2022-09-28 15:42:44

by Hans Schultz

[permalink] [raw]
Subject: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

From: "Hans J. Schultz" <[email protected]>

This patch set extends the locked port feature for devices
that are behind a locked port, but do not have the ability to
authorize themselves as a supplicant using IEEE 802.1X.
Such devices can be printers, meters or anything related to
fixed installations. Instead of 802.1X authorization, devices
can get access based on their MAC addresses being whitelisted.

For an authorization daemon to detect that a device is trying
to get access through a locked port, the bridge will add the
MAC address of the device to the FDB with a locked flag to it.
Thus the authorization daemon can catch the FDB add event and
check if the MAC address is in the whitelist and if so replace
the FDB entry without the locked flag enabled, and thus open
the port for the device.

This feature is known as MAC-Auth or MAC Authentication Bypass
(MAB) in Cisco terminology, where the full MAB concept involves
additional Cisco infrastructure for authorization. There is no
real authentication process, as the MAC address of the device
is the only input the authorization daemon, in the general
case, has to base the decision if to unlock the port or not.

With this patch set, an implementation of the offloaded case is
supplied for the mv88e6xxx driver. When a packet ingresses on
a locked port, an ATU miss violation event will occur. When
handling such ATU miss violation interrupts, the MAC address of
the device is added to the FDB with a zero destination port
vector (DPV) and the MAC address is communicated through the
switchdev layer to the bridge, so that a FDB entry with the
locked flag enabled can be added.

Log:
v3: Added timers and lists in the driver (mv88e6xxx)
to keep track of and remove locked entries.

v4: Leave out enforcing a limit to the number of
locked entries in the bridge.
Removed the timers in the driver and use the
worker only. Add locked FDB flag to all drivers
using port_fdb_add() from the dsa api and let
all drivers ignore entries with this flag set.
Change how to get the ageing timeout of locked
entries. See global1_atu.c and switchdev.c.
Use struct mv88e6xxx_port for locked entries
variables instead of struct dsa_port.

v5: Added 'mab' flag to enable MAB/MacAuth feature,
in a similar way to the locked feature flag.

In these implementations for the mv88e6xxx, the
switchport must be configured with learning on.

To tell userspace about the behavior of the
locked entries in the driver, a 'blackhole'
FDB flag has been added, which locked FDB
entries coming from the driver gets. Also the
'sticky' flag comes with those locked entries,
as the drivers locked entries cannot roam.

Fixed issues with taking mutex locks, and added
a function to read the fid, that supports all
versions of the chipset family.

v6: Added blackhole FDB flag instead of using sticky
flag, as the blackhole flag corresponds to the
behaviour of the zero-DPV locked entries in the
driver.

Userspace can add blackhole FDB entries with:
# bridge fdb add MAC dev br0 blackhole

Added FDB flags towards driver in DSA layer as u16.

Hans J. Schultz (9):
net: bridge: add locked entry fdb flag to extend locked port feature
net: bridge: add blackhole fdb entry flag
net: switchdev: add support for offloading of the FDB locked flag
net: switchdev: support offloading of the FDB blackhole flag
drivers: net: dsa: add fdb entry flags to drivers
net: dsa: mv88e6xxx: allow reading FID when handling ATU violations
net: dsa: mv88e6xxx: mac-auth/MAB implementation
net: dsa: mv88e6xxx: add blackhole ATU entries
selftests: forwarding: add test of MAC-Auth Bypass to locked port
tests

drivers/net/dsa/b53/b53_common.c | 12 +-
drivers/net/dsa/b53/b53_priv.h | 4 +-
drivers/net/dsa/hirschmann/hellcreek.c | 12 +-
drivers/net/dsa/lan9303-core.c | 12 +-
drivers/net/dsa/lantiq_gswip.c | 12 +-
drivers/net/dsa/microchip/ksz9477.c | 8 +-
drivers/net/dsa/microchip/ksz9477.h | 8 +-
drivers/net/dsa/microchip/ksz_common.c | 14 +-
drivers/net/dsa/mt7530.c | 12 +-
drivers/net/dsa/mv88e6xxx/Makefile | 1 +
drivers/net/dsa/mv88e6xxx/chip.c | 158 +++++++++-
drivers/net/dsa/mv88e6xxx/chip.h | 19 ++
drivers/net/dsa/mv88e6xxx/global1.h | 1 +
drivers/net/dsa/mv88e6xxx/global1_atu.c | 72 ++++-
drivers/net/dsa/mv88e6xxx/port.c | 15 +-
drivers/net/dsa/mv88e6xxx/port.h | 6 +
drivers/net/dsa/mv88e6xxx/switchdev.c | 284 ++++++++++++++++++
drivers/net/dsa/mv88e6xxx/switchdev.h | 37 +++
drivers/net/dsa/ocelot/felix.c | 12 +-
drivers/net/dsa/qca/qca8k-common.c | 10 +-
drivers/net/dsa/qca/qca8k.h | 4 +-
drivers/net/dsa/sja1105/sja1105_main.c | 14 +-
include/linux/if_bridge.h | 1 +
include/net/dsa.h | 7 +-
include/net/switchdev.h | 2 +
include/uapi/linux/if_link.h | 1 +
include/uapi/linux/neighbour.h | 11 +-
net/bridge/br.c | 5 +-
net/bridge/br_fdb.c | 77 ++++-
net/bridge/br_input.c | 20 +-
net/bridge/br_netlink.c | 12 +-
net/bridge/br_private.h | 5 +-
net/bridge/br_switchdev.c | 4 +-
net/core/rtnetlink.c | 9 +
net/dsa/dsa_priv.h | 10 +-
net/dsa/port.c | 32 +-
net/dsa/slave.c | 16 +-
net/dsa/switch.c | 24 +-
.../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++
.../net/forwarding/bridge_locked_port.sh | 106 ++++++-
.../net/forwarding/bridge_sticky_fdb.sh | 21 +-
tools/testing/selftests/net/forwarding/lib.sh | 18 ++
42 files changed, 1093 insertions(+), 117 deletions(-)
create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.c
create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.h
create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh

--
2.34.1


2022-09-28 18:22:38

by Hans Schultz

[permalink] [raw]
Subject: [PATCH v6 net-next 7/9] net: dsa: mv88e6xxx: mac-auth/MAB implementation

From: "Hans J. Schultz" <[email protected]>

This implementation for the Marvell mv88e6xxx chip series,
is based on handling ATU miss violations occurring when packets
ingress on a port that is locked. The mac address triggering
the ATU miss violation will be added to the ATU with a zero-DPV,
and is then communicated through switchdev to the bridge module,
which adds a fdb entry with the fdb locked flag set. The entry
is kept according to the bridges ageing time, thus simulating a
dynamic entry.

Additionally the driver will set the sticky and masked flags, as
the driver does not support roaming and forwarding from any port
to a locked entry.

As this is essentially a form of CPU based learning, the amount
of locked entries will be limited by a hardcoded value for now,
so as to prevent DOS attacks.

Signed-off-by: Hans J. Schultz <[email protected]>
---
drivers/net/dsa/mv88e6xxx/Makefile | 1 +
drivers/net/dsa/mv88e6xxx/chip.c | 76 +++++--
drivers/net/dsa/mv88e6xxx/chip.h | 19 ++
drivers/net/dsa/mv88e6xxx/global1.h | 1 +
drivers/net/dsa/mv88e6xxx/global1_atu.c | 12 +-
drivers/net/dsa/mv88e6xxx/port.c | 15 +-
drivers/net/dsa/mv88e6xxx/port.h | 6 +
drivers/net/dsa/mv88e6xxx/switchdev.c | 284 ++++++++++++++++++++++++
drivers/net/dsa/mv88e6xxx/switchdev.h | 37 +++
9 files changed, 429 insertions(+), 22 deletions(-)
create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.c
create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.h

diff --git a/drivers/net/dsa/mv88e6xxx/Makefile b/drivers/net/dsa/mv88e6xxx/Makefile
index c8eca2b6f959..be903a983780 100644
--- a/drivers/net/dsa/mv88e6xxx/Makefile
+++ b/drivers/net/dsa/mv88e6xxx/Makefile
@@ -15,3 +15,4 @@ mv88e6xxx-objs += port_hidden.o
mv88e6xxx-$(CONFIG_NET_DSA_MV88E6XXX_PTP) += ptp.o
mv88e6xxx-objs += serdes.o
mv88e6xxx-objs += smi.o
+mv88e6xxx-objs += switchdev.o
diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 352121cce77e..71843fe87f77 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -42,6 +42,7 @@
#include "ptp.h"
#include "serdes.h"
#include "smi.h"
+#include "switchdev.h"

static void assert_reg_lock(struct mv88e6xxx_chip *chip)
{
@@ -924,6 +925,13 @@ static void mv88e6xxx_mac_link_down(struct dsa_switch *ds, int port,
if (err)
dev_err(chip->dev,
"p%d: failed to force MAC link down\n", port);
+ else
+ if (mv88e6xxx_port_is_locked(chip, port)) {
+ err = mv88e6xxx_atu_locked_entry_flush(ds, port);
+ if (err)
+ dev_err(chip->dev,
+ "p%d: failed to clear locked entries\n", port);
+ }
}

static void mv88e6xxx_mac_link_up(struct dsa_switch *ds, int port,
@@ -1690,6 +1698,13 @@ static void mv88e6xxx_port_fast_age(struct dsa_switch *ds, int port)
struct mv88e6xxx_chip *chip = ds->priv;
int err;

+ if (mv88e6xxx_port_is_locked(chip, port)) {
+ err = mv88e6xxx_atu_locked_entry_flush(ds, port);
+ if (err)
+ dev_err(chip->ds->dev, "p%d: failed to clear locked entries: %d\n",
+ port, err);
+ }
+
mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_fast_age_fid(chip, port, 0);
mv88e6xxx_reg_unlock(chip);
@@ -1726,11 +1741,11 @@ static int mv88e6xxx_vtu_get(struct mv88e6xxx_chip *chip, u16 vid,
return err;
}

-static int mv88e6xxx_vtu_walk(struct mv88e6xxx_chip *chip,
- int (*cb)(struct mv88e6xxx_chip *chip,
- const struct mv88e6xxx_vtu_entry *entry,
- void *priv),
- void *priv)
+int mv88e6xxx_vtu_walk(struct mv88e6xxx_chip *chip,
+ int (*cb)(struct mv88e6xxx_chip *chip,
+ const struct mv88e6xxx_vtu_entry *entry,
+ void *priv),
+ void *priv)
{
struct mv88e6xxx_vtu_entry entry = {
.vid = mv88e6xxx_max_vid(chip),
@@ -2731,6 +2746,9 @@ static int mv88e6xxx_port_fdb_add(struct dsa_switch *ds, int port,
if (fdb_flags)
return 0;

+ if (mv88e6xxx_port_is_locked(chip, port))
+ mv88e6xxx_atu_locked_entry_find_purge(ds, port, addr, vid);
+
mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_db_load_purge(chip, port, addr, vid,
MV88E6XXX_G1_ATU_DATA_STATE_UC_STATIC);
@@ -2744,16 +2762,21 @@ static int mv88e6xxx_port_fdb_del(struct dsa_switch *ds, int port,
u16 fdb_flags, struct dsa_db db)
{
struct mv88e6xxx_chip *chip = ds->priv;
- int err;
+ bool locked_found = false;
+ int err = 0;

/* Ignore entries with flags set */
if (fdb_flags)
return 0;

- mv88e6xxx_reg_lock(chip);
- err = mv88e6xxx_port_db_load_purge(chip, port, addr, vid, 0);
- mv88e6xxx_reg_unlock(chip);
+ if (mv88e6xxx_port_is_locked(chip, port))
+ locked_found = mv88e6xxx_atu_locked_entry_find_purge(ds, port, addr, vid);

+ if (!locked_found) {
+ mv88e6xxx_reg_lock(chip);
+ err = mv88e6xxx_port_db_load_purge(chip, port, addr, vid, 0);
+ mv88e6xxx_reg_unlock(chip);
+ }
return err;
}

@@ -3849,11 +3872,18 @@ static int mv88e6xxx_setup(struct dsa_switch *ds)

static int mv88e6xxx_port_setup(struct dsa_switch *ds, int port)
{
- return mv88e6xxx_setup_devlink_regions_port(ds, port);
+ int err;
+
+ err = mv88e6xxx_setup_devlink_regions_port(ds, port);
+ if (!err)
+ return mv88e6xxx_init_violation_handler(ds, port);
+
+ return err;
}

static void mv88e6xxx_port_teardown(struct dsa_switch *ds, int port)
{
+ mv88e6xxx_teardown_violation_handler(ds, port);
mv88e6xxx_teardown_devlink_regions_port(ds, port);
}

@@ -6528,7 +6558,7 @@ static int mv88e6xxx_port_pre_bridge_flags(struct dsa_switch *ds, int port,
const struct mv88e6xxx_ops *ops;

if (flags.mask & ~(BR_LEARNING | BR_FLOOD | BR_MCAST_FLOOD |
- BR_BCAST_FLOOD | BR_PORT_LOCKED))
+ BR_BCAST_FLOOD | BR_PORT_LOCKED | BR_PORT_MAB))
return -EINVAL;

ops = chip->info->ops;
@@ -6549,13 +6579,13 @@ static int mv88e6xxx_port_bridge_flags(struct dsa_switch *ds, int port,
struct mv88e6xxx_chip *chip = ds->priv;
int err = -EOPNOTSUPP;

- mv88e6xxx_reg_lock(chip);
-
if (flags.mask & BR_LEARNING) {
bool learning = !!(flags.val & BR_LEARNING);
u16 pav = learning ? (1 << port) : 0;

+ mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_set_assoc_vector(chip, port, pav);
+ mv88e6xxx_reg_unlock(chip);
if (err)
goto out;
}
@@ -6563,8 +6593,10 @@ static int mv88e6xxx_port_bridge_flags(struct dsa_switch *ds, int port,
if (flags.mask & BR_FLOOD) {
bool unicast = !!(flags.val & BR_FLOOD);

+ mv88e6xxx_reg_lock(chip);
err = chip->info->ops->port_set_ucast_flood(chip, port,
unicast);
+ mv88e6xxx_reg_unlock(chip);
if (err)
goto out;
}
@@ -6572,8 +6604,10 @@ static int mv88e6xxx_port_bridge_flags(struct dsa_switch *ds, int port,
if (flags.mask & BR_MCAST_FLOOD) {
bool multicast = !!(flags.val & BR_MCAST_FLOOD);

+ mv88e6xxx_reg_lock(chip);
err = chip->info->ops->port_set_mcast_flood(chip, port,
multicast);
+ mv88e6xxx_reg_unlock(chip);
if (err)
goto out;
}
@@ -6581,20 +6615,34 @@ static int mv88e6xxx_port_bridge_flags(struct dsa_switch *ds, int port,
if (flags.mask & BR_BCAST_FLOOD) {
bool broadcast = !!(flags.val & BR_BCAST_FLOOD);

+ mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_broadcast_sync(chip, port, broadcast);
+ mv88e6xxx_reg_unlock(chip);
if (err)
goto out;
}

+ if (flags.mask & BR_PORT_MAB) {
+ chip->ports[port].mab = !!(flags.val & BR_PORT_MAB);
+
+ if (!chip->ports[port].mab)
+ err = mv88e6xxx_atu_locked_entry_flush(ds, port);
+ else
+ err = 0;
+ }
+
if (flags.mask & BR_PORT_LOCKED) {
bool locked = !!(flags.val & BR_PORT_LOCKED);

+ mv88e6xxx_reg_lock(chip);
err = mv88e6xxx_port_set_lock(chip, port, locked);
+ mv88e6xxx_reg_unlock(chip);
if (err)
goto out;
+
+ chip->ports[port].locked = locked;
}
out:
- mv88e6xxx_reg_unlock(chip);

return err;
}
diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h
index e693154cf803..180fbcf596fa 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.h
+++ b/drivers/net/dsa/mv88e6xxx/chip.h
@@ -280,6 +280,16 @@ struct mv88e6xxx_port {
unsigned int serdes_irq;
char serdes_irq_name[64];
struct devlink_region *region;
+
+ /* Locked port and MacAuth control flags */
+ bool locked;
+ bool mab;
+
+ /* List and maintenance of ATU locked entries */
+ struct mutex ale_list_lock;
+ struct list_head ale_list;
+ struct delayed_work ale_work;
+ int ale_cnt;
};

enum mv88e6xxx_region_id {
@@ -399,6 +409,9 @@ struct mv88e6xxx_chip {
int egress_dest_port;
int ingress_dest_port;

+ /* Keep the register written age time for easy access */
+ u8 age_time;
+
/* Per-port timestamping resources. */
struct mv88e6xxx_port_hwtstamp port_hwtstamp[DSA_MAX_PORTS];

@@ -802,6 +815,12 @@ static inline void mv88e6xxx_reg_unlock(struct mv88e6xxx_chip *chip)
mutex_unlock(&chip->reg_lock);
}

+int mv88e6xxx_vtu_walk(struct mv88e6xxx_chip *chip,
+ int (*cb)(struct mv88e6xxx_chip *chip,
+ const struct mv88e6xxx_vtu_entry *entry,
+ void *priv),
+ void *priv);
+
int mv88e6xxx_fid_map(struct mv88e6xxx_chip *chip, unsigned long *bitmap);

#endif /* _MV88E6XXX_CHIP_H */
diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h
index 65958b2a0d3a..503fbf216670 100644
--- a/drivers/net/dsa/mv88e6xxx/global1.h
+++ b/drivers/net/dsa/mv88e6xxx/global1.h
@@ -136,6 +136,7 @@
#define MV88E6XXX_G1_ATU_DATA_TRUNK 0x8000
#define MV88E6XXX_G1_ATU_DATA_TRUNK_ID_MASK 0x00f0
#define MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_MASK 0x3ff0
+#define MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_NO_EGRESS 0x0000
#define MV88E6XXX_G1_ATU_DATA_STATE_MASK 0x000f
#define MV88E6XXX_G1_ATU_DATA_STATE_UC_UNUSED 0x0000
#define MV88E6XXX_G1_ATU_DATA_STATE_UC_AGE_1_OLDEST 0x0001
diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
index d9dfa1159cde..67907cd00b87 100644
--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
+++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
@@ -12,6 +12,8 @@

#include "chip.h"
#include "global1.h"
+#include "port.h"
+#include "switchdev.h"

/* Offset 0x01: ATU FID Register */

@@ -54,6 +56,7 @@ int mv88e6xxx_g1_atu_set_age_time(struct mv88e6xxx_chip *chip,

/* Round to nearest multiple of coeff */
age_time = (msecs + coeff / 2) / coeff;
+ chip->age_time = age_time;

err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_ATU_CTL, &val);
if (err)
@@ -426,6 +429,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
if (err)
goto out;

+ mv88e6xxx_reg_unlock(chip);
+
spid = entry.state;

if (val & MV88E6XXX_G1_ATU_OP_AGE_OUT_VIOLATION) {
@@ -446,6 +451,12 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
"ATU miss violation for %pM portvec %x spid %d\n",
entry.mac, entry.portvec, spid);
chip->ports[spid].atu_miss_violation++;
+
+ if (fid && chip->ports[spid].mab)
+ err = mv88e6xxx_handle_violation(chip, spid, &entry, fid,
+ MV88E6XXX_G1_ATU_OP_MISS_VIOLATION);
+ if (err)
+ goto out;
}

if (val & MV88E6XXX_G1_ATU_OP_FULL_VIOLATION) {
@@ -454,7 +465,6 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
entry.mac, entry.portvec, spid);
chip->ports[spid].atu_full_violation++;
}
- mv88e6xxx_reg_unlock(chip);

return IRQ_HANDLED;

diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c
index 5c4195c635b0..67e457ce67ae 100644
--- a/drivers/net/dsa/mv88e6xxx/port.c
+++ b/drivers/net/dsa/mv88e6xxx/port.c
@@ -14,9 +14,11 @@
#include <linux/phylink.h>

#include "chip.h"
+#include "global1.h"
#include "global2.h"
#include "port.h"
#include "serdes.h"
+#include "switchdev.h"

int mv88e6xxx_port_read(struct mv88e6xxx_chip *chip, int port, int reg,
u16 *val)
@@ -1240,13 +1242,12 @@ int mv88e6xxx_port_set_lock(struct mv88e6xxx_chip *chip, int port,
if (err)
return err;

- err = mv88e6xxx_port_read(chip, port, MV88E6XXX_PORT_ASSOC_VECTOR, &reg);
- if (err)
- return err;
-
- reg &= ~MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT;
- if (locked)
- reg |= MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT;
+ reg = 0;
+ if (locked) {
+ reg = (1 << port);
+ reg |= MV88E6XXX_PORT_ASSOC_VECTOR_IGNORE_WRONG |
+ MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT;
+ }

return mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_ASSOC_VECTOR, reg);
}
diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h
index cb04243f37c1..9475bc6e95a2 100644
--- a/drivers/net/dsa/mv88e6xxx/port.h
+++ b/drivers/net/dsa/mv88e6xxx/port.h
@@ -231,6 +231,7 @@
#define MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT 0x2000
#define MV88E6XXX_PORT_ASSOC_VECTOR_IGNORE_WRONG 0x1000
#define MV88E6XXX_PORT_ASSOC_VECTOR_REFRESH_LOCKED 0x0800
+#define MV88E6XXX_PORT_ASSOC_VECTOR_PAV_MASK 0x07ff

/* Offset 0x0C: Port ATU Control */
#define MV88E6XXX_PORT_ATU_CTL 0x0c
@@ -375,6 +376,11 @@ int mv88e6xxx_port_set_pvid(struct mv88e6xxx_chip *chip, int port, u16 pvid);
int mv88e6xxx_port_set_lock(struct mv88e6xxx_chip *chip, int port,
bool locked);

+static inline bool mv88e6xxx_port_is_locked(struct mv88e6xxx_chip *chip, int port)
+{
+ return chip->ports[port].locked;
+}
+
int mv88e6xxx_port_set_8021q_mode(struct mv88e6xxx_chip *chip, int port,
u16 mode);
int mv88e6095_port_tag_remap(struct mv88e6xxx_chip *chip, int port);
diff --git a/drivers/net/dsa/mv88e6xxx/switchdev.c b/drivers/net/dsa/mv88e6xxx/switchdev.c
new file mode 100644
index 000000000000..327dbc0cfc3c
--- /dev/null
+++ b/drivers/net/dsa/mv88e6xxx/switchdev.c
@@ -0,0 +1,284 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * switchdev.c
+ *
+ * Authors:
+ * Hans J. Schultz <[email protected]>
+ *
+ */
+
+#include <net/switchdev.h>
+#include <linux/list.h>
+#include "chip.h"
+#include "global1.h"
+#include "switchdev.h"
+
+static void mv88e6xxx_atu_locked_entry_purge(struct mv88e6xxx_atu_locked_entry *ale,
+ bool notify, bool take_nl_lock)
+{
+ struct switchdev_notifier_fdb_info info = {
+ .addr = ale->mac,
+ .vid = ale->vid,
+ .locked = true,
+ .offloaded = true,
+ };
+ struct mv88e6xxx_atu_entry entry;
+ struct net_device *brport;
+ struct dsa_port *dp;
+
+ entry.portvec = MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_NO_EGRESS;
+ entry.state = MV88E6XXX_G1_ATU_DATA_STATE_UC_UNUSED;
+ entry.trunk = false;
+ ether_addr_copy(entry.mac, ale->mac);
+
+ mv88e6xxx_reg_lock(ale->chip);
+ mv88e6xxx_g1_atu_loadpurge(ale->chip, ale->fid, &entry);
+ mv88e6xxx_reg_unlock(ale->chip);
+
+ dp = dsa_to_port(ale->chip->ds, ale->port);
+
+ if (notify) {
+ if (take_nl_lock)
+ rtnl_lock();
+ brport = dsa_port_to_bridge_port(dp);
+
+ if (brport) {
+ call_switchdev_notifiers(SWITCHDEV_FDB_DEL_TO_BRIDGE,
+ brport, &info.info, NULL);
+ } else {
+ dev_err(ale->chip->dev, "No bridge port for dsa port belonging to port %d\n",
+ ale->port);
+ }
+ if (take_nl_lock)
+ rtnl_unlock();
+ }
+
+ list_del(&ale->list);
+ kfree(ale);
+}
+
+static void mv88e6xxx_atu_locked_entry_cleanup(struct work_struct *work)
+{
+ struct mv88e6xxx_port *p = container_of(work, struct mv88e6xxx_port, ale_work.work);
+ struct mv88e6xxx_atu_locked_entry *ale, *tmp;
+
+ mutex_lock(&p->ale_list_lock);
+ list_for_each_entry_safe(ale, tmp, &p->ale_list, list) {
+ if (time_after(jiffies, ale->expires)) {
+ mv88e6xxx_atu_locked_entry_purge(ale, true, true);
+ p->ale_cnt--;
+ }
+ }
+ mutex_unlock(&p->ale_list_lock);
+
+ mod_delayed_work(system_long_wq, &p->ale_work, msecs_to_jiffies(100));
+}
+
+static int mv88e6xxx_new_atu_locked_entry(struct mv88e6xxx_chip *chip, const unsigned char *addr,
+ int port, u16 fid, u16 vid,
+ struct mv88e6xxx_atu_locked_entry **alep)
+{
+ struct mv88e6xxx_atu_locked_entry *ale;
+ unsigned long now, age_time;
+
+ ale = kmalloc(sizeof(*ale), GFP_ATOMIC);
+ if (!ale)
+ return -ENOMEM;
+
+ ether_addr_copy(ale->mac, addr);
+ ale->chip = chip;
+ ale->port = port;
+ ale->fid = fid;
+ ale->vid = vid;
+ now = jiffies;
+ age_time = chip->age_time * chip->info->age_time_coeff;
+ ale->expires = now + age_time;
+
+ *alep = ale;
+ return 0;
+}
+
+struct mv88e6xxx_fid_search_ctx {
+ u16 fid_search;
+ u16 vid_found;
+};
+
+static int mv88e6xxx_find_vid_on_matching_fid(struct mv88e6xxx_chip *chip,
+ const struct mv88e6xxx_vtu_entry *entry,
+ void *priv)
+{
+ struct mv88e6xxx_fid_search_ctx *ctx = priv;
+
+ if (ctx->fid_search == entry->fid) {
+ ctx->vid_found = entry->vid;
+ return 1;
+ }
+
+ return 0;
+}
+
+int mv88e6xxx_handle_violation(struct mv88e6xxx_chip *chip, int port,
+ struct mv88e6xxx_atu_entry *entry,
+ u16 fid, u16 type)
+{
+ struct switchdev_notifier_fdb_info info = {
+ .addr = entry->mac,
+ .vid = 0,
+ .is_local = true,
+ .locked = true,
+ .blackhole = true,
+ .offloaded = true,
+ };
+ struct mv88e6xxx_atu_locked_entry *ale;
+ struct mv88e6xxx_fid_search_ctx ctx;
+ struct net_device *brport;
+ struct mv88e6xxx_port *p;
+ struct dsa_port *dp;
+ int err;
+
+ if (!mv88e6xxx_is_invalid_port(chip, port))
+ p = &chip->ports[port];
+ else
+ return -ENODEV;
+
+ ctx.fid_search = fid;
+ mv88e6xxx_reg_lock(chip);
+ err = mv88e6xxx_vtu_walk(chip, mv88e6xxx_find_vid_on_matching_fid, &ctx);
+ mv88e6xxx_reg_unlock(chip);
+ if (err < 0)
+ return err;
+ if (err == 1)
+ info.vid = ctx.vid_found;
+ else
+ return -ENODATA;
+
+ switch (type) {
+ case MV88E6XXX_G1_ATU_OP_MISS_VIOLATION:
+ mutex_lock(&p->ale_list_lock);
+ if (p->ale_cnt >= ATU_LOCKED_ENTRIES_MAX)
+ goto exit;
+ mutex_unlock(&p->ale_list_lock);
+ entry->portvec = MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_NO_EGRESS;
+ entry->state = MV88E6XXX_G1_ATU_DATA_STATE_UC_STATIC;
+ entry->trunk = false;
+
+ mv88e6xxx_reg_lock(chip);
+ err = mv88e6xxx_g1_atu_loadpurge(chip, fid, entry);
+ if (err)
+ goto fail;
+ mv88e6xxx_reg_unlock(chip);
+
+ dp = dsa_to_port(chip->ds, port);
+ err = mv88e6xxx_new_atu_locked_entry(chip, entry->mac, port, fid,
+ info.vid, &ale);
+ if (err)
+ return err;
+
+ mutex_lock(&p->ale_list_lock);
+ list_add(&ale->list, &p->ale_list);
+ p->ale_cnt++;
+ mutex_unlock(&p->ale_list_lock);
+
+ rtnl_lock();
+ brport = dsa_port_to_bridge_port(dp);
+ if (!brport) {
+ rtnl_unlock();
+ return -ENODEV;
+ }
+ err = call_switchdev_notifiers(SWITCHDEV_FDB_ADD_TO_BRIDGE,
+ brport, &info.info, NULL);
+ rtnl_unlock();
+ break;
+ }
+
+ return err;
+
+fail:
+ mv88e6xxx_reg_unlock(chip);
+ return err;
+
+exit:
+ mutex_unlock(&p->ale_list_lock);
+ return 0;
+}
+
+bool mv88e6xxx_atu_locked_entry_find_purge(struct dsa_switch *ds, int port,
+ const unsigned char *addr, u16 vid)
+{
+ struct mv88e6xxx_atu_locked_entry *ale, *tmp;
+ struct mv88e6xxx_chip *chip = ds->priv;
+ struct mv88e6xxx_port *p;
+ bool found = false;
+
+ p = &chip->ports[port];
+ mutex_lock(&p->ale_list_lock);
+ list_for_each_entry_safe(ale, tmp, &p->ale_list, list) {
+ if (ether_addr_equal(ale->mac, addr) == 0) {
+ if (ale->vid == vid) {
+ mv88e6xxx_atu_locked_entry_purge(ale, false, false);
+ p->ale_cnt--;
+ found = true;
+ break;
+ }
+ }
+ }
+ mutex_unlock(&p->ale_list_lock);
+ return found;
+}
+
+int mv88e6xxx_atu_locked_entry_flush(struct dsa_switch *ds, int port)
+{
+ struct mv88e6xxx_atu_locked_entry *ale, *tmp;
+ struct mv88e6xxx_chip *chip = ds->priv;
+ struct mv88e6xxx_port *p;
+
+ if (!mv88e6xxx_is_invalid_port(chip, port))
+ p = &chip->ports[port];
+ else
+ return -ENODEV;
+
+ mutex_lock(&p->ale_list_lock);
+ list_for_each_entry_safe(ale, tmp, &p->ale_list, list) {
+ mv88e6xxx_atu_locked_entry_purge(ale, true, false);
+ p->ale_cnt--;
+ }
+ mutex_unlock(&p->ale_list_lock);
+
+ return 0;
+}
+
+int mv88e6xxx_init_violation_handler(struct dsa_switch *ds, int port)
+{
+ struct mv88e6xxx_chip *chip = ds->priv;
+ struct mv88e6xxx_port *p;
+
+ if (!mv88e6xxx_is_invalid_port(chip, port))
+ p = &chip->ports[port];
+ else
+ return -ENODEV;
+
+ INIT_LIST_HEAD(&p->ale_list);
+ mutex_init(&p->ale_list_lock);
+ p->ale_cnt = 0;
+ INIT_DELAYED_WORK(&p->ale_work, mv88e6xxx_atu_locked_entry_cleanup);
+ mod_delayed_work(system_long_wq, &p->ale_work, msecs_to_jiffies(500));
+
+ return 0;
+}
+
+int mv88e6xxx_teardown_violation_handler(struct dsa_switch *ds, int port)
+{
+ struct mv88e6xxx_chip *chip = ds->priv;
+ struct mv88e6xxx_port *p;
+
+ if (!mv88e6xxx_is_invalid_port(chip, port))
+ p = &chip->ports[port];
+ else
+ return -ENODEV;
+
+ cancel_delayed_work(&p->ale_work);
+ mv88e6xxx_atu_locked_entry_flush(ds, port);
+ mutex_destroy(&p->ale_list_lock);
+
+ return 0;
+}
diff --git a/drivers/net/dsa/mv88e6xxx/switchdev.h b/drivers/net/dsa/mv88e6xxx/switchdev.h
new file mode 100644
index 000000000000..df2005c36f47
--- /dev/null
+++ b/drivers/net/dsa/mv88e6xxx/switchdev.h
@@ -0,0 +1,37 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * switchdev.h
+ *
+ * Authors:
+ * Hans J. Schultz <[email protected]>
+ *
+ */
+
+#ifndef DRIVERS_NET_DSA_MV88E6XXX_SWITCHDEV_H_
+#define DRIVERS_NET_DSA_MV88E6XXX_SWITCHDEV_H_
+
+#include <net/switchdev.h>
+#include "chip.h"
+
+#define ATU_LOCKED_ENTRIES_MAX 64
+
+struct mv88e6xxx_atu_locked_entry {
+ struct list_head list;
+ struct mv88e6xxx_chip *chip;
+ int port;
+ u8 mac[ETH_ALEN];
+ u16 fid;
+ u16 vid;
+ unsigned long expires;
+};
+
+int mv88e6xxx_handle_violation(struct mv88e6xxx_chip *chip, int port,
+ struct mv88e6xxx_atu_entry *entry,
+ u16 fid, u16 type);
+bool mv88e6xxx_atu_locked_entry_find_purge(struct dsa_switch *ds, int port,
+ const unsigned char *addr, u16 vid);
+int mv88e6xxx_atu_locked_entry_flush(struct dsa_switch *ds, int port);
+int mv88e6xxx_init_violation_handler(struct dsa_switch *ds, int port);
+int mv88e6xxx_teardown_violation_handler(struct dsa_switch *ds, int port);
+
+#endif /* DRIVERS_NET_DSA_MV88E6XXX_SWITCHDEV_H_ */
--
2.34.1

2022-09-28 18:23:06

by Hans Schultz

[permalink] [raw]
Subject: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

From: "Hans J. Schultz" <[email protected]>

Verify that the MAC-Auth mechanism works by adding a FDB entry with the
locked flag set, denying access until the FDB entry is replaced with a
FDB entry without the locked flag set.

Add test of blackhole fdb entries, verifying that there is no forwarding
to a blackhole entry from any port, and that the blackhole entry can be
replaced.

Also add a test that verifies that sticky FDB entries cannot roam (this
is not needed for now, but should in general be present anyhow for future
applications).

Signed-off-by: Hans J. Schultz <[email protected]>
---
.../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++++++++++++
.../net/forwarding/bridge_locked_port.sh | 106 +++++++++++++++++-
.../net/forwarding/bridge_sticky_fdb.sh | 21 +++-
tools/testing/selftests/net/forwarding/lib.sh | 18 +++
4 files changed, 245 insertions(+), 2 deletions(-)
create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh

diff --git a/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
new file mode 100755
index 000000000000..54b1a51e1ed6
--- /dev/null
+++ b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+ALL_TESTS="blackhole_fdb"
+NUM_NETIFS=4
+source lib.sh
+
+switch_create()
+{
+ ip link add dev br0 type bridge
+
+ ip link set dev $swp1 master br0
+ ip link set dev $swp2 master br0
+
+ ip link set dev br0 up
+ ip link set dev $h1 up
+ ip link set dev $swp1 up
+ ip link set dev $h2 up
+ ip link set dev $swp2 up
+
+ tc qdisc add dev $swp2 clsact
+}
+
+switch_destroy()
+{
+ tc qdisc del dev $swp2 clsact
+
+ ip link set dev $swp2 down
+ ip link set dev $h2 down
+ ip link set dev $swp1 down
+ ip link set dev $h1 down
+
+ ip link del dev br0
+}
+
+setup_prepare()
+{
+ h1=${NETIFS[p1]}
+ swp1=${NETIFS[p2]}
+ h2=${NETIFS[p3]}
+ swp2=${NETIFS[p4]}
+
+ switch_create
+}
+
+cleanup()
+{
+ pre_cleanup
+ switch_destroy
+}
+
+# Check that there is no egress with blackhole entry and that blackhole entries can be replaced
+blackhole_fdb()
+{
+ RET=0
+
+ check_blackhole_fdb_support || return 0
+
+ tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \
+ dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 1
+ check_err $? "Packet not seen on egress before adding blackhole entry"
+
+ bridge fdb add `mac_get $h2` dev br0 blackhole
+ bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
+ check_err $? "Blackhole entry not found"
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 1
+ check_err $? "Packet seen on egress after adding blackhole entry"
+
+ # Check blackhole entries can be replaced.
+ bridge fdb replace `mac_get $h2` dev $swp2 master static
+ bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
+ check_fail $? "Blackhole entry found after replacement"
+
+ $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
+ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
+
+ tc_check_packets "dev $swp2 egress" 1 2
+ check_err $? "Packet not seen on egress after replacing blackhole entry"
+
+ bridge fdb del `mac_get $h2` dev $swp2 master static
+ tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower
+
+ log_test "Blackhole FDB entry"
+}
+
+trap cleanup EXIT
+
+setup_prepare
+setup_wait
+
+tests_run
+
+exit $EXIT_STATUS
diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
index 5b02b6b60ce7..59b8b7666eab 100755
--- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
@@ -1,7 +1,15 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

-ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
+ALL_TESTS="
+ locked_port_ipv4
+ locked_port_ipv6
+ locked_port_vlan
+ locked_port_mab
+ locked_port_station_move
+ locked_port_mab_station_move
+"
+
NUM_NETIFS=4
CHECK_TC="no"
source lib.sh
@@ -166,6 +174,102 @@ locked_port_ipv6()
log_test "Locked port ipv6"
}

+locked_port_mab()
+{
+ RET=0
+ check_locked_port_support || return 0
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work before locking port"
+
+ bridge link set dev $swp1 locked on
+ check_port_mab_support $swp1 || return 0
+
+ ping_do $h1 192.0.2.2
+ check_fail $? "MAB: Ping worked on locked port without FDB entry"
+
+ bridge fdb show | grep `mac_get $h1` | grep -q "locked"
+ check_err $? "MAB: No locked fdb entry after ping on locked port"
+
+ bridge fdb replace `mac_get $h1` dev $swp1 master static
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work with fdb entry without locked flag"
+
+ bridge fdb del `mac_get $h1` dev $swp1 master
+ bridge link set dev $swp1 locked off mab off
+
+ log_test "Locked port MAB"
+}
+
+# No roaming allowed to a simple locked port
+locked_port_station_move()
+{
+ local mac=a0:b0:c0:c0:b0:a0
+
+ RET=0
+ check_locked_port_support || return 0
+
+ bridge link set dev $swp1 locked on
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
+ check_fail $? "Locked port station move: FDB entry on first injection"
+
+ $MZ $h2 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
+ check_err $? "Locked port station move: Entry not found on unlocked port"
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
+ check_fail $? "Locked port station move: entry roamed to locked port"
+
+ bridge link set dev $swp1 locked off
+
+ log_test "Locked port station move"
+}
+
+# Roaming to and from a MAB enabled port should work if sticky flag is not set
+locked_port_mab_station_move()
+{
+ local mac=10:20:30:30:20:10
+
+ RET=0
+ check_locked_port_support || return 0
+
+ bridge link set dev $swp1 locked on
+
+ check_port_mab_support $swp1 || return 0
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ if bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "permanent"; then
+ echo "SKIP: Roaming not possible with local flag, skipping test..."
+ bridge link set dev $swp1 locked off mab off
+ return $ksft_skip
+ fi
+
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+ check_err $? "MAB station move: no locked entry on first injection"
+
+ $MZ $h2 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+ check_fail $? "MAB station move: locked entry did not move"
+
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "locked"
+ check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
+
+ bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
+ check_err $? "MAB station move: roamed entry not found"
+
+ $MZ $h1 -q -t udp -a $mac -b rand
+ bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep "master br0" | grep -q "locked"
+ check_fail $? "MAB station move: entry roamed back to locked port"
+
+ bridge link set dev $swp1 locked off mab off
+
+ log_test "Locked port MAB station move"
+}
+
trap cleanup EXIT

setup_prepare
diff --git a/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
index 1f8ef0eff862..bca77bc3fe09 100755
--- a/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_sticky_fdb.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

-ALL_TESTS="sticky"
+ALL_TESTS="sticky sticky_no_roaming"
NUM_NETIFS=4
TEST_MAC=de:ad:be:ef:13:37
source lib.sh
@@ -59,6 +59,25 @@ sticky()
log_test "Sticky fdb entry"
}

+# No roaming allowed with the sticky flag set
+sticky_no_roaming()
+{
+ local mac=a8:b4:c2:c2:b4:a8
+
+ RET=0
+
+ bridge link set dev $swp2 learning on
+ bridge fdb add $mac dev $swp1 master static sticky
+ bridge fdb show dev $swp1 | grep "$mac master br0" | grep -q sticky
+ check_err $? "Sticky no roaming: No sticky FDB entry found after adding"
+
+ $MZ $h2 -q -t udp -c 10 -d 100msec -a $mac -b rand
+ bridge fdb show dev $swp2 | grep "$mac master br0" | grep -q sticky
+ check_fail $? "Sticky no roaming: Sticky entry roamed"
+
+ log_test "Sticky no roaming"
+}
+
trap cleanup EXIT

setup_prepare
diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
index 3ffb9d6c0950..642fbf217c20 100755
--- a/tools/testing/selftests/net/forwarding/lib.sh
+++ b/tools/testing/selftests/net/forwarding/lib.sh
@@ -137,6 +137,24 @@ check_locked_port_support()
fi
}

+check_port_mab_support()
+{
+ local dev=$1;
+
+ if ! bridge link set dev $dev mab on 2>/dev/null; then
+ echo "SKIP: iproute2 too old; MacAuth feature not supported."
+ return $ksft_skip
+ fi
+}
+
+check_blackhole_fdb_support()
+{
+ if ! bridge fdb help | grep -q "blackhole"; then
+ echo "SKIP: Blackhole fdb feature not supported."
+ return $ksft_skip
+ fi
+}
+
if [[ "$(id -u)" -ne 0 ]]; then
echo "SKIP: need root privileges"
exit $ksft_skip
--
2.34.1

2022-09-28 18:47:26

by Hans Schultz

[permalink] [raw]
Subject: [PATCH v6 net-next 8/9] net: dsa: mv88e6xxx: add blackhole ATU entries

From: "Hans J. Schultz" <[email protected]>

Blackhole FDB entries can now be added, deleted or replaced in the
driver ATU.

Signed-off-by: Hans J. Schultz <[email protected]>
---
drivers/net/dsa/mv88e6xxx/chip.c | 78 ++++++++++++++++++++++++++++++--
1 file changed, 74 insertions(+), 4 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 71843fe87f77..a17f30e5d4a6 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -2735,6 +2735,72 @@ static int mv88e6xxx_vlan_msti_set(struct dsa_switch *ds,
return err;
}

+struct mv88e6xxx_vid_search_ctx {
+ u16 vid_search;
+ u16 fid_found;
+};
+
+static int mv88e6xxx_find_fid_on_matching_vid(struct mv88e6xxx_chip *chip,
+ const struct mv88e6xxx_vtu_entry *entry,
+ void *priv)
+{
+ struct mv88e6xxx_vid_search_ctx *ctx = priv;
+
+ if (ctx->vid_search == entry->vid) {
+ ctx->fid_found = entry->fid;
+ return 1;
+ }
+
+ return 0;
+}
+
+static int mv88e6xxx_blackhole_fdb_loadpurge(struct dsa_switch *ds,
+ const unsigned char *addr, u16 vid, u8 state)
+{
+ struct mv88e6xxx_chip *chip = ds->priv;
+ struct mv88e6xxx_vid_search_ctx ctx;
+ struct mv88e6xxx_atu_entry entry;
+ u16 fid = 0;
+ int err;
+
+ ether_addr_copy(entry.mac, addr);
+ entry.portvec = MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_NO_EGRESS;
+ entry.state = state;
+ entry.trunk = false;
+
+ ctx.vid_search = vid;
+ mv88e6xxx_reg_lock(chip);
+ err = mv88e6xxx_vtu_walk(chip, mv88e6xxx_find_fid_on_matching_vid, &ctx);
+ mv88e6xxx_reg_unlock(chip);
+ if (err < 0)
+ return err;
+ if (err == 1)
+ fid = ctx.fid_found;
+ else
+ return -ENODATA;
+
+ if (!fid)
+ return -ENODATA;
+
+ mv88e6xxx_reg_lock(chip);
+ err = mv88e6xxx_g1_atu_loadpurge(chip, fid, &entry);
+ mv88e6xxx_reg_unlock(chip);
+
+ return err;
+}
+
+int mv88e6xxx_blackhole_fdb_add(struct dsa_switch *ds, const unsigned char *addr, u16 vid)
+{
+ return mv88e6xxx_blackhole_fdb_loadpurge(ds, addr, vid,
+ MV88E6XXX_G1_ATU_DATA_STATE_UC_STATIC);
+}
+
+int mv88e6xxx_blackhole_fdb_del(struct dsa_switch *ds, const unsigned char *addr, u16 vid)
+{
+ return mv88e6xxx_blackhole_fdb_loadpurge(ds, addr, vid,
+ MV88E6XXX_G1_ATU_DATA_STATE_UC_UNUSED);
+}
+
static int mv88e6xxx_port_fdb_add(struct dsa_switch *ds, int port,
const unsigned char *addr, u16 vid,
u16 fdb_flags, struct dsa_db db)
@@ -2742,9 +2808,12 @@ static int mv88e6xxx_port_fdb_add(struct dsa_switch *ds, int port,
struct mv88e6xxx_chip *chip = ds->priv;
int err;

- /* Ignore entries with flags set */
- if (fdb_flags)
+ if (fdb_flags & DSA_FDB_FLAG_LOCKED)
return 0;
+ if (fdb_flags & DSA_FDB_FLAG_BLACKHOLE) {
+ mv88e6xxx_blackhole_fdb_del(ds, addr, vid);
+ return mv88e6xxx_blackhole_fdb_add(ds, addr, vid);
+ }

if (mv88e6xxx_port_is_locked(chip, port))
mv88e6xxx_atu_locked_entry_find_purge(ds, port, addr, vid);
@@ -2765,9 +2834,10 @@ static int mv88e6xxx_port_fdb_del(struct dsa_switch *ds, int port,
bool locked_found = false;
int err = 0;

- /* Ignore entries with flags set */
- if (fdb_flags)
+ if (fdb_flags & DSA_FDB_FLAG_LOCKED)
return 0;
+ if (fdb_flags & DSA_FDB_FLAG_BLACKHOLE)
+ return mv88e6xxx_blackhole_fdb_del(ds, addr, vid);

if (mv88e6xxx_port_is_locked(chip, port))
locked_found = mv88e6xxx_atu_locked_entry_find_purge(ds, port, addr, vid);
--
2.34.1

2022-09-28 19:16:22

by Hans Schultz

[permalink] [raw]
Subject: [PATCH v6 net-next 6/9] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations

From: "Hans J. Schultz" <[email protected]>

The FID is needed to get hold of which VID was involved in a violation,
thus the need to be able to read the FID.

For convenience the function mv88e6xxx_g1_atu_op() has been used to read
ATU violations, but the function invalidates reading the fid, so to both
read ATU violations without zeroing the fid, and read the fid, functions
have been added to ensure both are done correctly.

Signed-off-by: Hans J. Schultz <[email protected]>
---
drivers/net/dsa/mv88e6xxx/global1_atu.c | 60 ++++++++++++++++++++++---
1 file changed, 55 insertions(+), 5 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
index 40bd67a5c8e9..d9dfa1159cde 100644
--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
+++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
@@ -114,6 +114,19 @@ static int mv88e6xxx_g1_atu_op_wait(struct mv88e6xxx_chip *chip)
return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_ATU_OP, bit, 0);
}

+static int mv88e6xxx_g1_read_atu_violation(struct mv88e6xxx_chip *chip)
+{
+ int err;
+
+ err = mv88e6xxx_g1_write(chip, MV88E6XXX_G1_ATU_OP,
+ MV88E6XXX_G1_ATU_OP_BUSY |
+ MV88E6XXX_G1_ATU_OP_GET_CLR_VIOLATION);
+ if (err)
+ return err;
+
+ return mv88e6xxx_g1_atu_op_wait(chip);
+}
+
static int mv88e6xxx_g1_atu_op(struct mv88e6xxx_chip *chip, u16 fid, u16 op)
{
u16 val;
@@ -159,6 +172,41 @@ int mv88e6xxx_g1_atu_get_next(struct mv88e6xxx_chip *chip, u16 fid)
return mv88e6xxx_g1_atu_op(chip, fid, MV88E6XXX_G1_ATU_OP_GET_NEXT_DB);
}

+static int mv88e6xxx_g1_atu_fid_read(struct mv88e6xxx_chip *chip, u16 *fid)
+{
+ u16 val = 0, upper = 0, op = 0;
+ int err = -EOPNOTSUPP;
+
+ if (mv88e6xxx_num_databases(chip) > 256) {
+ err = mv88e6xxx_g1_read(chip, MV88E6352_G1_ATU_FID, &val);
+ val &= 0xfff;
+ if (err)
+ return err;
+ } else {
+ err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_ATU_OP, &op);
+ if (err)
+ return err;
+ if (mv88e6xxx_num_databases(chip) > 64) {
+ /* ATU DBNum[7:4] are located in ATU Control 15:12 */
+ err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_ATU_CTL, &upper);
+ if (err)
+ return err;
+
+ upper = (upper >> 8) & 0x00f0;
+ } else if (mv88e6xxx_num_databases(chip) > 16) {
+ /* ATU DBNum[5:4] are located in ATU Operation 9:8 */
+
+ upper = (op >> 4) & 0x30;
+ }
+ /* ATU DBNum[3:0] are located in ATU Operation 3:0 */
+
+ val = (op & 0xf) | upper;
+ }
+ *fid = val;
+
+ return err;
+}
+
/* Offset 0x0C: ATU Data Register */

static int mv88e6xxx_g1_atu_data_read(struct mv88e6xxx_chip *chip,
@@ -353,14 +401,12 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
{
struct mv88e6xxx_chip *chip = dev_id;
struct mv88e6xxx_atu_entry entry;
- int spid;
- int err;
- u16 val;
+ int err, spid;
+ u16 val, fid;

mv88e6xxx_reg_lock(chip);

- err = mv88e6xxx_g1_atu_op(chip, 0,
- MV88E6XXX_G1_ATU_OP_GET_CLR_VIOLATION);
+ err = mv88e6xxx_g1_read_atu_violation(chip);
if (err)
goto out;

@@ -368,6 +414,10 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
if (err)
goto out;

+ err = mv88e6xxx_g1_atu_fid_read(chip, &fid);
+ if (err)
+ goto out;
+
err = mv88e6xxx_g1_atu_data_read(chip, &entry);
if (err)
goto out;
--
2.34.1

2022-09-29 16:14:15

by Jakub Kicinski

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On Wed, 28 Sep 2022 17:02:47 +0200 Hans Schultz wrote:
> From: "Hans J. Schultz" <[email protected]>
>
> This patch set extends the locked port feature for devices
> that are behind a locked port, but do not have the ability to
> authorize themselves as a supplicant using IEEE 802.1X.
> Such devices can be printers, meters or anything related to
> fixed installations. Instead of 802.1X authorization, devices
> can get access based on their MAC addresses being whitelisted.

Try a allmodconfig build on latest net-next, seems broken.

2022-09-29 17:21:35

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On 2022-09-29 18:10, Jakub Kicinski wrote:
> On Wed, 28 Sep 2022 17:02:47 +0200 Hans Schultz wrote:
>> From: "Hans J. Schultz" <[email protected]>
>>
>> This patch set extends the locked port feature for devices
>> that are behind a locked port, but do not have the ability to
>> authorize themselves as a supplicant using IEEE 802.1X.
>> Such devices can be printers, meters or anything related to
>> fixed installations. Instead of 802.1X authorization, devices
>> can get access based on their MAC addresses being whitelisted.
>
> Try a allmodconfig build on latest net-next, seems broken.

I have all different switch drivers enabled and I see no compile
warnings or errors. I guess I will get a robot update if that is the
case, but please be specific as to what does not build.

2022-09-29 18:44:17

by Jakub Kicinski

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On Thu, 29 Sep 2022 18:37:09 +0200 [email protected] wrote:
> On 2022-09-29 18:10, Jakub Kicinski wrote:
> > On Wed, 28 Sep 2022 17:02:47 +0200 Hans Schultz wrote:
> >> From: "Hans J. Schultz" <[email protected]>
> >>
> >> This patch set extends the locked port feature for devices
> >> that are behind a locked port, but do not have the ability to
> >> authorize themselves as a supplicant using IEEE 802.1X.
> >> Such devices can be printers, meters or anything related to
> >> fixed installations. Instead of 802.1X authorization, devices
> >> can get access based on their MAC addresses being whitelisted.
> >
> > Try a allmodconfig build on latest net-next, seems broken.
>
> I have all different switch drivers enabled and I see no compile
> warnings or errors.

Just do what I told you - rebase on net-next, allmodconfig.

> I guess I will get a robot update if that is the
> case but please be specific as to what does not build.

The maintainers simply don't have time to hold everyone by the hand.
Sometimes I wish it was still okay to yell at people who post code
which does not build. Oh well.

../drivers/net/dsa/qca/qca8k-common.c:810:5: error: conflicting types for ‘qca8k_port_fdb_del’
int qca8k_port_fdb_del(struct dsa_switch *ds, int port,
^~~~~~~~~~~~~~~~~~
In file included from ../drivers/net/dsa/qca/qca8k-common.c:13:
../drivers/net/dsa/qca/qca8k.h:483:5: note: previous declaration of ‘qca8k_port_fdb_del’ was here
int qca8k_port_fdb_del(struct dsa_switch *ds, int port,
^~~~~~~~~~~~~~~~~~
../drivers/net/dsa/qca/qca8k-common.c: In function ‘qca8k_port_fdb_del’:
../drivers/net/dsa/qca/qca8k-common.c:818:6: error: ‘fdb_flags’ undeclared (first use in this function); did you mean ‘tsq_flags’?
if (fdb_flags)
^~~~~~~~~
tsq_flags
../drivers/net/dsa/qca/qca8k-common.c:818:6: note: each undeclared identifier is reported only once for each function it appears in
make[5]: *** [../scripts/Makefile.build:249: drivers/net/dsa/qca/qca8k-common.o] Error 1
make[5]: *** Waiting for unfinished jobs....
make[4]: *** [../scripts/Makefile.build:465: drivers/net/dsa/qca] Error 2
make[4]: *** Waiting for unfinished jobs....
../drivers/net/dsa/sja1105/sja1105_main.c: In function ‘sja1105_fast_age’:
../drivers/net/dsa/sja1105/sja1105_main.c:1941:61: error: incompatible type for argument 5 of ‘sja1105_fdb_del’
rc = sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db);
^~
../drivers/net/dsa/sja1105/sja1105_main.c:1831:11: note: expected ‘u16’ {aka ‘short unsigned int’} but argument is of type ‘struct dsa_db’
u16 fdb_flags, struct dsa_db db)
~~~~^~~~~~~~~
../drivers/net/dsa/sja1105/sja1105_main.c:1941:8: error: too few arguments to function ‘sja1105_fdb_del’
rc = sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db);
^~~~~~~~~~~~~~~
../drivers/net/dsa/sja1105/sja1105_main.c:1829:12: note: declared here
static int sja1105_fdb_del(struct dsa_switch *ds, int port,
^~~~~~~~~~~~~~~
../drivers/net/dsa/sja1105/sja1105_main.c: In function ‘sja1105_mdb_del’:
../drivers/net/dsa/sja1105/sja1105_main.c:1962:56: error: incompatible type for argument 5 of ‘sja1105_fdb_del’
return sja1105_fdb_del(ds, port, mdb->addr, mdb->vid, db);
^~
../drivers/net/dsa/sja1105/sja1105_main.c:1831:11: note: expected ‘u16’ {aka ‘short unsigned int’} but argument is of type ‘struct dsa_db’
u16 fdb_flags, struct dsa_db db)
~~~~^~~~~~~~~
../drivers/net/dsa/sja1105/sja1105_main.c:1962:9: error: too few arguments to function ‘sja1105_fdb_del’
return sja1105_fdb_del(ds, port, mdb->addr, mdb->vid, db);
^~~~~~~~~~~~~~~
../drivers/net/dsa/sja1105/sja1105_main.c:1829:12: note: declared here
static int sja1105_fdb_del(struct dsa_switch *ds, int port,
^~~~~~~~~~~~~~~
../drivers/net/dsa/sja1105/sja1105_main.c:1963:1: error: control reaches end of non-void function [-Werror=return-type]
}
^
cc1: some warnings being treated as errors
make[5]: *** [../scripts/Makefile.build:249: drivers/net/dsa/sja1105/sja1105_main.o] Error 1
make[5]: *** Waiting for unfinished jobs....
make[4]: *** [../scripts/Makefile.build:465: drivers/net/dsa/sja1105] Error 2
make[3]: *** [../scripts/Makefile.build:465: drivers/net/dsa] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [../scripts/Makefile.build:465: drivers/net] Error 2
make[1]: *** [/home/kicinski/linux/Makefile:1852: drivers] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:222: __sub-make] Error 2

2022-09-30 05:55:26

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On 2022-09-29 20:27, Jakub Kicinski wrote:
> On Thu, 29 Sep 2022 18:37:09 +0200 [email protected] wrote:
>> On 2022-09-29 18:10, Jakub Kicinski wrote:
>> > On Wed, 28 Sep 2022 17:02:47 +0200 Hans Schultz wrote:
>> >> From: "Hans J. Schultz" <[email protected]>
>> >>
>> >> This patch set extends the locked port feature for devices
>> >> that are behind a locked port, but do not have the ability to
>> >> authorize themselves as a supplicant using IEEE 802.1X.
>> >> Such devices can be printers, meters or anything related to
>> >> fixed installations. Instead of 802.1X authorization, devices
>> >> can get access based on their MAC addresses being whitelisted.
>> >
>> > Try a allmodconfig build on latest net-next, seems broken.

Obviously my method of selecting all switchcore drivers with sub-options
under menuconfig was not sufficient, and I didn't know of the
allmodconfig option, otherwise I would have used it.

So the question is if I should repost the fixed patch-set or I need to
make a new version?

Anyhow I hope that there will not be problems when running the
selftests, as I have not been able to do so with my system, so there can
be more that needs to be changed.

If anyone needs it, here is the compile fix patch:

diff --git a/drivers/net/dsa/qca/qca8k-common.c
b/drivers/net/dsa/qca/qca8k-common.c
index 0c5f49de6729..e26a9a483955 100644
--- a/drivers/net/dsa/qca/qca8k-common.c
+++ b/drivers/net/dsa/qca/qca8k-common.c
@@ -809,7 +809,7 @@ int qca8k_port_fdb_add(struct dsa_switch *ds, int
port,

int qca8k_port_fdb_del(struct dsa_switch *ds, int port,
const unsigned char *addr, u16 vid,
- struct dsa_db db)
+ u16 fdb_flags, struct dsa_db db)
{
struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
u16 port_mask = BIT(port);
diff --git a/drivers/net/dsa/sja1105/sja1105_main.c
b/drivers/net/dsa/sja1105/sja1105_main.c
index 1f12a5b89c91..526177813d53 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1938,7 +1938,7 @@ static void sja1105_fast_age(struct dsa_switch
*ds, int port)

u64_to_ether_addr(l2_lookup.macaddr, macaddr);

- rc = sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db);
+ rc = sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, 0, db);
if (rc) {
dev_err(ds->dev,
"Failed to delete FDB entry %pM vid %lld: %pe\n",
@@ -1952,14 +1952,14 @@ static int sja1105_mdb_add(struct dsa_switch
*ds, int port,
const struct switchdev_obj_port_mdb *mdb,
struct dsa_db db)
{
- return sja1105_fdb_add(ds, port, mdb->addr, mdb->vid, false, db);
+ return sja1105_fdb_add(ds, port, mdb->addr, mdb->vid, 0, db);
}

static int sja1105_mdb_del(struct dsa_switch *ds, int port,
const struct switchdev_obj_port_mdb *mdb,
struct dsa_db db)
{
- return sja1105_fdb_del(ds, port, mdb->addr, mdb->vid, db);
+ return sja1105_fdb_del(ds, port, mdb->addr, mdb->vid, 0, db);
}

/* Common function for unicast and broadcast flood configuration.

2022-09-30 14:32:43

by Ido Schimmel

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On Fri, Sep 30, 2022 at 07:42:37AM +0200, [email protected] wrote:
> Obviously my method of selecting all switchcore drivers with sub-options
> under menuconfig was not sufficient, and I didn't know of the allmodconfig
> option, otherwise I would have used it.

You can see build issues on patchwork:

https://patchwork.kernel.org/project/netdevbpf/patch/[email protected]/

Also:

https://docs.kernel.org/next/process/maintainer-netdev.html#what-level-of-testing-is-expected-before-i-submit-my-change

https://docs.kernel.org/next/process/maintainer-netdev.html#can-i-reproduce-the-checks-from-patchwork-on-my-local-machine

https://docs.kernel.org/next/process/maintainer-netdev.html#running-all-the-builds-and-checks-locally-is-a-pain-can-i-post-my-patches-and-have-the-patchwork-bot-validate-them

> So the question is if I should repost the fixed patch-set or I need to make
> a new version?

A new fixed version (v7) is required, but wait for this version to be
reviewed first.

> Anyhow I hope that there will not be problems when running the selftests, as
> I have not been able to do so with my system, so there can be more that
> needs to be changed.

It's not really acceptable to post tests that you haven't run... What
exactly is the issue? You should be able to run the tests with veth
pairs in a VM.

2022-09-30 15:04:06

by Jakub Kicinski

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On Fri, 30 Sep 2022 17:05:20 +0300 Ido Schimmel wrote:
> You can see build issues on patchwork:

Overall a helpful response, but that part you got wrong.

Do not point people to patchwork checks, please. It will only encourage
people to post stuff they haven't build tested themselves.

It's documented:

https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html#running-all-the-builds-and-checks-locally-is-a-pain-can-i-post-my-patches-and-have-the-patchwork-bot-validate-them

Only people who helped write the code and maintain the infra can decide
how to use it which means me, Kees, or Hangbin. Please and thank you :S

2022-09-30 15:15:47

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On 2022-09-30 16:05, Ido Schimmel wrote:
> On Fri, Sep 30, 2022 at 07:42:37AM +0200, [email protected]
> wrote:
>> Obviously my method of selecting all switchcore drivers with
>> sub-options
>> under menuconfig was not sufficient, and I didn't know of the
>> allmodconfig
>> option, otherwise I would have used it.
>
> You can see build issues on patchwork:
>
> https://patchwork.kernel.org/project/netdevbpf/patch/[email protected]/
>
> Also:
>
> https://docs.kernel.org/next/process/maintainer-netdev.html#what-level-of-testing-is-expected-before-i-submit-my-change
>
> https://docs.kernel.org/next/process/maintainer-netdev.html#can-i-reproduce-the-checks-from-patchwork-on-my-local-machine
>
> https://docs.kernel.org/next/process/maintainer-netdev.html#running-all-the-builds-and-checks-locally-is-a-pain-can-i-post-my-patches-and-have-the-patchwork-bot-validate-them
>
>> So the question is if I should repost the fixed patch-set or I need to
>> make
>> a new version?
>
> A new fixed version (v7) is required, but wait for this version to be
> reviewed first.
>
>> Anyhow I hope that there will not be problems when running the
>> selftests, as
>> I have not been able to do so with my system, so there can be more
>> that
>> needs to be changed.
>
> It's not really acceptable to post tests that you haven't run... What
> exactly is the issue? You should be able to run the tests with veth
> pairs in a VM.

It is only the blackhole test that I have not been able to run as is,
but I have stepped it manually as far as I could.
My environment has changed lately and in that context the building of
the selftests fails and I don't know why,I just get some error
messagesabout missing header files, and setting up a whole system like
f.ex. linuxfromscratch with the necessary libs and tools to run it in a
VM is too time consuming a task at the moment.

If there is some freely available system for the purpose out there
besides my own system based on Buildroot that does not work now, please
let me know...

2022-09-30 15:19:37

by Jakub Kicinski

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On Fri, 30 Sep 2022 18:04:12 +0300 Ido Schimmel wrote:
> On Fri, Sep 30, 2022 at 07:52:04AM -0700, Jakub Kicinski wrote:
> > On Fri, 30 Sep 2022 17:05:20 +0300 Ido Schimmel wrote:
> > > You can see build issues on patchwork:
> >
> > Overall a helpful response, but that part you got wrong.
> >
> > Do not point people to patchwork checks, please. It will only encourage
> > people to post stuff they haven't build tested themselves.
> >
> > It's documented:
> >
> > https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html#running-all-the-builds-and-checks-locally-is-a-pain-can-i-post-my-patches-and-have-the-patchwork-bot-validate-them
>
> Did you read my reply? I specifically included this link so that you
> won't tell me I'm encouraging people to build test their patches by
> posting to netdev.

Yeah, I noticed the link after, but I think my point stands.

You show someone the patchwork checks and then at the end of the "also"
section put a link on how it's not okay to abuse it. Not a clear enough
instruction.

*never* point people to the patchwork checks, *please*

2022-09-30 15:29:33

by Ido Schimmel

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On Fri, Sep 30, 2022 at 07:52:04AM -0700, Jakub Kicinski wrote:
> On Fri, 30 Sep 2022 17:05:20 +0300 Ido Schimmel wrote:
> > You can see build issues on patchwork:
>
> Overall a helpful response, but that part you got wrong.
>
> Do not point people to patchwork checks, please. It will only encourage
> people to post stuff they haven't build tested themselves.
>
> It's documented:
>
> https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html#running-all-the-builds-and-checks-locally-is-a-pain-can-i-post-my-patches-and-have-the-patchwork-bot-validate-them

Did you read my reply? I specifically included this link so that you
won't tell me I'm encouraging people to build test their patches by
posting to netdev.

2022-09-30 15:40:14

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On 2022-09-30 16:05, Ido Schimmel wrote:
> What exactly is the issue? You should be able to run the tests with
> veth
> pairs in a VM.

First there is an issue with alsa missing for some mixer tests, then
there is several reports of sys/capability.h missing, and then just
really many obscure problems that look like wrong lib versions are in
place. Here is some of the long log of errors etc... :(


In file included from lib/elf.c:8:
include/test_util.h: In function ‘align_up’:
include/test_util.h:134:7: warning: format ‘%lu’ expects argument of
type ‘long unsigned int’, but argument 6 has type ‘uint64_t’ {aka ‘long
long unsigned int’} [-Wformat=]
134 | "size not a power of 2: %lu", size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
| |
| uint64_t {aka long long
unsigned int}
include/test_util.h:54:43: note: in definition of macro ‘TEST_ASSERT’
54 | test_assert((e), #e, __FILE__, __LINE__, fmt, ##__VA_ARGS__)
| ^~~
include/test_util.h:134:33: note: format string is defined here
134 | "size not a power of 2: %lu", size);
| ~~^
| |
| long unsigned int
| %llu
include/test_util.h: In function ‘align_ptr_up’:
include/test_util.h:150:9: warning: cast to pointer from integer of
different size [-Wint-to-pointer-cast]
150 | return (void *)align_up((unsigned long)x, size);
| ^
In file included from include/kvm_util.h:10,
from lib/elf.c:13:
include/kvm_util_base.h: At top level:
include/kvm_util_base.h:93:26: error: field ‘stats_header’ has
incomplete type
93 | struct kvm_stats_header stats_header;
| ^~~~~~~~~~~~
In file included from ../../../include/linux/kernel.h:8,
from ../../../include/linux/list.h:7,
from ../../../include/linux/hashtable.h:10,
from include/kvm_util_base.h:13,
from include/kvm_util.h:10,
from lib/elf.c:13:
include/kvm_util_base.h: In function ‘kvm_vm_reset_dirty_ring’:
include/kvm_util_base.h:308:24: error: ‘KVM_RESET_DIRTY_RINGS’
undeclared (first use in this function); did you mean
‘KVM_GET_DIRTY_LOG’?
308 | return __vm_ioctl(vm, KVM_RESET_DIRTY_RINGS, NULL);
| ^~~~~~~~~~~~~~~~~~~~~
../../../include/linux/build_bug.h:79:56: note: in definition of macro
‘__static_assert’
79 | #define __static_assert(expr, msg, ...) _Static_assert(expr,
msg)
| ^~~~
include/kvm_util_base.h:193:2: note: in expansion of macro
‘static_assert’
193 | static_assert(!_IOC_SIZE(cmd) || sizeof(*arg) ==
_IOC_SIZE(cmd), ""); \
| ^~~~~~~~~~~~~
include/kvm_util_base.h:216:2: note: in expansion of macro
‘kvm_do_ioctl’
216 | kvm_do_ioctl((vm)->fd, cmd, arg); \
| ^~~~~~~~~~~~
include/kvm_util_base.h:308:9: note: in expansion of macro ‘__vm_ioctl’
308 | return __vm_ioctl(vm, KVM_RESET_DIRTY_RINGS, NULL);
| ^~~~~~~~~~
include/kvm_util_base.h:308:24: note: each undeclared identifier is
reported only once for each function it appears in
308 | return __vm_ioctl(vm, KVM_RESET_DIRTY_RINGS, NULL);
| ^~~~~~~~~~~~~~~~~~~~~
../../../include/linux/build_bug.h:79:56: note: in definition of macro
‘__static_assert’
79 | #define __static_assert(expr, msg, ...) _Static_assert(expr,
msg)
| ^~~~
include/kvm_util_base.h:193:2: note: in expansion of macro
‘static_assert’
193 | static_assert(!_IOC_SIZE(cmd) || sizeof(*arg) ==
_IOC_SIZE(cmd), ""); \
| ^~~~~~~~~~~~~
include/kvm_util_base.h:216:2: note: in expansion of macro
‘kvm_do_ioctl’
216 | kvm_do_ioctl((vm)->fd, cmd, arg); \
| ^~~~~~~~~~~~
include/kvm_util_base.h:308:9: note: in expansion of macro ‘__vm_ioctl’
308 | return __vm_ioctl(vm, KVM_RESET_DIRTY_RINGS, NULL);
| ^~~~~~~~~~
include/kvm_util_base.h:193:16: error: expression in static assertion is
not an integer
193 | static_assert(!_IOC_SIZE(cmd) || sizeof(*arg) ==
_IOC_SIZE(cmd), ""); \
| ^
../../../include/linux/build_bug.h:79:56: note: in definition of macro
‘__static_assert’
79 | #define __static_assert(expr, msg, ...) _Static_assert(expr,
msg)
| ^~~~
include/kvm_util_base.h:193:2: note: in expansion of macro
‘static_assert’
193 | static_assert(!_IOC_SIZE(cmd) || sizeof(*arg) ==
_IOC_SIZE(cmd), ""); \
| ^~~~~~~~~~~~~
include/kvm_util_base.h:216:2: note: in expansion of macro
‘kvm_do_ioctl’
216 | kvm_do_ioctl((vm)->fd, cmd, arg); \
| ^~~~~~~~~~~~
include/kvm_util_base.h:308:9: note: in expansion of macro ‘__vm_ioctl’
308 | return __vm_ioctl(vm, KVM_RESET_DIRTY_RINGS, NULL);
| ^~~~~~~~~~
include/kvm_util_base.h: In function ‘vm_get_stats_fd’:
include/kvm_util_base.h:313:26: error: ‘KVM_GET_STATS_FD’ undeclared
(first use in this function); did you mean ‘KVM_GET_SREGS’?
313 | int fd = __vm_ioctl(vm, KVM_GET_STATS_FD, NULL);
| ^~~~~~~~~~~~~~~~

2022-10-01 22:07:08

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 0/9] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

On 2022-09-30 16:05, Ido Schimmel wrote:
>
> It's not really acceptable to post tests that you haven't run... What
> exactly is the issue? You should be able to run the tests with veth
> pairs in a VM.

Sorry about that, I have now got something up and running by using live
Ubuntu on a USB...

2022-10-03 14:02:44

by Ido Schimmel

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

On Wed, Sep 28, 2022 at 05:02:56PM +0200, Hans Schultz wrote:
> From: "Hans J. Schultz" <[email protected]>
>
> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> locked flag set, denying access until the FDB entry is replaced with a
> FDB entry without the locked flag set.
>
> Add test of blackhole fdb entries, verifying that there is no forwarding
> to a blackhole entry from any port, and that the blackhole entry can be
> replaced.
>
> Also add a test that verifies that sticky FDB entries cannot roam (this
> is not needed for now, but should in general be present anyhow for future
> applications).

The sticky selftests are not related to this set and need to be posted
separately.

>
> Signed-off-by: Hans J. Schultz <[email protected]>
> ---
> .../net/forwarding/bridge_blackhole_fdb.sh | 102 +++++++++++++++++
> .../net/forwarding/bridge_locked_port.sh | 106 +++++++++++++++++-
> .../net/forwarding/bridge_sticky_fdb.sh | 21 +++-
> tools/testing/selftests/net/forwarding/lib.sh | 18 +++
> 4 files changed, 245 insertions(+), 2 deletions(-)
> create mode 100755 tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
>
> diff --git a/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
> new file mode 100755
> index 000000000000..54b1a51e1ed6
> --- /dev/null
> +++ b/tools/testing/selftests/net/forwarding/bridge_blackhole_fdb.sh
> @@ -0,0 +1,102 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +
> +ALL_TESTS="blackhole_fdb"
> +NUM_NETIFS=4
> +source lib.sh
> +
> +switch_create()
> +{
> + ip link add dev br0 type bridge
> +
> + ip link set dev $swp1 master br0
> + ip link set dev $swp2 master br0
> +
> + ip link set dev br0 up
> + ip link set dev $h1 up
> + ip link set dev $swp1 up
> + ip link set dev $h2 up
> + ip link set dev $swp2 up
> +
> + tc qdisc add dev $swp2 clsact

There are indentation problems in this file. The coding style is to
indent using tabs that are 8 characters deep, not spaces.

> +}

This is not how the selftests are usually constructed. We have
h1_create(), h2_create() and switch_create() and the hosts use VRFs via
simple_if_init(). Look at bridge_locked_port.sh, for example.

> +
> +switch_destroy()
> +{
> + tc qdisc del dev $swp2 clsact
> +
> + ip link set dev $swp2 down
> + ip link set dev $h2 down
> + ip link set dev $swp1 down
> + ip link set dev $h1 down
> +
> + ip link del dev br0
> +}
> +
> +setup_prepare()
> +{
> + h1=${NETIFS[p1]}
> + swp1=${NETIFS[p2]}
> + h2=${NETIFS[p3]}
> + swp2=${NETIFS[p4]}
> +
> + switch_create
> +}
> +
> +cleanup()
> +{
> + pre_cleanup
> + switch_destroy
> +}
> +
> +# Check that there is no egress with blackhole entry and that blackhole entries can be replaced
> +blackhole_fdb()
> +{
> + RET=0
> +
> + check_blackhole_fdb_support || return 0
> +
> + tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \
> + dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass
> +
> + $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> + -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
> +
> + tc_check_packets "dev $swp2 egress" 1 1
> + check_err $? "Packet not seen on egress before adding blackhole entry"
> +
> + bridge fdb add `mac_get $h2` dev br0 blackhole
> + bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
> + check_err $? "Blackhole entry not found"
> +
> + $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> + -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
> +
> + tc_check_packets "dev $swp2 egress" 1 1
> + check_err $? "Packet seen on egress after adding blackhole entry"
> +
> + # Check blackhole entries can be replaced.
> + bridge fdb replace `mac_get $h2` dev $swp2 master static
> + bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
> + check_fail $? "Blackhole entry found after replacement"
> +
> + $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> + -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
> +
> + tc_check_packets "dev $swp2 egress" 1 2
> + check_err $? "Packet not seen on egress after replacing blackhole entry"
> +
> + bridge fdb del `mac_get $h2` dev $swp2 master static
> + tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower
> +
> + log_test "Blackhole FDB entry"
> +}
> +
> +trap cleanup EXIT
> +
> +setup_prepare
> +setup_wait
> +
> +tests_run
> +
> +exit $EXIT_STATUS
> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> index 5b02b6b60ce7..59b8b7666eab 100755
> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> @@ -1,7 +1,15 @@
> #!/bin/bash
> # SPDX-License-Identifier: GPL-2.0
>
> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> +ALL_TESTS="
> + locked_port_ipv4
> + locked_port_ipv6
> + locked_port_vlan
> + locked_port_mab
> + locked_port_station_move
> + locked_port_mab_station_move
> +"
> +
> NUM_NETIFS=4
> CHECK_TC="no"
> source lib.sh
> @@ -166,6 +174,102 @@ locked_port_ipv6()
> log_test "Locked port ipv6"
> }
>
> +locked_port_mab()
> +{
> + RET=0
> + check_locked_port_support || return 0
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work before locking port"
> +
> + bridge link set dev $swp1 locked on
> + check_port_mab_support $swp1 || return 0

Move this check to the beginning of the test and instead do:

bridge link set dev $swp1 locked on mab on

See the comment at the end regarding check_port_mab_support()

> +
> + ping_do $h1 192.0.2.2
> + check_fail $? "MAB: Ping worked on locked port without FDB entry"
> +
> + bridge fdb show | grep `mac_get $h1` | grep -q "locked"

Use "bridge fdb get" like in the blackhole test instead of dumping the
entire FDB.

> + check_err $? "MAB: No locked fdb entry after ping on locked port"
> +
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
> + bridge link set dev $swp1 locked off mab off
> +
> + log_test "Locked port MAB"
> +}
> +
> +# No roaming allowed to a simple locked port

# Check that entries cannot roam from an unlocked port to a locked port.

> +locked_port_station_move()
> +{
> + local mac=a0:b0:c0:c0:b0:a0
> +
> + RET=0
> + check_locked_port_support || return 0
> +
> + bridge link set dev $swp1 locked on

It is quite pointless to check that an entry cannot roam to a port that
has learning disabled... Need:

bridge link set dev $swp1 locked on learning on

> +
> + $MZ $h1 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"

bridge fdb get ...

Same in other places

> + check_fail $? "Locked port station move: FDB entry on first injection"
> +
> + $MZ $h2 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
> + check_err $? "Locked port station move: Entry not found on unlocked port"
> +
> + $MZ $h1 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master br0"
> + check_fail $? "Locked port station move: entry roamed to locked port"
> +
> + bridge link set dev $swp1 locked off

bridge link set dev $swp1 locked off learning off

And need to delete the FDB entry pointing to $swp2

> +
> + log_test "Locked port station move"
> +}
> +
> +# Roaming to and from a MAB enabled port should work if sticky flag is not set

# Check that entries can roam from a locked port to an unlocked port.

> +locked_port_mab_station_move()
> +{
> + local mac=10:20:30:30:20:10
> +
> + RET=0
> + check_locked_port_support || return 0
> +
> + bridge link set dev $swp1 locked on
> +
> + check_port_mab_support $swp1 || return 0

Move to the beginning of the test

> +
> + $MZ $h1 -q -t udp -a $mac -b rand

# Some device drivers report locked entries to the bridge driver as
# permanent entries that cannot roam. In such cases there is no point in
# checking that locked entries can roam to an unlocked port.

> + if bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "permanent"; then
> + echo "SKIP: Roaming not possible with local flag, skipping test..."
> + bridge link set dev $swp1 locked off mab off
> + return $ksft_skip
> + fi
> +
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
> + check_err $? "MAB station move: no locked entry on first injection"
> +
> + $MZ $h2 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
> + check_fail $? "MAB station move: locked entry did not move"
> +
> + bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "locked"
> + check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
> +
> + bridge fdb show dev $swp2 | grep "$mac vlan 1" | grep -q "master br0"
> + check_err $? "MAB station move: roamed entry not found"

First check that the entry roamed to $swp2 using "bridge fdb get", then
check that the locked flag is not set on it.

> +
> + $MZ $h1 -q -t udp -a $mac -b rand
> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep "master br0" | grep -q "locked"
> + check_fail $? "MAB station move: entry roamed back to locked port"

This was already checked in locked_port_station_move()

> +

Need to delete the FBD entry from $swp2.

> + bridge link set dev $swp1 locked off mab off
> +
> + log_test "Locked port MAB station move"
> +}
> +
> trap cleanup EXIT

[...]

> diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
> index 3ffb9d6c0950..642fbf217c20 100755
> --- a/tools/testing/selftests/net/forwarding/lib.sh
> +++ b/tools/testing/selftests/net/forwarding/lib.sh
> @@ -137,6 +137,24 @@ check_locked_port_support()
> fi
> }
>
> +check_port_mab_support()
> +{
> + local dev=$1;

Why this helper needs a device, but check_locked_port_support() does
not? Please change this helper to work like check_locked_port_support().

> +
> + if ! bridge link set dev $dev mab on 2>/dev/null; then
> + echo "SKIP: iproute2 too old; MacAuth feature not supported."
> + return $ksft_skip
> + fi
> +}

2022-10-06 12:31:25

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 8/9] net: dsa: mv88e6xxx: add blackhole ATU entries

On 2022-09-28 17:02, Hans Schultz wrote:
> From: "Hans J. Schultz" <[email protected]>
>
> Blackhole FDB entries can now be added, deleted or replaced in the
> driver ATU.
>
> Signed-off-by: Hans J. Schultz <[email protected]>
> ---
> drivers/net/dsa/mv88e6xxx/chip.c | 78 ++++++++++++++++++++++++++++++--
> 1 file changed, 74 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/dsa/mv88e6xxx/chip.c
> b/drivers/net/dsa/mv88e6xxx/chip.c
> index 71843fe87f77..a17f30e5d4a6 100644
> --- a/drivers/net/dsa/mv88e6xxx/chip.c
> +++ b/drivers/net/dsa/mv88e6xxx/chip.c
> @@ -2735,6 +2735,72 @@ static int mv88e6xxx_vlan_msti_set(struct
> dsa_switch *ds,
> return err;
> }
>
> +struct mv88e6xxx_vid_search_ctx {
> + u16 vid_search;
> + u16 fid_found;
> +};
> +
> +static int mv88e6xxx_find_fid_on_matching_vid(struct mv88e6xxx_chip
> *chip,
> + const struct mv88e6xxx_vtu_entry *entry,
> + void *priv)
> +{
> + struct mv88e6xxx_vid_search_ctx *ctx = priv;
> +

FYI: I have already made updates to this part to use mv88e6xxx_vtu_get()
instead of the walk, which also fixes a problem when vid=0 in this
implementation.

2022-10-08 11:40:35

by Hans Schultz

[permalink] [raw]
Subject: Re: [PATCH v6 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

On 2022-10-03 15:40, Ido Schimmel wrote:
>> +locked_port_station_move()
>> +{
>> + local mac=a0:b0:c0:c0:b0:a0
>> +
>> + RET=0
>> + check_locked_port_support || return 0
>> +
>> + bridge link set dev $swp1 locked on
>
> It is quite pointless to check that an entry cannot roam to a port that
> has learning disabled... Need:
>
> bridge link set dev $swp1 locked on learning on
>
>> +
>> + $MZ $h1 -q -t udp -a $mac -b rand
>> + bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "master
>> br0"
>
> bridge fdb get ...
>
> Same in other places
>

It seems that the output of 'bridge fdb get' does not respect the dev it
is given as input and outputs the (MAC,vlan) when found on another
dev...