From: David Miller <davem@davemloft.net>
To: idosch@mellanox.com
Cc: john.fastabend@gmail.com, yotamg@mellanox.com,
netdev@vger.kernel.org, bridge@lists.linux-foundation.org,
fw@strlen.de, jiri@mellanox.com, nogahf@mellanox.com,
eladr@mellanox.com, ogerlitz@mellanox.com
Subject: Re: [PATCH net] bridge: Fix incorrect re-injection of LLDP packets
Date: Mon, 25 Jul 2016 10:54:16 -0700 (PDT)
Message-ID: <20160725.105416.2123454512115321360.davem@davemloft.net>
In-Reply-To: <1469188580-12657-1-git-send-email-idosch@mellanox.com>
From: Ido Schimmel <idosch@mellanox.com>
Date: Fri, 22 Jul 2016 14:56:20 +0300
> Commit 8626c56c8279 ("bridge: fix potential use-after-free when hook
> returns QUEUE or STOLEN verdict") caused LLDP packets arriving through a
> bridge port to be re-injected to the Rx path with skb->dev set to the
> bridge device, but this breaks the lldpad daemon.
>
> The lldpad daemon opens a packet socket with protocol set to ETH_P_LLDP
> for any valid device on the system, which doesn't include soft
> devices such as bridge and VLAN.
>
> Since packet sockets (ptype_base) are processed in the Rx path after the
> Rx handler, LLDP packets with skb->dev set to the bridge device never
> reach the lldpad daemon.
>
> Fix this by making the bridge's Rx handler re-inject LLDP packets with
> RX_HANDLER_PASS, which effectively restores the behaviour prior to the
> mentioned commit.
>
> This means netfilter will never receive LLDP packets coming through a
> bridge port, as I don't see a way in which we can have okfn() consume
> the packet without breaking existing behaviour. I've already carried out
> a similar fix for STP packets in commit 56fae404fb2c ("bridge: Fix
> incorrect re-injection of STP packets").
>
> Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
> Signed-off-by: Ido Schimmel <idosch@mellanox.com>
> Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Applied, but... sigh... nothing about bridging and netfilter is clean,
what a mess.
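
A minimal check of the delivery behaviour described in the quoted commit message, added here as an example (it is not lldpad's code and not part of the patch or this thread): it opens a packet socket for ETH_P_LLDP bound to a single device, the way the commit message says lldpad does, and waits for one frame. The helper names `lldp_bind_addr` and `is_lldp_frame` are hypothetical.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef ETH_P_LLDP
#define ETH_P_LLDP 0x88CC /* LLDP EtherType, for older headers */
#endif

/* Bind address for a packet socket limited to LLDP on one device. */
void lldp_bind_addr(struct sockaddr_ll *sll, int ifindex)
{
    memset(sll, 0, sizeof(*sll));
    sll->sll_family = AF_PACKET;
    sll->sll_protocol = htons(ETH_P_LLDP);
    sll->sll_ifindex = ifindex;
}

/* Return 1 if buf holds an Ethernet frame whose EtherType is LLDP. */
int is_lldp_frame(const unsigned char *buf, size_t len)
{
    return len >= ETH_HLEN && buf[12] == 0x88 && buf[13] == 0xCC;
}

/* Usage: ./lldpcheck <bridge-port-ifname>   (needs CAP_NET_RAW) */
int main(int argc, char **argv)
{
    unsigned char buf[ETH_FRAME_LEN];
    struct sockaddr_ll sll;
    unsigned int ifindex = argc > 1 ? if_nametoindex(argv[1]) : 0;
    int fd;

    if (!ifindex) { fprintf(stderr, "usage: %s <ifname>\n", argv[0]); return 2; }
    fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_LLDP));
    lldp_bind_addr(&sll, (int)ifindex);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        perror("packet socket"); return 1;
    }
    /* Blocks until a frame is delivered with skb->dev == this device. */
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    printf("%s: %s\n", argv[1], n > 0 && is_lldp_frame(buf, (size_t)n)
           ? "LLDP frame received" : "no LLDP frame");
    close(fd);
    return 0;
}
```

Run it against a bridge port while a neighbour is sending LLDP: if frames are re-injected with skb->dev set to the bridge device, as the commit message describes, the socket bound to the port never receives them and `recv()` keeps blocking.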