Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress

[PATCH net-next V4 00/13] Add basic VLAN support to bridges · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 02/13] bridge: Add vlan filtering infrastructure · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 02/13] bridge: Add vlan filtering infrastructure · Shmulik Ladkani <hidden> · 2012-12-20
Re: [PATCH net-next V4 02/13] bridge: Add vlan filtering infrastructure · Vlad Yasevich <hidden> · 2012-12-20
[PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Cong Wang <hidden> · 2012-12-20
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Shmulik Ladkani <hidden> · 2012-12-20
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Vlad Yasevich <hidden> · 2012-12-20
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Shmulik Ladkani <hidden> · 2012-12-20
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Vlad Yasevich <hidden> · 2012-12-20
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Shmulik Ladkani <hidden> · 2012-12-20
Re: [PATCH net-next V4 03/13] bridge: Validate that vlan is permitted on ingress · Shmulik Ladkani <hidden> · 2012-12-21
[PATCH net-next V4 04/13] bridge: Verify that a vlan is allowed to egress on give port · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 04/13] bridge: Verify that a vlan is allowed to egress on give port · Shmulik Ladkani <hidden> · 2012-12-20
[PATCH net-next V4 06/13] bridge: Add vlan to unicast fdb entries · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 09/13] bridge: Add vlan support to static neighbors · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 11/13] bridge: Implement untagged vlan handling · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 12/13] bridge: Dump vlan information from a bridge port · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 13/13] bridge: Add vlan support for local fdb entries · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 07/13] bridge: Add vlan id to multicast groups · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 07/13] bridge: Add vlan id to multicast groups · Cong Wang <hidden> · 2012-12-20
[PATCH net-next V4 05/13] bridge: Cache vlan in the cb for faster egress lookup. · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 08/13] bridge: Add netlink interface to configure vlans on bridge ports · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 08/13] bridge: Add netlink interface to configure vlans on bridge ports · Cong Wang <hidden> · 2012-12-20
[PATCH net-next V4 10/13] bridge: Add the ability to configure untagged vlans · Vlad Yasevich <hidden> · 2012-12-19
[PATCH net-next V4 01/13] vlan: wrap hw-acceleration calls in separate functions. · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 00/13] Add basic VLAN support to bridges · Andrew Collins <hidden> · 2012-12-19
Re: [PATCH net-next V4 00/13] Add basic VLAN support to bridges · Vlad Yasevich <hidden> · 2012-12-19
Re: [PATCH net-next V4 00/13] Add basic VLAN support to bridges · Vitalii Demianets <hidden> · 2012-12-20
Re: [PATCH net-next V4 00/13] Add basic VLAN support to bridges · Stephen Hemminger <hidden> · 2012-12-20

From: Shmulik Ladkani <hidden>
Date: 2012-12-20 14:07:21

Hi Vlad,

On Wed, 19 Dec 2012 12:48:14 -0500 Vlad Yasevich [off-list ref] wrote:

+static bool br_allowed_ingress(struct net_bridge_port *p, struct sk_buff *skb)
+{
+	struct net_port_vlan *pve;
+	u16 vid;
+
+	/* If there are no vlan in the permitted list, all packets are
+	 * permitted.
+	 */
+	if (list_empty(&p->vlan_list))
+		return true;

I assumed the default policy would be Drop in such case, otherwise
leaking between vlan domains is possible.
Or maybe, ingress policy when port isn't a member of ingress VID should
be configurable (drop/allow).

+	vid = br_get_vlan(skb);
+	pve = nbp_vlan_find(p, vid);

Why search by iterating through NBP's vlan_list?
You know the VID (hence may fetch the net_bridge_vlan from the hash), so
why don't you directly consult the net_bridge_vlan's port_bitmap?

quoted hunk ↗ jump to hunk

@@ -54,6 +74,9 @@ int br_handle_frame_finish(struct sk_buff *skb)
 	if (!p || p->state == BR_STATE_DISABLED)
 		goto drop;
 
+	if (!br_allowed_ingress(p, skb))
+		goto drop;
+

This condition should be also encorporated upon "ingress" at the "bridge
master port" (that is, early at br_dev_xmit).
Think of the "bridge master port" as yet another port:
upon "ingress" (meaning, tx packets from the ip stack), we should
also enforce any ingress permission rules.

Regards,
Shmulik

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help