diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-02 05:13:21 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-02 12:30:57 -0400 |
| commit | 4b7fd5d97ee6e599247b4a55122ca6ba80c8148d (patch) | |
| tree | f79ecdd32fb619bcf982dcb493997f2285311a92 | |
| parent | 36d2af5998258344993dd43729997a7a3baa9d99 (diff) | |
netfilter: explicit module dependency between br_netfilter and physdev
You can use physdev to match the physical interface enslaved to the
bridge device. This information is stored in skb->nf_bridge and it is
set up by br_netfilter. So, this is only available when iptables is
used from the bridge netfilter path.
Since 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the br_netfilter code is modular. To reduce the impact of this change,
we can autoload the br_netfilter if the physdev match is used since
we assume that the users need br_netfilter in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | include/net/netfilter/br_netfilter.h | 6 | ||||
| -rw-r--r-- | net/bridge/br_netfilter.c | 5 | ||||
| -rw-r--r-- | net/netfilter/xt_physdev.c | 3 |
3 files changed, 14 insertions, 0 deletions
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h new file mode 100644 index 000000000000..2aa6048a55c1 --- /dev/null +++ b/include/net/netfilter/br_netfilter.h | |||
| @@ -0,0 +1,6 @@ | |||
| 1 | #ifndef _BR_NETFILTER_H_ | ||
| 2 | #define _BR_NETFILTER_H_ | ||
| 3 | |||
| 4 | void br_netfilter_enable(void); | ||
| 5 | |||
| 6 | #endif /* _BR_NETFILTER_H_ */ | ||
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 97e43937aaca..fa1270cc5086 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
| @@ -856,6 +856,11 @@ static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops, | |||
| 856 | return NF_ACCEPT; | 856 | return NF_ACCEPT; |
| 857 | } | 857 | } |
| 858 | 858 | ||
| 859 | void br_netfilter_enable(void) | ||
| 860 | { | ||
| 861 | } | ||
| 862 | EXPORT_SYMBOL_GPL(br_netfilter_enable); | ||
| 863 | |||
| 859 | /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because | 864 | /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because |
| 860 | * br_dev_queue_push_xmit is called afterwards */ | 865 | * br_dev_queue_push_xmit is called afterwards */ |
| 861 | static struct nf_hook_ops br_nf_ops[] __read_mostly = { | 866 | static struct nf_hook_ops br_nf_ops[] __read_mostly = { |
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index d7ca16b8b8df..f440f57a452f 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c | |||
| @@ -13,6 +13,7 @@ | |||
| 13 | #include <linux/netfilter_bridge.h> | 13 | #include <linux/netfilter_bridge.h> |
| 14 | #include <linux/netfilter/xt_physdev.h> | 14 | #include <linux/netfilter/xt_physdev.h> |
| 15 | #include <linux/netfilter/x_tables.h> | 15 | #include <linux/netfilter/x_tables.h> |
| 16 | #include <net/netfilter/br_netfilter.h> | ||
| 16 | 17 | ||
| 17 | MODULE_LICENSE("GPL"); | 18 | MODULE_LICENSE("GPL"); |
| 18 | MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); | 19 | MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); |
| @@ -87,6 +88,8 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) | |||
| 87 | { | 88 | { |
| 88 | const struct xt_physdev_info *info = par->matchinfo; | 89 | const struct xt_physdev_info *info = par->matchinfo; |
| 89 | 90 | ||
| 91 | br_netfilter_enable(); | ||
| 92 | |||
| 90 | if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || | 93 | if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || |
| 91 | info->bitmask & ~XT_PHYSDEV_OP_MASK) | 94 | info->bitmask & ~XT_PHYSDEV_OP_MASK) |
| 92 | return -EINVAL; | 95 | return -EINVAL; |