[NETFILTER]: bridge netfilter: add deferred output hooks to feature-removal-schedule

Add bridge netfilter deferred output hooks to feature-removal-schedule and disable them by default. Until their removal they will be activated by the physdev match when needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-07-25 01:54:55 -0400
committer: David S. Miller <davem@davemloft.net> 2006-07-25 01:54:55 -0400
commit: 10ea6ac895418bd0d23900e3330daa6ba0836d26 (patch)
tree: 299c04f0a248bf2432f1d729f792221c7ed26515 /net
parent: 28658c8967da9083be83af0a37be3b190bae79da (diff)
2 files changed, 20 insertions, 0 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index cbc8a389a0a8..05b3de888243 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ static int brnf_filter_vlan_tagged = 1;
 #define brnf_filter_vlan_tagged 1
 #endif
+int brnf_deferred_hooks;
+EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
 static __be16 inline vlan_proto(const struct sk_buff *skb)
 {
        return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -890,6 +893,8 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
                                return NF_ACCEPT;
                        else if (ip->version == 6 && !brnf_call_ip6tables)
                                return NF_ACCEPT;
+                        else if (!brnf_deferred_hooks)
+                                return NF_ACCEPT;
 #endif
                        if (hook == NF_IP_POST_ROUTING)
                                return NF_ACCEPT;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 5fe4c9df17f5..a9f4f6f3c628 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -113,6 +113,21 @@ checkentry(const char *tablename,
        if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
            info->bitmask & ~XT_PHYSDEV_OP_MASK)
                return 0;
+        if (brnf_deferred_hooks == 0 &&
+            info->bitmask & XT_PHYSDEV_OP_OUT &&
+            (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
+             info->invert & XT_PHYSDEV_OP_BRIDGED) &&
+            hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
+                         (1 << NF_IP_POST_ROUTING))) {
+                printk(KERN_WARNING "physdev match: using --physdev-out in the "
+                       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
+                       "traffic is deprecated and breaks other things, it will "
+                       "be removed in January 2007. See Documentation/"
+                       "feature-removal-schedule.txt for details. This doesn't "
+                       "affect you in case you're using it for purely bridged "
+                       "traffic.\n");
+                brnf_deferred_hooks = 1;
+        }
        return 1;
 }
author	Patrick McHardy <kaber@trash.net>	2006-07-25 01:54:55 -0400
committer	David S. Miller <davem@davemloft.net>	2006-07-25 01:54:55 -0400
commit	10ea6ac895418bd0d23900e3330daa6ba0836d26 (patch)
tree	299c04f0a248bf2432f1d729f792221c7ed26515 /net
parent	28658c8967da9083be83af0a37be3b190bae79da (diff)

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index cbc8a389a0a8..05b3de888243 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ static int brnf_filter_vlan_tagged = 1;
61	#define brnf_filter_vlan_tagged 1	61	#define brnf_filter_vlan_tagged 1
62	#endif	62	#endif
63		63
		64	int brnf_deferred_hooks;
		65	EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
		66
64	static __be16 inline vlan_proto(const struct sk_buff *skb)	67	static __be16 inline vlan_proto(const struct sk_buff *skb)
65	{	68	{
66	return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;	69	return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -890,6 +893,8 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
890	return NF_ACCEPT;	893	return NF_ACCEPT;
891	else if (ip->version == 6 && !brnf_call_ip6tables)	894	else if (ip->version == 6 && !brnf_call_ip6tables)
892	return NF_ACCEPT;	895	return NF_ACCEPT;
		896	else if (!brnf_deferred_hooks)
		897	return NF_ACCEPT;
893	#endif	898	#endif
894	if (hook == NF_IP_POST_ROUTING)	899	if (hook == NF_IP_POST_ROUTING)
895	return NF_ACCEPT;	900	return NF_ACCEPT;


diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index 5fe4c9df17f5..a9f4f6f3c628 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c
@@ -113,6 +113,21 @@ checkentry(const char *tablename,
113	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) \|\|	113	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) \|\|
114	info->bitmask & ~XT_PHYSDEV_OP_MASK)	114	info->bitmask & ~XT_PHYSDEV_OP_MASK)
115	return 0;	115	return 0;
		116	if (brnf_deferred_hooks == 0 &&
		117	info->bitmask & XT_PHYSDEV_OP_OUT &&
		118	(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) \|\|
		119	info->invert & XT_PHYSDEV_OP_BRIDGED) &&
		120	hook_mask & ((1 << NF_IP_LOCAL_OUT) \| (1 << NF_IP_FORWARD) \|
		121	(1 << NF_IP_POST_ROUTING))) {
		122	printk(KERN_WARNING "physdev match: using --physdev-out in the "
		123	"OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
		124	"traffic is deprecated and breaks other things, it will "
		125	"be removed in January 2007. See Documentation/"
		126	"feature-removal-schedule.txt for details. This doesn't "
		127	"affect you in case you're using it for purely bridged "
		128	"traffic.\n");
		129	brnf_deferred_hooks = 1;
		130	}
116	return 1;	131	return 1;
117	}	132	}
118		133