netfilter: add helper for adding nat extension

Reduce copy-past a bit by adding a common helper. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2014-04-28 15:09:50 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-04-29 14:56:22 -0400
commit: f768e5bdefe1ec9adbf7a116dfb156b73cacb582 (patch)
tree: 1d49bc5b3184cc71d34090a4b056e3b9a9427fb9 /net
parent: 683399eddb9fff742b1a14c5a5d03e12bfc0afff (diff)
5 files changed, 28 insertions, 48 deletions
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index ee2886126e3d..f1787c04a4dd 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -91,17 +91,9 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops,
        if (nf_ct_is_untracked(ct))
                return NF_ACCEPT;
-        nat = nfct_nat(ct);
+        nat = nf_ct_nat_ext_add(ct);
-        if (!nat) {
+        if (nat == NULL)
-                /* NAT module was loaded late. */
+                return NF_ACCEPT;
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL) {
-                        pr_debug("failed to add NAT extension\n");
-                        return NF_ACCEPT;
-                }
-        }
        switch (ctinfo) {
        case IP_CT_RELATED:
diff --git a/net/ipv4/netfilter/nft_chain_nat_ipv4.c b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
index b5b256d45e67..3964157d826c 100644
--- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c
+++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
@@ -48,15 +48,9 @@ static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
        NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
-        nat = nfct_nat(ct);
+        nat = nf_ct_nat_ext_add(ct);
-        if (nat == NULL) {
+        if (nat == NULL)
-                /* Conntrack module was loaded late, can't add extension. */
+                return NF_ACCEPT;
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL)
-                        return NF_ACCEPT;
-        }
        switch (ctinfo) {
        case IP_CT_RELATED:
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 84c7f33d0cf8..387d8b8fc18d 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -90,17 +90,9 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops,
        if (nf_ct_is_untracked(ct))
                return NF_ACCEPT;
-        nat = nfct_nat(ct);
+        nat = nf_ct_nat_ext_add(ct);
-        if (!nat) {
+        if (nat == NULL)
-                /* NAT module was loaded late. */
+                return NF_ACCEPT;
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL) {
-                        pr_debug("failed to add NAT extension\n");
-                        return NF_ACCEPT;
-                }
-        }
        switch (ctinfo) {
        case IP_CT_RELATED:
diff --git a/net/ipv6/netfilter/nft_chain_nat_ipv6.c b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
index 9c3297a768fd..d189fcb437fe 100644
--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
@@ -47,15 +47,9 @@ static unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops,
        if (ct == NULL || nf_ct_is_untracked(ct))
                return NF_ACCEPT;
-        nat = nfct_nat(ct);
+        nat = nf_ct_nat_ext_add(ct);
-        if (nat == NULL) {
+        if (nat == NULL)
-                /* Conntrack module was loaded late, can't add extension. */
+                return NF_ACCEPT;
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL)
-                        return NF_ACCEPT;
-        }
        switch (ctinfo) {
        case IP_CT_RELATED:
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 52ca952b802c..09096a670c45 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -358,6 +358,19 @@ out:
        rcu_read_unlock();
 }
+struct nf_conn_nat *nf_ct_nat_ext_add(struct nf_conn *ct)
+{
+        struct nf_conn_nat *nat = nfct_nat(ct);
+        if (nat)
+                return nat;
+        if (!nf_ct_is_confirmed(ct))
+                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
+        return nat;
+}
+EXPORT_SYMBOL_GPL(nf_ct_nat_ext_add);
 unsigned int
 nf_nat_setup_info(struct nf_conn *ct,
                  const struct nf_nat_range *range,
@@ -368,14 +381,9 @@ nf_nat_setup_info(struct nf_conn *ct,
        struct nf_conn_nat *nat;
        /* nat helper or nfctnetlink also setup binding */
-        nat = nfct_nat(ct);
+        nat = nf_ct_nat_ext_add(ct);
-        if (!nat) {
+        if (nat == NULL)
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
+                return NF_ACCEPT;
-                if (nat == NULL) {
-                        pr_debug("failed to add NAT extension\n");
-                        return NF_ACCEPT;
-                }
-        }
        NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
                     maniptype == NF_NAT_MANIP_DST);
author	Florian Westphal <fw@strlen.de>	2014-04-28 15:09:50 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-04-29 14:56:22 -0400
commit	f768e5bdefe1ec9adbf7a116dfb156b73cacb582 (patch)
tree	1d49bc5b3184cc71d34090a4b056e3b9a9427fb9 /net
parent	683399eddb9fff742b1a14c5a5d03e12bfc0afff (diff)