• Linus Lüssing's avatar
    bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries · f0b4eece
    Linus Lüssing authored
    Ebtables on the OUTPUT chain (NF_BR_LOCAL_OUT) would not work as expected
    for both locally generated IGMP and MLD queries. The IP header specific
    filter options are off by 14 Bytes for netfilter (actual output on
    interfaces is fine).
    
    NF_HOOK() expects the skb->data to point to the IP header, not the
    ethernet one (while dev_queue_xmit() does not). Luckily there is an
    br_dev_queue_push_xmit() helper function already - let's just use that.
    
    Introduced by eb1d1641
    ("bridge: Add core IGMP snooping support")
    
    Ebtables example:
    
    $ ebtables -I OUTPUT -p IPv6 -o eth1 --logical-out br0 \
    	--log --log-level 6 --log-ip6 --log-prefix="~EBT: " -j DROP
    
    before (broken):
    
    ~EBT:  IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
    	MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
    	SRC=64a4:39c2:86dd:6000:0000:0020:0001:fe80 IPv6 \
    	DST=0000:0000:0000:0004:64ff:fea4:39c2:ff02, \
    	IPv6 priority=0x3, Next Header=2
    
    after (working):
    
    ~EBT:  IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
    	MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
    	SRC=fe80:0000:0000:0000:0004:64ff:fea4:39c2 IPv6 \
    	DST=ff02:0000:0000:0000:0000:0000:0000:0001, \
    	IPv6 priority=0x0, Next Header=0
    Signed-off-by: default avatarLinus Lüssing <linus.luessing@web.de>
    Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    f0b4eece
br_multicast.c 51.1 KB