netfilter: synproxy: remove module dependency on IPv6 SYNPROXY

This is a prerequisite for the infrastructure module NETFILTER_SYNPROXY. The new module is needed to avoid duplicated code for the SYNPROXY nftables support. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Fernando Fernandez Mancera <ffmancera@riseup.net> 2019-06-06 20:36:05 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-06-17 11:12:09 -0400
commit: 3006a5224f15cf68edc4878799ac6d6089861518 (patch)
tree: a8ddce317f915b7136e5a5af90a6ed396aa98b9c
parent: 5fcc88ecf681b64da6c2c918352e2451db6a97ec (diff)
2 files changed, 38 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 3a3dc4b1f0e7..35b12525ee45 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -8,6 +8,7 @@
 #define __LINUX_IP6_NETFILTER_H
 #include <uapi/linux/netfilter_ipv6.h>
+#include <net/tcp.h>
 /* Extra routing may needed on local out, as the QUEUE target never returns
 * control to the table.
@@ -35,6 +36,10 @@ struct nf_ipv6_ops {
                       struct in6_addr *saddr);
        int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
                     bool strict);
+        u32 (*cookie_init_sequence)(const struct ipv6hdr *iph,
+                                    const struct tcphdr *th, u16 *mssp);
+        int (*cookie_v6_check)(const struct ipv6hdr *iph,
+                               const struct tcphdr *th, __u32 cookie);
 #endif
        void (*route_input)(struct sk_buff *skb);
        int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,
@@ -154,6 +159,37 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
 #endif
 }
+static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph,
+                                               const struct tcphdr *th,
+                                               u16 *mssp)
+{
+#if IS_MODULE(CONFIG_IPV6)
+        const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
+        if (v6_ops)
+                return v6_ops->cookie_init_sequence(iph, th, mssp);
+        return 0;
+#else
+        return __cookie_v6_init_sequence(iph, th, mssp);
+#endif
+}
+static inline int nf_cookie_v6_check(const struct ipv6hdr *iph,
+                                     const struct tcphdr *th, __u32 cookie)
+{
+#if IS_MODULE(CONFIG_IPV6)
+        const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
+        if (v6_ops)
+                return v6_ops->cookie_v6_check(iph, th, cookie);
+        return 0;
+#else
+        return __cookie_v6_check(iph, th, cookie);
+#endif
+}
 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
                        unsigned int dataoff, u_int8_t protocol);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 86048dce301b..dffb10fdc3e8 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -234,6 +234,8 @@ static const struct nf_ipv6_ops ipv6ops = {
        .route_me_harder        = ip6_route_me_harder,
        .dev_get_saddr          = ipv6_dev_get_saddr,
        .route                  = __nf_ip6_route,
+        .cookie_init_sequence   = __cookie_v6_init_sequence,
+        .cookie_v6_check        = __cookie_v6_check,
 #endif
        .route_input            = ip6_route_input,
        .fragment               = ip6_fragment,
author	Fernando Fernandez Mancera <ffmancera@riseup.net>	2019-06-06 20:36:05 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-06-17 11:12:09 -0400
commit	3006a5224f15cf68edc4878799ac6d6089861518 (patch)
tree	a8ddce317f915b7136e5a5af90a6ed396aa98b9c
parent	5fcc88ecf681b64da6c2c918352e2451db6a97ec (diff)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 3a3dc4b1f0e7..35b12525ee45 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h
@@ -8,6 +8,7 @@
8	#define __LINUX_IP6_NETFILTER_H	8	#define __LINUX_IP6_NETFILTER_H
9		9
10	#include <uapi/linux/netfilter_ipv6.h>	10	#include <uapi/linux/netfilter_ipv6.h>
		11	#include <net/tcp.h>
11		12
12	/* Extra routing may needed on local out, as the QUEUE target never returns	13	/* Extra routing may needed on local out, as the QUEUE target never returns
13	* control to the table.	14	* control to the table.
@@ -35,6 +36,10 @@ struct nf_ipv6_ops {
35	struct in6_addr *saddr);	36	struct in6_addr *saddr);
36	int (route)(struct net net, struct dst_entry *dst, struct flowi fl,	37	int (route)(struct net net, struct dst_entry *dst, struct flowi fl,
37	bool strict);	38	bool strict);
		39	u32 (cookie_init_sequence)(const struct ipv6hdr iph,
		40	const struct tcphdr th, u16 mssp);
		41	int (cookie_v6_check)(const struct ipv6hdr iph,
		42	const struct tcphdr *th, __u32 cookie);
38	#endif	43	#endif
39	void (route_input)(struct sk_buff skb);	44	void (route_input)(struct sk_buff skb);
40	int (fragment)(struct net net, struct sock sk, struct sk_buff skb,	45	int (fragment)(struct net net, struct sock sk, struct sk_buff skb,
@@ -154,6 +159,37 @@ static inline int nf_ip6_route_me_harder(struct net net, struct sk_buff skb)
154	#endif	159	#endif
155	}	160	}
156		161
		162	static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph,
		163	const struct tcphdr *th,
		164	u16 *mssp)
		165	{
		166	#if IS_MODULE(CONFIG_IPV6)
		167	const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
		168
		169	if (v6_ops)
		170	return v6_ops->cookie_init_sequence(iph, th, mssp);
		171
		172	return 0;
		173	#else
		174	return __cookie_v6_init_sequence(iph, th, mssp);
		175	#endif
		176	}
		177
		178	static inline int nf_cookie_v6_check(const struct ipv6hdr *iph,
		179	const struct tcphdr *th, __u32 cookie)
		180	{
		181	#if IS_MODULE(CONFIG_IPV6)
		182	const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
		183
		184	if (v6_ops)
		185	return v6_ops->cookie_v6_check(iph, th, cookie);
		186
		187	return 0;
		188	#else
		189	return __cookie_v6_check(iph, th, cookie);
		190	#endif
		191	}
		192
157	__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,	193	__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
158	unsigned int dataoff, u_int8_t protocol);	194	unsigned int dataoff, u_int8_t protocol);
159		195


diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 86048dce301b..dffb10fdc3e8 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c
@@ -234,6 +234,8 @@ static const struct nf_ipv6_ops ipv6ops = {
234	.route_me_harder = ip6_route_me_harder,	234	.route_me_harder = ip6_route_me_harder,
235	.dev_get_saddr = ipv6_dev_get_saddr,	235	.dev_get_saddr = ipv6_dev_get_saddr,
236	.route = __nf_ip6_route,	236	.route = __nf_ip6_route,
		237	.cookie_init_sequence = __cookie_v6_init_sequence,
		238	.cookie_v6_check = __cookie_v6_check,
237	#endif	239	#endif
238	.route_input = ip6_route_input,	240	.route_input = ip6_route_input,
239	.fragment = ip6_fragment,	241	.fragment = ip6_fragment,