Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2022-08-23 14:36, Ido Schimmel wrote:
On Tue, Aug 23, 2022 at 09:37:54AM +0200, netdev@xxxxxxxxxxxxxxxxxxxx wrote:

"learning on locked on" is really a misconfiguration, but it can also
happen today and entries do not roam with the "locked" flag for the
simple reason that it does not exist. I see two options:

1. Do not clear / set "locked" flag during roaming. Given learning
should be disabled on locked ports, then the only half interesting case
is roaming to an unlocked port. Keeping the "locked" flag basically
means "if you were to lock the port, then the presence of this entry is
not enough to let traffic with the SA be forwarded by the bridge".
Unlikely that anyone will do that.

2. Always set "locked" flag for learned entries (new & roamed) on locked
ports and clear it for learned entries on unlocked ports.

Both options are consistent in how they treat the "locked" flag (either
always do nothing or always set/clear) and both do not impact the
integrity of the solution when configured correctly (disabling learning
on locked ports). I guess users will find option 2 easier to understand
/ work with.

Roaming to a locked port with an entry without the locked bit set would open the port for said MAC without necessary authorization. Thus I think that the only real option is the 2. case.



[Index of Archives]     [Netdev]     [AoE Tools]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]     [Video 4 Linux]

  Powered by Linux