aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2011-12-25 02:21:45 -0500
committerDavid S. Miller <davem@davemloft.net>2011-12-25 02:21:45 -0500
commitc5e1fd8ccae09f574d6f978c90c2b968ee29030c (patch)
treee4485dc086ce76c4ff2ff551246255f5de0a250b /net/ipv4
parent60b778ce519625102d3f72a2071ea72a05e990ce (diff)
parentceb98d03eac5704820f2ac1f370c9ff385e3a9f5 (diff)
Merge branch 'nf-next' of git://1984.lsi.us.es/net-next
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/fib_rules.c1
-rw-r--r--net/ipv4/fib_trie.c1
-rw-r--r--net/ipv4/netfilter/Kconfig10
-rw-r--r--net/ipv4/netfilter/Makefile1
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c16
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c14
-rw-r--r--net/ipv4/netfilter/ipt_REDIRECT.c16
-rw-r--r--net/ipv4/netfilter/ipt_rpfilter.c141
-rw-r--r--net/ipv4/netfilter/nf_nat_core.c96
-rw-r--r--net/ipv4/netfilter/nf_nat_h323.c20
-rw-r--r--net/ipv4/netfilter/nf_nat_helper.c16
-rw-r--r--net/ipv4/netfilter/nf_nat_pptp.c14
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_common.c36
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_dccp.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_gre.c10
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_icmp.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_sctp.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_tcp.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_udp.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_udplite.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_unknown.c3
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c22
-rw-r--r--net/ipv4/netfilter/nf_nat_sip.c10
-rw-r--r--net/ipv4/netfilter/nf_nat_standalone.c2
24 files changed, 278 insertions, 187 deletions
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 46339ba7a2d3..799fc790b3cf 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -67,6 +67,7 @@ int fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res)
67 67
68 return err; 68 return err;
69} 69}
70EXPORT_SYMBOL_GPL(fib_lookup);
70 71
71static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp, 72static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp,
72 int flags, struct fib_lookup_arg *arg) 73 int flags, struct fib_lookup_arg *arg)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 37b671185c81..d04b13ae18fe 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1607,6 +1607,7 @@ found:
1607 rcu_read_unlock(); 1607 rcu_read_unlock();
1608 return ret; 1608 return ret;
1609} 1609}
1610EXPORT_SYMBOL_GPL(fib_table_lookup);
1610 1611
1611/* 1612/*
1612 * Remove the leaf and return parent. 1613 * Remove the leaf and return parent.
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f19f2182894c..7e1f5cdaf11e 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -82,6 +82,16 @@ config IP_NF_MATCH_ECN
82 82
83 To compile it as a module, choose M here. If unsure, say N. 83 To compile it as a module, choose M here. If unsure, say N.
84 84
85config IP_NF_MATCH_RPFILTER
86 tristate '"rpfilter" reverse path filter match support'
87 depends on NETFILTER_ADVANCED
88 ---help---
89 This option allows you to match packets whose replies would
90 go out via the interface the packet came in.
91
92 To compile it as a module, choose M here. If unsure, say N.
93 The module will be called ipt_rpfilter.
94
85config IP_NF_MATCH_TTL 95config IP_NF_MATCH_TTL
86 tristate '"ttl" match support' 96 tristate '"ttl" match support'
87 depends on NETFILTER_ADVANCED 97 depends on NETFILTER_ADVANCED
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index dca2082ec683..123dd88cea53 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -50,6 +50,7 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
50# matches 50# matches
51obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o 51obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
52obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o 52obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
53obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
53 54
54# targets 55# targets
55obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o 56obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 9931152a78b5..2f210c79dc87 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -30,9 +30,9 @@ MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
30/* FIXME: Multiple targets. --RR */ 30/* FIXME: Multiple targets. --RR */
31static int masquerade_tg_check(const struct xt_tgchk_param *par) 31static int masquerade_tg_check(const struct xt_tgchk_param *par)
32{ 32{
33 const struct nf_nat_multi_range_compat *mr = par->targinfo; 33 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
34 34
35 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 35 if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) {
36 pr_debug("bad MAP_IPS.\n"); 36 pr_debug("bad MAP_IPS.\n");
37 return -EINVAL; 37 return -EINVAL;
38 } 38 }
@@ -49,8 +49,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
49 struct nf_conn *ct; 49 struct nf_conn *ct;
50 struct nf_conn_nat *nat; 50 struct nf_conn_nat *nat;
51 enum ip_conntrack_info ctinfo; 51 enum ip_conntrack_info ctinfo;
52 struct nf_nat_range newrange; 52 struct nf_nat_ipv4_range newrange;
53 const struct nf_nat_multi_range_compat *mr; 53 const struct nf_nat_ipv4_multi_range_compat *mr;
54 const struct rtable *rt; 54 const struct rtable *rt;
55 __be32 newsrc; 55 __be32 newsrc;
56 56
@@ -79,13 +79,13 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
79 nat->masq_index = par->out->ifindex; 79 nat->masq_index = par->out->ifindex;
80 80
81 /* Transfer from original range. */ 81 /* Transfer from original range. */
82 newrange = ((struct nf_nat_range) 82 newrange = ((struct nf_nat_ipv4_range)
83 { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS, 83 { mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
84 newsrc, newsrc, 84 newsrc, newsrc,
85 mr->range[0].min, mr->range[0].max }); 85 mr->range[0].min, mr->range[0].max });
86 86
87 /* Hand modified range to generic setup. */ 87 /* Hand modified range to generic setup. */
88 return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_SRC); 88 return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
89} 89}
90 90
91static int 91static int
@@ -139,7 +139,7 @@ static struct xt_target masquerade_tg_reg __read_mostly = {
139 .name = "MASQUERADE", 139 .name = "MASQUERADE",
140 .family = NFPROTO_IPV4, 140 .family = NFPROTO_IPV4,
141 .target = masquerade_tg, 141 .target = masquerade_tg,
142 .targetsize = sizeof(struct nf_nat_multi_range_compat), 142 .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
143 .table = "nat", 143 .table = "nat",
144 .hooks = 1 << NF_INET_POST_ROUTING, 144 .hooks = 1 << NF_INET_POST_ROUTING,
145 .checkentry = masquerade_tg_check, 145 .checkentry = masquerade_tg_check,
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 6cdb298f1035..b5bfbbabf70d 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -24,9 +24,9 @@ MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
24 24
25static int netmap_tg_check(const struct xt_tgchk_param *par) 25static int netmap_tg_check(const struct xt_tgchk_param *par)
26{ 26{
27 const struct nf_nat_multi_range_compat *mr = par->targinfo; 27 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
28 28
29 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { 29 if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
30 pr_debug("bad MAP_IPS.\n"); 30 pr_debug("bad MAP_IPS.\n");
31 return -EINVAL; 31 return -EINVAL;
32 } 32 }
@@ -43,8 +43,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
43 struct nf_conn *ct; 43 struct nf_conn *ct;
44 enum ip_conntrack_info ctinfo; 44 enum ip_conntrack_info ctinfo;
45 __be32 new_ip, netmask; 45 __be32 new_ip, netmask;
46 const struct nf_nat_multi_range_compat *mr = par->targinfo; 46 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
47 struct nf_nat_range newrange; 47 struct nf_nat_ipv4_range newrange;
48 48
49 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || 49 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
50 par->hooknum == NF_INET_POST_ROUTING || 50 par->hooknum == NF_INET_POST_ROUTING ||
@@ -61,8 +61,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
61 new_ip = ip_hdr(skb)->saddr & ~netmask; 61 new_ip = ip_hdr(skb)->saddr & ~netmask;
62 new_ip |= mr->range[0].min_ip & netmask; 62 new_ip |= mr->range[0].min_ip & netmask;
63 63
64 newrange = ((struct nf_nat_range) 64 newrange = ((struct nf_nat_ipv4_range)
65 { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS, 65 { mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
