[NETFILTER]: add correct bridging support to nfnetlink_{queue,log}
This patch adds support for passing the real 'physical' device ifindex down to userspace via nfnetlink_log and nfnetlink_queue. This feature basically obsoletes net/bridge/netfilter/ebt_ulog.c, and it is likely ebt_ulog.c will die with one of the next couple of patches. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
f6ebe77f95
commit
fbcd923c3e
4 changed files with 120 additions and 0 deletions
|
@ -40,6 +40,8 @@ enum nfulnl_attr_type {
|
|||
NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
|
||||
NFULA_IFINDEX_INDEV, /* u_int32_t ifindex */
|
||||
NFULA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
|
||||
NFULA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
|
||||
NFULA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
|
||||
NFULA_HWADDR, /* nfulnl_msg_packet_hw */
|
||||
NFULA_PAYLOAD, /* opaque data payload */
|
||||
NFULA_PREFIX, /* string prefix */
|
||||
|
|
|
@ -36,6 +36,8 @@ enum nfqnl_attr_type {
|
|||
NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
|
||||
NFQA_IFINDEX_INDEV, /* u_int32_t ifindex */
|
||||
NFQA_IFINDEX_OUTDEV, /* u_int32_t ifindex */
|
||||
NFQA_IFINDEX_PHYSINDEV, /* u_int32_t ifindex */
|
||||
NFQA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
|
||||
NFQA_HWADDR, /* nfqnl_msg_packet_hw */
|
||||
NFQA_PAYLOAD, /* opaque data payload */
|
||||
|
||||
|
|
|
@ -33,6 +33,10 @@
|
|||
|
||||
#include <asm/atomic.h>
|
||||
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
#include "../bridge/br_private.h"
|
||||
#endif
|
||||
|
||||
#define NFULNL_NLBUFSIZ_DEFAULT 4096
|
||||
#define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
|
||||
#define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
|
||||
|
@ -412,14 +416,64 @@ __build_packet_message(struct nfulnl_instance *inst,
|
|||
|
||||
if (indev) {
|
||||
tmp_uint = htonl(indev->ifindex);
|
||||
#ifndef CONFIG_BRIDGE_NETFILTER
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
#else
|
||||
if (pf == PF_BRIDGE) {
|
||||
/* Case 1: outdev is physical input device, we need to
|
||||
* look for bridge group (when called from
|
||||
* netfilter_bridge) */
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
/* this is the bridge group "brX" */
|
||||
tmp_uint = htonl(indev->br_port->br->dev->ifindex);
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
} else {
|
||||
/* Case 2: indev is bridge group, we need to look for
|
||||
* physical device (when called from ipv4) */
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
if (skb->nf_bridge && skb->nf_bridge->physindev) {
|
||||
tmp_uint =
|
||||
htonl(skb->nf_bridge->physindev->ifindex);
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (outdev) {
|
||||
tmp_uint = htonl(outdev->ifindex);
|
||||
#ifndef CONFIG_BRIDGE_NETFILTER
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
#else
|
||||
if (pf == PF_BRIDGE) {
|
||||
/* Case 1: outdev is physical output device, we need to
|
||||
* look for bridge group (when called from
|
||||
* netfilter_bridge) */
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
/* this is the bridge group "brX" */
|
||||
tmp_uint = htonl(outdev->br_port->br->dev->ifindex);
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
} else {
|
||||
/* Case 2: indev is a bridge group, we need to look
|
||||
* for physical device (when called from ipv4) */
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
if (skb->nf_bridge) {
|
||||
tmp_uint =
|
||||
htonl(skb->nf_bridge->physoutdev->ifindex);
|
||||
NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (skb->nfmark) {
|
||||
|
@ -536,6 +590,10 @@ nfulnl_log_packet(unsigned int pf,
|
|||
+ NFA_SPACE(sizeof(struct nfulnl_msg_packet_hdr))
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
#endif
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* mark */
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* uid */
|
||||
+ NFA_SPACE(NFULNL_PREFIXLEN) /* prefix */
|
||||
|
|
|
@ -30,6 +30,10 @@
|
|||
|
||||
#include <asm/atomic.h>
|
||||
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
#include "../bridge/br_private.h"
|
||||
#endif
|
||||
|
||||
#define NFQNL_QMAX_DEFAULT 1024
|
||||
|
||||
#if 0
|
||||
|
@ -361,6 +365,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
|
|||
size = NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hdr))
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
#endif
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* mark */
|
||||
+ NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hw))
|
||||
+ NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_timestamp));
|
||||
|
@ -412,12 +420,62 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
|
|||
|
||||
if (entry->info->indev) {
|
||||
tmp_uint = htonl(entry->info->indev->ifindex);
|
||||
#ifndef CONFIG_BRIDGE_NETFILTER
|
||||
NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), &tmp_uint);
|
||||
#else
|
||||
if (entry->info->pf == PF_BRIDGE) {
|
||||
/* Case 1: indev is physical input device, we need to
|
||||
* look for bridge group (when called from
|
||||
* netfilter_bridge) */
|
||||
NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
/* this is the bridge group "brX" */
|
||||
tmp_uint = htonl(entry->info->indev->br_port->br->dev->ifindex);
|
||||
NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
} else {
|
||||
/* Case 2: indev is bridge group, we need to look for
|
||||
* physical device (when called from ipv4) */
|
||||
NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
if (entry->skb->nf_bridge
|
||||
&& entry->skb->nf_bridge->physindev) {
|
||||
tmp_uint = htonl(entry->skb->nf_bridge->physindev->ifindex);
|
||||
NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (entry->info->outdev) {
|
||||
tmp_uint = htonl(entry->info->outdev->ifindex);
|
||||
#ifndef CONFIG_BRIDGE_NETFILTER
|
||||
NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), &tmp_uint);
|
||||
#else
|
||||
if (entry->info->pf == PF_BRIDGE) {
|
||||
/* Case 1: outdev is physical output device, we need to
|
||||
* look for bridge group (when called from
|
||||
* netfilter_bridge) */
|
||||
NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
/* this is the bridge group "brX" */
|
||||
tmp_uint = htonl(entry->info->outdev->br_port->br->dev->ifindex);
|
||||
NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
} else {
|
||||
/* Case 2: outdev is bridge group, we need to look for
|
||||
* physical output device (when called from ipv4) */
|
||||
NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
|
||||
&tmp_uint);
|
||||
if (entry->skb->nf_bridge
|
||||
&& entry->skb->nf_bridge->physoutdev) {
|
||||
tmp_uint = htonl(entry->skb->nf_bridge->physoutdev->ifindex);
|
||||
NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV,
|
||||
sizeof(tmp_uint), &tmp_uint);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (entry->skb->nfmark) {
|
||||
|
|
Loading…
Reference in a new issue