From: Tobias Waldekranz <tobias@waldekranz.com>
To: davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org
Subject: [PATCH net-next 0/5] net: dsa: mv88e6xxx: Improve standalone port isolation
Date: Mon, 31 Jan 2022 16:46:50 +0100
Message-ID: <20220131154655.1614770-1-tobias@waldekranz.com>

The ideal isolation between standalone ports satisfies two properties:
1. Packets from one standalone port must not be forwarded to any other
   port.
2. Packets from a standalone port must be sent to the CPU port.

mv88e6xxx solves (1) by isolating standalone ports using the PVT. Up
to this point though, (2) has not been guaranteed; as the ATU is still
consulted, there is a chance that an incoming packet never reaches the CPU
if its DA has previously been used as the SA of an earlier packet (see
1/5 for more details). This is typically not a problem, except for one
very useful setup in which switch ports are looped in order to run the
bridge kselftests in tools/testing/selftests/net/forwarding. This
series attempts to solve (2).

Ideally, we could simply use the "ForceMap" bit of more modern chips
(Agate and newer) to classify all incoming packets as MGMT. This is
not available on older silicon that is still widely used (Opal Plus
chips like the 6097 for example).

Instead, this series takes a two-pronged approach:

1/5: Always clear MapDA on standalone ports to make sure that no ATU
     entry can lead packets astray. This solves (2) for single-chip
     systems.

2/5: Trivial prep work for 4/5.
3/5: Trivial prep work for 4/5.

4/5: On multi-chip systems though, this is not enough. On the incoming
     chip, the packet will be forced out towards the CPU thanks to
     1/5, but on any intermediate chips the ATU is still consulted. We
     override this behavior by marking the reserved standalone VID (0)
     as a policy VID and setting the DSA ports' VID policy to TRAP. This
     will cause the packet to be reclassified as MGMT on the first
     intermediate chip, after which it's a straight shot towards the
     CPU.

Finally, we allow more tests to be run on mv88e6xxx:

5/5: The bridge_vlan{,un}aware suites set an ageing_time of 10s on
     the bridge it creates, but mv88e6xxx has a minimum supported time
     of 15s. Allow this time to be overridden in forwarding.config.

With this series in place, mv88e6xxx passes the following kselftest
suites:

- bridge_port_isolation.sh
- bridge_sticky_fdb.sh
- bridge_vlan_aware.sh
- bridge_vlan_unaware.sh

Tobias Waldekranz (5):
  net: dsa: mv88e6xxx: Improve isolation of standalone ports
  net: dsa: mv88e6xxx: Support policy entries in the VTU
  net: dsa: mv88e6xxx: Enable port policy support on 6097
  net: dsa: mv88e6xxx: Improve multichip isolation of standalone ports
  selftests: net: bridge: Parameterize ageing timeout

 drivers/net/dsa/mv88e6xxx/chip.c              | 96 ++++++++++++++-----
 drivers/net/dsa/mv88e6xxx/chip.h              |  1 +
 drivers/net/dsa/mv88e6xxx/global1.h           |  1 +
 drivers/net/dsa/mv88e6xxx/global1_vtu.c       |  5 +-
 drivers/net/dsa/mv88e6xxx/port.c              |  7 +-
 drivers/net/dsa/mv88e6xxx/port.h              |  2 +-
 include/net/dsa.h                             | 12 +++
 .../net/forwarding/bridge_vlan_aware.sh       |  5 +-
 .../net/forwarding/bridge_vlan_unaware.sh     |  5 +-
 .../net/forwarding/forwarding.config.sample   |  2 +
 tools/testing/selftests/net/forwarding/lib.sh |  1 +
 11 files changed, 103 insertions(+), 34 deletions(-)

-- 
2.25.1
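
A simplified software model of the looped-port failure described in the cover letter and of the effect of clearing MapDA (1/5), added here as an illustration; it is not code from the patch series or the mv88e6xxx driver. The three-port topology, the `allowed` mask standing in for the PVT, flooding as the behaviour when MapDA is clear, and all names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NPORTS   3          /* constructed topology: ports 0 and 1 standalone, port 2 = CPU */
#define CPU_MASK (1u << 2)
#define ATU_SIZE 8

struct atu_entry { uint8_t mac[6]; int port; bool valid; };
struct sw {
    struct atu_entry atu[ATU_SIZE];
    uint8_t allowed[NPORTS]; /* egress mask per ingress port; stands in for the PVT */
    bool map_da[NPORTS];     /* per port: may an ATU hit on the DA pick the egress? */
};

static struct atu_entry *atu_find(struct sw *s, const uint8_t *mac)
{
    for (int i = 0; i < ATU_SIZE; i++)
        if (s->atu[i].valid && !memcmp(s->atu[i].mac, mac, 6))
            return &s->atu[i];
    return NULL;
}

static uint8_t sw_rx(struct sw *s, int in, const uint8_t *da, const uint8_t *sa)
{
    struct atu_entry *e = atu_find(s, sa);
    uint8_t dst = (uint8_t)(((1u << NPORTS) - 1) & ~(1u << in)); /* no ATU hit: flood */
    for (int i = 0; !e && i < ATU_SIZE; i++)
        e = s->atu[i].valid ? NULL : &s->atu[i];   /* first free slot */
    if (e) {
        *e = (struct atu_entry){ .port = in, .valid = true }; /* learn SA on ingress port */
        memcpy(e->mac, sa, 6);
    }
    if (s->map_da[in] && (e = atu_find(s, da)))
        dst = (uint8_t)(1u << e->port);            /* ATU hit on DA decides the egress */
    return dst & s->allowed[in];                   /* isolation is applied last */
}

static uint8_t loop_demo(bool map_da)
{
    static const uint8_t X[6] = {2, 0, 0, 0, 0, 1}, Y[6] = {2, 0, 0, 0, 0, 2};
    struct sw s = { .allowed = {CPU_MASK, CPU_MASK, 0x3}, .map_da = {map_da, map_da, true} };
    sw_rx(&s, 1, Y, X);        /* frame from X enters port 1: X is learned on port 1 */
    return sw_rx(&s, 0, X, Y); /* frame to X enters port 0 (cabled to port 1) */
}

int main(void)
{
    return printf("MapDA set: %#x, clear: %#x\n", loop_demo(true), loop_demo(false)) < 0;
}
```

With MapDA set, the second frame's egress mask is empty: the ATU points at port 1 and isolation forbids that path, so the CPU never sees the frame. With MapDA clear, the mask is the CPU port.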


Thread overview: 17+ messages
2022-01-31 15:46 Tobias Waldekranz [this message]
2022-01-31 15:46 ` [PATCH net-next 1/5] net: dsa: mv88e6xxx: Improve isolation of standalone ports Tobias Waldekranz
2022-02-01 17:06   ` Vladimir Oltean
2022-02-01 17:20     ` Vladimir Oltean
2022-02-01 19:56     ` Tobias Waldekranz
2022-02-01 20:11       ` Vladimir Oltean
2022-02-01 21:22         ` Tobias Waldekranz
2022-02-03 13:56           ` Vladimir Oltean
2022-02-03 16:01             ` Marek Behún
2022-02-03 16:40               ` Vladimir Oltean
2022-01-31 15:46 ` [PATCH net-next 2/5] net: dsa: mv88e6xxx: Support policy entries in the VTU Tobias Waldekranz
2022-01-31 15:46 ` [PATCH net-next 3/5] net: dsa: mv88e6xxx: Enable port policy support on 6097 Tobias Waldekranz
2022-01-31 15:46 ` [PATCH net-next 4/5] net: dsa: mv88e6xxx: Improve multichip isolation of standalone ports Tobias Waldekranz
2022-02-01 17:55   ` Vladimir Oltean
2022-02-01 21:08     ` Tobias Waldekranz
2022-01-31 15:46 ` [PATCH net-next 5/5] selftests: net: bridge: Parameterize ageing timeout Tobias Waldekranz
2022-01-31 17:01   ` Petr Machata
