diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-02 11:13:21 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-02 18:30:57 +0200 |
| commit | 4b7fd5d97ee6e599247b4a55122ca6ba80c8148d (patch) | |
| tree | f79ecdd32fb619bcf982dcb493997f2285311a92 /net/netfilter | |
| parent | netfilter: nf_tables: allow to filter from prerouting and postrouting (diff) | |
| download | linux-4b7fd5d97ee6e599247b4a55122ca6ba80c8148d.tar.xz linux-4b7fd5d97ee6e599247b4a55122ca6ba80c8148d.zip | |
netfilter: explicit module dependency between br_netfilter and physdev
You can use physdev to match the physical interface enslaved to the
bridge device. This information is stored in skb->nf_bridge and it is
set up by br_netfilter. So, this is only available when iptables is
used from the bridge netfilter path.
Since 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the br_netfilter code is modular. To reduce the impact of this change,
we can autoload the br_netfilter if the physdev match is used since
we assume that the users need br_netfilter in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/xt_physdev.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index d7ca16b8b8df..f440f57a452f 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c @@ -13,6 +13,7 @@ #include <linux/netfilter_bridge.h> #include <linux/netfilter/xt_physdev.h> #include <linux/netfilter/x_tables.h> +#include <net/netfilter/br_netfilter.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); @@ -87,6 +88,8 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) { const struct xt_physdev_info *info = par->matchinfo; + br_netfilter_enable(); + if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || info->bitmask & ~XT_PHYSDEV_OP_MASK) return -EINVAL; |