Merge branch 'master' of git://1984.lsi.us.es/nf-next

Pablo Neira Ayuso says: ==================== This patchset contains updates for your net-next tree, they are: * Mostly fixes for the recently pushed IPv6 NAT support: - Fix crash while removing nf_nat modules from Patrick McHardy. - Fix unbalanced rcu_read_unlock from Ulrich Weber. - Merge NETMAP and REDIRECT into one single xt_target module, from Jan Engelhardt. - Fix Kconfig for IPv6 NAT, which allows inconsistent configurations, from myself. * Updates for ipset, all of the from Jozsef Kadlecsik: - Add the new "nomatch" option to obtain reverse set matching. - Support for /0 CIDR in hash:net,iface set type. - One non-critical fix for a rare crash due to pass really wrong configuration parameters. - Coding style cleanups. - Sparse fixes. - Add set revision supported via modinfo.i * One extension for the xt_time match, to support matching during the transition between two days with one single rule, from Florian Westphal. * Fix maximum packet length supported by nfnetlink_queue and add NFQA_CAP_LEN attribute, from myself. You can notice that this batch contains a couple of fixes that may go to 3.6-rc but I don't consider them critical to push them: * The ipset fix for the /0 cidr case, which is triggered with one inconsistent command line invocation of ipset. * The nfnetlink_queue maximum packet length supported since it requires the new NFQA_CAP_LEN attribute to provide a full workaround for the described problem. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2012-09-24 15:36:53 -0400
committer: David S. Miller <davem@davemloft.net> 2012-09-24 15:42:04 -0400
commit: ae4735166ee31e29fbf8615949dac9e56299b1fd (patch)
tree: ee39087a83e0e6d6aaab87e905ce6d170185e32d /net/ipv4
parent: 2ddc7fe1cd1b2e0502f12b89c60b6e1ca66837dd (diff)
parent: 6ee584be3ee30f72dec8a8ca87bc10824e27a631 (diff)
4 files changed, 10 insertions, 229 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 131e53702e7..d8d6f2a5bf1 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -172,23 +172,20 @@ config IP_NF_TARGET_MASQUERADE
 config IP_NF_TARGET_NETMAP
        tristate "NETMAP target support"
        depends on NETFILTER_ADVANCED
-        help
+        select NETFILTER_XT_TARGET_NETMAP
-          NETMAP is an implementation of static 1:1 NAT mapping of network
+        ---help---
-          addresses. It maps the network address part, while keeping the host
+        This is a backwards-compat option for the user's convenience
-          address part intact.
+        (e.g. when running oldconfig). It selects
+        CONFIG_NETFILTER_XT_TARGET_NETMAP.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_TARGET_REDIRECT
        tristate "REDIRECT target support"
        depends on NETFILTER_ADVANCED
-        help
+        select NETFILTER_XT_TARGET_REDIRECT
-          REDIRECT is a special case of NAT: all incoming connections are
+        ---help---
-          mapped onto the incoming interface's address, causing the packets to
+        This is a backwards-compat option for the user's convenience
-          come to the local machine instead of passing through.  This is
+        (e.g. when running oldconfig). It selects
-          useful for transparent proxies.
+        CONFIG_NETFILTER_XT_TARGET_REDIRECT.
-          To compile it as a module, choose M here.  If unsure, say N.
 endif
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index b7dd1898723..007b128eecc 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -45,8 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
-obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
-obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
deleted file mode 100644
index 85028dc0425..00000000000
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* NETMAP - static NAT mapping of IP network addresses (1:1).
- * The mapping can be applied to source (POSTROUTING),
- * destination (PREROUTING), or both (with separate rules).
- */
-/* (C) 2000-2001 Svenning Soerensen <svenning@post5.tele.dk>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/ip.h>
-#include <linux/module.h>
-#include <linux/netdevice.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter/x_tables.h>
-#include <net/netfilter/nf_nat.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
-MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
-static int netmap_tg_check(const struct xt_tgchk_param *par)
-{
-        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
-        if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
-                pr_debug("bad MAP_IPS.\n");
-                return -EINVAL;
-        }
-        if (mr->rangesize != 1) {
-                pr_debug("bad rangesize %u.\n", mr->rangesize);
-                return -EINVAL;
-        }
-        return 0;
-}
-static unsigned int
-netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
-{
-        struct nf_conn *ct;
-        enum ip_conntrack_info ctinfo;
-        __be32 new_ip, netmask;
-        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
-        struct nf_nat_range newrange;
-        NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
-                     par->hooknum == NF_INET_POST_ROUTING ||
-                     par->hooknum == NF_INET_LOCAL_OUT ||
-                     par->hooknum == NF_INET_LOCAL_IN);
-        ct = nf_ct_get(skb, &ctinfo);
-        netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
-        if (par->hooknum == NF_INET_PRE_ROUTING ||
-            par->hooknum == NF_INET_LOCAL_OUT)
-                new_ip = ip_hdr(skb)->daddr & ~netmask;
-        else
-                new_ip = ip_hdr(skb)->saddr & ~netmask;
-        new_ip |= mr->range[0].min_ip & netmask;
-        memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
-        memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
-        newrange.flags       = mr->range[0].flags | NF_NAT_RANGE_MAP_IPS;
-        newrange.min_addr.ip = new_ip;
-        newrange.max_addr.ip = new_ip;
-        newrange.min_proto   = mr->range[0].min;
-        newrange.max_proto   = mr->range[0].max;
-        /* Hand modified range to generic setup. */
-        return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
-}
-static struct xt_target netmap_tg_reg __read_mostly = {
-        .name           = "NETMAP",
-        .family         = NFPROTO_IPV4,
-        .target         = netmap_tg,
-        .targetsize     = sizeof(struct nf_nat_ipv4_multi_range_compat),
-        .table          = "nat",
-        .hooks          = (1 << NF_INET_PRE_ROUTING) |
-                          (1 << NF_INET_POST_ROUTING) |
-                          (1 << NF_INET_LOCAL_OUT) |
-                          (1 << NF_INET_LOCAL_IN),
-        .checkentry     = netmap_tg_check,
-        .me             = THIS_MODULE
-};
-static int __init netmap_tg_init(void)
-{
-        return xt_register_target(&netmap_tg_reg);
-}
-static void __exit netmap_tg_exit(void)
-{
-        xt_unregister_target(&netmap_tg_reg);
-}
-module_init(netmap_tg_init);
-module_exit(netmap_tg_exit);
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
deleted file mode 100644
index 11407d7d247..00000000000
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/* Redirect.  Simple mapping which alters dst to a local IP address. */
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/types.h>
-#include <linux/ip.h>
-#include <linux/timer.h>
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/netdevice.h>
-#include <linux/if.h>
-#include <linux/inetdevice.h>
-#include <net/protocol.h>
-#include <net/checksum.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter/x_tables.h>
-#include <net/netfilter/nf_nat.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
-/* FIXME: Take multiple ranges --RR */
-static int redirect_tg_check(const struct xt_tgchk_param *par)
-{
-        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
-        if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) {
-                pr_debug("bad MAP_IPS.\n");
-                return -EINVAL;
-        }
-        if (mr->rangesize != 1) {
-                pr_debug("bad rangesize %u.\n", mr->rangesize);
-                return -EINVAL;
-        }
-        return 0;
-}
-static unsigned int
-redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
-{
-        struct nf_conn *ct;
-        enum ip_conntrack_info ctinfo;
-        __be32 newdst;
-        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
-        struct nf_nat_range newrange;
-        NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
-                     par->hooknum == NF_INET_LOCAL_OUT);
-        ct = nf_ct_get(skb, &ctinfo);
-        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
-        /* Local packets: make them go to loopback */
-        if (par->hooknum == NF_INET_LOCAL_OUT)
-                newdst = htonl(0x7F000001);
-        else {
-                struct in_device *indev;
-                struct in_ifaddr *ifa;
-                newdst = 0;
-                rcu_read_lock();
-                indev = __in_dev_get_rcu(skb->dev);
-                if (indev && (ifa = indev->ifa_list))
-                        newdst = ifa->ifa_local;
-                rcu_read_unlock();
-                if (!newdst)
-                        return NF_DROP;
-        }
-        /* Transfer from original range. */
-        memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
-        memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
-        newrange.flags       = mr->range[0].flags | NF_NAT_RANGE_MAP_IPS;
-        newrange.min_addr.ip = newdst;
-        newrange.max_addr.ip = newdst;
-        newrange.min_proto   = mr->range[0].min;
-        newrange.max_proto   = mr->range[0].max;
-        /* Hand modified range to generic setup. */
-        return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
-}
-static struct xt_target redirect_tg_reg __read_mostly = {
-        .name           = "REDIRECT",
-        .family         = NFPROTO_IPV4,
-        .target         = redirect_tg,
-        .targetsize     = sizeof(struct nf_nat_ipv4_multi_range_compat),
-        .table          = "nat",
-        .hooks          = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
-        .checkentry     = redirect_tg_check,
-        .me             = THIS_MODULE,
-};
-static int __init redirect_tg_init(void)
-{
-        return xt_register_target(&redirect_tg_reg);
-}
-static void __exit redirect_tg_exit(void)
-{
-        xt_unregister_target(&redirect_tg_reg);
-}
-module_init(redirect_tg_init);
-module_exit(redirect_tg_exit);
author	David S. Miller <davem@davemloft.net>	2012-09-24 15:36:53 -0400
committer	David S. Miller <davem@davemloft.net>	2012-09-24 15:42:04 -0400
commit	ae4735166ee31e29fbf8615949dac9e56299b1fd (patch)
tree	ee39087a83e0e6d6aaab87e905ce6d170185e32d /net/ipv4
parent	2ddc7fe1cd1b2e0502f12b89c60b6e1ca66837dd (diff)
parent	6ee584be3ee30f72dec8a8ca87bc10824e27a631 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 131e53702e7..d8d6f2a5bf1 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -172,23 +172,20 @@ config IP_NF_TARGET_MASQUERADE
172	config IP_NF_TARGET_NETMAP	172	config IP_NF_TARGET_NETMAP
173	tristate "NETMAP target support"	173	tristate "NETMAP target support"
174	depends on NETFILTER_ADVANCED	174	depends on NETFILTER_ADVANCED
175	help	175	select NETFILTER_XT_TARGET_NETMAP
176	NETMAP is an implementation of static 1:1 NAT mapping of network	176	---help---
177	addresses. It maps the network address part, while keeping the host	177	This is a backwards-compat option for the user's convenience
178	address part intact.	178	(e.g. when running oldconfig). It selects
179		179	CONFIG_NETFILTER_XT_TARGET_NETMAP.
180	To compile it as a module, choose M here. If unsure, say N.
181		180
182	config IP_NF_TARGET_REDIRECT	181	config IP_NF_TARGET_REDIRECT
183	tristate "REDIRECT target support"	182	tristate "REDIRECT target support"
184	depends on NETFILTER_ADVANCED	183	depends on NETFILTER_ADVANCED
185	help	184	select NETFILTER_XT_TARGET_REDIRECT
186	REDIRECT is a special case of NAT: all incoming connections are	185	---help---
187	mapped onto the incoming interface's address, causing the packets to	186	This is a backwards-compat option for the user's convenience
188	come to the local machine instead of passing through. This is	187	(e.g. when running oldconfig). It selects
189	useful for transparent proxies.	188	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
190
191	To compile it as a module, choose M here. If unsure, say N.
192		189
193	endif	190	endif
194		191


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index b7dd1898723..007b128eecc 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -45,8 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
45	obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o	45	obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
46	obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o	46	obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
47	obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o	47	obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
48	obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
49	obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
50	obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o	48	obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
51	obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o	49	obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
52		50


diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c deleted file mode 100644 index 85028dc0425..00000000000 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ /dev/null
@@ -1,101 +0,0 @@
1	/* NETMAP - static NAT mapping of IP network addresses (1:1).
2	* The mapping can be applied to source (POSTROUTING),
3	* destination (PREROUTING), or both (with separate rules).
4	*/
5
6	/* (C) 2000-2001 Svenning Soerensen <svenning@post5.tele.dk>
7	*
8	* This program is free software; you can redistribute it and/or modify
9	* it under the terms of the GNU General Public License version 2 as
10	* published by the Free Software Foundation.
11	*/
12	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13	#include <linux/ip.h>
14	#include <linux/module.h>
15	#include <linux/netdevice.h>
16	#include <linux/netfilter.h>
17	#include <linux/netfilter_ipv4.h>
18	#include <linux/netfilter/x_tables.h>
19	#include <net/netfilter/nf_nat.h>
20
21	MODULE_LICENSE("GPL");
22	MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
23	MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
24
25	static int netmap_tg_check(const struct xt_tgchk_param *par)
26	{
27	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
28
29	if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
30	pr_debug("bad MAP_IPS.\n");
31	return -EINVAL;
32	}
33	if (mr->rangesize != 1) {
34	pr_debug("bad rangesize %u.\n", mr->rangesize);
35	return -EINVAL;
36	}
37	return 0;
38	}
39
40	static unsigned int
41	netmap_tg(struct sk_buff skb, const struct xt_action_param par)
42	{
43	struct nf_conn *ct;
44	enum ip_conntrack_info ctinfo;
45	__be32 new_ip, netmask;
46	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
47	struct nf_nat_range newrange;
48
49	NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING \|\|
50	par->hooknum == NF_INET_POST_ROUTING \|\|
51	par->hooknum == NF_INET_LOCAL_OUT \|\|
52	par->hooknum == NF_INET_LOCAL_IN);
53	ct = nf_ct_get(skb, &ctinfo);
54
55	netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
56
57	if (par->hooknum == NF_INET_PRE_ROUTING \|\|
58	par->hooknum == NF_INET_LOCAL_OUT)
59	new_ip = ip_hdr(skb)->daddr & ~netmask;
60	else
61	new_ip = ip_hdr(skb)->saddr & ~netmask;
62	new_ip \|= mr->range[0].min_ip & netmask;
63
64	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
65	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
66	newrange.flags = mr->range[0].flags \| NF_NAT_RANGE_MAP_IPS;
67	newrange.min_addr.ip = new_ip;
68	newrange.max_addr.ip = new_ip;
69	newrange.min_proto = mr->range[0].min;
70	newrange.max_proto = mr->range[0].max;
71
72	/* Hand modified range to generic setup. */
73	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
74	}
75
76	static struct xt_target netmap_tg_reg __read_mostly = {
77	.name = "NETMAP",
78	.family = NFPROTO_IPV4,
79	.target = netmap_tg,
80	.targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
81	.table = "nat",
82	.hooks = (1 << NF_INET_PRE_ROUTING) \|
83	(1 << NF_INET_POST_ROUTING) \|
84	(1 << NF_INET_LOCAL_OUT) \|
85	(1 << NF_INET_LOCAL_IN),
86	.checkentry = netmap_tg_check,
87	.me = THIS_MODULE
88	};
89
90	static int __init netmap_tg_init(void)
91	{
92	return xt_register_target(&netmap_tg_reg);
93	}
94
95	static void __exit netmap_tg_exit(void)
96	{
97	xt_unregister_target(&netmap_tg_reg);
98	}
99
100	module_init(netmap_tg_init);
101	module_exit(netmap_tg_exit);


diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c deleted file mode 100644 index 11407d7d247..00000000000 --- a/net/ipv4/netfilter/ipt_REDIRECT.c +++ /dev/null
@@ -1,113 +0,0 @@
1	/* Redirect. Simple mapping which alters dst to a local IP address. */
2	/* (C) 1999-2001 Paul `Rusty' Russell
3	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of the GNU General Public License version 2 as
7	* published by the Free Software Foundation.
8	*/
9	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10	#include <linux/types.h>
11	#include <linux/ip.h>
12	#include <linux/timer.h>
13	#include <linux/module.h>
14	#include <linux/netfilter.h>
15	#include <linux/netdevice.h>
16	#include <linux/if.h>
17	#include <linux/inetdevice.h>
18	#include <net/protocol.h>
19	#include <net/checksum.h>
20	#include <linux/netfilter_ipv4.h>
21	#include <linux/netfilter/x_tables.h>
22	#include <net/netfilter/nf_nat.h>
23
24	MODULE_LICENSE("GPL");
25	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
26	MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
27
28	/* FIXME: Take multiple ranges --RR */
29	static int redirect_tg_check(const struct xt_tgchk_param *par)
30	{
31	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
32
33	if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) {
34	pr_debug("bad MAP_IPS.\n");
35	return -EINVAL;
36	}
37	if (mr->rangesize != 1) {
38	pr_debug("bad rangesize %u.\n", mr->rangesize);
39	return -EINVAL;
40	}
41	return 0;
42	}
43
44	static unsigned int
45	redirect_tg(struct sk_buff skb, const struct xt_action_param par)
46	{
47	struct nf_conn *ct;
48	enum ip_conntrack_info ctinfo;
49	__be32 newdst;
50	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
51	struct nf_nat_range newrange;
52
53	NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING \|\|
54	par->hooknum == NF_INET_LOCAL_OUT);
55
56	ct = nf_ct_get(skb, &ctinfo);
57	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED));
58
59	/* Local packets: make them go to loopback */
60	if (par->hooknum == NF_INET_LOCAL_OUT)
61	newdst = htonl(0x7F000001);
62	else {
63	struct in_device *indev;
64	struct in_ifaddr *ifa;
65
66	newdst = 0;
67
68	rcu_read_lock();
69	indev = __in_dev_get_rcu(skb->dev);
70	if (indev && (ifa = indev->ifa_list))
71	newdst = ifa->ifa_local;
72	rcu_read_unlock();
73
74	if (!newdst)
75	return NF_DROP;
76	}
77
78	/* Transfer from original range. */
79	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
80	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
81	newrange.flags = mr->range[0].flags \| NF_NAT_RANGE_MAP_IPS;
82	newrange.min_addr.ip = newdst;
83	newrange.max_addr.ip = newdst;
84	newrange.min_proto = mr->range[0].min;
85	newrange.max_proto = mr->range[0].max;
86
87	/* Hand modified range to generic setup. */
88	return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
89	}
90
91	static struct xt_target redirect_tg_reg __read_mostly = {
92	.name = "REDIRECT",
93	.family = NFPROTO_IPV4,
94	.target = redirect_tg,
95	.targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
96	.table = "nat",
97	.hooks = (1 << NF_INET_PRE_ROUTING) \| (1 << NF_INET_LOCAL_OUT),
98	.checkentry = redirect_tg_check,
99	.me = THIS_MODULE,
100	};
101
102	static int __init redirect_tg_init(void)
103	{
104	return xt_register_target(&redirect_tg_reg);
105	}
106
107	static void __exit redirect_tg_exit(void)
108	{
109	xt_unregister_target(&redirect_tg_reg);
110	}
111
112	module_init(redirect_tg_init);
113	module_exit(redirect_tg_exit);