diff options
| author | David S. Miller <davem@davemloft.net> | 2015-03-09 15:58:21 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-03-09 15:58:21 -0400 |
| commit | 5428aef81157768f1052b116e0cc8abf88ff3e36 (patch) | |
| tree | a4fe8e39c5986b59ae50d3a6fefe46c309e2444e /net/ipv6 | |
| parent | 26c459a8072f2bb0680081205376e1371c114b12 (diff) | |
| parent | e5de75bf88858f5b3ab11e2504b86ec059f03102 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patchset contains Netfilter updates for your net-next
tree. Basically, improvements for the packet rejection infrastructure,
deprecation of CLUSTERIP, cleanups for nf_tables and some untangling for
br_netfilter. More specifically they are:
1) Send packet to reset flow if checksum is valid, from Florian Westphal.
2) Fix nf_tables reject bridge from the input chain, also from Florian.
3) Deprecate the CLUSTERIP target, the cluster match supersedes it in
functionality and it's known to have problems.
4) A couple of cleanups for nf_tables rule tracing infrastructure, from
Patrick McHardy.
5) Another cleanup to place transaction declarations at the bottom of
nf_tables.h, also from Patrick.
6) Consolidate Kconfig dependencies wrt. NF_TABLES.
7) Limit table names to 32 bytes in nf_tables.
8) mac header copying in bridge netfilter is already required when
calling ip_fragment(), from Florian Westphal.
9) move nf_bridge_update_protocol() to br_netfilter.c, also from
Florian.
10) Small refactor in br_netfilter in the transmission path, again from
Florian.
11) Move br_nf_pre_routing_finish_bridge_slow() to br_netfilter.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/Kconfig | 18 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_reject_ipv6.c | 35 |
2 files changed, 46 insertions, 7 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index a069822936e6..ca6998345b42 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig | |||
| @@ -25,14 +25,16 @@ config NF_CONNTRACK_IPV6 | |||
| 25 | 25 | ||
| 26 | To compile it as a module, choose M here. If unsure, say N. | 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | 27 | ||
| 28 | if NF_TABLES | ||
| 29 | |||
| 28 | config NF_TABLES_IPV6 | 30 | config NF_TABLES_IPV6 |
| 29 | depends on NF_TABLES | ||
| 30 | tristate "IPv6 nf_tables support" | 31 | tristate "IPv6 nf_tables support" |
| 31 | help | 32 | help |
| 32 | This option enables the IPv6 support for nf_tables. | 33 | This option enables the IPv6 support for nf_tables. |
| 33 | 34 | ||
| 35 | if NF_TABLES_IPV6 | ||
| 36 | |||
| 34 | config NFT_CHAIN_ROUTE_IPV6 | 37 | config NFT_CHAIN_ROUTE_IPV6 |
| 35 | depends on NF_TABLES_IPV6 | ||
| 36 | tristate "IPv6 nf_tables route chain support" | 38 | tristate "IPv6 nf_tables route chain support" |
| 37 | help | 39 | help |
| 38 | This option enables the "route" chain for IPv6 in nf_tables. This | 40 | This option enables the "route" chain for IPv6 in nf_tables. This |
| @@ -40,16 +42,18 @@ config NFT_CHAIN_ROUTE_IPV6 | |||
| 40 | fields such as the source, destination, flowlabel, hop-limit and | 42 | fields such as the source, destination, flowlabel, hop-limit and |
| 41 | the packet mark. | 43 | the packet mark. |
| 42 | 44 | ||
| 43 | config NF_REJECT_IPV6 | ||
| 44 | tristate "IPv6 packet rejection" | ||
| 45 | default m if NETFILTER_ADVANCED=n | ||
| 46 | |||
| 47 | config NFT_REJECT_IPV6 | 45 | config NFT_REJECT_IPV6 |
| 48 | depends on NF_TABLES_IPV6 | ||
| 49 | select NF_REJECT_IPV6 | 46 | select NF_REJECT_IPV6 |
| 50 | default NFT_REJECT | 47 | default NFT_REJECT |
| 51 | tristate | 48 | tristate |
| 52 | 49 | ||
| 50 | endif # NF_TABLES_IPV6 | ||
| 51 | endif # NF_TABLES | ||
| 52 | |||
| 53 | config NF_REJECT_IPV6 | ||
| 54 | tristate "IPv6 packet rejection" | ||
| 55 | default m if NETFILTER_ADVANCED=n | ||
| 56 | |||
| 53 | config NF_LOG_IPV6 | 57 | config NF_LOG_IPV6 |
| 54 | tristate "IPv6 packet logging" | 58 | tristate "IPv6 packet logging" |
| 55 | default m if NETFILTER_ADVANCED=n | 59 | default m if NETFILTER_ADVANCED=n |
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c index d05b36440e8b..68e0bb4db1bf 100644 --- a/net/ipv6/netfilter/nf_reject_ipv6.c +++ b/net/ipv6/netfilter/nf_reject_ipv6.c | |||
| @@ -208,4 +208,39 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook) | |||
| 208 | } | 208 | } |
| 209 | EXPORT_SYMBOL_GPL(nf_send_reset6); | 209 | EXPORT_SYMBOL_GPL(nf_send_reset6); |
| 210 | 210 | ||
| 211 | static bool reject6_csum_ok(struct sk_buff *skb, int hook) | ||
| 212 | { | ||
| 213 | const struct ipv6hdr *ip6h = ipv6_hdr(skb); | ||
| 214 | int thoff; | ||
| 215 | __be16 fo; | ||
| 216 | u8 proto; | ||
| 217 | |||
| 218 | if (skb->csum_bad) | ||
| 219 | return false; | ||
| 220 | |||
| 221 | if (skb_csum_unnecessary(skb)) | ||
| 222 | return true; | ||
| 223 | |||
| 224 | proto = ip6h->nexthdr; | ||
| 225 | thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo); | ||
| 226 | |||
| 227 | if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0) | ||
| 228 | return false; | ||
| 229 | |||
| 230 | return nf_ip6_checksum(skb, hook, thoff, proto) == 0; | ||
| 231 | } | ||
| 232 | |||
| 233 | void nf_send_unreach6(struct net *net, struct sk_buff *skb_in, | ||
| 234 | unsigned char code, unsigned int hooknum) | ||
| 235 | { | ||
| 236 | if (!reject6_csum_ok(skb_in, hooknum)) | ||
| 237 | return; | ||
| 238 | |||
| 239 | if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL) | ||
| 240 | skb_in->dev = net->loopback_dev; | ||
| 241 | |||
| 242 | icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0); | ||
| 243 | } | ||
| 244 | EXPORT_SYMBOL_GPL(nf_send_unreach6); | ||
| 245 | |||
| 211 | MODULE_LICENSE("GPL"); | 246 | MODULE_LICENSE("GPL"); |