bridge: Pass net into br_validate_ipv4 and br_validate_ipv6
The network namespace is easily available in state->net so use it. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
5f5d74d723
commit
c1444c6357
3 changed files with 16 additions and 18 deletions
|
@ -45,12 +45,12 @@ struct net_device *setup_pre_routing(struct sk_buff *skb);
|
||||||
void br_netfilter_enable(void);
|
void br_netfilter_enable(void);
|
||||||
|
|
||||||
#if IS_ENABLED(CONFIG_IPV6)
|
#if IS_ENABLED(CONFIG_IPV6)
|
||||||
int br_validate_ipv6(struct sk_buff *skb);
|
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
|
||||||
unsigned int br_nf_pre_routing_ipv6(void *priv,
|
unsigned int br_nf_pre_routing_ipv6(void *priv,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state);
|
const struct nf_hook_state *state);
|
||||||
#else
|
#else
|
||||||
static inline int br_validate_ipv6(struct sk_buff *skb)
|
static inline int br_validate_ipv6(struct net *net, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -189,10 +189,9 @@ static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
|
||||||
* expected format
|
* expected format
|
||||||
*/
|
*/
|
||||||
|
|
||||||
static int br_validate_ipv4(struct sk_buff *skb)
|
static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
const struct iphdr *iph;
|
const struct iphdr *iph;
|
||||||
struct net_device *dev = skb->dev;
|
|
||||||
u32 len;
|
u32 len;
|
||||||
|
|
||||||
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
|
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
|
||||||
|
@ -213,13 +212,13 @@ static int br_validate_ipv4(struct sk_buff *skb)
|
||||||
|
|
||||||
len = ntohs(iph->tot_len);
|
len = ntohs(iph->tot_len);
|
||||||
if (skb->len < len) {
|
if (skb->len < len) {
|
||||||
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS);
|
IP_INC_STATS_BH(net, IPSTATS_MIB_INTRUNCATEDPKTS);
|
||||||
goto drop;
|
goto drop;
|
||||||
} else if (len < (iph->ihl*4))
|
} else if (len < (iph->ihl*4))
|
||||||
goto inhdr_error;
|
goto inhdr_error;
|
||||||
|
|
||||||
if (pskb_trim_rcsum(skb, len)) {
|
if (pskb_trim_rcsum(skb, len)) {
|
||||||
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
|
IP_INC_STATS_BH(net, IPSTATS_MIB_INDISCARDS);
|
||||||
goto drop;
|
goto drop;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -232,7 +231,7 @@ static int br_validate_ipv4(struct sk_buff *skb)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
inhdr_error:
|
inhdr_error:
|
||||||
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
|
IP_INC_STATS_BH(net, IPSTATS_MIB_INHDRERRORS);
|
||||||
drop:
|
drop:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -497,7 +496,7 @@ static unsigned int br_nf_pre_routing(void *priv,
|
||||||
|
|
||||||
nf_bridge_pull_encap_header_rcsum(skb);
|
nf_bridge_pull_encap_header_rcsum(skb);
|
||||||
|
|
||||||
if (br_validate_ipv4(skb))
|
if (br_validate_ipv4(state->net, skb))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
nf_bridge_put(skb->nf_bridge);
|
nf_bridge_put(skb->nf_bridge);
|
||||||
|
@ -609,13 +608,13 @@ static unsigned int br_nf_forward_ip(void *priv,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (pf == NFPROTO_IPV4) {
|
if (pf == NFPROTO_IPV4) {
|
||||||
if (br_validate_ipv4(skb))
|
if (br_validate_ipv4(state->net, skb))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (pf == NFPROTO_IPV6) {
|
if (pf == NFPROTO_IPV6) {
|
||||||
if (br_validate_ipv6(skb))
|
if (br_validate_ipv6(state->net, skb))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
||||||
}
|
}
|
||||||
|
@ -747,7 +746,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
|
||||||
if (skb->protocol == htons(ETH_P_IP)) {
|
if (skb->protocol == htons(ETH_P_IP)) {
|
||||||
struct brnf_frag_data *data;
|
struct brnf_frag_data *data;
|
||||||
|
|
||||||
if (br_validate_ipv4(skb))
|
if (br_validate_ipv4(net, skb))
|
||||||
goto drop;
|
goto drop;
|
||||||
|
|
||||||
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
||||||
|
@ -772,7 +771,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
|
||||||
const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
|
const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
|
||||||
struct brnf_frag_data *data;
|
struct brnf_frag_data *data;
|
||||||
|
|
||||||
if (br_validate_ipv6(skb))
|
if (br_validate_ipv6(net, skb))
|
||||||
goto drop;
|
goto drop;
|
||||||
|
|
||||||
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
|
||||||
|
|
|
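Review bot: The comment block above br_validate_ipv4 (it ends at `* expected format */` and starts outside the hunk) is left unchanged although the function now takes `net`, so nothing states which namespace the drop counters are charged to. The three IP_INC_STATS_BH calls now use the caller's `net` instead of `dev_net(skb->dev)`; the hook callers pass `state->net` and br_nf_dev_queue_xmit passes its own `net` argument. I would add a line to that comment such as `* @net: namespace whose IPSTATS_MIB_* counters are incremented when the packet is rejected; expected to be the namespace of skb->dev`. Whether the two always coincide cannot be confirmed from these hunks, and anyone reading per-namespace counters for truncated or malformed packets depends on it.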
@ -100,10 +100,9 @@ static int br_nf_check_hbh_len(struct sk_buff *skb)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int br_validate_ipv6(struct sk_buff *skb)
|
int br_validate_ipv6(struct net *net, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
const struct ipv6hdr *hdr;
|
const struct ipv6hdr *hdr;
|
||||||
struct net_device *dev = skb->dev;
|
|
||||||
struct inet6_dev *idev = __in6_dev_get(skb->dev);
|
struct inet6_dev *idev = __in6_dev_get(skb->dev);
|
||||||
u32 pkt_len;
|
u32 pkt_len;
|
||||||
u8 ip6h_len = sizeof(struct ipv6hdr);
|
u8 ip6h_len = sizeof(struct ipv6hdr);
|
||||||
|
@ -123,12 +122,12 @@ int br_validate_ipv6(struct sk_buff *skb)
|
||||||
|
|
||||||
if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
|
if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
|
||||||
if (pkt_len + ip6h_len > skb->len) {
|
if (pkt_len + ip6h_len > skb->len) {
|
||||||
IP6_INC_STATS_BH(dev_net(dev), idev,
|
IP6_INC_STATS_BH(net, idev,
|
||||||
IPSTATS_MIB_INTRUNCATEDPKTS);
|
IPSTATS_MIB_INTRUNCATEDPKTS);
|
||||||
goto drop;
|
goto drop;
|
||||||
}
|
}
|
||||||
if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
|
if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
|
||||||
IP6_INC_STATS_BH(dev_net(dev), idev,
|
IP6_INC_STATS_BH(net, idev,
|
||||||
IPSTATS_MIB_INDISCARDS);
|
IPSTATS_MIB_INDISCARDS);
|
||||||
goto drop;
|
goto drop;
|
||||||
}
|
}
|
||||||
|
@ -143,7 +142,7 @@ int br_validate_ipv6(struct sk_buff *skb)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
inhdr_error:
|
inhdr_error:
|
||||||
IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
|
IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
|
||||||
drop:
|
drop:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -224,7 +223,7 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
|
||||||
{
|
{
|
||||||
struct nf_bridge_info *nf_bridge;
|
struct nf_bridge_info *nf_bridge;
|
||||||
|
|
||||||
if (br_validate_ipv6(skb))
|
if (br_validate_ipv6(state->net, skb))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
nf_bridge_put(skb->nf_bridge);
|
nf_bridge_put(skb->nf_bridge);
|
||||||
|
|
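Review bot: br_validate_ipv6 now takes the namespace from the caller but still derives `idev` from `__in6_dev_get(skb->dev)`, so each IP6_INC_STATS_BH call combines two independently sourced arguments. If a caller ever passes a `net` that is not the namespace of skb->dev, the per-namespace and per-device counters for truncated, discarded and header-error packets would be charged to different places. The function body continues outside these hunks, so this is a documentation point rather than a confirmed defect. A one-line comment above the `idev` declaration, e.g. `/* idev comes from skb->dev; net is supplied by the caller and must be that device's namespace */`, would record the assumption.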