On Mon, 29 May 2023 14:48:28 +0300 Ido Schimmel wrote:
> For EVPN non-DF (Designated Forwarder) filtering we need to be able to
> prevent decapsulated traffic from being flooded to a multi-homed host.
> Filtering of multicast and broadcast traffic can be achieved using the
> following flower filter:
>
> # tc filter add dev bond0 egress pref 1 proto all flower indev vxlan0 dst_mac 01:00:00:00:00:00/01:00:00:00:00:00 action drop
>
> Unlike broadcast and multicast traffic, it is not currently possible to
> filter unknown unicast traffic. The classification into unknown unicast
> is performed by the bridge driver, but is not visible to other layers
> such as tc.
>
> Solve this by adding a new 'l2_miss' bit to the tc skb extension. Clear
> the bit whenever a packet enters the bridge (received from a bridge port
> or transmitted via the bridge) and set it if the packet did not match an
> FDB or MDB entry. If there is no skb extension and the bit needs to be
> cleared, then do not allocate one as no extension is equivalent to the
> bit being cleared. The bit is not set for broadcast packets as they
> never perform a lookup and therefore never incur a miss.

Acked-by: Jakub Kicinski <kuba@xxxxxxxxxx>
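The following is an added example, not code from the patch series, the kernel or either author of the thread. It is a small user-space C model of the rules in the cover letter: the bridge clears the miss bit on entry without allocating a tc skb extension just to clear it, sets the bit only on an FDB/MDB miss, never sets it for broadcast (no lookup is performed), and the non-DF bond's egress filter drops decapsulated (indev vxlan) traffic that is either multicast/broadcast (the dst_mac mask from the cover letter) or unknown unicast (l2_miss set). The struct names, table sizes, ifindex values and sample MAC addresses are all constructed for this illustration; the l2_miss match itself is expressed as a function because the flower keyword syntax is not quoted in the thread.

```c
/*
 * Added example: toy model of the bridge l2_miss bit and the non-DF egress
 * filter. Not kernel code; all names and data below are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define TBL_MAX  8

struct l2_entry { uint8_t mac[ETH_ALEN]; bool valid; };

/* Constructed bridge tables: unicast FDB and multicast MDB. */
static struct l2_entry fdb[TBL_MAX];
static struct l2_entry mdb[TBL_MAX];

/* Minimal skb: has_ext models "a tc skb extension is allocated";
 * l2_miss is only meaningful when has_ext is true. */
struct skb {
	uint8_t dst[ETH_ALEN];
	int  indev;     /* ifindex the frame was received on */
	bool has_ext;
	bool l2_miss;
};

/* Verdict for one frame, for the reader and the tests. */
struct result { bool flooded; bool has_ext; bool l2_miss; bool dropped; };

static bool mac_is_multicast(const uint8_t *m) { return (m[0] & 0x01) != 0; }
static bool mac_is_broadcast(const uint8_t *m)
{
	static const uint8_t bcast[ETH_ALEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
	return memcmp(m, bcast, ETH_ALEN) == 0;
}

static bool tbl_lookup(const struct l2_entry *t, const uint8_t *m)
{
	for (int i = 0; i < TBL_MAX; i++)
		if (t[i].valid && memcmp(t[i].mac, m, ETH_ALEN) == 0)
			return true;
	return false;
}

static bool tbl_add(struct l2_entry *t, const uint8_t *m)
{
	for (int i = 0; i < TBL_MAX; i++)
		if (!t[i].valid) {
			memcpy(t[i].mac, m, ETH_ALEN);
			t[i].valid = true;
			return true;
		}
	return false;  /* constructed table is full */
}

void model_reset(void) { memset(fdb, 0, sizeof fdb); memset(mdb, 0, sizeof mdb); }
bool fdb_add(const uint8_t *m) { return tbl_add(fdb, m); }
bool mdb_add(const uint8_t *m) { return tbl_add(mdb, m); }

/* Frame enters the bridge: clear the bit, but do not allocate an extension
 * just to clear it (no extension == bit cleared). */
static void br_clear_l2_miss(struct skb *skb)
{
	if (skb->has_ext)
		skb->l2_miss = false;
}

/* Bridge forwarding decision. Returns true when the frame is flooded. */
bool br_handle_frame(struct skb *skb)
{
	br_clear_l2_miss(skb);
	if (mac_is_broadcast(skb->dst))
		return true;  /* flooded without any lookup: no miss is recorded */
	bool hit = mac_is_multicast(skb->dst) ? tbl_lookup(mdb, skb->dst)
	                                      : tbl_lookup(fdb, skb->dst);
	if (hit)
		return false;  /* known destination: not flooded */
	skb->has_ext = true;   /* allocate only now, because the bit must be set */
	skb->l2_miss = true;
	return true;
}

/* Egress on the non-DF bond: the dst_mac mask filter from the cover letter
 * plus a match on the new l2_miss bit, both restricted to indev vxlan. */
bool nondf_egress_drops(const struct skb *skb, int vxlan_ifindex)
{
	if (skb->indev != vxlan_ifindex)
		return false;                       /* only decapsulated traffic */
	if (mac_is_multicast(skb->dst))
		return true;                        /* 01:00:00:00:00:00/01:00:00:00:00:00 */
	return skb->has_ext && skb->l2_miss;    /* unknown unicast */
}

/* Run one frame through bridge and egress filter. stale_miss constructs a
 * frame that arrives with an extension whose l2_miss bit is still set. */
struct result run_packet(const uint8_t *dst, int indev, int vxlan_ifindex, bool stale_miss)
{
	struct skb skb = { .indev = indev, .has_ext = stale_miss, .l2_miss = stale_miss };
	memcpy(skb.dst, dst, ETH_ALEN);
	struct result r;
	r.flooded = br_handle_frame(&skb);
	r.has_ext = skb.has_ext;
	r.l2_miss = skb.has_ext && skb.l2_miss;
	r.dropped = nondf_egress_drops(&skb, vxlan_ifindex);
	return r;
}

int main(void)
{
	const uint8_t known[ETH_ALEN]   = {0x00,0x11,0x22,0x33,0x44,0x55};
	const uint8_t unknown[ETH_ALEN] = {0x00,0x11,0x22,0x33,0x44,0x66};
	const uint8_t bcast[ETH_ALEN]   = {0xff,0xff,0xff,0xff,0xff,0xff};
	model_reset();
	fdb_add(known);
	const uint8_t *frames[] = { known, unknown, bcast };
	for (int i = 0; i < 3; i++) {
		struct result r = run_packet(frames[i], 5, 5, false);
		printf("frame %d: flooded=%d l2_miss=%d dropped=%d\n",
		       i, r.flooded, r.l2_miss, r.dropped);
	}
	return 0;
}
```

In the model, ifindex 5 stands for vxlan0 and any other value for a local bridge port; a frame with an unknown unicast destination coming from a local port is still flooded and still carries l2_miss, but the egress filter leaves it alone because indev does not match, which is exactly why the filter in the cover letter is scoped with `indev vxlan0`.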