1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Handle firewalling 4 * Linux ethernet bridge 5 * 6 * Authors: 7 * Lennert Buytenhek <buytenh@gnu.org> 8 * Bart De Schuymer <bdschuym@pandora.be> 9 * 10 * Lennert dedicates this file to Kerstin Wurdinger. 11 */ 12 13 #include <linux/module.h> 14 #include <linux/kernel.h> 15 #include <linux/slab.h> 16 #include <linux/ip.h> 17 #include <linux/netdevice.h> 18 #include <linux/skbuff.h> 19 #include <linux/if_arp.h> 20 #include <linux/if_ether.h> 21 #include <linux/if_vlan.h> 22 #include <linux/if_pppox.h> 23 #include <linux/ppp_defs.h> 24 #include <linux/netfilter_bridge.h> 25 #include <uapi/linux/netfilter_bridge.h> 26 #include <linux/netfilter_ipv4.h> 27 #include <linux/netfilter_ipv6.h> 28 #include <linux/netfilter_arp.h> 29 #include <linux/in_route.h> 30 #include <linux/rculist.h> 31 #include <linux/inetdevice.h> 32 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <net/addrconf.h> 36 #include <net/route.h> 37 #include <net/netfilter/br_netfilter.h> 38 #include <net/netns/generic.h> 39 40 #include <linux/uaccess.h> 41 #include "br_private.h" 42 #ifdef CONFIG_SYSCTL 43 #include <linux/sysctl.h> 44 #endif 45 46 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 47 #include <net/netfilter/nf_conntrack_core.h> 48 #endif 49 50 static unsigned int brnf_net_id __read_mostly; 51 52 struct brnf_net { 53 bool enabled; 54 55 #ifdef CONFIG_SYSCTL 56 struct ctl_table_header *ctl_hdr; 57 #endif 58 59 /* default value is 1 */ 60 int call_iptables; 61 int call_ip6tables; 62 int call_arptables; 63 64 /* default value is 0 */ 65 int filter_vlan_tagged; 66 int filter_pppoe_tagged; 67 int pass_vlan_indev; 68 }; 69 70 #define IS_IP(skb) \ 71 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP)) 72 73 #define IS_IPV6(skb) \ 74 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6)) 75 76 #define IS_ARP(skb) \ 77 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP)) 78 79 static inline __be16 vlan_proto(const struct sk_buff *skb) 80 { 81 if (skb_vlan_tag_present(skb)) 82 return skb->protocol; 83 else if (skb->protocol == htons(ETH_P_8021Q)) 84 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto; 85 else 86 return 0; 87 } 88 89 static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net) 90 { 91 struct brnf_net *brnet = net_generic(net, brnf_net_id); 92 93 return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged; 94 } 95 96 static inline bool is_vlan_ipv6(const struct sk_buff *skb, 97 const struct net *net) 98 { 99 struct brnf_net *brnet = net_generic(net, brnf_net_id); 100 101 return vlan_proto(skb) == htons(ETH_P_IPV6) && 102 brnet->filter_vlan_tagged; 103 } 104 105 static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net) 106 { 107 struct brnf_net *brnet = net_generic(net, brnf_net_id); 108 109 return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged; 110 } 111 112 static inline __be16 pppoe_proto(const struct sk_buff *skb) 113 { 114 return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN + 115 sizeof(struct pppoe_hdr))); 116 } 117 118 static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net) 119 { 120 struct brnf_net *brnet = net_generic(net, brnf_net_id); 121 122 return skb->protocol == htons(ETH_P_PPP_SES) && 123 pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged; 124 } 125 126 static inline bool is_pppoe_ipv6(const struct sk_buff *skb, 127 const struct net *net) 128 { 129 struct brnf_net *brnet = net_generic(net, brnf_net_id); 130 131 return skb->protocol == htons(ETH_P_PPP_SES) && 132 pppoe_proto(skb) == htons(PPP_IPV6) && 133 brnet->filter_pppoe_tagged; 134 } 135 136 /* largest possible L2 header, see br_nf_dev_queue_xmit() */ 137 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN) 138 139 struct brnf_frag_data { 140 char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH]; 141 u8 encap_size; 142 u8 size; 143 u16 vlan_tci; 144 __be16 vlan_proto; 145 }; 146 147 static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage); 148 149 static void nf_bridge_info_free(struct sk_buff *skb) 150 { 151 skb_ext_del(skb, SKB_EXT_BRIDGE_NF); 152 } 153 154 static inline struct net_device *bridge_parent(const struct net_device *dev) 155 { 156 struct net_bridge_port *port; 157 158 port = br_port_get_rcu(dev); 159 return port ? port->br->dev : NULL; 160 } 161 162 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb) 163 { 164 return skb_ext_add(skb, SKB_EXT_BRIDGE_NF); 165 } 166 167 unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb) 168 { 169 switch (skb->protocol) { 170 case __cpu_to_be16(ETH_P_8021Q): 171 return VLAN_HLEN; 172 case __cpu_to_be16(ETH_P_PPP_SES): 173 return PPPOE_SES_HLEN; 174 default: 175 return 0; 176 } 177 } 178 179 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb) 180 { 181 unsigned int len = nf_bridge_encap_header_len(skb); 182 183 skb_pull(skb, len); 184 skb->network_header += len; 185 } 186 187 static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb) 188 { 189 unsigned int len = nf_bridge_encap_header_len(skb); 190 191 skb_pull_rcsum(skb, len); 192 skb->network_header += len; 193 } 194 195 /* When handing a packet over to the IP layer 196 * check whether we have a skb that is in the 197 * expected format 198 */ 199 200 static int br_validate_ipv4(struct net *net, struct sk_buff *skb) 201 { 202 const struct iphdr *iph; 203 u32 len; 204 205 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 206 goto inhdr_error; 207 208 iph = ip_hdr(skb); 209 210 /* Basic sanity checks */ 211 if (iph->ihl < 5 || iph->version != 4) 212 goto inhdr_error; 213 214 if (!pskb_may_pull(skb, iph->ihl*4)) 215 goto inhdr_error; 216 217 iph = ip_hdr(skb); 218 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl))) 219 goto csum_error; 220 221 len = skb_ip_totlen(skb); 222 if (skb->len < len) { 223 __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS); 224 goto drop; 225 } else if (len < (iph->ihl*4)) 226 goto inhdr_error; 227 228 if (pskb_trim_rcsum(skb, len)) { 229 __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS); 230 goto drop; 231 } 232 233 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); 234 /* We should really parse IP options here but until 235 * somebody who actually uses IP options complains to 236 * us we'll just silently ignore the options because 237 * we're lazy! 238 */ 239 return 0; 240 241 csum_error: 242 __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS); 243 inhdr_error: 244 __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS); 245 drop: 246 return -1; 247 } 248 249 void nf_bridge_update_protocol(struct sk_buff *skb) 250 { 251 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 252 253 switch (nf_bridge->orig_proto) { 254 case BRNF_PROTO_8021Q: 255 skb->protocol = htons(ETH_P_8021Q); 256 break; 257 case BRNF_PROTO_PPPOE: 258 skb->protocol = htons(ETH_P_PPP_SES); 259 break; 260 case BRNF_PROTO_UNCHANGED: 261 break; 262 } 263 } 264 265 /* Obtain the correct destination MAC address, while preserving the original 266 * source MAC address. If we already know this address, we just copy it. If we 267 * don't, we use the neighbour framework to find out. In both cases, we make 268 * sure that br_handle_frame_finish() is called afterwards. 269 */ 270 int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb) 271 { 272 struct neighbour *neigh; 273 struct dst_entry *dst; 274 275 skb->dev = bridge_parent(skb->dev); 276 if (!skb->dev) 277 goto free_skb; 278 dst = skb_dst(skb); 279 neigh = dst_neigh_lookup_skb(dst, skb); 280 if (neigh) { 281 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 282 int ret; 283 284 if ((READ_ONCE(neigh->nud_state) & NUD_CONNECTED) && 285 READ_ONCE(neigh->hh.hh_len)) { 286 struct net_device *br_indev; 287 288 br_indev = nf_bridge_get_physindev(skb, net); 289 if (!br_indev) { 290 neigh_release(neigh); 291 goto free_skb; 292 } 293 294 neigh_hh_bridge(&neigh->hh, skb); 295 skb->dev = br_indev; 296 297 ret = br_handle_frame_finish(net, sk, skb); 298 } else { 299 /* the neighbour function below overwrites the complete 300 * MAC header, so we save the Ethernet source address and 301 * protocol number. 302 */ 303 skb_copy_from_linear_data_offset(skb, 304 -(ETH_HLEN-ETH_ALEN), 305 nf_bridge->neigh_header, 306 ETH_HLEN-ETH_ALEN); 307 /* tell br_dev_xmit to continue with forwarding */ 308 nf_bridge->bridged_dnat = 1; 309 /* FIXME Need to refragment */ 310 ret = READ_ONCE(neigh->output)(neigh, skb); 311 } 312 neigh_release(neigh); 313 return ret; 314 } 315 free_skb: 316 kfree_skb(skb); 317 return 0; 318 } 319 320 static inline bool 321 br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb, 322 const struct nf_bridge_info *nf_bridge) 323 { 324 return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr; 325 } 326 327 /* This requires some explaining. If DNAT has taken place, 328 * we will need to fix up the destination Ethernet address. 329 * This is also true when SNAT takes place (for the reply direction). 330 * 331 * There are two cases to consider: 332 * 1. The packet was DNAT'ed to a device in the same bridge 333 * port group as it was received on. We can still bridge 334 * the packet. 335 * 2. The packet was DNAT'ed to a different device, either 336 * a non-bridged device or another bridge port group. 337 * The packet will need to be routed. 338 * 339 * The correct way of distinguishing between these two cases is to 340 * call ip_route_input() and to look at skb->dst->dev, which is 341 * changed to the destination device if ip_route_input() succeeds. 342 * 343 * Let's first consider the case that ip_route_input() succeeds: 344 * 345 * If the output device equals the logical bridge device the packet 346 * came in on, we can consider this bridging. The corresponding MAC 347 * address will be obtained in br_nf_pre_routing_finish_bridge. 348 * Otherwise, the packet is considered to be routed and we just 349 * change the destination MAC address so that the packet will 350 * later be passed up to the IP stack to be routed. For a redirected 351 * packet, ip_route_input() will give back the localhost as output device, 352 * which differs from the bridge device. 353 * 354 * Let's now consider the case that ip_route_input() fails: 355 * 356 * This can be because the destination address is martian, in which case 357 * the packet will be dropped. 358 * If IP forwarding is disabled, ip_route_input() will fail, while 359 * ip_route_output_key() can return success. The source 360 * address for ip_route_output_key() is set to zero, so ip_route_output_key() 361 * thinks we're handling a locally generated packet and won't care 362 * if IP forwarding is enabled. If the output device equals the logical bridge 363 * device, we proceed as if ip_route_input() succeeded. If it differs from the 364 * logical bridge port or if ip_route_output_key() fails we drop the packet. 365 */ 366 static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 367 { 368 struct net_device *dev = skb->dev, *br_indev; 369 struct iphdr *iph = ip_hdr(skb); 370 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 371 struct rtable *rt; 372 int err; 373 374 br_indev = nf_bridge_get_physindev(skb, net); 375 if (!br_indev) { 376 kfree_skb(skb); 377 return 0; 378 } 379 380 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size; 381 382 if (nf_bridge->pkt_otherhost) { 383 skb->pkt_type = PACKET_OTHERHOST; 384 nf_bridge->pkt_otherhost = false; 385 } 386 nf_bridge->in_prerouting = 0; 387 if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) { 388 if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) { 389 struct in_device *in_dev = __in_dev_get_rcu(dev); 390 391 /* If err equals -EHOSTUNREACH the error is due to a 392 * martian destination or due to the fact that 393 * forwarding is disabled. For most martian packets, 394 * ip_route_output_key() will fail. It won't fail for 2 types of 395 * martian destinations: loopback destinations and destination 396 * 0.0.0.0. In both cases the packet will be dropped because the 397 * destination is the loopback device and not the bridge. */ 398 if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev)) 399 goto free_skb; 400 401 rt = ip_route_output(net, iph->daddr, 0, 402 RT_TOS(iph->tos), 0); 403 if (!IS_ERR(rt)) { 404 /* - Bridged-and-DNAT'ed traffic doesn't 405 * require ip_forwarding. */ 406 if (rt->dst.dev == dev) { 407 skb_dst_drop(skb); 408 skb_dst_set(skb, &rt->dst); 409 goto bridged_dnat; 410 } 411 ip_rt_put(rt); 412 } 413 free_skb: 414 kfree_skb(skb); 415 return 0; 416 } else { 417 if (skb_dst(skb)->dev == dev) { 418 bridged_dnat: 419 skb->dev = br_indev; 420 nf_bridge_update_protocol(skb); 421 nf_bridge_push_encap_header(skb); 422 br_nf_hook_thresh(NF_BR_PRE_ROUTING, 423 net, sk, skb, skb->dev, 424 NULL, 425 br_nf_pre_routing_finish_bridge); 426 return 0; 427 } 428 ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr); 429 skb->pkt_type = PACKET_HOST; 430 } 431 } else { 432 rt = bridge_parent_rtable(br_indev); 433 if (!rt) { 434 kfree_skb(skb); 435 return 0; 436 } 437 skb_dst_drop(skb); 438 skb_dst_set_noref(skb, &rt->dst); 439 } 440 441 skb->dev = br_indev; 442 nf_bridge_update_protocol(skb); 443 nf_bridge_push_encap_header(skb); 444 br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL, 445 br_handle_frame_finish); 446 return 0; 447 } 448 449 static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, 450 const struct net_device *dev, 451 const struct net *net) 452 { 453 struct net_device *vlan, *br; 454 struct brnf_net *brnet = net_generic(net, brnf_net_id); 455 456 br = bridge_parent(dev); 457 458 if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb)) 459 return br; 460 461 vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto, 462 skb_vlan_tag_get(skb) & VLAN_VID_MASK); 463 464 return vlan ? vlan : br; 465 } 466 467 /* Some common code for IPv4/IPv6 */ 468 struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net) 469 { 470 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 471 472 if (skb->pkt_type == PACKET_OTHERHOST) { 473 skb->pkt_type = PACKET_HOST; 474 nf_bridge->pkt_otherhost = true; 475 } 476 477 nf_bridge->in_prerouting = 1; 478 nf_bridge->physinif = skb->dev->ifindex; 479 skb->dev = brnf_get_logical_dev(skb, skb->dev, net); 480 481 if (skb->protocol == htons(ETH_P_8021Q)) 482 nf_bridge->orig_proto = BRNF_PROTO_8021Q; 483 else if (skb->protocol == htons(ETH_P_PPP_SES)) 484 nf_bridge->orig_proto = BRNF_PROTO_PPPOE; 485 486 /* Must drop socket now because of tproxy. */ 487 skb_orphan(skb); 488 return skb->dev; 489 } 490 491 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6. 