netfilter: nft_reject: split up reject module into IPv4 and IPv6 specifc parts

Currently the nft_reject module depends on symbols from ipv6. This is wrong since no generic module should force IPv6 support to be loaded. Split up the module into AF-specific and a generic part. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2014-02-05 10:03:38 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-02-06 03:44:10 -0500
commit: cc4723ca316742891954efa346298e7c747c0d17 (patch)
tree: 998eae9bbf8de6eeeb75c633921b8ab2e28cc258
parent: 64d46806b6218c97f68742c5663a8ae3a5fbe838 (diff)
9 files changed, 187 insertions, 81 deletions
diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h
new file mode 100644
index 000000000000..ecda75945e77
--- /dev/null
+++ b/include/net/netfilter/nft_reject.h
@@ -0,0 +1,17 @@
+#ifndef _NFT_REJECT_H_
+#define _NFT_REJECT_H_
+struct nft_reject {
+        enum nft_reject_types   type:8;
+        u8                      icmp_code;
+};
+extern const struct nla_policy nft_reject_policy[];
+int nft_reject_init(const struct nft_ctx *ctx,
+                    const struct nft_expr *expr,
+                    const struct nlattr * const tb[]);
+int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
+#endif
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 81c6910cfa92..a26ce035e3fa 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -61,6 +61,11 @@ config NFT_CHAIN_NAT_IPV4
          packet transformations such as the source, destination address and
          source and destination ports.
+config NFT_REJECT_IPV4
+        depends on NF_TABLES_IPV4
+        default NFT_REJECT
+        tristate
 config NF_TABLES_ARP
        depends on NF_TABLES
        tristate "ARP nf_tables support"
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index c16be9d58420..90b82405331e 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -30,6 +30,7 @@ obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
 obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
+obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
 obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
 # generic IP tables 
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
new file mode 100644
index 000000000000..e935d8de1182
--- /dev/null
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/icmp.h>
+#include <net/netfilter/ipv4/nf_reject.h>
+#include <net/netfilter/nft_reject.h>
+static void nft_reject_ipv4_eval(const struct nft_expr *expr,
+                                 struct nft_data data[NFT_REG_MAX + 1],
+                                 const struct nft_pktinfo *pkt)
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                nf_send_unreach(pkt->skb, priv->icmp_code);
+                break;
+        case NFT_REJECT_TCP_RST:
+                nf_send_reset(pkt->skb, pkt->ops->hooknum);
+                break;
+        }
+        data[NFT_REG_VERDICT].verdict = NF_DROP;
+}
+static struct nft_expr_type nft_reject_ipv4_type;
+static const struct nft_expr_ops nft_reject_ipv4_ops = {
+        .type           = &nft_reject_ipv4_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+        .eval           = nft_reject_ipv4_eval,
+        .init           = nft_reject_init,
+        .dump           = nft_reject_dump,
+};
+static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {
+        .family         = NFPROTO_IPV4,
+        .name           = "reject",
+        .ops            = &nft_reject_ipv4_ops,
+        .policy         = nft_reject_policy,
+        .maxattr        = NFTA_REJECT_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_reject_ipv4_module_init(void)
+{
+        return nft_register_expr(&nft_reject_ipv4_type);
+}
+static void __exit nft_reject_ipv4_module_exit(void)
+{
+        nft_unregister_expr(&nft_reject_ipv4_type);
+}
+module_init(nft_reject_ipv4_module_init);
+module_exit(nft_reject_ipv4_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject");
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 35750df744dc..4bff1f297e39 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -50,6 +50,11 @@ config NFT_CHAIN_NAT_IPV6
          packet transformations such as the source, destination address and
          source and destination ports.
+config NFT_REJECT_IPV6
+        depends on NF_TABLES_IPV6
+        default NFT_REJECT
+        tristate
 config IP6_NF_IPTABLES
        tristate "IP6 tables support (required for filtering)"
        depends on INET && IPV6
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index d1b4928f34f7..70d3dd66f2cd 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -27,6 +27,7 @@ obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
 obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
+obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
 # matches
 obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c
new file mode 100644
index 000000000000..f73285924144
--- /dev/null
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_reject.h>
+#include <net/netfilter/ipv6/nf_reject.h>
+static void nft_reject_ipv6_eval(const struct nft_expr *expr,
+                                 struct nft_data data[NFT_REG_MAX + 1],
+                                 const struct nft_pktinfo *pkt)
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                nf_send_unreach6(net, pkt->skb, priv->icmp_code,
+                                 pkt->ops->hooknum);
+                break;
+        case NFT_REJECT_TCP_RST:
+                nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
+                break;
+        }
+        data[NFT_REG_VERDICT].verdict = NF_DROP;
+}
+static struct nft_expr_type nft_reject_ipv6_type;
+static const struct nft_expr_ops nft_reject_ipv6_ops = {
+        .type           = &nft_reject_ipv6_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+        .eval           = nft_reject_ipv6_eval,
+        .init           = nft_reject_init,
+        .dump           = nft_reject_dump,
+};
+static struct nft_expr_type nft_reject_ipv6_type __read_mostly = {
+        .family         = NFPROTO_IPV6,
+        .name           = "reject",
+        .ops            = &nft_reject_ipv6_ops,
+        .policy         = nft_reject_policy,
+        .maxattr        = NFTA_REJECT_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_reject_ipv6_module_init(void)
+{
+        return nft_register_expr(&nft_reject_ipv6_type);
+}
+static void __exit nft_reject_ipv6_module_exit(void)
+{
+        nft_unregister_expr(&nft_reject_ipv6_type);
+}
+module_init(nft_reject_ipv6_module_init);
+module_exit(nft_reject_ipv6_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject");
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index c37467562fd0..ed8b50e62276 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -513,7 +513,6 @@ config NFT_QUEUE
 config NFT_REJECT
        depends on NF_TABLES
-        depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6
        default m if NETFILTER_ADVANCED=n
        tristate "Netfilter nf_tables reject support"
        help
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
index 5e204711d704..f3448c296446 100644
--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -16,65 +16,23 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables.h>
-#include <net/icmp.h>
+#include <net/netfilter/nft_reject.h>
-#include <net/netfilter/ipv4/nf_reject.h>
-#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
-#include <net/netfilter/ipv6/nf_reject.h>
-#endif
-struct nft_reject {
-        enum nft_reject_types   type:8;
-        u8                      icmp_code;
-        u8                      family;
-};
-static void nft_reject_eval(const struct nft_expr *expr,
-                              struct nft_data data[NFT_REG_MAX + 1],
-                              const struct nft_pktinfo *pkt)
-{
-        struct nft_reject *priv = nft_expr_priv(expr);
-#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
-        struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
-#endif
-        switch (priv->type) {
-        case NFT_REJECT_ICMP_UNREACH:
-                if (priv->family == NFPROTO_IPV4)
-                        nf_send_unreach(pkt->skb, priv->icmp_code);
-#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
-                else if (priv->family == NFPROTO_IPV6)
-                        nf_send_unreach6(net, pkt->skb, priv->icmp_code,
-                                      pkt->ops->hooknum);
-#endif
-                break;
-        case NFT_REJECT_TCP_RST:
-                if (priv->family == NFPROTO_IPV4)
-                        nf_send_reset(pkt->skb, pkt->ops->hooknum);
-#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
-                else if (priv->family == NFPROTO_IPV6)
-                        nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
-#endif
-                break;
-        }
-        data[NFT_REG_VERDICT].verdict = NF_DROP;
-}
-static const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
        [NFTA_REJECT_TYPE]              = { .type = NLA_U32 },
        [NFTA_REJECT_ICMP_CODE]         = { .type = NLA_U8 },
 };
+EXPORT_SYMBOL_GPL(nft_reject_policy);
-static int nft_reject_init(const struct nft_ctx *ctx,
+int nft_reject_init(const struct nft_ctx *ctx,
-                           const struct nft_expr *expr,
+                    const struct nft_expr *expr,
-                           const struct nlattr * const tb[])
+                    const struct nlattr * const tb[])
 {
        struct nft_reject *priv = nft_expr_priv(expr);
        if (tb[NFTA_REJECT_TYPE] == NULL)
                return -EINVAL;
-        priv->family = ctx->afi->family;
        priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
        switch (priv->type) {
        case NFT_REJECT_ICMP_UNREACH:
@@ -89,8 +47,9 @@ static int nft_reject_init(const struct nft_ctx *ctx,
        return 0;
 }
+EXPORT_SYMBOL_GPL(nft_reject_init);
-static int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
+int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
        const struct nft_reject *priv = nft_expr_priv(expr);
@@ -109,37 +68,7 @@ static int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
 nla_put_failure:
        return -1;
 }
+EXPORT_SYMBOL_GPL(nft_reject_dump);
-static struct nft_expr_type nft_reject_type;
-static const struct nft_expr_ops nft_reject_ops = {
-        .type           = &nft_reject_type,
-        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
-        .eval           = nft_reject_eval,
-        .init           = nft_reject_init,
-        .dump           = nft_reject_dump,
-};
-static struct nft_expr_type nft_reject_type __read_mostly = {
-        .name           = "reject",
-        .ops            = &nft_reject_ops,
-        .policy         = nft_reject_policy,
-        .maxattr        = NFTA_REJECT_MAX,
-        .owner          = THIS_MODULE,
-};
-static int __init nft_reject_module_init(void)
-{
-        return nft_register_expr(&nft_reject_type);
-}
-static void __exit nft_reject_module_exit(void)
-{
-        nft_unregister_expr(&nft_reject_type);
-}
-module_init(nft_reject_module_init);
-module_exit(nft_reject_module_exit);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_ALIAS_NFT_EXPR("reject");
author	Patrick McHardy <kaber@trash.net>	2014-02-05 10:03:38 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-02-06 03:44:10 -0500
commit	cc4723ca316742891954efa346298e7c747c0d17 (patch)
tree	998eae9bbf8de6eeeb75c633921b8ab2e28cc258
parent	64d46806b6218c97f68742c5663a8ae3a5fbe838 (diff)

diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h new file mode 100644 index 000000000000..ecda75945e77 --- /dev/null +++ b/include/net/netfilter/nft_reject.h
@@ -0,0 +1,17 @@
		1	#ifndef _NFT_REJECT_H_
		2	#define _NFT_REJECT_H_
		3
		4	struct nft_reject {
		5	enum nft_reject_types type:8;
		6	u8 icmp_code;
		7	};
		8
		9	extern const struct nla_policy nft_reject_policy[];
		10
		11	int nft_reject_init(const struct nft_ctx *ctx,
		12	const struct nft_expr *expr,
		13	const struct nlattr * const tb[]);
		14
		15	int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr);
		16
		17	#endif


diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 81c6910cfa92..a26ce035e3fa 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -61,6 +61,11 @@ config NFT_CHAIN_NAT_IPV4
61	packet transformations such as the source, destination address and	61	packet transformations such as the source, destination address and
62	source and destination ports.	62	source and destination ports.
63		63
		64	config NFT_REJECT_IPV4
		65	depends on NF_TABLES_IPV4
		66	default NFT_REJECT
		67	tristate
		68
64	config NF_TABLES_ARP	69	config NF_TABLES_ARP
65	depends on NF_TABLES	70	depends on NF_TABLES
66	tristate "ARP nf_tables support"	71	tristate "ARP nf_tables support"


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index c16be9d58420..90b82405331e 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -30,6 +30,7 @@ obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
30	obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o	30	obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
31	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o	31	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
32	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o	32	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
		33	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
33	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o	34	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
34		35
35	# generic IP tables	36	# generic IP tables


diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c new file mode 100644 index 000000000000..e935d8de1182 --- /dev/null +++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -0,0 +1,74 @@
		1	/*
		2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
		3	* Copyright (c) 2013 Eric Leblond <eric@regit.org>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*
		9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
		10	*/
		11
		12	#include <linux/kernel.h>
		13	#include <linux/init.h>
		14	#include <linux/module.h>
		15	#include <linux/netlink.h>
		16	#include <linux/netfilter.h>
		17	#include <linux/netfilter/nf_tables.h>
		18	#include <net/netfilter/nf_tables.h>
		19	#include <net/icmp.h>
		20	#include <net/netfilter/ipv4/nf_reject.h>
		21	#include <net/netfilter/nft_reject.h>
		22
		23	static void nft_reject_ipv4_eval(const struct nft_expr *expr,
		24	struct nft_data data[NFT_REG_MAX + 1],
		25	const struct nft_pktinfo *pkt)
		26	{
		27	struct nft_reject *priv = nft_expr_priv(expr);
		28
		29	switch (priv->type) {
		30	case NFT_REJECT_ICMP_UNREACH:
		31	nf_send_unreach(pkt->skb, priv->icmp_code);
		32	break;
		33	case NFT_REJECT_TCP_RST:
		34	nf_send_reset(pkt->skb, pkt->ops->hooknum);
		35	break;
		36	}
		37
		38	data[NFT_REG_VERDICT].verdict = NF_DROP;
		39	}
		40
		41	static struct nft_expr_type nft_reject_ipv4_type;
		42	static const struct nft_expr_ops nft_reject_ipv4_ops = {
		43	.type = &nft_reject_ipv4_type,
		44	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
		45	.eval = nft_reject_ipv4_eval,
		46	.init = nft_reject_init,
		47	.dump = nft_reject_dump,
		48	};
		49
		50	static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {
		51	.family = NFPROTO_IPV4,
		52	.name = "reject",
		53	.ops = &nft_reject_ipv4_ops,
		54	.policy = nft_reject_policy,
		55	.maxattr = NFTA_REJECT_MAX,
		56	.owner = THIS_MODULE,
		57	};
		58
		59	static int __init nft_reject_ipv4_module_init(void)
		60	{
		61	return nft_register_expr(&nft_reject_ipv4_type);
		62	}
		63
		64	static void __exit nft_reject_ipv4_module_exit(void)
		65	{
		66	nft_unregister_expr(&nft_reject_ipv4_type);
		67	}
		68
		69	module_init(nft_reject_ipv4_module_init);
		70	module_exit(nft_reject_ipv4_module_exit);
		71
		72	MODULE_LICENSE("GPL");
		73	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		74	MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject");


diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 35750df744dc..4bff1f297e39 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -50,6 +50,11 @@ config NFT_CHAIN_NAT_IPV6
50	packet transformations such as the source, destination address and	50	packet transformations such as the source, destination address and
51	source and destination ports.	51	source and destination ports.
52		52
		53	config NFT_REJECT_IPV6
		54	depends on NF_TABLES_IPV6
		55	default NFT_REJECT
		56	tristate
		57
53	config IP6_NF_IPTABLES	58	config IP6_NF_IPTABLES
54	tristate "IP6 tables support (required for filtering)"	59	tristate "IP6 tables support (required for filtering)"
55	depends on INET && IPV6	60	depends on INET && IPV6


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index d1b4928f34f7..70d3dd66f2cd 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -27,6 +27,7 @@ obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
27	obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o	27	obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
28	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o	28	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
29	obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o	29	obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
		30	obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
30		31
31	# matches	32	# matches
32	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o	33	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o


diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c new file mode 100644 index 000000000000..f73285924144 --- /dev/null +++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -0,0 +1,75 @@
		1	/*
		2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
		3	* Copyright (c) 2013 Eric Leblond <eric@regit.org>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*
		9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
		10	*/
		11
		12	#include <linux/kernel.h>
		13	#include <linux/init.h>
		14	#include <linux/module.h>
		15	#include <linux/netlink.h>
		16	#include <linux/netfilter.h>
		17	#include <linux/netfilter/nf_tables.h>
		18	#include <net/netfilter/nf_tables.h>
		19	#include <net/netfilter/nft_reject.h>
		20	#include <net/netfilter/ipv6/nf_reject.h>
		21
		22	static void nft_reject_ipv6_eval(const struct nft_expr *expr,
		23	struct nft_data data[NFT_REG_MAX + 1],
		24	const struct nft_pktinfo *pkt)
		25	{
		26	struct nft_reject *priv = nft_expr_priv(expr);
		27	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
		28
		29	switch (priv->type) {
		30	case NFT_REJECT_ICMP_UNREACH:
		31	nf_send_unreach6(net, pkt->skb, priv->icmp_code,
		32	pkt->ops->hooknum);
		33	break;
		34	case NFT_REJECT_TCP_RST:
		35	nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
		36	break;
		37	}
		38
		39	data[NFT_REG_VERDICT].verdict = NF_DROP;
		40	}
		41
		42	static struct nft_expr_type nft_reject_ipv6_type;
		43	static const struct nft_expr_ops nft_reject_ipv6_ops = {
		44	.type = &nft_reject_ipv6_type,
		45	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
		46	.eval = nft_reject_ipv6_eval,
		47	.init = nft_reject_init,
		48	.dump = nft_reject_dump,
		49	};
		50
		51	static struct nft_expr_type nft_reject_ipv6_type __read_mostly = {
		52	.family = NFPROTO_IPV6,
		53	.name = "reject",
		54	.ops = &nft_reject_ipv6_ops,
		55	.policy = nft_reject_policy,
		56	.maxattr = NFTA_REJECT_MAX,
		57	.owner = THIS_MODULE,
		58	};
		59
		60	static int __init nft_reject_ipv6_module_init(void)
		61	{
		62	return nft_register_expr(&nft_reject_ipv6_type);
		63	}
		64
		65	static void __exit nft_reject_ipv6_module_exit(void)
		66	{
		67	nft_unregister_expr(&nft_reject_ipv6_type);
		68	}
		69
		70	module_init(nft_reject_ipv6_module_init);
		71	module_exit(nft_reject_ipv6_module_exit);
		72
		73	MODULE_LICENSE("GPL");
		74	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		75	MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject");


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index c37467562fd0..ed8b50e62276 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -513,7 +513,6 @@ config NFT_QUEUE
513		513
514	config NFT_REJECT	514	config NFT_REJECT
515	depends on NF_TABLES	515	depends on NF_TABLES
516	depends on NF_TABLES_IPV6 \|\| !NF_TABLES_IPV6
517	default m if NETFILTER_ADVANCED=n	516	default m if NETFILTER_ADVANCED=n
518	tristate "Netfilter nf_tables reject support"	517	tristate "Netfilter nf_tables reject support"
519	help	518	help


diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c index 5e204711d704..f3448c296446 100644 --- a/net/netfilter/nft_reject.c +++ b/net/netfilter/nft_reject.c
@@ -16,65 +16,23 @@
16	#include <linux/netfilter.h>	16	#include <linux/netfilter.h>
17	#include <linux/netfilter/nf_tables.h>	17	#include <linux/netfilter/nf_tables.h>
18	#include <net/netfilter/nf_tables.h>	18	#include <net/netfilter/nf_tables.h>
19	#include <net/icmp.h>	19	#include <net/netfilter/nft_reject.h>
20	#include <net/netfilter/ipv4/nf_reject.h>
21		20
22	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)	21	const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
23	#include <net/netfilter/ipv6/nf_reject.h>
24	#endif
25
26	struct nft_reject {
27	enum nft_reject_types type:8;
28	u8 icmp_code;
29	u8 family;
30	};
31
32	static void nft_reject_eval(const struct nft_expr *expr,
33	struct nft_data data[NFT_REG_MAX + 1],
34	const struct nft_pktinfo *pkt)
35	{
36	struct nft_reject *priv = nft_expr_priv(expr);
37	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
38	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
39	#endif
40	switch (priv->type) {
41	case NFT_REJECT_ICMP_UNREACH:
42	if (priv->family == NFPROTO_IPV4)
43	nf_send_unreach(pkt->skb, priv->icmp_code);
44	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
45	else if (priv->family == NFPROTO_IPV6)
46	nf_send_unreach6(net, pkt->skb, priv->icmp_code,
47	pkt->ops->hooknum);
48	#endif
49	break;
50	case NFT_REJECT_TCP_RST:
51	if (priv->family == NFPROTO_IPV4)
52	nf_send_reset(pkt->skb, pkt->ops->hooknum);
53	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
54	else if (priv->family == NFPROTO_IPV6)
55	nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
56	#endif
57	break;
58	}
59
60	data[NFT_REG_VERDICT].verdict = NF_DROP;
61	}
62
63	static const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
64	[NFTA_REJECT_TYPE] = { .type = NLA_U32 },	22	[NFTA_REJECT_TYPE] = { .type = NLA_U32 },
65	[NFTA_REJECT_ICMP_CODE] = { .type = NLA_U8 },	23	[NFTA_REJECT_ICMP_CODE] = { .type = NLA_U8 },
66	};	24	};
		25	EXPORT_SYMBOL_GPL(nft_reject_policy);
67		26
68	static int nft_reject_init(const struct nft_ctx *ctx,	27	int nft_reject_init(const struct nft_ctx *ctx,
69	const struct nft_expr *expr,	28	const struct nft_expr *expr,
70	const struct nlattr * const tb[])	29	const struct nlattr * const tb[])
71	{	30	{
72	struct nft_reject *priv = nft_expr_priv(expr);	31	struct nft_reject *priv = nft_expr_priv(expr);
73		32
74	if (tb[NFTA_REJECT_TYPE] == NULL)	33	if (tb[NFTA_REJECT_TYPE] == NULL)
75	return -EINVAL;	34	return -EINVAL;
76		35
77	priv->family = ctx->afi->family;
78	priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));	36	priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
79	switch (priv->type) {	37	switch (priv->type) {
80	case NFT_REJECT_ICMP_UNREACH:	38	case NFT_REJECT_ICMP_UNREACH:
@@ -89,8 +47,9 @@ static int nft_reject_init(const struct nft_ctx *ctx,
89		47
90	return 0;	48	return 0;
91	}	49	}
		50	EXPORT_SYMBOL_GPL(nft_reject_init);
92		51
93	static int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr)	52	int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr)
94	{	53	{
95	const struct nft_reject *priv = nft_expr_priv(expr);	54	const struct nft_reject *priv = nft_expr_priv(expr);
96		55
@@ -109,37 +68,7 @@ static int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr)
109	nla_put_failure:	68	nla_put_failure:
110	return -1;	69	return -1;
111	}	70	}
112		71	EXPORT_SYMBOL_GPL(nft_reject_dump);
113	static struct nft_expr_type nft_reject_type;
114	static const struct nft_expr_ops nft_reject_ops = {
115	.type = &nft_reject_type,
116	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
117	.eval = nft_reject_eval,
118	.init = nft_reject_init,
119	.dump = nft_reject_dump,
120	};
121
122	static struct nft_expr_type nft_reject_type __read_mostly = {
123	.name = "reject",
124	.ops = &nft_reject_ops,
125	.policy = nft_reject_policy,
126	.maxattr = NFTA_REJECT_MAX,
127	.owner = THIS_MODULE,
128	};
129
130	static int __init nft_reject_module_init(void)
131	{
132	return nft_register_expr(&nft_reject_type);
133	}
134
135	static void __exit nft_reject_module_exit(void)
136	{
137	nft_unregister_expr(&nft_reject_type);
138	}
139
140	module_init(nft_reject_module_init);
141	module_exit(nft_reject_module_exit);
142		72
143	MODULE_LICENSE("GPL");	73	MODULE_LICENSE("GPL");
144	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");	74	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
145	MODULE_ALIAS_NFT_EXPR("reject");