Linus Lüssing
2017-Mar-15 03:18 UTC
[Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device
When trying to redirect bridged frames to the bridge device itself via the ebtables nat-prerouting chain and the dnat target then this currently fails:

The ethernet destination of the frame is dnat'ed to the MAC address of the bridge itself just fine and the correctly altered frame can even be captured via a tcpdump on br0 (with or without promisc mode).

However, the IP code drops it in the beginning of ip_input.c/ip_rcv() as the dnat target did not update the skb->pkt_type. If after dnat'ing the packet is now destined to us then the skb->pkt_type needs to be updated from PACKET_OTHERHOST to PACKET_HOST, too.

Signed-off-by: Linus Lüssing <linus.luessing at c0d3.blue>
---
net/bridge/br_input.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 013f2290b..ec83175 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -198,8 +198,12 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb if (dst) { unsigned long now = jiffies; - if (dst->is_local) + if (dst->is_local) { + /* fix up potential DNAT mess */ + skb->pkt_type = PACKET_HOST; + return br_pass_frame_up(skb); + } if (now != dst->used) dst->used = now; -- 2.1.4
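Review bot: The fixup lives only in the unicast dst->is_local branch, so as far as this hunk shows a frame whose destination is dnat'ed to a broadcast or multicast address keeps the pkt_type it arrived with, and the reverse case the commit message's wording allows for (a frame that was for the bridge and is dnat'ed elsewhere) gets no correction either; if both are deliberately out of scope, say so in the commit message. The comment `/* fix up potential DNAT mess */` should also state what is being corrected and why it was wrong, e.g. `/* h_dest may have been rewritten by DNAT after pkt_type was set; the FDB says it is local now */`, because a later reader of br_handle_frame_finish() otherwise cannot tell why the bridge core path, rather than the target that rewrote h_dest, carries this.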
Florian Westphal
2017-Mar-15 10:26 UTC
[Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device
Linus Lüssing <linus.luessing at c0d3.blue> wrote:

> When trying to redirect bridged frames to the bridge device itself > via the ebtables nat-prerouting chain and the dnat target then this > currently fails: > > The ethernet destination of the frame is dnat'ed to the MAC address of > the bridge itself just fine and the correctly altered frame can even > be captured via a tcpdump on br0 (with or without promisc mode). > > However, the IP code drops it in the beginning of ip_input.c/ip_rcv() > as the dnat target did not update the skb->pkt_type.

Right, that's the reason why ebtables also has ebt_redirect target which does this pkt_type fixup.

> - if (dst->is_local) > + if (dst->is_local) { > + /* fix up potential DNAT mess */ > + skb->pkt_type = PACKET_HOST; > + > return br_pass_frame_up(skb); > + }

I don't mind this change though (i.e. I don't see how this would bite us later).
Pablo Neira Ayuso
2017-Mar-15 10:34 UTC
[Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device
On Wed, Mar 15, 2017 at 04:18:11AM +0100, Linus Lüssing wrote:

> When trying to redirect bridged frames to the bridge device itself > via the ebtables nat-prerouting chain and the dnat target then this > currently fails: > > The ethernet destination of the frame is dnat'ed to the MAC address of > the bridge itself just fine and the correctly altered frame can even > be captured via a tcpdump on br0 (with or without promisc mode). > > However, the IP code drops it in the beginning of ip_input.c/ip_rcv() > as the dnat target did not update the skb->pkt_type. If after > dnat'ing the packet is now destined to us then the skb->pkt_type > needs to be updated from PACKET_OTHERHOST to PACKET_HOST, too. > > Signed-off-by: Linus Lüssing <linus.luessing at c0d3.blue> > --- > net/bridge/br_input.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c > index 013f2290b..ec83175 100644 > --- a/net/bridge/br_input.c > +++ b/net/bridge/br_input.c > @@ -198,8 +198,12 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb > if (dst) { > unsigned long now = jiffies; > > - if (dst->is_local) > + if (dst->is_local) { > + /* fix up potential DNAT mess */ > + skb->pkt_type = PACKET_HOST;

I would like to find a way to fix this from ebtables itself, so we don't need to add this code to the bridge core path. AFAICS, from prerouting we don't know the dst yet, so we cannot know if this packet is local from there.
Pablo Neira Ayuso
2017-Mar-15 10:42 UTC
[Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device
On Wed, Mar 15, 2017 at 11:26:08AM +0100, Florian Westphal wrote:

> Linus Lüssing <linus.luessing at c0d3.blue> wrote: > > When trying to redirect bridged frames to the bridge device itself > > via the ebtables nat-prerouting chain and the dnat target then this > > currently fails: > > > > The ethernet destination of the frame is dnat'ed to the MAC address of > > the bridge itself just fine and the correctly altered frame can even > > be captured via a tcpdump on br0 (with or without promisc mode). > > > > However, the IP code drops it in the beginning of ip_input.c/ip_rcv() > > as the dnat target did not update the skb->pkt_type. > > Right, thats the reason why ebtables also has ebt_redirect target > which does this pkt_type fixup.

I'm missing then why redirect is not just enough for Linus' use case.
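The failure the thread discusses is easy to lose in the kernel's receive path, so the following is an added userspace model of it (constructed for this page; it is not kernel code and not from the patch author). It mirrors the steps the thread names: the ingress port classifies the frame into a pkt_type, br_handle_frame() marks frames already addressed to the bridge MAC as PACKET_HOST before the ebtables nat PREROUTING chain runs, the dnat target rewrites h_dest only, the patch's dst->is_local fixup forces PACKET_HOST, and ip_rcv() drops anything still tagged PACKET_OTHERHOST. The ebt_redirect target Florian mentions is modelled too, as a rewrite that updates pkt_type in the same step. All MAC addresses, the enum ebt_action, and the deliver() driver are constructed for the example; the PACKET_* values are the ones from <linux/if_packet.h>.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of the receive path the thread describes; constructed for
 * illustration, not kernel code. pkt_type values mirror <linux/if_packet.h>. */
enum pkt_type { PACKET_HOST = 0, PACKET_BROADCAST = 1, PACKET_MULTICAST = 2, PACKET_OTHERHOST = 3 };
enum ebt_action { ACT_NONE, ACT_DNAT_TO_BRIDGE, ACT_REDIRECT }; /* constructed */

struct frame {
    uint8_t h_dest[6];
    enum pkt_type pkt_type;
};

/* Constructed sample addresses: the ingress port, the bridge device (br0) and
 * an unrelated host on the far side of the bridge. */
static const uint8_t PORT_MAC[6]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t BR_MAC[6]    = {0x02, 0x00, 0x00, 0x00, 0x00, 0xaa};
static const uint8_t OTHER_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x99};
static const uint8_t BCAST_MAC[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

static bool mac_eq(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 6) == 0; }

/* eth_type_trans() on the receiving port: classify by comparing h_dest with
 * that port's own address. */
static enum pkt_type classify(const uint8_t *h_dest, const uint8_t *dev_mac)
{
    if (mac_eq(h_dest, BCAST_MAC)) return PACKET_BROADCAST;
    if (h_dest[0] & 0x01)          return PACKET_MULTICAST;
    if (mac_eq(h_dest, dev_mac))   return PACKET_HOST;
    return PACKET_OTHERHOST;
}

/* br_handle_frame(): a frame already addressed to the bridge MAC is marked
 * PACKET_HOST here, before the ebtables nat PREROUTING chain runs. */
static void bridge_ingress(struct frame *f)
{
    f->pkt_type = classify(f->h_dest, PORT_MAC);
    if (mac_eq(f->h_dest, BR_MAC))
        f->pkt_type = PACKET_HOST;
}

/* -j dnat as the thread describes it: only h_dest is rewritten. */
static void ebt_dnat(struct frame *f, const uint8_t *to)
{
    memcpy(f->h_dest, to, 6);
}

/* -j redirect, the target Florian points at: rewrite to the bridge MAC and
 * update pkt_type in the same step. */
static void ebt_redirect(struct frame *f)
{
    memcpy(f->h_dest, BR_MAC, 6);
    f->pkt_type = PACKET_HOST;
}

/* The patch's addition in br_handle_frame_finish(): once the FDB says the
 * destination is local (modelled as h_dest == BR_MAC), force PACKET_HOST. */
static void br_local_fixup(struct frame *f)
{
    if (mac_eq(f->h_dest, BR_MAC))
        f->pkt_type = PACKET_HOST;
}

/* The early check in ip_rcv(): frames tagged for another host are dropped. */
static bool ip_rcv_accepts(const struct frame *f)
{
    return f->pkt_type != PACKET_OTHERHOST;
}

/* Run one frame through the path and report whether the IP layer would take
 * it: port classification, bridge ingress, the ebtables action, the patch's
 * fixup when `patched` is set, then ip_rcv(). */
static bool deliver(const uint8_t *orig_dest, enum ebt_action act, bool patched)
{
    struct frame f;
    memcpy(f.h_dest, orig_dest, 6);
    bridge_ingress(&f);
    if (act == ACT_DNAT_TO_BRIDGE)
        ebt_dnat(&f, BR_MAC);
    else if (act == ACT_REDIRECT)
        ebt_redirect(&f);
    if (patched)
        br_local_fixup(&f);
    return ip_rcv_accepts(&f);
}
```

Running deliver(OTHER_MAC, ACT_DNAT_TO_BRIDGE, false) reproduces the report: the frame enters as PACKET_OTHERHOST, dnat changes only the address, and ip_rcv() refuses it even though a capture on br0 would show the rewritten destination. The same frame with patched set, or sent through ACT_REDIRECT without the patch, is accepted, which is the point of Pablo's question about whether redirect already covers the use case.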