Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp911725pxp; Wed, 16 Mar 2022 21:03:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzKda52ZWfP2T9FvZH2f2KztfXhC/eQ6d3djyqA3/p779SFKxzbluikhiris4gPdFIPFgEz X-Received: by 2002:a62:1904:0:b0:4f6:ff26:c8f with SMTP id 4-20020a621904000000b004f6ff260c8fmr2487082pfz.29.1647489807662; Wed, 16 Mar 2022 21:03:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647489807; cv=none; d=google.com; s=arc-20160816; b=iCUd/zNJOHLC5QG4woIOeTjoT9+f8FQBdQBaQJS2AqiEurgwAmC9JJyVRUGuHJaBEz L3teLr6ozvmOQBO0G0qtOiQ5I1O91HvWGuGoEmWA4yytE7K5YZlBLpAU+RQjuOb0NVvd fB/zNhSu215144v8D//DClxvhVQ3P0zmHGTv7GiBUhPAiwRTvIhIg7BwNKOkaaWrHEH/ m2ZMbNMquvvInkeWzubN/XiWTZviVhuF3JNMH3wKO6Q491FWkie/ThFZbuLgI87znCkl RUPOweNZmUOvf86YOljmuVFOl+J+/s+uk3B+/UUghJNsF4LgaMyttpho5yff5+kM9+/z 0N7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=nD1zjfgHJtc84ORONQo90iFLDqy65e7NHPqJ7KGjDrw=; b=sYgCvZGM/Uk9awOQh4W7au8Sze4djOkGReX1pU5oRih3Y1Ite6hifn7d44f/f+YnP0 ogmAuc35ZFEDSGfeOTnNEcNIcNIC+mw207QgUM0ZE6/ndT4DIWlEFVrDa747GN9Hg790 VxJPWXSX99REhEMZAlvUw4+AEiwTyF4LklqmFUJ352v49zj7kPKhONcJ4+Z4CATQT9K6 DLzWt9m+nV/bEMfsnZJ9Z4PNvwkuJTiFRzAb8v+hpu43X3Qg92zNaE4M9tonMr/EdiH2 xNMq5mT1qSE3WkoPtNAt8a/WEzY2zZv/cSOWIAuA3J6daPbK8NEe8o9qy3tEass71Snu 6WBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=XtmsdeDB; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id m13-20020a63580d000000b003816cefccacsi963747pgb.22.2022.03.16.21.03.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 21:03:27 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=XtmsdeDB; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CA8B39027B; Wed, 16 Mar 2022 20:45:37 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242747AbiCNPv4 (ORCPT + 99 others); Mon, 14 Mar 2022 11:51:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58318 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231625AbiCNPvz (ORCPT ); Mon, 14 Mar 2022 11:51:55 -0400 Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB6BB1A82D; Mon, 14 Mar 2022 08:50:44 -0700 (PDT) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id B67863201F96; Mon, 14 Mar 2022 11:50:42 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Mon, 14 Mar 2022 11:50:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=nD1zjfgHJtc84ORON Qo90iFLDqy65e7NHPqJ7KGjDrw=; b=XtmsdeDB97EvQUiWEzAglCxyC9pkGLcJV X9hGE0DTnL+idBbquV/+wf6rG6WpWRWt7UtKncp4H1qRGTb7j6RXk1U8LXlSWojh u1bbpEJykrDKgrnhamAzEY4pXVavZHH7pkZjuBJbRtRKDO2FrqvUV0pqq6Su7xWp rUW2GGEFnPwyW9jYYS0K8weMSq3cmomGOsciAXA2ULBV3+oGt6mGystLNUfsxUjb iOfPpg9saZdcBnAys9912BaYkOMgnktC6tbLBT0zBIdpAiGDRZ3Lo/ONTq5v+RAX clZCe+LkzpET2kNxdExq40bF0G+5A8EDRk4vPpusTzdA3x/WBosHQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddruddvkedgkedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpefkughoucfu tghhihhmmhgvlhcuoehiughoshgthhesihguohhstghhrdhorhhgqeenucggtffrrghtth gvrhhnpedtffekkeefudffveegueejffejhfetgfeuuefgvedtieehudeuueekhfduheel teenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehiug hoshgthhesihguohhstghhrdhorhhg X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 14 Mar 2022 11:50:41 -0400 (EDT) Date: Mon, 14 Mar 2022 17:50:38 +0200 From: Ido Schimmel To: Hans Schultz Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Hans Schultz , Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org Subject: Re: [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Message-ID: References: <20220310142320.611738-1-schultz.hans+netdev@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220310142320.611738-1-schultz.hans+netdev@gmail.com> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 10, 2022 at 03:23:17PM +0100, Hans Schultz wrote: > This patch set extends the locked port feature for devices > that are behind a locked port, but do not have the ability to > authorize themselves as a supplicant using IEEE 802.1X. > Such devices can be printers, meters or anything related to > fixed installations. Instead of 802.1X authorization, devices > can get access based on their MAC addresses being whitelisted. > > For an authorization daemon to detect that a device is trying > to get access through a locked port, the bridge will add the > MAC address of the device to the FDB with a locked flag to it. > Thus the authorization daemon can catch the FDB add event and > check if the MAC address is in the whitelist and if so replace > the FDB entry without the locked flag enabled, and thus open > the port for the device. > > This feature is known as MAC-Auth or MAC Authentication Bypass > (MAB) in Cisco terminology, where the full MAB concept involves > additional Cisco infrastructure for authorization. There is no > real authentication process, as the MAC address of the device > is the only input the authorization daemon, in the general > case, has to base the decision if to unlock the port or not. > > With this patch set, an implementation of the offloaded case is > supplied for the mv88e6xxx driver. When a packet ingresses on > a locked port, an ATU miss violation event will occur. When When do you get an ATU miss violation? In case there is no FDB entry for the SA or also when there is an FDB entry, but it points to a different port? I see that the bridge will only create a "locked" FDB entry in case there is no existing entry, but it will not transition an existing entry to "locked" state. I guess ATU miss refers to an actual miss and not mismatch. The HW I work with doesn't have the ability to generate such notifications, but it can trap packets on MISS (no entry) or MISMATCH (exists, but with different port). I believe that in order to support this feature we need to inject MISS-ed packets to the Rx path so that eventually the bridge itself will create the "locked" entry as opposed to notifying the bridge about the entry as in your case. > handling such ATU miss violation interrupts, the MAC address of > the device is added to the FDB with a zero destination port > vector (DPV) and the MAC address is communicated through the > switchdev layer to the bridge, so that a FDB entry with the > locked flag enabled can be added. > > Hans Schultz (3): > net: bridge: add fdb flag to extent locked port feature > net: switchdev: add support for offloading of fdb locked flag > net: dsa: mv88e6xxx: mac-auth/MAB implementation Please extend tools/testing/selftests/net/forwarding/bridge_locked_port.sh with new test cases for this code. > > drivers/net/dsa/mv88e6xxx/Makefile | 1 + > drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- > drivers/net/dsa/mv88e6xxx/chip.h | 5 ++ > drivers/net/dsa/mv88e6xxx/global1.h | 1 + > drivers/net/dsa/mv88e6xxx/global1_atu.c | 29 +++++++- > .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c | 67 +++++++++++++++++++ > .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h | 20 ++++++ > drivers/net/dsa/mv88e6xxx/port.c | 11 +++ > drivers/net/dsa/mv88e6xxx/port.h | 1 + > include/net/switchdev.h | 3 +- > include/uapi/linux/neighbour.h | 1 + > net/bridge/br.c | 3 +- > net/bridge/br_fdb.c | 13 +++- > net/bridge/br_input.c | 11 ++- > net/bridge/br_private.h | 5 +- > 15 files changed, 167 insertions(+), 14 deletions(-) > create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c > create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h > > -- > 2.30.2 >