List:       linux-bridge
Subject:    Re: [Bridge] [PATCH net] bridge: Fix incorrect re-injection of LLDP packets
From:       David Miller <davem () davemloft ! net>
Date:       2016-07-25 17:54:16
Message-ID: 20160725.105416.2123454512115321360.davem () davemloft ! net

From: Ido Schimmel <idosch@mellanox.com>
Date: Fri, 22 Jul 2016 14:56:20 +0300

> Commit 8626c56c8279 ("bridge: fix potential use-after-free when hook
> returns QUEUE or STOLEN verdict") caused LLDP packets arriving through a
> bridge port to be re-injected to the Rx path with skb->dev set to the
> bridge device, but this breaks the lldpad daemon.
> 
> The lldpad daemon opens a packet socket with protocol set to ETH_P_LLDP
> for any valid device on the system, which doesn't include soft
> devices such as bridge and VLAN.
> 
> Since packet sockets (ptype_base) are processed in the Rx path after the
> Rx handler, LLDP packets with skb->dev set to the bridge device never
> reach the lldpad daemon.
> 
> Fix this by making the bridge's Rx handler re-inject LLDP packets with
> RX_HANDLER_PASS, which effectively restores the behaviour prior to the
> mentioned commit.
> 
> This means netfilter will never receive LLDP packets coming through a
> bridge port, as I don't see a way in which we can have okfn() consume
> the packet without breaking existing behaviour. I've already carried out
> a similar fix for STP packets in commit 56fae404fb2c ("bridge: Fix
> incorrect re-injection of STP packets").
> 
> Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
> Signed-off-by: Ido Schimmel <idosch@mellanox.com>
> Reviewed-by: Jiri Pirko <jiri@mellanox.com>

Applied, but... sigh... nothing about bridging and netfilter is clean,
what a mess.