tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: nat: move specific NAT IPv6 to core

Move the specific NAT IPv6 core functions that are called from the
hooks from ip6table_nat.c to nf_nat_l3proto_ipv6.c. This prepares the
ground to allow iptables and nft to use the same NAT engine code that
comes in a follow up patch.

This also renames nf_nat_ipv6_fn to nft_nat_ipv6_fn in
net/ipv6/netfilter/nft_chain_nat_ipv6.c to avoid a compilation breakage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso 2a5538e9 65cd90ac

+275 -204
+37
include/net/netfilter/nf_nat_l3proto.h
··· 84 84 enum ip_conntrack_info ctinfo, 85 85 unsigned int hooknum, unsigned int hdrlen); 86 86 87 + unsigned int nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb, 88 + const struct net_device *in, 89 + const struct net_device *out, 90 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 91 + struct sk_buff *skb, 92 + const struct net_device *in, 93 + const struct net_device *out, 94 + struct nf_conn *ct)); 95 + 96 + unsigned int nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb, 97 + const struct net_device *in, 98 + const struct net_device *out, 99 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 100 + struct sk_buff *skb, 101 + const struct net_device *in, 102 + const struct net_device *out, 103 + struct nf_conn *ct)); 104 + 105 + unsigned int nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, 106 + struct sk_buff *skb, 107 + const struct net_device *in, 108 + const struct net_device *out, 109 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 110 + struct sk_buff *skb, 111 + const struct net_device *in, 112 + const struct net_device *out, 113 + struct nf_conn *ct)); 114 + 115 + unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, 116 + const struct net_device *in, 117 + const struct net_device *out, 118 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 119 + struct sk_buff *skb, 120 + const struct net_device *in, 121 + const struct net_device *out, 122 + struct nf_conn *ct)); 123 + 87 124 #endif /* _NF_NAT_L3PROTO_H */
+34 -199
net/ipv6/netfilter/ip6table_nat.c
··· 30 30 .af = NFPROTO_IPV6, 31 31 }; 32 32 33 - static unsigned int alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) 34 - { 35 - /* Force range to this IP; let proto decide mapping for 36 - * per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED). 37 - */ 38 - struct nf_nat_range range; 39 - 40 - range.flags = 0; 41 - pr_debug("Allocating NULL binding for %p (%pI6)\n", ct, 42 - HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ? 43 - &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip6 : 44 - &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip6); 45 - 46 - return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum)); 47 - } 48 - 49 - static unsigned int nf_nat_rule_find(struct sk_buff *skb, unsigned int hooknum, 50 - const struct net_device *in, 51 - const struct net_device *out, 52 - struct nf_conn *ct) 33 + static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops, 34 + struct sk_buff *skb, 35 + const struct net_device *in, 36 + const struct net_device *out, 37 + struct nf_conn *ct) 53 38 { 54 39 struct net *net = nf_ct_net(ct); 55 - unsigned int ret; 56 40 57 - ret = ip6t_do_table(skb, hooknum, in, out, net->ipv6.ip6table_nat); 58 - if (ret == NF_ACCEPT) { 59 - if (!nf_nat_initialized(ct, HOOK2MANIP(hooknum))) 60 - ret = alloc_null_binding(ct, hooknum); 61 - } 62 - return ret; 41 + return ip6t_do_table(skb, ops->hooknum, in, out, net->ipv6.ip6table_nat); 63 42 } 64 43 65 - static unsigned int 66 - nf_nat_ipv6_fn(const struct nf_hook_ops *ops, 67 - struct sk_buff *skb, 68 - const struct net_device *in, 69 - const struct net_device *out, 70 - int (*okfn)(struct sk_buff *)) 44 + static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops, 45 + struct sk_buff *skb, 46 + const struct net_device *in, 47 + const struct net_device *out, 48 + int (*okfn)(struct sk_buff *)) 71 49 { 72 - struct nf_conn *ct; 73 - enum ip_conntrack_info ctinfo; 74 - struct nf_conn_nat *nat; 75 - enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); 76 - __be16 frag_off; 77 - int hdrlen; 78 - u8 nexthdr; 79 - 80 - ct = nf_ct_get(skb, &ctinfo); 81 - /* Can't track? It's not due to stress, or conntrack would 82 - * have dropped it. Hence it's the user's responsibilty to 83 - * packet filter it out, or implement conntrack/NAT for that 84 - * protocol. 8) --RR 85 - */ 86 - if (!ct) 87 - return NF_ACCEPT; 88 - 89 - /* Don't try to NAT if this packet is not conntracked */ 90 - if (nf_ct_is_untracked(ct)) 91 - return NF_ACCEPT; 92 - 93 - nat = nf_ct_nat_ext_add(ct); 94 - if (nat == NULL) 95 - return NF_ACCEPT; 96 - 97 - switch (ctinfo) { 98 - case IP_CT_RELATED: 99 - case IP_CT_RELATED_REPLY: 100 - nexthdr = ipv6_hdr(skb)->nexthdr; 101 - hdrlen = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), 102 - &nexthdr, &frag_off); 103 - 104 - if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { 105 - if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo, 106 - ops->hooknum, 107 - hdrlen)) 108 - return NF_DROP; 109 - else 110 - return NF_ACCEPT; 111 - } 112 - /* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */ 113 - case IP_CT_NEW: 114 - /* Seen it before? This can happen for loopback, retrans, 115 - * or local packets. 116 - */ 117 - if (!nf_nat_initialized(ct, maniptype)) { 118 - unsigned int ret; 119 - 120 - ret = nf_nat_rule_find(skb, ops->hooknum, in, out, ct); 121 - if (ret != NF_ACCEPT) 122 - return ret; 123 - } else { 124 - pr_debug("Already setup manip %s for ct %p\n", 125 - maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", 126 - ct); 127 - if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 128 - goto oif_changed; 129 - } 130 - break; 131 - 132 - default: 133 - /* ESTABLISHED */ 134 - NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || 135 - ctinfo == IP_CT_ESTABLISHED_REPLY); 136 - if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 137 - goto oif_changed; 138 - } 139 - 140 - return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); 141 - 142 - oif_changed: 143 - nf_ct_kill_acct(ct, ctinfo, skb); 144 - return NF_DROP; 50 + return nf_nat_ipv6_fn(ops, skb, in, out, ip6table_nat_do_chain); 145 51 } 146 52 147 - static unsigned int 148 - nf_nat_ipv6_in(const struct nf_hook_ops *ops, 149 - struct sk_buff *skb, 150 - const struct net_device *in, 151 - const struct net_device *out, 152 - int (*okfn)(struct sk_buff *)) 53 + static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops, 54 + struct sk_buff *skb, 55 + const struct net_device *in, 56 + const struct net_device *out, 57 + int (*okfn)(struct sk_buff *)) 153 58 { 154 - unsigned int ret; 155 - struct in6_addr daddr = ipv6_hdr(skb)->daddr; 156 - 157 - ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 158 - if (ret != NF_DROP && ret != NF_STOLEN && 159 - ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) 160 - skb_dst_drop(skb); 161 - 162 - return ret; 59 + return nf_nat_ipv6_in(ops, skb, in, out, ip6table_nat_do_chain); 163 60 } 164 61 165 - static unsigned int 166 - nf_nat_ipv6_out(const struct nf_hook_ops *ops, 167 - struct sk_buff *skb, 168 - const struct net_device *in, 169 - const struct net_device *out, 170 - int (*okfn)(struct sk_buff *)) 62 + static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops, 63 + struct sk_buff *skb, 64 + const struct net_device *in, 65 + const struct net_device *out, 66 + int (*okfn)(struct sk_buff *)) 171 67 { 172 - #ifdef CONFIG_XFRM 173 - const struct nf_conn *ct; 174 - enum ip_conntrack_info ctinfo; 175 - int err; 176 - #endif 177 - unsigned int ret; 178 - 179 - /* root is playing with raw sockets. */ 180 - if (skb->len < sizeof(struct ipv6hdr)) 181 - return NF_ACCEPT; 182 - 183 - ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 184 - #ifdef CONFIG_XFRM 185 - if (ret != NF_DROP && ret != NF_STOLEN && 186 - !