
netfilter: nf_tables: add ARP filtering support

This patch registers the ARP family and the filter chain type
for this family.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+108
+1
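--- a/include/net/netns/nftables.h
+++ b/include/net/netns/nftables.h
@@ -10,6 +10,7 @@
 struct list_head commit_list;
 struct nft_af_info *ipv4;
 struct nft_af_info *ipv6;
+struct nft_af_info *arp;
 struct nft_af_info *bridge;
 u8 gencursor;
 u8 genctr;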
+4
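--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -53,6 +53,10 @@
 depends on NF_NAT_IPV4 && NFT_NAT
 tristate "IPv4 nf_tables nat chain support"
 
+config NF_TABLES_ARP
+depends on NF_TABLES
+tristate "ARP nf_tables support"
+
 config IP_NF_IPTABLES
 tristate "IP tables support (required for filtering/masq/NAT)"
 default m if NETFILTER_ADVANCED=n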
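Review bot: The new NF_TABLES_ARP symbol has no help text, unlike the surrounding entries in this Kconfig file are expected to; a user enabling it in menuconfig gets no description of what the option provides or which hooks it covers. A short help block stating that it provides the nf_tables ARP family and its "filter" chain type (input, output and forward hooks), and that it is the nf_tables counterpart of arptables, would be enough. Consider also whether `default m if NETFILTER_ADVANCED=n` style defaults used by the neighbouring IP_NF_IPTABLES entry are wanted here; the symbol currently has no default, which is presumably intentional for a new family.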
+1
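--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -31,6 +31,7 @@
 obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
+obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
 
 # generic IP tables
 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o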
+102
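--- /dev/null
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2008-2010 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/netfilter_arp.h>
+#include <net/netfilter/nf_tables.h>
+
+static struct nft_af_info nft_af_arp __read_mostly = {
+.family = NFPROTO_ARP,
+.nhooks = NF_ARP_NUMHOOKS,
+.owner = THIS_MODULE,
+};
+
+static int nf_tables_arp_init_net(struct net *net)
+{
+net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+if (net->nft.arp== NULL)
+return -ENOMEM;
+
+memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
+
+if (nft_register_afinfo(net, net->nft.arp) < 0)
+goto err;
+
+return 0;
+err:
+kfree(net->nft.arp);
+return -ENOMEM;
+}
+
+static void nf_tables_arp_exit_net(struct net *net)
+{
+nft_unregister_afinfo(net->nft.arp);
+kfree(net->nft.arp);
+}
+
+static struct pernet_operations nf_tables_arp_net_ops = {
+.init = nf_tables_arp_init_net,
+.exit = nf_tables_arp_exit_net,
+};
+
+static unsigned int
+nft_do_chain_arp(const struct nf_hook_ops *ops,
+struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+int (*okfn)(struct sk_buff *))
+{
+struct nft_pktinfo pkt;
+
+nft_set_pktinfo(&pkt, ops, skb, in, out);
+
+return nft_do_chain_pktinfo(&pkt, ops);
+}
+
+static struct nf_chain_type filter_arp = {
+.family = NFPROTO_ARP,
+.name = "filter",
+.type = NFT_CHAIN_T_DEFAULT,
+.hook_mask = (1 << NF_ARP_IN) |
+(1 << NF_ARP_OUT) |
+(1 << NF_ARP_FORWARD),
+.fn = {
+[NF_ARP_IN] = nft_do_chain_arp,
+[NF_ARP_OUT] = nft_do_chain_arp,
+[NF_ARP_FORWARD] = nft_do_chain_arp,
+},
+};
+
+static int __init nf_tables_arp_init(void)
+{
+int ret;
+
+nft_register_chain_type(&filter_arp);
+ret = register_pernet_subsys(&nf_tables_arp_net_ops);
+if (ret < 0)
+nft_unregister_chain_type(&filter_arp);
+
+return ret;
+}
+
+static void __exit nf_tables_arp_exit(void)
+{
+unregister_pernet_subsys(&nf_tables_arp_net_ops);
+nft_unregister_chain_type(&filter_arp);
+}
+
+module_init(nf_tables_arp_init);
+module_exit(nf_tables_arp_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */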
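Review bot: The error path of nf_tables_arp_init_net (new-file lines 31-37) returns -ENOMEM for every nft_register_afinfo() failure, so callers cannot distinguish an allocation failure from a registration failure, and after the kfree() it leaves net->nft.arp pointing at freed memory; capturing the real return code and clearing the pointer keeps the error meaningful and prevents a stale pointer from being reached if anything consults net->nft.arp after a failed init. The `nft_register_chain_type(&filter_arp)` call in nf_tables_arp_init (line 83) also discards its result; its prototype is outside this hunk, but if it can fail the module would carry on with an unregistered chain type, so its return value is presumably worth checking the same way register_pernet_subsys() is. Minor style: `net->nft.arp== NULL` is missing the space before `==`.
```c
static int nf_tables_arp_init_net(struct net *net)
{
	int ret;

	net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
	if (net->nft.arp == NULL)
		return -ENOMEM;

	memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));

	/* Propagate the registration error instead of masking it as -ENOMEM. */
	ret = nft_register_afinfo(net, net->nft.arp);
	if (ret < 0)
		goto err;

	return 0;
err:
	kfree(net->nft.arp);
	net->nft.arp = NULL;	/* do not leave a dangling pointer behind */
	return ret;
}
/* … unchanged: nf_tables_arp_exit_net, nft_do_chain_arp, filter_arp, module init/exit … */
```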