devlink: Add packet traps for 802.1X operation
authorIdo Schimmel <idosch@nvidia.com>
Tue, 8 Nov 2022 10:47:10 +0000 (11:47 +0100)
committerJakub Kicinski <kuba@kernel.org>
Thu, 10 Nov 2022 03:06:14 +0000 (19:06 -0800)
Add packet traps for 802.1X operation. The "eapol" control trap is used
to trap EAPOL packets and is required for the correct operation of the
control plane. The "locked_port" drop trap can be enabled to gain
visibility into packets that were dropped by the device due to the
locked bridge port check.

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Documentation/networking/devlink/devlink-trap.rst
include/net/devlink.h
net/core/devlink.c

index 90d1381b88deeb0de244a66af890a4fdc4843731..2c14dfe69b3a145a1a38cfbe913e76110c0f4a3c 100644 (file)
@@ -485,6 +485,16 @@ be added to the following table:
      - Traps incoming packets that the device decided to drop because
        the destination MAC is not configured in the MAC table and
        the interface is not in promiscuous mode
+   * - ``eapol``
+     - ``control``
+     - Traps "Extensible Authentication Protocol over LAN" (EAPOL) packets
+       specified in IEEE 802.1X
+   * - ``locked_port``
+     - ``drop``
+     - Traps packets that the device decided to drop because they failed the
+       locked bridge port check. That is, packets that were received via a
+       locked port and whose {SMAC, VID} does not correspond to an FDB entry
+       pointing to the port
 
 Driver-specific Packet Traps
 ============================
@@ -589,6 +599,9 @@ narrow. The description of these groups must be added to the following table:
    * - ``parser_error_drops``
      - Contains packet traps for packets that were marked by the device during
        parsing as erroneous
+   * - ``eapol``
+     - Contains packet traps for "Extensible Authentication Protocol over LAN"
+       (EAPOL) packets specified in IEEE 802.1X
 
 Packet Trap Policers
 ====================
index fa6e936af1a5269cca5454a34fdc362c9f0a28f7..611a23a3deb2d0c3e5fe47f359c097706458db95 100644 (file)
@@ -894,6 +894,8 @@ enum devlink_trap_generic_id {
        DEVLINK_TRAP_GENERIC_ID_ESP_PARSING,
        DEVLINK_TRAP_GENERIC_ID_BLACKHOLE_NEXTHOP,
        DEVLINK_TRAP_GENERIC_ID_DMAC_FILTER,
+       DEVLINK_TRAP_GENERIC_ID_EAPOL,
+       DEVLINK_TRAP_GENERIC_ID_LOCKED_PORT,
 
        /* Add new generic trap IDs above */
        __DEVLINK_TRAP_GENERIC_ID_MAX,
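Review bot: `DEVLINK_TRAP_GENERIC_ID_EAPOL` and `DEVLINK_TRAP_GENERIC_ID_LOCKED_PORT` are added with no comment saying that both traps are fed by hosts that have not yet authenticated. EAPOL frames necessarily arrive before 802.1X completes, and `locked_port` by definition carries frames that failed the locked bridge port check. A one-line comment above the two entries would tell driver authors that this CPU path is reachable from untrusted ports, for example `/* 802.1X: trapped frames originate from unauthenticated hosts; bind a policer to the trap group */`. Whether drivers that register these traps already rate-limit them is not visible in this commit, so that should be confirmed. The enum starts before this hunk and continues past it.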
@@ -930,6 +932,7 @@ enum devlink_trap_group_generic_id {
        DEVLINK_TRAP_GROUP_GENERIC_ID_ACL_SAMPLE,
        DEVLINK_TRAP_GROUP_GENERIC_ID_ACL_TRAP,
        DEVLINK_TRAP_GROUP_GENERIC_ID_PARSER_ERROR_DROPS,
+       DEVLINK_TRAP_GROUP_GENERIC_ID_EAPOL,
 
        /* Add new generic trap group IDs above */
        __DEVLINK_TRAP_GROUP_GENERIC_ID_MAX,
@@ -1121,6 +1124,10 @@ enum devlink_trap_group_generic_id {
        "blackhole_nexthop"
 #define DEVLINK_TRAP_GENERIC_NAME_DMAC_FILTER \
        "dmac_filter"
+#define DEVLINK_TRAP_GENERIC_NAME_EAPOL \
+       "eapol"
+#define DEVLINK_TRAP_GENERIC_NAME_LOCKED_PORT \
+       "locked_port"
 
 #define DEVLINK_TRAP_GROUP_GENERIC_NAME_L2_DROPS \
        "l2_drops"
@@ -1174,6 +1181,8 @@ enum devlink_trap_group_generic_id {
        "acl_trap"
 #define DEVLINK_TRAP_GROUP_GENERIC_NAME_PARSER_ERROR_DROPS \
        "parser_error_drops"
+#define DEVLINK_TRAP_GROUP_GENERIC_NAME_EAPOL \
+       "eapol"
 
 #define DEVLINK_TRAP_GENERIC(_type, _init_action, _id, _group_id,            \
                             _metadata_cap)                                   \
index ea0b319385fc0bd7314195c1bc967e370d9ae2cf..6bbe230c4ec59a68a3c8ff756099b7645c26f6a0 100644 (file)
@@ -11734,6 +11734,8 @@ static const struct devlink_trap devlink_trap_generic[] = {
        DEVLINK_TRAP(ESP_PARSING, DROP),
        DEVLINK_TRAP(BLACKHOLE_NEXTHOP, DROP),
        DEVLINK_TRAP(DMAC_FILTER, DROP),
+       DEVLINK_TRAP(EAPOL, CONTROL),
+       DEVLINK_TRAP(LOCKED_PORT, DROP),
 };
 
 #define DEVLINK_TRAP_GROUP(_id)                                                      \
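Review bot: The two new `DEVLINK_TRAP(...)` rows are kept in step with the enum in include/net/devlink.h only by hand, and nothing visible here makes the build fail if the two drift apart. `devlink_trap_generic_verify()`, whose body is outside this page, presumably looks entries up by trap ID; if so, a missing or misordered row becomes a wrong-entry or out-of-bounds read at trap registration. Unless an equivalent check already exists elsewhere in the file, a build-time guard directly after the table would catch a length mismatch: `static_assert(ARRAY_SIZE(devlink_trap_generic) == __DEVLINK_TRAP_GENERIC_ID_MAX);`. The same applies to the `DEVLINK_TRAP_GROUP(EAPOL)` row added to `devlink_trap_group_generic[]` in the next hunk, with `__DEVLINK_TRAP_GROUP_GENERIC_ID_MAX` as the bound.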
@@ -11769,6 +11771,7 @@ static const struct devlink_trap_group devlink_trap_group_generic[] = {
        DEVLINK_TRAP_GROUP(ACL_SAMPLE),
        DEVLINK_TRAP_GROUP(ACL_TRAP),
        DEVLINK_TRAP_GROUP(PARSER_ERROR_DROPS),
+       DEVLINK_TRAP_GROUP(EAPOL),
 };
 
 static int devlink_trap_generic_verify(const struct devlink_trap *trap)