From: Ido Schimmel <idosch@idosch.org>
To: Hans Schultz <schultz.hans@gmail.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
bridge@lists.linux-foundation.org,
Eric Dumazet <edumazet@google.com>,
Ido Schimmel <idosch@nvidia.com>,
Vivien Didelot <vivien.didelot@gmail.com>,
Hans Schultz <schultz.hans+netdev@gmail.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-kselftest@vger.kernel.org, Roopa Prabhu <roopa@nvidia.com>,
kuba@kernel.org, Vladimir Oltean <olteanv@gmail.com>,
Shuah Khan <shuah@kernel.org>,
davem@davemloft.net, linux-kernel@vger.kernel.org
Subject: Re: [Bridge] [PATCH V3 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
Date: Thu, 26 May 2022 17:27:44 +0300
Message-ID: <Yo+OYN/rjdB7wfQu@shredder>
In-Reply-To: <20220524152144.40527-5-schultz.hans+netdev@gmail.com>
On Tue, May 24, 2022 at 05:21:44PM +0200, Hans Schultz wrote:
> Verify that the MAC-Auth mechanism works by adding an FDB entry with the
> locked flag set, denying access until the FDB entry is replaced with an
> FDB entry without the locked flag set.
>
> Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
> ---
> .../net/forwarding/bridge_locked_port.sh | 42 ++++++++++++++++---
> 1 file changed, 36 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> index 5b02b6b60ce7..50b9048d044a 100755
> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> @@ -1,7 +1,7 @@
> #!/bin/bash
> # SPDX-License-Identifier: GPL-2.0
>
> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
> NUM_NETIFS=4
> CHECK_TC="no"
> source lib.sh
> @@ -94,13 +94,13 @@ locked_port_ipv4()
> ping_do $h1 192.0.2.2
> check_fail $? "Ping worked after locking port, but before adding FDB entry"
>
> - bridge fdb add `mac_get $h1` dev $swp1 master static
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
>
> ping_do $h1 192.0.2.2
> check_err $? "Ping did not work after locking port and adding FDB entry"
>
> bridge link set dev $swp1 locked off
> - bridge fdb del `mac_get $h1` dev $swp1 master static
> + bridge fdb del `mac_get $h1` dev $swp1 master
>
> ping_do $h1 192.0.2.2
> check_err $? "Ping did not work after unlocking port and removing FDB entry."
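Review bot: the switch from 'bridge fdb add' to 'bridge fdb replace' in locked_port_ipv4 makes this step succeed whether or not an entry for the MAC already exists, so the test no longer notices a leftover entry from an earlier step, and the commit message, which only describes adding a MAB test, gives no reason for it. If the existing tests must change for the new flag, put that in its own patch or explain it in the log; the same goes for dropping 'static' from the 'bridge fdb del' line.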
> @@ -124,13 +124,13 @@ locked_port_vlan()
> ping_do $h1.100 198.51.100.2
> check_fail $? "Ping through vlan worked after locking port, but before adding FDB entry"
>
> - bridge fdb add `mac_get $h1` dev $swp1 vlan 100 master static
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
>
> ping_do $h1.100 198.51.100.2
> check_err $? "Ping through vlan did not work after locking port and adding FDB entry"
>
> bridge link set dev $swp1 locked off
> - bridge fdb del `mac_get $h1` dev $swp1 vlan 100 master static
> + bridge fdb del `mac_get $h1` dev $swp1 vlan 100 master
>
> ping_do $h1.100 198.51.100.2
> check_err $? "Ping through vlan did not work after unlocking port and removing FDB entry"
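Review bot: in locked_port_vlan the new 'bridge fdb replace' line drops 'vlan 100', while the ping it is meant to authorize runs on $h1.100 and the 'bridge fdb del' further down still passes 'vlan 100'. Keep the VLAN on the replace ('bridge fdb replace `mac_get $h1` dev $swp1 vlan 100 master static') so the entry installed and the entry removed are the same one and the test keeps covering the per-VLAN case.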
> @@ -153,7 +153,8 @@ locked_port_ipv6()
> ping6_do $h1 2001:db8:1::2
> check_fail $? "Ping6 worked after locking port, but before adding FDB entry"
>
> - bridge fdb add `mac_get $h1` dev $swp1 master static
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> ping6_do $h1 2001:db8:1::2
> check_err $? "Ping6 did not work after locking port and adding FDB entry"
>
> @@ -166,6 +167,35 @@ locked_port_ipv6()
> log_test "Locked port ipv6"
> }
Why did you change s/add/replace/? Also, from the subject and commit
message I understand the patch is about adding a new test, not changing
existing ones.
>
> +locked_port_mab()
> +{
> + RET=0
> + check_locked_port_support || return 0
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work before locking port"
> +
> + bridge link set dev $swp1 locked on
> + bridge link set dev $swp1 learning on
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
Why is the delete needed? Aren't you getting errors on trying to delete
a non-existing entry? In previous test cases learning is disabled and it
seems the FDB entry is cleaned up.
> +
> + ping_do $h1 192.0.2.2
> + check_fail $? "MAB: Ping worked on locked port without FDB entry"
> +
> + bridge fdb show | grep `mac_get $h1` | grep -q "locked"
> + check_err $? "MAB: No locked fdb entry after ping on locked port"
> +
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
bridge link set dev $swp1 learning off
> + bridge link set dev $swp1 locked off
> +
> + log_test "Locked port MAB"
> +}
> trap cleanup EXIT
>
> setup_prepare
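Review bot: the locked-entry check in locked_port_mab, 'bridge fdb show | grep `mac_get $h1` | grep -q "locked"', is not limited to $swp1, so it passes if the MAC appears with the locked flag on any device. Restrict it with 'bridge fdb show dev $swp1', and after the 'bridge fdb replace' step add the converse check that the entry no longer shows "locked". The 'bridge fdb del' before the first locked ping has no check_err or check_fail after it, so a failure there is silently ignored.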
> --
> 2.30.2
>