   1/*
   2 *      Handle firewalling
   3 *      Linux ethernet bridge
   4 *
   5 *      Authors:
   6 *      Lennert Buytenhek               <buytenh@gnu.org>
   7 *      Bart De Schuymer (maintainer)   <bdschuym@pandora.be>
   8 *
   9 *      Changes:
  10 *      Apr 29 2003: physdev module support (bdschuym)
  11 *      Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
  12 *      Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
  13 *                   (bdschuym)
  14 *      Sep 01 2004: add IPv6 filtering (bdschuym)
  15 *
  16 *      This program is free software; you can redistribute it and/or
  17 *      modify it under the terms of the GNU General Public License
  18 *      as published by the Free Software Foundation; either version
  19 *      2 of the License, or (at your option) any later version.
  20 *
  21 *      Lennert dedicates this file to Kerstin Wurdinger.
  22 */
  23
  24#include <linux/module.h>
  25#include <linux/kernel.h>
  26#include <linux/ip.h>
  27#include <linux/netdevice.h>
  28#include <linux/skbuff.h>
  29#include <linux/if_arp.h>
  30#include <linux/if_ether.h>
  31#include <linux/if_vlan.h>
  32#include <linux/if_pppox.h>
  33#include <linux/ppp_defs.h>
  34#include <linux/netfilter_bridge.h>
  35#include <linux/netfilter_ipv4.h>
  36#include <linux/netfilter_ipv6.h>
  37#include <linux/netfilter_arp.h>
  38#include <linux/in_route.h>
  39#include <linux/inetdevice.h>
  40
  41#include <net/ip.h>
  42#include <net/ipv6.h>
  43#include <net/route.h>
  44
  45#include <asm/uaccess.h>
  46#include "br_private.h"
  47#ifdef CONFIG_SYSCTL
  48#include <linux/sysctl.h>
  49#endif
  50
/*
 * DNAT detection helpers. When an IPv4 frame enters PRE_ROUTING the
 * original destination address is stashed in the nf_bridge scratch area
 * (store_orig_dstaddr); after iptables has run, dnat_took_place compares
 * that copy with the current header. Both dereference skb->nf_bridge,
 * which therefore must have been allocated first.
 */
#define skb_origaddr(skb)        (((struct bridge_skb_cb *) \
				 (skb->nf_bridge->data))->daddr.ipv4)
#define store_orig_dstaddr(skb)  (skb_origaddr(skb) = ip_hdr(skb)->daddr)
#define dnat_took_place(skb)     (skb_origaddr(skb) != ip_hdr(skb)->daddr)
  55
#ifdef CONFIG_SYSCTL
/* Sysctl-controlled switches. The brnf_call_* flags make the corresponding
 * hook return NF_ACCEPT early when cleared; the brnf_filter_* flags gate
 * the IS_VLAN_* / IS_PPPOE_* matches below. All default to enabled. */
static struct ctl_table_header *brnf_sysctl_header;
static int brnf_call_iptables __read_mostly = 1;
static int brnf_call_ip6tables __read_mostly = 1;
static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 1;
static int brnf_filter_pppoe_tagged __read_mostly = 1;
#else
/* Without sysctl support encapsulated traffic is always filtered. */
#define brnf_filter_vlan_tagged 1
#define brnf_filter_pppoe_tagged 1
#endif
  67
/* Protocol carried inside the 802.1Q tag, in network byte order. */
static inline __be16 vlan_proto(const struct sk_buff *skb)
{
	const struct vlan_ethhdr *vhdr = vlan_eth_hdr(skb);

	return vhdr->h_vlan_encapsulated_proto;
}
  72
/* True when the frame is 802.1Q-tagged and the encapsulated protocol is
 * IPv4 / IPv6 / ARP respectively. Always false while filtering of
 * VLAN-tagged frames is switched off (brnf_filter_vlan_tagged == 0).
 * The VLAN header must already be linear (see the pskb_may_pull() in
 * br_nf_pre_routing()). */
#define IS_VLAN_IP(skb) \
	(skb->protocol == htons(ETH_P_8021Q) && \
	 vlan_proto(skb) == htons(ETH_P_IP) &&  \
	 brnf_filter_vlan_tagged)

#define IS_VLAN_IPV6(skb) \
	(skb->protocol == htons(ETH_P_8021Q) && \
	 vlan_proto(skb) == htons(ETH_P_IPV6) &&\
	 brnf_filter_vlan_tagged)

#define IS_VLAN_ARP(skb) \
	(skb->protocol == htons(ETH_P_8021Q) && \
	 vlan_proto(skb) == htons(ETH_P_ARP) && \
	 brnf_filter_vlan_tagged)
  87
/* PPP protocol field that directly follows the PPPoE session header. */
static inline __be16 pppoe_proto(const struct sk_buff *skb)
{
	const unsigned char *ppp_hdr = skb_mac_header(skb) + ETH_HLEN +
				       sizeof(struct pppoe_hdr);

	return *(const __be16 *)ppp_hdr;
}
  93
/* True when the frame is a PPPoE session frame carrying IPv4 / IPv6.
 * Always false while filtering of PPPoE frames is switched off
 * (brnf_filter_pppoe_tagged == 0). */
#define IS_PPPOE_IP(skb) \
	(skb->protocol == htons(ETH_P_PPP_SES) && \
	 pppoe_proto(skb) == htons(PPP_IP) && \
	 brnf_filter_pppoe_tagged)

#define IS_PPPOE_IPV6(skb) \
	(skb->protocol == htons(ETH_P_PPP_SES) && \
	 pppoe_proto(skb) == htons(PPP_IPV6) && \
	 brnf_filter_pppoe_tagged)
 103
/* No-op update_pmtu for the fake route: its MTU is fixed at init time. */
static void fake_update_pmtu(struct dst_entry *dst, u32 mtu)
{
}
 107
/* Minimal dst_ops backing the per-bridge fake rtable set up in
 * br_netfilter_rtable_init(); only what netfilter dereferences is filled. */
static struct dst_ops fake_dst_ops = {
	.family =		AF_INET,
	.protocol =		__constant_htons(ETH_P_IP),
	.update_pmtu =		fake_update_pmtu,
	.entry_size =		sizeof(struct rtable),
	.entries =		ATOMIC_INIT(0),
};
 115
/*
 * Initialize the bogus route table used to keep netfilter happy.
 * Currently, we fill in the PMTU entry because netfilter
 * refragmentation needs it, and the rt_flags entry because
 * ipt_REJECT needs it.  Future netfilter modules might
 * require us to fill additional fields.
 *
 * The route is embedded in the bridge (br->fake_rtable) and starts out
 * with one reference held; every hook that attaches it to an skb takes
 * its own dst_hold().
 */
void br_netfilter_rtable_init(struct net_bridge *br)
{
	struct dst_entry *dst = &br->fake_rtable.u.dst;

	atomic_set(&dst->__refcnt, 1);
	dst->dev = br->dev;
	dst->path = dst;
	dst->metrics[RTAX_MTU - 1] = 1500;
	dst->flags = DST_NOXFRM;
	dst->ops = &fake_dst_ops;
}
 134
/* Fake rtable of the bridge that @dev is a port of, or NULL if @dev is
 * not (any more) a bridge port. Caller must be in an RCU read section. */
static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
{
	struct net_bridge_port *port = rcu_dereference(dev->br_port);

	if (!port)
		return NULL;
	return &port->br->fake_rtable;
}
 141
/* Bridge device that @dev is a port of, or NULL if @dev is not (any more)
 * a bridge port. Caller must be in an RCU read section. */
static inline struct net_device *bridge_parent(const struct net_device *dev)
{
	struct net_bridge_port *port = rcu_dereference(dev->br_port);

	if (!port)
		return NULL;
	return port->br->dev;
}
 148
/* Attach a fresh, zeroed nf_bridge_info with refcount 1 to @skb.
 * skb->nf_bridge is overwritten unconditionally (NULL on failure), so the
 * caller is responsible for releasing any previous one. Returns the new
 * info or NULL when out of memory. */
static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
{
	struct nf_bridge_info *info;

	info = kzalloc(sizeof(*info), GFP_ATOMIC);
	skb->nf_bridge = info;
	if (likely(info))
		atomic_set(&info->use, 1);

	return info;
}
 157
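/*
 * Give @skb a private nf_bridge_info if the current one is shared with
 * other skbs (use > 1).
 *
 * Returns the (possibly new) nf_bridge_info, or NULL when the private copy
 * could not be allocated; in that case skb->nf_bridge is already NULL and
 * the caller must drop the packet.
 */
static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
{
	struct nf_bridge_info *nf_bridge = skb->nf_bridge;

	if (atomic_read(&nf_bridge->use) > 1) {
		struct nf_bridge_info *tmp = nf_bridge_alloc(skb);

		if (tmp) {
			memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
			atomic_set(&tmp->use, 1);
		}
		/* nf_bridge_alloc() has already replaced skb->nf_bridge, so
		 * this skb's reference on the shared copy must be dropped
		 * whether or not the allocation succeeded. Releasing it only
		 * on success leaked the shared nf_bridge_info (its use count
		 * never reached zero) whenever kzalloc() failed here. */
		nf_bridge_put(nf_bridge);
		nf_bridge = tmp;
	}
	return nf_bridge;
}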
 174
/* Re-expose the VLAN/PPPoE encapsulation header (if any) in front of the
 * network header, undoing nf_bridge_pull_encap_header(). */
static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
{
	unsigned int encap_len = nf_bridge_encap_header_len(skb);

	skb_push(skb, encap_len);
	skb->network_header -= encap_len;
}
 182
/* Hide the VLAN/PPPoE encapsulation header (if any) so that skb->data and
 * the network header point at the IP/ARP header netfilter expects. */
static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
{
	unsigned int encap_len = nf_bridge_encap_header_len(skb);

	skb_pull(skb, encap_len);
	skb->network_header += encap_len;
}
 190
/* Same as nf_bridge_pull_encap_header() but keeps a CHECKSUM_COMPLETE
 * receive checksum consistent with the bytes being pulled. */
static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
{
	unsigned int encap_len = nf_bridge_encap_header_len(skb);

	skb_pull_rcsum(skb, encap_len);
	skb->network_header += encap_len;
}
 198
/* Copy the Ethernet header plus any encapsulation header that precede
 * skb->data into the nf_bridge scratch area; nf_bridge_copy_header()
 * restores it from there. */
static inline void nf_bridge_save_header(struct sk_buff *skb)
{
	const int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
	void *saved = skb->nf_bridge->data;

	skb_copy_from_linear_data_offset(skb, -header_size, saved, header_size);
}
 206
/*
 * When forwarding bridge frames, we save a copy of the original
 * header before processing.
 *
 * Write that saved link-layer (+ encapsulation) header back in front of
 * skb->data and push the encapsulation part so the frame is complete
 * again. Returns 0 on success or the negative error from skb_cow_head()
 * when headroom could not be made available.
 */
int nf_bridge_copy_header(struct sk_buff *skb)
{
	const int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
	int err = skb_cow_head(skb, header_size);

	if (err)
		return err;

	skb_copy_to_linear_data_offset(skb, -header_size,
				       skb->nf_bridge->data, header_size);
	__skb_push(skb, nf_bridge_encap_header_len(skb));
	return 0;
}
 225
 226/* PF_BRIDGE/PRE_ROUTING *********************************************/
/* Undo the changes made for ip6tables PREROUTING and continue the
 * bridge PRE_ROUTING hook.
 *
 * Continuation (okfn) of the PF_INET6 PRE_ROUTING hook entered from
 * br_nf_pre_routing_ipv6(). Restores pkt_type and the receiving port in
 * skb->dev, attaches the bridge's fake rtable so later netfilter code has
 * a dst, and re-enters the bridge PRE_ROUTING chain with
 * br_handle_frame_finish as continuation. Always returns 0; the skb is
 * either consumed by the hook chain or freed here. */
static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
{
	struct nf_bridge_info *nf_bridge = skb->nf_bridge;

	/* setup_pre_routing() disguised PACKET_OTHERHOST as PACKET_HOST for
	 * netfilter's benefit; put the real type back. */
	if (nf_bridge->mask & BRNF_PKT_TYPE) {
		skb->pkt_type = PACKET_OTHERHOST;
		nf_bridge->mask ^= BRNF_PKT_TYPE;
	}
	nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;

	/* physindev is no longer a bridge port: nothing to attach, drop. */
	skb->rtable = bridge_parent_rtable(nf_bridge->physindev);
	if (!skb->rtable) {
		kfree_skb(skb);
		return 0;
	}
	dst_hold(&skb->rtable->u.dst);

	skb->dev = nf_bridge->physindev;
	nf_bridge_push_encap_header(skb);
	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
		       br_handle_frame_finish, 1);

	return 0;
}
 253
/* Warn (at most once every 5 seconds) that cross-bridge DNAT needs IP
 * forwarding; called from br_nf_pre_routing_finish(). */
static void __br_dnat_complain(void)
{
	static unsigned long last_complaint;

	if (jiffies - last_complaint < 5 * HZ)
		return;

	printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
	       "forwarding to be enabled\n");
	last_complaint = jiffies;
}
 264
 265/* This requires some explaining. If DNAT has taken place,
 266 * we will need to fix up the destination Ethernet address,
 267 * and this is a tricky process.
 268 *
 269 * There are two cases to consider:
 270 * 1. The packet was DNAT'ed to a device in the same bridge
 271 *    port group as it was received on. We can still bridge
 272 *    the packet.
 273 * 2. The packet was DNAT'ed to a different device, either
 274 *    a non-bridged device or another bridge port group.
 275 *    The packet will need to be routed.
 276 *
 277 * The correct way of distinguishing between these two cases is to
 278 * call ip_route_input() and to look at skb->dst->dev, which is
 279 * changed to the destination device if ip_route_input() succeeds.
 280 *
 281 * Let us first consider the case that ip_route_input() succeeds:
 282 *
 283 * If skb->dst->dev equals the logical bridge device the packet
 284 * came in on, we can consider this bridging. The packet is passed
 285 * through the neighbour output function to build a new destination
 286 * MAC address, which will make the packet enter br_nf_local_out()
 287 * not much later. In that function it is assured that the iptables
 288 * FORWARD chain is traversed for the packet.
 289 *
 290 * Otherwise, the packet is considered to be routed and we just
 291 * change the destination MAC address so that the packet will
 292 * later be passed up to the IP stack to be routed. For a redirected
 293 * packet, ip_route_input() will give back the localhost as output device,
 294 * which differs from the bridge device.
 295 *
 296 * Let us now consider the case that ip_route_input() fails:
 297 *
 298 * This can be because the destination address is martian, in which case
 299 * the packet will be dropped.
 300 * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input()
 301 * will fail, while __ip_route_output_key() will return success. The source
 302 * address for __ip_route_output_key() is set to zero, so __ip_route_output_key
 303 * thinks we're handling a locally generated packet and won't care
  304 * if IP forwarding is allowed. We send a warning message to the user's
 305 * log telling her to put IP forwarding on.
 306 *
 307 * ip_route_input() will also fail if there is no route available.
 308 * In that case we just drop the packet.
 309 *
 310 * --Lennert, 20020411
 311 * --Bart, 20020416 (updated)
 312 * --Bart, 20021007 (updated)
 313 * --Bart, 20062711 (updated) */
/* Continuation of the bridge PRE_ROUTING chain for the bridged-and-DNAT'ed
 * case (see the comment above). Hands the skb to the neighbour output
 * path of the route found in br_nf_pre_routing_finish(), which rebuilds
 * the destination MAC; the frame then comes back through
 * br_nf_local_out(). Returns the neighbour output's result, or 0 after
 * dropping the skb when there is no bridge parent or no neighbour. */
static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
{
	/* Present the frame to the neighbour code as PACKET_HOST and
	 * remember the disguise in BRNF_PKT_TYPE so it can be undone later. */
	if (skb->pkt_type == PACKET_OTHERHOST) {
		skb->pkt_type = PACKET_HOST;
		skb->nf_bridge->mask |= BRNF_PKT_TYPE;
	}
	skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;

	/* Output happens on the bridge device, not the port. */
	skb->dev = bridge_parent(skb->dev);
	if (skb->dev) {
		struct dst_entry *dst = skb->dst;

		nf_bridge_pull_encap_header(skb);

		/* Cached hardware header if available, else full neighbour
		 * resolution. */
		if (dst->hh)
			return neigh_hh_output(dst->hh, skb);
		else if (dst->neighbour)
			return dst->neighbour->output(skb);
	}
	kfree_skb(skb);
	return 0;
}
 336
/* Continuation (okfn) of the PF_INET PRE_ROUTING hook entered from
 * br_nf_pre_routing(). Three outcomes, decided by whether iptables
 * rewrote the destination address (dnat_took_place):
 *  - no DNAT: attach the bridge's fake rtable and resume the bridge
 *    PRE_ROUTING chain with br_handle_frame_finish;
 *  - DNAT to a host reachable through the same bridge: flag the frame
 *    BRNF_BRIDGED_DNAT and resume the bridge chain with
 *    br_nf_pre_routing_finish_bridge, which rebuilds the MAC header;
 *  - DNAT elsewhere: rewrite h_dest to the bridge device's own MAC so the
 *    frame is delivered up to the IP stack and routed from there.
 * See the big comment above br_nf_pre_routing_finish_bridge() for the
 * reasoning. Always returns 0; the skb is consumed or freed. */
static int br_nf_pre_routing_finish(struct sk_buff *skb)
{
	/* dev is the bridge device: setup_pre_routing() replaced the port. */
	struct net_device *dev = skb->dev;
	struct iphdr *iph = ip_hdr(skb);
	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
	int err;

	/* Restore the pkt_type that setup_pre_routing() hid from netfilter. */
	if (nf_bridge->mask & BRNF_PKT_TYPE) {
		skb->pkt_type = PACKET_OTHERHOST;
		nf_bridge->mask ^= BRNF_PKT_TYPE;
	}
	nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
	if (dnat_took_place(skb)) {
		if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
			struct rtable *rt;
			/* Output lookup with saddr 0: the stack then treats the
			 * packet as locally generated and ignores ip_forward
			 * (see the comment above). */
			struct flowi fl = {
				.nl_u = {
					.ip4_u = {
						 .daddr = iph->daddr,
						 .saddr = 0,
						 .tos = RT_TOS(iph->tos) },
				},
				.proto = 0,
			};
			struct in_device *in_dev = __in_dev_get_rcu(dev);

			/* If err equals -EHOSTUNREACH the error is due to a
			 * martian destination or due to the fact that
			 * forwarding is disabled. For most martian packets,
			 * ip_route_output_key() will fail. It won't fail for 2 types of
			 * martian destinations: loopback destinations and destination
			 * 0.0.0.0. In both cases the packet will be dropped because the
			 * destination is the loopback device and not the bridge. */
			if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
				goto free_skb;

			if (!ip_route_output_key(&init_net, &rt, &fl)) {
				/* - Bridged-and-DNAT'ed traffic doesn't
				 *   require ip_forwarding. */
				if (((struct dst_entry *)rt)->dev == dev) {
					skb->dst = (struct dst_entry *)rt;
					goto bridged_dnat;
				}
				/* we are sure that forwarding is disabled, so printing
				 * this message is no problem. Note that the packet could
				 * still have a martian destination address, in which case
				 * the packet could be dropped even if forwarding were enabled */
				__br_dnat_complain();
				dst_release((struct dst_entry *)rt);
			}
free_skb:
			kfree_skb(skb);
			return 0;
		} else {
			/* Route points back out of this bridge: keep bridging. */
			if (skb->dst->dev == dev) {
bridged_dnat:
				/* Tell br_nf_local_out this is a
				 * bridged frame */
				nf_bridge->mask |= BRNF_BRIDGED_DNAT;
				skb->dev = nf_bridge->physindev;
				nf_bridge_push_encap_header(skb);
				NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
					       skb, skb->dev, NULL,
					       br_nf_pre_routing_finish_bridge,
					       1);
				return 0;
			}
			/* Routed case: address the frame to the bridge itself so
			 * br_handle_frame_finish() passes it up the stack. */
			memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, ETH_ALEN);
			skb->pkt_type = PACKET_HOST;
		}
	} else {
		/* physindev is no longer a bridge port: drop. */
		skb->rtable = bridge_parent_rtable(nf_bridge->physindev);
		if (!skb->rtable) {
			kfree_skb(skb);
			return 0;
		}
		dst_hold(&skb->rtable->u.dst);
	}

	skb->dev = nf_bridge->physindev;
	nf_bridge_push_encap_header(skb);
	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
		       br_handle_frame_finish, 1);

	return 0;
}
 423
/* Some common code for IPv4/IPv6.
 * Prepare an skb that already owns a fresh nf_bridge_info for the IP
 * PRE_ROUTING hooks: disguise PACKET_OTHERHOST as PACKET_HOST (recorded
 * in BRNF_PKT_TYPE so it can be undone), remember the receiving port in
 * physindev and make skb->dev the bridge device. Returns the bridge
 * device, or NULL if the receiving device is not a bridge port. */
static struct net_device *setup_pre_routing(struct sk_buff *skb)
{
	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
	struct net_device *indev = skb->dev;

	if (skb->pkt_type == PACKET_OTHERHOST) {
		nf_bridge->mask |= BRNF_PKT_TYPE;
		skb->pkt_type = PACKET_HOST;
	}

	nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
	nf_bridge->physindev = indev;
	skb->dev = bridge_parent(indev);

	return skb->dev;
}
 440
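/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway.
 *
 * Walk the hop-by-hop options header that directly follows the IPv6
 * header, verifying that every option lies inside the linear skb data and
 * handling the jumbo payload option, which carries the real packet length
 * (the skb is trimmed to it). Returns 0 when the header is well formed,
 * -1 when the packet must be dropped. Expects the caller to have pulled
 * at least sizeof(struct ipv6hdr). */
static int check_hbh_len(struct sk_buff *skb)
{
	unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
	u32 pkt_len;
	const unsigned char *nh = skb_network_header(skb);
	int off = raw - nh;
	int len;

	/* Only the fixed IPv6 header is guaranteed linear so far; make sure
	 * the two-byte option header (next header, hdr ext len) is as well
	 * before reading raw[1] from it. */
	if ((raw + 2) - skb->data > skb_headlen(skb))
		goto bad;

	len = (raw[1] + 1) << 3;
	if ((raw + len) - skb->data > skb_headlen(skb))
		goto bad;

	off += 2;
	len -= 2;

	while (len > 0) {
		int optlen;

		/* Pad1 is a single byte without a length field. */
		if (nh[off] == IPV6_TLV_PAD0) {
			off++;
			len--;
			continue;
		}

		/* Every other option has a type/length pair; a lone trailing
		 * byte would otherwise make nh[off + 1] read one byte past
		 * the range validated above. */
		if (len < 2)
			goto bad;
		optlen = nh[off + 1] + 2;

		switch (nh[off]) {
		case IPV6_TLV_PADN:
			break;

		case IPV6_TLV_JUMBO:
			/* Four-byte length, aligned on a 4n+2 boundary. */
			if (nh[off + 1] != 4 || (off & 3) != 2)
				goto bad;
			pkt_len = ntohl(*(__be32 *) (nh + off + 2));
			/* A jumbogram must exceed the 16-bit payload range and
			 * the base header's payload_len must be zero. */
			if (pkt_len <= IPV6_MAXPLEN ||
			    ipv6_hdr(skb)->payload_len)
				goto bad;
			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
				goto bad;
			if (pskb_trim_rcsum(skb,
					    pkt_len + sizeof(struct ipv6hdr)))
				goto bad;
			/* Trimming may have relocated the linear data. */
			nh = skb_network_header(skb);
			break;
		default:
			if (optlen > len)
				goto bad;
			break;
		}
		off += optlen;
		len -= optlen;
	}
	/* The options must end exactly on the header boundary. */
	if (len == 0)
		return 0;
bad:
	return -1;

}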
 495
/* Replicate the checks that IPv6 does on packet reception and pass the packet
 * to ip6tables, which doesn't support NAT, so things are fairly simple.
 *
 * Called from br_nf_pre_routing() once the encapsulation header has been
 * pulled. Returns NF_DROP for a malformed header or an allocation failure,
 * NF_STOLEN once the skb has been handed to the PF_INET6 PRE_ROUTING chain
 * with br_nf_pre_routing_finish_ipv6() as continuation. */
static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
					   struct sk_buff *skb,
					   const struct net_device *in,
					   const struct net_device *out,
					   int (*okfn)(struct sk_buff *))
{
	struct ipv6hdr *hdr;
	u32 pkt_len;

	if (skb->len < sizeof(struct ipv6hdr))
		goto inhdr_error;

	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
		goto inhdr_error;

	hdr = ipv6_hdr(skb);

	if (hdr->version != 6)
		goto inhdr_error;

	pkt_len = ntohs(hdr->payload_len);

	/* payload_len == 0 together with a hop-by-hop header means a
	 * jumbogram whose real length check_hbh_len() extracts; otherwise
	 * trim anything trailing the declared payload.
	 * NOTE(review): hdr is still used after pskb_trim_rcsum() below,
	 * while check_hbh_len() re-reads its header pointer after trimming;
	 * confirm the linear area cannot move here. */
	if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
		if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
			goto inhdr_error;
		if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr)))
			goto inhdr_error;
	}
	if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
		goto inhdr_error;

	/* Replace whatever nf_bridge_info the skb arrived with by a fresh
	 * one owned by this pass. */
	nf_bridge_put(skb->nf_bridge);
	if (!nf_bridge_alloc(skb))
		return NF_DROP;
	if (!setup_pre_routing(skb))
		return NF_DROP;

	NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
		br_nf_pre_routing_finish_ipv6);

	return NF_STOLEN;

inhdr_error:
	return NF_DROP;
}
 543
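/* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 * Replicate the checks that IPv4 does on packet reception.
 * Set skb->dev to the bridge device (i.e. parent of the
 * receiving device) to make netfilter happy, the REDIRECT
 * target in particular.  Save the original destination IP
 * address to be able to detect DNAT afterwards.
 *
 * Returns NF_ACCEPT to let the bridge handle the frame untouched (not
 * IP/IPv6, or the matching sysctl switch is off), NF_DROP for a malformed
 * frame or an allocation failure, and NF_STOLEN once the skb has been
 * handed to the PF_INET PRE_ROUTING chain with br_nf_pre_routing_finish()
 * as continuation. */
static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
				      const struct net_device *in,
				      const struct net_device *out,
				      int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph;
	__u32 len = nf_bridge_encap_header_len(skb);

	/* The VLAN/PPPoE encapsulation header has to be linear before the
	 * IS_VLAN_xxx / IS_PPPOE_xxx macros look inside it. */
	if (unlikely(!pskb_may_pull(skb, len)))
		goto out;

	if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
	    IS_PPPOE_IPV6(skb)) {
#ifdef CONFIG_SYSCTL
		if (!brnf_call_ip6tables)
			return NF_ACCEPT;
#endif
		nf_bridge_pull_encap_header_rcsum(skb);
		return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
	}
#ifdef CONFIG_SYSCTL
	if (!brnf_call_iptables)
		return NF_ACCEPT;
#endif

	if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
	    !IS_PPPOE_IP(skb))
		return NF_ACCEPT;

	nf_bridge_pull_encap_header_rcsum(skb);

	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
		goto inhdr_error;

	iph = ip_hdr(skb);
	if (iph->ihl < 5 || iph->version != 4)
		goto inhdr_error;

	/* Pull the whole header (options included); ip_hdr() is re-read
	 * afterwards because the pull may relocate the linear data. */
	if (!pskb_may_pull(skb, 4 * iph->ihl))
		goto inhdr_error;

	iph = ip_hdr(skb);
	if (ip_fast_csum((__u8 *) iph, iph->ihl) != 0)
		goto inhdr_error;

	len = ntohs(iph->tot_len);
	if (skb->len < len || len < 4 * iph->ihl)
		goto inhdr_error;

	/* Cut off anything trailing tot_len. As in the IPv6 path, a failed
	 * trim is a header error: the packet must not continue with more
	 * data than its header declares. (Previously the result was ignored.) */
	if (pskb_trim_rcsum(skb, len))
		goto inhdr_error;

	/* Replace whatever nf_bridge_info the skb arrived with by a fresh
	 * one owned by this pass, then record daddr for DNAT detection. */
	nf_bridge_put(skb->nf_bridge);
	if (!nf_bridge_alloc(skb))
		return NF_DROP;
	if (!setup_pre_routing(skb))
		return NF_DROP;
	store_orig_dstaddr(skb);

	NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
		br_nf_pre_routing_finish);

	return NF_STOLEN;

inhdr_error:
//      IP_INC_STATS_BH(IpInHdrErrors);
out:
	return NF_DROP;
}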
 618
 619
 620/* PF_BRIDGE/LOCAL_IN ************************************************/
/* The packet is locally destined, which requires a real
 * dst_entry, so detach the fake one.  On the way up, the
 * packet would pass through PRE_ROUTING again (which already
 * took place when the packet entered the bridge), but we
 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 * prevent this from happening.
 *
 * Only the fake rtable of the bridge @in belongs to is released; any
 * other route stays attached. Always returns NF_ACCEPT. */
static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb,
				   const struct net_device *in,
				   const struct net_device *out,
				   int (*okfn)(struct sk_buff *))
{
	struct rtable *rt = skb->rtable;

	if (rt != NULL && bridge_parent_rtable(in) == rt) {
		skb->rtable = NULL;
		dst_release(&rt->u.dst);
	}

	return NF_ACCEPT;
}
 639
 640/* PF_BRIDGE/FORWARD *************************************************/
/* Continuation (okfn) shared by the PF_INET/PF_INET6 FORWARD hook taken
 * in br_nf_forward_ip() and the NF_ARP FORWARD hook taken in
 * br_nf_forward_arp(): restore pkt_type and the encapsulation header and
 * resume the bridge FORWARD chain with br_forward_finish. Always returns 0. */
static int br_nf_forward_finish(struct sk_buff *skb)
{
	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
	struct net_device *in;

	if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP(skb)) {
		/* IP: the real input port is in nf_bridge; undo the
		 * PACKET_HOST disguise applied in br_nf_forward_ip(). */
		in = nf_bridge->physindev;
		if (nf_bridge->mask & BRNF_PKT_TYPE) {
			skb->pkt_type = PACKET_OTHERHOST;
			nf_bridge->mask ^= BRNF_PKT_TYPE;
		}
	} else {
		/* ARP: br_nf_forward_arp() stashed the input port in skb->cb. */
		in = *((struct net_device **)(skb->cb));
	}
	nf_bridge_push_encap_header(skb);
	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
		       skb->dev, br_forward_finish, 1);
	return 0;
}
 660
/* This is the 'purely bridged' case.  For IP, we pass the packet to
 * netfilter with indev and outdev set to the bridge device,
 * but we are still able to filter on the 'real' indev/outdev
 * because of the physdev module. For ARP, indev and outdev are the
 * bridge ports.
 *
 * Returns NF_ACCEPT for frames without nf_bridge_info, NF_DROP when the
 * info cannot be made private or @out is not a bridge port, and
 * NF_STOLEN once the skb is in the PF_INET/PF_INET6 FORWARD chain with
 * br_nf_forward_finish() as continuation. */
static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
				     const struct net_device *in,
				     const struct net_device *out,
				     int (*okfn)(struct sk_buff *))
{
	struct nf_bridge_info *nf_bridge;
	struct net_device *parent;
	int pf;

	/* Frames that did not pass through br_nf_pre_routing() carry no
	 * nf_bridge_info and are not ours to filter. */
	if (!skb->nf_bridge)
		return NF_ACCEPT;

	/* Need exclusive nf_bridge_info since we might have multiple
	 * different physoutdevs. */
	if (!nf_bridge_unshare(skb))
		return NF_DROP;

	parent = bridge_parent(out);
	if (!parent)
		return NF_DROP;

	/* Everything that is not IPv4 (plain, VLAN or PPPoE encapsulated)
	 * goes to the IPv6 hooks; presumably the hook registration, which is
	 * outside this view, keeps other protocols away from here. */
	if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
	    IS_PPPOE_IP(skb))
		pf = PF_INET;
	else
		pf = PF_INET6;

	nf_bridge_pull_encap_header(skb);

	/* Re-read: nf_bridge_unshare() may have swapped in a private copy. */
	nf_bridge = skb->nf_bridge;
	if (skb->pkt_type == PACKET_OTHERHOST) {
		skb->pkt_type = PACKET_HOST;
		nf_bridge->mask |= BRNF_PKT_TYPE;
	}

	/* The physdev module checks on this */
	nf_bridge->mask |= BRNF_BRIDGED;
	nf_bridge->physoutdev = skb->dev;

	NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
		br_nf_forward_finish);

	return NF_STOLEN;
}
 710
/* PF_BRIDGE/FORWARD hook for ARP: pass the frame through the NF_ARP
 * FORWARD chain with the real bridge ports as in/out devices. The input
 * port is stashed in skb->cb so br_nf_forward_finish() can recover it.
 * Returns NF_ACCEPT for frames arptables is not asked to see, NF_STOLEN
 * once the skb has been handed to the arptables chain. */
static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
				      const struct net_device *in,
				      const struct net_device *out,
				      int (*okfn)(struct sk_buff *))
{
	struct net_device **d = (struct net_device **)(skb->cb);

#ifdef CONFIG_SYSCTL
	if (!brnf_call_arptables)
		return NF_ACCEPT;
#endif

	/* Strip the 802.1Q tag before looking at the ARP header. */
	if (skb->protocol != htons(ETH_P_ARP)) {
		if (!IS_VLAN_ARP(skb))
			return NF_ACCEPT;
		nf_bridge_pull_encap_header(skb);
	}

	/* Only ARP with 4-byte protocol addresses (IPv4) is filtered; put
	 * the tag back on anything else before letting the bridge carry on.
	 * NOTE(review): ar_pln is read here without a pskb_may_pull() of the
	 * ARP header — confirm the caller guarantees it is linear. */
	if (arp_hdr(skb)->ar_pln != 4) {
		if (IS_VLAN_ARP(skb))
			nf_bridge_push_encap_header(skb);
		return NF_ACCEPT;
	}
	*d = (struct net_device *)in;
	NF_HOOK(NF_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
		(struct net_device *)out, br_nf_forward_finish);

	return NF_STOLEN;
}
 740
/* PF_BRIDGE/LOCAL_OUT ***********************************************
 *
 * This function sees both locally originated IP packets and forwarded
 * IP packets (in both cases the destination device is a bridge
 * device). It also sees bridged-and-DNAT'ed packets.
 *
 * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
 * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
 * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
 * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
 * will be executed.
 *
 * Returns NF_ACCEPT for everything that is not a bridged-and-DNAT'ed
 * frame, NF_DROP when the nf_bridge_info cannot be made private, and
 * NF_STOLEN once the skb has been re-injected into the bridge FORWARD
 * chain with br_forward_finish as continuation.
 */
static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
				    const struct net_device *in,
				    const struct net_device *out,
				    int (*okfn)(struct sk_buff *))
{
	struct net_device *realindev;
	struct nf_bridge_info *nf_bridge;

	if (!skb->nf_bridge)
		return NF_ACCEPT;

	/* Need exclusive nf_bridge_info since we might have multiple
	 * different physoutdevs. */
	if (!nf_bridge_unshare(skb))
		return NF_DROP;

	/* Re-read: nf_bridge_unshare() may have swapped in a private copy. */
	nf_bridge = skb->nf_bridge;
	if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
		return NF_ACCEPT;

	/* Bridged, take PF_BRIDGE/FORWARD.
	 * (see big note in front of br_nf_pre_routing_finish) */
	nf_bridge->physoutdev = skb->dev;
	realindev = nf_bridge->physindev;

	/* Undo the PACKET_HOST disguise from br_nf_pre_routing_finish_bridge(). */
	if (nf_bridge->mask & BRNF_PKT_TYPE) {
		skb->pkt_type = PACKET_OTHERHOST;
		nf_bridge->mask ^= BRNF_PKT_TYPE;
	}
	nf_bridge_push_encap_header(skb);

	NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
		br_forward_finish);
	return NF_STOLEN;
}
 788
/* Continuation of the POST_ROUTING hook: fragment an over-MTU IPv4 packet
 * (unless GSO handles it) before handing it to br_dev_queue_push_xmit. */
static int br_nf_dev_queue_xmit(struct sk_buff *skb)
{
	int needs_fragmenting = skb->protocol == htons(ETH_P_IP) &&
				skb->len > skb->dev->mtu &&
				!skb_is_gso(skb);

	if (needs_fragmenting)
		return ip_fragment(skb, br_dev_queue_push_xmit);
	return br_dev_queue_push_xmit(skb);
}
 798
 799/* PF_BRIDGE/POST_ROUTING ********************************************/
/* PF_BRIDGE/POST_ROUTING hook.
 *
 * Registered with priority NF_BR_PRI_LAST (see br_nf_ops below), so it runs
 * after every other NF_BR_POST_ROUTING hook.  Frames that went through this
 * module's bridged paths (BRNF_BRIDGED or BRNF_BRIDGED_DNAT set in
 * nf_bridge->mask) are handed to the IPv4 or IPv6 NF_INET_POST_ROUTING
 * chain with bridge_parent(skb->dev) as the output device; all other frames
 * are passed through untouched.
 *
 * Returns NF_ACCEPT when the frame is not ours to filter, NF_DROP when
 * bridge_parent() yields no device, and NF_STOLEN once the frame has been
 * handed to NF_HOOK(), which continues with br_nf_dev_queue_xmit().
 */
static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
                                       const struct net_device *in,
                                       const struct net_device *out,
                                       int (*okfn)(struct sk_buff *))
{
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
        struct net_device *realoutdev = bridge_parent(skb->dev);
        int pf;

#ifdef CONFIG_NETFILTER_DEBUG
        /* Be very paranoid. This probably won't happen anymore, but let's
         * keep the check just to be sure...
         * NOTE(review): a frame that fails this sanity check is reported at
         * print_error and then returned as NF_ACCEPT, i.e. it is still
         * passed on rather than dropped. */
        if (skb_mac_header(skb) < skb->head ||
            skb_mac_header(skb) + ETH_HLEN > skb->data) {
                printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
                       "bad mac.raw pointer.\n");
                goto print_error;
        }
#endif

        /* Frames without bridge-netfilter state never passed through our
         * PRE_ROUTING/FORWARD hooks; leave them alone. */
        if (!nf_bridge)
                return NF_ACCEPT;

        if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
                return NF_ACCEPT;

        /* No physical device behind the port: nothing sensible to hand to
         * the IP POST_ROUTING chain, so refuse the frame. */
        if (!realoutdev)
                return NF_DROP;

        /* Plain, VLAN-encapsulated and PPPoE-encapsulated IPv4 go to the
         * PF_INET chain.  Everything else is assumed to be IPv6 here --
         * presumably the hooks that set BRNF_BRIDGED only do so for IPv4/IPv6
         * frames; that is not visible in this function. */
        if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
            IS_PPPOE_IP(skb))
                pf = PF_INET;
        else
                pf = PF_INET6;

#ifdef CONFIG_NETFILTER_DEBUG
        if (skb->dst == NULL) {
                printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
                goto print_error;
        }
#endif

        /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
         * about the value of skb->pkt_type.
         * PACKET_OTHERHOST is temporarily turned into PACKET_HOST for the IP
         * hooks; BRNF_PKT_TYPE records that so the original type can be put
         * back later (see the BRNF_PKT_TYPE handling above). */
        if (skb->pkt_type == PACKET_OTHERHOST) {
                skb->pkt_type = PACKET_HOST;
                nf_bridge->mask |= BRNF_PKT_TYPE;
        }

        /* Strip the encapsulation header (if any) and stash the link-layer
         * header before the IP chain sees the frame. */
        nf_bridge_pull_encap_header(skb);
        nf_bridge_save_header(skb);

        /* No input device is given: as far as the IP stack is concerned this
         * frame is leaving via realoutdev. */
        NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
                br_nf_dev_queue_xmit);

        return NF_STOLEN;

#ifdef CONFIG_NETFILTER_DEBUG
print_error:
        /* Debug-only diagnostics; the frame is accepted afterwards. */
        if (skb->dev != NULL) {
                printk("[%s]", skb->dev->name);
                if (realoutdev)
                        printk("[%s]", realoutdev->name);
        }
        printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
               skb->data);
        dump_stack();
        return NF_ACCEPT;
#endif
}
 870
 871/* IP/SABOTAGE *****************************************************/
/* PF_INET/PF_INET6 PRE_ROUTING hook, registered with the highest priority
 * (NF_IP_PRI_FIRST / NF_IP6_PRI_FIRST, see br_nf_ops).
 *
 * Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING for the
 * second time: a frame that carries bridge-netfilter state but does NOT have
 * BRNF_NF_BRIDGE_PREROUTING set is answered with NF_STOP so the remaining
 * PRE_ROUTING hooks are not run again for it.  Frames with no nf_bridge
 * state, or with the flag set, are accepted as usual.
 */
static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
                                   const struct net_device *in,
                                   const struct net_device *out,
                                   int (*okfn)(struct sk_buff *))
{
        const struct nf_bridge_info *brinfo = skb->nf_bridge;

        if (!brinfo || (brinfo->mask & BRNF_NF_BRIDGE_PREROUTING))
                return NF_ACCEPT;

        return NF_STOP;
}
 886
/* Hook registration table for bridge netfilter.
 *
 * For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent
 * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input.
 * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
 * ip_refrag() can return NF_STOLEN.
 *
 * The two ip_sabotage_in entries sit first in the IPv4 and IPv6 PRE_ROUTING
 * chains so they can short-circuit a second traversal for frames the bridge
 * has already pushed through them. */
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
        /* PF_BRIDGE/PRE_ROUTING */
        { .hook = br_nf_pre_routing,
          .owner = THIS_MODULE,
          .pf = PF_BRIDGE,
          .hooknum = NF_BR_PRE_ROUTING,
          .priority = NF_BR_PRI_BRNF, },
        /* PF_BRIDGE/LOCAL_IN */
        { .hook = br_nf_local_in,
          .owner = THIS_MODULE,
          .pf = PF_BRIDGE,
          .hooknum = NF_BR_LOCAL_IN,
          .priority = NF_BR_PRI_BRNF, },
        /* PF_BRIDGE/FORWARD, IP: ordered one step ahead of the ARP hook on
         * the same hook point (assuming lower priority values run first). */
        { .hook = br_nf_forward_ip,
          .owner = THIS_MODULE,
          .pf = PF_BRIDGE,
          .hooknum = NF_BR_FORWARD,
          .priority = NF_BR_PRI_BRNF - 1, },
        /* PF_BRIDGE/FORWARD, ARP */
        { .hook = br_nf_forward_arp,
          .owner = THIS_MODULE,
          .pf = PF_BRIDGE,
          .hooknum = NF_BR_FORWARD,
          .priority = NF_BR_PRI_BRNF, },
        /* PF_BRIDGE/LOCAL_OUT, first in the chain (see comment above) */
        { .hook = br_nf_local_out,
          .owner = THIS_MODULE,
          .pf = PF_BRIDGE,
          .hooknum = NF_BR_LOCAL_OUT,
          .priority = NF_BR_PRI_FIRST, },
        /* PF_BRIDGE/POST_ROUTING, last in the chain (see comment above) */
        { .hook = br_nf_post_routing,
          .owner = THIS_MODULE,
          .pf = PF_BRIDGE,
          .hooknum = NF_BR_POST_ROUTING,
          .priority = NF_BR_PRI_LAST, },
        /* PF_INET/PRE_ROUTING, first in the chain */
        { .hook = ip_sabotage_in,
          .owner = THIS_MODULE,
          .pf = PF_INET,
          .hooknum = NF_INET_PRE_ROUTING,
          .priority = NF_IP_PRI_FIRST, },
        /* PF_INET6/PRE_ROUTING, first in the chain */
        { .hook = ip_sabotage_in,
          .owner = THIS_MODULE,
          .pf = PF_INET6,
          .hooknum = NF_INET_PRE_ROUTING,
          .priority = NF_IP6_PRI_FIRST, },
};
 933
 934#ifdef CONFIG_SYSCTL
/* proc handler shared by every entry in brnf_table.
 *
 * Parsing and printing of the integer is left to proc_dointvec().  On a
 * write, any nonzero value that ended up in ctl->data is normalised to 1, so
 * the flags behind these sysctls are always stored as plain 0/1 booleans.
 * The normalisation is applied regardless of proc_dointvec()'s result, and
 * that result is returned unchanged.
 */
static
int brnf_sysctl_call_tables(ctl_table * ctl, int write, struct file *filp,
                            void __user * buffer, size_t * lenp, loff_t * ppos)
{
        int *flag;
        int ret;

        ret = proc_dointvec(ctl, write, filp, buffer, lenp, ppos);

        flag = ctl->data;
        if (write && *flag != 0)
                *flag = 1;

        return ret;
}
 947
/* /proc/sys/net/bridge/ tunables (see brnf_path below).
 *
 * Every entry is a single int, owner-writable (mode 0644), and goes through
 * brnf_sysctl_call_tables(), which forces any nonzero write to 1.  Judging
 * by their names these flags decide whether bridged traffic is handed to
 * arptables/iptables/ip6tables and whether VLAN/PPPoE-encapsulated frames
 * are filtered; the code that reads them is not in this part of the file. */
static ctl_table brnf_table[] = {
        {
                .procname       = "bridge-nf-call-arptables",
                .data           = &brnf_call_arptables,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-call-iptables",
                .data           = &brnf_call_iptables,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-call-ip6tables",
                .data           = &brnf_call_ip6tables,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-filter-vlan-tagged",
                .data           = &brnf_filter_vlan_tagged,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &brnf_sysctl_call_tables,
        },
        {
                .procname       = "bridge-nf-filter-pppoe-tagged",
                .data           = &brnf_filter_pppoe_tagged,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &brnf_sysctl_call_tables,
        },
        /* terminator */
        { .ctl_name = 0 }
};
 986
/* Directory path under which brnf_table is registered: net/bridge/. */
static struct ctl_path brnf_path[] = {
        { .procname = "net", .ctl_name = CTL_NET, },
        { .procname = "bridge", .ctl_name = NET_BRIDGE, },
        /* terminator */
        { }
};
 992#endif
 993
/* Module/subsystem initialisation for bridge netfilter.
 *
 * Registers every hook in br_nf_ops and, when CONFIG_SYSCTL is enabled, the
 * net/bridge sysctl table.  If the sysctl registration fails the hooks are
 * unregistered again so no half-initialised state is left behind.
 *
 * Returns 0 on success, the nf_register_hooks() error code if hook
 * registration fails, or -ENOMEM if the sysctl table could not be
 * registered.
 */
int __init br_netfilter_init(void)
{
        int err = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));

        if (err < 0)
                return err;

#ifdef CONFIG_SYSCTL
        brnf_sysctl_header = register_sysctl_paths(brnf_path, brnf_table);
        if (!brnf_sysctl_header) {
                printk(KERN_WARNING "br_netfilter: can't register to sysctl.\n");
                /* Undo the hook registration above before bailing out. */
                nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
                return -ENOMEM;
        }
#endif

        printk(KERN_NOTICE "Bridge firewalling registered\n");
        return 0;
}
1013
/* Teardown counterpart of br_netfilter_init().
 *
 * Unregisters the br_nf_ops hooks first and then, when CONFIG_SYSCTL is
 * enabled, the sysctl table -- the same order as registration, not the
 * reverse.  brnf_sysctl_header is assumed to be valid here, i.e. this is
 * only called after a successful br_netfilter_init(). */
void br_netfilter_fini(void)
{
        nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
#ifdef CONFIG_SYSCTL
        unregister_sysctl_table(brnf_sysctl_header);
#endif
}
1021