On 1/26/26 3:00 PM, Ales Musil via dev wrote:
> The RFC defines the Virtual Router Redundancy Protocol [0]; for
> that protocol to work, the workload might "spoof" the MAC address
> within ARP or ND requests/responses. This wasn't allowed, as port
> security is specifically designed against spoofing and checks that
> the port security MAC address is the same as the source of the ARP/ND
> packet and the inner source/target address. To make port security
> compliant, add an option which, when enabled, will add extra flows
> that match on the MAC specified by the option (within the range)
> or any MACs.
>
> [0] https://datatracker.ietf.org/doc/html/rfc5798
> Reported-at: https://issues.redhat.com/browse/FDP-2979
> Signed-off-by: Ales Musil <[email protected]>
> ---
> v2: Rebase on top of latest main.
>     Add missing checks in the test.
>     Rename the option to "port-security-allow-vrrpv3-arp-nd".
>     Allow the list of MACs to be specified in the option.
I don't think we finished the discussion on v1, and it seems like v2 is
taking the "worst of both worlds" approach when it comes to user
experience, i.e. having a very long option name and also forcing users
to specify all the MAC addresses twice.

Why can't we just allow all the specified MAC addresses and not require
listing them again in the port_security column?

Best regards, Ilya Maximets.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
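The check under discussion is easier to reason about with a concrete packet in hand. The following is an added example, not code from OVN or from the patch above: it models the port-security ARP check the commit message describes (Ethernet source and ARP sender hardware address must both be a MAC the port is allowed to use) and shows why a VRRP master fails it unless the RFC 5798 virtual router MAC (00-00-5E-00-01-{VRID} for IPv4, 00-00-5E-00-02-{VRID} for IPv6) is added to the allowed set. The function names, the per-port allow-list argument and the sample frames are all constructed for illustration; OVN implements this with OpenFlow flows, not with this code, and the ND case additionally needs the source/target link-layer address option parsed, which is left out here.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual router MAC per RFC 5798 section 7.3:
    00-00-5E-00-01-{VRID} for IPv4, 00-00-5E-00-02-{VRID} for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:{2 if ipv6 else 1:02x}:{vrid:02x}"


def build_arp_frame(eth_src: str, sha: str, spa: str, tpa: str,
                    op: int = 1, tha: str = "00:00:00:00:00:00",
                    eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed Ethernet II + ARP (IPv4 over Ethernet) frame; op 1 = request, 2 = reply."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_to_bytes(sha) + ipaddress.IPv4Address(spa).packed
           + mac_to_bytes(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Return the fields port security cares about; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_src": bytes_to_mac(eth_src),
        "op": op,
        "sha": bytes_to_mac(frame[22:28]),
        "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": bytes_to_mac(frame[32:38]),
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


def port_security_allows_arp(frame: bytes, port_mac: str,
                             extra_allowed_macs=()) -> bool:
    """Model of the port-security ARP check: both the Ethernet source and the
    ARP sender hardware address (the 'inner' source) must be a MAC the port may use.
    extra_allowed_macs is a hypothetical per-port allow-list, e.g. VRRP virtual MACs."""
    allowed = {m.lower() for m in (port_mac, *extra_allowed_macs)}
    try:
        pkt = parse_arp_frame(frame)
    except ValueError:
        return False  # malformed or non-ARP: not this check's business, drop here for the model
    return pkt["eth_src"] in allowed and pkt["sha"] in allowed


if __name__ == "__main__":
    port_mac = "52:54:00:12:34:56"            # constructed logical port MAC
    vmac = vrrp_virtual_mac(5)                # 00:00:5e:00:01:05 for VRID 5
    # Gratuitous ARP reply a VRRP master sends after taking over the VIP 10.0.0.1.
    garp = build_arp_frame(vmac, vmac, "10.0.0.1", "10.0.0.1", op=2)
    print("strict:", port_security_allows_arp(garp, port_mac))          # False
    print("vrrp allowed:", port_security_allows_arp(garp, port_mac, [vmac]))  # True
```

The last assertion worth keeping in mind is the spoofing case: a frame whose Ethernet source is the port's own MAC but whose ARP sender hardware address is some unrelated MAC must still be rejected even with the VRRP MAC allowed, because the check is on the pair, not on either field alone.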
