netfilter: nf_tables: add new nft_masq expression

The nft_masq expression is intended to perform NAT in the masquerade flavour. We decided to have the masquerade functionality in a separated expression other than nft_nat. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Arturo Borrero <arturo.borrero.glez@gmail.com> 2014-09-08 07:45:00 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-09-09 10:31:30 -0400
commit: 9ba1f726bec090399eb9bb9157eb32dedc8e8c45 (patch)
tree: 4a2875982feb3cad10ccb8f3da4a1f452bd1f068 /net
parent: be6b635cd674add9410efa9ac6f03e0040848b12 (diff)
9 files changed, 261 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 4be3e541350e..8dd3d9f19d82 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -190,6 +190,12 @@ config NF_NAT_MASQUERADE_IPV4
        This is the kernel functionality to provide NAT in the masquerade
        flavour (automatic source address selection).
+config NFT_MASQ_IPV4
+        tristate "IPv4 masquerading support for nf_tables"
+        depends on NF_TABLES_IPV4
+        depends on NFT_MASQ
+        select NF_NAT_MASQUERADE_IPV4
 config IP_NF_TARGET_MASQUERADE
        tristate "MASQUERADE target support"
        select NF_NAT_MASQUERADE_IPV4
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 42056b2fd0e3..7d019aefb0ed 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -36,6 +36,7 @@ obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
 obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
+obj-$(CONFIG_NFT_MASQ_IPV4) += nft_masq_ipv4.o
 obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
 # generic IP tables 
diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
new file mode 100644
index 000000000000..6ea1d207b6a5
--- /dev/null
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_masq.h>
+#include <net/netfilter/ipv4/nf_nat_masquerade.h>
+static void nft_masq_ipv4_eval(const struct nft_expr *expr,
+                               struct nft_data data[NFT_REG_MAX + 1],
+                               const struct nft_pktinfo *pkt)
+{
+        struct nft_masq *priv = nft_expr_priv(expr);
+        struct nf_nat_range range;
+        unsigned int verdict;
+        range.flags = priv->flags;
+        verdict = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
+                                         &range, pkt->out);
+        data[NFT_REG_VERDICT].verdict = verdict;
+}
+static int nft_masq_ipv4_init(const struct nft_ctx *ctx,
+                              const struct nft_expr *expr,
+                              const struct nlattr * const tb[])
+{
+        int err;
+        err = nft_masq_init(ctx, expr, tb);
+        if (err < 0)
+                return err;
+        nf_nat_masquerade_ipv4_register_notifier();
+        return 0;
+}
+static void nft_masq_ipv4_destroy(const struct nft_ctx *ctx,
+                                  const struct nft_expr *expr)
+{
+        nf_nat_masquerade_ipv4_unregister_notifier();
+}
+static struct nft_expr_type nft_masq_ipv4_type;
+static const struct nft_expr_ops nft_masq_ipv4_ops = {
+        .type           = &nft_masq_ipv4_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
+        .eval           = nft_masq_ipv4_eval,
+        .init           = nft_masq_ipv4_init,
+        .destroy        = nft_masq_ipv4_destroy,
+        .dump           = nft_masq_dump,
+};
+static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
+        .family         = NFPROTO_IPV4,
+        .name           = "masq",
+        .ops            = &nft_masq_ipv4_ops,
+        .policy         = nft_masq_policy,
+        .maxattr        = NFTA_MASQ_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_masq_ipv4_module_init(void)
+{
+        return nft_register_expr(&nft_masq_ipv4_type);
+}
+static void __exit nft_masq_ipv4_module_exit(void)
+{
+        nft_unregister_expr(&nft_masq_ipv4_type);
+}
+module_init(nft_masq_ipv4_module_init);
+module_exit(nft_masq_ipv4_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 6c8cfec6836a..24c535f66df0 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -252,6 +252,12 @@ config NF_NAT_MASQUERADE_IPV6
         This is the kernel functionality to provide NAT in the masquerade
         flavour (automatic source address selection) for IPv6.
+config NFT_MASQ_IPV6
+        tristate "IPv6 masquerade support for nf_tables"
+        depends on NF_TABLES_IPV6
+        depends on NFT_MASQ
+        select NF_NAT_MASQUERADE_IPV6
 config IP6_NF_TARGET_MASQUERADE
        tristate "MASQUERADE target support"
        select NF_NAT_MASQUERADE_IPV6
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 89a0bd751f82..482c4dff273f 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -32,6 +32,7 @@ obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
 obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
+obj-$(CONFIG_NFT_MASQ_IPV6) += nft_masq_ipv6.o
 # matches
 obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c
new file mode 100644
index 000000000000..4e51334ef6b7
--- /dev/null
+++ b/net/ipv6/netfilter/nft_masq_ipv6.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nft_masq.h>
+#include <net/netfilter/ipv6/nf_nat_masquerade.h>
+static void nft_masq_ipv6_eval(const struct nft_expr *expr,
+                               struct nft_data data[NFT_REG_MAX + 1],
+                               const struct nft_pktinfo *pkt)
+{
+        struct nft_masq *priv = nft_expr_priv(expr);
+        struct nf_nat_range range;
+        unsigned int verdict;
+        range.flags = priv->flags;
+        verdict = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);
+        data[NFT_REG_VERDICT].verdict = verdict;
+}
+static int nft_masq_ipv6_init(const struct nft_ctx *ctx,
+                              const struct nft_expr *expr,
+                              const struct nlattr * const tb[])
+{
+        int err;
+        err = nft_masq_init(ctx, expr, tb);
+        if (err < 0)
+                return err;
+        nf_nat_masquerade_ipv6_register_notifier();
+        return 0;
+}
+static void nft_masq_ipv6_destroy(const struct nft_ctx *ctx,
+                                  const struct nft_expr *expr)
+{
+        nf_nat_masquerade_ipv6_unregister_notifier();
+}
+static struct nft_expr_type nft_masq_ipv6_type;
+static const struct nft_expr_ops nft_masq_ipv6_ops = {
+        .type           = &nft_masq_ipv6_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
+        .eval           = nft_masq_ipv6_eval,
+        .init           = nft_masq_ipv6_init,
+        .destroy        = nft_masq_ipv6_destroy,
+        .dump           = nft_masq_dump,
+};
+static struct nft_expr_type nft_masq_ipv6_type __read_mostly = {
+        .family         = NFPROTO_IPV6,
+        .name           = "masq",
+        .ops            = &nft_masq_ipv6_ops,
+        .policy         = nft_masq_policy,
+        .maxattr        = NFTA_MASQ_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_masq_ipv6_module_init(void)
+{
+        return nft_register_expr(&nft_masq_ipv6_type);
+}
+static void __exit nft_masq_ipv6_module_exit(void)
+{
+        nft_unregister_expr(&nft_masq_ipv6_type);
+}
+module_init(nft_masq_ipv6_module_init);
+module_exit(nft_masq_ipv6_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq");
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ad751fe2e82b..37428723394f 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -496,6 +496,15 @@ config NFT_LIMIT
          This option adds the "limit" expression that you can use to
          ratelimit rule matchings.
+config NFT_MASQ
+        depends on NF_TABLES
+        depends on NF_CONNTRACK
+        depends on NF_NAT
+        tristate "Netfilter nf_tables masquerade support"
+        help
+          This option adds the "masquerade" expression that you can use
+          to perform NAT in the masquerade flavour.
 config NFT_NAT
        depends on NF_TABLES
        depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 8308624a406a..0637792f6faf 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -87,6 +87,7 @@ obj-$(CONFIG_NFT_RBTREE)	+= nft_rbtree.o
 obj-$(CONFIG_NFT_HASH)          += nft_hash.o
 obj-$(CONFIG_NFT_COUNTER)       += nft_counter.o
 obj-$(CONFIG_NFT_LOG)           += nft_log.o
+obj-$(CONFIG_NFT_MASQ)          += nft_masq.o
 # generic X tables 
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
new file mode 100644
index 000000000000..6637bab00567
--- /dev/null
+++ b/net/netfilter/nft_masq.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nft_masq.h>
+const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
+        [NFTA_MASQ_FLAGS]       = { .type = NLA_U32 },
+};
+EXPORT_SYMBOL_GPL(nft_masq_policy);
+int nft_masq_init(const struct nft_ctx *ctx,
+                  const struct nft_expr *expr,
+                  const struct nlattr * const tb[])
+{
+        struct nft_masq *priv = nft_expr_priv(expr);
+        if (tb[NFTA_MASQ_FLAGS] == NULL)
+                return 0;
+        priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS]));
+        if (priv->flags & ~NF_NAT_RANGE_MASK)
+                return -EINVAL;
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nft_masq_init);
+int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        const struct nft_masq *priv = nft_expr_priv(expr);
+        if (priv->flags == 0)
+                return 0;
+        if (nla_put_be32(skb, NFTA_MASQ_FLAGS, htonl(priv->flags)))
+                goto nla_put_failure;
+        return 0;
+nla_put_failure:
+        return -1;
+}
+EXPORT_SYMBOL_GPL(nft_masq_dump);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
author	Arturo Borrero <arturo.borrero.glez@gmail.com>	2014-09-08 07:45:00 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-09-09 10:31:30 -0400
commit	9ba1f726bec090399eb9bb9157eb32dedc8e8c45 (patch)
tree	4a2875982feb3cad10ccb8f3da4a1f452bd1f068 /net
parent	be6b635cd674add9410efa9ac6f03e0040848b12 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 4be3e541350e..8dd3d9f19d82 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -190,6 +190,12 @@ config NF_NAT_MASQUERADE_IPV4
190	This is the kernel functionality to provide NAT in the masquerade	190	This is the kernel functionality to provide NAT in the masquerade
191	flavour (automatic source address selection).	191	flavour (automatic source address selection).
192		192
		193	config NFT_MASQ_IPV4
		194	tristate "IPv4 masquerading support for nf_tables"
		195	depends on NF_TABLES_IPV4
		196	depends on NFT_MASQ
		197	select NF_NAT_MASQUERADE_IPV4
		198
193	config IP_NF_TARGET_MASQUERADE	199	config IP_NF_TARGET_MASQUERADE
194	tristate "MASQUERADE target support"	200	tristate "MASQUERADE target support"
195	select NF_NAT_MASQUERADE_IPV4	201	select NF_NAT_MASQUERADE_IPV4


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 42056b2fd0e3..7d019aefb0ed 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -36,6 +36,7 @@ obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
36	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o	36	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
37	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o	37	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
38	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o	38	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
		39	obj-$(CONFIG_NFT_MASQ_IPV4) += nft_masq_ipv4.o
39	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o	40	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
40		41
41	# generic IP tables	42	# generic IP tables


diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c new file mode 100644 index 000000000000..6ea1d207b6a5 --- /dev/null +++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -0,0 +1,89 @@
		1	/*
		2	* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/kernel.h>
		10	#include <linux/init.h>
		11	#include <linux/module.h>
		12	#include <linux/netlink.h>
		13	#include <linux/netfilter.h>
		14	#include <linux/netfilter/nf_tables.h>
		15	#include <net/netfilter/nf_tables.h>
		16	#include <net/netfilter/nft_masq.h>
		17	#include <net/netfilter/ipv4/nf_nat_masquerade.h>
		18
		19	static void nft_masq_ipv4_eval(const struct nft_expr *expr,
		20	struct nft_data data[NFT_REG_MAX + 1],
		21	const struct nft_pktinfo *pkt)
		22	{
		23	struct nft_masq *priv = nft_expr_priv(expr);
		24	struct nf_nat_range range;
		25	unsigned int verdict;
		26
		27	range.flags = priv->flags;
		28
		29	verdict = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
		30	&range, pkt->out);
		31
		32	data[NFT_REG_VERDICT].verdict = verdict;
		33	}
		34
		35	static int nft_masq_ipv4_init(const struct nft_ctx *ctx,
		36	const struct nft_expr *expr,
		37	const struct nlattr * const tb[])
		38	{
		39	int err;
		40
		41	err = nft_masq_init(ctx, expr, tb);
		42	if (err < 0)
		43	return err;
		44
		45	nf_nat_masquerade_ipv4_register_notifier();
		46	return 0;
		47	}
		48
		49	static void nft_masq_ipv4_destroy(const struct nft_ctx *ctx,
		50	const struct nft_expr *expr)
		51	{
		52	nf_nat_masquerade_ipv4_unregister_notifier();
		53	}
		54
		55	static struct nft_expr_type nft_masq_ipv4_type;
		56	static const struct nft_expr_ops nft_masq_ipv4_ops = {
		57	.type = &nft_masq_ipv4_type,
		58	.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
		59	.eval = nft_masq_ipv4_eval,
		60	.init = nft_masq_ipv4_init,
		61	.destroy = nft_masq_ipv4_destroy,
		62	.dump = nft_masq_dump,
		63	};
		64
		65	static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
		66	.family = NFPROTO_IPV4,
		67	.name = "masq",
		68	.ops = &nft_masq_ipv4_ops,
		69	.policy = nft_masq_policy,
		70	.maxattr = NFTA_MASQ_MAX,
		71	.owner = THIS_MODULE,
		72	};
		73
		74	static int __init nft_masq_ipv4_module_init(void)
		75	{
		76	return nft_register_expr(&nft_masq_ipv4_type);
		77	}
		78
		79	static void __exit nft_masq_ipv4_module_exit(void)
		80	{
		81	nft_unregister_expr(&nft_masq_ipv4_type);
		82	}
		83
		84	module_init(nft_masq_ipv4_module_init);
		85	module_exit(nft_masq_ipv4_module_exit);
		86
		87	MODULE_LICENSE("GPL");
		88	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
		89	MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");


diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 6c8cfec6836a..24c535f66df0 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -252,6 +252,12 @@ config NF_NAT_MASQUERADE_IPV6
252	This is the kernel functionality to provide NAT in the masquerade	252	This is the kernel functionality to provide NAT in the masquerade
253	flavour (automatic source address selection) for IPv6.	253	flavour (automatic source address selection) for IPv6.
254		254
		255	config NFT_MASQ_IPV6
		256	tristate "IPv6 masquerade support for nf_tables"
		257	depends on NF_TABLES_IPV6
		258	depends on NFT_MASQ
		259	select NF_NAT_MASQUERADE_IPV6
		260
255	config IP6_NF_TARGET_MASQUERADE	261	config IP6_NF_TARGET_MASQUERADE
256	tristate "MASQUERADE target support"	262	tristate "MASQUERADE target support"
257	select NF_NAT_MASQUERADE_IPV6	263	select NF_NAT_MASQUERADE_IPV6


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index 89a0bd751f82..482c4dff273f 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -32,6 +32,7 @@ obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
32	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o	32	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
33	obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o	33	obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
34	obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o	34	obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
		35	obj-$(CONFIG_NFT_MASQ_IPV6) += nft_masq_ipv6.o
35		36
36	# matches	37	# matches
37	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o	38	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o


diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c new file mode 100644 index 000000000000..4e51334ef6b7 --- /dev/null +++ b/net/ipv6/netfilter/nft_masq_ipv6.c
@@ -0,0 +1,89 @@
		1	/*
		2	* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/kernel.h>
		10	#include <linux/init.h>
		11	#include <linux/module.h>
		12	#include <linux/netlink.h>
		13	#include <linux/netfilter.h>
		14	#include <linux/netfilter/nf_tables.h>
		15	#include <net/netfilter/nf_tables.h>
		16	#include <net/netfilter/nf_nat.h>
		17	#include <net/netfilter/nft_masq.h>
		18	#include <net/netfilter/ipv6/nf_nat_masquerade.h>
		19
		20	static void nft_masq_ipv6_eval(const struct nft_expr *expr,
		21	struct nft_data data[NFT_REG_MAX + 1],
		22	const struct nft_pktinfo *pkt)
		23	{
		24	struct nft_masq *priv = nft_expr_priv(expr);
		25	struct nf_nat_range range;
		26	unsigned int verdict;
		27
		28	range.flags = priv->flags;
		29
		30	verdict = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);
		31
		32	data[NFT_REG_VERDICT].verdict = verdict;
		33	}
		34
		35	static int nft_masq_ipv6_init(const struct nft_ctx *ctx,
		36	const struct nft_expr *expr,
		37	const struct nlattr * const tb[])
		38	{
		39	int err;
		40
		41	err = nft_masq_init(ctx, expr, tb);
		42	if (err < 0)
		43	return err;
		44
		45	nf_nat_masquerade_ipv6_register_notifier();
		46	return 0;
		47	}
		48
		49	static void nft_masq_ipv6_destroy(const struct nft_ctx *ctx,
		50	const struct nft_expr *expr)
		51	{
		52	nf_nat_masquerade_ipv6_unregister_notifier();
		53	}
		54
		55	static struct nft_expr_type nft_masq_ipv6_type;
		56	static const struct nft_expr_ops nft_masq_ipv6_ops = {
		57	.type = &nft_masq_ipv6_type,
		58	.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
		59	.eval = nft_masq_ipv6_eval,
		60	.init = nft_masq_ipv6_init,
		61	.destroy = nft_masq_ipv6_destroy,
		62	.dump = nft_masq_dump,
		63	};
		64
		65	static struct nft_expr_type nft_masq_ipv6_type __read_mostly = {
		66	.family = NFPROTO_IPV6,
		67	.name = "masq",
		68	.ops = &nft_masq_ipv6_ops,
		69	.policy = nft_masq_policy,
		70	.maxattr = NFTA_MASQ_MAX,
		71	.owner = THIS_MODULE,
		72	};
		73
		74	static int __init nft_masq_ipv6_module_init(void)
		75	{
		76	return nft_register_expr(&nft_masq_ipv6_type);
		77	}
		78
		79	static void __exit nft_masq_ipv6_module_exit(void)
		80	{
		81	nft_unregister_expr(&nft_masq_ipv6_type);
		82	}
		83
		84	module_init(nft_masq_ipv6_module_init);
		85	module_exit(nft_masq_ipv6_module_exit);
		86
		87	MODULE_LICENSE("GPL");
		88	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
		89	MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq");


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ad751fe2e82b..37428723394f 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -496,6 +496,15 @@ config NFT_LIMIT
496	This option adds the "limit" expression that you can use to	496	This option adds the "limit" expression that you can use to
497	ratelimit rule matchings.	497	ratelimit rule matchings.
498		498
		499	config NFT_MASQ
		500	depends on NF_TABLES
		501	depends on NF_CONNTRACK
		502	depends on NF_NAT
		503	tristate "Netfilter nf_tables masquerade support"
		504	help
		505	This option adds the "masquerade" expression that you can use
		506	to perform NAT in the masquerade flavour.
		507
499	config NFT_NAT	508	config NFT_NAT
500	depends on NF_TABLES	509	depends on NF_TABLES
501	depends on NF_CONNTRACK	510	depends on NF_CONNTRACK


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 8308624a406a..0637792f6faf 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -87,6 +87,7 @@ obj-$(CONFIG_NFT_RBTREE) += nft_rbtree.o
87	obj-$(CONFIG_NFT_HASH) += nft_hash.o	87	obj-$(CONFIG_NFT_HASH) += nft_hash.o
88	obj-$(CONFIG_NFT_COUNTER) += nft_counter.o	88	obj-$(CONFIG_NFT_COUNTER) += nft_counter.o
89	obj-$(CONFIG_NFT_LOG) += nft_log.o	89	obj-$(CONFIG_NFT_LOG) += nft_log.o
		90	obj-$(CONFIG_NFT_MASQ) += nft_masq.o
90		91
91	# generic X tables	92	# generic X tables
92	obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o	93	obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o


diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c new file mode 100644 index 000000000000..6637bab00567 --- /dev/null +++ b/net/netfilter/nft_masq.c
@@ -0,0 +1,59 @@
		1	/*
		2	* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/kernel.h>
		10	#include <linux/init.h>
		11	#include <linux/module.h>
		12	#include <linux/netlink.h>
		13	#include <linux/netfilter.h>
		14	#include <linux/netfilter/nf_tables.h>
		15	#include <net/netfilter/nf_tables.h>
		16	#include <net/netfilter/nf_nat.h>
		17	#include <net/netfilter/nft_masq.h>
		18
		19	const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
		20	[NFTA_MASQ_FLAGS] = { .type = NLA_U32 },
		21	};
		22	EXPORT_SYMBOL_GPL(nft_masq_policy);
		23
		24	int nft_masq_init(const struct nft_ctx *ctx,
		25	const struct nft_expr *expr,
		26	const struct nlattr * const tb[])
		27	{
		28	struct nft_masq *priv = nft_expr_priv(expr);
		29
		30	if (tb[NFTA_MASQ_FLAGS] == NULL)
		31	return 0;
		32
		33	priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS]));
		34	if (priv->flags & ~NF_NAT_RANGE_MASK)
		35	return -EINVAL;
		36
		37	return 0;
		38	}
		39	EXPORT_SYMBOL_GPL(nft_masq_init);
		40
		41	int nft_masq_dump(struct sk_buff skb, const struct nft_expr expr)
		42	{
		43	const struct nft_masq *priv = nft_expr_priv(expr);
		44
		45	if (priv->flags == 0)
		46	return 0;
		47
		48	if (nla_put_be32(skb, NFTA_MASQ_FLAGS, htonl(priv->flags)))
		49	goto nla_put_failure;
		50
		51	return 0;
		52
		53	nla_put_failure:
		54	return -1;
		55	}
		56	EXPORT_SYMBOL_GPL(nft_masq_dump);
		57
		58	MODULE_LICENSE("GPL");
		59	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");