[NET]: Let arptables see bridged arp traffic.

60af0ada · Bart De Schuymer · Vojtech Pavlik · 9c4d8938 · 60af0ada · 60af0ada
Commit 60af0ada authored Jun 18, 2003 by Bart De Schuymer Committed by Vojtech Pavlik Jun 18, 2003
Showing with 80 additions and 41 deletions

include/linux/netfilter_arp.h include/linux/netfilter_arp.h +2 -1

net/bridge/br_netfilter.c net/bridge/br_netfilter.c +33 -18

net/ipv4/netfilter/arptable_filter.c net/ipv4/netfilter/arptable_filter.c +45 -22

No files found.
--- a/include/linux/netfilter_arp.h
+++ b/include/linux/netfilter_arp.h
@@ -14,6 +14,7 @@
 /* ARP Hooks */
 #define NF_ARP_IN	0
 #define NF_ARP_OUT	1
-#define NF_ARP_NUMHOOKS	2
+#define NF_ARP_FORWARD	2
+#define NF_ARP_NUMHOOKS	3
 #endif /* __LINUX_ARP_NETFILTER_H */
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -22,6 +22,7 @@
 #include <linux/if_ether.h>
 #include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_arp.h>
 #include <linux/in_route.h>
 #include <net/ip.h>
 #include <asm/uaccess.h>
@@ -304,31 +305,36 @@ static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb,
 	return NF_ACCEPT;
 }
 /* PF_BRIDGE/FORWARD *************************************************/
 static int br_nf_forward_finish(struct sk_buff *skb)
 {
 	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+	struct net_device *in;
 #ifdef CONFIG_NETFILTER_DEBUG
 	skb->nf_debug ^= (1 << NF_BR_FORWARD);
 #endif
-	if (nf_bridge->mask & BRNF_PKT_TYPE) {
+	if (skb->protocol == __constant_htons(ETH_P_IP)) {
-		skb->pkt_type = PACKET_OTHERHOST;
+		in = nf_bridge->physindev;
-		nf_bridge->mask ^= BRNF_PKT_TYPE;
+		if (nf_bridge->mask & BRNF_PKT_TYPE) {
+			skb->pkt_type = PACKET_OTHERHOST;
+			nf_bridge->mask ^= BRNF_PKT_TYPE;
+		}
+	} else {
+		in = *((struct net_device **)(skb->cb));
 	}
-	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, nf_bridge->physindev,
+	NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
 			skb->dev, br_forward_finish, 1);
 	return 0;
 }
-/* This is the 'purely bridged' case.  We pass the packet to
+/* This is the 'purely bridged' case.  For IP, we pass the packet to
 * netfilter with indev and outdev set to the bridge device,
 * but we are still able to filter on the 'real' indev/outdev
- * because of the ipt_physdev.c module.
+ * because of the ipt_physdev.c module. For ARP, indev and outdev are the
+ * bridge ports.
 */
 static unsigned int br_nf_forward(unsigned int hook, struct sk_buff **pskb,
   const struct net_device *in, const struct net_device *out,
@@ -337,24 +343,33 @@ static unsigned int br_nf_forward(unsigned int hook, struct sk_buff **pskb,
 	struct sk_buff *skb = *pskb;
 	struct nf_bridge_info *nf_bridge;
-	if (skb->protocol != __constant_htons(ETH_P_IP))
+	if (skb->protocol != __constant_htons(ETH_P_IP) &&
+	    skb->protocol != __constant_htons(ETH_P_ARP))
 		return NF_ACCEPT;
 #ifdef CONFIG_NETFILTER_DEBUG
 	skb->nf_debug ^= (1 << NF_BR_FORWARD);
 #endif
+	if (skb->protocol == __constant_htons(ETH_P_IP)) {
+		nf_bridge = skb->nf_bridge;
+		if (skb->pkt_type == PACKET_OTHERHOST) {
+			skb->pkt_type = PACKET_HOST;
+			nf_bridge->mask |= BRNF_PKT_TYPE;
+		}
-	nf_bridge = skb->nf_bridge;
+		/* The physdev module checks on this */
-	if (skb->pkt_type == PACKET_OTHERHOST) {
+		nf_bridge->mask |= BRNF_BRIDGED;
-		skb->pkt_type = PACKET_HOST;
+		nf_bridge->physoutdev = skb->dev;
-		nf_bridge->mask |= BRNF_PKT_TYPE;
-	}
-	nf_bridge->mask |= BRNF_BRIDGED; /* The physdev module checks on this */
+		NF_HOOK(PF_INET, NF_IP_FORWARD, skb, bridge_parent(in),
-	nf_bridge->physoutdev = skb->dev;
+			bridge_parent(out), br_nf_forward_finish);
+	} else {
+		struct net_device **d = (struct net_device **)(skb->cb);
-	NF_HOOK(PF_INET, NF_IP_FORWARD, skb, bridge_parent(nf_bridge->physindev),
+		*d = (struct net_device *)in;
-			bridge_parent(skb->dev), br_nf_forward_finish);
+		NF_HOOK(NF_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
+			(struct net_device *)out, br_nf_forward_finish);
+	}
 	return NF_STOLEN;
 }

--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -8,7 +8,8 @@
 #include <linux/module.h>
 #include <linux/netfilter_arp/arp_tables.h>
-#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT))
+#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
+			   (1 << NF_ARP_FORWARD))
 /* Standard entry. */
 struct arpt_standard
@@ -32,15 +33,17 @@ struct arpt_error
 static struct
 {
 	struct arpt_replace repl;
-	struct arpt_standard entries[2];
+	struct arpt_standard entries[3];
 	struct arpt_error term;
 } initial_table __initdata
-= { { "filter", FILTER_VALID_HOOKS, 3,
+= { { "filter", FILTER_VALID_HOOKS, 4,
-      sizeof(struct arpt_standard) * 2 + sizeof(struct arpt_error),
+      sizeof(struct arpt_standard) * 3 + sizeof(struct arpt_error),
      { [NF_ARP_IN] = 0,
-	[NF_ARP_OUT] = sizeof(struct arpt_standard) },
+	[NF_ARP_OUT] = sizeof(struct arpt_standard),
+	[NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard), },
      { [NF_ARP_IN] = 0,
-	[NF_ARP_OUT] = sizeof(struct arpt_standard), },
+	[NF_ARP_OUT] = sizeof(struct arpt_standard),
+	[NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard), },
      0, NULL, { } },
    {
 	    /* ARP_IN */
@@ -65,6 +68,27 @@ static struct
 		      -NF_ACCEPT - 1 }
 	    },
 	    /* ARP_OUT */
+	    {
+		    {
+			    {
+				    { 0 }, { 0 }, { 0 }, { 0 },
+				    0, 0,
+				    { { 0, }, { 0, } },
+				    { { 0, }, { 0, } },
+				    0, 0,
+				    0, 0,
+				    0, 0,
+				    "", "", { 0 }, { 0 },
+				    0, 0
+			    },
+			    sizeof(struct arpt_entry),
+			    sizeof(struct arpt_standard),
+			    0,
+			    { 0, 0 }, { } },
+		    { { { { ARPT_ALIGN(sizeof(struct arpt_standard_target)), "" } }, { } },
+		      -NF_ACCEPT - 1 }
+	    },
+	    /* ARP_FORWARD */
 	    {
 		    {
 			    {
@@ -142,35 +166,34 @@ static struct nf_hook_ops arpt_ops[] = {
 		.owner		= THIS_MODULE,
 		.pf		= NF_ARP,
 		.hooknum	= NF_ARP_OUT,
-	}
+	},
+	{
+		.hook		= arpt_hook,
+		.owner		= THIS_MODULE,
+		.pf		= NF_ARP,
+		.hooknum	= NF_ARP_FORWARD,
+	},
 };
 static int __init init(void)
 {
-	int ret;
+	int ret, i;
 	/* Register table */
 	ret = arpt_register_table(&packet_filter);
 	if (ret < 0)
 		return ret;
-	/* Register hooks */
+	for (i = 0; i < ARRAY_SIZE(arpt_ops); i++)
-	ret = nf_register_hook(&arpt_ops[0]);
+		if ((ret = nf_register_hook(&arpt_ops[i])) < 0)
-	if (ret < 0)
+			goto cleanup_hooks;
-		goto cleanup_table;
-	ret = nf_register_hook(&arpt_ops[1]);
-	if (ret < 0)
-		goto cleanup_hook0;
 	return ret;
-cleanup_hook0:
+cleanup_hooks:
-	nf_unregister_hook(&arpt_ops[0]);
+	while (--i >= 0)
+		nf_unregister_hook(&arpt_ops[i]);
-cleanup_table:
 	arpt_unregister_table(&packet_filter);
 	return ret;
 }
@@ -178,7 +201,7 @@ static void __exit fini(void)
 {
 	unsigned int i;
-	for (i = 0; i < sizeof(arpt_ops)/sizeof(struct nf_hook_ops); i++)
+	for (i = 0; i < ARRAY_SIZE(arpt_ops); i++)
 		nf_unregister_hook(&arpt_ops[i]);
 	arpt_unregister_table(&packet_filter);