Define xt_NFQ_info_v3 to get fail-open argument from iptables. Also enable FAIL_OPEN.
Signed-off-by: Krishna Kumar <krkumar2@xxxxxxxxxx>
---
 include/linux/netfilter/xt_NFQUEUE.h | 7 +++++++
 net/netfilter/xt_NFQUEUE.c | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)
diff -ruNp org/include/linux/netfilter/xt_NFQUEUE.h new/include/linux/netfilter/xt_NFQUEUE.h
--- org/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 10:17:28.117870787 +0530
+++ new/include/linux/netfilter/xt_NFQUEUE.h 2012-05-07 09:20:53.783813702 +0530
@@ -26,4 +26,11 @@ struct xt_NFQ_info_v2 {
 __u16 bypass;
 };

+struct xt_NFQ_info_v3 {
+ __u16 queuenum;
+ __u16 queues_total;
+ __u16 bypass;
+ __u16 fail_open;
+};
+
 #endif /* _XT_NFQ_TARGET_H */
diff -ruNp org/net/netfilter/xt_NFQUEUE.c new/net/netfilter/xt_NFQUEUE.c
--- org/net/netfilter/xt_NFQUEUE.c 2012-05-07 09:20:53.871815019 +0530
+++ new/net/netfilter/xt_NFQUEUE.c 2012-05-07 09:20:53.808751034 +0530
@@ -94,6 +94,17 @@ nfqueue_tg_v2(struct sk_buff *skb, const
 return ret;
 }

+static unsigned int
+nfqueue_tg_v3(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ const struct xt_NFQ_info_v3 *info = par->targinfo;
+ unsigned int ret = nfqueue_tg_v1(skb, par);
+
+ if (info->fail_open)
+ ret |= NF_VERDICT_FLAG_FAIL_OPEN;
+ return ret;
+}
+
 static int nfqueue_tg_check(const struct xt_tgchk_param *par)
 {
 const struct xt_NFQ_info_v2 *info = par->targinfo;
@@ -144,6 +155,14 @@ static struct xt_target nfqueue_tg_reg[]
 .targetsize = sizeof(struct xt_NFQ_info_v2),
 .me = THIS_MODULE,
 },
+ {
+ .name = "NFQUEUE",
+ .revision = 3,
+ .family = NFPROTO_UNSPEC,
+ .target = nfqueue_tg_v3,
+ .targetsize = sizeof(struct xt_NFQ_info_v3),
+ .me = THIS_MODULE,
+ },
 };

 static int __init nfqueue_tg_init(void)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
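Review bot: The new `fail_open` member of struct xt_NFQ_info_v3 has no comment, and in a userspace-visible header a field that loosens filtering should have its meaning written down. Going by the name and the NF_VERDICT_FLAG_FAIL_OPEN flag set from it in xt_NFQUEUE.c, a nonzero value presumably lets packets be accepted when they cannot be queued, so a full queue would pass traffic that the userspace listener never sees. I would add something like `/* nonzero: accept, rather than drop, packets that cannot be queued */` beside the field. The comment should also say whether only 0 and 1 are valid, since this is a `__u16` used as a boolean.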
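Review bot: nfqueue_tg_v3 builds its verdict from nfqueue_tg_v1 and then reads only `info->fail_open`, so the `bypass` member that xt_NFQ_info_v3 also carries is never consulted in the visible code. If nfqueue_tg_v2 is where `bypass` becomes a verdict flag (only its last two lines fall inside this hunk), a revision-3 rule would silently lose that setting. Chaining to the previous revision would keep both: `unsigned int ret = nfqueue_tg_v2(skb, par);`. That relies on v3 keeping v2's leading layout, which cannot be confirmed here because only v2's final `bypass` member is visible in the header hunk.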
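Review bot: The revision-3 entry added to nfqueue_tg_reg[] sets no `.checkentry`, so as far as this hunk shows, a rule using the new revision is accepted without validating the values userspace supplies in xt_NFQ_info_v3. nfqueue_tg_check, whose first lines appear as context in the previous hunk, already exists for this target. Its body and the other table entries are outside the hunks, so which revisions use it and what it checks cannot be seen here. I would add `.checkentry = nfqueue_tg_check,` to the new entry and have that function reject `fail_open > 1` for revision 3. Bad values would then be refused at rule insertion instead of being interpreted in the packet path.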