bridge: Validate that vlan is permitted on ingress

When a frame arrives on a port or transmitted by the bridge, if we have VLANs configured, validate that a given VLAN is allowed to enter the bridge. Signed-off-by: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Vlad Yasevich <vyasevic@redhat.com> 2013-02-13 12:00:10 +0000
committer: David S. Miller <davem@davemloft.net> 2013-02-13 19:41:46 -0500
commit: a37b85c9fbd1dc69fbec3985763f373203eaf9e3 (patch)
tree: 3585bf258d87459b48b2d94b66dac9de729ef699 /net/bridge/br_input.c
parent: 243a2e63f5f47763b802e9dee8dbf1611a1c1322 (diff)
download: linux-a37b85c9fbd1dc69fbec3985763f373203eaf9e3.tar.gz
linux-a37b85c9fbd1dc69fbec3985763f373203eaf9e3.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 4b34207419b1..4ef3f6b17bd0 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -17,6 +17,7 @@
 #include <linux/etherdevice.h>
 #include <linux/netfilter_bridge.h>
 #include <linux/export.h>
+#include <linux/rculist.h>
 #include "br_private.h"
 
 /* Hook for brouter */
@@ -54,6 +55,9 @@ int br_handle_frame_finish(struct sk_buff *skb)
 	if (!p || p->state == BR_STATE_DISABLED)
 		goto drop;
 
+	if (!br_allowed_ingress(p->br, nbp_get_vlan_info(p), skb))
+		goto drop;
+
 	/* insert into forwarding database after filtering to avoid spoofing */
 	br = p->br;
 	br_fdb_update(br, p, eth_hdr(skb)->h_source);
author	Vlad Yasevich <vyasevic@redhat.com>	2013-02-13 12:00:10 +0000
committer	David S. Miller <davem@davemloft.net>	2013-02-13 19:41:46 -0500
commit	a37b85c9fbd1dc69fbec3985763f373203eaf9e3 (patch)
tree	3585bf258d87459b48b2d94b66dac9de729ef699 /net/bridge/br_input.c
parent	243a2e63f5f47763b802e9dee8dbf1611a1c1322 (diff)
download	linux-a37b85c9fbd1dc69fbec3985763f373203eaf9e3.tar.gz linux-a37b85c9fbd1dc69fbec3985763f373203eaf9e3.tar.xz