LXR linux/net/bridge/br_netfilter

   1/*
   2 *      Handle firewalling
   3 *      Linux ethernet bridge
   4 *
   5 *      Authors:
   6 *      Lennert Buytenhek               <buytenh@gnu.org>
   7 *      Bart De Schuymer                <bdschuym@pandora.be>
   8 *
   9 *      This program is free software; you can redistribute it and/or
  10 *      modify it under the terms of the GNU General Public License
  11 *      as published by the Free Software Foundation; either version
  12 *      2 of the License, or (at your option) any later version.
  13 *
  14 *      Lennert dedicates this file to Kerstin Wurdinger.
  15 */
  16
  17#include <linux/module.h>
  18#include <linux/kernel.h>
  19#include <linux/slab.h>
  20#include <linux/ip.h>
  21#include <linux/netdevice.h>
  22#include <linux/skbuff.h>
  23#include <linux/if_arp.h>
  24#include <linux/if_ether.h>
  25#include <linux/if_vlan.h>
  26#include <linux/if_pppox.h>
  27#include <linux/ppp_defs.h>
  28#include <linux/netfilter_bridge.h>
  29#include <linux/netfilter_ipv4.h>
  30#include <linux/netfilter_ipv6.h>
  31#include <linux/netfilter_arp.h>
  32#include <linux/in_route.h>
  33#include <linux/rculist.h>
  34#include <linux/inetdevice.h>
  35
  36#include <net/ip.h>
  37#include <net/ipv6.h>
  38#include <net/addrconf.h>
  39#include <net/route.h>
  40#include <net/netfilter/br_netfilter.h>
  41#include <net/netns/generic.h>
  42
  43#include <asm/uaccess.h>
  44#include "br_private.h"
  45#ifdef CONFIG_SYSCTL
  46#include <linux/sysctl.h>
  47#endif
  48
  49static int brnf_net_id __read_mostly;
  50
  51struct brnf_net {
  52        bool enabled;
  53};
  54
  55#ifdef CONFIG_SYSCTL
  56static struct ctl_table_header *brnf_sysctl_header;
  57static int brnf_call_iptables __read_mostly = 1;
  58static int brnf_call_ip6tables __read_mostly = 1;
  59static int brnf_call_arptables __read_mostly = 1;
  60static int brnf_filter_vlan_tagged __read_mostly;
  61static int brnf_filter_pppoe_tagged __read_mostly;
  62static int brnf_pass_vlan_indev __read_mostly;
  63#else
  64#define brnf_call_iptables 1
  65#define brnf_call_ip6tables 1
  66#define brnf_call_arptables 1
  67#define brnf_filter_vlan_tagged 0
  68#define brnf_filter_pppoe_tagged 0
  69#define brnf_pass_vlan_indev 0
  70#endif
  71
  72#define IS_IP(skb) \
  73        (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
  74
  75#define IS_IPV6(skb) \
  76        (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
  77
  78#define IS_ARP(skb) \
  79        (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
  80
  81static inline __be16 vlan_proto(const struct sk_buff *skb)
  82{
  83        if (skb_vlan_tag_present(skb))
  84                return skb->protocol;
  85        else if (skb->protocol == htons(ETH_P_8021Q))
  86                return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
  87        else
  88                return 0;
  89}
  90
  91#define IS_VLAN_IP(skb) \
  92        (vlan_proto(skb) == htons(ETH_P_IP) && \
  93         brnf_filter_vlan_tagged)
  94
  95#define IS_VLAN_IPV6(skb) \
  96        (vlan_proto(skb) == htons(ETH_P_IPV6) && \
  97         brnf_filter_vlan_tagged)
  98
  99#define IS_VLAN_ARP(skb) \
 100        (vlan_proto(skb) == htons(ETH_P_ARP) && \
 101         brnf_filter_vlan_tagged)
 102
 103static inline __be16 pppoe_proto(const struct sk_buff *skb)
 104{
 105        return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
 106                            sizeof(struct pppoe_hdr)));
 107}
 108
 109#define IS_PPPOE_IP(skb) \
 110        (skb->protocol == htons(ETH_P_PPP_SES) && \
 111         pppoe_proto(skb) == htons(PPP_IP) && \
 112         brnf_filter_pppoe_tagged)
 113
 114#define IS_PPPOE_IPV6(skb) \
 115        (skb->protocol == htons(ETH_P_PPP_SES) && \
 116         pppoe_proto(skb) == htons(PPP_IPV6) && \
 117         brnf_filter_pppoe_tagged)
 118
 119/* largest possible L2 header, see br_nf_dev_queue_xmit() */
 120#define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
 121
 122struct brnf_frag_data {
 123        char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH];
 124        u8 encap_size;
 125        u8 size;
 126        u16 vlan_tci;
 127        __be16 vlan_proto;
 128};
 129
 130static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage);
 131
 132static void nf_bridge_info_free(struct sk_buff *skb)
 133{
 134        if (skb->nf_bridge) {
 135                nf_bridge_put(skb->nf_bridge);
 136                skb->nf_bridge = NULL;
 137        }
 138}
 139
 140static inline struct net_device *bridge_parent(const struct net_device *dev)
 141{
 142        struct net_bridge_port *port;
 143
 144        port = br_port_get_rcu(dev);
 145        return port ? port->br->dev : NULL;
 146}
 147
