net: RFC3069, private VLAN proxy arp support

This is to be used together with switch technologies, like RFC3069,
that where the individual ports are not allowed to communicate with
each other, but they are allowed to talk to the upstream router.  As
described in RFC 3069, it is possible to allow these hosts to
communicate through the upstream router by proxy_arp'ing.

This patch basically allow proxy arp replies back to the same
interface (from which the ARP request/solicitation was received).

Tunable per device via proc "proxy_arp_pvlan":
  /proc/sys/net/ipv4/conf/*/proxy_arp_pvlan

This switch technology is known by different vendor names:
 - In RFC 3069 it is called VLAN Aggregation.
 - Cisco and Allied Telesyn call it Private VLAN.
 - Hewlett-Packard call it Source-Port filtering or port-isolation.
 - Ericsson call it MAC-Forced Forwarding (RFC Draft).

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 6 insertions, 1 deletions

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index e446496f564f..1cc339441e7d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1988,8 +1988,13 @@ static int __mkroute_input(struct sk_buff *skb,
         if (skb->protocol != htons(ETH_P_IP)) {
                 /* Not IP (i.e. ARP). Do not create route, if it is
                  * invalid for proxy arp. DNAT routes are always valid.
+                 *
+                 * Proxy arp feature have been extended to allow, ARP
+                 * replies back to the same interface, to support
+                 * Private VLAN switch technologies. See arp.c.
                  */
-                if (out_dev == in_dev) {
+                if (out_dev == in_dev &&
+                    IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0) {
                         err = -EINVAL;
                         goto cleanup;
                 }