-rw-r--r--include/linux/netfilter/nfnetlink_log.h2
-rw-r--r--include/linux/netfilter/nfnetlink_queue.h2
-rw-r--r--net/netfilter/nfnetlink_log.c58
-rw-r--r--net/netfilter/nfnetlink_queue.c58
4 files changed, 120 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/linux/netfilter/nfnetlink_log.h
index 420ff4625cbf..a61836a083e7 100644
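--- a/include/linux/netfilter/nfnetlink_log.h
+++ b/include/linux/netfilter/nfnetlink_log.h
@@ -40,6 +40,8 @@ enum nfulnl_attr_type {
 NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
 NFULA_IFINDEX_INDEV, /* u_int32_t ifindex */
 NFULA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
+NFULA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
+NFULA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
 NFULA_HWADDR, /* nfulnl_msg_packet_hw */
 NFULA_PAYLOAD, /* opaque data payload */
 NFULA_PREFIX, /* string prefix */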
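Review bot: Placing `NFULA_IFINDEX_PHYSINDEV` and `NFULA_IFINDEX_PHYSOUTDEV` between `NFULA_IFINDEX_OUTDEV` and `NFULA_HWADDR` shifts the numeric value of every later attribute, assuming the enumerators carry no explicit values (none are visible in the hunk). A userspace listener built against the old header would then read the new ifindex attributes as `NFULA_HWADDR` or `NFULA_PAYLOAD` and mis-parse data coming from the kernel. Moving the two new lines after the last existing attribute keeps the established numbers stable; the same applies to `NFQA_IFINDEX_PHYSINDEV` and `NFQA_IFINDEX_PHYSOUTDEV` in nfnetlink_queue.h. The enum starts and ends outside the hunk, so its tail is not visible here.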
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index e142b0ff7c08..2d8d2b2cfcaa 100644
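--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -36,6 +36,8 @@ enum nfqnl_attr_type {
 NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
 NFQA_IFINDEX_INDEV, /* u_int32_t ifindex */
 NFQA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
+NFQA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
+NFQA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
 NFQA_HWADDR, /* nfqnl_msg_packet_hw */
 NFQA_PAYLOAD, /* opaque data payload */
 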
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 11584289c262..464c9fa2934b 100644
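--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -33,6 +33,10 @@
 
 #include <asm/atomic.h>
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+#include "../bridge/br_private.h"
+#endif
+
 #define NFULNL_NLBUFSIZ_DEFAULT 4096
 #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
 #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
@@ -412,14 +416,64 @@ __build_packet_message(struct nfulnl_instance *inst,
 
 if (indev) {
 tmp_uint = htonl(indev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV, sizeof(tmp_uint),
 &tmp_uint);
+#else
+if (pf == PF_BRIDGE) {
+/* Case 1: outdev is physical input device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
+sizeof(tmp_uint), &tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(indev->br_port->br->dev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
+sizeof(tmp_uint), &tmp_uint);
+} else {
+/* Case 2: indev is bridge group, we need to look for
+* physical device (when called from ipv4) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
+sizeof(tmp_uint), &tmp_uint);
+if (skb->nf_bridge && skb->nf_bridge->physindev) {
+tmp_uint =
+htonl(skb->nf_bridge->physindev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (outdev) {
 tmp_uint = htonl(outdev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, sizeof(tmp_uint),
 &tmp_uint);
+#else
+if (pf == PF_BRIDGE) {
+/* Case 1: outdev is physical output device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(outdev->br_port->br->dev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+} else {
+/* Case 2: indev is a bridge group, we need to look
+* for physical device (when called from ipv4) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+if (skb->nf_bridge) {
+tmp_uint =
+htonl(skb->nf_bridge->physoutdev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (skb->nfmark) {
@@ -536,6 +590,10 @@ nfulnl_log_packet(unsigned int pf,
 + NFA_SPACE(sizeof(struct nfulnl_msg_packet_hdr))
 + NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
 + NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
+#ifdef CONFIG_BRIDGE_NETFILTER
++ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
++ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
+#endif
 + NFA_SPACE(sizeof(u_int32_t)) /* mark */
 + NFA_SPACE(sizeof(u_int32_t)) /* uid */
 + NFA_SPACE(NFULNL_PREFIXLEN) /* prefix */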
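Review bot: In the non-bridge outdev branch of __build_packet_message the new code tests only `skb->nf_bridge` before reading `skb->nf_bridge->physoutdev->ifindex`, so a bridged skb with no physoutdev set would dereference NULL in the logging path; the indev branch here and both branches in nfnetlink_queue.c also test the device pointer. The guard should read `if (skb->nf_bridge && skb->nf_bridge->physoutdev) {`. The PF_BRIDGE branches follow `indev->br_port->br->dev` and `outdev->br_port->br->dev` with no check on `br_port` (nfnetlink_queue.c does the same); whether it can be NULL on these hooks is not visible here, so either a NULL test or a comment stating the invariant is needed. The comment "Case 1: outdev is physical input device" in the indev block and "Case 2: indev is a bridge group" in the outdev block each name the wrong device. The function starts and ends outside the hunk.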
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 04323ee1eb8d..bf9223084b4a 100644
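--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -30,6 +30,10 @@
 
 #include <asm/atomic.h>
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+#include "../bridge/br_private.h"
+#endif
+
 #define NFQNL_QMAX_DEFAULT 1024
 
 #if 0
@@ -361,6 +365,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 size = NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hdr))
 + NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
 + NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
+#ifdef CONFIG_BRIDGE_NETFILTER
++ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
++ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
+#endif
 + NLMSG_SPACE(sizeof(u_int32_t)) /* mark */
 + NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hw))
 + NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_timestamp));
@@ -412,12 +420,62 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 
 if (entry->info->indev) {
 tmp_uint = htonl(entry->info->indev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), &tmp_uint);
+#else
+if (entry->info->pf == PF_BRIDGE) {
+/* Case 1: indev is physical input device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
+&tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(entry->info->indev->br_port->br->dev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
+&tmp_uint);
+} else {
+/* Case 2: indev is bridge group, we need to look for
+* physical device (when called from ipv4) */
+NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
+&tmp_uint);
+if (entry->skb->nf_bridge
+&& entry->skb->nf_bridge->physindev) {
+tmp_uint = htonl(entry->skb->nf_bridge->physindev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (entry->info->outdev) {
 tmp_uint = htonl(entry->info->outdev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), &tmp_uint);
+#else
+if (entry->info->pf == PF_BRIDGE) {
+/* Case 1: outdev is physical output device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
+&tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(entry->info->outdev->br_port->br->dev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
+&tmp_uint);
+} else {
+/* Case 2: outdev is bridge group, we need to look for
+* physical output device (when called from ipv4) */
+NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
+&tmp_uint);
+if (entry->skb->nf_bridge
+&& entry->skb->nf_bridge->physoutdev) {
+tmp_uint = htonl(entry->skb->nf_bridge->physoutdev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (entry->skb->nfmark) {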