aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2014-12-05 23:56:46 -0500
committerDavid S. Miller <davem@davemloft.net>2014-12-05 23:56:46 -0500
commit244ebd9f8fa8beb7b37bdeebd6c5308b61f98aef (patch)
tree8b0a72056747f0bb9232fdafb480b0501dc83734 /net/ipv6
parentddd5c50f9bec7ffab5d28c5dd244db8a4c3f27e7 (diff)
parentcac3763967362ace7996532ad3933f493a928a1b (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following batch contains netfilter updates for net-next. Basically, enhancements for xt_recent, skip zeroing of timer in conntrack, fix linking problem with recent redirect support for nf_tables, ipset updates and a couple of cleanups. More specifically, they are: 1) Rise maximum number per IP address to be remembered in xt_recent while retaining backward compatibility, from Florian Westphal. 2) Skip zeroing timer area in nf_conn objects, also from Florian. 3) Inspect IPv4 and IPv6 traffic from the bridge to allow filtering using using meta l4proto and transport layer header, from Alvaro Neira. 4) Fix linking problems in the new redirect support when CONFIG_IPV6=n and IP6_NF_IPTABLES=n. And ipset updates from Jozsef Kadlecsik: 5) Support updating element extensions when the set is full (fixes netfilter bugzilla id 880). 6) Fix set match with 32-bits userspace / 64-bits kernel. 7) Indicate explicitly when /0 networks are supported in ipset. 8) Simplify cidr handling for hash:*net* types. 9) Allocate the proper size of memory when /0 networks are supported. 10) Explicitly add padding elements to hash:net,net and hash:net,port, because the elements must be u32 sized for the used hash function. Jozsef is also cooking ipset RCU conversion which should land soon if they reach the merge window in time. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/Kconfig8
-rw-r--r--net/ipv6/netfilter/Makefile1
-rw-r--r--net/ipv6/netfilter/nf_log_ipv6.c2
-rw-r--r--net/ipv6/netfilter/nf_nat_redirect_ipv6.c75
-rw-r--r--net/ipv6/netfilter/nft_redir_ipv6.c2
5 files changed, 3 insertions, 85 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 0dbe5c7953e5..a069822936e6 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -82,12 +82,6 @@ config NF_NAT_MASQUERADE_IPV6
82 This is the kernel functionality to provide NAT in the masquerade 82 This is the kernel functionality to provide NAT in the masquerade
83 flavour (automatic source address selection) for IPv6. 83 flavour (automatic source address selection) for IPv6.
84 84
85config NF_NAT_REDIRECT_IPV6
86 tristate "IPv6 redirect support"
87 help
88 This is the kernel functionality to provide NAT in the redirect
89 flavour (redirect packet to local machine) for IPv6.
90
91config NFT_MASQ_IPV6 85config NFT_MASQ_IPV6
92 tristate "IPv6 masquerade support for nf_tables" 86 tristate "IPv6 masquerade support for nf_tables"
93 depends on NF_TABLES_IPV6 87 depends on NF_TABLES_IPV6
@@ -101,7 +95,7 @@ config NFT_REDIR_IPV6
101 tristate "IPv6 redirect support for nf_tables" 95 tristate "IPv6 redirect support for nf_tables"
102 depends on NF_TABLES_IPV6 96 depends on NF_TABLES_IPV6
103 depends on NFT_REDIR 97 depends on NFT_REDIR
104 select NF_NAT_REDIRECT_IPV6 98 select NF_NAT_REDIRECT
105 help 99 help
106 This is the expression that provides IPv4 redirect support for 100 This is the expression that provides IPv4 redirect support for
107 nf_tables. 101 nf_tables.
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index d2ac9f5f212c..c36e0a5490de 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -19,7 +19,6 @@ obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o
19nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o 19nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o
20obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o 20obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o
21obj-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o 21obj-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o
22obj-$(CONFIG_NF_NAT_REDIRECT_IPV6) += nf_nat_redirect_ipv6.o
23 22
24# defrag 23# defrag
25nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o 24nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index 7fc34d1681a1..ddf07e6f59d7 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -422,6 +422,6 @@ module_init(nf_log_ipv6_init);
422module_exit(nf_log_ipv6_exit); 422module_exit(nf_log_ipv6_exit);
423 423
424MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 424MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
425MODULE_DESCRIPTION("Netfilter IPv4 packet logging"); 425MODULE_DESCRIPTION("Netfilter IPv6 packet logging");
426MODULE_LICENSE("GPL"); 426MODULE_LICENSE("GPL");
427MODULE_ALIAS_NF_LOGGER(AF_INET6, 0); 427MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
diff --git a/net/ipv6/netfilter/nf_nat_redirect_ipv6.c b/net/ipv6/netfilter/nf_nat_redirect_ipv6.c
deleted file mode 100644
index ea1308aeb048..000000000000
--- a/net/ipv6/netfilter/nf_nat_redirect_ipv6.c
+++ /dev/null
@@ -1,75 +0,0 @@
1/*
2 * (C) 1999-2001 Paul `Rusty' Russell
3 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
4 * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6
11 * NAT funded by Astaro.
12 */
13
14#include <linux/if.h>
15#include <linux/inetdevice.h>
16#include <linux/ip.h>
17#include <linux/kernel.h>
18#include <linux/module.h>
19#include <linux/netdevice.h>
20#include <linux/netfilter.h>
21#include <linux/types.h>
22#include <linux/netfilter_ipv6.h>
23#include <linux/netfilter/x_tables.h>
24#include <net/addrconf.h>
25#include <net/checksum.h>
26#include <net/protocol.h>
27#include <net/netfilter/nf_nat.h>
28#include <net/netfilter/ipv6/nf_nat_redirect.h>
29
30static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
31
32unsigned int
33nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range,
34 unsigned int hooknum)
35{
36 struct nf_nat_range newrange;
37 struct in6_addr newdst;
38 enum ip_conntrack_info ctinfo;
39 struct nf_conn *ct;
40
41 ct = nf_ct_get(skb, &ctinfo);
42 if (hooknum == NF_INET_LOCAL_OUT) {
43 newdst = loopback_addr;
44 } else {
45 struct inet6_dev *idev;
46 struct inet6_ifaddr *ifa;
47 bool addr = false;
48
49 rcu_read_lock();
50 idev = __in6_dev_get(skb->dev);
51 if (idev != NULL) {
52 list_for_each_entry(ifa, &idev->addr_list, if_list) {
53 newdst = ifa->addr;
54 addr = true;
55 break;
56 }
57 }
58 rcu_read_unlock();
59
60 if (!addr)
61 return NF_DROP;
62 }
63
64 newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
65 newrange.min_addr.in6 = newdst;
66 newrange.max_addr.in6 = newdst;
67 newrange.min_proto = range->min_proto;
68 newrange.max_proto = range->max_proto;
69
70 return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
71}
72EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv6);
73
74MODULE_LICENSE("GPL");
75MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
diff --git a/net/ipv6/netfilter/nft_redir_ipv6.c b/net/ipv6/netfilter/nft_redir_ipv6.c
index 83420eeaad1c..2433a6bfb191 100644
--- a/net/ipv6/netfilter/nft_redir_ipv6.c
+++ b/net/ipv6/netfilter/nft_redir_ipv6.c
@@ -15,7 +15,7 @@
15#include <net/netfilter/nf_tables.h> 15#include <net/netfilter/nf_tables.h>
16#include <net/netfilter/nf_nat.h> 16#include <net/netfilter/nf_nat.h>
17#include <net/netfilter/nft_redir.h> 17#include <net/netfilter/nft_redir.h>
18#include <net/netfilter/ipv6/nf_nat_redirect.h> 18#include <net/netfilter/nf_nat_redirect.h>
19 19
20static void nft_redir_ipv6_eval(const struct nft_expr *expr, 20static void nft_redir_ipv6_eval(const struct nft_expr *expr,
21 struct nft_data data[NFT_REG_MAX + 1], 21 struct nft_data data[NFT_REG_MAX + 1],