Open Source and information security mailing list archives
Message-ID: <CAEFUPH0cU-5ZJ_qAevp1DENYrUkSO4zipUTg0vzLmgz16nPbbw@mail.gmail.com>
Date: Wed, 23 Apr 2025 06:26:40 -0700
From: SIMON BABY <simonkbaby@...il.com>
To: Ido Schimmel <idosch@...sch.org>
Cc: netdev@...r.kernel.org
Subject: Re: query on EAPOL multicast packet with linux bridge interface

Thank you Ido.

Here are the details of my setup:

I have a Microchip CPU connected to an 11-port Marvell 88E6390 switch.
I am using the Marvell Linux DSA driver so that all the switch ports
(lan1, lan2, lan3, etc.) are part of the Linux kernel.

I am using hostapd as an authenticator.

An 802.1X client device is connected to port lan1. When I bind this port
(lan1) to the hostapd daemon, I can see EAPOL packets being forwarded
to a RADIUS server.

I have created a bridge with VLAN filtering with the commands below and
bound the bridge (br0) to the hostapd daemon. Now EAPOL packets are not
forwarded.

ip link add name br0 type bridge vlan_filtering 1
ip link set dev lan1 master br0
ip link set dev lan2 master br0
bridge vlan add dev lan1 vid 10 pvid untagged
bridge vlan add dev lan2 vid 10 pvid untagged
ip link set dev br0 up
ip link set dev lan1 up
ip link set dev lan2 up
ip link add link br0 name br0.10 type vlan id 10
ip link set dev br0.10 up
ip addr add 192.168.2.1/24 dev br0.10
bridge vlan add vid 10 dev br0 self

bridge vlan show
port              vlan-id
lan1              10 PVID Egress Untagged
lan2              10 PVID Egress Untagged
br0                10

echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
cat /sys/class/net/br0/bridge/group_fwd_mask
0x8

root@...a7g5ek-tdy-sd:~# cat /etc/hostapd.conf
##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored

# Example configuration file for wired authenticator. See hostapd.conf for
# more details.
interface=br0
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>passing br0 as interface to
hostapd.
driver=wired



Regards
Simon


On Wed, Apr 23, 2025 at 4:42 AM Ido Schimmel <idosch@...sch.org> wrote:
>
> On Tue, Apr 22, 2025 at 06:42:58PM -0700, SIMON BABY wrote:
> > Hello,
> >
> > I have a difficulty with making EAPOL packet forwarding with the Linux
> > bridge interface.
> >
> >  I have configured the group_fwd_mask parameter with the below value.
> >
> >  echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
> >
> > I still could not see the EAPOL packets being forwarded  from the
> > linux bridge interface . However I can see the EAPOL packets are
> > forwarded if I use it as a regular interface.
> >
> > Do we have any more settings?
>
> What do you mean by "linux bridge interface"? The bridge device itself
> or a bridge port? Also, what is "regular interface"?
>
> The following script [1] seems to work fine for me:
>
> EAPOL packets on h2 without group_fwd_mask: 0
> EAPOL packets on h2 with group_fwd_mask: 1
>
> Can you adjust it to show the problem you are referring to?
>
> Thanks
>
> [1]
> #!/bin/bash
>
> # Setup
> #
> for ns in h1 h2 br; do
>         ip netns add $ns
>         ip -n $ns link set dev lo up
> done
>
> ip -n h1 link add name veth0 type veth peer name veth1 netns br
> ip -n h2 link add name veth2 type veth peer name veth3 netns br
>
> ip -n h1 link set dev veth0 up
> ip -n h2 link set dev veth2 up
>
> ip -n br link add name br0 up type bridge
> ip -n br link set dev veth1 up master br0
> ip -n br link set dev veth3 up master br0
>
> tc -n h2 qdisc add dev veth2 clsact
> tc -n h2 filter add dev veth2 ingress pref 1 proto all \
>         flower dst_mac 01:80:c2:00:00:03 action pass
>
> # Without group_fwd_mask
> #
> ip netns exec h1 mausezahn veth0 -a own -b 01:80:c2:00:00:03 -c 1 -q
> sleep 1
> pkt=$(tc -n h2 -s -j -p filter show dev veth2 ingress | \
>         jq ".[] | select(.options.handle == 1) | .options.actions[0].stats.packets")
>
> echo "EAPOL packets on h2 without group_fwd_mask: $pkt"
>
> # With group_fwd_mask
> #
> ip -n br link set dev br0 type bridge group_fwd_mask 0x0008
> ip netns exec h1 mausezahn veth0 -a own -b 01:80:c2:00:00:03 -c 1 -q
> sleep 1
> pkt=$(tc -n h2 -s -j -p filter show dev veth2 ingress | \
>         jq ".[] | select(.options.handle == 1) | .options.actions[0].stats.packets")
> echo "EAPOL packets on h2 with group_fwd_mask: $pkt"
>
> # Cleanup
> #
> for ns in h1 h2 br; do
>         ip netns del $ns
> done
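An added reproducer, not code from either poster: Ido's h1/h2/br script [1] with the bridge switched to vlan_filtering and both veth ports on VID 10 PVID untagged, mirroring Simon's lan1/lan2 layout, so the two EAPOL counts can be compared with VLAN filtering on. Namespace names, veth pairs, VID 10 and the tools (root, iproute2, tc, jq, mausezahn) are assumed.

```shell
#!/bin/bash
# Added reproducer, not code from the thread: Ido's h1/h2/br test [1] with the
# bridge switched to vlan_filtering and both ports on VID 10 PVID untagged,
# like Simon's lan1/lan2. Needs root, iproute2, tc, jq and mausezahn (assumed).

# Bit of group_fwd_mask that lets the bridge forward 01:80:c2:00:00:0X: bit X.
# EAPOL (...:03) is 0x0008. The kernel refuses bits 0-2 (STP, pause, LACP).
group_fwd_bit() {
    n=$(printf '%d' "0x${1##*:}")
    printf '0x%04x\n' $((1 << n))
}

# Frames that hit the h2 ingress filter for the EAPOL group address.
count_eapol() {
    tc -n h2 -s -j -p filter show dev veth2 ingress |
        jq '.[] | select(.options.handle == 1) | .options.actions[0].stats.packets'
}

repro() {
    for ns in h1 h2 br; do ip netns add $ns; ip -n $ns link set dev lo up; done
    ip -n h1 link add name veth0 type veth peer name veth1 netns br
    ip -n h2 link add name veth2 type veth peer name veth3 netns br
    ip -n h1 link set dev veth0 up
    ip -n h2 link set dev veth2 up
    # VLAN-filtering bridge with the same VLAN layout as Simon's br0
    ip -n br link add name br0 up type bridge vlan_filtering 1
    ip -n br link set dev veth1 up master br0
    ip -n br link set dev veth3 up master br0
    bridge -n br vlan add dev veth1 vid 10 pvid untagged
    bridge -n br vlan add dev veth3 vid 10 pvid untagged
    tc -n h2 qdisc add dev veth2 clsact
    tc -n h2 filter add dev veth2 ingress pref 1 proto all \
        flower dst_mac 01:80:c2:00:00:03 action pass
    # Untagged EAPOL from h1 enters on the PVID; link-local, so not forwarded by default
    ip netns exec h1 mausezahn veth0 -a own -b 01:80:c2:00:00:03 -c 1 -q
    sleep 1
    echo "EAPOL on h2, vlan_filtering, no group_fwd_mask: $(count_eapol)"
    # Same frame after enabling forwarding of the EAPOL group address
    ip -n br link set dev br0 type bridge group_fwd_mask "$(group_fwd_bit 01:80:c2:00:00:03)"
    ip netns exec h1 mausezahn veth0 -a own -b 01:80:c2:00:00:03 -c 1 -q
    sleep 1
    echo "EAPOL on h2, vlan_filtering, group_fwd_mask 0x8: $(count_eapol)"
    for ns in h1 h2 br; do ip netns del $ns; done
}

# Only run the namespace test when asked, so the helpers can be sourced safely.
if [ "${1:-}" = run ]; then repro; fi
```

Run as `./repro.sh run` as root; if the second count stays 0 with vlan_filtering on, that isolates the VLAN-filtering bridge from the DSA hardware path in Simon's setup.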