On 2022-10-28 00:58, Vladimir Oltean wrote:
I was going to ask if we should bother to add code to prohibit packets
from being forwarded to an FDB entry that was learned as LOCKED, since
that FDB entry is more of a "ghost" and not something fully committed?
I think that it is a security flaw if there is any forwarding to
BR_FDB_LOCKED
entries. I can imagine a host behind a locked port with no credentials,
that gets a BR_FDB_LOCKED entry and has a friend on another non-locked
port
who can now communicate uni-directional to the host with the
BR_FDB_LOCKED
entry. It should not be too hard to create a scheme using UDP packets or
other for that.
