br_netfilter_hooks.c (31974B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * Handle firewalling 4 * Linux ethernet bridge 5 * 6 * Authors: 7 * Lennert Buytenhek <buytenh@gnu.org> 8 * Bart De Schuymer <bdschuym@pandora.be> 9 * 10 * Lennert dedicates this file to Kerstin Wurdinger. 11 */ 12 13#include <linux/module.h> 14#include <linux/kernel.h> 15#include <linux/slab.h> 16#include <linux/ip.h> 17#include <linux/netdevice.h> 18#include <linux/skbuff.h> 19#include <linux/if_arp.h> 20#include <linux/if_ether.h> 21#include <linux/if_vlan.h> 22#include <linux/if_pppox.h> 23#include <linux/ppp_defs.h> 24#include <linux/netfilter_bridge.h> 25#include <uapi/linux/netfilter_bridge.h> 26#include <linux/netfilter_ipv4.h> 27#include <linux/netfilter_ipv6.h> 28#include <linux/netfilter_arp.h> 29#include <linux/in_route.h> 30#include <linux/rculist.h> 31#include <linux/inetdevice.h> 32 33#include <net/ip.h> 34#include <net/ipv6.h> 35#include <net/addrconf.h> 36#include <net/route.h> 37#include <net/netfilter/br_netfilter.h> 38#include <net/netns/generic.h> 39 40#include <linux/uaccess.h> 41#include "br_private.h" 42#ifdef CONFIG_SYSCTL 43#include <linux/sysctl.h> 44#endif 45 46static unsigned int brnf_net_id __read_mostly; 47 48struct brnf_net { 49 bool enabled; 50 51#ifdef CONFIG_SYSCTL 52 struct ctl_table_header *ctl_hdr; 53#endif 54 55 /* default value is 1 */ 56 int call_iptables; 57 int call_ip6tables; 58 int call_arptables; 59 60 /* default value is 0 */ 61 int filter_vlan_tagged; 62 int filter_pppoe_tagged; 63 int pass_vlan_indev; 64}; 65 66#define IS_IP(skb) \ 67 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP)) 68 69#define IS_IPV6(skb) \ 70 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6)) 71 72#define IS_ARP(skb) \ 73 (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP)) 74 75static inline __be16 vlan_proto(const struct sk_buff *skb) 76{ 77 if (skb_vlan_tag_present(skb)) 78 return skb->protocol; 79 else if (skb->protocol == htons(ETH_P_8021Q)) 80 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto; 81 else 82 return 0; 83} 84 85static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net) 86{ 87 struct brnf_net *brnet = net_generic(net, brnf_net_id); 88 89 return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged; 90} 91 92static inline bool is_vlan_ipv6(const struct sk_buff *skb, 93 const struct net *net) 94{ 95 struct brnf_net *brnet = net_generic(net, brnf_net_id); 96 97 return vlan_proto(skb) == htons(ETH_P_IPV6) && 98 brnet->filter_vlan_tagged; 99} 100 101static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net) 102{ 103 struct brnf_net *brnet = net_generic(net, brnf_net_id); 104 105 return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged; 106} 107 108static inline __be16 pppoe_proto(const struct sk_buff *skb) 109{ 110 return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN + 111 sizeof(struct pppoe_hdr))); 112} 113 114static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net) 115{ 116 struct brnf_net *brnet = net_generic(net, brnf_net_id); 117 118 return skb->protocol == htons(ETH_P_PPP_SES) && 119 pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged; 120} 121 122static inline bool is_pppoe_ipv6(const struct sk_buff *skb, 123 const struct net *net) 124{ 125 struct brnf_net *brnet = net_generic(net, brnf_net_id); 126 127 return skb->protocol == htons(ETH_P_PPP_SES) && 128 pppoe_proto(skb) == htons(PPP_IPV6) && 129 brnet->filter_pppoe_tagged; 130} 131 132/* largest possible L2 header, see br_nf_dev_queue_xmit() */ 133#define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN) 134 135struct brnf_frag_data { 136 char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH]; 137 u8 encap_size; 138 u8 size; 139 u16 vlan_tci; 140 __be16 vlan_proto; 141}; 142 143static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage); 144 145static void nf_bridge_info_free(struct sk_buff *skb) 146{ 147 skb_ext_del(skb, SKB_EXT_BRIDGE_NF); 148} 149 150static inline struct net_device *bridge_parent(const struct net_device *dev) 151{ 152 struct net_bridge_port *port; 153 154 port = br_port_get_rcu(dev); 155 return port ? port->br->dev : NULL; 156} 157 158static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb) 159{ 160 return skb_ext_add(skb, SKB_EXT_BRIDGE_NF); 161} 162 163unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb) 164{ 165 switch (skb->protocol) { 166 case __cpu_to_be16(ETH_P_8021Q): 167 return VLAN_HLEN; 168 case __cpu_to_be16(ETH_P_PPP_SES): 169 return PPPOE_SES_HLEN; 170 default: 171 return 0; 172 } 173} 174 175static inline void nf_bridge_pull_encap_header(struct sk_buff *skb) 176{ 177 unsigned int len = nf_bridge_encap_header_len(skb); 178 179 skb_pull(skb, len); 180 skb->network_header += len; 181} 182 183static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb) 184{ 185 unsigned int len = nf_bridge_encap_header_len(skb); 186 187 skb_pull_rcsum(skb, len); 188 skb->network_header += len; 189} 190 191/* When handing a packet over to the IP layer 192 * check whether we have a skb that is in the 193 * expected format 194 */ 195 196static int br_validate_ipv4(struct net *net, struct sk_buff *skb) 197{ 198 const struct iphdr *iph; 199 u32 len; 200 201 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 202 goto inhdr_error; 203 204 iph = ip_hdr(skb); 205 206 /* Basic sanity checks */ 207 if (iph->ihl < 5 || iph->version != 4) 208 goto inhdr_error; 209 210 if (!pskb_may_pull(skb, iph->ihl*4)) 211 goto inhdr_error; 212 213 iph = ip_hdr(skb); 214 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl))) 215 goto csum_error; 216 217 len = ntohs(iph->tot_len); 218 if (skb->len < len) { 219 __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS); 220 goto drop; 221 } else if (len < (iph->ihl*4)) 222 goto inhdr_error; 223 224 if (pskb_trim_rcsum(skb, len)) { 225 __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS); 226 goto drop; 227 } 228 229 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); 230 /* We should really parse IP options here but until 231 * somebody who actually uses IP options complains to 232 * us we'll just silently ignore the options because 233 * we're lazy! 234 */ 235 return 0; 236 237csum_error: 238 __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS); 239inhdr_error: 240 __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS); 241drop: 242 return -1; 243} 244 245void nf_bridge_update_protocol(struct sk_buff *skb) 246{ 247 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 248 249 switch (nf_bridge->orig_proto) { 250 case BRNF_PROTO_8021Q: 251 skb->protocol = htons(ETH_P_8021Q); 252 break; 253 case BRNF_PROTO_PPPOE: 254 skb->protocol = htons(ETH_P_PPP_SES); 255 break; 256 case BRNF_PROTO_UNCHANGED: 257 break; 258 } 259} 260 261/* Obtain the correct destination MAC address, while preserving the original 262 * source MAC address. If we already know this address, we just copy it. If we 263 * don't, we use the neighbour framework to find out. In both cases, we make 264 * sure that br_handle_frame_finish() is called afterwards. 265 */ 266int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb) 267{ 268 struct neighbour *neigh; 269 struct dst_entry *dst; 270 271 skb->dev = bridge_parent(skb->dev); 272 if (!skb->dev) 273 goto free_skb; 274 dst = skb_dst(skb); 275 neigh = dst_neigh_lookup_skb(dst, skb); 276 if (neigh) { 277 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 278 int ret; 279 280 if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) { 281 neigh_hh_bridge(&neigh->hh, skb); 282 skb->dev = nf_bridge->physindev; 283 ret = br_handle_frame_finish(net, sk, skb); 284 } else { 285 /* the neighbour function below overwrites the complete 286 * MAC header, so we save the Ethernet source address and 287 * protocol number. 288 */ 289 skb_copy_from_linear_data_offset(skb, 290 -(ETH_HLEN-ETH_ALEN), 291 nf_bridge->neigh_header, 292 ETH_HLEN-ETH_ALEN); 293 /* tell br_dev_xmit to continue with forwarding */ 294 nf_bridge->bridged_dnat = 1; 295 /* FIXME Need to refragment */ 296 ret = neigh->output(neigh, skb); 297 } 298 neigh_release(neigh); 299 return ret; 300 } 301free_skb: 302 kfree_skb(skb); 303 return 0; 304} 305 306static inline bool 307br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb, 308 const struct nf_bridge_info *nf_bridge) 309{ 310 return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr; 311} 312 313/* This requires some explaining. If DNAT has taken place, 314 * we will need to fix up the destination Ethernet address. 315 * This is also true when SNAT takes place (for the reply direction). 316 * 317 * There are two cases to consider: 318 * 1. The packet was DNAT'ed to a device in the same bridge 319 * port group as it was received on. We can still bridge 320 * the packet. 321 * 2. The packet was DNAT'ed to a different device, either 322 * a non-bridged device or another bridge port group. 323 * The packet will need to be routed. 324 * 325 * The correct way of distinguishing between these two cases is to 326 * call ip_route_input() and to look at skb->dst->dev, which is 327 * changed to the destination device if ip_route_input() succeeds. 328 * 329 * Let's first consider the case that ip_route_input() succeeds: 330 * 331 * If the output device equals the logical bridge device the packet 332 * came in on, we can consider this bridging. The corresponding MAC 333 * address will be obtained in br_nf_pre_routing_finish_bridge. 334 * Otherwise, the packet is considered to be routed and we just 335 * change the destination MAC address so that the packet will 336 * later be passed up to the IP stack to be routed. For a redirected 337 * packet, ip_route_input() will give back the localhost as output device, 338 * which differs from the bridge device. 339 * 340 * Let's now consider the case that ip_route_input() fails: 341 * 342 * This can be because the destination address is martian, in which case 343 * the packet will be dropped. 344 * If IP forwarding is disabled, ip_route_input() will fail, while 345 * ip_route_output_key() can return success. The source 346 * address for ip_route_output_key() is set to zero, so ip_route_output_key() 347 * thinks we're handling a locally generated packet and won't care 348 * if IP forwarding is enabled. If the output device equals the logical bridge 349 * device, we proceed as if ip_route_input() succeeded. If it differs from the 350 * logical bridge port or if ip_route_output_key() fails we drop the packet. 351 */ 352static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 353{ 354 struct net_device *dev = skb->dev; 355 struct iphdr *iph = ip_hdr(skb); 356 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 357 struct rtable *rt; 358 int err; 359 360 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size; 361 362 if (nf_bridge->pkt_otherhost) { 363 skb->pkt_type = PACKET_OTHERHOST; 364 nf_bridge->pkt_otherhost = false; 365 } 366 nf_bridge->in_prerouting = 0; 367 if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) { 368 if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) { 369 struct in_device *in_dev = __in_dev_get_rcu(dev); 370 371 /* If err equals -EHOSTUNREACH the error is due to a 372 * martian destination or due to the fact that 373 * forwarding is disabled. For most martian packets, 374 * ip_route_output_key() will fail. It won't fail for 2 types of 375 * martian destinations: loopback destinations and destination 376 * 0.0.0.0. In both cases the packet will be dropped because the 377 * destination is the loopback device and not the bridge. */ 378 if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev)) 379 goto free_skb; 380 381 rt = ip_route_output(net, iph->daddr, 0, 382 RT_TOS(iph->tos), 0); 383 if (!IS_ERR(rt)) { 384 /* - Bridged-and-DNAT'ed traffic doesn't 385 * require ip_forwarding. */ 386 if (rt->dst.dev == dev) { 387 skb_dst_set(skb, &rt->dst); 388 goto bridged_dnat; 389 } 390 ip_rt_put(rt); 391 } 392free_skb: 393 kfree_skb(skb); 394 return 0; 395 } else { 396 if (skb_dst(skb)->dev == dev) { 397bridged_dnat: 398 skb->dev = nf_bridge->physindev; 399 nf_bridge_update_protocol(skb); 400 nf_bridge_push_encap_header(skb); 401 br_nf_hook_thresh(NF_BR_PRE_ROUTING, 402 net, sk, skb, skb->dev, 403 NULL, 404 br_nf_pre_routing_finish_bridge); 405 return 0; 406 } 407 ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr); 408 skb->pkt_type = PACKET_HOST; 409 } 410 } else { 411 rt = bridge_parent_rtable(nf_bridge->physindev); 412 if (!rt) { 413 kfree_skb(skb); 414 return 0; 415 } 416 skb_dst_set_noref(skb, &rt->dst); 417 } 418 419 skb->dev = nf_bridge->physindev; 420 nf_bridge_update_protocol(skb); 421 nf_bridge_push_encap_header(skb); 422 br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL, 423 br_handle_frame_finish); 424 return 0; 425} 426 427static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, 428 const struct net_device *dev, 429 const struct net *net) 430{ 431 struct net_device *vlan, *br; 432 struct brnf_net *brnet = net_generic(net, brnf_net_id); 433 434 br = bridge_parent(dev); 435 436 if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb)) 437 return br; 438 439 vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto, 440 skb_vlan_tag_get(skb) & VLAN_VID_MASK); 441 442 return vlan ? vlan : br; 443} 444 445/* Some common code for IPv4/IPv6 */ 446struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net) 447{ 448 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 449 450 if (skb->pkt_type == PACKET_OTHERHOST) { 451 skb->pkt_type = PACKET_HOST; 452 nf_bridge->pkt_otherhost = true; 453 } 454 455 nf_bridge->in_prerouting = 1; 456 nf_bridge->physindev = skb->dev; 457 skb->dev = brnf_get_logical_dev(skb, skb->dev, net); 458 459 if (skb->protocol == htons(ETH_P_8021Q)) 460 nf_bridge->orig_proto = BRNF_PROTO_8021Q; 461 else if (skb->protocol == htons(ETH_P_PPP_SES)) 462 nf_bridge->orig_proto = BRNF_PROTO_PPPOE; 463 464 /* Must drop socket now because of tproxy. */ 465 skb_orphan(skb); 466 return skb->dev; 467} 468 469/* Direct IPv6 traffic to br_nf_pre_routing_ipv6. 470 * Replicate the checks that IPv4 does on packet reception. 471 * Set skb->dev to the bridge device (i.e. parent of the 472 * receiving device) to make netfilter happy, the REDIRECT 473 * target in particular. Save the original destination IP 474 * address to be able to detect DNAT afterwards. */ 475static unsigned int br_nf_pre_routing(void *priv, 476 struct sk_buff *skb, 477 const struct nf_hook_state *state) 478{ 479 struct nf_bridge_info *nf_bridge; 480 struct net_bridge_port *p; 481 struct net_bridge *br; 482 __u32 len = nf_bridge_encap_header_len(skb); 483 struct brnf_net *brnet; 484 485 if (unlikely(!pskb_may_pull(skb, len))) 486 return NF_DROP; 487 488 p = br_port_get_rcu(state->in); 489 if (p == NULL) 490 return NF_DROP; 491 br = p->br; 492 493 brnet = net_generic(state->net, brnf_net_id); 494 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 495 is_pppoe_ipv6(skb, state->net)) { 496 if (!brnet->call_ip6tables && 497 !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) 498 return NF_ACCEPT; 499 if (!ipv6_mod_enabled()) { 500 pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported."); 501 return NF_DROP; 502 } 503 504 nf_bridge_pull_encap_header_rcsum(skb); 505 return br_nf_pre_routing_ipv6(priv, skb, state); 506 } 507 508 if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES)) 509 return NF_ACCEPT; 510 511 if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) && 512 !is_pppoe_ip(skb, state->net)) 513 return NF_ACCEPT; 514 515 nf_bridge_pull_encap_header_rcsum(skb); 516 517 if (br_validate_ipv4(state->net, skb)) 518 return NF_DROP; 519 520 if (!nf_bridge_alloc(skb)) 521 return NF_DROP; 522 if (!setup_pre_routing(skb, state->net)) 523 return NF_DROP; 524 525 nf_bridge = nf_bridge_info_get(skb); 526 nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; 527 528 skb->protocol = htons(ETH_P_IP); 529 skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; 530 531 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, 532 skb->dev, NULL, 533 br_nf_pre_routing_finish); 534 535 return NF_STOLEN; 536} 537 538 539/* PF_BRIDGE/FORWARD *************************************************/ 540static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 541{ 542 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 543 struct net_device *in; 544 545 if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) { 546 547 if (skb->protocol == htons(ETH_P_IP)) 548 nf_bridge->frag_max_size = IPCB(skb)->frag_max_size; 549 550 if (skb->protocol == htons(ETH_P_IPV6)) 551 nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size; 552 553 in = nf_bridge->physindev; 554 if (nf_bridge->pkt_otherhost) { 555 skb->pkt_type = PACKET_OTHERHOST; 556 nf_bridge->pkt_otherhost = false; 557 } 558 nf_bridge_update_protocol(skb); 559 } else { 560 in = *((struct net_device **)(skb->cb)); 561 } 562 nf_bridge_push_encap_header(skb); 563 564 br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev, 565 br_forward_finish); 566 return 0; 567} 568 569 570/* This is the 'purely bridged' case. For IP, we pass the packet to 571 * netfilter with indev and outdev set to the bridge device, 572 * but we are still able to filter on the 'real' indev/outdev 573 * because of the physdev module. For ARP, indev and outdev are the 574 * bridge ports. */ 575static unsigned int br_nf_forward_ip(void *priv, 576 struct sk_buff *skb, 577 const struct nf_hook_state *state) 578{ 579 struct nf_bridge_info *nf_bridge; 580 struct net_device *parent; 581 u_int8_t pf; 582 583 nf_bridge = nf_bridge_info_get(skb); 584 if (!nf_bridge) 585 return NF_ACCEPT; 586 587 /* Need exclusive nf_bridge_info since we might have multiple 588 * different physoutdevs. */ 589 if (!nf_bridge_unshare(skb)) 590 return NF_DROP; 591 592 nf_bridge = nf_bridge_info_get(skb); 593 if (!nf_bridge) 594 return NF_DROP; 595 596 parent = bridge_parent(state->out); 597 if (!parent) 598 return NF_DROP; 599 600 if (IS_IP(skb) || is_vlan_ip(skb, state->net) || 601 is_pppoe_ip(skb, state->net)) 602 pf = NFPROTO_IPV4; 603 else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 604 is_pppoe_ipv6(skb, state->net)) 605 pf = NFPROTO_IPV6; 606 else 607 return NF_ACCEPT; 608 609 nf_bridge_pull_encap_header(skb); 610 611 if (skb->pkt_type == PACKET_OTHERHOST) { 612 skb->pkt_type = PACKET_HOST; 613 nf_bridge->pkt_otherhost = true; 614 } 615 616 if (pf == NFPROTO_IPV4) { 617 if (br_validate_ipv4(state->net, skb)) 618 return NF_DROP; 619 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; 620 } 621 622 if (pf == NFPROTO_IPV6) { 623 if (br_validate_ipv6(state->net, skb)) 624 return NF_DROP; 625 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; 626 } 627 628 nf_bridge->physoutdev = skb->dev; 629 if (pf == NFPROTO_IPV4) 630 skb->protocol = htons(ETH_P_IP); 631 else 632 skb->protocol = htons(ETH_P_IPV6); 633 634 NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb, 635 brnf_get_logical_dev(skb, state->in, state->net), 636 parent, br_nf_forward_finish); 637 638 return NF_STOLEN; 639} 640 641static unsigned int br_nf_forward_arp(void *priv, 642 struct sk_buff *skb, 643 const struct nf_hook_state *state) 644{ 645 struct net_bridge_port *p; 646 struct net_bridge *br; 647 struct net_device **d = (struct net_device **)(skb->cb); 648 struct brnf_net *brnet; 649 650 p = br_port_get_rcu(state->out); 651 if (p == NULL) 652 return NF_ACCEPT; 653 br = p->br; 654 655 brnet = net_generic(state->net, brnf_net_id); 656 if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES)) 657 return NF_ACCEPT; 658 659 if (!IS_ARP(skb)) { 660 if (!is_vlan_arp(skb, state->net)) 661 return NF_ACCEPT; 662 nf_bridge_pull_encap_header(skb); 663 } 664 665 if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) 666 return NF_DROP; 667 668 if (arp_hdr(skb)->ar_pln != 4) { 669 if (is_vlan_arp(skb, state->net)) 670 nf_bridge_push_encap_header(skb); 671 return NF_ACCEPT; 672 } 673 *d = state->in; 674 NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb, 675 state->in, state->out, br_nf_forward_finish); 676 677 return NF_STOLEN; 678} 679 680static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) 681{ 682 struct brnf_frag_data *data; 683 int err; 684 685 data = this_cpu_ptr(&brnf_frag_data_storage); 686 err = skb_cow_head(skb, data->size); 687 688 if (err) { 689 kfree_skb(skb); 690 return 0; 691 } 692 693 if (data->vlan_proto) 694 __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci); 695 696 skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size); 697 __skb_push(skb, data->encap_size); 698 699 nf_bridge_info_free(skb); 700 return br_dev_queue_push_xmit(net, sk, skb); 701} 702 703static int 704br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, 705 int (*output)(struct net *, struct sock *, struct sk_buff *)) 706{ 707 unsigned int mtu = ip_skb_dst_mtu(sk, skb); 708 struct iphdr *iph = ip_hdr(skb); 709 710 if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) || 711 (IPCB(skb)->frag_max_size && 712 IPCB(skb)->frag_max_size > mtu))) { 713 IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS); 714 kfree_skb(skb); 715 return -EMSGSIZE; 716 } 717 718 return ip_do_fragment(net, sk, skb, output); 719} 720 721static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb) 722{ 723 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 724 725 if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE) 726 return PPPOE_SES_HLEN; 727 return 0; 728} 729 730static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) 731{ 732 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 733 unsigned int mtu, mtu_reserved; 734 735 mtu_reserved = nf_bridge_mtu_reduction(skb); 736 mtu = skb->dev->mtu; 737 738 if (nf_bridge->pkt_otherhost) { 739 skb->pkt_type = PACKET_OTHERHOST; 740 nf_bridge->pkt_otherhost = false; 741 } 742 743 if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) 744 mtu = nf_bridge->frag_max_size; 745 746 nf_bridge_update_protocol(skb); 747 nf_bridge_push_encap_header(skb); 748 749 if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { 750 nf_bridge_info_free(skb); 751 return br_dev_queue_push_xmit(net, sk, skb); 752 } 753 754 /* This is wrong! We should preserve the original fragment 755 * boundaries by preserving frag_list rather than refragmenting. 