[packages/kernel.git] / bridge-ipchains-against-1.0.2-against-2.2.20.diff

diff -urN linux-2.2.20br/include/linux/ip_fw.h linux-2.2.20brfw/include/linux/ip_fw.h
--- linux-2.2.20br/include/linux/ip_fw.h	Mon Dec 10 16:39:01 2001
+++ linux-2.2.20brfw/include/linux/ip_fw.h	Mon Dec 10 16:43:24 2001
@@ -28,6 +28,7 @@
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
+#include <linux/skbuff.h>
 #endif /* __KERNEL__ */
 #define IP_FW_MAX_LABEL_LENGTH 8
 typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1];
@@ -188,6 +189,10 @@
 #ifdef CONFIG_IP_MASQUERADE
 extern int ip_masq_uctl(int, char *, int);
 #endif
+extern int ip_fw_check_from_bridge(const char *brifname,
+				   struct sk_buff *skb,
+				   struct iphdr *ip,
+				   const char *destifname);
 #endif /* KERNEL */
 
 #endif /* _IP_FWCHAINS_H */
diff -urN linux-2.2.20br/net/Makefile linux-2.2.20brfw/net/Makefile
--- linux-2.2.20br/net/Makefile	Mon Dec 10 16:24:28 2001
+++ linux-2.2.20brfw/net/Makefile	Mon Dec 10 16:43:24 2001
@@ -59,6 +59,7 @@
 
 ifeq ($(CONFIG_BRIDGE),y)
 SUB_DIRS += bridge
+MOD_SUB_DIRS += bridge
 else
   ifeq ($(CONFIG_BRIDGE),m)
     MOD_SUB_DIRS += bridge
diff -urN linux-2.2.20br/net/bridge/Makefile linux-2.2.20brfw/net/bridge/Makefile
--- linux-2.2.20br/net/bridge/Makefile	Mon Dec 10 16:24:28 2001
+++ linux-2.2.20brfw/net/bridge/Makefile	Mon Dec 10 16:43:24 2001
@@ -8,9 +8,9 @@
 # Note 2! The CFLAGS definition is now in the main makefile...
 
 O_TARGET	:= bridge.o
-O_OBJS		:= br.o br_device.o br_fdb.o br_forward.o br_if.o br_input.o \
-			br_ioctl.o br_notify.o br_stp.o br_stp_bpdu.o \
-			br_stp_if.o br_stp_timer.o
+O_OBJS		:= br.o br_device.o br_fdb.o br_forward.o br_fw.o br_if.o \
+			br_input.o br_ioctl.o br_notify.o br_stp.o \
+			br_stp_bpdu.o br_stp_if.o br_stp_timer.o
 M_OBJS		:= $(O_TARGET)
 
 include $(TOPDIR)/Rules.make
diff -urN linux-2.2.20br/net/bridge/br.c linux-2.2.20brfw/net/bridge/br.c
--- linux-2.2.20br/net/bridge/br.c	Mon Dec 10 16:25:36 2001
+++ linux-2.2.20brfw/net/bridge/br.c	Mon Dec 10 16:43:24 2001
@@ -41,10 +41,10 @@
 	br_ioctl_hook = br_ioctl_deviceless_stub;
 	register_netdevice_notifier(&br_device_notifier);
 
-	return 0;
+	return brfw_init();
 }
 
-#ifdef MODULE
+#ifdef CONFIG_BRIDGE_MODULE
 EXPORT_NO_SYMBOLS;
 
 int init_module(void)
@@ -54,6 +54,7 @@
 
 void cleanup_module(void)
 {
+	brfw_uninit();
 	unregister_netdevice_notifier(&br_device_notifier);
 	br_ioctl_hook = NULL;
 	br_handle_frame_hook = NULL;
diff -urN linux-2.2.20br/net/bridge/br_forward.c linux-2.2.20brfw/net/bridge/br_forward.c
--- linux-2.2.20br/net/bridge/br_forward.c	Mon Dec 10 16:24:28 2001
+++ linux-2.2.20brfw/net/bridge/br_forward.c	Mon Dec 10 16:43:24 2001
@@ -24,10 +24,20 @@
 
 static inline int should_forward(struct net_bridge_port *p, struct sk_buff *skb)
 {
-	if (skb->dev != p->dev && p->state == BR_STATE_FORWARDING)
-		return 1;
+	struct sk_buff *sk;
 
