1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17#include <linux/module.h>
18#include <linux/kernel.h>
19#include <linux/slab.h>
20#include <linux/ip.h>
21#include <linux/netdevice.h>
22#include <linux/skbuff.h>
23#include <linux/if_arp.h>
24#include <linux/if_ether.h>
25#include <linux/if_vlan.h>
26#include <linux/if_pppox.h>
27#include <linux/ppp_defs.h>
28#include <linux/netfilter_bridge.h>
29#include <linux/netfilter_ipv4.h>
30#include <linux/netfilter_ipv6.h>
31#include <linux/netfilter_arp.h>
32#include <linux/in_route.h>
33#include <linux/inetdevice.h>
34
35#include <net/ip.h>
36#include <net/ipv6.h>
37#include <net/route.h>
38
39#include <asm/uaccess.h>
40#include "br_private.h"
41#ifdef CONFIG_SYSCTL
42#include <linux/sysctl.h>
43#endif
44
45#define skb_origaddr(skb) (((struct bridge_skb_cb *) \
46 (skb->nf_bridge->data))->daddr.ipv4)
47#define store_orig_dstaddr(skb) (skb_origaddr(skb) = ip_hdr(skb)->daddr)
48#define dnat_took_place(skb) (skb_origaddr(skb) != ip_hdr(skb)->daddr)
49
50#ifdef CONFIG_SYSCTL
51static struct ctl_table_header *brnf_sysctl_header;
52static int brnf_call_iptables __read_mostly = 1;
53static int brnf_call_ip6tables __read_mostly = 1;
54static int brnf_call_arptables __read_mostly = 1;
55static int brnf_filter_vlan_tagged __read_mostly = 0;
56static int brnf_filter_pppoe_tagged __read_mostly = 0;
57static int brnf_pass_vlan_indev __read_mostly = 0;
58#else
59#define brnf_call_iptables 1
60#define brnf_call_ip6tables 1
61#define brnf_call_arptables 1
62#define brnf_filter_vlan_tagged 0
63#define brnf_filter_pppoe_tagged 0
64#define brnf_pass_vlan_indev 0
65#endif
66
67#define IS_IP(skb) \
68 (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
69
70#define IS_IPV6(skb) \
71 (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
72
73#define IS_ARP(skb) \
74 (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
75
76static inline __be16 vlan_proto(const struct sk_buff *skb)
77{
78 if (vlan_tx_tag_present(skb))
79 return skb->protocol;
80 else if (skb->protocol == htons(ETH_P_8021Q))
81 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
82 else
83 return 0;
84}
85
86#define IS_VLAN_IP(skb) \
87 (vlan_proto(skb) == htons(ETH_P_IP) && \
88 brnf_filter_vlan_tagged)
89
90#define IS_VLAN_IPV6(skb) \
91 (vlan_proto(skb) == htons(ETH_P_IPV6) && \
92 brnf_filter_vlan_tagged)
93
94#define IS_VLAN_ARP(skb) \
95 (vlan_proto(skb) == htons(ETH_P_ARP) && \
96 brnf_filter_vlan_tagged)
97
98static inline __be16 pppoe_proto(const struct sk_buff *skb)
99{
100 return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
101 sizeof(struct pppoe_hdr)));
102}
103
104#define IS_PPPOE_IP(skb) \
105 (skb->protocol == htons(ETH_P_PPP_SES) && \
106 pppoe_proto(skb) == htons(PPP_IP) && \
107 brnf_filter_pppoe_tagged)
108
109#define IS_PPPOE_IPV6(skb) \
110 (skb->protocol == htons(ETH_P_PPP_SES) && \
111 pppoe_proto(skb) == htons(PPP_IPV6) && \
112 brnf_filter_pppoe_tagged)
113
114static void fake_update_pmtu(struct dst_entry *dst, struct sock *sk,
115 struct sk_buff *skb, u32 mtu)
116{
117}
118
119static void fake_redirect(struct dst_entry *dst, struct sock *sk,
120 struct sk_buff *skb)
121{
122}
123
124static u32 *fake_cow_metrics(struct dst_entry *dst, unsigned long old)
125{
126 return NULL;
127}
128
129static struct neighbour *fake_neigh_lookup(const struct dst_entry *dst,
130 struct sk_buff *skb,
131 const void *daddr)
132{
133 return NULL;
134}
135
136static unsigned int fake_mtu(const struct dst_entry *dst)
137{
138 return dst->dev->mtu;
139}
140
141static struct dst_ops fake_dst_ops = {
142 .family = AF_INET,
