Commit 974292de authored Jul 07, 2017 by Florian Westphal Committed by Pablo Neira Ayuso Jul 17, 2017

netfilter: nf_tables: only allow in/output for arp packets



arp packets cannot be forwarded.

They can be bridged, but then they can be filtered using
either ebtables or nftables bridge family.

The bridge netfilter exposes a "call-arptables" switch which
pushes packets into arptables, but lets not expose this for nftables, so better
close this asap.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 97772bcd

net/ipv4/netfilter/nf_tables_arp.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -72,8 +72,7 @@ static const struct nf_chain_type filter_arp = {
		.family = NFPROTO_ARP,
		.owner = THIS_MODULE,
		.hook_mask = (1 << NF_ARP_IN) \|
		(1 << NF_ARP_OUT) \|
		(1 << NF_ARP_FORWARD),
		(1 << NF_ARP_OUT),
		};

		static int __init nf_tables_arp_init(void)