Ethernet Bridge development
From: Hans Schultz <hans@kapio-technology.com>
To: davem@davemloft.net, kuba@kernel.org
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Hans Schultz <hans@kapio-technology.com>,
	netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
	bridge@lists.linux-foundation.org,
	Hans Schultz <schultz.hans+netdev@gmail.com>,
	Ido Schimmel <idosch@nvidia.com>,
	linux-kernel@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	linux-kselftest@vger.kernel.org, Roopa Prabhu <roopa@nvidia.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Shuah Khan <shuah@kernel.org>,
	Vivien Didelot <vivien.didelot@gmail.com>
Subject: [Bridge] [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port
Date: Thu, 30 Jun 2022 13:16:34 +0200
Message-ID: <20220630111634.610320-1-hans@kapio-technology.com>

This patch is related to the patch set
"Add support for locked bridge ports (for 802.1X)"
Link: https://lore.kernel.org/netdev/20220223101650.1212814-1-schultz.hans+netdev@gmail.com/

This patch makes the locked port feature work with learning turned on,
which is enabled with the command:

bridge link set dev DEV learning on

Without this patch, link-local traffic (01:80:c2) like EAPOL packets will
create an FDB entry when ingressing on a locked port with learning turned
on, thus unintentionally opening up the port for traffic for the said MAC.

Some switchcore features like Mac-Auth and refreshing of FDB entries
require learning enabled on some switchcores, e.g. the mv88e6xxx family.
Other features may apply too.

Since many switchcores trap or mirror various multicast packets to the
CPU, link-local traffic will unintentionally unlock the port for the
SA MAC in question unless prevented by this patch.

Signed-off-by: Hans Schultz <hans@kapio-technology.com>
---
 net/bridge/br_input.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 68b3e850bcb9..a3ce0a151817 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -215,6 +215,7 @@ static void __br_handle_local_finish(struct sk_buff *skb)
 	if ((p->flags & BR_LEARNING) &&
 	    nbp_state_should_learn(p) &&
 	    !br_opt_get(p->br, BROPT_NO_LL_LEARN) &&
+	    !(p->flags & BR_PORT_LOCKED) &&
 	    br_should_learn(p, skb, &vid))
 		br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, 0);
 }
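Review bot: the commit message says this makes the locked-port feature work with learning on, but the hunk only guards the link-local learning path in `__br_handle_local_finish`; the message should state whether learning on a locked port is already prevented on the regular forwarding path, since that is not visible from this change. A one-line comment above the added `!(p->flags & BR_PORT_LOCKED) &&` condition, saying that a link-local frame such as EAPOL must never create the FDB entry that unlocks the port, would also help: `BROPT_NO_LL_LEARN` sits right beside it and a reader may otherwise assume that bridge-wide option already covers the case. Finally, the diffstat is `net/bridge/br_input.c | 1 +` only although linux-kselftest is on Cc; a selftest that injects an EAPOL frame into a locked, learning-enabled port and checks that `bridge fdb show` stays empty would pin the fix down.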
-- 
2.30.2
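The scenario the commit message describes, modelled in user space as an added example (this is not code from the patch or from the kernel): a reduced bridge port, a tiny FDB, the kernel's predicate for 01:80:c2:00:00:0X destinations, and the learning decision from the hunk both without and with the new `BR_PORT_LOCKED` test. The flag bit values, STP state numbers and the `eapol_start` frame are constructed for this model; only the identifier names follow the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names follow the kernel identifiers in the hunk; the numeric values are
 * assumptions made for this model, not the kernel's real bit layout. */
#define BR_LEARNING         (1u << 0)
#define BR_PORT_LOCKED      (1u << 1)
#define BROPT_NO_LL_LEARN   (1u << 0)
#define BR_STATE_LEARNING   3
#define BR_STATE_FORWARDING 4

#define ETH_ALEN  6
#define ETH_HLEN  14
#define FDB_MAX   8

struct nbp {                  /* net_bridge_port, reduced to what we need */
    unsigned int flags;       /* BR_LEARNING, BR_PORT_LOCKED */
    unsigned int state;       /* STP state */
    unsigned int br_opts;     /* bridge-wide options (BROPT_NO_LL_LEARN) */
};

struct fdb {                  /* stand-in for the bridge forwarding database */
    uint8_t mac[FDB_MAX][ETH_ALEN];
    int n;
};

/* Same predicate the bridge uses: 01:80:c2:00:00:00 .. 01:80:c2:00:00:0f */
static bool is_link_local_ether_addr(const uint8_t *a)
{
    return a[0] == 0x01 && a[1] == 0x80 && a[2] == 0xc2 &&
           a[3] == 0x00 && a[4] == 0x00 && (a[5] & 0xf0) == 0x00;
}

static bool nbp_state_should_learn(const struct nbp *p)
{
    return p->state == BR_STATE_LEARNING || p->state == BR_STATE_FORWARDING;
}

/* Insert the source MAC unless it is already known or the table is full. */
static void fdb_update(struct fdb *f, const uint8_t *mac)
{
    for (int i = 0; i < f->n; i++)
        if (memcmp(f->mac[i], mac, ETH_ALEN) == 0)
            return;
    if (f->n < FDB_MAX)
        memcpy(f->mac[f->n++], mac, ETH_ALEN);
}

/* Learning decision for a link-local frame.  With patched == false this is
 * the condition chain that existed before the hunk; with patched == true the
 * hunk's !(p->flags & BR_PORT_LOCKED) test is added in the same position. */
static bool ll_should_learn(const struct nbp *p, bool patched)
{
    if (!(p->flags & BR_LEARNING))              return false;
    if (!nbp_state_should_learn(p))             return false;
    if (p->br_opts & BROPT_NO_LL_LEARN)         return false;
    if (patched && (p->flags & BR_PORT_LOCKED)) return false;
    return true;  /* br_should_learn(): VLAN checks, assumed to pass here */
}

/* Ingress of one frame on port p; returns true if its source was learned. */
bool bridge_rx(const struct nbp *p, const uint8_t *frame, size_t len,
               bool patched, struct fdb *f)
{
    if (len < ETH_HLEN)
        return false;                         /* runt frame: dropped */
    const uint8_t *h_dest = frame, *h_source = frame + ETH_ALEN;
    if (!is_link_local_ether_addr(h_dest))
        return false;                         /* not the local-finish path */
    if (!ll_should_learn(p, patched))
        return false;
    fdb_update(f, h_source);
    return true;
}

/* Constructed EAPOL-Start frame: dst 01:80:c2:00:00:03 (PAE group address),
 * src 02:00:00:00:00:aa, ethertype 0x888e, version 1, type 1, length 0. */
static const uint8_t eapol_start[] = {
    0x01, 0x80, 0xc2, 0x00, 0x00, 0x03,  0x02, 0x00, 0x00, 0x00, 0x00, 0xaa,
    0x88, 0x8e,  0x01, 0x01, 0x00, 0x00 };

/* Locked port with learning on, as in the commit message.  Returns the FDB
 * size after the EAPOL frame: 1 means the supplicant's MAC was let through. */
int locked_port_demo(bool patched)
{
    struct nbp p = { .flags = BR_LEARNING | BR_PORT_LOCKED,
                     .state = BR_STATE_FORWARDING, .br_opts = 0 };
    struct fdb f = { .n = 0 };
    bridge_rx(&p, eapol_start, sizeof eapol_start, patched, &f);
    return f.n;
}

int main(void)
{
    printf("before patch: %d FDB entries\n", locked_port_demo(false));
    printf("after patch:  %d FDB entries\n", locked_port_demo(true));
    return 0;
}
```

The point of the model is the position of the check: `BROPT_NO_LL_LEARN` is a bridge-wide knob that an operator may legitimately leave off, so without the per-port `BR_PORT_LOCKED` test a single trapped EAPOL frame populates the FDB and the locked port is effectively open for that source address.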


Thread overview: 25+ messages
2022-06-30 11:16 Hans Schultz [this message]
2022-06-30 11:17 ` [Bridge] [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port Nikolay Aleksandrov
2022-06-30 11:37 ` Ido Schimmel
2022-06-30 12:54   ` Hans Schultz
2022-07-01  7:47   ` Hans S
2022-07-01 13:51     ` Ido Schimmel
2022-07-01 15:27       ` Vladimir Oltean
2022-07-01 15:44         ` Ido Schimmel
2022-07-01 16:07       ` Hans S
2022-07-01 17:00         ` Ido Schimmel
2022-07-01 19:17           ` Hans S
2022-07-03  7:00             ` Ido Schimmel
2022-07-04  7:54               ` Hans S
2022-07-04 10:59                 ` Ido Schimmel
2022-07-04 14:36                   ` Hans S
2022-07-05 10:53                     ` Ido Schimmel
2022-07-17 13:46         ` Vladimir Oltean
2022-07-17 14:03           ` Vladimir Oltean
2022-07-17 16:22             ` Hans S
2022-07-17 18:38               ` Vladimir Oltean
2022-07-17 19:20                 ` Hans S
2022-07-21 11:45                   ` Vladimir Oltean
2022-07-21 14:06                     ` Hans S
2022-07-24  8:09                     ` Hans S
2022-07-29  5:23                       ` Hans S
