This source file includes following definitions.
- iptable_security_hook
- iptable_security_table_init
- iptable_security_net_exit
- iptable_security_init
- iptable_security_fini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15 #include <linux/module.h>
16 #include <linux/netfilter_ipv4/ip_tables.h>
17 #include <linux/slab.h>
18 #include <net/ip.h>
19
20 MODULE_LICENSE("GPL");
21 MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
22 MODULE_DESCRIPTION("iptables security table, for MAC rules");
23
24 #define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \
25 (1 << NF_INET_FORWARD) | \
26 (1 << NF_INET_LOCAL_OUT)
27
28 static int __net_init iptable_security_table_init(struct net *net);
29
30 static const struct xt_table security_table = {
31 .name = "security",
32 .valid_hooks = SECURITY_VALID_HOOKS,
33 .me = THIS_MODULE,
34 .af = NFPROTO_IPV4,
35 .priority = NF_IP_PRI_SECURITY,
36 .table_init = iptable_security_table_init,
37 };
38
39 static unsigned int
40 iptable_security_hook(void *priv, struct sk_buff *skb,
41 const struct nf_hook_state *state)
42 {
43 return ipt_do_table(skb, state, state->net->ipv4.iptable_security);
44 }
45
46 static struct nf_hook_ops *sectbl_ops __read_mostly;
47
48 static int __net_init iptable_security_table_init(struct net *net)
49 {
50 struct ipt_replace *repl;
51 int ret;
52
53 if (net->ipv4.iptable_security)
54 return 0;
55
56 repl = ipt_alloc_initial_table(&security_table);
57 if (repl == NULL)
58 return -ENOMEM;
59 ret = ipt_register_table(net, &security_table, repl, sectbl_ops,
60 &net->ipv4.iptable_security);
61 kfree(repl);
62 return ret;
63 }
64
65 static void __net_exit iptable_security_net_exit(struct net *net)
66 {
67 if (!net->ipv4.iptable_security)
68 return;
69
70 ipt_unregister_table(net, net->ipv4.iptable_security, sectbl_ops);
71 net->ipv4.iptable_security = NULL;
72 }
73
74 static struct pernet_operations iptable_security_net_ops = {
75 .exit = iptable_security_net_exit,
76 };
77
78 static int __init iptable_security_init(void)
79 {
80 int ret;
81
82 sectbl_ops = xt_hook_ops_alloc(&security_table, iptable_security_hook);
83 if (IS_ERR(sectbl_ops))
84 return PTR_ERR(sectbl_ops);
85
86 ret = register_pernet_subsys(&iptable_security_net_ops);
87 if (ret < 0) {
88 kfree(sectbl_ops);
89 return ret;
90 }
91
92 ret = iptable_security_table_init(&init_net);
93 if (ret) {
94 unregister_pernet_subsys(&iptable_security_net_ops);
95 kfree(sectbl_ops);
96 }
97
98 return ret;
99 }
100
101 static void __exit iptable_security_fini(void)
102 {
103 unregister_pernet_subsys(&iptable_security_net_ops);
104 kfree(sectbl_ops);
105 }
106
107 module_init(iptable_security_init);
108 module_exit(iptable_security_fini);