
[net] bridge: allow reception on disabled port

Message ID 20131010193551.462fc1f8@nehalam.linuxnetplumber.net
State RFC, archived
Delegated to: David Miller

Commit Message

Stephen Hemminger Oct. 11, 2013, 2:35 a.m. UTC
This is what I was thinking would be better.

Don't want these packets leaking into PRE_ROUTING chain or have
any chance to get flooded out other ports.

Compile tested only...

I could use another goto instead, but that becomes spaghetti and I
never like to jump back into a block.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Felix Fietkau Oct. 11, 2013, 10:18 a.m. UTC | #1
On 2013-10-11 4:35 AM, Stephen Hemminger wrote:
> This is what I was thinking would be better.
> 
> Don't want these packets leaking into PRE_ROUTING chain or have
> any chance to get flooded out other ports.
> 
> Compile tested only...
> 
> I could use another goto instead, but that becomes spaghetti and I
> never like to jump back into a block.
[...]
>  forward:
>  	switch (p->state) {
> +	case BR_STATE_DISABLED:
> +		if (!ether_addr_equal(p->br->dev->dev_addr, dest))
> +			goto drop;
Checking against the bridge device address isn't enough, WPA EAPOL
packets are addressed to the wifi device MAC address.

- Felix
Stephen Hemminger Oct. 11, 2013, 3:10 p.m. UTC | #2
On Fri, 11 Oct 2013 12:18:15 +0200
Felix Fietkau <nbd@openwrt.org> wrote:

> On 2013-10-11 4:35 AM, Stephen Hemminger wrote:
> > This is what I was thinking would be better.
> > 
> > Don't want these packets leaking into PRE_ROUTING chain or have
> > any chance to get flooded out other ports.
> > 
> > Compile tested only...
> > 
> > I could use another goto instead, but that becomes spaghetti and I
> > never like to jump back into a block.
> [...]
> >  forward:
> >  	switch (p->state) {
> > +	case BR_STATE_DISABLED:
> > +		if (!ether_addr_equal(p->br->dev->dev_addr, dest))
> > +			goto drop;
> Checking against the bridge device address isn't enough, WPA EAPOL
> packets are addressed to the wifi device MAC address.

Correct, this should be skb->dev->dev_addr, which matches against
the MAC address that the frame arrived on.

Patch

--- a/net/bridge/br_input.c	2013-10-06 14:48:24.946450042 -0700
+++ b/net/bridge/br_input.c	2013-10-10 19:32:14.227926344 -0700
@@ -152,6 +152,16 @@  static int br_handle_local_finish(struct
 	return 0;	 /* process further */
 }
 
+/* Deliver packet to local host only */
+static rx_handler_result_t br_local_only(struct sk_buff *skb)
+{
+	if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
+		    NULL, br_handle_local_finish))
+		return RX_HANDLER_CONSUMED; /* consumed by filter */
+	else
+		return RX_HANDLER_PASS;	/* continue processing */
+}
+
 /*
  * Return NULL if skb is handled
  * note: already called with rcu_read_lock
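Review bot: br_local_only() relies on its caller having already stored skb into *pskb before it returns RX_HANDLER_PASS, but nothing on the helper says so; the old inline code only wrote *pskb on the PASS branch, and the new call sites write it unconditionally before calling the helper, so a one-line comment on br_local_only() such as "caller must set *pskb = skb before calling" would stop a future caller from omitting it. The CONSUMED/PASS mapping itself is preserved: NF_HOOK returns non-zero when the hook steals or drops the skb, and br_handle_local_finish() returns 0 to keep processing, exactly as the replaced block did.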
@@ -206,18 +216,20 @@  rx_handler_result_t br_handle_frame(stru
 				goto forward;
 		}
 
-		/* Deliver packet to local host only */
-		if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
-			    NULL, br_handle_local_finish)) {
-			return RX_HANDLER_CONSUMED; /* consumed by filter */
-		} else {
-			*pskb = skb;
-			return RX_HANDLER_PASS;	/* continue processing */
-		}
+		*pskb = skb;
+		return br_local_only(skb);
 	}
 
 forward:
 	switch (p->state) {
+	case BR_STATE_DISABLED:
+		if (!ether_addr_equal(p->br->dev->dev_addr, dest))
+			goto drop;
+
+		skb->pkt_type = PACKET_HOST;
+		*pskb = skb;
+		return br_local_only(skb);
+
 	case BR_STATE_FORWARDING:
 		rhook = rcu_dereference(br_should_route_hook);
 		if (rhook) {
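Review bot: the new BR_STATE_DISABLED case compares dest against p->br->dev->dev_addr, the bridge device's own address, which is the wrong address for the stated use case: as the thread points out, 802.1X/EAPOL frames on a wireless port are unicast to the port interface's MAC, so they would take `goto drop` here. The comparison should be against the receiving port, i.e. `if (!ether_addr_equal(skb->dev->dev_addr, dest))`, as the author agrees in reply #2. If frames addressed to the bridge's own MAC (when it differs from the port's) are also meant to be accepted on a disabled port, both addresses need to be checked, and the commit message should say which is intended. Either way the unicast-only test does give the property the commit message wants: broadcast and multicast destinations never match, so they can neither be flooded to other ports nor reach the NF_BR_PRE_ROUTING chain from a disabled port. The unconditional `skb->pkt_type = PACKET_HOST;` also deserves a short comment explaining why the type is overridden before local delivery.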