On Fri, Oct 28, 2022 at 09:45:52AM +0200, netdev@xxxxxxxxxxxxxxxxxxxx wrote: > On 2022-10-28 00:58, Vladimir Oltean wrote: > > > I was going to ask if we should bother to add code to prohibit packets > > from being forwarded to an FDB entry that was learned as LOCKED, since > > that FDB entry is more of a "ghost" and not something fully committed? > > I think that it is a security flaw if there is any forwarding to > BR_FDB_LOCKED > entries. I can imagine a host behind a locked port with no credentials, > that gets a BR_FDB_LOCKED entry and has a friend on another non-locked port > who can now communicate uni-directional to the host with the BR_FDB_LOCKED > entry. It should not be too hard to create a scheme using UDP packets or > other for that. User space knows that the MAC is not authorized (otherwise it would have cleared the "locked" flag) and can choose to mitigate this corner case (or not) by shutting down the port, installing flower filters or doing something else entirely. I think it is best to defer such policy decisions to user space instead of overloading the "locked" flag with more meaning which will likely result in more checks in the fast path for a corner case of a use case that is quite obscure to begin with.
