aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlexey Dobriyan <adobriyan@gmail.com>2008-07-26 20:48:59 -0400
committerDavid S. Miller <davem@davemloft.net>2008-07-26 20:48:59 -0400
commit3918fed5f31213067c1c345bd904e1ea369e6819 (patch)
tree81148af4b7f53f32e4cfcee8f731eb3ec1382597
parentf858b4869a9136dd28cc2ab37f8b89268cc99462 (diff)
netfilter: arptables in netns for real
IN, FORWARD -- grab netns from in device, OUT -- from out device. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/arptable_filter.c39
1 files changed, 30 insertions, 9 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 3be4d07e7ed9..082f5dd3156c 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -55,32 +55,53 @@ static struct xt_table packet_filter = {
55}; 55};
56 56
57/* The work comes in here from netfilter.c */ 57/* The work comes in here from netfilter.c */
58static unsigned int arpt_hook(unsigned int hook, 58static unsigned int arpt_in_hook(unsigned int hook,
59 struct sk_buff *skb, 59 struct sk_buff *skb,
60 const struct net_device *in, 60 const struct net_device *in,
61 const struct net_device *out, 61 const struct net_device *out,
62 int (*okfn)(struct sk_buff *)) 62 int (*okfn)(struct sk_buff *))
63{ 63{
64 return arpt_do_table(skb, hook, in, out, init_net.ipv4.arptable_filter); 64 return arpt_do_table(skb, hook, in, out,
65 dev_net(in)->ipv4.arptable_filter);
66}
67
68static unsigned int arpt_out_hook(unsigned int hook,
69 struct sk_buff *skb,
70 const struct net_device *in,
71 const struct net_device *out,
72 int (*okfn)(struct sk_buff *))
73{
74 return arpt_do_table(skb, hook, in, out,
75 dev_net(out)->ipv4.arptable_filter);
76}
77
78static unsigned int arpt_forward_hook(unsigned int hook,
79 struct sk_buff *skb,
80 const struct net_device *in,
81 const struct net_device *out,
82 int (*okfn)(struct sk_buff *))
83{
84 return arpt_do_table(skb, hook, in, out,
85 dev_net(in)->ipv4.arptable_filter);
65} 86}
66 87
67static struct nf_hook_ops arpt_ops[] __read_mostly = { 88static struct nf_hook_ops arpt_ops[] __read_mostly = {
68 { 89 {
69 .hook = arpt_hook, 90 .hook = arpt_in_hook,
70 .owner = THIS_MODULE, 91 .owner = THIS_MODULE,
71 .pf = NF_ARP, 92 .pf = NF_ARP,
72 .hooknum = NF_ARP_IN, 93 .hooknum = NF_ARP_IN,
73 .priority = NF_IP_PRI_FILTER, 94 .priority = NF_IP_PRI_FILTER,
74 }, 95 },
75 { 96 {
76 .hook = arpt_hook, 97 .hook = arpt_out_hook,
77 .owner = THIS_MODULE, 98 .owner = THIS_MODULE,
78 .pf = NF_ARP, 99 .pf = NF_ARP,
79 .hooknum = NF_ARP_OUT, 100 .hooknum = NF_ARP_OUT,
80 .priority = NF_IP_PRI_FILTER, 101 .priority = NF_IP_PRI_FILTER,
81 }, 102 },
82 { 103 {
83 .hook = arpt_hook, 104 .hook = arpt_forward_hook,
84 .owner = THIS_MODULE, 105 .owner = THIS_MODULE,
85 .pf = NF_ARP, 106 .pf = NF_ARP,
86 .hooknum = NF_ARP_FORWARD, 107 .hooknum = NF_ARP_FORWARD,