netfilter: nf_tables: only allow in/output for arp packets

arp packets cannot be forwarded.

They can be bridged, but then they can be filtered using
either ebtables or nftables bridge family.

The bridge netfilter exposes a "call-arptables" switch which
pushes packets into arptables, but lets not expose this for nftables, so better
close this asap.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c
index 805c8ddfe86022e6b47df2026d5c5830c613b0ff..4bbc273b45e871b2c3033bfd31af73f2b8bc9aa4 100644 (file)
--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -72,8 +72,7 @@ static const struct nf_chain_type filter_arp = {
        .family         = NFPROTO_ARP,
        .owner          = THIS_MODULE,
        .hook_mask      = (1 << NF_ARP_IN) |
-                         (1 << NF_ARP_OUT) |
-                         (1 << NF_ARP_FORWARD),
+                         (1 << NF_ARP_OUT),
 };
 
 static int __init nf_tables_arp_init(void)