Open Source and information security mailing list archives
Message-ID: <aAkMhl3klxYx-n2Q@shredder>
Date: Wed, 23 Apr 2025 18:51:34 +0300
From: Ido Schimmel <idosch@...sch.org>
To: SIMON BABY <simonkbaby@...il.com>
Cc: netdev@...r.kernel.org
Subject: Re: query on EAPOL multicast packet with linux bridge interface

(Please avoid top posting)

On Wed, Apr 23, 2025 at 06:26:40AM -0700, SIMON BABY wrote:
> Thank you Ido.
> 
> Here are the details of my setup:
> 
> I have a Microchip CPU connected to an 11 port Marvell 88E6390 switch.
> I am using the Marvell Linux DSA driver so that all the switch ports
> (lan1, lan2, lan3 etc) are part of the Linux kernel.
> 
> I am using hostapd as an authenticator.
> 
> An 802.1x client device is connected to port lan1 and binds this port
> (lan1) to hostapd daemon, I can see EAPOL packets are being forwarded
> to a radius server.
> 
> I have created a bridge with vlan filtering with the commands below and
> bound the bridge (br0) to the hostapd daemon. Now EAPOL packets are not
> forwarded.

Do you see the EAPOL packets when running tcpdump on 'lan1' and 'br0'?
Does the result change if you pass '-p' to tcpdump?

> 
> ip link add name br0 type bridge vlan_filtering 1
> ip link set dev lan1 master br0
> ip link set dev lan2 master br0
> bridge vlan add dev lan1 vid 10 pvid untagged
> bridge vlan add dev lan2 vid 10 pvid untagged
> ip link set dev br0 up
> ip link set dev lan1 up
> ip link set dev lan2 up
> ip link add link br0 name br0.10 type vlan id 10
> ip link set dev br0.10 up
> ip addr add 192.168.2.1/24 dev br0.10
> bridge vlan add vid 10 dev br0 self
> 
> bridge vlan show
> port              vlan-id
> lan1              10 PVID Egress Untagged
> lan2              10 PVID Egress Untagged
> br0                10
> 
> echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
> cat /sys/class/net/br0/bridge/group_fwd_mask
> 0x8
> 
> root@...a7g5ek-tdy-sd:~# cat /etc/hostapd.conf
> ##### hostapd configuration file ##############################################
> # Empty lines and lines starting with # are ignored
> 
> # Example configuration file for wired authenticator. See hostapd.conf for
> # more details.
> interface=br0

I have zero experience with hostapd, but I assume it opens a packet
socket on the specified interface to receive the EAPOL packets. When
listening on 'br0' you should see the EAPOL packets with a VLAN tag
which could be a problem for hostapd. When you told it to listen on
'lan1' it received the EAPOL packets without a VLAN. I would try to
specify 'br0.10' and see if it helps. hostapd should observe the packets
without a VLAN tag in this case.

> >>>>>>>>>> passing br0 as interface to hostapd.
> driver=wired
> 
> 
> 
> Regards
> Simon
