aboutsummaryrefslogtreecommitdiffstats
path: root/net/bridge
diff options
context:
space:
mode:
Diffstat (limited to 'net/bridge')
-rw-r--r--net/bridge/br_device.c8
-rw-r--r--net/bridge/br_forward.c12
-rw-r--r--net/bridge/br_input.c6
-rw-r--r--net/bridge/br_multicast.c2
-rw-r--r--net/bridge/br_netfilter.c263
-rw-r--r--net/bridge/br_stp_bpdu.c2
-rw-r--r--net/bridge/netfilter/ebt_802_3.c6
-rw-r--r--net/bridge/netfilter/ebt_among.c25
-rw-r--r--net/bridge/netfilter/ebt_arp.c8
-rw-r--r--net/bridge/netfilter/ebt_arpreply.c8
-rw-r--r--net/bridge/netfilter/ebt_dnat.c10
-rw-r--r--net/bridge/netfilter/ebt_ip.c16
-rw-r--r--net/bridge/netfilter/ebt_ip6.c37
-rw-r--r--net/bridge/netfilter/ebt_limit.c9
-rw-r--r--net/bridge/netfilter/ebt_log.c8
-rw-r--r--net/bridge/netfilter/ebt_mark.c10
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c10
-rw-r--r--net/bridge/netfilter/ebt_nflog.c6
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c6
-rw-r--r--net/bridge/netfilter/ebt_redirect.c10
-rw-r--r--net/bridge/netfilter/ebt_snat.c10
-rw-r--r--net/bridge/netfilter/ebt_stp.c8
-rw-r--r--net/bridge/netfilter/ebt_ulog.c36
-rw-r--r--net/bridge/netfilter/ebt_vlan.c52
-rw-r--r--net/bridge/netfilter/ebtables.c23
25 files changed, 233 insertions, 358 deletions
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 074c59690fc5..f15f9c4a0dd2 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -17,6 +17,7 @@
17#include <linux/etherdevice.h> 17#include <linux/etherdevice.h>
18#include <linux/ethtool.h> 18#include <linux/ethtool.h>
19#include <linux/list.h> 19#include <linux/list.h>
20#include <linux/netfilter_bridge.h>
20 21
21#include <asm/uaccess.h> 22#include <asm/uaccess.h>
22#include "br_private.h" 23#include "br_private.h"
@@ -30,6 +31,13 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
30 struct net_bridge_mdb_entry *mdst; 31 struct net_bridge_mdb_entry *mdst;
31 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats); 32 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
32 33
34#ifdef CONFIG_BRIDGE_NETFILTER
35 if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
36 br_nf_pre_routing_finish_bridge_slow(skb);
37 return NETDEV_TX_OK;
38 }
39#endif
40
33 brstats->tx_packets++; 41 brstats->tx_packets++;
34 brstats->tx_bytes += skb->len; 42 brstats->tx_bytes += skb->len;
35 43
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 92ad9feb199d..a98ef1393097 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -45,7 +45,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
45 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) 45 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
46 kfree_skb(skb); 46 kfree_skb(skb);
47 else { 47 else {
48 /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */ 48 /* ip_fragment doesn't copy the MAC header */
49 if (nf_bridge_maybe_copy_header(skb)) 49 if (nf_bridge_maybe_copy_header(skb))
50 kfree_skb(skb); 50 kfree_skb(skb);
51 else { 51 else {
@@ -66,7 +66,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
66 66
67int br_forward_finish(struct sk_buff *skb) 67int br_forward_finish(struct sk_buff *skb)
68{ 68{
69 return NF_HOOK(PF_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev, 69 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
70 br_dev_queue_push_xmit); 70 br_dev_queue_push_xmit);
71 71
72} 72}
@@ -84,8 +84,8 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
84 } 84 }
85#endif 85#endif
86 skb->dev = to->dev; 86 skb->dev = to->dev;
87 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 87 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
88 br_forward_finish); 88 br_forward_finish);
89#ifdef CONFIG_NET_POLL_CONTROLLER 89#ifdef CONFIG_NET_POLL_CONTROLLER
90 if (skb->dev->npinfo) 90 if (skb->dev->npinfo)
91 skb->dev->npinfo->netpoll->dev = br->dev; 91 skb->dev->npinfo->netpoll->dev = br->dev;
@@ -105,8 +105,8 @@ static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
105 skb->dev = to->dev; 105 skb->dev = to->dev;
106 skb_forward_csum(skb); 106 skb_forward_csum(skb);
107 107
108 NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev, 108 NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
109 br_forward_finish); 109 br_forward_finish);
110} 110}
111 111
112/* called with rcu_read_lock */ 112/* called with rcu_read_lock */
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index e7f4c1d02f57..d36e700f7a26 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -33,7 +33,7 @@ static int br_pass_frame_up(struct sk_buff *skb)
33 indev = skb->dev; 33 indev = skb->dev;
34 skb->dev = brdev; 34 skb->dev = brdev;
35 35
36 return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL, 36 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
37 netif_receive_skb); 37 netif_receive_skb);
38} 38}
39 39
@@ -156,7 +156,7 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
156 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) 156 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
157 goto forward; 157 goto forward;
158 158
159 if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, 159 if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
160 NULL, br_handle_local_finish)) 160 NULL, br_handle_local_finish))
161 return NULL; /* frame consumed by filter */ 161 return NULL; /* frame consumed by filter */
162 else 162 else
@@ -177,7 +177,7 @@ forward:
177 if (!compare_ether_addr(p->br->dev->dev_addr, dest)) 177 if (!compare_ether_addr(p->br->dev->dev_addr, dest))
178 skb->pkt_type = PACKET_HOST; 178 skb->pkt_type = PACKET_HOST;
179 179
180 NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 180 NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
181 br_handle_frame_finish); 181 br_handle_frame_finish);
182 break; 182 break;
183 default: 183 default:
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 7128abdce45f..c8419e240316 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -814,7 +814,7 @@ static void __br_multicast_send_query(struct net_bridge *br,
814 if (port) { 814 if (port) {
815 __skb_push(skb, sizeof(struct ethhdr)); 815 __skb_push(skb, sizeof(struct ethhdr));
816 skb->dev = port->dev; 816 skb->dev = port->dev;
817 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 817 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
818 dev_queue_xmit); 818 dev_queue_xmit);
819 } else 819 } else
820 netif_rx(skb); 820 netif_rx(skb);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 4c4977d12fd6..93f80fefa496 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -3,15 +3,8 @@
3 * Linux ethernet bridge 3 * Linux ethernet bridge
4 * 4 *
5 * Authors: 5 * Authors:
6 * Lennert Buytenhek <buytenh@gnu.org> 6 * Lennert Buytenhek <buytenh@gnu.org>
7 * Bart De Schuymer (maintainer) <bdschuym@pandora.be> 7 * Bart De Schuymer <bdschuym@pandora.be>
8 *
9 * Changes:
10 * Apr 29 2003: physdev module support (bdschuym)
11 * Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
12 * Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
13 * (bdschuym)
14 * Sep 01 2004: add IPv6 filtering (bdschuym)
15 * 8 *
16 * This program is free software; you can redistribute it and/or 9 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License 10 * modify it under the terms of the GNU General Public License
@@ -204,15 +197,24 @@ static inline void nf_bridge_save_header(struct sk_buff *skb)
204 skb->nf_bridge->data, header_size); 197 skb->nf_bridge->data, header_size);
205} 198}
206 199
207/* 200static inline void nf_bridge_update_protocol(struct sk_buff *skb)
208 * When forwarding bridge frames, we save a copy of the original 201{
209 * header before processing. 202 if (skb->nf_bridge->mask & BRNF_8021Q)
203 skb->protocol = htons(ETH_P_8021Q);
204 else if (skb->nf_bridge->mask & BRNF_PPPoE)
205 skb->protocol = htons(ETH_P_PPP_SES);
206}
207
208/* Fill in the header for fragmented IP packets handled by
209 * the IPv4 connection tracking code.
210 */ 210 */
211int nf_bridge_copy_header(struct sk_buff *skb) 211int nf_bridge_copy_header(struct sk_buff *skb)
212{ 212{
213 int err; 213 int err;
214 int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb); 214 unsigned int header_size;
215 215
216 nf_bridge_update_protocol(skb);
217 header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
216 err = skb_cow_head(skb, header_size); 218 err = skb_cow_head(skb, header_size);
217 if (err) 219 if (err)
218 return err; 220 return err;
@@ -246,27 +248,48 @@ static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
246 skb_dst_set(skb, &rt->u.dst); 248 skb_dst_set(skb, &rt->u.dst);
247 249
248 skb->dev = nf_bridge->physindev; 250 skb->dev = nf_bridge->physindev;
251 nf_bridge_update_protocol(skb);
249 nf_bridge_push_encap_header(skb); 252 nf_bridge_push_encap_header(skb);
250 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 253 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
251 br_handle_frame_finish, 1); 254 br_handle_frame_finish, 1);
252 255
253 return 0; 256 return 0;
254} 257}
255 258
256static void __br_dnat_complain(void) 259/* Obtain the correct destination MAC address, while preserving the original
260 * source MAC address. If we already know this address, we just copy it. If we
261 * don't, we use the neighbour framework to find out. In both cases, we make
262 * sure that br_handle_frame_finish() is called afterwards.
263 */
264static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
257{ 265{
258 static unsigned long last_complaint; 266 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
267 struct dst_entry *dst;
259 268
260 if (jiffies - last_complaint >= 5 * HZ) { 269 skb->dev = bridge_parent(skb->dev);
261 printk(KERN_WARNING "Performing cross-bridge DNAT requires IP " 270 if (!skb->dev)
262 "forwarding to be enabled\n"); 271 goto free_skb;
263 last_complaint = jiffies; 272 dst = skb_dst(skb);
273 if (dst->hh) {
274 neigh_hh_bridge(dst->hh, skb);
275 skb->dev = nf_bridge->physindev;
276 return br_handle_frame_finish(skb);
277 } else if (dst->neighbour) {
278 /* the neighbour function below overwrites the complete
279 * MAC header, so we save the Ethernet source address and
280 * protocol number. */
281 skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
282 /* tell br_dev_xmit to continue with forwarding */
283 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
284 return dst->neighbour->output(skb);
264 } 285 }
286free_skb:
287 kfree_skb(skb);
288 return 0;
265} 289}
266 290
267/* This requires some explaining. If DNAT has taken place, 291/* This requires some explaining. If DNAT has taken place,
268 * we will need to fix up the destination Ethernet address, 292 * we will need to fix up the destination Ethernet address.
269 * and this is a tricky process.
270 * 293 *
271 * There are two cases to consider: 294 * There are two cases to consider:
272 * 1. The packet was DNAT'ed to a device in the same bridge 295 * 1. The packet was DNAT'ed to a device in the same bridge
@@ -280,62 +303,29 @@ static void __br_dnat_complain(void)
280 * call ip_route_input() and to look at skb->dst->dev, which is 303 * call ip_route_input() and to look at skb->dst->dev, which is
281 * changed to the destination device if ip_route_input() succeeds. 304 * changed to the destination device if ip_route_input() succeeds.
282 * 305 *
283 * Let us first consider the case that ip_route_input() succeeds: 306 * Let's first consider the case that ip_route_input() succeeds:
284 *
285 * If skb->dst->dev equals the logical bridge device the packet
286 * came in on, we can consider this bridging. The packet is passed
287 * through the neighbour output function to build a new destination
288 * MAC address, which will make the packet enter br_nf_local_out()
289 * not much later. In that function it is assured that the iptables
290 * FORWARD chain is traversed for the packet.
291 * 307 *
308 * If the output device equals the logical bridge device the packet
309 * came in on, we can consider this bridging. The corresponding MAC
310 * address will be obtained in br_nf_pre_routing_finish_bridge.
292 * Otherwise, the packet is considered to be routed and we just 311 * Otherwise, the packet is considered to be routed and we just
293 * change the destination MAC address so that the packet will 312 * change the destination MAC address so that the packet will
294 * later be passed up to the IP stack to be routed. For a redirected 313 * later be passed up to the IP stack to be routed. For a redirected
295 * packet, ip_route_input() will give back the localhost as output device, 314 * packet, ip_route_input() will give back the localhost as output device,
296 * which differs from the bridge device. 315 * which differs from the bridge device.
297 * 316 *
298 * Let us now consider the case that ip_route_input() fails: 317 * Let's now consider the case that ip_route_input() fails:
299 * 318 *
300 * This can be because the destination address is martian, in which case 319 * This can be because the destination address is martian, in which case
301 * the packet will be dropped. 320 * the packet will be dropped.
302 * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input() 321 * If IP forwarding is disabled, ip_route_input() will fail, while
303 * will fail, while __ip_route_output_key() will return success. The source 322 * ip_route_output_key() can return success. The source
304 * address for __ip_route_output_key() is set to zero, so __ip_route_output_key 323 * address for ip_route_output_key() is set to zero, so ip_route_output_key()
305 * thinks we're handling a locally generated packet and won't care 324 * thinks we're handling a locally generated packet and won't care
306 * if IP forwarding is allowed. We send a warning message to the users's 325 * if IP forwarding is enabled. If the output device equals the logical bridge
307 * log telling her to put IP forwarding on. 326 * device, we proceed as if ip_route_input() succeeded. If it differs from the
308 * 327 * logical bridge port or if ip_route_output_key() fails we drop the packet.
309 * ip_route_input() will also fail if there is no route available. 328 */
310 * In that case we just drop the packet.
311 *
312 * --Lennert, 20020411
313 * --Bart, 20020416 (updated)
314 * --Bart, 20021007 (updated)
315 * --Bart, 20062711 (updated) */
316static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
317{
318 if (skb->pkt_type == PACKET_OTHERHOST) {
319 skb->pkt_type = PACKET_HOST;
320 skb->nf_bridge->mask |= BRNF_PKT_TYPE;
321 }
322 skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
323
324 skb->dev = bridge_parent(skb->dev);
325 if (skb->dev) {
326 struct dst_entry *dst = skb_dst(skb);
327
328 nf_bridge_pull_encap_header(skb);
329
330 if (dst->hh)
331 return neigh_hh_output(dst->hh, skb);
332 else if (dst->neighbour)
333 return dst->neighbour->output(skb);
334 }
335 kfree_skb(skb);
336 return 0;
337}
338
339static int br_nf_pre_routing_finish(struct sk_buff *skb) 329static int br_nf_pre_routing_finish(struct sk_buff *skb)
340{ 330{
341 struct net_device *dev = skb->dev; 331 struct net_device *dev = skb->dev;
@@ -379,11 +369,6 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
379 skb_dst_set(skb, (struct dst_entry *)rt); 369 skb_dst_set(skb, (struct dst_entry *)rt);
380 goto bridged_dnat; 370 goto bridged_dnat;
381 } 371 }
382 /* we are sure that forwarding is disabled, so printing
383 * this message is no problem. Note that the packet could
384 * still have a martian destination address, in which case
385 * the packet could be dropped even if forwarding were enabled */
386 __br_dnat_complain();
387 dst_release((struct dst_entry *)rt); 372 dst_release((struct dst_entry *)rt);
388 } 373 }
389free_skb: 374free_skb:
@@ -392,12 +377,11 @@ free_skb:
392 } else { 377 } else {
393 if (skb_dst(skb)->dev == dev) { 378 if (skb_dst(skb)->dev == dev) {
394bridged_dnat: 379bridged_dnat:
395 /* Tell br_nf_local_out this is a
396 * bridged frame */
397 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
398 skb->dev = nf_bridge->physindev; 380 skb->dev = nf_bridge->physindev;
381 nf_bridge_update_protocol(skb);
399 nf_bridge_push_encap_header(skb); 382 nf_bridge_push_encap_header(skb);
400 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, 383 NF_HOOK_THRESH(NFPROTO_BRIDGE,
384 NF_BR_PRE_ROUTING,
401 skb, skb->dev, NULL, 385 skb, skb->dev, NULL,
402 br_nf_pre_routing_finish_bridge, 386 br_nf_pre_routing_finish_bridge,
403 1); 387 1);
@@ -417,8 +401,9 @@ bridged_dnat:
417 } 401 }
418 402
419 skb->dev = nf_bridge->physindev; 403 skb->dev = nf_bridge->physindev;
404 nf_bridge_update_protocol(skb);
420 nf_bridge_push_encap_header(skb); 405 nf_bridge_push_encap_header(skb);
421 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 406 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
422 br_handle_frame_finish, 1); 407 br_handle_frame_finish, 1);
423 408
424 return 0; 409 return 0;
@@ -437,6 +422,10 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
437 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING; 422 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
438 nf_bridge->physindev = skb->dev; 423 nf_bridge->physindev = skb->dev;
439 skb->dev = bridge_parent(skb->dev); 424 skb->dev = bridge_parent(skb->dev);
425 if (skb->protocol == htons(ETH_P_8021Q))
426 nf_bridge->mask |= BRNF_8021Q;
427 else if (skb->protocol == htons(ETH_P_PPP_SES))
428 nf_bridge->mask |= BRNF_PPPoE;
440 429
441 return skb->dev; 430 return skb->dev;
442} 431}
@@ -535,7 +524,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
535 if (!setup_pre_routing(skb)) 524 if (!setup_pre_routing(skb))
536 return NF_DROP; 525 return NF_DROP;
537 526
538 NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 527 skb->protocol = htons(ETH_P_IPV6);
528 NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
539 br_nf_pre_routing_finish_ipv6); 529 br_nf_pre_routing_finish_ipv6);
540 530
541 return NF_STOLEN; 531 return NF_STOLEN;
@@ -607,8 +597,9 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
607 if (!setup_pre_routing(skb)) 597 if (!setup_pre_routing(skb))
608 return NF_DROP; 598 return NF_DROP;
609 store_orig_dstaddr(skb); 599 store_orig_dstaddr(skb);
600 skb->protocol = htons(ETH_P_IP);
610 601
611 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 602 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
612 br_nf_pre_routing_finish); 603 br_nf_pre_routing_finish);
613 604
614 return NF_STOLEN; 605 return NF_STOLEN;
@@ -655,8 +646,10 @@ static int br_nf_forward_finish(struct sk_buff *skb)
655 } else { 646 } else {
656 in = *((struct net_device **)(skb->cb)); 647 in = *((struct net_device **)(skb->cb));
657 } 648 }
649 nf_bridge_update_protocol(skb);
658 nf_bridge_push_encap_header(skb); 650 nf_bridge_push_encap_header(skb);
659 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in, 651
652 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
660 skb->dev, br_forward_finish, 1); 653 skb->dev, br_forward_finish, 1);
661 return 0; 654 return 0;
662} 655}
@@ -707,6 +700,10 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
707 /* The physdev module checks on this */ 700 /* The physdev module checks on this */
708 nf_bridge->mask |= BRNF_BRIDGED; 701 nf_bridge->mask |= BRNF_BRIDGED;
709 nf_bridge->physoutdev = skb->dev; 702 nf_bridge->physoutdev = skb->dev;
703 if (pf == PF_INET)
704 skb->protocol = htons(ETH_P_IP);
705 else
706 skb->protocol = htons(ETH_P_IPV6);
710 707
711 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent, 708 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
712 br_nf_forward_finish); 709 br_nf_forward_finish);
@@ -744,60 +741,11 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
744 return NF_STOLEN; 741 return NF_STOLEN;
745} 742}
746 743
747/* PF_BRIDGE/LOCAL_OUT ***********************************************
748 *
749 * This function sees both locally originated IP packets and forwarded
750 * IP packets (in both cases the destination device is a bridge
751 * device). It also sees bridged-and-DNAT'ed packets.
752 *
753 * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
754 * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
755 * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
756 * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
757 * will be executed.
758 */
759static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
760 const struct net_device *in,
761 const struct net_device *out,
762 int (*okfn)(struct sk_buff *))
763{
764 struct net_device *realindev;
765 struct nf_bridge_info *nf_bridge;
766
767 if (!skb->nf_bridge)
768 return NF_ACCEPT;
769
770 /* Need exclusive nf_bridge_info since we might have multiple
771 * different physoutdevs. */
772 if (!nf_bridge_unshare(skb))
773 return NF_DROP;
774
775 nf_bridge = skb->nf_bridge;
776 if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
777 return NF_ACCEPT;
778
779 /* Bridged, take PF_BRIDGE/FORWARD.
780 * (see big note in front of br_nf_pre_routing_finish) */
781 nf_bridge->physoutdev = skb->dev;
782 realindev = nf_bridge->physindev;
783
784 if (nf_bridge->mask & BRNF_PKT_TYPE) {
785 skb->pkt_type = PACKET_OTHERHOST;
786 nf_bridge->mask ^= BRNF_PKT_TYPE;
787 }
788 nf_bridge_push_encap_header(skb);
789
790 NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
791 br_forward_finish);
792 return NF_STOLEN;
793}
794
795#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE) 744#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
796static int br_nf_dev_queue_xmit(struct sk_buff *skb) 745static int br_nf_dev_queue_xmit(struct sk_buff *skb)
797{ 746{
798 if (skb->nfct != NULL && 747 if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
799 (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) && 748 skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
800 skb->len > skb->dev->mtu &&
801 !skb_is_gso(skb)) 749 !skb_is_gso(skb))
802 return ip_fragment(skb, br_dev_queue_push_xmit); 750 return ip_fragment(skb, br_dev_queue_push_xmit);
803 else 751 else
@@ -820,21 +768,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
820 struct net_device *realoutdev = bridge_parent(skb->dev); 768 struct net_device *realoutdev = bridge_parent(skb->dev);
821 u_int8_t pf; 769 u_int8_t pf;
822 770
823#ifdef CONFIG_NETFILTER_DEBUG 771 if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
824 /* Be very paranoid. This probably won't happen anymore, but let's
825 * keep the check just to be sure... */
826 if (skb_mac_header(skb) < skb->head ||
827 skb_mac_header(skb) + ETH_HLEN > skb->data) {
828 printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
829 "bad mac.raw pointer.\n");
830 goto print_error;
831 }
832#endif
833
834 if (!nf_bridge)
835 return NF_ACCEPT;
836
837 if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
838 return NF_ACCEPT; 772 return NF_ACCEPT;
839 773
840 if (!realoutdev) 774 if (!realoutdev)
@@ -849,13 +783,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
849 else 783 else
850 return NF_ACCEPT; 784 return NF_ACCEPT;
851 785
852#ifdef CONFIG_NETFILTER_DEBUG
853 if (skb_dst(skb) == NULL) {
854 printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
855 goto print_error;
856 }
857#endif
858
859 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care 786 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
860 * about the value of skb->pkt_type. */ 787 * about the value of skb->pkt_type. */
861 if (skb->pkt_type == PACKET_OTHERHOST) { 788 if (skb->pkt_type == PACKET_OTHERHOST) {
@@ -865,24 +792,15 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
865 792
866 nf_bridge_pull_encap_header(skb); 793 nf_bridge_pull_encap_header(skb);
867 nf_bridge_save_header(skb); 794 nf_bridge_save_header(skb);
795 if (pf == PF_INET)
796 skb->protocol = htons(ETH_P_IP);
797 else
798 skb->protocol = htons(ETH_P_IPV6);
868 799
869 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev, 800 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
870 br_nf_dev_queue_xmit); 801 br_nf_dev_queue_xmit);
871 802
872 return NF_STOLEN; 803 return NF_STOLEN;
873
874#ifdef CONFIG_NETFILTER_DEBUG
875print_error:
876 if (skb->dev != NULL) {
877 printk("[%s]", skb->dev->name);
878 if (realoutdev)
879 printk("[%s]", realoutdev->name);
880 }
881 printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
882 skb->data);
883 dump_stack();
884 return NF_ACCEPT;
885#endif
886} 804}
887 805
888/* IP/SABOTAGE *****************************************************/ 806/* IP/SABOTAGE *****************************************************/
@@ -901,10 +819,8 @@ static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
901 return NF_ACCEPT; 819 return NF_ACCEPT;
902} 820}
903 821
904/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent 822/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
905 * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input. 823 * br_dev_queue_push_xmit is called afterwards */
906 * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
907 * ip_refrag() can return NF_STOLEN. */
908static struct nf_hook_ops br_nf_ops[] __read_mostly = { 824static struct nf_hook_ops br_nf_ops[] __read_mostly = {
909 { 825 {
910 .hook = br_nf_pre_routing, 826 .hook = br_nf_pre_routing,
@@ -935,13 +851,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
935 .priority = NF_BR_PRI_BRNF, 851 .priority = NF_BR_PRI_BRNF,
936 }, 852 },
937 { 853 {
938 .hook = br_nf_local_out,
939 .owner = THIS_MODULE,
940 .pf = PF_BRIDGE,
941 .hooknum = NF_BR_LOCAL_OUT,
942 .priority = NF_BR_PRI_FIRST,
943 },
944 {
945 .hook = br_nf_post_routing, 854 .hook = br_nf_post_routing,
946 .owner = THIS_MODULE, 855 .owner = THIS_MODULE,
947 .pf = PF_BRIDGE, 856 .pf = PF_BRIDGE,
diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index d66cce11f3bf..217bd225a42f 100644
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -50,7 +50,7 @@ static void br_send_bpdu(struct net_bridge_port *p,
50 50
51 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr); 51 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr);
52 52
53 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 53 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
54 dev_queue_xmit); 54 dev_queue_xmit);
55} 55}
56 56
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 5d1176758ca5..f7de8dbc3422 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -36,14 +36,14 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
36 return true; 36 return true;
37} 37}
38 38
39static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par) 39static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
40{ 40{
41 const struct ebt_802_3_info *info = par->matchinfo; 41 const struct ebt_802_3_info *info = par->matchinfo;
42 42
43 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK) 43 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
44 return false; 44 return -EINVAL;
45 45
46 return true; 46 return 0;
47} 47}
48 48
49static struct xt_match ebt_802_3_mt_reg __read_mostly = { 49static struct xt_match ebt_802_3_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f091f35b..20068e03fa81 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -7,6 +7,7 @@
7 * August, 2003 7 * August, 2003
8 * 8 *
9 */ 9 */
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/ip.h> 11#include <linux/ip.h>
11#include <linux/if_arp.h> 12#include <linux/if_arp.h>
12#include <linux/module.h> 13#include <linux/module.h>
@@ -171,7 +172,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
171 return true; 172 return true;
172} 173}
173 174
174static bool ebt_among_mt_check(const struct xt_mtchk_param *par) 175static int ebt_among_mt_check(const struct xt_mtchk_param *par)
175{ 176{
176 const struct ebt_among_info *info = par->matchinfo; 177 const struct ebt_among_info *info = par->matchinfo;
177 const struct ebt_entry_match *em = 178 const struct ebt_entry_match *em =
@@ -186,24 +187,20 @@ static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
186 expected_length += ebt_mac_wormhash_size(wh_src); 187 expected_length += ebt_mac_wormhash_size(wh_src);
187 188
188 if (em->match_size != EBT_ALIGN(expected_length)) { 189 if (em->match_size != EBT_ALIGN(expected_length)) {
189 printk(KERN_WARNING 190 pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
190 "ebtables: among: wrong size: %d " 191 em->match_size, expected_length,
191 "against expected %d, rounded to %Zd\n", 192 EBT_ALIGN(expected_length));
192 em->match_size, expected_length, 193 return -EINVAL;
193 EBT_ALIGN(expected_length));
194 return false;
195 } 194 }
196 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) { 195 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
197 printk(KERN_WARNING 196 pr_info("dst integrity fail: %x\n", -err);
198 "ebtables: among: dst integrity fail: %x\n", -err); 197 return -EINVAL;
199 return false;
200 } 198 }
201 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) { 199 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
202 printk(KERN_WARNING 200 pr_info("src integrity fail: %x\n", -err);
203 "ebtables: among: src integrity fail: %x\n", -err); 201 return -EINVAL;
204 return false;
205 } 202 }
206 return true; 203 return 0;
207} 204}
208 205
209static struct xt_match ebt_among_mt_reg __read_mostly = { 206static struct xt_match ebt_among_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index e727697c5847..952150cd5e7d 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
100 return true; 100 return true;
101} 101}
102 102
103static bool ebt_arp_mt_check(const struct xt_mtchk_param *par) 103static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
104{ 104{
105 const struct ebt_arp_info *info = par->matchinfo; 105 const struct ebt_arp_info *info = par->matchinfo;
106 const struct ebt_entry *e = par->entryinfo; 106 const struct ebt_entry *e = par->entryinfo;
@@ -108,10 +108,10 @@ static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
108 if ((e->ethproto != htons(ETH_P_ARP) && 108 if ((e->ethproto != htons(ETH_P_ARP) &&
109 e->ethproto != htons(ETH_P_RARP)) || 109 e->ethproto != htons(ETH_P_RARP)) ||
110 e->invflags & EBT_IPROTO) 110 e->invflags & EBT_IPROTO)
111 return false; 111 return -EINVAL;
112 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK) 112 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
113 return false; 113 return -EINVAL;
114 return true; 114 return 0;
115} 115}
116 116
117static struct xt_match ebt_arp_mt_reg __read_mostly = { 117static struct xt_match ebt_arp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index f392e9d93f53..4581adb27583 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -57,17 +57,17 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
57 return info->target; 57 return info->target;
58} 58}
59 59
60static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par) 60static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
61{ 61{
62 const struct ebt_arpreply_info *info = par->targinfo; 62 const struct ebt_arpreply_info *info = par->targinfo;
63 const struct ebt_entry *e = par->entryinfo; 63 const struct ebt_entry *e = par->entryinfo;
64 64
65 if (BASE_CHAIN && info->target == EBT_RETURN) 65 if (BASE_CHAIN && info->target == EBT_RETURN)
66 return false; 66 return -EINVAL;
67 if (e->ethproto != htons(ETH_P_ARP) || 67 if (e->ethproto != htons(ETH_P_ARP) ||
68 e->invflags & EBT_IPROTO) 68 e->invflags & EBT_IPROTO)
69 return false; 69 return -EINVAL;
70 return true; 70 return 0;
71} 71}
72 72
73static struct xt_target ebt_arpreply_tg_reg __read_mostly = { 73static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 2bb40d728a35..59d5b7c8a557 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -26,13 +26,13 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
26 return info->target; 26 return info->target;
27} 27}
28 28
29static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par) 29static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
30{ 30{
31 const struct ebt_nat_info *info = par->targinfo; 31 const struct ebt_nat_info *info = par->targinfo;
32 unsigned int hook_mask; 32 unsigned int hook_mask;
33 33
34 if (BASE_CHAIN && info->target == EBT_RETURN) 34 if (BASE_CHAIN && info->target == EBT_RETURN)
35 return false; 35 return -EINVAL;
36 36
37 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 37 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
38 if ((strcmp(par->table, "nat") != 0 || 38 if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
40 (1 << NF_BR_LOCAL_OUT)))) && 40 (1 << NF_BR_LOCAL_OUT)))) &&
41 (strcmp(par->table, "broute") != 0 || 41 (strcmp(par->table, "broute") != 0 ||
42 hook_mask & ~(1 << NF_BR_BROUTING))) 42 hook_mask & ~(1 << NF_BR_BROUTING)))
43 return false; 43 return -EINVAL;
44 if (INVALID_TARGET) 44 if (INVALID_TARGET)
45 return false; 45 return -EINVAL;
46 return true; 46 return 0;
47} 47}
48 48
49static struct xt_target ebt_dnat_tg_reg __read_mostly = { 49static struct xt_target ebt_dnat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 5de6df6f86b8..a1c76c7e5219 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -77,31 +77,31 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77 return true; 77 return true;
78} 78}
79 79
80static bool ebt_ip_mt_check(const struct xt_mtchk_param *par) 80static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
81{ 81{
82 const struct ebt_ip_info *info = par->matchinfo; 82 const struct ebt_ip_info *info = par->matchinfo;
83 const struct ebt_entry *e = par->entryinfo; 83 const struct ebt_entry *e = par->entryinfo;
84 84
85 if (e->ethproto != htons(ETH_P_IP) || 85 if (e->ethproto != htons(ETH_P_IP) ||
86 e->invflags & EBT_IPROTO) 86 e->invflags & EBT_IPROTO)
87 return false; 87 return -EINVAL;
88 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK) 88 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
89 return false; 89 return -EINVAL;
90 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) { 90 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
91 if (info->invflags & EBT_IP_PROTO) 91 if (info->invflags & EBT_IP_PROTO)
92 return false; 92 return -EINVAL;
93 if (info->protocol != IPPROTO_TCP && 93 if (info->protocol != IPPROTO_TCP &&
94 info->protocol != IPPROTO_UDP && 94 info->protocol != IPPROTO_UDP &&
95 info->protocol != IPPROTO_UDPLITE && 95 info->protocol != IPPROTO_UDPLITE &&
96 info->protocol != IPPROTO_SCTP && 96 info->protocol != IPPROTO_SCTP &&
97 info->protocol != IPPROTO_DCCP) 97 info->protocol != IPPROTO_DCCP)
98 return false; 98 return -EINVAL;
99 } 99 }
100 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1]) 100 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
101 return false; 101 return -EINVAL;
102 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1]) 102 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
103 return false; 103 return -EINVAL;
104 return true; 104 return 0;
105} 105}
106 106
107static struct xt_match ebt_ip_mt_reg __read_mostly = { 107static struct xt_match ebt_ip_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index bbf2534ef026..33f8413f05ad 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -4,7 +4,7 @@
4 * Authors: 4 * Authors:
5 * Manohar Castelino <manohar.r.castelino@intel.com> 5 * Manohar Castelino <manohar.r.castelino@intel.com>
6 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com> 6 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
7 * Jan Engelhardt <jengelh@computergmbh.de> 7 * Jan Engelhardt <jengelh@medozas.de>
8 * 8 *
9 * Summary: 9 * Summary:
10 * This is just a modification of the IPv4 code written by 10 * This is just a modification of the IPv4 code written by
@@ -35,8 +35,6 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
35 struct ipv6hdr _ip6h; 35 struct ipv6hdr _ip6h;
36 const struct tcpudphdr *pptr; 36 const struct tcpudphdr *pptr;
37 struct tcpudphdr _ports; 37 struct tcpudphdr _ports;
38 struct in6_addr tmp_addr;
39 int i;
40 38
41 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); 39 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
42 if (ih6 == NULL) 40 if (ih6 == NULL)
@@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
44 if (info->bitmask & EBT_IP6_TCLASS && 42 if (info->bitmask & EBT_IP6_TCLASS &&
45 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) 43 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
46 return false; 44 return false;
47 for (i = 0; i < 4; i++) 45 if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
48 tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] & 46 &info->saddr), EBT_IP6_SOURCE) ||
49 info->smsk.in6_u.u6_addr32[i]; 47 FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
50 if (info->bitmask & EBT_IP6_SOURCE && 48 &info->daddr), EBT_IP6_DEST))
51 FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
52 EBT_IP6_SOURCE))
53 return false;
54 for (i = 0; i < 4; i++)
55 tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
56 info->dmsk.in6_u.u6_addr32[i];
57 if (info->bitmask & EBT_IP6_DEST &&
58 FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
59 return false; 49 return false;
60 if (info->bitmask & EBT_IP6_PROTO) { 50 if (info->bitmask & EBT_IP6_PROTO) {
61 uint8_t nexthdr = ih6->nexthdr; 51 uint8_t nexthdr = ih6->nexthdr;
@@ -90,30 +80,30 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
90 return true; 80 return true;
91} 81}
92 82
93static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par) 83static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
94{ 84{
95 const struct ebt_entry *e = par->entryinfo; 85 const struct ebt_entry *e = par->entryinfo;
96 struct ebt_ip6_info *info = par->matchinfo; 86 struct ebt_ip6_info *info = par->matchinfo;
97 87
98 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) 88 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
99 return false; 89 return -EINVAL;
100 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) 90 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
101 return false; 91 return -EINVAL;
102 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) { 92 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
103 if (info->invflags & EBT_IP6_PROTO) 93 if (info->invflags & EBT_IP6_PROTO)
104 return false; 94 return -EINVAL;
105 if (info->protocol != IPPROTO_TCP && 95 if (info->protocol != IPPROTO_TCP &&
106 info->protocol != IPPROTO_UDP && 96 info->protocol != IPPROTO_UDP &&
107 info->protocol != IPPROTO_UDPLITE && 97 info->protocol != IPPROTO_UDPLITE &&
108 info->protocol != IPPROTO_SCTP && 98 info->protocol != IPPROTO_SCTP &&
109 info->protocol != IPPROTO_DCCP) 99 info->protocol != IPPROTO_DCCP)
110 return false; 100 return -EINVAL;
111 } 101 }
112 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1]) 102 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
113 return false; 103 return -EINVAL;
114 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1]) 104 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
115 return false; 105 return -EINVAL;
116 return true; 106 return 0;
117} 107}
118 108
119static struct xt_match ebt_ip6_mt_reg __read_mostly = { 109static struct xt_match ebt_ip6_mt_reg __read_mostly = {
@@ -139,4 +129,5 @@ static void __exit ebt_ip6_fini(void)
139module_init(ebt_ip6_init); 129module_init(ebt_ip6_init);
140module_exit(ebt_ip6_fini); 130module_exit(ebt_ip6_fini);
141MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match"); 131MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
132MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>");
142MODULE_LICENSE("GPL"); 133MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7a8182710eb3..4b0e2e53fa57 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -10,6 +10,7 @@
10 * September, 2003 10 * September, 2003
11 * 11 *
12 */ 12 */
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 14#include <linux/module.h>
14#include <linux/netdevice.h> 15#include <linux/netdevice.h>
15#include <linux/spinlock.h> 16#include <linux/spinlock.h>
@@ -64,16 +65,16 @@ user2credits(u_int32_t user)
64 return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE; 65 return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
65} 66}
66 67
67static bool ebt_limit_mt_check(const struct xt_mtchk_param *par) 68static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
68{ 69{
69 struct ebt_limit_info *info = par->matchinfo; 70 struct ebt_limit_info *info = par->matchinfo;
70 71
71 /* Check for overflow. */ 72 /* Check for overflow. */
72 if (info->burst == 0 || 73 if (info->burst == 0 ||
73 user2credits(info->avg * info->burst) < user2credits(info->avg)) { 74 user2credits(info->avg * info->burst) < user2credits(info->avg)) {
74 printk("Overflow in ebt_limit, try lower: %u/%u\n", 75 pr_info("overflow, try lower: %u/%u\n",
75 info->avg, info->burst); 76 info->avg, info->burst);
76 return false; 77 return -EINVAL;
77 } 78 }
78 79
79 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */ 80 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -81,7 +82,7 @@ static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
81 info->credit = user2credits(info->avg * info->burst); 82 info->credit = user2credits(info->avg * info->burst);
82 info->credit_cap = user2credits(info->avg * info->burst); 83 info->credit_cap = user2credits(info->avg * info->burst);
83 info->cost = user2credits(info->avg); 84 info->cost = user2credits(info->avg);
84 return true; 85 return 0;
85} 86}
86 87
87 88
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index e873924ddb5d..c46024156539 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,16 +24,16 @@
24 24
25static DEFINE_SPINLOCK(ebt_log_lock); 25static DEFINE_SPINLOCK(ebt_log_lock);
26 26
27static bool ebt_log_tg_check(const struct xt_tgchk_param *par) 27static int ebt_log_tg_check(const struct xt_tgchk_param *par)
28{ 28{
29 struct ebt_log_info *info = par->targinfo; 29 struct ebt_log_info *info = par->targinfo;
30 30
31 if (info->bitmask & ~EBT_LOG_MASK) 31 if (info->bitmask & ~EBT_LOG_MASK)
32 return false; 32 return -EINVAL;
33 if (info->loglevel >= 8) 33 if (info->loglevel >= 8)
34 return false; 34 return -EINVAL;
35 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0'; 35 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
36 return true; 36 return 0;
37} 37}
38 38
39struct tcpudphdr 39struct tcpudphdr
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2b5ce533d6b9..126e536ff8f4 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -36,21 +36,21 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
36 return info->target | ~EBT_VERDICT_BITS; 36 return info->target | ~EBT_VERDICT_BITS;
37} 37}
38 38
39static bool ebt_mark_tg_check(const struct xt_tgchk_param *par) 39static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
40{ 40{
41 const struct ebt_mark_t_info *info = par->targinfo; 41 const struct ebt_mark_t_info *info = par->targinfo;
42 int tmp; 42 int tmp;
43 43
44 tmp = info->target | ~EBT_VERDICT_BITS; 44 tmp = info->target | ~EBT_VERDICT_BITS;
45 if (BASE_CHAIN && tmp == EBT_RETURN) 45 if (BASE_CHAIN && tmp == EBT_RETURN)
46 return false; 46 return -EINVAL;
47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
48 return false; 48 return -EINVAL;
49 tmp = info->target & ~EBT_VERDICT_BITS; 49 tmp = info->target & ~EBT_VERDICT_BITS;
50 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE && 50 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
51 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE) 51 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
52 return false; 52 return -EINVAL;
53 return true; 53 return 0;
54} 54}
55#ifdef CONFIG_COMPAT 55#ifdef CONFIG_COMPAT
56struct compat_ebt_mark_t_info { 56struct compat_ebt_mark_t_info {
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 8de8c396d913..e4366c0a1a43 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -22,17 +22,17 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
22 return ((skb->mark & info->mask) == info->mark) ^ info->invert; 22 return ((skb->mark & info->mask) == info->mark) ^ info->invert;
23} 23}
24 24
25static bool ebt_mark_mt_check(const struct xt_mtchk_param *par) 25static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
26{ 26{
27 const struct ebt_mark_m_info *info = par->matchinfo; 27 const struct ebt_mark_m_info *info = par->matchinfo;
28 28
29 if (info->bitmask & ~EBT_MARK_MASK) 29 if (info->bitmask & ~EBT_MARK_MASK)
30 return false; 30 return -EINVAL;
31 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND)) 31 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
32 return false; 32 return -EINVAL;
33 if (!info->bitmask) 33 if (!info->bitmask)
34 return false; 34 return -EINVAL;
35 return true; 35 return 0;
36} 36}
37 37
38 38
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 40dbd248b9ae..22e2ad5f23e8 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -35,14 +35,14 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
35 return EBT_CONTINUE; 35 return EBT_CONTINUE;
36} 36}
37 37
38static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par) 38static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
39{ 39{
40 struct ebt_nflog_info *info = par->targinfo; 40 struct ebt_nflog_info *info = par->targinfo;
41 41
42 if (info->flags & ~EBT_NFLOG_MASK) 42 if (info->flags & ~EBT_NFLOG_MASK)
43 return false; 43 return -EINVAL;
44 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0'; 44 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
45 return true; 45 return 0;
46} 46}
47 47
48static struct xt_target ebt_nflog_tg_reg __read_mostly = { 48static struct xt_target ebt_nflog_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index e2a07e6cbef3..f34bcc3197bd 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -20,14 +20,14 @@ ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
20 return (skb->pkt_type == info->pkt_type) ^ info->invert; 20 return (skb->pkt_type == info->pkt_type) ^ info->invert;
21} 21}
22 22
23static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par) 23static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
24{ 24{
25 const struct ebt_pkttype_info *info = par->matchinfo; 25 const struct ebt_pkttype_info *info = par->matchinfo;
26 26
27 if (info->invert != 0 && info->invert != 1) 27 if (info->invert != 0 && info->invert != 1)
28 return false; 28 return -EINVAL;
29 /* Allow any pkt_type value */ 29 /* Allow any pkt_type value */
30 return true; 30 return 0;
31} 31}
32 32
33static struct xt_match ebt_pkttype_mt_reg __read_mostly = { 33static struct xt_match ebt_pkttype_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 9be8fbcd370b..a6044a6f2383 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -32,23 +32,23 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
32 return info->target; 32 return info->target;
33} 33}
34 34
35static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par) 35static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
36{ 36{
37 const struct ebt_redirect_info *info = par->targinfo; 37 const struct ebt_redirect_info *info = par->targinfo;
38 unsigned int hook_mask; 38 unsigned int hook_mask;
39 39
40 if (BASE_CHAIN && info->target == EBT_RETURN) 40 if (BASE_CHAIN && info->target == EBT_RETURN)
41 return false; 41 return -EINVAL;
42 42
43 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 43 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
44 if ((strcmp(par->table, "nat") != 0 || 44 if ((strcmp(par->table, "nat") != 0 ||
45 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) && 45 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
46 (strcmp(par->table, "broute") != 0 || 46 (strcmp(par->table, "broute") != 0 ||
47 hook_mask & ~(1 << NF_BR_BROUTING))) 47 hook_mask & ~(1 << NF_BR_BROUTING)))
48 return false; 48 return -EINVAL;
49 if (INVALID_TARGET) 49 if (INVALID_TARGET)
50 return false; 50 return -EINVAL;
51 return true; 51 return 0;
52} 52}
53 53
54static struct xt_target ebt_redirect_tg_reg __read_mostly = { 54static struct xt_target ebt_redirect_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 9c7b520765a2..79caca34ae2b 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -42,21 +42,21 @@ out:
42 return info->target | ~EBT_VERDICT_BITS; 42 return info->target | ~EBT_VERDICT_BITS;
43} 43}
44 44
45static bool ebt_snat_tg_check(const struct xt_tgchk_param *par) 45static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
46{ 46{
47 const struct ebt_nat_info *info = par->targinfo; 47 const struct ebt_nat_info *info = par->targinfo;
48 int tmp; 48 int tmp;
49 49
50 tmp = info->target | ~EBT_VERDICT_BITS; 50 tmp = info->target | ~EBT_VERDICT_BITS;
51 if (BASE_CHAIN && tmp == EBT_RETURN) 51 if (BASE_CHAIN && tmp == EBT_RETURN)
52 return false; 52 return -EINVAL;
53 53
54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
55 return false; 55 return -EINVAL;
56 tmp = info->target | EBT_VERDICT_BITS; 56 tmp = info->target | EBT_VERDICT_BITS;
57 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT) 57 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
58 return false; 58 return -EINVAL;
59 return true; 59 return 0;
60} 60}
61 61
62static struct xt_target ebt_snat_tg_reg __read_mostly = { 62static struct xt_target ebt_snat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 92a93d363765..02f28fdda393 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
153 return true; 153 return true;
154} 154}
155 155
156static bool ebt_stp_mt_check(const struct xt_mtchk_param *par) 156static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
157{ 157{
158 const struct ebt_stp_info *info = par->matchinfo; 158 const struct ebt_stp_info *info = par->matchinfo;
159 const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00}; 159 const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
@@ -162,13 +162,13 @@ static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
162 162
163 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK || 163 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
164 !(info->bitmask & EBT_STP_MASK)) 164 !(info->bitmask & EBT_STP_MASK))
165 return false; 165 return -EINVAL;
166 /* Make sure the match only receives stp frames */ 166 /* Make sure the match only receives stp frames */
167 if (compare_ether_addr(e->destmac, bridge_ula) || 167 if (compare_ether_addr(e->destmac, bridge_ula) ||
168 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC)) 168 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
169 return false; 169 return -EINVAL;
170 170
171 return true; 171 return 0;
172} 172}
173 173
174static struct xt_match ebt_stp_mt_reg __read_mostly = { 174static struct xt_match ebt_stp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index f9560f3dbdc7..852f37c27659 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -27,7 +27,7 @@
27 * flushed even if it is not full yet. 27 * flushed even if it is not full yet.
28 * 28 *
29 */ 29 */
30 30#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
31#include <linux/module.h> 31#include <linux/module.h>
32#include <linux/slab.h> 32#include <linux/slab.h>
33#include <linux/spinlock.h> 33#include <linux/spinlock.h>
@@ -44,9 +44,6 @@
44#include <net/sock.h> 44#include <net/sock.h>
45#include "../br_private.h" 45#include "../br_private.h"
46 46
47#define PRINTR(format, args...) do { if (net_ratelimit()) \
48 printk(format , ## args); } while (0)
49
50static unsigned int nlbufsiz = NLMSG_GOODSIZE; 47static unsigned int nlbufsiz = NLMSG_GOODSIZE;
51module_param(nlbufsiz, uint, 0600); 48module_param(nlbufsiz, uint, 0600);
52MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " 49MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) "
@@ -107,15 +104,14 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
107 n = max(size, nlbufsiz); 104 n = max(size, nlbufsiz);
108 skb = alloc_skb(n, GFP_ATOMIC); 105 skb = alloc_skb(n, GFP_ATOMIC);
109 if (!skb) { 106 if (!skb) {
110 PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " 107 pr_debug("cannot alloc whole buffer of size %ub!\n", n);
111 "of size %ub!\n", n);
112 if (n > size) { 108 if (n > size) {
113 /* try to allocate only as much as we need for 109 /* try to allocate only as much as we need for
114 * current packet */ 110 * current packet */
115 skb = alloc_skb(size, GFP_ATOMIC); 111 skb = alloc_skb(size, GFP_ATOMIC);
116 if (!skb) 112 if (!skb)
117 PRINTR(KERN_ERR "ebt_ulog: can't even allocate " 113 pr_debug("cannot even allocate "
118 "buffer of size %ub\n", size); 114 "buffer of size %ub\n", size);
119 } 115 }
120 } 116 }
121 117
@@ -142,8 +138,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
142 138
143 size = NLMSG_SPACE(sizeof(*pm) + copy_len); 139 size = NLMSG_SPACE(sizeof(*pm) + copy_len);
144 if (size > nlbufsiz) { 140 if (size > nlbufsiz) {
145 PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n", 141 pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz);
146 size, nlbufsiz);
147 return; 142 return;
148 } 143 }
149 144
@@ -217,8 +212,8 @@ unlock:
217 return; 212 return;
218 213
219nlmsg_failure: 214nlmsg_failure:
220 printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should " 215 pr_debug("error during NLMSG_PUT. This should "
221 "not happen, please report to author.\n"); 216 "not happen, please report to author.\n");
222 goto unlock; 217 goto unlock;
223alloc_failure: 218alloc_failure:
224 goto unlock; 219 goto unlock;
@@ -255,19 +250,19 @@ ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
255 return EBT_CONTINUE; 250 return EBT_CONTINUE;
256} 251}
257 252
258static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par) 253static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
259{ 254{
260 struct ebt_ulog_info *uloginfo = par->targinfo; 255 struct ebt_ulog_info *uloginfo = par->targinfo;
261 256
262 if (uloginfo->nlgroup > 31) 257 if (uloginfo->nlgroup > 31)
263 return false; 258 return -EINVAL;
264 259
265 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; 260 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
266 261
267 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN) 262 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
268 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN; 263 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
269 264
270 return true; 265 return 0;
271} 266}
272 267
273static struct xt_target ebt_ulog_tg_reg __read_mostly = { 268static struct xt_target ebt_ulog_tg_reg __read_mostly = {
@@ -292,8 +287,8 @@ static int __init ebt_ulog_init(void)
292 int i; 287 int i;
293 288
294 if (nlbufsiz >= 128*1024) { 289 if (nlbufsiz >= 128*1024) {
295 printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB," 290 pr_warning("Netlink buffer has to be <= 128kB,"
296 " please try a smaller nlbufsiz parameter.\n"); 291 " please try a smaller nlbufsiz parameter.\n");
297 return -EINVAL; 292 return -EINVAL;
298 } 293 }
299 294
@@ -306,13 +301,10 @@ static int __init ebt_ulog_init(void)
306 ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG, 301 ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG,
307 EBT_ULOG_MAXNLGROUPS, NULL, NULL, 302 EBT_ULOG_MAXNLGROUPS, NULL, NULL,
308 THIS_MODULE); 303 THIS_MODULE);
309 if (!ebtulognl) { 304 if (!ebtulognl)
310 printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to "
311 "call netlink_kernel_create\n");
312 ret = -ENOMEM; 305 ret = -ENOMEM;
313 } else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) { 306 else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0)
314 netlink_kernel_release(ebtulognl); 307 netlink_kernel_release(ebtulognl);
315 }
316 308
317 if (ret == 0) 309 if (ret == 0)
318 nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger); 310 nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index be1dd2e1f615..bf8ae5c7a0c5 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -26,17 +26,12 @@
26#include <linux/netfilter_bridge/ebtables.h> 26#include <linux/netfilter_bridge/ebtables.h>
27#include <linux/netfilter_bridge/ebt_vlan.h> 27#include <linux/netfilter_bridge/ebt_vlan.h>
28 28
29static int debug;
30#define MODULE_VERS "0.6" 29#define MODULE_VERS "0.6"
31 30
32module_param(debug, int, 0);
33MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
34MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>"); 31MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>");
35MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match"); 32MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
36MODULE_LICENSE("GPL"); 33MODULE_LICENSE("GPL");
37 34
38
39#define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args)
40#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_ 35#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
41#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } 36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
42 37
@@ -84,32 +79,31 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
84 return true; 79 return true;
85} 80}
86 81
87static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) 82static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
88{ 83{
89 struct ebt_vlan_info *info = par->matchinfo; 84 struct ebt_vlan_info *info = par->matchinfo;
90 const struct ebt_entry *e = par->entryinfo; 85 const struct ebt_entry *e = par->entryinfo;
91 86
92 /* Is it 802.1Q frame checked? */ 87 /* Is it 802.1Q frame checked? */
93 if (e->ethproto != htons(ETH_P_8021Q)) { 88 if (e->ethproto != htons(ETH_P_8021Q)) {
94 DEBUG_MSG 89 pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
95 ("passed entry proto %2.4X is not 802.1Q (8100)\n", 90 ntohs(e->ethproto));
96 (unsigned short) ntohs(e->ethproto)); 91 return -EINVAL;
97 return false;
98 } 92 }
99 93
100 /* Check for bitmask range 94 /* Check for bitmask range
101 * True if even one bit is out of mask */ 95 * True if even one bit is out of mask */
102 if (info->bitmask & ~EBT_VLAN_MASK) { 96 if (info->bitmask & ~EBT_VLAN_MASK) {
103 DEBUG_MSG("bitmask %2X is out of mask (%2X)\n", 97 pr_debug("bitmask %2X is out of mask (%2X)\n",
104 info->bitmask, EBT_VLAN_MASK); 98 info->bitmask, EBT_VLAN_MASK);
105 return false; 99 return -EINVAL;
106 } 100 }
107 101
108 /* Check for inversion flags range */ 102 /* Check for inversion flags range */
109 if (info->invflags & ~EBT_VLAN_MASK) { 103 if (info->invflags & ~EBT_VLAN_MASK) {
110 DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n", 104 pr_debug("inversion flags %2X is out of mask (%2X)\n",
111 info->invflags, EBT_VLAN_MASK); 105 info->invflags, EBT_VLAN_MASK);
112 return false; 106 return -EINVAL;
113 } 107 }
114 108
115 /* Reserved VLAN ID (VID) values 109 /* Reserved VLAN ID (VID) values
@@ -121,10 +115,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
121 if (GET_BITMASK(EBT_VLAN_ID)) { 115 if (GET_BITMASK(EBT_VLAN_ID)) {
122 if (!!info->id) { /* if id!=0 => check vid range */ 116 if (!!info->id) { /* if id!=0 => check vid range */
123 if (info->id > VLAN_GROUP_ARRAY_LEN) { 117 if (info->id > VLAN_GROUP_ARRAY_LEN) {
124 DEBUG_MSG 118 pr_debug("id %d is out of range (1-4096)\n",
125 ("id %d is out of range (1-4096)\n", 119 info->id);
126 info->id); 120 return -EINVAL;
127 return false;
128 } 121 }
129 /* Note: This is valid VLAN-tagged frame point. 122 /* Note: This is valid VLAN-tagged frame point.
130 * Any value of user_priority are acceptable, 123 * Any value of user_priority are acceptable,
@@ -137,9 +130,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
137 130
138 if (GET_BITMASK(EBT_VLAN_PRIO)) { 131 if (GET_BITMASK(EBT_VLAN_PRIO)) {
139 if ((unsigned char) info->prio > 7) { 132 if ((unsigned char) info->prio > 7) {
140 DEBUG_MSG("prio %d is out of range (0-7)\n", 133 pr_debug("prio %d is out of range (0-7)\n",
141 info->prio); 134 info->prio);
142 return false; 135 return -EINVAL;
143 } 136 }
144 } 137 }
145 /* Check for encapsulated proto range - it is possible to be 138 /* Check for encapsulated proto range - it is possible to be
@@ -147,14 +140,13 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
147 * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */ 140 * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */
148 if (GET_BITMASK(EBT_VLAN_ENCAP)) { 141 if (GET_BITMASK(EBT_VLAN_ENCAP)) {
149 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) { 142 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
150 DEBUG_MSG 143 pr_debug("encap frame length %d is less than "
151 ("encap frame length %d is less than minimal\n", 144 "minimal\n", ntohs(info->encap));
152 ntohs(info->encap)); 145 return -EINVAL;
153 return false;
154 } 146 }
155 } 147 }
156 148
157 return true; 149 return 0;
158} 150}
159 151
160static struct xt_match ebt_vlan_mt_reg __read_mostly = { 152static struct xt_match ebt_vlan_mt_reg __read_mostly = {
@@ -169,9 +161,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = {
169 161
170static int __init ebt_vlan_init(void) 162static int __init ebt_vlan_init(void)
171{ 163{
172 DEBUG_MSG("ebtables 802.1Q extension module v" 164 pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n");
173 MODULE_VERS "\n");
174 DEBUG_MSG("module debug=%d\n", !!debug);
175 return xt_register_match(&ebt_vlan_mt_reg); 165 return xt_register_match(&ebt_vlan_mt_reg);
176} 166}
177 167
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f0865fd1e3ec..1d8c2c0a7470 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -14,8 +14,7 @@
14 * as published by the Free Software Foundation; either version 14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version. 15 * 2 of the License, or (at your option) any later version.
16 */ 16 */
17 17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19#include <linux/kmod.h> 18#include <linux/kmod.h>
20#include <linux/module.h> 19#include <linux/module.h>
21#include <linux/vmalloc.h> 20#include <linux/vmalloc.h>
@@ -363,12 +362,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
363 left - sizeof(struct ebt_entry_match) < m->match_size) 362 left - sizeof(struct ebt_entry_match) < m->match_size)
364 return -EINVAL; 363 return -EINVAL;
365 364
366 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, 365 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
367 m->u.name, 0), "ebt_%s", m->u.name);
368 if (IS_ERR(match)) 366 if (IS_ERR(match))
369 return PTR_ERR(match); 367 return PTR_ERR(match);
370 if (match == NULL)
371 return -ENOENT;
372 m->u.match = match; 368 m->u.match = match;
373 369
374 par->match = match; 370 par->match = match;
@@ -397,13 +393,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
397 left - sizeof(struct ebt_entry_watcher) < w->watcher_size) 393 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
398 return -EINVAL; 394 return -EINVAL;
399 395
400 watcher = try_then_request_module( 396 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
401 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
402 "ebt_%s", w->u.name);
403 if (IS_ERR(watcher)) 397 if (IS_ERR(watcher))
404 return PTR_ERR(watcher); 398 return PTR_ERR(watcher);
405 if (watcher == NULL)
406 return -ENOENT;
407 w->u.watcher = watcher; 399 w->u.watcher = watcher;
408 400
409 par->target = watcher; 401 par->target = watcher;
@@ -716,15 +708,10 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
716 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); 708 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
717 gap = e->next_offset - e->target_offset; 709 gap = e->next_offset - e->target_offset;
718 710
719 target = try_then_request_module( 711 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
720 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
721 "ebt_%s", t->u.name);
722 if (IS_ERR(target)) { 712 if (IS_ERR(target)) {
723 ret = PTR_ERR(target); 713 ret = PTR_ERR(target);
724 goto cleanup_watchers; 714 goto cleanup_watchers;
725 } else if (target == NULL) {
726 ret = -ENOENT;
727 goto cleanup_watchers;
728 } 715 }
729 716
730 t->u.target = target; 717 t->u.target = target;
@@ -2128,7 +2115,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2128 return ret; 2115 return ret;
2129 new_offset += ret; 2116 new_offset += ret;
2130 if (offsets_update && new_offset) { 2117 if (offsets_update && new_offset) {
2131 pr_debug("ebtables: change offset %d to %d\n", 2118 pr_debug("change offset %d to %d\n",
2132 offsets_update[i], offsets[j] + new_offset); 2119 offsets_update[i], offsets[j] + new_offset);
2133 offsets_update[i] = offsets[j] + new_offset; 2120 offsets_update[i] = offsets[j] + new_offset;
2134 } 2121 }
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-28 21:34:07 -0500