 148static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
 149{
 150        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 151
 152        if (atomic_read(&nf_bridge->use) > 1) {
 153                struct nf_bridge_info *tmp = nf_bridge_alloc(skb);
 154
 155                if (tmp) {
 156                        memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
 157                        atomic_set(&tmp->use, 1);
 158                }
 159                nf_bridge_put(nf_bridge);
 160                nf_bridge = tmp;
 161        }
 162        return nf_bridge;
 163}
 164
 165unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
 166{
 167        switch (skb->protocol) {
 168        case __cpu_to_be16(ETH_P_8021Q):
 169                return VLAN_HLEN;
 170        case __cpu_to_be16(ETH_P_PPP_SES):
 171                return PPPOE_SES_HLEN;
 172        default:
 173                return 0;
 174        }
 175}
 176
 177static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
 178{
 179        unsigned int len = nf_bridge_encap_header_len(skb);
 180
 181        skb_pull(skb, len);
 182        skb->network_header += len;
 183}
 184
 185static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
 186{
 187        unsigned int len = nf_bridge_encap_header_len(skb);
 188
 189        skb_pull_rcsum(skb, len);
 190        skb->network_header += len;
 191}
 192
 193/* When handing a packet over to the IP layer
 194 * check whether we have a skb that is in the
 195 * expected format
 196 */
 197
 198static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
 199{
 200        const struct iphdr *iph;
 201        u32 len;
 202
 203        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 204                goto inhdr_error;
 205
 206        iph = ip_hdr(skb);
 207
 208        /* Basic sanity checks */
 209        if (iph->ihl < 5 || iph->version != 4)
 210                goto inhdr_error;
 211
 212        if (!pskb_may_pull(skb, iph->ihl*4))
 213                goto inhdr_error;
 214
 215        iph = ip_hdr(skb);
 216        if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
 217                goto inhdr_error;
 218
 219        len = ntohs(iph->tot_len);
 220        if (skb->len < len) {
 221                __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
 222                goto drop;
 223        } else if (len < (iph->ihl*4))
 224                goto inhdr_error;
 225
 226        if (pskb_trim_rcsum(skb, len)) {
 227                __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
 228                goto drop;
 229        }
 230
 231        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 232        /* We should really parse IP options here but until
 233         * somebody who actually uses IP options complains to
 234         * us we'll just silently ignore the options because
 235         * we're lazy!
 236         */
 237        return 0;
 238
 239inhdr_error:
 240        __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
 241drop:
 242        return -1;
 243}
 244
 245void nf_bridge_update_protocol(struct sk_buff *skb)
 246{
 247        switch (skb->nf_bridge->orig_proto) {
 248        case BRNF_PROTO_8021Q:
 249                skb->protocol = htons(ETH_P_8021Q);
 250                break;
 251        case BRNF_PROTO_PPPOE:
 252                skb->protocol = htons(ETH_P_PPP_SES);
 253                break;
 254        case BRNF_PROTO_UNCHANGED:
 255                break;
 256        }
 257}
 258
 259/* Obtain the correct destination MAC address, while preserving the original
 260 * source MAC address. If we already know this address, we just copy it. If we
 261 * don't, we use the neighbour framework to find out. In both cases, we make
 262 * sure that br_handle_frame_finish() is called afterwards.
 263 */
 264int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb)
 265{
 266        struct neighbour *neigh;
 267        struct dst_entry *dst;
 268
 269        skb->dev = bridge_parent(skb->dev);
 270        if (!skb->dev)
 271                goto free_skb;
 272        dst = skb_dst(skb);
 273        neigh = dst_neigh_lookup_skb(dst, skb);
 274        if (neigh) {
 275                struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 276                int ret;
 277
 278                if (neigh->hh.hh_len) {
 279                        neigh_hh_bridge(&neigh->hh, skb);
 280                        skb->dev = nf_bridge->physindev;
 281                        ret = br_handle_frame_finish(net, sk, skb);
 282                } else {
 283                        /* the neighbour function below overwrites the complete
 284                         * MAC header, so we save the Ethernet source address and
 285                         * protocol number.
 286                         */
 287                        skb_copy_from_linear_data_offset(skb,
 288                                                         -(ETH_HLEN-ETH_ALEN),
 289                                                         nf_bridge->neigh_header,
 290                                                         ETH_HLEN-ETH_ALEN);
 291                        /* tell br_dev_xmit to continue with forwarding */
 292                        nf_bridge->bridged_dnat = 1;
 293                        /* FIXME Need to refragment */
 294                        ret = neigh->output(neigh, skb);
 295                }
 296                neigh_release(neigh);
 297                return ret;
 298        }
 299free_skb:
 300        kfree_skb(skb);
 301        return 0;
 302}
 303
 304static inline bool
 305br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
 306                             const struct nf_bridge_info *nf_bridge)
 307{
 308        return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
 309}
 310
 311/* This requires some explaining. If DNAT has taken place,
 312 * we will need to fix up the destination Ethernet address.
 313 * This is also true when SNAT takes place (for the reply direction).
 314 *
 315 * There are two cases to consider:
 316 * 1. The packet was DNAT'ed to a device in the same bridge
 317 *    port group as it was received on. We can still bridge
 318 *    the packet.
 319 * 2. The packet was DNAT'ed to a different device, either
 320 *    a non-bridged device or another bridge port group.
 321 *    The packet will need to be routed.
 322 *
 323 * The correct way of distinguishing between these two cases is to
 324 * call ip_route_input() and to look at skb->dst->dev, which is
 325 * changed to the destination device if ip_route_input() succeeds.
 326 *
 327 * Let's first consider the case that ip_route_input() succeeds:
 328 *
 329 * If the output device equals the logical bridge device the packet
 330 * came in on, we can consider this bridging. The corresponding MAC
 331 * address will be obtained in br_nf_pre_routing_finish_bridge.
 332 * Otherwise, the packet is considered to be routed and we just
 333 * change the destination MAC address so that the packet will
 334 * later be passed up to the IP stack to be routed. For a redirected
 335 * packet, ip_route_input() will give back the localhost as output device,
 336 * which differs from the bridge device.
 337 *
 338 * Let's now consider the case that ip_route_input() fails:
 339 *
 340 * This can be because the destination address is martian, in which case
 341 * the packet will be dropped.
 342 * If IP forwarding is disabled, ip_route_input() will fail, while
 343 * ip_route_output_key() can return success. The source
 344 * address for ip_route_output_key() is set to zero, so ip_route_output_key()
 345 * thinks we're handling a locally generated packet and won't care
 346 * if IP forwarding is enabled. If the output device equals the logical bridge
 347 * device, we proceed as if ip_route_input() succeeded. If it differs from the
 348 * logical bridge port or if ip_route_output_key() fails we drop the packet.
 349 */
 350static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 351{
 352        struct net_device *dev = skb->dev;
 353        struct iphdr *iph = ip_hdr(skb);
 354        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 355        struct rtable *rt;
 356        int err;
 357
 358        nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
 359
 360        if (nf_bridge->pkt_otherhost) {
 361                skb->pkt_type = PACKET_OTHERHOST;
 362                nf_bridge->pkt_otherhost = false;
 363        }
 364        nf_bridge->in_prerouting = 0;
 365        if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
 366                if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
 367                        struct in_device *in_dev = __in_dev_get_rcu(dev);
 368
 369                        /* If err equals -EHOSTUNREACH the error is due to a
 370                         * martian destination or due to the fact that
 371                         * forwarding is disabled. For most martian packets,
 372                         * ip_route_output_key() will fail. It won't fail for 2 types of
 373                         * martian destinations: loopback destinations and destination
 374                         * 0.0.0.0. In both cases the packet will be dropped because the
 375                         * destination is the loopback device and not the bridge. */
 376                        if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
 377                                goto free_skb;
 378
 379                        rt = ip_route_output(net, iph->daddr, 0,
 380                                             RT_TOS(iph->tos), 0);
 381                        if (!IS_ERR(rt)) {
 382                                /* - Bridged-and-DNAT'ed traffic doesn't
 383                                 *   require ip_forwarding. */
 384                                if (rt->dst.dev == dev) {
 385                                        skb_dst_set(skb, &rt->dst);
 386                                        goto bridged_dnat;
 387                                }
 388                                ip_rt_put(rt);
 389                        }
 390free_skb:
 391                        kfree_skb(skb);
 392                        return 0;
 393                } else {
 394                        if (skb_dst(skb)->dev == dev) {
 395bridged_dnat:
 396                                skb->dev = nf_bridge->physindev;
 397                                nf_bridge_update_protocol(skb);
 398                                nf_bridge_push_encap_header(skb);
 399                                br_nf_hook_thresh(NF_BR_PRE_ROUTING,
 400                                                  net, sk, skb, skb->dev,
 401                                                  NULL,
 402                                                  br_nf_pre_routing_finish);
 403                                return 0;
 404                        }
 405                        ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
 406                        skb->pkt_type = PACKET_HOST;
 407                }
 408        } else {
 409                rt = bridge_parent_rtable(nf_bridge->physindev);
 410                if (!rt) {
 411                        kfree_skb(skb);
 412                        return 0;
 413                }
 414                skb_dst_set_noref(skb, &rt->dst);
 415        }
 416
 417        skb->dev = nf_bridge->physindev;
 418        nf_bridge_update_protocol(skb);
 419        nf_bridge_push_encap_header(skb);
 420        br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL,
 421                          br_handle_frame_finish);
 422        return 0;
 423}
 424
 425static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct net_device *dev)
 426{
 427        struct net_device *vlan, *br;
 428
 429        br = bridge_parent(dev);
 430        if (brnf_pass_vlan_indev == 0 || !skb_vlan_tag_present(skb))
 431                return br;
 432
 433        vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto,
 434                                    skb_vlan_tag_get(skb) & VLAN_VID_MASK);
 435
 436        return vlan ? vlan : br;
 437}
 438
 439/* Some common code for IPv4/IPv6 */
 440struct net_device *setup_pre_routing(struct sk_buff *skb)
 441{
 442        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 443
 444        if (skb->pkt_type == PACKET_OTHERHOST) {
 445                skb->pkt_type = PACKET_HOST;
 446                nf_bridge->pkt_otherhost = true;
 447        }
 448
 449        nf_bridge->in_prerouting = 1;
 450        nf_bridge->physindev = skb->dev;
 451        skb->dev = brnf_get_logical_dev(skb, skb->dev);
 452
 453        if (skb->protocol == htons(ETH_P_8021Q))
 454                nf_bridge->orig_proto = BRNF_PROTO_8021Q;
 455        else if (skb->protocol == htons(ETH_P_PPP_SES))
 456                nf_bridge->orig_proto = BRNF_PROTO_PPPOE;
 457
 458        /* Must drop socket now because of tproxy. */
 459        skb_orphan(skb);
 460        return skb->dev;
 461}
 462
 463/* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 464 * Replicate the checks that IPv4 does on packet reception.
 465 * Set skb->dev to the bridge device (i.e. parent of the
 466 * receiving device) to make netfilter happy, the REDIRECT
 467 * target in particular.  Save the original destination IP
 468 * address to be able to detect DNAT afterwards. */
 469static unsigned int br_nf_pre_routing(void *priv,
 470                                      struct sk_buff *skb,
 471                                      const struct nf_hook_state *state)
 472{
 473        struct nf_bridge_info *nf_bridge;
 474        struct net_bridge_port *p;
 475        struct net_bridge *br;
 476        __u32 len = nf_bridge_encap_header_len(skb);
 477
 478        if (unlikely(!pskb_may_pull(skb, len)))
 479                return NF_DROP;
 480
 481        p = br_port_get_rcu(state->in);
 482        if (p == NULL)
 483                return NF_DROP;
 484        br = p->br;
 485
 486        if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
 487                if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
 488                        return NF_ACCEPT;
 489
 490                nf_bridge_pull_encap_header_rcsum(skb);
 491                return br_nf_pre_routing_ipv6(priv, skb, state);
 492        }
 493
 494        if (!brnf_call_iptables && !br->nf_call_iptables)
 495                return NF_ACCEPT;
 496
 497        if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
 498                return NF_ACCEPT;
 499
 500        nf_bridge_pull_encap_header_rcsum(skb);
 501
 502        if (br_validate_ipv4(state->net, skb))
 503                return NF_DROP;
 504
 505        nf_bridge_put(skb->nf_bridge);
 506        if (!nf_bridge_alloc(skb))
 507                return NF_DROP;
 508        if (!setup_pre_routing(skb))
 509                return NF_DROP;
 510
 511        nf_bridge = nf_bridge_info_get(skb);
 512        nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
 513
 514        skb->protocol = htons(ETH_P_IP);
 515
 516        NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
 517                skb->dev, NULL,
 518                br_nf_pre_routing_finish);
 519
 520        return NF_STOLEN;
 521}
 522
 523
 524/* PF_BRIDGE/LOCAL_IN ************************************************/
 525/* The packet is locally destined, which requires a real
 526 * dst_entry, so detach the fake one.  On the way up, the
 527 * packet would pass through PRE_ROUTING again (which already
 528 * took place when the packet entered the bridge), but we
 529 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 530 * prevent this from happening. */
 531static unsigned int br_nf_local_in(void *priv,
 532                                   struct sk_buff *skb,
 533                                   const struct nf_hook_state *state)
 534{
 535        br_drop_fake_rtable(skb);
 536        return NF_ACCEPT;
 537}
 538
 539/* PF_BRIDGE/FORWARD *************************************************/
 540static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 541{
 542        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 543        struct net_device *in;
 544
 545        if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
 546
 547                if (skb->protocol == htons(ETH_P_IP))
 548                        nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
 549
 550                if (skb->protocol == htons(ETH_P_IPV6))
 551                        nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
 552
 553                in = nf_bridge->physindev;
 554                if (nf_bridge->pkt_otherhost) {
 555                        skb->pkt_type = PACKET_OTHERHOST;
 556                        nf_bridge->pkt_otherhost = false;
 557                }
 558                nf_bridge_update_protocol(skb);
 559        } else {
 560                in = *((struct net_device **)(skb->cb));
 561        }
 562        nf_bridge_push_encap_header(skb);
 563
 564        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, net, sk, skb,
