* [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
@ 2026-03-23 12:36 Cosmin Ratiu
From: Cosmin Ratiu @ 2026-03-23 12:36 UTC (permalink / raw)
To: netdev
Cc: Sabrina Dubroca, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Shuah Khan, linux-kselftest,
Cosmin Ratiu, Dragos Tatulea
This short series adds support for VLANs in macsec devices when offload
mode is enabled. This allows VLAN netdevs on top of macsec netdevs to
function, which accidentally used to be the case in the past, but was
broken. This series adds back proper support.
As part of this, the existing nsim-only macsec offload tests were
translated to Python so they can run against real HW and new
traffic-based tests were added for VLAN filter propagation, since
there's currently no uAPI to check VLAN filters.
---
V5:
- Merged tests and macsec lib in a single file.
- Fixed Python linter issues.
- Added CONFIG_MACSEC to tools/testing/selftests/drivers/net/config
V4:
- Migrated nsim-only macsec tests to Python, usable against real hw.
- Ran these tests against both nsim and mlx5.
- Gave up on nsim patches since the tests no longer use them.
V3: https://lore.kernel.org/netdev/20260306151004.2862198-1-cratiu@nvidia.com/t/#u
- Moved back to net.
- Added proper rollback support for VLAN filters in case of failure.
- Added VLAN as a requirement for the new macsec tests.
V2: https://lore.kernel.org/netdev/20260227090227.1552512-1-cratiu@nvidia.com/
- Sent to net-next instead of net because of apparent complexity.
- Changed VLAN filtering to only function in offload mode.
- Added tests.
V1: https://lore.kernel.org/netdev/20260107104723.2750725-1-cratiu@nvidia.com/
Cosmin Ratiu (3):
selftests: Migrate nsim-only MACsec tests to Python
selftests: Add MACsec VLAN propagation traffic test
macsec: Support VLAN-filtering lower devices
drivers/net/macsec.c | 44 ++-
tools/testing/selftests/drivers/net/Makefile | 1 +
tools/testing/selftests/drivers/net/config | 1 +
tools/testing/selftests/drivers/net/macsec.py | 305 ++++++++++++++++++
.../selftests/drivers/net/netdevsim/Makefile | 1 -
.../drivers/net/netdevsim/macsec-offload.sh | 117 -------
6 files changed, 346 insertions(+), 123 deletions(-)
create mode 100755 tools/testing/selftests/drivers/net/macsec.py
delete mode 100755 tools/testing/selftests/drivers/net/netdevsim/macsec-offload.sh
--
2.53.0
* [PATCH net v5 1/3] selftests: Migrate nsim-only MACsec tests to Python
From: Cosmin Ratiu @ 2026-03-23 12:36 UTC (permalink / raw)
To: netdev
Cc: Sabrina Dubroca, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Shuah Khan, linux-kselftest,
Cosmin Ratiu, Dragos Tatulea
Move MACsec offload API and ethtool feature tests from
tools/testing/selftests/drivers/net/netdevsim/macsec-offload.sh to
tools/testing/selftests/drivers/net/macsec.py using the NetDrvEnv
framework so tests can run against both netdevsim (default) and real
hardware (NETIF=ethX). As some real hardware requires macsec to use
encryption, add that to the tests.
Netdevsim-specific limit checks (max SecY, max RX SC) were moved into
separate test cases to avoid failures on real hardware.
Finally, MACSEC was added as a config option to drivers/net/config.
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
---
tools/testing/selftests/drivers/net/Makefile | 1 +
tools/testing/selftests/drivers/net/config | 1 +
tools/testing/selftests/drivers/net/macsec.py | 179 ++++++++++++++++++
.../selftests/drivers/net/netdevsim/Makefile | 1 -
.../drivers/net/netdevsim/macsec-offload.sh | 117 ------------
5 files changed, 181 insertions(+), 118 deletions(-)
create mode 100755 tools/testing/selftests/drivers/net/macsec.py
delete mode 100755 tools/testing/selftests/drivers/net/netdevsim/macsec-offload.sh
diff --git a/tools/testing/selftests/drivers/net/Makefile b/tools/testing/selftests/drivers/net/Makefile
index 8154d6d429d3..5e045dde0273 100644
--- a/tools/testing/selftests/drivers/net/Makefile
+++ b/tools/testing/selftests/drivers/net/Makefile
@@ -13,6 +13,7 @@ TEST_GEN_FILES := \
TEST_PROGS := \
gro.py \
hds.py \
+ macsec.py \
napi_id.py \
napi_threaded.py \
netpoll_basic.py \
diff --git a/tools/testing/selftests/drivers/net/config b/tools/testing/selftests/drivers/net/config
index 77ccf83d87e0..d4b31a317c09 100644
--- a/tools/testing/selftests/drivers/net/config
+++ b/tools/testing/selftests/drivers/net/config
@@ -3,6 +3,7 @@ CONFIG_DEBUG_INFO_BTF=y
CONFIG_DEBUG_INFO_BTF_MODULES=n
CONFIG_INET_PSP=y
CONFIG_IPV6=y
+CONFIG_MACSEC=m
CONFIG_NETCONSOLE=m
CONFIG_NETCONSOLE_DYNAMIC=y
CONFIG_NETCONSOLE_EXTENDED_LOG=y
diff --git a/tools/testing/selftests/drivers/net/macsec.py b/tools/testing/selftests/drivers/net/macsec.py
new file mode 100755
index 000000000000..a17b9f7ef584
--- /dev/null
+++ b/tools/testing/selftests/drivers/net/macsec.py
@@ -0,0 +1,179 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0
+
+"""MACsec tests."""
+
+import os
+
+from lib.py import ksft_run, ksft_exit, ksft_eq, ksft_raises
+from lib.py import CmdExitFailure, KsftSkipEx
+from lib.py import NetDrvEpEnv
+from lib.py import cmd, ip, defer, ethtool
+
+# Unique prefix per run to avoid collisions in the shared netns.
+# Keep it short: IFNAMSIZ is 16 (incl. NUL), and VLAN names append ".<vid>".
+MACSEC_PFX = f"ms{os.getpid()}_"
+
+
+def _macsec_name(idx=0):
+ return f"{MACSEC_PFX}{idx}"
+
+
+def _get_macsec_offload(dev):
+ """Returns macsec offload mode string from ip -d link show."""
+ info = ip(f"-d link show dev {dev}", json=True)[0]
+ return info.get("linkinfo", {}).get("info_data", {}).get("offload")
+
+
+def _require_ip_macsec_offload():
+ """SKIP if local iproute2 doesn't understand 'ip macsec offload'."""
+ out = cmd("ip macsec help", fail=False)
+ if "offload" not in out.stdout + out.stderr:
+ raise KsftSkipEx("iproute2 too old, missing macsec offload")
+
+
+def _require_macsec_offload(cfg):
+ """SKIP if local device doesn't support macsec-hw-offload."""
+ _require_ip_macsec_offload()
+ try:
+ feat = ethtool(f"-k {cfg.ifname}", json=True)[0]
+ except (CmdExitFailure, IndexError) as e:
+ raise KsftSkipEx(
+ f"can't query features: {e}") from e
+ if not feat.get("macsec-hw-offload", {}).get("active"):
+ raise KsftSkipEx("macsec-hw-offload not supported")
+
+
+def test_offload_api(cfg) -> None:
+ """MACsec offload API: create SecY, add SA/rx, toggle offload."""
+
+ _require_macsec_offload(cfg)
+ ms0 = _macsec_name(0)
+ ms1 = _macsec_name(1)
+ ms2 = _macsec_name(2)
+
+ # Create 3 SecY with offload
+ ip(f"link add link {cfg.ifname} {ms0} type macsec "
+ f"port 4 encrypt on offload mac")
+ defer(ip, f"link del {ms0}")
+
+ ip(f"link add link {cfg.ifname} {ms1} type macsec "
+ f"address aa:bb:cc:dd:ee:ff port 5 encrypt on offload mac")
+ defer(ip, f"link del {ms1}")
+
+ ip(f"link add link {cfg.ifname} {ms2} type macsec "
+ f"sci abbacdde01020304 encrypt on offload mac")
+ defer(ip, f"link del {ms2}")
+
+ # Add TX SA
+ ip(f"macsec add {ms0} tx sa 0 pn 1024 on "
+ "key 01 12345678901234567890123456789012")
+
+ # Add RX SC + SA
+ ip(f"macsec add {ms0} rx port 1234 address 1c:ed:de:ad:be:ef")
+ ip(f"macsec add {ms0} rx port 1234 address 1c:ed:de:ad:be:ef "
+ "sa 0 pn 1 on key 00 0123456789abcdef0123456789abcdef")
+
+ # Can't disable offload when SAs are configured
+ with ksft_raises(CmdExitFailure):
+ ip(f"link set {ms0} type macsec offload off")
+ with ksft_raises(CmdExitFailure):
+ ip(f"macsec offload {ms0} off")
+
+ # Toggle offload via rtnetlink on SA-free device
+ ip(f"link set {ms2} type macsec offload off")
+ ip(f"link set {ms2} type macsec encrypt on offload mac")
+
+ # Toggle offload via genetlink
+ ip(f"macsec offload {ms2} off")
+ ip(f"macsec offload {ms2} mac")
+
+
+def test_max_secy(cfg) -> None:
+ """nsim-only test for max number of SecYs."""
+
+ cfg.require_nsim()
+ _require_ip_macsec_offload()
+ ms0 = _macsec_name(0)
+ ms1 = _macsec_name(1)
+ ms2 = _macsec_name(2)
+ ms3 = _macsec_name(3)
+
+ ip(f"link add link {cfg.ifname} {ms0} type macsec "
+ f"port 4 encrypt on offload mac")
+ defer(ip, f"link del {ms0}")
+
+ ip(f"link add link {cfg.ifname} {ms1} type macsec "
+ f"address aa:bb:cc:dd:ee:ff port 5 encrypt on offload mac")
+ defer(ip, f"link del {ms1}")
+
+ ip(f"link add link {cfg.ifname} {ms2} type macsec "
+ f"sci abbacdde01020304 encrypt on offload mac")
+ defer(ip, f"link del {ms2}")
+ with ksft_raises(CmdExitFailure):
+ ip(f"link add link {cfg.ifname} {ms3} "
+ f"type macsec port 8 encrypt on offload mac")
+
+
+def test_max_sc(cfg) -> None:
+ """nsim-only test for max number of SCs."""
+
+ cfg.require_nsim()
+ _require_ip_macsec_offload()
+ ms0 = _macsec_name(0)
+
+ ip(f"link add link {cfg.ifname} {ms0} type macsec "
+ f"port 4 encrypt on offload mac")
+ defer(ip, f"link del {ms0}")
+ ip(f"macsec add {ms0} rx port 1234 address 1c:ed:de:ad:be:ef")
+ with ksft_raises(CmdExitFailure):
+ ip(f"macsec add {ms0} rx port 1235 address 1c:ed:de:ad:be:ef")
+
+
+def test_offload_state(cfg) -> None:
+ """Offload state reflects configuration changes."""
+
+ _require_macsec_offload(cfg)
+ ms0 = _macsec_name(0)
+
+ # Create with offload on
+ ip(f"link add link {cfg.ifname} {ms0} type macsec "
+ f"encrypt on offload mac")
+ cleanup = defer(ip, f"link del {ms0}")
+
+ ksft_eq(_get_macsec_offload(ms0), "mac",
+ "created with offload: should be mac")
+
+ ip(f"link set {ms0} type macsec offload off")
+ ksft_eq(_get_macsec_offload(ms0), "off",
+ "offload disabled: should be off")
+
+ ip(f"link set {ms0} type macsec encrypt on offload mac")
+ ksft_eq(_get_macsec_offload(ms0), "mac",
+ "offload re-enabled: should be mac")
+
+ # Delete and recreate without offload
+ cleanup.exec()
+ ip(f"link add link {cfg.ifname} {ms0} type macsec")
+ defer(ip, f"link del {ms0}")
+ ksft_eq(_get_macsec_offload(ms0), "off",
+ "created without offload: should be off")
+
+ ip(f"link set {ms0} type macsec encrypt on offload mac")
+ ksft_eq(_get_macsec_offload(ms0), "mac",
+ "offload enabled after create: should be mac")
+
+
+def main() -> None:
+ """Main program."""
+ with NetDrvEpEnv(__file__) as cfg:
+ ksft_run([test_offload_api,
+ test_max_secy,
+ test_max_sc,
+ test_offload_state,
+ ], args=(cfg,))
+ ksft_exit()
+
+
+if __name__ == "__main__":
+ main()
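Review bot: test_offload_state() only asserts the offload attribute reported by "ip -d link show", while the removed macsec-offload.sh compared "ethtool -k" snapshots of the macsec device across each offload toggle (TMP_FEATS_ON_1 against TMP_FEATS_ON_2 and TMP_FEATS_ON_3, TMP_FEATS_OFF_1 against TMP_FEATS_OFF_2). The commit message says the ethtool feature tests are moved, so either port that comparison with ethtool(f"-k {ms0}", json=True) or say in the commit message that it is dropped on purpose.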
diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile
index 1a228c5430f5..9808c2fbae9e 100644
--- a/tools/testing/selftests/drivers/net/netdevsim/Makefile
+++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile
@@ -11,7 +11,6 @@ TEST_PROGS := \
fib.sh \
fib_notifications.sh \
hw_stats_l3.sh \
- macsec-offload.sh \
nexthop.sh \
peer.sh \
psample.sh \
diff --git a/tools/testing/selftests/drivers/net/netdevsim/macsec-offload.sh b/tools/testing/selftests/drivers/net/netdevsim/macsec-offload.sh
deleted file mode 100755
index 98033e6667d2..000000000000
--- a/tools/testing/selftests/drivers/net/netdevsim/macsec-offload.sh
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0-only
-
-source ethtool-common.sh
-
-NSIM_NETDEV=$(make_netdev)
-MACSEC_NETDEV=macsec_nsim
-
-set -o pipefail
-
-if ! ethtool -k $NSIM_NETDEV | grep -q 'macsec-hw-offload: on'; then
- echo "SKIP: netdevsim doesn't support MACsec offload"
- exit 4
-fi
-
-if ! ip link add link $NSIM_NETDEV $MACSEC_NETDEV type macsec offload mac 2>/dev/null; then
- echo "SKIP: couldn't create macsec device"
- exit 4
-fi
-ip link del $MACSEC_NETDEV
-
-#
-# test macsec offload API
-#
-
-ip link add link $NSIM_NETDEV "${MACSEC_NETDEV}" type macsec port 4 offload mac
-check $?
-
-ip link add link $NSIM_NETDEV "${MACSEC_NETDEV}2" type macsec address "aa:bb:cc:dd:ee:ff" port 5 offload mac
-check $?
-
-ip link add link $NSIM_NETDEV "${MACSEC_NETDEV}3" type macsec sci abbacdde01020304 offload mac
-check $?
-
-ip link add link $NSIM_NETDEV "${MACSEC_NETDEV}4" type macsec port 8 offload mac 2> /dev/null
-check $? '' '' 1
-
-ip macsec add "${MACSEC_NETDEV}" tx sa 0 pn 1024 on key 01 12345678901234567890123456789012
-check $?
-
-ip macsec add "${MACSEC_NETDEV}" rx port 1234 address "1c:ed:de:ad:be:ef"
-check $?
-
-ip macsec add "${MACSEC_NETDEV}" rx port 1234 address "1c:ed:de:ad:be:ef" sa 0 pn 1 on \
- key 00 0123456789abcdef0123456789abcdef
-check $?
-
-ip macsec add "${MACSEC_NETDEV}" rx port 1235 address "1c:ed:de:ad:be:ef" 2> /dev/null
-check $? '' '' 1
-
-# can't disable macsec offload when SAs are configured
-ip link set "${MACSEC_NETDEV}" type macsec offload off 2> /dev/null
-check $? '' '' 1
-
-ip macsec offload "${MACSEC_NETDEV}" off 2> /dev/null
-check $? '' '' 1
-
-# toggle macsec offload via rtnetlink
-ip link set "${MACSEC_NETDEV}2" type macsec offload off
-check $?
-
-ip link set "${MACSEC_NETDEV}2" type macsec offload mac
-check $?
-
-# toggle macsec offload via genetlink
-ip macsec offload "${MACSEC_NETDEV}2" off
-check $?
-
-ip macsec offload "${MACSEC_NETDEV}2" mac
-check $?
-
-for dev in ${MACSEC_NETDEV}{,2,3} ; do
- ip link del $dev
- check $?
-done
-
-
-#
-# test ethtool features when toggling offload
-#
-
-ip link add link $NSIM_NETDEV $MACSEC_NETDEV type macsec offload mac
-TMP_FEATS_ON_1="$(ethtool -k $MACSEC_NETDEV)"
-
-ip link set $MACSEC_NETDEV type macsec offload off
-TMP_FEATS_OFF_1="$(ethtool -k $MACSEC_NETDEV)"
-
-ip link set $MACSEC_NETDEV type macsec offload mac
-TMP_FEATS_ON_2="$(ethtool -k $MACSEC_NETDEV)"
-
-[ "$TMP_FEATS_ON_1" = "$TMP_FEATS_ON_2" ]
-check $?
-
-ip link del $MACSEC_NETDEV
-
-ip link add link $NSIM_NETDEV $MACSEC_NETDEV type macsec
-check $?
-
-TMP_FEATS_OFF_2="$(ethtool -k $MACSEC_NETDEV)"
-[ "$TMP_FEATS_OFF_1" = "$TMP_FEATS_OFF_2" ]
-check $?
-
-ip link set $MACSEC_NETDEV type macsec offload mac
-check $?
-
-TMP_FEATS_ON_3="$(ethtool -k $MACSEC_NETDEV)"
-[ "$TMP_FEATS_ON_1" = "$TMP_FEATS_ON_3" ]
-check $?
-
-
-if [ $num_errors -eq 0 ]; then
- echo "PASSED all $((num_passes)) checks"
- exit 0
-else
- echo "FAILED $num_errors/$((num_errors+num_passes)) checks"
- exit 1
-fi
--
2.53.0
* [PATCH net v5 2/3] selftests: Add MACsec VLAN propagation traffic test
From: Cosmin Ratiu @ 2026-03-23 12:36 UTC (permalink / raw)
To: netdev
Cc: Sabrina Dubroca, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Shuah Khan, linux-kselftest,
Cosmin Ratiu, Dragos Tatulea
Add macsec_traffic.py using NetDrvEpEnv to verify VLAN filter
propagation through offloaded macsec devices via actual traffic.
Test creates macsec tunnels with matching SAs on both endpoints,
stacks VLANs on top, and verifies connectivity with ping. Covers:
- Offloaded macsec with VLAN (filters propagate to HW)
- Software macsec with VLAN (no HW filter propagation)
- Toggle offload on/off and verify traffic still works
On netdevsim this is a smoke test (stub offload, no real encryption).
On real hardware this validates actual VLAN filter propagation.
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
---
tools/testing/selftests/drivers/net/macsec.py | 126 ++++++++++++++++++
1 file changed, 126 insertions(+)
diff --git a/tools/testing/selftests/drivers/net/macsec.py b/tools/testing/selftests/drivers/net/macsec.py
index a17b9f7ef584..68915caca7fd 100755
--- a/tools/testing/selftests/drivers/net/macsec.py
+++ b/tools/testing/selftests/drivers/net/macsec.py
@@ -6,10 +6,14 @@
import os
from lib.py import ksft_run, ksft_exit, ksft_eq, ksft_raises
+from lib.py import ksft_variants, KsftNamedVariant
from lib.py import CmdExitFailure, KsftSkipEx
from lib.py import NetDrvEpEnv
from lib.py import cmd, ip, defer, ethtool
+MACSEC_KEY = "12345678901234567890123456789012"
+MACSEC_VLAN_VID = 10
+
# Unique prefix per run to avoid collisions in the shared netns.
# Keep it short: IFNAMSIZ is 16 (incl. NUL), and VLAN names append ".<vid>".
MACSEC_PFX = f"ms{os.getpid()}_"
@@ -25,6 +29,16 @@ def _get_macsec_offload(dev):
return info.get("linkinfo", {}).get("info_data", {}).get("offload")
+def _require_ip_macsec(cfg):
+ """SKIP if iproute2 on local or remote lacks 'ip macsec' support."""
+ for host in [None, cfg.remote]:
+ out = cmd("ip macsec help", fail=False, host=host)
+ if "macsec" not in out.stdout + out.stderr:
+ where = "remote" if host else "local"
+ raise KsftSkipEx(f"iproute2 too old on {where},"
+ " missing macsec support")
+
+
def _require_ip_macsec_offload():
"""SKIP if local iproute2 doesn't understand 'ip macsec offload'."""
out = cmd("ip macsec help", fail=False)
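Review bot: in _require_ip_macsec(), the condition '"macsec" not in out.stdout + out.stderr' looks for the same word that was typed on the command line, so an iproute2 build without macsec support that echoes the unknown object name in its error message would still pass the check, and the test would fail later instead of skipping. Match a token that only the macsec usage text prints, as the neighbouring _require_ip_macsec_offload() does with "offload", so the SKIP is reliable on both the local and the remote host.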
@@ -44,6 +58,78 @@ def _require_macsec_offload(cfg):
raise KsftSkipEx("macsec-hw-offload not supported")
+def _get_mac(ifname, host=None):
+ """Gets MAC address of an interface."""
+ dev = ip(f"-d link show dev {ifname}", json=True, host=host)
+ return dev[0]["address"]
+
+
+def _setup_macsec_sa(cfg, name):
+ """Adds matching TX/RX SAs on both ends."""
+ local_mac = _get_mac(name)
+ remote_mac = _get_mac(name, host=cfg.remote)
+
+ ip(f"macsec add {name} tx sa 0 pn 1 on key 01 {MACSEC_KEY}")
+ ip(f"macsec add {name} rx port 1 address {remote_mac}")
+ ip(f"macsec add {name} rx port 1 address {remote_mac} "
+ f"sa 0 pn 1 on key 02 {MACSEC_KEY}")
+
+ ip(f"macsec add {name} tx sa 0 pn 1 on key 02 {MACSEC_KEY}",
+ host=cfg.remote)
+ ip(f"macsec add {name} rx port 1 address {local_mac}", host=cfg.remote)
+ ip(f"macsec add {name} rx port 1 address {local_mac} "
+ f"sa 0 pn 1 on key 01 {MACSEC_KEY}", host=cfg.remote)
+
+
+def _setup_macsec_devs(cfg, name, offload):
+ """Creates macsec devices on both ends.
+
+ Only the local device gets HW offload; the remote always uses software
+ MACsec since it may not support offload at all.
+ """
+ offload_arg = "mac" if offload else "off"
+
+ ip(f"link add link {cfg.ifname} {name} "
+ f"type macsec encrypt on offload {offload_arg}")
+ defer(ip, f"link del {name}")
+ ip(f"link add link {cfg.remote_ifname} {name} "
+ f"type macsec encrypt on", host=cfg.remote)
+ defer(ip, f"link del {name}", host=cfg.remote)
+
+
+def _set_offload(name, offload):
+ """Sets offload on the local macsec device only."""
+ offload_arg = "mac" if offload else "off"
+
+ ip(f"link set {name} type macsec encrypt on offload {offload_arg}")
+
+
+def _setup_vlans(cfg, name, vid):
+ """Adds VLANs on top of existing macsec devs."""
+ vlan_name = f"{name}.{vid}"
+
+ ip(f"link add link {name} {vlan_name} type vlan id {vid}")
+ defer(ip, f"link del {vlan_name}")
+ ip(f"link add link {name} {vlan_name} type vlan id {vid}", host=cfg.remote)
+ defer(ip, f"link del {vlan_name}", host=cfg.remote)
+
+
+def _setup_vlan_ips(cfg, name, vid):
+ """Adds VLANs and IPs and brings up the macsec + VLAN devices."""
+ local_ip = "198.51.100.1"
+ remote_ip = "198.51.100.2"
+ vlan_name = f"{name}.{vid}"
+
+ ip(f"addr add {local_ip}/24 dev {vlan_name}")
+ ip(f"addr add {remote_ip}/24 dev {vlan_name}", host=cfg.remote)
+ ip(f"link set {name} up")
+ ip(f"link set {name} up", host=cfg.remote)
+ ip(f"link set {vlan_name} up")
+ ip(f"link set {vlan_name} up", host=cfg.remote)
+
+ return vlan_name, remote_ip
+
+
def test_offload_api(cfg) -> None:
"""MACsec offload API: create SecY, add SA/rx, toggle offload."""
@@ -164,6 +250,44 @@ def test_offload_state(cfg) -> None:
"offload enabled after create: should be mac")
+@ksft_variants([
+ KsftNamedVariant("offloaded", True),
+ KsftNamedVariant("software", False),
+])
+def test_vlan(cfg, offload) -> None:
+ """Ping through VLAN-over-macsec."""
+
+ _require_ip_macsec(cfg)
+ if offload:
+ _require_macsec_offload(cfg)
+ else:
+ _require_ip_macsec_offload()
+ name = _macsec_name()
+ _setup_macsec_devs(cfg, name, offload=offload)
+ _setup_macsec_sa(cfg, name)
+ _setup_vlans(cfg, name, MACSEC_VLAN_VID)
+ vlan_name, remote_ip = _setup_vlan_ips(cfg, name, MACSEC_VLAN_VID)
+ cmd(f"ping -I {vlan_name} -c 1 -W 5 {remote_ip}")
+
+
+@ksft_variants([
+ KsftNamedVariant("on_to_off", True),
+ KsftNamedVariant("off_to_on", False),
+])
+def test_vlan_toggle(cfg, offload) -> None:
+ """Toggle offload: VLAN filters propagate/remove correctly."""
+
+ _require_ip_macsec(cfg)
+ _require_macsec_offload(cfg)
+ name = _macsec_name()
+ _setup_macsec_devs(cfg, name, offload=offload)
+ _setup_vlans(cfg, name, MACSEC_VLAN_VID)
+ _set_offload(name, offload=not offload)
+ vlan_name, remote_ip = _setup_vlan_ips(cfg, name, MACSEC_VLAN_VID)
+ _setup_macsec_sa(cfg, name)
+ cmd(f"ping -I {vlan_name} -c 1 -W 5 {remote_ip}")
+
+
def main() -> None:
"""Main program."""
with NetDrvEpEnv(__file__) as cfg:
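Review bot: test_vlan_toggle() is documented as checking that VLAN filters "propagate/remove correctly", but its only assertion is one ping after the toggle. In the on_to_off variant that ping succeeds whether or not the filter was removed from the lower device, so a leaked filter goes unnoticed. Either narrow the docstring to what is actually verified (traffic still passes after a toggle) or add a check that fails when a stale filter is left behind.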
@@ -171,6 +295,8 @@ def main() -> None:
test_max_secy,
test_max_sc,
test_offload_state,
+ test_vlan,
+ test_vlan_toggle,
], args=(cfg,))
ksft_exit()
--
2.53.0
* [PATCH net v5 3/3] macsec: Support VLAN-filtering lower devices
From: Cosmin Ratiu @ 2026-03-23 12:36 UTC (permalink / raw)
To: netdev
Cc: Sabrina Dubroca, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Shuah Khan, linux-kselftest,
Cosmin Ratiu, Dragos Tatulea
VLAN-filtering is done through two netdev features
(NETIF_F_HW_VLAN_CTAG_FILTER and NETIF_F_HW_VLAN_STAG_FILTER) and two
netdev ops (ndo_vlan_rx_add_vid and ndo_vlan_rx_kill_vid).
Implement these and advertise the features if the lower device supports
them. This allows proper VLAN filtering to work on top of macsec
devices, when the lower device is capable of VLAN filtering.
As a concrete example, having this chain of interfaces now works:
vlan_filtering_capable_dev(1) -> macsec_dev(2) -> macsec_vlan_dev(3)
Before the mentioned commit this used to accidentally work because the
macsec device (and thus the lower device) was put in promiscuous mode
and the VLAN filter was not used. But after commit [1] correctly made
the macsec driver expose the IFF_UNICAST_FLT flag, promiscuous mode was
no longer used and VLAN filters on dev 1 kicked in. Without support in
dev 2 for propagating VLAN filters down, the register_vlan_dev ->
vlan_vid_add -> __vlan_vid_add -> vlan_add_rx_filter_info call from dev
3 is silently eaten (because vlan_hw_filter_capable returns false and
vlan_add_rx_filter_info silently succeeds).
For macsec, VLAN filters are only relevant for offload, otherwise
the VLANs are encrypted and the lower devices don't care about them. So
VLAN filters are only passed on to lower devices in offload mode.
Flipping between offload modes now needs to offload/unoffload the
filters with vlan_{get,drop}_rx_*_filter_info().
To avoid the back-and-forth filter updating during rollback, the setting
of macsec->offload is moved after the add/del secy ops. This is safe
since none of the code called from those requires macsec->offload.
Fixes: 0349659fd72f ("macsec: set IFF_UNICAST_FLT priv flag")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
---
drivers/net/macsec.c | 44 +++++++++++++++++++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 5 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index f6cad0746a02..3bdb6f3fae8e 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -2616,14 +2616,22 @@ static int macsec_update_offload(struct net_device *dev, enum macsec_offload off
if (!ops)
return -EOPNOTSUPP;
- macsec->offload = offload;
-
ctx.secy = &macsec->secy;
ret = offload == MACSEC_OFFLOAD_OFF ? macsec_offload(ops->mdo_del_secy, &ctx)
: macsec_offload(ops->mdo_add_secy, &ctx);
- if (ret) {
- macsec->offload = prev_offload;
+ if (ret)
return ret;
+
+ /* Remove VLAN filters when disabling offload. */
+ if (offload == MACSEC_OFFLOAD_OFF) {
+ vlan_drop_rx_ctag_filter_info(dev);
+ vlan_drop_rx_stag_filter_info(dev);
+ }
+ macsec->offload = offload;
+ /* Add VLAN filters when enabling offload. */
+ if (prev_offload == MACSEC_OFFLOAD_OFF) {
+ vlan_get_rx_ctag_filter_info(dev);
+ vlan_get_rx_stag_filter_info(dev);
}
macsec_set_head_tail_room(dev);
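Review bot: the return values of vlan_get_rx_ctag_filter_info() and vlan_get_rx_stag_filter_info() are discarded in the "Add VLAN filters when enabling offload" block, so if the lower device rejects a filter the function carries on with macsec->offload already set to the new mode. Check both results and unwind on failure (drop the filters already added, restore prev_offload and undo the mdo_add_secy call), or add a comment explaining why a failure here can be ignored.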
@@ -3486,7 +3494,8 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
}
#define MACSEC_FEATURES \
- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
+ (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_HW_VLAN_STAG_FILTER | NETIF_F_HW_VLAN_CTAG_FILTER)
#define MACSEC_OFFLOAD_FEATURES \
(MACSEC_FEATURES | NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES | \
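Review bot: NETIF_F_HW_VLAN_STAG_FILTER and NETIF_F_HW_VLAN_CTAG_FILTER are added to MACSEC_FEATURES, which MACSEC_OFFLOAD_FEATURES also includes, so the flags sit in the mask for software and offloaded devices alike, while the commit message says they are advertised only if the lower device supports them and that filters matter only in offload mode. A short comment above the macro saying where the flags are masked against the lower device's features, and that the new ndo callbacks return 0 without offload, would make that visible from the code.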
@@ -3707,6 +3716,29 @@ static int macsec_set_mac_address(struct net_device *dev, void *p)
return err;
}
+static int macsec_vlan_rx_add_vid(struct net_device *dev,
+ __be16 proto, u16 vid)
+{
+ struct macsec_dev *macsec = netdev_priv(dev);
+
+ if (!macsec_is_offloaded(macsec))
+ return 0;
+
+ return vlan_vid_add(macsec->real_dev, proto, vid);
+}
+
+static int macsec_vlan_rx_kill_vid(struct net_device *dev,
+ __be16 proto, u16 vid)
+{
+ struct macsec_dev *macsec = netdev_priv(dev);
+
+ if (!macsec_is_offloaded(macsec))
+ return 0;
+
+ vlan_vid_del(macsec->real_dev, proto, vid);
+ return 0;
+}
+
static int macsec_change_mtu(struct net_device *dev, int new_mtu)
{
struct macsec_dev *macsec = macsec_priv(dev);
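Review bot: macsec_vlan_rx_add_vid() and macsec_vlan_rx_kill_vid() fetch the private data with netdev_priv(dev), while macsec_change_mtu() directly below uses macsec_priv(dev). Use macsec_priv() in the two new callbacks so the file stays consistent.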
@@ -3748,6 +3780,8 @@ static const struct net_device_ops macsec_netdev_ops = {
.ndo_set_rx_mode = macsec_dev_set_rx_mode,
.ndo_change_rx_flags = macsec_dev_change_rx_flags,
.ndo_set_mac_address = macsec_set_mac_address,
+ .ndo_vlan_rx_add_vid = macsec_vlan_rx_add_vid,
+ .ndo_vlan_rx_kill_vid = macsec_vlan_rx_kill_vid,
.ndo_start_xmit = macsec_start_xmit,
.ndo_get_stats64 = macsec_get_stats64,
.ndo_get_iflink = macsec_get_iflink,
--
2.53.0
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
From: Sabrina Dubroca @ 2026-03-23 14:28 UTC (permalink / raw)
To: Cosmin Ratiu
Cc: netdev, Andrew Lunn, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Shuah Khan, linux-kselftest,
Dragos Tatulea
2026-03-23, 14:36:30 +0200, Cosmin Ratiu wrote:
> V4:
> - Migrated nsim-only macsec tests to Python, usable against real hw.
> - Ran these tests against both nsim and mlx5.
> - Gave up on nsim patches since the tests no longer use them.
Why not? Being able to test without accessing real HW is still useful.
--
Sabrina
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
From: Cosmin Ratiu @ 2026-03-23 14:42 UTC (permalink / raw)
To: sd@queasysnail.net
Cc: andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
pabeni@redhat.com, kuba@kernel.org, edumazet@google.com,
netdev@vger.kernel.org
On Mon, 2026-03-23 at 15:28 +0100, Sabrina Dubroca wrote:
> 2026-03-23, 14:36:30 +0200, Cosmin Ratiu wrote:
> > V4:
> > - Migrated nsim-only macsec tests to Python, usable against real
> > hw.
> > - Ran these tests against both nsim and mlx5.
> > - Gave up on nsim patches since the tests no longer use them.
>
> Why not? Being able to test without accessing real HW is still
> useful.
>
The tests now send macsec traffic over VLANs and nsim, it's just that
nsim doesn't deal with VLAN filters at all and there are no stubbed
vlan filters in debugfs, since real hw doesn't have that interface.
Cosmin.
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
From: Sabrina Dubroca @ 2026-03-23 15:02 UTC (permalink / raw)
To: Cosmin Ratiu
Cc: andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
pabeni@redhat.com, kuba@kernel.org, edumazet@google.com,
netdev@vger.kernel.org
2026-03-23, 14:42:00 +0000, Cosmin Ratiu wrote:
> On Mon, 2026-03-23 at 15:28 +0100, Sabrina Dubroca wrote:
> > 2026-03-23, 14:36:30 +0200, Cosmin Ratiu wrote:
> > > V4:
> > > - Migrated nsim-only macsec tests to Python, usable against real
> > > hw.
> > > - Ran these tests against both nsim and mlx5.
> > > - Gave up on nsim patches since the tests no longer use them.
> >
> > Why not? Being able to test without accessing real HW is still
> > useful.
> >
> The tests now send macsec traffic over VLANs and nsim, it's just that
> nsim doesn't deal with VLAN filters at all and there are no stubbed
> vlan filters in debugfs, since real hw doesn't have that interface.
Since netdevsim doesn't deal with VLAN filters at all, the "tests
should be written so that they can run both against ``netdevsim`` and
a real device" bit of the docs doesn't fully apply here?
Anyway, I think the original tests had value, even if they're more
limited in some ways than traffic tests. HW/driver behavior could be
hiding problems in the stack with VLAN propagation, those simpler
tests don't have that risk.
--
Sabrina
* Re: [PATCH net v5 2/3] selftests: Add MACsec VLAN propagation traffic test
From: Jakub Kicinski @ 2026-03-23 16:26 UTC (permalink / raw)
To: Cosmin Ratiu
Cc: netdev, Sabrina Dubroca, Andrew Lunn, David S . Miller,
Eric Dumazet, Paolo Abeni, Shuah Khan, linux-kselftest,
Dragos Tatulea
On Mon, 23 Mar 2026 14:36:32 +0200 Cosmin Ratiu wrote:
> Add macsec_traffic.py using NetDrvEpEnv to verify VLAN filter
> propagation through offloaded macsec devices via actual traffic.
>
> Test creates macsec tunnels with matching SAs on both endpoints,
> stacks VLANs on top, and verifies connectivity with ping. Covers:
> - Offloaded macsec with VLAN (filters propagate to HW)
> - Software macsec with VLAN (no HW filter propagation)
> - Toggle offload on/off and verify traffic still works
>
> On netdevsim this is a smoke test (stub offload, no real encryption).
> On real hardware this validates actual VLAN filter propagation.
CONFIG_VLAN_8021Q (and possibly other things) are missing from
tools/testing/selftests/drivers/net/config
--
pw-bot: cr
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
2026-03-23 15:02 ` Sabrina Dubroca
@ 2026-03-23 16:32 ` Jakub Kicinski
2026-03-23 17:17 ` Sabrina Dubroca
0 siblings, 1 reply; 13+ messages in thread
From: Jakub Kicinski @ 2026-03-23 16:32 UTC (permalink / raw)
To: Sabrina Dubroca
Cc: Cosmin Ratiu, andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
pabeni@redhat.com, edumazet@google.com, netdev@vger.kernel.org
On Mon, 23 Mar 2026 16:02:59 +0100 Sabrina Dubroca wrote:
> 2026-03-23, 14:42:00 +0000, Cosmin Ratiu wrote:
> > On Mon, 2026-03-23 at 15:28 +0100, Sabrina Dubroca wrote:
> > > Why not? Being able to test without accessing real HW is still
> > > useful.
> > >
> > The tests now send macsec traffic over VLANs and nsim, it's just that
> > nsim doesn't deal with VLAN filters at all and there are no stubbed
> > vlan filters in debugfs, since real hw doesn't have that interface.
>
> Since netdevsim doesn't deal with VLAN filters at all, the "tests
> should be written so that they can run both against ``netdevsim`` and
> a real device" bit of the docs doesn't fully apply here?
>
> Anyway, I think the original tests had value, even if they're more
> limited in some ways than traffic tests. HW/driver behavior could be
> hiding problems in the stack with VLAN propagation, those simpler
> tests don't have that risk.
To be clear running the HW test without NETIF= should provide
similar functionality to what the old tests could do. It's entirely
okay to add netdevsim-specific subtests/test cases or asserts.

Is there anything specific that you'd like to be tested?

Let's not make this about HW tests vs nsim-only tests.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
2026-03-23 16:32 ` Jakub Kicinski
@ 2026-03-23 17:17 ` Sabrina Dubroca
2026-03-24 14:27 ` Cosmin Ratiu
0 siblings, 1 reply; 13+ messages in thread
From: Sabrina Dubroca @ 2026-03-23 17:17 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Cosmin Ratiu, andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
pabeni@redhat.com, edumazet@google.com, netdev@vger.kernel.org
2026-03-23, 09:32:43 -0700, Jakub Kicinski wrote:
> On Mon, 23 Mar 2026 16:02:59 +0100 Sabrina Dubroca wrote:
> > 2026-03-23, 14:42:00 +0000, Cosmin Ratiu wrote:
> > > On Mon, 2026-03-23 at 15:28 +0100, Sabrina Dubroca wrote:
> > > > Why not? Being able to test without accessing real HW is still
> > > > useful.
> > > >
> > > The tests now send macsec traffic over VLANs and nsim, it's just that
> > > nsim doesn't deal with VLAN filters at all and there are no stubbed
> > > vlan filters in debugfs, since real hw doesn't have that interface.
> >
> > Since netdevsim doesn't deal with VLAN filters at all, the "tests
> > should be written so that they can run both against ``netdevsim`` and
> > a real device" bit of the docs doesn't fully apply here?
> >
> > Anyway, I think the original tests had value, even if they're more
> > limited in some ways than traffic tests. HW/driver behavior could be
> > hiding problems in the stack with VLAN propagation, those simpler
> > tests don't have that risk.
>
> To be clear running the HW test without NETIF= should provide
> similar functionality to what the old tests could do. It's entirely
> okay to add netdevsim-specific subtests/test cases or asserts.
>
> Is there anything specific that you'd like to be tested?
In v2/v3, nsim was exposing a debugfs file that contained the list of
VLAN filters on that interface, and the selftest was grepping through
that file to check if the correct entry was added/removed after each
operation. I see that as testing the actual propagation of filters,
while the traffic tests check the visible behavior of stack+driver+HW,
which may not be correlated to actual propagation.
> Let's not make this about HW tests vs nsim-only tests.
That was not my intention. But since nsim doesn't currently implement
VLAN filters, it seems running the HW test on nsim doesn't test
anything at all.
--
Sabrina
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
2026-03-23 17:17 ` Sabrina Dubroca
@ 2026-03-24 14:27 ` Cosmin Ratiu
2026-03-24 15:18 ` Sabrina Dubroca
0 siblings, 1 reply; 13+ messages in thread
From: Cosmin Ratiu @ 2026-03-24 14:27 UTC (permalink / raw)
To: kuba@kernel.org, sd@queasysnail.net
Cc: andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com
On Mon, 2026-03-23 at 18:17 +0100, Sabrina Dubroca wrote:
> 2026-03-23, 09:32:43 -0700, Jakub Kicinski wrote:
> > On Mon, 23 Mar 2026 16:02:59 +0100 Sabrina Dubroca wrote:
> > > 2026-03-23, 14:42:00 +0000, Cosmin Ratiu wrote:
> > > > On Mon, 2026-03-23 at 15:28 +0100, Sabrina Dubroca wrote:
> > > > > Why not? Being able to test without accessing real HW is
> > > > > still
> > > > > useful.
> > > > >
> > > > The tests now send macsec traffic over VLANs and nsim, it's
> > > > just that
> > > > nsim doesn't deal with VLAN filters at all and there are no
> > > > stubbed
> > > > vlan filters in debugfs, since real hw doesn't have that
> > > > interface.
> > >
> > > Since netdevsim doesn't deal with VLAN filters at all, the "tests
> > > should be written so that they can run both against ``netdevsim``
> > > and
> > > a real device" bit of the docs doesn't fully apply here?
> > >
> > > Anyway, I think the original tests had value, even if they're
> > > more
> > > limited in some ways than traffic tests. HW/driver behavior could
> > > be
> > > hiding problems in the stack with VLAN propagation, those simpler
> > > tests don't have that risk.
> >
> > To be clear running the HW test without NETIF= should provide
> > similar functionality to what the old tests could do. It's entirely
> > okay to add netdevsim-specific subtests/test cases or asserts.
> >
> > Is there anything specific that you'd like to be tested?
>
> In v2/v3, nsim was exposing a debugfs file that contained the list of
> VLAN filters on that interface, and the selftest was grepping through
> that file to check if the correct entry was added/removed after each
> operation. I see that as testing the actual propagation of filters,
> while the traffic tests check the visible behavior of
> stack+driver+HW,
> which may not be correlated to actual propagation.
>
> > Let's not make this about HW tests vs nsim-only tests.
>
> That was not my intention. But since nsim doesn't currently implement
> VLAN filters, it seems running the HW test on nsim doesn't test
> anything at all.
>
The problem with using the nsim-only VLAN filter debugfs is that it's a
test-only interface for figuring out a property of the stack. Real HW
doesn't have that interface and thus the tests actually have to
generate traffic to ensure VLANs are propagated.

The new VLAN tests don't actually ensure anything on nsim, given that
it doesn't support VLANs. But on real HW they do - without the last
patch, the new tests fail on any hw supporting VLANs and MACsec.

Adding back the nsim debugfs file and test assertions guarded by "if
cfg._ns" would ensure filter propagation correctness, but would feel
non-Pythonic and a little hacky given that the same assertion can't
work on real HW.

So what would you like to happen? Bring back nsim patches + nsim-
specific test assertions?

Cosmin.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
2026-03-24 14:27 ` Cosmin Ratiu
@ 2026-03-24 15:18 ` Sabrina Dubroca
2026-03-25 3:55 ` Jakub Kicinski
0 siblings, 1 reply; 13+ messages in thread
From: Sabrina Dubroca @ 2026-03-24 15:18 UTC (permalink / raw)
To: Cosmin Ratiu
Cc: kuba@kernel.org, andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com
2026-03-24, 14:27:12 +0000, Cosmin Ratiu wrote:
> On Mon, 2026-03-23 at 18:17 +0100, Sabrina Dubroca wrote:
> > 2026-03-23, 09:32:43 -0700, Jakub Kicinski wrote:
> > > On Mon, 23 Mar 2026 16:02:59 +0100 Sabrina Dubroca wrote:
> > > > 2026-03-23, 14:42:00 +0000, Cosmin Ratiu wrote:
> > > > > On Mon, 2026-03-23 at 15:28 +0100, Sabrina Dubroca wrote:
> > > > > > Why not? Being able to test without accessing real HW is
> > > > > > still
> > > > > > useful.
> > > > > >
> > > > > The tests now send macsec traffic over VLANs and nsim, it's
> > > > > just that
> > > > > nsim doesn't deal with VLAN filters at all and there are no
> > > > > stubbed
> > > > > vlan filters in debugfs, since real hw doesn't have that
> > > > > interface.
> > > >
> > > > Since netdevsim doesn't deal with VLAN filters at all, the "tests
> > > > should be written so that they can run both against ``netdevsim``
> > > > and
> > > > a real device" bit of the docs doesn't fully apply here?
> > > >
> > > > Anyway, I think the original tests had value, even if they're
> > > > more
> > > > limited in some ways than traffic tests. HW/driver behavior could
> > > > be
> > > > hiding problems in the stack with VLAN propagation, those simpler
> > > > tests don't have that risk.
> > >
> > > To be clear running the HW test without NETIF= should provide
> > > similar functionality to what the old tests could do. It's entirely
> > > okay to add netdevsim-specific subtests/test cases or asserts.
> > >
> > > Is there anything specific that you'd like to be tested?
> >
> > In v2/v3, nsim was exposing a debugfs file that contained the list of
> > VLAN filters on that interface, and the selftest was grepping through
> > that file to check if the correct entry was added/removed after each
> > operation. I see that as testing the actual propagation of filters,
> > while the traffic tests check the visible behavior of
> > stack+driver+HW,
> > which may not be correlated to actual propagation.
> >
> > > Let's not make this about HW tests vs nsim-only tests.
> >
> > That was not my intention. But since nsim doesn't currently implement
> > VLAN filters, it seems running the HW test on nsim doesn't test
> > anything at all.
> >
>
> The problem with using the nsim-only VLAN filter debugfs is that it's a
> test-only interface for figuring out a property of the stack.
That's the whole point of netdevsim.
> Real HW
> doesn't have that interface and thus the tests actually have to
> generate traffic to ensure VLANs are propagated.
>
> The new VLAN tests don't actually ensure anything on nsim, given that
> it doesn't support VLANs. But on real HW they do - without the last
> patch, the new tests fail on any hw supporting VLANs and MACsec.
Well, they ensure that something in the stack+driver+HW combination is
doing something that lets traffic go through. It's useful, but we can
learn something extra from netdevsim.
> Adding back the nsim debugfs file and test assertions guarded by "if
> cfg._ns" would ensure filter propagation correctness, but would feel
> non-Pythonic and a little hacky given that the same assertion can't
> work on real HW.
I think that's fine. The tests are anyway python wrappers around
iproute commands, it's neither "Pythonic" nor pretty.
Jakub, any objection?
> So what would you like to happen? Bring back nsim patches + nsim-
> specific test assertions?
Yes, IMO that would be best.
--
Sabrina
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH net v5 0/3] macsec: Add support for VLAN filtering in offload mode
2026-03-24 15:18 ` Sabrina Dubroca
@ 2026-03-25 3:55 ` Jakub Kicinski
0 siblings, 0 replies; 13+ messages in thread
From: Jakub Kicinski @ 2026-03-25 3:55 UTC (permalink / raw)
To: Sabrina Dubroca
Cc: Cosmin Ratiu, andrew+netdev@lunn.ch, davem@davemloft.net,
linux-kselftest@vger.kernel.org, Dragos Tatulea, shuah@kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com
On Tue, 24 Mar 2026 16:18:30 +0100 Sabrina Dubroca wrote:
> > Adding back the nsim debugfs file and test assertions guarded by "if
> > cfg._ns" would ensure filter propagation correctness, but would feel
> > non-Pythonic and a little hacky given that the same assertion can't
> > work on real HW.
>
> I think that's fine. The tests are anyway python wrappers around
> iproute commands, it's neither "Pythonic" nor pretty.
> Jakub, any objection?
No objections, I already added this nasty little piece of code in gro.py

    try:
        # Disable TSO for local tests
        cfg.require_nsim()  # will raise KsftXfailEx if not running on nsim
        _set_ethtool_feat(cfg.remote_ifname, cfg.remote_feat,
                          {"tcp-segmentation-offload": False},
                          host=cfg.remote)
    except KsftXfailEx:
        pass

I agree with Cosmin that the check feels a bit non-Pythonic. Dunno
if the try except ends up being any better tho :S

Let's not use "if cfg._ns" tho, please add a method that will return
true / false (or feel free to come up with a cleaner way if you can
think of it). We definitely don't want to encourage nsim-only checks,
if you add new methods please mention in their documentation that we
strongly prefer if the authors can think of a way to prove correctness
that would also work on real HW.
^ permalink raw reply [flat|nested] 13+ messages in thread
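Added example, not part of the thread or of the kernel selftests: a sketch of the pattern the discussion converges on, where a boolean helper guards an nsim-only check of the VLAN filter list and the check is skipped on real HW. StubEnv, is_nsim(), the "vlan_filters" file name and its "<proto> <vid>" line format are all assumptions made for illustration; only the `_ns` attribute name comes from the thread.

```python
import os
import tempfile


class StubEnv:
    """Stand-in for the selftest env; only the `_ns` name is from the thread."""

    def __init__(self, ns=None, dfs_dir=None):
        self._ns = ns            # netdevsim handle, None on real HW
        self.dfs_dir = dfs_dir   # hypothetical debugfs directory of the port

    def is_nsim(self):
        """Hypothetical helper: True only when running against netdevsim.

        nsim-only checks are a last resort; prefer a way of proving
        correctness that also works on real HW.
        """
        return self._ns is not None


def read_vlan_filters(path):
    """Parse the assumed '<proto> <vid>' line format into a set of tuples."""
    filters = set()
    with open(path, encoding="ascii") as f:
        for line in f:
            fields = line.split()
            if len(fields) == 2 and fields[1].isdigit():
                filters.add((fields[0].lower(), int(fields[1])))
    return filters


def check_vlan_filter(cfg, vid, present, proto="ctag"):
    """None when skipped (real HW), else whether the filter state matches."""
    if not cfg.is_nsim():
        return None  # no such interface on real HW; traffic test covers it
    path = os.path.join(cfg.dfs_dir, "vlan_filters")  # hypothetical file name
    return ((proto, vid) in read_vlan_filters(path)) == present


def demo():
    """Constructed sample: filter file as it would look with VLAN 10 added."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "vlan_filters"), "w", encoding="ascii") as f:
            f.write("ctag 10\n")
        nsim, hw = StubEnv(ns=object(), dfs_dir=d), StubEnv()
        return (check_vlan_filter(nsim, 10, True),    # added and listed
                check_vlan_filter(nsim, 20, True),    # expected but missing
                check_vlan_filter(nsim, 20, False),   # correctly absent
                check_vlan_filter(hw, 10, True))      # skipped on real HW
```
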