756 */ 757 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) && 758 skb->protocol == htons(ETH_P_IP)) { 759 struct brnf_frag_data *data; 760 761 if (br_validate_ipv4(net, skb)) 762 goto drop; 763 764 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; 765 766 data = this_cpu_ptr(&brnf_frag_data_storage); 767 768 if (skb_vlan_tag_present(skb)) { 769 data->vlan_tci = skb->vlan_tci; 770 data->vlan_proto = skb->vlan_proto; 771 } else { 772 data->vlan_proto = 0; 773 } 774 775 data->encap_size = nf_bridge_encap_header_len(skb); 776 data->size = ETH_HLEN + data->encap_size; 777 778 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 779 data->size); 780 781 return br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit); 782 } 783 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) && 784 skb->protocol == htons(ETH_P_IPV6)) { 785 const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); 786 struct brnf_frag_data *data; 787 788 if (br_validate_ipv6(net, skb)) 789 goto drop; 790 791 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; 792 793 data = this_cpu_ptr(&brnf_frag_data_storage); 794 data->encap_size = nf_bridge_encap_header_len(skb); 795 data->size = ETH_HLEN + data->encap_size; 796 797 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 798 data->size); 799 800 if (v6ops) 801 return v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit); 802 803 kfree_skb(skb); 804 return -EMSGSIZE; 805 } 806 nf_bridge_info_free(skb); 807 return br_dev_queue_push_xmit(net, sk, skb); 808 drop: 809 kfree_skb(skb); 810 return 0; 811} 812 813/* PF_BRIDGE/POST_ROUTING ********************************************/ 814static unsigned int br_nf_post_routing(void *priv, 815 struct sk_buff *skb, 816 const struct nf_hook_state *state) 817{ 818 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 819 struct net_device *realoutdev = bridge_parent(skb->dev); 820 u_int8_t pf; 821 822 /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in 823 * on a bridge, but was delivered locally and is now being routed: 824 * 825 * POST_ROUTING was already invoked from the ip stack. 826 */ 827 if (!nf_bridge || !nf_bridge->physoutdev) 828 return NF_ACCEPT; 829 830 if (!realoutdev) 831 return NF_DROP; 832 833 if (IS_IP(skb) || is_vlan_ip(skb, state->net) || 834 is_pppoe_ip(skb, state->net)) 835 pf = NFPROTO_IPV4; 836 else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || 837 is_pppoe_ipv6(skb, state->net)) 838 pf = NFPROTO_IPV6; 839 else 840 return NF_ACCEPT; 841 842 if (skb->pkt_type == PACKET_OTHERHOST) { 843 skb->pkt_type = PACKET_HOST; 844 nf_bridge->pkt_otherhost = true; 845 } 846 847 nf_bridge_pull_encap_header(skb); 848 if (pf == NFPROTO_IPV4) 849 skb->protocol = htons(ETH_P_IP); 850 else 851 skb->protocol = htons(ETH_P_IPV6); 852 853 NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb, 854 NULL, realoutdev, 855 br_nf_dev_queue_xmit); 856 857 return NF_STOLEN; 858} 859 860/* IP/SABOTAGE *****************************************************/ 861/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING 862 * for the second time. */ 863static unsigned int ip_sabotage_in(void *priv, 864 struct sk_buff *skb, 865 const struct nf_hook_state *state) 866{ 867 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 868 869 if (nf_bridge && !nf_bridge->in_prerouting && 870 !netif_is_l3_master(skb->dev) && 871 !netif_is_l3_slave(skb->dev)) { 872 state->okfn(state->net, state->sk, skb); 873 return NF_STOLEN; 874 } 875 876 return NF_ACCEPT; 877} 878 879/* This is called when br_netfilter has called into iptables/netfilter, 880 * and DNAT has taken place on a bridge-forwarded packet. 881 * 882 * neigh->output has created a new MAC header, with local br0 MAC 883 * as saddr. 