LXR linux/net/bridge/br

   1/*
   2 *      Handle firewalling
   3 *      Linux ethernet bridge
   4 *
   5 *      Authors:
   6 *      Lennert Buytenhek               <buytenh@gnu.org>
   7 *      Bart De Schuymer                <bdschuym@pandora.be>
   8 *
   9 *      This program is free software; you can redistribute it and/or
  10 *      modify it under the terms of the GNU General Public License
  11 *      as published by the Free Software Foundation; either version
  12 *      2 of the License, or (at your option) any later version.
  13 *
  14 *      Lennert dedicates this file to Kerstin Wurdinger.
  15 */
  16
  17#include <linux/module.h>
  18#include <linux/kernel.h>
  19#include <linux/slab.h>
  20#include <linux/ip.h>
  21#include <linux/netdevice.h>
  22#include <linux/skbuff.h>
  23#include <linux/if_arp.h>
  24#include <linux/if_ether.h>
  25#include <linux/if_vlan.h>
  26#include <linux/if_pppox.h>
  27#include <linux/ppp_defs.h>
  28#include <linux/netfilter_bridge.h>
  29#include <linux/netfilter_ipv4.h>
  30#include <linux/netfilter_ipv6.h>
  31#include <linux/netfilter_arp.h>
  32#include <linux/in_route.h>
  33#include <linux/inetdevice.h>
  34
  35#include <net/ip.h>
  36#include <net/ipv6.h>
  37#include <net/route.h>
  38
  39#include <asm/uaccess.h>
  40#include "br_private.h"
  41#ifdef CONFIG_SYSCTL
  42#include <linux/sysctl.h>
  43#endif
  44
  45#define skb_origaddr(skb)        (((struct bridge_skb_cb *) \
  46                                 (skb->nf_bridge->data))->daddr.ipv4)
  47#define store_orig_dstaddr(skb)  (skb_origaddr(skb) = ip_hdr(skb)->daddr)
  48#define dnat_took_place(skb)     (skb_origaddr(skb) != ip_hdr(skb)->daddr)
  49
  50#ifdef CONFIG_SYSCTL
  51static struct ctl_table_header *brnf_sysctl_header;
  52static int brnf_call_iptables __read_mostly = 1;
  53static int brnf_call_ip6tables __read_mostly = 1;
  54static int brnf_call_arptables __read_mostly = 1;
  55static int brnf_filter_vlan_tagged __read_mostly = 0;
  56static int brnf_filter_pppoe_tagged __read_mostly = 0;
  57static int brnf_pass_vlan_indev __read_mostly = 0;
  58#else
  59#define brnf_call_iptables 1
  60#define brnf_call_ip6tables 1
  61#define brnf_call_arptables 1
  62#define brnf_filter_vlan_tagged 0
  63#define brnf_filter_pppoe_tagged 0
  64#define brnf_pass_vlan_indev 0
  65#endif
  66
  67#define IS_IP(skb) \
  68        (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
  69
  70#define IS_IPV6(skb) \
  71        (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
  72
  73#define IS_ARP(skb) \
  74        (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
  75
  76static inline __be16 vlan_proto(const struct sk_buff *skb)
  77{
  78        if (vlan_tx_tag_present(skb))
  79                return skb->protocol;
  80        else if (skb->protocol == htons(ETH_P_8021Q))
  81                return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
  82        else
  83                return 0;
  84}
  85
  86#define IS_VLAN_IP(skb) \
  87        (vlan_proto(skb) == htons(ETH_P_IP) && \
  88         brnf_filter_vlan_tagged)
  89
  90#define IS_VLAN_IPV6(skb) \
  91        (vlan_proto(skb) == htons(ETH_P_IPV6) && \
  92         brnf_filter_vlan_tagged)
  93
  94#define IS_VLAN_ARP(skb) \
  95        (vlan_proto(skb) == htons(ETH_P_ARP) && \
  96         brnf_filter_vlan_tagged)
  97
  98static inline __be16 pppoe_proto(const struct sk_buff *skb)
  99{
 100        return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
 101                            sizeof(struct pppoe_hdr)));
 102}
 103
 104#define IS_PPPOE_IP(skb) \
 105        (skb->protocol == htons(ETH_P_PPP_SES) && \
 106         pppoe_proto(skb) == htons(PPP_IP) && \
 107         brnf_filter_pppoe_tagged)
 108
 109#define IS_PPPOE_IPV6(skb) \
 110        (skb->protocol == htons(ETH_P_PPP_SES) && \
 111         pppoe_proto(skb) == htons(PPP_IPV6) && \
 112         brnf_filter_pppoe_tagged)
 113
 114static void fake_update_pmtu(struct dst_entry *dst, struct sock *sk,
 115                             struct sk_buff *skb, u32 mtu)
 116{
 117}
 118
 119static void fake_redirect(struct dst_entry *dst, struct sock *sk,
 120                          struct sk_buff *skb)
 121{
 122}
 123
 124static u32 *fake_cow_metrics(struct dst_entry *dst, unsigned long old)
 125{
 126        return NULL;
 127}
 128
 129static struct neighbour *fake_neigh_lookup(const struct dst_entry *dst,
 130                                           struct sk_buff *skb,
 131                                           const void *daddr)
 132{
 133        return NULL;
 134}
 135
 136static unsigned int fake_mtu(const struct dst_entry *dst)
 137{
 138        return dst->dev->mtu;
 139}
 140
 141static struct dst_ops fake_dst_ops = {
 142        .family =               AF_INET,
 143        .protocol =             cpu_to_be16(ETH_P_IP),
 144        .update_pmtu =          fake_update_pmtu,
 145        .redirect =             fake_redirect,
 146        .cow_metrics =          fake_cow_metrics,
 147        .neigh_lookup =         fake_neigh_lookup,
 148        .mtu =                  fake_mtu,
 149};
 150
 151/*
 152 * Initialize bogus route table used to keep netfilter happy.
 153 * Currently, we fill in the PMTU entry because netfilter
 154 * refragmentation needs it, and the rt_flags entry because
 155 * ipt_REJECT needs it.  Future netfilter modules might
 156 * require us to fill additional fields.
 157 */
 158static const u32 br_dst_default_metrics[RTAX_MAX] = {
 159        [RTAX_MTU - 1] = 1500,
 160};
 161
 162void br_netfilter_rtable_init(struct net_bridge *br)
 163{
 164        struct rtable *rt = &br->fake_rtable;
 165
 166        atomic_set(&rt->dst.__refcnt, 1);
 167        rt->dst.dev = br->dev;
 168        rt->dst.path = &rt->dst;
 169        dst_init_metrics(&rt->dst, br_dst_default_metrics, true);
 170        rt->dst.flags   = DST_NOXFRM | DST_NOPEER | DST_FAKE_RTABLE;
 171        rt->dst.ops = &fake_dst_ops;
 172}
 173
 174static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
 175{
 176        struct net_bridge_port *port;
 177
 178        port = br_port_get_rcu(dev);
 179        return port ? &port->br->fake_rtable : NULL;
 180}
 181
 182static inline struct net_device *bridge_parent(const struct net_device *dev)
 183{
 184        struct net_bridge_port *port;
 185
 186        port = br_port_get_rcu(dev);
 187        return port ? port->br->dev : NULL;
 188}
 189
 190static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
 191{
 192        skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
 193        if (likely(skb->nf_bridge))
 194                atomic_set(&(skb->nf_bridge->use), 1);
 195
 196        return skb->nf_bridge;
 197}
 198
 199static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
 200{
 201        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 202
 203        if (atomic_read(&nf_bridge->use) > 1) {
 204                struct nf_bridge_info *tmp = nf_bridge_alloc(skb);
 205
 206                if (tmp) {
 207                        memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
 208                        atomic_set(&tmp->use, 1);
 209                }
 210                nf_bridge_put(nf_bridge);
 211                nf_bridge = tmp;
 212        }
 213        return nf_bridge;
 214}
 215
 216static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
 217{
 218        unsigned int len = nf_bridge_encap_header_len(skb);
 219
 220        skb_push(skb, len);
 221        skb->network_header -= len;
 222}
 223
 224static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
 225{
 226        unsigned int len = nf_bridge_encap_header_len(skb);
 227
 228        skb_pull(skb, len);
 229        skb->network_header += len;
 230}
 231
 232static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
 233{
 234        unsigned int len = nf_bridge_encap_header_len(skb);
 235
 236        skb_pull_rcsum(skb, len);
 237        skb->network_header += len;
 238}
 239
 240static inline void nf_bridge_save_header(struct sk_buff *skb)
 241{
 242        int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
 243
 244        skb_copy_from_linear_data_offset(skb, -header_size,
 245                                         skb->nf_bridge->data, header_size);
 246}
 247
 248static inline void nf_bridge_update_protocol(struct sk_buff *skb)
 249{
 250        if (skb->nf_bridge->mask & BRNF_8021Q)
 251                skb->protocol = htons(ETH_P_8021Q);
 252        else if (skb->nf_bridge->mask & BRNF_PPPoE)
 253                skb->protocol = htons(ETH_P_PPP_SES);
 254}
 255
 256/* When handing a packet over to the IP layer
 257 * check whether we have a skb that is in the
 258 * expected format
 259 */
 260
 261static int br_parse_ip_options(struct sk_buff *skb)
 262{
 263        struct ip_options *opt;
 264        const struct iphdr *iph;
 265        struct net_device *dev = skb->dev;
 266        u32 len;
 267
 268        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 269                goto inhdr_error;
 270
 271        iph = ip_hdr(skb);
 272        opt = &(IPCB(skb)->opt);
 273
 274        /* Basic sanity checks */
 275        if (iph->ihl < 5 || iph->version != 4)
 276                goto inhdr_error;
 277
 278        if (!pskb_may_pull(skb, iph->ihl*4))
 279                goto inhdr_error;
 280
 281        iph = ip_hdr(skb);
 282        if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
 283                goto inhdr_error;
 284
 285        len = ntohs(iph->tot_len);
 286        if (skb->len < len) {
 287                IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS);
 288                goto drop;
 289        } else if (len < (iph->ihl*4))
 290                goto inhdr_error;
 291
 292        if (pskb_trim_rcsum(skb, len)) {
 293                IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
 294                goto drop;
 295        }
 296
 297        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 298        if (iph->ihl == 5)
 299                return 0;
 300
 301        opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
 302        if (ip_options_compile(dev_net(dev), opt, skb))
 303                goto inhdr_error;
 304
 305        /* Check correct handling of SRR option */
 306        if (unlikely(opt->srr)) {
 307                struct in_device *in_dev = __in_dev_get_rcu(dev);
 308                if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev))
 309                        goto drop;
 310
 311                if (ip_options_rcv_srr(skb))
 312                        goto drop;
 313        }
 314
 315        return 0;
 316
 317inhdr_error:
 318        IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
 319drop:
 320        return -1;
 321}
 322
 323/* Fill in the header for fragmented IP packets handled by
 324 * the IPv4 connection tracking code.
 325 */
 326int nf_bridge_copy_header(struct sk_buff *skb)
 327{
 328        int err;
 329        unsigned int header_size;
 330
 331        nf_bridge_update_protocol(skb);
 332        header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
 333        err = skb_cow_head(skb, header_size);
 334        if (err)
 335                return err;
 336
 337        skb_copy_to_linear_data_offset(skb, -header_size,
 338                                       skb->nf_bridge->data, header_size);
 339        __skb_push(skb, nf_bridge_encap_header_len(skb));
 340        return 0;
 341}
 342
 343/* PF_BRIDGE/PRE_ROUTING *********************************************/
 344/* Undo the changes made for ip6tables PREROUTING and continue the
 345 * bridge PRE_ROUTING hook. */
 346static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
 347{
 348        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 349        struct rtable *rt;
 350
 351        if (nf_bridge->mask & BRNF_PKT_TYPE) {
 352                skb->pkt_type = PACKET_OTHERHOST;
 353                nf_bridge->mask ^= BRNF_PKT_TYPE;
 354        }
 355        nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
 356
 357        rt = bridge_parent_rtable(nf_bridge->physindev);
 358        if (!rt) {
 359                kfree_skb(skb);
 360                return 0;
 361        }
 362        skb_dst_set_noref(skb, &rt->dst);
 363
 364        skb->dev = nf_bridge->physindev;
 365        nf_bridge_update_protocol(skb);
 366        nf_bridge_push_encap_header(skb);
 367        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 368                       br_handle_frame_finish, 1);
 369
 370        return 0;
 371}
 372
 373/* Obtain the correct destination MAC address, while preserving the original
 374 * source MAC address. If we already know this address, we just copy it. If we
 375 * don't, we use the neighbour framework to find out. In both cases, we make
 376 * sure that br_handle_frame_finish() is called afterwards.
 377 */
 378static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
 379{
 380        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 381        struct neighbour *neigh;
 382        struct dst_entry *dst;
 383
 384        skb->dev = bridge_parent(skb->dev);
 385        if (!skb->dev)
 386                goto free_skb;
 387        dst = skb_dst(skb);
 388        neigh = dst_neigh_lookup_skb(dst, skb);
 389        if (neigh) {
 390                int ret;
 391
 392                if (neigh->hh.hh_len) {
 393                        neigh_hh_bridge(&neigh->hh, skb);
 394                        skb->dev = nf_bridge->physindev;
 395                        ret = br_handle_frame_finish(skb);
 396                } else {
 397                        /* the neighbour function below overwrites the complete
 398                         * MAC header, so we save the Ethernet source address and
 399                         * protocol number.
 400                         */
 401                        skb_copy_from_linear_data_offset(skb,
 402                                                         -(ETH_HLEN-ETH_ALEN),
 403                                                         skb->nf_bridge->data,
 404                                                         ETH_HLEN-ETH_ALEN);
 405                        /* tell br_dev_xmit to continue with forwarding */
 406                        nf_bridge->mask |= BRNF_BRIDGED_DNAT;
 407                        ret = neigh->output(neigh, skb);
 408                }
 409                neigh_release(neigh);
 410                return ret;
 411        }
 412free_skb:
 413        kfree_skb(skb);
 414        return 0;
 415}
 416
 417/* This requires some explaining. If DNAT has taken place,
 418 * we will need to fix up the destination Ethernet address.
 419 *
 420 * There are two cases to consider:
 421 * 1. The packet was DNAT'ed to a device in the same bridge
 422 *    port group as it was received on. We can still bridge
 423 *    the packet.
 424 * 2. The packet was DNAT'ed to a different device, either
 425 *    a non-bridged device or another bridge port group.
 426 *    The packet will need to be routed.
 427 *
 428 * The correct way of distinguishing between these two cases is to
 429 * call ip_route_input() and to look at skb->dst->dev, which is
 430 * changed to the destination device if ip_route_input() succeeds.
 431 *
 432 * Let's first consider the case that ip_route_input() succeeds:
 433 *
 434 * If the output device equals the logical bridge device the packet
 435 * came in on, we can consider this bridging. The corresponding MAC
 436 * address will be obtained in br_nf_pre_routing_finish_bridge.
 437 * Otherwise, the packet is considered to be routed and we just
 438 * change the destination MAC address so that the packet will
 439 * later be passed up to the IP stack to be routed. For a redirected
 440 * packet, ip_route_input() will give back the localhost as output device,
 441 * which differs from the bridge device.
 442 *
 443 * Let's now consider the case that ip_route_input() fails:
 444 *
 445 * This can be because the destination address is martian, in which case
 446 * the packet will be dropped.
 447 * If IP forwarding is disabled, ip_route_input() will fail, while
 448 * ip_route_output_key() can return success. The source
 449 * address for ip_route_output_key() is set to zero, so ip_route_output_key()
 450 * thinks we're handling a locally generated packet and won't care
 451 * if IP forwarding is enabled. If the output device equals the logical bridge
 452 * device, we proceed as if ip_route_input() succeeded. If it differs from the
 453 * logical bridge port or if ip_route_output_key() fails we drop the packet.
 454 */
 455static int br_nf_pre_routing_finish(struct sk_buff *skb)
 456{
 457        struct net_device *dev = skb->dev;
 458        struct iphdr *iph = ip_hdr(skb);
 459        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 460        struct rtable *rt;
 461        int err;
 462
 463        if (nf_bridge->mask & BRNF_PKT_TYPE) {
 464                skb->pkt_type = PACKET_OTHERHOST;
 465                nf_bridge->mask ^= BRNF_PKT_TYPE;
 466        }
 467        nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
 468        if (dnat_took_place(skb)) {
 469                if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
 470                        struct in_device *in_dev = __in_dev_get_rcu(dev);
 471
 472                        /* If err equals -EHOSTUNREACH the error is due to a
 473                         * martian destination or due to the fact that
 474                         * forwarding is disabled. For most martian packets,
 475                         * ip_route_output_key() will fail. It won't fail for 2 types of
 476                         * martian destinations: loopback destinations and destination
 477                         * 0.0.0.0. In both cases the packet will be dropped because the
 478                         * destination is the loopback device and not the bridge. */
 479                        if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
 480                                goto free_skb;
 481
 482                        rt = ip_route_output(dev_net(dev), iph->daddr, 0,
 483                                             RT_TOS(iph->tos), 0);
 484                        if (!IS_ERR(rt)) {
 485                                /* - Bridged-and-DNAT'ed traffic doesn't
 486                                 *   require ip_forwarding. */
 487                                if (rt->dst.dev == dev) {
 488                                        skb_dst_set(skb, &rt->dst);
 489                                        goto bridged_dnat;
 490                                }
 491                                ip_rt_put(rt);
 492                        }
 493free_skb:
 494                        kfree_skb(skb);
 495                        return 0;
 496                } else {
 497                        if (skb_dst(skb)->dev == dev) {
 498bridged_dnat:
 499                                skb->dev = nf_bridge->physindev;
 500                                nf_bridge_update_protocol(skb);
 501                                nf_bridge_push_encap_header(skb);
 502                                NF_HOOK_THRESH(NFPROTO_BRIDGE,
 503                                               NF_BR_PRE_ROUTING,
 504                                               skb, skb->dev, NULL,
 505                                               br_nf_pre_routing_finish_bridge,
 506                                               1);
 507                                return 0;
 508                        }
 509                        memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, ETH_ALEN);
 510                        skb->pkt_type = PACKET_HOST;
 511                }
 512        } else {
 513                rt = bridge_parent_rtable(nf_bridge->physindev);
 514                if (!rt) {
 515                        kfree_skb(skb);
 516                        return 0;
 517                }
 518                skb_dst_set_noref(skb, &rt->dst);
 519        }
 520
 521        skb->dev = nf_bridge->physindev;
 522        nf_bridge_update_protocol(skb);
 523        nf_bridge_push_encap_header(skb);
 524        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 525                       br_handle_frame_finish, 1);
 526
 527        return 0;
 528}
 529
 530static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct net_device *dev)
 531{
 532        struct net_device *vlan, *br;
 533
 534        br = bridge_parent(dev);
 535        if (brnf_pass_vlan_indev == 0 || !vlan_tx_tag_present(skb))
 536                return br;
 537
 538        vlan = __vlan_find_dev_deep(br, vlan_tx_tag_get(skb) & VLAN_VID_MASK);
 539
 540        return vlan ? vlan : br;
 541}
 542
 543/* Some common code for IPv4/IPv6 */
 544static struct net_device *setup_pre_routing(struct sk_buff *skb)
 545{
 546        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 547
 548        if (skb->pkt_type == PACKET_OTHERHOST) {
 549                skb->pkt_type = PACKET_HOST;
 550                nf_bridge->mask |= BRNF_PKT_TYPE;
 551        }
 552
 553        nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
 554        nf_bridge->physindev = skb->dev;
 555        skb->dev = brnf_get_logical_dev(skb, skb->dev);
 556        if (skb->protocol == htons(ETH_P_8021Q))
 557                nf_bridge->mask |= BRNF_8021Q;
 558        else if (skb->protocol == htons(ETH_P_PPP_SES))
 559                nf_bridge->mask |= BRNF_PPPoE;
 560
 561        return skb->dev;
 562}
 563
 564/* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */
 565static int check_hbh_len(struct sk_buff *skb)
 566{
 567        unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
 568        u32 pkt_len;
 569        const unsigned char *nh = skb_network_header(skb);
 570        int off = raw - nh;
 571        int len = (raw[1] + 1) << 3;
 572
 573        if ((raw + len) - skb->data > skb_headlen(skb))
 574                goto bad;
 575
 576        off += 2;
 577        len -= 2;
 578
 579        while (len > 0) {
 580                int optlen = nh[off + 1] + 2;
 581
 582                switch (nh[off]) {
 583                case IPV6_TLV_PAD1:
 584                        optlen = 1;
 585                        break;
 586
 587                case IPV6_TLV_PADN:
 588                        break;
 589
 590                case IPV6_TLV_JUMBO:
 591                        if (nh[off + 1] != 4 || (off & 3) != 2)
 592                                goto bad;
 593                        pkt_len = ntohl(*(__be32 *) (nh + off + 2));
 594                        if (pkt_len <= IPV6_MAXPLEN ||
 595                            ipv6_hdr(skb)->payload_len)
 596                                goto bad;
 597                        if (pkt_len > skb->len - sizeof(struct ipv6hdr))
 598                                goto bad;
 599                        if (pskb_trim_rcsum(skb,
 600                                            pkt_len + sizeof(struct ipv6hdr)))
 601                                goto bad;
 602                        nh = skb_network_header(skb);
 603                        break;
 604                default:
 605                        if (optlen > len)
 606                                goto bad;
 607                        break;
 608                }
 609                off += optlen;
 610                len -= optlen;
 611        }
 612        if (len == 0)
 613                return 0;
 614bad:
 615        return -1;
 616
 617}
 618
 619/* Replicate the checks that IPv6 does on packet reception and pass the packet
 620 * to ip6tables, which doesn't support NAT, so things are fairly simple. */
 621static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
 622                                           struct sk_buff *skb,
 623                                           const struct net_device *in,
 624                                           const struct net_device *out,
 625                                           int (*okfn)(struct sk_buff *))
 626{
 627        const struct ipv6hdr *hdr;
 628        u32 pkt_len;
 629
 630        if (skb->len < sizeof(struct ipv6hdr))
 631                return NF_DROP;
 632
 633        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
 634                return NF_DROP;
 635
 636        hdr = ipv6_hdr(skb);
 637
 638        if (hdr->version != 6)
 639                return NF_DROP;
 640
 641        pkt_len = ntohs(hdr->payload_len);
 642
 643        if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
 644                if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
 645                        return NF_DROP;
 646                if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr)))
 647                        return NF_DROP;
 648        }
 649        if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
 650                return NF_DROP;
 651
 652        nf_bridge_put(skb->nf_bridge);
 653        if (!nf_bridge_alloc(skb))
 654                return NF_DROP;
 655        if (!setup_pre_routing(skb))
 656                return NF_DROP;
 657
 658        skb->protocol = htons(ETH_P_IPV6);
 659        NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
 660                br_nf_pre_routing_finish_ipv6);
 661
 662        return NF_STOLEN;
 663}
 664
 665/* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 666 * Replicate the checks that IPv4 does on packet reception.
 667 * Set skb->dev to the bridge device (i.e. parent of the
 668 * receiving device) to make netfilter happy, the REDIRECT
 669 * target in particular.  Save the original destination IP
 670 * address to be able to detect DNAT afterwards. */
 671static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
 672                                      const struct net_device *in,
 673                                      const struct net_device *out,
 674                                      int (*okfn)(struct sk_buff *))
 675{
 676        struct net_bridge_port *p;
 677        struct net_bridge *br;
 678        __u32 len = nf_bridge_encap_header_len(skb);
 679
 680        if (unlikely(!pskb_may_pull(skb, len)))
 681                return NF_DROP;
 682
 683        p = br_port_get_rcu(in);
 684        if (p == NULL)
 685                return NF_DROP;
 686        br = p->br;
 687
 688        if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
 689                if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
 690                        return NF_ACCEPT;
 691
 692                nf_bridge_pull_encap_header_rcsum(skb);
 693                return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
 694        }
 695
 696        if (!brnf_call_iptables && !br->nf_call_iptables)
 697                return NF_ACCEPT;
 698
 699        if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
 700                return NF_ACCEPT;
 701
 702        nf_bridge_pull_encap_header_rcsum(skb);
 703
 704        if (br_parse_ip_options(skb))
 705                return NF_DROP;
 706
 707        nf_bridge_put(skb->nf_bridge);
 708        if (!nf_bridge_alloc(skb))
 709                return NF_DROP;
 710        if (!setup_pre_routing(skb))
 711                return NF_DROP;
 712        store_orig_dstaddr(skb);
 713        skb->protocol = htons(ETH_P_IP);
 714
 715        NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
 716                br_nf_pre_routing_finish);
 717
 718        return NF_STOLEN;
 719}
 720
 721
 722/* PF_BRIDGE/LOCAL_IN ************************************************/
 723/* The packet is locally destined, which requires a real
 724 * dst_entry, so detach the fake one.  On the way up, the
 725 * packet would pass through PRE_ROUTING again (which already
 726 * took place when the packet entered the bridge), but we
 727 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 728 * prevent this from happening. */
 729static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb,
 730                                   const struct net_device *in,
 731                                   const struct net_device *out,
 732                                   int (*okfn)(struct sk_buff *))
 733{
 734        br_drop_fake_rtable(skb);
 735        return NF_ACCEPT;
 736}
 737
 738/* PF_BRIDGE/FORWARD *************************************************/
 739static int br_nf_forward_finish(struct sk_buff *skb)
 740{
 741        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 742        struct net_device *in;
 743
 744        if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
 745                in = nf_bridge->physindev;
 746                if (nf_bridge->mask & BRNF_PKT_TYPE) {
 747                        skb->pkt_type = PACKET_OTHERHOST;
 748                        nf_bridge->mask ^= BRNF_PKT_TYPE;
 749                }
 750                nf_bridge_update_protocol(skb);
 751        } else {
 752                in = *((struct net_device **)(skb->cb));
 753        }
 754        nf_bridge_push_encap_header(skb);
 755
 756        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
 757                       skb->dev, br_forward_finish, 1);
 758        return 0;
 759}
 760
 761
 762/* This is the 'purely bridged' case.  For IP, we pass the packet to
 763 * netfilter with indev and outdev set to the bridge device,
 764 * but we are still able to filter on the 'real' indev/outdev
 765 * because of the physdev module. For ARP, indev and outdev are the
 766 * bridge ports. */
 767static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
 768                                     const struct net_device *in,
 769                                     const struct net_device *out,
 770                                     int (*okfn)(struct sk_buff *))
 771{
 772        struct nf_bridge_info *nf_bridge;
 773        struct net_device *parent;
 774        u_int8_t pf;
 775
 776        if (!skb->nf_bridge)
 777                return NF_ACCEPT;
 778
 779        /* Need exclusive nf_bridge_info since we might have multiple
 780         * different physoutdevs. */
 781        if (!nf_bridge_unshare(skb))
 782                return NF_DROP;
 783
 784        parent = bridge_parent(out);
 785        if (!parent)
 786                return NF_DROP;
 787
 788        if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
 789                pf = NFPROTO_IPV4;
 790        else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
 791                pf = NFPROTO_IPV6;
 792        else
 793                return NF_ACCEPT;
 794
 795        nf_bridge_pull_encap_header(skb);
 796
 797        nf_bridge = skb->nf_bridge;
 798        if (skb->pkt_type == PACKET_OTHERHOST) {
 799                skb->pkt_type = PACKET_HOST;
