1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Handle firewalling
4 * Linux ethernet bridge
5 *
6 * Authors:
7 * Lennert Buytenhek <buytenh@gnu.org>
8 * Bart De Schuymer <bdschuym@pandora.be>
9 *
10 * Lennert dedicates this file to Kerstin Wurdinger.
11 */
12
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/slab.h>
16 #include <linux/ip.h>
17 #include <linux/netdevice.h>
18 #include <linux/skbuff.h>
19 #include <linux/if_arp.h>
20 #include <linux/if_ether.h>
21 #include <linux/if_vlan.h>
22 #include <linux/if_pppox.h>
23 #include <linux/ppp_defs.h>
24 #include <linux/netfilter_bridge.h>
25 #include <uapi/linux/netfilter_bridge.h>
26 #include <linux/netfilter_ipv4.h>
27 #include <linux/netfilter_ipv6.h>
28 #include <linux/netfilter_arp.h>
29 #include <linux/in_route.h>
30 #include <linux/rculist.h>
31 #include <linux/inetdevice.h>
32
33 #include <net/ip.h>
34 #include <net/ipv6.h>
35 #include <net/addrconf.h>
36 #include <net/dst_metadata.h>
37 #include <net/route.h>
38 #include <net/netfilter/br_netfilter.h>
39 #include <net/netns/generic.h>
40 #include <net/inet_dscp.h>
41
42 #include <linux/uaccess.h>
43 #include "br_private.h"
44 #ifdef CONFIG_SYSCTL
45 #include <linux/sysctl.h>
46 #endif
47
48 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
49 #include <net/netfilter/nf_conntrack_core.h>
50 #endif
51
52 static unsigned int brnf_net_id __read_mostly;
53
54 struct brnf_net {
55 bool enabled;
56
57 #ifdef CONFIG_SYSCTL
58 struct ctl_table_header *ctl_hdr;
59 #endif
60
61 /* default value is 1 */
62 int call_iptables;
63 int call_ip6tables;
64 int call_arptables;
65
66 /* default value is 0 */
67 int filter_vlan_tagged;
68 int filter_pppoe_tagged;
69 int pass_vlan_indev;
70 };
71
72 #define IS_IP(skb) \
73 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
74
75 #define IS_IPV6(skb) \
76 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
77
78 #define IS_ARP(skb) \
79 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
80
vlan_proto(const struct sk_buff * skb)81 static inline __be16 vlan_proto(const struct sk_buff *skb)
82 {
83 if (skb_vlan_tag_present(skb))
84 return skb->protocol;
85 else if (skb->protocol == htons(ETH_P_8021Q))
86 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
87 else
88 return 0;
89 }
90
is_vlan_ip(const struct sk_buff * skb,const struct net * net)91 static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net)
92 {
93 struct brnf_net *brnet = net_generic(net, brnf_net_id);
94
95 return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged;
96 }
97
is_vlan_ipv6(const struct sk_buff * skb,const struct net * net)98 static inline bool is_vlan_ipv6(const struct sk_buff *skb,
99 const struct net *net)
100 {
101 struct brnf_net *brnet = net_generic(net, brnf_net_id);
102
103 return vlan_proto(skb) == htons(ETH_P_IPV6) &&
104 brnet->filter_vlan_tagged;
105 }
106
is_vlan_arp(const struct sk_buff * skb,const struct net * net)107 static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net)
108 {
109 struct brnf_net *brnet = net_generic(net, brnf_net_id);
110
111 return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged;
112 }
113
pppoe_proto(const struct sk_buff * skb)114 static inline __be16 pppoe_proto(const struct sk_buff *skb)
115 {
116 return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
117 sizeof(struct pppoe_hdr)));
118 }
119
is_pppoe_ip(const struct sk_buff * skb,const struct net * net)120 static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net)
121 {
122 struct brnf_net *brnet = net_generic(net, brnf_net_id);
123
124 return skb->protocol == htons(ETH_P_PPP_SES) &&
125 pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged;
126 }
127
is_pppoe_ipv6(const struct sk_buff * skb,const struct net * net)128 static inline bool is_pppoe_ipv6(const struct sk_buff *skb,
129 const struct net *net)
130 {
131 struct brnf_net *brnet = net_generic(net, brnf_net_id);
132
133 return skb->protocol == htons(ETH_P_PPP_SES) &&
134 pppoe_proto(skb) == htons(PPP_IPV6) &&
135 brnet->filter_pppoe_tagged;
136 }
137
138 /* largest possible L2 header, see br_nf_dev_queue_xmit() */
139 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
140
141 struct brnf_frag_data {
142 local_lock_t bh_lock;
143 char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH];
144 u8 encap_size;
145 u8 size;
146 u16 vlan_tci;
147 __be16 vlan_proto;
148 };
149
150 static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage) = {
151 .bh_lock = INIT_LOCAL_LOCK(bh_lock),
152 };
153
nf_bridge_info_free(struct sk_buff * skb)154 static void nf_bridge_info_free(struct sk_buff *skb)
155 {
156 skb_ext_del(skb, SKB_EXT_BRIDGE_NF);
157 }
158
bridge_parent(const struct net_device * dev)159 static inline struct net_device *bridge_parent(const struct net_device *dev)
160 {
161 struct net_bridge_port *port;
162
163 port = br_port_get_rcu(dev);
164 return port ? port->br->dev : NULL;
165 }
166
nf_bridge_unshare(struct sk_buff * skb)167 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
168 {
169 return skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
170 }
171
nf_bridge_encap_header_len(const struct sk_buff * skb)172 unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
173 {
174 switch (skb->protocol) {
175 case __cpu_to_be16(ETH_P_8021Q):
176 return VLAN_HLEN;
177 case __cpu_to_be16(ETH_P_PPP_SES):
178 return PPPOE_SES_HLEN;
179 default:
180 return 0;
181 }
182 }
183
