netfilter: bridge: nf_tables: add filter chain type

This patch adds the filter chain type which is required to create filter chains in the bridge family from userspace. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-28 12:58:07 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-28 13:07:35 -0400
commit: 46413825a7e697109028738eede2191900ec848f (patch)
tree: d07d2f965fdb696fb530528e9468346d1a4f759a /net/bridge
parent: 98c37b6b01812d331db4d49cacd603891d0d53ba (diff)
1 files changed, 39 insertions, 2 deletions
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index e8cb016fa34d..cf54b22818c8 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -47,14 +48,50 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
        .exit   = nf_tables_bridge_exit_net,
 };
+static unsigned int
+nft_do_chain_bridge(const struct nf_hook_ops *ops,
+                    struct sk_buff *skb,
+                    const struct net_device *in,
+                    const struct net_device *out,
+                    int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+        nft_set_pktinfo(&pkt, ops, skb, in, out);
+        return nft_do_chain_pktinfo(&pkt, ops);
+}
+static struct nf_chain_type filter_bridge = {
+        .family         = NFPROTO_BRIDGE,
+        .name           = "filter",
+        .type           = NFT_CHAIN_T_DEFAULT,
+        .hook_mask      = (1 << NF_BR_LOCAL_IN) |
+                          (1 << NF_BR_FORWARD) |
+                          (1 << NF_BR_LOCAL_OUT),
+        .fn             = {
+                [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
+                [NF_BR_FORWARD]         = nft_do_chain_bridge,
+                [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
+        },
+};
 static int __init nf_tables_bridge_init(void)
 {
-        return register_pernet_subsys(&nf_tables_bridge_net_ops);
+        int ret;
+        nft_register_chain_type(&filter_bridge);
+        ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
+        if (ret < 0)
+                nft_unregister_chain_type(&filter_bridge);
+        return ret;
 }
 static void __exit nf_tables_bridge_exit(void)
 {
-        return unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+        unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+        nft_unregister_chain_type(&filter_bridge);
 }
 module_init(nf_tables_bridge_init);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-28 12:58:07 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-28 13:07:35 -0400
commit	46413825a7e697109028738eede2191900ec848f (patch)
tree	d07d2f965fdb696fb530528e9468346d1a4f759a /net/bridge
parent	98c37b6b01812d331db4d49cacd603891d0d53ba (diff)

diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c index e8cb016fa34d..cf54b22818c8 100644 --- a/net/bridge/netfilter/nf_tables_bridge.c +++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -1,5 +1,6 @@
1	/*	1	/*
2	* Copyright (c) 2008 Patrick McHardy <kaber@trash.net>	2	* Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
		3	* Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
3	*	4	*
4	* This program is free software; you can redistribute it and/or modify	5	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License version 2 as	6	* it under the terms of the GNU General Public License version 2 as
@@ -47,14 +48,50 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
47	.exit = nf_tables_bridge_exit_net,	48	.exit = nf_tables_bridge_exit_net,
48	};	49	};
49		50
		51	static unsigned int
		52	nft_do_chain_bridge(const struct nf_hook_ops *ops,
		53	struct sk_buff *skb,
		54	const struct net_device *in,
		55	const struct net_device *out,
		56	int (okfn)(struct sk_buff ))
		57	{
		58	struct nft_pktinfo pkt;
		59
		60	nft_set_pktinfo(&pkt, ops, skb, in, out);
		61
		62	return nft_do_chain_pktinfo(&pkt, ops);
		63	}
		64
		65	static struct nf_chain_type filter_bridge = {
		66	.family = NFPROTO_BRIDGE,
		67	.name = "filter",
		68	.type = NFT_CHAIN_T_DEFAULT,
		69	.hook_mask = (1 << NF_BR_LOCAL_IN) \|
		70	(1 << NF_BR_FORWARD) \|
		71	(1 << NF_BR_LOCAL_OUT),
		72	.fn = {
		73	[NF_BR_LOCAL_IN] = nft_do_chain_bridge,
		74	[NF_BR_FORWARD] = nft_do_chain_bridge,
		75	[NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
		76	},
		77	};
		78
50	static int __init nf_tables_bridge_init(void)	79	static int __init nf_tables_bridge_init(void)
51	{	80	{
52	return register_pernet_subsys(&nf_tables_bridge_net_ops);	81	int ret;
		82
		83	nft_register_chain_type(&filter_bridge);
		84	ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
		85	if (ret < 0)
		86	nft_unregister_chain_type(&filter_bridge);
		87
		88	return ret;
53	}	89	}
54		90
55	static void __exit nf_tables_bridge_exit(void)	91	static void __exit nf_tables_bridge_exit(void)
56	{	92	{
57	return unregister_pernet_subsys(&nf_tables_bridge_net_ops);	93	unregister_pernet_subsys(&nf_tables_bridge_net_ops);
		94	nft_unregister_chain_type(&filter_bridge);
58	}	95	}
59		96
60	module_init(nf_tables_bridge_init);	97	module_init(nf_tables_bridge_init);