git.oblomov.eu Git - linux-2.6/blob - net/ipv4/netfilter/arptable_filter.c

   1 /*
   2  * Filtering ARP tables module.
   3  *
   4  * Copyright (C) 2002 David S. Miller (davem@redhat.com)
   5  *
   6  */
   7
   8 #include <linux/module.h>
   9 #include <linux/netfilter_arp/arp_tables.h>
  10
  11 MODULE_LICENSE("GPL");
  12 MODULE_AUTHOR("David S. Miller <davem@redhat.com>");
  13 MODULE_DESCRIPTION("arptables filter table");
  14
  15 #define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
  16                            (1 << NF_ARP_FORWARD))
  17
  18 static struct
  19 {
  20         struct arpt_replace repl;
  21         struct arpt_standard entries[3];
  22         struct arpt_error term;
  23 } initial_table __net_initdata = {
  24         .repl = {
  25                 .name = "filter",
  26                 .valid_hooks = FILTER_VALID_HOOKS,
  27                 .num_entries = 4,
  28                 .size = sizeof(struct arpt_standard) * 3 + sizeof(struct arpt_error),
  29                 .hook_entry = {
  30                         [NF_ARP_IN] = 0,
  31                         [NF_ARP_OUT] = sizeof(struct arpt_standard),
  32                         [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard),
  33                 },
  34                 .underflow = {
  35                         [NF_ARP_IN] = 0,
  36                         [NF_ARP_OUT] = sizeof(struct arpt_standard),
  37                         [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard),
  38                 },
  39         },
  40         .entries = {
  41                 ARPT_STANDARD_INIT(NF_ACCEPT),  /* ARP_IN */
  42                 ARPT_STANDARD_INIT(NF_ACCEPT),  /* ARP_OUT */
  43                 ARPT_STANDARD_INIT(NF_ACCEPT),  /* ARP_FORWARD */
  44         },
  45         .term = ARPT_ERROR_INIT,
  46 };
  47
  48 static struct xt_table packet_filter = {
  49         .name           = "filter",
  50         .valid_hooks    = FILTER_VALID_HOOKS,
  51         .lock           = __RW_LOCK_UNLOCKED(packet_filter.lock),
  52         .private        = NULL,
  53         .me             = THIS_MODULE,
  54         .af             = NFPROTO_ARP,
  55 };
  56
  57 /* The work comes in here from netfilter.c */
  58 static unsigned int arpt_in_hook(unsigned int hook,
  59                                  struct sk_buff *skb,
  60                                  const struct net_device *in,
  61                                  const struct net_device *out,
  62                                  int (*okfn)(struct sk_buff *))
  63 {
  64         return arpt_do_table(skb, hook, in, out,
  65                              dev_net(in)->ipv4.arptable_filter);
  66 }
  67
  68 static unsigned int arpt_out_hook(unsigned int hook,
  69                                   struct sk_buff *skb,
  70                                   const struct net_device *in,
  71                                   const struct net_device *out,
  72                                   int (*okfn)(struct sk_buff *))
  73 {
  74         return arpt_do_table(skb, hook, in, out,
  75                              dev_net(out)->ipv4.arptable_filter);
  76 }
  77
  78 static struct nf_hook_ops arpt_ops[] __read_mostly = {
  79         {
  80                 .hook           = arpt_in_hook,
  81                 .owner          = THIS_MODULE,
  82                 .pf             = NFPROTO_ARP,
  83                 .hooknum        = NF_ARP_IN,
  84                 .priority       = NF_IP_PRI_FILTER,
  85         },
  86         {
  87                 .hook           = arpt_out_hook,
  88                 .owner          = THIS_MODULE,
  89                 .pf             = NFPROTO_ARP,
  90                 .hooknum        = NF_ARP_OUT,
  91                 .priority       = NF_IP_PRI_FILTER,
  92         },
  93         {
  94                 .hook           = arpt_in_hook,
  95                 .owner          = THIS_MODULE,
  96                 .pf             = NFPROTO_ARP,
  97                 .hooknum        = NF_ARP_FORWARD,
  98                 .priority       = NF_IP_PRI_FILTER,
  99         },
 100 };
 101
 102 static int __net_init arptable_filter_net_init(struct net *net)
 103 {
 104         /* Register table */
 105         net->ipv4.arptable_filter =
 106                 arpt_register_table(net, &packet_filter, &initial_table.repl);
 107         if (IS_ERR(net->ipv4.arptable_filter))
 108                 return PTR_ERR(net->ipv4.arptable_filter);
 109         return 0;
 110 }
 111
 112 static void __net_exit arptable_filter_net_exit(struct net *net)
 113 {
 114         arpt_unregister_table(net->ipv4.arptable_filter);
 115 }
 116
 117 static struct pernet_operations arptable_filter_net_ops = {
 118         .init = arptable_filter_net_init,
 119         .exit = arptable_filter_net_exit,
 120 };
 121
 122 static int __init arptable_filter_init(void)
 123 {
 124         int ret;
 125
 126         ret = register_pernet_subsys(&arptable_filter_net_ops);
 127         if (ret < 0)
 128                 return ret;
 129
 130         ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
 131         if (ret < 0)
 132                 goto cleanup_table;
 133         return ret;
 134
 135 cleanup_table:
 136         unregister_pernet_subsys(&arptable_filter_net_ops);
 137         return ret;
 138 }
 139
 140 static void __exit arptable_filter_fini(void)
 141 {
 142         nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
 143         unregister_pernet_subsys(&arptable_filter_net_ops);
 144 }
 145
 146 module_init(arptable_filter_init);
 147 module_exit(arptable_filter_fini);