1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Handle firewalling 4 * Linux ethernet bridge 5 * 6 * Authors: 7 * Lennert Buytenhek <buytenh@gnu.org> 8 * Bart De Schuymer <bdschuym@pandora.be> 9 * 10 * Lennert dedicates this file to Kerstin Wurdinger. 11 */ 12 13 #include <linux/module.h> 14 #include <linux/kernel.h> 15 #include <linux/slab.h> 16 #include <linux/ip.h> 17 #include <linux/netdevice.h> 18 #include <linux/skbuff.h> 19 #include <linux/if_arp.h> 20 #include <linux/if_ether.h> 21 #include <linux/if_vlan.h> 22 #include <linux/if_pppox.h> 23 #include <linux/ppp_defs.h> 24 #include <linux/netfilter_bridge.h> 25 #include <uapi/linux/netfilter_bridge.h> 26 #include <linux/netfilter_ipv4.h> 27 #include <linux/netfilter_ipv6.h> 28 #include <linux/netfilter_arp.h> 29 #include <linux/in_route.h> 30 #include <linux/rculist.h> 31 #include <linux/inetdevice.h> 32 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <net/addrconf.h> 36 #include <net/dst_metadata.h> 37 #include <net/route.h> 38 #include <net/netfilter/br_netfilter.h> 39 #include <net/netns/generic.h> 40 #include <net/inet_dscp.h> 41 42 #include <linux/uaccess.h> 43 #include "br_private.h" 44 #ifdef CONFIG_SYSCTL 45 #include <linux/sysctl.h> 46 #endif 47 48 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 49 #include <net/netfilter/nf_conntrack_core.h> 50 #endif 51 52 static unsigned int brnf_net_id __read_mostly; 53 54 struct brnf_net { 55 bool enabled; 56 57 #ifdef CONFIG_SYSCTL 58 struct ctl_table_header *ctl_hdr; 59 #endif 60 61 /* default value is 1 */ 62 int call_iptables; 63 int call_ip6tables; 64 int call_arptables; 65 66 /* default value is 0 */ 67 int filter_vlan_tagged; 68 int filter_pppoe_tagged; 69 int pass_vlan_indev; 70 }; 71 72 #define IS_IP(skb) \ 73 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP)) 74 75 #define IS_IPV6(skb) \ 76 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6)) 77 78 #define IS_ARP(skb) \ 79 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP)) 80 81 static inline __be16 vlan_proto(const struct sk_buff *skb) 82 { 83 if (skb_vlan_tag_present(skb)) 84 return skb->protocol; 85 else if (skb->protocol == htons(ETH_P_8021Q)) 86 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto; 87 else 88 return 0; 89 } 90 91 static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net) 92 { 93 struct brnf_net *brnet = net_generic(net, brnf_net_id); 94 95 return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged; 96 } 97 98 static inline bool is_vlan_ipv6(const struct sk_buff *skb, 99 const struct net *net) 100 { 101 struct brnf_net *brnet = net_generic(net, brnf_net_id); 102 103 return vlan_proto(skb) == htons(ETH_P_IPV6) && 104 brnet->filter_vlan_tagged; 105 } 106 107 static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net) 108 { 109 struct brnf_net *brnet = net_generic(net, brnf_net_id); 110 111 return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged; 112 } 113 114 static inline __be16 pppoe_proto(const struct sk_buff *skb) 115 { 116 return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN + 117 sizeof(struct pppoe_hdr))); 118 } 119 120 static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net) 121 { 122 struct brnf_net *brnet = net_generic(net, brnf_net_id); 123 124 return skb->protocol == htons(ETH_P_PPP_SES) && 125 pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged; 126 } 127 128 static inline bool is_pppoe_ipv6(const struct sk_buff *skb, 129 const struct net *net) 130 { 131 struct brnf_net *brnet = net_generic(net, brnf_net_id); 132 133 return skb->protocol == htons(ETH_P_PPP_SES) && 134 pppoe_proto(skb) == htons(PPP_IPV6) && 135 brnet->filter_pppoe_tagged; 136 } 137 138 /* largest possible L2 header, see br_nf_dev_queue_xmit() */ 139 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN) 140 141 struct brnf_frag_data { 142 local_lock_t bh_lock; 143 char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH]; 144 u8 encap_size; 145 u8 size; 146 u16 vlan_tci; 147 __be16 vlan_proto; 148 }; 149 150 static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage) = { 151 .bh_lock = INIT_LOCAL_LOCK(bh_lock), 152 }; 153 154 static void nf_bridge_info_free(struct sk_buff *skb) 155 { 156 skb_ext_del(skb, SKB_EXT_BRIDGE_NF); 157 } 158 159 static inline struct net_device *bridge_parent(const struct net_device *dev) 160 { 161 struct net_bridge_port *port; 162 163 port = br_port_get_rcu(dev); 164 return port ? port->br->dev : NULL; 165 } 166 167 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb) 168 { 169 return skb_ext_add(skb, SKB_EXT_BRIDGE_NF); 170 } 171 172 unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb) 173 { 174 switch (skb->protocol) { 175 case __cpu_to_be16(ETH_P_8021Q): 176 return VLAN_HLEN; 177 case __cpu_to_be16(ETH_P_PPP_SES): 178 return PPPOE_SES_HLEN; 179 default: 180 return 0; 181 } 182 } 183 184 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb) 