* Re: [Bridge] linux bridge does not bridge bpdu packets
From: Cameron Schaus @ 2007-04-21 23:20 UTC (permalink / raw)
To: sleon; +Cc: bridge
Roman Glebov wrote:
>The problem is: all stp packets which come to one side of the bridge are
>not forwarded to the other side, which disturbs stp when this device is
>put in between two stp capable devices.
>It forwards all traffic through it.
>Normal udp/tcp traffic is forwarded.
>
>I switched stp on it "off" so it does not participate in Spanning tree
>communications.
>
>
I don't think you are doing anything wrong. I asked this question a
while back, and was told that this behaviour conforms to the 802 spec.
Please see:
https://lists.linux-foundation.org/pipermail/bridge/2006-December/005169.html
Cam
* [Bridge] linux bridge does not bridge bpdu packets
From: Roman Glebov @ 2007-04-22 0:36 UTC (permalink / raw)
To: bridge
Hello,
I have here a transparent linux based bridge.
The problem is: all stp packets which come to one side of the bridge are
not forwarded to the other side, which disturbs stp when this device is
put in between two stp capable devices.
It forwards all traffic through it.
Normal udp/tcp traffic is forwarded.
I switched stp on it "off" so it does not participate in Spanning tree
communications.
It is a very simple setup:
br0 with eth0 and eth1 as ports, without any additional firewall rules.
I am using the 2.6.18-4-686 Debian kernel (testing).
I even did setfd br0 0.
What am I doing wrong?
Do I need to use ebtables to explicitly forward the traffic?
With regards,
Roman Glebov
* Re: [Bridge] linux bridge does not bridge bpdu packets
From: Roman Glebov @ 2007-04-22 10:15 UTC (permalink / raw)
To: Cameron Schaus; +Cc: bridge
Hello,
Thank you very much for that suggestion.
I need that it forwards that functionality.
Because it should be completely transparent.
I think I will patch the kernel.
With regards,
Roman Glebov
* Re: [Bridge] linux bridge does not bridge bpdu packets
From: Stephen Hemminger @ 2007-04-22 16:50 UTC (permalink / raw)
To: sleon; +Cc: bridge
Roman Glebov wrote:
> Hello,
>
> I have here a transparent linux based bridge.
>
> The problem is: all stp packets which come to one side of the bridge are
> not forwarded to the other side, which disturbs stp when this device is
> put in between two stp capable devices.
> It forwards all traffic through it.
> Normal udp/tcp traffic is forwarded.
>
> I switched stp on it "off" so it does not participate in Spanning tree
> communications.
>
> It is a very simple setup:
> br0 with eth0 and eth1 as ports, without any additional firewall rules.
>
> I am using the 2.6.18-4-686 Debian kernel (testing).
>
> I even did setfd br0 0.
>
> What am I doing wrong?
>
> Do I need to use ebtables to explicitly forward the traffic?
>
Turn on STP in the bridge; it will then receive, process and send its
own STP BPDU's.
* Re: [Bridge] linux bridge does not bridge bpdu packets
From: Roman Glebov @ 2007-04-23 9:53 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: bridge
> Roman Glebov wrote:
>> Hello,
>>
>> I have here a transparent linux based bridge.
>>
>> The problem is: all stp packets which come to one side of the bridge are
>> not forwarded to the other side, which disturbs stp when this device is
>> put in between two stp capable devices.
>> It forwards all traffic through it.
>> Normal udp/tcp traffic is forwarded.
>>
>> I switched stp on it "off" so it does not participate in Spanning tree
>> communications.
>>
>> It is a very simple setup:
>> br0 with eth0 and eth1 as ports, without any additional firewall rules.
>>
>> I am using the 2.6.18-4-686 Debian kernel (testing).
>>
>> I even did setfd br0 0.
>>
>> What am I doing wrong?
>>
>> Do I need to use ebtables to explicitly forward the traffic?
>>
> Turn on STP in the bridge; it will then receive, process and send its
> own STP BPDU's.
>
This makes my "stealth" bridge not stealthy anymore,
because you can see its MAC in the BPDU packets.
That is what I want to prevent.
I want it to be completely transparent and not seen in the network traffic.
So should I patch the kernel for it?
Roman Glebov
* Re: [Bridge] linux bridge does not bridge bpdu packets
From: Roman Glebov @ 2007-04-23 13:52 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: bridge
Hello,
when I disable all lines in net/bridge/br.c which are related to the following
lines:

    static struct llc_sap *br_stp_sap;
    ..
    br_stp_sap = llc_sap_open(LLC_SAP_BSPAN, br_stp_rcv);
    if (!br_stp_sap) {
            printk(KERN_ERR "bridge: can't register sap for STP\n");
            return -EADDRINUSE;
    }
    ...

will I get as a result that all stp packets are passed untouched over the
bridge?
With regards,
Roman Glebov
* Re: [Bridge] linux bridge does not bridge bpdu packets
From: Stephen Hemminger @ 2007-04-23 23:56 UTC (permalink / raw)
To: sleon; +Cc: bridge
> > This makes my "stealth" bridge not stealthy anymore,
> > because you can see its MAC in the BPDU packets.
> >
> > That is what I want to prevent.
> > I want it to be completely transparent and not seen in the network
> > traffic.
> >
> > So should I patch the kernel for it?

Hmm.. My first priority is to make sure that the bridge
code is stable for users, i.e. it doesn't cause network disasters.
Second is following the standard, and third is making it
useful for all the weird tricks (like being fully transparent)
that everyone seems to want the code to do.

But in this case, I think if STP is disabled, the bridge would
be more stable if it just forwarded the spanning tree packets.
The rationale is that if someone leaves STP off on one bridge,
but there are multiple paths from a bridge that is using spanning
tree, then the bridge that is doing STP will see and break the
potentially disastrous network loop.

Therefore, I suggest the following (probably not until 2.6.22)
change:

From 6188ced799c07054c64b0e15a645c674b0d256b8 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <shemminger@linux-foundation.org>
Date: Mon, 23 Apr 2007 16:54:20 -0700
Subject: [PATCH] bridge: forward STP BPDU's if not doing spanning tree
If not doing spanning tree protocol then it is safer to just forward
any STP BPDU's received. This allows any device using STP to still
detect loops if there is a misconnected transparent bridge.
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
---
net/bridge/br_input.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 8a55276..85605bd 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -131,8 +131,9 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
goto drop;
- if (unlikely(is_link_local(dest))) {
- skb->pkt_type = PACKET_HOST;
+ /* Don't forward 802.1x packets */
+ if (p->br->stp_enabled != BR_NO_STP && is_link_local(dest)) {
+ skb->pkt_type = PACKET_MULTICAST;
return (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
NULL, br_handle_local_finish) == 0) ? skb : NULL;
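Review bot: the added comment "Don't forward 802.1x packets" does not describe the condition on the line below it. `is_link_local(dest)` is now evaluated only when `p->br->stp_enabled != BR_NO_STP`, so with STP off every destination that `is_link_local()` matches skips this branch and continues down the normal forwarding path, including the 802.1x frames the comment says must not be forwarded; the commit message only argues for forwarding STP BPDU's. Suggest either keeping the `is_link_local(dest)` test unconditional and carving out just the BPDU case when STP is off, or rewording the comment to state that link-local frames are kept local only while STP is running. The hunk also drops the `unlikely()` hint and changes `skb->pkt_type` from `PACKET_HOST` to `PACKET_MULTICAST` on the STP-enabled path without a word in the commit message; each deserves a line of justification.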
--
1.5.0.6
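As an added illustration (not code from this thread or from the kernel), the user-space C model below contrasts the forwarding decision before and after the condition proposed in the patch above. It assumes the link-local test matches the whole reserved group block 01:80:C2:00:00:00 to 0F; all function and enum names are hypothetical and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the link-local test covers 01:80:C2:00:00:00 .. 0F. */
static const uint8_t reserved_prefix[5] = { 0x01, 0x80, 0xC2, 0x00, 0x00 };

enum verdict { KEEP_LOCAL, NORMAL_FORWARDING };  /* hypothetical names */

static bool is_reserved_group(const uint8_t dest[6])
{
    return memcmp(dest, reserved_prefix, 5) == 0 && (dest[5] & 0xF0) == 0;
}

/* Before the patch: reserved-group frames never reach the forwarding path. */
static enum verdict decide_before(const uint8_t dest[6], bool stp_enabled)
{
    (void)stp_enabled;
    return is_reserved_group(dest) ? KEEP_LOCAL : NORMAL_FORWARDING;
}

/* Proposed condition: kept local only while the bridge runs STP. */
static enum verdict decide_after(const uint8_t dest[6], bool stp_enabled)
{
    return (stp_enabled && is_reserved_group(dest)) ? KEEP_LOCAL
                                                    : NORMAL_FORWARDING;
}

/* Constructed sample destinations. */
static const uint8_t DEST_STP[6]   = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x00 };
static const uint8_t DEST_8021X[6] = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
static const uint8_t DEST_HOST[6]  = { 0x02, 0x00, 0x00, 0xAA, 0xBB, 0xCC };

int main(void)
{
    const struct { const char *name; const uint8_t *dest; } rows[] = {
        { "STP BPDU", DEST_STP }, { "802.1X", DEST_8021X }, { "unicast", DEST_HOST },
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        for (int stp = 0; stp <= 1; stp++)
            printf("%-8s stp=%d before=%s after=%s\n", rows[i].name, stp,
                   decide_before(rows[i].dest, stp) == KEEP_LOCAL ? "local" : "forward",
                   decide_after(rows[i].dest, stp) == KEEP_LOCAL ? "local" : "forward");
    return 0;
}
```

With STP off, the 802.1X row moves from local to forward together with the BPDU row, which is the side effect to weigh when reviewing the condition.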
* [Bridge] Re: linux bridge does not bridge bpdu packets
From: Benny Amorsen @ 2007-04-25 6:55 UTC (permalink / raw)
To: bridge
>>>>> "SH" == Stephen Hemminger <shemminger@linux-foundation.org> writes:
SH> - if (unlikely(is_link_local(dest))) {
SH> - skb->pkt_type = PACKET_HOST;
SH> + /* Don't forward 802.1x packets */
SH> + if (p->br->stp_enabled != BR_NO_STP && is_link_local(dest)) {
SH> + skb->pkt_type = PACKET_MULTICAST;
Maybe I'm stupid here, but why change behaviour even in the case where
STP is enabled? (The PACKET_HOST -> PACKET_MULTICAST change)
/Benny
Thread overview: 8+ messages
2007-04-22 0:36 [Bridge] linux bridge does not bridge bpdu packets Roman Glebov
2007-04-21 23:20 ` Cameron Schaus
2007-04-22 10:15 ` Roman Glebov
2007-04-22 16:50 ` Stephen Hemminger
2007-04-23 9:53 ` Roman Glebov
2007-04-23 13:52 ` Roman Glebov
2007-04-23 23:56 ` Stephen Hemminger
2007-04-25 6:55 ` [Bridge] " Benny Amorsen