+6 -96

include/linux/netfilter_ipv6.h

reviewed

··· 34 34 struct nf_queue_entry; 35 35 struct nf_bridge_frag_data; 36 36 37 37 - /* 38 38 - * Hook functions for ipv6 to allow xt_* modules to be built-in even 39 39 - * if IPv6 is a module. 40 40 - */ 41 41 - struct nf_ipv6_ops { 42 42 - #if IS_MODULE(CONFIG_IPV6) 43 43 - int (*chk_addr)(struct net *net, const struct in6_addr *addr, 44 44 - const struct net_device *dev, int strict); 45 45 - int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb); 46 46 - int (*dev_get_saddr)(struct net *net, const struct net_device *dev, 47 47 - const struct in6_addr *daddr, unsigned int srcprefs, 48 48 - struct in6_addr *saddr); 49 49 - int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl, 50 50 - bool strict); 51 51 - u32 (*cookie_init_sequence)(const struct ipv6hdr *iph, 52 52 - const struct tcphdr *th, u16 *mssp); 53 53 - int (*cookie_v6_check)(const struct ipv6hdr *iph, 54 54 - const struct tcphdr *th); 55 55 - #endif 56 56 - void (*route_input)(struct sk_buff *skb); 57 57 - int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb, 58 58 - int (*output)(struct net *, struct sock *, struct sk_buff *)); 59 59 - int (*reroute)(struct sk_buff *skb, const struct nf_queue_entry *entry); 60 60 - #if IS_MODULE(CONFIG_IPV6) 61 61 - int (*br_fragment)(struct net *net, struct sock *sk, 62 62 - struct sk_buff *skb, 63 63 - struct nf_bridge_frag_data *data, 64 64 - int (*output)(struct net *, struct sock *sk, 65 65 - const struct nf_bridge_frag_data *data, 66 66 - struct sk_buff *)); 67 67 - #endif 68 68 - }; 69 69 - 70 37 #ifdef CONFIG_NETFILTER 71 38 #include <net/addrconf.h> 72 72 - 73 73 - extern const struct nf_ipv6_ops __rcu *nf_ipv6_ops; 74 74 - static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void) 75 75 - { 76 76 - return rcu_dereference(nf_ipv6_ops); 77 77 - } 78 39 79 40 static inline int nf_ipv6_chk_addr(struct net *net, const struct in6_addr *addr, 80 41 const struct net_device *dev, int strict) 81 42 { 82 82 - #if IS_MODULE(CONFIG_IPV6) 83 83 - const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); 84 84 - 85 85 - if (!v6_ops) 86 86 - return 1; 87 87 - 88 88 - return v6_ops->chk_addr(net, addr, dev, strict); 89 89 - #elif IS_BUILTIN(CONFIG_IPV6) 43 43 + #if IS_ENABLED(CONFIG_IPV6) 90 44 return ipv6_chk_addr(net, addr, dev, strict); 91 45 #else 92 46 return 1; ··· 53 99 static inline int nf_ip6_route(struct net *net, struct dst_entry **dst, 54 100 struct flowi *fl, bool strict) 55 101 { 56 56 - #if IS_MODULE(CONFIG_IPV6) 57 57 - const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); 58 58 - 59 59 - if (v6ops) 60 60 - return v6ops->route(net, dst, fl, strict); 61 61 - 62 62 - return -EHOSTUNREACH; 63 63 - #endif 64 64 - #if IS_BUILTIN(CONFIG_IPV6) 102 102 + #if IS_ENABLED(CONFIG_IPV6) 65 103 return __nf_ip6_route(net, dst, fl, strict); 66 104 #else 67 105 return -EHOSTUNREACH; ··· 75 129 const struct nf_bridge_frag_data *data, 76 130 struct sk_buff *)) 77 131 { 78 78 - #if IS_MODULE(CONFIG_IPV6) 79 79 - const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); 80 80 - 81 81 - if (!v6_ops) 82 82 - return 1; 83 83 - 84 84 - return v6_ops->br_fragment(net, sk, skb, data, output); 85 85 - #elif IS_BUILTIN(CONFIG_IPV6) 132 132 + #if IS_ENABLED(CONFIG_IPV6) 86 133 return br_ip6_fragment(net, sk, skb, data, output); 87 134 #else 88 135 return 1; ··· 86 147 87 148 static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb) 88 149 { 89 89 - #if IS_MODULE(CONFIG_IPV6) 90 90 - const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); 91 91 - 92 92 - if (!v6_ops) 93 93 - return -EHOSTUNREACH; 94 94 - 95 95 - return v6_ops->route_me_harder(net, sk, skb); 96 96 - #elif IS_BUILTIN(CONFIG_IPV6) 150 150 + #if IS_ENABLED(CONFIG_IPV6) 97 151 return ip6_route_me_harder(net, sk, skb); 98 152 #else 99 153 return -EHOSTUNREACH; ··· 97 165 const struct tcphdr *th, 98 166 u16 *mssp) 99 167 { 100 100 - #if IS_ENABLED(CONFIG_SYN_COOKIES) 101 101 - #if IS_MODULE(CONFIG_IPV6) 102 102 - const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); 103 103 - 104 104 - if (v6_ops) 105 105 - return v6_ops->cookie_init_sequence(iph, th, mssp); 106 106 - #elif IS_BUILTIN(CONFIG_IPV6) 168 168 + #if IS_ENABLED(CONFIG_IPV6) && IS_ENABLED(CONFIG_SYN_COOKIES) 107 169 return __cookie_v6_init_sequence(iph, th, mssp); 108 108 - #endif 109 170 #endif 110 171 return 0; 111 172 } ··· 106 181 static inline int nf_cookie_v6_check(const struct ipv6hdr *iph, 107 182 const struct tcphdr *th) 108 183 { 109 109 - #if IS_ENABLED(CONFIG_SYN_COOKIES) 110 110 - #if IS_MODULE(CONFIG_IPV6) 111 111 - const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); 112 112 - 113 113 - if (v6_ops) 114 114 - return v6_ops->cookie_v6_check(iph, th); 115 115 - #elif IS_BUILTIN(CONFIG_IPV6) 184 184 + #if IS_ENABLED(CONFIG_IPV6) && IS_ENABLED(CONFIG_SYN_COOKIES) 116 185 return __cookie_v6_check(iph, th); 117 117 - #endif 118 186 #endif 119 187 return 0; 120 188 } ··· 116 198 unsigned int dataoff, u_int8_t protocol); 117 199 118 200 int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen); 119 119 - 120 120 - int ipv6_netfilter_init(void); 121 121 - void ipv6_netfilter_fini(void); 122 122 - 123 123 - #else /* CONFIG_NETFILTER */ 124 124 - static inline int ipv6_netfilter_init(void) { return 0; } 125 125 - static inline void ipv6_netfilter_fini(void) { return; } 126 126 - static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void) { return NULL; } 127 201 #endif /* CONFIG_NETFILTER */ 128 202 129 203 #endif /*__LINUX_IP6_NETFILTER_H*/

+3 -9

net/bridge/br_netfilter_hooks.c

reviewed

··· 32 32 33 33 #include <net/ip.h> 34 34 #include <net/ipv6.h> 35 35 + #include <net/ip6_route.h> 35 36 #include <net/addrconf.h> 36 37 #include <net/dst_metadata.h> 37 38 #include <net/route.h> ··· 891 890 } 892 891 if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) && 893 892 skb->protocol == htons(ETH_P_IPV6)) { 894 894 - const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); 895 893 struct brnf_frag_data *data; 896 894 897 895 if (br_validate_ipv6(net, skb)) ··· 906 906 skb_copy_from_linear_data_offset(skb, -data->size, data->mac, 907 907 data->size); 908 908 909 909 - if (v6ops) { 910 910 - ret = v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit); 911 911 - local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock); 912 912 - return ret; 913 913 - } 909 909 + ret = ip6_fragment(net, sk, skb, br_nf_push_frag_xmit); 914 910 local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock); 915 915 - 916 916 - kfree_skb(skb); 917 917 - return -EMSGSIZE; 911 911 + return ret; 918 912 } 919 913 nf_bridge_info_free(skb); 920 914 return br_dev_queue_push_xmit(net, sk, skb);

+3 -4

net/bridge/br_netfilter_ipv6.c

reviewed

··· 30 30 31 31 #include <net/ip.h> 32 32 #include <net/ipv6.h> 33 33 + #include <net/ip6_route.h> 33 34 #include <net/addrconf.h> 34 35 #include <net/route.h> 35 36 #include <net/netfilter/br_netfilter.h> ··· 96 95 97 96 /* PF_BRIDGE/PRE_ROUTING: Undo the changes made for ip6tables 98 97 * PREROUTING and continue the bridge PRE_ROUTING hook. See comment 99 99 - * for br_nf_pre_routing_finish(), same logic is used here but 100 100 - * equivalent IPv6 function ip6_route_input() called indirectly. 98 98 + * for br_nf_pre_routing_finish(), same logic is used here. 101 99 */ 102 100 static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struct sk_buff *skb) 103 101 { 104 102 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); 105 103 struct rtable *rt; 106 104 struct net_device *dev = skb->dev, *br_indev; 107 107 - const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops(); 108 105 109 106 br_indev = nf_bridge_get_physindev(skb, net); 110 107 if (!br_indev) { ··· 119 120 nf_bridge->in_prerouting = 0; 120 121 if (br_nf_ipv6_daddr_was_changed(skb, nf_bridge)) { 121 122 skb_dst_drop(skb); 122 122 - v6ops->route_input(skb); 123 123 + ip6_route_input(skb); 123 124 124 125 if (skb_dst(skb)->error) { 125 126 kfree_skb(skb);

-6

net/ipv6/af_inet6.c

reviewed

··· 38 38 #include <linux/inet.h> 39 39 #include <linux/netdevice.h> 40 40 #include <linux/icmpv6.h> 41 41 - #include <linux/netfilter_ipv6.h> 42 41 43 42 #include <net/ip.h> 44 43 #include <net/ipv6.h> ··· 1065 1066 if (err) 1066 1067 goto igmp_fail; 1067 1068 1068 1068 - err = ipv6_netfilter_init(); 1069 1069 - if (err) 1070 1070 - goto netfilter_fail; 1071 1069 /* Create /proc/foo6 entries. */ 1072 1070 #ifdef CONFIG_PROC_FS 1073 1071 err = -ENOMEM; ··· 1195 1199 raw6_proc_exit(); 1196 1200 proc_raw6_fail: 1197 1201 #endif 1198 1198 - ipv6_netfilter_fini(); 1199 1199 - netfilter_fail: 1200 1202 igmp6_cleanup(); 1201 1203 igmp_fail: 1202 1204 ndisc_cleanup();

-48

net/ipv6/netfilter.c

reviewed

··· 86 86 } 87 87 EXPORT_SYMBOL(ip6_route_me_harder); 88 88 89 89 - static int nf_ip6_reroute(struct sk_buff *skb, 90 90 - const struct nf_queue_entry *entry) 91 91 - { 92 92 - struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry); 93 93 - 94 94 - if (entry->state.hook == NF_INET_LOCAL_OUT) { 95 95 - const struct ipv6hdr *iph = ipv6_hdr(skb); 96 96 - if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) || 97 97 - !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) || 98 98 - skb->mark != rt_info->mark) 99 99 - return ip6_route_me_harder(entry->state.net, entry->state.sk, skb); 100 100 - } 101 101 - return 0; 102 102 - } 103 103 - 104 89 int __nf_ip6_route(struct net *net, struct dst_entry **dst, 105 90 struct flowi *fl, bool strict) 106 91 { ··· 228 243 return 0; 229 244 } 230 245 EXPORT_SYMBOL_GPL(br_ip6_fragment); 231 231 - 232 232 - static const struct nf_ipv6_ops ipv6ops = { 233 233 - #if IS_MODULE(CONFIG_IPV6) 234 234 - .chk_addr = ipv6_chk_addr, 235 235 - .route_me_harder = ip6_route_me_harder, 236 236 - .dev_get_saddr = ipv6_dev_get_saddr, 237 237 - .route = __nf_ip6_route, 238 238 - #if IS_ENABLED(CONFIG_SYN_COOKIES) 239 239 - .cookie_init_sequence = __cookie_v6_init_sequence, 240 240 - .cookie_v6_check = __cookie_v6_check, 241 241 - #endif 242 242 - #endif 243 243 - .route_input = ip6_route_input, 244 244 - .fragment = ip6_fragment, 245 245 - .reroute = nf_ip6_reroute, 246 246 - #if IS_MODULE(CONFIG_IPV6) 247 247 - .br_fragment = br_ip6_fragment, 248 248 - #endif 249 249 - }; 250 250 - 251 251 - int __init ipv6_netfilter_init(void) 252 252 - { 253 253 - RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops); 254 254 - return 0; 255 255 - } 256 256 - 257 257 - /* This can be called from inet6_init() on errors, so it cannot 258 258 - * be marked __exit. -DaveM 259 259 - */ 260 260 - void ipv6_netfilter_fini(void) 261 261 - { 262 262 - RCU_INIT_POINTER(nf_ipv6_ops, NULL); 263 263 - }

-3

net/netfilter/core.c

reviewed

··· 27 27 28 28 #include "nf_internals.h" 29 29 30 30 - const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 31 31 - EXPORT_SYMBOL_GPL(nf_ipv6_ops); 32 32 - 33 30 #ifdef CONFIG_JUMP_LABEL 34 31 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 35 32 EXPORT_SYMBOL(nf_hooks_needed);

+2 -19

net/netfilter/nf_nat_masquerade.c

reviewed

··· 220 220 }; 221 221 222 222 #if IS_ENABLED(CONFIG_IPV6) 223 223 - static int 224 224 - nat_ipv6_dev_get_saddr(struct net *net, const struct net_device *dev, 225 225 - const struct in6_addr *daddr, unsigned int srcprefs, 226 226 - struct in6_addr *saddr) 227 227 - { 228 228 - #ifdef CONFIG_IPV6_MODULE 229 229 - const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); 230 230 - 231 231 - if (!v6_ops) 232 232 - return -EHOSTUNREACH; 233 233 - 234 234 - return v6_ops->dev_get_saddr(net, dev, daddr, srcprefs, saddr); 235 235 - #else 236 236 - return ipv6_dev_get_saddr(net, dev, daddr, srcprefs, saddr); 237 237 - #endif 238 238 - } 239 239 - 240 223 unsigned int 241 224 nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range, 242 225 const struct net_device *out) ··· 234 251 WARN_ON(!(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED || 235 252 ctinfo == IP_CT_RELATED_REPLY))); 236 253 237 237 - if (nat_ipv6_dev_get_saddr(nf_ct_net(ct), out, 238 238 - &ipv6_hdr(skb)->daddr, 0, &src) < 0) 254 254 + if (ipv6_dev_get_saddr(nf_ct_net(ct), out, 255 255 + &ipv6_hdr(skb)->daddr, 0, &src) < 0) 239 256 return NF_DROP; 240 257 241 258 nat = nf_ct_nat_ext_add(ct);

+18 -4

net/netfilter/nfnetlink_queue.c

reviewed

··· 356 356 return 0; 357 357 } 358 358 359 359 + static int nf_ip6_reroute(struct sk_buff *skb, 360 360 + const struct nf_queue_entry *entry) 361 361 + { 362 362 + struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry); 363 363 + 364 364 + if (entry->state.hook == NF_INET_LOCAL_OUT) { 365 365 + const struct ipv6hdr *iph = ipv6_hdr(skb); 366 366 + 367 367 + if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) || 368 368 + !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) || 369 369 + skb->mark != rt_info->mark) 370 370 + return nf_ip6_route_me_harder(entry->state.net, 371 371 + entry->state.sk, skb); 372 372 + } 373 373 + return 0; 374 374 + } 375 375 + 359 376 static int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry) 360 377 { 361 361 - const struct nf_ipv6_ops *v6ops; 362 378 int ret = 0; 363 379 364 380 switch (entry->state.pf) { ··· 382 366 ret = nf_ip_reroute(skb, entry); 383 367 break; 384 368 case AF_INET6: 385 385 - v6ops = rcu_dereference(nf_ipv6_ops); 386 386 - if (v6ops) 387 387 - ret = v6ops->reroute(skb, entry); 369 369 + ret = nf_ip6_reroute(skb, entry); 388 370 break; 389 371 } 390 372 return ret;

-1

net/netfilter/utils.c

reviewed

··· 163 163 int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl, 164 164 bool strict, unsigned short family) 165 165 { 166 166 - const struct nf_ipv6_ops *v6ops __maybe_unused; 167 166 int ret = 0; 168 167 169 168 switch (family) {