Re: bridge(4) VLAN filtering

From: Matthew Grooms <mgrooms_at_shrew.net>
Date: Fri, 04 Apr 2025 21:21:40 UTC
On 4/4/25 13:47, Lexi Winter wrote:
> hello,
>
> over the last few days i have been doing a bit of work on VLAN filtering
> for bridge(4), which i thought i'd mention here in case anyone is
> interested.  the purpose of this is to extend the existing bridge VLAN
> support to make it more generally useful.
>
> the full changeset / diff is available at [0], including documentation
> and basic ATF tests.
>
> a summary of the new features:
>
> - a bridge member's PVID may be configured using ifpvid:
>
> 	ifconfig bridge0 ifpvid ix0 20
>
>    setting a PVID enables VLAN filtering on the member interface and
>    restricts it to only send/receive frames on that specific VLAN.
>    untagged incoming frames will be assigned to the correct VLAN.
>
> - a bridge member's port type may be configured using iftype:
>
> 	ifconfig bridge0 iftype ix0 <access|trunk|hybrid>
>
>    access ports may only send/receive untagged frames; trunk ports may
>    only send/receive frames with a non-zero .1q tag; hybrid ports may
>    send/receive either type of frame.
>
> - for trunk and hybrid ports, the list of permitted VLANs may be set
>    using +ifvlans/-ifvlans:
>
> 	ifconfig bridge0 +ifvlans ix0 100-599
> 	ifconfig bridge0 -ifvlans ix0 105,300
>
>    the port will only be allowed to communicate on the VLANs in its
>    access list (plus its PVID).
>
> - the VLAN configuration for a port is displayed in ifconfig:
>
>          member: test2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                  ifmaxaddr 0 port 5 priority 128 path cost 2000 pvid 1 type trunk vlans 20
>
> - when bridging between different port types (e.g. an access port and a
>    trunk port), the bridge will add or remove .1q tags as required.
>
> - an SVI for a particular vlan may be created on the bridge using
>    vlan(4):
>
> 	ifconfig vlan20 create vlan 20 vlandev bridge0
>
>    the SVI interface will send/receive traffic for that particular VLAN.
>
> to make review a bit easier, my plan is to submit this as smaller
> changesets of self-contained features.  to start with that's two minor
> bug fixes:
>
> https://github.com/freebsd/freebsd-src/pull/1639
> https://github.com/freebsd/freebsd-src/pull/1637
>
> and the first actual feature which is the ifconfig 'ifpvid' option:
>
> https://github.com/freebsd/freebsd-src/pull/1634
>
> if anyone has any comments/questions or would like to review this (or
> even commit it!) do feel free - obviously, this requires a fair amount
> of testing and i certainly wouldn't recommend using it in production
> yet.  this is my first time writing any non-trivial kernel code, so it's
> quite possible everything is completely wrong.
>
> [0] https://github.com/freebsd/freebsd-src/compare/main...llfw:freebsd-src:lf/dev/bridge-1q

Looks awesome. Thanks for working on this. Any idea what the overhead is 
wrt packet forwarding rate? Any performance numbers comparing your 
bridge access port feature vs vlan + bridge?

-Matthew
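As an added illustration that is not part of this thread and not code from bridge(4) or from the changeset Lexi describes, the C program below models the filtering rules the original post lists: access ports carry only untagged frames, trunk ports only non-zero .1q tags, hybrid ports either; an untagged frame is assigned the member's PVID; a port may communicate only on its permitted VLAN list plus its PVID; and tags are added or stripped when a frame crosses between port types. Everything else is an assumption of this example and not stated in the post: every modelled port has a PVID set (so filtering is on), a tag with VID 0 (a priority tag) is treated as untagged as 802.1Q does, a hybrid port sends its PVID untagged and all other VLANs tagged, and the port names ix0/ix1 and the VLAN numbers are a constructed configuration. The point worth checking is the last case in the test: a VLAN that the trunk permits but the access port does not must be dropped at egress, otherwise the access port leaks traffic from other VLANs.

```c
/*
 * Added example, not code from bridge(4) or from the changeset above: a
 * userland model of the VLAN filtering rules the post describes. Assumed
 * here and not stated in the post: every port has a PVID (filtering on);
 * a tag with VID 0 (a priority tag) counts as untagged, as in 802.1Q; a
 * hybrid port sends its PVID untagged and every other VLAN tagged.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VLAN_MAX 4096
enum port_type { PORT_ACCESS, PORT_TRUNK, PORT_HYBRID };   /* iftype */
enum verdict { DROP_INGRESS, DROP_EGRESS, FORWARDED };

struct port {
    enum port_type type;
    uint16_t       pvid;                 /* ifpvid */
    uint8_t        vlans[VLAN_MAX / 8];  /* +ifvlans/-ifvlans bitmap */
};

struct frame {
    bool     tagged;   /* carries an 802.1Q tag */
    uint16_t vid;      /* VID from that tag; ignored when !tagged */
};

/* +ifvlans lo-hi (allow = true) or -ifvlans lo-hi (allow = false) */
static void port_set_vlans(struct port *p, uint16_t lo, uint16_t hi, bool allow)
{
    for (uint32_t v = lo; v <= hi && v < VLAN_MAX; v++) {
        uint8_t bit = (uint8_t)(1u << (v % 8));
        p->vlans[v / 8] = allow ? p->vlans[v / 8] | bit : p->vlans[v / 8] & ~bit;
    }
}

/* A port may carry the VLANs in its list plus its PVID. */
static bool port_allows(const struct port *p, uint16_t vid)
{
    if (vid >= VLAN_MAX) return false;
    return vid == p->pvid || ((p->vlans[vid / 8] >> (vid % 8)) & 1u);
}

/* Ingress: classify a received frame into a VLAN, or reject it. */
static bool bridge_ingress(const struct port *p, const struct frame *f, uint16_t *vid)
{
    bool tagged = f->tagged && f->vid != 0;        /* VID 0 = priority tag */

    /* access: untagged only; trunk: tagged only; hybrid: either */
    if (tagged ? p->type == PORT_ACCESS : p->type == PORT_TRUNK)
        return false;
    *vid = tagged ? f->vid : p->pvid;               /* untagged -> PVID */
    return tagged ? port_allows(p, f->vid) : true;  /* tagged: must be permitted */
}

/* Egress: may VLAN vid leave port p, and does it leave tagged? */
static bool bridge_egress(const struct port *p, uint16_t vid, struct frame *out)
{
    if (!port_allows(p, vid)) return false;
    switch (p->type) {
    case PORT_ACCESS: out->tagged = false;            break; /* strip tag   */
    case PORT_TRUNK:  out->tagged = true;             break; /* add/keep    */
    case PORT_HYBRID: out->tagged = (vid != p->pvid); break; /* PVID native */
    }
    out->vid = out->tagged ? vid : 0;
    return true;
}

static enum verdict bridge_forward(const struct port *in, const struct frame *f,
                                   const struct port *out, struct frame *of)
{
    uint16_t vid;
    if (!bridge_ingress(in, f, &vid)) return DROP_INGRESS;
    if (!bridge_egress(out, vid, of)) return DROP_EGRESS;
    return FORWARDED;
}

/* Constructed config: ix0 = access, pvid 20; ix1 = trunk, pvid 1,
 * +ifvlans 20 and 100-599, -ifvlans 105 and 300. */
static void setup_example_ports(struct port *ix0, struct port *ix1)
{
    memset(ix0, 0, sizeof *ix0);
    memset(ix1, 0, sizeof *ix1);
    ix0->type = PORT_ACCESS; ix0->pvid = 20;
    ix1->type = PORT_TRUNK;  ix1->pvid = 1;
    port_set_vlans(ix1, 20, 20, true);
    port_set_vlans(ix1, 100, 599, true);
    port_set_vlans(ix1, 105, 105, false);
    port_set_vlans(ix1, 300, 300, false);
}

int main(void)
{
    struct port ix0, ix1;
    struct frame out, f = { true, 200 };   /* VLAN 200, tagged, arriving on the trunk */

    setup_example_ports(&ix0, &ix1);
    /* 0 = dropped at ingress, 1 = dropped at egress, 2 = forwarded */
    printf("trunk ix1 -> access ix0, tag 200: verdict %d\n",
           bridge_forward(&ix1, &f, &ix0, &out));
    return 0;
}
```

The model is intentionally stateless (no MAC learning, no STP), so each call is one ingress/egress decision; the hybrid tagging rule and the treatment of VID 0 are the places where a real implementation may legitimately differ from this example.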