From: Jakub Slepecki <jakub.slepecki@intel.com>
To: intel-wired-lan@lists.osuosl.org
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
przemyslaw.kitszel@intel.com, anthony.l.nguyen@intel.com,
michal.swiatkowski@linux.intel.com, jakub.slepecki@intel.com,
aleksandr.loktionov@intel.com
Subject: [PATCH iwl-next v3 0/8] ice: in VEB, prevent "cross-vlan" traffic
Date: Tue, 20 Jan 2026 11:34:31 +0100 [thread overview]
Message-ID: <20260120103440.892326-1-jakub.slepecki@intel.com> (raw)
Currently, packets that match MAC address of a VF will be sent to loopback
even if they would cross VLAN boundaries. Effectively, this drops them.
In this patch series, we aim to address this behaviour by adding MAC,VLAN
to complement what MAC-only filters do to select packets for loopback.
To reproduce the issue have an E810 ($pfa) connected to another adapter
($pfb), then:
# echo 2 >/sys/class/net/$pfa/device/sriov_numvfs
# ip l set $pfa vf 0 vlan 4
# ip l set $pfa vf 1 vlan 7
# ip l set $pfa_vf0 netns $pfa_vf0_netns up
# ip l set $pfa_vf1 netns $pfa_vf1_netns up
# ip netns exec $pfa_vf0_netns ip a add 10.0.0.1/24 dev $pfa_vf0
# ip netns exec $pfa_vf1_netns ip a add 10.0.0.2/24 dev $pfa_vf1
And for the $pfb:
# echo 2 >/sys/class/net/$pfb/device/sriov_numvfs
# ip l set $pfb vf 0 trust on spoof off vlan 4
# ip l set $pfb vf 1 trust on spoof off vlan 7
# ip l add $br type bridge
# ip l set $pfb_vf0 master $br up
# ip l set $pfb_vf1 master $br up
# ip l set $br up
We expect $pfa_vf0 to be able to reach $pfa_vf1 through the $br on
the link partner. Instead, ARP is unable to resolve 10.0.0.2/24.
ARP request is fine because it's broadcastd and bounces off $br, but
ARP reply is stuck in the internal switch because the destination MAC
matches $pfa_vf0 and filter restricts it to the loopback.
In testing I used: ip utility, iproute2-6.1.0, libbpf 1.3.0
Changes in v3:
- Improve structure of reproduction description in cover letter.
- LB_LAN masks and values no longer rely on boolean promotion.
- ice_fill_sw_info() deals with u8 the entire time instead of building
building lb_en and lan_en values at the end from booleans.
- Refer to reproduction in cover letter in current 5/8.
- Fixed some slip-ups "this patch" and "this commit" in commit
messages across the series. I did not consider this change for
reviewed-by drop.
Changes in v2:
- Use FIELD_GET et al. when handling fi.lb_en and fi.lan_en.
- Rename /LB_LAN/ s/_MASK/_M/ because one of uses would need to break
line.
- Close open parenthesis in ice_vsi_update_bridge_mode() description.
- Explain returns in ice_vsi_update_bridge_mode().
v2: https://lore.kernel.org/intel-wired-lan/20251125083456.28822-1-jakub.slepecki@intel.com/T/
v1: https://lore.kernel.org/intel-wired-lan/20251120162813.37942-1-jakub.slepecki@intel.com/T/
Jakub Slepecki (7):
ice: in dvm, use outer VLAN in MAC,VLAN lookup
ice: allow creating mac,vlan filters along mac filters
ice: do not check for zero mac when creating mac filters
ice: allow overriding lan_en, lb_en in switch
ice: update mac,vlan rules when toggling between VEB and VEPA
ice: add functions to query for vsi's pvids
ice: in VEB, prevent "cross-vlan" traffic from hitting loopback
Michal Swiatkowski (1):
ice: add mac vlan to filter API
drivers/net/ethernet/intel/ice/ice_fltr.c | 104 +++++++++++++++++-
drivers/net/ethernet/intel/ice/ice_fltr.h | 10 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 56 ++++++++++
drivers/net/ethernet/intel/ice/ice_lib.h | 2 +
drivers/net/ethernet/intel/ice/ice_main.c | 56 +++++++---
drivers/net/ethernet/intel/ice/ice_switch.c | 79 +++++++++----
drivers/net/ethernet/intel/ice/ice_switch.h | 13 ++-
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 8 +-
.../net/ethernet/intel/ice/ice_vlan_mode.c | 12 ++
9 files changed, 295 insertions(+), 45 deletions(-)
--
2.43.0
next reply other threads:[~2026-01-20 10:34 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 10:34 Jakub Slepecki [this message]
2026-01-20 10:34 ` [PATCH iwl-next v3 1/8] ice: in dvm, use outer VLAN in MAC,VLAN lookup Jakub Slepecki
2026-01-20 10:34 ` [PATCH iwl-next v3 2/8] ice: allow creating mac,vlan filters along mac filters Jakub Slepecki
2026-01-20 10:34 ` [PATCH iwl-next v3 3/8] ice: do not check for zero mac when creating " Jakub Slepecki
2026-01-26 23:21 ` Tony Nguyen
2026-01-27 10:31 ` Jakub Slepecki
2026-01-27 18:45 ` Tony Nguyen
2026-01-20 10:34 ` [PATCH iwl-next v3 4/8] ice: allow overriding lan_en, lb_en in switch Jakub Slepecki
2026-01-20 10:34 ` [PATCH iwl-next v3 5/8] ice: update mac,vlan rules when toggling between VEB and VEPA Jakub Slepecki
2026-01-20 10:34 ` [PATCH iwl-next v3 6/8] ice: add functions to query for vsi's pvids Jakub Slepecki
2026-01-20 10:34 ` [PATCH iwl-next v3 7/8] ice: add mac vlan to filter API Jakub Slepecki
2026-01-20 10:34 ` [PATCH iwl-next v3 8/8] ice: in VEB, prevent "cross-vlan" traffic from hitting loopback Jakub Slepecki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260120103440.892326-1-jakub.slepecki@intel.com \
--to=jakub.slepecki@intel.com \
--cc=aleksandr.loktionov@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michal.swiatkowski@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=przemyslaw.kitszel@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox