
netfilter: nf_tables: add reject module for NFPROTO_INET

Add a reject module for NFPROTO_INET. It does nothing but dispatch
to the AF-specific modules based on the hook family.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Patrick McHardy and committed by
Pablo Neira Ayuso
05513e9e cc4723ca

+85 -6
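--- a/include/net/netfilter/nft_reject.h
+++ b/include/net/netfilter/nft_reject.h
@@ -14,4 +14,12 @@
 
 int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
 
+void nft_reject_ipv4_eval(const struct nft_expr *expr,
+			  struct nft_data data[NFT_REG_MAX + 1],
+			  const struct nft_pktinfo *pkt);
+
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
+			  struct nft_data data[NFT_REG_MAX + 1],
+			  const struct nft_pktinfo *pkt);
+
 #endif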
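--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -20,9 +20,9 @@
 #include <net/netfilter/ipv4/nf_reject.h>
 #include <net/netfilter/nft_reject.h>
 
-static void nft_reject_ipv4_eval(const struct nft_expr *expr,
-				 struct nft_data data[NFT_REG_MAX + 1],
-				 const struct nft_pktinfo *pkt)
+void nft_reject_ipv4_eval(const struct nft_expr *expr,
+			  struct nft_data data[NFT_REG_MAX + 1],
+			  const struct nft_pktinfo *pkt)
 {
 	struct nft_reject *priv = nft_expr_priv(expr);
 
@@ -37,6 +37,7 @@
 
 	data[NFT_REG_VERDICT].verdict = NF_DROP;
 }
+EXPORT_SYMBOL_GPL(nft_reject_ipv4_eval);
 
 static struct nft_expr_type nft_reject_ipv4_type;
 static const struct nft_expr_ops nft_reject_ipv4_ops = {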
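--- a/net/ipv6/netfilter/nft_reject_ipv6.c
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -19,9 +19,9 @@
 #include <net/netfilter/nft_reject.h>
 #include <net/netfilter/ipv6/nf_reject.h>
 
-static void nft_reject_ipv6_eval(const struct nft_expr *expr,
-				 struct nft_data data[NFT_REG_MAX + 1],
-				 const struct nft_pktinfo *pkt)
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
+			  struct nft_data data[NFT_REG_MAX + 1],
+			  const struct nft_pktinfo *pkt)
 {
 	struct nft_reject *priv = nft_expr_priv(expr);
 	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
@@ -38,6 +38,7 @@
 
 	data[NFT_REG_VERDICT].verdict = NF_DROP;
 }
+EXPORT_SYMBOL_GPL(nft_reject_ipv6_eval);
 
 static struct nft_expr_type nft_reject_ipv6_type;
 static const struct nft_expr_ops nft_reject_ipv6_ops = {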
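--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -520,6 +520,11 @@
 	  explicitly deny and notify via TCP reset/ICMP informational errors
 	  unallowed traffic.
 
+config NFT_REJECT_INET
+	depends on NF_TABLES_INET
+	default NFT_REJECT
+	tristate
+
 config NFT_COMPAT
 	depends on NF_TABLES
 	depends on NETFILTER_XTABLES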
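Review bot: NFT_REJECT_INET is gated only on NF_TABLES_INET, yet the new net/netfilter/nft_reject_inet.c in this commit calls nft_reject_ipv4_eval and nft_reject_ipv6_eval unconditionally, so building this option requires both AF-specific reject modules to be present with compatible linkage (a built-in inet module against modular IPv4/IPv6 ones would presumably fail to link). The `default NFT_REJECT` line keeps the three options aligned in the common case but does not enforce it. Consider adding `depends on` lines for the IPv4 and IPv6 reject config symbols (their Kconfig entries live outside this commit) so the constraint is explicit rather than implied.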
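--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -79,6 +79,7 @@
 obj-$(CONFIG_NFT_NAT)		+= nft_nat.o
 obj-$(CONFIG_NFT_QUEUE)		+= nft_queue.o
 obj-$(CONFIG_NFT_REJECT)	+= nft_reject.o
+obj-$(CONFIG_NFT_REJECT_INET)	+= nft_reject_inet.o
 obj-$(CONFIG_NFT_RBTREE)	+= nft_rbtree.o
 obj-$(CONFIG_NFT_HASH)		+= nft_hash.o
 obj-$(CONFIG_NFT_COUNTER)	+= nft_counter.o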
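--- /dev/null
+++ b/net/netfilter/nft_reject_inet.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2014 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_reject.h>
+
+static void nft_reject_inet_eval(const struct nft_expr *expr,
+				 struct nft_data data[NFT_REG_MAX + 1],
+				 const struct nft_pktinfo *pkt)
+{
+	switch (pkt->ops->pf) {
+	case NFPROTO_IPV4:
+		nft_reject_ipv4_eval(expr, data, pkt);
+	case NFPROTO_IPV6:
+		nft_reject_ipv6_eval(expr, data, pkt);
+	}
+}
+
+static struct nft_expr_type nft_reject_inet_type;
+static const struct nft_expr_ops nft_reject_inet_ops = {
+	.type		= &nft_reject_inet_type,
+	.size		= NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+	.eval		= nft_reject_inet_eval,
+	.init		= nft_reject_init,
+	.dump		= nft_reject_dump,
+};
+
+static struct nft_expr_type nft_reject_inet_type __read_mostly = {
+	.family		= NFPROTO_INET,
+	.name		= "reject",
+	.ops		= &nft_reject_inet_ops,
+	.policy		= nft_reject_policy,
+	.maxattr	= NFTA_REJECT_MAX,
+	.owner		= THIS_MODULE,
+};
+
+static int __init nft_reject_inet_module_init(void)
+{
+	return nft_register_expr(&nft_reject_inet_type);
+}
+
+static void __exit nft_reject_inet_module_exit(void)
+{
+	nft_unregister_expr(&nft_reject_inet_type);
+}
+
+module_init(nft_reject_inet_module_init);
+module_exit(nft_reject_inet_module_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_AF_EXPR(1, "reject");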
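Review bot: The NFPROTO_IPV4 arm of the switch in nft_reject_inet_eval (new-file lines 22-27) falls through into the NFPROTO_IPV6 arm because neither case ends with a `break`, so an IPv4 packet is handed to nft_reject_ipv4_eval and then to nft_reject_ipv6_eval on the same skb, which presumably builds an IPv6 reset/ICMPv6 error from IPv4 header bytes. Each case should be terminated: `nft_reject_ipv4_eval(expr, data, pkt); break;` and `nft_reject_ipv6_eval(expr, data, pkt); break;`. It would also be clearer to add a `default:` arm that states what happens for any other hook family, since both AF-specific evals end by setting `data[NFT_REG_VERDICT].verdict = NF_DROP` while this dispatcher leaves the verdict register untouched in that case.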