authorDavid S. Miller <davem@davemloft.net>2015-07-09 03:03:10 -0400
committerDavid S. Miller <davem@davemloft.net>2015-07-09 03:03:10 -0400
commitace15bbb39d7cdfa1f376badbc7e0633eed7d899 (patch)
tree1bb6c202bac16c491307ee05c0e0aa3abc5fa395 /net/bridge
parentc936835c1ec6f871f32c9b87a7708700320075b3 (diff)
parent86e8971800381c3a8d8d9327f83b1f97ccb04a4f (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree. This batch mostly comes with patches to address fallout from the previous merge window cycle, they are: 1) Use entry->state.hook_list from nf_queue() instead of the global nf_hooks which is not valid when used from NFPROTO_NETDEV, this should cause no problems though since we have no userspace queueing for that family, but let's fix this now for the sake of correctness. Patch from Eric W. Biederman. 2) Fix compilation breakage in bridge netfilter if CONFIG_NF_DEFRAG_IPV4 is not set, from Bernhard Thaler. 3) Use percpu jumpstack in arptables too, now that there's a single copy of the rule blob we can't store the return address there anymore. Patch from Florian Westphal. 4) Fix a skb leak in the xmit path of bridge netfilter, problem there since 2.6.37 although it should not be possible to hit invalid traffic there, also from Florian. 5) Eric Leblond reports that when loading a large ruleset with many missing modules after a fresh boot, nf_tables can take a long time to commit it. Fix this by processing the full batch until the end, even on missing modules, then abort only once and restart processing. 6) Add bridge netfilter files to the MAINTAINER files. 7) Fix a net_device refcount leak in the new IPV6 bridge netfilter code, from Julien Grall. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge')
-rw-r--r--net/bridge/br_netfilter_hooks.c16
-rw-r--r--net/bridge/br_netfilter_ipv6.c2
2 files changed, 12 insertions, 6 deletions
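--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -111,7 +111,7 @@ static inline __be16 pppoe_proto(const struct sk_buff *skb)
 /* largest possible L2 header, see br_nf_dev_queue_xmit() */
 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
 
-#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) || IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 struct brnf_frag_data {
 	char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH];
 	u8 encap_size;
@@ -694,6 +694,7 @@ static int br_nf_push_frag_xmit(struct sock *sk, struct sk_buff *skb)
 }
 #endif
 
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
 static int br_nf_ip_fragment(struct sock *sk, struct sk_buff *skb,
 			     int (*output)(struct sock *, struct sk_buff *))
 {
@@ -712,6 +713,7 @@ static int br_nf_ip_fragment(struct sock *sk, struct sk_buff *skb,
 
 	return ip_do_fragment(sk, skb, output);
 }
+#endif
 
 static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
 {
@@ -742,7 +744,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
 		struct brnf_frag_data *data;
 
 		if (br_validate_ipv4(skb))
-			return NF_DROP;
+			goto drop;
 
 		IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
 
@@ -767,7 +769,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
 		struct brnf_frag_data *data;
 
 		if (br_validate_ipv6(skb))
-			return NF_DROP;
+			goto drop;
 
 		IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
 
@@ -782,12 +784,16 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
 
 		if (v6ops)
 			return v6ops->fragment(sk, skb, br_nf_push_frag_xmit);
-		else
-			return -EMSGSIZE;
+
+		kfree_skb(skb);
+		return -EMSGSIZE;
 	}
 #endif
 	nf_bridge_info_free(skb);
 	return br_dev_queue_push_xmit(sk, skb);
+ drop:
+	kfree_skb(skb);
+	return 0;
 }
 
 /* PF_BRIDGE/POST_ROUTING ********************************************/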
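Review bot: The two new free-and-bail paths in br_nf_dev_queue_xmit report the same outcome with different values: the `drop:` label frees the skb and returns 0, while the `v6ops == NULL` branch in the same hunk frees it and returns -EMSGSIZE, and nothing in the hunk says why a caller should see these differently. If the distinction is deliberate it needs a comment at the -EMSGSIZE site, e.g. `/* skb consumed; -EMSGSIZE signals that no IPv6 fragmenter was available */`, otherwise `goto drop;` there would make every drop exit uniform. Note also that `drop:` is placed after the `#endif` while both `goto drop` sites sit inside the conditionally compiled IPv4/IPv6 blocks whose `#if` lines begin outside these hunks, so a configuration with both defrag options disabled would presumably leave the label unreferenced and trigger an unused-label warning; worth confirming against Kconfig. br_nf_dev_queue_xmit begins outside the hunk.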
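--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -104,7 +104,7 @@ int br_validate_ipv6(struct sk_buff *skb)
 {
 	const struct ipv6hdr *hdr;
 	struct net_device *dev = skb->dev;
-	struct inet6_dev *idev = in6_dev_get(skb->dev);
+	struct inet6_dev *idev = __in6_dev_get(skb->dev);
 	u32 pkt_len;
 	u8 ip6h_len = sizeof(struct ipv6hdr);
 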
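Review bot: Switching to `__in6_dev_get()` trades the leaked reference for a lifetime contract: no refcount is taken, so `idev` is only valid while the caller holds rcu_read_lock() (or the RTNL), and every later use of `idev` in br_validate_ipv6 lies outside this hunk, so that cannot be verified here. A comment on the new line would make the requirement visible to the next reader, e.g. `/* no ref taken: idev is valid only under rcu_read_lock() */`. The body of br_validate_ipv6 continues past the hunk.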