net: bridge: Add support for bridge port in locked mode

In a 802.1X scenario, clients connected to a bridge port shall not
be allowed to have traffic forwarded until fully authenticated.
A static fdb entry of the clients MAC address for the bridge port
unlocks the client and allows bidirectional communication.

This scenario is facilitated with setting the bridge port in locked
mode, which is also supported by various switchcore chipsets.

Signed-off-by: Hans Schultz <schultz.hans+netdev@gmail.com>
Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h
index 509e18c7e7408e1fd7223ed4498a005d4c1415ac..3aae023a9353ffc52ccc5de9e11c178c58c37a2e 100644 (file)
--- a/include/linux/if_bridge.h
+++ b/include/linux/if_bridge.h
@@ -58,6 +58,7 @@ struct br_ip_list {
 #define BR_MRP_LOST_CONT       BIT(18)
 #define BR_MRP_LOST_IN_CONT    BIT(19)
 #define BR_TX_FWD_OFFLOAD      BIT(20)
+#define BR_PORT_LOCKED         BIT(21)
 
 #define BR_DEFAULT_AGEING_TIME (300 * HZ)
 

diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index e1ba2d51b717b7ac7f06e94ac9791cf4c8a5ab6f..be09d2ad4b5df1ce97459e340f8cecd0fa4f347d 100644 (file)
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -537,6 +537,7 @@ enum {
        IFLA_BRPORT_MRP_IN_OPEN,
        IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
        IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
+       IFLA_BRPORT_LOCKED,
        __IFLA_BRPORT_MAX
 };
 #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index b50382f957c12a28d54a640833d546df8ae54700..e0c13fcc50ed4cf95cecbcb388eed8f31215cfe4 100644 (file)
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -81,6 +81,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
        if (!p || p->state == BR_STATE_DISABLED)
                goto drop;
 
+       br = p->br;
        brmctx = &p->br->multicast_ctx;
        pmctx = &p->multicast_ctx;
        state = p->state;
@@ -88,10 +89,18 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
                                &state, &vlan))
                goto out;
 
+       if (p->flags & BR_PORT_LOCKED) {
+               struct net_bridge_fdb_entry *fdb_src =
+                       br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
+
+               if (!fdb_src || READ_ONCE(fdb_src->dst) != p ||
+                   test_bit(BR_FDB_LOCAL, &fdb_src->flags))
+                       goto drop;
+       }
+
        nbp_switchdev_frame_mark(p, skb);
 
        /* insert into forwarding database after filtering to avoid spoofing */
-       br = p->br;
        if (p->flags & BR_LEARNING)
                br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, 0);
 

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 2ff83d84230d3136747dbd12507d071855b53cf6..7d4432ca9a204e85e8fad25922e7cfcc09f66d95 100644 (file)
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -184,6 +184,7 @@ static inline size_t br_port_info_size(void)
                + nla_total_size(1)     /* IFLA_BRPORT_VLAN_TUNNEL */
                + nla_total_size(1)     /* IFLA_BRPORT_NEIGH_SUPPRESS */
                + nla_total_size(1)     /* IFLA_BRPORT_ISOLATED */
+               + nla_total_size(1)     /* IFLA_BRPORT_LOCKED */
                + nla_total_size(sizeof(struct ifla_bridge_id)) /* IFLA_BRPORT_ROOT_ID */
                + nla_total_size(sizeof(struct ifla_bridge_id)) /* IFLA_BRPORT_BRIDGE_ID */
                + nla_total_size(sizeof(u16))   /* IFLA_BRPORT_DESIGNATED_PORT */
@@ -269,7 +270,8 @@ static int br_port_fill_attrs(struct sk_buff *skb,
                                                          BR_MRP_LOST_CONT)) ||
            nla_put_u8(skb, IFLA_BRPORT_MRP_IN_OPEN,
                       !!(p->flags & BR_MRP_LOST_IN_CONT)) ||
-           nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)))
+           nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)) ||
+           nla_put_u8(skb, IFLA_BRPORT_LOCKED, !!(p->flags & BR_PORT_LOCKED)))
                return -EMSGSIZE;
 
        timerval = br_timer_value(&p->message_age_timer);
@@ -827,6 +829,7 @@ static const struct nla_policy br_port_policy[IFLA_BRPORT_MAX + 1] = {
        [IFLA_BRPORT_GROUP_FWD_MASK] = { .type = NLA_U16 },
        [IFLA_BRPORT_NEIGH_SUPPRESS] = { .type = NLA_U8 },
        [IFLA_BRPORT_ISOLATED]  = { .type = NLA_U8 },
+       [IFLA_BRPORT_LOCKED] = { .type = NLA_U8 },
        [IFLA_BRPORT_BACKUP_PORT] = { .type = NLA_U32 },
        [IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT] = { .type = NLA_U32 },
 };
@@ -893,6 +896,7 @@ static int br_setport(struct net_bridge_port *p, struct nlattr *tb[],
        br_set_port_flag(p, tb, IFLA_BRPORT_VLAN_TUNNEL, BR_VLAN_TUNNEL);
        br_set_port_flag(p, tb, IFLA_BRPORT_NEIGH_SUPPRESS, BR_NEIGH_SUPPRESS);
        br_set_port_flag(p, tb, IFLA_BRPORT_ISOLATED, BR_ISOLATED);
+       br_set_port_flag(p, tb, IFLA_BRPORT_LOCKED, BR_PORT_LOCKED);
 
        changed_mask = old_flags ^ p->flags;