diff options
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/af_inet6.c | 7 | ||||
-rw-r--r-- | net/ipv6/netfilter.c | 62 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_queue.c | 24 |
3 files changed, 69 insertions, 24 deletions
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 28d9bcab0970..574047353628 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c | |||
@@ -44,6 +44,7 @@ | |||
44 | #include <linux/netdevice.h> | 44 | #include <linux/netdevice.h> |
45 | #include <linux/icmpv6.h> | 45 | #include <linux/icmpv6.h> |
46 | #include <linux/smp_lock.h> | 46 | #include <linux/smp_lock.h> |
47 | #include <linux/netfilter_ipv6.h> | ||
47 | 48 | ||
48 | #include <net/ip.h> | 49 | #include <net/ip.h> |
49 | #include <net/ipv6.h> | 50 | #include <net/ipv6.h> |
@@ -757,6 +758,9 @@ static int __init inet6_init(void) | |||
757 | err = igmp6_init(&inet6_family_ops); | 758 | err = igmp6_init(&inet6_family_ops); |
758 | if (err) | 759 | if (err) |
759 | goto igmp_fail; | 760 | goto igmp_fail; |
761 | err = ipv6_netfilter_init(); | ||
762 | if (err) | ||
763 | goto netfilter_fail; | ||
760 | /* Create /proc/foo6 entries. */ | 764 | /* Create /proc/foo6 entries. */ |
761 | #ifdef CONFIG_PROC_FS | 765 | #ifdef CONFIG_PROC_FS |
762 | err = -ENOMEM; | 766 | err = -ENOMEM; |
@@ -813,6 +817,8 @@ proc_tcp6_fail: | |||
813 | raw6_proc_exit(); | 817 | raw6_proc_exit(); |
814 | proc_raw6_fail: | 818 | proc_raw6_fail: |
815 | #endif | 819 | #endif |
820 | ipv6_netfilter_fini(); | ||
821 | netfilter_fail: | ||
816 | igmp6_cleanup(); | 822 | igmp6_cleanup(); |
817 | igmp_fail: | 823 | igmp_fail: |
818 | ndisc_cleanup(); | 824 | ndisc_cleanup(); |
@@ -852,6 +858,7 @@ static void __exit inet6_exit(void) | |||
852 | ip6_route_cleanup(); | 858 | ip6_route_cleanup(); |
853 | ipv6_packet_cleanup(); | 859 | ipv6_packet_cleanup(); |
854 | igmp6_cleanup(); | 860 | igmp6_cleanup(); |
861 | ipv6_netfilter_fini(); | ||
855 | ndisc_cleanup(); | 862 | ndisc_cleanup(); |
856 | icmpv6_cleanup(); | 863 | icmpv6_cleanup(); |
857 | #ifdef CONFIG_SYSCTL | 864 | #ifdef CONFIG_SYSCTL |
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 5656d0959aba..c8daef97cf56 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c | |||
@@ -5,6 +5,8 @@ | |||
5 | 5 | ||
6 | #include <linux/kernel.h> | 6 | #include <linux/kernel.h> |
7 | #include <linux/ipv6.h> | 7 | #include <linux/ipv6.h> |
8 | #include <linux/netfilter.h> | ||
9 | #include <linux/netfilter_ipv6.h> | ||
8 | #include <net/dst.h> | 10 | #include <net/dst.h> |
9 | #include <net/ipv6.h> | 11 | #include <net/ipv6.h> |
10 | #include <net/ip6_route.h> | 12 | #include <net/ip6_route.h> |
@@ -40,4 +42,64 @@ int ip6_route_me_harder(struct sk_buff *skb) | |||
40 | } | 42 | } |
41 | EXPORT_SYMBOL(ip6_route_me_harder); | 43 | EXPORT_SYMBOL(ip6_route_me_harder); |
42 | 44 | ||
45 | /* | ||
46 | * Extra routing may needed on local out, as the QUEUE target never | ||
47 | * returns control to the table. | ||
48 | */ | ||
49 | |||
50 | struct ip6_rt_info { | ||
51 | struct in6_addr daddr; | ||
52 | struct in6_addr saddr; | ||
53 | }; | ||
54 | |||
55 | static void save(const struct sk_buff *skb, struct nf_info *info) | ||
56 | { | ||
57 | struct ip6_rt_info *rt_info = nf_info_reroute(info); | ||
58 | |||
59 | if (info->hook == NF_IP6_LOCAL_OUT) { | ||
60 | struct ipv6hdr *iph = skb->nh.ipv6h; | ||
61 | |||
62 | rt_info->daddr = iph->daddr; | ||
63 | rt_info->saddr = iph->saddr; | ||
64 | } | ||
65 | } | ||
66 | |||
67 | static int reroute(struct sk_buff **pskb, const struct nf_info *info) | ||
68 | { | ||
69 | struct ip6_rt_info *rt_info = nf_info_reroute(info); | ||
70 | |||
71 | if (info->hook == NF_IP6_LOCAL_OUT) { | ||
72 | struct ipv6hdr *iph = (*pskb)->nh.ipv6h; | ||
73 | if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) || | ||
74 | !ipv6_addr_equal(&iph->saddr, &rt_info->saddr)) | ||
75 | return ip6_route_me_harder(*pskb); | ||
76 | } | ||
77 | return 0; | ||
78 | } | ||
79 | |||
80 | static struct nf_queue_rerouter ip6_reroute = { | ||
81 | .rer_size = sizeof(struct ip6_rt_info), | ||
82 | .save = &save, | ||
83 | .reroute = &reroute, | ||
84 | }; | ||
85 | |||
86 | int __init ipv6_netfilter_init(void) | ||
87 | { | ||
88 | return nf_register_queue_rerouter(PF_INET6, &ip6_reroute); | ||
89 | } | ||
90 | |||
91 | void ipv6_netfilter_fini(void) | ||
92 | { | ||
93 | nf_unregister_queue_rerouter(PF_INET6); | ||
94 | } | ||
95 | |||
96 | #else /* CONFIG_NETFILTER */ | ||
97 | int __init ipv6_netfilter_init(void) | ||
98 | { | ||
99 | return 0; | ||
100 | } | ||
101 | |||
102 | void ipv6_netfilter_fini(void) | ||
103 | { | ||
104 | } | ||
43 | #endif /* CONFIG_NETFILTER */ | 105 | #endif /* CONFIG_NETFILTER */ |
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index 1c3d247a22cc..c45d8f8815de 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c | |||
@@ -47,16 +47,10 @@ | |||
47 | #define NET_IPQ_QMAX 2088 | 47 | #define NET_IPQ_QMAX 2088 |
48 | #define NET_IPQ_QMAX_NAME "ip6_queue_maxlen" | 48 | #define NET_IPQ_QMAX_NAME "ip6_queue_maxlen" |
49 | 49 | ||
50 | struct ipq_rt_info { | ||
51 | struct in6_addr daddr; | ||
52 | struct in6_addr saddr; | ||
53 | }; | ||
54 | |||
55 | struct ipq_queue_entry { | 50 | struct ipq_queue_entry { |
56 | struct list_head list; | 51 | struct list_head list; |
57 | struct nf_info *info; | 52 | struct nf_info *info; |
58 | struct sk_buff *skb; | 53 | struct sk_buff *skb; |
59 | struct ipq_rt_info rt_info; | ||
60 | }; | 54 | }; |
61 | 55 | ||
62 | typedef int (*ipq_cmpfn)(struct ipq_queue_entry *, unsigned long); | 56 | typedef int (*ipq_cmpfn)(struct ipq_queue_entry *, unsigned long); |
@@ -302,13 +296,6 @@ ipq_enqueue_packet(struct sk_buff *skb, struct nf_info *info, void *data) | |||
302 | entry->info = info; | 296 | entry->info = info; |
303 | entry->skb = skb; | 297 | entry->skb = skb; |
304 | 298 | ||
305 | if (entry->info->hook == NF_IP_LOCAL_OUT) { | ||
306 | struct ipv6hdr *iph = skb->nh.ipv6h; | ||
307 | |||
308 | entry->rt_info.daddr = iph->daddr; | ||
309 | entry->rt_info.saddr = iph->saddr; | ||
310 | } | ||
311 | |||
312 | nskb = ipq_build_packet_message(entry, &status); | 299 | nskb = ipq_build_packet_message(entry, &status); |
313 | if (nskb == NULL) | 300 | if (nskb == NULL) |
314 | goto err_out_free; | 301 | goto err_out_free; |
@@ -389,17 +376,6 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e) | |||
389 | memcpy(e->skb->data, v->payload, v->data_len); | 376 | memcpy(e->skb->data, v->payload, v->data_len); |
390 | e->skb->ip_summed = CHECKSUM_NONE; | 377 | e->skb->ip_summed = CHECKSUM_NONE; |
391 | 378 | ||
392 | /* | ||
393 | * Extra routing may needed on local out, as the QUEUE target never | ||
394 | * returns control to the table. | ||
395 | * Not a nice way to cmp, but works | ||
396 | */ | ||
397 | if (e->info->hook == NF_IP_LOCAL_OUT) { | ||
398 | struct ipv6hdr *iph = e->skb->nh.ipv6h; | ||
399 | if (!ipv6_addr_equal(&iph->daddr, &e->rt_info.daddr) || | ||
400 | !ipv6_addr_equal(&iph->saddr, &e->rt_info.saddr)) | ||
401 | return ip6_route_me_harder(e->skb); | ||
402 | } | ||
403 | return 0; | 379 | return 0; |
404 | } | 380 | } |
405 | 381 | ||