From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [PATCH 2/3] netfilter: xtables: add PKTTYPE target
Date: Wed, 28 Jan 2009 15:58:26 +0100 [thread overview]
Message-ID: <20090128145826.7501.34671.stgit@Decadence> (raw)
In-Reply-To: <20090128145801.7501.44459.stgit@Decadence>
This patch adds the PKTTYPE target which can be used to mangle the
skbuff packet type field. This target is useful in conjunction with
the arptables mcmangle target to get TCP working again when a
multicast hardware address is used. An example of its use:
iptables -I PREROUTING ! -s 224.0.0.0/4 -t mangle \
-j PKTTYPE --to-pkt-type unicast
Given the following arptables rule-set:
arptables -I OUTPUT -o eth0 -j mcmangle --h-length 6
\ --mc-mangle-mac 01:00:5e:00:01:01 --mc-mangle-dev eth0
arptables -I INPUT --h-length 6 --destination-mac 01:00:5e:00:01:01
\ -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27
See arptables mcmangle target for further information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/xt_PKTTYPE.h | 8 ++++
net/netfilter/Kconfig | 18 ++++++++++
net/netfilter/Makefile | 1 +
net/netfilter/xt_PKTTYPE.c | 61 ++++++++++++++++++++++++++++++++++
4 files changed, 88 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_PKTTYPE.h
create mode 100644 net/netfilter/xt_PKTTYPE.c
diff --git a/include/linux/netfilter/xt_PKTTYPE.h b/include/linux/netfilter/xt_PKTTYPE.h
new file mode 100644
index 0000000..cc67cbf
--- /dev/null
+++ b/include/linux/netfilter/xt_PKTTYPE.h
@@ -0,0 +1,8 @@
+#ifndef _XT_PKTTYPE_TARGET_H
+#define _XT_PKTTYPE_TARGET_H
+
+struct xt_pkttype_target_info {
+ u_int8_t pkt_type;
+};
+
+#endif /* _XT_PKTTYPE_TARGET_H */
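Review bot: `struct xt_pkttype_target_info` is the userspace/kernel rule ABI, but its only field is declared as `u_int8_t pkt_type;` and the header includes nothing. Headers under include/linux/netfilter normally use the exported kernel types, so `#include <linux/types.h>` plus `__u8 pkt_type;` would keep the layout unambiguous for both sides. The field also needs a comment naming the values it may hold, for example `/* one of PACKET_HOST, PACKET_BROADCAST, PACKET_MULTICAST */`, because nothing in the header tells a rule author or a reviewer of a ruleset what a given number means.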
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 25dcef9..9ed1ccf 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -489,6 +489,24 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
This option adds a "TCPOPTSTRIP" target, which allows you to strip
TCP options from TCP packets.
+config NETFILTER_XT_TARGET_PKTTYPE
+ tristate '"PKTTYPE" target support'
+ depends on IP_NF_RAW || IP6_NF_RAW
+ depends on NETFILTER_ADVANCED
+ help
+ The PKTTYPE target allows you to change the link layer packet type.
+ This target is useful if you have set up a multicast MAC address (via
+ arptables) for a given interface and you want the packets to reach
+ the layer 4 stack (which would drop packet tagged as multicast
+ from the link layer).
+
+ This target can be used in conjunction with arptables and the cluster
+ match to setup cluster of stateful firewalls which are connected
+ through a switch.
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+
config NETFILTER_XT_MATCH_COMMENT
tristate '"comment" match support'
depends on NETFILTER_ADVANCED
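Review bot: The new entry has `depends on IP_NF_RAW || IP6_NF_RAW`, but both registrations in xt_PKTTYPE.c set `.table = "mangle"` and the example in the description uses `-t mangle`. As written, the option can be enabled on a kernel that has the raw table but no mangle table, where the target can never be attached, and it is hidden on a kernel that has only mangle. `depends on IP_NF_MANGLE || IP6_NF_MANGLE` would match what the code registers.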
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index da3d909..dd43ba9 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -55,6 +55,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_PKTTYPE) += xt_PKTTYPE.o
# matches
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff --git a/net/netfilter/xt_PKTTYPE.c b/net/netfilter/xt_PKTTYPE.c
new file mode 100644
index 0000000..db68dc4
--- /dev/null
+++ b/net/netfilter/xt_PKTTYPE.c
@@ -0,0 +1,61 @@
+/*
+ * (C) 2008 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/jhash.h>
+#include <linux/netfilter/x_tables.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <linux/netfilter/xt_PKTTYPE.h>
+
+static unsigned int
+xt_pkttype_tg(struct sk_buff *skb, const struct xt_target_param *par)
+{
+ const struct xt_pkttype_target_info *info = par->targinfo;
+
+ skb->pkt_type = info->pkt_type;
+
+ return XT_CONTINUE;
+}
+
+static struct xt_target xt_pkttype_target[] __read_mostly = {
+ {
+ .family = AF_INET,
+ .name = "PKTTYPE",
+ .table = "mangle",
+ .target = xt_pkttype_tg,
+ .targetsize = sizeof(struct xt_pkttype_target_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .family = AF_INET6,
+ .name = "PKTTYPE",
+ .table = "mangle",
+ .target = xt_pkttype_tg,
+ .targetsize = sizeof(struct xt_pkttype_target_info),
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init xt_pkttype_tg_init(void)
+{
+ return xt_register_targets(xt_pkttype_target,
+ ARRAY_SIZE(xt_pkttype_target));
+}
+
+static void __exit xt_pkttype_tg_fini(void)
+{
+ xt_unregister_targets(xt_pkttype_target, ARRAY_SIZE(xt_pkttype_target));
+}
+
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Xtables: xt_PKTTYPE target");
+MODULE_ALIAS("ipt_PKTTYPE");
+MODULE_ALIAS("ip6t_PKTTYPE");
+module_init(xt_pkttype_tg_init);
+module_exit(xt_pkttype_tg_fini);
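Review bot: Neither `xt_pkttype_target[]` entry sets `.checkentry`, so `xt_pkttype_tg()` copies whatever byte userspace supplied in `info->pkt_type` straight into `skb->pkt_type`. That skb field is, as far as I recall for this kernel generation, a bitfield narrower than eight bits, so out-of-range values would be silently truncated to some other packet type. Values such as the outgoing or loopback types also change how later layers treat the packet, and nothing in the description suggests they are meant to be settable. A check function that accepts only the types the option is meant to expose would reject bad rules at insertion time; the allowed set below is a suggestion to confirm against the userspace extension, and it needs `<linux/if_packet.h>` for the constants. Separately, `<linux/jhash.h>` and `<net/netfilter/nf_conntrack.h>` are included but nothing in this file appears to use them.

```c
static bool xt_pkttype_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_pkttype_target_info *info = par->targinfo;

	/* Reject anything the skb field cannot hold or a rule should not set. */
	switch (info->pkt_type) {
	case PACKET_HOST:
	case PACKET_BROADCAST:
	case PACKET_MULTICAST:
		return true;
	default:
		return false;
	}
}

/* … unchanged: xt_pkttype_tg() … */

	/* added to both the AF_INET and AF_INET6 entries of xt_pkttype_target[] */
	.checkentry	= xt_pkttype_tg_check,
```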