netdev at kapio-technology.com
2022-Oct-30 22:09 UTC
[Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support
On 2022-10-25 12:00, Ido Schimmel wrote:> diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c > index 5aeb3646e74c..bbc82c70b091 100644 > --- a/net/bridge/br_netlink.c > +++ b/net/bridge/br_netlink.c > @@ -188,6 +188,7 @@ static inline size_t br_port_info_size(void) > + nla_total_size(1) /* IFLA_BRPORT_NEIGH_SUPPRESS */ > + nla_total_size(1) /* IFLA_BRPORT_ISOLATED */ > + nla_total_size(1) /* IFLA_BRPORT_LOCKED */ > + + nla_total_size(1) /* IFLA_BRPORT_MAB */ > + nla_total_size(sizeof(struct ifla_bridge_id)) /* > IFLA_BRPORT_ROOT_ID */ > + nla_total_size(sizeof(struct ifla_bridge_id)) /* > IFLA_BRPORT_BRIDGE_ID */ > + nla_total_size(sizeof(u16)) /* IFLA_BRPORT_DESIGNATED_PORT */ > @@ -274,7 +275,8 @@ static int br_port_fill_attrs(struct sk_buff *skb, > nla_put_u8(skb, IFLA_BRPORT_MRP_IN_OPEN, > !!(p->flags & BR_MRP_LOST_IN_CONT)) || > nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)) > || > - nla_put_u8(skb, IFLA_BRPORT_LOCKED, !!(p->flags & > BR_PORT_LOCKED))) > + nla_put_u8(skb, IFLA_BRPORT_LOCKED, !!(p->flags & > BR_PORT_LOCKED)) || > + nla_put_u8(skb, IFLA_BRPORT_MAB, !!(p->flags & BR_PORT_MAB))) > return -EMSGSIZE; > > timerval = br_timer_value(&p->message_age_timer); > @@ -876,6 +878,7 @@ static const struct nla_policy > br_port_policy[IFLA_BRPORT_MAX + 1] = { > [IFLA_BRPORT_NEIGH_SUPPRESS] = { .type = NLA_U8 }, > [IFLA_BRPORT_ISOLATED] = { .type = NLA_U8 }, > [IFLA_BRPORT_LOCKED] = { .type = NLA_U8 }, > + [IFLA_BRPORT_MAB] = { .type = NLA_U8 }, > [IFLA_BRPORT_BACKUP_PORT] = { .type = NLA_U32 }, > [IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT] = { .type = NLA_U32 }, > }; 
> @@ -943,6 +946,14 @@ static int br_setport(struct net_bridge_port *p, > struct nlattr *tb[], > br_set_port_flag(p, tb, IFLA_BRPORT_NEIGH_SUPPRESS, > BR_NEIGH_SUPPRESS); > br_set_port_flag(p, tb, IFLA_BRPORT_ISOLATED, BR_ISOLATED); > br_set_port_flag(p, tb, IFLA_BRPORT_LOCKED, BR_PORT_LOCKED); > + br_set_port_flag(p, tb, IFLA_BRPORT_MAB, BR_PORT_MAB); > + > + if ((p->flags & BR_PORT_MAB) && > + (!(p->flags & BR_PORT_LOCKED) || !(p->flags & BR_LEARNING))) { > + NL_SET_ERR_MSG(extack, "MAB can only be enabled on a locked port > with learning enabled");It's a bit odd to get this message when turning off learning on a port with MAB on, e.g.... # bridge link set dev a2 learning off Error: MAB can only be enabled on a locked port with learning enabled.
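Review bot: In the br_port_policy[] hunk, IFLA_BRPORT_MAB is declared as a plain NLA_U8, so validation accepts any value from 0 to 255 for an attribute that the fill side reports as a boolean, !!(p->flags & BR_PORT_MAB). Consider NLA_POLICY_MAX(NLA_U8, 1) for the new attribute so that values other than 0 and 1 are rejected at parse time. If the plain type is kept for consistency with IFLA_BRPORT_LOCKED and IFLA_BRPORT_ISOLATED next to it, say so in the commit message.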
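Review bot: In the br_setport() hunk, the new check tests p->flags after the attributes in the request have been applied, so it fires on any request that leaves BR_PORT_MAB set without BR_PORT_LOCKED and BR_LEARNING, including one that only clears learning or locked, while the extack text "MAB can only be enabled on a locked port with learning enabled" describes only the case of turning MAB on. Word the message as a condition on the port's state rather than on the act of enabling MAB. The quoted lines stop at NL_SET_ERR_MSG, so also confirm that this error path restores the previous value of p->flags, since br_set_port_flag() has already changed it by the time the check fails.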
Ido Schimmel
2022-Oct-31 14:43 UTC
[Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support
On Sun, Oct 30, 2022 at 11:09:31PM +0100, netdev at kapio-technology.com wrote:> On 2022-10-25 12:00, Ido Schimmel wrote: > > @@ -943,6 +946,14 @@ static int br_setport(struct net_bridge_port *p, > > struct nlattr *tb[], > > br_set_port_flag(p, tb, IFLA_BRPORT_NEIGH_SUPPRESS, > > BR_NEIGH_SUPPRESS); > > br_set_port_flag(p, tb, IFLA_BRPORT_ISOLATED, BR_ISOLATED); > > br_set_port_flag(p, tb, IFLA_BRPORT_LOCKED, BR_PORT_LOCKED); > > + br_set_port_flag(p, tb, IFLA_BRPORT_MAB, BR_PORT_MAB); > > + > > + if ((p->flags & BR_PORT_MAB) && > > + (!(p->flags & BR_PORT_LOCKED) || !(p->flags & BR_LEARNING))) { > > + NL_SET_ERR_MSG(extack, "MAB can only be enabled on a locked port > > with learning enabled"); > > It's a bit odd to get this message when turning off learning on a port with > MAB on, e.g.... > > # bridge link set dev a2 learning off > Error: MAB can only be enabled on a locked port with learning enabled.It's better if you suggest something else. How about: "Bridge port must be locked and have learning enabled when MAB is enabled" ?