* [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
@ 2022-09-28 17:49 Hans Schultz
2022-09-29 16:11 ` Jakub Kicinski
0 siblings, 1 reply; 7+ messages in thread
From: Hans Schultz @ 2022-09-28 17:49 UTC (permalink / raw)
To: davem, kuba
Cc: netdev, Hans J. Schultz, Florian Fainelli, Andrew Lunn,
Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
Ido Schimmel, Florent Fourcot, Hans Schultz, Joachim Wiberg,
Amit Cohen, linux-kernel, linux-arm-kernel, linux-mediatek,
bridge, linux-kselftest
From: "Hans J. Schultz" <netdev@kapio-technology.com>
Verify that the MAC-Auth mechanism works by adding a FDB entry with the
locked flag set, denying access until the FDB entry is replaced with a
FDB entry without the locked flag set.
Add test of blackhole fdb entries, verifying that there is no forwarding
to a blackhole entry from any port, and that the blackhole entry can be
replaced.
Also add a test that verifies that sticky FDB entries cannot roam (this
is not needed for now, but should in general be present anyhow for future
applications).
Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
---
.../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++++++++++++
.../net/forwarding/bridge_locked_port.sh | 106 +++++++++++++++++-
.../net/forwarding/bridge_sticky_fdb.sh | 21 +++-
tools/testing/selftests/net/forwarding/lib.sh | 18 +++
4 files changed, 245 insertions(+), 2 deletions(-)
create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
diff --git a/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
new file mode 100755
index 000000000000..54b1a51e1ed6
--- /dev/null
+++ b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+ALL_TESTS="blackhole_fdb"
+NUM_NETIFS=4
+source lib.sh
+
+switch_create()
+{
+ ip link add dev br0 type bridge
+
+ ip link set dev $swp1 master br0
+ ip link set dev $swp2 master br0
+
+ ip link set dev br0 up
+ ip link set dev $h1 up
+ ip link set dev $swp1 up
+ ip link set dev $h2 up
+ ip link set dev $swp2 up
+
+ tc qdisc add dev $swp2 clsact
+}
+
+switch_destroy()
+{
+ tc qdisc del dev $swp2 clsact
+
+ ip link set dev $swp2 down
+ ip link set dev $h2 down
+ ip link set dev $swp1 down
+ ip link set dev $h1 down
+
+ ip link del dev br0
+}
+
+setup_prepare()
+{
+ h1=${NETIFS[p1]}
+ swp1=${NETIFS[p2]}
+ h2=${NETIFS[p3]}
+ swp2=${NETIFS[p4]}
+
+ switch_create
+}
+
+cleanup()
+{
+ pre_cleanup
+ switch_destroy
+}
+
+# Check that there is no egress with blackhole entry and that blackhole entries can be replaced
+blackhole_fdb()
+{
+ RET=0
+
+ check_blackhole_fdb_support || return 0
+
+ tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \
+ dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 1
+ check_err $? "Packet not seen on egress before adding blackhole entry"
+
+ bridge fdb add `mac_get $h2` dev br0 blackhole
+ bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
+ check_err $? "Blackhole entry not found"
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 1
+ check_err $? "Packet seen on egress after adding blackhole entry"
+
+ # Check blackhole entries can be replaced.
+ bridge fdb replace `mac_get $h2` dev $swp2 master static
+ bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
+ check_fail $? "Blackhole entry found after replacement"
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 2
+ check_err $? "Packet not seen on egress after replacing blackhole entry"
+
+ bridge fdb del `mac_get $h2` dev $swp2 master static
+ tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower
+
+ log_test "Blackhole FDB entry"
+}
+
+trap cleanup EXIT
+
+setup_prepare
+setup_wait
+
+tests_run
+
+exit $EXIT_STATUS
diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
index 5b02b6b60ce7..59b8b7666eab 100755
--- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
@@ -1,7 +1,15 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
-ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
+ALL_TESTS="
+ locked_port_ipv4
+ locked_port_ipv6
+ locked_port_vlan
+ locked_port_mab
+ locked_port_station_move
+ locked_port_mab_station_move
+"
+
NUM_NETIFS=4
CHECK_TC="no"
source lib.sh
@@ -166,6 +174,102 @@ locked_port_ipv6()
log_test "Locked port ipv6"
}
+locked_port_mab()
+{
+ RET=0
+ check_locked_port_support || return 0
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work before locking port"
+
+ bridge link set dev $swp1 locked on
+ check_port_mab_support $swp1 || return 0
+
+ ping_do $h1 192.0.2.2
+ check_fail $? "MAB: Ping worked on locked port without FDB entry"
+
+ bridge fdb show | grep `mac_get $h1` | grep -q "locked"
+ check_err $? "MAB: No locked fdb entry after ping on locked port"
+
+ bridge fdb replace `mac_get $h1` dev $swp1 master static
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work with fdb entry without locked flag"
+
+ bridge fdb del `mac_get $h1` dev $swp1 master
+ bridge link set dev $swp1 locked off mab off
+
+ log_test "Locked port MAB"
+}
+
+# No roaming allowed to a simple locked port
+locked_port_station_move()
+{
+ local mac=a0:b0:c0:c0:b0:a0
+
+ RET=0
+ check_locked_port_support || return 0
+
+ bridge link set dev $swp1 locked on
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
+ check_fail $? "Locked port station move: FDB entry on first injection"
+
+ $MZ $h2 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
+ check_err $? "Locked port station move: Entry not found on unlocked port"
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
+ check_fail $? "Locked port station move: entry roamed to locked port"
+
+ bridge link set dev $swp1 locked off
+
+ log_test "Locked port station move"
+}
+
+# Roaming to and from a MAB enabled port should work if sticky flag is not set
+locked_port_mab_station_move()
+{
+ local mac=10:20:30:30:20:10
+
+ RET=0
+ check_locked_port_support || return 0
+
+ bridge link set dev $swp1 locked on
+
+ check_port_mab_support $swp1 || return 0
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ if bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "permanent"; then
+ echo "SKIP: Roaming not possible with local flag, skipping test..."