 565                       in, skb->dev, br_forward_finish, 1);
 566        return 0;
 567}
 568
 569
 570/* This is the 'purely bridged' case.  For IP, we pass the packet to
 571 * netfilter with indev and outdev set to the bridge device,
 572 * but we are still able to filter on the 'real' indev/outdev
 573 * because of the physdev module. For ARP, indev and outdev are the
 574 * bridge ports. */
 575static unsigned int br_nf_forward_ip(void *priv,
 576                                     struct sk_buff *skb,
 577                                     const struct nf_hook_state *state)
 578{
 579        struct nf_bridge_info *nf_bridge;
 580        struct net_device *parent;
 581        u_int8_t pf;
 582
 583        if (!skb->nf_bridge)
 584                return NF_ACCEPT;
 585
 586        /* Need exclusive nf_bridge_info since we might have multiple
 587         * different physoutdevs. */
 588        if (!nf_bridge_unshare(skb))
 589                return NF_DROP;
 590
 591        nf_bridge = nf_bridge_info_get(skb);
 592        if (!nf_bridge)
 593                return NF_DROP;
 594
 595        parent = bridge_parent(state->out);
 596        if (!parent)
 597                return NF_DROP;
 598
 599        if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
 600                pf = NFPROTO_IPV4;
 601        else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
 602                pf = NFPROTO_IPV6;
 603        else
 604                return NF_ACCEPT;
 605
 606        nf_bridge_pull_encap_header(skb);
 607
 608        if (skb->pkt_type == PACKET_OTHERHOST) {
 609                skb->pkt_type = PACKET_HOST;
 610                nf_bridge->pkt_otherhost = true;
 611        }
 612
 613        if (pf == NFPROTO_IPV4) {
 614                if (br_validate_ipv4(state->net, skb))
 615                        return NF_DROP;
 616                IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
 617        }
 618
 619        if (pf == NFPROTO_IPV6) {
 620                if (br_validate_ipv6(state->net, skb))
 621                        return NF_DROP;
 622                IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
 623        }
 624
 625        nf_bridge->physoutdev = skb->dev;
 626        if (pf == NFPROTO_IPV4)
 627                skb->protocol = htons(ETH_P_IP);
 628        else
 629                skb->protocol = htons(ETH_P_IPV6);
 630
 631        NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,
 632                brnf_get_logical_dev(skb, state->in),
 633                parent, br_nf_forward_finish);
 634
 635        return NF_STOLEN;
 636}
 637
 638static unsigned int br_nf_forward_arp(void *priv,
 639                                      struct sk_buff *skb,
 640                                      const struct nf_hook_state *state)
 641{
 642        struct net_bridge_port *p;
 643        struct net_bridge *br;
 644        struct net_device **d = (struct net_device **)(skb->cb);
 645
 646        p = br_port_get_rcu(state->out);
 647        if (p == NULL)
 648                return NF_ACCEPT;
 649        br = p->br;
 650
 651        if (!brnf_call_arptables && !br->nf_call_arptables)
 652                return NF_ACCEPT;
 653
 654        if (!IS_ARP(skb)) {
 655                if (!IS_VLAN_ARP(skb))
 656                        return NF_ACCEPT;
 657                nf_bridge_pull_encap_header(skb);
 658        }
 659
 660        if (arp_hdr(skb)->ar_pln != 4) {
 661                if (IS_VLAN_ARP(skb))
 662                        nf_bridge_push_encap_header(skb);
 663                return NF_ACCEPT;
 664        }
 665        *d = state->in;
 666        NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb,
 667                state->in, state->out, br_nf_forward_finish);
 668
 669        return NF_STOLEN;
 670}
 671
 672static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
 673{
 674        struct brnf_frag_data *data;
 675        int err;
 676
 677        data = this_cpu_ptr(&brnf_frag_data_storage);
 678        err = skb_cow_head(skb, data->size);
 679
 680        if (err) {
 681                kfree_skb(skb);
 682                return 0;
 683        }
 684
 685        if (data->vlan_tci) {
 686                skb->vlan_tci = data->vlan_tci;
 687                skb->vlan_proto = data->vlan_proto;
 688        }
 689
 690        skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
 691        __skb_push(skb, data->encap_size);
 692
 693        nf_bridge_info_free(skb);
 694        return br_dev_queue_push_xmit(net, sk, skb);
 695}
 696
 697static int
 698br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
 699                  int (*output)(struct net *, struct sock *, struct sk_buff *))
 700{
 701        unsigned int mtu = ip_skb_dst_mtu(sk, skb);
 702        struct iphdr *iph = ip_hdr(skb);
 703
 704        if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) ||
 705                     (IPCB(skb)->frag_max_size &&
 706                      IPCB(skb)->frag_max_size > mtu))) {
 707                IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);
 708                kfree_skb(skb);
 709                return -EMSGSIZE;
 710        }
 711
 712        return ip_do_fragment(net, sk, skb, output);
 713}
 714
 715static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
 716{
 717        if (skb->nf_bridge->orig_proto == BRNF_PROTO_PPPOE)
 718                return PPPOE_SES_HLEN;
 719        return 0;
 720}
 721
 722static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
 723{
 724        struct nf_bridge_info *nf_bridge;
 725        unsigned int mtu_reserved;
 726
 727        mtu_reserved = nf_bridge_mtu_reduction(skb);
 728
 729        if (skb_is_gso(skb) || skb->len + mtu_reserved <= skb->dev->mtu) {
 730                nf_bridge_info_free(skb);
 731                return br_dev_queue_push_xmit(net, sk, skb);
 732        }
 733
 734        nf_bridge = nf_bridge_info_get(skb);
 735
 736        /* This is wrong! We should preserve the original fragment
 737         * boundaries by preserving frag_list rather than refragmenting.
