Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e5de75bf authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: bridge: move DNAT helper to br_netfilter 



Only one caller, there is no need to keep this in a header.
Move it to br_netfilter.c where this belongs to.

Based on patch from Florian Westphal.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7a8d831d

include/linux/netfilter_bridge.h

+0 −12
Original line number Diff line number Diff line
@@ -44,18 +44,6 @@ static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb) 
}



int br_handle_frame_finish(struct sk_buff *skb);

/* Only used in br_device.c */

static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)

{

	struct nf_bridge_info *nf_bridge = skb->nf_bridge;



	skb_pull(skb, ETH_HLEN);

	nf_bridge->mask ^= BRNF_BRIDGED_DNAT;

	skb_copy_to_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN),

				       skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);

	skb->dev = nf_bridge->physindev;

	return br_handle_frame_finish(skb);

}



/* This is called by the IP fragmenting code and it ensures there is

 * enough room for the encapsulating header (if there is one). */

net/bridge/br_device.c

+1 −4
Original line number Diff line number Diff line
@@ -36,13 +36,10 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) 
	u16 vid = 0;



	rcu_read_lock();

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

	if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {

		br_nf_pre_routing_finish_bridge_slow(skb);

	if (br_nf_prerouting_finish_bridge(skb)) {

		rcu_read_unlock();

		return NETDEV_TX_OK;

	}

#endif



	u64_stats_update_begin(&brstats->syncp);

	brstats->tx_packets++;

net/bridge/br_netfilter.c

+32 −0
Original line number Diff line number Diff line
@@ -892,6 +892,38 @@ static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops, 
	return NF_ACCEPT;

}



/* This is called when br_netfilter has called into iptables/netfilter,

 * and DNAT has taken place on a bridge-forwarded packet.

 *

 * neigh->output has created a new MAC header, with local br0 MAC

 * as saddr.

 *

 * This restores the original MAC saddr of the bridged packet

 * before invoking bridge forward logic to transmit the packet.

 */

static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)

{

	struct nf_bridge_info *nf_bridge = skb->nf_bridge;



	skb_pull(skb, ETH_HLEN);

	nf_bridge->mask &= ~BRNF_BRIDGED_DNAT;



	skb_copy_to_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN),

				       skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);

	skb->dev = nf_bridge->physindev;

	br_handle_frame_finish(skb);

}



int br_nf_prerouting_finish_bridge(struct sk_buff *skb)

{

	if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {

		br_nf_pre_routing_finish_bridge_slow(skb);

		return 1;

	}

	return 0;

}

EXPORT_SYMBOL_GPL(br_nf_prerouting_finish_bridge);



void br_netfilter_enable(void)

{

}

net/bridge/br_private.h

+5 −0
Original line number Diff line number Diff line
@@ -764,10 +764,15 @@ static inline int br_vlan_enabled(struct net_bridge *br) 


/* br_netfilter.c */

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

int br_nf_prerouting_finish_bridge(struct sk_buff *skb);

int br_nf_core_init(void);

void br_nf_core_fini(void);

void br_netfilter_rtable_init(struct net_bridge *);

#else

static inline int br_nf_prerouting_finish_bridge(struct sk_buff *skb)

{

        return 0;

}

static inline int br_nf_core_init(void) { return 0; }

static inline void br_nf_core_fini(void) {}

#define br_netfilter_rtable_init(x)