Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter updates for net-next:
1) Remove the broute pseudo hook, implement this from the bridge
prerouting hook instead. Now broute becomes real table in ebtables,
from Florian Westphal. This also includes a size reduction patch for the
bridge control buffer area via squashing boolean into bitfields and
a selftest.
2) Add OS passive fingerprint version matching, from Fernando Fernandez.
3) Support for gue encapsulation for IPVS, from Jacky Hu.
4) Add support for NAT to the inet family, from Florian Westphal.
This includes support for masquerade, redirect and nat extensions.
5) Skip interface lookup in flowtable, use device in the dst object.
6) Add jiffies64_to_msecs() and use it, from Li RongQing.
7) Remove unused parameter in nf_tables_set_desc_parse(), from Colin Ian King.
8) Statify several functions, patches from YueHaibing and Florian Westphal.
9) Add an optimized version of nf_inet_addr_cmp(), from Li RongQing.
10) Merge route extension to core, also from Florian.
11) Use IS_ENABLED(CONFIG_NF_NAT) instead of NF_NAT_NEEDED, from Florian.
12) Merge ip/ip6 masquerade extensions, from Florian. This includes
netdevice notifier unification.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
@@ -23,14 +23,6 @@ config NF_TABLES_IPV6
|
||||
|
||||
if NF_TABLES_IPV6
|
||||
|
||||
config NFT_CHAIN_ROUTE_IPV6
|
||||
tristate "IPv6 nf_tables route chain support"
|
||||
help
|
||||
This option enables the "route" chain for IPv6 in nf_tables. This
|
||||
chain type is used to force packet re-routing after mangling header
|
||||
fields such as the source, destination, flowlabel, hop-limit and
|
||||
the packet mark.
|
||||
|
||||
config NFT_REJECT_IPV6
|
||||
select NF_REJECT_IPV6
|
||||
default NFT_REJECT
|
||||
@@ -278,15 +270,10 @@ if IP6_NF_NAT
|
||||
|
||||
config IP6_NF_TARGET_MASQUERADE
|
||||
tristate "MASQUERADE target support"
|
||||
select NF_NAT_MASQUERADE
|
||||
select NETFILTER_XT_TARGET_MASQUERADE
|
||||
help
|
||||
Masquerading is a special case of NAT: all outgoing connections are
|
||||
changed to seem to come from a particular interface's address, and
|
||||
if the interface goes down, those connections are lost. This is
|
||||
only useful for dialup accounts with dynamic IP address (ie. your IP
|
||||
address will be different on next dialup).
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
This is a backwards-compat option for the user's convenience
|
||||
(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
|
||||
|
||||
config IP6_NF_TARGET_NPT
|
||||
tristate "NPT (Network Prefix translation) target support"
|
||||
|
||||
@@ -27,7 +27,6 @@ obj-$(CONFIG_NF_REJECT_IPV6) += nf_reject_ipv6.o
|
||||
obj-$(CONFIG_NF_DUP_IPV6) += nf_dup_ipv6.o
|
||||
|
||||
# nf_tables
|
||||
obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
|
||||
obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
|
||||
obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o
|
||||
obj-$(CONFIG_NFT_FIB_IPV6) += nft_fib_ipv6.o
|
||||
@@ -47,7 +46,6 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
|
||||
|
||||
# targets
|
||||
obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
|
||||
obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o
|
||||
obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
|
||||
obj-$(CONFIG_IP6_NF_TARGET_SYNPROXY) += ip6t_SYNPROXY.o
|
||||
|
||||
@@ -1,81 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* Based on Rusty Russell's IPv6 MASQUERADE target. Development of IPv6
|
||||
* NAT funded by Astaro.
|
||||
*/
|
||||
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/netdevice.h>
|
||||
#include <linux/ipv6.h>
|
||||
#include <linux/netfilter.h>
|
||||
#include <linux/netfilter_ipv6.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <net/netfilter/nf_nat.h>
|
||||
#include <net/addrconf.h>
|
||||
#include <net/ipv6.h>
|
||||
#include <net/netfilter/ipv6/nf_nat_masquerade.h>
|
||||
|
||||
static unsigned int
|
||||
masquerade_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
{
|
||||
return nf_nat_masquerade_ipv6(skb, par->targinfo, xt_out(par));
|
||||
}
|
||||
|
||||
static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
|
||||
{
|
||||
const struct nf_nat_range2 *range = par->targinfo;
|
||||
|
||||
if (range->flags & NF_NAT_RANGE_MAP_IPS)
|
||||
return -EINVAL;
|
||||
return nf_ct_netns_get(par->net, par->family);
|
||||
}
|
||||
|
||||
static void masquerade_tg6_destroy(const struct xt_tgdtor_param *par)
|
||||
{
|
||||
nf_ct_netns_put(par->net, par->family);
|
||||
}
|
||||
|
||||
static struct xt_target masquerade_tg6_reg __read_mostly = {
|
||||
.name = "MASQUERADE",
|
||||
.family = NFPROTO_IPV6,
|
||||
.checkentry = masquerade_tg6_checkentry,
|
||||
.destroy = masquerade_tg6_destroy,
|
||||
.target = masquerade_tg6,
|
||||
.targetsize = sizeof(struct nf_nat_range),
|
||||
.table = "nat",
|
||||
.hooks = 1 << NF_INET_POST_ROUTING,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init masquerade_tg6_init(void)
|
||||
{
|
||||
int err;
|
||||
|
||||
err = xt_register_target(&masquerade_tg6_reg);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
err = nf_nat_masquerade_ipv6_register_notifier();
|
||||
if (err)
|
||||
xt_unregister_target(&masquerade_tg6_reg);
|
||||
|
||||
return err;
|
||||
}
|
||||
static void __exit masquerade_tg6_exit(void)
|
||||
{
|
||||
nf_nat_masquerade_ipv6_unregister_notifier();
|
||||
xt_unregister_target(&masquerade_tg6_reg);
|
||||
}
|
||||
|
||||
module_init(masquerade_tg6_init);
|
||||
module_exit(masquerade_tg6_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_DESCRIPTION("Xtables: automatic address SNAT");
|
||||
@@ -1,91 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
|
||||
* Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* Development of this code funded by Astaro AG (http://www.astaro.com/)
|
||||
*/
|
||||
|
||||
#include <linux/module.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/netlink.h>
|
||||
#include <linux/netfilter.h>
|
||||
#include <linux/netfilter_ipv6.h>
|
||||
#include <linux/netfilter/nfnetlink.h>
|
||||
#include <linux/netfilter/nf_tables.h>
|
||||
#include <net/netfilter/nf_tables.h>
|
||||
#include <net/netfilter/nf_tables_ipv6.h>
|
||||
#include <net/route.h>
|
||||
|
||||
static unsigned int nf_route_table_hook(void *priv,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
unsigned int ret;
|
||||
struct nft_pktinfo pkt;
|
||||
struct in6_addr saddr, daddr;
|
||||
u_int8_t hop_limit;
|
||||
u32 mark, flowlabel;
|
||||
int err;
|
||||
|
||||
nft_set_pktinfo(&pkt, skb, state);
|
||||
nft_set_pktinfo_ipv6(&pkt, skb);
|
||||
|
||||
/* save source/dest address, mark, hoplimit, flowlabel, priority */
|
||||
memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
|
||||
memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr));
|
||||
mark = skb->mark;
|
||||
hop_limit = ipv6_hdr(skb)->hop_limit;
|
||||
|
||||
/* flowlabel and prio (includes version, which shouldn't change either */
|
||||
flowlabel = *((u32 *)ipv6_hdr(skb));
|
||||
|
||||
ret = nft_do_chain(&pkt, priv);
|
||||
if (ret != NF_DROP && ret != NF_STOLEN &&
|
||||
(memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
|
||||
memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
|
||||
skb->mark != mark ||
|
||||
ipv6_hdr(skb)->hop_limit != hop_limit ||
|
||||
flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) {
|
||||
err = ip6_route_me_harder(state->net, skb);
|
||||
if (err < 0)
|
||||
ret = NF_DROP_ERR(err);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static const struct nft_chain_type nft_chain_route_ipv6 = {
|
||||
.name = "route",
|
||||
.type = NFT_CHAIN_T_ROUTE,
|
||||
.family = NFPROTO_IPV6,
|
||||
.owner = THIS_MODULE,
|
||||
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
||||
.hooks = {
|
||||
[NF_INET_LOCAL_OUT] = nf_route_table_hook,
|
||||
},
|
||||
};
|
||||
|
||||
static int __init nft_chain_route_init(void)
|
||||
{
|
||||
nft_register_chain_type(&nft_chain_route_ipv6);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void __exit nft_chain_route_exit(void)
|
||||
{
|
||||
nft_unregister_chain_type(&nft_chain_route_ipv6);
|
||||
}
|
||||
|
||||
module_init(nft_chain_route_init);
|
||||
module_exit(nft_chain_route_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_ALIAS_NFT_CHAIN(AF_INET6, "route");
|
||||
Reference in New Issue
Block a user