From: Ido Schimmel <idosch@nvidia.com>
To: Hans S <schultz.hans@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Hans Schultz <schultz.hans+netdev@gmail.com>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port
Date: Fri, 1 Jul 2022 20:00:45 +0300 [thread overview]
Message-ID: <Yr8oPba83rpJE3GV@shredder> (raw)
In-Reply-To: <CAKUejP5w0Dn8y9gyDryNYy7LOUytqZsG+qqqC8JhRcvyC13=hQ@mail.gmail.com>
On Fri, Jul 01, 2022 at 06:07:10PM +0200, Hans S wrote:
> There are several issues when learning is turned off with the mv88e6xxx driver:
Please don't top-post...
>
> Mac-Auth requires learning turned on, otherwise there will be no miss
> violation interrupts afair.
> Refreshing of ATU entries does not work with learning turned off, as the
> PAV is set to zero when learning is turned off.
> This then further eliminates the use of the HoldAt1 feature and
> age-out interrupts.
>
> With dynamic ATU entries (an upcoming patch set), an authorized unit
> gets a dynamic ATU entry, and if it goes quiet for 5 minutes, its
> entry will age out and thus get removed.
> That also solves the port relocation issue as if a device relocates to
> another port it will be able to get access again after 5 minutes.
You assume I'm familiar with mv88e6xxx, when in fact I'm not. Here is
what I think you are saying:
1. When a port is locked and a packet is received with a SA that is not
in the FDB, it will only generate a miss violation if learning is
enabled. In which case, you will notify the bridge driver about this
entry as externally learned and locked entry.
2. When a port is locked and a packet is received with a SA that matches
a different port, it will be dropped regardless of whether learning is
enabled or not.
3. From the above I conclude that the HW will not auto-populate its FDB
when a port is locked.
4. FDB entries that point to a port that does not have learning enabled
are not subject to ageing (why?).
Assuming the above is correct, in order for mv88e6xxx to work correctly,
it needs to enable learning on all locked ports, but it should happen
regardless of the bridge driver's learning configuration, let alone impose
any limitations on it. In fact, hostapd must disable learning for all
locked ports.
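The four points enumerated above, as a toy Python model added here to make the decision table explicit (constructed illustration, not code from the bridge driver or from mv88e6xxx; port names, MAC strings and the 300-second ageing time are assumed sample values):

```python
# Toy model of the locked-port FDB semantics from the reply above (constructed, not driver code).
from dataclasses import dataclass, field

AGEING_TIME = 300  # seconds; the "5 minutes" quoted in the thread

@dataclass
class Entry:
    port: str
    locked: bool  # reported to the bridge as an externally learned, locked entry
    last_seen: float

@dataclass
class Port:
    locked: bool = False
    learning: bool = True

@dataclass
class Switch:
    ports: dict = field(default_factory=dict)   # name -> Port
    fdb: dict = field(default_factory=dict)     # MAC -> Entry
    events: list = field(default_factory=list)  # notifications sent to the bridge driver

    def receive(self, port_name, sa, now):
        """Return the verdict ("forward"/"drop") for a frame with source address `sa`."""
        port = self.ports[port_name]
        entry = self.fdb.get(sa)
        if entry is not None and entry.port != port_name:
            if port.locked:
                return "drop"  # (2) SA owned by another port: dropped on a locked port
            entry = None       # station move on an unlocked port: relearn below
        if entry is not None:
            entry.last_seen = now
            return "drop" if entry.locked else "forward"
        if port.locked:
            if port.learning:
                # (1) miss violation: install a locked entry and notify the bridge
                self.fdb[sa] = Entry(port_name, True, now)
                self.events.append(("locked", sa, port_name))
            return "drop"      # (3) a locked port never auto-populates the FDB
        if port.learning:
            self.fdb[sa] = Entry(port_name, False, now)
        return "forward"

    def authorize(self, sa):  # what a Mac-Auth daemon does after a successful authentication
        self.fdb[sa].locked = False

    def age(self, now):  # (4) only dynamic entries on learning-enabled ports age out
        for mac, e in list(self.fdb.items()):
            if self.ports[e.port].learning and not e.locked and now - e.last_seen > AGEING_TIME:
                del self.fdb[mac]
```

Running a station through a locked port with learning on, one with learning off, and then past the ageing time shows why learning must stay enabled for the miss violation and for the relocation case to resolve.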