From nobody Fri Sep 12 21:04:56 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cNn4T0cwvz66VW1;
	Fri, 12 Sep 2025 21:04:57 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4cNn4S5yDgz3WXj;
	Fri, 12 Sep 2025 21:04:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1757711096;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X0j2DJk10spahD/dx8Mk0f8OpR37Avs8zxXXnECyZwI=;
	b=R7aURAJ8iYUzcyju98jxCso/Jp7a2jTWrOZW3mo6FwmsHFT9EtuyPlR3JAtuE0CkA6l63b
	nr116Evn/sot9WTXuQtQ5RVqJT6MsFSHKfXd6HG4m/UAnd7tOiESnvBnTJ0lQKkNFSGBVp
	AZa7J4xkC0WK+ZfvdZGVh+wA26moRG7T7uwZ8+4DIKOdTrAkhtVPQoIuQUlbkE18kLWGwv
	cQmaEHS+fgI9NoY9/GEgDL0UcO6SFLKTrE0Ea8EdkXZ5U3doU29JEmxag+2fVVdTfVeRu4
	NFKHsBgQ9yAhpaiC2IwswQ07xCYR2iI0ddcekmaebgnrWGutCDOm38nL7hiK2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1757711096;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X0j2DJk10spahD/dx8Mk0f8OpR37Avs8zxXXnECyZwI=;
	b=yoecC1QeW/v2qVL6sPAhoeNS6jnsv7xhb+SfEaBL3yQJxz7kE0qmzHJG4fV2ReZZRWMKyJ
	3zATzRTI57OgzPqgTN6/+f9gvgRo/LOIE1JMWBbA+EFP+KY9zQWp4lwjO1zk0h9I2/Xeu8
	QavQKgds3iSUTpOCc26O5+O+uZjpZmqH+A5KcnIWllDO6I3+o5KJYjBF7r8PZYxywgh6GL
	cvyXjOF6xakUoofHFJKmw0KXbMMixHrMbZawGm5NQloeajHAR6t5ipFfjMWbrwJxHaOPtN
	DM7aFbRUVMDsufxxUGHKx0O9VnuCtL5ext1XUok930JbL2BA+ldvo+15StmqLQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1757711096; a=rsa-sha256; cv=none;
	b=ZGIp7kBHDu5rERH907c6XVNovOBfe7Ylgg35pCmwvB4D91WkuJzDYJSR7f2Czn38qzrcDg
	S6Gkn7gcqCBLxpIeCirKVL1WRe6iUs8Os3uDW/SnbeOOesu4/THffZJJ4rmOOAa1CAay8S
	0ZJSmB5NTP+OVRaQaAgSUcitVmOiiBrcvibQ+C0+sz1oWh65nCNAQHl81G1+hiXS1RlIzQ
	NxTz69czduMJm0ivBaVW5fYRlZheB8+JCPy5DtwAuozmn7dlEM7IoGd0wyOvQMsIi7JEoK
	DgWpZWWFaXFoYP+kdnYrt0JNhhjdmPZLidlKwOq+ULp719u9v3+nICEI0uJKiA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cNn4S51Gmz188Q;
	Fri, 12 Sep 2025 21:04:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 58CL4ufv045345;
	Fri, 12 Sep 2025 21:04:56 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 58CL4uG6045342;
	Fri, 12 Sep 2025 21:04:56 GMT
	(envelope-from git)
Date: Fri, 12 Sep 2025 21:04:56 GMT
Message-Id: <202509122104.58CL4uG6045342@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Lexi Winter <ivy@FreeBSD.org>
Subject: git: 6a888f62413a - main - bridge: Do outbound VLAN filtering
  in bridge_enqueue
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ivy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6a888f62413a1a6117f5053f124c97277ed18484
Auto-Submitted: auto-generated

The branch main has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=6a888f62413a1a6117f5053f124c97277ed18484

commit 6a888f62413a1a6117f5053f124c97277ed18484
Author:     Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-09-12 21:03:00 +0000
Commit:     Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-09-12 21:03:00 +0000

    bridge: Do outbound VLAN filtering in bridge_enqueue
    
    Outbound VLAN filtering wasn't being done for host-originated frames,
    because bridge_output was missing a call to bridge_vfilter_out, like
    in bridge_forward and bridge_broadcast.
    
    Rather than adding another call, move the filtering to bridge_enqueue,
    which ensures all frames will be filtered.  This slightly changes the
    observable behaviour since we now do pfil before vlan filtering, but
    that's probably closer to what users expect anyway.
    
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D52380
---
 sys/net/if_bridge.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index cea7f1cb5e23..d7911a348d87 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -2404,6 +2404,12 @@ bridge_enqueue(struct bridge_softc *sc, struct ifnet *dst_ifp, struct mbuf *m,
 		return (EINVAL);
 	}
 
+	/* Do VLAN filtering. */
+	if (!bridge_vfilter_out(bif, m)) {
+		m_freem(m);
+		return (0);
+	}
+
 	/* We may be sending a fragment so traverse the mbuf */
 	for (; m; m = m0) {
 		m0 = m->m_nextpkt;
@@ -2823,10 +2829,6 @@ bridge_forward(struct bridge_softc *sc, struct bridge_iflist *sbif,
 	if (sbif->bif_flags & dbif->bif_flags & IFBIF_PRIVATE)
 		goto drop;
 
-	/* Do VLAN filtering. */
-	if (!bridge_vfilter_out(dbif, m))
-		goto drop;
-
 	if ((dbif->bif_flags & IFBIF_STP) &&
 	    dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
 		goto drop;
@@ -3195,10 +3197,6 @@ bridge_broadcast(struct bridge_softc *sc, struct ifnet *src_if,
 		if (sbif && (sbif->bif_flags & dbif->bif_flags & IFBIF_PRIVATE))
 			continue;
 
-		/* Do VLAN filtering. */
-		if (!bridge_vfilter_out(dbif, m))
-			continue;
-
 		if ((dbif->bif_flags & IFBIF_STP) &&
 		    dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
 			continue;
@@ -3364,6 +3362,14 @@ bridge_vfilter_out(const struct bridge_iflist *dbif, const struct mbuf *m)
 
 	NET_EPOCH_ASSERT();
 
+	/*
+	 * If the interface is in span mode, then bif_sc will be NULL.
+	 * Since the purpose of span interfaces is to receive all frames,
+	 * pass everything.
+	 */
+	if (dbif->bif_sc == NULL)
+		return (true);
+
 	/* If VLAN filtering isn't enabled, pass everything. */
 	if ((dbif->bif_sc->sc_flags & IFBRF_VLANFILTER) == 0)
 		return (true);