aboutsummaryrefslogtreecommitdiffstats
path: root/net/bridge
diff options
context:
space:
mode:
Diffstat (limited to 'net/bridge')
-rw-r--r--net/bridge/Kconfig6
-rw-r--r--net/bridge/br.c2
-rw-r--r--net/bridge/br_device.c122
-rw-r--r--net/bridge/br_fdb.c15
-rw-r--r--net/bridge/br_forward.c34
-rw-r--r--net/bridge/br_if.c14
-rw-r--r--net/bridge/br_input.c12
-rw-r--r--net/bridge/br_ioctl.c2
-rw-r--r--net/bridge/br_multicast.c687
-rw-r--r--net/bridge/br_netfilter.c266
-rw-r--r--net/bridge/br_netlink.c8
-rw-r--r--net/bridge/br_notify.c11
-rw-r--r--net/bridge/br_private.h57
-rw-r--r--net/bridge/br_stp.c11
-rw-r--r--net/bridge/br_stp_bpdu.c2
-rw-r--r--net/bridge/br_stp_if.c16
-rw-r--r--net/bridge/br_stp_timer.c24
-rw-r--r--net/bridge/br_sysfs_br.c2
-rw-r--r--net/bridge/br_sysfs_if.c32
-rw-r--r--net/bridge/netfilter/ebt_802_3.c8
-rw-r--r--net/bridge/netfilter/ebt_among.c27
-rw-r--r--net/bridge/netfilter/ebt_arp.c10
-rw-r--r--net/bridge/netfilter/ebt_arpreply.c10
-rw-r--r--net/bridge/netfilter/ebt_dnat.c12
-rw-r--r--net/bridge/netfilter/ebt_ip.c18
-rw-r--r--net/bridge/netfilter/ebt_ip6.c39
-rw-r--r--net/bridge/netfilter/ebt_limit.c11
-rw-r--r--net/bridge/netfilter/ebt_log.c10
-rw-r--r--net/bridge/netfilter/ebt_mark.c12
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c12
-rw-r--r--net/bridge/netfilter/ebt_nflog.c8
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c8
-rw-r--r--net/bridge/netfilter/ebt_redirect.c12
-rw-r--r--net/bridge/netfilter/ebt_snat.c12
-rw-r--r--net/bridge/netfilter/ebt_stp.c10
-rw-r--r--net/bridge/netfilter/ebt_ulog.c38
-rw-r--r--net/bridge/netfilter/ebt_vlan.c54
-rw-r--r--net/bridge/netfilter/ebtables.c56
38 files changed, 1131 insertions, 559 deletions
diff --git a/net/bridge/Kconfig b/net/bridge/Kconfig
index d115d5cea5b6..9190ae462cb4 100644
--- a/net/bridge/Kconfig
+++ b/net/bridge/Kconfig
@@ -33,14 +33,14 @@ config BRIDGE
33 If unsure, say N. 33 If unsure, say N.
34 34
35config BRIDGE_IGMP_SNOOPING 35config BRIDGE_IGMP_SNOOPING
36 bool "IGMP snooping" 36 bool "IGMP/MLD snooping"
37 depends on BRIDGE 37 depends on BRIDGE
38 depends on INET 38 depends on INET
39 default y 39 default y
40 ---help--- 40 ---help---
41 If you say Y here, then the Ethernet bridge will be able selectively 41 If you say Y here, then the Ethernet bridge will be able selectively
42 forward multicast traffic based on IGMP traffic received from each 42 forward multicast traffic based on IGMP/MLD traffic received from
43 port. 43 each port.
44 44
45 Say N to exclude this support and reduce the binary size. 45 Say N to exclude this support and reduce the binary size.
46 46
diff --git a/net/bridge/br.c b/net/bridge/br.c
index e1241c76239a..76357b547752 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -38,7 +38,7 @@ static int __init br_init(void)
38 38
39 err = stp_proto_register(&br_stp_proto); 39 err = stp_proto_register(&br_stp_proto);
40 if (err < 0) { 40 if (err < 0) {
41 printk(KERN_ERR "bridge: can't register sap for STP\n"); 41 pr_err("bridge: can't register sap for STP\n");
42 return err; 42 return err;
43 } 43 }
44 44
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 90a9024e5c1e..753fc4221f3c 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -13,8 +13,11 @@
13 13
14#include <linux/kernel.h> 14#include <linux/kernel.h>
15#include <linux/netdevice.h> 15#include <linux/netdevice.h>
16#include <linux/netpoll.h>
16#include <linux/etherdevice.h> 17#include <linux/etherdevice.h>
17#include <linux/ethtool.h> 18#include <linux/ethtool.h>
19#include <linux/list.h>
20#include <linux/netfilter_bridge.h>
18 21
19#include <asm/uaccess.h> 22#include <asm/uaccess.h>
20#include "br_private.h" 23#include "br_private.h"
@@ -26,16 +29,24 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
26 const unsigned char *dest = skb->data; 29 const unsigned char *dest = skb->data;
27 struct net_bridge_fdb_entry *dst; 30 struct net_bridge_fdb_entry *dst;
28 struct net_bridge_mdb_entry *mdst; 31 struct net_bridge_mdb_entry *mdst;
32 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
29 33
30 BR_INPUT_SKB_CB(skb)->brdev = dev; 34#ifdef CONFIG_BRIDGE_NETFILTER
35 if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
36 br_nf_pre_routing_finish_bridge_slow(skb);
37 return NETDEV_TX_OK;
38 }
39#endif
40
41 brstats->tx_packets++;
42 brstats->tx_bytes += skb->len;
31 43
32 dev->stats.tx_packets++; 44 BR_INPUT_SKB_CB(skb)->brdev = dev;
33 dev->stats.tx_bytes += skb->len;
34 45
35 skb_reset_mac_header(skb); 46 skb_reset_mac_header(skb);
36 skb_pull(skb, ETH_HLEN); 47 skb_pull(skb, ETH_HLEN);
37 48
38 if (dest[0] & 1) { 49 if (is_multicast_ether_addr(dest)) {
39 if (br_multicast_rcv(br, NULL, skb)) 50 if (br_multicast_rcv(br, NULL, skb))
40 goto out; 51 goto out;
41 52
@@ -81,6 +92,31 @@ static int br_dev_stop(struct net_device *dev)
81 return 0; 92 return 0;
82} 93}
83 94
95static struct net_device_stats *br_get_stats(struct net_device *dev)
96{
97 struct net_bridge *br = netdev_priv(dev);
98 struct net_device_stats *stats = &dev->stats;
99 struct br_cpu_netstats sum = { 0 };
100 unsigned int cpu;
101
102 for_each_possible_cpu(cpu) {
103 const struct br_cpu_netstats *bstats
104 = per_cpu_ptr(br->stats, cpu);
105
106 sum.tx_bytes += bstats->tx_bytes;
107 sum.tx_packets += bstats->tx_packets;
108 sum.rx_bytes += bstats->rx_bytes;
109 sum.rx_packets += bstats->rx_packets;
110 }
111
112 stats->tx_bytes = sum.tx_bytes;
113 stats->tx_packets = sum.tx_packets;
114 stats->rx_bytes = sum.rx_bytes;
115 stats->rx_packets = sum.rx_packets;
116
117 return stats;
118}
119
84static int br_change_mtu(struct net_device *dev, int new_mtu) 120static int br_change_mtu(struct net_device *dev, int new_mtu)
85{ 121{
86 struct net_bridge *br = netdev_priv(dev); 122 struct net_bridge *br = netdev_priv(dev);
@@ -162,6 +198,70 @@ static int br_set_tx_csum(struct net_device *dev, u32 data)
162 return 0; 198 return 0;
163} 199}
164 200
201#ifdef CONFIG_NET_POLL_CONTROLLER
202static bool br_devices_support_netpoll(struct net_bridge *br)
203{
204 struct net_bridge_port *p;
205 bool ret = true;
206 int count = 0;
207 unsigned long flags;
208
209 spin_lock_irqsave(&br->lock, flags);
210 list_for_each_entry(p, &br->port_list, list) {
211 count++;
212 if ((p->dev->priv_flags & IFF_DISABLE_NETPOLL) ||
213 !p->dev->netdev_ops->ndo_poll_controller)
214 ret = false;
215 }
216 spin_unlock_irqrestore(&br->lock, flags);
217 return count != 0 && ret;
218}
219
220void br_netpoll_cleanup(struct net_device *dev)
221{
222 struct net_bridge *br = netdev_priv(dev);
223 struct net_bridge_port *p, *n;
224 const struct net_device_ops *ops;
225
226 br->dev->npinfo = NULL;
227 list_for_each_entry_safe(p, n, &br->port_list, list) {
228 if (p->dev) {
229 ops = p->dev->netdev_ops;
230 if (ops->ndo_netpoll_cleanup)
231 ops->ndo_netpoll_cleanup(p->dev);
232 else
233 p->dev->npinfo = NULL;
234 }
235 }
236}
237
238void br_netpoll_disable(struct net_bridge *br,
239 struct net_device *dev)
240{
241 if (br_devices_support_netpoll(br))
242 br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
243 if (dev->netdev_ops->ndo_netpoll_cleanup)
244 dev->netdev_ops->ndo_netpoll_cleanup(dev);
245 else
246 dev->npinfo = NULL;
247}
248
249void br_netpoll_enable(struct net_bridge *br,
250 struct net_device *dev)
251{
252 if (br_devices_support_netpoll(br)) {
253 br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
254 if (br->dev->npinfo)
255 dev->npinfo = br->dev->npinfo;
256 } else if (!(br->dev->priv_flags & IFF_DISABLE_NETPOLL)) {
257 br->dev->priv_flags |= IFF_DISABLE_NETPOLL;
258 br_info(br,"new device %s does not support netpoll (disabling)",
259 dev->name);
260 }
261}
262
263#endif
264
165static const struct ethtool_ops br_ethtool_ops = { 265static const struct ethtool_ops br_ethtool_ops = {
166 .get_drvinfo = br_getinfo, 266 .get_drvinfo = br_getinfo,
167 .get_link = ethtool_op_get_link, 267 .get_link = ethtool_op_get_link,
@@ -180,19 +280,31 @@ static const struct net_device_ops br_netdev_ops = {
180 .ndo_open = br_dev_open, 280 .ndo_open = br_dev_open,
181 .ndo_stop = br_dev_stop, 281 .ndo_stop = br_dev_stop,
182 .ndo_start_xmit = br_dev_xmit, 282 .ndo_start_xmit = br_dev_xmit,
283 .ndo_get_stats = br_get_stats,
183 .ndo_set_mac_address = br_set_mac_address, 284 .ndo_set_mac_address = br_set_mac_address,
184 .ndo_set_multicast_list = br_dev_set_multicast_list, 285 .ndo_set_multicast_list = br_dev_set_multicast_list,
185 .ndo_change_mtu = br_change_mtu, 286 .ndo_change_mtu = br_change_mtu,
186 .ndo_do_ioctl = br_dev_ioctl, 287 .ndo_do_ioctl = br_dev_ioctl,
288#ifdef CONFIG_NET_POLL_CONTROLLER
289 .ndo_netpoll_cleanup = br_netpoll_cleanup,
290#endif
187}; 291};
188 292
293static void br_dev_free(struct net_device *dev)
294{
295 struct net_bridge *br = netdev_priv(dev);
296
297 free_percpu(br->stats);
298 free_netdev(dev);
299}
300
189void br_dev_setup(struct net_device *dev) 301void br_dev_setup(struct net_device *dev)
190{ 302{
191 random_ether_addr(dev->dev_addr); 303 random_ether_addr(dev->dev_addr);
192 ether_setup(dev); 304 ether_setup(dev);
193 305
194 dev->netdev_ops = &br_netdev_ops; 306 dev->netdev_ops = &br_netdev_ops;
195 dev->destructor = free_netdev; 307 dev->destructor = br_dev_free;
196 SET_ETHTOOL_OPS(dev, &br_ethtool_ops); 308 SET_ETHTOOL_OPS(dev, &br_ethtool_ops);
197 dev->tx_queue_len = 0; 309 dev->tx_queue_len = 0;
198 dev->priv_flags = IFF_EBRIDGE; 310 dev->priv_flags = IFF_EBRIDGE;
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 9101a4e56201..b01dde35a69e 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -128,7 +128,7 @@ void br_fdb_cleanup(unsigned long _data)
128{ 128{
129 struct net_bridge *br = (struct net_bridge *)_data; 129 struct net_bridge *br = (struct net_bridge *)_data;
130 unsigned long delay = hold_time(br); 130 unsigned long delay = hold_time(br);
131 unsigned long next_timer = jiffies + br->forward_delay; 131 unsigned long next_timer = jiffies + br->ageing_time;
132 int i; 132 int i;
133 133
134 spin_lock_bh(&br->hash_lock); 134 spin_lock_bh(&br->hash_lock);
@@ -149,9 +149,7 @@ void br_fdb_cleanup(unsigned long _data)
149 } 149 }
150 spin_unlock_bh(&br->hash_lock); 150 spin_unlock_bh(&br->hash_lock);
151 151
152 /* Add HZ/4 to ensure we round the jiffies upwards to be after the next 152 mod_timer(&br->gc_timer, round_jiffies_up(next_timer));
153 * timer, otherwise we might round down and will have no-op run. */
154 mod_timer(&br->gc_timer, round_jiffies(next_timer + HZ/4));
155} 153}
156 154
157/* Completely flush all dynamic entries in forwarding database.*/ 155/* Completely flush all dynamic entries in forwarding database.*/
@@ -353,8 +351,7 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
353 */ 351 */
354 if (fdb->is_local) 352 if (fdb->is_local)
355 return 0; 353 return 0;
356 354 br_warn(br, "adding interface %s with same address "
357 printk(KERN_WARNING "%s adding interface with same address "
358 "as a received packet\n", 355 "as a received packet\n",
359 source->dev->name); 356 source->dev->name);
360 fdb_delete(fdb); 357 fdb_delete(fdb);
@@ -397,9 +394,9 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
397 /* attempt to update an entry for a local interface */ 394 /* attempt to update an entry for a local interface */
398 if (unlikely(fdb->is_local)) { 395 if (unlikely(fdb->is_local)) {
399 if (net_ratelimit()) 396 if (net_ratelimit())
400 printk(KERN_WARNING "%s: received packet with " 397 br_warn(br, "received packet on %s with "
401 "own address as source address\n", 398 "own address as source address\n",
402 source->dev->name); 399 source->dev->name);
403 } else { 400 } else {
404 /* fastpath: update of existing entry */ 401 /* fastpath: update of existing entry */
405 fdb->dst = source; 402 fdb->dst = source;
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 7a241c396981..595da45f9088 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -15,6 +15,7 @@
15#include <linux/slab.h> 15#include <linux/slab.h>
16#include <linux/kernel.h> 16#include <linux/kernel.h>
17#include <linux/netdevice.h> 17#include <linux/netdevice.h>
18#include <linux/netpoll.h>
18#include <linux/skbuff.h> 19#include <linux/skbuff.h>
19#include <linux/if_vlan.h> 20#include <linux/if_vlan.h>
20#include <linux/netfilter_bridge.h> 21#include <linux/netfilter_bridge.h>
@@ -44,12 +45,11 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
44 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) 45 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
45 kfree_skb(skb); 46 kfree_skb(skb);
46 else { 47 else {
47 /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */ 48 /* ip_fragment doesn't copy the MAC header */
48 if (nf_bridge_maybe_copy_header(skb)) 49 if (nf_bridge_maybe_copy_header(skb))
49 kfree_skb(skb); 50 kfree_skb(skb);
50 else { 51 else {
51 skb_push(skb, ETH_HLEN); 52 skb_push(skb, ETH_HLEN);
52
53 dev_queue_xmit(skb); 53 dev_queue_xmit(skb);
54 } 54 }
55 } 55 }
@@ -59,7 +59,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
59 59
60int br_forward_finish(struct sk_buff *skb) 60int br_forward_finish(struct sk_buff *skb)
61{ 61{
62 return NF_HOOK(PF_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev, 62 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
63 br_dev_queue_push_xmit); 63 br_dev_queue_push_xmit);
64 64
65} 65}
@@ -67,8 +67,8 @@ int br_forward_finish(struct sk_buff *skb)
67static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb) 67static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
68{ 68{
69 skb->dev = to->dev; 69 skb->dev = to->dev;
70 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 70 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
71 br_forward_finish); 71 br_forward_finish);
72} 72}
73 73
74static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb) 74static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
@@ -84,8 +84,8 @@ static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
84 skb->dev = to->dev; 84 skb->dev = to->dev;
85 skb_forward_csum(skb); 85 skb_forward_csum(skb);
86 86
87 NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev, 87 NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
88 br_forward_finish); 88 br_forward_finish);
89} 89}
90 90
91/* called with rcu_read_lock */ 91/* called with rcu_read_lock */
@@ -119,10 +119,10 @@ static int deliver_clone(const struct net_bridge_port *prev,
119 void (*__packet_hook)(const struct net_bridge_port *p, 119 void (*__packet_hook)(const struct net_bridge_port *p,
120 struct sk_buff *skb)) 120 struct sk_buff *skb))
121{ 121{
122 struct net_device *dev = BR_INPUT_SKB_CB(skb)->brdev;
123
122 skb = skb_clone(skb, GFP_ATOMIC); 124 skb = skb_clone(skb, GFP_ATOMIC);
123 if (!skb) { 125 if (!skb) {
124 struct net_device *dev = BR_INPUT_SKB_CB(skb)->brdev;
125
126 dev->stats.tx_dropped++; 126 dev->stats.tx_dropped++;
127 return -ENOMEM; 127 return -ENOMEM;
128 } 128 }
@@ -208,17 +208,15 @@ static void br_multicast_flood(struct net_bridge_mdb_entry *mdst,
208{ 208{
209 struct net_device *dev = BR_INPUT_SKB_CB(skb)->brdev; 209 struct net_device *dev = BR_INPUT_SKB_CB(skb)->brdev;
210 struct net_bridge *br = netdev_priv(dev); 210 struct net_bridge *br = netdev_priv(dev);
211 struct net_bridge_port *port; 211 struct net_bridge_port *prev = NULL;
212 struct net_bridge_port *lport, *rport;
213 struct net_bridge_port *prev;
214 struct net_bridge_port_group *p; 212 struct net_bridge_port_group *p;
215 struct hlist_node *rp; 213 struct hlist_node *rp;
216 214
217 prev = NULL; 215 rp = rcu_dereference(br->router_list.first);
218 216 p = mdst ? rcu_dereference(mdst->ports) : NULL;
219 rp = br->router_list.first;
220 p = mdst ? mdst->ports : NULL;
221 while (p || rp) { 217 while (p || rp) {
218 struct net_bridge_port *port, *lport, *rport;
219
222 lport = p ? p->port : NULL; 220 lport = p ? p->port : NULL;
223 rport = rp ? hlist_entry(rp, struct net_bridge_port, rlist) : 221 rport = rp ? hlist_entry(rp, struct net_bridge_port, rlist) :
224 NULL; 222 NULL;
@@ -231,9 +229,9 @@ static void br_multicast_flood(struct net_bridge_mdb_entry *mdst,
231 goto out; 229 goto out;
232 230
233 if ((unsigned long)lport >= (unsigned long)port) 231 if ((unsigned long)lport >= (unsigned long)port)
234 p = p->next; 232 p = rcu_dereference(p->next);
235 if ((unsigned long)rport >= (unsigned long)port) 233 if ((unsigned long)rport >= (unsigned long)port)
236 rp = rp->next; 234 rp = rcu_dereference(rp->next);
237 } 235 }
238 236
239 if (!prev) 237 if (!prev)
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 0b6b1f2ff7ac..18b245e2c00e 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -13,6 +13,7 @@
13 13
14#include <linux/kernel.h> 14#include <linux/kernel.h>
15#include <linux/netdevice.h> 15#include <linux/netdevice.h>
16#include <linux/netpoll.h>
16#include <linux/ethtool.h> 17#include <linux/ethtool.h>
17#include <linux/if_arp.h> 18#include <linux/if_arp.h>
18#include <linux/module.h> 19#include <linux/module.h>
@@ -132,7 +133,7 @@ static void del_nbp(struct net_bridge_port *p)
132 struct net_bridge *br = p->br; 133 struct net_bridge *br = p->br;
133 struct net_device *dev = p->dev; 134 struct net_device *dev = p->dev;
134 135
135 sysfs_remove_link(br->ifobj, dev->name); 136 sysfs_remove_link(br->ifobj, p->dev->name);
136 137
137 dev_set_promiscuity(dev, -1); 138 dev_set_promiscuity(dev, -1);
138 139
@@ -153,6 +154,7 @@ static void del_nbp(struct net_bridge_port *p)
153 kobject_uevent(&p->kobj, KOBJ_REMOVE); 154 kobject_uevent(&p->kobj, KOBJ_REMOVE);
154 kobject_del(&p->kobj); 155 kobject_del(&p->kobj);
155 156
157 br_netpoll_disable(br, dev);
156 call_rcu(&p->rcu, destroy_nbp_rcu); 158 call_rcu(&p->rcu, destroy_nbp_rcu);
157} 159}
158 160
@@ -165,6 +167,8 @@ static void del_br(struct net_bridge *br, struct list_head *head)
165 del_nbp(p); 167 del_nbp(p);
166 } 168 }
167 169
170 br_netpoll_cleanup(br->dev);
171
168 del_timer_sync(&br->gc_timer); 172 del_timer_sync(&br->gc_timer);
169 173
170 br_sysfs_delbr(br->dev); 174 br_sysfs_delbr(br->dev);
@@ -186,6 +190,12 @@ static struct net_device *new_bridge_dev(struct net *net, const char *name)
186 br = netdev_priv(dev); 190 br = netdev_priv(dev);
187 br->dev = dev; 191 br->dev = dev;
188 192
193 br->stats = alloc_percpu(struct br_cpu_netstats);
194 if (!br->stats) {
195 free_netdev(dev);
196 return NULL;
197 }
198
189 spin_lock_init(&br->lock); 199 spin_lock_init(&br->lock);
190 INIT_LIST_HEAD(&br->port_list); 200 INIT_LIST_HEAD(&br->port_list);
191 spin_lock_init(&br->hash_lock); 201 spin_lock_init(&br->hash_lock);
@@ -438,6 +448,8 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
438 448
439 kobject_uevent(&p->kobj, KOBJ_ADD); 449 kobject_uevent(&p->kobj, KOBJ_ADD);
440 450
451 br_netpoll_enable(br, dev);
452
441 return 0; 453 return 0;
442err2: 454err2:
443 br_fdb_delete_by_port(br, p, 1); 455 br_fdb_delete_by_port(br, p, 1);
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index a82dde2d2ead..d36e700f7a26 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -24,14 +24,16 @@ const u8 br_group_address[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 };
24static int br_pass_frame_up(struct sk_buff *skb) 24static int br_pass_frame_up(struct sk_buff *skb)
25{ 25{
26 struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev; 26 struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev;
27 struct net_bridge *br = netdev_priv(brdev);
28 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
27 29
28 brdev->stats.rx_packets++; 30 brstats->rx_packets++;
29 brdev->stats.rx_bytes += skb->len; 31 brstats->rx_bytes += skb->len;
30 32
31 indev = skb->dev; 33 indev = skb->dev;
32 skb->dev = brdev; 34 skb->dev = brdev;
33 35
34 return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL, 36 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
35 netif_receive_skb); 37 netif_receive_skb);
36} 38}
37 39
@@ -154,7 +156,7 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
154 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) 156 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
155 goto forward; 157 goto forward;
156 158
157 if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, 159 if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
158 NULL, br_handle_local_finish)) 160 NULL, br_handle_local_finish))
159 return NULL; /* frame consumed by filter */ 161 return NULL; /* frame consumed by filter */
160 else 162 else
@@ -175,7 +177,7 @@ forward:
175 if (!compare_ether_addr(p->br->dev->dev_addr, dest)) 177 if (!compare_ether_addr(p->br->dev->dev_addr, dest))
176 skb->pkt_type = PACKET_HOST; 178 skb->pkt_type = PACKET_HOST;
177 179
178 NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 180 NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
179 br_handle_frame_finish); 181 br_handle_frame_finish);
180 break; 182 break;
181 default: 183 default:
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 995afc4b04dc..cb43312b846e 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -412,6 +412,6 @@ int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
412 412
413 } 413 }
414 414
415 pr_debug("Bridge does not support ioctl 0x%x\n", cmd); 415 br_debug(br, "Bridge does not support ioctl 0x%x\n", cmd);
416 return -EOPNOTSUPP; 416 return -EOPNOTSUPP;
417} 417}
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index eaa0e1bae49b..27ae946363f1 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -24,22 +24,75 @@
24#include <linux/slab.h> 24#include <linux/slab.h>
25#include <linux/timer.h> 25#include <linux/timer.h>
26#include <net/ip.h> 26#include <net/ip.h>
27#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
28#include <net/ipv6.h>
29#include <net/mld.h>
30#include <net/addrconf.h>
31#include <net/ip6_checksum.h>
32#endif
27 33
28#include "br_private.h" 34#include "br_private.h"
29 35
30static inline int br_ip_hash(struct net_bridge_mdb_htable *mdb, __be32 ip) 36#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
37static inline int ipv6_is_local_multicast(const struct in6_addr *addr)
31{ 38{
32 return jhash_1word(mdb->secret, (u32)ip) & (mdb->max - 1); 39 if (ipv6_addr_is_multicast(addr) &&
40 IPV6_ADDR_MC_SCOPE(addr) <= IPV6_ADDR_SCOPE_LINKLOCAL)
41 return 1;
42 return 0;
43}
44#endif
45
46static inline int br_ip_equal(const struct br_ip *a, const struct br_ip *b)
47{
48 if (a->proto != b->proto)
49 return 0;
50 switch (a->proto) {
51 case htons(ETH_P_IP):
52 return a->u.ip4 == b->u.ip4;
53#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
54 case htons(ETH_P_IPV6):
55 return ipv6_addr_equal(&a->u.ip6, &b->u.ip6);
56#endif
57 }
58 return 0;
59}
60
61static inline int __br_ip4_hash(struct net_bridge_mdb_htable *mdb, __be32 ip)
62{
63 return jhash_1word(mdb->secret, (__force u32)ip) & (mdb->max - 1);
64}
65
66#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
67static inline int __br_ip6_hash(struct net_bridge_mdb_htable *mdb,
68 const struct in6_addr *ip)
69{
70 return jhash2((__force u32 *)ip->s6_addr32, 4, mdb->secret) & (mdb->max - 1);
71}
72#endif
73
74static inline int br_ip_hash(struct net_bridge_mdb_htable *mdb,
75 struct br_ip *ip)
76{
77 switch (ip->proto) {
78 case htons(ETH_P_IP):
79 return __br_ip4_hash(mdb, ip->u.ip4);
80#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
81 case htons(ETH_P_IPV6):
82 return __br_ip6_hash(mdb, &ip->u.ip6);
83#endif
84 }
85 return 0;
33} 86}
34 87
35static struct net_bridge_mdb_entry *__br_mdb_ip_get( 88static struct net_bridge_mdb_entry *__br_mdb_ip_get(
36 struct net_bridge_mdb_htable *mdb, __be32 dst, int hash) 89 struct net_bridge_mdb_htable *mdb, struct br_ip *dst, int hash)
37{ 90{
38 struct net_bridge_mdb_entry *mp; 91 struct net_bridge_mdb_entry *mp;
39 struct hlist_node *p; 92 struct hlist_node *p;
40 93
41 hlist_for_each_entry_rcu(mp, p, &mdb->mhash[hash], hlist[mdb->ver]) { 94 hlist_for_each_entry_rcu(mp, p, &mdb->mhash[hash], hlist[mdb->ver]) {
42 if (dst == mp->addr) 95 if (br_ip_equal(&mp->addr, dst))
43 return mp; 96 return mp;
44 } 97 }
45 98
@@ -47,7 +100,7 @@ static struct net_bridge_mdb_entry *__br_mdb_ip_get(
47} 100}
48 101
49static struct net_bridge_mdb_entry *br_mdb_ip_get( 102static struct net_bridge_mdb_entry *br_mdb_ip_get(
50 struct net_bridge_mdb_htable *mdb, __be32 dst) 103 struct net_bridge_mdb_htable *mdb, struct br_ip *dst)
51{ 104{
52 if (!mdb) 105 if (!mdb)
53 return NULL; 106 return NULL;
@@ -55,20 +108,58 @@ static struct net_bridge_mdb_entry *br_mdb_ip_get(
55 return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst)); 108 return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst));
56} 109}
57 110
111static struct net_bridge_mdb_entry *br_mdb_ip4_get(
112 struct net_bridge_mdb_htable *mdb, __be32 dst)
113{
114 struct br_ip br_dst;
115
116 br_dst.u.ip4 = dst;
117 br_dst.proto = htons(ETH_P_IP);
118
119 return br_mdb_ip_get(mdb, &br_dst);
120}
121
122#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
123static struct net_bridge_mdb_entry *br_mdb_ip6_get(
124 struct net_bridge_mdb_htable *mdb, const struct in6_addr *dst)
125{
126 struct br_ip br_dst;
127
128 ipv6_addr_copy(&br_dst.u.ip6, dst);
129 br_dst.proto = htons(ETH_P_IPV6);
130
131 return br_mdb_ip_get(mdb, &br_dst);
132}
133#endif
134
58struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br, 135struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br,
59 struct sk_buff *skb) 136 struct sk_buff *skb)
60{ 137{
138 struct net_bridge_mdb_htable *mdb = br->mdb;
139 struct br_ip ip;
140
61 if (br->multicast_disabled) 141 if (br->multicast_disabled)
62 return NULL; 142 return NULL;
63 143
144 if (BR_INPUT_SKB_CB(skb)->igmp)
145 return NULL;
146
147 ip.proto = skb->protocol;
148
64 switch (skb->protocol) { 149 switch (skb->protocol) {
65 case htons(ETH_P_IP): 150 case htons(ETH_P_IP):
66 if (BR_INPUT_SKB_CB(skb)->igmp) 151 ip.u.ip4 = ip_hdr(skb)->daddr;
67 break; 152 break;
68 return br_mdb_ip_get(br->mdb, ip_hdr(skb)->daddr); 153#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
154 case htons(ETH_P_IPV6):
155 ipv6_addr_copy(&ip.u.ip6, &ipv6_hdr(skb)->daddr);
156 break;
157#endif
158 default:
159 return NULL;
69 } 160 }
70 161
71 return NULL; 162 return br_mdb_ip_get(mdb, &ip);
72} 163}
73 164
74static void br_mdb_free(struct rcu_head *head) 165static void br_mdb_free(struct rcu_head *head)
@@ -95,7 +186,7 @@ static int br_mdb_copy(struct net_bridge_mdb_htable *new,
95 for (i = 0; i < old->max; i++) 186 for (i = 0; i < old->max; i++)
96 hlist_for_each_entry(mp, p, &old->mhash[i], hlist[old->ver]) 187 hlist_for_each_entry(mp, p, &old->mhash[i], hlist[old->ver])
97 hlist_add_head(&mp->hlist[new->ver], 188 hlist_add_head(&mp->hlist[new->ver],
98 &new->mhash[br_ip_hash(new, mp->addr)]); 189 &new->mhash[br_ip_hash(new, &mp->addr)]);
99 190
100 if (!elasticity) 191 if (!elasticity)
101 return 0; 192 return 0;
@@ -163,7 +254,7 @@ static void br_multicast_del_pg(struct net_bridge *br,
163 struct net_bridge_port_group *p; 254 struct net_bridge_port_group *p;
164 struct net_bridge_port_group **pp; 255 struct net_bridge_port_group **pp;
165 256
166 mp = br_mdb_ip_get(mdb, pg->addr); 257 mp = br_mdb_ip_get(mdb, &pg->addr);
167 if (WARN_ON(!mp)) 258 if (WARN_ON(!mp))
168 return; 259 return;
169 260
@@ -171,7 +262,7 @@ static void br_multicast_del_pg(struct net_bridge *br,
171 if (p != pg) 262 if (p != pg)
172 continue; 263 continue;
173 264
174 *pp = p->next; 265 rcu_assign_pointer(*pp, p->next);
175 hlist_del_init(&p->mglist); 266 hlist_del_init(&p->mglist);
176 del_timer(&p->timer); 267 del_timer(&p->timer);
177 del_timer(&p->query_timer); 268 del_timer(&p->query_timer);
@@ -249,8 +340,8 @@ out:
249 return 0; 340 return 0;
250} 341}
251 342
252static struct sk_buff *br_multicast_alloc_query(struct net_bridge *br, 343static struct sk_buff *br_ip4_multicast_alloc_query(struct net_bridge *br,
253 __be32 group) 344 __be32 group)
254{ 345{
255 struct sk_buff *skb; 346 struct sk_buff *skb;
256 struct igmphdr *ih; 347 struct igmphdr *ih;
@@ -314,12 +405,104 @@ out:
314 return skb; 405 return skb;
315} 406}
316 407
408#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
409static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
410 struct in6_addr *group)
411{
412 struct sk_buff *skb;
413 struct ipv6hdr *ip6h;
414 struct mld_msg *mldq;
415 struct ethhdr *eth;
416 u8 *hopopt;
417 unsigned long interval;
418
419 skb = netdev_alloc_skb_ip_align(br->dev, sizeof(*eth) + sizeof(*ip6h) +
420 8 + sizeof(*mldq));
421 if (!skb)
422 goto out;
423
424 skb->protocol = htons(ETH_P_IPV6);
425
426 /* Ethernet header */
427 skb_reset_mac_header(skb);
428 eth = eth_hdr(skb);
429
430 memcpy(eth->h_source, br->dev->dev_addr, 6);
431 ipv6_eth_mc_map(group, eth->h_dest);
432 eth->h_proto = htons(ETH_P_IPV6);
433 skb_put(skb, sizeof(*eth));
434
435 /* IPv6 header + HbH option */
436 skb_set_network_header(skb, skb->len);
437 ip6h = ipv6_hdr(skb);
438
439 *(__force __be32 *)ip6h = htonl(0x60000000);
440 ip6h->payload_len = 8 + sizeof(*mldq);
441 ip6h->nexthdr = IPPROTO_HOPOPTS;
442 ip6h->hop_limit = 1;
443 ipv6_addr_set(&ip6h->saddr, 0, 0, 0, 0);
444 ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
445
446 hopopt = (u8 *)(ip6h + 1);
447 hopopt[0] = IPPROTO_ICMPV6; /* next hdr */
448 hopopt[1] = 0; /* length of HbH */
449 hopopt[2] = IPV6_TLV_ROUTERALERT; /* Router Alert */
450 hopopt[3] = 2; /* Length of RA Option */
451 hopopt[4] = 0; /* Type = 0x0000 (MLD) */
452 hopopt[5] = 0;
453 hopopt[6] = IPV6_TLV_PAD0; /* Pad0 */
454 hopopt[7] = IPV6_TLV_PAD0; /* Pad0 */
455
456 skb_put(skb, sizeof(*ip6h) + 8);
457
458 /* ICMPv6 */
459 skb_set_transport_header(skb, skb->len);
460 mldq = (struct mld_msg *) icmp6_hdr(skb);
461
462 interval = ipv6_addr_any(group) ? br->multicast_last_member_interval :
463 br->multicast_query_response_interval;
464
465 mldq->mld_type = ICMPV6_MGM_QUERY;
466 mldq->mld_code = 0;
467 mldq->mld_cksum = 0;
468 mldq->mld_maxdelay = htons((u16)jiffies_to_msecs(interval));
469 mldq->mld_reserved = 0;
470 ipv6_addr_copy(&mldq->mld_mca, group);
471
472 /* checksum */
473 mldq->mld_cksum = csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
474 sizeof(*mldq), IPPROTO_ICMPV6,
475 csum_partial(mldq,
476 sizeof(*mldq), 0));
477 skb_put(skb, sizeof(*mldq));
478
479 __skb_pull(skb, sizeof(*eth));
480
481out:
482 return skb;
483}
484#endif
485
486static struct sk_buff *br_multicast_alloc_query(struct net_bridge *br,
487 struct br_ip *addr)
488{
489 switch (addr->proto) {
490 case htons(ETH_P_IP):
491 return br_ip4_multicast_alloc_query(br, addr->u.ip4);
492#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
493 case htons(ETH_P_IPV6):
494 return br_ip6_multicast_alloc_query(br, &addr->u.ip6);
495#endif
496 }
497 return NULL;
498}
499
317static void br_multicast_send_group_query(struct net_bridge_mdb_entry *mp) 500static void br_multicast_send_group_query(struct net_bridge_mdb_entry *mp)
318{ 501{
319 struct net_bridge *br = mp->br; 502 struct net_bridge *br = mp->br;
320 struct sk_buff *skb; 503 struct sk_buff *skb;
321 504
322 skb = br_multicast_alloc_query(br, mp->addr); 505 skb = br_multicast_alloc_query(br, &mp->addr);
323 if (!skb) 506 if (!skb)
324 goto timer; 507 goto timer;
325 508
@@ -353,7 +536,7 @@ static void br_multicast_send_port_group_query(struct net_bridge_port_group *pg)
353 struct net_bridge *br = port->br; 536 struct net_bridge *br = port->br;
354 struct sk_buff *skb; 537 struct sk_buff *skb;
355 538
356 skb = br_multicast_alloc_query(br, pg->addr); 539 skb = br_multicast_alloc_query(br, &pg->addr);
357 if (!skb) 540 if (!skb)
358 goto timer; 541 goto timer;
359 542
@@ -383,8 +566,8 @@ out:
383} 566}
384 567
385static struct net_bridge_mdb_entry *br_multicast_get_group( 568static struct net_bridge_mdb_entry *br_multicast_get_group(
386 struct net_bridge *br, struct net_bridge_port *port, __be32 group, 569 struct net_bridge *br, struct net_bridge_port *port,
387 int hash) 570 struct br_ip *group, int hash)
388{ 571{
389 struct net_bridge_mdb_htable *mdb = br->mdb; 572 struct net_bridge_mdb_htable *mdb = br->mdb;
390 struct net_bridge_mdb_entry *mp; 573 struct net_bridge_mdb_entry *mp;
@@ -396,9 +579,8 @@ static struct net_bridge_mdb_entry *br_multicast_get_group(
396 579
397 hlist_for_each_entry(mp, p, &mdb->mhash[hash], hlist[mdb->ver]) { 580 hlist_for_each_entry(mp, p, &mdb->mhash[hash], hlist[mdb->ver]) {
398 count++; 581 count++;
399 if (unlikely(group == mp->addr)) { 582 if (unlikely(br_ip_equal(group, &mp->addr)))
400 return mp; 583 return mp;
401 }
402 } 584 }
403 585
404 elasticity = 0; 586 elasticity = 0;
@@ -406,10 +588,9 @@ static struct net_bridge_mdb_entry *br_multicast_get_group(
406 588
407 if (unlikely(count > br->hash_elasticity && count)) { 589 if (unlikely(count > br->hash_elasticity && count)) {
408 if (net_ratelimit()) 590 if (net_ratelimit())
409 printk(KERN_INFO "%s: Multicast hash table " 591 br_info(br, "Multicast hash table "
410 "chain limit reached: %s\n", 592 "chain limit reached: %s\n",
411 br->dev->name, port ? port->dev->name : 593 port ? port->dev->name : br->dev->name);
412 br->dev->name);
413 594
414 elasticity = br->hash_elasticity; 595 elasticity = br->hash_elasticity;
415 } 596 }
@@ -417,11 +598,9 @@ static struct net_bridge_mdb_entry *br_multicast_get_group(
417 if (mdb->size >= max) { 598 if (mdb->size >= max) {
418 max *= 2; 599 max *= 2;
419 if (unlikely(max >= br->hash_max)) { 600 if (unlikely(max >= br->hash_max)) {
420 printk(KERN_WARNING "%s: Multicast hash table maximum " 601 br_warn(br, "Multicast hash table maximum "
421 "reached, disabling snooping: %s, %d\n", 602 "reached, disabling snooping: %s, %d\n",
422 br->dev->name, port ? port->dev->name : 603 port ? port->dev->name : br->dev->name, max);
423 br->dev->name,
424 max);
425 err = -E2BIG; 604 err = -E2BIG;
426disable: 605disable:
427 br->multicast_disabled = 1; 606 br->multicast_disabled = 1;
@@ -432,22 +611,19 @@ disable:
432 if (max > mdb->max || elasticity) { 611 if (max > mdb->max || elasticity) {
433 if (mdb->old) { 612 if (mdb->old) {
434 if (net_ratelimit()) 613 if (net_ratelimit())
435 printk(KERN_INFO "%s: Multicast hash table " 614 br_info(br, "Multicast hash table "
436 "on fire: %s\n", 615 "on fire: %s\n",
437 br->dev->name, port ? port->dev->name : 616 port ? port->dev->name : br->dev->name);
438 br->dev->name);
439 err = -EEXIST; 617 err = -EEXIST;
440 goto err; 618 goto err;
441 } 619 }
442 620
443 err = br_mdb_rehash(&br->mdb, max, elasticity); 621 err = br_mdb_rehash(&br->mdb, max, elasticity);
444 if (err) { 622 if (err) {
445 printk(KERN_WARNING "%s: Cannot rehash multicast " 623 br_warn(br, "Cannot rehash multicast "
446 "hash table, disabling snooping: " 624 "hash table, disabling snooping: %s, %d, %d\n",
447 "%s, %d, %d\n", 625 port ? port->dev->name : br->dev->name,
448 br->dev->name, port ? port->dev->name : 626 mdb->size, err);
449 br->dev->name,
450 mdb->size, err);
451 goto disable; 627 goto disable;
452 } 628 }
453 629
@@ -463,7 +639,8 @@ err:
463} 639}
464 640
465static struct net_bridge_mdb_entry *br_multicast_new_group( 641static struct net_bridge_mdb_entry *br_multicast_new_group(
466 struct net_bridge *br, struct net_bridge_port *port, __be32 group) 642 struct net_bridge *br, struct net_bridge_port *port,
643 struct br_ip *group)
467{ 644{
468 struct net_bridge_mdb_htable *mdb = br->mdb; 645 struct net_bridge_mdb_htable *mdb = br->mdb;
469 struct net_bridge_mdb_entry *mp; 646 struct net_bridge_mdb_entry *mp;
@@ -496,7 +673,7 @@ rehash:
496 goto out; 673 goto out;
497 674
498 mp->br = br; 675 mp->br = br;
499 mp->addr = group; 676 mp->addr = *group;
500 setup_timer(&mp->timer, br_multicast_group_expired, 677 setup_timer(&mp->timer, br_multicast_group_expired,
501 (unsigned long)mp); 678 (unsigned long)mp);
502 setup_timer(&mp->query_timer, br_multicast_group_query_expired, 679 setup_timer(&mp->query_timer, br_multicast_group_query_expired,
@@ -510,7 +687,8 @@ out:
510} 687}
511 688
512static int br_multicast_add_group(struct net_bridge *br, 689static int br_multicast_add_group(struct net_bridge *br,
513 struct net_bridge_port *port, __be32 group) 690 struct net_bridge_port *port,
691 struct br_ip *group)
514{ 692{
515 struct net_bridge_mdb_entry *mp; 693 struct net_bridge_mdb_entry *mp;
516 struct net_bridge_port_group *p; 694 struct net_bridge_port_group *p;
@@ -518,9 +696,6 @@ static int br_multicast_add_group(struct net_bridge *br,
518 unsigned long now = jiffies; 696 unsigned long now = jiffies;
519 int err; 697 int err;
520 698
521 if (ipv4_is_local_multicast(group))
522 return 0;
523
524 spin_lock(&br->multicast_lock); 699 spin_lock(&br->multicast_lock);
525 if (!netif_running(br->dev) || 700 if (!netif_running(br->dev) ||
526 (port && port->state == BR_STATE_DISABLED)) 701 (port && port->state == BR_STATE_DISABLED))
@@ -549,7 +724,7 @@ static int br_multicast_add_group(struct net_bridge *br,
549 if (unlikely(!p)) 724 if (unlikely(!p))
550 goto err; 725 goto err;
551 726
552 p->addr = group; 727 p->addr = *group;
553 p->port = port; 728 p->port = port;
554 p->next = *pp; 729 p->next = *pp;
555 hlist_add_head(&p->mglist, &port->mglist); 730 hlist_add_head(&p->mglist, &port->mglist);
@@ -570,6 +745,38 @@ err:
570 return err; 745 return err;
571} 746}
572 747
748static int br_ip4_multicast_add_group(struct net_bridge *br,
749 struct net_bridge_port *port,
750 __be32 group)
751{
752 struct br_ip br_group;
753
754 if (ipv4_is_local_multicast(group))
755 return 0;
756
757 br_group.u.ip4 = group;
758 br_group.proto = htons(ETH_P_IP);
759
760 return br_multicast_add_group(br, port, &br_group);
761}
762
763#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
764static int br_ip6_multicast_add_group(struct net_bridge *br,
765 struct net_bridge_port *port,
766 const struct in6_addr *group)
767{
768 struct br_ip br_group;
769
770 if (ipv6_is_local_multicast(group))
771 return 0;
772
773 ipv6_addr_copy(&br_group.u.ip6, group);
774 br_group.proto = htons(ETH_P_IP);
775
776 return br_multicast_add_group(br, port, &br_group);
777}
778#endif
779
573static void br_multicast_router_expired(unsigned long data) 780static void br_multicast_router_expired(unsigned long data)
574{ 781{
575 struct net_bridge_port *port = (void *)data; 782 struct net_bridge_port *port = (void *)data;
@@ -591,29 +798,45 @@ static void br_multicast_local_router_expired(unsigned long data)
591{ 798{
592} 799}
593 800
594static void br_multicast_send_query(struct net_bridge *br, 801static void __br_multicast_send_query(struct net_bridge *br,
595 struct net_bridge_port *port, u32 sent) 802 struct net_bridge_port *port,
803 struct br_ip *ip)
596{ 804{
597 unsigned long time;
598 struct sk_buff *skb; 805 struct sk_buff *skb;
599 806
600 if (!netif_running(br->dev) || br->multicast_disabled || 807 skb = br_multicast_alloc_query(br, ip);
601 timer_pending(&br->multicast_querier_timer))
602 return;
603
604 skb = br_multicast_alloc_query(br, 0);
605 if (!skb) 808 if (!skb)
606 goto timer; 809 return;
607 810
608 if (port) { 811 if (port) {
609 __skb_push(skb, sizeof(struct ethhdr)); 812 __skb_push(skb, sizeof(struct ethhdr));
610 skb->dev = port->dev; 813 skb->dev = port->dev;
611 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 814 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
612 dev_queue_xmit); 815 dev_queue_xmit);
613 } else 816 } else
614 netif_rx(skb); 817 netif_rx(skb);
818}
819
820static void br_multicast_send_query(struct net_bridge *br,
821 struct net_bridge_port *port, u32 sent)
822{
823 unsigned long time;
824 struct br_ip br_group;
825
826 if (!netif_running(br->dev) || br->multicast_disabled ||
827 timer_pending(&br->multicast_querier_timer))
828 return;
829
830 memset(&br_group.u, 0, sizeof(br_group.u));
831
832 br_group.proto = htons(ETH_P_IP);
833 __br_multicast_send_query(br, port, &br_group);
834
835#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
836 br_group.proto = htons(ETH_P_IPV6);
837 __br_multicast_send_query(br, port, &br_group);
838#endif
615 839
616timer:
617 time = jiffies; 840 time = jiffies;
618 time += sent < br->multicast_startup_query_count ? 841 time += sent < br->multicast_startup_query_count ?
619 br->multicast_startup_query_interval : 842 br->multicast_startup_query_interval :
@@ -698,9 +921,9 @@ void br_multicast_disable_port(struct net_bridge_port *port)
698 spin_unlock(&br->multicast_lock); 921 spin_unlock(&br->multicast_lock);
699} 922}
700 923
701static int br_multicast_igmp3_report(struct net_bridge *br, 924static int br_ip4_multicast_igmp3_report(struct net_bridge *br,
702 struct net_bridge_port *port, 925 struct net_bridge_port *port,
703 struct sk_buff *skb) 926 struct sk_buff *skb)
704{ 927{
705 struct igmpv3_report *ih; 928 struct igmpv3_report *ih;
706 struct igmpv3_grec *grec; 929 struct igmpv3_grec *grec;
@@ -745,7 +968,7 @@ static int br_multicast_igmp3_report(struct net_bridge *br,
745 continue; 968 continue;
746 } 969 }
747 970
748 err = br_multicast_add_group(br, port, group); 971 err = br_ip4_multicast_add_group(br, port, group);
749 if (err) 972 if (err)
750 break; 973 break;
751 } 974 }
@@ -753,24 +976,87 @@ static int br_multicast_igmp3_report(struct net_bridge *br,
753 return err; 976 return err;
754} 977}
755 978
979#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
980static int br_ip6_multicast_mld2_report(struct net_bridge *br,
981 struct net_bridge_port *port,
982 struct sk_buff *skb)
983{
984 struct icmp6hdr *icmp6h;
985 struct mld2_grec *grec;
986 int i;
987 int len;
988 int num;
989 int err = 0;
990
991 if (!pskb_may_pull(skb, sizeof(*icmp6h)))
992 return -EINVAL;
993
994 icmp6h = icmp6_hdr(skb);
995 num = ntohs(icmp6h->icmp6_dataun.un_data16[1]);
996 len = sizeof(*icmp6h);
997
998 for (i = 0; i < num; i++) {
999 __be16 *nsrcs, _nsrcs;
1000
1001 nsrcs = skb_header_pointer(skb,
1002 len + offsetof(struct mld2_grec,
1003 grec_mca),
1004 sizeof(_nsrcs), &_nsrcs);
1005 if (!nsrcs)
1006 return -EINVAL;
1007
1008 if (!pskb_may_pull(skb,
1009 len + sizeof(*grec) +
1010 sizeof(struct in6_addr) * (*nsrcs)))
1011 return -EINVAL;
1012
1013 grec = (struct mld2_grec *)(skb->data + len);
1014 len += sizeof(*grec) + sizeof(struct in6_addr) * (*nsrcs);
1015
1016 /* We treat these as MLDv1 reports for now. */
1017 switch (grec->grec_type) {
1018 case MLD2_MODE_IS_INCLUDE:
1019 case MLD2_MODE_IS_EXCLUDE:
1020 case MLD2_CHANGE_TO_INCLUDE:
1021 case MLD2_CHANGE_TO_EXCLUDE:
1022 case MLD2_ALLOW_NEW_SOURCES:
1023 case MLD2_BLOCK_OLD_SOURCES:
1024 break;
1025
1026 default:
1027 continue;
1028 }
1029
1030 err = br_ip6_multicast_add_group(br, port, &grec->grec_mca);
1031 if (!err)
1032 break;
1033 }
1034
1035 return err;
1036}
1037#endif
1038
1039/*
1040 * Add port to rotuer_list
1041 * list is maintained ordered by pointer value
1042 * and locked by br->multicast_lock and RCU
1043 */
756static void br_multicast_add_router(struct net_bridge *br, 1044static void br_multicast_add_router(struct net_bridge *br,
757 struct net_bridge_port *port) 1045 struct net_bridge_port *port)
758{ 1046{
759 struct hlist_node *p; 1047 struct net_bridge_port *p;
760 struct hlist_node **h; 1048 struct hlist_node *n, *slot = NULL;
761 1049
762 for (h = &br->router_list.first; 1050 hlist_for_each_entry(p, n, &br->router_list, rlist) {
763 (p = *h) && 1051 if ((unsigned long) port >= (unsigned long) p)
764 (unsigned long)container_of(p, struct net_bridge_port, rlist) > 1052 break;
765 (unsigned long)port; 1053 slot = n;
766 h = &p->next) 1054 }
767 ; 1055
768 1056 if (slot)
769 port->rlist.pprev = h; 1057 hlist_add_after_rcu(slot, &port->rlist);
770 port->rlist.next = p; 1058 else
771 rcu_assign_pointer(*h, &port->rlist); 1059 hlist_add_head_rcu(&port->rlist, &br->router_list);
772 if (p)
773 p->pprev = &port->rlist.next;
774} 1060}
775 1061
776static void br_multicast_mark_router(struct net_bridge *br, 1062static void br_multicast_mark_router(struct net_bridge *br,
@@ -800,7 +1086,7 @@ timer:
800 1086
801static void br_multicast_query_received(struct net_bridge *br, 1087static void br_multicast_query_received(struct net_bridge *br,
802 struct net_bridge_port *port, 1088 struct net_bridge_port *port,
803 __be32 saddr) 1089 int saddr)
804{ 1090{
805 if (saddr) 1091 if (saddr)
806 mod_timer(&br->multicast_querier_timer, 1092 mod_timer(&br->multicast_querier_timer,
@@ -811,9 +1097,9 @@ static void br_multicast_query_received(struct net_bridge *br,
811 br_multicast_mark_router(br, port); 1097 br_multicast_mark_router(br, port);
812} 1098}
813 1099
814static int br_multicast_query(struct net_bridge *br, 1100static int br_ip4_multicast_query(struct net_bridge *br,
815 struct net_bridge_port *port, 1101 struct net_bridge_port *port,
816 struct sk_buff *skb) 1102 struct sk_buff *skb)
817{ 1103{
818 struct iphdr *iph = ip_hdr(skb); 1104 struct iphdr *iph = ip_hdr(skb);
819 struct igmphdr *ih = igmp_hdr(skb); 1105 struct igmphdr *ih = igmp_hdr(skb);
@@ -831,7 +1117,7 @@ static int br_multicast_query(struct net_bridge *br,
831 (port && port->state == BR_STATE_DISABLED)) 1117 (port && port->state == BR_STATE_DISABLED))
832 goto out; 1118 goto out;
833 1119
834 br_multicast_query_received(br, port, iph->saddr); 1120 br_multicast_query_received(br, port, !!iph->saddr);
835 1121
836 group = ih->group; 1122 group = ih->group;
837 1123
@@ -859,7 +1145,7 @@ static int br_multicast_query(struct net_bridge *br,
859 if (!group) 1145 if (!group)
860 goto out; 1146 goto out;
861 1147
862 mp = br_mdb_ip_get(br->mdb, group); 1148 mp = br_mdb_ip4_get(br->mdb, group);
863 if (!mp) 1149 if (!mp)
864 goto out; 1150 goto out;
865 1151
@@ -883,9 +1169,78 @@ out:
883 return err; 1169 return err;
884} 1170}
885 1171
1172#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1173static int br_ip6_multicast_query(struct net_bridge *br,
1174 struct net_bridge_port *port,
1175 struct sk_buff *skb)
1176{
1177 struct ipv6hdr *ip6h = ipv6_hdr(skb);
1178 struct mld_msg *mld = (struct mld_msg *) icmp6_hdr(skb);
1179 struct net_bridge_mdb_entry *mp;
1180 struct mld2_query *mld2q;
1181 struct net_bridge_port_group *p, **pp;
1182 unsigned long max_delay;
1183 unsigned long now = jiffies;
1184 struct in6_addr *group = NULL;
1185 int err = 0;
1186
1187 spin_lock(&br->multicast_lock);
1188 if (!netif_running(br->dev) ||
1189 (port && port->state == BR_STATE_DISABLED))
1190 goto out;
1191
1192 br_multicast_query_received(br, port, !ipv6_addr_any(&ip6h->saddr));
1193
1194 if (skb->len == sizeof(*mld)) {
1195 if (!pskb_may_pull(skb, sizeof(*mld))) {
1196 err = -EINVAL;
1197 goto out;
1198 }
1199 mld = (struct mld_msg *) icmp6_hdr(skb);
1200 max_delay = msecs_to_jiffies(htons(mld->mld_maxdelay));
1201 if (max_delay)
1202 group = &mld->mld_mca;
1203 } else if (skb->len >= sizeof(*mld2q)) {
1204 if (!pskb_may_pull(skb, sizeof(*mld2q))) {
1205 err = -EINVAL;
1206 goto out;
1207 }
1208 mld2q = (struct mld2_query *)icmp6_hdr(skb);
1209 if (!mld2q->mld2q_nsrcs)
1210 group = &mld2q->mld2q_mca;
1211 max_delay = mld2q->mld2q_mrc ? MLDV2_MRC(mld2q->mld2q_mrc) : 1;
1212 }
1213
1214 if (!group)
1215 goto out;
1216
1217 mp = br_mdb_ip6_get(br->mdb, group);
1218 if (!mp)
1219 goto out;
1220
1221 max_delay *= br->multicast_last_member_count;
1222 if (!hlist_unhashed(&mp->mglist) &&
1223 (timer_pending(&mp->timer) ?
1224 time_after(mp->timer.expires, now + max_delay) :
1225 try_to_del_timer_sync(&mp->timer) >= 0))
1226 mod_timer(&mp->timer, now + max_delay);
1227
1228 for (pp = &mp->ports; (p = *pp); pp = &p->next) {
1229 if (timer_pending(&p->timer) ?
1230 time_after(p->timer.expires, now + max_delay) :
1231 try_to_del_timer_sync(&p->timer) >= 0)
1232 mod_timer(&mp->timer, now + max_delay);
1233 }
1234
1235out:
1236 spin_unlock(&br->multicast_lock);
1237 return err;
1238}
1239#endif
1240
886static void br_multicast_leave_group(struct net_bridge *br, 1241static void br_multicast_leave_group(struct net_bridge *br,
887 struct net_bridge_port *port, 1242 struct net_bridge_port *port,
888 __be32 group) 1243 struct br_ip *group)
889{ 1244{
890 struct net_bridge_mdb_htable *mdb; 1245 struct net_bridge_mdb_htable *mdb;
891 struct net_bridge_mdb_entry *mp; 1246 struct net_bridge_mdb_entry *mp;
@@ -893,9 +1248,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
893 unsigned long now; 1248 unsigned long now;
894 unsigned long time; 1249 unsigned long time;
895 1250
896 if (ipv4_is_local_multicast(group))
897 return;
898
899 spin_lock(&br->multicast_lock); 1251 spin_lock(&br->multicast_lock);
900 if (!netif_running(br->dev) || 1252 if (!netif_running(br->dev) ||
901 (port && port->state == BR_STATE_DISABLED) || 1253 (port && port->state == BR_STATE_DISABLED) ||
@@ -946,6 +1298,38 @@ out:
946 spin_unlock(&br->multicast_lock); 1298 spin_unlock(&br->multicast_lock);
947} 1299}
948 1300
1301static void br_ip4_multicast_leave_group(struct net_bridge *br,
1302 struct net_bridge_port *port,
1303 __be32 group)
1304{
1305 struct br_ip br_group;
1306
1307 if (ipv4_is_local_multicast(group))
1308 return;
1309
1310 br_group.u.ip4 = group;
1311 br_group.proto = htons(ETH_P_IP);
1312
1313 br_multicast_leave_group(br, port, &br_group);
1314}
1315
1316#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1317static void br_ip6_multicast_leave_group(struct net_bridge *br,
1318 struct net_bridge_port *port,
1319 const struct in6_addr *group)
1320{
1321 struct br_ip br_group;
1322
1323 if (ipv6_is_local_multicast(group))
1324 return;
1325
1326 ipv6_addr_copy(&br_group.u.ip6, group);
1327 br_group.proto = htons(ETH_P_IPV6);
1328
1329 br_multicast_leave_group(br, port, &br_group);
1330}
1331#endif
1332
949static int br_multicast_ipv4_rcv(struct net_bridge *br, 1333static int br_multicast_ipv4_rcv(struct net_bridge *br,
950 struct net_bridge_port *port, 1334 struct net_bridge_port *port,
951 struct sk_buff *skb) 1335 struct sk_buff *skb)
@@ -1000,8 +1384,6 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
1000 if (!pskb_may_pull(skb2, sizeof(*ih))) 1384 if (!pskb_may_pull(skb2, sizeof(*ih)))
1001 goto out; 1385 goto out;
1002 1386
1003 iph = ip_hdr(skb2);
1004
1005 switch (skb2->ip_summed) { 1387 switch (skb2->ip_summed) {
1006 case CHECKSUM_COMPLETE: 1388 case CHECKSUM_COMPLETE:
1007 if (!csum_fold(skb2->csum)) 1389 if (!csum_fold(skb2->csum))
@@ -1022,16 +1404,16 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
1022 case IGMP_HOST_MEMBERSHIP_REPORT: 1404 case IGMP_HOST_MEMBERSHIP_REPORT:
1023 case IGMPV2_HOST_MEMBERSHIP_REPORT: 1405 case IGMPV2_HOST_MEMBERSHIP_REPORT:
1024 BR_INPUT_SKB_CB(skb2)->mrouters_only = 1; 1406 BR_INPUT_SKB_CB(skb2)->mrouters_only = 1;
1025 err = br_multicast_add_group(br, port, ih->group); 1407 err = br_ip4_multicast_add_group(br, port, ih->group);
1026 break; 1408 break;
1027 case IGMPV3_HOST_MEMBERSHIP_REPORT: 1409 case IGMPV3_HOST_MEMBERSHIP_REPORT:
1028 err = br_multicast_igmp3_report(br, port, skb2); 1410 err = br_ip4_multicast_igmp3_report(br, port, skb2);
1029 break; 1411 break;
1030 case IGMP_HOST_MEMBERSHIP_QUERY: 1412 case IGMP_HOST_MEMBERSHIP_QUERY:
1031 err = br_multicast_query(br, port, skb2); 1413 err = br_ip4_multicast_query(br, port, skb2);
1032 break; 1414 break;
1033 case IGMP_HOST_LEAVE_MESSAGE: 1415 case IGMP_HOST_LEAVE_MESSAGE:
1034 br_multicast_leave_group(br, port, ih->group); 1416 br_ip4_multicast_leave_group(br, port, ih->group);
1035 break; 1417 break;
1036 } 1418 }
1037 1419
@@ -1043,6 +1425,123 @@ err_out:
1043 return err; 1425 return err;
1044} 1426}
1045 1427
1428#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1429static int br_multicast_ipv6_rcv(struct net_bridge *br,
1430 struct net_bridge_port *port,
1431 struct sk_buff *skb)
1432{
1433 struct sk_buff *skb2 = skb;
1434 struct ipv6hdr *ip6h;
1435 struct icmp6hdr *icmp6h;
1436 u8 nexthdr;
1437 unsigned len;
1438 unsigned offset;
1439 int err;
1440
1441 if (!pskb_may_pull(skb, sizeof(*ip6h)))
1442 return -EINVAL;
1443
1444 ip6h = ipv6_hdr(skb);
1445
1446 /*
1447 * We're interested in MLD messages only.
1448 * - Version is 6
1449 * - MLD has always Router Alert hop-by-hop option
1450 * - But we do not support jumbrograms.
1451 */
1452 if (ip6h->version != 6 ||
1453 ip6h->nexthdr != IPPROTO_HOPOPTS ||
1454 ip6h->payload_len == 0)
1455 return 0;
1456
1457 len = ntohs(ip6h->payload_len);
1458 if (skb->len < len)
1459 return -EINVAL;
1460
1461 nexthdr = ip6h->nexthdr;
1462 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
1463
1464 if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
1465 return 0;
1466
1467 /* Okay, we found ICMPv6 header */
1468 skb2 = skb_clone(skb, GFP_ATOMIC);
1469 if (!skb2)
1470 return -ENOMEM;
1471
1472 len -= offset - skb_network_offset(skb2);
1473
1474 __skb_pull(skb2, offset);
1475 skb_reset_transport_header(skb2);
1476
1477 err = -EINVAL;
1478 if (!pskb_may_pull(skb2, sizeof(*icmp6h)))
1479 goto out;
1480
1481 icmp6h = icmp6_hdr(skb2);
1482
1483 switch (icmp6h->icmp6_type) {
1484 case ICMPV6_MGM_QUERY:
1485 case ICMPV6_MGM_REPORT:
1486 case ICMPV6_MGM_REDUCTION:
1487 case ICMPV6_MLD2_REPORT:
1488 break;
1489 default:
1490 err = 0;
1491 goto out;
1492 }
1493
1494 /* Okay, we found MLD message. Check further. */
1495 if (skb2->len > len) {
1496 err = pskb_trim_rcsum(skb2, len);
1497 if (err)
1498 goto out;
1499 }
1500
1501 switch (skb2->ip_summed) {
1502 case CHECKSUM_COMPLETE:
1503 if (!csum_fold(skb2->csum))
1504 break;
1505 /*FALLTHROUGH*/
1506 case CHECKSUM_NONE:
1507 skb2->csum = 0;
1508 if (skb_checksum_complete(skb2))
1509 goto out;
1510 }
1511
1512 err = 0;
1513
1514 BR_INPUT_SKB_CB(skb)->igmp = 1;
1515
1516 switch (icmp6h->icmp6_type) {
1517 case ICMPV6_MGM_REPORT:
1518 {
1519 struct mld_msg *mld = (struct mld_msg *)icmp6h;
1520 BR_INPUT_SKB_CB(skb2)->mrouters_only = 1;
1521 err = br_ip6_multicast_add_group(br, port, &mld->mld_mca);
1522 break;
1523 }
1524 case ICMPV6_MLD2_REPORT:
1525 err = br_ip6_multicast_mld2_report(br, port, skb2);
1526 break;
1527 case ICMPV6_MGM_QUERY:
1528 err = br_ip6_multicast_query(br, port, skb2);
1529 break;
1530 case ICMPV6_MGM_REDUCTION:
1531 {
1532 struct mld_msg *mld = (struct mld_msg *)icmp6h;
1533 br_ip6_multicast_leave_group(br, port, &mld->mld_mca);
1534 }
1535 }
1536
1537out:
1538 __skb_push(skb2, offset);
1539 if (skb2 != skb)
1540 kfree_skb(skb2);
1541 return err;
1542}
1543#endif
1544
1046int br_multicast_rcv(struct net_bridge *br, struct net_bridge_port *port, 1545int br_multicast_rcv(struct net_bridge *br, struct net_bridge_port *port,
1047 struct sk_buff *skb) 1546 struct sk_buff *skb)
1048{ 1547{
@@ -1055,6 +1554,10 @@ int br_multicast_rcv(struct net_bridge *br, struct net_bridge_port *port,
1055 switch (skb->protocol) { 1554 switch (skb->protocol) {
1056 case htons(ETH_P_IP): 1555 case htons(ETH_P_IP):
1057 return br_multicast_ipv4_rcv(br, port, skb); 1556 return br_multicast_ipv4_rcv(br, port, skb);
1557#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1558 case htons(ETH_P_IPV6):
1559 return br_multicast_ipv6_rcv(br, port, skb);
1560#endif
1058 } 1561 }
1059 1562
1060 return 0; 1563 return 0;
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 4c4977d12fd6..8fb75f89c4aa 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -3,15 +3,8 @@
3 * Linux ethernet bridge 3 * Linux ethernet bridge
4 * 4 *
5 * Authors: 5 * Authors:
6 * Lennert Buytenhek <buytenh@gnu.org> 6 * Lennert Buytenhek <buytenh@gnu.org>
7 * Bart De Schuymer (maintainer) <bdschuym@pandora.be> 7 * Bart De Schuymer <bdschuym@pandora.be>
8 *
9 * Changes:
10 * Apr 29 2003: physdev module support (bdschuym)
11 * Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
12 * Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
13 * (bdschuym)
14 * Sep 01 2004: add IPv6 filtering (bdschuym)
15 * 8 *
16 * This program is free software; you can redistribute it and/or 9 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License 10 * modify it under the terms of the GNU General Public License
@@ -204,15 +197,24 @@ static inline void nf_bridge_save_header(struct sk_buff *skb)
204 skb->nf_bridge->data, header_size); 197 skb->nf_bridge->data, header_size);
205} 198}
206 199
207/* 200static inline void nf_bridge_update_protocol(struct sk_buff *skb)
208 * When forwarding bridge frames, we save a copy of the original 201{
209 * header before processing. 202 if (skb->nf_bridge->mask & BRNF_8021Q)
203 skb->protocol = htons(ETH_P_8021Q);
204 else if (skb->nf_bridge->mask & BRNF_PPPoE)
205 skb->protocol = htons(ETH_P_PPP_SES);
206}
207
208/* Fill in the header for fragmented IP packets handled by
209 * the IPv4 connection tracking code.
210 */ 210 */
211int nf_bridge_copy_header(struct sk_buff *skb) 211int nf_bridge_copy_header(struct sk_buff *skb)
212{ 212{
213 int err; 213 int err;
214 int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb); 214 unsigned int header_size;
215 215
216 nf_bridge_update_protocol(skb);
217 header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
216 err = skb_cow_head(skb, header_size); 218 err = skb_cow_head(skb, header_size);
217 if (err) 219 if (err)
218 return err; 220 return err;
@@ -246,27 +248,48 @@ static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
246 skb_dst_set(skb, &rt->u.dst); 248 skb_dst_set(skb, &rt->u.dst);
247 249
248 skb->dev = nf_bridge->physindev; 250 skb->dev = nf_bridge->physindev;
251 nf_bridge_update_protocol(skb);
249 nf_bridge_push_encap_header(skb); 252 nf_bridge_push_encap_header(skb);
250 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 253 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
251 br_handle_frame_finish, 1); 254 br_handle_frame_finish, 1);
252 255
253 return 0; 256 return 0;
254} 257}
255 258
256static void __br_dnat_complain(void) 259/* Obtain the correct destination MAC address, while preserving the original
260 * source MAC address. If we already know this address, we just copy it. If we
261 * don't, we use the neighbour framework to find out. In both cases, we make
262 * sure that br_handle_frame_finish() is called afterwards.
263 */
264static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
257{ 265{
258 static unsigned long last_complaint; 266 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
267 struct dst_entry *dst;
259 268
260 if (jiffies - last_complaint >= 5 * HZ) { 269 skb->dev = bridge_parent(skb->dev);
261 printk(KERN_WARNING "Performing cross-bridge DNAT requires IP " 270 if (!skb->dev)
262 "forwarding to be enabled\n"); 271 goto free_skb;
263 last_complaint = jiffies; 272 dst = skb_dst(skb);
273 if (dst->hh) {
274 neigh_hh_bridge(dst->hh, skb);
275 skb->dev = nf_bridge->physindev;
276 return br_handle_frame_finish(skb);
277 } else if (dst->neighbour) {
278 /* the neighbour function below overwrites the complete
279 * MAC header, so we save the Ethernet source address and
280 * protocol number. */
281 skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
282 /* tell br_dev_xmit to continue with forwarding */
283 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
284 return dst->neighbour->output(skb);
264 } 285 }
286free_skb:
287 kfree_skb(skb);
288 return 0;
265} 289}
266 290
267/* This requires some explaining. If DNAT has taken place, 291/* This requires some explaining. If DNAT has taken place,
268 * we will need to fix up the destination Ethernet address, 292 * we will need to fix up the destination Ethernet address.
269 * and this is a tricky process.
270 * 293 *
271 * There are two cases to consider: 294 * There are two cases to consider:
272 * 1. The packet was DNAT'ed to a device in the same bridge 295 * 1. The packet was DNAT'ed to a device in the same bridge
@@ -280,62 +303,29 @@ static void __br_dnat_complain(void)
280 * call ip_route_input() and to look at skb->dst->dev, which is 303 * call ip_route_input() and to look at skb->dst->dev, which is
281 * changed to the destination device if ip_route_input() succeeds. 304 * changed to the destination device if ip_route_input() succeeds.
282 * 305 *
283 * Let us first consider the case that ip_route_input() succeeds: 306 * Let's first consider the case that ip_route_input() succeeds:
284 *
285 * If skb->dst->dev equals the logical bridge device the packet
286 * came in on, we can consider this bridging. The packet is passed
287 * through the neighbour output function to build a new destination
288 * MAC address, which will make the packet enter br_nf_local_out()
289 * not much later. In that function it is assured that the iptables
290 * FORWARD chain is traversed for the packet.
291 * 307 *
308 * If the output device equals the logical bridge device the packet
309 * came in on, we can consider this bridging. The corresponding MAC
310 * address will be obtained in br_nf_pre_routing_finish_bridge.
292 * Otherwise, the packet is considered to be routed and we just 311 * Otherwise, the packet is considered to be routed and we just
293 * change the destination MAC address so that the packet will 312 * change the destination MAC address so that the packet will
294 * later be passed up to the IP stack to be routed. For a redirected 313 * later be passed up to the IP stack to be routed. For a redirected
295 * packet, ip_route_input() will give back the localhost as output device, 314 * packet, ip_route_input() will give back the localhost as output device,
296 * which differs from the bridge device. 315 * which differs from the bridge device.
297 * 316 *
298 * Let us now consider the case that ip_route_input() fails: 317 * Let's now consider the case that ip_route_input() fails:
299 * 318 *
300 * This can be because the destination address is martian, in which case 319 * This can be because the destination address is martian, in which case
301 * the packet will be dropped. 320 * the packet will be dropped.
302 * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input() 321 * If IP forwarding is disabled, ip_route_input() will fail, while
303 * will fail, while __ip_route_output_key() will return success. The source 322 * ip_route_output_key() can return success. The source
304 * address for __ip_route_output_key() is set to zero, so __ip_route_output_key 323 * address for ip_route_output_key() is set to zero, so ip_route_output_key()
305 * thinks we're handling a locally generated packet and won't care 324 * thinks we're handling a locally generated packet and won't care
306 * if IP forwarding is allowed. We send a warning message to the users's 325 * if IP forwarding is enabled. If the output device equals the logical bridge
307 * log telling her to put IP forwarding on. 326 * device, we proceed as if ip_route_input() succeeded. If it differs from the
308 * 327 * logical bridge port or if ip_route_output_key() fails we drop the packet.
309 * ip_route_input() will also fail if there is no route available. 328 */
310 * In that case we just drop the packet.
311 *
312 * --Lennert, 20020411
313 * --Bart, 20020416 (updated)
314 * --Bart, 20021007 (updated)
315 * --Bart, 20062711 (updated) */
316static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
317{
318 if (skb->pkt_type == PACKET_OTHERHOST) {
319 skb->pkt_type = PACKET_HOST;
320 skb->nf_bridge->mask |= BRNF_PKT_TYPE;
321 }
322 skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
323
324 skb->dev = bridge_parent(skb->dev);
325 if (skb->dev) {
326 struct dst_entry *dst = skb_dst(skb);
327
328 nf_bridge_pull_encap_header(skb);
329
330 if (dst->hh)
331 return neigh_hh_output(dst->hh, skb);
332 else if (dst->neighbour)
333 return dst->neighbour->output(skb);
334 }
335 kfree_skb(skb);
336 return 0;
337}
338
339static int br_nf_pre_routing_finish(struct sk_buff *skb) 329static int br_nf_pre_routing_finish(struct sk_buff *skb)
340{ 330{
341 struct net_device *dev = skb->dev; 331 struct net_device *dev = skb->dev;
@@ -379,11 +369,6 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
379 skb_dst_set(skb, (struct dst_entry *)rt); 369 skb_dst_set(skb, (struct dst_entry *)rt);
380 goto bridged_dnat; 370 goto bridged_dnat;
381 } 371 }
382 /* we are sure that forwarding is disabled, so printing
383 * this message is no problem. Note that the packet could
384 * still have a martian destination address, in which case
385 * the packet could be dropped even if forwarding were enabled */
386 __br_dnat_complain();
387 dst_release((struct dst_entry *)rt); 372 dst_release((struct dst_entry *)rt);
388 } 373 }
389free_skb: 374free_skb:
@@ -392,12 +377,11 @@ free_skb:
392 } else { 377 } else {
393 if (skb_dst(skb)->dev == dev) { 378 if (skb_dst(skb)->dev == dev) {
394bridged_dnat: 379bridged_dnat:
395 /* Tell br_nf_local_out this is a
396 * bridged frame */
397 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
398 skb->dev = nf_bridge->physindev; 380 skb->dev = nf_bridge->physindev;
381 nf_bridge_update_protocol(skb);
399 nf_bridge_push_encap_header(skb); 382 nf_bridge_push_encap_header(skb);
400 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, 383 NF_HOOK_THRESH(NFPROTO_BRIDGE,
384 NF_BR_PRE_ROUTING,
401 skb, skb->dev, NULL, 385 skb, skb->dev, NULL,
402 br_nf_pre_routing_finish_bridge, 386 br_nf_pre_routing_finish_bridge,
403 1); 387 1);
@@ -417,8 +401,9 @@ bridged_dnat:
417 } 401 }
418 402
419 skb->dev = nf_bridge->physindev; 403 skb->dev = nf_bridge->physindev;
404 nf_bridge_update_protocol(skb);
420 nf_bridge_push_encap_header(skb); 405 nf_bridge_push_encap_header(skb);
421 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 406 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
422 br_handle_frame_finish, 1); 407 br_handle_frame_finish, 1);
423 408
424 return 0; 409 return 0;
@@ -437,6 +422,10 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
437 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING; 422 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
438 nf_bridge->physindev = skb->dev; 423 nf_bridge->physindev = skb->dev;
439 skb->dev = bridge_parent(skb->dev); 424 skb->dev = bridge_parent(skb->dev);
425 if (skb->protocol == htons(ETH_P_8021Q))
426 nf_bridge->mask |= BRNF_8021Q;
427 else if (skb->protocol == htons(ETH_P_PPP_SES))
428 nf_bridge->mask |= BRNF_PPPoE;
440 429
441 return skb->dev; 430 return skb->dev;
442} 431}
@@ -535,7 +524,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
535 if (!setup_pre_routing(skb)) 524 if (!setup_pre_routing(skb))
536 return NF_DROP; 525 return NF_DROP;
537 526
538 NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 527 skb->protocol = htons(ETH_P_IPV6);
528 NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
539 br_nf_pre_routing_finish_ipv6); 529 br_nf_pre_routing_finish_ipv6);
540 530
541 return NF_STOLEN; 531 return NF_STOLEN;
@@ -601,14 +591,18 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
601 591
602 pskb_trim_rcsum(skb, len); 592 pskb_trim_rcsum(skb, len);
603 593
594 /* BUG: Should really parse the IP options here. */
595 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
596
604 nf_bridge_put(skb->nf_bridge); 597 nf_bridge_put(skb->nf_bridge);
605 if (!nf_bridge_alloc(skb)) 598 if (!nf_bridge_alloc(skb))
606 return NF_DROP; 599 return NF_DROP;
607 if (!setup_pre_routing(skb)) 600 if (!setup_pre_routing(skb))
608 return NF_DROP; 601 return NF_DROP;
609 store_orig_dstaddr(skb); 602 store_orig_dstaddr(skb);
603 skb->protocol = htons(ETH_P_IP);
610 604
611 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 605 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
612 br_nf_pre_routing_finish); 606 br_nf_pre_routing_finish);
613 607
614 return NF_STOLEN; 608 return NF_STOLEN;
@@ -652,11 +646,13 @@ static int br_nf_forward_finish(struct sk_buff *skb)
652 skb->pkt_type = PACKET_OTHERHOST; 646 skb->pkt_type = PACKET_OTHERHOST;
653 nf_bridge->mask ^= BRNF_PKT_TYPE; 647 nf_bridge->mask ^= BRNF_PKT_TYPE;
654 } 648 }
649 nf_bridge_update_protocol(skb);
655 } else { 650 } else {
656 in = *((struct net_device **)(skb->cb)); 651 in = *((struct net_device **)(skb->cb));
657 } 652 }
658 nf_bridge_push_encap_header(skb); 653 nf_bridge_push_encap_header(skb);
659 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in, 654
655 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
660 skb->dev, br_forward_finish, 1); 656 skb->dev, br_forward_finish, 1);
661 return 0; 657 return 0;
662} 658}
@@ -707,6 +703,10 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
707 /* The physdev module checks on this */ 703 /* The physdev module checks on this */
708 nf_bridge->mask |= BRNF_BRIDGED; 704 nf_bridge->mask |= BRNF_BRIDGED;
709 nf_bridge->physoutdev = skb->dev; 705 nf_bridge->physoutdev = skb->dev;
706 if (pf == PF_INET)
707 skb->protocol = htons(ETH_P_IP);
708 else
709 skb->protocol = htons(ETH_P_IPV6);
710 710
711 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent, 711 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
712 br_nf_forward_finish); 712 br_nf_forward_finish);
@@ -744,60 +744,11 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
744 return NF_STOLEN; 744 return NF_STOLEN;
745} 745}
746 746
747/* PF_BRIDGE/LOCAL_OUT ***********************************************
748 *
749 * This function sees both locally originated IP packets and forwarded
750 * IP packets (in both cases the destination device is a bridge
751 * device). It also sees bridged-and-DNAT'ed packets.
752 *
753 * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
754 * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
755 * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
756 * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
757 * will be executed.
758 */
759static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
760 const struct net_device *in,
761 const struct net_device *out,
762 int (*okfn)(struct sk_buff *))
763{
764 struct net_device *realindev;
765 struct nf_bridge_info *nf_bridge;
766
767 if (!skb->nf_bridge)
768 return NF_ACCEPT;
769
770 /* Need exclusive nf_bridge_info since we might have multiple
771 * different physoutdevs. */
772 if (!nf_bridge_unshare(skb))
773 return NF_DROP;
774
775 nf_bridge = skb->nf_bridge;
776 if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
777 return NF_ACCEPT;
778
779 /* Bridged, take PF_BRIDGE/FORWARD.
780 * (see big note in front of br_nf_pre_routing_finish) */
781 nf_bridge->physoutdev = skb->dev;
782 realindev = nf_bridge->physindev;
783
784 if (nf_bridge->mask & BRNF_PKT_TYPE) {
785 skb->pkt_type = PACKET_OTHERHOST;
786 nf_bridge->mask ^= BRNF_PKT_TYPE;
787 }
788 nf_bridge_push_encap_header(skb);
789
790 NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
791 br_forward_finish);
792 return NF_STOLEN;
793}
794
795#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE) 747#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
796static int br_nf_dev_queue_xmit(struct sk_buff *skb) 748static int br_nf_dev_queue_xmit(struct sk_buff *skb)
797{ 749{
798 if (skb->nfct != NULL && 750 if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
799 (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) && 751 skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
800 skb->len > skb->dev->mtu &&
801 !skb_is_gso(skb)) 752 !skb_is_gso(skb))
802 return ip_fragment(skb, br_dev_queue_push_xmit); 753 return ip_fragment(skb, br_dev_queue_push_xmit);
803 else 754 else
@@ -820,21 +771,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
820 struct net_device *realoutdev = bridge_parent(skb->dev); 771 struct net_device *realoutdev = bridge_parent(skb->dev);
821 u_int8_t pf; 772 u_int8_t pf;
822 773
823#ifdef CONFIG_NETFILTER_DEBUG 774 if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
824 /* Be very paranoid. This probably won't happen anymore, but let's
825 * keep the check just to be sure... */
826 if (skb_mac_header(skb) < skb->head ||
827 skb_mac_header(skb) + ETH_HLEN > skb->data) {
828 printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
829 "bad mac.raw pointer.\n");
830 goto print_error;
831 }
832#endif
833
834 if (!nf_bridge)
835 return NF_ACCEPT;
836
837 if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
838 return NF_ACCEPT; 775 return NF_ACCEPT;
839 776
840 if (!realoutdev) 777 if (!realoutdev)
@@ -849,13 +786,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
849 else 786 else
850 return NF_ACCEPT; 787 return NF_ACCEPT;
851 788
852#ifdef CONFIG_NETFILTER_DEBUG
853 if (skb_dst(skb) == NULL) {
854 printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
855 goto print_error;
856 }
857#endif
858
859 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care 789 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
860 * about the value of skb->pkt_type. */ 790 * about the value of skb->pkt_type. */
861 if (skb->pkt_type == PACKET_OTHERHOST) { 791 if (skb->pkt_type == PACKET_OTHERHOST) {
@@ -865,24 +795,15 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
865 795
866 nf_bridge_pull_encap_header(skb); 796 nf_bridge_pull_encap_header(skb);
867 nf_bridge_save_header(skb); 797 nf_bridge_save_header(skb);
798 if (pf == PF_INET)
799 skb->protocol = htons(ETH_P_IP);
800 else
801 skb->protocol = htons(ETH_P_IPV6);
868 802
869 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev, 803 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
870 br_nf_dev_queue_xmit); 804 br_nf_dev_queue_xmit);
871 805
872 return NF_STOLEN; 806 return NF_STOLEN;
873
874#ifdef CONFIG_NETFILTER_DEBUG
875print_error:
876 if (skb->dev != NULL) {
877 printk("[%s]", skb->dev->name);
878 if (realoutdev)
879 printk("[%s]", realoutdev->name);
880 }
881 printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
882 skb->data);
883 dump_stack();
884 return NF_ACCEPT;
885#endif
886} 807}
887 808
888/* IP/SABOTAGE *****************************************************/ 809/* IP/SABOTAGE *****************************************************/
@@ -901,10 +822,8 @@ static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
901 return NF_ACCEPT; 822 return NF_ACCEPT;
902} 823}
903 824
904/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent 825/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
905 * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input. 826 * br_dev_queue_push_xmit is called afterwards */
906 * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
907 * ip_refrag() can return NF_STOLEN. */
908static struct nf_hook_ops br_nf_ops[] __read_mostly = { 827static struct nf_hook_ops br_nf_ops[] __read_mostly = {
909 { 828 {
910 .hook = br_nf_pre_routing, 829 .hook = br_nf_pre_routing,
@@ -935,13 +854,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
935 .priority = NF_BR_PRI_BRNF, 854 .priority = NF_BR_PRI_BRNF,
936 }, 855 },
937 { 856 {
938 .hook = br_nf_local_out,
939 .owner = THIS_MODULE,
940 .pf = PF_BRIDGE,
941 .hooknum = NF_BR_LOCAL_OUT,
942 .priority = NF_BR_PRI_FIRST,
943 },
944 {
945 .hook = br_nf_post_routing, 857 .hook = br_nf_post_routing,
946 .owner = THIS_MODULE, 858 .owner = THIS_MODULE,
947 .pf = PF_BRIDGE, 859 .pf = PF_BRIDGE,
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index aa56ac2c8829..fe0a79018ab2 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -42,8 +42,8 @@ static int br_fill_ifinfo(struct sk_buff *skb, const struct net_bridge_port *por
42 struct nlmsghdr *nlh; 42 struct nlmsghdr *nlh;
43 u8 operstate = netif_running(dev) ? dev->operstate : IF_OPER_DOWN; 43 u8 operstate = netif_running(dev) ? dev->operstate : IF_OPER_DOWN;
44 44
45 pr_debug("br_fill_info event %d port %s master %s\n", 45 br_debug(br, "br_fill_info event %d port %s master %s\n",
46 event, dev->name, br->dev->name); 46 event, dev->name, br->dev->name);
47 47
48 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*hdr), flags); 48 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*hdr), flags);
49 if (nlh == NULL) 49 if (nlh == NULL)
@@ -87,7 +87,9 @@ void br_ifinfo_notify(int event, struct net_bridge_port *port)
87 struct sk_buff *skb; 87 struct sk_buff *skb;
88 int err = -ENOBUFS; 88 int err = -ENOBUFS;
89 89
90 pr_debug("bridge notify event=%d\n", event); 90 br_debug(port->br, "port %u(%s) event %d\n",
91 (unsigned)port->port_no, port->dev->name, event);
92
91 skb = nlmsg_new(br_nlmsg_size(), GFP_ATOMIC); 93 skb = nlmsg_new(br_nlmsg_size(), GFP_ATOMIC);
92 if (skb == NULL) 94 if (skb == NULL)
93 goto errout; 95 goto errout;
diff --git a/net/bridge/br_notify.c b/net/bridge/br_notify.c
index 763a3ec292e5..717e1fd6133c 100644
--- a/net/bridge/br_notify.c
+++ b/net/bridge/br_notify.c
@@ -34,6 +34,7 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
34 struct net_device *dev = ptr; 34 struct net_device *dev = ptr;
35 struct net_bridge_port *p = dev->br_port; 35 struct net_bridge_port *p = dev->br_port;
36 struct net_bridge *br; 36 struct net_bridge *br;
37 int err;
37 38
38 /* not a port of a bridge */ 39 /* not a port of a bridge */
39 if (p == NULL) 40 if (p == NULL)
@@ -82,6 +83,16 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
82 case NETDEV_UNREGISTER: 83 case NETDEV_UNREGISTER:
83 br_del_if(br, dev); 84 br_del_if(br, dev);
84 break; 85 break;
86
87 case NETDEV_CHANGENAME:
88 err = br_sysfs_renameif(p);
89 if (err)
90 return notifier_from_errno(err);
91 break;
92
93 case NETDEV_PRE_TYPE_CHANGE:
94 /* Forbid underlaying device to change its type. */
95 return NOTIFY_BAD;
85 } 96 }
86 97
87 /* Events that may cause spanning tree to refresh */ 98 /* Events that may cause spanning tree to refresh */
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 846d7d1e2075..0f4a74bc6a9b 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -45,6 +45,17 @@ struct mac_addr
45 unsigned char addr[6]; 45 unsigned char addr[6];
46}; 46};
47 47
48struct br_ip
49{
50 union {
51 __be32 ip4;
52#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
53 struct in6_addr ip6;
54#endif
55 } u;
56 __be16 proto;
57};
58
48struct net_bridge_fdb_entry 59struct net_bridge_fdb_entry
49{ 60{
50 struct hlist_node hlist; 61 struct hlist_node hlist;
@@ -64,7 +75,7 @@ struct net_bridge_port_group {
64 struct rcu_head rcu; 75 struct rcu_head rcu;
65 struct timer_list timer; 76 struct timer_list timer;
66 struct timer_list query_timer; 77 struct timer_list query_timer;
67 __be32 addr; 78 struct br_ip addr;
68 u32 queries_sent; 79 u32 queries_sent;
69}; 80};
70 81
@@ -77,7 +88,7 @@ struct net_bridge_mdb_entry
77 struct rcu_head rcu; 88 struct rcu_head rcu;
78 struct timer_list timer; 89 struct timer_list timer;
79 struct timer_list query_timer; 90 struct timer_list query_timer;
80 __be32 addr; 91 struct br_ip addr;
81 u32 queries_sent; 92 u32 queries_sent;
82}; 93};
83 94
@@ -128,6 +139,17 @@ struct net_bridge_port
128 struct hlist_head mglist; 139 struct hlist_head mglist;
129 struct hlist_node rlist; 140 struct hlist_node rlist;
130#endif 141#endif
142
143#ifdef CONFIG_SYSFS
144 char sysfs_name[IFNAMSIZ];
145#endif
146};
147
148struct br_cpu_netstats {
149 unsigned long rx_packets;
150 unsigned long rx_bytes;
151 unsigned long tx_packets;
152 unsigned long tx_bytes;
131}; 153};
132 154
133struct net_bridge 155struct net_bridge
@@ -135,6 +157,8 @@ struct net_bridge
135 spinlock_t lock; 157 spinlock_t lock;
136 struct list_head port_list; 158 struct list_head port_list;
137 struct net_device *dev; 159 struct net_device *dev;
160
161 struct br_cpu_netstats __percpu *stats;
138 spinlock_t hash_lock; 162 spinlock_t hash_lock;
139 struct hlist_head hash[BR_HASH_SIZE]; 163 struct hlist_head hash[BR_HASH_SIZE];
140 unsigned long feature_mask; 164 unsigned long feature_mask;
@@ -220,6 +244,21 @@ struct br_input_skb_cb {
220# define BR_INPUT_SKB_CB_MROUTERS_ONLY(__skb) (0) 244# define BR_INPUT_SKB_CB_MROUTERS_ONLY(__skb) (0)
221#endif 245#endif
222 246
247#define br_printk(level, br, format, args...) \
248 printk(level "%s: " format, (br)->dev->name, ##args)
249
250#define br_err(__br, format, args...) \
251 br_printk(KERN_ERR, __br, format, ##args)
252#define br_warn(__br, format, args...) \
253 br_printk(KERN_WARNING, __br, format, ##args)
254#define br_notice(__br, format, args...) \
255 br_printk(KERN_NOTICE, __br, format, ##args)
256#define br_info(__br, format, args...) \
257 br_printk(KERN_INFO, __br, format, ##args)
258
259#define br_debug(br, format, args...) \
260 pr_debug("%s: " format, (br)->dev->name, ##args)
261
223extern struct notifier_block br_device_notifier; 262extern struct notifier_block br_device_notifier;
224extern const u8 br_group_address[ETH_ALEN]; 263extern const u8 br_group_address[ETH_ALEN];
225 264
@@ -233,6 +272,18 @@ static inline int br_is_root_bridge(const struct net_bridge *br)
233extern void br_dev_setup(struct net_device *dev); 272extern void br_dev_setup(struct net_device *dev);
234extern netdev_tx_t br_dev_xmit(struct sk_buff *skb, 273extern netdev_tx_t br_dev_xmit(struct sk_buff *skb,
235 struct net_device *dev); 274 struct net_device *dev);
275#ifdef CONFIG_NET_POLL_CONTROLLER
276extern void br_netpoll_cleanup(struct net_device *dev);
277extern void br_netpoll_enable(struct net_bridge *br,
278 struct net_device *dev);
279extern void br_netpoll_disable(struct net_bridge *br,
280 struct net_device *dev);
281#else
282#define br_netpoll_cleanup(br)
283#define br_netpoll_enable(br, dev)
284#define br_netpoll_disable(br, dev)
285
286#endif
236 287
237/* br_fdb.c */ 288/* br_fdb.c */
238extern int br_fdb_init(void); 289extern int br_fdb_init(void);
@@ -433,6 +484,7 @@ extern void br_ifinfo_notify(int event, struct net_bridge_port *port);
433/* br_sysfs_if.c */ 484/* br_sysfs_if.c */
434extern const struct sysfs_ops brport_sysfs_ops; 485extern const struct sysfs_ops brport_sysfs_ops;
435extern int br_sysfs_addif(struct net_bridge_port *p); 486extern int br_sysfs_addif(struct net_bridge_port *p);
487extern int br_sysfs_renameif(struct net_bridge_port *p);
436 488
437/* br_sysfs_br.c */ 489/* br_sysfs_br.c */
438extern int br_sysfs_addbr(struct net_device *dev); 490extern int br_sysfs_addbr(struct net_device *dev);
@@ -441,6 +493,7 @@ extern void br_sysfs_delbr(struct net_device *dev);
441#else 493#else
442 494
443#define br_sysfs_addif(p) (0) 495#define br_sysfs_addif(p) (0)
496#define br_sysfs_renameif(p) (0)
444#define br_sysfs_addbr(dev) (0) 497#define br_sysfs_addbr(dev) (0)
445#define br_sysfs_delbr(dev) do { } while(0) 498#define br_sysfs_delbr(dev) do { } while(0)
446#endif /* CONFIG_SYSFS */ 499#endif /* CONFIG_SYSFS */
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index edcf14b560f6..57186d84d2bd 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -31,10 +31,9 @@ static const char *const br_port_state_names[] = {
31 31
32void br_log_state(const struct net_bridge_port *p) 32void br_log_state(const struct net_bridge_port *p)
33{ 33{
34 pr_info("%s: port %d(%s) entering %s state\n", 34 br_info(p->br, "port %u(%s) entering %s state\n",
35 p->br->dev->name, p->port_no, p->dev->name, 35 (unsigned) p->port_no, p->dev->name,
36 br_port_state_names[p->state]); 36 br_port_state_names[p->state]);
37
38} 37}
39 38
40/* called under bridge lock */ 39/* called under bridge lock */
@@ -300,7 +299,7 @@ void br_topology_change_detection(struct net_bridge *br)
300 if (br->stp_enabled != BR_KERNEL_STP) 299 if (br->stp_enabled != BR_KERNEL_STP)
301 return; 300 return;
302 301
303 pr_info("%s: topology change detected, %s\n", br->dev->name, 302 br_info(br, "topology change detected, %s\n",
304 isroot ? "propagating" : "sending tcn bpdu"); 303 isroot ? "propagating" : "sending tcn bpdu");
305 304
306 if (isroot) { 305 if (isroot) {
@@ -469,8 +468,8 @@ void br_received_config_bpdu(struct net_bridge_port *p, struct br_config_bpdu *b
469void br_received_tcn_bpdu(struct net_bridge_port *p) 468void br_received_tcn_bpdu(struct net_bridge_port *p)
470{ 469{
471 if (br_is_designated_port(p)) { 470 if (br_is_designated_port(p)) {
472 pr_info("%s: received tcn bpdu on port %i(%s)\n", 471 br_info(p->br, "port %u(%s) received tcn bpdu\n",
473 p->br->dev->name, p->port_no, p->dev->name); 472 (unsigned) p->port_no, p->dev->name);
474 473
475 br_topology_change_detection(p->br); 474 br_topology_change_detection(p->br);
476 br_topology_change_acknowledge(p); 475 br_topology_change_acknowledge(p);
diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index d66cce11f3bf..217bd225a42f 100644
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -50,7 +50,7 @@ static void br_send_bpdu(struct net_bridge_port *p,
50 50
51 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr); 51 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr);
52 52
53 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 53 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
54 dev_queue_xmit); 54 dev_queue_xmit);
55} 55}
56 56
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index d527119e9f54..1d8826914cbf 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -85,17 +85,16 @@ void br_stp_enable_port(struct net_bridge_port *p)
85{ 85{
86 br_init_port(p); 86 br_init_port(p);
87 br_port_state_selection(p->br); 87 br_port_state_selection(p->br);
88 br_log_state(p);
88} 89}
89 90
90/* called under bridge lock */ 91/* called under bridge lock */
91void br_stp_disable_port(struct net_bridge_port *p) 92void br_stp_disable_port(struct net_bridge_port *p)
92{ 93{
93 struct net_bridge *br; 94 struct net_bridge *br = p->br;
94 int wasroot; 95 int wasroot;
95 96
96 br = p->br; 97 br_log_state(p);
97 printk(KERN_INFO "%s: port %i(%s) entering %s state\n",
98 br->dev->name, p->port_no, p->dev->name, "disabled");
99 98
100 wasroot = br_is_root_bridge(br); 99 wasroot = br_is_root_bridge(br);
101 br_become_designated_port(p); 100 br_become_designated_port(p);
@@ -127,11 +126,10 @@ static void br_stp_start(struct net_bridge *br)
127 r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); 126 r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
128 if (r == 0) { 127 if (r == 0) {
129 br->stp_enabled = BR_USER_STP; 128 br->stp_enabled = BR_USER_STP;
130 printk(KERN_INFO "%s: userspace STP started\n", br->dev->name); 129 br_debug(br, "userspace STP started\n");
131 } else { 130 } else {
132 br->stp_enabled = BR_KERNEL_STP; 131 br->stp_enabled = BR_KERNEL_STP;
133 printk(KERN_INFO "%s: starting userspace STP failed, " 132 br_debug(br, "using kernel STP\n");
134 "starting kernel STP\n", br->dev->name);
135 133
136 /* To start timers on any ports left in blocking */ 134 /* To start timers on any ports left in blocking */
137 spin_lock_bh(&br->lock); 135 spin_lock_bh(&br->lock);
@@ -148,9 +146,7 @@ static void br_stp_stop(struct net_bridge *br)
148 146
149 if (br->stp_enabled == BR_USER_STP) { 147 if (br->stp_enabled == BR_USER_STP) {
150 r = call_usermodehelper(BR_STP_PROG, argv, envp, 1); 148 r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
151 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n", 149 br_info(br, "userspace STP stopped, return code %d\n", r);
152 br->dev->name, r);
153
154 150
155 /* To start timers on any ports left in blocking */ 151 /* To start timers on any ports left in blocking */
156 spin_lock_bh(&br->lock); 152 spin_lock_bh(&br->lock);
diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c
index 772a140bfdf0..7b22456023c5 100644
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -35,7 +35,7 @@ static void br_hello_timer_expired(unsigned long arg)
35{ 35{
36 struct net_bridge *br = (struct net_bridge *)arg; 36 struct net_bridge *br = (struct net_bridge *)arg;
37 37
38 pr_debug("%s: hello timer expired\n", br->dev->name); 38 br_debug(br, "hello timer expired\n");
39 spin_lock(&br->lock); 39 spin_lock(&br->lock);
40 if (br->dev->flags & IFF_UP) { 40 if (br->dev->flags & IFF_UP) {
41 br_config_bpdu_generation(br); 41 br_config_bpdu_generation(br);
@@ -55,13 +55,9 @@ static void br_message_age_timer_expired(unsigned long arg)
55 if (p->state == BR_STATE_DISABLED) 55 if (p->state == BR_STATE_DISABLED)
56 return; 56 return;
57 57
58 58 br_info(br, "port %u(%s) neighbor %.2x%.2x.%pM lost\n",
59 pr_info("%s: neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)\n", 59 (unsigned) p->port_no, p->dev->name,
60 br->dev->name, 60 id->prio[0], id->prio[1], &id->addr);
61 id->prio[0], id->prio[1],
62 id->addr[0], id->addr[1], id->addr[2],
63 id->addr[3], id->addr[4], id->addr[5],
64 p->port_no, p->dev->name);
65 61
66 /* 62 /*
67 * According to the spec, the message age timer cannot be 63 * According to the spec, the message age timer cannot be
@@ -87,8 +83,8 @@ static void br_forward_delay_timer_expired(unsigned long arg)
87 struct net_bridge_port *p = (struct net_bridge_port *) arg; 83 struct net_bridge_port *p = (struct net_bridge_port *) arg;
88 struct net_bridge *br = p->br; 84 struct net_bridge *br = p->br;
89 85
90 pr_debug("%s: %d(%s) forward delay timer\n", 86 br_debug(br, "port %u(%s) forward delay timer\n",
91 br->dev->name, p->port_no, p->dev->name); 87 (unsigned) p->port_no, p->dev->name);
92 spin_lock(&br->lock); 88 spin_lock(&br->lock);
93 if (p->state == BR_STATE_LISTENING) { 89 if (p->state == BR_STATE_LISTENING) {
94 p->state = BR_STATE_LEARNING; 90 p->state = BR_STATE_LEARNING;
@@ -107,7 +103,7 @@ static void br_tcn_timer_expired(unsigned long arg)
107{ 103{
108 struct net_bridge *br = (struct net_bridge *) arg; 104 struct net_bridge *br = (struct net_bridge *) arg;
109 105
110 pr_debug("%s: tcn timer expired\n", br->dev->name); 106 br_debug(br, "tcn timer expired\n");
111 spin_lock(&br->lock); 107 spin_lock(&br->lock);
112 if (br->dev->flags & IFF_UP) { 108 if (br->dev->flags & IFF_UP) {
113 br_transmit_tcn(br); 109 br_transmit_tcn(br);
@@ -121,7 +117,7 @@ static void br_topology_change_timer_expired(unsigned long arg)
121{ 117{
122 struct net_bridge *br = (struct net_bridge *) arg; 118 struct net_bridge *br = (struct net_bridge *) arg;
123 119
124 pr_debug("%s: topo change timer expired\n", br->dev->name); 120 br_debug(br, "topo change timer expired\n");
125 spin_lock(&br->lock); 121 spin_lock(&br->lock);
126 br->topology_change_detected = 0; 122 br->topology_change_detected = 0;
127 br->topology_change = 0; 123 br->topology_change = 0;
@@ -132,8 +128,8 @@ static void br_hold_timer_expired(unsigned long arg)
132{ 128{
133 struct net_bridge_port *p = (struct net_bridge_port *) arg; 129 struct net_bridge_port *p = (struct net_bridge_port *) arg;
134 130
135 pr_debug("%s: %d(%s) hold timer expired\n", 131 br_debug(p->br, "port %u(%s) hold timer expired\n",
136 p->br->dev->name, p->port_no, p->dev->name); 132 (unsigned) p->port_no, p->dev->name);
137 133
138 spin_lock(&p->br->lock); 134 spin_lock(&p->br->lock);
139 if (p->config_pending) 135 if (p->config_pending)
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index dd321e39e621..486b8f3861d2 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -659,7 +659,7 @@ static struct attribute_group bridge_group = {
659 * 659 *
660 * Returns the number of bytes read. 660 * Returns the number of bytes read.
661 */ 661 */
662static ssize_t brforward_read(struct kobject *kobj, 662static ssize_t brforward_read(struct file *filp, struct kobject *kobj,
663 struct bin_attribute *bin_attr, 663 struct bin_attribute *bin_attr,
664 char *buf, loff_t off, size_t count) 664 char *buf, loff_t off, size_t count)
665{ 665{
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index 0b9916489d6b..fd5799c9bc8d 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -246,7 +246,7 @@ const struct sysfs_ops brport_sysfs_ops = {
246/* 246/*
247 * Add sysfs entries to ethernet device added to a bridge. 247 * Add sysfs entries to ethernet device added to a bridge.
248 * Creates a brport subdirectory with bridge attributes. 248 * Creates a brport subdirectory with bridge attributes.
249 * Puts symlink in bridge's brport subdirectory 249 * Puts symlink in bridge's brif subdirectory
250 */ 250 */
251int br_sysfs_addif(struct net_bridge_port *p) 251int br_sysfs_addif(struct net_bridge_port *p)
252{ 252{
@@ -257,15 +257,37 @@ int br_sysfs_addif(struct net_bridge_port *p)
257 err = sysfs_create_link(&p->kobj, &br->dev->dev.kobj, 257 err = sysfs_create_link(&p->kobj, &br->dev->dev.kobj,
258 SYSFS_BRIDGE_PORT_LINK); 258 SYSFS_BRIDGE_PORT_LINK);
259 if (err) 259 if (err)
260 goto out2; 260 return err;
261 261
262 for (a = brport_attrs; *a; ++a) { 262 for (a = brport_attrs; *a; ++a) {
263 err = sysfs_create_file(&p->kobj, &((*a)->attr)); 263 err = sysfs_create_file(&p->kobj, &((*a)->attr));
264 if (err) 264 if (err)
265 goto out2; 265 return err;
266 } 266 }
267 267
268 err = sysfs_create_link(br->ifobj, &p->kobj, p->dev->name); 268 strlcpy(p->sysfs_name, p->dev->name, IFNAMSIZ);
269out2: 269 return sysfs_create_link(br->ifobj, &p->kobj, p->sysfs_name);
270}
271
272/* Rename bridge's brif symlink */
273int br_sysfs_renameif(struct net_bridge_port *p)
274{
275 struct net_bridge *br = p->br;
276 int err;
277
278 /* If a rename fails, the rollback will cause another
279 * rename call with the existing name.
280 */
281 if (!strncmp(p->sysfs_name, p->dev->name, IFNAMSIZ))
282 return 0;
283
284 err = sysfs_rename_link(br->ifobj, &p->kobj,
285 p->sysfs_name, p->dev->name);
286 if (err)
287 netdev_notice(br->dev, "unable to rename link %s to %s",
288 p->sysfs_name, p->dev->name);
289 else
290 strlcpy(p->sysfs_name, p->dev->name, IFNAMSIZ);
291
270 return err; 292 return err;
271} 293}
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 5d1176758ca5..2a449b7ab8fa 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_802_3.h> 13#include <linux/netfilter_bridge/ebt_802_3.h>
14 14
15static bool 15static bool
16ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_802_3_info *info = par->matchinfo; 18 const struct ebt_802_3_info *info = par->matchinfo;
19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb); 19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
@@ -36,14 +36,14 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
36 return true; 36 return true;
37} 37}
38 38
39static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par) 39static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
40{ 40{
41 const struct ebt_802_3_info *info = par->matchinfo; 41 const struct ebt_802_3_info *info = par->matchinfo;
42 42
43 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK) 43 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
44 return false; 44 return -EINVAL;
45 45
46 return true; 46 return 0;
47} 47}
48 48
49static struct xt_match ebt_802_3_mt_reg __read_mostly = { 49static struct xt_match ebt_802_3_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f091f35b..8b84c581be30 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -7,6 +7,7 @@
7 * August, 2003 7 * August, 2003
8 * 8 *
9 */ 9 */
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/ip.h> 11#include <linux/ip.h>
11#include <linux/if_arp.h> 12#include <linux/if_arp.h>
12#include <linux/module.h> 13#include <linux/module.h>
@@ -128,7 +129,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
128} 129}
129 130
130static bool 131static bool
131ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par) 132ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
132{ 133{
133 const struct ebt_among_info *info = par->matchinfo; 134 const struct ebt_among_info *info = par->matchinfo;
134 const char *dmac, *smac; 135 const char *dmac, *smac;
@@ -171,7 +172,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
171 return true; 172 return true;
172} 173}
173 174
174static bool ebt_among_mt_check(const struct xt_mtchk_param *par) 175static int ebt_among_mt_check(const struct xt_mtchk_param *par)
175{ 176{
176 const struct ebt_among_info *info = par->matchinfo; 177 const struct ebt_among_info *info = par->matchinfo;
177 const struct ebt_entry_match *em = 178 const struct ebt_entry_match *em =
@@ -186,24 +187,20 @@ static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
186 expected_length += ebt_mac_wormhash_size(wh_src); 187 expected_length += ebt_mac_wormhash_size(wh_src);
187 188
188 if (em->match_size != EBT_ALIGN(expected_length)) { 189 if (em->match_size != EBT_ALIGN(expected_length)) {
189 printk(KERN_WARNING 190 pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
190 "ebtables: among: wrong size: %d " 191 em->match_size, expected_length,
191 "against expected %d, rounded to %Zd\n", 192 EBT_ALIGN(expected_length));
192 em->match_size, expected_length, 193 return -EINVAL;
193 EBT_ALIGN(expected_length));
194 return false;
195 } 194 }
196 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) { 195 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
197 printk(KERN_WARNING 196 pr_info("dst integrity fail: %x\n", -err);
198 "ebtables: among: dst integrity fail: %x\n", -err); 197 return -EINVAL;
199 return false;
200 } 198 }
201 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) { 199 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
202 printk(KERN_WARNING 200 pr_info("src integrity fail: %x\n", -err);
203 "ebtables: among: src integrity fail: %x\n", -err); 201 return -EINVAL;
204 return false;
205 } 202 }
206 return true; 203 return 0;
207} 204}
208 205
209static struct xt_match ebt_among_mt_reg __read_mostly = { 206static struct xt_match ebt_among_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index e727697c5847..cd457b891b27 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_arp.h> 16#include <linux/netfilter_bridge/ebt_arp.h>
17 17
18static bool 18static bool
19ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 19ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
20{ 20{
21 const struct ebt_arp_info *info = par->matchinfo; 21 const struct ebt_arp_info *info = par->matchinfo;
22 const struct arphdr *ah; 22 const struct arphdr *ah;
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
100 return true; 100 return true;
101} 101}
102 102
103static bool ebt_arp_mt_check(const struct xt_mtchk_param *par) 103static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
104{ 104{
105 const struct ebt_arp_info *info = par->matchinfo; 105 const struct ebt_arp_info *info = par->matchinfo;
106 const struct ebt_entry *e = par->entryinfo; 106 const struct ebt_entry *e = par->entryinfo;
@@ -108,10 +108,10 @@ static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
108 if ((e->ethproto != htons(ETH_P_ARP) && 108 if ((e->ethproto != htons(ETH_P_ARP) &&
109 e->ethproto != htons(ETH_P_RARP)) || 109 e->ethproto != htons(ETH_P_RARP)) ||
110 e->invflags & EBT_IPROTO) 110 e->invflags & EBT_IPROTO)
111 return false; 111 return -EINVAL;
112 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK) 112 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
113 return false; 113 return -EINVAL;
114 return true; 114 return 0;
115} 115}
116 116
117static struct xt_match ebt_arp_mt_reg __read_mostly = { 117static struct xt_match ebt_arp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index f392e9d93f53..070cf134a22f 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_arpreply.h> 16#include <linux/netfilter_bridge/ebt_arpreply.h>
17 17
18static unsigned int 18static unsigned int
19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par) 19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
20{ 20{
21 const struct ebt_arpreply_info *info = par->targinfo; 21 const struct ebt_arpreply_info *info = par->targinfo;
22 const __be32 *siptr, *diptr; 22 const __be32 *siptr, *diptr;
@@ -57,17 +57,17 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
57 return info->target; 57 return info->target;
58} 58}
59 59
60static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par) 60static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
61{ 61{
62 const struct ebt_arpreply_info *info = par->targinfo; 62 const struct ebt_arpreply_info *info = par->targinfo;
63 const struct ebt_entry *e = par->entryinfo; 63 const struct ebt_entry *e = par->entryinfo;
64 64
65 if (BASE_CHAIN && info->target == EBT_RETURN) 65 if (BASE_CHAIN && info->target == EBT_RETURN)
66 return false; 66 return -EINVAL;
67 if (e->ethproto != htons(ETH_P_ARP) || 67 if (e->ethproto != htons(ETH_P_ARP) ||
68 e->invflags & EBT_IPROTO) 68 e->invflags & EBT_IPROTO)
69 return false; 69 return -EINVAL;
70 return true; 70 return 0;
71} 71}
72 72
73static struct xt_target ebt_arpreply_tg_reg __read_mostly = { 73static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 2bb40d728a35..c59f7bfae6e2 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -15,7 +15,7 @@
15#include <linux/netfilter_bridge/ebt_nat.h> 15#include <linux/netfilter_bridge/ebt_nat.h>
16 16
17static unsigned int 17static unsigned int
18ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par) 18ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
19{ 19{
20 const struct ebt_nat_info *info = par->targinfo; 20 const struct ebt_nat_info *info = par->targinfo;
21 21
@@ -26,13 +26,13 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
26 return info->target; 26 return info->target;
27} 27}
28 28
29static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par) 29static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
30{ 30{
31 const struct ebt_nat_info *info = par->targinfo; 31 const struct ebt_nat_info *info = par->targinfo;
32 unsigned int hook_mask; 32 unsigned int hook_mask;
33 33
34 if (BASE_CHAIN && info->target == EBT_RETURN) 34 if (BASE_CHAIN && info->target == EBT_RETURN)
35 return false; 35 return -EINVAL;
36 36
37 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 37 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
38 if ((strcmp(par->table, "nat") != 0 || 38 if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
40 (1 << NF_BR_LOCAL_OUT)))) && 40 (1 << NF_BR_LOCAL_OUT)))) &&
41 (strcmp(par->table, "broute") != 0 || 41 (strcmp(par->table, "broute") != 0 ||
42 hook_mask & ~(1 << NF_BR_BROUTING))) 42 hook_mask & ~(1 << NF_BR_BROUTING)))
43 return false; 43 return -EINVAL;
44 if (INVALID_TARGET) 44 if (INVALID_TARGET)
45 return false; 45 return -EINVAL;
46 return true; 46 return 0;
47} 47}
48 48
49static struct xt_target ebt_dnat_tg_reg __read_mostly = { 49static struct xt_target ebt_dnat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 5de6df6f86b8..23bca62d58d2 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,7 +25,7 @@ struct tcpudphdr {
25}; 25};
26 26
27static bool 27static bool
28ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct ebt_ip_info *info = par->matchinfo; 30 const struct ebt_ip_info *info = par->matchinfo;
31 const struct iphdr *ih; 31 const struct iphdr *ih;
@@ -77,31 +77,31 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77 return true; 77 return true;
78} 78}
79 79
80static bool ebt_ip_mt_check(const struct xt_mtchk_param *par) 80static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
81{ 81{
82 const struct ebt_ip_info *info = par->matchinfo; 82 const struct ebt_ip_info *info = par->matchinfo;
83 const struct ebt_entry *e = par->entryinfo; 83 const struct ebt_entry *e = par->entryinfo;
84 84
85 if (e->ethproto != htons(ETH_P_IP) || 85 if (e->ethproto != htons(ETH_P_IP) ||
86 e->invflags & EBT_IPROTO) 86 e->invflags & EBT_IPROTO)
87 return false; 87 return -EINVAL;
88 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK) 88 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
89 return false; 89 return -EINVAL;
90 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) { 90 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
91 if (info->invflags & EBT_IP_PROTO) 91 if (info->invflags & EBT_IP_PROTO)
92 return false; 92 return -EINVAL;
93 if (info->protocol != IPPROTO_TCP && 93 if (info->protocol != IPPROTO_TCP &&
94 info->protocol != IPPROTO_UDP && 94 info->protocol != IPPROTO_UDP &&
95 info->protocol != IPPROTO_UDPLITE && 95 info->protocol != IPPROTO_UDPLITE &&
96 info->protocol != IPPROTO_SCTP && 96 info->protocol != IPPROTO_SCTP &&
97 info->protocol != IPPROTO_DCCP) 97 info->protocol != IPPROTO_DCCP)
98 return false; 98 return -EINVAL;
99 } 99 }
100 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1]) 100 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
101 return false; 101 return -EINVAL;
102 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1]) 102 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
103 return false; 103 return -EINVAL;
104 return true; 104 return 0;
105} 105}
106 106
107static struct xt_match ebt_ip_mt_reg __read_mostly = { 107static struct xt_match ebt_ip_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index bbf2534ef026..50a46afc2bcc 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -4,7 +4,7 @@
4 * Authors: 4 * Authors:
5 * Manohar Castelino <manohar.r.castelino@intel.com> 5 * Manohar Castelino <manohar.r.castelino@intel.com>
6 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com> 6 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
7 * Jan Engelhardt <jengelh@computergmbh.de> 7 * Jan Engelhardt <jengelh@medozas.de>
8 * 8 *
9 * Summary: 9 * Summary:
10 * This is just a modification of the IPv4 code written by 10 * This is just a modification of the IPv4 code written by
@@ -28,15 +28,13 @@ struct tcpudphdr {
28}; 28};
29 29
30static bool 30static bool
31ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par) 31ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
32{ 32{
33 const struct ebt_ip6_info *info = par->matchinfo; 33 const struct ebt_ip6_info *info = par->matchinfo;
34 const struct ipv6hdr *ih6; 34 const struct ipv6hdr *ih6;
35 struct ipv6hdr _ip6h; 35 struct ipv6hdr _ip6h;
36 const struct tcpudphdr *pptr; 36 const struct tcpudphdr *pptr;
37 struct tcpudphdr _ports; 37 struct tcpudphdr _ports;
38 struct in6_addr tmp_addr;
39 int i;
40 38
41 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); 39 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
42 if (ih6 == NULL) 40 if (ih6 == NULL)
@@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
44 if (info->bitmask & EBT_IP6_TCLASS && 42 if (info->bitmask & EBT_IP6_TCLASS &&
45 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) 43 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
46 return false; 44 return false;
47 for (i = 0; i < 4; i++) 45 if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
48 tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] & 46 &info->saddr), EBT_IP6_SOURCE) ||
49 info->smsk.in6_u.u6_addr32[i]; 47 FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
50 if (info->bitmask & EBT_IP6_SOURCE && 48 &info->daddr), EBT_IP6_DEST))
51 FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
52 EBT_IP6_SOURCE))
53 return false;
54 for (i = 0; i < 4; i++)
55 tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
56 info->dmsk.in6_u.u6_addr32[i];
57 if (info->bitmask & EBT_IP6_DEST &&
58 FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
59 return false; 49 return false;
60 if (info->bitmask & EBT_IP6_PROTO) { 50 if (info->bitmask & EBT_IP6_PROTO) {
61 uint8_t nexthdr = ih6->nexthdr; 51 uint8_t nexthdr = ih6->nexthdr;
@@ -90,30 +80,30 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
90 return true; 80 return true;
91} 81}
92 82
93static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par) 83static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
94{ 84{
95 const struct ebt_entry *e = par->entryinfo; 85 const struct ebt_entry *e = par->entryinfo;
96 struct ebt_ip6_info *info = par->matchinfo; 86 struct ebt_ip6_info *info = par->matchinfo;
97 87
98 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) 88 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
99 return false; 89 return -EINVAL;
100 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) 90 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
101 return false; 91 return -EINVAL;
102 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) { 92 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
103 if (info->invflags & EBT_IP6_PROTO) 93 if (info->invflags & EBT_IP6_PROTO)
104 return false; 94 return -EINVAL;
105 if (info->protocol != IPPROTO_TCP && 95 if (info->protocol != IPPROTO_TCP &&
106 info->protocol != IPPROTO_UDP && 96 info->protocol != IPPROTO_UDP &&
107 info->protocol != IPPROTO_UDPLITE && 97 info->protocol != IPPROTO_UDPLITE &&
108 info->protocol != IPPROTO_SCTP && 98 info->protocol != IPPROTO_SCTP &&
109 info->protocol != IPPROTO_DCCP) 99 info->protocol != IPPROTO_DCCP)
110 return false; 100 return -EINVAL;
111 } 101 }
112 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1]) 102 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
113 return false; 103 return -EINVAL;
114 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1]) 104 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
115 return false; 105 return -EINVAL;
116 return true; 106 return 0;
117} 107}
118 108
119static struct xt_match ebt_ip6_mt_reg __read_mostly = { 109static struct xt_match ebt_ip6_mt_reg __read_mostly = {
@@ -139,4 +129,5 @@ static void __exit ebt_ip6_fini(void)
139module_init(ebt_ip6_init); 129module_init(ebt_ip6_init);
140module_exit(ebt_ip6_fini); 130module_exit(ebt_ip6_fini);
141MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match"); 131MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
132MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>");
142MODULE_LICENSE("GPL"); 133MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7a8182710eb3..517e78befcb2 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -10,6 +10,7 @@
10 * September, 2003 10 * September, 2003
11 * 11 *
12 */ 12 */
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 14#include <linux/module.h>
14#include <linux/netdevice.h> 15#include <linux/netdevice.h>
15#include <linux/spinlock.h> 16#include <linux/spinlock.h>
@@ -31,7 +32,7 @@ static DEFINE_SPINLOCK(limit_lock);
31#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) 32#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
32 33
33static bool 34static bool
34ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 35ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
35{ 36{
36 struct ebt_limit_info *info = (void *)par->matchinfo; 37 struct ebt_limit_info *info = (void *)par->matchinfo;
37 unsigned long now = jiffies; 38 unsigned long now = jiffies;
@@ -64,16 +65,16 @@ user2credits(u_int32_t user)
64 return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE; 65 return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
65} 66}
66 67
67static bool ebt_limit_mt_check(const struct xt_mtchk_param *par) 68static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
68{ 69{
69 struct ebt_limit_info *info = par->matchinfo; 70 struct ebt_limit_info *info = par->matchinfo;
70 71
71 /* Check for overflow. */ 72 /* Check for overflow. */
72 if (info->burst == 0 || 73 if (info->burst == 0 ||
73 user2credits(info->avg * info->burst) < user2credits(info->avg)) { 74 user2credits(info->avg * info->burst) < user2credits(info->avg)) {
74 printk("Overflow in ebt_limit, try lower: %u/%u\n", 75 pr_info("overflow, try lower: %u/%u\n",
75 info->avg, info->burst); 76 info->avg, info->burst);
76 return false; 77 return -EINVAL;
77 } 78 }
78 79
79 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */ 80 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -81,7 +82,7 @@ static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
81 info->credit = user2credits(info->avg * info->burst); 82 info->credit = user2credits(info->avg * info->burst);
82 info->credit_cap = user2credits(info->avg * info->burst); 83 info->credit_cap = user2credits(info->avg * info->burst);
83 info->cost = user2credits(info->avg); 84 info->cost = user2credits(info->avg);
84 return true; 85 return 0;
85} 86}
86 87
87 88
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index e873924ddb5d..6e5a8bb9b940 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,16 +24,16 @@
24 24
25static DEFINE_SPINLOCK(ebt_log_lock); 25static DEFINE_SPINLOCK(ebt_log_lock);
26 26
27static bool ebt_log_tg_check(const struct xt_tgchk_param *par) 27static int ebt_log_tg_check(const struct xt_tgchk_param *par)
28{ 28{
29 struct ebt_log_info *info = par->targinfo; 29 struct ebt_log_info *info = par->targinfo;
30 30
31 if (info->bitmask & ~EBT_LOG_MASK) 31 if (info->bitmask & ~EBT_LOG_MASK)
32 return false; 32 return -EINVAL;
33 if (info->loglevel >= 8) 33 if (info->loglevel >= 8)
34 return false; 34 return -EINVAL;
35 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0'; 35 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
36 return true; 36 return 0;
37} 37}
38 38
39struct tcpudphdr 39struct tcpudphdr
@@ -171,7 +171,7 @@ out:
171} 171}
172 172
173static unsigned int 173static unsigned int
174ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par) 174ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
175{ 175{
176 const struct ebt_log_info *info = par->targinfo; 176 const struct ebt_log_info *info = par->targinfo;
177 struct nf_loginfo li; 177 struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2b5ce533d6b9..66697cbd0a8b 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -19,7 +19,7 @@
19#include <linux/netfilter_bridge/ebt_mark_t.h> 19#include <linux/netfilter_bridge/ebt_mark_t.h>
20 20
21static unsigned int 21static unsigned int
22ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par) 22ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
23{ 23{
24 const struct ebt_mark_t_info *info = par->targinfo; 24 const struct ebt_mark_t_info *info = par->targinfo;
25 int action = info->target & -16; 25 int action = info->target & -16;
@@ -36,21 +36,21 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
36 return info->target | ~EBT_VERDICT_BITS; 36 return info->target | ~EBT_VERDICT_BITS;
37} 37}
38 38
39static bool ebt_mark_tg_check(const struct xt_tgchk_param *par) 39static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
40{ 40{
41 const struct ebt_mark_t_info *info = par->targinfo; 41 const struct ebt_mark_t_info *info = par->targinfo;
42 int tmp; 42 int tmp;
43 43
44 tmp = info->target | ~EBT_VERDICT_BITS; 44 tmp = info->target | ~EBT_VERDICT_BITS;
45 if (BASE_CHAIN && tmp == EBT_RETURN) 45 if (BASE_CHAIN && tmp == EBT_RETURN)
46 return false; 46 return -EINVAL;
47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
48 return false; 48 return -EINVAL;
49 tmp = info->target & ~EBT_VERDICT_BITS; 49 tmp = info->target & ~EBT_VERDICT_BITS;
50 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE && 50 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
51 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE) 51 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
52 return false; 52 return -EINVAL;
53 return true; 53 return 0;
54} 54}
55#ifdef CONFIG_COMPAT 55#ifdef CONFIG_COMPAT
56struct compat_ebt_mark_t_info { 56struct compat_ebt_mark_t_info {
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 8de8c396d913..d98baefc4c7e 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_mark_m.h> 13#include <linux/netfilter_bridge/ebt_mark_m.h>
14 14
15static bool 15static bool
16ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_mark_m_info *info = par->matchinfo; 18 const struct ebt_mark_m_info *info = par->matchinfo;
19 19
@@ -22,17 +22,17 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
22 return ((skb->mark & info->mask) == info->mark) ^ info->invert; 22 return ((skb->mark & info->mask) == info->mark) ^ info->invert;
23} 23}
24 24
25static bool ebt_mark_mt_check(const struct xt_mtchk_param *par) 25static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
26{ 26{
27 const struct ebt_mark_m_info *info = par->matchinfo; 27 const struct ebt_mark_m_info *info = par->matchinfo;
28 28
29 if (info->bitmask & ~EBT_MARK_MASK) 29 if (info->bitmask & ~EBT_MARK_MASK)
30 return false; 30 return -EINVAL;
31 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND)) 31 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
32 return false; 32 return -EINVAL;
33 if (!info->bitmask) 33 if (!info->bitmask)
34 return false; 34 return -EINVAL;
35 return true; 35 return 0;
36} 36}
37 37
38 38
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 40dbd248b9ae..5be68bbcc341 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -20,7 +20,7 @@
20#include <net/netfilter/nf_log.h> 20#include <net/netfilter/nf_log.h>
21 21
22static unsigned int 22static unsigned int
23ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) 23ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
24{ 24{
25 const struct ebt_nflog_info *info = par->targinfo; 25 const struct ebt_nflog_info *info = par->targinfo;
26 struct nf_loginfo li; 26 struct nf_loginfo li;
@@ -35,14 +35,14 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
35 return EBT_CONTINUE; 35 return EBT_CONTINUE;
36} 36}
37 37
38static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par) 38static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
39{ 39{
40 struct ebt_nflog_info *info = par->targinfo; 40 struct ebt_nflog_info *info = par->targinfo;
41 41
42 if (info->flags & ~EBT_NFLOG_MASK) 42 if (info->flags & ~EBT_NFLOG_MASK)
43 return false; 43 return -EINVAL;
44 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0'; 44 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
45 return true; 45 return 0;
46} 46}
47 47
48static struct xt_target ebt_nflog_tg_reg __read_mostly = { 48static struct xt_target ebt_nflog_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index e2a07e6cbef3..496a56515307 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,21 +13,21 @@
13#include <linux/netfilter_bridge/ebt_pkttype.h> 13#include <linux/netfilter_bridge/ebt_pkttype.h>
14 14
15static bool 15static bool
16ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_pkttype_info *info = par->matchinfo; 18 const struct ebt_pkttype_info *info = par->matchinfo;
19 19
20 return (skb->pkt_type == info->pkt_type) ^ info->invert; 20 return (skb->pkt_type == info->pkt_type) ^ info->invert;
21} 21}
22 22
23static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par) 23static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
24{ 24{
25 const struct ebt_pkttype_info *info = par->matchinfo; 25 const struct ebt_pkttype_info *info = par->matchinfo;
26 26
27 if (info->invert != 0 && info->invert != 1) 27 if (info->invert != 0 && info->invert != 1)
28 return false; 28 return -EINVAL;
29 /* Allow any pkt_type value */ 29 /* Allow any pkt_type value */
30 return true; 30 return 0;
31} 31}
32 32
33static struct xt_match ebt_pkttype_mt_reg __read_mostly = { 33static struct xt_match ebt_pkttype_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 9be8fbcd370b..9e19166ba453 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_redirect.h> 16#include <linux/netfilter_bridge/ebt_redirect.h>
17 17
18static unsigned int 18static unsigned int
19ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par) 19ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
20{ 20{
21 const struct ebt_redirect_info *info = par->targinfo; 21 const struct ebt_redirect_info *info = par->targinfo;
22 22
@@ -32,23 +32,23 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
32 return info->target; 32 return info->target;
33} 33}
34 34
35static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par) 35static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
36{ 36{
37 const struct ebt_redirect_info *info = par->targinfo; 37 const struct ebt_redirect_info *info = par->targinfo;
38 unsigned int hook_mask; 38 unsigned int hook_mask;
39 39
40 if (BASE_CHAIN && info->target == EBT_RETURN) 40 if (BASE_CHAIN && info->target == EBT_RETURN)
41 return false; 41 return -EINVAL;
42 42
43 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 43 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
44 if ((strcmp(par->table, "nat") != 0 || 44 if ((strcmp(par->table, "nat") != 0 ||
45 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) && 45 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
46 (strcmp(par->table, "broute") != 0 || 46 (strcmp(par->table, "broute") != 0 ||
47 hook_mask & ~(1 << NF_BR_BROUTING))) 47 hook_mask & ~(1 << NF_BR_BROUTING)))
48 return false; 48 return -EINVAL;
49 if (INVALID_TARGET) 49 if (INVALID_TARGET)
50 return false; 50 return -EINVAL;
51 return true; 51 return 0;
52} 52}
53 53
54static struct xt_target ebt_redirect_tg_reg __read_mostly = { 54static struct xt_target ebt_redirect_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 9c7b520765a2..f8f0bd1a1d51 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -17,7 +17,7 @@
17#include <linux/netfilter_bridge/ebt_nat.h> 17#include <linux/netfilter_bridge/ebt_nat.h>
18 18
19static unsigned int 19static unsigned int
20ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par) 20ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
21{ 21{
22 const struct ebt_nat_info *info = par->targinfo; 22 const struct ebt_nat_info *info = par->targinfo;
23 23
@@ -42,21 +42,21 @@ out:
42 return info->target | ~EBT_VERDICT_BITS; 42 return info->target | ~EBT_VERDICT_BITS;
43} 43}
44 44
45static bool ebt_snat_tg_check(const struct xt_tgchk_param *par) 45static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
46{ 46{
47 const struct ebt_nat_info *info = par->targinfo; 47 const struct ebt_nat_info *info = par->targinfo;
48 int tmp; 48 int tmp;
49 49
50 tmp = info->target | ~EBT_VERDICT_BITS; 50 tmp = info->target | ~EBT_VERDICT_BITS;
51 if (BASE_CHAIN && tmp == EBT_RETURN) 51 if (BASE_CHAIN && tmp == EBT_RETURN)
52 return false; 52 return -EINVAL;
53 53
54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
55 return false; 55 return -EINVAL;
56 tmp = info->target | EBT_VERDICT_BITS; 56 tmp = info->target | EBT_VERDICT_BITS;
57 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT) 57 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
58 return false; 58 return -EINVAL;
59 return true; 59 return 0;
60} 60}
61 61
62static struct xt_target ebt_snat_tg_reg __read_mostly = { 62static struct xt_target ebt_snat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 92a93d363765..5b33a2e634a6 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
120} 120}
121 121
122static bool 122static bool
123ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 123ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
124{ 124{
125 const struct ebt_stp_info *info = par->matchinfo; 125 const struct ebt_stp_info *info = par->matchinfo;
126 const struct stp_header *sp; 126 const struct stp_header *sp;
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
153 return true; 153 return true;
154} 154}
155 155
156static bool ebt_stp_mt_check(const struct xt_mtchk_param *par) 156static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
157{ 157{
158 const struct ebt_stp_info *info = par->matchinfo; 158 const struct ebt_stp_info *info = par->matchinfo;
159 const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00}; 159 const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
@@ -162,13 +162,13 @@ static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
162 162
163 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK || 163 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
164 !(info->bitmask & EBT_STP_MASK)) 164 !(info->bitmask & EBT_STP_MASK))
165 return false; 165 return -EINVAL;
166 /* Make sure the match only receives stp frames */ 166 /* Make sure the match only receives stp frames */
167 if (compare_ether_addr(e->destmac, bridge_ula) || 167 if (compare_ether_addr(e->destmac, bridge_ula) ||
168 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC)) 168 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
169 return false; 169 return -EINVAL;
170 170
171 return true; 171 return 0;
172} 172}
173 173
174static struct xt_match ebt_stp_mt_reg __read_mostly = { 174static struct xt_match ebt_stp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index f9560f3dbdc7..ae3c7cef1484 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -27,7 +27,7 @@
27 * flushed even if it is not full yet. 27 * flushed even if it is not full yet.
28 * 28 *
29 */ 29 */
30 30#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
31#include <linux/module.h> 31#include <linux/module.h>
32#include <linux/slab.h> 32#include <linux/slab.h>
33#include <linux/spinlock.h> 33#include <linux/spinlock.h>
@@ -44,9 +44,6 @@
44#include <net/sock.h> 44#include <net/sock.h>
45#include "../br_private.h" 45#include "../br_private.h"
46 46
47#define PRINTR(format, args...) do { if (net_ratelimit()) \
48 printk(format , ## args); } while (0)
49
50static unsigned int nlbufsiz = NLMSG_GOODSIZE; 47static unsigned int nlbufsiz = NLMSG_GOODSIZE;
51module_param(nlbufsiz, uint, 0600); 48module_param(nlbufsiz, uint, 0600);
52MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " 49MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) "
@@ -107,15 +104,14 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
107 n = max(size, nlbufsiz); 104 n = max(size, nlbufsiz);
108 skb = alloc_skb(n, GFP_ATOMIC); 105 skb = alloc_skb(n, GFP_ATOMIC);
109 if (!skb) { 106 if (!skb) {
110 PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " 107 pr_debug("cannot alloc whole buffer of size %ub!\n", n);
111 "of size %ub!\n", n);
112 if (n > size) { 108 if (n > size) {
113 /* try to allocate only as much as we need for 109 /* try to allocate only as much as we need for
114 * current packet */ 110 * current packet */
115 skb = alloc_skb(size, GFP_ATOMIC); 111 skb = alloc_skb(size, GFP_ATOMIC);
116 if (!skb) 112 if (!skb)
117 PRINTR(KERN_ERR "ebt_ulog: can't even allocate " 113 pr_debug("cannot even allocate "
118 "buffer of size %ub\n", size); 114 "buffer of size %ub\n", size);
119 } 115 }
120 } 116 }
121 117
@@ -142,8 +138,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
142 138
143 size = NLMSG_SPACE(sizeof(*pm) + copy_len); 139 size = NLMSG_SPACE(sizeof(*pm) + copy_len);
144 if (size > nlbufsiz) { 140 if (size > nlbufsiz) {
145 PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n", 141 pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz);
146 size, nlbufsiz);
147 return; 142 return;
148 } 143 }
149 144
@@ -217,8 +212,8 @@ unlock:
217 return; 212 return;
218 213
219nlmsg_failure: 214nlmsg_failure:
220 printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should " 215 pr_debug("error during NLMSG_PUT. This should "
221 "not happen, please report to author.\n"); 216 "not happen, please report to author.\n");
222 goto unlock; 217 goto unlock;
223alloc_failure: 218alloc_failure:
224 goto unlock; 219 goto unlock;
@@ -248,26 +243,26 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
248} 243}
249 244
250static unsigned int 245static unsigned int
251ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) 246ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
252{ 247{
253 ebt_ulog_packet(par->hooknum, skb, par->in, par->out, 248 ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
254 par->targinfo, NULL); 249 par->targinfo, NULL);
255 return EBT_CONTINUE; 250 return EBT_CONTINUE;
256} 251}
257 252
258static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par) 253static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
259{ 254{
260 struct ebt_ulog_info *uloginfo = par->targinfo; 255 struct ebt_ulog_info *uloginfo = par->targinfo;
261 256
262 if (uloginfo->nlgroup > 31) 257 if (uloginfo->nlgroup > 31)
263 return false; 258 return -EINVAL;
264 259
265 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; 260 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
266 261
267 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN) 262 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
268 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN; 263 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
269 264
270 return true; 265 return 0;
271} 266}
272 267
273static struct xt_target ebt_ulog_tg_reg __read_mostly = { 268static struct xt_target ebt_ulog_tg_reg __read_mostly = {
@@ -292,8 +287,8 @@ static int __init ebt_ulog_init(void)
292 int i; 287 int i;
293 288
294 if (nlbufsiz >= 128*1024) { 289 if (nlbufsiz >= 128*1024) {
295 printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB," 290 pr_warning("Netlink buffer has to be <= 128kB,"
296 " please try a smaller nlbufsiz parameter.\n"); 291 " please try a smaller nlbufsiz parameter.\n");
297 return -EINVAL; 292 return -EINVAL;
298 } 293 }
299 294
@@ -306,13 +301,10 @@ static int __init ebt_ulog_init(void)
306 ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG, 301 ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG,
307 EBT_ULOG_MAXNLGROUPS, NULL, NULL, 302 EBT_ULOG_MAXNLGROUPS, NULL, NULL,
308 THIS_MODULE); 303 THIS_MODULE);
309 if (!ebtulognl) { 304 if (!ebtulognl)
310 printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to "
311 "call netlink_kernel_create\n");
312 ret = -ENOMEM; 305 ret = -ENOMEM;
313 } else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) { 306 else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0)
314 netlink_kernel_release(ebtulognl); 307 netlink_kernel_release(ebtulognl);
315 }
316 308
317 if (ret == 0) 309 if (ret == 0)
318 nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger); 310 nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index be1dd2e1f615..87b53b3a921d 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -26,22 +26,17 @@
26#include <linux/netfilter_bridge/ebtables.h> 26#include <linux/netfilter_bridge/ebtables.h>
27#include <linux/netfilter_bridge/ebt_vlan.h> 27#include <linux/netfilter_bridge/ebt_vlan.h>
28 28
29static int debug;
30#define MODULE_VERS "0.6" 29#define MODULE_VERS "0.6"
31 30
32module_param(debug, int, 0);
33MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
34MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>"); 31MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>");
35MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match"); 32MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
36MODULE_LICENSE("GPL"); 33MODULE_LICENSE("GPL");
37 34
38
39#define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args)
40#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_ 35#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
41#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } 36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
42 37
43static bool 38static bool
44ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par) 39ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
45{ 40{
46 const struct ebt_vlan_info *info = par->matchinfo; 41 const struct ebt_vlan_info *info = par->matchinfo;
47 const struct vlan_hdr *fp; 42 const struct vlan_hdr *fp;
@@ -84,32 +79,31 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
84 return true; 79 return true;
85} 80}
86 81
87static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) 82static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
88{ 83{
89 struct ebt_vlan_info *info = par->matchinfo; 84 struct ebt_vlan_info *info = par->matchinfo;
90 const struct ebt_entry *e = par->entryinfo; 85 const struct ebt_entry *e = par->entryinfo;
91 86
92 /* Is it 802.1Q frame checked? */ 87 /* Is it 802.1Q frame checked? */
93 if (e->ethproto != htons(ETH_P_8021Q)) { 88 if (e->ethproto != htons(ETH_P_8021Q)) {
94 DEBUG_MSG 89 pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
95 ("passed entry proto %2.4X is not 802.1Q (8100)\n", 90 ntohs(e->ethproto));
96 (unsigned short) ntohs(e->ethproto)); 91 return -EINVAL;
97 return false;
98 } 92 }
99 93
100 /* Check for bitmask range 94 /* Check for bitmask range
101 * True if even one bit is out of mask */ 95 * True if even one bit is out of mask */
102 if (info->bitmask & ~EBT_VLAN_MASK) { 96 if (info->bitmask & ~EBT_VLAN_MASK) {
103 DEBUG_MSG("bitmask %2X is out of mask (%2X)\n", 97 pr_debug("bitmask %2X is out of mask (%2X)\n",
104 info->bitmask, EBT_VLAN_MASK); 98 info->bitmask, EBT_VLAN_MASK);
105 return false; 99 return -EINVAL;
106 } 100 }
107 101
108 /* Check for inversion flags range */ 102 /* Check for inversion flags range */
109 if (info->invflags & ~EBT_VLAN_MASK) { 103 if (info->invflags & ~EBT_VLAN_MASK) {
110 DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n", 104 pr_debug("inversion flags %2X is out of mask (%2X)\n",
111 info->invflags, EBT_VLAN_MASK); 105 info->invflags, EBT_VLAN_MASK);
112 return false; 106 return -EINVAL;
113 } 107 }
114 108
115 /* Reserved VLAN ID (VID) values 109 /* Reserved VLAN ID (VID) values
@@ -121,10 +115,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
121 if (GET_BITMASK(EBT_VLAN_ID)) { 115 if (GET_BITMASK(EBT_VLAN_ID)) {
122 if (!!info->id) { /* if id!=0 => check vid range */ 116 if (!!info->id) { /* if id!=0 => check vid range */
123 if (info->id > VLAN_GROUP_ARRAY_LEN) { 117 if (info->id > VLAN_GROUP_ARRAY_LEN) {
124 DEBUG_MSG 118 pr_debug("id %d is out of range (1-4096)\n",
125 ("id %d is out of range (1-4096)\n", 119 info->id);
126 info->id); 120 return -EINVAL;
127 return false;
128 } 121 }
129 /* Note: This is valid VLAN-tagged frame point. 122 /* Note: This is valid VLAN-tagged frame point.
130 * Any value of user_priority are acceptable, 123 * Any value of user_priority are acceptable,
@@ -137,9 +130,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
137 130
138 if (GET_BITMASK(EBT_VLAN_PRIO)) { 131 if (GET_BITMASK(EBT_VLAN_PRIO)) {
139 if ((unsigned char) info->prio > 7) { 132 if ((unsigned char) info->prio > 7) {
140 DEBUG_MSG("prio %d is out of range (0-7)\n", 133 pr_debug("prio %d is out of range (0-7)\n",
141 info->prio); 134 info->prio);
142 return false; 135 return -EINVAL;
143 } 136 }
144 } 137 }
145 /* Check for encapsulated proto range - it is possible to be 138 /* Check for encapsulated proto range - it is possible to be
@@ -147,14 +140,13 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
147 * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */ 140 * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */
148 if (GET_BITMASK(EBT_VLAN_ENCAP)) { 141 if (GET_BITMASK(EBT_VLAN_ENCAP)) {
149 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) { 142 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
150 DEBUG_MSG 143 pr_debug("encap frame length %d is less than "
151 ("encap frame length %d is less than minimal\n", 144 "minimal\n", ntohs(info->encap));
152 ntohs(info->encap)); 145 return -EINVAL;
153 return false;
154 } 146 }
155 } 147 }
156 148
157 return true; 149 return 0;
158} 150}
159 151
160static struct xt_match ebt_vlan_mt_reg __read_mostly = { 152static struct xt_match ebt_vlan_mt_reg __read_mostly = {
@@ -169,9 +161,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = {
169 161
170static int __init ebt_vlan_init(void) 162static int __init ebt_vlan_init(void)
171{ 163{
172 DEBUG_MSG("ebtables 802.1Q extension module v" 164 pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n");
173 MODULE_VERS "\n");
174 DEBUG_MSG("module debug=%d\n", !!debug);
175 return xt_register_match(&ebt_vlan_mt_reg); 165 return xt_register_match(&ebt_vlan_mt_reg);
176} 166}
177 167
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f0865fd1e3ec..59ca00e40dec 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -14,8 +14,7 @@
14 * as published by the Free Software Foundation; either version 14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version. 15 * 2 of the License, or (at your option) any later version.
16 */ 16 */
17 17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19#include <linux/kmod.h> 18#include <linux/kmod.h>
20#include <linux/module.h> 19#include <linux/module.h>
21#include <linux/vmalloc.h> 20#include <linux/vmalloc.h>
@@ -87,7 +86,7 @@ static struct xt_target ebt_standard_target = {
87 86
88static inline int 87static inline int
89ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, 88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
90 struct xt_target_param *par) 89 struct xt_action_param *par)
91{ 90{
92 par->target = w->u.watcher; 91 par->target = w->u.watcher;
93 par->targinfo = w->data; 92 par->targinfo = w->data;
@@ -96,8 +95,9 @@ ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
96 return 0; 95 return 0;
97} 96}
98 97
99static inline int ebt_do_match (struct ebt_entry_match *m, 98static inline int
100 const struct sk_buff *skb, struct xt_match_param *par) 99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
101{ 101{
102 par->match = m->u.match; 102 par->match = m->u.match;
103 par->matchinfo = m->data; 103 par->matchinfo = m->data;
@@ -186,15 +186,13 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
186 struct ebt_entries *chaininfo; 186 struct ebt_entries *chaininfo;
187 const char *base; 187 const char *base;
188 const struct ebt_table_info *private; 188 const struct ebt_table_info *private;
189 bool hotdrop = false; 189 struct xt_action_param acpar;
190 struct xt_match_param mtpar;
191 struct xt_target_param tgpar;
192 190
193 mtpar.family = tgpar.family = NFPROTO_BRIDGE; 191 acpar.family = NFPROTO_BRIDGE;
194 mtpar.in = tgpar.in = in; 192 acpar.in = in;
195 mtpar.out = tgpar.out = out; 193 acpar.out = out;
196 mtpar.hotdrop = &hotdrop; 194 acpar.hotdrop = false;
197 mtpar.hooknum = tgpar.hooknum = hook; 195 acpar.hooknum = hook;
198 196
199 read_lock_bh(&table->lock); 197 read_lock_bh(&table->lock);
200 private = table->private; 198 private = table->private;
@@ -215,9 +213,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
215 if (ebt_basic_match(point, eth_hdr(skb), in, out)) 213 if (ebt_basic_match(point, eth_hdr(skb), in, out))
216 goto letscontinue; 214 goto letscontinue;
217 215
218 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0) 216 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
219 goto letscontinue; 217 goto letscontinue;
220 if (hotdrop) { 218 if (acpar.hotdrop) {
221 read_unlock_bh(&table->lock); 219 read_unlock_bh(&table->lock);
222 return NF_DROP; 220 return NF_DROP;
223 } 221 }
@@ -228,7 +226,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
228 226
229 /* these should only watch: not modify, nor tell us 227 /* these should only watch: not modify, nor tell us
230 what to do with the packet */ 228 what to do with the packet */
231 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar); 229 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
232 230
233 t = (struct ebt_entry_target *) 231 t = (struct ebt_entry_target *)
234 (((char *)point) + point->target_offset); 232 (((char *)point) + point->target_offset);
@@ -236,9 +234,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
236 if (!t->u.target->target) 234 if (!t->u.target->target)
237 verdict = ((struct ebt_standard_target *)t)->verdict; 235 verdict = ((struct ebt_standard_target *)t)->verdict;
238 else { 236 else {
239 tgpar.target = t->u.target; 237 acpar.target = t->u.target;
240 tgpar.targinfo = t->data; 238 acpar.targinfo = t->data;
241 verdict = t->u.target->target(skb, &tgpar); 239 verdict = t->u.target->target(skb, &acpar);
242 } 240 }
243 if (verdict == EBT_ACCEPT) { 241 if (verdict == EBT_ACCEPT) {
244 read_unlock_bh(&table->lock); 242 read_unlock_bh(&table->lock);
@@ -363,12 +361,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
363 left - sizeof(struct ebt_entry_match) < m->match_size) 361 left - sizeof(struct ebt_entry_match) < m->match_size)
364 return -EINVAL; 362 return -EINVAL;
365 363
366 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, 364 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
367 m->u.name, 0), "ebt_%s", m->u.name);
368 if (IS_ERR(match)) 365 if (IS_ERR(match))
369 return PTR_ERR(match); 366 return PTR_ERR(match);
370 if (match == NULL)
371 return -ENOENT;
372 m->u.match = match; 367 m->u.match = match;
373 368
374 par->match = match; 369 par->match = match;
@@ -397,13 +392,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
397 left - sizeof(struct ebt_entry_watcher) < w->watcher_size) 392 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
398 return -EINVAL; 393 return -EINVAL;
399 394
400 watcher = try_then_request_module( 395 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
401 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
402 "ebt_%s", w->u.name);
403 if (IS_ERR(watcher)) 396 if (IS_ERR(watcher))
404 return PTR_ERR(watcher); 397 return PTR_ERR(watcher);
405 if (watcher == NULL)
406 return -ENOENT;
407 w->u.watcher = watcher; 398 w->u.watcher = watcher;
408 399
409 par->target = watcher; 400 par->target = watcher;
@@ -716,15 +707,10 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
716 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); 707 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
717 gap = e->next_offset - e->target_offset; 708 gap = e->next_offset - e->target_offset;
718 709
719 target = try_then_request_module( 710 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
720 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
721 "ebt_%s", t->u.name);
722 if (IS_ERR(target)) { 711 if (IS_ERR(target)) {
723 ret = PTR_ERR(target); 712 ret = PTR_ERR(target);
724 goto cleanup_watchers; 713 goto cleanup_watchers;
725 } else if (target == NULL) {
726 ret = -ENOENT;
727 goto cleanup_watchers;
728 } 714 }
729 715
730 t->u.target = target; 716 t->u.target = target;
@@ -2128,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2128 return ret; 2114 return ret;
2129 new_offset += ret; 2115 new_offset += ret;
2130 if (offsets_update && new_offset) { 2116 if (offsets_update && new_offset) {
2131 pr_debug("ebtables: change offset %d to %d\n", 2117 pr_debug("change offset %d to %d\n",
2132 offsets_update[i], offsets[j] + new_offset); 2118 offsets_update[i], offsets[j] + new_offset);
2133 offsets_update[i] = offsets[j] + new_offset; 2119 offsets_update[i] = offsets[j] + new_offset;
2134 } 2120 }