/*
 *      Handle firewalling
 *      Linux ethernet bridge
 *
 *      Authors:
 *      Lennert Buytenhek               <buytenh@gnu.org>
 *      Bart De Schuymer (maintainer)   <bdschuym@pandora.be>
 *
 *      Changes:
 *      Apr 29 2003: physdev module support (bdschuym)
 *      Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
 *      Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
 *                   (bdschuym)
 *      Sep 01 2004: add IPv6 filtering (bdschuym)
 *
 *      This program is free software; you can redistribute it and/or
 *      modify it under the terms of the GNU General Public License
 *      as published by the Free Software Foundation; either version
 *      2 of the License, or (at your option) any later version.
 *
 *      Lennert dedicates this file to Kerstin Wurdinger.
 */

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/ip.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <linux/if_pppox.h>
#include <linux/ppp_defs.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter_arp.h>
#include <linux/in_route.h>
#include <linux/inetdevice.h>

#include <net/ip.h>
#include <net/ipv6.h>
#include <net/route.h>

#include <asm/uaccess.h>
#include "br_private.h"
#ifdef CONFIG_SYSCTL
#include <linux/sysctl.h>
#endif

#define skb_origaddr(skb)        (((struct bridge_skb_cb *) \
                                 (skb->nf_bridge->data))->daddr.ipv4)
#define store_orig_dstaddr(skb)  (skb_origaddr(skb) = ip_hdr(skb)->daddr)
#define dnat_took_place(skb)     (skb_origaddr(skb) != ip_hdr(skb)->daddr)

#ifdef CONFIG_SYSCTL
static struct ctl_table_header *brnf_sysctl_header;
static int brnf_call_iptables __read_mostly = 1;
static int brnf_call_ip6tables __read_mostly = 1;
static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 0;
static int brnf_filter_pppoe_tagged __read_mostly = 0;
#else
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#endif

static inline __be16 vlan_proto(const struct sk_buff *skb)
{
        return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
}

#define IS_VLAN_IP(skb) \
        (skb->protocol == htons(ETH_P_8021Q) && \
         vlan_proto(skb) == htons(ETH_P_IP) &&  \
         brnf_filter_vlan_tagged)

#define IS_VLAN_IPV6(skb) \
        (skb->protocol == htons(ETH_P_8021Q) && \
         vlan_proto(skb) == htons(ETH_P_IPV6) &&\
         brnf_filter_vlan_tagged)

#define IS_VLAN_ARP(skb) \
        (skb->protocol == htons(ETH_P_8021Q) && \
         vlan_proto(skb) == htons(ETH_P_ARP) && \
         brnf_filter_vlan_tagged)

static inline __be16 pppoe_proto(const struct sk_buff *skb)
{
        return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
                            sizeof(struct pppoe_hdr)));
}

#define IS_PPPOE_IP(skb) \
        (skb->protocol == htons(ETH_P_PPP_SES) && \
         pppoe_proto(skb) == htons(PPP_IP) && \
         brnf_filter_pppoe_tagged)

#define IS_PPPOE_IPV6(skb) \
        (skb->protocol == htons(ETH_P_PPP_SES) && \
         pppoe_proto(skb) == htons(PPP_IPV6) && \
         brnf_filter_pppoe_tagged)

static void fake_update_pmtu(struct dst_entry *dst, u32 mtu)
{
}

static struct dst_ops fake_dst_ops = {
        .family =               AF_INET,
        .protocol =             cpu_to_be16(ETH_P_IP),
        .update_pmtu =          fake_update_pmtu,
        .entries =              ATOMIC_INIT(0),
};

/*
 * Initialize bogus route table used to keep netfilter happy.
 * Currently, we fill in the PMTU entry because netfilter
 * refragmentation needs it, and the rt_flags entry because
 * ipt_REJECT needs it.  Future netfilter modules might
 * require us to fill additional fields.
 */
void br_netfilter_rtable_init(struct net_bridge *br)
{
        struct rtable *rt = &br->fake_rtable;

        atomic_set(&rt->u.dst.__refcnt, 1);
        rt->u.dst.dev = br->dev;
        rt->u.dst.path = &rt->u.dst;
        rt->u.dst.metrics[RTAX_MTU - 1] = 1500;
        rt->u.dst.flags = DST_NOXFRM;
        rt->u.dst.ops = &fake_dst_ops;
}

static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
{
        struct net_bridge_port *port = rcu_dereference(dev->br_port);

        return port ? &port->br->fake_rtable : NULL;
}

static inline struct net_device *bridge_parent(const struct net_device *dev)
{
        struct net_bridge_port *port = rcu_dereference(dev->br_port);

        return port ? port->br->dev : NULL;
}

static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
{
        skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
        if (likely(skb->nf_bridge))
                atomic_set(&(skb->nf_bridge->use), 1);

        return skb->nf_bridge;
}

static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
{
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;

        if (atomic_read(&nf_bridge->use) > 1) {
                struct nf_bridge_info *tmp = nf_bridge_alloc(skb);

                if (tmp) {
                        memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
                        atomic_set(&tmp->use, 1);
                        nf_bridge_put(nf_bridge);
                }
                nf_bridge = tmp;
        }
        return nf_bridge;
}

static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
{
        unsigned int len = nf_bridge_encap_header_len(skb);

        skb_push(skb, len);
        skb->network_header -= len;
}

static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
{
        unsigned int len = nf_bridge_encap_header_len(skb);

        skb_pull(skb, len);
        skb->network_header += len;
}

static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
{
        unsigned int len = nf_bridge_encap_header_len(skb);

        skb_pull_rcsum(skb, len);
        skb->network_header += len;
}

static inline void nf_bridge_save_header(struct sk_buff *skb)
{
        int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);

        skb_copy_from_linear_data_offset(skb, -header_size,
                                         skb->nf_bridge->data, header_size);
}

/*
 * When forwarding bridge frames, we save a copy of the original
 * header before processing.
 */
int nf_bridge_copy_header(struct sk_buff *skb)
{
        int err;
        int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);

        err = skb_cow_head(skb, header_size);
        if (err)
                return err;

        skb_copy_to_linear_data_offset(skb, -header_size,
                                       skb->nf_bridge->data, header_size);
        __skb_push(skb, nf_bridge_encap_header_len(skb));
        return 0;
}

/* PF_BRIDGE/PRE_ROUTING *********************************************/
/* Undo the changes made for ip6tables PREROUTING and continue the
 * bridge PRE_ROUTING hook. */
static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
{
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
        struct rtable *rt;

        if (nf_bridge->mask & BRNF_PKT_TYPE) {
                skb->pkt_type = PACKET_OTHERHOST;
                nf_bridge->mask ^= BRNF_PKT_TYPE;
        }
        nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;

        rt = bridge_parent_rtable(nf_bridge->physindev);
        if (!rt) {
                kfree_skb(skb);
                return 0;
        }
        dst_hold(&rt->u.dst);
        skb_dst_set(skb, &rt->u.dst);

        skb->dev = nf_bridge->physindev;
        nf_bridge_push_encap_header(skb);
        NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
                       br_handle_frame_finish, 1);

        return 0;
}

static void __br_dnat_complain(void)
{
        static unsigned long last_complaint;

        if (jiffies - last_complaint >= 5 * HZ) {
                printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
                       "forwarding to be enabled\n");
                last_complaint = jiffies;
        }
}

