network: bridge: add support for IFLA_BRPORT_MAB

author Jonas Gorski <jonas.gorski@bisdn.de>

Fri, 24 Jan 2025 12:15:06 +0000 (13:15 +0100)

committer Jonas Gorski <jonas.gorski@bisdn.de>

Tue, 28 Jan 2025 11:22:26 +0000 (12:22 +0100)
author Jonas Gorski <jonas.gorski@bisdn.de>
Fri, 24 Jan 2025 12:15:06 +0000 (13:15 +0100)
committer Jonas Gorski <jonas.gorski@bisdn.de>
Tue, 28 Jan 2025 11:22:26 +0000 (12:22 +0100)
diff --git a/man/systemd.network.xml b/man/systemd.network.xml

index edb15cf4aa506849e0e7485cf131ffa47a7974c9..f2777e640fa2c13f0c6d28fe1dd13d30d1795008 100644 (file)
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -4630,6 +4630,15 @@ ServerAddress=192.168.0.1/24</programlisting>
            <para>Takes a boolean. Configures whether the port is "locked" and does not allow traffic forwarded
            until fully authenticated, e.g. via 802.1x. When unset, the kernel's default will be used.</para>
  
+          <xi:include href="version-info.xml" xpointer="v258"/>
+        </listitem>
+        <term><varname>MACAuthenticationBypass=</varname></term>
+        <listitem>
+          <para>Takes a boolean. Configures whether a locked port has "MAC Authentication Bypass" enabled and
+          creates newly learned fdb entries in a "locked" state. User space can authenticate these entries by
+          clearing the locked flag. Requires Learning to be enabled. When unset, the kernel's default will be
+          used.</para>
+
            <xi:include href="version-info.xml" xpointer="v258"/>
          </listitem>
        </varlistentry>
diff --git a/src/libsystemd/sd-netlink/netlink-types-rtnl.c b/src/libsystemd/sd-netlink/netlink-types-rtnl.c

index c0e820486dbe1429bd2e0525c97a448dc94c5e62..187d9b6756aa3cc1ce1fa248f7e5f9f8c58447f1 100644 (file)
--- a/src/libsystemd/sd-netlink/netlink-types-rtnl.c
+++ b/src/libsystemd/sd-netlink/netlink-types-rtnl.c
@@ -486,6 +486,7 @@ static const struct NLAPolicy rtnl_bridge_port_policies[] = {
          [IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT] = BUILD_POLICY(U32),
          [IFLA_BRPORT_MCAST_EHT_HOSTS_CNT]   = BUILD_POLICY(U32),
          [IFLA_BRPORT_LOCKED]                = BUILD_POLICY(U8),
+        [IFLA_BRPORT_MAB]                   = BUILD_POLICY(U8),
  };
  
  static const NLAPolicySetUnionElement rtnl_link_info_slave_data_policy_set_union_elements[] = {
diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf

index 30f71480298d68fb0d9c5776c269ebd6bde05eb3..bdbb3ad2c8a90b29ac0581ac3033c5b8baf5ab1d 100644 (file)
--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@@ -384,6 +384,7 @@ Bridge.ProxyARPWiFi,                         config_parse_tristate,
  Bridge.Priority,                             config_parse_bridge_port_priority,                        0,                             offsetof(Network, priority)
  Bridge.MulticastRouter,                      config_parse_multicast_router,                            0,                             offsetof(Network, multicast_router)
  Bridge.Locked,                               config_parse_tristate,                                    0,                             offsetof(Network, bridge_locked)
+Bridge.MACAuthenticationBypass,              config_parse_tristate,                                    0,                             offsetof(Network, bridge_mac_authentication_bypass)
  BridgeFDB.MACAddress,                        config_parse_fdb_hwaddr,                                  0,                             0
  BridgeFDB.VLANId,                            config_parse_fdb_vlan_id,                                 0,                             0
  BridgeFDB.Destination,                       config_parse_fdb_destination,                             0,                             0
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c

index 82f39e2f800b8d8fbb6be325a6b70a868c66bb38..080e184ae144215f4061740772fb113cc46ee18c 100644 (file)
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -457,6 +457,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
                  .priority = LINK_BRIDGE_PORT_PRIORITY_INVALID,
                  .multicast_router = _MULTICAST_ROUTER_INVALID,
                  .bridge_locked = -1,
+                .bridge_mac_authentication_bypass = -1,
  
                  .bridge_vlan_pvid = BRIDGE_VLAN_KEEP_PVID,
  
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h

index 95407279e33c1083032a9f5ed2dd55b6a17000b1..cec5f98d5bb07f3cb94dcba2d21ea1ba19c6bab7 100644 (file)
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -298,6 +298,7 @@ struct Network {
          uint16_t priority;
          MulticastRouter multicast_router;
          int bridge_locked;
+        int bridge_mac_authentication_bypass;
  
          /* Bridge VLAN */
          uint16_t bridge_vlan_pvid;
diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c

index b973ffea98e19edc9c17d3e44ac8df4d80184f2b..2f4a6c6e035c8c6d63eb6b74f2464cc597cd8cb7 100644 (file)
--- a/src/network/networkd-setlink.c
+++ b/src/network/networkd-setlink.c
@@ -326,6 +326,12 @@ static int link_configure_fill_message(
                                  return r;
                  }
  
+                if (link->network->bridge_mac_authentication_bypass >= 0) {
+                        r = sd_netlink_message_append_u8(req, IFLA_BRPORT_MAB, link->network->bridge_mac_authentication_bypass);
+                        if (r < 0)
+                                return r;
+                }
+
                  r = sd_netlink_message_close_container(req);
                  if (r < 0)
                          return r;
diff --git a/test/test-network/conf/26-bridge-slave-interface-2.network b/test/test-network/conf/26-bridge-slave-interface-2.network

index 6eb955dc4bc4cb75a0fd1618e9d66c821cd8d3c8..c76f17201f353538c9d4c5126d90b4372686f940 100644 (file)
--- a/test/test-network/conf/26-bridge-slave-interface-2.network
+++ b/test/test-network/conf/26-bridge-slave-interface-2.network
@@ -11,3 +11,4 @@ Bridge=bridge99
  [Bridge]
  Priority=0
  Locked=true
+MACAuthenticationBypass=true
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py

index 2d1309da28917d063e81985f6c919bfd0037cd0a..d073e007af534c9ffe0422b72c6398bfa6a7a80d 100755 (executable)
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -5791,6 +5791,8 @@ class NetworkdBridgeTests(unittest.TestCase, Utilities):
          print(output)
          self.check_bridge_port_attr('bridge99', 'test1', 'priority',               '0')
          self.assertIn('locked on', output)
+        if ' mab ' in output: # This is new in kernel and iproute2 v6.2
+            self.assertIn('mab on', output)
  
      def test_bridge_property(self):
          copy_network_unit('11-dummy.netdev', '12-dummy.netdev', '26-bridge.netdev',
author	Jonas Gorski <jonas.gorski@bisdn.de>
	Fri, 24 Jan 2025 12:15:06 +0000 (13:15 +0100)
committer	Jonas Gorski <jonas.gorski@bisdn.de>
	Tue, 28 Jan 2025 11:22:26 +0000 (12:22 +0100)
man/systemd.network.xml		patch \| blob \| blame \| history
src/libsystemd/sd-netlink/netlink-types-rtnl.c		patch \| blob \| blame \| history
src/network/networkd-network-gperf.gperf		patch \| blob \| blame \| history
src/network/networkd-network.c		patch \| blob \| blame \| history
src/network/networkd-network.h		patch \| blob \| blame \| history
src/network/networkd-setlink.c		patch \| blob \| blame \| history
test/test-network/conf/26-bridge-slave-interface-2.network		patch \| blob \| blame \| history
test/test-network/systemd-networkd-tests.py		patch \| blob \| blame \| history