884 * 885 * This restores the original MAC saddr of the bridged packet 886 * before invoking bridge forward logic to transmit the packet. 887 */ 888static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb) 889{ 890 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 891 892 skb_pull(skb, ETH_HLEN); 893 nf_bridge->bridged_dnat = 0; 894 895 BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN)); 896 897 skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN), 898 nf_bridge->neigh_header, 899 ETH_HLEN - ETH_ALEN); 900 skb->dev = nf_bridge->physindev; 901 902 nf_bridge->physoutdev = NULL; 903 br_handle_frame_finish(dev_net(skb->dev), NULL, skb); 904} 905 906static int br_nf_dev_xmit(struct sk_buff *skb) 907{ 908 const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 909 910 if (nf_bridge && nf_bridge->bridged_dnat) { 911 br_nf_pre_routing_finish_bridge_slow(skb); 912 return 1; 913 } 914 return 0; 915} 916 917static const struct nf_br_ops br_ops = { 918 .br_dev_xmit_hook = br_nf_dev_xmit, 919}; 920 921/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because 922 * br_dev_queue_push_xmit is called afterwards */ 923static const struct nf_hook_ops br_nf_ops[] = { 924 { 925 .hook = br_nf_pre_routing, 926 .pf = NFPROTO_BRIDGE, 927 .hooknum = NF_BR_PRE_ROUTING, 928 .priority = NF_BR_PRI_BRNF, 929 }, 930 { 931 .hook = br_nf_forward_ip, 932 .pf = NFPROTO_BRIDGE, 933 .hooknum = NF_BR_FORWARD, 934 .priority = NF_BR_PRI_BRNF - 1, 935 }, 936 { 937 .hook = br_nf_forward_arp, 938 .pf = NFPROTO_BRIDGE, 939 .hooknum = NF_BR_FORWARD, 940 .priority = NF_BR_PRI_BRNF, 941 }, 942 { 943 .hook = br_nf_post_routing, 944 .pf = NFPROTO_BRIDGE, 945 .hooknum = NF_BR_POST_ROUTING, 946 .priority = NF_BR_PRI_LAST, 947 }, 948 { 949 .hook = ip_sabotage_in, 950 .pf = NFPROTO_IPV4, 951 .hooknum = NF_INET_PRE_ROUTING, 952 .priority = NF_IP_PRI_FIRST, 953 }, 954 { 955 .hook = ip_sabotage_in, 956 .pf = NFPROTO_IPV6, 957 .hooknum = NF_INET_PRE_ROUTING, 958 .priority = NF_IP6_PRI_FIRST, 959 }, 960}; 961 962static int brnf_device_event(struct notifier_block *unused, unsigned long event, 963 void *ptr) 964{ 965 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 966 struct brnf_net *brnet; 967 struct net *net; 968 int ret; 969 970 if (event != NETDEV_REGISTER || !netif_is_bridge_master(dev)) 971 return NOTIFY_DONE; 972 973 ASSERT_RTNL(); 974 975 net = dev_net(dev); 976 brnet = net_generic(net, brnf_net_id); 977 if (brnet->enabled) 978 return NOTIFY_OK; 979 980 ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); 981 if (ret) 982 return NOTIFY_BAD; 983 984 brnet->enabled = true; 985 return NOTIFY_OK; 986} 987 988static struct notifier_block brnf_notifier __read_mostly = { 989 .notifier_call = brnf_device_event, 990}; 991 992/* recursively invokes nf_hook_slow (again), skipping already-called 993 * hooks (< NF_BR_PRI_BRNF). 994 * 995 * Called with rcu read lock held. 996 */ 997int br_nf_hook_thresh(unsigned int hook, struct net *net, 998 struct sock *sk, struct sk_buff *skb, 999 struct net_device *indev, 1000 struct net_device *outdev, 1001 int (*okfn)(struct net *, struct sock *, 1002 struct sk_buff *)) 1003{ 1004 const struct nf_hook_entries *e; 1005 struct nf_hook_state state; 1006 struct nf_hook_ops **ops; 1007 unsigned int i; 1008 int ret; 1009 1010 e = rcu_dereference(net->nf.hooks_bridge[hook]); 1011 if (!e) 1012 return okfn(net, sk, skb); 1013 1014 ops = nf_hook_entries_get_hook_ops(e); 1015 for (i = 0; i < e->num_hook_entries; i++) { 1016 /* These hooks have already been called */ 1017 if (ops[i]->priority < NF_BR_PRI_BRNF) 1018 continue; 1019 1020 /* These hooks have not been called yet, run them. */ 1021 if (ops[i]->priority > NF_BR_PRI_BRNF) 1022 break; 1023 1024 /* take a closer look at NF_BR_PRI_BRNF. */ 1025 if (ops[i]->hook == br_nf_pre_routing) { 1026 /* This hook diverted the skb to this function, 1027 * hooks after this have not been run yet. 1028 */ 1029 i++; 1030 break; 1031 } 1032 } 1033 1034 nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev, 1035 sk, net, okfn); 1036 1037 ret = nf_hook_slow(skb, &state, e, i); 1038 if (ret == 1) 1039 ret = okfn(net, sk, skb); 1040 1041 return ret; 1042} 1043 1044#ifdef CONFIG_SYSCTL 1045static 1046int brnf_sysctl_call_tables(struct ctl_table *ctl, int write, 1047 void *buffer, size_t *lenp, loff_t *ppos) 1048{ 1049 int ret; 1050 1051 ret = proc_dointvec(ctl, write, buffer, lenp, ppos); 1052 1053 if (write && *(int *)(ctl->data)) 1054 *(int *)(ctl->data) = 1; 1055 return ret; 1056} 1057 1058static struct ctl_table brnf_table[] = { 1059 { 1060 .procname = "bridge-nf-call-arptables", 1061 .maxlen = sizeof(int), 1062 .mode = 0644, 1063 .proc_handler = brnf_sysctl_call_tables, 1064 }, 1065 { 1066 .procname = "bridge-nf-call-iptables", 1067 .maxlen = sizeof(int), 1068 .mode = 0644, 1069 .proc_handler = brnf_sysctl_call_tables, 1070 }, 1071 { 1072 .procname = "bridge-nf-call-ip6tables", 1073 .maxlen = sizeof(int), 1074 .mode = 0644, 1075 .proc_handler = brnf_sysctl_call_tables, 1076 }, 1077 { 1078 .procname = "bridge-nf-filter-vlan-tagged", 1079 .maxlen = sizeof(int), 1080 .mode = 0644, 1081 .proc_handler = brnf_sysctl_call_tables, 1082 }, 1083 { 1084 .procname = "bridge-nf-filter-pppoe-tagged", 1085 .maxlen = sizeof(int), 1086 .mode = 0644, 1087 .proc_handler = brnf_sysctl_call_tables, 1088 }, 1089 { 1090 .procname = "bridge-nf-pass-vlan-input-dev", 1091 .maxlen = sizeof(int), 1092 .mode = 0644, 1093 .proc_handler = brnf_sysctl_call_tables, 1094 }, 1095 { } 1096}; 1097 1098static inline void br_netfilter_sysctl_default(struct brnf_net *brnf) 1099{ 1100 brnf->call_iptables = 1; 1101 brnf->call_ip6tables = 1; 1102 brnf->call_arptables = 1; 1103 brnf->filter_vlan_tagged = 0; 1104 brnf->filter_pppoe_tagged = 0; 1105 brnf->pass_vlan_indev = 0; 1106} 1107 1108static int br_netfilter_sysctl_init_net(struct net *net) 1109{ 1110 struct ctl_table *table = brnf_table; 1111 struct brnf_net *brnet; 1112 1113 if (!net_eq(net, &init_net)) { 1114 table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL); 1115 if (!table) 1116 return -ENOMEM; 1117 } 1118 1119 brnet = net_generic(net, brnf_net_id); 1120 table[0].data = &brnet->call_arptables; 1121 table[1].data = &brnet->call_iptables; 1122 table[2].data = &brnet->call_ip6tables; 1123 table[3].data = &brnet->filter_vlan_tagged; 1124 table[4].data = &brnet->filter_pppoe_tagged; 1125 table[5].data = &brnet->pass_vlan_indev; 1126 1127 br_netfilter_sysctl_default(brnet); 1128 1129 brnet->ctl_hdr = register_net_sysctl(net, "net/bridge", table); 1130 if (!brnet->ctl_hdr) { 1131 if (!net_eq(net, &init_net)) 1132 kfree(table); 1133 1134 return -ENOMEM; 1135 } 1136 1137 return 0; 1138} 1139 1140static void br_netfilter_sysctl_exit_net(struct net *net, 1141 struct brnf_net *brnet) 1142{ 1143 struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg; 1144 1145 unregister_net_sysctl_table(brnet->ctl_hdr); 1146 if (!net_eq(net, &init_net)) 1147 kfree(table); 1148} 1149 1150static int __net_init brnf_init_net(struct net *net) 1151{ 1152 return br_netfilter_sysctl_init_net(net); 1153} 1154#endif 1155 1156static void __net_exit brnf_exit_net(struct net *net) 1157{ 1158 struct brnf_net *brnet; 1159 1160 brnet = net_generic(net, brnf_net_id); 1161 if (brnet->enabled) { 1162 nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); 1163 brnet->enabled = false; 1164 } 1165 1166#ifdef CONFIG_SYSCTL 1167 br_netfilter_sysctl_exit_net(net, brnet); 1168#endif 1169} 1170 1171static struct pernet_operations brnf_net_ops __read_mostly = { 1172#ifdef CONFIG_SYSCTL 1173 .init = brnf_init_net, 1174#endif 1175 .exit = brnf_exit_net, 1176 .id = &brnf_net_id, 1177 .size = sizeof(struct brnf_net), 1178}; 1179 1180static int __init br_netfilter_init(void) 1181{ 1182 int ret; 1183 1184 ret = register_pernet_subsys(&brnf_net_ops); 1185 if (ret < 0) 1186 return ret; 1187 1188 ret = register_netdevice_notifier(&brnf_notifier); 1189 if (ret < 0) { 1190 unregister_pernet_subsys(&brnf_net_ops); 1191 return ret; 1192 } 1193 1194 RCU_INIT_POINTER(nf_br_ops, &br_ops); 1195 printk(KERN_NOTICE "Bridge firewalling registered\n"); 1196 return 0; 1197} 1198 1199static void __exit br_netfilter_fini(void) 1200{ 1201 RCU_INIT_POINTER(nf_br_ops, NULL); 1202 unregister_netdevice_notifier(&brnf_notifier); 1203 unregister_pernet_subsys(&brnf_net_ops); 1204} 1205 1206module_init(br_netfilter_init); 1207module_exit(br_netfilter_fini); 1208 1209MODULE_LICENSE("GPL"); 1210MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>"); 1211MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); 1212MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge");