Commit 4e7df119 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:

1) Add .release_ops to properly unroll .select_ops, use it from nft_compat.
   After this change, we can remove list of extensions too to simplify this
   codebase.

2) Update amanda conntrack helper to support v3.4, from Florian Tham.

3) Get rid of the obsolete BUGPRINT macro in ebtables, from
   Florian Westphal.

4) Merge IPv4 and IPv6 masquerading infrastructure into one single module.
   From Florian Westphal.

5) Patchset to remove nf_nat_l3proto structure to get rid of
   indirections, from Florian Westphal.

6) Skip unnecessary conntrack timeout updates in case the value is
   still the same, also from Florian Westphal.

7) Remove unnecessary 'fall through' comments in empty switch cases,
   from Li RongQing.

8) Fix lookup to fixed size hashtable sets on big endian with 32-bit keys.

9) Incorrect logic to deactivate path of fixed size hashtable sets,
   element was being tested to self.

10) Remove nft_hash_key(), the bitmap set is always selected for 16-bit
    keys.

11) Use boolean whenever possible in IPVS codebase, from Andrea Claudi.

12) Enter close state in conntrack if RST matches exact sequence number,
    from Florian Westphal.

13) Initialize dst_cache in tunnel extension, from wenxu.

14) Pass protocol as u16 to xt_check_match and xt_check_target, from
    Li RongQing.

15) SCTP header is granted to be in a linear area from IPVS NAT handler,
    from Xin Long.

16) Don't steal packets coming from slave VRF device from the
    ip_sabotage_in() path, from David Ahern.

17) Fix unsafe update of basechain stats, from Li RongQing.

18) Make sure CONNTRACK_LOCKS is power of 2 to let compiler optimize
    modulo operation as bitwise AND, from Li RongQing.

19) Use device_attribute instead of internal definition in the IDLETIMER
    target, from Sami Tolvanen.

