b1c0e7cb
Commit
b1c0e7cb
authored
Aug 31, 2003
by
Bart De Schuymer
Committed by
David S. Miller
Aug 31, 2003
[BRIDGE]: Create CONFIG_BRIDGE_NETFILTER and use it instead of messy tests.
parent
6d95d4eb
Changes
11
Showing
11 changed files
with
38 additions
and
27 deletions
+38
-27
include/linux/netfilter_bridge.h
include/linux/netfilter_bridge.h
+9
-8
include/linux/skbuff.h
include/linux/skbuff.h
+3
-3
net/Kconfig
net/Kconfig
+13
-0
net/bridge/Makefile
net/bridge/Makefile
+1
-4
net/bridge/br_forward.c
net/bridge/br_forward.c
+1
-1
net/core/netfilter.c
net/core/netfilter.c
+4
-4
net/core/skbuff.c
net/core/skbuff.c
+3
-3
net/ipv4/ip_output.c
net/ipv4/ip_output.c
+1
-1
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+1
-1
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+1
-1
net/ipv6/ip6_output.c
net/ipv6/ip6_output.c
+1
-1
include/linux/netfilter_bridge.h
...
@@ -6,7 +6,7 @@
...
@@ -6,7 +6,7 @@
#include <linux/config.h>
#include <linux/config.h>
#include <linux/netfilter.h>
#include <linux/netfilter.h>
#if defined(__KERNEL__) && defined(CONFIG_NETFILTER)
#if defined(__KERNEL__) && defined(CONFIG_
BRIDGE_
NETFILTER)
#include <asm/atomic.h>
#include <asm/atomic.h>
#endif
#endif
...
@@ -27,11 +27,6 @@
...
@@ -27,11 +27,6 @@
#ifdef __KERNEL__
#ifdef __KERNEL__
#define BRNF_PKT_TYPE 0x01
#define BRNF_BRIDGED_DNAT 0x02
#define BRNF_DONT_TAKE_PARENT 0x04
#define BRNF_BRIDGED 0x08
enum
nf_br_hook_priorities
{
enum
nf_br_hook_priorities
{
NF_BR_PRI_FIRST
=
INT_MIN
,
NF_BR_PRI_FIRST
=
INT_MIN
,
NF_BR_PRI_NAT_DST_BRIDGED
=
-
300
,
NF_BR_PRI_NAT_DST_BRIDGED
=
-
300
,
...
@@ -43,7 +38,13 @@ enum nf_br_hook_priorities {
...
@@ -43,7 +38,13 @@ enum nf_br_hook_priorities {
NF_BR_PRI_LAST
=
INT_MAX
,
NF_BR_PRI_LAST
=
INT_MAX
,
};
};
#ifdef CONFIG_NETFILTER
#ifdef CONFIG_BRIDGE_NETFILTER
#define BRNF_PKT_TYPE 0x01
#define BRNF_BRIDGED_DNAT 0x02
#define BRNF_DONT_TAKE_PARENT 0x04
#define BRNF_BRIDGED 0x08
static
inline
static
inline
struct
nf_bridge_info
*
nf_bridge_alloc
(
struct
sk_buff
*
skb
)
struct
nf_bridge_info
*
nf_bridge_alloc
(
struct
sk_buff
*
skb
)
{
{
...
@@ -63,7 +64,7 @@ struct bridge_skb_cb {
...
@@ -63,7 +64,7 @@ struct bridge_skb_cb {
__u32
ipv4
;
__u32
ipv4
;
}
daddr
;
}
daddr
;
};
};
#endif
/* CONFIG_NETFILTER */
#endif
/* CONFIG_
BRIDGE_
NETFILTER */
#endif
/* __KERNEL__ */
#endif
/* __KERNEL__ */
#endif
#endif
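Review bot: The BRNF_* flag defines (BRNF_PKT_TYPE through BRNF_BRIDGED) move from the plain `#ifdef __KERNEL__` region into the `#ifdef CONFIG_BRIDGE_NETFILTER` block in the second hunk, so any file that tests those bits without itself being compiled only under CONFIG_BRIDGE_NETFILTER will now fail to build; the users are not visible from here, so this deserves a grep before merging. Nothing in the block says that it assumes CONFIG_NETFILTER is also set; a one-line comment at the `#ifdef`, `/* CONFIG_BRIDGE_NETFILTER depends on BRIDGE && NETFILTER && INET (net/Kconfig) */`, would make the nesting explicit for the next reader. nf_bridge_alloc's body runs past the hunk.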
include/linux/skbuff.h
...
@@ -98,7 +98,7 @@ struct nf_ct_info {
...
@@ -98,7 +98,7 @@ struct nf_ct_info {
struct
nf_conntrack
*
master
;
struct
nf_conntrack
*
master
;
};
};
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
struct
nf_bridge_info
{
struct
nf_bridge_info
{
atomic_t
use
;
atomic_t
use
;
struct
net_device
*
physindev
;
struct
net_device
*
physindev
;
...
@@ -244,7 +244,7 @@ struct sk_buff {
...
@@ -244,7 +244,7 @@ struct sk_buff {
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
unsigned
int
nf_debug
;
unsigned
int
nf_debug
;
#endif
#endif
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
struct
nf_bridge_info
*
nf_bridge
;
struct
nf_bridge_info
*
nf_bridge
;
#endif
#endif
#endif
/* CONFIG_NETFILTER */
#endif
/* CONFIG_NETFILTER */
...
@@ -1195,7 +1195,7 @@ static inline void nf_conntrack_get(struct nf_ct_info *nfct)
...
@@ -1195,7 +1195,7 @@ static inline void nf_conntrack_get(struct nf_ct_info *nfct)
atomic_inc
(
&
nfct
->
master
->
use
);
atomic_inc
(
&
nfct
->
master
->
use
);
}
}
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
static
inline
void
nf_bridge_put
(
struct
nf_bridge_info
*
nf_bridge
)
static
inline
void
nf_bridge_put
(
struct
nf_bridge_info
*
nf_bridge
)
{
{
if
(
nf_bridge
&&
atomic_dec_and_test
(
&
nf_bridge
->
use
))
if
(
nf_bridge
&&
atomic_dec_and_test
(
&
nf_bridge
->
use
))
...
...
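Review bot: The `nf_bridge` member of struct sk_buff is now compiled only under CONFIG_BRIDGE_NETFILTER, and that `#ifdef` sits inside the outer CONFIG_NETFILTER block (the `#endif /* CONFIG_NETFILTER */` that closes the second hunk); this is sound only because net/Kconfig makes BRIDGE_NETFILTER depend on NETFILTER, and the header does not say so. I would add `/* BRIDGE_NETFILTER depends on NETFILTER, so this nesting is safe */` at the `#ifdef CONFIG_BRIDGE_NETFILTER` in struct sk_buff so a later Kconfig change cannot silently leave the member undeclared while netfilter.c and skbuff.c still reference it. nf_bridge_put's body continues past the third hunk.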
net/Kconfig
...
@@ -272,6 +272,19 @@ config NETFILTER_DEBUG
...
@@ -272,6 +272,19 @@ config NETFILTER_DEBUG
You can say Y here if you want to get additional messages useful in
You can say Y here if you want to get additional messages useful in
debugging the netfilter code.
debugging the netfilter code.
config BRIDGE_NETFILTER
bool "Bridged IP/ARP packets filtering"
depends on BRIDGE && NETFILTER && INET
default y
---help---
Enabling this option will let arptables resp. iptables see bridged
ARP resp. IP traffic. If you want a bridging firewall, you probably
want this option enabled.
Enabling or disabling this option doesn't enable or disable
ebtables.
If unsure, say N.
source "net/ipv4/netfilter/Kconfig"
source "net/ipv4/netfilter/Kconfig"
source "net/ipv6/netfilter/Kconfig"
source "net/ipv6/netfilter/Kconfig"
source "net/decnet/netfilter/Kconfig"
source "net/decnet/netfilter/Kconfig"
...
...
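Review bot: The new help text closes with `If unsure, say N.` while the option is `default y` a few lines above, so an unsure user accepting defaults gets the opposite of the advice. Either make it `default n` or change the closing line to `If unsure, say Y.`, whichever matches the intent of enabling it by default. Because the option makes iptables and arptables see bridged IP and ARP traffic (as the help itself states), existing iptables rulesets will start to apply to frames they never saw before, and the help should say so, e.g. `Note that existing iptables/arptables rules will then also apply to bridged traffic.`. The wording `arptables resp. iptables see bridged ARP resp. IP traffic` is hard to parse for readers who do not know the "respectively" idiom; `arptables see bridged ARP traffic and iptables see bridged IP traffic` is clearer.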
net/bridge/Makefile
...
@@ -8,9 +8,6 @@ bridge-y := br.o br_device.o br_fdb.o br_forward.o br_if.o br_input.o \
...
@@ -8,9 +8,6 @@ bridge-y := br.o br_device.o br_fdb.o br_forward.o br_if.o br_input.o \
br_ioctl.o br_notify.o br_stp.o br_stp_bpdu.o
\
br_ioctl.o br_notify.o br_stp.o br_stp_bpdu.o
\
br_stp_if.o br_stp_timer.o
br_stp_if.o br_stp_timer.o
# br_netfilter only deals with IPv4 and ARP filtering, both are INET protocols
bridge-$(CONFIG_BRIDGE_NETFILTER)
+=
br_netfilter.o
ifeq
($(CONFIG_INET),y)
bridge-$(CONFIG_NETFILTER)
+=
br_netfilter.o
endif
obj-$(CONFIG_BRIDGE_NF_EBTABLES)
+=
netfilter/
obj-$(CONFIG_BRIDGE_NF_EBTABLES)
+=
netfilter/
net/bridge/br_forward.c
...
@@ -33,7 +33,7 @@ static inline int should_deliver(const struct net_bridge_port *p,
...
@@ -33,7 +33,7 @@ static inline int should_deliver(const struct net_bridge_port *p,
int
br_dev_queue_push_xmit
(
struct
sk_buff
*
skb
)
int
br_dev_queue_push_xmit
(
struct
sk_buff
*
skb
)
{
{
#ifdef CONFIG_NETFILTER
#ifdef CONFIG_
BRIDGE_
NETFILTER
/* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */
/* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */
if
(
skb
->
nf_bridge
)
if
(
skb
->
nf_bridge
)
memcpy
(
skb
->
data
-
16
,
skb
->
nf_bridge
->
hh
,
16
);
memcpy
(
skb
->
data
-
16
,
skb
->
nf_bridge
->
hh
,
16
);
...
...
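Review bot: The `memcpy(skb->data - 16, skb->nf_bridge->hh, 16)` kept under the new `#ifdef CONFIG_BRIDGE_NETFILTER` hard-codes the link-layer header length as a bare 16 twice on one line and writes in front of skb->data with no visible check that the skb has that much headroom; the comment above it explains why the copy is needed but not where 16 comes from or why the headroom is guaranteed. I would name the constant once (presumably the size of the nf_bridge->hh array, which is not visible here) and use it for both the offset and the length, with a comment such as `/* hh holds the saved MAC header; headroom is guaranteed by the bridge input path — confirm */` recording the assumption. br_dev_queue_push_xmit's body continues past the hunk.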
net/core/netfilter.c
...
@@ -430,7 +430,7 @@ static int nf_queue(struct sk_buff *skb,
...
@@ -430,7 +430,7 @@ static int nf_queue(struct sk_buff *skb,
{
{
int
status
;
int
status
;
struct
nf_info
*
info
;
struct
nf_info
*
info
;
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
struct
net_device
*
physindev
=
NULL
;
struct
net_device
*
physindev
=
NULL
;
struct
net_device
*
physoutdev
=
NULL
;
struct
net_device
*
physoutdev
=
NULL
;
#endif
#endif
...
@@ -467,7 +467,7 @@ static int nf_queue(struct sk_buff *skb,
...
@@ -467,7 +467,7 @@ static int nf_queue(struct sk_buff *skb,
if
(
indev
)
dev_hold
(
indev
);
if
(
indev
)
dev_hold
(
indev
);
if
(
outdev
)
dev_hold
(
outdev
);
if
(
outdev
)
dev_hold
(
outdev
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
if
(
skb
->
nf_bridge
)
{
if
(
skb
->
nf_bridge
)
{
physindev
=
skb
->
nf_bridge
->
physindev
;
physindev
=
skb
->
nf_bridge
->
physindev
;
if
(
physindev
)
dev_hold
(
physindev
);
if
(
physindev
)
dev_hold
(
physindev
);
...
@@ -483,7 +483,7 @@ static int nf_queue(struct sk_buff *skb,
...
@@ -483,7 +483,7 @@ static int nf_queue(struct sk_buff *skb,
/* James M doesn't say fuck enough. */
/* James M doesn't say fuck enough. */
if
(
indev
)
dev_put
(
indev
);
if
(
indev
)
dev_put
(
indev
);
if
(
outdev
)
dev_put
(
outdev
);
if
(
outdev
)
dev_put
(
outdev
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
if
(
physindev
)
dev_put
(
physindev
);
if
(
physindev
)
dev_put
(
physindev
);
if
(
physoutdev
)
dev_put
(
physoutdev
);
if
(
physoutdev
)
dev_put
(
physoutdev
);
#endif
#endif
...
@@ -560,7 +560,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
...
@@ -560,7 +560,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
/* Release those devices we held, or Alexey will kill me. */
/* Release those devices we held, or Alexey will kill me. */
if
(
info
->
indev
)
dev_put
(
info
->
indev
);
if
(
info
->
indev
)
dev_put
(
info
->
indev
);
if
(
info
->
outdev
)
dev_put
(
info
->
outdev
);
if
(
info
->
outdev
)
dev_put
(
info
->
outdev
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
if
(
skb
->
nf_bridge
)
{
if
(
skb
->
nf_bridge
)
{
if
(
skb
->
nf_bridge
->
physindev
)
if
(
skb
->
nf_bridge
->
physindev
)
dev_put
(
skb
->
nf_bridge
->
physindev
);
dev_put
(
skb
->
nf_bridge
->
physindev
);
...
...
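Review bot: In the nf_reinject hunk (`@@ -560`) the device released is `skb->nf_bridge->physindev` as read at reinject time, while nf_queue (`@@ -467`) held whatever `skb->nf_bridge->physindev` pointed to at queue time; the hold and put balance only if nothing on the queue path can change the nf_bridge pointer or its physindev in between, which cannot be verified from these hunks. That assumption should at least be written down at the nf_reinject `if (skb->nf_bridge)`: `/* must mirror the dev_hold in nf_queue: assumes nf_bridge->physindev is unchanged while queued */`. The error path in `@@ -483` releases the local physindev/physoutdev that were held earlier, which is the safer pattern; recording those pointers in nf_info the way indev/outdev already are would let nf_reinject release exactly what was held, independent of the skb's later state. Both nf_queue and nf_reinject extend beyond the hunks shown.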
net/core/skbuff.c
...
@@ -236,7 +236,7 @@ void __kfree_skb(struct sk_buff *skb)
...
@@ -236,7 +236,7 @@ void __kfree_skb(struct sk_buff *skb)
}
}
#ifdef CONFIG_NETFILTER
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
nf_conntrack_put
(
skb
->
nfct
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
nf_bridge_put
(
skb
->
nf_bridge
);
nf_bridge_put
(
skb
->
nf_bridge
);
#endif
#endif
#endif
#endif
...
@@ -301,7 +301,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
...
@@ -301,7 +301,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
C
(
nf_debug
);
C
(
nf_debug
);
#endif
#endif
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
C
(
nf_bridge
);
C
(
nf_bridge
);
nf_bridge_get
(
skb
->
nf_bridge
);
nf_bridge_get
(
skb
->
nf_bridge
);
#endif
#endif
...
@@ -359,7 +359,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
...
@@ -359,7 +359,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
new
->
nf_debug
=
old
->
nf_debug
;
new
->
nf_debug
=
old
->
nf_debug
;
#endif
#endif
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
new
->
nf_bridge
=
old
->
nf_bridge
;
new
->
nf_bridge
=
old
->
nf_bridge
;
nf_bridge_get
(
old
->
nf_bridge
);
nf_bridge_get
(
old
->
nf_bridge
);
#endif
#endif
...
...
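Review bot: The skb_clone and copy_skb_header hunks call `nf_bridge_get(skb->nf_bridge)` and `nf_bridge_get(old->nf_bridge)` without testing for NULL, whereas nf_bridge_put in the include/linux/skbuff.h hunk guards with `nf_bridge && atomic_dec_and_test(...)`; nf_bridge_get is not part of this commit, so if it dereferences unconditionally these paths would fault on any skb that never passed through the bridge. If nf_bridge_get does tolerate NULL, a comment `/* nf_bridge_get() accepts a NULL pointer */` at the first call site would spare the next reader the check. The same unguarded pattern appears in the ip_copy_metadata hunk of net/ipv4/ip_output.c and the ip6_copy_metadata hunk of net/ipv6/ip6_output.c. All three enclosing functions run past the hunks shown.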
net/ipv4/ip_output.c
...
@@ -414,7 +414,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
...
@@ -414,7 +414,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
/* Connection association is same as pre-frag packet */
/* Connection association is same as pre-frag packet */
to
->
nfct
=
from
->
nfct
;
to
->
nfct
=
from
->
nfct
;
nf_conntrack_get
(
to
->
nfct
);
nf_conntrack_get
(
to
->
nfct
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
to
->
nf_bridge
=
from
->
nf_bridge
;
to
->
nf_bridge
=
from
->
nf_bridge
;
nf_bridge_get
(
to
->
nf_bridge
);
nf_bridge_get
(
to
->
nf_bridge
);
#endif
#endif
...
...
net/ipv4/netfilter/Kconfig
...
@@ -292,7 +292,7 @@ config IP_NF_MATCH_OWNER
...
@@ -292,7 +292,7 @@ config IP_NF_MATCH_OWNER
config IP_NF_MATCH_PHYSDEV
config IP_NF_MATCH_PHYSDEV
tristate "Physdev match support"
tristate "Physdev match support"
depends on IP_NF_IPTABLES!=n && BRIDGE
!=n
depends on IP_NF_IPTABLES!=n && BRIDGE
_NETFILTER
help
help
Physdev packet matching matches against the physical bridge ports
Physdev packet matching matches against the physical bridge ports
the IP packet arrived on or will leave by.
the IP packet arrived on or will leave by.
...
...
net/ipv4/netfilter/ipt_LOG.c
...
@@ -333,7 +333,7 @@ ipt_log_target(struct sk_buff **pskb,
...
@@ -333,7 +333,7 @@ ipt_log_target(struct sk_buff **pskb,
loginfo
->
prefix
,
loginfo
->
prefix
,
in
?
in
->
name
:
""
,
in
?
in
->
name
:
""
,
out
?
out
->
name
:
""
);
out
?
out
->
name
:
""
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
if
((
*
pskb
)
->
nf_bridge
)
{
if
((
*
pskb
)
->
nf_bridge
)
{
struct
net_device
*
physindev
=
(
*
pskb
)
->
nf_bridge
->
physindev
;
struct
net_device
*
physindev
=
(
*
pskb
)
->
nf_bridge
->
physindev
;
struct
net_device
*
physoutdev
=
(
*
pskb
)
->
nf_bridge
->
physoutdev
;
struct
net_device
*
physoutdev
=
(
*
pskb
)
->
nf_bridge
->
physoutdev
;
...
...
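Review bot: `physindev` and `physoutdev` are taken straight from `(*pskb)->nf_bridge` with no NULL test, while the nf_queue hunk in net/core/netfilter.c only calls dev_hold on physindev after `if (physindev)`, so either pointer can legitimately be NULL; whatever the rest of the block prints (it runs past the hunk) should guard the way the preceding printk does with `in ? in->name : ""`. If the code below already does that, a comment `/* physindev/physoutdev may be NULL */` at the two declarations would make the contract visible where the values are obtained. ipt_log_target continues outside the hunk.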
net/ipv6/ip6_output.c
...
@@ -876,7 +876,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
...
@@ -876,7 +876,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
/* Connection association is same as pre-frag packet */
/* Connection association is same as pre-frag packet */
to
->
nfct
=
from
->
nfct
;
to
->
nfct
=
from
->
nfct
;
nf_conntrack_get
(
to
->
nfct
);
nf_conntrack_get
(
to
->
nfct
);
#if
defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
#if
def CONFIG_BRIDGE_NETFILTER
to
->
nf_bridge
=
from
->
nf_bridge
;
to
->
nf_bridge
=
from
->
nf_bridge
;
nf_bridge_get
(
to
->
nf_bridge
);
nf_bridge_get
(
to
->
nf_bridge
);
#endif
#endif
...
...