From: Hans Schultz <netdev@kapio-technology.com>
To: davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org,
Hans Schultz <netdev@kapio-technology.com>,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Ido Schimmel <idosch@nvidia.com>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature
Date: Thu, 7 Jul 2022 17:29:25 +0200 [thread overview]
Message-ID: <20220707152930.1789437-2-netdev@kapio-technology.com> (raw)
In-Reply-To: <20220707152930.1789437-1-netdev@kapio-technology.com>
Add an intermediate state for clients behind a locked port to allow for
possible opening of the port for said clients. The clients mac address
will be added with the locked flag set, denying access through the port
for the mac address, but also creating a new FDB add event giving
userspace daemons the ability to unlock the mac address. This feature
corresponds to the Mac-Auth and MAC Authentication Bypass (MAB) named
features. The latter defined by Cisco.
Only the kernel can set this FDB entry flag, while userspace can read
the flag and remove it by replacing or deleting the FDB entry.
Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
include/uapi/linux/neighbour.h | 1 +
net/bridge/br_fdb.c | 12 ++++++++++++
net/bridge/br_input.c | 10 +++++++++-
net/bridge/br_private.h | 3 ++-
4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 39c565e460c7..76d65b481086 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -53,6 +53,7 @@ enum {
#define NTF_ROUTER (1 << 7)
/* Extended flags under NDA_FLAGS_EXT: */
#define NTF_EXT_MANAGED (1 << 0)
+#define NTF_EXT_LOCKED (1 << 1)
/*
* Neighbor Cache Entry States.
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index e7f4fccb6adb..ee9064a536ae 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -105,6 +105,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
struct nda_cacheinfo ci;
struct nlmsghdr *nlh;
struct ndmsg *ndm;
+ u32 ext_flags = 0;
nlh = nlmsg_put(skb, portid, seq, type, sizeof(*ndm), flags);
if (nlh == NULL)
@@ -125,11 +126,16 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
ndm->ndm_flags |= NTF_EXT_LEARNED;
if (test_bit(BR_FDB_STICKY, &fdb->flags))
ndm->ndm_flags |= NTF_STICKY;
+ if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags))
+ ext_flags |= NTF_EXT_LOCKED;
if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
goto nla_put_failure;
if (nla_put_u32(skb, NDA_MASTER, br->dev->ifindex))
goto nla_put_failure;
+ if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
+ goto nla_put_failure;
+
ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
ci.ndm_confirmed = 0;
ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
@@ -171,6 +177,7 @@ static inline size_t fdb_nlmsg_size(void)
return NLMSG_ALIGN(sizeof(struct ndmsg))
+ nla_total_size(ETH_ALEN) /* NDA_LLADDR */
+ nla_total_size(sizeof(u32)) /* NDA_MASTER */
+ + nla_total_size(sizeof(u32)) /* NDA_FLAGS_EXT */
+ nla_total_size(sizeof(u16)) /* NDA_VLAN */
+ nla_total_size(sizeof(struct nda_cacheinfo))
+ nla_total_size(0) /* NDA_FDB_EXT_ATTRS */
@@ -1082,6 +1089,11 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
modified = true;
}
+ if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags)) {
+ clear_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags);
+ modified = true;
+ }
+
if (fdb_handle_notify(fdb, notify))
modified = true;
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 68b3e850bcb9..3d15548cfda6 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -110,8 +110,16 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
- test_bit(BR_FDB_LOCAL, &fdb_src->flags))
+ test_bit(BR_FDB_LOCAL, &fdb_src->flags) ||
+ test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags)) {
+ if (!fdb_src) {
+ unsigned long flags = 0;
+
+ __set_bit(BR_FDB_ENTRY_LOCKED, &flags);
+ br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, flags);
+ }
goto drop;
+ }
}
nbp_switchdev_frame_mark(p, skb);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 06e5f6faa431..47a3598d25c8 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -251,7 +251,8 @@ enum {
BR_FDB_ADDED_BY_EXT_LEARN,
BR_FDB_OFFLOADED,
BR_FDB_NOTIFY,
- BR_FDB_NOTIFY_INACTIVE
+ BR_FDB_NOTIFY_INACTIVE,
+ BR_FDB_ENTRY_LOCKED,
};
struct net_bridge_fdb_key {
--
2.30.2
WARNING: multiple messages have this Message-ID (diff)
From: Hans Schultz <netdev@kapio-technology.com>
To: davem@davemloft.net, kuba@kernel.org
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
Roopa Prabhu <roopa@nvidia.com>,
linux-kernel@vger.kernel.org, Ido Schimmel <idosch@nvidia.com>,
bridge@lists.linux-foundation.org,
Eric Dumazet <edumazet@google.com>,
linux-kselftest@vger.kernel.org,
Hans Schultz <netdev@kapio-technology.com>,
Paolo Abeni <pabeni@redhat.com>,
Vladimir Oltean <olteanv@gmail.com>,
Shuah Khan <shuah@kernel.org>,
Vivien Didelot <vivien.didelot@gmail.com>
Subject: [Bridge] [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature
Date: Thu, 7 Jul 2022 17:29:25 +0200 [thread overview]
Message-ID: <20220707152930.1789437-2-netdev@kapio-technology.com> (raw)
In-Reply-To: <20220707152930.1789437-1-netdev@kapio-technology.com>
Add an intermediate state for clients behind a locked port to allow for
possible opening of the port for said clients. The clients mac address
will be added with the locked flag set, denying access through the port
for the mac address, but also creating a new FDB add event giving
userspace daemons the ability to unlock the mac address. This feature
corresponds to the Mac-Auth and MAC Authentication Bypass (MAB) named
features. The latter defined by Cisco.
Only the kernel can set this FDB entry flag, while userspace can read
the flag and remove it by replacing or deleting the FDB entry.
Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
include/uapi/linux/neighbour.h | 1 +
net/bridge/br_fdb.c | 12 ++++++++++++
net/bridge/br_input.c | 10 +++++++++-
net/bridge/br_private.h | 3 ++-
4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 39c565e460c7..76d65b481086 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -53,6 +53,7 @@ enum {
#define NTF_ROUTER (1 << 7)
/* Extended flags under NDA_FLAGS_EXT: */
#define NTF_EXT_MANAGED (1 << 0)
+#define NTF_EXT_LOCKED (1 << 1)
/*
* Neighbor Cache Entry States.
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index e7f4fccb6adb..ee9064a536ae 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -105,6 +105,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
struct nda_cacheinfo ci;
struct nlmsghdr *nlh;
struct ndmsg *ndm;
+ u32 ext_flags = 0;
nlh = nlmsg_put(skb, portid, seq, type, sizeof(*ndm), flags);
if (nlh == NULL)
@@ -125,11 +126,16 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
