[BRIDGE]: Add ipt_physdev netfilter module.

4798a0d2 · Bart De Schuymer · David S. Miller · 0aa30dc6 · 4798a0d2 · 4798a0d2
Commit 4798a0d2 authored Oct 27, 2002 by Bart De Schuymer Committed by David S. Miller Oct 27, 2002
5 changed files
--- a/include/linux/netfilter_ipv4/ipt_physdev.h
+++ b/include/linux/netfilter_ipv4/ipt_physdev.h
+#ifndef _IPT_PHYSDEV_H
+#define _IPT_PHYSDEV_H
+
+#ifdef __KERNEL__
+#include <linux/if.h>
+#endif
+
+#define IPT_PHYSDEV_OP_MATCH_IN 0x01
+#define IPT_PHYSDEV_OP_MATCH_OUT 0x02
+
+struct ipt_physdev_info {
+	u_int8_t invert;
+	char physindev[IFNAMSIZ];
+	char in_mask[IFNAMSIZ];
+	char physoutdev[IFNAMSIZ];
+	char out_mask[IFNAMSIZ];
+};
+
+#endif /*_IPT_PHYSDEV_H*/
--- a/net/ipv4/netfilter/Config.help
+++ b/net/ipv4/netfilter/Config.help
@@ -165,6 +165,13 @@ CONFIG_IP_NF_MATCH_OWNER
  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

+CONFIG_IP_NF_MATCH_PHYSDEV
+  Physdev packet matching matches against the physical bridge ports
+  the IP packet arrived on or will leave by.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 CONFIG_IP_NF_FILTER
  Packet filtering defines a table `filter', which has a series of
  rules for simple packet filtering at local input, forwarding and

--- a/net/ipv4/netfilter/Config.in
+++ b/net/ipv4/netfilter/Config.in
@@ -41,6 +41,10 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
    dep_tristate '  Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
    dep_tristate '  Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
  fi
+  if [ "$CONFIG_BRIDGE" != "n" ]; then
+    dep_tristate '  Physdev match support' CONFIG_IP_NF_MATCH_PHYSDEV
+  fi
+
 # The targets
  dep_tristate '  Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES 
  if [ "$CONFIG_IP_NF_FILTER" != "n" ]; then

--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -66,6 +66,8 @@ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o

+obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
+
 # targets
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 obj-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR.o

--- a/net/ipv4/netfilter/ipt_physdev.c
+++ b/net/ipv4/netfilter/ipt_physdev.c
+/* Kernel module to match the bridge port in and
+ * out device for IP packets coming into contact with a bridge. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter_ipv4/ipt_physdev.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	int i;
+	static const char nulldevname[IFNAMSIZ] = { 0 };
+	const struct ipt_physdev_info *info = matchinfo;
+	unsigned long ret;
+	const char *indev, *outdev;
+	struct nf_bridge_info *nf_bridge;
+
+	/* Not a bridged IP packet or no info available yet:
+	 * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
+	 * the destination device will be a bridge. */
+	if (!(nf_bridge = skb->nf_bridge))
+		return 1;
+
+	indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
+	outdev = nf_bridge->physoutdev ?
+		 nf_bridge->physoutdev->name : nulldevname;
+
+	for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
+		ret |= (((const unsigned long *)indev)[i]
+			^ ((const unsigned long *)info->physindev)[i])
+			& ((const unsigned long *)info->in_mask)[i];
+	}
+
+	if ((ret != 0) ^ !(info->invert & IPT_PHYSDEV_OP_MATCH_IN))
+		return 1;
+
+	for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
+		ret |= (((const unsigned long *)outdev)[i]
+			^ ((const unsigned long *)info->physoutdev)[i])
+			& ((const unsigned long *)info->out_mask)[i];
+	}
+
+	return (ret != 0) ^ !(info->invert & IPT_PHYSDEV_OP_MATCH_OUT);
+}
+
+static int
+checkentry(const char *tablename,
+		       const struct ipt_ip *ip,
+		       void *matchinfo,
+		       unsigned int matchsize,
+		       unsigned int hook_mask)
+{
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_physdev_info)))
+		return 0;
+
+	return 1;
+}
+
+static struct ipt_match physdev_match
+= { { NULL, NULL }, "physdev", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_match(&physdev_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&physdev_match);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");