On Thu, Jan 10, 2013 at 04:28:36PM +0100, pablo@xxxxxxxxxxxxx wrote:
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> This patch moves the definition of the filter_ipv4 and filter_ipv6
> default filter chains to where they belong.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> net/ipv4/netfilter/nf_tables_ipv4.c | 23 +++++++++++++++++++-
> net/ipv6/netfilter/nf_tables_ipv6.c | 23 +++++++++++++++++++-
> net/netfilter/nf_tables_api.c | 41 ----------------------------------
> 3 files changed, 44 insertions(+), 43 deletions(-)
>
> diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
> index 8827539..a0ee4c2 100644
> --- a/net/ipv4/netfilter/nf_tables_ipv4.c
> +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
> @@ -1,5 +1,6 @@
> /*
> * Copyright (c) 2008 Patrick McHardy <kaber@xxxxxxxxx>
> + * Copyright (c) 2012-2013 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License version 2 as
> @@ -70,14 +71,34 @@ static struct pernet_operations nf_tables_ipv4_net_ops = {
> .exit = nf_tables_ipv4_exit_net,
> };
>
> +static struct nf_chain_type filter_ipv4 = {
> + .family = NFPROTO_IPV4,
> + .name = "filter",
> + .type = NFT_CHAIN_T_DEFAULT,
> + .hook_mask = (1 << NF_INET_LOCAL_IN) |
> + (1 << NF_INET_LOCAL_OUT) |
> + (1 << NF_INET_FORWARD) |
> + (1 << NF_INET_PRE_ROUTING) |
> + (1 << NF_INET_POST_ROUTING),
> + .fn = {
> + [NF_INET_LOCAL_IN] = nft_do_chain,
> + [NF_INET_LOCAL_OUT] = nft_do_chain,
> + [NF_INET_FORWARD] = nft_do_chain,
> + [NF_INET_PRE_ROUTING] = nft_do_chain,
> + [NF_INET_POST_ROUTING] = nft_do_chain,
> + },
> +};

I'm still thinking about how to rework this. The chain types currently break the
LOCAL_OUT check for short SOCK_RAW packets and the setting of the transport layer
header pointer before invoking nft_do_chain(). I'll also need some additional
overloading for multi-family tables, so I think we need to rethink this scheme.

Feel free to apply your patch, but I'll probably rework this very soon anyway.
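Review bot: in the .fn initialiser of filter_ipv4 every hook, NF_INET_LOCAL_OUT included, points straight at nft_do_chain, so nothing IPv4-specific runs before the chain is evaluated; that is exactly the LOCAL_OUT check for short SOCK_RAW packets and the transport-header setup that the reply says this scheme breaks, and the hunk itself offers no place where either could happen. A per-hook IPv4 entry point that performs those steps (the same guard iptables applies at LOCAL_OUT, where a raw socket can emit a packet shorter than an IP header) and only then calls nft_do_chain would keep that behaviour while still letting the chain type live in this file. Two smaller points on the same block: .hook_mask and .fn list the same five hooks by hand and can drift apart, so deriving hook_mask from the populated fn entries at registration time would remove the duplication; and the hunk header (-70,14 +71,34) accounts for more added lines than the seventeen quoted, so the registration and unregistration of filter_ipv4 on the module's init, error and exit paths are not visible here and cannot be checked from this quote.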