shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-29 06:50:16 +03:00
Code

network: bridge: add support for IFLA_BRPORT_LOCKED

Browse Source 
Since linux commit a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18,  it is possible to set bridge ports to locked.

Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.

Add support to systemd-network for setting the new attribute for bridge
ports.
This commit is contained in:
Jonas Gorski 2024-12-02 11:54:09 +01:00
parent d7de242ce7
commit a434de6056
8 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
man/systemd.network.xml
View File

@ -4624,6 +4624,15 @@ ServerAddress=192.168.0.1/24</programlisting>
<xi:include href="version-info.xml" xpointer="v234"/>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Locked=</varname></term>
<listitem>
<para>Takes a boolean. Configures whether the port is "locked" and does not allow traffic forwarded
until fully authenticated, e.g. via 802.1x. When unset, the kernel's default will be used.</para>
<xi:include href="version-info.xml" xpointer="v258"/>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

1
src/libsystemd/sd-netlink/netlink-types-rtnl.c
View File

@ -485,6 +485,7 @@ static const struct NLAPolicy rtnl_bridge_port_policies[] = {
[IFLA_BRPORT_MRP_IN_OPEN] = BUILD_POLICY(U8),
[IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT] = BUILD_POLICY(U32),
[IFLA_BRPORT_MCAST_EHT_HOSTS_CNT] = BUILD_POLICY(U32),
[IFLA_BRPORT_LOCKED] = BUILD_POLICY(U8),
};
static const NLAPolicySetUnionElement rtnl_link_info_slave_data_policy_set_union_elements[] = {

1
src/network/networkd-network-gperf.gperf
View File

@ -383,6 +383,7 @@ Bridge.ProxyARP, config_parse_tristate,
Bridge.ProxyARPWiFi, config_parse_tristate, 0, offsetof(Network, bridge_proxy_arp_wifi)
Bridge.Priority, config_parse_bridge_port_priority, 0, offsetof(Network, priority)
Bridge.MulticastRouter, config_parse_multicast_router, 0, offsetof(Network, multicast_router)
Bridge.Locked, config_parse_tristate, 0, offsetof(Network, bridge_locked)
BridgeFDB.MACAddress, config_parse_fdb_hwaddr, 0, 0
BridgeFDB.VLANId, config_parse_fdb_vlan_id, 0, 0
BridgeFDB.Destination, config_parse_fdb_destination, 0, 0

1
src/network/networkd-network.c
View File

@ -456,6 +456,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
.bridge_proxy_arp_wifi = -1,
.priority = LINK_BRIDGE_PORT_PRIORITY_INVALID,
.multicast_router = _MULTICAST_ROUTER_INVALID,
.bridge_locked = -1,
.bridge_vlan_pvid = BRIDGE_VLAN_KEEP_PVID,

1
src/network/networkd-network.h
View File

@ -297,6 +297,7 @@ struct Network {
uint32_t cost;
uint16_t priority;
MulticastRouter multicast_router;
int bridge_locked;
/* Bridge VLAN */
uint16_t bridge_vlan_pvid;

6
src/network/networkd-setlink.c
View File

@ -320,6 +320,12 @@ static int link_configure_fill_message(
return r;
}
if (link->network->bridge_locked >= 0) {
r = sd_netlink_message_append_u8(req, IFLA_BRPORT_LOCKED, link->network->bridge_locked);
if (r < 0)
return r;
}
r = sd_netlink_message_close_container(req);
if (r < 0)
return r;

1
test/test-network/conf/26-bridge-slave-interface-2.network
View File

@ -10,3 +10,4 @@ Bridge=bridge99
[Bridge]
Priority=0
Locked=true

1
test/test-network/systemd-networkd-tests.py
View File

@ -5790,6 +5790,7 @@ class NetworkdBridgeTests(unittest.TestCase, Utilities):
output = check_output('bridge -d link show test1')
print(output)
self.check_bridge_port_attr('bridge99', 'test1', 'priority', '0')
self.assertIn('locked on', output)
def test_bridge_property(self):
copy_network_unit('11-dummy.netdev', '12-dummy.netdev', '26-bridge.netdev',