* [PATCH iproute2-next V2 1/4] bridge: link: add command to set port in locked mode
2022-02-28 13:36 [PATCH iproute2-next V2 0/4] Add support for locked bridge ports (for 802.1X) Hans Schultz
@ 2022-02-28 13:36 ` Hans Schultz
2022-02-28 13:36 ` [PATCH iproute2-next V2 2/4] ip: iplink_bridge_slave: add locked port flag support Hans Schultz
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Hans Schultz @ 2022-02-28 13:36 UTC (permalink / raw)
To: davem, kuba; +Cc: netdev, Hans Schultz, Stephen Hemminger, linux-kernel
Add support for setting a bridge port in locked mode to use with 802.1X,
so that only authorized clients are allowed access through the port.
Syntax: bridge link set dev DEV locked {on, off}
Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
---
bridge/link.c | 13 +++++++++++++
include/uapi/linux/if_link.h | 1 +
2 files changed, 14 insertions(+)
diff --git a/bridge/link.c b/bridge/link.c
index 205a2fe7..bb4f0b2d 100644
--- a/bridge/link.c
+++ b/bridge/link.c
@@ -175,6 +175,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
if (prtb[IFLA_BRPORT_ISOLATED])
print_on_off(PRINT_ANY, "isolated", "isolated %s ",
rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
+ if (prtb[IFLA_BRPORT_LOCKED])
+ print_on_off(PRINT_ANY, "locked", "locked %s ",
+ rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
} else
print_stp_state(rta_getattr_u8(attr));
}
@@ -275,6 +278,7 @@ static void usage(void)
" [ neigh_suppress {on | off} ]\n"
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
+ " [ locked {on | off} ]\n"
" [ hwmode {vepa | veb} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
" [ self ] [ master ]\n"
@@ -303,6 +307,7 @@ static int brlink_modify(int argc, char **argv)
__s8 vlan_tunnel = -1;
__s8 mcast_flood = -1;
__s8 mcast_to_unicast = -1;
+ __s8 locked = -1;
__s8 isolated = -1;
__s8 hairpin = -1;
__s8 bpdu_guard = -1;
@@ -415,6 +420,11 @@ static int brlink_modify(int argc, char **argv)
isolated = parse_on_off("isolated", *argv, &ret);
if (ret)
return ret;
+ } else if (strcmp(*argv, "locked") == 0) {
+ NEXT_ARG();
+ locked = parse_on_off("locked", *argv, &ret);
+ if (ret)
+ return ret;
} else if (strcmp(*argv, "backup_port") == 0) {
NEXT_ARG();
backup_port_idx = ll_name_to_index(*argv);
@@ -489,6 +499,9 @@ static int brlink_modify(int argc, char **argv)
if (isolated != -1)
addattr8(&req.n, sizeof(req), IFLA_BRPORT_ISOLATED, isolated);
+ if (locked >= 0)
+ addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
+
if (backup_port_idx != -1)
addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
backup_port_idx);
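Review bot: the new test `if (locked >= 0)` is the odd one out in this block; the neighbouring checks are written `if (isolated != -1)` and `if (backup_port_idx != -1)`, and since `locked` starts at -1 and is only ever set by parse_on_off() to 0 or 1 the two forms are equivalent, so write it `if (locked != -1)` for consistency. The extra blank line inserted after the addattr8() call is also out of step with the surrounding lines and can go.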
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 1d4ed60b..637623bb 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -534,6 +534,7 @@ enum {
IFLA_BRPORT_MRP_IN_OPEN,
IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
+ IFLA_BRPORT_LOCKED,
__IFLA_BRPORT_MAX
};
#define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
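Review bot: include/uapi/linux/if_link.h is a copy of the kernel UAPI header that iproute2 refreshes wholesale from the kernel tree in a dedicated header-update commit rather than by hand-adding a single enumerator, so this hunk should not travel with the tool change; the maintainer's apply summary later in this thread lists 1/4 as "(no matching commit)" while 2/4, 3/4 and 4/4 were applied, which is consistent with the header having been taken separately. Keep the bridge/link.c part and either drop this hunk or state in the cover letter which kernel commit defines IFLA_BRPORT_LOCKED, so the enumerator's position right after IFLA_BRPORT_MCAST_EHT_HOSTS_CNT can be checked against it.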
--
2.30.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH iproute2-next V2 2/4] ip: iplink_bridge_slave: add locked port flag support
From: Hans Schultz @ 2022-02-28 13:36 UTC (permalink / raw)
To: davem, kuba; +Cc: netdev, Hans Schultz, Stephen Hemminger, linux-kernel
Syntax: ip link set dev DEV type bridge_slave locked {on | off}
Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
---
ip/iplink_bridge_slave.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 71787586..da14a95e 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -42,6 +42,7 @@ static void print_explain(FILE *f)
" [ neigh_suppress {on | off} ]\n"
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
+ " [ locked {on | off} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
);
}
@@ -278,6 +279,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
print_on_off(PRINT_ANY, "isolated", "isolated %s ",
rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
+ if (tb[IFLA_BRPORT_LOCKED])
+ print_on_off(PRINT_ANY, "locked", "locked %s ",
+ rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+
if (tb[IFLA_BRPORT_BACKUP_PORT]) {
int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
@@ -393,6 +398,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
NEXT_ARG();
bridge_slave_parse_on_off("isolated", *argv, n,
IFLA_BRPORT_ISOLATED);
+ } else if (matches(*argv, "locked") == 0) {
+ NEXT_ARG();
+ bridge_slave_parse_on_off("locked", *argv, n,
+ IFLA_BRPORT_LOCKED);
} else if (matches(*argv, "backup_port") == 0) {
int ifindex;
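Review bot: the keyword is matched here with `matches(*argv, "locked")`, which accepts any unique prefix of the word, whereas the equivalent parser added to bridge/link.c in 1/4 uses `strcmp(*argv, "locked") == 0` and only accepts the full word. Each file follows its own local convention (`backup_port` is matched the same way in each), so this is not a defect in the patch, but it does mean `ip link set ... type bridge_slave lock on` is accepted while `bridge link set ... lock on` is rejected; worth a sentence in the man pages, or a follow-up that aligns the two front-ends.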
--
2.30.2
* [PATCH iproute2-next V2 3/4] man8/bridge.8: add locked port feature description and cmd syntax
From: Hans Schultz @ 2022-02-28 13:36 UTC (permalink / raw)
To: davem, kuba; +Cc: netdev, Hans Schultz, Stephen Hemminger, linux-kernel
Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
---
man/man8/bridge.8 | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index 81ce9e6f..cb0ffc16 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -50,6 +50,7 @@ bridge \- show / manipulate bridge addresses and devices
.BR neigh_suppress " { " on " | " off " } ] [ "
.BR vlan_tunnel " { " on " | " off " } ] [ "
.BR isolated " { " on " | " off " } ] [ "
+.BR locked " { " on " | " off " } ] [ "
.B backup_port
.IR DEVICE " ] ["
.BR nobackup_port " ] [ "
@@ -513,6 +514,16 @@ Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this
flag is off.
+.TP
+.BR "locked on " or " locked off "
+Controls whether a port will be locked, meaning that hosts behind the
+port will not be able to communicate through the port unless an FDB
+entry with the units MAC address is in the FDB.
+The common use is that hosts are allowed access through authentication
+with the IEEE 802.1X protocol or based on whitelists or like setups.
+By default this flag is off.
+
+
.TP
.BI backup_port " DEVICE"
If the port loses carrier all traffic will be redirected to the
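Review bot: in the new description "the units MAC address" needs a possessive, and "unless an FDB entry with the units MAC address is in the FDB" says FDB twice; suggest "unless the bridge FDB holds an entry for the host's MAC address", which also matches the "hosts behind the port" wording earlier in the sentence. "based on whitelists or like setups" is vague; "or from a statically configured allow-list" says what is meant. The hunk also adds two blank lines before the following `.TP`, while the `isolated` entry at the top of the hunk runs straight into the next `.TP` with none; drop them so the entries are laid out the same way.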
--
2.30.2
* [PATCH iproute2-next V2 4/4] man8/ip-link.8: add locked port feature description and cmd syntax
From: Hans Schultz @ 2022-02-28 13:36 UTC (permalink / raw)
To: davem, kuba; +Cc: netdev, Hans Schultz, Stephen Hemminger, linux-kernel
Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
---
man/man8/ip-link.8.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 19a0c9ca..800ef278 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2376,6 +2376,7 @@ the following additional arguments are supported:
] [
.BR isolated " { " on " | " off " }"
] [
+.BR locked " { " on " | " off " }"
.BR backup_port " DEVICE"
] [
.BR nobackup_port " ]"
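Review bot: the inserted `.BR locked " { " on " | " off " }"` line is missing the `] [` separator that every other entry in this synopsis list has (see the `] [` lines on either side of `isolated`), so the rendered synopsis will run `[ locked { on | off } backup_port DEVICE ] [ nobackup_port ]` together instead of closing the locked bracket before `backup_port`. Add a `] [` line after the new `.BR locked` line, exactly as the `isolated` entry above does; the bridge.8 synopsis in 3/4 gets this right by carrying the `" } ] [ "` on the option line itself.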
@@ -2473,6 +2474,11 @@ is enabled on the port. By default this flag is off.
- controls whether vlan to tunnel mapping is enabled on the port. By
default this flag is off.
+.BR locked " { " on " | " off " }"
+- sets or unsets a port in locked mode, so that when enabled, hosts
+behind the port cannot communicate through the port unless a FDB entry
+representing the host is in the FDB. By default this flag is off.
+
.BI backup_port " DEVICE"
- if the port loses carrier all traffic will be redirected to the
configured backup port
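Review bot: "unless a FDB entry" should read "unless an FDB entry" (bridge.8 in 3/4 already has "an"), and "sets or unsets a port in locked mode, so that when enabled, hosts behind the port cannot communicate" is awkward; suggest "- controls whether the port is locked. When on, hosts behind the port cannot communicate through it unless an FDB entry representing the host exists. By default this flag is off.", which also follows the "- controls whether ..." phrasing of the `vlan_tunnel` entry just above. The two man pages should describe the flag in the same terms.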
--
2.30.2
* Re: [PATCH iproute2-next V2 0/4] Add support for locked bridge ports (for 802.1X)
From: patchwork-bot+netdevbpf @ 2022-03-04 16:20 UTC (permalink / raw)
To: Hans Schultz
Cc: davem, kuba, netdev, schultz.hans+netdev, stephen, linux-kernel
Hello:
This series was applied to iproute2/iproute2-next.git (main)
by David Ahern <dsahern@kernel.org>:
On Mon, 28 Feb 2022 14:36:46 +0100 you wrote:
> This patch set is to complement the kernel locked port patches, such
> that iproute2 can be used to lock/unlock a port and check if a port
> is locked or not. To lock or unlock a port use the command:
>
> bridge link set dev DEV locked {on | off}
>
>
> [...]
Here is the summary with links:
- [iproute2-next,V2,1/4] bridge: link: add command to set port in locked mode
(no matching commit)
- [iproute2-next,V2,2/4] ip: iplink_bridge_slave: add locked port flag support
https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=092af16b7eed
- [iproute2-next,V2,3/4] man8/bridge.8: add locked port feature description and cmd syntax
https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=d4fe36736dfb
- [iproute2-next,V2,4/4] man8/ip-link.8: add locked port feature description and cmd syntax
https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=0a685b987c06
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH iproute2-next V2 0/4] Add support for locked bridge ports (for 802.1X)
From: Hans Schultz @ 2022-03-11 8:54 UTC (permalink / raw)
To: Hans Schultz, davem, kuba; +Cc: netdev, Stephen Hemminger, linux-kernel
On Mon, Feb 28, 2022 at 14:36, Hans Schultz <schultz.hans@gmail.com> wrote:
> This patch set is to complement the kernel locked port patches, such
> that iproute2 can be used to lock/unlock a port and check if a port
> is locked or not. To lock or unlock a port use the command:
>
> bridge link set dev DEV locked {on | off}
>
>
> To show the detailed setting of a port, including if the locked flag is
> enabled for the port(s), use the command:
>
> bridge -d link show [dev DEV]
>
>
> Hans Schultz (4):
> bridge: link: add command to set port in locked mode
> ip: iplink_bridge_slave: add locked port flag support
> man8/bridge.8: add locked port feature description and cmd syntax
> man8/ip-link.8: add locked port feature description and cmd syntax
>
> bridge/link.c | 13 +++++++++++++
> include/uapi/linux/if_link.h | 1 +
> ip/iplink_bridge_slave.c | 9 +++++++++
> man/man8/bridge.8 | 11 +++++++++++
> man/man8/ip-link.8.in | 6 ++++++
> 5 files changed, 40 insertions(+)
>
> --
> 2.30.2
Hi!
Would it be an idea to add a switch to iproute2 commands that would list
the supported features of the current version of the command (or all of
iproute2) instead of having to deduce it indirectly?
F.ex. a feature I am adding will only work indirectly with iproute2, and
thus it will be difficult to determine if the feature is available or
not.
Hans
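As an added example, not code from this series or from iproute2, here is the indirect feature check the last message in the thread complains about, written as a shell script: it looks for the `locked {on | off}` keyword in the usage text that patch 1/4 adds to `bridge link`, and parses `bridge -d link show` output (the command the cover letter gives for inspecting the flag) to list the ports reporting `locked on`. It assumes that `bridge link help` prints its usage block to stderr and exits non-zero, and that `bridge -d link show` prints each port's detailed flags on an indented line after the `N: name: <...>` header; both sample outputs below are constructed, not captured from a running system.

```shell
#!/bin/sh
# Added example (not part of the patch series or of iproute2): detect whether
# the installed `bridge` knows the "locked" keyword, and list locked ports
# from `bridge -d link show` output.

# Read a `bridge link` usage block on stdin; succeed if it lists "locked".
# The fixed string is the one from the usage() text added in bridge/link.c.
usage_mentions_locked() {
    grep -qF 'locked {on | off}'
}

# Run against the installed binary. `bridge link help` prints usage to stderr
# and exits non-zero (assumed), so the status that matters is grep's.
bridge_supports_locked() {
    bridge link help 2>&1 | usage_mentions_locked
}

# Read `bridge -d link show` output on stdin and print the name of every port
# whose flag line carries "locked on". The name comes from the most recent
# "N: name: <...>" header, with any "@parent" suffix stripped.
locked_ports() {
    awk '
        /^[0-9]+: / {
            name = $2
            sub(/:$/, "", name)
            sub(/@.*/, "", name)
        }
        /(^|[ \t])locked on([ \t]|$)/ { print name }
    '
}

# Constructed sample of `bridge -d link show` output (assumed layout: one
# header line per port, then an indented line with the per-port flags).
SAMPLE_SHOW='2: swp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked on
3: swp2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked off
4: swp3@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked on'

# Constructed usage text in the shape of the patched bridge/link.c usage().
SAMPLE_USAGE='Usage: bridge link set dev DEV [ cost COST ] [ priority PRIO ] [ state STATE ]
                               [ isolated {on | off} ]
                               [ locked {on | off} ]
                               [ hwmode {vepa | veb} ]'

# Stand-alone run: `sh locked.sh --demo` lists the locked ports in the sample
# and, if a `bridge` binary is on PATH, reports whether it knows the keyword.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SHOW" | locked_ports
    if command -v bridge >/dev/null 2>&1; then
        if bridge_supports_locked; then
            echo "installed bridge: locked supported"
        else
            echo "installed bridge: locked NOT supported"
        fi
    fi
fi
```

The usage grep only tells you that the user-space tool accepts the keyword; whether the running kernel honours IFLA_BRPORT_LOCKED is a separate question, and the only way to learn that from the command line is to set the flag and read it back with `bridge -d link show`, which is what `locked_ports` is for.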