 800                nf_bridge->mask |= BRNF_PKT_TYPE;
 801        }
 802
 803        if (pf == NFPROTO_IPV4 && br_parse_ip_options(skb))
 804                return NF_DROP;
 805
 806        /* The physdev module checks on this */
 807        nf_bridge->mask |= BRNF_BRIDGED;
 808        nf_bridge->physoutdev = skb->dev;
 809        if (pf == NFPROTO_IPV4)
 810                skb->protocol = htons(ETH_P_IP);
 811        else
 812                skb->protocol = htons(ETH_P_IPV6);
 813
 814        NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent,
 815                br_nf_forward_finish);
 816
 817        return NF_STOLEN;
 818}
 819
 820static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
 821                                      const struct net_device *in,
 822                                      const struct net_device *out,
 823                                      int (*okfn)(struct sk_buff *))
 824{
 825        struct net_bridge_port *p;
 826        struct net_bridge *br;
 827        struct net_device **d = (struct net_device **)(skb->cb);
 828
 829        p = br_port_get_rcu(out);
 830        if (p == NULL)
 831                return NF_ACCEPT;
 832        br = p->br;
 833
 834        if (!brnf_call_arptables && !br->nf_call_arptables)
 835                return NF_ACCEPT;
 836
 837        if (!IS_ARP(skb)) {
 838                if (!IS_VLAN_ARP(skb))
 839                        return NF_ACCEPT;
 840                nf_bridge_pull_encap_header(skb);
 841        }
 842
 843        if (arp_hdr(skb)->ar_pln != 4) {
 844                if (IS_VLAN_ARP(skb))
 845                        nf_bridge_push_encap_header(skb);
 846                return NF_ACCEPT;
 847        }
 848        *d = (struct net_device *)in;
 849        NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
 850                (struct net_device *)out, br_nf_forward_finish);
 851
 852        return NF_STOLEN;
 853}
 854
 855#if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4)
 856static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 857{
 858        int ret;
 859
 860        if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
 861            skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
 862            !skb_is_gso(skb)) {
 863                if (br_parse_ip_options(skb))
 864                        /* Drop invalid packet */
 865                        return NF_DROP;
 866                ret = ip_fragment(skb, br_dev_queue_push_xmit);
 867        } else
 868                ret = br_dev_queue_push_xmit(skb);
 869
 870        return ret;
 871}
 872#else
 873static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 874{
 875        return br_dev_queue_push_xmit(skb);
 876}
 877#endif
 878
 879/* PF_BRIDGE/POST_ROUTING ********************************************/
 880static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
 881                                       const struct net_device *in,
 882                                       const struct net_device *out,
 883                                       int (*okfn)(struct sk_buff *))
 884{
 885        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 886        struct net_device *realoutdev = bridge_parent(skb->dev);
 887        u_int8_t pf;
 888
 889        if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
 890                return NF_ACCEPT;
 891
 892        if (!realoutdev)
 893                return NF_DROP;
 894
 895        if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
 896                pf = NFPROTO_IPV4;
 897        else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
 898                pf = NFPROTO_IPV6;
 899        else
 900                return NF_ACCEPT;
 901
 902        /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
 903         * about the value of skb->pkt_type. */
 904        if (skb->pkt_type == PACKET_OTHERHOST) {
 905                skb->pkt_type = PACKET_HOST;
 906                nf_bridge->mask |= BRNF_PKT_TYPE;
 907        }
 908
 909        nf_bridge_pull_encap_header(skb);
 910        nf_bridge_save_header(skb);
 911        if (pf == NFPROTO_IPV4)
 912                skb->protocol = htons(ETH_P_IP);
 913        else
 914                skb->protocol = htons(ETH_P_IPV6);
 915
 916        NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
 917                br_nf_dev_queue_xmit);
 918
 919        return NF_STOLEN;
 920}
 921
 922/* IP/SABOTAGE *****************************************************/
 923/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
 924 * for the second time. */
 925static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
 926                                   const struct net_device *in,
 927                                   const struct net_device *out,
 928                                   int (*okfn)(struct sk_buff *))
 929{
 930        if (skb->nf_bridge &&
 931            !(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
 932                return NF_STOP;
 933        }
 934
 935        return NF_ACCEPT;
 936}
 937
 938/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
 939 * br_dev_queue_push_xmit is called afterwards */
 940static struct nf_hook_ops br_nf_ops[] __read_mostly = {
 941        {
 942                .hook = br_nf_pre_routing,
 943                .owner = THIS_MODULE,
 944                .pf = NFPROTO_BRIDGE,
 945                .hooknum = NF_BR_PRE_ROUTING,
 946                .priority = NF_BR_PRI_BRNF,
 947        },
 948        {
 949                .hook = br_nf_local_in,
 950                .owner = THIS_MODULE,
 951                .pf = NFPROTO_BRIDGE,
 952                .hooknum = NF_BR_LOCAL_IN,
 953                .priority = NF_BR_PRI_BRNF,
 954        },
 955        {
 956                .hook = br_nf_forward_ip,
 957                .owner = THIS_MODULE,
 958                .pf = NFPROTO_BRIDGE,
 959                .hooknum = NF_BR_FORWARD,
 960                .priority = NF_BR_PRI_BRNF - 1,
 961        },
 962        {
 963                .hook = br_nf_forward_arp,
 964                .owner = THIS_MODULE,
 965                .pf = NFPROTO_BRIDGE,
 966                .hooknum = NF_BR_FORWARD,
 967                .priority = NF_BR_PRI_BRNF,
 968        },
 969        {
 970                .hook = br_nf_post_routing,
 971                .owner = THIS_MODULE,
 972                .pf = NFPROTO_BRIDGE,
 973                .hooknum = NF_BR_POST_ROUTING,
 974                .priority = NF_BR_PRI_LAST,
 975        },
 976        {
 977                .hook = ip_sabotage_in,
 978                .owner = THIS_MODULE,
 979                .pf = NFPROTO_IPV4,
 980                .hooknum = NF_INET_PRE_ROUTING,
 981                .priority = NF_IP_PRI_FIRST,
 982        },
 983        {
 984                .hook = ip_sabotage_in,
 985                .owner = THIS_MODULE,
 986                .pf = NFPROTO_IPV6,
 987                .hooknum = NF_INET_PRE_ROUTING,
 988                .priority = NF_IP6_PRI_FIRST,
 989        },
 990};
 991
 992#ifdef CONFIG_SYSCTL
 993static
 994int brnf_sysctl_call_tables(ctl_table * ctl, int write,
 995                            void __user * buffer, size_t * lenp, loff_t * ppos)
 996{
 997        int ret;
 998
 999        ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1000

1001        if (write && *(int *)(ctl->data))
1002                *(int *)(ctl->data) = 1;
1003        return ret;
1004}
1005
1006static ctl_table brnf_table[] = {
1007        {
1008                .procname       = "bridge-nf-call-arptables",
1009                .data           = &brnf_call_arptables,
1010                .maxlen         = sizeof(int),
1011                .mode           = 0644,
1012                .proc_handler   = brnf_sysctl_call_tables,
1013        },
1014        {
1015                .procname       = "bridge-nf-call-iptables",
1016                .data           = &brnf_call_iptables,
1017                .maxlen         = sizeof(int),
1018                .mode           = 0644,
1019                .proc_handler   = brnf_sysctl_call_tables,
1020        },
1021        {
1022                .procname       = "bridge-nf-call-ip6tables",
1023                .data           = &brnf_call_ip6tables,
1024                .maxlen         = sizeof(int),
1025                .mode           = 0644,
1026                .proc_handler   = brnf_sysctl_call_tables,
1027        },
1028        {
1029                .procname       = "bridge-nf-filter-vlan-tagged",
1030                .data           = &brnf_filter_vlan_tagged,
1031                .maxlen         = sizeof(int),
1032                .mode           = 0644,
1033                .proc_handler   = brnf_sysctl_call_tables,
1034        },
1035        {
1036                .procname       = "bridge-nf-filter-pppoe-tagged",
1037                .data           = &brnf_filter_pppoe_tagged,
1038                .maxlen         = sizeof(int),
1039                .mode           = 0644,
1040                .proc_handler   = brnf_sysctl_call_tables,
1041        },
1042        {
1043                .procname       = "bridge-nf-pass-vlan-input-dev",
1044                .data           = &brnf_pass_vlan_indev,
1045                .maxlen         = sizeof(int),
1046                .mode           = 0644,
1047                .proc_handler   = brnf_sysctl_call_tables,
1048        },
1049        { }
1050};
1051#endif
1052
1053int __init br_netfilter_init(void)
1054{
1055        int ret;
1056
1057        ret = dst_entries_init(&fake_dst_ops);
1058        if (ret < 0)
1059                return ret;
1060
1061        ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1062        if (ret < 0) {
1063                dst_entries_destroy(&fake_dst_ops);
1064                return ret;
1065        }
1066#ifdef CONFIG_SYSCTL
1067        brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
1068        if (brnf_sysctl_header == NULL) {
1069                printk(KERN_WARNING
1070                       "br_netfilter: can't register to sysctl.\n");
1071                nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1072                dst_entries_destroy(&fake_dst_ops);
1073                return -ENOMEM;
1074        }
1075#endif
1076        printk(KERN_NOTICE "Bridge firewalling registered\n");
1077        return 0;
1078}
1079
1080void br_netfilter_fini(void)
1081{
1082        nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1083#ifdef CONFIG_SYSCTL
1084        unregister_net_sysctl_table(brnf_sysctl_header);
1085#endif
1086        dst_entries_destroy(&fake_dst_ops);
1087}
1088