4 files changed, 83 insertions, 1 deletions
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index f81f59686f21..f2610e157660 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -414,7 +414,7 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
        addr_type = ipv6_addr_type(&hdr->daddr);
        if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
-            ipv6_anycast_destination(skb))
+            ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
                saddr = &hdr->daddr;
        /*
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 35750df744dc..4bff1f297e39 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -50,6 +50,11 @@ config NFT_CHAIN_NAT_IPV6
          packet transformations such as the source, destination address and
          source and destination ports.
+config NFT_REJECT_IPV6
+        depends on NF_TABLES_IPV6
+        default NFT_REJECT
+        tristate
 config IP6_NF_IPTABLES
        tristate "IP6 tables support (required for filtering)"
        depends on INET && IPV6
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index d1b4928f34f7..70d3dd66f2cd 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -27,6 +27,7 @@ obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
 obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
+obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
 # matches
 obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c
new file mode 100644
index 000000000000..0bc19fa87821
--- /dev/null
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_reject.h>
+#include <net/netfilter/ipv6/nf_reject.h>
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
+                          struct nft_data data[NFT_REG_MAX + 1],
+                          const struct nft_pktinfo *pkt)
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                nf_send_unreach6(net, pkt->skb, priv->icmp_code,
+                                 pkt->ops->hooknum);
+                break;
+        case NFT_REJECT_TCP_RST:
+                nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
+                break;
+        }
+        data[NFT_REG_VERDICT].verdict = NF_DROP;
+}
+EXPORT_SYMBOL_GPL(nft_reject_ipv6_eval);
+static struct nft_expr_type nft_reject_ipv6_type;
+static const struct nft_expr_ops nft_reject_ipv6_ops = {
+        .type           = &nft_reject_ipv6_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+        .eval           = nft_reject_ipv6_eval,
+        .init           = nft_reject_init,
+        .dump           = nft_reject_dump,
+};
+static struct nft_expr_type nft_reject_ipv6_type __read_mostly = {
+        .family         = NFPROTO_IPV6,
+        .name           = "reject",
+        .ops            = &nft_reject_ipv6_ops,
+        .policy         = nft_reject_policy,
+        .maxattr        = NFTA_REJECT_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_reject_ipv6_module_init(void)
+{
+        return nft_register_expr(&nft_reject_ipv6_type);
+}
+static void __exit nft_reject_ipv6_module_exit(void)
+{
+        nft_unregister_expr(&nft_reject_ipv6_type);
+}
+module_init(nft_reject_ipv6_module_init);
+module_exit(nft_reject_ipv6_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject");

diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index f81f59686f21..f2610e157660 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c
@@ -414,7 +414,7 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
414	addr_type = ipv6_addr_type(&hdr->daddr);	414	addr_type = ipv6_addr_type(&hdr->daddr);
415		415
416	if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) \|\|	416	if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) \|\|
417	ipv6_anycast_destination(skb))	417	ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
418	saddr = &hdr->daddr;	418	saddr = &hdr->daddr;
419		419
420	/*	420	/*


diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 35750df744dc..4bff1f297e39 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -50,6 +50,11 @@ config NFT_CHAIN_NAT_IPV6
50	packet transformations such as the source, destination address and	50	packet transformations such as the source, destination address and
51	source and destination ports.	51	source and destination ports.
52		52
		53	config NFT_REJECT_IPV6
		54	depends on NF_TABLES_IPV6
		55	default NFT_REJECT
		56	tristate
		57
53	config IP6_NF_IPTABLES	58	config IP6_NF_IPTABLES
54	tristate "IP6 tables support (required for filtering)"	59	tristate "IP6 tables support (required for filtering)"
55	depends on INET && IPV6	60	depends on INET && IPV6


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index d1b4928f34f7..70d3dd66f2cd 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -27,6 +27,7 @@ obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
27	obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o	27	obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
28	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o	28	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
29	obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o	29	obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
		30	obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
30		31
31	# matches	32	# matches
32	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o	33	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o


diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c new file mode 100644 index 000000000000..0bc19fa87821 --- /dev/null +++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -0,0 +1,76 @@
		1	/*
		2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
		3	* Copyright (c) 2013 Eric Leblond <eric@regit.org>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*
		9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
		10	*/
		11
		12	#include <linux/kernel.h>
		13	#include <linux/init.h>
		14	#include <linux/module.h>
		15	#include <linux/netlink.h>
		16	#include <linux/netfilter.h>
		17	#include <linux/netfilter/nf_tables.h>
		18	#include <net/netfilter/nf_tables.h>
		19	#include <net/netfilter/nft_reject.h>
		20	#include <net/netfilter/ipv6/nf_reject.h>
		21
		22	void nft_reject_ipv6_eval(const struct nft_expr *expr,
		23	struct nft_data data[NFT_REG_MAX + 1],
		24	const struct nft_pktinfo *pkt)
		25	{
		26	struct nft_reject *priv = nft_expr_priv(expr);
		27	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
		28
		29	switch (priv->type) {
		30	case NFT_REJECT_ICMP_UNREACH:
		31	nf_send_unreach6(net, pkt->skb, priv->icmp_code,
		32	pkt->ops->hooknum);
		33	break;
		34	case NFT_REJECT_TCP_RST:
		35	nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
		36	break;
		37	}
		38
		39	data[NFT_REG_VERDICT].verdict = NF_DROP;
		40	}
		41	EXPORT_SYMBOL_GPL(nft_reject_ipv6_eval);
		42
		43	static struct nft_expr_type nft_reject_ipv6_type;
		44	static const struct nft_expr_ops nft_reject_ipv6_ops = {
		45	.type = &nft_reject_ipv6_type,
		46	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
		47	.eval = nft_reject_ipv6_eval,
		48	.init = nft_reject_init,
		49	.dump = nft_reject_dump,
		50	};
		51
		52	static struct nft_expr_type nft_reject_ipv6_type __read_mostly = {
		53	.family = NFPROTO_IPV6,
		54	.name = "reject",
		55	.ops = &nft_reject_ipv6_ops,
		56	.policy = nft_reject_policy,
		57	.maxattr = NFTA_REJECT_MAX,
		58	.owner = THIS_MODULE,
		59	};
		60
		61	static int __init nft_reject_ipv6_module_init(void)
		62	{
		63	return nft_register_expr(&nft_reject_ipv6_type);
		64	}
		65
		66	static void __exit nft_reject_ipv6_module_exit(void)
		67	{
		68	nft_unregister_expr(&nft_reject_ipv6_type);
		69	}
		70
		71	module_init(nft_reject_ipv6_module_init);
		72	module_exit(nft_reject_ipv6_module_exit);
		73
		74	MODULE_LICENSE("GPL");
		75	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		76	MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject");