iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

br_netfilter: use single forward hook for ip and arp

Browse Source 
br_netfilter registers two forward hooks, one for ip and one for arp.

Just use a common function for both and then call the arp/ip helper
as needed.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal
2023-10-20 13:14:25 +02:00
committed by Pablo Neira Ayuso
parent 3cb03edb4d
commit ee6f05dcd6
1 changed files with 34 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
net/bridge/br_netfilter_hooks.c
View File

@ -570,18 +570,12 @@ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff
} }
/* This is the 'purely bridged' case. For IP, we pass the packet to static unsigned int br_nf_forward_ip(struct sk_buff *skb,
* netfilter with indev and outdev set to the bridge device, const struct nf_hook_state *state,
* but we are still able to filter on the 'real' indev/outdev u8 pf)
* because of the physdev module. For ARP, indev and outdev are the
* bridge ports. */
static unsigned int br_nf_forward_ip(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
{ {
struct nf_bridge_info *nf_bridge; struct nf_bridge_info *nf_bridge;
struct net_device *parent; struct net_device *parent;
u_int8_t pf;
nf_bridge = nf_bridge_info_get(skb); nf_bridge = nf_bridge_info_get(skb);
if (!nf_bridge) if (!nf_bridge)
@ -600,15 +594,6 @@ static unsigned int br_nf_forward_ip(void *priv,
if (!parent) if (!parent)
return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0); return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0);
if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
is_pppoe_ip(skb, state->net))
pf = NFPROTO_IPV4;
else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
is_pppoe_ipv6(skb, state->net))
pf = NFPROTO_IPV6;
else
return NF_ACCEPT;
nf_bridge_pull_encap_header(skb); nf_bridge_pull_encap_header(skb);
if (skb->pkt_type == PACKET_OTHERHOST) { if (skb->pkt_type == PACKET_OTHERHOST) {
@ -620,19 +605,18 @@ static unsigned int br_nf_forward_ip(void *priv,
if (br_validate_ipv4(state->net, skb)) if (br_validate_ipv4(state->net, skb))
return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0); return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
} skb->protocol = htons(ETH_P_IP);
} else if (pf == NFPROTO_IPV6) {
if (pf == NFPROTO_IPV6) {
if (br_validate_ipv6(state->net, skb)) if (br_validate_ipv6(state->net, skb))
return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0); return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
skb->protocol = htons(ETH_P_IPV6);
} else {
WARN_ON_ONCE(1);
return NF_DROP;
} }
nf_bridge->physoutdev = skb->dev; nf_bridge->physoutdev = skb->dev;
if (pf == NFPROTO_IPV4)
skb->protocol = htons(ETH_P_IP);
else
skb->protocol = htons(ETH_P_IPV6);
NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb, NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,
brnf_get_logical_dev(skb, state->in, state->net), brnf_get_logical_dev(skb, state->in, state->net),
@ -641,8 +625,7 @@ static unsigned int br_nf_forward_ip(void *priv,
return NF_STOLEN; return NF_STOLEN;
} }
static unsigned int br_nf_forward_arp(void *priv, static unsigned int br_nf_forward_arp(struct sk_buff *skb,
struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
struct net_bridge_port *p; struct net_bridge_port *p;
@ -659,11 +642,8 @@ static unsigned int br_nf_forward_arp(void *priv,
if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES)) if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
return NF_ACCEPT; return NF_ACCEPT;
if (!IS_ARP(skb)) { if (is_vlan_arp(skb, state->net))
if (!is_vlan_arp(skb, state->net))
return NF_ACCEPT;
nf_bridge_pull_encap_header(skb); nf_bridge_pull_encap_header(skb);
}
if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0); return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0);
@ -680,6 +660,28 @@ static unsigned int br_nf_forward_arp(void *priv,
return NF_STOLEN; return NF_STOLEN;
} }
/* This is the 'purely bridged' case. For IP, we pass the packet to
* netfilter with indev and outdev set to the bridge device,
* but we are still able to filter on the 'real' indev/outdev
* because of the physdev module. For ARP, indev and outdev are the
* bridge ports.
*/
static unsigned int br_nf_forward(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
is_pppoe_ip(skb, state->net))
return br_nf_forward_ip(skb, state, NFPROTO_IPV4);
if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
is_pppoe_ipv6(skb, state->net))
return br_nf_forward_ip(skb, state, NFPROTO_IPV6);
if (IS_ARP(skb) || is_vlan_arp(skb, state->net))
return br_nf_forward_arp(skb, state);
return NF_ACCEPT;
}
static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
{ {
struct brnf_frag_data *data; struct brnf_frag_data *data;
@ -937,13 +939,7 @@ static const struct nf_hook_ops br_nf_ops[] = {
.priority = NF_BR_PRI_BRNF, .priority = NF_BR_PRI_BRNF,
}, },
{ {
.hook = br_nf_forward_ip, .hook = br_nf_forward,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_BRNF - 1,
},
{
.hook = br_nf_forward_arp,
.pf = NFPROTO_BRIDGE, .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_FORWARD, .hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_BRNF, .priority = NF_BR_PRI_BRNF,