ndm->ndm_flags |= NTF_EXT_LEARNED;
if (test_bit(BR_FDB_STICKY, &fdb->flags))
ndm->ndm_flags |= NTF_STICKY;
+ if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags))
+ ext_flags |= NTF_EXT_LOCKED;
if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
goto nla_put_failure;
if (nla_put_u32(skb, NDA_MASTER, br->dev->ifindex))
goto nla_put_failure;
+ if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
+ goto nla_put_failure;
+
ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
ci.ndm_confirmed = 0;
ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
@@ -171,6 +177,7 @@ static inline size_t fdb_nlmsg_size(void)
return NLMSG_ALIGN(sizeof(struct ndmsg))
+ nla_total_size(ETH_ALEN) /* NDA_LLADDR */
+ nla_total_size(sizeof(u32)) /* NDA_MASTER */
+ + nla_total_size(sizeof(u32)) /* NDA_FLAGS_EXT */
+ nla_total_size(sizeof(u16)) /* NDA_VLAN */
+ nla_total_size(sizeof(struct nda_cacheinfo))
+ nla_total_size(0) /* NDA_FDB_EXT_ATTRS */
@@ -1082,6 +1089,11 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
modified = true;
}
+ if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags)) {
+ clear_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags);
+ modified = true;
+ }
+
if (fdb_handle_notify(fdb, notify))
modified = true;
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 68b3e850bcb9..3d15548cfda6 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -110,8 +110,16 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
- test_bit(BR_FDB_LOCAL, &fdb_src->flags))
+ test_bit(BR_FDB_LOCAL, &fdb_src->flags) ||
+ test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags)) {
+ if (!fdb_src) {
+ unsigned long flags = 0;
+
+ __set_bit(BR_FDB_ENTRY_LOCKED, &flags);
+ br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, flags);
+ }
goto drop;
+ }
}
nbp_switchdev_frame_mark(p, skb);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 06e5f6faa431..47a3598d25c8 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -251,7 +251,8 @@ enum {
BR_FDB_ADDED_BY_EXT_LEARN,
BR_FDB_OFFLOADED,
BR_FDB_NOTIFY,
- BR_FDB_NOTIFY_INACTIVE
+ BR_FDB_NOTIFY_INACTIVE,
+ BR_FDB_ENTRY_LOCKED,
};
struct net_bridge_fdb_key {
--
2.30.2
next prev parent reply other threads:[~2022-07-07 15:29 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 15:29 [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-07 15:29 ` Hans Schultz [this message]
2022-07-07 15:29 ` [Bridge] [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz
2022-07-10 8:20 ` Ido Schimmel
2022-07-10 8:20 ` [Bridge] " Ido Schimmel
2022-07-07 15:29 ` [PATCH v4 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 8:54 ` Vladimir Oltean
2022-07-08 8:54 ` [Bridge] " Vladimir Oltean
2022-08-02 8:27 ` netdev
2022-08-02 8:27 ` [Bridge] " netdev
2022-08-02 10:13 ` netdev
2022-08-02 10:13 ` [Bridge] " netdev
2022-07-07 15:29 ` [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 7:12 ` kernel test robot
2022-07-08 8:49 ` Vladimir Oltean
2022-07-08 8:49 ` [Bridge] " Vladimir Oltean
2022-07-08 9:06 ` netdev
2022-07-08 9:06 ` [Bridge] " netdev
2022-07-08 9:15 ` Vladimir Oltean
2022-07-08 9:15 ` [Bridge] " Vladimir Oltean
2022-07-08 9:27 ` netdev
2022-07-08 9:27 ` [Bridge] " netdev
2022-07-08 9:50 ` netdev
2022-07-08 9:50 ` [Bridge] " netdev
2022-07-08 11:56 ` Vladimir Oltean
2022-07-08 11:56 ` [Bridge] " Vladimir Oltean
2022-07-08 12:34 ` netdev
2022-07-08 12:34 ` [Bridge] " netdev
2022-07-10 8:35 ` Ido Schimmel
2022-07-10 8:35 ` [Bridge] " Ido Schimmel
2022-07-13 7:09 ` netdev
2022-07-13 7:09 ` [Bridge] " netdev
2022-07-13 12:39 ` Ido Schimmel
2022-07-13 12:39 ` [Bridge] " Ido Schimmel
2022-07-17 12:21 ` netdev
2022-07-17 12:21 ` [Bridge] " netdev
2022-07-17 12:57 ` Vladimir Oltean
2022-07-17 12:57 ` [Bridge] " Vladimir Oltean
2022-07-17 13:09 ` netdev
2022-07-17 13:09 ` [Bridge] " netdev
2022-07-17 13:59 ` Vladimir Oltean
2022-07-17 13:59 ` [Bridge] " Vladimir Oltean
2022-07-17 14:57 ` netdev
2022-07-17 14:57 ` [Bridge] " netdev
2022-07-17 15:08 ` Vladimir Oltean
2022-07-17 15:08 ` [Bridge] " Vladimir Oltean
2022-07-17 16:10 ` netdev
2022-07-17 16:10 ` [Bridge] " netdev
2022-07-21 11:54 ` Vladimir Oltean
2022-07-21 11:54 ` [Bridge] " Vladimir Oltean
2022-07-17 15:20 ` Ido Schimmel
2022-07-17 15:20 ` [Bridge] " Ido Schimmel
2022-07-17 15:53 ` netdev
2022-07-17 15:53 ` [Bridge] " netdev
2022-07-21 11:59 ` Vladimir Oltean
2022-07-21 11:59 ` [Bridge] " Vladimir Oltean
2022-07-21 13:27 ` Ido Schimmel
2022-07-21 13:27 ` [Bridge] " Ido Schimmel
2022-07-21 14:20 ` Vladimir Oltean
2022-07-21 14:20 ` [Bridge] " Vladimir Oltean
2022-07-24 11:10 ` Ido Schimmel
2022-07-24 11:10 ` [Bridge] " Ido Schimmel
2022-08-01 11:57 ` netdev
2022-08-01 11:57 ` [Bridge] " netdev
2022-08-01 13:14 ` netdev
2022-08-01 13:14 ` [Bridge] " netdev
2022-08-02 12:54 ` netdev
2022-08-02 12:54 ` [Bridge] " netdev
2022-08-01 15:33 ` netdev
2022-08-01 15:33 ` [Bridge] " netdev
2022-08-09 9:20 ` Ido Schimmel
2022-08-09 9:20 ` [Bridge] " Ido Schimmel
2022-08-09 20:00 ` netdev
2022-08-09 20:00 ` [Bridge] " netdev
2022-08-10 7:21 ` Ido Schimmel
2022-08-10 7:21 ` [Bridge] " Ido Schimmel
2022-08-10 8:40 ` netdev
2022-08-10 8:40 ` [Bridge] " netdev
2022-08-11 11:28 ` Ido Schimmel
2022-08-11 11:28 ` [Bridge] " Ido Schimmel
2022-08-12 15:33 ` netdev
2022-08-12 15:33 ` [Bridge] " netdev
2022-08-16 7:51 ` netdev
2022-08-16 7:51 ` [Bridge] " netdev
2022-08-17 6:21 ` Ido Schimmel
2022-08-17 6:21 ` [Bridge] " Ido Schimmel
2022-07-21 11:51 ` Vladimir Oltean
2022-07-21 11:51 ` [Bridge] " Vladimir Oltean
2022-07-08 20:39 ` kernel test robot
2022-07-07 15:29 ` [PATCH v4 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 5/6] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 9:46 ` kernel test robot
2022-07-17 0:47 ` Vladimir Oltean
2022-07-17 0:47 ` [Bridge] " Vladimir Oltean
2022-07-17 12:34 ` netdev
2022-07-17 12:34 ` [Bridge] " netdev
2022-07-21 12:04 ` Vladimir Oltean
2022-07-21 12:04 ` [Bridge] " Vladimir Oltean
2022-08-19 8:28 ` netdev
2022-08-19 8:28 ` [Bridge] " netdev
2022-07-07 15:29 ` [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-10 7:29 ` Ido Schimmel
2022-07-10 7:29 ` [Bridge] " Ido Schimmel
2022-07-12 12:28 ` netdev
2022-07-12 12:28 ` [Bridge] " netdev
2022-07-08 1:00 ` [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Jakub Kicinski
2022-07-08 1:00 ` [Bridge] " Jakub Kicinski
2022-08-11 5:09 ` Benjamin Poirier
2022-08-11 5:09 ` [Bridge] " Benjamin Poirier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220707152930.1789437-2-netdev@kapio-technology.com \
--to=netdev@kapio-technology.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.