Re: [PATCH net] macsec: Support VLAN-filtering lower devices

[Sabrina Dubroca <sd@queasysnail.net>]

2026-01-12, 10:32:17 +0000, Cosmin Ratiu wrote:
> On Sat, 2026-01-10 at 23:45 +0100, Sabrina Dubroca wrote:
> > 2026-01-09, 13:50:24 +0000, Cosmin Ratiu wrote:
> > 
> > > Would you like to see any tweaks to the proposed patch?
> > 
> > Well, updating the lower device's VLAN filters when not using offload
> > is undesireable, so macsec_vlan_rx_{add,kill}_vid should check that
> > offload is used, but then we'd have to remove/re-add then when
> > offload
> > is toggled after some vlan devices have been created on top of the
> > macsec device.  Keeping track of all the ids we've pushed down via
> > macsec_vlan_rx_add_vid seems a bit unreasonable, but maybe we can
> > call vlan_{get,drop}_rx_*_filter_info when we toggle macsec offload?
> > (not sure if that will have the behavior we want)
> > 
> 
> Perhaps "undesirable" is too strong of a word. I would use "unneeded".
> Having the encrypted VLANs in the lower dev HW filter can't do too much
> harm, except maybe allowing some non-macsec packets with those vlans
> when previously they wouldn't be allowed.

Well, if an admin has the filters working and suddenly starts seeing
packets that should have been filtered out, they may get confused.

> But remember what happened before the mentioned "Fixes" patch: the
> lower device was put in promisc mode because it didn't advertise
> IFF_UNICAST_FLT so it would have received all packets anyway.
> So this fix is strictly better, simple enough that it can be understood
> to be harmless.

Ok.

> The vlan_{get,drop}_rx_*_filter_info functions simply call device
> notifiers when the VLAN filter flags change, they're not useful for
> obtaining the list of VLANs. The upper devs keep track of those.

But that notifier gets caught in vlan_device_event, which calls
vlan_filter_push_vids. That iterates all existing vlans and pushes
them into the real device. That's why I thought it might work here,
but I haven't tried.

> If I engineer the fix we're discussing here (which would make macsec
> keep track of VLANs), it would be significantly more complicated, and
> it belonging into net instead of net-next could be called into
> question.

Sure, if we have to implement all that in macsec, I would agree to
take the current patch, and do the tracking later in net-next. In that
case, please just add a note to the commit message about the offload
vs non-offload behavior we're discussing here.

Either way, it would also be good to add some selftests.

-- 
Sabrina