+ bridge link set dev $swp1 locked off mab off
+ return $ksft_skip
+ fi
+
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+ check_err $? "MAB station move: no locked entry on first injection"
+
+ $MZ $h2 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+ check_fail $? "MAB station move: locked entry did not move"
+
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "locked"
+ check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
+
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
+ check_err $? "MAB station move: roamed entry not found"
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep "master br0" | grep -q "locked"
+ check_fail $? "MAB station move: entry roamed back to locked port"
+
+ bridge link set dev $swp1 locked off mab off
+
+ log_test "Locked port MAB station move"
+}
+
trap cleanup EXIT
setup_prepare
diff --git a/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
index 1f8ef0eff862..bca77bc3fe09 100755
--- a/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
-ALL_TESTS="sticky"
+ALL_TESTS="sticky sticky_no_roaming"
NUM_NETIFS=4
TEST_MAC=de:ad:be:ef:13:37
source lib.sh
@@ -59,6 +59,25 @@ sticky()
log_test "Sticky fdb entry"
}
+# No roaming allowed with the sticky flag set
+sticky_no_roaming()
+{
+ local mac=a8:b4:c2:c2:b4:a8
+
+ RET=0
+
+ bridge link set dev $swp2 learning on
+ bridge fdb add $mac dev $swp1 master static sticky
+ bridge fdb show dev $swp1 | grep "$mac master br0" | grep -q sticky
+ check_err $? "Sticky no roaming: No sticky FDB entry found after adding"
+
+ $MZ $h2 -q -t udp -c 10 -d 100msec -a $mac -b rand
+ bridge fdb show dev $swp2 | grep "$mac master br0" | grep -q sticky
+ check_fail $? "Sticky no roaming: Sticky entry roamed"
+
+ log_test "Sticky no roaming"
+}
+
trap cleanup EXIT
setup_prepare
diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
index 3ffb9d6c0950..642fbf217c20 100755
--- a/tools/testing/selftests/net/forwarding/lib.sh
+++ b/tools/testing/selftests/net/forwarding/lib.sh
@@ -137,6 +137,24 @@ check_locked_port_support()
fi
}
+check_port_mab_support()
+{
+ local dev=$1;
+
+ if ! bridge link set dev $dev mab on 2>/dev/null; then
+ echo "SKIP: iproute2 too old; MacAuth feature not supported."
+ return $ksft_skip
+ fi
+}
+
+check_blackhole_fdb_support()
+{
+ if ! bridge fdb help | grep -q "blackhole"; then
+ echo "SKIP: Blackhole fdb feature not supported."
+ return $ksft_skip
+ fi
+}
+
if [[ "$(id -u)" -ne 0 ]]; then
echo "SKIP: need root privileges"
exit $ksft_skip
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
2022-09-28 17:49 [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
@ 2022-09-29 16:11 ` Jakub Kicinski
2022-09-29 16:17 ` netdev
0 siblings, 1 reply; 7+ messages in thread
From: Jakub Kicinski @ 2022-09-29 16:11 UTC (permalink / raw)
To: Hans Schultz
Cc: davem, netdev, Florian Fainelli, Andrew Lunn, Vivien Didelot,
Vladimir Oltean, Eric Dumazet, Paolo Abeni, Kurt Kanzenbach,
Hauke Mehrtens, Woojung Huh, UNGLinuxDriver, Sean Wang,
Landen Chao, DENG Qingfang, Matthias Brugger, Claudiu Manoil,
Alexandre Belloni, Jiri Pirko, Ivan Vecera, Roopa Prabhu,
Nikolay Aleksandrov, Shuah Khan, Russell King, Christian Marangi,
Daniel Borkmann, Yuwei Wang, Petr Machata, Ido Schimmel,
Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
linux-kselftest
On Wed, 28 Sep 2022 19:49:04 +0200 Hans Schultz wrote:
> From: "Hans J. Schultz" <netdev@kapio-technology.com>
>
> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> locked flag set, denying access until the FDB entry is replaced with a
> FDB entry without the locked flag set.
>
> Add test of blackhole fdb entries, verifying that there is no forwarding
> to a blackhole entry from any port, and that the blackhole entry can be
> replaced.
>
> Also add a test that verifies that sticky FDB entries cannot roam (this
> is not needed for now, but should in general be present anyhow for future
> applications).
If you were trying to repost just the broken patches - that's not gonna
work :(
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
2022-09-29 16:11 ` Jakub Kicinski
@ 2022-09-29 16:17 ` netdev
2022-09-29 16:22 ` Jakub Kicinski
0 siblings, 1 reply; 7+ messages in thread
From: netdev @ 2022-09-29 16:17 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, netdev, Florian Fainelli, Andrew Lunn, Vivien Didelot,
Vladimir Oltean, Eric Dumazet, Paolo Abeni, Kurt Kanzenbach,
Hauke Mehrtens, Woojung Huh, UNGLinuxDriver, Sean Wang,
Landen Chao, DENG Qingfang, Matthias Brugger, Claudiu Manoil,
Alexandre Belloni, Jiri Pirko, Ivan Vecera, Roopa Prabhu,
Nikolay Aleksandrov, Shuah Khan, Russell King, Christian Marangi,
Daniel Borkmann, Yuwei Wang, Petr Machata, Ido Schimmel,
Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
linux-kselftest
On 2022-09-29 18:11, Jakub Kicinski wrote:
> On Wed, 28 Sep 2022 19:49:04 +0200 Hans Schultz wrote:
>> From: "Hans J. Schultz" <netdev@kapio-technology.com>
>>
>> Verify that the MAC-Auth mechanism works by adding a FDB entry with
>> the
>> locked flag set, denying access until the FDB entry is replaced with a
>> FDB entry without the locked flag set.
>>
>> Add test of blackhole fdb entries, verifying that there is no
>> forwarding
>> to a blackhole entry from any port, and that the blackhole entry can
>> be
>> replaced.
>>
>> Also add a test that verifies that sticky FDB entries cannot roam
>> (this
>> is not needed for now, but should in general be present anyhow for
>> future
>> applications).
>
> If you were trying to repost just the broken patches - that's not gonna
> work :(
Sorry, I do not understand what 'broken' patches you are referring to?
I think that the locked port tests should be working?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
2022-09-29 16:17 ` netdev
@ 2022-09-29 16:22 ` Jakub Kicinski
0 siblings, 0 replies; 7+ messages in thread
From: Jakub Kicinski @ 2022-09-29 16:22 UTC (permalink / raw)
To: netdev
Cc: davem, netdev, Florian Fainelli, Andrew Lunn, Vivien Didelot,
Vladimir Oltean, Eric Dumazet, Paolo Abeni, Kurt Kanzenbach,
Hauke Mehrtens, Woojung Huh, UNGLinuxDriver, Sean Wang,
Landen Chao, DENG Qingfang, Matthias Brugger, Claudiu Manoil,
Alexandre Belloni, Jiri Pirko, Ivan Vecera, Roopa Prabhu,
Nikolay Aleksandrov, Shuah Khan, Russell King, Christian Marangi,
Daniel Borkmann, Yuwei Wang, Petr Machata, Ido Schimmel,
Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
linux-kselftest
On Thu, 29 Sep 2022 18:17:40 +0200 netdev@kapio-technology.com wrote:
> > If you were trying to repost just the broken patches - that's not gonna
> > work :(
>
> Sorry, I do not understand what 'broken' patches you are referring to?
>
> I think that the locked port tests should be working?
Ignore it then. v6 does not build, see my other reply.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)
@ 2022-09-28 15:02 Hans Schultz
2022-09-28 15:02 ` [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
0 siblings, 1 reply; 7+ messages in thread
From: Hans Schultz @ 2022-09-28 15:02 UTC (permalink / raw)
To: davem, kuba
Cc: netdev, Hans J. Schultz, Florian Fainelli, Andrew Lunn,
Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
Ido Schimmel, Florent Fourcot, Hans Schultz, Joachim Wiberg,
Amit Cohen, linux-kernel, linux-arm-kernel, linux-mediatek,
bridge, linux-kselftest
From: "Hans J. Schultz" <netdev@kapio-technology.com>
This patch set extends the locked port feature for devices
that are behind a locked port, but do not have the ability to
authorize themselves as a supplicant using IEEE 802.1X.
Such devices can be printers, meters or anything related to
fixed installations. Instead of 802.1X authorization, devices
can get access based on their MAC addresses being whitelisted.
For an authorization daemon to detect that a device is trying
to get access through a locked port, the bridge will add the
MAC address of the device to the FDB with a locked flag to it.
Thus the authorization daemon can catch the FDB add event and
check if the MAC address is in the whitelist and if so replace
the FDB entry without the locked flag enabled, and thus open
the port for the device.
This feature is known as MAC-Auth or MAC Authentication Bypass
(MAB) in Cisco terminology, where the full MAB concept involves
additional Cisco infrastructure for authorization. There is no
real authentication process, as the MAC address of the device
is the only input the authorization daemon, in the general
case, has to base the decision if to unlock the port or not.
With this patch set, an implementation of the offloaded case is
supplied for the mv88e6xxx driver. When a packet ingresses on
a locked port, an ATU miss violation event will occur. When
handling such ATU miss violation interrupts, the MAC address of
the device is added to the FDB with a zero destination port
vector (DPV) and the MAC address is communicated through the
switchdev layer to the bridge, so that a FDB entry with the
locked flag enabled can be added.
Log:
v3: Added timers and lists in the driver (mv88e6xxx)
to keep track of and remove locked entries.
v4: Leave out enforcing a limit to the number of
locked entries in the bridge.
Removed the timers in the driver and use the
worker only. Add locked FDB flag to all drivers
using port_fdb_add() from the dsa api and let
all drivers ignore entries with this flag set.
Change how to get the ageing timeout of locked
entries. See global1_atu.c and switchdev.c.
Use struct mv88e6xxx_port for locked entries
variables instead of struct dsa_port.
v5: Added 'mab' flag to enable MAB/MacAuth feature,
in a similar way to the locked feature flag.
In these implementations for the mv88e6xxx, the
switchport must be configured with learning on.
To tell userspace about the behavior of the
locked entries in the driver, a 'blackhole'
FDB flag has been added, which locked FDB
entries coming from the driver gets. Also the
'sticky' flag comes with those locked entries,
as the drivers locked entries cannot roam.
Fixed issues with taking mutex locks, and added
a function to read the fid, that supports all
versions of the chipset family.
v6: Added blackhole FDB flag instead of using sticky
flag, as the blackhole flag corresponds to the
behaviour of the zero-DPV locked entries in the
driver.
Userspace can add blackhole FDB entries with:
# bridge fdb add MAC dev br0 blackhole
Added FDB flags towards driver in DSA layer as u16.
Hans J. Schultz (9):
net: bridge: add locked entry fdb flag to extend locked port feature
net: bridge: add blackhole fdb entry flag
net: switchdev: add support for offloading of the FDB locked flag
net: switchdev: support offloading of the FDB blackhole flag
drivers: net: dsa: add fdb entry flags to drivers
net: dsa: mv88e6xxx: allow reading FID when handling ATU violations
net: dsa: mv88e6xxx: mac-auth/MAB implementation
net: dsa: mv88e6xxx: add blackhole ATU entries
selftests: forwarding: add test of MAC-Auth Bypass to locked port
tests
drivers/net/dsa/b53/b53_common.c | 12 +-
drivers/net/dsa/b53/b53_priv.h | 4 +-
drivers/net/dsa/hirschmann/hellcreek.c | 12 +-
drivers/net/dsa/lan9303-core.c | 12 +-
drivers/net/dsa/lantiq_gswip.c | 12 +-
drivers/net/dsa/microchip/ksz9477.c | 8 +-
drivers/net/dsa/microchip/ksz9477.h | 8 +-
drivers/net/dsa/microchip/ksz_common.c | 14 +-
drivers/net/dsa/mt7530.c | 12 +-
drivers/net/dsa/mv88e6xxx/Makefile | 1 +
drivers/net/dsa/mv88e6xxx/chip.c | 158 +++++++++-
drivers/net/dsa/mv88e6xxx/chip.h | 19 ++
drivers/net/dsa/mv88e6xxx/global1.h | 1 +
drivers/net/dsa/mv88e6xxx/global1_atu.c | 72 ++++-
drivers/net/dsa/mv88e6xxx/port.c | 15 +-
drivers/net/dsa/mv88e6xxx/port.h | 6 +
drivers/net/dsa/mv88e6xxx/switchdev.c | 284 ++++++++++++++++++
drivers/net/dsa/mv88e6xxx/switchdev.h | 37 +++
drivers/net/dsa/ocelot/felix.c | 12 +-
drivers/net/dsa/qca/qca8k-common.c | 10 +-
drivers/net/dsa/qca/qca8k.h | 4 +-
drivers/net/dsa/sja1105/sja1105_main.c | 14 +-
include/linux/if_bridge.h | 1 +
include/net/dsa.h | 7 +-
include/net/switchdev.h | 2 +
include/uapi/linux/if_link.h | 1 +
include/uapi/linux/neighbour.h | 11 +-
net/bridge/br.c | 5 +-
net/bridge/br_fdb.c | 77 ++++-
net/bridge/br_input.c | 20 +-
net/bridge/br_netlink.c | 12 +-
net/bridge/br_private.h | 5 +-
net/bridge/br_switchdev.c | 4 +-
net/core/rtnetlink.c | 9 +
net/dsa/dsa_priv.h | 10 +-
net/dsa/port.c | 32 +-
net/dsa/slave.c | 16 +-
net/dsa/switch.c | 24 +-
.../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++
.../net/forwarding/bridge_locked_port.sh | 106 ++++++-
.../net/forwarding/bridge_sticky_fdb.sh | 21 +-
tools/testing/selftests/net/forwarding/lib.sh | 18 ++
42 files changed, 1093 insertions(+), 117 deletions(-)
create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.c
create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.h
create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
--
2.34.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
2022-09-28 15:02 [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
@ 2022-09-28 15:02 ` Hans Schultz
2022-10-03 13:40 ` Ido Schimmel
0 siblings, 1 reply; 7+ messages in thread
From: Hans Schultz @ 2022-09-28 15:02 UTC (permalink / raw)
To: davem, kuba
Cc: netdev, Hans J. Schultz, Florian Fainelli, Andrew Lunn,
Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
Ido Schimmel, Florent Fourcot, Hans Schultz, Joachim Wiberg,
Amit Cohen, linux-kernel, linux-arm-kernel, linux-mediatek,
bridge, linux-kselftest
From: "Hans J. Schultz" <netdev@kapio-technology.com>
Verify that the MAC-Auth mechanism works by adding a FDB entry with the
locked flag set, denying access until the FDB entry is replaced with a
FDB entry without the locked flag set.
Add test of blackhole fdb entries, verifying that there is no forwarding
to a blackhole entry from any port, and that the blackhole entry can be
replaced.
Also add a test that verifies that sticky FDB entries cannot roam (this
is not needed for now, but should in general be present anyhow for future
applications).
Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
---
.../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++++++++++++
.../net/forwarding/bridge_locked_port.sh | 106 +++++++++++++++++-
.../net/forwarding/bridge_sticky_fdb.sh | 21 +++-
tools/testing/selftests/net/forwarding/lib.sh | 18 +++
4 files changed, 245 insertions(+), 2 deletions(-)
create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
diff --git a/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
new file mode 100755
index 000000000000..54b1a51e1ed6
--- /dev/null
+++ b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+ALL_TESTS="blackhole_fdb"
+NUM_NETIFS=4
+source lib.sh
+
+switch_create()
+{
+ ip link add dev br0 type bridge
+
+ ip link set dev $swp1 master br0
+ ip link set dev $swp2 master br0
+
+ ip link set dev br0 up
+ ip link set dev $h1 up
+ ip link set dev $swp1 up
+ ip link set dev $h2 up
+ ip link set dev $swp2 up
+
+ tc qdisc add dev $swp2 clsact
+}
+
+switch_destroy()
+{
+ tc qdisc del dev $swp2 clsact
+
+ ip link set dev $swp2 down
+ ip link set dev $h2 down
+ ip link set dev $swp1 down
+ ip link set dev $h1 down
+
+ ip link del dev br0
+}
+
+setup_prepare()
+{
+ h1=${NETIFS[p1]}
+ swp1=${NETIFS[p2]}
+ h2=${NETIFS[p3]}
+ swp2=${NETIFS[p4]}
+
+ switch_create
+}
+
+cleanup()
+{
+ pre_cleanup
+ switch_destroy
+}
+
+# Check that there is no egress with blackhole entry and that blackhole entries can be replaced
+blackhole_fdb()
+{
+ RET=0
+
+ check_blackhole_fdb_support || return 0
+
+ tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \
+ dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 1
+ check_err $? "Packet not seen on egress before adding blackhole entry"
+
+ bridge fdb add `mac_get $h2` dev br0 blackhole
+ bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
+ check_err $? "Blackhole entry not found"
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 1
+ check_err $? "Packet seen on egress after adding blackhole entry"
+
+ # Check blackhole entries can be replaced.
+ bridge fdb replace `mac_get $h2` dev $swp2 master static
+ bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
+ check_fail $? "Blackhole entry found after replacement"
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 2
+ check_err $? "Packet not seen on egress after replacing blackhole entry"
+
+ bridge fdb del `mac_get $h2` dev $swp2 master static
+ tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower
+
+ log_test "Blackhole FDB entry"
+}
+
+trap cleanup EXIT
+
+setup_prepare
+setup_wait
+
+tests_run
+
+exit $EXIT_STATUS
diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
index 5b02b6b60ce7..59b8b7666eab 100755
--- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
@@ -1,7 +1,15 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
-ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
+ALL_TESTS="
+ locked_port_ipv4
+ locked_port_ipv6
+ locked_port_vlan
+ locked_port_mab
+ locked_port_station_move
+ locked_port_mab_station_move
+"
+
NUM_NETIFS=4
CHECK_TC="no"
source lib.sh
@@ -166,6 +174,102 @@ locked_port_ipv6()
log_test "Locked port ipv6"
}
+locked_port_mab()
+{
+ RET=0
+ check_locked_port_support || return 0
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work before locking port"
+
+ bridge link set dev $swp1 locked on
+ check_port_mab_support $swp1 || return 0
+
+ ping_do $h1 192.0.2.2
+ check_fail $? "MAB: Ping worked on locked port without FDB entry"
+
+ bridge fdb show | grep `mac_get $h1` | grep -q "locked"
+ check_err $? "MAB: No locked fdb entry after ping on locked port"
+
+ bridge fdb replace `mac_get $h1` dev $swp1 master static
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work with fdb entry without locked flag"
+
+ bridge fdb del `mac_get $h1` dev $swp1 master
+ bridge link set dev $swp1 locked off mab off
+
+ log_test "Locked port MAB"
+}
+
+# No roaming allowed to a simple locked port
+locked_port_station_move()
+{
+ local mac=a0:b0:c0:c0:b0:a0
+
+ RET=0
+ check_locked_port_support || return 0
+
+ bridge link set dev $swp1 locked on
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
+ check_fail $? "Locked port station move: FDB entry on first injection"
+
+ $MZ $h2 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
+ check_err $? "Locked port station move: Entry not found on unlocked port"
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
+ check_fail $? "Locked port station move: entry roamed to locked port"
+
+ bridge link set dev $swp1 locked off
+
+ log_test "Locked port station move"
+}
+
+# Roaming to and from a MAB enabled port should work if sticky flag is not set
+locked_port_mab_station_move()
+{
+ local mac=10:20:30:30:20:10
+
+ RET=0
+ check_locked_port_support || return 0
+
+ bridge link set dev $swp1 locked on
+
+ check_port_mab_support $swp1 || return 0
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ if bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "permanent"; then
+ echo "SKIP: Roaming not possible with local flag, skipping test..."
