* [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature
@ 2022-09-29 15:21 Hans Schultz
  2022-09-29 15:21 ` [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature Hans Schultz
  2022-10-01 14:59 ` [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature Ido Schimmel
From: Hans Schultz @ 2022-09-29 15:21 UTC (permalink / raw)
  To: davem, kuba
  Cc: netdev, Hans Schultz, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Ido Schimmel, Florent Fourcot, Hans Schultz, Joachim Wiberg,
	Amit Cohen, linux-kernel, linux-arm-kernel, linux-mediatek,
	bridge, linux-kselftest

The MAB feature can be enabled on a locked port with the command:
bridge link set dev <DEV> mab on

Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
 bridge/fdb.c                   | 17 +++++++++++++++--
 bridge/link.c                  | 21 ++++++++++++++++++---
 include/uapi/linux/if_link.h   |  1 +
 include/uapi/linux/neighbour.h |  7 ++++++-
 ip/iplink_bridge_slave.c       | 16 +++++++++++++---
 man/man8/bridge.8              | 10 ++++++++++
 man/man8/ip-link.8.in          |  8 ++++++++
 7 files changed, 71 insertions(+), 9 deletions(-)

diff --git a/bridge/fdb.c b/bridge/fdb.c
index 5f71bde0..0fbe9bd3 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -93,7 +93,7 @@ static int state_a2n(unsigned int *s, const char *arg)
 	return 0;
 }
 
-static void fdb_print_flags(FILE *fp, unsigned int flags)
+static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
 {
 	open_json_array(PRINT_JSON,
 			is_json_context() ?  "flags" : "");
@@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags)
 	if (flags & NTF_STICKY)
 		print_string(PRINT_ANY, NULL, "%s ", "sticky");
 
+	if (ext_flags & NTF_EXT_LOCKED)
+		print_string(PRINT_ANY, NULL, "%s ", "locked");
+
 	close_json_array(PRINT_JSON, NULL);
 }
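Review bot: The new `ext_flags` parameter is declared `__u8`, but the caller in print_fdb reads NDA_FLAGS_EXT with `rta_getattr_u32()` into a `__u32` before passing it here, so any extended flag above bit 7 is silently truncated before it can be printed. Declare the parameter with the attribute's real width, `static void fdb_print_flags(FILE *fp, unsigned int flags, __u32 ext_flags)`, so the signature matches NDA_FLAGS_EXT and no future NTF_EXT_* bit is dropped from the output. The truncation is harmless for the bits defined in this series but leaves a reporting gap once more extended flags exist.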
 
@@ -144,6 +147,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
 	struct ndmsg *r = NLMSG_DATA(n);
 	int len = n->nlmsg_len;
 	struct rtattr *tb[NDA_MAX+1];
+	__u32 ext_flags = 0;
 	__u16 vid = 0;
 
 	if (n->nlmsg_type != RTM_NEWNEIGH && n->nlmsg_type != RTM_DELNEIGH) {
@@ -170,6 +174,9 @@ int print_fdb(struct nlmsghdr *n, void *arg)
 	parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
 		     n->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
 
+	if (tb[NDA_FLAGS_EXT])
+		ext_flags = rta_getattr_u32(tb[NDA_FLAGS_EXT]);
+
 	if (tb[NDA_VLAN])
 		vid = rta_getattr_u16(tb[NDA_VLAN]);
 
@@ -266,7 +273,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
 	if (show_stats && tb[NDA_CACHEINFO])
 		fdb_print_stats(fp, RTA_DATA(tb[NDA_CACHEINFO]));
 
-	fdb_print_flags(fp, r->ndm_flags);
+	fdb_print_flags(fp, r->ndm_flags, ext_flags);
 
 
 	if (tb[NDA_MASTER])
@@ -414,6 +421,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
 	char *endptr;
 	short vid = -1;
 	__u32 nhid = 0;
+	__u32 ext_flags = 0;
 
 	while (argc > 0) {
 		if (strcmp(*argv, "dev") == 0) {
@@ -527,6 +535,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
 	if (dst_ok)
 		addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
 
+	if (ext_flags &&
+	    addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
+		      sizeof(ext_flags)) < 0)
+		return -1;
+
 	if (vid >= 0)
 		addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
 	if (nhid > 0)
diff --git a/bridge/link.c b/bridge/link.c
index 3810fa04..dd69d7c3 100644
--- a/bridge/link.c
+++ b/bridge/link.c
@@ -181,9 +181,14 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
 		if (prtb[IFLA_BRPORT_ISOLATED])
 			print_on_off(PRINT_ANY, "isolated", "isolated %s ",
 				     rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
-		if (prtb[IFLA_BRPORT_LOCKED])
-			print_on_off(PRINT_ANY, "locked", "locked %s ",
-				     rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
+		if (prtb[IFLA_BRPORT_LOCKED]) {
+			if (prtb[IFLA_BRPORT_MAB] && rta_getattr_u8(prtb[IFLA_BRPORT_MAB]))
+				print_on_off(PRINT_ANY, "locked mab", "locked mab %s ",
+					     rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
+			else
+				print_on_off(PRINT_ANY, "locked", "locked %s ",
+					     rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
+		}
 	} else
 		print_stp_state(rta_getattr_u8(attr));
 }
@@ -281,6 +286,7 @@ static void usage(void)
 		"                               [ vlan_tunnel {on | off} ]\n"
 		"                               [ isolated {on | off} ]\n"
 		"                               [ locked {on | off} ]\n"
+		"                               [ mab {on | off} ]\n"
 		"                               [ hwmode {vepa | veb} ]\n"
 		"                               [ backup_port DEVICE ] [ nobackup_port ]\n"
 		"                               [ self ] [ master ]\n"
@@ -312,6 +318,7 @@ static int brlink_modify(int argc, char **argv)
 	__s8 bcast_flood = -1;
 	__s8 mcast_to_unicast = -1;
 	__s8 locked = -1;
+	__s8 macauth = -1;
 	__s8 isolated = -1;
 	__s8 hairpin = -1;
 	__s8 bpdu_guard = -1;
@@ -437,6 +444,11 @@ static int brlink_modify(int argc, char **argv)
 			locked = parse_on_off("locked", *argv, &ret);
 			if (ret)
 				return ret;
+		} else if (strcmp(*argv, "mab") == 0) {
+			NEXT_ARG();
+			macauth = parse_on_off("mab", *argv, &ret);
+			if (ret)
+				return ret;
 		} else if (strcmp(*argv, "backup_port") == 0) {
 			NEXT_ARG();
 			backup_port_idx = ll_name_to_index(*argv);
@@ -520,6 +532,9 @@ static int brlink_modify(int argc, char **argv)
 	if (locked >= 0)
 		addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
 
+	if (macauth >= 0)
+		addattr8(&req.n, sizeof(req), IFLA_BRPORT_MAB, macauth);
+
 	if (backup_port_idx != -1)
 		addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
 			  backup_port_idx);
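Review bot: `mab` is sent as an independent IFLA_BRPORT_MAB attribute with no local consistency check against `locked`, so a command such as `bridge link set dev X locked off mab on` is forwarded as-is and the user only sees whatever errno the kernel returns. Since the man page text in this same patch states that MAB can only be enabled on a locked port, rejecting the contradictory combination up front gives a clearer error: `if (macauth > 0 && locked == 0) { fprintf(stderr, "mab requires locked on\n"); return -1; }` placed before the attributes are appended. The kernel presumably remains the authority for the case where the port is already unlocked and only `mab on` is given; brlink_modify's body begins and ends outside this hunk.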
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 7494cffb..58a002de 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -559,6 +559,7 @@ enum {
 	IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
 	IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
 	IFLA_BRPORT_LOCKED,
+	IFLA_BRPORT_MAB,
 	__IFLA_BRPORT_MAX
 };
 #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index a998bf76..4dda051b 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -52,7 +52,8 @@ enum {
 #define NTF_STICKY	(1 << 6)
 #define NTF_ROUTER	(1 << 7)
 /* Extended flags under NDA_FLAGS_EXT: */
-#define NTF_EXT_MANAGED	(1 << 0)
+#define NTF_EXT_MANAGED		(1 << 0)
+#define NTF_EXT_LOCKED		(1 << 1)
 
 /*
  *	Neighbor Cache Entry States.
@@ -86,6 +87,10 @@ enum {
  * NTF_EXT_MANAGED flagged neigbor entries are managed by the kernel on behalf
  * of a user space control plane, and automatically refreshed so that (if
  * possible) they remain in NUD_REACHABLE state.
+ *
+ * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
+ * locked port feature, that ensures that an entry exists while at the same
+ * time dropping packets on ingress with src MAC and VID matching the entry.
  */
 
 struct nda_cacheinfo {
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 98d17213..0c0894eb 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -44,6 +44,7 @@ static void print_explain(FILE *f)
 		"			[ vlan_tunnel {on | off} ]\n"
 		"			[ isolated {on | off} ]\n"
 		"			[ locked {on | off} ]\n"
+		"                       [ mab {on | off} ]\n"
 		"			[ backup_port DEVICE ] [ nobackup_port ]\n"
 	);
 }
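Review bot: The new usage line appears to be indented with spaces while the adjacent lines in the same string literal use tab characters, so the `mab` entry will render misaligned in the `ip link help` output. Use `"\t\t\t[ mab {on | off} ]\n"` to match the neighbouring `locked` line. print_explain's body begins before this hunk.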
@@ -284,9 +285,14 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
 		print_on_off(PRINT_ANY, "isolated", "isolated %s ",
 			     rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
 
-	if (tb[IFLA_BRPORT_LOCKED])
-		print_on_off(PRINT_ANY, "locked", "locked %s ",
-			     rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+	if (tb[IFLA_BRPORT_LOCKED]) {
+		if (tb[IFLA_BRPORT_MAB] && rta_getattr_u8(tb[IFLA_BRPORT_MAB]))
+			print_on_off(PRINT_ANY, "locked mab", "locked mab %s ",
+				     rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+		else
+			print_on_off(PRINT_ANY, "locked", "locked %s ",
+				     rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+	}
 
 	if (tb[IFLA_BRPORT_BACKUP_PORT]) {
 		int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
@@ -411,6 +417,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
 			NEXT_ARG();
 			bridge_slave_parse_on_off("locked", *argv, n,
 						  IFLA_BRPORT_LOCKED);
+		} else if (matches(*argv, "mab") == 0) {
+			NEXT_ARG();
+			bridge_slave_parse_on_off("mab", *argv, n,
+						  IFLA_BRPORT_MAB);
 		} else if (matches(*argv, "backup_port") == 0) {
 			int ifindex;
 
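Review bot: `matches(*argv, "mab")` accepts any prefix of the keyword, so `ma` or `m` would be taken as `mab` unless an earlier `matches()` branch claims it first, while the sibling change to bridge/link.c in this same patch uses `strcmp(*argv, "mab")` for the identical option. For a new security-relevant keyword an exact match is the safer choice and keeps the two front-ends consistent: `} else if (strcmp(*argv, "mab") == 0) {`. The surrounding options in this file do use matches(), so this is a choice about the new code rather than a fix to existing behaviour; bridge_slave_parse_opt's body extends beyond the hunk.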
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index d4df772e..40250477 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -54,6 +54,7 @@ bridge \- show / manipulate bridge addresses and devices
 .BR vlan_tunnel " { " on " | " off " } ] [ "
 .BR isolated " { " on " | " off " } ] [ "
 .BR locked " { " on " | " off " } ] [ "
+.BR mab " { " on " | " off " } ] [ "
 .B backup_port
 .IR  DEVICE " ] ["
 .BR nobackup_port " ] [ "
@@ -580,6 +581,15 @@ The common use is that hosts are allowed access through authentication
 with the IEEE 802.1X protocol or based on whitelists or like setups.
 By default this flag is off.
 
+.TP
+.RB "mab on " or " mab off "
+Enables or disables the MAB/MacAuth feature. This feature can only be
+activated on a port that is in locked mode, and when enabled it extends the
+locked port feature so that MAC address can get access through a locked
+port based on acceptlists, thus it is a much simpler procedure for a
+device to become authorized than f.ex. the 802.1X protocol, and is used
+for devices that are not capable of password or crypto based authorization
+methods.
 
 .TP
 .BI backup_port " DEVICE"
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index fc9d62fc..187ca7ca 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2454,6 +2454,9 @@ the following additional arguments are supported:
 .BR isolated " { " on " | " off " }"
 ] [
 .BR locked " { " on " | " off " }"
+] [
+.BR mab " { " on " | " off " }"
+] [
 .BR backup_port " DEVICE"
 ] [
 .BR nobackup_port " ]"
@@ -2560,6 +2563,11 @@ default this flag is off.
 behind the port cannot communicate through the port unless a FDB entry
 representing the host is in the FDB. By default this flag is off.
 
+.BR mab " { " on " | " off " }"
+- enables or disables the MAB/MacAuth feature on a locked port. It is
+thus possible for a device to gain authorization on a locked port based
+on acceptlists.
+
 .BI backup_port " DEVICE"
 - if the port loses carrier all traffic will be redirected to the
 configured backup port
-- 
2.34.1



* [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature
  2022-09-29 15:21 [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature Hans Schultz
@ 2022-09-29 15:21 ` Hans Schultz
  2022-09-29 15:43   ` [Bridge] " Stephen Hemminger
  2022-10-01 15:38   ` Ido Schimmel
  2022-10-01 14:59 ` [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature Ido Schimmel
From: Hans Schultz @ 2022-09-29 15:21 UTC (permalink / raw)
  To: davem, kuba
  Cc: netdev, Hans Schultz, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Ido Schimmel, Florent Fourcot, Hans Schultz, Joachim Wiberg,
	Amit Cohen, linux-kernel, linux-arm-kernel, linux-mediatek,
	bridge, linux-kselftest

Block traffic to a specific host with the command:
bridge fdb add <MAC> vlan <vid> dev br0 blackhole

The blackhole FDB entries can be added, deleted and replaced with
ordinary FDB entries.

Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
 bridge/fdb.c                   | 7 ++++++-
 include/uapi/linux/neighbour.h | 4 ++++
 man/man8/bridge.8              | 6 ++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/bridge/fdb.c b/bridge/fdb.c
index 0fbe9bd3..2160f1c2 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -38,7 +38,7 @@ static void usage(void)
 	fprintf(stderr,
 		"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
 		"              [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
-		"              [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
+		"              [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n"
 		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
 		"	       [ via DEV ] [ src_vni VNI ]\n"
 		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
@@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
 	if (flags & NTF_STICKY)
 		print_string(PRINT_ANY, NULL, "%s ", "sticky");
 
+	if (ext_flags & NTF_EXT_BLACKHOLE)
+		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
+
 	if (ext_flags & NTF_EXT_LOCKED)
 		print_string(PRINT_ANY, NULL, "%s ", "locked");
 
@@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
 			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
 		} else if (matches(*argv, "sticky") == 0) {
 			req.ndm.ndm_flags |= NTF_STICKY;
+		} else if (matches(*argv, "blackhole") == 0) {
+			ext_flags |= NTF_EXT_BLACKHOLE;
 		} else {
 			if (strcmp(*argv, "to") == 0)
 				NEXT_ARG();
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 4dda051b..cc7d540e 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -54,6 +54,7 @@ enum {
 /* Extended flags under NDA_FLAGS_EXT: */
 #define NTF_EXT_MANAGED		(1 << 0)
 #define NTF_EXT_LOCKED		(1 << 1)
+#define NTF_EXT_BLACKHOLE	(1 << 2)
 
 /*
  *	Neighbor Cache Entry States.
@@ -91,6 +92,9 @@ enum {
  * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
  * locked port feature, that ensures that an entry exists while at the same
  * time dropping packets on ingress with src MAC and VID matching the entry.
+ *
+ * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
+ * from any port to the destination MAC, VID pair associated with it.
  */
 
 struct nda_cacheinfo {
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index 40250477..af2e7db2 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry.
 - this entry will not change its port due to learning.
 .sp
 
+.B blackhole
+- this is an entry that denies all forwarding from any port to a destination
+matching the entry. It can be added by userspace, but the flag is mostly set
+from a hardware driver.
+.sp
+
 .in -8
 The next command line parameters apply only
 when the specified device
-- 
2.34.1



* Re: [Bridge] [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature
  2022-09-29 15:21 ` [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature Hans Schultz
@ 2022-09-29 15:43   ` Stephen Hemminger
  2022-09-29 16:14     ` netdev
  2022-10-01 15:38   ` Ido Schimmel
From: Stephen Hemminger @ 2022-09-29 15:43 UTC (permalink / raw)
  To: Hans Schultz
  Cc: davem, kuba, Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
	Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Joachim Wiberg,
	Shuah Khan, Ivan Vecera, Florian Fainelli, Daniel Borkmann,
	Ido Schimmel, bridge, Russell King, linux-arm-kernel,
	Roopa Prabhu, Paolo Abeni, Vivien Didelot, Woojung Huh,
	Landen Chao, Jiri Pirko, Amit Cohen, Christian Marangi,
	Hauke Mehrtens, Hans Schultz, Sean Wang, DENG Qingfang,
	Claudiu Manoil, linux-mediatek, Matthias Brugger, Yuwei Wang,
	Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
	Vladimir Oltean, Florent Fourcot

On Thu, 29 Sep 2022 17:21:37 +0200
Hans Schultz <netdev@kapio-technology.com> wrote:

>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();

The parsing of flags is weird here, most of the flags are compared with strcmp()
but some use matches()..  I should have used strcmp() all the time; but at the
time did not realize what kind of confusion matches() can cause.


* Re: [Bridge] [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature
  2022-09-29 15:43   ` [Bridge] " Stephen Hemminger
@ 2022-09-29 16:14     ` netdev
From: netdev @ 2022-09-29 16:14 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: davem, kuba, Andrew Lunn, Alexandre Belloni, Nikolay Aleksandrov,
	Kurt Kanzenbach, Eric Dumazet, linux-kselftest, Joachim Wiberg,
	Shuah Khan, Ivan Vecera, Florian Fainelli, Daniel Borkmann,
	Ido Schimmel, bridge, Russell King, linux-arm-kernel,
	Roopa Prabhu, Paolo Abeni, Vivien Didelot, Woojung Huh,
	Landen Chao, Jiri Pirko, Amit Cohen, Christian Marangi,
	Hauke Mehrtens, Hans Schultz, Sean Wang, DENG Qingfang,
	Claudiu Manoil, linux-mediatek, Matthias Brugger, Yuwei Wang,
	Petr Machata, netdev, linux-kernel, UNGLinuxDriver,
	Vladimir Oltean, Florent Fourcot

On 2022-09-29 17:43, Stephen Hemminger wrote:
> On Thu, 29 Sep 2022 17:21:37 +0200
> Hans Schultz <netdev@kapio-technology.com> wrote:
> 
>> 
>> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int 
>> argc, char **argv)
>>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>>  		} else if (matches(*argv, "sticky") == 0) {
>>  			req.ndm.ndm_flags |= NTF_STICKY;
>> +		} else if (matches(*argv, "blackhole") == 0) {
>> +			ext_flags |= NTF_EXT_BLACKHOLE;
>>  		} else {
>>  			if (strcmp(*argv, "to") == 0)
>>  				NEXT_ARG();
> 
> The parsing of flags is weird here, most of the flags are compared with 
> strcmp()
> but some use matches()..  I should have used strcmp() all the time; but 
> at the
> time did not realize what kind of confusion matches() can cause.

Maybe just change all of them then, and then how about using strncmp() 
and maybe also strnlen() instead?


* Re: [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature
  2022-09-29 15:21 [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature Hans Schultz
  2022-09-29 15:21 ` [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature Hans Schultz
@ 2022-10-01 14:59 ` Ido Schimmel
  2022-10-01 21:32   ` netdev
  2022-10-02 15:20   ` netdev
From: Ido Schimmel @ 2022-10-01 14:59 UTC (permalink / raw)
  To: Hans Schultz
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On Thu, Sep 29, 2022 at 05:21:36PM +0200, Hans Schultz wrote:
> The MAB feature can be enabled on a locked port with the command:
> bridge link set dev <DEV> mab on

Please provide regular and JSON output in the commit message.

> 
> Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
> ---
>  bridge/fdb.c                   | 17 +++++++++++++++--
>  bridge/link.c                  | 21 ++++++++++++++++++---
>  include/uapi/linux/if_link.h   |  1 +
>  include/uapi/linux/neighbour.h |  7 ++++++-

IIRC, in the past David asked to either not send the uAPI files or send
them as a first patch which he then uses as a hint to sync the files
himself.

>  ip/iplink_bridge_slave.c       | 16 +++++++++++++---
>  man/man8/bridge.8              | 10 ++++++++++
>  man/man8/ip-link.8.in          |  8 ++++++++
>  7 files changed, 71 insertions(+), 9 deletions(-)
> 
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 5f71bde0..0fbe9bd3 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -93,7 +93,7 @@ static int state_a2n(unsigned int *s, const char *arg)
>  	return 0;
>  }
>  
> -static void fdb_print_flags(FILE *fp, unsigned int flags)
> +static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
>  {
>  	open_json_array(PRINT_JSON,
>  			is_json_context() ?  "flags" : "");
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags)
>  	if (flags & NTF_STICKY)
>  		print_string(PRINT_ANY, NULL, "%s ", "sticky");
>  
> +	if (ext_flags & NTF_EXT_LOCKED)
> +		print_string(PRINT_ANY, NULL, "%s ", "locked");
> +
>  	close_json_array(PRINT_JSON, NULL);
>  }

This is a separate change. Make one patch for the MAB option and another
for the new "locked" FDB flag.

>  
> @@ -144,6 +147,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
>  	struct ndmsg *r = NLMSG_DATA(n);
>  	int len = n->nlmsg_len;
>  	struct rtattr *tb[NDA_MAX+1];
> +	__u32 ext_flags = 0;
>  	__u16 vid = 0;
>  
>  	if (n->nlmsg_type != RTM_NEWNEIGH && n->nlmsg_type != RTM_DELNEIGH) {
> @@ -170,6 +174,9 @@ int print_fdb(struct nlmsghdr *n, void *arg)
>  	parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
>  		     n->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
>  
> +	if (tb[NDA_FLAGS_EXT])
> +		ext_flags = rta_getattr_u32(tb[NDA_FLAGS_EXT]);
> +
>  	if (tb[NDA_VLAN])
>  		vid = rta_getattr_u16(tb[NDA_VLAN]);
>  
> @@ -266,7 +273,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
>  	if (show_stats && tb[NDA_CACHEINFO])
>  		fdb_print_stats(fp, RTA_DATA(tb[NDA_CACHEINFO]));
>  
> -	fdb_print_flags(fp, r->ndm_flags);
> +	fdb_print_flags(fp, r->ndm_flags, ext_flags);
>  
>  
>  	if (tb[NDA_MASTER])
> @@ -414,6 +421,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  	char *endptr;
>  	short vid = -1;
>  	__u32 nhid = 0;
> +	__u32 ext_flags = 0;
>  
>  	while (argc > 0) {
>  		if (strcmp(*argv, "dev") == 0) {
> @@ -527,6 +535,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  	if (dst_ok)
>  		addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
>  
> +	if (ext_flags &&
> +	    addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
> +		      sizeof(ext_flags)) < 0)
> +		return -1;
> +

I believe this belongs with the "blackhole" patch.

>  	if (vid >= 0)
>  		addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
>  	if (nhid > 0)
> diff --git a/bridge/link.c b/bridge/link.c
> index 3810fa04..dd69d7c3 100644
> --- a/bridge/link.c
> +++ b/bridge/link.c
> @@ -181,9 +181,14 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
>  		if (prtb[IFLA_BRPORT_ISOLATED])
>  			print_on_off(PRINT_ANY, "isolated", "isolated %s ",
>  				     rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
> -		if (prtb[IFLA_BRPORT_LOCKED])
> -			print_on_off(PRINT_ANY, "locked", "locked %s ",
> -				     rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
> +		if (prtb[IFLA_BRPORT_LOCKED]) {
> +			if (prtb[IFLA_BRPORT_MAB] && rta_getattr_u8(prtb[IFLA_BRPORT_MAB]))
> +				print_on_off(PRINT_ANY, "locked mab", "locked mab %s ",
> +					     rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
> +			else
> +				print_on_off(PRINT_ANY, "locked", "locked %s ",
> +					     rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
> +		}

These are separate flags and need to be dumped independently. The fact
that MAB can only be enabled when the port is locked is enforced by the
kernel.

>  	} else
>  		print_stp_state(rta_getattr_u8(attr));
>  }
> @@ -281,6 +286,7 @@ static void usage(void)
>  		"                               [ vlan_tunnel {on | off} ]\n"
>  		"                               [ isolated {on | off} ]\n"
>  		"                               [ locked {on | off} ]\n"
> +		"                               [ mab {on | off} ]\n"
>  		"                               [ hwmode {vepa | veb} ]\n"
>  		"                               [ backup_port DEVICE ] [ nobackup_port ]\n"
>  		"                               [ self ] [ master ]\n"
> @@ -312,6 +318,7 @@ static int brlink_modify(int argc, char **argv)
>  	__s8 bcast_flood = -1;
>  	__s8 mcast_to_unicast = -1;
>  	__s8 locked = -1;
> +	__s8 macauth = -1;
>  	__s8 isolated = -1;
>  	__s8 hairpin = -1;
>  	__s8 bpdu_guard = -1;
> @@ -437,6 +444,11 @@ static int brlink_modify(int argc, char **argv)
>  			locked = parse_on_off("locked", *argv, &ret);
>  			if (ret)
>  				return ret;
> +		} else if (strcmp(*argv, "mab") == 0) {
> +			NEXT_ARG();
> +			macauth = parse_on_off("mab", *argv, &ret);
> +			if (ret)
> +				return ret;
>  		} else if (strcmp(*argv, "backup_port") == 0) {
>  			NEXT_ARG();
>  			backup_port_idx = ll_name_to_index(*argv);
> @@ -520,6 +532,9 @@ static int brlink_modify(int argc, char **argv)
>  	if (locked >= 0)
>  		addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
>  
> +	if (macauth >= 0)
> +		addattr8(&req.n, sizeof(req), IFLA_BRPORT_MAB, macauth);
> +
>  	if (backup_port_idx != -1)
>  		addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
>  			  backup_port_idx);
> diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
> index 7494cffb..58a002de 100644
> --- a/include/uapi/linux/if_link.h
> +++ b/include/uapi/linux/if_link.h
> @@ -559,6 +559,7 @@ enum {
>  	IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
>  	IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
>  	IFLA_BRPORT_LOCKED,
> +	IFLA_BRPORT_MAB,
>  	__IFLA_BRPORT_MAX
>  };
>  #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
> index a998bf76..4dda051b 100644
> --- a/include/uapi/linux/neighbour.h
> +++ b/include/uapi/linux/neighbour.h
> @@ -52,7 +52,8 @@ enum {
>  #define NTF_STICKY	(1 << 6)
>  #define NTF_ROUTER	(1 << 7)
>  /* Extended flags under NDA_FLAGS_EXT: */
> -#define NTF_EXT_MANAGED	(1 << 0)
> +#define NTF_EXT_MANAGED		(1 << 0)
> +#define NTF_EXT_LOCKED		(1 << 1)
>  
>  /*
>   *	Neighbor Cache Entry States.
> @@ -86,6 +87,10 @@ enum {
>   * NTF_EXT_MANAGED flagged neigbor entries are managed by the kernel on behalf
>   * of a user space control plane, and automatically refreshed so that (if
>   * possible) they remain in NUD_REACHABLE state.
> + *
> + * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
> + * locked port feature, that ensures that an entry exists while at the same
> + * time dropping packets on ingress with src MAC and VID matching the entry.
>   */
>  
>  struct nda_cacheinfo {
> diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
> index 98d17213..0c0894eb 100644
> --- a/ip/iplink_bridge_slave.c
> +++ b/ip/iplink_bridge_slave.c
> @@ -44,6 +44,7 @@ static void print_explain(FILE *f)
>  		"			[ vlan_tunnel {on | off} ]\n"
>  		"			[ isolated {on | off} ]\n"
>  		"			[ locked {on | off} ]\n"
> +		"                       [ mab {on | off} ]\n"
>  		"			[ backup_port DEVICE ] [ nobackup_port ]\n"
>  	);
>  }
> @@ -284,9 +285,14 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
>  		print_on_off(PRINT_ANY, "isolated", "isolated %s ",
>  			     rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
>  
> -	if (tb[IFLA_BRPORT_LOCKED])
> -		print_on_off(PRINT_ANY, "locked", "locked %s ",
> -			     rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
> +	if (tb[IFLA_BRPORT_LOCKED]) {
> +		if (tb[IFLA_BRPORT_MAB] && rta_getattr_u8(tb[IFLA_BRPORT_MAB]))
> +			print_on_off(PRINT_ANY, "locked mab", "locked mab %s ",
> +				     rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
> +		else
> +			print_on_off(PRINT_ANY, "locked", "locked %s ",
> +				     rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
> +	}

Same comment as before.

>  
>  	if (tb[IFLA_BRPORT_BACKUP_PORT]) {
>  		int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
> @@ -411,6 +417,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
>  			NEXT_ARG();
>  			bridge_slave_parse_on_off("locked", *argv, n,
>  						  IFLA_BRPORT_LOCKED);
> +		} else if (matches(*argv, "mab") == 0) {
> +			NEXT_ARG();
> +			bridge_slave_parse_on_off("mab", *argv, n,
> +						  IFLA_BRPORT_MAB);
>  		} else if (matches(*argv, "backup_port") == 0) {
>  			int ifindex;
>  
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index d4df772e..40250477 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -54,6 +54,7 @@ bridge \- show / manipulate bridge addresses and devices
>  .BR vlan_tunnel " { " on " | " off " } ] [ "
>  .BR isolated " { " on " | " off " } ] [ "
>  .BR locked " { " on " | " off " } ] [ "
> +.BR mab " { " on " | " off " } ] [ "
>  .B backup_port
>  .IR  DEVICE " ] ["
>  .BR nobackup_port " ] [ "
> @@ -580,6 +581,15 @@ The common use is that hosts are allowed access through authentication
>  with the IEEE 802.1X protocol or based on whitelists or like setups.
>  By default this flag is off.
>  
> +.TP
> +.RB "mab on " or " mab off "
> +Enables or disables the MAB/MacAuth feature. This feature can only be
> +activated on a port that is in locked mode, and when enabled it extends the

s/activated/enabled/

> +locked port feature so that MAC address can get access through a locked

s/MAC address/a host/ ?

> +port based on acceptlists, thus it is a much simpler procedure for a
> +device to become authorized than f.ex. the 802.1X protocol, and is used
> +for devices that are not capable of password or crypto based authorization
> +methods.

This is a high level description of the option, but it is missing the
part that ties it to the "locked" FDB entries.

Speaking of which, the "locked" flag needs to be described in
man/man8/bridge.8 (in a different patch)

>  
>  .TP
>  .BI backup_port " DEVICE"
> diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
> index fc9d62fc..187ca7ca 100644
> --- a/man/man8/ip-link.8.in
> +++ b/man/man8/ip-link.8.in
> @@ -2454,6 +2454,9 @@ the following additional arguments are supported:
>  .BR isolated " { " on " | " off " }"
>  ] [
>  .BR locked " { " on " | " off " }"
> +] [
> +.BR mab " { " on " | " off " }"
> +] [
>  .BR backup_port " DEVICE"
>  ] [
>  .BR nobackup_port " ]"
> @@ -2560,6 +2563,11 @@ default this flag is off.
>  behind the port cannot communicate through the port unless a FDB entry
>  representing the host is in the FDB. By default this flag is off.
>  
> +.BR mab " { " on " | " off " }"
> +- enables or disables the MAB/MacAuth feature on a locked port. It is
> +thus possible for a device to gain authorization on a locked port based
> +on acceptlists.

Why not just copy-paste the previous description?

> +
>  .BI backup_port " DEVICE"
>  - if the port loses carrier all traffic will be redirected to the
>  configured backup port
> -- 
> 2.34.1
> 


* Re: [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature
  2022-09-29 15:21 ` [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature Hans Schultz
  2022-09-29 15:43   ` [Bridge] " Stephen Hemminger
@ 2022-10-01 15:38   ` Ido Schimmel
  2022-10-01 21:37     ` netdev
  2022-10-03 18:23     ` netdev
  1 sibling, 2 replies; 12+ messages in thread
From: Ido Schimmel @ 2022-10-01 15:38 UTC (permalink / raw)
  To: Hans Schultz
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On Thu, Sep 29, 2022 at 05:21:37PM +0200, Hans Schultz wrote:
> Block traffic to a specific host with the command:
> bridge fdb add <MAC> vlan <vid> dev br0 blackhole

Please add an example with regular and JSON output.

> 
> The blackhole FDB entries can be added, deleted and replaced with
> ordinary FDB entries.
> 
> Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
> ---
>  bridge/fdb.c                   | 7 ++++++-
>  include/uapi/linux/neighbour.h | 4 ++++
>  man/man8/bridge.8              | 6 ++++++
>  3 files changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 0fbe9bd3..2160f1c2 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -38,7 +38,7 @@ static void usage(void)
>  	fprintf(stderr,
>  		"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
>  		"              [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
> -		"              [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
> +		"              [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n"

[ blackhole ]

>  		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
>  		"	       [ via DEV ] [ src_vni VNI ]\n"
>  		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
>  	if (flags & NTF_STICKY)
>  		print_string(PRINT_ANY, NULL, "%s ", "sticky");
>  
> +	if (ext_flags & NTF_EXT_BLACKHOLE)
> +		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
> +
>  	if (ext_flags & NTF_EXT_LOCKED)
>  		print_string(PRINT_ANY, NULL, "%s ", "locked");
>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();
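Review bot: The new `blackhole` branch uses `matches()`, so any prefix of the keyword (`b`, `bla`, ...) is accepted, whereas the `to` fallback two lines below uses `strcmp()`; for a flag whose effect is to discard all matching traffic an exact match is the safer parse, `} else if (strcmp(*argv, "blackhole") == 0) {`. The neighbouring `sticky` and `extern_learn` branches use `matches()` too, so this is a deliberate consistency trade-off rather than a regression introduced here. fdb_modify starts and ends outside the hunk, so whether `ext_flags` is actually emitted as an NDA_FLAGS_EXT attribute when non-zero cannot be confirmed from these lines.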
> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
> index 4dda051b..cc7d540e 100644
> --- a/include/uapi/linux/neighbour.h
> +++ b/include/uapi/linux/neighbour.h
> @@ -54,6 +54,7 @@ enum {
>  /* Extended flags under NDA_FLAGS_EXT: */
>  #define NTF_EXT_MANAGED		(1 << 0)
>  #define NTF_EXT_LOCKED		(1 << 1)
> +#define NTF_EXT_BLACKHOLE	(1 << 2)
>  
>  /*
>   *	Neighbor Cache Entry States.
> @@ -91,6 +92,9 @@ enum {
>   * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
>   * locked port feature, that ensures that an entry exists while at the same
>   * time dropping packets on ingress with src MAC and VID matching the entry.
> + *
> + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
> + * from any port to the destination MAC, VID pair associated with it.
>   */
>  
>  struct nda_cacheinfo {
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index 40250477..af2e7db2 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry.
>  - this entry will not change its port due to learning.
>  .sp

Need to patch the "SYNOPSIS" section as well

>  
> +.B blackhole
> +- this is an entry that denies all forwarding from any port to a destination
> +matching the entry. It can be added by userspace, but the flag is mostly set
> +from a hardware driver.

I'm not sure the last sentence belongs in the man page. We have no way
of knowing if it is true and it can change with time.

How about:

"this entry will silently discard all matching packets. The entry must
be added as a local permanent entry."

> +.sp
> +
>  .in -8
>  The next command line parameters apply only
>  when the specified device
> -- 
> 2.34.1
> 


* Re: [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature
  2022-10-01 14:59 ` [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature Ido Schimmel
@ 2022-10-01 21:32   ` netdev
  2022-10-02  7:34     ` Ido Schimmel
  2022-10-02 15:20   ` netdev
  1 sibling, 1 reply; 12+ messages in thread
From: netdev @ 2022-10-01 21:32 UTC (permalink / raw)
  To: Ido Schimmel
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On 2022-10-01 16:59, Ido Schimmel wrote:
> On Thu, Sep 29, 2022 at 05:21:36PM +0200, Hans Schultz wrote:
>> The MAB feature can be enabled on a locked port with the command:
>> bridge link set dev <DEV> mab on
> 
> Please provide regular and JSON output in the commit message.
> 

What would the JSON version look like in this example?



* Re: [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature
  2022-10-01 15:38   ` Ido Schimmel
@ 2022-10-01 21:37     ` netdev
  2022-10-03 18:23     ` netdev
  1 sibling, 0 replies; 12+ messages in thread
From: netdev @ 2022-10-01 21:37 UTC (permalink / raw)
  To: Ido Schimmel
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On 2022-10-01 17:38, Ido Schimmel wrote:

> 
> I'm not sure the last sentence belongs in the man page. We have no way
> of knowing if it is true and it can change with time.
> 
> How about:
> 
> "this entry will silently discard all matching packets. The entry must
> be added as a local permanent entry."
> 

Fine with me...


* Re: [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature
  2022-10-01 21:32   ` netdev
@ 2022-10-02  7:34     ` Ido Schimmel
  0 siblings, 0 replies; 12+ messages in thread
From: Ido Schimmel @ 2022-10-02  7:34 UTC (permalink / raw)
  To: netdev
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On Sat, Oct 01, 2022 at 11:32:52PM +0200, netdev@kapio-technology.com wrote:
> On 2022-10-01 16:59, Ido Schimmel wrote:
> > On Thu, Sep 29, 2022 at 05:21:36PM +0200, Hans Schultz wrote:
> > > The MAB feature can be enabled on a locked port with the command:
> > > bridge link set dev <DEV> mab on
> > 
> > Please provide regular and JSON output in the commit message.
> > 
> 
> How would the JSON version look like in this example?

$ bridge -d link show dev dummy10
558: dummy10: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 master br0 state disabled priority 32 cost 100 
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off

$ bridge -d -j -p link show dev dummy10
[ {
        "ifindex": 558,
        "ifname": "dummy10",
        "flags": [ "BROADCAST","NOARP","UP","LOWER_UP" ],
        "mtu": 1500,
        "master": "br0",
        "state": "disabled",
        "priority": 32,
        "cost": 100,
        "hairpin": false,
        "guard": false,
        "root_block": false,
        "fastleave": false,
        "learning": true,
        "flood": true,
        "mcast_flood": true,
        "mcast_to_unicast": false,
        "neigh_suppress": false,
        "vlan_tunnel": false,
        "isolated": false
    } ]


* Re: [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature
  2022-10-01 14:59 ` [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature Ido Schimmel
  2022-10-01 21:32   ` netdev
@ 2022-10-02 15:20   ` netdev
  2022-10-03  8:08     ` Ido Schimmel
  1 sibling, 1 reply; 12+ messages in thread
From: netdev @ 2022-10-02 15:20 UTC (permalink / raw)
  To: Ido Schimmel
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On 2022-10-01 16:59, Ido Schimmel wrote:
> 
> IIRC, in the past David asked to either not send the uAPI files or send
> them as a first patch which he then uses as a hint to sync the files
> himself.
> 

Does that imply that I make a patch in the beginning for the 
include/uapi changes wrt the Locked flag and another in the same manner 
for the Blackhole, or just one patch for both of them as the very first 
patch?


* Re: [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB feature
  2022-10-02 15:20   ` netdev
@ 2022-10-03  8:08     ` Ido Schimmel
  0 siblings, 0 replies; 12+ messages in thread
From: Ido Schimmel @ 2022-10-03  8:08 UTC (permalink / raw)
  To: netdev
  Cc: Ido Schimmel, davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On Sun, Oct 02, 2022 at 05:20:31PM +0200, netdev@kapio-technology.com wrote:
> On 2022-10-01 16:59, Ido Schimmel wrote:
> > 
> > IIRC, in the past David asked to either not send the uAPI files or send
> > them as a first patch which he then uses as a hint to sync the files
> > himself.
> > 
> 
> Does that imply that I make a patch in the beginning for the include/uapi
> changes wrt the Locked flag and another in the same manner for the
> Blackhole, or just one patch for both of them as the very first patch?

One patch for both as the very first patch. Example:

https://lore.kernel.org/netdev/cover.1615985531.git.petrm@nvidia.com/
https://lore.kernel.org/netdev/ad9b63d5c76d9ef045dfed6dc9b5ab946e62e450.1615985531.git.petrm@nvidia.com/

The patch is obviously not needed if the uAPI files were already updated
by David.


* Re: [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature
  2022-10-01 15:38   ` Ido Schimmel
  2022-10-01 21:37     ` netdev
@ 2022-10-03 18:23     ` netdev
  1 sibling, 0 replies; 12+ messages in thread
From: netdev @ 2022-10-03 18:23 UTC (permalink / raw)
  To: Ido Schimmel
  Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
	Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
	Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
	Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
	Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
	Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
	Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
	Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
	linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
	linux-kselftest

On 2022-10-01 17:38, Ido Schimmel wrote:
> 
> Need to patch the "SYNOPSIS" section as well
> 

Does this look right to you for the addition to the "SYNOPSIS"?...

bridge fdb { add | del } LLADR dev BRDEV [ self ] [ local ] [ blackhole ]


