From: Hans Schultz <schultz.hans@gmail.com>
To: Ido Schimmel <idosch@idosch.org>, Hans Schultz <schultz.hans@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Ido Schimmel <idosch@nvidia.com>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature
Date: Fri, 27 May 2022 18:00:56 +0200 [thread overview]
Message-ID: <86a6b33qyv.fsf@gmail.com> (raw)
In-Reply-To: <YpCgxtJf9Qe7fTFd@shredder>
>
> As far as the bridge is concerned, locked entries are not really
> different from regular learned entries in terms of processing and since
> we don't have limits for regular entries I don't think we should have
> limits for locked entries.
>
> I do understand the problem you have in mv88e6xxx and I think it would
> be wise to hard code a reasonable limit there. It can be adjusted over
> time based on feedback and possibly exposed to user space.
>
> Just to give you another data point about how this works in other
> devices, I can say that at least in Spectrum this works a bit
> differently. Packets that ingress via a locked port and incur an FDB
> miss are trapped to the CPU where they should be injected into the Rx
> path so that the bridge will create the 'locked' FDB entry and notify it
> to user space. The packets are obviously rated limited as the CPU cannot
> handle billions of packets per second, unlike the ASIC. The limit is not
> per bridge port (or even per bridge), but instead global to the entire
> device.
Ahh, I see. I think that the best is for those FDB entries to be created
as dynamic entries, so that user-space does not have to keep track of
unauthorized entries.
Also the mv88e6xxx chipsets have a 'hold at one' feature, for authorized
entries, so that if a device goes quiet after being authorized the
driver can signal to the software bridge and further to userspace that
an authorized device has gone quiet, and the entry can then be
removed. This though requires user added dynamic entries in the ATU, or
you can call it synthetically 'learned' entries.
next prev parent reply other threads:[~2022-05-27 16:02 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-24 15:21 [PATCH V3 net-next 0/4] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-05-24 15:21 ` [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature Hans Schultz
2022-05-24 15:39 ` Nikolay Aleksandrov
2022-05-24 16:08 ` Hans Schultz
2022-05-24 16:21 ` Hans Schultz
2022-05-25 8:06 ` Nikolay Aleksandrov
2022-05-25 8:34 ` Hans Schultz
2022-05-25 8:38 ` Nikolay Aleksandrov
2022-05-25 9:11 ` Hans Schultz
2022-05-25 10:18 ` Nikolay Aleksandrov
2022-07-06 18:13 ` Vladimir Oltean
2022-07-06 19:38 ` Nikolay Aleksandrov
2022-07-06 20:21 ` Vladimir Oltean
2022-07-06 21:01 ` Nikolay Aleksandrov
2022-07-07 14:08 ` Nikolay Aleksandrov
2022-07-07 17:15 ` Vladimir Oltean
2022-07-07 17:26 ` Nikolay Aleksandrov
2022-07-08 6:38 ` Hans S
2022-05-26 14:13 ` Ido Schimmel
2022-05-27 8:52 ` Hans Schultz
2022-05-27 9:58 ` Ido Schimmel
2022-05-27 16:00 ` Hans Schultz [this message]
2022-05-31 9:34 ` Hans Schultz
2022-05-31 14:23 ` Ido Schimmel
2022-05-31 15:49 ` Hans Schultz
2022-06-02 9:17 ` Hans Schultz
2022-06-02 9:33 ` Nikolay Aleksandrov
2022-06-02 10:17 ` Hans Schultz
2022-06-02 10:30 ` Nikolay Aleksandrov
2022-06-02 10:39 ` Ido Schimmel
2022-06-02 11:36 ` Hans Schultz
2022-06-02 11:55 ` Ido Schimmel
2022-06-02 12:08 ` Hans Schultz
2022-06-02 12:18 ` Ido Schimmel
2022-06-02 13:27 ` Hans S
2022-05-24 15:21 ` [PATCH V3 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-06-27 16:06 ` Vladimir Oltean
2022-05-24 15:21 ` [PATCH V3 net-next 3/4] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-05-24 21:36 ` kernel test robot
2022-06-27 12:58 ` Hans S
2022-06-27 18:05 ` Vladimir Oltean
2022-06-28 12:26 ` Hans S
2022-07-05 15:05 ` Hans S
2022-07-06 13:28 ` Vladimir Oltean
2022-07-06 13:48 ` Hans S
2022-07-06 8:55 ` Vladimir Oltean
2022-07-06 10:12 ` Hans S
2022-07-06 14:23 ` Hans S
2022-07-06 14:33 ` Vladimir Oltean
2022-07-06 15:38 ` Hans S
2022-07-07 6:54 ` Hans S
2022-05-24 15:21 ` [PATCH V3 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-05-26 14:27 ` Ido Schimmel
2022-05-27 9:07 ` Hans Schultz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86a6b33qyv.fsf@gmail.com \
--to=schultz.hans@gmail.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=idosch@idosch.org \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).