
netfilter: bridge: port sysctls to use brnf_net

This ports the sysctls to use struct brnf_net.

With this patch we make it possible to namespace the br_netfilter module in
the following patch.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Christian Brauner and committed by
Pablo Neira Ayuso
ff6d090d 9911c113

+107 -60
+2 -1
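--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -42,7 +42,8 @@
 	return port ? &port->br->fake_rtable : NULL;
 }
 
-struct net_device *setup_pre_routing(struct sk_buff *skb);
+struct net_device *setup_pre_routing(struct sk_buff *skb,
+				     const struct net *net);
 
 #if IS_ENABLED(CONFIG_IPV6)
 int br_validate_ipv6(struct net *net, struct sk_buff *skb);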
+104 -58
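--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -49,26 +49,23 @@
 
 static unsigned int brnf_net_id __read_mostly;
 
-struct brnf_net {
-	bool enabled;
-};
-
 #ifdef CONFIG_SYSCTL
 static struct ctl_table_header *brnf_sysctl_header;
-static int brnf_call_iptables __read_mostly = 1;
-static int brnf_call_ip6tables __read_mostly = 1;
-static int brnf_call_arptables __read_mostly = 1;
-static int brnf_filter_vlan_tagged __read_mostly;
-static int brnf_filter_pppoe_tagged __read_mostly;
-static int brnf_pass_vlan_indev __read_mostly;
-#else
-#define brnf_call_iptables 1
-#define brnf_call_ip6tables 1
-#define brnf_call_arptables 1
-#define brnf_filter_vlan_tagged 0
-#define brnf_filter_pppoe_tagged 0
-#define brnf_pass_vlan_indev 0
 #endif
+
+struct brnf_net {
+	bool enabled;
+
+	/* default value is 1 */
+	int call_iptables;
+	int call_ip6tables;
+	int call_arptables;
+
+	/* default value is 0 */
+	int filter_vlan_tagged;
+	int filter_pppoe_tagged;
+	int pass_vlan_indev;
+};
 
 #define IS_IP(skb) \
 	(!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
@@ -86,17 +89,28 @@
 	return 0;
 }
 
-#define IS_VLAN_IP(skb) \
-	(vlan_proto(skb) == htons(ETH_P_IP) && \
-	 brnf_filter_vlan_tagged)
+static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net)
+{
+	struct brnf_net *brnet = net_generic(net, brnf_net_id);
 
-#define IS_VLAN_IPV6(skb) \
-	(vlan_proto(skb) == htons(ETH_P_IPV6) && \
-	 brnf_filter_vlan_tagged)
+	return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged;
+}
 
-#define IS_VLAN_ARP(skb) \
-	(vlan_proto(skb) == htons(ETH_P_ARP) && \
-	 brnf_filter_vlan_tagged)
+static inline bool is_vlan_ipv6(const struct sk_buff *skb,
+				const struct net *net)
+{
+	struct brnf_net *brnet = net_generic(net, brnf_net_id);
+
+	return vlan_proto(skb) == htons(ETH_P_IPV6) &&
+	       brnet->filter_vlan_tagged;
+}
+
+static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net)
+{
+	struct brnf_net *brnet = net_generic(net, brnf_net_id);
+
+	return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged;
+}
 
 static inline __be16 pppoe_proto(const struct sk_buff *skb)
 {
@@ -115,15 +107,23 @@
 					 sizeof(struct pppoe_hdr)));
 }
 
-#define IS_PPPOE_IP(skb) \
-	(skb->protocol == htons(ETH_P_PPP_SES) && \
-	 pppoe_proto(skb) == htons(PPP_IP) && \
-	 brnf_filter_pppoe_tagged)
+static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net)
+{
+	struct brnf_net *brnet = net_generic(net, brnf_net_id);
 
-#define IS_PPPOE_IPV6(skb) \
-	(skb->protocol == htons(ETH_P_PPP_SES) && \
-	 pppoe_proto(skb) == htons(PPP_IPV6) && \
-	 brnf_filter_pppoe_tagged)
+	return skb->protocol == htons(ETH_P_PPP_SES) &&
+	       pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged;
+}
+
+static inline bool is_pppoe_ipv6(const struct sk_buff *skb,
+				 const struct net *net)
+{
+	struct brnf_net *brnet = net_generic(net, brnf_net_id);
+
+	return skb->protocol == htons(ETH_P_PPP_SES) &&
+	       pppoe_proto(skb) == htons(PPP_IPV6) &&
+	       brnet->filter_pppoe_tagged;
+}
 
 /* largest possible L2 header, see br_nf_dev_queue_xmit() */
 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
@@ -428,12 +412,16 @@
 	return 0;
 }
 
-static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct net_device *dev)
+static struct net_device *brnf_get_logical_dev(struct sk_buff *skb,
+					       const struct net_device *dev,
+					       const struct net *net)
 {
 	struct net_device *vlan, *br;
+	struct brnf_net *brnet = net_generic(net, brnf_net_id);
 
 	br = bridge_parent(dev);
-	if (brnf_pass_vlan_indev == 0 || !skb_vlan_tag_present(skb))
+
+	if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb))
 		return br;
 
 	vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto,
@@ -447,7 +427,7 @@
 }
 
 /* Some common code for IPv4/IPv6 */
-struct net_device *setup_pre_routing(struct sk_buff *skb)
+struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net)
 {
 	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 
@@ -458,7 +438,7 @@
 
 	nf_bridge->in_prerouting = 1;
 	nf_bridge->physindev = skb->dev;
-	skb->dev = brnf_get_logical_dev(skb, skb->dev);
+	skb->dev = brnf_get_logical_dev(skb, skb->dev, net);
 
 	if (skb->protocol == htons(ETH_P_8021Q))
 		nf_bridge->orig_proto = BRNF_PROTO_8021Q;
@@ -484,6 +464,7 @@
 	struct net_bridge_port *p;
 	struct net_bridge *br;
 	__u32 len = nf_bridge_encap_header_len(skb);
+	struct brnf_net *brnet;
 
 	if (unlikely(!pskb_may_pull(skb, len)))
 		return NF_DROP;
@@ -494,8 +473,10 @@
 		return NF_DROP;
 	br = p->br;
 
-	if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
-		if (!brnf_call_ip6tables &&
+	brnet = net_generic(state->net, brnf_net_id);
+	if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
+	    is_pppoe_ipv6(skb, state->net)) {
+		if (!brnet->call_ip6tables &&
 		    !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
 			return NF_ACCEPT;
 
@@ -505,10 +482,11 @@
 		return br_nf_pre_routing_ipv6(priv, skb, state);
 	}
 
-	if (!brnf_call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES))
+	if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES))
 		return NF_ACCEPT;
 
-	if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
+	if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) &&
+	    !is_pppoe_ip(skb, state->net))
 		return NF_ACCEPT;
 
 	nf_bridge_pull_encap_header_rcsum(skb);
@@ -519,7 +495,7 @@
 
 	if (!nf_bridge_alloc(skb))
 		return NF_DROP;
-	if (!setup_pre_routing(skb))
+	if (!setup_pre_routing(skb, state->net))
 		return NF_DROP;
 
 	nf_bridge = nf_bridge_info_get(skb);
@@ -542,7 +518,7 @@
 	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 	struct net_device *in;
 
-	if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
+	if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) {
 
 		if (skb->protocol == htons(ETH_P_IP))
 			nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
@@ -597,9 +573,11 @@
 	if (!parent)
 		return NF_DROP;
 
-	if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
+	if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
+	    is_pppoe_ip(skb, state->net))
 		pf = NFPROTO_IPV4;
-	else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
+	else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
+		 is_pppoe_ipv6(skb, state->net))
 		pf = NFPROTO_IPV6;
 	else
 		return NF_ACCEPT;
@@ -632,7 +606,7 @@
 		skb->protocol = htons(ETH_P_IPV6);
 
 	NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,
-		brnf_get_logical_dev(skb, state->in),
+		brnf_get_logical_dev(skb, state->in, state->net),
 		parent, br_nf_forward_finish);
 
 	return NF_STOLEN;
@@ -645,23 +619,25 @@
 	struct net_bridge_port *p;
 	struct net_bridge *br;
 	struct net_device **d = (struct net_device **)(skb->cb);
+	struct brnf_net *brnet;
 
 	p = br_port_get_rcu(state->out);
 	if (p == NULL)
 		return NF_ACCEPT;
 	br = p->br;
 
-	if (!brnf_call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
+	brnet = net_generic(state->net, brnf_net_id);
+	if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
 		return NF_ACCEPT;
 
 	if (!IS_ARP(skb)) {
-		if (!IS_VLAN_ARP(skb))
+		if (!is_vlan_arp(skb, state->net))
 			return NF_ACCEPT;
 		nf_bridge_pull_encap_header(skb);
 	}
 
 	if (arp_hdr(skb)->ar_pln != 4) {
-		if (IS_VLAN_ARP(skb))
+		if (is_vlan_arp(skb, state->net))
 			nf_bridge_push_encap_header(skb);
 		return NF_ACCEPT;
 	}
@@ -823,9 +795,11 @@
 	if (!realoutdev)
 		return NF_DROP;
 
-	if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
+	if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
+	    is_pppoe_ip(skb, state->net))
 		pf = NFPROTO_IPV4;
-	else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
+	else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
+		 is_pppoe_ipv6(skb, state->net))
 		pf = NFPROTO_IPV6;
 	else
 		return NF_ACCEPT;
@@ -1055,53 +1025,59 @@
 static struct ctl_table brnf_table[] = {
 	{
 		.procname	= "bridge-nf-call-arptables",
-		.data		= &brnf_call_arptables,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
 	{
 		.procname	= "bridge-nf-call-iptables",
-		.data		= &brnf_call_iptables,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
 	{
 		.procname	= "bridge-nf-call-ip6tables",
-		.data		= &brnf_call_ip6tables,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
 	{
 		.procname	= "bridge-nf-filter-vlan-tagged",
-		.data		= &brnf_filter_vlan_tagged,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
 	{
 		.procname	= "bridge-nf-filter-pppoe-tagged",
-		.data		= &brnf_filter_pppoe_tagged,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
 	{
 		.procname	= "bridge-nf-pass-vlan-input-dev",
-		.data		= &brnf_pass_vlan_indev,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
 	{ }
 };
+
+static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
+{
+	brnf->call_iptables = 1;
+	brnf->call_ip6tables = 1;
+	brnf->call_arptables = 1;
+	brnf->filter_vlan_tagged = 0;
+	brnf->filter_pppoe_tagged = 0;
+	brnf->pass_vlan_indev = 0;
+}
+
 #endif
 
 static int __init br_netfilter_init(void)
 {
 	int ret;
+	struct brnf_net *brnet;
 
 	ret = register_pernet_subsys(&brnf_net_ops);
 	if (ret < 0)
@@ -1120,6 +1084,16 @@
 }
 
 #ifdef CONFIG_SYSCTL
+	brnet = net_generic(&init_net, brnf_net_id);
+	brnf_table[0].data = &brnet->call_arptables;
+	brnf_table[1].data = &brnet->call_iptables;
+	brnf_table[2].data = &brnet->call_ip6tables;
+	brnf_table[3].data = &brnet->filter_vlan_tagged;
+	brnf_table[4].data = &brnet->filter_pppoe_tagged;
+	brnf_table[5].data = &brnet->pass_vlan_indev;
+
+	br_netfilter_sysctl_default(brnet);
+
 	brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
 	if (brnf_sysctl_header == NULL) {
 		printk(KERN_WARNING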
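Review bot: The default values are now only applied under CONFIG_SYSCTL, because both `br_netfilter_sysctl_default()` and its single call in br_netfilter_init sit inside `#ifdef CONFIG_SYSCTL`, whereas the removed `#else` branch defined brnf_call_iptables/ip6tables/arptables as 1 for !CONFIG_SYSCTL builds. On such a kernel the per-net storage returned by net_generic() is presumably still zeroed, so `!brnet->call_iptables` in br_nf_pre_routing (and the call_ip6tables / call_arptables checks in the same and the ARP hook) returns NF_ACCEPT for every bridge that has no BROPT_NF_CALL_* option set, i.e. bridged traffic silently stops reaching the iptables hooks — a filtering bypass relative to the previous behaviour. Move the helper out of the `#ifdef` and call it unconditionally right after the register_pernet_subsys error check: `brnet = net_generic(&init_net, brnf_net_id);` `br_netfilter_sysctl_default(brnet);` and then keep only the `.data` assignments and register_net_sysctl under CONFIG_SYSCTL. The static brnf_table `.data` pointers are also bound to init_net's brnf_net alone, so until the follow-up namespacing patch the description mentions only init_net is tunable; a one-line comment above the `brnf_table[0].data` assignment, e.g. `/* sysctls are registered for init_net only; other netns keep the defaults */`, would spare readers of this intermediate state a search.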
+1 -1
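--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -228,7 +228,7 @@
 	nf_bridge = nf_bridge_alloc(skb);
 	if (!nf_bridge)
 		return NF_DROP;
-	if (!setup_pre_routing(skb))
+	if (!setup_pre_routing(skb, state->net))
 		return NF_DROP;
 
 	nf_bridge = nf_bridge_info_get(skb);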