summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2015-09-14 18:06:27 +0300
committerPablo Neira Ayuso <pablo@netfilter.org>2015-09-14 19:08:33 +0300
commit63cdbc06b357dcb3a7104a421ee4a4550d7fadfd (patch)
tree2fb2ea7a51b185f2786f4ee61773b470b9a5eb7a
parent205ee117d4dc4a11ac3bd9638bb9b2e839f4de9a (diff)
downloadlinux-63cdbc06b357dcb3a7104a421ee4a4550d7fadfd.tar.xz
netfilter: bridge: fix routing of bridge frames with call-iptables=1
We can't re-use the physoutdev storage area. 1. When using NFQUEUE in PREROUTING, we attempt to bump a bogus refcnt since nf_bridge->physoutdev is garbage (ipv4/ipv6 address) 2. for same reason, we crash in physdev match in FORWARD or later if skb is routed instead of bridged. This increases nf_bridge_info to 40 bytes, but we have no other choice. Fixes: 72b1e5e4cac7 ("netfilter: bridge: reduce nf_bridge_info to 32 bytes again") Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/linux/skbuff.h6
1 files changed, 3 insertions, 3 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 2738d355cdf9..9987af080fa0 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -179,6 +179,9 @@ struct nf_bridge_info {
u8 bridged_dnat:1;
__u16 frag_max_size;
struct net_device *physindev;
+
+ /* always valid & non-NULL from FORWARD on, for physdev match */
+ struct net_device *physoutdev;
union {
/* prerouting: detect dnat in orig/reply direction */
__be32 ipv4_daddr;
@@ -189,9 +192,6 @@ struct nf_bridge_info {
* skb is out in neigh layer.
*/
char neigh_header[8];
-
- /* always valid & non-NULL from FORWARD on, for physdev match */
- struct net_device *physoutdev;
};
};
#endif