netfilter: nf_tables: only allow in/output for arp packets

arp packets cannot be forwarded. They can be bridged, but then they can be filtered using either ebtables or nftables bridge family. The bridge netfilter exposes a "call-arptables" switch which pushes packets into arptables, but lets not expose this for nftables, so better close this asap. Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nf_tables: only allow in/output for arp packets
arp packets cannot be forwarded. They can be bridged, but then they can be filtered using either ebtables or nftables bridge family. The bridge netfilter exposes a "call-arptables" switch which pushes packets into arptables, but lets not expose this for nftables, so better close this asap. Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
974292de · Florian Westphal · Pablo Neira Ayuso · 97772bcd · 974292de
隐藏空白更改
内联并排

Showing with 1 addition and 2 deletion

net/ipv4/netfilter/nf_tables_arp.c net/ipv4/netfilter/nf_tables_arp.c +1 -2

未找到文件。
--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -72,8 +72,7 @@ static const struct nf_chain_type filter_arp = {
 	.family		= NFPROTO_ARP,
 	.owner		= THIS_MODULE,
 	.hook_mask	= (1 << NF_ARP_IN) |
-			  (1 << NF_ARP_OUT) |
+			  (1 << NF_ARP_OUT),
-			  (1 << NF_ARP_FORWARD),
 };
 static int __init nf_tables_arp_init(void)