@@ -184,6 +184,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
if (prtb[IFLA_BRPORT_LOCKED])
print_on_off(PRINT_ANY, "locked", "locked %s ",
rta_getattr_u8(prtb[IFLA_BRPORT_LOCKED]));
+ if (prtb[IFLA_BRPORT_MAB])
+ print_on_off(PRINT_ANY, "mab", "mab %s ",
+ rta_getattr_u8(prtb[IFLA_BRPORT_MAB]));
} else
print_stp_state(rta_getattr_u8(attr));
}
@@ -283,6 +286,7 @@ static void usage(void)
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
" [ locked {on | off} ]\n"
+ " [ mab {on | off} ]\n"
" [ hwmode {vepa | veb} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
" [ self ] [ master ]\n"
@@ -314,6 +318,7 @@ static int brlink_modify(int argc, char **argv)
__s8 bcast_flood = -1;
__s8 mcast_to_unicast = -1;
__s8 locked = -1;
+ __s8 macauth = -1;
__s8 isolated = -1;
__s8 hairpin = -1;
__s8 bpdu_guard = -1;
@@ -439,6 +444,11 @@ static int brlink_modify(int argc, char **argv)
locked = parse_on_off("locked", *argv, &ret);
if (ret)
return ret;
+ } else if (strcmp(*argv, "mab") == 0) {
+ NEXT_ARG();
+ macauth = parse_on_off("mab", *argv, &ret);
+ if (ret)
+ return ret;
} else if (strcmp(*argv, "backup_port") == 0) {
NEXT_ARG();
backup_port_idx = ll_name_to_index(*argv);
@@ -522,6 +532,9 @@ static int brlink_modify(int argc, char **argv)
if (locked >= 0)
addattr8(&req.n, sizeof(req), IFLA_BRPORT_LOCKED, locked);
+ if (macauth >= 0)
+ addattr8(&req.n, sizeof(req), IFLA_BRPORT_MAB, macauth);
+
if (backup_port_idx != -1)
addattr32(&req.n, sizeof(req), IFLA_BRPORT_BACKUP_PORT,
backup_port_idx);
@@ -44,6 +44,7 @@ static void print_explain(FILE *f)
" [ vlan_tunnel {on | off} ]\n"
" [ isolated {on | off} ]\n"
" [ locked {on | off} ]\n"
+ " [ mab {on | off} ]\n"
" [ backup_port DEVICE ] [ nobackup_port ]\n"
);
}
@@ -288,6 +289,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
print_on_off(PRINT_ANY, "locked", "locked %s ",
rta_getattr_u8(tb[IFLA_BRPORT_LOCKED]));
+ if (tb[IFLA_BRPORT_MAB])
+ print_on_off(PRINT_ANY, "mab", "mab %s ",
+ rta_getattr_u8(tb[IFLA_BRPORT_MAB]));
+
if (tb[IFLA_BRPORT_BACKUP_PORT]) {
int backup_p = rta_getattr_u32(tb[IFLA_BRPORT_BACKUP_PORT]);
@@ -411,6 +416,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
NEXT_ARG();
bridge_slave_parse_on_off("locked", *argv, n,
IFLA_BRPORT_LOCKED);
+ } else if (strcmp(*argv, "mab") == 0) {
+ NEXT_ARG();
+ bridge_slave_parse_on_off("mab", *argv, n,
+ IFLA_BRPORT_MAB);
} else if (matches(*argv, "backup_port") == 0) {
int ifindex;
@@ -54,6 +54,7 @@ bridge \- show / manipulate bridge addresses and devices
.BR vlan_tunnel " { " on " | " off " } ] [ "
.BR isolated " { " on " | " off " } ] [ "
.BR locked " { " on " | " off " } ] [ "
+.BR mab " { " on " | " off " } ] [ "
.B backup_port
.IR DEVICE " ] ["
.BR nobackup_port " ] [ "
@@ -580,6 +581,21 @@ The common use is that hosts are allowed access through authentication
with the IEEE 802.1X protocol or based on whitelists or like setups.
By default this flag is off.
+.TP
+.BR "mab on " or " mab off "
+Controls whether MAC Authentication Bypass (MAB) is enabled on the port or not.
+MAB can only be enabled on a locked port that has learning enabled. When
+enabled, FDB entries are learned from received traffic and have the "locked"
+FDB flag set. The flag can only be set by the kernel and it indicates that the
+FDB entry cannot be used to authenticate the corresponding host. User space can
+decide to authenticate the host by replacing the FDB entry and clearing the
+"locked" FDB flag. Locked FDB entries can roam to unlocked (authorized) ports
+in which case the "locked" flag is cleared. FDB entries cannot roam to locked
+ports regardless of MAB being enabled or not. Therefore, locked FDB entries are
+only created if an FDB entry with the given {MAC, VID} does not already exist.
+This behavior prevents unauthenticated hosts from disrupting traffic destined
+to already authenticated hosts. Locked FDB entries act like regular dynamic
+entries with respect to forwarding and aging. By default this flag is off.
.TP
.BI backup_port " DEVICE"
@@ -2471,6 +2471,9 @@ the following additional arguments are supported:
.BR isolated " { " on " | " off " }"
] [
.BR locked " { " on " | " off " }"
+] [
+.BR mab " { " on " | " off " }"
+] [
.BR backup_port " DEVICE"
] [
.BR nobackup_port " ]"
@@ -2577,6 +2580,21 @@ default this flag is off.
behind the port cannot communicate through the port unless a FDB entry
representing the host is in the FDB. By default this flag is off.
+.BR mab " { " on " | " off " }"
+- controls whether MAC Authentication Bypass (MAB) is enabled on the port or
+not. MAB can only be enabled on a locked port that has learning enabled. When
+enabled, FDB entries are learned from received traffic and have the "locked"
+FDB flag set. The flag can only be set by the kernel and it indicates that the
+FDB entry cannot be used to authenticate the corresponding host. User space can
+decide to authenticate the host by replacing the FDB entry and clearing the
+"locked" FDB flag. Locked FDB entries can roam to unlocked (authorized) ports
+in which case the "locked" flag is cleared. FDB entries cannot roam to locked
+ports regardless of MAB being enabled or not. Therefore, locked FDB entries are
+only created if an FDB entry with the given {MAC, VID} does not already exist.
+This behavior prevents unauthenticated hosts from disrupting traffic destined
+to already authenticated hosts. Locked FDB entries act like regular dynamic
+entries with respect to forwarding and aging. By default this flag is off.
+
.BI backup_port " DEVICE"
- if the port loses carrier all traffic will be redirected to the
configured backup port