struct nf_queue_entry;
struct nf_bridge_frag_data;
-/*
- * Hook functions for ipv6 to allow xt_* modules to be built-in even
- * if IPv6 is a module.
- */
-struct nf_ipv6_ops {
-#if IS_MODULE(CONFIG_IPV6)
- int (*chk_addr)(struct net *net, const struct in6_addr *addr,
- const struct net_device *dev, int strict);
- int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb);
- int (*dev_get_saddr)(struct net *net, const struct net_device *dev,
- const struct in6_addr *daddr, unsigned int srcprefs,
- struct in6_addr *saddr);
- int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
- bool strict);
- u32 (*cookie_init_sequence)(const struct ipv6hdr *iph,
- const struct tcphdr *th, u16 *mssp);
- int (*cookie_v6_check)(const struct ipv6hdr *iph,
- const struct tcphdr *th);
-#endif
- void (*route_input)(struct sk_buff *skb);
- int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,
- int (*output)(struct net *, struct sock *, struct sk_buff *));
- int (*reroute)(struct sk_buff *skb, const struct nf_queue_entry *entry);
-#if IS_MODULE(CONFIG_IPV6)
- int (*br_fragment)(struct net *net, struct sock *sk,
- struct sk_buff *skb,
- struct nf_bridge_frag_data *data,
- int (*output)(struct net *, struct sock *sk,
- const struct nf_bridge_frag_data *data,
- struct sk_buff *));
-#endif
-};
-
#ifdef CONFIG_NETFILTER
#include <net/addrconf.h>
-extern const struct nf_ipv6_ops __rcu *nf_ipv6_ops;
-static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void)
-{
- return rcu_dereference(nf_ipv6_ops);
-}
-
static inline int nf_ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
const struct net_device *dev, int strict)
{
-#if IS_MODULE(CONFIG_IPV6)
- const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
-
- if (!v6_ops)
- return 1;
-
- return v6_ops->chk_addr(net, addr, dev, strict);
-#elif IS_BUILTIN(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
return ipv6_chk_addr(net, addr, dev, strict);
#else
return 1;
static inline int nf_ip6_route(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict)
{
-#if IS_MODULE(CONFIG_IPV6)
- const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
-
- if (v6ops)
- return v6ops->route(net, dst, fl, strict);
-
- return -EHOSTUNREACH;
-#endif
-#if IS_BUILTIN(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
return __nf_ip6_route(net, dst, fl, strict);
#else
return -EHOSTUNREACH;
const struct nf_bridge_frag_data *data,
struct sk_buff *))
{
-#if IS_MODULE(CONFIG_IPV6)
- const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
-
- if (!v6_ops)
- return 1;
-
- return v6_ops->br_fragment(net, sk, skb, data, output);
-#elif IS_BUILTIN(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
return br_ip6_fragment(net, sk, skb, data, output);
#else
return 1;
static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb)
{
-#if IS_MODULE(CONFIG_IPV6)
- const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
-
- if (!v6_ops)
- return -EHOSTUNREACH;
-
- return v6_ops->route_me_harder(net, sk, skb);
-#elif IS_BUILTIN(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
return ip6_route_me_harder(net, sk, skb);
#else
return -EHOSTUNREACH;
const struct tcphdr *th,
u16 *mssp)
{
-#if IS_ENABLED(CONFIG_SYN_COOKIES)
-#if IS_MODULE(CONFIG_IPV6)
- const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
-
- if (v6_ops)
- return v6_ops->cookie_init_sequence(iph, th, mssp);
-#elif IS_BUILTIN(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6) && IS_ENABLED(CONFIG_SYN_COOKIES)
