Received: by 2002:a05:6358:e9c4:b0:b2:91dc:71ab with SMTP id hc4csp6328233rwb; Tue, 9 Aug 2022 13:15:40 -0700 (PDT) X-Google-Smtp-Source: AA6agR6uJIjPzABa5CYkqEMQKqUDSSQQRD2RD0wNpIgH9QeDH9X+5R/DZPeuiwryo2oVKnEkOl9J X-Received: by 2002:a05:6402:43c4:b0:43b:c5eb:c9dd with SMTP id p4-20020a05640243c400b0043bc5ebc9ddmr23203742edc.402.1660076140636; Tue, 09 Aug 2022 13:15:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660076140; cv=none; d=google.com; s=arc-20160816; b=zfFhSzaXz0KynMCLwzRHYWvXm14CHFNPwka0yTLqSUuI0pWXI5OZx0nWCHww+Z9WSk hamewFbZ3Cs0/x0J6AQuJEb1+rKSFKM6OSHwGpncDwlg73XrvK1pFIQhtNI7eRKPlB/T +fGvevSNx9D2fhaFvLi5Cn6svnoGHcvkPNm0h5go8/CV2vlpgwaLrdsv1bYUuKbqep7J z1o54IJ6J8ekTpSW9MgssIV3ArUsydXypF9wdX+j8C9ylkd8kqdbkSMWJF2gbtkyDLNN 9IYLpnnfhsMAP5CUJpD33b6lfr3sHKiECEqdKocclk2b5ph1SbyfIieINZpFASIHWo+c CxjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:user-agent :references:in-reply-to:subject:cc:to:from:date:mime-version; bh=8VwTkdh317uyxUZs7Z4GgBdQIAwIWFmdrAyT81OeKZM=; b=cL7fM7DcbkxS80ovRjidJqUGr+NoTB3GMZJplOGrvqqXGbyXOSwmfHHGvIavVYI8ed 7kJjFtXb5CJA6fGCak9nZdyeH2DYfLk80IpIqYTghR5prl/eHFnXLGkV7ReCK6cL96OM 2nVEbkku4qN8y14w90D59ON9aLbPSUeQXlWoCA0p5AbA90tErXsw3xvtcSxCqwZIf5qA g3RdGNIdiHHnjhLLfKHx+Q3P4fJLj8PYJ3IJtC5HaBGocWCTCm0asSYTqOR8G1js0Zyt O0JORA5v61M2RWVzp8rZs0H1BAx6CFvikxf3YBa4Cg9oGbmlFsYQe+qXmimEzxAD4v+o WmRA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qf20-20020a1709077f1400b007269661baf2si2521716ejc.475.2022.08.09.13.15.13; Tue, 09 Aug 2022 13:15:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344655AbiHIUDD (ORCPT + 99 others); Tue, 9 Aug 2022 16:03:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55098 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346132AbiHIUAy (ORCPT ); Tue, 9 Aug 2022 16:00:54 -0400 Received: from mailout-taastrup.gigahost.dk (mailout-taastrup.gigahost.dk [46.183.139.199]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C769CF9; Tue, 9 Aug 2022 13:00:51 -0700 (PDT) Received: from mailout.gigahost.dk (mailout.gigahost.dk [89.186.169.112]) by mailout-taastrup.gigahost.dk (Postfix) with ESMTP id CA12218849F2; Tue, 9 Aug 2022 20:00:49 +0000 (UTC) Received: from smtp.gigahost.dk (smtp.gigahost.dk [89.186.169.109]) by mailout.gigahost.dk (Postfix) with ESMTP id B35F725032B7; Tue, 9 Aug 2022 20:00:49 +0000 (UTC) Received: by smtp.gigahost.dk (Postfix, from userid 1000) id A6770A1A0047; Tue, 9 Aug 2022 20:00:49 +0000 (UTC) X-Screener-Id: 413d8c6ce5bf6eab4824d0abaab02863e8e3f662 MIME-Version: 1.0 Date: Tue, 09 Aug 2022 22:00:49 +0200 From: netdev@kapio-technology.com To: Ido Schimmel Cc: Vladimir Oltean , davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Andrew Lunn , Vivien Didelot , Florian Fainelli , Eric Dumazet , Paolo Abeni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers In-Reply-To: References: <20220708084904.33otb6x256huddps@skbuf> <20220708091550.2qcu3tyqkhgiudjg@skbuf> <20220708115624.rrjzjtidlhcqczjv@skbuf> <723e2995314b41ff323272536ef27341@kapio-technology.com> <79683d9cf122e22b66b5da3bbbb0ee1f@kapio-technology.com> User-Agent: Gigahost Webmail Message-ID: <6c6fe135ce7b5b118289dc370135b0d3@kapio-technology.com> X-Sender: netdev@kapio-technology.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-08-09 11:20, Ido Schimmel wrote: > On Mon, Aug 01, 2022 at 05:33:49PM +0200, netdev@kapio-technology.com > wrote: >> On 2022-07-13 14:39, Ido Schimmel wrote: >> >> > >> > What are "Storm Prevention" and "zero-DPV" FDB entries? >> > >> >> For the zero-DPV entries, I can summarize: >> >> Since a CPU can become saturated from constant SA Miss Violations from >> a >> denied source, source MAC address are masked by loading a zero-DPV >> (Destination Port Vector) entry in the ATU. As the address now appears >> in >> the database it will not cause more Miss Violations. ANY port trying >> to send >> a frame to this unauthorized address is discarded. Any locked port >> trying to >> use this unauthorized address has its frames discarded too (as the >> ports SA >> bit is not set in the ATU entry). > > What happens to unlocked ports that have learning enabled and are > trying > to use this address as SMAC? AFAICT, at least in the bridge driver, the > locked entry will roam, but will keep the "locked" flag, which is > probably not what we want. Let's see if we can agree on these semantics > for a "locked" entry: The next version of this will block forwarding to locked entries in the bridge, so they will behave like the zero-DPV entries. > > 1. It discards packets with matching DMAC, regardless of ingress port. > I > read the document [1] you linked to in a different reply and could not > find anything against this approach, so this might be fine or at least > not very significant. > > Note that this means that "locked" entries need to be notified to > device > drivers so that they will install a matching entry in the HW FDB. Okay, so as V4 does (just without the error noted). > > 2. It is not refreshed and has ageing enabled. That is, after initial > installation it will be removed by the bridge driver after configured > ageing time unless converted to a regular (unlocked) entry. > > I assume this allows you to remove the timer implementation from your > driver and let the bridge driver notify you about the removal of this > entry. Okay, but only if the scheme is not so that the driver creates the locked entries itself, unless you indicate that the driver notifies the bridge, which then notifies back to the driver and installs the zero-DPV entry? If not I think the current implementation for the mv88e6xxx is fine. > > 3. With regards to roaming, the entry cannot roam between locked ports > (they need to have learning disabled anyway), but can roam to an > unlocked port, in which case it becomes a regular entry that can roam > and age. > > If we agree on these semantics, then I can try to verify that at least > Spectrum can support them (it seems mv88e6xxx can). The consensus here is that at least for the mv88e6xxx, learning should be on and link local learning should be blocked by the userspace setting you pointed to earlier. > > P.S. Sorry for the delay, I'm busy with other tasks at the moment. I understand :-) > > [1] > https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392522