185 { 186 unsigned int len = nf_bridge_encap_header_len(skb); 187 188 skb_pull(skb, len); 189 skb->network_header += len; 190 } 191 192 static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb) 193 { 194 unsigned int len = nf_bridge_encap_header_len(skb); 195 196 skb_pull_rcsum(skb, len); 197 skb->network_header += len; 198 } 199 200 /* When handing a packet over to the IP layer 201 * check whether we have a skb that is in the 202 * expected format 203 */ 204 205 static int br_validate_ipv4(struct net *net, struct sk_buff *skb) 206 { 207 const struct iphdr *iph; 208 u32 len; 209 210 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 211 goto inhdr_error; 212 213 iph = ip_hdr(skb); 214 215 /* Basic sanity checks */ 216 if (iph->ihl < 5 || iph->version != 4) 217 goto inhdr_error; 218 219 if (!pskb_may_pull(skb, iph->ihl*4)) 220 goto inhdr_error; 221 222 iph = ip_hdr(skb); 223 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl))) 224 goto csum_error; 225 226 len = skb_ip_totlen(skb); 227 if (skb->len < len) { 228 __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS); 229 goto drop; 230 } else if (len < (iph->ihl*4)) 231 goto inhdr_error; 232 233 if (pskb_trim_rcsum(skb, len)) { 234 __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS); 235 goto drop; 236 } 237 238 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); 239 /* We should really parse IP options here but until 240 * somebody who actually uses IP options complains to 241 * us we'll just silently ignore the options because 242 * we're lazy! 243 */ 244 return 0; 245 246 csum_error: 247 __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS); 248 inhdr_error: 249 __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS); 250 drop: 251 return -1; 252 } 253 254 void nf_bridge_update_protocol(struct sk_buff *skb) 255 { 256 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 257 258 switch (nf_bridge->orig_proto) { 259 case BRNF_PROTO_8021Q: 260 skb->protocol = htons(ETH_P_8021Q); 261 break; 262 case BRNF_PROTO_PPPOE: 263 skb->protocol = htons(ETH_P_PPP_SES); 264 break; 265 case BRNF_PROTO_UNCHANGED: 266 break; 267 } 268 } 269 270 /* Obtain the correct destination MAC address, while preserving the original 271 * source MAC address. If we already know this address, we just copy it. If we 272 * don't, we use the neighbour framework to find out. In both cases, we make 273 * sure that br_handle_frame_finish() is called afterwards. 274 */ 275 int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb) 276 { 277 struct neighbour *neigh; 278 struct dst_entry *dst; 279 280 skb->dev = bridge_parent(skb->dev); 281 if (!skb->dev) 282 goto free_skb; 283 dst = skb_dst(skb); 284 neigh = dst_neigh_lookup_skb(dst, skb); 285 if (neigh) { 286 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 287 int ret; 288 289 if ((READ_ONCE(neigh->nud_state) & NUD_CONNECTED) && 290 READ_ONCE(neigh->hh.hh_len)) { 291 struct net_device *br_indev; 292 293 br_indev = nf_bridge_get_physindev(skb, net); 294 if (!br_indev) { 295 neigh_release(neigh); 296 goto free_skb; 297 } 298 299 neigh_hh_bridge(&neigh->hh, skb); 300 skb->dev = br_indev; 301 302 ret = br_handle_frame_finish(net, sk, skb); 303 } else { 304 /* the neighbour function below overwrites the complete 305 * MAC header, so we save the Ethernet source address and 306 * protocol number. 307 */ 308 skb_copy_from_linear_data_offset(skb, 309 -(ETH_HLEN-ETH_ALEN), 310 nf_bridge->neigh_header, 311 ETH_HLEN-ETH_ALEN); 312 /* tell br_dev_xmit to continue with forwarding */ 313 nf_bridge->bridged_dnat = 1; 314 /* FIXME Need to refragment */ 315 ret = READ_ONCE(neigh->output)(neigh, skb); 316 } 317 neigh_release(neigh); 318 return ret; 319 } 320 free_skb: 321 kfree_skb(skb); 322 return 0; 323 } 324 325 static inline bool 326 br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb, 327 const struct nf_bridge_info *nf_bridge) 328 { 329 return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr; 330 } 331 332 /* This requires some explaining. If DNAT has taken place, 333 * we will need to fix up the destination Ethernet address. 334 * This is also true when SNAT takes place (for the reply direction). 335 * 336 * There are two cases to consider: 337 * 1. The packet was DNAT'ed to a device in the same bridge 338 * port group as it was received on. We can still bridge 339 * the packet. 340 * 2. The packet was DNAT'ed to a different device, either 341 * a non-bridged device or another bridge port group. 342 * The packet will need to be routed. 343 * 344 * The correct way of distinguishing between these two cases is to 345 * call ip_route_input() and to look at skb->dst->dev, which is 346 * changed to the destination device if ip_route_input() succeeds. 347 * 348 * Let's first consider the case that ip_route_input() succeeds: 349 * 350 * If the output device equals the logical bridge device the packet 351 * came in on, we can consider this bridging. The corresponding MAC 352 * address will be obtained in br_nf_pre_routing_finish_bridge. 353 * Otherwise, the packet is considered to be routed and we just 354 * change the destination MAC address so that the packet will 355 * later be passed up to the IP stack to be routed. For a redirected 356 * packet, ip_route_input() will give back the localhost as output device, 357 * which differs from the bridge device. 358 * 359 * Let's now consider the case that ip_route_input() fails: 360 * 361 * This can be because the destination address is martian, in which case 362 * the packet will be dropped. 363 * If IP forwarding is disabled, ip_route_input() will fail, while 364 * ip_route_output_key() can return success. The source 365 * address for ip_route_output_key() is set to zero, so ip_route_output_key() 366 * thinks we're handling a locally generated packet and won't care 367 * if IP forwarding is enabled. If the output device equals the logical bridge 368 * device, we proceed as if ip_route_input() succeeded. If it differs from the 369 * logical bridge port or if ip_route_output_key() fails we drop the packet. 370 */ 371 static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 372 { 373 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 374 struct net_device *dev = skb->dev, *br_indev; 375 const struct iphdr *iph = ip_hdr(skb); 376 enum skb_drop_reason reason; 377 struct rtable *rt; 378 379 br_indev = nf_bridge_get_physindev(skb, net); 380 if (!br_indev) { 381 kfree_skb(skb); 382 return 0; 383 } 384 385 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size; 386 387 if (nf_bridge->pkt_otherhost) { 388 skb->pkt_type = PACKET_OTHERHOST; 389 nf_bridge->pkt_otherhost = false; 390 } 391 nf_bridge->in_prerouting = 0; 392 if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) { 393 reason = ip_route_input(skb, iph->daddr, iph->saddr, 394 ip4h_dscp(iph), dev); 395 if (reason) { 396 kfree_skb_reason(skb, reason); 397 return 0; 398 } else { 399 if (skb_dst(skb)->dev == dev) { 400 skb->dev = br_indev; 401 nf_bridge_update_protocol(skb); 402 nf_bridge_push_encap_header(skb); 403 br_nf_hook_thresh(NF_BR_PRE_ROUTING, 404 net, sk, skb, skb->dev, 405 NULL, 406 br_nf_pre_routing_finish_bridge); 407 return 0; 408 } 409 ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr); 410 skb->pkt_type = PACKET_HOST; 411 } 412 } else { 413 rt = bridge_parent_rtable(br_indev); 414 if (!rt) { 415 kfree_skb(skb); 416 return 0; 417 } 418 skb_dst_drop(skb); 419 skb_dst_set_noref(skb, &rt->dst); 420 } 421 422 skb->dev = br_indev; 423 nf_bridge_update_protocol(skb); 424 nf_bridge_push_encap_header(skb); 425 br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL, 426 br_handle_frame_finish); 427 return 0; 428 } 429 430 static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, 431 const struct net_device *dev, 432 const struct net *net) 433 { 434 struct net_device *vlan, *br; 435 struct brnf_net *brnet = net_generic(net, brnf_net_id); 436 437 br = bridge_parent(dev); 438 439 if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb)) 440 return br; 441 442 vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto, 443 skb_vlan_tag_get(skb) & VLAN_VID_MASK); 444 445 return vlan ? vlan : br; 446 } 447 448 /* Some common code for IPv4/IPv6 */ 449 struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net) 450 { 451 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 452 453 if (skb->pkt_type == PACKET_OTHERHOST) { 454 skb->pkt_type = PACKET_HOST; 455 nf_bridge->pkt_otherhost = true; 456 } 457 458 nf_bridge->in_prerouting = 1; 459 nf_bridge->physinif = skb->dev->ifindex; 460 skb->dev = brnf_get_logical_dev(skb, skb->dev, net); 461 462 if (skb->protocol == htons(ETH_P_8021Q)) 463 nf_bridge->orig_proto = BRNF_PROTO_8021Q; 464 else if (skb->protocol == htons(ETH_P_PPP_SES)) 465 nf_bridge->orig_proto = BRNF_PROTO_PPPOE; 466 467 /* Must drop socket now because of tproxy. */ 468 skb_orphan(skb); 469 return skb->dev; 470 } 471 472 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6. 473 * Replicate the checks that IPv4 does on packet reception. 474 * Set skb->dev to the bridge device (i.e. parent of the 475 * receiving device) to make netfilter happy, the REDIRECT 476 * target in particular. Save the original destination IP 477 * address to be able to detect DNAT afterwards. */ 478 static unsigned int br_nf_pre_routing(void *priv, 479 struct sk_buff *skb, 480 const struct nf_hook_state *state) 481 { 482 struct nf_bridge_info *nf_bridge; 483 struct net_bridge_port *p; 484 struct net_bridge *br; 485 __u32 len = nf_bridge_encap_header_len(skb); 486 struct brnf_net *brnet; 487 488 if (unlikely(!pskb_may_pull(skb, len))) 489 return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0); 490 491 p = br_port_get_rcu(state->in); 492 if (p == NULL) 493 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0); 494 br = p->br; 495 496 brnet = net_generic(state->net, brnf_net_id); 497 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 498 is_pppoe_ipv6(skb, state->net)) { 499 if (!brnet->call_ip6tables && 500 !