Skip to content

Commit

Permalink
selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases
Browse files Browse the repository at this point in the history 
Add four test cases to verify MAB functionality:

* Verify that a locked FDB entry can be generated by the bridge,
  preventing a host from communicating via the bridge. Test that user
  space can clear the "locked" flag by replacing the entry, thereby
  authenticating the host and allowing it to communicate via the bridge.

* Test that an entry cannot roam to a locked port, but that it can roam
  to an unlocked port.

* Test that MAB can only be enabled on a port that is both locked and
  has learning enabled.

* Test that locked FDB entries are flushed from a port when MAB is
  disabled.

Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  • Loading branch information
Hans J. Schultz authored and Jakub Kicinski committed Nov 4, 2022
1 parent a35ec8e commit 4a331d3
Show file tree
Hide file tree
Showing 2 changed files with 162 additions and 1 deletion.
155 changes: 154 additions & 1 deletion tools/testing/selftests/net/forwarding/bridge_locked_port.sh
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,16 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

ALL_TESTS="locked_port_ipv4 locked_port_ipv6 locked_port_vlan"
ALL_TESTS="
locked_port_ipv4
locked_port_ipv6
locked_port_vlan
locked_port_mab
locked_port_mab_roam
locked_port_mab_config
locked_port_mab_flush
"

NUM_NETIFS=4
CHECK_TC="no"
source lib.sh
Expand Down Expand Up @@ -166,6 +175,150 @@ locked_port_ipv6()
log_test "Locked port ipv6"
}

locked_port_mab()
{
RET=0
check_port_mab_support || return 0

ping_do $h1 192.0.2.2
check_err $? "Ping did not work before locking port"

bridge link set dev $swp1 learning on locked on

ping_do $h1 192.0.2.2
check_fail $? "Ping worked on a locked port without an FDB entry"

bridge fdb get `mac_get $h1` br br0 vlan 1 &> /dev/null
check_fail $? "FDB entry created before enabling MAB"

bridge link set dev $swp1 learning on locked on mab on

ping_do $h1 192.0.2.2
check_fail $? "Ping worked on MAB enabled port without an FDB entry"

bridge fdb get `mac_get $h1` br br0 vlan 1 | grep "dev $swp1" | grep -q "locked"
check_err $? "Locked FDB entry not created"

bridge fdb replace `mac_get $h1` dev $swp1 master static

ping_do $h1 192.0.2.2
check_err $? "Ping did not work after replacing FDB entry"

bridge fdb get `mac_get $h1` br br0 vlan 1 | grep "dev $swp1" | grep -q "locked"
check_fail $? "FDB entry marked as locked after replacement"

bridge fdb del `mac_get $h1` dev $swp1 master
bridge link set dev $swp1 learning off locked off mab off

log_test "Locked port MAB"
}

# Check that entries cannot roam to a locked port, but that entries can roam
# to an unlocked port.
locked_port_mab_roam()
{
local mac=a0:b0:c0:c0:b0:a0

RET=0
check_port_mab_support || return 0

bridge link set dev $swp1 learning on locked on mab on

$MZ $h1 -q -c 5 -d 100msec -t udp -a $mac -b rand
bridge fdb get $mac br br0 vlan 1 | grep "dev $swp1" | grep -q "locked"
check_err $? "No locked entry on first injection"

$MZ $h2 -q -c 5 -d 100msec -t udp -a $mac -b rand
bridge fdb get $mac br br0 vlan 1 | grep -q "dev $swp2"
check_err $? "Entry did not roam to an unlocked port"

bridge fdb get $mac br br0 vlan 1 | grep -q "locked"
check_fail $? "Entry roamed with locked flag on"

$MZ $h1 -q -c 5 -d 100msec -t udp -a $mac -b rand
bridge fdb get $mac br br0 vlan 1 | grep -q "dev $swp1"
check_fail $? "Entry roamed back to locked port"

bridge fdb del $mac vlan 1 dev $swp2 master
bridge link set dev $swp1 learning off locked off mab off

log_test "Locked port MAB roam"
}

# Check that MAB can only be enabled on a port that is both locked and has
# learning enabled.
locked_port_mab_config()
{
RET=0
check_port_mab_support || return 0

bridge link set dev $swp1 learning on locked off mab on &> /dev/null
check_fail $? "MAB enabled while port is unlocked"

bridge link set dev $swp1 learning off locked on mab on &> /dev/null
check_fail $? "MAB enabled while port has learning disabled"

bridge link set dev $swp1 learning on locked on mab on
check_err $? "Failed to enable MAB when port is locked and has learning enabled"

bridge link set dev $swp1 learning off locked off mab off

log_test "Locked port MAB configuration"
}

# Check that locked FDB entries are flushed from a port when MAB is disabled.
locked_port_mab_flush()
{
local locked_mac1=00:01:02:03:04:05
local unlocked_mac1=00:01:02:03:04:06
local locked_mac2=00:01:02:03:04:07
local unlocked_mac2=00:01:02:03:04:08

RET=0
check_port_mab_support || return 0

bridge link set dev $swp1 learning on locked on mab on
bridge link set dev $swp2 learning on locked on mab on

# Create regular and locked FDB entries on each port.
bridge fdb add $unlocked_mac1 dev $swp1 vlan 1 master static
bridge fdb add $unlocked_mac2 dev $swp2 vlan 1 master static

$MZ $h1 -q -c 5 -d 100msec -t udp -a $locked_mac1 -b rand
bridge fdb get $locked_mac1 br br0 vlan 1 | grep "dev $swp1" | \
grep -q "locked"
check_err $? "Failed to create locked FDB entry on first port"

$MZ $h2 -q -c 5 -d 100msec -t udp -a $locked_mac2 -b rand
bridge fdb get $locked_mac2 br br0 vlan 1 | grep "dev $swp2" | \
grep -q "locked"
check_err $? "Failed to create locked FDB entry on second port"

# Disable MAB on the first port and check that only the first locked
# FDB entry was flushed.
bridge link set dev $swp1 mab off

bridge fdb get $unlocked_mac1 br br0 vlan 1 &> /dev/null
check_err $? "Regular FDB entry on first port was flushed after disabling MAB"

bridge fdb get $unlocked_mac2 br br0 vlan 1 &> /dev/null
check_err $? "Regular FDB entry on second port was flushed after disabling MAB"

bridge fdb get $locked_mac1 br br0 vlan 1 &> /dev/null
check_fail $? "Locked FDB entry on first port was not flushed after disabling MAB"

bridge fdb get $locked_mac2 br br0 vlan 1 &> /dev/null
check_err $? "Locked FDB entry on second port was flushed after disabling MAB"

bridge fdb del $unlocked_mac2 dev $swp2 vlan 1 master static
bridge fdb del $unlocked_mac1 dev $swp1 vlan 1 master static

bridge link set dev $swp2 learning on locked off mab off
bridge link set dev $swp1 learning off locked off mab off

log_test "Locked port MAB FDB flush"
}

trap cleanup EXIT

setup_prepare
Expand Down
8 changes: 8 additions & 0 deletions tools/testing/selftests/net/forwarding/lib.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,14 @@ check_locked_port_support()
fi
}

check_port_mab_support()
{
if ! bridge -d link show | grep -q "mab"; then
echo "SKIP: iproute2 too old; MacAuth feature not supported."
return $ksft_skip
fi
}

if [[ "$(id -u)" -ne 0 ]]; then
echo "SKIP: need root privileges"
exit $ksft_skip
Expand Down

0 comments on commit 4a331d3

Please sign in to comment.