diff options
| author | Patrick McHardy <kaber@trash.net> | 2014-02-05 10:03:38 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-06 03:44:10 -0500 |
| commit | cc4723ca316742891954efa346298e7c747c0d17 (patch) | |
| tree | 998eae9bbf8de6eeeb75c633921b8ab2e28cc258 /net/ipv4 | |
| parent | 64d46806b6218c97f68742c5663a8ae3a5fbe838 (diff) | |
netfilter: nft_reject: split up reject module into IPv4 and IPv6 specifc parts
Currently the nft_reject module depends on symbols from ipv6. This is
wrong since no generic module should force IPv6 support to be loaded.
Split up the module into AF-specific and a generic part.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/Kconfig | 5 | ||||
| -rw-r--r-- | net/ipv4/netfilter/Makefile | 1 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nft_reject_ipv4.c | 74 |
3 files changed, 80 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 81c6910cfa92..a26ce035e3fa 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
| @@ -61,6 +61,11 @@ config NFT_CHAIN_NAT_IPV4 | |||
| 61 | packet transformations such as the source, destination address and | 61 | packet transformations such as the source, destination address and |
| 62 | source and destination ports. | 62 | source and destination ports. |
| 63 | 63 | ||
| 64 | config NFT_REJECT_IPV4 | ||
| 65 | depends on NF_TABLES_IPV4 | ||
| 66 | default NFT_REJECT | ||
| 67 | tristate | ||
| 68 | |||
| 64 | config NF_TABLES_ARP | 69 | config NF_TABLES_ARP |
| 65 | depends on NF_TABLES | 70 | depends on NF_TABLES |
| 66 | tristate "ARP nf_tables support" | 71 | tristate "ARP nf_tables support" |
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index c16be9d58420..90b82405331e 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
| @@ -30,6 +30,7 @@ obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o | |||
| 30 | obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o | 30 | obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o |
| 31 | obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o | 31 | obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o |
| 32 | obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o | 32 | obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o |
| 33 | obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o | ||
| 33 | obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o | 34 | obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o |
| 34 | 35 | ||
| 35 | # generic IP tables | 36 | # generic IP tables |
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c new file mode 100644 index 000000000000..e935d8de1182 --- /dev/null +++ b/net/ipv4/netfilter/nft_reject_ipv4.c | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | /* | ||
| 2 | * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net> | ||
| 3 | * Copyright (c) 2013 Eric Leblond <eric@regit.org> | ||
| 4 | * | ||
| 5 | * This program is free software; you can redistribute it and/or modify | ||
| 6 | * it under the terms of the GNU General Public License version 2 as | ||
| 7 | * published by the Free Software Foundation. | ||
| 8 | * | ||
| 9 | * Development of this code funded by Astaro AG (http://www.astaro.com/) | ||
| 10 | */ | ||
| 11 | |||
| 12 | #include <linux/kernel.h> | ||
| 13 | #include <linux/init.h> | ||
| 14 | #include <linux/module.h> | ||
| 15 | #include <linux/netlink.h> | ||
| 16 | #include <linux/netfilter.h> | ||
| 17 | #include <linux/netfilter/nf_tables.h> | ||
| 18 | #include <net/netfilter/nf_tables.h> | ||
| 19 | #include <net/icmp.h> | ||
| 20 | #include <net/netfilter/ipv4/nf_reject.h> | ||
| 21 | #include <net/netfilter/nft_reject.h> | ||
| 22 | |||
| 23 | static void nft_reject_ipv4_eval(const struct nft_expr *expr, | ||
| 24 | struct nft_data data[NFT_REG_MAX + 1], | ||
| 25 | const struct nft_pktinfo *pkt) | ||
| 26 | { | ||
| 27 | struct nft_reject *priv = nft_expr_priv(expr); | ||
| 28 | |||
| 29 | switch (priv->type) { | ||
| 30 | case NFT_REJECT_ICMP_UNREACH: | ||
| 31 | nf_send_unreach(pkt->skb, priv->icmp_code); | ||
| 32 | break; | ||
| 33 | case NFT_REJECT_TCP_RST: | ||
| 34 | nf_send_reset(pkt->skb, pkt->ops->hooknum); | ||
| 35 | break; | ||
| 36 | } | ||
| 37 | |||
| 38 | data[NFT_REG_VERDICT].verdict = NF_DROP; | ||
| 39 | } | ||
| 40 | |||
| 41 | static struct nft_expr_type nft_reject_ipv4_type; | ||
| 42 | static const struct nft_expr_ops nft_reject_ipv4_ops = { | ||
| 43 | .type = &nft_reject_ipv4_type, | ||
| 44 | .size = NFT_EXPR_SIZE(sizeof(struct nft_reject)), | ||
| 45 | .eval = nft_reject_ipv4_eval, | ||
| 46 | .init = nft_reject_init, | ||
| 47 | .dump = nft_reject_dump, | ||
| 48 | }; | ||
| 49 | |||
| 50 | static struct nft_expr_type nft_reject_ipv4_type __read_mostly = { | ||
| 51 | .family = NFPROTO_IPV4, | ||
| 52 | .name = "reject", | ||
| 53 | .ops = &nft_reject_ipv4_ops, | ||
| 54 | .policy = nft_reject_policy, | ||
| 55 | .maxattr = NFTA_REJECT_MAX, | ||
| 56 | .owner = THIS_MODULE, | ||
| 57 | }; | ||
| 58 | |||
| 59 | static int __init nft_reject_ipv4_module_init(void) | ||
| 60 | { | ||
| 61 | return nft_register_expr(&nft_reject_ipv4_type); | ||
| 62 | } | ||
| 63 | |||
| 64 | static void __exit nft_reject_ipv4_module_exit(void) | ||
| 65 | { | ||
| 66 | nft_unregister_expr(&nft_reject_ipv4_type); | ||
| 67 | } | ||
| 68 | |||
| 69 | module_init(nft_reject_ipv4_module_init); | ||
| 70 | module_exit(nft_reject_ipv4_module_exit); | ||
| 71 | |||
| 72 | MODULE_LICENSE("GPL"); | ||
| 73 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | ||
| 74 | MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject"); | ||