FEX-Emu/linux
1
0
Fork 0
mirror of https://github.com/FEX-Emu/linux.git synced 2024-12-16 05:50:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
739e4505a0
linux/net
History
Florian Westphal 739e4505a0 bridge: netfilter: don't call iptables on vlan packets if sysctl is off 
When net.bridge.bridge-nf-filter-vlan-tagged is 0 (default), vlan packets
arriving should not be sent to ip(6)tables by bridge netfilter.

However, it turns out that we currently always send VLAN packets to
netfilter, if ..
a), CONFIG_VLAN_8021Q is enabled ; or
b), CONFIG_VLAN_8021Q is not set but rx vlan offload is enabled
   on the bridge port.

This is because bridge netfilter treats skb with
skb->protocol == ETH_P_IP{V6} as "non-vlan packet".

With rx vlan offload on or CONFIG_VLAN_8021Q=y, the vlan header has
already been removed here, and we cannot rely on skb->protocol alone.

Fix this by only using skb->protocol if the skb has no vlan tag,
or if a vlan tag is present and filter-vlan-tagged bridge netfilter
sysctl is enabled.

We cannot remove the skb->protocol == htons(ETH_P_8021Q) test
because the vlan tag is still around in the CONFIG_VLAN_8021Q=n &&
"ethtool -K $itf rxvlan off" case.

reproducer:
iptables -t raw -I PREROUTING -i br0
iptables -t raw -I PREROUTING -i br0.1

Then send packets to an ip address configured on br0.1 interface.
Even with net.bridge.bridge-nf-filter-vlan-tagged=0, the 1st rule
will match instead of the 2nd one.

With this patch applied, the 2nd rule will match instead.
In the non-local address case, netfilter won't be consulted after
this patch unless the sysctl is switched on.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-03-06 14:43:49 -05:00
..
9p virtio: rename virtqueue_add_buf_gfp to virtqueue_add_buf 2012-01-12 15:44:42 +10:30
802
8021q
appletalk
atm atm: clip: remove clip_tbl 2012-02-22 02:23:25 -05:00
ax25 ax25: avoid overflows in ax25_setsockopt() 2011-12-28 14:08:08 -05:00
batman-adv batman-adv: Fix merge error. 2011-12-16 15:07:28 -05:00
bluetooth Bluetooth: Fix possible use after free in delete path 2012-02-15 13:09:26 +02:00
bridge bridge: netfilter: don't call iptables on vlan packets if sysctl is off 2012-03-06 14:43:49 -05:00
caif caif: Bugfix double kfree_skb upon xmit failure 2012-02-02 14:35:12 -05:00
can
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-02-02 15:47:33 -08:00
core rtnetlink: fix rtnl_calcit() and rtnl_dump_ifinfo() 2012-03-04 22:02:55 -05:00
dcb
dccp inet_diag: Rename inet_diag_req into inet_diag_req_v2 2012-01-11 12:56:06 -08:00
decnet Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-14 18:36:33 -08:00
dns_resolver
dsa
econet
ethernet
ieee802154
ipv4 tcp: fix tcp_shift_skb_data() to not shift SACKed data below snd_una 2012-03-06 14:43:49 -05:00
ipv6 ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
ipx
irda irda: use msecs_to_jiffies() rather than manual calculation 2011-12-21 15:46:22 -05:00
iucv af_iucv: get rid of state IUCV_SEVERED 2011-12-20 14:05:03 -05:00
key
l2tp l2tp: l2tp_ip - fix possible oops on packet receive 2012-01-25 21:45:00 -05:00
lapb
llc llc: Fix race condition in llc_ui_recvmsg 2012-01-24 15:33:19 -05:00
mac80211 mac80211: Fix a warning on changing to monitor mode from STA 2012-02-21 14:45:27 -05:00
netfilter netfilter: ctnetlink: remove incorrect spin_[un]lock_bh on NAT module autoload 2012-03-06 14:43:49 -05:00
netlabel net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
netlink Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-14 18:36:33 -08:00
netrom netrom: avoid overflows in nr_setsockopt() 2011-12-28 14:08:08 -05:00
nfc NFC: Export a new attribute nfcid1 in target info 2012-01-04 14:30:43 -05:00
openvswitch openvswitch: Fix multipart datapath dumps. 2012-01-17 23:56:19 -05:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2011-12-30 13:04:14 -05:00
phonet net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
rds rds: Make rds_sock_lock BH rather than IRQ safe. 2012-01-24 17:03:44 -05:00
rfkill Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2012-01-05 10:13:24 -05:00
rose
rxrpc RxRPC: Fix kcalloc parameters swapped 2012-02-14 14:41:55 -05:00
sched netem: fix dequeue 2012-02-19 18:57:50 -05:00
sctp Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-01-08 13:21:22 -08:00
sunrpc SUNRPC: Fix machine creds in generic_create_cred and generic_match 2012-01-23 14:03:46 -08:00
tipc tipc: rename struct bearer_name to struct tipc_bearer_names 2011-12-29 21:53:30 -05:00
unix af_unix: fix EPOLLET regression for stream sockets 2012-01-30 12:45:07 -05:00
wanrouter
wimax
wireless nl80211: fix old station flags compatibility 2012-01-11 15:14:50 -05:00
x25 net:x25: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xfrm Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-14 18:36:33 -08:00
compat.c
Kconfig
Makefile
nonet.c
socket.c net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
sysctl_net.c