br_netfilter_hooks.c source code [linux/net/bridge/br_netfilter_hooks.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/*
3	* Handle firewalling
4	* Linux ethernet bridge
5	*
6	* Authors:
7	* Lennert Buytenhek <buytenh@gnu.org>
8	* Bart De Schuymer <bdschuym@pandora.be>
9	*
10	* Lennert dedicates this file to Kerstin Wurdinger.
11	*/
12
13	#include <linux/module.h>
14	#include <linux/kernel.h>
15	#include <linux/slab.h>
16	#include <linux/ip.h>
17	#include <linux/netdevice.h>
18	#include <linux/skbuff.h>
19	#include <linux/if_arp.h>
20	#include <linux/if_ether.h>
21	#include <linux/if_vlan.h>
22	#include <linux/if_pppox.h>
23	#include <linux/ppp_defs.h>
24	#include <linux/netfilter_bridge.h>
25	#include <uapi/linux/netfilter_bridge.h>
26	#include <linux/netfilter_ipv4.h>
27	#include <linux/netfilter_ipv6.h>
28	#include <linux/netfilter_arp.h>
29	#include <linux/in_route.h>
30	#include <linux/rculist.h>
31	#include <linux/inetdevice.h>
32
33	#include <net/ip.h>
34	#include <net/ipv6.h>
35	#include <net/addrconf.h>
36	#include <net/route.h>
37	#include <net/netfilter/br_netfilter.h>
38	#include <net/netns/generic.h>
39
40	#include <linux/uaccess.h>
41	#include "br_private.h"
42	#ifdef CONFIG_SYSCTL
43	#include <linux/sysctl.h>
44	#endif
45
46	static unsigned int brnf_net_id __read_mostly;
47
48	struct brnf_net {
49	bool enabled;
50
51	#ifdef CONFIG_SYSCTL
52	struct ctl_table_header *ctl_hdr;
53	#endif
54
55	/ default value is 1 /
56	int call_iptables;
57	int call_ip6tables;
58	int call_arptables;
59
60	/ default value is 0 /
61	int filter_vlan_tagged;
62	int filter_pppoe_tagged;
63	int pass_vlan_indev;
64	};
65
66	#define IS_IP(skb) \
67	(!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
68
69	#define IS_IPV6(skb) \
70	(!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
71
72	#define IS_ARP(skb) \
73	(!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
74
75	static inline __be16 vlan_proto(const struct sk_buff *skb)
76	{
77	if (skb_vlan_tag_present(skb))
78	return skb->protocol;
79	else if (skb->protocol == htons(ETH_P_8021Q))
80	return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
81	else
82	return `0`;
83	}
84
85	static inline bool is_vlan_ip(const struct sk_buff skb, const* struct net *net)
86	{
87	struct brnf_net *brnet = net_generic(net, id: brnf_net_id);
88
89	return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged;
90	}
91
92	static inline bool is_vlan_ipv6(const struct sk_buff *skb,
93	const struct net *net)
94	{
95	struct brnf_net *brnet = net_generic(net, id: brnf_net_id);
96
97	return vlan_proto(skb) == htons(ETH_P_IPV6) &&
98	brnet->filter_vlan_tagged;
99	}
100
101	static inline bool is_vlan_arp(const struct sk_buff skb, const* struct net *net)
102	{
103	struct brnf_net *brnet = net_generic(net, id: brnf_net_id);
104
105	return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged;
106	}
107
108	static inline __be16 pppoe_proto(const struct sk_buff *skb)
109	{
110	return ((__be16 )(skb_mac_header(skb) + ETH_HLEN +
111	sizeof(struct pppoe_hdr)));
112	}
113
114	static inline bool is_pppoe_ip(const struct sk_buff skb, const* struct net *net)
115	{
116	struct brnf_net *brnet = net_generic(net, id: brnf_net_id);
117
118	return skb->protocol == htons(ETH_P_PPP_SES) &&
119	pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged;
120	}
121
122	static inline bool is_pppoe_ipv6(const struct sk_buff *skb,
123	const struct net *net)
124	{
125	struct brnf_net *brnet = net_generic(net, id: brnf_net_id);
126
127	return skb->protocol == htons(ETH_P_PPP_SES) &&
128	pppoe_proto(skb) == htons(PPP_IPV6) &&
129	brnet->filter_pppoe_tagged;
130	}
131
132	/ largest possible L2 header, see br_nf_dev_queue_xmit() /
133	#define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
134
135	struct brnf_frag_data {
136	char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH];
137	u8 encap_size;
138	u8 size;
139	u16 vlan_tci;
140	__be16 vlan_proto;
141	};
142
143	static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage);
144
145	static void nf_bridge_info_free(struct sk_buff *skb)
146	{
147	skb_ext_del(skb, id: SKB_EXT_BRIDGE_NF);
148	}
149
150	static inline struct net_device bridge_parent(const* struct net_device *dev)
151	{
152	struct net_bridge_port *port;
153
154	port = br_port_get_rcu(dev);
155	return port ? port->br->dev : NULL;
156	}
157
158	static inline struct nf_bridge_info nf_bridge_unshare(struct* sk_buff *skb)
159	{
160	return skb_ext_add(skb, id: SKB_EXT_BRIDGE_NF);
161	}
162
163	unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
164	{
165	switch (skb->protocol) {
166	case __cpu_to_be16(ETH_P_8021Q):
167	return VLAN_HLEN;
168	case __cpu_to_be16(ETH_P_PPP_SES):
169	return PPPOE_SES_HLEN;
170	default:
171	return `0`;
172	}
173	}
174
175	static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
176	{
177	unsigned int len = nf_bridge_encap_header_len(skb);
178
179	skb_pull(skb, len);
180	skb->network_header += len;
181	}
182
183	static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
184	{
185	unsigned int len = nf_bridge_encap_header_len(skb);
186
187	skb_pull_rcsum(skb, len);
188	skb->network_header += len;
189	}
190
191	/ When handing a packet over to the IP layer*
192	* check whether we have a skb that is in the
193	* expected format
194	*/
195
196	static int br_validate_ipv4(struct net net, struct* sk_buff *skb)
197	{
198	const struct iphdr *iph;
199	u32 len;
200
201	if (!pskb_may_pull(skb, len: sizeof(struct iphdr)))
202	goto inhdr_error;
203
204	iph = ip_hdr(skb);
205
206	/ Basic sanity checks /
207	if (iph->ihl < `5` \|\| iph->version != `4`)
208	goto inhdr_error;
209
210	if (!pskb_may_pull(skb, len: iph->ihl*`4`))
211	goto inhdr_error;
212
213	iph = ip_hdr(skb);
214	if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
215	goto csum_error;
216
217	len = skb_ip_totlen(skb);
218	if (skb->len < len) {
219	__IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
220	goto drop;
221	} else if (len < (iph->ihl*`4`))
222	goto inhdr_error;
223
224	if (pskb_trim_rcsum(skb, len)) {
225	__IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
226	goto drop;
227	}
228
229	memset(IPCB(skb), `0`, sizeof(struct inet_skb_parm));
230	/ We should really parse IP options here but until*
231	* somebody who actually uses IP options complains to
232	* us we'll just silently ignore the options because
233	* we're lazy!
234	*/
235	return `0`;
236
237	csum_error:
238	__IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
239	inhdr_error:
240	__IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
241	drop:
242	return -`1`;
243	}
244
245	void nf_bridge_update_protocol(struct sk_buff *skb)
246	{
247	const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
248
249	switch (nf_bridge->orig_proto) {
250	case BRNF_PROTO_8021Q:
251	skb->protocol = htons(ETH_P_8021Q);
252	break;
253	case BRNF_PROTO_PPPOE:
254	skb->protocol = htons(ETH_P_PPP_SES);
255	break;
256	case BRNF_PROTO_UNCHANGED:
257	break;
258	}
259	}
260
261	/ Obtain the correct destination MAC address, while preserving the original*
262	* source MAC address. If we already know this address, we just copy it. If we
263	* don't, we use the neighbour framework to find out. In both cases, we make
264	* sure that br_handle_frame_finish() is called afterwards.
265	*/
266	int br_nf_pre_routing_finish_bridge(struct net net, struct* sock sk, struct* sk_buff *skb)
267	{
268	struct neighbour *neigh;
269	struct dst_entry *dst;
270
271	skb->dev = bridge_parent(dev: skb->dev);
272	if (!skb->dev)
273	goto free_skb;
274	dst = skb_dst(skb);
275	neigh = dst_neigh_lookup_skb(dst, skb);
276	if (neigh) {
277	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
278	int ret;
279
280	if ((READ_ONCE(neigh->nud_state) & NUD_CONNECTED) &&
281	READ_ONCE(neigh->hh.hh_len)) {
282	neigh_hh_bridge(hh: &neigh->hh, skb);
283	skb->dev = nf_bridge->physindev;
284	ret = br_handle_frame_finish(net, sk, skb);
285	} else {
286	/ the neighbour function below overwrites the complete*
287	* MAC header, so we save the Ethernet source address and
288	* protocol number.
289	*/
290	skb_copy_from_linear_data_offset(skb,
291	offset: -(ETH_HLEN-ETH_ALEN),
292	to: nf_bridge->neigh_header,
293	ETH_HLEN-ETH_ALEN);
294	/ tell br_dev_xmit to continue with forwarding /
295	nf_bridge->bridged_dnat = `1`;
296	/ FIXME Need to refragment /
297	ret = READ_ONCE(neigh->output)(neigh, skb);
298	}
299	neigh_release(neigh);
300	return ret;
301	}
302	free_skb:
303	kfree_skb(skb);
304	return `0`;
305	}
306
307	static inline bool
308	br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
309	const struct nf_bridge_info *nf_bridge)
310	{
311	return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
312	}
313
314	/ This requires some explaining. If DNAT has taken place,*
315	* we will need to fix up the destination Ethernet address.
316	* This is also true when SNAT takes place (for the reply direction).
317	*
318	* There are two cases to consider:
319	* 1. The packet was DNAT'ed to a device in the same bridge
320	* port group as it was received on. We can still bridge
321	* the packet.
322	* 2. The packet was DNAT'ed to a different device, either
323	* a non-bridged device or another bridge port group.
324	* The packet will need to be routed.
325	*
326	* The correct way of distinguishing between these two cases is to
327	* call ip_route_input() and to look at skb->dst->dev, which is
328	* changed to the destination device if ip_route_input() succeeds.
329	*
330	* Let's first consider the case that ip_route_input() succeeds:
331	*
332	* If the output device equals the logical bridge device the packet
333	* came in on, we can consider this bridging. The corresponding MAC
334	* address will be obtained in br_nf_pre_routing_finish_bridge.
335	* Otherwise, the packet is considered to be routed and we just
336	* change the destination MAC address so that the packet will
337	* later be passed up to the IP stack to be routed. For a redirected
338	* packet, ip_route_input() will give back the localhost as output device,
339	* which differs from the bridge device.
