From: Vladimir Oltean <olteanv@gmail.com>
To: Hans Schultz <schultz.hans@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Ido Schimmel <idosch@nvidia.com>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org
Subject: Re: [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation
Date: Thu, 17 Mar 2022 01:34:47 +0200 [thread overview]
Message-ID: <20220316233447.kwyirxckgancdqmh@skbuf> (raw)
In-Reply-To: <86r17495gk.fsf@gmail.com>
On Mon, Mar 14, 2022 at 11:46:51AM +0100, Hans Schultz wrote:
> >> @@ -396,6 +414,13 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
> >> "ATU miss violation for %pM portvec %x spid %d\n",
> >> entry.mac, entry.portvec, spid);
> >> chip->ports[spid].atu_miss_violation++;
> >> + if (mv88e6xxx_port_is_locked(chip, chip->ports[spid].port))
> >> + err = mv88e6xxx_switchdev_handle_atu_miss_violation(chip,
> >> + chip->ports[spid].port,
> >> + &entry,
> >> + fid);
> >
> > Do we want to suppress the ATU miss violation warnings if we're going to
> > notify the bridge, or is it better to keep them for some reason?
> > My logic is that they're part of normal operation, so suppressing makes
> > sense.
> >
>
> I have been seeing many ATU member violations after the miss violation is
> handled (using ping), and I think it could be considered to suppress the ATU member
> violations interrupts by setting the IgnoreWrongData bit for the
> port (sect 4.4.7). This would be something to do whenever a port is set in locked mode?
So the first packet with a given MAC SA triggers an ATU miss violation
interrupt.
You program that MAC SA into the ATU with a destination port mask of all
zeroes. This suppresses further ATU miss interrupts for this MAC SA, but
now generates ATU member violations, because the MAC SA _is_ present in
the ATU, but not towards the expected port (in fact, towards _no_ port).
Especially if user space decides it doesn't want to authorize this MAC
SA, it really becomes a problem because this is now a vector for denial
of service, with every packet triggering an ATU member violation
interrupt.
So your suggestion is to set the IgnoreWrongData bit on locked ports,
and this will suppress the actual member violation interrupts for
traffic coming from these ports.
So if the user decides to unplug a previously authorized printer from
switch port 1 and move it to port 2, how is this handled? If there isn't
a mechanism in place to delete the locked FDB entry when the printer
goes away, then by setting IgnoreWrongData you're effectively also
suppressing migration notifications.
Oh, btw, my question was: could you consider suppressing the _prints_ on
an ATU miss violation on a locked port?
next prev parent reply other threads:[~2022-03-16 23:34 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 14:23 [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-03-10 14:23 ` [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature Hans Schultz
2022-03-10 14:42 ` Nikolay Aleksandrov
2022-03-10 15:38 ` Hans Schultz
2022-03-10 15:57 ` Nikolay Aleksandrov
2022-03-10 16:11 ` Hans Schultz
2022-03-10 16:14 ` Nikolay Aleksandrov
2022-03-10 16:33 ` Hans Schultz
2022-03-14 15:30 ` Ido Schimmel
2022-03-15 8:48 ` Hans Schultz
2022-03-15 11:00 ` Ido Schimmel
2022-03-10 14:23 ` [PATCH net-next 2/3] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-03-10 14:23 ` [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-03-10 14:28 ` Vladimir Oltean
2022-03-10 15:00 ` Hans Schultz
2022-03-10 15:07 ` Vladimir Oltean
2022-03-10 15:51 ` Hans Schultz
2022-03-10 16:05 ` Vladimir Oltean
2022-03-10 16:40 ` Hans Schultz
2022-03-10 15:57 ` Hans Schultz
2022-03-14 10:46 ` Hans Schultz
2022-03-16 23:34 ` Vladimir Oltean [this message]
2022-03-17 8:52 ` Hans Schultz
2022-03-17 14:19 ` Andrew Lunn
2022-03-17 15:36 ` Vladimir Oltean
2022-03-17 16:07 ` Hans Schultz
2022-03-17 16:18 ` Vladimir Oltean
2022-03-17 16:58 ` Hans Schultz
2022-03-17 17:20 ` Vladimir Oltean
2022-03-18 10:04 ` Hans Schultz
2022-03-18 12:14 ` Vladimir Oltean
2022-03-18 13:10 ` Hans Schultz
2022-03-18 13:19 ` Vladimir Oltean
2022-03-22 11:01 ` Hans Schultz
2022-03-22 11:08 ` Vladimir Oltean
2022-03-22 13:21 ` Hans Schultz
2022-03-22 14:47 ` Hans Schultz
2022-03-23 10:13 ` Hans Schultz
2022-03-23 10:16 ` Vladimir Oltean
2022-03-23 10:46 ` Hans Schultz
2022-03-23 10:57 ` Hans Schultz
2022-03-23 11:21 ` Vladimir Oltean
2022-03-23 11:43 ` Hans Schultz
2022-03-23 11:54 ` Vladimir Oltean
2022-03-21 14:51 ` Hans Schultz
2022-03-10 14:54 ` Andrew Lunn
2022-03-11 7:59 ` Hans Schultz
2022-03-14 15:50 ` [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Ido Schimmel
2022-03-15 8:59 ` Hans Schultz
2022-03-15 11:11 ` Ido Schimmel
2022-03-17 0:18 ` Florian Fainelli
2022-03-17 8:29 ` Hans Schultz
2022-03-17 18:42 ` Vladimir Oltean
-- strict thread matches above, loose matches on Subject: below --
2022-12-05 18:59 [PATCH net-next 0/3] mv88e6xxx: Add MAB offload support Hans J. Schultz
2022-12-05 18:59 ` [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans J. Schultz
2022-12-06 12:53 ` Ido Schimmel
2022-12-06 16:36 ` netdev
2022-12-07 20:29 ` Vladimir Oltean
2022-12-08 12:28 ` netdev
2022-12-08 13:35 ` Vladimir Oltean
2022-12-08 14:41 ` netdev
2022-12-08 14:43 ` Vladimir Oltean
2022-12-08 16:03 ` netdev
2022-12-08 16:09 ` Vladimir Oltean
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220316233447.kwyirxckgancdqmh@skbuf \
--to=olteanv@gmail.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=schultz.hans@gmail.com \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox