root/net/bridge/br_netfilter_hooks.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. vlan_proto
  2. is_vlan_ip
  3. is_vlan_ipv6
  4. is_vlan_arp
  5. pppoe_proto
  6. is_pppoe_ip
  7. is_pppoe_ipv6
  8. nf_bridge_info_free
  9. bridge_parent
  10. nf_bridge_unshare
  11. nf_bridge_encap_header_len
  12. nf_bridge_pull_encap_header
  13. nf_bridge_pull_encap_header_rcsum
  14. br_validate_ipv4
  15. nf_bridge_update_protocol
  16. br_nf_pre_routing_finish_bridge
  17. br_nf_ipv4_daddr_was_changed
  18. br_nf_pre_routing_finish
  19. brnf_get_logical_dev
  20. setup_pre_routing
  21. br_nf_pre_routing
  22. br_nf_forward_finish
  23. br_nf_forward_ip
  24. br_nf_forward_arp
  25. br_nf_push_frag_xmit
  26. br_nf_ip_fragment
  27. nf_bridge_mtu_reduction
  28. br_nf_dev_queue_xmit
  29. br_nf_post_routing
  30. ip_sabotage_in
  31. br_nf_pre_routing_finish_bridge_slow
  32. br_nf_dev_xmit
  33. brnf_device_event
  34. br_nf_hook_thresh
  35. brnf_sysctl_call_tables
  36. br_netfilter_sysctl_default
  37. br_netfilter_sysctl_init_net
  38. br_netfilter_sysctl_exit_net
  39. brnf_init_net
  40. brnf_exit_net
  41. br_netfilter_init
  42. br_netfilter_fini
   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /*
   3  *      Handle firewalling
   4  *      Linux ethernet bridge
   5  *
   6  *      Authors:
   7  *      Lennert Buytenhek               <buytenh@gnu.org>
   8  *      Bart De Schuymer                <bdschuym@pandora.be>
   9  *
  10  *      Lennert dedicates this file to Kerstin Wurdinger.
  11  */
  12 
  13 #include <linux/module.h>
  14 #include <linux/kernel.h>
  15 #include <linux/slab.h>
  16 #include <linux/ip.h>
  17 #include <linux/netdevice.h>
  18 #include <linux/skbuff.h>
  19 #include <linux/if_arp.h>
  20 #include <linux/if_ether.h>
  21 #include <linux/if_vlan.h>
  22 #include <linux/if_pppox.h>
  23 #include <linux/ppp_defs.h>
  24 #include <linux/netfilter_bridge.h>
  25 #include <uapi/linux/netfilter_bridge.h>
  26 #include <linux/netfilter_ipv4.h>
  27 #include <linux/netfilter_ipv6.h>
  28 #include <linux/netfilter_arp.h>
  29 #include <linux/in_route.h>
  30 #include <linux/rculist.h>
  31 #include <linux/inetdevice.h>
  32 
  33 #include <net/ip.h>
  34 #include <net/ipv6.h>
  35 #include <net/addrconf.h>
  36 #include <net/route.h>
  37 #include <net/netfilter/br_netfilter.h>
  38 #include <net/netns/generic.h>
  39 
  40 #include <linux/uaccess.h>
  41 #include "br_private.h"
  42 #ifdef CONFIG_SYSCTL
  43 #include <linux/sysctl.h>
  44 #endif
  45 
  46 static unsigned int brnf_net_id __read_mostly;
  47 
  48 struct brnf_net {
  49         bool enabled;
  50 
  51 #ifdef CONFIG_SYSCTL
  52         struct ctl_table_header *ctl_hdr;
  53 #endif
  54 
  55         /* default value is 1 */
  56         int call_iptables;
  57         int call_ip6tables;
  58         int call_arptables;
  59 
  60         /* default value is 0 */
  61         int filter_vlan_tagged;
  62         int filter_pppoe_tagged;
  63         int pass_vlan_indev;
  64 };
  65 
  66 #define IS_IP(skb) \
  67         (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
  68 
  69 #define IS_IPV6(skb) \
  70         (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
  71 
  72 #define IS_ARP(skb) \
  73         (!skb_vlan_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
  74 
  75 static inline __be16 vlan_proto(const struct sk_buff *skb)
  76 {
  77         if (skb_vlan_tag_present(skb))
  78                 return skb->protocol;
  79         else if (skb->protocol == htons(ETH_P_8021Q))
  80                 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
  81         else
  82                 return 0;
  83 }
  84 
  85 static inline bool is_vlan_ip(const struct sk_buff *skb, const struct net *net)
  86 {
  87         struct brnf_net *brnet = net_generic(net, brnf_net_id);
  88 
  89         return vlan_proto(skb) == htons(ETH_P_IP) && brnet->filter_vlan_tagged;
  90 }
  91 
  92 static inline bool is_vlan_ipv6(const struct sk_buff *skb,
  93                                 const struct net *net)
  94 {
  95         struct brnf_net *brnet = net_generic(net, brnf_net_id);
  96 
  97         return vlan_proto(skb) == htons(ETH_P_IPV6) &&
  98                brnet->filter_vlan_tagged;
  99 }
 100 
 101 static inline bool is_vlan_arp(const struct sk_buff *skb, const struct net *net)
 102 {
 103         struct brnf_net *brnet = net_generic(net, brnf_net_id);
 104 
 105         return vlan_proto(skb) == htons(ETH_P_ARP) && brnet->filter_vlan_tagged;
 106 }
 107 
 108 static inline __be16 pppoe_proto(const struct sk_buff *skb)
 109 {
 110         return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
 111                             sizeof(struct pppoe_hdr)));
 112 }
 113 
 114 static inline bool is_pppoe_ip(const struct sk_buff *skb, const struct net *net)
 115 {
 116         struct brnf_net *brnet = net_generic(net, brnf_net_id);
 117 
 118         return skb->protocol == htons(ETH_P_PPP_SES) &&
 119                pppoe_proto(skb) == htons(PPP_IP) && brnet->filter_pppoe_tagged;
 120 }
 121 
 122 static inline bool is_pppoe_ipv6(const struct sk_buff *skb,
 123                                  const struct net *net)
 124 {
 125         struct brnf_net *brnet = net_generic(net, brnf_net_id);
 126 
 127         return skb->protocol == htons(ETH_P_PPP_SES) &&
 128                pppoe_proto(skb) == htons(PPP_IPV6) &&
 129                brnet->filter_pppoe_tagged;
 130 }
 131 
 132 /* largest possible L2 header, see br_nf_dev_queue_xmit() */
 133 #define NF_BRIDGE_MAX_MAC_HEADER_LENGTH (PPPOE_SES_HLEN + ETH_HLEN)
 134 
 135 struct brnf_frag_data {
 136         char mac[NF_BRIDGE_MAX_MAC_HEADER_LENGTH];
 137         u8 encap_size;
 138         u8 size;
 139         u16 vlan_tci;
 140         __be16 vlan_proto;
 141 };
 142 
 143 static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage);
 144 
 145 static void nf_bridge_info_free(struct sk_buff *skb)
 146 {
 147         skb_ext_del(skb, SKB_EXT_BRIDGE_NF);
 148 }
 149 
 150 static inline struct net_device *bridge_parent(const struct net_device *dev)
 151 {
 152         struct net_bridge_port *port;
 153 
 154         port = br_port_get_rcu(dev);
 155         return port ? port->br->dev : NULL;
 156 }
 157 
 158 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
 159 {
 160         return skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
 161 }
 162 
 163 unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
 164 {
 165         switch (skb->protocol) {
 166         case __cpu_to_be16(ETH_P_8021Q):
 167                 return VLAN_HLEN;
 168         case __cpu_to_be16(ETH_P_PPP_SES):
 169                 return PPPOE_SES_HLEN;
 170         default:
 171                 return 0;
 172         }
 173 }
 174 
 175 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
 176 {
 177         unsigned int len = nf_bridge_encap_header_len(skb);
 178 
 179         skb_pull(skb, len);
 180         skb->network_header += len;
 181 }
 182 
 183 static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
 184 {
 185         unsigned int len = nf_bridge_encap_header_len(skb);
 186 
 187         skb_pull_rcsum(skb, len);
 188         skb->network_header += len;
 189 }
 190 
 191 /* When handing a packet over to the IP layer
 192  * check whether we have a skb that is in the
 193  * expected format
 194  */
 195 
 196 static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
 197 {
 198         const struct iphdr *iph;
 199         u32 len;
 200 
 201         if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 202                 goto inhdr_error;
 203 
 204         iph = ip_hdr(skb);
 205 
 206         /* Basic sanity checks */
 207         if (iph->ihl < 5 || iph->version != 4)
 208                 goto inhdr_error;
 209 
 210         if (!pskb_may_pull(skb, iph->ihl*4))
 211                 goto inhdr_error;
 212 
 213         iph = ip_hdr(skb);
 214         if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
 215                 goto csum_error;
 216 
 217         len = ntohs(iph->tot_len);
 218         if (skb->len < len) {
 219                 __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
 220                 goto drop;
 221         } else if (len < (iph->ihl*4))
 222                 goto inhdr_error;
 223 
 224         if (pskb_trim_rcsum(skb, len)) {
 225                 __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
 226                 goto drop;
 227         }
 228 
 229         memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 230         /* We should really parse IP options here but until
 231          * somebody who actually uses IP options complains to
 232          * us we'll just silently ignore the options because
 233          * we're lazy!
 234          */
 235         return 0;
 236 
 237 csum_error:
 238         __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
 239 inhdr_error:
 240         __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
 241 drop:
 242         return -1;
 243 }
 244 
 245 void nf_bridge_update_protocol(struct sk_buff *skb)
 246 {
 247         const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 248 
 249         switch (nf_bridge->orig_proto) {
 250         case BRNF_PROTO_8021Q:
 251                 skb->protocol = htons(ETH_P_8021Q);
 252                 break;
 253         case BRNF_PROTO_PPPOE:
 254                 skb->protocol = htons(ETH_P_PPP_SES);
 255                 break;
 256         case BRNF_PROTO_UNCHANGED:
 257                 break;
 258         }
 259 }
 260 
 261 /* Obtain the correct destination MAC address, while preserving the original
 262  * source MAC address. If we already know this address, we just copy it. If we
 263  * don't, we use the neighbour framework to find out. In both cases, we make
 264  * sure that br_handle_frame_finish() is called afterwards.
 265  */
 266 int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb)
 267 {
 268         struct neighbour *neigh;
 269         struct dst_entry *dst;
 270 
 271         skb->dev = bridge_parent(skb->dev);
 272         if (!skb->dev)
 273                 goto free_skb;
 274         dst = skb_dst(skb);
 275         neigh = dst_neigh_lookup_skb(dst, skb);
 276         if (neigh) {
 277                 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 278                 int ret;
 279 
 280                 if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) {
 281                         neigh_hh_bridge(&neigh->hh, skb);
 282                         skb->dev = nf_bridge->physindev;
 283                         ret = br_handle_frame_finish(net, sk, skb);
 284                 } else {
 285                         /* the neighbour function below overwrites the complete
 286                          * MAC header, so we save the Ethernet source address and
 287                          * protocol number.
 288                          */
 289                         skb_copy_from_linear_data_offset(skb,
 290                                                          -(ETH_HLEN-ETH_ALEN),
 291                                                          nf_bridge->neigh_header,
 292                                                          ETH_HLEN-ETH_ALEN);
 293                         /* tell br_dev_xmit to continue with forwarding */
 294                         nf_bridge->bridged_dnat = 1;
 295                         /* FIXME Need to refragment */
 296                         ret = neigh->output(neigh, skb);
 297                 }
 298                 neigh_release(neigh);
 299                 return ret;
 300         }
 301 free_skb:
 302         kfree_skb(skb);
 303         return 0;
 304 }
 305 
 306 static inline bool
 307 br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
 308                              const struct nf_bridge_info *nf_bridge)
 309 {
 310         return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
 311 }
 312 
 313 /* This requires some explaining. If DNAT has taken place,
 314  * we will need to fix up the destination Ethernet address.
 315  * This is also true when SNAT takes place (for the reply direction).
 316  *
 317  * There are two cases to consider:
 318  * 1. The packet was DNAT'ed to a device in the same bridge
 319  *    port group as it was received on. We can still bridge
 320  *    the packet.
 321  * 2. The packet was DNAT'ed to a different device, either
 322  *    a non-bridged device or another bridge port group.
 323  *    The packet will need to be routed.
 324  *
 325  * The correct way of distinguishing between these two cases is to
 326  * call ip_route_input() and to look at skb->dst->dev, which is
 327  * changed to the destination device if ip_route_input() succeeds.
 328  *
 329  * Let's first consider the case that ip_route_input() succeeds:
 330  *
 331  * If the output device equals the logical bridge device the packet
 332  * came in on, we can consider this bridging. The corresponding MAC
 333  * address will be obtained in br_nf_pre_routing_finish_bridge.
 334  * Otherwise, the packet is considered to be routed and we just
 335  * change the destination MAC address so that the packet will
 336  * later be passed up to the IP stack to be routed. For a redirected
 337  * packet, ip_route_input() will give back the localhost as output device,
 338  * which differs from the bridge device.
 339  *
 340  * Let's now consider the case that ip_route_input() fails:
 341  *
 342  * This can be because the destination address is martian, in which case
 343  * the packet will be dropped.
 344  * If IP forwarding is disabled, ip_route_input() will fail, while
 345  * ip_route_output_key() can return success. The source
 346  * address for ip_route_output_key() is set to zero, so ip_route_output_key()
 347  * thinks we're handling a locally generated packet and won't care
 348  * if IP forwarding is enabled. If the output device equals the logical bridge
 349  * device, we proceed as if ip_route_input() succeeded. If it differs from the
 350  * logical bridge port or if ip_route_output_key() fails we drop the packet.
 351  */
 352 static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 353 {
 354         struct net_device *dev = skb->dev;
 355         struct iphdr *iph = ip_hdr(skb);
 356         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 357         struct rtable *rt;
 358         int err;
 359 
 360         nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
 361 
 362         if (nf_bridge->pkt_otherhost) {
 363                 skb->pkt_type = PACKET_OTHERHOST;
 364                 nf_bridge->pkt_otherhost = false;
 365         }
 366         nf_bridge->in_prerouting = 0;
 367         if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
 368                 if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
 369                         struct in_device *in_dev = __in_dev_get_rcu(dev);
 370 
 371                         /* If err equals -EHOSTUNREACH the error is due to a
 372                          * martian destination or due to the fact that
 373                          * forwarding is disabled. For most martian packets,
 374                          * ip_route_output_key() will fail. It won't fail for 2 types of
 375                          * martian destinations: loopback destinations and destination
 376                          * 0.0.0.0. In both cases the packet will be dropped because the
 377                          * destination is the loopback device and not the bridge. */
 378                         if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
 379                                 goto free_skb;
 380 
 381                         rt = ip_route_output(net, iph->daddr, 0,
 382                                              RT_TOS(iph->tos), 0);
 383                         if (!IS_ERR(rt)) {
 384                                 /* - Bridged-and-DNAT'ed traffic doesn't
 385                                  *   require ip_forwarding. */
 386                                 if (rt->dst.dev == dev) {
 387                                         skb_dst_set(skb, &rt->dst);
 388                                         goto bridged_dnat;
 389                                 }
 390                                 ip_rt_put(rt);
 391                         }
 392 free_skb:
 393                         kfree_skb(skb);
 394                         return 0;
 395                 } else {
 396                         if (skb_dst(skb)->dev == dev) {
 397 bridged_dnat:
 398                                 skb->dev = nf_bridge->physindev;
 399                                 nf_bridge_update_protocol(skb);
 400                                 nf_bridge_push_encap_header(skb);
 401                                 br_nf_hook_thresh(NF_BR_PRE_ROUTING,
 402                                                   net, sk, skb, skb->dev,
 403                                                   NULL,
 404                                                   br_nf_pre_routing_finish_bridge);
 405                                 return 0;
 406                         }
 407                         ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
 408                         skb->pkt_type = PACKET_HOST;
 409                 }
 410         } else {
 411                 rt = bridge_parent_rtable(nf_bridge->physindev);
 412                 if (!rt) {
 413                         kfree_skb(skb);
 414                         return 0;
 415                 }
 416                 skb_dst_set_noref(skb, &rt->dst);
 417         }
 418 
 419         skb->dev = nf_bridge->physindev;
 420         nf_bridge_update_protocol(skb);
 421         nf_bridge_push_encap_header(skb);
 422         br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL,
 423                           br_handle_frame_finish);
 424         return 0;
 425 }
 426 
 427 static struct net_device *brnf_get_logical_dev(struct sk_buff *skb,
 428                                                const struct net_device *dev,
 429                                                const struct net *net)
 430 {
 431         struct net_device *vlan, *br;
 432         struct brnf_net *brnet = net_generic(net, brnf_net_id);
 433 
 434         br = bridge_parent(dev);
 435 
 436         if (brnet->pass_vlan_indev == 0 || !skb_vlan_tag_present(skb))
 437                 return br;
 438 
 439         vlan = __vlan_find_dev_deep_rcu(br, skb->vlan_proto,
 440                                     skb_vlan_tag_get(skb) & VLAN_VID_MASK);
 441 
 442         return vlan ? vlan : br;
 443 }
 444 
 445 /* Some common code for IPv4/IPv6 */
 446 struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net)
 447 {
 448         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 449 
 450         if (skb->pkt_type == PACKET_OTHERHOST) {
 451                 skb->pkt_type = PACKET_HOST;
 452                 nf_bridge->pkt_otherhost = true;
 453         }
 454 
 455         nf_bridge->in_prerouting = 1;
 456         nf_bridge->physindev = skb->dev;
 457         skb->dev = brnf_get_logical_dev(skb, skb->dev, net);
 458 
 459         if (skb->protocol == htons(ETH_P_8021Q))
 460                 nf_bridge->orig_proto = BRNF_PROTO_8021Q;
 461         else if (skb->protocol == htons(ETH_P_PPP_SES))
 462                 nf_bridge->orig_proto = BRNF_PROTO_PPPOE;
 463 
 464         /* Must drop socket now because of tproxy. */
 465         skb_orphan(skb);
 466         return skb->dev;
 467 }
 468 
 469 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 470  * Replicate the checks that IPv4 does on packet reception.
 471  * Set skb->dev to the bridge device (i.e. parent of the
 472  * receiving device) to make netfilter happy, the REDIRECT
 473  * target in particular.  Save the original destination IP
 474  * address to be able to detect DNAT afterwards. */
 475 static unsigned int br_nf_pre_routing(void *priv,
 476                                       struct sk_buff *skb,
 477                                       const struct nf_hook_state *state)
 478 {
 479         struct nf_bridge_info *nf_bridge;
 480         struct net_bridge_port *p;
 481         struct net_bridge *br;
 482         __u32 len = nf_bridge_encap_header_len(skb);
 483         struct brnf_net *brnet;
 484 
 485         if (unlikely(!pskb_may_pull(skb, len)))
 486                 return NF_DROP;
 487 
 488         p = br_port_get_rcu(state->in);
 489         if (p == NULL)
 490                 return NF_DROP;
 491         br = p->br;
 492 
 493         brnet = net_generic(state->net, brnf_net_id);
 494         if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
 495             is_pppoe_ipv6(skb, state->net)) {
 496                 if (!brnet->call_ip6tables &&
 497                     !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
 498                         return NF_ACCEPT;
 499                 if (!ipv6_mod_enabled()) {
 500                         pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
 501                         return NF_DROP;
 502                 }
 503 
 504                 nf_bridge_pull_encap_header_rcsum(skb);
 505                 return br_nf_pre_routing_ipv6(priv, skb, state);
 506         }
 507 
 508         if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES))
 509                 return NF_ACCEPT;
 510 
 511         if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) &&
 512             !is_pppoe_ip(skb, state->net))
 513                 return NF_ACCEPT;
 514 
 515         nf_bridge_pull_encap_header_rcsum(skb);
 516 
 517         if (br_validate_ipv4(state->net, skb))
 518                 return NF_DROP;
 519 
 520         if (!nf_bridge_alloc(skb))
 521                 return NF_DROP;
 522         if (!setup_pre_routing(skb, state->net))
 523                 return NF_DROP;
 524 
 525         nf_bridge = nf_bridge_info_get(skb);
 526         nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
 527 
 528         skb->protocol = htons(ETH_P_IP);
 529         skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
 530 
 531         NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
 532                 skb->dev, NULL,
 533                 br_nf_pre_routing_finish);
 534 
 535         return NF_STOLEN;
 536 }
 537 
 538 
 539 /* PF_BRIDGE/FORWARD *************************************************/
 540 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 541 {
 542         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 543         struct net_device *in;
 544 
 545         if (!IS_ARP(skb) && !is_vlan_arp(skb, net)) {
 546 
 547                 if (skb->protocol == htons(ETH_P_IP))
 548                         nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
 549 
 550                 if (skb->protocol == htons(ETH_P_IPV6))
 551                         nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
 552 
 553                 in = nf_bridge->physindev;
 554                 if (nf_bridge->pkt_otherhost) {
 555                         skb->pkt_type = PACKET_OTHERHOST;
 556                         nf_bridge->pkt_otherhost = false;
 557                 }
 558                 nf_bridge_update_protocol(skb);
 559         } else {
 560                 in = *((struct net_device **)(skb->cb));
 561         }
 562         nf_bridge_push_encap_header(skb);
 563 
 564         br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev,
 565                           br_forward_finish);
 566         return 0;
 567 }
 568 
 569 
 570 /* This is the 'purely bridged' case.  For IP, we pass the packet to
 571  * netfilter with indev and outdev set to the bridge device,
 572  * but we are still able to filter on the 'real' indev/outdev
