| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Oct 2022 17:59:30 +0300
From: Ido Schimmel <idosch@...dia.com>
To: Hans Schultz <netdev@...io-technology.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
Florian Fainelli <f.fainelli@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Kurt Kanzenbach <kurt@...utronix.de>,
Hauke Mehrtens <hauke@...ke-m.de>,
Woojung Huh <woojung.huh@...rochip.com>,
UNGLinuxDriver@...rochip.com, Sean Wang <sean.wang@...iatek.com>,
Landen Chao <Landen.Chao@...iatek.com>,
DENG Qingfang <dqfext@...il.com>,
Matthias Brugger <matthias.bgg@...il.com>,
Claudiu Manoil <claudiu.manoil@....com>,
Alexandre Belloni <alexandre.belloni@...tlin.com>,
Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Russell King <linux@...linux.org.uk>,
Christian Marangi <ansuelsmth@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
Yuwei Wang <wangyuweihx@...il.com>,
Petr Machata <petrm@...dia.com>,
Florent Fourcot <florent.fourcot@...irst.fr>,
Hans Schultz <schultz.hans@...il.com>,
Joachim Wiberg <troglobit@...il.com>,
Amit Cohen <amcohen@...dia.com>, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
linux-mediatek@...ts.infradead.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH iproute2-next 1/2] bridge: link: enable MacAuth/MAB
feature
On Thu, Sep 29, 2022 at 05:21:36PM +0200, Hans Schultz wrote:
> The MAB feature can be enabled on a locked port with the command:
> bridge link set dev <DEV> mab on
Please provide regular and JSON output in the commit message.
>
> Signed-off-by: Hans Schultz <netdev@...io-technology.com>
> ---
> bridge/fdb.c | 17 +++++++++++++++--
> bridge/link.c | 21 ++++++++++++++++++---
> include/uapi/linux/if_link.h | 1 +
> include/uapi/linux/neighbour.h | 7 ++++++-
IIRC, in the past David asked to either not send the uAPI files or send
them as a first patch which he then uses as a hint to sync the files
himself.
> ip/iplink_bridge_slave.c | 16 +++++++++++++---
> man/man8/bridge.8 | 10 ++++++++++
> man/man8/ip-link.8.in | 8 ++++++++
> 7 files changed, 71 insertions(+), 9 deletions(-)
>
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 5f71bde0..0fbe9bd3 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -93,7 +93,7 @@ static int state_a2n(unsigned int *s, const char *arg)
> return 0;
> }
>
> -static void fdb_print_flags(FILE *fp, unsigned int flags)
> +static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
> {
> open_json_array(PRINT_JSON,
> is_json_context() ? "flags" : "");
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags)
> if (flags & NTF_STICKY)
> print_string(PRINT_ANY, NULL, "%s ", "sticky");
>
> + if (ext_flags & NTF_EXT_LOCKED)
> + print_string(PRINT_ANY, NULL, "%s ", "locked");
> +
> close_json_array(PRINT_JSON, NULL);
> }
This is a separate change. Make one patch for the MAB option and another
for the new "locked" FDB flag.
>
> @@ -144,6 +147,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
> struct ndmsg *r = NLMSG_DATA(n);
> int len = n->nlmsg_len;
> struct rtattr *tb[NDA_MAX+1];
> + __u32 ext_flags = 0;
> __u16 vid = 0;
>
> if (n->nlmsg_type != RTM_NEWNEIGH && n->nlmsg_type != RTM_DELNEIGH) {
> @@ -170,6 +174,9 @@ int print_fdb(struct nlmsghdr *n, void *arg)
> parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
> n->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
>
> + if (tb[NDA_FLAGS_EXT])
> + ext_flags = rta_getattr_u32(tb[NDA_FLAGS_EXT]);
> +
> if (tb[NDA_VLAN])
> vid = rta_getattr_u16(tb[NDA_VLAN]);
>
> @@ -266,7 +273,7 @@ int print_fdb(struct nlmsghdr *n, void *arg)
> if (show_stats && tb[NDA_CACHEINFO])
> fdb_print_stats(fp, RTA_DATA(tb[NDA_CACHEINFO]));
>
> - fdb_print_flags(fp, r->ndm_flags);
> + fdb_print_flags(fp, r->ndm_flags, ext_flags);
>
>
> if (tb[NDA_MASTER])
> @@ -414,6 +421,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> char *endptr;
> short vid = -1;
> __u32 nhid = 0;
> + __u32 ext_flags = 0;
>
> while (argc > 0) {
> if (strcmp(*argv, "dev") == 0) {
> @@ -527,6 +535,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> if (dst_ok)
> addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
>
> + if (ext_flags &&
> + addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
> + sizeof(ext_flags)) < 0)
> + return -1;
> +
I believe this belongs with the "blackhole" patch.
