From: Vivien Didelot
To: Andrew Lunn
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel@savoirfairelinux.com, "David S. Miller", Florian Fainelli
Subject: Re: [PATCH net-next v2 9/9] net: dsa: mv88e6xxx: add cross-chip bridging
In-Reply-To: <20170331163949.GI12814@lunn.ch>
References: <20170330213715.9666-1-vivien.didelot@savoirfairelinux.com> <20170330213715.9666-10-vivien.didelot@savoirfairelinux.com> <20170331163949.GI12814@lunn.ch>
Date: Fri, 31 Mar 2017 12:55:03 -0400
Message-ID: <87d1cxqtco.fsf@weeman.i-did-not-set--mail-host-address--so-tickle-me>

Hi Andrew,

Andrew Lunn writes:

> On Thu, Mar 30, 2017 at 05:37:15PM -0400, Vivien Didelot wrote:
>> Implement the DSA cross-chip bridging operations by remapping the local
>> ports an external source port can egress frames to, when this cross-chip
>> port joins or leaves a bridge.
>>
>> The PVT is no longer configured with all ones allowing any external
>> frame to egress any local port. Only DSA and CPU ports, as well as
>> bridge group members, can egress frames on local ports.
>
> With the ZII devel B, we have two switches with PVT, and one
> without. What happens in this setup? Can the non-PVT switch leak
> frames out user ports which should otherwise be blocked?

If CONFIG_BRIDGE_VLAN_FILTERING isn't enabled in the kernel, the non-PVT
switch would indeed have no means to restrict arbitrary external frames.
So in that setup, yes, the switch can theoretically leak frames.

With a VLAN-filtering aware system, the VTU policy and 802.1Q Secure port
mode should guard against that.

Thanks,
Vivien
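The egress rule quoted from the patch description, and the no-PVT case Andrew asks about, modelled as an added C example that is not part of this thread or of the mv88e6xxx driver. The 8-port chip, its port roles, the bridge group ids, and the assumption that frames from a remote CPU or DSA port may egress every local port are all constructed here.

```c
#include <stdint.h>
#include <stdbool.h>

#define NUM_PORTS 8   /* constructed: an 8-port switch */
enum port_role { ROLE_USER, ROLE_CPU, ROLE_DSA };

struct chip_model {
    bool has_pvt;                   /* false models a switch without a PVT */
    enum port_role role[NUM_PORTS]; /* what each local port is wired as */
    int bridge[NUM_PORTS];          /* 0 = not bridged, else bridge group id */
};

/* Egress vector (one bit per local port) the PVT would hold for frames
 * entering from a remote switch port described by src_role/src_bridge.
 * Rule from the patch description: DSA and CPU ports are always reachable,
 * user ports only when they are in the remote port's bridge group.
 * Assumed here: a remote CPU or DSA source may reach every local port. */
uint16_t pvt_egress_mask(const struct chip_model *c,
                         enum port_role src_role, int src_bridge)
{
    const uint16_t all_ports = (uint16_t)((1u << NUM_PORTS) - 1);
    uint16_t mask = 0;

    /* No PVT: nothing keys on the remote port, so every local port is open.
     * This is the leak Andrew asks about when bridge VLAN filtering is off. */
    if (!c->has_pvt)
        return all_ports;
    if (src_role == ROLE_CPU || src_role == ROLE_DSA)
        return all_ports;

    for (int i = 0; i < NUM_PORTS; i++) {
        if (c->role[i] == ROLE_CPU || c->role[i] == ROLE_DSA)
            mask |= (uint16_t)(1u << i);
        else if (src_bridge != 0 && c->bridge[i] == src_bridge)
            mask |= (uint16_t)(1u << i);
    }
    return mask;
}

/* Constructed chip: port 0 is the CPU port, port 7 a DSA link,
 * ports 1 and 2 are in bridge group 1, the rest are unbridged. */
#define DEMO_ROLES  { ROLE_CPU, ROLE_USER, ROLE_USER, ROLE_USER, \
                      ROLE_USER, ROLE_USER, ROLE_USER, ROLE_DSA }
#define DEMO_BRIDGE { 0, 1, 1, 0, 0, 0, 0, 0 }
const struct chip_model demo_chip = {
    .has_pvt = true, .role = DEMO_ROLES, .bridge = DEMO_BRIDGE,
};
/* Same wiring on a chip that has no PVT (the third switch in Andrew's setup) */
const struct chip_model demo_chip_no_pvt = {
    .has_pvt = false, .role = DEMO_ROLES, .bridge = DEMO_BRIDGE,
};
```

A remote user port in bridge group 1 gets 0x87 (CPU, ports 1 and 2, DSA), an unbridged or foreign-bridge remote user port gets only 0x81, and the chip without a PVT answers 0xff for any source.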