net/bridge/br_netfilter.c at v2.6.14-rc1

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / bridge / br_netfilter.c
at v2.6.14-rc1 1049 lines 30 kB view raw
wrap content
   1/*
   2 *	Handle firewalling
   3 *	Linux ethernet bridge
   4 *
   5 *	Authors:
   6 *	Lennert Buytenhek               <buytenh@gnu.org>
   7 *	Bart De Schuymer (maintainer)	<bdschuym@pandora.be>
   8 *
   9 *	Changes:
  10 *	Apr 29 2003: physdev module support (bdschuym)
  11 *	Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
  12 *	Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
  13 *	             (bdschuym)
  14 *	Sep 01 2004: add IPv6 filtering (bdschuym)
  15 *
  16 *	This program is free software; you can redistribute it and/or
  17 *	modify it under the terms of the GNU General Public License
  18 *	as published by the Free Software Foundation; either version
  19 *	2 of the License, or (at your option) any later version.
  20 *
  21 *	Lennert dedicates this file to Kerstin Wurdinger.
  22 */
  23
  24#include <linux/module.h>
  25#include <linux/kernel.h>
  26#include <linux/ip.h>
  27#include <linux/netdevice.h>
  28#include <linux/skbuff.h>
  29#include <linux/if_ether.h>
  30#include <linux/if_vlan.h>
  31#include <linux/netfilter_bridge.h>
  32#include <linux/netfilter_ipv4.h>
  33#include <linux/netfilter_ipv6.h>
  34#include <linux/netfilter_arp.h>
  35#include <linux/in_route.h>
  36#include <net/ip.h>
  37#include <net/ipv6.h>
  38#include <asm/uaccess.h>
  39#include <asm/checksum.h>
  40#include "br_private.h"
  41#ifdef CONFIG_SYSCTL
  42#include <linux/sysctl.h>
  43#endif
  44
  45#define skb_origaddr(skb)	 (((struct bridge_skb_cb *) \
  46				 (skb->nf_bridge->data))->daddr.ipv4)
  47#define store_orig_dstaddr(skb)	 (skb_origaddr(skb) = (skb)->nh.iph->daddr)
  48#define dnat_took_place(skb)	 (skb_origaddr(skb) != (skb)->nh.iph->daddr)
  49
  50#define has_bridge_parent(device)	((device)->br_port != NULL)
  51#define bridge_parent(device)		((device)->br_port->br->dev)
  52
  53#ifdef CONFIG_SYSCTL
  54static struct ctl_table_header *brnf_sysctl_header;
  55static int brnf_call_iptables = 1;
  56static int brnf_call_ip6tables = 1;
  57static int brnf_call_arptables = 1;
  58static int brnf_filter_vlan_tagged = 1;
  59#else
  60#define brnf_filter_vlan_tagged 1
  61#endif
  62
  63#define IS_VLAN_IP (skb->protocol == __constant_htons(ETH_P_8021Q) &&    \
  64	hdr->h_vlan_encapsulated_proto == __constant_htons(ETH_P_IP) &&  \
  65	brnf_filter_vlan_tagged)
  66#define IS_VLAN_IPV6 (skb->protocol == __constant_htons(ETH_P_8021Q) &&    \
  67	hdr->h_vlan_encapsulated_proto == __constant_htons(ETH_P_IPV6) &&  \
  68	brnf_filter_vlan_tagged)
  69#define IS_VLAN_ARP (skb->protocol == __constant_htons(ETH_P_8021Q) &&   \
  70	hdr->h_vlan_encapsulated_proto == __constant_htons(ETH_P_ARP) && \
  71	brnf_filter_vlan_tagged)
  72
  73/* We need these fake structures to make netfilter happy --
  74 * lots of places assume that skb->dst != NULL, which isn't
  75 * all that unreasonable.
  76 *
  77 * Currently, we fill in the PMTU entry because netfilter
  78 * refragmentation needs it, and the rt_flags entry because
  79 * ipt_REJECT needs it.  Future netfilter modules might
  80 * require us to fill additional fields. */
  81static struct net_device __fake_net_device = {
  82	.hard_header_len	= ETH_HLEN
  83};
  84
  85static struct rtable __fake_rtable = {
  86	.u = {
  87		.dst = {
  88			.__refcnt		= ATOMIC_INIT(1),
  89			.dev			= &__fake_net_device,
  90			.path			= &__fake_rtable.u.dst,
  91			.metrics		= {[RTAX_MTU - 1] = 1500},
  92		}
  93	},
  94	.rt_flags	= 0,
  95};
  96
  97
  98/* PF_BRIDGE/PRE_ROUTING *********************************************/
  99/* Undo the changes made for ip6tables PREROUTING and continue the
 100 * bridge PRE_ROUTING hook. */
 101static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
 102{
 103	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 104
 105	if (nf_bridge->mask & BRNF_PKT_TYPE) {
 106		skb->pkt_type = PACKET_OTHERHOST;
 107		nf_bridge->mask ^= BRNF_PKT_TYPE;
 108	}
 109	nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
 110
 111	skb->dst = (struct dst_entry *)&__fake_rtable;
 112	dst_hold(skb->dst);
 113
 114	skb->dev = nf_bridge->physindev;
 115	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 116		skb_push(skb, VLAN_HLEN);
 117		skb->nh.raw -= VLAN_HLEN;
 118	}
 119	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 120		       br_handle_frame_finish, 1);
 121
 122	return 0;
 123}
 124
 125static void __br_dnat_complain(void)
 126{
 127	static unsigned long last_complaint;
 128
 129	if (jiffies - last_complaint >= 5 * HZ) {
 130		printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
 131			"forwarding to be enabled\n");
 132		last_complaint = jiffies;
 133	}
 134}
 135
 136/* This requires some explaining. If DNAT has taken place,
 137 * we will need to fix up the destination Ethernet address,
 138 * and this is a tricky process.
 139 *
 140 * There are two cases to consider:
 141 * 1. The packet was DNAT'ed to a device in the same bridge
 142 *    port group as it was received on. We can still bridge
 143 *    the packet.
 144 * 2. The packet was DNAT'ed to a different device, either
 145 *    a non-bridged device or another bridge port group.
 146 *    The packet will need to be routed.
 147 *
 148 * The correct way of distinguishing between these two cases is to
 149 * call ip_route_input() and to look at skb->dst->dev, which is
 150 * changed to the destination device if ip_route_input() succeeds.
 151 *
 152 * Let us first consider the case that ip_route_input() succeeds:
 153 *
 154 * If skb->dst->dev equals the logical bridge device the packet
 155 * came in on, we can consider this bridging. We then call
 156 * skb->dst->output() which will make the packet enter br_nf_local_out()
 157 * not much later. In that function it is assured that the iptables
 158 * FORWARD chain is traversed for the packet.
 159 *
 160 * Otherwise, the packet is considered to be routed and we just
 161 * change the destination MAC address so that the packet will
 162 * later be passed up to the IP stack to be routed.
 163 *
 164 * Let us now consider the case that ip_route_input() fails:
 165 *
 166 * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input()
 167 * will fail, while __ip_route_output_key() will return success. The source
 168 * address for __ip_route_output_key() is set to zero, so __ip_route_output_key
 169 * thinks we're handling a locally generated packet and won't care
 170 * if IP forwarding is allowed. We send a warning message to the users's
 171 * log telling her to put IP forwarding on.
 172 *
 173 * ip_route_input() will also fail if there is no route available.
 174 * In that case we just drop the packet.
 175 *
 176 * --Lennert, 20020411
 177 * --Bart, 20020416 (updated)
 178 * --Bart, 20021007 (updated) */
 179static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
 180{
 181	if (skb->pkt_type == PACKET_OTHERHOST) {
 182		skb->pkt_type = PACKET_HOST;
 183		skb->nf_bridge->mask |= BRNF_PKT_TYPE;
 184	}
 185	skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
 186
 187	skb->dev = bridge_parent(skb->dev);
 188	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 189		skb_pull(skb, VLAN_HLEN);
 190		skb->nh.raw += VLAN_HLEN;
 191	}
 192	skb->dst->output(skb);
 193	return 0;
 194}
 195
 196static int br_nf_pre_routing_finish(struct sk_buff *skb)
 197{
 198	struct net_device *dev = skb->dev;
 199	struct iphdr *iph = skb->nh.iph;
 200	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 201
 202	if (nf_bridge->mask & BRNF_PKT_TYPE) {
 203		skb->pkt_type = PACKET_OTHERHOST;
 204		nf_bridge->mask ^= BRNF_PKT_TYPE;
 205	}
 206	nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
 207
 208	if (dnat_took_place(skb)) {
 209		if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
 210		    dev)) {
 211			struct rtable *rt;
 212			struct flowi fl = { .nl_u = 
 213			{ .ip4_u = { .daddr = iph->daddr, .saddr = 0 ,
 214				     .tos = RT_TOS(iph->tos)} }, .proto = 0};
 215
 216			if (!ip_route_output_key(&rt, &fl)) {
 217				/* Bridged-and-DNAT'ed traffic doesn't
 218				 * require ip_forwarding. */
 219				if (((struct dst_entry *)rt)->dev == dev) {
 220					skb->dst = (struct dst_entry *)rt;
 221					goto bridged_dnat;
 222				}
 223				__br_dnat_complain();
 224				dst_release((struct dst_entry *)rt);
 225			}
 226			kfree_skb(skb);
 227			return 0;
 228		} else {
 229			if (skb->dst->dev == dev) {
 230bridged_dnat:
 231				/* Tell br_nf_local_out this is a
 232				 * bridged frame */
 233				nf_bridge->mask |= BRNF_BRIDGED_DNAT;
 234				skb->dev = nf_bridge->physindev;
 235				if (skb->protocol ==
 236				    __constant_htons(ETH_P_8021Q)) {
 237					skb_push(skb, VLAN_HLEN);
 238					skb->nh.raw -= VLAN_HLEN;
 239				}
 240				NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
 241					       skb, skb->dev, NULL,
 242					       br_nf_pre_routing_finish_bridge,
 243					       1);
 244				return 0;
 245			}
 246			memcpy(eth_hdr(skb)->h_dest, dev->dev_addr,
 247			       ETH_ALEN);
 248			skb->pkt_type = PACKET_HOST;
 249		}
 250	} else {
 251		skb->dst = (struct dst_entry *)&__fake_rtable;
 252		dst_hold(skb->dst);
 253	}
 254
 255	skb->dev = nf_bridge->physindev;
 256	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 257		skb_push(skb, VLAN_HLEN);
 258		skb->nh.raw -= VLAN_HLEN;
 259	}
 260	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 261		       br_handle_frame_finish, 1);
 262
 263	return 0;
 264}
 265
 266/* Some common code for IPv4/IPv6 */
 267static void setup_pre_routing(struct sk_buff *skb)
 268{
 269	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 270
 271	if (skb->pkt_type == PACKET_OTHERHOST) {
 272		skb->pkt_type = PACKET_HOST;
 273		nf_bridge->mask |= BRNF_PKT_TYPE;
 274	}
 275
 276	nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
 277	nf_bridge->physindev = skb->dev;
 278	skb->dev = bridge_parent(skb->dev);
 279}
 280
 281/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */
 282static int check_hbh_len(struct sk_buff *skb)
 283{
 284	unsigned char *raw = (u8*)(skb->nh.ipv6h+1);
 285	u32 pkt_len;
 286	int off = raw - skb->nh.raw;
 287	int len = (raw[1]+1)<<3;
 288
 289	if ((raw + len) - skb->data > skb_headlen(skb))
 290		goto bad;
 291
 292	off += 2;
 293	len -= 2;
 294
 295	while (len > 0) {
 296		int optlen = raw[off+1]+2;
 297
 298		switch (skb->nh.raw[off]) {
 299		case IPV6_TLV_PAD0:
 300			optlen = 1;
 301			break;
 302
 303		case IPV6_TLV_PADN:
 304			break;
 305
 306		case IPV6_TLV_JUMBO:
 307			if (skb->nh.raw[off+1] != 4 || (off&3) != 2)
 308				goto bad;
 309
 310			pkt_len = ntohl(*(u32*)(skb->nh.raw+off+2));
 311
 312			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
 313				goto bad;
 314			if (pkt_len + sizeof(struct ipv6hdr) < skb->len) {
 315				if (__pskb_trim(skb,
 316				    pkt_len + sizeof(struct ipv6hdr)))
 317					goto bad;
 318				if (skb->ip_summed == CHECKSUM_HW)
 319					skb->ip_summed = CHECKSUM_NONE;
 320			}
 321			break;
 322		default:
 323			if (optlen > len)
 324				goto bad;
 325			break;
 326		}
 327		off += optlen;
 328		len -= optlen;
 329	}
 330	if (len == 0)
 331		return 0;
 332bad:
 333	return -1;
 334
 335}
 336
 337/* Replicate the checks that IPv6 does on packet reception and pass the packet
 338 * to ip6tables, which doesn't support NAT, so things are fairly simple. */
 339static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
 340   struct sk_buff *skb, const struct net_device *in,
 341   const struct net_device *out, int (*okfn)(struct sk_buff *))
 342{
 343	struct ipv6hdr *hdr;
 344	u32 pkt_len;
 345	struct nf_bridge_info *nf_bridge;
 346
 347	if (skb->len < sizeof(struct ipv6hdr))
 348		goto inhdr_error;
 349
 350	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
 351		goto inhdr_error;
 352
 353	hdr = skb->nh.ipv6h;
 354
 355	if (hdr->version != 6)
 356		goto inhdr_error;
 357
 358	pkt_len = ntohs(hdr->payload_len);
 359
 360	if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
 361		if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
 362			goto inhdr_error;
 363		if (pkt_len + sizeof(struct ipv6hdr) < skb->len) {
 364			if (__pskb_trim(skb, pkt_len + sizeof(struct ipv6hdr)))
 365				goto inhdr_error;
 366			if (skb->ip_summed == CHECKSUM_HW)
 367				skb->ip_summed = CHECKSUM_NONE;
 368		}
 369	}
 370	if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
 371			goto inhdr_error;
 372
 373	if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
 374		return NF_DROP;
 375	setup_pre_routing(skb);
 376
 377	NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
 378		br_nf_pre_routing_finish_ipv6);
 379
 380	return NF_STOLEN;
 381
 382inhdr_error:
 383	return NF_DROP;
 384}
 385
 386/* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 387 * Replicate the checks that IPv4 does on packet reception.
 388 * Set skb->dev to the bridge device (i.e. parent of the
 389 * receiving device) to make netfilter happy, the REDIRECT
 390 * target in particular.  Save the original destination IP
 391 * address to be able to detect DNAT afterwards. */
 392static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
 393   const struct net_device *in, const struct net_device *out,
 394   int (*okfn)(struct sk_buff *))
 395{
 396	struct iphdr *iph;
 397	__u32 len;
 398	struct sk_buff *skb = *pskb;
 399	struct nf_bridge_info *nf_bridge;
 400	struct vlan_ethhdr *hdr = vlan_eth_hdr(*pskb);
 401
 402	if (skb->protocol == __constant_htons(ETH_P_IPV6) || IS_VLAN_IPV6) {
 403#ifdef CONFIG_SYSCTL
 404		if (!brnf_call_ip6tables)
 405			return NF_ACCEPT;
 406#endif
 407		if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
 408			goto out;
 409
 410		if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 411			skb_pull(skb, VLAN_HLEN);
 412			(skb)->nh.raw += VLAN_HLEN;
 413		}
 414		return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
 415	}
 416#ifdef CONFIG_SYSCTL
 417	if (!brnf_call_iptables)
 418		return NF_ACCEPT;
 419#endif
 420
 421	if (skb->protocol != __constant_htons(ETH_P_IP) && !IS_VLAN_IP)
 422		return NF_ACCEPT;
 423
 424	if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
 425		goto out;
 426
 427	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 428		skb_pull(skb, VLAN_HLEN);
 429		(skb)->nh.raw += VLAN_HLEN;
 430	}
 431
 432	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 433		goto inhdr_error;
 434
 435	iph = skb->nh.iph;
 436	if (iph->ihl < 5 || iph->version != 4)
 437		goto inhdr_error;
 438
 439	if (!pskb_may_pull(skb, 4*iph->ihl))
 440		goto inhdr_error;
 441
 442	iph = skb->nh.iph;
 443	if (ip_fast_csum((__u8 *)iph, iph->ihl) != 0)
 444		goto inhdr_error;
 445
 446	len = ntohs(iph->tot_len);
 447	if (skb->len < len || len < 4*iph->ihl)
 448		goto inhdr_error;
 449
 450	if (skb->len > len) {
 451		__pskb_trim(skb, len);
 452		if (skb->ip_summed == CHECKSUM_HW)
 453			skb->ip_summed = CHECKSUM_NONE;
 454	}
 455
 456	if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
 457		return NF_DROP;
 458	setup_pre_routing(skb);
 459	store_orig_dstaddr(skb);
 460
 461	NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
 462		br_nf_pre_routing_finish);
 463
 464	return NF_STOLEN;
 465
 466inhdr_error:
 467//	IP_INC_STATS_BH(IpInHdrErrors);
 468out:
 469	return NF_DROP;
 470}
 471
 472
 473/* PF_BRIDGE/LOCAL_IN ************************************************/
 474/* The packet is locally destined, which requires a real
 475 * dst_entry, so detach the fake one.  On the way up, the
 476 * packet would pass through PRE_ROUTING again (which already
 477 * took place when the packet entered the bridge), but we
 478 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 479 * prevent this from happening. */
 480static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb,
 481   const struct net_device *in, const struct net_device *out,
 482   int (*okfn)(struct sk_buff *))
 483{
 484	struct sk_buff *skb = *pskb;
 485
 486	if (skb->dst == (struct dst_entry *)&__fake_rtable) {
 487		dst_release(skb->dst);
 488		skb->dst = NULL;
 489	}
 490
 491	return NF_ACCEPT;
 492}
 493
 494
 495/* PF_BRIDGE/FORWARD *************************************************/
 496static int br_nf_forward_finish(struct sk_buff *skb)
 497{
 498	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 499	struct net_device *in;
 500	struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 501
 502	if (skb->protocol != __constant_htons(ETH_P_ARP) && !IS_VLAN_ARP) {
 503		in = nf_bridge->physindev;
 504		if (nf_bridge->mask & BRNF_PKT_TYPE) {
 505			skb->pkt_type = PACKET_OTHERHOST;
 506			nf_bridge->mask ^= BRNF_PKT_TYPE;
 507		}
 508	} else {
 509		in = *((struct net_device **)(skb->cb));
 510	}
 511	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 512		skb_push(skb, VLAN_HLEN);
 513		skb->nh.raw -= VLAN_HLEN;
 514	}
 515	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
 516			skb->dev, br_forward_finish, 1);
 517	return 0;
 518}
 519
 520/* This is the 'purely bridged' case.  For IP, we pass the packet to
 521 * netfilter with indev and outdev set to the bridge device,
 522 * but we are still able to filter on the 'real' indev/outdev
 523 * because of the physdev module. For ARP, indev and outdev are the
 524 * bridge ports. */
 525static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff **pskb,
 526   const struct net_device *in, const struct net_device *out,
 527   int (*okfn)(struct sk_buff *))
 528{
 529	struct sk_buff *skb = *pskb;
