From nobody Wed Jun  4 06:22:39 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bByDd13Jpz5xY2V;
	Wed, 04 Jun 2025 06:22:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4bByDb6sw3z44Ck;
	Wed, 04 Jun 2025 06:22:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1749018160;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RtfQk7N4aaVSfMLzipyVQsGMGMIN0GFjG6EBPvKnwO4=;
	b=yffcLwIJ6BnX5d0Cy0jTOyYGHntd0S4y8sLIR0CiuvAL1NMThMyb6kAI/yoz+OOZa2QXZc
	QWXi86cY0BFQRsR4stz9LiC4JyJpzXAtulQ6EmhMpbBWyUCtwUQNf43lobU+dY7A/Ne4yL
	krtoZOCxYLciu4dg/20MCYfMG9S0Hypyp2ZkQbDJvgmKD8j0KWqa/BkMg/UMr1Gd7/KvBh
	ymaRiipjB7RQ5+mEpYxTgaEeqqGP68Z/ck53BaXa8HqGPwqbaeepoKxXL/fJY/xC+AN1XX
	HYoBo0YGKpjKWCknbVifudVrkFhYfJ/aG5uNdaMaTuFx0IemkUTYHiH8jlhRdg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1749018160;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RtfQk7N4aaVSfMLzipyVQsGMGMIN0GFjG6EBPvKnwO4=;
	b=E52oY8tkNj3VrwXwQjc9bLF8BpVmsRFU/FWh3+27CNKVFt3f8veDVGlPQZ5KBPt0UIkTvX
	MEVUd/bINEJ5PTDAe4vd7sZ+wj3+NfeE9J71HANprf7HQoV1VwgI2BScK8lQrsghT+73HD
	9YxE5dDrGt0i32fcr51mFB9FSEDNUTBjc70dZwBFWlQ4v0yvVrVnu2JamkDoelNBBKvmip
	RtCNdr9r/1psBmnf6000RjH5l5keOQsNDplPicrXFKt3MmxVXgMzV33ZxnIwZ10hhv91IS
	DH8fVAA9ew3RPvfaYvzmF/e4m6Ft36Ry1NtKPio8Gt0wCvAWi8tq0QBtl87vFg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1749018160; a=rsa-sha256; cv=none;
	b=GhUBPYzj48piFJoDZ4LpIXhMj8kty0lQjp1p+nzOf7+kdVkCMXVDu8xSbRHQxu0wRU2he9
	KSToOCtujj2GitGMl9iusi0uc8m2WAYiNV+EDFF0gxIpQ2vgjBjViMIuZ+Kp6GbyRLlmWq
	ryMsDVEoBAc04FZZBiz8ybqQyTBChkpAPiM7mzI2VZ0Mvj7sr2iUfQSLSc6ZCogqOGGLvv
	17UO5WuRW4GrUijB/a+aUxgvw+B+4IYJLf0RSSADC9gJzLu/n9Zk0w6PkDJGBmZouQQ9Sz
	WV+e8x8tEJyJGXcPx9tyE0GU2BaGVNf4fDSVhv3OzU6gTaKSFtDdtNe1WfWW1Q==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bByDb4MsYz1B0X;
	Wed, 04 Jun 2025 06:22:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5546Md16032163;
	Wed, 4 Jun 2025 06:22:39 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5546Mdsr032160;
	Wed, 4 Jun 2025 06:22:39 GMT
	(envelope-from git)
Date: Wed, 4 Jun 2025 06:22:39 GMT
Message-Id: <202506040622.5546Mdsr032160@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Lexi Winter <ivy@FreeBSD.org>
Subject: git: a5fe142e0844 - main - bridge: fix vlan(4) on a bridge
  member
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ivy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a5fe142e08447c7116b89159c110d02e860ac6a1
Auto-Submitted: auto-generated

The branch main has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=a5fe142e08447c7116b89159c110d02e860ac6a1

commit a5fe142e08447c7116b89159c110d02e860ac6a1
Author:     Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-06-04 06:05:12 +0000
Commit:     Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-06-04 06:05:12 +0000

    bridge: fix vlan(4) on a bridge member
    
    If an interface is a bridge member, and a vlan(4) is also created on
    that interface, and net.link.bridge.member_ifaddrs=0, then vlan(4)
    will never see any incoming frames because bridge doesn't pass them
    to the host for processing.
    
    Work around this by checking for locally-addressed frames using the
    MAC address of the interface we received the frame on, but only if
    the frame has a .1q tag and there's a vlan trunk on the interface.
    
    This behaviour is almost certainly "wrong" and it's not clear if we
    really want to support this, but it did work in the past and the
    member_ifaddrs change was not supposed to break it, so this restores
    the previous behaviour.
    
    PR:     287150
    MFC after:      1 week
    Reviewed by:    kevans, des
    Approved by:    kevans (mentor), des (mentor)
    Differential Revision:  https://reviews.freebsd.org/D50623
---
 sys/net/if_bridge.c             | 23 ++++++++-----------
 tests/sys/net/if_bridge_test.sh | 51 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 9338d28437d0..82a530042413 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -2778,22 +2778,19 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)
 	do { GRAB_OUR_PACKETS(bifp) } while (0);
 
 	/*
-	 * We only need to check members interfaces if member_ifaddrs is
-	 * enabled; otherwise we should have never traffic destined for a
-	 * member's lladdr.
+	 * Check the interface the packet arrived on.  For tagged frames,
+	 * we need to do this even if member_ifaddrs is disabled because
+	 * vlan(4) might need to handle the traffic.
 	 */
-
-	if (V_member_ifaddrs) {
-		/*
-		 * Give a chance for ifp at first priority. This will help when
-		 * the packet comes through the interface like VLAN's with the
-		 * same MACs on several interfaces from the same bridge. This
-		 * also will save some CPU cycles in case the destination
-		 * interface and the input interface (eq ifp) are the same.
-		 */
+	if (V_member_ifaddrs || (vlan && ifp->if_vlantrunk))
 		do { GRAB_OUR_PACKETS(ifp) } while (0);
 
-		/* Now check the all bridge members. */
+	/*
+	 * We only need to check other members interface if member_ifaddrs
+	 * is enabled; otherwise we should have never traffic destined for
+	 * a member's lladdr.
+	 */
+	if (V_member_ifaddrs) {
 		CK_LIST_FOREACH(bif2, &sc->sc_iflist, bif_next) {
 			GRAB_OUR_PACKETS(bif2->bif_ifp)
 		}
diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index f9a36126fe59..2c6b039048e3 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -779,6 +779,56 @@ member_ifaddrs_disabled_cleanup()
 	vnet_cleanup
 }
 
+#
+# Test kern/287150: when member_ifaddrs=0, and a physical interface which is in
+# a bridge also has a vlan(4) on it, tagged packets are not correctly passed to
+# vlan(4).
+atf_test_case "member_ifaddrs_vlan" "cleanup"
+member_ifaddrs_vlan_head()
+{
+	atf_set descr 'kern/287150: vlan and bridge on the same interface'
+	atf_set require.user root
+}
+
+member_ifaddrs_vlan_body()
+{
+	vnet_init
+	vnet_init_bridge
+
+	epone=$(vnet_mkepair)
+	eptwo=$(vnet_mkepair)
+
+	# The first jail has an epair with an IP address on vlan 20.
+	vnet_mkjail one ${epone}a
+	atf_check -s exit:0 jexec one ifconfig ${epone}a up
+	atf_check -s exit:0 jexec one \
+	    ifconfig ${epone}a.20 create inet 192.0.2.1/24 up
+
+	# The second jail has an epair with an IP address on vlan 20,
+	# which is also in a bridge.
+	vnet_mkjail two ${epone}b
+
+	jexec two ifconfig
+	atf_check -s exit:0 -o save:bridge jexec two ifconfig bridge create
+	bridge=$(cat bridge)
+	atf_check -s exit:0 jexec two ifconfig ${bridge} addm ${epone}b up
+
+	atf_check -s exit:0 -o ignore jexec two \
+	    sysctl net.link.bridge.member_ifaddrs=0
+	atf_check -s exit:0 jexec two ifconfig ${epone}b up
+	atf_check -s exit:0 jexec two \
+	    ifconfig ${epone}b.20 create inet 192.0.2.2/24 up
+
+	# Make sure the two jails can communicate over the vlan.
+	atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2
+	atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1
+}
+
+member_ifaddrs_vlan_cleanup()
+{
+	vnet_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "bridge_transmit_ipv4_unicast"
@@ -796,4 +846,5 @@ atf_init_test_cases()
 	atf_add_test_case "many_bridge_members"
 	atf_add_test_case "member_ifaddrs_enabled"
 	atf_add_test_case "member_ifaddrs_disabled"
+	atf_add_test_case "member_ifaddrs_vlan"
 }