2
0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00

net: dsa: mv88e6xxx: Improve isolation of standalone ports

Clear MapDA on standalone ports to bypass any ATU lookup that might
point the packet in the wrong direction. This means that all packets
are flooded using the PVT config. So make sure that standalone ports
are only allowed to communicate with the local upstream port.

Here is a scenario in which this is needed:

   CPU
    |     .----.
.---0---. | .--0--.
|  sw0  | | | sw1 |
'-1-2-3-' | '-1-2-'
      '---'

- sw0p1 and sw1p1 are bridged
- sw0p2 and sw1p2 are in standalone mode
- Learning must be enabled on sw0p3 in order for hardware forwarding
  to work properly between bridged ports

1. A packet with SA :aa comes in on sw1p2
   1a. Egresses sw1p0
   1b. Ingresses sw0p3, ATU adds an entry for :aa towards port 3
   1c. Egresses sw0p0

2. A packet with DA :aa comes in on sw0p2
   2a. If an ATU lookup is done at this point, the packet will be
       incorrectly forwarded towards sw0p3. With this change in place,
       the ATU is bypassed and the packet is forwarded in accordance
       with the PVT, which only contains the CPU port.

Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Tobias Waldekranz 2022-02-03 11:16:53 +01:00 committed by David S. Miller
parent b566967c3c
commit 7af4a361a6
4 changed files with 43 additions and 10 deletions

View File

@ -1290,8 +1290,15 @@ static u16 mv88e6xxx_port_vlan(struct mv88e6xxx_chip *chip, int dev, int port)
pvlan = 0; pvlan = 0;
/* Frames from user ports can egress any local DSA links and CPU ports, /* Frames from standalone user ports can only egress on the
* as well as any local member of their bridge group. * upstream port.
*/
if (!dsa_port_bridge_dev_get(dp))
return BIT(dsa_switch_upstream_port(ds));
/* Frames from bridged user ports can egress any local DSA
* links and CPU ports, as well as any local member of their
* bridge group.
*/ */
dsa_switch_for_each_port(other_dp, ds) dsa_switch_for_each_port(other_dp, ds)
if (other_dp->type == DSA_PORT_TYPE_CPU || if (other_dp->type == DSA_PORT_TYPE_CPU ||
@ -2487,6 +2494,10 @@ static int mv88e6xxx_port_bridge_join(struct dsa_switch *ds, int port,
if (err) if (err)
goto unlock; goto unlock;
err = mv88e6xxx_port_set_map_da(chip, port, true);
if (err)
return err;
err = mv88e6xxx_port_commit_pvid(chip, port); err = mv88e6xxx_port_commit_pvid(chip, port);
if (err) if (err)
goto unlock; goto unlock;
@ -2521,6 +2532,12 @@ static void mv88e6xxx_port_bridge_leave(struct dsa_switch *ds, int port,
mv88e6xxx_port_vlan_map(chip, port)) mv88e6xxx_port_vlan_map(chip, port))
dev_err(ds->dev, "failed to remap in-chip Port VLAN\n"); dev_err(ds->dev, "failed to remap in-chip Port VLAN\n");
err = mv88e6xxx_port_set_map_da(chip, port, false);
if (err)
dev_err(ds->dev,
"port %d failed to restore map-DA: %pe\n",
port, ERR_PTR(err));
err = mv88e6xxx_port_commit_pvid(chip, port); err = mv88e6xxx_port_commit_pvid(chip, port);
if (err) if (err)
dev_err(ds->dev, dev_err(ds->dev,
@ -2918,12 +2935,13 @@ static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port)
return err; return err;
/* Port Control 2: don't force a good FCS, set the MTU size to /* Port Control 2: don't force a good FCS, set the MTU size to
* 10222 bytes, disable 802.1q tags checking, don't discard tagged or * 10222 bytes, disable 802.1q tags checking, don't discard
* untagged frames on this port, do a destination address lookup on all * tagged or untagged frames on this port, skip destination
* received packets as usual, disable ARP mirroring and don't send a * address lookup on user ports, disable ARP mirroring and don't
* copy of all transmitted/received frames on this port to the CPU. * send a copy of all transmitted/received frames on this port
* to the CPU.
*/ */
err = mv88e6xxx_port_set_map_da(chip, port); err = mv88e6xxx_port_set_map_da(chip, port, !dsa_is_user_port(ds, port));
if (err) if (err)
return err; return err;

View File

@ -1278,7 +1278,7 @@ int mv88e6xxx_port_drop_untagged(struct mv88e6xxx_chip *chip, int port,
return mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_CTL2, new); return mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_CTL2, new);
} }
int mv88e6xxx_port_set_map_da(struct mv88e6xxx_chip *chip, int port) int mv88e6xxx_port_set_map_da(struct mv88e6xxx_chip *chip, int port, bool map)
{ {
u16 reg; u16 reg;
int err; int err;
@ -1287,7 +1287,10 @@ int mv88e6xxx_port_set_map_da(struct mv88e6xxx_chip *chip, int port)
if (err) if (err)
return err; return err;
reg |= MV88E6XXX_PORT_CTL2_MAP_DA; if (map)
reg |= MV88E6XXX_PORT_CTL2_MAP_DA;
else
reg &= ~MV88E6XXX_PORT_CTL2_MAP_DA;
return mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_CTL2, reg); return mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_CTL2, reg);
} }

View File

@ -425,7 +425,7 @@ int mv88e6185_port_get_cmode(struct mv88e6xxx_chip *chip, int port, u8 *cmode);
int mv88e6352_port_get_cmode(struct mv88e6xxx_chip *chip, int port, u8 *cmode); int mv88e6352_port_get_cmode(struct mv88e6xxx_chip *chip, int port, u8 *cmode);
int mv88e6xxx_port_drop_untagged(struct mv88e6xxx_chip *chip, int port, int mv88e6xxx_port_drop_untagged(struct mv88e6xxx_chip *chip, int port,
bool drop_untagged); bool drop_untagged);
int mv88e6xxx_port_set_map_da(struct mv88e6xxx_chip *chip, int port); int mv88e6xxx_port_set_map_da(struct mv88e6xxx_chip *chip, int port, bool map);
int mv88e6095_port_set_upstream_port(struct mv88e6xxx_chip *chip, int port, int mv88e6095_port_set_upstream_port(struct mv88e6xxx_chip *chip, int port,
int upstream_port); int upstream_port);
int mv88e6xxx_port_set_mirror(struct mv88e6xxx_chip *chip, int port, int mv88e6xxx_port_set_mirror(struct mv88e6xxx_chip *chip, int port,

View File

@ -591,6 +591,18 @@ static inline bool dsa_is_upstream_port(struct dsa_switch *ds, int port)
return port == dsa_upstream_port(ds, port); return port == dsa_upstream_port(ds, port);
} }
/* Return the local port used to reach the CPU port */
static inline unsigned int dsa_switch_upstream_port(struct dsa_switch *ds)
{
struct dsa_port *dp;
dsa_switch_for_each_available_port(dp, ds) {
return dsa_upstream_port(ds, dp->index);
}
return ds->num_ports;
}
/* Return true if @upstream_ds is an upstream switch of @downstream_ds, meaning /* Return true if @upstream_ds is an upstream switch of @downstream_ds, meaning
* that the routing port from @downstream_ds to @upstream_ds is also the port * that the routing port from @downstream_ds to @upstream_ds is also the port
* which @downstream_ds uses to reach its dedicated CPU. * which @downstream_ds uses to reach its dedicated CPU.