Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 115a60b1 authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables: add support for multi family tables 



Add support to register chains to multiple hooks for different address
families for mixed IPv4/IPv6 tables.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent c9484874

include/net/netfilter/nf_tables.h

+8 −1
Original line number Diff line number Diff line
@@ -422,6 +422,8 @@ struct nft_stats { 
	u64 pkts;

};



#define NFT_HOOK_OPS_MAX		2



/**

 *	struct nft_base_chain - nf_tables base chain

 *
@@ -432,7 +434,7 @@ struct nft_stats { 
 *	@chain: the chain

 */

struct nft_base_chain {

	struct nf_hook_ops		ops;

	struct nf_hook_ops		ops[NFT_HOOK_OPS_MAX];

	enum nft_chain_type		type;

	u8				policy;

	struct nft_stats __percpu	*stats;
@@ -476,6 +478,8 @@ struct nft_table { 
 *	@nhooks: number of hooks in this family

 *	@owner: module owner

 *	@tables: used internally

 *	@nops: number of hook ops in this family

 *	@hook_ops_init: initialization function for chain hook ops

 *	@hooks: hookfn overrides for packet validation

 */

struct nft_af_info {
@@ -484,6 +488,9 @@ struct nft_af_info { 
	unsigned int			nhooks;

	struct module			*owner;

	struct list_head		tables;

	unsigned int			nops;

	void				(*hook_ops_init)(struct nf_hook_ops *,

							 unsigned int);

	nf_hookfn			*hooks[NF_MAX_HOOKS];

};

net/bridge/netfilter/nf_tables_bridge.c

+1 −0
Original line number Diff line number Diff line
@@ -32,6 +32,7 @@ static struct nft_af_info nft_af_bridge __read_mostly = { 
	.family		= NFPROTO_BRIDGE,

	.nhooks		= NF_BR_NUMHOOKS,

	.owner		= THIS_MODULE,

	.nops		= 1,

	.hooks		= {

		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,

		[NF_BR_FORWARD]		= nft_do_chain_bridge,

net/ipv4/netfilter/nf_tables_arp.c

+1 −0
Original line number Diff line number Diff line
@@ -32,6 +32,7 @@ static struct nft_af_info nft_af_arp __read_mostly = { 
	.family		= NFPROTO_ARP,

	.nhooks		= NF_ARP_NUMHOOKS,

	.owner		= THIS_MODULE,

	.nops		= 1,

	.hooks		= {

		[NF_ARP_IN]		= nft_do_chain_arp,

		[NF_ARP_OUT]		= nft_do_chain_arp,

net/ipv4/netfilter/nf_tables_ipv4.c

+1 −0
Original line number Diff line number Diff line
@@ -52,6 +52,7 @@ static struct nft_af_info nft_af_ipv4 __read_mostly = { 
	.family		= NFPROTO_IPV4,

	.nhooks		= NF_INET_NUMHOOKS,

	.owner		= THIS_MODULE,

	.nops		= 1,

	.hooks		= {

		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,

		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,

net/ipv6/netfilter/nf_tables_ipv6.c

+1 −0
Original line number Diff line number Diff line
@@ -51,6 +51,7 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = { 
	.family		= NFPROTO_IPV6,

	.nhooks		= NF_INET_NUMHOOKS,

	.owner		= THIS_MODULE,

	.nops		= 1,

	.hooks		= {

		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,

		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,