 530	struct nf_bridge_info *nf_bridge;
 531	struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 532	int pf;
 533
 534	if (!skb->nf_bridge)
 535		return NF_ACCEPT;
 536
 537	if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
 538		pf = PF_INET;
 539	else
 540		pf = PF_INET6;
 541
 542	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 543		skb_pull(*pskb, VLAN_HLEN);
 544		(*pskb)->nh.raw += VLAN_HLEN;
 545	}
 546
 547	nf_bridge = skb->nf_bridge;
 548	if (skb->pkt_type == PACKET_OTHERHOST) {
 549		skb->pkt_type = PACKET_HOST;
 550		nf_bridge->mask |= BRNF_PKT_TYPE;
 551	}
 552
 553	/* The physdev module checks on this */
 554	nf_bridge->mask |= BRNF_BRIDGED;
 555	nf_bridge->physoutdev = skb->dev;
 556
 557	NF_HOOK(pf, NF_IP_FORWARD, skb, bridge_parent(in),
 558		bridge_parent(out), br_nf_forward_finish);
 559
 560	return NF_STOLEN;
 561}
 562
 563static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff **pskb,
 564   const struct net_device *in, const struct net_device *out,
 565   int (*okfn)(struct sk_buff *))
 566{
 567	struct sk_buff *skb = *pskb;
 568	struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 569	struct net_device **d = (struct net_device **)(skb->cb);
 570
 571#ifdef CONFIG_SYSCTL
 572	if (!brnf_call_arptables)
 573		return NF_ACCEPT;
 574#endif
 575
 576	if (skb->protocol != __constant_htons(ETH_P_ARP)) {
 577		if (!IS_VLAN_ARP)
 578			return NF_ACCEPT;
 579		skb_pull(*pskb, VLAN_HLEN);
 580		(*pskb)->nh.raw += VLAN_HLEN;
 581	}
 582
 583	if (skb->nh.arph->ar_pln != 4) {
 584		if (IS_VLAN_ARP) {
 585			skb_push(*pskb, VLAN_HLEN);
 586			(*pskb)->nh.raw -= VLAN_HLEN;
 587		}
 588		return NF_ACCEPT;
 589	}
 590	*d = (struct net_device *)in;
 591	NF_HOOK(NF_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
 592		(struct net_device *)out, br_nf_forward_finish);
 593
 594	return NF_STOLEN;
 595}
 596
 597
 598/* PF_BRIDGE/LOCAL_OUT ***********************************************/
 599static int br_nf_local_out_finish(struct sk_buff *skb)
 600{
 601	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 602		skb_push(skb, VLAN_HLEN);
 603		skb->nh.raw -= VLAN_HLEN;
 604	}
 605
 606	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
 607			br_forward_finish, NF_BR_PRI_FIRST + 1);
 608
 609	return 0;
 610}
 611
 612/* This function sees both locally originated IP packets and forwarded
 613 * IP packets (in both cases the destination device is a bridge
 614 * device). It also sees bridged-and-DNAT'ed packets.
 615 * To be able to filter on the physical bridge devices (with the physdev
 616 * module), we steal packets destined to a bridge device away from the
 617 * PF_INET/FORWARD and PF_INET/OUTPUT hook functions, and give them back later,
 618 * when we have determined the real output device. This is done in here.
 619 *
 620 * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
 621 * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
 622 * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
 623 * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
 624 * will be executed.
 625 * Otherwise, if nf_bridge->physindev is NULL, the bridge-nf code never touched
 626 * this packet before, and so the packet was locally originated. We fake
 627 * the PF_INET/LOCAL_OUT hook.
 628 * Finally, if nf_bridge->physindev isn't NULL, then the packet was IP routed,
 629 * so we fake the PF_INET/FORWARD hook. ip_sabotage_out() makes sure
 630 * even routed packets that didn't arrive on a bridge interface have their
 631 * nf_bridge->physindev set. */
 632static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff **pskb,
 633   const struct net_device *in, const struct net_device *out,
 634   int (*okfn)(struct sk_buff *))
 635{
 636	struct net_device *realindev, *realoutdev;
 637	struct sk_buff *skb = *pskb;
 638	struct nf_bridge_info *nf_bridge;
 639	struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 640	int pf;
 641
 642	if (!skb->nf_bridge)
 643		return NF_ACCEPT;
 644
 645	if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
 646		pf = PF_INET;
 647	else
 648		pf = PF_INET6;
 649
 650#ifdef CONFIG_NETFILTER_DEBUG
 651	/* Sometimes we get packets with NULL ->dst here (for example,
 652	 * running a dhcp client daemon triggers this). This should now
 653	 * be fixed, but let's keep the check around. */
 654	if (skb->dst == NULL) {
 655		printk(KERN_CRIT "br_netfilter: skb->dst == NULL.");
 656		return NF_ACCEPT;
 657	}
 658#endif
 659
 660	nf_bridge = skb->nf_bridge;
 661	nf_bridge->physoutdev = skb->dev;
 662	realindev = nf_bridge->physindev;
 663
 664	/* Bridged, take PF_BRIDGE/FORWARD.
 665	 * (see big note in front of br_nf_pre_routing_finish) */
 666	if (nf_bridge->mask & BRNF_BRIDGED_DNAT) {
 667		if (nf_bridge->mask & BRNF_PKT_TYPE) {
 668			skb->pkt_type = PACKET_OTHERHOST;
 669			nf_bridge->mask ^= BRNF_PKT_TYPE;
 670		}
 671		if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 672			skb_push(skb, VLAN_HLEN);
 673			skb->nh.raw -= VLAN_HLEN;
 674		}
 675
 676		NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev,
 677			skb->dev, br_forward_finish);
 678		goto out;
 679	}
 680	realoutdev = bridge_parent(skb->dev);
 681
 682#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
 683	/* iptables should match -o br0.x */
 684	if (nf_bridge->netoutdev)
 685		realoutdev = nf_bridge->netoutdev;
 686#endif
 687	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 688		skb_pull(skb, VLAN_HLEN);
 689		(*pskb)->nh.raw += VLAN_HLEN;
 690	}
 691	/* IP forwarded traffic has a physindev, locally
 692	 * generated traffic hasn't. */
 693	if (realindev != NULL) {
 694		if (!(nf_bridge->mask & BRNF_DONT_TAKE_PARENT) &&
 695		    has_bridge_parent(realindev))
 696			realindev = bridge_parent(realindev);
 697
 698		NF_HOOK_THRESH(pf, NF_IP_FORWARD, skb, realindev,
 699			       realoutdev, br_nf_local_out_finish,
 700			       NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD + 1);
 701	} else {
 702		NF_HOOK_THRESH(pf, NF_IP_LOCAL_OUT, skb, realindev,
 703			       realoutdev, br_nf_local_out_finish,
 704			       NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT + 1);
 705	}
 706
 707out:
 708	return NF_STOLEN;
 709}
 710
 711
 712/* PF_BRIDGE/POST_ROUTING ********************************************/
 713static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
 714   const struct net_device *in, const struct net_device *out,
 715   int (*okfn)(struct sk_buff *))
 716{
 717	struct sk_buff *skb = *pskb;
 718	struct nf_bridge_info *nf_bridge = (*pskb)->nf_bridge;
 719	struct vlan_ethhdr *hdr = vlan_eth_hdr(skb);
 720	struct net_device *realoutdev = bridge_parent(skb->dev);
 721	int pf;
 722
 723#ifdef CONFIG_NETFILTER_DEBUG
 724	/* Be very paranoid. This probably won't happen anymore, but let's
 725	 * keep the check just to be sure... */
 726	if (skb->mac.raw < skb->head || skb->mac.raw + ETH_HLEN > skb->data) {
 727		printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
 728				 "bad mac.raw pointer.");
 729		goto print_error;
 730	}
 731#endif
 732
 733	if (!nf_bridge)
 734		return NF_ACCEPT;
 735
 736	if (skb->protocol == __constant_htons(ETH_P_IP) || IS_VLAN_IP)
 737		pf = PF_INET;
 738	else
 739		pf = PF_INET6;
 740
 741#ifdef CONFIG_NETFILTER_DEBUG
 742	if (skb->dst == NULL) {
 743		printk(KERN_CRIT "br_netfilter: skb->dst == NULL.");
 744		goto print_error;
 745	}
 746#endif
 747
 748	/* We assume any code from br_dev_queue_push_xmit onwards doesn't care
 749	 * about the value of skb->pkt_type. */
 750	if (skb->pkt_type == PACKET_OTHERHOST) {
 751		skb->pkt_type = PACKET_HOST;
 752		nf_bridge->mask |= BRNF_PKT_TYPE;
 753	}
 754
 755	if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
 756		skb_pull(skb, VLAN_HLEN);
 757		skb->nh.raw += VLAN_HLEN;
 758	}
 759
 760	nf_bridge_save_header(skb);
 761
 762#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
 763	if (nf_bridge->netoutdev)
 764		realoutdev = nf_bridge->netoutdev;
 765#endif
 766	NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev,
 767	        br_dev_queue_push_xmit);
 768
 769	return NF_STOLEN;
 770
 771#ifdef CONFIG_NETFILTER_DEBUG
 772print_error:
 773	if (skb->dev != NULL) {
 774		printk("[%s]", skb->dev->name);
 775		if (has_bridge_parent(skb->dev))
 776			printk("[%s]", bridge_parent(skb->dev)->name);
 777	}
 778	printk(" head:%p, raw:%p, data:%p\n", skb->head, skb->mac.raw,
 779					      skb->data);
 780	return NF_ACCEPT;
 781#endif
 782}
 783
 784
 785/* IP/SABOTAGE *****************************************************/
 786/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
 787 * for the second time. */
 788static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff **pskb,