nf_bridge_pull_encap_header(struct sk_buff * skb)184 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
185 {
186 unsigned int len = nf_bridge_encap_header_len(skb);
187
188 skb_pull(skb, len);
189 skb->network_header += len;
190 }
191
nf_bridge_pull_encap_header_rcsum(struct sk_buff * skb)192 static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
193 {
194 unsigned int len = nf_bridge_encap_header_len(skb);
195
196 skb_pull_rcsum(skb, len);
197 skb->network_header += len;
198 }
199
200 /* When handing a packet over to the IP layer
201 * check whether we have a skb that is in the
202 * expected format
203 */
204
br_validate_ipv4(struct net * net,struct sk_buff * skb)205 static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
206 {
207 const struct iphdr *iph;
208 u32 len;
209
210 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
211 goto inhdr_error;
212
213 iph = ip_hdr(skb);
214
215 /* Basic sanity checks */
216 if (iph->ihl < 5 || iph->version != 4)
217 goto inhdr_error;
218
219 if (!pskb_may_pull(skb, iph->ihl*4))
220 goto inhdr_error;
221
222 iph = ip_hdr(skb);
223 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
224 goto csum_error;
225
226 len = skb_ip_totlen(skb);
227 if (skb->len < len) {
228 __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
229 goto drop;
230 } else if (len < (iph->ihl*4))
231 goto inhdr_error;
232
233 if (pskb_trim_rcsum(skb, len)) {
234 __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
235 goto drop;
236 }
237
238 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
239 /* We should really parse IP options here but until
240 * somebody who actually uses IP options complains to
241 * us we'll just silently ignore the options because
242 * we're lazy!
243 */
244 return 0;
245
246 csum_error:
247 __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
248 inhdr_error:
249 __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
250 drop:
251 return -1;
252 }
253
nf_bridge_update_protocol(struct sk_buff * skb)254 void nf_bridge_update_protocol(struct sk_buff *skb)
255 {
256 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
257
258 switch (nf_bridge->orig_proto) {
259 case BRNF_PROTO_8021Q:
260 skb->protocol = htons(ETH_P_8021Q);
261 break;
262 case BRNF_PROTO_PPPOE:
263 skb->protocol = htons(ETH_P_PPP_SES);
264 break;
265 case BRNF_PROTO_UNCHANGED:
266 break;
267 }
268 }
269
270 /* Obtain the correct destination MAC address, while preserving the original
271 * source MAC address. If we already know this address, we just copy it. If we
272 * don't, we use the neighbour framework to find out. In both cases, we make
273 * sure that br_handle_frame_finish() is called afterwards.
274 */
br_nf_pre_routing_finish_bridge(struct net * net,struct sock * sk,struct sk_buff * skb)275 int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb)
276 {
277 struct neighbour *neigh;
278 struct dst_entry *dst;
279
280 skb->dev = bridge_parent(skb->dev);
281 if (!skb->dev)
282 goto free_skb;
283 dst = skb_dst(skb);
284 neigh = dst_neigh_lookup_skb(dst, skb);
285 if (neigh) {
286 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
287 int ret;
288
289 if ((READ_ONCE(neigh->nud_state) & NUD_CONNECTED) &&
290 READ_ONCE(neigh->hh.hh_len)) {
291 struct net_device *br_indev;
292
293 br_indev = nf_bridge_get_physindev(skb, net);
294 if (!br_indev) {
295 neigh_release(neigh);
296 goto free_skb;
297 }
298
299 neigh_hh_bridge(&neigh->hh, skb);
300 skb->dev = br_indev;
301
302 ret = br_handle_frame_finish(net, sk, skb);
303 } else {
304 /* the neighbour function below overwrites the complete
305 * MAC header, so we save the Ethernet source address and
306 * protocol number.
307 */
308 skb_copy_from_linear_data_offset(skb,
309 -(ETH_HLEN-ETH_ALEN),
310 nf_bridge->neigh_header,
311 ETH_HLEN-ETH_ALEN);
312 /* tell br_dev_xmit to continue with forwarding */
313 nf_bridge->bridged_dnat = 1;
314 /* FIXME Need to refragment */
315 ret = READ_ONCE(neigh->output)(neigh, skb);
316 }
317 neigh_release(neigh);
318 return ret;
319 }
320 free_skb:
321 kfree_skb(skb);
322 return 0;
323 }
324
325 static inline bool
br_nf_ipv4_daddr_was_changed(const struct sk_buff * skb,const struct nf_bridge_info * nf_bridge)326 br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
327 const struct nf_bridge_info *nf_bridge)
328 {
329 return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
330 }
331
332 /* This requires some explaining. If DNAT has taken place,
333 * we will need to fix up the destination Ethernet address.
334 * This is also true when SNAT takes place (for the reply direction).
335 *
336 * There are two cases to consider:
337 * 1. The packet was DNAT'ed to a device in the same bridge
338 * port group as it was received on. We can still bridge
339 * the packet.
340 * 2. The packet was DNAT'ed to a different device, either
341 * a non-bridged device or another bridge port group.
342 * The packet will need to be routed.
343 *
344 * The correct way of distinguishing between these two cases is to
345 * call ip_route_input() and to look at skb->dst->dev, which is
346 * changed to the destination device if ip_route_input() succeeds.
347 *
348 * Let's first consider the case that ip_route_input() succeeds:
349 *
350 * If the output device equals the logical bridge device the packet
351 * came in on, we can consider this bridging. The corresponding MAC
352 * address will be obtained in br_nf_pre_routing_finish_bridge.
353 * Otherwise, the packet is considered to be routed and we just
354 * change the destination MAC address so that the packet will
355 * later be passed up to the IP stack to be routed. For a redirected
356 * packet, ip_route_input() will give back the localhost as output device,
357 * which differs from the bridge device.
358 *
359 * Let's now consider the case that ip_route_input() fails:
360 *
361 * This can be because the destination address is martian, in which case
362 * the packet will be dropped.
363 * If IP forwarding is disabled, ip_route_input() will fail, while
364 * ip_route_output_key() can return success. The source
365 * address for ip_route_output_key() is set to zero, so ip_route_output_key()
366 * thinks we're handling a locally generated packet and won't care
367 * if IP forwarding is enabled. If the output device equals the logical bridge
368 * device, we proceed as if ip_route_input() succeeded. If it differs from the
369 * logical bridge port or if ip_route_output_key() fails we drop the packet.
370 */
br_nf_pre_routing_finish(struct net * net,struct sock * sk,struct sk_buff * skb)371 static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
372 {
373 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
374 struct net_device *dev = skb->dev, *br_indev;
375 const struct iphdr *iph = ip_hdr(skb);
376 enum skb_drop_reason reason;
377 struct rtable *rt;
378
379 br_indev = nf_bridge_get_physindev(skb, net);
380 if (!br_indev) {
381 kfree_skb(skb);
382 return 0;
383 }
384
385 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
386
387 if (nf_bridge->pkt_otherhost) {
388 skb->pkt_type = PACKET_OTHERHOST;
389 nf_bridge->pkt_otherhost = false;
390 }
391 nf_bridge->in_prerouting = 0;
392 if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
393 reason = ip_route_input(skb, iph->daddr, iph->saddr,
394 ip4h_dscp(iph), dev);
395 if (reason) {
396 kfree_skb_reason(skb, reason);
397 return 0;
398 } else {
399 if (skb_dst(skb)->dev == dev) {
400 skb->dev = br_indev;
401 nf_bridge_update_protocol(skb);
402 nf_bridge_push_encap_header(skb);
403 br_nf_hook_thresh(NF_BR_PRE_ROUTING,
404 net, sk, skb, skb->dev,
405 NULL,
406 br_nf_pre_routing_finish_bridge);
407 return 0;
408 }
409 ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
410 skb->pkt_type = PACKET_HOST;
411 }
412 } else {
413 rt = bridge_parent_rtable(br_indev);
414 if (!rt) {
415 kfree_skb(skb);
416 return 0;
417 }
418 skb_dst_drop(skb);
419 skb_dst_set_noref(skb, &rt->dst);
420 }
421
422 skb->dev = br_indev;
423 nf_bridge_update_protocol(skb);
424 nf_bridge_push_encap_header(skb);
425 br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL,
426 br_handle_frame_finish);
427 return 0;
428 }
429
brnf_get_logical_dev(struct sk_buff * skb,const struct net_device * dev,const struct net * net)430 static struct net_device *brnf_get_logical_dev(struct sk_buff *skb,
431 const struct net_device *dev,
432 const struct net *net)
433 {
434 struct net_device *vlan, *br;
435 struct brnf_net *brnet = net_generic(net, brnf_net_id);
436
437 br = bridge_parent(dev);
438
439 if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb))
440 return br;
441
442 vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto,
443 skb_vlan_tag_get(skb) & VLAN_VID_MASK);
444
445 return vlan ? vlan : br;
446 }
447
448 /* Some common code for IPv4/IPv6 */
setup_pre_routing(struct sk_buff * skb,const struct net * net)449 struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net)
450 {
451 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
452
453 if (skb->pkt_type == PACKET_OTHERHOST) {
454 skb->pkt_type = PACKET_HOST;
455 nf_bridge->pkt_otherhost = true;
456 }
457
458 nf_bridge->in_prerouting = 1;
459 nf_bridge->physinif = skb->dev->ifindex;
460 skb->dev = brnf_get_logical_dev(skb, skb->dev, net);
461
462 if (skb->protocol == htons(ETH_P_8021Q))
463 nf_bridge->orig_proto = BRNF_PROTO_8021Q;
464 else if (skb->protocol == htons(ETH_P_PPP_SES))
465 nf_bridge->orig_proto = BRNF_PROTO_PPPOE;
466
467 /* Must drop socket now because of tproxy. */
468 skb_orphan(skb);
469 return skb->dev;
470 }
471
472 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
473 * Replicate the checks that IPv4 does on packet reception.
474 * Set skb->dev to the bridge device (i.e. parent of the
475 * receiving device) to make netfilter happy, the REDIRECT
476 * target in particular. Save the original destination IP
477 * address to be able to detect DNAT afterwards. */
br_nf_pre_routing(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)478 static unsigned int br_nf_pre_routing(void *priv,
479 struct sk_buff *skb,
480 const struct nf_hook_state *state)
481 {
482 struct nf_bridge_info *nf_bridge;
483 struct net_bridge_port *p;
484 struct net_bridge *br;
485 __u32 len = nf_bridge_encap_header_len(skb);
486 struct brnf_net *brnet;
487
488 if (unlikely(!pskb_may_pull(skb, len)))
489 return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0);
490
491 p = br_port_get_rcu(state->in);
492 if (p == NULL)
493 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0);
494 br = p->br;
495
496 brnet = net_generic(state->net, brnf_net_id);
497 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
498 is_pppoe_ipv6(skb, state->net)) {
499 if (!brnet->call_ip6tables &&
500 !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
501 return NF_ACCEPT;
502 if (!ipv6_mod_enabled()) {
503 pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
504 return NF_DROP_REASON(skb, SKB_DROP_REASON_IPV6DISABLED, 0);
505 }
506
507 nf_bridge_pull_encap_header_rcsum(skb);
508 return br_nf_pre_routing_ipv6(priv, skb, state);
509 }
510
511 if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES))
512 return NF_ACCEPT;
513
514 if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) &&
515 !is_pppoe_ip(skb, state->net))
516 return NF_ACCEPT;
517
518 nf_bridge_pull_encap_header_rcsum(skb);
519
520 if (br_validate_ipv4(state->net, skb))
521 return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);
522
523 if (!nf_bridge_alloc(skb))
524 return NF_DROP_REASON(skb, SKB_DROP_REASON_NOMEM, 0);
525 if (!setup_pre_routing(skb, state->net))
526 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0);
527
528 nf_bridge = nf_bridge_info_get(skb);
529 nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
530
531 skb->protocol = htons(ETH_P_IP);
532 skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
533
534 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
535 skb->dev, NULL,
536 br_nf_pre_routing_finish);
537
538 return NF_STOLEN;
539 }
540
541 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
542 /* conntracks' nf_confirm logic cannot handle cloned skbs referencing
543 * the same nf_conn entry, which will happen for multicast (broadcast)
544 * Frames on bridges.
