Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | /* |
| 2 | * ebtable_filter |
| 3 | * |
| 4 | * Authors: |
| 5 | * Bart De Schuymer <bdschuym@pandora.be> |
| 6 | * |
| 7 | * April, 2002 |
| 8 | * |
| 9 | */ |
| 10 | |
| 11 | #include <linux/netfilter_bridge/ebtables.h> |
| 12 | #include <linux/module.h> |
| 13 | |
| 14 | #define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | \ |
| 15 | (1 << NF_BR_LOCAL_OUT)) |
| 16 | |
| 17 | static struct ebt_entries initial_chains[] = |
| 18 | { |
| 19 | { |
| 20 | .name = "INPUT", |
| 21 | .policy = EBT_ACCEPT, |
| 22 | }, |
| 23 | { |
| 24 | .name = "FORWARD", |
| 25 | .policy = EBT_ACCEPT, |
| 26 | }, |
| 27 | { |
| 28 | .name = "OUTPUT", |
| 29 | .policy = EBT_ACCEPT, |
| 30 | }, |
| 31 | }; |
| 32 | |
Al Viro | 1e419cd | 2006-11-30 19:28:48 -0800 | [diff] [blame] | 33 | static struct ebt_replace_kernel initial_table = |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 34 | { |
| 35 | .name = "filter", |
| 36 | .valid_hooks = FILTER_VALID_HOOKS, |
| 37 | .entries_size = 3 * sizeof(struct ebt_entries), |
| 38 | .hook_entry = { |
| 39 | [NF_BR_LOCAL_IN] = &initial_chains[0], |
| 40 | [NF_BR_FORWARD] = &initial_chains[1], |
| 41 | [NF_BR_LOCAL_OUT] = &initial_chains[2], |
| 42 | }, |
| 43 | .entries = (char *)initial_chains, |
| 44 | }; |
| 45 | |
| 46 | static int check(const struct ebt_table_info *info, unsigned int valid_hooks) |
| 47 | { |
| 48 | if (valid_hooks & ~FILTER_VALID_HOOKS) |
| 49 | return -EINVAL; |
| 50 | return 0; |
| 51 | } |
| 52 | |
Jan Engelhardt | 35aad0f | 2009-08-24 14:56:30 +0200 | [diff] [blame] | 53 | static const struct ebt_table frame_filter = |
YOSHIFUJI Hideaki | 9d6f229 | 2007-02-09 23:24:35 +0900 | [diff] [blame] | 54 | { |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 55 | .name = "filter", |
| 56 | .table = &initial_table, |
YOSHIFUJI Hideaki | 9d6f229 | 2007-02-09 23:24:35 +0900 | [diff] [blame] | 57 | .valid_hooks = FILTER_VALID_HOOKS, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 58 | .check = check, |
| 59 | .me = THIS_MODULE, |
| 60 | }; |
| 61 | |
| 62 | static unsigned int |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 63 | ebt_in_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 64 | const struct net_device *out, int (*okfn)(struct sk_buff *)) |
| 65 | { |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 66 | return ebt_do_table(hook, skb, in, out, dev_net(in)->xt.frame_filter); |
| 67 | } |
| 68 | |
| 69 | static unsigned int |
| 70 | ebt_out_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in, |
| 71 | const struct net_device *out, int (*okfn)(struct sk_buff *)) |
| 72 | { |
| 73 | return ebt_do_table(hook, skb, in, out, dev_net(out)->xt.frame_filter); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 74 | } |
| 75 | |
Patrick McHardy | 1999414 | 2007-12-05 01:23:00 -0800 | [diff] [blame] | 76 | static struct nf_hook_ops ebt_ops_filter[] __read_mostly = { |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 77 | { |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 78 | .hook = ebt_in_hook, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 79 | .owner = THIS_MODULE, |
Jan Engelhardt | 24c232d | 2009-06-13 06:20:29 +0200 | [diff] [blame] | 80 | .pf = NFPROTO_BRIDGE, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 81 | .hooknum = NF_BR_LOCAL_IN, |
| 82 | .priority = NF_BR_PRI_FILTER_BRIDGED, |
| 83 | }, |
| 84 | { |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 85 | .hook = ebt_in_hook, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 86 | .owner = THIS_MODULE, |
Jan Engelhardt | 24c232d | 2009-06-13 06:20:29 +0200 | [diff] [blame] | 87 | .pf = NFPROTO_BRIDGE, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 88 | .hooknum = NF_BR_FORWARD, |
| 89 | .priority = NF_BR_PRI_FILTER_BRIDGED, |
| 90 | }, |
| 91 | { |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 92 | .hook = ebt_out_hook, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 93 | .owner = THIS_MODULE, |
Jan Engelhardt | 24c232d | 2009-06-13 06:20:29 +0200 | [diff] [blame] | 94 | .pf = NFPROTO_BRIDGE, |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 95 | .hooknum = NF_BR_LOCAL_OUT, |
| 96 | .priority = NF_BR_PRI_FILTER_OTHER, |
| 97 | }, |
| 98 | }; |
| 99 | |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 100 | static int __net_init frame_filter_net_init(struct net *net) |
| 101 | { |
| 102 | net->xt.frame_filter = ebt_register_table(net, &frame_filter); |
| 103 | if (IS_ERR(net->xt.frame_filter)) |
| 104 | return PTR_ERR(net->xt.frame_filter); |
| 105 | return 0; |
| 106 | } |
| 107 | |
| 108 | static void __net_exit frame_filter_net_exit(struct net *net) |
| 109 | { |
Alexey Dobriyan | f54e936 | 2010-01-18 08:25:47 +0100 | [diff] [blame] | 110 | ebt_unregister_table(net, net->xt.frame_filter); |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 111 | } |
| 112 | |
| 113 | static struct pernet_operations frame_filter_net_ops = { |
| 114 | .init = frame_filter_net_init, |
| 115 | .exit = frame_filter_net_exit, |
| 116 | }; |
| 117 | |
Andrew Morton | 65b4b4e | 2006-03-28 16:37:06 -0800 | [diff] [blame] | 118 | static int __init ebtable_filter_init(void) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 119 | { |
Alexey Dobriyan | e40f51a | 2008-07-26 17:47:53 -0700 | [diff] [blame] | 120 | int ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 121 | |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 122 | ret = register_pernet_subsys(&frame_filter_net_ops); |
| 123 | if (ret < 0) |
| 124 | return ret; |
Alexey Dobriyan | e40f51a | 2008-07-26 17:47:53 -0700 | [diff] [blame] | 125 | ret = nf_register_hooks(ebt_ops_filter, ARRAY_SIZE(ebt_ops_filter)); |
| 126 | if (ret < 0) |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 127 | unregister_pernet_subsys(&frame_filter_net_ops); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 128 | return ret; |
| 129 | } |
| 130 | |
Andrew Morton | 65b4b4e | 2006-03-28 16:37:06 -0800 | [diff] [blame] | 131 | static void __exit ebtable_filter_fini(void) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 132 | { |
Alexey Dobriyan | e40f51a | 2008-07-26 17:47:53 -0700 | [diff] [blame] | 133 | nf_unregister_hooks(ebt_ops_filter, ARRAY_SIZE(ebt_ops_filter)); |
Alexey Dobriyan | 4aad109 | 2008-11-04 14:29:58 +0100 | [diff] [blame] | 134 | unregister_pernet_subsys(&frame_filter_net_ops); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 135 | } |
| 136 | |
Andrew Morton | 65b4b4e | 2006-03-28 16:37:06 -0800 | [diff] [blame] | 137 | module_init(ebtable_filter_init); |
| 138 | module_exit(ebtable_filter_fini); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 139 | MODULE_LICENSE("GPL"); |