
netfilter: bridge: add reject support

So you can reject IPv4 and IPv6 packets from bridge tables. If the ether
proto is not known, drop the packet by default instead.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+74
+6
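--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -14,6 +14,12 @@
 	help
 	  Add support for bridge dedicated meta key.
 
+config NFT_BRIDGE_REJECT
+	tristate "Netfilter nf_tables bridge reject support"
+	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
+	help
+	  Add support to reject packets.
+
 config NF_LOG_BRIDGE
 	tristate "Bridge packet logging"
 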
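Review bot: The help text `Add support to reject packets.` says less than the commit message does: this expression only knows how to reject IPv4 and IPv6 and silently drops every other ether type, which is exactly what a user enabling the option needs to know before writing rules that rely on a reject actually being sent. I would make the help text say so, e.g. `Add support to reject IPv4 and IPv6 packets from bridge tables. Frames of any other ether type that reach this expression are dropped instead.`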
+1
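--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -4,6 +4,7 @@
 
 obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
 obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o
+obj-$(CONFIG_NFT_BRIDGE_REJECT) += nft_reject_bridge.o
 
 # packet logging
 obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o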
+67
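--- /dev/null
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2014 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_reject.h>
+
+static void nft_reject_bridge_eval(const struct nft_expr *expr,
+				   struct nft_data data[NFT_REG_MAX + 1],
+				   const struct nft_pktinfo *pkt)
+{
+	switch (eth_hdr(pkt->skb)->h_proto) {
+	case htons(ETH_P_IP):
+		return nft_reject_ipv4_eval(expr, data, pkt);
+	case htons(ETH_P_IPV6):
+		return nft_reject_ipv6_eval(expr, data, pkt);
+	default:
+		/* No explicit way to reject this protocol, drop it. */
+		data[NFT_REG_VERDICT].verdict = NF_DROP;
+		break;
+	}
+}
+
+static struct nft_expr_type nft_reject_bridge_type;
+static const struct nft_expr_ops nft_reject_bridge_ops = {
+	.type = &nft_reject_bridge_type,
+	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+	.eval = nft_reject_bridge_eval,
+	.init = nft_reject_init,
+	.dump = nft_reject_dump,
+};
+
+static struct nft_expr_type nft_reject_bridge_type __read_mostly = {
+	.family = NFPROTO_BRIDGE,
+	.name = "reject",
+	.ops = &nft_reject_bridge_ops,
+	.policy = nft_reject_policy,
+	.maxattr = NFTA_REJECT_MAX,
+	.owner = THIS_MODULE,
+};
+
+static int __init nft_reject_bridge_module_init(void)
+{
+	return nft_register_expr(&nft_reject_bridge_type);
+}
+
+static void __exit nft_reject_bridge_module_exit(void)
+{
+	nft_unregister_expr(&nft_reject_bridge_type);
+}
+
+module_init(nft_reject_bridge_module_init);
+module_exit(nft_reject_bridge_module_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject");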
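Review bot: `nft_reject_bridge_eval` hands the skb to `nft_reject_ipv4_eval`/`nft_reject_ipv6_eval` on nothing more than the Ethernet type, yet at the bridge hooks the frame has not been through ip_rcv()/ipv6_rcv(), so nothing has checked that an IP header of the advertised family is present, complete and sane at that point. Unless those two helpers do their own pskb_may_pull() and version/length checks (not visible in this commit), a truncated or malformed frame tagged ETH_P_IP/ETH_P_IPV6 reaches the reject path and whatever ip_hdr()/ipv6_hdr()-based reply generation sits behind it. I would at least require the full base header before dispatching (assuming skb->data sits at the network header here, as it does for frames arriving via br_handle_frame), which needs `<linux/ip.h>` and `<linux/ipv6.h>` for the struct sizes; a fuller check of ihl/tot_len and the IPv6 payload length would be a sensible follow-up. Separately, `eth_hdr()`, `ETH_P_IP`/`ETH_P_IPV6` and `htons()` are only reached through transitive includes; adding `<linux/etherdevice.h>` and `<linux/if_ether.h>` explicitly avoids breakage when the netfilter headers are trimmed.
```c
	switch (eth_hdr(pkt->skb)->h_proto) {
	case htons(ETH_P_IP):
		/* Bridge hooks run before ip_rcv(): make sure a full IPv4
		 * header is actually present before handing it off. */
		if (!pskb_may_pull(pkt->skb, sizeof(struct iphdr)))
			break;
		return nft_reject_ipv4_eval(expr, data, pkt);
	case htons(ETH_P_IPV6):
		if (!pskb_may_pull(pkt->skb, sizeof(struct ipv6hdr)))
			break;
		return nft_reject_ipv6_eval(expr, data, pkt);
	default:
		break;
	}
	/* Unknown ether type or truncated header: nothing to reject with, drop it. */
	data[NFT_REG_VERDICT].verdict = NF_DROP;
```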