From: Stephen Hemminger <stephen@networkplumber.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Stephen Hemminger <stephen@networkplumber.org>
Subject: [PATCH net-next 01/10] vxlan: only migrate dynamic FDB entries
Date: Tue, 4 Jun 2013 21:24:05 -0700
Message-ID: <1370406254-6341-1-git-send-email-stephen@networkplumber.org>
Only migrate dynamic forwarding table entries, don't modify
static entries. If a packet is received from an incorrect source IP address,
assume it is an imposter and drop it.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
Should go to -stable as well.
---
drivers/net/vxlan.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 8111565..536082a 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -604,8 +604,8 @@ skip:
/* Watch incoming packets to learn mapping between Ethernet address
* and Tunnel endpoint.
*/
-static void vxlan_snoop(struct net_device *dev,
- __be32 src_ip, const u8 *src_mac)
+static int vxlan_snoop(struct net_device *dev,
+ __be32 src_ip, const u8 *src_mac)
{
struct vxlan_dev *vxlan = netdev_priv(dev);
struct vxlan_fdb *f;
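Review bot: the return type changes from void to int, but the comment above vxlan_snoop() still only says it learns the MAC-to-endpoint mapping, so nothing documents what a nonzero return means. Add a line such as `* Returns nonzero if the packet should be dropped.` or, since the function only ever returns 0 or 1, make it `static bool vxlan_snoop(...)` so the caller's `if (... && vxlan_snoop(...)) goto drop;` reads as a plain yes/no test.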
@@ -614,7 +614,11 @@ static void vxlan_snoop(struct net_device *dev,
f = vxlan_find_mac(vxlan, src_mac);
if (likely(f)) {
if (likely(f->remote.remote_ip == src_ip))
- return;
+ return 0;
+
+ /* Don't migrate static entries, drop packets */
+ if (!(f->flags & NTF_SELF))
+ return 1;
if (net_ratelimit())
netdev_info(dev,
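Review bot: `!(f->flags & NTF_SELF)` does not look like a reliable static-versus-dynamic test. The entries this function learns are created with NTF_SELF (the `0, NTF_SELF` arguments to the create call in the next hunk), but entries added from userspace through ndo_fdb_add carry whatever ndm_flags the caller supplied, and rtnl_fdb_add only dispatches to the driver's ndo_fdb_add when NTF_SELF is set, so a static entry added with `bridge fdb add ... self` also has NTF_SELF and would still be migrated. Keying on the entry's neighbour state (NUD_PERMANENT or NUD_NOARP for static entries) would match what the commit message intends. Also, the new `return 1` path drops silently while the migrate path below is logged with a rate-limited netdev_info(); a source mismatch against a static entry is exactly the spoofing event an operator wants to see, so consider a rate-limited log line before returning.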
@@ -634,6 +638,8 @@ static void vxlan_snoop(struct net_device *dev,
0, NTF_SELF);
spin_unlock(&vxlan->hash_lock);
}
+
+ return 0;
}
@@ -766,8 +772,9 @@ static int vxlan_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
vxlan->dev->dev_addr) == 0)
goto drop;
- if (vxlan->flags & VXLAN_F_LEARN)
- vxlan_snoop(skb->dev, oip->saddr, eth_hdr(skb)->h_source);
+ if ((vxlan->flags & VXLAN_F_LEARN) &&
+ vxlan_snoop(skb->dev, oip->saddr, eth_hdr(skb)->h_source))
+ goto drop;
__skb_tunnel_rx(skb, vxlan->dev);
skb_reset_network_header(skb);
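Review bot: the imposter drop is now gated on VXLAN_F_LEARN, so with learning disabled a frame whose outer source IP does not match a static entry's remote_ip is still accepted. If the drop is meant to protect static entries in their own right it should run regardless of the learn flag; if tying it to learning is deliberate, the commit message should say so. A one-line comment above the `if` (drop frames that conflict with a static FDB entry) would also spare the next reader a trip into vxlan_snoop() to find out why a nonzero return means drop.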
--
1.7.10.4