> On 10 Mar 2021, at 23:07, Klemens Nanni <k...@openbsd.org> wrote:
> 
> On Tue, Mar 09, 2021 at 08:48:14PM +0100, Klemens Nanni wrote:
>> Simple addition of VEB right before BRIDGE.
> New diff sorting the section alphabetically between UMB and VLAN,
> thanks jmc.
> 
>> All text is copied from other already existing sections, i.e. link flag
>> handling from TPMR and the rest from BRIDGE.
>> 
>> Contrary to BRIDGE, I deliberately added a synopsis for VEB such that
>> there's a simple overview, especially since veb(4) currently does not
>> explain *how* to use the described features.
>> 
>> While TPMR and VEB use the same wording for link flags, their semantics
>> are different, i.e. both different flags and swapped polarity for those
>> flags.
>> 
>> Feedback? OK?

ok after you fix one little thing below.

> 
> Index: ifconfig.8
> ===================================================================
> RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
> retrieving revision 1.365
> diff -u -p -r1.365 ifconfig.8
> --- ifconfig.8        9 Mar 2021 19:39:20 -0000       1.365
> +++ ifconfig.8        10 Mar 2021 13:05:38 -0000
> @@ -2044,6 +2044,104 @@ As soon as the interface is marked as "u
> .Xr umb 4
> device will try to establish a data connection with the service provider.
> .El
> +.Sh VEB
> +.nr nS 1
> +.Bk -words
> +.Nm ifconfig
> +.Ar veb-interface
> +.Op Cm add Ar child-iface
> +.Op Cm addspan Ar child-iface
> +.Op Cm del Ar child-iface
> +.Op Cm delspan Ar child-iface
> +.Op Oo Fl Oc Ns Cm discover Ar child-iface
> +.It Oo Fl Oc Ns Cm learn Ar child-iface
> +.Op Oo Fl Oc Ns Cm link0
> +.Op Oo Fl Oc Ns Cm link1
> +.Op Oo Fl Oc Ns Cm protected Ar child-iface ids
> +.Ek
> +.nr nS 0
> +.Pp
> +The following options are available for a
> +.Xr veb 4
> +interface:
> +.Bl -tag -width Ds
> +.It Cm add Ar child-iface
> +Add
> +.Ar child-iface
> +as a member.
> +.It Cm addspan Ar child-iface
> +Add
> +.Ar child-iface
> +as a span port on the bridge.
> +.It Cm del Ar child-iface
> +Remove the member
> +.Ar child-iface .
> +.It Cm delspan Ar child-iface
> +Delete
> +.Ar child-iface
> +from the list of span ports of the bridge.
> +.It Cm discover Ar child-iface
> +Mark
> +.Ar child-iface
> +so that packets are sent out of the interface
> +if the destination port of the packet is unknown.
> +If the bridge has no address cache entry for the destination of
> +a packet, meaning that there is no static entry and no dynamically learned
> +entry for the destination, the bridge will forward the packet to all member
> +interfaces that have this flag set.
> +This is the default for interfaces added to the bridge.
> +.It Cm -discover Ar child-iface
> +Mark
> +.Ar child-iface
> +so that packets are not sent out of the interface
> +if the destination port of the packet is unknown.
> +Turning this flag
> +off means that the bridge will not send packets out of this interface
> +unless the packet is a broadcast packet, multicast packet, or a
> +packet with a destination address found on the interface's segment.
> +This, in combination with static address cache entries,
> +prevents potentially sensitive packets from being sent on
> +segments that have no need to see the packet.
> +.It Cm learn Ar child-iface
> +Mark
> +.Ar child-iface
> +so that the source address of packets received from
> +the interface
> +are entered into the address cache.
> +This is the default for interfaces added to the bridge.
> +.It Cm -learn Ar child-iface
> +Mark
> +.Ar child-iface
> +so that the source address of packets received from interface
> +are not entered into the address cache.
> +.It Cm link0
> +Disable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
> +.It Cm -link0
> +Enable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
> +Packets will appear to enter or leave the member port interfaces.

I don't think this line above should be here.

> +This is the default.
> +.It Cm link1
> +Enable the filtering of IPv4 and IPv6 packets with
> +.Xr pf 4 .
> +.It Cm -link1
> +Disable the filtering of IPv4 and IPv6 packets with
> +.Xr pf 4 .
> +This is the default.

Is it worth noting that vport(4) members of a veb(4) are different to other 
ports? The answer to this question doesn't affect my ok, the diff should go in
and we can tweak this later.

> +.It Cm protected Ar child-iface ids
> +Put
> +.Ar interface
> +in protected domains.
> +.Ar ids
> +is a comma delimited list of domain IDs, between 1 and 31, to put the
> +interface in.
> +Interfaces that are part of a protected domain cannot forward traffic to any
> +other interface in that domain.
> +Interfaces do not belong to any protected domain by default.
> +.It Cm -protected Ar child-iface
> +Remove
> +.Ar child-iface
> +from all protected domains.
> +.El
> .Sh VLAN
> .nr nS 1
> .Bk -words
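
Review bot: In the new VEB synopsis the learn line starts with ".It" (".It Oo Fl Oc Ns Cm learn Ar child-iface") while every neighbouring line uses ".Op", and no list is open at that point since ".Bl" only begins after the synopsis; it should read ".Op Oo Fl Oc Ns Cm learn Ar child-iface". Further down, the entry headed ".It Cm protected Ar child-iface ids" describes its argument as ".Ar interface", which should be ".Ar child-iface" to match the item header and the -protected entry. The -learn text also says "received from interface" where the learn entry has "from the interface", and the synopsis line for [-]protected shows "ids" although the -protected item takes only child-iface.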

veb also supports bridge rules btw.
