On 2022-08-23 14:36, Ido Schimmel wrote:
On Tue, Aug 23, 2022 at 09:37:54AM +0200, netdev@xxxxxxxxxxxxxxxxxxxx
wrote:
"learning on locked on" is really a misconfiguration, but it can also
happen today and entries do not roam with the "locked" flag for the
simple reason that it does not exist. I see two options:
1. Do not clear / set "locked" flag during roaming. Given learning
should be disabled on locked ports, then the only half interesting case
is roaming to an unlocked port. Keeping the "locked" flag basically
means "if you were to lock the port, then the presence of this entry is
not enough to let traffic with the SA be forwarded by the bridge".
Unlikely that anyone will do that.
2. Always set "locked" flag for learned entries (new & roamed) on
locked
ports and clear it for learned entries on unlocked ports.
Both options are consistent in how they treat the "locked" flag (either
always do nothing or always set/clear) and both do not impact the
integrity of the solution when configured correctly (disabling learning
on locked ports). I guess users will find option 2 easier to understand
/ work with.
Roaming to a locked port with an entry without the locked bit set would
open the port for said MAC without necessary authorization. Thus I think
that the only real option is the 2. case.