git.baikalelectronics.ru Git - kernel.git/commit
bridge: Fix incorrect re-injection of STP packets
author Ido Schimmel <idosch@mellanox.com>
Tue, 7 Jun 2016 09:06:58 +0000 (12:06 +0300)
committer David S. Miller <davem@davemloft.net>
Sat, 11 Jun 2016 05:41:58 +0000 (22:41 -0700)
commit ed88a618fb73dee2610f9bd4984355284f4ffadc
tree ef84fa18a293ad9d0264e37b1c682cb64f745451
parent 1241f7e0f47412f08d50e6b91ba63cff47defb9e

Commit ee08ac34afb6 ("bridge: fix potential use-after-free when hook
returns QUEUE or STOLEN verdict") fixed incorrect usage of NF_HOOK's
return value by consuming packets in okfn via br_pass_frame_up().

However, this function re-injects packets to the Rx path with skb->dev
set to the bridge device, which breaks kernel's STP, as all STP packets
appear to originate from the bridge device itself.

Instead, if STP is enabled and bridge isn't an 802.1ad bridge, then learn
packet's SMAC and inject it back to the Rx path for further processing
by the packet handlers.

The patch also makes netfilter's behavior consistent with regards to
packets destined to the Bridge Group Address, as no hook registered at
LOCAL_IN will ever be called, regardless if STP is enabled or not.

Cc: Florian Westphal <fw@strlen.de>
Cc: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Cc: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Fixes: ee08ac34afb6 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bridge/br_input.c
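
The port-attribution problem described in the commit message, shown as an added user-space model (not code from this commit or from the kernel). All names here (`stp_rcv`, `rx_before_fix`, `rx_after_fix`, the `DEV_*` constants) are hypothetical, and the model assumes the STP handler identifies the ingress port from the frame's device, which is what `skb->dev` stands for in the message.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; names are hypothetical, not kernel code. */
enum { DEV_BR0 = 0, DEV_PORT1 = 1, DEV_PORT2 = 2 };
struct frame { unsigned char smac[6]; int dev; };   /* dev models skb->dev */
struct bridge {
    int stp_enabled, is_8021ad;
    unsigned char fdb_mac[6]; int fdb_port;         /* one-entry FDB */
};

/* Models the STP receive handler (assumption: it derives the ingress port
 * from the frame's dev). Returns the port the BPDU is attributed to, or -1
 * when dev is the bridge itself and no port can be identified. */
static int stp_rcv(const struct frame *f)
{
    return (f->dev == DEV_BR0) ? -1 : f->dev;
}

/* Behaviour the commit message describes as broken: the frame is
 * re-injected with dev rewritten to the bridge device. */
static int rx_before_fix(struct bridge *br, struct frame f)
{
    (void)br;
    f.dev = DEV_BR0;
    return stp_rcv(&f);
}

/* Behaviour described as the fix: with STP on and not 802.1ad, learn the
 * SMAC on the ingress port and pass the frame on with dev untouched.
 * Other configurations are outside this model and return -2. */
static int rx_after_fix(struct bridge *br, struct frame f)
{
    if (!br->stp_enabled || br->is_8021ad)
        return -2;
    memcpy(br->fdb_mac, f.smac, 6);
    br->fdb_port = f.dev;
    return stp_rcv(&f);
}

int main(void)
{
    struct bridge br = { 1, 0, {0}, -1 };
    struct frame bpdu = { {0x02, 0, 0, 0, 0, 0x01}, DEV_PORT2 }; /* constructed */
    int before = rx_before_fix(&br, bpdu);
    int after = rx_after_fix(&br, bpdu);
    printf("before: port %d, after: port %d (learned on %d)\n", before, after, br.fdb_port);
    return 0;
}
```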