66 new_ip, new_ip, 66 new_ip, new_ip,
67 mr->range[0].min, mr->range[0].max }); 67 mr->range[0].min, mr->range[0].max });
68 68
@@ -74,7 +74,7 @@ static struct xt_target netmap_tg_reg __read_mostly = {
74 .name = "NETMAP", 74 .name = "NETMAP",
75 .family = NFPROTO_IPV4, 75 .family = NFPROTO_IPV4,
76 .target = netmap_tg, 76 .target = netmap_tg,
77 .targetsize = sizeof(struct nf_nat_multi_range_compat), 77 .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
78 .table = "nat", 78 .table = "nat",
79 .hooks = (1 << NF_INET_PRE_ROUTING) | 79 .hooks = (1 << NF_INET_PRE_ROUTING) |
80 (1 << NF_INET_POST_ROUTING) | 80 (1 << NF_INET_POST_ROUTING) |
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 18a0656505a0..7c0103a5203e 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -28,9 +28,9 @@ MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
28/* FIXME: Take multiple ranges --RR */ 28/* FIXME: Take multiple ranges --RR */
29static int redirect_tg_check(const struct xt_tgchk_param *par) 29static int redirect_tg_check(const struct xt_tgchk_param *par)
30{ 30{
31 const struct nf_nat_multi_range_compat *mr = par->targinfo; 31 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
32 32
33 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 33 if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) {
34 pr_debug("bad MAP_IPS.\n"); 34 pr_debug("bad MAP_IPS.\n");
35 return -EINVAL; 35 return -EINVAL;
36 } 36 }
@@ -47,8 +47,8 @@ redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
47 struct nf_conn *ct; 47 struct nf_conn *ct;
48 enum ip_conntrack_info ctinfo; 48 enum ip_conntrack_info ctinfo;
49 __be32 newdst; 49 __be32 newdst;
50 const struct nf_nat_multi_range_compat *mr = par->targinfo; 50 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
51 struct nf_nat_range newrange; 51 struct nf_nat_ipv4_range newrange;
52 52
53 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || 53 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
54 par->hooknum == NF_INET_LOCAL_OUT); 54 par->hooknum == NF_INET_LOCAL_OUT);
@@ -76,20 +76,20 @@ redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
76 } 76 }
77 77
78 /* Transfer from original range. */ 78 /* Transfer from original range. */
79 newrange = ((struct nf_nat_range) 79 newrange = ((struct nf_nat_ipv4_range)
80 { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS, 80 { mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
81 newdst, newdst, 81 newdst, newdst,
82 mr->range[0].min, mr->range[0].max }); 82 mr->range[0].min, mr->range[0].max });
83 83
84 /* Hand modified range to generic setup. */ 84 /* Hand modified range to generic setup. */
85 return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_DST); 85 return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
86} 86}
87 87
88static struct xt_target redirect_tg_reg __read_mostly = { 88static struct xt_target redirect_tg_reg __read_mostly = {
89 .name = "REDIRECT", 89 .name = "REDIRECT",
90 .family = NFPROTO_IPV4, 90 .family = NFPROTO_IPV4,
91 .target = redirect_tg, 91 .target = redirect_tg,
92 .targetsize = sizeof(struct nf_nat_multi_range_compat), 92 .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
93 .table = "nat", 93 .table = "nat",
94 .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT), 94 .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
95 .checkentry = redirect_tg_check, 95 .checkentry = redirect_tg_check,
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
new file mode 100644
index 000000000000..31371be8174b
--- /dev/null
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -0,0 +1,141 @@
1/*
2 * Copyright (c) 2011 Florian Westphal <fw@strlen.de>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * based on fib_frontend.c; Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
9 */
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11#include <linux/module.h>
12#include <linux/skbuff.h>
13#include <linux/netdevice.h>
14#include <linux/ip.h>
15#include <net/ip.h>
16#include <net/ip_fib.h>
17#include <net/route.h>
18
19#include <linux/netfilter/xt_rpfilter.h>
20#include <linux/netfilter/x_tables.h>
21
22MODULE_LICENSE("GPL");
23MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
24MODULE_DESCRIPTION("iptables: ipv4 reverse path filter match");
25
26/* don't try to find route from mcast/bcast/zeronet */
27static __be32 rpfilter_get_saddr(__be32 addr)
28{
29 if (ipv4_is_multicast(addr) || ipv4_is_lbcast(addr) ||
30 ipv4_is_zeronet(addr))
31 return 0;
32 return addr;
33}
34
35static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
36 const struct net_device *dev, u8 flags)
37{
38 struct fib_result res;
39 bool dev_match;
40 struct net *net = dev_net(dev);
41 int ret __maybe_unused;
42
43 if (fib_lookup(net, fl4, &res))
44 return false;
45
46 if (res.type != RTN_UNICAST) {
47 if (res.type != RTN_LOCAL || !(flags & XT_RPFILTER_ACCEPT_LOCAL))
48 return false;
49 }
50 dev_match = false;
51#ifdef CONFIG_IP_ROUTE_MULTIPATH
52 for (ret = 0; ret < res.fi->fib_nhs; ret++) {
53 struct fib_nh *nh = &res.fi->fib_nh[ret];
54
55 if (nh->nh_dev == dev) {
56 dev_match = true;
57 break;
58 }
59 }
60#else
61 if (FIB_RES_DEV(res) == dev)
62 dev_match = true;
63#endif
64 if (dev_match || flags & XT_RPFILTER_LOOSE)
65 return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
66 return dev_match;
67}
68
69static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
70{
71 const struct xt_rpfilter_info *info;
72 const struct iphdr *iph;
73 struct flowi4 flow;
74 bool invert;
75
76 info = par->matchinfo;
77 invert = info->flags & XT_RPFILTER_INVERT;
78
79 if (par->in->flags & IFF_LOOPBACK)
80 return true ^ invert;
81
82 iph = ip_hdr(skb);
83 if (ipv4_is_multicast(iph->daddr)) {
84 if (ipv4_is_zeronet(iph->saddr))
85 return ipv4_is_local_multicast(iph->daddr) ^ invert;
86 flow.flowi4_iif = 0;
87 } else {
88 flow.flowi4_iif = dev_net(par->in)->loopback_dev->ifindex;
89 }
90
91 flow.daddr = iph->saddr;
92 flow.saddr = rpfilter_get_saddr(iph->daddr);
93 flow.flowi4_oif = 0;
94 flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
95 flow.flowi4_tos = RT_TOS(iph->tos);
96 flow.flowi4_scope = RT_SCOPE_UNIVERSE;
97
98 return rpfilter_lookup_reverse(&flow, par->in, info->flags) ^ invert;
99}
100
101static int rpfilter_check(const struct xt_mtchk_param *par)
102{
103 const struct xt_rpfilter_info *info = par->matchinfo;
104 unsigned int options = ~XT_RPFILTER_OPTION_MASK;
105 if (info->flags & options) {
106 pr_info("unknown options encountered");
107 return -EINVAL;
108 }
109
110 if (strcmp(par->table, "mangle") != 0 &&
111 strcmp(par->table, "raw") != 0) {
112 pr_info("match only valid in the \'raw\' "
113 "or \'mangle\' tables, not \'%s\'.\n", par->table);
114 return -EINVAL;
115 }
116
117 return 0;
118}
119
120static struct xt_match rpfilter_mt_reg __read_mostly = {
121 .name = "rpfilter",
122 .family = NFPROTO_IPV4,
123 .checkentry = rpfilter_check,
124 .match = rpfilter_mt,
125 .matchsize = sizeof(struct xt_rpfilter_info),
126 .hooks = (1 << NF_INET_PRE_ROUTING),
127 .me = THIS_MODULE
128};
129
130static int __init rpfilter_mt_init(void)
131{
132 return xt_register_match(&rpfilter_mt_reg);
133}
134
135static void __exit rpfilter_mt_exit(void)
136{
137 xt_unregister_match(&rpfilter_mt_reg);
138}
139
140module_init(rpfilter_mt_init);
141module_exit(rpfilter_mt_exit);
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 447bc5cfdc6c..acdd002bb540 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -30,7 +30,6 @@
30#include <net/netfilter/nf_nat_helper.h> 30#include <net/netfilter/nf_nat_helper.h>
31#include <net/netfilter/nf_conntrack_helper.h> 31#include <net/netfilter/nf_conntrack_helper.h>
32#include <net/netfilter/nf_conntrack_l3proto.h> 32#include <net/netfilter/nf_conntrack_l3proto.h>
33#include <net/netfilter/nf_conntrack_l4proto.h>
34#include <net/netfilter/nf_conntrack_zones.h> 33#include <net/netfilter/nf_conntrack_zones.h>
35 34
36static DEFINE_SPINLOCK(nf_nat_lock); 35static DEFINE_SPINLOCK(nf_nat_lock);
@@ -57,7 +56,7 @@ hash_by_src(const struct net *net, u16 zone,
57 /* Original src, to ensure we map it consistently if poss. */ 56 /* Original src, to ensure we map it consistently if poss. */
58 hash = jhash_3words((__force u32)tuple->src.u3.ip, 57 hash = jhash_3words((__force u32)tuple->src.u3.ip,
59 (__force u32)tuple->src.u.all ^ zone, 58 (__force u32)tuple->src.u.all ^ zone,
60 tuple->dst.protonum, 0); 59 tuple->dst.protonum, nf_conntrack_hash_rnd);
61 return ((u64)hash * net->ipv4.nat_htable_size) >> 32; 60 return ((u64)hash * net->ipv4.nat_htable_size) >> 32;
62} 61}
63 62
@@ -82,14 +81,14 @@ EXPORT_SYMBOL(nf_nat_used_tuple);
82 * that meet the constraints of range. */ 81 * that meet the constraints of range. */
83static int 82static int
84in_range(const struct nf_conntrack_tuple *tuple, 83in_range(const struct nf_conntrack_tuple *tuple,
85 const struct nf_nat_range *range) 84 const struct nf_nat_ipv4_range *range)
86{ 85{
87 const struct nf_nat_protocol *proto; 86 const struct nf_nat_protocol *proto;
88 int ret = 0; 87 int ret = 0;
89 88
90 /* If we are supposed to map IPs, then we must be in the 89 /* If we are supposed to map IPs, then we must be in the
91 range specified, otherwise let this drag us onto a new src IP. */ 90 range specified, otherwise let this drag us onto a new src IP. */
92 if (range->flags & IP_NAT_RANGE_MAP_IPS) { 91 if (range->flags & NF_NAT_RANGE_MAP_IPS) {
93 if (ntohl(tuple->src.u3.ip) < ntohl(range->min_ip) || 92 if (ntohl(tuple->src.u3.ip) < ntohl(range->min_ip) ||
94 ntohl(tuple->src.u3.ip) > ntohl(range->max_ip)) 93 ntohl(tuple->src.u3.ip) > ntohl(range->max_ip))
95 return 0; 94 return 0;
@@ -97,8 +96,8 @@ in_range(const struct nf_conntrack_tuple *tuple,
97 96
98 rcu_read_lock(); 97 rcu_read_lock();
99 proto = __nf_nat_proto_find(tuple->dst.protonum); 98 proto = __nf_nat_proto_find(tuple->dst.protonum);
100 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || 99 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) ||
101 proto->in_range(tuple, IP_NAT_MANIP_SRC, 100 proto->in_range(tuple, NF_NAT_MANIP_SRC,
102 &range->min, &range->max)) 101 &range->min, &range->max))
103 ret = 1; 102 ret = 1;
104 rcu_read_unlock(); 103 rcu_read_unlock();
@@ -123,7 +122,7 @@ static int
123find_appropriate_src(struct net *net, u16 zone, 122find_appropriate_src(struct net *net, u16 zone,
124 const struct nf_conntrack_tuple *tuple, 123 const struct nf_conntrack_tuple *tuple,
125 struct nf_conntrack_tuple *result, 124 struct nf_conntrack_tuple *result,
126 const struct nf_nat_range *range) 125 const struct nf_nat_ipv4_range *range)
127{ 126{
128 unsigned int h = hash_by_src(net, zone, tuple); 127 unsigned int h = hash_by_src(net, zone, tuple);
129 const struct nf_conn_nat *nat; 128 const struct nf_conn_nat *nat;
@@ -157,7 +156,7 @@ find_appropriate_src(struct net *net, u16 zone,
157*/ 156*/
158static void 157static void
159find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, 158find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
160 const struct nf_nat_range *range, 159 const struct nf_nat_ipv4_range *range,
161 const struct nf_conn *ct, 160 const struct nf_conn *ct,
162 enum nf_nat_manip_type maniptype) 161 enum nf_nat_manip_type maniptype)
163{ 162{
@@ -166,10 +165,10 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
166 u_int32_t minip, maxip, j; 165 u_int32_t minip, maxip, j;
167 166
168 /* No IP mapping? Do nothing. */ 167 /* No IP mapping? Do nothing. */
169 if (!(range->flags & IP_NAT_RANGE_MAP_IPS)) 168 if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
170 return; 169 return;
171 170
172 if (maniptype == IP_NAT_MANIP_SRC) 171 if (maniptype == NF_NAT_MANIP_SRC)
173 var_ipp = &tuple->src.u3.ip; 172 var_ipp = &tuple->src.u3.ip;
174 else 173 else
175 var_ipp = &tuple->dst.u3.ip; 174 var_ipp = &tuple->dst.u3.ip;
@@ -189,7 +188,7 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
189 minip = ntohl(range->min_ip); 188 minip = ntohl(range->min_ip);
190 maxip = ntohl(range->max_ip); 189 maxip = ntohl(range->max_ip);
191 j = jhash_2words((__force u32)tuple->src.u3.ip, 190 j = jhash_2words((__force u32)tuple->src.u3.ip,
192 range->flags & IP_NAT_RANGE_PERSISTENT ? 191 range->flags & NF_NAT_RANGE_PERSISTENT ?
193 0 : (__force u32)tuple->dst.u3.ip ^ zone, 0); 192 0 : (__force u32)tuple->dst.u3.ip ^ zone, 0);
194 j = ((u64)j * (maxip - minip + 1)) >> 32; 193 j = ((u64)j * (maxip - minip + 1)) >> 32;
195 *var_ipp = htonl(minip + j); 194 *var_ipp = htonl(minip + j);
@@ -204,7 +203,7 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
204static void 203static void
205get_unique_tuple(struct nf_conntrack_tuple *tuple, 204get_unique_tuple(struct nf_conntrack_tuple *tuple,
206 const struct nf_conntrack_tuple *orig_tuple, 205 const struct nf_conntrack_tuple *orig_tuple,
207 const struct nf_nat_range *range, 206 const struct nf_nat_ipv4_range *range,
208 struct nf_conn *ct, 207 struct nf_conn *ct,
209 enum nf_nat_manip_type maniptype) 208 enum nf_nat_manip_type maniptype)
210{ 209{
@@ -219,8 +218,8 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
219 This is only required for source (ie. NAT/masq) mappings. 218 This is only required for source (ie. NAT/masq) mappings.
220 So far, we don't do local source mappings, so multiple 219 So far, we don't do local source mappings, so multiple
221 manips not an issue. */ 220 manips not an issue. */
222 if (maniptype == IP_NAT_MANIP_SRC && 221 if (maniptype == NF_NAT_MANIP_SRC &&
223 !(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) { 222 !(range->flags & NF_NAT_RANGE_PROTO_RANDOM)) {
224 /* try the original tuple first */ 223 /* try the original tuple first */
225 if (in_range(orig_tuple, range)) { 224 if (in_range(orig_tuple, range)) {
226 if (!nf_nat_used_tuple(orig_tuple, ct)) { 225 if (!nf_nat_used_tuple(orig_tuple, ct)) {
@@ -247,8 +246,8 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
247 proto = __nf_nat_proto_find(orig_tuple->dst.protonum); 246 proto = __nf_nat_proto_find(orig_tuple->dst.protonum);
248 247
249 /* Only bother mapping if it's not already in range and unique */ 248 /* Only bother mapping if it's not already in range and unique */
250 if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) { 249 if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM)) {
251 if (range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { 250 if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
252 if (proto->in_range(tuple, maniptype, &range->min, 251 if (proto->in_range(tuple, maniptype, &range->min,
253 &range->max) && 252 &range->max) &&
254 (range->min.all == range->max.all || 253 (range->min.all == range->max.all ||
@@ -267,7 +266,7 @@ out:
267 266
268unsigned int 267unsigned int
269nf_nat_setup_info(struct nf_conn *ct, 268nf_nat_setup_info(struct nf_conn *ct,
270 const struct nf_nat_range *range, 269 const struct nf_nat_ipv4_range *range,
271 enum nf_nat_manip_type maniptype) 270 enum nf_nat_manip_type maniptype)
272{ 271{
273 struct net *net = nf_ct_net(ct); 272 struct net *net = nf_ct_net(ct);
@@ -284,8 +283,8 @@ nf_nat_setup_info(struct nf_conn *ct,
284 } 283 }
285 } 284 }
286 285
287 NF_CT_ASSERT(maniptype == IP_NAT_MANIP_SRC || 286 NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
288 maniptype == IP_NAT_MANIP_DST); 287 maniptype == NF_NAT_MANIP_DST);
289 BUG_ON(nf_nat_initialized(ct, maniptype)); 288 BUG_ON(nf_nat_initialized(ct, maniptype));
290 289
291 /* What we've got will look like inverse of reply. Normally 290 /* What we've got will look like inverse of reply. Normally
@@ -306,13 +305,13 @@ nf_nat_setup_info(struct nf_conn *ct,
306 nf_conntrack_alter_reply(ct, &reply); 305 nf_conntrack_alter_reply(ct, &reply);
307 306
308 /* Non-atomic: we own this at the moment. */ 307 /* Non-atomic: we own this at the moment. */
309 if (maniptype == IP_NAT_MANIP_SRC) 308 if (maniptype == NF_NAT_MANIP_SRC)
310 ct->status |= IPS_SRC_NAT; 309 ct->status |= IPS_SRC_NAT;
311 else 310 else
312 ct->status |= IPS_DST_NAT; 311 ct->status |= IPS_DST_NAT;
313 } 312 }
314 313
315 if (maniptype == IP_NAT_MANIP_SRC) { 314 if (maniptype == NF_NAT_MANIP_SRC) {
316 unsigned int srchash; 315 unsigned int srchash;
317 316
318 srchash = hash_by_src(net, nf_ct_zone(ct), 317 srchash = hash_by_src(net, nf_ct_zone(ct),
@@ -327,7 +326,7 @@ nf_nat_setup_info(struct nf_conn *ct,
327 } 326 }
328 327
329 /* It's done. */ 328 /* It's done. */
330 if (maniptype == IP_NAT_MANIP_DST) 329 if (maniptype == NF_NAT_MANIP_DST)
331 ct->status |= IPS_DST_NAT_DONE; 330 ct->status |= IPS_DST_NAT_DONE;
332 else 331 else
333 ct->status |= IPS_SRC_NAT_DONE; 332 ct->status |= IPS_SRC_NAT_DONE;
@@ -361,7 +360,7 @@ manip_pkt(u_int16_t proto,
361 360
362 iph = (void *)skb->data + iphdroff; 361 iph = (void *)skb->data + iphdroff;
363 362
364 if (maniptype == IP_NAT_MANIP_SRC) { 363 if (maniptype == NF_NAT_MANIP_SRC) {
365 csum_replace4(&iph->check, iph->saddr, target->src.u3.ip); 364 csum_replace4(&iph->check, iph->saddr, target->src.u3.ip);
366 iph->saddr = target->src.u3.ip; 365 iph->saddr = target->src.u3.ip;
367 } else { 366 } else {
@@ -381,7 +380,7 @@ unsigned int nf_nat_packet(struct nf_conn *ct,
