linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port
@ 2017-04-19 19:47 Linus Lüssing
  2017-04-25  9:10 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Linus Lüssing @ 2017-04-19 19:47 UTC (permalink / raw)
  To: netdev
  Cc: David S . Miller, Stephen Hemminger, Pablo Neira Ayuso,
	Jozsef Kadlecsik, bridge, netfilter-devel, coreteam,
	linux-kernel, Linus Lüssing

When trying to redirect bridged frames to the bridge device itself or
a bridge port (brouting) via the dnat target then this currently fails:

The ethernet destination of the frame is dnat'ed to the MAC address of
the bridge device or port just fine. However, the IP code drops it in
the beginning of ip_input.c/ip_rcv() as the dnat target left
the skb->pkt_type as PACKET_OTHERHOST.

Fixing this by resetting skb->pkt_type to an appropriate type after
dnat'ing.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

---

Changelog v3:
- moved pkt_type fixup into ebtable dnat code
  -> v1/v2 only fixed it for prerouting/dnat so far, now tested
     and verified that v3 fixes it for brouting/dnat, too
- updated commit message

Changelog v2:
- refrain from altering pkt_type for multicast packets
  with a unicast destination MAC
---
 net/bridge/netfilter/ebt_dnat.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 4e0b0c3..21acb53 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -9,6 +9,7 @@
  */
 #include <linux/module.h>
 #include <net/sock.h>
+#include "../br_private.h"
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_bridge/ebtables.h>
@@ -18,11 +19,32 @@ static unsigned int
 ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct ebt_nat_info *info = par->targinfo;
+	struct net_device *dev;
 
 	if (!skb_make_writable(skb, 0))
 		return EBT_DROP;
 
 	ether_addr_copy(eth_hdr(skb)->h_dest, info->mac);
+
+	if (is_multicast_ether_addr(info->mac)) {
+		if (is_broadcast_ether_addr(info->mac))
+			skb->pkt_type = PACKET_BROADCAST;
+		else
+			skb->pkt_type = PACKET_MULTICAST;
+	} else {
+		rcu_read_lock();
+		if (xt_hooknum(par) != NF_BR_BROUTING)
+			dev = br_port_get_rcu(xt_in(par))->br->dev;
+		else
+			dev = xt_in(par);
+
+		if (ether_addr_equal(info->mac, dev->dev_addr))
+			skb->pkt_type = PACKET_HOST;
+		else
+			skb->pkt_type = PACKET_OTHERHOST;
+		rcu_read_unlock();
+	}
+
 	return info->target;
 }
 
-- 
2.1.4

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port
  2017-04-19 19:47 [PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port Linus Lüssing
@ 2017-04-25  9:10 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2017-04-25  9:10 UTC (permalink / raw)
  To: Linus Lüssing
  Cc: netdev, David S . Miller, Stephen Hemminger, Jozsef Kadlecsik,
	bridge, netfilter-devel, coreteam, linux-kernel

On Wed, Apr 19, 2017 at 09:47:33PM +0200, Linus Lüssing wrote:
> When trying to redirect bridged frames to the bridge device itself or
> a bridge port (brouting) via the dnat target then this currently fails:
> 
> The ethernet destination of the frame is dnat'ed to the MAC address of
> the bridge device or port just fine. However, the IP code drops it in
> the beginning of ip_input.c/ip_rcv() as the dnat target left
> the skb->pkt_type as PACKET_OTHERHOST.
> 
> Fixing this by resetting skb->pkt_type to an appropriate type after
> dnat'ing.

Applied, thanks.

One comment below.
> @@ -18,11 +19,32 @@ static unsigned int
>  ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
>  {
>  	const struct ebt_nat_info *info = par->targinfo;
> +	struct net_device *dev;
>  
>  	if (!skb_make_writable(skb, 0))
>  		return EBT_DROP;
>  
>  	ether_addr_copy(eth_hdr(skb)->h_dest, info->mac);
> +
> +	if (is_multicast_ether_addr(info->mac)) {
> +		if (is_broadcast_ether_addr(info->mac))
> +			skb->pkt_type = PACKET_BROADCAST;
> +		else
> +			skb->pkt_type = PACKET_MULTICAST;
> +	} else {
> +		rcu_read_lock();

I'm going to manually remove this explicit rcu_read_lock() here, no
need to resend. We're guaranteed to run from packet path with read
side lock from netfilter hooks. So we just save some cycles from
running this unnecessary nesting.

Let me know if I'm missing anything. Thanks!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-04-25  9:10 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-19 19:47 [PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port Linus Lüssing
2017-04-25  9:10 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).