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && 187 - (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 188 - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 189 - 190 - if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, 191 - &ct->tuplehash[!dir].tuple.dst.u3) || 192 - (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && 193 - ct->tuplehash[dir].tuple.src.u.all != 194 - ct->tuplehash[!dir].tuple.dst.u.all)) { 195 - err = nf_xfrm_me_harder(skb, AF_INET6); 196 - if (err < 0) 197 - ret = NF_DROP_ERR(err); 198 - } 199 - } 200 - #endif 201 - return ret; 68 + return nf_nat_ipv6_out(ops, skb, in, out, ip6table_nat_do_chain); 202 69 } 203 70 204 - static unsigned int 205 - nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, 206 - struct sk_buff *skb, 207 - const struct net_device *in, 208 - const struct net_device *out, 209 - int (*okfn)(struct sk_buff *)) 71 + static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops, 72 + struct sk_buff *skb, 73 + const struct net_device *in, 74 + const struct net_device *out, 75 + int (*okfn)(struct sk_buff *)) 210 76 { 211 - const struct nf_conn *ct; 212 - enum ip_conntrack_info ctinfo; 213 - unsigned int ret; 214 - int err; 215 - 216 - /* root is playing with raw sockets. */ 217 - if (skb->len < sizeof(struct ipv6hdr)) 218 - return NF_ACCEPT; 219 - 220 - ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 221 - if (ret != NF_DROP && ret != NF_STOLEN && 222 - (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 223 - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 224 - 225 - if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, 226 - &ct->tuplehash[!dir].tuple.src.u3)) { 227 - err = ip6_route_me_harder(skb); 228 - if (err < 0) 229 - ret = NF_DROP_ERR(err); 230 - } 231 - #ifdef CONFIG_XFRM 232 - else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && 233 - ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && 234 - ct->tuplehash[dir].tuple.dst.u.all != 235 - ct->tuplehash[!dir].tuple.src.u.all) { 236 - err = nf_xfrm_me_harder(skb, AF_INET6); 237 - if (err < 0) 238 - ret = NF_DROP_ERR(err); 239 - } 240 - #endif 241 - } 242 - return ret; 77 + return nf_nat_ipv6_local_fn(ops, skb, in, out, ip6table_nat_do_chain); 243 78 } 244 79 245 80 static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = { 246 81 /* Before packet filtering, change destination */ 247 82 { 248 - .hook = nf_nat_ipv6_in, 83 + .hook = ip6table_nat_in, 249 84 .owner = THIS_MODULE, 250 85 .pf = NFPROTO_IPV6, 251 86 .hooknum = NF_INET_PRE_ROUTING, ··· 88 253 }, 89 254 /* After packet filtering, change source */ 90 255 { 91 - .hook = nf_nat_ipv6_out, 256 + .hook = ip6table_nat_out, 92 257 .owner = THIS_MODULE, 93 258 .pf = NFPROTO_IPV6, 94 259 .hooknum = NF_INET_POST_ROUTING, ··· 96 261 }, 97 262 /* Before packet filtering, change destination */ 98 263 { 99 - .hook = nf_nat_ipv6_local_fn, 264 + .hook = ip6table_nat_local_fn, 100 265 .owner = THIS_MODULE, 101 266 .pf = NFPROTO_IPV6, 102 267 .hooknum = NF_INET_LOCAL_OUT, ··· 104 269 }, 105 270 /* After packet filtering, change source */ 106 271 { 107 - .hook = nf_nat_ipv6_fn, 272 + .hook = ip6table_nat_fn, 108 273 .owner = THIS_MODULE, 109 274 .pf = NFPROTO_IPV6, 110 275 .hooknum = NF_INET_LOCAL_IN,
+199
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
··· 261 261 } 262 262 EXPORT_SYMBOL_GPL(nf_nat_icmpv6_reply_translation); 263 263 264 + unsigned int 265 + nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, 266 + const struct net_device *in, const struct net_device *out, 267 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 268 + struct sk_buff *skb, 269 + const struct net_device *in, 270 + const struct net_device *out, 271 + struct nf_conn *ct)) 272 + { 273 + struct nf_conn *ct; 274 + enum ip_conntrack_info ctinfo; 275 + struct nf_conn_nat *nat; 276 + enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); 277 + __be16 frag_off; 278 + int hdrlen; 279 + u8 nexthdr; 280 + 281 + ct = nf_ct_get(skb, &ctinfo); 282 + /* Can't track? It's not due to stress, or conntrack would 283 + * have dropped it. Hence it's the user's responsibilty to 284 + * packet filter it out, or implement conntrack/NAT for that 285 + * protocol. 8) --RR 286 + */ 287 + if (!ct) 288 + return NF_ACCEPT; 289 + 290 + /* Don't try to NAT if this packet is not conntracked */ 291 + if (nf_ct_is_untracked(ct)) 292 + return NF_ACCEPT; 293 + 294 + nat = nf_ct_nat_ext_add(ct); 295 + if (nat == NULL) 296 + return NF_ACCEPT; 297 + 298 + switch (ctinfo) { 299 + case IP_CT_RELATED: 300 + case IP_CT_RELATED_REPLY: 301 + nexthdr = ipv6_hdr(skb)->nexthdr; 302 + hdrlen = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), 303 + &nexthdr, &frag_off); 304 + 305 + if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { 306 + if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo, 307 + ops->hooknum, 308 + hdrlen)) 309 + return NF_DROP; 310 + else 311 + return NF_ACCEPT; 312 + } 313 + /* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */ 314 + case IP_CT_NEW: 315 + /* Seen it before? This can happen for loopback, retrans, 316 + * or local packets. 317 + */ 318 + if (!nf_nat_initialized(ct, maniptype)) { 319 + unsigned int ret; 320 + 321 + ret = do_chain(ops, skb, in, out, ct); 322 + if (ret != NF_ACCEPT) 323 + return ret; 324 + 325 + if (nf_nat_initialized(ct, HOOK2MANIP(ops->hooknum))) 326 + break; 327 + 328 + ret = nf_nat_alloc_null_binding(ct, ops->hooknum); 329 + if (ret != NF_ACCEPT) 330 + return ret; 331 + } else { 332 + pr_debug("Already setup manip %s for ct %p\n", 333 + maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", 334 + ct); 335 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 336 + goto oif_changed; 337 + } 338 + break; 339 + 340 + default: 341 + /* ESTABLISHED */ 342 + NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || 343 + ctinfo == IP_CT_ESTABLISHED_REPLY); 344 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 345 + goto oif_changed; 346 + } 347 + 348 + return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); 349 + 350 + oif_changed: 351 + nf_ct_kill_acct(ct, ctinfo, skb); 352 + return NF_DROP; 353 + } 354 + EXPORT_SYMBOL_GPL(nf_nat_ipv6_fn); 355 + 356 + unsigned int 357 + nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb, 358 + const struct net_device *in, const struct net_device *out, 359 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 360 + struct sk_buff *skb, 361 + const struct net_device *in, 362 + const struct net_device *out, 363 + struct nf_conn *ct)) 364 + { 365 + unsigned int ret; 366 + struct in6_addr daddr = ipv6_hdr(skb)->daddr; 367 + 368 + ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain); 369 + if (ret != NF_DROP && ret != NF_STOLEN && 370 + ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) 371 + skb_dst_drop(skb); 372 + 373 + return ret; 374 + } 375 + EXPORT_SYMBOL_GPL(nf_nat_ipv6_in); 376 + 377 + unsigned int 378 + nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb, 379 + const struct net_device *in, const struct net_device *out, 380 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 381 + struct sk_buff *skb, 382 + const struct net_device *in, 383 + const struct net_device *out, 384 + struct nf_conn *ct)) 385 + { 386 + #ifdef CONFIG_XFRM 387 + const struct nf_conn *ct; 388 + enum ip_conntrack_info ctinfo; 389 + int err; 390 + #endif 391 + unsigned int ret; 392 + 393 + /* root is playing with raw sockets. */ 394 + if (skb->len < sizeof(struct ipv6hdr)) 395 + return NF_ACCEPT; 396 + 397 + ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain); 398 + #ifdef CONFIG_XFRM 399 + if (ret != NF_DROP && ret != NF_STOLEN && 400 + !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && 401 + (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 402 + enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 403 + 404 + if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, 405 + &ct->tuplehash[!dir].tuple.dst.u3) || 406 + (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && 407 + ct->tuplehash[dir].tuple.src.u.all != 408 + ct->tuplehash[!dir].tuple.dst.u.all)) { 409 + err = nf_xfrm_me_harder(skb, AF_INET6); 410 + if (err < 0) 411 + ret = NF_DROP_ERR(err); 412 + } 413 + } 414 + #endif 415 + return ret; 416 + } 417 + EXPORT_SYMBOL_GPL(nf_nat_ipv6_out); 418 + 419 + unsigned int 420 + nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, 421 + const struct net_device *in, const struct net_device *out, 422 + unsigned int (*do_chain)(const struct nf_hook_ops *ops, 423 + struct sk_buff *skb, 424 + const struct net_device *in, 425 + const struct net_device *out, 426 + struct nf_conn *ct)) 427 + { 428 + const struct nf_conn *ct; 429 + enum ip_conntrack_info ctinfo; 430 + unsigned int ret; 431 + int err; 432 + 433 + /* root is playing with raw sockets. */ 434 + if (skb->len < sizeof(struct ipv6hdr)) 435 + return NF_ACCEPT; 436 + 437 + ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain); 438 + if (ret != NF_DROP && ret != NF_STOLEN && 439 + (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 440 + enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 441 + 442 + if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, 443 + &ct->tuplehash[!dir].tuple.src.u3)) { 444 + err = ip6_route_me_harder(skb); 445 + if (err < 0) 446 + ret = NF_DROP_ERR(err); 447 + } 448 + #ifdef CONFIG_XFRM 449 + else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && 450 + ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && 451 + ct->tuplehash[dir].tuple.dst.u.all != 452 + ct->tuplehash[!dir].tuple.src.u.all) { 453 + err = nf_xfrm_me_harder(skb, AF_INET6); 454 + if (err < 0) 455 + ret = NF_DROP_ERR(err); 456 + } 457 + #endif 458 + } 459 + return ret; 460 + } 461 + EXPORT_SYMBOL_GPL(nf_nat_ipv6_local_fn); 462 + 264 463 static int __init nf_nat_l3proto_ipv6_init(void) 265 464 { 266 465 int err;
+5 -5
net/ipv6/netfilter/nft_chain_nat_ipv6.c
··· 28 28 * IPv6 NAT chains 29 29 */ 30 30 31 - static unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops, 31 + static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops, 32 32 struct sk_buff *skb, 33 33 const struct net_device *in, 34 34 const struct net_device *out, ··· 97 97 struct in6_addr daddr = ipv6_hdr(skb)->daddr; 98 98 unsigned int ret; 99 99 100 - ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 100 + ret = nft_nat_ipv6_fn(ops, skb, in, out, okfn); 101 101 if (ret != NF_DROP && ret != NF_STOLEN && 102 102 ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) 103 103 skb_dst_drop(skb); ··· 115 115 const struct nf_conn *ct __maybe_unused; 116 116 unsigned int ret; 117 117 118 - ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 118 + ret = nft_nat_ipv6_fn(ops, skb, in, out, okfn); 119 119 #ifdef CONFIG_XFRM 120 120 if (ret != NF_DROP && ret != NF_STOLEN && 121 121 !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && ··· 143 143 const struct nf_conn *ct; 144 144 unsigned int ret; 145 145 146 - ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 146 + ret = nft_nat_ipv6_fn(ops, skb, in, out, okfn); 147 147 if (ret != NF_DROP && ret != NF_STOLEN && 148 148 (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 149 149 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); ··· 177 177 [NF_INET_PRE_ROUTING] = nf_nat_ipv6_prerouting, 178 178 [NF_INET_POST_ROUTING] = nf_nat_ipv6_postrouting, 179 179 [NF_INET_LOCAL_OUT] = nf_nat_ipv6_output, 180 - [NF_INET_LOCAL_IN] = nf_nat_ipv6_fn, 180 + [NF_INET_LOCAL_IN] = nft_nat_ipv6_fn, 181 181 }, 182 182 }; 183 183