authorDavid Gwynne <dlg@cvs.openbsd.org>2021-02-23 04:40:28 +0000
committerDavid Gwynne <dlg@cvs.openbsd.org>2021-02-23 04:40:28 +0000
commitfc8936f7e4477d854a50d90188b2f90cd0b9e87f (patch)
tree5caa0a58d93798d9a971910aba80b8f72bc9326a
parent65fdd9c0ae6904ca4177e0924859be3c89ebcf63 (diff)
filter MAC Bridge component Reserved address
im considering converting ethernet addresses into uint64_ts to make comparisons (and masking) easier. im trialling it here, and it doesn't seem like the worst.
-rw-r--r--sys/net/if_veb.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c
index 739a451225a..7cb9c91a616 100644
--- a/sys/net/if_veb.c
+++ b/sys/net/if_veb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_veb.c,v 1.1 2021/02/23 03:30:04 dlg Exp $ */
+/* $OpenBSD: if_veb.c,v 1.2 2021/02/23 04:40:27 dlg Exp $ */
/*
* Copyright (c) 2021 David Gwynne <dlg@openbsd.org>
@@ -57,6 +57,18 @@
#include <net/if_vlan_var.h>
#endif
+union veb_addr {
+ struct ether_addr ea;
+ uint64_t word;
+};
+
+static const union veb_addr veb_8021_group = {
+ .ea = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 }
+};
+static const union veb_addr veb_8021_group_mask = {
+ .ea = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0 }
+};
+
struct veb_rule {
TAILQ_ENTRY(veb_rule) vr_entry;
SMR_TAILQ_ENTRY(veb_rule) vr_lentry[2];
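Review bot: The masked `word` comparison is only correct if the two bytes of `word` that `ea` does not cover are zero in `veb_8021_group` and `veb_8021_group_mask`, and both initializers set only `.ea`. Static objects are zero-filled in practice, but nothing here states that invariant; a comment above the union such as `/* bytes of word beyond ea must be zero; always mask before comparing */` would make it explicit. The same remark applies to the `{ .word = 0 }` initializer added for `dst` in veb_port_input. It is also worth one line noting that the test is byte-order independent because the address, mask and pattern all share the same in-memory layout.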
@@ -614,6 +626,7 @@ veb_port_input(struct ifnet *ifp0, struct mbuf *m, void *brport)
struct veb_softc *sc = p->p_veb;
struct ifnet *ifp = &sc->sc_if;
struct ether_header *eh;
+ union veb_addr dst = { .word = 0 };
#if NBPFILTER > 0
caddr_t if_bpf;
#endif
@@ -626,6 +639,13 @@ veb_port_input(struct ifnet *ifp0, struct mbuf *m, void *brport)
if (!ISSET(ifp->if_flags, IFF_RUNNING))
return (m);
+ eh = mtod(m, struct ether_header *);
+ dst.ea = *(struct ether_addr *)eh->ether_dhost;
+
+ /* Is this a MAC Bridge component Reserved address? */
+ if ((dst.word & veb_8021_group_mask.word) == veb_8021_group.word)
+ goto drop;
+
#if NVLAN > 0
/*
* If the underlying interface removed the VLAN header itself,
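Review bot: `mtod(m, struct ether_header *)` is dereferenced here with no length check visible in the hunk, so reading `ether_dhost` is safe only if the caller already guarantees a contiguous Ethernet header in the first mbuf. That is presumably true for a bridge-port input hook, but a short comment stating the assumption would help. The existing comment could also name the range it matches, e.g. `/* 01:80:c2:00:00:00-0f: 802.1 reserved group addresses, not forwarded by a bridge */`, since the mask constant is defined far from this test. The `drop` label and the rest of veb_port_input are outside the hunk, so whether these drops are counted or visible to an operator cannot be confirmed from here.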