-	return 0;
+	if (skb->dev == p->dev || p->state != BR_STATE_FORWARDING)
+		return 0;
+
+	sk = skb;
+	if (call_fw_firewall(PF_BRIDGE, p->dev, skb->mac.raw,
+			     p->dev->name, &sk) != FW_ACCEPT)
+		return 0;
+
+	if (skb != sk)
+		printk(KERN_CRIT "br: prepare for armageddon!\n");
+
+	return 1;
 }
 
 static void __br_forward(struct net_bridge_port *to, struct sk_buff *skb)
diff -urN linux-2.2.20br/net/bridge/br_fw.c linux-2.2.20brfw/net/bridge/br_fw.c
--- linux-2.2.20br/net/bridge/br_fw.c	Thu Jan  1 01:00:00 1970
+++ linux-2.2.20brfw/net/bridge/br_fw.c	Mon Dec 10 16:43:24 2001
@@ -0,0 +1,93 @@
+/*
+ *	Firewall for the ethernet bridge, using ipchains
+ *	Linux ethernet bridge
+ *
+ *	Authors:
+ *	Lennert Buytenhek		<buytenh@gnu.org>
+ *	Joachim Ott			<ott@ardala.han.de>
+ *
+ *	$Id$
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/init.h>
+#include <linux/firewall.h>
+#include <linux/ip_fw.h>
+#include <linux/if_bridge.h>
+#include <asm/uaccess.h>
+#include "br_private.h"
+
+
+
+int brfw_forward_check(struct firewall_ops *this, int pf, struct device *dev,
+		       void *phdr, void *arg, struct sk_buff **pskb)
+{
+	struct net_bridge *br;
+	int err;
+	struct iphdr *ip;
+	unsigned char *ptr;
+	struct sk_buff *skb;
+
+	br = dev->br_port->br;
+	skb = *pskb;
+	ptr = skb->data;
+	ip = (struct iphdr *)(ptr + ETH_HLEN);
+
+	if (ptr[12] != 0x08 || ptr[13] != 0x00)		/* ETH_P_IP */
+		return FW_ACCEPT;
+
+	err = ip_fw_check_from_bridge(br->name, skb, ip, arg);
+	if (err != FW_SKIP)
+		return err;
+
+	return FW_ACCEPT;
+}
+
+int brfw_input_check(struct firewall_ops *this, int pf, struct device *dev,
+		     void *phdr, void *arg, struct sk_buff **pskb)
+{
+	return FW_ACCEPT;
+}
+
+int brfw_output_check(struct firewall_ops *this, int pf, struct device *dev,
+		      void *phdr, void *arg, struct sk_buff **pskb)
+{
+	return FW_ACCEPT;
+}
+
+
+
+
+struct firewall_ops brfw_ops =
+{
+	NULL,
+	brfw_forward_check,
+	brfw_input_check,
+	brfw_output_check,
+	PF_BRIDGE,
+	0
+};
+
+__initfunc(int brfw_init(void))
+{
+	printk(KERN_INFO "NET4: Ethernet Bridge Firewall 001 for NET4.0\n");
+
+	if (register_firewall(PF_BRIDGE, &brfw_ops) < 0) {
+		printk(KERN_ALERT "br: unable to register PF_BRIDGE firewall\n");
+		return 1;
+	}
+
+	return 0;
+}
+
+void brfw_uninit(void)
+{
+	unregister_firewall(PF_BRIDGE, &brfw_ops);
+}
diff -urN linux-2.2.20br/net/bridge/br_private.h linux-2.2.20brfw/net/bridge/br_private.h
--- linux-2.2.20br/net/bridge/br_private.h	Mon Dec 10 16:39:30 2001
+++ linux-2.2.20brfw/net/bridge/br_private.h	Mon Dec 10 16:43:24 2001
@@ -166,6 +166,10 @@
 	      struct sk_buff *skb,
 	      int clone);
 
+/* br_fw.c */
+int brfw_init(void);
+void brfw_uninit(void);
+
 /* br_if.c */
 int br_add_bridge(char *name);
 int br_del_bridge(char *name);
diff -urN linux-2.2.20br/net/ipv4/ip_fw.c linux-2.2.20brfw/net/ipv4/ip_fw.c
--- linux-2.2.20br/net/ipv4/ip_fw.c	Sun Mar 25 18:31:12 2001
+++ linux-2.2.20brfw/net/ipv4/ip_fw.c	Mon Dec 10 16:43:24 2001
@@ -841,6 +841,25 @@
 #endif
 }
 
+#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
+int ip_fw_check_from_bridge(const char *brifname, struct sk_buff *skb, struct iphdr *ip, const char *destifname)
+{
+	struct ip_chain *chain;
+	int ret;
+
+	ret = FW_SKIP;
+	if (ip->ihl * 4 >= sizeof(struct iphdr) &&
+	    skb->len >= sizeof(struct iphdr)) {
+		if ((chain = find_label((char *)brifname)) != NULL) {
+			ret = ip_fw_check(ip, destifname, NULL, chain,
+					  skb, SLOT_NUMBER(), 0);
+		}
+	}
+
+	return ret;
+}
+#endif
+
 /* Must have write lock & interrupts off for any of these */
 
 /* This function sets all the byte counters in a chain to zero.  The
diff -urN linux-2.2.20br/net/netsyms.c linux-2.2.20brfw/net/netsyms.c
--- linux-2.2.20br/net/netsyms.c	Mon Dec 10 16:24:28 2001
+++ linux-2.2.20brfw/net/netsyms.c	Mon Dec 10 16:43:24 2001
@@ -17,6 +17,7 @@
 #include <linux/trdevice.h>
 #include <linux/fcdevice.h>
 #include <linux/ioport.h>
+#include <linux/ip_fw.h>
 #include <net/neighbour.h>
 #include <net/snmp.h>
 #include <net/dst.h>
@@ -224,6 +225,7 @@
 
 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
 EXPORT_SYMBOL(br_handle_frame_hook);
+EXPORT_SYMBOL(ip_fw_check_from_bridge);
 #endif
 EXPORT_SYMBOL(br_ioctl_hook);
Commit	Line	Data
b6f8e74b KT	1	diff -urN linux-2.2.20br/include/linux/ip_fw.h linux-2.2.20brfw/include/linux/ip_fw.h
	2	--- linux-2.2.20br/include/linux/ip_fw.h Mon Dec 10 16:39:01 2001
	3	+++ linux-2.2.20brfw/include/linux/ip_fw.h Mon Dec 10 16:43:24 2001
	4	@@ -28,6 +28,7 @@
	5	#include <linux/ip.h>
	6	#include <linux/tcp.h>
	7	#include <linux/udp.h>
	8	+#include <linux/skbuff.h>
	9	#endif /* __KERNEL__ */
	10	#define IP_FW_MAX_LABEL_LENGTH 8
	11	typedef char ip_chainlabel[IP_FW_MAX_LABEL_LENGTH+1];
	12	@@ -188,6 +189,10 @@
	13	#ifdef CONFIG_IP_MASQUERADE
	14	extern int ip_masq_uctl(int, char *, int);
	15	#endif
	16	+extern int ip_fw_check_from_bridge(const char *brifname,
	17	+ struct sk_buff *skb,
	18	+ struct iphdr *ip,
	19	+ const char *destifname);
	20	#endif /* KERNEL */
	21
	22	#endif /* _IP_FWCHAINS_H */
	23	diff -urN linux-2.2.20br/net/Makefile linux-2.2.20brfw/net/Makefile
	24	--- linux-2.2.20br/net/Makefile Mon Dec 10 16:24:28 2001
	25	+++ linux-2.2.20brfw/net/Makefile Mon Dec 10 16:43:24 2001
	26	@@ -59,6 +59,7 @@
	27
	28	ifeq ($(CONFIG_BRIDGE),y)
	29	SUB_DIRS += bridge
	30	+MOD_SUB_DIRS += bridge
	31	else
	32	ifeq ($(CONFIG_BRIDGE),m)
	33	MOD_SUB_DIRS += bridge
	34	diff -urN linux-2.2.20br/net/bridge/Makefile linux-2.2.20brfw/net/bridge/Makefile
	35	--- linux-2.2.20br/net/bridge/Makefile Mon Dec 10 16:24:28 2001
	36	+++ linux-2.2.20brfw/net/bridge/Makefile Mon Dec 10 16:43:24 2001
	37	@@ -8,9 +8,9 @@
	38	# Note 2! The CFLAGS definition is now in the main makefile...
	39
	40	O_TARGET := bridge.o
	41	-O_OBJS := br.o br_device.o br_fdb.o br_forward.o br_if.o br_input.o \
	42	- br_ioctl.o br_notify.o br_stp.o br_stp_bpdu.o \
	43	- br_stp_if.o br_stp_timer.o
	44	+O_OBJS := br.o br_device.o br_fdb.o br_forward.o br_fw.o br_if.o \
	45	+ br_input.o br_ioctl.o br_notify.o br_stp.o \
	46	+ br_stp_bpdu.o br_stp_if.o br_stp_timer.o
	47	M_OBJS := $(O_TARGET)
	48
	49	include $(TOPDIR)/Rules.make
	50	diff -urN linux-2.2.20br/net/bridge/br.c linux-2.2.20brfw/net/bridge/br.c
	51	--- linux-2.2.20br/net/bridge/br.c Mon Dec 10 16:25:36 2001
	52	+++ linux-2.2.20brfw/net/bridge/br.c Mon Dec 10 16:43:24 2001
	53	@@ -41,10 +41,10 @@
	54	br_ioctl_hook = br_ioctl_deviceless_stub;
	55	register_netdevice_notifier(&br_device_notifier);
	56
	57	- return 0;
	58	+ return brfw_init();
	59	}
	60
	61	-#ifdef MODULE
	62	+#ifdef CONFIG_BRIDGE_MODULE
	63	EXPORT_NO_SYMBOLS;
	64
65	int init_module(void)
66	@@ -54,6 +54,7 @@
67
68	void cleanup_module(void)
69	{
70	+ brfw_uninit();
71	unregister_netdevice_notifier(&br_device_notifier);
72	br_ioctl_hook = NULL;
73	br_handle_frame_hook = NULL;
74	diff -urN linux-2.2.20br/net/bridge/br_forward.c linux-2.2.20brfw/net/bridge/br_forward.c
75	--- linux-2.2.20br/net/bridge/br_forward.c Mon Dec 10 16:24:28 2001
76	+++ linux-2.2.20brfw/net/bridge/br_forward.c Mon Dec 10 16:43:24 2001
77	@@ -24,10 +24,20 @@
78
79	static inline int should_forward(struct net_bridge_port p, struct sk_buff skb)
80	{
81	- if (skb->dev != p->dev && p->state == BR_STATE_FORWARDING)
82	- return 1;
83	+ struct sk_buff *sk;
84
85	- return 0;
86	+ if (skb->dev == p->dev \|\| p->state != BR_STATE_FORWARDING)
87	+ return 0;
88	+
89	+ sk = skb;
90	+ if (call_fw_firewall(PF_BRIDGE, p->dev, skb->mac.raw,
91	+ p->dev->name, &sk) != FW_ACCEPT)
92	+ return 0;
93	+
94	+ if (skb != sk)
95	+ printk(KERN_CRIT "br: prepare for armageddon!\n");
96	+
97	+ return 1;
98	}
99
100	static void __br_forward(struct net_bridge_port to, struct sk_buff skb)
101	diff -urN linux-2.2.20br/net/bridge/br_fw.c linux-2.2.20brfw/net/bridge/br_fw.c
102	--- linux-2.2.20br/net/bridge/br_fw.c Thu Jan 1 01:00:00 1970
103	+++ linux-2.2.20brfw/net/bridge/br_fw.c Mon Dec 10 16:43:24 2001
104	@@ -0,0 +1,93 @@
105	+/*
106	+ * Firewall for the ethernet bridge, using ipchains
107	+ * Linux ethernet bridge
108	+ *
109	+ * Authors:
110	+ * Lennert Buytenhek <buytenh@gnu.org>
111	+ * Joachim Ott <ott@ardala.han.de>
112	+ *
113	+ * $Id$
114	+ *
115	+ * This program is free software; you can redistribute it and/or
116	+ * modify it under the terms of the GNU General Public License
117	+ * as published by the Free Software Foundation; either version
118	+ * 2 of the License, or (at your option) any later version.
119	+ */
120	+
121	+#include <linux/config.h>
122	+#include <linux/kernel.h>
123	+#include <linux/netdevice.h>
124	+#include <linux/init.h>
125	+#include <linux/firewall.h>
126	+#include <linux/ip_fw.h>
127	+#include <linux/if_bridge.h>
128	+#include <asm/uaccess.h>
129	+#include "br_private.h"
130	+
131	+
132	+
133	+int brfw_forward_check(struct firewall_ops this, int pf, struct device dev,
134	+ void phdr, void arg, struct sk_buff **pskb)
135	+{
136	+ struct net_bridge *br;
137	+ int err;
138	+ struct iphdr *ip;
139	+ unsigned char *ptr;
140	+ struct sk_buff *skb;
141	+
142	+ br = dev->br_port->br;
143	+ skb = *pskb;
144	+ ptr = skb->data;
145	+ ip = (struct iphdr *)(ptr + ETH_HLEN);
146	+
147	+ if (ptr[12] != 0x08 \|\| ptr[13] != 0x00) /* ETH_P_IP */
148	+ return FW_ACCEPT;
149	+
150	+ err = ip_fw_check_from_bridge(br->name, skb, ip, arg);
151	+ if (err != FW_SKIP)
152	+ return err;
153	+
154	+ return FW_ACCEPT;
155	+}
156	+
157	+int brfw_input_check(struct firewall_ops this, int pf, struct device dev,
158	+ void phdr, void arg, struct sk_buff **pskb)
159	+{
160	+ return FW_ACCEPT;
161	+}
162	+
163	+int brfw_output_check(struct firewall_ops this, int pf, struct device dev,
164	+ void phdr, void arg, struct sk_buff **pskb)
165	+{
166	+ return FW_ACCEPT;
167	+}
168	+
169	+
170	+
171	+
172	+struct firewall_ops brfw_ops =
173	+{
174	+ NULL,
175	+ brfw_forward_check,
176	+ brfw_input_check,
177	+ brfw_output_check,
178	+ PF_BRIDGE,
179	+ 0
180	+};
181	+
182	+__initfunc(int brfw_init(void))
183	+{
184	+ printk(KERN_INFO "NET4: Ethernet Bridge Firewall 001 for NET4.0\n");
185	+
186	+ if (register_firewall(PF_BRIDGE, &brfw_ops) < 0) {
187	+ printk(KERN_ALERT "br: unable to register PF_BRIDGE firewall\n");
188	+ return 1;
189	+ }
190	+
191	+ return 0;
192	+}
193	+
194	+void brfw_uninit(void)
195	+{
196	+ unregister_firewall(PF_BRIDGE, &brfw_ops);
197	+}
198	diff -urN linux-2.2.20br/net/bridge/br_private.h linux-2.2.20brfw/net/bridge/br_private.h
199	--- linux-2.2.20br/net/bridge/br_private.h Mon Dec 10 16:39:30 2001
200	+++ linux-2.2.20brfw/net/bridge/br_private.h Mon Dec 10 16:43:24 2001
201	@@ -166,6 +166,10 @@
202	struct sk_buff *skb,
203	int clone);
204
205	+/* br_fw.c */
206	+int brfw_init(void);
207	+void brfw_uninit(void);
208	+
209	/* br_if.c */
210	int br_add_bridge(char *name);
211	int br_del_bridge(char *name);
212	diff -urN linux-2.2.20br/net/ipv4/ip_fw.c linux-2.2.20brfw/net/ipv4/ip_fw.c
213	--- linux-2.2.20br/net/ipv4/ip_fw.c Sun Mar 25 18:31:12 2001
214	+++ linux-2.2.20brfw/net/ipv4/ip_fw.c Mon Dec 10 16:43:24 2001
215	@@ -841,6 +841,25 @@
216	#endif
217	}
218
219	+#if defined(CONFIG_BRIDGE) \|\| defined(CONFIG_BRIDGE_MODULE)
220	+int ip_fw_check_from_bridge(const char brifname, struct sk_buff skb, struct iphdr ip, const char destifname)
221	+{
222	+ struct ip_chain *chain;
223	+ int ret;
224	+
225	+ ret = FW_SKIP;
226	+ if (ip->ihl * 4 >= sizeof(struct iphdr) &&
227	+ skb->len >= sizeof(struct iphdr)) {
228	+ if ((chain = find_label((char *)brifname)) != NULL) {
229	+ ret = ip_fw_check(ip, destifname, NULL, chain,
230	+ skb, SLOT_NUMBER(), 0);
231	+ }
232	+ }
233	+
234	+ return ret;
235	+}
236	+#endif
237	+
238	/* Must have write lock & interrupts off for any of these */
239
240	/* This function sets all the byte counters in a chain to zero. The
241	diff -urN linux-2.2.20br/net/netsyms.c linux-2.2.20brfw/net/netsyms.c
242	--- linux-2.2.20br/net/netsyms.c Mon Dec 10 16:24:28 2001
243	+++ linux-2.2.20brfw/net/netsyms.c Mon Dec 10 16:43:24 2001
244	@@ -17,6 +17,7 @@
245	#include <linux/trdevice.h>
246	#include <linux/fcdevice.h>
247	#include <linux/ioport.h>
248	+#include <linux/ip_fw.h>
249	#include <net/neighbour.h>
250	#include <net/snmp.h>
251	#include <net/dst.h>
252	@@ -224,6 +225,7 @@
253
254	#if defined(CONFIG_BRIDGE) \|\| defined(CONFIG_BRIDGE_MODULE)
255	EXPORT_SYMBOL(br_handle_frame_hook);
256	+EXPORT_SYMBOL(ip_fw_check_from_bridge);
257	#endif
258	EXPORT_SYMBOL(br_ioctl_hook);
259