diff options
author | David S. Miller <davem@davemloft.net> | 2011-12-25 02:21:45 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-12-25 02:21:45 -0500 |
commit | c5e1fd8ccae09f574d6f978c90c2b968ee29030c (patch) | |
tree | e4485dc086ce76c4ff2ff551246255f5de0a250b /net/ipv4 | |
parent | 60b778ce519625102d3f72a2071ea72a05e990ce (diff) | |
parent | ceb98d03eac5704820f2ac1f370c9ff385e3a9f5 (diff) |
Merge branch 'nf-next' of git://1984.lsi.us.es/net-next
Diffstat (limited to 'net/ipv4')
24 files changed, 278 insertions, 187 deletions
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index 46339ba7a2d3..799fc790b3cf 100644 --- a/net/ipv4/fib_rules.c +++ b/net/ipv4/fib_rules.c | |||
@@ -67,6 +67,7 @@ int fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res) | |||
67 | 67 | ||
68 | return err; | 68 | return err; |
69 | } | 69 | } |
70 | EXPORT_SYMBOL_GPL(fib_lookup); | ||
70 | 71 | ||
71 | static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp, | 72 | static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp, |
72 | int flags, struct fib_lookup_arg *arg) | 73 | int flags, struct fib_lookup_arg *arg) |
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c index 37b671185c81..d04b13ae18fe 100644 --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c | |||
@@ -1607,6 +1607,7 @@ found: | |||
1607 | rcu_read_unlock(); | 1607 | rcu_read_unlock(); |
1608 | return ret; | 1608 | return ret; |
1609 | } | 1609 | } |
1610 | EXPORT_SYMBOL_GPL(fib_table_lookup); | ||
1610 | 1611 | ||
1611 | /* | 1612 | /* |
1612 | * Remove the leaf and return parent. | 1613 | * Remove the leaf and return parent. |
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index f19f2182894c..7e1f5cdaf11e 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
@@ -82,6 +82,16 @@ config IP_NF_MATCH_ECN | |||
82 | 82 | ||
83 | To compile it as a module, choose M here. If unsure, say N. | 83 | To compile it as a module, choose M here. If unsure, say N. |
84 | 84 | ||
85 | config IP_NF_MATCH_RPFILTER | ||
86 | tristate '"rpfilter" reverse path filter match support' | ||
87 | depends on NETFILTER_ADVANCED | ||
88 | ---help--- | ||
89 | This option allows you to match packets whose replies would | ||
90 | go out via the interface the packet came in. | ||
91 | |||
92 | To compile it as a module, choose M here. If unsure, say N. | ||
93 | The module will be called ipt_rpfilter. | ||
94 | |||
85 | config IP_NF_MATCH_TTL | 95 | config IP_NF_MATCH_TTL |
86 | tristate '"ttl" match support' | 96 | tristate '"ttl" match support' |
87 | depends on NETFILTER_ADVANCED | 97 | depends on NETFILTER_ADVANCED |
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index dca2082ec683..123dd88cea53 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
@@ -50,6 +50,7 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o | |||
50 | # matches | 50 | # matches |
51 | obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o | 51 | obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o |
52 | obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o | 52 | obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o |
53 | obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o | ||
53 | 54 | ||
54 | # targets | 55 | # targets |
55 | obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o | 56 | obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o |
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index 9931152a78b5..2f210c79dc87 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c | |||
@@ -30,9 +30,9 @@ MODULE_DESCRIPTION("Xtables: automatic-address SNAT"); | |||
30 | /* FIXME: Multiple targets. --RR */ | 30 | /* FIXME: Multiple targets. --RR */ |
31 | static int masquerade_tg_check(const struct xt_tgchk_param *par) | 31 | static int masquerade_tg_check(const struct xt_tgchk_param *par) |
32 | { | 32 | { |
33 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 33 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
34 | 34 | ||
35 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 35 | if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) { |
36 | pr_debug("bad MAP_IPS.\n"); | 36 | pr_debug("bad MAP_IPS.\n"); |
37 | return -EINVAL; | 37 | return -EINVAL; |
38 | } | 38 | } |
@@ -49,8 +49,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
49 | struct nf_conn *ct; | 49 | struct nf_conn *ct; |
50 | struct nf_conn_nat *nat; | 50 | struct nf_conn_nat *nat; |
51 | enum ip_conntrack_info ctinfo; | 51 | enum ip_conntrack_info ctinfo; |
52 | struct nf_nat_range newrange; | 52 | struct nf_nat_ipv4_range newrange; |
53 | const struct nf_nat_multi_range_compat *mr; | 53 | const struct nf_nat_ipv4_multi_range_compat *mr; |
54 | const struct rtable *rt; | 54 | const struct rtable *rt; |
55 | __be32 newsrc; | 55 | __be32 newsrc; |
56 | 56 | ||
@@ -79,13 +79,13 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
79 | nat->masq_index = par->out->ifindex; | 79 | nat->masq_index = par->out->ifindex; |
80 | 80 | ||
81 | /* Transfer from original range. */ | 81 | /* Transfer from original range. */ |
82 | newrange = ((struct nf_nat_range) | 82 | newrange = ((struct nf_nat_ipv4_range) |
83 | { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS, | 83 | { mr->range[0].flags | NF_NAT_RANGE_MAP_IPS, |
84 | newsrc, newsrc, | 84 | newsrc, newsrc, |
85 | mr->range[0].min, mr->range[0].max }); | 85 | mr->range[0].min, mr->range[0].max }); |
86 | 86 | ||
87 | /* Hand modified range to generic setup. */ | 87 | /* Hand modified range to generic setup. */ |
88 | return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_SRC); | 88 | return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC); |
89 | } | 89 | } |
90 | 90 | ||
91 | static int | 91 | static int |
@@ -139,7 +139,7 @@ static struct xt_target masquerade_tg_reg __read_mostly = { | |||
139 | .name = "MASQUERADE", | 139 | .name = "MASQUERADE", |
140 | .family = NFPROTO_IPV4, | 140 | .family = NFPROTO_IPV4, |
141 | .target = masquerade_tg, | 141 | .target = masquerade_tg, |
142 | .targetsize = sizeof(struct nf_nat_multi_range_compat), | 142 | .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat), |
143 | .table = "nat", | 143 | .table = "nat", |
144 | .hooks = 1 << NF_INET_POST_ROUTING, | 144 | .hooks = 1 << NF_INET_POST_ROUTING, |
145 | .checkentry = masquerade_tg_check, | 145 | .checkentry = masquerade_tg_check, |
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c index 6cdb298f1035..b5bfbbabf70d 100644 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ b/net/ipv4/netfilter/ipt_NETMAP.c | |||
@@ -24,9 +24,9 @@ MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); | |||
24 | 24 | ||
25 | static int netmap_tg_check(const struct xt_tgchk_param *par) | 25 | static int netmap_tg_check(const struct xt_tgchk_param *par) |
26 | { | 26 | { |
27 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 27 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
28 | 28 | ||
29 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { | 29 | if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) { |
30 | pr_debug("bad MAP_IPS.\n"); | 30 | pr_debug("bad MAP_IPS.\n"); |
31 | return -EINVAL; | 31 | return -EINVAL; |
32 | } | 32 | } |
@@ -43,8 +43,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
43 | struct nf_conn *ct; | 43 | struct nf_conn *ct; |
44 | enum ip_conntrack_info ctinfo; | 44 | enum ip_conntrack_info ctinfo; |
45 | __be32 new_ip, netmask; | 45 | __be32 new_ip, netmask; |
46 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 46 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
47 | struct nf_nat_range newrange; | 47 | struct nf_nat_ipv4_range newrange; |
48 | 48 | ||
49 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || | 49 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || |
50 | par->hooknum == NF_INET_POST_ROUTING || | 50 | par->hooknum == NF_INET_POST_ROUTING || |
@@ -61,8 +61,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
61 | new_ip = ip_hdr(skb)->saddr & ~netmask; | 61 | new_ip = ip_hdr(skb)->saddr & ~netmask; |
62 | new_ip |= mr->range[0].min_ip & netmask; | 62 | new_ip |= mr->range[0].min_ip & netmask; |
63 | 63 | ||
64 | newrange = ((struct nf_nat_range) | 64 | newrange = ((struct nf_nat_ipv4_range) |
65 | { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS, | 65 | { mr->range[0].flags | NF_NAT_RANGE_MAP_IPS, |
66 | new_ip, new_ip, | 66 | new_ip, new_ip, |
67 | mr->range[0].min, mr->range[0].max }); | 67 | mr->range[0].min, mr->range[0].max }); |
68 | 68 | ||
@@ -74,7 +74,7 @@ static struct xt_target netmap_tg_reg __read_mostly = { | |||
74 | .name = "NETMAP", | 74 | .name = "NETMAP", |
75 | .family = NFPROTO_IPV4, | 75 | .family = NFPROTO_IPV4, |
76 | .target = netmap_tg, | 76 | .target = netmap_tg, |
77 | .targetsize = sizeof(struct nf_nat_multi_range_compat), | 77 | .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat), |
78 | .table = "nat", | 78 | .table = "nat", |
79 | .hooks = (1 << NF_INET_PRE_ROUTING) | | 79 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
80 | (1 << NF_INET_POST_ROUTING) | | 80 | (1 << NF_INET_POST_ROUTING) | |
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c index 18a0656505a0..7c0103a5203e 100644 --- a/net/ipv4/netfilter/ipt_REDIRECT.c +++ b/net/ipv4/netfilter/ipt_REDIRECT.c | |||
@@ -28,9 +28,9 @@ MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); | |||
28 | /* FIXME: Take multiple ranges --RR */ | 28 | /* FIXME: Take multiple ranges --RR */ |
29 | static int redirect_tg_check(const struct xt_tgchk_param *par) | 29 | static int redirect_tg_check(const struct xt_tgchk_param *par) |
30 | { | 30 | { |
31 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 31 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
32 | 32 | ||
33 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 33 | if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) { |
34 | pr_debug("bad MAP_IPS.\n"); | 34 | pr_debug("bad MAP_IPS.\n"); |
35 | return -EINVAL; | 35 | return -EINVAL; |
36 | } | 36 | } |
@@ -47,8 +47,8 @@ redirect_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
47 | struct nf_conn *ct; | 47 | struct nf_conn *ct; |
48 | enum ip_conntrack_info ctinfo; | 48 | enum ip_conntrack_info ctinfo; |
49 | __be32 newdst; | 49 | __be32 newdst; |
50 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 50 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
51 | struct nf_nat_range newrange; | 51 | struct nf_nat_ipv4_range newrange; |
52 | 52 | ||
53 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || | 53 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || |
54 | par->hooknum == NF_INET_LOCAL_OUT); | 54 | par->hooknum == NF_INET_LOCAL_OUT); |
@@ -76,20 +76,20 @@ redirect_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
76 | } | 76 | } |
77 | 77 | ||
78 | /* Transfer from original range. */ | 78 | /* Transfer from original range. */ |
79 | newrange = ((struct nf_nat_range) | 79 | newrange = ((struct nf_nat_ipv4_range) |
80 | { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS, | 80 | { mr->range[0].flags | NF_NAT_RANGE_MAP_IPS, |
81 | newdst, newdst, | 81 | newdst, newdst, |
82 | mr->range[0].min, mr->range[0].max }); | 82 | mr->range[0].min, mr->range[0].max }); |
83 | 83 | ||
84 | /* Hand modified range to generic setup. */ | 84 | /* Hand modified range to generic setup. */ |
85 | return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_DST); | 85 | return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST); |
86 | } | 86 | } |
87 | 87 | ||
88 | static struct xt_target redirect_tg_reg __read_mostly = { | 88 | static struct xt_target redirect_tg_reg __read_mostly = { |
89 | .name = "REDIRECT", | 89 | .name = "REDIRECT", |
90 | .family = NFPROTO_IPV4, | 90 | .family = NFPROTO_IPV4, |
91 | .target = redirect_tg, | 91 | .target = redirect_tg, |
92 | .targetsize = sizeof(struct nf_nat_multi_range_compat), | 92 | .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat), |
93 | .table = "nat", | 93 | .table = "nat", |
94 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT), | 94 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT), |
95 | .checkentry = redirect_tg_check, | 95 | .checkentry = redirect_tg_check, |
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c new file mode 100644 index 000000000000..31371be8174b --- /dev/null +++ b/net/ipv4/netfilter/ipt_rpfilter.c | |||
@@ -0,0 +1,141 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2011 Florian Westphal <fw@strlen.de> | ||
3 | * | ||
4 | * This program is free software; you can redistribute it and/or modify | ||
5 | * it under the terms of the GNU General Public License version 2 as | ||
6 | * published by the Free Software Foundation. | ||
7 | * | ||
8 | * based on fib_frontend.c; Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> | ||
9 | */ | ||
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
11 | #include <linux/module.h> | ||
12 | #include <linux/skbuff.h> | ||
13 | #include <linux/netdevice.h> | ||
14 | #include <linux/ip.h> | ||
15 | #include <net/ip.h> | ||
16 | #include <net/ip_fib.h> | ||
17 | #include <net/route.h> | ||
18 | |||
19 | #include <linux/netfilter/xt_rpfilter.h> | ||
20 | #include <linux/netfilter/x_tables.h> | ||
21 | |||
22 | MODULE_LICENSE("GPL"); | ||
23 | MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); | ||
24 | MODULE_DESCRIPTION("iptables: ipv4 reverse path filter match"); | ||
25 | |||
26 | /* don't try to find route from mcast/bcast/zeronet */ | ||
27 | static __be32 rpfilter_get_saddr(__be32 addr) | ||
28 | { | ||
29 | if (ipv4_is_multicast(addr) || ipv4_is_lbcast(addr) || | ||
30 | ipv4_is_zeronet(addr)) | ||
31 | return 0; | ||
32 | return addr; | ||
33 | } | ||
34 | |||
35 | static bool rpfilter_lookup_reverse(struct flowi4 *fl4, | ||
36 | const struct net_device *dev, u8 flags) | ||
37 | { | ||
38 | struct fib_result res; | ||
39 | bool dev_match; | ||
40 | struct net *net = dev_net(dev); | ||
41 | int ret __maybe_unused; | ||
42 | |||
43 | if (fib_lookup(net, fl4, &res)) | ||
44 | return false; | ||
45 | |||
46 | if (res.type != RTN_UNICAST) { | ||
47 | if (res.type != RTN_LOCAL || !(flags & XT_RPFILTER_ACCEPT_LOCAL)) | ||
48 | return false; | ||
49 | } | ||
50 | dev_match = false; | ||
51 | #ifdef CONFIG_IP_ROUTE_MULTIPATH | ||
52 | for (ret = 0; ret < res.fi->fib_nhs; ret++) { | ||
53 | struct fib_nh *nh = &res.fi->fib_nh[ret]; | ||
54 | |||
55 | if (nh->nh_dev == dev) { | ||
56 | dev_match = true; | ||
57 | break; | ||
58 | } | ||
59 | } | ||
60 | #else | ||
61 | if (FIB_RES_DEV(res) == dev) | ||
62 | dev_match = true; | ||
63 | #endif | ||
64 | if (dev_match || flags & XT_RPFILTER_LOOSE) | ||
65 | return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST; | ||
66 | return dev_match; | ||
67 | } | ||
68 | |||
69 | static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) | ||
70 | { | ||
71 | const struct xt_rpfilter_info *info; | ||
72 | const struct iphdr *iph; | ||
73 | struct flowi4 flow; | ||
74 | bool invert; | ||
75 | |||
76 | info = par->matchinfo; | ||
77 | invert = info->flags & XT_RPFILTER_INVERT; | ||
78 | |||
79 | if (par->in->flags & IFF_LOOPBACK) | ||
80 | return true ^ invert; | ||
81 | |||
82 | iph = ip_hdr(skb); | ||
83 | if (ipv4_is_multicast(iph->daddr)) { | ||
84 | if (ipv4_is_zeronet(iph->saddr)) | ||
85 | return ipv4_is_local_multicast(iph->daddr) ^ invert; | ||
86 | flow.flowi4_iif = 0; | ||
87 | } else { | ||
88 | flow.flowi4_iif = dev_net(par->in)->loopback_dev->ifindex; | ||
89 | } | ||
90 | |||
91 | flow.daddr = iph->saddr; | ||
92 | flow.saddr = rpfilter_get_saddr(iph->daddr); | ||
93 | flow.flowi4_oif = 0; | ||
94 | flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; | ||
95 | flow.flowi4_tos = RT_TOS(iph->tos); | ||
96 | flow.flowi4_scope = RT_SCOPE_UNIVERSE; | ||
97 | |||
98 | return rpfilter_lookup_reverse(&flow, par->in, info->flags) ^ invert; | ||
99 | } | ||
100 | |||
101 | static int rpfilter_check(const struct xt_mtchk_param *par) | ||
102 | { | ||
103 | const struct xt_rpfilter_info *info = par->matchinfo; | ||
104 | unsigned int options = ~XT_RPFILTER_OPTION_MASK; | ||
105 | if (info->flags & options) { | ||
106 | pr_info("unknown options encountered"); | ||
107 | return -EINVAL; | ||
108 | } | ||
109 | |||
110 | if (strcmp(par->table, "mangle") != 0 && | ||
111 | strcmp(par->table, "raw") != 0) { | ||
112 | pr_info("match only valid in the \'raw\' " | ||
113 | "or \'mangle\' tables, not \'%s\'.\n", par->table); | ||
114 | return -EINVAL; | ||
115 | } | ||
116 | |||
117 | return 0; | ||
118 | } | ||
119 | |||
120 | static struct xt_match rpfilter_mt_reg __read_mostly = { | ||
121 | .name = "rpfilter", | ||
122 | .family = NFPROTO_IPV4, | ||
123 | .checkentry = rpfilter_check, | ||
124 | .match = rpfilter_mt, | ||
125 | .matchsize = sizeof(struct xt_rpfilter_info), | ||
126 | .hooks = (1 << NF_INET_PRE_ROUTING), | ||
127 | .me = THIS_MODULE | ||
128 | }; | ||
129 | |||
130 | static int __init rpfilter_mt_init(void) | ||
131 | { | ||
132 | return xt_register_match(&rpfilter_mt_reg); | ||
133 | } | ||
134 | |||
135 | static void __exit rpfilter_mt_exit(void) | ||
136 | { | ||
137 | xt_unregister_match(&rpfilter_mt_reg); | ||
138 | } | ||
139 | |||
140 | module_init(rpfilter_mt_init); | ||
141 | module_exit(rpfilter_mt_exit); | ||
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 447bc5cfdc6c..acdd002bb540 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c | |||
@@ -30,7 +30,6 @@ | |||
30 | #include <net/netfilter/nf_nat_helper.h> | 30 | #include <net/netfilter/nf_nat_helper.h> |
31 | #include <net/netfilter/nf_conntrack_helper.h> | 31 | #include <net/netfilter/nf_conntrack_helper.h> |
32 | #include <net/netfilter/nf_conntrack_l3proto.h> | 32 | #include <net/netfilter/nf_conntrack_l3proto.h> |
33 | #include <net/netfilter/nf_conntrack_l4proto.h> | ||
34 | #include <net/netfilter/nf_conntrack_zones.h> | 33 | #include <net/netfilter/nf_conntrack_zones.h> |
35 | 34 | ||
36 | static DEFINE_SPINLOCK(nf_nat_lock); | 35 | static DEFINE_SPINLOCK(nf_nat_lock); |
@@ -57,7 +56,7 @@ hash_by_src(const struct net *net, u16 zone, | |||
57 | /* Original src, to ensure we map it consistently if poss. */ | 56 | /* Original src, to ensure we map it consistently if poss. */ |
58 | hash = jhash_3words((__force u32)tuple->src.u3.ip, | 57 | hash = jhash_3words((__force u32)tuple->src.u3.ip, |
59 | (__force u32)tuple->src.u.all ^ zone, | 58 | (__force u32)tuple->src.u.all ^ zone, |
60 | tuple->dst.protonum, 0); | 59 | tuple->dst.protonum, nf_conntrack_hash_rnd); |
61 | return ((u64)hash * net->ipv4.nat_htable_size) >> 32; | 60 | return ((u64)hash * net->ipv4.nat_htable_size) >> 32; |
62 | } | 61 | } |
63 | 62 | ||
@@ -82,14 +81,14 @@ EXPORT_SYMBOL(nf_nat_used_tuple); | |||
82 | * that meet the constraints of range. */ | 81 | * that meet the constraints of range. */ |
83 | static int | 82 | static int |
84 | in_range(const struct nf_conntrack_tuple *tuple, | 83 | in_range(const struct nf_conntrack_tuple *tuple, |
85 | const struct nf_nat_range *range) | 84 | const struct nf_nat_ipv4_range *range) |
86 | { | 85 | { |
87 | const struct nf_nat_protocol *proto; | 86 | const struct nf_nat_protocol *proto; |
88 | int ret = 0; | 87 | int ret = 0; |
89 | 88 | ||
90 | /* If we are supposed to map IPs, then we must be in the | 89 | /* If we are supposed to map IPs, then we must be in the |
91 | range specified, otherwise let this drag us onto a new src IP. */ | 90 | range specified, otherwise let this drag us onto a new src IP. */ |
92 | if (range->flags & IP_NAT_RANGE_MAP_IPS) { | 91 | if (range->flags & NF_NAT_RANGE_MAP_IPS) { |
93 | if (ntohl(tuple->src.u3.ip) < ntohl(range->min_ip) || | 92 | if (ntohl(tuple->src.u3.ip) < ntohl(range->min_ip) || |
94 | ntohl(tuple->src.u3.ip) > ntohl(range->max_ip)) | 93 | ntohl(tuple->src.u3.ip) > ntohl(range->max_ip)) |
95 | return 0; | 94 | return 0; |
@@ -97,8 +96,8 @@ in_range(const struct nf_conntrack_tuple *tuple, | |||
97 | 96 | ||
98 | rcu_read_lock(); | 97 | rcu_read_lock(); |
99 | proto = __nf_nat_proto_find(tuple->dst.protonum); | 98 | proto = __nf_nat_proto_find(tuple->dst.protonum); |
100 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || | 99 | if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) || |
101 | proto->in_range(tuple, IP_NAT_MANIP_SRC, | 100 | proto->in_range(tuple, NF_NAT_MANIP_SRC, |
102 | &range->min, &range->max)) | 101 | &range->min, &range->max)) |
103 | ret = 1; | 102 | ret = 1; |
104 | rcu_read_unlock(); | 103 | rcu_read_unlock(); |
@@ -123,7 +122,7 @@ static int | |||
123 | find_appropriate_src(struct net *net, u16 zone, | 122 | find_appropriate_src(struct net *net, u16 zone, |
124 | const struct nf_conntrack_tuple *tuple, | 123 | const struct nf_conntrack_tuple *tuple, |
125 | struct nf_conntrack_tuple *result, | 124 | struct nf_conntrack_tuple *result, |
126 | const struct nf_nat_range *range) | 125 | const struct nf_nat_ipv4_range *range) |
127 | { | 126 | { |
128 | unsigned int h = hash_by_src(net, zone, tuple); | 127 | unsigned int h = hash_by_src(net, zone, tuple); |
129 | const struct nf_conn_nat *nat; | 128 | const struct nf_conn_nat *nat; |
@@ -157,7 +156,7 @@ find_appropriate_src(struct net *net, u16 zone, | |||
157 | */ | 156 | */ |
158 | static void | 157 | static void |
159 | find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, | 158 | find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, |
160 | const struct nf_nat_range *range, | 159 | const struct nf_nat_ipv4_range *range, |
161 | const struct nf_conn *ct, | 160 | const struct nf_conn *ct, |
162 | enum nf_nat_manip_type maniptype) | 161 | enum nf_nat_manip_type maniptype) |
163 | { | 162 | { |
@@ -166,10 +165,10 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, | |||
166 | u_int32_t minip, maxip, j; | 165 | u_int32_t minip, maxip, j; |
167 | 166 | ||
168 | /* No IP mapping? Do nothing. */ | 167 | /* No IP mapping? Do nothing. */ |
169 | if (!(range->flags & IP_NAT_RANGE_MAP_IPS)) | 168 | if (!(range->flags & NF_NAT_RANGE_MAP_IPS)) |
170 | return; | 169 | return; |
171 | 170 | ||
172 | if (maniptype == IP_NAT_MANIP_SRC) | 171 | if (maniptype == NF_NAT_MANIP_SRC) |
173 | var_ipp = &tuple->src.u3.ip; | 172 | var_ipp = &tuple->src.u3.ip; |
174 | else | 173 | else |
175 | var_ipp = &tuple->dst.u3.ip; | 174 | var_ipp = &tuple->dst.u3.ip; |
@@ -189,7 +188,7 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, | |||
189 | minip = ntohl(range->min_ip); | 188 | minip = ntohl(range->min_ip); |
190 | maxip = ntohl(range->max_ip); | 189 | maxip = ntohl(range->max_ip); |
191 | j = jhash_2words((__force u32)tuple->src.u3.ip, | 190 | j = jhash_2words((__force u32)tuple->src.u3.ip, |
192 | range->flags & IP_NAT_RANGE_PERSISTENT ? | 191 | range->flags & NF_NAT_RANGE_PERSISTENT ? |
193 | 0 : (__force u32)tuple->dst.u3.ip ^ zone, 0); | 192 | 0 : (__force u32)tuple->dst.u3.ip ^ zone, 0); |
194 | j = ((u64)j * (maxip - minip + 1)) >> 32; | 193 | j = ((u64)j * (maxip - minip + 1)) >> 32; |
195 | *var_ipp = htonl(minip + j); | 194 | *var_ipp = htonl(minip + j); |
@@ -204,7 +203,7 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, | |||
204 | static void | 203 | static void |
205 | get_unique_tuple(struct nf_conntrack_tuple *tuple, | 204 | get_unique_tuple(struct nf_conntrack_tuple *tuple, |
206 | const struct nf_conntrack_tuple *orig_tuple, | 205 | const struct nf_conntrack_tuple *orig_tuple, |
207 | const struct nf_nat_range *range, | 206 | const struct nf_nat_ipv4_range *range, |
208 | struct nf_conn *ct, | 207 | struct nf_conn *ct, |
209 | enum nf_nat_manip_type maniptype) | 208 | enum nf_nat_manip_type maniptype) |
210 | { | 209 | { |
@@ -219,8 +218,8 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
219 | This is only required for source (ie. NAT/masq) mappings. | 218 | This is only required for source (ie. NAT/masq) mappings. |
220 | So far, we don't do local source mappings, so multiple | 219 | So far, we don't do local source mappings, so multiple |
221 | manips not an issue. */ | 220 | manips not an issue. */ |
222 | if (maniptype == IP_NAT_MANIP_SRC && | 221 | if (maniptype == NF_NAT_MANIP_SRC && |
223 | !(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) { | 222 | !(range->flags & NF_NAT_RANGE_PROTO_RANDOM)) { |
224 | /* try the original tuple first */ | 223 | /* try the original tuple first */ |
225 | if (in_range(orig_tuple, range)) { | 224 | if (in_range(orig_tuple, range)) { |
226 | if (!nf_nat_used_tuple(orig_tuple, ct)) { | 225 | if (!nf_nat_used_tuple(orig_tuple, ct)) { |
@@ -247,8 +246,8 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
247 | proto = __nf_nat_proto_find(orig_tuple->dst.protonum); | 246 | proto = __nf_nat_proto_find(orig_tuple->dst.protonum); |
248 | 247 | ||
249 | /* Only bother mapping if it's not already in range and unique */ | 248 | /* Only bother mapping if it's not already in range and unique */ |
250 | if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) { | 249 | if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM)) { |
251 | if (range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { | 250 | if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { |
252 | if (proto->in_range(tuple, maniptype, &range->min, | 251 | if (proto->in_range(tuple, maniptype, &range->min, |
253 | &range->max) && | 252 | &range->max) && |
254 | (range->min.all == range->max.all || | 253 | (range->min.all == range->max.all || |
@@ -267,7 +266,7 @@ out: | |||
267 | 266 | ||
268 | unsigned int | 267 | unsigned int |
269 | nf_nat_setup_info(struct nf_conn *ct, | 268 | nf_nat_setup_info(struct nf_conn *ct, |
270 | const struct nf_nat_range *range, | 269 | const struct nf_nat_ipv4_range *range, |
271 | enum nf_nat_manip_type maniptype) | 270 | enum nf_nat_manip_type maniptype) |
272 | { | 271 | { |
273 | struct net *net = nf_ct_net(ct); | 272 | struct net *net = nf_ct_net(ct); |
@@ -284,8 +283,8 @@ nf_nat_setup_info(struct nf_conn *ct, | |||
284 | } | 283 | } |
285 | } | 284 | } |
286 | 285 | ||
287 | NF_CT_ASSERT(maniptype == IP_NAT_MANIP_SRC || | 286 | NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC || |
288 | maniptype == IP_NAT_MANIP_DST); | 287 | maniptype == NF_NAT_MANIP_DST); |
289 | BUG_ON(nf_nat_initialized(ct, maniptype)); | 288 | BUG_ON(nf_nat_initialized(ct, maniptype)); |
290 | 289 | ||
291 | /* What we've got will look like inverse of reply. Normally | 290 | /* What we've got will look like inverse of reply. Normally |
@@ -306,13 +305,13 @@ nf_nat_setup_info(struct nf_conn *ct, | |||
306 | nf_conntrack_alter_reply(ct, &reply); | 305 | nf_conntrack_alter_reply(ct, &reply); |
307 | 306 | ||
308 | /* Non-atomic: we own this at the moment. */ | 307 | /* Non-atomic: we own this at the moment. */ |
309 | if (maniptype == IP_NAT_MANIP_SRC) | 308 | if (maniptype == NF_NAT_MANIP_SRC) |
310 | ct->status |= IPS_SRC_NAT; | 309 | ct->status |= IPS_SRC_NAT; |
311 | else | 310 | else |
312 | ct->status |= IPS_DST_NAT; | 311 | ct->status |= IPS_DST_NAT; |
313 | } | 312 | } |
314 | 313 | ||
315 | if (maniptype == IP_NAT_MANIP_SRC) { | 314 | if (maniptype == NF_NAT_MANIP_SRC) { |
316 | unsigned int srchash; | 315 | unsigned int srchash; |
317 | 316 | ||
318 | srchash = hash_by_src(net, nf_ct_zone(ct), | 317 | srchash = hash_by_src(net, nf_ct_zone(ct), |
@@ -327,7 +326,7 @@ nf_nat_setup_info(struct nf_conn *ct, | |||
327 | } | 326 | } |
328 | 327 | ||
329 | /* It's done. */ | 328 | /* It's done. */ |
330 | if (maniptype == IP_NAT_MANIP_DST) | 329 | if (maniptype == NF_NAT_MANIP_DST) |
331 | ct->status |= IPS_DST_NAT_DONE; | 330 | ct->status |= IPS_DST_NAT_DONE; |
332 | else | 331 | else |
333 | ct->status |= IPS_SRC_NAT_DONE; | 332 | ct->status |= IPS_SRC_NAT_DONE; |
@@ -361,7 +360,7 @@ manip_pkt(u_int16_t proto, | |||
361 | 360 | ||
362 | iph = (void *)skb->data + iphdroff; | 361 | iph = (void *)skb->data + iphdroff; |
363 | 362 | ||
364 | if (maniptype == IP_NAT_MANIP_SRC) { | 363 | if (maniptype == NF_NAT_MANIP_SRC) { |
365 | csum_replace4(&iph->check, iph->saddr, target->src.u3.ip); | 364 | csum_replace4(&iph->check, iph->saddr, target->src.u3.ip); |
366 | iph->saddr = target->src.u3.ip; | 365 | iph->saddr = target->src.u3.ip; |
367 | } else { | 366 | } else { |
@@ -381,7 +380,7 @@ unsigned int nf_nat_packet(struct nf_conn *ct, | |||
381 | unsigned long statusbit; | 380 | unsigned long statusbit; |
382 | enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum); | 381 | enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum); |
383 | 382 | ||
384 | if (mtype == IP_NAT_MANIP_SRC) | 383 | if (mtype == NF_NAT_MANIP_SRC) |
385 | statusbit = IPS_SRC_NAT; | 384 | statusbit = IPS_SRC_NAT; |
386 | else | 385 | else |
387 | statusbit = IPS_DST_NAT; | 386 | statusbit = IPS_DST_NAT; |
@@ -414,8 +413,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct, | |||
414 | struct icmphdr icmp; | 413 | struct icmphdr icmp; |
415 | struct iphdr ip; | 414 | struct iphdr ip; |
416 | } *inside; | 415 | } *inside; |
417 | const struct nf_conntrack_l4proto *l4proto; | 416 | struct nf_conntrack_tuple target; |
418 | struct nf_conntrack_tuple inner, target; | ||
419 | int hdrlen = ip_hdrlen(skb); | 417 | int hdrlen = ip_hdrlen(skb); |
420 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 418 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
421 | unsigned long statusbit; | 419 | unsigned long statusbit; |
@@ -447,7 +445,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct, | |||
447 | return 0; | 445 | return 0; |
448 | } | 446 | } |
449 | 447 | ||
450 | if (manip == IP_NAT_MANIP_SRC) | 448 | if (manip == NF_NAT_MANIP_SRC) |
451 | statusbit = IPS_SRC_NAT; | 449 | statusbit = IPS_SRC_NAT; |
452 | else | 450 | else |
453 | statusbit = IPS_DST_NAT; | 451 | statusbit = IPS_DST_NAT; |
@@ -463,16 +461,6 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct, | |||
463 | "dir %s\n", skb, manip, | 461 | "dir %s\n", skb, manip, |
464 | dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); | 462 | dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); |
465 | 463 | ||
466 | /* rcu_read_lock()ed by nf_hook_slow */ | ||
467 | l4proto = __nf_ct_l4proto_find(PF_INET, inside->ip.protocol); | ||
468 | |||
469 | if (!nf_ct_get_tuple(skb, hdrlen + sizeof(struct icmphdr), | ||
470 | (hdrlen + | ||
471 | sizeof(struct icmphdr) + inside->ip.ihl * 4), | ||
472 | (u_int16_t)AF_INET, inside->ip.protocol, | ||
473 | &inner, l3proto, l4proto)) | ||
474 | return 0; | ||
475 | |||
476 | /* Change inner back to look like incoming packet. We do the | 464 | /* Change inner back to look like incoming packet. We do the |
477 | opposite manip on this hook to normal, because it might not | 465 | opposite manip on this hook to normal, because it might not |
478 | pass all hooks (locally-generated ICMP). Consider incoming | 466 | pass all hooks (locally-generated ICMP). Consider incoming |
@@ -575,26 +563,6 @@ static struct nf_ct_ext_type nat_extend __read_mostly = { | |||
575 | #include <linux/netfilter/nfnetlink.h> | 563 | #include <linux/netfilter/nfnetlink.h> |
576 | #include <linux/netfilter/nfnetlink_conntrack.h> | 564 | #include <linux/netfilter/nfnetlink_conntrack.h> |
577 | 565 | ||
578 | static const struct nf_nat_protocol * | ||
579 | nf_nat_proto_find_get(u_int8_t protonum) | ||
580 | { | ||
581 | const struct nf_nat_protocol *p; | ||
582 | |||
583 | rcu_read_lock(); | ||
584 | p = __nf_nat_proto_find(protonum); | ||
585 | if (!try_module_get(p->me)) | ||
586 | p = &nf_nat_unknown_protocol; | ||
587 | rcu_read_unlock(); | ||
588 | |||
589 | return p; | ||
590 | } | ||
591 | |||
592 | static void | ||
593 | nf_nat_proto_put(const struct nf_nat_protocol *p) | ||
594 | { | ||
595 | module_put(p->me); | ||
596 | } | ||
597 | |||
598 | static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = { | 566 | static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = { |
599 | [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 }, | 567 | [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 }, |
600 | [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 }, | 568 | [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 }, |
@@ -602,7 +570,7 @@ static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = { | |||
602 | 570 | ||
603 | static int nfnetlink_parse_nat_proto(struct nlattr *attr, | 571 | static int nfnetlink_parse_nat_proto(struct nlattr *attr, |
604 | const struct nf_conn *ct, | 572 | const struct nf_conn *ct, |
605 | struct nf_nat_range *range) | 573 | struct nf_nat_ipv4_range *range) |
606 | { | 574 | { |
607 | struct nlattr *tb[CTA_PROTONAT_MAX+1]; | 575 | struct nlattr *tb[CTA_PROTONAT_MAX+1]; |
608 | const struct nf_nat_protocol *npt; | 576 | const struct nf_nat_protocol *npt; |
@@ -612,21 +580,23 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr, | |||
612 | if (err < 0) | 580 | if (err < 0) |
613 | return err; | 581 | return err; |
614 | 582 | ||
615 | npt = nf_nat_proto_find_get(nf_ct_protonum(ct)); | 583 | rcu_read_lock(); |
584 | npt = __nf_nat_proto_find(nf_ct_protonum(ct)); | ||
616 | if (npt->nlattr_to_range) | 585 | if (npt->nlattr_to_range) |
617 | err = npt->nlattr_to_range(tb, range); | 586 | err = npt->nlattr_to_range(tb, range); |
618 | nf_nat_proto_put(npt); | 587 | rcu_read_unlock(); |
619 | return err; | 588 | return err; |
620 | } | 589 | } |
621 | 590 | ||
622 | static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = { | 591 | static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = { |
623 | [CTA_NAT_MINIP] = { .type = NLA_U32 }, | 592 | [CTA_NAT_MINIP] = { .type = NLA_U32 }, |
624 | [CTA_NAT_MAXIP] = { .type = NLA_U32 }, | 593 | [CTA_NAT_MAXIP] = { .type = NLA_U32 }, |
594 | [CTA_NAT_PROTO] = { .type = NLA_NESTED }, | ||
625 | }; | 595 | }; |
626 | 596 | ||
627 | static int | 597 | static int |
628 | nfnetlink_parse_nat(const struct nlattr *nat, | 598 | nfnetlink_parse_nat(const struct nlattr *nat, |
629 | const struct nf_conn *ct, struct nf_nat_range *range) | 599 | const struct nf_conn *ct, struct nf_nat_ipv4_range *range) |
630 | { | 600 | { |
631 | struct nlattr *tb[CTA_NAT_MAX+1]; | 601 | struct nlattr *tb[CTA_NAT_MAX+1]; |
632 | int err; | 602 | int err; |
@@ -646,7 +616,7 @@ nfnetlink_parse_nat(const struct nlattr *nat, | |||
646 | range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]); | 616 | range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]); |
647 | 617 | ||
648 | if (range->min_ip) | 618 | if (range->min_ip) |
649 | range->flags |= IP_NAT_RANGE_MAP_IPS; | 619 | range->flags |= NF_NAT_RANGE_MAP_IPS; |
650 | 620 | ||
651 | if (!tb[CTA_NAT_PROTO]) | 621 | if (!tb[CTA_NAT_PROTO]) |
652 | return 0; | 622 | return 0; |
@@ -663,7 +633,7 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct, | |||
663 | enum nf_nat_manip_type manip, | 633 | enum nf_nat_manip_type manip, |
664 | const struct nlattr *attr) | 634 | const struct nlattr *attr) |
665 | { | 635 | { |
666 | struct nf_nat_range range; | 636 | struct nf_nat_ipv4_range range; |
667 | 637 | ||
668 | if (nfnetlink_parse_nat(attr, ct, &range) < 0) | 638 | if (nfnetlink_parse_nat(attr, ct, &range) < 0) |
669 | return -EINVAL; | 639 | return -EINVAL; |
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c index b9a1136addbd..dc1dd912baf4 100644 --- a/net/ipv4/netfilter/nf_nat_h323.c +++ b/net/ipv4/netfilter/nf_nat_h323.c | |||
@@ -398,7 +398,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct, | |||
398 | static void ip_nat_q931_expect(struct nf_conn *new, | 398 | static void ip_nat_q931_expect(struct nf_conn *new, |
399 | struct nf_conntrack_expect *this) | 399 | struct nf_conntrack_expect *this) |
400 | { | 400 | { |
401 | struct nf_nat_range range; | 401 | struct nf_nat_ipv4_range range; |
402 | 402 | ||
403 | if (this->tuple.src.u3.ip != 0) { /* Only accept calls from GK */ | 403 | if (this->tuple.src.u3.ip != 0) { /* Only accept calls from GK */ |
404 | nf_nat_follow_master(new, this); | 404 | nf_nat_follow_master(new, this); |
@@ -409,16 +409,16 @@ static void ip_nat_q931_expect(struct nf_conn *new, | |||
409 | BUG_ON(new->status & IPS_NAT_DONE_MASK); | 409 | BUG_ON(new->status & IPS_NAT_DONE_MASK); |
410 | 410 | ||
411 | /* Change src to where master sends to */ | 411 | /* Change src to where master sends to */ |
412 | range.flags = IP_NAT_RANGE_MAP_IPS; | 412 | range.flags = NF_NAT_RANGE_MAP_IPS; |
413 | range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip; | 413 | range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip; |
414 | nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC); | 414 | nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC); |
415 | 415 | ||
416 | /* For DST manip, map port here to where it's expected. */ | 416 | /* For DST manip, map port here to where it's expected. */ |
417 | range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); | 417 | range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED); |
418 | range.min = range.max = this->saved_proto; | 418 | range.min = range.max = this->saved_proto; |
419 | range.min_ip = range.max_ip = | 419 | range.min_ip = range.max_ip = |
420 | new->master->tuplehash[!this->dir].tuple.src.u3.ip; | 420 | new->master->tuplehash[!this->dir].tuple.src.u3.ip; |
421 | nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST); | 421 | nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST); |
422 | } | 422 | } |
423 | 423 | ||
424 | /****************************************************************************/ | 424 | /****************************************************************************/ |
@@ -496,21 +496,21 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct, | |||
496 | static void ip_nat_callforwarding_expect(struct nf_conn *new, | 496 | static void ip_nat_callforwarding_expect(struct nf_conn *new, |
497 | struct nf_conntrack_expect *this) | 497 | struct nf_conntrack_expect *this) |
498 | { | 498 | { |
499 | struct nf_nat_range range; | 499 | struct nf_nat_ipv4_range range; |
500 | 500 | ||
501 | /* This must be a fresh one. */ | 501 | /* This must be a fresh one. */ |
502 | BUG_ON(new->status & IPS_NAT_DONE_MASK); | 502 | BUG_ON(new->status & IPS_NAT_DONE_MASK); |
503 | 503 | ||
504 | /* Change src to where master sends to */ | 504 | /* Change src to where master sends to */ |
505 | range.flags = IP_NAT_RANGE_MAP_IPS; | 505 | range.flags = NF_NAT_RANGE_MAP_IPS; |
506 | range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip; | 506 | range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip; |
507 | nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC); | 507 | nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC); |
508 | 508 | ||
509 | /* For DST manip, map port here to where it's expected. */ | 509 | /* For DST manip, map port here to where it's expected. */ |
510 | range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); | 510 | range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED); |
511 | range.min = range.max = this->saved_proto; | 511 | range.min = range.max = this->saved_proto; |
512 | range.min_ip = range.max_ip = this->saved_ip; | 512 | range.min_ip = range.max_ip = this->saved_ip; |
513 | nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST); | 513 | nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST); |
514 | } | 514 | } |
515 | 515 | ||
516 | /****************************************************************************/ | 516 | /****************************************************************************/ |
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c index ebc5f8894f99..af65958f6308 100644 --- a/net/ipv4/netfilter/nf_nat_helper.c +++ b/net/ipv4/netfilter/nf_nat_helper.c | |||
@@ -253,12 +253,6 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb, | |||
253 | struct udphdr *udph; | 253 | struct udphdr *udph; |
254 | int datalen, oldlen; | 254 | int datalen, oldlen; |
255 | 255 | ||
256 | /* UDP helpers might accidentally mangle the wrong packet */ | ||
257 | iph = ip_hdr(skb); | ||
258 | if (skb->len < iph->ihl*4 + sizeof(*udph) + | ||
259 | match_offset + match_len) | ||
260 | return 0; | ||
261 | |||
262 | if (!skb_make_writable(skb, skb->len)) | 256 | if (!skb_make_writable(skb, skb->len)) |
263 | return 0; | 257 | return 0; |
264 | 258 | ||
@@ -430,22 +424,22 @@ nf_nat_seq_adjust(struct sk_buff *skb, | |||
430 | void nf_nat_follow_master(struct nf_conn *ct, | 424 | void nf_nat_follow_master(struct nf_conn *ct, |
431 | struct nf_conntrack_expect *exp) | 425 | struct nf_conntrack_expect *exp) |
432 | { | 426 | { |
433 | struct nf_nat_range range; | 427 | struct nf_nat_ipv4_range range; |
434 | 428 | ||
435 | /* This must be a fresh one. */ | 429 | /* This must be a fresh one. */ |
436 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); | 430 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); |
437 | 431 | ||
438 | /* Change src to where master sends to */ | 432 | /* Change src to where master sends to */ |
439 | range.flags = IP_NAT_RANGE_MAP_IPS; | 433 | range.flags = NF_NAT_RANGE_MAP_IPS; |
440 | range.min_ip = range.max_ip | 434 | range.min_ip = range.max_ip |
441 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; | 435 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; |
442 | nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); | 436 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC); |
443 | 437 | ||
444 | /* For DST manip, map port here to where it's expected. */ | 438 | /* For DST manip, map port here to where it's expected. */ |
445 | range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); | 439 | range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED); |
446 | range.min = range.max = exp->saved_proto; | 440 | range.min = range.max = exp->saved_proto; |
447 | range.min_ip = range.max_ip | 441 | range.min_ip = range.max_ip |
448 | = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip; | 442 | = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip; |
449 | nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); | 443 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST); |
450 | } | 444 | } |
451 | EXPORT_SYMBOL(nf_nat_follow_master); | 445 | EXPORT_SYMBOL(nf_nat_follow_master); |
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c index 3e8284ba46b8..c273d58980ae 100644 --- a/net/ipv4/netfilter/nf_nat_pptp.c +++ b/net/ipv4/netfilter/nf_nat_pptp.c | |||
@@ -47,7 +47,7 @@ static void pptp_nat_expected(struct nf_conn *ct, | |||
47 | struct nf_conntrack_tuple t; | 47 | struct nf_conntrack_tuple t; |
48 | const struct nf_ct_pptp_master *ct_pptp_info; | 48 | const struct nf_ct_pptp_master *ct_pptp_info; |
49 | const struct nf_nat_pptp *nat_pptp_info; | 49 | const struct nf_nat_pptp *nat_pptp_info; |
50 | struct nf_nat_range range; | 50 | struct nf_nat_ipv4_range range; |
51 | 51 | ||
52 | ct_pptp_info = &nfct_help(master)->help.ct_pptp_info; | 52 | ct_pptp_info = &nfct_help(master)->help.ct_pptp_info; |
53 | nat_pptp_info = &nfct_nat(master)->help.nat_pptp_info; | 53 | nat_pptp_info = &nfct_nat(master)->help.nat_pptp_info; |
@@ -88,24 +88,24 @@ static void pptp_nat_expected(struct nf_conn *ct, | |||
88 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); | 88 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); |
89 | 89 | ||
90 | /* Change src to where master sends to */ | 90 | /* Change src to where master sends to */ |
91 | range.flags = IP_NAT_RANGE_MAP_IPS; | 91 | range.flags = NF_NAT_RANGE_MAP_IPS; |
92 | range.min_ip = range.max_ip | 92 | range.min_ip = range.max_ip |
93 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; | 93 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; |
94 | if (exp->dir == IP_CT_DIR_ORIGINAL) { | 94 | if (exp->dir == IP_CT_DIR_ORIGINAL) { |
95 | range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | 95 | range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; |
96 | range.min = range.max = exp->saved_proto; | 96 | range.min = range.max = exp->saved_proto; |
97 | } | 97 | } |
98 | nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); | 98 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC); |
99 | 99 | ||
100 | /* For DST manip, map port here to where it's expected. */ | 100 | /* For DST manip, map port here to where it's expected. */ |
101 | range.flags = IP_NAT_RANGE_MAP_IPS; | 101 | range.flags = NF_NAT_RANGE_MAP_IPS; |
102 | range.min_ip = range.max_ip | 102 | range.min_ip = range.max_ip |
103 | = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip; | 103 | = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip; |
104 | if (exp->dir == IP_CT_DIR_REPLY) { | 104 | if (exp->dir == IP_CT_DIR_REPLY) { |
105 | range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | 105 | range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; |
106 | range.min = range.max = exp->saved_proto; | 106 | range.min = range.max = exp->saved_proto; |
107 | } | 107 | } |
108 | nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); | 108 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST); |
109 | } | 109 | } |
110 | 110 | ||
111 | /* outbound packets == from PNS to PAC */ | 111 | /* outbound packets == from PNS to PAC */ |
diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c index a3d997618602..9993bc93e102 100644 --- a/net/ipv4/netfilter/nf_nat_proto_common.c +++ b/net/ipv4/netfilter/nf_nat_proto_common.c | |||
@@ -26,7 +26,7 @@ bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple, | |||
26 | { | 26 | { |
27 | __be16 port; | 27 | __be16 port; |
28 | 28 | ||
29 | if (maniptype == IP_NAT_MANIP_SRC) | 29 | if (maniptype == NF_NAT_MANIP_SRC) |
30 | port = tuple->src.u.all; | 30 | port = tuple->src.u.all; |
31 | else | 31 | else |
32 | port = tuple->dst.u.all; | 32 | port = tuple->dst.u.all; |
@@ -37,7 +37,7 @@ bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple, | |||
37 | EXPORT_SYMBOL_GPL(nf_nat_proto_in_range); | 37 | EXPORT_SYMBOL_GPL(nf_nat_proto_in_range); |
38 | 38 | ||
39 | void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, | 39 | void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, |
40 | const struct nf_nat_range *range, | 40 | const struct nf_nat_ipv4_range *range, |
41 | enum nf_nat_manip_type maniptype, | 41 | enum nf_nat_manip_type maniptype, |
42 | const struct nf_conn *ct, | 42 | const struct nf_conn *ct, |
43 | u_int16_t *rover) | 43 | u_int16_t *rover) |
@@ -46,15 +46,15 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
46 | __be16 *portptr; | 46 | __be16 *portptr; |
47 | u_int16_t off; | 47 | u_int16_t off; |
48 | 48 | ||
49 | if (maniptype == IP_NAT_MANIP_SRC) | 49 | if (maniptype == NF_NAT_MANIP_SRC) |
50 | portptr = &tuple->src.u.all; | 50 | portptr = &tuple->src.u.all; |
51 | else | 51 | else |
52 | portptr = &tuple->dst.u.all; | 52 | portptr = &tuple->dst.u.all; |
53 | 53 | ||
54 | /* If no range specified... */ | 54 | /* If no range specified... */ |
55 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { | 55 | if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { |
56 | /* If it's dst rewrite, can't change port */ | 56 | /* If it's dst rewrite, can't change port */ |
57 | if (maniptype == IP_NAT_MANIP_DST) | 57 | if (maniptype == NF_NAT_MANIP_DST) |
58 | return; | 58 | return; |
59 | 59 | ||
60 | if (ntohs(*portptr) < 1024) { | 60 | if (ntohs(*portptr) < 1024) { |
@@ -75,9 +75,9 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
75 | range_size = ntohs(range->max.all) - min + 1; | 75 | range_size = ntohs(range->max.all) - min + 1; |
76 | } | 76 | } |
77 | 77 | ||
78 | if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) | 78 | if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) |
79 | off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip, | 79 | off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip, |
80 | maniptype == IP_NAT_MANIP_SRC | 80 | maniptype == NF_NAT_MANIP_SRC |
81 | ? tuple->dst.u.all | 81 | ? tuple->dst.u.all |
82 | : tuple->src.u.all); | 82 | : tuple->src.u.all); |
83 | else | 83 | else |
@@ -87,7 +87,7 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
87 | *portptr = htons(min + off % range_size); | 87 | *portptr = htons(min + off % range_size); |
88 | if (++i != range_size && nf_nat_used_tuple(tuple, ct)) | 88 | if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
89 | continue; | 89 | continue; |
90 | if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) | 90 | if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM)) |
91 | *rover = off; | 91 | *rover = off; |
92 | return; | 92 | return; |
93 | } | 93 | } |
@@ -96,31 +96,19 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
96 | EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple); | 96 | EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple); |
97 | 97 | ||
98 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 98 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
99 | int nf_nat_proto_range_to_nlattr(struct sk_buff *skb, | ||
100 | const struct nf_nat_range *range) | ||
101 | { | ||
102 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MIN, range->min.all); | ||
103 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MAX, range->max.all); | ||
104 | return 0; | ||
105 | |||
106 | nla_put_failure: | ||
107 | return -1; | ||
108 | } | ||
109 | EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range); | ||
110 | |||
111 | int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], | 99 | int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], |
112 | struct nf_nat_range *range) | 100 | struct nf_nat_ipv4_range *range) |
113 | { | 101 | { |
114 | if (tb[CTA_PROTONAT_PORT_MIN]) { | 102 | if (tb[CTA_PROTONAT_PORT_MIN]) { |
115 | range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); | 103 | range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); |
116 | range->max.all = range->min.tcp.port; | 104 | range->max.all = range->min.tcp.port; |
117 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | 105 | range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; |
118 | } | 106 | } |
119 | if (tb[CTA_PROTONAT_PORT_MAX]) { | 107 | if (tb[CTA_PROTONAT_PORT_MAX]) { |
120 | range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); | 108 | range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); |
121 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | 109 | range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; |
122 | } | 110 | } |
123 | return 0; | 111 | return 0; |
124 | } | 112 | } |
125 | EXPORT_SYMBOL_GPL(nf_nat_proto_range_to_nlattr); | 113 | EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range); |
126 | #endif | 114 | #endif |
diff --git a/net/ipv4/netfilter/nf_nat_proto_dccp.c b/net/ipv4/netfilter/nf_nat_proto_dccp.c index 570faf2667b2..3f67138d187c 100644 --- a/net/ipv4/netfilter/nf_nat_proto_dccp.c +++ b/net/ipv4/netfilter/nf_nat_proto_dccp.c | |||
@@ -24,7 +24,7 @@ static u_int16_t dccp_port_rover; | |||
24 | 24 | ||
25 | static void | 25 | static void |
26 | dccp_unique_tuple(struct nf_conntrack_tuple *tuple, | 26 | dccp_unique_tuple(struct nf_conntrack_tuple *tuple, |
27 | const struct nf_nat_range *range, | 27 | const struct nf_nat_ipv4_range *range, |
28 | enum nf_nat_manip_type maniptype, | 28 | enum nf_nat_manip_type maniptype, |
29 | const struct nf_conn *ct) | 29 | const struct nf_conn *ct) |
30 | { | 30 | { |
@@ -54,7 +54,7 @@ dccp_manip_pkt(struct sk_buff *skb, | |||
54 | iph = (struct iphdr *)(skb->data + iphdroff); | 54 | iph = (struct iphdr *)(skb->data + iphdroff); |
55 | hdr = (struct dccp_hdr *)(skb->data + hdroff); | 55 | hdr = (struct dccp_hdr *)(skb->data + hdroff); |
56 | 56 | ||
57 | if (maniptype == IP_NAT_MANIP_SRC) { | 57 | if (maniptype == NF_NAT_MANIP_SRC) { |
58 | oldip = iph->saddr; | 58 | oldip = iph->saddr; |
59 | newip = tuple->src.u3.ip; | 59 | newip = tuple->src.u3.ip; |
60 | newport = tuple->src.u.dccp.port; | 60 | newport = tuple->src.u.dccp.port; |
@@ -80,12 +80,10 @@ dccp_manip_pkt(struct sk_buff *skb, | |||
80 | 80 | ||
81 | static const struct nf_nat_protocol nf_nat_protocol_dccp = { | 81 | static const struct nf_nat_protocol nf_nat_protocol_dccp = { |
82 | .protonum = IPPROTO_DCCP, | 82 | .protonum = IPPROTO_DCCP, |
83 | .me = THIS_MODULE, | ||
84 | .manip_pkt = dccp_manip_pkt, | 83 | .manip_pkt = dccp_manip_pkt, |
85 | .in_range = nf_nat_proto_in_range, | 84 | .in_range = nf_nat_proto_in_range, |
86 | .unique_tuple = dccp_unique_tuple, | 85 | .unique_tuple = dccp_unique_tuple, |
87 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 86 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
88 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
89 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 87 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
90 | #endif | 88 | #endif |
91 | }; | 89 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_gre.c b/net/ipv4/netfilter/nf_nat_proto_gre.c index bc8d83a31c73..46ba0b9ab985 100644 --- a/net/ipv4/netfilter/nf_nat_proto_gre.c +++ b/net/ipv4/netfilter/nf_nat_proto_gre.c | |||
@@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Netfilter NAT protocol helper module for GRE"); | |||
39 | /* generate unique tuple ... */ | 39 | /* generate unique tuple ... */ |
40 | static void | 40 | static void |
41 | gre_unique_tuple(struct nf_conntrack_tuple *tuple, | 41 | gre_unique_tuple(struct nf_conntrack_tuple *tuple, |
42 | const struct nf_nat_range *range, | 42 | const struct nf_nat_ipv4_range *range, |
43 | enum nf_nat_manip_type maniptype, | 43 | enum nf_nat_manip_type maniptype, |
44 | const struct nf_conn *ct) | 44 | const struct nf_conn *ct) |
45 | { | 45 | { |
@@ -52,12 +52,12 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
52 | if (!ct->master) | 52 | if (!ct->master) |
53 | return; | 53 | return; |
54 | 54 | ||
55 | if (maniptype == IP_NAT_MANIP_SRC) | 55 | if (maniptype == NF_NAT_MANIP_SRC) |
56 | keyptr = &tuple->src.u.gre.key; | 56 | keyptr = &tuple->src.u.gre.key; |
57 | else | 57 | else |
58 | keyptr = &tuple->dst.u.gre.key; | 58 | keyptr = &tuple->dst.u.gre.key; |
59 | 59 | ||
60 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { | 60 | if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { |
61 | pr_debug("%p: NATing GRE PPTP\n", ct); | 61 | pr_debug("%p: NATing GRE PPTP\n", ct); |
62 | min = 1; | 62 | min = 1; |
63 | range_size = 0xffff; | 63 | range_size = 0xffff; |
@@ -99,7 +99,7 @@ gre_manip_pkt(struct sk_buff *skb, unsigned int iphdroff, | |||
99 | 99 | ||
100 | /* we only have destination manip of a packet, since 'source key' | 100 | /* we only have destination manip of a packet, since 'source key' |
101 | * is not present in the packet itself */ | 101 | * is not present in the packet itself */ |
102 | if (maniptype != IP_NAT_MANIP_DST) | 102 | if (maniptype != NF_NAT_MANIP_DST) |
103 | return true; | 103 | return true; |
104 | switch (greh->version) { | 104 | switch (greh->version) { |
105 | case GRE_VERSION_1701: | 105 | case GRE_VERSION_1701: |
@@ -119,12 +119,10 @@ gre_manip_pkt(struct sk_buff *skb, unsigned int iphdroff, | |||
119 | 119 | ||
120 | static const struct nf_nat_protocol gre = { | 120 | static const struct nf_nat_protocol gre = { |
121 | .protonum = IPPROTO_GRE, | 121 | .protonum = IPPROTO_GRE, |
122 | .me = THIS_MODULE, | ||
123 | .manip_pkt = gre_manip_pkt, | 122 | .manip_pkt = gre_manip_pkt, |
124 | .in_range = nf_nat_proto_in_range, | 123 | .in_range = nf_nat_proto_in_range, |
125 | .unique_tuple = gre_unique_tuple, | 124 | .unique_tuple = gre_unique_tuple, |
126 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 125 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
127 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
128 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 126 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
129 | #endif | 127 | #endif |
130 | }; | 128 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_icmp.c b/net/ipv4/netfilter/nf_nat_proto_icmp.c index 9f4dc1235dc7..b35172851bae 100644 --- a/net/ipv4/netfilter/nf_nat_proto_icmp.c +++ b/net/ipv4/netfilter/nf_nat_proto_icmp.c | |||
@@ -30,7 +30,7 @@ icmp_in_range(const struct nf_conntrack_tuple *tuple, | |||
30 | 30 | ||
31 | static void | 31 | static void |
32 | icmp_unique_tuple(struct nf_conntrack_tuple *tuple, | 32 | icmp_unique_tuple(struct nf_conntrack_tuple *tuple, |
33 | const struct nf_nat_range *range, | 33 | const struct nf_nat_ipv4_range *range, |
34 | enum nf_nat_manip_type maniptype, | 34 | enum nf_nat_manip_type maniptype, |
35 | const struct nf_conn *ct) | 35 | const struct nf_conn *ct) |
36 | { | 36 | { |
@@ -40,7 +40,7 @@ icmp_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
40 | 40 | ||
41 | range_size = ntohs(range->max.icmp.id) - ntohs(range->min.icmp.id) + 1; | 41 | range_size = ntohs(range->max.icmp.id) - ntohs(range->min.icmp.id) + 1; |
42 | /* If no range specified... */ | 42 | /* If no range specified... */ |
43 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) | 43 | if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) |
44 | range_size = 0xFFFF; | 44 | range_size = 0xFFFF; |
45 | 45 | ||
46 | for (i = 0; ; ++id) { | 46 | for (i = 0; ; ++id) { |
@@ -74,12 +74,10 @@ icmp_manip_pkt(struct sk_buff *skb, | |||
74 | 74 | ||
75 | const struct nf_nat_protocol nf_nat_protocol_icmp = { | 75 | const struct nf_nat_protocol nf_nat_protocol_icmp = { |
76 | .protonum = IPPROTO_ICMP, | 76 | .protonum = IPPROTO_ICMP, |
77 | .me = THIS_MODULE, | ||
78 | .manip_pkt = icmp_manip_pkt, | 77 | .manip_pkt = icmp_manip_pkt, |
79 | .in_range = icmp_in_range, | 78 | .in_range = icmp_in_range, |
80 | .unique_tuple = icmp_unique_tuple, | 79 | .unique_tuple = icmp_unique_tuple, |
81 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 80 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
82 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
83 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 81 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
84 | #endif | 82 | #endif |
85 | }; | 83 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_sctp.c b/net/ipv4/netfilter/nf_nat_proto_sctp.c index bd5a80a62a5b..3cce9b6c1c29 100644 --- a/net/ipv4/netfilter/nf_nat_proto_sctp.c +++ b/net/ipv4/netfilter/nf_nat_proto_sctp.c | |||
@@ -19,7 +19,7 @@ static u_int16_t nf_sctp_port_rover; | |||
19 | 19 | ||
20 | static void | 20 | static void |
21 | sctp_unique_tuple(struct nf_conntrack_tuple *tuple, | 21 | sctp_unique_tuple(struct nf_conntrack_tuple *tuple, |
22 | const struct nf_nat_range *range, | 22 | const struct nf_nat_ipv4_range *range, |
23 | enum nf_nat_manip_type maniptype, | 23 | enum nf_nat_manip_type maniptype, |
24 | const struct nf_conn *ct) | 24 | const struct nf_conn *ct) |
25 | { | 25 | { |
@@ -46,7 +46,7 @@ sctp_manip_pkt(struct sk_buff *skb, | |||
46 | iph = (struct iphdr *)(skb->data + iphdroff); | 46 | iph = (struct iphdr *)(skb->data + iphdroff); |
47 | hdr = (struct sctphdr *)(skb->data + hdroff); | 47 | hdr = (struct sctphdr *)(skb->data + hdroff); |
48 | 48 | ||
49 | if (maniptype == IP_NAT_MANIP_SRC) { | 49 | if (maniptype == NF_NAT_MANIP_SRC) { |
50 | /* Get rid of src ip and src pt */ | 50 | /* Get rid of src ip and src pt */ |
51 | oldip = iph->saddr; | 51 | oldip = iph->saddr; |
52 | newip = tuple->src.u3.ip; | 52 | newip = tuple->src.u3.ip; |
@@ -70,12 +70,10 @@ sctp_manip_pkt(struct sk_buff *skb, | |||
70 | 70 | ||
71 | static const struct nf_nat_protocol nf_nat_protocol_sctp = { | 71 | static const struct nf_nat_protocol nf_nat_protocol_sctp = { |
72 | .protonum = IPPROTO_SCTP, | 72 | .protonum = IPPROTO_SCTP, |
73 | .me = THIS_MODULE, | ||
74 | .manip_pkt = sctp_manip_pkt, | 73 | .manip_pkt = sctp_manip_pkt, |
75 | .in_range = nf_nat_proto_in_range, | 74 | .in_range = nf_nat_proto_in_range, |
76 | .unique_tuple = sctp_unique_tuple, | 75 | .unique_tuple = sctp_unique_tuple, |
77 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 76 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
78 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
79 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 77 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
80 | #endif | 78 | #endif |
81 | }; | 79 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c index 0d67bb80130f..9fb4b4e72bbf 100644 --- a/net/ipv4/netfilter/nf_nat_proto_tcp.c +++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c | |||
@@ -23,7 +23,7 @@ static u_int16_t tcp_port_rover; | |||
23 | 23 | ||
24 | static void | 24 | static void |
25 | tcp_unique_tuple(struct nf_conntrack_tuple *tuple, | 25 | tcp_unique_tuple(struct nf_conntrack_tuple *tuple, |
26 | const struct nf_nat_range *range, | 26 | const struct nf_nat_ipv4_range *range, |
27 | enum nf_nat_manip_type maniptype, | 27 | enum nf_nat_manip_type maniptype, |
28 | const struct nf_conn *ct) | 28 | const struct nf_conn *ct) |
29 | { | 29 | { |
@@ -55,7 +55,7 @@ tcp_manip_pkt(struct sk_buff *skb, | |||
55 | iph = (struct iphdr *)(skb->data + iphdroff); | 55 | iph = (struct iphdr *)(skb->data + iphdroff); |
56 | hdr = (struct tcphdr *)(skb->data + hdroff); | 56 | hdr = (struct tcphdr *)(skb->data + hdroff); |
57 | 57 | ||
58 | if (maniptype == IP_NAT_MANIP_SRC) { | 58 | if (maniptype == NF_NAT_MANIP_SRC) { |
59 | /* Get rid of src ip and src pt */ | 59 | /* Get rid of src ip and src pt */ |
60 | oldip = iph->saddr; | 60 | oldip = iph->saddr; |
61 | newip = tuple->src.u3.ip; | 61 | newip = tuple->src.u3.ip; |
@@ -82,12 +82,10 @@ tcp_manip_pkt(struct sk_buff *skb, | |||
82 | 82 | ||
83 | const struct nf_nat_protocol nf_nat_protocol_tcp = { | 83 | const struct nf_nat_protocol nf_nat_protocol_tcp = { |
84 | .protonum = IPPROTO_TCP, | 84 | .protonum = IPPROTO_TCP, |
85 | .me = THIS_MODULE, | ||
86 | .manip_pkt = tcp_manip_pkt, | 85 | .manip_pkt = tcp_manip_pkt, |
87 | .in_range = nf_nat_proto_in_range, | 86 | .in_range = nf_nat_proto_in_range, |
88 | .unique_tuple = tcp_unique_tuple, | 87 | .unique_tuple = tcp_unique_tuple, |
89 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 88 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
90 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
91 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 89 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
92 | #endif | 90 | #endif |
93 | }; | 91 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_udp.c b/net/ipv4/netfilter/nf_nat_proto_udp.c index 0b1b8601cba7..9883336e628f 100644 --- a/net/ipv4/netfilter/nf_nat_proto_udp.c +++ b/net/ipv4/netfilter/nf_nat_proto_udp.c | |||
@@ -22,7 +22,7 @@ static u_int16_t udp_port_rover; | |||
22 | 22 | ||
23 | static void | 23 | static void |
24 | udp_unique_tuple(struct nf_conntrack_tuple *tuple, | 24 | udp_unique_tuple(struct nf_conntrack_tuple *tuple, |
25 | const struct nf_nat_range *range, | 25 | const struct nf_nat_ipv4_range *range, |
26 | enum nf_nat_manip_type maniptype, | 26 | enum nf_nat_manip_type maniptype, |
27 | const struct nf_conn *ct) | 27 | const struct nf_conn *ct) |
28 | { | 28 | { |
@@ -47,7 +47,7 @@ udp_manip_pkt(struct sk_buff *skb, | |||
47 | iph = (struct iphdr *)(skb->data + iphdroff); | 47 | iph = (struct iphdr *)(skb->data + iphdroff); |
48 | hdr = (struct udphdr *)(skb->data + hdroff); | 48 | hdr = (struct udphdr *)(skb->data + hdroff); |
49 | 49 | ||
50 | if (maniptype == IP_NAT_MANIP_SRC) { | 50 | if (maniptype == NF_NAT_MANIP_SRC) { |
51 | /* Get rid of src ip and src pt */ | 51 | /* Get rid of src ip and src pt */ |
52 | oldip = iph->saddr; | 52 | oldip = iph->saddr; |
53 | newip = tuple->src.u3.ip; | 53 | newip = tuple->src.u3.ip; |
@@ -73,12 +73,10 @@ udp_manip_pkt(struct sk_buff *skb, | |||
73 | 73 | ||
74 | const struct nf_nat_protocol nf_nat_protocol_udp = { | 74 | const struct nf_nat_protocol nf_nat_protocol_udp = { |
75 | .protonum = IPPROTO_UDP, | 75 | .protonum = IPPROTO_UDP, |
76 | .me = THIS_MODULE, | ||
77 | .manip_pkt = udp_manip_pkt, | 76 | .manip_pkt = udp_manip_pkt, |
78 | .in_range = nf_nat_proto_in_range, | 77 | .in_range = nf_nat_proto_in_range, |
79 | .unique_tuple = udp_unique_tuple, | 78 | .unique_tuple = udp_unique_tuple, |
80 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 79 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
81 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
82 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 80 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
83 | #endif | 81 | #endif |
84 | }; | 82 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_udplite.c b/net/ipv4/netfilter/nf_nat_proto_udplite.c index f83ef23e2ab7..d24d10a7beb2 100644 --- a/net/ipv4/netfilter/nf_nat_proto_udplite.c +++ b/net/ipv4/netfilter/nf_nat_proto_udplite.c | |||
@@ -21,7 +21,7 @@ static u_int16_t udplite_port_rover; | |||
21 | 21 | ||
22 | static void | 22 | static void |
23 | udplite_unique_tuple(struct nf_conntrack_tuple *tuple, | 23 | udplite_unique_tuple(struct nf_conntrack_tuple *tuple, |
24 | const struct nf_nat_range *range, | 24 | const struct nf_nat_ipv4_range *range, |
25 | enum nf_nat_manip_type maniptype, | 25 | enum nf_nat_manip_type maniptype, |
26 | const struct nf_conn *ct) | 26 | const struct nf_conn *ct) |
27 | { | 27 | { |
@@ -47,7 +47,7 @@ udplite_manip_pkt(struct sk_buff *skb, | |||
47 | iph = (struct iphdr *)(skb->data + iphdroff); | 47 | iph = (struct iphdr *)(skb->data + iphdroff); |
48 | hdr = (struct udphdr *)(skb->data + hdroff); | 48 | hdr = (struct udphdr *)(skb->data + hdroff); |
49 | 49 | ||
50 | if (maniptype == IP_NAT_MANIP_SRC) { | 50 | if (maniptype == NF_NAT_MANIP_SRC) { |
51 | /* Get rid of src ip and src pt */ | 51 | /* Get rid of src ip and src pt */ |
52 | oldip = iph->saddr; | 52 | oldip = iph->saddr; |
53 | newip = tuple->src.u3.ip; | 53 | newip = tuple->src.u3.ip; |
@@ -72,12 +72,10 @@ udplite_manip_pkt(struct sk_buff *skb, | |||
72 | 72 | ||
73 | static const struct nf_nat_protocol nf_nat_protocol_udplite = { | 73 | static const struct nf_nat_protocol nf_nat_protocol_udplite = { |
74 | .protonum = IPPROTO_UDPLITE, | 74 | .protonum = IPPROTO_UDPLITE, |
75 | .me = THIS_MODULE, | ||
76 | .manip_pkt = udplite_manip_pkt, | 75 | .manip_pkt = udplite_manip_pkt, |
77 | .in_range = nf_nat_proto_in_range, | 76 | .in_range = nf_nat_proto_in_range, |
78 | .unique_tuple = udplite_unique_tuple, | 77 | .unique_tuple = udplite_unique_tuple, |
79 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 78 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
80 | .range_to_nlattr = nf_nat_proto_range_to_nlattr, | ||
81 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, | 79 | .nlattr_to_range = nf_nat_proto_nlattr_to_range, |
82 | #endif | 80 | #endif |
83 | }; | 81 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_proto_unknown.c b/net/ipv4/netfilter/nf_nat_proto_unknown.c index a50f2bc1c732..e0afe8112b1c 100644 --- a/net/ipv4/netfilter/nf_nat_proto_unknown.c +++ b/net/ipv4/netfilter/nf_nat_proto_unknown.c | |||
@@ -27,7 +27,7 @@ static bool unknown_in_range(const struct nf_conntrack_tuple *tuple, | |||
27 | } | 27 | } |
28 | 28 | ||
29 | static void unknown_unique_tuple(struct nf_conntrack_tuple *tuple, | 29 | static void unknown_unique_tuple(struct nf_conntrack_tuple *tuple, |
30 | const struct nf_nat_range *range, | 30 | const struct nf_nat_ipv4_range *range, |
31 | enum nf_nat_manip_type maniptype, | 31 | enum nf_nat_manip_type maniptype, |
32 | const struct nf_conn *ct) | 32 | const struct nf_conn *ct) |
33 | { | 33 | { |
@@ -46,7 +46,6 @@ unknown_manip_pkt(struct sk_buff *skb, | |||
46 | } | 46 | } |
47 | 47 | ||
48 | const struct nf_nat_protocol nf_nat_unknown_protocol = { | 48 | const struct nf_nat_protocol nf_nat_unknown_protocol = { |
49 | /* .me isn't set: getting a ref to this cannot fail. */ | ||
50 | .manip_pkt = unknown_manip_pkt, | 49 | .manip_pkt = unknown_manip_pkt, |
51 | .in_range = unknown_in_range, | 50 | .in_range = unknown_in_range, |
52 | .unique_tuple = unknown_unique_tuple, | 51 | .unique_tuple = unknown_unique_tuple, |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 733c9abc1cbd..d2a9dc314e0e 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
@@ -44,7 +44,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par) | |||
44 | { | 44 | { |
45 | struct nf_conn *ct; | 45 | struct nf_conn *ct; |
46 | enum ip_conntrack_info ctinfo; | 46 | enum ip_conntrack_info ctinfo; |
47 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 47 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
48 | 48 | ||
49 | NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING || | 49 | NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING || |
50 | par->hooknum == NF_INET_LOCAL_IN); | 50 | par->hooknum == NF_INET_LOCAL_IN); |
@@ -56,7 +56,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par) | |||
56 | ctinfo == IP_CT_RELATED_REPLY)); | 56 | ctinfo == IP_CT_RELATED_REPLY)); |
57 | NF_CT_ASSERT(par->out != NULL); | 57 | NF_CT_ASSERT(par->out != NULL); |
58 | 58 | ||
59 | return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC); | 59 | return nf_nat_setup_info(ct, &mr->range[0], NF_NAT_MANIP_SRC); |
60 | } | 60 | } |
61 | 61 | ||
62 | static unsigned int | 62 | static unsigned int |
@@ -64,7 +64,7 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par) | |||
64 | { | 64 | { |
65 | struct nf_conn *ct; | 65 | struct nf_conn *ct; |
66 | enum ip_conntrack_info ctinfo; | 66 | enum ip_conntrack_info ctinfo; |
67 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 67 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
68 | 68 | ||
69 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || | 69 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || |
70 | par->hooknum == NF_INET_LOCAL_OUT); | 70 | par->hooknum == NF_INET_LOCAL_OUT); |
@@ -74,12 +74,12 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par) | |||
74 | /* Connection must be valid and new. */ | 74 | /* Connection must be valid and new. */ |
75 | NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)); | 75 | NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)); |
76 | 76 | ||
77 | return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); | 77 | return nf_nat_setup_info(ct, &mr->range[0], NF_NAT_MANIP_DST); |
78 | } | 78 | } |
79 | 79 | ||
80 | static int ipt_snat_checkentry(const struct xt_tgchk_param *par) | 80 | static int ipt_snat_checkentry(const struct xt_tgchk_param *par) |
81 | { | 81 | { |
82 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 82 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
83 | 83 | ||
84 | /* Must be a valid range */ | 84 | /* Must be a valid range */ |
85 | if (mr->rangesize != 1) { | 85 | if (mr->rangesize != 1) { |
@@ -91,7 +91,7 @@ static int ipt_snat_checkentry(const struct xt_tgchk_param *par) | |||
91 | 91 | ||
92 | static int ipt_dnat_checkentry(const struct xt_tgchk_param *par) | 92 | static int ipt_dnat_checkentry(const struct xt_tgchk_param *par) |
93 | { | 93 | { |
94 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 94 | const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; |
95 | 95 | ||
96 | /* Must be a valid range */ | 96 | /* Must be a valid range */ |
97 | if (mr->rangesize != 1) { | 97 | if (mr->rangesize != 1) { |
@@ -105,13 +105,13 @@ static unsigned int | |||
105 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) | 105 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) |
106 | { | 106 | { |
107 | /* Force range to this IP; let proto decide mapping for | 107 | /* Force range to this IP; let proto decide mapping for |
108 | per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED). | 108 | per-proto parts (hence not NF_NAT_RANGE_PROTO_SPECIFIED). |
109 | */ | 109 | */ |
110 | struct nf_nat_range range; | 110 | struct nf_nat_ipv4_range range; |
111 | 111 | ||
112 | range.flags = 0; | 112 | range.flags = 0; |
113 | pr_debug("Allocating NULL binding for %p (%pI4)\n", ct, | 113 | pr_debug("Allocating NULL binding for %p (%pI4)\n", ct, |
114 | HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC ? | 114 | HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ? |
115 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip : | 115 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip : |
116 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip); | 116 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip); |
117 | 117 | ||
@@ -140,7 +140,7 @@ int nf_nat_rule_find(struct sk_buff *skb, | |||
140 | static struct xt_target ipt_snat_reg __read_mostly = { | 140 | static struct xt_target ipt_snat_reg __read_mostly = { |
141 | .name = "SNAT", | 141 | .name = "SNAT", |
142 | .target = ipt_snat_target, | 142 | .target = ipt_snat_target, |
143 | .targetsize = sizeof(struct nf_nat_multi_range_compat), | 143 | .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat), |
144 | .table = "nat", | 144 | .table = "nat", |
145 | .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN), | 145 | .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN), |
146 | .checkentry = ipt_snat_checkentry, | 146 | .checkentry = ipt_snat_checkentry, |
@@ -150,7 +150,7 @@ static struct xt_target ipt_snat_reg __read_mostly = { | |||
150 | static struct xt_target ipt_dnat_reg __read_mostly = { | 150 | static struct xt_target ipt_dnat_reg __read_mostly = { |
151 | .name = "DNAT", | 151 | .name = "DNAT", |
152 | .target = ipt_dnat_target, | 152 | .target = ipt_dnat_target, |
153 | .targetsize = sizeof(struct nf_nat_multi_range_compat), | 153 | .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat), |
154 | .table = "nat", | 154 | .table = "nat", |
155 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT), | 155 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT), |
156 | .checkentry = ipt_dnat_checkentry, | 156 | .checkentry = ipt_dnat_checkentry, |
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c index 78844d9208f1..d0319f96269f 100644 --- a/net/ipv4/netfilter/nf_nat_sip.c +++ b/net/ipv4/netfilter/nf_nat_sip.c | |||
@@ -249,25 +249,25 @@ static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off) | |||
249 | static void ip_nat_sip_expected(struct nf_conn *ct, | 249 | static void ip_nat_sip_expected(struct nf_conn *ct, |
250 | struct nf_conntrack_expect *exp) | 250 | struct nf_conntrack_expect *exp) |
251 | { | 251 | { |
252 | struct nf_nat_range range; | 252 | struct nf_nat_ipv4_range range; |
253 | 253 | ||
254 | /* This must be a fresh one. */ | 254 | /* This must be a fresh one. */ |
255 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); | 255 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); |
256 | 256 | ||
257 | /* For DST manip, map port here to where it's expected. */ | 257 | /* For DST manip, map port here to where it's expected. */ |
258 | range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); | 258 | range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED); |
259 | range.min = range.max = exp->saved_proto; | 259 | range.min = range.max = exp->saved_proto; |
260 | range.min_ip = range.max_ip = exp->saved_ip; | 260 | range.min_ip = range.max_ip = exp->saved_ip; |
261 | nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); | 261 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST); |
262 | 262 | ||
263 | /* Change src to where master sends to, but only if the connection | 263 | /* Change src to where master sends to, but only if the connection |
264 | * actually came from the same source. */ | 264 | * actually came from the same source. */ |
265 | if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == | 265 | if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == |
266 | ct->master->tuplehash[exp->dir].tuple.src.u3.ip) { | 266 | ct->master->tuplehash[exp->dir].tuple.src.u3.ip) { |
267 | range.flags = IP_NAT_RANGE_MAP_IPS; | 267 | range.flags = NF_NAT_RANGE_MAP_IPS; |
268 | range.min_ip = range.max_ip | 268 | range.min_ip = range.max_ip |
269 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; | 269 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; |
270 | nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); | 270 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC); |
271 | } | 271 | } |
272 | } | 272 | } |
273 | 273 | ||
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 92900482edea..3828a4229822 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
@@ -137,7 +137,7 @@ nf_nat_fn(unsigned int hooknum, | |||
137 | return ret; | 137 | return ret; |
138 | } else | 138 | } else |
139 | pr_debug("Already setup manip %s for ct %p\n", | 139 | pr_debug("Already setup manip %s for ct %p\n", |
140 | maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST", | 140 | maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", |
141 | ct); | 141 | ct); |
142 | break; | 142 | break; |
143 | 143 | ||