netfilter: bridge: add reject support

So you can reject IPv4 and IPv6 packets from bridge tables. If the ether
proto is now known, default on dropping the packet instead.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 4ce0b31..9cebf47 100644 (file)
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -14,6 +14,12 @@ config NFT_BRIDGE_META
        help
          Add support for bridge dedicated meta key.
 
+config NFT_BRIDGE_REJECT
+       tristate "Netfilter nf_tables bridge reject support"
+       depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
+       help
+         Add support to reject packets.
+
 config NF_LOG_BRIDGE
        tristate "Bridge packet logging"
 

diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index 1f78ea0..061d121 100644 (file)
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -4,6 +4,7 @@
 
 obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
 obj-$(CONFIG_NFT_BRIDGE_META)  += nft_meta_bridge.o
+obj-$(CONFIG_NFT_BRIDGE_REJECT)  += nft_reject_bridge.o
 
 # packet logging
 obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o

diff --cc net/bridge/netfilter/nft_reject_bridge.c
Simple merge