[PATCH net-next 00/10] DSA unicast filtering

From: Vladimir Oltean <vladimir.oltean@nxp.com>
To: netdev@vger.kernel.org
Cc: Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Ido Schimmel <idosch@nvidia.com>,
	Tobias Waldekranz <tobias@waldekranz.com>,
	Claudiu Manoil <claudiu.manoil@nxp.com>,
	Alexandre Belloni <alexandre.belloni@bootlin.com>,
	UNGLinuxDriver@microchip.com
Subject: [PATCH net-next 00/10] DSA unicast filtering
Date: Wed,  2 Mar 2022 21:14:07 +0200	[thread overview]
Message-ID: <20220302191417.1288145-1-vladimir.oltean@nxp.com> (raw)

This series doesn't attempt anything extremely brave, it just changes
the way in which standalone ports which support FDB isolation work.

Up until now, DSA has recommended that switch drivers configure
standalone ports in a separate VID/FID with learning disabled, and with
the CPU port as the only destination, reached trivially via flooding.
That works, except that standalone ports will deliver all packets to the
CPU. We can leverage the hardware FDB as a MAC DA filter, and disable
flooding towards the CPU port, to force the dropping of packets with
unknown MAC DA.

We handle port promiscuity by re-enabling flooding towards the CPU port.
This is relevant because the bridge puts its automatic (learning +
flooding) ports in promiscuous mode, and this makes some things work
automagically, like for example bridging with a foreign interface.
We don't delve yet into the territory of managing CPU flooding more
aggressively while under a bridge.

The only switch driver that benefits from this work right now is the
NXP LS1028A switch (felix). The others need to implement FDB isolation
first, before DSA is going to install entries to the port's standalone
database. Otherwise, these entries might collide with bridge FDB/MDB
entries.

This work was done mainly to have all the required features in place
before somebody starts seriously architecting DSA support for multiple
CPU ports. Otherwise it is much more difficult to bolt these features on
top of multiple CPU ports.

Vladimir Oltean (10):
  net: dsa: remove workarounds for changing master promisc/allmulti only
    while up
  net: dsa: rename the host FDB and MDB methods to contain the "bridge"
    namespace
  net: dsa: install secondary unicast and multicast addresses as host
    FDB/MDB
  net: dsa: install the primary unicast MAC address as standalone port
    host FDB
  net: dsa: manage flooding on the CPU ports
  net: dsa: felix: migrate host FDB and MDB entries when changing tag
    proto
  net: dsa: felix: migrate flood settings from NPI to tag_8021q CPU port
  net: dsa: felix: start off with flooding disabled on the CPU port
  net: dsa: felix: stop clearing CPU flooding in felix_setup_tag_8021q
  net: mscc: ocelot: accept configuring bridge port flags on the NPI
    port

 drivers/net/dsa/ocelot/felix.c     | 241 ++++++++++++++++++++------
 drivers/net/ethernet/mscc/ocelot.c |   3 +
 include/net/dsa.h                  |   7 +
 net/dsa/dsa.c                      |  40 +++++
 net/dsa/dsa_priv.h                 |  53 +++++-
 net/dsa/port.c                     | 160 +++++++++++++-----
 net/dsa/slave.c                    | 261 +++++++++++++++++++++++------
 7 files changed, 609 insertions(+), 156 deletions(-)

-- 
2.25.1