Since linux commit
a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18, it is possible to set bridge ports to locked.
Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.
Add support to systemd-networkd for setting the new attribute on bridge
ports.
<xi:include href="version-info.xml" xpointer="v234"/>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Locked=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Configures whether the port is "locked" and does not allow traffic forwarded
+ until fully authenticated, e.g. via 802.1x. When unset, the kernel's default will be used.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
[IFLA_BRPORT_MRP_IN_OPEN] = BUILD_POLICY(U8),
[IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT] = BUILD_POLICY(U32),
[IFLA_BRPORT_MCAST_EHT_HOSTS_CNT] = BUILD_POLICY(U32),
+ [IFLA_BRPORT_LOCKED] = BUILD_POLICY(U8),
};
static const NLAPolicySetUnionElement rtnl_link_info_slave_data_policy_set_union_elements[] = {
Bridge.ProxyARPWiFi, config_parse_tristate, 0, offsetof(Network, bridge_proxy_arp_wifi)
Bridge.Priority, config_parse_bridge_port_priority, 0, offsetof(Network, priority)
Bridge.MulticastRouter, config_parse_multicast_router, 0, offsetof(Network, multicast_router)
+Bridge.Locked, config_parse_tristate, 0, offsetof(Network, bridge_locked)
BridgeFDB.MACAddress, config_parse_fdb_hwaddr, 0, 0
BridgeFDB.VLANId, config_parse_fdb_vlan_id, 0, 0
BridgeFDB.Destination, config_parse_fdb_destination, 0, 0
.bridge_proxy_arp_wifi = -1,
.priority = LINK_BRIDGE_PORT_PRIORITY_INVALID,
.multicast_router = _MULTICAST_ROUTER_INVALID,
+ .bridge_locked = -1,
.bridge_vlan_pvid = BRIDGE_VLAN_KEEP_PVID,
uint32_t cost;
uint16_t priority;
MulticastRouter multicast_router;
+ int bridge_locked;
/* Bridge VLAN */
uint16_t bridge_vlan_pvid;
return r;
}
+ if (link->network->bridge_locked >= 0) {
+ r = sd_netlink_message_append_u8(req, IFLA_BRPORT_LOCKED, link->network->bridge_locked);
+ if (r < 0)
+ return r;
+ }
+
r = sd_netlink_message_close_container(req);
if (r < 0)
return r;
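Review bot: The new IFLA_BRPORT_LOCKED append is issued whenever Locked= is set, with nothing recording that the attribute only exists on kernels from v5.18 onward; if an older kernel ignores an unrecognised bridge-port attribute rather than rejecting it (not verifiable from this hunk), the port would come up unlocked while the configuration reads as locked, and the `r < 0` check would not catch that. A comment above the branch would make the assumption visible, e.g. `/* IFLA_BRPORT_LOCKED requires kernel >= 5.18; an older kernel may ignore it, leaving the port unlocked. */`, and the Locked= man-page entry could carry the same version requirement so operators relying on the lock for 802.1x gating know to check the kernel. Whether networkd should additionally log when the attribute is sent to a kernel that cannot honour it depends on how the kernel responds, which is not visible here. The enclosing function starts and ends outside this hunk.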
[Bridge]
Priority=0
+Locked=true
output = check_output('bridge -d link show test1')
print(output)
self.check_bridge_port_attr('bridge99', 'test1', 'priority', '0')
+ self.assertIn('locked on', output)
def test_bridge_property(self):
copy_network_unit('11-dummy.netdev', '12-dummy.netdev', '26-bridge.netdev',