381 unsigned long statusbit; 380 unsigned long statusbit;
382 enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum); 381 enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum);
383 382
384 if (mtype == IP_NAT_MANIP_SRC) 383 if (mtype == NF_NAT_MANIP_SRC)
385 statusbit = IPS_SRC_NAT; 384 statusbit = IPS_SRC_NAT;
386 else 385 else
387 statusbit = IPS_DST_NAT; 386 statusbit = IPS_DST_NAT;
@@ -414,8 +413,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
414 struct icmphdr icmp; 413 struct icmphdr icmp;
415 struct iphdr ip; 414 struct iphdr ip;
416 } *inside; 415 } *inside;
417 const struct nf_conntrack_l4proto *l4proto; 416 struct nf_conntrack_tuple target;
418 struct nf_conntrack_tuple inner, target;
419 int hdrlen = ip_hdrlen(skb); 417 int hdrlen = ip_hdrlen(skb);
420 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 418 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
421 unsigned long statusbit; 419 unsigned long statusbit;
@@ -447,7 +445,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
447 return 0; 445 return 0;
448 } 446 }
449 447
450 if (manip == IP_NAT_MANIP_SRC) 448 if (manip == NF_NAT_MANIP_SRC)
451 statusbit = IPS_SRC_NAT; 449 statusbit = IPS_SRC_NAT;
452 else 450 else
453 statusbit = IPS_DST_NAT; 451 statusbit = IPS_DST_NAT;
@@ -463,16 +461,6 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
463 "dir %s\n", skb, manip, 461 "dir %s\n", skb, manip,
464 dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); 462 dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY");
465 463
466 /* rcu_read_lock()ed by nf_hook_slow */
467 l4proto = __nf_ct_l4proto_find(PF_INET, inside->ip.protocol);
468
469 if (!nf_ct_get_tuple(skb, hdrlen + sizeof(struct icmphdr),
470 (hdrlen +
471 sizeof(struct icmphdr) + inside->ip.ihl * 4),
472 (u_int16_t)AF_INET, inside->ip.protocol,
473 &inner, l3proto, l4proto))
474 return 0;
475
476 /* Change inner back to look like incoming packet. We do the 464 /* Change inner back to look like incoming packet. We do the
477 opposite manip on this hook to normal, because it might not 465 opposite manip on this hook to normal, because it might not
478 pass all hooks (locally-generated ICMP). Consider incoming 466 pass all hooks (locally-generated ICMP). Consider incoming
@@ -575,26 +563,6 @@ static struct nf_ct_ext_type nat_extend __read_mostly = {
575#include <linux/netfilter/nfnetlink.h> 563#include <linux/netfilter/nfnetlink.h>
576#include <linux/netfilter/nfnetlink_conntrack.h> 564#include <linux/netfilter/nfnetlink_conntrack.h>
577 565
578static const struct nf_nat_protocol *
579nf_nat_proto_find_get(u_int8_t protonum)
580{
581 const struct nf_nat_protocol *p;
582
583 rcu_read_lock();
584 p = __nf_nat_proto_find(protonum);
585 if (!try_module_get(p->me))
586 p = &nf_nat_unknown_protocol;
587 rcu_read_unlock();
588
589 return p;
590}
591
592static void
593nf_nat_proto_put(const struct nf_nat_protocol *p)
594{
595 module_put(p->me);
596}
597
598static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = { 566static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
599 [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 }, 567 [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
600 [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 }, 568 [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
@@ -602,7 +570,7 @@ static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
602 570
603static int nfnetlink_parse_nat_proto(struct nlattr *attr, 571static int nfnetlink_parse_nat_proto(struct nlattr *attr,
604 const struct nf_conn *ct, 572 const struct nf_conn *ct,
605 struct nf_nat_range *range) 573 struct nf_nat_ipv4_range *range)
606{ 574{
607 struct nlattr *tb[CTA_PROTONAT_MAX+1]; 575 struct nlattr *tb[CTA_PROTONAT_MAX+1];
608 const struct nf_nat_protocol *npt; 576 const struct nf_nat_protocol *npt;
@@ -612,21 +580,23 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr,
612 if (err < 0) 580 if (err < 0)
613 return err; 581 return err;
614 582
615 npt = nf_nat_proto_find_get(nf_ct_protonum(ct)); 583 rcu_read_lock();
584 npt = __nf_nat_proto_find(nf_ct_protonum(ct));
616 if (npt->nlattr_to_range) 585 if (npt->nlattr_to_range)
617 err = npt->nlattr_to_range(tb, range); 586 err = npt->nlattr_to_range(tb, range);
618 nf_nat_proto_put(npt); 587 rcu_read_unlock();
619 return err; 588 return err;
620} 589}
621 590
622static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = { 591static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
623 [CTA_NAT_MINIP] = { .type = NLA_U32 }, 592 [CTA_NAT_MINIP] = { .type = NLA_U32 },
624 [CTA_NAT_MAXIP] = { .type = NLA_U32 }, 593 [CTA_NAT_MAXIP] = { .type = NLA_U32 },
594 [CTA_NAT_PROTO] = { .type = NLA_NESTED },
625}; 595};
626 596
627static int 597static int
628nfnetlink_parse_nat(const struct nlattr *nat, 598nfnetlink_parse_nat(const struct nlattr *nat,
629 const struct nf_conn *ct, struct nf_nat_range *range) 599 const struct nf_conn *ct, struct nf_nat_ipv4_range *range)
630{ 600{
631 struct nlattr *tb[CTA_NAT_MAX+1]; 601 struct nlattr *tb[CTA_NAT_MAX+1];
632 int err; 602 int err;
@@ -646,7 +616,7 @@ nfnetlink_parse_nat(const struct nlattr *nat,
646 range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]); 616 range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]);
647 617
648 if (range->min_ip) 618 if (range->min_ip)
649 range->flags |= IP_NAT_RANGE_MAP_IPS; 619 range->flags |= NF_NAT_RANGE_MAP_IPS;
650 620
651 if (!tb[CTA_NAT_PROTO]) 621 if (!tb[CTA_NAT_PROTO])
652 return 0; 622 return 0;
@@ -663,7 +633,7 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
663 enum nf_nat_manip_type manip, 633 enum nf_nat_manip_type manip,
664 const struct nlattr *attr) 634 const struct nlattr *attr)
665{ 635{
666 struct nf_nat_range range; 636 struct nf_nat_ipv4_range range;
667 637
668 if (nfnetlink_parse_nat(attr, ct, &range) < 0) 638 if (nfnetlink_parse_nat(attr, ct, &range) < 0)
669 return -EINVAL; 639 return -EINVAL;
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index b9a1136addbd..dc1dd912baf4 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -398,7 +398,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
398static void ip_nat_q931_expect(struct nf_conn *new, 398static void ip_nat_q931_expect(struct nf_conn *new,
399 struct nf_conntrack_expect *this) 399 struct nf_conntrack_expect *this)
400{ 400{
401 struct nf_nat_range range; 401 struct nf_nat_ipv4_range range;
402 402
403 if (this->tuple.src.u3.ip != 0) { /* Only accept calls from GK */ 403 if (this->tuple.src.u3.ip != 0) { /* Only accept calls from GK */
404 nf_nat_follow_master(new, this); 404 nf_nat_follow_master(new, this);
@@ -409,16 +409,16 @@ static void ip_nat_q931_expect(struct nf_conn *new,
409 BUG_ON(new->status & IPS_NAT_DONE_MASK); 409 BUG_ON(new->status & IPS_NAT_DONE_MASK);
410 410
411 /* Change src to where master sends to */ 411 /* Change src to where master sends to */
412 range.flags = IP_NAT_RANGE_MAP_IPS; 412 range.flags = NF_NAT_RANGE_MAP_IPS;
413 range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip; 413 range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
414 nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC); 414 nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC);
415 415
416 /* For DST manip, map port here to where it's expected. */ 416 /* For DST manip, map port here to where it's expected. */
417 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); 417 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
418 range.min = range.max = this->saved_proto; 418 range.min = range.max = this->saved_proto;
419 range.min_ip = range.max_ip = 419 range.min_ip = range.max_ip =
420 new->master->tuplehash[!this->dir].tuple.src.u3.ip; 420 new->master->tuplehash[!this->dir].tuple.src.u3.ip;
421 nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST); 421 nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST);
422} 422}
423 423
424/****************************************************************************/ 424/****************************************************************************/
@@ -496,21 +496,21 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
496static void ip_nat_callforwarding_expect(struct nf_conn *new, 496static void ip_nat_callforwarding_expect(struct nf_conn *new,
497 struct nf_conntrack_expect *this) 497 struct nf_conntrack_expect *this)
498{ 498{
499 struct nf_nat_range range; 499 struct nf_nat_ipv4_range range;
500 500
501 /* This must be a fresh one. */ 501 /* This must be a fresh one. */
502 BUG_ON(new->status & IPS_NAT_DONE_MASK); 502 BUG_ON(new->status & IPS_NAT_DONE_MASK);
503 503
504 /* Change src to where master sends to */ 504 /* Change src to where master sends to */
505 range.flags = IP_NAT_RANGE_MAP_IPS; 505 range.flags = NF_NAT_RANGE_MAP_IPS;
506 range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip; 506 range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
507 nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC); 507 nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC);
508 508
509 /* For DST manip, map port here to where it's expected. */ 509 /* For DST manip, map port here to where it's expected. */
510 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); 510 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
511 range.min = range.max = this->saved_proto; 511 range.min = range.max = this->saved_proto;
512 range.min_ip = range.max_ip = this->saved_ip; 512 range.min_ip = range.max_ip = this->saved_ip;
513 nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST); 513 nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST);
514} 514}
515 515
516/****************************************************************************/ 516/****************************************************************************/
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index ebc5f8894f99..af65958f6308 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -253,12 +253,6 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
253 struct udphdr *udph; 253 struct udphdr *udph;
254 int datalen, oldlen; 254 int datalen, oldlen;
255 255
256 /* UDP helpers might accidentally mangle the wrong packet */
257 iph = ip_hdr(skb);
258 if (skb->len < iph->ihl*4 + sizeof(*udph) +
259 match_offset + match_len)
260 return 0;
261
262 if (!skb_make_writable(skb, skb->len)) 256 if (!skb_make_writable(skb, skb->len))
263 return 0; 257 return 0;
264 258
@@ -430,22 +424,22 @@ nf_nat_seq_adjust(struct sk_buff *skb,
430void nf_nat_follow_master(struct nf_conn *ct, 424void nf_nat_follow_master(struct nf_conn *ct,
431 struct nf_conntrack_expect *exp) 425 struct nf_conntrack_expect *exp)
432{ 426{
433 struct nf_nat_range range; 427 struct nf_nat_ipv4_range range;
434 428
435 /* This must be a fresh one. */ 429 /* This must be a fresh one. */
436 BUG_ON(ct->status & IPS_NAT_DONE_MASK); 430 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
437 431
438 /* Change src to where master sends to */ 432 /* Change src to where master sends to */
439 range.flags = IP_NAT_RANGE_MAP_IPS; 433 range.flags = NF_NAT_RANGE_MAP_IPS;
440 range.min_ip = range.max_ip 434 range.min_ip = range.max_ip
441 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; 435 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
442 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); 436 nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC);
443 437
444 /* For DST manip, map port here to where it's expected. */ 438 /* For DST manip, map port here to where it's expected. */
445 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); 439 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
446 range.min = range.max = exp->saved_proto; 440 range.min = range.max = exp->saved_proto;
447 range.min_ip = range.max_ip 441 range.min_ip = range.max_ip
448 = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip; 442 = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;
449 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); 443 nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST);
450} 444}
451EXPORT_SYMBOL(nf_nat_follow_master); 445EXPORT_SYMBOL(nf_nat_follow_master);
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index 3e8284ba46b8..c273d58980ae 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -47,7 +47,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
47 struct nf_conntrack_tuple t; 47 struct nf_conntrack_tuple t;
48 const struct nf_ct_pptp_master *ct_pptp_info; 48 const struct nf_ct_pptp_master *ct_pptp_info;
49 const struct nf_nat_pptp *nat_pptp_info; 49 const struct nf_nat_pptp *nat_pptp_info;
50 struct nf_nat_range range; 50 struct nf_nat_ipv4_range range;
51 51
52 ct_pptp_info = &nfct_help(master)->help.ct_pptp_info; 52 ct_pptp_info = &nfct_help(master)->help.ct_pptp_info;
53 nat_pptp_info = &nfct_nat(master)->help.nat_pptp_info; 53 nat_pptp_info = &nfct_nat(master)->help.nat_pptp_info;
@@ -88,24 +88,24 @@ static void pptp_nat_expected(struct nf_conn *ct,
88 BUG_ON(ct->status & IPS_NAT_DONE_MASK); 88 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
89 89
90 /* Change src to where master sends to */ 90 /* Change src to where master sends to */
91 range.flags = IP_NAT_RANGE_MAP_IPS; 91 range.flags = NF_NAT_RANGE_MAP_IPS;
92 range.min_ip = range.max_ip 92 range.min_ip = range.max_ip
93 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; 93 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
94 if (exp->dir == IP_CT_DIR_ORIGINAL) { 94 if (exp->dir == IP_CT_DIR_ORIGINAL) {
95 range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED; 95 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
96 range.min = range.max = exp->saved_proto; 96 range.min = range.max = exp->saved_proto;
97 } 97 }
98 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); 98 nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC);
99 99
100 /* For DST manip, map port here to where it's expected. */ 100 /* For DST manip, map port here to where it's expected. */
101 range.flags = IP_NAT_RANGE_MAP_IPS; 101 range.flags = NF_NAT_RANGE_MAP_IPS;
102 range.min_ip = range.max_ip 102 range.min_ip = range.max_ip
103 = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip; 103 = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;
104 if (exp->dir == IP_CT_DIR_REPLY) { 104 if (exp->dir == IP_CT_DIR_REPLY) {
105 range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED; 105 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
106 range.min = range.max = exp->saved_proto; 106 range.min = range.max = exp->saved_proto;
107 } 107 }
108 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); 108 nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST);
109} 109}
110 110
111/* outbound packets == from PNS to PAC */ 111/* outbound packets == from PNS to PAC */
diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c
index a3d997618602..9993bc93e102 100644
--- a/net/ipv4/netfilter/nf_nat_proto_common.c
+++ b/net/ipv4/netfilter/nf_nat_proto_common.c
@@ -26,7 +26,7 @@ bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple,
26{ 26{
27 __be16 port; 27 __be16 port;
28 28
29 if (maniptype == IP_NAT_MANIP_SRC) 29 if (maniptype == NF_NAT_MANIP_SRC)
30 port = tuple->src.u.all; 30 port = tuple->src.u.all;
31 else 31 else
32 port = tuple->dst.u.all; 32 port = tuple->dst.u.all;
@@ -37,7 +37,7 @@ bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple,
37EXPORT_SYMBOL_GPL(nf_nat_proto_in_range); 37EXPORT_SYMBOL_GPL(nf_nat_proto_in_range);
38 38
39void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, 39void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
40 const struct nf_nat_range *range, 40 const struct nf_nat_ipv4_range *range,
41 enum nf_nat_manip_type maniptype, 41 enum nf_nat_manip_type maniptype,
42 const struct nf_conn *ct, 42 const struct nf_conn *ct,
43 u_int16_t *rover) 43 u_int16_t *rover)
@@ -46,15 +46,15 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
46 __be16 *portptr; 46 __be16 *portptr;
47 u_int16_t off; 47 u_int16_t off;
48 48
49 if (maniptype == IP_NAT_MANIP_SRC) 49 if (maniptype == NF_NAT_MANIP_SRC)
50 portptr = &tuple->src.u.all; 50 portptr = &tuple->src.u.all;
51 else 51 else
52 portptr = &tuple->dst.u.all; 52 portptr = &tuple->dst.u.all;
53 53
54 /* If no range specified... */ 54 /* If no range specified... */
55 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { 55 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
56 /* If it's dst rewrite, can't change port */ 56 /* If it's dst rewrite, can't change port */
57 if (maniptype == IP_NAT_MANIP_DST) 57 if (maniptype == NF_NAT_MANIP_DST)
58 return; 58 return;
59 59
60 if (ntohs(*portptr) < 1024) { 60 if (ntohs(*portptr) < 1024) {
@@ -75,9 +75,9 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
75 range_size = ntohs(range->max.all) - min + 1; 75 range_size = ntohs(range->max.all) - min + 1;
76 } 76 }
77 77
78 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) 78 if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
79 off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip, 79 off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
80 maniptype == IP_NAT_MANIP_SRC 80 maniptype == NF_NAT_MANIP_SRC
81 ? tuple->dst.u.all 81 ? tuple->dst.u.all
