Date: Tue, 21 Nov 2023 11:10:58 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: Vladimir Oltean <olteanv@...il.com>
Cc: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Ido Schimmel <idosch@...sch.org>, Nikolay Aleksandrov <razor@...ckwall.org>, Roopa Prabhu <roopa@...dia.com>, Stephen Hemminger <stephen@...workplumber.org>, Florian Westphal <fw@...len.de>, Andrew Lunn <andrew@...n.ch>, Florian Fainelli <f.fainelli@...il.com>, Jiri Pirko <jiri@...nulli.us>, Marc Muehlfeld <mmuehlfe@...hat.com>
Subject: Re: [PATCH net-next 02/10] net: bridge: add document for IFLA_BRPORT enum

On Mon, Nov 20, 2023 at 01:31:27PM +0200, Vladimir Oltean wrote:
> On Fri, Nov 17, 2023 at 05:31:37PM +0800, Hangbin Liu wrote:
> > + * @IFLA_BRPORT_LEARNING
> > + * Controls whether a given port will learn *source* MAC addresses from
> > + * received traffic or not. By default this flag is on.
>
> Also controls whether dynamic FDB entries (which can also be added by
> software) will be refreshed by incoming traffic.
>
> This is subtle but important in certain use cases (below).
>
> > + * @IFLA_BRPORT_LOCKED
> > + * Controls whether a port will be locked, meaning that hosts behind the
> > + * port will not be able to communicate through the port unless an FDB
> > + * entry with the unit's MAC address is in the FDB. The common use case is
> > + * that hosts are allowed access through authentication with the IEEE 802.1X
> > + * protocol or based on whitelists. By default this flag is off.
>
> Here seems like a good place to add this warning:
>
> Secure 802.1X deployments should always use the BR_BOOLOPT_NO_LL_LEARN
> flag, to not permit the bridge to populate its FDB based on link-local
> (EAPOL) traffic received on the port.
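Review bot: in the quoted @IFLA_BRPORT_LOCKED text, "an FDB entry with the unit's MAC address" leaves it unclear which unit is meant; it should read "an FDB entry for the host's source MAC address on that port". Likewise "or based on whitelists" should say who installs the whitelist, i.e. user space adding FDB entries for approved addresses, since the port flag itself only consults the FDB.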
>
> > + *
> > + * @IFLA_BRPORT_MAB
>
> Controls whether a port will use MAC Authentication Bypass (MAB), a
> technique through which select MAC addresses may be allowed on a locked
> port, without using 802.1X authentication. Packets with an unknown source
> MAC address generate a "locked" FDB entry on the incoming bridge port.
> The common use case is for user space to react to these bridge FDB
> notifications and optionally replace the locked FDB entry with a normal
> one, allowing traffic to pass for whitelisted MAC addresses.
>
> Setting this flag also requires IFLA_BRPORT_LOCKED and IFLA_BRPORT_LEARNING.
> IFLA_BRPORT_LOCKED ensures that unauthorized data packets are dropped,
> and IFLA_BRPORT_LEARNING allows the dynamic FDB entries installed by
> user space (as replacements for the locked FDB entries) to be refreshed
> and/or aged out.
>
> (source: https://lore.kernel.org/netdev/20221018165619.134535-11-netdev@kapio-technology.com/)

Thanks for the doc, I will update the patch.

Hangbin
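Review bot: the quoted @IFLA_BRPORT_MAB entry carries no description text at all; it should state what the flag does and, in particular, that setting it requires both IFLA_BRPORT_LOCKED and IFLA_BRPORT_LEARNING, with the reason for each (LOCKED so unauthorized data packets are dropped, LEARNING so the dynamic entries user space installs in place of locked ones are refreshed and aged out), as the reply above spells out.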
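Added example (not part of the thread, the kernel, or iproute2): the user-space side of MAB as the reply describes it, turning locked-FDB notifications into decisions against a per-port allow-list, plus the bridge and port settings the thread calls for. It assumes the newline-delimited JSON shape of `bridge -j monitor fdb` output and the iproute2 `bridge link set ... locked on mab on` and `no_linklocal_learn` syntax; the sample events and allow-list are constructed.

```python
import json

# Constructed sample of FDB notifications, in the JSON shape assumed for
# `bridge -j monitor fdb` (one object per line). Not captured output.
SAMPLE_EVENTS = """
{"mac": "02:00:00:00:00:01", "ifname": "swp1", "flags": ["locked"], "master": "br0"}
{"mac": "02:00:00:00:00:02", "ifname": "swp1", "flags": ["locked"], "master": "br0"}
{"mac": "02:00:00:00:00:03", "ifname": "swp2", "flags": [], "master": "br0"}
"""

# Constructed allow-list keyed by port: only these addresses may bypass
# 802.1X on that port (the "whitelist" of the thread).
ALLOWLIST = {"swp1": {"02:00:00:00:00:01"}}


def bridge_setup_cmds(bridge, ports):
    """Settings the thread requires for MAB: no link-local (EAPOL) learning
    on the bridge, and learning + locked + mab on every access port."""
    cmds = [f"ip link set dev {bridge} type bridge no_linklocal_learn 1"]
    for port in ports:
        cmds.append(f"bridge link set dev {port} learning on locked on mab on")
    return cmds


def parse_fdb_events(text):
    """Parse newline-delimited JSON events; keep only 'locked' entries,
    which are the ones MAB generates for unknown source MACs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if "locked" in ev.get("flags", []):
            events.append((ev["mac"].lower(), ev["ifname"]))
    return events


def plan_actions(events, allowlist):
    """Allowed MACs: replace the locked entry with a dynamic one so
    IFLA_BRPORT_LEARNING can refresh and age it. Denied MACs: leave the
    locked entry in place, which keeps dropping that host's traffic."""
    plan = {"replace": [], "denied": []}
    for mac, port in events:
        if mac in allowlist.get(port, set()):
            plan["replace"].append(
                f"bridge fdb replace {mac} dev {port} master dynamic")
        else:
            plan["denied"].append((mac, port))
    return plan
```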