On 2024-10-24, Y C <yogi9...@gmail.com> wrote:
> Hi Everyone
>
> I made modifications to the OpenBSD bridge code (/sys/net/if_bridge.c) to
> allow the forwarding of 802.1X EAPOL packets between interfaces of the
> bridge.
>
> I changed the following:
>
> @@ -1221,6 +1221,10 @@ bridge_process(struct ifnet *ifp, struct > m); > if (m == NULL) > goto bad; > + } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] == 3) { > + if (ntohs(eh->ether_type) != ETHERTYPE_EAPOL) { > + goto bad; > + }
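Review bot: `eh->ether_dhost[ETHER_ADDR_LEN - 1] == 3` tests only the last octet of the destination MAC, so the new `else if` branch fires for every destination address that ends in 0x03, not just the 802.1X PAE group address 01:80:c2:00:00:03; and since the branch does `goto bad` for anything that is not `ETHERTYPE_EAPOL`, an ordinary unicast or multicast frame whose destination happens to end in :03 is now dropped instead of forwarded. Compare all six bytes against the PAE group address (a `memcmp` against a constant, or the same full-address comparison the surrounding reserved-address check uses) before looking at the EtherType. The branch also needs a comment saying why the bridge is being made to relay a frame addressed to the 802.1D reserved block, which a bridge is otherwise required not to forward, so that the deviation is visible to the next reader.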
That's negating a check that a bridge is supposed to do (see the comment above the code you touched, or IEEE 802.1D or ISO/IEC 15802-3). It's not because of spoofing, it's because a bridge is not supposed to forward those frames.

Do you need more than two ports for this? If not then tpmr(4) is probably the better bridge-like device type to use.

-- 
Please keep replies on the mailing list.
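To make the point in the reply concrete, here is an added example (not OpenBSD source, and not code from either participant) that models, in user space, the relay decision a bridge makes for destinations in the 802.1D reserved block 01:80:C2:00:00:00 through 01:80:C2:00:00:0F, next to the last-octet test from the posted hunk. It assumes plain 14-byte Ethernet II headers, `ETHERTYPE_EAPOL` of 0x888e, and `patched_decide()` mirrors only the lines visible in the hunk; the three frames are constructed for the example, not captured traffic.

```c
/*
 * Added example, not OpenBSD code: the 802.1D reserved-address rule a
 * bridge applies, beside the last-octet check from the posted patch.
 * Assumptions: Ethernet II framing, ETHERTYPE_EAPOL == 0x888e, and the
 * patched logic is modelled only as far as the hunk shows it.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN  6
#define ETHER_HDR_LEN   14
#define ETHERTYPE_EAPOL 0x888e
#define ETHERTYPE_IP    0x0800

enum verdict { FORWARD, DROP };

/* 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F is the block IEEE 802.1D reserves
 * for link-local protocols (STP BPDUs :00, 802.1X PAE :03, LLDP :0E, ...).
 * A bridge must not relay frames addressed to it, whatever the EtherType. */
static const uint8_t bridge_block_prefix[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };

bool is_8021d_reserved(const uint8_t dhost[ETHER_ADDR_LEN])
{
    return memcmp(dhost, bridge_block_prefix, 5) == 0 && (dhost[5] & 0xf0) == 0;
}

/* Exact six-byte match on the 802.1X PAE group address 01:80:C2:00:00:03. */
bool is_pae_group_addr(const uint8_t dhost[ETHER_ADDR_LEN])
{
    static const uint8_t pae[ETHER_ADDR_LEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
    return memcmp(dhost, pae, ETHER_ADDR_LEN) == 0;
}

/* The test from the patch: only the last octet of the destination is read. */
bool last_octet_is_3(const uint8_t dhost[ETHER_ADDR_LEN])
{
    return dhost[ETHER_ADDR_LEN - 1] == 3;
}

static uint16_t ether_type(const uint8_t *frame)
{
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* 802.1D relay rule: reserved destinations are never relayed; anything else
 * is a candidate for normal forwarding. */
enum verdict bridge_decide(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return DROP;                     /* runt frame */
    return is_8021d_reserved(frame) ? DROP : FORWARD;
}

/* Visible logic of the hunk: last octet 3 -> drop unless EAPOL, otherwise
 * fall through to forwarding (goto bad in if_bridge.c discards the mbuf). */
enum verdict patched_decide(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return DROP;
    if (last_octet_is_3(frame) && ether_type(frame) != ETHERTYPE_EAPOL)
        return DROP;
    return FORWARD;
}

/* Constructed sample frames (destination, source, EtherType, payload). */
static const uint8_t frame_eapol_start[] = {
    0x01, 0x80, 0xc2, 0x00, 0x00, 0x03,  /* dst: PAE group address */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* src */
    0x88, 0x8e,                          /* EAPOL */
    0x01, 0x01, 0x00, 0x00               /* EAPOL v1, type 1 (Start), length 0 */
};
static const uint8_t frame_ipv4_to_unicast03[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x03,  /* dst: ordinary unicast MAC ending :03 */
    0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee,  /* src */
    0x08, 0x00,                          /* IPv4 */
    0x45, 0x00, 0x00, 0x14               /* start of an IPv4 header (truncated) */
};
static const uint8_t frame_stp_bpdu[] = {
    0x01, 0x80, 0xc2, 0x00, 0x00, 0x00,  /* dst: STP group address */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* src */
    0x00, 0x26,                          /* 802.3 length field */
    0x42, 0x42, 0x03                     /* LLC DSAP/SSAP 0x42, UI */
};

static const char *name(enum verdict v) { return v == DROP ? "drop" : "forward"; }

int main(void)
{
    printf("EAPOL-Start to PAE addr : 802.1D %s, patch %s\n",
           name(bridge_decide(frame_eapol_start, sizeof frame_eapol_start)),
           name(patched_decide(frame_eapol_start, sizeof frame_eapol_start)));
    printf("IPv4 to 00:11:22:33:44:03: 802.1D %s, patch %s\n",
           name(bridge_decide(frame_ipv4_to_unicast03, sizeof frame_ipv4_to_unicast03)),
           name(patched_decide(frame_ipv4_to_unicast03, sizeof frame_ipv4_to_unicast03)));
    printf("STP BPDU                : 802.1D %s, patch %s\n",
           name(bridge_decide(frame_stp_bpdu, sizeof frame_stp_bpdu)),
           name(patched_decide(frame_stp_bpdu, sizeof frame_stp_bpdu)));
    return 0;
}
```

Two things fall out of running it: the bridge rule drops the EAPOL-Start because of its destination alone, with no EtherType involved, which is the point the reply makes; and the patch's last-octet test drops the unrelated IPv4 frame to 00:11:22:33:44:03 while leaving the BPDU untouched, which is what a full six-byte comparison against the PAE address would avoid.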