On 8 November 2022 06:47:09 GMT-04:00, Petr Machata wrote:
>From: Ido Schimmel
>
>Reflect the 'BR_PORT_MAB' flag to device drivers so that:
>
>* Drivers that support MAB could act upon the flag being toggled.
>* Drivers that do not support MAB will prevent MAB from being enabled.
>
>Signed-off-by
On 8 November 2022 06:47:07 GMT-04:00, Petr Machata wrote:
>From: Ido Schimmel
>
>Currently, FDB entries that are notified to the bridge via
>'SWITCHDEV_FDB_ADD_TO_BRIDGE' are always marked as offloaded. With MAB
>enabled, this will no longer be universally true. Device drivers will
>report locke
On 8 November 2022 06:47:08 GMT-04:00, Petr Machata wrote:
>From: Hans J. Schultz
>
>When the bridge is offloaded to hardware, FDB entries are learned and
>aged-out by the hardware. Some device drivers synchronize the hardware
>and software FDBs by generating switchdev events towards the bridge.
On Tue, Nov 08, 2022 at 12:59:00PM +0200, Ido Schimmel wrote:
> + Vladimir
>
> You weren't copied on the patches by mistake. They are available here:
> https://lore.kernel.org/netdev/cover.1667902754.git.pe...@nvidia.com/
Thanks for copying me. The patches look great to my eyes. I didn't go
into
On Tue, Nov 08, 2022 at 11:47:20AM +0100, Petr Machata wrote:
> From: Ido Schimmel
>
> Test that packets received via a locked bridge port whose {SMAC, VID}
> does not appear in the bridge's FDB or appears with a different port,
> trigger the "locked_port" packet trap.
>
> Signed-off-by: Ido Sch
On Tue, Nov 08, 2022 at 11:47:19AM +0100, Petr Machata wrote:
> From: Ido Schimmel
>
> Test that packets with a destination MAC of 01:80:C2:00:00:03 trigger
> the "eapol" packet trap.
>
> Signed-off-by: Ido Schimmel
> Reviewed-by: Petr Machata
> Signed-off-by: Petr Machata
> ---
Reviewed-by:
On Tue, Nov 08, 2022 at 11:47:17AM +0100, Petr Machata wrote:
> From: Ido Schimmel
>
> Add locked bridge port support by reacting to changes in the
> 'BR_PORT_LOCKED' flag. When set, enable security checks on the local
> port via the previously added SPFSR register.
>
> When security checks are
On Tue, Nov 08, 2022 at 11:47:21AM +0100, Petr Machata wrote:
> From: Ido Schimmel
>
> Test that locked bridge port configurations that are not supported by
> mlxsw are rejected.
>
> Signed-off-by: Ido Schimmel
> Reviewed-by: Petr Machata
> Signed-off-by: Petr Machata
> ---
Reviewed-by: Vlad
On Tue, Nov 08, 2022 at 11:47:10AM +0100, Petr Machata wrote:
> The "locked_port" drop trap can be enabled to gain visibility into
> packets that were dropped by the device due to the locked bridge port
> check.
Pretty cool.
The action of all devlink DROP traps can be changed to e.g. CONTROL, rig
On Tue, Nov 08, 2022 at 11:47:09AM +0100, Petr Machata wrote:
> From: Ido Schimmel
>
> Reflect the 'BR_PORT_MAB' flag to device drivers so that:
>
> * Drivers that support MAB could act upon the flag being toggled.
> * Drivers that do not support MAB will prevent MAB from being enabled.
>
> Sig
On Tue, Nov 08, 2022 at 11:47:08AM +0100, Petr Machata wrote:
> From: Hans J. Schultz
>
> When the bridge is offloaded to hardware, FDB entries are learned and
> aged-out by the hardware. Some device drivers synchronize the hardware
> and software FDBs by generating switchdev events towards the b
On Tue, Nov 08, 2022 at 11:47:07AM +0100, Petr Machata wrote:
> From: Ido Schimmel
>
> Currently, FDB entries that are notified to the bridge via
> 'SWITCHDEV_FDB_ADD_TO_BRIDGE' are always marked as offloaded. With MAB
> enabled, this will no longer be universally true. Device drivers will
> repo
+ Vladimir
You weren't copied on the patches by mistake. They are available here:
https://lore.kernel.org/netdev/cover.1667902754.git.pe...@nvidia.com/
On Tue, Nov 08, 2022 at 11:47:06AM +0100, Petr Machata wrote:
> Ido Schimmel writes:
>
> This patchset adds 802.1X [1] and MAB [2] offload supp
From: Ido Schimmel
Test that packets received via a locked bridge port whose {SMAC, VID}
does not appear in the bridge's FDB or appears with a different port,
trigger the "locked_port" packet trap.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Machata
---
.../net/
From: Ido Schimmel
Add locked bridge port support by reacting to changes in the
'BR_PORT_LOCKED' flag. When set, enable security checks on the local
port via the previously added SPFSR register.
