From patchwork Thu Mar 17 09:38:59 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans S X-Patchwork-Id: 552923 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19F8BC433EF for ; Thu, 17 Mar 2022 09:39:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232072AbiCQJkm (ORCPT ); Thu, 17 Mar 2022 05:40:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49660 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232066AbiCQJkh (ORCPT ); Thu, 17 Mar 2022 05:40:37 -0400 Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F5FC185962; Thu, 17 Mar 2022 02:39:20 -0700 (PDT) Received: by mail-lf1-x12c.google.com with SMTP id w12so7998330lfr.9; Thu, 17 Mar 2022 02:39:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:organization:content-transfer-encoding; bh=c4q1aukNB19Ywn0yhrK5YppHN0nN9ZnWCosl/BOVje8=; b=HBcQdLeyekvttOcqJyw/c2RfIJxEBHgYmtgQ3kD1Xz3683ZUW4Jw/KOKUVwlroPElG 5pDByd9XOH/i5ZMoYANS4jS4pP9mrMVS7G47zk8KaWVoHvSthe7mHHXvQUkyF3aCESBH x09n0Nid2fsa8RCqAShcyHR01JqSdFESXgzUcBhrb+QkYTgHJ68TnVfuO6+4q56JUoDH lxpqApIUbHTlc+9iMYXHRw5kK0teaRUsJ1STRRsgWdv27ygQy6nJJK8dAtqBuhIEFsJA qQKcS21luVzhyRr8UEBQs/KsUp111+G7zevtkBdtwFjmtB2NLV3y2L5MGJonrAuKoKEJ 0hPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:organization:content-transfer-encoding; bh=c4q1aukNB19Ywn0yhrK5YppHN0nN9ZnWCosl/BOVje8=; b=v39XRQ4NEVPE/bnGmu8otanLcIG3rc9GosFzm+Yjbf9JfsonK2rCsTc3t3cVcBSKLM UgNdivJCmsLpUlLwJR4bRm/QzfBbJQBmw246ol17+K7ZbyWgwL5iXQMuNw2OlLzAXV63 bmiDxrd/Uh7NpVyfc/LTaSVyhgT5c1Y6nxV0owqabmde9jCEpwoVjNb5ogfc22mqUCs3 BfZhqn9NbZXzMA5/8B7zHm8OjekJJaegAAlpbpgDG3Iexbzs4q22OfU+DVtSFwwYh1qn XW3oZ8dq6xRpnXu9Qtydpvh2LhMGwyFO/YVNDOZZJPGiwTAEX1WskxBDIlDS29EoVK5J aUiA== X-Gm-Message-State: AOAM5321qSj+poZ0EUhc+1chkVrc815mtR+B1kOFMEuKqyWMmsXK7USp ET/agpjWXBcB/UiDQ+FiRGU= X-Google-Smtp-Source: ABdhPJykJl4mFrePipnjHt0TpvxaENudHa6jNxkNkOf6DYzLxpODUqNfms27hDJoydvENM6tME91+w== X-Received: by 2002:a05:6512:2214:b0:449:f68c:b4e4 with SMTP id h20-20020a056512221400b00449f68cb4e4mr1505255lfu.289.1647509958750; Thu, 17 Mar 2022 02:39:18 -0700 (PDT) Received: from wse-c0127.beijerelectronics.com ([208.127.141.29]) by smtp.gmail.com with ESMTPSA id w13-20020a2e998d000000b002496199495csm113479lji.55.2022.03.17.02.39.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Mar 2022 02:39:18 -0700 (PDT) From: Hans Schultz X-Google-Original-From: Hans Schultz To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature Date: Thu, 17 Mar 2022 10:38:59 +0100 Message-Id: <20220317093902.1305816-2-schultz.hans+netdev@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> References: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> MIME-Version: 1.0 Organization: Westermo Network Technologies AB Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Add an intermediate state for clients behind a locked port to allow for possible opening of the port for said clients. This feature corresponds to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The latter defined by Cisco. Only the kernel can set this FDB entry flag, while userspace can read the flag and remove it by deleting the FDB entry. Signed-off-by: Hans Schultz --- include/uapi/linux/neighbour.h | 1 + net/bridge/br_fdb.c | 6 ++++++ net/bridge/br_input.c | 10 +++++++++- net/bridge/br_private.h | 3 ++- 4 files changed, 18 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h index db05fb55055e..a2df3b9b2f68 100644 --- a/include/uapi/linux/neighbour.h +++ b/include/uapi/linux/neighbour.h @@ -51,6 +51,7 @@ enum { #define NTF_ROUTER (1 << 7) /* Extended flags under NDA_FLAGS_EXT: */ #define NTF_EXT_MANAGED (1 << 0) +#define NTF_EXT_LOCKED (1 << 1) /* * Neighbor Cache Entry States. diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index 6ccda68bd473..57ec559a85a7 100644 --- a/net/bridge/br_fdb.c +++ b/net/bridge/br_fdb.c @@ -105,6 +105,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, struct nda_cacheinfo ci; struct nlmsghdr *nlh; struct ndmsg *ndm; + u8 ext_flags = 0; nlh = nlmsg_put(skb, portid, seq, type, sizeof(*ndm), flags); if (nlh == NULL) @@ -125,11 +126,16 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, ndm->ndm_flags |= NTF_EXT_LEARNED; if (test_bit(BR_FDB_STICKY, &fdb->flags)) ndm->ndm_flags |= NTF_STICKY; + if (test_bit(BR_FDB_ENTRY_LOCKED, &fdb->flags)) + ext_flags |= NTF_EXT_LOCKED; if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr)) goto nla_put_failure; if (nla_put_u32(skb, NDA_MASTER, br->dev->ifindex)) goto nla_put_failure; + if (nla_put_u8(skb, NDA_FLAGS_EXT, ext_flags)) + goto nla_put_failure; + ci.ndm_used = jiffies_to_clock_t(now - fdb->used); ci.ndm_confirmed = 0; ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated); diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index e0c13fcc50ed..5ef25a496806 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -94,8 +94,16 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid); if (!fdb_src || READ_ONCE(fdb_src->dst) != p || - test_bit(BR_FDB_LOCAL, &fdb_src->flags)) + test_bit(BR_FDB_LOCAL, &fdb_src->flags) || + test_bit(BR_FDB_ENTRY_LOCKED, &fdb_src->flags)) { + if (!fdb_src) { + unsigned long flags = 0; + + set_bit(BR_FDB_ENTRY_LOCKED, &flags); + br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, flags); + } goto drop; + } } nbp_switchdev_frame_mark(p, skb); diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 48bc61ebc211..f5a0b68c4857 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -248,7 +248,8 @@ enum { BR_FDB_ADDED_BY_EXT_LEARN, BR_FDB_OFFLOADED, BR_FDB_NOTIFY, - BR_FDB_NOTIFY_INACTIVE + BR_FDB_NOTIFY_INACTIVE, + BR_FDB_ENTRY_LOCKED, }; struct net_bridge_fdb_key { From patchwork Thu Mar 17 09:39:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans S X-Patchwork-Id: 552399 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F5F0C4332F for ; Thu, 17 Mar 2022 09:39:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232069AbiCQJkm (ORCPT ); Thu, 17 Mar 2022 05:40:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232068AbiCQJkj (ORCPT ); Thu, 17 Mar 2022 05:40:39 -0400 Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEAD9186F9F; Thu, 17 Mar 2022 02:39:23 -0700 (PDT) Received: by mail-lf1-x136.google.com with SMTP id w12so7998496lfr.9; Thu, 17 Mar 2022 02:39:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:organization:content-transfer-encoding; bh=uwQnx6pwvh3u1NvgP1tcS0s4NRQpVnBsyx6kEU6UEk4=; b=k2kH5SHw44LX+U1I8vgVRDFxYoHVjCkRGfxHD/XVhACKFuDfdlyhwS79VhJqBVe1Sv ZyLiPp7rGfQu5J9UThvg5umZaEIxmlRYvRHzJHdY4bKA64MnmTClSRh+/5l37fXS+hiE +aoPn89ubtg6jgj9L59kxamoAPiT3Qk812c68GxOzV1AP+EDdGcv/MAAxE1bJHDfA9/b Q3cFIeanOs7HQklTpyEjGuaq0K54NE9OphWdpuCWgxIHDHxHOxbFPJ40VkzCUCvluPJI lYU+T38iERECXUx/1dFg0vEu7Qkjali7PfdqYHFdu8lVGVRwHSSfP9hKMtShBwaEwiMf d+OQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:organization:content-transfer-encoding; bh=uwQnx6pwvh3u1NvgP1tcS0s4NRQpVnBsyx6kEU6UEk4=; b=7a9NqKHifCJzmQuYW3QcnQocbV+2/h/FH7kb7suMNjvC1aCnQ7ndkPqcqaFoVdWRFK IpZW3/Npdvuqdk1rc+agb+nKGCJdkfOWmXf/E12AU2+OhyUfR7ikm9BfaEPR98M7ICS9 N8pEc+R8CTYZDGFyQVwmDdZbuRJyXVzWC6zbn3J91mJE6zvSvJv8z+q5iICyE3/D7cMT qnPMKbDWLea4uEL8c5UdWg/yC3bdqhK3Bycr7TkAL0LrXrRAmsKdVQ1XKvryhIVlHZBh LUJKuTxoIPdO5n5/pGcCPXynZo79ubSnGTGM6u+JITbB4sPcMxEzoBtXqYi2Q8gGuIFK twMA== X-Gm-Message-State: AOAM533yN0NtIbUb7ZsjHG3N1EiTdlR+H6DKWOdQO+dyhvKFvADvtgDN KO8ybOzCVjLAkq4k1CplY6c= X-Google-Smtp-Source: ABdhPJz2ESit2pwtBK0+dp42fWwk772KaV2IroyT2+W3Q+GDPLm+wy9O37fS8qnrLVrRU105KSbOYA== X-Received: by 2002:a05:6512:32c2:b0:448:942a:3362 with SMTP id f2-20020a05651232c200b00448942a3362mr2368898lfg.356.1647509961939; Thu, 17 Mar 2022 02:39:21 -0700 (PDT) Received: from wse-c0127.beijerelectronics.com ([208.127.141.29]) by smtp.gmail.com with ESMTPSA id w13-20020a2e998d000000b002496199495csm113479lji.55.2022.03.17.02.39.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Mar 2022 02:39:21 -0700 (PDT) From: Hans Schultz X-Google-Original-From: Hans Schultz To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag Date: Thu, 17 Mar 2022 10:39:00 +0100 Message-Id: <20220317093902.1305816-3-schultz.hans+netdev@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> References: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> MIME-Version: 1.0 Organization: Westermo Network Technologies AB Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Used for Mac-auth/MAB feature in the offloaded case. Signed-off-by: Hans Schultz --- include/net/switchdev.h | 3 ++- net/bridge/br.c | 3 ++- net/bridge/br_fdb.c | 7 +++++-- net/bridge/br_private.h | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/net/switchdev.h b/include/net/switchdev.h index 3e424d40fae3..d5d923411f5e 100644 --- a/include/net/switchdev.h +++ b/include/net/switchdev.h @@ -229,7 +229,8 @@ struct switchdev_notifier_fdb_info { u16 vid; u8 added_by_user:1, is_local:1, - offloaded:1; + offloaded:1, + locked:1; }; struct switchdev_notifier_port_obj_info { diff --git a/net/bridge/br.c b/net/bridge/br.c index b1dea3febeea..adcdbecbc218 100644 --- a/net/bridge/br.c +++ b/net/bridge/br.c @@ -166,7 +166,8 @@ static int br_switchdev_event(struct notifier_block *unused, case SWITCHDEV_FDB_ADD_TO_BRIDGE: fdb_info = ptr; err = br_fdb_external_learn_add(br, p, fdb_info->addr, - fdb_info->vid, false); + fdb_info->vid, false, + fdb_info->locked); if (err) { err = notifier_from_errno(err); break; diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index 57ec559a85a7..57aa1955d34d 100644 --- a/net/bridge/br_fdb.c +++ b/net/bridge/br_fdb.c @@ -987,7 +987,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br, "FDB entry towards bridge must be permanent"); return -EINVAL; } - err = br_fdb_external_learn_add(br, p, addr, vid, true); + err = br_fdb_external_learn_add(br, p, addr, vid, true, false); } else { spin_lock_bh(&br->hash_lock); err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb); @@ -1216,7 +1216,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p) int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, const unsigned char *addr, u16 vid, - bool swdev_notify) + bool swdev_notify, bool locked) { struct net_bridge_fdb_entry *fdb; bool modified = false; @@ -1236,6 +1236,9 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, if (!p) flags |= BIT(BR_FDB_LOCAL); + if (locked) + flags |= BIT(BR_FDB_ENTRY_LOCKED); + fdb = fdb_create(br, p, addr, vid, flags); if (!fdb) { err = -ENOMEM; diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index f5a0b68c4857..3275e33b112f 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -790,7 +790,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p); void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p); int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, const unsigned char *addr, u16 vid, - bool swdev_notify); + bool swdev_notify, bool locked); int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p, const unsigned char *addr, u16 vid, bool swdev_notify); From patchwork Thu Mar 17 09:39:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans S X-Patchwork-Id: 552922 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B893C433EF for ; Thu, 17 Mar 2022 09:39:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232078AbiCQJko (ORCPT ); Thu, 17 Mar 2022 05:40:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50280 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232087AbiCQJkn (ORCPT ); Thu, 17 Mar 2022 05:40:43 -0400 Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B569A187BB0; Thu, 17 Mar 2022 02:39:26 -0700 (PDT) Received: by mail-lf1-x135.google.com with SMTP id bt26so8040628lfb.3; Thu, 17 Mar 2022 02:39:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:organization:content-transfer-encoding; bh=1iNgbwecG9CLhXeg2gQUBxDFDV574dX3fCv9EKwDpt4=; b=HXENDTyM/Sdta2Lj8Zcpjj5NFT7bAkeICoOGVLvwn7i9kQ04150a87KR339/nXjh/r c0bqAB+ZKbzvSwyj+6Fn9lJ69REzcTneYEtixxdOSUaZdY1ZI0YIp33ToLuRdEMK8BUX Pg3OhkrunR1fNB7tRzGxb5lPx51P0NHePGWvXwvCBKUZeeVd9oluKZc9BptLUiQDVII6 kH10dymWI8PMVkAV2aStuOLAlyWKP8jw3hhsEmI/HJ2zm8zCiMl4ROHyINKbDUPVV9wO V8wxma7y5CkBWFuWuudSr08iFZOPKQPD0hpwFiA6AGgmjg5K1BlZ/OfCf+jLPJczeEQ7 5H6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:organization:content-transfer-encoding; bh=1iNgbwecG9CLhXeg2gQUBxDFDV574dX3fCv9EKwDpt4=; b=jT9fyxuw0d6YMlZlTrhXRyl0xeDnmJOVB5WNSyEG4fHWdKwGLlm5tWCYe3b361TrK0 MozG208FPFfTLX7O/4ESQB4KJuu1xNMhQQJO5f9IiAWS69ghLZSQYlAroh/rrNOXodgV /BgrsitPQdfaG1AUpu10bXNTc0YVCd0KuGb6Mp6indDeMN06vQC4ObwKRWeiof2tKuti bvn4G5C4cMcR0hXsqgX84o2frtTiJGFNS6W/zogWcNVT8H23tMaxrUy+nQfRaL6Ygomb FjnHuYYy68rzQKxO7//XlB0I1f6S2w+HnkvqoqoA4PIJOTIeqXIIG0ommMoVdSvWC3jk 2dtg== X-Gm-Message-State: AOAM530zblyb5D4v8Jij/kJ9c8Mb7YcNM9gaZ9czF/Wkh8nhjKdRCFfI a5NiqmDECF92U5b2jVS05vA= X-Google-Smtp-Source: ABdhPJz7ZIV+tE9KhR33mvEXNsDVK1LOVgoI8AsaySYOAy4FcoH5Ek527dxqd7T9+wzuomja+yGxaA== X-Received: by 2002:a05:6512:3584:b0:448:26af:11c2 with SMTP id m4-20020a056512358400b0044826af11c2mr2256791lfr.391.1647509964927; Thu, 17 Mar 2022 02:39:24 -0700 (PDT) Received: from wse-c0127.beijerelectronics.com ([208.127.141.29]) by smtp.gmail.com with ESMTPSA id w13-20020a2e998d000000b002496199495csm113479lji.55.2022.03.17.02.39.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Mar 2022 02:39:24 -0700 (PDT) From: Hans Schultz X-Google-Original-From: Hans Schultz To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH v2 net-next 3/4] net: dsa: mv88e6xxx: mac-auth/MAB implementation Date: Thu, 17 Mar 2022 10:39:01 +0100 Message-Id: <20220317093902.1305816-4-schultz.hans+netdev@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> References: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> MIME-Version: 1.0 Organization: Westermo Network Technologies AB Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org This implementation for the Marvell mv88e6xxx chip series, is based on handling ATU miss violations occurring when packets ingress on a port that is locked. The mac address triggering the ATU miss violation is communicated through switchdev to the bridge module, which adds a fdb entry with the fdb locked flag set. Note: The locked port must have learning enabled for the ATU miss violation to occur. Signed-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/Makefile | 1 + drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- drivers/net/dsa/mv88e6xxx/chip.h | 5 ++ drivers/net/dsa/mv88e6xxx/global1.h | 1 + drivers/net/dsa/mv88e6xxx/global1_atu.c | 29 ++++++- .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c | 75 +++++++++++++++++++ .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h | 20 +++++ drivers/net/dsa/mv88e6xxx/port.c | 17 ++++- drivers/net/dsa/mv88e6xxx/port.h | 1 + 9 files changed, 150 insertions(+), 9 deletions(-) create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h diff --git a/drivers/net/dsa/mv88e6xxx/Makefile b/drivers/net/dsa/mv88e6xxx/Makefile index c8eca2b6f959..3ca57709730d 100644 --- a/drivers/net/dsa/mv88e6xxx/Makefile +++ b/drivers/net/dsa/mv88e6xxx/Makefile @@ -15,3 +15,4 @@ mv88e6xxx-objs += port_hidden.o mv88e6xxx-$(CONFIG_NET_DSA_MV88E6XXX_PTP) += ptp.o mv88e6xxx-objs += serdes.o mv88e6xxx-objs += smi.o +mv88e6xxx-objs += mv88e6xxx_switchdev.o \ No newline at end of file diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c index 84b90fc36c58..e1b6bd738085 100644 --- a/drivers/net/dsa/mv88e6xxx/chip.c +++ b/drivers/net/dsa/mv88e6xxx/chip.c @@ -1714,11 +1714,11 @@ static int mv88e6xxx_vtu_get(struct mv88e6xxx_chip *chip, u16 vid, return err; } -static int mv88e6xxx_vtu_walk(struct mv88e6xxx_chip *chip, - int (*cb)(struct mv88e6xxx_chip *chip, - const struct mv88e6xxx_vtu_entry *entry, - void *priv), - void *priv) +int mv88e6xxx_vtu_walk(struct mv88e6xxx_chip *chip, + int (*cb)(struct mv88e6xxx_chip *chip, + const struct mv88e6xxx_vtu_entry *entry, + void *priv), + void *priv) { struct mv88e6xxx_vtu_entry entry = { .vid = mv88e6xxx_max_vid(chip), diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h index 30b92a265613..64e8fc470fdf 100644 --- a/drivers/net/dsa/mv88e6xxx/chip.h +++ b/drivers/net/dsa/mv88e6xxx/chip.h @@ -763,6 +763,11 @@ static inline void mv88e6xxx_reg_unlock(struct mv88e6xxx_chip *chip) mutex_unlock(&chip->reg_lock); } +int mv88e6xxx_vtu_walk(struct mv88e6xxx_chip *chip, + int (*cb)(struct mv88e6xxx_chip *chip, + const struct mv88e6xxx_vtu_entry *entry, + void *priv), + void *priv); int mv88e6xxx_fid_map(struct mv88e6xxx_chip *chip, unsigned long *bitmap); #endif /* _MV88E6XXX_CHIP_H */ diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h index 2c1607c858a1..729cc0610d9a 100644 --- a/drivers/net/dsa/mv88e6xxx/global1.h +++ b/drivers/net/dsa/mv88e6xxx/global1.h @@ -136,6 +136,7 @@ #define MV88E6XXX_G1_ATU_DATA_TRUNK 0x8000 #define MV88E6XXX_G1_ATU_DATA_TRUNK_ID_MASK 0x00f0 #define MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_MASK 0x3ff0 +#define MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_NO_EGRESS 0x0000 #define MV88E6XXX_G1_ATU_DATA_STATE_MASK 0x000f #define MV88E6XXX_G1_ATU_DATA_STATE_UC_UNUSED 0x0000 #define MV88E6XXX_G1_ATU_DATA_STATE_UC_AGE_1_OLDEST 0x0001 diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c index 40bd67a5c8e9..afa54fe8667e 100644 --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c @@ -12,6 +12,8 @@ #include "chip.h" #include "global1.h" +#include "port.h" +#include "mv88e6xxx_switchdev.h" /* Offset 0x01: ATU FID Register */ @@ -114,6 +116,18 @@ static int mv88e6xxx_g1_atu_op_wait(struct mv88e6xxx_chip *chip) return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_ATU_OP, bit, 0); } +static int mv88e6xxx_g1_read_atu_violation(struct mv88e6xxx_chip *chip) +{ + int err; + + err = mv88e6xxx_g1_write(chip, MV88E6XXX_G1_ATU_OP, + MV88E6XXX_G1_ATU_OP_BUSY | MV88E6XXX_G1_ATU_OP_GET_CLR_VIOLATION); + if (err) + return err; + + return mv88e6xxx_g1_atu_op_wait(chip); +} + static int mv88e6xxx_g1_atu_op(struct mv88e6xxx_chip *chip, u16 fid, u16 op) { u16 val; @@ -356,11 +370,11 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id) int spid; int err; u16 val; + u16 fid; mv88e6xxx_reg_lock(chip); - err = mv88e6xxx_g1_atu_op(chip, 0, - MV88E6XXX_G1_ATU_OP_GET_CLR_VIOLATION); + err = mv88e6xxx_g1_read_atu_violation(chip); if (err) goto out; @@ -368,6 +382,10 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id) if (err) goto out; + err = mv88e6xxx_g1_read(chip, MV88E6352_G1_ATU_FID, &fid); + if (err) + goto out; + err = mv88e6xxx_g1_atu_data_read(chip, &entry); if (err) goto out; @@ -396,6 +414,13 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id) "ATU miss violation for %pM portvec %x spid %d\n", entry.mac, entry.portvec, spid); chip->ports[spid].atu_miss_violation++; + if (mv88e6xxx_port_is_locked(chip, chip->ports[spid].port)) + err = mv88e6xxx_switchdev_handle_atu_miss_violation(chip, + chip->ports[spid].port, + &entry, + fid); + if (err) + goto out; } if (val & MV88E6XXX_G1_ATU_OP_FULL_VIOLATION) { diff --git a/drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c b/drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c new file mode 100644 index 000000000000..574ae7680720 --- /dev/null +++ b/drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * mv88e6xxx_switchdev.c + * + * Authors: + * Hans J. Schultz + * + */ + +#include +#include "chip.h" +#include "global1.h" + +struct mv88e6xxx_fid_search_ctx { + u16 fid_search; + u16 vid_found; +}; + +static int mv88e6xxx_find_vid_on_matching_fid(struct mv88e6xxx_chip *chip, + const struct mv88e6xxx_vtu_entry *entry, + void *priv) +{ + struct mv88e6xxx_fid_search_ctx *ctx = priv; + + if (ctx->fid_search == entry->fid) { + ctx->vid_found = entry->vid; + return 1; + } + return 0; +} + +int mv88e6xxx_switchdev_handle_atu_miss_violation(struct mv88e6xxx_chip *chip, + int port, + struct mv88e6xxx_atu_entry *entry, + u16 fid) +{ + struct switchdev_notifier_fdb_info info = { + .addr = entry->mac, + .vid = 0, + .added_by_user = false, + .is_local = false, + .offloaded = true, + .locked = true, + }; + struct mv88e6xxx_fid_search_ctx ctx; + struct netlink_ext_ack *extack; + struct net_device *brport; + struct dsa_port *dp; + int err; + + ctx.fid_search = fid; + err = mv88e6xxx_vtu_walk(chip, mv88e6xxx_find_vid_on_matching_fid, &ctx); + if (err < 0) + return err; + if (err == 1) + info.vid = ctx.vid_found; + else + return -ENODATA; + + dp = dsa_to_port(chip->ds, port); + brport = dsa_port_to_bridge_port(dp); + if (!brport) + return -ENODEV; + + rtnl_lock(); + err = call_switchdev_notifiers(SWITCHDEV_FDB_ADD_TO_BRIDGE, brport, &info.info, extack); + if (err) + goto out; + entry->portvec = MV88E6XXX_G1_ATU_DATA_PORT_VECTOR_NO_EGRESS; + err = mv88e6xxx_g1_atu_loadpurge(chip, fid, entry); + +out: + rtnl_unlock(); + return err; +} diff --git a/drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h b/drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h new file mode 100644 index 000000000000..127f3098f745 --- /dev/null +++ b/drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later + * + * mv88e6xxx_switchdev.h + * + * Authors: + * Hans J. Schultz + * + */ + +#ifndef DRIVERS_NET_DSA_MV88E6XXX_MV88E6XXX_SWITCHDEV_H_ +#define DRIVERS_NET_DSA_MV88E6XXX_MV88E6XXX_SWITCHDEV_H_ + +#include + +int mv88e6xxx_switchdev_handle_atu_miss_violation(struct mv88e6xxx_chip *chip, + int port, + struct mv88e6xxx_atu_entry *entry, + u16 fid); + +#endif /* DRIVERS_NET_DSA_MV88E6XXX_MV88E6XXX_SWITCHDEV_H_ */ diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c index 795b3128768f..4656a6a3e93e 100644 --- a/drivers/net/dsa/mv88e6xxx/port.c +++ b/drivers/net/dsa/mv88e6xxx/port.c @@ -1239,6 +1239,17 @@ int mv88e6xxx_port_set_mirror(struct mv88e6xxx_chip *chip, int port, return err; } +bool mv88e6xxx_port_is_locked(struct mv88e6xxx_chip *chip, int port) +{ + u16 reg; + + if (mv88e6xxx_port_read(chip, port, MV88E6XXX_PORT_CTL0, ®)) + return false; + if (!(reg & MV88E6XXX_PORT_CTL0_SA_FILT_DROP_ON_LOCK)) + return false; + return true; +} + int mv88e6xxx_port_set_lock(struct mv88e6xxx_chip *chip, int port, bool locked) { @@ -1261,9 +1272,11 @@ int mv88e6xxx_port_set_lock(struct mv88e6xxx_chip *chip, int port, if (err) return err; - reg &= ~MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT; + reg &= ~(MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT | + MV88E6XXX_PORT_ASSOC_VECTOR_IGNORE_WRONG); if (locked) - reg |= MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT; + reg |= MV88E6XXX_PORT_ASSOC_VECTOR_LOCKED_PORT | + MV88E6XXX_PORT_ASSOC_VECTOR_IGNORE_WRONG; return mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_ASSOC_VECTOR, reg); } diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h index e0a705d82019..09ea8f1615bb 100644 --- a/drivers/net/dsa/mv88e6xxx/port.h +++ b/drivers/net/dsa/mv88e6xxx/port.h @@ -374,6 +374,7 @@ int mv88e6xxx_port_set_fid(struct mv88e6xxx_chip *chip, int port, u16 fid); int mv88e6xxx_port_get_pvid(struct mv88e6xxx_chip *chip, int port, u16 *pvid); int mv88e6xxx_port_set_pvid(struct mv88e6xxx_chip *chip, int port, u16 pvid); +bool mv88e6xxx_port_is_locked(struct mv88e6xxx_chip *chip, int port); int mv88e6xxx_port_set_lock(struct mv88e6xxx_chip *chip, int port, bool locked); From patchwork Thu Mar 17 09:39:02 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans S X-Patchwork-Id: 552398 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF748C433F5 for ; Thu, 17 Mar 2022 09:39:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232105AbiCQJlH (ORCPT ); Thu, 17 Mar 2022 05:41:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52304 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232112AbiCQJlF (ORCPT ); Thu, 17 Mar 2022 05:41:05 -0400 Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E95A18A3FE; Thu, 17 Mar 2022 02:39:29 -0700 (PDT) Received: by mail-lj1-x232.google.com with SMTP id bn33so6453039ljb.6; Thu, 17 Mar 2022 02:39:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:organization:content-transfer-encoding; bh=Rzca7XlJ3nGkRZRrrr3Av3J4sdu0DWRxi2d5ZWbv6Pg=; b=qMJYU9bvcIwzFO/6T3IGHQlUDY2nf8R0HceNbhjVGNu30qxD2oLqM33Q7BtWqV5gjX rnPbltg8xm5RjaYcPIkPW8ZpJOFCa4bvN1PrySyJYrgYyANBHmgXzN+4IDabjbOi0Haj 3JLY8qYTUQYuj8nwjl2ZzH1yGO70LoA4FbDxuMmnu15N6/qSsKLepCeFgPoX1/8sOnpy k/GTyj2UO7qABKzgz40LSXS7pqIM4Cdn9r9c8l9JOdpflybjkaI15regv2D9YHBWMEeb qRnUH8zS12ZOATaCaesIlZUSY83wifNQEawIvw0JyoYv8l/NwVuNlFxsWNoJB0zAm/NW tdSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:organization:content-transfer-encoding; bh=Rzca7XlJ3nGkRZRrrr3Av3J4sdu0DWRxi2d5ZWbv6Pg=; b=2xJd0XEq6MswToUpLSQK6ZS3uOAPRatgfjr48tg3ZkC4ecZSvW3CYSYFlQ6Pxq6mFD 1xRnaKAy8VCB3LjS/PM5SWYhH0cOCtoNEyRbDcc/HPFfBUvlePlycfi42/rfkDbvKEuW OkKysdgQPjRAXkLdRNACEfDYuaPpPItQVEyffgLLWDZmDPTGBN2aT9yPjBuXeV6eWYBK W8YJ3jYiIQesg4tTiQQh2B1kd8Zw6YC7UJaLpUNfKc/9OKnYhONKqyfO/USycAg3fUVT N/wdpjdQcwIecaqJTTGZtSjfb58e16hYovbZoxbgoXkbvNMyfLn3oiWjhcKiPn6j0mto iYMg== X-Gm-Message-State: AOAM532ZNsHf5W8EAH6jnjh3gHOxrT7JGg1Fh79wURTF2b4QP2To1M+N B1tDTWlaPGI1ZXNZoW3p8YM= X-Google-Smtp-Source: ABdhPJyn9gqazX/j3OpRrVKTgyvCZMLd5NLNYKb/X05EDTG7+95nNuZlXHbmzlHFY1TmyL4xEx4z/g== X-Received: by 2002:a05:651c:2008:b0:248:49e:c105 with SMTP id s8-20020a05651c200800b00248049ec105mr2332459ljo.327.1647509967749; Thu, 17 Mar 2022 02:39:27 -0700 (PDT) Received: from wse-c0127.beijerelectronics.com ([208.127.141.29]) by smtp.gmail.com with ESMTPSA id w13-20020a2e998d000000b002496199495csm113479lji.55.2022.03.17.02.39.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Mar 2022 02:39:27 -0700 (PDT) From: Hans Schultz X-Google-Original-From: Hans Schultz To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Date: Thu, 17 Mar 2022 10:39:02 +0100 Message-Id: <20220317093902.1305816-5-schultz.hans+netdev@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> References: <20220317093902.1305816-1-schultz.hans+netdev@gmail.com> MIME-Version: 1.0 Organization: Westermo Network Technologies AB Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Verify that the MAC-Auth mechanism works by adding a FDB entry with the locked flag set. denying access until the FDB entry is replaced with a FDB entry without the locked flag set. Signed-off-by: Hans Schultz --- .../net/forwarding/bridge_locked_port.sh | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh index 6e98efa6d371..2f9519e814b6 100755 --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh @@ -1,7 +1,7 @@ #!/bin/bash # SPDX-License-Identifier: GPL-2.0 -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan" +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab" NUM_NETIFS=4 CHECK_TC="no" source lib.sh @@ -170,6 +170,33 @@ locked_port_ipv6() log_test "Locked port ipv6" } +locked_port_mab() +{ + RET=0 + check_locked_port_support || return 0 + + ping_do $h1 192.0.2.2 + check_err $? "MAB: Ping did not work before locking port" + + bridge link set dev $swp1 locked on + bridge link set dev $swp1 learning on + + ping_do $h1 192.0.2.2 + check_fail $? "MAB: Ping worked on port just locked" + + if ! bridge fdb show | grep `mac_get $h1` | grep -q "locked"; then + RET=1 + retmsg="MAB: No locked fdb entry after ping on locked port" + fi + + bridge fdb del `mac_get $h1` dev $swp1 master + bridge fdb add `mac_get $h1` dev $swp1 master static + + ping_do $h1 192.0.2.2 + check_err $? "MAB: Ping did not work with fdb entry without locked flag" + + log_test "Locked port MAB" +} trap cleanup EXIT setup_prepare