bridge.lists.linux.dev archive mirror
From: Ido Schimmel <idosch@nvidia.com>
To: netdev@vger.kernel.org, bridge@lists.linux-foundation.org
Cc: petrm@nvidia.com, ivecera@redhat.com,
	netdev@kapio-technology.com, razor@blackwall.org,
	roopa@nvidia.com, Ido Schimmel <idosch@nvidia.com>,
	vladimir.oltean@nxp.com, edumazet@google.com, mlxsw@nvidia.com,
	jiri@nvidia.com, kuba@kernel.org, pabeni@redhat.com,
	davem@davemloft.net
Subject: [Bridge] [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload
Date: Tue, 25 Oct 2022 13:00:08 +0300
Message-ID: <20221025100024.1287157-1-idosch@nvidia.com>

This patchset is based on Hans' work from [1][2]. It adds MAB support in
the bridge driver and 802.1X (with MAB) offload support in mlxsw.

Patchset overview
=================

Patch #1 adds MAB support in the bridge driver. See the commit message
for motivation and design choices.

Patch #2 adds a selftest.

Patches #3-#4 extend the switchdev interfaces to allow device drivers to
install locked FDB entries in the bridge driver. Required for MAB
offload support.

The rest of the patches add 802.1X and MAB offload support in mlxsw.
Specifically:

Patches #5-#6 add the required packet traps for 802.1X.

Patches #7-#11 are small preparations.

Patch #12 adds locked bridge port support in mlxsw.

Patches #13-#16 add mlxsw selftests.

Future work
===========

The hostapd fork by Westermo is using dynamic FDB entries to authorize
hosts [3]. Changes are required in switchdev to allow such entries to be
offloaded. Hans already indicated he is working on that [4]. It should
not necessitate any uAPI changes so I do not view it as a blocker (Hans,
please confirm).

Merge plan
==========

We need to agree on a merge plan that allows us to start submitting
patches for inclusion and finally conclude this work. In my experience,
it is best to work in small batches. I therefore propose the following
plan:

* Add MAB support in the bridge driver. This corresponds to patches
  #1-#2.

* Switchdev extensions for MAB offload together with mlxsw
  support. This corresponds to patches #3-#16. I can reduce the number
  of patches by splitting out the selftests to a separate submission.

* mv88e6xxx support. I believe the blackhole stuff is an optimization,
  so I suggest getting initial MAB offload support without that. Support
  for blackhole entries together with offload can be added in a separate
  submission.

* Switchdev extensions for dynamic FDB entries together with mv88e6xxx
  support. I can follow up with mlxsw support afterwards.

[1] https://lore.kernel.org/netdev/20221018165619.134535-1-netdev@kapio-technology.com/
[2] https://lore.kernel.org/netdev/20221004152036.7848-1-netdev@kapio-technology.com/
[3] https://github.com/westermo/hostapd/blob/bridge_driver/hostapd/hostapd_auth_deauth.sh#L11
[4] https://lore.kernel.org/netdev/a11af0d07a79adbd2ac3d242b36dec7e@kapio-technology.com/

Hans J. Schultz (3):
  bridge: Add MAC Authentication Bypass (MAB) support
  selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases
  bridge: switchdev: Allow device drivers to install locked FDB entries

Ido Schimmel (13):
  bridge: switchdev: Let device drivers determine FDB offload indication
  devlink: Add packet traps for 802.1X operation
  mlxsw: spectrum_trap: Register 802.1X packet traps with devlink
  mlxsw: reg: Add Switch Port FDB Security Register
  mlxsw: spectrum: Add an API to configure security checks
  mlxsw: spectrum_switchdev: Prepare for locked FDB notifications
  mlxsw: spectrum_switchdev: Add support for locked FDB notifications
  mlxsw: spectrum_switchdev: Use extack in bridge port flag validation
  mlxsw: spectrum_switchdev: Add locked bridge port support
  selftests: devlink_lib: Split out helper
  selftests: mlxsw: Add a test for EAPOL trap
  selftests: mlxsw: Add a test for locked port trap
  selftests: mlxsw: Add a test for invalid locked bridge port
    configurations

 .../networking/devlink/devlink-trap.rst       |  13 +++
 drivers/net/ethernet/mellanox/mlxsw/reg.h     |  35 ++++++
 .../net/ethernet/mellanox/mlxsw/spectrum.c    |  22 ++++
 .../net/ethernet/mellanox/mlxsw/spectrum.h    |   5 +-
 .../mellanox/mlxsw/spectrum_switchdev.c       |  64 +++++++++--
 .../ethernet/mellanox/mlxsw/spectrum_trap.c   |  25 +++++
 drivers/net/ethernet/mellanox/mlxsw/trap.h    |   2 +
 include/linux/if_bridge.h                     |   1 +
 include/net/devlink.h                         |   9 ++
 include/net/switchdev.h                       |   1 +
 include/uapi/linux/if_link.h                  |   1 +
 include/uapi/linux/neighbour.h                |   8 +-
 net/bridge/br.c                               |   5 +-
 net/bridge/br_fdb.c                           |  46 +++++++-
 net/bridge/br_input.c                         |  15 ++-
 net/bridge/br_netlink.c                       |  13 ++-
 net/bridge/br_private.h                       |   5 +-
 net/bridge/br_switchdev.c                     |   1 +
 net/core/devlink.c                            |   3 +
 net/core/rtnetlink.c                          |   5 +
 .../drivers/net/mlxsw/devlink_trap_control.sh |  22 ++++
 .../net/mlxsw/devlink_trap_l2_drops.sh        | 105 ++++++++++++++++++
 .../selftests/drivers/net/mlxsw/rtnetlink.sh  |  31 ++++++
 .../net/forwarding/bridge_locked_port.sh      | 101 ++++++++++++++++-
 .../selftests/net/forwarding/devlink_lib.sh   |  19 ++--
 tools/testing/selftests/net/forwarding/lib.sh |   8 ++
 26 files changed, 535 insertions(+), 30 deletions(-)

-- 
2.37.3

