With this change, client-to-client communication is possible only between clients that are configured with the same PVID.
At the same time also broadcast packets are now forwarded only to hosts belonging to the originator VLAN.

Signed-off-by: Fabian Knittel <fabian.knit...@lettink.de>
Signed-off-by: Antonio Quartulli <a...@unstable.cc>
---
 src/openvpn/multi.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 95b33e7a..e733ca9a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2643,10 +2643,12 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 }
 else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
 {
+ uint16_t vid = 0;
 #ifdef ENABLE_PF
 struct mroute_addr edest;
 mroute_addr_reset(&edest);
 #endif
+
 if (m->top.options.vlan_tagging)
 {
 if (vlan_is_tagged(&c->c2.to_tun))
@@ -2655,6 +2657,10 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
 c->c2.to_tun.len = 0;
 }
+ else
+ {
+ vid = c->options.vlan_pvid;
+ }
 }
 /* extract packet source and dest addresses */
 mroute_flags = mroute_extract_addr_from_packet(&src,
@@ -2665,7 +2671,7 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 #else
 NULL,
 #endif
- 0,
+ vid,
 &c->c2.to_tun,
 DEV_TYPE_TAP);
 
@@ -2678,7 +2684,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
 {
 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
 {
- multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
+ multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
+ vid);
 }
 else /* try client-to-client routing */
 {
-- 
2.23.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
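Review bot: In the first hunk `vid` is initialised to 0 and only the untagged branch added in the second hunk overwrites it, so 0 stands both for "VLAN tagging disabled" and for "tagged frame just dropped". In the drop case control still reaches mroute_extract_addr_from_packet() with `vid` 0 and depends on `c->c2.to_tun.len = 0` to keep the frame from being learned or forwarded; that is presumably what happens, but it is not visible here. A comment on the declaration, e.g. `/* 0 = no VLAN filtering; set to the client's PVID only for accepted untagged frames */`, would make the sentinel explicit, and it is worth confirming that option validation never leaves `vlan_pvid` at 0 while `vlan_tagging` is enabled. multi_process_incoming_link() begins and ends outside these hunks.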
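Review bot: The `multi_bcast(..., vid)` call in the last hunk scopes only broadcasts and multicasts that arrive from a client link, and what multi_bcast() does with a `vid` of 0 is not shown in this patch. If 0 means "deliver to every client", a one-line comment at the call such as `/* vid 0: VLAN filtering off, flood to all clients */` would record that this is intended when `vlan_tagging` is disabled. The remaining multi_bcast() callers are outside this diff; they should be checked to pass the frame's own VLAN id rather than a literal 0, otherwise the isolation described in the commit message would hold in this direction only.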