lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Nov 2022 13:39:56 +0200 From: Ido Schimmel <idosch@...dia.com> To: netdev@...r.kernel.org Cc: stephen@...workplumber.org, dsahern@...il.com, razor@...ckwall.org, netdev@...io-technology.com, vladimir.oltean@....com, mlxsw@...dia.com, Ido Schimmel <idosch@...dia.com> Subject: [PATCH iproute2-next 3/4] bridge: link: Add MAC Authentication Bypass (MAB) support From: Hans Schultz <netdev@...io-technology.com> Add MAB support in bridge(8) and ip(8), allowing these utilities to enable / disable MAB and display its current status. Signed-off-by: Hans Schultz <netdev@...io-technology.com> Signed-off-by: Ido Schimmel <idosch@...dia.com> --- Notes: Changes made by me: * Reword commit message. * Reword man page. * Use strcmp() instead of matches(). bridge/link.c | 13 +++++++++++++ ip/iplink_bridge_slave.c | 9 +++++++++ man/man8/bridge.8 | 16 ++++++++++++++++ man/man8/ip-link.8.in | 18 ++++++++++++++++++ 4 files changed, 56 insertions(+) diff --git a/bridge/link.c b/bridge/link.c index fef3a9ef22fb..337731dff26b 100644 --- a/bridge/link.c +++ b/bridge/link.c @@ -184,6 +184,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr) if (prtb[IFLA_BRPORT_LOCKED]) print_on_off(PRINT_ANY, "locked", "locked %s ", rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED])); + if (prtb[IFLA_BRPORT_MAB]) + print_on_off(PRINT_ANY, "mab", "mab %s ", + rta_getattr_u8(prtb[IFLA_BRPORT_MAB])); } else print_stp_state(rta_getattr_u8(attr)); } @@ -283,6 +286,7 @@ static void usage(void) " [ vlan_tunnel {on | off} ]\n" " [ isolated {on | off} ]\n" " [ locked {on | off} ]\n" + " [ mab {on | off} ]\n" " [ hwmode {vepa | veb} ]\n" " [ backup_port DEVICE ] [ nobackup_port ]\n" " [ self ] [ master ]\n" @@ -314,6 +318,7 @@ static int brlink_modify(int argc, char **argv) __s8 bcast_flood = -1; __s8 mcast_to_unicast = -1; __s8 locked = -1; + __s8 macauth = -1; __s8 isolated = -1; __s8 hairpin = -1; __s8 bpdu_guard = -1; @@ -439,6 +444,11 @@ static int brlink_modify(int argc, char **argv) locked = parse_on_off("locked", *argv, &ret); if (ret) return ret; + } else if (strcmp(*argv, "mab") == 0) { + NEXT_ARG(); + macauth = parse_on_off("mab", *argv, &ret); + if (ret) + return ret; } else if (strcmp(*argv, "backup_port") == 0) { NEXT_ARG(); backup_port_idx = ll_name_to_index(*argv); @@ -522,6 +532,9 @@ static int brlink_modify(int argc, char **argv) if (locked >= 0) addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked); + if (macauth >= 0) + addattr8(&req.n, sizeof(req), IFLA_BRPORT_MAB, macauth); + if (backup_port_idx != -1) addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT, backup_port_idx); diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c index 98d172134847..ca4b264e64e7 100644 --- a/ip/iplink_bridge_slave.c +++ b/ip/iplink_bridge_slave.c @@ -44,6 +44,7 @@ static void print_explain(FILE *f) " [ vlan_tunnel {on | off} ]\n" " [ isolated {on | off} ]\n" " [ locked {on | off} ]\n" + " [ mab {on | off} ]\n" " [ backup_port DEVICE ] [ nobackup_port ]\n" ); } @@ -288,6 +289,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f, print_on_off(PRINT_ANY, "locked", "locked %s ", rta_getattr_u8(tb[IFLA_BRPORT_LOCKED])); + if (tb[IFLA_BRPORT_MAB]) + print_on_off(PRINT_ANY, "mab", "mab %s ", + rta_getattr_u8(tb[IFLA_BRPORT_MAB])); + if (tb[IFLA_BRPORT_BACKUP_PORT]) { int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]); @@ -411,6 +416,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv, NEXT_ARG(); bridge_slave_parse_on_off("locked", *argv, n, IFLA_BRPORT_LOCKED); + } else if (strcmp(*argv, "mab") == 0) { + NEXT_ARG(); + bridge_slave_parse_on_off("mab", *argv, n, + IFLA_BRPORT_MAB); } else if (matches(*argv, "backup_port") == 0) { int ifindex; diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 index d4df772ea3b2..1888f707b6d2 100644 --- a/man/man8/bridge.8 +++ b/man/man8/bridge.8 @@ -54,6 +54,7 @@ bridge \- show / manipulate bridge addresses and devices .BR vlan_tunnel " { " on " | " off " } ] [ " .BR isolated " { " on " | " off " } ] [ " .BR locked " { " on " | " off " } ] [ " +.BR mab " { " on " | " off " } ] [ " .B backup_port .IR DEVICE " ] [" .BR nobackup_port " ] [ " @@ -580,6 +581,21 @@ The common use is that hosts are allowed access through authentication with the IEEE 802.1X protocol or based on whitelists or like setups. By default this flag is off. +.TP +.BR "mab on " or " mab off " +Controls whether MAC Authentication Bypass (MAB) is enabled on the port or not. +MAB can only be enabled on a locked port that has learning enabled. When +enabled, FDB entries are learned from received traffic and have the "locked" +FDB flag set. The flag can only be set by the kernel and it indicates that the +FDB entry cannot be used to authenticate the corresponding host. User space can +decide to authenticate the host by replacing the FDB entry and clearing the +"locked" FDB flag. Locked FDB entries can roam to unlocked (authorized) ports +in which case the "locked" flag is cleared. FDB entries cannot roam to locked +ports regardless of MAB being enabled or not. Therefore, locked FDB entries are +only created if an FDB entry with the given {MAC, VID} does not already exist. +This behavior prevents unauthenticated hosts from disrupting traffic destined +to already authenticated hosts. Locked FDB entries act like regular dynamic +entries with respect to forwarding and aging. By default this flag is off. .TP .BI backup_port " DEVICE" diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in index 88ad9d7baab7..314c07d0fb1f 100644 --- a/man/man8/ip-link.8.in +++ b/man/man8/ip-link.8.in @@ -2471,6 +2471,9 @@ the following additional arguments are supported: .BR isolated " { " on " | " off " }" ] [ .BR locked " { " on " | " off " }" +] [ +.BR mab " { " on " | " off " }" +] [ .BR backup_port " DEVICE" ] [ .BR nobackup_port " ]" @@ -2577,6 +2580,21 @@ default this flag is off. behind the port cannot communicate through the port unless a FDB entry representing the host is in the FDB. By default this flag is off. +.BR mab " { " on " | " off " }" +- controls whether MAC Authentication Bypass (MAB) is enabled on the port or +not. MAB can only be enabled on a locked port that has learning enabled. When +enabled, FDB entries are learned from received traffic and have the "locked" +FDB flag set. The flag can only be set by the kernel and it indicates that the +FDB entry cannot be used to authenticate the corresponding host. User space can +decide to authenticate the host by replacing the FDB entry and clearing the +"locked" FDB flag. Locked FDB entries can roam to unlocked (authorized) ports +in which case the "locked" flag is cleared. FDB entries cannot roam to locked +ports regardless of MAB being enabled or not. Therefore, locked FDB entries are +only created if an FDB entry with the given {MAC, VID} does not already exist. +This behavior prevents unauthenticated hosts from disrupting traffic destined +to already authenticated hosts. Locked FDB entries act like regular dynamic +entries with respect to forwarding and aging. By default this flag is off. + .BI backup_port " DEVICE" - if the port loses carrier all traffic will be redirected to the configured backup port -- 2.37.3
Powered by blists - more mailing lists