Message ID | 1355939304-21804-5-git-send-email-vyasevic@redhat.com |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
Hi Vlad,

On Wed, 19 Dec 2012 12:48:15 -0500 Vlad Yasevich <vyasevic@redhat.com> wrote:

> /* Don't forward packets to originating port or forwarding diasabled */ > static inline int should_deliver(const struct net_bridge_port *p, > const struct sk_buff *skb) > { > return (((p->flags & BR_HAIRPIN_MODE) || skb->dev != p->dev) && > + br_allowed_egress(p, skb) && > p->state == BR_STATE_FORWARDING); > }

This should also be incorporated into 'br_pass_frame_up' somehow. Egress permission when leaving the bridge towards IP stack ("egress" on the "bridge master port" from bridging point-of-view) should be validated according to master port's membership.

Regards,
Shmulik
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c index 02015a5..0c7ffc2 100644 --- a/net/bridge/br_forward.c +++ b/net/bridge/br_forward.c @@ -26,11 +26,29 @@ static int deliver_clone(const struct net_bridge_port *prev, void (*__packet_hook)(const struct net_bridge_port *p, struct sk_buff *skb)); +static inline bool br_allowed_egress(const struct net_bridge_port *p, + const struct sk_buff *skb) +{ + struct net_port_vlan *pve; + u16 vid; + + if (list_empty(&p->vlan_list)) + return true; + + vid = br_get_vlan(skb); + pve = nbp_vlan_find(p, vid); + if (pve) + return true; + + return false; +} + /* Don't forward packets to originating port or forwarding diasabled */ static inline int should_deliver(const struct net_bridge_port *p, const struct sk_buff *skb) { return (((p->flags & BR_HAIRPIN_MODE) || skb->dev != p->dev) && + br_allowed_egress(p, skb) && p->state == BR_STATE_FORWARDING); } diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 1ba76b4..5090134 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -202,6 +202,7 @@ static inline u16 br_get_vlan(const struct sk_buff *skb) if (vlan_tx_tag_present(skb)) return vlan_tx_tag_get(skb) & VLAN_VID_MASK; + /* Untagged and VLAN 0 traffic is handled the same way */ if (vlan_get_tag(skb, &tag)) return 0;
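Review bot: In br_allowed_egress() in net/bridge/br_forward.c, the `list_empty(&p->vlan_list)` early return makes a port with no VLANs configured pass every frame, so the egress filter is permissive by default and a port whose vlan_list becomes empty reverts to allowing all VLANs. Please add a comment above the function stating that this is intentional. The tail `if (pve) return true; return false;` can be written as `return nbp_vlan_find(p, vid) != NULL;`, which also removes the `pve` local. Since the check is wired in only through should_deliver(), it covers only the delivery paths that call that helper.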
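Review bot: The comment added in br_get_vlan() in net/bridge/br_private.h says untagged and VLAN 0 traffic are handled the same way but does not say what that means for the new filter. Because the function returns 0 when `vlan_get_tag(skb, &tag)` fails, br_allowed_egress() looks up VID 0 for untagged frames, so on a port with a non-empty vlan_list an untagged frame egresses only if that port has an entry for VID 0. Suggest extending the comment to state this, so the effect on untagged traffic is documented at the place where the value 0 is chosen.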
When bridge forwards a frame, make sure that a frame is allowed to egress on that port.

Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
---
 net/bridge/br_forward.c | 18 ++++++++++++++++++
 net/bridge/br_private.h | 1 +
 2 files changed, 19 insertions(+), 0 deletions(-)