1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -53,7 +53,7 @@ EXPORT_SYMBOL_GPL(br_dev_queue_push_xmit
int br_forward_finish(struct sk_buff *skb)
{
- return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
+ return BR_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
br_dev_queue_push_xmit);
}
@@ -77,7 +77,7 @@ static void __br_deliver(const struct ne
return;
}
- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+ BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
br_forward_finish);
}
@@ -98,7 +98,7 @@ static void __br_forward(const struct ne
skb->dev = to->dev;
skb_forward_csum(skb);
- NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
+ BR_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
br_forward_finish);
}
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -55,7 +55,7 @@ static int br_pass_frame_up(struct sk_bu
if (!skb)
return NET_RX_DROP;
- return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
+ return BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
netif_receive_skb);
}
@@ -280,7 +280,7 @@ rx_handler_result_t br_handle_frame(stru
}
/* Deliver packet to local host only */
- if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
+ if (BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
NULL, br_handle_local_finish)) {
return RX_HANDLER_CONSUMED; /* consumed by filter */
} else {
@@ -295,7 +295,7 @@ forward:
if (ether_addr_equal(p->br->dev->dev_addr, dest))
skb->pkt_type = PACKET_HOST;
- if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+ if (BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
br_handle_local_finish))
break;
@@ -317,7 +317,7 @@ forward:
if (ether_addr_equal(p->br->dev->dev_addr, dest))
skb->pkt_type = PACKET_HOST;
- NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+ BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
br_handle_frame_finish);
break;
default:
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -814,7 +814,7 @@ static void __br_multicast_send_query(st
if (port) {
skb->dev = port->dev;
- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+ BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
br_dev_queue_push_xmit);
} else {
br_multicast_select_own_querier(br, ip, skb);
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -74,6 +74,15 @@ static int brnf_pass_vlan_indev __read_m
#define IS_ARP(skb) \
(!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
+int brnf_call_ebtables __read_mostly = 0;
+EXPORT_SYMBOL_GPL(brnf_call_ebtables);
+
+bool br_netfilter_run_hooks(void)
+{
+ return brnf_call_iptables | brnf_call_ip6tables | brnf_call_arptables |
+ brnf_call_ebtables;
+}
+
static inline __be16 vlan_proto(const struct sk_buff *skb)
{
if (vlan_tx_tag_present(skb))
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -769,6 +769,24 @@ static inline void br_nf_core_fini(void)
#define br_netfilter_rtable_init(x)
#endif
+#if IS_BUILTIN(CONFIG_BRIDGE_NETFILTER)
+extern int brnf_call_ebtables;
+bool br_netfilter_run_hooks(void);
+#else
+#define br_netfilter_run_hooks() false
+#endif
+
+static inline int
+BR_HOOK(uint8_t pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *in, struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ if (!br_netfilter_run_hooks())
+ return okfn(skb);
+
+ return NF_HOOK(pf, hook, skb, in, out, okfn);
+}
+
/* br_stp.c */
void br_log_state(const struct net_bridge_port *p);
void br_set_state(struct net_bridge_port *p, unsigned int state);
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -54,7 +54,7 @@ static void br_send_bpdu(struct net_brid
skb_reset_mac_header(skb);
- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+ BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
dev_queue_xmit);
}
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2414,11 +2414,19 @@ static int __init ebtables_init(void)
}
printk(KERN_INFO "Ebtables v2.0 registered\n");
+
+#if IS_BUILTIN(CONFIG_BRIDGE_NETFILTER)
+ brnf_call_ebtables = 1;
+#endif
+
return 0;
}
static void __exit ebtables_fini(void)
{
+#if IS_BUILTIN(CONFIG_BRIDGE_NETFILTER)
+ brnf_call_ebtables = 0;
+#endif
nf_unregister_sockopt(&ebt_sockopts);
xt_unregister_target(&ebt_standard_target);
printk(KERN_INFO "Ebtables v2.0 unregistered\n");
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -177,11 +177,11 @@ config NETFILTER_ADVANCED
If unsure, say Y.
config BRIDGE_NETFILTER
- tristate "Bridged IP/ARP packets filtering"
+ bool "Bridged IP/ARP packets filtering"
depends on BRIDGE
depends on NETFILTER && INET
depends on NETFILTER_ADVANCED
- default m
+ default y
---help---
Enabling this option will let arptables resp. iptables see bridged
ARP resp. IP traffic. If you want a bridging firewall, you probably
|
