Linux Kernel Selftest development
 help / color / mirror / Atom feed
From: netdev@kapio-technology.com
To: Ido Schimmel <idosch@nvidia.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
	Florian Fainelli <f.fainelli@gmail.com>,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Kurt Kanzenbach <kurt@linutronix.de>,
	Hauke Mehrtens <hauke@hauke-m.de>,
	Woojung Huh <woojung.huh@microchip.com>,
	UNGLinuxDriver@microchip.com, Sean Wang <sean.wang@mediatek.com>,
	Landen Chao <Landen.Chao@mediatek.com>,
	DENG Qingfang <dqfext@gmail.com>,
	Matthias Brugger <matthias.bgg@gmail.com>,
	Claudiu Manoil <claudiu.manoil@nxp.com>,
	Alexandre Belloni <alexandre.belloni@bootlin.com>,
	Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
	Roopa Prabhu <roopa@nvidia.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Shuah Khan <shuah@kernel.org>,
	Christian Marangi <ansuelsmth@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Yuwei Wang <wangyuweihx@gmail.com>,
	linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org,
	bridge@lists.linux-foundation.org,
	linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
Date: Mon, 29 Aug 2022 14:04:42 +0200	[thread overview]
Message-ID: <9e1a9eb218bbaa0d36cb98ff5d4b97d7@kapio-technology.com> (raw)
In-Reply-To: <Ywyj1VF1wlYqlHb6@shredder>

On 2022-08-29 13:32, Ido Schimmel wrote:
>> The final decision on this rests with you I would say.
> 
> If the requirement for this feature (with or without MAB) is to work
> with dynamic entries (which is not what is currently implemented in the
> selftests), then learning needs to be enabled for the sole reason of
> refreshing the dynamic entries added by user space. That is, updating
> 'fdb->updated' with current jiffies value.
> 
> So, is this the requirement? I checked the hostapd fork you posted some
> time ago and I get the impression that the answer is yes [1], but I 
> want
> to verify I'm not missing something.
> 
> [1] 
> https://github.com/westermo/hostapd/commit/95dc96f9e89131b2319f5eae8ae7ac99868b7cd0#diff-338b6fad34b4bdb015d7d96930974bd96796b754257473b6c91527789656d6edR11
> 
> 

I cannot say that it is a requirement with respect to the bridge 
implementation, but it is with the driver implementation. But you are 
right that it is to be used with dynamic entries.

>> > # ip link set dev swp1 up
>> > # ip link set dev swp2 up
>> > # ip link set dev br0 up
>> >
>> > 2. Assuming h1 behind swp1 was authorized using 802.1X:
>> >
>> > # bridge fdb replace $H1_MAC dev swp1 master dynamic
>> 
>> With the new MAB flag 'replace' is not needed when MAB is not enabled.
> 
> Yes, but replace works in both cases.
> 

Yes, of course.

>> 
>> >
>> > 3. Assuming 802.1X authentication failed for h2 behind swp2, enable MAB:
>> >
>> > # bridge link set dev swp2 mab on
>> >
>> > 4. Assuming $H2_MAC is in our allow list:
>> >
>> > # bridge fdb replace $H2_MAC dev swp2 master dynamic
>> >
>> > Learning is on in order to refresh the dynamic entries that user space
>> > installed.
>> 
>> Yes, port association is needed for those reasons. :-)
> 
> Given that the current tests use "static" entries that cannot age, is
> there a reason to have "learning on"?
> 

Port association is needed for MAB to work at all on mv88e6xxx, but for 
802.1X port association is only needed for dynamic ATU entries.

>> 
>> >
>> > (*) Need to add support for this option in iproute2. Already exposed
>> > over netlink (see 'IFLA_BR_MULTI_BOOLOPT').
>> 
>> Should I do that in this patch set?
> 
> No, I'm saying that this option is already exposed over netlink, but
> missing iproute2 support. No kernel changes needed.

Oh yes, I meant in the iproute2 accompanying patch set to this one?

  reply	other threads:[~2022-08-29 12:22 UTC|newest]

Thread overview: 69+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-26 11:45 [PATCH v5 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-08-26 11:45 ` [PATCH v5 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz
2022-08-27 11:30   ` Nikolay Aleksandrov
2022-08-27 13:17     ` Ido Schimmel
2022-08-27 13:54       ` Nikolay Aleksandrov
2022-08-28 11:24       ` netdev
2022-08-28 11:21     ` netdev
2022-08-29 11:09     ` netdev
2022-08-29 11:43     ` netdev
2022-08-29 14:02     ` netdev
2022-08-29 16:12       ` Ido Schimmel
2022-08-29 16:26         ` netdev
2022-08-30 14:19         ` netdev
2022-09-03 14:27           ` Ido Schimmel
2022-08-27 15:19   ` Ido Schimmel
2022-08-28 10:23     ` netdev
2022-08-29  7:52       ` Ido Schimmel
2022-08-29  8:04         ` netdev
2022-08-29  9:51         ` Nikolay Aleksandrov
2022-08-29  9:32     ` netdev
2022-08-29 11:01     ` netdev
2022-08-29 11:34     ` netdev
2022-08-26 11:45 ` [PATCH v5 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-08-27 15:46   ` Ido Schimmel
2022-08-27 15:52     ` Nikolay Aleksandrov
2022-08-28 11:27     ` netdev
2022-08-27 18:34   ` Ido Schimmel
2022-08-26 11:45 ` [PATCH v5 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-08-26 11:45 ` [PATCH v5 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz
2022-08-26 11:45 ` [PATCH v5 net-next 5/6] net: dsa: mv88e6xxx: MacAuth/MAB implementation Hans Schultz
2022-08-26 11:45 ` [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-08-27 18:21   ` Ido Schimmel
2022-08-28 12:00     ` netdev
2022-08-29  7:40       ` Ido Schimmel
2022-08-29  8:01         ` netdev
2022-08-29 11:32           ` Ido Schimmel
2022-08-29 12:04             ` netdev [this message]
2022-08-29 14:37               ` Ido Schimmel
2022-08-29 15:08                 ` netdev
2022-08-29 16:03                   ` Ido Schimmel
2022-08-29 16:13                     ` netdev
2022-09-03 14:47                       ` Ido Schimmel
2022-09-07 21:10                         ` netdev
2022-09-08  7:59                           ` Ido Schimmel
2022-09-08 11:14                             ` netdev
2022-09-08 11:20                               ` Vladimir Oltean
2022-09-09 13:11                                 ` netdev
2022-09-11  0:13                                   ` Vladimir Oltean
2022-09-11  9:23                                     ` netdev
2022-09-12  9:08                                       ` Ido Schimmel
2022-09-20 21:29                                         ` netdev
2022-09-21  7:15                                           ` Ido Schimmel
2022-09-22 20:35                                             ` netdev
2022-09-27 15:19                                               ` [Bridge] " Petr Machata
2022-09-23 11:34                                             ` netdev
2022-09-23 12:21                                               ` netdev
2022-09-23 12:01                                             ` netdev
2022-09-27  8:33                                             ` netdev
2022-09-28  6:59                                               ` Ido Schimmel
2022-09-28  7:29                                                 ` netdev
2022-09-28  7:47                                                 ` netdev
2022-09-28  8:46                                                   ` Ido Schimmel
2022-09-28 10:16                                                     ` netdev
2022-09-28 10:19                                                     ` netdev
2022-09-29 22:26                                                     ` netdev
2022-09-21 19:53                                         ` netdev
2022-08-29  8:55         ` netdev
2022-08-29 16:07     ` netdev
2022-09-03 14:49       ` Ido Schimmel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9e1a9eb218bbaa0d36cb98ff5d4b97d7@kapio-technology.com \
    --to=netdev@kapio-technology.com \
    --cc=Landen.Chao@mediatek.com \
    --cc=UNGLinuxDriver@microchip.com \
    --cc=alexandre.belloni@bootlin.com \
    --cc=andrew@lunn.ch \
    --cc=ansuelsmth@gmail.com \
    --cc=bridge@lists.linux-foundation.org \
    --cc=claudiu.manoil@nxp.com \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=dqfext@gmail.com \
    --cc=edumazet@google.com \
    --cc=f.fainelli@gmail.com \
    --cc=hauke@hauke-m.de \
    --cc=idosch@nvidia.com \
    --cc=ivecera@redhat.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=kurt@linutronix.de \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-mediatek@lists.infradead.org \
    --cc=matthias.bgg@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=olteanv@gmail.com \
    --cc=pabeni@redhat.com \
    --cc=razor@blackwall.org \
    --cc=roopa@nvidia.com \
    --cc=sean.wang@mediatek.com \
    --cc=shuah@kernel.org \
    --cc=vivien.didelot@gmail.com \
    --cc=wangyuweihx@gmail.com \
    --cc=woojung.huh@microchip.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox