From c91b18e8c5d97391d9843ce0d18600f7eadb6519 Mon Sep 17 00:00:00 2001
From: Christian Weisgerber
Date: Thu, 16 Oct 2008 14:23:36 +0000
Subject: Drop promiscuously received packets if the vlan interface is not in promiscuous mode itself. Closes PR 5012. With claudio@. ok claudio@, henning@
---
 sys/net/if_vlan.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'sys/net')
diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c
index fc1fe501f17..c2f48b5b5e3 100644
--- a/sys/net/if_vlan.c
+++ b/sys/net/if_vlan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_vlan.c,v 1.74 2008/09/02 17:35:16 chl Exp $ */
+/* $OpenBSD: if_vlan.c,v 1.75 2008/10/16 14:23:35 naddy Exp $ */
 /*
 * Copyright 1998 Massachusetts Institute of Technology
@@ -315,6 +315,21 @@ vlan_input(eh, m)
 bpf_mtap_hdr(ifv->ifv_if.if_bpf, (char *)eh, ETHER_HDR_LEN, m, BPF_DIRECTION_IN);
 #endif
+
+ /*
+ * Drop promiscuously received packets if we are not in
+ * promiscuous mode.
+ */
+ if ((m->m_flags & (M_BCAST|M_MCAST)) == 0 &&
+ (ifp->if_flags & IFF_PROMISC) &&
+ (ifv->ifv_if.if_flags & IFF_PROMISC) == 0) {
+ struct arpcom *ac = &ifv->ifv_ac;
+ if (bcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN)) {
+ m_freem(m);
+ return (0);
+ }
+ }
+ ifv->ifv_if.if_ipackets++;
 ether_input(&ifv->ifv_if, eh, m);
-- cgit v1.2.3
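Review bot: The new drop in vlan_input() sits after the `bpf_mtap_hdr()` call shown in the leading context, so a BPF listener attached to the vlan interface still receives unicast frames addressed to other stations whenever the parent is promiscuous, even when the vlan interface is not. If that ordering is deliberate, the comment should say so, for example `/* Frames were already handed to bpf above; only the stack is shielded from unicast not addressed to us. */`; if it is not, the check belongs ahead of the tap. The frames are also freed with `m_freem(m)` and `return (0)` without touching any counter, so these drops are invisible in the interface statistics, which looks worth a follow-up. vlan_input() begins and ends outside this hunk, so how `ifp` is set and what the caller does with the 0 return cannot be checked from here.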