| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <86mthnw9gr.fsf@gmail.com>
Date: Fri, 18 Mar 2022 16:45:24 +0100
From: Hans Schultz <schultz.hans@...il.com>
To: Ido Schimmel <idosch@...sch.org>,
Hans Schultz <schultz.hans@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Florian Fainelli <f.fainelli@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Ido Schimmel <idosch@...dia.com>, linux-kernel@...r.kernel.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v2 net-next 4/4] selftests: forwarding: add test of
MAC-Auth Bypass to locked port tests
On tor, mar 17, 2022 at 16:57, Ido Schimmel <idosch@...sch.org> wrote:
> On Thu, Mar 17, 2022 at 10:39:02AM +0100, Hans Schultz wrote:
>> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
>> locked flag set. denying access until the FDB entry is replaced with a
>> FDB entry without the locked flag set.
>>
>> Signed-off-by: Hans Schultz <schultz.hans+netdev@...il.com>
>> ---
>> .../net/forwarding/bridge_locked_port.sh | 29 ++++++++++++++++++-
>> 1 file changed, 28 insertions(+), 1 deletion(-)
>>
>> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
>> index 6e98efa6d371..2f9519e814b6 100755
>> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
>> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
>> @@ -1,7 +1,7 @@
>> #!/bin/bash
>> # SPDX-License-Identifier: GPL-2.0
>>
>> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
>> +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
>> NUM_NETIFS=4
>> CHECK_TC="no"
>> source lib.sh
>> @@ -170,6 +170,33 @@ locked_port_ipv6()
>> log_test "Locked port ipv6"
>> }
>>
>> +locked_port_mab()
>> +{
>> + RET=0
>> + check_locked_port_support || return 0
>> +
>> + ping_do $h1 192.0.2.2
>> + check_err $? "MAB: Ping did not work before locking port"
>> +
>> + bridge link set dev $swp1 locked on
>> + bridge link set dev $swp1 learning on
>> +
>> + ping_do $h1 192.0.2.2
>> + check_fail $? "MAB: Ping worked on port just locked"
>> +
>> + if ! bridge fdb show | grep `mac_get $h1` | grep -q "locked"; then
>> + RET=1
>> + retmsg="MAB: No locked fdb entry after ping on locked port"
>> + fi
>
> bridge fdb show | grep `mac_get $h1 | grep -q "locked"
> check_err $? "MAB: No locked fdb entry after ping on locked port"
>
>> +
>> + bridge fdb del `mac_get $h1` dev $swp1 master
>> + bridge fdb add `mac_get $h1` dev $swp1 master static
>
> bridge fdb replace `mac_get $h1` dev $swp1 master static
>
Unfortunately for some reason 'replace' does not work in several of the
tests, while when replaced with 'del+add', they work.
>> +
>> + ping_do $h1 192.0.2.2
>> + check_err $? "MAB: Ping did not work with fdb entry without locked flag"
>> +
>> + log_test "Locked port MAB"
>
> Clean up after the test to revert to initial state:
>
> bridge fdb del `mac_get $h1` dev $swp1 master
> bridge link set dev $swp1 locked off
>
>
>> +}
>> trap cleanup EXIT
>>
>> setup_prepare
>> --
>> 2.30.2
>>
Powered by blists - more mailing lists