
netfilter: xtables: add device group match

Add a new 'devgroup' match to match on the device group of the
incoming and outgoing network device of a packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>

+114
+1
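--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -37,6 +37,7 @@
 header-y += xt_conntrack.h
 header-y += xt_cpu.h
 header-y += xt_dccp.h
+header-y += xt_devgroup.h
 header-y += xt_dscp.h
 header-y += xt_esp.h
 header-y += xt_hashlimit.h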
+21
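--- a/include/linux/netfilter/xt_devgroup.h
+++ b/include/linux/netfilter/xt_devgroup.h
@@ -0,0 +1,21 @@
+#ifndef _XT_DEVGROUP_H
+#define _XT_DEVGROUP_H
+
+#include <linux/types.h>
+
+enum xt_devgroup_flags {
+	XT_DEVGROUP_MATCH_SRC	= 0x1,
+	XT_DEVGROUP_INVERT_SRC	= 0x2,
+	XT_DEVGROUP_MATCH_DST	= 0x4,
+	XT_DEVGROUP_INVERT_DST	= 0x8,
+};
+
+struct xt_devgroup_info {
+	__u32	flags;
+	__u32	src_group;
+	__u32	src_mask;
+	__u32	dst_group;
+	__u32	dst_mask;
+};
+
+#endif /* _XT_DEVGROUP_H */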
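Review bot: struct xt_devgroup_info becomes part of the user/kernel ABI (it is exported via header-y in Kbuild) but nothing in the header says how the group/mask pairs are applied; from devgroup_mt in net/netfilter/xt_devgroup.c a device satisfies the source criterion when `((dev->group ^ src_group) & src_mask) == 0`, optionally negated by XT_DEVGROUP_INVERT_SRC, and the dst pair works the same way. A short comment above the struct stating that, and that flags outside xt_devgroup_flags are refused at rule-insertion time, would let userspace authors get the mask semantics right without reading the module. The XT_DEVGROUP_MATCH_* / XT_DEVGROUP_INVERT_* pairing could be stated on the enum as well, since an invert bit without its match bit has no effect in the match code.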
+9
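--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -738,6 +738,15 @@
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_DEVGROUP
+	tristate '"devgroup" match support'
+	depends on NETFILTER_ADVANCED
+	help
+	  This options adds a `devgroup' match, which allows to match on the
+	  device group a network device is assigned to.
+
+	  To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_DSCP
 	tristate '"dscp" and "tos" match support'
 	depends on NETFILTER_ADVANCED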
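Review bot: The help text of the new NETFILTER_XT_MATCH_DEVGROUP entry has a grammar slip in its first line: "This options adds" should read "This option adds", and "which allows to match on the" reads better as "which allows matching on the". The rest of the entry mirrors the neighbouring DSCP entry's layout and needs no change.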
+1
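--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -77,6 +77,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o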
+82
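--- a/net/netfilter/xt_devgroup.c
+++ b/net/netfilter/xt_devgroup.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+
+#include <linux/netfilter/xt_devgroup.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Xtables: Device group match");
+MODULE_ALIAS("ipt_devgroup");
+MODULE_ALIAS("ip6t_devgroup");
+
+static bool devgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_devgroup_info *info = par->matchinfo;
+
+	if (info->flags & XT_DEVGROUP_MATCH_SRC &&
+	    (((info->src_group ^ par->in->group) & info->src_mask ? 1 : 0) ^
+	     ((info->flags & XT_DEVGROUP_INVERT_SRC) ? 1 : 0)))
+		return false;
+
+	if (info->flags & XT_DEVGROUP_MATCH_DST &&
+	    (((info->dst_group ^ par->out->group) & info->dst_mask ? 1 : 0) ^
+	     ((info->flags & XT_DEVGROUP_INVERT_DST) ? 1 : 0)))
+		return false;
+
+	return true;
+}
+
+static int devgroup_mt_checkentry(const struct xt_mtchk_param *par)
+{
+	const struct xt_devgroup_info *info = par->matchinfo;
+
+	if (info->flags & ~(XT_DEVGROUP_MATCH_SRC | XT_DEVGROUP_INVERT_SRC |
+			    XT_DEVGROUP_MATCH_DST | XT_DEVGROUP_INVERT_DST))
+		return -EINVAL;
+
+	if (info->flags & XT_DEVGROUP_MATCH_SRC &&
+	    par->hook_mask & ~((1 << NF_INET_PRE_ROUTING) |
+			       (1 << NF_INET_LOCAL_IN) |
+			       (1 << NF_INET_FORWARD)))
+		return -EINVAL;
+
+	if (info->flags & XT_DEVGROUP_MATCH_DST &&
+	    par->hook_mask & ~((1 << NF_INET_FORWARD) |
+			       (1 << NF_INET_LOCAL_OUT) |
+			       (1 << NF_INET_POST_ROUTING)))
+		return -EINVAL;
+
+	return 0;
+}
+
+static struct xt_match devgroup_mt_reg __read_mostly = {
+	.name = "devgroup",
+	.match = devgroup_mt,
+	.checkentry = devgroup_mt_checkentry,
+	.matchsize = sizeof(struct xt_devgroup_info),
+	.family = NFPROTO_UNSPEC,
+	.me = THIS_MODULE
+};
+
+static int __init devgroup_mt_init(void)
+{
+	return xt_register_match(&devgroup_mt_reg);
+}
+
+static void __exit devgroup_mt_exit(void)
+{
+	xt_unregister_match(&devgroup_mt_reg);
+}
+
+module_init(devgroup_mt_init);
+module_exit(devgroup_mt_exit);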
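Review bot: devgroup_mt dereferences `par->in->group` and `par->out->group` with no NULL check, so it relies entirely on devgroup_mt_checkentry's hook_mask restriction to keep XT_DEVGROUP_MATCH_SRC out of hooks where par->in is unset and XT_DEVGROUP_MATCH_DST out of hooks where par->out is unset; that coupling is not stated anywhere in the file and deserves a comment at the top of the match, e.g. `/* par->in / par->out are non-NULL here: checkentry limits MATCH_SRC to input-side hooks and MATCH_DST to output-side hooks */`. The restriction is written in terms of NF_INET_* hook numbers while the match registers with `.family = NFPROTO_UNSPEC`, so it is worth confirming that the hook numbering, and hence the in/out guarantee, holds for every table family that can load this match; if it does not, the family should be narrowed or the permitted hook sets made per-family. As a point of style, the two `(... & mask ? 1 : 0) ^ (... ? 1 : 0)` expressions in devgroup_mt would read more directly as one small static helper taking the device group, the wanted group, the mask and an invert flag and returning the bool, called once for the src pair and once for the dst pair.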