| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2022 17:27:44 +0300
From: Ido Schimmel <idosch@...sch.org>
To: Hans Schultz <schultz.hans@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
Hans Schultz <schultz.hans+netdev@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Florian Fainelli <f.fainelli@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Ido Schimmel <idosch@...dia.com>, linux-kernel@...r.kernel.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH V3 net-next 4/4] selftests: forwarding: add test of
MAC-Auth Bypass to locked port tests
On Tue, May 24, 2022 at 05:21:44PM +0200, Hans Schultz wrote:
> Verify that the MAC-Auth mechanism works by adding a FDB entry with the
> locked flag set. denying access until the FDB entry is replaced with a
> FDB entry without the locked flag set.
>
> Signed-off-by: Hans Schultz <schultz.hans+netdev@...il.com>
> ---
> .../net/forwarding/bridge_locked_port.sh | 42 ++++++++++++++++---
> 1 file changed, 36 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> index 5b02b6b60ce7..50b9048d044a 100755
> --- a/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> +++ b/tools/testing/selftests/net/forwarding/bridge_locked_port.sh
> @@ -1,7 +1,7 @@
> #!/bin/bash
> # SPDX-License-Identifier: GPL-2.0
>
> -ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
> +ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan locked_port_mab"
> NUM_NETIFS=4
> CHECK_TC="no"
> source lib.sh
> @@ -94,13 +94,13 @@ locked_port_ipv4()
> ping_do $h1 192.0.2.2
> check_fail $? "Ping worked after locking port, but before adding FDB entry"
>
> - bridge fdb add `mac_get $h1` dev $swp1 master static
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
>
> ping_do $h1 192.0.2.2
> check_err $? "Ping did not work after locking port and adding FDB entry"
>
> bridge link set dev $swp1 locked off
> - bridge fdb del `mac_get $h1` dev $swp1 master static
> + bridge fdb del `mac_get $h1` dev $swp1 master
>
> ping_do $h1 192.0.2.2
> check_err $? "Ping did not work after unlocking port and removing FDB entry."
> @@ -124,13 +124,13 @@ locked_port_vlan()
> ping_do $h1.100 198.51.100.2
> check_fail $? "Ping through vlan worked after locking port, but before adding FDB entry"
>
> - bridge fdb add `mac_get $h1` dev $swp1 vlan 100 master static
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
>
> ping_do $h1.100 198.51.100.2
> check_err $? "Ping through vlan did not work after locking port and adding FDB entry"
>
> bridge link set dev $swp1 locked off
> - bridge fdb del `mac_get $h1` dev $swp1 vlan 100 master static
> + bridge fdb del `mac_get $h1` dev $swp1 vlan 100 master
>
> ping_do $h1.100 198.51.100.2
> check_err $? "Ping through vlan did not work after unlocking port and removing FDB entry"
> @@ -153,7 +153,8 @@ locked_port_ipv6()
> ping6_do $h1 2001:db8:1::2
> check_fail $? "Ping6 worked after locking port, but before adding FDB entry"
>
> - bridge fdb add `mac_get $h1` dev $swp1 master static
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> ping6_do $h1 2001:db8:1::2
> check_err $? "Ping6 did not work after locking port and adding FDB entry"
>
> @@ -166,6 +167,35 @@ locked_port_ipv6()
> log_test "Locked port ipv6"
> }
Why did you change s/add/replace/? Also, from the subject and commit
message I understand the patch is about adding a new test, not changing
existing ones.
>
> +locked_port_mab()
> +{
> + RET=0
> + check_locked_port_support || return 0
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work before locking port"
> +
> + bridge link set dev $swp1 locked on
> + bridge link set dev $swp1 learning on
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
Why the delete is needed? Aren't you getting errors on trying to delete
a non-existing entry? In previous test cases learning is disabled and it
seems the FDB entry is cleaned up.
> +
> + ping_do $h1 192.0.2.2
> + check_fail $? "MAB: Ping worked on locked port without FDB entry"
> +
> + bridge fdb show | grep `mac_get $h1` | grep -q "locked"
> + check_err $? "MAB: No locked fdb entry after ping on locked port"
> +
> + bridge fdb replace `mac_get $h1` dev $swp1 master static
> +
> + ping_do $h1 192.0.2.2
> + check_err $? "MAB: Ping did not work with fdb entry without locked flag"
> +
> + bridge fdb del `mac_get $h1` dev $swp1 master
bridge link set dev $swp1 learning off
> + bridge link set dev $swp1 locked off
> +
> + log_test "Locked port MAB"
> +}
> trap cleanup EXIT
>
> setup_prepare
> --
> 2.30.2
>
Powered by blists - more mailing lists