linux/net
Florian Westphal 739e4505a0 bridge: netfilter: don't call iptables on vlan packets if sysctl is off
When net.bridge.bridge-nf-filter-vlan-tagged is 0 (default), vlan packets
arriving should not be sent to ip(6)tables by bridge netfilter.

However, it turns out that we currently always send VLAN packets to
netfilter, if ..
a), CONFIG_VLAN_8021Q is enabled ; or
b), CONFIG_VLAN_8021Q is not set but rx vlan offload is enabled
   on the bridge port.

This is because bridge netfilter treats skb with
skb->protocol == ETH_P_IP{V6} as "non-vlan packet".

With rx vlan offload on or CONFIG_VLAN_8021Q=y, the vlan header has
already been removed here, and we cannot rely on skb->protocol alone.

Fix this by only using skb->protocol if the skb has no vlan tag,
or if a vlan tag is present and filter-vlan-tagged bridge netfilter
sysctl is enabled.

We cannot remove the skb->protocol == htons(ETH_P_8021Q) test
because the vlan tag is still around in the CONFIG_VLAN_8021Q=n &&
"ethtool -K $itf rxvlan off" case.

reproducer:
iptables -t raw -I PREROUTING -i br0
iptables -t raw -I PREROUTING -i br0.1

Then send packets to an ip address configured on br0.1 interface.
Even with net.bridge.bridge-nf-filter-vlan-tagged=0, the 1st rule
will match instead of the 2nd one.

With this patch applied, the 2nd rule will match instead.
In the non-local address case, netfilter won't be consulted after
this patch unless the sysctl is switched on.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-03-06 14:43:49 -05:00
..
9p virtio: rename virtqueue_add_buf_gfp to virtqueue_add_buf 2012-01-12 15:44:42 +10:30
802 net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
8021q vlan: static functions 2011-12-14 02:39:30 -05:00
appletalk net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
atm atm: clip: remove clip_tbl 2012-02-22 02:23:25 -05:00
ax25 ax25: avoid overflows in ax25_setsockopt() 2011-12-28 14:08:08 -05:00
batman-adv batman-adv: Fix merge error. 2011-12-16 15:07:28 -05:00
bluetooth Bluetooth: Fix possible use after free in delete path 2012-02-15 13:09:26 +02:00
bridge bridge: netfilter: don't call iptables on vlan packets if sysctl is off 2012-03-06 14:43:49 -05:00
caif caif: Bugfix double kfree_skb upon xmit failure 2012-02-02 14:35:12 -05:00
can can: remove references to berlios mailinglist 2011-10-17 19:22:46 -04:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-02-02 15:47:33 -08:00
core rtnetlink: fix rtnl_calcit() and rtnl_dump_ifinfo() 2012-03-04 22:02:55 -05:00
dcb net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
dccp inet_diag: Rename inet_diag_req into inet_diag_req_v2 2012-01-11 12:56:06 -08:00
decnet Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-14 18:36:33 -08:00
dns_resolver
dsa dsa: Move switch drivers to new directory drivers/net/dsa 2011-11-29 00:21:36 -05:00
econet net: Remove all uses of LL_ALLOCATED_SPACE 2011-11-18 14:37:09 -05:00
ethernet net: don't clear IFF_XMIT_DST_RELEASE in ether_setup 2011-09-15 14:49:44 -04:00
ieee802154 net: Remove all uses of LL_ALLOCATED_SPACE 2011-11-18 14:37:09 -05:00
ipv4 tcp: fix tcp_shift_skb_data() to not shift SACKed data below snd_una 2012-03-06 14:43:49 -05:00
ipv6 ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
ipx net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
irda irda: use msecs_to_jiffies() rather than manual calculation 2011-12-21 15:46:22 -05:00
iucv af_iucv: get rid of state IUCV_SEVERED 2011-12-20 14:05:03 -05:00
key net: use IS_ENABLED(CONFIG_IPV6) 2011-12-11 18:25:16 -05:00
l2tp l2tp: l2tp_ip - fix possible oops on packet receive 2012-01-25 21:45:00 -05:00
lapb wan: make LAPB callbacks const 2011-09-16 19:20:20 -04:00
llc llc: Fix race condition in llc_ui_recvmsg 2012-01-24 15:33:19 -05:00
mac80211 mac80211: Fix a warning on changing to monitor mode from STA 2012-02-21 14:45:27 -05:00
netfilter netfilter: ctnetlink: remove incorrect spin_[un]lock_bh on NAT module autoload 2012-03-06 14:43:49 -05:00
netlabel net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
netlink Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-14 18:36:33 -08:00
netrom netrom: avoid overflows in nr_setsockopt() 2011-12-28 14:08:08 -05:00
nfc NFC: Export a new attribute nfcid1 in target info 2012-01-04 14:30:43 -05:00
openvswitch openvswitch: Fix multipart datapath dumps. 2012-01-17 23:56:19 -05:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2011-12-30 13:04:14 -05:00
phonet net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
rds rds: Make rds_sock_lock BH rather than IRQ safe. 2012-01-24 17:03:44 -05:00
rfkill Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2012-01-05 10:13:24 -05:00
rose net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
rxrpc RxRPC: Fix kcalloc parameters swapped 2012-02-14 14:41:55 -05:00
sched netem: fix dequeue 2012-02-19 18:57:50 -05:00
sctp Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-01-08 13:21:22 -08:00
sunrpc SUNRPC: Fix machine creds in generic_create_cred and generic_match 2012-01-23 14:03:46 -08:00
tipc tipc: rename struct bearer_name to struct tipc_bearer_names 2011-12-29 21:53:30 -05:00
unix af_unix: fix EPOLLET regression for stream sockets 2012-01-30 12:45:07 -05:00
wanrouter wanrouter: Remove kernel_lock annotations 2011-11-07 13:27:30 -05:00
wimax net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
wireless nl80211: fix old station flags compatibility 2012-01-11 15:14:50 -05:00
x25 net:x25: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xfrm Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-14 18:36:33 -08:00
compat.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
Kconfig net: Add Open vSwitch kernel components. 2011-12-03 09:35:17 -08:00
Makefile net: Add Open vSwitch kernel components. 2011-12-03 09:35:17 -08:00
nonet.c
socket.c net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
sysctl_net.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00