From: Hans S
Date: Sun, 17 Jul 2022 18:22:57 +0200
Subject: Re: [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port
To: Vladimir Oltean
Cc: Ido Schimmel, "David S. Miller", Jakub Kicinski, netdev@vger.kernel.org, Andrew Lunn, Vivien Didelot, Florian Fainelli, Eric Dumazet, Paolo Abeni, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Daniel Borkmann, Hans Schultz, linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org
In-Reply-To: <20220717140325.p5ox5mhqedbyyiz4@skbuf>
References: <20220630111634.610320-1-hans@kapio-technology.com> <20220717134610.k3nw6mam256yxj37@skbuf> <20220717140325.p5ox5mhqedbyyiz4@skbuf>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 17, 2022 at 4:03 PM Vladimir Oltean wrote:
>
> On Sun, Jul 17, 2022 at 04:46:10PM +0300, Vladimir Oltean wrote:
> > Here, what happens is that a locked port learns the MAC SA from the
> > traffic it didn't drop, i.e. link-local. In other words, the bridge
> > behaves as expected and instructed: +locked +learning will cause just
> > that. It's the administrator's fault for not disabling learning.
> > It's also the mv88e6xxx driver's fault for not validating the "locked" +
> > "learning" brport flag *combination* until it properly supports "+locked
> > +learning" (the feature you are currently working on).
> >
> > I'm still confused why we don't just say that "+locked -learning" means
> > plain 802.1X, "+locked +learning" means MAB where we learn locked FDB entries.
>
> Or is it the problem that a "+locked +learning" bridge port will learn
> MAC SA from link-local traffic, but it will create FDB entries without
> the locked flag while doing so? The mv88e6xxx driver should react to the
> 'locked' flag from both directions (ADD_TO_DEVICE too, not just ADD_TO_BRIDGE).

Yes, it creates an FDB entry in the bridge without the locked flag set, and sends an ADD_TO_DEVICE notice with it.
And furthermore link-local packets include of course EAPOL packets, so that's why +learning is a problem.
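The failure mode discussed in this message, as an added illustration that is not kernel code, not the patch under review, and not anything the mv88e6xxx driver does: a simplified Python model of a bridge port with the `locked` and `learning` flags. The `ingress` function, the `FdbEntry`/`BridgePort` types, the `fixed` switch (which models only what the patch subject states, that link-local traffic must not unlock a locked port) and all MAC addresses except the 802.1X PAE group address `01:80:C2:00:00:03` are constructed for this example. It also includes the configuration check Vladimir asks for, refusing `+locked +learning` unless learned entries are created as locked.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 802.1X PAE group address (real value); the host MACs below are constructed.
EAPOL_GROUP_ADDR = "01:80:c2:00:00:03"
UNKNOWN_HOST = "02:00:00:00:00:aa"   # constructed: supplicant not yet in the FDB
ANY_DST = "02:00:00:00:00:ff"        # constructed: some ordinary unicast destination


@dataclass
class FdbEntry:
    mac: str
    locked: bool   # True for entries created by MAB while authentication is pending


@dataclass
class BridgePort:
    name: str
    locked: bool
    learning: bool
    fdb: Dict[str, FdbEntry] = field(default_factory=dict)


def is_link_local(dst: str) -> bool:
    """01:80:C2:00:00:00 .. 01:80:C2:00:00:0F, the range the bridge treats as link-local."""
    octets = bytes.fromhex(dst.replace(":", ""))
    return octets[:5] == b"\x01\x80\xc2\x00\x00" and (octets[5] & 0xF0) == 0


def validate_flags(port: BridgePort) -> Optional[str]:
    """Config check a driver or admin would want: +locked +learning only makes
    sense for MAB, where learned entries carry the locked flag; otherwise
    learning must be off on a locked port."""
    if port.locked and port.learning:
        return (f"{port.name}: locked port with learning enabled; "
                "disable learning or learn entries as locked (MAB)")
    return None


def ingress(port: BridgePort, src: str, dst: str,
            fixed: bool) -> Tuple[str, Optional[FdbEntry]]:
    """Model one frame arriving on `port`. Returns (action, learned_entry),
    action being 'local' (consumed by the bridge, e.g. EAPOL), 'forward' or 'drop'."""
    if is_link_local(dst):
        # Link-local frames are handled by the bridge itself and never forwarded,
        # so they bypass the locked-port check entirely.
        if port.learning and not (fixed and port.locked):
            # Pre-fix behaviour from the thread: the MAC SA is learned into an
            # FDB entry *without* the locked flag, which then unlocks the port.
            entry = FdbEntry(src, locked=False)
            port.fdb[src] = entry
            return "local", entry
        # Modelled intent of the fix: link-local traffic never creates an entry
        # on a locked port, so it cannot unlock it.
        return "local", None

    if port.locked:
        entry = port.fdb.get(src)
        if entry is None or entry.locked:
            return "drop", None
    learned = None
    if port.learning and src not in port.fdb:
        learned = FdbEntry(src, locked=False)
        port.fdb[src] = learned
    return "forward", learned


def scenario(fixed: bool) -> List[str]:
    """An unknown host sends an EAPOL frame, then ordinary traffic, through a
    +locked +learning port. Returns the bridge's action for each frame."""
    port = BridgePort("swp1", locked=True, learning=True)
    eapol_action, _ = ingress(port, UNKNOWN_HOST, EAPOL_GROUP_ADDR, fixed)
    data_action, _ = ingress(port, UNKNOWN_HOST, ANY_DST, fixed)
    return [eapol_action, data_action]


if __name__ == "__main__":
    print("pre-fix :", scenario(fixed=False))   # ['local', 'forward']: port unlocked by EAPOL
    print("post-fix:", scenario(fixed=True))    # ['local', 'drop']
    print(validate_flags(BridgePort("swp1", locked=True, learning=True)))
```

The pre-fix run shows the sequence described above: the EAPOL frame is consumed locally, the port learns its MAC SA as an unlocked entry, and the next data frame from the same host is forwarded even though it never authenticated. With `fixed=True` the second frame is dropped, which is the property the patch title promises; `validate_flags` is the cheap configuration-time check that catches `+locked +learning` before any frame arrives.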