netfilter: nf_tables: only allow in/output for arp packets
arp packets cannot be forwarded.

They can be bridged, but then they can be filtered using
either ebtables or nftables bridge family.

The bridge netfilter exposes a "call-arptables" switch which
pushes packets into arptables, but let's not expose this for nftables, so better
close this asap.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal authored and Pablo Neira Ayuso committed Jul 17, 2017
1 parent 97772bc commit 974292d
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions net/ipv4/netfilter/nf_tables_arp.c
Expand Up @@ -72,8 +72,7 @@ static const struct nf_chain_type filter_arp = {
.family = NFPROTO_ARP,
.owner = THIS_MODULE,
.hook_mask = (1 << NF_ARP_IN) |
(1 << NF_ARP_OUT) |
(1 << NF_ARP_FORWARD),
(1 << NF_ARP_OUT),
};

static int __init nf_tables_arp_init(void)
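Review bot: the user-visible effect of dropping `(1 << NF_ARP_FORWARD)` from `hook_mask` is not stated in the commit message and should be: once the bit is gone, nf_tables rejects registration of any arp-family chain of this type at the forward hook, so existing rulesets that declare such a chain will fail to load rather than silently keep a hook that never fires. A sentence noting that arp forward chains were never reachable (the message already says arp packets cannot be forwarded) and are now explicitly refused would make the intent clear to anyone bisecting a ruleset load failure to this commit. The edit itself is consistent: the trailing `|` on the `NF_ARP_OUT` line is replaced by the closing `,`, so the initializer stays well-formed.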
