From: Ido Schimmel <idosch@nvidia.com>
To: Jonas Gorski <jonas.gorski@bisdn.de>
Cc: Vladimir Oltean <vladimir.oltean@nxp.com>,
Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Hans Schultz <schultz.hans@gmail.com>,
"Hans J. Schultz" <netdev@kapio-technology.com>,
bridge@lists.linux.dev, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH RFC] net: bridge: handle ports in locked mode for ll learning
Date: Sun, 15 Dec 2024 11:35:12 +0200 [thread overview]
Message-ID: <Z16i0MArCT_46dKa@shredder> (raw)
In-Reply-To: <3bdc6e3c-49d4-46ec-9c36-85e324e5e2b4@bisdn.de>
On Fri, Dec 13, 2024 at 12:25:20PM +0100, Jonas Gorski wrote:
> So in conclusion, I agree with the original patch. Shall I resend it? Should
> I extend the commit message?
Yes. I would use something like:
"
There are legitimate use cases for enabling learning on a locked bridge
port such as MAC Authentication Bypass (MAB) or when user space
authorizes hosts using dynamic FDB entries.
Currently, by default, the bridge will autonomously populate its FDB
with addresses learned from link-local frames. This is true even when a
port is locked which defeats the purpose of the "locked" bridge port
option. The behavior can be controlled by the "no_linklocal_learn"
bridge option, but it is easy to miss which leads to insecure
configurations.
Fix this by skipping learning from link-local frames when a port is
locked.
Fixes: a21d9a670d81 ("net: bridge: Add support for bridge port in locked mode")
"
prev parent reply other threads:[~2024-12-15 9:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-10 14:06 [PATCH RFC] net: bridge: handle ports in locked mode for ll learning Jonas Gorski
2024-12-10 14:34 ` Vladimir Oltean
2024-12-10 14:47 ` Jonas Gorski
2024-12-10 14:55 ` Vladimir Oltean
2024-12-10 15:28 ` Jonas Gorski
2024-12-11 8:42 ` Ido Schimmel
2024-12-11 10:32 ` Jonas Gorski
2024-12-11 14:50 ` Ido Schimmel
2024-12-12 9:50 ` Jonas Gorski
2024-12-12 12:25 ` Ido Schimmel
2024-12-13 11:25 ` Jonas Gorski
2024-12-15 9:35 ` Ido Schimmel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z16i0MArCT_46dKa@shredder \
--to=idosch@nvidia.com \
--cc=bridge@lists.linux.dev \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jonas.gorski@bisdn.de \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@kapio-technology.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=schultz.hans@gmail.com \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).