From 3a1b3b9bc9a9e84aee68c7bbdcfd65106bf9de7e Mon Sep 17 00:00:00 2001
From: dlg
Date: Fri, 26 Feb 2021 01:57:20 +0000
Subject: [PATCH] try do a better job of filtering 802.1 reserved group addresses. if the bridge is supposed to carry vlan packets, assuming it's an s-vlan component and should allow certain group addresses to cross between "customer" bridges. i should probably let some of these groups fall back through to the calling ether_input rather than drop them.
---
 sys/net/if_veb.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c
index 1ce668e26f5..44e1e0faa18 100644
--- a/sys/net/if_veb.c
+++ b/sys/net/if_veb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_veb.c,v 1.11 2021/02/26 01:42:47 dlg Exp $ */
+/* $OpenBSD: if_veb.c,v 1.12 2021/02/26 01:57:20 dlg Exp $ */
 /*
 * Copyright (c) 2021 David Gwynne
@@ -939,8 +939,27 @@ veb_port_input(struct ifnet *ifp0, struct mbuf *m, void *brport)
 dst = ether_addr_to_e64((struct ether_addr *)eh->ether_dhost);
 /* Is this a MAC Bridge component Reserved address? */
- if (ETH64_IS_8021_RSVD(dst))
- goto drop;
+ if (ETH64_IS_8021_RSVD(dst)) {
+ if (!ISSET(ifp->if_flags, IFF_LINK0)) {
+ /*
+ * letting vlans through implies this is
+ * an s-vlan component.
+ */
+ goto drop;
+ }
+
+ /* look at the last nibble of the 802.1 reserved address */
+ switch (dst & 0xf) {
+ case 0x0: /* Nearest Customer Bridge Group Address */
+ case 0xb: /* EDE-SS PEP (IEEE Std 802.1AEcg) */
+ case 0xc: /* reserved */
+ case 0xd: /* Provider Bridge MVRP Address */
+ case 0xf: /* reserved */
+ break;
+ default:
+ goto drop;
+ }
+ }
 #if NVLAN > 0
 /*
-- 
2.20.1
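Review bot: The comment about s-vlan components sits inside the `!ISSET(ifp->if_flags, IFF_LINK0)` branch in the second hunk, which is the branch that drops, so it reads as if dropping were the s-vlan case. I would move it above the test and word it for both outcomes, for example `/* link0 (vlans allowed) implies an s-vlan component; only then may some reserved groups cross */`. The same comment, or the manual page, should also say that link0 now does more than admit tagged frames: frames sent to the reserved groups ending in 0x0, 0xb, 0xc, 0xd and 0xf are bridged between ports, and the 0x0 group is the one customer bridges use for spanning tree, so an operator who sets link0 only for vlan transit also gets that control traffic carried across. Where `ifp` is assigned is outside the hunk, so I am assuming it is the veb interface rather than the receiving port, and veb_port_input itself continues past the end of the hunk.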