From 84909d171585d77fe769f03e2b1b96eab0aa0213 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Mon, 9 Sep 2013 12:54:04 +0200
Subject: xtables: bootstrap ARP compatibility layer for nftables
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and listing (-L).
[ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ]
Signed-off-by: Giuseppe Longo
Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft-shared.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
(limited to 'iptables/nft-shared.c')
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 5681e264..c1cb5a7f 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -30,6 +30,7 @@
 extern struct nft_family_ops nft_family_ops_ipv4;
 extern struct nft_family_ops nft_family_ops_ipv6;
+extern struct nft_family_ops nft_family_ops_arp;
 void add_meta(struct nft_rule *r, uint32_t key)
 {
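Review bot: The added `extern struct nft_family_ops nft_family_ops_arp;` is declared inside nft-shared.c rather than in a shared header, so the compiler never checks it against the definition in the ARP source file. A later change to that object's type or name would surface only at link time, or as undefined behaviour. It follows the two existing ipv4/ipv6 lines, so the cleaner fix is to move all three declarations into the header that declares `struct nft_family_ops` and include it from both the definitions and this file. The definition of nft_family_ops_arp is not part of this file view, so confirm that it is non-static and has exactly this type.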
@@ -281,8 +282,7 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface,
 }
 }
-static void
-nft_parse_target(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
+void nft_parse_target(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 int family, void *data)
 {
 size_t tg_len;
@@ -381,7 +381,7 @@ void get_cmp_data(struct nft_rule_expr_iter *iter,
 *inv = false;
 }
-static void
+void
 nft_parse_meta(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 int family, void *data)
 {
@@ -402,7 +402,7 @@ nft_parse_meta(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 ops->parse_meta(e, key, data);
 }
-static void
+void
 nft_parse_payload(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 int family, void *data)
 {
@@ -414,7 +414,7 @@ nft_parse_payload(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 ops->parse_payload(iter, offset, data);
 }
-static void
+void
 nft_parse_counter(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 struct xt_counters *counters)
 {
@@ -422,7 +422,7 @@ nft_parse_counter(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 counters->bcnt = nft_rule_expr_get_u64(e, NFT_EXPR_CTR_BYTES);
 }
-static void
+void
 nft_parse_immediate(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 int family, void *data)
 {
@@ -649,6 +649,8 @@ struct nft_family_ops *nft_family_ops_lookup(int family)
 return &nft_family_ops_ipv4;
 case AF_INET6:
 return &nft_family_ops_ipv6;
+ case NFPROTO_ARP:
+ return &nft_family_ops_arp;
 default:
 break;
 }
-- cgit v1.2.3
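Review bot: Dropping `static` here and in the hunks at -381, -402, -414 and -422 gives nft_parse_target, nft_parse_meta, nft_parse_payload, nft_parse_counter and nft_parse_immediate external linkage, but this view is limited to nft-shared.c, so the matching prototypes are not visible. Each one needs a prototype in a header that this file also includes, so that callers in other files do not rely on implicit or hand-copied declarations. Four of the five take an untyped `void *data` whose concrete struct presumably depends on `family`, and nothing on these lines says which type each family expects. Now that other translation units can call them, a comment above each definition such as `/* data: family-specific rule state; must be the type the family's ops callbacks cast it to */` would document that contract. The layout is also inconsistent: nft_parse_target becomes `void nft_parse_target(` on one line while the other four keep the return type on its own line; the function bodies continue outside the hunks.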
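Review bot: The added `case NFPROTO_ARP:` makes ARP a family the shared parsers can be driven with, yet the context lines of the -402 and -414 hunks call `ops->parse_meta(e, key, data);` and `ops->parse_payload(iter, offset, data);` with no check on `ops` or on the callback pointer. Where `ops` is assigned lies outside the hunks, but if it comes from this lookup and nft_family_ops_arp leaves either callback unset, or an unknown family falls through `default: break;` to what is presumably a NULL return, decoding a rule dereferences a null pointer. A guard such as `if (!ops || !ops->parse_meta) { /* report: expression not supported for this family */ return; }` should report the failure rather than skip silently, so a rule the tool cannot fully decode is never listed as if it had fewer matches. The switch also mixes `AF_INET`/`AF_INET6` with `NFPROTO_ARP`; a one-line comment stating that `family` carries NFPROTO_* values would make the mix intentional.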