 738         */
 739        if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) &&
 740            skb->protocol == htons(ETH_P_IP)) {
 741                struct brnf_frag_data *data;
 742
 743                if (br_validate_ipv4(net, skb))
 744                        goto drop;
 745
 746                IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
 747
 748                nf_bridge_update_protocol(skb);
 749
 750                data = this_cpu_ptr(&brnf_frag_data_storage);
 751
 752                data->vlan_tci = skb->vlan_tci;
 753                data->vlan_proto = skb->vlan_proto;
 754                data->encap_size = nf_bridge_encap_header_len(skb);
 755                data->size = ETH_HLEN + data->encap_size;
 756
 757                skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
 758                                                 data->size);
 759
 760                return br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit);
 761        }
 762        if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) &&
 763            skb->protocol == htons(ETH_P_IPV6)) {
 764                const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
 765                struct brnf_frag_data *data;
 766
 767                if (br_validate_ipv6(net, skb))
 768                        goto drop;
 769
 770                IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
 771
 772                nf_bridge_update_protocol(skb);
 773
 774                data = this_cpu_ptr(&brnf_frag_data_storage);
 775                data->encap_size = nf_bridge_encap_header_len(skb);
 776                data->size = ETH_HLEN + data->encap_size;
 777
 778                skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
 779                                                 data->size);
 780
 781                if (v6ops)
 782                        return v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit);
 783
 784                kfree_skb(skb);
 785                return -EMSGSIZE;
 786        }
 787        nf_bridge_info_free(skb);
 788        return br_dev_queue_push_xmit(net, sk, skb);
 789 drop:
 790        kfree_skb(skb);
 791        return 0;
 792}
 793
 794/* PF_BRIDGE/POST_ROUTING ********************************************/
 795static unsigned int br_nf_post_routing(void *priv,
 796                                       struct sk_buff *skb,
 797                                       const struct nf_hook_state *state)
 798{
 799        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 800        struct net_device *realoutdev = bridge_parent(skb->dev);
 801        u_int8_t pf;
 802
 803        /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in
 804         * on a bridge, but was delivered locally and is now being routed:
 805         *
 806         * POST_ROUTING was already invoked from the ip stack.
 807         */
 808        if (!nf_bridge || !nf_bridge->physoutdev)
 809                return NF_ACCEPT;
 810
 811        if (!realoutdev)
 812                return NF_DROP;
 813
 814        if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
 815                pf = NFPROTO_IPV4;
 816        else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
 817                pf = NFPROTO_IPV6;
 818        else
 819                return NF_ACCEPT;
 820
 821        /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
 822         * about the value of skb->pkt_type. */
 823        if (skb->pkt_type == PACKET_OTHERHOST) {
 824                skb->pkt_type = PACKET_HOST;
 825                nf_bridge->pkt_otherhost = true;
 826        }
 827
 828        nf_bridge_pull_encap_header(skb);
 829        if (pf == NFPROTO_IPV4)
 830                skb->protocol = htons(ETH_P_IP);
 831        else
 832                skb->protocol = htons(ETH_P_IPV6);
 833
 834        NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb,
 835                NULL, realoutdev,
 836                br_nf_dev_queue_xmit);
 837
 838        return NF_STOLEN;
 839}
 840
 841/* IP/SABOTAGE *****************************************************/
 842/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
 843 * for the second time. */
 844static unsigned int ip_sabotage_in(void *priv,
 845                                   struct sk_buff *skb,
 846                                   const struct nf_hook_state *state)
 847{
 848        if (skb->nf_bridge && !skb->nf_bridge->in_prerouting)
 849                return NF_STOP;
 850
 851        return NF_ACCEPT;
 852}
 853
 854/* This is called when br_netfilter has called into iptables/netfilter,
 855 * and DNAT has taken place on a bridge-forwarded packet.
