diff options
| author | David S. Miller <davem@davemloft.net> | 2015-04-03 21:05:07 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-04-04 12:48:08 -0400 |
| commit | 8fe22382d1e73dc0ded8098ccf761c986149f72b (patch) | |
| tree | 72624c6be3ec17dd66f015d20b65eb8c00ca1907 /net/ipv6 | |
| parent | 1c491ba2592f621f21a693d43fab06302527fc0f (diff) | |
netfilter: Pass nf_hook_state through nf_nat_ipv6_{in,out,fn,local_fn}().
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6table_nat.c | 18 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 32 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nft_chain_nat_ipv6.c | 13 |
3 files changed, 27 insertions, 36 deletions
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c index e32b0d0315e6..d78f69c7abce 100644 --- a/net/ipv6/netfilter/ip6table_nat.c +++ b/net/ipv6/netfilter/ip6table_nat.c | |||
| @@ -32,45 +32,41 @@ static const struct xt_table nf_nat_ipv6_table = { | |||
| 32 | 32 | ||
| 33 | static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops, | 33 | static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops, |
| 34 | struct sk_buff *skb, | 34 | struct sk_buff *skb, |
| 35 | const struct net_device *in, | 35 | const struct nf_hook_state *state, |
| 36 | const struct net_device *out, | ||
| 37 | struct nf_conn *ct) | 36 | struct nf_conn *ct) |
| 38 | { | 37 | { |
| 39 | struct net *net = nf_ct_net(ct); | 38 | struct net *net = nf_ct_net(ct); |
| 40 | 39 | ||
| 41 | return ip6t_do_table(skb, ops->hooknum, in, out, net->ipv6.ip6table_nat); | 40 | return ip6t_do_table(skb, ops->hooknum, state->in, state->out, |
| 41 | net->ipv6.ip6table_nat); | ||
| 42 | } | 42 | } |
| 43 | 43 | ||
| 44 | static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops, | 44 | static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops, |
| 45 | struct sk_buff *skb, | 45 | struct sk_buff *skb, |
| 46 | const struct nf_hook_state *state) | 46 | const struct nf_hook_state *state) |
| 47 | { | 47 | { |
| 48 | return nf_nat_ipv6_fn(ops, skb, state->in, state->out, | 48 | return nf_nat_ipv6_fn(ops, skb, state, ip6table_nat_do_chain); |
| 49 | ip6table_nat_do_chain); | ||
| 50 | } | 49 | } |
| 51 | 50 | ||
| 52 | static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops, | 51 | static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops, |
| 53 | struct sk_buff *skb, | 52 | struct sk_buff *skb, |
| 54 | const struct nf_hook_state *state) | 53 | const struct nf_hook_state *state) |
| 55 | { | 54 | { |
| 56 | return nf_nat_ipv6_in(ops, skb, state->in, state->out, | 55 | return nf_nat_ipv6_in(ops, skb, state, ip6table_nat_do_chain); |
| 57 | ip6table_nat_do_chain); | ||
| 58 | } | 56 | } |
| 59 | 57 | ||
| 60 | static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops, | 58 | static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops, |
| 61 | struct sk_buff *skb, | 59 | struct sk_buff *skb, |
| 62 | const struct nf_hook_state *state) | 60 | const struct nf_hook_state *state) |
| 63 | { | 61 | { |
| 64 | return nf_nat_ipv6_out(ops, skb, state->in, state->out, | 62 | return nf_nat_ipv6_out(ops, skb, state, ip6table_nat_do_chain); |
| 65 | ip6table_nat_do_chain); | ||
| 66 | } | 63 | } |
| 67 | 64 | ||
| 68 | static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops, | 65 | static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops, |
| 69 | struct sk_buff *skb, | 66 | struct sk_buff *skb, |
| 70 | const struct nf_hook_state *state) | 67 | const struct nf_hook_state *state) |
| 71 | { | 68 | { |
| 72 | return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, | 69 | return nf_nat_ipv6_local_fn(ops, skb, state, ip6table_nat_do_chain); |
| 73 | ip6table_nat_do_chain); | ||
| 74 | } | 70 | } |
| 75 | 71 | ||
| 76 | static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = { | 72 | static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = { |
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c index c5812e1c1ffb..e76900e0aa92 100644 --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | |||
| @@ -263,11 +263,10 @@ EXPORT_SYMBOL_GPL(nf_nat_icmpv6_reply_translation); | |||
| 263 | 263 | ||
| 264 | unsigned int | 264 | unsigned int |
| 265 | nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, | 265 | nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 266 | const struct net_device *in, const struct net_device *out, | 266 | const struct nf_hook_state *state, |
| 267 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, | 267 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, |
| 268 | struct sk_buff *skb, | 268 | struct sk_buff *skb, |
