aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--net/bridge/br_netfilter.c116
1 files changed, 63 insertions, 53 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 70a395baaa01..cf18d0235ccb 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -136,7 +136,7 @@ static void __br_dnat_complain(void)
136 136
137 if (jiffies - last_complaint >= 5 * HZ) { 137 if (jiffies - last_complaint >= 5 * HZ) {
138 printk(KERN_WARNING "Performing cross-bridge DNAT requires IP " 138 printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
139 "forwarding to be enabled\n"); 139 "forwarding to be enabled\n");
140 last_complaint = jiffies; 140 last_complaint = jiffies;
141 } 141 }
142} 142}
@@ -218,12 +218,17 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
218 nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING; 218 nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
219 219
220 if (dnat_took_place(skb)) { 220 if (dnat_took_place(skb)) {
221 if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, 221 if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev)) {
222 dev)) {
223 struct rtable *rt; 222 struct rtable *rt;
224 struct flowi fl = { .nl_u = 223 struct flowi fl = {
225 { .ip4_u = { .daddr = iph->daddr, .saddr = 0 , 224 .nl_u = {
226 .tos = RT_TOS(iph->tos)} }, .proto = 0}; 225 .ip4_u = {
226 .daddr = iph->daddr,
227 .saddr = 0,
228 .tos = RT_TOS(iph->tos) },
229 },
230 .proto = 0,
231 };
227 232
228 if (!ip_route_output_key(&rt, &fl)) { 233 if (!ip_route_output_key(&rt, &fl)) {
229 /* - Bridged-and-DNAT'ed traffic doesn't 234 /* - Bridged-and-DNAT'ed traffic doesn't
@@ -257,8 +262,7 @@ bridged_dnat:
257 1); 262 1);
258 return 0; 263 return 0;
259 } 264 }
260 memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, 265 memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, ETH_ALEN);
261 ETH_ALEN);
262 skb->pkt_type = PACKET_HOST; 266 skb->pkt_type = PACKET_HOST;
263 } 267 }
264 } else { 268 } else {
@@ -297,10 +301,10 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
297/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */ 301/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */
298static int check_hbh_len(struct sk_buff *skb) 302static int check_hbh_len(struct sk_buff *skb)
299{ 303{
300 unsigned char *raw = (u8*)(skb->nh.ipv6h+1); 304 unsigned char *raw = (u8 *) (skb->nh.ipv6h + 1);
301 u32 pkt_len; 305 u32 pkt_len;
302 int off = raw - skb->nh.raw; 306 int off = raw - skb->nh.raw;
303 int len = (raw[1]+1)<<3; 307 int len = (raw[1] + 1) << 3;
304 308
305 if ((raw + len) - skb->data > skb_headlen(skb)) 309 if ((raw + len) - skb->data > skb_headlen(skb))
306 goto bad; 310 goto bad;
@@ -309,7 +313,7 @@ static int check_hbh_len(struct sk_buff *skb)
309 len -= 2; 313 len -= 2;
310 314
311 while (len > 0) { 315 while (len > 0) {
312 int optlen = skb->nh.raw[off+1]+2; 316 int optlen = skb->nh.raw[off + 1] + 2;
313 317
314 switch (skb->nh.raw[off]) { 318 switch (skb->nh.raw[off]) {
315 case IPV6_TLV_PAD0: 319 case IPV6_TLV_PAD0:
@@ -320,16 +324,16 @@ static int check_hbh_len(struct sk_buff *skb)
320 break; 324 break;
321 325
322 case IPV6_TLV_JUMBO: 326 case IPV6_TLV_JUMBO:
323 if (skb->nh.raw[off+1] != 4 || (off&3) != 2) 327 if (skb->nh.raw[off + 1] != 4 || (off & 3) != 2)
324 goto bad; 328 goto bad;
325 pkt_len = ntohl(*(u32*)(skb->nh.raw+off+2)); 329 pkt_len = ntohl(*(u32 *) (skb->nh.raw + off + 2));
326 if (pkt_len <= IPV6_MAXPLEN || 330 if (pkt_len <= IPV6_MAXPLEN ||
327 skb->nh.ipv6h->payload_len) 331 skb->nh.ipv6h->payload_len)
328 goto bad; 332 goto bad;
329 if (pkt_len > skb->len - sizeof(struct ipv6hdr)) 333 if (pkt_len > skb->len - sizeof(struct ipv6hdr))
330 goto bad; 334 goto bad;
331 if (pskb_trim_rcsum(skb, 335 if (pskb_trim_rcsum(skb,
332 pkt_len+sizeof(struct ipv6hdr))) 336 pkt_len + sizeof(struct ipv6hdr)))
333 goto bad; 337 goto bad;
334 break; 338 break;
335 default: 339 default:
@@ -350,8 +354,10 @@ bad:
350/* Replicate the checks that IPv6 does on packet reception and pass the packet 354/* Replicate the checks that IPv6 does on packet reception and pass the packet
351 * to ip6tables, which doesn't support NAT, so things are fairly simple. */ 355 * to ip6tables, which doesn't support NAT, so things are fairly simple. */
352static unsigned int br_nf_pre_routing_ipv6(unsigned int hook, 356static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
353 struct sk_buff *skb, const struct net_device *in, 357 struct sk_buff *skb,
354 const struct net_device *out, int (*okfn)(struct sk_buff *)) 358 const struct net_device *in,
359 const struct net_device *out,
360 int (*okfn)(struct sk_buff *))
355{ 361{
356 struct ipv6hdr *hdr; 362 struct ipv6hdr *hdr;
357 u32 pkt_len; 363 u32 pkt_len;
@@ -381,9 +387,9 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
381 } 387 }
382 } 388 }
383 if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb)) 389 if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
384 goto inhdr_error; 390 goto inhdr_error;
385 391
386 nf_bridge_put(skb->nf_bridge); 392 nf_bridge_put(skb->nf_bridge);
387 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL) 393 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
388 return NF_DROP; 394 return NF_DROP;
389 if (!setup_pre_routing(skb)) 395 if (!setup_pre_routing(skb))
@@ -452,15 +458,15 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
452 if (iph->ihl < 5 || iph->version != 4) 458 if (iph->ihl < 5 || iph->version != 4)
453 goto inhdr_error; 459 goto inhdr_error;
454 460
455 if (!pskb_may_pull(skb, 4*iph->ihl)) 461 if (!pskb_may_pull(skb, 4 * iph->ihl))
456 goto inhdr_error; 462 goto inhdr_error;
457 463
458 iph = skb->nh.iph; 464 iph = skb->nh.iph;
459 if (ip_fast_csum((__u8 *)iph, iph->ihl) != 0) 465 if (ip_fast_csum((__u8 *) iph, iph->ihl) != 0)
460 goto inhdr_error; 466 goto inhdr_error;
461 467
462 len = ntohs(iph->tot_len); 468 len = ntohs(iph->tot_len);
463 if (skb->len < len || len < 4*iph->ihl) 469 if (skb->len < len || len < 4 * iph->ihl)
464 goto inhdr_error; 470 goto inhdr_error;
465 471
466 if (skb->len > len) { 472 if (skb->len > len) {
@@ -469,7 +475,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
469 skb->ip_summed = CHECKSUM_NONE; 475 skb->ip_summed = CHECKSUM_NONE;
470 } 476 }
471 477
472 nf_bridge_put(skb->nf_bridge); 478 nf_bridge_put(skb->nf_bridge);
473 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL) 479 if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
474 return NF_DROP; 480 return NF_DROP;
475 if (!setup_pre_routing(skb)) 481 if (!setup_pre_routing(skb))
@@ -482,7 +488,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
482 return NF_STOLEN; 488 return NF_STOLEN;
483 489
484inhdr_error: 490inhdr_error:
485// IP_INC_STATS_BH(IpInHdrErrors); 491// IP_INC_STATS_BH(IpInHdrErrors);
486out: 492out:
487 return NF_DROP; 493 return NF_DROP;
488} 494}
@@ -496,8 +502,9 @@ out:
496 * register an IPv4 PRE_ROUTING 'sabotage' hook that will 502 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
497 * prevent this from happening. */ 503 * prevent this from happening. */
498static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb, 504static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb,
499 const struct net_device *in, const struct net_device *out, 505 const struct net_device *in,
500 int (*okfn)(struct sk_buff *)) 506 const struct net_device *out,
507 int (*okfn)(struct sk_buff *))
501{ 508{
502 struct sk_buff *skb = *pskb; 509 struct sk_buff *skb = *pskb;
503 510
@@ -509,7 +516,6 @@ static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb,
509 return NF_ACCEPT; 516 return NF_ACCEPT;
510} 517}
511 518
512
513/* PF_BRIDGE/FORWARD *************************************************/ 519/* PF_BRIDGE/FORWARD *************************************************/
514static int br_nf_forward_finish(struct sk_buff *skb) 520static int br_nf_forward_finish(struct sk_buff *skb)
515{ 521{
@@ -531,7 +537,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
531 skb->nh.raw -= VLAN_HLEN; 537 skb->nh.raw -= VLAN_HLEN;
532 } 538 }
533 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in, 539 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
534 skb->dev, br_forward_finish, 1); 540 skb->dev, br_forward_finish, 1);
535 return 0; 541 return 0;
536} 542}
537 543
@@ -541,8 +547,9 @@ static int br_nf_forward_finish(struct sk_buff *skb)
541 * because of the physdev module. For ARP, indev and outdev are the 547 * because of the physdev module. For ARP, indev and outdev are the
542 * bridge ports. */ 548 * bridge ports. */
543static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb, 549static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
544 const struct net_device *in, const struct net_device *out, 550 const struct net_device *in,
545 int (*okfn)(struct sk_buff *)) 551 const struct net_device *out,
552 int (*okfn)(struct sk_buff *))
546{ 553{
547 struct sk_buff *skb = *pskb; 554 struct sk_buff *skb = *pskb;
548 struct nf_bridge_info *nf_bridge; 555 struct nf_bridge_info *nf_bridge;
@@ -584,8 +591,9 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
584} 591}
585 592
586static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff **pskb, 593static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff **pskb,
587 const struct net_device *in, const struct net_device *out, 594 const struct net_device *in,
588 int (*okfn)(struct sk_buff *)) 595 const struct net_device *out,
596 int (*okfn)(struct sk_buff *))
589{ 597{
590 struct sk_buff *skb = *pskb; 598 struct sk_buff *skb = *pskb;
591 struct vlan_ethhdr *hdr = vlan_eth_hdr(skb); 599 struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
@@ -617,7 +625,6 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff **pskb,
617 return NF_STOLEN; 625 return NF_STOLEN;
618} 626}
619 627
620
621/* PF_BRIDGE/LOCAL_OUT ***********************************************/ 628/* PF_BRIDGE/LOCAL_OUT ***********************************************/
622static int br_nf_local_out_finish(struct sk_buff *skb) 629static int br_nf_local_out_finish(struct sk_buff *skb)
623{ 630{
@@ -627,7 +634,7 @@ static int br_nf_local_out_finish(struct sk_buff *skb)
627 } 634 }
628 635
629 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 636 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
630 br_forward_finish, NF_BR_PRI_FIRST + 1); 637 br_forward_finish, NF_BR_PRI_FIRST + 1);
631 638
632 return 0; 639 return 0;
633} 640}
@@ -653,8 +660,9 @@ static int br_nf_local_out_finish(struct sk_buff *skb)
653 * even routed packets that didn't arrive on a bridge interface have their 660 * even routed packets that didn't arrive on a bridge interface have their
654 * nf_bridge->physindev set. */ 661 * nf_bridge->physindev set. */
655static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb, 662static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb,
656 const struct net_device *in, const struct net_device *out, 663 const struct net_device *in,
657 int (*okfn)(struct sk_buff *)) 664 const struct net_device *out,
665 int (*okfn)(struct sk_buff *))
658{ 666{
659 struct net_device *realindev, *realoutdev; 667 struct net_device *realindev, *realoutdev;
660 struct sk_buff *skb = *pskb; 668 struct sk_buff *skb = *pskb;
@@ -716,7 +724,7 @@ static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb,
716 /* IP forwarded traffic has a physindev, locally 724 /* IP forwarded traffic has a physindev, locally
717 * generated traffic hasn't. */ 725 * generated traffic hasn't. */
718 if (realindev != NULL) { 726 if (realindev != NULL) {
719 if (!(nf_bridge->mask & BRNF_DONT_TAKE_PARENT) ) { 727 if (!(nf_bridge->mask & BRNF_DONT_TAKE_PARENT)) {
720 struct net_device *parent = bridge_parent(realindev); 728 struct net_device *parent = bridge_parent(realindev);
721 if (parent) 729 if (parent)
722 realindev = parent; 730 realindev = parent;
@@ -738,8 +746,9 @@ out:
738 746
739/* PF_BRIDGE/POST_ROUTING ********************************************/ 747/* PF_BRIDGE/POST_ROUTING ********************************************/
740static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb, 748static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
741 const struct net_device *in, const struct net_device *out, 749 const struct net_device *in,
742 int (*okfn)(struct sk_buff *)) 750 const struct net_device *out,
751 int (*okfn)(struct sk_buff *))
743{ 752{
744 struct sk_buff *skb = *pskb; 753 struct sk_buff *skb = *pskb;
745 struct nf_bridge_info *nf_bridge = (*pskb)->nf_bridge; 754 struct nf_bridge_info *nf_bridge = (*pskb)->nf_bridge;
@@ -752,7 +761,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
752 * keep the check just to be sure... */ 761 * keep the check just to be sure... */
753 if (skb->mac.raw < skb->head || skb->mac.raw + ETH_HLEN > skb->data) { 762 if (skb->mac.raw < skb->head || skb->mac.raw + ETH_HLEN > skb->data) {
754 printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: " 763 printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
755 "bad mac.raw pointer."); 764 "bad mac.raw pointer.");
756 goto print_error; 765 goto print_error;
757 } 766 }
758#endif 767#endif
@@ -794,7 +803,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
794 realoutdev = nf_bridge->netoutdev; 803 realoutdev = nf_bridge->netoutdev;
795#endif 804#endif
796 NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev, 805 NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev,
797 br_dev_queue_push_xmit); 806 br_dev_queue_push_xmit);
798 807
799 return NF_STOLEN; 808 return NF_STOLEN;
800 809
@@ -806,18 +815,18 @@ print_error:
806 printk("[%s]", realoutdev->name); 815 printk("[%s]", realoutdev->name);
807 } 816 }
808 printk(" head:%p, raw:%p, data:%p\n", skb->head, skb->mac.raw, 817 printk(" head:%p, raw:%p, data:%p\n", skb->head, skb->mac.raw,
809 skb->data); 818 skb->data);
810 return NF_ACCEPT; 819 return NF_ACCEPT;
811#endif 820#endif
812} 821}
813 822
814
815/* IP/SABOTAGE *****************************************************/ 823/* IP/SABOTAGE *****************************************************/
816/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING 824/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
817 * for the second time. */ 825 * for the second time. */
818static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff **pskb, 826static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff **pskb,
819 const struct net_device *in, const struct net_device *out, 827 const struct net_device *in,
820 int (*okfn)(struct sk_buff *)) 828 const struct net_device *out,
829 int (*okfn)(struct sk_buff *))
821{ 830{
822 if ((*pskb)->nf_bridge && 831 if ((*pskb)->nf_bridge &&
823 !((*pskb)->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) { 832 !((*pskb)->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
@@ -831,18 +840,18 @@ static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff **pskb,
831 * and PF_INET(6)/POST_ROUTING until we have done the forwarding 840 * and PF_INET(6)/POST_ROUTING until we have done the forwarding
832 * decision in the bridge code and have determined nf_bridge->physoutdev. */ 841 * decision in the bridge code and have determined nf_bridge->physoutdev. */
833static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb, 842static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
834 const struct net_device *in, const struct net_device *out, 843 const struct net_device *in,
835 int (*okfn)(struct sk_buff *)) 844 const struct net_device *out,
845 int (*okfn)(struct sk_buff *))
836{ 846{
837 struct sk_buff *skb = *pskb; 847 struct sk_buff *skb = *pskb;
838 848
839 if ((out->hard_start_xmit == br_dev_xmit && 849 if ((out->hard_start_xmit == br_dev_xmit &&
840 okfn != br_nf_forward_finish && 850 okfn != br_nf_forward_finish &&
841 okfn != br_nf_local_out_finish && 851 okfn != br_nf_local_out_finish && okfn != br_dev_queue_push_xmit)
842 okfn != br_dev_queue_push_xmit)
843#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) 852#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
844 || ((out->priv_flags & IFF_802_1Q_VLAN) && 853 || ((out->priv_flags & IFF_802_1Q_VLAN) &&
845 VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit) 854 VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit)
846#endif 855#endif
847 ) { 856 ) {
848 struct nf_bridge_info *nf_bridge; 857 struct nf_bridge_info *nf_bridge;
@@ -967,8 +976,8 @@ static struct nf_hook_ops br_nf_ops[] = {
967 976
968#ifdef CONFIG_SYSCTL 977#ifdef CONFIG_SYSCTL
969static 978static
970int brnf_sysctl_call_tables(ctl_table *ctl, int write, struct file * filp, 979int brnf_sysctl_call_tables(ctl_table * ctl, int write, struct file *filp,
971 void __user *buffer, size_t *lenp, loff_t *ppos) 980 void __user * buffer, size_t * lenp, loff_t * ppos)
972{ 981{
973 int ret; 982 int ret;
974 983
@@ -1055,7 +1064,8 @@ int br_netfilter_init(void)
1055#ifdef CONFIG_SYSCTL 1064#ifdef CONFIG_SYSCTL
1056 brnf_sysctl_header = register_sysctl_table(brnf_net_table, 0); 1065 brnf_sysctl_header = register_sysctl_table(brnf_net_table, 0);
1057 if (brnf_sysctl_header == NULL) { 1066 if (brnf_sysctl_header == NULL) {
1058 printk(KERN_WARNING "br_netfilter: can't register to sysctl.\n"); 1067 printk(KERN_WARNING
1068 "br_netfilter: can't register to sysctl.\n");
1059 for (i = 0; i < ARRAY_SIZE(br_nf_ops); i++) 1069 for (i = 0; i < ARRAY_SIZE(br_nf_ops); i++)
1060 nf_unregister_hook(&br_nf_ops[i]); 1070 nf_unregister_hook(&br_nf_ops[i]);
1061 return -EFAULT; 1071 return -EFAULT;
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-31 12:41:29 -0500