lists.openwall.net | Open Source and information security mailing list archives
Date: Tue, 28 Jun 2011 17:02:57 +0200
From: David Lamparter <equinox@...c24.net>
To: Nick Carter <ncarter100@...il.com>
Cc: Stephen Hemminger <shemminger@...ux-foundation.org>, netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD

On Sat, Jun 25, 2011 at 12:33:05AM +0100, Nick Carter wrote:
> @@ -98,6 +98,14 @@ int br_handle_frame_finish(struct sk_buff *skb)
> }
>
> if (skb) {
> + /* Prevent Crosstalk where a Supplicant on one Port attempts to
> + * interfere with authentications occurring on another Port.
> + * (IEEE Std 802.1X-2001 C.3.3)
> + */
> + if (unlikely(!br->pae_forward &&
> + skb->protocol == htons(ETH_P_PAE)))
> + goto drop;
> +
> if (dst)
> br_forward(dst->dst, skb, skb2);
> else
> @@ -166,6 +174,10 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb)
> if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
> goto forward;
>
> + /* Check if PAE frame should be forwarded */
> + if (p->br->pae_forward && skb->protocol == htons(ETH_P_PAE))
> + goto forward;
> +
> if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> NULL, br_handle_local_finish))
> return NULL; /* frame consumed by filter */

No, please don't.

Linux bridging has two "grand" modes: dumb and STP enabled.

If we're running a dumb bridge, we behave like an ethernet hub without any intelligence, and in that case we should absolutely forward 802.1X frames. We may have (e.g. VM) client(s) that want to authenticate with a physical switch. (For the spec, this counts as "repeater", not "bridge"/"switch")

If we're running with STP enabled, then 802.1X traffic should already be caught by the general ethernet link-local multicast drop (which applies to 01:80:c2:/24 and therefore catches 802.1X too.)

-David

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
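Review bot: the drop in the first hunk (`br_handle_frame_finish`) keys only on `!br->pae_forward` and the `ETH_P_PAE` ethertype, so its effect depends entirely on how `pae_forward` is initialised and toggled, and neither appears in the posted hunks; on a bridge where the flag is clear, the `if (skb)` forwarding path now discards every EAPOL frame that reaches it, which is the VM-supplicant-behind-a-dumb-bridge case the reply raises. The patch description should state the default and the control (the subject names a Kconfig option, which cannot be changed at runtime), and the discard should be observable by an operator, for instance by counting it next to `goto drop`, rather than silently vanishing while a supplicant times out.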
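Review bot: the new `goto forward` in the second hunk (`br_handle_frame`) is not gated on `stp_enabled`, unlike the `p->br->stp_enabled == BR_NO_STP && dest[5] == 0` line directly above it, so with `pae_forward` set an STP-enabled bridge forwards EAPOL too instead of leaving it to the link-local handling the reply expects; the condition also checks only the ethertype, not the destination, and jumps past the `NF_BR_LOCAL_IN` hook, so a filter attached there no longer sees these frames. Either add the `BR_NO_STP` test to the condition or document that the option deliberately overrides the STP-mode behaviour, and replace `/* Check if PAE frame should be forwarded */`, which only restates the code, with the reason (a supplicant reaching a physical authenticator through a repeater-style bridge).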
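To make the disagreement in this thread concrete, here is an added user-space model (not code from the thread, the patch or the kernel) of how an incoming frame would be classified under the two posted hunks plus the visible link-local fast path: the destination and ethertype are parsed from a raw Ethernet header, link-local destinations go to the `br_handle_frame` rules, everything else to the `br_handle_frame_finish` rule. `struct model_bridge`, `bridge_classify`, the verdict names and the two constructed sample frames are assumptions of this example; the PAE group address 01:80:c2:00:00:03 comes from IEEE 802.1X, not from the page.

```c
/* Added example: user-space model of the bridge decision path as it would
 * look with the posted patch applied. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN   6
#define ETH_HLEN   14
#define ETH_P_PAE  0x888E   /* EAPOL ethertype tested by both hunks */

enum verdict { VERDICT_FORWARD, VERDICT_LOCAL, VERDICT_DROP };

/* Hypothetical stand-in for the two fields the hunks read on struct net_bridge. */
struct model_bridge {
    bool stp_enabled;   /* false models BR_NO_STP, the "dumb" mode in the reply */
    bool pae_forward;   /* the knob the patch introduces */
};

/* Link-local bridge group range 01:80:c2:00:00:00 .. 01:80:c2:00:00:0f. */
static bool dest_is_link_local(const uint8_t *dest)
{
    static const uint8_t prefix[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
    return memcmp(dest, prefix, sizeof prefix) == 0 && (dest[5] & 0xf0) == 0;
}

/* Pull destination MAC and ethertype out of a raw Ethernet II header. */
static bool parse_eth_header(const uint8_t *frame, size_t len,
                             uint8_t dest[ETH_ALEN], uint16_t *ethertype)
{
    if (len < ETH_HLEN)
        return false;
    memcpy(dest, frame, ETH_ALEN);
    *ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    return true;
}

/* Models br_handle_frame() followed by br_handle_frame_finish(), using only
 * the rules visible in the thread. */
enum verdict bridge_classify(const struct model_bridge *br,
                             const uint8_t *frame, size_t len)
{
    uint8_t dest[ETH_ALEN];
    uint16_t ethertype;

    if (!parse_eth_header(frame, len, dest, &ethertype))
        return VERDICT_DROP;                     /* runt frame */

    if (dest_is_link_local(dest)) {
        /* Existing fast path: STP address passes through a dumb bridge. */
        if (!br->stp_enabled && dest[5] == 0)
            return VERDICT_FORWARD;
        /* Second hunk: PAE frames are forwarded when the knob is set. */
        if (br->pae_forward && ethertype == ETH_P_PAE)
            return VERDICT_FORWARD;
        /* Otherwise handed to br_handle_local_finish, i.e. not forwarded. */
        return VERDICT_LOCAL;
    }

    /* First hunk, in the forwarding path: PAE dropped unless the knob is set. */
    if (!br->pae_forward && ethertype == ETH_P_PAE)
        return VERDICT_DROP;
    return VERDICT_FORWARD;
}

/* Constructed sample: EAPOL-Start from a VM supplicant to the PAE group address. */
static const uint8_t eapol_start_group[] = {
    0x01, 0x80, 0xc2, 0x00, 0x00, 0x03,   /* dst: PAE group address */
    0x52, 0x54, 0x00, 0x12, 0x34, 0x56,   /* src: constructed VM MAC */
    0x88, 0x8e,                           /* ethertype: EAPOL */
    0x01, 0x01, 0x00, 0x00                /* EAPOL v1, type 1 (Start), length 0 */
};

/* Constructed sample: the same EAPOL-Start sent to a unicast authenticator MAC. */
static const uint8_t eapol_start_unicast[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst: constructed unicast MAC */
    0x52, 0x54, 0x00, 0x12, 0x34, 0x56,
    0x88, 0x8e,
    0x01, 0x01, 0x00, 0x00
};

enum verdict group_verdict(bool stp_enabled, bool pae_forward)
{
    struct model_bridge br = { stp_enabled, pae_forward };
    return bridge_classify(&br, eapol_start_group, sizeof eapol_start_group);
}

enum verdict unicast_verdict(bool stp_enabled, bool pae_forward)
{
    struct model_bridge br = { stp_enabled, pae_forward };
    return bridge_classify(&br, eapol_start_unicast, sizeof eapol_start_unicast);
}

int main(void)
{
    static const char *names[] = { "forward", "local", "drop" };
    for (int stp = 0; stp < 2; stp++)
        for (int pae = 0; pae < 2; pae++)
            printf("stp=%d pae_forward=%d: group=%s unicast=%s\n", stp, pae,
                   names[group_verdict(stp, pae)], names[unicast_verdict(stp, pae)]);
    return 0;
}
```

Running it shows the point of the reply: with `pae_forward` clear, the group-addressed EAPOL-Start from the VM never leaves the bridge in either mode, and the first hunk additionally drops unicast-addressed EAPOL that would otherwise have been bridged; with the flag set, the second hunk forwards the group-addressed frame whether or not STP is enabled, which is the gap the reviewer note on that hunk raises.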