net/bridge/br_netfilter_hooks.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  *  Handle firewalling
0004  *  Linux ethernet bridge
0005  *
0006  *  Authors:
0007  *  Lennert Buytenhek       <buytenh@gnu.org>
0008  *  Bart De Schuymer        <bdschuym@pandora.be>
0009  *
0010  *  Lennert dedicates this file to Kerstin Wurdinger.
0011  */
0012
0013 #include <linux/module.h>
0014 #include <linux/kernel.h>
0015 #include <linux/slab.h>
0016 #include <linux/ip.h>
0017 #include <linux/netdevice.h>
0018 #include <linux/skbuff.h>
0019 #include <linux/if_arp.h>
0020 #include <linux/if_ether.h>
0021 #include <linux/if_vlan.h>
0022 #include <linux/if_pppox.h>
0023 #include <linux/ppp_defs.h>
0024 #include <linux/netfilter_bridge.h>
0025 #include <uapi/linux/netfilter_bridge.h>
0026 #include <linux/netfilter_ipv4.h>
0027 #include <linux/netfilter_ipv6.h>
0028 #include <linux/netfilter_arp.h>
0029 #include <linux/in_route.h>
0030 #include <linux/rculist.h>
0031 #include <linux/inetdevice.h>
0032
0033 #include <net/ip.h>
0034 #include <net/ipv6.h>
0035 #include <net/addrconf.h>
0036 #include <net/route.h>
0037 #include <net/netfilter/br_netfilter.h>
0038 #include <net/netns/generic.h>
0039
0040 #include <linux/uaccess.h>
0041 #include "br_private.h"
0042 #ifdef CONFIG_SYSCTL
0043 #include <linux/sysctl.h>
0044 #endif
0045
0046 static unsigned int brnf_net_id __read_mostly;
0047
0048 struct brnf_net {
0049     bool enabled;
0050
0051 #ifdef CONFIG_SYSCTL
0052     struct ctl_table_header *ctl_hdr;
0053 #endif
0054
0055     /* default value is 1 */
0056     int call_iptables;
0057     int call_ip6tables;
0058     int call_arptables;
0059
0060     /* default value is 0 */
0061     int filter_vlan_tagged;
0062     int filter_pppoe_tagged;
0063     int pass_vlan_indev;
0064 };
0065
0066 #define IS_IP(skb) \
0067     (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
0068
0069 #define IS_IPV6(skb) \
0070     (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
0071
0072 #define IS_ARP(skb) \
0073     (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
0074
0075 static inline __be16 vlan_proto(const struct sk_buff *skb)
0076 {
0077     if (skb_vlan_tag_present(skb))
0078         return skb->protocol;
0079     else if (skb->protocol == htons(ETH_P_8021Q))
0080         return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
0081     else
0082         return 0;
0083 }
0084
0085 static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net)
0086 {
0087     struct brnf_net *brnet = net_generic(net, brnf_net_id);
0088
0089     return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged;
0090 }
0091
0092 static inline bool is_vlan_ipv6(const struct sk_buff *skb,
0093                 const struct net *net)
0094 {
0095     struct brnf_net *brnet = net_generic(net, brnf_net_id);
0096
0097     return vlan_proto(skb) == htons(ETH_P_IPV6) &&
0098            brnet->filter_vlan_tagged;
0099 }
0100
0101 static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net)
0102 {
0103     struct brnf_net *brnet = net_generic(net, brnf_net_id);
0104
0105     return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged;
0106 }
0107
0108 static inline __be16 pppoe_proto(const struct sk_buff *skb)
0109 {
0110     return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
0111                 sizeof(struct pppoe_hdr)));
0112 }
0113
0114 static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net)
0115 {
0116     struct brnf_net *brnet = net_generic(net, brnf_net_id);
0117
0118     return skb->protocol == htons(ETH_P_PPP_SES) &&
0119            pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged;
0120 }
0121
0122 static inline bool is_pppoe_ipv6(const struct sk_buff *skb,
0123                  const struct net *net)
0124 {
0125     struct brnf_net *brnet = net_generic(net, brnf_net_id);
0126
0127     return skb->protocol == htons(ETH_P_PPP_SES) &&
0128            pppoe_proto(skb) == htons(PPP_IPV6) &&
0129            brnet->filter_pppoe_tagged;
0130 }
0131
0132 /* largest possible L2 header, see br_nf_dev_queue_xmit() */
0133 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
0134
0135 struct brnf_frag_data {
0136     char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH];
0137     u8 encap_size;
0138     u8 size;
0139     u16 vlan_tci;
0140     __be16 vlan_proto;
0141 };
0142
0143 static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage);
0144
0145 static void nf_bridge_info_free(struct sk_buff *skb)
0146 {
0147     skb_ext_del(skb, SKB_EXT_BRIDGE_NF);
0148 }
0149
0150 static inline struct net_device *bridge_parent(const struct net_device *dev)
0151 {
0152     struct net_bridge_port *port;
0153
0154     port = br_port_get_rcu(dev);
0155     return port ? port->br->dev : NULL;
0156 }
0157
0158 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
0159 {
0160     return skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
0161 }
0162
0163 unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
0164 {
0165     switch (skb->protocol) {
0166     case __cpu_to_be16(ETH_P_8021Q):
0167         return VLAN_HLEN;
0168     case __cpu_to_be16(ETH_P_PPP_SES):
0169         return PPPOE_SES_HLEN;
0170     default:
0171         return 0;
0172     }
0173 }
0174
0175 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
0176 {
0177     unsigned int len = nf_bridge_encap_header_len(skb);
0178
0179     skb_pull(skb, len);
0180     skb->network_header += len;
0181 }
0182
0183 static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
0184 {
0185     unsigned int len = nf_bridge_encap_header_len(skb);
0186
0187     skb_pull_rcsum(skb, len);
0188     skb->network_header += len;
0189 }
0190
0191 /* When handing a packet over to the IP layer
0192  * check whether we have a skb that is in the
0193  * expected format
0194  */
0195
0196 static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
0197 {
0198     const struct iphdr *iph;
0199     u32 len;
0200
0201     if (!pskb_may_pull(skb, sizeof(struct iphdr)))
0202         goto inhdr_error;
0203
0204     iph = ip_hdr(skb);
0205
0206     /* Basic sanity checks */
0207     if (iph->ihl < 5 || iph->version != 4)
0208         goto inhdr_error;
0209
0210     if (!pskb_may_pull(skb, iph->ihl*4))
0211         goto inhdr_error;
0212
0213     iph = ip_hdr(skb);
0214     if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
0215         goto csum_error;
0216
0217     len = ntohs(iph->tot_len);
0218     if (skb->len < len) {
0219         __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
0220         goto drop;
0221     } else if (len < (iph->ihl*4))
0222         goto inhdr_error;
0223
0224     if (pskb_trim_rcsum(skb, len)) {
0225         __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
0226         goto drop;
0227     }
0228
0229     memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
0230     /* We should really parse IP options here but until
0231      * somebody who actually uses IP options complains to
0232      * us we'll just silently ignore the options because
0233      * we're lazy!
0234      */
0235     return 0;
0236
0237 csum_error:
0238     __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
0239 inhdr_error:
0240     __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
0241 drop:
0242     return -1;
0243 }
0244
0245 void nf_bridge_update_protocol(struct sk_buff *skb)
0246 {
0247     const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0248
0249     switch (nf_bridge->orig_proto) {
0250     case BRNF_PROTO_8021Q:
0251         skb->protocol = htons(ETH_P_8021Q);
0252         break;
0253     case BRNF_PROTO_PPPOE:
0254         skb->protocol = htons(ETH_P_PPP_SES);
0255         break;
0256     case BRNF_PROTO_UNCHANGED:
0257         break;
0258     }
0259 }
0260
0261 /* Obtain the correct destination MAC address, while preserving the original
0262  * source MAC address. If we already know this address, we just copy it. If we
0263  * don't, we use the neighbour framework to find out. In both cases, we make
0264  * sure that br_handle_frame_finish() is called afterwards.
0265  */
0266 int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb)
0267 {
0268     struct neighbour *neigh;
0269     struct dst_entry *dst;
0270
0271     skb->dev = bridge_parent(skb->dev);
0272     if (!skb->dev)
0273         goto free_skb;
0274     dst = skb_dst(skb);
0275     neigh = dst_neigh_lookup_skb(dst, skb);
0276     if (neigh) {
0277         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0278         int ret;
0279
0280         if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) {
0281             neigh_hh_bridge(&neigh->hh, skb);
0282             skb->dev = nf_bridge->physindev;
0283             ret = br_handle_frame_finish(net, sk, skb);
0284         } else {
0285             /* the neighbour function below overwrites the complete
0286              * MAC header, so we save the Ethernet source address and
0287              * protocol number.
0288              */
0289             skb_copy_from_linear_data_offset(skb,
0290                              -(ETH_HLEN-ETH_ALEN),
0291                              nf_bridge->neigh_header,
0292                              ETH_HLEN-ETH_ALEN);
0293             /* tell br_dev_xmit to continue with forwarding */
0294             nf_bridge->bridged_dnat = 1;
0295             /* FIXME Need to refragment */
0296             ret = neigh->output(neigh, skb);
0297         }
0298         neigh_release(neigh);
0299         return ret;
0300     }
0301 free_skb:
0302     kfree_skb(skb);
0303     return 0;
0304 }
0305
0306 static inline bool
0307 br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
0308                  const struct nf_bridge_info *nf_bridge)
0309 {
0310     return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
0311 }
0312
0313 /* This requires some explaining. If DNAT has taken place,
0314  * we will need to fix up the destination Ethernet address.
0315  * This is also true when SNAT takes place (for the reply direction).
0316  *
0317  * There are two cases to consider:
0318  * 1. The packet was DNAT'ed to a device in the same bridge
0319  *    port group as it was received on. We can still bridge
0320  *    the packet.
0321  * 2. The packet was DNAT'ed to a different device, either
0322  *    a non-bridged device or another bridge port group.
0323  *    The packet will need to be routed.
0324  *
0325  * The correct way of distinguishing between these two cases is to
0326  * call ip_route_input() and to look at skb->dst->dev, which is
0327  * changed to the destination device if ip_route_input() succeeds.
0328  *
0329  * Let's first consider the case that ip_route_input() succeeds:
0330  *
0331  * If the output device equals the logical bridge device the packet
0332  * came in on, we can consider this bridging. The corresponding MAC
0333  * address will be obtained in br_nf_pre_routing_finish_bridge.
0334  * Otherwise, the packet is considered to be routed and we just
0335  * change the destination MAC address so that the packet will
0336  * later be passed up to the IP stack to be routed. For a redirected
0337  * packet, ip_route_input() will give back the localhost as output device,
0338  * which differs from the bridge device.
0339  *
0340  * Let's now consider the case that ip_route_input() fails:
0341  *
0342  * This can be because the destination address is martian, in which case
0343  * the packet will be dropped.
0344  * If IP forwarding is disabled, ip_route_input() will fail, while
0345  * ip_route_output_key() can return success. The source
0346  * address for ip_route_output_key() is set to zero, so ip_route_output_key()
0347  * thinks we're handling a locally generated packet and won't care
0348  * if IP forwarding is enabled. If the output device equals the logical bridge
0349  * device, we proceed as if ip_route_input() succeeded. If it differs from the
0350  * logical bridge port or if ip_route_output_key() fails we drop the packet.
0351  */
0352 static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
0353 {
0354     struct net_device *dev = skb->dev;
0355     struct iphdr *iph = ip_hdr(skb);
0356     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0357     struct rtable *rt;
0358     int err;
0359
0360     nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
0361
0362     if (nf_bridge->pkt_otherhost) {
0363         skb->pkt_type = PACKET_OTHERHOST;
0364         nf_bridge->pkt_otherhost = false;
0365     }
0366     nf_bridge->in_prerouting = 0;
0367     if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
0368         if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
0369             struct in_device *in_dev = __in_dev_get_rcu(dev);
0370
0371             /* If err equals -EHOSTUNREACH the error is due to a
0372              * martian destination or due to the fact that
0373              * forwarding is disabled. For most martian packets,
0374              * ip_route_output_key() will fail. It won't fail for 2 types of
0375              * martian destinations: loopback destinations and destination
0376              * 0.0.0.0. In both cases the packet will be dropped because the
0377              * destination is the loopback device and not the bridge. */
0378             if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
0379                 goto free_skb;
0380
0381             rt = ip_route_output(net, iph->daddr, 0,
0382                          RT_TOS(iph->tos), 0);
0383             if (!IS_ERR(rt)) {
0384                 /* - Bridged-and-DNAT'ed traffic doesn't
0385                  *   require ip_forwarding. */
0386                 if (rt->dst.dev == dev) {
0387                     skb_dst_drop(skb);
0388                     skb_dst_set(skb, &rt->dst);
0389                     goto bridged_dnat;
0390                 }
0391                 ip_rt_put(rt);
0392             }
0393 free_skb:
0394             kfree_skb(skb);
0395             return 0;
0396         } else {
0397             if (skb_dst(skb)->dev == dev) {
0398 bridged_dnat:
0399                 skb->dev = nf_bridge->physindev;
0400                 nf_bridge_update_protocol(skb);
0401                 nf_bridge_push_encap_header(skb);
0402                 br_nf_hook_thresh(NF_BR_PRE_ROUTING,
0403                           net, sk, skb, skb->dev,
0404                           NULL,
0405                           br_nf_pre_routing_finish_bridge);
0406                 return 0;
0407             }
0408             ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
0409             skb->pkt_type = PACKET_HOST;
0410         }
0411     } else {
0412         rt = bridge_parent_rtable(nf_bridge->physindev);
0413         if (!rt) {
0414             kfree_skb(skb);
0415             return 0;
0416         }
0417         skb_dst_drop(skb);
0418         skb_dst_set_noref(skb, &rt->dst);
0419     }
0420
0421     skb->dev = nf_bridge->physindev;
0422     nf_bridge_update_protocol(skb);
0423     nf_bridge_push_encap_header(skb);
0424     br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL,
0425               br_handle_frame_finish);
0426     return 0;
0427 }
0428
0429 static struct net_device *brnf_get_logical_dev(struct sk_buff *skb,
0430                            const struct net_device *dev,
0431                            const struct net *net)
0432 {
0433     struct net_device *vlan, *br;
0434     struct brnf_net *brnet = net_generic(net, brnf_net_id);
0435
0436     br = bridge_parent(dev);
0437
0438     if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb))
0439         return br;
0440
0441     vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto,
0442                     skb_vlan_tag_get(skb) & VLAN_VID_MASK);
0443
0444     return vlan ? vlan : br;
0445 }
0446
0447 /* Some common code for IPv4/IPv6 */
0448 struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net)
0449 {
0450     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0451
0452     if (skb->pkt_type == PACKET_OTHERHOST) {
0453         skb->pkt_type = PACKET_HOST;
0454         nf_bridge->pkt_otherhost = true;
0455     }
0456
0457     nf_bridge->in_prerouting = 1;
0458     nf_bridge->physindev = skb->dev;
0459     skb->dev = brnf_get_logical_dev(skb, skb->dev, net);
0460
0461     if (skb->protocol == htons(ETH_P_8021Q))
0462         nf_bridge->orig_proto = BRNF_PROTO_8021Q;
0463     else if (skb->protocol == htons(ETH_P_PPP_SES))
0464         nf_bridge->orig_proto = BRNF_PROTO_PPPOE;
0465
0466     /* Must drop socket now because of tproxy. */
0467     skb_orphan(skb);
0468     return skb->dev;
0469 }
0470
0471 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
0472  * Replicate the checks that IPv4 does on packet reception.
0473  * Set skb->dev to the bridge device (i.e. parent of the
0474  * receiving device) to make netfilter happy, the REDIRECT
0475  * target in particular.  Save the original destination IP
0476  * address to be able to detect DNAT afterwards. */
0477 static unsigned int br_nf_pre_routing(void *priv,
0478                       struct sk_buff *skb,
0479                       const struct nf_hook_state *state)
0480 {
0481     struct nf_bridge_info *nf_bridge;
0482     struct net_bridge_port *p;
0483     struct net_bridge *br;
0484     __u32 len = nf_bridge_encap_header_len(skb);
0485     struct brnf_net *brnet;
0486
0487     if (unlikely(!pskb_may_pull(skb, len)))
0488         return NF_DROP;
0489
0490     p = br_port_get_rcu(state->in);
0491     if (p == NULL)
0492         return NF_DROP;
0493     br = p->br;
0494
0495     brnet = net_generic(state->net, brnf_net_id);
0496     if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
0497         is_pppoe_ipv6(skb, state->net)) {
0498         if (!brnet->call_ip6tables &&
0499             !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
0500             return NF_ACCEPT;
0501         if (!ipv6_mod_enabled()) {
0502             pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
0503             return NF_DROP;
0504         }
0505
0506         nf_bridge_pull_encap_header_rcsum(skb);
0507         return br_nf_pre_routing_ipv6(priv, skb, state);
0508     }
0509
0510     if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES))
0511         return NF_ACCEPT;
0512
0513     if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) &&
0514         !is_pppoe_ip(skb, state->net))
0515         return NF_ACCEPT;
0516
0517     nf_bridge_pull_encap_header_rcsum(skb);
0518
0519     if (br_validate_ipv4(state->net, skb))
0520         return NF_DROP;
0521
0522     if (!nf_bridge_alloc(skb))
0523         return NF_DROP;
0524     if (!setup_pre_routing(skb, state->net))
0525         return NF_DROP;
0526
0527     nf_bridge = nf_bridge_info_get(skb);
0528     nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
0529
0530     skb->protocol = htons(ETH_P_IP);
0531     skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
0532
0533     NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
0534         skb->dev, NULL,
0535         br_nf_pre_routing_finish);
0536
0537     return NF_STOLEN;
0538 }
0539
0540
0541 /* PF_BRIDGE/FORWARD *************************************************/
0542 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
0543 {
0544     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0545     struct net_device *in;
0546
0547     if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) {
0548
0549         if (skb->protocol == htons(ETH_P_IP))
0550             nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
0551
0552         if (skb->protocol == htons(ETH_P_IPV6))
0553             nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
0554
0555         in = nf_bridge->physindev;
0556         if (nf_bridge->pkt_otherhost) {
0557             skb->pkt_type = PACKET_OTHERHOST;
0558             nf_bridge->pkt_otherhost = false;
0559         }
0560         nf_bridge_update_protocol(skb);
0561     } else {
0562         in = *((struct net_device **)(skb->cb));
0563     }
0564     nf_bridge_push_encap_header(skb);
0565
0566     br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev,
0567               br_forward_finish);
0568     return 0;
0569 }
0570
0571
0572 /* This is the 'purely bridged' case.  For IP, we pass the packet to
0573  * netfilter with indev and outdev set to the bridge device,
0574  * but we are still able to filter on the 'real' indev/outdev
0575  * because of the physdev module. For ARP, indev and outdev are the
0576  * bridge ports. */
0577 static unsigned int br_nf_forward_ip(void *priv,
0578                      struct sk_buff *skb,
0579                      const struct nf_hook_state *state)
0580 {
0581     struct nf_bridge_info *nf_bridge;
0582     struct net_device *parent;
0583     u_int8_t pf;
0584
0585     nf_bridge = nf_bridge_info_get(skb);
0586     if (!nf_bridge)
0587         return NF_ACCEPT;
0588
0589     /* Need exclusive nf_bridge_info since we might have multiple
0590      * different physoutdevs. */
0591     if (!nf_bridge_unshare(skb))
0592         return NF_DROP;
0593
0594     nf_bridge = nf_bridge_info_get(skb);
0595     if (!nf_bridge)
0596         return NF_DROP;
0597
0598     parent = bridge_parent(state->out);
0599     if (!parent)
0600         return NF_DROP;
0601
0602     if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
0603         is_pppoe_ip(skb, state->net))
0604         pf = NFPROTO_IPV4;
0605     else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
0606          is_pppoe_ipv6(skb, state->net))
0607         pf = NFPROTO_IPV6;
0608     else
0609         return NF_ACCEPT;
0610
0611     nf_bridge_pull_encap_header(skb);
0612
0613     if (skb->pkt_type == PACKET_OTHERHOST) {
0614         skb->pkt_type = PACKET_HOST;
0615         nf_bridge->pkt_otherhost = true;
0616     }
0617
0618     if (pf == NFPROTO_IPV4) {
0619         if (br_validate_ipv4(state->net, skb))
0620             return NF_DROP;
0621         IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
0622     }
0623
0624     if (pf == NFPROTO_IPV6) {
0625         if (br_validate_ipv6(state->net, skb))
0626             return NF_DROP;
0627         IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
0628     }
0629
0630     nf_bridge->physoutdev = skb->dev;
0631     if (pf == NFPROTO_IPV4)
0632         skb->protocol = htons(ETH_P_IP);
0633     else
0634         skb->protocol = htons(ETH_P_IPV6);
0635
0636     NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,
0637         brnf_get_logical_dev(skb, state->in, state->net),
0638         parent, br_nf_forward_finish);
0639
0640     return NF_STOLEN;
0641 }
0642
0643 static unsigned int br_nf_forward_arp(void *priv,
0644                       struct sk_buff *skb,
0645                       const struct nf_hook_state *state)
0646 {
0647     struct net_bridge_port *p;
0648     struct net_bridge *br;
0649     struct net_device **d = (struct net_device **)(skb->cb);
0650     struct brnf_net *brnet;
0651
0652     p = br_port_get_rcu(state->out);
0653     if (p == NULL)
0654         return NF_ACCEPT;
0655     br = p->br;
0656
0657     brnet = net_generic(state->net, brnf_net_id);
0658     if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
0659         return NF_ACCEPT;
0660
0661     if (!IS_ARP(skb)) {
0662         if (!is_vlan_arp(skb, state->net))
0663             return NF_ACCEPT;
0664         nf_bridge_pull_encap_header(skb);
0665     }
0666
0667     if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
0668         return NF_DROP;
0669
0670     if (arp_hdr(skb)->ar_pln != 4) {
0671         if (is_vlan_arp(skb, state->net))
0672             nf_bridge_push_encap_header(skb);
0673         return NF_ACCEPT;
0674     }
0675     *d = state->in;
0676     NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb,
0677         state->in, state->out, br_nf_forward_finish);
0678
0679     return NF_STOLEN;
0680 }
0681
0682 static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
0683 {
0684     struct brnf_frag_data *data;
0685     int err;
0686
0687     data = this_cpu_ptr(&brnf_frag_data_storage);
0688     err = skb_cow_head(skb, data->size);
0689
0690     if (err) {
0691         kfree_skb(skb);
0692         return 0;
0693     }
0694
0695     if (data->vlan_proto)
0696         __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
0697
0698     skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
0699     __skb_push(skb, data->encap_size);
0700
0701     nf_bridge_info_free(skb);
0702     return br_dev_queue_push_xmit(net, sk, skb);
0703 }
0704
0705 static int
0706 br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
0707           int (*output)(struct net *, struct sock *, struct sk_buff *))
0708 {
0709     unsigned int mtu = ip_skb_dst_mtu(sk, skb);
0710     struct iphdr *iph = ip_hdr(skb);
0711
0712     if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) ||
0713              (IPCB(skb)->frag_max_size &&
0714               IPCB(skb)->frag_max_size > mtu))) {
0715         IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);
0716         kfree_skb(skb);
0717         return -EMSGSIZE;
0718     }
0719
0720     return ip_do_fragment(net, sk, skb, output);
0721 }
0722
0723 static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
0724 {
0725     const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0726
0727     if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE)
0728         return PPPOE_SES_HLEN;
0729     return 0;
0730 }
0731
0732 static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
0733 {
0734     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0735     unsigned int mtu, mtu_reserved;
0736
0737     mtu_reserved = nf_bridge_mtu_reduction(skb);
0738     mtu = skb->dev->mtu;
0739
0740     if (nf_bridge->pkt_otherhost) {
0741         skb->pkt_type = PACKET_OTHERHOST;
0742         nf_bridge->pkt_otherhost = false;
0743     }
0744
0745     if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
0746         mtu = nf_bridge->frag_max_size;
0747
0748     nf_bridge_update_protocol(skb);
0749     nf_bridge_push_encap_header(skb);
0750
0751     if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
0752         nf_bridge_info_free(skb);
0753         return br_dev_queue_push_xmit(net, sk, skb);
0754     }
0755
0756     /* This is wrong! We should preserve the original fragment
0757      * boundaries by preserving frag_list rather than refragmenting.
