Ido Schimmel
2022-Aug-27 18:21 UTC
[Bridge] [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
On Fri, Aug 26, 2022 at 01:45:38PM +0200, Hans Schultz wrote:> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan" > +ALL_TESTS=" > + locked_port_ipv4 > + locked_port_ipv6 > + locked_port_vlan > + locked_port_mab > + locked_port_station_move > + locked_port_mab_station_move > +" > + > NUM_NETIFS=4 > CHECK_TC="no" > source lib.sh > @@ -166,6 +174,103 @@ locked_port_ipv6() > log_test "Locked port ipv6" > } > > +locked_port_mab() > +{ > + RET=0 > + check_locked_port_support || return 0 > + > + ping_do $h1 192.0.2.2 > + check_err $? "MAB: Ping did not work before locking port" > + > + bridge link set dev $swp1 locked on > + bridge link set dev $swp1 learning on"locked on learning on" is counter intuitive and IMO very much a misconfiguration that we should have disallowed when the "locked" option was introduced. It is my understanding that the only reason we are even talking about it is because mv88e6xxx needs it for MAB for some reason. Please avoid leaking this implementation detail to user space and instead use the "MAB" flag to enable learning if you need it in mv88e6xxx.> + if ! bridge link set dev $swp1 mab on 2>/dev/null; then > + echo "SKIP: iproute2 too old; MacAuth feature not supported." > + return $ksft_skip > + fiPlease add a similar function to check_locked_port_support() and invoke it next to it.> + > + ping_do $h1 192.0.2.2 > + check_fail $? "MAB: Ping worked on locked port without FDB entry" > + > + bridge fdb show | grep `mac_get $h1` | grep -q "locked" > + check_err $? "MAB: No locked fdb entry after ping on locked port" > + > + bridge fdb replace `mac_get $h1` dev $swp1 master static > + > + ping_do $h1 192.0.2.2 > + check_err $? "MAB: Ping did not work with fdb entry without locked flag" > + > + bridge fdb del `mac_get $h1` dev $swp1 masterMissing: bridge link set dev $swp1 mab off> + bridge link set dev $swp1 learning offCan be removed assuming we get rid of "learning on" above.> + bridge link set dev $swp1 locked off > + > + log_test "Locked port MAB" > +} > + > +# No roaming allowed to a simple locked port > +locked_port_station_move() > +{ > + local mac=a0:b0:c0:c0:b0:a0 > + > + RET=0 > + check_locked_port_support || return 0 > + > + bridge link set dev $swp1 locked on > + bridge link set dev $swp1 learning onSame comment as above.> + > + $MZ $h1 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0" > + check_fail $? "Locked port station move: FDB entry on first injection" > + > + $MZ $h2 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp2 | grep -q "$mac vlan 1 master br0" > + check_err $? "Locked port station move: Entry not found on unlocked port"Looks like this is going to fail with offloaded data path as according to fdb_print_flags() in iproute2 both the "extern_learn" and "offload" flags will be printed before "master". I suggest using "bridge fdb get" instead (didn't test, might need small tweaks, but you will figure it): bridge fdb get $mac br br0 vlan 1 master 2> /dev/null | grep -q "$swp2" Same in other places where "bridge fdb show" is used.> + > + $MZ $h1 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0" > + check_fail $? "Locked port station move: entry roamed to locked port"Missing: bridge link set dev $swp1 locked off bridge fdb del $mac dev $swp1 master vlan 1> + > + log_test "Locked port station move" > +} > + > +# Roaming to and from a MAB enabled port should work if sticky flag is not set > +locked_port_mab_station_move() > +{ > + local mac=10:20:30:30:20:10 > + > + RET=0 > + check_locked_port_support || return 0 > + > + bridge link set dev $swp1 locked on > + bridge link set dev $swp1 learning onSame comment as above.> + if ! bridge link set dev $swp1 mab on 2>/dev/null; thenSame comment as above.> + echo "SKIP: iproute2 too old; MacAuth feature not supported." > + return $ksft_skip > + fi > + > + $MZ $h1 -q -t udp -a $mac -b rand > + if bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0" | grep -q sticky; thenWill need to change to "permanent" instead of "sticky".> + echo "SKIP: Roaming not possible with sticky flag, run sticky flag roaming test" > + return $ksft_skipMissing cleanup before the return.> + fi > + > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0 locked" > + check_err $? "MAB station move: no locked entry on first injection" > + > + $MZ $h2 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0 locked" > + check_fail $? "MAB station move: locked entry did not move" > + > + bridge fdb show dev $swp2 | grep -q "$mac vlan 1 master br0"Need to check that it does not roam with the "locked" flag set.> + check_err $? "MAB station move: roamed entry not found" > + > + $MZ $h1 -q -t udp -a $mac -b rand > + bridge fdb show dev $swp1 | grep -q "$mac vlan 1 master br0 locked" > + check_err $? "MAB station move: entry did not roam back to locked port"This will need to change to "check_fail" assuming we don't allow roaming from an authorized port to an unauthorized port, which I believe makes sense.> +Missing cleanup.> + log_test "Locked port MAB station move" > +} > + > trap cleanup EXIT > > setup_prepare
netdev at kapio-technology.com
2022-Aug-28 12:00 UTC
[Bridge] [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
On 2022-08-27 20:21, Ido Schimmel wrote:> On Fri, Aug 26, 2022 at 01:45:38PM +0200, Hans Schultz wrote: >> +locked_port_mab() >> +{ >> + RET=0 >> + check_locked_port_support || return 0 >> + >> + ping_do $h1 192.0.2.2 >> + check_err $? "MAB: Ping did not work before locking port" >> + >> + bridge link set dev $swp1 locked on >> + bridge link set dev $swp1 learning on > > "locked on learning on" is counter intuitive and IMO very much a > misconfiguration that we should have disallowed when the "locked" > option > was introduced. It is my understanding that the only reason we are even > talking about it is because mv88e6xxx needs it for MAB for some reason.As the way mv88e6xxx implements "learning off" is to remove port association for ingress packets on a port, but that breaks many other things such as refreshing ATU entries and violation interrupts, so it is needed and the question is then what is the worst to have 'learning on' on a locked port or to have the locked port enabling learning in the driver silently? Opinions seem to differ. Note that even on locked ports without MAB, port association on ingress is still needed in future as I have a dynamic ATU patch set coming, that uses age out violation and hardware refreshing to let the hardware keep the dynamic entries as long as the authorized station is sending, but will age the entry out if the station keeps silent for the ageing time. But that patch set is dependent on this patch set, and I don't think I can send it before this is accepted...> Please avoid leaking this implementation detail to user space and > instead use the "MAB" flag to enable learning if you need it in > mv88e6xxx. >
netdev at kapio-technology.com
2022-Aug-29 16:07 UTC
[Bridge] [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
On 2022-08-27 20:21, Ido Schimmel wrote:> On Fri, Aug 26, 2022 at 01:45:38PM +0200, Hans Schultz wrote:>> + $MZ $h2 -q -t udp -a $mac -b rand >> + bridge fdb show dev $swp2 | grep -q "$mac vlan 1 master br0" >> + check_err $? "Locked port station move: Entry not found on unlocked >> port" > > Looks like this is going to fail with offloaded data path as according > to fdb_print_flags() in iproute2 both the "extern_learn" and "offload" > flags will be printed before "master". >The output shows like: 74:e1:e1:2c:4f:18 dev eth8 vlan 1 master br0 extern_learn offload sticky locked blackhole "sticky" will of course become "permanent", but I can still make it more resilient by piping grep. I suppose that I will keep the "sticky_no_roaming" test even though it is not really needed here anymore?
Ido Schimmel
2022-Sep-03 14:49 UTC
[Bridge] [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
On Mon, Aug 29, 2022 at 06:07:59PM +0200, netdev at kapio-technology.com wrote:> On 2022-08-27 20:21, Ido Schimmel wrote: > > On Fri, Aug 26, 2022 at 01:45:38PM +0200, Hans Schultz wrote: > > > > + $MZ $h2 -q -t udp -a $mac -b rand > > > + bridge fdb show dev $swp2 | grep -q "$mac vlan 1 master br0" > > > + check_err $? "Locked port station move: Entry not found on > > > unlocked port" > > > > Looks like this is going to fail with offloaded data path as according > > to fdb_print_flags() in iproute2 both the "extern_learn" and "offload" > > flags will be printed before "master". > > > > The output shows like: > 74:e1:e1:2c:4f:18 dev eth8 vlan 1 master br0 extern_learn offload sticky > locked blackhole > > "sticky" will of course become "permanent", but I can still make it more > resilient by piping grep.OK.> > I suppose that I will keep the "sticky_no_roaming" test even though it is > not really needed here anymore?You can send it separately if you want.