Thread: 6 messages, 4 authors, 2014-06-02

Re: [PATCH net] bridge: Prevent insertion of FDB entry with disallowed vlan

From: David Miller <davem@davemloft.net>
Date: 2014-05-30 22:48:57
Also in: bridge

From: Toshiaki Makita <redacted>
Date: Mon, 26 May 2014 15:15:53 +0900
br_handle_local_finish() is allowing us to insert an FDB entry with a
disallowed vlan. For example, when port 1 and 2 are communicating in
vlan 10, even if vlan 10 is disallowed on port 3, port 3 can
interfere with their communication with a spoofed src mac address with
vlan id 10.

Note: Even if it is judged that a frame should not be learned, it should
not be dropped, because it is destined not for the forwarding layer but for a
higher layer. See IEEE 802.1Q-2011 8.13.10.

Signed-off-by: Toshiaki Makita <redacted>
In reference to Vlad's suggestion to try to reuse the logic of the
existing br_allowed_ingress() function, I don't think that's so
easy.

As stated already, it drops packets whilst we don't want that here.

Another difference is that it does vlan_untag(), which we also do
not want here.

Let's just stay with this version of the fix, Vlad if you're OK with
that can you please give your ACK?  Thanks.
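As an added illustration, not the kernel's code or the patch itself: a constructed C model of the learning decision discussed above, with the pre-fix handler beside the fixed one, showing that the fixed path still delivers the frame but refuses to learn a (MAC, VID) pair on a port where that VID is not allowed. The names (`handle_local_finish_old`/`_fixed`, `fdb_update`) and the bitmap layout are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the learning decision, not the kernel's own code: a port
 * carries a bitmap of allowed VIDs (0..63 here) and the FDB is a small table
 * keyed by (MAC, VID) recording the port the address was last seen on. */
#define MAX_FDB 16
struct bridge_port { int port_no; uint64_t allowed_vids; };
struct fdb_entry { uint8_t mac[6]; uint16_t vid; int port_no; bool used; };
static struct fdb_entry fdb[MAX_FDB];

static bool vlan_allowed(const struct bridge_port *p, uint16_t vid)
{ return vid < 64 && (p->allowed_vids & (1ULL << vid)) != 0; }
static struct fdb_entry *fdb_find(const uint8_t *mac, uint16_t vid)
{
    for (int i = 0; i < MAX_FDB; i++)
        if (fdb[i].used && fdb[i].vid == vid && !memcmp(fdb[i].mac, mac, 6))
            return &fdb[i];
    return NULL;
}
/* Learn or refresh (mac, vid) -> port; a new address takes the first free slot. */
static void fdb_update(const struct bridge_port *p, const uint8_t *mac, uint16_t vid)
{
    struct fdb_entry *e = fdb_find(mac, vid);
    for (int i = 0; !e && i < MAX_FDB; i++)
        if (!fdb[i].used) { e = &fdb[i]; memcpy(e->mac, mac, 6); e->vid = vid; e->used = true; }
    if (e) e->port_no = p->port_no;      /* full table: the frame is simply not learned */
}
/* Port currently recorded for (mac, vid), or -1 when unknown. */
static int fdb_lookup_port(const uint8_t *mac, uint16_t vid)
{ struct fdb_entry *e = fdb_find(mac, vid); return e ? e->port_no : -1; }
/* Before the fix: every frame delivered locally is learned, whatever its VID.
 * Returning true means the frame is still passed up the stack. */
static bool handle_local_finish_old(const struct bridge_port *p, const uint8_t *mac, uint16_t vid)
{
    fdb_update(p, mac, vid);
    return true;
}

/* After the fix: learn only if the VID is allowed on the ingress port, but still
 * pass the frame to the higher layer instead of dropping it (802.1Q-2011 8.13.10). */
static bool handle_local_finish_fixed(const struct bridge_port *p, const uint8_t *mac, uint16_t vid)
{
    if (vlan_allowed(p, vid))
        fdb_update(p, mac, vid);
    return true;
}
```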