[PATCH net-next v1 0/1] enable locked port feature with learning

This patch is related to the patch set
"Add support for locked bridge ports (for 802.1X)"
Link: https://lore.kernel.org/netdev/20220223101650.1212814-1-schultz.hans+netdev@xxxxxxxxx/

This patch makes the locked port feature work with learning turned on,
which is enabled with the command:

bridge link set dev DEV learning on

Without this patch, multicast packets like EAPOL packets will create a
fdb entry when ingressing on a locked port with learning turned on, thus
unintentionally opening up the port for traffic for the said MAC.

Some switchcore features, like Mac-Auth and refreshing of FDB entries,
require learning to be enabled on some switchcores, f.ex. the mv88e6xxx
family. Other features may apply too.

Since many switchcores trap or mirror various multicast packets to the
CPU, they will unintentionally unlock the port for the SA mac in
question unless prevented by this patch.

Hans Schultz (1):
  net: bridge: ensure that multicast packets cannot unlock a locked port

 net/bridge/br_input.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.30.2
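As an added illustration of the failure mode the cover letter describes (this is a constructed model, not the kernel's code and not the patch itself): the locked-port admission check and the link-local learning path are reduced to two small functions over a toy FDB, and `unicast_admitted_after_eapol()` replays the scenario with and without the fix. The flag names, helper names and station MAC are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the bridge ingress decisions described in the cover
 * letter (not the kernel's code); the flag names echo the bridge port flags. */
#define BR_LEARNING    (1u << 0)
#define BR_PORT_LOCKED (1u << 1)
struct fdb_entry { uint8_t mac[6]; int port; };
struct fdb { struct fdb_entry e[16]; int n; };

static struct fdb_entry *fdb_find(struct fdb *f, const uint8_t *mac)
{
    for (int i = 0; i < f->n; i++)
        if (memcmp(f->e[i].mac, mac, 6) == 0)
            return &f->e[i];
    return NULL;
}

static void fdb_update(struct fdb *f, const uint8_t *mac, int port)
{
    struct fdb_entry *e = fdb_find(f, mac);
    if (!e && f->n < 16) { e = &f->e[f->n++]; memcpy(e->mac, mac, 6); }
    if (e) e->port = port;
}

/* Locked-port check: drop unless the SA is already in the FDB pointing at this port. */
bool locked_port_admits(struct fdb *f, unsigned flags, int port, const uint8_t *src)
{
    struct fdb_entry *e = fdb_find(f, src);
    return !(flags & BR_PORT_LOCKED) || (e && e->port == port);
}

/* Link-local (EAPOL-style) learning path; only the fixed variant skips locked ports. */
void local_frame_learn(struct fdb *f, unsigned flags, int port, const uint8_t *src, bool fixed)
{
    if (!(flags & BR_LEARNING) || (fixed && (flags & BR_PORT_LOCKED)))
        return;
    fdb_update(f, src, port);
}

/* Cover-letter scenario: EAPOL on a locked, learning port, then unicast from the same SA. */
bool unicast_admitted_after_eapol(bool fixed)
{
    static const uint8_t sta[6] = {0x02, 0, 0, 0, 0, 0x01}; /* constructed MAC */
    struct fdb f = {0};
    unsigned flags = BR_LEARNING | BR_PORT_LOCKED;
    local_frame_learn(&f, flags, 1, sta, fixed);
    return locked_port_admits(&f, flags, 1, sta);
}
```

Without the fix the EAPOL frame alone populates the FDB and the later unicast passes the locked-port check; with it the FDB stays empty and the unicast is dropped.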
