netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Hans Schultz <netdev@kapio-technology.com>
To: davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org,
	Hans Schultz <netdev@kapio-technology.com>,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
	Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Shuah Khan <shuah@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Ido Schimmel <idosch@nvidia.com>,
	linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
	linux-kselftest@vger.kernel.org
Subject: [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
Date: Thu,  7 Jul 2022 17:29:30 +0200	[thread overview]
Message-ID: <20220707152930.1789437-7-netdev@kapio-technology.com> (raw)
In-Reply-To: <20220707152930.1789437-1-netdev@kapio-technology.com>

Verify that the MAC-Auth mechanism works by adding a FDB entry with the
locked flag set, denying access until the FDB entry is replaced with a
FDB entry without the locked flag set.

Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
 .../net/forwarding/bridge_locked_port.sh      | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
index 5b02b6b60ce7..1ee12d7b5c8b 100755
--- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 
-ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
+ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
 NUM_NETIFS=4
 CHECK_TC="no"
 source lib.sh
@@ -166,6 +166,34 @@ locked_port_ipv6()
 	log_test "Locked port ipv6"
 }
 
+locked_port_mab()
+{
+	RET=0
+	check_locked_port_support || return 0
+
+	ping_do $h1 192.0.2.2
+	check_err $? "MAB: Ping did not work before locking port"
+
+	bridge link set dev $swp1 locked on
+	bridge link set dev $swp1 learning on
+
+	ping_do $h1 192.0.2.2
+	check_fail $? "MAB: Ping worked on locked port without FDB entry"
+
+	bridge fdb show | grep `mac_get $h1` | grep -q "locked"
+	check_err $? "MAB: No locked fdb entry after ping on locked port"
+
+	bridge fdb replace `mac_get $h1` dev $swp1 master static
+
+	ping_do $h1 192.0.2.2
+	check_err $? "MAB: Ping did not work with fdb entry without locked flag"
+
+	bridge fdb del `mac_get $h1` dev $swp1 master
+	bridge link set dev $swp1 learning off
+	bridge link set dev $swp1 locked off
+
+	log_test "Locked port MAB"
+}
 trap cleanup EXIT
 
 setup_prepare
-- 
2.30.2


  parent reply	other threads:[~2022-07-07 15:30 UTC|newest]

Thread overview: 59+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-07 15:29 [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz
2022-07-10  8:20   ` Ido Schimmel
2022-07-07 15:29 ` [PATCH v4 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-07-08  8:54   ` Vladimir Oltean
2022-08-02  8:27     ` netdev
2022-08-02 10:13     ` netdev
2022-07-07 15:29 ` [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-07-08  7:12   ` kernel test robot
2022-07-08  8:49   ` Vladimir Oltean
2022-07-08  9:06     ` netdev
2022-07-08  9:15       ` Vladimir Oltean
2022-07-08  9:27         ` netdev
2022-07-08  9:50         ` netdev
2022-07-08 11:56           ` Vladimir Oltean
2022-07-08 12:34             ` netdev
2022-07-10  8:35               ` Ido Schimmel
2022-07-13  7:09                 ` netdev
2022-07-13 12:39                   ` Ido Schimmel
2022-07-17 12:21                     ` netdev
2022-07-17 12:57                       ` Vladimir Oltean
2022-07-17 13:09                         ` netdev
2022-07-17 13:59                           ` Vladimir Oltean
2022-07-17 14:57                             ` netdev
2022-07-17 15:08                               ` Vladimir Oltean
2022-07-17 16:10                                 ` netdev
2022-07-21 11:54                                   ` Vladimir Oltean
2022-07-17 15:20                       ` Ido Schimmel
2022-07-17 15:53                         ` netdev
2022-07-21 11:59                           ` Vladimir Oltean
2022-07-21 13:27                             ` Ido Schimmel
2022-07-21 14:20                               ` Vladimir Oltean
2022-07-24 11:10                                 ` Ido Schimmel
2022-08-01 11:57                                   ` netdev
2022-08-01 13:14                                   ` netdev
2022-08-02 12:54                             ` netdev
2022-08-01 15:33                     ` netdev
2022-08-09  9:20                       ` Ido Schimmel
2022-08-09 20:00                         ` netdev
2022-08-10  7:21                           ` Ido Schimmel
2022-08-10  8:40                             ` netdev
2022-08-11 11:28                               ` Ido Schimmel
2022-08-12 15:33                                 ` netdev
2022-08-16  7:51                             ` netdev
2022-08-17  6:21                               ` Ido Schimmel
2022-07-21 11:51           ` Vladimir Oltean
2022-07-08 20:39   ` kernel test robot
2022-07-07 15:29 ` [PATCH v4 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 5/6] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-07-08  9:46   ` kernel test robot
2022-07-17  0:47   ` Vladimir Oltean
2022-07-17 12:34     ` netdev
2022-07-21 12:04       ` Vladimir Oltean
2022-08-19  8:28     ` netdev
2022-07-07 15:29 ` Hans Schultz [this message]
2022-07-10  7:29   ` [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Ido Schimmel
2022-07-12 12:28     ` netdev
2022-07-08  1:00 ` [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Jakub Kicinski
2022-08-11  5:09 ` Benjamin Poirier

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220707152930.1789437-7-netdev@kapio-technology.com \
    --to=netdev@kapio-technology.com \
    --cc=andrew@lunn.ch \
    --cc=bridge@lists.linux-foundation.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=f.fainelli@gmail.com \
    --cc=idosch@nvidia.com \
    --cc=ivecera@redhat.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=olteanv@gmail.com \
    --cc=pabeni@redhat.com \
    --cc=razor@blackwall.org \
    --cc=roopa@nvidia.com \
    --cc=shuah@kernel.org \
    --cc=vivien.didelot@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).