From: Antonio Quartulli
Date: Wed, 9 Oct 2019 14:34:17 +0000 (+0200)
Subject: VLAN: filter multicast and client-to-client unicast traffic
X-Git-Tag: v2.5_beta1~255
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c57ea76a256330314d53999bce3e09644b420f9;p=thirdparty%2Fopenvpn.git
VLAN: filter multicast and client-to-client unicast traffic
With this change, client-to-client communications are possible only if clients were configured with the same PVID. At the same time also broadcast packets are now forwarded only to hosts belonging to the originator VLAN.
Signed-off-by: Fabian Knittel
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Message-Id: <20191009143422.9419-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18922.html
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 95b33e7ab..e733ca9ab 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2643,10 +2643,12 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 }
 else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
 {
+ uint16_t vid = 0;
 #ifdef ENABLE_PF
 struct mroute_addr edest;
 mroute_addr_reset(&edest);
 #endif
+
 if (m->top.options.vlan_tagging)
 {
 if (vlan_is_tagged(&c->c2.to_tun))
@@ -2655,6 +2657,10 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
 c->c2.to_tun.len = 0;
 }
+ else
+ {
+ vid = c->options.vlan_pvid;
+ }
 }
 /* extract packet source and dest addresses */
 mroute_flags = mroute_extract_addr_from_packet(&src,
@@ -2665,7 +2671,7 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 #else
 NULL,
 #endif
- 0,
+ vid,
 &c->c2.to_tun,
 DEV_TYPE_TAP);
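Review bot: `vid` stays 0 in two unrelated situations — VLAN tagging is disabled on the server, and a tagged frame was just dropped via `c->c2.to_tun.len = 0` — while the new `else` branch in the second hunk is the only place it takes a real value, so what 0 means at the `mroute_extract_addr_from_packet` call in the third hunk is not stated anywhere. A comment on that `else`, such as `/* untagged frame: attribute it to this client's configured PVID; vid stays 0 when VLAN tagging is off */`, would make the contract visible at the point where it is decided. Taking the value from `c->options.vlan_pvid` rather than from anything in the frame means the VLAN a client's traffic is attributed to is fixed by server-side configuration, which is the property the commit depends on; presumably `mroute_extract_addr_from_packet` folds `vid` into both `src` and `dest`, but that function is outside this diff. `multi_process_incoming_link` begins and ends outside these hunks.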
@@ -2678,7 +2684,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 {
 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
 {
- multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
+ multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
+ vid);
 }
 else /* try client-to-client routing */
 {
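Review bot: The commit message says client-to-client unicast is now confined to the sender's PVID, but the `else /* try client-to-client routing */` branch at the end of this hunk is unchanged, so the unicast filtering has to happen elsewhere — presumably through the VLAN-qualified `dest` address produced by `mroute_extract_addr_from_packet` with `vid` in the earlier hunk — and a reader of this function cannot confirm that here. If that is the mechanism, rewording the branch comment to `/* try client-to-client routing; dest carries vid, so the lookup only matches a peer in the same PVID */` would tie the two hunks together. The `multi_bcast` call also receives `vid == 0` whenever VLAN tagging is disabled, so `multi_bcast` must treat 0 as "no VLAN restriction" rather than as VLAN 0; its definition is not in this diff, so that assumption is worth checking against it. `multi_process_incoming_link` continues past the end of the hunk.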