From patchwork Wed Oct 9 03:34:17 2019
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 857
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Wed, 9 Oct 2019 16:34:17 +0200
Message-Id: <20191009143422.9419-5-a@unstable.cc>
In-Reply-To: <20191009143422.9419-1-a@unstable.cc>
References: <20191009143422.9419-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 4/9] VLAN: filter multicast and client-to-client unicast traffic

With this change, client-to-client communications are possible only if clients were configured with the same PVID. At the same time, broadcast packets are now also forwarded only to hosts belonging to the originator's VLAN.

Signed-off-by: Fabian Knittel
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
---
 src/openvpn/multi.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 95b33e7a..e733ca9a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2643,10 +2643,12 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst } else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP) { + uint16_t vid = 0; #ifdef ENABLE_PF struct mroute_addr edest; mroute_addr_reset(&edest); #endif + if (m->top.options.vlan_tagging) { if (vlan_is_tagged(&c->c2.to_tun)) @@ -2655,6 +2657,10 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame"); c->c2.to_tun.len = 0; } + else + { + vid = c->options.vlan_pvid; + } } /* extract packet source and dest addresses */ mroute_flags = mroute_extract_addr_from_packet(&src, @@ -2665,7 +2671,7 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst #else NULL, #endif - 0, + vid, &c->c2.to_tun, DEV_TYPE_TAP); @@ -2678,7 +2684,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst { if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST)) { - multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0); + multi_bcast(m, &c->c2.to_tun, m->pending, NULL, + vid); } else /* try client-to-client routing */ {
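Review bot: in the second hunk `vid` is only assigned in the `else` of the tagged-frame check, so it stays 0 both when `vlan_tagging` is off and in the drop path, where `c->c2.to_tun.len = 0` is set but the frame still flows on to `mroute_extract_addr_from_packet` with `vid = 0`. A one-line comment at `uint16_t vid = 0;` in the first hunk stating that 0 means "no VLAN, do not filter" would make that intent explicit, and it is worth confirming in review that the zero-length frame is rejected inside `mroute_extract_addr_from_packet` before the broadcast or client-to-client branches are reached.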
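Review bot: the commit message promises PVID filtering of client-to-client unicast, but the fourth hunk only changes the `multi_bcast` call and the `/* try client-to-client routing */` branch is untouched; the unicast restriction must therefore come from the third hunk, where `vid` is passed to `mroute_extract_addr_from_packet` and presumably folded into `src`/`dest` so the route lookup only matches clients on the same VLAN. State that mechanism in the commit message, otherwise a reader of the fourth hunk will look for an explicit PVID comparison that is not there. The same hunk covers `MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST`, so the body should mention multicast as the subject line does, not only broadcast.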