82 : tuple->src.u.all); 82 : tuple->src.u.all);
83 else 83 else
@@ -87,7 +87,7 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
87 *portptr = htons(min + off % range_size); 87 *portptr = htons(min + off % range_size);
88 if (++i != range_size && nf_nat_used_tuple(tuple, ct)) 88 if (++i != range_size && nf_nat_used_tuple(tuple, ct))
89 continue; 89 continue;
90 if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) 90 if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM))
91 *rover = off; 91 *rover = off;
92 return; 92 return;
93 } 93 }
@@ -96,31 +96,19 @@ void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
96EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple); 96EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple);
97 97
98#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 98#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
99int nf_nat_proto_range_to_nlattr(struct sk_buff *skb,
100 const struct nf_nat_range *range)
101{
102 NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MIN, range->min.all);
103 NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MAX, range->max.all);
104 return 0;
105
106nla_put_failure:
107 return -1;
108}
109EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range);
110
111int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], 99int nf_nat_proto_nlattr_to_range(struct nlattr *tb[],
112 struct nf_nat_range *range) 100 struct nf_nat_ipv4_range *range)
113{ 101{
114 if (tb[CTA_PROTONAT_PORT_MIN]) { 102 if (tb[CTA_PROTONAT_PORT_MIN]) {
115 range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); 103 range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]);
116 range->max.all = range->min.tcp.port; 104 range->max.all = range->min.tcp.port;
117 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; 105 range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
118 } 106 }
119 if (tb[CTA_PROTONAT_PORT_MAX]) { 107 if (tb[CTA_PROTONAT_PORT_MAX]) {
120 range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); 108 range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]);
121 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; 109 range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
122 } 110 }
123 return 0; 111 return 0;
124} 112}
125EXPORT_SYMBOL_GPL(nf_nat_proto_range_to_nlattr); 113EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range);
126#endif 114#endif
diff --git a/net/ipv4/netfilter/nf_nat_proto_dccp.c b/net/ipv4/netfilter/nf_nat_proto_dccp.c
index 570faf2667b2..3f67138d187c 100644
--- a/net/ipv4/netfilter/nf_nat_proto_dccp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_dccp.c
@@ -24,7 +24,7 @@ static u_int16_t dccp_port_rover;
24 24
25static void 25static void
26dccp_unique_tuple(struct nf_conntrack_tuple *tuple, 26dccp_unique_tuple(struct nf_conntrack_tuple *tuple,
27 const struct nf_nat_range *range, 27 const struct nf_nat_ipv4_range *range,
28 enum nf_nat_manip_type maniptype, 28 enum nf_nat_manip_type maniptype,
29 const struct nf_conn *ct) 29 const struct nf_conn *ct)
30{ 30{
@@ -54,7 +54,7 @@ dccp_manip_pkt(struct sk_buff *skb,
54 iph = (struct iphdr *)(skb->data + iphdroff); 54 iph = (struct iphdr *)(skb->data + iphdroff);
55 hdr = (struct dccp_hdr *)(skb->data + hdroff); 55 hdr = (struct dccp_hdr *)(skb->data + hdroff);
56 56
57 if (maniptype == IP_NAT_MANIP_SRC) { 57 if (maniptype == NF_NAT_MANIP_SRC) {
58 oldip = iph->saddr; 58 oldip = iph->saddr;
59 newip = tuple->src.u3.ip; 59 newip = tuple->src.u3.ip;
60 newport = tuple->src.u.dccp.port; 60 newport = tuple->src.u.dccp.port;
@@ -80,12 +80,10 @@ dccp_manip_pkt(struct sk_buff *skb,
80 80
81static const struct nf_nat_protocol nf_nat_protocol_dccp = { 81static const struct nf_nat_protocol nf_nat_protocol_dccp = {
82 .protonum = IPPROTO_DCCP, 82 .protonum = IPPROTO_DCCP,
83 .me = THIS_MODULE,
84 .manip_pkt = dccp_manip_pkt, 83 .manip_pkt = dccp_manip_pkt,
85 .in_range = nf_nat_proto_in_range, 84 .in_range = nf_nat_proto_in_range,
86 .unique_tuple = dccp_unique_tuple, 85 .unique_tuple = dccp_unique_tuple,
87#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 86#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
88 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
89 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 87 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
90#endif 88#endif
91}; 89};
diff --git a/net/ipv4/netfilter/nf_nat_proto_gre.c b/net/ipv4/netfilter/nf_nat_proto_gre.c
index bc8d83a31c73..46ba0b9ab985 100644
--- a/net/ipv4/netfilter/nf_nat_proto_gre.c
+++ b/net/ipv4/netfilter/nf_nat_proto_gre.c
@@ -39,7 +39,7 @@ MODULE_DESCRIPTION("Netfilter NAT protocol helper module for GRE");
39/* generate unique tuple ... */ 39/* generate unique tuple ... */
40static void 40static void
41gre_unique_tuple(struct nf_conntrack_tuple *tuple, 41gre_unique_tuple(struct nf_conntrack_tuple *tuple,
42 const struct nf_nat_range *range, 42 const struct nf_nat_ipv4_range *range,
43 enum nf_nat_manip_type maniptype, 43 enum nf_nat_manip_type maniptype,
44 const struct nf_conn *ct) 44 const struct nf_conn *ct)
45{ 45{
@@ -52,12 +52,12 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple,
52 if (!ct->master) 52 if (!ct->master)
53 return; 53 return;
54 54
55 if (maniptype == IP_NAT_MANIP_SRC) 55 if (maniptype == NF_NAT_MANIP_SRC)
56 keyptr = &tuple->src.u.gre.key; 56 keyptr = &tuple->src.u.gre.key;
57 else 57 else
58 keyptr = &tuple->dst.u.gre.key; 58 keyptr = &tuple->dst.u.gre.key;
59 59
60 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { 60 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
61 pr_debug("%p: NATing GRE PPTP\n", ct); 61 pr_debug("%p: NATing GRE PPTP\n", ct);
62 min = 1; 62 min = 1;
63 range_size = 0xffff; 63 range_size = 0xffff;
@@ -99,7 +99,7 @@ gre_manip_pkt(struct sk_buff *skb, unsigned int iphdroff,
99 99
100 /* we only have destination manip of a packet, since 'source key' 100 /* we only have destination manip of a packet, since 'source key'
101 * is not present in the packet itself */ 101 * is not present in the packet itself */
102 if (maniptype != IP_NAT_MANIP_DST) 102 if (maniptype != NF_NAT_MANIP_DST)
103 return true; 103 return true;
104 switch (greh->version) { 104 switch (greh->version) {
105 case GRE_VERSION_1701: 105 case GRE_VERSION_1701:
@@ -119,12 +119,10 @@ gre_manip_pkt(struct sk_buff *skb, unsigned int iphdroff,
119 119
120static const struct nf_nat_protocol gre = { 120static const struct nf_nat_protocol gre = {
121 .protonum = IPPROTO_GRE, 121 .protonum = IPPROTO_GRE,
122 .me = THIS_MODULE,
123 .manip_pkt = gre_manip_pkt, 122 .manip_pkt = gre_manip_pkt,
124 .in_range = nf_nat_proto_in_range, 123 .in_range = nf_nat_proto_in_range,
125 .unique_tuple = gre_unique_tuple, 124 .unique_tuple = gre_unique_tuple,
126#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 125#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
127 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
128 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 126 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
129#endif 127#endif
130}; 128};
diff --git a/net/ipv4/netfilter/nf_nat_proto_icmp.c b/net/ipv4/netfilter/nf_nat_proto_icmp.c
index 9f4dc1235dc7..b35172851bae 100644
--- a/net/ipv4/netfilter/nf_nat_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_icmp.c
@@ -30,7 +30,7 @@ icmp_in_range(const struct nf_conntrack_tuple *tuple,
30 30
31static void 31static void
32icmp_unique_tuple(struct nf_conntrack_tuple *tuple, 32icmp_unique_tuple(struct nf_conntrack_tuple *tuple,
33 const struct nf_nat_range *range, 33 const struct nf_nat_ipv4_range *range,
34 enum nf_nat_manip_type maniptype, 34 enum nf_nat_manip_type maniptype,
35 const struct nf_conn *ct) 35 const struct nf_conn *ct)
36{ 36{
@@ -40,7 +40,7 @@ icmp_unique_tuple(struct nf_conntrack_tuple *tuple,
40 40
41 range_size = ntohs(range->max.icmp.id) - ntohs(range->min.icmp.id) + 1; 41 range_size = ntohs(range->max.icmp.id) - ntohs(range->min.icmp.id) + 1;
42 /* If no range specified... */ 42 /* If no range specified... */
43 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) 43 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED))
44 range_size = 0xFFFF; 44 range_size = 0xFFFF;
45 45
46 for (i = 0; ; ++id) { 46 for (i = 0; ; ++id) {
@@ -74,12 +74,10 @@ icmp_manip_pkt(struct sk_buff *skb,
74 74
75const struct nf_nat_protocol nf_nat_protocol_icmp = { 75const struct nf_nat_protocol nf_nat_protocol_icmp = {
76 .protonum = IPPROTO_ICMP, 76 .protonum = IPPROTO_ICMP,
77 .me = THIS_MODULE,
78 .manip_pkt = icmp_manip_pkt, 77 .manip_pkt = icmp_manip_pkt,
79 .in_range = icmp_in_range, 78 .in_range = icmp_in_range,
80 .unique_tuple = icmp_unique_tuple, 79 .unique_tuple = icmp_unique_tuple,
81#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 80#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
82 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
83 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 81 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
84#endif 82#endif
85}; 83};
diff --git a/net/ipv4/netfilter/nf_nat_proto_sctp.c b/net/ipv4/netfilter/nf_nat_proto_sctp.c
index bd5a80a62a5b..3cce9b6c1c29 100644
--- a/net/ipv4/netfilter/nf_nat_proto_sctp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_sctp.c
@@ -19,7 +19,7 @@ static u_int16_t nf_sctp_port_rover;
19 19
20static void 20static void
21sctp_unique_tuple(struct nf_conntrack_tuple *tuple, 21sctp_unique_tuple(struct nf_conntrack_tuple *tuple,
22 const struct nf_nat_range *range, 22 const struct nf_nat_ipv4_range *range,
23 enum nf_nat_manip_type maniptype, 23 enum nf_nat_manip_type maniptype,
24 const struct nf_conn *ct) 24 const struct nf_conn *ct)
25{ 25{
@@ -46,7 +46,7 @@ sctp_manip_pkt(struct sk_buff *skb,
46 iph = (struct iphdr *)(skb->data + iphdroff); 46 iph = (struct iphdr *)(skb->data + iphdroff);
47 hdr = (struct sctphdr *)(skb->data + hdroff); 47 hdr = (struct sctphdr *)(skb->data + hdroff);
48 48
49 if (maniptype == IP_NAT_MANIP_SRC) { 49 if (maniptype == NF_NAT_MANIP_SRC) {
50 /* Get rid of src ip and src pt */ 50 /* Get rid of src ip and src pt */
51 oldip = iph->saddr; 51 oldip = iph->saddr;
52 newip = tuple->src.u3.ip; 52 newip = tuple->src.u3.ip;
@@ -70,12 +70,10 @@ sctp_manip_pkt(struct sk_buff *skb,
70 70
71static const struct nf_nat_protocol nf_nat_protocol_sctp = { 71static const struct nf_nat_protocol nf_nat_protocol_sctp = {
72 .protonum = IPPROTO_SCTP, 72 .protonum = IPPROTO_SCTP,
73 .me = THIS_MODULE,
74 .manip_pkt = sctp_manip_pkt, 73 .manip_pkt = sctp_manip_pkt,
75 .in_range = nf_nat_proto_in_range, 74 .in_range = nf_nat_proto_in_range,
76 .unique_tuple = sctp_unique_tuple, 75 .unique_tuple = sctp_unique_tuple,
77#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 76#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
78 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
79 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 77 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
80#endif 78#endif
81}; 79};
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c
index 0d67bb80130f..9fb4b4e72bbf 100644
--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
@@ -23,7 +23,7 @@ static u_int16_t tcp_port_rover;
23 23
24static void 24static void
25tcp_unique_tuple(struct nf_conntrack_tuple *tuple, 25tcp_unique_tuple(struct nf_conntrack_tuple *tuple,
26 const struct nf_nat_range *range, 26 const struct nf_nat_ipv4_range *range,
27 enum nf_nat_manip_type maniptype, 27 enum nf_nat_manip_type maniptype,
28 const struct nf_conn *ct) 28 const struct nf_conn *ct)
29{ 29{
@@ -55,7 +55,7 @@ tcp_manip_pkt(struct sk_buff *skb,
55 iph = (struct iphdr *)(skb->data + iphdroff); 55 iph = (struct iphdr *)(skb->data + iphdroff);
56 hdr = (struct tcphdr *)(skb->data + hdroff); 56 hdr = (struct tcphdr *)(skb->data + hdroff);
57 57
58 if (maniptype == IP_NAT_MANIP_SRC) { 58 if (maniptype == NF_NAT_MANIP_SRC) {
59 /* Get rid of src ip and src pt */ 59 /* Get rid of src ip and src pt */
60 oldip = iph->saddr; 60 oldip = iph->saddr;
61 newip = tuple->src.u3.ip; 61 newip = tuple->src.u3.ip;
@@ -82,12 +82,10 @@ tcp_manip_pkt(struct sk_buff *skb,
82 82
83const struct nf_nat_protocol nf_nat_protocol_tcp = { 83const struct nf_nat_protocol nf_nat_protocol_tcp = {
84 .protonum = IPPROTO_TCP, 84 .protonum = IPPROTO_TCP,
85 .me = THIS_MODULE,
86 .manip_pkt = tcp_manip_pkt, 85 .manip_pkt = tcp_manip_pkt,
87 .in_range = nf_nat_proto_in_range, 86 .in_range = nf_nat_proto_in_range,
88 .unique_tuple = tcp_unique_tuple, 87 .unique_tuple = tcp_unique_tuple,
89#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 88#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
90 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
91 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 89 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
92#endif 90#endif
93}; 91};
diff --git a/net/ipv4/netfilter/nf_nat_proto_udp.c b/net/ipv4/netfilter/nf_nat_proto_udp.c
index 0b1b8601cba7..9883336e628f 100644
--- a/net/ipv4/netfilter/nf_nat_proto_udp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_udp.c
@@ -22,7 +22,7 @@ static u_int16_t udp_port_rover;
22 22
23static void 23static void
24udp_unique_tuple(struct nf_conntrack_tuple *tuple, 24udp_unique_tuple(struct nf_conntrack_tuple *tuple,
25 const struct nf_nat_range *range, 25 const struct nf_nat_ipv4_range *range,
26 enum nf_nat_manip_type maniptype, 26 enum nf_nat_manip_type maniptype,
27 const struct nf_conn *ct) 27 const struct nf_conn *ct)
28{ 28{
@@ -47,7 +47,7 @@ udp_manip_pkt(struct sk_buff *skb,
47 iph = (struct iphdr *)(skb->data + iphdroff); 47 iph = (struct iphdr *)(skb->data + iphdroff);
48 hdr = (struct udphdr *)(skb->data + hdroff); 48 hdr = (struct udphdr *)(skb->data + hdroff);
49 49
50 if (maniptype == IP_NAT_MANIP_SRC) { 50 if (maniptype == NF_NAT_MANIP_SRC) {
51 /* Get rid of src ip and src pt */ 51 /* Get rid of src ip and src pt */
52 oldip = iph->saddr; 52 oldip = iph->saddr;
53 newip = tuple->src.u3.ip; 53 newip = tuple->src.u3.ip;
@@ -73,12 +73,10 @@ udp_manip_pkt(struct sk_buff *skb,
73 73
74const struct nf_nat_protocol nf_nat_protocol_udp = { 74const struct nf_nat_protocol nf_nat_protocol_udp = {
75 .protonum = IPPROTO_UDP, 75 .protonum = IPPROTO_UDP,
76 .me = THIS_MODULE,
77 .manip_pkt = udp_manip_pkt, 76 .manip_pkt = udp_manip_pkt,
78 .in_range = nf_nat_proto_in_range, 77 .in_range = nf_nat_proto_in_range,
79 .unique_tuple = udp_unique_tuple, 78 .unique_tuple = udp_unique_tuple,
80#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 79#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
81 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
82 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 80 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
83#endif 81#endif
84}; 82};
diff --git a/net/ipv4/netfilter/nf_nat_proto_udplite.c b/net/ipv4/netfilter/nf_nat_proto_udplite.c
index f83ef23e2ab7..d24d10a7beb2 100644
--- a/net/ipv4/netfilter/nf_nat_proto_udplite.c
+++ b/net/ipv4/netfilter/nf_nat_proto_udplite.c
@@ -21,7 +21,7 @@ static u_int16_t udplite_port_rover;
21 21
22static void 22static void
23udplite_unique_tuple(struct nf_conntrack_tuple *tuple, 23udplite_unique_tuple(struct nf_conntrack_tuple *tuple,
24 const struct nf_nat_range *range, 24 const struct nf_nat_ipv4_range *range,
25 enum nf_nat_manip_type maniptype, 25 enum nf_nat_manip_type maniptype,
26 const struct nf_conn *ct) 26 const struct nf_conn *ct)
27{ 27{
@@ -47,7 +47,7 @@ udplite_manip_pkt(struct sk_buff *skb,
47 iph = (struct iphdr *)(skb->data + iphdroff); 47 iph = (struct iphdr *)(skb->data + iphdroff);
48 hdr = (struct udphdr *)(skb->data + hdroff); 48 hdr = (struct udphdr *)(skb->data + hdroff);
49 49
50 if (maniptype == IP_NAT_MANIP_SRC) { 50 if (maniptype == NF_NAT_MANIP_SRC) {
51 /* Get rid of src ip and src pt */ 51 /* Get rid of src ip and src pt */
52 oldip = iph->saddr; 52 oldip = iph->saddr;
53 newip = tuple->src.u3.ip; 53 newip = tuple->src.u3.ip;
@@ -72,12 +72,10 @@ udplite_manip_pkt(struct sk_buff *skb,
72 72
73static const struct nf_nat_protocol nf_nat_protocol_udplite = { 73static const struct nf_nat_protocol nf_nat_protocol_udplite = {
74 .protonum = IPPROTO_UDPLITE, 74 .protonum = IPPROTO_UDPLITE,
75 .me = THIS_MODULE,
76 .manip_pkt = udplite_manip_pkt, 75 .manip_pkt = udplite_manip_pkt,
77 .in_range = nf_nat_proto_in_range, 76 .in_range = nf_nat_proto_in_range,
78 .unique_tuple = udplite_unique_tuple, 77 .unique_tuple = udplite_unique_tuple,
79#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 78#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
80 .range_to_nlattr = nf_nat_proto_range_to_nlattr,
81 .nlattr_to_range = nf_nat_proto_nlattr_to_range, 79 .nlattr_to_range = nf_nat_proto_nlattr_to_range,
82#endif 80#endif
83}; 81};
diff --git a/net/ipv4/netfilter/nf_nat_proto_unknown.c b/net/ipv4/netfilter/nf_nat_proto_unknown.c
index a50f2bc1c732..e0afe8112b1c 100644
--- a/net/ipv4/netfilter/nf_nat_proto_unknown.c
+++ b/net/ipv4/netfilter/nf_nat_proto_unknown.c
@@ -27,7 +27,7 @@ static bool unknown_in_range(const struct nf_conntrack_tuple *tuple,
27} 27}
28 28
29static void unknown_unique_tuple(struct nf_conntrack_tuple *tuple, 29static void unknown_unique_tuple(struct nf_conntrack_tuple *tuple,
30 const struct nf_nat_range *range, 30 const struct nf_nat_ipv4_range *range,
31 enum nf_nat_manip_type maniptype, 31 enum nf_nat_manip_type maniptype,
32 const struct nf_conn *ct) 32 const struct nf_conn *ct)
33{ 33{
@@ -46,7 +46,6 @@ unknown_manip_pkt(struct sk_buff *skb,
46} 46}
47 47
48const struct nf_nat_protocol nf_nat_unknown_protocol = { 48const struct nf_nat_protocol nf_nat_unknown_protocol = {
49 /* .me isn't set: getting a ref to this cannot fail. */
50 .manip_pkt = unknown_manip_pkt, 49 .manip_pkt = unknown_manip_pkt,
51 .in_range = unknown_in_range, 50 .in_range = unknown_in_range,
52 .unique_tuple = unknown_unique_tuple, 51 .unique_tuple = unknown_unique_tuple,
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 733c9abc1cbd..d2a9dc314e0e 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -44,7 +44,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
44{ 44{
45 struct nf_conn *ct; 45 struct nf_conn *ct;
46 enum ip_conntrack_info ctinfo; 46 enum ip_conntrack_info ctinfo;
47 const struct nf_nat_multi_range_compat *mr = par->targinfo; 47 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
48 48
49 NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING || 49 NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
50 par->hooknum == NF_INET_LOCAL_IN); 50 par->hooknum == NF_INET_LOCAL_IN);
@@ -56,7 +56,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
56 ctinfo == IP_CT_RELATED_REPLY)); 56 ctinfo == IP_CT_RELATED_REPLY));
57 NF_CT_ASSERT(par->out != NULL); 57 NF_CT_ASSERT(par->out != NULL);
58 58
59 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC); 59 return nf_nat_setup_info(ct, &mr->range[0], NF_NAT_MANIP_SRC);
60} 60}
61 61
62static unsigned int 62static unsigned int
@@ -64,7 +64,7 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
64{ 64{
65 struct nf_conn *ct; 65 struct nf_conn *ct;
66 enum ip_conntrack_info ctinfo; 66 enum ip_conntrack_info ctinfo;
67 const struct nf_nat_multi_range_compat *mr = par->targinfo; 67 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
68 68
69 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || 69 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
70 par->hooknum == NF_INET_LOCAL_OUT); 70 par->hooknum == NF_INET_LOCAL_OUT);
@@ -74,12 +74,12 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
74 /* Connection must be valid and new. */ 74 /* Connection must be valid and new. */
75 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)); 75 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
76 76
77 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); 77 return nf_nat_setup_info(ct, &mr->range[0], NF_NAT_MANIP_DST);
78} 78}
79 79
80static int ipt_snat_checkentry(const struct xt_tgchk_param *par) 80static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
81{ 81{
82 const struct nf_nat_multi_range_compat *mr = par->targinfo; 82 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
83 83
84 /* Must be a valid range */ 84 /* Must be a valid range */
85 if (mr->rangesize != 1) { 85 if (mr->rangesize != 1) {
@@ -91,7 +91,7 @@ static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
91 91
92static int ipt_dnat_checkentry(const struct xt_tgchk_param *par) 92static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
93{ 93{
94 const struct nf_nat_multi_range_compat *mr = par->targinfo; 94 const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
95 95
96 /* Must be a valid range */ 96 /* Must be a valid range */
97 if (mr->rangesize != 1) { 97 if (mr->rangesize != 1) {
@@ -105,13 +105,13 @@ static unsigned int
105alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) 105alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
106{ 106{
107 /* Force range to this IP; let proto decide mapping for 107 /* Force range to this IP; let proto decide mapping for
108 per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED). 108 per-proto parts (hence not NF_NAT_RANGE_PROTO_SPECIFIED).
109 */ 109 */
110 struct nf_nat_range range; 110 struct nf_nat_ipv4_range range;
111 111
112 range.flags = 0; 112 range.flags = 0;
113 pr_debug("Allocating NULL binding for %p (%pI4)\n", ct, 113 pr_debug("Allocating NULL binding for %p (%pI4)\n", ct,
114 HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC ? 114 HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?
115 &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip : 115 &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip :
116 &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip); 116 &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip);
117 117
@@ -140,7 +140,7 @@ int nf_nat_rule_find(struct sk_buff *skb,
140static struct xt_target ipt_snat_reg __read_mostly = { 140static struct xt_target ipt_snat_reg __read_mostly = {
141 .name = "SNAT", 141 .name = "SNAT",
142 .target = ipt_snat_target, 142 .target = ipt_snat_target,
143 .targetsize = sizeof(struct nf_nat_multi_range_compat), 143 .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
144 .table = "nat", 144 .table = "nat",
145 .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN), 145 .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
146 .checkentry = ipt_snat_checkentry, 146 .checkentry = ipt_snat_checkentry,
@@ -150,7 +150,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
150static struct xt_target ipt_dnat_reg __read_mostly = { 150static struct xt_target ipt_dnat_reg __read_mostly = {
151 .name = "DNAT", 151 .name = "DNAT",
152 .target = ipt_dnat_target, 152 .target = ipt_dnat_target,
153 .targetsize = sizeof(struct nf_nat_multi_range_compat), 153 .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
154 .table = "nat", 154 .table = "nat",
155 .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT), 155 .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
156 .checkentry = ipt_dnat_checkentry, 156 .checkentry = ipt_dnat_checkentry,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 78844d9208f1..d0319f96269f 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -249,25 +249,25 @@ static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off)
249static void ip_nat_sip_expected(struct nf_conn *ct, 249static void ip_nat_sip_expected(struct nf_conn *ct,
250 struct nf_conntrack_expect *exp) 250 struct nf_conntrack_expect *exp)
251{ 251{
252 struct nf_nat_range range; 252 struct nf_nat_ipv4_range range;
253 253
254 /* This must be a fresh one. */ 254 /* This must be a fresh one. */
255 BUG_ON(ct->status & IPS_NAT_DONE_MASK); 255 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
256 256
257 /* For DST manip, map port here to where it's expected. */ 257 /* For DST manip, map port here to where it's expected. */
258 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); 258 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
259 range.min = range.max = exp->saved_proto; 259 range.min = range.max = exp->saved_proto;
260 range.min_ip = range.max_ip = exp->saved_ip; 260 range.min_ip = range.max_ip = exp->saved_ip;
261 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); 261 nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST);
262 262
263 /* Change src to where master sends to, but only if the connection 263 /* Change src to where master sends to, but only if the connection
264 * actually came from the same source. */ 264 * actually came from the same source. */
265 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 265 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
266 ct->master->tuplehash[exp->dir].tuple.src.u3.ip) { 266 ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
267 range.flags = IP_NAT_RANGE_MAP_IPS; 267 range.flags = NF_NAT_RANGE_MAP_IPS;
268 range.min_ip = range.max_ip 268 range.min_ip = range.max_ip
269 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; 269 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
270 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); 270 nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC);
271 } 271 }
272} 272}
273 273
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 92900482edea..3828a4229822 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -137,7 +137,7 @@ nf_nat_fn(unsigned int hooknum,
137 return ret; 137 return ret;
138 } else 138 } else
139 pr_debug("Already setup manip %s for ct %p\n", 139 pr_debug("Already setup manip %s for ct %p\n",
140 maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST", 140 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
141 ct); 141 ct);
142 break; 142 break;
143 143