diff options
| author | Arturo Borrero <arturo.borrero.glez@gmail.com> | 2014-10-17 06:37:52 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-27 17:48:10 -0400 |
| commit | 9de920eddb74bf67f1d6af603acc5ed05dcd35e9 (patch) | |
| tree | 096dea317cc6ee9d5de3b29b081e8a4968c51de0 /net/ipv6 | |
| parent | 8b13eddfdf04cbfa561725cfc42d6868fe896f56 (diff) | |
netfilter: refactor NAT redirect IPv6 code to use it from nf_tables
This patch refactors the IPv6 code so it can be usable both from xt and
nf_tables.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/Kconfig | 6 | ||||
| -rw-r--r-- | net/ipv6/netfilter/Makefile | 1 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_nat_redirect_ipv6.c | 75 |
3 files changed, 82 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 6af874fc187f..462eebbf4377 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig | |||
| @@ -82,6 +82,12 @@ config NF_NAT_MASQUERADE_IPV6 | |||
| 82 | This is the kernel functionality to provide NAT in the masquerade | 82 | This is the kernel functionality to provide NAT in the masquerade |
| 83 | flavour (automatic source address selection) for IPv6. | 83 | flavour (automatic source address selection) for IPv6. |
| 84 | 84 | ||
| 85 | config NF_NAT_REDIRECT_IPV6 | ||
| 86 | tristate "IPv6 redirect support" | ||
| 87 | help | ||
| 88 | This is the kernel functionality to provide NAT in the redirect | ||
| 89 | flavour (redirect packet to local machine) for IPv6. | ||
| 90 | |||
| 85 | config NFT_MASQ_IPV6 | 91 | config NFT_MASQ_IPV6 |
| 86 | tristate "IPv6 masquerade support for nf_tables" | 92 | tristate "IPv6 masquerade support for nf_tables" |
| 87 | depends on NF_TABLES_IPV6 | 93 | depends on NF_TABLES_IPV6 |
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index fbb25f01143c..6c2baab10f21 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile | |||
| @@ -19,6 +19,7 @@ obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o | |||
| 19 | nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o | 19 | nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o |
| 20 | obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o | 20 | obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o |
| 21 | obj-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o | 21 | obj-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o |
| 22 | obj-$(CONFIG_NF_NAT_REDIRECT_IPV6) += nf_nat_redirect_ipv6.o | ||
| 22 | 23 | ||
| 23 | # defrag | 24 | # defrag |
| 24 | nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o | 25 | nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o |
diff --git a/net/ipv6/netfilter/nf_nat_redirect_ipv6.c b/net/ipv6/netfilter/nf_nat_redirect_ipv6.c new file mode 100644 index 000000000000..ea1308aeb048 --- /dev/null +++ b/net/ipv6/netfilter/nf_nat_redirect_ipv6.c | |||
| @@ -0,0 +1,75 @@ | |||
| 1 | /* | ||
| 2 | * (C) 1999-2001 Paul `Rusty' Russell | ||
| 3 | * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> | ||
| 4 | * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> | ||
| 5 | * | ||
| 6 | * This program is free software; you can redistribute it and/or modify | ||
| 7 | * it under the terms of the GNU General Public License version 2 as | ||
| 8 | * published by the Free Software Foundation. | ||
| 9 | * | ||
| 10 | * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6 | ||
| 11 | * NAT funded by Astaro. | ||
| 12 | */ | ||
| 13 | |||
| 14 | #include <linux/if.h> | ||
| 15 | #include <linux/inetdevice.h> | ||
| 16 | #include <linux/ip.h> | ||
| 17 | #include <linux/kernel.h> | ||
| 18 | #include <linux/module.h> | ||
| 19 | #include <linux/netdevice.h> | ||
| 20 | #include <linux/netfilter.h> | ||
| 21 | #include <linux/types.h> | ||
| 22 | #include <linux/netfilter_ipv6.h> | ||
| 23 | #include <linux/netfilter/x_tables.h> | ||
| 24 | #include <net/addrconf.h> | ||
| 25 | #include <net/checksum.h> | ||
| 26 | #include <net/protocol.h> | ||
| 27 | #include <net/netfilter/nf_nat.h> | ||
| 28 | #include <net/netfilter/ipv6/nf_nat_redirect.h> | ||
| 29 | |||
| 30 | static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT; | ||
| 31 | |||
| 32 | unsigned int | ||
| 33 | nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range, | ||
| 34 | unsigned int hooknum) | ||
| 35 | { | ||
| 36 | struct nf_nat_range newrange; | ||
| 37 | struct in6_addr newdst; | ||
| 38 | enum ip_conntrack_info ctinfo; | ||
| 39 | struct nf_conn *ct; | ||
| 40 | |||
| 41 | ct = nf_ct_get(skb, &ctinfo); | ||
| 42 | if (hooknum == NF_INET_LOCAL_OUT) { | ||
| 43 | newdst = loopback_addr; | ||
| 44 | } else { | ||
| 45 | struct inet6_dev *idev; | ||
| 46 | struct inet6_ifaddr *ifa; | ||
| 47 | bool addr = false; | ||
| 48 | |||
| 49 | rcu_read_lock(); | ||
| 50 | idev = __in6_dev_get(skb->dev); | ||
| 51 | if (idev != NULL) { | ||
| 52 | list_for_each_entry(ifa, &idev->addr_list, if_list) { | ||
| 53 | newdst = ifa->addr; | ||
| 54 | addr = true; | ||
| 55 | break; | ||
| 56 | } | ||
| 57 | } | ||
| 58 | rcu_read_unlock(); | ||
| 59 | |||
| 60 | if (!addr) | ||
| 61 | return NF_DROP; | ||
| 62 | } | ||
| 63 | |||
| 64 | newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS; | ||
| 65 | newrange.min_addr.in6 = newdst; | ||
| 66 | newrange.max_addr.in6 = newdst; | ||
| 67 | newrange.min_proto = range->min_proto; | ||
| 68 | newrange.max_proto = range->max_proto; | ||
| 69 | |||
| 70 | return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST); | ||
| 71 | } | ||
| 72 | EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv6); | ||
| 73 | |||
| 74 | MODULE_LICENSE("GPL"); | ||
| 75 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | ||