Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
d9e50ea8
Commit
d9e50ea8
authored
Dec 04, 2002
by
Nick Fedchik
Committed by
James Morris
Dec 04, 2002
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[BRIDGE]: ebtables vlan match fixes and cleanups.
parent
b14efc2e
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
85 additions
and
144 deletions
+85
-144
net/bridge/netfilter/Kconfig
net/bridge/netfilter/Kconfig
+1
-1
net/bridge/netfilter/ebt_vlan.c
net/bridge/netfilter/ebt_vlan.c
+84
-143
No files found.
net/bridge/netfilter/Kconfig
View file @
d9e50ea8
...
@@ -70,7 +70,7 @@ config BRIDGE_EBT_ARPF
...
@@ -70,7 +70,7 @@ config BRIDGE_EBT_ARPF
<file:Documentation/modules.txt>. If unsure, say `N'.
<file:Documentation/modules.txt>. If unsure, say `N'.
config BRIDGE_EBT_VLANF
config BRIDGE_EBT_VLANF
tristate "ebt: 802.1Q VLAN filter support
(EXPERIMENTAL)
"
tristate "ebt: 802.1Q VLAN filter support"
depends on BRIDGE_NF_EBTABLES
depends on BRIDGE_NF_EBTABLES
help
help
This option adds the 802.1Q vlan match, which allows the filtering of
This option adds the 802.1Q vlan match, which allows the filtering of
...
...
net/bridge/netfilter/ebt_vlan.c
View file @
d9e50ea8
...
@@ -25,17 +25,17 @@
...
@@ -25,17 +25,17 @@
#include <linux/netfilter_bridge/ebt_vlan.h>
#include <linux/netfilter_bridge/ebt_vlan.h>
static
unsigned
char
debug
;
static
unsigned
char
debug
;
#define MODULE_VERSION "0.
4 (" __DATE__ " " __TIME__ ")
"
#define MODULE_VERSION "0.
6
"
MODULE_PARM
(
debug
,
"0-1b"
);
MODULE_PARM
(
debug
,
"0-1b"
);
MODULE_PARM_DESC
(
debug
,
"debug=1 is turn on debug messages"
);
MODULE_PARM_DESC
(
debug
,
"debug=1 is turn on debug messages"
);
MODULE_AUTHOR
(
"Nick Fedchik <nick@fedchik.org.ua>"
);
MODULE_AUTHOR
(
"Nick Fedchik <nick@fedchik.org.ua>"
);
MODULE_DESCRIPTION
(
"802.1Q match module (ebtables extension), v"
MODULE_DESCRIPTION
(
"802.1Q match module (ebtables extension), v"
MODULE_VERSION
);
MODULE_VERSION
);
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
#define DEBUG_MSG(...) if (debug) printk (KERN_DEBUG
__FILE__ ":
" __VA_ARGS__)
#define DEBUG_MSG(...) if (debug) printk (KERN_DEBUG
"ebt_vlan:
" __VA_ARGS__)
#define INV_FLAG(_inv_flag_) (info->invflags & _inv_flag_) ? "!" : ""
#define INV_FLAG(_inv_flag_) (info->invflags & _inv_flag_) ? "!" : ""
#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
#define SET_BITMASK(_BIT_MASK_) info->bitmask |= _BIT_MASK_
#define SET_BITMASK(_BIT_MASK_) info->bitmask |= _BIT_MASK_
...
@@ -59,11 +59,10 @@ MODULE_LICENSE ("GPL");
...
@@ -59,11 +59,10 @@ MODULE_LICENSE ("GPL");
* 1 - miss (rule params not acceptable to the parsed frame)
* 1 - miss (rule params not acceptable to the parsed frame)
*/
*/
static
int
static
int
ebt_filter_vlan
(
const
struct
sk_buff
*
skb
,
ebt_filter_vlan
(
const
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
const
void
*
data
,
const
void
*
data
,
unsigned
int
datalen
)
unsigned
int
datalen
)
{
{
struct
ebt_vlan_info
*
info
=
(
struct
ebt_vlan_info
*
)
data
;
/* userspace data */
struct
ebt_vlan_info
*
info
=
(
struct
ebt_vlan_info
*
)
data
;
/* userspace data */
struct
vlan_ethhdr
*
frame
=
(
struct
vlan_ethhdr
*
)
skb
->
mac
.
raw
;
/* Passed tagged frame */
struct
vlan_ethhdr
*
frame
=
(
struct
vlan_ethhdr
*
)
skb
->
mac
.
raw
;
/* Passed tagged frame */
...
@@ -75,62 +74,35 @@ ebt_filter_vlan (const struct sk_buff *skb,
...
@@ -75,62 +74,35 @@ ebt_filter_vlan (const struct sk_buff *skb,
/*
/*
* Tag Control Information (TCI) consists of the following elements:
* Tag Control Information (TCI) consists of the following elements:
* - User_priority. This field allows the tagged frame to carry user_priority
* - User_priority. The user_priority field is three bits in length,
* information across Bridged LANs in which individual LAN segments may be unable to signal
* interpreted as a binary number.
* priority information (e.g., 802.3/Ethernet segments).
* - Canonical Format Indicator (CFI). The Canonical Format Indicator
* The user_priority field is three bits in length,
* (CFI) is a single bit flag value. Currently ignored.
* interpreted as a binary number. The user_priority is therefore
* - VLAN Identifier (VID). The VID is encoded as
* capable of representing eight priority levels, 0 through 7.
* an unsigned binary number.
* The use and interpretation of this field is defined in ISO/IEC 15802-3.
* - Canonical Format Indicator (CFI). This field is used,
* in 802.3/Ethernet, to signal the presence or absence
* of a RIF field, and, in combination with the Non-canonical Format Indicator (NCFI) carried
* in the RIF, to signal the bit order of address information carried in the encapsulated
* frame. The Canonical Format Indicator (CFI) is a single bit flag value.
* - VLAN Identifier (VID). This field uniquely identifies the VLAN to
* which the frame belongs. The twelve-bit VLAN Identifier (VID) field
* uniquely identify the VLAN to which the frame belongs.
* The VID is encoded as an unsigned binary number.
*/
*/
TCI
=
ntohs
(
frame
->
h_vlan_TCI
);
TCI
=
ntohs
(
frame
->
h_vlan_TCI
);
id
=
TCI
&
0xFFF
;
id
=
TCI
&
VLAN_VID_MASK
;
prio
=
TCI
>>
13
;
prio
=
(
TCI
>>
13
)
&
0x7
;
encap
=
frame
->
h_vlan_encapsulated_proto
;
encap
=
frame
->
h_vlan_encapsulated_proto
;
/*
* First step is to check is null VLAN ID present
* in the parsed frame
*/
if
(
!
(
id
))
{
/*
/*
* Checking VLAN Identifier (VID)
* Checking VLAN Identifier (VID)
*/
*/
if
(
GET_BITMASK
(
EBT_VLAN_ID
))
{
/* Is VLAN ID parsed? */
if
(
GET_BITMASK
(
EBT_VLAN_ID
))
{
/* Is VLAN ID parsed? */
EXIT_ON_MISMATCH
(
id
,
EBT_VLAN_ID
);
EXIT_ON_MISMATCH
(
id
,
EBT_VLAN_ID
);
DEBUG_MSG
(
"matched rule id=%s%d for frame id=%d
\n
"
,
INV_FLAG
(
EBT_VLAN_ID
),
info
->
id
,
id
);
}
}
}
else
{
/*
/*
* Checking user_priority
* Checking user_priority
*/
*/
if
(
GET_BITMASK
(
EBT_VLAN_PRIO
))
{
/* Is VLAN user_priority parsed? */
if
(
GET_BITMASK
(
EBT_VLAN_PRIO
))
{
/* Is VLAN user_priority parsed? */
EXIT_ON_MISMATCH
(
prio
,
EBT_VLAN_PRIO
);
EXIT_ON_MISMATCH
(
prio
,
EBT_VLAN_PRIO
);
DEBUG_MSG
(
"matched rule prio=%s%d for frame prio=%d
\n
"
,
INV_FLAG
(
EBT_VLAN_PRIO
),
info
->
prio
,
prio
);
}
}
}
/*
/*
* Checking Encapsulated Proto (Length/Type) field
* Checking Encapsulated Proto (Length/Type) field
*/
*/
if
(
GET_BITMASK
(
EBT_VLAN_ENCAP
))
{
/* Is VLAN Encap parsed? */
if
(
GET_BITMASK
(
EBT_VLAN_ENCAP
))
{
/* Is VLAN Encap parsed? */
EXIT_ON_MISMATCH
(
encap
,
EBT_VLAN_ENCAP
);
EXIT_ON_MISMATCH
(
encap
,
EBT_VLAN_ENCAP
);
DEBUG_MSG
(
"matched encap=%s%2.4X for frame encap=%2.4X
\n
"
,
INV_FLAG
(
EBT_VLAN_ENCAP
),
ntohs
(
info
->
encap
),
ntohs
(
encap
));
}
}
/*
/*
* All possible extension parameters was parsed.
* All possible extension parameters was parsed.
...
@@ -141,7 +113,7 @@ ebt_filter_vlan (const struct sk_buff *skb,
...
@@ -141,7 +113,7 @@ ebt_filter_vlan (const struct sk_buff *skb,
/*
/*
* Function description: ebt_vlan_check() is called when userspace
* Function description: ebt_vlan_check() is called when userspace
* delivers the table to the kernel,
* delivers the table
entry
to the kernel,
* and to check that userspace doesn't give a bad table.
* and to check that userspace doesn't give a bad table.
* Parameters:
* Parameters:
* const char *tablename - table name string
* const char *tablename - table name string
...
@@ -154,29 +126,29 @@ ebt_filter_vlan (const struct sk_buff *skb,
...
@@ -154,29 +126,29 @@ ebt_filter_vlan (const struct sk_buff *skb,
* 1 - miss (rule params is out of range, invalid, incompatible, etc.)
* 1 - miss (rule params is out of range, invalid, incompatible, etc.)
*/
*/
static
int
static
int
ebt_check_vlan
(
const
char
*
tablename
,
ebt_check_vlan
(
const
char
*
tablename
,
unsigned
int
hooknr
,
unsigned
int
hooknr
,
const
struct
ebt_entry
*
e
,
void
*
data
,
const
struct
ebt_entry
*
e
,
void
*
data
,
unsigned
int
datalen
)
unsigned
int
datalen
)
{
{
struct
ebt_vlan_info
*
info
=
(
struct
ebt_vlan_info
*
)
data
;
struct
ebt_vlan_info
*
info
=
(
struct
ebt_vlan_info
*
)
data
;
/*
/*
* Parameters buffer overflow check
* Parameters buffer overflow check
*/
*/
if
(
datalen
!=
sizeof
(
struct
ebt_vlan_info
))
{
if
(
datalen
!=
sizeof
(
struct
ebt_vlan_info
))
{
DEBUG_MSG
DEBUG_MSG
(
"pa
rams
size %d is not eq to ebt_vlan_info (%d)
\n
"
,
(
"pa
ssed
size %d is not eq to ebt_vlan_info (%d)
\n
"
,
datalen
,
sizeof
(
struct
ebt_vlan_info
));
datalen
,
sizeof
(
struct
ebt_vlan_info
));
return
-
EINVAL
;
return
-
EINVAL
;
}
}
/*
/*
* Is it 802.1Q frame checked?
* Is it 802.1Q frame checked?
*/
*/
if
(
e
->
ethproto
!=
__constant_htons
(
ETH_P_8021Q
))
{
if
(
e
->
ethproto
!=
__constant_htons
(
ETH_P_8021Q
))
{
DEBUG_MSG
(
"passed entry proto %2.4X is not 802.1Q (8100)
\n
"
,
DEBUG_MSG
(
unsigned
short
)
ntohs
(
e
->
ethproto
));
(
"passed entry proto %2.4X is not 802.1Q (8100)
\n
"
,
(
unsigned
short
)
ntohs
(
e
->
ethproto
));
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
@@ -185,7 +157,7 @@ ebt_check_vlan (const char *tablename,
...
@@ -185,7 +157,7 @@ ebt_check_vlan (const char *tablename,
* True if even one bit is out of mask
* True if even one bit is out of mask
*/
*/
if
(
info
->
bitmask
&
~
EBT_VLAN_MASK
)
{
if
(
info
->
bitmask
&
~
EBT_VLAN_MASK
)
{
DEBUG_MSG
(
"bitmask %2X is out of mask (%2X)
\n
"
,
DEBUG_MSG
(
"bitmask %2X is out of mask (%2X)
\n
"
,
info
->
bitmask
,
EBT_VLAN_MASK
);
info
->
bitmask
,
EBT_VLAN_MASK
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
@@ -194,7 +166,7 @@ ebt_check_vlan (const char *tablename,
...
@@ -194,7 +166,7 @@ ebt_check_vlan (const char *tablename,
* Check for inversion flags range
* Check for inversion flags range
*/
*/
if
(
info
->
invflags
&
~
EBT_VLAN_MASK
)
{
if
(
info
->
invflags
&
~
EBT_VLAN_MASK
)
{
DEBUG_MSG
(
"inversion flags %2X is out of mask (%2X)
\n
"
,
DEBUG_MSG
(
"inversion flags %2X is out of mask (%2X)
\n
"
,
info
->
invflags
,
EBT_VLAN_MASK
);
info
->
invflags
,
EBT_VLAN_MASK
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
@@ -202,44 +174,33 @@ ebt_check_vlan (const char *tablename,
...
@@ -202,44 +174,33 @@ ebt_check_vlan (const char *tablename,
/*
/*
* Reserved VLAN ID (VID) values
* Reserved VLAN ID (VID) values
* -----------------------------
* -----------------------------
* 0 - The null VLAN ID. Indicates that the tag header contains only user_priority information;
* 0 - The null VLAN ID.
* no VLAN identifier is present in the frame. This VID value shall not be
* 1 - The default Port VID (PVID)
* configured as a PVID, configured in any Filtering Database entry, or used in any
* 0x0FFF - Reserved for implementation use.
* Management operation.
* if_vlan.h: VLAN_GROUP_ARRAY_LEN 4096.
*
* 1 - The default Port VID (PVID) value used for classifying frames on ingress through a Bridge
* Port. The PVID value can be changed by management on a per-Port basis.
*
* 0x0FFF - Reserved for implementation use. This VID value shall not be configured as a
* PVID or transmitted in a tag header.
*
* The remaining values of VID are available for general use as VLAN identifiers.
* A Bridge may implement the ability to support less than the full range of VID values;
* i.e., for a given implementation,
* an upper limit, N, is defined for the VID values supported, where N is less than or equal to 4094.
* All implementations shall support the use of all VID values in the range 0 through their defined maximum
* VID, N.
*
* For Linux, N = 4094.
*/
*/
if
(
GET_BITMASK
(
EBT_VLAN_ID
))
{
/* when vlan-id param was spec-ed */
if
(
GET_BITMASK
(
EBT_VLAN_ID
))
{
/* when vlan-id param was spec-ed */
if
(
!!
info
->
id
)
{
/* if id!=0 => check vid range */
if
(
!!
info
->
id
)
{
/* if id!=0 => check vid range */
if
(
info
->
id
>
4094
)
{
/* check if id > than (0x0FFE) */
if
(
info
->
id
>
VLAN_GROUP_ARRAY_LEN
)
{
DEBUG_MSG
DEBUG_MSG
(
"
vlan id %d is out of range (1-4094
)
\n
"
,
(
"
id %d is out of range (1-4096
)
\n
"
,
info
->
id
);
info
->
id
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
/*
/*
* Note: This is valid VLAN-tagged frame point.
* Note: This is valid VLAN-tagged frame point.
* Any value of user_priority are acceptable, but could be ignored
* Any value of user_priority are acceptable,
* according to 802.1Q Std.
* but should be ignored according to 802.1Q Std.
* So we just drop the prio flag.
*/
*/
}
else
{
info
->
bitmask
&=
~
EBT_VLAN_PRIO
;
}
/*
/*
* if id=0 (null VLAN ID) => Check for user_priority range
* Else, id=0 (null VLAN ID) => user_priority range (any?)
*/
*/
if
(
GET_BITMASK
(
EBT_VLAN_PRIO
))
{
}
if
(
GET_BITMASK
(
EBT_VLAN_PRIO
))
{
if
((
unsigned
char
)
info
->
prio
>
7
)
{
if
((
unsigned
char
)
info
->
prio
>
7
)
{
DEBUG_MSG
DEBUG_MSG
(
"prio %d is out of range (0-7)
\n
"
,
(
"prio %d is out of range (0-7)
\n
"
,
...
@@ -248,37 +209,19 @@ ebt_check_vlan (const char *tablename,
...
@@ -248,37 +209,19 @@ ebt_check_vlan (const char *tablename,
}
}
}
}
/*
/*
* Note2: This is valid priority-tagged frame point
* Check for encapsulated proto range - it is possible to be
* with null VID field.
* any value for u_short range.
*/
}
}
else
{
/* VLAN Id not set */
if
(
GET_BITMASK
(
EBT_VLAN_PRIO
))
{
/* But user_priority is set - abnormal! */
info
->
id
=
0
;
/* Set null VID (case for Priority-tagged frames) */
SET_BITMASK
(
EBT_VLAN_ID
);
/* and set id flag */
}
}
/*
* Check for encapsulated proto range - it is possible to be any value for u_short range.
* When relaying a tagged frame between 802.3/Ethernet MACs,
* a Bridge may adjust the padding field such that
* the minimum size of a transmitted tagged frame is 68 octets (7.2).
* if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS
* if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS
*/
*/
if
(
GET_BITMASK
(
EBT_VLAN_ENCAP
))
{
if
(
GET_BITMASK
(
EBT_VLAN_ENCAP
))
{
if
((
unsigned
short
)
ntohs
(
info
->
encap
)
<
ETH_ZLEN
)
{
if
((
unsigned
short
)
ntohs
(
info
->
encap
)
<
ETH_ZLEN
)
{
DEBUG_MSG
DEBUG_MSG
(
"encap
packet length %d is less than minimal %d
\n
"
,
(
"encap
frame length %d is less than minimal
\n
"
,
ntohs
(
info
->
encap
),
ETH_ZLEN
);
ntohs
(
info
->
encap
)
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
}
}
/*
* Otherwise is all correct
*/
DEBUG_MSG
(
"802.1Q tagged frame checked (%s table, %d hook)
\n
"
,
tablename
,
hooknr
);
return
0
;
return
0
;
}
}
...
@@ -293,24 +236,22 @@ static struct ebt_match filter_vlan = {
...
@@ -293,24 +236,22 @@ static struct ebt_match filter_vlan = {
/*
/*
* Module initialization function.
* Module initialization function.
* Called when module is loaded to kernelspace
*/
*/
static
int
__init
init
(
void
)
static
int
__init
init
(
void
)
{
{
DEBUG_MSG
(
"ebtables 802.1Q extension module v"
DEBUG_MSG
(
"ebtables 802.1Q extension module v"
MODULE_VERSION
"
\n
"
);
MODULE_VERSION
"
\n
"
);
DEBUG_MSG
(
"module debug=%d
\n
"
,
!!
debug
);
DEBUG_MSG
(
"module debug=%d
\n
"
,
!!
debug
);
return
ebt_register_match
(
&
filter_vlan
);
return
ebt_register_match
(
&
filter_vlan
);
}
}
/*
/*
* Module "finalization" function
* Module "finalization" function
* Called when download module from kernelspace
*/
*/
static
void
__exit
fini
(
void
)
static
void
__exit
fini
(
void
)
{
{
ebt_unregister_match
(
&
filter_vlan
);
ebt_unregister_match
(
&
filter_vlan
);
}
}
module_init
(
init
);
module_init
(
init
);
module_exit
(
fini
);
module_exit
(
fini
);
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment