Date: Mon, 29 Aug 2022 11:32:29 +0200
From: netdev@kapio-technology.com
To: Ido Schimmel
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Florian Fainelli , Andrew Lunn , Vivien Didelot , Vladimir Oltean , Eric Dumazet , Paolo Abeni , Kurt Kanzenbach , Hauke Mehrtens , Woojung Huh , UNGLinuxDriver@microchip.com, Sean Wang , Landen Chao , DENG Qingfang , Matthias Brugger , Claudiu Manoil , Alexandre Belloni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Christian Marangi , Daniel Borkmann , Yuwei Wang , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v5 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature

On 2022-08-27 17:19, Ido Schimmel wrote:
> On Fri, Aug 26, 2022 at 01:45:33PM +0200, Hans Schultz wrote:
> How about the below (untested):
>
> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c > index 68b3e850bcb9..9143a94a1c57 100644 > --- a/net/bridge/br_input.c > +++ b/net/bridge/br_input.c
> @@ -109,9 +109,18 @@ int br_handle_frame_finish(struct net *net, > struct sock *sk, struct sk_buff *skb > struct net_bridge_fdb_entry *fdb_src = > br_fdb_find_rcu(br, eth_hdr(skb)->h_source, > vid); > > - if (!fdb_src || READ_ONCE(fdb_src->dst) != p || > - test_bit(BR_FDB_LOCAL, &fdb_src->flags)) > + if (!fdb_src) { > + if (p->flags & BR_PORT_MAB) { > + __set_bit(BR_FDB_ENTRY_LOCKED, &flags); > + br_fdb_update(br, p, > eth_hdr(skb)->h_source, > + vid, flags); > + } > + goto drop; > + } else if (READ_ONCE(fdb_src->dst) != p || > + test_bit(BR_FDB_LOCAL, &fdb_src->flags) || > + test_bit(BR_FDB_LOCKED, &fdb_src->flags)) { > goto drop; > + } > }
>
> The semantics are very clear, IMO. On FDB miss, add a locked FDB entry
> and drop the packet. On FDB mismatch, drop the packet.
>
> Entry can roam from an unauthorized port to an authorized port, but not
> the other way around. Not sure what is the use case for allowing roaming
> between unauthorized ports.
>
> Note that with the above, locked entries are not refreshed and will
> therefore age out unless replaced by user space.
>

Okay, I was under the impression that entries should be able to roam freely between authorized and unauthorized ports in the bridge as long as the locked flag is on when roaming to the MAB enabled port. As you know, roaming is not a big issue with mv88e6xxx.

As I see this code, an entry cannot roam to an authorized port as there is no update after the port mismatch check and the packet is dropped as it should in this case in the locked section.
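
Review bot: The FDB-miss branch sets `BR_FDB_ENTRY_LOCKED` but the new `else if` condition tests `BR_FDB_LOCKED`; these have to be the same bit, otherwise the entry created on a miss is not the one the mismatch check rejects, so use one name in both places. The `flags` word passed to `__set_bit()` and `br_fdb_update()` is not declared anywhere in the visible lines, so the block needs a zero-initialised `unsigned long flags = 0;` before it is used. As a style point, the `else` after `goto drop;` is redundant and the second test can be a plain `if`.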