492 * Replicate the checks that IPv4 does on packet reception. 493 * Set skb->dev to the bridge device (i.e. parent of the 494 * receiving device) to make netfilter happy, the REDIRECT 495 * target in particular. Save the original destination IP 496 * address to be able to detect DNAT afterwards. */ 497 static unsigned int br_nf_pre_routing(void *priv, 498 struct sk_buff *skb, 499 const struct nf_hook_state *state) 500 { 501 struct nf_bridge_info *nf_bridge; 502 struct net_bridge_port *p; 503 struct net_bridge *br; 504 __u32 len = nf_bridge_encap_header_len(skb); 505 struct brnf_net *brnet; 506 507 if (unlikely(!pskb_may_pull(skb, len))) 508 return NF_DROP; 509 510 p = br_port_get_rcu(state->in); 511 if (p == NULL) 512 return NF_DROP; 513 br = p->br; 514 515 brnet = net_generic(state->net, brnf_net_id); 516 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 517 is_pppoe_ipv6(skb, state->net)) { 518 if (!brnet->call_ip6tables && 519 !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) 520 return NF_ACCEPT; 521 if (!ipv6_mod_enabled()) { 522 pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported."); 523 return NF_DROP; 524 } 525 526 nf_bridge_pull_encap_header_rcsum(skb); 527 return br_nf_pre_routing_ipv6(priv, skb, state); 528 } 529 530 if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES)) 531 return NF_ACCEPT; 532 533 if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) && 534 !is_pppoe_ip(skb, state->net)) 535 return NF_ACCEPT; 536 537 nf_bridge_pull_encap_header_rcsum(skb); 538 539 if (br_validate_ipv4(state->net, skb)) 540 return NF_DROP; 541 542 if (!nf_bridge_alloc(skb)) 543 return NF_DROP; 544 if (!setup_pre_routing(skb, state->net)) 545 return NF_DROP; 546 547 nf_bridge = nf_bridge_info_get(skb); 548 nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; 549 550 skb->protocol = htons(ETH_P_IP); 551 skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; 552 553 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, 554 skb->dev, NULL, 555 br_nf_pre_routing_finish); 556 557 return NF_STOLEN; 558 } 559 560 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 561 /* conntracks' nf_confirm logic cannot handle cloned skbs referencing 562 * the same nf_conn entry, which will happen for multicast (broadcast) 563 * Frames on bridges. 564 * 565 * Example: 566 * macvlan0 567 * br0 568 * ethX ethY 569 * 570 * ethX (or Y) receives multicast or broadcast packet containing 571 * an IP packet, not yet in conntrack table. 572 * 573 * 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. 574 * -> skb->_nfct now references a unconfirmed entry 575 * 2. skb is broad/mcast packet. bridge now passes clones out on each bridge 576 * interface. 577 * 3. skb gets passed up the stack. 578 * 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb 579 * and schedules a work queue to send them out on the lower devices. 580 * 581 * The clone skb->_nfct is not a copy, it is the same entry as the 582 * original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 583 * 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. 584 * 585 * The Macvlan broadcast worker and normal confirm path will race. 586 * 587 * This race will not happen if step 2 already confirmed a clone. In that 588 * case later steps perform skb_clone() with skb->_nfct already confirmed (in 589 * hash table). This works fine. 590 * 591 * But such confirmation won't happen when eb/ip/nftables rules dropped the 592 * packets before they reached the nf_confirm step in postrouting. 593 * 594 * Work around this problem by explicit confirmation of the entry at 595 * LOCAL_IN time, before upper layer has a chance to clone the unconfirmed 596 * entry. 597 * 598 */ 599 static unsigned int br_nf_local_in(void *priv, 600 struct sk_buff *skb, 601 const struct nf_hook_state *state) 602 { 603 bool promisc = BR_INPUT_SKB_CB(skb)->promisc; 604 struct nf_conntrack *nfct = skb_nfct(skb); 605 const struct nf_ct_hook *ct_hook; 606 struct nf_conn *ct; 607 int ret; 608 609 if (promisc) { 610 nf_reset_ct(skb); 611 return NF_ACCEPT; 612 } 613 614 if (!nfct || skb->pkt_type == PACKET_HOST) 615 return NF_ACCEPT; 616 617 ct = container_of(nfct, struct nf_conn, ct_general); 618 if (likely(nf_ct_is_confirmed(ct))) 619 return NF_ACCEPT; 620 621 WARN_ON_ONCE(skb_shared(skb)); 622 WARN_ON_ONCE(refcount_read(&nfct->use) != 1); 623 624 /* We can't call nf_confirm here, it would create a dependency 625 * on nf_conntrack module. 