* [Bridge] [PATCH v2 iproute2-next 1/4] include: uapi: MacAuth and Blackhole feature header changes
@ 2022-10-04 15:20 Hans Schultz
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 2/4] bridge: fdb: show locked FDB entries flag in output Hans Schultz
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Hans Schultz @ 2022-10-04 15:20 UTC
To: davem, kuba
Cc: Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Hans Schultz,
Joachim Wiberg, Shuah Khan, Ivan Vecera, Florian Fainelli,
Daniel Borkmann, Ido Schimmel, bridge, Russell King,
linux-arm-kernel, Roopa Prabhu, Paolo Abeni, Vivien Didelot,
Woojung Huh, Landen Chao, Jiri Pirko, Amit Cohen,
Christian Marangi, Hauke Mehrtens, Hans Schultz, Sean Wang,
DENG Qingfang, Claudiu Manoil, linux-mediatek, Matthias Brugger,
Yuwei Wang, Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
Vladimir Oltean, Florent Fourcot
Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
include/uapi/linux/if_link.h | 1 +
include/uapi/linux/neighbour.h | 11 ++++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 7494cffb..58a002de 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -559,6 +559,7 @@ enum {
IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
IFLA_BRPORT_LOCKED,
+ IFLA_BRPORT_MAB,
__IFLA_BRPORT_MAX
};
#define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
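Review bot: iproute2 keeps include/uapi in sync with the kernel's headers rather than hand-editing them, so this hunk and the neighbour.h hunks below should be regenerated from the kernel tree once the kernel side of IFLA_BRPORT_MAB is merged, as the reply later in this thread also asks. Until then the enum position of IFLA_BRPORT_MAB is provisional: the value is purely positional, so a reordering on the kernel side before merge would silently change what `bridge link set ... mab` puts on the wire.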
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index a998bf76..cc7d540e 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -52,7 +52,9 @@ enum {
#define NTF_STICKY (1 << 6)
#define NTF_ROUTER (1 << 7)
/* Extended flags under NDA_FLAGS_EXT: */
-#define NTF_EXT_MANAGED (1 << 0)
+#define NTF_EXT_MANAGED (1 << 0)
+#define NTF_EXT_LOCKED (1 << 1)
+#define NTF_EXT_BLACKHOLE (1 << 2)
/*
* Neighbor Cache Entry States.
@@ -86,6 +88,13 @@ enum {
* NTF_EXT_MANAGED flagged neigbor entries are managed by the kernel on behalf
* of a user space control plane, and automatically refreshed so that (if
* possible) they remain in NUD_REACHABLE state.
+ *
+ * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
+ * locked port feature, that ensures that an entry exists while at the same
+ * time dropping packets on ingress with src MAC and VID matching the entry.
+ *
+ * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
+ * from any port to the destination MAC, VID pair associated with it.
*/
struct nda_cacheinfo {
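Review bot: the NTF_EXT_LOCKED paragraph says what the placeholder entry does but not who owns the flag, which is the part of the uapi contract a user-space control plane needs: per the reply later in this thread, the kernel sets it when a host talks on a MAB-enabled locked port, user space authorizes the host by clearing it, and user space cannot set it. The NTF_EXT_MANAGED paragraph just above names its owner; this one should too, e.g. "The flag is set by the kernel and is cleared by user space to authorize the host." Also "feature, that ensures" reads better as "feature. It ensures". ("neigbor" in the context line is a pre-existing typo, not this patch's.)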
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Bridge] [PATCH v2 iproute2-next 2/4] bridge: fdb: show locked FDB entries flag in output
2022-10-04 15:20 [Bridge] [PATCH v2 iproute2-next 1/4] include: uapi: MacAuth and Blackhole feature header changes Hans Schultz
@ 2022-10-04 15:20 ` Hans Schultz
2022-10-13 8:35 ` Ido Schimmel
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 3/4] bridge: link: enable MacAuth/MAB feature Hans Schultz
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole feature Hans Schultz
2 siblings, 1 reply; 6+ messages in thread
From: Hans Schultz @ 2022-10-04 15:20 UTC
To: davem, kuba
Cc: Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Hans Schultz,
Joachim Wiberg, Shuah Khan, Ivan Vecera, Florian Fainelli,
Daniel Borkmann, Ido Schimmel, bridge, Russell King,
linux-arm-kernel, Roopa Prabhu, Paolo Abeni, Vivien Didelot,
Woojung Huh, Landen Chao, Jiri Pirko, Amit Cohen,
Christian Marangi, Hauke Mehrtens, Hans Schultz, Sean Wang,
DENG Qingfang, Claudiu Manoil, linux-mediatek, Matthias Brugger,
Yuwei Wang, Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
Vladimir Oltean, Florent Fourcot
Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
bridge/fdb.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/bridge/fdb.c b/bridge/fdb.c
index 5f71bde0..f1f0a5bb 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -93,7 +93,7 @@ static int state_a2n(unsigned int *s, const char *arg)
return 0;
}
-static void fdb_print_flags(FILE *fp, unsigned int flags)
+static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
{
open_json_array(PRINT_JSON,
is_json_context() ? "flags" : "");
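Review bot: the new parameter is `__u8 ext_flags` while the caller below declares `__u32 ext_flags` and NDA_FLAGS_EXT is a 32-bit attribute, so the value is silently narrowed at the call site. The three NTF_EXT_* bits defined today fit in a byte, but any future bit above 7 would be dropped without a warning and the flag would never print. Use `__u32 ext_flags` here, as the reply in this thread also says.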
@@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags)
if (flags & NTF_STICKY)
print_string(PRINT_ANY, NULL, "%s ", "sticky");
+ if (ext_flags & NTF_EXT_LOCKED)
+ print_string(PRINT_ANY, NULL, "%s ", "locked");
+
close_json_array(PRINT_JSON, NULL);
}
@@ -144,6 +147,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
struct ndmsg *r = NLMSG_DATA(n);
int len = n->nlmsg_len;
struct rtattr *tb[NDA_MAX+1];
+ __u32 ext_flags = 0;
__u16 vid = 0;
if (n->nlmsg_type != RTM_NEWNEIGH && n->nlmsg_type != RTM_DELNEIGH) {
@@ -170,6 +174,9 @@ int print_fdb(struct nlmsghdr *n, void *arg)
parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
n->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
+ if (tb[NDA_FLAGS_EXT])
+ ext_flags = rta_getattr_u32(tb[NDA_FLAGS_EXT]);
+
if (tb[NDA_VLAN])
vid = rta_getattr_u16(tb[NDA_VLAN]);
@@ -266,7 +273,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
if (show_stats && tb[NDA_CACHEINFO])
fdb_print_stats(fp, RTA_DATA(tb[NDA_CACHEINFO]));
- fdb_print_flags(fp, r->ndm_flags);
+ fdb_print_flags(fp, r->ndm_flags, ext_flags);
if (tb[NDA_MASTER])
--
2.34.1
* [Bridge] [PATCH v2 iproute2-next 3/4] bridge: link: enable MacAuth/MAB feature
2022-10-04 15:20 [Bridge] [PATCH v2 iproute2-next 1/4] include: uapi: MacAuth and Blackhole feature header changes Hans Schultz
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 2/4] bridge: fdb: show locked FDB entries flag in output Hans Schultz
@ 2022-10-04 15:20 ` Hans Schultz
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole feature Hans Schultz
2 siblings, 0 replies; 6+ messages in thread
From: Hans Schultz @ 2022-10-04 15:20 UTC
To: davem, kuba
Cc: Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Hans Schultz,
Joachim Wiberg, Shuah Khan, Ivan Vecera, Florian Fainelli,
Daniel Borkmann, Ido Schimmel, bridge, Russell King,
linux-arm-kernel, Roopa Prabhu, Paolo Abeni, Vivien Didelot,
Woojung Huh, Landen Chao, Jiri Pirko, Amit Cohen,
Christian Marangi, Hauke Mehrtens, Hans Schultz, Sean Wang,
DENG Qingfang, Claudiu Manoil, linux-mediatek, Matthias Brugger,
Yuwei Wang, Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
Vladimir Oltean, Florent Fourcot
The MAB feature can be enabled on a locked port with the command:
bridge link set dev <DEV> mab on
Examples of output when the feature is enabled:
$ bridge -d link show dev eth1
1: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master testbr state forwarding priority 32 cost 2
hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on bcast_flood on mcast_router 1 mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked on mab on
$ bridge -d -j -p link show dev eth1
[ {
"ifindex": 1,
"ifname": "eth1",
"flags": [ "BROADCAST","MULTICAST","UP","LOWER_UP" ],
"mtu": 1500,
"master": "br0",
"state": "forwarding",
"priority": 32,
"cost": 2,
"hairpin": false,
"guard": false,
"root_block": false,
"fastleave": false,
"learning": true,
"flood": true,
"mcast_flood": true,
"bcast_flood": true,
"mcast_router": 1,
"mcast_to_unicast": false,
"neigh_suppress": false,
"vlan_tunnel": false,
"isolated": false,
"locked": true,
"mab": true
} ]
Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
bridge/link.c | 13 +++++++++++++
ip/iplink_bridge_slave.c | 9 +++++++++
man/man8/bridge.8 | 12 ++++++++++++
man/man8/ip-link.8.in | 14 ++++++++++++++
4 files changed, 48 insertions(+)
diff --git a/bridge/link.c b/bridge/link.c
index 3810fa04..25a45860 100644
--- a/bridge/link.c
+++ b/bridge/link.c
@@ -184,6 +184,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
if (prtb[IFLA_BRPORT_LOCKED])
print_on_off(PRINT_ANY, "locked", "locked %s ",
rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
+ if (prtb[IFLA_BRPORT_MAB])
+ print_on_off(PRINT_ANY, "mab", "mab %s ",
+ rta_getattr_u8(prtb[IFLA_BRPORT_MAB]));
} else
print_stp_state(rta_getattr_u8(attr));
}
@@ -281,6 +284,7 @@ static void usage(void)
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
" [ locked {on | off} ]\n"
+ " [ mab {on | off} ]\n"
" [ hwmode {vepa | veb} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
" [ self ] [ master ]\n"
@@ -312,6 +316,7 @@ static int brlink_modify(int argc, char **argv)
__s8 bcast_flood = -1;
__s8 mcast_to_unicast = -1;
__s8 locked = -1;
+ __s8 macauth = -1;
__s8 isolated = -1;
__s8 hairpin = -1;
__s8 bpdu_guard = -1;
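Review bot: the local is named `macauth` while the keyword, the attribute (IFLA_BRPORT_MAB) and the printed field are all `mab`; naming it `mab` like the neighbouring `locked` keeps the parser and the addattr call greppable under one name.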
@@ -437,6 +442,11 @@ static int brlink_modify(int argc, char **argv)
locked = parse_on_off("locked", *argv, &ret);
if (ret)
return ret;
+ } else if (strcmp(*argv, "mab") == 0) {
+ NEXT_ARG();
+ macauth = parse_on_off("mab", *argv, &ret);
+ if (ret)
+ return ret;
} else if (strcmp(*argv, "backup_port") == 0) {
NEXT_ARG();
backup_port_idx = ll_name_to_index(*argv);
@@ -520,6 +530,9 @@ static int brlink_modify(int argc, char **argv)
if (locked >= 0)
addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
+ if (macauth >= 0)
+ addattr8(&req.n, sizeof(req), IFLA_BRPORT_MAB, macauth);
+
if (backup_port_idx != -1)
addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
backup_port_idx);
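Review bot: `mab on` is sent whether or not `locked on` is given in the same command or already set on the port. The man page text in this patch says MAB can only be enabled on a port in locked mode, so rejection by the kernel is the expected path; delegating that check to the kernel is fine, but the man page should then say that `mab on` on a non-locked port fails, or that the two should be set together.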
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 98d17213..e5262bdb 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -44,6 +44,7 @@ static void print_explain(FILE *f)
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
" [ locked {on | off} ]\n"
+ " [ mab {on | off} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
);
}
@@ -288,6 +289,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
print_on_off(PRINT_ANY, "locked", "locked %s ",
rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+ if (tb[IFLA_BRPORT_MAB])
+ print_on_off(PRINT_ANY, "mab", "mab %s ",
+ rta_getattr_u8(tb[IFLA_BRPORT_MAB]));
+
if (tb[IFLA_BRPORT_BACKUP_PORT]) {
int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
@@ -411,6 +416,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
NEXT_ARG();
bridge_slave_parse_on_off("locked", *argv, n,
IFLA_BRPORT_LOCKED);
+ } else if (matches(*argv, "mab") == 0) {
+ NEXT_ARG();
+ bridge_slave_parse_on_off("mab", *argv, n,
+ IFLA_BRPORT_MAB);
} else if (matches(*argv, "backup_port") == 0) {
int ifindex;
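Review bot: `matches(*argv, "mab")` accepts any prefix of the keyword, and the bridge/link.c hunk in this same patch uses `strcmp(*argv, "mab") == 0` for the identical option, so the two front ends now parse it differently; the reply in this thread points to the policy of strcmp() for new keywords. If `matches()` stays here to follow the surrounding `locked` handling, say so in the commit message.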
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index d4df772e..f4f1d807 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -54,6 +54,7 @@ bridge \- show / manipulate bridge addresses and devices
.BR vlan_tunnel " { " on " | " off " } ] [ "
.BR isolated " { " on " | " off " } ] [ "
.BR locked " { " on " | " off " } ] [ "
+.BR mab " { " on " | " off " } ] [ "
.B backup_port
.IR DEVICE " ] ["
.BR nobackup_port " ] [ "
@@ -580,6 +581,17 @@ The common use is that hosts are allowed access through authentication
with the IEEE 802.1X protocol or based on whitelists or like setups.
By default this flag is off.
+.TP
+.BR "mab on " or " mab off "
+Enables or disables the MAB/MacAuth feature. This feature can only be
+enabled on a port that is in locked mode, and when enabled it extends the
+locked port feature so that a host can get access through a locked
+port based on acceptlists, thus it is a much simpler procedure for a
+device to become authorized than f.ex. the 802.1X protocol, and is used
+for devices that are not capable of password or crypto based authorization
+methods.
+The feature triggers a 'locked' FDB entry when a host tries to communicate
+through the MAB enabled port.
.TP
.BI backup_port " DEVICE"
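Review bot: "f.ex." should be spelled out as "for example", and "MAB/MacAuth" versus "MAB" should settle on one name, since the option is `mab`. The description also leaves out the step an operator needs: what the "locked" FDB entry it mentions means and how a host gets from locked to authorized (user space clears the flag, per the reply in this thread). One sentence on that, plus the existing note that the decision is MAC-address based and therefore meant for devices that cannot do 802.1X, would complete it.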
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index fc9d62fc..5f31f80a 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2454,6 +2454,9 @@ the following additional arguments are supported:
.BR isolated " { " on " | " off " }"
] [
.BR locked " { " on " | " off " }"
+] [
+.BR mab " { " on " | " off " }"
+] [
.BR backup_port " DEVICE"
] [
.BR nobackup_port " ]"
@@ -2560,6 +2563,17 @@ default this flag is off.
behind the port cannot communicate through the port unless a FDB entry
representing the host is in the FDB. By default this flag is off.
+.BR mab " { " on " | " off " }"
+- Enables or disables the MAB/MacAuth feature. This feature can only be
+enabled on a port that is in locked mode, and when enabled it extends the
+locked port feature so that a host can get access through a locked
+port based on acceptlists, thus it is a much simpler procedure for a
+device to become authorized than f.ex. the 802.1X protocol, and is used
+for devices that are not capable of password or crypto based authorization
+methods.
+The feature triggers a 'locked' FDB entry when a host tries to communicate
+through the MAB enabled port.
+
.BI backup_port " DEVICE"
- if the port loses carrier all traffic will be redirected to the
configured backup port
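Review bot: this paragraph duplicates the bridge.8 text verbatim, so the same wording fixes apply here ("f.ex.", one name for the feature, a sentence on how the locked entry is authorized); pasting the same final text into both files keeps them from drifting apart.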
--
2.34.1
* [Bridge] [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole feature
2022-10-04 15:20 [Bridge] [PATCH v2 iproute2-next 1/4] include: uapi: MacAuth and Blackhole feature header changes Hans Schultz
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 2/4] bridge: fdb: show locked FDB entries flag in output Hans Schultz
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 3/4] bridge: link: enable MacAuth/MAB feature Hans Schultz
@ 2022-10-04 15:20 ` Hans Schultz
2022-10-13 8:44 ` Ido Schimmel
2 siblings, 1 reply; 6+ messages in thread
From: Hans Schultz @ 2022-10-04 15:20 UTC
To: davem, kuba
Cc: Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Hans Schultz,
Joachim Wiberg, Shuah Khan, Ivan Vecera, Florian Fainelli,
Daniel Borkmann, Ido Schimmel, bridge, Russell King,
linux-arm-kernel, Roopa Prabhu, Paolo Abeni, Vivien Didelot,
Woojung Huh, Landen Chao, Jiri Pirko, Amit Cohen,
Christian Marangi, Hauke Mehrtens, Hans Schultz, Sean Wang,
DENG Qingfang, Claudiu Manoil, linux-mediatek, Matthias Brugger,
Yuwei Wang, Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
Vladimir Oltean, Florent Fourcot
Block traffic to a specific host with the command:
bridge fdb add <MAC> vlan <vid> dev br0 blackhole
Blackhole FDB entries can be added, deleted and replaced with
ordinary FDB entries.
Example with output:
$ bridge fdb add 10:10:10:10:10:10 dev br0 blackhole
$ bridge -d fdb show dev br0
10:10:10:10:10:10 vlan 1 blackhole master br0 permanent
10:10:10:10:10:10 blackhole master br0 permanent
$ bridge -d -j -p fdb show dev br0
[ {
"mac": "10:10:10:10:10:10",
"vlan": 1,
"flags": [ "blackhole" ],
"master": "br0",
"state": "permanent"
},{
"mac": "10:10:10:10:10:10",
"flags": [ "blackhole" ],
"master": "br0",
"state": "permanent"
} ]
Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
bridge/fdb.c | 13 ++++++++++++-
man/man8/bridge.8 | 12 ++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/bridge/fdb.c b/bridge/fdb.c
index f1f0a5bb..1c8c50a8 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -38,7 +38,7 @@ static void usage(void)
fprintf(stderr,
"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
" [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
- " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
+ " [ sticky ] [ local | static | dynamic ] [ blackhole ] [ vlan VID ]\n"
" { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
" [ via DEV ] [ src_vni VNI ]\n"
" bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
@@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
if (flags & NTF_STICKY)
print_string(PRINT_ANY, NULL, "%s ", "sticky");
+ if (ext_flags & NTF_EXT_BLACKHOLE)
+ print_string(PRINT_ANY, NULL, "%s ", "blackhole");
+
if (ext_flags & NTF_EXT_LOCKED)
print_string(PRINT_ANY, NULL, "%s ", "locked");
@@ -421,6 +424,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
char *endptr;
short vid = -1;
__u32 nhid = 0;
+ __u32 ext_flags = 0;
while (argc > 0) {
if (strcmp(*argv, "dev") == 0) {
@@ -492,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
req.ndm.ndm_flags |= NTF_EXT_LEARNED;
} else if (matches(*argv, "sticky") == 0) {
req.ndm.ndm_flags |= NTF_STICKY;
+ } else if (matches(*argv, "blackhole") == 0) {
+ ext_flags |= NTF_EXT_BLACKHOLE;
} else {
if (strcmp(*argv, "to") == 0)
NEXT_ARG();
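Review bot: `matches(*argv, "blackhole")` in new code: the `dev` check at the top of this loop uses strcmp(), and the reply in this thread links the policy of strcmp() for new keywords; with matches(), an abbreviated `b` would be accepted as `blackhole`. Use `strcmp(*argv, "blackhole") == 0`.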
@@ -534,6 +540,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
if (dst_ok)
addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
+ if (ext_flags &&
+ addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
+ sizeof(ext_flags)) < 0)
+ return -1;
+
if (vid >= 0)
addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
if (nhid > 0)
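Review bot: NDA_FLAGS_EXT is a __u32, so `addattr32(&req.n, sizeof(req), NDA_FLAGS_EXT, ext_flags)` states the size explicitly and matches the other attribute calls in this function (addattr16 for NDA_VLAN); the reply in this thread suggests the same. Separately, because the attribute is only emitted when ext_flags is non-zero, a `replace` without `blackhole` sends no NDA_FLAGS_EXT at all; the commit message says blackhole entries can be replaced with ordinary ones, so it is worth confirming (and ideally testing) that the kernel treats the absent attribute as clearing the flag rather than preserving it.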
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index f4f1d807..0119a2a9 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -85,6 +85,13 @@ bridge \- show / manipulate bridge addresses and devices
.B nhid
.IR NHID " } "
+.ti -8
+.BR "bridge fdb" " { " add " | " del " } "
+.I LLADR
+.B dev
+.IR BRDEV " [ "
+.BR self " ] [ " local " ] [ " blackhole " ] "
+
.ti -8
.BR "bridge fdb" " [ [ " show " ] [ "
.B br
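Review bot: the new synopsis lists `{ add | del }` but the commit message says blackhole entries can also be replaced, so `replace` belongs here too. `LLADR` looks like a typo for the `LLADDR` used by the existing fdb synopsis lines. `[ local ]` is shown as optional while the description added further down says the entry must be added as a local permanent entry; make the two agree.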
@@ -701,6 +708,11 @@ controller learnt dynamic entry. Kernel will not age such an entry.
- this entry will not change its port due to learning.
.sp
+.B blackhole
+- this entry will silently discard all matching packets. The entry must
+be added as a local permanent entry.
+.sp
+
.in -8
The next command line parameters apply only
when the specified device
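Review bot: "silently discard all matching packets" does not say what matches. The uapi comment in patch 1/4 says no forwarding is allowed from any port to the MAC/VID pair, i.e. the match is on destination, whereas the locked entry drops on source MAC; writing "all packets destined to this MAC (and VLAN), from any port" avoids confusing the two. "must be added as a local permanent entry" also conflicts with the optional `[ local ]` in the synopsis hunk above.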
--
2.34.1
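The netlink exchange that patches 2/4 and 4/4 operate on, as an added example that is not part of this thread or of iproute2: it encodes the RTM_NEWNEIGH request that `bridge fdb add 10:10:10:10:10:10 dev br0 vlan 1 blackhole` produces, decodes such messages (and dump-shaped entries) into the fields `bridge -j fdb show` prints, checks the NDA_FLAGS_EXT length that rta_getattr_u32() does not, and lists entries the kernel flagged `locked`, i.e. hosts on a MAB port awaiting an authorization decision. Constant values are copied from the kernel uapi headers (NDA_FLAGS_EXT = 15, RTM_NEWNEIGH = 28 and the NLM_F_* values are assumptions to verify against your tree); every message is constructed in memory and nothing is sent to a kernel; the `master` flag default and the NUD_PERMANENT state are choices of this example, not iproute2's defaults.

```python
"""Encode and decode the RTM_NEWNEIGH netlink messages behind
`bridge fdb add ... [vlan VID] blackhole` and `bridge fdb show`.

Editor-added example, not code from iproute2 or from the patch author.
Constant values are copied from include/uapi/linux/neighbour.h and
linux/netlink.h (assumptions: verify NDA_FLAGS_EXT, RTM_NEWNEIGH and
NLM_F_* against your kernel's headers).  All messages are built in
memory; nothing is sent to a kernel."""
import struct

AF_BRIDGE = 7
RTM_NEWNEIGH = 28
NLM_F_REQUEST, NLM_F_EXCL, NLM_F_CREATE = 0x01, 0x200, 0x400
NUD_PERMANENT = 0x80
# ndm_flags bits
NTF_SELF, NTF_MASTER, NTF_EXT_LEARNED = 1 << 1, 1 << 2, 1 << 4
NTF_STICKY, NTF_ROUTER = 1 << 6, 1 << 7
# Extended flags carried in NDA_FLAGS_EXT (patch 1/4 adds the last two)
NTF_EXT_MANAGED, NTF_EXT_LOCKED, NTF_EXT_BLACKHOLE = 1 << 0, 1 << 1, 1 << 2
# Attribute types from the NDA_* enum
NDA_LLADDR, NDA_VLAN, NDA_FLAGS_EXT = 2, 5, 15

# Netlink uses host byte order; "<" pins this example to little-endian hosts.
NLMSG_HDR = struct.Struct("<IHHII")  # nlmsg_len, nlmsg_type, nlmsg_flags, seq, pid
NDMSG = struct.Struct("<BBHiHBB")    # family, pad1, pad2, ifindex, state, flags, type
RTATTR = struct.Struct("<HH")        # rta_len, rta_type


def nla_align(n):
    return (n + 3) & ~3


def nla(atype, payload):
    """One rtattr: header, payload, zero padding to 4 bytes (what addattr_l() emits)."""
    hdr = RTATTR.pack(RTATTR.size + len(payload), atype)
    return hdr + payload + b"\0" * (nla_align(len(payload)) - len(payload))


def build_neigh_msg(ifindex, mac, vid=None, ndm_flags=NTF_MASTER, ext_flags=0,
                    nlmsg_flags=NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL, seq=1):
    """Build an RTM_NEWNEIGH message.  With the defaults it is shaped like the
    request for `bridge fdb add MAC dev DEV master [vlan VID] [blackhole]`;
    with ndm_flags=0 and nlmsg_flags=0 it is shaped like one dump entry."""
    body = NDMSG.pack(AF_BRIDGE, 0, 0, ifindex, NUD_PERMANENT, ndm_flags, 0)
    body += nla(NDA_LLADDR, bytes.fromhex(mac.replace(":", "")))
    if vid is not None:
        body += nla(NDA_VLAN, struct.pack("<H", vid))
    if ext_flags:
        # NDA_FLAGS_EXT is a __u32 in the kernel: a 4-byte payload, i.e. addattr32().
        body += nla(NDA_FLAGS_EXT, struct.pack("<I", ext_flags))
    hdr = NLMSG_HDR.pack(NLMSG_HDR.size + len(body), RTM_NEWNEIGH, nlmsg_flags, seq, 0)
    return hdr + body


def parse_rtattrs(buf):
    """Walk a run of rtattrs into {type: payload}, refusing truncated ones."""
    attrs, off = {}, 0
    while off + RTATTR.size <= len(buf):
        rta_len, rta_type = RTATTR.unpack_from(buf, off)
        if rta_len < RTATTR.size or off + rta_len > len(buf):
            raise ValueError("truncated rtattr at offset %d" % off)
        attrs[rta_type] = buf[off + RTATTR.size:off + rta_len]
        off += nla_align(rta_len)
    return attrs


NDM_FLAG_NAMES = ((NTF_SELF, "self"), (NTF_MASTER, "master"), (NTF_ROUTER, "router"),
                  (NTF_EXT_LEARNED, "extern_learn"), (NTF_STICKY, "sticky"))
EXT_FLAG_NAMES = ((NTF_EXT_BLACKHOLE, "blackhole"), (NTF_EXT_LOCKED, "locked"))


def parse_fdb(msg):
    """Decode one RTM_NEWNEIGH message into the fields `bridge -j fdb show`
    prints (mac, vlan, flags, state), mirroring print_fdb()/fdb_print_flags()."""
    nlmsg_len, nlmsg_type = NLMSG_HDR.unpack_from(msg, 0)[:2]
    if nlmsg_type != RTM_NEWNEIGH or nlmsg_len > len(msg):
        raise ValueError("not a complete RTM_NEWNEIGH message")
    _fam, _p1, _p2, ifindex, state, flags, _type = NDMSG.unpack_from(msg, NLMSG_HDR.size)
    attrs = parse_rtattrs(msg[NLMSG_HDR.size + NDMSG.size:nlmsg_len])
    ext_flags = 0
    if NDA_FLAGS_EXT in attrs:
        # rta_getattr_u32() trusts the attribute length; check it before reading.
        if len(attrs[NDA_FLAGS_EXT]) != 4:
            raise ValueError("NDA_FLAGS_EXT payload is not a __u32")
        ext_flags = struct.unpack("<I", attrs[NDA_FLAGS_EXT])[0]
    names = [n for bit, n in NDM_FLAG_NAMES if flags & bit]
    names += [n for bit, n in EXT_FLAG_NAMES if ext_flags & bit]
    entry = {"mac": ":".join("%02x" % b for b in attrs[NDA_LLADDR]),
             "ifindex": ifindex, "flags": names,
             "state": "permanent" if state & NUD_PERMANENT else "0x%x" % state}
    if NDA_VLAN in attrs:
        entry["vlan"] = struct.unpack("<H", attrs[NDA_VLAN])[0]
    return entry


def is_well_formed(msg):
    try:
        parse_fdb(msg)
        return True
    except (ValueError, KeyError, struct.error):
        return False


def locked_entries(msgs):
    """(mac, vlan) of entries the kernel flagged 'locked': hosts that spoke on a
    MAB-enabled locked port and await a user-space authorization decision."""
    return [(e["mac"], e.get("vlan"))
            for e in map(parse_fdb, msgs) if "locked" in e["flags"]]


if __name__ == "__main__":
    req = build_neigh_msg(3, "10:10:10:10:10:10", vid=1, ext_flags=NTF_EXT_BLACKHOLE)
    print(len(req), "bytes:", req.hex())
    print(parse_fdb(req))
    dump = [build_neigh_msg(4, "00:11:22:33:44:55", vid=10, ndm_flags=0,
                            ext_flags=NTF_EXT_LOCKED, nlmsg_flags=0)]
    print("awaiting authorization:", locked_entries(dump))
```

The blackhole request comes out at 56 bytes: a 16-byte nlmsghdr, a 12-byte ndmsg, then the MAC (6 bytes padded to 8 plus a 4-byte rtattr header), the VLAN (2 padded to 4) and the 4-byte NDA_FLAGS_EXT, which is why the patch's addattr_l() with sizeof(__u32) and addattr32() produce identical bytes but the latter documents the width. The length check in parse_fdb is the step the C code skips: a control plane that consumes dumps from an untrusted netlink relay should not read four bytes from an attribute that only carries one.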
* Re: [Bridge] [PATCH v2 iproute2-next 2/4] bridge: fdb: show locked FDB entries flag in output
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 2/4] bridge: fdb: show locked FDB entries flag in output Hans Schultz
@ 2022-10-13 8:35 ` Ido Schimmel
0 siblings, 0 replies; 6+ messages in thread
From: Ido Schimmel @ 2022-10-13 8:35 UTC
To: Hans Schultz
Cc: Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Joachim Wiberg,
Shuah Khan, Ivan Vecera, Florian Fainelli, Daniel Borkmann,
Florent Fourcot, bridge, Russell King, linux-arm-kernel,
Roopa Prabhu, kuba, Paolo Abeni, Vivien Didelot, Woojung Huh,
Landen Chao, Jiri Pirko, Amit Cohen, Christian Marangi,
Hauke Mehrtens, Hans Schultz, Sean Wang, DENG Qingfang,
Claudiu Manoil, linux-mediatek, Matthias Brugger, Yuwei Wang,
Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
Vladimir Oltean, davem
On Tue, Oct 04, 2022 at 05:20:34PM +0200, Hans Schultz wrote:
> Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
Don't leave the commit message empty. Explain the change and include an
example output showing the "locked" flag.
> ---
> bridge/fdb.c | 11 +++++++++--
Still missing a description of the "locked" flag from the man page.
Something like:
"
locked - this entry was added by the kernel in response to a host trying
to communicate behind a bridge port with MAB enabled. User space can
authenticate the host by clearing the flag. The flag cannot be set by
user space.
"
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 5f71bde0..f1f0a5bb 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -93,7 +93,7 @@ static int state_a2n(unsigned int *s, const char *arg)
> return 0;
> }
>
> -static void fdb_print_flags(FILE *fp, unsigned int flags)
> +static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
s/__u8/__u32/
> {
> open_json_array(PRINT_JSON,
> is_json_context() ? "flags" : "");
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags)
> if (flags & NTF_STICKY)
> print_string(PRINT_ANY, NULL, "%s ", "sticky");
>
> + if (ext_flags & NTF_EXT_LOCKED)
> + print_string(PRINT_ANY, NULL, "%s ", "locked");
> +
> close_json_array(PRINT_JSON, NULL);
> }
>
> @@ -144,6 +147,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
> struct ndmsg *r = NLMSG_DATA(n);
> int len = n->nlmsg_len;
> struct rtattr *tb[NDA_MAX+1];
> + __u32 ext_flags = 0;
> __u16 vid = 0;
>
> if (n->nlmsg_type != RTM_NEWNEIGH && n->nlmsg_type != RTM_DELNEIGH) {
> @@ -170,6 +174,9 @@ int print_fdb(struct nlmsghdr *n, void *arg)
> parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
> n->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
>
> + if (tb[NDA_FLAGS_EXT])
> + ext_flags = rta_getattr_u32(tb[NDA_FLAGS_EXT]);
> +
> if (tb[NDA_VLAN])
> vid = rta_getattr_u16(tb[NDA_VLAN]);
>
> @@ -266,7 +273,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
> if (show_stats && tb[NDA_CACHEINFO])
> fdb_print_stats(fp, RTA_DATA(tb[NDA_CACHEINFO]));
>
> - fdb_print_flags(fp, r->ndm_flags);
> + fdb_print_flags(fp, r->ndm_flags, ext_flags);
>
>
> if (tb[NDA_MASTER])
> --
> 2.34.1
>
* Re: [Bridge] [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole feature
2022-10-04 15:20 ` [Bridge] [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole feature Hans Schultz
@ 2022-10-13 8:44 ` Ido Schimmel
0 siblings, 0 replies; 6+ messages in thread
From: Ido Schimmel @ 2022-10-13 8:44 UTC
To: Hans Schultz
Cc: Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Joachim Wiberg,
Shuah Khan, Ivan Vecera, Florian Fainelli, Daniel Borkmann,
Florent Fourcot, bridge, Russell King, linux-arm-kernel,
Roopa Prabhu, kuba, Paolo Abeni, Vivien Didelot, Woojung Huh,
Landen Chao, Jiri Pirko, Amit Cohen, Christian Marangi,
Hauke Mehrtens, Hans Schultz, Sean Wang, DENG Qingfang,
Claudiu Manoil, linux-mediatek, Matthias Brugger, Yuwei Wang,
Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
Vladimir Oltean, davem
On Tue, Oct 04, 2022 at 05:20:36PM +0200, Hans Schultz wrote:
> Block traffic to a specific host with the command:
> bridge fdb add <MAC> vlan <vid> dev br0 blackhole
>
> Blackhole FDB entries can be added, deleted and replaced with
> ordinary FDB entries.
>
> Example with output:
>
> $ bridge fdb add 10:10:10:10:10:10 dev br0 blackhole
> $ bridge -d fdb show dev br0
> 10:10:10:10:10:10 vlan 1 blackhole master br0 permanent
> 10:10:10:10:10:10 blackhole master br0 permanent
> $ bridge -d -j -p fdb show dev br0
> [ {
> "mac": "10:10:10:10:10:10",
> "vlan": 1,
> "flags": [ "blackhole" ],
> "master": "br0",
> "state": "permanent"
> },{
> "mac": "10:10:10:10:10:10",
> "flags": [ "blackhole" ],
> "master": "br0",
> "state": "permanent"
> } ]
>
> Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
> ---
> bridge/fdb.c | 13 ++++++++++++-
> man/man8/bridge.8 | 12 ++++++++++++
> 2 files changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index f1f0a5bb..1c8c50a8 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -38,7 +38,7 @@ static void usage(void)
> fprintf(stderr,
> "Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
> " [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
> - " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
> + " [ sticky ] [ local | static | dynamic ] [ blackhole ] [ vlan VID ]\n"
> " { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
> " [ via DEV ] [ src_vni VNI ]\n"
> " bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
> if (flags & NTF_STICKY)
> print_string(PRINT_ANY, NULL, "%s ", "sticky");
>
> + if (ext_flags & NTF_EXT_BLACKHOLE)
> + print_string(PRINT_ANY, NULL, "%s ", "blackhole");
> +
> if (ext_flags & NTF_EXT_LOCKED)
> print_string(PRINT_ANY, NULL, "%s ", "locked");
>
> @@ -421,6 +424,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> char *endptr;
> short vid = -1;
> __u32 nhid = 0;
> + __u32 ext_flags = 0;
>
> while (argc > 0) {
> if (strcmp(*argv, "dev") == 0) {
> @@ -492,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> req.ndm.ndm_flags |= NTF_EXT_LEARNED;
> } else if (matches(*argv, "sticky") == 0) {
> req.ndm.ndm_flags |= NTF_STICKY;
> + } else if (matches(*argv, "blackhole") == 0) {
> + ext_flags |= NTF_EXT_BLACKHOLE;
The policy seems to be to use strcmp() instead of matches() in new code:
https://lore.kernel.org/netdev/f7251b13-dbf2-f86c-6c2a-2c037b208017@gmail.com/
> } else {
> if (strcmp(*argv, "to") == 0)
> NEXT_ARG();
> @@ -534,6 +540,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> if (dst_ok)
> addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
>
> + if (ext_flags &&
> + addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
> + sizeof(ext_flags)) < 0)
addattr32() ?
I will check the kernel patches now. I wouldn't submit a new version to
iproute2-next until the kernel patches are accepted.
> + return -1;
> +
> if (vid >= 0)
> addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
> if (nhid > 0)
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index f4f1d807..0119a2a9 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -85,6 +85,13 @@ bridge \- show / manipulate bridge addresses and devices
> .B nhid
> .IR NHID " } "
>
> +.ti -8
> +.BR "bridge fdb" " { " add " | " del " } "
> +.I LLADR
> +.B dev
> +.IR BRDEV " [ "
> +.BR self " ] [ " local " ] [ " blackhole " ] "
> +
> .ti -8
> .BR "bridge fdb" " [ [ " show " ] [ "
> .B br
> @@ -701,6 +708,11 @@ controller learnt dynamic entry. Kernel will not age such an entry.
> - this entry will not change its port due to learning.
> .sp
>
> +.B blackhole
> +- this entry will silently discard all matching packets. The entry must
> +be added as a local permanent entry.
> +.sp
> +
> .in -8
> The next command line parameters apply only
> when the specified device
> --
> 2.34.1
>