From fc8936f7e4477d854a50d90188b2f90cd0b9e87f Mon Sep 17 00:00:00 2001
From: David Gwynne
Date: Tue, 23 Feb 2021 04:40:28 +0000
Subject: filter MAC Bridge component Reserved address

im considering converting ethernet addresses into uint64_ts to make comparisons (and masking) easier. im trialling it here, and it doesn't seem like the worst.
---
 sys/net/if_veb.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c
index 739a451225a..7cb9c91a616 100644
--- a/sys/net/if_veb.c
+++ b/sys/net/if_veb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_veb.c,v 1.1 2021/02/23 03:30:04 dlg Exp $ */
+/* $OpenBSD: if_veb.c,v 1.2 2021/02/23 04:40:27 dlg Exp $ */

 /*
 * Copyright (c) 2021 David Gwynne
@@ -57,6 +57,18 @@
 #include
 #endif

+union veb_addr {
+ struct ether_addr ea;
+ uint64_t word;
+};
+
+static const union veb_addr veb_8021_group = {
+ .ea = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 }
+};
+static const union veb_addr veb_8021_group_mask = {
+ .ea = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0 }
+};
+
 struct veb_rule {
 TAILQ_ENTRY(veb_rule) vr_entry;
 SMR_TAILQ_ENTRY(veb_rule) vr_lentry[2];
@@ -614,6 +626,7 @@ veb_port_input(struct ifnet *ifp0, struct mbuf *m, void *brport)
 struct veb_softc *sc = p->p_veb;
 struct ifnet *ifp = &sc->sc_if;
 struct ether_header *eh;
+ union veb_addr dst = { .word = 0 };
 #if NBPFILTER > 0
 caddr_t if_bpf;
 #endif
@@ -626,6 +639,13 @@ veb_port_input(struct ifnet *ifp0, struct mbuf *m, void *brport)
 if (!ISSET(ifp->if_flags, IFF_RUNNING))
 return (m);

+ eh = mtod(m, struct ether_header *);
+ dst.ea = *(struct ether_addr *)eh->ether_dhost;
+
+ /* Is this a MAC Bridge component Reserved address? */
+ if ((dst.word & veb_8021_group_mask.word) == veb_8021_group.word)
+ goto drop;
+
 #if NVLAN > 0
 /*
 * If the underlying interface removed the VLAN header itself,
--
cgit v1.2.3
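Review bot: The `word` comparison that `union veb_addr` enables depends on the two bytes of `word` not covered by `ea` being zero in both `veb_8021_group` and `veb_8021_group_mask`, and nothing at the definition records that. Both constants are initialised through `.ea` only, and as far as I can tell C11 does not promise the value of union bytes outside the initialised member, even though compilers zero them for static objects in practice. If the tail of `veb_8021_group` were ever non-zero while the mask's tail was zero, the match in veb_port_input would never succeed and reserved frames would be forwarded. I would add a comment above the union such as `/* bytes of word beyond ea must be zero in the group and mask constants */`. The masking also makes the tail bytes of `dst` irrelevant, which is worth stating next to its `{ .word = 0 }` initialiser in the third hunk.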
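Review bot: `eh = mtod(m, struct ether_header *)` is dereferenced in the last hunk before any length check that is visible here, so the new filter relies on the caller having made a full Ethernet header contiguous in the first mbuf. If the input path guarantees that, recording it with `KASSERT(m->m_len >= sizeof(*eh));` or a one-line comment would keep the assumption from being lost when the function is reordered. The comment on the check could also name the range the mask selects, for example `/* 01-80-C2-00-00-00 to -0F: STP, LACP, 802.1X, LLDP etc. must not cross the bridge */`, so that anyone loosening the filter later sees which control protocols it stops from crossing the bridge. veb_port_input starts before and continues after this hunk, so the `drop` path and the position of the bpf tap relative to this check cannot be judged from here.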