20) Merge redir, masq and IPv4/IPv6 NAT chain types, from Florian Westphal.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 2369afb6 db8ab388
...@@ -289,9 +289,9 @@ bool xt_find_jump_offset(const unsigned int *offsets, ...@@ -289,9 +289,9 @@ bool xt_find_jump_offset(const unsigned int *offsets,
int xt_check_proc_name(const char *name, unsigned int size); int xt_check_proc_name(const char *name, unsigned int size);
int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, int xt_check_match(struct xt_mtchk_param *, unsigned int size, u16 proto,
bool inv_proto); bool inv_proto);
int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, int xt_check_target(struct xt_tgchk_param *, unsigned int size, u16 proto,
bool inv_proto); bool inv_proto);
int xt_match_to_user(const struct xt_entry_match *m, int xt_match_to_user(const struct xt_entry_match *m,
......
...@@ -190,23 +190,23 @@ bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, ...@@ -190,23 +190,23 @@ bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo, void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
const struct sk_buff *skb, const struct sk_buff *skb,
unsigned long extra_jiffies, int do_acct); u32 extra_jiffies, bool do_acct);
/* Refresh conntrack for this many jiffies and do accounting */ /* Refresh conntrack for this many jiffies and do accounting */
static inline void nf_ct_refresh_acct(struct nf_conn *ct, static inline void nf_ct_refresh_acct(struct nf_conn *ct,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct sk_buff *skb, const struct sk_buff *skb,
unsigned long extra_jiffies) u32 extra_jiffies)
{ {
__nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, 1); __nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, true);
} }
/* Refresh conntrack for this many jiffies */ /* Refresh conntrack for this many jiffies */
static inline void nf_ct_refresh(struct nf_conn *ct, static inline void nf_ct_refresh(struct nf_conn *ct,
const struct sk_buff *skb, const struct sk_buff *skb,
unsigned long extra_jiffies) u32 extra_jiffies)
{ {
__nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0); __nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, false);
} }
/* kill conntrack and do accounting */ /* kill conntrack and do accounting */
......
...@@ -31,8 +31,7 @@ struct nf_conn; ...@@ -31,8 +31,7 @@ struct nf_conn;
/* The structure embedded in the conntrack structure. */ /* The structure embedded in the conntrack structure. */
struct nf_conn_nat { struct nf_conn_nat {
union nf_conntrack_nat_help help; union nf_conntrack_nat_help help;
#if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \ #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE)
IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
int masq_index; int masq_index;
#endif #endif
}; };
...@@ -61,8 +60,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum, ...@@ -61,8 +60,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
struct nf_conn_nat *nat, struct nf_conn_nat *nat,
const struct net_device *out) const struct net_device *out)
{ {
#if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \ #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE)
IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING && return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&
nat->masq_index != out->ifindex; nat->masq_index != out->ifindex;
...@@ -75,4 +73,43 @@ int nf_nat_register_fn(struct net *net, const struct nf_hook_ops *ops, ...@@ -75,4 +73,43 @@ int nf_nat_register_fn(struct net *net, const struct nf_hook_ops *ops,
const struct nf_hook_ops *nat_ops, unsigned int ops_count); const struct nf_hook_ops *nat_ops, unsigned int ops_count);
void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops, void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops,
unsigned int ops_count); unsigned int ops_count);
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
unsigned int hooknum, struct sk_buff *skb);
unsigned int nf_nat_manip_pkt(struct sk_buff *skb, struct nf_conn *ct,
enum nf_nat_manip_type mtype,
enum ip_conntrack_dir dir);
void nf_nat_csum_recalc(struct sk_buff *skb,
u8 nfproto, u8 proto, void *data, __sum16 *check,
int datalen, int oldlen);
int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
unsigned int hooknum);
int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
unsigned int hooknum, unsigned int hdrlen);
int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
int nf_nat_ipv6_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_ipv6_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
unsigned int
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family);
static inline int nf_nat_initialized(struct nf_conn *ct,
enum nf_nat_manip_type manip)
{
if (manip == NF_NAT_MANIP_SRC)
return ct->status & IPS_SRC_NAT_DONE;
else
return ct->status & IPS_DST_NAT_DONE;
}
#endif #endif
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_NAT_CORE_H
#define _NF_NAT_CORE_H
#include <linux/list.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_nat.h>
/* This header used to share core functionality between the standalone
NAT module, and the compatibility layer's use of NAT for masquerading. */
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
unsigned int hooknum, struct sk_buff *skb);
unsigned int
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family);
static inline int nf_nat_initialized(struct nf_conn *ct,
enum nf_nat_manip_type manip)
{
if (manip == NF_NAT_MANIP_SRC)
return ct->status & IPS_SRC_NAT_DONE;
else
return ct->status & IPS_DST_NAT_DONE;
}
#endif /* _NF_NAT_CORE_H */
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NF_NAT_L3PROTO_H
#define _NF_NAT_L3PROTO_H
struct nf_nat_l3proto {
u8 l3proto;
bool (*manip_pkt)(struct sk_buff *skb,
unsigned int iphdroff,
const struct nf_conntrack_tuple *target,
enum nf_nat_manip_type maniptype);
void (*csum_update)(struct sk_buff *skb, unsigned int iphdroff,
__sum16 *check,
const struct nf_conntrack_tuple *t,
enum nf_nat_manip_type maniptype);
void (*csum_recalc)(struct sk_buff *skb, u8 proto,
void *data, __sum16 *check,
int datalen, int oldlen);
void (*decode_session)(struct sk_buff *skb,
const struct nf_conn *ct,
enum ip_conntrack_dir dir,
unsigned long statusbit,
struct flowi *fl);
int (*nlattr_to_range)(struct nlattr *tb[],
struct nf_nat_range2 *range);
};
int nf_nat_l3proto_register(const struct nf_nat_l3proto *);
void nf_nat_l3proto_unregister(const struct nf_nat_l3proto *);
const struct nf_nat_l3proto *__nf_nat_l3proto_find(u8 l3proto);
int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
unsigned int hooknum);
int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
unsigned int hooknum, unsigned int hdrlen);
int nf_nat_l3proto_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_l3proto_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
int nf_nat_l3proto_ipv6_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_l3proto_ipv6_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
#endif /* _NF_NAT_L3PROTO_H */
/* SPDX-License-Identifier: GPL-2.0 */
/* Header for use in defining a given protocol. */
#ifndef _NF_NAT_L4PROTO_H
#define _NF_NAT_L4PROTO_H
#include <net/netfilter/nf_nat.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
struct nf_nat_l3proto;
/* Translate a packet to the target according to manip type. Return on success. */
bool nf_nat_l4proto_manip_pkt(struct sk_buff *skb,
const struct nf_nat_l3proto *l3proto,
unsigned int iphdroff, unsigned int hdroff,
const struct nf_conntrack_tuple *tuple,
enum nf_nat_manip_type maniptype);
#endif /*_NF_NAT_L4PROTO_H*/
...@@ -690,10 +690,12 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, ...@@ -690,10 +690,12 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
gcb->elems[gcb->head.cnt++] = elem; gcb->elems[gcb->head.cnt++] = elem;
} }
struct nft_expr_ops;
/** /**
* struct nft_expr_type - nf_tables expression type * struct nft_expr_type - nf_tables expression type
* *
* @select_ops: function to select nft_expr_ops * @select_ops: function to select nft_expr_ops
* @release_ops: release nft_expr_ops
* @ops: default ops, used when no select_ops functions is present * @ops: default ops, used when no select_ops functions is present
* @list: used internally * @list: used internally
* @name: Identifier * @name: Identifier
...@@ -706,6 +708,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, ...@@ -706,6 +708,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
struct nft_expr_type { struct nft_expr_type {
const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
const struct nlattr * const tb[]); const struct nlattr * const tb[]);
void (*release_ops)(const struct nft_expr_ops *ops);
const struct nft_expr_ops *ops; const struct nft_expr_ops *ops;
struct list_head list; struct list_head list;
const char *name; const char *name;
......
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NFT_MASQ_H_
#define _NFT_MASQ_H_
struct nft_masq {
u32 flags;
enum nft_registers sreg_proto_min:8;
enum nft_registers sreg_proto_max:8;
};
extern const struct nla_policy nft_masq_policy[];
int nft_masq_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[]);
int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr);
int nft_masq_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
const struct nft_data **data);
#endif /* _NFT_MASQ_H_ */
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NFT_REDIR_H_
#define _NFT_REDIR_H_
struct nft_redir {
enum nft_registers sreg_proto_min:8;
enum nft_registers sreg_proto_max:8;
u16 flags;
};
extern const struct nla_policy nft_redir_policy[];
int nft_redir_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[]);
int nft_redir_dump(struct sk_buff *skb, const struct nft_expr *expr);
int nft_redir_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
const struct nft_data **data);
#endif /* _NFT_REDIR_H_ */
...@@ -831,7 +831,8 @@ static unsigned int ip_sabotage_in(void *priv, ...@@ -831,7 +831,8 @@ static unsigned int ip_sabotage_in(void *priv,
struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
if (nf_bridge && !nf_bridge->in_prerouting && if (nf_bridge && !nf_bridge->in_prerouting &&
!netif_is_l3_master(skb->dev)) { !netif_is_l3_master(skb->dev) &&
!netif_is_l3_slave(skb->dev)) {
state->okfn(state->net, state->sk, skb); state->okfn(state->net, state->sk, skb);
return NF_STOLEN; return NF_STOLEN;
} }
......
This diff is collapsed.
...@@ -94,50 +94,7 @@ config NF_REJECT_IPV4 ...@@ -94,50 +94,7 @@ config NF_REJECT_IPV4
tristate "IPv4 packet rejection" tristate "IPv4 packet rejection"
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
config NF_NAT_IPV4 if NF_NAT
tristate "IPv4 NAT"
depends on NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
select NF_NAT
help
The IPv4 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.
if NF_NAT_IPV4
config NF_NAT_MASQUERADE_IPV4
bool
if NF_TABLES
config NFT_CHAIN_NAT_IPV4
depends on NF_TABLES_IPV4
tristate "IPv4 nf_tables nat chain support"
help
This option enables the "nat" chain for IPv4 in nf_tables. This
chain type is used to perform Network Address Translation (NAT)
packet transformations such as the source, destination address and
source and destination ports.
config NFT_MASQ_IPV4
tristate "IPv4 masquerading support for nf_tables"
depends on NF_TABLES_IPV4
depends on NFT_MASQ
select NF_NAT_MASQUERADE_IPV4
help
This is the expression that provides IPv4 masquerading support for
nf_tables.
config NFT_REDIR_IPV4
tristate "IPv4 redirect support for nf_tables"
depends on NF_TABLES_IPV4
depends on NFT_REDIR
select NF_NAT_REDIRECT
help
This is the expression that provides IPv4 redirect support for
nf_tables.
endif # NF_TABLES
config NF_NAT_SNMP_BASIC config NF_NAT_SNMP_BASIC
tristate "Basic SNMP-ALG support" tristate "Basic SNMP-ALG support"
depends on NF_CONNTRACK_SNMP depends on NF_CONNTRACK_SNMP
...@@ -166,7 +123,7 @@ config NF_NAT_H323 ...@@ -166,7 +123,7 @@ config NF_NAT_H323
depends on NF_CONNTRACK depends on NF_CONNTRACK
default NF_CONNTRACK_H323 default NF_CONNTRACK_H323
endif # NF_NAT_IPV4 endif # NF_NAT
config IP_NF_IPTABLES config IP_NF_IPTABLES
tristate "IP tables support (required for filtering/masq/NAT)" tristate "IP tables support (required for filtering/masq/NAT)"
...@@ -263,7 +220,6 @@ config IP_NF_NAT ...@@ -263,7 +220,6 @@ config IP_NF_NAT
depends on NF_CONNTRACK depends on NF_CONNTRACK
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
select NF_NAT select NF_NAT
select NF_NAT_IPV4
select NETFILTER_XT_NAT select NETFILTER_XT_NAT
help help
This enables the `nat' table in iptables. This allows masquerading, This enables the `nat' table in iptables. This allows masquerading,
...@@ -276,7 +232,7 @@ if IP_NF_NAT ...@@ -276,7 +232,7 @@ if IP_NF_NAT
config IP_NF_TARGET_MASQUERADE config IP_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support" tristate "MASQUERADE target support"
select NF_NAT_MASQUERADE_IPV4 select NF_NAT_MASQUERADE
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
help help
Masquerading is a special case of NAT: all outgoing connections are Masquerading is a special case of NAT: all outgoing connections are
......
...@@ -3,10 +3,6 @@ ...@@ -3,10 +3,6 @@
# Makefile for the netfilter modules on top of IPv4. # Makefile for the netfilter modules on top of IPv4.
# #
nf_nat_ipv4-y := nf_nat_l3proto_ipv4.o
nf_nat_ipv4-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
obj-$(CONFIG_NF_NAT_IPV4) += nf_nat_ipv4.o
# defrag # defrag
obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o
...@@ -29,11 +25,8 @@ $(obj)/nf_nat_snmp_basic_main.o: $(obj)/nf_nat_snmp_basic.asn1.h ...@@ -29,11 +25,8 @@ $(obj)/nf_nat_snmp_basic_main.o: $(obj)/nf_nat_snmp_basic.asn1.h
obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o
obj-$(CONFIG_NFT_MASQ_IPV4) += nft_masq_ipv4.o
obj-$(CONFIG_NFT_REDIR_IPV4) += nft_redir_ipv4.o
obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
# flow table support # flow table support
......
...@@ -15,8 +15,6 @@ ...@@ -15,8 +15,6 @@
#include <net/ip.h> #include <net/ip.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_l3proto.h>
static int __net_init iptable_nat_table_init(struct net *net); static int __net_init iptable_nat_table_init(struct net *net);
...@@ -70,10 +68,10 @@ static int ipt_nat_register_lookups(struct net *net) ...@@ -70,10 +68,10 @@ static int ipt_nat_register_lookups(struct net *net)
int i, ret; int i, ret;
for (i = 0; i < ARRAY_SIZE(nf_nat_ipv4_ops); i++) { for (i = 0; i < ARRAY_SIZE(nf_nat_ipv4_ops); i++) {
ret = nf_nat_l3proto_ipv4_register_fn(net, &nf_nat_ipv4_ops[i]); ret = nf_nat_ipv4_register_fn(net, &nf_nat_ipv4_ops[i]);
if (ret) { if (ret) {
while (i) while (i)
nf_nat_l3proto_ipv4_unregister_fn(net, &nf_nat_ipv4_ops[--i]); nf_nat_ipv4_unregister_fn(net, &nf_nat_ipv4_ops[--i]);
return ret; return ret;
} }
...@@ -87,7 +85,7 @@ static void ipt_nat_unregister_lookups(struct net *net) ...@@ -87,7 +85,7 @@ static void ipt_nat_unregister_lookups(struct net *net)
int i; int i;
for (i = 0; i < ARRAY_SIZE(nf_nat_ipv4_ops); i++) for (i = 0; i < ARRAY_SIZE(nf_nat_ipv4_ops); i++)
nf_nat_l3proto_ipv4_unregister_fn(net, &nf_nat_ipv4_ops[i]); nf_nat_ipv4_unregister_fn(net, &nf_nat_ipv4_ops[i]);
} }
static int __net_init iptable_nat_table_init(struct net *net) static int __net_init iptable_nat_table_init(struct net *net)
......
This diff is collapsed.
/*
* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo@debian.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nft_masq.h>
#include <net/netfilter/ipv4/nf_nat_masquerade.h>
static void nft_masq_ipv4_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_masq *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_max]);
}
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
&range, nft_out(pkt));
}
static void
nft_masq_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
}
static struct nft_expr_type nft_masq_ipv4_type;
static const struct nft_expr_ops nft_masq_ipv4_ops = {
.type = &nft_masq_ipv4_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
.eval = nft_masq_ipv4_eval,
.init = nft_masq_init,
.destroy = nft_masq_ipv4_destroy,
.dump = nft_masq_dump,
.validate = nft_masq_validate,
};
static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
.family = NFPROTO_IPV4,
.name = "masq",
.ops = &nft_masq_ipv4_ops,
.policy = nft_masq_policy,
.maxattr = NFTA_MASQ_MAX,
.owner = THIS_MODULE,
};
static int __init nft_masq_ipv4_module_init(void)
{
int ret;
ret = nft_register_expr(&nft_masq_ipv4_type);
if (ret < 0)
return ret;
ret = nf_nat_masquerade_ipv4_register_notifier();
if (ret)
nft_unregister_expr(&nft_masq_ipv4_type);
return ret;
}
static void __exit nft_masq_ipv4_module_exit(void)
{
nft_unregister_expr(&nft_masq_ipv4_type);
nf_nat_masquerade_ipv4_unregister_notifier();
}
module_init(nft_masq_ipv4_module_init);
module_exit(nft_masq_ipv4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");
/*
* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo@debian.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_redirect.h>
#include <net/netfilter/nft_redir.h>
static void nft_redir_ipv4_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_redir *priv = nft_expr_priv(expr);
struct nf_nat_ipv4_multi_range_compat mr;
memset(&mr, 0, sizeof(mr));
if (priv->sreg_proto_min) {
mr.range[0].min.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_min]);
mr.range[0].max.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_max]);
mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}
mr.range[0].flags |= priv->flags;
regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, nft_hook(pkt));
}
static void
nft_redir_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
}
static struct nft_expr_type nft_redir_ipv4_type;
static const struct nft_expr_ops nft_redir_ipv4_ops = {
.type = &nft_redir_ipv4_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_redir)),
.eval = nft_redir_ipv4_eval,
.init = nft_redir_init,
.destroy = nft_redir_ipv4_destroy,
.dump = nft_redir_dump,
.validate = nft_redir_validate,
};
static struct nft_expr_type nft_redir_ipv4_type __read_mostly = {
.family = NFPROTO_IPV4,
.name = "redir",
.ops = &nft_redir_ipv4_ops,
.policy = nft_redir_policy,
.maxattr = NFTA_REDIR_MAX,
.owner = THIS_MODULE,
};
static int __init nft_redir_ipv4_module_init(void)
{
return nft_register_expr(&nft_redir_ipv4_type);
}
static void __exit nft_redir_ipv4_module_exit(void)
{
nft_unregister_expr(&nft_redir_ipv4_type);
}
module_init(nft_redir_ipv4_module_init);
module_exit(nft_redir_ipv4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "redir");
...@@ -31,34 +31,6 @@ config NFT_CHAIN_ROUTE_IPV6 ...@@ -31,34 +31,6 @@ config NFT_CHAIN_ROUTE_IPV6
fields such as the source, destination, flowlabel, hop-limit and fields such as the source, destination, flowlabel, hop-limit and
the packet mark. the packet mark.
if NF_NAT_IPV6
config NFT_CHAIN_NAT_IPV6
tristate "IPv6 nf_tables nat chain support"
help
This option enables the "nat" chain for IPv6 in nf_tables. This
chain type is used to perform Network Address Translation (NAT)
packet transformations such as the source, destination address and
source and destination ports.
config NFT_MASQ_IPV6
tristate "IPv6 masquerade support for nf_tables"
depends on NFT_MASQ
select NF_NAT_MASQUERADE_IPV6
help
This is the expression that provides IPv4 masquerading support for
nf_tables.
config NFT_REDIR_IPV6
tristate "IPv6 redirect support for nf_tables"
depends on NFT_REDIR
select NF_NAT_REDIRECT
help
This is the expression that provides IPv4 redirect support for
nf_tables.
endif # NF_NAT_IPV6
config NFT_REJECT_IPV6 config NFT_REJECT_IPV6
select NF_REJECT_IPV6 select NF_REJECT_IPV6
default NFT_REJECT default NFT_REJECT
...@@ -106,23 +78,6 @@ config NF_LOG_IPV6 ...@@ -106,23 +78,6 @@ config NF_LOG_IPV6
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
select NF_LOG_COMMON select NF_LOG_COMMON
config NF_NAT_IPV6
tristate "IPv6 NAT"
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
select NF_NAT
help
The IPv6 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.
if NF_NAT_IPV6
config NF_NAT_MASQUERADE_IPV6
bool
endif # NF_NAT_IPV6
config IP6_NF_IPTABLES config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)" tristate "IP6 tables support (required for filtering)"
depends on INET && IPV6 depends on INET && IPV6
...@@ -311,7 +266,6 @@ config IP6_NF_NAT ...@@ -311,7 +266,6 @@ config IP6_NF_NAT
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
select NF_NAT select NF_NAT
select NF_NAT_IPV6
select NETFILTER_XT_NAT select NETFILTER_XT_NAT
help help
This enables the `nat' table in ip6tables. This allows masquerading, This enables the `nat' table in ip6tables. This allows masquerading,
...@@ -324,7 +278,7 @@ if IP6_NF_NAT ...@@ -324,7 +278,7 @@ if IP6_NF_NAT
config IP6_NF_TARGET_MASQUERADE config IP6_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support" tristate "MASQUERADE target support"
select NF_NAT_MASQUERADE_IPV6 select NF_NAT_MASQUERADE
help help
Masquerading is a special case of NAT: all outgoing connections are Masquerading is a special case of NAT: all outgoing connections are
changed to seem to come from a particular interface's address, and changed to seem to come from a particular interface's address, and
......
...@@ -11,10 +11,6 @@ obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o ...@@ -11,10 +11,6 @@ obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o
nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o
nf_nat_ipv6-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o
obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o
# defrag # defrag
nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o
obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
...@@ -32,10 +28,7 @@ obj-$(CONFIG_NF_DUP_IPV6) += nf_dup_ipv6.o ...@@ -32,10 +28,7 @@ obj-$(CONFIG_NF_DUP_IPV6) += nf_dup_ipv6.o
# nf_tables # nf_tables
obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
obj-$(CONFIG_NFT_MASQ_IPV6) += nft_masq_ipv6.o
obj-$(CONFIG_NFT_REDIR_IPV6) += nft_redir_ipv6.o
obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o
obj-$(CONFIG_NFT_FIB_IPV6) += nft_fib_ipv6.o obj-$(CONFIG_NFT_FIB_IPV6) += nft_fib_ipv6.o
......
...@@ -17,8 +17,6 @@ ...@@ -17,8 +17,6 @@
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_l3proto.h>
static int __net_init ip6table_nat_table_init(struct net *net); static int __net_init ip6table_nat_table_init(struct net *net);
...@@ -72,10 +70,10 @@ static int ip6t_nat_register_lookups(struct net *net) ...@@ -72,10 +70,10 @@ static int ip6t_nat_register_lookups(struct net *net)
int i, ret; int i, ret;
for (i = 0; i < ARRAY_SIZE(nf_nat_ipv6_ops); i++) { for (i = 0; i < ARRAY_SIZE(nf_nat_ipv6_ops); i++) {
ret = nf_nat_l3proto_ipv6_register_fn(net, &nf_nat_ipv6_ops[i]); ret = nf_nat_ipv6_register_fn(net, &nf_nat_ipv6_ops[i]);
if (ret) { if (ret) {
while (i) while (i)
nf_nat_l3proto_ipv6_unregister_fn(net, &nf_nat_ipv6_ops[--i]); nf_nat_ipv6_unregister_fn(net, &nf_nat_ipv6_ops[--i]);
return ret; return ret;
} }
...@@ -89,7 +87,7 @@ static void ip6t_nat_unregister_lookups(struct net *net) ...@@ -89,7 +87,7 @@ static void ip6t_nat_unregister_lookups(struct net *net)
int i; int i;
for (i = 0; i < ARRAY_SIZE(nf_nat_ipv6_ops); i++) for (i = 0; i < ARRAY_SIZE(nf_nat_ipv6_ops); i++)
nf_nat_l3proto_ipv6_unregister_fn(net, &nf_nat_ipv6_ops[i]); nf_nat_ipv6_unregister_fn(net, &nf_nat_ipv6_ops[i]);
} }
static int __net_init ip6table_nat_table_init(struct net *net) static int __net_init ip6table_nat_table_init(struct net *net)
......
This diff is collapsed.
/*
* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* Based on Rusty Russell's IPv6 MASQUERADE target. Development of IPv6
* NAT funded by Astaro.
*/
#include <linux/kernel.h>
#include <linux/atomic.h>
#include <linux/netdevice.h>
#include <linux/ipv6.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
#include <net/netfilter/nf_nat.h>
#include <net/addrconf.h>
#include <net/ipv6.h>
#include <net/netfilter/ipv6/nf_nat_masquerade.h>
#define MAX_WORK_COUNT 16
static atomic_t v6_worker_count;
static int
nat_ipv6_dev_get_saddr(struct net *net, const struct net_device *dev,
const struct in6_addr *daddr, unsigned int srcprefs,
struct in6_addr *saddr)
{
#ifdef CONFIG_IPV6_MODULE
const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
if (!v6_ops)
return -EHOSTUNREACH;
return v6_ops->dev_get_saddr(net, dev, daddr, srcprefs, saddr);
#else
