Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1d49144c authored Jan 03, 2014 by Patrick McHardy Committed by Pablo Neira Ayuso Jan 07, 2014

netfilter: nf_tables: add "inet" table for IPv4/IPv6



This patch adds a new table family and a new filter chain that you can
use to attach IPv4 and IPv6 rules. This should help to simplify
rule-set maintainance in dual-stack setups.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 115a60b1

include/net/netfilter/nf_tables_ipv4.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -20,4 +20,6 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
	pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;		pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
	}		}

			extern struct nft_af_info nft_af_ipv4;

	#endif		#endif

include/net/netfilter/nf_tables_ipv6.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -27,4 +27,6 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
	return 0;		return 0;
	}		}

			extern struct nft_af_info nft_af_ipv6;

	#endif		#endif

include/net/netns/nftables.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -10,6 +10,7 @@ struct netns_nftables {
	struct list_head commit_list;		struct list_head commit_list;
	struct nft_af_info *ipv4;		struct nft_af_info *ipv4;
	struct nft_af_info *ipv6;		struct nft_af_info *ipv6;
			struct nft_af_info *inet;
	struct nft_af_info *arp;		struct nft_af_info *arp;
	struct nft_af_info *bridge;		struct nft_af_info *bridge;
	u8 gencursor;		u8 gencursor;

include/uapi/linux/netfilter.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -53,6 +53,7 @@ enum nf_inet_hooks {

	enum {		enum {
	NFPROTO_UNSPEC = 0,		NFPROTO_UNSPEC = 0,
			NFPROTO_INET = 1,
	NFPROTO_IPV4 = 2,		NFPROTO_IPV4 = 2,
	NFPROTO_ARP = 3,		NFPROTO_ARP = 3,
	NFPROTO_BRIDGE = 7,		NFPROTO_BRIDGE = 7,

net/ipv4/netfilter/nf_tables_ipv4.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -48,7 +48,7 @@ static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
	return nft_do_chain_ipv4(ops, skb, in, out, okfn);		return nft_do_chain_ipv4(ops, skb, in, out, okfn);
	}		}

	static struct nft_af_info nft_af_ipv4 __read_mostly = {		struct nft_af_info nft_af_ipv4 __read_mostly = {
	.family = NFPROTO_IPV4,		.family = NFPROTO_IPV4,
	.nhooks = NF_INET_NUMHOOKS,		.nhooks = NF_INET_NUMHOOKS,
	.owner = THIS_MODULE,		.owner = THIS_MODULE,
	@@ -61,6 +61,7 @@ static struct nft_af_info nft_af_ipv4 __read_mostly = {
	[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,		[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
	},		},
	};		};
			EXPORT_SYMBOL_GPL(nft_af_ipv4);

	static int nf_tables_ipv4_init_net(struct net *net)		static int nf_tables_ipv4_init_net(struct net *net)
	{		{