 573  * because of the physdev module. For ARP, indev and outdev are the
 574  * bridge ports. */
 575 static unsigned int br_nf_forward_ip(void *priv,
 576                                      struct sk_buff *skb,
 577                                      const struct nf_hook_state *state)
 578 {
 579         struct nf_bridge_info *nf_bridge;
 580         struct net_device *parent;
 581         u_int8_t pf;
 582 
 583         nf_bridge = nf_bridge_info_get(skb);
 584         if (!nf_bridge)
 585                 return NF_ACCEPT;
 586 
 587         /* Need exclusive nf_bridge_info since we might have multiple
 588          * different physoutdevs. */
 589         if (!nf_bridge_unshare(skb))
 590                 return NF_DROP;
 591 
 592         nf_bridge = nf_bridge_info_get(skb);
 593         if (!nf_bridge)
 594                 return NF_DROP;
 595 
 596         parent = bridge_parent(state->out);
 597         if (!parent)
 598                 return NF_DROP;
 599 
 600         if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
 601             is_pppoe_ip(skb, state->net))
 602                 pf = NFPROTO_IPV4;
 603         else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
 604                  is_pppoe_ipv6(skb, state->net))
 605                 pf = NFPROTO_IPV6;
 606         else
 607                 return NF_ACCEPT;
 608 
 609         nf_bridge_pull_encap_header(skb);
 610 
 611         if (skb->pkt_type == PACKET_OTHERHOST) {
 612                 skb->pkt_type = PACKET_HOST;
 613                 nf_bridge->pkt_otherhost = true;
 614         }
 615 
 616         if (pf == NFPROTO_IPV4) {
 617                 if (br_validate_ipv4(state->net, skb))
 618                         return NF_DROP;
 619                 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
 620         }
 621 
 622         if (pf == NFPROTO_IPV6) {
 623                 if (br_validate_ipv6(state->net, skb))
 624                         return NF_DROP;
 625                 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
 626         }
 627 
 628         nf_bridge->physoutdev = skb->dev;
 629         if (pf == NFPROTO_IPV4)
 630                 skb->protocol = htons(ETH_P_IP);
 631         else
 632                 skb->protocol = htons(ETH_P_IPV6);
 633 
 634         NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,
 635                 brnf_get_logical_dev(skb, state->in, state->net),
 636                 parent, br_nf_forward_finish);
 637 
 638         return NF_STOLEN;
 639 }
 640 
 641 static unsigned int br_nf_forward_arp(void *priv,
 642                                       struct sk_buff *skb,
 643                                       const struct nf_hook_state *state)
 644 {
 645         struct net_bridge_port *p;
 646         struct net_bridge *br;
 647         struct net_device **d = (struct net_device **)(skb->cb);
 648         struct brnf_net *brnet;
 649 
 650         p = br_port_get_rcu(state->out);
 651         if (p == NULL)
 652                 return NF_ACCEPT;
 653         br = p->br;
 654 
 655         brnet = net_generic(state->net, brnf_net_id);
 656         if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
 657                 return NF_ACCEPT;
 658 
 659         if (!IS_ARP(skb)) {
 660                 if (!is_vlan_arp(skb, state->net))
 661                         return NF_ACCEPT;
 662                 nf_bridge_pull_encap_header(skb);
 663         }
 664 
 665         if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
 666                 return NF_DROP;
 667 
 668         if (arp_hdr(skb)->ar_pln != 4) {
 669                 if (is_vlan_arp(skb, state->net))
 670                         nf_bridge_push_encap_header(skb);
 671                 return NF_ACCEPT;
 672         }
 673         *d = state->in;
 674         NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb,
 675                 state->in, state->out, br_nf_forward_finish);
 676 
 677         return NF_STOLEN;
 678 }
 679 
 680 static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
 681 {
 682         struct brnf_frag_data *data;
 683         int err;
 684 
 685         data = this_cpu_ptr(&brnf_frag_data_storage);
 686         err = skb_cow_head(skb, data->size);
 687 
 688         if (err) {
 689                 kfree_skb(skb);
 690                 return 0;
 691         }
 692 
 693         if (data->vlan_proto)
 694                 __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
 695 
 696         skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
 697         __skb_push(skb, data->encap_size);
 698 
 699         nf_bridge_info_free(skb);
 700         return br_dev_queue_push_xmit(net, sk, skb);
 701 }
 702 
 703 static int
 704 br_nf_ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
 705                   int (*output)(struct net *, struct sock *, struct sk_buff *))
 706 {
 707         unsigned int mtu = ip_skb_dst_mtu(sk, skb);
 708         struct iphdr *iph = ip_hdr(skb);
 709 
 710         if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) ||
 711                      (IPCB(skb)->frag_max_size &&
 712                       IPCB(skb)->frag_max_size > mtu))) {
 713                 IP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);
 714                 kfree_skb(skb);
 715                 return -EMSGSIZE;
 716         }
 717 
 718         return ip_do_fragment(net, sk, skb, output);
 719 }
 720 
 721 static unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
 722 {
 723         const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 724 
 725         if (nf_bridge->orig_proto == BRNF_PROTO_PPPOE)
 726                 return PPPOE_SES_HLEN;
 727         return 0;
 728 }
 729 
 730 static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
 731 {
 732         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 733         unsigned int mtu, mtu_reserved;
 734 
 735         mtu_reserved = nf_bridge_mtu_reduction(skb);
 736         mtu = skb->dev->mtu;
 737 
 738         if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
 739                 mtu = nf_bridge->frag_max_size;
 740 
 741         if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
 742                 nf_bridge_info_free(skb);
 743                 return br_dev_queue_push_xmit(net, sk, skb);
 744         }
 745 
 746         /* This is wrong! We should preserve the original fragment
 747          * boundaries by preserving frag_list rather than refragmenting.
 748          */
 749         if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) &&
 750             skb->protocol == htons(ETH_P_IP)) {
 751                 struct brnf_frag_data *data;
 752 
 753                 if (br_validate_ipv4(net, skb))
 754                         goto drop;
 755 
 756                 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
 757 
 758                 nf_bridge_update_protocol(skb);
 759 
 760                 data = this_cpu_ptr(&brnf_frag_data_storage);
 761 
 762                 if (skb_vlan_tag_present(skb)) {
 763                         data->vlan_tci = skb->vlan_tci;
 764                         data->vlan_proto = skb->vlan_proto;
 765                 } else {
 766                         data->vlan_proto = 0;
 767                 }
 768 
 769                 data->encap_size = nf_bridge_encap_header_len(skb);
 770                 data->size = ETH_HLEN + data->encap_size;
 771 
 772                 skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
 773                                                  data->size);
 774 
 775                 return br_nf_ip_fragment(net, sk, skb, br_nf_push_frag_xmit);
 776         }
 777         if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) &&
 778             skb->protocol == htons(ETH_P_IPV6)) {
 779                 const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
 780                 struct brnf_frag_data *data;
 781 
 782                 if (br_validate_ipv6(net, skb))
 783                         goto drop;
 784 
 785                 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
 786 
 787                 nf_bridge_update_protocol(skb);
 788 
 789                 data = this_cpu_ptr(&brnf_frag_data_storage);
 790                 data->encap_size = nf_bridge_encap_header_len(skb);
 791                 data->size = ETH_HLEN + data->encap_size;
 792 
 793                 skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
 794                                                  data->size);
 795 
 796                 if (v6ops)
 797                         return v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit);
 798 
 799                 kfree_skb(skb);
 800                 return -EMSGSIZE;
 801         }
 802         nf_bridge_info_free(skb);
 803         return br_dev_queue_push_xmit(net, sk, skb);
 804  drop:
 805         kfree_skb(skb);
 806         return 0;
 807 }
 808 
 809 /* PF_BRIDGE/POST_ROUTING ********************************************/
 810 static unsigned int br_nf_post_routing(void *priv,
 811                                        struct sk_buff *skb,
 812                                        const struct nf_hook_state *state)
 813 {
 814         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 815         struct net_device *realoutdev = bridge_parent(skb->dev);
 816         u_int8_t pf;
 817 
 818         /* if nf_bridge is set, but ->physoutdev is NULL, this packet came in
 819          * on a bridge, but was delivered locally and is now being routed:
 820          *
 821          * POST_ROUTING was already invoked from the ip stack.
 822          */
 823         if (!nf_bridge || !nf_bridge->physoutdev)
 824                 return NF_ACCEPT;
 825 
 826         if (!realoutdev)
 827                 return NF_DROP;
 828 
 829         if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||
 830             is_pppoe_ip(skb, state->net))
 831                 pf = NFPROTO_IPV4;
 832         else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
 833                  is_pppoe_ipv6(skb, state->net))
 834                 pf = NFPROTO_IPV6;
 835         else
 836                 return NF_ACCEPT;
 837 
 838         /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
 839          * about the value of skb->pkt_type. */
 840         if (skb->pkt_type == PACKET_OTHERHOST) {
 841                 skb->pkt_type = PACKET_HOST;
 842                 nf_bridge->pkt_otherhost = true;
 843         }
 844 
 845         nf_bridge_pull_encap_header(skb);
 846         if (pf == NFPROTO_IPV4)
 847                 skb->protocol = htons(ETH_P_IP);
 848         else
 849                 skb->protocol = htons(ETH_P_IPV6);
 850 
 851         NF_HOOK(pf, NF_INET_POST_ROUTING, state->net, state->sk, skb,
 852                 NULL, realoutdev,
 853                 br_nf_dev_queue_xmit);
 854 
 855         return NF_STOLEN;
 856 }
 857 
 858 /* IP/SABOTAGE *****************************************************/
 859 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
 860  * for the second time. */
 861 static unsigned int ip_sabotage_in(void *priv,
 862                                    struct sk_buff *skb,
 863                                    const struct nf_hook_state *state)
 864 {
 865         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 866 
 867         if (nf_bridge && !nf_bridge->in_prerouting &&
 868             !netif_is_l3_master(skb->dev) &&
 869             !netif_is_l3_slave(skb->dev)) {
 870                 state->okfn(state->net, state->sk, skb);
 871                 return NF_STOLEN;
 872         }
 873 
 874         return NF_ACCEPT;
 875 }
 876 
 877 /* This is called when br_netfilter has called into iptables/netfilter,
 878  * and DNAT has taken place on a bridge-forwarded packet.
 879  *
 880  * neigh->output has created a new MAC header, with local br0 MAC
 881  * as saddr.
 882  *
 883  * This restores the original MAC saddr of the bridged packet
 884  * before invoking bridge forward logic to transmit the packet.
