Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
br_netfilter.c
Go to the documentation of this file.
1 /*
2  * Handle firewalling
3  * Linux ethernet bridge
4  *
5  * Authors:
6  * Lennert Buytenhek <[email protected]>
7  * Bart De Schuymer <[email protected]>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * as published by the Free Software Foundation; either version
12  * 2 of the License, or (at your option) any later version.
13  *
14  * Lennert dedicates this file to Kerstin Wurdinger.
15  */
16 
17 #include <linux/module.h>
18 #include <linux/kernel.h>
19 #include <linux/slab.h>
20 #include <linux/ip.h>
21 #include <linux/netdevice.h>
22 #include <linux/skbuff.h>
23 #include <linux/if_arp.h>
24 #include <linux/if_ether.h>
25 #include <linux/if_vlan.h>
26 #include <linux/if_pppox.h>
27 #include <linux/ppp_defs.h>
28 #include <linux/netfilter_bridge.h>
29 #include <linux/netfilter_ipv4.h>
30 #include <linux/netfilter_ipv6.h>
31 #include <linux/netfilter_arp.h>
32 #include <linux/in_route.h>
33 #include <linux/inetdevice.h>
34 
35 #include <net/ip.h>
36 #include <net/ipv6.h>
37 #include <net/route.h>
38 
39 #include <asm/uaccess.h>
40 #include "br_private.h"
41 #ifdef CONFIG_SYSCTL
42 #include <linux/sysctl.h>
43 #endif
44 
45 #define skb_origaddr(skb) (((struct bridge_skb_cb *) \
46  (skb->nf_bridge->data))->daddr.ipv4)
47 #define store_orig_dstaddr(skb) (skb_origaddr(skb) = ip_hdr(skb)->daddr)
48 #define dnat_took_place(skb) (skb_origaddr(skb) != ip_hdr(skb)->daddr)
49 
50 #ifdef CONFIG_SYSCTL
51 static struct ctl_table_header *brnf_sysctl_header;
52 static int brnf_call_iptables __read_mostly = 1;
53 static int brnf_call_ip6tables __read_mostly = 1;
54 static int brnf_call_arptables __read_mostly = 1;
57 static int brnf_pass_vlan_indev __read_mostly = 0;
58 #else
59 #define brnf_call_iptables 1
60 #define brnf_call_ip6tables 1
61 #define brnf_call_arptables 1
62 #define brnf_filter_vlan_tagged 0
63 #define brnf_filter_pppoe_tagged 0
64 #define brnf_pass_vlan_indev 0
65 #endif
66 
67 #define IS_IP(skb) \
68  (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
69 
70 #define IS_IPV6(skb) \
71  (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
72 
73 #define IS_ARP(skb) \
74  (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
75 
76 static inline __be16 vlan_proto(const struct sk_buff *skb)
77 {
78  if (vlan_tx_tag_present(skb))
79  return skb->protocol;
80  else if (skb->protocol == htons(ETH_P_8021Q))
81  return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
82  else
83  return 0;
84 }
85 
86 #define IS_VLAN_IP(skb) \
87  (vlan_proto(skb) == htons(ETH_P_IP) && \
88  brnf_filter_vlan_tagged)
89 
90 #define IS_VLAN_IPV6(skb) \
91  (vlan_proto(skb) == htons(ETH_P_IPV6) && \
92  brnf_filter_vlan_tagged)
93 
94 #define IS_VLAN_ARP(skb) \
95  (vlan_proto(skb) == htons(ETH_P_ARP) && \
96  brnf_filter_vlan_tagged)
97 
98 static inline __be16 pppoe_proto(const struct sk_buff *skb)
99 {
100  return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
101  sizeof(struct pppoe_hdr)));
102 }
103 
104 #define IS_PPPOE_IP(skb) \
105  (skb->protocol == htons(ETH_P_PPP_SES) && \
106  pppoe_proto(skb) == htons(PPP_IP) && \
107  brnf_filter_pppoe_tagged)
108 
109 #define IS_PPPOE_IPV6(skb) \
110  (skb->protocol == htons(ETH_P_PPP_SES) && \
111  pppoe_proto(skb) == htons(PPP_IPV6) && \
112  brnf_filter_pppoe_tagged)
113 
114 static void fake_update_pmtu(struct dst_entry *dst, struct sock *sk,
115  struct sk_buff *skb, u32 mtu)
116 {
117 }
118 
119 static void fake_redirect(struct dst_entry *dst, struct sock *sk,
120  struct sk_buff *skb)
121 {
122 }
123 
124 static u32 *fake_cow_metrics(struct dst_entry *dst, unsigned long old)
125 {
126  return NULL;
127 }
128 
129 static struct neighbour *fake_neigh_lookup(const struct dst_entry *dst,
130  struct sk_buff *skb,
131  const void *daddr)
132 {
133  return NULL;
134 }
135 
136 static unsigned int fake_mtu(const struct dst_entry *dst)
137 {
138  return dst->dev->mtu;
139 }
140 
141 static struct dst_ops fake_dst_ops = {
142  .family = AF_INET,
143  .protocol = cpu_to_be16(ETH_P_IP),
144  .update_pmtu = fake_update_pmtu,
145  .redirect = fake_redirect,
146  .cow_metrics = fake_cow_metrics,
147  .neigh_lookup = fake_neigh_lookup,
148  .mtu = fake_mtu,
149 };
150 
151 /*
152  * Initialize bogus route table used to keep netfilter happy.
153  * Currently, we fill in the PMTU entry because netfilter
154  * refragmentation needs it, and the rt_flags entry because
155  * ipt_REJECT needs it. Future netfilter modules might
156  * require us to fill additional fields.
157  */
158 static const u32 br_dst_default_metrics[RTAX_MAX] = {
159  [RTAX_MTU - 1] = 1500,
160 };
161 
163 {
164  struct rtable *rt = &br->fake_rtable;
165 
166  atomic_set(&rt->dst.__refcnt, 1);
167  rt->dst.dev = br->dev;
168  rt->dst.path = &rt->dst;
169  dst_init_metrics(&rt->dst, br_dst_default_metrics, true);
170  rt->dst.flags = DST_NOXFRM | DST_NOPEER | DST_FAKE_RTABLE;
171  rt->dst.ops = &fake_dst_ops;
172 }
173 
174 static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
175 {
176  struct net_bridge_port *port;
177 
178  port = br_port_get_rcu(dev);
179  return port ? &port->br->fake_rtable : NULL;
180 }
181 
182 static inline struct net_device *bridge_parent(const struct net_device *dev)
183 {
184  struct net_bridge_port *port;
185 
186  port = br_port_get_rcu(dev);
187  return port ? port->br->dev : NULL;
188 }
189 
190 static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
191 {
192  skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
193  if (likely(skb->nf_bridge))
194  atomic_set(&(skb->nf_bridge->use), 1);
195 
196  return skb->nf_bridge;
197 }
198 
199 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
200 {
201  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
202 
203  if (atomic_read(&nf_bridge->use) > 1) {
204  struct nf_bridge_info *tmp = nf_bridge_alloc(skb);
205 
206  if (tmp) {
207  memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
208  atomic_set(&tmp->use, 1);
209  }
210  nf_bridge_put(nf_bridge);
211  nf_bridge = tmp;
212  }
213  return nf_bridge;
214 }
215 
216 static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
217 {
218  unsigned int len = nf_bridge_encap_header_len(skb);
219 
220  skb_push(skb, len);
221  skb->network_header -= len;
222 }
223 
224 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
225 {
226  unsigned int len = nf_bridge_encap_header_len(skb);
227 
228  skb_pull(skb, len);
229  skb->network_header += len;
230 }
231 
232 static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
233 {
234  unsigned int len = nf_bridge_encap_header_len(skb);
235 
236  skb_pull_rcsum(skb, len);
237  skb->network_header += len;
238 }
239 
240 static inline void nf_bridge_save_header(struct sk_buff *skb)
241 {
242  int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
243 
244  skb_copy_from_linear_data_offset(skb, -header_size,
245  skb->nf_bridge->data, header_size);
246 }
247 
248 static inline void nf_bridge_update_protocol(struct sk_buff *skb)
249 {
250  if (skb->nf_bridge->mask & BRNF_8021Q)
251  skb->protocol = htons(ETH_P_8021Q);
252  else if (skb->nf_bridge->mask & BRNF_PPPoE)
253  skb->protocol = htons(ETH_P_PPP_SES);
254 }
255 
256 /* When handing a packet over to the IP layer
257  * check whether we have a skb that is in the
258  * expected format
259  */
260 
261 static int br_parse_ip_options(struct sk_buff *skb)
262 {
263  struct ip_options *opt;
264  const struct iphdr *iph;
265  struct net_device *dev = skb->dev;
266  u32 len;
267 
268  if (!pskb_may_pull(skb, sizeof(struct iphdr)))
269  goto inhdr_error;
270 
271  iph = ip_hdr(skb);
272  opt = &(IPCB(skb)->opt);
273 
274  /* Basic sanity checks */
275  if (iph->ihl < 5 || iph->version != 4)
276  goto inhdr_error;
277 
278  if (!pskb_may_pull(skb, iph->ihl*4))
279  goto inhdr_error;
280 
281  iph = ip_hdr(skb);
282  if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
283  goto inhdr_error;
284 
285  len = ntohs(iph->tot_len);
286  if (skb->len < len) {
288  goto drop;
289  } else if (len < (iph->ihl*4))
290  goto inhdr_error;
291 
292  if (pskb_trim_rcsum(skb, len)) {
294  goto drop;
295  }
296 
297  memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
298  if (iph->ihl == 5)
299  return 0;
300 
301  opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
302  if (ip_options_compile(dev_net(dev), opt, skb))
303  goto inhdr_error;
304 
305  /* Check correct handling of SRR option */
306  if (unlikely(opt->srr)) {
307  struct in_device *in_dev = __in_dev_get_rcu(dev);
308  if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev))
309  goto drop;
310 
311  if (ip_options_rcv_srr(skb))
312  goto drop;
313  }
314 
315  return 0;
316 
317 inhdr_error:
319 drop:
320  return -1;
321 }
322 
323 /* Fill in the header for fragmented IP packets handled by
324  * the IPv4 connection tracking code.
325  */
327 {
328  int err;
329  unsigned int header_size;
330 
331  nf_bridge_update_protocol(skb);
332  header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
333  err = skb_cow_head(skb, header_size);
334  if (err)
335  return err;
336 
337  skb_copy_to_linear_data_offset(skb, -header_size,
338  skb->nf_bridge->data, header_size);
339  __skb_push(skb, nf_bridge_encap_header_len(skb));
340  return 0;
341 }
342 
343 /* PF_BRIDGE/PRE_ROUTING *********************************************/
344 /* Undo the changes made for ip6tables PREROUTING and continue the
345  * bridge PRE_ROUTING hook. */
346 static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
347 {
348  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
349  struct rtable *rt;
350 
351  if (nf_bridge->mask & BRNF_PKT_TYPE) {
352  skb->pkt_type = PACKET_OTHERHOST;
353  nf_bridge->mask ^= BRNF_PKT_TYPE;
354  }
355  nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
356 
357  rt = bridge_parent_rtable(nf_bridge->physindev);
358  if (!rt) {
359  kfree_skb(skb);
360  return 0;
361  }
362  skb_dst_set_noref(skb, &rt->dst);
363 
364  skb->dev = nf_bridge->physindev;
365  nf_bridge_update_protocol(skb);
366  nf_bridge_push_encap_header(skb);
367  NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
369 
370  return 0;
371 }
372 
373 /* Obtain the correct destination MAC address, while preserving the original
374  * source MAC address. If we already know this address, we just copy it. If we
375  * don't, we use the neighbour framework to find out. In both cases, we make
376  * sure that br_handle_frame_finish() is called afterwards.
377  */
378 static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
379 {
380  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
381  struct neighbour *neigh;
382  struct dst_entry *dst;
383 
384  skb->dev = bridge_parent(skb->dev);
385  if (!skb->dev)
386  goto free_skb;
387  dst = skb_dst(skb);
388  neigh = dst_neigh_lookup_skb(dst, skb);
389  if (neigh) {
390  int ret;
391 
392  if (neigh->hh.hh_len) {
393  neigh_hh_bridge(&neigh->hh, skb);
394  skb->dev = nf_bridge->physindev;
395  ret = br_handle_frame_finish(skb);
396  } else {
397  /* the neighbour function below overwrites the complete
398  * MAC header, so we save the Ethernet source address and
399  * protocol number.
400  */
401  skb_copy_from_linear_data_offset(skb,
402  -(ETH_HLEN-ETH_ALEN),
403  skb->nf_bridge->data,
405  /* tell br_dev_xmit to continue with forwarding */
406  nf_bridge->mask |= BRNF_BRIDGED_DNAT;
407  ret = neigh->output(neigh, skb);
408  }
409  neigh_release(neigh);
410  return ret;
411  }
412 free_skb:
413  kfree_skb(skb);
414  return 0;
415 }
416 
417 /* This requires some explaining. If DNAT has taken place,
418  * we will need to fix up the destination Ethernet address.
419  *
420  * There are two cases to consider:
421  * 1. The packet was DNAT'ed to a device in the same bridge
422  * port group as it was received on. We can still bridge
423  * the packet.
424  * 2. The packet was DNAT'ed to a different device, either
425  * a non-bridged device or another bridge port group.
426  * The packet will need to be routed.
427  *
428  * The correct way of distinguishing between these two cases is to
429  * call ip_route_input() and to look at skb->dst->dev, which is
430  * changed to the destination device if ip_route_input() succeeds.
431  *
432  * Let's first consider the case that ip_route_input() succeeds:
433  *
434  * If the output device equals the logical bridge device the packet
435  * came in on, we can consider this bridging. The corresponding MAC
436  * address will be obtained in br_nf_pre_routing_finish_bridge.
437  * Otherwise, the packet is considered to be routed and we just
438  * change the destination MAC address so that the packet will
439  * later be passed up to the IP stack to be routed. For a redirected
440  * packet, ip_route_input() will give back the localhost as output device,
441  * which differs from the bridge device.
442  *
443  * Let's now consider the case that ip_route_input() fails:
444  *
445  * This can be because the destination address is martian, in which case
446  * the packet will be dropped.
447  * If IP forwarding is disabled, ip_route_input() will fail, while
448  * ip_route_output_key() can return success. The source
449  * address for ip_route_output_key() is set to zero, so ip_route_output_key()
450  * thinks we're handling a locally generated packet and won't care
451  * if IP forwarding is enabled. If the output device equals the logical bridge
452  * device, we proceed as if ip_route_input() succeeded. If it differs from the
453  * logical bridge port or if ip_route_output_key() fails we drop the packet.
454  */
455 static int br_nf_pre_routing_finish(struct sk_buff *skb)
456 {
457  struct net_device *dev = skb->dev;
458  struct iphdr *iph = ip_hdr(skb);
459  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
460  struct rtable *rt;
461  int err;
462 
463  if (nf_bridge->mask & BRNF_PKT_TYPE) {
464  skb->pkt_type = PACKET_OTHERHOST;
465  nf_bridge->mask ^= BRNF_PKT_TYPE;
466  }
467  nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
468  if (dnat_took_place(skb)) {
469  if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
470  struct in_device *in_dev = __in_dev_get_rcu(dev);
471 
472  /* If err equals -EHOSTUNREACH the error is due to a
473  * martian destination or due to the fact that
474  * forwarding is disabled. For most martian packets,
475  * ip_route_output_key() will fail. It won't fail for 2 types of
476  * martian destinations: loopback destinations and destination
477  * 0.0.0.0. In both cases the packet will be dropped because the
478  * destination is the loopback device and not the bridge. */
479  if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
480  goto free_skb;
481 
482  rt = ip_route_output(dev_net(dev), iph->daddr, 0,
483  RT_TOS(iph->tos), 0);
484  if (!IS_ERR(rt)) {
485  /* - Bridged-and-DNAT'ed traffic doesn't
486  * require ip_forwarding. */
487  if (rt->dst.dev == dev) {
488  skb_dst_set(skb, &rt->dst);
489  goto bridged_dnat;
490  }
491  ip_rt_put(rt);
492  }
493 free_skb:
494  kfree_skb(skb);
495  return 0;
496  } else {
497  if (skb_dst(skb)->dev == dev) {
498 bridged_dnat:
499  skb->dev = nf_bridge->physindev;
500  nf_bridge_update_protocol(skb);
501  nf_bridge_push_encap_header(skb);
502  NF_HOOK_THRESH(NFPROTO_BRIDGE,
504  skb, skb->dev, NULL,
505  br_nf_pre_routing_finish_bridge,
506  1);
507  return 0;
508  }
509  memcpy(eth_hdr(skb)->h_dest, dev->dev_addr, ETH_ALEN);
510  skb->pkt_type = PACKET_HOST;
511  }
512  } else {
513  rt = bridge_parent_rtable(nf_bridge->physindev);
514  if (!rt) {
515  kfree_skb(skb);
516  return 0;
517  }
518  skb_dst_set_noref(skb, &rt->dst);
519  }
520 
521  skb->dev = nf_bridge->physindev;
522  nf_bridge_update_protocol(skb);
523  nf_bridge_push_encap_header(skb);
524  NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
526 
527  return 0;
528 }
529 
530 static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct net_device *dev)
531 {
532  struct net_device *vlan, *br;
533 
534  br = bridge_parent(dev);
535  if (brnf_pass_vlan_indev == 0 || !vlan_tx_tag_present(skb))
536  return br;
537 
539 
540  return vlan ? vlan : br;
541 }
542 
543 /* Some common code for IPv4/IPv6 */
544 static struct net_device *setup_pre_routing(struct sk_buff *skb)
545 {
546  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
547 
548  if (skb->pkt_type == PACKET_OTHERHOST) {
549  skb->pkt_type = PACKET_HOST;
550  nf_bridge->mask |= BRNF_PKT_TYPE;
551  }
552 
553  nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
554  nf_bridge->physindev = skb->dev;
555  skb->dev = brnf_get_logical_dev(skb, skb->dev);
556  if (skb->protocol == htons(ETH_P_8021Q))
557  nf_bridge->mask |= BRNF_8021Q;
558  else if (skb->protocol == htons(ETH_P_PPP_SES))
559  nf_bridge->mask |= BRNF_PPPoE;
560 
561  return skb->dev;
562 }
563 
564 /* We only check the length. A bridge shouldn't do any hop-by-hop stuff anyway */
565 static int check_hbh_len(struct sk_buff *skb)
566 {
567  unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
568  u32 pkt_len;
569  const unsigned char *nh = skb_network_header(skb);
570  int off = raw - nh;
571  int len = (raw[1] + 1) << 3;
572 
573  if ((raw + len) - skb->data > skb_headlen(skb))
574  goto bad;
575 
576  off += 2;
577  len -= 2;
578 
579  while (len > 0) {
580  int optlen = nh[off + 1] + 2;
581 
582  switch (nh[off]) {
583  case IPV6_TLV_PAD1:
584  optlen = 1;
585  break;
586 
587  case IPV6_TLV_PADN:
588  break;
589 
590  case IPV6_TLV_JUMBO:
591  if (nh[off + 1] != 4 || (off & 3) != 2)
592  goto bad;
593  pkt_len = ntohl(*(__be32 *) (nh + off + 2));
594  if (pkt_len <= IPV6_MAXPLEN ||
595  ipv6_hdr(skb)->payload_len)
596  goto bad;
597  if (pkt_len > skb->len - sizeof(struct ipv6hdr))
598  goto bad;
599  if (pskb_trim_rcsum(skb,
600  pkt_len + sizeof(struct ipv6hdr)))
601  goto bad;
602  nh = skb_network_header(skb);
603  break;
604  default:
605  if (optlen > len)
606  goto bad;
607  break;
608  }
609  off += optlen;
610  len -= optlen;
611  }
612  if (len == 0)
613  return 0;
614 bad:
615  return -1;
616 
617 }
618 
619 /* Replicate the checks that IPv6 does on packet reception and pass the packet
620  * to ip6tables, which doesn't support NAT, so things are fairly simple. */
621 static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
622  struct sk_buff *skb,
623  const struct net_device *in,
624  const struct net_device *out,
625  int (*okfn)(struct sk_buff *))
626 {
627  const struct ipv6hdr *hdr;
628  u32 pkt_len;
629 
630  if (skb->len < sizeof(struct ipv6hdr))
631  return NF_DROP;
632 
633  if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
634  return NF_DROP;
635 
636  hdr = ipv6_hdr(skb);
637 
638  if (hdr->version != 6)
639  return NF_DROP;
640 
641  pkt_len = ntohs(hdr->payload_len);
642 
643  if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
644  if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
645  return NF_DROP;
646  if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr)))
647  return NF_DROP;
648  }
649  if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
650  return NF_DROP;
651 
652  nf_bridge_put(skb->nf_bridge);
653  if (!nf_bridge_alloc(skb))
654  return NF_DROP;
655  if (!setup_pre_routing(skb))
656  return NF_DROP;
657 
658  skb->protocol = htons(ETH_P_IPV6);
660  br_nf_pre_routing_finish_ipv6);
661 
662  return NF_STOLEN;
663 }
664 
665 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
666  * Replicate the checks that IPv4 does on packet reception.
667  * Set skb->dev to the bridge device (i.e. parent of the
668  * receiving device) to make netfilter happy, the REDIRECT
669  * target in particular. Save the original destination IP
670  * address to be able to detect DNAT afterwards. */
671 static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
672  const struct net_device *in,
673  const struct net_device *out,
674  int (*okfn)(struct sk_buff *))
675 {
676  struct net_bridge_port *p;
677  struct net_bridge *br;
678  __u32 len = nf_bridge_encap_header_len(skb);
679 
680  if (unlikely(!pskb_may_pull(skb, len)))
681  return NF_DROP;
682 
683  p = br_port_get_rcu(in);
684  if (p == NULL)
685  return NF_DROP;
686  br = p->br;
687 
688  if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
689  if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
690  return NF_ACCEPT;
691 
692  nf_bridge_pull_encap_header_rcsum(skb);
693  return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
694  }
695 
696  if (!brnf_call_iptables && !br->nf_call_iptables)
697  return NF_ACCEPT;
698 
699  if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
700  return NF_ACCEPT;
701 
702  nf_bridge_pull_encap_header_rcsum(skb);
703 
704  if (br_parse_ip_options(skb))
705  return NF_DROP;
706 
707  nf_bridge_put(skb->nf_bridge);
708  if (!nf_bridge_alloc(skb))
709  return NF_DROP;
710  if (!setup_pre_routing(skb))
711  return NF_DROP;
712  store_orig_dstaddr(skb);
713  skb->protocol = htons(ETH_P_IP);
714 
716  br_nf_pre_routing_finish);
717 
718  return NF_STOLEN;
719 }
720 
721 
722 /* PF_BRIDGE/LOCAL_IN ************************************************/
723 /* The packet is locally destined, which requires a real
724  * dst_entry, so detach the fake one. On the way up, the
725  * packet would pass through PRE_ROUTING again (which already
726  * took place when the packet entered the bridge), but we
727  * register an IPv4 PRE_ROUTING 'sabotage' hook that will
728  * prevent this from happening. */
729 static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb,
730  const struct net_device *in,
731  const struct net_device *out,
732  int (*okfn)(struct sk_buff *))
733 {
734  br_drop_fake_rtable(skb);
735  return NF_ACCEPT;
736 }
737 
738 /* PF_BRIDGE/FORWARD *************************************************/
739 static int br_nf_forward_finish(struct sk_buff *skb)
740 {
741  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
742  struct net_device *in;
743 
744  if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
745  in = nf_bridge->physindev;
746  if (nf_bridge->mask & BRNF_PKT_TYPE) {
747  skb->pkt_type = PACKET_OTHERHOST;
748  nf_bridge->mask ^= BRNF_PKT_TYPE;
749  }
750  nf_bridge_update_protocol(skb);
751  } else {
752  in = *((struct net_device **)(skb->cb));
753  }
754  nf_bridge_push_encap_header(skb);
755 
756  NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
757  skb->dev, br_forward_finish, 1);
758  return 0;
759 }
760 
761 
762 /* This is the 'purely bridged' case. For IP, we pass the packet to
763  * netfilter with indev and outdev set to the bridge device,
764  * but we are still able to filter on the 'real' indev/outdev
765  * because of the physdev module. For ARP, indev and outdev are the
766  * bridge ports. */
767 static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
768  const struct net_device *in,
769  const struct net_device *out,
770  int (*okfn)(struct sk_buff *))
771 {
772  struct nf_bridge_info *nf_bridge;
773  struct net_device *parent;
774  u_int8_t pf;
775 
776  if (!skb->nf_bridge)
777  return NF_ACCEPT;
778 
779  /* Need exclusive nf_bridge_info since we might have multiple
780  * different physoutdevs. */
781  if (!nf_bridge_unshare(skb))
782  return NF_DROP;
783 
784  parent = bridge_parent(out);
785  if (!parent)
786  return NF_DROP;
787 
788  if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
789  pf = NFPROTO_IPV4;
790  else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
791  pf = NFPROTO_IPV6;
792  else
793  return NF_ACCEPT;
794 
795  nf_bridge_pull_encap_header(skb);
796 
797  nf_bridge = skb->nf_bridge;
798  if (skb->pkt_type == PACKET_OTHERHOST) {
799  skb->pkt_type = PACKET_HOST;
800  nf_bridge->mask |= BRNF_PKT_TYPE;
801  }
802 
803  if (pf == NFPROTO_IPV4 && br_parse_ip_options(skb))
804  return NF_DROP;
805 
806  /* The physdev module checks on this */
807  nf_bridge->mask |= BRNF_BRIDGED;
808  nf_bridge->physoutdev = skb->dev;
809  if (pf == NFPROTO_IPV4)
810  skb->protocol = htons(ETH_P_IP);
811  else
812  skb->protocol = htons(ETH_P_IPV6);
813 
814  NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent,
815  br_nf_forward_finish);
816 
817  return NF_STOLEN;
818 }
819 
820 static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
821  const struct net_device *in,
822  const struct net_device *out,
823  int (*okfn)(struct sk_buff *))
824 {
825  struct net_bridge_port *p;
826  struct net_bridge *br;
827  struct net_device **d = (struct net_device **)(skb->cb);
828 
829  p = br_port_get_rcu(out);
830  if (p == NULL)
831  return NF_ACCEPT;
832  br = p->br;
833 
834  if (!brnf_call_arptables && !br->nf_call_arptables)
835  return NF_ACCEPT;
836 
837  if (!IS_ARP(skb)) {
838  if (!IS_VLAN_ARP(skb))
839  return NF_ACCEPT;
840  nf_bridge_pull_encap_header(skb);
841  }
842 
843  if (arp_hdr(skb)->ar_pln != 4) {
844  if (IS_VLAN_ARP(skb))
845  nf_bridge_push_encap_header(skb);
846  return NF_ACCEPT;
847  }
848  *d = (struct net_device *)in;
849  NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
850  (struct net_device *)out, br_nf_forward_finish);
851 
852  return NF_STOLEN;
853 }
854 
855 #if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4)
856 static int br_nf_dev_queue_xmit(struct sk_buff *skb)
857 {
858  int ret;
859 
860  if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
861  skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
862  !skb_is_gso(skb)) {
863  if (br_parse_ip_options(skb))
864  /* Drop invalid packet */
865  return NF_DROP;
867  } else
868  ret = br_dev_queue_push_xmit(skb);
869 
870  return ret;
871 }
872 #else
873 static int br_nf_dev_queue_xmit(struct sk_buff *skb)
874 {
875  return br_dev_queue_push_xmit(skb);
876 }
877 #endif
878 
879 /* PF_BRIDGE/POST_ROUTING ********************************************/
880 static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
881  const struct net_device *in,
882  const struct net_device *out,
883  int (*okfn)(struct sk_buff *))
884 {
885  struct nf_bridge_info *nf_bridge = skb->nf_bridge;
886  struct net_device *realoutdev = bridge_parent(skb->dev);
887  u_int8_t pf;
888 
889  if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
890  return NF_ACCEPT;
891 
892  if (!realoutdev)
893  return NF_DROP;
894 
895  if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
896  pf = NFPROTO_IPV4;
897  else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
898  pf = NFPROTO_IPV6;
899  else
900  return NF_ACCEPT;
901 
902  /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
903  * about the value of skb->pkt_type. */
904  if (skb->pkt_type == PACKET_OTHERHOST) {
905  skb->pkt_type = PACKET_HOST;
906  nf_bridge->mask |= BRNF_PKT_TYPE;
907  }
908 
909  nf_bridge_pull_encap_header(skb);
910  nf_bridge_save_header(skb);
911  if (pf == NFPROTO_IPV4)
912  skb->protocol = htons(ETH_P_IP);
913  else
914  skb->protocol = htons(ETH_P_IPV6);
915 
916  NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
917  br_nf_dev_queue_xmit);
918 
919  return NF_STOLEN;
920 }
921 
922 /* IP/SABOTAGE *****************************************************/
923 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
924  * for the second time. */
925 static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
926  const struct net_device *in,
927  const struct net_device *out,
928  int (*okfn)(struct sk_buff *))
929 {
930  if (skb->nf_bridge &&
931  !(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
932  return NF_STOP;
933  }
934 
935  return NF_ACCEPT;
936 }
937 
938 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
939  * br_dev_queue_push_xmit is called afterwards */
940 static struct nf_hook_ops br_nf_ops[] __read_mostly = {
941  {
942  .hook = br_nf_pre_routing,
943  .owner = THIS_MODULE,
944  .pf = NFPROTO_BRIDGE,
945  .hooknum = NF_BR_PRE_ROUTING,
946  .priority = NF_BR_PRI_BRNF,
947  },
948  {
949  .hook = br_nf_local_in,
950  .owner = THIS_MODULE,
951  .pf = NFPROTO_BRIDGE,
952  .hooknum = NF_BR_LOCAL_IN,
953  .priority = NF_BR_PRI_BRNF,
954  },
955  {
956  .hook = br_nf_forward_ip,
957  .owner = THIS_MODULE,
958  .pf = NFPROTO_BRIDGE,
959  .hooknum = NF_BR_FORWARD,
960  .priority = NF_BR_PRI_BRNF - 1,
961  },
962  {
963  .hook = br_nf_forward_arp,
964  .owner = THIS_MODULE,
965  .pf = NFPROTO_BRIDGE,
966  .hooknum = NF_BR_FORWARD,
967  .priority = NF_BR_PRI_BRNF,
968  },
969  {
970  .hook = br_nf_post_routing,
971  .owner = THIS_MODULE,
972  .pf = NFPROTO_BRIDGE,
973  .hooknum = NF_BR_POST_ROUTING,
974  .priority = NF_BR_PRI_LAST,
975  },
976  {
977  .hook = ip_sabotage_in,
978  .owner = THIS_MODULE,
979  .pf = NFPROTO_IPV4,
980  .hooknum = NF_INET_PRE_ROUTING,
981  .priority = NF_IP_PRI_FIRST,
982  },
983  {
984  .hook = ip_sabotage_in,
985  .owner = THIS_MODULE,
986  .pf = NFPROTO_IPV6,
987  .hooknum = NF_INET_PRE_ROUTING,
988  .priority = NF_IP6_PRI_FIRST,
989  },
990 };
991 
992 #ifdef CONFIG_SYSCTL
993 static
994 int brnf_sysctl_call_tables(ctl_table * ctl, int write,
995  void __user * buffer, size_t * lenp, loff_t * ppos)
996 {
997  int ret;
998 
999  ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1000 
1001  if (write && *(int *)(ctl->data))
1002  *(int *)(ctl->data) = 1;
1003  return ret;
1004 }
1005 
1006 static ctl_table brnf_table[] = {
1007  {
1008  .procname = "bridge-nf-call-arptables",
1009  .data = &brnf_call_arptables,
1010  .maxlen = sizeof(int),
1011  .mode = 0644,
1012  .proc_handler = brnf_sysctl_call_tables,
1013  },
1014  {
1015  .procname = "bridge-nf-call-iptables",
1016  .data = &brnf_call_iptables,
1017  .maxlen = sizeof(int),
1018  .mode = 0644,
1019  .proc_handler = brnf_sysctl_call_tables,
1020  },
1021  {
1022  .procname = "bridge-nf-call-ip6tables",
1023  .data = &brnf_call_ip6tables,
1024  .maxlen = sizeof(int),
1025  .mode = 0644,
1026  .proc_handler = brnf_sysctl_call_tables,
1027  },
1028  {
1029  .procname = "bridge-nf-filter-vlan-tagged",
1030  .data = &brnf_filter_vlan_tagged,
1031  .maxlen = sizeof(int),
1032  .mode = 0644,
1033  .proc_handler = brnf_sysctl_call_tables,
1034  },
1035  {
1036  .procname = "bridge-nf-filter-pppoe-tagged",
1037  .data = &brnf_filter_pppoe_tagged,
1038  .maxlen = sizeof(int),
1039  .mode = 0644,
1040  .proc_handler = brnf_sysctl_call_tables,
1041  },
1042  {
1043  .procname = "bridge-nf-pass-vlan-input-dev",
1044  .data = &brnf_pass_vlan_indev,
1045  .maxlen = sizeof(int),
1046  .mode = 0644,
1047  .proc_handler = brnf_sysctl_call_tables,
1048  },
1049  { }
1050 };
1051 #endif
1052 
1054 {
1055  int ret;
1056 
1057  ret = dst_entries_init(&fake_dst_ops);
1058  if (ret < 0)
1059  return ret;
1060 
1061  ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1062  if (ret < 0) {
1063  dst_entries_destroy(&fake_dst_ops);
1064  return ret;
1065  }
1066 #ifdef CONFIG_SYSCTL
1067  brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
1068  if (brnf_sysctl_header == NULL) {
1070  "br_netfilter: can't register to sysctl.\n");
1071  nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1072  dst_entries_destroy(&fake_dst_ops);
1073  return -ENOMEM;
1074  }
1075 #endif
1076  printk(KERN_NOTICE "Bridge firewalling registered\n");
1077  return 0;
1078 }
1079 
1081 {
1082  nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
1083 #ifdef CONFIG_SYSCTL
1084  unregister_net_sysctl_table(brnf_sysctl_header);
1085 #endif
1086  dst_entries_destroy(&fake_dst_ops);
1087 }