[Bridge] [PATCH net-next 1/4] net: bridge: Add support for bridge port in locked mode

2022-02-13 Thread Hans Schultz
the bridge port in locked mode, which is also supported by various switchcore chipsets. Signed-off-by: Hans Schultz --- include/linux/if_bridge.h| 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c| 10 +- net/bridge/br_netlink.c | 6 +- 4 files

[Bridge] [PATCH net-next 4/4] net: bridge: Refactor bridge port in locked mode to use jump labels

2022-02-13 Thread Hans Schultz
As the locked mode feature is in the hot path of the bridge modules reception of packets, it needs to be refactored to use jump labels for optimization. Signed-off-by: Hans Schultz --- net/bridge/br_input.c | 22 ++ net/bridge/br_netlink.c | 6 ++ net/bridge

Re: [Bridge] [PATCH net-next 1/4] net: bridge: Add support for bridge port in locked mode

2022-02-13 Thread Hans Schultz
On mån, feb 07, 2022 at 14:53, Andrew Lunn wrote: >> > + if (p->flags & BR_PORT_LOCKED) { >> > + fdb_entry = br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid); >> > + if (!(fdb_entry && fdb_entry->dst == p)) >> > + goto drop; >> >> I'm not familiar with 802.1X s
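Review bot: the test `if (!(fdb_entry && fdb_entry->dst == p))` in the quoted hunk accepts any FDB entry for the source MAC that points at this port, and nothing in these lines checks how that entry was created. If a locked port can still learn source addresses, a learned entry would pass the same test as one installed by the authenticator. Consider stating in the commit message or documentation that learning is expected to be off on locked ports, or testing the entry's flags here before forwarding.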

[Bridge] [PATCH net-next v2 2/5] net: bridge: Add support for offloading of locked port flag

2022-02-13 Thread Hans Schultz
Various switchcores support setting ports in locked mode, so that clients behind locked ports cannot send traffic through the port unless a fdb entry is added with the clients MAC address. Signed-off-by: Hans Schultz --- net/bridge/br_switchdev.c | 2 +- 1 file changed, 1 insertion(+), 1

[Bridge] [PATCH net-next v2 1/5] net: bridge: Add support for bridge port in locked mode

2022-02-13 Thread Hans Schultz
the bridge port in locked mode, which is also supported by various switchcore chipsets. Signed-off-by: Hans Schultz --- include/linux/if_bridge.h| 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c| 10 +- net/bridge/br_netlink.c | 6 +- 4 files

Re: [Bridge] [PATCH net-next 1/4] net: bridge: Add support for bridge port in locked mode

2022-02-13 Thread Hans Schultz
On mån, feb 07, 2022 at 12:49, Ido Schimmel wrote: > On Mon, Feb 07, 2022 at 11:07:39AM +0100, Hans Schultz wrote: >> In a 802.1X scenario, clients connected to a bridge port shall not >> be allowed to have traffic forwarded until fully authenticated. >> A static fdb ent

Re: [Bridge] [PATCH net-next v2 5/5] net: bridge: Refactor bridge port in locked mode to use jump labels

2022-02-13 Thread Hans Schultz
On tor, feb 10, 2022 at 10:31, Nikolay Aleksandrov wrote: > On 09/02/2022 15:05, Hans Schultz wrote: >> From: Hans Schultz >> >> As the locked mode feature is in the hot path of the bridge modules >> reception of packets, it needs to be refactored to use jump

[Bridge] [PATCH net-next 2/4] net: bridge: dsa: Add support for offloading of locked port flag

2022-02-13 Thread Hans Schultz
Various switchcores support setting ports in locked mode, so that clients behind locked ports cannot send traffic through the port unless a fdb entry is added with the clients MAC address. Among the switchcores that support this feature is the Marvell mv88e6xxx family. Signed-off-by: Hans

[Bridge] [PATCH net-next v2 5/5] net: bridge: Refactor bridge port in locked mode to use jump labels

2022-02-13 Thread Hans Schultz
From: Hans Schultz As the locked mode feature is in the hot path of the bridge modules reception of packets, it needs to be refactored to use jump labels for optimization. Signed-off-by: Hans Schultz Signed-off-by: Hans Schultz --- net/bridge/br_input.c | 22 ++ net

[Bridge] [PATCH net-next v3 0/5] Add support for locked bridge ports (for 802.1X)

2022-02-18 Thread Hans Schultz
https://github.com/westermo/hostapd/tree/bridge_driver . The relevant components work transparently in relation to if it is the bridge module or the offloaded switchcore case that is in use. Hans Schultz (5): net: bridge: Add support for bridge port in locked mode net: bridge: Add suppor

[Bridge] [PATCH net-next v3 1/5] net: bridge: Add support for bridge port in locked mode

2022-02-18 Thread Hans Schultz
the bridge port in locked mode, which is also supported by various switchcore chipsets. Signed-off-by: Hans Schultz --- include/linux/if_bridge.h| 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c| 10 +- net/bridge/br_netlink.c | 6 +- 4 files

[Bridge] [PATCH net-next v3 2/5] net: bridge: Add support for offloading of locked port flag

2022-02-18 Thread Hans Schultz
Various switchcores support setting ports in locked mode, so that clients behind locked ports cannot send traffic through the port unless a fdb entry is added with the clients MAC address. Signed-off-by: Hans Schultz --- net/bridge/br_switchdev.c | 2 +- 1 file changed, 1 insertion(+), 1

[Bridge] [PATCH net-next v3 3/5] net: dsa: Add support for offloaded locked port flag

2022-02-18 Thread Hans Schultz
Among the switchcores that support this feature is the Marvell mv88e6xxx family. Signed-off-by: Hans Schultz --- net/dsa/port.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/dsa/port.c b/net/dsa/port.c index bd78192e0e47..01ed22ed74a1 100644 --- a/net/dsa/port.c

[Bridge] [PATCH net-next v3 4/5] net: dsa: mv88e6xxx: Add support for bridge port locked mode

2022-02-18 Thread Hans Schultz
ned-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/chip.c | 9 - drivers/net/dsa/mv88e6xxx/port.c | 33 drivers/net/dsa/mv88e6xxx/port.h | 9 - 3 files changed, 49 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/d

[Bridge] [PATCH net-next v3 5/5] selftests: forwarding: tests of locked port feature

2022-02-18 Thread Hans Schultz
These tests check that the basic locked port feature works, so that no 'host' can communicate (ping) through a locked port unless the MAC address of the 'host' interface is in the forwarding database of the bridge. Signed-off-by: Hans Schultz --- .../testing/selftests/net

Re: [Bridge] [PATCH net-next v3 5/5] selftests: forwarding: tests of locked port feature

2022-02-21 Thread Hans Schultz
On sön, feb 20, 2022 at 11:12, Ido Schimmel wrote: > On Fri, Feb 18, 2022 at 04:51:48PM +0100, Hans Schultz wrote: >> These tests check that the basic locked port feature works, so that no 'host' >> can communicate (ping) through a locked port unless the MAC address of t

Re: [Bridge] [PATCH net-next v3 4/5] net: dsa: mv88e6xxx: Add support for bridge port locked mode

2022-02-21 Thread Hans Schultz
On sön, feb 20, 2022 at 11:21, Ido Schimmel wrote: > On Sat, Feb 19, 2022 at 12:00:34PM +0200, Vladimir Oltean wrote: >> On Fri, Feb 18, 2022 at 04:51:47PM +0100, Hans Schultz wrote: >> > diff --git a/drivers/net/dsa/mv88e6xxx/port.c >> > b/drivers/net/dsa/

[Bridge] [PATCH net-next v4 0/5] Add support for locked bridge ports (for 802.1X)

2022-02-22 Thread Hans Schultz
https://github.com/westermo/hostapd/tree/bridge_driver . The relevant components work transparently in relation to if it is the bridge module or the offloaded switchcore case that is in use. Hans Schultz (5): net: bridge: Add support for bridge port in locked mode net: bridge: Add suppor

[Bridge] [PATCH net-next v4 1/5] net: bridge: Add support for bridge port in locked mode

2022-02-22 Thread Hans Schultz
the bridge port in locked mode, which is also supported by various switchcore chipsets. Signed-off-by: Hans Schultz Acked-by: Nikolay Aleksandrov Reviewed-by: Ido Schimmel --- include/linux/if_bridge.h| 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c| 11

[Bridge] [PATCH net-next v4 2/5] net: bridge: Add support for offloading of locked port flag

2022-02-22 Thread Hans Schultz
Various switchcores support setting ports in locked mode, so that clients behind locked ports cannot send traffic through the port unless a fdb entry is added with the clients MAC address. Signed-off-by: Hans Schultz Acked-by: Nikolay Aleksandrov Reviewed-by: Ido Schimmel --- net/bridge

[Bridge] [PATCH net-next v4 3/5] net: dsa: Include BR_PORT_LOCKED in the list of synced brport flags

2022-02-22 Thread Hans Schultz
Ensures that the DSA switch driver gets notified of changes to the BR_PORT_LOCKED flag as well, for the case when a DSA port joins or leaves a LAG that is a bridge port. Signed-off-by: Hans Schultz Reviewed-by: Vladimir Oltean --- net/dsa/port.c | 4 ++-- 1 file changed, 2 insertions(+), 2

[Bridge] [PATCH net-next v4 4/5] net: dsa: mv88e6xxx: Add support for bridge port locked mode

2022-02-22 Thread Hans Schultz
ned-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/chip.c | 9 - drivers/net/dsa/mv88e6xxx/port.c | 29 + drivers/net/dsa/mv88e6xxx/port.h | 9 - 3 files changed, 45 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drive

[Bridge] [PATCH net-next v4 5/5] selftests: forwarding: tests of locked port feature

2022-02-22 Thread Hans Schultz
These tests check that the basic locked port feature works, so that no 'host' can communicate (ping) through a locked port unless the MAC address of the 'host' interface is in the forwarding database of the bridge. Signed-off-by: Hans Schultz --- .../testing/selftests/net

Re: [Bridge] [PATCH net-next v4 5/5] selftests: forwarding: tests of locked port feature

2022-02-22 Thread Hans Schultz
On tis, feb 22, 2022 at 19:00, Ido Schimmel wrote: > On Tue, Feb 22, 2022 at 02:28:18PM +0100, Hans Schultz wrote: >> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh >> b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh >> new file

Re: [Bridge] [PATCH net-next v4 0/5] Add support for locked bridge ports (for 802.1X)

2022-02-23 Thread Hans Schultz
On tis, feb 22, 2022 at 11:15, Jakub Kicinski wrote: > On Tue, 22 Feb 2022 14:28:13 +0100 Hans Schultz wrote: >> This series starts by adding support for SA filtering to the bridge, >> which is then allowed to be offloaded to switchdev devices. Furthermore >> an offload

[Bridge] [PATCH net-next v5 0/5] Add support for locked bridge ports (for 802.1X)

2022-02-23 Thread Hans Schultz
https://github.com/westermo/hostapd/tree/bridge_driver . The relevant components work transparently in relation to if it is the bridge module or the offloaded switchcore case that is in use. Hans Schultz (5): net: bridge: Add support for bridge port in locked mode net: bridge: Add suppor

[Bridge] [PATCH net-next v5 1/5] net: bridge: Add support for bridge port in locked mode

2022-02-23 Thread Hans Schultz
the bridge port in locked mode, which is also supported by various switchcore chipsets. Signed-off-by: Hans Schultz Acked-by: Nikolay Aleksandrov Reviewed-by: Ido Schimmel --- include/linux/if_bridge.h| 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c| 11

[Bridge] [PATCH net-next v5 2/5] net: bridge: Add support for offloading of locked port flag

2022-02-23 Thread Hans Schultz
Various switchcores support setting ports in locked mode, so that clients behind locked ports cannot send traffic through the port unless a fdb entry is added with the clients MAC address. Signed-off-by: Hans Schultz Acked-by: Nikolay Aleksandrov Reviewed-by: Ido Schimmel --- net/bridge

[Bridge] [PATCH net-next v5 3/5] net: dsa: Include BR_PORT_LOCKED in the list of synced brport flags

2022-02-23 Thread Hans Schultz
Ensures that the DSA switch driver gets notified of changes to the BR_PORT_LOCKED flag as well, for the case when a DSA port joins or leaves a LAG that is a bridge port. Signed-off-by: Hans Schultz Reviewed-by: Vladimir Oltean --- net/dsa/port.c | 4 ++-- 1 file changed, 2 insertions(+), 2

[Bridge] [PATCH net-next v5 4/5] net: dsa: mv88e6xxx: Add support for bridge port locked mode

2022-02-23 Thread Hans Schultz
ned-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/chip.c | 9 - drivers/net/dsa/mv88e6xxx/port.c | 29 + drivers/net/dsa/mv88e6xxx/port.h | 9 - 3 files changed, 45 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drive

[Bridge] [PATCH net-next v5 5/5] selftests: forwarding: tests of locked port feature

2022-02-23 Thread Hans Schultz
These tests check that the basic locked port feature works, so that no 'host' can communicate (ping) through a locked port unless the MAC address of the 'host' interface is in the forwarding database of the bridge. Signed-off-by: Hans Schultz Acked-by: Ido Schimmel --- .

[Bridge] [PATCH iproute2-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-03-10 Thread Hans Schultz
through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Hans Schultz (3): net: bridge: add fdb flag to extent locked port feature net: switchdev: add support for offloading of fdb locked flag net: dsa: mv88e6xxx: mac-auth/MAB implementation

[Bridge] [PATCH iproute2-next 1/3] net: bridge: add fdb flag to extent locked port feature

2022-03-10 Thread Hans Schultz
Add an intermediate state for clients behind a locked port to allow for possible opening of the port for said clients. This feature corresponds to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The latter defined by Cisco. Signed-off-by: Hans Schultz --- include/uapi/linux

[Bridge] [PATCH iproute2-next 2/3] net: switchdev: add support for offloading of fdb locked flag

2022-03-10 Thread Hans Schultz
Used for Mac-auth/MAB feature in the offloaded case. Signed-off-by: Hans Schultz --- include/net/switchdev.h | 3 ++- net/bridge/br.c | 3 ++- net/bridge/br_fdb.c | 7 +-- net/bridge/br_private.h | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/net

[Bridge] [PATCH iproute2-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
locked flag set. Note: The locked port must have learning enabled for the ATU miss violation to occur. Signed-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/Makefile| 1 + drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- drivers/net/dsa/mv88e6xxx/chip.h | 5

[Bridge] [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-03-10 Thread Hans Schultz
through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Hans Schultz (3): net: bridge: add fdb flag to extent locked port feature net: switchdev: add support for offloading of fdb locked flag net: dsa: mv88e6xxx: mac-auth/MAB implementation

[Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature

2022-03-10 Thread Hans Schultz
Add an intermediate state for clients behind a locked port to allow for possible opening of the port for said clients. This feature corresponds to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The latter defined by Cisco. Signed-off-by: Hans Schultz --- include/uapi/linux

[Bridge] [PATCH net-next 2/3] net: switchdev: add support for offloading of fdb locked flag

2022-03-10 Thread Hans Schultz
Used for Mac-auth/MAB feature in the offloaded case. Signed-off-by: Hans Schultz --- include/net/switchdev.h | 3 ++- net/bridge/br.c | 3 ++- net/bridge/br_fdb.c | 7 +-- net/bridge/br_private.h | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/net

[Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
locked flag set. Note: The locked port must have learning enabled for the ATU miss violation to occur. Signed-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/Makefile| 1 + drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- drivers/net/dsa/mv88e6xxx/chip.h | 5

Re: [Bridge] [PATCH iproute2-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 16:18, Nikolay Aleksandrov wrote: > On 10/03/2022 15:36, Hans Schultz wrote: >> This patch set extends the locked port feature for devices >> that are behind a locked port, but do not have the ability to >> authorize themselves as a supplicant using

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 16:28, Vladimir Oltean wrote: > On Thu, Mar 10, 2022 at 03:23:20PM +0100, Hans Schultz wrote: >> This implementation for the Marvell mv88e6xxx chip series, is >> based on handling ATU miss violations occurring when packets >> ingress on a port th

Re: [Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 16:42, Nikolay Aleksandrov wrote: > On 10/03/2022 16:23, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to the Mac-Auth a

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 17:07, Vladimir Oltean wrote: > On Thu, Mar 10, 2022 at 04:00:52PM +0100, Hans Schultz wrote: >> >> + brport = dsa_port_to_bridge_port(dp); >> > >> > Since this is threaded interrupt context, I suppose it could race with >> > dsa_p

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 16:28, Vladimir Oltean wrote: > On Thu, Mar 10, 2022 at 03:23:20PM +0100, Hans Schultz wrote: >> This implementation for the Marvell mv88e6xxx chip series, is >> based on handling ATU miss violations occurring when packets >> ingress on a port th

Re: [Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 17:57, Nikolay Aleksandrov wrote: > On 10/03/2022 17:38, Hans Schultz wrote: >> On tor, mar 10, 2022 at 16:42, Nikolay Aleksandrov >> wrote: >>> On 10/03/2022 16:23, Hans Schultz wrote: >>>> Add an intermediate state for clien

Re: [Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 18:14, Nikolay Aleksandrov wrote: > On 10/03/2022 18:11, Hans Schultz wrote: >> On tor, mar 10, 2022 at 17:57, Nikolay Aleksandrov >> wrote: >>> On 10/03/2022 17:38, Hans Schultz wrote: >>>> On tor, mar 10, 2022 at 16:42, Nikolay Alek

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 18:05, Vladimir Oltean wrote: > On Thu, Mar 10, 2022 at 04:51:15PM +0100, Hans Schultz wrote: >> On tor, mar 10, 2022 at 17:07, Vladimir Oltean wrote: >> > On Thu, Mar 10, 2022 at 04:00:52PM +0100, Hans Schultz wrote: >> >> >> +

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-10 Thread Hans Schultz
On tor, mar 10, 2022 at 15:54, Andrew Lunn wrote: >> +if (mv88e6xxx_port_is_locked(chip, chip->ports[spid].port)) >> +err = >> mv88e6xxx_switchdev_handle_atu_miss_violation(chip, >> + >> chip->

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-14 Thread Hans Schultz
On tor, mar 10, 2022 at 16:28, Vladimir Oltean wrote: > On Thu, Mar 10, 2022 at 03:23:20PM +0100, Hans Schultz wrote: >> This implementation for the Marvell mv88e6xxx chip series, is >> based on handling ATU miss violations occurring when packets >> ingress on a port th

Re: [Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature

2022-03-15 Thread Hans Schultz
On mån, mar 14, 2022 at 17:30, Ido Schimmel wrote: > On Thu, Mar 10, 2022 at 03:23:18PM +0100, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to

Re: [Bridge] [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-03-15 Thread Hans Schultz
On mån, mar 14, 2022 at 17:50, Ido Schimmel wrote: > On Thu, Mar 10, 2022 at 03:23:17PM +0100, Hans Schultz wrote: >> This patch set extends the locked port feature for devices >> that are behind a locked port, but do not have the ability to >> authorize themselves as a

Re: [Bridge] [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-03-17 Thread Hans Schultz
On ons, mar 16, 2022 at 17:18, Florian Fainelli wrote: > On 3/10/2022 6:23 AM, Hans Schultz wrote: >> This patch set extends the locked port feature for devices >> that are behind a locked port, but do not have the ability to >> authorize themselves as a supplicant using

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-17 Thread Hans Schultz
On tor, mar 17, 2022 at 01:34, Vladimir Oltean wrote: > On Mon, Mar 14, 2022 at 11:46:51AM +0100, Hans Schultz wrote: >> >> @@ -396,6 +414,13 @@ static irqreturn_t >> >> mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id) >> >>

[Bridge] [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-03-17 Thread Hans Schultz
userspace can read the flag and remove it by deleting the FDB entry. Signed-off-by: Hans Schultz --- include/uapi/linux/neighbour.h | 1 + net/bridge/br_fdb.c| 6 ++ net/bridge/br_input.c | 10 +- net/bridge/br_private.h| 3 ++- 4 files changed, 18 insertions

[Bridge] [PATCH v2 net-next 0/4] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-03-17 Thread Hans Schultz
through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Hans Schultz (4): net: bridge: add fdb flag to extent locked port feature net: switchdev: add support for offloading of fdb locked flag net: dsa: mv88e6xxx: mac-auth/MAB implementation

[Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-17 Thread Hans Schultz
Used for Mac-auth/MAB feature in the offloaded case. Signed-off-by: Hans Schultz --- include/net/switchdev.h | 3 ++- net/bridge/br.c | 3 ++- net/bridge/br_fdb.c | 7 +-- net/bridge/br_private.h | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/net

[Bridge] [PATCH v2 net-next 3/4] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-17 Thread Hans Schultz
locked flag set. Note: The locked port must have learning enabled for the ATU miss violation to occur. Signed-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/Makefile| 1 + drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- drivers/net/dsa/mv88e6xxx/chip.h | 5

[Bridge] [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

2022-03-17 Thread Hans Schultz
Verify that the MAC-Auth mechanism works by adding a FDB entry with the locked flag set. denying access until the FDB entry is replaced with a FDB entry without the locked flag set. Signed-off-by: Hans Schultz --- .../net/forwarding/bridge_locked_port.sh | 29 ++- 1 file

Re: [Bridge] [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-03-17 Thread Hans Schultz
On tor, mar 17, 2022 at 15:44, Ido Schimmel wrote: > On Thu, Mar 17, 2022 at 10:38:59AM +0100, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-17 Thread Hans Schultz
On tor, mar 17, 2022 at 17:36, Vladimir Oltean wrote: > On Thu, Mar 17, 2022 at 03:19:46PM +0100, Andrew Lunn wrote: >> On Thu, Mar 17, 2022 at 09:52:15AM +0100, Hans Schultz wrote: >> > On tor, mar 17, 2022 at 01:34, Vladimir Oltean wrote: >> > > On Mon, Mar 14,

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-17 Thread Hans Schultz
On tor, mar 17, 2022 at 18:18, Vladimir Oltean wrote: > On Thu, Mar 17, 2022 at 05:07:15PM +0100, Hans Schultz wrote: >> On tor, mar 17, 2022 at 17:36, Vladimir Oltean wrote: >> > On Thu, Mar 17, 2022 at 03:19:46PM +0100, Andrew Lunn wrote: >> >> On Thu, Mar 17,

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-18 Thread Hans Schultz
On tor, mar 17, 2022 at 19:20, Vladimir Oltean wrote: > On Thu, Mar 17, 2022 at 05:58:26PM +0100, Hans Schultz wrote: >> On tor, mar 17, 2022 at 18:18, Vladimir Oltean wrote: >> > On Thu, Mar 17, 2022 at 05:07:15PM +0100, Hans Schultz wrote: >> >> On tor, mar 17,

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-18 Thread Hans Schultz
On fre, mar 18, 2022 at 14:14, Vladimir Oltean wrote: > On Fri, Mar 18, 2022 at 11:04:36AM +0100, Hans Schultz wrote: >> On tor, mar 17, 2022 at 19:20, Vladimir Oltean wrote: >> > On Thu, Mar 17, 2022 at 05:58:26PM +0100, Hans Schultz wrote: >> >> On tor, mar 17,

Re: [Bridge] [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

2022-03-18 Thread Hans Schultz
On tor, mar 17, 2022 at 16:57, Ido Schimmel wrote: > On Thu, Mar 17, 2022 at 10:39:02AM +0100, Hans Schultz wrote: >> Verify that the MAC-Auth mechanism works by adding a FDB entry with the >> locked flag set. denying access until the FDB entry is replaced with a >> FDB ent

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-21 Thread Hans Schultz
On tor, mar 17, 2022 at 15:19, Andrew Lunn wrote: > On Thu, Mar 17, 2022 at 09:52:15AM +0100, Hans Schultz wrote: >> On tor, mar 17, 2022 at 01:34, Vladimir Oltean wrote: >> > On Mon, Mar 14, 2022 at 11:46:51AM +0100, Hans Schultz wrote: >> >> >> @@

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-22 Thread Hans Schultz
On fre, mar 18, 2022 at 15:19, Vladimir Oltean wrote: > On Fri, Mar 18, 2022 at 02:10:26PM +0100, Hans Schultz wrote: >> In the offloaded case there is no difference between static and dynamic >> flags, which I see as a general issue. (The resulting ATU entry is static >> in

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-22 Thread Hans Schultz
On tis, mar 22, 2022 at 13:08, Vladimir Oltean wrote: > On Tue, Mar 22, 2022 at 12:01:13PM +0100, Hans Schultz wrote: >> On fre, mar 18, 2022 at 15:19, Vladimir Oltean wrote: >> > On Fri, Mar 18, 2022 at 02:10:26PM +0100, Hans Schultz wrote: >> >> In the offload

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-22 Thread Hans Schultz
On tis, mar 22, 2022 at 14:21, Hans Schultz wrote: > On tis, mar 22, 2022 at 13:08, Vladimir Oltean wrote: >> On Tue, Mar 22, 2022 at 12:01:13PM +0100, Hans Schultz wrote: >>> On fre, mar 18, 2022 at 15:19, Vladimir Oltean wrote: >>> > On Fri, Mar 18, 2022 at

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-23 Thread Hans Schultz
On tis, mar 22, 2022 at 13:08, Vladimir Oltean wrote: > On Tue, Mar 22, 2022 at 12:01:13PM +0100, Hans Schultz wrote: >> On fre, mar 18, 2022 at 15:19, Vladimir Oltean wrote: >> > On Fri, Mar 18, 2022 at 02:10:26PM +0100, Hans Schultz wrote: >> >> In the offload

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-23 Thread Hans Schultz
On ons, mar 23, 2022 at 12:16, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 11:13:51AM +0100, Hans Schultz wrote: >> On tis, mar 22, 2022 at 13:08, Vladimir Oltean wrote: >> > On Tue, Mar 22, 2022 at 12:01:13PM +0100, Hans Schultz wrote: >> >> On fre, mar 18,

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-23 Thread Hans Schultz
On ons, mar 23, 2022 at 12:16, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 11:13:51AM +0100, Hans Schultz wrote: >> On tis, mar 22, 2022 at 13:08, Vladimir Oltean wrote: >> > On Tue, Mar 22, 2022 at 12:01:13PM +0100, Hans Schultz wrote: >> >> On fre, mar 18,

Re: [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-03-23 Thread Hans Schultz
On ons, mar 23, 2022 at 13:21, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 11:57:16AM +0100, Hans Schultz wrote: >> >> >> Another issue I see, is that there is a deadlock or similar issue when >> >> >> receiving violations and running 'brid

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-23 Thread Hans Schultz
On tor, mar 17, 2022 at 10:39, Hans Schultz wrote: > Used for Mac-auth/MAB feature in the offloaded case. > > Signed-off-by: Hans Schultz > --- > include/net/switchdev.h | 3 ++- > net/bridge/br.c | 3 ++- > net/bridge/br_fdb.c | 7 +-- > net/bridge/

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-23 Thread Hans Schultz
On ons, mar 23, 2022 at 14:35, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 01:29:52PM +0100, Hans Schultz wrote: >> On tor, mar 17, 2022 at 10:39, Hans Schultz wrote: >> > Used for Mac-auth/MAB feature in the offloaded case. >> > >> > Signed-off-by: Hans

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-23 Thread Hans Schultz
On ons, mar 23, 2022 at 14:35, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 01:29:52PM +0100, Hans Schultz wrote: >> On tor, mar 17, 2022 at 10:39, Hans Schultz wrote: >> > Used for Mac-auth/MAB feature in the offloaded case. >> > >> > Signed-off-by: Hans

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-23 Thread Hans Schultz
On ons, mar 23, 2022 at 16:43, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 01:49:32PM +0100, Hans Schultz wrote: >> >> Does someone have an idea why there at this point is no option to add a >> >> dynamic fdb entry? >> >> >> >> The f

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-24 Thread Hans Schultz
On ons, mar 23, 2022 at 16:43, Vladimir Oltean wrote: > On Wed, Mar 23, 2022 at 01:49:32PM +0100, Hans Schultz wrote: >> >> Does someone have an idea why there at this point is no option to add a >> >> dynamic fdb entry? >> >> >> >> The f

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-24 Thread Hans Schultz
On tor, mar 24, 2022 at 13:09, Vladimir Oltean wrote: > On Thu, Mar 24, 2022 at 11:32:08AM +0100, Hans Schultz wrote: >> On ons, mar 23, 2022 at 16:43, Vladimir Oltean wrote: >> > On Wed, Mar 23, 2022 at 01:49:32PM +0100, Hans Schultz wrote: >> >> >> Does so

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-25 Thread Hans Schultz
On tor, mar 24, 2022 at 16:27, Vladimir Oltean wrote: > On Thu, Mar 24, 2022 at 12:23:39PM +0100, Hans Schultz wrote: >> On tor, mar 24, 2022 at 13:09, Vladimir Oltean wrote: >> > On Thu, Mar 24, 2022 at 11:32:08AM +0100, Hans Schultz wrote: >> >> On ons, mar 23,

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-25 Thread Hans Schultz
On tor, mar 24, 2022 at 16:27, Vladimir Oltean wrote: > On Thu, Mar 24, 2022 at 12:23:39PM +0100, Hans Schultz wrote: >> On tor, mar 24, 2022 at 13:09, Vladimir Oltean wrote: >> > On Thu, Mar 24, 2022 at 11:32:08AM +0100, Hans Schultz wrote: >> >> On ons, mar 23,

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-25 Thread Hans Schultz
On fre, mar 25, 2022 at 15:21, Vladimir Oltean wrote: > On Fri, Mar 25, 2022 at 08:50:34AM +0100, Hans Schultz wrote: >> On tor, mar 24, 2022 at 16:27, Vladimir Oltean wrote: >> > On Thu, Mar 24, 2022 at 12:23:39PM +0100, Hans Schultz wrote: >> >> On tor, mar 24,

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-25 Thread Hans Schultz
On fre, mar 25, 2022 at 16:00, Vladimir Oltean wrote: > On Fri, Mar 25, 2022 at 02:48:36PM +0100, Hans Schultz wrote: >> > If you'd cache the locked ATU entry in the mv88e6xxx driver, and you'd >> > notify switchdev only if the entry is new to the cache, then yo

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-28 Thread Hans Schultz
On fre, mar 25, 2022 at 22:30, Vladimir Oltean wrote: > On Fri, Mar 25, 2022 at 05:01:59PM +0100, Hans Schultz wrote: >> > An attacker sweeping through the 2^47 source MAC address range is a >> > problem regardless of the implementations proposed so far, no? >> >&g

Re: [Bridge] [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-03-28 Thread Hans Schultz
On mån, mar 28, 2022 at 11:48, Vladimir Oltean wrote: > On Mon, Mar 28, 2022 at 09:38:33AM +0200, Hans Schultz wrote: >> On fre, mar 25, 2022 at 22:30, Vladimir Oltean wrote: >> > On Fri, Mar 25, 2022 at 05:01:59PM +0100, Hans Schultz wrote: >> >> > An attacker

[Bridge] [PATCH V3 net-next 0/4] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-05-24 Thread Hans Schultz
through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Hans Schultz (4): net: bridge: add fdb flag to extent locked port feature net: switchdev: add support for offloading of fdb locked flag net: dsa: mv88e6xxx: mac-auth/MAB implementation

[Bridge] [PATCH V3 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag

2022-05-24 Thread Hans Schultz
Used for Mac-auth/MAB feature in the offloaded case. Signed-off-by: Hans Schultz --- include/net/dsa.h | 6 ++ include/net/switchdev.h | 3 ++- net/bridge/br.c | 3 ++- net/bridge/br_fdb.c | 7 +-- net/bridge/br_private.h | 2 +- 5 files changed, 16 insertions(+), 5

[Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-24 Thread Hans Schultz
. Signed-off-by: Hans Schultz --- include/uapi/linux/neighbour.h | 1 + net/bridge/br_fdb.c| 11 +++ net/bridge/br_if.c | 1 + net/bridge/br_input.c | 11 ++- net/bridge/br_private.h| 7 ++- 5 files changed, 29 insertions(+), 2

[Bridge] [PATCH V3 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

2022-05-24 Thread Hans Schultz
Verify that the MAC-Auth mechanism works by adding a FDB entry with the locked flag set, denying access until the FDB entry is replaced with a FDB entry without the locked flag set. Signed-off-by: Hans Schultz --- .../net/forwarding/bridge_locked_port.sh | 42 --- 1 file

[Bridge] [PATCH V3 net-next 3/4] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-05-24 Thread Hans Schultz
locked flag set. The entry is kept according to the bridge's ageing time, thus simulating a dynamic entry. Note: The locked port must have learning enabled for the ATU miss violation to occur. Signed-off-by: Hans Schultz --- drivers/net/dsa/mv88e6xxx/Makefile| 1 + drivers/net/dsa

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-24 Thread Hans Schultz
> > Hi Hans, > So this approach has a fundamental problem, f->dst is changed without any > synchronization > you cannot rely on it and thus you cannot account for these entries properly. > We must be very > careful if we try to add any new synchronization not to affect performance as > well. > M

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-24 Thread Hans Schultz
> > Hi Hans, > So this approach has a fundamental problem, f->dst is changed without any > synchronization > you cannot rely on it and thus you cannot account for these entries properly. > We must be very > careful if we try to add any new synchronization not to affect performance as > well. > M

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-25 Thread Hans Schultz
On ons, maj 25, 2022 at 11:06, Nikolay Aleksandrov wrote: > On 24/05/2022 19:21, Hans Schultz wrote: >>> >>> Hi Hans, >>> So this approach has a fundamental problem, f->dst is changed without any >>> synchronization >>> you cannot rely

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-25 Thread Hans Schultz
On ons, maj 25, 2022 at 11:38, Nikolay Aleksandrov wrote: > On 25/05/2022 11:34, Hans Schultz wrote: >> On ons, maj 25, 2022 at 11:06, Nikolay Aleksandrov >> wrote: >>> On 24/05/2022 19:21, Hans Schultz wrote: >>>>> >>>>> Hi Hans, >&

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-27 Thread Hans Schultz
On tor, maj 26, 2022 at 17:13, Ido Schimmel wrote: > On Tue, May 24, 2022 at 05:21:41PM +0200, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to

Re: [Bridge] [PATCH V3 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests

2022-05-27 Thread Hans Schultz
On tor, maj 26, 2022 at 17:27, Ido Schimmel wrote: > On Tue, May 24, 2022 at 05:21:44PM +0200, Hans Schultz wrote: >> Verify that the MAC-Auth mechanism works by adding a FDB entry with the >> locked flag set. denying access until the FDB entry is replaced with a >> FDB ent

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-27 Thread Hans Schultz
> > As far as the bridge is concerned, locked entries are not really > different from regular learned entries in terms of processing and since > we don't have limits for regular entries I don't think we should have > limits for locked entries. > > I do understand the problem you have in mv88e6xxx a

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-31 Thread Hans Schultz
> Just to give you another data point about how this works in other > devices, I can say that at least in Spectrum this works a bit > differently. Packets that ingress via a locked port and incur an FDB > miss are trapped to the CPU where they should be injected into the Rx > path so that the bridg

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-05-31 Thread Hans Schultz
On tis, maj 31, 2022 at 17:23, Ido Schimmel wrote: > On Tue, May 31, 2022 at 11:34:21AM +0200, Hans Schultz wrote: >> > Just to give you another data point about how this works in other >> > devices, I can say that at least in Spectrum this works a bit >> > different

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-06-02 Thread Hans Schultz
On tis, maj 31, 2022 at 17:23, Ido Schimmel wrote: > On Tue, May 31, 2022 at 11:34:21AM +0200, Hans Schultz wrote: >> > Just to give you another data point about how this works in other >> > devices, I can say that at least in Spectrum this works a bit >> > different

Re: [Bridge] [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature

2022-06-02 Thread Hans Schultz
On tor, jun 02, 2022 at 12:33, Nikolay Aleksandrov wrote: > On 02/06/2022 12:17, Hans Schultz wrote: >> On tis, maj 31, 2022 at 17:23, Ido Schimmel wrote: >>> On Tue, May 31, 2022 at 11:34:21AM +0200, Hans Schultz wrote: >> Another issue is that >> bridge fdb
