CPSW RFC and solved it
> >>>>> exactly the same was as Petr suggested.
> >>>>
> >>>> Humm, there must be something obvious I am missing, but the following
> >>>> don't exactly result in what I would expect after adding a check for
> >>>> vlan->flags & BRIDGE_VLAN_INFO_BRENTRY:
> >>>>
> >>>> brctl addbr br0
> >>>> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
> >>>> brctl addif br0 lan1
> >>>>
> >>>> #1 results in lan1 being programmed with VID 1, PVID, untagged, but not
> >>>> the CPU port. I would have sort of expected that the bridge layer would
> >>>> also push the configuration to br0/CPU port since this is the default VLAN:
> >>>>
> >>>> bridge vlan show dev br0
> >>>> port vlan ids
> >>>> br0 1 PVID Egress Untagged
> >>>>
> >>>> But it does not.
> >>>>
> >>>> bridge vlan add vid 2 dev lan1
> >>>>
> >>>> #2 same thing, results in only lan1 being programmed with VID 2, tagged
> >>>> but that is expected because we are creating the VLAN only for the
> >>>> user-facing port.
> >>>>
> >>>> bridge vlan add vid 3 dev br0 self
> >>>>
> >>>> #3 results in the CPU port being programmed with VID 3, tagged, again,
> >>>> this is expected because we are only programming the bridge master/CPU
> >>>> port here.
> >>>>
> >>>> Does #1 also happen for cpsw and mlxsw or do you actually get events
> >>>> about the bridge's default VLAN configuration? Or does the switch driver
> >>>> actually need to obtain that at the time the port is enslaved somehow?
> >>> As long as ports are attached you get the events (one event per attached port
> >>> iirc)
> >>> if the event is checked against BRIDGE_VLAN_INFO_BRENTRY, the only way to add a
> >>> VLAN to the cpu port is via 'bridge vlan add vid 3 dev br0 self'
> >>
> >> Do we have a guarantee that upon port enslavement, whatever default_pvid
> >> is configured on the bridge master device also happens to be the port's
> >> default_pvid settings as well?
> >
> > I think default pvid is per port thing. I.e. each port can have it's
> > own pvid (i.e. it will tag with vlan id not tagged incoming packet to
> > that port),
>
> We are talking about the bridge master device's default_pvid which can
> be set prior to any port being enslaved into the bridge. As of today, if
> you enslave a port of a switch into a bridge, you need to properly
> configure the CPU/management port as well otherwise things just wont' be
> working. At the time we enslave the first port into the bridge, there is
> no notification AFAICT that is generated to tell us about what the
> bridge master device's default_pvid is.
>
> > I did not exactly understand use case. With adding vlan filtering to
> > cpu port you filter out packets from other vlan groups to cpu port.
> > This might be useful
> > only for multicast packes or missing fbd entry on some dsa port. Is
> > filtering multicast a main problem to solve here?
> > Linux is missing vlan ingress policy. I.e. filtering (echo 1 >
> > /sys/br0/vlan_filter) has to be case of 3 policies: secure (default
> > now), check and fallback. With current secure mode it
> > might work, but with check mode it will be needed to add all vlans to
> > cpu port. Btw, on some hardware vlan ingress policies are also per
> > port, not per bridge.
>
> The general use case is that the CPU port on switches that have such a
> thing is just a normal port on which you should be able to configure
> exactly the VLAN membership and attributes.
>
that has to be good feature to add.
> With DSA switches today, we cannot do that, because there is no network
> interface exposed for the CPU port (and there should not be one), so
> when you target the bridge master device, e.g: br0, we can generate
> events towards the switch driver that map to the CPU port.
>
> There are many reasons for trying to do that, if we don't support such a
> thing, then we need to have the CPU port be part of all VLAN IDs that
> get added to ports, as a tagged member (because if untagged, you can't
> differentiate traffic anymore).
>
> Regarding your suggestion, we could certainly change vlan_filtering to
> take several values:
>
> 0: disabled
> 1: secure
> 2: check
>
> Or something like that.
I think that will work.
Maxim.
> --
> Florian
--
Best regards,
Maxim Uvarov