• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Kernel module to match the bridge port in and
3  * out device for IP packets coming into contact with a bridge. */
4 
5 /* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
6  */
7 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
8 
9 #include <linux/if.h>
10 #include <linux/module.h>
11 #include <linux/skbuff.h>
12 #include <linux/netfilter_bridge.h>
13 #include <linux/netfilter/x_tables.h>
14 #include <uapi/linux/netfilter/xt_physdev.h>
15 
16 MODULE_LICENSE("GPL");
17 MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
18 MODULE_DESCRIPTION("Xtables: Bridge physical device match");
19 MODULE_ALIAS("ipt_physdev");
20 MODULE_ALIAS("ip6t_physdev");
21 
22 
23 static bool
physdev_mt(const struct sk_buff * skb,struct xt_action_param * par)24 physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
25 {
26 	const struct xt_physdev_info *info = par->matchinfo;
27 	const struct net_device *physdev;
28 	unsigned long ret;
29 	const char *indev, *outdev;
30 
31 	/* Not a bridged IP packet or no info available yet:
32 	 * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
33 	 * the destination device will be a bridge. */
34 	if (!nf_bridge_info_exists(skb)) {
35 		/* Return MATCH if the invert flags of the used options are on */
36 		if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
37 		    !(info->invert & XT_PHYSDEV_OP_BRIDGED))
38 			return false;
39 		if ((info->bitmask & XT_PHYSDEV_OP_ISIN) &&
40 		    !(info->invert & XT_PHYSDEV_OP_ISIN))
41 			return false;
42 		if ((info->bitmask & XT_PHYSDEV_OP_ISOUT) &&
43 		    !(info->invert & XT_PHYSDEV_OP_ISOUT))
44 			return false;
45 		if ((info->bitmask & XT_PHYSDEV_OP_IN) &&
46 		    !(info->invert & XT_PHYSDEV_OP_IN))
47 			return false;
48 		if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
49 		    !(info->invert & XT_PHYSDEV_OP_OUT))
50 			return false;
51 		return true;
52 	}
53 
54 	physdev = nf_bridge_get_physoutdev(skb);
55 	outdev = physdev ? physdev->name : NULL;
56 
57 	/* This only makes sense in the FORWARD and POSTROUTING chains */
58 	if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
59 	    (!!outdev ^ !(info->invert & XT_PHYSDEV_OP_BRIDGED)))
60 		return false;
61 
62 	physdev = nf_bridge_get_physindev(skb);
63 	indev = physdev ? physdev->name : NULL;
64 
65 	if ((info->bitmask & XT_PHYSDEV_OP_ISIN &&
66 	    (!indev ^ !!(info->invert & XT_PHYSDEV_OP_ISIN))) ||
67 	    (info->bitmask & XT_PHYSDEV_OP_ISOUT &&
68 	    (!outdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
69 		return false;
70 
71 	if (!(info->bitmask & XT_PHYSDEV_OP_IN))
72 		goto match_outdev;
73 
74 	if (indev) {
75 		ret = ifname_compare_aligned(indev, info->physindev,
76 					     info->in_mask);
77 
78 		if (!ret ^ !(info->invert & XT_PHYSDEV_OP_IN))
79 			return false;
80 	}
81 
82 match_outdev:
83 	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
84 		return true;
85 
86 	if (!outdev)
87 		return false;
88 
89 	ret = ifname_compare_aligned(outdev, info->physoutdev, info->out_mask);
90 
91 	return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT));
92 }
93 
physdev_mt_check(const struct xt_mtchk_param * par)94 static int physdev_mt_check(const struct xt_mtchk_param *par)
95 {
96 	const struct xt_physdev_info *info = par->matchinfo;
97 	static bool brnf_probed __read_mostly;
98 
99 	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
100 	    info->bitmask & ~XT_PHYSDEV_OP_MASK)
101 		return -EINVAL;
102 	if (info->bitmask & (XT_PHYSDEV_OP_OUT | XT_PHYSDEV_OP_ISOUT) &&
103 	    (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
104 	     info->invert & XT_PHYSDEV_OP_BRIDGED) &&
105 	    par->hook_mask & (1 << NF_INET_LOCAL_OUT)) {
106 		pr_info_ratelimited("--physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\n");
107 		return -EINVAL;
108 	}
109 
110 	if (!brnf_probed) {
111 		brnf_probed = true;
112 		request_module("br_netfilter");
113 	}
114 
115 	return 0;
116 }
117 
118 static struct xt_match physdev_mt_reg __read_mostly = {
119 	.name       = "physdev",
120 	.revision   = 0,
121 	.family     = NFPROTO_UNSPEC,
122 	.checkentry = physdev_mt_check,
123 	.match      = physdev_mt,
124 	.matchsize  = sizeof(struct xt_physdev_info),
125 	.me         = THIS_MODULE,
126 };
127 
physdev_mt_init(void)128 static int __init physdev_mt_init(void)
129 {
130 	return xt_register_match(&physdev_mt_reg);
131 }
132 
physdev_mt_exit(void)133 static void __exit physdev_mt_exit(void)
134 {
135 	xt_unregister_match(&physdev_mt_reg);
136 }
137 
138 module_init(physdev_mt_init);
139 module_exit(physdev_mt_exit);
140