From: Patrick McHardy <kaber@trash.net>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, tomasz.bursztyka@linux.intel.com
Subject: Re: [PATCH 2/7] netfilter: nf_tables: move filter chain definition to layer 3 modules
Date: Thu, 10 Jan 2013 17:02:24 +0100
Message-ID: <20130110160156.GA2178@macbook.localnet>
In-Reply-To: <1357831721-10182-2-git-send-email-pablo@netfilter.org>
On Thu, Jan 10, 2013 at 04:28:36PM +0100, pablo@netfilter.org wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> This patch moves the definition of the filter_ipv4 and filter_ipv6
> default filter chains to where they belong.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/ipv4/netfilter/nf_tables_ipv4.c | 23 +++++++++++++++++++-
> net/ipv6/netfilter/nf_tables_ipv6.c | 23 +++++++++++++++++++-
> net/netfilter/nf_tables_api.c | 41 -----------------------------------
> 3 files changed, 44 insertions(+), 43 deletions(-)
>
> diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
> index 8827539..a0ee4c2 100644
> --- a/net/ipv4/netfilter/nf_tables_ipv4.c
> +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
> @@ -1,5 +1,6 @@
> /*
> * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
> + * Copyright (c) 2012-2013 Pablo Neira Ayuso <pablo@netfilter.org>
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License version 2 as
> @@ -70,14 +71,34 @@ static struct pernet_operations nf_tables_ipv4_net_ops = {
> .exit = nf_tables_ipv4_exit_net,
> };
>
> +static struct nf_chain_type filter_ipv4 = {
> + .family = NFPROTO_IPV4,
> + .name = "filter",
> + .type = NFT_CHAIN_T_DEFAULT,
> + .hook_mask = (1 << NF_INET_LOCAL_IN) |
> + (1 << NF_INET_LOCAL_OUT) |
> + (1 << NF_INET_FORWARD) |
> + (1 << NF_INET_PRE_ROUTING) |
> + (1 << NF_INET_POST_ROUTING),
> + .fn = {
> + [NF_INET_LOCAL_IN] = nft_do_chain,
> + [NF_INET_LOCAL_OUT] = nft_do_chain,
> + [NF_INET_FORWARD] = nft_do_chain,
> + [NF_INET_PRE_ROUTING] = nft_do_chain,
> + [NF_INET_POST_ROUTING] = nft_do_chain,
> + },
> +};
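Review bot: the quoted part of this hunk only defines the static filter_ipv4 chain type; it does not show the struct being registered in the module init path or unregistered on exit. The hunk header (@@ -70,14 +71,34 @@) and the diffstat (23 insertions in nf_tables_ipv4.c) indicate more added lines than the 18 quoted here, so please confirm the remainder registers and unregisters the chain type, otherwise the struct is unreferenced and the default "filter" chain type for NFPROTO_IPV4 is lost once the definition is removed from nf_tables_api.c. A smaller point: .hook_mask and the .fn array enumerate the same five hooks by hand; a comment noting that the two must stay in sync would help anyone adding or removing a hook later.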
I'm still thinking about how to rework this; the chain types currently
break the LOCAL_OUT check for short SOCK_RAW packets and setting of
the transport layer header pointer before invoking nft_do_chain().
I'll also need some additional overloading for multi family tables,
so I think we need to rethink this scheme.
Feel free to apply your patch, but I'll probably rework this very
soon anyway.