Ido Schimmel
2022-Mar-17 13:44 UTC
[Bridge] [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature
On Thu, Mar 17, 2022 at 10:38:59AM +0100, Hans Schultz wrote:> Add an intermediate state for clients behind a locked port to allow for > possible opening of the port for said clients. This feature corresponds > to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The > latter defined by Cisco. > Only the kernel can set this FDB entry flag, while userspace can read > the flag and remove it by deleting the FDB entry.Can you explain where this flag is rejected by the kernel? Nik, it seems the bridge ignores 'NDA_FLAGS_EXT', but I think that for new flags we should do a better job and reject unsupported configurations. WDYT? The neighbour code will correctly reject the new flag due to 'NTF_EXT_MASK'.
Nikolay Aleksandrov
2022-Mar-17 13:54 UTC
[Bridge] [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature
On 17/03/2022 15:44, Ido Schimmel wrote:> On Thu, Mar 17, 2022 at 10:38:59AM +0100, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The >> latter defined by Cisco. >> Only the kernel can set this FDB entry flag, while userspace can read >> the flag and remove it by deleting the FDB entry. > > Can you explain where this flag is rejected by the kernel? > > Nik, it seems the bridge ignores 'NDA_FLAGS_EXT', but I think that for > new flags we should do a better job and reject unsupported > configurations. WDYT? >Definitely, I agree.> The neighbour code will correctly reject the new flag due to > 'NTF_EXT_MASK'.
Hans Schultz
2022-Mar-17 14:50 UTC
[Bridge] [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature
On tor, mar 17, 2022 at 15:44, Ido Schimmel <idosch at idosch.org> wrote:> On Thu, Mar 17, 2022 at 10:38:59AM +0100, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The >> latter defined by Cisco. >> Only the kernel can set this FDB entry flag, while userspace can read >> the flag and remove it by deleting the FDB entry. > > Can you explain where this flag is rejected by the kernel? >Is it an effort to set the flag from iproute2 on adding a fdb entry?> Nik, it seems the bridge ignores 'NDA_FLAGS_EXT', but I think that for > new flags we should do a better job and reject unsupported > configurations. WDYT? > > The neighbour code will correctly reject the new flag due to > 'NTF_EXT_MASK'.