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) 501 return NF_ACCEPT; 502 if (!ipv6_mod_enabled()) { 503 pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported."); 504 return NF_DROP_REASON(skb, SKB_DROP_REASON_IPV6DISABLED, 0); 505 } 506 507 nf_bridge_pull_encap_header_rcsum(skb); 508 return br_nf_pre_routing_ipv6(priv, skb, state); 509 } 510 511 if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES)) 512 return NF_ACCEPT; 513 514 if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) && 515 !is_pppoe_ip(skb, state->net)) 516 return NF_ACCEPT; 517 518 nf_bridge_pull_encap_header_rcsum(skb); 519 520 if (br_validate_ipv4(state->net, skb)) 521 return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0); 522 523 if (!nf_bridge_alloc(skb)) 524 return NF_DROP_REASON(skb, SKB_DROP_REASON_NOMEM, 0); 525 if (!setup_pre_routing(skb, state->net)) 526 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0); 527 528 nf_bridge = nf_bridge_info_get(skb); 529 nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; 530 531 skb->protocol = htons(ETH_P_IP); 532 skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; 533 534 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, 535 skb->dev, NULL, 536 br_nf_pre_routing_finish); 537 538 return NF_STOLEN; 539 } 540 541 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 542 /* conntracks' nf_confirm logic cannot handle cloned skbs referencing 543 * the same nf_conn entry, which will happen for multicast (broadcast) 544 * Frames on bridges. 545 * 546 * Example: 547 * macvlan0 548 * br0 549 * ethX ethY 550 * 551 * ethX (or Y) receives multicast or broadcast packet containing 552 * an IP packet, not yet in conntrack table. 553 * 554 * 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. 555 * -> skb->_nfct now references a unconfirmed entry 556 * 2. skb is broad/mcast packet. bridge now passes clones out on each bridge 557 * interface. 558 * 3. skb gets passed up the stack. 559 * 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb 560 * and schedules a work queue to send them out on the lower devices. 561 * 562 * The clone skb->_nfct is not a copy, it is the same entry as the 563 * original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 564 * 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. 565 * 566 * The Macvlan broadcast worker and normal confirm path will race. 567 * 568 * This race will not happen if step 2 already confirmed a clone. In that 569 * case later steps perform skb_clone() with skb->_nfct already confirmed (in 570 * hash table). This works fine. 571 * 572 * But such confirmation won't happen when eb/ip/nftables rules dropped the 573 * packets before they reached the nf_confirm step in postrouting. 574 * 575 * Work around this problem by explicit confirmation of the entry at 576 * LOCAL_IN time, before upper layer has a chance to clone the unconfirmed 577 * entry. 578 * 579 */ 580 static unsigned int br_nf_local_in(void *priv, 581 struct sk_buff *skb, 582 const struct nf_hook_state *state) 583 { 584 bool promisc = BR_INPUT_SKB_CB(skb)->promisc; 585 struct nf_conntrack *nfct = skb_nfct(skb); 586 const struct nf_ct_hook *ct_hook; 587 struct nf_conn *ct; 588 int ret; 589 590 if (promisc) { 591 nf_reset_ct(skb); 592 return NF_ACCEPT; 593 } 594 595 if (!nfct || skb->pkt_type == PACKET_HOST) 596 return NF_ACCEPT; 597 598 ct = container_of(nfct, struct nf_conn, ct_general); 599 if (likely(nf_ct_is_confirmed(ct))) 600 return NF_ACCEPT; 601 602 if (WARN_ON_ONCE(refcount_read(&nfct->use) != 1)) { 603 nf_reset_ct(skb); 604 return NF_ACCEPT; 605 } 606 607 WARN_ON_ONCE(skb_shared(skb)); 608 609 /* We can't call nf_confirm here, it would create a dependency 610 * on nf_conntrack module. 611 */ 612 ct_hook = rcu_dereference(nf_ct_hook); 613 if (!ct_hook) { 614 skb->_nfct = 0ul; 615 nf_conntrack_put(nfct); 616 return NF_ACCEPT; 617 } 618 619 nf_bridge_pull_encap_header(skb); 620 ret = ct_hook->confirm(skb); 621 switch (ret & NF_VERDICT_MASK) { 622 case NF_STOLEN: 623 return NF_STOLEN; 624 default: 625 nf_bridge_push_encap_header(skb); 626 break; 627 } 628 629 ct = container_of(nfct, struct nf_conn, ct_general); 630 WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); 631 632 return ret; 633 } 634 #endif 635 636 /* PF_BRIDGE/FORWARD *************************************************/ 637 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 638 { 639 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 640 struct net_device *in; 641 642 if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) { 643 644 if (skb->protocol == htons(ETH_P_IP)) 645 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size; 646 647 if (skb->protocol == htons(ETH_P_IPV6)) 648 nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size; 649 650 in = nf_bridge_get_physindev(skb, net); 651 if (!in) { 652 kfree_skb(skb); 653 return 0; 654 } 655 if (nf_bridge->pkt_otherhost) { 656 skb->pkt_type = PACKET_OTHERHOST; 657 nf_bridge->pkt_otherhost = false; 658 } 659 nf_bridge_update_protocol(skb); 660 } else { 661 in = *((struct net_device **)(skb->cb)); 662 } 663 nf_bridge_push_encap_header(skb); 664 665 br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev, 666 br_forward_finish); 667 return 0; 668 } 669 670 671 static unsigned int br_nf_forward_ip(struct sk_buff *skb, 672 const struct nf_hook_state *state, 673 u8 pf) 674 { 675 struct nf_bridge_info *nf_bridge; 676 struct net_device *parent; 677 678 nf_bridge = nf_bridge_info_get(skb); 679 if (!nf_bridge) 680 return NF_ACCEPT; 681 682 /* Need exclusive nf_bridge_info since we might have multiple 683 * different physoutdevs. */ 684 if (!nf_bridge_unshare(skb)) 685 return NF_DROP_REASON(skb, SKB_DROP_REASON_NOMEM, 0); 686 687 nf_bridge = nf_bridge_info_get(skb); 688 if (!nf_bridge) 689 return NF_DROP_REASON(skb, SKB_DROP_REASON_NOMEM, 0); 690 691 parent = bridge_parent(state->out); 692 if (!parent) 693 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0); 694 695 nf_bridge_pull_encap_header(skb); 696 697 if (skb->pkt_type == PACKET_OTHERHOST) { 698 skb->pkt_type = PACKET_HOST; 699 nf_bridge->pkt_otherhost = true; 700 } 701 702 if (pf == NFPROTO_IPV4) { 703 if (br_validate_ipv4(state->net, skb)) 704 return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0); 705 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; 706 skb->protocol = htons(ETH_P_IP); 707 } else if (pf == NFPROTO_IPV6) { 708 if (br_validate_ipv6(state->net, skb)) 709 return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0); 710 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; 711 skb->protocol = htons(ETH_P_IPV6); 712 } else { 713 WARN_ON_ONCE(1); 714 return NF_DROP; 715 } 716 717 nf_bridge->physoutdev = skb->dev; 718 719 NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb, 720 brnf_get_logical_dev(skb, state->in, state->net), 721 parent, br_nf_forward_finish); 722 723 return NF_STOLEN; 724 } 725 726 static unsigned int br_nf_forward_arp(struct sk_buff *skb, 727 const struct nf_hook_state *state) 728 { 729 struct net_bridge_port *p; 730 struct net_bridge *br; 731 struct net_device **d = (struct net_device **)(skb->cb); 732 struct brnf_net *brnet; 733 734 p = br_port_get_rcu(state->out); 735 if (p == NULL) 736 return NF_ACCEPT; 737 br = p->br; 738 739 brnet = net_generic(state->net, brnf_net_id); 740 if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES)) 741 return NF_ACCEPT; 742 743 if (is_vlan_arp(skb, state->net)) 744 nf_bridge_pull_encap_header(skb); 745 746 if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) 747 return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0); 748 749 if (arp_hdr(skb)->ar_pln != 4) { 750 if (is_vlan_arp(skb, state->net)) 751 nf_bridge_push_encap_header(skb); 752 return NF_ACCEPT; 753 } 754 *d = state->in; 755 NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb, 756 state->in, state->out, br_nf_forward_finish); 757 758 return NF_STOLEN; 759 } 760 761 /* This is the 'purely bridged' case. For IP, we pass the packet to 762 * netfilter with indev and outdev set to the bridge device, 763 * but we are still able to filter on the 'real' indev/outdev 764 * because of the physdev module. For ARP, indev and outdev are the 765 * bridge ports. 766 */ 767 static unsigned int br_nf_forward(void *priv, 768 struct sk_buff *skb, 769 const struct nf_hook_state *state) 770 { 771 if (IS_IP(skb) || is_vlan_ip(skb, state->net) || 772 is_pppoe_ip(skb, state->net)) 773 return br_nf_forward_ip(skb, state, NFPROTO_IPV4); 774 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 775 is_pppoe_ipv6(skb, state->net)) 776 return br_nf_forward_ip(skb, state, NFPROTO_IPV6); 777 if (IS_ARP(skb) || is_vlan_arp(skb, state->net)) 778 return br_nf_forward_arp(skb, state); 779 780 return NF_ACCEPT; 781 } 782 783 static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) 784 { 785 struct brnf_frag_data *data; 786 int err; 787 788 data = this_cpu_ptr(&brnf_frag_data_storage); 789 err = skb_cow_head(skb, data->size); 790 791 if (err) { 792 kfree_skb(skb); 793 return 0; 794 } 795 796 if (data->vlan_proto) 797 __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci); 798 799 skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size); 800 __skb_push(skb, data->encap_size); 801 802 nf_bridge_info_free(skb); 803 return br_dev_queue_push_xmit(net, sk, skb); 804 } 805 806 static int 807 br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, 808 int (*output)(struct net *, struct sock *, struct sk_buff *)) 809 { 810 unsigned int mtu = ip_skb_dst_mtu(sk, skb); 811 struct iphdr *iph = ip_hdr(skb); 812 813 if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) || 814 (IPCB(skb)->frag_max_size && 815 IPCB(skb)->frag_max_size > mtu))) { 816 IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS); 817 kfree_skb(skb); 818 return -EMSGSIZE; 819 } 820 821 return ip_do_fragment(net, sk, skb, output); 822 } 823 824 static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb) 825 { 826 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 827 828 if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE) 829 return PPPOE_SES_HLEN; 830 return 0; 831 } 832 833 static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) 834 { 835 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 836 unsigned int mtu, mtu_reserved; 837 int ret; 838 839 mtu_reserved = nf_bridge_mtu_reduction(skb); 840 mtu = skb->dev->mtu; 841 842 if (nf_bridge->pkt_otherhost) { 843 skb->pkt_type = PACKET_OTHERHOST; 844 nf_bridge->pkt_otherhost = false; 845 } 846 847 if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) 848 mtu = nf_bridge->frag_max_size; 849 850 nf_bridge_update_protocol(skb); 851 nf_bridge_push_encap_header(skb); 852 853 if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { 854 nf_bridge_info_free(skb); 855 return br_dev_queue_push_xmit(net, sk, skb); 856 } 857 858 /* Fragmentation on metadata/template dst is not supported */ 859 if (unlikely(!skb_valid_dst(skb))) 860 goto drop; 861 862 /* This is wrong! We should preserve the original fragment 863 * boundaries by preserving frag_list rather than refragmenting. 864 */ 865 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) && 866 skb->protocol == htons(ETH_P_IP)) { 867 struct brnf_frag_data *data; 868 869 if (br_validate_ipv4(net, skb)) 870 goto drop; 871 872 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; 873 874 local_lock_nested_bh(&brnf_frag_data_storage.bh_lock); 875 data = this_cpu_ptr(&brnf_frag_data_storage); 876 877 if (skb_vlan_tag_present(skb)) { 878 data->vlan_tci = skb->vlan_tci; 879 data->vlan_proto = skb->vlan_proto; 880 } else { 881 data->vlan_proto = 0; 882 } 883 884 data->encap_size = nf_bridge_encap_header_len(skb); 885 data->size = ETH_HLEN + data->encap_size; 886 887 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 888 data->size); 889 890 ret = br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit); 891 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock); 892 return ret; 893 } 894 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) && 895 skb->protocol == htons(ETH_P_IPV6)) { 896 const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); 897 struct brnf_frag_data *data; 898 899 if (br_validate_ipv6(net, skb)) 900 goto drop; 901 902 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; 903 904 local_lock_nested_bh(&brnf_frag_data_storage.bh_lock); 905 data = this_cpu_ptr(&brnf_frag_data_storage); 906 data->encap_size = nf_bridge_encap_header_len(skb); 907 data->size = ETH_HLEN + data->encap_size; 908 909 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 910 data->size); 911 912 if (v6ops) { 913 ret = v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit); 914 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock); 915 return ret; 916 } 917 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock); 918 919 kfree_skb(skb); 920 return -EMSGSIZE; 921 } 922 nf_bridge_info_free(skb); 923 return br_dev_queue_push_xmit(net, sk, skb); 924 drop: 925 kfree_skb(skb); 926 return 0; 927 } 928 929 /* PF_BRIDGE/POST_ROUTING ********************************************/ 930 static unsigned int br_nf_post_routing(void *priv, 931 struct sk_buff *skb, 932 const struct nf_hook_state *state) 933 { 934 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 935 struct net_device *realoutdev = bridge_parent(skb->dev); 936 u_int8_t pf; 937 938 /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in 939 * on a bridge, but was delivered locally and is now being routed: 940 * 941 * POST_ROUTING was already invoked from the ip stack. 942 */ 943 if (!nf_bridge || !nf_bridge->physoutdev) 944 return NF_ACCEPT; 945 946 if (!realoutdev) 947 return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0); 948 949 if (IS_IP(skb) || is_vlan_ip(skb, state->net) || 950 is_pppoe_ip(skb, state->net)) 951 pf = NFPROTO_IPV4; 952 else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 953 is_pppoe_ipv6(skb, state->net)) 954 pf = NFPROTO_IPV6; 955 else 956 return NF_ACCEPT; 957 958 if (skb->pkt_type == PACKET_OTHERHOST) { 959 skb->pkt_type = PACKET_HOST; 960 nf_bridge->pkt_otherhost = true; 961 } 962 963 nf_bridge_pull_encap_header(skb); 964 if (pf == NFPROTO_IPV4) 965 skb->protocol = htons(ETH_P_IP); 966 else 967 skb->protocol = htons(ETH_P_IPV6); 968 969 NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb, 970 NULL, realoutdev, 971 br_nf_dev_queue_xmit); 972 973 return NF_STOLEN; 974 } 975 976 /* IP/SABOTAGE *****************************************************/ 977 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING 978 * for the second time. */ 979 static unsigned int ip_sabotage_in(void *priv, 980 struct sk_buff *skb, 981 const struct nf_hook_state *state) 982 { 983 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 984 985 if (nf_bridge) { 986 if (nf_bridge->sabotage_in_done) 987 return NF_ACCEPT; 988 989 if (!nf_bridge->in_prerouting && 990 !netif_is_l3_master(skb->dev) && 991 !netif_is_l3_slave(skb->dev)) { 992 nf_bridge->sabotage_in_done = 1; 993 state->okfn(state->net, state->sk, skb); 994 return NF_STOLEN; 995 } 996 } 997 998 return NF_ACCEPT; 999 } 1000 1001 /* This is called when br_netfilter has called into iptables/netfilter, 1002 * and DNAT has taken place on a bridge-forwarded packet. 1003 * 1004 * neigh->output has created a new MAC header, with local br0 MAC 1005 * as saddr. 1006 * 1007 * This restores the original MAC saddr of the bridged packet 1008 * before invoking bridge forward logic to transmit the packet. 1009 */ 1010 static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb) 1011 { 1012 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 1013 struct net_device *br_indev; 1014 1015 br_indev = nf_bridge_get_physindev(skb, dev_net(skb->dev)); 1016 if (!br_indev) { 1017 kfree_skb(skb); 1018 return; 1019 } 1020 1021 skb_pull(skb, ETH_HLEN); 1022 nf_bridge->bridged_dnat = 0; 1023 1024 BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN)); 1025 1026 skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN), 1027 nf_bridge->neigh_header, 1028 ETH_HLEN - ETH_ALEN); 1029 skb->dev = br_indev; 1030 1031 nf_bridge->physoutdev = NULL; 1032 br_handle_frame_finish(dev_net(skb->dev), NULL, skb); 1033 } 1034 1035 static int br_nf_dev_xmit(struct sk_buff *skb) 1036 { 1037 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 1038 1039 if (nf_bridge && nf_bridge->bridged_dnat) { 1040 br_nf_pre_routing_finish_bridge_slow(skb); 1041 return 1; 1042 } 1043 return 0; 1044 } 1045 1046 static const struct nf_br_ops br_ops = { 1047 .br_dev_xmit_hook = br_nf_dev_xmit, 1048 }; 1049 1050 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because 1051 * br_dev_queue_push_xmit is called afterwards */ 1052 static const struct nf_hook_ops br_nf_ops[] = { 1053 { 1054 .hook = br_nf_pre_routing, 1055 .pf = NFPROTO_BRIDGE, 1056 .hooknum = NF_BR_PRE_ROUTING, 1057 .priority = NF_BR_PRI_BRNF, 1058 }, 1059 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 1060 { 1061 .hook = br_nf_local_in, 1062 .pf = NFPROTO_BRIDGE, 1063 .hooknum = NF_BR_LOCAL_IN, 1064 .priority = NF_BR_PRI_LAST, 1065 }, 1066 #endif 1067 { 1068 .hook = br_nf_forward, 1069 .pf = NFPROTO_BRIDGE, 1070 .hooknum = NF_BR_FORWARD, 1071 .priority = NF_BR_PRI_BRNF, 1072 }, 1073 { 1074 .hook = br_nf_post_routing, 1075 .pf = NFPROTO_BRIDGE, 1076 .hooknum = NF_BR_POST_ROUTING, 1077 .priority = NF_BR_PRI_LAST, 1078 }, 1079 { 1080 .hook = ip_sabotage_in, 1081 .pf = NFPROTO_IPV4, 1082 .hooknum = NF_INET_PRE_ROUTING, 1083 .priority = NF_IP_PRI_FIRST, 1084 }, 1085 { 1086 .hook = ip_sabotage_in, 1087 .pf = NFPROTO_IPV6, 1088 .hooknum = NF_INET_PRE_ROUTING, 1089 .priority = NF_IP6_PRI_FIRST, 1090 }, 1091 }; 1092 1093 static int brnf_device_event(struct notifier_block *unused, unsigned long event, 1094 void *ptr) 1095 { 1096 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 1097 struct brnf_net *brnet; 1098 struct net *net; 1099 int ret; 1100 1101 if (event != NETDEV_REGISTER || !netif_is_bridge_master(dev)) 1102 return NOTIFY_DONE; 1103 1104 ASSERT_RTNL(); 1105 1106 net = dev_net(dev); 1107 brnet = net_generic(net, brnf_net_id); 1108 if (brnet->enabled) 1109 return NOTIFY_OK; 1110 1111 ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); 1112 if (ret) 1113 return NOTIFY_BAD; 1114 1115 brnet->enabled = true; 1116 return NOTIFY_OK; 1117 } 1118 1119 static struct notifier_block brnf_notifier __read_mostly = { 1120 .notifier_call = brnf_device_event, 1121 }; 1122 1123 /* recursively invokes nf_hook_slow (again), skipping already-called 1124 * hooks (< NF_BR_PRI_BRNF). 1125 * 1126 * Called with rcu read lock held. 1127 */ 1128 int br_nf_hook_thresh(unsigned int hook, struct net *net, 1129 struct sock *sk, struct sk_buff *skb, 1130 struct net_device *indev, 1131 struct net_device *outdev, 1132 int (*okfn)(struct net *, struct sock *, 1133 struct sk_buff *)) 1134 { 1135 const struct nf_hook_entries *e; 1136 struct nf_hook_state state; 1137 struct nf_hook_ops **ops; 1138 unsigned int i; 1139 int ret; 1140 1141 e = rcu_dereference(net->nf.hooks_bridge[hook]); 1142 if (!e) 1143 return okfn(net, sk, skb); 1144 1145 ops = nf_hook_entries_get_hook_ops(e); 1146 for (i = 0; i < e->num_hook_entries; i++) { 1147 /* These hooks have already been called */ 1148 if (ops[i]->priority < NF_BR_PRI_BRNF) 1149 continue; 1150 1151 /* These hooks have not been called yet, run them. */ 1152 if (ops[i]->priority > NF_BR_PRI_BRNF) 1153 break; 1154 1155 /* take a closer look at NF_BR_PRI_BRNF. */ 1156 if (ops[i]->hook == br_nf_pre_routing) { 1157 /* This hook diverted the skb to this function, 1158 * hooks after this have not been run yet. 1159 */ 1160 i++; 1161 break; 1162 } 1163 } 1164 1165 nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev, 1166 sk, net, okfn); 1167 1168 ret = nf_hook_slow(skb, &state, e, i); 1169 if (ret == 1) 1170 ret = okfn(net, sk, skb); 1171 1172 return ret; 1173 } 1174 1175 #ifdef CONFIG_SYSCTL 1176 static 1177 int brnf_sysctl_call_tables(const struct ctl_table *ctl, int write, 1178 void *buffer, size_t *lenp, loff_t *ppos) 1179 { 1180 int ret; 1181 1182 ret = proc_dointvec(ctl, write, buffer, lenp, ppos); 1183 1184 if (write && *(int *)(ctl->data)) 1185 *(int *)(ctl->data) = 1; 1186 return ret; 1187 } 1188 1189 static struct ctl_table brnf_table[] = { 1190 { 1191 .procname = "bridge-nf-call-arptables", 1192 .maxlen = sizeof(int), 1193 .mode = 0644, 1194 .proc_handler = brnf_sysctl_call_tables, 1195 }, 1196 { 1197 .procname = "bridge-nf-call-iptables", 1198 .maxlen = sizeof(int), 1199 .mode = 0644, 1200 .proc_handler = brnf_sysctl_call_tables, 1201 }, 1202 { 1203 .procname = "bridge-nf-call-ip6tables", 1204 .maxlen = sizeof(int), 1205 .mode = 0644, 1206 .proc_handler = brnf_sysctl_call_tables, 1207 }, 1208 { 1209 .procname = "bridge-nf-filter-vlan-tagged", 1210 .maxlen = sizeof(int), 1211 .mode = 0644, 1212 .proc_handler = brnf_sysctl_call_tables, 1213 }, 1214 { 1215 .procname = "bridge-nf-filter-pppoe-tagged", 1216 .maxlen = sizeof(int), 1217 .mode = 0644, 1218 .proc_handler = brnf_sysctl_call_tables, 1219 }, 1220 { 1221 .procname = "bridge-nf-pass-vlan-input-dev", 1222 .maxlen = sizeof(int), 1223 .mode = 0644, 1224 .proc_handler = brnf_sysctl_call_tables, 1225 }, 1226 }; 1227 1228 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf) 1229 { 1230 brnf->call_iptables = 1; 1231 brnf->call_ip6tables = 1; 1232 brnf->call_arptables = 1; 1233 brnf->filter_vlan_tagged = 0; 1234 brnf->filter_pppoe_tagged = 0; 1235 brnf->pass_vlan_indev = 0; 1236 } 1237 1238 static int br_netfilter_sysctl_init_net(struct net *net) 1239 { 1240 struct ctl_table *table = brnf_table; 1241 struct brnf_net *brnet; 1242 1243 if (!net_eq(net, &init_net)) { 1244 table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL); 1245 if (!table) 1246 return -ENOMEM; 1247 } 1248 1249 brnet = net_generic(net, brnf_net_id); 1250 table[0].data = &brnet->call_arptables; 1251 table[1].data = &brnet->call_iptables; 1252 table[2].data = &brnet->call_ip6tables; 1253 table[3].data = &brnet->filter_vlan_tagged; 1254 table[4].data = &brnet->filter_pppoe_tagged; 1255 table[5].data = &brnet->pass_vlan_indev; 1256 1257 br_netfilter_sysctl_default(brnet); 1258 1259 brnet->ctl_hdr = register_net_sysctl_sz(net, "net/bridge", table, 1260 ARRAY_SIZE(brnf_table)); 1261 if (!brnet->ctl_hdr) { 1262 if (!net_eq(net, &init_net)) 1263 kfree(table); 1264 1265 return -ENOMEM; 1266 } 1267 1268 return 0; 1269 } 1270 1271 static void br_netfilter_sysctl_exit_net(struct net *net, 1272 struct brnf_net *brnet) 1273 { 1274 const struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg; 1275 1276 unregister_net_sysctl_table(brnet->ctl_hdr); 1277 if (!net_eq(net, &init_net)) 1278 kfree(table); 1279 } 1280 1281 static int __net_init brnf_init_net(struct net *net) 1282 { 1283 return br_netfilter_sysctl_init_net(net); 1284 } 1285 #endif 1286 1287 static void __net_exit brnf_exit_net(struct net *net) 1288 { 1289 struct brnf_net *brnet; 1290 1291 brnet = net_generic(net, brnf_net_id); 1292 if (brnet->enabled) { 1293 nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); 1294 brnet->enabled = false; 1295 } 1296 1297 #ifdef CONFIG_SYSCTL 1298 br_netfilter_sysctl_exit_net(net, brnet); 1299 #endif 1300 } 1301 1302 static struct pernet_operations brnf_net_ops __read_mostly = { 1303 #ifdef CONFIG_SYSCTL 1304 .init = brnf_init_net, 1305 #endif 1306 .exit = brnf_exit_net, 1307 .id = &brnf_net_id, 1308 .size = sizeof(struct brnf_net), 1309 }; 1310 1311 static int __init br_netfilter_init(void) 1312 { 1313 int ret; 1314 1315 ret = register_pernet_subsys(&brnf_net_ops); 1316 if (ret < 0) 1317 return ret; 1318 1319 ret = register_netdevice_notifier(&brnf_notifier); 1320 if (ret < 0) { 1321 unregister_pernet_subsys(&brnf_net_ops); 1322 return ret; 1323 } 1324 1325 RCU_INIT_POINTER(nf_br_ops, &br_ops); 1326 printk(KERN_NOTICE "Bridge firewalling registered\n"); 1327 return 0; 1328 } 1329 1330 static void __exit br_netfilter_fini(void) 1331 { 1332 RCU_INIT_POINTER(nf_br_ops, NULL); 1333 unregister_netdevice_notifier(&brnf_notifier); 1334 unregister_pernet_subsys(&brnf_net_ops); 1335 } 1336 1337 module_init(br_netfilter_init); 1338 module_exit(br_netfilter_fini); 1339 1340 MODULE_LICENSE("GPL"); 1341 MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>"); 1342 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); 1343 MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge"); 1344