br_netfilter: use single forward hook for ip and arp

}

/* This is the 'purely bridged' case.  For IP, we pass the packet to

 * netfilter with indev and outdev set to the bridge device,

 * but we are still able to filter on the 'real' indev/outdev

 * because of the physdev module. For ARP, indev and outdev are the

 * bridge ports. */

static unsigned int br_nf_forward_ip(void *priv,

				     struct sk_buff *skb,

				     const struct nf_hook_state *state)

static unsigned int br_nf_forward_ip(struct sk_buff *skb,

				     const struct nf_hook_state *state,

				     u8 pf)

{

	struct nf_bridge_info *nf_bridge;

	struct net_device *parent;

	u_int8_t pf;

	nf_bridge = nf_bridge_info_get(skb);

	if (!nf_bridge)

	if (!parent)

		return NF_DROP_REASON(skb, SKB_DROP_REASON_DEV_READY, 0);

	if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||

	    is_pppoe_ip(skb, state->net))

		pf = NFPROTO_IPV4;

	else if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||

		 is_pppoe_ipv6(skb, state->net))

		pf = NFPROTO_IPV6;

	else

		return NF_ACCEPT;

	nf_bridge_pull_encap_header(skb);

	if (skb->pkt_type == PACKET_OTHERHOST) {

		if (br_validate_ipv4(state->net, skb))

			return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);

		IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;

	}

	if (pf == NFPROTO_IPV6) {

		skb->protocol = htons(ETH_P_IP);

	} else if (pf == NFPROTO_IPV6) {

		if (br_validate_ipv6(state->net, skb))

			return NF_DROP_REASON(skb, SKB_DROP_REASON_IP_INHDR, 0);

		IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;

		skb->protocol = htons(ETH_P_IPV6);

	} else {

		WARN_ON_ONCE(1);

		return NF_DROP;

	}

	nf_bridge->physoutdev = skb->dev;

	if (pf == NFPROTO_IPV4)

		skb->protocol = htons(ETH_P_IP);

	else

		skb->protocol = htons(ETH_P_IPV6);

	NF_HOOK(pf, NF_INET_FORWARD, state->net, NULL, skb,

		brnf_get_logical_dev(skb, state->in, state->net),

	return NF_STOLEN;

}

static unsigned int br_nf_forward_arp(void *priv,

				      struct sk_buff *skb,

static unsigned int br_nf_forward_arp(struct sk_buff *skb,

				      const struct nf_hook_state *state)

{

	struct net_bridge_port *p;

	if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))

		return NF_ACCEPT;

	if (!IS_ARP(skb)) {

		if (!is_vlan_arp(skb, state->net))

			return NF_ACCEPT;

	if (is_vlan_arp(skb, state->net))

		nf_bridge_pull_encap_header(skb);

	}

	if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))

		return NF_DROP_REASON(skb, SKB_DROP_REASON_PKT_TOO_SMALL, 0);

	return NF_STOLEN;

}

/* This is the 'purely bridged' case.  For IP, we pass the packet to

 * netfilter with indev and outdev set to the bridge device,

 * but we are still able to filter on the 'real' indev/outdev

 * because of the physdev module. For ARP, indev and outdev are the

 * bridge ports.

 */

static unsigned int br_nf_forward(void *priv,

				  struct sk_buff *skb,

				  const struct nf_hook_state *state)

{

	if (IS_IP(skb) || is_vlan_ip(skb, state->net) ||

	    is_pppoe_ip(skb, state->net))

		return br_nf_forward_ip(skb, state, NFPROTO_IPV4);

	if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||

	    is_pppoe_ipv6(skb, state->net))

		return br_nf_forward_ip(skb, state, NFPROTO_IPV6);

	if (IS_ARP(skb) || is_vlan_arp(skb, state->net))

		return br_nf_forward_arp(skb, state);

	return NF_ACCEPT;

}

static int br_nf_push_frag_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)

{

	struct brnf_frag_data *data;

		.priority = NF_BR_PRI_BRNF,

	},

	{

		.hook = br_nf_forward_ip,

		.pf = NFPROTO_BRIDGE,

		.hooknum = NF_BR_FORWARD,

		.priority = NF_BR_PRI_BRNF - 1,

	},

	{

		.hook = br_nf_forward_arp,

		.hook = br_nf_forward,

		.pf = NFPROTO_BRIDGE,

		.hooknum = NF_BR_FORWARD,

		.priority = NF_BR_PRI_BRNF,