Page MenuHomeFreeBSD
Differential D51227

bridge: make 802.1ad (Q-in-Q) configurable
ClosedPublic
Actions

Authored by ivy on Jul 9 2025, 6:41 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Oct 11, 3:16 AM
Unknown Object (File)
Sat, Oct 11, 3:16 AM
Unknown Object (File)
Sat, Oct 11, 3:16 AM
Unknown Object (File)
Sat, Oct 11, 3:16 AM
Unknown Object (File)
Fri, Oct 10, 8:25 PM
Unknown Object (File)
Fri, Oct 10, 2:48 AM
Unknown Object (File)
Mon, Sep 22, 12:58 AM
Unknown Object (File)
Sep 12 2025, 7:01 AM
View All 28 Files
Subscribers
ae
glebius
imp
melifaro
pauamma_gundo.com
ziaee

Details

Reviewers
des
kevans
p.mousavizadeh_protonmail.com
pauamma_gundo.com
Group Reviewers
network
manpages
Commits
rGd43ac3b76ef7: bridge: Make 802.1ad (Q-in-Q) configurable
Summary

Allowing tag stacking by default can permit VLAN-hopping attacks in
certain configurations. To mitigate this, disallow sending Q-in-Q
frames by default unless the new "qinq" option is enabled on the
interface. The bridge flag "defqinq" can be used to restore the
previous behaviour of allowing Q-in-Q on all interfaces.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ivy created this revision.Jul 9 2025, 6:41 PM
Herald added subscribers: ziaee, glebius, melifaro and 2 others. · View Herald TranscriptJul 9 2025, 6:41 PM
ivy requested review of this revision.Jul 9 2025, 6:41 PM
Harbormaster completed remote builds in B65305: Diff 158232.Jul 9 2025, 6:41 PM
ivy added a parent revision: D51185: bridge.4: Improve VLAN documentation.Jul 9 2025, 6:42 PM
ivy added a reviewer: p.mousavizadeh_protonmail.com.
ivy added a reviewer: manpages.
ivy added a child revision: D51228: bridge: make vlanfilter a bridge flag.Jul 9 2025, 7:36 PM
pauamma_gundo.com accepted this revision.Jul 10 2025, 12:42 AM
pauamma_gundo.com added a subscriber: pauamma_gundo.com.

With this typo fixed (either way) the manual page change appears consistent with the change summary.

share/man/man4/bridge.4
555 ↗(On Diff #158232)

or maybe "not the interface receiving..."

This revision is now accepted and ready to land.Jul 10 2025, 12:42 AM
ivy updated this revision to Diff 158295.Jul 11 2025, 3:03 AM

tyop fix

This revision now requires review to proceed.Jul 11 2025, 3:03 AM
Harbormaster completed remote builds in B65330: Diff 158295.Jul 11 2025, 3:03 AM
ivy added inline comments.Jul 11 2025, 3:04 AM
share/man/man4/bridge.4
555 ↗(On Diff #158232)

to keep plural agreement i changed this to "the interface", which i think is what i meant to write originally.

kevans accepted this revision.Jul 31 2025, 2:34 PM
This revision is now accepted and ready to land.Jul 31 2025, 2:34 PM
Closed by commit rGd43ac3b76ef7: bridge: Make 802.1ad (Q-in-Q) configurable (authored by ivy). · Explain WhyAug 5 2025, 7:26 PM
This revision was automatically updated to reflect the committed changes.
ivy added a commit: rGd43ac3b76ef7: bridge: Make 802.1ad (Q-in-Q) configurable.

Revision Contents
Changeset List

PathSize
sbin/
ifconfig/
18 lines
20 lines
sys/
net/
24 lines
8 lines
tests/
sys/
net/
36 lines

Diff 159803

View Options

sbin/ifconfig/ifbridge.c

Loading...
View Options

sbin/ifconfig/ifconfig.8

Loading...
View Options

sys/net/if_bridge.c

Loading...
View Options

sys/net/if_bridgevar.h

Loading...
View Options

tests/sys/net/if_bridge_test.sh

Loading...