/* This requires some explaining. If DNAT has taken place,
 * we will need to fix up the destination Ethernet address,
 * and this is a tricky process.
 *
 * There are two cases to consider:
 * 1. The packet was DNAT'ed to a device in the same bridge
 *    port group as it was received on. We can still bridge
 *    the packet.
 * 2. The packet was DNAT'ed to a different device, either
 *    a non-bridged device or another bridge port group.
 *    The packet will need to be routed.
 *
 * The correct way of distinguishing between these two cases is to
 * call ip_route_input() and to look at skb->dst->dev, which is
 * changed to the destination device if ip_route_input() succeeds.
 *
 * Let us first consider the case that ip_route_input() succeeds:
 *
 * If skb->dst->dev equals the logical bridge device the packet
 * came in on, we can consider this bridging. The packet is passed
 * through the neighbour output function to build a new destination
 * MAC address, which will make the packet enter br_nf_local_out()
 * not much later. In that function it is assured that the iptables
 * FORWARD chain is traversed for the packet.
 *
 * Otherwise, the packet is considered to be routed and we just
 * change the destination MAC address so that the packet will
 * later be passed up to the IP stack to be routed. For a redirected
 * packet, ip_route_input() will give back the localhost as output device,
 * which differs from the bridge device.
 *
 * Let us now consider the case that ip_route_input() fails:
 *
 * This can be because the destination address is martian, in which case
 * the packet will be dropped.
 * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input()
 * will fail, while __ip_route_output_key() will return success. The source
 * address for __ip_route_output_key() is set to zero, so __ip_route_output_key
 * thinks we're handling a locally generated packet and won't care
 * if IP forwarding is allowed. We send a warning message to the users's
 * log telling her to put IP forwarding on.
 *
 * ip_route_input() will also fail if there is no route available.
 * In that case we just drop the packet.
 *
 * --Lennert, 20020411
 * --Bart, 20020416 (updated)
 * --Bart, 20021007 (updated)
 * --Bart, 20062711 (updated) */
static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
{
        if (skb->pkt_type == PACKET_OTHERHOST) {
                skb->pkt_type = PACKET_HOST;
                skb->nf_bridge->mask |= BRNF_PKT_TYPE;
        }
        skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;

        skb->dev = bridge_parent(skb->dev);
        if (skb->dev) {
                struct dst_entry *dst = skb_dst(skb);

                nf_bridge_pull_encap_header(skb);

                if (dst->hh)
                        return neigh_hh_output(dst->hh, skb);
                else if (dst->neighbour)
                        return dst->neighbour->output(skb);
        }
        kfree_skb(skb);
        return 0;
}

static int br_nf_pre_routing_finish(struct sk_buff *skb)
{
        struct net_device *dev = skb->dev;
        struct iphdr *iph = ip_hdr(skb);
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
        struct rtable *rt;
        int err;

        if (nf_bridge->mask & BRNF_PKT_TYPE) {
                skb->pkt_type = PACKET_OTHERHOST;
                nf_bridge->mask ^= BRNF_PKT_TYPE;
        }
        nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
        if (dnat_took_place(skb)) {
                if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
                        struct flowi fl = {
                                .nl_u = {
                                        .ip4_u = {
                                                 .daddr = iph->daddr,
                                                 .saddr = 0,
                                                 .tos = RT_TOS(iph->tos) },
                                },
                                .proto = 0,
                        };
                        struct in_device *in_dev = __in_dev_get_rcu(dev);

                        /* If err equals -EHOSTUNREACH the error is due to a
                         * martian destination or due to the fact that
                         * forwarding is disabled. For most martian packets,
                         * ip_route_output_key() will fail. It won't fail for 2 types of
                         * martian destinations: loopback destinations and destination
                         * 0.0.0.0. In both cases the packet will be dropped because the
                         * destination is the loopback device and not the bridge. */
                        if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
                                goto free_skb;

                        if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
                                /* - Bridged-and-DNAT'ed traffic doesn't
                                 *   require ip_forwarding. */
                                if (((struct dst_entry *)rt)->dev == dev) {
                                        skb_dst_set(skb, (struct dst_entry *)rt);
                                        goto bridged_dnat;
                                }
                                /* we are sure that forwarding is disabled, so printing
                                 * this message is no problem. Note that the packet could
                                 * still have a martian destination address, in which case
                                 * the packet could be dropped even if forwarding were enabled */
                                __br_dnat_complain();
                                dst_release((struct dst_entry *)rt);
                        }
free_skb:
                        kfree_skb(skb);
                        return 0;
                } else {
                        if (skb_dst(skb)->dev == dev) {
bridged_dnat:
                                /* Tell br_nf_local_out this is a
                                 * bridged frame */
                                nf_bridge->mask |= BRNF_BRIDGED_DNAT;
                                skb->dev = nf_bridge->physindev;
                                nf_bridge_push_encap_header(skb);
                                NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
                                               skb, skb->dev, NULL,
                                               br_nf_pre_routing_finish_bridge,
                                               1);
                                return 0;
                        }
                        memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, ETH_ALEN);
                        skb->pkt_type = PACKET_HOST;
                }
        } else {
                rt = bridge_parent_rtable(nf_bridge->physindev);
                if (!rt) {
                        kfree_skb(skb);
                        return 0;
                }
                dst_hold(&rt->u.dst);
                skb_dst_set(skb, &rt->u.dst);
        }

        skb->dev = nf_bridge->physindev;
        nf_bridge_push_encap_header(skb);
        NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
                       br_handle_frame_finish, 1);

        return 0;
}

/* Some common code for IPv4/IPv6 */
static struct net_device *setup_pre_routing(struct sk_buff *skb)
{
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;

        if (skb->pkt_type == PACKET_OTHERHOST) {
                skb->pkt_type = PACKET_HOST;
                nf_bridge->mask |= BRNF_PKT_TYPE;
        }

        nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
        nf_bridge->physindev = skb->dev;
        skb->dev = bridge_parent(skb->dev);

        return skb->dev;
}

/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */
static int check_hbh_len(struct sk_buff *skb)
{
        unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
        u32 pkt_len;
        const unsigned char *nh = skb_network_header(skb);
        int off = raw - nh;
        int len = (raw[1] + 1) << 3;

        if ((raw + len) - skb->data > skb_headlen(skb))
                goto bad;

        off += 2;
        len -= 2;

        while (len > 0) {
                int optlen = nh[off + 1] + 2;

                switch (nh[off]) {
                case IPV6_TLV_PAD0:
                        optlen = 1;
                        break;

                case IPV6_TLV_PADN:
                        break;

                case IPV6_TLV_JUMBO:
                        if (nh[off + 1] != 4 || (off & 3) != 2)
                                goto bad;
                        pkt_len = ntohl(*(__be32 *) (nh + off + 2));
                        if (pkt_len <= IPV6_MAXPLEN ||
                            ipv6_hdr(skb)->payload_len)
                                goto bad;
                        if (pkt_len > skb->len - sizeof(struct ipv6hdr))
                                goto bad;
                        if (pskb_trim_rcsum(skb,
                                            pkt_len + sizeof(struct ipv6hdr)))
                                goto bad;
                        nh = skb_network_header(skb);
                        break;
                default:
                        if (optlen > len)
                                goto bad;
                        break;
                }
                off += optlen;
                len -= optlen;
        }
        if (len == 0)
                return 0;
bad:
        return -1;

}

/* Replicate the checks that IPv6 does on packet reception and pass the packet
 * to ip6tables, which doesn't support NAT, so things are fairly simple. */
static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
                                           struct sk_buff *skb,
                                           const struct net_device *in,
                                           const struct net_device *out,
                                           int (*okfn)(struct sk_buff *))
{
        struct ipv6hdr *hdr;
        u32 pkt_len;

        if (skb->len < sizeof(struct ipv6hdr))
                goto inhdr_error;

        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
                goto inhdr_error;

        hdr = ipv6_hdr(skb);

        if (hdr->version != 6)
                goto inhdr_error;

        pkt_len = ntohs(hdr->payload_len);

        if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
                if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
                        goto inhdr_error;
                if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr)))
                        goto inhdr_error;
        }
        if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
                goto inhdr_error;

        nf_bridge_put(skb->nf_bridge);
        if (!nf_bridge_alloc(skb))
                return NF_DROP;
        if (!setup_pre_routing(skb))
                return NF_DROP;

        NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
                br_nf_pre_routing_finish_ipv6);

        return NF_STOLEN;

inhdr_error:
        return NF_DROP;
}

/* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 * Replicate the checks that IPv4 does on packet reception.
 * Set skb->dev to the bridge device (i.e. parent of the
 * receiving device) to make netfilter happy, the REDIRECT
 * target in particular.  Save the original destination IP
 * address to be able to detect DNAT afterwards. */
static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
                                      const struct net_device *in,
                                      const struct net_device *out,
                                      int (*okfn)(struct sk_buff *))
{
        struct iphdr *iph;
        __u32 len = nf_bridge_encap_header_len(skb);

        if (unlikely(!pskb_may_pull(skb, len)))
                goto out;

        if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
            IS_PPPOE_IPV6(skb)) {
#ifdef CONFIG_SYSCTL
                if (!brnf_call_ip6tables)
                        return NF_ACCEPT;
#endif
                nf_bridge_pull_encap_header_rcsum(skb);
                return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
        }
#ifdef CONFIG_SYSCTL
        if (!brnf_call_iptables)
                return NF_ACCEPT;
#endif

        if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
            !IS_PPPOE_IP(skb))
                return NF_ACCEPT;

        nf_bridge_pull_encap_header_rcsum(skb);

        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
                goto inhdr_error;

        iph = ip_hdr(skb);
        if (iph->ihl < 5 || iph->version != 4)
                goto inhdr_error;

        if (!pskb_may_pull(skb, 4 * iph->ihl))
                goto inhdr_error;

        iph = ip_hdr(skb);
        if (ip_fast_csum((__u8 *) iph, iph->ihl) != 0)
                goto inhdr_error;

        len = ntohs(iph->tot_len);
        if (skb->len < len || len < 4 * iph->ihl)
                goto inhdr_error;

        pskb_trim_rcsum(skb, len);

        nf_bridge_put(skb->nf_bridge);
        if (!nf_bridge_alloc(skb))
                return NF_DROP;
        if (!setup_pre_routing(skb))
                return NF_DROP;
        store_orig_dstaddr(skb);

        NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
                br_nf_pre_routing_finish);

        return NF_STOLEN;

inhdr_error:
//      IP_INC_STATS_BH(IpInHdrErrors);
out:
        return NF_DROP;
}


/* PF_BRIDGE/LOCAL_IN ************************************************/
/* The packet is locally destined, which requires a real
 * dst_entry, so detach the fake one.  On the way up, the
 * packet would pass through PRE_ROUTING again (which already
 * took place when the packet entered the bridge), but we
 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 * prevent this from happening. */
static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb,
                                   const struct net_device *in,
                                   const struct net_device *out,
                                   int (*okfn)(struct sk_buff *))
{
        struct rtable *rt = skb_rtable(skb);

        if (rt && rt == bridge_parent_rtable(in))
                skb_dst_drop(skb);

        return NF_ACCEPT;
}

/* PF_BRIDGE/FORWARD *************************************************/
static int br_nf_forward_finish(struct sk_buff *skb)
{
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
        struct net_device *in;

        if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP(skb)) {
                in = nf_bridge->physindev;
                if (nf_bridge->mask & BRNF_PKT_TYPE) {
                        skb->pkt_type = PACKET_OTHERHOST;
                        nf_bridge->mask ^= BRNF_PKT_TYPE;
                }
        } else {
                in = *((struct net_device **)(skb->cb));
        }
        nf_bridge_push_encap_header(skb);
        NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
                       skb->dev, br_forward_finish, 1);
        return 0;
}

/* This is the 'purely bridged' case.  For IP, we pass the packet to
 * netfilter with indev and outdev set to the bridge device,
 * but we are still able to filter on the 'real' indev/outdev
 * because of the physdev module. For ARP, indev and outdev are the
 * bridge ports. */
static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
                                     const struct net_device *in,
                                     const struct net_device *out,
                                     int (*okfn)(struct sk_buff *))
{
        struct nf_bridge_info *nf_bridge;
        struct net_device *parent;
        u_int8_t pf;

        if (!skb->nf_bridge)
                return NF_ACCEPT;

        /* Need exclusive nf_bridge_info since we might have multiple
         * different physoutdevs. */
        if (!nf_bridge_unshare(skb))
                return NF_DROP;

        parent = bridge_parent(out);
        if (!parent)
                return NF_DROP;

        if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
            IS_PPPOE_IP(skb))
                pf = PF_INET;
        else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
                 IS_PPPOE_IPV6(skb))
                pf = PF_INET6;
        else
                return NF_ACCEPT;

        nf_bridge_pull_encap_header(skb);

        nf_bridge = skb->nf_bridge;
        if (skb->pkt_type == PACKET_OTHERHOST) {
                skb->pkt_type = PACKET_HOST;
                nf_bridge->mask |= BRNF_PKT_TYPE;
        }

        /* The physdev module checks on this */
        nf_bridge->mask |= BRNF_BRIDGED;
        nf_bridge->physoutdev = skb->dev;

        NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
                br_nf_forward_finish);

        return NF_STOLEN;
}

static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
                                      const struct net_device *in,
                                      const struct net_device *out,
                                      int (*okfn)(struct sk_buff *))
{
        struct net_device **d = (struct net_device **)(skb->cb);

