From b01e7c8f456da465be6da4d07c2c30b9872dc840 Mon Sep 17 00:00:00 2001
From: dlg
Date: Tue, 23 Feb 2021 05:23:02 +0000
Subject: [PATCH] implement support for the blocknonip port flag.
---
 sys/net/if_veb.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c
index e9b0a2fd8bb..5e2d522656a 100644
--- a/sys/net/if_veb.c
+++ b/sys/net/if_veb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_veb.c,v 1.3 2021/02/23 05:01:00 dlg Exp $ */
+/* $OpenBSD: if_veb.c,v 1.4 2021/02/23 05:23:02 dlg Exp $ */
 /*
 * Copyright (c) 2021 David Gwynne
@@ -70,7 +70,7 @@ static const union veb_addr veb_8021_group_mask = {
 };
 /* SIOCBRDGIFFLGS, SIOCBRDGIFFLGS */
-#define VEB_IFBIF_FLAGS (IFBIF_LEARNING|IFBIF_DISCOVER)
+#define VEB_IFBIF_FLAGS (IFBIF_LEARNING|IFBIF_DISCOVER|IFBIF_BLOCKNONIP)
 struct veb_rule {
 TAILQ_ENTRY(veb_rule) vr_entry;
@@ -360,6 +360,25 @@ veb_span(struct veb_softc *sc, struct mbuf *m0)
 smr_read_leave();
 }
+static int
+veb_ip_filter(const struct mbuf *m)
+{
+ const struct ether_header *eh;
+
+ eh = mtod(m, struct ether_header *);
+ switch (ntohs(eh->ether_type)) {
+ case ETHERTYPE_IP:
+ case ETHERTYPE_ARP:
+ case ETHERTYPE_REVARP:
+ case ETHERTYPE_IPV6:
+ return (0);
+ default:
+ break;
+ }
+
+ return (1);
+}
+
 static int
 veb_vlan_filter(const struct mbuf *m)
 {
@@ -681,6 +700,10 @@ veb_port_input(struct ifnet *ifp0, struct mbuf *m, void *brport)
 veb_span(sc, m);
+ if (ISSET(p->p_bif_flags, IFBIF_BLOCKNONIP) &&
+ veb_ip_filter(m))
+ goto drop;
+
 if (!ISSET(ifp->if_flags, IFF_LINK2) &&
 veb_vlan_filter(m))
 goto drop;
-- 
2.20.1
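Review bot: veb_ip_filter() returns 1 for a frame that should be dropped and 0 for one that passes, which is easy to misread at the call site, so it deserves a header comment such as `/* returns non-zero if the frame is not IPv4, ARP, RARP or IPv6 */`. The switch looks only at the outer `eh->ether_type`, so a frame whose 802.1Q tag is still in the Ethernet header would be classified as non-IP and dropped on a blocknonip port; that fails closed, but the comment should say so, so that nobody later assumes tagged IP traffic is let through. The header is read through `mtod()` with no length check in this function, so it presumably relies on the caller guaranteeing a contiguous Ethernet header in the first mbuf; that assumption is worth stating in the same comment.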
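Review bot: In veb_port_input() the new blocknonip test runs after `veb_span(sc, m)`, so a frame rejected here has already been copied to the span ports; if that is intended, a one-line comment above the test such as `/* span ports still see frames dropped below */` would make the ordering deliberate rather than accidental. The hunks in this patch apply the flag on input only, while ifconfig(8) describes blocknonip for bridge(4) as also covering frames forwarded to the marked port. If veb is meant to match that, the forwarding path needs the same `ISSET(..., IFBIF_BLOCKNONIP) && veb_ip_filter(m)` test against the destination port's flags; that path is not visible from here, so this needs confirming. veb_port_input() begins and ends outside this hunk.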