diff options
| author | Florian Westphal <fw@strlen.de> | 2012-03-05 20:22:54 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-03-06 14:43:49 -0500 |
| commit | 739e4505a0e8209622dc71743bfa1c804eacf7f4 (patch) | |
| tree | df98d368f510e4e58f93e10bb8c77a8f7094b036 /net/bridge | |
| parent | a157b9d5b5b626e46eba2ac4e342da8db25cabc4 (diff) | |
bridge: netfilter: don't call iptables on vlan packets if sysctl is off
When net.bridge.bridge-nf-filter-vlan-tagged is 0 (default), vlan packets
arriving should not be sent to ip(6)tables by bridge netfilter.
However, it turns out that we currently always send VLAN packets to
netfilter, if ..
a), CONFIG_VLAN_8021Q is enabled ; or
b), CONFIG_VLAN_8021Q is not set but rx vlan offload is enabled
on the bridge port.
This is because bridge netfilter treats skb with
skb->protocol == ETH_P_IP{V6} as "non-vlan packet".
With rx vlan offload on or CONFIG_VLAN_8021Q=y, the vlan header has
already been removed here, and we cannot rely on skb->protocol alone.
Fix this by only using skb->protocol if the skb has no vlan tag,
or if a vlan tag is present and filter-vlan-tagged bridge netfilter
sysctl is enabled.
We cannot remove the skb->protocol == htons(ETH_P_8021Q) test
because the vlan tag is still around in the CONFIG_VLAN_8021Q=n &&
"ethtool -K $itf rxvlan off" case.
reproducer:
iptables -t raw -I PREROUTING -i br0
iptables -t raw -I PREROUTING -i br0.1
Then send packets to an ip address configured on br0.1 interface.
Even with net.bridge.bridge-nf-filter-vlan-tagged=0, the 1st rule
will match instead of the 2nd one.
With this patch applied, the 2nd rule will match instead.
In the non-local address case, netfilter won't be consulted after
this patch unless the sysctl is switched on.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge')
| -rw-r--r-- | net/bridge/br_netfilter.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 84122472656c..dec4f3817133 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
| @@ -62,6 +62,15 @@ static int brnf_filter_pppoe_tagged __read_mostly = 0; | |||
| 62 | #define brnf_filter_pppoe_tagged 0 | 62 | #define brnf_filter_pppoe_tagged 0 |
| 63 | #endif | 63 | #endif |
| 64 | 64 | ||
| 65 | #define IS_IP(skb) \ | ||
| 66 | (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP)) | ||
| 67 | |||
| 68 | #define IS_IPV6(skb) \ | ||
| 69 | (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6)) | ||
| 70 | |||
| 71 | #define IS_ARP(skb) \ | ||
| 72 | (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP)) | ||
| 73 | |||
| 65 | static inline __be16 vlan_proto(const struct sk_buff *skb) | 74 | static inline __be16 vlan_proto(const struct sk_buff *skb) |
| 66 | { | 75 | { |
| 67 | if (vlan_tx_tag_present(skb)) | 76 | if (vlan_tx_tag_present(skb)) |
| @@ -639,8 +648,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, | |||
| 639 | return NF_DROP; | 648 | return NF_DROP; |
| 640 | br = p->br; | 649 | br = p->br; |
| 641 | 650 | ||
| 642 | if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || | 651 | if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) { |
| 643 | IS_PPPOE_IPV6(skb)) { | ||
| 644 | if (!brnf_call_ip6tables && !br->nf_call_ip6tables) | 652 | if (!brnf_call_ip6tables && !br->nf_call_ip6tables) |
| 645 | return NF_ACCEPT; | 653 | return NF_ACCEPT; |
| 646 | 654 | ||
| @@ -651,8 +659,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, | |||
| 651 | if (!brnf_call_iptables && !br->nf_call_iptables) | 659 | if (!brnf_call_iptables && !br->nf_call_iptables) |
| 652 | return NF_ACCEPT; | 660 | return NF_ACCEPT; |
| 653 | 661 | ||
| 654 | if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) && | 662 | if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb)) |
| 655 | !IS_PPPOE_IP(skb)) | ||
| 656 | return NF_ACCEPT; | 663 | return NF_ACCEPT; |
| 657 | 664 | ||
| 658 | nf_bridge_pull_encap_header_rcsum(skb); | 665 | nf_bridge_pull_encap_header_rcsum(skb); |
| @@ -701,7 +708,7 @@ static int br_nf_forward_finish(struct sk_buff *skb) | |||
| 701 | struct nf_bridge_info *nf_bridge = skb->nf_bridge; | 708 | struct nf_bridge_info *nf_bridge = skb->nf_bridge; |
| 702 | struct net_device *in; | 709 | struct net_device *in; |
| 703 | 710 | ||
| 704 | if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP(skb)) { | 711 | if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) { |
| 705 | in = nf_bridge->physindev; | 712 | in = nf_bridge->physindev; |
| 706 | if (nf_bridge->mask & BRNF_PKT_TYPE) { | 713 | if (nf_bridge->mask & BRNF_PKT_TYPE) { |
| 707 | skb->pkt_type = PACKET_OTHERHOST; | 714 | skb->pkt_type = PACKET_OTHERHOST; |
| @@ -718,6 +725,7 @@ static int br_nf_forward_finish(struct sk_buff *skb) | |||
| 718 | return 0; | 725 | return 0; |
| 719 | } | 726 | } |
| 720 | 727 | ||
| 728 | |||
| 721 | /* This is the 'purely bridged' case. For IP, we pass the packet to | 729 | /* This is the 'purely bridged' case. For IP, we pass the packet to |
| 722 | * netfilter with indev and outdev set to the bridge device, | 730 | * netfilter with indev and outdev set to the bridge device, |
| 723 | * but we are still able to filter on the 'real' indev/outdev | 731 | * but we are still able to filter on the 'real' indev/outdev |
| @@ -744,11 +752,9 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb, | |||
| 744 | if (!parent) | 752 | if (!parent) |
| 745 | return NF_DROP; | 753 | return NF_DROP; |
| 746 | 754 | ||
| 747 | if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) || | 755 | if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb)) |
| 748 | IS_PPPOE_IP(skb)) | ||
| 749 | pf = PF_INET; | 756 | pf = PF_INET; |
| 750 | else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || | 757 | else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) |
| 751 | IS_PPPOE_IPV6(skb)) | ||
| 752 | pf = PF_INET6; | 758 | pf = PF_INET6; |
| 753 | else | 759 | else |
| 754 | return NF_ACCEPT; | 760 | return NF_ACCEPT; |
| @@ -795,7 +801,7 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb, | |||
| 795 | if (!brnf_call_arptables && !br->nf_call_arptables) | 801 | if (!brnf_call_arptables && !br->nf_call_arptables) |
| 796 | return NF_ACCEPT; | 802 | return NF_ACCEPT; |
| 797 | 803 | ||
| 798 | if (skb->protocol != htons(ETH_P_ARP)) { | 804 | if (!IS_ARP(skb)) { |
| 799 | if (!IS_VLAN_ARP(skb)) | 805 | if (!IS_VLAN_ARP(skb)) |
| 800 | return NF_ACCEPT; | 806 | return NF_ACCEPT; |
| 801 | nf_bridge_pull_encap_header(skb); | 807 | nf_bridge_pull_encap_header(skb); |
| @@ -853,11 +859,9 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb, | |||
| 853 | if (!realoutdev) | 859 | if (!realoutdev) |
| 854 | return NF_DROP; | 860 | return NF_DROP; |
| 855 | 861 | ||
| 856 | if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) || | 862 | if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb)) |
| 857 | IS_PPPOE_IP(skb)) | ||
| 858 | pf = PF_INET; | 863 | pf = PF_INET; |
| 859 | else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || | 864 | else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) |
| 860 | IS_PPPOE_IPV6(skb)) | ||
| 861 | pf = PF_INET6; | 865 | pf = PF_INET6; |
| 862 | else | 866 | else |
| 863 | return NF_ACCEPT; | 867 | return NF_ACCEPT; |