From: Vlad Yasevich <vyasevic@xxxxxxxxxx>
Date: Mon, 02 Jun 2014 10:22:10 -0400

> On 05/30/2014 06:48 PM, David Miller wrote:
>> From: Toshiaki Makita <makita.toshiaki@xxxxxxxxxxxxx>
>> Date: Mon, 26 May 2014 15:15:53 +0900
>>
>>> br_handle_local_finish() is allowing us to insert an FDB entry with a
>>> disallowed vlan. For example, when port 1 and 2 are communicating in
>>> vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can
>>> interfere with their communication by a spoofed src mac address with
>>> vlan id 10.
>>>
>>> Note: Even if it is judged that a frame should not be learned, it should
>>> not be dropped because it is destined not for the forwarding layer but
>>> for a higher layer. See IEEE 802.1Q-2011 8.13.10.
>>>
>>> Signed-off-by: Toshiaki Makita <makita.toshiaki@xxxxxxxxxxxxx>
>>
>> In reference to Vlad's suggestion to try to reuse the logic of the
>> existing br_allowed_ingress() function, I don't think that's so
>> easy.
>>
>> As stated already, it drops packets whilst we don't want that here.
>>
>> Another difference is that it does vlan_untag(), which we also do
>> not want here.
>>
>> Let's just stay with this version of the fix. Vlad, if you're OK with
>> that, can you please give your ACK? Thanks.
>>
>
>
> Acked-by: Vlad Yasevich <vyasevic@xxxxxxxxxx>

Applied, thanks everyone.

> I need to spend a little time and figure out how to make it more re-usable.

Ok.
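The scenario in the commit message, as an added, self-contained C model that is not the kernel's code or the patch itself: a bridge with a per-port VLAN filter bitmap and a small FDB, and a local-delivery handler that, with the fix, learns the source MAC only when the ingress port permits the VID but still passes the frame up to the host either way (the "do not learn, do not drop" behaviour the note and 802.1Q 8.13.10 describe). All struct names, the `with_fix` toggle and the `scenario_*` helpers are constructed for illustration; the station MAC and port numbers are made-up sample data.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PORTS 4          /* ports 0..3; the scenario uses 1, 2 and 3 */
#define FDB_SIZE  16
#define VLAN_N    4096

/* Constructed model of a bridge port with a VLAN filter bitmap
 * (bit set = VID allowed on this port). Not the kernel's structures. */
struct model_port {
    uint8_t allowed[VLAN_N / 8];
};

struct model_fdb_entry {
    bool used;
    uint8_t mac[6];
    uint16_t vid;
    int port;
};

struct model_bridge {
    struct model_port ports[NUM_PORTS];
    struct model_fdb_entry fdb[FDB_SIZE];
};

static void port_allow_vid(struct model_port *p, uint16_t vid)
{
    p->allowed[vid / 8] |= (uint8_t)(1u << (vid % 8));
}

static bool port_vid_allowed(const struct model_port *p, uint16_t vid)
{
    return (p->allowed[vid / 8] >> (vid % 8)) & 1u;
}

static struct model_fdb_entry *fdb_find(struct model_bridge *br,
                                        const uint8_t *mac, uint16_t vid)
{
    for (int i = 0; i < FDB_SIZE; i++)
        if (br->fdb[i].used && br->fdb[i].vid == vid &&
            memcmp(br->fdb[i].mac, mac, 6) == 0)
            return &br->fdb[i];
    return NULL;
}

/* Learn (mac, vid) -> port, overwriting any existing entry. This is the
 * step the patch skips when the VID is disallowed on the ingress port. */
static bool fdb_update(struct model_bridge *br, int port,
                       const uint8_t *mac, uint16_t vid)
{
    struct model_fdb_entry *e = fdb_find(br, mac, vid);
    if (!e) {
        for (int i = 0; i < FDB_SIZE && !e; i++)
            if (!br->fdb[i].used)
                e = &br->fdb[i];
        if (!e)
            return false;            /* table full */
        e->used = true;
        memcpy(e->mac, mac, 6);
        e->vid = vid;
    }
    e->port = port;
    return true;
}

int fdb_port_for(struct model_bridge *br, const uint8_t *mac, uint16_t vid)
{
    struct model_fdb_entry *e = fdb_find(br, mac, vid);
    return e ? e->port : -1;
}

/* Model of the local-delivery path (the role br_handle_local_finish() plays).
 * Returns true whenever the frame is passed up to the host, which is always:
 * a frame with a disallowed VID is not learned but, unlike in
 * br_allowed_ingress(), is never dropped here. with_fix toggles the check. */
bool handle_local_finish(struct model_bridge *br, int port,
                         const uint8_t *src_mac, uint16_t vid, bool with_fix)
{
    bool learn = !with_fix || port_vid_allowed(&br->ports[port], vid);
    if (learn)
        fdb_update(br, port, src_mac, vid);
    return true;
}

/* Constructed scenario: ports 1 and 2 carry VLAN 10, port 3 does not, and
 * port 3 sends a frame whose source MAC belongs to port 1's station.
 * Returns the port the FDB maps that MAC/VID to afterwards; *delivered
 * reports whether the frame from port 3 still reached the host. */
int scenario_fdb_port_after_spoof(bool with_fix, bool *delivered)
{
    static const uint8_t station_a[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    struct model_bridge br;
    memset(&br, 0, sizeof br);
    port_allow_vid(&br.ports[1], 10);
    port_allow_vid(&br.ports[2], 10);
    /* port 3: VID 10 deliberately left disallowed */

    handle_local_finish(&br, 1, station_a, 10, with_fix);          /* legitimate */
    bool d = handle_local_finish(&br, 3, station_a, 10, with_fix); /* from port 3 */
    if (delivered)
        *delivered = d;
    return fdb_port_for(&br, station_a, 10);
}

bool scenario_spoof_delivered(bool with_fix)
{
    bool delivered = false;
    scenario_fdb_port_after_spoof(with_fix, &delivered);
    return delivered;
}

int main(void)
{
    printf("without fix: FDB maps the station to port %d\n",
           scenario_fdb_port_after_spoof(false, NULL));
    printf("with fix:    FDB maps the station to port %d, frame delivered: %s\n",
           scenario_fdb_port_after_spoof(true, NULL),
           scenario_spoof_delivered(true) ? "yes" : "no");
    return 0;
}
```

Without the check the FDB entry for the station is moved to port 3, which is the interference the commit message describes; with the check it stays on port 1, and in both cases the frame from port 3 is still handed to the host rather than dropped, which is why the existing br_allowed_ingress() path (drop plus vlan_untag()) could not simply be reused.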