lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Nov 2007 09:36:26 -0800 From: Stephen Hemminger <shemminger@...ux-foundation.org> To: Johannes Berg <johannes@...solutions.net> Cc: netdev <netdev@...r.kernel.org>, bridge <bridge@...ux-foundation.org> Subject: Re: [RFC] bridging: don't forward EAPOL frames On Thu, 22 Nov 2007 14:23:28 +0100 Johannes Berg <johannes@...solutions.net> wrote: > This patch makes the bridging code drop EAPOL frames as recommended by > 802.1X-2004 in C.3.3. > > Is this really the right place to put it? > --- > include/linux/if_ether.h | 1 + > include/net/ieee80211.h | 6 ------ > net/bridge/br_input.c | 3 +++ > 3 files changed, 4 insertions(+), 6 deletions(-) > > --- everything.orig/include/linux/if_ether.h 2007-11-22 11:47:14.178686360 +0100 > +++ everything/include/linux/if_ether.h 2007-11-22 11:48:21.438679036 +0100 > @@ -74,6 +74,7 @@ > #define ETH_P_ATMFATE 0x8884 /* Frame-based ATM Transport > * over Ethernet > */ > +#define ETH_P_PAE 0x888E /* Port Access Entity (IEEE 802.1X) */ > #define ETH_P_AOE 0x88A2 /* ATA over Ethernet */ > #define ETH_P_TIPC 0x88CA /* TIPC */ > > --- everything.orig/include/net/ieee80211.h 2007-11-22 11:46:29.908682888 +0100 > +++ everything/include/net/ieee80211.h 2007-11-22 11:48:51.908679037 +0100 > @@ -183,12 +183,6 @@ const char *escape_essid(const char *ess > #endif > #include <net/iw_handler.h> /* new driver API */ > > -#ifndef ETH_P_PAE > -#define ETH_P_PAE 0x888E /* Port Access Entity (IEEE 802.1X) */ > -#endif /* ETH_P_PAE */ > - > -#define ETH_P_PREAUTH 0x88C7 /* IEEE 802.11i pre-authentication */ > - > #ifndef ETH_P_80211_RAW > #define ETH_P_80211_RAW (ETH_P_ECONET + 1) > #endif > --- everything.orig/net/bridge/br_input.c 2007-11-22 11:54:44.798683106 +0100 > +++ everything/net/bridge/br_input.c 2007-11-22 11:57:23.248680285 +0100 > @@ -145,6 +145,9 @@ struct sk_buff *br_handle_frame(struct n > } > } > > + if (unlikely(skb->protocol = htons(ETH_P_PAE))) > + goto drop; > + > switch (p->state) { > case BR_STATE_FORWARDING: Not needed because the bridge is already handling it: 1) If running STP (ie true bridge), then all link local multicast is only received by the bridge and never forwarded. 2) If not running sTP (ie invisible bridge), then it will be forwarded. Despite what the standards say, many users are using bridging code for invisible firewalls etc, and in those cases they want STP and EAPOL frames to be forwarded. -- Stephen Hemminger <shemminger@...ux-foundation.org> - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists