diff options
-rw-r--r-- | include/linux/netfilter_ipv6.h | 16 | ||||
-rw-r--r-- | include/net/addrconf.h | 2 | ||||
-rw-r--r-- | net/ipv6/addrconf.c | 2 | ||||
-rw-r--r-- | net/ipv6/netfilter.c | 7 | ||||
-rw-r--r-- | net/netfilter/core.c | 2 | ||||
-rw-r--r-- | net/netfilter/xt_addrtype.c | 27 |
6 files changed, 43 insertions, 13 deletions
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 98ffb54988b6..2d4df6ce043e 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h | |||
@@ -17,6 +17,22 @@ extern __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, | |||
17 | 17 | ||
18 | extern int ipv6_netfilter_init(void); | 18 | extern int ipv6_netfilter_init(void); |
19 | extern void ipv6_netfilter_fini(void); | 19 | extern void ipv6_netfilter_fini(void); |
20 | |||
21 | /* | ||
22 | * Hook functions for ipv6 to allow xt_* modules to be built-in even | ||
23 | * if IPv6 is a module. | ||
24 | */ | ||
25 | struct nf_ipv6_ops { | ||
26 | int (*chk_addr)(struct net *net, const struct in6_addr *addr, | ||
27 | const struct net_device *dev, int strict); | ||
28 | }; | ||
29 | |||
30 | extern const struct nf_ipv6_ops __rcu *nf_ipv6_ops; | ||
31 | static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void) | ||
32 | { | ||
33 | return rcu_dereference(nf_ipv6_ops); | ||
34 | } | ||
35 | |||
20 | #else /* CONFIG_NETFILTER */ | 36 | #else /* CONFIG_NETFILTER */ |
21 | static inline int ipv6_netfilter_init(void) { return 0; } | 37 | static inline int ipv6_netfilter_init(void) { return 0; } |
22 | static inline void ipv6_netfilter_fini(void) { return; } | 38 | static inline void ipv6_netfilter_fini(void) { return; } |
diff --git a/include/net/addrconf.h b/include/net/addrconf.h index 84a6440f1f19..21f702704f24 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h | |||
@@ -65,7 +65,7 @@ extern int addrconf_set_dstaddr(struct net *net, | |||
65 | 65 | ||
66 | extern int ipv6_chk_addr(struct net *net, | 66 | extern int ipv6_chk_addr(struct net *net, |
67 | const struct in6_addr *addr, | 67 | const struct in6_addr *addr, |
68 | struct net_device *dev, | 68 | const struct net_device *dev, |
69 | int strict); | 69 | int strict); |
70 | 70 | ||
71 | #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) | 71 | #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) |
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index d1ab6ab29a55..d1b2d8034b54 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
@@ -1487,7 +1487,7 @@ static int ipv6_count_addresses(struct inet6_dev *idev) | |||
1487 | } | 1487 | } |
1488 | 1488 | ||
1489 | int ipv6_chk_addr(struct net *net, const struct in6_addr *addr, | 1489 | int ipv6_chk_addr(struct net *net, const struct in6_addr *addr, |
1490 | struct net_device *dev, int strict) | 1490 | const struct net_device *dev, int strict) |
1491 | { | 1491 | { |
1492 | struct inet6_ifaddr *ifp; | 1492 | struct inet6_ifaddr *ifp; |
1493 | unsigned int hash = inet6_addr_hash(addr); | 1493 | unsigned int hash = inet6_addr_hash(addr); |
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 72836f40b730..95f3f1da0d7f 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c | |||
@@ -10,6 +10,7 @@ | |||
10 | #include <linux/netfilter.h> | 10 | #include <linux/netfilter.h> |
11 | #include <linux/netfilter_ipv6.h> | 11 | #include <linux/netfilter_ipv6.h> |
12 | #include <linux/export.h> | 12 | #include <linux/export.h> |
13 | #include <net/addrconf.h> | ||
13 | #include <net/dst.h> | 14 | #include <net/dst.h> |
14 | #include <net/ipv6.h> | 15 | #include <net/ipv6.h> |
15 | #include <net/ip6_route.h> | 16 | #include <net/ip6_route.h> |
@@ -186,6 +187,10 @@ static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook, | |||
186 | return csum; | 187 | return csum; |
187 | }; | 188 | }; |
188 | 189 | ||
190 | static const struct nf_ipv6_ops ipv6ops = { | ||
191 | .chk_addr = ipv6_chk_addr, | ||
192 | }; | ||
193 | |||
189 | static const struct nf_afinfo nf_ip6_afinfo = { | 194 | static const struct nf_afinfo nf_ip6_afinfo = { |
190 | .family = AF_INET6, | 195 | .family = AF_INET6, |
191 | .checksum = nf_ip6_checksum, | 196 | .checksum = nf_ip6_checksum, |
@@ -198,6 +203,7 @@ static const struct nf_afinfo nf_ip6_afinfo = { | |||
198 | 203 | ||
199 | int __init ipv6_netfilter_init(void) | 204 | int __init ipv6_netfilter_init(void) |
200 | { | 205 | { |
206 | RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops); | ||
201 | return nf_register_afinfo(&nf_ip6_afinfo); | 207 | return nf_register_afinfo(&nf_ip6_afinfo); |
202 | } | 208 | } |
203 | 209 | ||
@@ -206,5 +212,6 @@ int __init ipv6_netfilter_init(void) | |||
206 | */ | 212 | */ |
207 | void ipv6_netfilter_fini(void) | 213 | void ipv6_netfilter_fini(void) |
208 | { | 214 | { |
215 | RCU_INIT_POINTER(nf_ipv6_ops, NULL); | ||
209 | nf_unregister_afinfo(&nf_ip6_afinfo); | 216 | nf_unregister_afinfo(&nf_ip6_afinfo); |
210 | } | 217 | } |
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 07c865a31a3d..857ca9f35177 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c | |||
@@ -30,6 +30,8 @@ static DEFINE_MUTEX(afinfo_mutex); | |||
30 | 30 | ||
31 | const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; | 31 | const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; |
32 | EXPORT_SYMBOL(nf_afinfo); | 32 | EXPORT_SYMBOL(nf_afinfo); |
33 | const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; | ||
34 | EXPORT_SYMBOL_GPL(nf_ipv6_ops); | ||
33 | 35 | ||
34 | int nf_register_afinfo(const struct nf_afinfo *afinfo) | 36 | int nf_register_afinfo(const struct nf_afinfo *afinfo) |
35 | { | 37 | { |
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c index 49c5ff7f6dd6..68ff29f60867 100644 --- a/net/netfilter/xt_addrtype.c +++ b/net/netfilter/xt_addrtype.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include <net/ip6_fib.h> | 22 | #include <net/ip6_fib.h> |
23 | #endif | 23 | #endif |
24 | 24 | ||
25 | #include <linux/netfilter_ipv6.h> | ||
25 | #include <linux/netfilter/xt_addrtype.h> | 26 | #include <linux/netfilter/xt_addrtype.h> |
26 | #include <linux/netfilter/x_tables.h> | 27 | #include <linux/netfilter/x_tables.h> |
27 | 28 | ||
@@ -33,12 +34,12 @@ MODULE_ALIAS("ip6t_addrtype"); | |||
33 | 34 | ||
34 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) | 35 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
35 | static u32 match_lookup_rt6(struct net *net, const struct net_device *dev, | 36 | static u32 match_lookup_rt6(struct net *net, const struct net_device *dev, |
36 | const struct in6_addr *addr) | 37 | const struct in6_addr *addr, u16 mask) |
37 | { | 38 | { |
38 | const struct nf_afinfo *afinfo; | 39 | const struct nf_afinfo *afinfo; |
39 | struct flowi6 flow; | 40 | struct flowi6 flow; |
40 | struct rt6_info *rt; | 41 | struct rt6_info *rt; |
41 | u32 ret; | 42 | u32 ret = 0; |
42 | int route_err; | 43 | int route_err; |
43 | 44 | ||
44 | memset(&flow, 0, sizeof(flow)); | 45 | memset(&flow, 0, sizeof(flow)); |
@@ -49,12 +50,19 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev, | |||
49 | rcu_read_lock(); | 50 | rcu_read_lock(); |
50 | 51 | ||
51 | afinfo = nf_get_afinfo(NFPROTO_IPV6); | 52 | afinfo = nf_get_afinfo(NFPROTO_IPV6); |
52 | if (afinfo != NULL) | 53 | if (afinfo != NULL) { |
54 | const struct nf_ipv6_ops *v6ops; | ||
55 | |||
56 | if (dev && (mask & XT_ADDRTYPE_LOCAL)) { | ||
57 | v6ops = nf_get_ipv6_ops(); | ||
58 | if (v6ops && v6ops->chk_addr(net, addr, dev, true)) | ||
59 | ret = XT_ADDRTYPE_LOCAL; | ||
60 | } | ||
53 | route_err = afinfo->route(net, (struct dst_entry **)&rt, | 61 | route_err = afinfo->route(net, (struct dst_entry **)&rt, |
54 | flowi6_to_flowi(&flow), !!dev); | 62 | flowi6_to_flowi(&flow), false); |
55 | else | 63 | } else { |
56 | route_err = 1; | 64 | route_err = 1; |
57 | 65 | } | |
58 | rcu_read_unlock(); | 66 | rcu_read_unlock(); |
59 | 67 | ||
60 | if (route_err) | 68 | if (route_err) |
@@ -62,15 +70,12 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev, | |||
62 | 70 | ||
63 | if (rt->rt6i_flags & RTF_REJECT) | 71 | if (rt->rt6i_flags & RTF_REJECT) |
64 | ret = XT_ADDRTYPE_UNREACHABLE; | 72 | ret = XT_ADDRTYPE_UNREACHABLE; |
65 | else | ||
66 | ret = 0; | ||
67 | 73 | ||
68 | if (rt->rt6i_flags & RTF_LOCAL) | 74 | if (dev == NULL && rt->rt6i_flags & RTF_LOCAL) |
69 | ret |= XT_ADDRTYPE_LOCAL; | 75 | ret |= XT_ADDRTYPE_LOCAL; |
70 | if (rt->rt6i_flags & RTF_ANYCAST) | 76 | if (rt->rt6i_flags & RTF_ANYCAST) |
71 | ret |= XT_ADDRTYPE_ANYCAST; | 77 | ret |= XT_ADDRTYPE_ANYCAST; |
72 | 78 | ||
73 | |||
74 | dst_release(&rt->dst); | 79 | dst_release(&rt->dst); |
75 | return ret; | 80 | return ret; |
76 | } | 81 | } |
@@ -90,7 +95,7 @@ static bool match_type6(struct net *net, const struct net_device *dev, | |||
90 | 95 | ||
91 | if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST | | 96 | if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST | |
92 | XT_ADDRTYPE_UNREACHABLE) & mask) | 97 | XT_ADDRTYPE_UNREACHABLE) & mask) |
93 | return !!(mask & match_lookup_rt6(net, dev, addr)); | 98 | return !!(mask & match_lookup_rt6(net, dev, addr, mask)); |
94 | return true; | 99 | return true; |
95 | } | 100 | } |
96 | 101 | ||