Date: Thu, 26 May 2022 17:13:22 +0300
From: Ido Schimmel
To: Hans Schultz
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Hans Schultz, Andrew Lunn, Vivien Didelot, Florian Fainelli, Vladimir Oltean, Eric Dumazet, Paolo Abeni, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Daniel Borkmann, Ido Schimmel, linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature
References: <20220524152144.40527-1-schultz.hans+netdev@gmail.com> <20220524152144.40527-2-schultz.hans+netdev@gmail.com>
In-Reply-To: <20220524152144.40527-2-schultz.hans+netdev@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 24, 2022 at 05:21:41PM +0200, Hans Schultz wrote:
> Add an intermediate state for clients behind a locked port to allow for
> possible opening of the port for said clients. This feature corresponds
> to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The
> latter is defined by Cisco.
> Locked FDB entries will be limited in number, so as to prevent DOS
> attacks by spamming the port with random entries. The limit will be
> a per-port limit as it is a port-based feature and the port flushes
> all FDB entries on link down.

Why do locked FDB entries need special treatment compared to regular
entries? A port that has learning enabled can be spammed with random
source MACs just as well.

The authorization daemon that is monitoring FDB notifications can have a
policy to shut down a port if the rate / number of locked entries is
above a given threshold. I don't think this kind of policy belongs in the
kernel. If it resides in user space, then the threshold can be adjusted.
Currently it's hard-coded to 64 and I don't see how user space can change
or monitor it.
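As an added illustration of the user-space policy Ido describes (example code, not part of the patch or of any bridge tooling): a small Python policy that consumes FDB notification lines, counts live locked entries per port, tracks their arrival rate in a sliding window, and names the port it would shut down. The line shape, the `Deleted` prefix and the `locked` keyword are assumptions modelled on `bridge monitor fdb` output, and the sample events are constructed.

```python
from collections import defaultdict, deque

class LockedFdbPolicy:
    def __init__(self, max_entries=64, max_rate=20, window_s=10.0):
        self.max_entries = max_entries  # cap on live locked entries per port
        self.max_rate = max_rate        # cap on new locked entries per window
        self.window_s = window_s        # sliding window length in seconds
        self.entries = defaultdict(set)     # port -> MACs currently in locked state
        self.arrivals = defaultdict(deque)  # port -> arrival times of new entries

    @staticmethod
    def parse(line):
        """Split one assumed 'bridge monitor fdb'-style line into (deleted, mac, dev, locked)."""
        tokens = line.split()
        deleted = bool(tokens) and tokens[0] == "Deleted"
        if deleted:
            tokens = tokens[1:]
        if len(tokens) < 3 or "dev" not in tokens[:-1]:
            return None  # malformed: no MAC, or no device name after 'dev'
        return deleted, tokens[0].lower(), tokens[tokens.index("dev") + 1], "locked" in tokens

    def handle(self, line, now):
        """Feed one event at time 'now'; return the port that crossed a threshold, else None."""
        parsed = self.parse(line)
        if parsed is None or not parsed[3]:
            return None  # malformed, or an ordinary learned entry: not this policy's concern
        deleted, mac, dev, _ = parsed
        if deleted:
            self.entries[dev].discard(mac)
            return None
        if mac in self.entries[dev]:
            return None  # repeated notification for an entry we already count
        self.entries[dev].add(mac)
        q = self.arrivals[dev]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop arrivals that fell out of the window
        if len(self.entries[dev]) > self.max_entries or len(q) > self.max_rate:
            return dev
        return None

def ports_to_shut_down(events, **policy_kw):
    """Run the policy over (timestamp, line) pairs; return the ports it would disable."""
    policy = LockedFdbPolicy(**policy_kw)
    return sorted({p for ts, line in events if (p := policy.handle(line, ts))})

# Constructed sample: a burst of 30 random-looking MACs on swp1, then three on swp2.
SAMPLE = [(0.05 * i, f"02:00:00:00:00:{i:02x} dev swp1 vlan 1 master br0 locked") for i in range(30)]
SAMPLE += [(5.0 + i, f"02:00:00:00:01:{i:02x} dev swp2 vlan 1 master br0 locked") for i in range(3)]
SAMPLE.append((9.0, "02:00:00:00:02:00 dev swp2 vlan 1 master br0"))  # learned, not locked: ignored
```

With the defaults above, `ports_to_shut_down(SAMPLE)` returns `['swp1']` because 30 new locked entries arrive within one window; raising `max_rate` lets the burst through, which is the adjustability the reply argues for.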