626 */ 627 ct_hook = rcu_dereference(nf_ct_hook); 628 if (!ct_hook) { 629 skb->_nfct = 0ul; 630 nf_conntrack_put(nfct); 631 return NF_ACCEPT; 632 } 633 634 nf_bridge_pull_encap_header(skb); 635 ret = ct_hook->confirm(skb); 636 switch (ret & NF_VERDICT_MASK) { 637 case NF_STOLEN: 638 return NF_STOLEN; 639 default: 640 nf_bridge_push_encap_header(skb); 641 break; 642 } 643 644 ct = container_of(nfct, struct nf_conn, ct_general); 645 WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); 646 647 return ret; 648 } 649 #endif 650 651 /* PF_BRIDGE/FORWARD *************************************************/ 652 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 653 { 654 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 655 struct net_device *in; 656 657 if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) { 658 659 if (skb->protocol == htons(ETH_P_IP)) 660 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size; 661 662 if (skb->protocol == htons(ETH_P_IPV6)) 663 nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size; 664 665 in = nf_bridge_get_physindev(skb, net); 666 if (!in) { 667 kfree_skb(skb); 668 return 0; 669 } 670 if (nf_bridge->pkt_otherhost) { 671 skb->pkt_type = PACKET_OTHERHOST; 672 nf_bridge->pkt_otherhost = false; 673 } 674 nf_bridge_update_protocol(skb); 675 } else { 676 in = *((struct net_device **)(skb->cb)); 677 } 678 nf_bridge_push_encap_header(skb); 679 680 br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev, 681 br_forward_finish); 682 return 0; 683 } 684 685 686 /* This is the 'purely bridged' case. For IP, we pass the packet to 687 * netfilter with indev and outdev set to the bridge device, 688 * but we are still able to filter on the 'real' indev/outdev 689 * because of the physdev module. For ARP, indev and outdev are the 690 * bridge ports. */ 691 static unsigned int br_nf_forward_ip(void *priv, 692 struct sk_buff *skb, 693 const struct nf_hook_state *state) 694 { 695 struct nf_bridge_info *nf_bridge; 696 struct net_device *parent; 697 u_int8_t pf; 698 699 nf_bridge = nf_bridge_info_get(skb); 700 if (!nf_bridge) 701 return NF_ACCEPT; 702 703 /* Need exclusive nf_bridge_info since we might have multiple 704 * different physoutdevs. */ 705 if (!nf_bridge_unshare(skb)) 706 return NF_DROP; 707 708 nf_bridge = nf_bridge_info_get(skb); 709 if (!nf_bridge) 710 return NF_DROP; 711 712 parent = bridge_parent(state->out); 713 if (!parent) 714 return NF_DROP; 715 716 if (IS_IP(skb) || is_vlan_ip(skb, state->net) || 717 is_pppoe_ip(skb, state->net)) 718 pf = NFPROTO_IPV4; 719 else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 720 is_pppoe_ipv6(skb, state->net)) 721 pf = NFPROTO_IPV6; 722 else 723 return NF_ACCEPT; 724 725 nf_bridge_pull_encap_header(skb); 726 727 if (skb->pkt_type == PACKET_OTHERHOST) { 728 skb->pkt_type = PACKET_HOST; 729 nf_bridge->pkt_otherhost = true; 730 } 731 732 if (pf == NFPROTO_IPV4) { 733 if (br_validate_ipv4(state->net, skb)) 734 return NF_DROP; 735 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; 736 } 737 738 if (pf == NFPROTO_IPV6) { 739 if (br_validate_ipv6(state->net, skb)) 740 return NF_DROP; 741 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; 742 } 743 744 nf_bridge->physoutdev = skb->dev; 745 if (pf == NFPROTO_IPV4) 746 skb->protocol = htons(ETH_P_IP); 747 else 748 skb->protocol = htons(ETH_P_IPV6); 749 750 NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb, 751 brnf_get_logical_dev(skb, state->in, state->net), 752 parent, br_nf_forward_finish); 753 754 return NF_STOLEN; 755 } 756 757 static unsigned int br_nf_forward_arp(void *priv, 758 struct sk_buff *skb, 759 const struct nf_hook_state *state) 760 { 761 struct net_bridge_port *p; 762 struct net_bridge *br; 763 struct net_device **d = (struct net_device **)(skb->cb); 764 struct brnf_net *brnet; 765 766 p = br_port_get_rcu(state->out); 767 if (p == NULL) 768 return NF_ACCEPT; 769 br = p->br; 770 771 brnet = net_generic(state->net, brnf_net_id); 772 if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES)) 773 return NF_ACCEPT; 774 775 if (!IS_ARP(skb)) { 776 if (!is_vlan_arp(skb, state->net)) 777 return NF_ACCEPT; 778 nf_bridge_pull_encap_header(skb); 779 } 780 781 if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) 782 return NF_DROP; 783 784 if (arp_hdr(skb)->ar_pln != 4) { 785 if (is_vlan_arp(skb, state->net)) 786 nf_bridge_push_encap_header(skb); 787 return NF_ACCEPT; 788 } 789 *d = state->in; 790 NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb, 791 state->in, state->out, br_nf_forward_finish); 792 793 return NF_STOLEN; 794 } 795 796 static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) 797 { 798 struct brnf_frag_data *data; 799 int err; 800 801 data = this_cpu_ptr(&brnf_frag_data_storage); 802 err = skb_cow_head(skb, data->size); 803 804 if (err) { 805 kfree_skb(skb); 806 return 0; 807 } 808 809 if (data->vlan_proto) 810 __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci); 811 812 skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size); 813 __skb_push(skb, data->encap_size); 814 815 nf_bridge_info_free(skb); 816 return br_dev_queue_push_xmit(net, sk, skb); 817 } 818 819 static int 820 br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, 821 int (*output)(struct