From: Toshiaki Makita <makita.toshiaki@xxxxxxxxxxxxx>
Date: Mon, 26 May 2014 15:15:53 +0900

> br_handle_local_finish() is allowing us to insert an FDB entry with a
> disallowed vlan. For example, when ports 1 and 2 are communicating in
> vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can
> interfere with their communication by a spoofed src mac address with
> vlan id 10.
>
> Note: Even if it is judged that a frame should not be learned, it should
> not be dropped, because it is destined not for the forwarding layer but
> for a higher layer. See IEEE 802.1Q-2011 8.13.10.
>
> Signed-off-by: Toshiaki Makita <makita.toshiaki@xxxxxxxxxxxxx>

In reference to Vlad's suggestion to try to reuse the logic of the existing
br_allowed_ingress() function, I don't think that's so easy.

As stated already, it drops packets, whilst we don't want that here.

Another difference is that it does vlan_untag(), which we also do not want
here.

Let's just stay with this version of the fix. Vlad, if you're OK with that,
can you please give your ACK?

Thanks.
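To make the commit message's scenario concrete, here is an added, user-space model of bridge FDB learning with per-port VLAN filtering. It is not the kernel's code and not Toshiaki's patch; every name in it (port_vlan_allowed, fdb_find, handle_local_vulnerable, handle_local_fixed, run_scenario) and the MAC address and VLAN data are constructed for illustration. It puts the reported behaviour (learn from every locally delivered frame) beside the fixed behaviour (skip learning when the VID is not allowed on the ingress port, but never drop the frame), and shows the spoofed frame from port 3 rewriting host A's FDB entry in the first case and leaving it alone in the second.

```c
/* Added example, not kernel code: a user-space model of Linux bridge FDB
 * learning with per-port VLAN filtering. All names here are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPORTS   4
#define FDB_SIZE 16
#define MAX_VID  4095

struct port { uint8_t vlan_bitmap[(MAX_VID + 1) / 8]; };     /* allowed VIDs */
struct fdb_entry { bool used; uint8_t mac[6]; uint16_t vid; int port; };
struct bridge { struct port ports[NPORTS]; struct fdb_entry fdb[FDB_SIZE]; };
struct frame { uint8_t src[6]; uint16_t vid; };

static void port_allow_vlan(struct bridge *br, int port, uint16_t vid)
{
    br->ports[port].vlan_bitmap[vid / 8] |= (uint8_t)(1u << (vid % 8));
}

static bool port_vlan_allowed(const struct bridge *br, int port, uint16_t vid)
{
    return (br->ports[port].vlan_bitmap[vid / 8] >> (vid % 8)) & 1u;
}

/* Entry for MAC+VID; if absent, the first free slot when 'alloc' is set. */
static struct fdb_entry *fdb_find(struct bridge *br, const uint8_t *mac, uint16_t vid, bool alloc)
{
    struct fdb_entry *free_slot = NULL;
    for (int i = 0; i < FDB_SIZE; i++) {
        struct fdb_entry *e = &br->fdb[i];
        if (e->used && e->vid == vid && memcmp(e->mac, mac, 6) == 0)
            return e;
        if (!e->used && !free_slot)
            free_slot = e;
    }
    return alloc ? free_slot : NULL;
}

/* Learn or refresh: MAC+VID now lives behind 'port'. */
static void fdb_update(struct bridge *br, const uint8_t *mac, uint16_t vid, int port)
{
    struct fdb_entry *e = fdb_find(br, mac, vid, true);
    if (!e) return;                           /* table full: not learned */
    e->used = true;
    memcpy(e->mac, mac, 6);
    e->vid = vid;
    e->port = port;
}

enum verdict { DROPPED, DELIVERED_LOCALLY };
typedef enum verdict (*local_handler)(struct bridge *, int, const struct frame *);

/* Behaviour the commit message reports: learn from every locally delivered
 * frame, whatever the ingress port's VLAN membership. */
static enum verdict handle_local_vulnerable(struct bridge *br, int port, const struct frame *f)
{
    fdb_update(br, f->src, f->vid, port);
    return DELIVERED_LOCALLY;
}

/* Fixed behaviour: do not learn when the VID is disallowed on the ingress port,
 * but still deliver to the higher layer rather than drop (802.1Q-2011 8.13.10). */
static enum verdict handle_local_fixed(struct bridge *br, int port, const struct frame *f)
{
    if (port_vlan_allowed(br, port, f->vid))
        fdb_update(br, f->src, f->vid, port);
    return DELIVERED_LOCALLY;
}

/* Constructed scenario from the commit message: host A is on port 1 in VLAN 10;
 * port 3 is not a VLAN 10 member and injects a frame with A's MAC as source and
 * VID 10. Returns the port the FDB maps A to afterwards, or -2 if dropped. */
static int run_scenario(local_handler handle)
{
    static const uint8_t mac_a[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0xa1 };
    struct bridge br;
    struct frame legit = { .vid = 10 }, spoof = { .vid = 10 };
    memset(&br, 0, sizeof br);
    port_allow_vlan(&br, 1, 10);
    port_allow_vlan(&br, 2, 10);              /* port 3 deliberately left out */
    memcpy(legit.src, mac_a, 6);
    memcpy(spoof.src, mac_a, 6);
    handle(&br, 1, &legit);                   /* genuine frame from A on port 1 */
    if (handle(&br, 3, &spoof) == DROPPED)    /* attacker on port 3 */
        return -2;
    struct fdb_entry *e = fdb_find(&br, mac_a, 10, false);
    return e ? e->port : -1;
}

int main(void)
{
    printf("vulnerable: A's MAC -> port %d\n", run_scenario(handle_local_vulnerable));
    printf("fixed:      A's MAC -> port %d\n", run_scenario(handle_local_fixed));
    return 0;
}
```

With the reported behaviour the spoofed frame moves A's entry to port 3, so traffic for A is steered to the attacker; with the fix the entry stays on port 1. Both handlers return DELIVERED_LOCALLY, which is the point of the note in the commit message: the fix changes only whether the frame is learned, not whether it reaches the higher layer. Reusing br_allowed_ingress() would not give this, since, as the reply says, that function drops the frame and also untags it.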