authorEric W. Biederman <ebiederm@xmission.com>2015-09-25 17:52:51 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2015-09-29 14:21:32 -0400
commitc1444c6357217cea405415b4c96491d4057b0746 (patch)
tree2edb51f56b43e799ef7e2def66304b6cf5dfb07c
parent5f5d74d723146c5b97c7318b5851af15b30e3304 (diff)
bridge: Pass net into br_validate_ipv4 and br_validate_ipv6
The network namespace is easily available in state->net so use it. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/net/netfilter/br_netfilter.h4
-rw-r--r--net/bridge/br_netfilter_hooks.c19
-rw-r--r--net/bridge/br_netfilter_ipv6.c11
3 files changed, 16 insertions, 18 deletions
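--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -45,12 +45,12 @@ struct net_device *setup_pre_routing(struct sk_buff *skb);
 void br_netfilter_enable(void);
 
 #if IS_ENABLED(CONFIG_IPV6)
-int br_validate_ipv6(struct sk_buff *skb);
+int br_validate_ipv6(struct net *net, struct sk_buff *skb);
 unsigned int br_nf_pre_routing_ipv6(void *priv,
  struct sk_buff *skb,
  const struct nf_hook_state *state);
 #else
-static inline int br_validate_ipv6(struct sk_buff *skb)
+static inline int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 {
  return -1;
 }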
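--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -189,10 +189,9 @@ static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
  * expected format
  */
 
-static int br_validate_ipv4(struct sk_buff *skb)
+static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
 {
  const struct iphdr *iph;
- struct net_device *dev = skb->dev;
  u32 len;
 
  if (!pskb_may_pull(skb, sizeof(struct iphdr)))
@@ -213,13 +212,13 @@ static int br_validate_ipv4(struct sk_buff *skb)
 
  len = ntohs(iph->tot_len);
  if (skb->len < len) {
- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS);
+ IP_INC_STATS_BH(net, IPSTATS_MIB_INTRUNCATEDPKTS);
  goto drop;
  } else if (len < (iph->ihl*4))
  goto inhdr_error;
 
  if (pskb_trim_rcsum(skb, len)) {
- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
+ IP_INC_STATS_BH(net, IPSTATS_MIB_INDISCARDS);
  goto drop;
  }
 
@@ -232,7 +231,7 @@ static int br_validate_ipv4(struct sk_buff *skb)
  return 0;
 
 inhdr_error:
- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
+ IP_INC_STATS_BH(net, IPSTATS_MIB_INHDRERRORS);
 drop:
  return -1;
 }
@@ -497,7 +496,7 @@ static unsigned int br_nf_pre_routing(void *priv,
 
  nf_bridge_pull_encap_header_rcsum(skb);
 
- if (br_validate_ipv4(skb))
+ if (br_validate_ipv4(state->net, skb))
  return NF_DROP;
 
  nf_bridge_put(skb->nf_bridge);
@@ -609,13 +608,13 @@ static unsigned int br_nf_forward_ip(void *priv,
  }
 
  if (pf == NFPROTO_IPV4) {
- if (br_validate_ipv4(skb))
+ if (br_validate_ipv4(state->net, skb))
  return NF_DROP;
  IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
  }
 
  if (pf == NFPROTO_IPV6) {
- if (br_validate_ipv6(skb))
+ if (br_validate_ipv6(state->net, skb))
  return NF_DROP;
  IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
  }
@@ -747,7 +746,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
  if (skb->protocol == htons(ETH_P_IP)) {
  struct brnf_frag_data *data;
 
- if (br_validate_ipv4(skb))
+ if (br_validate_ipv4(net, skb))
  goto drop;
 
  IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
@@ -772,7 +771,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
  const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
  struct brnf_frag_data *data;
 
- if (br_validate_ipv6(skb))
+ if (br_validate_ipv6(net, skb))
  goto drop;
 
  IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;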
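Review bot: br_validate_ipv4 now attributes IPSTATS_MIB_INTRUNCATEDPKTS, IPSTATS_MIB_INDISCARDS and IPSTATS_MIB_INHDRERRORS to whatever `net` the caller passes, where it previously derived the namespace from skb->dev itself, and neither the function nor the comment block ending at the top of the first hunk states what `net` must be. I would extend that comment (whose start lies outside the hunk) with `@net is the namespace the validation stats are charged to; callers pass the namespace skb->dev belongs to (state->net in hook context).` The same applies to br_validate_ipv6 in net/bridge/br_netfilter_ipv6.c, where `idev` is still taken from skb->dev while `net` is now caller-supplied, so the counter and the device it is charged against stay consistent only by convention. Presumably state->net and the `net` argument of br_nf_dev_queue_xmit satisfy this for every caller in this commit, but the contract is worth stating so future callers keep it.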
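--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -100,10 +100,9 @@ bad:
  return -1;
 }
 
-int br_validate_ipv6(struct sk_buff *skb)
+int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 {
  const struct ipv6hdr *hdr;
- struct net_device *dev = skb->dev;
  struct inet6_dev *idev = __in6_dev_get(skb->dev);
  u32 pkt_len;
  u8 ip6h_len = sizeof(struct ipv6hdr);
@@ -123,12 +122,12 @@ int br_validate_ipv6(struct sk_buff *skb)
 
  if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
  if (pkt_len + ip6h_len > skb->len) {
- IP6_INC_STATS_BH(dev_net(dev), idev,
+ IP6_INC_STATS_BH(net, idev,
  IPSTATS_MIB_INTRUNCATEDPKTS);
  goto drop;
  }
  if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
- IP6_INC_STATS_BH(dev_net(dev), idev,
+ IP6_INC_STATS_BH(net, idev,
  IPSTATS_MIB_INDISCARDS);
  goto drop;
  }
@@ -143,7 +142,7 @@ int br_validate_ipv6(struct sk_buff *skb)
  return 0;
 
 inhdr_error:
- IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
+ IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
 drop:
  return -1;
 }
@@ -224,7 +223,7 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
 {
  struct nf_bridge_info *nf_bridge;
 
- if (br_validate_ipv6(skb))
+ if (br_validate_ipv6(state->net, skb))
  return NF_DROP;
 
  nf_bridge_put(skb->nf_bridge);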