net *, struct sock *, struct sk_buff *)) 822 { 823 unsigned int mtu = ip_skb_dst_mtu(sk, skb); 824 struct iphdr *iph = ip_hdr(skb); 825 826 if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) || 827 (IPCB(skb)->frag_max_size && 828 IPCB(skb)->frag_max_size > mtu))) { 829 IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS); 830 kfree_skb(skb); 831 return -EMSGSIZE; 832 } 833 834 return ip_do_fragment(net, sk, skb, output); 835 } 836 837 static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb) 838 { 839 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 840 841 if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE) 842 return PPPOE_SES_HLEN; 843 return 0; 844 } 845 846 static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) 847 { 848 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 849 unsigned int mtu, mtu_reserved; 850 851 mtu_reserved = nf_bridge_mtu_reduction(skb); 852 mtu = skb->dev->mtu; 853 854 if (nf_bridge->pkt_otherhost) { 855 skb->pkt_type = PACKET_OTHERHOST; 856 nf_bridge->pkt_otherhost = false; 857 } 858 859 if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) 860 mtu = nf_bridge->frag_max_size; 861 862 nf_bridge_update_protocol(skb); 863 nf_bridge_push_encap_header(skb); 864 865 if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { 866 nf_bridge_info_free(skb); 867 return br_dev_queue_push_xmit(net, sk, skb); 868 } 869 870 /* This is wrong! We should preserve the original fragment 871 * boundaries by preserving frag_list rather than refragmenting. 872 */ 873 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) && 874 skb->protocol == htons(ETH_P_IP)) { 875 struct brnf_frag_data *data; 876 877 if (br_validate_ipv4(net, skb)) 878 goto drop; 879 880 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; 881 882 data = this_cpu_ptr(&brnf_frag_data_storage); 883 884 if (skb_vlan_tag_present(skb)) { 885 data->vlan_tci = skb->vlan_tci; 886 data->vlan_proto = skb->vlan_proto; 887 } else { 888 data->vlan_proto = 0; 889 } 890 891 data->encap_size = nf_bridge_encap_header_len(skb); 892 data->size = ETH_HLEN + data->encap_size; 893 894 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 895 data->size); 896 897 return br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit); 898 } 899 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) && 900 skb->protocol == htons(ETH_P_IPV6)) { 901 const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); 902 struct brnf_frag_data *data; 903 904 if (br_validate_ipv6(net, skb)) 905 goto drop; 906 907 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; 908 909 data = this_cpu_ptr(&brnf_frag_data_storage); 910 data->encap_size = nf_bridge_encap_header_len(skb); 911 data->size = ETH_HLEN + data->encap_size; 912 913 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 914 data->size); 915 916 if (v6ops) 917 return v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit); 918 919 kfree_skb(skb); 920 return -EMSGSIZE; 921 } 922 nf_bridge_info_free(skb); 923 return br_dev_queue_push_xmit(net, sk, skb); 924 drop: 925 kfree_skb(skb); 926 return 0; 927 } 928 929 /* PF_BRIDGE/POST_ROUTING ********************************************/ 930 static unsigned int br_nf_post_routing(void *priv, 931 struct sk_buff *skb, 932 const struct nf_hook_state *state) 933 { 934 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 935 struct net_device *realoutdev = bridge_parent(skb->dev); 936 u_int8_t pf; 937 938 /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in 939 * on a bridge, but was delivered locally and is now being routed: 940 * 941 * POST_ROUTING was already invoked from the ip stack. 942 */ 943 if (!nf_bridge || !nf_bridge->physoutdev) 944 return NF_ACCEPT; 945 946 if (!realoutdev) 947 return NF_DROP; 948 949 if (IS_IP(skb) || is_vlan_ip(skb, state->net) || 950 is_pppoe_ip(skb, state->net)) 951 pf = NFPROTO_IPV4; 952 else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 953 is_pppoe_ipv6(skb, state->net)) 954 pf = NFPROTO_IPV6; 955 else 956 return NF_ACCEPT; 957 958 if (skb->pkt_type == PACKET_OTHERHOST) { 959 skb->pkt_type = PACKET_HOST; 960 nf_bridge->pkt_otherhost = true; 961 } 962 963 nf_bridge_pull_encap_header(skb); 964 if (pf == NFPROTO_IPV4) 965 skb->protocol = htons(ETH_P_IP); 966 else 967 skb->protocol = htons(ETH_P_IPV6); 968 969 NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb, 970 NULL, realoutdev, 971 br_nf_dev_queue_xmit); 972 973 return NF_STOLEN; 974 } 975 976 /* IP/SABOTAGE *****************************************************/ 977 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING 978 * for the second time. */ 979 static unsigned int ip_sabotage_in(void *priv, 980 struct sk_buff *skb, 981 const struct nf_hook_state *state) 982 { 983 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 984 985 if (nf_bridge) { 986 if (nf_bridge->sabotage_in_done) 987 return NF_ACCEPT; 988 989 if (!nf_bridge->in_prerouting && 990 !netif_is_l3_master(skb->dev) && 991 !netif_is_l3_slave(skb->dev)) { 992 nf_bridge->sabotage_in_done = 1; 993 state->okfn(state->net, state->sk, skb); 994 return NF_STOLEN; 995 } 996 } 997 998 return NF_ACCEPT; 999 } 1000 1001 /* This is called when br_netfilter has called into iptables/netfilter, 1002 * and DNAT has taken place on a bridge-forwarded packet. 1003 * 1004 * neigh->output has created a new MAC header, with local br0 MAC 1005 * as saddr. 1006 * 1007 * This restores the original MAC saddr of the bridged packet 1008 * before invoking bridge forward logic to transmit the packet. 1009 */ 1010 static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb) 1011 { 1012 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 1013 struct net_device *br_indev; 1014 1015 br_indev = nf_bridge_get_physindev(skb, dev_net(skb->dev)); 1016 if (!br_indev) { 1017 kfree_skb(skb); 1018 return; 1019 } 1020 1021 skb_pull(skb, ETH_HLEN); 1022 nf_bridge->bridged_dnat = 0; 1023 1024 BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN)); 1025 1026 skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN), 1027 nf_bridge->neigh_header, 1028 ETH_HLEN - ETH_ALEN); 1029 skb->dev = br_indev; 1030 1031 nf_bridge->physoutdev = NULL; 1032 br_handle_frame_finish(dev_net(skb->dev), NULL, skb); 1033 } 1034 1035 static int br_nf_dev_xmit(struct sk_buff *skb) 1036 { 1037 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 1038 1039 if (nf_bridge && nf_bridge->bridged_dnat) { 1040 br_nf_pre_routing_finish_bridge_slow(skb); 1041 return 1; 1042 } 1043 return 0; 1044 } 1045 1046 static const struct nf_br_ops br_ops = { 1047 .br_dev_xmit_hook = br_nf_dev_xmit, 1048 }; 1049 1050 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because 1051 * br_dev_queue_push_xmit is called afterwards */ 1052 static const struct nf_hook_ops br_nf_ops[] = { 1053 { 1054 .hook = br_nf_pre_routing, 1055 .pf = NFPROTO_BRIDGE, 1056 .hooknum = NF_BR_PRE_ROUTING, 1057 .priority = NF_BR_PRI_BRNF, 1058 }, 1059 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 1060 { 1061 .hook = br_nf_local_in, 1062 .pf = NFPROTO_BRIDGE, 1063 .hooknum = NF_BR_LOCAL_IN, 1064 .priority = NF_BR_PRI_LAST, 1065 }, 1066 #endif 1067 { 1068 .hook = br_nf_forward_ip, 1069 .pf = NFPROTO_BRIDGE, 1070 .hooknum = NF_BR_FORWARD, 1071 .priority = NF_BR_PRI_BRNF - 1, 1072 }, 1073 { 1074 .hook = br_nf_forward_arp, 1075 .pf = NFPROTO_BRIDGE, 1076 .hooknum = NF_BR_FORWARD, 1077 .priority = NF_BR_PRI_BRNF, 1078 }, 1079 { 1080 .hook = br_nf_post_routing, 1081 .pf = NFPROTO_BRIDGE, 1082 .hooknum = NF_BR_POST_ROUTING, 1083 .priority = NF_BR_PRI_LAST, 1084 }, 1085 { 1086 .hook = ip_sabotage_in, 1087 .pf = NFPROTO_IPV4, 1088 .hooknum = NF_INET_PRE_ROUTING, 1089 .priority = NF_IP_PRI_FIRST, 1090 }, 1091 { 1092 .hook = ip_sabotage_in, 1093 .pf = NFPROTO_IPV6, 1094 .hooknum = NF_INET_PRE_ROUTING, 1095 .priority = NF_IP6_PRI_FIRST, 1096 }, 1097 }; 1098 1099 static int brnf_device_event(struct notifier_block *unused, unsigned long event, 1100 void *ptr) 1101 { 1102 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 1103 struct brnf_net *brnet; 1104 struct net *net; 1105 int ret; 1106 1107 if (event != NETDEV_REGISTER || !netif_is_bridge_master(dev)) 1108 return NOTIFY_DONE; 1109 1110 ASSERT_RTNL(); 1111 1112 net = dev_net(dev); 1113 brnet = net_generic(net, brnf_net_id); 1114 if (brnet->enabled) 1115 return NOTIFY_OK; 1116 1117 ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); 1118 if (ret) 1119 return NOTIFY_BAD; 1120 1121 brnet->enabled = true; 1122 return NOTIFY_OK; 1123 } 1124 1125 static struct notifier_block brnf_notifier __read_mostly = { 1126 .notifier_call = brnf_device_event, 1127 }; 1128 1129 /* recursively invokes nf_hook_slow (again), skipping already-called 1130 * hooks (< NF_BR_PRI_BRNF). 1131 * 1132 * Called with rcu read lock held. 1133 */ 1134 int br_nf_hook_thresh(unsigned int hook, struct net *net, 1135 struct sock *sk, struct sk_buff *skb, 1136 struct net_device *indev, 1137 struct net_device *outdev, 1138 int (*okfn)(struct net *, struct sock *, 1139 struct sk_buff *)) 1140 { 1141 const struct nf_hook_entries *e; 1142 struct nf_hook_state state; 1143 struct nf_hook_ops **ops; 1144 unsigned int i; 1145 int ret; 1146 1147 e = rcu_dereference(net->nf.hooks_bridge[hook]); 1148 if (!e) 1149 return okfn(net, sk, skb); 1150 1151 ops = nf_hook_entries_get_hook_ops(e); 1152 for (i = 0; i < e->num_hook_entries; i++) { 1153 /* These hooks have already been called */ 1154 if (ops[i]->priority < NF_BR_PRI_BRNF) 1155 continue; 1156 1157 /* These hooks have not been called yet, run them. */ 1158 if (ops[i]->priority > NF_BR_PRI_BRNF) 1159 break; 1160 1161 /* take a closer look at NF_BR_PRI_BRNF. */ 1162 if (ops[i]->hook == br_nf_pre_routing) { 1163 /* This hook diverted the skb to this function, 1164 * hooks after this have not been run yet. 1165 */ 1166 i++; 1167 break; 1168 } 1169 } 1170 1171 nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev, 1172 sk, net, okfn); 1173 1174 ret = nf_hook_slow(skb, &state, e, i); 1175 if (ret == 1) 1176 ret = okfn(net, sk, skb); 1177 1178 return ret; 1179 } 1180 1181 #ifdef CONFIG_SYSCTL 1182 static 1183 int brnf_sysctl_call_tables(struct ctl_table *ctl, int write, 1184 void *buffer, size_t *lenp, loff_t *ppos) 1185 { 1186 int ret; 1187 1188 ret = proc_dointvec(ctl, write, buffer, lenp, ppos); 1189 1190 if (write && *(int *)(ctl->data)) 1191 *(int *)(ctl->data) = 1; 1192 return ret; 1193 } 1194 1195 static struct ctl_table brnf_table[] = { 1196 { 1197 .procname = "bridge-nf-call-arptables", 1198 .maxlen = sizeof(int), 1199 .mode = 0644, 1200 .proc_handler = brnf_sysctl_call_tables, 1201 }, 1202 { 1203 .procname = "bridge-nf-call-iptables", 1204 .maxlen = sizeof(int), 1205 .mode = 0644, 1206 .proc_handler = brnf_sysctl_call_tables, 1207 }, 1208 { 1209 .procname = "bridge-nf-call-ip6tables", 1210 .maxlen = sizeof(int), 1211 .mode = 0644, 1212 .proc_handler = brnf_sysctl_call_tables, 1213 }, 1214 { 1215 .procname = "bridge-nf-filter-vlan-tagged", 1216 .maxlen = sizeof(int), 1217 .mode = 0644, 1218 .proc_handler = brnf_sysctl_call_tables, 1219 }, 1220 { 1221 .procname = "bridge-nf-filter-pppoe-tagged", 1222 .maxlen = sizeof(int), 1223 .mode = 0644, 1224 .proc_handler = brnf_sysctl_call_tables, 1225 }, 1226 { 1227 .procname = "bridge-nf-pass-vlan-input-dev", 1228 .maxlen = sizeof(int), 1229 .mode = 0644, 1230 .proc_handler = brnf_sysctl_call_tables, 1231 }, 1232 { } 1233 }; 1234 1235 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf) 1236 { 1237 brnf->call_iptables = 1; 1238 brnf->call_ip6tables = 1; 1239 brnf->call_arptables = 1; 1240 brnf->filter_vlan_tagged = 0; 1241 brnf->filter_pppoe_tagged = 0; 1242 brnf->pass_vlan_indev = 0; 1243 } 1244 1245 static int br_netfilter_sysctl_init_net(struct net *net) 1246 { 1247 struct ctl_table *table = brnf_table; 1248 struct brnf_net *brnet; 1249 1250 if (!net_eq(net, &init_net)) { 1251 table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL); 1252 if (!table) 1253 return -ENOMEM; 1254 } 1255 1256 brnet = net_generic(net, brnf_net_id); 1257 table[0].data = &brnet->call_arptables; 1258 table[1].data = &brnet->call_iptables; 1259 table[2].data = &brnet->call_ip6tables; 1260 table[3].data = &brnet->filter_vlan_tagged; 1261 table[4].data = &brnet->filter_pppoe_tagged; 1262 table[5].data = &brnet->pass_vlan_indev; 1263 1264 br_netfilter_sysctl_default(brnet); 1265 1266 brnet->ctl_hdr = register_net_sysctl_sz(net, "net/bridge", table, 1267 ARRAY_SIZE(brnf_table)); 1268 if (!brnet->ctl_hdr) { 1269 if (!net_eq(net, &init_net)) 1270 kfree(table); 1271 1272 return -ENOMEM; 1273 } 1274 1275 return 0; 1276 } 1277 1278 static void br_netfilter_sysctl_exit_net(struct net *net, 1279 struct brnf_net *brnet) 1280 { 1281 struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg; 1282 1283 unregister_net_sysctl_table(brnet->ctl_hdr); 1284 if (!net_eq(net, &init_net)) 1285 kfree(table); 1286 } 1287 1288 static int __net_init brnf_init_net(struct net *net) 1289 { 1290 return br_netfilter_sysctl_init_net(net); 1291 } 1292 #endif 1293 1294 static void __net_exit brnf_exit_net(struct net *net) 1295 { 1296 struct brnf_net *brnet; 1297 1298 brnet = net_generic(net, brnf_net_id); 1299 if (brnet->enabled) { 1300 nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); 1301 brnet->enabled = false; 1302 } 1303 1304 #ifdef CONFIG_SYSCTL 1305 br_netfilter_sysctl_exit_net(net, brnet); 1306 #endif 1307 } 1308 1309 static struct pernet_operations brnf_net_ops __read_mostly = { 1310 #ifdef CONFIG_SYSCTL 1311 .init = brnf_init_net, 1312 #endif 1313 .exit = brnf_exit_net, 1314 .id = &brnf_net_id, 1315 .size = sizeof(struct brnf_net), 1316 }; 1317 1318 static int __init br_netfilter_init(void) 1319 { 1320 int ret; 1321 1322 ret = register_pernet_subsys(&brnf_net_ops); 1323 if (ret < 0) 1324 return ret; 1325 1326 ret = register_netdevice_notifier(&brnf_notifier); 1327 if (ret < 0) { 1328 unregister_pernet_subsys(&brnf_net_ops); 1329 return ret; 1330 } 1331 1332 RCU_INIT_POINTER(nf_br_ops, &br_ops); 1333 printk(KERN_NOTICE "Bridge firewalling registered\n"); 1334 return 0; 1335 } 1336 1337 static void __exit br_netfilter_fini(void) 1338 { 1339 RCU_INIT_POINTER(nf_br_ops, NULL); 1340 unregister_netdevice_notifier(&brnf_notifier); 1341 unregister_pernet_subsys(&brnf_net_ops); 1342 } 1343 1344 module_init(br_netfilter_init); 1345 module_exit(br_netfilter_fini); 1346 1347 MODULE_LICENSE("GPL"); 1348 MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>"); 1349 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); 1350 MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge"); 1351