| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2011 21:54:01 +0100 From: Nick Carter <ncarter100@...il.com> To: David Lamparter <equinox@...c24.net> Cc: Stephen Hemminger <shemminger@...ux-foundation.org>, netdev@...r.kernel.org, davem@...emloft.net Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD On 28 June 2011 21:22, David Lamparter <equinox@...c24.net> wrote: > On Tue, Jun 28, 2011 at 09:00:16PM +0100, Nick Carter wrote: >> >> /* If STP is turned off, then forward */ >> >> - if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) >> >> + if (p->br->stp_enabled == BR_NO_STP && >> >> + (dest[5] == 0 || skb->protocol == htons(ETH_P_PAE))) >> >> goto forward; >> >> Nick >> > >> > That code actually looks quite wrong to me, we should be forwarding all of >> > the 01:80:C2:00:00:0x groups in non-STP mode, especially :0E and :0D. >> > (LLDP and GVRP/MVRP) >> > >> > Pause frames are the one exception that makes the rule, but as the >> > comment a few lines above states, "Pause frames shouldn't be passed up by >> > driver anyway". >> > >> > Btw, what might make sense is a general knob for forwarding those >> > link-local groups, split off from the STP switch so the STP switch >> > controls only the :00 (STP) group. That way you can decide separately >> > whether you want to be LLDP/GVRP/802.1X/... transparent and whether you >> > want to run STP. >> >> Sounds good to me. So we go for :03, :0D, and :0E. We cant touch :02 see: >> commit f01cb5fbea1c1613621f9f32f385e12c1a29dde0 >> Revert "bridge: Forward reserved group addresses if !STP" >> >> > Not sure if it's needed, it can always be done with ebtables... >> What would be the ebtables rules to achieve the forwarding of :03 ? I >> asked this question on the netfilter list and the only response I got >> said ebtables was a filter and could not do this. :03 is hitting >> NF_BR_LOCAL_IN. How would you 'reinject' it so it is forwarded ? > > 'reinject' isn't possible when it hits that code path - which is pretty > much why I'm saying we should be forwarding everything in the non-STP > case. I'm not sure I like this turn off STP and suddenly start forwarding random groups. There is no connection between wanting STP on / off and forwarding pae on / off. There is no dependencies between the protocols. Also on reflection I think a knob per mac group would be better. We are only interested in 3 and if I enable pae forwarding so I can connect virtual machine supplicants, i don't then want to turn on LDP forwarding which will needlessly hit my virtual machines. So how about sysfs ../bridge/pae_forwarding ../bridge/ldp_forwarding ../bridge/mvrp_forwarding > > I have to read up on the bonding interactions, but to my understanding > the only reasonable usage case is to have the bond below the bridge like > eth0 \ > |- bond0 - br0 > eth1 / > then the bonding should receive (and consume) the packets before they > reach the bridge. > > (Some quick googling reveals that hardware switch chips special-drop > 01:80:c2:00:00:01 [802.3x/pause] and :02 [802.3ad/lacp] and nothing > else - for the dumb ones anyway. It also seems like the match for pause > frames usually works on the address, not on the protocol field like we > do it...) 'Enterprise' switches drop :03 [802.1x] Nick > > > -David > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists