Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation
From: Oleksandr Mazur
Date: Sat Oct 22 2022 - 08:56:08 EST
> I hope the following script will exemplify what I mean.
..
Oh, i get it now.
Frankly speaking we haven't stumbled across such scenario / issue before. But i can tell it does indeed seems a bit broken;
I think there are 2 options here:
1. The setup itself seems insecure, and user should be aware of such behavior / issue;
2. Bridge indeed should not learn MACs if BR_PORT_LOCKED is set. E.g. learning condition should be something like: not BR_PORT_locked and learning is on;
> I don't understand the last step. Why is the BR_PORT_LOCKED flag disabled?
> If disabled, the port will receive frames with any unknown MAC SA,
> not just the authorized ones.
Sorry for the confusion. Basically, what i described what i would expect from a daemon (e.g. daemon would disable LOCKED); So just ignore that part.