Richard Weinberger
2012-Jan-03 13:26 UTC
[Bridge] xt_physdev has no effect if net.bridge.bridge-nf-call-iptables=0
Hi! Here is a fix for the problem I've reported yesterday. http://marc.info/?l=netfilter-devel&m=132555432331663&w=2 Please review the patch carefully, I'm not a br_netfilter ninja. 8-) Thanks, //richard
Richard Weinberger
2012-Jan-03 13:26 UTC
[Bridge] [PATCH] netfilter: Fix br_nf_pre_routing() in conjunction with bridge-nf-call-ip(6)tables=0
If net.bridge.bridge-nf-call-iptables or net.bridge.bridge-nf-call-ip6tables are set to zero xt_physdev has no effect because skb->nf_bridge has not been set up. Signed-off-by: Richard Weinberger <richard at nod.at> --- net/bridge/br_netfilter.c | 31 +++++++++++++++++++++++-------- 1 files changed, 23 insertions(+), 8 deletions(-) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index fa8b8f7..f38a8e4 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -576,10 +576,12 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) + int (*okfn)(struct sk_buff *), + struct net_bridge *br) { const struct ipv6hdr *hdr; u32 pkt_len; + struct nf_bridge_info *nf_bridge; if (skb->len < sizeof(struct ipv6hdr)) return NF_DROP; @@ -606,6 +608,15 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook, nf_bridge_put(skb->nf_bridge); if (!nf_bridge_alloc(skb)) return NF_DROP; + + if (!brnf_call_ip6tables && !br->nf_call_ip6tables) { + nf_bridge = skb->nf_bridge; + nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING; + nf_bridge->physindev = skb->dev; + + return NF_ACCEPT; + } + if (!setup_pre_routing(skb)) return NF_DROP; @@ -629,6 +640,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, { struct net_bridge_port *p; struct net_bridge *br; + struct nf_bridge_info *nf_bridge; __u32 len = nf_bridge_encap_header_len(skb); if (unlikely(!pskb_may_pull(skb, len))) @@ -641,16 +653,10 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) { - if (!brnf_call_ip6tables && !br->nf_call_ip6tables) - return NF_ACCEPT; - nf_bridge_pull_encap_header_rcsum(skb); - return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn); + return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn, br); } - if (!brnf_call_iptables && !br->nf_call_iptables) - return NF_ACCEPT; - if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb)) return NF_ACCEPT; @@ -663,6 +669,15 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, nf_bridge_put(skb->nf_bridge); if (!nf_bridge_alloc(skb)) return NF_DROP; + + if (!brnf_call_iptables && !br->nf_call_iptables) { + nf_bridge = skb->nf_bridge; + nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING; + nf_bridge->physindev = skb->dev; + + return NF_ACCEPT; + } + if (!setup_pre_routing(skb)) return NF_DROP; store_orig_dstaddr(skb); -- 1.7.7.3