From: Ido Schimmel <idosch@nvidia.com>
To: "Hans J. Schultz" <netdev@kapio-technology.com>
Cc: Andrew Lunn <andrew@lunn.ch>,
	Alexandre Belloni <alexandre.belloni@bootlin.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Kurt Kanzenbach <kurt@linutronix.de>,
	Eric Dumazet <edumazet@google.com>,
	linux-kselftest@vger.kernel.org,
	Joachim Wiberg <troglobit@gmail.com>,
	Shuah Khan <shuah@kernel.org>, Ivan Vecera <ivecera@redhat.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Florent Fourcot <florent.fourcot@wifirst.fr>,
	bridge@lists.linux-foundation.org,
	Russell King <linux@armlinux.org.uk>,
	linux-arm-kernel@lists.infradead.org,
	Roopa Prabhu <roopa@nvidia.com>,
	kuba@kernel.org, Paolo Abeni <pabeni@redhat.com>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Woojung Huh <woojung.huh@microchip.com>,
	Landen Chao <Landen.Chao@mediatek.com>,
	Jiri Pirko <jiri@resnulli.us>, Amit Cohen <amcohen@nvidia.com>,
	Christian Marangi <ansuelsmth@gmail.com>,
	Hauke Mehrtens <hauke@hauke-m.de>,
	Hans Schultz <schultz.hans@gmail.com>,
	Sean Wang <sean.wang@mediatek.com>,
	DENG Qingfang <dqfext@gmail.com>,
	Claudiu Manoil <claudiu.manoil@nxp.com>,
	linux-mediatek@lists.infradead.org,
	Matthias Brugger <matthias.bgg@gmail.com>,
	Yuwei Wang <wangyuweihx@gmail.com>,
	Petr Machata <petrm@nvidia.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	UNGLinuxDriver@microchip.com, Vladimir Oltean <olteanv@gmail.com>,
	davem@davemloft.net
Subject: Re: [Bridge] [PATCH v7 net-next 9/9] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
Date: Thu, 13 Oct 2022 15:06:07 +0300
Message-ID: <Y0f/L9IT6dbwlZAg@shredder>
In-Reply-To: <20221009174052.1927483-10-netdev@kapio-technology.com>

On Sun, Oct 09, 2022 at 07:40:52PM +0200, Hans J. Schultz wrote:
> +locked_port_mab()
> +{
> +	RET=0
> +	check_port_mab_support || return 0
> +
> +	ping_do $h1 192.0.2.2
> +	check_err $? "MAB: Ping did not work before locking port"
> +
> +	bridge link set dev $swp1 locked on mab on
> +
> +	ping_do $h1 192.0.2.2
> +	check_fail $? "MAB: Ping worked on mab enabled port without FDB entry"
> +
> +	bridge fdb get `mac_get $h1` vlan 1 dev $swp1 | grep "dev $swp1 vlan 1" | grep -q "locked"
> +	check_err $? "MAB: No locked FDB entry after ping on mab enabled port"
> +
> +	bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> +	ping_do $h1 192.0.2.2
> +	check_err $? "MAB: Ping did not work with FDB entry without locked flag"
> +
> +	bridge fdb del `mac_get $h1` dev $swp1 master
> +	bridge link set dev $swp1 locked off mab off
> +
> +	log_test "Locked port MAB"
> +}
> +
> +# Check that entries cannot roam from an unlocked port to a locked port.
> +locked_port_station_move()
> +{
> +	local mac=a0:b0:c0:c0:b0:a0
> +
> +	RET=0
> +	check_locked_port_support || return 0
> +
> +	bridge link set dev $swp1 locked on learning on
> +
> +	$MZ $h1 -q -c 5 -d 100msec -t udp -a $mac -b rand
> +	bridge fdb show dev $swp1 | grep -q $mac
> +	check_fail $? "Locked port station move: FDB entry on first injection"
> +
> +	$MZ $h2 -q -c 5 -d 100msec -t udp -a $mac -b rand
> +	bridge fdb get $mac vlan 1 dev $swp2 | grep "dev $swp2 vlan 1" | grep -q "master br0"
> +	check_err $? "Locked port station move: Entry not found on unlocked port"
> +
> +	$MZ $h1 -q -c 5 -d 100msec -t udp -a $mac -b rand
> +	bridge fdb get $mac vlan 1 dev $swp1 | grep "dev $swp1 vlan 1" | grep -q "master br0"
> +	check_fail $? "Locked port station move: entry roamed to locked port"
> +
> +	bridge fdb del $mac vlan 1 dev $swp2 master
> +	bridge link set dev $swp1 locked off learning off
> +
> +	log_test "Locked port station move"
> +}
> +
> +# Roaming to and from a MAB enabled port should work if blackhole flag is not set
> +locked_port_mab_station_move()
> +{
> +	local mac=10:20:30:30:20:10
> +
> +	RET=0
> +	check_port_mab_support || return 0
> +
> +	bridge link set dev $swp1 locked on mab on
> +
> +	$MZ $h1 -q -c 5 -d 100 mesc -t udp -a $mac -b rand
> +	if bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "blackhole"; then
> +		echo "SKIP: Roaming not possible with blackhole flag, skipping test..."
> +		bridge link set dev $swp1 locked off mab off
> +		return $ksft_skip
> +	fi
> +
> +	bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
> +	check_err $? "MAB station move: no locked entry on first injection"
> +
> +	$MZ $h2 -q -c 5 -d 100msec -t udp -a $mac -b rand
> +	bridge fdb get $mac vlan 1 dev $swp1 | grep "dev $swp1 vlan 1" | grep -q "locked"
> +	check_fail $? "MAB station move: locked entry did not move"
> +
> +	bridge fdb get $mac vlan 1 dev $swp2 | grep "dev $swp2 vlan 1" | grep -q "locked"
> +	check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
> +
> +	bridge fdb get $mac vlan 1 dev $swp2 | grep "dev $swp2 vlan 1" | grep -q "master br0"
> +	check_err $? "MAB station move: roamed entry not found"
> +
> +	bridge fdb del $mac vlan 1 dev $swp2 master
> +	bridge link set dev $swp1 locked off mab off
> +
> +	log_test "Locked port MAB station move"
> +}
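
Review bot: in locked_port_mab_station_move() the first injection reads `$MZ $h1 -q -c 5 -d 100 mesc -t udp -a $mac -b rand`, so the delay argument is split into `100` and a separate word `mesc`, while every other $MZ call in the patch passes `-d 100msec`. This injection is the one that has to create the locked entry the rest of the test asserts on, so it should be corrected to `-d 100msec`. The blackhole skip check directly below it also still greps `bridge fdb show dev $swp1` output for "$mac vlan 1", which keeps that branch dependent on the dump format.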

Looks OK to me. I made some changes to make sure we are using "bridge fdb
get" in a consistent manner instead of relying on iproute2 dump output
too much. Please consider including them in the next version.

FYI, I ran your version and mine with veth pairs and both are OK.

diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
index fbe558f25e44..f0bc0bcbc246 100755
--- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
@@ -187,7 +187,7 @@ locked_port_mab()
 	ping_do $h1 192.0.2.2
 	check_fail $? "MAB: Ping worked on mab enabled port without FDB entry"
 
-	bridge fdb get `mac_get $h1` vlan 1 dev $swp1 | grep "dev $swp1 vlan 1" | grep -q "locked"
+	bridge fdb get `mac_get $h1` br br0 vlan 1 | grep "dev $swp1" | grep -q "locked"
 	check_err $? "MAB: No locked FDB entry after ping on mab enabled port"
 
 	bridge fdb replace `mac_get $h1` dev $swp1 master static
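
Review bot: in the new lookup line, `grep "dev $swp1"` is an unanchored substring match, so it would also accept a port whose name merely begins with the value of $swp1. With the query now keyed on MAC, bridge and VLAN, the port filter is the only thing tying the locked entry to the MAB-enabled port, so matching it as a whole word (for example `grep -w "dev $swp1"`) would make the assertion exact.
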
@@ -212,15 +212,15 @@ locked_port_station_move()
 	bridge link set dev $swp1 locked on learning on
 
 	$MZ $h1 -q -c 5 -d 100msec -t udp -a $mac -b rand
-	bridge fdb show dev $swp1 | grep -q $mac
+	bridge fdb get $mac br br0 vlan 1 &> /dev/null
 	check_fail $? "Locked port station move: FDB entry on first injection"
 
 	$MZ $h2 -q -c 5 -d 100msec -t udp -a $mac -b rand
-	bridge fdb get $mac vlan 1 dev $swp2 | grep "dev $swp2 vlan 1" | grep -q "master br0"
+	bridge fdb get $mac br br0 vlan 1 | grep -q "dev $swp2"
 	check_err $? "Locked port station move: Entry not found on unlocked port"
 
 	$MZ $h1 -q -c 5 -d 100msec -t udp -a $mac -b rand
-	bridge fdb get $mac vlan 1 dev $swp1 | grep "dev $swp1 vlan 1" | grep -q "master br0"
+	bridge fdb get $mac br br0 vlan 1 | grep -q "dev $swp1"
 	check_fail $? "Locked port station move: entry roamed to locked port"
 
 	bridge fdb del $mac vlan 1 dev $swp2 master
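
Review bot: the first replaced check, `bridge fdb get $mac br br0 vlan 1 &> /dev/null` followed by `check_fail $?`, passes on any non-zero exit, so a lookup that fails for an unrelated reason cannot be told apart from "no entry was learned", and the discarded stderr hides which case occurred. Consider keeping the error output in the log or asserting on the specific failure. Note also that this check is now wider than the removed `bridge fdb show dev $swp1 | grep -q $mac`: it fails if the MAC has an entry on any port of br0 in VLAN 1, not only on the locked port, which is worth stating in the comment or commit message.
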
@@ -229,7 +229,8 @@ locked_port_station_move()
 	log_test "Locked port station move"
 }
 
-# Roaming to and from a MAB enabled port should work if blackhole flag is not set
+# Check that entries can roam from a locked port if blackhole FDB flag is not
+# set.
 locked_port_mab_station_move()
 {
 	local mac=10:20:30:30:20:10
@@ -246,19 +247,16 @@ locked_port_mab_station_move()
 		return $ksft_skip
 	fi
 
-	bridge fdb show dev $swp1 | grep "$mac vlan 1" | grep -q "locked"
+	bridge fdb get $mac br br0 vlan 1 | grep "dev $swp1" | grep -q "locked"
 	check_err $? "MAB station move: no locked entry on first injection"
 
 	$MZ $h2 -q -c 5 -d 100msec -t udp -a $mac -b rand
-	bridge fdb get $mac vlan 1 dev $swp1 | grep "dev $swp1 vlan 1" | grep -q "locked"
-	check_fail $? "MAB station move: locked entry did not move"
+	bridge fdb get $mac br br0 vlan 1 | grep -q "dev $swp2"
+	check_err $? "MAB station move: roamed entry not found"
 
-	bridge fdb get $mac vlan 1 dev $swp2 | grep "dev $swp2 vlan 1" | grep -q "locked"
+	bridge fdb get $mac br br0 vlan 1 | grep -q "locked"
 	check_fail $? "MAB station move: roamed entry to unlocked port had locked flag on"
 
-	bridge fdb get $mac vlan 1 dev $swp2 | grep "dev $swp2 vlan 1" | grep -q "master br0"
-	check_err $? "MAB station move: roamed entry not found"
-
 	bridge fdb del $mac vlan 1 dev $swp2 master
 	bridge link set dev $swp1 locked off mab off
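
Review bot: after the move to $h2, the flag check `bridge fdb get $mac br br0 vlan 1 | grep -q "locked"` with `check_fail` no longer filters on the port, and it also passes when the lookup returns nothing at all, so it is only meaningful in combination with the preceding `grep -q "dev $swp2"` check, which comes from a separate invocation. Capturing the `bridge fdb get` output once and asserting on that same line both that it names $swp2 and that it lacks "locked" would remove the dependency between the two checks and the window between the two lookups.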
