authorDavid Ahern <dsahern@kernel.org>2022-03-04 09:18:24 -0700
committerDavid Ahern <dsahern@kernel.org>2022-03-04 09:18:24 -0700
commit0a9f3008e108df0903567fb64129d6b717fa2f91 (patch)
tree9a71bff3a305a4c96e79ab104145cca79db12f1a
parent04a0077deb5de919477c3965985c0780aca20e47 (diff)
parent0a685b987c06a50d644483527b9c09712dd2b40d (diff)
Merge branch '802.1X-locked-bridge-ports' into next
Hans Schultz says: ==================== This patch set complements the kernel locked port patches, so that iproute2 can be used to lock/unlock a port and to check whether a port is locked. To lock or unlock a port use the command: bridge link set dev DEV locked {on | off} To show the detailed settings of a port, including whether the locked flag is enabled for the port(s), use the command: bridge -d link show [dev DEV] ==================== Signed-off-by: David Ahern <dsahern@kernel.org>
-rw-r--r--bridge/link.c13
-rw-r--r--ip/iplink_bridge_slave.c9
-rw-r--r--man/man8/bridge.811
-rw-r--r--man/man8/ip-link.8.in6
4 files changed, 39 insertions, 0 deletions
diff --git a/bridge/link.c b/bridge/link.c
index bc7837a94..dc3fc7adb 100644
--- a/bridge/link.c
+++ b/bridge/link.c
@@ -175,6 +175,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
if (prtb[IFLA_BRPORT_ISOLATED])
print_on_off(PRINT_ANY, "isolated", "isolated %s ",
rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
+ if (prtb[IFLA_BRPORT_LOCKED])
+ print_on_off(PRINT_ANY, "locked", "locked %s ",
+ rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
} else
print_stp_state(rta_getattr_u8(attr));
}
@@ -269,6 +272,7 @@ static void usage(void)
" [ neigh_suppress {on | off} ]\n"
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
+ " [ locked {on | off} ]\n"
" [ hwmode {vepa | veb} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
" [ self ] [ master ]\n"
@@ -297,6 +301,7 @@ static int brlink_modify(int argc, char **argv)
__s8 vlan_tunnel = -1;
__s8 mcast_flood = -1;
__s8 mcast_to_unicast = -1;
+ __s8 locked = -1;
__s8 isolated = -1;
__s8 hairpin = -1;
__s8 bpdu_guard = -1;
@@ -409,6 +414,11 @@ static int brlink_modify(int argc, char **argv)
isolated = parse_on_off("isolated", *argv, &ret);
if (ret)
return ret;
+ } else if (strcmp(*argv, "locked") == 0) {
+ NEXT_ARG();
+ locked = parse_on_off("locked", *argv, &ret);
+ if (ret)
+ return ret;
} else if (strcmp(*argv, "backup_port") == 0) {
NEXT_ARG();
backup_port_idx = ll_name_to_index(*argv);
@@ -483,6 +493,9 @@ static int brlink_modify(int argc, char **argv)
if (isolated != -1)
addattr8(&req.n, sizeof(req), IFLA_BRPORT_ISOLATED, isolated);
+ if (locked >= 0)
+ addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
+
if (backup_port_idx != -1)
addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
backup_port_idx);
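Review bot: The new guard `if (locked >= 0)` is written differently from every neighbouring attribute check in brlink_modify, which test `!= -1` (the isolated check two lines above is the nearest example). Since `locked` is a `__s8` initialised to -1 and, presumably, only ever set to 0 or 1 by parse_on_off, the two forms behave the same, but the mixed spelling reads as if locked used a different sentinel. Suggest `if (locked != -1)` and dropping the extra blank line after the addattr8 call, which the adjacent blocks do not have. brlink_modify's body continues outside the hunk on both sides.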
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 717875864..da14a95eb 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -42,6 +42,7 @@ static void print_explain(FILE *f)
" [ neigh_suppress {on | off} ]\n"
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
+ " [ locked {on | off} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
);
}
@@ -278,6 +279,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
print_on_off(PRINT_ANY, "isolated", "isolated %s ",
rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
+ if (tb[IFLA_BRPORT_LOCKED])
+ print_on_off(PRINT_ANY, "locked", "locked %s ",
+ rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+
if (tb[IFLA_BRPORT_BACKUP_PORT]) {
int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
@@ -393,6 +398,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
NEXT_ARG();
bridge_slave_parse_on_off("isolated", *argv, n,
IFLA_BRPORT_ISOLATED);
+ } else if (matches(*argv, "locked") == 0) {
+ NEXT_ARG();
+ bridge_slave_parse_on_off("locked", *argv, n,
+ IFLA_BRPORT_LOCKED);
} else if (matches(*argv, "backup_port") == 0) {
int ifindex;
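Review bot: `matches(*argv, "locked")` accepts any prefix of the keyword, while the bridge(8) parser added in the same series uses an exact `strcmp(*argv, "locked") == 0` (bridge/link.c, hunk at @@ -409), so the two front ends accept different spellings of the same option. That follows this file's existing `matches()` convention, but for a flag that gates forwarding on a port it is worth noting that a short abbreviation resolves to whichever `matches()` branch comes first in the chain, and any earlier option sharing the prefix is not visible in this hunk. If exact matching is not wanted here, the accepted abbreviations should at least be consistent between the two tools. bridge_slave_parse_opt starts and ends outside the hunk.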
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index 81ce9e6f7..cb0ffc166 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -50,6 +50,7 @@ bridge \- show / manipulate bridge addresses and devices
.BR neigh_suppress " { " on " | " off " } ] [ "
.BR vlan_tunnel " { " on " | " off " } ] [ "
.BR isolated " { " on " | " off " } ] [ "
+.BR locked " { " on " | " off " } ] [ "
.B backup_port
.IR DEVICE " ] ["
.BR nobackup_port " ] [ "
@@ -514,6 +515,16 @@ able to communicate with non-isolated ports only. By default this
flag is off.
.TP
+.BR "locked on " or " locked off "
+Controls whether a port will be locked, meaning that hosts behind the
+port will not be able to communicate through the port unless an FDB
+entry with the units MAC address is in the FDB.
+The common use is that hosts are allowed access through authentication
+with the IEEE 802.1X protocol or based on whitelists or like setups.
+By default this flag is off.
+
+
+.TP
.BI backup_port " DEVICE"
If the port loses carrier all traffic will be redirected to the
configured backup port
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 5f5b835cb..822904d0d 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2391,6 +2391,7 @@ the following additional arguments are supported:
] [
.BR isolated " { " on " | " off " }"
] [
+.BR locked " { " on " | " off " }"
.BR backup_port " DEVICE"
] [
.BR nobackup_port " ]"
@@ -2488,6 +2489,11 @@ is enabled on the port. By default this flag is off.
- controls whether vlan to tunnel mapping is enabled on the port. By
default this flag is off.
+.BR locked " { " on " | " off " }"
+- sets or unsets a port in locked mode, so that when enabled, hosts
+behind the port cannot communicate through the port unless a FDB entry
+representing the host is in the FDB. By default this flag is off.
+
.BI backup_port " DEVICE"
- if the port loses carrier all traffic will be redirected to the
configured backup port