Date: Fri, 4 Apr 2025 19:47:48 +0100
From: Lexi Winter
To: freebsd-net@freebsd.org
Subject: bridge(4) VLAN filtering

hello,

over the last few days i have been doing a bit of work on VLAN filtering
for bridge(4), which i thought i'd mention here in case anyone is
interested.  the purpose of this is to extend the existing bridge VLAN
support to make it more generally useful.

the full changeset / diff is available at [0], including documentation
and basic ATF tests.  a summary of the new features:

- a bridge member's PVID may be configured using ifpvid:

        ifconfig bridge0 ifpvid ix0 20

  setting a PVID enables VLAN filtering on the member interface and
  restricts it to only send/receive frames on that specific VLAN.
  untagged incoming frames will be assigned to the correct VLAN.

- a bridge member's port type may be configured using iftype:

        ifconfig bridge0 iftype ix0

  access ports may only send/receive untagged frames; trunk ports may
  only send/receive frames with a non-zero .1q tag; hybrid ports may
  send/receive either type of frame.

- for trunk and hybrid ports, the list of permitted VLANs may be set
  using +ifvlans/-ifvlans:

        ifconfig bridge0 +ifvlans ix0 100-599
        ifconfig bridge0 -ifvlans ix0 105,300

  the port will only be allowed to communicate on the VLANs in its
  access list (plus its PVID).

- the VLAN configuration for a port is displayed in ifconfig:

        member: test2a flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 2000
                pvid 1 type trunk vlans 20

- when bridging between different port types (e.g. an access port and a
  trunk port), the bridge will add or remove .1q tags as required.

- an SVI for a particular vlan may be created on the bridge using
  vlan(4):

        ifconfig vlan20 create vlan 20 vlandev bridge0

  the SVI interface will send/receive traffic for that particular VLAN.

to make review a bit easier, my plan is to submit this as smaller
changesets of self-contained features.  to start with that's two minor
bug fixes:

        https://github.com/freebsd/freebsd-src/pull/1639
        https://github.com/freebsd/freebsd-src/pull/1637

and the first actual feature which is the ifconfig 'ifpvid' option:

        https://github.com/freebsd/freebsd-src/pull/1634

if anyone has any comments/questions or would like to review this (or
even commit it!) do feel free - obviously, this requires a fair amount
of testing and i certainly wouldn't recommend using it in production
yet.  this is my first time writing any non-trivial kernel code, so it's
quite possible everything is completely wrong.

[0] https://github.com/freebsd/freebsd-src/compare/main...llfw:freebsd-src:lf/dev/bridge-1q
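
The port-type, PVID and VLAN-list rules summarised in the message above, written out as a small C model of the per-port accept/drop and tagging decision. This is an added example, not part of the message and not code from the changeset or from bridge(4); the struct and the port_* names are hypothetical. It assumes a member with a PVID set, uses tag 0 to mean "no .1q tag", and assumes a hybrid port sends its PVID VLAN untagged, which the message does not state.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the rules in the message for a member with a PVID set. */
enum port_type { PORT_ACCESS, PORT_TRUNK, PORT_HYBRID };

struct port {
	enum port_type type;	/* iftype */
	unsigned pvid;		/* ifpvid */
	bool vlans[4096];	/* list edited by +ifvlans / -ifvlans */
};

/* Add (on = true) or remove (on = false) VLANs lo..hi from the list. */
static void port_vlans(struct port *p, unsigned lo, unsigned hi, bool on)
{
	for (unsigned v = lo; v <= hi && v <= 4094; v++)
		p->vlans[v] = on;
}

/* A port may communicate on the VLANs in its list plus its PVID. */
static bool port_member(const struct port *p, unsigned vid)
{
	return vid >= 1 && vid <= 4094 && (vid == p->pvid || p->vlans[vid]);
}

/* Ingress: tag 0 = no .1q tag (assumption). Returns the VLAN, or -1 to drop. */
static int port_ingress(const struct port *p, unsigned tag)
{
	if (tag == 0)	/* untagged: trunk refuses it, others assign the PVID */
		return p->type == PORT_TRUNK ? -1 : (int)p->pvid;
	return (p->type != PORT_ACCESS && port_member(p, tag)) ? (int)tag : -1;
}

/* Egress: -1 = drop, 0 = send untagged, otherwise the .1q tag to send with. */
static int port_egress(const struct port *p, unsigned vid)
{
	if (!port_member(p, vid) || (p->type == PORT_ACCESS && vid != p->pvid))
		return -1;
	/* trunk always tags; hybrid sends only its PVID untagged (assumption) */
	return (p->type == PORT_TRUNK || vid != p->pvid) ? (int)vid : 0;
}

int main(void)
{
	struct port ix0 = { PORT_HYBRID, 20, { false } };	/* constructed */
	port_vlans(&ix0, 100, 599, true);
	printf("%d %d\n", port_ingress(&ix0, 0), port_ingress(&ix0, 600));
	return 0;
}
```

A table like this is a convenient oracle when testing that a filtering port drops frames for VLANs outside its list rather than leaking them between segments.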