This patchset is based on Hans' work from [1][2]. It adds MAB support in
the bridge driver and 802.1X (with MAB) offload support in mlxsw.

Patchset overview
=================

Patch #1 adds MAB support in the bridge driver. See the commit message
for motivation and design choices.

Patch #2 adds a selftest.

Patches #3-#4 extend the switchdev interfaces to allow device drivers to
install locked FDB entries in the bridge driver. Required for MAB
offload support.

The rest of the patches add 802.1X and MAB offload support in mlxsw.
Specifically:

Patches #5-#6 add the required packet traps for 802.1X.

Patches #7-#11 are small preparations.

Patch #12 adds locked bridge port support in mlxsw.

Patches #13-#16 add mlxsw selftests.

Future work
===========

The hostapd fork by Westermo is using dynamic FDB entries to authorize
hosts [3]. Changes are required in switchdev to allow such entries to be
offloaded. Hans already indicated he is working on that [4]. It should
not necessitate any uAPI changes so I do not view it as a blocker (Hans,
please confirm).

Merge plan
==========

We need to agree on a merge plan that allows us to start submitting
patches for inclusion and finally conclude this work. In my experience,
it is best to work in small batches. I therefore propose the following
plan:

* Add MAB support in the bridge driver. This corresponds to patches
  #1-#2.

* Switchdev extensions for MAB offload together with mlxsw support. This
  corresponds to patches #3-#16. I can reduce the number of patches by
  splitting out the selftests to a separate submission.

* mv88e6xxx support. I believe the blackhole stuff is an optimization,
  so I suggest getting initial MAB offload support without that. Support
  for blackhole entries together with offload can be added in a separate
  submission.

* Switchdev extensions for dynamic FDB entries together with mv88e6xxx
  support. I can follow up with mlxsw support afterwards.

[1] https://lore.kernel.org/netdev/20221018165619.134535-1-netdev@xxxxxxxxxxxxxxxxxxxx/
[2] https://lore.kernel.org/netdev/20221004152036.7848-1-netdev@xxxxxxxxxxxxxxxxxxxx/
[3] https://github.com/westermo/hostapd/blob/bridge_driver/hostapd/hostapd_auth_deauth.sh#L11
[4] https://lore.kernel.org/netdev/a11af0d07a79adbd2ac3d242b36dec7e@xxxxxxxxxxxxxxxxxxxx/

Hans J. Schultz (3):
  bridge: Add MAC Authentication Bypass (MAB) support
  selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases
  bridge: switchdev: Allow device drivers to install locked FDB entries

Ido Schimmel (13):
  bridge: switchdev: Let device drivers determine FDB offload indication
  devlink: Add packet traps for 802.1X operation
  mlxsw: spectrum_trap: Register 802.1X packet traps with devlink
  mlxsw: reg: Add Switch Port FDB Security Register
  mlxsw: spectrum: Add an API to configure security checks
  mlxsw: spectrum_switchdev: Prepare for locked FDB notifications
  mlxsw: spectrum_switchdev: Add support for locked FDB notifications
  mlxsw: spectrum_switchdev: Use extack in bridge port flag validation
  mlxsw: spectrum_switchdev: Add locked bridge port support
  selftests: devlink_lib: Split out helper
  selftests: mlxsw: Add a test for EAPOL trap
  selftests: mlxsw: Add a test for locked port trap
  selftests: mlxsw: Add a test for invalid locked bridge port configurations

 .../networking/devlink/devlink-trap.rst       |  13 +++
 drivers/net/ethernet/mellanox/mlxsw/reg.h     |  35 ++++++
 .../net/ethernet/mellanox/mlxsw/spectrum.c    |  22 ++++
 .../net/ethernet/mellanox/mlxsw/spectrum.h    |   5 +-
 .../mellanox/mlxsw/spectrum_switchdev.c       |  64 +++++++++--
 .../ethernet/mellanox/mlxsw/spectrum_trap.c   |  25 +++++
 drivers/net/ethernet/mellanox/mlxsw/trap.h    |   2 +
 include/linux/if_bridge.h                     |   1 +
 include/net/devlink.h                         |   9 ++
 include/net/switchdev.h                       |   1 +
 include/uapi/linux/if_link.h                  |   1 +
 include/uapi/linux/neighbour.h                |   8 +-
 net/bridge/br.c                               |   5 +-
 net/bridge/br_fdb.c                           |  46 +++++++-
 net/bridge/br_input.c                         |  15 ++-
 net/bridge/br_netlink.c                       |  13 ++-
 net/bridge/br_private.h                       |   5 +-
 net/bridge/br_switchdev.c                     |   1 +
 net/core/devlink.c                            |   3 +
 net/core/rtnetlink.c                          |   5 +
 .../drivers/net/mlxsw/devlink_trap_control.sh |  22 ++++
 .../net/mlxsw/devlink_trap_l2_drops.sh        | 105 ++++++++++++++++++
 .../selftests/drivers/net/mlxsw/rtnetlink.sh  |  31 ++++++
 .../net/forwarding/bridge_locked_port.sh      | 101 ++++++++++++++++-
 .../selftests/net/forwarding/devlink_lib.sh   |  19 ++--
 tools/testing/selftests/net/forwarding/lib.sh |   8 ++
 26 files changed, 535 insertions(+), 30 deletions(-)

--
2.37.3