Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp1530032rwb; Fri, 19 Aug 2022 05:24:49 -0700 (PDT) X-Google-Smtp-Source: AA6agR5v72hh9a8VPmz3eiu8rdz8e2MEeZGuo8mXPR7viB32SFHOkXQKI8rTdLs0jDF4n9bo2xRN X-Received: by 2002:a65:4c0e:0:b0:41b:c11a:c006 with SMTP id u14-20020a654c0e000000b0041bc11ac006mr6261509pgq.299.1660911888746; Fri, 19 Aug 2022 05:24:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660911888; cv=none; d=google.com; s=arc-20160816; b=N1Dznc/1ziHfVRS8UhZg3N/HmXtLy/BtlxOrECaW/Rh+zj4tdnUso9+nIpjdjxaG54 b5pnokAZ6ftwka5K21vTaKVGrLtmRKeONiRYjpRpAoyrftkJ3p+TWsT+ONarGkBBvzGq qgZZRc6ECyqhd3detIVC4ryA3qcokWA7+3n8y03YKuvYi3/spzvIY54Xa9VsINKodJrD 12iiUmy/WNuj0r+wxvigeSQcFKjQJP2b2LM5LdsAAXHGmYihKuOkKciMacHXtlEMEZzt ppjmE5Min4yNfw0W/OhTu2NCEHg/dJ+tSOuXxQRA34QWPLyTpsJtLbob6p+qu3hPRfgu kouA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:user-agent :references:in-reply-to:subject:cc:to:from:date:mime-version; bh=A6YOgrR8pbnV8kmkycXStE66gz6YhGjiH8B1Wt0LED4=; b=Cb/wOSht21cB8ItMHfELYP0qPnQYKPfQJ6kREqVSfpEgY/6qTugQSp9QYOdn85IpPL zipfnm/w6GrwwLZYdPtahmRCeiQreKFDLb2hdeLoClkn6fK+/nL/mC5MTVmCdRXsuPNc tikijmS81WPOmG0BwIcW4mJjrmtzlfRnM7qCF8gANDT65WvdyXKEqmFaEo8iJ5Yb708X gD7zQ6HAbLY/f7rTfVS1Zudrp6l6tzj7XrSSC/cUugVgBk8JXsmG9h40kBiQq35ucg1s d/d8ctuWQIa1GqF6rxdpicGvXUHrEBS0YkId0XgMBNyJJF3zaLo8zfFe0g3TnMSn0snz BFSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pm15-20020a17090b3c4f00b001efc2d68f86si6171812pjb.61.2022.08.19.05.24.36; Fri, 19 Aug 2022 05:24:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348475AbiHSMTL (ORCPT + 99 others); Fri, 19 Aug 2022 08:19:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50594 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347929AbiHSMTI (ORCPT ); Fri, 19 Aug 2022 08:19:08 -0400 Received: from mailout-taastrup.gigahost.dk (mailout-taastrup.gigahost.dk [46.183.139.199]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC5BFE9A99; Fri, 19 Aug 2022 05:19:06 -0700 (PDT) Received: from mailout.gigahost.dk (mailout.gigahost.dk [89.186.169.112]) by mailout-taastrup.gigahost.dk (Postfix) with ESMTP id 6AB43188488D; Fri, 19 Aug 2022 12:18:34 +0000 (UTC) Received: from smtp.gigahost.dk (smtp.gigahost.dk [89.186.169.109]) by mailout.gigahost.dk (Postfix) with ESMTP id B357F2503313; Fri, 19 Aug 2022 12:18:23 +0000 (UTC) Received: by smtp.gigahost.dk (Postfix, from userid 1000) id 02302A1A5E40; Fri, 19 Aug 2022 09:51:11 +0000 (UTC) X-Screener-Id: 413d8c6ce5bf6eab4824d0abaab02863e8e3f662 MIME-Version: 1.0 Date: Fri, 19 Aug 2022 11:51:11 +0200 From: netdev@kapio-technology.com To: Ido Schimmel Cc: Vladimir Oltean , davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Andrew Lunn , Vivien Didelot , Florian Fainelli , Eric Dumazet , Paolo Abeni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers In-Reply-To: References: <5a4cfc6246f621d006af69d4d1f61ed1@kapio-technology.com> User-Agent: Gigahost Webmail Message-ID: <34dd1318a878494e7ab595f8727c7d7d@kapio-technology.com> X-Sender: netdev@kapio-technology.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-08-14 16:55, Ido Schimmel wrote: > On Fri, Aug 12, 2022 at 02:29:48PM +0200, netdev@kapio-technology.com > wrote: >> On 2022-08-11 13:28, Ido Schimmel wrote: >> >> > > > I'm talking about roaming, not forwarding. Let's say you have a locked >> > > > entry with MAC X pointing to port Y. Now you get a packet with SMAC X >> > > > from port Z which is unlocked. Will the FDB entry roam to port Z? I >> > > > think it should, but at least in current implementation it seems that >> > > > the "locked" flag will not be reset and having locked entries pointing >> > > > to an unlocked port looks like a bug. I have made the locked entries sticky in the bridge, so that they don't move to other ports. >> > > > >> > > >> >> In general I have been thinking that the said setup is a network >> configuration error as I was arguing in an earlier conversation with >> Vladimir. In this setup we must remember that SMAC X becomes DMAC X in >> the >> return traffic on the open port. But the question arises to me why MAC >> X >> would be behind the locked port without getting authed while being >> behind an >> open port too? >> In a real life setup, I don't think you would want random hosts behind >> a >> locked port in the MAB case, but only the hosts you will let through. >> Other >> hosts should be regarded as intruders. >> >> If we are talking about a station move, then the locked entry will age >> out >> and MAC X will function normally on the open port after the timeout, >> which >> was a case that was taken up in earlier discussions. >> >> But I will anyhow do some testing with this 'edge case' (of being >> behind >> both a locked and an unlocked port) if I may call it so, and see to >> that the >> offloaded and non-offloaded cases correspond to each other, and will >> work >> satisfactory. > > It would be best to implement these as additional test cases in the > current selftest. Then you can easily test with both veth pairs and > loopbacks and see that the hardware and software data paths behave the > same. > How many loops would be needed to have a selftest with a HUB and a MAC on both a locked and an unlocked port? >> >> I think it will be good to have a flag to enable the mac-auth/MAB >> feature, >> and I suggest just calling the flag 'mab', as it is short. I have now created the flag to enable Mac-Auth/MAB with iproute2: bridge link set dev DEV macauth on|off with the example output from 'bridge -d link show dev DEV' when macauth is enabled: 1: ethX: mtu 1500 master br0 state forwarding priority 32 cost 19 hairpin off guard off root_block off fastleave off learning on flood off mcast_flood on bcast_flood on mcast_router 1 mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked mab on The flag itself in the code is called BR_PORT_MACAUTH. > > Fine by me, but I'm not sure everyone agrees.