[Bridge] [PATCH net-next 09/14] bridge: mcast: Add support for (*, G) with a source list and filter mode

2022-12-08 Thread Ido Schimmel via Bridge
a limit on entries created by user space. Signed-off-by: Ido Schimmel --- Notes: v1: * Use an array instead of a list to store source entries. net/bridge/br_mdb.c | 128 +++- net/bridge/br_private.h | 7 +++ 2 files changed, 132 insertions(+), 3

[Bridge] [PATCH net-next 08/14] bridge: mcast: Avoid arming group timer when (S, G) corresponds to a source

2022-12-08 Thread Ido Schimmel
) corresponds to a source or not. The field will be set in a subsequent patch where br_mdb_add_group_sg() is called in order to create a (S, G) entry for each user provided source. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 2 +- net/bridge/br_private.h | 1 + 2 files changed, 2

[Bridge] [PATCH net-next 07/14] bridge: mcast: Add a flag for user installed source entries

2022-12-08 Thread Ido Schimmel via Bridge
entries are created in response to user requests. Signed-off-by: Ido Schimmel --- net/bridge/br_multicast.c | 3 ++- net/bridge/br_private.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 8432b4ea7f28..48170bd3785e

[Bridge] [PATCH net-next 06/14] bridge: mcast: Expose __br_multicast_del_group_src()

2022-12-08 Thread Ido Schimmel via Bridge
to install a corresponding forwarding entry. Signed-off-by: Ido Schimmel --- Notes: v1: * New patch. net/bridge/br_multicast.c | 11 --- net/bridge/br_private.h | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/net/bridge/br_multicast.c b/net/bridge

[Bridge] [PATCH net-next 05/14] bridge: mcast: Expose br_multicast_new_group_src()

2022-12-08 Thread Ido Schimmel via Bridge
code (i.e., br_mdb.c) that handles RTM_NEWMDB messages. Signed-off-by: Ido Schimmel --- net/bridge/br_multicast.c | 2 +- net/bridge/br_private.h | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index db4c3900ae95

[Bridge] [PATCH net-next 04/14] bridge: mcast: Add a centralized error path

2022-12-08 Thread Ido Schimmel via Bridge
where the memory will be freed. Note that br_mdb_del() already has one error path and therefore does not require any changes. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge

[Bridge] [PATCH net-next 03/14] bridge: mcast: Place netlink policy before validation functions

2022-12-08 Thread Ido Schimmel via Bridge
functions. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index e3bd2122d559..fcdd464cf997 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -663,6 +663,12

[Bridge] [PATCH net-next 02/14] bridge: mcast: Split (*, G) and (S, G) addition into different functions

2022-12-08 Thread Ido Schimmel via Bridge
between both entry types, handle the addition of each entry type in a different function, thereby avoiding the creation of one complex function. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 145 +--- 1 file changed, 96 insertions(+), 49 deletions

[Bridge] [PATCH net-next 01/14] bridge: mcast: Do not derive entry type from its filter mode

2022-12-08 Thread Ido Schimmel via Bridge
filter mode. Subsequent patches will allow user space to set the filter mode of (*, G) entries, making the current assumption incorrect. As a preparation, remove the current assumption and instead determine the entry type from its key, which is a more direct way. Signed-off-by: Ido Schimmel

[Bridge] [PATCH net-next 00/14] bridge: mcast: Extensions for EVPN

2022-12-08 Thread Ido Schimmel via Bridge
251 [8] https://datatracker.ietf.org/doc/html/rfc9251#section-9.1 [9] https://github.com/idosch/iproute2/commits/submit/mdb_v1 [10] https://lore.kernel.org/netdev/20221018120420.561846-1-ido...@nvidia.com/ Ido Schimmel (14): bridge: mcast: Do not derive entry type from its filter mode b

[Bridge] [PATCH net-next v2 9/9] bridge: mcast: Constify 'group' argument in br_multicast_new_port_group()

2022-12-06 Thread Ido Schimmel
The 'group' argument is not modified, so mark it as 'const'. It will allow us to constify arguments of the callers of this function in future patches. Signed-off-by: Ido Schimmel --- Notes: v2: * New patch. net/bridge/br_multicast.c | 2 +- net/bridge/br_private.h | 3 ++- 2 files

[Bridge] [PATCH net-next v2 8/9] bridge: mcast: Remove redundant function arguments

2022-12-06 Thread Ido Schimmel via Bridge
Drop the first three arguments and instead extract them from the MDB configuration structure. Signed-off-by: Ido Schimmel Acked-by: Nikolay Aleksandrov --- net/bridge/br_mdb.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c

[Bridge] [PATCH net-next v2 7/9] bridge: mcast: Move checks out of critical section

2022-12-06 Thread Ido Schimmel
-by: Ido Schimmel Acked-by: Nikolay Aleksandrov --- net/bridge/br_mdb.c | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index d0e018628f5d..d954d8f7cb0a 100644 --- a/net/bridge/br_mdb.c +++ b/net

[Bridge] [PATCH net-next v2 6/9] bridge: mcast: Remove br_mdb_parse()

2022-12-06 Thread Ido Schimmel
The parsing of the netlink messages and the validity checks are now performed in br_mdb_config_init() so we can remove br_mdb_parse(). This finally allows us to stop passing netlink attributes deep in the MDB control path and only use the MDB configuration structure. Signed-off-by: Ido Schimmel

[Bridge] [PATCH net-next v2 5/9] bridge: mcast: Use MDB group key from configuration structure

2022-12-06 Thread Ido Schimmel
-by: Ido Schimmel Acked-by: Nikolay Aleksandrov --- Notes: v2: * Pass 'cfg' as 'const'. net/bridge/br_mdb.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 6017bff8316a..b459886af675 100644 --- a/net/bridge

[Bridge] [PATCH net-next v2 4/9] bridge: mcast: Propagate MDB configuration structure further

2022-12-06 Thread Ido Schimmel via Bridge
As an intermediate step towards only using the new MDB configuration structure, pass it further in the control path instead of passing individual attributes. No functional changes intended. Signed-off-by: Ido Schimmel Acked-by: Nikolay Aleksandrov --- Notes: v2: * Pass 'cfg' as 'const

[Bridge] [PATCH net-next v2 3/9] bridge: mcast: Use MDB configuration structure where possible

2022-12-06 Thread Ido Schimmel via Bridge
. Signed-off-by: Ido Schimmel Acked-by: Nikolay Aleksandrov --- net/bridge/br_mdb.c | 34 +++--- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index c8d78e4ec94e..080516a3ee9c 100644 --- a/net/bridge/br_mdb.c

[Bridge] [PATCH net-next v2 2/9] bridge: mcast: Remove redundant checks

2022-12-06 Thread Ido Schimmel via Bridge
These checks are now redundant as they are performed by br_mdb_config_init() while parsing the RTM_{NEW,DEL}MDB messages. Remove them. Signed-off-by: Ido Schimmel Acked-by: Nikolay Aleksandrov --- net/bridge/br_mdb.c | 63 +++-- 1 file changed, 9

[Bridge] [PATCH net-next v2 0/9] bridge: mcast: Preparations for EVPN extensions

2022-12-06 Thread Ido Schimmel via Bridge
#1: Mark 'nlh' argument as 'const'. * Patch #4: Pass 'cfg' as 'const'. * Patch #5: Pass 'cfg' as 'const'. * Patch #9: New patch. [1] https://lore.kernel.org/netdev/20221018120420.561846-1-ido...@nvidia.com/ [2] https://github.com/idosch/linux/commits/submit/mdb_v1 Ido Schimmel (9): bridge: mcast

[Bridge] [PATCH net-next v2 1/9] bridge: mcast: Centralize netlink attribute parsing

2022-12-06 Thread Ido Schimmel via Bridge
, such as routes and nexthops. Signed-off-by: Ido Schimmel --- Notes: v2: * Remove 'skb' argument from br_mdb_config_init() * Mark 'nlh' argument as 'const'. net/bridge/br_mdb.c | 120 net/bridge/br_private.h | 7 +++ 2 files changed, 127

Re: [Bridge] [PATCH net-next 0/8] bridge: mcast: Preparations for EVPN extensions

2022-12-06 Thread Ido Schimmel
On Mon, Dec 05, 2022 at 01:55:05PM +0200, Nikolay Aleksandrov wrote: > One thought (not a big deal) but it would've been ideal if we could > initialize the config > struct once when parsing and then pass it around as a const argument. I know > that its > arguments are currently passed to

Re: [Bridge] [PATCH net-next 1/8] bridge: mcast: Centralize netlink attribute parsing

2022-12-06 Thread Ido Schimmel via Bridge
On Mon, Dec 05, 2022 at 01:34:08PM +0200, Nikolay Aleksandrov wrote: > I just noticed the skb argument is unused. Does it get used in a future > change? Nope :) > Also a minor nit - I think nlh can be a const, nlmsg_parse_deprecated already > uses a const nlh. Removed the 'skb' argument and

[Bridge] [PATCH net-next 8/8] bridge: mcast: Remove redundant function arguments

2022-12-04 Thread Ido Schimmel
Drop the first three arguments and instead extract them from the MDB configuration structure. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index aa5faccf09f8

[Bridge] [PATCH net-next 7/8] bridge: mcast: Move checks out of critical section

2022-12-04 Thread Ido Schimmel
-by: Ido Schimmel --- net/bridge/br_mdb.c | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 67b6bc7272d3..aa5faccf09f8 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -805,24 +805,6

[Bridge] [PATCH net-next 6/8] bridge: mcast: Remove br_mdb_parse()

2022-12-04 Thread Ido Schimmel
The parsing of the netlink messages and the validity checks are now performed in br_mdb_config_init() so we can remove br_mdb_parse(). This finally allows us to stop passing netlink attributes deep in the MDB control path and only use the MDB configuration structure. Signed-off-by: Ido Schimmel

[Bridge] [PATCH net-next 5/8] bridge: mcast: Use MDB group key from configuration structure

2022-12-04 Thread Ido Schimmel
-by: Ido Schimmel --- net/bridge/br_mdb.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 2f9b192500a3..cb4fd27f118f 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -855,20 +855,19

[Bridge] [PATCH net-next 3/8] bridge: mcast: Use MDB configuration structure where possible

2022-12-04 Thread Ido Schimmel via Bridge
. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 34 +++--- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 68fd34161a40..cdc71516a51b 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c

[Bridge] [PATCH net-next 4/8] bridge: mcast: Propagate MDB configuration structure further

2022-12-04 Thread Ido Schimmel via Bridge
As an intermediate step towards only using the new MDB configuration structure, pass it further in the control path instead of passing individual attributes. No functional changes intended. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 24 +++- 1 file changed, 11

[Bridge] [PATCH net-next 2/8] bridge: mcast: Remove redundant checks

2022-12-04 Thread Ido Schimmel via Bridge
These checks are now redundant as they are performed by br_mdb_config_init() while parsing the RTM_{NEW,DEL}MDB messages. Remove them. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 63 +++-- 1 file changed, 9 insertions(+), 54 deletions(-) diff

[Bridge] [PATCH net-next 1/8] bridge: mcast: Centralize netlink attribute parsing

2022-12-04 Thread Ido Schimmel via Bridge
, such as routes and nexthops. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 120 net/bridge/br_private.h | 7 +++ 2 files changed, 127 insertions(+) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 321be94c445a..c53050e47a0f 100644

[Bridge] [PATCH net-next 0/8] bridge: mcast: Preparations for EVPN extensions

2022-12-04 Thread Ido Schimmel via Bridge
/20221018120420.561846-1-ido...@nvidia.com/ [2] https://github.com/idosch/linux/commits/submit/mdb_v1 Ido Schimmel (8): bridge: mcast: Centralize netlink attribute parsing bridge: mcast: Remove redundant checks bridge: mcast: Use MDB configuration structure where possible bridge: mcast: Propagate

[Bridge] [PATCH net] bridge: switchdev: Fix memory leaks when changing VLAN protocol

2022-11-14 Thread Ido Schimmel via Bridge
frame+0x46/0xb0 Fixes: 279737939a81 ("net: bridge: Fix VLANs memory leak") Reported-by: Vlad Buslov Tested-by: Vlad Buslov Signed-off-by: Ido Schimmel --- net/bridge/br_vlan.c | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/net/bridge/br_vla

[Bridge] [PATCH net-next] bridge: Add missing parentheses

2022-11-10 Thread Ido Schimmel via Bridge
No changes in generated code. Reported-by: Petr Machata Reviewed-by: Petr Machata Signed-off-by: Ido Schimmel --- net/bridge/br_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index d04d2205ad4e..3027e8f6be15 100644

Re: [Bridge] [PATCH net-next 11/15] mlxsw: spectrum_switchdev: Add locked bridge port support

2022-11-09 Thread Ido Schimmel via Bridge
On Tue, Nov 08, 2022 at 04:59:29PM +0200, Vladimir Oltean wrote: > Can't really figure out from the patch, sorry. Port security works with > LAG offload? Yes. It's just that port security needs to be enabled on each of the member ports. FDB entries that point to a LAG are programmed with a

Re: [Bridge] [PATCH net-next 00/15] mlxsw: Add 802.1X and MAB offload support

2022-11-08 Thread Ido Schimmel via Bridge
+ Vladimir You weren't copied on the patches by mistake. They are available here: https://lore.kernel.org/netdev/cover.1667902754.git.pe...@nvidia.com/ On Tue, Nov 08, 2022 at 11:47:06AM +0100, Petr Machata wrote: > Ido Schimmel writes: > > This patchset adds 802.1X [1] and MAB [2

Re: [Bridge] [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload

2022-11-06 Thread Ido Schimmel via Bridge
On Sun, Nov 06, 2022 at 01:04:36PM +0100, net...@kapio-technology.com wrote: > On 2022-10-25 12:00, Ido Schimmel wrote: > > Merge plan > > == > > > > We need to agree on a merge plan that allows us to start submitting > > patches for inclusion and

Re: [Bridge] [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications

2022-11-03 Thread Ido Schimmel via Bridge
On Thu, Nov 03, 2022 at 10:31:52PM +, Vladimir Oltean wrote: > Hi Ido, > > On Mon, Oct 31, 2022 at 10:32:10AM +0200, Vladimir Oltean wrote: > > On Sun, Oct 30, 2022 at 10:23:07AM +0200, Ido Schimmel wrote: > > > Right. I'm quite reluctant to add the MAB flag to >

Re: [Bridge] [RFC PATCH net-next 17/19] bridge: mcast: Allow user space to add (*, G) with a source list and filter mode

2022-11-03 Thread Ido Schimmel via Bridge
On Wed, Oct 19, 2022 at 04:28:23PM +0300, Nikolay Aleksandrov wrote: > On 18/10/2022 15:04, Ido Schimmel wrote: > > +static int br_mdb_config_src_list_init(struct nlattr *src_list, > > + struct br_mdb_config *cfg, > > +

[Bridge] [PATCH net-next 2/2] selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases

2022-11-01 Thread Ido Schimmel via Bridge
flushed from a port when MAB is disabled. Signed-off-by: Hans J. Schultz Signed-off-by: Ido Schimmel --- Notes: v1: * Adjust commit message. * Add FDB flushing test case. Changes made by me: * Reword commit message. * Remove blackhole tests as they are not rele

[Bridge] [PATCH net-next 1/2] bridge: Add MAC Authentication Bypass (MAB) support

2022-11-01 Thread Ido Schimmel via Bridge
re pure 802.1X deployments that are not interested in notifications about locked FDB entries. Signed-off-by: Hans J. Schultz Signed-off-by: Ido Schimmel --- Notes: v1: * Extend commit message. * Adjust extack message. * Flush locked FDB entries when MAB is disabled. * Refresh locked FDB ent

[Bridge] [PATCH net-next 0/2] bridge: Add MAC Authentication Bypass (MAB) support

2022-11-01 Thread Ido Schimmel via Bridge
Patch #1 adds MAB support in the bridge driver. See the commit message for motivation, design choices and implementation details. Patch #2 adds corresponding test cases. Follow-up patchsets will add offload support in mlxsw and mv88e6xxx. Hans J. Schultz (2): bridge: Add MAC Authentication

[Bridge] [PATCH net] bridge: Fix flushing of dynamic FDB entries

2022-11-01 Thread Ido Schimmel via Bridge
:00:00:00:01 self permanent 01:00:5e:00:00:01 self permanent Fixes: 1f78ee14eeac ("net: bridge: fdb: add support for fine-grained flushing") Signed-off-by: Ido Schimmel --- net/bridge/br_netlink.c | 2 +- net/bridge/br_sysfs_br.c | 2 +- 2 files changed, 2 insertions(+), 2 deletion

Re: [Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support

2022-10-31 Thread Ido Schimmel via Bridge
On Sun, Oct 30, 2022 at 11:09:31PM +0100, net...@kapio-technology.com wrote: > On 2022-10-25 12:00, Ido Schimmel wrote: > > @@ -943,6 +946,14 @@ static int br_setport(struct net_bridge_port *p, > > struct nlattr *tb[], > > br_set_port_flag(p, tb, IFLA_

Re: [Bridge] [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries

2022-10-30 Thread Ido Schimmel via Bridge
On Thu, Oct 27, 2022 at 11:27:48PM +, Vladimir Oltean wrote: > On Tue, Oct 25, 2022 at 01:00:12PM +0300, Ido Schimmel wrote: > > From: "Hans J. Schultz" > > > > When the bridge is offloaded to hardware, FDB entries are learned and > > aged-out by the hard

Re: [Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support

2022-10-30 Thread Ido Schimmel via Bridge
On Fri, Oct 28, 2022 at 09:45:52AM +0200, net...@kapio-technology.com wrote: > On 2022-10-28 00:58, Vladimir Oltean wrote: > > > I was going to ask if we should bother to add code to prohibit packets > > from being forwarded to an FDB entry that was learned as LOCKED, since > > that FDB entry is

Re: [Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support

2022-10-30 Thread Ido Schimmel via Bridge
On Thu, Oct 27, 2022 at 10:58:32PM +, Vladimir Oltean wrote: > Hi Ido, > > Thanks for the commit message. It is very good. > > On Tue, Oct 25, 2022 at 01:00:09PM +0300, Ido Schimmel wrote: > > From: "Hans J. Schultz" > > > > Hosts that support 802

Re: [Bridge] [RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication

2022-10-30 Thread Ido Schimmel via Bridge
On Thu, Oct 27, 2022 at 11:10:41PM +, Vladimir Oltean wrote: > On Tue, Oct 25, 2022 at 01:00:11PM +0300, Ido Schimmel wrote: > > Currently, FDB entries that are notified to the bridge via > > 'SWITCHDEV_FDB_ADD_TO_BRIDGE' are always marked as offloaded. With

Re: [Bridge] [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications

2022-10-30 Thread Ido Schimmel via Bridge
On Thu, Oct 27, 2022 at 11:39:40PM +, Vladimir Oltean wrote: > On Tue, Oct 25, 2022 at 01:00:18PM +0300, Ido Schimmel wrote: > > In Spectrum, learning happens in parallel to the security checks. > > Therefore, regardless of the result of the security checks, a learning

Re: [Bridge] [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload

2022-10-25 Thread Ido Schimmel via Bridge
On Tue, Oct 25, 2022 at 04:09:07PM +0200, net...@kapio-technology.com wrote: > On 2022-10-25 12:00, Ido Schimmel wrote: > > > > Future work > > === > > > > The hostapd fork by Westermo is using dynamic FDB entries to authorize > > hosts [3]. Cha

Re: [Bridge] [RFC PATCH net-next 00/19] bridge: mcast: Extensions for EVPN

2022-10-25 Thread Ido Schimmel via Bridge
On Tue, Oct 18, 2022 at 12:21:12PM -0700, Jakub Kicinski wrote: > On Tue, 18 Oct 2022 15:04:01 +0300 Ido Schimmel wrote: > > [ MDBE_ATTR_SRC_LIST ] // new > > [ MDBE_SRC_LIST_ENTRY ] > > [ MDBE_SRCATTR_ADDRESS ] > >

[Bridge] [RFC PATCH net-next 16/16] selftests: mlxsw: Add a test for invalid locked bridge port configurations

2022-10-25 Thread Ido Schimmel via Bridge
Test that locked bridge port configurations that are not supported by mlxsw are rejected. Signed-off-by: Ido Schimmel --- .../selftests/drivers/net/mlxsw/rtnetlink.sh | 31 +++ 1 file changed, 31 insertions(+) diff --git a/tools/testing/selftests/drivers/net/mlxsw/rtnetlink.sh

[Bridge] [RFC PATCH net-next 15/16] selftests: mlxsw: Add a test for locked port trap

2022-10-25 Thread Ido Schimmel via Bridge
Test that packets received via a locked bridge port whose {SMAC, VID} does not appear in the bridge's FDB or appears with a different port, trigger the "locked_port" packet trap. Signed-off-by: Ido Schimmel --- .../net/mlxsw/devlink_trap_l2_drops.sh| 105

[Bridge] [RFC PATCH net-next 14/16] selftests: mlxsw: Add a test for EAPOL trap

2022-10-25 Thread Ido Schimmel via Bridge
Test that packets with a destination MAC of 01:80:C2:00:00:03 trigger the "eapol" packet trap. Signed-off-by: Ido Schimmel --- .../drivers/net/mlxsw/devlink_trap_control.sh | 22 +++ 1 file changed, 22 insertions(+) diff --git a/tools/testing/selftests/drivers

[Bridge] [RFC PATCH net-next 13/16] selftests: devlink_lib: Split out helper

2022-10-25 Thread Ido Schimmel via Bridge
Merely checking whether a trap counter incremented or not without logging a test result is useful on its own. Split this functionality to a helper which will be used by subsequent patches. Signed-off-by: Ido Schimmel --- .../selftests/net/forwarding/devlink_lib.sh | 19 --- 1

[Bridge] [RFC PATCH net-next 12/16] mlxsw: spectrum_switchdev: Add locked bridge port support

2022-10-25 Thread Ido Schimmel via Bridge
bridge port that has VLAN uppers. # bridge link set dev swp1 locked on # ip link add link swp1 name swp1.10 type vlan id 10 Error: mlxsw_spectrum: VLAN uppers are not supported on a locked port. Signed-off-by: Ido Schimmel --- .../net/ethernet/mellanox/mlxsw/spectrum.c| 4

[Bridge] [RFC PATCH net-next 11/16] mlxsw: spectrum_switchdev: Use extack in bridge port flag validation

2022-10-25 Thread Ido Schimmel via Bridge
. Signed-off-by: Ido Schimmel --- .../net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c index

[Bridge] [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications

2022-10-25 Thread Ido Schimmel via Bridge
is enabled. User space can then decide to authorize the host by clearing the "locked" flag, which will cause the entry to be programmed to the device. Signed-off-by: Ido Schimmel --- .../net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 12 1 file changed, 12 insertion

[Bridge] [RFC PATCH net-next 09/16] mlxsw: spectrum_switchdev: Prepare for locked FDB notifications

2022-10-25 Thread Ido Schimmel via Bridge
Subsequent patches will need to report locked FDB entries to the bridge driver. Prepare for that by adding a 'locked' argument to mlxsw_sp_fdb_call_notifiers() according to which the 'locked' bit is set in the FDB notification info. For now, always pass 'false'. Signed-off-by: Ido Schimmel

[Bridge] [RFC PATCH net-next 08/16] mlxsw: spectrum: Add an API to configure security checks

2022-10-25 Thread Ido Schimmel via Bridge
Add an API to enable or disable security checks on a local port. It will be used by subsequent patches when the 'BR_PORT_LOCKED' flag is toggled. Signed-off-by: Ido Schimmel --- drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 18 ++ drivers/net/ethernet/mellanox/mlxsw

[Bridge] [RFC PATCH net-next 07/16] mlxsw: reg: Add Switch Port FDB Security Register

2022-10-25 Thread Ido Schimmel via Bridge
Add the Switch Port FDB Security Register (SPFSR) that allows enabling and disabling security checks on a given local port. In Linux terms, it allows locking / unlocking a port. Signed-off-by: Ido Schimmel --- drivers/net/ethernet/mellanox/mlxsw/reg.h | 34 +++ 1 file

[Bridge] [RFC PATCH net-next 06/16] mlxsw: spectrum_trap: Register 802.1X packet traps with devlink

2022-10-25 Thread Ido Schimmel via Bridge
ck failure. Signed-off-by: Ido Schimmel --- drivers/net/ethernet/mellanox/mlxsw/reg.h | 1 + .../ethernet/mellanox/mlxsw/spectrum_trap.c | 25 +++ drivers/net/ethernet/mellanox/mlxsw/trap.h| 2 ++ 3 files changed, 28 insertions(+) diff --git a/drivers/net/ethernet/mell

[Bridge] [RFC PATCH net-next 05/16] devlink: Add packet traps for 802.1X operation

2022-10-25 Thread Ido Schimmel via Bridge
e locked bridge port check. Signed-off-by: Ido Schimmel --- Documentation/networking/devlink/devlink-trap.rst | 13 + include/net/devlink.h | 9 + net/core/devlink.c| 3 +++ 3 files changed, 25 insertions(+) diff -

[Bridge] [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries

2022-10-25 Thread Ido Schimmel via Bridge
tics are implemented in the software data path. Signed-off-by: Hans J. Schultz Signed-off-by: Ido Schimmel --- Notes: Changes made by me: * Reword commit message. * Forbid locked entries when MAB is not enabled. * Forbid roaming of locked entries. * Avoid setting 'locked

[Bridge] [RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication

2022-10-25 Thread Ido Schimmel via Bridge
authorization, but it does not mean that these entries are necessarily programmed in the underlying hardware. Solve this by determining the offload indication based on the 'offloaded' bit in the FDB notification. Signed-off-by: Ido Schimmel --- Notes: Needs auditing to see which device drivers

[Bridge] [RFC PATCH net-next 02/16] selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases

2022-10-25 Thread Ido Schimmel via Bridge
eby authenticating the host and allowing it to communicate via the bridge. * Test that an entry cannot roam to a locked port, but that it can roam to an unlocked port. * Test that MAB can only be enabled on a port that is both locked and has learning enabled. Signed-off-by: Hans J. Schultz

[Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support

2022-10-25 Thread Ido Schimmel via Bridge
h locked and has learning enabled. A new option is added because there are pure 802.1X deployments that are not interested in notifications about "locked" FDB entries. Signed-off-by: Hans J. Schultz Signed-off-by: Ido Schimmel --- Notes: Changes made by me: * Rewo

[Bridge] [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload

2022-10-25 Thread Ido Schimmel via Bridge
selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases bridge: switchdev: Allow device drivers to install locked FDB entries Ido Schimmel (13): bridge: switchdev: Let device drivers determine FDB offload indication devlink: Add packet traps for 802.1X operation mlxsw

Re: [Bridge] [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-10-23 Thread Ido Schimmel via Bridge
On Sat, Oct 22, 2022 at 05:49:51PM +0300, Vladimir Oltean wrote: > On Sat, Oct 22, 2022 at 04:49:50PM +0300, Ido Schimmel wrote: > > In the above scenario, learning does not need to be on for the bridge to > > populate its FDB, but rather for the bridge to refresh the dynamic

Re: [Bridge] [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation

2022-10-22 Thread Ido Schimmel via Bridge
On Fri, Oct 21, 2022 at 09:14:11PM +0300, Vladimir Oltean wrote: > On Fri, Oct 21, 2022 at 07:39:34PM +0200, net...@kapio-technology.com wrote: > > Well, with this change, to have MAB working, the bridge would need learning > > on > > of course, but how things work with the bridge according to

Re: [Bridge] [PATCH v8 net-next 05/12] net: dsa: propagate the locked flag down through the DSA layer

2022-10-20 Thread Ido Schimmel via Bridge
On Thu, Oct 20, 2022 at 05:11:04PM +0300, Vladimir Oltean wrote: > On Thu, Oct 20, 2022 at 04:57:35PM +0300, Ido Schimmel wrote: > > > Right now this packet isn't generated, right? > > > > Right. We don't support BR_PORT_LOCKED so these checks are not currently

Re: [Bridge] [PATCH v8 net-next 05/12] net: dsa: propagate the locked flag down through the DSA layer

2022-10-20 Thread Ido Schimmel via Bridge
On Thu, Oct 20, 2022 at 05:04:00PM +0300, Vladimir Oltean wrote: > On Thu, Oct 20, 2022 at 04:57:35PM +0300, Ido Schimmel wrote: > > On Thu, Oct 20, 2022 at 04:35:06PM +0300, Vladimir Oltean wrote: > > > On Thu, Oct 20, 2022 at 04:24:16PM +0300, Ido Schimmel wrote: > >

Re: [Bridge] [PATCH v8 net-next 05/12] net: dsa: propagate the locked flag down through the DSA layer

2022-10-20 Thread Ido Schimmel via Bridge
On Thu, Oct 20, 2022 at 04:35:06PM +0300, Vladimir Oltean wrote: > On Thu, Oct 20, 2022 at 04:24:16PM +0300, Ido Schimmel wrote: > > On Thu, Oct 20, 2022 at 04:02:24PM +0300, Vladimir Oltean wrote: > > > On Tue, Oct 18, 2022 at 06:56:12PM +0200, Hans J. Schultz wrote: > >

Re: [Bridge] [PATCH v8 net-next 05/12] net: dsa: propagate the locked flag down through the DSA layer

2022-10-20 Thread Ido Schimmel via Bridge
On Thu, Oct 20, 2022 at 04:02:24PM +0300, Vladimir Oltean wrote: > On Tue, Oct 18, 2022 at 06:56:12PM +0200, Hans J. Schultz wrote: > > @@ -3315,6 +3316,7 @@ static int dsa_slave_fdb_event(struct net_device *dev, > > struct dsa_port *dp = dsa_slave_to_port(dev); > > bool host_addr =

Re: [Bridge] [PATCH v8 net-next 02/12] net: bridge: add blackhole fdb entry flag

2022-10-20 Thread Ido Schimmel via Bridge
; > Thus the command will be alike to: > bridge fdb add MAC dev br0 local blackhole > > Signed-off-by: Hans J. Schultz Looks OK to me. See one comment below. Reviewed-by: Ido Schimmel [...] > @@ -1140,7 +1148,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct

Re: [Bridge] [PATCH v8 net-next 01/12] net: bridge: add locked entry fdb flag to extend locked port feature

2022-10-20 Thread Ido Schimmel via Bridge
lag and remove it by replacing or deleting the FDB entry. > > Locked entries will age out with the set bridge ageing time. > > Signed-off-by: Hans J. Schultz Overall looks OK to me. See one comment below. Reviewed-by: Ido Schimmel [...] > @@ -1178,6 +1192,14 @@ int br

Re: [Bridge] [PATCH v8 net-next 12/12] selftests: forwarding: add MAB tests to locked port tests

2022-10-20 Thread Ido Schimmel via Bridge
cannot roam from an unlocked port to a locked port. > > Add test of blackhole fdb entries, verifying that there is no forwarding > to a blackhole entry from any port, and that the blackhole entry can be > replaced. > > Signed-off-by: Hans J. Schultz Reviewed-by: Ido Schimmel Tested-by: Ido Schimmel

Re: [Bridge] [PATCH v8 net-next 00/12] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

2022-10-20 Thread Ido Schimmel via Bridge
On Wed, Oct 19, 2022 at 11:58:09AM -0700, Jakub Kicinski wrote: > FWIW half of this posting got stuck on the "email pipes" for a day.. > somehow. Let's give Ido and others a chance to have a look but you'll > need to repost even if it's flawless because the build bots can't deal > with a delay

[Bridge] [RFC PATCH net-next 19/19] bridge: mcast: Support replacement of MDB port group entries

2022-10-18 Thread Ido Schimmel via Bridge
grp 239.1.1.1 temp filter_mode include source_list 192.0.2.4/259.44,192.0.2.3/259.44 proto bgp 0.00 Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 103 ++-- net/bridge/br_private.h | 1 + 2 files changed, 99 insertions(+), 5 deletions

[Bridge] [RFC PATCH net-next 18/19] bridge: mcast: Allow user space to specify MDB entry routing protocol

2022-10-18 Thread Ido Schimmel via Bridge
grp 239.1.1.1 src 192.0.2.1 permanent filter_mode include proto zebra dev br0 port dummy10 grp 239.1.1.1 permanent filter_mode exclude proto static Signed-off-by: Ido Schimmel --- include/uapi/linux/if_bridge.h | 1 + net/bridge/br_mdb.c| 10 -- net/bridge/br_private.h

[Bridge] [RFC PATCH net-next 17/19] bridge: mcast: Allow user space to add (*, G) with a source list and filter mode

2022-10-18 Thread Ido Schimmel via Bridge
Signed-off-by: Ido Schimmel --- include/uapi/linux/if_bridge.h | 20 + net/bridge/br_mdb.c| 132 + 2 files changed, 152 insertions(+) diff --git a/include/uapi/linux/if_bridge.h b/include/uapi/linux/if_bridge.h index a86a7e7b811f..0d9fe73fc48c 100644

[Bridge] [RFC PATCH net-next 16/19] bridge: mcast: Add support for (*, G) with a source list and filter mode

2022-10-18 Thread Ido Schimmel via Bridge
a limit on entries created by user space. For example, by adding a new argument to br_multicast_new_group_src(). Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 130 +++- net/bridge/br_private.h | 7 +++ 2 files changed, 134 insertions(+), 3

[Bridge] [RFC PATCH net-next 15/19] bridge: mcast: Avoid arming group timer when (S, G) corresponds to a source

2022-10-18 Thread Ido Schimmel via Bridge
) corresponds to a source or not. The field will be set in a subsequent patch where br_mdb_add_group_sg() is called in order to create a (S, G) entry for each user provided source. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 2 +- net/bridge/br_private.h | 1 + 2 files changed, 2

[Bridge] [RFC PATCH net-next 14/19] bridge: mcast: Add a flag for user installed source entries

2022-10-18 Thread Ido Schimmel via Bridge
entries are created in response to user requests. Signed-off-by: Ido Schimmel --- net/bridge/br_multicast.c | 3 ++- net/bridge/br_private.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 14f72d11f4a2..5d2dd114c54c

[Bridge] [RFC PATCH net-next 13/19] bridge: mcast: Expose br_multicast_new_group_src()

2022-10-18 Thread Ido Schimmel via Bridge
code (i.e., br_mdb.c) that handles RTM_NEWMDB messages. Signed-off-by: Ido Schimmel --- net/bridge/br_multicast.c | 2 +- net/bridge/br_private.h | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 09140bc8c15e

[Bridge] [RFC PATCH net-next 12/19] bridge: mcast: Add a centralized error path

2022-10-18 Thread Ido Schimmel via Bridge
where the memory will be freed. Note that br_mdb_del() already has one error path and therefore does not require any changes. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge

[Bridge] [RFC PATCH net-next 11/19] bridge: mcast: Place netlink policy before validation functions

2022-10-18 Thread Ido Schimmel via Bridge
functions. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index a48eef866974..26740df62fd6 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -663,6 +663,12

[Bridge] [RFC PATCH net-next 10/19] bridge: mcast: Split (*, G) and (S, G) addition into different functions

2022-10-18 Thread Ido Schimmel via Bridge
between both entry types, handle the addition of each entry type in a different function, thereby avoiding the creation of one complex function. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 145 +--- 1 file changed, 96 insertions(+), 49 deletions

[Bridge] [RFC PATCH net-next 09/19] bridge: mcast: Do not derive entry type from its filter mode

2022-10-18 Thread Ido Schimmel via Bridge
filter mode. Subsequent patches will allow user space to set the filter mode of (*, G) entries, making the current assumption incorrect. As a preparation, remove the current assumption and instead determine the entry type from its key, which is a more direct way. Signed-off-by: Ido Schimmel

[Bridge] [RFC PATCH net-next 08/19] bridge: mcast: Remove redundant function arguments

2022-10-18 Thread Ido Schimmel via Bridge
Drop the first three arguments and instead extract them from the MDB configuration structure. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index aa5faccf09f8

[Bridge] [RFC PATCH net-next 06/19] bridge: mcast: Remove br_mdb_parse()

2022-10-18 Thread Ido Schimmel via Bridge
The parsing of the netlink messages and the validity checks are now performed in br_mdb_config_init() so we can remove br_mdb_parse(). This finally allows us to stop passing netlink attributes deep in the MDB control path and only use the MDB configuration structure. Signed-off-by: Ido Schimmel

[Bridge] [RFC PATCH net-next 07/19] bridge: mcast: Move checks out of critical section

2022-10-18 Thread Ido Schimmel via Bridge
-by: Ido Schimmel --- net/bridge/br_mdb.c | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 67b6bc7272d3..aa5faccf09f8 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -805,24 +805,6

[Bridge] [RFC PATCH net-next 05/19] bridge: mcast: Use MDB group key from configuration structure

2022-10-18 Thread Ido Schimmel via Bridge
-by: Ido Schimmel --- net/bridge/br_mdb.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 2f9b192500a3..cb4fd27f118f 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -855,20 +855,19

[Bridge] [RFC PATCH net-next 04/19] bridge: mcast: Propagate MDB configuration structure further

2022-10-18 Thread Ido Schimmel via Bridge
As an intermediate step towards only using the new MDB configuration structure, pass it further in the control path instead of passing individual attributes. No functional changes intended. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 24 +++- 1 file changed, 11

[Bridge] [RFC PATCH net-next 03/19] bridge: mcast: Use MDB configuration structure where possible

2022-10-18 Thread Ido Schimmel via Bridge
. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 34 +++--- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 68fd34161a40..cdc71516a51b 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c

[Bridge] [RFC PATCH net-next 02/19] bridge: mcast: Remove redundant checks

2022-10-18 Thread Ido Schimmel via Bridge
These checks are now redundant as they are performed by br_mdb_config_init() while parsing the RTM_{NEW,DEL}MDB messages. Remove them. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 63 +++-- 1 file changed, 9 insertions(+), 54 deletions(-) diff

[Bridge] [RFC PATCH net-next 01/19] bridge: mcast: Centralize netlink attribute parsing

2022-10-18 Thread Ido Schimmel via Bridge
, such as routes and nexthops. Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 120 net/bridge/br_private.h | 7 +++ 2 files changed, 127 insertions(+) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 321be94c445a..c53050e47a0f 100644

[Bridge] [RFC PATCH net-next 00/19] bridge: mcast: Extensions for EVPN

2022-10-18 Thread Ido Schimmel via Bridge
ttps://datatracker.ietf.org/doc/html/rfc9251#section-9.1 [9] https://github.com/idosch/iproute2/commits/submit/mdb_rfc_v1 Ido Schimmel (19): bridge: mcast: Centralize netlink attribute parsing bridge: mcast: Remove redundant checks bridge: mcast: Use MDB configuration structure where pos

[Bridge] [PATCH net-next 4/4] bridge: mcast: Simplify MDB entry creation

2022-10-18 Thread Ido Schimmel via Bridge
Before creating a new MDB entry, br_multicast_new_group() will call br_mdb_ip_get() to see if one exists and return it if so. Therefore, simply call br_multicast_new_group() and omit the call to br_mdb_ip_get(). Signed-off-by: Ido Schimmel --- net/bridge/br_mdb.c | 11 +++ 1 file

[Bridge] [PATCH net-next 3/4] bridge: mcast: Use spin_lock() instead of spin_lock_bh()

2022-10-18 Thread Ido Schimmel via Bridge
IGMPv3 / MLDv2 Membership Reports are only processed from the data path with softIRQ disabled, so there is no need to call spin_lock_bh(). Use spin_lock() instead. This is consistent with how other IGMP / MLD packets are processed. Signed-off-by: Ido Schimmel --- net/bridge/br_multicast.c | 8

[Bridge] [PATCH net-next 1/4] selftests: bridge_vlan_mcast: Delete qdiscs during cleanup

2022-10-18 Thread Ido Schimmel via Bridge
cleanup. Signed-off-by: Ido Schimmel --- tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh index 8748d1b1d95b
