aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/nf_tables_ipv6.c33
-rw-r--r--net/ipv6/netfilter/nft_chain_route_ipv6.c8
2 files changed, 34 insertions, 7 deletions
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index 3631d6238e6f..42f905a808a3 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -14,6 +14,7 @@
14#include <linux/ipv6.h> 14#include <linux/ipv6.h>
15#include <linux/netfilter_ipv6.h> 15#include <linux/netfilter_ipv6.h>
16#include <net/netfilter/nf_tables.h> 16#include <net/netfilter/nf_tables.h>
17#include <net/netfilter/nf_tables_ipv6.h>
17 18
18static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, 19static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
19 struct sk_buff *skb, 20 struct sk_buff *skb,
@@ -21,14 +22,18 @@ static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
21 const struct net_device *out, 22 const struct net_device *out,
22 int (*okfn)(struct sk_buff *)) 23 int (*okfn)(struct sk_buff *))
23{ 24{
25 struct nft_pktinfo pkt;
26
24 if (unlikely(skb->len < sizeof(struct ipv6hdr))) { 27 if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
25 if (net_ratelimit()) 28 if (net_ratelimit())
26 pr_info("nf_tables_ipv6: ignoring short SOCK_RAW " 29 pr_info("nf_tables_ipv6: ignoring short SOCK_RAW "
27 "packet\n"); 30 "packet\n");
28 return NF_ACCEPT; 31 return NF_ACCEPT;
29 } 32 }
33 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
34 return NF_DROP;
30 35
31 return nft_do_chain(ops, skb, in, out, okfn); 36 return nft_do_chain_pktinfo(&pkt, ops);
32} 37}
33 38
34static struct nft_af_info nft_af_ipv6 __read_mostly = { 39static struct nft_af_info nft_af_ipv6 __read_mostly = {
@@ -40,6 +45,22 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = {
40 }, 45 },
41}; 46};
42 47
48static unsigned int
49nft_do_chain_ipv6(const struct nf_hook_ops *ops,
50 struct sk_buff *skb,
51 const struct net_device *in,
52 const struct net_device *out,
53 int (*okfn)(struct sk_buff *))
54{
55 struct nft_pktinfo pkt;
56
57 /* malformed packet, drop it */
58 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
59 return NF_DROP;
60
61 return nft_do_chain_pktinfo(&pkt, ops);
62}
63
43static struct nf_chain_type filter_ipv6 = { 64static struct nf_chain_type filter_ipv6 = {
44 .family = NFPROTO_IPV6, 65 .family = NFPROTO_IPV6,
45 .name = "filter", 66 .name = "filter",
@@ -50,11 +71,11 @@ static struct nf_chain_type filter_ipv6 = {
50 (1 << NF_INET_PRE_ROUTING) | 71 (1 << NF_INET_PRE_ROUTING) |
51 (1 << NF_INET_POST_ROUTING), 72 (1 << NF_INET_POST_ROUTING),
52 .fn = { 73 .fn = {
53 [NF_INET_LOCAL_IN] = nft_do_chain, 74 [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
54 [NF_INET_LOCAL_OUT] = nft_do_chain, 75 [NF_INET_LOCAL_OUT] = nft_ipv6_output,
55 [NF_INET_FORWARD] = nft_do_chain, 76 [NF_INET_FORWARD] = nft_do_chain_ipv6,
56 [NF_INET_PRE_ROUTING] = nft_do_chain, 77 [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
57 [NF_INET_POST_ROUTING] = nft_do_chain, 78 [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
58 }, 79 },
59}; 80};
60 81
diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c
index 4cdc992fa067..3fe40f0456ad 100644
--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
@@ -19,6 +19,7 @@
19#include <linux/netfilter/nfnetlink.h> 19#include <linux/netfilter/nfnetlink.h>
20#include <linux/netfilter/nf_tables.h> 20#include <linux/netfilter/nf_tables.h>
21#include <net/netfilter/nf_tables.h> 21#include <net/netfilter/nf_tables.h>
22#include <net/netfilter/nf_tables_ipv6.h>
22#include <net/route.h> 23#include <net/route.h>
23 24
24static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, 25static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
@@ -28,10 +29,15 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
28 int (*okfn)(struct sk_buff *)) 29 int (*okfn)(struct sk_buff *))
29{ 30{
30 unsigned int ret; 31 unsigned int ret;
32 struct nft_pktinfo pkt;
31 struct in6_addr saddr, daddr; 33 struct in6_addr saddr, daddr;
32 u_int8_t hop_limit; 34 u_int8_t hop_limit;
33 u32 mark, flowlabel; 35 u32 mark, flowlabel;
34 36
37 /* malformed packet, drop it */
38 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
39 return NF_DROP;
40
35 /* save source/dest address, mark, hoplimit, flowlabel, priority */ 41 /* save source/dest address, mark, hoplimit, flowlabel, priority */
36 memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr)); 42 memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
37 memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr)); 43 memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr));
@@ -41,7 +47,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
41 /* flowlabel and prio (includes version, which shouldn't change either */ 47 /* flowlabel and prio (includes version, which shouldn't change either */
42 flowlabel = *((u32 *)ipv6_hdr(skb)); 48 flowlabel = *((u32 *)ipv6_hdr(skb));
43 49
44 ret = nft_do_chain(ops, skb, in, out, okfn); 50 ret = nft_do_chain_pktinfo(&pkt, ops);
45 if (ret != NF_DROP && ret != NF_QUEUE && 51 if (ret != NF_DROP && ret != NF_QUEUE &&
46 (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) || 52 (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
47 memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) || 53 memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-23 17:04:16 -0500