Verify that the MAC-Auth mechanism works by adding a FDB entry with the
locked flag set. denying access until the FDB entry is replaced with a
FDB entry without the locked flag set.
Signed-off-by: Hans Schultz <schultz.hans+netdev@xxxxxxxxx>
---
.../net/forwarding/bridge_locked_port.sh | 29 ++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
index 6e98efa6d371..2f9519e814b6 100755
--- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
-ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
+ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
NUM_NETIFS=4
CHECK_TC="no"
source lib.sh
@@ -170,6 +170,33 @@ locked_port_ipv6()
log_test "Locked port ipv6"
}
+locked_port_mab()
+{
+ RET=0
+ check_locked_port_support || return 0
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work before locking port"
+
+ bridge link set dev $swp1 locked on
+ bridge link set dev $swp1 learning on
+
+ ping_do $h1 192.0.2.2
+ check_fail $? "MAB: Ping worked on port just locked"
+
+ if ! bridge fdb show | grep `mac_get $h1` | grep -q "locked"; then
+ RET=1
+ retmsg="MAB: No locked fdb entry after ping on locked port"
+ fi
+
+ bridge fdb del `mac_get $h1` dev $swp1 master
+ bridge fdb add `mac_get $h1` dev $swp1 master static
+
+ ping_do $h1 192.0.2.2
+ check_err $? "MAB: Ping did not work with fdb entry without locked flag"
+
+ log_test "Locked port MAB"
+}
trap cleanup EXIT
setup_prepare
--
2.30.2