0758      */
0759     if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) &&
0760         skb->protocol == htons(ETH_P_IP)) {
0761         struct brnf_frag_data *data;
0762
0763         if (br_validate_ipv4(net, skb))
0764             goto drop;
0765
0766         IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
0767
0768         data = this_cpu_ptr(&brnf_frag_data_storage);
0769
0770         if (skb_vlan_tag_present(skb)) {
0771             data->vlan_tci = skb->vlan_tci;
0772             data->vlan_proto = skb->vlan_proto;
0773         } else {
0774             data->vlan_proto = 0;
0775         }
0776
0777         data->encap_size = nf_bridge_encap_header_len(skb);
0778         data->size = ETH_HLEN + data->encap_size;
0779
0780         skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
0781                          data->size);
0782
0783         return br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit);
0784     }
0785     if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) &&
0786         skb->protocol == htons(ETH_P_IPV6)) {
0787         const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
0788         struct brnf_frag_data *data;
0789
0790         if (br_validate_ipv6(net, skb))
0791             goto drop;
0792
0793         IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
0794
0795         data = this_cpu_ptr(&brnf_frag_data_storage);
0796         data->encap_size = nf_bridge_encap_header_len(skb);
0797         data->size = ETH_HLEN + data->encap_size;
0798
0799         skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
0800                          data->size);
0801
0802         if (v6ops)
0803             return v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit);
0804
0805         kfree_skb(skb);
0806         return -EMSGSIZE;
0807     }
0808     nf_bridge_info_free(skb);
0809     return br_dev_queue_push_xmit(net, sk, skb);
0810  drop:
0811     kfree_skb(skb);
0812     return 0;
0813 }
0814
0815 /* PF_BRIDGE/POST_ROUTING ********************************************/
0816 static unsigned int br_nf_post_routing(void *priv,
0817                        struct sk_buff *skb,
0818                        const struct nf_hook_state *state)
0819 {
0820     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0821     struct net_device *realoutdev = bridge_parent(skb->dev);
0822     u_int8_t pf;
0823
0824     /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in
0825      * on a bridge, but was delivered locally and is now being routed:
0826      *
0827      * POST_ROUTING was already invoked from the ip stack.
0828      */
0829     if (!nf_bridge || !nf_bridge->physoutdev)
0830         return NF_ACCEPT;
0831
0832     if (!realoutdev)
0833         return NF_DROP;
0834
0835     if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
0836         is_pppoe_ip(skb, state->net))
0837         pf = NFPROTO_IPV4;
0838     else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
0839          is_pppoe_ipv6(skb, state->net))
0840         pf = NFPROTO_IPV6;
0841     else
0842         return NF_ACCEPT;
0843
0844     if (skb->pkt_type == PACKET_OTHERHOST) {
0845         skb->pkt_type = PACKET_HOST;
0846         nf_bridge->pkt_otherhost = true;
0847     }
0848
0849     nf_bridge_pull_encap_header(skb);
0850     if (pf == NFPROTO_IPV4)
0851         skb->protocol = htons(ETH_P_IP);
0852     else
0853         skb->protocol = htons(ETH_P_IPV6);
0854
0855     NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb,
0856         NULL, realoutdev,
0857         br_nf_dev_queue_xmit);
0858
0859     return NF_STOLEN;
0860 }
0861
0862 /* IP/SABOTAGE *****************************************************/
0863 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
0864  * for the second time. */
0865 static unsigned int ip_sabotage_in(void *priv,
0866                    struct sk_buff *skb,
0867                    const struct nf_hook_state *state)
0868 {
0869     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0870
0871     if (nf_bridge && !nf_bridge->in_prerouting &&
0872         !netif_is_l3_master(skb->dev) &&
0873         !netif_is_l3_slave(skb->dev)) {
0874         state->okfn(state->net, state->sk, skb);
0875         return NF_STOLEN;
0876     }
0877
0878     return NF_ACCEPT;
0879 }
0880
0881 /* This is called when br_netfilter has called into iptables/netfilter,
0882  * and DNAT has taken place on a bridge-forwarded packet.
0883  *
0884  * neigh->output has created a new MAC header, with local br0 MAC
0885  * as saddr.
0886  *
0887  * This restores the original MAC saddr of the bridged packet
0888  * before invoking bridge forward logic to transmit the packet.
0889  */
0890 static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
0891 {
0892     struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0893
0894     skb_pull(skb, ETH_HLEN);
0895     nf_bridge->bridged_dnat = 0;
0896
0897     BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN));
0898
0899     skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN),
0900                        nf_bridge->neigh_header,
0901                        ETH_HLEN - ETH_ALEN);
0902     skb->dev = nf_bridge->physindev;
0903
0904     nf_bridge->physoutdev = NULL;
0905     br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
0906 }
0907
0908 static int br_nf_dev_xmit(struct sk_buff *skb)
0909 {
0910     const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
0911
0912     if (nf_bridge && nf_bridge->bridged_dnat) {
0913         br_nf_pre_routing_finish_bridge_slow(skb);
0914         return 1;
0915     }
0916     return 0;
0917 }
0918
0919 static const struct nf_br_ops br_ops = {
0920     .br_dev_xmit_hook = br_nf_dev_xmit,
0921 };
0922
0923 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
0924  * br_dev_queue_push_xmit is called afterwards */
0925 static const struct nf_hook_ops br_nf_ops[] = {
0926     {
0927         .hook = br_nf_pre_routing,
0928         .pf = NFPROTO_BRIDGE,
0929         .hooknum = NF_BR_PRE_ROUTING,
0930         .priority = NF_BR_PRI_BRNF,
0931     },
0932     {
0933         .hook = br_nf_forward_ip,
0934         .pf = NFPROTO_BRIDGE,
0935         .hooknum = NF_BR_FORWARD,
0936         .priority = NF_BR_PRI_BRNF - 1,
0937     },
0938     {
0939         .hook = br_nf_forward_arp,
0940         .pf = NFPROTO_BRIDGE,
0941         .hooknum = NF_BR_FORWARD,
0942         .priority = NF_BR_PRI_BRNF,
0943     },
0944     {
0945         .hook = br_nf_post_routing,
0946         .pf = NFPROTO_BRIDGE,
0947         .hooknum = NF_BR_POST_ROUTING,
0948         .priority = NF_BR_PRI_LAST,
0949     },
0950     {
0951         .hook = ip_sabotage_in,
0952         .pf = NFPROTO_IPV4,
0953         .hooknum = NF_INET_PRE_ROUTING,
0954         .priority = NF_IP_PRI_FIRST,
0955     },
0956     {
0957         .hook = ip_sabotage_in,
0958         .pf = NFPROTO_IPV6,
0959         .hooknum = NF_INET_PRE_ROUTING,
0960         .priority = NF_IP6_PRI_FIRST,
0961     },
0962 };
0963
0964 static int brnf_device_event(struct notifier_block *unused, unsigned long event,
0965                  void *ptr)
0966 {
0967     struct net_device *dev = netdev_notifier_info_to_dev(ptr);
0968     struct brnf_net *brnet;
0969     struct net *net;
0970     int ret;
0971
0972     if (event != NETDEV_REGISTER || !netif_is_bridge_master(dev))
0973         return NOTIFY_DONE;
0974
0975     ASSERT_RTNL();
0976
0977     net = dev_net(dev);
0978     brnet = net_generic(net, brnf_net_id);
0979     if (brnet->enabled)
0980         return NOTIFY_OK;
0981
0982     ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
0983     if (ret)
0984         return NOTIFY_BAD;
0985
0986     brnet->enabled = true;
0987     return NOTIFY_OK;
0988 }
0989
0990 static struct notifier_block brnf_notifier __read_mostly = {
0991     .notifier_call = brnf_device_event,
0992 };
0993
0994 /* recursively invokes nf_hook_slow (again), skipping already-called
0995  * hooks (< NF_BR_PRI_BRNF).
0996  *
0997  * Called with rcu read lock held.
0998  */
0999 int br_nf_hook_thresh(unsigned int hook, struct net *net,
1000               struct sock *sk, struct sk_buff *skb,
1001               struct net_device *indev,
1002               struct net_device *outdev,
1003               int (*okfn)(struct net *, struct sock *,
1004                   struct sk_buff *))
1005 {
1006     const struct nf_hook_entries *e;
1007     struct nf_hook_state state;
1008     struct nf_hook_ops **ops;
1009     unsigned int i;
1010     int ret;
1011
1012     e = rcu_dereference(net->nf.hooks_bridge[hook]);
1013     if (!e)
1014         return okfn(net, sk, skb);
1015
1016     ops = nf_hook_entries_get_hook_ops(e);
1017     for (i = 0; i < e->num_hook_entries; i++) {
1018         /* These hooks have already been called */
1019         if (ops[i]->priority < NF_BR_PRI_BRNF)
1020             continue;
1021
1022         /* These hooks have not been called yet, run them. */
1023         if (ops[i]->priority > NF_BR_PRI_BRNF)
1024             break;
1025
1026         /* take a closer look at NF_BR_PRI_BRNF. */
1027         if (ops[i]->hook == br_nf_pre_routing) {
1028             /* This hook diverted the skb to this function,
1029              * hooks after this have not been run yet.
1030              */
1031             i++;
1032             break;
1033         }
1034     }
1035
1036     nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev,
1037                sk, net, okfn);
1038
1039     ret = nf_hook_slow(skb, &state, e, i);
1040     if (ret == 1)
1041         ret = okfn(net, sk, skb);
1042
1043     return ret;
1044 }
1045
1046 #ifdef CONFIG_SYSCTL
1047 static
1048 int brnf_sysctl_call_tables(struct ctl_table *ctl, int write,
1049                 void *buffer, size_t *lenp, loff_t *ppos)
1050 {
1051     int ret;
1052
1053     ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1054
1055     if (write && *(int *)(ctl->data))
1056         *(int *)(ctl->data) = 1;
1057     return ret;
1058 }
1059
1060 static struct ctl_table brnf_table[] = {
1061     {
1062         .procname   = "bridge-nf-call-arptables",
1063         .maxlen     = sizeof(int),
1064         .mode       = 0644,
1065         .proc_handler   = brnf_sysctl_call_tables,
1066     },
1067     {
1068         .procname   = "bridge-nf-call-iptables",
1069         .maxlen     = sizeof(int),
1070         .mode       = 0644,
1071         .proc_handler   = brnf_sysctl_call_tables,
1072     },
1073     {
1074         .procname   = "bridge-nf-call-ip6tables",
1075         .maxlen     = sizeof(int),
1076         .mode       = 0644,
1077         .proc_handler   = brnf_sysctl_call_tables,
1078     },
1079     {
1080         .procname   = "bridge-nf-filter-vlan-tagged",
1081         .maxlen     = sizeof(int),
1082         .mode       = 0644,
1083         .proc_handler   = brnf_sysctl_call_tables,
1084     },
1085     {
1086         .procname   = "bridge-nf-filter-pppoe-tagged",
1087         .maxlen     = sizeof(int),
1088         .mode       = 0644,
1089         .proc_handler   = brnf_sysctl_call_tables,
1090     },
1091     {
1092         .procname   = "bridge-nf-pass-vlan-input-dev",
1093         .maxlen     = sizeof(int),
1094         .mode       = 0644,
1095         .proc_handler   = brnf_sysctl_call_tables,
1096     },
1097     { }
1098 };
1099
1100 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
1101 {
1102     brnf->call_iptables = 1;
1103     brnf->call_ip6tables = 1;
1104     brnf->call_arptables = 1;
1105     brnf->filter_vlan_tagged = 0;
1106     brnf->filter_pppoe_tagged = 0;
1107     brnf->pass_vlan_indev = 0;
1108 }
1109
1110 static int br_netfilter_sysctl_init_net(struct net *net)
1111 {
1112     struct ctl_table *table = brnf_table;
1113     struct brnf_net *brnet;
1114
1115     if (!net_eq(net, &init_net)) {
1116         table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL);
1117         if (!table)
1118             return -ENOMEM;
1119     }
1120
1121     brnet = net_generic(net, brnf_net_id);
1122     table[0].data = &brnet->call_arptables;
1123     table[1].data = &brnet->call_iptables;
1124     table[2].data = &brnet->call_ip6tables;
1125     table[3].data = &brnet->filter_vlan_tagged;
1126     table[4].data = &brnet->filter_pppoe_tagged;
1127     table[5].data = &brnet->pass_vlan_indev;
1128
1129     br_netfilter_sysctl_default(brnet);
1130
1131     brnet->ctl_hdr = register_net_sysctl(net, "net/bridge", table);
1132     if (!brnet->ctl_hdr) {
1133         if (!net_eq(net, &init_net))
1134             kfree(table);
1135
1136         return -ENOMEM;
1137     }
1138
1139     return 0;
1140 }
1141
1142 static void br_netfilter_sysctl_exit_net(struct net *net,
1143                      struct brnf_net *brnet)
1144 {
1145     struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg;
1146
1147     unregister_net_sysctl_table(brnet->ctl_hdr);
1148     if (!net_eq(net, &init_net))
1149         kfree(table);
1150 }
1151
1152 static int __net_init brnf_init_net(struct net *net)
1153 {
1154     return br_netfilter_sysctl_init_net(net);
1155 }
1156 #endif
1157
1158 static void __net_exit brnf_exit_net(struct net *net)
1159 {
1160     struct brnf_net *brnet;
1161
1162     brnet = net_generic(net, brnf_net_id);
1163     if (brnet->enabled) {
1164         nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
1165         brnet->enabled = false;
1166     }
1167
1168 #ifdef CONFIG_SYSCTL
1169     br_netfilter_sysctl_exit_net(net, brnet);
1170 #endif
1171 }
1172
1173 static struct pernet_operations brnf_net_ops __read_mostly = {
1174 #ifdef CONFIG_SYSCTL
1175     .init = brnf_init_net,
1176 #endif
1177     .exit = brnf_exit_net,
1178     .id   = &brnf_net_id,
1179     .size = sizeof(struct brnf_net),
1180 };
1181
1182 static int __init br_netfilter_init(void)
1183 {
1184     int ret;
1185
1186     ret = register_pernet_subsys(&brnf_net_ops);
1187     if (ret < 0)
1188         return ret;
1189
1190     ret = register_netdevice_notifier(&brnf_notifier);
1191     if (ret < 0) {
1192         unregister_pernet_subsys(&brnf_net_ops);
1193         return ret;
1194     }
1195
1196     RCU_INIT_POINTER(nf_br_ops, &br_ops);
1197     printk(KERN_NOTICE "Bridge firewalling registered\n");
1198     return 0;
1199 }
1200
1201 static void __exit br_netfilter_fini(void)
1202 {
1203     RCU_INIT_POINTER(nf_br_ops, NULL);
1204     unregister_netdevice_notifier(&brnf_notifier);
1205     unregister_pernet_subsys(&brnf_net_ops);
1206 }
1207
1208 module_init(br_netfilter_init);
1209 module_exit(br_netfilter_fini);
1210
1211 MODULE_LICENSE("GPL");
1212 MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>");
1213 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
1214 MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge");