netfilter: nf_tables: add ARP filtering support

This patch registers the ARP family and he filter chain type for this family. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-07 16:53:08 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-14 12:01:03 -0400
commit: ed683f138b3dbc8a5e878e24a0bfa0bb61043a09 (patch)
tree: 86ae7c24eb4d4032f6d5eb4aa175a6c88033ac70
parent: b5bc89bfa0b46de37754610f46c0ef4e2280edb4 (diff)
4 files changed, 108 insertions, 0 deletions
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
index 08a4248a12b5..15d056d534e3 100644
--- a/include/net/netns/nftables.h
+++ b/include/net/netns/nftables.h
@@ -10,6 +10,7 @@ struct netns_nftables {
        struct list_head        commit_list;
        struct nft_af_info      *ipv4;
        struct nft_af_info      *ipv6;
+        struct nft_af_info      *arp;
        struct nft_af_info      *bridge;
        u8                      gencursor;
        u8                      genctr;
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1f37ef67f1ac..40d56073cd19 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -53,6 +53,10 @@ config NFT_CHAIN_NAT_IPV4
        depends on NF_NAT_IPV4 && NFT_NAT
        tristate "IPv4 nf_tables nat chain support"
+config NF_TABLES_ARP
+        depends on NF_TABLES
+        tristate "ARP nf_tables support"
 config IP_NF_IPTABLES
        tristate "IP tables support (required for filtering/masq/NAT)"
        default m if NETFILTER_ADVANCED=n
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 91e0bd71a6d3..19df72b7ba88 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
 obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
+obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
 # generic IP tables 
 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c
new file mode 100644
index 000000000000..3e67ef1c676f
--- /dev/null
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2008-2010 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/netfilter_arp.h>
+#include <net/netfilter/nf_tables.h>
+static struct nft_af_info nft_af_arp __read_mostly = {
+        .family         = NFPROTO_ARP,
+        .nhooks         = NF_ARP_NUMHOOKS,
+        .owner          = THIS_MODULE,
+};
+static int nf_tables_arp_init_net(struct net *net)
+{
+        net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+        if (net->nft.arp== NULL)
+                return -ENOMEM;
+        memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
+        if (nft_register_afinfo(net, net->nft.arp) < 0)
+                goto err;
+        return 0;
+err:
+        kfree(net->nft.arp);
+        return -ENOMEM;
+}
+static void nf_tables_arp_exit_net(struct net *net)
+{
+        nft_unregister_afinfo(net->nft.arp);
+        kfree(net->nft.arp);
+}
+static struct pernet_operations nf_tables_arp_net_ops = {
+        .init   = nf_tables_arp_init_net,
+        .exit   = nf_tables_arp_exit_net,
+};
+static unsigned int
+nft_do_chain_arp(const struct nf_hook_ops *ops,
+                  struct sk_buff *skb,
+                  const struct net_device *in,
+                  const struct net_device *out,
+                  int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+        nft_set_pktinfo(&pkt, ops, skb, in, out);
+        return nft_do_chain_pktinfo(&pkt, ops);
+}
+static struct nf_chain_type filter_arp = {
+        .family         = NFPROTO_ARP,
+        .name           = "filter",
+        .type           = NFT_CHAIN_T_DEFAULT,
+        .hook_mask      = (1 << NF_ARP_IN) |
+                          (1 << NF_ARP_OUT) |
+                          (1 << NF_ARP_FORWARD),
+        .fn             = {
+                [NF_ARP_IN]             = nft_do_chain_arp,
+                [NF_ARP_OUT]            = nft_do_chain_arp,
+                [NF_ARP_FORWARD]        = nft_do_chain_arp,
+        },
+};
+static int __init nf_tables_arp_init(void)
+{
+        int ret;
+        nft_register_chain_type(&filter_arp);
+        ret = register_pernet_subsys(&nf_tables_arp_net_ops);
+        if (ret < 0)
+                nft_unregister_chain_type(&filter_arp);
+        return ret;
+}
+static void __exit nf_tables_arp_exit(void)
+{
+        unregister_pernet_subsys(&nf_tables_arp_net_ops);
+        nft_unregister_chain_type(&filter_arp);
+}
+module_init(nf_tables_arp_init);
+module_exit(nf_tables_arp_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */
author	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-07 16:53:08 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-14 12:01:03 -0400
commit	ed683f138b3dbc8a5e878e24a0bfa0bb61043a09 (patch)
tree	86ae7c24eb4d4032f6d5eb4aa175a6c88033ac70
parent	b5bc89bfa0b46de37754610f46c0ef4e2280edb4 (diff)

diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 08a4248a12b5..15d056d534e3 100644 --- a/include/net/netns/nftables.h +++ b/include/net/netns/nftables.h
@@ -10,6 +10,7 @@ struct netns_nftables {
10	struct list_head commit_list;	10	struct list_head commit_list;
11	struct nft_af_info *ipv4;	11	struct nft_af_info *ipv4;
12	struct nft_af_info *ipv6;	12	struct nft_af_info *ipv6;
		13	struct nft_af_info *arp;
13	struct nft_af_info *bridge;	14	struct nft_af_info *bridge;
14	u8 gencursor;	15	u8 gencursor;
15	u8 genctr;	16	u8 genctr;


diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 1f37ef67f1ac..40d56073cd19 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -53,6 +53,10 @@ config NFT_CHAIN_NAT_IPV4
53	depends on NF_NAT_IPV4 && NFT_NAT	53	depends on NF_NAT_IPV4 && NFT_NAT
54	tristate "IPv4 nf_tables nat chain support"	54	tristate "IPv4 nf_tables nat chain support"
55		55
		56	config NF_TABLES_ARP
		57	depends on NF_TABLES
		58	tristate "ARP nf_tables support"
		59
56	config IP_NF_IPTABLES	60	config IP_NF_IPTABLES
57	tristate "IP tables support (required for filtering/masq/NAT)"	61	tristate "IP tables support (required for filtering/masq/NAT)"
58	default m if NETFILTER_ADVANCED=n	62	default m if NETFILTER_ADVANCED=n


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 91e0bd71a6d3..19df72b7ba88 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
31	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o	31	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
32	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o	32	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
33	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o	33	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
		34	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
34		35
35	# generic IP tables	36	# generic IP tables
36	obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o	37	obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o


diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c new file mode 100644 index 000000000000..3e67ef1c676f --- /dev/null +++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -0,0 +1,102 @@
		1	/*
		2	* Copyright (c) 2008-2010 Patrick McHardy <kaber@trash.net>
		3	* Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*
		9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
		10	*/
		11
		12	#include <linux/module.h>
		13	#include <linux/init.h>
		14	#include <linux/netfilter_arp.h>
		15	#include <net/netfilter/nf_tables.h>
		16
		17	static struct nft_af_info nft_af_arp __read_mostly = {
		18	.family = NFPROTO_ARP,
		19	.nhooks = NF_ARP_NUMHOOKS,
		20	.owner = THIS_MODULE,
		21	};
		22
		23	static int nf_tables_arp_init_net(struct net *net)
		24	{
		25	net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
		26	if (net->nft.arp== NULL)
		27	return -ENOMEM;
		28
		29	memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
		30
		31	if (nft_register_afinfo(net, net->nft.arp) < 0)
		32	goto err;
		33
		34	return 0;
		35	err:
		36	kfree(net->nft.arp);
		37	return -ENOMEM;
		38	}
		39
		40	static void nf_tables_arp_exit_net(struct net *net)
		41	{
		42	nft_unregister_afinfo(net->nft.arp);
		43	kfree(net->nft.arp);
		44	}
		45
		46	static struct pernet_operations nf_tables_arp_net_ops = {
		47	.init = nf_tables_arp_init_net,
		48	.exit = nf_tables_arp_exit_net,
		49	};
		50
		51	static unsigned int
		52	nft_do_chain_arp(const struct nf_hook_ops *ops,
		53	struct sk_buff *skb,
		54	const struct net_device *in,
		55	const struct net_device *out,
		56	int (okfn)(struct sk_buff ))
		57	{
		58	struct nft_pktinfo pkt;
		59
		60	nft_set_pktinfo(&pkt, ops, skb, in, out);
		61
		62	return nft_do_chain_pktinfo(&pkt, ops);
		63	}
		64
		65	static struct nf_chain_type filter_arp = {
		66	.family = NFPROTO_ARP,
		67	.name = "filter",
		68	.type = NFT_CHAIN_T_DEFAULT,
		69	.hook_mask = (1 << NF_ARP_IN) \|
		70	(1 << NF_ARP_OUT) \|
		71	(1 << NF_ARP_FORWARD),
		72	.fn = {
		73	[NF_ARP_IN] = nft_do_chain_arp,
		74	[NF_ARP_OUT] = nft_do_chain_arp,
		75	[NF_ARP_FORWARD] = nft_do_chain_arp,
		76	},
		77	};
		78
		79	static int __init nf_tables_arp_init(void)
		80	{
		81	int ret;
		82
		83	nft_register_chain_type(&filter_arp);
		84	ret = register_pernet_subsys(&nf_tables_arp_net_ops);
		85	if (ret < 0)
		86	nft_unregister_chain_type(&filter_arp);
		87
		88	return ret;
		89	}
		90
		91	static void __exit nf_tables_arp_exit(void)
		92	{
		93	unregister_pernet_subsys(&nf_tables_arp_net_ops);
		94	nft_unregister_chain_type(&filter_arp);
		95	}
		96
		97	module_init(nf_tables_arp_init);
		98	module_exit(nf_tables_arp_exit);
		99
		100	MODULE_LICENSE("GPL");
		101	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		102	MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */