From: Hans Schultz <netdev@kapio-technology.com> To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz <netdev@kapio-technology.com>, Andrew Lunn <andrew@lunn.ch>, Vivien Didelot <vivien.didelot@gmail.com>, Florian Fainelli <f.fainelli@gmail.com>, Vladimir Oltean <olteanv@gmail.com>, Eric Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>, Nikolay Aleksandrov <razor@blackwall.org>, Shuah Khan <shuah@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, Ido Schimmel <idosch@nvidia.com>, linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Date: Thu, 7 Jul 2022 17:29:24 +0200 [thread overview] Message-ID: <20220707152930.1789437-1-netdev@kapio-technology.com> (raw) This patch set extends the locked port feature for devices that are behind a locked port, but do not have the ability to authorize themselves as a supplicant using IEEE 802.1X. Such devices can be printers, meters or anything related to fixed installations. Instead of 802.1X authorization, devices can get access based on their MAC addresses being whitelisted. For an authorization daemon to detect that a device is trying to get access through a locked port, the bridge will add the MAC address of the device to the FDB with a locked flag to it. Thus the authorization daemon can catch the FDB add event and check if the MAC address is in the whitelist and if so replace the FDB entry without the locked flag enabled, and thus open the port for the device. This feature is known as MAC-Auth or MAC Authentication Bypass (MAB) in Cisco terminology, where the full MAB concept involves additional Cisco infrastructure for authorization. There is no real authentication process, as the MAC address of the device is the only input the authorization daemon, in the general case, has to base the decision if to unlock the port or not. With this patch set, an implementation of the offloaded case is supplied for the mv88e6xxx driver. When a packet ingresses on a locked port, an ATU miss violation event will occur. When handling such ATU miss violation interrupts, the MAC address of the device is added to the FDB with a zero destination port vector (DPV) and the MAC address is communicated through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Log: v3: Added timers and lists in the driver (mv88e6xxx) to keep track of and remove locked entries. v4: Leave out enforcing a limit to the number of locked entries in the bridge. Removed the timers in the driver and use the worker only. Add locked FDB flag to all drivers using port_fdb_add() from the dsa api and let all drivers ignore entries with this flag set. Change how to get the ageing timeout of locked entries. See global1_atu.c and switchdev.c. Use struct mv88e6xxx_port for locked entries variables instead of struct dsa_port. Hans Schultz (6): net: bridge: add locked entry fdb flag to extend locked port feature net: switchdev: add support for offloading of fdb locked flag drivers: net: dsa: add locked fdb entry flag to drivers net: dsa: mv88e6xxx: allow reading FID when handling ATU violations net: dsa: mv88e6xxx: mac-auth/MAB implementation selftests: forwarding: add test of MAC-Auth Bypass to locked port tests drivers/net/dsa/b53/b53_common.c | 5 + drivers/net/dsa/b53/b53_priv.h | 1 + drivers/net/dsa/hirschmann/hellcreek.c | 5 + drivers/net/dsa/lan9303-core.c | 5 + drivers/net/dsa/lantiq_gswip.c | 5 + drivers/net/dsa/microchip/ksz9477.c | 5 + drivers/net/dsa/mt7530.c | 5 + drivers/net/dsa/mv88e6xxx/Makefile | 1 + drivers/net/dsa/mv88e6xxx/chip.c | 54 +++- drivers/net/dsa/mv88e6xxx/chip.h | 15 + drivers/net/dsa/mv88e6xxx/global1.h | 1 + drivers/net/dsa/mv88e6xxx/global1_atu.c | 32 +- drivers/net/dsa/mv88e6xxx/port.c | 30 +- drivers/net/dsa/mv88e6xxx/port.h | 2 + drivers/net/dsa/mv88e6xxx/switchdev.c | 280 ++++++++++++++++++ drivers/net/dsa/mv88e6xxx/switchdev.h | 37 +++ drivers/net/dsa/ocelot/felix.c | 5 + drivers/net/dsa/qca8k.c | 5 + drivers/net/dsa/sja1105/sja1105_main.c | 5 + include/net/dsa.h | 7 + include/net/switchdev.h | 1 + include/uapi/linux/neighbour.h | 1 + net/bridge/br.c | 3 +- net/bridge/br_fdb.c | 19 +- net/bridge/br_input.c | 10 +- net/bridge/br_private.h | 5 +- net/bridge/br_switchdev.c | 1 + net/dsa/dsa_priv.h | 4 +- net/dsa/port.c | 7 +- net/dsa/slave.c | 4 +- net/dsa/switch.c | 10 +- .../net/forwarding/bridge_locked_port.sh | 30 +- 32 files changed, 566 insertions(+), 34 deletions(-) create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.c create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.h -- 2.30.2
WARNING: multiple messages have this Message-ID (diff)
From: Hans Schultz <netdev@kapio-technology.com> To: davem@davemloft.net, kuba@kernel.org Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>, Florian Fainelli <f.fainelli@gmail.com>, Jiri Pirko <jiri@resnulli.us>, Daniel Borkmann <daniel@iogearbox.net>, netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>, Roopa Prabhu <roopa@nvidia.com>, linux-kernel@vger.kernel.org, Ido Schimmel <idosch@nvidia.com>, bridge@lists.linux-foundation.org, Eric Dumazet <edumazet@google.com>, linux-kselftest@vger.kernel.org, Hans Schultz <netdev@kapio-technology.com>, Paolo Abeni <pabeni@redhat.com>, Vladimir Oltean <olteanv@gmail.com>, Shuah Khan <shuah@kernel.org>, Vivien Didelot <vivien.didelot@gmail.com> Subject: [Bridge] [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Date: Thu, 7 Jul 2022 17:29:24 +0200 [thread overview] Message-ID: <20220707152930.1789437-1-netdev@kapio-technology.com> (raw) This patch set extends the locked port feature for devices that are behind a locked port, but do not have the ability to authorize themselves as a supplicant using IEEE 802.1X. Such devices can be printers, meters or anything related to fixed installations. Instead of 802.1X authorization, devices can get access based on their MAC addresses being whitelisted. For an authorization daemon to detect that a device is trying to get access through a locked port, the bridge will add the MAC address of the device to the FDB with a locked flag to it. Thus the authorization daemon can catch the FDB add event and check if the MAC address is in the whitelist and if so replace the FDB entry without the locked flag enabled, and thus open the port for the device. This feature is known as MAC-Auth or MAC Authentication Bypass (MAB) in Cisco terminology, where the full MAB concept involves additional Cisco infrastructure for authorization. There is no real authentication process, as the MAC address of the device is the only input the authorization daemon, in the general case, has to base the decision if to unlock the port or not. With this patch set, an implementation of the offloaded case is supplied for the mv88e6xxx driver. When a packet ingresses on a locked port, an ATU miss violation event will occur. When handling such ATU miss violation interrupts, the MAC address of the device is added to the FDB with a zero destination port vector (DPV) and the MAC address is communicated through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Log: v3: Added timers and lists in the driver (mv88e6xxx) to keep track of and remove locked entries. v4: Leave out enforcing a limit to the number of locked entries in the bridge. Removed the timers in the driver and use the worker only. Add locked FDB flag to all drivers using port_fdb_add() from the dsa api and let all drivers ignore entries with this flag set. Change how to get the ageing timeout of locked entries. See global1_atu.c and switchdev.c. Use struct mv88e6xxx_port for locked entries variables instead of struct dsa_port. Hans Schultz (6): net: bridge: add locked entry fdb flag to extend locked port feature net: switchdev: add support for offloading of fdb locked flag drivers: net: dsa: add locked fdb entry flag to drivers net: dsa: mv88e6xxx: allow reading FID when handling ATU violations net: dsa: mv88e6xxx: mac-auth/MAB implementation selftests: forwarding: add test of MAC-Auth Bypass to locked port tests drivers/net/dsa/b53/b53_common.c | 5 + drivers/net/dsa/b53/b53_priv.h | 1 + drivers/net/dsa/hirschmann/hellcreek.c | 5 + drivers/net/dsa/lan9303-core.c | 5 + drivers/net/dsa/lantiq_gswip.c | 5 + drivers/net/dsa/microchip/ksz9477.c | 5 + drivers/net/dsa/mt7530.c | 5 + drivers/net/dsa/mv88e6xxx/Makefile | 1 + drivers/net/dsa/mv88e6xxx/chip.c | 54 +++- drivers/net/dsa/mv88e6xxx/chip.h | 15 + drivers/net/dsa/mv88e6xxx/global1.h | 1 + drivers/net/dsa/mv88e6xxx/global1_atu.c | 32 +- drivers/net/dsa/mv88e6xxx/port.c | 30 +- drivers/net/dsa/mv88e6xxx/port.h | 2 + drivers/net/dsa/mv88e6xxx/switchdev.c | 280 ++++++++++++++++++ drivers/net/dsa/mv88e6xxx/switchdev.h | 37 +++ drivers/net/dsa/ocelot/felix.c | 5 + drivers/net/dsa/qca8k.c | 5 + drivers/net/dsa/sja1105/sja1105_main.c | 5 + include/net/dsa.h | 7 + include/net/switchdev.h | 1 + include/uapi/linux/neighbour.h | 1 + net/bridge/br.c | 3 +- net/bridge/br_fdb.c | 19 +- net/bridge/br_input.c | 10 +- net/bridge/br_private.h | 5 +- net/bridge/br_switchdev.c | 1 + net/dsa/dsa_priv.h | 4 +- net/dsa/port.c | 7 +- net/dsa/slave.c | 4 +- net/dsa/switch.c | 10 +- .../net/forwarding/bridge_locked_port.sh | 30 +- 32 files changed, 566 insertions(+), 34 deletions(-) create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.c create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.h -- 2.30.2
next reply other threads:[~2022-07-07 15:29 UTC|newest] Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-07-07 15:29 Hans Schultz [this message] 2022-07-07 15:29 ` [Bridge] [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz 2022-07-07 15:29 ` [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz 2022-07-07 15:29 ` [Bridge] " Hans Schultz 2022-07-10 8:20 ` Ido Schimmel 2022-07-10 8:20 ` [Bridge] " Ido Schimmel 2022-07-07 15:29 ` [PATCH v4 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz 2022-07-07 15:29 ` [Bridge] " Hans Schultz 2022-07-08 8:54 ` Vladimir Oltean 2022-07-08 8:54 ` [Bridge] " Vladimir Oltean 2022-08-02 8:27 ` netdev 2022-08-02 8:27 ` [Bridge] " netdev 2022-08-02 10:13 ` netdev 2022-08-02 10:13 ` [Bridge] " netdev 2022-07-07 15:29 ` [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz 2022-07-07 15:29 ` [Bridge] " Hans Schultz 2022-07-08 7:12 ` kernel test robot 2022-07-08 8:49 ` Vladimir Oltean 2022-07-08 8:49 ` [Bridge] " Vladimir Oltean 2022-07-08 9:06 ` netdev 2022-07-08 9:06 ` [Bridge] " netdev 2022-07-08 9:15 ` Vladimir Oltean 2022-07-08 9:15 ` [Bridge] " Vladimir Oltean 2022-07-08 9:27 ` netdev 2022-07-08 9:27 ` [Bridge] " netdev 2022-07-08 9:50 ` netdev 2022-07-08 9:50 ` [Bridge] " netdev 2022-07-08 11:56 ` Vladimir Oltean 2022-07-08 11:56 ` [Bridge] " Vladimir Oltean 2022-07-08 12:34 ` netdev 2022-07-08 12:34 ` [Bridge] " netdev 2022-07-10 8:35 ` Ido Schimmel 2022-07-10 8:35 ` [Bridge] " Ido Schimmel 2022-07-13 7:09 ` netdev 2022-07-13 7:09 ` [Bridge] " netdev 2022-07-13 12:39 ` Ido Schimmel 2022-07-13 12:39 ` [Bridge] " Ido Schimmel 2022-07-17 12:21 ` netdev 2022-07-17 12:21 ` [Bridge] " netdev 2022-07-17 12:57 ` Vladimir Oltean 2022-07-17 12:57 ` [Bridge] " Vladimir Oltean 2022-07-17 13:09 ` netdev 2022-07-17 13:09 ` [Bridge] " netdev 2022-07-17 13:59 ` Vladimir Oltean 2022-07-17 13:59 ` [Bridge] " Vladimir Oltean 2022-07-17 14:57 ` netdev 2022-07-17 14:57 ` [Bridge] " netdev 2022-07-17 15:08 ` Vladimir Oltean 2022-07-17 15:08 ` [Bridge] " Vladimir Oltean 2022-07-17 16:10 ` netdev 2022-07-17 16:10 ` [Bridge] " netdev 2022-07-21 11:54 ` Vladimir Oltean 2022-07-21 11:54 ` [Bridge] " Vladimir Oltean 2022-07-17 15:20 ` Ido Schimmel 2022-07-17 15:20 ` [Bridge] " Ido Schimmel 2022-07-17 15:53 ` netdev 2022-07-17 15:53 ` [Bridge] " netdev 2022-07-21 11:59 ` Vladimir Oltean 2022-07-21 11:59 ` [Bridge] " Vladimir Oltean 2022-07-21 13:27 ` Ido Schimmel 2022-07-21 13:27 ` [Bridge] " Ido Schimmel 2022-07-21 14:20 ` Vladimir Oltean 2022-07-21 14:20 ` [Bridge] " Vladimir Oltean 2022-07-24 11:10 ` Ido Schimmel 2022-07-24 11:10 ` [Bridge] " Ido Schimmel 2022-08-01 11:57 ` netdev 2022-08-01 11:57 ` [Bridge] " netdev 2022-08-01 13:14 ` netdev 2022-08-01 13:14 ` [Bridge] " netdev 2022-08-02 12:54 ` netdev 2022-08-02 12:54 ` [Bridge] " netdev 2022-08-01 15:33 ` netdev 2022-08-01 15:33 ` [Bridge] " netdev 2022-08-09 9:20 ` Ido Schimmel 2022-08-09 9:20 ` [Bridge] " Ido Schimmel 2022-08-09 20:00 ` netdev 2022-08-09 20:00 ` [Bridge] " netdev 2022-08-10 7:21 ` Ido Schimmel 2022-08-10 7:21 ` [Bridge] " Ido Schimmel 2022-08-10 8:40 ` netdev 2022-08-10 8:40 ` [Bridge] " netdev 2022-08-11 11:28 ` Ido Schimmel 2022-08-11 11:28 ` [Bridge] " Ido Schimmel 2022-08-12 15:33 ` netdev 2022-08-12 15:33 ` [Bridge] " netdev 2022-08-16 7:51 ` netdev 2022-08-16 7:51 ` [Bridge] " netdev 2022-08-17 6:21 ` Ido Schimmel 2022-08-17 6:21 ` [Bridge] " Ido Schimmel 2022-07-21 11:51 ` Vladimir Oltean 2022-07-21 11:51 ` [Bridge] " Vladimir Oltean 2022-07-08 20:39 ` kernel test robot 2022-07-07 15:29 ` [PATCH v4 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz 2022-07-07 15:29 ` [Bridge] " Hans Schultz 2022-07-07 15:29 ` [PATCH v4 net-next 5/6] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz 2022-07-07 15:29 ` [Bridge] " Hans Schultz 2022-07-08 9:46 ` kernel test robot 2022-07-17 0:47 ` Vladimir Oltean 2022-07-17 0:47 ` [Bridge] " Vladimir Oltean 2022-07-17 12:34 ` netdev 2022-07-17 12:34 ` [Bridge] " netdev 2022-07-21 12:04 ` Vladimir Oltean 2022-07-21 12:04 ` [Bridge] " Vladimir Oltean 2022-08-19 8:28 ` netdev 2022-08-19 8:28 ` [Bridge] " netdev 2022-07-07 15:29 ` [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz 2022-07-07 15:29 ` [Bridge] " Hans Schultz 2022-07-10 7:29 ` Ido Schimmel 2022-07-10 7:29 ` [Bridge] " Ido Schimmel 2022-07-12 12:28 ` netdev 2022-07-12 12:28 ` [Bridge] " netdev 2022-07-08 1:00 ` [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Jakub Kicinski 2022-07-08 1:00 ` [Bridge] " Jakub Kicinski 2022-08-11 5:09 ` Benjamin Poirier 2022-08-11 5:09 ` [Bridge] " Benjamin Poirier
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220707152930.1789437-1-netdev@kapio-technology.com \ --to=netdev@kapio-technology.com \ --cc=andrew@lunn.ch \ --cc=bridge@lists.linux-foundation.org \ --cc=daniel@iogearbox.net \ --cc=davem@davemloft.net \ --cc=edumazet@google.com \ --cc=f.fainelli@gmail.com \ --cc=idosch@nvidia.com \ --cc=ivecera@redhat.com \ --cc=jiri@resnulli.us \ --cc=kuba@kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-kselftest@vger.kernel.org \ --cc=netdev@vger.kernel.org \ --cc=olteanv@gmail.com \ --cc=pabeni@redhat.com \ --cc=razor@blackwall.org \ --cc=roopa@nvidia.com \ --cc=shuah@kernel.org \ --cc=vivien.didelot@gmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.