340	*
341	* Let's now consider the case that ip_route_input() fails:
342	*
343	* This can be because the destination address is martian, in which case
344	* the packet will be dropped.
345	* If IP forwarding is disabled, ip_route_input() will fail, while
346	* ip_route_output_key() can return success. The source
347	* address for ip_route_output_key() is set to zero, so ip_route_output_key()
348	* thinks we're handling a locally generated packet and won't care
349	* if IP forwarding is enabled. If the output device equals the logical bridge
350	* device, we proceed as if ip_route_input() succeeded. If it differs from the
351	* logical bridge port or if ip_route_output_key() fails we drop the packet.
352	*/
353	static int br_nf_pre_routing_finish(struct net net, struct* sock sk, struct* sk_buff *skb)
354	{
355	struct net_device *dev = skb->dev;
356	struct iphdr *iph = ip_hdr(skb);
357	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
358	struct rtable *rt;
359	int err;
360
361	nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
362
363	if (nf_bridge->pkt_otherhost) {
364	skb->pkt_type = PACKET_OTHERHOST;
365	nf_bridge->pkt_otherhost = false;
366	}
367	nf_bridge->in_prerouting = `0`;
368	if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
369	if ((err = ip_route_input(skb, dst: iph->daddr, src: iph->saddr, tos: iph->tos, devin: dev))) {
370	struct in_device *in_dev = __in_dev_get_rcu(dev);
371
372	/ If err equals -EHOSTUNREACH the error is due to a*
373	* martian destination or due to the fact that
374	* forwarding is disabled. For most martian packets,
375	* ip_route_output_key() will fail. It won't fail for 2 types of
376	* martian destinations: loopback destinations and destination
377	* 0.0.0.0. In both cases the packet will be dropped because the
378	* destination is the loopback device and not the bridge. */
379	if (err != -EHOSTUNREACH \|\| !in_dev \|\| IN_DEV_FORWARD(in_dev))
380	goto free_skb;
381
382	rt = ip_route_output(net, daddr: iph->daddr, saddr: `0`,
383	RT_TOS(iph->tos), oif: `0`);
384	if (!IS_ERR(ptr: rt)) {
385	/ - Bridged-and-DNAT'ed traffic doesn't*
386	* require ip_forwarding. */
387	if (rt->dst.dev == dev) {
388	skb_dst_drop(skb);
389	skb_dst_set(skb, dst: &rt->dst);
390	goto bridged_dnat;
391	}
392	ip_rt_put(rt);
393	}
394	free_skb:
395	kfree_skb(skb);
396	return `0`;
397	} else {
398	if (skb_dst(skb)->dev == dev) {
399	bridged_dnat:
400	skb->dev = nf_bridge->physindev;
401	nf_bridge_update_protocol(skb);
402	nf_bridge_push_encap_header(skb);
403	br_nf_hook_thresh(NF_BR_PRE_ROUTING,
404	net, sk, skb, indev: skb->dev,
405	NULL,
406	okfn: br_nf_pre_routing_finish_bridge);
407	return `0`;
408	}
409	ether_addr_copy(dst: eth_hdr(skb)->h_dest, src: dev->dev_addr);
410	skb->pkt_type = PACKET_HOST;
411	}
412	} else {
413	rt = bridge_parent_rtable(dev: nf_bridge->physindev);
414	if (!rt) {
415	kfree_skb(skb);
416	return `0`;
417	}
418	skb_dst_drop(skb);
419	skb_dst_set_noref(skb, dst: &rt->dst);
420	}
421
422	skb->dev = nf_bridge->physindev;
423	nf_bridge_update_protocol(skb);
424	nf_bridge_push_encap_header(skb);
425	br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, indev: skb->dev, NULL,
426	okfn: br_handle_frame_finish);
427	return `0`;
428	}
429
430	static struct net_device brnf_get_logical_dev(struct* sk_buff *skb,
431	const struct net_device *dev,
432	const struct net *net)
433	{
434	struct net_device vlan, br;
435	struct brnf_net *brnet = net_generic(net, id: brnf_net_id);
436
437	br = bridge_parent(dev);
438
439	if (brnet->pass_vlan_indev == `0` \|\| !skb_vlan_tag_present(skb))
440	return br;
441
442	vlan = __vlan_find_dev_deep_rcu(real_dev: br, vlan_proto: skb->vlan_proto,
443	skb_vlan_tag_get(skb) & VLAN_VID_MASK);
444
445	return vlan ? vlan : br;
446	}
447
448	/ Some common code for IPv4/IPv6 /
449	struct net_device setup_pre_routing(struct* sk_buff skb, const* struct net *net)
450	{
451	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
452
453	if (skb->pkt_type == PACKET_OTHERHOST) {
454	skb->pkt_type = PACKET_HOST;
455	nf_bridge->pkt_otherhost = true;
456	}
457
458	nf_bridge->in_prerouting = `1`;
459	nf_bridge->physindev = skb->dev;
460	skb->dev = brnf_get_logical_dev(skb, dev: skb->dev, net);
461
462	if (skb->protocol == htons(ETH_P_8021Q))
463	nf_bridge->orig_proto = BRNF_PROTO_8021Q;
464	else if (skb->protocol == htons(ETH_P_PPP_SES))
465	nf_bridge->orig_proto = BRNF_PROTO_PPPOE;
466
467	/ Must drop socket now because of tproxy. /
468	skb_orphan(skb);
469	return skb->dev;
470	}
471
472	/ Direct IPv6 traffic to br_nf_pre_routing_ipv6.*
473	* Replicate the checks that IPv4 does on packet reception.
474	* Set skb->dev to the bridge device (i.e. parent of the
475	* receiving device) to make netfilter happy, the REDIRECT
476	* target in particular. Save the original destination IP
477	* address to be able to detect DNAT afterwards. */
478	static unsigned int br_nf_pre_routing(void *priv,
479	struct sk_buff *skb,
480	const struct nf_hook_state *state)
481	{
482	struct nf_bridge_info *nf_bridge;
483	struct net_bridge_port *p;
484	struct net_bridge *br;
485	__u32 len = nf_bridge_encap_header_len(skb);
486	struct brnf_net *brnet;
487
488	if (unlikely(!pskb_may_pull(skb, len)))
489	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_PKT_TOO_SMALL, err: `0`);
490
491	p = br_port_get_rcu(dev: state->in);
492	if (p == NULL)
493	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_DEV_READY, err: `0`);
494	br = p->br;
495
496	brnet = net_generic(net: state->net, id: brnf_net_id);
497	if (IS_IPV6(skb) \|\| is_vlan_ipv6(skb, net: state->net) \|\|
498	is_pppoe_ipv6(skb, net: state->net)) {
499	if (!brnet->call_ip6tables &&
500	!br_opt_get(br, opt: BROPT_NF_CALL_IP6TABLES))
501	return NF_ACCEPT;
502	if (!ipv6_mod_enabled()) {
503	pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
504	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_IPV6DISABLED, err: `0`);
505	}
506
507	nf_bridge_pull_encap_header_rcsum(skb);
508	return br_nf_pre_routing_ipv6(priv, skb, state);
509	}
510
511	if (!brnet->call_iptables && !br_opt_get(br, opt: BROPT_NF_CALL_IPTABLES))
512	return NF_ACCEPT;
513
514	if (!IS_IP(skb) && !is_vlan_ip(skb, net: state->net) &&
515	!is_pppoe_ip(skb, net: state->net))
516	return NF_ACCEPT;
517
518	nf_bridge_pull_encap_header_rcsum(skb);
519
520	if (br_validate_ipv4(net: state->net, skb))
521	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_IP_INHDR, err: `0`);
522
523	if (!nf_bridge_alloc(skb))
524	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_NOMEM, err: `0`);
525	if (!setup_pre_routing(skb, net: state->net))
526	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_DEV_READY, err: `0`);
527
528	nf_bridge = nf_bridge_info_get(skb);
529	nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
530
531	skb->protocol = htons(ETH_P_IP);
532	skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * `4`;
533
534	NF_HOOK(pf: NFPROTO_IPV4, hook: NF_INET_PRE_ROUTING, net: state->net, sk: state->sk, skb,
535	in: skb->dev, NULL,
536	okfn: br_nf_pre_routing_finish);
537
538	return NF_STOLEN;
539	}
540
541
542	/ PF_BRIDGE/FORWARD ************************************************/
543	static int br_nf_forward_finish(struct net net, struct* sock sk, struct* sk_buff *skb)
544	{
545	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
546	struct net_device *in;
547
548	if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) {
549
550	if (skb->protocol == htons(ETH_P_IP))
551	nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
552
553	if (skb->protocol == htons(ETH_P_IPV6))
554	nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
555
556	in = nf_bridge->physindev;
557	if (nf_bridge->pkt_otherhost) {
558	skb->pkt_type = PACKET_OTHERHOST;
559	nf_bridge->pkt_otherhost = false;
560	}
561	nf_bridge_update_protocol(skb);
562	} else {
563	in = ((struct* net_device **)(skb->cb));
564	}
565	nf_bridge_push_encap_header(skb);
566
567	br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, indev: in, outdev: skb->dev,
568	okfn: br_forward_finish);
569	return `0`;
570	}
571
572
573	static unsigned int br_nf_forward_ip(struct sk_buff *skb,
574	const struct nf_hook_state *state,
575	u8 pf)
576	{
577	struct nf_bridge_info *nf_bridge;
578	struct net_device *parent;
579
580	nf_bridge = nf_bridge_info_get(skb);
581	if (!nf_bridge)
582	return NF_ACCEPT;
583
584	/ Need exclusive nf_bridge_info since we might have multiple*
585	* different physoutdevs. */
586	if (!nf_bridge_unshare(skb))
587	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_NOMEM, err: `0`);
588
589	nf_bridge = nf_bridge_info_get(skb);
590	if (!nf_bridge)
591	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_NOMEM, err: `0`);
592
593	parent = bridge_parent(dev: state->out);
594	if (!parent)
595	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_DEV_READY, err: `0`);
596
597	nf_bridge_pull_encap_header(skb);
598
599	if (skb->pkt_type == PACKET_OTHERHOST) {
600	skb->pkt_type = PACKET_HOST;
601	nf_bridge->pkt_otherhost = true;
602	}
603
604	if (pf == NFPROTO_IPV4) {
605	if (br_validate_ipv4(net: state->net, skb))
606	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_IP_INHDR, err: `0`);
607	IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
608	skb->protocol = htons(ETH_P_IP);
609	} else if (pf == NFPROTO_IPV6) {
610	if (br_validate_ipv6(net: state->net, skb))
611	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_IP_INHDR, err: `0`);
612	IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
613	skb->protocol = htons(ETH_P_IPV6);
614	} else {
615	WARN_ON_ONCE(`1`);
616	return NF_DROP;
617	}
618
619	nf_bridge->physoutdev = skb->dev;
620
621	NF_HOOK(pf, hook: NF_INET_FORWARD, net: state->net, NULL, skb,
622	in: brnf_get_logical_dev(skb, dev: state->in, net: state->net),
623	out: parent, okfn: br_nf_forward_finish);
624
625	return NF_STOLEN;
626	}
627
628	static unsigned int br_nf_forward_arp(struct sk_buff *skb,
629	const struct nf_hook_state *state)
630	{
631	struct net_bridge_port *p;
632	struct net_bridge *br;
633	struct net_device d = (struct net_device )(skb->cb);
634	struct brnf_net *brnet;
635
636	p = br_port_get_rcu(dev: state->out);
637	if (p == NULL)
638	return NF_ACCEPT;
639	br = p->br;
640
641	brnet = net_generic(net: state->net, id: brnf_net_id);
642	if (!brnet->call_arptables && !br_opt_get(br, opt: BROPT_NF_CALL_ARPTABLES))
643	return NF_ACCEPT;
644
645	if (is_vlan_arp(skb, net: state->net))
646	nf_bridge_pull_encap_header(skb);
647
648	if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
649	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_PKT_TOO_SMALL, err: `0`);
650
651	if (arp_hdr(skb)->ar_pln != `4`) {
652	if (is_vlan_arp(skb, net: state->net))
653	nf_bridge_push_encap_header(skb);
654	return NF_ACCEPT;
655	}
656	*d = state->in;
657	NF_HOOK(pf: NFPROTO_ARP, NF_ARP_FORWARD, net: state->net, sk: state->sk, skb,
658	in: state->in, out: state->out, okfn: br_nf_forward_finish);
659
660	return NF_STOLEN;
661	}
662
663	/ This is the 'purely bridged' case. For IP, we pass the packet to*
664	* netfilter with indev and outdev set to the bridge device,
665	* but we are still able to filter on the 'real' indev/outdev
666	* because of the physdev module. For ARP, indev and outdev are the
667	* bridge ports.
668	*/
669	static unsigned int br_nf_forward(void *priv,
670	struct sk_buff *skb,
671	const struct nf_hook_state *state)
672	{
673	if (IS_IP(skb) \|\| is_vlan_ip(skb, net: state->net) \|\|
674	is_pppoe_ip(skb, net: state->net))
675	return br_nf_forward_ip(skb, state, pf: NFPROTO_IPV4);
676	if (IS_IPV6(skb) \|\| is_vlan_ipv6(skb, net: state->net) \|\|
677	is_pppoe_ipv6(skb, net: state->net))
678	return br_nf_forward_ip(skb, state, pf: NFPROTO_IPV6);
679	if (IS_ARP(skb) \|\| is_vlan_arp(skb, net: state->net))
680	return br_nf_forward_arp(skb, state);
681
682	return NF_ACCEPT;
683	}
684
685	static int br_nf_push_frag_xmit(struct net net, struct* sock sk, struct* sk_buff *skb)
686	{
687	struct brnf_frag_data *data;
688	int err;
689
690	data = this_cpu_ptr(&brnf_frag_data_storage);
691	err = skb_cow_head(skb, headroom: data->size);
692
693	if (err) {
694	kfree_skb(skb);
695	return `0`;
696	}
697
698	if (data->vlan_proto)
699	__vlan_hwaccel_put_tag(skb, vlan_proto: data->vlan_proto, vlan_tci: data->vlan_tci);
700
701	skb_copy_to_linear_data_offset(skb, offset: -data->size, from: data->mac, len: data->size);
702	__skb_push(skb, len: data->encap_size);
703
704	nf_bridge_info_free(skb);
705	return br_dev_queue_push_xmit(net, sk, skb);
706	}
707
708	static int
709	br_nf_ip_fragment(struct net net, struct* sock sk, struct* sk_buff *skb,
710	int (output)(struct* net , struct* sock , struct* sk_buff *))
711	{
712	unsigned int mtu = ip_skb_dst_mtu(sk, skb);
713	struct iphdr *iph = ip_hdr(skb);
714
715	if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) \|\|
716	(IPCB(skb)->frag_max_size &&
717	IPCB(skb)->frag_max_size > mtu))) {
718	IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);
719	kfree_skb(skb);
720	return -EMSGSIZE;
721	}
722
723	return ip_do_fragment(net, sk, skb, output);
724	}
725
726	static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
727	{
728	const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
729
730	if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE)
731	return PPPOE_SES_HLEN;
732	return `0`;
733	}
734
735	static int br_nf_dev_queue_xmit(struct net net, struct* sock sk, struct* sk_buff *skb)
736	{
737	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
738	unsigned int mtu, mtu_reserved;
739
740	mtu_reserved = nf_bridge_mtu_reduction(skb);
741	mtu = skb->dev->mtu;
742
743	if (nf_bridge->pkt_otherhost) {
744	skb->pkt_type = PACKET_OTHERHOST;
745	nf_bridge->pkt_otherhost = false;
746	}
747
748	if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
749	mtu = nf_bridge->frag_max_size;
750
751	nf_bridge_update_protocol(skb);
752	nf_bridge_push_encap_header(skb);
753
754	if (skb_is_gso(skb) \|\| skb->len + mtu_reserved <= mtu) {
755	nf_bridge_info_free(skb);
756	return br_dev_queue_push_xmit(net, sk, skb);
757	}
758
759	/ This is wrong! We should preserve the original fragment*
760	* boundaries by preserving frag_list rather than refragmenting.