 885  */
 886 static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
 887 {
 888         struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 889 
 890         skb_pull(skb, ETH_HLEN);
 891         nf_bridge->bridged_dnat = 0;
 892 
 893         BUILD_BUG_ON(sizeof(nf_bridge->neigh_header) != (ETH_HLEN - ETH_ALEN));
 894 
 895         skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN),
 896                                        nf_bridge->neigh_header,
 897                                        ETH_HLEN - ETH_ALEN);
 898         skb->dev = nf_bridge->physindev;
 899 
 900         nf_bridge->physoutdev = NULL;
 901         br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
 902 }
 903 
 904 static int br_nf_dev_xmit(struct sk_buff *skb)
 905 {
 906         const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
 907 
 908         if (nf_bridge && nf_bridge->bridged_dnat) {
 909                 br_nf_pre_routing_finish_bridge_slow(skb);
 910                 return 1;
 911         }
 912         return 0;
 913 }
 914 
 915 static const struct nf_br_ops br_ops = {
 916         .br_dev_xmit_hook =     br_nf_dev_xmit,
 917 };
 918 
 919 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
 920  * br_dev_queue_push_xmit is called afterwards */
 921 static const struct nf_hook_ops br_nf_ops[] = {
 922         {
 923                 .hook = br_nf_pre_routing,
 924                 .pf = NFPROTO_BRIDGE,
 925                 .hooknum = NF_BR_PRE_ROUTING,
 926                 .priority = NF_BR_PRI_BRNF,
 927         },
 928         {
 929                 .hook = br_nf_forward_ip,
 930                 .pf = NFPROTO_BRIDGE,
 931                 .hooknum = NF_BR_FORWARD,
 932                 .priority = NF_BR_PRI_BRNF - 1,
 933         },
 934         {
 935                 .hook = br_nf_forward_arp,
 936                 .pf = NFPROTO_BRIDGE,
 937                 .hooknum = NF_BR_FORWARD,
 938                 .priority = NF_BR_PRI_BRNF,
 939         },
 940         {
 941                 .hook = br_nf_post_routing,
 942                 .pf = NFPROTO_BRIDGE,
 943                 .hooknum = NF_BR_POST_ROUTING,
 944                 .priority = NF_BR_PRI_LAST,
 945         },
 946         {
 947                 .hook = ip_sabotage_in,
 948                 .pf = NFPROTO_IPV4,
 949                 .hooknum = NF_INET_PRE_ROUTING,
 950                 .priority = NF_IP_PRI_FIRST,
 951         },
 952         {
 953                 .hook = ip_sabotage_in,
 954                 .pf = NFPROTO_IPV6,
 955                 .hooknum = NF_INET_PRE_ROUTING,
 956                 .priority = NF_IP6_PRI_FIRST,
 957         },
 958 };
 959 
 960 static int brnf_device_event(struct notifier_block *unused, unsigned long event,
 961                              void *ptr)
 962 {
 963         struct net_device *dev = netdev_notifier_info_to_dev(ptr);
 964         struct brnf_net *brnet;
 965         struct net *net;
 966         int ret;
 967 
 968         if (event != NETDEV_REGISTER || !(dev->priv_flags & IFF_EBRIDGE))
 969                 return NOTIFY_DONE;
 970 
 971         ASSERT_RTNL();
 972 
 973         net = dev_net(dev);
 974         brnet = net_generic(net, brnf_net_id);
 975         if (brnet->enabled)
 976                 return NOTIFY_OK;
 977 
 978         ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
 979         if (ret)
 980                 return NOTIFY_BAD;
 981 
 982         brnet->enabled = true;
 983         return NOTIFY_OK;
 984 }
 985 
 986 static struct notifier_block brnf_notifier __read_mostly = {
 987         .notifier_call = brnf_device_event,
 988 };
 989 
 990 /* recursively invokes nf_hook_slow (again), skipping already-called
 991  * hooks (< NF_BR_PRI_BRNF).
 992  *
 993  * Called with rcu read lock held.
 994  */
 995 int br_nf_hook_thresh(unsigned int hook, struct net *net,
 996                       struct sock *sk, struct sk_buff *skb,
 997                       struct net_device *indev,
 998                       struct net_device *outdev,
 999                       int (*okfn)(struct net *, struct sock *,
1000                                   struct sk_buff *))
1001 {
1002         const struct nf_hook_entries *e;
1003         struct nf_hook_state state;
1004         struct nf_hook_ops **ops;
1005         unsigned int i;
1006         int ret;
1007 
1008         e = rcu_dereference(net->nf.hooks_bridge[hook]);
1009         if (!e)
1010                 return okfn(net, sk, skb);
1011 
1012         ops = nf_hook_entries_get_hook_ops(e);
1013         for (i = 0; i < e->num_hook_entries &&
1014               ops[i]->priority <= NF_BR_PRI_BRNF; i++)
1015                 ;
1016 
1017         nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev,
1018                            sk, net, okfn);
1019 
1020         ret = nf_hook_slow(skb, &state, e, i);
1021         if (ret == 1)
1022                 ret = okfn(net, sk, skb);
1023 
1024         return ret;
1025 }
1026 
1027 #ifdef CONFIG_SYSCTL
1028 static
1029 int brnf_sysctl_call_tables(struct ctl_table *ctl, int write,
1030                             void __user *buffer, size_t *lenp, loff_t *ppos)
1031 {
1032         int ret;
1033 
1034         ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1035 
1036         if (write && *(int *)(ctl->data))
1037                 *(int *)(ctl->data) = 1;
1038         return ret;
1039 }
1040 
1041 static struct ctl_table brnf_table[] = {
1042         {
1043                 .procname       = "bridge-nf-call-arptables",
1044                 .maxlen         = sizeof(int),
1045                 .mode           = 0644,
1046                 .proc_handler   = brnf_sysctl_call_tables,
1047         },
1048         {
1049                 .procname       = "bridge-nf-call-iptables",
1050                 .maxlen         = sizeof(int),
1051                 .mode           = 0644,
1052                 .proc_handler   = brnf_sysctl_call_tables,
1053         },
1054         {
1055                 .procname       = "bridge-nf-call-ip6tables",
1056                 .maxlen         = sizeof(int),
1057                 .mode           = 0644,
1058                 .proc_handler   = brnf_sysctl_call_tables,
1059         },
1060         {
1061                 .procname       = "bridge-nf-filter-vlan-tagged",
1062                 .maxlen         = sizeof(int),
1063                 .mode           = 0644,
1064                 .proc_handler   = brnf_sysctl_call_tables,
1065         },
1066         {
1067                 .procname       = "bridge-nf-filter-pppoe-tagged",
1068                 .maxlen         = sizeof(int),
1069                 .mode           = 0644,
1070                 .proc_handler   = brnf_sysctl_call_tables,
1071         },
1072         {
1073                 .procname       = "bridge-nf-pass-vlan-input-dev",
1074                 .maxlen         = sizeof(int),
1075                 .mode           = 0644,
1076                 .proc_handler   = brnf_sysctl_call_tables,
1077         },
1078         { }
1079 };
1080 
1081 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
1082 {
1083         brnf->call_iptables = 1;
1084         brnf->call_ip6tables = 1;
1085         brnf->call_arptables = 1;
1086         brnf->filter_vlan_tagged = 0;
1087         brnf->filter_pppoe_tagged = 0;
1088         brnf->pass_vlan_indev = 0;
1089 }
1090 
1091 static int br_netfilter_sysctl_init_net(struct net *net)
1092 {
1093         struct ctl_table *table = brnf_table;
1094         struct brnf_net *brnet;
1095 
1096         if (!net_eq(net, &init_net)) {
1097                 table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL);
1098                 if (!table)
1099                         return -ENOMEM;
1100         }
1101 
1102         brnet = net_generic(net, brnf_net_id);
1103         table[0].data = &brnet->call_arptables;
1104         table[1].data = &brnet->call_iptables;
1105         table[2].data = &brnet->call_ip6tables;
1106         table[3].data = &brnet->filter_vlan_tagged;
1107         table[4].data = &brnet->filter_pppoe_tagged;
1108         table[5].data = &brnet->pass_vlan_indev;
1109 
1110         br_netfilter_sysctl_default(brnet);
1111 
1112         brnet->ctl_hdr = register_net_sysctl(net, "net/bridge", table);
1113         if (!brnet->ctl_hdr) {
1114                 if (!net_eq(net, &init_net))
1115                         kfree(table);
1116 
1117                 return -ENOMEM;
1118         }
1119 
1120         return 0;
1121 }
1122 
1123 static void br_netfilter_sysctl_exit_net(struct net *net,
1124                                          struct brnf_net *brnet)
1125 {
1126         struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg;
1127 
1128         unregister_net_sysctl_table(brnet->ctl_hdr);
1129         if (!net_eq(net, &init_net))
1130                 kfree(table);
1131 }
1132 
1133 static int __net_init brnf_init_net(struct net *net)
1134 {
1135         return br_netfilter_sysctl_init_net(net);
1136 }
1137 #endif
1138 
1139 static void __net_exit brnf_exit_net(struct net *net)
1140 {
1141         struct brnf_net *brnet;
1142 
1143         brnet = net_generic(net, brnf_net_id);
1144         if (brnet->enabled) {
1145                 nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops));
1146                 brnet->enabled = false;
1147         }
1148 
1149 #ifdef CONFIG_SYSCTL
1150         br_netfilter_sysctl_exit_net(net, brnet);
1151 #endif
1152 }
1153 
1154 static struct pernet_operations brnf_net_ops __read_mostly = {
1155 #ifdef CONFIG_SYSCTL
1156         .init = brnf_init_net,
1157 #endif
1158         .exit = brnf_exit_net,
1159         .id   = &brnf_net_id,
1160         .size = sizeof(struct brnf_net),
1161 };
1162 
1163 static int __init br_netfilter_init(void)
1164 {
1165         int ret;
1166 
1167         ret = register_pernet_subsys(&brnf_net_ops);
1168         if (ret < 0)
1169                 return ret;
1170 
1171         ret = register_netdevice_notifier(&brnf_notifier);
1172         if (ret < 0) {
1173                 unregister_pernet_subsys(&brnf_net_ops);
1174                 return ret;
1175         }
1176 
1177         RCU_INIT_POINTER(nf_br_ops, &br_ops);
1178         printk(KERN_NOTICE "Bridge firewalling registered\n");
1179         return 0;
1180 }
1181 
1182 static void __exit br_netfilter_fini(void)
1183 {
1184         RCU_INIT_POINTER(nf_br_ops, NULL);
1185         unregister_netdevice_notifier(&brnf_notifier);
1186         unregister_pernet_subsys(&brnf_net_ops);
1187 }
1188 
1189 module_init(br_netfilter_init);
1190 module_exit(br_netfilter_fini);
1191 
1192 MODULE_LICENSE("GPL");
1193 MODULE_AUTHOR("Lennert Buytenhek <buytenh@gnu.org>");
1194 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
1195 MODULE_DESCRIPTION("Linux ethernet netfilter firewall bridge");
/* [<][>][^][v][top][bottom][index][help] */