February 2022 - Linux-kselftest-mirror

[PATCH net-next v5 0/5] Add support for locked bridge ports (for 802.1X)

by Hans Schultz

This series starts by adding support for SA filtering to the bridge, which is then allowed to be offloaded to switchdev devices. Furthermore an offloading implementation is supplied for the mv88e6xxx driver. Public Local Area Networks are often deployed such that there is a risk of unauthorized or unattended clients getting access to the LAN. To prevent such access we introduce SA filtering, such that ports designated as secure ports are set in locked mode, so that only authorized source MAC addresses are given access by adding them to the bridges forwarding database. Incoming packets with source MAC addresses that are not in the forwarding database of the bridge are discarded. It is then the task of user space daemons to populate the bridge's forwarding database with static entries of authorized entities. The most common approach is to use the IEEE 802.1X protocol to take care of the authorization of allowed users to gain access by opening for the source address of the authorized host. With the current use of the bridge parameter in hostapd, there is a limitation in using this for IEEE 802.1X port authentication. It depends on hostapd attaching the port on which it has a successful authentication to the bridge, but that only allows for a single authentication per port. This patch set allows for the use of IEEE 802.1X port authentication in a more general network context with multiple 802.1X aware hosts behind a single port as depicted, which is a commonly used commercial use-case, as it is only the number of available entries in the forwarding database that limits the number of authenticated clients. +--------------------------------+ | | | Bridge/Authenticator | | | +-------------+------------------+ 802.1X port | | | +------+-------+ | | | Hub/Switch | | | +-+----------+-+ | | +--+--+ +--+--+ | | | | Hosts | a | | b | . . . | | | | +-----+ +-----+ The 802.1X standard involves three different components, a Supplicant (Host), an Authenticator (Network Access Point) and an Authentication Server which is typically a Radius server. This patch set thus enables the bridge module together with an authenticator application to serve as an Authenticator on designated ports. For the bridge to become an IEEE 802.1X Authenticator, a solution using hostapd with the bridge driver can be found at https://github.com/westermo/hostapd/tree/bridge_driver . The relevant components work transparently in relation to if it is the bridge module or the offloaded switchcore case that is in use. Hans Schultz (5): net: bridge: Add support for bridge port in locked mode net: bridge: Add support for offloading of locked port flag net: dsa: Include BR_PORT_LOCKED in the list of synced brport flags net: dsa: mv88e6xxx: Add support for bridge port locked mode selftests: forwarding: tests of locked port feature drivers/net/dsa/mv88e6xxx/chip.c | 9 +- drivers/net/dsa/mv88e6xxx/port.c | 29 +++ drivers/net/dsa/mv88e6xxx/port.h | 9 +- include/linux/if_bridge.h | 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c | 11 +- net/bridge/br_netlink.c | 6 +- net/bridge/br_switchdev.c | 2 +- net/dsa/port.c | 4 +- .../testing/selftests/net/forwarding/Makefile | 1 + .../net/forwarding/bridge_locked_port.sh | 180 ++++++++++++++++++ tools/testing/selftests/net/forwarding/lib.sh | 8 + 12 files changed, 254 insertions(+), 7 deletions(-) create mode 100755 tools/testing/selftests/net/forwarding/bridge_locked_port.sh -- 2.30.2

2 years, 2 months

2
6
0 0

[REGRESSION] lkft kselftest for next-20220216

by lkft＠linaro.org

## Build * kernel: 5.17.0-rc4 * git: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next * git branch: master * git commit: 763a906a02e961eedabab7dbedd16904a3bd0184 * git describe: next-20220216 * test details: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20220216 ## Test Regressions (compared to next-20220124) * i386, kselftest-seccomp - seccomp.seccomp_bpf.TSYNC.siblings_fail_prctl - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence_no_tid_in_err * juno-r2, kselftest-seccomp - seccomp.seccomp_bpf.TSYNC.siblings_fail_prctl - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence_no_tid_in_err * qemu_x86_64, kselftest-seccomp - seccomp.seccomp_bpf - seccomp.seccomp_bpf.TSYNC.siblings_fail_prctl - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence_no_tid_in_err * x15, kselftest-capabilities - capabilities.test_execve * x15, kselftest-cgroup - cgroup.test_freezer - cgroup.test_kill - cgroup.test_kill.test_cgkill_simple * x15, kselftest-core - core.close_range_test * x86, kselftest-net - net.gro.sh * x86, kselftest-seccomp - seccomp.seccomp_bpf.TSYNC.siblings_fail_prctl - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence - seccomp.seccomp_bpf.TSYNC.two_siblings_with_one_divergence_no_tid_in_err ## Metric Regressions (compared to next-20220124) No metric regressions found. Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> ## Test Fixes (compared to next-20220124) * hi6220-hikey, kselftest-rseq - rseq.basic_percpu_ops_test - rseq.basic_test - rseq.param_test - rseq.param_test_benchmark - rseq.param_test_compare_twice * hi6220-hikey, kselftest-rtc - rtc.rtctest * i386, kselftest-rtc - rtc.rtctest * i386, kselftest-seccomp - seccomp.seccomp_bpf.global.user_notification_filter_empty - seccomp.seccomp_bpf.global.user_notification_filter_empty_threaded * juno-r2, kselftest-cgroup - cgroup.test_freezer - cgroup.test_freezer.test_cgfreezer_ptrace * juno-r2, kselftest-cpufreq - cpufreq.main.sh * juno-r2, kselftest-seccomp - seccomp.seccomp_bpf.global.user_notification_filter_empty - seccomp.seccomp_bpf.global.user_notification_filter_empty_threaded * qemu_arm, kselftest-cpufreq - cpufreq.main.sh * qemu_arm, kselftest-rtc - rtc.rtctest * qemu_arm, kselftest-zram - zram.zram.sh * qemu_i386, kselftest-cpufreq - cpufreq.main.sh * qemu_i386, kselftest-rseq - rseq.basic_percpu_ops_test - rseq.basic_test - rseq.param_test - rseq.param_test_benchmark - rseq.param_test_compare_twice - rseq.run_param_test.sh * qemu_i386, kselftest-rtc - rtc.rtctest * qemu_x86_64, kselftest-cpufreq - cpufreq.main.sh * qemu_x86_64, kselftest-rseq - rseq.basic_percpu_ops_test - rseq.basic_test - rseq.param_test - rseq.param_test_benchmark - rseq.param_test_compare_twice - rseq.run_param_test.sh * x15, kselftest-capabilities - capabilities.test_execve * x15, kselftest-cgroup - cgroup.test_freezer - cgroup.test_kill - cgroup.test_kill.test_cgkill_simple * x15, kselftest-core - core.close_range_test * x86, kselftest-lkdtm - lkdtm.ARRAY_BOUNDS.sh * x86, kselftest-rtc - rtc.rtctest * x86, kselftest-seccomp - seccomp.seccomp_bpf.global.user_notification_filter_empty - seccomp.seccomp_bpf.global.user_notification_filter_empty_threaded ## Metric Fixes (compared to next-20220124) No metric fixes found. ## Test result summary total: 4565, pass: 2481, fail: 568, skip: 1516, xfail: 0 ## Build Summary ## Test suites summary * kselftest-android * kselftest-arm64 * kselftest-arm64/arm64.btitest.bti_c_func * kselftest-arm64/arm64.btitest.bti_j_func * kselftest-arm64/arm64.btitest.bti_jc_func * kselftest-arm64/arm64.btitest.bti_none_func * kselftest-arm64/arm64.btitest.nohint_func * kselftest-arm64/arm64.btitest.paciasp_func * kselftest-arm64/arm64.nobtitest.bti_c_func * kselftest-arm64/arm64.nobtitest.bti_j_func * kselftest-arm64/arm64.nobtitest.bti_jc_func * kselftest-arm64/arm64.nobtitest.bti_none_func * kselftest-arm64/arm64.nobtitest.nohint_func * kselftest-arm64/arm64.nobtitest.paciasp_func * kselftest-bpf * kselftest-breakpoints * kselftest-capabilities * kselftest-cgroup * kselftest-clone3 * kselftest-core * kselftest-cpu-hotplug * kselftest-cpufreq * kselftest-drivers * kselftest-efivarfs * kselftest-filesystems * kselftest-firmware * kselftest-fpu * kselftest-futex * kselftest-gpio * kselftest-intel_pstate * kselftest-ipc * kselftest-ir * kselftest-kcmp * kselftest-kexec * kselftest-kvm * kselftest-lib * kselftest-livepatch * kselftest-lkdtm * kselftest-membarrier * kselftest-net * kselftest-netfilter * kselftest-nsfs * kselftest-openat2 * kselftest-pid_namespace * kselftest-pidfd * kselftest-proc * kselftest-pstore * kselftest-ptrace * kselftest-rseq * kselftest-rtc * kselftest-seccomp * kselftest-sigaltstack * kselftest-size * kselftest-splice * kselftest-static_keys * kselftest-sync * kselftest-sysctl * kselftest-tc-testing * kselftest-timens * kselftest-timers * kselftest-tmpfs * kselftest-tpm2 * kselftest-user * kselftest-vm * kselftest-x86 * kselftest-zram -- Linaro LKFT https://lkft.linaro.org

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.4 09/13] selftests/ftrace: Do not trace do_softirq because of PREEMPT_RT

by Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> [ Upstream commit 6fec1ab67f8d60704cc7de64abcfd389ab131542 ] The PREEMPT_RT patchset does not use do_softirq() function thus trying to filter for do_softirq fails for such kernel: echo do_softirq ftracetest: 81: echo: echo: I/O error Choose some other visible function for the test. The function does not have to be actually executed during the test, because it is only testing filter API interface. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> Reviewed-by: Shuah Khan <skhan(a)linuxfoundation.org> Acked-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Reviewed-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc index 51f6e6146bd93..951b4311930c5 100644 --- a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc +++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc @@ -22,7 +22,7 @@ fail() { # mesg FILTER=set_ftrace_filter FUNC1="schedule" -FUNC2="do_softirq" +FUNC2="scheduler_tick" ALL_FUNCS="#### all functions enabled ####" -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.10 13/18] selftests/ftrace: Do not trace do_softirq because of PREEMPT_RT

by Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> [ Upstream commit 6fec1ab67f8d60704cc7de64abcfd389ab131542 ] The PREEMPT_RT patchset does not use do_softirq() function thus trying to filter for do_softirq fails for such kernel: echo do_softirq ftracetest: 81: echo: echo: I/O error Choose some other visible function for the test. The function does not have to be actually executed during the test, because it is only testing filter API interface. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> Reviewed-by: Shuah Khan <skhan(a)linuxfoundation.org> Acked-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Reviewed-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc index e96e279e0533a..25432b8cd5bd2 100644 --- a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc +++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc @@ -19,7 +19,7 @@ fail() { # mesg FILTER=set_ftrace_filter FUNC1="schedule" -FUNC2="do_softirq" +FUNC2="scheduler_tick" ALL_FUNCS="#### all functions enabled ####" -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.10 12/18] selftests/seccomp: Fix seccomp failure by adding missing headers

by Sasha Levin

From: Sherry Yang <sherry.yang(a)oracle.com> [ Upstream commit 21bffcb76ee2fbafc7d5946cef10abc9df5cfff7 ] seccomp_bpf failed on tests 47 global.user_notification_filter_empty and 48 global.user_notification_filter_empty_threaded when it's tested on updated kernel but with old kernel headers. Because old kernel headers don't have definition of macro __NR_clone3 which is required for these two tests. Since under selftests/, we can install headers once for all tests (the default INSTALL_HDR_PATH is usr/include), fix it by adding usr/include to the list of directories to be searched. Use "-isystem" to indicate it's a system directory as the real kernel headers directories are. Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> Tested-by: Sherry Yang <sherry.yang(a)oracle.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/testing/selftests/seccomp/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/seccomp/Makefile b/tools/testing/selftests/seccomp/Makefile index 0ebfe8b0e147f..585f7a0c10cbe 100644 --- a/tools/testing/selftests/seccomp/Makefile +++ b/tools/testing/selftests/seccomp/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -CFLAGS += -Wl,-no-as-needed -Wall +CFLAGS += -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ LDFLAGS += -lpthread TEST_GEN_PROGS := seccomp_bpf seccomp_benchmark -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.15 21/28] selftests/ftrace: Do not trace do_softirq because of PREEMPT_RT

by Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> [ Upstream commit 6fec1ab67f8d60704cc7de64abcfd389ab131542 ] The PREEMPT_RT patchset does not use do_softirq() function thus trying to filter for do_softirq fails for such kernel: echo do_softirq ftracetest: 81: echo: echo: I/O error Choose some other visible function for the test. The function does not have to be actually executed during the test, because it is only testing filter API interface. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> Reviewed-by: Shuah Khan <skhan(a)linuxfoundation.org> Acked-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Reviewed-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc index e96e279e0533a..25432b8cd5bd2 100644 --- a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc +++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc @@ -19,7 +19,7 @@ fail() { # mesg FILTER=set_ftrace_filter FUNC1="schedule" -FUNC2="do_softirq" +FUNC2="scheduler_tick" ALL_FUNCS="#### all functions enabled ####" -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.15 19/28] selftests/seccomp: Fix seccomp failure by adding missing headers

by Sasha Levin

From: Sherry Yang <sherry.yang(a)oracle.com> [ Upstream commit 21bffcb76ee2fbafc7d5946cef10abc9df5cfff7 ] seccomp_bpf failed on tests 47 global.user_notification_filter_empty and 48 global.user_notification_filter_empty_threaded when it's tested on updated kernel but with old kernel headers. Because old kernel headers don't have definition of macro __NR_clone3 which is required for these two tests. Since under selftests/, we can install headers once for all tests (the default INSTALL_HDR_PATH is usr/include), fix it by adding usr/include to the list of directories to be searched. Use "-isystem" to indicate it's a system directory as the real kernel headers directories are. Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> Tested-by: Sherry Yang <sherry.yang(a)oracle.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/testing/selftests/seccomp/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/seccomp/Makefile b/tools/testing/selftests/seccomp/Makefile index 0ebfe8b0e147f..585f7a0c10cbe 100644 --- a/tools/testing/selftests/seccomp/Makefile +++ b/tools/testing/selftests/seccomp/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -CFLAGS += -Wl,-no-as-needed -Wall +CFLAGS += -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ LDFLAGS += -lpthread TEST_GEN_PROGS := seccomp_bpf seccomp_benchmark -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.16 23/30] selftests/ftrace: Do not trace do_softirq because of PREEMPT_RT

by Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> [ Upstream commit 6fec1ab67f8d60704cc7de64abcfd389ab131542 ] The PREEMPT_RT patchset does not use do_softirq() function thus trying to filter for do_softirq fails for such kernel: echo do_softirq ftracetest: 81: echo: echo: I/O error Choose some other visible function for the test. The function does not have to be actually executed during the test, because it is only testing filter API interface. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> Reviewed-by: Shuah Khan <skhan(a)linuxfoundation.org> Acked-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Reviewed-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc index e96e279e0533a..25432b8cd5bd2 100644 --- a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc +++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc @@ -19,7 +19,7 @@ fail() { # mesg FILTER=set_ftrace_filter FUNC1="schedule" -FUNC2="do_softirq" +FUNC2="scheduler_tick" ALL_FUNCS="#### all functions enabled ####" -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH AUTOSEL 5.16 21/30] selftests/seccomp: Fix seccomp failure by adding missing headers

by Sasha Levin

From: Sherry Yang <sherry.yang(a)oracle.com> [ Upstream commit 21bffcb76ee2fbafc7d5946cef10abc9df5cfff7 ] seccomp_bpf failed on tests 47 global.user_notification_filter_empty and 48 global.user_notification_filter_empty_threaded when it's tested on updated kernel but with old kernel headers. Because old kernel headers don't have definition of macro __NR_clone3 which is required for these two tests. Since under selftests/, we can install headers once for all tests (the default INSTALL_HDR_PATH is usr/include), fix it by adding usr/include to the list of directories to be searched. Use "-isystem" to indicate it's a system directory as the real kernel headers directories are. Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> Tested-by: Sherry Yang <sherry.yang(a)oracle.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/testing/selftests/seccomp/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/seccomp/Makefile b/tools/testing/selftests/seccomp/Makefile index 0ebfe8b0e147f..585f7a0c10cbe 100644 --- a/tools/testing/selftests/seccomp/Makefile +++ b/tools/testing/selftests/seccomp/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -CFLAGS += -Wl,-no-as-needed -Wall +CFLAGS += -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ LDFLAGS += -lpthread TEST_GEN_PROGS := seccomp_bpf seccomp_benchmark -- 2.34.1

2 years, 2 months

1
0
0 0

[PATCH net-next v3 0/5] Add support for locked bridge ports (for 802.1X)

by Hans Schultz

This series starts by adding support for SA filtering to the bridge, which is then allowed to be offloaded to switchdev devices. Furthermore an offloading implementation is supplied for the mv88e6xxx driver. Public Local Area Networks are often deployed such that there is a risk of unauthorized or unattended clients getting access to the LAN. To prevent such access we introduce SA filtering, such that ports designated as secure ports are set in locked mode, so that only authorized source MAC addresses are given access by adding them to the bridges forwarding database. Incoming packets with source MAC addresses that are not in the forwarding database of the bridge are discarded. It is then the task of user space daemons to populate the bridge's forwarding database with static entries of authorized entities. The most common approach is to use the IEEE 802.1X protocol to take care of the authorization of allowed users to gain access by opening for the source address of the authorized host. With the current use of the bridge parameter in hostapd, there is a limitation in using this for IEEE 802.1X port authentication. It depends on hostapd attaching the port on which it has a successful authentication to the bridge, but that only allows for a single authentication per port. This patch set allows for the use of IEEE 802.1X port authentication in a more general network context with multiple 802.1X aware hosts behind a single port as depicted, which is a commonly used commercial use-case, as it is only the number of available entries in the forwarding database that limits the number of authenticated clients. +--------------------------------+ | | | Bridge/Authenticator | | | +-------------+------------------+ 802.1X port | | | +------+-------+ | | | Hub/Switch | | | +-+----------+-+ | | +--+--+ +--+--+ | | | | Hosts | a | | b | . . . | | | | +-----+ +-----+ The 802.1X standard involves three different components, a Supplicant (Host), an Authenticator (Network Access Point) and an Authentication Server which is typically a Radius server. This patch set thus enables the bridge module together with an authenticator application to serve as an Authenticator on designated ports. For the bridge to become an IEEE 802.1X Authenticator, a solution using hostapd with the bridge driver can be found at https://github.com/westermo/hostapd/tree/bridge_driver . The relevant components work transparently in relation to if it is the bridge module or the offloaded switchcore case that is in use. Hans Schultz (5): net: bridge: Add support for bridge port in locked mode net: bridge: Add support for offloading of locked port flag net: dsa: Add support for offloaded locked port flag net: dsa: mv88e6xxx: Add support for bridge port locked mode selftests: forwarding: tests of locked port feature drivers/net/dsa/mv88e6xxx/chip.c | 9 +- drivers/net/dsa/mv88e6xxx/port.c | 33 ++++ drivers/net/dsa/mv88e6xxx/port.h | 9 +- include/linux/if_bridge.h | 1 + include/uapi/linux/if_link.h | 1 + net/bridge/br_input.c | 10 +- net/bridge/br_netlink.c | 6 +- net/bridge/br_switchdev.c | 2 +- net/dsa/port.c | 4 +- .../testing/selftests/net/forwarding/Makefile | 1 + .../net/forwarding/bridge_locked_port.sh | 174 ++++++++++++++++++ tools/testing/selftests/net/forwarding/lib.sh | 16 ++ 12 files changed, 259 insertions(+), 7 deletions(-) create mode 100755 tools/testing/selftests/net/forwarding/bridge_locked_port.sh -- 2.30.2

2 years, 2 months

5
17
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror February 2022