netfilter: nf_tables: add reject module for NFPROTO_INET

Add a reject module for NFPROTO_INET. It does nothing but dispatch to the AF-specific modules based on the hook family. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2014-02-05 10:03:39 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-02-06 03:44:18 -0500
commit: 05513e9e33dbded8124567466a444d32173eecc6 (patch)
tree: 175aafe01f1fe4914577ce67c8fd32ad8e0440a0
parent: cc4723ca316742891954efa346298e7c747c0d17 (diff)
6 files changed, 85 insertions, 6 deletions
diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h
index ecda75945e77..36b0da2d55bb 100644
--- a/include/net/netfilter/nft_reject.h
+++ b/include/net/netfilter/nft_reject.h
@@ -14,4 +14,12 @@ int nft_reject_init(const struct nft_ctx *ctx,
 int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
+void nft_reject_ipv4_eval(const struct nft_expr *expr,
+                          struct nft_data data[NFT_REG_MAX + 1],
+                          const struct nft_pktinfo *pkt);
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
+                          struct nft_data data[NFT_REG_MAX + 1],
+                          const struct nft_pktinfo *pkt);
 #endif
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index e935d8de1182..e79718a382f2 100644
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -20,9 +20,9 @@
 #include <net/netfilter/ipv4/nf_reject.h>
 #include <net/netfilter/nft_reject.h>
-static void nft_reject_ipv4_eval(const struct nft_expr *expr,
+void nft_reject_ipv4_eval(const struct nft_expr *expr,
-                                 struct nft_data data[NFT_REG_MAX + 1],
+                          struct nft_data data[NFT_REG_MAX + 1],
-                                 const struct nft_pktinfo *pkt)
+                          const struct nft_pktinfo *pkt)
 {
        struct nft_reject *priv = nft_expr_priv(expr);
@@ -37,6 +37,7 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
        data[NFT_REG_VERDICT].verdict = NF_DROP;
 }
+EXPORT_SYMBOL_GPL(nft_reject_ipv4_eval);
 static struct nft_expr_type nft_reject_ipv4_type;
 static const struct nft_expr_ops nft_reject_ipv4_ops = {
diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c
index f73285924144..0bc19fa87821 100644
--- a/net/ipv6/netfilter/nft_reject_ipv6.c
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -19,9 +19,9 @@
 #include <net/netfilter/nft_reject.h>
 #include <net/netfilter/ipv6/nf_reject.h>
-static void nft_reject_ipv6_eval(const struct nft_expr *expr,
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
-                                 struct nft_data data[NFT_REG_MAX + 1],
+                          struct nft_data data[NFT_REG_MAX + 1],
-                                 const struct nft_pktinfo *pkt)
+                          const struct nft_pktinfo *pkt)
 {
        struct nft_reject *priv = nft_expr_priv(expr);
        struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
@@ -38,6 +38,7 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
        data[NFT_REG_VERDICT].verdict = NF_DROP;
 }
+EXPORT_SYMBOL_GPL(nft_reject_ipv6_eval);
 static struct nft_expr_type nft_reject_ipv6_type;
 static const struct nft_expr_ops nft_reject_ipv6_ops = {
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ed8b50e62276..e9410d17619d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -520,6 +520,11 @@ config NFT_REJECT
          explicitly deny and notify via TCP reset/ICMP informational errors
          unallowed traffic.
+config NFT_REJECT_INET
+        depends on NF_TABLES_INET
+        default NFT_REJECT
+        tristate
 config NFT_COMPAT
        depends on NF_TABLES
        depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ee9c4de5f8ed..bffdad774da7 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -79,6 +79,7 @@ obj-$(CONFIG_NFT_LIMIT)		+= nft_limit.o
 obj-$(CONFIG_NFT_NAT)           += nft_nat.o
 obj-$(CONFIG_NFT_QUEUE)         += nft_queue.o
 obj-$(CONFIG_NFT_REJECT)        += nft_reject.o
+obj-$(CONFIG_NFT_REJECT_INET)   += nft_reject_inet.o
 obj-$(CONFIG_NFT_RBTREE)        += nft_rbtree.o
 obj-$(CONFIG_NFT_HASH)          += nft_hash.o
 obj-$(CONFIG_NFT_COUNTER)       += nft_counter.o
diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c
new file mode 100644
index 000000000000..8a310f239c93
--- /dev/null
+++ b/net/netfilter/nft_reject_inet.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2014 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_reject.h>
+static void nft_reject_inet_eval(const struct nft_expr *expr,
+                                 struct nft_data data[NFT_REG_MAX + 1],
+                                 const struct nft_pktinfo *pkt)
+{
+        switch (pkt->ops->pf) {
+        case NFPROTO_IPV4:
+                nft_reject_ipv4_eval(expr, data, pkt);
+        case NFPROTO_IPV6:
+                nft_reject_ipv6_eval(expr, data, pkt);
+        }
+}
+static struct nft_expr_type nft_reject_inet_type;
+static const struct nft_expr_ops nft_reject_inet_ops = {
+        .type           = &nft_reject_inet_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+        .eval           = nft_reject_inet_eval,
+        .init           = nft_reject_init,
+        .dump           = nft_reject_dump,
+};
+static struct nft_expr_type nft_reject_inet_type __read_mostly = {
+        .family         = NFPROTO_INET,
+        .name           = "reject",
+        .ops            = &nft_reject_inet_ops,
+        .policy         = nft_reject_policy,
+        .maxattr        = NFTA_REJECT_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_reject_inet_module_init(void)
+{
+        return nft_register_expr(&nft_reject_inet_type);
+}
+static void __exit nft_reject_inet_module_exit(void)
+{
+        nft_unregister_expr(&nft_reject_inet_type);
+}
+module_init(nft_reject_inet_module_init);
+module_exit(nft_reject_inet_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_AF_EXPR(1, "reject");
author	Patrick McHardy <kaber@trash.net>	2014-02-05 10:03:39 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-02-06 03:44:18 -0500
commit	05513e9e33dbded8124567466a444d32173eecc6 (patch)
tree	175aafe01f1fe4914577ce67c8fd32ad8e0440a0
parent	cc4723ca316742891954efa346298e7c747c0d17 (diff)

diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h index ecda75945e77..36b0da2d55bb 100644 --- a/include/net/netfilter/nft_reject.h +++ b/include/net/netfilter/nft_reject.h
@@ -14,4 +14,12 @@ int nft_reject_init(const struct nft_ctx *ctx,
14		14
15	int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr);	15	int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr);
16		16
		17	void nft_reject_ipv4_eval(const struct nft_expr *expr,
		18	struct nft_data data[NFT_REG_MAX + 1],
		19	const struct nft_pktinfo *pkt);
		20
		21	void nft_reject_ipv6_eval(const struct nft_expr *expr,
		22	struct nft_data data[NFT_REG_MAX + 1],
		23	const struct nft_pktinfo *pkt);
		24
17	#endif	25	#endif


diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c index e935d8de1182..e79718a382f2 100644 --- a/net/ipv4/netfilter/nft_reject_ipv4.c +++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -20,9 +20,9 @@
20	#include <net/netfilter/ipv4/nf_reject.h>	20	#include <net/netfilter/ipv4/nf_reject.h>
21	#include <net/netfilter/nft_reject.h>	21	#include <net/netfilter/nft_reject.h>
22		22
23	static void nft_reject_ipv4_eval(const struct nft_expr *expr,	23	void nft_reject_ipv4_eval(const struct nft_expr *expr,
24	struct nft_data data[NFT_REG_MAX + 1],	24	struct nft_data data[NFT_REG_MAX + 1],
25	const struct nft_pktinfo *pkt)	25	const struct nft_pktinfo *pkt)
26	{	26	{
27	struct nft_reject *priv = nft_expr_priv(expr);	27	struct nft_reject *priv = nft_expr_priv(expr);
28		28
@@ -37,6 +37,7 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
37		37
38	data[NFT_REG_VERDICT].verdict = NF_DROP;	38	data[NFT_REG_VERDICT].verdict = NF_DROP;
39	}	39	}
		40	EXPORT_SYMBOL_GPL(nft_reject_ipv4_eval);
40		41
41	static struct nft_expr_type nft_reject_ipv4_type;	42	static struct nft_expr_type nft_reject_ipv4_type;
42	static const struct nft_expr_ops nft_reject_ipv4_ops = {	43	static const struct nft_expr_ops nft_reject_ipv4_ops = {


diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c index f73285924144..0bc19fa87821 100644 --- a/net/ipv6/netfilter/nft_reject_ipv6.c +++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -19,9 +19,9 @@
19	#include <net/netfilter/nft_reject.h>	19	#include <net/netfilter/nft_reject.h>
20	#include <net/netfilter/ipv6/nf_reject.h>	20	#include <net/netfilter/ipv6/nf_reject.h>
21		21
22	static void nft_reject_ipv6_eval(const struct nft_expr *expr,	22	void nft_reject_ipv6_eval(const struct nft_expr *expr,
23	struct nft_data data[NFT_REG_MAX + 1],	23	struct nft_data data[NFT_REG_MAX + 1],
24	const struct nft_pktinfo *pkt)	24	const struct nft_pktinfo *pkt)
25	{	25	{
26	struct nft_reject *priv = nft_expr_priv(expr);	26	struct nft_reject *priv = nft_expr_priv(expr);
27	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);	27	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
@@ -38,6 +38,7 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
38		38
39	data[NFT_REG_VERDICT].verdict = NF_DROP;	39	data[NFT_REG_VERDICT].verdict = NF_DROP;
40	}	40	}
		41	EXPORT_SYMBOL_GPL(nft_reject_ipv6_eval);
41		42
42	static struct nft_expr_type nft_reject_ipv6_type;	43	static struct nft_expr_type nft_reject_ipv6_type;
43	static const struct nft_expr_ops nft_reject_ipv6_ops = {	44	static const struct nft_expr_ops nft_reject_ipv6_ops = {


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ed8b50e62276..e9410d17619d 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -520,6 +520,11 @@ config NFT_REJECT
520	explicitly deny and notify via TCP reset/ICMP informational errors	520	explicitly deny and notify via TCP reset/ICMP informational errors
521	unallowed traffic.	521	unallowed traffic.
522		522
		523	config NFT_REJECT_INET
		524	depends on NF_TABLES_INET
		525	default NFT_REJECT
		526	tristate
		527
523	config NFT_COMPAT	528	config NFT_COMPAT
524	depends on NF_TABLES	529	depends on NF_TABLES
525	depends on NETFILTER_XTABLES	530	depends on NETFILTER_XTABLES


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index ee9c4de5f8ed..bffdad774da7 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -79,6 +79,7 @@ obj-$(CONFIG_NFT_LIMIT) += nft_limit.o
79	obj-$(CONFIG_NFT_NAT) += nft_nat.o	79	obj-$(CONFIG_NFT_NAT) += nft_nat.o
80	obj-$(CONFIG_NFT_QUEUE) += nft_queue.o	80	obj-$(CONFIG_NFT_QUEUE) += nft_queue.o
81	obj-$(CONFIG_NFT_REJECT) += nft_reject.o	81	obj-$(CONFIG_NFT_REJECT) += nft_reject.o
		82	obj-$(CONFIG_NFT_REJECT_INET) += nft_reject_inet.o
82	obj-$(CONFIG_NFT_RBTREE) += nft_rbtree.o	83	obj-$(CONFIG_NFT_RBTREE) += nft_rbtree.o
83	obj-$(CONFIG_NFT_HASH) += nft_hash.o	84	obj-$(CONFIG_NFT_HASH) += nft_hash.o
84	obj-$(CONFIG_NFT_COUNTER) += nft_counter.o	85	obj-$(CONFIG_NFT_COUNTER) += nft_counter.o


diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c new file mode 100644 index 000000000000..8a310f239c93 --- /dev/null +++ b/net/netfilter/nft_reject_inet.c
@@ -0,0 +1,63 @@
		1	/*
		2	* Copyright (c) 2014 Patrick McHardy <kaber@trash.net>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/kernel.h>
		10	#include <linux/init.h>
		11	#include <linux/module.h>
		12	#include <linux/netlink.h>
		13	#include <linux/netfilter.h>
		14	#include <linux/netfilter/nf_tables.h>
		15	#include <net/netfilter/nf_tables.h>
		16	#include <net/netfilter/nft_reject.h>
		17
		18	static void nft_reject_inet_eval(const struct nft_expr *expr,
		19	struct nft_data data[NFT_REG_MAX + 1],
		20	const struct nft_pktinfo *pkt)
		21	{
		22	switch (pkt->ops->pf) {
		23	case NFPROTO_IPV4:
		24	nft_reject_ipv4_eval(expr, data, pkt);
		25	case NFPROTO_IPV6:
		26	nft_reject_ipv6_eval(expr, data, pkt);
		27	}
		28	}
		29
		30	static struct nft_expr_type nft_reject_inet_type;
		31	static const struct nft_expr_ops nft_reject_inet_ops = {
		32	.type = &nft_reject_inet_type,
		33	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
		34	.eval = nft_reject_inet_eval,
		35	.init = nft_reject_init,
		36	.dump = nft_reject_dump,
		37	};
		38
		39	static struct nft_expr_type nft_reject_inet_type __read_mostly = {
		40	.family = NFPROTO_INET,
		41	.name = "reject",
		42	.ops = &nft_reject_inet_ops,
		43	.policy = nft_reject_policy,
		44	.maxattr = NFTA_REJECT_MAX,
		45	.owner = THIS_MODULE,
		46	};
		47
		48	static int __init nft_reject_inet_module_init(void)
		49	{
		50	return nft_register_expr(&nft_reject_inet_type);
		51	}
		52
		53	static void __exit nft_reject_inet_module_exit(void)
		54	{
		55	nft_unregister_expr(&nft_reject_inet_type);
		56	}
		57
		58	module_init(nft_reject_inet_module_init);
		59	module_exit(nft_reject_inet_module_exit);
		60
		61	MODULE_LICENSE("GPL");
		62	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		63	MODULE_ALIAS_NFT_AF_EXPR(1, "reject");