Commit 4798a0d2 authored by Bart De Schuymer's avatar Bart De Schuymer Committed by David S. Miller

[BRIDGE]: Add ipt_physdev netfilter module.

parent 0aa30dc6
#ifndef _IPT_PHYSDEV_H
#define _IPT_PHYSDEV_H
#ifdef __KERNEL__
#include <linux/if.h>
#endif
#define IPT_PHYSDEV_OP_MATCH_IN 0x01
#define IPT_PHYSDEV_OP_MATCH_OUT 0x02
struct ipt_physdev_info {
u_int8_t invert;
char physindev[IFNAMSIZ];
char in_mask[IFNAMSIZ];
char physoutdev[IFNAMSIZ];
char out_mask[IFNAMSIZ];
};
#endif /*_IPT_PHYSDEV_H*/
...@@ -165,6 +165,13 @@ CONFIG_IP_NF_MATCH_OWNER ...@@ -165,6 +165,13 @@ CONFIG_IP_NF_MATCH_OWNER
If you want to compile it as a module, say M here and read If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'. <file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP_NF_MATCH_PHYSDEV
Physdev packet matching matches against the physical bridge ports
the IP packet arrived on or will leave by.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP_NF_FILTER CONFIG_IP_NF_FILTER
Packet filtering defines a table `filter', which has a series of Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and rules for simple packet filtering at local input, forwarding and
......
...@@ -41,6 +41,10 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then ...@@ -41,6 +41,10 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
fi fi
if [ "$CONFIG_BRIDGE" != "n" ]; then
dep_tristate ' Physdev match support' CONFIG_IP_NF_MATCH_PHYSDEV
fi
# The targets # The targets
dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
if [ "$CONFIG_IP_NF_FILTER" != "n" ]; then if [ "$CONFIG_IP_NF_FILTER" != "n" ]; then
......
...@@ -66,6 +66,8 @@ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o ...@@ -66,6 +66,8 @@ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
# targets # targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR.o obj-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR.o
......
/* Kernel module to match the bridge port in and
* out device for IP packets coming into contact with a bridge. */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ipt_physdev.h>
#include <linux/netfilter_ipv4/ip_tables.h>
static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
const void *hdr,
u_int16_t datalen,
int *hotdrop)
{
int i;
static const char nulldevname[IFNAMSIZ] = { 0 };
const struct ipt_physdev_info *info = matchinfo;
unsigned long ret;
const char *indev, *outdev;
struct nf_bridge_info *nf_bridge;
/* Not a bridged IP packet or no info available yet:
* LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
* the destination device will be a bridge. */
if (!(nf_bridge = skb->nf_bridge))
return 1;
indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
outdev = nf_bridge->physoutdev ?
nf_bridge->physoutdev->name : nulldevname;
for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
ret |= (((const unsigned long *)indev)[i]
^ ((const unsigned long *)info->physindev)[i])
& ((const unsigned long *)info->in_mask)[i];
}
if ((ret != 0) ^ !(info->invert & IPT_PHYSDEV_OP_MATCH_IN))
return 1;
for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
ret |= (((const unsigned long *)outdev)[i]
^ ((const unsigned long *)info->physoutdev)[i])
& ((const unsigned long *)info->out_mask)[i];
}
return (ret != 0) ^ !(info->invert & IPT_PHYSDEV_OP_MATCH_OUT);
}
static int
checkentry(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != IPT_ALIGN(sizeof(struct ipt_physdev_info)))
return 0;
return 1;
}
static struct ipt_match physdev_match
= { { NULL, NULL }, "physdev", &match, &checkentry, NULL, THIS_MODULE };
static int __init init(void)
{
return ipt_register_match(&physdev_match);
}
static void __exit fini(void)
{
ipt_unregister_match(&physdev_match);
}
module_init(init);
module_exit(fini);
MODULE_LICENSE("GPL");
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment