Hans Schultz
2022-Jun-30 10:05 UTC
[Bridge] [PATCH net-next v1 0/1] enable locked port feature with learning
This patch is related to the patch set "Add support for locked bridge ports (for 802.1X)"
Link: https://lore.kernel.org/netdev/20220223101650.1212814-1-schultz.hans+netdev at gmail.com/

This patch makes the locked port feature work with learning turned on, which is enabled with the command:

bridge link set dev DEV learning on

Without this patch, multicast packets like EAPOL packets will create an fdb entry when ingressing on a locked port with learning turned on, thus unintentionally opening up the port for traffic for the said MAC.

Some switchcore features like Mac-Auth and refreshing of FDB entries require learning enabled on some switchcores, f.ex. the mv88e6xxx family. Other features may apply too.

Since many switchcores trap or mirror various multicast packets to the CPU, they will unintentionally unlock the port for the SA mac in question unless prevented by this patch.

Hans Schultz (1):
  net: bridge: ensure that multicast packets cannot unlock a locked port

 net/bridge/br_input.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.30.2
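To make the failure mode described in the cover letter concrete, here is an added, simplified C model (not bridge code and not part of the patch set) of the two receive paths involved: the link-local path that learns the source address, and the ordinary frame path that drops frames on a locked port unless the source address is already in the fdb. The names (port, fdb, handle_local_finish, handle_frame_forwards) and the per-port fdb are assumptions of the model; only the flag logic mirrors the condition the patch changes.

```c
/* Simplified model of the locked-port / learning interaction (added example). */
#include <stdbool.h>
#include <string.h>

#define BR_LEARNING    (1u << 0)
#define BR_PORT_LOCKED (1u << 1)
#define FDB_MAX 8

/* Hypothetical per-port forwarding database: the real bridge keeps one
 * table per bridge with a destination port per entry. */
struct fdb { unsigned char mac[FDB_MAX][6]; int n; };
struct port { unsigned flags; struct fdb fdb; };

static bool fdb_find(const struct fdb *f, const unsigned char *mac) {
    for (int i = 0; i < f->n; i++)
        if (!memcmp(f->mac[i], mac, 6)) return true;
    return false;
}

static void fdb_update(struct fdb *f, const unsigned char *mac) {
    if (!fdb_find(f, mac) && f->n < FDB_MAX) memcpy(f->mac[f->n++], mac, 6);
}

/* Link-local (01:80:c2) receive path, e.g. an EAPOL frame: learn the SA if
 * learning is on. `patched` adds the BR_PORT_LOCKED test from the patch. */
void handle_local_finish(struct port *p, const unsigned char *sa, bool patched) {
    if ((p->flags & BR_LEARNING) && !(patched && (p->flags & BR_PORT_LOCKED)))
        fdb_update(&p->fdb, sa);
}

/* Ordinary frame path: on a locked port the SA must already be known,
 * otherwise the frame is dropped before any learning happens. */
bool handle_frame_forwards(struct port *p, const unsigned char *sa) {
    if ((p->flags & BR_PORT_LOCKED) && !fdb_find(&p->fdb, sa)) return false;
    if (p->flags & BR_LEARNING) fdb_update(&p->fdb, sa);
    return true;
}

/* Scenario from the cover letter: an unknown host sends an EAPOL frame into a
 * locked port with learning on, then a normal data frame from the same SA.
 * Returns true if the data frame is forwarded, i.e. the port was opened. */
bool port_unlocked_by_eapol(bool patched) {
    struct port p = { .flags = BR_LEARNING | BR_PORT_LOCKED };
    const unsigned char host[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    handle_local_finish(&p, host, patched);
    return handle_frame_forwards(&p, host);
}
```

Without the patch the EAPOL frame alone is enough to admit the host's unicast traffic; with it the data frame is still dropped until the port is unlocked by other means.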
Hans Schultz
2022-Jun-30 10:05 UTC
[Bridge] [PATCH net-next v1 1/1] net: bridge: ensure that multicast packets cannot unlock a locked port
This makes it possible to use the locked port feature with learning turned on which is needed for various driver features. Signed-off-by: Hans Schultz <hans at kapio-technology.com> --- net/bridge/br_input.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 68b3e850bcb9..a3ce0a151817 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -215,6 +215,7 @@ static void __br_handle_local_finish(struct sk_buff *skb) if ((p->flags & BR_LEARNING) && nbp_state_should_learn(p) && !br_opt_get(p->br, BROPT_NO_LL_LEARN) && + !(p->flags & BR_PORT_LOCKED) && br_should_learn(p, skb, &vid)) br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, 0); } -- 2.30.2
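Review bot: The title and the one-line commit message should name the receive path this actually changes and why: `__br_handle_local_finish` is the link-local (01:80:c2) path, so "multicast packets" overstates the scope, and the rationale from the cover letter (an EAPOL frame ingressing a locked port with learning on would otherwise create an fdb entry and open the port for that source MAC) belongs in this commit message, since the cover letter does not survive in git history. The new `!(p->flags & BR_PORT_LOCKED) &&` test sits before `br_should_learn(p, skb, &vid)`, which is the cheap position; a one-line comment above the condition stating that locked ports must never learn from link-local frames would help the next reader of this function.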
Nikolay Aleksandrov
2022-Jun-30 10:22 UTC
[Bridge] [PATCH net-next v1 1/1] net: bridge: ensure that multicast packets cannot unlock a locked port
On 30/06/2022 13:05, Hans Schultz wrote:
> This makes it possible to use the locked port feature with learning > turned on which is needed for various driver features. > > Signed-off-by: Hans Schultz <hans at kapio-technology.com> > --- > net/bridge/br_input.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c > index 68b3e850bcb9..a3ce0a151817 100644 > --- a/net/bridge/br_input.c > +++ b/net/bridge/br_input.c > @@ -215,6 +215,7 @@ static void __br_handle_local_finish(struct sk_buff *skb) > if ((p->flags & BR_LEARNING) && > nbp_state_should_learn(p) && > !br_opt_get(p->br, BROPT_NO_LL_LEARN) && > + !(p->flags & BR_PORT_LOCKED) && > br_should_learn(p, skb, &vid)) > br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, 0); > }

hmm, this is called for link-local traffic (01:80:c2), the title is misleading. Please include the real traffic type because it doesn't concern mcast.
Also please include the long explanation from the 0 patch in this one and drop the cover letter, it's good to have the info.

Thanks,
Nik