return ipv6_dev_get_saddr(net, dev, daddr, srcprefs, saddr);
#endif
}
unsigned int
nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
const struct net_device *out)
{
enum ip_conntrack_info ctinfo;
struct nf_conn_nat *nat;
struct in6_addr src;
struct nf_conn *ct;
struct nf_nat_range2 newrange;
ct = nf_ct_get(skb, &ctinfo);
WARN_ON(!(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
ctinfo == IP_CT_RELATED_REPLY)));
if (nat_ipv6_dev_get_saddr(nf_ct_net(ct), out,
&ipv6_hdr(skb)->daddr, 0, &src) < 0)
return NF_DROP;
nat = nf_ct_nat_ext_add(ct);
if (nat)
nat->masq_index = out->ifindex;
newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.in6 = src;
newrange.max_addr.in6 = src;
newrange.min_proto = range->min_proto;
newrange.max_proto = range->max_proto;
return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6);
static int device_cmp(struct nf_conn *ct, void *ifindex)
{
const struct nf_conn_nat *nat = nfct_nat(ct);
if (!nat)
return 0;
if (nf_ct_l3num(ct) != NFPROTO_IPV6)
return 0;
return nat->masq_index == (int)(long)ifindex;
}
static int masq_device_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
const struct net_device *dev = netdev_notifier_info_to_dev(ptr);
struct net *net = dev_net(dev);
if (event == NETDEV_DOWN)
nf_ct_iterate_cleanup_net(net, device_cmp,
(void *)(long)dev->ifindex, 0, 0);
return NOTIFY_DONE;
}
static struct notifier_block masq_dev_notifier = {
.notifier_call = masq_device_event,
};
struct masq_dev_work {
struct work_struct work;
struct net *net;
struct in6_addr addr;
int ifindex;
};
static int inet_cmp(struct nf_conn *ct, void *work)
{
struct masq_dev_work *w = (struct masq_dev_work *)work;
struct nf_conntrack_tuple *tuple;
if (!device_cmp(ct, (void *)(long)w->ifindex))
return 0;
tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
return ipv6_addr_equal(&w->addr, &tuple->dst.u3.in6);
}
static void iterate_cleanup_work(struct work_struct *work)
{
struct masq_dev_work *w;
w = container_of(work, struct masq_dev_work, work);
nf_ct_iterate_cleanup_net(w->net, inet_cmp, (void *)w, 0, 0);
put_net(w->net);
kfree(w);
atomic_dec(&v6_worker_count);
module_put(THIS_MODULE);
}
/* ipv6 inet notifier is an atomic notifier, i.e. we cannot
* schedule.
*
* Unfortunately, nf_ct_iterate_cleanup_net can run for a long
* time if there are lots of conntracks and the system
* handles high softirq load, so it frequently calls cond_resched
* while iterating the conntrack table.
*
* So we defer nf_ct_iterate_cleanup_net walk to the system workqueue.
*
* As we can have 'a lot' of inet_events (depending on amount
* of ipv6 addresses being deleted), we also need to add an upper
* limit to the number of queued work items.
*/
static int masq_inet6_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct inet6_ifaddr *ifa = ptr;
const struct net_device *dev;
struct masq_dev_work *w;
struct net *net;
if (event != NETDEV_DOWN ||
atomic_read(&v6_worker_count) >= MAX_WORK_COUNT)
return NOTIFY_DONE;
dev = ifa->idev->dev;
net = maybe_get_net(dev_net(dev));
if (!net)
return NOTIFY_DONE;
if (!try_module_get(THIS_MODULE))
goto err_module;
w = kmalloc(sizeof(*w), GFP_ATOMIC);
if (w) {
atomic_inc(&v6_worker_count);
INIT_WORK(&w->work, iterate_cleanup_work);
w->ifindex = dev->ifindex;
w->net = net;
w->addr = ifa->addr;
schedule_work(&w->work);
return NOTIFY_DONE;
}
module_put(THIS_MODULE);
err_module:
put_net(net);
return NOTIFY_DONE;
}
static struct notifier_block masq_inet6_notifier = {
.notifier_call = masq_inet6_event,
};
static int masq_refcnt;
static DEFINE_MUTEX(masq_mutex);
int nf_nat_masquerade_ipv6_register_notifier(void)
{
int ret = 0;
mutex_lock(&masq_mutex);
/* check if the notifier is already set */
if (++masq_refcnt > 1)
goto out_unlock;
ret = register_netdevice_notifier(&masq_dev_notifier);
if (ret)
goto err_dec;
ret = register_inet6addr_notifier(&masq_inet6_notifier);
if (ret)
goto err_unregister;
mutex_unlock(&masq_mutex);
return ret;
err_unregister:
unregister_netdevice_notifier(&masq_dev_notifier);
err_dec:
masq_refcnt--;
out_unlock:
mutex_unlock(&masq_mutex);
return ret;
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier);
void nf_nat_masquerade_ipv6_unregister_notifier(void)
{
mutex_lock(&masq_mutex);
/* check if the notifier still has clients */
if (--masq_refcnt > 0)
goto out_unlock;
unregister_inet6addr_notifier(&masq_inet6_notifier);
unregister_netdevice_notifier(&masq_dev_notifier);
out_unlock:
mutex_unlock(&masq_mutex);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier);
/*
* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
* Copyright (c) 2012 Intel Corporation
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
*/
#include <linux/module.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_ipv6.h>
#include <net/netfilter/nf_nat_l3proto.h>
#include <net/ipv6.h>
static unsigned int nft_nat_do_chain(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
struct nft_pktinfo pkt;
nft_set_pktinfo(&pkt, skb, state);
nft_set_pktinfo_ipv6(&pkt, skb);
return nft_do_chain(&pkt, priv);
}
static int nft_nat_ipv6_reg(struct net *net, const struct nf_hook_ops *ops)
{
return nf_nat_l3proto_ipv6_register_fn(net, ops);
}
static void nft_nat_ipv6_unreg(struct net *net, const struct nf_hook_ops *ops)
{
nf_nat_l3proto_ipv6_unregister_fn(net, ops);
}
static const struct nft_chain_type nft_chain_nat_ipv6 = {
.name = "nat",
.type = NFT_CHAIN_T_NAT,
.family = NFPROTO_IPV6,
.owner = THIS_MODULE,
.hook_mask = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_LOCAL_IN),
.hooks = {
[NF_INET_PRE_ROUTING] = nft_nat_do_chain,
[NF_INET_POST_ROUTING] = nft_nat_do_chain,
[NF_INET_LOCAL_OUT] = nft_nat_do_chain,
[NF_INET_LOCAL_IN] = nft_nat_do_chain,
},
.ops_register = nft_nat_ipv6_reg,
.ops_unregister = nft_nat_ipv6_unreg,
};
static int __init nft_chain_nat_ipv6_init(void)
{
nft_register_chain_type(&nft_chain_nat_ipv6);
return 0;
}
static void __exit nft_chain_nat_ipv6_exit(void)
{
nft_unregister_chain_type(&nft_chain_nat_ipv6);
}
module_init(nft_chain_nat_ipv6_init);
module_exit(nft_chain_nat_ipv6_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
MODULE_ALIAS_NFT_CHAIN(AF_INET6, "nat");
/*
* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo@debian.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nft_masq.h>
#include <net/netfilter/ipv6/nf_nat_masquerade.h>
static void nft_masq_ipv6_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_masq *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_max]);
}
regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range,
nft_out(pkt));
}
static void
nft_masq_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
}
static struct nft_expr_type nft_masq_ipv6_type;
static const struct nft_expr_ops nft_masq_ipv6_ops = {
.type = &nft_masq_ipv6_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
.eval = nft_masq_ipv6_eval,
.init = nft_masq_init,
.destroy = nft_masq_ipv6_destroy,
.dump = nft_masq_dump,
.validate = nft_masq_validate,
};
static struct nft_expr_type nft_masq_ipv6_type __read_mostly = {
.family = NFPROTO_IPV6,
.name = "masq",
.ops = &nft_masq_ipv6_ops,
.policy = nft_masq_policy,
.maxattr = NFTA_MASQ_MAX,
.owner = THIS_MODULE,
};
static int __init nft_masq_ipv6_module_init(void)
{
int ret;
ret = nft_register_expr(&nft_masq_ipv6_type);
if (ret < 0)
return ret;
ret = nf_nat_masquerade_ipv6_register_notifier();
if (ret)
nft_unregister_expr(&nft_masq_ipv6_type);
return ret;
}
static void __exit nft_masq_ipv6_module_exit(void)
{
nft_unregister_expr(&nft_masq_ipv6_type);
nf_nat_masquerade_ipv6_unregister_notifier();
}
module_init(nft_masq_ipv6_module_init);
module_exit(nft_masq_ipv6_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq");
/*
* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo@debian.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nft_redir.h>
#include <net/netfilter/nf_nat_redirect.h>
static void nft_redir_ipv6_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_redir *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_max]);
range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}
range.flags |= priv->flags;
regs->verdict.code =
nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
}
static void
nft_redir_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
}
static struct nft_expr_type nft_redir_ipv6_type;
static const struct nft_expr_ops nft_redir_ipv6_ops = {
.type = &nft_redir_ipv6_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_redir)),
.eval = nft_redir_ipv6_eval,
.init = nft_redir_init,
.destroy = nft_redir_ipv6_destroy,
.dump = nft_redir_dump,
.validate = nft_redir_validate,
};
static struct nft_expr_type nft_redir_ipv6_type __read_mostly = {
.family = NFPROTO_IPV6,
.name = "redir",
.ops = &nft_redir_ipv6_ops,
.policy = nft_redir_policy,
.maxattr = NFTA_REDIR_MAX,
.owner = THIS_MODULE,
};
static int __init nft_redir_ipv6_module_init(void)
{
return nft_register_expr(&nft_redir_ipv6_type);
}
static void __exit nft_redir_ipv6_module_exit(void)
{
nft_unregister_expr(&nft_redir_ipv6_type);
}
module_init(nft_redir_ipv6_module_init);
module_exit(nft_redir_ipv6_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "redir");
...@@ -396,7 +396,13 @@ config NETFILTER_NETLINK_GLUE_CT ...@@ -396,7 +396,13 @@ config NETFILTER_NETLINK_GLUE_CT
the enqueued via NFNETLINK. the enqueued via NFNETLINK.
config NF_NAT config NF_NAT
tristate tristate "Network Address Translation support"
depends on NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
help
The NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables, ip6tables or nft.
config NF_NAT_NEEDED config NF_NAT_NEEDED
bool bool
...@@ -431,6 +437,9 @@ config NF_NAT_TFTP ...@@ -431,6 +437,9 @@ config NF_NAT_TFTP
config NF_NAT_REDIRECT config NF_NAT_REDIRECT
bool bool
config NF_NAT_MASQUERADE
bool
config NETFILTER_SYNPROXY config NETFILTER_SYNPROXY
tristate tristate
...@@ -523,6 +532,7 @@ config NFT_LIMIT ...@@ -523,6 +532,7 @@ config NFT_LIMIT
config NFT_MASQ config NFT_MASQ
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NF_NAT depends on NF_NAT
select NF_NAT_MASQUERADE
tristate "Netfilter nf_tables masquerade support" tristate "Netfilter nf_tables masquerade support"
help help
This option adds the "masquerade" expression that you can use This option adds the "masquerade" expression that you can use
...@@ -532,6 +542,7 @@ config NFT_REDIR ...@@ -532,6 +542,7 @@ config NFT_REDIR
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NF_NAT depends on NF_NAT
tristate "Netfilter nf_tables redirect support" tristate "Netfilter nf_tables redirect support"
select NF_NAT_REDIRECT
help help
This options adds the "redirect" expression that you can use This options adds the "redirect" expression that you can use
to perform NAT in the redirect flavour. to perform NAT in the redirect flavour.
...@@ -539,6 +550,7 @@ config NFT_REDIR ...@@ -539,6 +550,7 @@ config NFT_REDIR
config NFT_NAT config NFT_NAT
depends on NF_CONNTRACK depends on NF_CONNTRACK
select NF_NAT select NF_NAT
depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
tristate "Netfilter nf_tables nat module" tristate "Netfilter nf_tables nat module"
help help
This option adds the "nat" expression that you can use to perform This option adds the "nat" expression that you can use to perform
......
...@@ -56,6 +56,7 @@ obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o ...@@ -56,6 +56,7 @@ obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o
obj-$(CONFIG_NF_NAT) += nf_nat.o obj-$(CONFIG_NF_NAT) += nf_nat.o
nf_nat-$(CONFIG_NF_NAT_REDIRECT) += nf_nat_redirect.o nf_nat-$(CONFIG_NF_NAT_REDIRECT) += nf_nat_redirect.o
nf_nat-$(CONFIG_NF_NAT_MASQUERADE) += nf_nat_masquerade.o
# NAT helpers # NAT helpers
obj-$(CONFIG_NF_NAT_AMANDA) += nf_nat_amanda.o obj-$(CONFIG_NF_NAT_AMANDA) += nf_nat_amanda.o
...@@ -109,6 +110,8 @@ obj-$(CONFIG_NFT_OSF) += nft_osf.o ...@@ -109,6 +110,8 @@ obj-$(CONFIG_NFT_OSF) += nft_osf.o
obj-$(CONFIG_NFT_TPROXY) += nft_tproxy.o obj-$(CONFIG_NFT_TPROXY) += nft_tproxy.o
obj-$(CONFIG_NFT_XFRM) += nft_xfrm.o obj-$(CONFIG_NFT_XFRM) += nft_xfrm.o
obj-$(CONFIG_NFT_NAT) += nft_chain_nat.o
# nf_tables netdev # nf_tables netdev
obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o
