109c434b8SThomas Gleixner // SPDX-License-Identifier: GPL-2.0-only
21da177e4SLinus Torvalds /*
31da177e4SLinus Torvalds * ebtable_filter
41da177e4SLinus Torvalds *
51da177e4SLinus Torvalds * Authors:
61da177e4SLinus Torvalds * Bart De Schuymer <bdschuym@pandora.be>
71da177e4SLinus Torvalds *
81da177e4SLinus Torvalds * April, 2002
91da177e4SLinus Torvalds *
101da177e4SLinus Torvalds */
111da177e4SLinus Torvalds
121da177e4SLinus Torvalds #include <linux/netfilter_bridge/ebtables.h>
1394276fa8SMáté Eckl #include <uapi/linux/netfilter_bridge.h>
141da177e4SLinus Torvalds #include <linux/module.h>
151da177e4SLinus Torvalds
161da177e4SLinus Torvalds #define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | \
171da177e4SLinus Torvalds (1 << NF_BR_LOCAL_OUT))
181da177e4SLinus Torvalds
1997ad8b53Stanxiaojun static struct ebt_entries initial_chains[] = {
201da177e4SLinus Torvalds {
211da177e4SLinus Torvalds .name = "INPUT",
221da177e4SLinus Torvalds .policy = EBT_ACCEPT,
231da177e4SLinus Torvalds },
241da177e4SLinus Torvalds {
251da177e4SLinus Torvalds .name = "FORWARD",
261da177e4SLinus Torvalds .policy = EBT_ACCEPT,
271da177e4SLinus Torvalds },
281da177e4SLinus Torvalds {
291da177e4SLinus Torvalds .name = "OUTPUT",
301da177e4SLinus Torvalds .policy = EBT_ACCEPT,
311da177e4SLinus Torvalds },
321da177e4SLinus Torvalds };
331da177e4SLinus Torvalds
3497ad8b53Stanxiaojun static struct ebt_replace_kernel initial_table = {
351da177e4SLinus Torvalds .name = "filter",
361da177e4SLinus Torvalds .valid_hooks = FILTER_VALID_HOOKS,
371da177e4SLinus Torvalds .entries_size = 3 * sizeof(struct ebt_entries),
381da177e4SLinus Torvalds .hook_entry = {
391da177e4SLinus Torvalds [NF_BR_LOCAL_IN] = &initial_chains[0],
401da177e4SLinus Torvalds [NF_BR_FORWARD] = &initial_chains[1],
411da177e4SLinus Torvalds [NF_BR_LOCAL_OUT] = &initial_chains[2],
421da177e4SLinus Torvalds },
431da177e4SLinus Torvalds .entries = (char *)initial_chains,
441da177e4SLinus Torvalds };
451da177e4SLinus Torvalds
4697ad8b53Stanxiaojun static const struct ebt_table frame_filter = {
471da177e4SLinus Torvalds .name = "filter",
481da177e4SLinus Torvalds .table = &initial_table,
491da177e4SLinus Torvalds .valid_hooks = FILTER_VALID_HOOKS,
501da177e4SLinus Torvalds .me = THIS_MODULE,
511da177e4SLinus Torvalds };
521da177e4SLinus Torvalds
53591bb278SFlorian Westphal static const struct nf_hook_ops ebt_ops_filter[] = {
541da177e4SLinus Torvalds {
55*f0d6764fSFlorian Westphal .hook = ebt_do_table,
5624c232d8SJan Engelhardt .pf = NFPROTO_BRIDGE,
571da177e4SLinus Torvalds .hooknum = NF_BR_LOCAL_IN,
581da177e4SLinus Torvalds .priority = NF_BR_PRI_FILTER_BRIDGED,
591da177e4SLinus Torvalds },
601da177e4SLinus Torvalds {
61*f0d6764fSFlorian Westphal .hook = ebt_do_table,
6224c232d8SJan Engelhardt .pf = NFPROTO_BRIDGE,
631da177e4SLinus Torvalds .hooknum = NF_BR_FORWARD,
641da177e4SLinus Torvalds .priority = NF_BR_PRI_FILTER_BRIDGED,
651da177e4SLinus Torvalds },
661da177e4SLinus Torvalds {
67*f0d6764fSFlorian Westphal .hook = ebt_do_table,
6824c232d8SJan Engelhardt .pf = NFPROTO_BRIDGE,
691da177e4SLinus Torvalds .hooknum = NF_BR_LOCAL_OUT,
701da177e4SLinus Torvalds .priority = NF_BR_PRI_FILTER_OTHER,
711da177e4SLinus Torvalds },
721da177e4SLinus Torvalds };
731da177e4SLinus Torvalds
frame_filter_table_init(struct net * net)7487663c39SFlorian Westphal static int frame_filter_table_init(struct net *net)
754aad1093SAlexey Dobriyan {
764c95e072SFlorian Westphal return ebt_register_table(net, &frame_filter, ebt_ops_filter);
774aad1093SAlexey Dobriyan }
784aad1093SAlexey Dobriyan
frame_filter_net_pre_exit(struct net * net)797ee3c61dSFlorian Westphal static void __net_exit frame_filter_net_pre_exit(struct net *net)
807ee3c61dSFlorian Westphal {
814c95e072SFlorian Westphal ebt_unregister_table_pre_exit(net, "filter");
827ee3c61dSFlorian Westphal }
837ee3c61dSFlorian Westphal
frame_filter_net_exit(struct net * net)844aad1093SAlexey Dobriyan static void __net_exit frame_filter_net_exit(struct net *net)
854aad1093SAlexey Dobriyan {
864c95e072SFlorian Westphal ebt_unregister_table(net, "filter");
874aad1093SAlexey Dobriyan }
884aad1093SAlexey Dobriyan
894aad1093SAlexey Dobriyan static struct pernet_operations frame_filter_net_ops = {
904aad1093SAlexey Dobriyan .exit = frame_filter_net_exit,
917ee3c61dSFlorian Westphal .pre_exit = frame_filter_net_pre_exit,
924aad1093SAlexey Dobriyan };
934aad1093SAlexey Dobriyan
ebtable_filter_init(void)9465b4b4e8SAndrew Morton static int __init ebtable_filter_init(void)
951da177e4SLinus Torvalds {
9687663c39SFlorian Westphal int ret = ebt_register_template(&frame_filter, frame_filter_table_init);
9787663c39SFlorian Westphal
9887663c39SFlorian Westphal if (ret)
9987663c39SFlorian Westphal return ret;
10087663c39SFlorian Westphal
10187663c39SFlorian Westphal ret = register_pernet_subsys(&frame_filter_net_ops);
10287663c39SFlorian Westphal if (ret) {
10387663c39SFlorian Westphal ebt_unregister_template(&frame_filter);
10487663c39SFlorian Westphal return ret;
10587663c39SFlorian Westphal }
10687663c39SFlorian Westphal
10787663c39SFlorian Westphal return 0;
1081da177e4SLinus Torvalds }
1091da177e4SLinus Torvalds
ebtable_filter_fini(void)11065b4b4e8SAndrew Morton static void __exit ebtable_filter_fini(void)
1111da177e4SLinus Torvalds {
1124aad1093SAlexey Dobriyan unregister_pernet_subsys(&frame_filter_net_ops);
11387663c39SFlorian Westphal ebt_unregister_template(&frame_filter);
1141da177e4SLinus Torvalds }
1151da177e4SLinus Torvalds
11665b4b4e8SAndrew Morton module_init(ebtable_filter_init);
11765b4b4e8SAndrew Morton module_exit(ebtable_filter_fini);
1181da177e4SLinus Torvalds MODULE_LICENSE("GPL");
119