From: Ido Schimmel <idosch@nvidia.com>
To: netdev@vger.kernel.org, bridge@lists.linux-foundation.org
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
edumazet@google.com, jiri@nvidia.com, petrm@nvidia.com,
ivecera@redhat.com, roopa@nvidia.com, razor@blackwall.org,
netdev@kapio-technology.com, vladimir.oltean@nxp.com,
mlxsw@nvidia.com, Ido Schimmel <idosch@nvidia.com>
Subject: [RFC PATCH net-next 05/16] devlink: Add packet traps for 802.1X operation
Date: Tue, 25 Oct 2022 13:00:13 +0300 [thread overview]
Message-ID: <20221025100024.1287157-6-idosch@nvidia.com> (raw)
In-Reply-To: <20221025100024.1287157-1-idosch@nvidia.com>
Add packet traps for 802.1X operation. The "eapol" control trap is used
to trap EAPOL packets and is required for the correct operation of the
control plane. The "locked_port" drop trap can be enabled to gain
visibility into packets that were dropped by the device due to the
locked bridge port check.
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
Documentation/networking/devlink/devlink-trap.rst | 13 +++++++++++++
include/net/devlink.h | 9 +++++++++
net/core/devlink.c | 3 +++
3 files changed, 25 insertions(+)
diff --git a/Documentation/networking/devlink/devlink-trap.rst b/Documentation/networking/devlink/devlink-trap.rst
index 90d1381b88de..2c14dfe69b3a 100644
--- a/Documentation/networking/devlink/devlink-trap.rst
+++ b/Documentation/networking/devlink/devlink-trap.rst
@@ -485,6 +485,16 @@ be added to the following table:
- Traps incoming packets that the device decided to drop because
the destination MAC is not configured in the MAC table and
the interface is not in promiscuous mode
+ * - ``eapol``
+ - ``control``
+ - Traps "Extensible Authentication Protocol over LAN" (EAPOL) packets
+ specified in IEEE 802.1X
+ * - ``locked_port``
+ - ``drop``
+ - Traps packets that the device decided to drop because they failed the
+ locked bridge port check. That is, packets that were received via a
+ locked port and whose {SMAC, VID} does not correspond to an FDB entry
+ pointing to the port
Driver-specific Packet Traps
============================
@@ -589,6 +599,9 @@ narrow. The description of these groups must be added to the following table:
* - ``parser_error_drops``
- Contains packet traps for packets that were marked by the device during
parsing as erroneous
+ * - ``eapol``
+ - Contains packet traps for "Extensible Authentication Protocol over LAN"
+ (EAPOL) packets specified in IEEE 802.1X
Packet Trap Policers
====================
diff --git a/include/net/devlink.h b/include/net/devlink.h
index ba6b8b094943..afd9999a9b2a 100644
--- a/include/net/devlink.h
+++ b/include/net/devlink.h
@@ -885,6 +885,8 @@ enum devlink_trap_generic_id {
DEVLINK_TRAP_GENERIC_ID_ESP_PARSING,
DEVLINK_TRAP_GENERIC_ID_BLACKHOLE_NEXTHOP,
DEVLINK_TRAP_GENERIC_ID_DMAC_FILTER,
+ DEVLINK_TRAP_GENERIC_ID_EAPOL,
+ DEVLINK_TRAP_GENERIC_ID_LOCKED_PORT,
/* Add new generic trap IDs above */
__DEVLINK_TRAP_GENERIC_ID_MAX,
@@ -921,6 +923,7 @@ enum devlink_trap_group_generic_id {
DEVLINK_TRAP_GROUP_GENERIC_ID_ACL_SAMPLE,
DEVLINK_TRAP_GROUP_GENERIC_ID_ACL_TRAP,
DEVLINK_TRAP_GROUP_GENERIC_ID_PARSER_ERROR_DROPS,
+ DEVLINK_TRAP_GROUP_GENERIC_ID_EAPOL,
/* Add new generic trap group IDs above */
__DEVLINK_TRAP_GROUP_GENERIC_ID_MAX,
@@ -1112,6 +1115,10 @@ enum devlink_trap_group_generic_id {
"blackhole_nexthop"
#define DEVLINK_TRAP_GENERIC_NAME_DMAC_FILTER \
"dmac_filter"
+#define DEVLINK_TRAP_GENERIC_NAME_EAPOL \
+ "eapol"
+#define DEVLINK_TRAP_GENERIC_NAME_LOCKED_PORT \
+ "locked_port"
#define DEVLINK_TRAP_GROUP_GENERIC_NAME_L2_DROPS \
"l2_drops"
@@ -1165,6 +1172,8 @@ enum devlink_trap_group_generic_id {
"acl_trap"
#define DEVLINK_TRAP_GROUP_GENERIC_NAME_PARSER_ERROR_DROPS \
"parser_error_drops"
+#define DEVLINK_TRAP_GROUP_GENERIC_NAME_EAPOL \
+ "eapol"
#define DEVLINK_TRAP_GENERIC(_type, _init_action, _id, _group_id, \
_metadata_cap) \
diff --git a/net/core/devlink.c b/net/core/devlink.c
index 89baa7c0938b..dc54182f2e57 100644
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -11624,6 +11624,8 @@ static const struct devlink_trap devlink_trap_generic[] = {
DEVLINK_TRAP(ESP_PARSING, DROP),
DEVLINK_TRAP(BLACKHOLE_NEXTHOP, DROP),
DEVLINK_TRAP(DMAC_FILTER, DROP),
+ DEVLINK_TRAP(EAPOL, CONTROL),
+ DEVLINK_TRAP(LOCKED_PORT, DROP),
};
#define DEVLINK_TRAP_GROUP(_id) \
@@ -11659,6 +11661,7 @@ static const struct devlink_trap_group devlink_trap_group_generic[] = {
DEVLINK_TRAP_GROUP(ACL_SAMPLE),
DEVLINK_TRAP_GROUP(ACL_TRAP),
DEVLINK_TRAP_GROUP(PARSER_ERROR_DROPS),
+ DEVLINK_TRAP_GROUP(EAPOL),
};
static int devlink_trap_generic_verify(const struct devlink_trap *trap)
--
2.37.3
next prev parent reply other threads:[~2022-10-25 10:08 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-25 10:00 [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support Ido Schimmel
2022-10-25 11:00 ` Nikolay Aleksandrov
2022-10-27 22:58 ` Vladimir Oltean
2022-10-28 7:45 ` netdev
2022-10-30 12:59 ` Ido Schimmel
2022-10-30 12:48 ` Ido Schimmel
2022-10-30 22:09 ` netdev
2022-10-31 14:43 ` Ido Schimmel
2022-10-31 16:40 ` netdev
2022-10-25 10:00 ` [RFC PATCH net-next 02/16] selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication Ido Schimmel
2022-10-27 23:10 ` Vladimir Oltean
2022-10-30 9:25 ` Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries Ido Schimmel
2022-10-25 11:03 ` Nikolay Aleksandrov
2022-10-27 23:27 ` Vladimir Oltean
2022-10-30 13:38 ` Ido Schimmel
2022-10-25 10:00 ` Ido Schimmel [this message]
2022-10-25 10:00 ` [RFC PATCH net-next 06/16] mlxsw: spectrum_trap: Register 802.1X packet traps with devlink Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 07/16] mlxsw: reg: Add Switch Port FDB Security Register Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 08/16] mlxsw: spectrum: Add an API to configure security checks Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 09/16] mlxsw: spectrum_switchdev: Prepare for locked FDB notifications Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support " Ido Schimmel
2022-10-27 23:39 ` Vladimir Oltean
2022-10-30 8:23 ` Ido Schimmel
2022-10-31 8:32 ` Vladimir Oltean
2022-11-03 22:31 ` Vladimir Oltean
2022-11-03 22:54 ` Ido Schimmel
2022-11-03 23:03 ` Vladimir Oltean
2022-10-25 10:00 ` [RFC PATCH net-next 11/16] mlxsw: spectrum_switchdev: Use extack in bridge port flag validation Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 12/16] mlxsw: spectrum_switchdev: Add locked bridge port support Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 13/16] selftests: devlink_lib: Split out helper Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 14/16] selftests: mlxsw: Add a test for EAPOL trap Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 15/16] selftests: mlxsw: Add a test for locked port trap Ido Schimmel
2022-10-25 10:00 ` [RFC PATCH net-next 16/16] selftests: mlxsw: Add a test for invalid locked bridge port configurations Ido Schimmel
2022-10-25 14:09 ` [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload netdev
2022-10-25 17:43 ` Ido Schimmel
2022-10-27 23:49 ` Vladimir Oltean
2022-11-06 12:04 ` netdev
2022-11-06 13:21 ` Ido Schimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221025100024.1287157-6-idosch@nvidia.com \
--to=idosch@nvidia.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ivecera@redhat.com \
--cc=jiri@nvidia.com \
--cc=kuba@kernel.org \
--cc=mlxsw@nvidia.com \
--cc=netdev@kapio-technology.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petrm@nvidia.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).