obj-$(CONFIG_NFT_FWD_NETDEV) += nft_fwd_netdev.o obj-$(CONFIG_NFT_FWD_NETDEV) += nft_fwd_netdev.o
......
...@@ -3086,7 +3086,7 @@ static bool ip_vs_is_af_valid(int af) ...@@ -3086,7 +3086,7 @@ static bool ip_vs_is_af_valid(int af)
static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs, static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs,
struct ip_vs_service_user_kern *usvc, struct ip_vs_service_user_kern *usvc,
struct nlattr *nla, int full_entry, struct nlattr *nla, bool full_entry,
struct ip_vs_service **ret_svc) struct ip_vs_service **ret_svc)
{ {
struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1]; struct nlattr *attrs[IPVS_SVC_ATTR_MAX + 1];
...@@ -3173,7 +3173,7 @@ static struct ip_vs_service *ip_vs_genl_find_service(struct netns_ipvs *ipvs, ...@@ -3173,7 +3173,7 @@ static struct ip_vs_service *ip_vs_genl_find_service(struct netns_ipvs *ipvs,
struct ip_vs_service *svc; struct ip_vs_service *svc;
int ret; int ret;
ret = ip_vs_genl_parse_service(ipvs, &usvc, nla, 0, &svc); ret = ip_vs_genl_parse_service(ipvs, &usvc, nla, false, &svc);
return ret ? ERR_PTR(ret) : svc; return ret ? ERR_PTR(ret) : svc;
} }
...@@ -3283,7 +3283,7 @@ static int ip_vs_genl_dump_dests(struct sk_buff *skb, ...@@ -3283,7 +3283,7 @@ static int ip_vs_genl_dump_dests(struct sk_buff *skb,
} }
static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest, static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
struct nlattr *nla, int full_entry) struct nlattr *nla, bool full_entry)
{ {
struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1]; struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1];
struct nlattr *nla_addr, *nla_port; struct nlattr *nla_addr, *nla_port;
...@@ -3545,11 +3545,11 @@ static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info) ...@@ -3545,11 +3545,11 @@ static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info) static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
{ {
bool need_full_svc = false, need_full_dest = false;
struct ip_vs_service *svc = NULL; struct ip_vs_service *svc = NULL;
struct ip_vs_service_user_kern usvc; struct ip_vs_service_user_kern usvc;
struct ip_vs_dest_user_kern udest; struct ip_vs_dest_user_kern udest;
int ret = 0, cmd; int ret = 0, cmd;
int need_full_svc = 0, need_full_dest = 0;
struct net *net = sock_net(skb->sk); struct net *net = sock_net(skb->sk);
struct netns_ipvs *ipvs = net_ipvs(net); struct netns_ipvs *ipvs = net_ipvs(net);
...@@ -3573,7 +3573,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info) ...@@ -3573,7 +3573,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
* received a valid one. We need a full service specification when * received a valid one. We need a full service specification when
* adding / editing a service. Only identifying members otherwise. */ * adding / editing a service. Only identifying members otherwise. */
if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE) if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
need_full_svc = 1; need_full_svc = true;
ret = ip_vs_genl_parse_service(ipvs, &usvc, ret = ip_vs_genl_parse_service(ipvs, &usvc,
info->attrs[IPVS_CMD_ATTR_SERVICE], info->attrs[IPVS_CMD_ATTR_SERVICE],
...@@ -3593,7 +3593,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info) ...@@ -3593,7 +3593,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST || if (cmd == IPVS_CMD_NEW_DEST || cmd == IPVS_CMD_SET_DEST ||
cmd == IPVS_CMD_DEL_DEST) { cmd == IPVS_CMD_DEL_DEST) {
if (cmd != IPVS_CMD_DEL_DEST) if (cmd != IPVS_CMD_DEL_DEST)
need_full_dest = 1; need_full_dest = true;
ret = ip_vs_genl_parse_dest(&udest, ret = ip_vs_genl_parse_dest(&udest,
info->attrs[IPVS_CMD_ATTR_DEST], info->attrs[IPVS_CMD_ATTR_DEST],
......
...@@ -124,7 +124,7 @@ static int ip_vs_ftp_get_addrport(char *data, char *data_limit, ...@@ -124,7 +124,7 @@ static int ip_vs_ftp_get_addrport(char *data, char *data_limit,
} }
s = data + plen; s = data + plen;
if (skip) { if (skip) {
int found = 0; bool found = false;
for (;; s++) { for (;; s++) {
if (s == data_limit) if (s == data_limit)
...@@ -136,7 +136,7 @@ static int ip_vs_ftp_get_addrport(char *data, char *data_limit, ...@@ -136,7 +136,7 @@ static int ip_vs_ftp_get_addrport(char *data, char *data_limit,
if (!ext && isdigit(*s)) if (!ext && isdigit(*s))
break; break;
if (*s == skip) if (*s == skip)
found = 1; found = true;
} else if (*s != skip) { } else if (*s != skip) {
break; break;
} }
......
...@@ -186,7 +186,7 @@ static int ...@@ -186,7 +186,7 @@ static int
sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp) sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
{ {
unsigned int sctphoff; unsigned int sctphoff;
struct sctphdr *sh, _sctph; struct sctphdr *sh;
__le32 cmp, val; __le32 cmp, val;
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
...@@ -196,10 +196,7 @@ sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp) ...@@ -196,10 +196,7 @@ sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
#endif #endif
sctphoff = ip_hdrlen(skb); sctphoff = ip_hdrlen(skb);
sh = skb_header_pointer(skb, sctphoff, sizeof(_sctph), &_sctph); sh = (struct sctphdr *)(skb->data + sctphoff);
if (sh == NULL)
return 0;
cmp = sh->checksum; cmp = sh->checksum;
val = sctp_compute_cksum(skb, sctphoff); val = sctp_compute_cksum(skb, sctphoff);
......
...@@ -153,8 +153,8 @@ tcp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -153,8 +153,8 @@ tcp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
{ {
struct tcphdr *tcph; struct tcphdr *tcph;
unsigned int tcphoff = iph->len; unsigned int tcphoff = iph->len;
bool payload_csum = false;
int oldlen; int oldlen;
int payload_csum = 0;
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
if (cp->af == AF_INET6 && iph->fragoffs) if (cp->af == AF_INET6 && iph->fragoffs)
...@@ -180,7 +180,7 @@ tcp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -180,7 +180,7 @@ tcp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
if (ret == 1) if (ret == 1)
oldlen = skb->len - tcphoff; oldlen = skb->len - tcphoff;
else else
payload_csum = 1; payload_csum = true;
} }
tcph = (void *)skb_network_header(skb) + tcphoff; tcph = (void *)skb_network_header(skb) + tcphoff;
...@@ -231,8 +231,8 @@ tcp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -231,8 +231,8 @@ tcp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
{ {
struct tcphdr *tcph; struct tcphdr *tcph;
unsigned int tcphoff = iph->len; unsigned int tcphoff = iph->len;
bool payload_csum = false;
int oldlen; int oldlen;
int payload_csum = 0;
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
if (cp->af == AF_INET6 && iph->fragoffs) if (cp->af == AF_INET6 && iph->fragoffs)
...@@ -261,7 +261,7 @@ tcp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -261,7 +261,7 @@ tcp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
if (ret == 1) if (ret == 1)
oldlen = skb->len - tcphoff; oldlen = skb->len - tcphoff;
else else
payload_csum = 1; payload_csum = true;
} }
tcph = (void *)skb_network_header(skb) + tcphoff; tcph = (void *)skb_network_header(skb) + tcphoff;
......
...@@ -143,8 +143,8 @@ udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -143,8 +143,8 @@ udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
{ {
struct udphdr *udph; struct udphdr *udph;
unsigned int udphoff = iph->len; unsigned int udphoff = iph->len;
bool payload_csum = false;
int oldlen; int oldlen;
int payload_csum = 0;
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
if (cp->af == AF_INET6 && iph->fragoffs) if (cp->af == AF_INET6 && iph->fragoffs)
...@@ -172,7 +172,7 @@ udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -172,7 +172,7 @@ udp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
if (ret == 1) if (ret == 1)
oldlen = skb->len - udphoff; oldlen = skb->len - udphoff;
else else
payload_csum = 1; payload_csum = true;
} }
udph = (void *)skb_network_header(skb) + udphoff; udph = (void *)skb_network_header(skb) + udphoff;
...@@ -226,8 +226,8 @@ udp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -226,8 +226,8 @@ udp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
{ {
struct udphdr *udph; struct udphdr *udph;
unsigned int udphoff = iph->len; unsigned int udphoff = iph->len;
bool payload_csum = false;
int oldlen; int oldlen;
int payload_csum = 0;
#ifdef CONFIG_IP_VS_IPV6 #ifdef CONFIG_IP_VS_IPV6
if (cp->af == AF_INET6 && iph->fragoffs) if (cp->af == AF_INET6 && iph->fragoffs)
...@@ -256,7 +256,7 @@ udp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, ...@@ -256,7 +256,7 @@ udp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
if (ret == 1) if (ret == 1)
oldlen = skb->len - udphoff; oldlen = skb->len - udphoff;
else else
payload_csum = 1; payload_csum = true;
} }
udph = (void *)skb_network_header(skb) + udphoff; udph = (void *)skb_network_header(skb) + udphoff;
......
...@@ -126,7 +126,7 @@ static struct rtable *do_output_route4(struct net *net, __be32 daddr, ...@@ -126,7 +126,7 @@ static struct rtable *do_output_route4(struct net *net, __be32 daddr,
{ {
struct flowi4 fl4; struct flowi4 fl4;
struct rtable *rt; struct rtable *rt;
int loop = 0; bool loop = false;
memset(&fl4, 0, sizeof(fl4)); memset(&fl4, 0, sizeof(fl4));
fl4.daddr = daddr; fl4.daddr = daddr;
...@@ -149,7 +149,7 @@ static struct rtable *do_output_route4(struct net *net, __be32 daddr, ...@@ -149,7 +149,7 @@ static struct rtable *do_output_route4(struct net *net, __be32 daddr,
ip_rt_put(rt); ip_rt_put(rt);
*saddr = fl4.saddr; *saddr = fl4.saddr;
flowi4_update_output(&fl4, 0, 0, daddr, fl4.saddr); flowi4_update_output(&fl4, 0, 0, daddr, fl4.saddr);
loop++; loop = true;
goto retry; goto retry;
} }
*saddr = fl4.saddr; *saddr = fl4.saddr;
......
...@@ -54,6 +54,7 @@ enum amanda_strings { ...@@ -54,6 +54,7 @@ enum amanda_strings {
SEARCH_DATA, SEARCH_DATA,
SEARCH_MESG, SEARCH_MESG,
SEARCH_INDEX, SEARCH_INDEX,
SEARCH_STATE,
}; };
static struct { static struct {
...@@ -81,6 +82,10 @@ static struct { ...@@ -81,6 +82,10 @@ static struct {
.string = "INDEX ", .string = "INDEX ",
.len = 6, .len = 6,
}, },
[SEARCH_STATE] = {
.string = "STATE ",
.len = 6,
},
}; };
static int amanda_help(struct sk_buff *skb, static int amanda_help(struct sk_buff *skb,
...@@ -124,7 +129,7 @@ static int amanda_help(struct sk_buff *skb, ...@@ -124,7 +129,7 @@ static int amanda_help(struct sk_buff *skb,
goto out; goto out;
stop += start; stop += start;
for (i = SEARCH_DATA; i <= SEARCH_INDEX; i++) { for (i = SEARCH_DATA; i <= SEARCH_STATE; i++) {
off = skb_find_text(skb, start, stop, search[i].ts); off = skb_find_text(skb, start, stop, search[i].ts);
if (off == UINT_MAX) if (off == UINT_MAX)
continue; continue;
...@@ -168,7 +173,7 @@ static int amanda_help(struct sk_buff *skb, ...@@ -168,7 +173,7 @@ static int amanda_help(struct sk_buff *skb,
} }
static const struct nf_conntrack_expect_policy amanda_exp_policy = { static const struct nf_conntrack_expect_policy amanda_exp_policy = {
.max_expected = 3, .max_expected = 4,
.timeout = 180, .timeout = 180,
}; };
......
...@@ -51,7 +51,6 @@ ...@@ -51,7 +51,6 @@
#include <net/netfilter/nf_conntrack_labels.h> #include <net/netfilter/nf_conntrack_labels.h>
#include <net/netfilter/nf_conntrack_synproxy.h> #include <net/netfilter/nf_conntrack_synproxy.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_helper.h> #include <net/netfilter/nf_nat_helper.h>
#include <net/netns/hash.h> #include <net/netns/hash.h>
#include <net/ip.h> #include <net/ip.h>
...@@ -1752,11 +1751,9 @@ EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply); ...@@ -1752,11 +1751,9 @@ EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply);
void __nf_ct_refresh_acct(struct nf_conn *ct, void __nf_ct_refresh_acct(struct nf_conn *ct,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct sk_buff *skb, const struct sk_buff *skb,
unsigned long extra_jiffies, u32 extra_jiffies,
int do_acct) bool do_acct)
{ {
WARN_ON(!skb);
/* Only update if this is not a fixed timeout */ /* Only update if this is not a fixed timeout */
if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status))
goto acct; goto acct;
...@@ -1765,6 +1762,7 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, ...@@ -1765,6 +1762,7 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
if (nf_ct_is_confirmed(ct)) if (nf_ct_is_confirmed(ct))
extra_jiffies += nfct_time_stamp; extra_jiffies += nfct_time_stamp;
if (ct->timeout != extra_jiffies)
ct->timeout = extra_jiffies; ct->timeout = extra_jiffies;
acct: acct:
if (do_acct) if (do_acct)
...@@ -2482,6 +2480,7 @@ int nf_conntrack_init_net(struct net *net) ...@@ -2482,6 +2480,7 @@ int nf_conntrack_init_net(struct net *net)
int cpu; int cpu;
BUILD_BUG_ON(IP_CT_UNTRACKED == IP_CT_NUMBER); BUILD_BUG_ON(IP_CT_UNTRACKED == IP_CT_NUMBER);
BUILD_BUG_ON_NOT_POWER_OF_2(CONNTRACK_LOCKS);
atomic_set(&net->ct.count, 0); atomic_set(&net->ct.count, 0);
net->ct.pcpu_lists = alloc_percpu(struct ct_pcpu); net->ct.pcpu_lists = alloc_percpu(struct ct_pcpu);
......
...@@ -46,7 +46,7 @@ ...@@ -46,7 +46,7 @@
#include <net/netfilter/nf_conntrack_labels.h> #include <net/netfilter/nf_conntrack_labels.h>
#include <net/netfilter/nf_conntrack_synproxy.h> #include <net/netfilter/nf_conntrack_synproxy.h>
#ifdef CONFIG_NF_NAT_NEEDED #ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_core.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_helper.h> #include <net/netfilter/nf_nat_helper.h>
#endif #endif
......
...@@ -828,6 +828,12 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -828,6 +828,12 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
return true; return true;
} }
static bool nf_conntrack_tcp_established(const struct nf_conn *ct)
{
return ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED &&
test_bit(IPS_ASSURED_BIT, &ct->status);
}
/* Returns verdict for packet, or -1 for invalid. */ /* Returns verdict for packet, or -1 for invalid. */
int nf_conntrack_tcp_packet(struct nf_conn *ct, int nf_conntrack_tcp_packet(struct nf_conn *ct,
struct sk_buff *skb, struct sk_buff *skb,
...@@ -1030,16 +1036,38 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, ...@@ -1030,16 +1036,38 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
new_state = TCP_CONNTRACK_ESTABLISHED; new_state = TCP_CONNTRACK_ESTABLISHED;
break; break;
case TCP_CONNTRACK_CLOSE: case TCP_CONNTRACK_CLOSE:
if (index == TCP_RST_SET if (index != TCP_RST_SET)
&& (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) break;
&& before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
if (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) {
u32 seq = ntohl(th->seq);
if (before(seq, ct->proto.tcp.seen[!dir].td_maxack)) {
/* Invalid RST */ /* Invalid RST */
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
nf_ct_l4proto_log_invalid(skb, ct, "invalid rst"); nf_ct_l4proto_log_invalid(skb, ct, "invalid rst");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
if (index == TCP_RST_SET
&& ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) if (!nf_conntrack_tcp_established(ct) ||
seq == ct->proto.tcp.seen[!dir].td_maxack)
break;
/* Check if rst is part of train, such as
* foo:80 > bar:4379: P, 235946583:235946602(19) ack 42
* foo:80 > bar:4379: R, 235946602:235946602(0) ack 42
*/
if (ct->proto.tcp.last_index == TCP_ACK_SET &&
ct->proto.tcp.last_dir == dir &&
seq == ct->proto.tcp.last_end)
break;
/* ... RST sequence number doesn't match exactly, keep
* established state to allow a possible challenge ACK.
*/
new_state = old_state;
}
if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
&& ct->proto.tcp.last_index == TCP_SYN_SET) && ct->proto.tcp.last_index == TCP_SYN_SET)
|| (!test_bit(IPS_ASSURED_BIT, &ct->status) || (!test_bit(IPS_ASSURED_BIT, &ct->status)
&& ct->proto.tcp.last_index == TCP_ACK_SET)) && ct->proto.tcp.last_index == TCP_ACK_SET))
...@@ -1055,7 +1083,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, ...@@ -1055,7 +1083,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
* segments we ignored. */ * segments we ignored. */
goto in_window; goto in_window;
} }
/* Just fall through */ break;
default: default:
/* Keep compilers happy. */ /* Keep compilers happy. */
break; break;
...@@ -1090,6 +1118,8 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, ...@@ -1090,6 +1118,8 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
if (ct->proto.tcp.retrans >= tn->tcp_max_retrans && if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS]) timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
timeout = timeouts[TCP_CONNTRACK_RETRANS]; timeout = timeouts[TCP_CONNTRACK_RETRANS];
else if (unlikely(index == TCP_RST_SET))
timeout = timeouts[TCP_CONNTRACK_CLOSE];
else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) & else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED && IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK]) timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
......
...@@ -22,8 +22,6 @@ ...@@ -22,8 +22,6 @@
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h> #include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_l3proto.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_helper.h> #include <net/netfilter/nf_nat_helper.h>
#include <net/netfilter/nf_conntrack_helper.h> #include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_seqadj.h> #include <net/netfilter/nf_conntrack_seqadj.h>
...@@ -35,8 +33,6 @@ ...@@ -35,8 +33,6 @@
static spinlock_t nf_nat_locks[CONNTRACK_LOCKS]; static spinlock_t nf_nat_locks[CONNTRACK_LOCKS];
static DEFINE_MUTEX(nf_nat_proto_mutex); static DEFINE_MUTEX(nf_nat_proto_mutex);
static const struct nf_nat_l3proto __rcu *nf_nat_l3protos[NFPROTO_NUMPROTO]
__read_mostly;
static unsigned int nat_net_id __read_mostly; static unsigned int nat_net_id __read_mostly;
static struct hlist_head *nf_nat_bysource __read_mostly; static struct hlist_head *nf_nat_bysource __read_mostly;
...@@ -58,16 +54,75 @@ struct nat_net { ...@@ -58,16 +54,75 @@ struct nat_net {
struct nf_nat_hooks_net nat_proto_net[NFPROTO_NUMPROTO]; struct nf_nat_hooks_net nat_proto_net[NFPROTO_NUMPROTO];
}; };
inline const struct nf_nat_l3proto * #ifdef CONFIG_XFRM
__nf_nat_l3proto_find(u8 family) static void nf_nat_ipv4_decode_session(struct sk_buff *skb,
const struct nf_conn *ct,
enum ip_conntrack_dir dir,
unsigned long statusbit,
struct flowi *fl)
{ {
return rcu_dereference(nf_nat_l3protos[family]); const struct nf_conntrack_tuple *t = &ct->tuplehash[dir].tuple;
struct flowi4 *fl4 = &fl->u.ip4;
if (ct->status & statusbit) {
fl4->daddr = t->dst.u3.ip;
if (t->dst.protonum == IPPROTO_TCP ||
t->dst.protonum == IPPROTO_UDP ||
t->dst.protonum == IPPROTO_UDPLITE ||
t->dst.protonum == IPPROTO_DCCP ||
t->dst.protonum == IPPROTO_SCTP)
fl4->fl4_dport = t->dst.u.all;
}
statusbit ^= IPS_NAT_MASK;
if (ct->status & statusbit) {
fl4->saddr = t->src.u3.ip;
if (t->dst.protonum == IPPROTO_TCP ||
t->dst.protonum == IPPROTO_UDP ||
t->dst.protonum == IPPROTO_UDPLITE ||
t->dst.protonum == IPPROTO_DCCP ||
t->dst.protonum == IPPROTO_SCTP)
fl4->fl4_sport = t->src.u.all;
}
}
static void nf_nat_ipv6_decode_session(struct sk_buff *skb,
const struct nf_conn *ct,
enum ip_conntrack_dir dir,
unsigned long statusbit,
struct flowi *fl)
{
#if IS_ENABLED(CONFIG_IPV6)
const struct nf_conntrack_tuple *t = &ct->tuplehash[dir].tuple;
struct flowi6 *fl6 = &fl->u.ip6;
if (ct->status & statusbit) {
fl6->daddr = t->dst.u3.in6;
if (t->dst.protonum == IPPROTO_TCP ||
t->dst.protonum == IPPROTO_UDP ||
t->dst.protonum == IPPROTO_UDPLITE ||
t->dst.protonum == IPPROTO_DCCP ||
t->dst.protonum == IPPROTO_SCTP)
fl6->fl6_dport = t->dst.u.all;
}
statusbit ^= IPS_NAT_MASK;
if (ct->status & statusbit) {
fl6->saddr = t->src.u3.in6;
if (t->dst.protonum == IPPROTO_TCP ||
t->dst.protonum == IPPROTO_UDP ||
t->dst.protonum == IPPROTO_UDPLITE ||
t->dst.protonum == IPPROTO_DCCP ||
t->dst.protonum == IPPROTO_SCTP)
fl6->fl6_sport = t->src.u.all;
}
#endif
} }
#ifdef CONFIG_XFRM
static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl) static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl)
{ {
const struct nf_nat_l3proto *l3proto;
const struct nf_conn *ct; const struct nf_conn *ct;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir; enum ip_conntrack_dir dir;
...@@ -79,17 +134,20 @@ static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl) ...@@ -79,17 +134,20 @@ static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl)
return; return;
family = nf_ct_l3num(ct); family = nf_ct_l3num(ct);
l3proto = __nf_nat_l3proto_find(family);
if (l3proto == NULL)
return;
dir = CTINFO2DIR(ctinfo); dir = CTINFO2DIR(ctinfo);
if (dir == IP_CT_DIR_ORIGINAL) if (dir == IP_CT_DIR_ORIGINAL)
statusbit = IPS_DST_NAT; statusbit = IPS_DST_NAT;
else else
statusbit = IPS_SRC_NAT; statusbit = IPS_SRC_NAT;
l3proto->decode_session(skb, ct, dir, statusbit, fl); switch (family) {
case NFPROTO_IPV4:
nf_nat_ipv4_decode_session(skb, ct, dir, statusbit, fl);
return;
case NFPROTO_IPV6:
nf_nat_ipv6_decode_session(skb, ct, dir, statusbit, fl);
return;
}
} }
int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family) int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
...@@ -182,7 +240,7 @@ static bool l4proto_in_range(const struct nf_conntrack_tuple *tuple, ...@@ -182,7 +240,7 @@ static bool l4proto_in_range(const struct nf_conntrack_tuple *tuple,
__be16 port; __be16 port;
switch (tuple->dst.protonum) { switch (tuple->dst.protonum) {
case IPPROTO_ICMP: /* fallthrough */ case IPPROTO_ICMP:
case IPPROTO_ICMPV6: case IPPROTO_ICMPV6:
return ntohs(tuple->src.u.icmp.id) >= ntohs(min->icmp.id) && return ntohs(tuple->src.u.icmp.id) >= ntohs(min->icmp.id) &&
ntohs(tuple->src.u.icmp.id) <= ntohs(max->icmp.id); ntohs(tuple->src.u.icmp.id) <= ntohs(max->icmp.id);
...@@ -631,23 +689,6 @@ nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) ...@@ -631,23 +689,6 @@ nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
} }
EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding); EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);
static unsigned int nf_nat_manip_pkt(struct sk_buff *skb, struct nf_conn *ct,
enum nf_nat_manip_type mtype,
enum ip_conntrack_dir dir)
{
const struct nf_nat_l3proto *l3proto;
struct nf_conntrack_tuple target;
/* We are aiming to look like inverse of other direction. */
nf_ct_invert_tuple(&target, &ct->tuplehash[!dir].tuple);
l3proto = __nf_nat_l3proto_find(target.src.l3num);
if (!l3proto->manip_pkt(skb, 0, &target, mtype))
return NF_DROP;
return NF_ACCEPT;
}
/* Do packet manipulations according to nf_nat_setup_info. */ /* Do packet manipulations according to nf_nat_setup_info. */
unsigned int nf_nat_packet(struct nf_conn *ct, unsigned int nf_nat_packet(struct nf_conn *ct,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
...@@ -798,33 +839,6 @@ static int nf_nat_proto_clean(struct nf_conn *ct, void *data) ...@@ -798,33 +839,6 @@ static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
return 0; return 0;
} }
static void nf_nat_l3proto_clean(u8 l3proto)
{
struct nf_nat_proto_clean clean = {
.l3proto = l3proto,
};
nf_ct_iterate_destroy(nf_nat_proto_remove, &clean);
}
int nf_nat_l3proto_register(const struct nf_nat_l3proto *l3proto)
{
RCU_INIT_POINTER(nf_nat_l3protos[l3proto->l3proto], l3proto);
return 0;
}
EXPORT_SYMBOL_GPL(nf_nat_l3proto_register);
void nf_nat_l3proto_unregister(const struct nf_nat_l3proto *l3proto)
{
mutex_lock(&nf_nat_proto_mutex);
RCU_INIT_POINTER(nf_nat_l3protos[l3proto->l3proto], NULL);
mutex_unlock(&nf_nat_proto_mutex);
synchronize_rcu();
nf_nat_l3proto_clean(l3proto->l3proto);
}
EXPORT_SYMBOL_GPL(nf_nat_l3proto_unregister);
/* No one using conntrack by the time this called. */ /* No one using conntrack by the time this called. */
static void nf_nat_cleanup_conntrack(struct nf_conn *ct) static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
{ {
...@@ -887,10 +901,43 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = { ...@@ -887,10 +901,43 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
[CTA_NAT_PROTO] = { .type = NLA_NESTED }, [CTA_NAT_PROTO] = { .type = NLA_NESTED },
}; };
static int nf_nat_ipv4_nlattr_to_range(struct nlattr *tb[],
struct nf_nat_range2 *range)
{
if (tb[CTA_NAT_V4_MINIP]) {
range->min_addr.ip = nla_get_be32(tb[CTA_NAT_V4_MINIP]);
range->flags |= NF_NAT_RANGE_MAP_IPS;
}
if (tb[CTA_NAT_V4_MAXIP])
range->max_addr.ip = nla_get_be32(tb[CTA_NAT_V4_MAXIP]);
else
range->max_addr.ip = range->min_addr.ip;
return 0;
}
static int nf_nat_ipv6_nlattr_to_range(struct nlattr *tb[],
struct nf_nat_range2 *range)
{
if (tb[CTA_NAT_V6_MINIP]) {
nla_memcpy(&range->min_addr.ip6, tb[CTA_NAT_V6_MINIP],
sizeof(struct in6_addr));
range->flags |= NF_NAT_RANGE_MAP_IPS;
}
if (tb[CTA_NAT_V6_MAXIP])
nla_memcpy(&range->max_addr.ip6, tb[CTA_NAT_V6_MAXIP],
sizeof(struct in6_addr));
else
range->max_addr = range->min_addr;
return 0;
}
static int static int
nfnetlink_parse_nat(const struct nlattr *nat, nfnetlink_parse_nat(const struct nlattr *nat,
const struct nf_conn *ct, struct nf_nat_range2 *range, const struct nf_conn *ct, struct nf_nat_range2 *range)
const struct nf_nat_l3proto *l3proto)
{ {
struct nlattr *tb[CTA_NAT_MAX+1]; struct nlattr *tb[CTA_NAT_MAX+1];
int err; int err;
...@@ -901,8 +948,19 @@ nfnetlink_parse_nat(const struct nlattr *nat, ...@@ -901,8 +948,19 @@ nfnetlink_parse_nat(const struct nlattr *nat,
if (err < 0) if (err < 0)
return err; return err;
err = l3proto->nlattr_to_range(tb, range); switch (nf_ct_l3num(ct)) {
if (err < 0) case NFPROTO_IPV4:
err = nf_nat_ipv4_nlattr_to_range(tb, range);
break;
case NFPROTO_IPV6:
err = nf_nat_ipv6_nlattr_to_range(tb, range);
break;
default:
err = -EPROTONOSUPPORT;
break;
}
if (err)
return err; return err;
if (!tb[CTA_NAT_PROTO]) if (!tb[CTA_NAT_PROTO])
...@@ -918,7 +976,6 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct, ...@@ -918,7 +976,6 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
const struct nlattr *attr) const struct nlattr *attr)
{ {
struct nf_nat_range2 range; struct nf_nat_range2 range;
const struct nf_nat_l3proto *l3proto;
int err; int err;
/* Should not happen, restricted to creating new conntracks /* Should not happen, restricted to creating new conntracks
...@@ -927,18 +984,11 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct, ...@@ -927,18 +984,11 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
if (WARN_ON_ONCE(nf_nat_initialized(ct, manip))) if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
return -EEXIST; return -EEXIST;
/* Make sure that L3 NAT is there by when we call nf_nat_setup_info to
* attach the null binding, otherwise this may oops.
*/
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
if (l3proto == NULL)
return -EAGAIN;
/* No NAT information has been passed, allocate the null-binding */ /* No NAT information has been passed, allocate the null-binding */
if (attr == NULL) if (attr == NULL)
return __nf_nat_alloc_null_binding(ct, manip) == NF_DROP ? -ENOMEM : 0; return __nf_nat_alloc_null_binding(ct, manip) == NF_DROP ? -ENOMEM : 0;
err = nfnetlink_parse_nat(attr, ct, &range, l3proto); err = nfnetlink_parse_nat(attr, ct, &range);
if (err < 0) if (err < 0)
return err; return err;
...@@ -1035,7 +1085,6 @@ int nf_nat_register_fn(struct net *net, const struct nf_hook_ops *ops, ...@@ -1035,7 +1085,6 @@ int nf_nat_register_fn(struct net *net, const struct nf_hook_ops *ops,
mutex_unlock(&nf_nat_proto_mutex); mutex_unlock(&nf_nat_proto_mutex);
return ret; return ret;
} }
EXPORT_SYMBOL_GPL(nf_nat_register_fn);
void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops, void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops,
unsigned int ops_count) unsigned int ops_count)
...@@ -1084,7 +1133,6 @@ void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops, ...@@ -1084,7 +1133,6 @@ void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops,
unlock: unlock:
mutex_unlock(&nf_nat_proto_mutex); mutex_unlock(&nf_nat_proto_mutex);
} }
EXPORT_SYMBOL_GPL(nf_nat_unregister_fn);
static struct pernet_operations nat_net_ops = { static struct pernet_operations nat_net_ops = {
.id = &nat_net_id, .id = &nat_net_id,
......
...@@ -22,9 +22,6 @@ ...@@ -22,9 +22,6 @@
#include <net/netfilter/nf_conntrack_expect.h> #include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_seqadj.h> #include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_l3proto.h>
#include <net/netfilter/nf_nat_l4proto.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_helper.h> #include <net/netfilter/nf_nat_helper.h>
/* Frobs data inside this packet, which is linear. */ /* Frobs data inside this packet, which is linear. */
...@@ -98,7 +95,6 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, ...@@ -98,7 +95,6 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
const char *rep_buffer, const char *rep_buffer,
unsigned int rep_len, bool adjust) unsigned int rep_len, bool adjust)
{ {
const struct nf_nat_l3proto *l3proto;
struct tcphdr *tcph; struct tcphdr *tcph;
int oldlen, datalen; int oldlen, datalen;
...@@ -118,9 +114,8 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, ...@@ -118,9 +114,8 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
datalen = skb->len - protoff; datalen = skb->len - protoff;
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct)); nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP,
l3proto->csum_recalc(skb, IPPROTO_TCP, tcph, &tcph->check, tcph, &tcph->check, datalen, oldlen);
datalen, oldlen);
if (adjust && rep_len != match_len) if (adjust && rep_len != match_len)
nf_ct_seqadj_set(ct, ctinfo, tcph->seq, nf_ct_seqadj_set(ct, ctinfo, tcph->seq,
...@@ -150,7 +145,6 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb, ...@@ -150,7 +145,6 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
const char *rep_buffer, const char *rep_buffer,
unsigned int rep_len) unsigned int rep_len)
{ {
const struct nf_nat_l3proto *l3proto;
struct udphdr *udph; struct udphdr *udph;
int datalen, oldlen; int datalen, oldlen;
...@@ -176,9 +170,8 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb, ...@@ -176,9 +170,8 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL) if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL)
return true; return true;
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct)); nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP,
l3proto->csum_recalc(skb, IPPROTO_UDP, udph, &udph->check, udph, &udph->check, datalen, oldlen);
datalen, oldlen);
return true; return true;
} }
......
/* (C) 1999-2001 Paul `Rusty' Russell // SPDX-License-Identifier: GPL-2.0
* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/types.h> #include <linux/types.h>
#include <linux/atomic.h> #include <linux/atomic.h>
#include <linux/inetdevice.h> #include <linux/inetdevice.h>
#include <linux/ip.h>
#include <linux/timer.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <net/protocol.h>
#include <net/ip.h>
#include <net/checksum.h>
#include <net/route.h>
#include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv4.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/ipv4/nf_nat_masquerade.h> #include <net/netfilter/ipv4/nf_nat_masquerade.h>
#include <net/netfilter/ipv6/nf_nat_masquerade.h>
static DEFINE_MUTEX(masq_mutex);
static unsigned int masq_refcnt __read_mostly;
unsigned int unsigned int
nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum, nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
...@@ -78,8 +70,6 @@ static int device_cmp(struct nf_conn *i, void *ifindex) ...@@ -78,8 +70,6 @@ static int device_cmp(struct nf_conn *i, void *ifindex)
if (!nat) if (!nat)
return 0; return 0;
if (nf_ct_l3num(i) != NFPROTO_IPV4)
return 0;
return nat->masq_index == (int)(long)ifindex; return nat->masq_index == (int)(long)ifindex;
} }
...@@ -95,7 +85,6 @@ static int masq_device_event(struct notifier_block *this, ...@@ -95,7 +85,6 @@ static int masq_device_event(struct notifier_block *this,
* conntracks which were associated with that device, * conntracks which were associated with that device,
* and forget them. * and forget them.
*/ */
WARN_ON(dev->ifindex == 0);
nf_ct_iterate_cleanup_net(net, device_cmp, nf_ct_iterate_cleanup_net(net, device_cmp,
(void *)(long)dev->ifindex, 0, 0); (void *)(long)dev->ifindex, 0, 0);
...@@ -147,9 +136,6 @@ static struct notifier_block masq_inet_notifier = { ...@@ -147,9 +136,6 @@ static struct notifier_block masq_inet_notifier = {
.notifier_call = masq_inet_event, .notifier_call = masq_inet_event,
}; };
static int masq_refcnt;
static DEFINE_MUTEX(masq_mutex);
int nf_nat_masquerade_ipv4_register_notifier(void) int nf_nat_masquerade_ipv4_register_notifier(void)
{ {
int ret = 0; int ret = 0;
...@@ -194,3 +180,183 @@ void nf_nat_masquerade_ipv4_unregister_notifier(void) ...@@ -194,3 +180,183 @@ void nf_nat_masquerade_ipv4_unregister_notifier(void)
mutex_unlock(&masq_mutex); mutex_unlock(&masq_mutex);
} }
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_unregister_notifier); EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_unregister_notifier);
#if IS_ENABLED(CONFIG_IPV6)
static atomic_t v6_worker_count __read_mostly;
static int
nat_ipv6_dev_get_saddr(struct net *net, const struct net_device *dev,
const struct in6_addr *daddr, unsigned int srcprefs,
struct in6_addr *saddr)
{
#ifdef CONFIG_IPV6_MODULE
const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
if (!v6_ops)
return -EHOSTUNREACH;
return v6_ops->dev_get_saddr(net, dev, daddr, srcprefs, saddr);
#else
return ipv6_dev_get_saddr(net, dev, daddr, srcprefs, saddr);
#endif
}
unsigned int
nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
const struct net_device *out)
{
enum ip_conntrack_info ctinfo;
struct nf_conn_nat *nat;
struct in6_addr src;
struct nf_conn *ct;
struct nf_nat_range2 newrange;
ct = nf_ct_get(skb, &ctinfo);
WARN_ON(!(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
ctinfo == IP_CT_RELATED_REPLY)));
if (nat_ipv6_dev_get_saddr(nf_ct_net(ct), out,
&ipv6_hdr(skb)->daddr, 0, &src) < 0)
return NF_DROP;
nat = nf_ct_nat_ext_add(ct);
if (nat)
nat->masq_index = out->ifindex;
newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.in6 = src;
newrange.max_addr.in6 = src;
newrange.min_proto = range->min_proto;
newrange.max_proto = range->max_proto;
return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6);
struct masq_dev_work {
struct work_struct work;
struct net *net;
struct in6_addr addr;
int ifindex;
};
static int inet6_cmp(struct nf_conn *ct, void *work)
{
struct masq_dev_work *w = (struct masq_dev_work *)work;
struct nf_conntrack_tuple *tuple;
if (!device_cmp(ct, (void *)(long)w->ifindex))
return 0;
tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
return ipv6_addr_equal(&w->addr, &tuple->dst.u3.in6);
}
static void iterate_cleanup_work(struct work_struct *work)
{
struct masq_dev_work *w;
w = container_of(work, struct masq_dev_work, work);
nf_ct_iterate_cleanup_net(w->net, inet6_cmp, (void *)w, 0, 0);
put_net(w->net);
kfree(w);
atomic_dec(&v6_worker_count);
module_put(THIS_MODULE);
}
/* atomic notifier; can't call nf_ct_iterate_cleanup_net (it can sleep).
*
* Defer it to the system workqueue.
*
* As we can have 'a lot' of inet_events (depending on amount of ipv6
* addresses being deleted), we also need to limit work item queue.
*/
static int masq_inet6_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct inet6_ifaddr *ifa = ptr;
const struct net_device *dev;
struct masq_dev_work *w;
struct net *net;
if (event != NETDEV_DOWN || atomic_read(&v6_worker_count) >= 16)
return NOTIFY_DONE;
dev = ifa->idev->dev;
net = maybe_get_net(dev_net(dev));
if (!net)
return NOTIFY_DONE;
if (!try_module_get(THIS_MODULE))
goto err_module;
w = kmalloc(sizeof(*w), GFP_ATOMIC);
if (w) {
atomic_inc(&v6_worker_count);
INIT_WORK(&w->work, iterate_cleanup_work);
w->ifindex = dev->ifindex;
w->net = net;
w->addr = ifa->addr;
schedule_work(&w->work);
return NOTIFY_DONE;
}
module_put(THIS_MODULE);
err_module:
put_net(net);
return NOTIFY_DONE;
}
static struct notifier_block masq_inet6_notifier = {
.notifier_call = masq_inet6_event,
};
int nf_nat_masquerade_ipv6_register_notifier(void)
{
int ret = 0;
mutex_lock(&masq_mutex);
/* check if the notifier is already set */
if (++masq_refcnt > 1)
goto out_unlock;
ret = register_netdevice_notifier(&masq_dev_notifier);
if (ret)
goto err_dec;
ret = register_inet6addr_notifier(&masq_inet6_notifier);
if (ret)
goto err_unregister;
mutex_unlock(&masq_mutex);
return ret;
err_unregister:
unregister_netdevice_notifier(&masq_dev_notifier);
err_dec:
masq_refcnt--;
out_unlock:
mutex_unlock(&masq_mutex);
return ret;
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier);
void nf_nat_masquerade_ipv6_unregister_notifier(void)
{
mutex_lock(&masq_mutex);
