root/net/ipv4/netfilter/iptable_filter.c



   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x.
   4  *
   5  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
   6  * Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org>
   7  */
   8 
   9 #include <linux/module.h>
  10 #include <linux/moduleparam.h>
  11 #include <linux/netfilter_ipv4/ip_tables.h>
  12 #include <linux/slab.h>
  13 #include <net/ip.h>
  14 
/* Module metadata: license, author and description as reported by modinfo. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("iptables filter table");
  18 
/*
 * The filter table attaches only to the INPUT (NF_INET_LOCAL_IN), FORWARD and
 * OUTPUT (NF_INET_LOCAL_OUT) hooks.  A ruleset loaded into this table cannot
 * reach PRE_ROUTING/POST_ROUTING; those are not part of the mask.
 */
#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
			    (1 << NF_INET_FORWARD) | \
			    (1 << NF_INET_LOCAL_OUT))
/* Forward declaration: packet_filter below references it as .table_init. */
static int __net_init iptable_filter_table_init(struct net *net);
  23 
/*
 * Read-only description of the IPv4 "filter" table handed to the xtables
 * core.  It is shared across namespaces; the per-netns table instance itself
 * is created by iptable_filter_table_init() and stored in
 * net->ipv4.iptable_filter.
 */
static const struct xt_table packet_filter = {
	.name		= "filter",
	.valid_hooks	= FILTER_VALID_HOOKS,
	.me		= THIS_MODULE,
	.af		= NFPROTO_IPV4,
	.priority	= NF_IP_PRI_FILTER,
	/*
	 * Lets the xtables core create the table for a namespace that does not
	 * have one yet (iptable_filter_net_init skips eager creation for
	 * non-init namespaces when forward=1).
	 */
	.table_init	= iptable_filter_table_init,
};
  32 
static unsigned int
iptable_filter_hook(void *priv, struct sk_buff *skb,
		    const struct nf_hook_state *state)
{
	/*
	 * Netfilter entry point for the INPUT/FORWARD/OUTPUT hooks.  The table
	 * is taken from the namespace recorded in the hook state rather than
	 * from a global, so every netns is filtered by its own ruleset.
	 * @priv is unused; the verdict comes straight from ipt_do_table().
	 */
	struct xt_table *table = state->net->ipv4.iptable_filter;

	return ipt_do_table(skb, state, table);
}
  39 
/*
 * Hook ops shared by every namespace.  Allocated once in
 * iptable_filter_init() and passed to ipt_register_table() /
 * ipt_unregister_table() from the per-netns callbacks below.
 */
static struct nf_hook_ops *filter_ops __read_mostly;

/* Default to forward because I got too much mail already. */
/*
 * Module parameter "forward": selects the builtin policy of the FORWARD
 * chain (true = ACCEPT, false = DROP); applied in iptable_filter_table_init().
 * Permission 0000 means it is not exposed in sysfs and can only be set at
 * module load time.
 */
static bool forward __read_mostly = true;
module_param(forward, bool, 0000);
  45 
/*
 * Create and register the "filter" table for one network namespace.
 *
 * Builds the initial (empty, policy-only) table from packet_filter, applies
 * the FORWARD policy chosen by the "forward" module parameter and registers
 * it with the xtables core, which stores the live table in
 * net->ipv4.iptable_filter.  The temporary replace blob is freed here
 * regardless of the outcome.
 *
 * Returns 0 if the table exists afterwards (including when it already did),
 * -ENOMEM if the initial table could not be allocated, or the error from
 * ipt_register_table().
 */
static int __net_init iptable_filter_table_init(struct net *net)
{
	struct ipt_replace *repl;
	struct ipt_standard *entries;
	int ret;

	/* Nothing to do if this namespace already has its table. */
	if (net->ipv4.iptable_filter)
		return 0;

	repl = ipt_alloc_initial_table(&packet_filter);
	if (!repl)
		return -ENOMEM;

	/*
	 * Entry 1 is the FORWARD hook's builtin policy.  Verdicts are stored
	 * in the xtables encoding (-NF_<verdict> - 1); forward=0 turns the
	 * default into DROP so nothing is routed between interfaces unless a
	 * rule explicitly allows it.
	 */
	entries = (struct ipt_standard *)repl->entries;
	if (forward)
		entries[1].target.verdict = -NF_ACCEPT - 1;
	else
		entries[1].target.verdict = -NF_DROP - 1;

	ret = ipt_register_table(net, &packet_filter, repl, filter_ops,
				 &net->ipv4.iptable_filter);
	kfree(repl);
	return ret;
}
  66 
/*
 * pernet init callback.
 *
 * The table is created eagerly only for the initial namespace, or for every
 * namespace when forward=0: with a DROP policy on FORWARD the table has to be
 * present from the start, otherwise a fresh netns would forward unfiltered.
 * In the remaining case (forward=1, non-init netns) nothing is created here;
 * packet_filter.table_init points at the same routine, presumably so the
 * xtables core can create the table when it is first needed.
 *
 * Returns 0, or the error from iptable_filter_table_init().
 */
static int __net_init iptable_filter_net_init(struct net *net)
{
	bool eager = (net == &init_net) || !forward;

	if (!eager)
		return 0;

	return iptable_filter_table_init(net);
}
  74 
/*
 * pernet exit callback: tear down this namespace's filter table, if it was
 * ever created (see iptable_filter_net_init for when it is not).  The
 * per-netns pointer is cleared afterwards so no later path can reach the
 * unregistered table.
 */
static void __net_exit iptable_filter_net_exit(struct net *net)
{
	struct xt_table *table = net->ipv4.iptable_filter;

	if (table) {
		ipt_unregister_table(net, table, filter_ops);
		net->ipv4.iptable_filter = NULL;
	}
}
  82 
/* Per-network-namespace lifecycle hooks registered in iptable_filter_init(). */
static struct pernet_operations iptable_filter_net_ops = {
	.init = iptable_filter_net_init,
	.exit = iptable_filter_net_exit,
};
  87 
/*
 * Module entry point.
 *
 * The hook ops are allocated before the pernet subsystem is registered
 * because the .init callback (via iptable_filter_table_init) hands
 * filter_ops to ipt_register_table() as soon as it runs.  On failure of the
 * pernet registration the ops are freed again so the failed load leaks
 * nothing.
 *
 * Returns 0 on success, the error encoded in the xt_hook_ops_alloc() result,
 * or the error from register_pernet_subsys().
 */
static int __init iptable_filter_init(void)
{
	int err;

	filter_ops = xt_hook_ops_alloc(&packet_filter, iptable_filter_hook);
	if (IS_ERR(filter_ops))
		return PTR_ERR(filter_ops);

	err = register_pernet_subsys(&iptable_filter_net_ops);
	if (err >= 0)
		return err;

	/* Pernet registration failed: nothing references filter_ops any more. */
	kfree(filter_ops);
	return err;
}
 102 
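/*
 * Module exit point.
 *
 * unregister_pernet_subsys() runs iptable_filter_net_exit() for each
 * namespace, and that callback still dereferences the global filter_ops, so
 * the ops must stay valid until the subsystem is gone.  Only then is the
 * allocation released; the global is cleared first so the file-scope pointer
 * never dangles after kfree().
 */
static void __exit iptable_filter_fini(void)
{
	struct nf_hook_ops *ops = filter_ops;

	unregister_pernet_subsys(&iptable_filter_net_ops);

	filter_ops = NULL;
	kfree(ops);
}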
 108 
/* Register the module entry and exit points. */
module_init(iptable_filter_init);
module_exit(iptable_filter_fini);
