They can be
> and so far haven't managed to deduce the way the various code modules
> interact. I wouldn't exactly describe myself as a network guru either,
> but I'm happy to have a crack at this if there is someone out there
> prepared to hold my hand...
The bridge code needs to call
call_in_firewall(PF_BRIDGE, skb->dev, skb->h.raw, NULL, &skb)
for each frame it plans to accept
call_out_firewall(...)
for each frame it plans to send
and
call_fw_firewall(..)
for each frame it plans to forward
You may well only want to implement some of these for a bridge.
These routines return
FW_ACCEPT - accept packet
FW_REJECT - discard and error if you can
FW_DENY - throw away quietly.
and may replace the sk_buff you pass it with a new one (that's how masquerade
works).
That puts the firewall hooks into the bridge. The other half is to register
a firewall handler for PF_BRIDGE. That probably wants to call the IP routines
if you are going to be doing just IP filtering.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
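As an added example (not from the mail above, and not kernel code), a small user-space C model of the contract it describes: a handler registered for PF_BRIDGE that filters only IP, a bridge receive path that calls call_in_firewall() with &skb and honours the three verdicts, and the rule that the sk_buff may come back replaced. The struct layout, the PF_BRIDGE number and the FW_* values are assumptions chosen for the model.

```c
#include <stdlib.h>
/* Constructed user-space model of the hook contract in the mail; constants,
 * struct layout and handler signature are assumptions, not the kernel's. */
#define FW_ACCEPT  1
#define FW_REJECT (-1)
#define FW_DENY    0
#define PF_BRIDGE  7                 /* placeholder value */
#define ETH_P_IP   0x0800
struct sk_buff { unsigned short protocol; size_t len; unsigned char data[64]; };
/* Hooks take the buffer by double pointer so they can hand back a replacement. */
typedef int (*fw_hook)(int pf, struct sk_buff **pskb);
static fw_hook bridge_in_hook;       /* what registering for PF_BRIDGE stores */
void register_bridge_firewall(fw_hook fn) { bridge_in_hook = fn; }
static int call_in_firewall(int pf, struct sk_buff **pskb)
{
    return bridge_in_hook ? bridge_in_hook(pf, pskb) : FW_ACCEPT;
}
/* Sample PF_BRIDGE handler doing IP-only filtering: non-IP passes untouched,
 * IP over 40 bytes is denied, smaller IP is swapped for a fresh buffer. */
int ip_only_filter(int pf, struct sk_buff **pskb)
{
    struct sk_buff *skb = *pskb, *fresh;
    if (pf != PF_BRIDGE || skb->protocol != ETH_P_IP) return FW_ACCEPT;
    if (skb->len > 40) return FW_DENY;
    if (!(fresh = malloc(sizeof *fresh))) return FW_REJECT;
    *fresh = *skb; fresh->data[0] = 0x45;   /* stand-in for a header rewrite */
    free(skb); *pskb = fresh;               /* the old pointer is now dead */
    return FW_ACCEPT;
}
/* Bridge receive path: re-reads skb after the call, frees it exactly once. */
int bridge_receive(struct sk_buff *skb, unsigned char *first_byte)
{
    int verdict = call_in_firewall(PF_BRIDGE, &skb);  /* may replace skb */
    if (verdict == FW_ACCEPT && first_byte) *first_byte = skb->data[0];
    free(skb);
    return verdict == FW_ACCEPT;            /* 1 kept, 0 dropped */
}
/* ARP kept, long IP denied, short IP kept via replaced buffer: returns bitmask. */
int run_cases(void)
{
    struct sk_buff *f; unsigned char b = 0; int mask = 0;
    register_bridge_firewall(ip_only_filter);
    f = calloc(1, sizeof *f); f->protocol = 0x0806; f->len = 60; f->data[0] = 0xAA;
    if (bridge_receive(f, &b) && b == 0xAA) mask |= 1;
    f = calloc(1, sizeof *f); f->protocol = ETH_P_IP; f->len = 60;
    if (!bridge_receive(f, &b)) mask |= 2;
    f = calloc(1, sizeof *f); f->protocol = ETH_P_IP; f->len = 20;
    if (bridge_receive(f, &b) && b == 0x45) mask |= 4;
    return mask;
}
```

The point for the bridge side is that after the call only the pointer the hook handed back may be used; the original buffer may already have been freed by a rewriting handler.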