From: Ido Schimmel <idosch@idosch.org>
To: Hans Schultz <schultz.hans@gmail.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Daniel Borkmann <daniel@iogearbox.net>,
	netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
	bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Ido Schimmel <idosch@nvidia.com>,
	linux-kselftest@vger.kernel.org, Roopa Prabhu <roopa@nvidia.com>,
	kuba@kernel.org, Vladimir Oltean <olteanv@gmail.com>,
	Shuah Khan <shuah@kernel.org>,
	davem@davemloft.net
Subject: Re: [Bridge] [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
Date: Sun, 20 Mar 2022 09:52:33 +0200
Message-ID: <YjbdQUVYkhkbdp3L@shredder>
In-Reply-To: <86mthnw9gr.fsf@gmail.com>

On Fri, Mar 18, 2022 at 04:45:24PM +0100, Hans Schultz wrote:
> On tor, mar 17, 2022 at 16:57, Ido Schimmel <idosch@idosch.org> wrote:
> > On Thu, Mar 17, 2022 at 10:39:02AM +0100, Hans Schultz wrote:
> >> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> >> locked flag set, denying access until the FDB entry is replaced with a
> >> FDB entry without the locked flag set.
> >> 
> >> Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
> >> ---
> >>  .../net/forwarding/bridge_locked_port.sh      | 29 ++++++++++++++++++-
> >>  1 file changed, 28 insertions(+), 1 deletion(-)
> >> 
> >> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> >> index 6e98efa6d371..2f9519e814b6 100755
> >> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> >> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> >> @@ -1,7 +1,7 @@
> >>  #!/bin/bash
> >>  # SPDX-License-Identifier: GPL-2.0
> >>  
> >> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> >> +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
> >>  NUM_NETIFS=4
> >>  CHECK_TC="no"
> >>  source lib.sh
> >> @@ -170,6 +170,33 @@ locked_port_ipv6()
> >>  	log_test "Locked port ipv6"
> >>  }
> >>  
> >> +locked_port_mab()
> >> +{
> >> +	RET=0
> >> +	check_locked_port_support || return 0
> >> +
> >> +	ping_do $h1 192.0.2.2
> >> +	check_err $? "MAB: Ping did not work before locking port"
> >> +
> >> +	bridge link set dev $swp1 locked on
> >> +	bridge link set dev $swp1 learning on
> >> +
> >> +	ping_do $h1 192.0.2.2
> >> +	check_fail $? "MAB: Ping worked on port just locked"
> >> +
> >> +	if ! bridge fdb show | grep `mac_get $h1` | grep -q "locked"; then
> >> +		RET=1
> >> +		retmsg="MAB: No locked fdb entry after ping on locked port"
> >> +	fi
> >
> > bridge fdb show | grep `mac_get $h1` | grep -q "locked"
> > check_err $? "MAB: No locked fdb entry after ping on locked port"
> >
> >> +
> >> +	bridge fdb del `mac_get $h1` dev $swp1 master
> >> +	bridge fdb add `mac_get $h1` dev $swp1 master static
> >
> > bridge fdb replace `mac_get $h1` dev $swp1 master static
> >
> Unfortunately for some reason 'replace' does not work in several of the
> tests, while when replaced with 'del+add', they work.

Is it because the 'locked' flag is not removed following the replace? At
least I don't see where it's handled in fdb_add_entry(). If so, please
fix it and use "bridge fdb replace" in the test.

> 
> >> +
> >> +	ping_do $h1 192.0.2.2
> >> +	check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> >> +
> >> +	log_test "Locked port MAB"
> >
> > Clean up after the test to revert to initial state:
> >
> > bridge fdb del `mac_get $h1` dev $swp1 master
> > bridge link set dev $swp1 locked off
> >
> >
> >> +}
> >>  trap cleanup EXIT
> >>  
> >>  setup_prepare
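Review bot: the locked-entry check in the new locked_port_mab() runs `bridge fdb show` with no device filter, so `grep \`mac_get $h1\`` matches that MAC on any bridge or port in the system, not only the entry the locked $swp1 is expected to have created; scope it with `bridge fdb show dev $swp1 | grep \`mac_get $h1\` | grep -q "locked"` so a stale or unrelated entry cannot satisfy the test. The surrounding `if ! ...; then RET=1; retmsg=...; fi` block is also the only assertion in the function that does not go through check_err/check_fail, so feeding the pipeline's status to `check_err $?` keeps failure reporting uniform with the rest of the file.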
> >> -- 
> >> 2.30.2
> >> 
