-rw-r--r-- | net/bridge/br_netfilter.c | 50 |
1 files changed, 27 insertions, 23 deletions
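diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index ea34aa505af2..6fc9ecc4eb39 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -61,15 +61,25 @@ static int brnf_filter_vlan_tagged = 1;
 #define brnf_filter_vlan_tagged 1
 #endif
 
-#define IS_VLAN_IP (skb->protocol == htons(ETH_P_8021Q) && \
-hdr->h_vlan_encapsulated_proto == htons(ETH_P_IP) && \
-brnf_filter_vlan_tagged)
-#define IS_VLAN_IPV6 (skb->protocol == htons(ETH_P_8021Q) && \
-hdr->h_vlan_encapsulated_proto == htons(ETH_P_IPV6) && \
-brnf_filter_vlan_tagged)
-#define IS_VLAN_ARP (skb->protocol == htons(ETH_P_8021Q) && \
-hdr->h_vlan_encapsulated_proto == htons(ETH_P_ARP) && \
-brnf_filter_vlan_tagged)
+static __be16 inline vlan_proto(const struct sk_buff *skb)
+{
+return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
+}
+
+#define IS_VLAN_IP(skb) \
+(skb->protocol == htons(ETH_P_8021Q) && \
+vlan_proto(skb) == htons(ETH_P_IP) && \
+brnf_filter_vlan_tagged)
+
+#define IS_VLAN_IPV6(skb) \
+(skb->protocol == htons(ETH_P_8021Q) && \
+vlan_proto(skb) == htons(ETH_P_IPV6) &&\
+brnf_filter_vlan_tagged)
+
+#define IS_VLAN_ARP(skb) \
+(skb->protocol == htons(ETH_P_8021Q) && \
+vlan_proto(skb) == htons(ETH_P_ARP) && \
+brnf_filter_vlan_tagged)
 
 /* We need these fake structures to make netfilter happy --
 * lots of places assume that skb->dst != NULL, which isn't
@@ -419,9 +429,8 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
 __u32 len;
 struct sk_buff *skb = *pskb;
 struct nf_bridge_info *nf_bridge;
-struct vlan_ethhdr *hdr = vlan_eth_hdr(*pskb);
 
-if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6) {
+if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb)) {
 #ifdef CONFIG_SYSCTL
 if (!brnf_call_ip6tables)
 return NF_ACCEPT;
@@ -440,7 +449,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
 return NF_ACCEPT;
 #endif
 
-if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP)
+if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb))
 return NF_ACCEPT;
 
 if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
@@ -521,9 +530,8 @@ static int br_nf_forward_finish(struct sk_buff *skb)
 {
 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 struct net_device *in;
-struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 
-if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP) {
+if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP(skb)) {
 in = nf_bridge->physindev;
 if (nf_bridge->mask & BRNF_PKT_TYPE) {
 skb->pkt_type = PACKET_OTHERHOST;
@@ -553,7 +561,6 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
 {
 struct sk_buff *skb = *pskb;
 struct nf_bridge_info *nf_bridge;
-struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 struct net_device *parent;
 int pf;
 
@@ -564,7 +571,7 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
 if (!parent)
 return NF_DROP;
 
-if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP)
+if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
 pf = PF_INET;
 else
 pf = PF_INET6;
@@ -596,7 +603,6 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff **pskb,
 int (*okfn)(struct sk_buff *))
 {
 struct sk_buff *skb = *pskb;
-struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 struct net_device **d = (struct net_device **)(skb->cb);
 
 #ifdef CONFIG_SYSCTL
@@ -605,14 +611,14 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff **pskb,
 #endif
 
 if (skb->protocol != htons(ETH_P_ARP)) {
-if (!IS_VLAN_ARP)
+if (!IS_VLAN_ARP(skb))
 return NF_ACCEPT;
 skb_pull(*pskb, VLAN_HLEN);
 (*pskb)->nh.raw += VLAN_HLEN;
 }
 
 if (skb->nh.arph->ar_pln != 4) {
-if (IS_VLAN_ARP) {
+if (IS_VLAN_ARP(skb)) {
 skb_push(*pskb, VLAN_HLEN);
 (*pskb)->nh.raw -= VLAN_HLEN;
 }
@@ -667,13 +673,12 @@ static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb,
 struct net_device *realindev, *realoutdev;
 struct sk_buff *skb = *pskb;
 struct nf_bridge_info *nf_bridge;
-struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 int pf;
 
 if (!skb->nf_bridge)
 return NF_ACCEPT;
 
-if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP)
+if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
 pf = PF_INET;
 else
 pf = PF_INET6;
@@ -752,7 +757,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
 {
 struct sk_buff *skb = *pskb;
 struct nf_bridge_info *nf_bridge = (*pskb)->nf_bridge;
-struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 struct net_device *realoutdev = bridge_parent(skb->dev);
 int pf;
 
@@ -772,7 +776,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
 if (!realoutdev)
 return NF_DROP;
 
-if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP)
+if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb))
 pf = PF_INET;
 else
 pf = PF_INET6;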
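Review bot: The new `vlan_proto()` helper in the first hunk dereferences `vlan_eth_hdr(skb)->h_vlan_encapsulated_proto` with no visible check that the frame actually carries a full VLAN header. The `IS_VLAN_*` macros gate it only on `skb->protocol == htons(ETH_P_8021Q)`, so a truncated tagged frame would presumably have the encapsulated protocol read from beyond its valid data. The hook bodies run outside these hunks, so a length check may exist elsewhere; if not, each hook should validate the header length before evaluating `IS_VLAN_*`. Either way, state the precondition on the helper: `/* Only valid when skb->protocol == htons(ETH_P_8021Q) and the VLAN header is in the linear area. */`. Two style points in the same hunk: the declaration should read `static inline __be16 vlan_proto(...)`, and the macro argument should be parenthesised as `(skb)->protocol`.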