| Message ID | 20230130173429.3577450-1-netdev@kapio-technology.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2308905wrn;
Mon, 30 Jan 2023 09:40:42 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXsXplJuXzoPSFKhhIoUL0zu9TtSqRDaCLV6OYSAyXigNoaP6AOhJRvOvp0zUuK4rjuRbycq
X-Received: by 2002:a17:907:7e9c:b0:86e:2c11:9bca with SMTP id
qb28-20020a1709077e9c00b0086e2c119bcamr71462831ejc.30.1675100442190;
Mon, 30 Jan 2023 09:40:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675100442; cv=none;
d=google.com; s=arc-20160816;
b=eg0KnBhuo6pB8evbGB3N+N5tEGGrzk8jZjpWF46fA4k11mFNcfBN3QfS/VIoooC5D/
C+7IAiEh1ova+K0aeMi6JCfvN0mkRl04KOd7ulsNeZKiSK5GL876J3bwjX5+PcI+ZRlu
o5h1PpzGCKNdbJOnCUOUjzf3VyHsbTDZ7X5KNGQTo+CcrddcisMaTCi1xnhoP8e1moue
F8nbdDZEcpHrMwzCc8Bb7SzvCHdVfNV5ga4mlbTO2vyq5ybcqJcMRub0ZCBC/m5n6aNs
1LRNUdArCZCQjYUTs/W4cFc7UXtWjdWbGBSkJDG758E+zcrtPVnfOJwj6x46IuFlyqwQ
cihA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:organization
:mime-version:message-id:date:subject:cc:to:from;
bh=sqmNNEiCXIaM8UJhJyTt2KjrxWih+bSWok7FYl+nb2I=;
b=Dcy9PEDYWm9LVtKnMyi2z9ZKcpH6zjTBex2Jqn6RPZJTHroPlH2METhtooLugTL+jV
JfGyiDl4pDaByMn0KBuMiXD0/pzp74U7jXh60Bu5vOyFqH+vKak4aa67Fkm4FEuSEGma
NY33jAcxLqWF/QQH78NryrOt/px4SalOYffNyW44NcDavPK/3BynJXpkanJcSfCVxlEW
9FY5JotIFFzoZBaqpNQhxJXM1zubSHGA3eWMnfkQ4umtb3Q74iJIGZ+aDH52XSc25sn9
ZBCsW/CZyTpyhfhFZSmeUlnYhp/rakO+Q8Jz1KA9CHKbWuuFZ6sMd9ji1+pCKiMt04Fk
CfOA==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
fx34-20020a1709069ea200b008787aa103e3si13870262ejc.90.2023.01.30.09.40.18;
Mon, 30 Jan 2023 09:40:42 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S236847AbjA3RhN (ORCPT <rfc822;n2h9z4@gmail.com> + 99 others);
Mon, 30 Jan 2023 12:37:13 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51738 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S233265AbjA3RgZ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 30 Jan 2023 12:36:25 -0500
Received: from mailout-taastrup.gigahost.dk (mailout-taastrup.gigahost.dk
[46.183.139.199])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F2E027A80;
Mon, 30 Jan 2023 09:36:22 -0800 (PST)
Received: from mailout.gigahost.dk (mailout.gigahost.dk [89.186.169.112])
by mailout-taastrup.gigahost.dk (Postfix) with ESMTP id 5A3FF18837A9;
Mon, 30 Jan 2023 17:36:20 +0000 (UTC)
Received: from smtp.gigahost.dk (smtp.gigahost.dk [89.186.169.109])
by mailout.gigahost.dk (Postfix) with ESMTP id 44A1E250007B;
Mon, 30 Jan 2023 17:36:20 +0000 (UTC)
Received: by smtp.gigahost.dk (Postfix, from userid 1000)
id 36D119B403E5; Mon, 30 Jan 2023 17:36:20 +0000 (UTC)
X-Screener-Id: 413d8c6ce5bf6eab4824d0abaab02863e8e3f662
Received: from fujitsu.vestervang (2-104-116-184-cable.dk.customer.tdc.net
[2.104.116.184])
by smtp.gigahost.dk (Postfix) with ESMTPSA id 8A86091201E3;
Mon, 30 Jan 2023 17:36:19 +0000 (UTC)
From: "Hans J. Schultz" <netdev@kapio-technology.com>
To: davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org, "Hans J. Schultz" <netdev@kapio-technology.com>,
Florian Fainelli <f.fainelli@gmail.com>, Andrew Lunn <andrew@lunn.ch>,
Vladimir Oltean <olteanv@gmail.com>, Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Kurt Kanzenbach <kurt@linutronix.de>,
Hauke Mehrtens <hauke@hauke-m.de>, Woojung Huh <woojung.huh@microchip.com>,
UNGLinuxDriver@microchip.com (maintainer:MICROCHIP KSZ SERIES ETHERNET SWITCH
DRIVER), Sean Wang <sean.wang@mediatek.com>,
Landen Chao <Landen.Chao@mediatek.com>, DENG Qingfang <dqfext@gmail.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Claudiu Manoil <claudiu.manoil@nxp.com>,
Alexandre Belloni <alexandre.belloni@bootlin.com>, =?utf-8?b?Q2zDqW1lbnQg?=
=?utf-8?b?TMOpZ2Vy?= <clement.leger@bootlin.com>,
Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
Roopa Prabhu <roopa@nvidia.com>, Nikolay Aleksandrov <razor@blackwall.org>,
Russell King <linux@armlinux.org.uk>,
Christian Marangi <ansuelsmth@gmail.com>,
linux-kernel@vger.kernel.org (open list),
linux-arm-kernel@lists.infradead.org (moderated list:ARM/Mediatek SoC
support),
linux-mediatek@lists.infradead.org (moderated list:ARM/Mediatek SoC support),
linux-renesas-soc@vger.kernel.org (open list:RENESAS RZ/N1 A5PSW SWITCH
DRIVER), bridge@lists.linux-foundation.org (moderated list:ETHERNET BRIDGE)
Subject: [PATCH net-next 0/5] ATU and FDB synchronization on locked ports
Date: Mon, 30 Jan 2023 18:34:24 +0100
Message-Id: <20230130173429.3577450-1-netdev@kapio-technology.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Organization: Westermo Network Technologies AB
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW,
SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756470121550501551?=
X-GMAIL-MSGID: =?utf-8?q?1756470121550501551?=
|
| Series |
ATU and FDB synchronization on locked ports
|
|
Message
Hans Schultz
Jan. 30, 2023, 5:34 p.m. UTC
This patch set makes it possible to have synchronized dynamic ATU and FDB entries on locked ports. As locked ports are not able to automatically learn, they depend on userspace added entries, where userspace can add static or dynamic entries. The lifetime of static entries are completely dependent on userspace intervention, and thus not of interest here. We are only concerned with dynamic entries, which can be added with a command like: bridge fdb replace ADDR dev <DEV> master dynamic We choose only to support this feature on locked ports, as it involves utilizing the CPU to handle ATU related switchcore events (typically interrupts) and thus can result in significant performance loss if exposed to heavy traffic. On locked ports it is important for userspace to know when an authorized station has become silent, hence not breaking the communication of a station that has been authorized based on the MAC-Authentication Bypass (MAB) scheme. Thus if the station keeps being active after authorization, it will continue to have an open port as long as it is active. Only after a silent period will it have to be reauthorized. As the ageing process in the ATU is dependent on incoming traffic to the switchcore port, it is necessary for the ATU to signal that an entry has aged out, so that the FDB can be updated at the correct time. This patch set includes a solution for the Marvell mv88e6xxx driver, where for this driver we use the Hold-At-One feature so that an age-out violation interrupt occurs when a station has been silent for the system-set age time. The age out violation interrupt allows the switchcore driver to remove both the ATU and the FDB entry at the same time. It is up to the maintainers of other switchcore drivers to implement the feature for their specific driver. Hans J. Schultz (5): net: bridge: add dynamic flag to switchdev notifier net: dsa: propagate flags down towards drivers drivers: net: dsa: add fdb entry flags incoming to switchcore drivers net: bridge: ensure FDB offloaded flag is handled as needed net: dsa: mv88e6xxx: implementation of dynamic ATU entries drivers/net/dsa/b53/b53_common.c | 12 ++++- drivers/net/dsa/b53/b53_priv.h | 4 +- drivers/net/dsa/hirschmann/hellcreek.c | 12 ++++- drivers/net/dsa/lan9303-core.c | 12 ++++- drivers/net/dsa/lantiq_gswip.c | 12 ++++- drivers/net/dsa/microchip/ksz9477.c | 8 ++-- drivers/net/dsa/microchip/ksz9477.h | 8 ++-- drivers/net/dsa/microchip/ksz_common.c | 14 ++++-- drivers/net/dsa/mt7530.c | 12 ++++- drivers/net/dsa/mv88e6xxx/chip.c | 24 ++++++++-- drivers/net/dsa/mv88e6xxx/global1_atu.c | 21 +++++++++ drivers/net/dsa/mv88e6xxx/port.c | 6 ++- drivers/net/dsa/mv88e6xxx/switchdev.c | 61 +++++++++++++++++++++++++ drivers/net/dsa/mv88e6xxx/switchdev.h | 5 ++ drivers/net/dsa/mv88e6xxx/trace.h | 5 ++ drivers/net/dsa/ocelot/felix.c | 12 ++++- drivers/net/dsa/qca/qca8k-common.c | 12 ++++- drivers/net/dsa/qca/qca8k.h | 4 +- drivers/net/dsa/rzn1_a5psw.c | 12 ++++- drivers/net/dsa/sja1105/sja1105_main.c | 19 ++++++-- include/net/dsa.h | 6 ++- include/net/switchdev.h | 1 + net/bridge/br_fdb.c | 5 +- net/bridge/br_switchdev.c | 2 + net/dsa/port.c | 28 +++++++----- net/dsa/port.h | 8 ++-- net/dsa/slave.c | 17 +++++-- net/dsa/switch.c | 30 ++++++++---- net/dsa/switch.h | 1 + 29 files changed, 299 insertions(+), 74 deletions(-)
Comments
On Mon, Jan 30, 2023 at 06:34:24PM +0100, Hans J. Schultz wrote: > This patch set makes it possible to have synchronized dynamic ATU and FDB > entries on locked ports. As locked ports are not able to automatically > learn, they depend on userspace added entries, where userspace can add > static or dynamic entries. The lifetime of static entries are completely > dependent on userspace intervention, and thus not of interest here. We > are only concerned with dynamic entries, which can be added with a > command like: > > bridge fdb replace ADDR dev <DEV> master dynamic > > We choose only to support this feature on locked ports, as it involves > utilizing the CPU to handle ATU related switchcore events (typically > interrupts) and thus can result in significant performance loss if > exposed to heavy traffic. Not sure I understand this reasoning. I was under the impression that hostapd is installing dynamic entries instead of static ones since the latter are not flushed when carrier is lost. Therefore, with static entries it is possible to unplug a host (potentially plugging a different one) and not lose authentication. > > On locked ports it is important for userspace to know when an authorized > station has become silent, hence not breaking the communication of a > station that has been authorized based on the MAC-Authentication Bypass > (MAB) scheme. Thus if the station keeps being active after authorization, > it will continue to have an open port as long as it is active. Only after > a silent period will it have to be reauthorized. As the ageing process in > the ATU is dependent on incoming traffic to the switchcore port, it is > necessary for the ATU to signal that an entry has aged out, so that the > FDB can be updated at the correct time. Why mention MAB at all? Don't you want user space to always use dynamic entries to authenticate hosts regardless of 802.1X/MAB? > > This patch set includes a solution for the Marvell mv88e6xxx driver, where > for this driver we use the Hold-At-One feature so that an age-out > violation interrupt occurs when a station has been silent for the > system-set age time. The age out violation interrupt allows the switchcore > driver to remove both the ATU and the FDB entry at the same time. > > It is up to the maintainers of other switchcore drivers to implement the > feature for their specific driver. > > Hans J. Schultz (5): > net: bridge: add dynamic flag to switchdev notifier > net: dsa: propagate flags down towards drivers > drivers: net: dsa: add fdb entry flags incoming to switchcore drivers > net: bridge: ensure FDB offloaded flag is handled as needed > net: dsa: mv88e6xxx: implementation of dynamic ATU entries Will try to review tomorrow, but it looks like this set is missing selftests. What about extending bridge_locked_port.sh?
On 2023-01-31 20:25, Ido Schimmel wrote: > > Will try to review tomorrow, but it looks like this set is missing > selftests. What about extending bridge_locked_port.sh? I knew you would take this up. :-) But I am not sure that it's so easy to have selftests here as it is timing based and it would take the 5+ minutes just waiting to test in the stadard case, and there is opnly support for mv88e6xxx driver with this patch set.
On Thu, Feb 02, 2023 at 08:37:08AM +0100, netdev@kapio-technology.com wrote: > On 2023-01-31 20:25, Ido Schimmel wrote: > > > > Will try to review tomorrow, but it looks like this set is missing > > selftests. What about extending bridge_locked_port.sh? > > I knew you would take this up. :-) > But I am not sure that it's so easy to have selftests here as it is timing > based and it would take the 5+ minutes just waiting to test in the stadard > case, and there is opnly support for mv88e6xxx driver with this patch set. The ageing time is configurable: See commit 081197591769 ("selftests: net: bridge: Parameterize ageing timeout"). Please add test cases in the next version.
On 2023-02-02 16:43, Ido Schimmel wrote: > On Thu, Feb 02, 2023 at 08:37:08AM +0100, netdev@kapio-technology.com > wrote: >> On 2023-01-31 20:25, Ido Schimmel wrote: >> > >> > Will try to review tomorrow, but it looks like this set is missing >> > selftests. What about extending bridge_locked_port.sh? >> >> I knew you would take this up. :-) >> But I am not sure that it's so easy to have selftests here as it is >> timing >> based and it would take the 5+ minutes just waiting to test in the >> stadard >> case, and there is opnly support for mv88e6xxx driver with this patch >> set. > > The ageing time is configurable: See commit 081197591769 ("selftests: > net: bridge: Parameterize ageing timeout"). Please add test cases in > the > next version. When I was looking at configuring the ageing time last time, my finding was that the ageing time could not be set very low as there was some part in the DSA layer etc, and confusion wrt units. I think the minimum secured was like around 2 min. (not validated), which is not that much of an improvement for fast testing. If you know what would be a good low timeout to set, I would like to know.
On Thu, Feb 02, 2023 at 05:19:07PM +0100, netdev@kapio-technology.com wrote: > On 2023-02-02 16:43, Ido Schimmel wrote: > > On Thu, Feb 02, 2023 at 08:37:08AM +0100, netdev@kapio-technology.com > > wrote: > > > On 2023-01-31 20:25, Ido Schimmel wrote: > > > > > > > > Will try to review tomorrow, but it looks like this set is missing > > > > selftests. What about extending bridge_locked_port.sh? > > > > > > I knew you would take this up. :-) > > > But I am not sure that it's so easy to have selftests here as it is > > > timing > > > based and it would take the 5+ minutes just waiting to test in the > > > stadard > > > case, and there is opnly support for mv88e6xxx driver with this > > > patch set. > > > > The ageing time is configurable: See commit 081197591769 ("selftests: > > net: bridge: Parameterize ageing timeout"). Please add test cases in the > > next version. > > When I was looking at configuring the ageing time last time, my finding was > that the ageing time could not be set very low as there was some part in the > DSA layer etc, and confusion wrt units. I think the minimum secured was like > around 2 min. (not validated), which is not that much of an improvement for > fast testing. If you know what would be a good low timeout to set, I would > like to know. My point is that the ageing time is parametrized via 'LOW_AGEING_TIME' in forwarding.config so just use '$LOW_AGEING_TIME' in the selftest and set it as high as it needs to be for mv88e6xxx in your own forwarding.config.
On 2023-01-31 20:25, Ido Schimmel wrote: >> command like: >> >> bridge fdb replace ADDR dev <DEV> master dynamic >> >> We choose only to support this feature on locked ports, as it involves >> utilizing the CPU to handle ATU related switchcore events (typically >> interrupts) and thus can result in significant performance loss if >> exposed to heavy traffic. > > Not sure I understand this reasoning. I was under the impression that > hostapd is installing dynamic entries instead of static ones since the > latter are not flushed when carrier is lost. Therefore, with static > entries it is possible to unplug a host (potentially plugging a > different one) and not lose authentication. > Both auth schemes 802.1X and MAB install dynamic entries as you point out, and both use locked ports. In the case of non locked ports, they just learn normally and age and refresh their entries, so the use case of a userspace added dynamic FDB entry is hard for me to see. And having userspace being notified of an ordinary event that a FDB entry has been aged out could maybe be used, but for the reasons mentioned it is not supported here. >> >> On locked ports it is important for userspace to know when an >> authorized >> station has become silent, hence not breaking the communication of a >> station that has been authorized based on the MAC-Authentication >> Bypass >> (MAB) scheme. Thus if the station keeps being active after >> authorization, >> it will continue to have an open port as long as it is active. Only >> after >> a silent period will it have to be reauthorized. As the ageing process >> in >> the ATU is dependent on incoming traffic to the switchcore port, it is >> necessary for the ATU to signal that an entry has aged out, so that >> the >> FDB can be updated at the correct time. > > Why mention MAB at all? Don't you want user space to always use dynamic > entries to authenticate hosts regardless of 802.1X/MAB? Yes, you are right about that. I guess it came about as this was developed much in the same time and with the code of MAB.
On Thu, Feb 02, 2023 at 06:36:14PM +0200, Ido Schimmel wrote: > On Thu, Feb 02, 2023 at 05:19:07PM +0100, netdev@kapio-technology.com wrote: > > On 2023-02-02 16:43, Ido Schimmel wrote: > > > On Thu, Feb 02, 2023 at 08:37:08AM +0100, netdev@kapio-technology.com wrote: > > > > On 2023-01-31 20:25, Ido Schimmel wrote: > > > > > > > > > > Will try to review tomorrow, but it looks like this set is missing > > > > > selftests. What about extending bridge_locked_port.sh? > > > > > > > > I knew you would take this up. :-) > > > > But I am not sure that it's so easy to have selftests here as it is timing > > > > based and it would take the 5+ minutes just waiting to test in the stadard > > > > case, and there is opnly support for mv88e6xxx driver with this > > > > patch set. > > > > > > The ageing time is configurable: See commit 081197591769 ("selftests: > > > net: bridge: Parameterize ageing timeout"). Please add test cases in the > > > next version. > > > > When I was looking at configuring the ageing time last time, my finding was > > that the ageing time could not be set very low as there was some part in the > > DSA layer etc, and confusion wrt units. I think the minimum secured was like > > around 2 min. (not validated), which is not that much of an improvement for > > fast testing. If you know what would be a good low timeout to set, I would > > like to know. > > My point is that the ageing time is parametrized via 'LOW_AGEING_TIME' > in forwarding.config so just use '$LOW_AGEING_TIME' in the selftest and > set it as high as it needs to be for mv88e6xxx in your own > forwarding.config. FWIW, we have a forwarding.config file in tools/testing/selftests/drivers/net/dsa/. So you could cd to that folder, edit the file with your variable, and run the symlinked script from there. > as there was some part in the DSA layer etc if (ds->ageing_time_min && ageing_time < ds->ageing_time_min) return -ERANGE; High tech, advanced software..... You could print the ds->ageing_time_min variable. For mv88e6xxx, my 6390 and 6190 report 3750. I have to admit the ageing time units are confusing, but Tobias Waldekranz kindly explained in one of those commit messages that Ido linked to that these represent "centiseconds" (or 37.5 seconds). And I think we discussed the units with you before. And in general, it's not hard to find the answer if you search for it, I know I could find it. Please stop trying to find silly excuses to always go through the path of minimal resistance.