This patch sets the pktinfo for IPv4/IPv6 traffic. Therefore, we can check the meta l4proto for IPv4/IPv6 traffic in bridge, before we don't have enough information to do it.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
---
 net/bridge/netfilter/nf_tables_bridge.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index d468c19..0a0f0ca 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -16,6 +16,8 @@
 #include <net/netfilter/nf_tables_bridge.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+#include <net/netfilter/nf_tables_ipv6.h>
 
 int nft_bridge_iphdr_validate(struct sk_buff *skb)
 {
@@ -71,8 +73,21 @@ nft_do_chain_bridge(const struct nf_hook_ops *ops,
 {
 	struct nft_pktinfo pkt;
 
-	nft_set_pktinfo(&pkt, ops, skb, in, out);
+	switch (eth_hdr(skb)->h_proto) {
+	case htons(ETH_P_IP):
+		if (!nft_bridge_iphdr_validate(skb))
+			break;
+		nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+		return nft_do_chain(&pkt, ops);
+	case htons(ETH_P_IPV6):
+		if (!nft_bridge_ip6hdr_validate(skb))
+			break;
+		if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
+			break;
+		return nft_do_chain(&pkt, ops);
+	}
 
+	nft_set_pktinfo(&pkt, ops, skb, in, out);
 	return nft_do_chain(&pkt, ops);
 }
 
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
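Review bot: The three `break` paths in the new switch in nft_do_chain_bridge() (header validation failing for either protocol, and a negative return from `nft_set_pktinfo_ipv6()`) silently fall back to the generic bridge pktinfo, so a truncated or malformed IPv4/IPv6 frame is still evaluated by the chain, just without the transport-protocol information this patch is adding; that is a defensible choice but it is not visible from the code, so the trailing `nft_set_pktinfo()` call deserves a comment such as `/* Not IPv4/IPv6, or the network header failed validation: evaluate the chain with the generic bridge pktinfo (no l4proto available). */`. Frames whose outer Ethertype is a VLAN tag also take this path, since only `eth_hdr(skb)->h_proto` is inspected, which is worth stating in the same comment if that is intended. Adding a `default:` label that carries the final `break` would make the fall-through explicit for readers and static checkers. `nft_bridge_ip6hdr_validate()` is not defined in this hunk; presumably it is declared next to the `nft_bridge_iphdr_validate()` shown in the first hunk, but that should be confirmed against the tree this applies to.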