I applied the kernel patches from http://ac2i.tzo.com/bridge_filter/
to 2.2.10 kernel source to enable IP filtering when bridging.
It works very well with ACCEPT and DENY. In an attempt to make it
also work with REJECT (send back a dest unreachable ICMP message)
I added few lines to handle this case, no success yet.
The following is the excerpt from the patched net/core/dev.c:
#ifdef CONFIG_FIREWALL
if(type==__constant_htons(ETH_P_IP))
{
int fwres;
u16 rport;
/* call the bridge input filter function */
fwres = call_bridgein_firewall(PF_INET, skb->dev,
skb->nh.iph, &rport, &skb);
if (fwres < FW_ACCEPT && fwres != FW_REJECT) {
return;
}
if (fwres == FW_REJECT) {
skb=skb_clone(skb, GFP_ATOMIC);
if(skb==NULL)
return;
offset=skb->data-skb->mac.raw;
skb_push(skb,offset); /* Put header back on for bridge */
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
kfree_skb(skb);
return;
}
}
#endif /* CONFIG_FIREWALL */
icmp_send() returns quickly after checking packet type:
if (skb_in->pkt_type!=PACKET_HOST)
return;
Fooling icmp_send() by setting pkt_type=PACKET_HOST before it gets
called doesn't help match. It bombs out after ip_route_output() call.
As I don't have enough kernel know-how I can just trial and error
and it doesn't seem to be an efficient method.
Would any of you experts like to comment? Is it possible to achieve
what I'm trying?
Thanks for your time.
Regards,
Chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/