Re: [PATCH v3 net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

From: netdev
Date: Sat Jan 07 2023 - 05:32:21 EST


On 2023-01-06 17:41, Vladimir Oltean wrote:
On Fri, Jan 06, 2023 at 05:05:29PM +0100, Hans J. Schultz wrote:
This implementation for the Marvell mv88e6xxx chip series is based on
handling ATU miss violations occurring when packets ingress on a port
that is locked with learning on. This will trigger a
SWITCHDEV_FDB_ADD_TO_BRIDGE event, which will result in the bridge module
adding a locked FDB entry. This bridge FDB entry will not age out as
it has the extern_learn flag set.

Userspace daemons can listen to these events and either accept or deny
access for the host, by either replacing the locked FDB entry with a
simple entry or leaving the locked entry.

If the host MAC address is already present on another port, an ATU
member violation will occur, but to no real effect, and the packet will
be dropped in hardware. Statistics on these violations can be shown with
the command and example output of interest:

ethtool -S ethX
NIC statistics:
...
atu_member_violation: 5
atu_miss_violation: 23
...

Where ethX is the interface of the MAB enabled port.

Furthermore, as added vlan interfaces where the vid is not added to the
VTU will cause ATU miss violations reporting the FID as
MV88E6XXX_FID_STANDALONE, we need to check and skip the miss violations
handling in this case.

Signed-off-by: Hans J. Schultz <netdev@xxxxxxxxxxxxxxxxxxxx>
---

Please add Acked-by/Reviewed-by tags when posting new versions. However,
there's no need to repost patches *only* to add the tags. The upstream
maintainer will do that for acks received on the version they apply.

If a tag was not added on purpose, please state why and what changed.

Missing tags:

Reviewed-by: Vladimir Oltean <olteanv@xxxxxxxxx>


Please allow at least 24 hours between patch submissions to give time
for other review comments.

I presume that since I moved the exit tag 'out' to this patch, it has changed and the review tag is reset?