diff --git a/sbin/ifconfig/ifbridge.c b/sbin/ifconfig/ifbridge.c
--- a/sbin/ifconfig/ifbridge.c
+++ b/sbin/ifconfig/ifbridge.c
@@ -697,18 +697,6 @@
 do_bridgeflag(ctx, val, IFBIF_PRIVATE, 0);
 }
 
-static void
-setbridge_vlanfilter(if_ctx *ctx, const char *val, int dummy __unused)
-{
- do_bridgeflag(ctx, val, IFBIF_VLANFILTER, 1);
-}
-
-static void
-unsetbridge_vlanfilter(if_ctx *ctx, const char *val, int dummy __unused)
-{
- do_bridgeflag(ctx, val, IFBIF_VLANFILTER, 0);
-}
-
 static int
 parse_vlans(ifbvlan_set_t *set, const char *str)
 {
@@ -905,28 +893,26 @@
 DEF_CMD_ARG2("ifpriority", setbridge_ifpriority),
 DEF_CMD_ARG2("ifpathcost", setbridge_ifpathcost),
 DEF_CMD_ARG2("ifmaxaddr", setbridge_ifmaxaddr),
- DEF_CMD_ARG("vlanfilter", setbridge_vlanfilter),
- DEF_CMD_ARG("-vlanfilter", unsetbridge_vlanfilter),
 DEF_CMD_ARG2("untagged", setbridge_untagged),
 DEF_CMD_ARG("-untagged", unsetbridge_untagged),
 DEF_CMD_ARG2("tagged", setbridge_tagged),
 DEF_CMD_ARG2("+tagged", addbridge_tagged),
 DEF_CMD_ARG2("-tagged", delbridge_tagged),
+ DEF_CMD_ARG("qinq", setbridge_qinq),
+ DEF_CMD_ARG("-qinq", unsetbridge_qinq),
 DEF_CMD_ARG("timeout", setbridge_timeout),
 DEF_CMD_ARG("private", setbridge_private),
 DEF_CMD_ARG("-private", unsetbridge_private),
- DEF_CMD("defvlanfilter", (int32_t)IFBRF_DEFVLANFILTER,
+ DEF_CMD("vlanfilter", (int32_t)IFBRF_VLANFILTER,
 setbridge_flags),
- DEF_CMD("-defvlanfilter", (int32_t)IFBRF_DEFVLANFILTER,
+ DEF_CMD("-vlanfilter", (int32_t)IFBRF_VLANFILTER,
 unsetbridge_flags),
- DEF_CMD_ARG("defuntagged", setbridge_defuntagged),
- DEF_CMD("-defuntagged", 0, unsetbridge_defuntagged),
 DEF_CMD("defqinq", (int32_t)IFBRF_DEFQINQ,
 setbridge_flags),
 DEF_CMD("-defqinq", (int32_t)IFBRF_DEFQINQ,
 unsetbridge_flags),
- DEF_CMD_ARG("qinq", setbridge_qinq),
- DEF_CMD_ARG("-qinq", unsetbridge_qinq),
+ DEF_CMD_ARG("defuntagged", setbridge_defuntagged),
+ DEF_CMD("-defuntagged", 0, unsetbridge_defuntagged),
 };
 
 static struct afswtch af_bridge = {
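Review bot: The `vlanfilter` keyword keeps its spelling but changes arity, from a per-member `DEF_CMD_ARG` taking an interface name to an argument-less bridge-wide `DEF_CMD`, so an existing invocation such as `ifconfig bridge0 vlanfilter ix0` is not rejected as an unknown command the way `defvlanfilter` now is; it enables filtering on the whole bridge and then leaves `ix0` to ifconfig's generic argument handling, whose result I cannot confirm from this hunk. Because old scripts and rc.conf entries fail quietly rather than loudly, a comment next to the new table entries would help the next reader, e.g. `/* "vlanfilter" used to be a per-member command taking an interface name; it is now a bridge-wide flag with no argument (defvlanfilter was removed outright). */`, and ifconfig.8 should carry the same compatibility remark. The command table continues outside the hunk.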
diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@@ -2702,25 +2702,13 @@ section of .Xr bridge 4 . .Bl -tag -width indent -.It Cm vlanfilter Ar interface -Enable VLAN filtering on an interface. -.It Cm -vlanfilter Ar interface -Disable VLAN filtering on an interface. -.It Cm defvlanfilter -Enable the -.Cm vlanfilter -option by default on newly added members. -.It Cm -defvlanfilter -Do not enable the -.Cm vlanfilter -option by default on newly added members. -This is the default behavior. +.It Cm vlanfilter +Enable VLAN filtering on the bridge. +.It Cm -vlanfilter +Disable VLAN filtering on the bridge. +This is the default. .It Cm untagged Ar interface Ar vlan-id Set the untagged VLAN identifier for an interface. -.Pp -Setting -.Cm untagged -will automatically enable VLAN filtering on the interface. .It Cm -untagged Ar interface Ar vlan-id Clear the untagged VLAN identifier for an interface. .It Cm defuntagged Ar vlan-id
@@ -2743,27 +2731,15 @@ or the value .Dq all meaning all VLANs (1-4094). -.Pp -Setting -.Cm tagged -will automatically enable VLAN filtering on the interface. .It Cm +tagged Ar interface Ar vlan-list Add the provided list of VLAN IDs to the interface's VLAN access list. The list should be formatted as described for .Cm tagged . -.Pp -Setting -.Cm +tagged -will automatically enable VLAN filtering on the interface. .It Cm -tagged Ar interface Ar vlan-list Remove the provided list of VLAN IDs from the interface's VLAN access list. The list should be formatted as described for .Cm tagged . -.Pp -Setting -.Cm -tagged -will automatically enable VLAN filtering on the interface. .It Cm qinq Ar interface Allow this interface to send 802.1ad .Dq Q-in-Q
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -420,30 +420,18 @@ .Pp VLAN filtering is enabled by setting the .Cm vlanfilter -flag on member interfaces: +flag on the bridge: .Bd -literal -offset indent -ifconfig bridge0 addm ix0 -ifconfig bridge0 vlanfilter ix0 -.Ed -.Pp -While both legacy and VLAN filtering interfaces can co-exist in the -same bridge, this is not recommended. -Instead, VLAN filtering should be enabled using the -.Cm defvlanfilter -flag when the bridge is created, which causes all interfaces added to -the bridge to have VLAN filtering enabled by default: -.Bd -literal -offset indent -ifconfig bridge0 create defvlanfilter -ifconfig bridge0 addm ix0 +ifconfig bridge0 vlanfilter .Ed .Pp -VLAN filtering bridge members can be identified by the presence of the +VLAN filtering bridges can be identified by the presence of the .Dq VLANFILTER flag in the output of .Xr ifconfig 8 . .Pp -By default, a VLAN filtering interface is not permitted to pass any -traffic on the bridge. +By default, member interfaces are not permitted to pass any traffic on +the bridge. To allow untagged frames on an interface, the interface's Port VLAN ID (PVID) can be configured using the .Xr ifconfig 8
@@ -462,7 +450,7 @@ .Cm defuntagged command when the bridge is created: .Bd -literal -offset indent -ifconfig bridge0 create defvlanfilter defuntagged 100 +ifconfig bridge0 create vlanfilter defuntagged 100 .Ed .Pp This will cause all newly-added bridge members to be configured with
@@ -586,12 +574,12 @@ machine and jail interfaces, to communicate on any VLAN. In most cases this is not desirable, so converting this configuration to a VLAN filtering bridge can be done by setting the -.Cm defvlanfilter +.Cm vlanfilter and .Cm defuntagged options on the bridge: .Bd -literal -offset indent -ifconfig bridge0 create defvlanfilter defuntagged 1 +ifconfig bridge0 create vlanfilter defuntagged 1 ifconfig bridge0 addm ix0 ifconfig bridge0 addm tap0 ifconfig bridge0 addm epair0a
@@ -627,7 +615,7 @@ This configuration can be replaced with a single VLAN filtering bridge as follows: .Bd -literal -offset indent -ifconfig bridge0 create defvlanfilter +ifconfig bridge0 create vlanfilter ifconfig bridge0 addm ix0 tagged ix0 100,200 ifconfig bridge0 addm em0 untagged em0 100 ifconfig bridge0 addm em1 untagged em1 100
@@ -857,7 +845,7 @@ consisting of all 8 ports on a single VLAN and with Rapid Spanning Tree enabled: .Bd -literal -offset indent -ifconfig bridge0 create defvlanfilter defuntagged 1 +ifconfig bridge0 create vlanfilter defuntagged 1 ifconfig bridge0 \e addm fxp0 stp fxp0 \e addm fxp1 stp fxp1 \e
@@ -885,7 +873,7 @@ can be run on the bridge VLAN interface: .Bd -literal -offset indent cloned_interfaces="bridge0" -ifconfig_bridge0="defvlanfilter defuntagged 1 addm em0 addm em1" +ifconfig_bridge0="vlanfilter defuntagged 1 addm em0 addm em1" ifconfig_em0="up" ifconfig_em1="up" vlans_bridge0="100"
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1470,10 +1470,8 @@ bif->bif_ifp = ifs; bif->bif_flags = IFBIF_LEARNING | IFBIF_DISCOVER; bif->bif_savedcaps = ifs->if_capenable; - if (sc->sc_flags & IFBRF_DEFVLANFILTER) { - bif->bif_flags |= IFBIF_VLANFILTER; + if (sc->sc_flags & IFBRF_VLANFILTER) bif->bif_pvid = sc->sc_defpvid; - } if (sc->sc_flags & IFBRF_DEFQINQ) bif->bif_flags |= IFBIF_QINQ;
@@ -1942,6 +1940,9 @@ struct ifbreq *req = arg; struct bridge_iflist *bif; + if ((sc->sc_flags & IFBRF_VLANFILTER) == 0) + return (EXTERROR(EINVAL, "VLAN filtering not enabled")); + bif = bridge_lookup_member(sc, req->ifbr_ifsname); if (bif == NULL) return (EXTERROR(ENOENT, "Interface is not a bridge member"));
@@ -1949,8 +1950,6 @@ if (req->ifbr_pvid > DOT1Q_VID_MAX) return (EXTERROR(EINVAL, "Invalid VLAN ID")); - if (req->ifbr_pvid != DOT1Q_VID_NULL) - bif->bif_flags |= IFBIF_VLANFILTER; bif->bif_pvid = req->ifbr_pvid; return (0); }
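Review bot: The new guard in the BRDGSIFPVID hunk (-1942) stops a PVID from being set while `IFBRF_VLANFILTER` is clear, but nothing in this diff clears `bif_pvid` when the flag is later cleared through BRDGSFLAGS (that handler is outside the diff), so a PVID configured while filtering was on survives a `-vlanfilter`/`vlanfilter` cycle and silently becomes effective again; the same applies to the per-port access lists changed by the BRDGSIFVLANSET hunk. If retaining that state is intended, say so at the guard, e.g. `/* Per-port VLAN state is kept while filtering is off and applies again once IFBRF_VLANFILTER is set. */`; if not, the flag-clearing path should reset `bif_pvid` and the access lists. Relatedly, the -1470 hunk copies `sc_defpvid` only for members added after the flag is set, so a member added before `vlanfilter` keeps `DOT1Q_VID_NULL` and, once filtering is enabled, passes no untagged traffic even though `defuntagged` was configured; that deserves a sentence in bridge.4 or a comment here. All three functions start outside their hunks.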
@@ -1961,6 +1960,9 @@ struct ifbif_vlan_req *req = arg; struct bridge_iflist *bif; + if ((sc->sc_flags & IFBRF_VLANFILTER) == 0) + return (EXTERROR(EINVAL, "VLAN filtering not enabled")); + bif = bridge_lookup_member(sc, req->bv_ifname); if (bif == NULL) return (EXTERROR(ENOENT, "Interface is not a bridge member"));
@@ -1992,12 +1994,6 @@ "Unsupported BRDGSIFVLANSET operation")); } - /* - * The only reason to modify the VLAN access list is to use VLAN - * filtering on this interface, so enable it automatically. - */ - bif->bif_flags |= IFBIF_VLANFILTER; - return (0); }
@@ -2370,7 +2366,7 @@ * outgoing interface matches the VLAN ID of the frame, remove * the VLAN header. */ - if ((bif->bif_flags & IFBIF_VLANFILTER) && + if ((sc->sc_flags & IFBRF_VLANFILTER) && bif->bif_pvid != DOT1Q_VID_NULL && VLANTAGOF(m) == bif->bif_pvid) { m->m_flags &= ~M_VLANTAG;
@@ -3240,7 +3236,7 @@ return (false); /* If VLAN filtering isn't enabled, pass everything. */ - if ((sbif->bif_flags & IFBIF_VLANFILTER) == 0) + if ((sbif->bif_sc->sc_flags & IFBRF_VLANFILTER) == 0) return (true); /* If Q-in-Q is disabled, check for stacked tags. */
@@ -3298,7 +3294,7 @@ NET_EPOCH_ASSERT(); /* If VLAN filtering isn't enabled, pass everything. */ - if ((dbif->bif_flags & IFBIF_VLANFILTER) == 0) + if ((dbif->bif_sc->sc_flags & IFBRF_VLANFILTER) == 0) return (true); vlan = VLANTAGOF(m);
diff --git a/sys/net/if_bridgevar.h b/sys/net/if_bridgevar.h
--- a/sys/net/if_bridgevar.h
+++ b/sys/net/if_bridgevar.h
@@ -135,10 +135,10 @@ /* BRDGSFLAGS, Bridge flags (non-interface-specific) */ typedef uint32_t ifbr_flags_t; -#define IFBRF_DEFVLANFILTER (1U<<0) /* enable vlanfilter by default */ +#define IFBRF_VLANFILTER (1U<<0) /* VLAN filtering enabled */ #define IFBRF_DEFQINQ (1U<<1) /* 802.1ad Q-in-Q allowed */ -#define IFBRFBITS "\020\01DEFVLANFILTER\02DEFQINQ" +#define IFBRFBITS "\020\01VLANFILTER\02DEFQINQ" /* * Generic bridge control request.
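Review bot: The precondition introduced in the -1961 hunk (and identically in the -1942 hunk of the previous chunk) is not documented anywhere in this commit: ifconfig.8 removes the sentences saying `tagged`/`untagged` enabled filtering automatically but never says that these commands now fail with EINVAL ("VLAN filtering not enabled") unless `vlanfilter` is set first, which reverses the ordering that existing `addm ... untagged ...` scripts relied on. Suggest a sentence under `untagged`, `tagged`, `+tagged` and `-tagged` such as `VLAN filtering must be enabled on the bridge with .Cm vlanfilter before this command is accepted.` The guard itself is now duplicated verbatim in two ioctl handlers; a small `static` helper would keep the check and the error string in one place. On style, the -2370 hunk reads the flag through `sc` while the -3240 and -3298 hunks go through `bif_sc`; using one form throughout would make the checks easier to audit. The enclosing functions begin outside each hunk.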
@@ -173,12 +173,12 @@ #define IFBIF_BSTP_ADMEDGE 0x0200 /* member stp admin edge enabled */ #define IFBIF_BSTP_ADMCOST 0x0400 /* member stp admin path cost */ #define IFBIF_PRIVATE 0x0800 /* if is a private segment */ -#define IFBIF_VLANFILTER 0x1000 /* if does vlan filtering */ +/* was IFBIF_VLANFILTER 0x1000 */ #define IFBIF_QINQ 0x2000 /* if allows 802.1ad Q-in-Q */ #define IFBIFBITS "\020\001LEARNING\002DISCOVER\003STP\004SPAN" \ "\005STICKY\014PRIVATE\006EDGE\007AUTOEDGE\010PTP" \ - "\011AUTOPTP\015VLANFILTER\016QINQ" + "\011AUTOPTP\016QINQ" #define IFBIFMASK ~(IFBIF_BSTP_EDGE|IFBIF_BSTP_AUTOEDGE|IFBIF_BSTP_PTP| \ IFBIF_BSTP_AUTOPTP|IFBIF_BSTP_ADMEDGE| \ IFBIF_BSTP_ADMCOST) /* not saved */
diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -852,7 +852,7 @@ bridge=$(vnet_mkbridge) - ifconfig ${bridge} up + ifconfig ${bridge} vlanfilter up ifconfig ${epone}a up ifconfig ${eptwo}a up ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20
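Review bot: Retiring `IFBIF_VLANFILTER` reserves bit 0x1000 in the header, but whether BRDGSIFFLAGS now rejects that bit is not visible here (the handler and the use of `IFBIFMASK` are outside the diff). An ifconfig(8) built against the old header still sends `vlanfilter ix0` as 0x1000; if the ioctl stores or ignores undefined bits, that command reports success while no per-port filtering is applied, which is the worst failure mode for a filtering control. Suggest the handler return EINVAL for bits outside the defined set, and a comment on the reserved line saying why it must stay unused, e.g. `/* was IFBIF_VLANFILTER 0x1000; keep reserved so an old userland setting it is not misread */`. Reusing bit 0 for `IFBRF_VLANFILTER` in the previous chunk is less of a concern, since an old `defvlanfilter` request maps to the closest new meaning.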
@@ -891,16 +891,18 @@ vnet_mkjail one ${epone}b vnet_mkjail two ${eptwo}b - jexec one ifconfig ${epone}b 192.0.2.1/24 up - jexec two ifconfig ${eptwo}b 192.0.2.2/24 up + atf_check -s exit:0 jexec one ifconfig ${epone}b 192.0.2.1/24 up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b 192.0.2.2/24 up bridge=$(vnet_mkbridge) - ifconfig ${bridge} up - ifconfig ${epone}a up - ifconfig ${eptwo}a up - ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 - ifconfig ${bridge} addm ${eptwo}a untagged ${eptwo}a 30 + atf_check -s exit:0 ifconfig ${bridge} vlanfilter up + atf_check -s exit:0 ifconfig ${epone}a up + atf_check -s exit:0 ifconfig ${eptwo}a up + atf_check -s exit:0 ifconfig ${bridge} \ + addm ${epone}a untagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} \ + addm ${eptwo}a untagged ${eptwo}a 30 atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 
@@ -930,18 +932,22 @@ vnet_mkjail two ${eptwo}b # Create two tagged interfaces on the appropriate VLANs - jexec one ifconfig ${epone}b up - jexec one ifconfig ${epone}b.20 create 192.0.2.1/24 up - jexec two ifconfig ${eptwo}b up - jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up + atf_check -s exit:0 jexec one ifconfig ${epone}b up + atf_check -s exit:0 jexec one ifconfig ${epone}b.20 \ + create 192.0.2.1/24 up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b.20 \ + create 192.0.2.2/24 up bridge=$(vnet_mkbridge) - ifconfig ${bridge} up - ifconfig ${epone}a up - ifconfig ${eptwo}a up - ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 - ifconfig ${bridge} addm ${eptwo}a untagged ${eptwo}a 20 + atf_check -s exit:0 ifconfig ${bridge} vlanfilter up + atf_check -s exit:0 ifconfig ${epone}a up + atf_check -s exit:0 ifconfig ${eptwo}a up + atf_check -s exit:0 ifconfig ${bridge} \ + addm ${epone}a untagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} \ + addm ${eptwo}a untagged ${eptwo}a 20 # Tagged frames should not be passed. atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 
@@ -975,18 +981,20 @@ # This forces the bridge to add and remove .1q tags to bridge the # traffic. - jexec one ifconfig ${epone}b 192.0.2.1/24 up - jexec two ifconfig ${eptwo}b up - jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up + atf_check -s exit:0 jexec one ifconfig ${epone}b 192.0.2.1/24 up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up bridge=$(vnet_mkbridge) - ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 - ifconfig ${bridge} addm ${eptwo}a + atf_check -s exit:0 ifconfig ${bridge} vlanfilter up + atf_check -s exit:0 ifconfig ${bridge} \ + addm ${epone}a untagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a \ + tagged ${eptwo}a 20 - ifconfig ${bridge} up - ifconfig ${epone}a up - ifconfig ${eptwo}a up + atf_check -s exit:0 ifconfig ${epone}a up + atf_check -s exit:0 ifconfig ${eptwo}a up atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 
@@ -1018,18 +1026,20 @@ vnet_mkjail one ${epone}b vnet_mkjail two ${eptwo}b - jexec one ifconfig ${epone}b up - jexec one ifconfig ${epone}b.20 create 192.0.2.1/24 up - jexec two ifconfig ${eptwo}b up - jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up + atf_check -s exit:0 jexec one ifconfig ${epone}b up + atf_check -s exit:0 jexec one ifconfig ${epone}b.20 \ create 192.0.2.1/24 up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b.20 \ create 192.0.2.2/24 up bridge=$(vnet_mkbridge) - ifconfig ${bridge} up - ifconfig ${epone}a up - ifconfig ${eptwo}a up - ifconfig ${bridge} addm ${epone}a vlanfilter ${epone}a - ifconfig ${bridge} addm ${eptwo}a vlanfilter ${eptwo}a + atf_check -s exit:0 ifconfig ${bridge} vlanfilter up + atf_check -s exit:0 ifconfig ${epone}a up + atf_check -s exit:0 ifconfig ${eptwo}a up + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a + atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a # Right now there are no VLANs on the access list, so everything # should be blocked.
@@ -1049,15 +1059,15 @@ atf_check -s exit:0 ifconfig ${bridge} -untagged ${eptwo}a # Add VLANs 10-30 to the access list; now access should be allowed. - ifconfig ${bridge} +tagged ${epone}a 10-30 - ifconfig ${bridge} +tagged ${eptwo}a 10-30 + atf_check -s exit:0 ifconfig ${bridge} +tagged ${epone}a 10-30 + atf_check -s exit:0 ifconfig ${bridge} +tagged ${eptwo}a 10-30 atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 # Remove vlan 20 from the access list, now access should be blocked # again. - ifconfig ${bridge} -tagged ${epone}a 20 - ifconfig ${bridge} -tagged ${eptwo}a 20 + atf_check -s exit:0 ifconfig ${bridge} -tagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} -tagged ${eptwo}a 20 atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 }
@@ -1084,9 +1094,10 @@ ep=$(vnet_mkepair) bridge=$(vnet_mkbridge) + atf_check -s exit:0 ifconfig ${bridge} vlanfilter up - ifconfig ${bridge} addm ${ep}a vlanfilter ${ep}a up - ifconfig ${ep}a up + atf_check -s exit:0 ifconfig ${bridge} addm ${ep}a + atf_check -s exit:0 ifconfig ${ep}a up # To start with, no vlans should be configured. atf_check -s exit:0 -o not-match:"tagged" ifconfig ${bridge}
@@ -1143,18 +1154,20 @@ vnet_mkjail one ${epone}b - jexec one ifconfig ${epone}b up - jexec one ifconfig ${epone}b.20 create 192.0.2.1/24 up + atf_check -s exit:0 jexec one ifconfig ${epone}b up + atf_check -s exit:0 jexec one ifconfig ${epone}b.20 \ create 192.0.2.1/24 up bridge=$(vnet_mkbridge) - ifconfig ${bridge} up - ifconfig ${epone}a up - ifconfig ${bridge} addm ${epone}a tagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} vlanfilter up + atf_check -s exit:0 ifconfig ${epone}a up + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a \ tagged ${epone}a 20 svi=$(vnet_mkvlan) - ifconfig ${svi} vlan 20 vlandev ${bridge} - ifconfig ${svi} inet 192.0.2.2/24 up + atf_check -s exit:0 ifconfig ${svi} vlan 20 vlandev ${bridge} + atf_check -s exit:0 ifconfig ${svi} inet 192.0.2.2/24 up atf_check -s exit:0 -o ignore ping -c 3 -t 1 192.0.2.1 }
@@ -1202,7 +1215,7 @@ bridge=$(vnet_mkbridge) - atf_check -s exit:0 ifconfig ${bridge} defvlanfilter defqinq up + atf_check -s exit:0 ifconfig ${bridge} vlanfilter defqinq up atf_check -s exit:0 ifconfig ${epone}a up atf_check -s exit:0 ifconfig ${eptwo}a up atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a
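Review bot: No test exercises the precondition this commit adds to BRDGSIFPVID and BRDGSIFVLANSET: every case, including the -1084 and -1143 hunks here, now sets `vlanfilter` before `untagged`/`tagged`, so a regression that silently accepted those commands on a non-filtering bridge would go unnoticed. Suggest a dedicated case that adds a member to a bridge without `vlanfilter` and asserts `atf_check -s not-exit:0 -e ignore ifconfig ${bridge} untagged ${ep}a 20` and the equivalent for `tagged`, plus an `atf_check -s exit:0 -o match:"VLANFILTER" ifconfig ${bridge}` after enabling the flag so the IFBRFBITS rename is covered too. The test bodies and their cleanup functions lie outside these hunks.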