Date: Sun, 6 Nov 2022 13:39:57 +0200 From: Ido Schimmel <idosch@...dia.com> To: netdev@...r.kernel.org Cc: stephen@...workplumber.org, dsahern@...il.com, razor@...ckwall.org, netdev@...io-technology.com, vladimir.oltean@....com, mlxsw@...dia.com, Ido Schimmel <idosch@...dia.com> Subject: [PATCH iproute2-next 4/4] man: bridge: Reword description of "locked" bridge port option Adjust the description to mention the "no_linklocal_learn" bridge option and make sure it is consistent between both the bridge(8) and ip-link(8) man pages. Signed-off-by: Ido Schimmel <idosch@...dia.com> --- man/man8/bridge.8 | 16 ++++++++++------ man/man8/ip-link.8.in | 13 ++++++++++--- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 index 1888f707b6d2..e72826d750ca 100644 --- a/man/man8/bridge.8 +++ b/man/man8/bridge.8 @@ -574,12 +574,16 @@ flag is off. .TP .BR "locked on " or " locked off " -Controls whether a port will be locked, meaning that hosts behind the -port will not be able to communicate through the port unless an FDB -entry with the units MAC address is in the FDB. -The common use is that hosts are allowed access through authentication -with the IEEE 802.1X protocol or based on whitelists or like setups. -By default this flag is off. +Controls whether a port is locked or not. When locked, non-link-local frames +received through the port are dropped unless an FDB entry with the MAC source +address points to the port. The common use case is IEEE 802.1X where hosts can +authenticate themselves by exchanging EAPOL frames with an authenticator. After +authentication is complete, the user space control plane can install a matching +FDB entry to allow traffic from the host to be forwarded by the bridge. When +learning is enabled on a locked port, the +.B no_linklocal_learn +bridge option needs to be on to prevent the bridge from learning from received +EAPOL frames. By default this flag is off. .TP .BR "mab on " or " mab off " 
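Review bot: In the bridge.8 hunk, the new text introduces `no_linklocal_learn` without saying where it is set or documented, while bridge(8) itself never defines that option; since it is a bridge (master) option rather than a per-port one, a short pointer such as "see the bridge options in ip-link(8)" after ".B no_linklocal_learn" would save readers a search. Minor style point in the same hunk: "Controls whether a port is locked or not." reads better as "Controls whether a port is locked." and matches the terse phrasing of the neighbouring entries.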
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in index 314c07d0fb1f..235c839a417c 100644 --- a/man/man8/ip-link.8.in +++ b/man/man8/ip-link.8.in @@ -2576,9 +2576,16 @@ is enabled on the port. By default this flag is off. default this flag is off. .BR locked " { " on " | " off " }" -- sets or unsets a port in locked mode, so that when enabled, hosts -behind the port cannot communicate through the port unless a FDB entry -representing the host is in the FDB. By default this flag is off. +- controls whether a port is locked or not. When locked, non-link-local frames +received through the port are dropped unless an FDB entry with the MAC source +address points to the port. The common use case is IEEE 802.1X where hosts can +authenticate themselves by exchanging EAPOL frames with an authenticator. After +authentication is complete, the user space control plane can install a matching +FDB entry to allow traffic from the host to be forwarded by the bridge. When +learning is enabled on a locked port, the +.B no_linklocal_learn +bridge option needs to be on to prevent the bridge from learning from received +EAPOL frames. By default this flag is off. .BR mab " { " on " | " off " }" - controls whether MAC Authentication Bypass (MAB) is enabled on the port or -- 2.37.3
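Review bot: In the ip-link.8.in hunk, the sentence "When learning is enabled on a locked port, the .B no_linklocal_learn bridge option needs to be on" refers to two settings documented elsewhere in this same page, the per-port `learning` option a few entries above and the bridge-type `no_linklocal_learn` option; an explicit "(described above)" or similar reference for each would make the dependency between them clear without forcing the reader to cross-check bridge(8). Also worth noting that this paragraph is now a verbatim copy of the bridge(8) text; that satisfies the consistency goal in the commit message, but a comment in the commit message that the two blocks are meant to be kept in lockstep would help future editors avoid drift.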