lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 01 Apr 2015 23:03:02 +0200
From:	Bernhard Thaler <bernhard.thaler@...et.at>
To:	David Miller <davem@...emloft.net>
CC:	stephen@...workplumber.org, bridge@...ts.linux-foundation.org,
	netdev@...r.kernel.org
Subject: Re: [PATCH] bridge: relax BR_GROUPFWD_RESTRICTED to forward LLDP
 frames



On 01.04.2015 21:28, David Miller wrote:
> From: Bernhard Thaler <bernhard.thaler@...et.at>
> Date: Mon, 30 Mar 2015 00:06:02 +0200
> 
>> BR_GROUPFWD_RESTRICTED bitmask restricts users from setting values to
>> /sys/class/net/brX/bridge/group_fwd_mask that allow forwarding of
>> some IEEE 802.1D Table 7-10 Reserved addresses:
>>
>> 	(MAC Control) 802.3		01-80-C2-00-00-01
>> 	(Link Aggregation) 802.3	01-80-C2-00-00-02
>> 	802.1AB LLDP			01-80-C2-00-00-0E
>>
>> Relax BR_GROUPFWD_RESTRICTED to at least forward LLDP frames and document
>> group_fwd_mask.
>>
>> e.g.
>>    echo 16384 > /sys/class/net/brX/bridge/group_fwd_mask
>> allows to forward LLDP frames.
>>
>> Tested on a simple bridge setup with two interfaces. Setting group_fwd_mask
>> as described above lets crafted LLDP frames traverse bridge.
>>
>> Signed-off-by: Bernhard Thaler <bernhard.thaler@...et.at>
> 
> I don't understand why we want to allow forwarding LLDP by default, it
> specifically is the case that an 802.1D bridge is only compliant if it
> does not forward LLDP packets.
> 
> We've blocked forwarding of LLDP by default for such a long time, so I
> argue against this change from the perspective of users expecting LLDP
> to be not forwarded by the Linux bridge by default.
> 
BR_GROUPFWD_DEFAULT is unchanged. By default none of the IEEE 802.1D
Table 7-10 Reserved addresses are forwarded by the bridge (except for
STP BPDUs if STP is turned off on the bridge device).
For users not changing /sys/class/net/brX/bridge/group_fwd_mask there
should be no difference to current default bridge behavior.

Only if users deliberately set group_fwd_mask to a value such as 16384
the bridge will start to forward LLDP frames. Current
BR_GROUPFWD_RESTRICTED value though restricts users from setting such
values to group_fwd_mask.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