netfilter: refactor NAT redirect IPv4 to use it from nf_tables

This patch refactors the IPv4 code so it can be usable both from xt and nf_tables. A similar patch follows-up to handle IPv6. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Arturo Borrero <arturo.borrero.glez@gmail.com> 2014-10-16 06:23:29 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-10-27 17:47:06 -0400
commit: 8b13eddfdf04cbfa561725cfc42d6868fe896f56 (patch)
tree: a54fcd289d9acb1566a841f66045127227c84d25 /net/netfilter
parent: b8901ac319768cdd3afa060787503e0c405f9607 (diff)
2 files changed, 3 insertions, 42 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ae5096ab65eb..a0716a3f08b0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -835,6 +835,7 @@ config NETFILTER_XT_TARGET_RATEEST
 config NETFILTER_XT_TARGET_REDIRECT
        tristate "REDIRECT target support"
        depends on NF_NAT
+        select NF_NAT_REDIRECT_IPV4
        ---help---
        REDIRECT is a special case of NAT: all incoming connections are
        mapped onto the incoming interface's address, causing the packets to
diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c
index 22a10309297c..b4ffac5fe8e9 100644
--- a/net/netfilter/xt_REDIRECT.c
+++ b/net/netfilter/xt_REDIRECT.c
@@ -26,6 +26,7 @@
 #include <net/checksum.h>
 #include <net/protocol.h>
 #include <net/netfilter/nf_nat.h>
+#include <net/netfilter/ipv4/nf_nat_redirect.h>
 static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
@@ -98,48 +99,7 @@ static int redirect_tg4_check(const struct xt_tgchk_param *par)
 static unsigned int
 redirect_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        struct nf_conn *ct;
+        return nf_nat_redirect_ipv4(skb, par->targinfo, par->hooknum);
-        enum ip_conntrack_info ctinfo;
-        __be32 newdst;
-        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
-        struct nf_nat_range newrange;
-        NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
-                     par->hooknum == NF_INET_LOCAL_OUT);
-        ct = nf_ct_get(skb, &ctinfo);
-        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
-        /* Local packets: make them go to loopback */
-        if (par->hooknum == NF_INET_LOCAL_OUT)
-                newdst = htonl(0x7F000001);
-        else {
-                struct in_device *indev;
-                struct in_ifaddr *ifa;
-                newdst = 0;
-                rcu_read_lock();
-                indev = __in_dev_get_rcu(skb->dev);
-                if (indev && (ifa = indev->ifa_list))
-                        newdst = ifa->ifa_local;
-                rcu_read_unlock();
-                if (!newdst)
-                        return NF_DROP;
-        }
-        /* Transfer from original range. */
-        memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
-        memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
-        newrange.flags       = mr->range[0].flags | NF_NAT_RANGE_MAP_IPS;
-        newrange.min_addr.ip = newdst;
-        newrange.max_addr.ip = newdst;
-        newrange.min_proto   = mr->range[0].min;
-        newrange.max_proto   = mr->range[0].max;
-        /* Hand modified range to generic setup. */
-        return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
 }
 static struct xt_target redirect_tg_reg[] __read_mostly = {
author	Arturo Borrero <arturo.borrero.glez@gmail.com>	2014-10-16 06:23:29 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-27 17:47:06 -0400
commit	8b13eddfdf04cbfa561725cfc42d6868fe896f56 (patch)
tree	a54fcd289d9acb1566a841f66045127227c84d25 /net/netfilter
parent	b8901ac319768cdd3afa060787503e0c405f9607 (diff)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ae5096ab65eb..a0716a3f08b0 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -835,6 +835,7 @@ config NETFILTER_XT_TARGET_RATEEST
835	config NETFILTER_XT_TARGET_REDIRECT	835	config NETFILTER_XT_TARGET_REDIRECT
836	tristate "REDIRECT target support"	836	tristate "REDIRECT target support"
837	depends on NF_NAT	837	depends on NF_NAT
		838	select NF_NAT_REDIRECT_IPV4
838	---help---	839	---help---
839	REDIRECT is a special case of NAT: all incoming connections are	840	REDIRECT is a special case of NAT: all incoming connections are
840	mapped onto the incoming interface's address, causing the packets to	841	mapped onto the incoming interface's address, causing the packets to


diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c index 22a10309297c..b4ffac5fe8e9 100644 --- a/net/netfilter/xt_REDIRECT.c +++ b/net/netfilter/xt_REDIRECT.c
@@ -26,6 +26,7 @@
26	#include <net/checksum.h>	26	#include <net/checksum.h>
27	#include <net/protocol.h>	27	#include <net/protocol.h>
28	#include <net/netfilter/nf_nat.h>	28	#include <net/netfilter/nf_nat.h>
		29	#include <net/netfilter/ipv4/nf_nat_redirect.h>
29		30
30	static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;	31	static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
31		32
@@ -98,48 +99,7 @@ static int redirect_tg4_check(const struct xt_tgchk_param *par)
98	static unsigned int	99	static unsigned int
99	redirect_tg4(struct sk_buff skb, const struct xt_action_param par)	100	redirect_tg4(struct sk_buff skb, const struct xt_action_param par)
100	{	101	{
101	struct nf_conn *ct;	102	return nf_nat_redirect_ipv4(skb, par->targinfo, par->hooknum);
102	enum ip_conntrack_info ctinfo;
103	__be32 newdst;
104	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
105	struct nf_nat_range newrange;
106
107	NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING \|\|
108	par->hooknum == NF_INET_LOCAL_OUT);
109
110	ct = nf_ct_get(skb, &ctinfo);
111	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED));
112
113	/* Local packets: make them go to loopback */
114	if (par->hooknum == NF_INET_LOCAL_OUT)
115	newdst = htonl(0x7F000001);
116	else {
117	struct in_device *indev;
118	struct in_ifaddr *ifa;
119
120	newdst = 0;
121
122	rcu_read_lock();
123	indev = __in_dev_get_rcu(skb->dev);
124	if (indev && (ifa = indev->ifa_list))
125	newdst = ifa->ifa_local;
126	rcu_read_unlock();
127
128	if (!newdst)
129	return NF_DROP;
130	}
131
132	/* Transfer from original range. */
133	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
134	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
135	newrange.flags = mr->range[0].flags \| NF_NAT_RANGE_MAP_IPS;
136	newrange.min_addr.ip = newdst;
137	newrange.max_addr.ip = newdst;
138	newrange.min_proto = mr->range[0].min;
139	newrange.max_proto = mr->range[0].max;
140
141	/* Hand modified range to generic setup. */
142	return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
143	}	103	}
144		104
145	static struct xt_target redirect_tg_reg[] __read_mostly = {	105	static struct xt_target redirect_tg_reg[] __read_mostly = {