143 .protocol = cpu_to_be16(ETH_P_IP),
144 .update_pmtu = fake_update_pmtu,
145 .redirect = fake_redirect,
146 .cow_metrics = fake_cow_metrics,
147 .neigh_lookup = fake_neigh_lookup,
148 .mtu = fake_mtu,
149};
150
151
152
153
154
155
156
157
158static const u32 br_dst_default_metrics[RTAX_MAX] = {
159 [RTAX_MTU - 1] = 1500,
160};
161
162void br_netfilter_rtable_init(struct net_bridge *br)
163{
164 struct rtable *rt = &br->fake_rtable;
165
166 atomic_set(&rt->dst.__refcnt, 1);
167 rt->dst.dev = br->dev;
168 rt->dst.path = &rt->dst;
169 dst_init_metrics(&rt->dst, br_dst_default_metrics, true);
170 rt->dst.flags = DST_NOXFRM | DST_NOPEER | DST_FAKE_RTABLE;
171 rt->dst.ops = &fake_dst_ops;
172}
173
174static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
175{
176 struct net_bridge_port *port;
177
178 port = br_port_get_rcu(dev);
179 return port ? &port->br->fake_rtable : NULL;
180}
181
182static inline struct net_device *bridge_parent(const struct net_device *dev)
183{
184 struct net_bridge_port *port;
185
186 port = br_port_get_rcu(dev);
187 return port ? port->br->dev : NULL;
188}
189
190static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
191{
192 skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
193 if (likely(skb->nf_bridge))
194 atomic_set(&(skb->nf_bridge->use), 1);
195
196 return skb->nf_bridge;
197}
198
199static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
200{
201 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
202
203 if (atomic_read(&nf_bridge->use) > 1) {
204 struct nf_bridge_info *tmp = nf_bridge_alloc(skb);
205
206 if (tmp) {
207 memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
208 atomic_set(&tmp->use, 1);
209 }
210 nf_bridge_put(nf_bridge);
211 nf_bridge = tmp;
212 }
213 return nf_bridge;
214}
215
216static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
217{
218 unsigned int len = nf_bridge_encap_header_len(skb);
219
220 skb_push(skb, len);
221 skb->network_header -= len;
222}
223
224static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
225{
226 unsigned int len = nf_bridge_encap_header_len(skb);
227
228 skb_pull(skb, len);
229 skb->network_header += len;
230}
231
232static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
233{
234 unsigned int len = nf_bridge_encap_header_len(skb);
235
236 skb_pull_rcsum(skb, len);
237 skb->network_header += len;
238}
239
240static inline void nf_bridge_save_header(struct sk_buff *skb)
241{
242 int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
243
244 skb_copy_from_linear_data_offset(skb, -header_size,
245 skb->nf_bridge->data, header_size);
246}
247
248static inline void nf_bridge_update_protocol(struct sk_buff *skb)
249{
250 if (skb->nf_bridge->mask & BRNF_8021Q)
251 skb->protocol = htons(ETH_P_8021Q);
252 else if (skb->nf_bridge->mask & BRNF_PPPoE)
253 skb->protocol = htons(ETH_P_PPP_SES);
254}
255
256
257
258
259
260
261static int br_parse_ip_options(struct sk_buff *skb)
262{
263 struct ip_options *opt;
264 const struct iphdr *iph;
265 struct net_device *dev = skb->dev;
266 u32 len;
267
268 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
269 goto inhdr_error;
270
271 iph = ip_hdr(skb);
272 opt = &(IPCB(skb)->opt);
273
274
275 if (iph->ihl < 5 || iph->version != 4)
276 goto inhdr_error;
277
278 if (!pskb_may_pull(skb, iph->ihl*4))
279 goto inhdr_error;
280
281 iph = ip_hdr(skb);
282 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
283 goto inhdr_error;
284
285 len = ntohs(iph->tot_len);
286 if (skb->len < len) {
287 IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS);
288 goto drop;
289 } else if (len < (iph->ihl*4))
290 goto inhdr_error;
291
292 if (pskb_trim_rcsum(skb, len)) {
293 IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
294 goto drop;
295 }
296
297 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
298 if (iph->ihl == 5)
299 return 0;
300
301 opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
302 if (ip_options_compile(dev_net(dev), opt, skb))
303 goto inhdr_error;
304
305
306 if (unlikely(opt->srr)) {
307 struct in_device *in_dev = __in_dev_get_rcu(dev);
308 if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev))
309 goto drop;
310
311 if (ip_options_rcv_srr(skb))
312 goto drop;
313 }
314
315 return 0;
316
317inhdr_error:
318 IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
319drop:
320 return -1;
321}
322
323
324
325
326int nf_bridge_copy_header(struct sk_buff *skb)
327{
328 int err;
329 unsigned int header_size;
330
331 nf_bridge_update_protocol(skb);
332 header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
333 err = skb_cow_head(skb, header_size);
334 if (err)
335 return err;
336
337 skb_copy_to_linear_data_offset(skb, -header_size,
338 skb->nf_bridge->data, header_size);
339 __skb_push(skb, nf_bridge_encap_header_len(skb));
340 return 0;
341}
342
343
344
345
346static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
347{
348 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
349 struct rtable *rt;
350
351 if (nf_bridge->mask & BRNF_PKT_TYPE) {
352 skb->pkt_type = PACKET_OTHERHOST;
353 nf_bridge->mask ^= BRNF_PKT_TYPE;
354 }
355 nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
356
357 rt = bridge_parent_rtable(nf_bridge->physindev);
358 if (!rt) {
359 kfree_skb(skb);
360 return 0;
361 }
362 skb_dst_set_noref(skb, &rt->dst);
363
364 skb->dev = nf_bridge->physindev;
365 nf_bridge_update_protocol(skb);
366 nf_bridge_push_encap_header(skb);
367 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
368 br_handle_frame_finish, 1);
369
370 return 0;
371}
372
373
374
375
376
377
378static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
379{
380 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
381 struct neighbour *neigh;
382 struct dst_entry *dst;
383
384 skb->dev = bridge_parent(skb->dev);
385 if (!skb->dev)
386 goto free_skb;
387 dst = skb_dst(skb);
388 neigh = dst_neigh_lookup_skb(dst, skb);
389 if (neigh) {
390 int ret;
391
392 if (neigh->hh.hh_len) {
393 neigh_hh_bridge(&neigh->hh, skb);
394 skb->dev = nf_bridge->physindev;
395 ret = br_handle_frame_finish(skb);
396 } else {
397
398
399
400
401 skb_copy_from_linear_data_offset(skb,
402 -(ETH_HLEN-ETH_ALEN),
403 skb->nf_bridge->data,
404 ETH_HLEN-ETH_ALEN);
405
406 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
407 ret = neigh->output(neigh, skb);
408 }
409 neigh_release(neigh);
410 return ret;
411 }
412free_skb:
413 kfree_skb(skb);
414 return 0;
415}
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455static int br_nf_pre_routing_finish(struct sk_buff *skb)
456{
457 struct net_device *dev = skb->dev;
458 struct iphdr *iph = ip_hdr(skb);
459 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
460 struct rtable *rt;
461 int err;
462
463 if (nf_bridge->mask & BRNF_PKT_TYPE) {
464 skb->pkt_type = PACKET_OTHERHOST;
465 nf_bridge->mask ^= BRNF_PKT_TYPE;
466 }
467 nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
468 if (dnat_took_place(skb)) {
469 if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
470 struct in_device *in_dev = __in_dev_get_rcu(dev);
471
472
473
474
475
476
477
478
479 if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
480 goto free_skb;
481
482 rt = ip_route_output(dev_net(dev), iph->daddr, 0,
