From: Hans Schultz <schultz.hans@gmail.com>
To: Ido Schimmel <idosch@idosch.org>, Hans Schultz <schultz.hans@gmail.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Daniel Borkmann <daniel@iogearbox.net>,
	netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
	bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Ido Schimmel <idosch@nvidia.com>, Roopa Prabhu <roopa@nvidia.com>,
	kuba@kernel.org, Vladimir Oltean <olteanv@gmail.com>,
	davem@davemloft.net
Subject: Re: [Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature
Date: Tue, 15 Mar 2022 09:48:52 +0100	[thread overview]
Message-ID: <86h77zha8b.fsf@gmail.com> (raw)
In-Reply-To: <Yi9fqkQ9wH3Duqhg@shredder>

On mån, mar 14, 2022 at 17:30, Ido Schimmel <idosch@idosch.org> wrote:
> On Thu, Mar 10, 2022 at 03:23:18PM +0100, Hans Schultz wrote:
>> Add an intermediate state for clients behind a locked port to allow for
>> possible opening of the port for said clients. This feature corresponds
>> to the Mac-Auth and MAC Authentication Bypass (MAB) named features, the
>> latter being defined by Cisco.
>> 
>> Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
>> ---
>>  include/uapi/linux/neighbour.h |  1 +
>>  net/bridge/br_fdb.c            |  6 ++++++
>>  net/bridge/br_input.c          | 11 ++++++++++-
>>  net/bridge/br_private.h        |  3 ++-
>>  4 files changed, 19 insertions(+), 2 deletions(-)
>> 
>> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
>> index db05fb55055e..83115a592d58 100644
>> --- a/include/uapi/linux/neighbour.h
>> +++ b/include/uapi/linux/neighbour.h
>> @@ -208,6 +208,7 @@ enum {
>>  	NFEA_UNSPEC,
>>  	NFEA_ACTIVITY_NOTIFY,
>>  	NFEA_DONT_REFRESH,
>> +	NFEA_LOCKED,
>>  	__NFEA_MAX
>>  };
>>  #define NFEA_MAX (__NFEA_MAX - 1)
>> diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
>> index 6ccda68bd473..396dcf3084cf 100644
>> --- a/net/bridge/br_fdb.c
>> +++ b/net/bridge/br_fdb.c
>> @@ -105,6 +105,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
>>  	struct nda_cacheinfo ci;
>>  	struct nlmsghdr *nlh;
>>  	struct ndmsg *ndm;
>> +	u8 ext_flags = 0;
>>  
>>  	nlh = nlmsg_put(skb, portid, seq, type, sizeof(*ndm), flags);
>>  	if (nlh == NULL)
>> @@ -125,11 +126,16 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
>>  		ndm->ndm_flags |= NTF_EXT_LEARNED;
>>  	if (test_bit(BR_FDB_STICKY, &fdb->flags))
>>  		ndm->ndm_flags |= NTF_STICKY;
>> +	if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags))
>> +		ext_flags |= 1 << NFEA_LOCKED;
>>  
>>  	if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
>>  		goto nla_put_failure;
>>  	if (nla_put_u32(skb, NDA_MASTER, br->dev->ifindex))
>>  		goto nla_put_failure;
>> +	if (nla_put_u8(skb, NDA_FDB_EXT_ATTRS, ext_flags))
>> +		goto nla_put_failure;
>> +
>>  	ci.ndm_used	 = jiffies_to_clock_t(now - fdb->used);
>>  	ci.ndm_confirmed = 0;
>>  	ci.ndm_updated	 = jiffies_to_clock_t(now - fdb->updated);
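Review bot: `ext_flags |= 1 << NFEA_LOCKED` treats NFEA_LOCKED as a bit index, but the enum it is added to in the include/uapi/linux/neighbour.h hunk has the netlink attribute-type shape (NFEA_UNSPEC … __NFEA_MAX with NFEA_MAX derived from it), so NFEA_* values read as attribute types carried under NDA_FDB_EXT_ATTRS, not as flag bits, and `nla_put_u8(skb, NDA_FDB_EXT_ATTRS, ext_flags)` writes a bare u8 where a receiver parsing NDA_FDB_EXT_ATTRS against an NFEA_* policy would expect a nested attribute. Whether NDA_FDB_EXT_ATTRS is parsed as nested cannot be confirmed from this hunk, but if it is, the value belongs inside `nla_nest_start(skb, NDA_FDB_EXT_ATTRS)` as its own NFEA_* attribute, with any flag bit defined separately from the attribute number. Independently, the attribute is now emitted for every entry even when ext_flags is 0, which changes the size of every FDB dump; `if (ext_flags && nla_put_u8(skb, NDA_FDB_EXT_ATTRS, ext_flags)) goto nla_put_failure;` keeps existing dumps byte-identical. fdb_fill_info continues outside the hunk.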
>> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
>> index e0c13fcc50ed..897908484b18 100644
>> --- a/net/bridge/br_input.c
>> +++ b/net/bridge/br_input.c
>> @@ -75,6 +75,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
>>  	struct net_bridge_mcast *brmctx;
>>  	struct net_bridge_vlan *vlan;
>>  	struct net_bridge *br;
>> +	unsigned long flags = 0;
>>  	u16 vid = 0;
>>  	u8 state;
>>  
>> @@ -94,8 +95,16 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
>>  			br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
>>  
>>  		if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
>> -		    test_bit(BR_FDB_LOCAL, &fdb_src->flags))
>> +		    test_bit(BR_FDB_LOCAL, &fdb_src->flags)) {
>> +			if (!fdb_src) {
>> +				set_bit(BR_FDB_ENTRY_LOCKED, &flags);
>
> This flag is read-only for user space, right? That is, the kernel needs
> to reject it during netlink policy validation.
>

Yes, the flag is only readable from user space, unless there is a wish
to change that.

>> +				br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, flags);
>> +			}
>>  			goto drop;
>> +		} else {
>
> IIUC, we get here in case there is a non-local FDB entry with the SA
> that points to our port. Can you write it as:
>

Yes, looks like that's more optimal. :)

> if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
>     test_bit(BR_FDB_LOCAL, &fdb_src->flags) ||
>     test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags)) {
>     	if (!fdb_src) {
> 	...
> 	}
> 	goto drop;
> }
>
>> +			if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags))
>> +				goto drop;
>> +		}
>>  	}
>>  
>>  	nbp_switchdev_frame_mark(p, skb);
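Review bot: With the new `if (!fdb_src)` branch, every frame whose source address has no FDB entry now creates one via br_fdb_update() before the frame is dropped, whereas the pre-patch code dropped without learning; on a port whose purpose is to distrust unauthenticated hosts this means the FDB grows by one entry per distinct source MAC seen on that port, presumably until normal ageing removes it, and no bound is visible in this hunk. The enclosing condition that selects locked ports lies outside the hunk, so any limit applied there cannot be checked here; a comment above the branch stating the intended bound, e.g. `/* Unknown SA on a locked port: create a locked entry for user space to act on; relies on regular ageing to bound the table. */`, would make the trade-off explicit. On style, `set_bit()` is an atomic read-modify-write on the stack-local `flags` that no other context can observe; passing `BIT(BR_FDB_ENTRY_LOCKED)` straight to br_fdb_update() and dropping the `unsigned long flags = 0;` added in the earlier br_input.c hunk is simpler. br_handle_frame_finish starts and ends outside the hunk.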
>> diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
>> index 48bc61ebc211..f5a0b68c4857 100644
>> --- a/net/bridge/br_private.h
>> +++ b/net/bridge/br_private.h
>> @@ -248,7 +248,8 @@ enum {
>>  	BR_FDB_ADDED_BY_EXT_LEARN,
>>  	BR_FDB_OFFLOADED,
>>  	BR_FDB_NOTIFY,
>> -	BR_FDB_NOTIFY_INACTIVE
>> +	BR_FDB_NOTIFY_INACTIVE,
>> +	BR_FDB_ENTRY_LOCKED,
>>  };
>>  
>>  struct net_bridge_fdb_key {
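Review bot: BR_FDB_ENTRY_LOCKED is added to the internal flag enum without a comment, and its meaning is less self-evident than the neighbouring BR_FDB_* bits because the lock is a property of the port while this bit marks an entry learned on such a port. From the br_input.c hunk the observable semantics are that the entry is created for an unknown source address on a locked port and that frames from it are dropped, so a one-line comment such as `BR_FDB_ENTRY_LOCKED, /* unauthorized SA seen on a locked port; frames from it are dropped */` would spare readers a trip to br_input.c. The enum starts before the hunk.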
>> -- 
>> 2.30.2
>> 

From: Hans Schultz <schultz.hans@gmail.com>
To: Ido Schimmel <idosch@idosch.org>, Hans Schultz <schultz.hans@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
	Roopa Prabhu <roopa@nvidia.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Ido Schimmel <idosch@nvidia.com>,
	linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org
Subject: Re: [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature
Date: Tue, 15 Mar 2022 09:48:52 +0100	[thread overview]
Message-ID: <86h77zha8b.fsf@gmail.com> (raw)
In-Reply-To: <Yi9fqkQ9wH3Duqhg@shredder>

On mån, mar 14, 2022 at 17:30, Ido Schimmel <idosch@idosch.org> wrote:
> On Thu, Mar 10, 2022 at 03:23:18PM +0100, Hans Schultz wrote:
>> Add an intermediate state for clients behind a locked port to allow for
>> possible opening of the port for said clients. This feature corresponds
>> to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The
>> latter defined by Cisco.
>> 
>> Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
>> ---
>>  include/uapi/linux/neighbour.h |  1 +
>>  net/bridge/br_fdb.c            |  6 ++++++
>>  net/bridge/br_input.c          | 11 ++++++++++-
>>  net/bridge/br_private.h        |  3 ++-
>>  4 files changed, 19 insertions(+), 2 deletions(-)
>> 
>> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
>> index db05fb55055e..83115a592d58 100644
>> --- a/include/uapi/linux/neighbour.h
>> +++ b/include/uapi/linux/neighbour.h
>> @@ -208,6 +208,7 @@ enum {
>>  	NFEA_UNSPEC,
>>  	NFEA_ACTIVITY_NOTIFY,
>>  	NFEA_DONT_REFRESH,
>> +	NFEA_LOCKED,
>>  	__NFEA_MAX
>>  };
>>  #define NFEA_MAX (__NFEA_MAX - 1)
>> diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
>> index 6ccda68bd473..396dcf3084cf 100644
>> --- a/net/bridge/br_fdb.c
>> +++ b/net/bridge/br_fdb.c
>> @@ -105,6 +105,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
>>  	struct nda_cacheinfo ci;
>>  	struct nlmsghdr *nlh;
>>  	struct ndmsg *ndm;
>> +	u8 ext_flags = 0;
>>  
>>  	nlh = nlmsg_put(skb, portid, seq, type, sizeof(*ndm), flags);
>>  	if (nlh == NULL)
>> @@ -125,11 +126,16 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
>>  		ndm->ndm_flags |= NTF_EXT_LEARNED;
>>  	if (test_bit(BR_FDB_STICKY, &fdb->flags))
>>  		ndm->ndm_flags |= NTF_STICKY;
>> +	if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags))
>> +		ext_flags |= 1 << NFEA_LOCKED;
>>  
>>  	if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
>>  		goto nla_put_failure;
>>  	if (nla_put_u32(skb, NDA_MASTER, br->dev->ifindex))
>>  		goto nla_put_failure;
>> +	if (nla_put_u8(skb, NDA_FDB_EXT_ATTRS, ext_flags))
>> +		goto nla_put_failure;
>> +
>>  	ci.ndm_used	 = jiffies_to_clock_t(now - fdb->used);
>>  	ci.ndm_confirmed = 0;
>>  	ci.ndm_updated	 = jiffies_to_clock_t(now - fdb->updated);
>> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
>> index e0c13fcc50ed..897908484b18 100644
>> --- a/net/bridge/br_input.c
>> +++ b/net/bridge/br_input.c
>> @@ -75,6 +75,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
>>  	struct net_bridge_mcast *brmctx;
>>  	struct net_bridge_vlan *vlan;
>>  	struct net_bridge *br;
>> +	unsigned long flags = 0;
>>  	u16 vid = 0;
>>  	u8 state;
>>  
>> @@ -94,8 +95,16 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
>>  			br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
>>  
>>  		if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
>> -		    test_bit(BR_FDB_LOCAL, &fdb_src->flags))
>> +		    test_bit(BR_FDB_LOCAL, &fdb_src->flags)) {
>> +			if (!fdb_src) {
>> +				set_bit(BR_FDB_ENTRY_LOCKED, &flags);
>
> This flag is read-only for user space, right? That is, the kernel needs
> to reject it during netlink policy validation.
>

Yes, the flag is only readable from user space, unless there is a wish
to change that.

>> +				br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, flags);
>> +			}
>>  			goto drop;
>> +		} else {
>
> IIUC, we get here in case there is a non-local FDB entry with the SA
> that points to our port. Can you write it as:
>

Yes, looks like that's more optimal. :)

> if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
>     test_bit(BR_FDB_LOCAL, &fdb_src->flags) ||
>     test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags)) {
>     	if (!fdb_src) {
> 	...
> 	}
> 	goto drop;
> }
>
>> +			if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags))
>> +				goto drop;
>> +		}
>>  	}
>>  
>>  	nbp_switchdev_frame_mark(p, skb);
>> diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
>> index 48bc61ebc211..f5a0b68c4857 100644
>> --- a/net/bridge/br_private.h
>> +++ b/net/bridge/br_private.h
>> @@ -248,7 +248,8 @@ enum {
>>  	BR_FDB_ADDED_BY_EXT_LEARN,
>>  	BR_FDB_OFFLOADED,
>>  	BR_FDB_NOTIFY,
>> -	BR_FDB_NOTIFY_INACTIVE
>> +	BR_FDB_NOTIFY_INACTIVE,
>> +	BR_FDB_ENTRY_LOCKED,
>>  };
>>  
>>  struct net_bridge_fdb_key {
>> -- 
>> 2.30.2
>> 
