1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
* Add logical bridge in/out device filtering support
* Be more paranoid about the given userspace device names
--- linux/net/bridge/netfilter/ebtables.c Fri Apr 19 21:48:59 2002
+++ ebt2.0pre3.002/net/bridge/netfilter/ebtables.c Fri Apr 19 23:21:22 2002
@@ -30,6 +30,8 @@
#include <asm/uaccess.h>
#include <linux/smp.h>
#include <net/sock.h>
+// needed for logical [in,out]-dev filtering
+#include "../br_private.h"
// list_named_find
#define ASSERT_READ_LOCK(x)
@@ -115,6 +117,11 @@
(point->bitmask & EBT_802_3), EBT_IPROTO) )
&& FWINV(!ebt_dev_check((char *)(point->in), in), EBT_IIN)
&& FWINV(!ebt_dev_check((char *)(point->out), out), EBT_IOUT)
+ && ((!in || !in->br_port) ? 1 : FWINV(!ebt_dev_check((char *)
+ (point->logical_in), &in->br_port->br->dev), EBT_ILOGICALIN))
+ && ((!out || !out->br_port) ? 1 :
+ FWINV(!ebt_dev_check((char *)
+ (point->logical_out), &out->br_port->br->dev), EBT_ILOGICALOUT))
) {
if ( (point->bitmask & EBT_SOURCEMAC) &&
FWINV(!!memcmp(point->sourcemac,
@@ -363,6 +370,10 @@
BUGPRINT("NOPROTO & 802_3 not allowed\n");
return -EINVAL;
}
+ e->in[IFNAMSIZ - 1] = '\0';
+ e->out[IFNAMSIZ - 1] = '\0';
+ e->logical_in[IFNAMSIZ - 1] = '\0';
+ e->logical_out[IFNAMSIZ - 1] = '\0';
// what hook do we belong to?
for (i = 0; i < NF_BR_NUMHOOKS; i++) {
if ((valid_hooks & (1 << i)) == 0)
--- linux/include/linux/netfilter_bridge/ebtables.h Fri Apr 19 21:48:59 2002
+++ ebt2.0pre3.002/include/linux/netfilter_bridge/ebtables.h Fri Apr 19 21:06:25 2002
@@ -71,7 +71,10 @@
#define EBT_IOUT 0x04
#define EBT_ISOURCE 0x8
#define EBT_IDEST 0x10
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ISOURCE | EBT_IDEST)
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+ | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
struct ebt_counter
{
@@ -124,8 +127,14 @@
__u32 bitmask;
__u32 invflags;
__u16 ethproto;
+ // the physical in-dev
__u8 in[IFNAMSIZ];
+ // the logical in-dev
+ __u8 logical_in[IFNAMSIZ];
+ // the physical out-dev
__u8 out[IFNAMSIZ];
+ // the logical out-dev
+ __u8 logical_out[IFNAMSIZ];
__u8 sourcemac[ETH_ALEN];
__u8 destmac[ETH_ALEN];
// sizeof ebt_entry + matches
|