| 269 | const struct net_device *in, | 269 | const struct nf_hook_state *state, |
| 270 | const struct net_device *out, | ||
| 271 | struct nf_conn *ct)) | 270 | struct nf_conn *ct)) |
| 272 | { | 271 | { |
| 273 | struct nf_conn *ct; | 272 | struct nf_conn *ct; |
| @@ -318,7 +317,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 318 | if (!nf_nat_initialized(ct, maniptype)) { | 317 | if (!nf_nat_initialized(ct, maniptype)) { |
| 319 | unsigned int ret; | 318 | unsigned int ret; |
| 320 | 319 | ||
| 321 | ret = do_chain(ops, skb, in, out, ct); | 320 | ret = do_chain(ops, skb, state, ct); |
| 322 | if (ret != NF_ACCEPT) | 321 | if (ret != NF_ACCEPT) |
| 323 | return ret; | 322 | return ret; |
| 324 | 323 | ||
| @@ -332,7 +331,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 332 | pr_debug("Already setup manip %s for ct %p\n", | 331 | pr_debug("Already setup manip %s for ct %p\n", |
| 333 | maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", | 332 | maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", |
| 334 | ct); | 333 | ct); |
| 335 | if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) | 334 | if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)) |
| 336 | goto oif_changed; | 335 | goto oif_changed; |
| 337 | } | 336 | } |
| 338 | break; | 337 | break; |
| @@ -341,7 +340,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 341 | /* ESTABLISHED */ | 340 | /* ESTABLISHED */ |
| 342 | NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || | 341 | NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || |
| 343 | ctinfo == IP_CT_ESTABLISHED_REPLY); | 342 | ctinfo == IP_CT_ESTABLISHED_REPLY); |
| 344 | if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) | 343 | if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)) |
| 345 | goto oif_changed; | 344 | goto oif_changed; |
| 346 | } | 345 | } |
| 347 | 346 | ||
| @@ -355,17 +354,16 @@ EXPORT_SYMBOL_GPL(nf_nat_ipv6_fn); | |||
| 355 | 354 | ||
| 356 | unsigned int | 355 | unsigned int |
| 357 | nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb, | 356 | nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 358 | const struct net_device *in, const struct net_device *out, | 357 | const struct nf_hook_state *state, |
| 359 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, | 358 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, |
| 360 | struct sk_buff *skb, | 359 | struct sk_buff *skb, |
| 361 | const struct net_device *in, | 360 | const struct nf_hook_state *state, |
| 362 | const struct net_device *out, | ||
| 363 | struct nf_conn *ct)) | 361 | struct nf_conn *ct)) |
| 364 | { | 362 | { |
| 365 | unsigned int ret; | 363 | unsigned int ret; |
| 366 | struct in6_addr daddr = ipv6_hdr(skb)->daddr; | 364 | struct in6_addr daddr = ipv6_hdr(skb)->daddr; |
| 367 | 365 | ||
| 368 | ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain); | 366 | ret = nf_nat_ipv6_fn(ops, skb, state, do_chain); |
| 369 | if (ret != NF_DROP && ret != NF_STOLEN && | 367 | if (ret != NF_DROP && ret != NF_STOLEN && |
| 370 | ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) | 368 | ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) |
| 371 | skb_dst_drop(skb); | 369 | skb_dst_drop(skb); |
| @@ -376,11 +374,10 @@ EXPORT_SYMBOL_GPL(nf_nat_ipv6_in); | |||
| 376 | 374 | ||
| 377 | unsigned int | 375 | unsigned int |
| 378 | nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb, | 376 | nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 379 | const struct net_device *in, const struct net_device *out, | 377 | const struct nf_hook_state *state, |
| 380 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, | 378 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, |
| 381 | struct sk_buff *skb, | 379 | struct sk_buff *skb, |
| 382 | const struct net_device *in, | 380 | const struct nf_hook_state *state, |
| 383 | const struct net_device *out, | ||
| 384 | struct nf_conn *ct)) | 381 | struct nf_conn *ct)) |
| 385 | { | 382 | { |
| 386 | #ifdef CONFIG_XFRM | 383 | #ifdef CONFIG_XFRM |
| @@ -394,7 +391,7 @@ nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 394 | if (skb->len < sizeof(struct ipv6hdr)) | 391 | if (skb->len < sizeof(struct ipv6hdr)) |
| 395 | return NF_ACCEPT; | 392 | return NF_ACCEPT; |
| 396 | 393 | ||
| 397 | ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain); | 394 | ret = nf_nat_ipv6_fn(ops, skb, state, do_chain); |
| 398 | #ifdef CONFIG_XFRM | 395 | #ifdef CONFIG_XFRM |
| 399 | if (ret != NF_DROP && ret != NF_STOLEN && | 396 | if (ret != NF_DROP && ret != NF_STOLEN && |
| 400 | !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && | 397 | !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && |
| @@ -418,11 +415,10 @@ EXPORT_SYMBOL_GPL(nf_nat_ipv6_out); | |||
| 418 | 415 | ||
| 419 | unsigned int | 416 | unsigned int |
| 420 | nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, | 417 | nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 421 | const struct net_device *in, const struct net_device *out, | 418 | const struct nf_hook_state *state, |
| 422 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, | 419 | unsigned int (*do_chain)(const struct nf_hook_ops *ops, |
| 423 | struct sk_buff *skb, | 420 | struct sk_buff *skb, |
| 424 | const struct net_device *in, | 421 | const struct nf_hook_state *state, |
| 425 | const struct net_device *out, | ||
| 426 | struct nf_conn *ct)) | 422 | struct nf_conn *ct)) |
| 427 | { | 423 | { |
| 428 | const struct nf_conn *ct; | 424 | const struct nf_conn *ct; |
| @@ -434,7 +430,7 @@ nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 434 | if (skb->len < sizeof(struct ipv6hdr)) | 430 | if (skb->len < sizeof(struct ipv6hdr)) |
| 435 | return NF_ACCEPT; | 431 | return NF_ACCEPT; |
| 436 | 432 | ||
| 437 | ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain); | 433 | ret = nf_nat_ipv6_fn(ops, skb, state, do_chain); |
| 438 | if (ret != NF_DROP && ret != NF_STOLEN && | 434 | if (ret != NF_DROP && ret != NF_STOLEN && |
| 439 | (ct = nf_ct_get(skb, &ctinfo)) != NULL) { | 435 | (ct = nf_ct_get(skb, &ctinfo)) != NULL) { |
| 440 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 436 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
diff --git a/net/ipv6/netfilter/nft_chain_nat_ipv6.c b/net/ipv6/netfilter/nft_chain_nat_ipv6.c index f73f4ae25bc2..11c6f75fcc4d 100644 --- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c +++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c | |||
| @@ -26,13 +26,12 @@ | |||
| 26 | 26 | ||
| 27 | static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops, | 27 | static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops, |
| 28 | struct sk_buff *skb, | 28 | struct sk_buff *skb, |
| 29 | const struct net_device *in, | 29 | const struct nf_hook_state *state, |
| 30 | const struct net_device *out, | ||
| 31 | struct nf_conn *ct) | 30 | struct nf_conn *ct) |
| 32 | { | 31 | { |
| 33 | struct nft_pktinfo pkt; | 32 | struct nft_pktinfo pkt; |
| 34 | 33 | ||
| 35 | nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out); | 34 | nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out); |
| 36 | 35 | ||
| 37 | return nft_do_chain(&pkt, ops); | 36 | return nft_do_chain(&pkt, ops); |
| 38 | } | 37 | } |
| @@ -41,28 +40,28 @@ static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops, | |||
| 41 | struct sk_buff *skb, | 40 | struct sk_buff *skb, |
| 42 | const struct nf_hook_state *state) | 41 | const struct nf_hook_state *state) |
| 43 | { | 42 | { |
| 44 | return nf_nat_ipv6_fn(ops, skb, state->in, state->out, nft_nat_do_chain); | 43 | return nf_nat_ipv6_fn(ops, skb, state, nft_nat_do_chain); |
| 45 | } | 44 | } |
| 46 | 45 | ||
| 47 | static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops, | 46 | static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops, |
| 48 | struct sk_buff *skb, | 47 | struct sk_buff *skb, |
| 49 | const struct nf_hook_state *state) | 48 | const struct nf_hook_state *state) |
| 50 | { | 49 | { |
| 51 | return nf_nat_ipv6_in(ops, skb, state->in, state->out, nft_nat_do_chain); | 50 | return nf_nat_ipv6_in(ops, skb, state, nft_nat_do_chain); |
| 52 | } | 51 | } |
| 53 | 52 | ||
| 54 | static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops, | 53 | static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops, |
| 55 | struct sk_buff *skb, | 54 | struct sk_buff *skb, |
| 56 | const struct nf_hook_state *state) | 55 | const struct nf_hook_state *state) |
| 57 | { | 56 | { |
| 58 | return nf_nat_ipv6_out(ops, skb, state->in, state->out, nft_nat_do_chain); | 57 | return nf_nat_ipv6_out(ops, skb, state, nft_nat_do_chain); |
| 59 | } | 58 | } |
| 60 | 59 | ||
| 61 | static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops, | 60 | static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops, |
| 62 | struct sk_buff *skb, | 61 | struct sk_buff *skb, |
| 63 | const struct nf_hook_state *state) | 62 | const struct nf_hook_state *state) |
| 64 | { | 63 | { |
| 65 | return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, nft_nat_do_chain); | 64 | return nf_nat_ipv6_local_fn(ops, skb, state, nft_nat_do_chain); |
| 66 | } | 65 | } |
| 67 | 66 | ||
| 68 | static const struct nf_chain_type nft_chain_nat_ipv6 = { | 67 | static const struct nf_chain_type nft_chain_nat_ipv6 = { |