search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'hwmon-for-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git...
[linux.git] / net / bridge / br_input.c
blobceaa5a89b947fc574ee2a05003db3de7cc9797b1
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Handle incoming frames
4 * Linux ethernet bridge
5 *
6 * Authors:
7 * Lennert Buytenhek <buytenh@gnu.org>
8 */
9
10 #include <linux/slab.h>
11 #include <linux/kernel.h>
12 #include <linux/netdevice.h>
13 #include <linux/etherdevice.h>
14 #include <linux/netfilter_bridge.h>
15 #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
16 #include <net/netfilter/nf_queue.h>
17 #endif
18 #include <linux/neighbour.h>
19 #include <net/arp.h>
20 #include <net/dsa.h>
21 #include <linux/export.h>
22 #include <linux/rculist.h>
23 #include "br_private.h"
24 #include "br_private_tunnel.h"
25
26 static int
27 br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
28 {
29 br_drop_fake_rtable(skb);
30 return netif_receive_skb(skb);
31 }
32
33 static int br_pass_frame_up(struct sk_buff *skb, bool promisc)
34 {
35 struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev;
36 struct net_bridge *br = netdev_priv(brdev);
37 struct net_bridge_vlan_group *vg;
38
39 dev_sw_netstats_rx_add(brdev, skb->len);
40
41 vg = br_vlan_group_rcu(br);
42
43 /* Reset the offload_fwd_mark because there could be a stacked
44 * bridge above, and it should not think this bridge it doing
45 * that bridge's work forwarding out its ports.
46 */
47 br_switchdev_frame_unmark(skb);
48
49 /* Bridge is just like any other port. Make sure the
50 * packet is allowed except in promisc mode when someone
51 * may be running packet capture.
52 */
53 if (!(brdev->flags & IFF_PROMISC) &&
54 !br_allowed_egress(vg, skb)) {
55 kfree_skb(skb);
56 return NET_RX_DROP;
57 }
58
59 indev = skb->dev;
60 skb->dev = brdev;
61 skb = br_handle_vlan(br, NULL, vg, skb);
62 if (!skb)
63 return NET_RX_DROP;
64 /* update the multicast stats if the packet is IGMP/MLD */
65 br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb),
66 BR_MCAST_DIR_TX);
67
68 BR_INPUT_SKB_CB(skb)->promisc = promisc;
69
70 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
71 dev_net(indev), NULL, skb, indev, NULL,
72 br_netif_receive_skb);
73 }
74
75 /* note: already called with rcu_read_lock */
76 int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
77 {
78 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
79 enum br_pkt_type pkt_type = BR_PKT_UNICAST;
80 struct net_bridge_fdb_entry *dst = NULL;
81 struct net_bridge_mcast_port *pmctx;
82 struct net_bridge_mdb_entry *mdst;
83 bool local_rcv, mcast_hit = false;
84 struct net_bridge_mcast *brmctx;
85 struct net_bridge_vlan *vlan;
86 struct net_bridge *br;
87 bool promisc;
88 u16 vid = 0;
89 u8 state;
90
91 if (!p)
92 goto drop;
93
94 br = p->br;
95
96 if (br_mst_is_enabled(br)) {
97 state = BR_STATE_FORWARDING;
98 } else {
99 if (p->state == BR_STATE_DISABLED)
100 goto drop;
101
102 state = p->state;
103 }
104
105 brmctx = &p->br->multicast_ctx;
106 pmctx = &p->multicast_ctx;
107 if (!br_allowed_ingress(p->br, nbp_vlan_group_rcu(p), skb, &vid,
108 &state, &vlan))
109 goto out;
110
111 if (p->flags & BR_PORT_LOCKED) {
112 struct net_bridge_fdb_entry *fdb_src =
113 br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
114
115 if (!fdb_src) {
116 /* FDB miss. Create locked FDB entry if MAB is enabled
117 * and drop the packet.
118 */
119 if (p->flags & BR_PORT_MAB)
120 br_fdb_update(br, p, eth_hdr(skb)->h_source,
121 vid, BIT(BR_FDB_LOCKED));
122 goto drop;
123 } else if (READ_ONCE(fdb_src->dst) != p ||
124 test_bit(BR_FDB_LOCAL, &fdb_src->flags)) {
125 /* FDB mismatch. Drop the packet without roaming. */
126 goto drop;
127 } else if (test_bit(BR_FDB_LOCKED, &fdb_src->flags)) {
128 /* FDB match, but entry is locked. Refresh it and drop
129 * the packet.
130 */
131 br_fdb_update(br, p, eth_hdr(skb)->h_source, vid,
132 BIT(BR_FDB_LOCKED));
133 goto drop;
134 }
135 }
136
137 nbp_switchdev_frame_mark(p, skb);
138
139 /* insert into forwarding database after filtering to avoid spoofing */
140 if (p->flags & BR_LEARNING)
141 br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, 0);
142
143 promisc = !!(br->dev->flags & IFF_PROMISC);
144 local_rcv = promisc;
145
146 if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) {
147 /* by definition the broadcast is also a multicast address */
148 if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) {
149 pkt_type = BR_PKT_BROADCAST;
150 local_rcv = true;
151 } else {
152 pkt_type = BR_PKT_MULTICAST;
153 if (br_multicast_rcv(&brmctx, &pmctx, vlan, skb, vid))
154 goto drop;
155 }
156 }
157
158 if (state == BR_STATE_LEARNING)
159 goto drop;
160
161 BR_INPUT_SKB_CB(skb)->brdev = br->dev;
162 BR_INPUT_SKB_CB(skb)->src_port_isolated = !!(p->flags & BR_ISOLATED);
163
164 if (IS_ENABLED(CONFIG_INET) &&
165 (skb->protocol == htons(ETH_P_ARP) ||
166 skb->protocol == htons(ETH_P_RARP))) {
167 br_do_proxy_suppress_arp(skb, br, vid, p);
168 } else if (IS_ENABLED(CONFIG_IPV6) &&
169 skb->protocol == htons(ETH_P_IPV6) &&
170 br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
171 pskb_may_pull(skb, sizeof(struct ipv6hdr) +
172 sizeof(struct nd_msg)) &&
173 ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) {
174 struct nd_msg *msg, _msg;
175
176 msg = br_is_nd_neigh_msg(skb, &_msg);
177 if (msg)
178 br_do_suppress_nd(skb, br, vid, p, msg);
179 }
180
181 switch (pkt_type) {
182 case BR_PKT_MULTICAST:
183 mdst = br_mdb_entry_skb_get(brmctx, skb, vid);
184 if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) &&
185 br_multicast_querier_exists(brmctx, eth_hdr(skb), mdst)) {
186 if ((mdst && mdst->host_joined) ||
187 br_multicast_is_router(brmctx, skb)) {
188 local_rcv = true;
189 DEV_STATS_INC(br->dev, multicast);
190 }
191 mcast_hit = true;
192 } else {
193 local_rcv = true;
194 DEV_STATS_INC(br->dev, multicast);
195 }
196 break;
197 case BR_PKT_UNICAST:
198 dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid);
199 break;
200 default:
201 break;
202 }
203
204 if (dst) {
205 unsigned long now = jiffies;
206
207 if (test_bit(BR_FDB_LOCAL, &dst->flags))
208 return br_pass_frame_up(skb, false);
209
210 if (now != dst->used)
211 dst->used = now;
212 br_forward(dst->dst, skb, local_rcv, false);
213 } else {
214 if (!mcast_hit)
215 br_flood(br, skb, pkt_type, local_rcv, false, vid);
216 else
217 br_multicast_flood(mdst, skb, brmctx, local_rcv, false);
218 }
219
220 if (local_rcv)
221 return br_pass_frame_up(skb, promisc);
222
223 out:
224 return 0;
225 drop:
226 kfree_skb(skb);
227 goto out;
228 }
229 EXPORT_SYMBOL_GPL(br_handle_frame_finish);
230
231 static void __br_handle_local_finish(struct sk_buff *skb)
232 {
233 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
234 u16 vid = 0;
235
236 /* check if vlan is allowed, to avoid spoofing */
237 if ((p->flags & BR_LEARNING) &&
238 nbp_state_should_learn(p) &&
239 !br_opt_get(p->br, BROPT_NO_LL_LEARN) &&
240 br_should_learn(p, skb, &vid))
241 br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, 0);
242 }
243
244 /* note: already called with rcu_read_lock */
245 static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
246 {
247 __br_handle_local_finish(skb);
248
249 /* return 1 to signal the okfn() was called so it's ok to use the skb */
250 return 1;
251 }
252
253 static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
254 {
255 #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
256 struct nf_hook_entries *e = NULL;
257 struct nf_hook_state state;
258 unsigned int verdict, i;
259 struct net *net;
260 int ret;
261
262 net = dev_net(skb->dev);
263 #ifdef HAVE_JUMP_LABEL
264 if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
265 goto frame_finish;
266 #endif
267
268 e = rcu_dereference(net->nf.hooks_bridge[NF_BR_PRE_ROUTING]);
269 if (!e)
270 goto frame_finish;
271
272 nf_hook_state_init(&state, NF_BR_PRE_ROUTING,
273 NFPROTO_BRIDGE, skb->dev, NULL, NULL,
274 net, br_handle_frame_finish);
275
276 for (i = 0; i < e->num_hook_entries; i++) {
277 verdict = nf_hook_entry_hookfn(&e->hooks[i], skb, &state);
278 switch (verdict & NF_VERDICT_MASK) {
279 case NF_ACCEPT:
280 if (BR_INPUT_SKB_CB(skb)->br_netfilter_broute) {
281 *pskb = skb;
282 return RX_HANDLER_PASS;
283 }
284 break;
285 case NF_DROP:
286 kfree_skb(skb);
287 return RX_HANDLER_CONSUMED;
288 case NF_QUEUE:
289 ret = nf_queue(skb, &state, i, verdict);
290 if (ret == 1)
291 continue;
292 return RX_HANDLER_CONSUMED;
293 default: /* STOLEN */
294 return RX_HANDLER_CONSUMED;
295 }
296 }
297 frame_finish:
298 net = dev_net(skb->dev);
299 br_handle_frame_finish(net, NULL, skb);
300 #else
301 br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
302 #endif
303 return RX_HANDLER_CONSUMED;
304 }
305
306 /* Return 0 if the frame was not processed otherwise 1
307 * note: already called with rcu_read_lock
308 */
309 static int br_process_frame_type(struct net_bridge_port *p,
310 struct sk_buff *skb)
311 {
312 struct br_frame_type *tmp;
313
314 hlist_for_each_entry_rcu(tmp, &p->br->frame_type_list, list)
315 if (unlikely(tmp->type == skb->protocol))
316 return tmp->frame_handler(p, skb);
317
318 return 0;
319 }
320
321 /*
322 * Return NULL if skb is handled
323 * note: already called with rcu_read_lock
324 */
325 static rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
326 {
327 struct net_bridge_port *p;
328 struct sk_buff *skb = *pskb;
329 const unsigned char *dest = eth_hdr(skb)->h_dest;
330
331 if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
332 return RX_HANDLER_PASS;
333
334 if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
335 goto drop;
336
337 skb = skb_share_check(skb, GFP_ATOMIC);
338 if (!skb)
339 return RX_HANDLER_CONSUMED;
340
341 memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
342 br_tc_skb_miss_set(skb, false);
343
344 p = br_port_get_rcu(skb->dev);
345 if (p->flags & BR_VLAN_TUNNEL)
346 br_handle_ingress_vlan_tunnel(skb, p, nbp_vlan_group_rcu(p));
347
348 if (unlikely(is_link_local_ether_addr(dest))) {
349 u16 fwd_mask = p->br->group_fwd_mask_required;
350
351 /*
352 * See IEEE 802.1D Table 7-10 Reserved addresses
353 *
354 * Assignment Value
355 * Bridge Group Address 01-80-C2-00-00-00
356 * (MAC Control) 802.3 01-80-C2-00-00-01
357 * (Link Aggregation) 802.3 01-80-C2-00-00-02
358 * 802.1X PAE address 01-80-C2-00-00-03
359 *
360 * 802.1AB LLDP 01-80-C2-00-00-0E
361 *
362 * Others reserved for future standardization
363 */
364 fwd_mask |= p->group_fwd_mask;
365 switch (dest[5]) {
366 case 0x00: /* Bridge Group Address */
367 /* If STP is turned off,
368 then must forward to keep loop detection */
369 if (p->br->stp_enabled == BR_NO_STP ||
370 fwd_mask & (1u << dest[5]))
371 goto forward;
372 *pskb = skb;
373 __br_handle_local_finish(skb);
374 return RX_HANDLER_PASS;
375
376 case 0x01: /* IEEE MAC (Pause) */
377 goto drop;
378
379 case 0x0E: /* 802.1AB LLDP */
380 fwd_mask |= p->br->group_fwd_mask;
381 if (fwd_mask & (1u << dest[5]))
382 goto forward;
383 *pskb = skb;
384 __br_handle_local_finish(skb);
385 return RX_HANDLER_PASS;
386
387 default:
388 /* Allow selective forwarding for most other protocols */
389 fwd_mask |= p->br->group_fwd_mask;
390 if (fwd_mask & (1u << dest[5]))
391 goto forward;
392 }
393
394 BR_INPUT_SKB_CB(skb)->promisc = false;
395
396 /* The else clause should be hit when nf_hook():
397 * - returns < 0 (drop/error)
398 * - returns = 0 (stolen/nf_queue)
399 * Thus return 1 from the okfn() to signal the skb is ok to pass
400 */
401 if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
402 dev_net(skb->dev), NULL, skb, skb->dev, NULL,
403 br_handle_local_finish) == 1) {
404 return RX_HANDLER_PASS;
405 } else {
406 return RX_HANDLER_CONSUMED;
407 }
408 }
409
410 if (unlikely(br_process_frame_type(p, skb)))
411 return RX_HANDLER_PASS;
412
413 forward:
414 if (br_mst_is_enabled(p->br))
415 goto defer_stp_filtering;
416
417 switch (p->state) {
418 case BR_STATE_FORWARDING:
419 case BR_STATE_LEARNING:
420 defer_stp_filtering:
421 if (ether_addr_equal(p->br->dev->dev_addr, dest))
422 skb->pkt_type = PACKET_HOST;
423
424 return nf_hook_bridge_pre(skb, pskb);
425 default:
426 drop:
427 kfree_skb(skb);
428 }
429 return RX_HANDLER_CONSUMED;
430 }
431
432 /* This function has no purpose other than to appease the br_port_get_rcu/rtnl
433 * helpers which identify bridged ports according to the rx_handler installed
434 * on them (so there _needs_ to be a bridge rx_handler even if we don't need it
435 * to do anything useful). This bridge won't support traffic to/from the stack,
436 * but only hardware bridging. So return RX_HANDLER_PASS so we don't steal
437 * frames from the ETH_P_XDSA packet_type handler.
438 */
439 static rx_handler_result_t br_handle_frame_dummy(struct sk_buff **pskb)
440 {
441 return RX_HANDLER_PASS;
442 }
443
444 rx_handler_func_t *br_get_rx_handler(const struct net_device *dev)
445 {
446 if (netdev_uses_dsa(dev))
447 return br_handle_frame_dummy;
448
449 return br_handle_frame;
450 }
451
452 void br_add_frame(struct net_bridge *br, struct br_frame_type *ft)
453 {
454 hlist_add_head_rcu(&ft->list, &br->frame_type_list);
455 }
456
457 void br_del_frame(struct net_bridge *br, struct br_frame_type *ft)
458 {
459 struct br_frame_type *tmp;
460
461 hlist_for_each_entry(tmp, &br->frame_type_list, list)
462 if (ft == tmp) {
463 hlist_del_rcu(&ft->list);
464 return;
465 }
466 }
Linux Kernel