Details

Reviewers

des
kevans
kp
adrian

Group Reviewers

network
manpages

Commits

rG032d32c2c276: bridge: add per-interface vlan access list

Summary

The new ifconfig options 'ifvlan', '+ifvlans' and '-ifvlans' allow the
vlan access list of a bridge port to be configured.

Incoming tagged frames will be dropped if the incoming vlan tag isn't
in the port's access list.

Outgoing frames will be dropped if the outgoing vlan ID isn't in the
port's access list (e.g., for BUM traffic).

This is only enabled if the port's pvid is set to something other than
zero, which is treated as the flag to enable vlan filtering.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ivy created this revision.May 23 2025, 11:55 PM

Herald added subscribers: ziaee, glebius, melifaro and 2 others. · View Herald TranscriptMay 23 2025, 11:55 PM

ivy requested review of this revision.May 23 2025, 11:55 PM

Harbormaster completed remote builds in B64398: Diff 155960.May 23 2025, 11:55 PM

ivy added a parent revision: D50500: bridge: transparently add and remove VLAN tags.May 23 2025, 11:56 PM

kevans added inline comments.May 24 2025, 12:01 AM

sbin/ifconfig/ifbridge.c
160	Declaration needs to move up to the top of this block at a minimum, when someone provides more useful feedback to warrant another iteration.

ivy added inline comments.May 24 2025, 12:04 AM

sbin/ifconfig/ifbridge.c
160	i keep forgetting we're not allowed to do this. i'll fix it in my local branch.

ivy added a child revision: D50504: allow vlan(4) interfaces to be created on a bridge(4).May 24 2025, 12:11 AM

ivy marked an inline comment as done.May 24 2025, 12:16 AM

kp accepted this revision as: kp.May 27 2025, 9:08 AM

kp added inline comments.

sbin/ifconfig/ifbridge.c
154	Maybe <= DOT1Q_VID_MAX ?
sys/net/if_bridge.c
1943	(Random example picked) This might be easier if you used BITSET(9). It has macros for bitwise AND/OR/XOR/.. on the entire set at once.

This revision is now accepted and ready to land.May 27 2025, 9:08 AM

guest-patmaddox added a subscriber: guest-patmaddox.May 27 2025, 3:54 PM

update for new vlan filtering behaviour

This revision now requires review to proceed.May 28 2025, 9:32 AM

Harbormaster completed remote builds in B64493: Diff 156157.May 28 2025, 9:32 AM

ivy added inline comments.May 28 2025, 9:41 AM

sbin/ifconfig/ifbridge.c
154	we can't use `DOT1Q_VID_*` here since they're behind `_KERNEL`. i've been meaning to fix that and move them to a different header, but i might do that in a followup commit (and fix this at the same time) rather than adding more commits to this stack.
sys/net/if_bridge.c
1943	according to the manual page, `bitset(9)` isn't available to userland unless `_WANT_FREEBSD_BITSET` is defined, which means every userland program that includes `if_bridgevar.h` would have to do that. i'm not very fond of that since it makes the header unnecessarily difficult to use.

ivy mentioned this in D50570: sys/net: move DOT1Q_VID_* constants to ethernet.h.May 28 2025, 10:47 AM

ivy added inline comments.May 28 2025, 2:53 PM

sbin/ifconfig/ifbridge.c
154	i decided to just do this: D50570. i'll fix this if that's approved.

ivy added a parent revision: D50570: sys/net: move DOT1Q_VID_* constants to ethernet.h.May 28 2025, 2:54 PM

use DOT1Q_VID_* constants consistently, now they're available to userland.

also neaten up parse_vlans() a little.

Harbormaster completed remote builds in B64509: Diff 156211.May 28 2025, 5:00 PM

kp accepted this revision as: kp.May 28 2025, 7:54 PM

kp added inline comments.

sbin/ifconfig/ifbridge.c

765

We have three near-identical functions here. It might be worth doing something like

static void
setbridge_tagged(if_ctx *ctx, const char *ifn, const char *vlans, int cmd)
...

static void
addbridge_tagged(if_ctx *ctx, const char *ifn, const char *vlans)
{
    setbridge_tagged(ctx, ifn, vlans, BRDG_VLAN_OP_SET);
}

This revision is now accepted and ready to land.May 28 2025, 7:54 PM

remove some redundant code in ifconfig
use bitset(9) for ifbvlan_set_t instead of rolling our own

This revision now requires review to proceed.May 29 2025, 2:33 AM

Harbormaster completed remote builds in B64526: Diff 156243.May 29 2025, 2:33 AM

adrian accepted this revision.Tue, Jun 24, 5:38 AM

This revision is now accepted and ready to land.Tue, Jun 24, 5:38 AM

crest_freebsd_rlwinm.de added a subscriber: crest_freebsd_rlwinm.de.Tue, Jun 24, 9:08 PM

des accepted this revision.Wed, Jul 2, 7:23 AM

des added inline comments.

lib/libifconfig/libifconfig_bridge.c
122
132
135
sbin/ifconfig/ifbridge.c
767	(or you can initialize to `{ 0 }`)

Closed by commit rG032d32c2c276: bridge: add per-interface vlan access list (authored by ivy). · Explain WhySat, Jul 5, 7:14 AM

This revision was automatically updated to reflect the committed changes.

ivy added a commit: rG032d32c2c276: bridge: add per-interface vlan access list.

bridge: add vlan filtering support
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 158001

lib/libifconfig/libifconfig.h

lib/libifconfig/libifconfig_bridge.c

sbin/ifconfig/ifbridge.c

sbin/ifconfig/ifconfig.8

share/man/man4/bridge.4

sys/net/if_bridge.c

sys/net/if_bridgevar.h

tests/sys/net/if_bridge_test.sh

bridge: add vlan filtering supportClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 158001

lib/libifconfig/libifconfig.h

lib/libifconfig/libifconfig_bridge.c

sbin/ifconfig/ifbridge.c

sbin/ifconfig/ifconfig.8

share/man/man4/bridge.4

sys/net/if_bridge.c

sys/net/if_bridgevar.h

tests/sys/net/if_bridge_test.sh

bridge: add vlan filtering support
ClosedPublic
Actions

Revision Contents
Changeset List