Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp976664pxp;
        Wed, 16 Mar 2022 23:13:12 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyfsE8tKyliY26hh80EHpndCORdXfCJsc32gixSdrHCeMkfw0pthwBj0NBDX3Y7XpA0ceYN
X-Received: by 2002:a17:902:c951:b0:153:4103:543e with SMTP id i17-20020a170902c95100b001534103543emr3586141pla.70.1647497592623;
        Wed, 16 Mar 2022 23:13:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647497592; cv=none;
        d=google.com; s=arc-20160816;
        b=CHfOpQw8verTXMNQ7OyuRoKLjn72tAj/6AqQjYnLciAdOEgpf8TDtG8Eyd6Dj7r7k7
         Pm12GORD4IhTZL61PAqnqvPWF12iNE8O4ZAOZ57KWouMy93/CfKjQprrV/jFPm1NC+Mg
         EnJxisWFfBDGxc2CqIEZ4eA5fQknwjiMEtjNkmaIj6ZnpOvA8OTHS/mlQMnMTKate/t6
         1gtwX/oME135BYPEp6tB09wjx3rMbu3oDMRcI69AEfGOtToAT51s4DO8AaY6qmWkLHLT
         yUGhhZAjNo0hqcqeqpFLXw5RJ2lKbZOLfK/sQjIIM9wScj/4EOiejfZa0Fwa1OAQuZFH
         FL0A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=ARERQSDKxTIHCnmFYNI1ElJI4Oo2Aq2UKhPNaAbSNg4=;
        b=YA1+93K13CnbgJzM/3V7G50Ct4b8NIpHVs/Xcxo2emVvK3JMWi1Sm7fpaRs5MljRVX
         CE3bJ0I2/ygylebHKoxua7pTTI2sEK8DnsKsyH5dzhYD6TWx3itG9gtEzLARGKv6kxDB
         tTf+pHuWJxSugkw9uz9xXngu9IGfbilm6vKPUAjI08JoYFPJjsGTiVW4kpotvn4irsf4
         izdoy6fz62bLcOY2afd7tECAiBI0xTXfFYZPESfvLOPgHhpWMc4LkMIZoyvbXr9ULWLu
         s8QAdlprmhWCddQxD30o4m+izyXJSlNyKstiICHpkda71cq5pZoxbIMHDc/TOfN6a8i2
         wdQA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=Sg3427dW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id a9-20020a056a000c8900b004f77fae8711si4930895pfv.117.2022.03.16.23.13.12
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 16 Mar 2022 23:13:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=Sg3427dW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id AE7EB17C407;
	Wed, 16 Mar 2022 21:56:16 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1345632AbiCPXgI (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 99 others); Wed, 16 Mar 2022 19:36:08 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39642 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232408AbiCPXgH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 16 Mar 2022 19:36:07 -0400
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0CAD2167DF;
        Wed, 16 Mar 2022 16:34:52 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id ja24so1958841ejc.11;
        Wed, 16 Mar 2022 16:34:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=ARERQSDKxTIHCnmFYNI1ElJI4Oo2Aq2UKhPNaAbSNg4=;
        b=Sg3427dW092vAOLJR2XEcQ/K29NB/DZt5twKJ8gVmA9TrPScdCEOtwyPlsi4FCZsiQ
         bN6oZmE9p4etd9Y6inAr5Puw1utDZX1rFnBWQ/Kpw1SJwyJvdV92GzUsabqabxxpvrUw
         SuzDuuIWz9zSPEAhmuwzs5F3vzZwI94orfMmhn15cY4No379IIbQ/JRjSzJKRW3gtKKD
         rxnRnwNQyJvEIEh4HtC9XgiNZGXrJ4PnKGxAYhTfEkNyZz1Hr0L41eJNWrJGUv7Avdcz
         DmvCS0goyAE/O66WKrs1t7lWQet5Au9SV2XSJTjXfMpLlMmnET6Qdd40ZCIJXPmUKBRG
         Fj5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=ARERQSDKxTIHCnmFYNI1ElJI4Oo2Aq2UKhPNaAbSNg4=;
        b=xYAT4y0G75ohW22UICSAs5bWNIe9pFlR27c19Qs/ibS/r6TDfGlwEaxIiqKNszVl8z
         dVXsjJpDnTPsP+BWH1/AA+exNUMUPjzaKdxL4cHnpeuO7xKAJ93KbzMHZfJtybAsdXU9
         kB8IYI8b/gtRXpywn1ve+lYHQtn24PCTVKooSSpHoIvv4j06HKEBM6oaRk/q1AH3tnTq
         IlFYShQnGoThH/LT8kppB2AKGnv1iuSXH/0s+C/nxgsiT8hd+b+YF66gVIiTyYaK1Uaz
         c91kyauEW1WBbDqy1FeBVMsmYULaHAEy8ReZpb5VcyXB6OhifRRzOiknCMuAQP8zFdW4
         /gFQ==
X-Gm-Message-State: AOAM531bg0w0LvVl8OWZNsT9xvjJOtECzblHIPeYo/8ECg2athyDyLzP
        x0KmHUDxPEFUPipWfCCpLpw=
X-Received: by 2002:a17:906:a398:b0:6ce:71b:deff with SMTP id k24-20020a170906a39800b006ce071bdeffmr1962568ejz.204.1647473690310;
        Wed, 16 Mar 2022 16:34:50 -0700 (PDT)
Received: from skbuf ([188.26.57.45])
        by smtp.gmail.com with ESMTPSA id l9-20020a170906078900b006dac5f336f8sm1505354ejc.124.2022.03.16.16.34.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 16 Mar 2022 16:34:49 -0700 (PDT)
Date:   Thu, 17 Mar 2022 01:34:47 +0200
From:   Vladimir Oltean <olteanv@gmail.com>
To:     Hans Schultz <schultz.hans@gmail.com>
Cc:     davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
        Andrew Lunn <andrew@lunn.ch>,
        Vivien Didelot <vivien.didelot@gmail.com>,
        Florian Fainelli <f.fainelli@gmail.com>,
        Jiri Pirko <jiri@resnulli.us>,
        Ivan Vecera <ivecera@redhat.com>,
        Roopa Prabhu <roopa@nvidia.com>,
        Nikolay Aleksandrov <razor@blackwall.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Ido Schimmel <idosch@nvidia.com>, linux-kernel@vger.kernel.org,
        bridge@lists.linux-foundation.org
Subject: Re: [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB
 implementation
Message-ID: <20220316233447.kwyirxckgancdqmh@skbuf>
References: <20220310142320.611738-1-schultz.hans+netdev@gmail.com>
 <20220310142320.611738-4-schultz.hans+netdev@gmail.com>
 <20220310142836.m5onuelv4jej5gvs@skbuf>
 <86r17495gk.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86r17495gk.fsf@gmail.com>
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 14, 2022 at 11:46:51AM +0100, Hans Schultz wrote:
> >> @@ -396,6 +414,13 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
> >>  				    "ATU miss violation for %pM portvec %x spid %d\n",
> >>  				    entry.mac, entry.portvec, spid);
> >>  		chip->ports[spid].atu_miss_violation++;
> >> +		if (mv88e6xxx_port_is_locked(chip, chip->ports[spid].port))
> >> +			err = mv88e6xxx_switchdev_handle_atu_miss_violation(chip,
> >> +									    chip->ports[spid].port,
> >> +									    &entry,
> >> +									    fid);
> >
> > Do we want to suppress the ATU miss violation warnings if we're going to
> > notify the bridge, or is it better to keep them for some reason?
> > My logic is that they're part of normal operation, so suppressing makes
> > sense.
> >
> 
> I have been seeing many ATU member violations after the miss violation is
> handled (using ping), and I think it could be considered to suppress the ATU member
> violations interrupts by setting the IgnoreWrongData bit for the
> port (sect 4.4.7). This would be something to do whenever a port is set in locked mode?

So the first packet with a given MAC SA triggers an ATU miss violation
interrupt.

You program that MAC SA into the ATU with a destination port mask of all
zeroes. This suppresses further ATU miss interrupts for this MAC SA, but
now generates ATU member violations, because the MAC SA _is_ present in
the ATU, but not towards the expected port (in fact, towards _no_ port).

Especially if user space decides it doesn't want to authorize this MAC
SA, it really becomes a problem because this is now a vector for denial
of service, with every packet triggering an ATU member violation
interrupt.

So your suggestion is to set the IgnoreWrongData bit on locked ports,
and this will suppress the actual member violation interrupts for
traffic coming from these ports.

So if the user decides to unplug a previously authorized printer from
switch port 1 and move it to port 2, how is this handled? If there isn't
a mechanism in place to delete the locked FDB entry when the printer
goes away, then by setting IgnoreWrongData you're effectively also
suppressing migration notifications.

Oh, btw, my question was: could you consider suppressing the _prints_ on
an ATU miss violation on a locked port?