Message-ID: <CAEFUPH0kh73VU8TmbS3Jx8jJ_RjwbQStx5deV25Ji5a3ZQp-xQ@mail.gmail.com>
Date: Wed, 23 Apr 2025 22:59:35 -0700
From: SIMON BABY <simonkbaby@...il.com>
To: Ido Schimmel <idosch@...sch.org>
Cc: netdev@...r.kernel.org
Subject: Re: query on EAPOL multicast packet with linux bridge interface

On Wed, Apr 23, 2025 at 8:51 AM Ido Schimmel <idosch@...sch.org> wrote:
>
> (Please avoid top posting)
>
> On Wed, Apr 23, 2025 at 06:26:40AM -0700, SIMON BABY wrote:
> > Thank you Ido.
> >
> > Here are the details of my setup:
> >
> > I have a Microchip CPU connected to an 11-port Marvell 88E6390 switch.
> > I am using the Marvell Linux DSA driver so that all the switch ports
> > (lan1, lan2, lan3 etc.) are part of the Linux kernel.
> >
> > I am using hostapd as an authenticator.
> >
> > An 802.1x client device is connected to port lan1. When I bind this port
> > (lan1) to the hostapd daemon, I can see EAPOL packets being forwarded
> > to a RADIUS server.
> >
> > I have created a bridge with VLAN filtering using the commands below and
> > bound the bridge (br0) to the hostapd daemon. Now EAPOL packets are not
> > forwarded.
>
> Do you see the EAPOL packets when running tcpdump on 'lan1' and 'br0'?
> Does the result change if you pass '-p' to tcpdump?
>
> >
> > ip link add name br0 type bridge vlan_filtering 1
> > ip link set dev lan1 master br0
> > ip link set dev lan2 master br0
> > bridge vlan add dev lan1 vid 10 pvid untagged
> > bridge vlan add dev lan2 vid 10 pvid untagged
> > ip link set dev br0 up
> > ip link set dev lan1 up
> > ip link set dev lan2 up
> > ip link add link br0 name br0.10 type vlan id 10
> > ip link set dev br0.10 up
> > ip addr add 192.168.2.1/24 dev br0.10
> > bridge vlan add vid 10 dev br0 self
> >
> > bridge vlan show
> > port              vlan-id
> > lan1              10 PVID Egress Untagged
> > lan2              10 PVID Egress Untagged
> > br0                10
> >
> > echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
> > cat /sys/class/net/br0/bridge/group_fwd_mask
> > 0x8
> >
> > root@...a7g5ek-tdy-sd:~# cat /etc/hostapd.conf
> > ##### hostapd configuration file ##############################################
> > # Empty lines and lines starting with # are ignored
> >
> > # Example configuration file for wired authenticator. See hostapd.conf for
> > # more details.
> > interface=br0
>
> I have zero experience with hostapd, but I assume it opens a packet
> socket on the specified interface to receive the EAPOL packets. When
> listening on 'br0' you should see the EAPOL packets with a VLAN tag
> which could be a problem for hostapd. When you told it to listen on
> 'lan1' it received the EAPOL packets without a VLAN. I would try to
> specify 'br0.10' and see if it helps. hostapd should observe the packets
> without a VLAN tag in this case.
>
> > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>passing br0 as interface to
> > hostapd.
> > driver=wired
> >
> >
> >
> > Regards
> > Simon


Hello Ido,

I tried with br0.10 and still did not see EAPOL packets being
forwarded. Below are the tcpdump logs on lan5 and br0.10.


root@...a7g5ek-tdy-sd:~# tcpdump -i br0.10 ether proto 0x888e -p
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes

br0: port 5(lan5) entered disabled state
mv88e6085 e2800000.ethernet-ffffffff:10 lan5: Link is Down
mv88e6085 e2800000.ethernet-ffffffff:10 lan5: Link is Up -
100Mbps/Full - flow control rx/tx
br0: port 5(lan5) entered blocking state
br0: port 5(lan5) entered forwarding state
18:15:59.243997 EAP packet (0) v2, len 5
18:16:02.245922 EAP packet (0) v2, len 5
18:16:08.252660 EAP packet (0) v2, len 5



root@...a7g5ek-tdy-sd:~# tcpdump -i lan5 ether proto 0x888e -p
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lan5, link-type EN10MB (Ethernet), snapshot length 262144 bytes


br0: port 5(lan5) entered disabled state
mv88e6085 e2800000.ethernet-ffffffff:10 lan5: Link is Down
mv88e6085 e2800000.ethernet-ffffffff:10 lan5: Link is Up -
100Mbps/Full - flow control rx/tx
br0: port 5(lan5) entered blocking state
br0: port 5(lan5) entered forwarding state
18:18:00.558929 EAPOL start (1) v1, len 0
18:18:00.566422 EAP packet (0) v2, len 5
18:18:00.580678 EAP packet (0) v1, len 28
18:18:00.688667 EAP packet (0) v2, len 6
18:18:00.711016 EAP packet (0) v1, len 172
18:18:00.866300 EAP packet (0) v2, len 1004
18:18:00.867310 EAP packet (0) v1, len 6
18:18:00.871946 EAP packet (0) v2, len 1004
18:18:00.872795 EAP packet (0) v1, len 6
18:18:00.877155 EAP packet (0) v2, len 1004
18:18:00.878087 EAP packet (0) v1, len 6
18:18:00.882673 EAP packet (0) v2, len 866
18:18:00.893136 EAP packet (0) v1, len 1492
18:18:00.898185 EAP packet (0) v2, len 6
18:18:00.899091 EAP packet (0) v1, len 903
18:18:01.912476 EAP packet (0) v2, len 4


Regards
Simon
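Added example for this thread (not hostapd, kernel or tcpdump code, and not something either poster wrote): a small decoder for the frames the thread is about. It builds constructed EAPOL frames modelled on the tcpdump lines above (an EAPOL-Start, "v1, len 0", and an EAP-Request/Identity, "v2, len 5"), once untagged as lan5 sees them and once carrying the 802.1Q tag Ido suspects shows up on br0, parses both forms the way an authenticator reading a packet socket would have to, and maps the PAE group address 01:80:C2:00:00:03 to the bridge group_fwd_mask bit (0x8) that the setup writes. The MAC addresses and frame contents are constructed for the example.

```python
"""Decode 802.1X EAPOL frames, with or without an inline 802.1Q tag.

Example added for the netdev thread above; not hostapd or kernel code.
"""
import struct
from typing import Optional

ETH_P_8021Q = 0x8100
ETH_P_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 01:80:C2:00:00:03, 802.1X PAE address
LINK_LOCAL_PREFIX = bytes.fromhex("0180c20000")  # the 01:80:C2:00:00:0X range

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def group_fwd_mask_bit(group_addr: bytes) -> int:
    """Bridge group_fwd_mask bit that lets 01:80:C2:00:00:0X frames be forwarded.

    Bit X of the mask corresponds to the last octet X, so the PAE address (X = 3)
    needs 0x8, which is the value written to group_fwd_mask in the thread. The
    kernel rejects masks that include bits 0-2 (STP, pause and slow-protocol addresses).
    """
    if group_addr[:5] != LINK_LOCAL_PREFIX or group_addr[5] > 0x0F:
        raise ValueError("not a 01:80:C2:00:00:0X link-local group address")
    return 1 << group_addr[5]


def build_eapol_frame(src: bytes, version: int, eapol_type: int,
                      body: bytes = b"", vlan: Optional[int] = None) -> bytes:
    """Constructed frame: Ethernet header, optional 802.1Q tag, EAPOL header, body."""
    hdr = PAE_GROUP_ADDR + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)  # priority/DEI left at 0
    hdr += struct.pack("!H", ETH_P_EAPOL)
    return hdr + struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse one Ethernet frame carrying EAPOL; tolerates an inline 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    if len(frame) < offset + 4:
        raise ValueError("truncated EAPOL header")
    version, eapol_type, length = struct.unpack("!BBH", frame[offset:offset + 4])
    body = frame[offset + 4:offset + 4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than its length field")  # never trust the length blindly
    result = {
        "dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
        "version": version, "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
        "length": length, "to_pae_group": dst == PAE_GROUP_ADDR,
    }
    if eapol_type == 0 and length >= 4:  # EAP header: code, identifier, length[, type]
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        result["eap"] = {"code": EAP_CODES.get(code, code), "id": ident, "length": eap_len,
                         "type": body[4] if eap_len > 4 and len(body) > 4 else None}
    return result


def summarize(frame: bytes) -> str:
    """One-line summary in the spirit of the tcpdump lines in the thread."""
    p = parse_eapol_frame(frame)
    tag = f"vlan {p['vlan']}" if p["vlan"] is not None else "untagged"
    return f"{p['type']} v{p['version']} len {p['length']} ({tag})"


# Constructed sample frames (MAC addresses made up for the example).
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("66778899aabb")
# EAPOL-Start as a supplicant sends it on the access port: "EAPOL start (1) v1, len 0".
START_UNTAGGED = build_eapol_frame(SUPPLICANT, version=1, eapol_type=1)
# The same frame as it may appear after ingress on a pvid-10 port of a VLAN-filtering bridge.
START_TAGGED = build_eapol_frame(SUPPLICANT, version=1, eapol_type=1, vlan=10)
# EAP-Request/Identity (code 1, id 1, length 5, type 1): "EAP packet (0) v2, len 5".
REQ_IDENTITY = build_eapol_frame(AUTHENTICATOR, version=2, eapol_type=0,
                                 body=struct.pack("!BBHB", 1, 1, 5, 1))

if __name__ == "__main__":
    for f in (START_UNTAGGED, START_TAGGED, REQ_IDENTITY):
        print(summarize(f))
    print(f"group_fwd_mask bit for PAE address: 0x{group_fwd_mask_bit(PAE_GROUP_ADDR):x}")
```

Feeding raw frames captured on lan5 and on br0 (or br0.10) into parse_eapol_frame shows directly whether the tag is present inline at the point where the authenticator reads them, which is the difference Ido's reply asks about.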