483 RT_TOS(iph->tos), 0);
484 if (!IS_ERR(rt)) {
485
486
487 if (rt->dst.dev == dev) {
488 skb_dst_set(skb, &rt->dst);
489 goto bridged_dnat;
490 }
491 ip_rt_put(rt);
492 }
493free_skb:
494 kfree_skb(skb);
495 return 0;
496 } else {
497 if (skb_dst(skb)->dev == dev) {
498bridged_dnat:
499 skb->dev = nf_bridge->physindev;
500 nf_bridge_update_protocol(skb);
501 nf_bridge_push_encap_header(skb);
502 NF_HOOK_THRESH(NFPROTO_BRIDGE,
503 NF_BR_PRE_ROUTING,
504 skb, skb->dev, NULL,
505 br_nf_pre_routing_finish_bridge,
506 1);
507 return 0;
508 }
509 memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, ETH_ALEN);
510 skb->pkt_type = PACKET_HOST;
511 }
512 } else {
513 rt = bridge_parent_rtable(nf_bridge->physindev);
514 if (!rt) {
515 kfree_skb(skb);
516 return 0;
517 }
518 skb_dst_set_noref(skb, &rt->dst);
519 }
520
521 skb->dev = nf_bridge->physindev;
522 nf_bridge_update_protocol(skb);
523 nf_bridge_push_encap_header(skb);
524 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
525 br_handle_frame_finish, 1);
526
527 return 0;
528}
529
530static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct net_device *dev)
531{
532 struct net_device *vlan, *br;
533
534 br = bridge_parent(dev);
535 if (brnf_pass_vlan_indev == 0 || !vlan_tx_tag_present(skb))
536 return br;
537
538 vlan = __vlan_find_dev_deep(br, skb->vlan_proto,
539 vlan_tx_tag_get(skb) & VLAN_VID_MASK);
540
541 return vlan ? vlan : br;
542}
543
544
545static struct net_device *setup_pre_routing(struct sk_buff *skb)
546{
547 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
548
549 if (skb->pkt_type == PACKET_OTHERHOST) {
550 skb->pkt_type = PACKET_HOST;
551 nf_bridge->mask |= BRNF_PKT_TYPE;
552 }
553
554 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
555 nf_bridge->physindev = skb->dev;
556 skb->dev = brnf_get_logical_dev(skb, skb->dev);
557 if (skb->protocol == htons(ETH_P_8021Q))
558 nf_bridge->mask |= BRNF_8021Q;
559 else if (skb->protocol == htons(ETH_P_PPP_SES))
560 nf_bridge->mask |= BRNF_PPPoE;
561
562 return skb->dev;
563}
564
565
566static int check_hbh_len(struct sk_buff *skb)
567{
568 unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
569 u32 pkt_len;
570 const unsigned char *nh = skb_network_header(skb);
571 int off = raw - nh;
572 int len = (raw[1] + 1) << 3;
573
574 if ((raw + len) - skb->data > skb_headlen(skb))
575 goto bad;
576
577 off += 2;
578 len -= 2;
579
580 while (len > 0) {
581 int optlen = nh[off + 1] + 2;
582
583 switch (nh[off]) {
584 case IPV6_TLV_PAD1:
585 optlen = 1;
586 break;
587
588 case IPV6_TLV_PADN:
589 break;
590
591 case IPV6_TLV_JUMBO:
592 if (nh[off + 1] != 4 || (off & 3) != 2)
593 goto bad;
594 pkt_len = ntohl(*(__be32 *) (nh + off + 2));
595 if (pkt_len <= IPV6_MAXPLEN ||
596 ipv6_hdr(skb)->payload_len)
597 goto bad;
598 if (pkt_len > skb->len - sizeof(struct ipv6hdr))
599 goto bad;
600 if (pskb_trim_rcsum(skb,
601 pkt_len + sizeof(struct ipv6hdr)))
602 goto bad;
603 nh = skb_network_header(skb);
604 break;
605 default:
606 if (optlen > len)
607 goto bad;
608 break;
609 }
610 off += optlen;
611 len -= optlen;
612 }
613 if (len == 0)
614 return 0;
615bad:
616 return -1;
617
618}
619
620
621
622static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
623 struct sk_buff *skb,
624 const struct net_device *in,
625 const struct net_device *out,
626 int (*okfn)(struct sk_buff *))
627{
628 const struct ipv6hdr *hdr;
629 u32 pkt_len;
630
631 if (skb->len < sizeof(struct ipv6hdr))
632 return NF_DROP;
633
634 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
635 return NF_DROP;
636
637 hdr = ipv6_hdr(skb);
638
639 if (hdr->version != 6)
