On Thu, Oct 20, 2022 at 06:23:37PM +0300, Ido Schimmel wrote:
> 3. Miss. FDB entry not found. Here I was thinking to always tell the
> packet to go to the software data path so that it will trigger the
> creation of the "locked" entry if MAB is enabled. If MAB is not enabled,
> it will simply be dropped by the bridge. We can't control it per port in
> hardware, which is why the BR_PORT_MAB flag is not consulted.

Ah, ok, this is the part I was missing, so you can't control an FDB miss
to generate a learn frame only on some ports. But in principle, it still
is the BR_PORT_MAB flag the one which requires these frames to be
generated, not BR_PORT_LOCKED. You can have all ports LOCKED but not MAB,
and no learn frames will be necessary to be sent to the CPU. Only EAPOL,
which is link-local multicast, will reach software for further
processing and unlock the port for a certain MAC DA.