Hi,

On Thu, Apr 01, 2010 at 01:49:02PM +0200, David Sommerseth wrote:
> From a security and not the least from a performance perspective, the
> OpenVPN clients should only receive traffic which hits its own VLAN
> (ie. the server does the "filtering" before sending data to the client).
>  I'm not sure if I saw this in code or not ... but if it is in place and
> somebody could point me to the patch which does it, I would be happy.

The patch description (part 0) says so:

----------------- snip -------------------
Packets coming in from the TAP device are assumed to be tagged with
IEEE 802.1Q headers.  OpenVPN removes the tag, remembers the VID and
routes the packet to the destination client(s) on the other side of the
secure tunnel which have a matching VID.
----------------- snip -------------------

I have not yet reviewed the source to check whether this really takes
place.

Something else I need to check: the "standard" mroute code hashes based
on ethernet address (in tap mode).  What happens if the same MAC address
shows up for two different VLAN IDs?  (Not very likely for virtual
ethernet devices, though, but this can happen in real-world scenarios).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

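The question raised above about the same MAC showing up on two VLAN IDs can be made concrete with a small model. The following C program is an added illustration, not OpenVPN's mroute code (which uses a hash table; this toy uses a linear scan and hypothetical client numbers 1 and 2). It builds a learning table twice, once keyed on the MAC alone and once keyed on (VID, MAC), feeds it two clients that both source the same MAC on VLAN 10 and VLAN 20, and then shows which client a lookup for each VLAN resolves to. With the MAC-only key the second learn overwrites the first, so a frame for VLAN 10 would be delivered to the VLAN 20 client, which is exactly the cross-VLAN leak the filtering is meant to prevent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy MAC-learning table (constructed example, not OpenVPN's mroute code). */
#define TABLE_SIZE 8
#define NO_CLIENT  (-1)

typedef struct {
    uint8_t  mac[6];
    uint16_t vid;          /* IEEE 802.1Q VLAN ID (12 bits); 0 = untagged */
} addr_t;

typedef struct {
    int    used;
    addr_t key;
    int    client;         /* hypothetical client index that sourced the key */
} entry_t;

typedef struct {
    entry_t e[TABLE_SIZE];
    int     key_includes_vid;   /* 0: key on MAC only, 1: key on (VID, MAC) */
} table_t;

/* Compare two keys according to the table's keying policy. */
static int keys_equal(const table_t *t, const addr_t *a, const addr_t *b)
{
    if (memcmp(a->mac, b->mac, sizeof a->mac) != 0)
        return 0;
    return t->key_includes_vid ? (a->vid == b->vid) : 1;
}

/* Record that `key` was seen from `client`; an existing entry for the same
 * key is overwritten, as a learning bridge does when a MAC "moves". */
void table_learn(table_t *t, const addr_t *key, int client)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (t->e[i].used && keys_equal(t, &t->e[i].key, key)) {
            t->e[i].client = client;
            return;
        }
    }
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!t->e[i].used) {
            t->e[i].used = 1;
            t->e[i].key = *key;
            t->e[i].client = client;
            return;
        }
    }
    /* table full: silently drop the learn in this toy */
}

/* Return the client a frame addressed to `key` would be forwarded to. */
int table_lookup(const table_t *t, const addr_t *key)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->e[i].used && keys_equal(t, &t->e[i].key, key))
            return t->e[i].client;
    return NO_CLIENT;
}

/* Scenario from the thread: one MAC, two VLAN IDs, two different clients.
 * Writes the lookup result for each VLAN and returns 1 if the two VLANs
 * still resolve to different clients (no cross-VLAN delivery), else 0. */
int same_mac_two_vids(int key_includes_vid, int *client_vid10, int *client_vid20)
{
    table_t t;
    memset(&t, 0, sizeof t);
    t.key_includes_vid = key_includes_vid;

    /* constructed sample: locally administered MAC 02:00:00:00:00:01 */
    addr_t on_vid10 = { {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}, 10 };
    addr_t on_vid20 = { {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}, 20 };

    table_learn(&t, &on_vid10, 1);   /* client 1 sends from VLAN 10 */
    table_learn(&t, &on_vid20, 2);   /* client 2 sends from VLAN 20 */

    *client_vid10 = table_lookup(&t, &on_vid10);
    *client_vid20 = table_lookup(&t, &on_vid20);
    return *client_vid10 != *client_vid20;
}

int main(void)
{
    int c10, c20;
    for (int with_vid = 0; with_vid <= 1; with_vid++) {
        int separated = same_mac_two_vids(with_vid, &c10, &c20);
        printf("key=%s: VLAN10->client %d, VLAN20->client %d, separated=%d\n",
               with_vid ? "(VID,MAC)" : "MAC only", c10, c20, separated);
    }
    return 0;
}
```

With the MAC-only key both lookups return client 2; with the (VID, MAC) key they return clients 1 and 2 respectively. Whatever the real mroute hash does, the check worth making in review is that the VID is part of the key (or that the server verifies the VID before delivery), otherwise a duplicate MAC on a second VLAN silently redirects traffic.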