RE: [Intel-wired-lan] [PATCH iwl-next v4 0/7] ice: in VEB, prevent "cross-vlan" traffic

From: Romanowski, Rafal

Date: Fri Feb 27 2026 - 08:51:59 EST


> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf Of Jakub
> Slepecki
> Sent: Wednesday, February 4, 2026 16:44
> To: intel-wired-lan@xxxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; Kitszel, Przemyslaw
> <przemyslaw.kitszel@xxxxxxxxx>; Nguyen, Anthony L
> <anthony.l.nguyen@xxxxxxxxx>; michal.swiatkowski@xxxxxxxxxxxxxxx; Slepecki,
> Jakub <jakub.slepecki@xxxxxxxxx>; Loktionov, Aleksandr
> <aleksandr.loktionov@xxxxxxxxx>
> Subject: [Intel-wired-lan] [PATCH iwl-next v4 0/7] ice: in VEB, prevent "cross-vlan" traffic
>
> Currently, packets that match MAC address of a VF will be sent to loopback even
> if they would cross VLAN boundaries. Effectively, this drops them.
> In this patch series, we aim to address this behaviour by adding MAC,VLAN to
> complement what MAC-only filters do to select packets for loopback.
>
> To reproduce the issue have an E810 ($pfa) connected to another adapter ($pfb),
> then:
>
> # echo 2 >/sys/class/net/$pfa/device/sriov_numvfs
> # ip l set $pfa vf 0 vlan 4
> # ip l set $pfa vf 1 vlan 7
> # ip l set $pfa_vf0 netns $pfa_vf0_netns up
> # ip l set $pfa_vf1 netns $pfa_vf1_netns up
> # ip netns exec $pfa_vf0_netns ip a add 10.0.0.1/24 dev $pfa_vf0
> # ip netns exec $pfa_vf1_netns ip a add 10.0.0.2/24 dev $pfa_vf1
>
> And for the $pfb:
>
> # echo 2 >/sys/class/net/$pfb/device/sriov_numvfs
> # ip l set $pfb vf 0 trust on spoof off vlan 4
> # ip l set $pfb vf 1 trust on spoof off vlan 7
> # ip l add $br type bridge
> # ip l set $pfb_vf0 master $br up
> # ip l set $pfb_vf1 master $br up
> # ip l set $br up
>
> We expect $pfa_vf0 to be able to reach $pfa_vf1 through the $br on the link
> partner. Instead, ARP is unable to resolve 10.0.0.2/24.
> ARP request is fine because it's broadcast and bounces off $br, but ARP reply is
> stuck in the internal switch because the destination MAC matches $pfa_vf0 and
> filter restricts it to the loopback.
>
> In testing I used: ip utility, iproute2-6.1.0, libbpf 1.3.0
>
> Changes in v4:
> - Removed "ice: do not check for zero mac when creating mac filters"
> patch.
>
> Changes in v3:
> - Improve structure of reproduction description in cover letter.
> - LB_LAN masks and values no longer rely on boolean promotion.
> - ice_fill_sw_info() deals with u8 the entire time instead of building
> lb_en and lan_en values at the end from booleans.
> - Refer to reproduction in cover letter in current 4/7.
> - Fixed some slip-ups "this patch" and "this commit" in commit
> messages across the series. I did not consider this change for
> reviewed-by drop.
>
> Changes in v2:
> - Use FIELD_GET et al. when handling fi.lb_en and fi.lan_en.
> - Rename /LB_LAN/ s/_MASK/_M/ because one of uses would need to break
> line.
> - Close open parenthesis in ice_vsi_update_bridge_mode() description.
> - Explain returns in ice_vsi_update_bridge_mode().
>
> v3: https://lore.kernel.org/intel-wired-lan/20260120103440.892326-1-jakub.slepecki@xxxxxxxxx/T/
> v2: https://lore.kernel.org/intel-wired-lan/20251125083456.28822-1-jakub.slepecki@xxxxxxxxx/T/
> v1: https://lore.kernel.org/intel-wired-lan/20251120162813.37942-1-jakub.slepecki@xxxxxxxxx/T/
>
> Jakub Slepecki (6):
> ice: in dvm, use outer VLAN in MAC,VLAN lookup
> ice: allow creating mac,vlan filters along mac filters
> ice: allow overriding lan_en, lb_en in switch
> ice: update mac,vlan rules when toggling between VEB and VEPA
> ice: add functions to query for vsi's pvids
> ice: in VEB, prevent "cross-vlan" traffic from hitting loopback
>
> Michal Swiatkowski (1):
> ice: add mac vlan to filter API
>
> drivers/net/ethernet/intel/ice/ice_fltr.c | 104 ++++++++++++++-
> drivers/net/ethernet/intel/ice/ice_fltr.h | 10 +
> drivers/net/ethernet/intel/ice/ice_lib.c | 56 ++++++++
> drivers/net/ethernet/intel/ice/ice_lib.h | 2
> drivers/net/ethernet/intel/ice/ice_main.c | 56 ++++++--
> drivers/net/ethernet/intel/ice/ice_switch.c | 83 ++++++++---
> drivers/net/ethernet/intel/ice/ice_switch.h | 24 ++-
> drivers/net/ethernet/intel/ice/ice_vf_lib.c | 8 -
> drivers/net/ethernet/intel/ice/ice_vlan_mode.c | 12 +
> 9 files changed, 306 insertions(+), 49 deletions(-)
>
> --
> 2.43.0

Tested-by: Rafal Romanowski <rafal.romanowski@xxxxxxxxx>
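
A simplified model of the loopback selection described in the quoted cover letter, added here as an illustration; it is not code from the patch series or the ice driver. The function veb_forward(), the enum names and the MAC addresses are assumptions made for this example; the VLAN IDs 4 and 7 follow the reproduction steps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model: one switch entry per VF, holding its MAC and port VLAN. */
enum verdict { DELIVERED_LOOPBACK, DROPPED_IN_SWITCH, SENT_TO_UPLINK };
enum lookup { MAC_ONLY, MAC_AND_VLAN };

struct vf { uint8_t mac[6]; uint16_t pvid; };

/* Constructed sample: vf0 in VLAN 4 and vf1 in VLAN 7, as in the reproduction. */
static const struct vf vfs[] = {
    { {0x02, 0, 0, 0, 0, 0x01}, 4 },
    { {0x02, 0, 0, 0, 0, 0x02}, 7 },
};

/* Decide where a frame with destination MAC dst, tagged with vlan, ends up. */
static enum verdict veb_forward(enum lookup mode, const uint8_t dst[6],
                                uint16_t vlan)
{
    for (size_t i = 0; i < sizeof(vfs) / sizeof(vfs[0]); i++) {
        if (memcmp(vfs[i].mac, dst, 6) != 0)
            continue;
        /* MAC,VLAN lookup: a VLAN mismatch means no loopback rule matches. */
        if (mode == MAC_AND_VLAN && vfs[i].pvid != vlan)
            continue;
        /* Frame is restricted to loopback; VLAN membership decides delivery. */
        return vfs[i].pvid == vlan ? DELIVERED_LOOPBACK : DROPPED_IN_SWITCH;
    }
    return SENT_TO_UPLINK; /* no loopback match: frame leaves via the LAN port */
}

int main(void)
{
    static const char *const name[] = { "delivered via loopback",
                                        "dropped in internal switch",
                                        "sent to uplink" };
    /* The ARP reply from the reproduction: vf1 (VLAN 7) replies to vf0's MAC. */
    printf("MAC only:  %s\n", name[veb_forward(MAC_ONLY, vfs[0].mac, 7)]);
    printf("MAC,VLAN:  %s\n", name[veb_forward(MAC_AND_VLAN, vfs[0].mac, 7)]);
    /* Same-VLAN traffic is looped back under either lookup. */
    printf("same VLAN: %s\n", name[veb_forward(MAC_AND_VLAN, vfs[0].mac, 4)]);
    return 0;
}
```

In this model the VLAN 7 frame reaches the uplink only under the MAC,VLAN lookup, which is the path on which the link partner's bridge can forward it back in VLAN 4.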