    net: dsa: mv88e6xxx: mac-auth/MAB implementation · 830763b9
    Hans J. Schultz authored
    This implementation for the Marvell mv88e6xxx chip series is based on
    handling ATU miss violations occurring when packets ingress on a port
    that is locked with learning on. This will trigger a
    SWITCHDEV_FDB_ADD_TO_BRIDGE event, which will result in the bridge module
    adding a locked FDB entry. This bridge FDB entry will not age out as
    it has the extern_learn flag set.
    
    Userspace daemons can listen to these events and either accept or deny
    access for the host, by either replacing the locked FDB entry with a
    simple entry or leaving the locked entry.
    
    If the host MAC address is already present on another port, an ATU
    member violation will occur, but to no real effect, and the packet will
    be dropped in hardware. Statistics on these violations can be shown with
    the command and example output of interest:
    
    ethtool -S ethX
    NIC statistics:
    ...
         atu_member_violation: 5
         atu_miss_violation: 23
    ...
    
    Where ethX is the interface of the MAB enabled port.
    
    Furthermore, as added vlan interfaces where the vid is not added to the
    VTU will cause ATU miss violations reporting the FID as
    MV88E6XXX_FID_STANDALONE, we need to check and skip the miss violations
    handling in this case.

    Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
    Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
switchdev.c 1.55 KB
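
The two counters named in the commit message can be watched over time to spot hosts hitting a locked port. The following is an added example, not part of the commit or the mv88e6xxx driver: it parses two `ethtool -S` samples and reports the increase in each ATU counter. The alert thresholds, the counter-reset handling and the second sample are assumptions made for illustration.

```python
import re

# Counter names as they appear in the `ethtool -S` output quoted in the commit message.
MEMBER = "atu_member_violation"   # host MAC already present on another port
MISS = "atu_miss_violation"       # ingress on the locked port from a MAC not in the ATU

_STAT_RE = re.compile(r"^\s*([\w.-]+):\s*(\d+)\s*$")

def parse_ethtool_stats(text):
    """Return {counter: int} for each 'name: value' line; headers and '...' are skipped."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def atu_deltas(prev_text, curr_text):
    """Increase of each ATU counter between two samples.

    A counter missing from either sample yields None (port without these stats).
    A counter that went backwards is treated as reset (assumption: reboot or
    driver reload), so the current value is reported as the increase.
    """
    prev, curr = parse_ethtool_stats(prev_text), parse_ethtool_stats(curr_text)
    deltas = {}
    for name in (MEMBER, MISS):
        if name not in prev or name not in curr:
            deltas[name] = None
        elif curr[name] < prev[name]:
            deltas[name] = curr[name]
        else:
            deltas[name] = curr[name] - prev[name]
    return deltas

def alerts(deltas, member_min=1, miss_min=10):
    """Counters whose increase reached its threshold (thresholds are assumed values)."""
    limits = {MEMBER: member_min, MISS: miss_min}
    return [n for n, d in deltas.items() if d is not None and d >= limits[n]]

# Constructed samples: the first repeats the values shown in the commit message,
# the second is a made-up later reading of the same port.
SAMPLE_T0 = "NIC statistics:\n     atu_member_violation: 5\n     atu_miss_violation: 23\n"
SAMPLE_T1 = "NIC statistics:\n     atu_member_violation: 7\n     atu_miss_violation: 25\n"

if __name__ == "__main__":
    d = atu_deltas(SAMPLE_T0, SAMPLE_T1)
    print(d, alerts(d))
```

In practice the two text samples would come from running `ethtool -S ethX` on the MAB-enabled port at two points in time.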