Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 94276fa8 authored Aug 03, 2018 by Máté Eckl Committed by Pablo Neira Ayuso Aug 03, 2018

netfilter: bridge: Expose nf_tables bridge hook priorities through uapi



Netfilter exposes standard hook priorities in case of ipv4, ipv6 and
arp but not in case of bridge.

This patch exposes the hook priority values of the bridge family (which are
different from the formerly mentioned) via uapi so that they can be used by
user-space applications just like the others.

Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent aaecfdb5

include/linux/netfilter_bridge.h

+0 −11

Original line number	Diff line number	Diff line
		@@ -5,17 +5,6 @@
		#include <uapi/linux/netfilter_bridge.h>
		#include <linux/skbuff.h>

		enum nf_br_hook_priorities {
		NF_BR_PRI_FIRST = INT_MIN,
		NF_BR_PRI_NAT_DST_BRIDGED = -300,
		NF_BR_PRI_FILTER_BRIDGED = -200,
		NF_BR_PRI_BRNF = 0,
		NF_BR_PRI_NAT_DST_OTHER = 100,
		NF_BR_PRI_FILTER_OTHER = 200,
		NF_BR_PRI_NAT_SRC = 300,
		NF_BR_PRI_LAST = INT_MAX,
		};

		#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

		int br_handle_frame_finish(struct net net, struct sock sk, struct sk_buff *skb);

include/uapi/linux/netfilter_bridge.h

+11 −0

Original line number	Diff line number	Diff line
		@@ -26,4 +26,15 @@
		#define NF_BR_BROUTING 5
		#define NF_BR_NUMHOOKS 6

		enum nf_br_hook_priorities {
		NF_BR_PRI_FIRST = INT_MIN,
		NF_BR_PRI_NAT_DST_BRIDGED = -300,
		NF_BR_PRI_FILTER_BRIDGED = -200,
		NF_BR_PRI_BRNF = 0,
		NF_BR_PRI_NAT_DST_OTHER = 100,
		NF_BR_PRI_FILTER_OTHER = 200,
		NF_BR_PRI_NAT_SRC = 300,
		NF_BR_PRI_LAST = INT_MAX,
		};

		#endif /* _UAPI__LINUX_BRIDGE_NETFILTER_H */

net/bridge/br_netfilter_hooks.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -26,6 +26,7 @@
		#include <linux/if_pppox.h>
		#include <linux/ppp_defs.h>
		#include <linux/netfilter_bridge.h>
		#include <uapi/linux/netfilter_bridge.h>
		#include <linux/netfilter_ipv4.h>
		#include <linux/netfilter_ipv6.h>
		#include <linux/netfilter_arp.h>

net/bridge/netfilter/ebtable_filter.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,7 @@
		*/

		#include <linux/netfilter_bridge/ebtables.h>
		#include <uapi/linux/netfilter_bridge.h>
		#include <linux/module.h>

		#define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) \| (1 << NF_BR_FORWARD) \| \

net/bridge/netfilter/ebtable_nat.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,7 @@
		*/

		#include <linux/netfilter_bridge/ebtables.h>
		#include <uapi/linux/netfilter_bridge.h>
		#include <linux/module.h>

		#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) \| (1 << NF_BR_LOCAL_OUT) \| \