Thread (59 messages) 59 messages, 6 authors, 2022-08-19

Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers

From: <hidden>
Date: 2022-08-09 20:03:08
Also in: bridge, linux-kselftest, lkml

On 2022-08-09 11:20, Ido Schimmel wrote:
On Mon, Aug 01, 2022 at 05:33:49PM +0200, netdev@kapio-technology.com 
wrote:
quoted
On 2022-07-13 14:39, Ido Schimmel wrote:
quoted
What are "Storm Prevention" and "zero-DPV" FDB entries?
For the zero-DPV entries, I can summarize:

Since a CPU can become saturated from constant SA Miss Violations from 
a
denied source, source MAC address are masked by loading a zero-DPV
(Destination Port Vector) entry in the ATU. As the address now appears 
in
the database it will not cause more Miss Violations. ANY port trying 
to send
a frame to this unauthorized address is discarded. Any locked port 
trying to
use this unauthorized address has its frames discarded too (as the 
ports SA
bit is not set in the ATU entry).
What happens to unlocked ports that have learning enabled and are 
trying
to use this address as SMAC? AFAICT, at least in the bridge driver, the
locked entry will roam, but will keep the "locked" flag, which is
probably not what we want. Let's see if we can agree on these semantics
for a "locked" entry:
The next version of this will block forwarding to locked entries in the 
bridge, so they will behave like the zero-DPV entries.
1. It discards packets with matching DMAC, regardless of ingress port. 
I
read the document [1] you linked to in a different reply and could not
find anything against this approach, so this might be fine or at least
not very significant.

Note that this means that "locked" entries need to be notified to 
device
drivers so that they will install a matching entry in the HW FDB.
Okay, so as V4 does (just without the error noted).
2. It is not refreshed and has ageing enabled. That is, after initial
installation it will be removed by the bridge driver after configured
ageing time unless converted to a regular (unlocked) entry.

I assume this allows you to remove the timer implementation from your
driver and let the bridge driver notify you about the removal of this
entry.
Okay, but only if the scheme is not so that the driver creates the 
locked entries itself, unless you indicate that the driver notifies the 
bridge, which then notifies back to the driver and installs the zero-DPV 
entry? If not I think the current implementation for the mv88e6xxx is 
fine.
3. With regards to roaming, the entry cannot roam between locked ports
(they need to have learning disabled anyway), but can roam to an
unlocked port, in which case it becomes a regular entry that can roam
and age.

If we agree on these semantics, then I can try to verify that at least
Spectrum can support them (it seems mv88e6xxx can).
The consensus here is that at least for the mv88e6xxx, learning should 
be on and link local learning should be blocked by the userspace setting 
you pointed to earlier.
P.S. Sorry for the delay, I'm busy with other tasks at the moment.
I understand :-)
[1] 
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392522
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help