On Sun, Apr 30, 2023 at 9:03 PM Nicolas Bouliane <nicb...@gmail.com> wrote: > > This makes it possible to prevent port flooding > by simply disabling the discover bit per interface. > --- > sys/net/if_veb.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c > index c5f865b7154..58d48312e41 100644 > --- a/sys/net/if_veb.c > +++ b/sys/net/if_veb.c > @@ -985,7 +985,7 @@ veb_broadcast(struct veb_softc *sc, struct veb_port *rp, struct mbuf *m0, > continue; > } > > - if (!ISSET(tp->p_bif_flags, IFBIF_DISCOVER) && > + if (!ISSET(tp->p_bif_flags, IFBIF_DISCOVER) || > !ISSET(m0->m_flags, M_BCAST | M_MCAST)) { > /* don't flood unknown unicast */ > continue; > --
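Review bot: In the veb_broadcast() condition, changing `&&` to `||` makes the second test, `!ISSET(m0->m_flags, M_BCAST | M_MCAST)`, apply on its own, so a frame with neither flag set is skipped for every port, including ports that still have IFBIF_DISCOVER set. That turns off unknown-unicast flooding bridge-wide instead of per interface as the commit message describes, and it leaves the discover bit with no effect on unicast at all. The first test now also drops broadcast and multicast frames to any port with the bit cleared, which changes what IFBIF_DISCOVER means for existing configurations, and the comment `/* don't flood unknown unicast */` no longer matches the condition. If the goal is to stop all flooding towards a port, test only `!ISSET(tp->p_bif_flags, IFBIF_DISCOVER)` and update the comment, or gate the new behaviour on a separate per-port flag so the current discover semantics stay as they are.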
My patch is half-baked, but I basically want a way to group VMs that are allowed to talk together. The opposite of the "protected" option on the veb bridge.

I spoke directly with David Gwynne on IRC. He gave me some pointers. I will come up with something else.

-Nick