Re: [PATCH bpf-next] bpf: Add BPF_FIB_LOOKUP_VLAN flag to bpf_fib_lookup() helper

From: Toke Høiland-Jørgensen

Date: Tue Jun 09 2026 - 16:17:40 EST

Avinash Duduskar <avinash.duduskar@xxxxxxxxx> writes:

> bpf_fib_lookup() returns the FIB-resolved egress ifindex straight
> from the fib result. When the egress is a VLAN device, the returned
> ifindex is the VLAN netdev's, which has no XDP xmit handler; XDP
> programs that want to forward the frame (e.g. xdp-forward) must
> instead target the underlying physical device and push the VLAN tag
> themselves. Today the program has no way to learn either the
> underlying ifindex or the VLAN tag without maintaining its own
> VLAN-to-ifindex map in userspace and refreshing it on netlink
> events.
>
> Add BPF_FIB_LOOKUP_VLAN. When the caller sets this flag and the fib
> result is a VLAN device, populate the existing output fields
> params->h_vlan_proto and params->h_vlan_TCI from the VLAN device,
> and replace params->ifindex with the underlying real device's
> ifindex. params->h_vlan_TCI carries the VID only, with PCP and DEI
> bits zero; a consumer wanting to set egress priority writes PCP
> itself. Only the immediate parent is resolved; stacked VLANs (QinQ)
> are not walked. When the flag is not set, behaviour is unchanged:
> h_vlan_proto and h_vlan_TCI are zeroed and ifindex is left at the
> FIB result.
>
> This lets an XDP redirect target the physical device and learn the
> tag to push in a single lookup, which xdp-forward's optional VLAN
> mode (xdp-project/xdp-tools#504) wants from the kernel side.
>
> The change extends bpf_fib_set_fwd_params() to take the egress dev
> and the lookup flags so the VLAN swap happens in the same place the
> vlan output fields are zeroed by default. Both IPv4 and IPv6
> callers pass through. The helper's input semantics are unchanged.
> Under !CONFIG_VLAN_8021Q, is_vlan_dev() returns false and the new
> block is a no-op.
>
> Suggested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> Signed-off-by: Avinash Duduskar <avinash.duduskar@xxxxxxxxx>

Other than the bots' comment, I think we should make this bidirectional.
I.e., it should also be possible to supply the vlan tag from the packet
when doing the lookup.

This requires a second flag, which has to be exclusive with
BPF_FIB_LOOKUP_TBID, as the tbid field unfortunately overlaps with the
VLAN fields (so they can't be used together as input).

-Toke