lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 20 Nov 2023 13:31:27 +0200
From: Vladimir Oltean <>
To: Hangbin Liu <>
Cc:, "David S . Miller" <>,
	David Ahern <>,
	Eric Dumazet <>,
	Jakub Kicinski <>, Paolo Abeni <>,
	Ido Schimmel <>,
	Nikolay Aleksandrov <>,
	Roopa Prabhu <>,
	Stephen Hemminger <>,
	Florian Westphal <>, Andrew Lunn <>,
	Florian Fainelli <>,
	Jiri Pirko <>, Marc Muehlfeld <>
Subject: Re: [PATCH net-next 02/10] net: bridge: add document for IFLA_BRPORT

On Fri, Nov 17, 2023 at 05:31:37PM +0800, Hangbin Liu wrote:
> + *   Controls whether a given port will learn *source* MAC addresses from
> + *   received traffic or not. By default this flag is on.

Also controls whether dynamic FDB entries (which can also be added by
software) will be refreshed by incoming traffic.

This is subtle but important in certain use cases (below).

> + *   Controls whether a port will be locked, meaning that hosts behind the
> + *   port will not be able to communicate through the port unless an FDB
> + *   entry with the unit's MAC address is in the FDB. The common use case is
> + *   that hosts are allowed access through authentication with the IEEE 802.1X
> + *   protocol or based on whitelists. By default this flag is off.

Here seems like a good place to add this warning:

Secure 802.1X deployments should always use the BR_BOOLOPT_NO_LL_LEARN
flag, to not permit the bridge to populate its FDB based on link-local
(EAPOL) traffic received on the port.

> + *

Controls whether a port will use MAC Authentication Bypass (MAB), a
technique through which select MAC addresses may be allowed on a locked
port, without using 802.1X authentication. Packets with an unknown source
MAC address generate a "locked" FDB entry on the incoming bridge port.
The common use case is for user space to react to these bridge FDB
notifications and optionally replace the locked FDB entry with a normal
one, allowing traffic to pass for whitelisted MAC addresses.

Setting this flag also requires IFLA_BRPORT_LOCKED and IFLA_BRPORT_LEARNING.
IFLA_BRPORT_LOCKED ensures that unauthorized data packets are dropped,
and IFLA_BRPORT_LEARNING allows the dynamic FDB entries installed by
user space (as replacements for the locked FDB entries) to be refreshed
and/or aged out.


Powered by blists - more mailing lists