author | David Ahern <dsahern@kernel.org> | 2022-03-04 09:18:24 -0700 |
---|---|---|
committer | David Ahern <dsahern@kernel.org> | 2022-03-04 09:18:24 -0700 |
commit | 0a9f3008e108df0903567fb64129d6b717fa2f91 (patch) | |
tree | 9a71bff3a305a4c96e79ab104145cca79db12f1a | |
parent | 04a0077deb5de919477c3965985c0780aca20e47 (diff) | |
parent | 0a685b987c06a50d644483527b9c09712dd2b40d (diff) | |
Merge branch '802.1X-locked-bridge-ports' into next
Hans Schultz says:
====================
This patch set complements the kernel locked-port patches so that
iproute2 can be used to lock or unlock a port and to check whether a
port is locked. To lock or unlock a port use the command:
bridge link set dev DEV locked {on | off}
To show the detailed setting of a port, including if the locked flag is
enabled for the port(s), use the command:
bridge -d link show [dev DEV]
====================
Signed-off-by: David Ahern <dsahern@kernel.org>
-rw-r--r-- | bridge/link.c | 13 | ||||
-rw-r--r-- | ip/iplink_bridge_slave.c | 9 | ||||
-rw-r--r-- | man/man8/bridge.8 | 11 | ||||
-rw-r--r-- | man/man8/ip-link.8.in | 6 |
4 files changed, 39 insertions, 0 deletions
diff --git a/bridge/link.c b/bridge/link.c 
index bc7837a94..dc3fc7adb 100644 
--- a/bridge/link.c 
+++ b/bridge/link.c 
@@ -175,6 +175,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
 if (prtb[IFLA_BRPORT_ISOLATED])
 print_on_off(PRINT_ANY, "isolated", "isolated %s ",
 rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED])); 
+ if (prtb[IFLA_BRPORT_LOCKED]) 
+ print_on_off(PRINT_ANY, "locked", "locked %s ", 
+ rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
 } else
 print_stp_state(rta_getattr_u8(attr));
 } 
@@ -269,6 +272,7 @@ static void usage(void)
 " [ neigh_suppress {on | off} ]\n"
 " [ vlan_tunnel {on | off} ]\n"
 " [ isolated {on | off} ]\n" 
+ " [ locked {on | off} ]\n"
 " [ hwmode {vepa | veb} ]\n"
 " [ backup_port DEVICE ] [ nobackup_port ]\n"
 " [ self ] [ master ]\n" 
@@ -297,6 +301,7 @@ static int brlink_modify(int argc, char **argv)
 __s8 vlan_tunnel = -1;
 __s8 mcast_flood = -1;
 __s8 mcast_to_unicast = -1; 
+ __s8 locked = -1;
 __s8 isolated = -1;
 __s8 hairpin = -1;
 __s8 bpdu_guard = -1; 
@@ -409,6 +414,11 @@ static int brlink_modify(int argc, char **argv)
 isolated = parse_on_off("isolated", *argv, &ret);
 if (ret)
 return ret; 
+ } else if (strcmp(*argv, "locked") == 0) { 
+ NEXT_ARG(); 
+ locked = parse_on_off("locked", *argv, &ret); 
+ if (ret) 
+ return ret;
 } else if (strcmp(*argv, "backup_port") == 0) {
 NEXT_ARG();
 backup_port_idx = ll_name_to_index(*argv); 
@@ -483,6 +493,9 @@ static int brlink_modify(int argc, char **argv)
 if (isolated != -1)
 addattr8(&req.n, sizeof(req), IFLA_BRPORT_ISOLATED, isolated); 
+ if (locked >= 0) 
+ addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked); 
+
 if (backup_port_idx != -1)
 addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
 backup_port_idx); 
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c 
index 717875864..da14a95eb 100644 
--- a/ip/iplink_bridge_slave.c 
+++ b/ip/iplink_bridge_slave.c 
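Review bot: In the last bridge/link.c hunk the new guard is written `if (locked >= 0)`, while every sibling test visible in the same section of brlink_modify uses the `!= -1` sentinel form (`if (isolated != -1)`, `if (backup_port_idx != -1)`). Since `locked` is a `__s8` initialised to -1 and the parse path in the earlier hunk presumably only ever stores 0 or 1, the two spellings behave the same, but the odd one out reads as if a different sentinel were in play and makes the "not set on the command line" intent harder to spot. Suggest `if (locked != -1)` to match the surrounding flags. brlink_modify starts and ends outside these hunks.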
@@ -42,6 +42,7 @@ static void print_explain(FILE *f)
 " [ neigh_suppress {on | off} ]\n"
 " [ vlan_tunnel {on | off} ]\n"
 " [ isolated {on | off} ]\n" 
+ " [ locked {on | off} ]\n"
 " [ backup_port DEVICE ] [ nobackup_port ]\n"
 );
 } 
@@ -278,6 +279,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
 print_on_off(PRINT_ANY, "isolated", "isolated %s ",
 rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED])); 
+ if (tb[IFLA_BRPORT_LOCKED]) 
+ print_on_off(PRINT_ANY, "locked", "locked %s ", 
+ rta_getattr_u8(tb[IFLA_BRPORT_LOCKED])); 
+
 if (tb[IFLA_BRPORT_BACKUP_PORT]) {
 int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]); 
@@ -393,6 +398,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
 NEXT_ARG();
 bridge_slave_parse_on_off("isolated", *argv, n,
 IFLA_BRPORT_ISOLATED); 
+ } else if (matches(*argv, "locked") == 0) { 
+ NEXT_ARG(); 
+ bridge_slave_parse_on_off("locked", *argv, n, 
+ IFLA_BRPORT_LOCKED);
 } else if (matches(*argv, "backup_port") == 0) {
 int ifindex; 
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 
index 81ce9e6f7..cb0ffc166 100644 
--- a/man/man8/bridge.8 
+++ b/man/man8/bridge.8 
@@ -50,6 +50,7 @@ bridge \- show / manipulate bridge addresses and devices
 .BR neigh_suppress " { " on " | " off " } ] [ "
 .BR vlan_tunnel " { " on " | " off " } ] [ "
 .BR isolated " { " on " | " off " } ] [ " 
+.BR locked " { " on " | " off " } ] [ "
 .B backup_port
 .IR DEVICE " ] ["
 .BR nobackup_port " ] [ " 
@@ -514,6 +515,16 @@ able to communicate with non-isolated ports only.
 By default this flag is off.
 .TP 
+.BR "locked on " or " locked off " 
+Controls whether a port will be locked, meaning that hosts behind the 
+port will not be able to communicate through the port unless an FDB 
+entry with the units MAC address is in the FDB. 
+The common use is that hosts are allowed access through authentication 
+with the IEEE 802.1X protocol or based on whitelists or like setups. 
+By default this flag is off. 
+ 
+ 
+.TP
 .BI backup_port " DEVICE"
 If the port loses carrier all traffic will be redirected to the configured backup port 
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in 
index 5f5b835cb..822904d0d 100644 
--- a/man/man8/ip-link.8.in 
+++ b/man/man8/ip-link.8.in 
@@ -2391,6 +2391,7 @@ the following additional arguments are supported:
 ] [
 .BR isolated " { " on " | " off " }"
 ] [ 
+.BR locked " { " on " | " off " }"
 .BR backup_port " DEVICE"
 ] [
 .BR nobackup_port " ]" 
@@ -2488,6 +2489,11 @@ is enabled on the port. By default this flag is off.
 - controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off. 
+.BR locked " { " on " | " off " }" 
+- sets or unsets a port in locked mode, so that when enabled, hosts 
+behind the port cannot communicate through the port unless a FDB entry 
+representing the host is in the FDB. By default this flag is off. 
+
 .BI backup_port " DEVICE"
 - if the port loses carrier all traffic will be redirected to the configured backup port |