aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorFlorian Westphal2013-04-17 17:45:24 -0500
committerGreg Kroah-Hartman2013-05-11 15:53:56 -0500
commit6fc08dc6f89960aaf27149f8031009fdc8062a70 (patch)
tree603d6cb0b0d19b86fe2b8beac64f01290857b25e /net
parent79293de3160850689a436a072f51037493db73b8 (diff)
downloadkernel-video-6fc08dc6f89960aaf27149f8031009fdc8062a70.tar.gz
kernel-video-6fc08dc6f89960aaf27149f8031009fdc8062a70.tar.xz
kernel-video-6fc08dc6f89960aaf27149f8031009fdc8062a70.zip
netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
commit f83a7ea2075ca896f2dbf07672bac9cf3682ff74 upstream. Alex Efros reported rpfilter module doesn't match following packets: IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ] (netfilter bugzilla #814). Problem is that network stack arranges for the locally generated broadcasts to appear on the interface they were sent out, so the IFF_LOOPBACK check doesn't trigger. As -m rpfilter is restricted to PREROUTING, we can check for existing rtable instead, it catches locally-generated broad/multicast case, too. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ipt_rpfilter.c8
-rw-r--r--net/ipv6/netfilter/ip6t_rpfilter.c8
2 files changed, 14 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c30130062cd..c49dcd0284a 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -66,6 +66,12 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
66 return dev_match; 66 return dev_match;
67} 67}
68 68
69static bool rpfilter_is_local(const struct sk_buff *skb)
70{
71 const struct rtable *rt = skb_rtable(skb);
72 return rt && (rt->rt_flags & RTCF_LOCAL);
73}
74
69static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) 75static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
70{ 76{
71 const struct xt_rpfilter_info *info; 77 const struct xt_rpfilter_info *info;
@@ -76,7 +82,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
76 info = par->matchinfo; 82 info = par->matchinfo;
77 invert = info->flags & XT_RPFILTER_INVERT; 83 invert = info->flags & XT_RPFILTER_INVERT;
78 84
79 if (par->in->flags & IFF_LOOPBACK) 85 if (rpfilter_is_local(skb))
80 return true ^ invert; 86 return true ^ invert;
81 87
82 iph = ip_hdr(skb); 88 iph = ip_hdr(skb);
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 5060d54199a..e0983f3648a 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -71,6 +71,12 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
71 return ret; 71 return ret;
72} 72}
73 73
74static bool rpfilter_is_local(const struct sk_buff *skb)
75{
76 const struct rt6_info *rt = (const void *) skb_dst(skb);
77 return rt && (rt->rt6i_flags & RTF_LOCAL);
78}
79
74static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) 80static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
75{ 81{
76 const struct xt_rpfilter_info *info = par->matchinfo; 82 const struct xt_rpfilter_info *info = par->matchinfo;
@@ -78,7 +84,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
78 struct ipv6hdr *iph; 84 struct ipv6hdr *iph;
79 bool invert = info->flags & XT_RPFILTER_INVERT; 85 bool invert = info->flags & XT_RPFILTER_INVERT;
80 86
81 if (par->in->flags & IFF_LOOPBACK) 87 if (rpfilter_is_local(skb))
82 return true ^ invert; 88 return true ^ invert;
83 89
84 iph = ipv6_hdr(skb); 90 iph = ipv6_hdr(skb);