bridge: Pass net into br_validate_ipv4 and br_validate_ipv6
authorEric W. Biederman <ebiederm@xmission.com>
Fri, 25 Sep 2015 21:52:51 +0000 (16:52 -0500)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 29 Sep 2015 18:21:32 +0000 (20:21 +0200)
The network namespace is easily available in state->net so use it.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/br_netfilter.h
net/bridge/br_netfilter_hooks.c
net/bridge/br_netfilter_ipv6.c

index c93c75fa41ad70a80783971b13a64d17f4b6dec9..e8d1448425a717facd1a6cfb71d72a9dfacc3ed7 100644 (file)
@@ -45,12 +45,12 @@ struct net_device *setup_pre_routing(struct sk_buff *skb);
 void br_netfilter_enable(void);
 
 #if IS_ENABLED(CONFIG_IPV6)
-int br_validate_ipv6(struct sk_buff *skb);
+int br_validate_ipv6(struct net *net, struct sk_buff *skb);
 unsigned int br_nf_pre_routing_ipv6(void *priv,
                                    struct sk_buff *skb,
                                    const struct nf_hook_state *state);
 #else
-static inline int br_validate_ipv6(struct sk_buff *skb)
+static inline int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 {
        return -1;
 }
index e21e44c13e07d4e597dd1ed6f535a19178baade0..13f03671c88d43640d74bbac5aea57e4e8fd7171 100644 (file)
@@ -189,10 +189,9 @@ static inline void nf_bridge_pull_encap_header_rcsum(struct sk_buff *skb)
  * expected format
  */
 
-static int br_validate_ipv4(struct sk_buff *skb)
+static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
 {
        const struct iphdr *iph;
-       struct net_device *dev = skb->dev;
        u32 len;
 
        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
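Review bot: The comment block above br_validate_ipv4 (it starts outside this hunk) is left unchanged, so the new `net` parameter is undocumented. In the hunks shown here `net` is used only as the first argument of IP_INC_STATS_BH on the drop paths, so a single line in that comment would do, for example `net is only used to select the namespace whose IP MIB drop counters are incremented`. The function body continues outside the hunk.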
@@ -213,13 +212,13 @@ static int br_validate_ipv4(struct sk_buff *skb)
 
        len = ntohs(iph->tot_len);
        if (skb->len < len) {
-               IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS);
+               IP_INC_STATS_BH(net, IPSTATS_MIB_INTRUNCATEDPKTS);
                goto drop;
        } else if (len < (iph->ihl*4))
                goto inhdr_error;
 
        if (pskb_trim_rcsum(skb, len)) {
-               IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
+               IP_INC_STATS_BH(net, IPSTATS_MIB_INDISCARDS);
                goto drop;
        }
 
@@ -232,7 +231,7 @@ static int br_validate_ipv4(struct sk_buff *skb)
        return 0;
 
 inhdr_error:
-       IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
+       IP_INC_STATS_BH(net, IPSTATS_MIB_INHDRERRORS);
 drop:
        return -1;
 }
@@ -497,7 +496,7 @@ static unsigned int br_nf_pre_routing(void *priv,
 
        nf_bridge_pull_encap_header_rcsum(skb);
 
-       if (br_validate_ipv4(skb))
+       if (br_validate_ipv4(state->net, skb))
                return NF_DROP;
 
        nf_bridge_put(skb->nf_bridge);
@@ -609,13 +608,13 @@ static unsigned int br_nf_forward_ip(void *priv,
        }
 
        if (pf == NFPROTO_IPV4) {
-               if (br_validate_ipv4(skb))
+               if (br_validate_ipv4(state->net, skb))
                        return NF_DROP;
                IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
        }
 
        if (pf == NFPROTO_IPV6) {
-               if (br_validate_ipv6(skb))
+               if (br_validate_ipv6(state->net, skb))
                        return NF_DROP;
                IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
        }
@@ -747,7 +746,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
        if (skb->protocol == htons(ETH_P_IP)) {
                struct brnf_frag_data *data;
 
-               if (br_validate_ipv4(skb))
+               if (br_validate_ipv4(net, skb))
                        goto drop;
 
                IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
@@ -772,7 +771,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
                const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
                struct brnf_frag_data *data;
 
-               if (br_validate_ipv6(skb))
+               if (br_validate_ipv6(net, skb))
                        goto drop;
 
                IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
index c51cc3fd50d92f0d504136edb919f571d7442748..d61f56efc8dc3a2bc7ca440ae07f301a7cb6eaed 100644 (file)
@@ -100,10 +100,9 @@ bad:
        return -1;
 }
 
-int br_validate_ipv6(struct sk_buff *skb)
+int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 {
        const struct ipv6hdr *hdr;
-       struct net_device *dev = skb->dev;
        struct inet6_dev *idev = __in6_dev_get(skb->dev);
        u32 pkt_len;
        u8 ip6h_len = sizeof(struct ipv6hdr);
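Review bot: `idev` is still looked up with `__in6_dev_get(skb->dev)` while the namespace now comes from the caller, so the IP6_INC_STATS_BH calls in the following hunks pair a per-device counter taken from skb->dev with a per-namespace counter taken from `net`. That is only consistent if every caller passes the namespace skb->dev belongs to, and nothing on this page shows that being enforced. If that is the intended invariant, I would state it in a comment above the function, or check it with `WARN_ON_ONCE(net != dev_net(skb->dev));`. Counters charged to a different namespace would make truncated or malformed packet drops harder to attribute when investigating traffic on a bridge. The body of br_validate_ipv6 continues outside the hunk.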
@@ -123,12 +122,12 @@ int br_validate_ipv6(struct sk_buff *skb)
 
        if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
                if (pkt_len + ip6h_len > skb->len) {
-                       IP6_INC_STATS_BH(dev_net(dev), idev,
+                       IP6_INC_STATS_BH(net, idev,
                                         IPSTATS_MIB_INTRUNCATEDPKTS);
                        goto drop;
                }
                if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
-                       IP6_INC_STATS_BH(dev_net(dev), idev,
+                       IP6_INC_STATS_BH(net, idev,
                                         IPSTATS_MIB_INDISCARDS);
                        goto drop;
                }
@@ -143,7 +142,7 @@ int br_validate_ipv6(struct sk_buff *skb)
        return 0;
 
 inhdr_error:
-       IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
+       IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
 drop:
        return -1;
 }
@@ -224,7 +223,7 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
 {
        struct nf_bridge_info *nf_bridge;
 
-       if (br_validate_ipv6(skb))
+       if (br_validate_ipv6(state->net, skb))
                return NF_DROP;
 
        nf_bridge_put(skb->nf_bridge);