public inbox for netdev@vger.kernel.org
From: Vladimir Oltean <olteanv@gmail.com>
To: Hangbin Liu <liuhangbin@gmail.com>
Cc: netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
	David Ahern <dsahern@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Ido Schimmel <idosch@idosch.org>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Roopa Prabhu <roopa@nvidia.com>,
	Stephen Hemminger <stephen@networkplumber.org>,
	Florian Westphal <fw@strlen.de>, Andrew Lunn <andrew@lunn.ch>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>,
	Marc Muehlfeld <mmuehlfe@redhat.com>
Subject: Re: [PATCH net-next 02/10] net: bridge: add document for IFLA_BRPORT enum
Date: Mon, 20 Nov 2023 13:31:27 +0200
Message-ID: <20231120113127.mih5yjsm2246jvrl@skbuf>
In-Reply-To: <20231117093145.1563511-3-liuhangbin@gmail.com>

On Fri, Nov 17, 2023 at 05:31:37PM +0800, Hangbin Liu wrote:
> + * @IFLA_BRPORT_LEARNING
> + *   Controls whether a given port will learn *source* MAC addresses from
> + *   received traffic or not. By default this flag is on.

Also controls whether dynamic FDB entries (which can also be added by
software) will be refreshed by incoming traffic.

This is subtle but important in certain use cases (below).

> + * @IFLA_BRPORT_LOCKED
> + *   Controls whether a port will be locked, meaning that hosts behind the
> + *   port will not be able to communicate through the port unless an FDB
> + *   entry with the unit's MAC address is in the FDB. The common use case is
> + *   that hosts are allowed access through authentication with the IEEE 802.1X
> + *   protocol or based on whitelists. By default this flag is off.
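Review bot: "the unit's MAC address" in the IFLA_BRPORT_LOCKED text is ambiguous, since nothing in the entry defines "unit"; suggest "an FDB entry with the host's MAC address" so it matches the "hosts behind the port" wording two lines earlier.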

Here seems like a good place to add this warning:

Secure 802.1X deployments should always use the BR_BOOLOPT_NO_LL_LEARN
flag, to not permit the bridge to populate its FDB based on link-local
(EAPOL) traffic received on the port.

> + *
> + * @IFLA_BRPORT_MAB
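Review bot: the quoted IFLA_BRPORT_MAB entry shows no default value, while the IFLA_BRPORT_LEARNING and IFLA_BRPORT_LOCKED entries above both close with a "By default this flag is on/off." sentence; the MAB entry should state its default in the same form for consistency.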

Controls whether a port will use MAC Authentication Bypass (MAB), a
technique through which select MAC addresses may be allowed on a locked
port, without using 802.1X authentication. Packets with an unknown source
MAC address generate a "locked" FDB entry on the incoming bridge port.
The common use case is for user space to react to these bridge FDB
notifications and optionally replace the locked FDB entry with a normal
one, allowing traffic to pass for whitelisted MAC addresses.

Setting this flag also requires IFLA_BRPORT_LOCKED and IFLA_BRPORT_LEARNING.
IFLA_BRPORT_LOCKED ensures that unauthorized data packets are dropped,
and IFLA_BRPORT_LEARNING allows the dynamic FDB entries installed by
user space (as replacements for the locked FDB entries) to be refreshed
and/or aged out.

(source: https://lore.kernel.org/netdev/20221018165619.134535-11-netdev@kapio-technology.com/)
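As an added example (not part of this message, and not the kernel's or iproute2's own code) of the configuration described above: a POSIX shell script that sets the bridge-wide no_linklocal_learn option and the locked/learning/mab port flags, then reacts to the "locked" FDB entries MAB generates by replacing whitelisted ones with normal dynamic entries. The bridge name br0, port swp1, the whitelist file path and the exact "bridge monitor fdb" line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the kernel or this thread). Assumed names:
# bridge br0, port swp1, whitelist file with one MAC per line.
# DRY_RUN=1 prints the iproute2 commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Bridge-wide: do not learn from link-local (EAPOL) frames, so an
# unauthenticated supplicant's 802.1X traffic cannot populate the FDB.
# Port: locked drops unauthorized data frames, learning lets the dynamic
# entries installed by user space be refreshed/aged, mab makes unknown
# source MACs show up as "locked" FDB entries instead of being ignored.
setup_mab_port() {
    br="$1"; port="$2"
    run ip link set dev "$br" type bridge no_linklocal_learn 1
    run ip link set dev "$port" type bridge_slave locked on learning on mab on
}

# Handle one line of "bridge monitor fdb" output. The format is assumed
# (constructed) to be "<mac> dev <port> master <br> locked" for a MAB
# miss, with deletions prefixed by "Deleted". For a whitelisted MAC the
# locked entry is replaced by a normal dynamic one (command is printed or
# executed, returns 0); otherwise return 1 and leave the locked entry
# alone, so the host stays blocked.
mab_handle_line() {
    line="$1"; allowed="$2"
    case " $line " in
        " Deleted "*) return 1 ;;   # entry going away, nothing to authorize
        *" locked "*) ;;            # MAB notification for an unknown MAC
        *) return 1 ;;              # ordinary FDB event
    esac
    set -- $line
    mac="$1"; port="$3"
    grep -qix "$mac" "$allowed" || return 1
    run bridge fdb replace "$mac" dev "$port" master dynamic
}

# React to locked-entry notifications until interrupted.
mab_loop() {
    allowed="$1"
    bridge monitor fdb | while read -r line; do
        mab_handle_line "$line" "$allowed" || :
    done
}

# Usage (as root):
#   setup_mab_port br0 swp1
#   mab_loop /etc/mab/allowed-macs
```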
