From: netdev@kapio-technology.com
To: Ido Schimmel <idosch@nvidia.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
Vivien Didelot <vivien.didelot@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-kselftest@vger.kernel.org, Roopa Prabhu <roopa@nvidia.com>,
kuba@kernel.org, Vladimir Oltean <olteanv@gmail.com>,
Shuah Khan <shuah@kernel.org>,
davem@davemloft.net
Subject: Re: [Bridge] [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers
Date: Sun, 21 Aug 2022 15:43:04 +0200 [thread overview]
Message-ID: <ce4266571b2b47ae8d56bd1f790cb82a@kapio-technology.com> (raw)
In-Reply-To: <YwHZ1J9DZW00aJDU@shredder>
On 2022-08-21 09:08, Ido Schimmel wrote:
> On Fri, Aug 19, 2022 at 11:51:11AM +0200, netdev@kapio-technology.com
> wrote:
>> On 2022-08-14 16:55, Ido Schimmel wrote:
>> > On Fri, Aug 12, 2022 at 02:29:48PM +0200, netdev@kapio-technology.com
>> > wrote:
>> > > On 2022-08-11 13:28, Ido Schimmel wrote:
>> > >
>> > > > > > I'm talking about roaming, not forwarding. Let's say you have a locked
>> > > > > > entry with MAC X pointing to port Y. Now you get a packet with SMAC X
>> > > > > > from port Z which is unlocked. Will the FDB entry roam to port Z? I
>> > > > > > think it should, but at least in current implementation it seems that
>> > > > > > the "locked" flag will not be reset and having locked entries pointing
>> > > > > > to an unlocked port looks like a bug.
>>
>> I have made the locked entries sticky in the bridge, so that they
>> don't move
>> to other ports.
>
> Please make sure that this design choice is explained in the commit
> message. To be clear, it cannot be "this is how device X happens to
> work".
>
The real issue I think is that the locked entry should mask the MAC
address involved (as the description I gave for zero-DPV entries and
actually also storm prevention entries ensure), so that there is no
forwarding to the address on any port, otherwise it will allow one-way
traffic to a host that is not trusted. Thus flooding of unknown unicast
on a locked port should of course be disabled ('flood off'), so that
there is no way of sending to an unauthorized silent host behind the
locked port.
The issue with the locked entry appearing on another SW bridge port from
where it originated, I think is more of a cosmetic bug, though I could
be mistaken. But adding the sticky flag to locked entries ensures that
they do not move to another port.
This of course does that instant roaming is not possible, but I think
that the right approach is to use the ageing out of entries to allow the
station move/roaming.
The case of unwanted traffic to a MAC behind a locked port with a locked
entry is what I would regard as more worthy of a selftest. The sticky
flag I know will ensure that the locked entries do not move to other
ports, and since it is only in the bridge this can be tested (e.g. using
'bridge fdb show dev DEV'), I think that the test would be superfluos.
What do you think of that and my other consideration for a test?
>> I have now created the flag to enable Mac-Auth/MAB with iproute2:
>> bridge link set dev DEV macauth on|off
>
> You have 'macauth' here, but 'mab' in the output below. They need to
> match. I prefer the latter unless you have a good reason to use
> 'macauth'.
>
>>
>> with the example output from 'bridge -d link show dev DEV' when
>> macauth is
>> enabled:
>> 1: ethX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state
>> forwarding priority 32 cost 19
>> hairpin off guard off root_block off fastleave off learning on
>> flood off
>> mcast_flood on bcast_flood on mcast_router 1 mcast_to_unicast off
>> neigh_suppress off vlan_tunnel off isolated off locked mab on
>>
>> The flag itself in the code is called BR_PORT_MACAUTH.
>>
>> >
>> > Fine by me, but I'm not sure everyone agrees.
I will change it in iproute2 to:
bridge link set dev DEV mab on|off
next prev parent reply other threads:[~2022-08-21 13:43 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-12 12:29 [Bridge] [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers netdev
2022-08-14 14:55 ` Ido Schimmel
2022-08-19 9:51 ` netdev
2022-08-21 7:08 ` Ido Schimmel
2022-08-21 13:43 ` netdev [this message]
2022-08-22 5:40 ` Ido Schimmel
2022-08-22 7:49 ` netdev
2022-08-23 6:48 ` Ido Schimmel
2022-08-23 7:13 ` netdev
2022-08-23 7:24 ` Ido Schimmel
2022-08-23 7:37 ` netdev
2022-08-23 12:36 ` Ido Schimmel
2022-08-24 7:07 ` netdev
2022-08-23 11:41 ` netdev
2022-08-25 9:36 ` Ido Schimmel
2022-08-25 10:28 ` netdev
2022-08-25 15:14 ` netdev
2022-08-24 20:29 ` netdev
2022-08-25 9:23 ` Ido Schimmel
2022-08-25 10:27 ` netdev
2022-08-25 11:58 ` Ido Schimmel
2022-08-25 13:41 ` netdev
-- strict thread matches above, loose matches on Subject: below --
2022-07-07 15:29 [Bridge] [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-07-07 15:29 ` [Bridge] [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-07-08 8:49 ` Vladimir Oltean
2022-07-08 9:06 ` netdev
2022-07-08 9:15 ` Vladimir Oltean
2022-07-08 9:27 ` netdev
2022-07-08 9:50 ` netdev
2022-07-08 11:56 ` Vladimir Oltean
2022-07-08 12:34 ` netdev
2022-07-10 8:35 ` Ido Schimmel
2022-07-13 7:09 ` netdev
2022-07-13 12:39 ` Ido Schimmel
2022-07-17 12:21 ` netdev
2022-07-17 12:57 ` Vladimir Oltean
2022-07-17 13:09 ` netdev
2022-07-17 13:59 ` Vladimir Oltean
2022-07-17 14:57 ` netdev
2022-07-17 15:08 ` Vladimir Oltean
2022-07-17 16:10 ` netdev
2022-07-21 11:54 ` Vladimir Oltean
2022-07-17 15:20 ` Ido Schimmel
2022-07-17 15:53 ` netdev
2022-07-21 11:59 ` Vladimir Oltean
2022-07-21 13:27 ` Ido Schimmel
2022-07-21 14:20 ` Vladimir Oltean
2022-07-24 11:10 ` Ido Schimmel
2022-08-01 11:57 ` netdev
2022-08-01 13:14 ` netdev
2022-08-02 12:54 ` netdev
2022-08-01 15:33 ` netdev
2022-08-09 9:20 ` Ido Schimmel
2022-08-09 20:00 ` netdev
2022-08-10 7:21 ` Ido Schimmel
2022-08-10 8:40 ` netdev
2022-08-11 11:28 ` Ido Schimmel
2022-08-12 15:33 ` netdev
2022-08-16 7:51 ` netdev
2022-08-17 6:21 ` Ido Schimmel
2022-07-21 11:51 ` Vladimir Oltean
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ce4266571b2b47ae8d56bd1f790cb82a@kapio-technology.com \
--to=netdev@kapio-technology.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).