author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-07-26 20:48:59 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-07-26 20:48:59 -0400 |
commit | 3918fed5f31213067c1c345bd904e1ea369e6819 (patch) | |
tree | 81148af4b7f53f32e4cfcee8f731eb3ec1382597 | |
parent | f858b4869a9136dd28cc2ab37f8b89268cc99462 (diff) |
netfilter: arptables in netns for real
IN and FORWARD hooks take the netns from the in device; the OUT hook takes it from the out device.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/arptable_filter.c | 39 |
1 files changed, 30 insertions, 9 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c index 3be4d07e7ed9..082f5dd3156c 100644 --- a/net/ipv4/netfilter/arptable_filter.c +++ b/net/ipv4/netfilter/arptable_filter.c | |||
@@ -55,32 +55,53 @@ static struct xt_table packet_filter = { | |||
55 | }; | 55 | }; |
56 | 56 | ||
57 | /* The work comes in here from netfilter.c */ | 57 | /* The work comes in here from netfilter.c */ |
58 | static unsigned int arpt_hook(unsigned int hook, | 58 | static unsigned int arpt_in_hook(unsigned int hook, |
59 | struct sk_buff *skb, | 59 | struct sk_buff *skb, |
60 | const struct net_device *in, | 60 | const struct net_device *in, |
61 | const struct net_device *out, | 61 | const struct net_device *out, |
62 | int (*okfn)(struct sk_buff *)) | 62 | int (*okfn)(struct sk_buff *)) |
63 | { | 63 | { |
64 | return arpt_do_table(skb, hook, in, out, init_net.ipv4.arptable_filter); | 64 | return arpt_do_table(skb, hook, in, out, |
65 | dev_net(in)->ipv4.arptable_filter); | ||
66 | } | ||
67 | |||
68 | static unsigned int arpt_out_hook(unsigned int hook, | ||
69 | struct sk_buff *skb, | ||
70 | const struct net_device *in, | ||
71 | const struct net_device *out, | ||
72 | int (*okfn)(struct sk_buff *)) | ||
73 | { | ||
74 | return arpt_do_table(skb, hook, in, out, | ||
75 | dev_net(out)->ipv4.arptable_filter); | ||
76 | } | ||
77 | |||
78 | static unsigned int arpt_forward_hook(unsigned int hook, | ||
79 | struct sk_buff *skb, | ||
80 | const struct net_device *in, | ||
81 | const struct net_device *out, | ||
82 | int (*okfn)(struct sk_buff *)) | ||
83 | { | ||
84 | return arpt_do_table(skb, hook, in, out, | ||
85 | dev_net(in)->ipv4.arptable_filter); | ||
65 | } | 86 | } |
66 | 87 | ||
67 | static struct nf_hook_ops arpt_ops[] __read_mostly = { | 88 | static struct nf_hook_ops arpt_ops[] __read_mostly = { |
68 | { | 89 | { |
69 | .hook = arpt_hook, | 90 | .hook = arpt_in_hook, |
70 | .owner = THIS_MODULE, | 91 | .owner = THIS_MODULE, |
71 | .pf = NF_ARP, | 92 | .pf = NF_ARP, |
72 | .hooknum = NF_ARP_IN, | 93 | .hooknum = NF_ARP_IN, |
73 | .priority = NF_IP_PRI_FILTER, | 94 | .priority = NF_IP_PRI_FILTER, |
74 | }, | 95 | }, |
75 | { | 96 | { |
76 | .hook = arpt_hook, | 97 | .hook = arpt_out_hook, |
77 | .owner = THIS_MODULE, | 98 | .owner = THIS_MODULE, |
78 | .pf = NF_ARP, | 99 | .pf = NF_ARP, |
79 | .hooknum = NF_ARP_OUT, | 100 | .hooknum = NF_ARP_OUT, |
80 | .priority = NF_IP_PRI_FILTER, | 101 | .priority = NF_IP_PRI_FILTER, |
81 | }, | 102 | }, |
82 | { | 103 | { |
83 | .hook = arpt_hook, | 104 | .hook = arpt_forward_hook, |
84 | .owner = THIS_MODULE, | 105 | .owner = THIS_MODULE, |
85 | .pf = NF_ARP, | 106 | .pf = NF_ARP, |
86 | .hooknum = NF_ARP_FORWARD, | 107 | .hooknum = NF_ARP_FORWARD, |
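Review bot: The three new hooks dereference `in` (new lines 65 and 85) or `out` (new line 75) with no NULL check, and nothing in the hunk records the assumption this rests on — that the chosen device is always set for that hooknum (`in` for the NF_ARP_IN and NF_ARP_FORWARD entries, `out` for NF_ARP_OUT), while the other device may well be NULL; that is inferred from the hook registrations, not shown here, so it deserves a comment at the definitions, e.g. above `arpt_in_hook`: `/* The table is taken from the netns of the device this hooknum is invoked with: in for NF_ARP_IN and NF_ARP_FORWARD, out for NF_ARP_OUT; the other device is not relied on. */`. `arpt_forward_hook` is textually identical to `arpt_in_hook` (both use `dev_net(in)`), so the FORWARD entry could simply use `.hook = arpt_in_hook,` and the duplicate be dropped, unless a distinct symbol is wanted for later divergence — presumably the intent, but worth stating. The `arpt_ops[]` initializer that begins at new line 88 runs past the end of the hunk, and the diffstat (30 insertions, 9 deletions) against the 26/5 visible here indicates a further hunk of this file that is not shown.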