提交 c1444c63 编写于 作者: E Eric W. Biederman 提交者: Pablo Neira Ayuso

bridge: Pass net into br_validate_ipv4 and br_validate_ipv6

The network namespace is easily available in state->net so use it.
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 5f5d74d7
...@@ -45,12 +45,12 @@ struct net_device *setup_pre_routing(struct sk_buff *skb); ...@@ -45,12 +45,12 @@ struct net_device *setup_pre_routing(struct sk_buff *skb);
void br_netfilter_enable(void); void br_netfilter_enable(void);
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
int br_validate_ipv6(struct sk_buff *skb); int br_validate_ipv6(struct net *net, struct sk_buff *skb);
unsigned int br_nf_pre_routing_ipv6(void *priv, unsigned int br_nf_pre_routing_ipv6(void *priv,
struct sk_buff *skb, struct sk_buff *skb,
const struct nf_hook_state *state); const struct nf_hook_state *state);
#else #else
static inline int br_validate_ipv6(struct sk_buff *skb) static inline int br_validate_ipv6(struct net *net, struct sk_buff *skb)
{ {
return -1; return -1;
} }
......
...@@ -189,10 +189,9 @@ static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb) ...@@ -189,10 +189,9 @@ static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
* expected format * expected format
*/ */
static int br_validate_ipv4(struct sk_buff *skb) static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
{ {
const struct iphdr *iph; const struct iphdr *iph;
struct net_device *dev = skb->dev;
u32 len; u32 len;
if (!pskb_may_pull(skb, sizeof(struct iphdr))) if (!pskb_may_pull(skb, sizeof(struct iphdr)))
...@@ -213,13 +212,13 @@ static int br_validate_ipv4(struct sk_buff *skb) ...@@ -213,13 +212,13 @@ static int br_validate_ipv4(struct sk_buff *skb)
len = ntohs(iph->tot_len); len = ntohs(iph->tot_len);
if (skb->len < len) { if (skb->len < len) {
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS); IP_INC_STATS_BH(net, IPSTATS_MIB_INTRUNCATEDPKTS);
goto drop; goto drop;
} else if (len < (iph->ihl*4)) } else if (len < (iph->ihl*4))
goto inhdr_error; goto inhdr_error;
if (pskb_trim_rcsum(skb, len)) { if (pskb_trim_rcsum(skb, len)) {
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS); IP_INC_STATS_BH(net, IPSTATS_MIB_INDISCARDS);
goto drop; goto drop;
} }
...@@ -232,7 +231,7 @@ static int br_validate_ipv4(struct sk_buff *skb) ...@@ -232,7 +231,7 @@ static int br_validate_ipv4(struct sk_buff *skb)
return 0; return 0;
inhdr_error: inhdr_error:
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS); IP_INC_STATS_BH(net, IPSTATS_MIB_INHDRERRORS);
drop: drop:
return -1; return -1;
} }
...@@ -497,7 +496,7 @@ static unsigned int br_nf_pre_routing(void *priv, ...@@ -497,7 +496,7 @@ static unsigned int br_nf_pre_routing(void *priv,
nf_bridge_pull_encap_header_rcsum(skb); nf_bridge_pull_encap_header_rcsum(skb);
if (br_validate_ipv4(skb)) if (br_validate_ipv4(state->net, skb))
return NF_DROP; return NF_DROP;
nf_bridge_put(skb->nf_bridge); nf_bridge_put(skb->nf_bridge);
...@@ -609,13 +608,13 @@ static unsigned int br_nf_forward_ip(void *priv, ...@@ -609,13 +608,13 @@ static unsigned int br_nf_forward_ip(void *priv,
} }
if (pf == NFPROTO_IPV4) { if (pf == NFPROTO_IPV4) {
if (br_validate_ipv4(skb)) if (br_validate_ipv4(state->net, skb))
return NF_DROP; return NF_DROP;
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
} }
if (pf == NFPROTO_IPV6) { if (pf == NFPROTO_IPV6) {
if (br_validate_ipv6(skb)) if (br_validate_ipv6(state->net, skb))
return NF_DROP; return NF_DROP;
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
} }
...@@ -747,7 +746,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff ...@@ -747,7 +746,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
if (skb->protocol == htons(ETH_P_IP)) { if (skb->protocol == htons(ETH_P_IP)) {
struct brnf_frag_data *data; struct brnf_frag_data *data;
if (br_validate_ipv4(skb)) if (br_validate_ipv4(net, skb))
goto drop; goto drop;
IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
...@@ -772,7 +771,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff ...@@ -772,7 +771,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
struct brnf_frag_data *data; struct brnf_frag_data *data;
if (br_validate_ipv6(skb)) if (br_validate_ipv6(net, skb))
goto drop; goto drop;
IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
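Review bot: The comment above br_validate_ipv4 (only its tail, `* expected format */`, is inside the hunk) says nothing about the new `net` argument, which now decides which namespace's IPSTATS_MIB_INTRUNCATEDPKTS, IPSTATS_MIB_INDISCARDS and IPSTATS_MIB_INHDRERRORS counters are charged for malformed packets. Before this change the namespace was derived from `skb->dev`; now it is whatever the caller supplies (`state->net` in br_nf_pre_routing and br_nf_forward_ip, the `net` parameter in br_nf_dev_queue_xmit), so the function relies on every caller passing the namespace the packet is actually in. I would extend the comment with a line such as `* @net: namespace charged for the MIB drop counters; expected to match dev_net(skb->dev)`. Whether the two can ever differ is not visible on this page, but stating the expectation keeps per-namespace drop accounting auditable.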
......
...@@ -100,10 +100,9 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) ...@@ -100,10 +100,9 @@ static int br_nf_check_hbh_len(struct sk_buff *skb)
return -1; return -1;
} }
int br_validate_ipv6(struct sk_buff *skb) int br_validate_ipv6(struct net *net, struct sk_buff *skb)
{ {
const struct ipv6hdr *hdr; const struct ipv6hdr *hdr;
struct net_device *dev = skb->dev;
struct inet6_dev *idev = __in6_dev_get(skb->dev); struct inet6_dev *idev = __in6_dev_get(skb->dev);
u32 pkt_len; u32 pkt_len;
u8 ip6h_len = sizeof(struct ipv6hdr); u8 ip6h_len = sizeof(struct ipv6hdr);
...@@ -123,12 +122,12 @@ int br_validate_ipv6(struct sk_buff *skb) ...@@ -123,12 +122,12 @@ int br_validate_ipv6(struct sk_buff *skb)
if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) { if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
if (pkt_len + ip6h_len > skb->len) { if (pkt_len + ip6h_len > skb->len) {
IP6_INC_STATS_BH(dev_net(dev), idev, IP6_INC_STATS_BH(net, idev,
IPSTATS_MIB_INTRUNCATEDPKTS); IPSTATS_MIB_INTRUNCATEDPKTS);
goto drop; goto drop;
} }
if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) { if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
IP6_INC_STATS_BH(dev_net(dev), idev, IP6_INC_STATS_BH(net, idev,
IPSTATS_MIB_INDISCARDS); IPSTATS_MIB_INDISCARDS);
goto drop; goto drop;
} }
...@@ -143,7 +142,7 @@ int br_validate_ipv6(struct sk_buff *skb) ...@@ -143,7 +142,7 @@ int br_validate_ipv6(struct sk_buff *skb)
return 0; return 0;
inhdr_error: inhdr_error:
IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS); IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
drop: drop:
return -1; return -1;
} }
...@@ -224,7 +223,7 @@ unsigned int br_nf_pre_routing_ipv6(void *priv, ...@@ -224,7 +223,7 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
{ {
struct nf_bridge_info *nf_bridge; struct nf_bridge_info *nf_bridge;
if (br_validate_ipv6(skb)) if (br_validate_ipv6(state->net, skb))
return NF_DROP; return NF_DROP;
nf_bridge_put(skb->nf_bridge); nf_bridge_put(skb->nf_bridge);
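Review bot: In br_validate_ipv6 the per-device half of the statistics still comes from the packet (`idev = __in6_dev_get(skb->dev)`) while the per-namespace half now comes from the caller's `net`, so each IP6_INC_STATS_BH call combines two independently sourced objects. Nothing in the visible lines says they must belong together; a short comment on the `idev` declaration would record it, e.g. `/* idev is taken from skb->dev; net is the caller's namespace for the same packet */`. The function body is split across several hunks and parts of it are not shown, so this applies to the three counter updates visible here.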
......