From: Vlad Yasevich <vyasevic@redhat.com>
To: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Cc: netdev@vger.kernel.org, shemminger@vyatta.com,
bridge@lists.linux-foundation.org, davem@davemloft.net,
mst@redhat.com
Subject: Re: [Bridge] [PATCH net-next V6 03/14] bridge: Validate that vlan is permitted on ingress
Date: Mon, 21 Jan 2013 01:58:56 -0000
Message-ID: <50FCA0DA.7000008@redhat.com>
In-Reply-To: <20130121002710.5189a959.shmulik.ladkani@gmail.com>
On 01/20/2013 05:27 PM, Shmulik Ladkani wrote:
> Hi Vlad,
>
> On Wed, 16 Jan 2013 13:17:58 -0500 Vlad Yasevich <vyasevic@redhat.com> wrote:
>> @@ -45,6 +45,9 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
>> brstats->tx_bytes += skb->len;
>> u64_stats_update_end(&brstats->syncp);
>>
>> + if (!br_allowed_ingress(&br->vlan_info, skb))
>> + goto out;
>> +
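Review bot: the `goto out` taken when `br_allowed_ingress()` refuses the frame does not free the skb, since nothing between the check and the `out` label consumes it; drop it explicitly with `kfree_skb(skb)` before jumping (or add a dedicated drop label that does). The check also sits after `brstats->tx_bytes += skb->len;` / `u64_stats_update_end(&brstats->syncp);`, so a frame the bridge refuses to transmit has already been counted as transmitted; either move the VLAN check ahead of the stats update or account the refusal as a drop.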
>
> Shouldn't you consume the 'skb' in case "not allowed"? the 'out' label
> doesn't take care of that.
>
>> +bool br_allowed_ingress(struct net_port_vlans *v, struct sk_buff *skb)
>> +{
>> + struct net_port_vlan *pve;
>> + u16 vid;
>> +
>> + /* If there are no vlan in the permitted list, all packets are
>> + * permitted.
>> + */
>> + if (list_empty(&v->vlan_list))
>> + return true;
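Review bot: the early `return true` on `list_empty(&v->vlan_list)` makes a port that was never given a VLAN an implicit member of every VID, so tagged frames for VLANs that other ports on the same bridge filter are accepted on any unconfigured port; this fail-open default should be spelled out in the comment (it currently says only "all packets are permitted") and in the series description, and it deserves a bridge-level switch so an administrator can choose a deny-by-default for ports with no VLAN configured.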
>
> Rethinking this, after the discussion at [1].
> The above means the port having no vlans is actually a member of every
> possible vlan.
> IMO it might not be what users expect, and may complicate things.
>
> Maybe we should adopt a simpler approach:
> If the bridge is a vlan enabled bridge, and the port is not a member of
> the given vid, drop.
> If the bridge is "vlan disabled", then all packets are permitted.
>
This is a hybrid configuration where some ports have vlan filtering
enabled while others do not.
Currently the default is to act as a non-vlan bridge when there is no
configuration. I'll consider adding a configuration knob to switch the
behavior so that strict filtering can be enforced.
-vlad
> Regards,
> Shmulik
>
> [1]
> http://marc.info/?l=linux-netdev&m=135602065425514&w=2
>
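The two ingress policies argued over above, as an added example that is not part of this thread or of the bridge patch set: a userspace C model with constructed ports, where the struct names, the fixed-size per-port VID array and the bridge-level vlan_filtering switch are assumptions standing in for the kernel's net_port_vlans list and whatever knob would gate it. Only tagged-frame VIDs are checked; pvid and untagged handling (patch 07/14) is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the two ingress policies discussed in the thread.
 * Everything below is an assumption for illustration: the struct names,
 * the fixed-size VID array and the bridge-level vlan_filtering switch stand
 * in for the kernel's net_port_vlans list and whatever knob would gate it.
 * Only tagged-frame VIDs are checked; pvid/untagged handling is not modelled. */

#define VLAN_N_VID     4096  /* same value as the kernel's if_vlan.h */
#define MAX_PORT_VLANS    8

struct model_port {
	uint16_t vids[MAX_PORT_VLANS];
	size_t nvids;        /* 0 means "no vlans configured on this port" */
};

struct model_bridge {
	bool vlan_filtering; /* false is the "vlan disabled" bridge of the reply */
};

static bool port_has_vid(const struct model_port *p, uint16_t vid)
{
	for (size_t i = 0; i < p->nvids; i++)
		if (p->vids[i] == vid)
			return true;
	return false;
}

/* Policy A, as in the posted hunk: an empty per-port list permits every VID,
 * otherwise the VID must be in the list. */
bool allowed_ingress_hybrid(const struct model_port *p, uint16_t vid)
{
	if (p->nvids == 0)
		return true;
	return port_has_vid(p, vid);
}

/* Policy B, as proposed in the reply: with filtering off every frame passes;
 * with it on, a port is a member only of the VIDs it was explicitly given. */
bool allowed_ingress_strict(const struct model_bridge *br,
			    const struct model_port *p, uint16_t vid)
{
	if (!br->vlan_filtering)
		return true;
	return port_has_vid(p, vid);
}

/* How many of the 4094 usable VIDs (1..4094) a port accepts under a policy. */
size_t accepted_vid_count(const struct model_bridge *br,
			  const struct model_port *p, bool strict)
{
	size_t n = 0;
	for (uint16_t vid = 1; vid < VLAN_N_VID - 1; vid++)
		if (strict ? allowed_ingress_strict(br, p, vid)
			   : allowed_ingress_hybrid(p, vid))
			n++;
	return n;
}

/* Constructed scenario: port_a was never given a vlan, port_b carries 10 and 20. */
const struct model_port port_a = { .nvids = 0 };
const struct model_port port_b = { .vids = { 10, 20 }, .nvids = 2 };
const struct model_bridge br_on  = { .vlan_filtering = true };
const struct model_bridge br_off = { .vlan_filtering = false };

int main(void)
{
	printf("unconfigured port accepts: hybrid=%zu strict(on)=%zu strict(off)=%zu VIDs\n",
	       accepted_vid_count(&br_on, &port_a, false),
	       accepted_vid_count(&br_on, &port_a, true),
	       accepted_vid_count(&br_off, &port_a, true));
	printf("{10,20} port accepts:      hybrid=%zu strict(on)=%zu VIDs\n",
	       accepted_vid_count(&br_on, &port_b, false),
	       accepted_vid_count(&br_on, &port_b, true));
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The count on the unconfigured port is the whole disagreement in one number: under the posted policy a port nobody configured accepts all 4094 VIDs on a bridge whose other ports filter, which is the position a VLAN-hopping attacker wants; under the strict policy the same port accepts none until an administrator adds a VID, at the cost of needing the bridge-level switch for the non-vlan case.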
Thread overview: 28+ messages
2013-01-16 18:18 [Bridge] [PATCH net-next V6 00/14] Add basic VLAN support to bridges Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 01/14] vlan: wrap hw-acceleration calls in separate functions Vlad Yasevich
2013-01-16 22:03 ` Michał Mirosław
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 02/14] bridge: Add vlan filtering infrastructure Vlad Yasevich
2013-01-18 1:57 ` Michał Mirosław
2013-01-20 17:59 ` Vlad Yasevich
2013-01-20 19:39 ` Stephen Hemminger
2013-01-21 1:51 ` Vlad Yasevich
2013-01-21 11:45 ` Shmulik Ladkani
2013-01-22 14:31 ` Vlad Yasevich
2013-01-22 15:55 ` Shmulik Ladkani
2013-01-22 16:27 ` Vlad Yasevich
2013-01-20 21:39 ` Shmulik Ladkani
2013-01-21 1:56 ` Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 03/14] bridge: Validate that vlan is permitted on ingress Vlad Yasevich
2013-01-20 22:27 ` Shmulik Ladkani
2013-01-21 1:58 ` Vlad Yasevich [this message]
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 04/14] bridge: Verify that a vlan is allowed to egress on give port Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 05/14] bridge: Cache vlan in the cb for faster egress lookup Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 06/14] bridge: Add netlink interface to configure vlans on bridge ports Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 07/14] bridge: Add the ability to configure pvid Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 08/14] bridge: Implement vlan ingress/egress policy Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 09/14] bridge: API to configure egress policy Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 10/14] bridge: Add vlan to unicast fdb entries Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 11/14] bridge: Add vlan id to multicast groups Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 12/14] bridge: Add vlan support to static neighbors Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 13/14] bridge: Add vlan support for local fdb entries Vlad Yasevich
2013-01-16 18:18 ` [Bridge] [PATCH net-next V6 14/14] bridge: Dump vlan information from a bridge port Vlad Yasevich