#ifdef CONFIG_SYSCTL
        if (!brnf_call_arptables)
                return NF_ACCEPT;
#endif

        if (skb->protocol != htons(ETH_P_ARP)) {
                if (!IS_VLAN_ARP(skb))
                        return NF_ACCEPT;
                nf_bridge_pull_encap_header(skb);
        }

        if (arp_hdr(skb)->ar_pln != 4) {
                if (IS_VLAN_ARP(skb))
                        nf_bridge_push_encap_header(skb);
                return NF_ACCEPT;
        }
        *d = (struct net_device *)in;
        NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
                (struct net_device *)out, br_nf_forward_finish);

        return NF_STOLEN;
}

/* PF_BRIDGE/LOCAL_OUT ***********************************************
 *
 * This function sees both locally originated IP packets and forwarded
 * IP packets (in both cases the destination device is a bridge
 * device). It also sees bridged-and-DNAT'ed packets.
 *
 * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
 * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
 * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
 * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
 * will be executed.
 */
static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
                                    const struct net_device *in,
                                    const struct net_device *out,
                                    int (*okfn)(struct sk_buff *))
{
        struct net_device *realindev;
        struct nf_bridge_info *nf_bridge;

        if (!skb->nf_bridge)
                return NF_ACCEPT;

        /* Need exclusive nf_bridge_info since we might have multiple
         * different physoutdevs. */
        if (!nf_bridge_unshare(skb))
                return NF_DROP;

        nf_bridge = skb->nf_bridge;
        if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
                return NF_ACCEPT;

        /* Bridged, take PF_BRIDGE/FORWARD.
         * (see big note in front of br_nf_pre_routing_finish) */
        nf_bridge->physoutdev = skb->dev;
        realindev = nf_bridge->physindev;

        if (nf_bridge->mask & BRNF_PKT_TYPE) {
                skb->pkt_type = PACKET_OTHERHOST;
                nf_bridge->mask ^= BRNF_PKT_TYPE;
        }
        nf_bridge_push_encap_header(skb);

        NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
                br_forward_finish);
        return NF_STOLEN;
}

#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
static int br_nf_dev_queue_xmit(struct sk_buff *skb)
{
        if (skb->nfct != NULL &&
            (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) &&
            skb->len > skb->dev->mtu &&
            !skb_is_gso(skb))
                return ip_fragment(skb, br_dev_queue_push_xmit);
        else
                return br_dev_queue_push_xmit(skb);
}
#else
static int br_nf_dev_queue_xmit(struct sk_buff *skb)
{
        return br_dev_queue_push_xmit(skb);
}
#endif

/* PF_BRIDGE/POST_ROUTING ********************************************/
static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
                                       const struct net_device *in,
                                       const struct net_device *out,
                                       int (*okfn)(struct sk_buff *))
{
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
        struct net_device *realoutdev = bridge_parent(skb->dev);
        u_int8_t pf;

#ifdef CONFIG_NETFILTER_DEBUG
        /* Be very paranoid. This probably won't happen anymore, but let's
         * keep the check just to be sure... */
        if (skb_mac_header(skb) < skb->head ||
            skb_mac_header(skb) + ETH_HLEN > skb->data) {
                printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
                       "bad mac.raw pointer.\n");
                goto print_error;
        }
#endif

        if (!nf_bridge)
                return NF_ACCEPT;

        if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
                return NF_ACCEPT;

        if (!realoutdev)
                return NF_DROP;

        if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
            IS_PPPOE_IP(skb))
                pf = PF_INET;
        else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
                 IS_PPPOE_IPV6(skb))
                pf = PF_INET6;
        else
                return NF_ACCEPT;

#ifdef CONFIG_NETFILTER_DEBUG
        if (skb_dst(skb) == NULL) {
                printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
                goto print_error;
        }
#endif

        /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
         * about the value of skb->pkt_type. */
        if (skb->pkt_type == PACKET_OTHERHOST) {
                skb->pkt_type = PACKET_HOST;
                nf_bridge->mask |= BRNF_PKT_TYPE;
        }

        nf_bridge_pull_encap_header(skb);
        nf_bridge_save_header(skb);

        NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
                br_nf_dev_queue_xmit);

        return NF_STOLEN;

#ifdef CONFIG_NETFILTER_DEBUG
print_error:
        if (skb->dev != NULL) {
                printk("[%s]", skb->dev->name);
                if (realoutdev)
                        printk("[%s]", realoutdev->name);
        }
        printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
               skb->data);
        dump_stack();
        return NF_ACCEPT;
#endif
}

/* IP/SABOTAGE *****************************************************/
/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
 * for the second time. */
static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
                                   const struct net_device *in,
                                   const struct net_device *out,
                                   int (*okfn)(struct sk_buff *))
{
        if (skb->nf_bridge &&
            !(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
                return NF_STOP;
        }

        return NF_ACCEPT;
}

/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent
 * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input.
 * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
 * ip_refrag() can return NF_STOLEN. */
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
        {
                .hook = br_nf_pre_routing,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
                .hooknum = NF_BR_PRE_ROUTING,
                .priority = NF_BR_PRI_BRNF,
        },
        {
                .hook = br_nf_local_in,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
                .hooknum = NF_BR_LOCAL_IN,
                .priority = NF_BR_PRI_BRNF,
        },
        {
                .hook = br_nf_forward_ip,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
                .hooknum = NF_BR_FORWARD,
                .priority = NF_BR_PRI_BRNF - 1,
        },
        {
                .hook = br_nf_forward_arp,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
                .hooknum = NF_BR_FORWARD,
                .priority = NF_BR_PRI_BRNF,
        },
        {
                .hook = br_nf_local_out,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
                .hooknum = NF_BR_LOCAL_OUT,
                .priority = NF_BR_PRI_FIRST,
        },
        {
                .hook = br_nf_post_routing,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
                .hooknum = NF_BR_POST_ROUTING,
                .priority = NF_BR_PRI_LAST,
        },
        {
                .hook = ip_sabotage_in,
                .owner = THIS_MODULE,
                .pf = PF_INET,
                .hooknum = NF_INET_PRE_ROUTING,
                .priority = NF_IP_PRI_FIRST,
        },
        {
                .hook = ip_sabotage_in,
                .owner = THIS_MODULE,
                .pf = PF_INET6,
                .hooknum = NF_INET_PRE_ROUTING,
                .priority = NF_IP6_PRI_FIRST,
        },
};

#ifdef CONFIG_SYSCTL
static
int brnf_sysctl_call_tables(ctl_table * ctl, int write,
                            void __user * buffer, size_t * lenp, loff_t * ppos)
{
        int ret;

        ret = proc_dointvec(ctl, write, buffer, lenp, ppos);

        if (write && *(int *)(ctl->data))
                *(int *)(ctl->data) = 1;
        return ret;
}

static ctl_table brnf_table[] = {
        {
                .procname       = "bridge-nf-call-arptables",
                .data           = &brnf_call_arptables,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-call-iptables",
                .data           = &brnf_call_iptables,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-call-ip6tables",
                .data           = &brnf_call_ip6tables,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = brnf_sysctl_call_tables,

        },
        {
                .procname       = "bridge-nf-filter-vlan-tagged",
                .data           = &brnf_filter_vlan_tagged,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-filter-pppoe-tagged",
                .data           = &brnf_filter_pppoe_tagged,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = brnf_sysctl_call_tables,
        },
        { .ctl_name = 0 }
};

static struct ctl_path brnf_path[] = {
        { .procname = "net", .ctl_name = CTL_NET, },
        { .procname = "bridge", .ctl_name = NET_BRIDGE, },
        { }
};
#endif

int __init br_netfilter_init(void)
{
        int ret;

        ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
        if (ret < 0)
                return ret;
#ifdef CONFIG_SYSCTL
        brnf_sysctl_header = register_sysctl_paths(brnf_path, brnf_table);
        if (brnf_sysctl_header == NULL) {
                printk(KERN_WARNING
                       "br_netfilter: can't register to sysctl.\n");
                nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
                return -ENOMEM;
        }
#endif
        printk(KERN_NOTICE "Bridge firewalling registered\n");
        return 0;
}

void br_netfilter_fini(void)
{
        nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
#ifdef CONFIG_SYSCTL
        unregister_sysctl_table(brnf_sysctl_header);
#endif
}