Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
60af0ada
Commit
60af0ada
authored
Jun 18, 2003
by
Bart De Schuymer
Committed by
Vojtech Pavlik
Jun 18, 2003
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[NET]: Let arptables see bridged arp traffic.
parent
9c4d8938
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
80 additions
and
41 deletions
+80
-41
include/linux/netfilter_arp.h
include/linux/netfilter_arp.h
+2
-1
net/bridge/br_netfilter.c
net/bridge/br_netfilter.c
+33
-18
net/ipv4/netfilter/arptable_filter.c
net/ipv4/netfilter/arptable_filter.c
+45
-22
No files found.
include/linux/netfilter_arp.h
View file @
60af0ada
...
@@ -14,6 +14,7 @@
...
@@ -14,6 +14,7 @@
/* ARP Hooks */
/* ARP Hooks */
#define NF_ARP_IN 0
#define NF_ARP_IN 0
#define NF_ARP_OUT 1
#define NF_ARP_OUT 1
#define NF_ARP_NUMHOOKS 2
#define NF_ARP_FORWARD 2
#define NF_ARP_NUMHOOKS 3
#endif
/* __LINUX_ARP_NETFILTER_H */
#endif
/* __LINUX_ARP_NETFILTER_H */
net/bridge/br_netfilter.c
View file @
60af0ada
...
@@ -22,6 +22,7 @@
...
@@ -22,6 +22,7 @@
#include <linux/if_ether.h>
#include <linux/if_ether.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_arp.h>
#include <linux/in_route.h>
#include <linux/in_route.h>
#include <net/ip.h>
#include <net/ip.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
...
@@ -304,31 +305,36 @@ static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb,
...
@@ -304,31 +305,36 @@ static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff **pskb,
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
/* PF_BRIDGE/FORWARD *************************************************/
/* PF_BRIDGE/FORWARD *************************************************/
static
int
br_nf_forward_finish
(
struct
sk_buff
*
skb
)
static
int
br_nf_forward_finish
(
struct
sk_buff
*
skb
)
{
{
struct
nf_bridge_info
*
nf_bridge
=
skb
->
nf_bridge
;
struct
nf_bridge_info
*
nf_bridge
=
skb
->
nf_bridge
;
struct
net_device
*
in
;
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
^=
(
1
<<
NF_BR_FORWARD
);
skb
->
nf_debug
^=
(
1
<<
NF_BR_FORWARD
);
#endif
#endif
if
(
skb
->
protocol
==
__constant_htons
(
ETH_P_IP
))
{
in
=
nf_bridge
->
physindev
;
if
(
nf_bridge
->
mask
&
BRNF_PKT_TYPE
)
{
if
(
nf_bridge
->
mask
&
BRNF_PKT_TYPE
)
{
skb
->
pkt_type
=
PACKET_OTHERHOST
;
skb
->
pkt_type
=
PACKET_OTHERHOST
;
nf_bridge
->
mask
^=
BRNF_PKT_TYPE
;
nf_bridge
->
mask
^=
BRNF_PKT_TYPE
;
}
}
}
else
{
in
=
*
((
struct
net_device
**
)(
skb
->
cb
));
}
NF_HOOK_THRESH
(
PF_BRIDGE
,
NF_BR_FORWARD
,
skb
,
nf_bridge
->
physindev
,
NF_HOOK_THRESH
(
PF_BRIDGE
,
NF_BR_FORWARD
,
skb
,
in
,
skb
->
dev
,
br_forward_finish
,
1
);
skb
->
dev
,
br_forward_finish
,
1
);
return
0
;
return
0
;
}
}
/* This is the 'purely bridged' case.
W
e pass the packet to
/* This is the 'purely bridged' case.
For IP, w
e pass the packet to
* netfilter with indev and outdev set to the bridge device,
* netfilter with indev and outdev set to the bridge device,
* but we are still able to filter on the 'real' indev/outdev
* but we are still able to filter on the 'real' indev/outdev
* because of the ipt_physdev.c module.
* because of the ipt_physdev.c module. For ARP, indev and outdev are the
* bridge ports.
*/
*/
static
unsigned
int
br_nf_forward
(
unsigned
int
hook
,
struct
sk_buff
**
pskb
,
static
unsigned
int
br_nf_forward
(
unsigned
int
hook
,
struct
sk_buff
**
pskb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
...
@@ -337,24 +343,33 @@ static unsigned int br_nf_forward(unsigned int hook, struct sk_buff **pskb,
...
@@ -337,24 +343,33 @@ static unsigned int br_nf_forward(unsigned int hook, struct sk_buff **pskb,
struct
sk_buff
*
skb
=
*
pskb
;
struct
sk_buff
*
skb
=
*
pskb
;
struct
nf_bridge_info
*
nf_bridge
;
struct
nf_bridge_info
*
nf_bridge
;
if
(
skb
->
protocol
!=
__constant_htons
(
ETH_P_IP
))
if
(
skb
->
protocol
!=
__constant_htons
(
ETH_P_IP
)
&&
skb
->
protocol
!=
__constant_htons
(
ETH_P_ARP
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
^=
(
1
<<
NF_BR_FORWARD
);
skb
->
nf_debug
^=
(
1
<<
NF_BR_FORWARD
);
#endif
#endif
if
(
skb
->
protocol
==
__constant_htons
(
ETH_P_IP
))
{
nf_bridge
=
skb
->
nf_bridge
;
nf_bridge
=
skb
->
nf_bridge
;
if
(
skb
->
pkt_type
==
PACKET_OTHERHOST
)
{
if
(
skb
->
pkt_type
==
PACKET_OTHERHOST
)
{
skb
->
pkt_type
=
PACKET_HOST
;
skb
->
pkt_type
=
PACKET_HOST
;
nf_bridge
->
mask
|=
BRNF_PKT_TYPE
;
nf_bridge
->
mask
|=
BRNF_PKT_TYPE
;
}
}
nf_bridge
->
mask
|=
BRNF_BRIDGED
;
/* The physdev module checks on this */
/* The physdev module checks on this */
nf_bridge
->
mask
|=
BRNF_BRIDGED
;
nf_bridge
->
physoutdev
=
skb
->
dev
;
nf_bridge
->
physoutdev
=
skb
->
dev
;
NF_HOOK
(
PF_INET
,
NF_IP_FORWARD
,
skb
,
bridge_parent
(
nf_bridge
->
physindev
),
NF_HOOK
(
PF_INET
,
NF_IP_FORWARD
,
skb
,
bridge_parent
(
in
),
bridge_parent
(
skb
->
dev
),
br_nf_forward_finish
);
bridge_parent
(
out
),
br_nf_forward_finish
);
}
else
{
struct
net_device
**
d
=
(
struct
net_device
**
)(
skb
->
cb
);
*
d
=
(
struct
net_device
*
)
in
;
NF_HOOK
(
NF_ARP
,
NF_ARP_FORWARD
,
skb
,
(
struct
net_device
*
)
in
,
(
struct
net_device
*
)
out
,
br_nf_forward_finish
);
}
return
NF_STOLEN
;
return
NF_STOLEN
;
}
}
...
...
net/ipv4/netfilter/arptable_filter.c
View file @
60af0ada
...
@@ -8,7 +8,8 @@
...
@@ -8,7 +8,8 @@
#include <linux/module.h>
#include <linux/module.h>
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT))
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
/* Standard entry. */
/* Standard entry. */
struct
arpt_standard
struct
arpt_standard
...
@@ -32,15 +33,17 @@ struct arpt_error
...
@@ -32,15 +33,17 @@ struct arpt_error
static
struct
static
struct
{
{
struct
arpt_replace
repl
;
struct
arpt_replace
repl
;
struct
arpt_standard
entries
[
2
];
struct
arpt_standard
entries
[
3
];
struct
arpt_error
term
;
struct
arpt_error
term
;
}
initial_table
__initdata
}
initial_table
__initdata
=
{
{
"filter"
,
FILTER_VALID_HOOKS
,
3
,
=
{
{
"filter"
,
FILTER_VALID_HOOKS
,
4
,
sizeof
(
struct
arpt_standard
)
*
2
+
sizeof
(
struct
arpt_error
),
sizeof
(
struct
arpt_standard
)
*
3
+
sizeof
(
struct
arpt_error
),
{
[
NF_ARP_IN
]
=
0
,
{
[
NF_ARP_IN
]
=
0
,
[
NF_ARP_OUT
]
=
sizeof
(
struct
arpt_standard
)
},
[
NF_ARP_OUT
]
=
sizeof
(
struct
arpt_standard
),
[
NF_ARP_FORWARD
]
=
2
*
sizeof
(
struct
arpt_standard
),
},
{
[
NF_ARP_IN
]
=
0
,
{
[
NF_ARP_IN
]
=
0
,
[
NF_ARP_OUT
]
=
sizeof
(
struct
arpt_standard
),
},
[
NF_ARP_OUT
]
=
sizeof
(
struct
arpt_standard
),
[
NF_ARP_FORWARD
]
=
2
*
sizeof
(
struct
arpt_standard
),
},
0
,
NULL
,
{
}
},
0
,
NULL
,
{
}
},
{
{
/* ARP_IN */
/* ARP_IN */
...
@@ -65,6 +68,27 @@ static struct
...
@@ -65,6 +68,27 @@ static struct
-
NF_ACCEPT
-
1
}
-
NF_ACCEPT
-
1
}
},
},
/* ARP_OUT */
/* ARP_OUT */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
0
,
0
,
{
{
0
,
},
{
0
,
}
},
{
{
0
,
},
{
0
,
}
},
0
,
0
,
0
,
0
,
0
,
0
,
""
,
""
,
{
0
},
{
0
},
0
,
0
},
sizeof
(
struct
arpt_entry
),
sizeof
(
struct
arpt_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
ARPT_ALIGN
(
sizeof
(
struct
arpt_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
},
/* ARP_FORWARD */
{
{
{
{
{
{
...
@@ -142,35 +166,34 @@ static struct nf_hook_ops arpt_ops[] = {
...
@@ -142,35 +166,34 @@ static struct nf_hook_ops arpt_ops[] = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
NF_ARP
,
.
pf
=
NF_ARP
,
.
hooknum
=
NF_ARP_OUT
,
.
hooknum
=
NF_ARP_OUT
,
}
},
{
.
hook
=
arpt_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NF_ARP
,
.
hooknum
=
NF_ARP_FORWARD
,
},
};
};
static
int
__init
init
(
void
)
static
int
__init
init
(
void
)
{
{
int
ret
;
int
ret
,
i
;
/* Register table */
/* Register table */
ret
=
arpt_register_table
(
&
packet_filter
);
ret
=
arpt_register_table
(
&
packet_filter
);
if
(
ret
<
0
)
if
(
ret
<
0
)
return
ret
;
return
ret
;
/* Register hooks */
for
(
i
=
0
;
i
<
ARRAY_SIZE
(
arpt_ops
);
i
++
)
ret
=
nf_register_hook
(
&
arpt_ops
[
0
]);
if
((
ret
=
nf_register_hook
(
&
arpt_ops
[
i
]))
<
0
)
if
(
ret
<
0
)
goto
cleanup_hooks
;
goto
cleanup_table
;
ret
=
nf_register_hook
(
&
arpt_ops
[
1
]);
if
(
ret
<
0
)
goto
cleanup_hook0
;
return
ret
;
return
ret
;
cleanup_hook0:
cleanup_hooks:
nf_unregister_hook
(
&
arpt_ops
[
0
]);
while
(
--
i
>=
0
)
nf_unregister_hook
(
&
arpt_ops
[
i
]);
cleanup_table:
arpt_unregister_table
(
&
packet_filter
);
arpt_unregister_table
(
&
packet_filter
);
return
ret
;
return
ret
;
}
}
...
@@ -178,7 +201,7 @@ static void __exit fini(void)
...
@@ -178,7 +201,7 @@ static void __exit fini(void)
{
{
unsigned
int
i
;
unsigned
int
i
;
for
(
i
=
0
;
i
<
sizeof
(
arpt_ops
)
/
sizeof
(
struct
nf_hook
_ops
);
i
++
)
for
(
i
=
0
;
i
<
ARRAY_SIZE
(
arpt
_ops
);
i
++
)
nf_unregister_hook
(
&
arpt_ops
[
i
]);
nf_unregister_hook
(
&
arpt_ops
[
i
]);
arpt_unregister_table
(
&
packet_filter
);
arpt_unregister_table
(
&
packet_filter
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment