Re: [PATCH] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode

From: David Miller
Date: Wed May 02 2018 - 11:08:55 EST


From: Grygorii Strashko <grygorii.strashko@xxxxxx>
Date: Tue, 1 May 2018 12:41:22 -0500

> In dual_mac mode packets arrived on one port should not be forwarded by
> switch hw to another port. Only Linux Host can forward packets between
> ports. The below test case (reported in [1]) shows that packet arrived on
> one port can be leaked to another (reproducible with dual port evms):
> - connect port 1 (eth0) to linux Host 0 and run tcpdump or Wireshark
> - connect port 2 (eth1) to linux Host 1 with vlan 1 configured
> - ping <IPx> from Host 1 through vlan 1 interface.
> ARP packets will be seen on Host 0.
>
> Issue happens because dual_mac mode is implemented using two vlans: 1 (Port
> 1+Port 0) and 2 (Port 2+Port 0), so there are vlan records created for
> each vlan. By default, the ALE will find valid vlan record in its table
> when vlan 1 tagged packet arrived on Port 2 and so forwards packet to all
> ports which are vlan 1 members (like Port.
>
> To avoid such behavior the ALE VLAN ID Ingress Check needs to be enabled
> for each external CPSW port (ALE_PORTCTLn.VID_INGRESS_CHECK) so ALE will
> drop ingress packets if Rx port is not VLAN member.
>
> Signed-off-by: Grygorii Strashko <grygorii.strashko@xxxxxx>

Applied and queued up for -stable, thank you.
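
The lookup behaviour described in the quoted commit message, as an added example that is not part of the original thread or the cpsw driver: a simplified software model of the ALE VLAN table in dual_mac mode, showing where a vlan 1 tagged broadcast received on Port 2 is flooded with and without the ingress check. All function and type names are hypothetical, and dropping frames with no VLAN record is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model only: hypothetical names, not the cpsw driver or the
 * real ALE register layout. */
#define HOST_PORT 0u
#define BIT(n) (1u << (n))

struct vlan_entry {
    uint16_t vid;
    uint8_t member_mask;            /* bit n set => port n is a member */
};

/* dual_mac layout from the commit message:
 * vlan 1 = Port 1 + Port 0, vlan 2 = Port 2 + Port 0. */
static const struct vlan_entry vlan_table[] = {
    { 1, BIT(1) | BIT(HOST_PORT) },
    { 2, BIT(2) | BIT(HOST_PORT) },
};

/* Mask of ports a broadcast frame tagged `vid` is flooded to when it is
 * received on `rx_port`; 0 means the frame is dropped. */
static uint8_t ale_flood_mask(uint16_t vid, unsigned rx_port,
                              bool vid_ingress_check)
{
    for (size_t i = 0; i < sizeof(vlan_table) / sizeof(vlan_table[0]); i++) {
        if (vlan_table[i].vid != vid)
            continue;
        uint8_t members = vlan_table[i].member_mask;
        /* The fix: drop when the Rx port is not a member of the VLAN. */
        if (vid_ingress_check && !(members & BIT(rx_port)))
            return 0;
        /* Flood to every member except the port the frame came in on. */
        return members & (uint8_t)~BIT(rx_port);
    }
    return 0;                       /* assumption: no VLAN record => drop */
}

int main(void)
{
    /* vlan 1 tagged ARP broadcast arriving on Port 2 (the reported case). */
    printf("check off: flood mask 0x%x (bit 1 set => leaks to Port 1)\n",
           (unsigned)ale_flood_mask(1, 2, false));
    printf("check on:  flood mask 0x%x (dropped)\n",
           (unsigned)ale_flood_mask(1, 2, true));
    return 0;
}
```
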