On 05/30/2014 06:48 PM, David Miller wrote:
> From: Toshiaki Makita <makita.toshi...@lab.ntt.co.jp>
> Date: Mon, 26 May 2014 15:15:53 +0900
>
>> br_handle_local_finish() is allowing us to insert an FDB entry with a
>> disallowed vlan. For example, when ports 1 and 2 are communicating in
>> vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can
>> interfere with their communication by a spoofed src mac address with
>> vlan id 10.
>>
>> Note: Even if it is judged that a frame should not be learned, it should
>> not be dropped, because it is destined not for the forwarding layer but for
>> a higher layer. See IEEE 802.1Q-2011 8.13.10.
>>
>> Signed-off-by: Toshiaki Makita <makita.toshi...@lab.ntt.co.jp>
>
> In reference to Vlad's suggestion to try to reuse the logic of the
> existing br_allowed_ingress() function, I don't think that's so
> easy.
>
> As stated already, it drops packets, whilst we don't want that here.
>
> Another difference is that it does vlan_untag(), which we also do
> not want here.
>
> Let's just stay with this version of the fix. Vlad, if you're OK with
> that, can you please give your ACK? Thanks.
>
Acked-by: Vlad Yasevich <vyase...@redhat.com>

I need to spend a little time and figure out how to make it more re-usable.

-vlad
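The decision the thread is about, as an added illustration that is not the kernel's code and not part of this thread: a simplified Python model of a VLAN-filtering bridge whose local-delivery path either learns the source MAC unconditionally (the behaviour the patch description reports) or learns only when the frame's VLAN is allowed on the ingress port, while in both cases still delivering the frame to the higher layer as 802.1Q-2011 8.13.10 requires. The class and function names (`Bridge`, `handle_local`, `handle_local_unchecked`, `audit_fdb`), the port/VLAN configuration and the MAC addresses are all constructed for the example; `audit_fdb` is an extra defender-side check, beyond what the thread describes, that reports FDB entries pointing at ports which are not members of the entry's VLAN.

```python
"""Constructed model of FDB learning on a VLAN-filtering bridge.

Not the Linux bridge code: it only mirrors the rule discussed in the
thread (learn only from an allowed ingress VLAN; never drop a frame that
is destined for the higher layer).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    in_port: int      # bridge port the frame arrived on
    src_mac: str      # source MAC address carried by the frame
    vid: int          # VLAN id the frame is tagged with


@dataclass
class Bridge:
    # port -> set of VLAN ids allowed on that port (constructed config)
    port_vlans: dict[int, set[int]]
    # FDB: (vid, mac) -> port the address was last learned on
    fdb: dict[tuple[int, str], int] = field(default_factory=dict)
    # frames handed up to the higher layer, in arrival order
    delivered: list[Frame] = field(default_factory=list)

    def vlan_allowed(self, port: int, vid: int) -> bool:
        """Ingress membership check: is `vid` configured on `port`?"""
        return vid in self.port_vlans.get(port, set())

    def handle_local_unchecked(self, frame: Frame) -> bool:
        """Pre-fix behaviour: learn from every locally destined frame."""
        self.fdb[(frame.vid, frame.src_mac)] = frame.in_port
        self.delivered.append(frame)
        return True  # learned

    def handle_local(self, frame: Frame) -> bool:
        """Post-fix behaviour: learn only on an allowed VLAN, always deliver.

        Returns True when the source was learned, False when learning was
        skipped. The frame is delivered either way; it is never dropped here.
        """
        learned = self.vlan_allowed(frame.in_port, frame.vid)
        if learned:
            self.fdb[(frame.vid, frame.src_mac)] = frame.in_port
        self.delivered.append(frame)
        return learned


def audit_fdb(br: Bridge) -> list[tuple[int, str, int]]:
    """Defender check: FDB entries whose port is not a member of their VLAN.

    Any entry returned here means an address was learned from a port on
    which that VLAN is disallowed, i.e. exactly the poisoning the thread
    describes. Returns (vid, mac, port) triples.
    """
    return [
        (vid, mac, port)
        for (vid, mac), port in br.fdb.items()
        if not br.vlan_allowed(port, vid)
    ]


def scenario(fixed: bool) -> Bridge:
    """Replay the thread's example against either learning policy.

    Ports 1 and 2 are members of VLAN 10; port 3 is only a member of
    VLAN 20. A host on port 1 sends legitimately in VLAN 10, then port 3
    sends a frame claiming the same source MAC in VLAN 10.
    """
    br = Bridge(port_vlans={1: {10}, 2: {10}, 3: {20}})
    handler = br.handle_local if fixed else br.handle_local_unchecked
    host_mac = "02:00:00:00:00:01"  # constructed address
    handler(Frame(in_port=1, src_mac=host_mac, vid=10))
    handler(Frame(in_port=3, src_mac=host_mac, vid=10))
    return br


if __name__ == "__main__":
    for fixed in (False, True):
        br = scenario(fixed)
        print(f"fixed={fixed}: fdb={br.fdb}, delivered={len(br.delivered)}, "
              f"violations={audit_fdb(br)}")
```

With the unchecked policy the second frame moves the (10, host MAC) entry to port 3, so later traffic from port 2 to that host is forwarded out a port that is not even in VLAN 10; with the checked policy the entry stays on port 1, and in both runs all frames still reach the higher layer. `audit_fdb` is the kind of check that can be run over a dumped FDB together with the per-port VLAN table to spot such entries after the fact.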