Patchwork [2/2] bridge: pass through 802.1X & co. in 'dumb' mode

Submitter: David Lamparter
Date: June 28, 2011, 10:03 p.m.
Message ID: <1309298599-11266-2-git-send-email-equinox@diac24.net>
Permalink: /patch/102492/
State: Deferred
Delegated to: David Miller

Comments

David Lamparter - June 28, 2011, 10:03 p.m.
when operating without STP, we're a dumb switch and should be able to
forward ethernet management protocols like 802.1X, LLDP and GVRP.

if this is not desired, it can be enacted as local policy through
ebtables.

if we're in STP mode we basically claim to be an intelligent switch and
should implement these protocols properly (in userspace).

Signed-off-by: David Lamparter <equinox@diac24.net>
---
compile-tested only

 net/bridge/br_input.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)
Nick Carter - June 29, 2011, 10:56 p.m.
On 28 June 2011 23:03, David Lamparter <equinox@diac24.net> wrote:
> when operating without STP, we're a dumb switch and should be able to
> forward ethernet management protocols like 802.1X, LLDP and GVRP.
I don't like the idea of tying STP on / off with the forwarding of
these other protocols.  These other protocols are not dependent on
STP.  These diffs change the default behaviour so that if someone
writes an 802.1X authenticator in userspace then all deployments will
have to turn STP on to be able to use it !!

If I was a sysadmin and I configured 'bridge_stp off' in say
/etc/interfaces, I would be very surprised and alarmed to find I had
turned *on* forwarding a load of protocols.

Also many of these addresses are reserved for future use.  Do we
really want to forward them before we know what they will be used for?
Nick
>
> if this is not desired, it can be enacted as local policy through
> ebtables.
>
> if we're in STP mode we basically claim to be an intelligent switch and
> should implement these protocols properly (in userspace).
>
> Signed-off-by: David Lamparter <equinox@diac24.net>
> ---
> compile-tested only
>
>  net/bridge/br_input.c |    9 ++++++---
>  1 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> index c873db5..4cee1b5 100644
> --- a/net/bridge/br_input.c
> +++ b/net/bridge/br_input.c
> @@ -167,16 +167,19 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
>                if (dest[5] == 0x01 || dest[5] == 0x02)
>                        return RX_HANDLER_PASS;
>
> -               /* If STP is turned off, then forward */
> -               if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
> +               /* If STP is turned off, we're a dumb switch and therefore
> +                * forward the remaining link-locals. (STP, 802.1X, LLDP,
> +                * GVRP & co.) */
> +               if (p->br->stp_enabled == BR_NO_STP)
>                        goto forward;
>
>                if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
>                            NULL, br_handle_local_finish)) {
>                        return RX_HANDLER_CONSUMED; /* consumed by filter */
>                } else {
> +                       /* stay on physdev for userspace implementation */
>                        *pskb = skb;
> -                       return RX_HANDLER_PASS; /* continue processing */
> +                       return RX_HANDLER_PASS;
>                }
>        }
>
> --
> 1.7.5.3

Patch

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index c873db5..4cee1b5 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -167,16 +167,19 @@  rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
 		if (dest[5] == 0x01 || dest[5] == 0x02)
 			return RX_HANDLER_PASS;
 
-		/* If STP is turned off, then forward */
-		if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
+		/* If STP is turned off, we're a dumb switch and therefore
+		 * forward the remaining link-locals. (STP, 802.1X, LLDP,
+		 * GVRP & co.) */
+		if (p->br->stp_enabled == BR_NO_STP)
 			goto forward;
 
 		if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
 			    NULL, br_handle_local_finish)) {
 			return RX_HANDLER_CONSUMED; /* consumed by filter */
 		} else {
+			/* stay on physdev for userspace implementation */
 			*pskb = skb;
-			return RX_HANDLER_PASS;	/* continue processing */
+			return RX_HANDLER_PASS;
 		}
 	}
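Review bot: dropping `&& dest[5] == 0` from the forwarding condition widens the `goto forward` path to every link-local destination that reaches this point when STP is off, which is everything in the enclosing link-local range except the 0x01 and 0x02 cases returned just above, including reserved values the new comment does not name (the comment lists STP, 802.1X, LLDP and GVRP, but the code no longer checks for any particular address). If the intent is to let specific protocols through, spell those addresses out, e.g. `if (p->br->stp_enabled == BR_NO_STP && (dest[5] == 0x00 || dest[5] == 0x03))`, or, better, gate the behaviour on a separate per-bridge setting rather than on `stp_enabled`, since as written `bridge_stp off` silently starts forwarding frames that the bridge previously delivered locally. The removed `/* continue processing */` comment on the `RX_HANDLER_PASS` return also looks like an unrelated cleanup that should stay out of this patch.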