From: Ido Schimmel <idosch@nvidia.com>
To: Hans Schultz <hans@kapio-technology.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Daniel Borkmann <daniel@iogearbox.net>,
	netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
	bridge@lists.linux-foundation.org,
	Hans Schultz <schultz.hans+netdev@gmail.com>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	linux-kselftest@vger.kernel.org, Roopa Prabhu <roopa@nvidia.com>,
	kuba@kernel.org, Vladimir Oltean <olteanv@gmail.com>,
	Shuah Khan <shuah@kernel.org>,
	davem@davemloft.net, linux-kernel@vger.kernel.org
Subject: Re: [Bridge] [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port
Date: Thu, 30 Jun 2022 14:37:56 +0300	[thread overview]
Message-ID: <Yr2LFI1dx6Oc7QBo@shredder> (raw)
In-Reply-To: <20220630111634.610320-1-hans@kapio-technology.com>

On Thu, Jun 30, 2022 at 01:16:34PM +0200, Hans Schultz wrote:
> This patch is related to the patch set
> "Add support for locked bridge ports (for 802.1X)"
> Link: https://lore.kernel.org/netdev/20220223101650.1212814-1-schultz.hans+netdev@gmail.com/
> 
> This patch makes the locked port feature work with learning turned on,
> which is enabled with the command:
> 
> bridge link set dev DEV learning on
> 
> Without this patch, link-local traffic (01:80:c2) like EAPOL packets will
> create an fdb entry when ingressing on a locked port with learning turned
> on, thus unintentionally opening up the port for traffic for the said MAC.
> 
> Some switchcore features like Mac-Auth and refreshing of FDB entries
> require learning enabled on some switchcores, f.ex. the mv88e6xxx family.
> Other features may apply too.
> 
> Since many switchcores trap or mirror various multicast packets to the
> CPU, link-local traffic will unintentionally unlock the port for the
> SA MAC in question unless prevented by this patch.

Why not just teach hostapd to do:

echo 1 > /sys/class/net/br0/bridge/no_linklocal_learn

?
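A small Python model of the two ingress paths the patch description and the reply are arguing about, added here as an illustration; it is not code from the kernel, the patch, or anyone in the thread. It models the bridge's link-local range test (01:80:c2:00:00:00 with mask ff:ff:ff:ff:ff:f0, the is_link_local_ether_addr() check) and the locked/learning decisions as the thread describes them; the port name and station MAC are constructed.

```python
from dataclasses import dataclass, field

# The bridge's link-local test (is_link_local_ether_addr in the kernel)
# matches 01:80:c2:00:00:00 through 01:80:c2:00:00:0f; EAPOL uses :03.
LL_PREFIX = bytes.fromhex("0180c2000000")
LL_MASK = bytes.fromhex("fffffffffff0")

def is_link_local(dst: str) -> bool:
    b = bytes.fromhex(dst.replace(":", ""))
    return all((x & m) == p for x, m, p in zip(b, LL_MASK, LL_PREFIX))

@dataclass
class Bridge:
    no_linklocal_learn: bool = False   # /sys/class/net/<br>/bridge/no_linklocal_learn
    fdb: dict = field(default_factory=dict)  # learned SA -> ingress port name

@dataclass
class Port:
    name: str
    locked: bool = False    # bridge link set dev DEV locked on
    learning: bool = False  # bridge link set dev DEV learning on

def ingress(br: Bridge, port: Port, src: str, dst: str) -> str:
    """Model of the learning/locked decisions on bridge ingress.

    Link-local frames are trapped to the CPU and never reach the locked-port
    check, but (unless no_linklocal_learn is set) they are still learned when
    the port has learning on. Ordinary frames on a locked port are dropped
    unless the SA is already in the FDB on that port.
    """
    if is_link_local(dst):
        if port.learning and not br.no_linklocal_learn:
            br.fdb[src] = port.name
            return "trapped+learned"
        return "trapped"
    if port.locked and br.fdb.get(src) != port.name:
        return "dropped"
    if port.learning:
        br.fdb[src] = port.name
    return "forwarded"

def eapol_then_data(no_linklocal_learn: bool) -> tuple:
    """Unauthenticated station sends EAPOL, then an ordinary broadcast frame."""
    br = Bridge(no_linklocal_learn=no_linklocal_learn)
    p = Port("swp1", locked=True, learning=True)   # constructed port
    sta = "02:00:00:00:00:aa"                      # constructed station MAC
    r1 = ingress(br, p, sta, "01:80:c2:00:00:03")  # EAPOL-Start
    r2 = ingress(br, p, sta, "ff:ff:ff:ff:ff:ff")  # e.g. an ARP broadcast
    return r1, r2
```

With `no_linklocal_learn` off the EAPOL frame seeds the FDB and the following data frame passes the locked check; with it on, the data frame is still dropped.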