 789   const struct net_device *in, const struct net_device *out,
 790   int (*okfn)(struct sk_buff *))
 791{
 792	if ((*pskb)->nf_bridge &&
 793	    !((*pskb)->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
 794		return NF_STOP;
 795	}
 796
 797	return NF_ACCEPT;
 798}
 799
 800/* Postpone execution of PF_INET(6)/FORWARD, PF_INET(6)/LOCAL_OUT
 801 * and PF_INET(6)/POST_ROUTING until we have done the forwarding
 802 * decision in the bridge code and have determined nf_bridge->physoutdev. */
 803static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
 804   const struct net_device *in, const struct net_device *out,
 805   int (*okfn)(struct sk_buff *))
 806{
 807	struct sk_buff *skb = *pskb;
 808
 809	if ((out->hard_start_xmit == br_dev_xmit &&
 810	    okfn != br_nf_forward_finish &&
 811	    okfn != br_nf_local_out_finish &&
 812	    okfn != br_dev_queue_push_xmit)
 813#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
 814	    || ((out->priv_flags & IFF_802_1Q_VLAN) &&
 815	    VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit)
 816#endif
 817	    ) {
 818		struct nf_bridge_info *nf_bridge;
 819
 820		if (!skb->nf_bridge) {
 821#ifdef CONFIG_SYSCTL
 822			/* This code is executed while in the IP(v6) stack,
 823			   the version should be 4 or 6. We can't use
 824			   skb->protocol because that isn't set on
 825			   PF_INET(6)/LOCAL_OUT. */
 826			struct iphdr *ip = skb->nh.iph;
 827
 828			if (ip->version == 4 && !brnf_call_iptables)
 829				return NF_ACCEPT;
 830			else if (ip->version == 6 && !brnf_call_ip6tables)
 831				return NF_ACCEPT;
 832#endif
 833			if (hook == NF_IP_POST_ROUTING)
 834				return NF_ACCEPT;
 835			if (!nf_bridge_alloc(skb))
 836				return NF_DROP;
 837		}
 838
 839		nf_bridge = skb->nf_bridge;
 840
 841		/* This frame will arrive on PF_BRIDGE/LOCAL_OUT and we
 842		 * will need the indev then. For a brouter, the real indev
 843		 * can be a bridge port, so we make sure br_nf_local_out()
 844		 * doesn't use the bridge parent of the indev by using
 845		 * the BRNF_DONT_TAKE_PARENT mask. */
 846		if (hook == NF_IP_FORWARD && nf_bridge->physindev == NULL) {
 847			nf_bridge->mask |= BRNF_DONT_TAKE_PARENT;
 848			nf_bridge->physindev = (struct net_device *)in;
 849		}
 850#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
 851		/* the iptables outdev is br0.x, not br0 */
 852		if (out->priv_flags & IFF_802_1Q_VLAN)
 853			nf_bridge->netoutdev = (struct net_device *)out;
 854#endif
 855		return NF_STOP;
 856	}
 857
 858	return NF_ACCEPT;
 859}
 860
 861/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent
 862 * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input.
 863 * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
 864 * ip_refrag() can return NF_STOLEN. */
 865static struct nf_hook_ops br_nf_ops[] = {
 866	{ .hook = br_nf_pre_routing, 
 867	  .owner = THIS_MODULE, 
 868	  .pf = PF_BRIDGE, 
 869	  .hooknum = NF_BR_PRE_ROUTING, 
 870	  .priority = NF_BR_PRI_BRNF, },
 871	{ .hook = br_nf_local_in,
 872	  .owner = THIS_MODULE,
 873	  .pf = PF_BRIDGE,
 874	  .hooknum = NF_BR_LOCAL_IN,
 875	  .priority = NF_BR_PRI_BRNF, },
 876	{ .hook = br_nf_forward_ip,
 877	  .owner = THIS_MODULE,
 878	  .pf = PF_BRIDGE,
 879	  .hooknum = NF_BR_FORWARD,
 880	  .priority = NF_BR_PRI_BRNF - 1, },
 881	{ .hook = br_nf_forward_arp,
 882	  .owner = THIS_MODULE,
 883	  .pf = PF_BRIDGE,
 884	  .hooknum = NF_BR_FORWARD,
 885	  .priority = NF_BR_PRI_BRNF, },
 886	{ .hook = br_nf_local_out,
 887	  .owner = THIS_MODULE,
 888	  .pf = PF_BRIDGE,
 889	  .hooknum = NF_BR_LOCAL_OUT,
 890	  .priority = NF_BR_PRI_FIRST, },
 891	{ .hook = br_nf_post_routing,
 892	  .owner = THIS_MODULE,
 893	  .pf = PF_BRIDGE,
 894	  .hooknum = NF_BR_POST_ROUTING,
 895	  .priority = NF_BR_PRI_LAST, },
 896	{ .hook = ip_sabotage_in,
 897	  .owner = THIS_MODULE,
 898	  .pf = PF_INET,
 899	  .hooknum = NF_IP_PRE_ROUTING,
 900	  .priority = NF_IP_PRI_FIRST, },
 901	{ .hook = ip_sabotage_in,
 902	  .owner = THIS_MODULE,
 903	  .pf = PF_INET6,
 904	  .hooknum = NF_IP6_PRE_ROUTING,
 905	  .priority = NF_IP6_PRI_FIRST, },
 906	{ .hook = ip_sabotage_out,
 907	  .owner = THIS_MODULE,
 908	  .pf = PF_INET,
 909	  .hooknum = NF_IP_FORWARD,
 910	  .priority = NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD, },
 911	{ .hook = ip_sabotage_out,
 912	  .owner = THIS_MODULE,
 913	  .pf = PF_INET6,
 914	  .hooknum = NF_IP6_FORWARD,
 915	  .priority = NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD, },
 916	{ .hook = ip_sabotage_out,
 917	  .owner = THIS_MODULE,
 918	  .pf = PF_INET,
 919	  .hooknum = NF_IP_LOCAL_OUT,
 920	  .priority = NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT, },
 921	{ .hook = ip_sabotage_out,
 922	  .owner = THIS_MODULE,
 923	  .pf = PF_INET6,
 924	  .hooknum = NF_IP6_LOCAL_OUT,
 925	  .priority = NF_IP6_PRI_BRIDGE_SABOTAGE_LOCAL_OUT, },
 926	{ .hook = ip_sabotage_out,
 927	  .owner = THIS_MODULE,
 928	  .pf = PF_INET,
 929	  .hooknum = NF_IP_POST_ROUTING,
 930	  .priority = NF_IP_PRI_FIRST, },
 931	{ .hook = ip_sabotage_out,
 932	  .owner = THIS_MODULE,
 933	  .pf = PF_INET6,
 934	  .hooknum = NF_IP6_POST_ROUTING,
 935	  .priority = NF_IP6_PRI_FIRST, },
 936};
 937
 938#ifdef CONFIG_SYSCTL
 939static
 940int brnf_sysctl_call_tables(ctl_table *ctl, int write, struct file * filp,
 941			void __user *buffer, size_t *lenp, loff_t *ppos)
 942{
 943	int ret;
 944
 945	ret = proc_dointvec(ctl, write, filp, buffer, lenp, ppos);
 946
 947	if (write && *(int *)(ctl->data))
 948		*(int *)(ctl->data) = 1;
 949	return ret;
 950}
 951
 952static ctl_table brnf_table[] = {
 953	{
 954		.ctl_name	= NET_BRIDGE_NF_CALL_ARPTABLES,
 955		.procname	= "bridge-nf-call-arptables",
 956		.data		= &brnf_call_arptables,
 957		.maxlen		= sizeof(int),
 958		.mode		= 0644,
 959		.proc_handler	= &brnf_sysctl_call_tables,
 960	},
 961	{
 962		.ctl_name	= NET_BRIDGE_NF_CALL_IPTABLES,
 963		.procname	= "bridge-nf-call-iptables",
 964		.data		= &brnf_call_iptables,
 965		.maxlen		= sizeof(int),
 966		.mode		= 0644,
 967		.proc_handler	= &brnf_sysctl_call_tables,
 968	},
 969	{
 970		.ctl_name	= NET_BRIDGE_NF_CALL_IP6TABLES,
 971		.procname	= "bridge-nf-call-ip6tables",
 972		.data		= &brnf_call_ip6tables,
 973		.maxlen		= sizeof(int),
 974		.mode		= 0644,
 975		.proc_handler	= &brnf_sysctl_call_tables,
 976	},
 977	{
 978		.ctl_name	= NET_BRIDGE_NF_FILTER_VLAN_TAGGED,
 979		.procname	= "bridge-nf-filter-vlan-tagged",
 980		.data		= &brnf_filter_vlan_tagged,
 981		.maxlen		= sizeof(int),
 982		.mode		= 0644,
 983		.proc_handler	= &brnf_sysctl_call_tables,
 984	},
 985	{ .ctl_name = 0 }
 986};
 987
 988static ctl_table brnf_bridge_table[] = {
 989	{
 990		.ctl_name	= NET_BRIDGE,
 991		.procname	= "bridge",
 992		.mode		= 0555,
 993		.child		= brnf_table,
 994	},
 995	{ .ctl_name = 0 }
 996};
 997
 998static ctl_table brnf_net_table[] = {
 999	{
1000		.ctl_name	= CTL_NET,
1001		.procname	= "net",
1002		.mode		= 0555,
1003		.child		= brnf_bridge_table,
1004	},
1005	{ .ctl_name = 0 }
1006};
1007#endif
1008
1009int br_netfilter_init(void)
1010{
1011	int i;
1012
1013	for (i = 0; i < ARRAY_SIZE(br_nf_ops); i++) {
1014		int ret;
1015
1016		if ((ret = nf_register_hook(&br_nf_ops[i])) >= 0)
1017			continue;
1018
1019		while (i--)
1020			nf_unregister_hook(&br_nf_ops[i]);
1021
1022		return ret;
1023	}
1024
1025#ifdef CONFIG_SYSCTL
1026	brnf_sysctl_header = register_sysctl_table(brnf_net_table, 0);
1027	if (brnf_sysctl_header == NULL) {
1028		printk(KERN_WARNING "br_netfilter: can't register to sysctl.\n");
1029		for (i = 0; i < ARRAY_SIZE(br_nf_ops); i++)
1030			nf_unregister_hook(&br_nf_ops[i]);
1031		return -EFAULT;
1032	}
1033#endif
1034
1035	printk(KERN_NOTICE "Bridge firewalling registered\n");
1036
1037	return 0;
1038}
1039
1040void br_netfilter_fini(void)
1041{
1042	int i;
1043
1044	for (i = ARRAY_SIZE(br_nf_ops) - 1; i >= 0; i--)
1045		nf_unregister_hook(&br_nf_ops[i]);
1046#ifdef CONFIG_SYSCTL
1047	unregister_sysctl_table(brnf_sysctl_header);
1048#endif
1049}
Configure Feed

Configure Feed
