[LEDE-DEV] [PATCH] kernel: drop patch hacking bridge to accept EAP only locally
Rafał Miłecki
zajec5 at gmail.com
Mon Mar 12 06:56:28 PDT 2018
From: Rafał Miłecki <rafal at milecki.pl>

EAPOL frames have wireless interface address specified as destination.
That makes "dst->is_local" condition true for them and results in
upstream code processing frames the same way as OpenWrt/LEDE's hack.

This code could have been needed years ago but currently it seems redundant.

Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
---
.../640-bridge-only-accept-EAP-locally.patch | 32 ----------------------
.../hack-4.14/641-bridge_port_isolate.patch | 2 +-
.../640-bridge-only-accept-EAP-locally.patch | 32 ----------------------
.../generic/hack-4.9/641-bridge_port_isolate.patch | 2 +-
.../pending-4.4/640-bridge_no_eap_forward.patch | 23 ----------------
.../pending-4.4/642-bridge_port_isolate.patch | 2 +-
6 files changed, 3 insertions(+), 90 deletions(-)
delete mode 100644 target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch
delete mode 100644 target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch
delete mode 100644 target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch
diff --git a/target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch b/target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch
deleted file mode 100644
index 83c9cf739f..0000000000
--- a/target/linux/generic/hack-4.14/640-bridge-only-accept-EAP-locally.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c6905cfdeb31a5c049db3da434b10fa0d3e83569 Mon Sep 17 00:00:00 2001
-From: Felix Fietkau <nbd at nbd.name>
-Date: Fri, 7 Jul 2017 17:18:54 +0200
-Subject: bridge: only accept EAP locally
-
-When bridging, do not forward EAP frames to other ports, only deliver
-them locally, regardless of the state.
-
-Signed-off-by: Felix Fietkau <nbd at nbd.name>
----
- net/bridge/br_input.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/net/bridge/br_input.c
-+++ b/net/bridge/br_input.c
-@@ -166,11 +166,14 @@ int br_handle_frame_finish(struct net *n
- }
- }
-
-+ BR_INPUT_SKB_CB(skb)->brdev = br->dev;
-+
-+ if (skb->protocol == htons(ETH_P_PAE))
-+ return br_pass_frame_up(skb);
-+
- if (p->state == BR_STATE_LEARNING)
- goto drop;
-
-- BR_INPUT_SKB_CB(skb)->brdev = br->dev;
--
- if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
- br_do_proxy_arp(skb, br, vid, p);
-
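
Review bot: the removed hunk tested `skb->protocol == htons(ETH_P_PAE)` ahead of the `p->state == BR_STATE_LEARNING` check, so EAPOL frames were passed up "regardless of the state", and it matched on ethertype rather than on destination. The commit message argues only the `dst->is_local` case; with this patch gone, a PAE frame arriving on a port still in the learning state hits the `goto drop` shown in the context lines. Please state in the commit message whether authentication over a port that has not yet reached forwarding was considered or tested, or why it cannot occur.
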
diff --git a/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch b/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch
index 538dbd16b0..8f3e0219b0 100644
--- a/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch
+++ b/target/linux/generic/hack-4.14/641-bridge_port_isolate.patch
@@ -46,7 +46,7 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
*/
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
-@@ -177,6 +177,9 @@ int br_handle_frame_finish(struct net *n
+@@ -174,6 +174,9 @@ int br_handle_frame_finish(struct net *n
if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
br_do_proxy_arp(skb, br, vid, p);
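
Review bot: only the `@@` offset of the `br_input.c` hunk changes here (177 to 174), which matches the net three lines the dropped 640 patch added (5 insertions, 2 deletions). The commit message does not mention that 641/642 are touched at all; a line such as "refresh following patches" would make clear these edits carry no functional change.
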
diff --git a/target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch b/target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch
deleted file mode 100644
index ba87420b32..0000000000
--- a/target/linux/generic/hack-4.9/640-bridge-only-accept-EAP-locally.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c6905cfdeb31a5c049db3da434b10fa0d3e83569 Mon Sep 17 00:00:00 2001
-From: Felix Fietkau <nbd at nbd.name>
-Date: Fri, 7 Jul 2017 17:18:54 +0200
-Subject: bridge: only accept EAP locally
-
-When bridging, do not forward EAP frames to other ports, only deliver
-them locally, regardless of the state.
-
-Signed-off-by: Felix Fietkau <nbd at nbd.name>
----
- net/bridge/br_input.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/net/bridge/br_input.c
-+++ b/net/bridge/br_input.c
-@@ -164,11 +164,14 @@ int br_handle_frame_finish(struct net *n
- }
- }
-
-+ BR_INPUT_SKB_CB(skb)->brdev = br->dev;
-+
-+ if (skb->protocol == htons(ETH_P_PAE))
-+ return br_pass_frame_up(skb);
-+
- if (p->state == BR_STATE_LEARNING)
- goto drop;
-
-- BR_INPUT_SKB_CB(skb)->brdev = br->dev;
--
- if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
- br_do_proxy_arp(skb, br, vid, p);
-
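
Review bot: the header of this removed patch carries `Date: Fri, 7 Jul 2017`, which sits oddly with the commit message's statement that the code was needed years ago. If that date comes from a later rework of an older hack (the 4.4 copy has no date and a different implementation), say so in the commit message, and name the upstream behaviour or commit that makes the 4.9 and 4.14 copies redundant so the claim can be checked.
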
diff --git a/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch b/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch
index 0d0b2c73ff..9c797f5a4d 100644
--- a/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch
+++ b/target/linux/generic/hack-4.9/641-bridge_port_isolate.patch
@@ -46,7 +46,7 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
continue;
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
-@@ -175,6 +175,9 @@ int br_handle_frame_finish(struct net *n
+@@ -172,6 +172,9 @@ int br_handle_frame_finish(struct net *n
if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
br_do_proxy_arp(skb, br, vid, p);
diff --git a/target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch b/target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch
deleted file mode 100644
index a6dfb4ee59..0000000000
--- a/target/linux/generic/pending-4.4/640-bridge_no_eap_forward.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Felix Fietkau <nbd at nbd.name>
-Subject: [PATCH] bridge: no EAP forward
-
-When bridging, do not forward EAP frames to other ports, only deliver
-them locally.
-Fixes WPA authentication issues with multiples APs that are connected to
-each other via bridges.
----
---- a/net/bridge/br_input.c
-+++ b/net/bridge/br_input.c
-@@ -169,7 +169,11 @@ int br_handle_frame_finish(struct net *n
- if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
- br_do_proxy_arp(skb, br, vid, p);
-
-- if (is_broadcast_ether_addr(dest)) {
-+ if (skb->protocol == htons(ETH_P_PAE)) {
-+ skb2 = skb;
-+ /* Do not forward 802.1x/EAP frames */
-+ skb = NULL;
-+ } else if (is_broadcast_ether_addr(dest)) {
- skb2 = skb;
- unicast = false;
- } else if (is_multicast_ether_addr(dest)) {
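
Review bot: the description deleted here names a concrete failure, "WPA authentication issues with multiples APs that are connected to each other via bridges", and the hunk kept every `ETH_P_PAE` frame off the other ports by setting `skb = NULL`. The `dst->is_local` argument covers only frames addressed to this device; an EAPOL frame whose destination is not local now falls through to the broadcast, multicast or unicast branches and can leave on other bridge ports. The commit message should say whether the multi-AP setup was retested on 4.4, 4.9 and 4.14 and whether forwarding such frames between ports is acceptable.
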
diff --git a/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch b/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch
index 02dfea4659..85632af8a6 100644
--- a/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch
+++ b/target/linux/generic/pending-4.4/642-bridge_port_isolate.patch
@@ -48,7 +48,7 @@ Isolating individual bridge ports
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
-@@ -192,8 +192,8 @@ int br_handle_frame_finish(struct net *n
+@@ -188,8 +188,8 @@ int br_handle_frame_finish(struct net *n
unicast = false;
br->dev->stats.multicast++;
--
2.11.0