• mlxsw: spectrum_switchdev: Add locked bridge port support · 25ed8088
    Ido Schimmel authored
    Add locked bridge port support by reacting to changes in the
    'BR_PORT_LOCKED' flag. When set, enable security checks on the local
    port via the previously added SPFSR register.
    
    When security checks are enabled, an incoming packet will trigger an FDB
    lookup with the packet's source MAC and the FID it was classified to. If
    an FDB entry was not found or was found to be pointing to a different
    port, the packet will be dropped. Such packets increment the
    "discard_ingress_general" ethtool counter. For added visibility, user
    space can trap such packets to the CPU by enabling the "locked_port"
    trap. Example:
    
     # devlink trap set pci/0000:06:00.0 trap locked_port action trap
    
    Unlike other configurations done via bridge port flags (e.g., learning,
    flooding), security checks are enabled in the device on a per-port basis
    and not on a per-{port, VLAN} basis. As such, scenarios where user space
    can configure different locking settings for different VLANs configured
    on a port need to be vetoed. To that end, veto the following scenarios:
    
    1. Locking is set on a bridge port that is a VLAN upper
    
    2. Locking is set on a bridge port that has VLAN uppers
    
    3. VLAN upper is configured on a locked bridge port
    
    Examples:
    
     # bridge link set dev swp1.10 locked on
     Error: mlxsw_spectrum: Locked flag cannot be set on a VLAN upper.
    
     # ip link add link swp1 name swp1.10 type vlan id 10
     # bridge link set dev swp1 locked on
     Error: mlxsw_spectrum: Locked flag cannot be set on a bridge port that has VLAN uppers.
    
     # bridge link set dev swp1 locked on
     # ip link add link swp1 name swp1.10 type vlan id 10
     Error: mlxsw_spectrum: VLAN uppers are not supported on a locked port.
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Petr Machata <petrm@nvidia.com>
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
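
The ingress check described in the commit message, as a simplified user-space model in C. This is an added example, not mlxsw driver code: the struct, enum and function names are hypothetical, and the FDB contents are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not mlxsw code: all names here are hypothetical. */
struct fdb_entry { uint8_t mac[6]; uint16_t fid; int port; };

struct port {
    int id;
    bool locked;                      /* mirrors BR_PORT_LOCKED */
    uint64_t discard_ingress_general; /* counter named in the commit message */
};

enum verdict { PKT_FORWARD, PKT_DROP };

/* Look up {source MAC, FID}; returns the owning port or -1 on a miss. */
static int fdb_lookup(const struct fdb_entry *fdb, size_t n,
                      const uint8_t *smac, uint16_t fid)
{
    for (size_t i = 0; i < n; i++)
        if (fdb[i].fid == fid && memcmp(fdb[i].mac, smac, 6) == 0)
            return fdb[i].port;
    return -1;
}

/* Ingress security check: only a locked port enforces the lookup. */
static enum verdict ingress_check(struct port *p, const struct fdb_entry *fdb,
                                  size_t n, const uint8_t *smac, uint16_t fid)
{
    if (!p->locked)
        return PKT_FORWARD;
    if (fdb_lookup(fdb, n, smac, fid) == p->id)
        return PKT_FORWARD;           /* entry exists and points here */
    p->discard_ingress_general++;     /* miss, or entry on another port */
    return PKT_DROP;
}

int main(void)
{
    /* Constructed sample data: one authorized host on port 1, FID 10. */
    const struct fdb_entry fdb[] = { { {2,0,0,0,0,1}, 10, 1 } };
    const uint8_t known[6] = {2,0,0,0,0,1}, unknown[6] = {2,0,0,0,0,9};
    struct port swp1 = { 1, true, 0 }, swp2 = { 2, true, 0 };

    printf("%d\n", ingress_check(&swp1, fdb, 1, known, 10));   /* forward */
    printf("%d\n", ingress_check(&swp1, fdb, 1, unknown, 10)); /* miss */
    printf("%d\n", ingress_check(&swp2, fdb, 1, known, 10));   /* other port */
    return 0;
}
```

Because the lookup key includes the FID, a MAC that is authorized in one FID is still dropped when it arrives classified to another.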