When security checks are enabled, an incoming packet will trigger an FDB
lookup with the packet's sou
From: Ido Schimmel
Test that locked bridge port configurations that are not supported by
mlxsw are rejected.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Machata
---
.../selftests/drivers/net/mlxsw/rtnetlink.sh | 31 +++
1 file changed, 31 insert
From: Ido Schimmel
Test that packets with a destination MAC of 01:80:C2:00:00:03 trigger
the "eapol" packet trap.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Machata
---
.../drivers/net/mlxsw/devlink_trap_control.sh | 22 +++
1 file changed, 22 i
From: Ido Schimmel
Merely checking whether a trap counter incremented or not without
logging a test result is useful on its own. Split this functionality to
a helper which will be used by subsequent patches.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Machata
---
From: Ido Schimmel
Propagate extack to mlxsw_sp_port_attr_br_pre_flags_set() in order to
communicate error messages related to bridge port flag validation.
Example:
# bridge link set dev swp1 locked on
Error: mlxsw_spectrum: Unsupported bridge port flag.
More error messages will be added in
From: Ido Schimmel
Subsequent patches will need to report locked FDB entries to the bridge
driver. Prepare for that by adding a 'locked' argument to
mlxsw_sp_fdb_call_notifiers() according to which the 'locked' bit is set
in the FDB notification info. For now, always pass 'false'.
Signed-off-by:
From: Ido Schimmel
Add the Switch Port FDB Security Register (SPFSR) that allows enabling
and disabling security checks on a given local port. In Linux terms, it
allows locking / unlocking a port.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Machata
---
drivers/n
From: Ido Schimmel
In Spectrum, learning happens in parallel to the security checks.
Therefore, regardless of the result of the security checks, a learning
notification will be generated by the device and polled later on by the
driver.
Currently, the driver reacts to learning notifications by pr
From: Ido Schimmel
Register the previously added packet traps with devlink. This allows
user space to tune their policers and in the case of the locked port
trap, user space can set its action to "trap" in order to gain
visibility into packets that were discarded by the device due to the
locked p
From: Ido Schimmel
Add an API to enable or disable security checks on a local port. It will
be used by subsequent patches when the 'BR_PORT_LOCKED' flag is toggled.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Machata
---
drivers/net/ethernet/mellanox/mlxsw/spect
From: Ido Schimmel
Reflect the 'BR_PORT_MAB' flag to device drivers so that:
* Drivers that support MAB could act upon the flag being toggled.
* Drivers that do not support MAB will prevent MAB from being enabled.
Signed-off-by: Ido Schimmel
Reviewed-by: Petr Machata
Signed-off-by: Petr Macha
From: Ido Schimmel
Add packet traps for 802.1X operation. The "eapol" control trap is used
to trap EAPOL packets and is required for the correct operation of the
control plane. The "locked_port" drop trap can be enabled to gain
visibility into packets that were dropped by the device due to the
lo
From: Hans J. Schultz
When the bridge is offloaded to hardware, FDB entries are learned and
aged-out by the hardware. Some device drivers synchronize the hardware
and software FDBs by generating switchdev events towards the bridge.
When a port is locked, the hardware must not learn autonomously,
From: Ido Schimmel
Currently, FDB entries that are notified to the bridge via
'SWITCHDEV_FDB_ADD_TO_BRIDGE' are always marked as offloaded. With MAB
enabled, this will no longer be universally true. Device drivers will
report locked FDB entries to the bridge to let it know that the
corresponding
Ido Schimmel writes:
This patchset adds 802.1X [1] and MAB [2] offload support in mlxsw.
Patches #1-#3 add the required switchdev interfaces.
Patches #4-#5 add the required packet traps for 802.1X.
Patches #6-#10 are small preparations in mlxsw.
Patch #11 adds locked bridge port support in ml