545 *
546 * Example:
547 * macvlan0
548 * br0
549 * ethX ethY
550 *
551 * ethX (or Y) receives multicast or broadcast packet containing
552 * an IP packet, not yet in conntrack table.
553 *
554 * 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting.
555 * -> skb->_nfct now references a unconfirmed entry
556 * 2. skb is broad/mcast packet. bridge now passes clones out on each bridge
557 * interface.
558 * 3. skb gets passed up the stack.
559 * 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb
560 * and schedules a work queue to send them out on the lower devices.
561 *
562 * The clone skb->_nfct is not a copy, it is the same entry as the
563 * original skb. The macvlan rx handler then returns RX_HANDLER_PASS.
564 * 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.
565 *
566 * The Macvlan broadcast worker and normal confirm path will race.
567 *
568 * This race will not happen if step 2 already confirmed a clone. In that
569 * case later steps perform skb_clone() with skb->_nfct already confirmed (in
570 * hash table). This works fine.
571 *
572 * But such confirmation won't happen when eb/ip/nftables rules dropped the
573 * packets before they reached the nf_confirm step in postrouting.
574 *
575 * Work around this problem by explicit confirmation of the entry at
576 * LOCAL_IN time, before upper layer has a chance to clone the unconfirmed
577 * entry.
578 *
579 */
br_nf_local_in(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)580 static unsigned int br_nf_local_in(void *priv,
581 struct sk_buff *skb,
582 const struct nf_hook_state *state)
583 {
584 bool promisc = BR_INPUT_SKB_CB(skb)->promisc;
585 struct nf_conntrack *nfct = skb_nfct(skb);
586 const struct nf_ct_hook *ct_hook;
587 struct nf_conn *ct;
588 int ret;
589
590 if (promisc) {
591 nf_reset_ct(skb);
592 return NF_ACCEPT;
593 }
594
595 if (!nfct || skb->pkt_type == PACKET_HOST)
596 return NF_ACCEPT;
597
598 ct = container_of(nfct, struct nf_conn, ct_general);
599 if (likely(nf_ct_is_confirmed(ct)))
600 return NF_ACCEPT;
601
602 if (WARN_ON_ONCE(refcount_read(&nfct->use) != 1)) {
603 nf_reset_ct(skb);
604 return NF_ACCEPT;
605 }
606
607 WARN_ON_ONCE(skb_shared(skb));
608
609 /* We can't call nf_confirm here, it would create a dependency
610 * on nf_conntrack module.
611 */
612 ct_hook = rcu_dereference(nf_ct_hook);
613 if (!ct_hook) {
614 skb->_nfct = 0ul;
615 nf_conntrack_put(nfct);
616 return NF_ACCEPT;
617 }
618
619 nf_bridge_pull_encap_header(skb);
620 ret = ct_hook->confirm(skb);
621 switch (ret & NF_VERDICT_MASK) {
622 case NF_STOLEN:
623 return NF_STOLEN;
624 default:
625 nf_bridge_push_encap_header(skb);
626 break;
627 }
628
629 return ret;
630 }
631 #endif
632
633 /* PF_BRIDGE/FORWARD *************************************************/
br_nf_forward_finish(struct net * net,struct sock * sk,struct sk_buff * skb)634 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
635 {
636 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
637 struct net_device *in;
638
639 if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) {
640
641 if (skb->protocol == htons(ETH_P_IP))
642 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
643
644 if (skb->protocol == htons(ETH_P_IPV6))
645 nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
646
647 in = nf_bridge_get_physindev(skb, net);
648 if (!in) {
649 kfree_skb(skb);
650 return 0;
651 }
652 if (nf_bridge->pkt_otherhost) {
653 skb->pkt_type = PACKET_OTHERHOST;
654 nf_bridge->pkt_otherhost = false;
655 }
656 nf_bridge_update_protocol(skb);
657 } else {
658 in = *((struct net_device **)(skb->cb));
659 }
660 nf_bridge_push_encap_header(skb);
661
662 br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev,
663 br_forward_finish);
664 return 0;
665 }
666
667
br_nf_forward_ip(struct sk_buff * skb,const struct nf_hook_state * state,u8 pf)668 static unsigned int br_nf_forward_ip(struct sk_buff *skb,
669 const struct nf_hook_state *state,
670 u8 pf)
671 {
672 struct nf_bridge_info *nf_bridge;
673 struct net_device *parent;
674
675 nf_bridge = nf_bridge_info_get(skb);
676 if (!nf_bridge)
677 return NF_ACCEPT;
678
679 /* Need exclusive nf_bridge_info since we might have multiple
680 * different physoutdevs. */
681 if (!nf_bridge_unshare(skb))
682 return NF_DROP_REASON(skb, SKB_DROP_REASON_NOMEM, 0);
683
684 nf_bridge = nf_bridge_info_get(skb);
685 if (!nf_bridge)
686 return NF_DROP_REASON(skb, SKB_DROP_REASON_NOMEM, 0);
687
688 parent = bridge_parent(state->out);
689 if (!parent)
690 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0);
691
692 nf_bridge_pull_encap_header(skb);
693
694 if (skb->pkt_type == PACKET_OTHERHOST) {
695 skb->pkt_type = PACKET_HOST;
696 nf_bridge->pkt_otherhost = true;
697 }
698
699 if (pf == NFPROTO_IPV4) {
700 if (br_validate_ipv4(state->net, skb))
701 return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);
702 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
703 skb->protocol = htons(ETH_P_IP);
704 } else if (pf == NFPROTO_IPV6) {
705 if (br_validate_ipv6(state->net, skb))
706 return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);
707 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
708 skb->protocol = htons(ETH_P_IPV6);
709 } else {
710 WARN_ON_ONCE(1);
711 return NF_DROP;
712 }
713
714 nf_bridge->physoutdev = skb->dev;
715
716 NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,
717 brnf_get_logical_dev(skb, state->in, state->net),
718 parent, br_nf_forward_finish);
719
720 return NF_STOLEN;
721 }
722
br_nf_forward_arp(struct sk_buff * skb,const struct nf_hook_state * state)723 static unsigned int br_nf_forward_arp(struct sk_buff *skb,
724 const struct nf_hook_state *state)
725 {
726 struct net_bridge_port *p;
727 struct net_bridge *br;
728 struct net_device **d = (struct net_device **)(skb->cb);
729 struct brnf_net *brnet;
730
731 p = br_port_get_rcu(state->out);
732 if (p == NULL)
733 return NF_ACCEPT;
734 br = p->br;
735
736 brnet = net_generic(state->net, brnf_net_id);
737 if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
738 return NF_ACCEPT;
739
740 if (is_vlan_arp(skb, state->net))
741 nf_bridge_pull_encap_header(skb);
742
743 if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
744 return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0);
745
746 if (arp_hdr(skb)->ar_pln != 4) {
747 if (is_vlan_arp(skb, state->net))
748 nf_bridge_push_encap_header(skb);
749 return NF_ACCEPT;
750 }
751 *d = state->in;
752 NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb,
753 state->in, state->out, br_nf_forward_finish);
754
755 return NF_STOLEN;
756 }
757
758 /* This is the 'purely bridged' case. For IP, we pass the packet to
759 * netfilter with indev and outdev set to the bridge device,
760 * but we are still able to filter on the 'real' indev/outdev
761 * because of the physdev module. For ARP, indev and outdev are the
762 * bridge ports.
763 */
br_nf_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)764 static unsigned int br_nf_forward(void *priv,
765 struct sk_buff *skb,
766 const struct nf_hook_state *state)
767 {
768 if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
769 is_pppoe_ip(skb, state->net))
770 return br_nf_forward_ip(skb, state, NFPROTO_IPV4);
771 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
772 is_pppoe_ipv6(skb, state->net))
773 return br_nf_forward_ip(skb, state, NFPROTO_IPV6);
774 if (IS_ARP(skb) || is_vlan_arp(skb, state->net))
775 return br_nf_forward_arp(skb, state);
776
777 return NF_ACCEPT;
778 }
779
br_nf_push_frag_xmit(struct net * net,struct sock * sk,struct sk_buff * skb)780 static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
781 {
782 struct brnf_frag_data *data;
783 int err;
784
785 data = this_cpu_ptr(&brnf_frag_data_storage);
786 err = skb_cow_head(skb, data->size);
787
788 if (err) {
789 kfree_skb(skb);
790 return 0;
791 }
792
793 if (data->vlan_proto)
794 __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
795
796 skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
797 __skb_push(skb, data->encap_size);
798
799 nf_bridge_info_free(skb);
800 return br_dev_queue_push_xmit(net, sk, skb);
801 }
802
803 static int
br_nf_ip_fragment(struct net * net,struct sock * sk,struct sk_buff * skb,int (* output)(struct net *,struct sock *,struct sk_buff *))804 br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
805 int (*output)(struct net *, struct sock *, struct sk_buff *))
806 {
807 unsigned int mtu = ip_skb_dst_mtu(sk, skb);
808 struct iphdr *iph = ip_hdr(skb);
809
810 if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) ||
811 (IPCB(skb)->frag_max_size &&
812 IPCB(skb)->frag_max_size > mtu))) {
813 IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);
814 kfree_skb(skb);
815 return -EMSGSIZE;
816 }
817
818 return ip_do_fragment(net, sk, skb, output);
819 }
820
nf_bridge_mtu_reduction(const struct sk_buff * skb)821 static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
822 {
823 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
824
825 if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE)
826 return PPPOE_SES_HLEN;
827 return 0;
828 }
829
br_nf_dev_queue_xmit(struct net * net,struct sock * sk,struct sk_buff * skb)830 static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
831 {
832 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
833 unsigned int mtu, mtu_reserved;
834 int ret;
835
836 mtu_reserved = nf_bridge_mtu_reduction(skb);
837 mtu = skb->dev->mtu;
838
839 if (nf_bridge->pkt_otherhost) {
840 skb->pkt_type = PACKET_OTHERHOST;
841 nf_bridge->pkt_otherhost = false;
842 }
843
844 if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
845 mtu = nf_bridge->frag_max_size;
846
847 nf_bridge_update_protocol(skb);
848 nf_bridge_push_encap_header(skb);
849
850 if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
851 nf_bridge_info_free(skb);
852 return br_dev_queue_push_xmit(net, sk, skb);
853 }
854
855 /* Fragmentation on metadata/template dst is not supported */
856 if (unlikely(!skb_valid_dst(skb)))
857 goto drop;
858
859 /* This is wrong! We should preserve the original fragment
860 * boundaries by preserving frag_list rather than refragmenting.
861 */
862 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) &&
863 skb->protocol == htons(ETH_P_IP)) {
864 struct brnf_frag_data *data;
865
866 if (br_validate_ipv4(net, skb))
867 goto drop;
868
869 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
870
871 local_lock_nested_bh(&brnf_frag_data_storage.bh_lock);
872 data = this_cpu_ptr(&brnf_frag_data_storage);
873
874 if (skb_vlan_tag_present(skb)) {
875 data->vlan_tci = skb->vlan_tci;
876 data->vlan_proto = skb->vlan_proto;
877 } else {
878 data->vlan_proto = 0;
879 }
880
881 data->encap_size = nf_bridge_encap_header_len(skb);
882 data->size = ETH_HLEN + data->encap_size;
883
884 skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
885 data->size);
886
887 ret = br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit);
888 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock);
889 return ret;
890 }
891 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) &&
892 skb->protocol == htons(ETH_P_IPV6)) {
893 const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
894 struct brnf_frag_data *data;
895
896 if (br_validate_ipv6(net, skb))
897 goto drop;
898
899 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
900
901 local_lock_nested_bh(&brnf_frag_data_storage.bh_lock);
902 data = this_cpu_ptr(&brnf_frag_data_storage);
903 data->encap_size = nf_bridge_encap_header_len(skb);
904 data->size = ETH_HLEN + data->encap_size;
905
906 skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
907 data->size);
908
909 if (v6ops) {
910 ret = v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit);
911 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock);
912 return ret;
913 }
914 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock);
915
916 kfree_skb(skb);
917 return -EMSGSIZE;
918 }
919 nf_bridge_info_free(skb);
920 return br_dev_queue_push_xmit(net, sk, skb);
921 drop:
922 kfree_skb(skb);
923 return 0;
924 }
925
926 /* PF_BRIDGE/POST_ROUTING ********************************************/
br_nf_post_routing(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)927 static unsigned int br_nf_post_routing(void *priv,
928 struct sk_buff *skb,
929 const struct nf_hook_state *state)
930 {
931 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
932 struct net_device *realoutdev = bridge_parent(skb->dev);
933 u_int8_t pf;
934
935 /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in
936 * on a bridge, but was delivered locally and is now being routed:
937 *
938 * POST_ROUTING was already invoked from the ip stack.
939 */
940 if (!nf_bridge || !nf_bridge->physoutdev)
941 return NF_ACCEPT;
942
943 if (!realoutdev)
944 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0);
945
946 if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
947 is_pppoe_ip(skb, state->net))
948 pf = NFPROTO_IPV4;
949 else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
950 is_pppoe_ipv6(skb, state->net))
951 pf = NFPROTO_IPV6;
952 else
953 return NF_ACCEPT;
954
955 if (skb->pkt_type == PACKET_OTHERHOST) {
956 skb->pkt_type = PACKET_HOST;
957 nf_bridge->pkt_otherhost = true;
958 }
959
960 nf_bridge_pull_encap_header(skb);
961 if (pf == NFPROTO_IPV4)
962 skb->protocol = htons(ETH_P_IP);
963 else
964 skb->protocol = htons(ETH_P_IPV6);
965
966 NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb,
967 NULL, realoutdev,
968 br_nf_dev_queue_xmit);
969
970 return NF_STOLEN;
971 }
972
973 /* IP/SABOTAGE *****************************************************/
974 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
975 * for the second time. */
ip_sabotage_in(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)976 static unsigned int ip_sabotage_in(void *priv,
977 struct sk_buff *skb,
978 const struct nf_hook_state *state)
979 {
980 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
981
982 if (nf_bridge) {
983 if (nf_bridge->sabotage_in_done)
984 return NF_ACCEPT;
985
986 if (!nf_bridge->in_prerouting &&
987 !netif_is_l3_master(skb->dev) &&
988 !netif_is_l3_slave(skb->dev)) {
989 nf_bridge->sabotage_in_done = 1;
990 state->okfn(state->net, state->sk, skb);
991 return NF_STOLEN;
992 }
993 }
994
995 return NF_ACCEPT;
996 }
997
998 /* This is called when br_netfilter has called into iptables/netfilter,
999 * and DNAT has taken place on a bridge-forwarded packet.
1000 *
1001 * neigh->output has created a new MAC header, with local br0 MAC
1002 * as saddr.
1003 *
1004 * This restores the original MAC saddr of the bridged packet
1005 * before invoking bridge forward logic to transmit the packet.
1006 */
br_nf_pre_routing_finish_bridge_slow(struct sk_buff * skb)1007 static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
1008 {
1009 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
1010 struct net_device *br_indev;
1011
1012 br_indev = nf_bridge_get_physindev(skb, dev_net(skb->dev));
1013 if (!br_indev) {
1014 kfree_skb(skb);
1015 return;
1016 }
1017
1018 skb_pull(skb, ETH_HLEN);
1019 nf_bridge->bridged_dnat = 0;
1020
1021 BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN));
1022
1023 skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN),
1024 nf_bridge->neigh_header,
1025 ETH_HLEN - ETH_ALEN);
1026 skb->dev = br_indev;
1027
1028 nf_bridge->physoutdev = NULL;
1029 br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
1030 }
1031
br_nf_dev_xmit(struct sk_buff * skb)1032 static int br_nf_dev_xmit(struct sk_buff *skb)
1033 {
1034 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
1035
1036 if (nf_bridge && nf_bridge->bridged_dnat) {
1037 br_nf_pre_routing_finish_bridge_slow(skb);
1038 return 1;
1039 }
1040 return 0;
1041 }
1042
1043 static const struct nf_br_ops br_ops = {
1044 .br_dev_xmit_hook = br_nf_dev_xmit,
1045 };
1046
1047 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
1048 * br_dev_queue_push_xmit is called afterwards */
1049 static const struct nf_hook_ops br_nf_ops[] = {
1050 {
1051 .hook = br_nf_pre_routing,
1052 .pf = NFPROTO_BRIDGE,
1053 .hooknum = NF_BR_PRE_ROUTING,
1054 .priority = NF_BR_PRI_BRNF,
1055 },
1056 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
1057 {
1058 .hook = br_nf_local_in,
1059 .pf = NFPROTO_BRIDGE,
1060 .hooknum = NF_BR_LOCAL_IN,
1061 .priority = NF_BR_PRI_LAST,
1062 },
1063 #endif
1064 {
1065 .hook = br_nf_forward,
1066 .pf = NFPROTO_BRIDGE,
1067 .hooknum = NF_BR_FORWARD,
1068 .priority = NF_BR_PRI_BRNF,
1069 },
1070 {
1071 .hook = br_nf_post_routing,
1072 .pf = NFPROTO_BRIDGE,
1073 .hooknum = NF_BR_POST_ROUTING,
1074 .priority = NF_BR_PRI_LAST,
1075 },
1076 {
1077 .hook = ip_sabotage_in,
1078 .pf = NFPROTO_IPV4,
1079 .hooknum = NF_INET_PRE_ROUTING,
1080 .priority = NF_IP_PRI_FIRST,
1081 },
1082 {
1083 .hook = ip_sabotage_in,
1084 .pf = NFPROTO_IPV6,
1085 .hooknum = NF_INET_PRE_ROUTING,
1086 .priority = NF_IP6_PRI_FIRST,
1087 },
1088 };
1089
brnf_device_event(struct notifier_block * unused,unsigned long event,void * ptr)1090 static int brnf_device_event(struct notifier_block *unused, unsigned long event,
1091 void *ptr)
1092 {
1093 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1094 struct brnf_net *brnet;
1095 struct net *net;
1096 int ret;
1097
1098 if (event != NETDEV_REGISTER || !netif_is_bridge_master(dev))
1099 return NOTIFY_DONE;
1100
1101 ASSERT_RTNL();
1102
1103 net = dev_net(dev);
1104 brnet = net_generic(net, brnf_net_id);
1105 if (brnet->enabled)
1106 return NOTIFY_OK;
1107
1108 ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
1109 if (ret)
1110 return NOTIFY_BAD;
1111
1112 brnet->enabled = true;
1113 return NOTIFY_OK;
1114 }
1115
1116 static struct notifier_block brnf_notifier __read_mostly = {
1117 .notifier_call = brnf_device_event,
1118 };
1119
1120 /* recursively invokes nf_hook_slow (again), skipping already-called
1121 * hooks (< NF_BR_PRI_BRNF).
1122 *
1123 * Called with rcu read lock held.
1124 */
br_nf_hook_thresh(unsigned int hook,struct net * net,struct sock * sk,struct sk_buff * skb,struct net_device * indev,struct net_device * outdev,int (* okfn)(struct net *,struct sock *,struct sk_buff *))1125 int br_nf_hook_thresh(unsigned int hook, struct net *net,
1126 struct sock *sk, struct sk_buff *skb,
1127 struct net_device *indev,
1128 struct net_device *outdev,
1129 int (*okfn)(struct net *, struct sock *,
1130 struct sk_buff *))
1131 {
1132 const struct nf_hook_entries *e;
1133 struct nf_hook_state state;
1134 struct nf_hook_ops **ops;
1135 unsigned int i;
1136 int ret;
1137
1138 e = rcu_dereference(net->nf.hooks_bridge[hook]);
1139 if (!e)
1140 return okfn(net, sk, skb);
1141
1142 ops = nf_hook_entries_get_hook_ops(e);
1143 for (i = 0; i < e->num_hook_entries; i++) {
1144 /* These hooks have already been called */
1145 if (ops[i]->priority < NF_BR_PRI_BRNF)
1146 continue;
1147
1148 /* These hooks have not been called yet, run them. */
1149 if (ops[i]->priority > NF_BR_PRI_BRNF)
1150 break;
1151
1152 /* take a closer look at NF_BR_PRI_BRNF. */
1153 if (ops[i]->hook == br_nf_pre_routing) {
1154 /* This hook diverted the skb to this function,
1155 * hooks after this have not been run yet.
1156 */
1157 i++;
1158 break;
1159 }
1160 }
1161
1162 nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev,
1163 sk, net, okfn);
1164
1165 ret = nf_hook_slow(skb, &state, e, i);
1166 if (ret == 1)
1167 ret = okfn(net, sk, skb);
1168
1169 return ret;
1170 }
1171
1172 #ifdef CONFIG_SYSCTL
1173 static
brnf_sysctl_call_tables(const struct ctl_table * ctl,int write,void * buffer,size_t * lenp,loff_t * ppos)1174 int brnf_sysctl_call_tables(const struct ctl_table *ctl, int write,
1175 void *buffer, size_t *lenp, loff_t *ppos)
1176 {
1177 int ret;
1178
1179 ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1180
1181 if (write && *(int *)(ctl->data))
1182 *(int *)(ctl->data) = 1;
1183 return ret;
1184 }
1185
1186 static struct ctl_table brnf_table[] = {
1187 {
1188 .procname = "bridge-nf-call-arptables",
1189 .maxlen = sizeof(int),
1190 .mode = 0644,
1191 .proc_handler = brnf_sysctl_call_tables,
1192 },
1193 {
1194 .procname = "bridge-nf-call-iptables",
1195 .maxlen = sizeof(int),
1196 .mode = 0644,
1197 .proc_handler = brnf_sysctl_call_tables,
1198 },
1199 {
1200 .procname = "bridge-nf-call-ip6tables",
1201 .maxlen = sizeof(int),
1202 .mode = 0644,
1203 .proc_handler = brnf_sysctl_call_tables,
1204 },
1205 {
1206 .procname = "bridge-nf-filter-vlan-tagged",
1207 .maxlen = sizeof(int),
1208 .mode = 0644,
1209 .proc_handler = brnf_sysctl_call_tables,
1210 },
1211 {
1212 .procname = "bridge-nf-filter-pppoe-tagged",
1213 .maxlen = sizeof(int),
1214 .mode = 0644,
1215 .proc_handler = brnf_sysctl_call_tables,
1216 },
1217 {
1218 .procname = "bridge-nf-pass-vlan-input-dev",
1219 .maxlen = sizeof(int),
1220 .mode = 0644,
1221 .proc_handler = brnf_sysctl_call_tables,
1222 },
1223 };
1224
br_netfilter_sysctl_default(struct brnf_net * brnf)1225 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
1226 {
1227 brnf->call_iptables = 1;
1228 brnf->call_ip6tables = 1;
1229 brnf->call_arptables = 1;
1230 brnf->filter_vlan_tagged = 0;
1231 brnf->filter_pppoe_tagged = 0;
1232 brnf->pass_vlan_indev = 0;
1233 }
1234
br_netfilter_sysctl_init_net(struct net * net)1235 static int br_netfilter_sysctl_init_net(struct net *net)
1236 {
1237 struct ctl_table *table = brnf_table;
1238 struct brnf_net *brnet;
1239
1240 if (!net_eq(net, &init_net)) {
1241 table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL);
1242 if (!table)
1243 return -ENOMEM;
1244 }
1245
1246 brnet = net_generic(net, brnf_net_id);
1247 table[0].data = &brnet->call_arptables;
1248 table[1].data = &brnet->call_iptables;
1249 table[2].data = &brnet->call_ip6tables;
1250 table[3].data = &brnet->filter_vlan_tagged;
1251 table[4].data = &brnet->filter_pppoe_tagged;
1252 table[5].data = &brnet->pass_vlan_indev;
1253
1254 br_netfilter_sysctl_default(brnet);
1255
1256 brnet->ctl_hdr = register_net_sysctl_sz(net, "net/bridge", table,
1257 ARRAY_SIZE(brnf_table));
1258 if (!brnet->ctl_hdr) {
1259 if (!net_eq(net, &init_net))
1260 kfree(table);
1261
1262 return -ENOMEM;
1263 }
1264
1265 return 0;
1266 }
1267
br_netfilter_sysctl_exit_net(struct net * net,struct brnf_net * brnet)1268 static void br_netfilter_sysctl_exit_net(struct net *net,
1269 struct brnf_net *brnet)
1270 {
1271 const struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg;
1272
1273 unregister_net_sysctl_table(brnet->ctl_hdr);
1274 if (!net_eq(net, &init_net))
1275 kfree(table);
1276 }
1277
brnf_init_net(struct net * net)1278 static int __net_init brnf_init_net(struct net *net)
1279 {
1280 return br_netfilter_sysctl_init_net(net);
1281 }
1282 #endif
1283
brnf_exit_net(struct net * net)1284 static void __net_exit brnf_exit_net(struct net *net)
1285 {
1286 struct brnf_net *brnet;
1287
1288 brnet = net_generic(net, brnf_net_id);
1289 if (brnet->enabled) {
1290 nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
1291 brnet->enabled = false;
1292 }
1293
1294 #ifdef CONFIG_SYSCTL
1295 br_netfilter_sysctl_exit_net(net, brnet);
1296 #endif
1297 }
1298
1299 static struct pernet_operations brnf_net_ops __read_mostly = {
1300 #ifdef CONFIG_SYSCTL
1301 .init = brnf_init_net,
1302 #endif
1303 .exit = brnf_exit_net,
1304 .id = &brnf_net_id,
1305 .size = sizeof(struct brnf_net),
1306 };
1307
br_netfilter_init(void)1308 static int __init br_netfilter_init(void)
1309 {
1310 int ret;
1311
1312 ret = register_pernet_subsys(&brnf_net_ops);
1313 if (ret < 0)
1314 return ret;
1315
1316 ret = register_netdevice_notifier(&brnf_notifier);
1317 if (ret < 0) {
1318 unregister_pernet_subsys(&brnf_net_ops);
1319 return ret;
1320 }
1321
1322 RCU_INIT_POINTER(nf_br_ops, &br_ops);
1323 printk(KERN_NOTICE "Bridge firewalling registered\n");
1324 return 0;
1325 }
1326
br_netfilter_fini(void)1327 static void __exit br_netfilter_fini(void)
1328 {
1329 RCU_INIT_POINTER(nf_br_ops, NULL);
1330 unregister_netdevice_notifier(&brnf_notifier);
1331 unregister_pernet_subsys(&brnf_net_ops);
1332 }
1333
1334 module_init(br_netfilter_init);
1335 module_exit(br_netfilter_fini);
1336
1337 MODULE_LICENSE("GPL");
1338 MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>");
1339 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
1340 MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge");
1341