Message ID | 1381409570-1892-1-git-send-email-nbd@openwrt.org |
---|---|
State | Rejected, archived |
Delegated to: | David Miller |
On Thu, 10 Oct 2013 14:52:50 +0200
Felix Fietkau <nbd@openwrt.org> wrote:

> When an ethernet device is enslaved to a bridge, and the bridge STP
> detects loss of carrier (or operational state down), then normally
> packet reception is blocked.
>
> This breaks control applications like WPA which may be expecting to
> receive packets to negotiate to bring link up. The bridge needs to
> block forwarding packets from these disabled ports, but there is no
> hard requirement to not allow local packet delivery.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Signed-off-by: Felix Fietkau <nbd@openwrt.org>

No. This will cause duplicate packets to be delivered.

If doing a link layer protocol like WPA then it should be done directly
on the underlying device, not the bridge itself.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On 2013-10-10 10:36 PM, Stephen Hemminger wrote:
> On Thu, 10 Oct 2013 14:52:50 +0200
> Felix Fietkau <nbd@openwrt.org> wrote:
>
>> When an ethernet device is enslaved to a bridge, and the bridge STP
>> detects loss of carrier (or operational state down), then normally
>> packet reception is blocked.
>>
>> This breaks control applications like WPA which may be expecting to
>> receive packets to negotiate to bring link up. The bridge needs to
>> block forwarding packets from these disabled ports, but there is no
>> hard requirement to not allow local packet delivery.
>>
>> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
>> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>
> No. This will cause duplicate packets to be delivered.

How? I haven't observed any duplications in my tests with this patch.

> If doing a link layer protocol like WPA then it should be done directly
> on the underlying device, not the bridge itself.

When the ETH_P_PAE protocol is set for the packet socket inside
wpa_supplicant, the bridge steals all packets before the protocol
handler gets them.
In __netif_receive_skb_core, only ptype_all gets processed before the rx
handler, not ptype_base.

- Felix

On Thu, 10 Oct 2013 22:56:33 +0200
Felix Fietkau <nbd@openwrt.org> wrote:

> On 2013-10-10 10:36 PM, Stephen Hemminger wrote:
> > On Thu, 10 Oct 2013 14:52:50 +0200
> > Felix Fietkau <nbd@openwrt.org> wrote:
> >
> >> When an ethernet device is enslaved to a bridge, and the bridge STP
> >> detects loss of carrier (or operational state down), then normally
> >> packet reception is blocked.
> >>
> >> This breaks control applications like WPA which may be expecting to
> >> receive packets to negotiate to bring link up. The bridge needs to
> >> block forwarding packets from these disabled ports, but there is no
> >> hard requirement to not allow local packet delivery.
> >>
> >> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
> >
> > No. This will cause duplicate packets to be delivered.
> How? I haven't observed any duplications in my tests with this patch.

The purpose of DISABLED state is to break loops in the bridge tree.
If packet is flooded by another bridge (Broadcast Unknown or Multicast)
then it will go down both paths.

>
> > If doing a link layer protocol like WPA then it should be done directly
> > on the underlying device, not the bridge itself.
> When the ETH_P_PAE protocol is set for the packet socket inside
> wpa_supplicant, the bridge steals all packets before the protocol
> handler gets them.
> In __netif_receive_skb_core, only ptype_all gets processed before the rx
> handler, not ptype_base.

Thought it was using direct type all. Or at least the link local multicast
address.

Can you revise it to only accept packets directed to link local multicast
address or local address, and go through the local_finish handler.

On 2013-10-10 11:52 PM, Stephen Hemminger wrote:
> On Thu, 10 Oct 2013 22:56:33 +0200
> Felix Fietkau <nbd@openwrt.org> wrote:
>
>> On 2013-10-10 10:36 PM, Stephen Hemminger wrote:
>> > On Thu, 10 Oct 2013 14:52:50 +0200
>> > Felix Fietkau <nbd@openwrt.org> wrote:
>> >
>> >> When an ethernet device is enslaved to a bridge, and the bridge STP
>> >> detects loss of carrier (or operational state down), then normally
>> >> packet reception is blocked.
>> >>
>> >> This breaks control applications like WPA which may be expecting to
>> >> receive packets to negotiate to bring link up. The bridge needs to
>> >> block forwarding packets from these disabled ports, but there is no
>> >> hard requirement to not allow local packet delivery.
>> >>
>> >> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
>> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>> >
>> > No. This will cause duplicate packets to be delivered.
>> How? I haven't observed any duplications in my tests with this patch.
>
> The purpose of DISABLED state is to break loops in the bridge tree.
> If packet is flooded by another bridge (Broadcast Unknown or Multicast)
> then it will go down both paths.

Ah, right.

>> > If doing a link layer protocol like WPA then it should be done directly
>> > on the underlying device, not the bridge itself.
>> When the ETH_P_PAE protocol is set for the packet socket inside
>> wpa_supplicant, the bridge steals all packets before the protocol
>> handler gets them.
>> In __netif_receive_skb_core, only ptype_all gets processed before the rx
>> handler, not ptype_base.
>
> Thought it was using direct type all. Or at least the link local multicast
> address.
>
> Can you revise it to only accept packets directed to link local multicast
> address or local address, and go through the local_finish handler.

The destination address in WPA EAPOL packets from the AP is set to the
MAC address of the client, which may not be the same as the one from the
bridge.

- Felix

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index a2fd37e..0a8a8cd 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -146,9 +146,11 @@ static int br_handle_local_finish(struct sk_buff *skb) struct net_bridge_port *p = br_port_get_rcu(skb->dev); u16 vid = 0; - br_vlan_get_tag(skb, &vid); - if (p->flags & BR_LEARNING) - br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid); + if (p->state != BR_STATE_DISABLED) { + br_vlan_get_tag(skb, &vid); + if (p->flags & BR_LEARNING) + br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid); + } return 0; /* process further */ } @@ -218,6 +220,18 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb) forward: switch (p->state) { + case BR_STATE_DISABLED: + if (ether_addr_equal(p->br->dev->dev_addr, dest)) + skb->pkt_type = PACKET_HOST; + + if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, + br_handle_local_finish)) + break; + + BR_INPUT_SKB_CB(skb)->brdev = p->br->dev; + br_pass_frame_up(skb); + break; + case BR_STATE_FORWARDING: rhook = rcu_dereference(br_should_route_hook); if (rhook) {
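
Review bot: the `p->state != BR_STATE_DISABLED` guard added in br_handle_local_finish() (first hunk) needs a comment saying why a disabled port must not reach br_fdb_update(). The second hunk now passes this function to NF_HOOK for BR_STATE_DISABLED ports, and a reader looking at br_handle_local_finish() alone cannot tell that the check exists to keep those frames out of the FDB. A one-line comment above the `if`, stating that frames from disabled ports may be delivered locally but must not be learned from, would make the dependency between the two hunks explicit.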
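
Review bot: in the BR_STATE_DISABLED case added to br_handle_frame() (second hunk), the `ether_addr_equal(p->br->dev->dev_addr, dest)` test only sets `skb->pkt_type`; it does not gate delivery, so br_pass_frame_up() runs for every frame that arrives on a disabled port, whatever its destination. That includes flooded broadcast and multicast frames, which is the duplicate-delivery case raised in the thread: the same frame can reach the bridge device once through the forwarding port and again through the disabled one. Suggest dropping frames in this case unless they match a filter for the traffic the control application needs, and documenting that filter in a comment. Per the thread, matching on the bridge address alone is not sufficient, since EAPOL frames are addressed to the client MAC, which may differ from the bridge's.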