On 2022-08-27 17:19, Ido Schimmel wrote:
How about the below (untested):
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 68b3e850bcb9..9143a94a1c57 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -109,9 +109,18 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb struct net_bridge_fdb_entry *fdb_src = br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
test_bit(BR_FDB_LOCAL, &fdb_src->flags))
if (!fdb_src) {
if (p->flags & BR_PORT_MAB) {
__set_bit(BR_FDB_ENTRY_LOCKED, &flags);
br_fdb_update(br, p,
eth_hdr(skb)->h_source,
vid, flags);
}
goto drop;
} else if (READ_ONCE(fdb_src->dst) != p ||
test_bit(BR_FDB_LOCAL, &fdb_src->flags) ||
test_bit(BR_FDB_LOCKED, &fdb_src->flags)) { goto drop;
} }
The semantics are very clear, IMO. On FDB miss, add a locked FDB entry and drop the packet. On FDB mismatch, drop the packet.
Entry can roam from an unauthorized port to an authorized port, but not the other way around. Not sure what is the use case for allowing roaming between unauthorized ports.
Note that with the above, locked entries are not refreshed and will therefore age out unless replaced by user space.
Okay, I got the semantics (locked/unlocked vs unauthorized/authorized) reversed, so I will go with your suggestion.