From 827a02f0343c58d3efc3ba3b381ed8de392f71fc Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Fri, 3 Nov 2023 07:58:59 +0100
Subject: [PATCH] bridge: add support for configuring vlans for auth=1,auth_status=false

This allows detecting MAC addresses via FDB learning, or snooping unauthenticated packets on a dedicated VLAN

Signed-off-by: Felix Fietkau
---
 bridge.c | 9 +++++++--
 device.c | 7 +++++++
 device.h | 2 ++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/bridge.c b/bridge.c
index 26f1782..63306c5 100644
--- a/bridge.c
+++ b/bridge.c
@@ -571,14 +571,19 @@ bridge_member_enable_vlans(struct bridge_member *bm)
 struct device *dev = bm->dev.dev;
 struct bridge_vlan *vlan;
 
+ if (dev->settings.auth) {
+ bridge_hotplug_set_member_vlans(bst, dev->config_auth_vlans, bm,
+ !dev->auth_status, true);
+ bridge_hotplug_set_member_vlans(bst, dev->auth_vlans, bm,
+ dev->auth_status, true);
+ }
+
 if (dev->settings.auth && !dev->auth_status)
 return;
 
 bridge_member_add_extra_vlans(bm);
 vlist_for_each_element(&bst->dev.vlans, vlan, node)
 bridge_set_member_vlan(bm, vlan, true);
- if (dev->settings.auth && dev->auth_vlans)
- bridge_hotplug_set_member_vlans(bst, dev->auth_vlans, bm, true, true);
 }
 
 static int
diff --git a/device.c b/device.c
index ec4f11b..9a9e249 100644
--- a/device.c
+++ b/device.c
@@ -63,6 +63,7 @@ static const struct blobmsg_policy dev_attrs[__DEV_ATTR_MAX] = {
 [DEV_ATTR_DROP_UNSOLICITED_NA] = { .name = "drop_unsolicited_na", .type = BLOBMSG_TYPE_BOOL },
 [DEV_ATTR_ARP_ACCEPT] = { .name = "arp_accept", .type = BLOBMSG_TYPE_BOOL },
 [DEV_ATTR_AUTH] = { .name = "auth", .type = BLOBMSG_TYPE_BOOL },
+ [DEV_ATTR_AUTH_VLAN] = { .name = "auth_vlan", BLOBMSG_TYPE_ARRAY },
 [DEV_ATTR_SPEED] = { .name = "speed", .type = BLOBMSG_TYPE_INT32 },
 [DEV_ATTR_DUPLEX] = { .name = "duplex", .type = BLOBMSG_TYPE_BOOL },
 [DEV_ATTR_VLAN] = { .name = "vlan", .type = BLOBMSG_TYPE_ARRAY },
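Review bot: The new `if (dev->settings.auth)` block calls bridge_hotplug_set_member_vlans with `dev->config_auth_vlans` and `dev->auth_vlans` unconditionally, whereas the removed line only made the call when `dev->auth_vlans` was non-NULL; unless the callee tolerates a NULL blob (its body is not in this hunk), an `auth=1` member with no `auth_vlan` option dereferences NULL on the unauthenticated path, and a member whose auth_vlans have not been set yet does so on the authenticated path. If the callee does not already guard, either restore the check per call, `if (dev->config_auth_vlans)` before the first and `if (dev->auth_vlans)` before the second, or add `if (!vlans) return;` at the top of the callee. The pair also deserves a comment on its ordering: on authentication the unauthenticated VLANs are removed before the authenticated ones are added, so the port is never in both, but if this function is also the path taken when auth_status drops back to false the order is reversed and the port briefly sits in both sets; `/* order matters: drop the pre-auth VLANs before granting the authenticated set */`. bridge_member_enable_vlans starts above this hunk (`bst` is declared there).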
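Review bot: The new policy entry `{ .name = "auth_vlan", BLOBMSG_TYPE_ARRAY }` omits the `.type =` designator that every neighbouring entry uses; it still compiles because a positional initializer following a designated one continues with the next member, so it silently depends on `type` being declared immediately after `name` in struct blobmsg_policy. Write it as `[DEV_ATTR_AUTH_VLAN] = { .name = "auth_vlan", .type = BLOBMSG_TYPE_ARRAY },` so a reordering of that struct cannot turn the attribute into a wrong-type or rejected one. The dev_attrs array continues past the end of this hunk.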
@@ -542,6 +543,11 @@ device_init_settings(struct device *dev, struct blob_attr **tb)
 s->autoneg = blobmsg_get_bool(cur);
 s->flags |= DEV_OPT_AUTONEG;
 }
+
+ cur = tb[DEV_ATTR_AUTH_VLAN];
+ free(dev->config_auth_vlans);
+ dev->config_auth_vlans = cur ? blob_memdup(cur) : NULL;
+
 device_set_extra_vlans(dev, tb[DEV_ATTR_VLAN]);
 device_set_disabled(dev, disabled);
 }
@@ -1000,6 +1006,7 @@ device_free(struct device *dev)
 free(dev->auth_vlans);
 free(dev->config);
 device_cleanup(dev);
+ free(dev->config_auth_vlans);
 free(dev->extra_vlan);
 dev->type->free(dev);
 __devlock--;
diff --git a/device.h b/device.h
index 804efb3..12927de 100644
--- a/device.h
+++ b/device.h
@@ -60,6 +60,7 @@ enum {
 DEV_ATTR_DROP_UNSOLICITED_NA,
 DEV_ATTR_ARP_ACCEPT,
 DEV_ATTR_AUTH,
+ DEV_ATTR_AUTH_VLAN,
 DEV_ATTR_SPEED,
 DEV_ATTR_DUPLEX,
 DEV_ATTR_VLAN,
@@ -238,6 +239,7 @@ struct device {
 struct vlist_tree vlans;
 struct kvlist vlan_aliases;
 
+ struct blob_attr *config_auth_vlans;
 struct blob_attr *auth_vlans;
 
 char ifname[IFNAMSIZ];
-- 
2.30.2
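Review bot: `dev->config_auth_vlans = cur ? blob_memdup(cur) : NULL;` stores the result of blob_memdup without checking it, so an allocation failure is indistinguishable from "no auth_vlan configured" and an unauthenticated member would silently end up in no VLAN at all; if the surrounding code treats allocation failure as fatal (not visible here) follow that convention, otherwise at least document the fallback, `/* NULL on allocation failure: behaves as if auth_vlan were unset */`. The policy only constrains `auth_vlan` to be an array and nothing here validates the element types, so whatever consumes config_auth_vlans (presumably the bridge code) has to reject non-string entries; a comment stating that expectation next to the assignment would make the split of responsibility explicit. device_init_settings starts above this hunk; its closing brace is visible.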
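Review bot: `free(dev->config_auth_vlans);` is placed after `device_cleanup(dev);` while its sibling `free(dev->auth_vlans);` sits before it, so the two auth VLAN lists now have different lifetimes relative to cleanup; if device_cleanup can reach bridge code that reads either list (outside this hunk), the earlier free of auth_vlans is a use-after-free and the later placement is the correct one for both. Keep them together after the cleanup call by moving `free(dev->auth_vlans);` down next to `free(dev->config_auth_vlans);`, or add a comment explaining why the order differs. device_free starts above and continues below this hunk.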
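Review bot: The new field `struct blob_attr *config_auth_vlans;` sits next to `auth_vlans` with nothing saying how the two differ, and the names alone do not tell a reader which list applies in which authentication state. From the bridge.c change in this patch, config_auth_vlans holds the `auth_vlan` config option and is applied while `auth_status` is false, and auth_vlans is applied once it is true; a one-line comment on each, `/* "auth_vlan" option: VLANs given to a member while auth=1 and auth_status is false */` and `/* VLANs given to a member once auth_status is true (not assigned in this patch) */`, would make that explicit. The struct device definition continues past the end of this hunk.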