return __cookie_v6_init_sequence(iph, th, mssp);
-#endif
#endif
return 0;
}
static inline int nf_cookie_v6_check(const struct ipv6hdr *iph,
const struct tcphdr *th)
{
-#if IS_ENABLED(CONFIG_SYN_COOKIES)
-#if IS_MODULE(CONFIG_IPV6)
- const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
-
- if (v6_ops)
- return v6_ops->cookie_v6_check(iph, th);
-#elif IS_BUILTIN(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6) && IS_ENABLED(CONFIG_SYN_COOKIES)
return __cookie_v6_check(iph, th);
-#endif
#endif
return 0;
}
unsigned int dataoff, u_int8_t protocol);
int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen);
-
-int ipv6_netfilter_init(void);
-void ipv6_netfilter_fini(void);
-
-#else /* CONFIG_NETFILTER */
-static inline int ipv6_netfilter_init(void) { return 0; }
-static inline void ipv6_netfilter_fini(void) { return; }
-static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void) { return NULL; }
#endif /* CONFIG_NETFILTER */
#endif /*__LINUX_IP6_NETFILTER_H*/
#include <net/ip.h>
#include <net/ipv6.h>
+#include <net/ip6_route.h>
#include <net/addrconf.h>
#include <net/dst_metadata.h>
#include <net/route.h>
}
if (IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) &&
skb->protocol == htons(ETH_P_IPV6)) {
- const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
struct brnf_frag_data *data;
if (br_validate_ipv6(net, skb))
skb_copy_from_linear_data_offset(skb, -data->size, data->mac,
data->size);
- if (v6ops) {
- ret = v6ops->fragment(net, sk, skb, br_nf_push_frag_xmit);
- local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock);
- return ret;
- }
+ ret = ip6_fragment(net, sk, skb, br_nf_push_frag_xmit);
local_unlock_nested_bh(&brnf_frag_data_storage.bh_lock);
-
- kfree_skb(skb);
- return -EMSGSIZE;
+ return ret;
}
nf_bridge_info_free(skb);
return br_dev_queue_push_xmit(net, sk, skb);
#include <net/ip.h>
#include <net/ipv6.h>
+#include <net/ip6_route.h>
#include <net/addrconf.h>
#include <net/route.h>
#include <net/netfilter/br_netfilter.h>
/* PF_BRIDGE/PRE_ROUTING: Undo the changes made for ip6tables
* PREROUTING and continue the bridge PRE_ROUTING hook. See comment
- * for br_nf_pre_routing_finish(), same logic is used here but
- * equivalent IPv6 function ip6_route_input() called indirectly.
+ * for br_nf_pre_routing_finish(), same logic is used here.
*/
static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struct sk_buff *skb)
{
struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
struct rtable *rt;
struct net_device *dev = skb->dev, *br_indev;
- const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
br_indev = nf_bridge_get_physindev(skb, net);
if (!br_indev) {
nf_bridge->in_prerouting = 0;
if (br_nf_ipv6_daddr_was_changed(skb, nf_bridge)) {
skb_dst_drop(skb);
- v6ops->route_input(skb);
+ ip6_route_input(skb);
if (skb_dst(skb)->error) {
kfree_skb(skb);
#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/icmpv6.h>
-#include <linux/netfilter_ipv6.h>
#include <net/ip.h>
#include <net/ipv6.h>
if (err)
goto igmp_fail;
- err = ipv6_netfilter_init();
- if (err)
- goto netfilter_fail;
/* Create /proc/foo6 entries. */
#ifdef CONFIG_PROC_FS
err = -ENOMEM;
raw6_proc_exit();
proc_raw6_fail:
#endif
- ipv6_netfilter_fini();
-netfilter_fail:
igmp6_cleanup();
igmp_fail:
ndisc_cleanup();
}
EXPORT_SYMBOL(ip6_route_me_harder);
-static int nf_ip6_reroute(struct sk_buff *skb,
- const struct nf_queue_entry *entry)
-{
- struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
-
