Page MenuHomeFreeBSD
Differential D51227

bridge: make 802.1ad (Q-in-Q) configurable
ClosedPublic
Actions

Authored by ivy on Jul 9 2025, 6:41 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Aug 18, 11:17 PM
Unknown Object (File)
Fri, Aug 15, 6:28 AM
Unknown Object (File)
Fri, Aug 15, 3:07 AM
Unknown Object (File)
Thu, Aug 14, 11:12 AM
Unknown Object (File)
Sat, Aug 9, 4:45 PM
Unknown Object (File)
Tue, Aug 5, 7:33 PM
Unknown Object (File)
Thu, Jul 31, 12:10 PM
Unknown Object (File)
Jul 14 2025, 10:37 PM
View All 12 Files
Subscribers
ae
glebius
imp
melifaro
pauamma_gundo.com
ziaee

Details

Reviewers
des
kevans
p.mousavizadeh_protonmail.com
pauamma_gundo.com
Group Reviewers
network
manpages
Commits
rGd43ac3b76ef7: bridge: Make 802.1ad (Q-in-Q) configurable
Summary

Allowing tag stacking by default can permit VLAN-hopping attacks in
certain configurations. To mitigate this, disallow sending Q-in-Q
frames by default unless the new "qinq" option is enabled on the
interface. The bridge flag "defqinq" can be used to restore the
previous behaviour of allowing Q-in-Q on all interfaces.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 65330
Build 62213: arc lint + arc unit

Event Timeline

ivy created this revision.Jul 9 2025, 6:41 PM
Herald added subscribers: ziaee, glebius, melifaro and 2 others. · View Herald TranscriptJul 9 2025, 6:41 PM
ivy requested review of this revision.Jul 9 2025, 6:41 PM
Harbormaster completed remote builds in B65305: Diff 158232.Jul 9 2025, 6:41 PM
ivy added a parent revision: D51185: bridge.4: Improve VLAN documentation.Jul 9 2025, 6:42 PM
ivy added a reviewer: p.mousavizadeh_protonmail.com.
ivy added a reviewer: manpages.
ivy added a child revision: D51228: bridge: make vlanfilter a bridge flag.Jul 9 2025, 7:36 PM
pauamma_gundo.com accepted this revision.Jul 10 2025, 12:42 AM
pauamma_gundo.com added a subscriber: pauamma_gundo.com.

With this typo fixed (either way) the manual page change appears consistent with the change summary.

share/man/man4/bridge.4
555

or maybe "not the interface receiving..."

This revision is now accepted and ready to land.Jul 10 2025, 12:42 AM
ivy updated this revision to Diff 158295.Jul 11 2025, 3:03 AM

tyop fix

This revision now requires review to proceed.Jul 11 2025, 3:03 AM
Harbormaster completed remote builds in B65330: Diff 158295.Jul 11 2025, 3:03 AM
ivy added inline comments.Jul 11 2025, 3:04 AM
share/man/man4/bridge.4
555

to keep plural agreement i changed this to "the interface", which i think is what i meant to write originally.

kevans accepted this revision.Thu, Jul 31, 2:34 PM
This revision is now accepted and ready to land.Thu, Jul 31, 2:34 PM
Closed by commit rGd43ac3b76ef7: bridge: Make 802.1ad (Q-in-Q) configurable (authored by ivy). · Explain WhyTue, Aug 5, 7:26 PM
This revision was automatically updated to reflect the committed changes.
ivy added a commit: rGd43ac3b76ef7: bridge: Make 802.1ad (Q-in-Q) configurable.

Revision Contents
Changeset List

PathSize
sbin/
ifconfig/
18 lines
20 lines
share/
man/
man4/
42 lines
sys/
net/
24 lines
6 lines
tests/
sys/
net/
36 lines

Diff 158295

View Options

sbin/ifconfig/ifbridge.c

Loading...
View Options

sbin/ifconfig/ifconfig.8

Loading...
View Options

share/man/man4/bridge.4

Loading...
View Options

sys/net/if_bridge.c

Loading...
View Options

sys/net/if_bridgevar.h

Loading...
View Options

tests/sys/net/if_bridge_test.sh

Loading...