Message-Id: <1423043467-11148-2-git-send-email-jouni@codeaurora.org> Date: Wed, 4 Feb 2015 11:51:06 +0200 From: Jouni Malinen <jouni@...eaurora.org> To: David Miller <davem@...emloft.net> Cc: netdev@...r.kernel.org, Kyeyoon Park <kyeyoonp@...eaurora.org>, Jouni Malinen <jouni@...eaurora.org> Subject: [PATCH 2/3] bridge: Selectively prevent bridge port flooding for proxy ARP From: Kyeyoon Park <kyeyoonp@...eaurora.org> Rather than completely blocking the bridge port flooding when BR_PROXYARP is enabled, selectively prevent bridge port flooding for the proxy ARP relevant frames. This is done by marking the "skb" with this info when proxy ARP code executes. Signed-off-by: Kyeyoon Park <kyeyoonp@...eaurora.org> Signed-off-by: Jouni Malinen <jouni@...eaurora.org> --- net/bridge/br_forward.c | 3 ++- net/bridge/br_input.c | 6 +++++- net/bridge/br_private.h | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c index f96933a..81b4bed 100644 --- a/net/bridge/br_forward.c +++ b/net/bridge/br_forward.c @@ -186,7 +186,8 @@ static void br_flood(struct net_bridge *br, struct sk_buff *skb, continue; /* Do not flood to ports that enable proxy ARP */ - if (p->flags & BR_PROXYARP) + if (p->flags & BR_PROXYARP && + BR_INPUT_SKB_CB(skb)->proxyarp_replied) continue; prev = maybe_deliver(prev, p, skb, __packet_hook); diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index cfd46c6..41d1d3f 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -68,6 +68,8 @@ static void br_do_proxy_arp(struct sk_buff *skb, struct net_bridge *br, u8 *arpptr, *sha; __be32 sip, tip; + BR_INPUT_SKB_CB(skb)->proxyarp_replied = false; + if (dev->flags & IFF_NOARP) return; 
@@ -105,9 +107,11 @@ static void br_do_proxy_arp(struct sk_buff *skb, struct net_bridge *br, } f = __br_fdb_get(br, n->ha, vid); - if (f && f->dst->flags & BR_PROXYARP) + if (f && f->dst->flags & BR_PROXYARP) { arp_send(ARPOP_REPLY, ETH_P_ARP, sip, skb->dev, tip, sha, n->ha, sha); + BR_INPUT_SKB_CB(skb)->proxyarp_replied = true; + } neigh_release(n); } diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index de09199..c32e279 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -305,6 +305,7 @@ struct br_input_skb_cb { #endif u16 frag_max_size; + bool proxyarp_replied; #ifdef CONFIG_BRIDGE_VLAN_FILTERING bool vlan_filtered; -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
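Review bot: In the net/bridge/br_forward.c hunk, the comment kept above the changed test ("Do not flood to ports that enable proxy ARP") no longer matches the condition, which now skips a BR_PROXYARP port only when BR_INPUT_SKB_CB(skb)->proxyarp_replied is set. Please update the comment to say that flooding is suppressed only for frames the proxy ARP code has already answered. The expression parses as intended because & binds tighter than &&, but writing it as (p->flags & BR_PROXYARP) && BR_INPUT_SKB_CB(skb)->proxyarp_replied would make that obvious to the next reader.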
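Review bot: In the first net/bridge/br_input.c hunk, proxyarp_replied is reset to false only at the top of br_do_proxy_arp(), while br_flood() reads it for every skb it handles. In the lines shown here nothing else initializes the field, so any frame that reaches br_flood() without having gone through br_do_proxy_arp() would be tested against whatever the control block last held. Please either confirm that every path into br_flood() sets the field first, or move the reset to the place where the input control block is set up so that it does not depend on this function being called.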
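Review bot: In the second net/bridge/br_input.c hunk, proxyarp_replied is set to true unconditionally after arp_send(), and the outcome of arp_send() is not checked in these lines. If the reply could not be built or sent, the request is then neither answered nor flooded to BR_PROXYARP ports. If that is acceptable, a short comment saying the flag means "reply attempted" would help; otherwise set the flag only once the reply is known to have been queued. Since braces are being added to this if anyway, (f->dst->flags & BR_PROXYARP) could also be parenthesized.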
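Review bot: In the net/bridge/br_private.h hunk, the new bool proxyarp_replied member of struct br_input_skb_cb has no comment. Because the field carries state from br_do_proxy_arp() on the input path to br_flood() on the forwarding path, a one-line comment stating who sets it and who reads it would make that cross-file dependency visible at the definition.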