- if (entry->state.hook == NF_INET_LOCAL_OUT) {
- const struct ipv6hdr *iph = ipv6_hdr(skb);
- if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
- !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
- skb->mark != rt_info->mark)
- return ip6_route_me_harder(entry->state.net, entry->state.sk, skb);
- }
- return 0;
-}
-
int __nf_ip6_route(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict)
{
return 0;
}
EXPORT_SYMBOL_GPL(br_ip6_fragment);
-
-static const struct nf_ipv6_ops ipv6ops = {
-#if IS_MODULE(CONFIG_IPV6)
- .chk_addr = ipv6_chk_addr,
- .route_me_harder = ip6_route_me_harder,
- .dev_get_saddr = ipv6_dev_get_saddr,
- .route = __nf_ip6_route,
-#if IS_ENABLED(CONFIG_SYN_COOKIES)
- .cookie_init_sequence = __cookie_v6_init_sequence,
- .cookie_v6_check = __cookie_v6_check,
-#endif
-#endif
- .route_input = ip6_route_input,
- .fragment = ip6_fragment,
- .reroute = nf_ip6_reroute,
-#if IS_MODULE(CONFIG_IPV6)
- .br_fragment = br_ip6_fragment,
-#endif
-};
-
-int __init ipv6_netfilter_init(void)
-{
- RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
- return 0;
-}
-
-/* This can be called from inet6_init() on errors, so it cannot
- * be marked __exit. -DaveM
- */
-void ipv6_netfilter_fini(void)
-{
- RCU_INIT_POINTER(nf_ipv6_ops, NULL);
-}
#include "nf_internals.h"
-const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
-EXPORT_SYMBOL_GPL(nf_ipv6_ops);
-
#ifdef CONFIG_JUMP_LABEL
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
EXPORT_SYMBOL(nf_hooks_needed);
};
#if IS_ENABLED(CONFIG_IPV6)
-static int
-nat_ipv6_dev_get_saddr(struct net *net, const struct net_device *dev,
- const struct in6_addr *daddr, unsigned int srcprefs,
- struct in6_addr *saddr)
-{
-#ifdef CONFIG_IPV6_MODULE
- const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
-
- if (!v6_ops)
- return -EHOSTUNREACH;
-
- return v6_ops->dev_get_saddr(net, dev, daddr, srcprefs, saddr);
-#else
- return ipv6_dev_get_saddr(net, dev, daddr, srcprefs, saddr);
-#endif
-}
-
unsigned int
nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
const struct net_device *out)
WARN_ON(!(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
ctinfo == IP_CT_RELATED_REPLY)));
- if (nat_ipv6_dev_get_saddr(nf_ct_net(ct), out,
- &ipv6_hdr(skb)->daddr, 0, &src) < 0)
+ if (ipv6_dev_get_saddr(nf_ct_net(ct), out,
+ &ipv6_hdr(skb)->daddr, 0, &src) < 0)
return NF_DROP;
nat = nf_ct_nat_ext_add(ct);
return 0;
}
+static int nf_ip6_reroute(struct sk_buff *skb,
+ const struct nf_queue_entry *entry)
+{
+ struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
+
+ if (entry->state.hook == NF_INET_LOCAL_OUT) {
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+
+ if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
+ !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
+ skb->mark != rt_info->mark)
+ return nf_ip6_route_me_harder(entry->state.net,
+ entry->state.sk, skb);
+ }
+ return 0;
+}
+
static int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry)
{
- const struct nf_ipv6_ops *v6ops;
int ret = 0;
switch (entry->state.pf) {
ret = nf_ip_reroute(skb, entry);
break;
case AF_INET6:
- v6ops = rcu_dereference(nf_ipv6_ops);
- if (v6ops)
- ret = v6ops->reroute(skb, entry);
+ ret = nf_ip6_reroute(skb, entry);
break;
}
return ret;
int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict, unsigned short family)
{
- const struct nf_ipv6_ops *v6ops __maybe_unused;
int ret = 0;
switch (family) {
projects / thirdparty / kernel / linux.git / commitdiff