/* check if the notifier still has clients */
if (--masq_refcnt > 0)
goto out_unlock;
unregister_inet6addr_notifier(&masq_inet6_notifier);
unregister_netdevice_notifier(&masq_dev_notifier);
out_unlock:
mutex_unlock(&masq_mutex);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier);
#endif
This diff is collapsed.
...@@ -2172,6 +2172,7 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, ...@@ -2172,6 +2172,7 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
{ {
struct nft_expr_info info; struct nft_expr_info info;
struct nft_expr *expr; struct nft_expr *expr;
struct module *owner;
int err; int err;
err = nf_tables_expr_parse(ctx, nla, &info); err = nf_tables_expr_parse(ctx, nla, &info);
...@@ -2191,7 +2192,11 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, ...@@ -2191,7 +2192,11 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
err3: err3:
kfree(expr); kfree(expr);
err2: err2:
module_put(info.ops->type->owner); owner = info.ops->type->owner;
if (info.ops->type->release_ops)
info.ops->type->release_ops(info.ops);
module_put(owner);
err1: err1:
return ERR_PTR(err); return ERR_PTR(err);
} }
......
...@@ -98,21 +98,23 @@ static noinline void nft_update_chain_stats(const struct nft_chain *chain, ...@@ -98,21 +98,23 @@ static noinline void nft_update_chain_stats(const struct nft_chain *chain,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
{ {
struct nft_base_chain *base_chain; struct nft_base_chain *base_chain;
struct nft_stats __percpu *pstats;
struct nft_stats *stats; struct nft_stats *stats;
base_chain = nft_base_chain(chain); base_chain = nft_base_chain(chain);
if (!rcu_access_pointer(base_chain->stats))
return;
rcu_read_lock();
pstats = READ_ONCE(base_chain->stats);
if (pstats) {
local_bh_disable(); local_bh_disable();
stats = this_cpu_ptr(rcu_dereference(base_chain->stats)); stats = this_cpu_ptr(pstats);
if (stats) {
u64_stats_update_begin(&stats->syncp); u64_stats_update_begin(&stats->syncp);
stats->pkts++; stats->pkts++;
stats->bytes += pkt->skb->len; stats->bytes += pkt->skb->len;
u64_stats_update_end(&stats->syncp); u64_stats_update_end(&stats->syncp);
}
local_bh_enable(); local_bh_enable();
}
rcu_read_unlock();
} }
struct nft_jumpstack { struct nft_jumpstack {
...@@ -221,7 +223,6 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv) ...@@ -221,7 +223,6 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
chain = regs.verdict.chain; chain = regs.verdict.chain;
goto do_chain; goto do_chain;
case NFT_CONTINUE: case NFT_CONTINUE:
/* fall through */
case NFT_RETURN: case NFT_RETURN:
nft_trace_packet(&info, chain, rule, nft_trace_packet(&info, chain, rule,
NFT_TRACETYPE_RETURN); NFT_TRACETYPE_RETURN);
......
/* // SPDX-License-Identifier: GPL-2.0
* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
* Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
* Copyright (c) 2012 Intel Corporation
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* Development of this code funded by Astaro AG (http://www.astaro.com/)
*/
#include <linux/module.h> #include <linux/module.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_ipv4.h> #include <net/netfilter/nf_tables_ipv4.h>
#include <net/netfilter/nf_nat_l3proto.h> #include <net/netfilter/nf_tables_ipv6.h>
#include <net/ip.h>
static unsigned int nft_nat_do_chain(void *priv, static unsigned int nft_nat_do_chain(void *priv, struct sk_buff *skb,
struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
struct nft_pktinfo pkt; struct nft_pktinfo pkt;
nft_set_pktinfo(&pkt, skb, state); nft_set_pktinfo(&pkt, skb, state);
switch (state->pf) {
#ifdef CONFIG_NF_TABLES_IPV4
case NFPROTO_IPV4:
nft_set_pktinfo_ipv4(&pkt, skb); nft_set_pktinfo_ipv4(&pkt, skb);
break;
#endif
#ifdef CONFIG_NF_TABLES_IPV6
case NFPROTO_IPV6:
nft_set_pktinfo_ipv6(&pkt, skb);
break;
#endif
default:
break;
}
return nft_do_chain(&pkt, priv); return nft_do_chain(&pkt, priv);
} }
static int nft_nat_ipv4_reg(struct net *net, const struct nf_hook_ops *ops) #ifdef CONFIG_NF_TABLES_IPV4
{
return nf_nat_l3proto_ipv4_register_fn(net, ops);
}
static void nft_nat_ipv4_unreg(struct net *net, const struct nf_hook_ops *ops)
{
nf_nat_l3proto_ipv4_unregister_fn(net, ops);
}
static const struct nft_chain_type nft_chain_nat_ipv4 = { static const struct nft_chain_type nft_chain_nat_ipv4 = {
.name = "nat", .name = "nat",
.type = NFT_CHAIN_T_NAT, .type = NFT_CHAIN_T_NAT,
...@@ -63,25 +48,61 @@ static const struct nft_chain_type nft_chain_nat_ipv4 = { ...@@ -63,25 +48,61 @@ static const struct nft_chain_type nft_chain_nat_ipv4 = {
[NF_INET_LOCAL_OUT] = nft_nat_do_chain, [NF_INET_LOCAL_OUT] = nft_nat_do_chain,
[NF_INET_LOCAL_IN] = nft_nat_do_chain, [NF_INET_LOCAL_IN] = nft_nat_do_chain,
}, },
.ops_register = nft_nat_ipv4_reg, .ops_register = nf_nat_ipv4_register_fn,
.ops_unregister = nft_nat_ipv4_unreg, .ops_unregister = nf_nat_ipv4_unregister_fn,
};
#endif
#ifdef CONFIG_NF_TABLES_IPV6
static const struct nft_chain_type nft_chain_nat_ipv6 = {
.name = "nat",
.type = NFT_CHAIN_T_NAT,
.family = NFPROTO_IPV6,
.owner = THIS_MODULE,
.hook_mask = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_LOCAL_IN),
.hooks = {
[NF_INET_PRE_ROUTING] = nft_nat_do_chain,
[NF_INET_POST_ROUTING] = nft_nat_do_chain,
[NF_INET_LOCAL_OUT] = nft_nat_do_chain,
[NF_INET_LOCAL_IN] = nft_nat_do_chain,
},
.ops_register = nf_nat_ipv6_register_fn,
.ops_unregister = nf_nat_ipv6_unregister_fn,
}; };
#endif
static int __init nft_chain_nat_init(void) static int __init nft_chain_nat_init(void)
{ {
#ifdef CONFIG_NF_TABLES_IPV6
nft_register_chain_type(&nft_chain_nat_ipv6);
#endif
#ifdef CONFIG_NF_TABLES_IPV4
nft_register_chain_type(&nft_chain_nat_ipv4); nft_register_chain_type(&nft_chain_nat_ipv4);
#endif
return 0; return 0;
} }
static void __exit nft_chain_nat_exit(void) static void __exit nft_chain_nat_exit(void)
{ {
#ifdef CONFIG_NF_TABLES_IPV4
nft_unregister_chain_type(&nft_chain_nat_ipv4); nft_unregister_chain_type(&nft_chain_nat_ipv4);
#endif
#ifdef CONFIG_NF_TABLES_IPV6
nft_unregister_chain_type(&nft_chain_nat_ipv6);
#endif
} }
module_init(nft_chain_nat_init); module_init(nft_chain_nat_init);
module_exit(nft_chain_nat_exit); module_exit(nft_chain_nat_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); #ifdef CONFIG_NF_TABLES_IPV4
MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat"); MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
#endif
#ifdef CONFIG_NF_TABLES_IPV6
MODULE_ALIAS_NFT_CHAIN(AF_INET6, "nat");
#endif
This diff is collapsed.
...@@ -14,16 +14,22 @@ ...@@ -14,16 +14,22 @@
#include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nft_masq.h> #include <net/netfilter/ipv4/nf_nat_masquerade.h>
#include <net/netfilter/ipv6/nf_nat_masquerade.h>
const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = { struct nft_masq {
u32 flags;
enum nft_registers sreg_proto_min:8;
enum nft_registers sreg_proto_max:8;
};
static const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
[NFTA_MASQ_FLAGS] = { .type = NLA_U32 }, [NFTA_MASQ_FLAGS] = { .type = NLA_U32 },
[NFTA_MASQ_REG_PROTO_MIN] = { .type = NLA_U32 }, [NFTA_MASQ_REG_PROTO_MIN] = { .type = NLA_U32 },
[NFTA_MASQ_REG_PROTO_MAX] = { .type = NLA_U32 }, [NFTA_MASQ_REG_PROTO_MAX] = { .type = NLA_U32 },
}; };
EXPORT_SYMBOL_GPL(nft_masq_policy);
int nft_masq_validate(const struct nft_ctx *ctx, static int nft_masq_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr, const struct nft_expr *expr,
const struct nft_data **data) const struct nft_data **data)
{ {
...@@ -36,9 +42,8 @@ int nft_masq_validate(const struct nft_ctx *ctx, ...@@ -36,9 +42,8 @@ int nft_masq_validate(const struct nft_ctx *ctx,
return nft_chain_validate_hooks(ctx->chain, return nft_chain_validate_hooks(ctx->chain,
(1 << NF_INET_POST_ROUTING)); (1 << NF_INET_POST_ROUTING));
} }
EXPORT_SYMBOL_GPL(nft_masq_validate);
int nft_masq_init(const struct nft_ctx *ctx, static int nft_masq_init(const struct nft_ctx *ctx,
const struct nft_expr *expr, const struct nft_expr *expr,
const struct nlattr * const tb[]) const struct nlattr * const tb[])
{ {
...@@ -75,9 +80,8 @@ int nft_masq_init(const struct nft_ctx *ctx, ...@@ -75,9 +80,8 @@ int nft_masq_init(const struct nft_ctx *ctx,
return nf_ct_netns_get(ctx->net, ctx->family); return nf_ct_netns_get(ctx->net, ctx->family);
} }
EXPORT_SYMBOL_GPL(nft_masq_init);
int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr) static int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr)
{ {
const struct nft_masq *priv = nft_expr_priv(expr); const struct nft_masq *priv = nft_expr_priv(expr);
...@@ -98,7 +102,157 @@ int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr) ...@@ -98,7 +102,157 @@ int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr)
nla_put_failure: nla_put_failure:
return -1; return -1;
} }
EXPORT_SYMBOL_GPL(nft_masq_dump);
static void nft_masq_ipv4_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_masq *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_max]);
}
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
&range, nft_out(pkt));
}
static void
nft_masq_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
}
static struct nft_expr_type nft_masq_ipv4_type;
static const struct nft_expr_ops nft_masq_ipv4_ops = {
.type = &nft_masq_ipv4_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
.eval = nft_masq_ipv4_eval,
.init = nft_masq_init,
.destroy = nft_masq_ipv4_destroy,
.dump = nft_masq_dump,
.validate = nft_masq_validate,
};
static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
.family = NFPROTO_IPV4,
.name = "masq",
.ops = &nft_masq_ipv4_ops,
.policy = nft_masq_policy,
.maxattr = NFTA_MASQ_MAX,
.owner = THIS_MODULE,
};
#ifdef CONFIG_NF_TABLES_IPV6
static void nft_masq_ipv6_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_masq *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
&regs->data[priv->sreg_proto_max]);
}
regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range,
nft_out(pkt));
}
static void
nft_masq_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
}
static struct nft_expr_type nft_masq_ipv6_type;
static const struct nft_expr_ops nft_masq_ipv6_ops = {
.type = &nft_masq_ipv6_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
.eval = nft_masq_ipv6_eval,
.init = nft_masq_init,
.destroy = nft_masq_ipv6_destroy,
.dump = nft_masq_dump,
.validate = nft_masq_validate,
};
static struct nft_expr_type nft_masq_ipv6_type __read_mostly = {
.family = NFPROTO_IPV6,
.name = "masq",
.ops = &nft_masq_ipv6_ops,
.policy = nft_masq_policy,
.maxattr = NFTA_MASQ_MAX,
.owner = THIS_MODULE,
};
static int __init nft_masq_module_init_ipv6(void)
{
int ret = nft_register_expr(&nft_masq_ipv6_type);
if (ret)
return ret;
ret = nf_nat_masquerade_ipv6_register_notifier();
if (ret < 0)
nft_unregister_expr(&nft_masq_ipv6_type);
return ret;
}
static void nft_masq_module_exit_ipv6(void)
{
nft_unregister_expr(&nft_masq_ipv6_type);
nf_nat_masquerade_ipv6_unregister_notifier();
}
#else
static inline int nft_masq_module_init_ipv6(void) { return 0; }
static inline void nft_masq_module_exit_ipv6(void) {}
#endif
static int __init nft_masq_module_init(void)
{
int ret;
ret = nft_masq_module_init_ipv6();
if (ret < 0)
return ret;
ret = nft_register_expr(&nft_masq_ipv4_type);
if (ret < 0) {
nft_masq_module_exit_ipv6();
return ret;
}
ret = nf_nat_masquerade_ipv4_register_notifier();
if (ret < 0) {
nft_masq_module_exit_ipv6();
nft_unregister_expr(&nft_masq_ipv4_type);
return ret;
}
return ret;
}
static void __exit nft_masq_module_exit(void)
{
nft_masq_module_exit_ipv6();
nft_unregister_expr(&nft_masq_ipv4_type);
nf_nat_masquerade_ipv4_unregister_notifier();
}
module_init(nft_masq_module_init);
module_exit(nft_masq_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");
...@@ -21,9 +21,7 @@ ...@@ -21,9 +21,7 @@
#include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_nat_l3proto.h>
#include <net/ip.h> #include <net/ip.h>
struct nft_nat { struct nft_nat {
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_nat_core.h> #include <net/netfilter/nf_nat.h>
static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par) static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
{ {
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment