Merge branch 'master' of git://1984.lsi.us.es/nf-next

Pablo Neira Ayuso says: ==================== This patchset contains updates for your net-next tree, they are: * Mostly fixes for the recently pushed IPv6 NAT support: - Fix crash while removing nf_nat modules from Patrick McHardy. - Fix unbalanced rcu_read_unlock from Ulrich Weber. - Merge NETMAP and REDIRECT into one single xt_target module, from Jan Engelhardt. - Fix Kconfig for IPv6 NAT, which allows inconsistent configurations, from myself. * Updates for ipset, all of the from Jozsef Kadlecsik: - Add the new "nomatch" option to obtain reverse set matching. - Support for /0 CIDR in hash:net,iface set type. - One non-critical fix for a rare crash due to pass really wrong configuration parameters. - Coding style cleanups. - Sparse fixes. - Add set revision supported via modinfo.i * One extension for the xt_time match, to support matching during the transition between two days with one single rule, from Florian Westphal. * Fix maximum packet length supported by nfnetlink_queue and add NFQA_CAP_LEN attribute, from myself. You can notice that this batch contains a couple of fixes that may go to 3.6-rc but I don't consider them critical to push them: * The ipset fix for the /0 cidr case, which is triggered with one inconsistent command line invocation of ipset. * The nfnetlink_queue maximum packet length supported since it requires the new NFQA_CAP_LEN attribute to provide a full workaround for the described problem. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2012-09-24 15:36:53 -0400
committer: David S. Miller <davem@davemloft.net> 2012-09-24 15:42:04 -0400
commit: ae4735166ee31e29fbf8615949dac9e56299b1fd (patch)
tree: ee39087a83e0e6d6aaab87e905ce6d170185e32d /net/ipv6
parent: 2ddc7fe1cd1b2e0502f12b89c60b6e1ca66837dd (diff)
parent: 6ee584be3ee30f72dec8a8ca87bc10824e27a631 (diff)
4 files changed, 36 insertions, 249 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 3b73254d7bf..c72532a60d8 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -25,18 +25,6 @@ config NF_CONNTRACK_IPV6
          To compile it as a module, choose M here.  If unsure, say N.
-config NF_NAT_IPV6
-        tristate "IPv6 NAT"
-        depends on NF_CONNTRACK_IPV6
-        depends on NETFILTER_ADVANCED
-        select NF_NAT
-        help
-          The IPv6 NAT option allows masquerading, port forwarding and other
-          forms of full Network Address Port Translation. It is controlled by
-          the `nat' table in ip6tables, see the man page for ip6tables(8).
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_IPTABLES
        tristate "IP6 tables support (required for filtering)"
        depends on INET && IPV6
@@ -144,48 +132,6 @@ config IP6_NF_TARGET_HL
        (e.g. when running oldconfig). It selects
        CONFIG_NETFILTER_XT_TARGET_HL.
-config IP6_NF_TARGET_MASQUERADE
-        tristate "MASQUERADE target support"
-        depends on NF_NAT_IPV6
-        help
-          Masquerading is a special case of NAT: all outgoing connections are
-          changed to seem to come from a particular interface's address, and
-          if the interface goes down, those connections are lost.  This is
-          only useful for dialup accounts with dynamic IP address (ie. your IP
-          address will be different on next dialup).
-          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_TARGET_NETMAP
-        tristate "NETMAP target support"
-        depends on NF_NAT_IPV6
-        help
-          NETMAP is an implementation of static 1:1 NAT mapping of network
-          addresses. It maps the network address part, while keeping the host
-          address part intact.
-          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_TARGET_REDIRECT
-        tristate "REDIRECT target support"
-        depends on NF_NAT_IPV6
-        help
-          REDIRECT is a special case of NAT: all incoming connections are
-          mapped onto the incoming interface's address, causing the packets to
-          come to the local machine instead of passing through.  This is
-          useful for transparent proxies.
-          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_TARGET_NPT
-        tristate "NPT (Network Prefix translation) target support"
-        depends on NETFILTER_ADVANCED
-        help
-          This option adds the `SNPT' and `DNPT' target, which perform
-          stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_FILTER
        tristate "Packet filtering"
        default m if NETFILTER_ADVANCED=n
@@ -235,9 +181,44 @@ config IP6_NF_SECURITY
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (MAC) policy.
-        
         If unsure, say N.
+config NF_NAT_IPV6
+        tristate "IPv6 NAT"
+        depends on NF_CONNTRACK_IPV6
+        depends on NETFILTER_ADVANCED
+        select NF_NAT
+        help
+          The IPv6 NAT option allows masquerading, port forwarding and other
+          forms of full Network Address Port Translation. It is controlled by
+          the `nat' table in ip6tables, see the man page for ip6tables(8).
+          To compile it as a module, choose M here.  If unsure, say N.
+if NF_NAT_IPV6
+config IP6_NF_TARGET_MASQUERADE
+        tristate "MASQUERADE target support"
+        help
+          Masquerading is a special case of NAT: all outgoing connections are
+          changed to seem to come from a particular interface's address, and
+          if the interface goes down, those connections are lost.  This is
+          only useful for dialup accounts with dynamic IP address (ie. your IP
+          address will be different on next dialup).
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP6_NF_TARGET_NPT
+        tristate "NPT (Network Prefix translation) target support"
+        help
+          This option adds the `SNPT' and `DNPT' target, which perform
+          stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
+          To compile it as a module, choose M here.  If unsure, say N.
+endif # NF_NAT_IPV6
 endif # IP6_NF_IPTABLES
 endmenu
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 5752132ca15..2d11fcc2cf3 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -35,7 +35,5 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
 # targets
 obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
-obj-$(CONFIG_IP6_NF_TARGET_NETMAP) += ip6t_NETMAP.o
 obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o
-obj-$(CONFIG_IP6_NF_TARGET_REDIRECT) += ip6t_REDIRECT.o
 obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
diff --git a/net/ipv6/netfilter/ip6t_NETMAP.c b/net/ipv6/netfilter/ip6t_NETMAP.c
deleted file mode 100644
index 4f3bf360e50..00000000000
--- a/net/ipv6/netfilter/ip6t_NETMAP.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Based on Svenning Soerensen's IPv4 NETMAP target. Development of IPv6
- * NAT funded by Astaro.
- */
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/ipv6.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter/x_tables.h>
-#include <net/netfilter/nf_nat.h>
-static unsigned int
-netmap_tg6(struct sk_buff *skb, const struct xt_action_param *par)
-{
-        const struct nf_nat_range *range = par->targinfo;
-        struct nf_nat_range newrange;
-        struct nf_conn *ct;
-        enum ip_conntrack_info ctinfo;
-        union nf_inet_addr new_addr, netmask;
-        unsigned int i;
-        ct = nf_ct_get(skb, &ctinfo);
-        for (i = 0; i < ARRAY_SIZE(range->min_addr.ip6); i++)
-                netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
-                                   range->max_addr.ip6[i]);
-        if (par->hooknum == NF_INET_PRE_ROUTING ||
-            par->hooknum == NF_INET_LOCAL_OUT)
-                new_addr.in6 = ipv6_hdr(skb)->daddr;
-        else
-                new_addr.in6 = ipv6_hdr(skb)->saddr;
-        for (i = 0; i < ARRAY_SIZE(new_addr.ip6); i++) {
-                new_addr.ip6[i] &= ~netmask.ip6[i];
-                new_addr.ip6[i] |= range->min_addr.ip6[i] &
-                                   netmask.ip6[i];
-        }
-        newrange.flags  = range->flags | NF_NAT_RANGE_MAP_IPS;
-        newrange.min_addr       = new_addr;
-        newrange.max_addr       = new_addr;
-        newrange.min_proto      = range->min_proto;
-        newrange.max_proto      = range->max_proto;
-        return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
-}
-static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
-{
-        const struct nf_nat_range *range = par->targinfo;
-        if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
-                return -EINVAL;
-        return 0;
-}
-static struct xt_target netmap_tg6_reg __read_mostly = {
-        .name           = "NETMAP",
-        .family         = NFPROTO_IPV6,
-        .target         = netmap_tg6,
-        .targetsize     = sizeof(struct nf_nat_range),
-        .table          = "nat",
-        .hooks          = (1 << NF_INET_PRE_ROUTING) |
-                          (1 << NF_INET_POST_ROUTING) |
-                          (1 << NF_INET_LOCAL_OUT) |
-                          (1 << NF_INET_LOCAL_IN),
-        .checkentry     = netmap_tg6_checkentry,
-        .me             = THIS_MODULE,
-};
-static int __init netmap_tg6_init(void)
-{
-        return xt_register_target(&netmap_tg6_reg);
-}
-static void netmap_tg6_exit(void)
-{
-        xt_unregister_target(&netmap_tg6_reg);
-}
-module_init(netmap_tg6_init);
-module_exit(netmap_tg6_exit);
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv6 subnets");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
diff --git a/net/ipv6/netfilter/ip6t_REDIRECT.c b/net/ipv6/netfilter/ip6t_REDIRECT.c
deleted file mode 100644
index 60497a3c600..00000000000
--- a/net/ipv6/netfilter/ip6t_REDIRECT.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6
- * NAT funded by Astaro.
- */
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter/x_tables.h>
-#include <net/addrconf.h>
-#include <net/netfilter/nf_nat.h>
-static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
-static unsigned int
-redirect_tg6(struct sk_buff *skb, const struct xt_action_param *par)
-{
-        const struct nf_nat_range *range = par->targinfo;
-        struct nf_nat_range newrange;
-        struct in6_addr newdst;
-        enum ip_conntrack_info ctinfo;
-        struct nf_conn *ct;
-        ct = nf_ct_get(skb, &ctinfo);
-        if (par->hooknum == NF_INET_LOCAL_OUT)
-                newdst = loopback_addr;
-        else {
-                struct inet6_dev *idev;
-                struct inet6_ifaddr *ifa;
-                bool addr = false;
-                rcu_read_lock();
-                idev = __in6_dev_get(skb->dev);
-                if (idev != NULL) {
-                        list_for_each_entry(ifa, &idev->addr_list, if_list) {
-                                newdst = ifa->addr;
-                                addr = true;
-                                break;
-                        }
-                }
-                rcu_read_unlock();
-                if (!addr)
-                        return NF_DROP;
-        }
-        newrange.flags          = range->flags | NF_NAT_RANGE_MAP_IPS;
-        newrange.min_addr.in6   = newdst;
-        newrange.max_addr.in6   = newdst;
-        newrange.min_proto      = range->min_proto;
-        newrange.max_proto      = range->max_proto;
-        return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
-}
-static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
-{
-        const struct nf_nat_range *range = par->targinfo;
-        if (range->flags & NF_NAT_RANGE_MAP_IPS)
-                return -EINVAL;
-        return 0;
-}
-static struct xt_target redirect_tg6_reg __read_mostly = {
-        .name           = "REDIRECT",
-        .family         = NFPROTO_IPV6,
-        .checkentry     = redirect_tg6_checkentry,
-        .target         = redirect_tg6,
-        .targetsize     = sizeof(struct nf_nat_range),
-        .table          = "nat",
-        .hooks          = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
-        .me             = THIS_MODULE,
-};
-static int __init redirect_tg6_init(void)
-{
-        return xt_register_target(&redirect_tg6_reg);
-}
-static void __exit redirect_tg6_exit(void)
-{
-        xt_unregister_target(&redirect_tg6_reg);
-}
-module_init(redirect_tg6_init);
-module_exit(redirect_tg6_exit);
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
author	David S. Miller <davem@davemloft.net>	2012-09-24 15:36:53 -0400
committer	David S. Miller <davem@davemloft.net>	2012-09-24 15:42:04 -0400
commit	ae4735166ee31e29fbf8615949dac9e56299b1fd (patch)
tree	ee39087a83e0e6d6aaab87e905ce6d170185e32d /net/ipv6
parent	2ddc7fe1cd1b2e0502f12b89c60b6e1ca66837dd (diff)
parent	6ee584be3ee30f72dec8a8ca87bc10824e27a631 (diff)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 3b73254d7bf..c72532a60d8 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -25,18 +25,6 @@ config NF_CONNTRACK_IPV6
25		25
26	To compile it as a module, choose M here. If unsure, say N.	26	To compile it as a module, choose M here. If unsure, say N.
27		27
28	config NF_NAT_IPV6
29	tristate "IPv6 NAT"
30	depends on NF_CONNTRACK_IPV6
31	depends on NETFILTER_ADVANCED
32	select NF_NAT
33	help
34	The IPv6 NAT option allows masquerading, port forwarding and other
35	forms of full Network Address Port Translation. It is controlled by
36	the `nat' table in ip6tables, see the man page for ip6tables(8).
37
38	To compile it as a module, choose M here. If unsure, say N.
39
40	config IP6_NF_IPTABLES	28	config IP6_NF_IPTABLES
41	tristate "IP6 tables support (required for filtering)"	29	tristate "IP6 tables support (required for filtering)"
42	depends on INET && IPV6	30	depends on INET && IPV6
@@ -144,48 +132,6 @@ config IP6_NF_TARGET_HL
144	(e.g. when running oldconfig). It selects	132	(e.g. when running oldconfig). It selects
145	CONFIG_NETFILTER_XT_TARGET_HL.	133	CONFIG_NETFILTER_XT_TARGET_HL.
146		134
147	config IP6_NF_TARGET_MASQUERADE
148	tristate "MASQUERADE target support"
149	depends on NF_NAT_IPV6
150	help
151	Masquerading is a special case of NAT: all outgoing connections are
152	changed to seem to come from a particular interface's address, and
153	if the interface goes down, those connections are lost. This is
154	only useful for dialup accounts with dynamic IP address (ie. your IP
155	address will be different on next dialup).
156
157	To compile it as a module, choose M here. If unsure, say N.
158
159	config IP6_NF_TARGET_NETMAP
160	tristate "NETMAP target support"
161	depends on NF_NAT_IPV6
162	help
163	NETMAP is an implementation of static 1:1 NAT mapping of network
164	addresses. It maps the network address part, while keeping the host
165	address part intact.
166
167	To compile it as a module, choose M here. If unsure, say N.
168
169	config IP6_NF_TARGET_REDIRECT
170	tristate "REDIRECT target support"
171	depends on NF_NAT_IPV6
172	help
173	REDIRECT is a special case of NAT: all incoming connections are
174	mapped onto the incoming interface's address, causing the packets to
175	come to the local machine instead of passing through. This is
176	useful for transparent proxies.
177
178	To compile it as a module, choose M here. If unsure, say N.
179
180	config IP6_NF_TARGET_NPT
181	tristate "NPT (Network Prefix translation) target support"
182	depends on NETFILTER_ADVANCED
183	help
184	This option adds the `SNPT' and `DNPT' target, which perform
185	stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
186
187	To compile it as a module, choose M here. If unsure, say N.
188
189	config IP6_NF_FILTER	135	config IP6_NF_FILTER
190	tristate "Packet filtering"	136	tristate "Packet filtering"
191	default m if NETFILTER_ADVANCED=n	137	default m if NETFILTER_ADVANCED=n
@@ -235,9 +181,44 @@ config IP6_NF_SECURITY
235	help	181	help
236	This option adds a `security' table to iptables, for use	182	This option adds a `security' table to iptables, for use
237	with Mandatory Access Control (MAC) policy.	183	with Mandatory Access Control (MAC) policy.
238		184
239	If unsure, say N.	185	If unsure, say N.
240		186
		187	config NF_NAT_IPV6
		188	tristate "IPv6 NAT"
		189	depends on NF_CONNTRACK_IPV6
		190	depends on NETFILTER_ADVANCED
		191	select NF_NAT
		192	help
		193	The IPv6 NAT option allows masquerading, port forwarding and other
		194	forms of full Network Address Port Translation. It is controlled by
		195	the `nat' table in ip6tables, see the man page for ip6tables(8).
		196
		197	To compile it as a module, choose M here. If unsure, say N.
		198
		199	if NF_NAT_IPV6
		200
		201	config IP6_NF_TARGET_MASQUERADE
		202	tristate "MASQUERADE target support"
		203	help
		204	Masquerading is a special case of NAT: all outgoing connections are
		205	changed to seem to come from a particular interface's address, and
		206	if the interface goes down, those connections are lost. This is
		207	only useful for dialup accounts with dynamic IP address (ie. your IP
		208	address will be different on next dialup).
		209
		210	To compile it as a module, choose M here. If unsure, say N.
		211
		212	config IP6_NF_TARGET_NPT
		213	tristate "NPT (Network Prefix translation) target support"
		214	help
		215	This option adds the `SNPT' and `DNPT' target, which perform
		216	stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
		217
		218	To compile it as a module, choose M here. If unsure, say N.
		219
		220	endif # NF_NAT_IPV6
		221
241	endif # IP6_NF_IPTABLES	222	endif # IP6_NF_IPTABLES
242		223
243	endmenu	224	endmenu


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index 5752132ca15..2d11fcc2cf3 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -35,7 +35,5 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
35		35
36	# targets	36	# targets
37	obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o	37	obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
38	obj-$(CONFIG_IP6_NF_TARGET_NETMAP) += ip6t_NETMAP.o
39	obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o	38	obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o
40	obj-$(CONFIG_IP6_NF_TARGET_REDIRECT) += ip6t_REDIRECT.o
41	obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o	39	obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o


diff --git a/net/ipv6/netfilter/ip6t_NETMAP.c b/net/ipv6/netfilter/ip6t_NETMAP.c deleted file mode 100644 index 4f3bf360e50..00000000000 --- a/net/ipv6/netfilter/ip6t_NETMAP.c +++ /dev/null
@@ -1,94 +0,0 @@
1	/*
2	* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
3	*
4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License version 2 as
6	* published by the Free Software Foundation.
7	*
8	* Based on Svenning Soerensen's IPv4 NETMAP target. Development of IPv6
9	* NAT funded by Astaro.
10	*/
11
12	#include <linux/kernel.h>
13	#include <linux/module.h>
14	#include <linux/ipv6.h>
15	#include <linux/netfilter.h>
16	#include <linux/netfilter_ipv6.h>
17	#include <linux/netfilter/x_tables.h>
18	#include <net/netfilter/nf_nat.h>
19
20	static unsigned int
21	netmap_tg6(struct sk_buff skb, const struct xt_action_param par)
22	{
23	const struct nf_nat_range *range = par->targinfo;
24	struct nf_nat_range newrange;
25	struct nf_conn *ct;
26	enum ip_conntrack_info ctinfo;
27	union nf_inet_addr new_addr, netmask;
28	unsigned int i;
29
30	ct = nf_ct_get(skb, &ctinfo);
31	for (i = 0; i < ARRAY_SIZE(range->min_addr.ip6); i++)
32	netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
33	range->max_addr.ip6[i]);
34
35	if (par->hooknum == NF_INET_PRE_ROUTING \|\|
36	par->hooknum == NF_INET_LOCAL_OUT)
37	new_addr.in6 = ipv6_hdr(skb)->daddr;
38	else
39	new_addr.in6 = ipv6_hdr(skb)->saddr;
40
41	for (i = 0; i < ARRAY_SIZE(new_addr.ip6); i++) {
42	new_addr.ip6[i] &= ~netmask.ip6[i];
43	new_addr.ip6[i] \|= range->min_addr.ip6[i] &
44	netmask.ip6[i];
45	}
46
47	newrange.flags = range->flags \| NF_NAT_RANGE_MAP_IPS;
48	newrange.min_addr = new_addr;
49	newrange.max_addr = new_addr;
50	newrange.min_proto = range->min_proto;
51	newrange.max_proto = range->max_proto;
52
53	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
54	}
55
56	static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
57	{
58	const struct nf_nat_range *range = par->targinfo;
59
60	if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
61	return -EINVAL;
62	return 0;
63	}
64
65	static struct xt_target netmap_tg6_reg __read_mostly = {
66	.name = "NETMAP",
67	.family = NFPROTO_IPV6,
68	.target = netmap_tg6,
69	.targetsize = sizeof(struct nf_nat_range),
70	.table = "nat",
71	.hooks = (1 << NF_INET_PRE_ROUTING) \|
72	(1 << NF_INET_POST_ROUTING) \|
73	(1 << NF_INET_LOCAL_OUT) \|
74	(1 << NF_INET_LOCAL_IN),
75	.checkentry = netmap_tg6_checkentry,
76	.me = THIS_MODULE,
77	};
78
79	static int __init netmap_tg6_init(void)
80	{
81	return xt_register_target(&netmap_tg6_reg);
82	}
83
84	static void netmap_tg6_exit(void)
85	{
86	xt_unregister_target(&netmap_tg6_reg);
87	}
88
89	module_init(netmap_tg6_init);
90	module_exit(netmap_tg6_exit);
91
92	MODULE_LICENSE("GPL");
93	MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv6 subnets");
94	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");


diff --git a/net/ipv6/netfilter/ip6t_REDIRECT.c b/net/ipv6/netfilter/ip6t_REDIRECT.c deleted file mode 100644 index 60497a3c600..00000000000 --- a/net/ipv6/netfilter/ip6t_REDIRECT.c +++ /dev/null
@@ -1,98 +0,0 @@
1	/*
2	* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
3	*
4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License version 2 as
6	* published by the Free Software Foundation.
7	*
8	* Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6
9	* NAT funded by Astaro.
10	*/
11
12	#include <linux/kernel.h>
13	#include <linux/module.h>
14	#include <linux/netfilter.h>
15	#include <linux/netfilter_ipv6.h>
16	#include <linux/netfilter/x_tables.h>
17	#include <net/addrconf.h>
18	#include <net/netfilter/nf_nat.h>
19
20	static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
21
22	static unsigned int
23	redirect_tg6(struct sk_buff skb, const struct xt_action_param par)
24	{
25	const struct nf_nat_range *range = par->targinfo;
26	struct nf_nat_range newrange;
27	struct in6_addr newdst;
28	enum ip_conntrack_info ctinfo;
29	struct nf_conn *ct;
30
31	ct = nf_ct_get(skb, &ctinfo);
32	if (par->hooknum == NF_INET_LOCAL_OUT)
33	newdst = loopback_addr;
34	else {
35	struct inet6_dev *idev;
36	struct inet6_ifaddr *ifa;
37	bool addr = false;
38
39	rcu_read_lock();
40	idev = __in6_dev_get(skb->dev);
41	if (idev != NULL) {
42	list_for_each_entry(ifa, &idev->addr_list, if_list) {
43	newdst = ifa->addr;
44	addr = true;
45	break;
46	}
47	}
48	rcu_read_unlock();
49
50	if (!addr)
51	return NF_DROP;
52	}
53
54	newrange.flags = range->flags \| NF_NAT_RANGE_MAP_IPS;
55	newrange.min_addr.in6 = newdst;
56	newrange.max_addr.in6 = newdst;
57	newrange.min_proto = range->min_proto;
58	newrange.max_proto = range->max_proto;
59
60	return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
61	}
62
63	static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
64	{
65	const struct nf_nat_range *range = par->targinfo;
66
67	if (range->flags & NF_NAT_RANGE_MAP_IPS)
68	return -EINVAL;
69	return 0;
70	}
71
72	static struct xt_target redirect_tg6_reg __read_mostly = {
73	.name = "REDIRECT",
74	.family = NFPROTO_IPV6,
75	.checkentry = redirect_tg6_checkentry,
76	.target = redirect_tg6,
77	.targetsize = sizeof(struct nf_nat_range),
78	.table = "nat",
79	.hooks = (1 << NF_INET_PRE_ROUTING) \| (1 << NF_INET_LOCAL_OUT),
80	.me = THIS_MODULE,
81	};
82
83	static int __init redirect_tg6_init(void)
84	{
85	return xt_register_target(&redirect_tg6_reg);
86	}
87
88	static void __exit redirect_tg6_exit(void)
89	{
90	xt_unregister_target(&redirect_tg6_reg);
91	}
92
93	module_init(redirect_tg6_init);
94	module_exit(redirect_tg6_exit);
95
96	MODULE_LICENSE("GPL");
97	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
98	MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");