
@wkz wkz commented Nov 26, 2024

Description

Before this change, in a setup like the following, packets assigned to
VLAN 10 were forwarded between the switch ports, even though the
configuration dictates that they should only be locally terminated.

    ip link add dev br0 up type bridge vlan_filtering 1
    ip link set dev swp1 master br0
    ip link set dev swp2 master br0
    ip link add dev swp1.10 link swp1 up type vlan id 10
    ip link add dev swp2.10 link swp2 up type vlan id 10

    swp1.10  br0  swp2.10
          \ /   \ /
          swp1  swp2

Therefore, make sure that VLANs that are added to the VTU to terminate
a VLAN upper interface, rather than to offload bridge VLANs, are
marked as policy entries. As the VTU policy of user ports is already
set to TRAP (to ensure proper standalone port operation), this will
cause all packets assigned to these VLANs to be properly terminated.

Checklist

Tick relevant boxes, this PR is-a or has-a:

  • Bugfix
    • Regression tests
    • ChangeLog updates (for next release)
  • Feature
    • YANG model change => revision updated?
    • Regression tests added?
    • ChangeLog updates (for next release)
    • Documentation added?
  • Test changes
    • Checked in changed Readme.adoc (make test-spec)
    • Added new test to group Readme.adoc and yaml file
  • Code style update (formatting, renaming)
  • Refactoring (please detail in commit messages)
  • Build related changes
  • Documentation content changes
    • ChangeLog updated (for major changes)
  • Other (please describe):

@wkz wkz added the ci:main Build default defconfig, not minimal label Nov 26, 2024
@troglobit troglobit added this to the Infix v24.11.1 milestone Nov 26, 2024
@wkz wkz force-pushed the vlan-iface-termination branch from abaf539 to 7f51148 Compare November 26, 2024 21:14
@wkz wkz requested review from mattiaswal and troglobit November 26, 2024 23:54
This patch drops a needless restriction of IP addresses on VLAN filtering
bridges from 2024-03-06.  The obvious use-case is when the bridge is an
untagged member of a VLAN and only one management VLAN is required.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit troglobit force-pushed the vlan-iface-termination branch 2 times, most recently from 728bfbb to 9ea4d9f Compare November 27, 2024 17:29
@troglobit

I've had my fingers in this, but the parts by @wkz look good to me to merge. So we only need input from @mattiaswal on the total set, and the late pvid = vid addition for bridges may need some additional offline discussion as well.

wkz and others added 6 commits November 28, 2024 12:52
Now that PVID can be configured on bridges, make sure that we reflect
that in the operational database.

This will fail on a system running a vanilla kernel, where the dut's
ports are backed by mv88e6xxx, because:

1. The ports are attached to the same bridge, and are thus in the same
   PVT group.

2. Creation of the VLAN uppers causes the DSA layer to add both ports
   to the same VTU entry.

As a result, hardware behaves as if both ports had been configured as
tagged members of VLAN 10, instead of just terminating incoming
traffic locally.

Add this test to catch hardware which behaves in this way.

As it turns out, the setup with an 802.1D bridge in combination with
VLAN uppers stacked on the bridge ports is not possible to support
on mv88e6xxx ports.

Enable VLAN filtering to ensure proper isolation of the locally
terminated VLANs.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
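
The forwarding decision described in the PR description and in the test commit message above, as a simplified model. This is an added example, not code from the mv88e6xxx driver or from Infix; it shows why two VLAN uppers on ports of the same bridge leak VLAN 10 between the ports, and how marking the VTU entry as a policy entry confines the traffic to local termination. Assumptions: the class and function names are hypothetical, VID 20 is a constructed bridge VLAN added for contrast, frames are flooded (unknown destination), and the CPU receives a copy of flooded frames.

```python
from dataclasses import dataclass, field

CPU = "cpu"

@dataclass
class VtuEntry:
    members: set = field(default_factory=set)
    policy: bool = False          # set for VLANs that only terminate an upper

@dataclass
class Switch:
    pvt_group: dict               # port -> bridge it is attached to
    port_policy: str = "TRAP"     # VTU policy of user ports, per the description
    vtu: dict = field(default_factory=dict)   # vid -> VtuEntry

    def add_bridge_vlan(self, port, vid):
        """Offload a bridge VLAN: a normal, forwarding VTU entry."""
        self.vtu.setdefault(vid, VtuEntry()).members.add(port)

    def add_vlan_upper(self, port, vid, mark_policy):
        """Load the VID of a VLAN upper (e.g. swp1.10) into the VTU."""
        entry = self.vtu.setdefault(vid, VtuEntry())
        entry.members.add(port)
        entry.policy = entry.policy or mark_policy

    def egress(self, in_port, vid):
        """Destinations of a flooded frame received on in_port in VLAN vid."""
        entry = self.vtu.get(vid)
        if entry is None or in_port not in entry.members:
            return set()                       # model assumption: filtered
        if entry.policy and self.port_policy == "TRAP":
            return {CPU}                       # terminated locally only
        peers = {p for p in entry.members
                 if p != in_port and self.pvt_group[p] == self.pvt_group[in_port]}
        return peers | {CPU}

def build(mark_policy):
    """Topology from the description: swp1 and swp2 in br0, uppers on VID 10."""
    sw = Switch(pvt_group={"swp1": "br0", "swp2": "br0"})
    for port in ("swp1", "swp2"):
        sw.add_vlan_upper(port, 10, mark_policy)
        sw.add_bridge_vlan(port, 20)           # VID 20: constructed bridge VLAN
    return sw

if __name__ == "__main__":
    for fixed in (False, True):
        sw = build(mark_policy=fixed)
        print(f"policy entries={fixed}: vid 10 -> {sorted(sw.egress('swp1', 10))}, "
              f"vid 20 -> {sorted(sw.egress('swp1', 20))}")
```
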
@wkz wkz force-pushed the vlan-iface-termination branch from 9ea4d9f to f4557ff Compare November 28, 2024 11:55
- Use standard topology
- Include test case specification in parent README
@wkz wkz requested a review from mattiaswal November 28, 2024 13:25
@mattiaswal mattiaswal left a comment

Great work 💯 🚀

@wkz wkz merged commit 877e3f3 into main Nov 28, 2024
5 of 6 checks passed
@wkz wkz deleted the vlan-iface-termination branch November 28, 2024 14:07