From: Rafał Miłecki <ra...@milecki.pl>

EAPOL frames have the wireless interface address specified as destination. That makes the "dst->is_local" condition true for them and results in upstream code processing frames the same way as OpenWrt/LEDE's hack.
This code could be needed years ago but currently it seems redundant. Signed-off-by: Rafał Miłecki <ra...@milecki.pl> --- .../640-bridge-only-accept-EAP-locally.patch | 32 ---------------------- .../hack-4.14/641-bridge_port_isolate.patch | 2 +- .../640-bridge-only-accept-EAP-locally.patch | 32 ---------------------- .../generic/hack-4.9/641-bridge_port_isolate.patch | 2 +- .../pending-4.4/640-bridge_no_eap_forward.patch | 23 ---------------- .../pending-4.4/642-bridge_port_isolate.patch | 2 +- 6 files changed, 3 insertions(+), 90 deletions(-) delete mode 100644 target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch delete mode 100644 target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch delete mode 100644 target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch diff --git a/target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch b/target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch deleted file mode 100644 index 83c9cf739f..0000000000 --- a/target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From c6905cfdeb31a5c049db3da434b10fa0d3e83569 Mon Sep 17 00:00:00 2001 -From: Felix Fietkau <n...@nbd.name> -Date: Fri, 7 Jul 2017 17:18:54 +0200 -Subject: bridge: only accept EAP locally - -When bridging, do not forward EAP frames to other ports, only deliver -them locally, regardless of the state. - -Signed-off-by: Felix Fietkau <n...@nbd.name> ---- - net/bridge/br_input.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/net/bridge/br_input.c -+++ b/net/bridge/br_input.c -@@ -166,11 +166,14 @@ int br_handle_frame_finish(struct net *n - } - } - -+ BR_INPUT_SKB_CB(skb)->brdev = br->dev; -+ -+ if (skb->protocol == htons(ETH_P_PAE)) -+ return br_pass_frame_up(skb); -+ - if (p->state == BR_STATE_LEARNING) - goto drop; - -- BR_INPUT_SKB_CB(skb)->brdev = br->dev; -- - if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP)) - br_do_proxy_arp(skb, br, vid, p); - diff --git a/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch b/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch index 538dbd16b0..8f3e0219b0 100644 --- a/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch +++ b/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch @@ -46,7 +46,7 @@ Signed-off-by: Felix Fietkau <n...@nbd.name> */ --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c -@@ -177,6 +177,9 @@ int br_handle_frame_finish(struct net *n +@@ -174,6 +174,9 @@ int br_handle_frame_finish(struct net *n if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP)) br_do_proxy_arp(skb, br, vid, p); diff --git a/target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch b/target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch deleted file mode 100644 index ba87420b32..0000000000 --- a/target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From c6905cfdeb31a5c049db3da434b10fa0d3e83569 Mon Sep 17 00:00:00 2001 -From: Felix Fietkau <n...@nbd.name> -Date: Fri, 7 Jul 2017 17:18:54 +0200 -Subject: bridge: only accept EAP locally - -When bridging, do not forward EAP frames to other ports, only deliver -them locally, regardless of the state. - -Signed-off-by: Felix Fietkau <n...@nbd.name> ---- - net/bridge/br_input.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/net/bridge/br_input.c -+++ b/net/bridge/br_input.c -@@ -164,11 +164,14 @@ int br_handle_frame_finish(struct net *n - } - } - -+ BR_INPUT_SKB_CB(skb)->brdev = br->dev; -+ -+ if (skb->protocol == htons(ETH_P_PAE)) -+ return br_pass_frame_up(skb); -+ - if (p->state == BR_STATE_LEARNING) - goto drop; - -- BR_INPUT_SKB_CB(skb)->brdev = br->dev; -- - if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP)) - br_do_proxy_arp(skb, br, vid, p); - diff --git a/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch b/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch index 0d0b2c73ff..9c797f5a4d 100644 --- a/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch +++ b/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch @@ -46,7 +46,7 @@ Signed-off-by: Felix Fietkau <n...@nbd.name> continue; --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c -@@ -175,6 +175,9 @@ int br_handle_frame_finish(struct net *n +@@ -172,6 +172,9 @@ int br_handle_frame_finish(struct net *n if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP)) br_do_proxy_arp(skb, br, vid, p); diff --git a/target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch b/target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch deleted file mode 100644 index a6dfb4ee59..0000000000 --- a/target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From: Felix Fietkau <n...@nbd.name> -Subject: [PATCH] bridge: no EAP forward - -When bridging, do not forward EAP frames to other ports, only deliver -them locally. -Fixes WPA authentication issues with multiples APs that are connected to -each other via bridges. ---- ---- a/net/bridge/br_input.c -+++ b/net/bridge/br_input.c -@@ -169,7 +169,11 @@ int br_handle_frame_finish(struct net *n - if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP)) - br_do_proxy_arp(skb, br, vid, p); - -- if (is_broadcast_ether_addr(dest)) { -+ if (skb->protocol == htons(ETH_P_PAE)) { -+ skb2 = skb; -+ /* Do not forward 802.1x/EAP frames */ -+ skb = NULL; -+ } else if (is_broadcast_ether_addr(dest)) { - skb2 = skb; - unicast = false; - } else if (is_multicast_ether_addr(dest)) { diff --git a/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch b/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch index 02dfea4659..85632af8a6 100644 --- a/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch +++ b/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch @@ -48,7 +48,7 @@ Isolating individual bridge ports --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c -@@ -192,8 +192,8 @@ int br_handle_frame_finish(struct net *n +@@ -188,8 +188,8 @@ int br_handle_frame_finish(struct net *n unicast = false; br->dev->stats.multicast++; -- 2.11.0 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
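Review bot: The deleted hack-4.14 and hack-4.9 patches matched on `skb->protocol == htons(ETH_P_PAE)` alone and returned br_pass_frame_up(skb) ahead of the `if (p->state == BR_STATE_LEARNING) goto drop;` check, so they kept every EAPOL frame off the other bridge ports whatever its destination MAC and whatever the port state. The commit message only argues the case where the destination is the wireless interface address. With the hack gone, an ETH_P_PAE frame with any other destination takes the normal forwarding path, and one received on a port in BR_STATE_LEARNING is dropped instead of delivered locally. Please say in the commit message that both cases were considered and why they are acceptable, and point to the upstream dst->is_local code being relied on, since it does not appear in any hunk here.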
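Review bot: The deleted pending-4.4 patch is not the same mechanism as the 4.9/4.14 one: it sits in the if/else chain after br_do_proxy_arp() and sets `skb2 = skb; skb = NULL;` for ETH_P_PAE, and its description says it fixes WPA authentication issues with multiple APs connected to each other via bridges. The commit message treats all three files as one hack and does not say which kernel versions the equivalence with upstream was checked on, or whether that multi-AP bridged setup was retested. Please add that per kernel version, or split the 4.4 removal into its own commit so it can be reverted separately.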