Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp1595311rwe; Sat, 27 Aug 2022 11:35:24 -0700 (PDT) X-Google-Smtp-Source: AA6agR4RB8SLjbG+4gE35K52aINx7GG8OTDN1Ex9BI7RGo2Fz5lXXx8heho9dGfpeQhOcNrMzYJ4 X-Received: by 2002:aa7:c585:0:b0:448:24ee:b202 with SMTP id g5-20020aa7c585000000b0044824eeb202mr2645984edq.167.1661625324389; Sat, 27 Aug 2022 11:35:24 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1661625324; cv=pass; d=google.com; s=arc-20160816; b=GsYbo9L6mVMKoTdX5BCG8FU0HdNpT5NhUQyP354z+9pTm5/yYrVv1iQpdt0pGomK/P +WBsNOq7Jjrw3gw9dhbcQKMVSWS8yiP52DAKpNK6lNhkXYvjS+e1fguRK+v7xZ6EzJx3 kroPZQtIfC3NitQuAt/YemdBBp9h6T0yd+FPNUD4u9y6715mmK53kLzQpAVFw1lkrNOr L4ZNi2TCUew/98rqn+SMCY2pwM3G7aQ6yTt4bC6cfM1ll8mm+JTAhvwax8AghOY27N5v QjN6se1UyynO4V39Bn515UGYjXORU57pPJzaJu3StdhDYnUevh8dmHXsPPWzgAaGQC6W LtkA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:in-reply-to:content-disposition :references:message-id:subject:cc:to:from:date:dkim-signature; bh=8qydGxQSqpZ6GetVPeC2IuOqyVuL9vwfb0MkvjQX6/g=; b=By6PfODMOF07/+O/qNRybAhlICHBXmc+7keO3wX8em3RL0GfaWPaG5hjwav38xXDeE II6G4YE8mp6qsdt3w7z/Bq5MHMpk4sL2cv0V3/Tabjbsz33fn91ZkFI7DdmEgwuNTtYJ RaADwW75EuaP5XZiiz41gIO1nbqJLpcKEicOsyzdT9I9pdLzh7Vn/H3no7ZZ/Aab1+JC MxwI5SW6OhiB7FIJBMVBP65otK0Ahx3EIk8wlzU2oyxo0DvSg18kUbBZPfdDk7vJe2/x nDFbD5LS3WgFFcFe4AU7nwMa1CYgLXGC7b+weCw1VKvXs9GSjrcnNOBftB21o7rXDris eyBA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@Nvidia.com header.s=selector2 header.b="t2FHPb3/"; arc=pass (i=1 spf=pass spfdomain=nvidia.com dkim=pass dkdomain=nvidia.com dmarc=pass fromdomain=nvidia.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=nvidia.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dd13-20020a1709069b8d00b00730e5c46ed9si4242507ejc.15.2022.08.27.11.34.58; Sat, 27 Aug 2022 11:35:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@Nvidia.com header.s=selector2 header.b="t2FHPb3/"; arc=pass (i=1 spf=pass spfdomain=nvidia.com dkim=pass dkdomain=nvidia.com dmarc=pass fromdomain=nvidia.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=nvidia.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230137AbiH0SWD (ORCPT + 99 others); Sat, 27 Aug 2022 14:22:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40222 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229445AbiH0SWB (ORCPT ); Sat, 27 Aug 2022 14:22:01 -0400 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2073.outbound.protection.outlook.com [40.107.92.73]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 09EA47EFC0; Sat, 27 Aug 2022 11:22:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ewo7ppF0vzy5D8xBeg1aE/obwyGSWE81Dbjpbxn+uJoya4olvgmEB0Hmpp0tvXaO54KJbf9BeXtBkWqv5YXxRPJ9ugurfBP574wXPtD+lCrWtQcdu04fMrBnNwSZ1y4f8DRpmqn4SGeMrgN9W3hRpheCN1XyQzYcPQbJrbr9RqMZlC5s1SkP/FfHMsChZJhc54PMMVbpALgxzGJ8riSIY9F4ykXsvwCe9A1aCP/djwzBHYadsKDxsVF7QOAzTX6qIjbwJSBm5mpydR6G04kckVYm/Y3dHiLzK5jAnihJ0kOPmRkKcZat1d1rATCbs1U+GP9HxBGw1gmveF81ywrm/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8qydGxQSqpZ6GetVPeC2IuOqyVuL9vwfb0MkvjQX6/g=; b=T/p1b1PA4iMB3UW5b1XwGEptxdGrfPlQQ1EQ3uzTbzv4mzsdJYezORF+LTot3m/+edKiCSvWeI0GJPbCpl0EmBOX5Az7o8fordDBxwU82Mv+MvQ78Qa8EqVgdmgzsDLRuLp7/qYPzmGd5bH9MMFxYBx2eMibtYrGrjFimzWOlXuU4Ajzm8byHH1R3uajqtkdaDBhD6cwRTPeGItR0L2QjknUGQH1yFn2fL+t4KeTSgsNmLuBHg3KCvcQxcztMoev718geDiA4OfHTuo+G8h/XZsynTrpVjsmnvlf8VcIorWEcYvVIPVqk0ok4h2WwmKfJ6A0/ySnfSgUdO86/fouTA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8qydGxQSqpZ6GetVPeC2IuOqyVuL9vwfb0MkvjQX6/g=; b=t2FHPb3/P0xuvz4ENKTVu9EvOnvjwZ6nOFux7hdyD3HXjO85+haQoWAYWtVbvvFx8n8r3FX+9Ck2o0WxEfDdKHsIUgaXAS0tZRGI7pq64bEbRFro8264/gB9fHP64KBqGHHPEiiPNfiOmRvxG0TmHAY2nvEHRA68RsDxLpu1WgbEMY8h1okJTi4k/HnI4dfGCzGDMg4CbxSuqoJdjz5GJKpQ4FnGYzvFrh+DwvOIbSbWmjauKsb+DL1HIY3q5pHXqZuW77+1FIEyvVDklebJgQ4Wm2ZfwzOgE/GalFQc2Y56FV/O8MM/P8ogQRiFgZIf0dFlDybRvDvx9S2EHPbXsw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; Received: from PH7SPRMB0001.namprd12.prod.outlook.com (2603:10b6:510:13c::20) by BN6PR12MB1300.namprd12.prod.outlook.com (2603:10b6:404:1a::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5566.14; Sat, 27 Aug 2022 18:21:58 +0000 Received: from PH7SPRMB0001.namprd12.prod.outlook.com ([fe80::3ca6:ba11:2893:980e]) by PH7SPRMB0001.namprd12.prod.outlook.com ([fe80::3ca6:ba11:2893:980e%6]) with mapi id 15.20.5504.025; Sat, 27 Aug 2022 18:21:57 +0000 Date: Sat, 27 Aug 2022 21:21:50 +0300 From: Ido Schimmel To: Hans Schultz Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Florian Fainelli , Andrew Lunn , Vivien Didelot , Vladimir Oltean , Eric Dumazet , Paolo Abeni , Kurt Kanzenbach , Hauke Mehrtens , Woojung Huh , UNGLinuxDriver@microchip.com, Sean Wang , Landen Chao , DENG Qingfang , Matthias Brugger , Claudiu Manoil , Alexandre Belloni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Christian Marangi , Daniel Borkmann , Yuwei Wang , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Message-ID: References: <20220826114538.705433-1-netdev@kapio-technology.com> <20220826114538.705433-7-netdev@kapio-technology.com> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220826114538.705433-7-netdev@kapio-technology.com> X-ClientProxiedBy: VI1P194CA0034.EURP194.PROD.OUTLOOK.COM (2603:10a6:803:3c::23) To PH7SPRMB0001.namprd12.prod.outlook.com (2603:10b6:510:13c::20) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 8d3c5ac1-dbcd-4063-23d5-08da885906a0 X-MS-TrafficTypeDiagnostic: BN6PR12MB1300:EE_ X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: +/kO5VUKuam35uKdBco8RV5il9R/L4kimP7MswcXFnB7xTQJjtug/gHps8exLd48VQ2wQLsYdh/IqKapDI+xYLdUO0my+kzZez4AP16JRC6NXSjHggwBUtZXYwgsmH1I2TB4VS/W1hRX1d2dpFmXYgOtyZo7kZtqixJyKH/cGLHnSBCZNMVvShh0KftT0fTMkaVocym7L2918vR2QJsR2Y8h1C5s4z7OhnzAO3AcYvz7cGqgKZ+y1YxA5r1ytHmHb4hkiUfMb3JtRVIi6c4R9QmbdiGHoqpnXximydvnq4Zi4XSCf0+/aGzjAgF4zU+sg5Akp7jP0ObqNjzCkeG3fubdO/0nCHAahq+HyjxFbmv5vo4rFconhzRrCp78ybQ4RSppEnMomQ8yj9rKb4jH68+EOKTEjQjz93wsqGIqjUvNztXWBT9aOs9T6u8uspZGfA18iNZ0SZeiSaXODao8rySEX3J54gQl6vggIqSytsa+FsQWE483h8cy4flXBY4N4QPICsyxvmhtnwb2WStsF4XHtHmnPWXjF7YTa2EalfO04W+CfzicfLb4DMCD9wecNjSHBRKszv2Wj2lPkpxnjroa0vX4m18gHsk4K+JlnFB/VIFy1SvsoSl0867vjJ69Ve+/VnMyNKhBxMGto1bist+QMOoO9NmceE47lQnwXM3kx5Z8iVc2D6iTFXGnmD7FBee/519RTPYKLAMhCUhLUQ== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH7SPRMB0001.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(7916004)(366004)(346002)(376002)(396003)(136003)(39860400002)(478600001)(41300700001)(6486002)(6916009)(316002)(83380400001)(54906003)(186003)(6506007)(66476007)(86362001)(6512007)(33716001)(38100700002)(26005)(9686003)(7406005)(66556008)(8676002)(8936002)(7416002)(5660300002)(2906002)(6666004)(66946007)(4326008);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?goZrBipmLOCYbsvfqrQruQYXc75MmDfBC9H2WTFrqvkwwClrQz44btlaH6Qz?= =?us-ascii?Q?OaAgbhcMSP7+CuEfk+FZniU12JaVlKUBf1IO5GNb48eiXLhDajj75D88say4?= =?us-ascii?Q?9hErh6Luhzi8FK313jzqL1bMtbnCXJwQrVz9xIIzAcIQYDoUoT/Zeo/Y8iZ0?= =?us-ascii?Q?G7U0zmlZq0JRQCO29NJqhQHWGQ5Vci9UszP55/CWdTCSNkcv0P9aofY3ssmW?= =?us-ascii?Q?kIYg3eR2RtVRqzszNjsdnmU3dEN6+ikXF1M1qdSvV4XkmxMmbSN9jQsvkDWM?= =?us-ascii?Q?3u6P7Y80Gm2isg/hII3dr2xhRt93QeoApxBmZyWDfNGaVSJQHe0xm1yC28jK?= =?us-ascii?Q?tRurI2xyWNVDUPQzjGvKGGgx4OYDB/z1sQPbcPgLRlNtff35jhZKBTTT91x/?= =?us-ascii?Q?nv/CZsrlcr6CWwnDYyMrdV9oZuFqnDNCKHxCq7gHe+Xw/OPfB7UQTH6Qbjn2?= =?us-ascii?Q?bUe/G3oWCarY48FILOwxAVGAKdAqs3/YDSwG2tp8RlWxEY8qjCm73heIauJd?= =?us-ascii?Q?hAh96o7rALToeMikM2Bl4FzrgG/zNZA32gaSumJGGR4+ipDqNZVbpDtk+Xu0?= =?us-ascii?Q?LV1b0P9DjkeiS1rje8HgepxAElCNT/QQgc9OCQOUK/oifeVr3LqAvlhJjuHQ?= =?us-ascii?Q?sEWmT73tgDjpWXCx48grMgmzKBFC5pRtG/8Ets00BEdeW5abeYnxzhECzG3c?= =?us-ascii?Q?uc+bAnnx/s6lFYq295HMBqctO4bjqQ8Bi4RCYdzP/E5AbQsSgnKIrReXLnJn?= =?us-ascii?Q?NmEDO+gXHf2lyzXeO4+hRYRBbW7XhfzqcSXdVDbiCKCFSJd34E4W2bIEcqlM?= =?us-ascii?Q?LIztY3tEkRJlLWfUAj/L77bjegLCSzUY1xsOnQdYv41s9+hNBwQjmxW5fnR1?= =?us-ascii?Q?JRXqAHdKlKigfUsLKwr1ClS76J+DhH9iZ3l1vM5j8hy3OtpDsG4X1AKPGHyI?= =?us-ascii?Q?CDaMH6irJEvUHCVJuI8I3Ei3xRFl6sl/rMeOWNcrwX+ILoydSiLrFBE+jckS?= =?us-ascii?Q?2sveRsD4PdzCU0h8q7FowxZ9RNdTN8zJfSsjNcHCTt6jUsBbKIvJWdJuFTaO?= =?us-ascii?Q?udgBqLA37X8pojpOHalaaJlzDgLcPgFWvYsC20906t7mFstkWPpxS4NHn6rC?= =?us-ascii?Q?M5wDvSOlQ1/vtJQibC72VmVVev3AiX689tmDFCv8jSIb6sHD8gkY9SXo60fj?= =?us-ascii?Q?jMzId8rNNIk/5BgzVlG46Jfv7smo1vVUudl7ELXeSatE8WIu5VhlQXNhbR8i?= =?us-ascii?Q?fl50WNEZfWUkYiDxArqJTwoFdck25ZDQH1/6eeYhL6nFAQhk3+6gZmBJGBla?= =?us-ascii?Q?CCUHsIOVNpSNLN0U3DjW1uODVohVuj9dcvmnR0StxNP4Z45wD9glN+0JUyrH?= =?us-ascii?Q?2xtlhuHrRVB+KZagn5k9njKNBiT3zsyqt16YDWVz4VPEci7SibFeUE7PQb9S?= =?us-ascii?Q?PprgXLPGo8qJewECdTsuobt7w5iDKCW/MotbW+LftV8VKIacOcvrzuwmE5N8?= =?us-ascii?Q?DZSSt6PSmfqogEP3nnO8yx+TMpL83X7/SZn9CMEZlUAbGqYhCCGKImAheAiq?= =?us-ascii?Q?znDaL4bRwfz2kccugeDOfEcG/PGtRULr2BeiWDFq?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8d3c5ac1-dbcd-4063-23d5-08da885906a0 X-MS-Exchange-CrossTenant-AuthSource: PH7SPRMB0001.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Aug 2022 18:21:57.4720 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: CwM9nFxh0pG2pkowscrkNWgLAdX5BkoDC7drD5Xr8tekRmRRYbB3+huusU8tgwdrinIz0A+MsxZRUqcmPwmrPg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1300 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 26, 2022 at 01:45:38PM +0200, Hans Schultz wrote: > -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan" > +ALL_TESTS=" > + locked_port_ipv4 > + locked_port_ipv6 > + locked_port_vlan > + locked_port_mab > + locked_port_station_move > + locked_port_mab_station_move > +" > + > NUM_NETIFS=4 > CHECK_TC="no" > source lib.sh > @@ -166,6 +174,103 @@ locked_port_ipv6() > log_test "Locked port ipv6" > } > > +locked_port_mab() > +{ > + RET=0 > + check_locked_port_support || return 0 > + > + ping_do $h1 192.0.2.2 > + check_err $? "MAB: Ping did not work before locking port" > + > + bridge link set dev $swp1 locked on > + bridge link set dev $swp1 learning on "locked on learning on" is counter intuitive and IMO very much a misconfiguration that we should have disallowed when the "locked" option was introduced. It is my understanding that the only reason we are even talking about it is because mv88e6xxx needs it for MAB for some reason. Please avoid leaking this implementation detail to user space and instead use the "MAB" flag to enable learning if you need it in mv88e6xxx. > + if ! bridge link set dev $swp1 mab on 2>/dev/null; then > + echo "SKIP: iproute2 too old; MacAuth feature not supported." > + return $ksft_skip > + fi Please add a similar function to check_locked_port_support() and invoke it next to it. > + > + ping_do $h1 192.0.2.2 > + check_fail $? "MAB: Ping worked on locked port without FDB entry" > + > + bridge fdb show | grep `mac_get $h1` | grep -q "locked" > + check_err $? "MAB: No locked fdb entry after ping on locked port" > + > + bridge fdb replace `mac_get $h1` dev $swp1 master static > + > + ping_do $h1 192.0.2.2 > + check_err $? "MAB: Ping did not work with fdb entry without locked flag" > + > + bridge fdb del `mac_get $h1` dev $swp1 master Missing: bridge link set dev $swp1 mab off > + bridge link set dev $swp1 learning off Can be removed assuming we get rid of "learning on" above. > + bridge link set dev $swp1 locked off > + > + log_test "Locked port MAB" > +} > + > +# No roaming allowed to a simple locked port > +locked_port_station_move() > +{ > + local mac=a0:b0:c0:c0:b0:a0 > + > + RET=0 > + check_locked_port_support || return 0 > + > + bridge link set dev $swp1 locked on > + bridge link set dev $swp1 learning on Same comment as above. > + > + $MZ $h1 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0" > + check_fail $? "Locked port station move: FDB entry on first injection" > + > + $MZ $h2 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp2 | grep -q "$mac vlan 1 master br0" > + check_err $? "Locked port station move: Entry not found on unlocked port" Looks like this is going to fail with offloaded data path as according to fdb_print_flags() in iproute2 both the "extern_learn" and "offload" flags will be printed before "master". I suggest using "bridge fdb get" instead (didn't test, might need small tweaks, but you will figure it): bridge fdb get $mac br br0 vlan 1 master 2> /dev/null | grep -q "$swp2" Same in other places where "bridge fdb show" is used. > + > + $MZ $h1 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0" > + check_fail $? "Locked port station move: entry roamed to locked port" Missing: bridge link set dev $swp1 locked off bridge fdb del $mac dev $swp1 master vlan 1 > + > + log_test "Locked port station move" > +} > + > +# Roaming to and from a MAB enabled port should work if sticky flag is not set > +locked_port_mab_station_move() > +{ > + local mac=10:20:30:30:20:10 > + > + RET=0 > + check_locked_port_support || return 0 > + > + bridge link set dev $swp1 locked on > + bridge link set dev $swp1 learning on Same comment as above. > + if ! bridge link set dev $swp1 mab on 2>/dev/null; then Same comment as above. > + echo "SKIP: iproute2 too old; MacAuth feature not supported." > + return $ksft_skip > + fi > + > + $MZ $h1 -q -t udp -a $mac -b rand > + if bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0" | grep -q sticky; then Will need to change to "permanent" instead of "sticky". > + echo "SKIP: Roaming not possible with sticky flag, run sticky flag roaming test" > + return $ksft_skip Missing cleanup before the return. > + fi > + > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0 locked" > + check_err $? "MAB station move: no locked entry on first injection" > + > + $MZ $h2 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0 locked" > + check_fail $? "MAB station move: locked entry did not move" > + > + bridge fdb show dev $swp2 | grep -q "$mac vlan 1 master br0" Need to check that it does not roam with the "locked" flag set. > + check_err $? "MAB station move: roamed entry not found" > + > + $MZ $h1 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0 locked" > + check_err $? "MAB station move: entry did not roam back to locked port" This will need to change to "check_fail" assuming we don't allow roaming from an authorized port to an unauthorized port, which I believe makes sense. > + Missing cleanup. > + log_test "Locked port MAB station move" > +} > + > trap cleanup EXIT > > setup_prepare