bridge: Validate that vlan is permitted on ingress

When a frame arrives on a port or transmitted by the bridge,
if we have VLANs configured, validate that a given VLAN is allowed
to enter the bridge.

Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 25 insertions, 0 deletions

diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 209464ef5242..8b4bcd8ff46e 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -64,6 +64,31 @@ static void __vlan_flush(struct net_port_vlans *v)
         kfree_rcu(v, rcu);
 }
 
+/* Called under RCU */
+bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
+                        struct sk_buff *skb)
+{
+        u16 vid;
+
+        /* If VLAN filtering is disabled on the bridge, all packets are
+         * permitted.
+         */
+        if (!br->vlan_enabled)
+                return true;
+
+        /* If there are no vlan in the permitted list, all packets are
+         * rejected.
+         */
+        if (!v)
+                return false;
+
+        br_vlan_get_tag(skb, &vid);
+        if (test_bit(vid, v->vlan_bitmap))
+                return true;
+
+        return false;
+}
+
 /* Must be protected by RTNL */
 int br_vlan_add(struct net_bridge *br, u16 vid)
 {