| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YjNMS6aFG+93ejj5@shredder>
Date: Thu, 17 Mar 2022 16:57:15 +0200
From: Ido Schimmel <idosch@...sch.org>
To: Hans Schultz <schultz.hans@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
Hans Schultz <schultz.hans+netdev@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Florian Fainelli <f.fainelli@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Ido Schimmel <idosch@...dia.com>, linux-kernel@...r.kernel.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v2 net-next 4/4] selftests: forwarding: add test of
MAC-Auth Bypass to locked port tests
On Thu, Mar 17, 2022 at 10:39:02AM +0100, Hans Schultz wrote:
> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> locked flag set. denying access until the FDB entry is replaced with a
> FDB entry without the locked flag set.
>
> Signed-off-by: Hans Schultz <schultz.hans+netdev@...il.com>
> ---
> .../net/forwarding/bridge_locked_port.sh | 29 ++++++++++++++++++-
> 1 file changed, 28 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> index 6e98efa6d371..2f9519e814b6 100755
> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> @@ -1,7 +1,7 @@
> #!/bin/bash
> # SPDX-License-Identifier: GPL-2.0
>
> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
> NUM_NETIFS=4
> CHECK_TC="no"
> source lib.sh
> @@ -170,6 +170,33 @@ locked_port_ipv6()
> log_test "Locked port ipv6"
> }
>
> +locked_port_mab()
> +{
> + RET=0
> + check_locked_port_support || return 0
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work before locking port"
> +
> + bridge link set dev $swp1 locked on
> + bridge link set dev $swp1 learning on
> +
> + ping_do $h1 192.0.2.2
> + check_fail $? "MAB: Ping worked on port just locked"
> +
> + if ! bridge fdb show | grep `mac_get $h1` | grep -q "locked"; then
> + RET=1
> + retmsg="MAB: No locked fdb entry after ping on locked port"
> + fi
bridge fdb show | grep `mac_get $h1 | grep -q "locked"
check_err $? "MAB: No locked fdb entry after ping on locked port"
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
> + bridge fdb add `mac_get $h1` dev $swp1 master static
bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> +
> + log_test "Locked port MAB"
Clean up after the test to revert to initial state:
bridge fdb del `mac_get $h1` dev $swp1 master
bridge link set dev $swp1 locked off
> +}
> trap cleanup EXIT
>
> setup_prepare
> --
> 2.30.2
>
Powered by blists - more mailing lists