On Tue, Mar 15, 2022 at 09:59:49AM +0100, Hans Schultz wrote: > On mån, mar 14, 2022 at 17:50, Ido Schimmel <idosch@xxxxxxxxxx> wrote: > > On Thu, Mar 10, 2022 at 03:23:17PM +0100, Hans Schultz wrote: > >> This patch set extends the locked port feature for devices > >> that are behind a locked port, but do not have the ability to > >> authorize themselves as a supplicant using IEEE 802.1X. > >> Such devices can be printers, meters or anything related to > >> fixed installations. Instead of 802.1X authorization, devices > >> can get access based on their MAC addresses being whitelisted. > >> > >> For an authorization daemon to detect that a device is trying > >> to get access through a locked port, the bridge will add the > >> MAC address of the device to the FDB with a locked flag to it. > >> Thus the authorization daemon can catch the FDB add event and > >> check if the MAC address is in the whitelist and if so replace > >> the FDB entry without the locked flag enabled, and thus open > >> the port for the device. > >> > >> This feature is known as MAC-Auth or MAC Authentication Bypass > >> (MAB) in Cisco terminology, where the full MAB concept involves > >> additional Cisco infrastructure for authorization. There is no > >> real authentication process, as the MAC address of the device > >> is the only input the authorization daemon, in the general > >> case, has to base the decision if to unlock the port or not. > >> > >> With this patch set, an implementation of the offloaded case is > >> supplied for the mv88e6xxx driver. When a packet ingresses on > >> a locked port, an ATU miss violation event will occur. When > > > > When do you get an ATU miss violation? In case there is no FDB entry for > > the SA or also when there is an FDB entry, but it points to a different > > port? I see that the bridge will only create a "locked" FDB entry in > > case there is no existing entry, but it will not transition an existing > > entry to "locked" state. I guess ATU miss refers to an actual miss and > > not mismatch. > > > > On a locked port, I get ATU miss violations when there is no FDB entry > for the SA, while if there is an entry but it is not assigned to the > port, then I get an ATU member violation (which I have now masked on > locked ports to limit unwanted interrupts). > > So it seems to me that my 'ATU miss' corresponds to your MISS and my > 'ATU member' corresponds to your MISMATCH. Since I inject an entry with > destination port vector (DPV) zero I get member violations after the > first miss violation. Which causes packets to be silently dropped by the device? Sounds OK, I just want to verify I understand the behavior. > > > The HW I work with doesn't have the ability to generate such > > notifications, but it can trap packets on MISS (no entry) or MISMATCH > > (exists, but with different port). I believe that in order to support > > this feature we need to inject MISS-ed packets to the Rx path so that > > eventually the bridge itself will create the "locked" entry as opposed > > to notifying the bridge about the entry as in your case. > > > > This seems to me to be the way forward in your case. What kind or family > of chips is your HW based on? Nvidia Spectrum ASICs. Some users mentioned 802.1X support, but a requirement never materialized so we didn't work on it. > > >> handling such ATU miss violation interrupts, the MAC address of > >> the device is added to the FDB with a zero destination port > >> vector (DPV) and the MAC address is communicated through the > >> switchdev layer to the bridge, so that a FDB entry with the > >> locked flag enabled can be added. > >> > >> Hans Schultz (3): > >> net: bridge: add fdb flag to extent locked port feature > >> net: switchdev: add support for offloading of fdb locked flag > >> net: dsa: mv88e6xxx: mac-auth/MAB implementation > > > > Please extend tools/testing/selftests/net/forwarding/bridge_locked_port.sh > > with new test cases for this code. > > > > Shall do. Thanks! > > >> > >> drivers/net/dsa/mv88e6xxx/Makefile | 1 + > >> drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- > >> drivers/net/dsa/mv88e6xxx/chip.h | 5 ++ > >> drivers/net/dsa/mv88e6xxx/global1.h | 1 + > >> drivers/net/dsa/mv88e6xxx/global1_atu.c | 29 +++++++- > >> .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c | 67 +++++++++++++++++++ > >> .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h | 20 ++++++ > >> drivers/net/dsa/mv88e6xxx/port.c | 11 +++ > >> drivers/net/dsa/mv88e6xxx/port.h | 1 + > >> include/net/switchdev.h | 3 +- > >> include/uapi/linux/neighbour.h | 1 + > >> net/bridge/br.c | 3 +- > >> net/bridge/br_fdb.c | 13 +++- > >> net/bridge/br_input.c | 11 ++- > >> net/bridge/br_private.h | 5 +- > >> 15 files changed, 167 insertions(+), 14 deletions(-) > >> create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c > >> create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h > >> > >> -- > >> 2.30.2 > >>
