lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221106113957.2725173-5-idosch@nvidia.com>
Date:   Sun,  6 Nov 2022 13:39:57 +0200
From:   Ido Schimmel <idosch@...dia.com>
To:     netdev@...r.kernel.org
Cc:     stephen@...workplumber.org, dsahern@...il.com, razor@...ckwall.org,
        netdev@...io-technology.com, vladimir.oltean@....com,
        mlxsw@...dia.com, Ido Schimmel <idosch@...dia.com>
Subject: [PATCH iproute2-next 4/4] man: bridge: Reword description of "locked" bridge port option

Adjust the description to mention the "no_linklocal_learn" bridge option
and make sure it is consistent between both the bridge(8) and ip-link(8)
man pages.

Signed-off-by: Ido Schimmel <idosch@...dia.com>
---
 man/man8/bridge.8     | 16 ++++++++++------
 man/man8/ip-link.8.in | 13 ++++++++++---
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index 1888f707b6d2..e72826d750ca 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -574,12 +574,16 @@ flag is off.
 
 .TP
 .BR "locked on " or " locked off "
-Controls whether a port will be locked, meaning that hosts behind the
-port will not be able to communicate through the port unless an FDB
-entry with the units MAC address is in the FDB.
-The common use is that hosts are allowed access through authentication
-with the IEEE 802.1X protocol or based on whitelists or like setups.
-By default this flag is off.
+Controls whether a port is locked or not. When locked, non-link-local frames
+received through the port are dropped unless an FDB entry with the MAC source
+address points to the port. The common use case is IEEE 802.1X where hosts can
+authenticate themselves by exchanging EAPOL frames with an authenticator. After
+authentication is complete, the user space control plane can install a matching
+FDB entry to allow traffic from the host to be forwarded by the bridge. When
+learning is enabled on a locked port, the
+.B no_linklocal_learn
+bridge option needs to be on to prevent the bridge from learning from received
+EAPOL frames. By default this flag is off.
 
 .TP
 .BR "mab on " or " mab off "
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 314c07d0fb1f..235c839a417c 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2576,9 +2576,16 @@ is enabled on the port. By default this flag is off.
 default this flag is off.
 
 .BR locked " { " on " | " off " }"
-- sets or unsets a port in locked mode, so that when enabled, hosts
-behind the port cannot communicate through the port unless a FDB entry
-representing the host is in the FDB. By default this flag is off.
+- controls whether a port is locked or not. When locked, non-link-local frames
+received through the port are dropped unless an FDB entry with the MAC source
+address points to the port. The common use case is IEEE 802.1X where hosts can
+authenticate themselves by exchanging EAPOL frames with an authenticator. After
+authentication is complete, the user space control plane can install a matching
+FDB entry to allow traffic from the host to be forwarded by the bridge. When
+learning is enabled on a locked port, the
+.B no_linklocal_learn
+bridge option needs to be on to prevent the bridge from learning from received
+EAPOL frames. By default this flag is off.
 
 .BR mab " { " on " | " off " }"
 - controls whether MAC Authentication Bypass (MAB) is enabled on the port or
-- 
2.37.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