-rw-r--r-- | include/linux/netfilter/nfnetlink_log.h | 2 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_queue.h | 2 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_log.c | 58 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 58 |
4 files changed, 120 insertions, 0 deletions
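--- a/include/linux/netfilter/nfnetlink_log.h
+++ b/include/linux/netfilter/nfnetlink_log.h
@@ -40,6 +40,8 @@ enum nfulnl_attr_type {
 NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
 NFULA_IFINDEX_INDEV, /* u_int32_t ifindex */
 NFULA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
+NFULA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
+NFULA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
 NFULA_HWADDR, /* nfulnl_msg_packet_hw */
 NFULA_PAYLOAD, /* opaque data payload */
 NFULA_PREFIX, /* string prefix */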
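Review bot: The two new attributes are inserted ahead of `NFULA_HWADDR`, and since none of the visible enumerators carries an explicit value, `NFULA_HWADDR`, `NFULA_PAYLOAD`, `NFULA_PREFIX` and anything after them presumably shift by two. This header is shared with userspace, so a program built against the old numbering would read the wrong attribute types from a new kernel. Adding `NFULA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */` and `NFULA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */` after the last existing attribute instead keeps every existing value stable. The same applies to `NFQA_IFINDEX_PHYSINDEV` and `NFQA_IFINDEX_PHYSOUTDEV` in `enum nfqnl_attr_type` in nfnetlink_queue.h. The enum continues outside the hunk, so its tail is not visible here.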
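--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -36,6 +36,8 @@ enum nfqnl_attr_type {
 NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
 NFQA_IFINDEX_INDEV, /* u_int32_t ifindex */
 NFQA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
+NFQA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
+NFQA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
 NFQA_HWADDR, /* nfqnl_msg_packet_hw */
 NFQA_PAYLOAD, /* opaque data payload */
 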
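--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -33,6 +33,10 @@
 
 #include <asm/atomic.h>
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+#include "../bridge/br_private.h"
+#endif
+
 #define NFULNL_NLBUFSIZ_DEFAULT 4096
 #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
 #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
@@ -412,14 +416,64 @@ __build_packet_message(struct nfulnl_instance *inst,
 
 if (indev) {
 tmp_uint = htonl(indev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV, sizeof(tmp_uint),
 &tmp_uint);
+#else
+if (pf == PF_BRIDGE) {
+/* Case 1: outdev is physical input device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
+sizeof(tmp_uint), &tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(indev->br_port->br->dev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
+sizeof(tmp_uint), &tmp_uint);
+} else {
+/* Case 2: indev is bridge group, we need to look for
+* physical device (when called from ipv4) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
+sizeof(tmp_uint), &tmp_uint);
+if (skb->nf_bridge && skb->nf_bridge->physindev) {
+tmp_uint =
+htonl(skb->nf_bridge->physindev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (outdev) {
 tmp_uint = htonl(outdev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, sizeof(tmp_uint),
 &tmp_uint);
+#else
+if (pf == PF_BRIDGE) {
+/* Case 1: outdev is physical output device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(outdev->br_port->br->dev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+} else {
+/* Case 2: indev is a bridge group, we need to look
+* for physical device (when called from ipv4) */
+NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+if (skb->nf_bridge) {
+tmp_uint =
+htonl(skb->nf_bridge->physoutdev->ifindex);
+NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (skb->nfmark) {
@@ -536,6 +590,10 @@ nfulnl_log_packet(unsigned int pf,
 + NFA_SPACE(sizeof(struct nfulnl_msg_packet_hdr))
 + NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
 + NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
+#ifdef CONFIG_BRIDGE_NETFILTER
++ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
++ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
+#endif
 + NFA_SPACE(sizeof(u_int32_t)) /* mark */
 + NFA_SPACE(sizeof(u_int32_t)) /* uid */
 + NFA_SPACE(NFULNL_PREFIXLEN) /* prefix */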
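Review bot: In the non-bridge outdev branch of `__build_packet_message`, `if (skb->nf_bridge) {` tests only `nf_bridge`, but the next statement dereferences `skb->nf_bridge->physoutdev->ifindex`. A packet that has `nf_bridge` set but no `physoutdev` yet would take a NULL dereference in the kernel's logging path. The indev branch above and both branches in nfnetlink_queue.c test the device pointer too, so the guard should read `if (skb->nf_bridge && skb->nf_bridge->physoutdev) {`. Two comments are also copy-paste slips: the indev "Case 1" says "outdev is physical input device", and the outdev "Case 2" says "indev is a bridge group". The function starts and ends outside this hunk.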
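--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -30,6 +30,10 @@
 
 #include <asm/atomic.h>
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+#include "../bridge/br_private.h"
+#endif
+
 #define NFQNL_QMAX_DEFAULT 1024
 
 #if 0
@@ -361,6 +365,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 size = NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hdr))
 + NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
 + NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
+#ifdef CONFIG_BRIDGE_NETFILTER
++ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
++ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
+#endif
 + NLMSG_SPACE(sizeof(u_int32_t)) /* mark */
 + NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hw))
 + NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_timestamp));
@@ -412,12 +420,62 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 
 if (entry->info->indev) {
 tmp_uint = htonl(entry->info->indev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), &tmp_uint);
+#else
+if (entry->info->pf == PF_BRIDGE) {
+/* Case 1: indev is physical input device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
+&tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(entry->info->indev->br_port->br->dev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
+&tmp_uint);
+} else {
+/* Case 2: indev is bridge group, we need to look for
+* physical device (when called from ipv4) */
+NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
+&tmp_uint);
+if (entry->skb->nf_bridge
+&& entry->skb->nf_bridge->physindev) {
+tmp_uint = htonl(entry->skb->nf_bridge->physindev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (entry->info->outdev) {
 tmp_uint = htonl(entry->info->outdev->ifindex);
+#ifndef CONFIG_BRIDGE_NETFILTER
 NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), &tmp_uint);
+#else
+if (entry->info->pf == PF_BRIDGE) {
+/* Case 1: outdev is physical output device, we need to
+* look for bridge group (when called from
+* netfilter_bridge) */
+NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
+&tmp_uint);
+/* this is the bridge group "brX" */
+tmp_uint = htonl(entry->info->outdev->br_port->br->dev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
+&tmp_uint);
+} else {
+/* Case 2: outdev is bridge group, we need to look for
+* physical output device (when called from ipv4) */
+NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
+&tmp_uint);
+if (entry->skb->nf_bridge
+&& entry->skb->nf_bridge->physoutdev) {
+tmp_uint = htonl(entry->skb->nf_bridge->physoutdev->ifindex);
+NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV,
+sizeof(tmp_uint), &tmp_uint);
+}
+}
+#endif
 }
 
 if (entry->skb->nfmark) {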
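Review bot: Both PF_BRIDGE branches in the last hunk walk `entry->info->indev->br_port->br->dev->ifindex` (and the outdev equivalent) without testing `br_port`. Nothing visible here establishes that a device seen with `pf == PF_BRIDGE` is always a bridge port when the message is built. If that invariant holds, it should be stated in a comment such as `/* PF_BRIDGE hooks only pass bridge ports, so br_port is non-NULL */`. If it can fail, the condition could become `if (entry->info->pf == PF_BRIDGE && entry->info->indev->br_port) {` so the code falls back to the plain ifindex attribute instead of faulting. The same unchecked chain appears in the PF_BRIDGE branches of nfnetlink_log.c, and `nfqnl_build_packet_message` continues outside this hunk.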