diff options
-rw-r--r-- | include/linux/netfilter_bridge.h | 26 | ||||
-rw-r--r-- | net/bridge/br_forward.c | 5 | ||||
-rw-r--r-- | net/bridge/br_netfilter.c | 27 |
3 files changed, 33 insertions, 25 deletions
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h index 427c67ff89e9..274fe4b33155 100644 --- a/include/linux/netfilter_bridge.h +++ b/include/linux/netfilter_bridge.h | |||
@@ -47,26 +47,12 @@ enum nf_br_hook_priorities { | |||
47 | 47 | ||
48 | 48 | ||
49 | /* Only used in br_forward.c */ | 49 | /* Only used in br_forward.c */ |
50 | static inline | 50 | extern int nf_bridge_copy_header(struct sk_buff *skb); |
51 | int nf_bridge_maybe_copy_header(struct sk_buff *skb) | 51 | static inline int nf_bridge_maybe_copy_header(struct sk_buff *skb) |
52 | { | 52 | { |
53 | int err; | 53 | if (skb->nf_bridge) |
54 | 54 | return nf_bridge_copy_header(skb); | |
55 | if (skb->nf_bridge) { | 55 | return 0; |
56 | if (skb->protocol == __constant_htons(ETH_P_8021Q)) { | ||
57 | err = skb_cow(skb, 18); | ||
58 | if (err) | ||
59 | return err; | ||
60 | memcpy(skb->data - 18, skb->nf_bridge->data, 18); | ||
61 | skb_push(skb, 4); | ||
62 | } else { | ||
63 | err = skb_cow(skb, 16); | ||
64 | if (err) | ||
65 | return err; | ||
66 | memcpy(skb->data - 16, skb->nf_bridge->data, 16); | ||
67 | } | ||
68 | } | ||
69 | return 0; | ||
70 | } | 56 | } |
71 | 57 | ||
72 | /* This is called by the IP fragmenting code and it ensures there is | 58 | /* This is called by the IP fragmenting code and it ensures there is |
@@ -90,6 +76,8 @@ struct bridge_skb_cb { | |||
90 | }; | 76 | }; |
91 | 77 | ||
92 | extern int brnf_deferred_hooks; | 78 | extern int brnf_deferred_hooks; |
79 | #else | ||
80 | #define nf_bridge_maybe_copy_header(skb) (0) | ||
93 | #endif /* CONFIG_BRIDGE_NETFILTER */ | 81 | #endif /* CONFIG_BRIDGE_NETFILTER */ |
94 | 82 | ||
95 | #endif /* __KERNEL__ */ | 83 | #endif /* __KERNEL__ */ |
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c index 864fbbc7b24d..191b861e5e53 100644 --- a/net/bridge/br_forward.c +++ b/net/bridge/br_forward.c | |||
@@ -38,13 +38,10 @@ int br_dev_queue_push_xmit(struct sk_buff *skb) | |||
38 | if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) | 38 | if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) |
39 | kfree_skb(skb); | 39 | kfree_skb(skb); |
40 | else { | 40 | else { |
41 | #ifdef CONFIG_BRIDGE_NETFILTER | ||
42 | /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */ | 41 | /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */ |
43 | if (nf_bridge_maybe_copy_header(skb)) | 42 | if (nf_bridge_maybe_copy_header(skb)) |
44 | kfree_skb(skb); | 43 | kfree_skb(skb); |
45 | else | 44 | else { |
46 | #endif | ||
47 | { | ||
48 | skb_push(skb, ETH_HLEN); | 45 | skb_push(skb, ETH_HLEN); |
49 | 46 | ||
50 | dev_queue_xmit(skb); | 47 | dev_queue_xmit(skb); |
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 05b3de888243..b498efcfe451 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
@@ -127,14 +127,37 @@ static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb) | |||
127 | 127 | ||
128 | static inline void nf_bridge_save_header(struct sk_buff *skb) | 128 | static inline void nf_bridge_save_header(struct sk_buff *skb) |
129 | { | 129 | { |
130 | int header_size = 16; | 130 | int header_size = ETH_HLEN; |
131 | 131 | ||
132 | if (skb->protocol == htons(ETH_P_8021Q)) | 132 | if (skb->protocol == htons(ETH_P_8021Q)) |
133 | header_size = 18; | 133 | header_size += VLAN_HLEN; |
134 | 134 | ||
135 | memcpy(skb->nf_bridge->data, skb->data - header_size, header_size); | 135 | memcpy(skb->nf_bridge->data, skb->data - header_size, header_size); |
136 | } | 136 | } |
137 | 137 | ||
138 | /* | ||
139 | * When forwarding bridge frames, we save a copy of the original | ||
140 | * header before processing. | ||
141 | */ | ||
142 | int nf_bridge_copy_header(struct sk_buff *skb) | ||
143 | { | ||
144 | int err; | ||
145 | int header_size = ETH_HLEN; | ||
146 | |||
147 | if (skb->protocol == htons(ETH_P_8021Q)) | ||
148 | header_size += VLAN_HLEN; | ||
149 | |||
150 | err = skb_cow(skb, header_size); | ||
151 | if (err) | ||
152 | return err; | ||
153 | |||
154 | memcpy(skb->data - header_size, skb->nf_bridge->data, header_size); | ||
155 | |||
156 | if (skb->protocol == htons(ETH_P_8021Q)) | ||
157 | __skb_push(skb, VLAN_HLEN); | ||
158 | return 0; | ||
159 | } | ||
160 | |||
138 | /* PF_BRIDGE/PRE_ROUTING *********************************************/ | 161 | /* PF_BRIDGE/PRE_ROUTING *********************************************/ |
139 | /* Undo the changes made for ip6tables PREROUTING and continue the | 162 | /* Undo the changes made for ip6tables PREROUTING and continue the |
140 | * bridge PRE_ROUTING hook. */ | 163 | * bridge PRE_ROUTING hook. */ |