diff options
-rw-r--r-- | include/linux/netfilter_bridge.h | 9 | ||||
-rw-r--r-- | include/net/dst.h | 1 | ||||
-rw-r--r-- | net/bridge/br_forward.c | 1 | ||||
-rw-r--r-- | net/bridge/br_netfilter.c | 8 |
4 files changed, 13 insertions, 6 deletions
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h index 0ddd161f3b0..31d2844e657 100644 --- a/include/linux/netfilter_bridge.h +++ b/include/linux/netfilter_bridge.h | |||
@@ -104,9 +104,18 @@ struct bridge_skb_cb { | |||
104 | } daddr; | 104 | } daddr; |
105 | }; | 105 | }; |
106 | 106 | ||
107 | static inline void br_drop_fake_rtable(struct sk_buff *skb) | ||
108 | { | ||
109 | struct dst_entry *dst = skb_dst(skb); | ||
110 | |||
111 | if (dst && (dst->flags & DST_FAKE_RTABLE)) | ||
112 | skb_dst_drop(skb); | ||
113 | } | ||
114 | |||
107 | #else | 115 | #else |
108 | #define nf_bridge_maybe_copy_header(skb) (0) | 116 | #define nf_bridge_maybe_copy_header(skb) (0) |
109 | #define nf_bridge_pad(skb) (0) | 117 | #define nf_bridge_pad(skb) (0) |
118 | #define br_drop_fake_rtable(skb) do { } while (0) | ||
110 | #endif /* CONFIG_BRIDGE_NETFILTER */ | 119 | #endif /* CONFIG_BRIDGE_NETFILTER */ |
111 | 120 | ||
112 | #endif /* __KERNEL__ */ | 121 | #endif /* __KERNEL__ */ |
diff --git a/include/net/dst.h b/include/net/dst.h index ff4da42fcfc..bed833d9796 100644 --- a/include/net/dst.h +++ b/include/net/dst.h | |||
@@ -59,6 +59,7 @@ struct dst_entry { | |||
59 | #define DST_NOCACHE 0x0010 | 59 | #define DST_NOCACHE 0x0010 |
60 | #define DST_NOCOUNT 0x0020 | 60 | #define DST_NOCOUNT 0x0020 |
61 | #define DST_NOPEER 0x0040 | 61 | #define DST_NOPEER 0x0040 |
62 | #define DST_FAKE_RTABLE 0x0080 | ||
62 | 63 | ||
63 | short error; | 64 | short error; |
64 | short obsolete; | 65 | short obsolete; |
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c index 61f65344e71..a2098e3de50 100644 --- a/net/bridge/br_forward.c +++ b/net/bridge/br_forward.c | |||
@@ -47,6 +47,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb) | |||
47 | kfree_skb(skb); | 47 | kfree_skb(skb); |
48 | } else { | 48 | } else { |
49 | skb_push(skb, ETH_HLEN); | 49 | skb_push(skb, ETH_HLEN); |
50 | br_drop_fake_rtable(skb); | ||
50 | dev_queue_xmit(skb); | 51 | dev_queue_xmit(skb); |
51 | } | 52 | } |
52 | 53 | ||
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index dec4f381713..d7f49b63ab0 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
@@ -156,7 +156,7 @@ void br_netfilter_rtable_init(struct net_bridge *br) | |||
156 | rt->dst.dev = br->dev; | 156 | rt->dst.dev = br->dev; |
157 | rt->dst.path = &rt->dst; | 157 | rt->dst.path = &rt->dst; |
158 | dst_init_metrics(&rt->dst, br_dst_default_metrics, true); | 158 | dst_init_metrics(&rt->dst, br_dst_default_metrics, true); |
159 | rt->dst.flags = DST_NOXFRM | DST_NOPEER; | 159 | rt->dst.flags = DST_NOXFRM | DST_NOPEER | DST_FAKE_RTABLE; |
160 | rt->dst.ops = &fake_dst_ops; | 160 | rt->dst.ops = &fake_dst_ops; |
161 | } | 161 | } |
162 | 162 | ||
@@ -694,11 +694,7 @@ static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb, | |||
694 | const struct net_device *out, | 694 | const struct net_device *out, |
695 | int (*okfn)(struct sk_buff *)) | 695 | int (*okfn)(struct sk_buff *)) |
696 | { | 696 | { |
697 | struct rtable *rt = skb_rtable(skb); | 697 | br_drop_fake_rtable(skb); |
698 | |||
699 | if (rt && rt == bridge_parent_rtable(in)) | ||
700 | skb_dst_drop(skb); | ||
701 | |||
702 | return NF_ACCEPT; | 698 | return NF_ACCEPT; |
703 | } | 699 | } |
704 | 700 | ||