netdev.vger.kernel.org archive mirror
* [PATCH] arptables in netns for real
@ 2008-07-21 16:29 Alexey Dobriyan
  2008-07-21 16:33 ` Patrick McHardy
  2008-07-21 16:47 ` Jan Engelhardt
  0 siblings, 2 replies; 4+ messages in thread
From: Alexey Dobriyan @ 2008-07-21 16:29 UTC (permalink / raw)
  To: kaber
  Cc: netdev, netfilter-devel, xemul, den, ebiederm, dlezcano,
	benjamin.thery

IN, FORWARD -- grab netns from in device,
OUT -- from out device.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 net/ipv4/netfilter/arptable_filter.c |   39 ++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)

--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -55,32 +55,53 @@ static struct xt_table packet_filter = {
 };
 
 /* The work comes in here from netfilter.c */
-static unsigned int arpt_hook(unsigned int hook,
-			      struct sk_buff *skb,
-			      const struct net_device *in,
-			      const struct net_device *out,
-			      int (*okfn)(struct sk_buff *))
+static unsigned int arpt_in_hook(unsigned int hook,
+				 struct sk_buff *skb,
+				 const struct net_device *in,
+				 const struct net_device *out,
+				 int (*okfn)(struct sk_buff *))
 {
-	return arpt_do_table(skb, hook, in, out, init_net.ipv4.arptable_filter);
+	return arpt_do_table(skb, hook, in, out,
+			     dev_net(in)->ipv4.arptable_filter);
+}
+
+static unsigned int arpt_out_hook(unsigned int hook,
+				  struct sk_buff *skb,
+				  const struct net_device *in,
+				  const struct net_device *out,
+				  int (*okfn)(struct sk_buff *))
+{
+	return arpt_do_table(skb, hook, in, out,
+			     dev_net(out)->ipv4.arptable_filter);
+}
+
+static unsigned int arpt_forward_hook(unsigned int hook,
+				      struct sk_buff *skb,
+				      const struct net_device *in,
+				      const struct net_device *out,
+				      int (*okfn)(struct sk_buff *))
+{
+	return arpt_do_table(skb, hook, in, out,
+			     dev_net(in)->ipv4.arptable_filter);
 }
 
 static struct nf_hook_ops arpt_ops[] __read_mostly = {
 	{
-		.hook		= arpt_hook,
+		.hook		= arpt_in_hook,
 		.owner		= THIS_MODULE,
 		.pf		= NF_ARP,
 		.hooknum	= NF_ARP_IN,
 		.priority	= NF_IP_PRI_FILTER,
 	},
 	{
-		.hook		= arpt_hook,
+		.hook		= arpt_out_hook,
 		.owner		= THIS_MODULE,
 		.pf		= NF_ARP,
 		.hooknum	= NF_ARP_OUT,
 		.priority	= NF_IP_PRI_FILTER,
 	},
 	{
-		.hook		= arpt_hook,
+		.hook		= arpt_forward_hook,
 		.owner		= THIS_MODULE,
 		.pf		= NF_ARP,
 		.hooknum	= NF_ARP_FORWARD,
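Review bot: arpt_in_hook and arpt_forward_hook have identical bodies (both hand dev_net(in)->ipv4.arptable_filter to arpt_do_table), so the NF_ARP_IN and NF_ARP_FORWARD entries in arpt_ops could point at a single function; if the three-way split is deliberate, a one-line comment above each hook stating which of in/out is the device whose namespace must be used there would document the rule that the changelog only asserts ("IN, FORWARD -- grab netns from in device, OUT -- from out device"), and would stop a later cleanup from folding arpt_out_hook back onto dev_net(in). It is also worth spelling out in the changelog what the old code got wrong: arpt_hook always consulted init_net.ipv4.arptable_filter, so ARP traffic on a device in another namespace was matched against the initial namespace's table rather than its own.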
-- 
1.5.4.5




* Re: [PATCH] arptables in netns for real
  2008-07-21 16:29 [PATCH] arptables in netns for real Alexey Dobriyan
@ 2008-07-21 16:33 ` Patrick McHardy
  2008-07-21 16:47 ` Jan Engelhardt
  1 sibling, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2008-07-21 16:33 UTC (permalink / raw)
  To: Alexey Dobriyan
  Cc: netdev, netfilter-devel, xemul, den, ebiederm, dlezcano,
	benjamin.thery

Alexey Dobriyan wrote:
> IN, FORWARD -- grab netns from in device,
> OUT -- from out device.

Applied, thanks.


* Re: [PATCH] arptables in netns for real
  2008-07-21 16:29 [PATCH] arptables in netns for real Alexey Dobriyan
  2008-07-21 16:33 ` Patrick McHardy
@ 2008-07-21 16:47 ` Jan Engelhardt
  2008-07-21 17:03   ` Alexey Dobriyan
  1 sibling, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2008-07-21 16:47 UTC (permalink / raw)
  To: Alexey Dobriyan
  Cc: kaber, netdev, netfilter-devel, xemul, den, ebiederm, dlezcano,
	benjamin.thery


On Monday 2008-07-21 18:29, Alexey Dobriyan wrote:
>-			      int (*okfn)(struct sk_buff *))
>+static unsigned int arpt_in_hook(unsigned int hook,
>+				 struct sk_buff *skb,
>+				 const struct net_device *in,
>+				 const struct net_device *out,
>+				 int (*okfn)(struct sk_buff *))
> {
>-	return arpt_do_table(skb, hook, in, out, init_net.ipv4.arptable_filter);
>+	return arpt_do_table(skb, hook, in, out,
>+			     dev_net(in)->ipv4.arptable_filter);
>+}

What I dislike with this netns stuff is that you need to touch
the ->ipv4. structure if you want to add new tables and there is
no more way to dynamically add tables from 3rd party modules unless
the admin loading them is fine with having them register against
&init_net only.


* Re: [PATCH] arptables in netns for real
  2008-07-21 16:47 ` Jan Engelhardt
@ 2008-07-21 17:03   ` Alexey Dobriyan
  0 siblings, 0 replies; 4+ messages in thread
From: Alexey Dobriyan @ 2008-07-21 17:03 UTC (permalink / raw)
  To: Jan Engelhardt
  Cc: kaber, netdev, netfilter-devel, xemul, den, ebiederm, dlezcano,
	benjamin.thery

On Mon, Jul 21, 2008 at 06:47:22PM +0200, Jan Engelhardt wrote:
> On Monday 2008-07-21 18:29, Alexey Dobriyan wrote:
> >-			      int (*okfn)(struct sk_buff *))
> >+static unsigned int arpt_in_hook(unsigned int hook,
> >+				 struct sk_buff *skb,
> >+				 const struct net_device *in,
> >+				 const struct net_device *out,
> >+				 int (*okfn)(struct sk_buff *))
> > {
> >-	return arpt_do_table(skb, hook, in, out, init_net.ipv4.arptable_filter);
> >+	return arpt_do_table(skb, hook, in, out,
> >+			     dev_net(in)->ipv4.arptable_filter);
> >+}
> 
> What I dislike with this netns stuff is that you need to touch
> the ->ipv4. structure if you want to add new tables and there is
> no more way to dynamically add tables from 3rd party modules unless
> the admin loading them is fine with having them register against
> &init_net only.

Not exactly sure if it's sufficient for you, but you can use the
net_assign_generic() infrastructure from a module and not touch "struct net"
at all.