 856 *
 857 * neigh->output has created a new MAC header, with local br0 MAC
 858 * as saddr.
 859 *
 860 * This restores the original MAC saddr of the bridged packet
 861 * before invoking bridge forward logic to transmit the packet.
 862 */
 863static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
 864{
 865        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 866
 867        skb_pull(skb, ETH_HLEN);
 868        nf_bridge->bridged_dnat = 0;
 869
 870        BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN));
 871
 872        skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN),
 873                                       nf_bridge->neigh_header,
 874                                       ETH_HLEN - ETH_ALEN);
 875        skb->dev = nf_bridge->physindev;
 876
 877        nf_bridge->physoutdev = NULL;
 878        br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
 879}
 880
 881static int br_nf_dev_xmit(struct sk_buff *skb)
 882{
 883        if (skb->nf_bridge && skb->nf_bridge->bridged_dnat) {
 884                br_nf_pre_routing_finish_bridge_slow(skb);
 885                return 1;
 886        }
 887        return 0;
 888}
 889
 890static const struct nf_br_ops br_ops = {
 891        .br_dev_xmit_hook =     br_nf_dev_xmit,
 892};
 893
 894void br_netfilter_enable(void)
 895{
 896}
 897EXPORT_SYMBOL_GPL(br_netfilter_enable);
 898
 899/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
 900 * br_dev_queue_push_xmit is called afterwards */
 901static struct nf_hook_ops br_nf_ops[] __read_mostly = {
 902        {
 903                .hook = br_nf_pre_routing,
 904                .pf = NFPROTO_BRIDGE,
 905                .hooknum = NF_BR_PRE_ROUTING,
 906                .priority = NF_BR_PRI_BRNF,
 907        },
 908        {
 909                .hook = br_nf_local_in,
 910                .pf = NFPROTO_BRIDGE,
 911                .hooknum = NF_BR_LOCAL_IN,
 912                .priority = NF_BR_PRI_BRNF,
 913        },
 914        {
 915                .hook = br_nf_forward_ip,
 916                .pf = NFPROTO_BRIDGE,
 917                .hooknum = NF_BR_FORWARD,
 918                .priority = NF_BR_PRI_BRNF - 1,
 919        },
 920        {
 921                .hook = br_nf_forward_arp,
 922                .pf = NFPROTO_BRIDGE,
 923                .hooknum = NF_BR_FORWARD,
 924                .priority = NF_BR_PRI_BRNF,
 925        },
 926        {
 927                .hook = br_nf_post_routing,
 928                .pf = NFPROTO_BRIDGE,
 929                .hooknum = NF_BR_POST_ROUTING,
 930                .priority = NF_BR_PRI_LAST,
 931        },
 932        {
 933                .hook = ip_sabotage_in,
 934                .pf = NFPROTO_IPV4,
 935                .hooknum = NF_INET_PRE_ROUTING,
 936                .priority = NF_IP_PRI_FIRST,
 937        },
 938        {
 939                .hook = ip_sabotage_in,
 940                .pf = NFPROTO_IPV6,
 941                .hooknum = NF_INET_PRE_ROUTING,
 942                .priority = NF_IP6_PRI_FIRST,
 943        },
 944};
 945
 946static int brnf_device_event(struct notifier_block *unused, unsigned long event,
 947                             void *ptr)
 948{
 949        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
 950        struct brnf_net *brnet;
 951        struct net *net;
 952        int ret;
 953
 954        if (event != NETDEV_REGISTER || !(dev->priv_flags & IFF_EBRIDGE))
 955                return NOTIFY_DONE;
 956
 957        ASSERT_RTNL();
 958
 959        net = dev_net(dev);
 960        brnet = net_generic(net, brnf_net_id);
 961        if (brnet->enabled)
 962                return NOTIFY_OK;
 963
 964        ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
 965        if (ret)
 966                return NOTIFY_BAD;
 967
 968        brnet->enabled = true;
 969        return NOTIFY_OK;
 970}
 971
 972static void __net_exit brnf_exit_net(struct net *net)
 973{
 974        struct brnf_net *brnet = net_generic(net, brnf_net_id);
 975
 976        if (!brnet->enabled)
 977                return;
 978
 979        nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
 980        brnet->enabled = false;
 981}
 982
 983static struct pernet_operations brnf_net_ops __read_mostly = {
 984        .exit = brnf_exit_net,
 985        .id   = &brnf_net_id,
 986        .size = sizeof(struct brnf_net),
 987};
 988
 989static struct notifier_block brnf_notifier __read_mostly = {
 990        .notifier_call = brnf_device_event,
 991};
 992
 993/* recursively invokes nf_hook_slow (again), skipping already-called
 994 * hooks (< NF_BR_PRI_BRNF).
 995 *
 996 * Called with rcu read lock held.
 997 */
 998int br_nf_hook_thresh(unsigned int hook, struct net *net,
 999                      struct sock *sk, struct sk_buff *skb,
1000                      struct net_device *indev,

1001                      struct net_device *outdev,
1002                      int (*okfn)(struct net *, struct sock *,
1003                                  struct sk_buff *))
1004{
1005        struct nf_hook_entry *elem;
1006        struct nf_hook_state state;
1007        int ret;
1008
1009        elem = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]);
1010
1011        while (elem && (elem->ops.priority <= NF_BR_PRI_BRNF))
1012                elem = rcu_dereference(elem->next);
1013
1014        if (!elem)
1015                return okfn(net, sk, skb);
1016
1017        /* We may already have this, but read-locks nest anyway */
1018        rcu_read_lock();
1019        nf_hook_state_init(&state, elem, hook, NF_BR_PRI_BRNF + 1,
1020                           NFPROTO_BRIDGE, indev, outdev, sk, net, okfn);
1021
1022        ret = nf_hook_slow(skb, &state);
1023        rcu_read_unlock();
1024        if (ret == 1)
1025                ret = okfn(net, sk, skb);
1026
1027        return ret;
1028}
1029
1030#ifdef CONFIG_SYSCTL
1031static
1032int brnf_sysctl_call_tables(struct ctl_table *ctl, int write,
1033                            void __user *buffer, size_t *lenp, loff_t *ppos)
1034{
1035        int ret;
1036
1037        ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1038
1039        if (write && *(int *)(ctl->data))
1040                *(int *)(ctl->data) = 1;
1041        return ret;
1042}
1043
1044static struct ctl_table brnf_table[] = {
1045        {
1046                .procname       = "bridge-nf-call-arptables",
1047                .data           = &brnf_call_arptables,
1048                .maxlen         = sizeof(int),
1049                .mode           = 0644,
1050                .proc_handler   = brnf_sysctl_call_tables,
1051        },
1052        {
1053                .procname       = "bridge-nf-call-iptables",
1054                .data           = &brnf_call_iptables,
1055                .maxlen         = sizeof(int),
1056                .mode           = 0644,
1057                .proc_handler   = brnf_sysctl_call_tables,
1058        },
1059        {
1060                .procname       = "bridge-nf-call-ip6tables",
1061                .data           = &brnf_call_ip6tables,
1062                .maxlen         = sizeof(int),
1063                .mode           = 0644,
1064                .proc_handler   = brnf_sysctl_call_tables,
1065        },
1066        {
1067                .procname       = "bridge-nf-filter-vlan-tagged",
1068                .data           = &brnf_filter_vlan_tagged,
1069                .maxlen         = sizeof(int),
1070                .mode           = 0644,
1071                .proc_handler   = brnf_sysctl_call_tables,
1072        },
1073        {
1074                .procname       = "bridge-nf-filter-pppoe-tagged",
1075                .data           = &brnf_filter_pppoe_tagged,
1076                .maxlen         = sizeof(int),
1077                .mode           = 0644,
1078                .proc_handler   = brnf_sysctl_call_tables,
1079        },
1080        {
1081                .procname       = "bridge-nf-pass-vlan-input-dev",
1082                .data           = &brnf_pass_vlan_indev,
1083                .maxlen         = sizeof(int),
1084                .mode           = 0644,
1085                .proc_handler   = brnf_sysctl_call_tables,
1086        },
1087        { }
1088};
1089#endif
1090
1091static int __init br_netfilter_init(void)
1092{
1093        int ret;
1094
1095        ret = register_pernet_subsys(&brnf_net_ops);
1096        if (ret < 0)
1097                return ret;
1098
1099        ret = register_netdevice_notifier(&brnf_notifier);
1100        if (ret < 0) {
1101                unregister_pernet_subsys(&brnf_net_ops);
1102                return ret;
1103        }
1104
1105#ifdef CONFIG_SYSCTL
1106        brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
1107        if (brnf_sysctl_header == NULL) {
1108                printk(KERN_WARNING
1109                       "br_netfilter: can't register to sysctl.\n");
1110                unregister_netdevice_notifier(&brnf_notifier);
1111                unregister_pernet_subsys(&brnf_net_ops);
1112                return -ENOMEM;
1113        }
1114#endif
1115        RCU_INIT_POINTER(nf_br_ops, &br_ops);
1116        printk(KERN_NOTICE "Bridge firewalling registered\n");
1117        return 0;
1118}
1119
1120static void __exit br_netfilter_fini(void)
1121{
1122        RCU_INIT_POINTER(nf_br_ops, NULL);
1123        unregister_netdevice_notifier(&brnf_notifier);
1124        unregister_pernet_subsys(&brnf_net_ops);
1125#ifdef CONFIG_SYSCTL
1126        unregister_net_sysctl_table(brnf_sysctl_header);
1127#endif
1128}
1129
1130module_init(br_netfilter_init);
1131module_exit(br_netfilter_fini);
1132
1133MODULE_LICENSE("GPL");
1134MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>");
1135MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
1136MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge");
1137