640 return NF_DROP;
641
642 pkt_len = ntohs(hdr->payload_len);
643
644 if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
645 if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
646 return NF_DROP;
647 if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr)))
648 return NF_DROP;
649 }
650 if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
651 return NF_DROP;
652
653 nf_bridge_put(skb->nf_bridge);
654 if (!nf_bridge_alloc(skb))
655 return NF_DROP;
656 if (!setup_pre_routing(skb))
657 return NF_DROP;
658
659 skb->protocol = htons(ETH_P_IPV6);
660 NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
661 br_nf_pre_routing_finish_ipv6);
662
663 return NF_STOLEN;
664}
665
666
667
668
669
670
671
672static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
673 const struct net_device *in,
674 const struct net_device *out,
675 int (*okfn)(struct sk_buff *))
676{
677 struct net_bridge_port *p;
678 struct net_bridge *br;
679 __u32 len = nf_bridge_encap_header_len(skb);
680
681 if (unlikely(!pskb_may_pull(skb, len)))
682 return NF_DROP;
683
684 p = br_port_get_rcu(in);
685 if (p == NULL)
686 return NF_DROP;
687 br = p->br;
688
689 if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
690 if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
691 return NF_ACCEPT;
692
693 nf_bridge_pull_encap_header_rcsum(skb);
694 return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
695 }
696
697 if (!brnf_call_iptables && !br->nf_call_iptables)
698 return NF_ACCEPT;
699
700 if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
701 return NF_ACCEPT;
702
703 nf_bridge_pull_encap_header_rcsum(skb);
704
705 if (br_parse_ip_options(skb))
706 return NF_DROP;
707
708 nf_bridge_put(skb->nf_bridge);
709 if (!nf_bridge_alloc(skb))
710 return NF_DROP;
711 if (!setup_pre_routing(skb))
712 return NF_DROP;
713 store_orig_dstaddr(skb);
714 skb->protocol = htons(ETH_P_IP);
715
716 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
717 br_nf_pre_routing_finish);
718
719 return NF_STOLEN;
720}
721
722
723
724
725
726
727
728
729
730static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb,
731 const struct net_device *in,
732 const struct net_device *out,
733 int (*okfn)(struct sk_buff *))
734{
735 br_drop_fake_rtable(skb);
736 return NF_ACCEPT;
737}
738
739
740static int br_nf_forward_finish(struct sk_buff *skb)
741{
742 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
743 struct net_device *in;
744
745 if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
746 in = nf_bridge->physindev;
747 if (nf_bridge->mask & BRNF_PKT_TYPE) {
748 skb->pkt_type = PACKET_OTHERHOST;
749 nf_bridge->mask ^= BRNF_PKT_TYPE;
750 }
751 nf_bridge_update_protocol(skb);
752 } else {
753 in = *((struct net_device **)(skb->cb));
754 }
755 nf_bridge_push_encap_header(skb);
756
757 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
758 skb->dev, br_forward_finish, 1);
759 return 0;
760}
761
762
763
764
765
766
767
768static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
769 const struct net_device *in,
770 const struct net_device *out,
771 int (*okfn)(struct sk_buff *))
772{
773 struct nf_bridge_info *nf_bridge;
774 struct net_device *parent;
775 u_int8_t pf;
776
777 if (!skb->nf_bridge)
778 return NF_ACCEPT;
779
780
781
782 if (!nf_bridge_unshare(skb))
783 return NF_DROP;
784
785 parent = bridge_parent(out);
786 if (!parent)
787 return NF_DROP;
788
789 if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
790 pf = NFPROTO_IPV4;
791 else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
792 pf = NFPROTO_IPV6;
793 else
794 return NF_ACCEPT;
795
796 nf_bridge_pull_encap_header(skb);
797
798 nf_bridge = skb->nf_bridge;
799 if (skb->pkt_type == PACKET_OTHERHOST) {
800 skb->pkt_type = PACKET_HOST;
801 nf_bridge->mask |= BRNF_PKT_TYPE;
802 }
803
804 if (pf == NFPROTO_IPV4 && br_parse_ip_options(skb))
805 return NF_DROP;
806
807
808 nf_bridge->mask |= BRNF_BRIDGED;
809 nf_bridge->physoutdev = skb->dev;
810 if (pf == NFPROTO_IPV4)
811 skb->protocol = htons(ETH_P_IP);
812 else
813 skb->protocol = htons(ETH_P_IPV6);
814
815 NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent,
816 br_nf_forward_finish);
817
818 return NF_STOLEN;
819}
820
821static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
822 const struct net_device *in,
823 const struct net_device *out,
824 int (*okfn)(struct sk_buff *))
825{
826 struct net_bridge_port *p;
827 struct net_bridge *br;
828 struct net_device **d = (struct net_device **)(skb->cb);
829
830 p = br_port_get_rcu(out);
831 if (p == NULL)
832 return NF_ACCEPT;
833 br = p->br;
834
835 if (!brnf_call_arptables && !br->nf_call_arptables)
836 return NF_ACCEPT;
837
838 if (!IS_ARP(skb)) {
839 if (!IS_VLAN_ARP(skb))
840 return NF_ACCEPT;
841 nf_bridge_pull_encap_header(skb);
842 }
843
844 if (arp_hdr(skb)->ar_pln != 4) {
845 if (IS_VLAN_ARP(skb))
846 nf_bridge_push_encap_header(skb);
847 return NF_ACCEPT;
848 }
849 *d = (struct net_device *)in;
850 NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
851 (struct net_device *)out, br_nf_forward_finish);
852
853 return NF_STOLEN;
854}
855
856#if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4)
857static int br_nf_dev_queue_xmit(struct sk_buff *skb)
858{
859 int ret;
860
861 if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
862 skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
863 !skb_is_gso(skb)) {
864 if (br_parse_ip_options(skb))
865
866 return NF_DROP;
867 ret = ip_fragment(skb, br_dev_queue_push_xmit);
868 } else
869 ret = br_dev_queue_push_xmit(skb);
870
871 return ret;
872}
873#else
874static int br_nf_dev_queue_xmit(struct sk_buff *skb)
875{
876 return br_dev_queue_push_xmit(skb);
877}
878#endif
879
880
881static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
882 const struct net_device *in,
883 const struct net_device *out,
884 int (*okfn)(struct sk_buff *))
885{
886 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
887 struct net_device *realoutdev = bridge_parent(skb->dev);
888 u_int8_t pf;
889
890 if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
891 return NF_ACCEPT;
892
893 if (!realoutdev)
894 return NF_DROP;
895
896 if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
897 pf = NFPROTO_IPV4;
898 else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
899 pf = NFPROTO_IPV6;
900 else
901 return NF_ACCEPT;
902
903
904
905 if (skb->pkt_type == PACKET_OTHERHOST) {
906 skb->pkt_type = PACKET_HOST;
907 nf_bridge->mask |= BRNF_PKT_TYPE;
908 }
909
910 nf_bridge_pull_encap_header(skb);
911 nf_bridge_save_header(skb);
912 if (pf == NFPROTO_IPV4)
913 skb->protocol = htons(ETH_P_IP);
914 else
915 skb->protocol = htons(ETH_P_IPV6);
916
917 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
918 br_nf_dev_queue_xmit);
919
920 return NF_STOLEN;
921}
922
923
924
925
926static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
927 const struct net_device *in,
928 const struct net_device *out,
929 int (*okfn)(struct sk_buff *))
930{
931 if (skb->nf_bridge &&
932 !(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
933 return NF_STOP;
934 }
935
936 return NF_ACCEPT;
937}
938
939
940
941static struct nf_hook_ops br_nf_ops[] __read_mostly = {
942 {
943 .hook = br_nf_pre_routing,
944 .owner = THIS_MODULE,
945 .pf = NFPROTO_BRIDGE,
946 .hooknum = NF_BR_PRE_ROUTING,
947 .priority = NF_BR_PRI_BRNF,
948 },
949 {
950 .hook = br_nf_local_in,
951 .owner = THIS_MODULE,
952 .pf = NFPROTO_BRIDGE,
953 .hooknum = NF_BR_LOCAL_IN,
954 .priority = NF_BR_PRI_BRNF,
955 },
956 {
957 .hook = br_nf_forward_ip,
958 .owner = THIS_MODULE,
959 .pf = NFPROTO_BRIDGE,
960 .hooknum = NF_BR_FORWARD,
961 .priority = NF_BR_PRI_BRNF - 1,
962 },
963 {
964 .hook = br_nf_forward_arp,
965 .owner = THIS_MODULE,
966 .pf = NFPROTO_BRIDGE,
967 .hooknum = NF_BR_FORWARD,
968 .priority = NF_BR_PRI_BRNF,
969 },
970 {
971 .hook = br_nf_post_routing,
972 .owner = THIS_MODULE,
973 .pf = NFPROTO_BRIDGE,
974 .hooknum = NF_BR_POST_ROUTING,
975 .priority = NF_BR_PRI_LAST,
976 },
977 {
978 .hook = ip_sabotage_in,
979 .owner = THIS_MODULE,
980 .pf = NFPROTO_IPV4,
981 .hooknum = NF_INET_PRE_ROUTING,
982 .priority = NF_IP_PRI_FIRST,
983 },
984 {
985 .hook = ip_sabotage_in,
986 .owner = THIS_MODULE,
987 .pf = NFPROTO_IPV6,
988 .hooknum = NF_INET_PRE_ROUTING,
989 .priority = NF_IP6_PRI_FIRST,
990 },
991};
992
993#ifdef CONFIG_SYSCTL
994static
995int brnf_sysctl_call_tables(ctl_table * ctl, int write,
996 void __user * buffer, size_t * lenp, loff_t * ppos)
997{
998 int ret;
999
1000 ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1001
1002 if (write && *(int *)(ctl->data))
1003 *(int *)(ctl->data) = 1;
1004 return ret;
1005}
1006
1007static ctl_table brnf_table[] = {
1008 {
1009 .procname = "bridge-nf-call-arptables",
1010 .data = &brnf_call_arptables,
1011 .maxlen = sizeof(int),
1012 .mode = 0644,
1013 .proc_handler = brnf_sysctl_call_tables,
1014 },
1015 {
1016 .procname = "bridge-nf-call-iptables",
1017 .data = &brnf_call_iptables,
1018 .maxlen = sizeof(int),
1019 .mode = 0644,
1020 .proc_handler = brnf_sysctl_call_tables,
1021 },
1022 {
1023 .procname = "bridge-nf-call-ip6tables",
1024 .data = &brnf_call_ip6tables,
1025 .maxlen = sizeof(int),
1026 .mode = 0644,
1027 .proc_handler = brnf_sysctl_call_tables,
1028 },
1029 {
1030 .procname = "bridge-nf-filter-vlan-tagged",
1031 .data = &brnf_filter_vlan_tagged,
1032 .maxlen = sizeof(int),
1033 .mode = 0644,
1034 .proc_handler = brnf_sysctl_call_tables,
1035 },
1036 {
1037 .procname = "bridge-nf-filter-pppoe-tagged",
1038 .data = &brnf_filter_pppoe_tagged,
1039 .maxlen = sizeof(int),
1040 .mode = 0644,
1041 .proc_handler = brnf_sysctl_call_tables,
1042 },
1043 {
1044 .procname = "bridge-nf-pass-vlan-input-dev",
1045 .data = &brnf_pass_vlan_indev,
1046 .maxlen = sizeof(int),
1047 .mode = 0644,
1048 .proc_handler = brnf_sysctl_call_tables,
1049 },
1050 { }
1051};
1052#endif
1053
1054int __init br_netfilter_init(void)
1055{
1056 int ret;
1057
1058 ret = dst_entries_init(&fake_dst_ops);
1059 if (ret < 0)
1060 return ret;
1061
1062 ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1063 if (ret < 0) {
1064 dst_entries_destroy(&fake_dst_ops);
1065 return ret;
1066 }
1067#ifdef CONFIG_SYSCTL
1068 brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
1069 if (brnf_sysctl_header == NULL) {
1070 printk(KERN_WARNING
1071 "br_netfilter: can't register to sysctl.\n");
1072 nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1073 dst_entries_destroy(&fake_dst_ops);
1074 return -ENOMEM;
1075 }
1076#endif
1077 printk(KERN_NOTICE "Bridge firewalling registered\n");
1078 return 0;
1079}
1080
1081void br_netfilter_fini(void)
1082{
1083 nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1084#ifdef CONFIG_SYSCTL
1085 unregister_net_sysctl_table(brnf_sysctl_header);
1086#endif
1087 dst_entries_destroy(&fake_dst_ops);
1088}
1089