netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ido Schimmel <idosch@idosch.org>
To: Hans Schultz <schultz.hans@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
	Hans Schultz <schultz.hans+netdev@gmail.com>,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
	Roopa Prabhu <roopa@nvidia.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Shuah Khan <shuah@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Ido Schimmel <idosch@nvidia.com>,
	linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
	linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
Date: Thu, 17 Mar 2022 16:57:15 +0200	[thread overview]
Message-ID: <YjNMS6aFG+93ejj5@shredder> (raw)
In-Reply-To: <20220317093902.1305816-5-schultz.hans+netdev@gmail.com>

On Thu, Mar 17, 2022 at 10:39:02AM +0100, Hans Schultz wrote:
> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> locked flag set. denying access until the FDB entry is replaced with a
> FDB entry without the locked flag set.
> 
> Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
> ---
>  .../net/forwarding/bridge_locked_port.sh      | 29 ++++++++++++++++++-
>  1 file changed, 28 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> index 6e98efa6d371..2f9519e814b6 100755
> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> @@ -1,7 +1,7 @@
>  #!/bin/bash
>  # SPDX-License-Identifier: GPL-2.0
>  
> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
>  NUM_NETIFS=4
>  CHECK_TC="no"
>  source lib.sh
> @@ -170,6 +170,33 @@ locked_port_ipv6()
>  	log_test "Locked port ipv6"
>  }
>  
> +locked_port_mab()
> +{
> +	RET=0
> +	check_locked_port_support || return 0
> +
> +	ping_do $h1 192.0.2.2
> +	check_err $? "MAB: Ping did not work before locking port"
> +
> +	bridge link set dev $swp1 locked on
> +	bridge link set dev $swp1 learning on
> +
> +	ping_do $h1 192.0.2.2
> +	check_fail $? "MAB: Ping worked on port just locked"
> +
> +	if ! bridge fdb show | grep `mac_get $h1` | grep -q "locked"; then
> +		RET=1
> +		retmsg="MAB: No locked fdb entry after ping on locked port"
> +	fi

bridge fdb show | grep `mac_get $h1 | grep -q "locked"
check_err $? "MAB: No locked fdb entry after ping on locked port"

> +
> +	bridge fdb del `mac_get $h1` dev $swp1 master
> +	bridge fdb add `mac_get $h1` dev $swp1 master static

bridge fdb replace `mac_get $h1` dev $swp1 master static

> +
> +	ping_do $h1 192.0.2.2
> +	check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> +
> +	log_test "Locked port MAB"

Clean up after the test to revert to initial state:

bridge fdb del `mac_get $h1` dev $swp1 master
bridge link set dev $swp1 locked off


> +}
>  trap cleanup EXIT
>  
>  setup_prepare
> -- 
> 2.30.2
> 

  reply	other threads:[~2022-03-17 14:57 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-17  9:38 [PATCH v2 net-next 0/4] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-03-17  9:38 ` [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature Hans Schultz
2022-03-17  9:47   ` Nikolay Aleksandrov
2022-03-17 13:44   ` Ido Schimmel
2022-03-17 13:54     ` Nikolay Aleksandrov
2022-03-17 14:50     ` Hans Schultz
2022-03-17 14:59       ` Ido Schimmel
2022-03-17  9:39 ` [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-03-23 12:29   ` Hans Schultz
2022-03-23 12:35     ` Vladimir Oltean
2022-03-23 12:49       ` Hans Schultz
2022-03-23 14:43         ` Vladimir Oltean
2022-03-23 15:03           ` Hans Schultz
2022-03-24 10:32           ` Hans Schultz
2022-03-24 11:09             ` Vladimir Oltean
2022-03-24 11:23               ` Hans Schultz
2022-03-24 14:27                 ` Vladimir Oltean
2022-03-25  7:50                   ` Hans Schultz
2022-03-25 13:21                     ` Vladimir Oltean
2022-03-25 13:48                       ` Hans Schultz
2022-03-25 14:00                         ` Vladimir Oltean
2022-03-25 16:01                           ` Hans Schultz
2022-03-25 20:30                             ` Vladimir Oltean
2022-03-28  7:38                               ` Hans Schultz
2022-03-28  8:48                                 ` Vladimir Oltean
2022-03-28  9:31                                   ` Hans Schultz
2022-03-28 15:12                                     ` Vladimir Oltean
2022-03-25  9:24                   ` Hans Schultz
2022-03-23 14:42       ` Hans Schultz
2022-03-17  9:39 ` [PATCH v2 net-next 3/4] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-03-17 15:26   ` Jakub Kicinski
2022-03-17 19:27   ` Vladimir Oltean
2022-03-17  9:39 ` [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-03-17 14:57   ` Ido Schimmel [this message]
2022-03-18 15:45     ` Hans Schultz
2022-03-20  7:52       ` Ido Schimmel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YjNMS6aFG+93ejj5@shredder \
    --to=idosch@idosch.org \
    --cc=andrew@lunn.ch \
    --cc=bridge@lists.linux-foundation.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=f.fainelli@gmail.com \
    --cc=idosch@nvidia.com \
    --cc=ivecera@redhat.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=olteanv@gmail.com \
    --cc=razor@blackwall.org \
    --cc=roopa@nvidia.com \
    --cc=schultz.hans+netdev@gmail.com \
    --cc=schultz.hans@gmail.com \
    --cc=shuah@kernel.org \
    --cc=vivien.didelot@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).