Acked-by: Gert Doering <[email protected]>
Your patch has been applied to the master branch.
Stared at the code, did quite a bit of testing, found interesting effects.
What this patch does is "client-to-client isolation according to pvid"
(so if you have clients with "vlan-pvid 200" in their ccd/ file, and
other clients with "vlan-pvid 207", only those with the same ID can
talk to each other). This is as desired.
What it also does is completely break TAP-to-client communication if
"--vlan-tagging" is enabled - broadcasts ("...incoming_tun()") are
broadcast everywhere, but unicast packets are never delivered as
they are looked up with a dst PVID of "0" while the "...incoming_link()"
part has learned them with the correct per-client pvid (defaulting
to "@1"). The necessary adjustments for this are coming in a later
patch in the series, but it makes testing individual bits a bit
more complex (I hacked multi.c to use a non-0 server pvid and that
made tap<->client work again, so the basics are sound).
If --vlan-tagging is disabled, all tests pass. So this is not breaking
existing functionality, just not adding all required new bits yet.
(And it's not touching any non-TAP code paths anyway)
commit 1c57ea76a256330314d53999bce3e09644b420f9
Author: Antonio Quartulli
Date: Wed Oct 9 16:34:17 2019 +0200
VLAN: filter multicast and client-to-client unicast traffic
Signed-off-by: Fabian Knittel <[email protected]>
Signed-off-by: Antonio Quartulli <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg18922.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
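The effect described in the review above (entries learned under each client's PVID, TAP-side unicast looked up under PVID 0, and client-to-client unicast allowed only within the same PVID) as a small constructed model. This is added example code, not OpenVPN's implementation; the table layout, function names and the default server PVID of 1 are assumptions made to illustrate the behaviour.

```python
from typing import Dict, Optional, Tuple

# Constructed model: (mac, vid) -> client name. Not OpenVPN's data structure.
MacTable = Dict[Tuple[str, int], str]

SERVER_PVID = 1  # assumed non-0 server-side PVID, standing in for the "@1" default


def learn(table: MacTable, mac: str, vid: int, client: str) -> None:
    """Model of the incoming_link() side: learn a MAC under the client's own PVID."""
    table[(mac, vid)] = client


def lookup(table: MacTable, mac: str, vid: int) -> Optional[str]:
    """Return the client that owns (mac, vid), or None if it was never learned."""
    return table.get((mac, vid))


def deliver_from_tun_buggy(table: MacTable, dst_mac: str) -> Optional[str]:
    """Model of the reported problem: TAP-side unicast is looked up with PVID 0,
    which never matches an entry learned with a per-client PVID."""
    return lookup(table, dst_mac, 0)


def deliver_from_tun_fixed(table: MacTable, dst_mac: str,
                           server_pvid: int = SERVER_PVID) -> Optional[str]:
    """Same lookup with a non-0 server PVID, matching how entries were learned."""
    return lookup(table, dst_mac, server_pvid)


def client_to_client_allowed(table: MacTable, src_mac: str, dst_mac: str, vid: int) -> bool:
    """Unicast between clients passes only if both MACs are known under the same PVID."""
    return lookup(table, src_mac, vid) is not None and lookup(table, dst_mac, vid) is not None


def demo() -> dict:
    # Constructed sample clients: A and B share PVID 200, C is on 207, D uses the server PVID.
    table: MacTable = {}
    learn(table, "02:00:00:00:00:0a", 200, "clientA")
    learn(table, "02:00:00:00:00:0b", 200, "clientB")
    learn(table, "02:00:00:00:00:0c", 207, "clientC")
    learn(table, "02:00:00:00:00:0d", SERVER_PVID, "clientD")
    return {
        "a_to_b": client_to_client_allowed(table, "02:00:00:00:00:0a", "02:00:00:00:00:0b", 200),
        "a_to_c": client_to_client_allowed(table, "02:00:00:00:00:0a", "02:00:00:00:00:0c", 207),
        "tun_to_d_buggy": deliver_from_tun_buggy(table, "02:00:00:00:00:0d"),
        "tun_to_d_fixed": deliver_from_tun_fixed(table, "02:00:00:00:00:0d"),
    }
```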