bridge: Implement vlan ingress/egress policy with PVID.

At ingress, any untagged traffic is assigned to the PVID. Any tagged traffic is filtered according to membership bitmap. At egress, if the vlan matches the PVID, the frame is sent untagged. Otherwise the frame is sent tagged. Signed-off-by: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Vlad Yasevich <vyasevic@redhat.com> 2013-02-13 07:00:14 -0500
committer: David S. Miller <davem@davemloft.net> 2013-02-13 19:42:15 -0500
commit: 7885198861fc9a3dfdc6bb90dc0ba12689d6cd57 (patch)
tree: a75ed0f9b3fe72be08dcb13216c87f4f8e37bb75 /net/bridge/br_vlan.c
parent: 6cbdceeb1cb12c7d620161925a8c3e81daadb2e4 (diff)
1 files changed, 78 insertions, 5 deletions
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index f2bf5a197ea3..20057de56db0 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -66,12 +66,68 @@ static void __vlan_flush(struct net_port_vlans *v)
        kfree_rcu(v, rcu);
 }
-/* Called under RCU */
+/* Strip the tag from the packet.  Will return skb with tci set 0.  */
-bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
+static struct sk_buff *br_vlan_untag(struct sk_buff *skb)
-                        struct sk_buff *skb)
+{
+        if (skb->protocol != htons(ETH_P_8021Q)) {
+                skb->vlan_tci = 0;
+                return skb;
+        }
+        skb->vlan_tci = 0;
+        skb = vlan_untag(skb);
+        if (skb)
+                skb->vlan_tci = 0;
+        return skb;
+}
+struct sk_buff *br_handle_vlan(struct net_bridge *br,
+                               const struct net_port_vlans *pv,
+                               struct sk_buff *skb)
 {
        u16 vid;
+        if (!br->vlan_enabled)
+                goto out;
+        /* At this point, we know that the frame was filtered and contains
+         * a valid vlan id.  If the vlan id matches the pvid of current port
+         * send untagged; otherwise, send taged.
+         */
+        br_vlan_get_tag(skb, &vid);
+        if (vid == br_get_pvid(pv))
+                skb = br_vlan_untag(skb);
+        else {
+                /* Egress policy says "send tagged".  If output device
+                 * is the  bridge, we need to add the VLAN header
+                 * ourselves since we'll be going through the RX path.
+                 * Sending to ports puts the frame on the TX path and
+                 * we let dev_hard_start_xmit() add the header.
+                 */
+                if (skb->protocol != htons(ETH_P_8021Q) &&
+                    pv->port_idx == 0) {
+                        /* vlan_put_tag expects skb->data to point to
+                         * mac header.
+                         */
+                        skb_push(skb, ETH_HLEN);
+                        skb = __vlan_put_tag(skb, skb->vlan_tci);
+                        if (!skb)
+                                goto out;
+                        /* put skb->data back to where it was */
+                        skb_pull(skb, ETH_HLEN);
+                        skb->vlan_tci = 0;
+                }
+        }
+out:
+        return skb;
+}
+/* Called under RCU */
+bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
+                        struct sk_buff *skb, u16 *vid)
+{
        /* If VLAN filtering is disabled on the bridge, all packets are
         * permitted.
         */
@@ -84,8 +140,25 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
        if (!v)
                return false;
-        br_vlan_get_tag(skb, &vid);
+        if (br_vlan_get_tag(skb, vid)) {
-        if (test_bit(vid, v->vlan_bitmap))
+                u16 pvid = br_get_pvid(v);
+                /* Frame did not have a tag.  See if pvid is set
+                 * on this port.  That tells us which vlan untagged
+                 * traffic belongs to.
+                 */
+                if (pvid == VLAN_N_VID)
+                        return false;
+                /* PVID is set on this port.  Any untagged ingress
+                 * frame is considered to belong to this vlan.
+                 */
+                __vlan_hwaccel_put_tag(skb, pvid);
+                return true;
+        }
+        /* Frame had a valid vlan tag.  See if vlan is allowed */
+        if (test_bit(*vid, v->vlan_bitmap))
                return true;
        return false;
author	Vlad Yasevich <vyasevic@redhat.com>	2013-02-13 07:00:14 -0500
committer	David S. Miller <davem@davemloft.net>	2013-02-13 19:42:15 -0500
commit	7885198861fc9a3dfdc6bb90dc0ba12689d6cd57 (patch)
tree	a75ed0f9b3fe72be08dcb13216c87f4f8e37bb75 /net/bridge/br_vlan.c
parent	6cbdceeb1cb12c7d620161925a8c3e81daadb2e4 (diff)

diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index f2bf5a197ea3..20057de56db0 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c
@@ -66,12 +66,68 @@ static void __vlan_flush(struct net_port_vlans *v)
66	kfree_rcu(v, rcu);	66	kfree_rcu(v, rcu);
67	}	67	}
68		68
69	/* Called under RCU */	69	/* Strip the tag from the packet. Will return skb with tci set 0. */
70	bool br_allowed_ingress(struct net_bridge br, struct net_port_vlans v,	70	static struct sk_buff br_vlan_untag(struct sk_buff skb)
71	struct sk_buff *skb)	71	{
		72	if (skb->protocol != htons(ETH_P_8021Q)) {
		73	skb->vlan_tci = 0;
		74	return skb;
		75	}
		76
		77	skb->vlan_tci = 0;
		78	skb = vlan_untag(skb);
		79	if (skb)
		80	skb->vlan_tci = 0;
		81
		82	return skb;
		83	}
		84
		85	struct sk_buff br_handle_vlan(struct net_bridge br,
		86	const struct net_port_vlans *pv,
		87	struct sk_buff *skb)
72	{	88	{
73	u16 vid;	89	u16 vid;
74		90
		91	if (!br->vlan_enabled)
		92	goto out;
		93
		94	/* At this point, we know that the frame was filtered and contains
		95	* a valid vlan id. If the vlan id matches the pvid of current port
		96	* send untagged; otherwise, send taged.
		97	*/
		98	br_vlan_get_tag(skb, &vid);
		99	if (vid == br_get_pvid(pv))
		100	skb = br_vlan_untag(skb);
		101	else {
		102	/* Egress policy says "send tagged". If output device
		103	* is the bridge, we need to add the VLAN header
		104	* ourselves since we'll be going through the RX path.
		105	* Sending to ports puts the frame on the TX path and
		106	* we let dev_hard_start_xmit() add the header.
		107	*/
		108	if (skb->protocol != htons(ETH_P_8021Q) &&
		109	pv->port_idx == 0) {
		110	/* vlan_put_tag expects skb->data to point to
		111	* mac header.
		112	*/
		113	skb_push(skb, ETH_HLEN);
		114	skb = __vlan_put_tag(skb, skb->vlan_tci);
		115	if (!skb)
		116	goto out;
		117	/* put skb->data back to where it was */
		118	skb_pull(skb, ETH_HLEN);
		119	skb->vlan_tci = 0;
		120	}
		121	}
		122
		123	out:
		124	return skb;
		125	}
		126
		127	/* Called under RCU */
		128	bool br_allowed_ingress(struct net_bridge br, struct net_port_vlans v,
		129	struct sk_buff skb, u16 vid)
		130	{
75	/* If VLAN filtering is disabled on the bridge, all packets are	131	/* If VLAN filtering is disabled on the bridge, all packets are
76	* permitted.	132	* permitted.
77	*/	133	*/
@@ -84,8 +140,25 @@ bool br_allowed_ingress(struct net_bridge br, struct net_port_vlans v,
84	if (!v)	140	if (!v)
85	return false;	141	return false;
86		142
87	br_vlan_get_tag(skb, &vid);	143	if (br_vlan_get_tag(skb, vid)) {
88	if (test_bit(vid, v->vlan_bitmap))	144	u16 pvid = br_get_pvid(v);
		145
		146	/* Frame did not have a tag. See if pvid is set
		147	* on this port. That tells us which vlan untagged
		148	* traffic belongs to.
		149	*/
		150	if (pvid == VLAN_N_VID)
		151	return false;
		152
		153	/* PVID is set on this port. Any untagged ingress
		154	* frame is considered to belong to this vlan.
		155	*/
		156	__vlan_hwaccel_put_tag(skb, pvid);
		157	return true;
		158	}
		159
		160	/* Frame had a valid vlan tag. See if vlan is allowed */
		161	if (test_bit(*vid, v->vlan_bitmap))
89	return true;	162	return true;
90		163
91	return false;	164	return false;