Date: Fri, 19 Sep 2025 01:19:54 GMT
Message-Id: <202509190119.58J1JsGg067123@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Lexi Winter
Subject: git: bcf3a9e04069 - stable/15 - bridge: Do outbound VLAN filtering in bridge_enqueue
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: ivy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: bcf3a9e04069301679cf12535fb8427ba0e7d239
Auto-Submitted: auto-generated

The branch stable/15 has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=bcf3a9e04069301679cf12535fb8427ba0e7d239

commit bcf3a9e04069301679cf12535fb8427ba0e7d239
Author:     Lexi Winter
AuthorDate: 2025-09-12 21:03:00 +0000
Commit:     Lexi Winter
CommitDate: 2025-09-19 01:17:28 +0000

    bridge: Do outbound VLAN filtering in bridge_enqueue

    Outbound VLAN filtering wasn't being done for host-originated frames,
    because bridge_output was missing a call to bridge_vfilter_out, like
    in bridge_forward and bridge_broadcast.

    Rather than adding another call, move the filtering to bridge_enqueue,
    which ensures all frames will be filtered. This slightly changes the
    observable behaviour since we now do pfil before vlan filtering, but
    that's probably closer to what users expect anyway.

    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D52380

    (cherry picked from commit 6a888f62413a1a6117f5053f124c97277ed18484)

--- sys/net/if_bridge.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index cea7f1cb5e23..d7911a348d87 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c
@@ -2404,6 +2404,12 @@ bridge_enqueue(struct bridge_softc *sc, struct ifnet *dst_ifp, struct mbuf *m, return (EINVAL); } + /* Do VLAN filtering. */ + if (!bridge_vfilter_out(bif, m)) { + m_freem(m); + return (0); + } + /* We may be sending a fragment so traverse the mbuf */ for (; m; m = m0) { m0 = m->m_nextpkt; @@ -2823,10 +2829,6 @@ bridge_forward(struct bridge_softc *sc, struct bridge_iflist *sbif, if (sbif->bif_flags & dbif->bif_flags & IFBIF_PRIVATE) goto drop; - /* Do VLAN filtering. */ - if (!bridge_vfilter_out(dbif, m)) - goto drop; - if ((dbif->bif_flags & IFBIF_STP) && dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) goto drop; @@ -3195,10 +3197,6 @@ bridge_broadcast(struct bridge_softc *sc, struct ifnet *src_if, if (sbif && (sbif->bif_flags & dbif->bif_flags & IFBIF_PRIVATE)) continue; - /* Do VLAN filtering. */ - if (!bridge_vfilter_out(dbif, m)) - continue; - if ((dbif->bif_flags & IFBIF_STP) && dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING) continue; @@ -3364,6 +3362,14 @@ bridge_vfilter_out(const struct bridge_iflist *dbif, const struct mbuf *m) NET_EPOCH_ASSERT(); + /* + * If the interface is in span mode, then bif_sc will be NULL. + * Since the purpose of span interfaces is to receive all frames, + * pass everything. + */ + if (dbif->bif_sc == NULL) + return (true); + /* If VLAN filtering isn't enabled, pass everything. */ if ((dbif->bif_sc->sc_flags & IFBRF_VLANFILTER) == 0) return (true);
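
Review bot: in the new drop path in bridge_enqueue (hunk at -2404), m_freem(m) releases only the first packet, while the loop directly below walks m->m_nextpkt because m may be a chain of fragments. If a fragmented frame can reach this point, the rest of the chain would be leaked whenever bridge_vfilter_out rejects it; consider freeing every packet on the m_nextpkt chain in the drop path, or add a comment stating why only a single packet can arrive here. The drop also returns 0 and touches no counter in the visible lines, so a filtered host-originated frame looks the same to the caller as one that was sent; an output-drop counter would make the filtering observable.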
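
Review bot: removing the "continue" in bridge_broadcast (hunk at -3195) means a member whose VLAN configuration excludes the frame is no longer skipped at this point; it is rejected only once bridge_enqueue runs, after whatever the loop does per member in between. The commit message says pfil now runs before VLAN filtering, so packet-filter rules and their logging will see frames on members that will never transmit them. If that is intended, a one-line comment here saying that VLAN filtering is deferred to bridge_enqueue would keep the check from being re-added later, and the same comment would fit the matching removal in bridge_forward (hunk at -2823).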
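
Review bot: the new "dbif->bif_sc == NULL" test in bridge_vfilter_out (hunk at -3364) recognises span ports by a NULL back-pointer rather than by an explicit property, so any other member that ever has bif_sc unset would also pass every frame regardless of VLAN. Since this function is now the single outbound check for all paths, consider testing the span condition explicitly, or extend the comment to say that a NULL bif_sc cannot occur for a regular member. The check must also stay ahead of the "dbif->bif_sc->sc_flags" dereference in the lines that follow, which is worth saying in the comment.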