aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--net/bridge/br_netfilter.c53
1 files changed, 38 insertions, 15 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 7cac3fb9f809..b5018166b0e5 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -51,9 +51,6 @@
51#define store_orig_dstaddr(skb) (skb_origaddr(skb) = (skb)->nh.iph->daddr) 51#define store_orig_dstaddr(skb) (skb_origaddr(skb) = (skb)->nh.iph->daddr)
52#define dnat_took_place(skb) (skb_origaddr(skb) != (skb)->nh.iph->daddr) 52#define dnat_took_place(skb) (skb_origaddr(skb) != (skb)->nh.iph->daddr)
53 53
54#define has_bridge_parent(device) ((device)->br_port != NULL)
55#define bridge_parent(device) ((device)->br_port->br->dev)
56
57#ifdef CONFIG_SYSCTL 54#ifdef CONFIG_SYSCTL
58static struct ctl_table_header *brnf_sysctl_header; 55static struct ctl_table_header *brnf_sysctl_header;
59static int brnf_call_iptables = 1; 56static int brnf_call_iptables = 1;
@@ -98,6 +95,12 @@ static struct rtable __fake_rtable = {
98 .rt_flags = 0, 95 .rt_flags = 0,
99}; 96};
100 97
98static inline struct net_device *bridge_parent(const struct net_device *dev)
99{
100 struct net_bridge_port *port = rcu_dereference(dev->br_port);
101
102 return port ? port->br->dev : NULL;
103}
101 104
102/* PF_BRIDGE/PRE_ROUTING *********************************************/ 105/* PF_BRIDGE/PRE_ROUTING *********************************************/
103/* Undo the changes made for ip6tables PREROUTING and continue the 106/* Undo the changes made for ip6tables PREROUTING and continue the
@@ -189,11 +192,15 @@ static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
189 skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING; 192 skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
190 193
191 skb->dev = bridge_parent(skb->dev); 194 skb->dev = bridge_parent(skb->dev);
192 if (skb->protocol == __constant_htons(ETH_P_8021Q)) { 195 if (!skb->dev)
193 skb_pull(skb, VLAN_HLEN); 196 kfree_skb(skb);
194 skb->nh.raw += VLAN_HLEN; 197 else {
198 if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
199 skb_pull(skb, VLAN_HLEN);
200 skb->nh.raw += VLAN_HLEN;
201 }
202 skb->dst->output(skb);
195 } 203 }
196 skb->dst->output(skb);
197 return 0; 204 return 0;
198} 205}
199 206
@@ -270,7 +277,7 @@ bridged_dnat:
270} 277}
271 278
272/* Some common code for IPv4/IPv6 */ 279/* Some common code for IPv4/IPv6 */
273static void setup_pre_routing(struct sk_buff *skb) 280static struct net_device *setup_pre_routing(struct sk_buff *skb)
274{ 281{
275 struct nf_bridge_info *nf_bridge = skb->nf_bridge; 282 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
276 283
@@ -282,6 +289,8 @@ static void setup_pre_routing(struct sk_buff *skb)
282 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING; 289 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
283 nf_bridge->physindev = skb->dev; 290 nf_bridge->physindev = skb->dev;
284 skb->dev = bridge_parent(skb->dev); 291 skb->dev = bridge_parent(skb->dev);
292
293 return skb->dev;
285} 294}
286 295
287/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */ 296/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */
@@ -376,7 +385,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
376 nf_bridge_put(skb->nf_bridge); 385 nf_bridge_put(skb->nf_bridge);
377 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL) 386 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
378 return NF_DROP; 387 return NF_DROP;
379 setup_pre_routing(skb); 388 if (!setup_pre_routing(skb))
389 return NF_DROP;
380 390
381 NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL, 391 NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
382 br_nf_pre_routing_finish_ipv6); 392 br_nf_pre_routing_finish_ipv6);
@@ -465,7 +475,8 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
465 nf_bridge_put(skb->nf_bridge); 475 nf_bridge_put(skb->nf_bridge);
466 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL) 476 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
467 return NF_DROP; 477 return NF_DROP;
468 setup_pre_routing(skb); 478 if (!setup_pre_routing(skb))
479 return NF_DROP;
469 store_orig_dstaddr(skb); 480 store_orig_dstaddr(skb);
470 481
471 NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL, 482 NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
@@ -539,11 +550,16 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
539 struct sk_buff *skb = *pskb; 550 struct sk_buff *skb = *pskb;
540 struct nf_bridge_info *nf_bridge; 551 struct nf_bridge_info *nf_bridge;
541 struct vlan_ethhdr *hdr = vlan_eth_hdr(skb); 552 struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
553 struct net_device *parent;
542 int pf; 554 int pf;
543 555
544 if (!skb->nf_bridge) 556 if (!skb->nf_bridge)
545 return NF_ACCEPT; 557 return NF_ACCEPT;
546 558
559 parent = bridge_parent(out);
560 if (!parent)
561 return NF_DROP;
562
547 if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP) 563 if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
548 pf = PF_INET; 564 pf = PF_INET;
549 else 565 else
@@ -564,8 +580,8 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
564 nf_bridge->mask |= BRNF_BRIDGED; 580 nf_bridge->mask |= BRNF_BRIDGED;
565 nf_bridge->physoutdev = skb->dev; 581 nf_bridge->physoutdev = skb->dev;
566 582
567 NF_HOOK(pf, NF_IP_FORWARD, skb, bridge_parent(in), 583 NF_HOOK(pf, NF_IP_FORWARD, skb, bridge_parent(in), parent,
568 bridge_parent(out), br_nf_forward_finish); 584 br_nf_forward_finish);
569 585
570 return NF_STOLEN; 586 return NF_STOLEN;
571} 587}
@@ -688,6 +704,8 @@ static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb,
688 goto out; 704 goto out;
689 } 705 }
690 realoutdev = bridge_parent(skb->dev); 706 realoutdev = bridge_parent(skb->dev);
707 if (!realoutdev)
708 return NF_DROP;
691 709
692#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) 710#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
693 /* iptables should match -o br0.x */ 711 /* iptables should match -o br0.x */
@@ -701,9 +719,11 @@ static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb,
701 /* IP forwarded traffic has a physindev, locally 719 /* IP forwarded traffic has a physindev, locally
702 * generated traffic hasn't. */ 720 * generated traffic hasn't. */
703 if (realindev != NULL) { 721 if (realindev != NULL) {
704 if (!(nf_bridge->mask & BRNF_DONT_TAKE_PARENT) && 722 if (!(nf_bridge->mask & BRNF_DONT_TAKE_PARENT) ) {
705 has_bridge_parent(realindev)) 723 struct net_device *parent = bridge_parent(realindev);
706 realindev = bridge_parent(realindev); 724 if (parent)
725 realindev = parent;
726 }
707 727
708 NF_HOOK_THRESH(pf, NF_IP_FORWARD, skb, realindev, 728 NF_HOOK_THRESH(pf, NF_IP_FORWARD, skb, realindev,
709 realoutdev, br_nf_local_out_finish, 729 realoutdev, br_nf_local_out_finish,
@@ -743,6 +763,9 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
743 if (!nf_bridge) 763 if (!nf_bridge)
744 return NF_ACCEPT; 764 return NF_ACCEPT;
745 765
766 if (!realoutdev)
767 return NF_DROP;
768
746 if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP) 769 if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
747 pf = PF_INET; 770 pf = PF_INET;
748 else 771 else
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-08 14:17:30 -0500