8e2f311a68
Following command: iptables -D FORWARD -m physdev ... causes connectivity loss in some setups. Reason is that iptables userspace will probe kernel for the module revision of the physdev patch, and physdev has an artificial dependency on br_netfilter (xt_physdev use makes no sense unless a br_netfilter module is loaded). This causes the "phydev" module to be loaded, which in turn enables the "call-iptables" infrastructure. bridged packets might then get dropped by the iptables ruleset. The better fix would be to change the "call-iptables" defaults to 0 and enforce explicit setting to 1, but that breaks backwards compatibility. This does the next best thing: add a request_module call to checkentry. This was a stray '-D ... -m physdev' won't activate br_netfilter anymore. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
67 lines
1.7 KiB
C
67 lines
1.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _BR_NETFILTER_H_
|
|
#define _BR_NETFILTER_H_
|
|
|
|
#include "../../../net/bridge/br_private.h"
|
|
|
|
static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
|
|
{
|
|
struct nf_bridge_info *b = skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
|
|
|
|
if (b)
|
|
memset(b, 0, sizeof(*b));
|
|
|
|
return b;
|
|
}
|
|
|
|
void nf_bridge_update_protocol(struct sk_buff *skb);
|
|
|
|
int br_nf_hook_thresh(unsigned int hook, struct net *net, struct sock *sk,
|
|
struct sk_buff *skb, struct net_device *indev,
|
|
struct net_device *outdev,
|
|
int (*okfn)(struct net *, struct sock *,
|
|
struct sk_buff *));
|
|
|
|
unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb);
|
|
|
|
static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
|
|
{
|
|
unsigned int len = nf_bridge_encap_header_len(skb);
|
|
|
|
skb_push(skb, len);
|
|
skb->network_header -= len;
|
|
}
|
|
|
|
int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb);
|
|
|
|
static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
|
|
{
|
|
struct net_bridge_port *port;
|
|
|
|
port = br_port_get_rcu(dev);
|
|
return port ? &port->br->fake_rtable : NULL;
|
|
}
|
|
|
|
struct net_device *setup_pre_routing(struct sk_buff *skb);
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
|
|
unsigned int br_nf_pre_routing_ipv6(void *priv,
|
|
struct sk_buff *skb,
|
|
const struct nf_hook_state *state);
|
|
#else
|
|
static inline int br_validate_ipv6(struct net *net, struct sk_buff *skb)
|
|
{
|
|
return -1;
|
|
}
|
|
|
|
static inline unsigned int
|
|
br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
return NF_ACCEPT;
|
|
}
|
|
#endif
|
|
|
|
#endif /* _BR_NETFILTER_H_ */
|