1 /* Kernel module to match the bridge port in and
2  * out device for IP packets coming into contact with a bridge. */
3 
4 /* (C) 2001-2003 Bart De Schuymer <[email protected]>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  */
10 
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter/xt_physdev.h>
#include <linux/netfilter/x_tables.h>
/* NOTE(review): duplicate of the <linux/netfilter_bridge.h> include above;
 * harmless if the header is include-guarded, but it should be dropped. */
#include <linux/netfilter_bridge.h>
/* Return values of match(): 1 = the rule matches, 0 = it does not. */
#define MATCH   1
#define NOMATCH 0

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <[email protected]>");
MODULE_DESCRIPTION("iptables bridge physical device match module");
/* Per-family aliases so requests for the old ipt_/ip6t_ module names
 * resolve to this single module. */
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
25 
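/* Compare two IFNAMSIZ-byte interface names under a byte mask.
 *
 * @name:    device name (IFNAMSIZ bytes, e.g. net_device::name or nulldevname)
 * @pattern: name from the rule (xt_physdev_info::physindev / physoutdev)
 * @mask:    rule mask (xt_physdev_info::in_mask / out_mask); only bytes with
 *           a set mask bit take part in the comparison
 *
 * Returns 0 when every masked byte is equal, non-zero otherwise.  The compare
 * is done one unsigned int at a time, so all three buffers must be readable
 * as unsigned int: IFNAMSIZ bytes long and suitably aligned.  The loop bound
 * is fixed at IFNAMSIZ, so an unterminated name supplied from userspace
 * cannot make the compare run past the end of either array.
 */
static unsigned int
physdev_name_cmp(const char *name, const char *pattern, const char *mask)
{
	const unsigned int *n = (const unsigned int *)name;
	const unsigned int *p = (const unsigned int *)pattern;
	const unsigned int *m = (const unsigned int *)mask;
	unsigned int diff = 0;
	unsigned int i;

	for (i = 0; i < IFNAMSIZ / sizeof(unsigned int); i++)
		diff |= (n[i] ^ p[i]) & m[i];

	return diff;
}

/* Match on the bridge port(s) a packet entered or will leave through.
 *
 * @skb:       packet under inspection; skb->nf_bridge carries the bridge
 *             port info filled in by br_netfilter, or is NULL
 * @in, @out:  unused; physdev looks at the bridge ports, not the IP devices
 * @match:     unused
 * @matchinfo: struct xt_physdev_info from the rule (validated by checkentry)
 * @offset, @protoff, @hotdrop: unused
 *
 * Returns MATCH (1) or NOMATCH (0).  Each --physdev-* option is evaluated
 * only if its bit is set in info->bitmask, and its outcome is flipped when
 * the same bit is set in info->invert.
 */
static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      int *hotdrop)
{
	/* Stand-in name used when physindev/physoutdev is NULL.  Explicitly
	 * aligned because physdev_name_cmp() reads it as unsigned int; a plain
	 * static char array carries no such guarantee on strict-alignment
	 * architectures.  dev->name and the xt_physdev_info arrays are assumed
	 * to be adequately aligned by their struct layout -- TODO confirm. */
	static const char nulldevname[IFNAMSIZ]
		__attribute__((aligned(sizeof(unsigned int))));
	const struct xt_physdev_info *info = matchinfo;
	const struct nf_bridge_info *nf_bridge = skb->nf_bridge;

	/* Not a bridged packet, or no bridge info available yet (in LOCAL_OUT
	 * the destination may still turn out to be a bridge).  Every option
	 * requested in non-inverted form would need bridge info to be
	 * satisfied, so any such option means NOMATCH; inverted options are
	 * trivially satisfied.  checkentry() guarantees info->bitmask only
	 * holds XT_PHYSDEV_OP_* bits. */
	if (!nf_bridge)
		return (info->bitmask & ~info->invert) ? NOMATCH : MATCH;

	/* --physdev-is-bridged: only meaningful in FORWARD and POSTROUTING,
	 * where br_netfilter sets BRNF_BRIDGED for bridged traffic. */
	if (info->bitmask & XT_PHYSDEV_OP_BRIDGED) {
		int bridged = !!(nf_bridge->mask & BRNF_BRIDGED);
		int inverted = !!(info->invert & XT_PHYSDEV_OP_BRIDGED);

		if (bridged == inverted)
			return NOMATCH;
	}

	/* --physdev-is-in / --physdev-is-out: presence of a bridge port. */
	if (info->bitmask & XT_PHYSDEV_OP_ISIN) {
		int has_in = nf_bridge->physindev != NULL;
		int inverted = !!(info->invert & XT_PHYSDEV_OP_ISIN);

		if (has_in == inverted)
			return NOMATCH;
	}
	if (info->bitmask & XT_PHYSDEV_OP_ISOUT) {
		int has_out = nf_bridge->physoutdev != NULL;
		int inverted = !!(info->invert & XT_PHYSDEV_OP_ISOUT);

		if (has_out == inverted)
			return NOMATCH;
	}

	/* --physdev-in: masked compare of the ingress bridge port name.
	 * NOTE(review): physindev/physoutdev are raw net_device pointers; this
	 * relies on the bridge code keeping them valid for as long as the skb
	 * carries nf_bridge (e.g. while queued) -- confirm against br_netfilter. */
	if (info->bitmask & XT_PHYSDEV_OP_IN) {
		const char *indev = nf_bridge->physindev ?
				    nf_bridge->physindev->name : nulldevname;
		int equal = physdev_name_cmp(indev, info->physindev,
					     info->in_mask) == 0;
		int inverted = !!(info->invert & XT_PHYSDEV_OP_IN);

		if (equal == inverted)
			return NOMATCH;
	}

	/* --physdev-out: same for the egress bridge port; decides the verdict. */
	if (info->bitmask & XT_PHYSDEV_OP_OUT) {
		const char *outdev = nf_bridge->physoutdev ?
				     nf_bridge->physoutdev->name : nulldevname;
		int equal = physdev_name_cmp(outdev, info->physoutdev,
					     info->out_mask) == 0;
		int inverted = !!(info->invert & XT_PHYSDEV_OP_OUT);

		return (equal != inverted) ? MATCH : NOMATCH;
	}

	return MATCH;
}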
103 
/* Validate a physdev rule when it is inserted.
 *
 * @tablename, @ip, @match, @matchsize: unused
 * @matchinfo: struct xt_physdev_info supplied from userspace
 * @hook_mask: bitmask of the hooks (chains) the rule is attached to
 *
 * Returns 1 to accept the rule, 0 to reject it.  A rule is rejected when it
 * selects no option at all or sets bits outside XT_PHYSDEV_OP_MASK.  The
 * name/mask arrays are not inspected here: match() only ever reads IFNAMSIZ
 * bytes of them, so an unterminated string cannot cause an out-of-bounds read.
 *
 * Using --physdev-out on traffic not confined to bridged packets (no
 * --physdev-is-bridged, or an inverted one) in the OUTPUT, FORWARD or
 * POSTROUTING chains is deprecated: the first such rule prints a warning and
 * sets brnf_deferred_hooks.  The NF_IP_* hook numbers are used for the IPv6
 * registration too -- presumably NF_IP6_* share the same values; confirm.
 */
static int
checkentry(const char *tablename,
		       const void *ip,
		       const struct xt_match *match,
		       void *matchinfo,
		       unsigned int matchsize,
		       unsigned int hook_mask)
{
	const struct xt_physdev_info *info = matchinfo;
	const unsigned int deprecated_hooks = (1 << NF_IP_LOCAL_OUT) |
					      (1 << NF_IP_FORWARD) |
					      (1 << NF_IP_POST_ROUTING);
	int bridged_only;

	/* At least one option, and nothing outside the known option bits. */
	if ((info->bitmask & XT_PHYSDEV_OP_MASK) == 0)
		return 0;
	if (info->bitmask & ~XT_PHYSDEV_OP_MASK)
		return 0;

	/* A non-inverted --physdev-is-bridged confines the rule to bridged
	 * traffic, for which --physdev-out is fully supported. */
	bridged_only = (info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
		       !(info->invert & XT_PHYSDEV_OP_BRIDGED);

	if (brnf_deferred_hooks == 0 &&
	    (info->bitmask & XT_PHYSDEV_OP_OUT) &&
	    !bridged_only &&
	    (hook_mask & deprecated_hooks)) {
		printk(KERN_WARNING "physdev match: using --physdev-out in the "
		       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
		       "traffic is deprecated and breaks other things, it will "
		       "be removed in January 2007. See Documentation/"
		       "feature-removal-schedule.txt for details. This doesn't "
		       "affect you in case you're using it for purely bridged "
		       "traffic.\n");
		brnf_deferred_hooks = 1;
	}
	return 1;
}
134 
/* The "physdev" match as registered for IPv4 (AF_INET).  Shares match() and
 * checkentry() with the IPv6 registration; only .family differs. */
static struct xt_match physdev_match = {
	.name		= "physdev",
	.family		= AF_INET,
	.matchsize	= sizeof(struct xt_physdev_info),
	.match		= match,
	.checkentry	= checkentry,
	.me		= THIS_MODULE,
};
143 
/* The "physdev" match as registered for IPv6 (AF_INET6).  Same callbacks and
 * matchinfo layout as the IPv4 registration; only .family differs. */
static struct xt_match physdev6_match = {
	.name		= "physdev",
	.family		= AF_INET6,
	.matchsize	= sizeof(struct xt_physdev_info),
	.match		= match,
	.checkentry	= checkentry,
	.me		= THIS_MODULE,
};
152 
/* Register the IPv4 and IPv6 "physdev" matches with x_tables.
 *
 * If the second registration fails the first one is undone, so the module
 * never stays half-registered.  Returns the value of the last
 * xt_register_match() call: 0 on success, negative on error.
 */
static int __init xt_physdev_init(void)
{
	int err = xt_register_match(&physdev_match);

	if (err >= 0) {
		err = xt_register_match(&physdev6_match);
		if (err < 0)
			xt_unregister_match(&physdev_match);
	}

	return err;
}
167 
/* Unregister both matches on module unload; the order mirrors registration
 * rather than reversing it (the two registrations are independent). */
static void __exit xt_physdev_fini(void)
{
	xt_unregister_match(&physdev_match);
	xt_unregister_match(&physdev6_match);
}
173 
/* Module entry/exit points. */
module_init(xt_physdev_init);
module_exit(xt_physdev_fini);
176