- 05 Nov, 2022 6 commits
-
-
Edward Cree authored
Support matching on ip_frag and ip_firstfrag. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Edward Cree authored
Support matching on IP protocol, Type of Service, Time To Live, source and destination addresses, with masking if supported by the hardware. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Edward Cree authored
Support matching on EtherType, VLANs and ethernet source/destination addresses, with masking if supported by the hardware. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Edward Cree authored
Offloaded TC rules always match on recirc_id in the MAE, so we should check that the MAE reported support for this match before attempting to insert the rule. These checks allow us to fail early, avoiding the PCIe round-trip to firmware for an MC_CMD_MAE_ACTION_RULE_INSERT that will only fail, and more importantly providing a more informative error message that identifies which match field is unsupported. Signed-off-by: Edward Cree <ecree.xilinx@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Nathan Chancellor authored
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals:

  drivers/net/ethernet/renesas/rswitch.c:1533:20: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit = rswitch_start_xmit,
                            ^~~~~~~~~~~~~~~~~~
  1 error generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of rswitch_start_xmit() to match the prototype's to resolve the warning and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221103220032.2142122-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Zhengchao Shao authored
Now ip_metrics_convert() is only called by ip_fib_metrics_init(). Before ip_fib_metrics_init() invokes ip_metrics_convert(), it checks whether input parameter fc_mx is NULL. Therefore, ip_metrics_convert() doesn't need to check fc_mx.

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20221104022513.168868-1-shaozhengchao@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
- 04 Nov, 2022 33 commits
-
-
David S. Miller authored
Alex Elder says:

====================
net: ipa: support more endpoints

This series adds support for more than 32 IPA endpoints. To do this, five registers whose bits represent endpoint state are replicated as needed to represent endpoints beyond 32. For existing platforms, the number of endpoints is never greater than 32, so there is just one of each register. IPA v5.0+ supports more than that though; these changes prepare the code for that.

Beyond that, the IPA fields that represent endpoints in a 32-bit bitmask are updated to support an arbitrary number of these endpoint registers. (There is one exception, explained in patch 7.)

The first two patches are some sort of unrelated cleanups, making use of a helper function introduced recently. The third and fourth use parameterized functions to determine the register offset for registers that represent endpoints. The last five convert fields representing endpoints to allow more than 32 endpoints to be represented.

Since v1, I have implemented Jakub's suggestions:
  - Don't print a message on (bitmap) memory allocation failure
  - Do not do "mass null checks" when allocating bitmaps
  - Rework some code to ensure error path is sane
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Replace the 32-bit unsigned used to track enabled endpoints with a Linux bitmap, to allow an arbitrary number of endpoints to be represented. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Replace the 32-bit unsigned used to track endpoints that have completed setup with a Linux bitmap, to allow an arbitrary number of endpoints to be represented. Rework the error handling in ipa_endpoint_init() so the defined endpoint bitmap is freed if an error occurs early. Once endpoints have been initialized, ipa_endpoint_exit() is used to recover if the set of filtered endpoints is invalid. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Prior to IPA v5.0, there could be no more than 32 endpoints. A filter table begins with a bitmap indicating which endpoints have a filter defined. That bitmap is currently assumed to fit in a 32-bit value. Starting with IPA v5.0, more than 32 endpoints are supported, so it's conceivable that a TX endpoint has an ID that exceeds 32. Increase the size of the field representing endpoints that support filtering to 64 bits. Rename the bitmap field "filtered". Unlike other similar fields, we do not use an (arbitrarily long) Linux bitmap for this purpose. The reason is that if a filter table ever *did* need to support more than 64 TX endpoints, its format would change in ways we can't anticipate. Have ipa_endpoint_init() return a negative errno rather than a mask that indicates which endpoints support filtering, and have that function assign the "filtered" field directly. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Similar to the previous patch, replace the 32-bit unsigned used to track endpoints supported by hardware with a Linux bitmap, to allow an arbitrary number of endpoints to be represented. Move ipa_endpoint_deconfig() above ipa_endpoint_config() and use it in the error path of the latter function. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
IPA v5.0 supports more than 32 endpoints, so we will be unable to represent endpoints defined in the configuration data with a 32-bit value. To prepare for that, convert the field in the IPA structure representing defined endpoints to be a Linux bitmap. Convert loops based on that field into for_each_set_bit() calls over the new bitmap. Note that the loop in ipa_endpoint_config() still assumes there are 32 or fewer endpoints (when comparing against the available endpoint bit mask); that assumption goes away in the next patch. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
The SUSPEND_INFO, SUSPEND_EN, SUSPEND_CLR registers represent endpoint IDs in a bit mask. When more than 32 endpoints are supported, these registers will be replicated as needed to represent the number of supported endpoints. Update the definitions of these registers to have a stride of 4 bytes, and update the code that operates them to select the proper offset and bit. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Starting with IPA v5.0, a single IPA instance can have more than 32 endpoints defined. To handle this, each register that holds a bitmap of IPA endpoints is replicated as needed to represent the available endpoints. To prepare for this, registers that represent endpoint IDs in a bit mask will be defined to have a parameter, with a stride value of 4 bytes. The first 32 endpoints are represented in the first 32-bit register, then the next (up to) 32 endpoints at an offset 4 bytes higher. When accessing such a register, the endpoint ID divided by 32 determines the offset, and the endpoint ID modulo 32 defines the endpoint's bit position within the register. The first two registers we'll update for this are STATE_AGGR_ACTIVE and AGGR_FORCE_CLOSE. Until more than 32 endpoints are supported, this change has no practical effect. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Similar to the previous commit, pass flags rather than a memory region ID to ipa_table_reset_add(), and there use ipa_table_mem() to look up the memory region affected based on those flags. Currently all eight of these table memory regions are assumed to exist, because they all have canaries within them. Stop assuming that will always be the case, and in ipa_table_reset_add() allow these memory regions to be non-existent. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Recently ipa_table_mem() was added as a way to look up one of 8 possible memory regions by indicating whether it was a filter or route table, hashed or not, and IPv6 or not. We can simplify the interface to ipa_table_init_add() by passing two flags to it instead of the opcode and both hashed and non-hashed memory region IDs. The "filter" and "ipv6" flags are sufficient to determine the opcode to use, and with ipa_table_mem() can look up the correct memory region as well. It's possible to not have hashed tables, but we already verify the number of entries in a filter or routing table is nonzero. Stop assuming a hashed table entry exists in ipa_table_init_add(). Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Colin Ian King authored
Variable total_payload_len is being used to accumulate payload lengths however it is never read or used afterwards. It is redundant and can be removed. Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue
Jakub Kicinski authored
Tony Nguyen says:

====================
Intel Wired LAN Driver Updates 2022-11-02 (i40e, iavf)

This series contains updates to i40e and iavf drivers.

Joe Damato adds tracepoint information to i40e_napi_poll to expose helpful debug information for users who'd like to get a better understanding of how their NIC is performing as they adjust various parameters and tuning knobs. Note: this does not touch any XDP related code paths. This tracepoint will only work when not using XDP. Care has been taken to avoid changing control flow in i40e_napi_poll with this change.

Alicja adds error messaging for unsupported duplex settings for i40e.

Ye Xingchen replaces use of __FUNCTION__ with __func__ for iavf.

Bartosz changes tense of device removal message to be more clear on the action for iavf.

* '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue:
  iavf: Change information about device removal in dmesg
  iavf: Replace __FUNCTION__ with __func__
  i40e: Add appropriate error message logged for incorrect duplex setting
  i40e: Add i40e_napi_poll tracepoint
  i40e: Record number of RXes cleaned during NAPI
  i40e: Record number TXes cleaned during NAPI
  i40e: Store the irq number in i40e_q_vector
====================

Link: https://lore.kernel.org/r/20221102211011.2944983-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue
Jakub Kicinski authored
Tony Nguyen says:

====================
Intel Wired LAN Driver Updates 2022-11-02 (e1000e, e1000, igc)

This series contains updates to e1000e, e1000, and igc drivers.

For e1000e, Sasha adds a new board type to help distinguish platforms and adds device id support for upcoming platforms. He also adds trace points for CSME flows to aid in debugging.

Ani removes unnecessary kmap_atomic call for e1000 and e1000e.

Muhammad sets speed based transmit offsets for launchtime functionality to reduce latency for igc.

* '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue:
  igc: Correct the launchtime offset
  e1000: Remove unnecessary use of kmap_atomic()
  e1000e: Remove unnecessary use of kmap_atomic()
  e1000e: Add e1000e trace module
  e1000e: Add support for the next LOM generation
  e1000e: Separate MTP board type from ADP
====================

Link: https://lore.kernel.org/r/20221102203957.2944396-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Nathan Chancellor authored
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals:

  drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit = baycom_send_packet,
                            ^~~~~~~~~~~~~~~~~~
  1 error generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet() to match the prototype's to resolve the warning and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Nathan Chancellor authored
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals:

  drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit = netcp_ndo_start_xmit,
                            ^~~~~~~~~~~~~~~~~~~~
  1 error generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of netcp_ndo_start_xmit() to match the prototype's to resolve the warning and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Christophe JAILLET authored
strtobool() is the same as kstrtobool(). However, the latter is more used within the kernel. In order to remove strtobool() and slightly simplify kstrtox.h, switch to the other function name. While at it, include the corresponding header file (<linux/kstrtox.h>).

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/d4432a67b6f769cac0a9ec910ac725298b64e102.1667336095.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jakub Kicinski authored
Jiri Pirko says:

====================
net: fix netdev to devlink_port linkage and expose to user

Currently, the info about linkage from netdev to the related devlink_port instance is done using ndo_get_devlink_port(). This is not sufficient, as it is up to the driver to implement it and some of them don't do that. Also it leads to a lot of unnecessary boilerplate code in all the drivers.

Instead of that, introduce a possibility for driver to expose this relationship by new SET_NETDEV_DEVLINK_PORT macro which stores it into dev->devlink_port. It is ensured by the driver init/fini flows that the devlink_port pointer does not change during the netdev lifetime. Devlink port is always registered before netdev register and unregistered after netdev unregister.

Benefit from this linkage setup and remove explicit calls from driver to devlink_port_type_eth_set() and clear(). Many of the drivers didn't use it correctly anyway. Let devlink.c track associated netdev events and adjust type and type pointer accordingly. Also use these events to keep track on ifname change and remove RTNL lock taking from devlink_nl_port_fill().

Finally, remove the ndo_get_devlink_port() ndo which is no longer used and expose devlink_port handle as a new netdev netlink attribute to the user. That way, during the ifname->devlink_port lookup, userspace app does not have to dump whole devlink port list and instead it can just do a simple RTM_GETLINK query.
====================

Link: https://lore.kernel.org/r/20221102160211.662752-1-jiri@resnulli.us
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Expose devlink port handle related to netdev over rtnetlink. Introduce a new nested IFLA attribute to carry the info. Call into devlink code to fill-up the nest with existing devlink attributes that are used over devlink netlink. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Remove ndo_get_devlink_port which is no longer used alongside with the implementations in drivers. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Use newly introduced devlink_port pointer instead of getting it calling to ndo_get_devlink_port op. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
By the time port unregister is called, there should be no type set. Make sure that the driver cleared it before and warn in case it didn't. This enforces symmetricity with type set and port register. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
To avoid a need to take RTNL mutex in port_fill() function, benefit from the introduced infrastructure that tracks netdevice notifier events. Store the ifindex and ifname upon register and change name events. Remove the rtnl_held bool propagated down to port_fill() function as it is no longer needed. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
It is ensured by the netdevice notifier event processing, that only netdev pointers from the same net namespaces are filled. Remove the net namespace check from devlink_nl_port_fill() as it is no longer needed. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Since devlink_port_type_eth_set() should no longer be called by any driver with netdev pointer as it should rather use SET_NETDEV_DEVLINK_PORT, remove the netdev arg. Add a warn to type_clear(). Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Benefit from the previously implemented tracking of netdev events in devlink code and instead of calling devlink_port_type_eth_set() and devlink_port_type_clear() to set devlink port type and link to related netdev, use SET_NETDEV_DEVLINK_PORT() macro to assign devlink_port pointer to netdevice which is about to be registered. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Currently, ethernet drivers are using devlink_port_type_eth_set() and devlink_port_type_clear() to set devlink port type and link to related netdev. Instead of calling them directly, let the driver use SET_NETDEV_DEVLINK_PORT macro to assign devlink_port pointer and let devlink to track it. Note the devlink port pointer is static during the time netdevice is registered. In devlink code, use per-namespace netdev notifier to track the netdevices with devlink_port assigned and change the internal devlink_port type and related type pointer accordingly. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Follow-up patch is going to introduce a netdevice notifier event processing which is called with RTNL mutex held. Processing of this will eventually lead to call to port_notity() and port_fill() which currently takes RTNL mutex internally. So as a temporary solution, propagate a bool indicating if the mutex is already held. This will go away in one of the follow-up patches. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
As __devlink_port_type_set() is going to be called directly from netdevice notifier event handle in one of the follow-up patches, move the port_type_netdev_checks() call there. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
As __devlink_port_type_set() is going to be called directly from netdevice notifier event handle in one of the follow-up patches, move the port_type_warn_schedule() call there. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jiri Pirko authored
Instead of storing type_dev as a void pointer, convert it to union and use it to store either struct net_device or struct ib_device pointer. Signed-off-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jakub Kicinski authored
Ido Schimmel says:

====================
bridge: Add MAC Authentication Bypass (MAB) support

Patch #1 adds MAB support in the bridge driver. See the commit message for motivation, design choices and implementation details.

Patch #2 adds corresponding test cases.

Follow-up patchsets will add offload support in mlxsw and mv88e6xxx.
====================

Link: https://lore.kernel.org/r/20221101193922.2125323-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hans J. Schultz authored
Add four test cases to verify MAB functionality:

* Verify that a locked FDB entry can be generated by the bridge, preventing a host from communicating via the bridge. Test that user space can clear the "locked" flag by replacing the entry, thereby authenticating the host and allowing it to communicate via the bridge.

* Test that an entry cannot roam to a locked port, but that it can roam to an unlocked port.

* Test that MAB can only be enabled on a port that is both locked and has learning enabled.

* Test that locked FDB entries are flushed from a port when MAB is disabled.

Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hans J. Schultz authored
Hosts that support 802.1X authentication are able to authenticate themselves by exchanging EAPOL frames with an authenticator (Ethernet bridge, in this case) and an authentication server. Access to the network is only granted by the authenticator to successfully authenticated hosts.

The above is implemented in the bridge using the "locked" bridge port option. When enabled, link-local frames (e.g., EAPOL) can be locally received by the bridge, but all other frames are dropped unless the host is authenticated. That is, unless the user space control plane installed an FDB entry according to which the source address of the frame is located behind the locked ingress port. The entry can be dynamic, in which case learning needs to be enabled so that the entry will be refreshed by incoming traffic.

There are deployments in which not all the devices connected to the authenticator (the bridge) support 802.1X. Such devices can include printers and cameras. One option to support such deployments is to unlock the bridge ports connecting these devices, but a slightly more secure option is to use MAB. When MAB is enabled, the MAC address of the connected device is used as the user name and password for the authentication.

For MAB to work, the user space control plane needs to be notified about MAC addresses that are trying to gain access so that they will be compared against an allow list. This can be implemented via the regular learning process with the sole difference that learned FDB entries are installed with a new "locked" flag indicating that the entry cannot be used to authenticate the device. The flag cannot be set by user space, but user space can clear the flag by replacing the entry, thereby authenticating the device.

Locked FDB entries implement the following semantics with regards to roaming, aging and forwarding:

1. Roaming: Locked FDB entries can roam to unlocked (authorized) ports, in which case the "locked" flag is cleared. FDB entries cannot roam to locked ports regardless of MAB being enabled or not. Therefore, locked FDB entries are only created if an FDB entry with the given {MAC, VID} does not already exist. This behavior prevents unauthenticated devices from disrupting traffic destined to already authenticated devices.

2. Aging: Locked FDB entries age and refresh by incoming traffic like regular entries.

3. Forwarding: Locked FDB entries forward traffic like regular entries. If user space detects an unauthorized MAC behind a locked port and wishes to prevent traffic with this MAC DA from reaching the host, it can do so using tc or a different mechanism.

Enable the above behavior using a new bridge port option called "mab". It can only be enabled on a bridge port that is both locked and has learning enabled. Locked FDB entries are flushed from the port once MAB is disabled. A new option is added because there are pure 802.1X deployments that are not interested in notifications about locked FDB entries.

Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
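The locked-entry rules described in this commit (a locked entry learned behind a MAB port that drops the host's traffic and notifies user space, user space authenticating the host by replacing the entry, no roaming onto a locked port, roaming onto an unlocked port clearing the flag, and locked entries flushed when MAB is turned off) are small enough to model end to end. The following Python simulation is an added illustration for this page, not the bridge driver's code; the port names, MAC addresses, VLAN IDs and the notification list are constructed, and aging is not modelled.

```python
"""Toy model of the bridge MAB / locked-FDB semantics described above.

Added illustration: this is not the kernel's bridge code. Port names,
MAC addresses and VLAN IDs used below are constructed, and FDB aging is
not modelled.
"""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    locked: bool = False    # "locked" bridge port option
    learning: bool = True   # source-address learning enabled
    mab: bool = False       # "mab" bridge port option


@dataclass
class FdbEntry:
    port: str
    locked: bool = False    # set only by the bridge, never by user space


class Bridge:
    def __init__(self):
        self.ports: dict[str, Port] = {}
        self.fdb: dict[tuple[str, int], FdbEntry] = {}
        # (mac, vid, port) tuples user space would be notified about
        self.notifications: list[tuple[str, int, str]] = []

    def add_port(self, name, locked=False, learning=True):
        self.ports[name] = Port(name, locked, learning)

    def set_mab(self, name, enable):
        """MAB can only be enabled on a locked port with learning on;
        disabling it flushes the port's locked entries."""
        p = self.ports[name]
        if enable and not (p.locked and p.learning):
            raise ValueError(f"{name}: mab requires locked on and learning on")
        p.mab = enable
        if not enable:
            stale = [k for k, e in self.fdb.items() if e.port == name and e.locked]
            for k in stale:
                del self.fdb[k]

    def ingress(self, port_name, mac, vid):
        """Handle a frame with source `mac` arriving on `port_name`.
        Returns True if the frame may be forwarded, False if it is dropped."""
        p = self.ports[port_name]
        key = (mac, vid)
        entry = self.fdb.get(key)
        if entry is None:
            if p.locked:
                # Unknown host behind a locked port: with MAB, learn a
                # *locked* entry and notify user space; drop either way.
                if p.mab and p.learning:
                    self.fdb[key] = FdbEntry(port_name, locked=True)
                    self.notifications.append((mac, vid, port_name))
                return False
            if p.learning:
                self.fdb[key] = FdbEntry(port_name)
            return True
        if entry.port != port_name:
            # Roaming: never onto a locked port; onto an unlocked port the
            # entry moves and its locked flag is cleared.
            if p.locked:
                return False
            if p.learning:
                entry.port, entry.locked = port_name, False
            return True
        # Entry already behind this port (traffic refreshes it). On a
        # locked port only an unlocked entry authenticates the host.
        return not (p.locked and entry.locked)

    def userspace_replace(self, mac, vid, port_name):
        """Control plane replaces the entry, clearing the locked flag and
        thereby authenticating the host."""
        self.fdb[(mac, vid)] = FdbEntry(port_name, locked=False)


def demo():
    """Walk through the printer scenario and return the observed decisions."""
    br = Bridge()
    br.add_port("swp1", locked=True)   # constructed: 802.1X-facing port
    br.add_port("swp2")                # constructed: ordinary unlocked port
    br.set_mab("swp1", True)
    printer = "00:00:5e:00:53:01"      # constructed: device without 802.1X
    first = br.ingress("swp1", printer, 1)        # dropped, locked entry learned
    br.userspace_replace(printer, 1, "swp1")      # allow-listed by control plane
    after_auth = br.ingress("swp1", printer, 1)   # now forwarded
    return {"first": first, "after_auth": after_auth,
            "notified": list(br.notifications)}


if __name__ == "__main__":
    print(demo())
```

`demo()` is the MAB path in one pass; the `Bridge` methods can be driven directly to exercise the roaming and flush rules as well, which mirrors what the four selftests in the following commit check.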
-
- 03 Nov, 2022 1 commit
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Jakub Kicinski authored
No conflicts. Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-