| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEFUPH3W83KhQG0vAF_iovFfu218HWCkKD56xNOfSB3_FhAFRw@mail.gmail.com>
Date: Thu, 8 May 2025 22:08:18 -0700
From: SIMON BABY <simonkbaby@...il.com>
To: Vladimir Oltean <olteanv@...il.com>
Cc: Ido Schimmel <idosch@...sch.org>, netdev@...r.kernel.org
Subject: Re: query on EAPOL multicast packet with linux bridge interface
On Sun, Apr 27, 2025 at 11:55 PM SIMON BABY <simonkbaby@...il.com> wrote:
>
> Hi,
>
> Can someone please suggest if we need all the patches in the link
> below for 802.1x to work on a bridge interface with DSA marvel ports
> ?
> https://lore.kernel.org/lkml/20221022115505.nlnkfy2xrgrq74li@skbuf/T/
>
> I also noticed that the iproute2 package in my kernel version does not
> include the "locked" port option. Is that the cause for the EAPOL
> packets forwarding issue on the bridge interface ?
>
> Regards
> Simon
>
>
>
>
>
> On Thu, Apr 24, 2025 at 3:22 AM Vladimir Oltean <olteanv@...il.com> wrote:
> >
> > Hello Simon,
> >
> > On Wed, Apr 23, 2025 at 06:26:40AM -0700, SIMON BABY wrote:
> > > Thank you Ido.
> > >
> > > Here is the details of my setup:
> > >
> > > I have a microchip CPU connected to an 11 port marvell 88E6390 switch.
> > > I am using the marvel linux DSA driver so that all the switch ports
> > > (lan1, lan2, lan3 etc) are part of the linux kernel.
> > >
> > > I am using hostapd as an authenticator.
> > >
> > > An 802.1x client device is connected to port lan1 and binds this port
> > > (lan1) to hostapd daemon, I can see EAPOL packets are being forwarded
> > > to a radius server.
> > >
> > > I have created a bridge with vlan filtering with below commands and
> > > bind the bridge (br0) with hostapd daemon. Now EAPOL packets are not
> > > forwarded.
> > >
> > > ip link add name br0 type bridge vlan_filtering 1
> > > ip link set dev lan1 master br0
> > > ip link set dev lan2 master br0
> > > bridge vlan add dev lan1 vid 10 pvid untagged
> > > bridge vlan add dev lan2 vid 10 pvid untagged
> > > ip link set dev br0 up
> > > ip link set dev lan1 up
> > > ip link set dev lan2 up
> > > ip link add link br0 name br0.10 type vlan id 10
> > > ip link set dev br0.10 up
> > > ip addr add 192.168.2.1/24 dev br0.10
> > > bridge vlan add vid 10 dev br0 self
> > >
> > > bridge vlan show
> > > port vlan-id
> > > lan1 10 PVID Egress Untagged
> > > lan2 10 PVID Egress Untagged
> > > br0 10
> > >
> > > echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
> > > cat /sys/class/net/br0/bridge/group_fwd_mask
> > > 0x8
> > >
> > > root@...a7g5ek-tdy-sd:~# cat /etc/hostapd.conf
> > > ##### hostapd configuration file ##############################################
> > > # Empty lines and lines starting with # are ignored
> > >
> > > # Example configuration file for wired authenticator. See hostapd.conf for
> > > # more details.
> > > interface=br0
> > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>passing br0 as interface to
> > > hostapd.
> > > driver=wired
> >
> > Could you please clarify what is the expected data path of EAPOL packets?
> > (I also have no experience with hostapd)
> > Is the forwarding to the RADIUS server something that is handled by
> > hostapd, through an IP socket, or is the kernel responsible for doing
> > that automatically somehow? Is the RADIUS server IP accessible? Does
> > hostapd log the reception of EAPOL packets? I'm trying to understand
> > whether the problem is that hostapd is not receiving or not sending
> > packets.
> >
> > I think the hostapd.conf "interface" option can be overridden by '-i'
> > command line options. I'm wondering if there's any chance that is going
> > on, and hostapd is not listening on br0.
> >
> > I don't understand the need for group_fwd_mask. In my image, you don't
> > need software forwarding of EAPOL packets among bridge ports (which that
> > option provides). You only need EAPOL frames to be received by a packet
> > socket, and routed using IP to the RADIUS server, correct? Can't you
> > just specify multiple '-i' options to hostapd, for the individual bridge
> > ports like lan1, lan2, and skip the bridge data path processing for
> > these packets, as happens by default when no group_fwd_mask is specified?
> >
> > Are you also using some other bridge port options, like 'locked', which
> > you are not showing in the steps above?
Hello,
I have some improvement with my 802.1x testing.
I have enabled the "locked port" feature and it stopped all traffic
except "EAPOL".
I am using hostapd_cli tool for monitoring the 802.1x traffic.
I see that after the authentication success, the fdb is added with a
new STA mac address. Is it done automatically with the latest 802.1x
package?
I see below logs with hostapd_cli tool.
root@...a7g5ek-tdy-sd:~# hostapd_cli -i br0.50
<3>CTRL-EVENT-EAP-STARTED 00:0e:c6:88:75:e7
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
<3>CTRL-EVENT-EAP-SUCCESS2 00:0e:c6:88:75:e7
<3>AP-STA-CONNECTED 00:0e:c6:88:75:e7
root@...a7g5ek-tdy-sd:~# bridge fdb show | grep 00:0e:c6:88:75:e7
00:0e:c6:88:75:e7 dev lan1 vlan 50 master br0
>>>>>>>>>>>>>>>> got this entry in the FDB.
root@...a7g5ek-tdy-sd:~#
Once I make the interface down, I don’t see any event with
hostapd_cli and the fdb entry got removed automatically.
I thought I would see the event AP-STA-DISCONNECTED with hostapd_cli.
Can you please suggest if I am supposed to see AP-STA-DISCONNECTED
when the interface goes down after the successful authentication ?
Do I need to do anything from the user space for the FDB entries when
we see the events AP-STA-CONNECTED and AP-STA-DISCONNECTED ?
Regards
Simon
Powered by blists - more mailing lists