> if (vid >= 0)
> addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
> if (nhid > 0)
> diff --git a/bridge/link.c b/bridge/link.c
> index 3810fa04..dd69d7c3 100644
> --- a/bridge/link.c
> +++ b/bridge/link.c
> @@ -181,9 +181,14 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
> if (prtb[IFLA_BRPORT_ISOLATED])
> print_on_off(PRINT_ANY, "isolated", "isolated %s ",
> rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
> - if (prtb[IFLA_BRPORT_LOCKED])
> - print_on_off(PRINT_ANY, "locked", "locked %s ",
> - rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
> + if (prtb[IFLA_BRPORT_LOCKED]) {
> + if (prtb[IFLA_BRPORT_MAB] && rta_getattr_u8(prtb[IFLA_BRPORT_MAB]))
> + print_on_off(PRINT_ANY, "locked mab", "locked mab %s ",
> + rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
> + else
> + print_on_off(PRINT_ANY, "locked", "locked %s ",
> + rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
> + }
These a separate flags and need to be dumped independently. The fact
that MAB can only be enabled when the port is locked is enforced by the
kernel.
> } else
> print_stp_state(rta_getattr_u8(attr));
> }
> @@ -281,6 +286,7 @@ static void usage(void)
> " [ vlan_tunnel {on | off} ]\n"
> " [ isolated {on | off} ]\n"
> " [ locked {on | off} ]\n"
> + " [ mab {on | off} ]\n"
> " [ hwmode {vepa | veb} ]\n"
> " [ backup_port DEVICE ] [ nobackup_port ]\n"
> " [ self ] [ master ]\n"
> @@ -312,6 +318,7 @@ static int brlink_modify(int argc, char **argv)
> __s8 bcast_flood = -1;
> __s8 mcast_to_unicast = -1;
> __s8 locked = -1;
> + __s8 macauth = -1;
> __s8 isolated = -1;
> __s8 hairpin = -1;
> __s8 bpdu_guard = -1;
> @@ -437,6 +444,11 @@ static int brlink_modify(int argc, char **argv)
> locked = parse_on_off("locked", *argv, &ret);
> if (ret)
> return ret;
> + } else if (strcmp(*argv, "mab") == 0) {
> + NEXT_ARG();
> + macauth = parse_on_off("mab", *argv, &ret);
> + if (ret)
> + return ret;
> } else if (strcmp(*argv, "backup_port") == 0) {
> NEXT_ARG();
> backup_port_idx = ll_name_to_index(*argv);
> @@ -520,6 +532,9 @@ static int brlink_modify(int argc, char **argv)
> if (locked >= 0)
> addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
>
> + if (macauth >= 0)
> + addattr8(&req.n, sizeof(req), IFLA_BRPORT_MAB, macauth);
> +
> if (backup_port_idx != -1)
> addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
> backup_port_idx);
> diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
> index 7494cffb..58a002de 100644
> --- a/include/uapi/linux/if_link.h
> +++ b/include/uapi/linux/if_link.h
> @@ -559,6 +559,7 @@ enum {
> IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
> IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
> IFLA_BRPORT_LOCKED,
> + IFLA_BRPORT_MAB,
> __IFLA_BRPORT_MAX
> };
> #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
> index a998bf76..4dda051b 100644
> --- a/include/uapi/linux/neighbour.h
> +++ b/include/uapi/linux/neighbour.h
> @@ -52,7 +52,8 @@ enum {
> #define NTF_STICKY (1 << 6)
> #define NTF_ROUTER (1 << 7)
> /* Extended flags under NDA_FLAGS_EXT: */
> -#define NTF_EXT_MANAGED (1 << 0)
> +#define NTF_EXT_MANAGED (1 << 0)
> +#define NTF_EXT_LOCKED (1 << 1)
>
> /*
> * Neighbor Cache Entry States.
> @@ -86,6 +87,10 @@ enum {
> * NTF_EXT_MANAGED flagged neigbor entries are managed by the kernel on behalf
> * of a user space control plane, and automatically refreshed so that (if
> * possible) they remain in NUD_REACHABLE state.
> + *
> + * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
> + * locked port feature, that ensures that an entry exists while at the same
> + * time dropping packets on ingress with src MAC and VID matching the entry.
> */
>
> struct nda_cacheinfo {
> diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
> index 98d17213..0c0894eb 100644
> --- a/ip/iplink_bridge_slave.c
> +++ b/ip/iplink_bridge_slave.c
> @@ -44,6 +44,7 @@ static void print_explain(FILE *f)
> " [ vlan_tunnel {on | off} ]\n"
> " [ isolated {on | off} ]\n"
> " [ locked {on | off} ]\n"
> + " [ mab {on | off} ]\n"
> " [ backup_port DEVICE ] [ nobackup_port ]\n"
> );
> }
> @@ -284,9 +285,14 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
> print_on_off(PRINT_ANY, "isolated", "isolated %s ",
> rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
>
> - if (tb[IFLA_BRPORT_LOCKED])
> - print_on_off(PRINT_ANY, "locked", "locked %s ",
> - rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
> + if (tb[IFLA_BRPORT_LOCKED]) {
> + if (tb[IFLA_BRPORT_MAB] && rta_getattr_u8(tb[IFLA_BRPORT_MAB]))
> + print_on_off(PRINT_ANY, "locked mab", "locked mab %s ",
> + rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
> + else
> + print_on_off(PRINT_ANY, "locked", "locked %s ",
> + rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
> + }
Same comment as before.
>
> if (tb[IFLA_BRPORT_BACKUP_PORT]) {
> int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
> @@ -411,6 +417,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
> NEXT_ARG();
> bridge_slave_parse_on_off("locked", *argv, n,
> IFLA_BRPORT_LOCKED);
> + } else if (matches(*argv, "mab") == 0) {
> + NEXT_ARG();
> + bridge_slave_parse_on_off("mab", *argv, n,
> + IFLA_BRPORT_MAB);
> } else if (matches(*argv, "backup_port") == 0) {
> int ifindex;
>
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index d4df772e..40250477 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -54,6 +54,7 @@ bridge \- show / manipulate bridge addresses and devices
> .BR vlan_tunnel " { " on " | " off " } ] [ "
> .BR isolated " { " on " | " off " } ] [ "
> .BR locked " { " on " | " off " } ] [ "
> +.BR mab " { " on " | " off " } ] [ "
> .B backup_port
> .IR DEVICE " ] ["
> .BR nobackup_port " ] [ "
> @@ -580,6 +581,15 @@ The common use is that hosts are allowed access through authentication
> with the IEEE 802.1X protocol or based on whitelists or like setups.
> By default this flag is off.
>
> +.TP
> +.RB "mab on " or " mab off "
> +Enables or disables the MAB/MacAuth feature. This feature can only be
> +activated on a port that is in locked mode, and when enabled it extends the
s/activated/enabled/
> +locked port feature so that MAC address can get access through a locked
s/MAC address/a host/ ?
> +port based on acceptlists, thus it is a much simpler procedure for a
> +device to become authorized than f.ex. the 802.1X protocol, and is used
> +for devices that are not capable of password or crypto based authorization
> +methods.
This is a high level description of the option, but it is missing the
part that ties it to the "locked" FDB entries.
Speaking of which, the "locked" flag needs to be described in
man/man8/bridge.8 (in a different patch)
>
> .TP
> .BI backup_port " DEVICE"
> diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
> index fc9d62fc..187ca7ca 100644
> --- a/man/man8/ip-link.8.in
> +++ b/man/man8/ip-link.8.in
> @@ -2454,6 +2454,9 @@ the following additional arguments are supported:
> .BR isolated " { " on " | " off " }"
> ] [
> .BR locked " { " on " | " off " }"
> +] [
> +.BR mab " { " on " | " off " }"
> +] [
> .BR backup_port " DEVICE"
> ] [
> .BR nobackup_port " ]"
> @@ -2560,6 +2563,11 @@ default this flag is off.
> behind the port cannot communicate through the port unless a FDB entry
> representing the host is in the FDB. By default this flag is off.
>
> +.BR mab " { " on " | " off " }"
> +- enables or disables the MAB/MacAuth feature on a locked port. It is
> +thus possible for a device to gain authorization on a locked port based
> +on acceptlists.
Why not just copy-paste the previous description?
> +
> .BI backup_port " DEVICE"
> - if the port loses carrier all traffic will be redirected to the
> configured backup port
> --
> 2.34.1
>
Powered by blists - more mailing lists