Date:   Mon, 10 Jun 2019 17:44:06 +0800
From:   wenxu@...oud.cn
To:     roopa@...ulusnetworks.com, nikolay@...ulusnetworks.com
Cc:     bridge@...ts.linux-foundation.org, netdev@...r.kernel.org
Subject: [PATCH net-next] bridge: Set the pvid for untagged packet before prerouting

From: wenxu <wenxu@...oud.cn>

bridge vlan add dev veth1 vid 200 pvid untagged
bridge vlan add dev veth2 vid 200 pvid untagged

nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority - 300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1, 200 : 2 }

As above, set the bridge port with pvid; the received packet doesn't contain
the vlan tag, which means the packet should belong to vlan 200 through pvid.
User can do conntrack based on vlan id and map the vlan id to zone id
in the prerouting hook.

Signed-off-by: wenxu <wenxu@...oud.cn>
---
 net/bridge/br_input.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 21b74e7..31b44bc 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -341,6 +341,13 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
 	}
 
 forward:
+	if (br_opt_get(p->br, BROPT_VLAN_ENABLED) && !skb_vlan_tag_present(skb)) {
+		u16 pvid = br_get_pvid(nbp_vlan_group_rcu(p));
+
+		if (pvid)
+			__vlan_hwaccel_put_tag(skb, p->br->vlan_proto, pvid);
+	}
+
 	switch (p->state) {
 	case BR_STATE_FORWARDING:
 	case BR_STATE_LEARNING:
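Review bot: the new block directly after `forward:` runs before `switch (p->state)`, so the pvid tag is stamped onto every untagged frame regardless of the port's state, including frames the switch then refuses to forward; the bridge's VLAN ingress filtering on the forwarding path already applies the pvid to untagged frames and checks it against the port's configured VLANs, whereas here the value from `br_get_pvid()` is trusted as-is. Consider moving the block so it only applies to the states that actually forward, or at least add a comment above `if (br_opt_get(p->br, BROPT_VLAN_ENABLED) && !skb_vlan_tag_present(skb))` stating that the tag has to be present before the prerouting hook so `ct zone set vlan id map` can see it, and confirm that an skb tagged here but later dropped or passed back to the stack does not keep a tag it did not arrive with.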
-- 
1.8.3.1
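The commit message describes a two-step decision: an untagged frame arriving on a port with a pvid is treated as belonging to that VLAN, and the resulting VLAN id is then mapped to a conntrack zone by the nft rule. The following is an added user-space model of that decision, written for this archive page; it is not kernel code and not part of the patch. The frame parser, the `bridge_port` struct, the sample frames and the `vlan_to_zone()` table (which mirrors the `{ 100 : 1, 200 : 2 }` map from the nft rule) are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of bridge VLAN ingress: tag if present, otherwise the
 * port's PVID, then VLAN id -> conntrack zone. Not the kernel implementation. */

#define ETH_P_8021Q   0x8100   /* 802.1Q tag protocol identifier */
#define ETH_HLEN      14       /* dst(6) + src(6) + ethertype(2) */
#define VLAN_VID_MASK 0x0fff   /* low 12 bits of the TCI field */

struct bridge_port {
    const char *name;
    uint16_t pvid;             /* 0 means no PVID configured on this port */
};

/* VID carried in the frame's 802.1Q tag, or 0 if the frame is untagged or
 * too short to contain a tag. */
static uint16_t frame_vlan_id(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + 4)
        return 0;
    uint16_t proto = (uint16_t)((frame[12] << 8) | frame[13]);
    if (proto != ETH_P_8021Q)
        return 0;
    uint16_t tci = (uint16_t)((frame[14] << 8) | frame[15]);
    return tci & VLAN_VID_MASK;
}

/* Effective VLAN at ingress, as the prerouting hook would see it once the
 * patch has stamped the pvid: explicit tag wins, otherwise the port's PVID,
 * otherwise 0 (no VLAN membership). */
static uint16_t effective_vlan(const struct bridge_port *p,
                               const uint8_t *frame, size_t len)
{
    uint16_t vid = frame_vlan_id(frame, len);
    return vid ? vid : p->pvid;
}

/* Model of `ct zone set vlan id map { 100 : 1, 200 : 2 }`; ids not in the
 * map fall back to zone 0. */
static uint16_t vlan_to_zone(uint16_t vid)
{
    switch (vid) {
    case 100: return 1;
    case 200: return 2;
    default:  return 0;
    }
}

/* Constructed sample frames (dst, src, ethertype, then payload bytes). */
static const uint8_t untagged_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* dst */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* src */
    0x08, 0x00,                          /* IPv4, no 802.1Q tag */
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00,
};

static const uint8_t tagged_100_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* dst */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,  /* src */
    0x81, 0x00,                          /* 802.1Q TPID */
    0x00, 0x64,                          /* TCI: PCP 0, DEI 0, VID 100 */
    0x08, 0x00,                          /* inner ethertype IPv4 */
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00,
};

/* Ports as configured by the `bridge vlan add ... pvid untagged` lines,
 * plus one port without a PVID for contrast. */
static const struct bridge_port veth1   = { "veth1", 200 };
static const struct bridge_port nopvid  = { "veth9", 0 };

int main(void)
{
    const struct bridge_port *ports[] = { &veth1, &nopvid };
    for (size_t i = 0; i < 2; i++) {
        uint16_t v1 = effective_vlan(ports[i], untagged_frame, sizeof untagged_frame);
        uint16_t v2 = effective_vlan(ports[i], tagged_100_frame, sizeof tagged_100_frame);
        printf("%s: untagged -> vlan %u zone %u; tagged 100 -> vlan %u zone %u\n",
               ports[i]->name, v1, vlan_to_zone(v1), v2, vlan_to_zone(v2));
    }
    return 0;
}
```

Running it shows the case the patch is about: on `veth1` the untagged frame resolves to VLAN 200 and zone 2, while on a port with no pvid it resolves to VLAN 0 and the zone falls back to 0, which is what the nft map would do for an id it does not know.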
