From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC6EBC00140 for ; Wed, 24 Aug 2022 07:07:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234411AbiHXHHa (ORCPT ); Wed, 24 Aug 2022 03:07:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39220 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230002AbiHXHH2 (ORCPT ); Wed, 24 Aug 2022 03:07:28 -0400 Received: from mailout-taastrup.gigahost.dk (mailout-taastrup.gigahost.dk [46.183.139.199]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2A77885FE2; Wed, 24 Aug 2022 00:07:26 -0700 (PDT) Received: from mailout.gigahost.dk (mailout.gigahost.dk [89.186.169.112]) by mailout-taastrup.gigahost.dk (Postfix) with ESMTP id 84B0B1884C76; Wed, 24 Aug 2022 07:07:23 +0000 (UTC) Received: from smtp.gigahost.dk (smtp.gigahost.dk [89.186.169.109]) by mailout.gigahost.dk (Postfix) with ESMTP id 6880E25032B8; Wed, 24 Aug 2022 07:07:23 +0000 (UTC) Received: by smtp.gigahost.dk (Postfix, from userid 1000) id 5802FA1A0052; Wed, 24 Aug 2022 07:07:23 +0000 (UTC) X-Screener-Id: 413d8c6ce5bf6eab4824d0abaab02863e8e3f662 MIME-Version: 1.0 Date: Wed, 24 Aug 2022 09:07:23 +0200 From: netdev@kapio-technology.com To: Ido Schimmel Cc: Vladimir Oltean , davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Andrew Lunn , Vivien Didelot , Florian Fainelli , Eric Dumazet , Paolo Abeni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers In-Reply-To: References: <34dd1318a878494e7ab595f8727c7d7d@kapio-technology.com> <9dcb4db4a77811308c56fe5b9b7c5257@kapio-technology.com> <553c573ad6a2ddfccfc47c7847cc5fb7@kapio-technology.com> User-Agent: Gigahost Webmail Message-ID: <5390cb1d1485db40a71bb3fbf674b67a@kapio-technology.com> X-Sender: netdev@kapio-technology.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-08-23 14:36, Ido Schimmel wrote: > On Tue, Aug 23, 2022 at 09:37:54AM +0200, netdev@kapio-technology.com > wrote: > > "learning on locked on" is really a misconfiguration, but it can also > happen today and entries do not roam with the "locked" flag for the > simple reason that it does not exist. I see two options: > > 1. Do not clear / set "locked" flag during roaming. Given learning > should be disabled on locked ports, then the only half interesting case > is roaming to an unlocked port. Keeping the "locked" flag basically > means "if you were to lock the port, then the presence of this entry is > not enough to let traffic with the SA be forwarded by the bridge". > Unlikely that anyone will do that. > > 2. Always set "locked" flag for learned entries (new & roamed) on > locked > ports and clear it for learned entries on unlocked ports. > > Both options are consistent in how they treat the "locked" flag (either > always do nothing or always set/clear) and both do not impact the > integrity of the solution when configured correctly (disabling learning > on locked ports). I guess users will find option 2 easier to understand > / work with. Roaming to a locked port with an entry without the locked bit set would open the port for said MAC without necessary authorization. Thus I think that the only real option is the 2. case. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 32A174055D DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org AD63740544 MIME-Version: 1.0 Date: Wed, 24 Aug 2022 09:07:23 +0200 From: netdev@kapio-technology.com In-Reply-To: References: <34dd1318a878494e7ab595f8727c7d7d@kapio-technology.com> <9dcb4db4a77811308c56fe5b9b7c5257@kapio-technology.com> <553c573ad6a2ddfccfc47c7847cc5fb7@kapio-technology.com> Message-ID: <5390cb1d1485db40a71bb3fbf674b67a@kapio-technology.com> Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Bridge] [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers List-Id: Linux Ethernet Bridging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Ido Schimmel Cc: Ivan Vecera , Andrew Lunn , Florian Fainelli , Jiri Pirko , Daniel Borkmann , netdev@vger.kernel.org, Nikolay Aleksandrov , bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Vivien Didelot , Eric Dumazet , Paolo Abeni , linux-kselftest@vger.kernel.org, Roopa Prabhu , kuba@kernel.org, Vladimir Oltean , Shuah Khan , davem@davemloft.net On 2022-08-23 14:36, Ido Schimmel wrote: > On Tue, Aug 23, 2022 at 09:37:54AM +0200, netdev@kapio-technology.com > wrote: > > "learning on locked on" is really a misconfiguration, but it can also > happen today and entries do not roam with the "locked" flag for the > simple reason that it does not exist. I see two options: > > 1. Do not clear / set "locked" flag during roaming. Given learning > should be disabled on locked ports, then the only half interesting case > is roaming to an unlocked port. Keeping the "locked" flag basically > means "if you were to lock the port, then the presence of this entry is > not enough to let traffic with the SA be forwarded by the bridge". > Unlikely that anyone will do that. > > 2. Always set "locked" flag for learned entries (new & roamed) on > locked > ports and clear it for learned entries on unlocked ports. > > Both options are consistent in how they treat the "locked" flag (either > always do nothing or always set/clear) and both do not impact the > integrity of the solution when configured correctly (disabling learning > on locked ports). I guess users will find option 2 easier to understand > / work with. Roaming to a locked port with an entry without the locked bit set would open the port for said MAC without necessary authorization. Thus I think that the only real option is the 2. case.