+ bridge link set dev $swp1 locked off mab off
+ return $ksft_skip
+ fi
+
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+ check_err $? "MAB station move: no locked entry on first injection"
+
+ $MZ $h2 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+ check_fail $? "MAB station move: locked entry did not move"
+
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "locked"
+ check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
+
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
+ check_err $? "MAB station move: roamed entry not found"
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep "master br0" | grep -q "locked"
+ check_fail $? "MAB station move: entry roamed back to locked port"
+
+ bridge link set dev $swp1 locked off mab off
+
+ log_test "Locked port MAB station move"
+}
+
trap cleanup EXIT
setup_prepare
diff --git a/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
index 1f8ef0eff862..bca77bc3fe09 100755
--- a/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
-ALL_TESTS="sticky"
+ALL_TESTS="sticky sticky_no_roaming"
NUM_NETIFS=4
TEST_MAC=de:ad:be:ef:13:37
source lib.sh
@@ -59,6 +59,25 @@ sticky()
log_test "Sticky fdb entry"
}
+# No roaming allowed with the sticky flag set
+sticky_no_roaming()
+{
+ local mac=a8:b4:c2:c2:b4:a8
+
+ RET=0
+
+ bridge link set dev $swp2 learning on
+ bridge fdb add $mac dev $swp1 master static sticky
+ bridge fdb show dev $swp1 | grep "$mac master br0" | grep -q sticky
+ check_err $? "Sticky no roaming: No sticky FDB entry found after adding"
+
+ $MZ $h2 -q -t udp -c 10 -d 100msec -a $mac -b rand
+ bridge fdb show dev $swp2 | grep "$mac master br0" | grep -q sticky
+ check_fail $? "Sticky no roaming: Sticky entry roamed"
+
+ log_test "Sticky no roaming"
+}
+
trap cleanup EXIT
setup_prepare
diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
index 3ffb9d6c0950..642fbf217c20 100755
--- a/tools/testing/selftests/net/forwarding/lib.sh
+++ b/tools/testing/selftests/net/forwarding/lib.sh
@@ -137,6 +137,24 @@ check_locked_port_support()
fi
}
+check_port_mab_support()
+{
+ local dev=$1;
+
+ if ! bridge link set dev $dev mab on 2>/dev/null; then
+ echo "SKIP: iproute2 too old; MacAuth feature not supported."
+ return $ksft_skip
+ fi
+}
+
+check_blackhole_fdb_support()
+{
+ if ! bridge fdb help | grep -q "blackhole"; then
+ echo "SKIP: Blackhole fdb feature not supported."
+ return $ksft_skip
+ fi
+}
+
if [[ "$(id -u)" -ne 0 ]]; then
echo "SKIP: need root privileges"
exit $ksft_skip
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
2022-09-28 15:02 ` [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
@ 2022-10-03 13:40 ` Ido Schimmel
2022-10-08 11:34 ` netdev
0 siblings, 1 reply; 7+ messages in thread
From: Ido Schimmel @ 2022-10-03 13:40 UTC (permalink / raw)
To: Hans Schultz
Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
linux-kselftest
On Wed, Sep 28, 2022 at 05:02:56PM +0200, Hans Schultz wrote:
> From: "Hans J. Schultz" <netdev@kapio-technology.com>
>
> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> locked flag set, denying access until the FDB entry is replaced with a
> FDB entry without the locked flag set.
>
> Add test of blackhole fdb entries, verifying that there is no forwarding
> to a blackhole entry from any port, and that the blackhole entry can be
> replaced.
>
> Also add a test that verifies that sticky FDB entries cannot roam (this
> is not needed for now, but should in general be present anyhow for future
> applications).
The sticky selftests are not related to this set and need to be posted
separately.
>
> Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
> ---
> .../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++++++++++++
> .../net/forwarding/bridge_locked_port.sh | 106 +++++++++++++++++-
> .../net/forwarding/bridge_sticky_fdb.sh | 21 +++-
> tools/testing/selftests/net/forwarding/lib.sh | 18 +++
> 4 files changed, 245 insertions(+), 2 deletions(-)
> create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
>
> diff --git a/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
> new file mode 100755
> index 000000000000..54b1a51e1ed6
> --- /dev/null
> +++ b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
> @@ -0,0 +1,102 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +
> +ALL_TESTS="blackhole_fdb"
> +NUM_NETIFS=4
> +source lib.sh
> +
> +switch_create()
> +{
> + ip link add dev br0 type bridge
> +
> + ip link set dev $swp1 master br0
> + ip link set dev $swp2 master br0
> +
> + ip link set dev br0 up
> + ip link set dev $h1 up
> + ip link set dev $swp1 up
> + ip link set dev $h2 up
> + ip link set dev $swp2 up
> +
> + tc qdisc add dev $swp2 clsact
There are indentation problems in this file. The coding style is to
indent using tabs that are 8 characters deep, not spaces.
> +}
This is not how the selftests are usually constructed. We have
h1_create(), h2_create() and switch_create() and the hosts use VRFs via
simple_if_init(). Look at bridge_locked_port.sh, for example.
> +
> +switch_destroy()
> +{
> + tc qdisc del dev $swp2 clsact
> +
> + ip link set dev $swp2 down
> + ip link set dev $h2 down
> + ip link set dev $swp1 down
> + ip link set dev $h1 down
> +
> + ip link del dev br0
> +}
> +
> +setup_prepare()
> +{
> + h1=${NETIFS[p1]}
> + swp1=${NETIFS[p2]}
> + h2=${NETIFS[p3]}
> + swp2=${NETIFS[p4]}
> +
> + switch_create
> +}
> +
> +cleanup()
> +{
> + pre_cleanup
> + switch_destroy
> +}
> +
> +# Check that there is no egress with blackhole entry and that blackhole entries can be replaced
> +blackhole_fdb()
> +{
> + RET=0
> +
> + check_blackhole_fdb_support || return 0
> +
> + tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \
> + dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass
> +
> + $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> + -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
> +
> + tc_check_packets "dev $swp2 egress" 1 1
> + check_err $? "Packet not seen on egress before adding blackhole entry"
> +
> + bridge fdb add `mac_get $h2` dev br0 blackhole
> + bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
> + check_err $? "Blackhole entry not found"
> +
> + $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> + -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
> +
> + tc_check_packets "dev $swp2 egress" 1 1
> + check_err $? "Packet seen on egress after adding blackhole entry"
> +
> + # Check blackhole entries can be replaced.
> + bridge fdb replace `mac_get $h2` dev $swp2 master static
> + bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
> + check_fail $? "Blackhole entry found after replacement"
> +
> + $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> + -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
> +
> + tc_check_packets "dev $swp2 egress" 1 2
> + check_err $? "Packet not seen on egress after replacing blackhole entry"
> +
> + bridge fdb del `mac_get $h2` dev $swp2 master static
> + tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower
> +
> + log_test "Blackhole FDB entry"
> +}
> +
> +trap cleanup EXIT
> +
> +setup_prepare
> +setup_wait
> +
> +tests_run
> +
> +exit $EXIT_STATUS
> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> index 5b02b6b60ce7..59b8b7666eab 100755
> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> @@ -1,7 +1,15 @@
> #!/bin/bash
> # SPDX-License-Identifier: GPL-2.0
>
> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> +ALL_TESTS="
> + locked_port_ipv4
> + locked_port_ipv6
> + locked_port_vlan
> + locked_port_mab
> + locked_port_station_move
> + locked_port_mab_station_move
> +"
> +
> NUM_NETIFS=4
> CHECK_TC="no"
> source lib.sh
> @@ -166,6 +174,102 @@ locked_port_ipv6()
> log_test "Locked port ipv6"
> }
>
> +locked_port_mab()
> +{
> + RET=0
> + check_locked_port_support || return 0
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work before locking port"
> +
> + bridge link set dev $swp1 locked on
> + check_port_mab_support $swp1 || return 0
Move this check to the beginning of the test and instead do:
bridge link set dev $swp1 locked on mab on
See the comment at the end regarding check_port_mab_support()
> +
> + ping_do $h1 192.0.2.2
> + check_fail $? "MAB: Ping worked on locked port without FDB entry"
> +
> + bridge fdb show | grep `mac_get $h1` | grep -q "locked"
Use "bridge fdb get" like in the blackhole test instead of dumping the
entire FDB.
> + check_err $? "MAB: No locked fdb entry after ping on locked port"
> +
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
> + bridge link set dev $swp1 locked off mab off
> +
> + log_test "Locked port MAB"
> +}
> +
> +# No roaming allowed to a simple locked port
# Check that entries cannot roam from an unlocked port to a locked port.
> +locked_port_station_move()
> +{
> + local mac=a0:b0:c0:c0:b0:a0
> +
> + RET=0
> + check_locked_port_support || return 0
> +
> + bridge link set dev $swp1 locked on
It is quite pointless to check that an entry cannot roam to a port that
has learning disabled... Need:
bridge link set dev $swp1 locked on learning on
> +
> + $MZ $h1 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
bridge fdb get ...
Same in other places
> + check_fail $? "Locked port station move: FDB entry on first injection"
> +
> + $MZ $h2 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
> + check_err $? "Locked port station move: Entry not found on unlocked port"
> +
> + $MZ $h1 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
> + check_fail $? "Locked port station move: entry roamed to locked port"
> +
> + bridge link set dev $swp1 locked off
bridge link set dev $swp1 locked off learning off
And need to delete the FDB entry pointing to $swp2
> +
> + log_test "Locked port station move"
> +}
> +
> +# Roaming to and from a MAB enabled port should work if sticky flag is not set
# Check that entries can roam from a locked port to an unlocked port.
> +locked_port_mab_station_move()
> +{
> + local mac=10:20:30:30:20:10
> +
> + RET=0
> + check_locked_port_support || return 0
> +
> + bridge link set dev $swp1 locked on
> +
> + check_port_mab_support $swp1 || return 0
Move to the beginning of the test
> +
> + $MZ $h1 -q -t udp -a $mac -b rand
# Some device drivers report locked entries to the bridge driver as
# permanent entries that cannot roam. In such cases there is no point in
# checking that locked entries can roam to an unlocked port.
> + if bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "permanent"; then
> + echo "SKIP: Roaming not possible with local flag, skipping test..."
> + bridge link set dev $swp1 locked off mab off
> + return $ksft_skip
> + fi
> +
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
> + check_err $? "MAB station move: no locked entry on first injection"
> +
> + $MZ $h2 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
> + check_fail $? "MAB station move: locked entry did not move"
> +
> + bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "locked"
> + check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
> +
> + bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
> + check_err $? "MAB station move: roamed entry not found"
First check that the entry roamed to $swp2 using "bridge fdb get", then
check that the locked flag is not set on it.
> +
> + $MZ $h1 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep "master br0" | grep -q "locked"
> + check_fail $? "MAB station move: entry roamed back to locked port"
This was already checked in locked_port_station_move()
> +
Need to delete the FBD entry from $swp2.
> + bridge link set dev $swp1 locked off mab off
> +
> + log_test "Locked port MAB station move"
> +}
> +
> trap cleanup EXIT
[...]
> diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
> index 3ffb9d6c0950..642fbf217c20 100755
> --- a/tools/testing/selftests/net/forwarding/lib.sh
> +++ b/tools/testing/selftests/net/forwarding/lib.sh
> @@ -137,6 +137,24 @@ check_locked_port_support()
> fi
> }
>
> +check_port_mab_support()
> +{
> + local dev=$1;
Why this helper needs a device, but check_locked_port_support() does
not? Please change this helper to work like check_locked_port_support().
> +
> + if ! bridge link set dev $dev mab on 2>/dev/null; then
> + echo "SKIP: iproute2 too old; MacAuth feature not supported."
> + return $ksft_skip
> + fi
> +}
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
2022-10-03 13:40 ` Ido Schimmel
@ 2022-10-08 11:34 ` netdev
0 siblings, 0 replies; 7+ messages in thread
From: netdev @ 2022-10-08 11:34 UTC (permalink / raw)
To: Ido Schimmel
Cc: davem, kuba, netdev, Florian Fainelli, Andrew Lunn,
Vivien Didelot, Vladimir Oltean, Eric Dumazet, Paolo Abeni,
Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver,
Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger,
Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera,
Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Russell King,
Christian Marangi, Daniel Borkmann, Yuwei Wang, Petr Machata,
Florent Fourcot, Hans Schultz, Joachim Wiberg, Amit Cohen,
linux-kernel, linux-arm-kernel, linux-mediatek, bridge,
linux-kselftest
On 2022-10-03 15:40, Ido Schimmel wrote:
>> +locked_port_station_move()
>> +{
>> + local mac=a0:b0:c0:c0:b0:a0
>> +
>> + RET=0
>> + check_locked_port_support || return 0
>> +
>> + bridge link set dev $swp1 locked on
>
> It is quite pointless to check that an entry cannot roam to a port that
> has learning disabled... Need:
>
> bridge link set dev $swp1 locked on learning on
>
>> +
>> + $MZ $h1 -q -t udp -a $mac -b rand
>> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master
>> br0"
>
> bridge fdb get ...
>
> Same in other places
>
It seems that the output of 'bridge fdb get' does not respect the dev it
is given as input and outputs the (MAC,vlan) when found on another
dev...
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-10-08 11:34 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-28 17:49 [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-09-29 16:11 ` Jakub Kicinski
2022-09-29 16:17 ` netdev
2022-09-29 16:22 ` Jakub Kicinski
-- strict thread matches above, loose matches on Subject: below --
2022-09-28 15:02 [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-09-28 15:02 ` [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-10-03 13:40 ` Ido Schimmel
2022-10-08 11:34 ` netdev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).