b6f8e74b KT |
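--- a/include/linux/ip_fw.h
+++ b/include/linux/ip_fw.h
@@ -28,6 +28,7 @@
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
+#include <linux/skbuff.h>
 #endif /* __KERNEL__ */
 #define IP_FW_MAX_LABEL_LENGTH 8
 typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1];
@@ -188,6 +189,10 @@
 #ifdef CONFIG_IP_MASQUERADE
 extern int ip_masq_uctl(int, char *, int);
 #endif
+extern int ip_fw_check_from_bridge(const char *brifname,
+ struct sk_buff *skb,
+ struct iphdr *ip,
+ const char *destifname);
 #endif /* KERNEL */
 
 #endif /* _IP_FWCHAINS_H */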
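Review bot: The new `ip_fw_check_from_bridge` prototype gives no hint of its verdict contract or of what the two name arguments mean, and a reader of this header cannot see the definition in net/ipv4/ip_fw.c: `brifname` is used there as the ipchains chain label to look up and `destifname` appears to be the interface name `ip_fw_check()` matches rules against, with `FW_SKIP` returned when no chain carries the bridge's name and the `ip_fw_check()` verdict otherwise. Add above the declaration `/* Run an IP packet bridged by brifname through the ipchains chain of that name, matching destifname as the output interface. Returns FW_SKIP when no such chain exists, else the ip_fw_check() verdict. */`.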
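--- a/net/Makefile
+++ b/net/Makefile
@@ -59,6 +59,7 @@
 
 ifeq ($(CONFIG_BRIDGE),y)
 SUB_DIRS += bridge
+MOD_SUB_DIRS += bridge
 else
 ifeq ($(CONFIG_BRIDGE),m)
 MOD_SUB_DIRS += bridge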
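--- a/net/bridge/Makefile
+++ b/net/bridge/Makefile
@@ -8,9 +8,9 @@
 # Note 2! The CFLAGS definition is now in the main makefile...
 
 O_TARGET := bridge.o
-O_OBJS := br.o br_device.o br_fdb.o br_forward.o br_if.o br_input.o \
- br_ioctl.o br_notify.o br_stp.o br_stp_bpdu.o \
- br_stp_if.o br_stp_timer.o
+O_OBJS := br.o br_device.o br_fdb.o br_forward.o br_fw.o br_if.o \
+ br_input.o br_ioctl.o br_notify.o br_stp.o \
+ br_stp_bpdu.o br_stp_if.o br_stp_timer.o
 M_OBJS := $(O_TARGET)
 
 include $(TOPDIR)/Rules.make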
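--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -41,10 +41,10 @@
 br_ioctl_hook = br_ioctl_deviceless_stub;
 register_netdevice_notifier(&br_device_notifier);
 
- return 0;
+ return brfw_init();
 }
 
-#ifdef MODULE
+#ifdef CONFIG_BRIDGE_MODULE
 EXPORT_NO_SYMBOLS;
 
 int init_module(void)
@@ -54,6 +54,7 @@
 
 void cleanup_module(void)
 {
+ brfw_uninit();
 unregister_netdevice_notifier(&br_device_notifier);
 br_ioctl_hook = NULL;
 br_handle_frame_hook = NULL;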
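Review bot: At `return brfw_init();` a failure to register the bridge firewall propagates out of the init function after `br_ioctl_hook` and the netdevice notifier have already been installed two lines earlier, so a failed load leaves those hooks live with no firewall behind them and, in the module case, nothing undoes them because cleanup_module() does not run after a failed init. Unwind before returning, e.g. `if (brfw_init()) { unregister_netdevice_notifier(&br_device_notifier); br_ioctl_hook = NULL; return 1; } return 0;` — the enclosing function begins outside the hunk, so any hook it sets earlier (`br_handle_frame_hook`, which cleanup_module() clears) needs the same treatment. The switch from `#ifdef MODULE` to `#ifdef CONFIG_BRIDGE_MODULE` is presumably tied to the net/Makefile change that now lists bridge under MOD_SUB_DIRS for the built-in case as well, but nothing in the hunk says so; a one-line comment above the `#ifdef` would spare the next reader that reconstruction.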
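--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -24,10 +24,20 @@
 
 static inline int should_forward(struct net_bridge_port *p, struct sk_buff *skb)
 {
- if (skb->dev != p->dev && p->state == BR_STATE_FORWARDING)
- return 1;
+ struct sk_buff *sk;
 
- return 0;
+ if (skb->dev == p->dev || p->state != BR_STATE_FORWARDING)
+ return 0;
+
+ sk = skb;
+ if (call_fw_firewall(PF_BRIDGE, p->dev, skb->mac.raw,
+ p->dev->name, &sk) != FW_ACCEPT)
+ return 0;
+
+ if (skb != sk)
+ printk(KERN_CRIT "br: prepare for armageddon!\n");
+
+ return 1;
 }
 
 static void __br_forward(struct net_bridge_port *to, struct sk_buff *skb)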
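Review bot: The `if (skb != sk)` branch only logs and then falls through to `return 1`, so if a PF_BRIDGE firewall ever did replace the buffer through its `pskb` argument the bridge would forward the original `skb`, which may no longer be valid, while the replacement is never freed. Either refuse to forward in that case, `if (skb != sk) { printk(KERN_CRIT "br: prepare for armageddon!\n"); return 0; }`, or state the contract in a comment above the call: PF_BRIDGE callbacks must not substitute `*pskb` (the br_fw.c callback in this patch never does). Every verdict other than FW_ACCEPT maps to `return 0`, so an ipchains REJECT rule in a bridge chain behaves exactly like DENY here, with no ICMP error as the IP path would send; worth a comment if that is intended. Since should_forward() is evaluated per destination port, a flooded frame is also run through the firewall once per port, which multiplies any rule logging.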
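--- a/net/bridge/br_fw.c
+++ b/net/bridge/br_fw.c
@@ -0,0 +1,93 @@
+/*
+ * Firewall for the ethernet bridge, using ipchains
+ * Linux ethernet bridge
+ *
+ * Authors:
+ * Lennert Buytenhek <buytenh@gnu.org>
+ * Joachim Ott <ott@ardala.han.de>
+ *
+ * $Id$
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/init.h>
+#include <linux/firewall.h>
+#include <linux/ip_fw.h>
+#include <linux/if_bridge.h>
+#include <asm/uaccess.h>
+#include "br_private.h"
+
+
+
+int brfw_forward_check(struct firewall_ops *this, int pf, struct device *dev,
+ void *phdr, void *arg, struct sk_buff **pskb)
+{
+ struct net_bridge *br;
+ int err;
+ struct iphdr *ip;
+ unsigned char *ptr;
+ struct sk_buff *skb;
+
+ br = dev->br_port->br;
+ skb = *pskb;
+ ptr = skb->data;
+ ip = (struct iphdr *)(ptr + ETH_HLEN);
+
+ if (ptr[12] != 0x08 || ptr[13] != 0x00) /* ETH_P_IP */
+ return FW_ACCEPT;
+
+ err = ip_fw_check_from_bridge(br->name, skb, ip, arg);
+ if (err != FW_SKIP)
+ return err;
+
+ return FW_ACCEPT;
+}
+
+int brfw_input_check(struct firewall_ops *this, int pf, struct device *dev,
+ void *phdr, void *arg, struct sk_buff **pskb)
+{
+ return FW_ACCEPT;
+}
+
+int brfw_output_check(struct firewall_ops *this, int pf, struct device *dev,
+ void *phdr, void *arg, struct sk_buff **pskb)
+{
+ return FW_ACCEPT;
+}
+
+
+
+
+struct firewall_ops brfw_ops =
+{
+ NULL,
+ brfw_forward_check,
+ brfw_input_check,
+ brfw_output_check,
+ PF_BRIDGE,
+ 0
+};
+
+__initfunc(int brfw_init(void))
+{
+ printk(KERN_INFO "NET4: Ethernet Bridge Firewall 001 for NET4.0\n");
+
+ if (register_firewall(PF_BRIDGE, &brfw_ops) < 0) {
+ printk(KERN_ALERT "br: unable to register PF_BRIDGE firewall\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+void brfw_uninit(void)
+{
+ unregister_firewall(PF_BRIDGE, &brfw_ops);
+}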
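--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -166,6 +166,10 @@
 struct sk_buff *skb,
 int clone);
 
+/* br_fw.c */
+int brfw_init(void);
+void brfw_uninit(void);
+
 /* br_if.c */
 int br_add_bridge(char *name);
 int br_del_bridge(char *name);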
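--- a/net/ipv4/ip_fw.c
+++ b/net/ipv4/ip_fw.c
@@ -841,6 +841,25 @@
 #endif
 }
 
+#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+int ip_fw_check_from_bridge(const char *brifname, struct sk_buff *skb, struct iphdr *ip, const char *destifname)
+{
+ struct ip_chain *chain;
+ int ret;
+
+ ret = FW_SKIP;
+ if (ip->ihl * 4 >= sizeof(struct iphdr) &&
+ skb->len >= sizeof(struct iphdr)) {
+ if ((chain = find_label((char *)brifname)) != NULL) {
+ ret = ip_fw_check(ip, destifname, NULL, chain,
+ skb, SLOT_NUMBER(), 0);
+ }
+ }
+
+ return ret;
+}
+#endif
+
 /* Must have write lock & interrupts off for any of these */
 
 /* This function sets all the byte counters in a chain to zero. The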
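Review bot: The guard `if (ip->ihl * 4 >= sizeof(struct iphdr) && skb->len >= sizeof(struct iphdr))` dereferences `ip->ihl` before any length test and then measures `skb->len` from the start of the buffer although the br_fw.c caller places `ip` `ETH_HLEN` bytes in, so a frame shorter than `ETH_HLEN + sizeof(struct iphdr)` can pass and `ip_fw_check()` goes on to read header and port fields beyond the data; `ip->version` and whether `ihl * 4` bytes are actually present are not checked either, and on this path none of the sanity checks ip_rcv() normally performs have run. The sketch below computes the bytes available from `ip` and refuses a malformed header with FW_BLOCK rather than letting it fall through as FW_SKIP, which the br_fw.c caller turns into FW_ACCEPT. Separately, `find_label()` walks the chain list here with no lock held, while the comment right after the hunk demands the write lock for the chain-mutating functions that follow; unless bridge forwarding is otherwise serialised against chain deletion, a concurrent `ipchains -X` can race this lookup — confirm against the locking inside ip_fw_check(). Finally, chain labels are capped at `IP_FW_MAX_LABEL_LENGTH` (8) characters, so a bridge with a longer name can never match a chain and is forwarded unfiltered; that fail-open behaviour should at least be stated above the function, e.g. `/* A bridge whose name exceeds IP_FW_MAX_LABEL_LENGTH never matches a chain and is not filtered. */`.
```c
int ip_fw_check_from_bridge(const char *brifname, struct sk_buff *skb, struct iphdr *ip, const char *destifname)
{
	struct ip_chain *chain;
	int ret = FW_SKIP;
	unsigned int avail;

	/* ip_rcv() never saw this packet, so the header sanity checks it
	 * normally performs before the chains run have to happen here.
	 * Assumes ip points into the linear data of skb. */
	if ((unsigned char *)ip < skb->data ||
	    (unsigned char *)ip > skb->data + skb->len)
		return FW_BLOCK;
	avail = skb->data + skb->len - (unsigned char *)ip;
	if (avail < sizeof(struct iphdr) || ip->version != 4 ||
	    ip->ihl < 5 || ip->ihl * 4 > avail)
		return FW_BLOCK;

	/* … unchanged: find_label() lookup and ip_fw_check() call … */
```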
241 | diff -urN linux-2.2.20br/net/netsyms.c linux-2.2.20brfw/net/netsyms.c | |
242 | --- linux-2.2.20br/net/netsyms.c Mon Dec 10 16:24:28 2001 | |
243 | +++ linux-2.2.20brfw/net/netsyms.c Mon Dec 10 16:43:24 2001 | |
244 | @@ -17,6 +17,7 @@ | |
245 | #include <linux/trdevice.h> | |
246 | #include <linux/fcdevice.h> | |
247 | #include <linux/ioport.h> | |
248 | +#include <linux/ip_fw.h> | |
249 | #include <net/neighbour.h> | |
250 | #include <net/snmp.h> | |
251 | #include <net/dst.h> | |
252 | @@ -224,6 +225,7 @@ | |
253 | ||
254 | #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE) | |
255 | EXPORT_SYMBOL(br_handle_frame_hook); | |
256 | +EXPORT_SYMBOL(ip_fw_check_from_bridge); | |
257 | #endif | |
258 | EXPORT_SYMBOL(br_ioctl_hook); | |
259 |