net/ipv6/netfilter/ip6table_filter.c
/* * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x. * * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling * Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ #include <linux/module.h> #include <linux/moduleparam.h> #include <linux/netfilter_ipv6/ip6_tables.h> |
#include <linux/slab.h> |
/* Module metadata recorded for this loadable module. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("ip6tables filter table");

/*
 * Bitmask of the netfilter hooks the filter table attaches to: local
 * input, forwarding and local output. No other hook bit is set, so rules
 * in this table are only consulted at these three points.
 */
#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
			    (1 << NF_INET_FORWARD) | \
			    (1 << NF_INET_LOCAL_OUT))

/* Forward declaration: the packet_filter descriptor refers to this function. */
static int __net_init ip6table_filter_table_init(struct net *net);
/*
 * Descriptor of the IPv6 "filter" table: which hooks it is valid on, the
 * priority it runs at, and the function used to set it up in a network
 * namespace (.table_init).
 */
static const struct xt_table packet_filter = {
	.name		= "filter",
	.af		= NFPROTO_IPV6,
	.me		= THIS_MODULE,
	.valid_hooks	= FILTER_VALID_HOOKS,
	.priority	= NF_IP6_PRI_FILTER,
	.table_init	= ip6table_filter_table_init,
};

/*
 * The work comes in here from netfilter.c.
 *
 * Hook entry point: evaluates @skb against the filter table of the
 * network namespace carried in @state and returns the verdict of
 * ip6t_do_table() unchanged. @priv is not used.
 */
static unsigned int
ip6table_filter_hook(void *priv, struct sk_buff *skb,
		     const struct nf_hook_state *state)
{
	struct net *net = state->net;

	return ip6t_do_table(skb, state, net->ipv6.ip6table_filter);
}
/*
 * Hook operations for this table. A single file-scope pointer, set in
 * ip6table_filter_init(), passed to table (un)registration for each
 * network namespace, and freed in ip6table_filter_fini().
 */
static struct nf_hook_ops *filter_ops __read_mostly;

/* Default to forward because I got too much mail already. */
/*
 * Security note: "forward" selects the built-in policy written into the
 * FORWARD entry by ip6table_filter_table_init(): true (the default) gives
 * ACCEPT, false gives DROP. A host that routes IPv6 should not rely on
 * this permissive default; set forward=0 at load time or install an
 * explicit FORWARD policy. The permission argument 0000 means the
 * parameter gets no sysfs file, so it is only settable when the module
 * is loaded.
 */
static bool forward = true;
module_param(forward, bool, 0000);
/*
 * Create and register the filter table for @net, unless it already exists.
 *
 * Returns 0 if the table is already present, -ENOMEM if the initial
 * ruleset cannot be allocated, otherwise the result of
 * ip6t_register_table(). The temporary ruleset is freed on every path
 * after the registration attempt.
 */
static int __net_init ip6table_filter_table_init(struct net *net)
{
	struct ip6t_replace *repl;
	struct ip6t_standard *std;
	int err;

	/* Table already set up for this namespace: nothing to do. */
	if (net->ipv6.ip6table_filter != NULL)
		return 0;

	repl = ip6t_alloc_initial_table(&packet_filter);
	if (!repl)
		return -ENOMEM;

	/*
	 * Entry 1 is the FORWARD hook. Its built-in policy follows the
	 * "forward" module parameter: ACCEPT when set, DROP otherwise.
	 * NOTE(review): the fixed index relies on the entry order produced
	 * by ip6t_alloc_initial_table(), which is not visible here.
	 */
	std = (struct ip6t_standard *)repl->entries;
	if (forward)
		std[1].target.verdict = -NF_ACCEPT - 1;
	else
		std[1].target.verdict = -NF_DROP - 1;

	err = ip6t_register_table(net, &packet_filter, repl, filter_ops,
				  &net->ipv6.ip6table_filter);

	/* The replace blob is only needed for registration. */
	kfree(repl);
	return err;
}
/*
 * Per-namespace init. The table is registered right away for the initial
 * namespace, and for every namespace when "forward" is false, so that the
 * DROP policy on FORWARD is in force from namespace creation. In the
 * remaining case (another namespace with forward == true) nothing is
 * registered here; the table is left to be created through
 * packet_filter.table_init.
 */
static int __net_init ip6table_filter_net_init(struct net *net)
{
	if (net != &init_net && forward)
		return 0;

	return ip6table_filter_table_init(net);
}
/*
 * Per-namespace teardown: unregister the filter table if this namespace
 * has one, then clear the pointer so a stale table is never referenced.
 */
static void __net_exit ip6table_filter_net_exit(struct net *net)
{
	if (net->ipv6.ip6table_filter) {
		ip6t_unregister_table(net, net->ipv6.ip6table_filter,
				      filter_ops);
		net->ipv6.ip6table_filter = NULL;
	}
}

/* Per-network-namespace init/exit callbacks for the filter table. */
static struct pernet_operations ip6table_filter_net_ops = {
	.exit = ip6table_filter_net_exit,
	.init = ip6table_filter_net_init,
};
/*
 * Module init: allocate the hook operations for the filter table, then
 * register the per-namespace callbacks.
 *
 * Returns the error encoded in the xt_hook_ops_alloc() result if that
 * fails, otherwise the return value of register_pernet_subsys(). The
 * hook operations are freed again when that registration fails.
 */
static int __init ip6table_filter_init(void)
{
	int ret;

	filter_ops = xt_hook_ops_alloc(&packet_filter, ip6table_filter_hook);
	if (IS_ERR(filter_ops))
		return PTR_ERR(filter_ops);

	ret = register_pernet_subsys(&ip6table_filter_net_ops);
	if (ret >= 0)
		return ret;

	/* Registration failed: do not leak the hook ops. */
	kfree(filter_ops);
	return ret;
}
/*
 * Module exit: drop the per-namespace callbacks first, then free the
 * hook operations. filter_ops is passed to ip6t_unregister_table() by
 * ip6table_filter_net_exit(), so it is freed only after
 * unregister_pernet_subsys() has returned.
 */
static void __exit ip6table_filter_fini(void)
{
	unregister_pernet_subsys(&ip6table_filter_net_ops);
	kfree(filter_ops);
}
/* Register the module's load and unload entry points. */
module_init(ip6table_filter_init);
module_exit(ip6table_filter_fini);