aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/netfilter_ipv6.h16
-rw-r--r--include/net/addrconf.h2
-rw-r--r--net/ipv6/addrconf.c2
-rw-r--r--net/ipv6/netfilter.c7
-rw-r--r--net/netfilter/core.c2
-rw-r--r--net/netfilter/xt_addrtype.c27
6 files changed, 43 insertions, 13 deletions
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 98ffb54988b6..2d4df6ce043e 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -17,6 +17,22 @@ extern __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
17 17
18extern int ipv6_netfilter_init(void); 18extern int ipv6_netfilter_init(void);
19extern void ipv6_netfilter_fini(void); 19extern void ipv6_netfilter_fini(void);
20
21/*
22 * Hook functions for ipv6 to allow xt_* modules to be built-in even
23 * if IPv6 is a module.
24 */
25struct nf_ipv6_ops {
26 int (*chk_addr)(struct net *net, const struct in6_addr *addr,
27 const struct net_device *dev, int strict);
28};
29
30extern const struct nf_ipv6_ops __rcu *nf_ipv6_ops;
31static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void)
32{
33 return rcu_dereference(nf_ipv6_ops);
34}
35
20#else /* CONFIG_NETFILTER */ 36#else /* CONFIG_NETFILTER */
21static inline int ipv6_netfilter_init(void) { return 0; } 37static inline int ipv6_netfilter_init(void) { return 0; }
22static inline void ipv6_netfilter_fini(void) { return; } 38static inline void ipv6_netfilter_fini(void) { return; }
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 84a6440f1f19..21f702704f24 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -65,7 +65,7 @@ extern int addrconf_set_dstaddr(struct net *net,
65 65
66extern int ipv6_chk_addr(struct net *net, 66extern int ipv6_chk_addr(struct net *net,
67 const struct in6_addr *addr, 67 const struct in6_addr *addr,
68 struct net_device *dev, 68 const struct net_device *dev,
69 int strict); 69 int strict);
70 70
71#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) 71#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index d1ab6ab29a55..d1b2d8034b54 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1487,7 +1487,7 @@ static int ipv6_count_addresses(struct inet6_dev *idev)
1487} 1487}
1488 1488
1489int ipv6_chk_addr(struct net *net, const struct in6_addr *addr, 1489int ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
1490 struct net_device *dev, int strict) 1490 const struct net_device *dev, int strict)
1491{ 1491{
1492 struct inet6_ifaddr *ifp; 1492 struct inet6_ifaddr *ifp;
1493 unsigned int hash = inet6_addr_hash(addr); 1493 unsigned int hash = inet6_addr_hash(addr);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 72836f40b730..95f3f1da0d7f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -10,6 +10,7 @@
10#include <linux/netfilter.h> 10#include <linux/netfilter.h>
11#include <linux/netfilter_ipv6.h> 11#include <linux/netfilter_ipv6.h>
12#include <linux/export.h> 12#include <linux/export.h>
13#include <net/addrconf.h>
13#include <net/dst.h> 14#include <net/dst.h>
14#include <net/ipv6.h> 15#include <net/ipv6.h>
15#include <net/ip6_route.h> 16#include <net/ip6_route.h>
@@ -186,6 +187,10 @@ static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
186 return csum; 187 return csum;
187}; 188};
188 189
190static const struct nf_ipv6_ops ipv6ops = {
191 .chk_addr = ipv6_chk_addr,
192};
193
189static const struct nf_afinfo nf_ip6_afinfo = { 194static const struct nf_afinfo nf_ip6_afinfo = {
190 .family = AF_INET6, 195 .family = AF_INET6,
191 .checksum = nf_ip6_checksum, 196 .checksum = nf_ip6_checksum,
@@ -198,6 +203,7 @@ static const struct nf_afinfo nf_ip6_afinfo = {
198 203
199int __init ipv6_netfilter_init(void) 204int __init ipv6_netfilter_init(void)
200{ 205{
206 RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
201 return nf_register_afinfo(&nf_ip6_afinfo); 207 return nf_register_afinfo(&nf_ip6_afinfo);
202} 208}
203 209
@@ -206,5 +212,6 @@ int __init ipv6_netfilter_init(void)
206 */ 212 */
207void ipv6_netfilter_fini(void) 213void ipv6_netfilter_fini(void)
208{ 214{
215 RCU_INIT_POINTER(nf_ipv6_ops, NULL);
209 nf_unregister_afinfo(&nf_ip6_afinfo); 216 nf_unregister_afinfo(&nf_ip6_afinfo);
210} 217}
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 07c865a31a3d..857ca9f35177 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -30,6 +30,8 @@ static DEFINE_MUTEX(afinfo_mutex);
30 30
31const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 31const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
32EXPORT_SYMBOL(nf_afinfo); 32EXPORT_SYMBOL(nf_afinfo);
33const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
34EXPORT_SYMBOL_GPL(nf_ipv6_ops);
33 35
34int nf_register_afinfo(const struct nf_afinfo *afinfo) 36int nf_register_afinfo(const struct nf_afinfo *afinfo)
35{ 37{
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 49c5ff7f6dd6..68ff29f60867 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -22,6 +22,7 @@
22#include <net/ip6_fib.h> 22#include <net/ip6_fib.h>
23#endif 23#endif
24 24
25#include <linux/netfilter_ipv6.h>
25#include <linux/netfilter/xt_addrtype.h> 26#include <linux/netfilter/xt_addrtype.h>
26#include <linux/netfilter/x_tables.h> 27#include <linux/netfilter/x_tables.h>
27 28
@@ -33,12 +34,12 @@ MODULE_ALIAS("ip6t_addrtype");
33 34
34#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 35#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
35static u32 match_lookup_rt6(struct net *net, const struct net_device *dev, 36static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
36 const struct in6_addr *addr) 37 const struct in6_addr *addr, u16 mask)
37{ 38{
38 const struct nf_afinfo *afinfo; 39 const struct nf_afinfo *afinfo;
39 struct flowi6 flow; 40 struct flowi6 flow;
40 struct rt6_info *rt; 41 struct rt6_info *rt;
41 u32 ret; 42 u32 ret = 0;
42 int route_err; 43 int route_err;
43 44
44 memset(&flow, 0, sizeof(flow)); 45 memset(&flow, 0, sizeof(flow));
@@ -49,12 +50,19 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
49 rcu_read_lock(); 50 rcu_read_lock();
50 51
51 afinfo = nf_get_afinfo(NFPROTO_IPV6); 52 afinfo = nf_get_afinfo(NFPROTO_IPV6);
52 if (afinfo != NULL) 53 if (afinfo != NULL) {
54 const struct nf_ipv6_ops *v6ops;
55
56 if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
57 v6ops = nf_get_ipv6_ops();
58 if (v6ops && v6ops->chk_addr(net, addr, dev, true))
59 ret = XT_ADDRTYPE_LOCAL;
60 }
53 route_err = afinfo->route(net, (struct dst_entry **)&rt, 61 route_err = afinfo->route(net, (struct dst_entry **)&rt,
54 flowi6_to_flowi(&flow), !!dev); 62 flowi6_to_flowi(&flow), false);
55 else 63 } else {
56 route_err = 1; 64 route_err = 1;
57 65 }
58 rcu_read_unlock(); 66 rcu_read_unlock();
59 67
60 if (route_err) 68 if (route_err)
@@ -62,15 +70,12 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
62 70
63 if (rt->rt6i_flags & RTF_REJECT) 71 if (rt->rt6i_flags & RTF_REJECT)
64 ret = XT_ADDRTYPE_UNREACHABLE; 72 ret = XT_ADDRTYPE_UNREACHABLE;
65 else
66 ret = 0;
67 73
68 if (rt->rt6i_flags & RTF_LOCAL) 74 if (dev == NULL && rt->rt6i_flags & RTF_LOCAL)
69 ret |= XT_ADDRTYPE_LOCAL; 75 ret |= XT_ADDRTYPE_LOCAL;
70 if (rt->rt6i_flags & RTF_ANYCAST) 76 if (rt->rt6i_flags & RTF_ANYCAST)
71 ret |= XT_ADDRTYPE_ANYCAST; 77 ret |= XT_ADDRTYPE_ANYCAST;
72 78
73
74 dst_release(&rt->dst); 79 dst_release(&rt->dst);
75 return ret; 80 return ret;
76} 81}
@@ -90,7 +95,7 @@ static bool match_type6(struct net *net, const struct net_device *dev,
90 95
91 if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST | 96 if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST |
92 XT_ADDRTYPE_UNREACHABLE) & mask) 97 XT_ADDRTYPE_UNREACHABLE) & mask)
93 return !!(mask & match_lookup_rt6(net, dev, addr)); 98 return !!(mask & match_lookup_rt6(net, dev, addr, mask));
94 return true; 99 return true;
95} 100}
96 101