1 /* Kernel module to match the bridge port in and
2  * out device for IP packets coming into contact with a bridge. */
3 
4 /* (C) 2001-2003 Bart De Schuymer <[email protected]>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  */
10 
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/netfilter_bridge.h>
14 #include <linux/netfilter/xt_physdev.h>
15 #include <linux/netfilter/x_tables.h>
16 #include <linux/netfilter_bridge.h>
/* Return values of match(): the x_tables match callback reports 1 for
 * "rule matched" and 0 for "rule did not match". */
#define MATCH   1
#define NOMATCH 0

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <[email protected]>");
MODULE_DESCRIPTION("iptables bridge physical device match module");
/* Both the IPv4 and the IPv6 rule sets refer to this module by the old
 * per-family names, so both aliases are kept. */
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
25 
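/*
 * Compare a bridge port name with a rule's masked name pattern.
 *
 * @name, @pattern and @mask are IFNAMSIZ-byte arrays; only the bits set in
 * @mask take part in the comparison.  The arrays are read a word at a time,
 * so all three must be word-aligned, and the char -> unsigned int casts rely
 * on the kernel build not enforcing strict aliasing.
 *
 * Returns 0 when @name equals @pattern under @mask, non-zero otherwise.
 */
static unsigned int
physdev_name_mismatch(const char *name, const char *pattern, const char *mask)
{
	const unsigned int *n = (const unsigned int *)name;
	const unsigned int *p = (const unsigned int *)pattern;
	const unsigned int *m = (const unsigned int *)mask;
	unsigned int ret = 0;
	unsigned int i;

	for (i = 0; i < IFNAMSIZ / sizeof(unsigned int); i++)
		ret |= (n[i] ^ p[i]) & m[i];
	return ret;
}

/*
 * Match callback for the physdev match.
 *
 * @skb:       packet under inspection; skb->nf_bridge, when set, names the
 *             bridge ports it came in on and will go out of.
 * @in, @out:  IP-layer devices (unused; the bridge ports are what counts).
 * @match:     the xt_match this rule was registered under (unused).
 * @matchinfo: the rule's struct xt_physdev_info, copied in from user space
 *             and sanity-checked by checkentry() before any packet reaches
 *             this function.
 * @offset, @protoff, @hotdrop: unused.
 *
 * Returns MATCH when every option set in info->bitmask holds for the packet
 * (each option's sense flipped by its info->invert bit), otherwise NOMATCH.
 */
static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      int *hotdrop)
{
	/* Stands in for a missing port name.  Word-aligned explicitly: it is
	 * read as unsigned ints by physdev_name_mismatch(), and a plain char
	 * array is not guaranteed that alignment on every architecture. */
	static const char nulldevname[IFNAMSIZ]
		__attribute__((aligned(sizeof(long))));
	const struct xt_physdev_info *info = matchinfo;
	unsigned int ret;
	const char *indev, *outdev;
	struct nf_bridge_info *nf_bridge;

	/* Not a bridged IP packet or no info available yet:
	 * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
	 * the destination device will be a bridge. */
	if (!(nf_bridge = skb->nf_bridge)) {
		/* With no bridge info every non-inverted option fails and
		 * every inverted one succeeds, so the rule matches only when
		 * all of its enabled options are inverted. */
		if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
		    !(info->invert & XT_PHYSDEV_OP_BRIDGED))
			return NOMATCH;
		if ((info->bitmask & XT_PHYSDEV_OP_ISIN) &&
		    !(info->invert & XT_PHYSDEV_OP_ISIN))
			return NOMATCH;
		if ((info->bitmask & XT_PHYSDEV_OP_ISOUT) &&
		    !(info->invert & XT_PHYSDEV_OP_ISOUT))
			return NOMATCH;
		if ((info->bitmask & XT_PHYSDEV_OP_IN) &&
		    !(info->invert & XT_PHYSDEV_OP_IN))
			return NOMATCH;
		if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
		    !(info->invert & XT_PHYSDEV_OP_OUT))
			return NOMATCH;
		return MATCH;
	}

	/* This only makes sense in the FORWARD and POSTROUTING chains.
	 * XT_PHYSDEV_OP_BRIDGED: NOMATCH when the packet's bridged state
	 * disagrees with the requested (possibly inverted) sense. */
	if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
	    (!!(nf_bridge->mask & BRNF_BRIDGED) ^
	    !(info->invert & XT_PHYSDEV_OP_BRIDGED)))
		return NOMATCH;

	/* XT_PHYSDEV_OP_ISIN / XT_PHYSDEV_OP_ISOUT: presence of an in/out
	 * bridge port, again with the invert bit flipping the sense. */
	if ((info->bitmask & XT_PHYSDEV_OP_ISIN &&
	    (!nf_bridge->physindev ^ !!(info->invert & XT_PHYSDEV_OP_ISIN))) ||
	    (info->bitmask & XT_PHYSDEV_OP_ISOUT &&
	    (!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
		return NOMATCH;

	if (!(info->bitmask & XT_PHYSDEV_OP_IN))
		goto match_outdev;
	indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
	ret = physdev_name_mismatch(indev, info->physindev, info->in_mask);

	/* Non-inverted: NOMATCH when the names differ (ret != 0);
	 * inverted: NOMATCH when they agree (ret == 0). */
	if ((ret == 0) ^ !(info->invert & XT_PHYSDEV_OP_IN))
		return NOMATCH;

match_outdev:
	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
		return MATCH;
	outdev = nf_bridge->physoutdev ?
		 nf_bridge->physoutdev->name : nulldevname;
	ret = physdev_name_mismatch(outdev, info->physoutdev, info->out_mask);

	/* Same truth table as the input-device check, folded into the
	 * return value. */
	return (ret != 0) ^ !(info->invert & XT_PHYSDEV_OP_OUT);
}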
103 
/*
 * Rule-load time validation of a physdev match.
 *
 * @tablename, @ip, @match: unused.
 * @matchinfo: the rule's struct xt_physdev_info as handed in from user
 *             space; bitmask is the only field whose range is checked here
 *             (match() only ever tests the defined flag bits of invert, so
 *             stray invert bits have no effect).
 * @hook_mask: set of hooks the rule is being installed on.
 *
 * Returns 1 to accept the rule, 0 to reject it.  The NF_IP_* hook numbers
 * are applied to both the AF_INET and the AF_INET6 registration, which
 * presumes the IPv6 hook numbering is identical — confirm if that changes.
 */
static int
checkentry(const char *tablename,
		       const void *ip,
		       const struct xt_match *match,
		       void *matchinfo,
		       unsigned int hook_mask)
{
	const struct xt_physdev_info *info = matchinfo;
	const unsigned int out_hooks = (1 << NF_IP_LOCAL_OUT) |
				       (1 << NF_IP_FORWARD) |
				       (1 << NF_IP_POST_ROUTING);
	int bridged_only;

	/* At least one option must be set, and nothing outside the option
	 * set may be. */
	if (!(info->bitmask & XT_PHYSDEV_OP_MASK))
		return 0;
	if (info->bitmask & ~XT_PHYSDEV_OP_MASK)
		return 0;

	/* The remaining restrictions only concern --physdev-out. */
	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
		return 1;

	/* A non-inverted XT_PHYSDEV_OP_BRIDGED restricts the rule to bridged
	 * traffic, for which --physdev-out is fine in every chain. */
	bridged_only = (info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
		       !(info->invert & XT_PHYSDEV_OP_BRIDGED);
	if (bridged_only)
		return 1;
	if (!(hook_mask & out_hooks))
		return 1;

	printk(KERN_WARNING "physdev match: using --physdev-out in the "
	       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
	       "traffic is not supported anymore.\n");

	/* Only OUTPUT is refused outright; FORWARD and POSTROUTING load with
	 * the warning above. */
	return !(hook_mask & (1 << NF_IP_LOCAL_OUT));
}
129 
/* One registration per address family.  Both entries share the callbacks
 * and the struct xt_physdev_info rule layout; only .family differs. */
static struct xt_match xt_physdev_match[] = {
	{
		.name		= "physdev",
		.family		= AF_INET,
		.checkentry	= checkentry,
		.match		= match,
		/* Size the core copies in from user space for each rule. */
		.matchsize	= sizeof(struct xt_physdev_info),
		.me		= THIS_MODULE,
	},
	{
		.name		= "physdev",
		.family		= AF_INET6,
		.checkentry	= checkentry,
		.match		= match,
		.matchsize	= sizeof(struct xt_physdev_info),
		.me		= THIS_MODULE,
	},
};
148 
/* Module entry point: register the IPv4 and IPv6 physdev matches with
 * x_tables.  Returns the registration result (0 on success). */
static int __init xt_physdev_init(void)
{
	const unsigned int nmatches = ARRAY_SIZE(xt_physdev_match);

	return xt_register_matches(xt_physdev_match, nmatches);
}
154 
/* Module exit point: unregister exactly what xt_physdev_init() registered. */
static void __exit xt_physdev_fini(void)
{
	const unsigned int nmatches = ARRAY_SIZE(xt_physdev_match);

	xt_unregister_matches(xt_physdev_match, nmatches);
}
159 
/* Hook the init/exit functions into the module loader. */
module_init(xt_physdev_init);
module_exit(xt_physdev_fini);