Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp789652pxp; Fri, 11 Mar 2022 15:11:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJylIFVLcg3BmuFd7c6zPCPgJDODT3L4scgQTbBk77ZRbsM6TuRm8s01eX5055S4UNvGqWwT X-Received: by 2002:a17:902:d50f:b0:152:249:ea60 with SMTP id b15-20020a170902d50f00b001520249ea60mr13383585plg.120.1647040274058; Fri, 11 Mar 2022 15:11:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647040274; cv=none; d=google.com; s=arc-20160816; b=WWZ9thpsY6hxhrsVQU6hxdtyvIclcsvyrGg26MYR/v1qOT1Nqorwm0R4BjovhPGS5f +Fz6zXL4vLPBATOz0lM9G/sWPdG7YVMb4Jb7kGxOvtKnWL/mabhAGLoYmmBI/100HLnp 8tMyb5gE/MXDXEPB5mZdTw16DDfhQrePrPsI2xyZ+ox1sk9ZvZX0uywVqB1nio3mUSrF Y1fPHuY6JuftAsoK7bFVjVzvgEp0myQP1X8KhNMQaK2kY2ZUTvr1/RkYmerHT7K3Cf+S BMcAanZf2B8xkfvuKlqCivSqnams31+886fDsSrcmOSV/AnqubgDxhwYgDxsH371JRLp z4+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=eWVv6eZyJg/+eUaoLT3dUwImTgfJSRuKymGltshbh80=; b=RHlDaH6NOfiqLPqORdM+hcuclx/Ds7KcVv6vrBNgnaDAbDKoIOD9TNa9S5c68Xx431 81L7TiP8ZBGky6fbidzjPBgjt9KZF1XAuVMofLTUMZmUjASCrl/5lEWjvB66xO2U3I8j yo2tanwfc+cRF1hMLwlCvLcpFSc92lM5VqEYzsNCBKHr+4Dom3R7+KIID5yjKCiywCqB 0ZXOElXT+kLJaJJcvpMX7WTL0Tp/cbmKLjigIs9uyjSq7xMb3DwpH+duTqyrT6doX5EW waxrXPSK64XItx2B7oDjESI/0UEMsxFKshXT5E+NB+Amp+Ng2rqp9iyhBbEh39rAtF3x XdwQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@blackwall-org.20210112.gappssmtp.com header.s=20210112 header.b=t7ALIPtw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id c21-20020a056a00249500b004f77417312csi7026209pfv.113.2022.03.11.15.11.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 15:11:13 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@blackwall-org.20210112.gappssmtp.com header.s=20210112 header.b=t7ALIPtw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2120A3AAFDD; Fri, 11 Mar 2022 14:09:14 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243563AbiCJOYS (ORCPT + 99 others); Thu, 10 Mar 2022 09:24:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43434 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245059AbiCJOUW (ORCPT ); Thu, 10 Mar 2022 09:20:22 -0500 Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A524B0C56 for ; Thu, 10 Mar 2022 06:18:50 -0800 (PST) Received: by mail-lj1-x22e.google.com with SMTP id l12so7886342ljh.12 for ; Thu, 10 Mar 2022 06:18:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blackwall-org.20210112.gappssmtp.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=eWVv6eZyJg/+eUaoLT3dUwImTgfJSRuKymGltshbh80=; b=t7ALIPtw3FdXJEbivsDE3RXilGcI4LV6NZYNfsWaSRTH6omQWzDYIA0tmwsHGbNr67 egYoSkwO7q3t/m4u4zyTsFoeR+4oUxKD1s8HksaEci2TecLoN7NXYq6TtsnOG+DTMvpo SIaK3KH3enNAKLMC9xa73KIHTlJwf57TUmKQlQ4GbDIVJK8Pr5NXSosQe83VUu4dtNE7 d3VZAKYTFYs9mrBebIuNxsc0ZQ4lLxALwlq39XFyL7Yle7Pnq0VhyjD3aFcATyqFdKvE kx6MQ7Bv3ASpRIzZfoV9FBhel6UcyaZ6z1FEWcIFVNTc6Zo4Cn9xtaP9u/7A6VJAuVFe xIug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=eWVv6eZyJg/+eUaoLT3dUwImTgfJSRuKymGltshbh80=; b=EXjKZNz3KRKrRtTJYyWRX7FAqEMhYvTM0HMjMkE/3RYk0RtEVVLvJBcH1FU4KROXgi mTYn/wpPv6DsKpT41PhY2+84LO3hj44hhEa+ATcN1pTL4TqGg9WqlKd0Lye6VkORrt/A 1sYthfTfz5hesbO/5M5AbeiQbcut/a7xZayBO6hycGS/gjGG2/qMSFMvvj18f3l6wO/g SPreoD2A2ygt91YNKzCMjE2xjnqK696vasrLSnJD/0N7xx1RLroPh9+UtyYWbbP9UzDq l7vd7xlaaO9XMFmagoKHKd7XyqTYFYCbbT8ewyaoszM9G7MVfdykLe9rx6zxCpRG2YLw uBRg== X-Gm-Message-State: AOAM533nzryfABm8EerkQqYiPpqPy5w/bVEvNmhcK7d69vSUm9Aw06CI o5GeLQDncnjpF6rm230VVqEOjg== X-Received: by 2002:a2e:2f0e:0:b0:246:1a59:8f04 with SMTP id v14-20020a2e2f0e000000b002461a598f04mr3253760ljv.409.1646921928481; Thu, 10 Mar 2022 06:18:48 -0800 (PST) Received: from [192.168.51.243] ([78.128.78.220]) by smtp.gmail.com with ESMTPSA id bt23-20020a056512261700b00443e7fa1c26sm1000809lfb.261.2022.03.10.06.18.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 10 Mar 2022 06:18:48 -0800 (PST) Message-ID: <7ed798dd-49c1-171b-4b72-4e2b2c9c660d@blackwall.org> Date: Thu, 10 Mar 2022 16:18:45 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Subject: Re: [PATCH iproute2-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Content-Language: en-US To: Hans Schultz , davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org References: <20220310133617.575673-1-schultz.hans+netdev@gmail.com> From: Nikolay Aleksandrov In-Reply-To: <20220310133617.575673-1-schultz.hans+netdev@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/03/2022 15:36, Hans Schultz wrote: > This patch set extends the locked port feature for devices > that are behind a locked port, but do not have the ability to > authorize themselves as a supplicant using IEEE 802.1X. > Such devices can be printers, meters or anything related to > fixed installations. Instead of 802.1X authorization, devices > can get access based on their MAC addresses being whitelisted. > > For an authorization daemon to detect that a device is trying > to get access through a locked port, the bridge will add the > MAC address of the device to the FDB with a locked flag to it. > Thus the authorization daemon can catch the FDB add event and > check if the MAC address is in the whitelist and if so replace > the FDB entry without the locked flag enabled, and thus open > the port for the device. > > This feature is known as MAC-Auth or MAC Authentication Bypass > (MAB) in Cisco terminology, where the full MAB concept involves > additional Cisco infrastructure for authorization. There is no > real authentication process, as the MAC address of the device > is the only input the authorization daemon, in the general > case, has to base the decision if to unlock the port or not. > > With this patch set, an implementation of the offloaded case is > supplied for the mv88e6xxx driver. When a packet ingresses on > a locked port, an ATU miss violation event will occur. When > handling such ATU miss violation interrupts, the MAC address of > the device is added to the FDB with a zero destination port > vector (DPV) and the MAC address is communicated through the > switchdev layer to the bridge, so that a FDB entry with the > locked flag enabled can be added. > > Hans Schultz (3): > net: bridge: add fdb flag to extent locked port feature > net: switchdev: add support for offloading of fdb locked flag > net: dsa: mv88e6xxx: mac-auth/MAB implementation > > drivers/net/dsa/mv88e6xxx/Makefile | 1 + > drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- > drivers/net/dsa/mv88e6xxx/chip.h | 5 ++ > drivers/net/dsa/mv88e6xxx/global1.h | 1 + > drivers/net/dsa/mv88e6xxx/global1_atu.c | 29 +++++++- > .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c | 67 +++++++++++++++++++ > .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h | 20 ++++++ > drivers/net/dsa/mv88e6xxx/port.c | 11 +++ > drivers/net/dsa/mv88e6xxx/port.h | 1 + > include/net/switchdev.h | 3 +- > include/uapi/linux/neighbour.h | 1 + > net/bridge/br.c | 3 +- > net/bridge/br_fdb.c | 13 +++- > net/bridge/br_input.c | 11 ++- > net/bridge/br_private.h | 5 +- > 15 files changed, 167 insertions(+), 14 deletions(-) > create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c > create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h > This doesn't look like an iproute2 patch-set. I think you've messed the target in the subject.