From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [PATCH net] bridge: Prevent insertion of FDB entry
 with disallowed vlan
Date: Mon, 02 Jun 2014 13:38:51 -0700 (PDT)
Message-ID: <20140602.133851.291905043809990099.davem@davemloft.net>
References: <1401084953-10135-1-git-send-email-makita.toshiaki@lab.ntt.co.jp>
	<20140530.154857.23436038195529720.davem@davemloft.net>
	<538C8892.8030800@redhat.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: stephen@networkplumber.org, netdev@vger.kernel.org,
	bridge@lists.linux-foundation.org
To: vyasevic@redhat.com
Return-path: <bridge-bounces@lists.linux-foundation.org>
In-Reply-To: <538C8892.8030800@redhat.com>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bridge>,
	<mailto:bridge-request@lists.linux-foundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bridge/>
List-Post: <mailto:bridge@lists.linux-foundation.org>
List-Help: <mailto:bridge-request@lists.linux-foundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bridge>,
	<mailto:bridge-request@lists.linux-foundation.org?subject=subscribe>
Sender: bridge-bounces@lists.linux-foundation.org
Errors-To: bridge-bounces@lists.linux-foundation.org
List-Id: netdev.vger.kernel.org

From: Vlad Yasevich <vyasevic@redhat.com>
Date: Mon, 02 Jun 2014 10:22:10 -0400

> On 05/30/2014 06:48 PM, David Miller wrote:
>> From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
>> Date: Mon, 26 May 2014 15:15:53 +0900
>> 
>>> br_handle_local_finish() is allowing us to insert an FDB entry with
>>> disallowed vlan. For example, when port 1 and 2 are communicating in
>>> vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can
>>> interfere with their communication by spoofed src mac address with
>>> vlan id 10.
>>>
>>> Note: Even if it is judged that a frame should not be learned, it should
>>> not be dropped because it is destined for not forwarding layer but higher
>>> layer. See IEEE 802.1Q-2011 8.13.10.
>>>
>>> Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
>> 
>> In reference to Vlad's suggestion to try to reuse the logic of the
>> existing br_allowed_ingress() function, I don't think that's so
>> easy.
>> 
>> As stated already, it drops packets whilst we don't want that here.
>> 
>> Another difference is that it does vlan_untag(), which we also do
>> not want here.
>> 
>> Let's just stay with this version of the fix, Vlad if you're OK with
>> that can you please give your ACK?  Thanks.
>> 
> 
> 
> Acked-by: Vlad Yasevich <vyasevic@redhat.com>

Applied, thanks everyone.

> I need to spend a little time and figure out how to make it more re-usable.

Ok.