761	*/
762	if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) &&
763	skb->protocol == htons(ETH_P_IP)) {
764	struct brnf_frag_data *data;
765
766	if (br_validate_ipv4(net, skb))
767	goto drop;
768
769	IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
770
771	data = this_cpu_ptr(&brnf_frag_data_storage);
772
773	if (skb_vlan_tag_present(skb)) {
774	data->vlan_tci = skb->vlan_tci;
775	data->vlan_proto = skb->vlan_proto;
776	} else {
777	data->vlan_proto = `0`;
778	}
779
780	data->encap_size = nf_bridge_encap_header_len(skb);
781	data->size = ETH_HLEN + data->encap_size;
782
783	skb_copy_from_linear_data_offset(skb, offset: -data->size, to: data->mac,
784	len: data->size);
785
786	return br_nf_ip_fragment(net, sk, skb, output: br_nf_push_frag_xmit);
787	}
788	if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) &&
789	skb->protocol == htons(ETH_P_IPV6)) {
790	const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
791	struct brnf_frag_data *data;
792
793	if (br_validate_ipv6(net, skb))
794	goto drop;
795
796	IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
797
798	data = this_cpu_ptr(&brnf_frag_data_storage);
799	data->encap_size = nf_bridge_encap_header_len(skb);
800	data->size = ETH_HLEN + data->encap_size;
801
802	skb_copy_from_linear_data_offset(skb, offset: -data->size, to: data->mac,
803	len: data->size);
804
805	if (v6ops)
806	return v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit);
807
808	kfree_skb(skb);
809	return -EMSGSIZE;
810	}
811	nf_bridge_info_free(skb);
812	return br_dev_queue_push_xmit(net, sk, skb);
813	drop:
814	kfree_skb(skb);
815	return `0`;
816	}
817
818	/ PF_BRIDGE/POST_ROUTING *******************************************/
819	static unsigned int br_nf_post_routing(void *priv,
820	struct sk_buff *skb,
821	const struct nf_hook_state *state)
822	{
823	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
824	struct net_device *realoutdev = bridge_parent(dev: skb->dev);
825	u_int8_t pf;
826
827	/ if nf_bridge is set, but ->physoutdev is NULL, this packet came in*
828	* on a bridge, but was delivered locally and is now being routed:
829	*
830	* POST_ROUTING was already invoked from the ip stack.
831	*/
832	if (!nf_bridge \|\| !nf_bridge->physoutdev)
833	return NF_ACCEPT;
834
835	if (!realoutdev)
836	return NF_DROP_REASON(skb, reason: SKB_DROP_REASON_DEV_READY, err: `0`);
837
838	if (IS_IP(skb) \|\| is_vlan_ip(skb, net: state->net) \|\|
839	is_pppoe_ip(skb, net: state->net))
840	pf = NFPROTO_IPV4;
841	else if (IS_IPV6(skb) \|\| is_vlan_ipv6(skb, net: state->net) \|\|
842	is_pppoe_ipv6(skb, net: state->net))
843	pf = NFPROTO_IPV6;
844	else
845	return NF_ACCEPT;
846
847	if (skb->pkt_type == PACKET_OTHERHOST) {
848	skb->pkt_type = PACKET_HOST;
849	nf_bridge->pkt_otherhost = true;
850	}
851
852	nf_bridge_pull_encap_header(skb);
853	if (pf == NFPROTO_IPV4)
854	skb->protocol = htons(ETH_P_IP);
855	else
856	skb->protocol = htons(ETH_P_IPV6);
857
858	NF_HOOK(pf, hook: NF_INET_POST_ROUTING, net: state->net, sk: state->sk, skb,
859	NULL, out: realoutdev,
860	okfn: br_nf_dev_queue_xmit);
861
862	return NF_STOLEN;
863	}
864
865	/ IP/SABOTAGE ****************************************************/
866	/ Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING*
867	* for the second time. */
868	static unsigned int ip_sabotage_in(void *priv,
869	struct sk_buff *skb,
870	const struct nf_hook_state *state)
871	{
872	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
873
874	if (nf_bridge) {
875	if (nf_bridge->sabotage_in_done)
876	return NF_ACCEPT;
877
878	if (!nf_bridge->in_prerouting &&
879	!netif_is_l3_master(dev: skb->dev) &&
880	!netif_is_l3_slave(dev: skb->dev)) {
881	nf_bridge->sabotage_in_done = `1`;
882	state->okfn(state->net, state->sk, skb);
883	return NF_STOLEN;
884	}
885	}
886
887	return NF_ACCEPT;
888	}
889
890	/ This is called when br_netfilter has called into iptables/netfilter,*
891	* and DNAT has taken place on a bridge-forwarded packet.
892	*
893	* neigh->output has created a new MAC header, with local br0 MAC
894	* as saddr.
895	*
896	* This restores the original MAC saddr of the bridged packet
897	* before invoking bridge forward logic to transmit the packet.
898	*/
899	static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
900	{
901	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
902
903	skb_pull(skb, ETH_HLEN);
904	nf_bridge->bridged_dnat = `0`;
905
906	BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN));
907
908	skb_copy_to_linear_data_offset(skb, offset: -(ETH_HLEN - ETH_ALEN),
909	from: nf_bridge->neigh_header,
910	ETH_HLEN - ETH_ALEN);
911	skb->dev = nf_bridge->physindev;
912
913	nf_bridge->physoutdev = NULL;
914	br_handle_frame_finish(net: dev_net(dev: skb->dev), NULL, skb);
915	}
916
917	static int br_nf_dev_xmit(struct sk_buff *skb)
918	{
919	const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
920
921	if (nf_bridge && nf_bridge->bridged_dnat) {
922	br_nf_pre_routing_finish_bridge_slow(skb);
923	return `1`;
924	}
925	return `0`;
926	}
927
928	static const struct nf_br_ops br_ops = {
929	.br_dev_xmit_hook = br_nf_dev_xmit,
930	};
931
932	/ For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because*
933	* br_dev_queue_push_xmit is called afterwards */
934	static const struct nf_hook_ops br_nf_ops[] = {
935	{
936	.hook = br_nf_pre_routing,
937	.pf = NFPROTO_BRIDGE,
938	.hooknum = NF_BR_PRE_ROUTING,
939	.priority = NF_BR_PRI_BRNF,
940	},
941	{
942	.hook = br_nf_forward,
943	.pf = NFPROTO_BRIDGE,
944	.hooknum = NF_BR_FORWARD,
945	.priority = NF_BR_PRI_BRNF,
946	},
947	{
948	.hook = br_nf_post_routing,
949	.pf = NFPROTO_BRIDGE,
950	.hooknum = NF_BR_POST_ROUTING,
951	.priority = NF_BR_PRI_LAST,
952	},
953	{
954	.hook = ip_sabotage_in,
955	.pf = NFPROTO_IPV4,
956	.hooknum = NF_INET_PRE_ROUTING,
957	.priority = NF_IP_PRI_FIRST,
958	},
959	{
960	.hook = ip_sabotage_in,
961	.pf = NFPROTO_IPV6,
962	.hooknum = NF_INET_PRE_ROUTING,
963	.priority = NF_IP6_PRI_FIRST,
964	},
965	};
966
967	static int brnf_device_event(struct notifier_block unused, unsigned* long event,
968	void *ptr)
969	{
970	struct net_device *dev = netdev_notifier_info_to_dev(info: ptr);
971	struct brnf_net *brnet;
972	struct net *net;
973	int ret;
974
975	if (event != NETDEV_REGISTER \|\| !netif_is_bridge_master(dev))
976	return NOTIFY_DONE;
977
978	ASSERT_RTNL();
979
980	net = dev_net(dev);
981	brnet = net_generic(net, id: brnf_net_id);
982	if (brnet->enabled)
983	return NOTIFY_OK;
984
985	ret = nf_register_net_hooks(net, reg: br_nf_ops, ARRAY_SIZE(br_nf_ops));
986	if (ret)
987	return NOTIFY_BAD;
988
989	brnet->enabled = true;
990	return NOTIFY_OK;
991	}
992
993	static struct notifier_block brnf_notifier __read_mostly = {
994	.notifier_call = brnf_device_event,
995	};
996
997	/ recursively invokes nf_hook_slow (again), skipping already-called*
998	* hooks (< NF_BR_PRI_BRNF).
999	*
1000	* Called with rcu read lock held.
1001	*/
1002	int br_nf_hook_thresh(unsigned int hook, struct net *net,
1003	struct sock sk, struct* sk_buff *skb,
1004	struct net_device *indev,
1005	struct net_device *outdev,
1006	int (okfn)(struct* net , struct* sock *,
1007	struct sk_buff *))
1008	{
1009	const struct nf_hook_entries *e;
1010	struct nf_hook_state state;
1011	struct nf_hook_ops **ops;
1012	unsigned int i;
1013	int ret;
1014
1015	e = rcu_dereference(net->nf.hooks_bridge[hook]);
1016	if (!e)
1017	return okfn(net, sk, skb);
1018
1019	ops = nf_hook_entries_get_hook_ops(e);
1020	for (i = `0`; i < e->num_hook_entries; i++) {
1021	/ These hooks have already been called /
1022	if (ops[i]->priority < NF_BR_PRI_BRNF)
1023	continue;
1024
1025	/ These hooks have not been called yet, run them. /
1026	if (ops[i]->priority > NF_BR_PRI_BRNF)
1027	break;
1028
1029	/ take a closer look at NF_BR_PRI_BRNF. /
1030	if (ops[i]->hook == br_nf_pre_routing) {
1031	/ This hook diverted the skb to this function,*
1032	* hooks after this have not been run yet.
1033	*/
1034	i++;
1035	break;
1036	}
1037	}
1038
1039	nf_hook_state_init(p: &state, hook, pf: NFPROTO_BRIDGE, indev, outdev,
1040	sk, net, okfn);
1041
1042	ret = nf_hook_slow(skb, state: &state, e, i);
1043	if (ret == `1`)
1044	ret = okfn(net, sk, skb);
1045
1046	return ret;
1047	}
1048
1049	#ifdef CONFIG_SYSCTL
1050	static
1051	int brnf_sysctl_call_tables(struct ctl_table ctl, int* write,
1052	void buffer, size_t lenp, loff_t *ppos)
1053	{
1054	int ret;
1055
1056	ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1057
1058	if (write && (int* *)(ctl->data))
1059	(int* *)(ctl->data) = `1`;
1060	return ret;
1061	}
1062
1063	static struct ctl_table brnf_table[] = {
1064	{
1065	.procname = "bridge-nf-call-arptables",
1066	.maxlen = sizeof(int),
1067	.mode = `0644`,
1068	.proc_handler = brnf_sysctl_call_tables,
1069	},
1070	{
1071	.procname = "bridge-nf-call-iptables",
1072	.maxlen = sizeof(int),
1073	.mode = `0644`,
1074	.proc_handler = brnf_sysctl_call_tables,
1075	},
1076	{
1077	.procname = "bridge-nf-call-ip6tables",
1078	.maxlen = sizeof(int),
1079	.mode = `0644`,
1080	.proc_handler = brnf_sysctl_call_tables,
1081	},
1082	{
1083	.procname = "bridge-nf-filter-vlan-tagged",
1084	.maxlen = sizeof(int),
1085	.mode = `0644`,
1086	.proc_handler = brnf_sysctl_call_tables,
1087	},
1088	{
1089	.procname = "bridge-nf-filter-pppoe-tagged",
1090	.maxlen = sizeof(int),
1091	.mode = `0644`,
1092	.proc_handler = brnf_sysctl_call_tables,
1093	},
1094	{
1095	.procname = "bridge-nf-pass-vlan-input-dev",
1096	.maxlen = sizeof(int),
1097	.mode = `0644`,
1098	.proc_handler = brnf_sysctl_call_tables,
1099	},
1100	{ }
1101	};
1102
1103	static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
1104	{
1105	brnf->call_iptables = `1`;
1106	brnf->call_ip6tables = `1`;
1107	brnf->call_arptables = `1`;
1108	brnf->filter_vlan_tagged = `0`;
1109	brnf->filter_pppoe_tagged = `0`;
1110	brnf->pass_vlan_indev = `0`;
1111	}
1112
1113	static int br_netfilter_sysctl_init_net(struct net *net)
1114	{
1115	struct ctl_table *table = brnf_table;
1116	struct brnf_net *brnet;
1117
1118	if (!net_eq(net1: net, net2: &init_net)) {
1119	table = kmemdup(p: table, size: sizeof(brnf_table), GFP_KERNEL);
1120	if (!table)
1121	return -ENOMEM;
1122	}
1123
1124	brnet = net_generic(net, id: brnf_net_id);
1125	table[`0`].data = &brnet->call_arptables;
1126	table[`1`].data = &brnet->call_iptables;
1127	table[`2`].data = &brnet->call_ip6tables;
1128	table[`3`].data = &brnet->filter_vlan_tagged;
1129	table[`4`].data = &brnet->filter_pppoe_tagged;
1130	table[`5`].data = &brnet->pass_vlan_indev;
1131
1132	br_netfilter_sysctl_default(brnf: brnet);
1133
1134	brnet->ctl_hdr = register_net_sysctl_sz(net, path: "net/bridge", table,
1135	ARRAY_SIZE(brnf_table));
1136	if (!brnet->ctl_hdr) {
1137	if (!net_eq(net1: net, net2: &init_net))
1138	kfree(objp: table);
1139
1140	return -ENOMEM;
1141	}
1142
1143	return `0`;
1144	}
1145
1146	static void br_netfilter_sysctl_exit_net(struct net *net,
1147	struct brnf_net *brnet)
1148	{
1149	struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg;
1150
1151	unregister_net_sysctl_table(header: brnet->ctl_hdr);
1152	if (!net_eq(net1: net, net2: &init_net))
1153	kfree(objp: table);
1154	}
1155
1156	static int __net_init brnf_init_net(struct net *net)
1157	{
1158	return br_netfilter_sysctl_init_net(net);
1159	}
1160	#endif
1161
1162	static void __net_exit brnf_exit_net(struct net *net)
1163	{
1164	struct brnf_net *brnet;
1165
1166	brnet = net_generic(net, id: brnf_net_id);
1167	if (brnet->enabled) {
1168	nf_unregister_net_hooks(net, reg: br_nf_ops, ARRAY_SIZE(br_nf_ops));
1169	brnet->enabled = false;
1170	}
1171
1172	#ifdef CONFIG_SYSCTL
1173	br_netfilter_sysctl_exit_net(net, brnet);
1174	#endif
1175	}
1176
1177	static struct pernet_operations brnf_net_ops __read_mostly = {
1178	#ifdef CONFIG_SYSCTL
1179	.init = brnf_init_net,
1180	#endif
1181	.exit = brnf_exit_net,
1182	.id = &brnf_net_id,
1183	.size = sizeof(struct brnf_net),
1184	};
1185
1186	static int __init br_netfilter_init(void)
1187	{
1188	int ret;
1189
1190	ret = register_pernet_subsys(&brnf_net_ops);
1191	if (ret < `0`)
1192	return ret;
1193
1194	ret = register_netdevice_notifier(nb: &brnf_notifier);
1195	if (ret < `0`) {
1196	unregister_pernet_subsys(&brnf_net_ops);
1197	return ret;
1198	}
1199
1200	RCU_INIT_POINTER(nf_br_ops, &br_ops);
1201	printk(KERN_NOTICE "Bridge firewalling registered\n");
1202	return `0`;
1203	}
1204
1205	static void __exit br_netfilter_fini(void)
1206	{
1207	RCU_INIT_POINTER(nf_br_ops, NULL);
1208	unregister_netdevice_notifier(nb: &brnf_notifier);
1209	unregister_pernet_subsys(&brnf_net_ops);
1210	}
1211
1212	module_init(br_netfilter_init);
1213	module_exit(br_netfilter_fini);
1214
1215	MODULE_LICENSE("GPL");
1216	MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>");
1217	MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
1218	MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge");
1219

source code of linux/net/bridge/br_netfilter_hooks.c