author | Vlad Yasevich <vyasevic@redhat.com> | 2013-02-13 12:00:10 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-02-13 19:41:46 -0500 |
commit | a37b85c9fbd1dc69fbec3985763f373203eaf9e3 (patch) | |
tree | 3585bf258d87459b48b2d94b66dac9de729ef699 /net/bridge/br_private.h | |
parent | 243a2e63f5f47763b802e9dee8dbf1611a1c1322 (diff) | |
bridge: Validate that vlan is permitted on ingress
When a frame arrives on a port or is transmitted by the bridge,
if we have VLANs configured, validate that a given VLAN is allowed
to enter the bridge.
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge/br_private.h')
-rw-r--r-- | net/bridge/br_private.h | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 1f3b309beea8..ed7c764ee9da 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -552,6 +552,8 @@ static inline void br_mdb_uninit(void)
 /* br_vlan.c */
 #ifdef CONFIG_BRIDGE_VLAN_FILTERING
+extern bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
+ struct sk_buff *skb);
 extern int br_vlan_add(struct net_bridge *br, u16 vid);
 extern int br_vlan_delete(struct net_bridge *br, u16 vid);
 extern void br_vlan_flush(struct net_bridge *br);
@@ -559,7 +561,43 @@ extern int br_vlan_filter_toggle(struct net_bridge *br, unsigned long val);
 extern int nbp_vlan_add(struct net_bridge_port *port, u16 vid);
 extern int nbp_vlan_delete(struct net_bridge_port *port, u16 vid);
 extern void nbp_vlan_flush(struct net_bridge_port *port);
+
+static inline struct net_port_vlans *br_get_vlan_info(
+ const struct net_bridge *br)
+{
+ return rcu_dereference(br->vlan_info);
+}
+
+static inline struct net_port_vlans *nbp_get_vlan_info(
+ const struct net_bridge_port *p)
+{
+ return rcu_dereference(p->vlan_info);
+}
+
+/* Since bridge now depends on 8021Q module, but the time bridge sees the
+ * skb, the vlan tag will always be present if the frame was tagged.
+ */
+static inline int br_vlan_get_tag(const struct sk_buff *skb, u16 *vid)
+{
+ int err = 0;
+
+ if (vlan_tx_tag_present(skb))
+ *vid = vlan_tx_tag_get(skb) & VLAN_VID_MASK;
+ else {
+ *vid = 0;
+ err = -EINVAL;
+ }
+
+ return err;
+}
 #else
+static inline bool br_allowed_ingress(struct net_bridge *br,
+ struct net_port_vlans *v,
+ struct sk_buff *skb)
+{
+ return true;
+}
+
 static inline int br_vlan_add(struct net_bridge *br, u16 vid)
 {
 return -EOPNOTSUPP;
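Review bot: `br_get_vlan_info()` and `nbp_get_vlan_info()` in the second hunk use plain `rcu_dereference()`, which is only valid inside an RCU read-side critical section, and nothing in the header states that requirement. Their callers are not visible in this file; if any of them runs from a configuration path that holds only RTNL, lockdep will complain and the returned pointer is not protected by the lock the caller actually holds. I would either document the contract above each helper, e.g. `/* Caller must hold rcu_read_lock(). */`, or use `return rcu_dereference_rtnl(br->vlan_info);` (and the same for `p->vlan_info`) so that both contexts are accepted.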
@@ -588,6 +626,21 @@ static inline void nbp_vlan_flush(struct net_bridge_port *port)
 {
 }
+static inline struct net_port_vlans *br_get_vlan_info(
+ const struct net_bridge *br)
+{
+ return NULL;
+}
+static inline struct net_port_vlans *nbp_get_vlan_info(
+ const struct net_bridge_port *p)
+{
+ return NULL;
+}
+
+static inline u16 br_vlan_get_tag(const struct sk_buff *skb)
+{
+ return 0;
+}
 #endif
 /* br_netfilter.c */ |
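Review bot: The `!CONFIG_BRIDGE_VLAN_FILTERING` stub of `br_vlan_get_tag()` at the end of this hunk does not match the real helper added in the second hunk: the stub is `u16 br_vlan_get_tag(const struct sk_buff *skb)`, while the filtering build declares `int br_vlan_get_tag(const struct sk_buff *skb, u16 *vid)`. Any caller that is compiled in both configurations and written against the two-argument form will fail to build with filtering disabled, and the stub's return of 0 reads as "success" under the real helper's error-code convention without ever setting a VLAN id. The stub should carry the same prototype, `static inline int br_vlan_get_tag(const struct sk_buff *skb, u16 *vid)`, with a body such as `*vid = 0; return -EINVAL;`; the right return value depends on what callers expect when filtering is compiled out, which this file does not show.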