1 /* Kernel module to match the bridge port in and
2  * out device for IP packets coming into contact with a bridge. */
3 
4 /* (C) 2001-2003 Bart De Schuymer <[email protected]>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  */
10 
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/netfilter_bridge.h>
14 #include <linux/netfilter/xt_physdev.h>
15 #include <linux/netfilter/x_tables.h>
16 
/* Module metadata.  The aliases allow the module to be loaded under the
 * per-family ipt_/ip6t_ names as well as "xt_physdev". */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <[email protected]>");
MODULE_DESCRIPTION("Xtables: Bridge physical device match");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
22 
/*
 * physdev_mt - match on the bridge port(s) a packet entered or leaves through
 * @skb:       packet under evaluation; skb->nf_bridge carries the bridge
 *             port information and is NULL when the packet has not (yet)
 *             passed through a bridge
 * @matchinfo: the rule's struct xt_physdev_info: selected options
 *             (bitmask), per-option inversion (invert), and the in/out
 *             interface names together with their wildcard masks
 *
 * @in, @out, @match, @offset, @protoff and @hotdrop are part of the
 * xt_match callback signature and are not used by this match.
 *
 * Every selected option is evaluated as "<condition> XOR <not inverted>",
 * and the rule stops matching as soon as one option does not hold.  Note
 * that without bridge info (e.g. locally generated traffic before the
 * output device is known) no non-inverted option can ever be satisfied.
 *
 * Returns true when the packet satisfies all selected options.
 */
static bool
physdev_mt(const struct sk_buff *skb, const struct net_device *in,
           const struct net_device *out, const struct xt_match *match,
           const void *matchinfo, int offset, unsigned int protoff,
           bool *hotdrop)
{
	int i;
	/* All-zero name standing in for a missing physin/physout device, so
	 * the masked comparison below always has IFNAMSIZ bytes to read. */
	static const char nulldevname[IFNAMSIZ];
	const struct xt_physdev_info *info = matchinfo;
	/* Accumulates masked name differences; false means "names equal". */
	bool ret;
	const char *indev, *outdev;
	const struct nf_bridge_info *nf_bridge;

	/* Not a bridged IP packet or no info available yet:
	 * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
	 * the destination device will be a bridge. */
	if (!(nf_bridge = skb->nf_bridge)) {
		/* Return MATCH if the invert flags of the used options are on.
		 * Any selected option that is not inverted cannot hold here. */
		if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
		    !(info->invert & XT_PHYSDEV_OP_BRIDGED))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_ISIN) &&
		    !(info->invert & XT_PHYSDEV_OP_ISIN))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_ISOUT) &&
		    !(info->invert & XT_PHYSDEV_OP_ISOUT))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_IN) &&
		    !(info->invert & XT_PHYSDEV_OP_IN))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
		    !(info->invert & XT_PHYSDEV_OP_OUT))
			return false;
		return true;
	}

	/* This only makes sense in the FORWARD and POSTROUTING chains.
	 * Fail when the packet's bridged state differs from what the
	 * (possibly inverted) --physdev-is-bridged option asks for. */
	if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
	    (!!(nf_bridge->mask & BRNF_BRIDGED) ^
	    !(info->invert & XT_PHYSDEV_OP_BRIDGED)))
		return false;

	/* --physdev-is-in / --physdev-is-out: presence of the respective
	 * bridge port must agree with the option's inversion. */
	if ((info->bitmask & XT_PHYSDEV_OP_ISIN &&
	    (!nf_bridge->physindev ^ !!(info->invert & XT_PHYSDEV_OP_ISIN))) ||
	    (info->bitmask & XT_PHYSDEV_OP_ISOUT &&
	    (!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
		return false;

	if (!(info->bitmask & XT_PHYSDEV_OP_IN))
		goto match_outdev;
	indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
	/* Word-wise masked compare: XOR exposes differing bits and the mask
	 * keeps only the bits the rule cares about.  The casts read the
	 * IFNAMSIZ char buffers as unsigned ints, which assumes they are a
	 * whole number of words and word-aligned -- NOTE(review): confirm
	 * for dev->name.  i is int against a size_t bound; both are small
	 * and non-negative, so the promotion is harmless. */
	for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) {
		ret |= (((const unsigned int *)indev)[i]
			^ ((const unsigned int *)info->physindev)[i])
			& ((const unsigned int *)info->in_mask)[i];
	}

	/* A mismatch under a plain option, or a match under an inverted
	 * one, fails the rule. */
	if (!ret ^ !(info->invert & XT_PHYSDEV_OP_IN))
		return false;

match_outdev:
	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
		return true;
	outdev = nf_bridge->physoutdev ?
		 nf_bridge->physoutdev->name : nulldevname;
	/* Same masked compare as for the in device. */
	for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) {
		ret |= (((const unsigned int *)outdev)[i]
			^ ((const unsigned int *)info->physoutdev)[i])
			& ((const unsigned int *)info->out_mask)[i];
	}

	/* Same inversion logic as for the in device, folded into the
	 * return value: equal names match unless --physdev-out is inverted. */
	return ret ^ !(info->invert & XT_PHYSDEV_OP_OUT);
}
96 
/*
 * physdev_mt_check - validate a physdev rule when it is loaded
 * @tablename: table the rule belongs to (unused)
 * @ip:        family-specific entry header (unused)
 * @match:     registration entry this check belongs to (unused)
 * @matchinfo: the rule's struct xt_physdev_info
 * @hook_mask: bitmask of the hooks the rule's chain is reachable from
 *
 * Rejects rules that select no physdev option at all, or that set bits
 * outside XT_PHYSDEV_OP_MASK.  A --physdev-out rule that does not also
 * require bridged traffic is warned about when it can be reached from
 * OUTPUT, FORWARD or POSTROUTING, and refused when reachable from OUTPUT.
 *
 * Returns true when the rule is acceptable.
 */
static bool
physdev_mt_check(const char *tablename, const void *ip,
                 const struct xt_match *match, void *matchinfo,
                 unsigned int hook_mask)
{
	const struct xt_physdev_info *info = matchinfo;
	const unsigned int out_hooks = (1 << NF_INET_LOCAL_OUT) |
				       (1 << NF_INET_FORWARD) |
				       (1 << NF_INET_POST_ROUTING);
	bool bridged_required;

	/* At least one known option, and nothing beyond the known ones. */
	if (!(info->bitmask & XT_PHYSDEV_OP_MASK))
		return false;
	if (info->bitmask & ~XT_PHYSDEV_OP_MASK)
		return false;

	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
		return true;

	/* --physdev-out is only reliable when the rule insists on bridged
	 * traffic (non-inverted --physdev-is-bridged). */
	bridged_required = (info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
			   !(info->invert & XT_PHYSDEV_OP_BRIDGED);
	if (bridged_required || !(hook_mask & out_hooks))
		return true;

	printk(KERN_WARNING "physdev match: using --physdev-out in the "
	       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
	       "traffic is not supported anymore.\n");
	/* FORWARD/POSTROUTING only get the warning; OUTPUT is refused. */
	return !(hook_mask & (1 << NF_INET_LOCAL_OUT));
}
120 
/* One registration per address family (AF_INET and AF_INET6).  Both entries
 * share the same callbacks and match-data size, so one rule layout serves
 * both families. */
static struct xt_match physdev_mt_reg[] __read_mostly = {
	{
		.name		= "physdev",
		.family		= AF_INET,
		.checkentry	= physdev_mt_check,
		.match		= physdev_mt,
		.matchsize	= sizeof(struct xt_physdev_info),
		.me		= THIS_MODULE,
	},
	{
		.name		= "physdev",
		.family		= AF_INET6,
		.checkentry	= physdev_mt_check,
		.match		= physdev_mt,
		.matchsize	= sizeof(struct xt_physdev_info),
		.me		= THIS_MODULE,
	},
};
139 
/* Register both physdev_mt_reg entries with x_tables.
 * Returns 0 on success or the negative error from xt_register_matches(). */
static int __init physdev_mt_init(void)
{
	int err;

	err = xt_register_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
	return err;
}
144 
/* Undo physdev_mt_init(): remove both registrations from x_tables. */
static void __exit physdev_mt_exit(void)
{
	const unsigned int nr_matches = ARRAY_SIZE(physdev_mt_reg);

	xt_unregister_matches(physdev_mt_reg, nr_matches);
}
149 
/* Module entry and exit points. */
module_init(physdev_mt_init);
module_exit(physdev_mt_exit);