tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
[NETFILTER]: Introduce NF_INET_ hook values
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
authored by
Patrick McHardy
and committed by
David S. Miller
6e23ae2a
1bf06cd2
+321
-302
+9
include/linux/netfilter.h
+9
include/linux/netfilter.h
+2
-2
include/linux/netfilter/x_tables.h
+2
-2
include/linux/netfilter/x_tables.h
···
265
265
unsigned int initial_entries;
266
266
267
267
/* Entry points and underflows */
268
-
unsigned int hook_entry[NF_IP_NUMHOOKS];
269
-
unsigned int underflow[NF_IP_NUMHOOKS];
268
+
unsigned int hook_entry[NF_INET_NUMHOOKS];
269
+
unsigned int underflow[NF_INET_NUMHOOKS];
270
270
271
271
/* ipt_entry tables: one per CPU */
272
272
char *entries[NR_CPUS];
+1
-1
include/linux/netfilter_ipv4.h
+1
-1
include/linux/netfilter_ipv4.h
···
36
36
#define NFC_IP_DST_PT 0x0400
37
37
/* Something else about the proto */
38
38
#define NFC_IP_PROTO_UNKNOWN 0x2000
39
-
#endif /* ! __KERNEL__ */
40
39
41
40
/* IP Hooks */
42
41
/* After promisc drops, checksum checks. */
···
49
50
/* Packets about to hit the wire. */
50
51
#define NF_IP_POST_ROUTING 4
51
52
#define NF_IP_NUMHOOKS 5
53
+
#endif /* ! __KERNEL__ */
52
54
53
55
enum nf_ip_hook_priorities {
54
56
NF_IP_PRI_FIRST = INT_MIN,
+4
-4
include/linux/netfilter_ipv4/ip_tables.h
+4
-4
include/linux/netfilter_ipv4/ip_tables.h
···
156
156
unsigned int valid_hooks;
157
157
158
158
/* Hook entry points: one per netfilter hook. */
159
-
unsigned int hook_entry[NF_IP_NUMHOOKS];
159
+
unsigned int hook_entry[NF_INET_NUMHOOKS];
160
160
161
161
/* Underflow points. */
162
-
unsigned int underflow[NF_IP_NUMHOOKS];
162
+
unsigned int underflow[NF_INET_NUMHOOKS];
163
163
164
164
/* Number of entries */
165
165
unsigned int num_entries;
···
185
185
unsigned int size;
186
186
187
187
/* Hook entry points. */
188
-
unsigned int hook_entry[NF_IP_NUMHOOKS];
188
+
unsigned int hook_entry[NF_INET_NUMHOOKS];
189
189
190
190
/* Underflow points. */
191
-
unsigned int underflow[NF_IP_NUMHOOKS];
191
+
unsigned int underflow[NF_INET_NUMHOOKS];
192
192
193
193
/* Information about old entries: */
194
194
/* Number of counters (must be equal to current number of entries). */
+1
-2
include/linux/netfilter_ipv6.h
+1
-2
include/linux/netfilter_ipv6.h
···
40
40
#define NFC_IP6_DST_PT 0x0400
41
41
/* Something else about the proto */
42
42
#define NFC_IP6_PROTO_UNKNOWN 0x2000
43
-
#endif /* ! __KERNEL__ */
44
-
45
43
46
44
/* IP6 Hooks */
47
45
/* After promisc drops, checksum checks. */
···
53
55
/* Packets about to hit the wire. */
54
56
#define NF_IP6_POST_ROUTING 4
55
57
#define NF_IP6_NUMHOOKS 5
58
+
#endif /* ! __KERNEL__ */
56
59
57
60
58
61
enum nf_ip6_hook_priorities {
+4
-4
include/linux/netfilter_ipv6/ip6_tables.h
+4
-4
include/linux/netfilter_ipv6/ip6_tables.h
···
216
216
unsigned int valid_hooks;
217
217
218
218
/* Hook entry points: one per netfilter hook. */
219
-
unsigned int hook_entry[NF_IP6_NUMHOOKS];
219
+
unsigned int hook_entry[NF_INET_NUMHOOKS];
220
220
221
221
/* Underflow points. */
222
-
unsigned int underflow[NF_IP6_NUMHOOKS];
222
+
unsigned int underflow[NF_INET_NUMHOOKS];
223
223
224
224
/* Number of entries */
225
225
unsigned int num_entries;
···
245
245
unsigned int size;
246
246
247
247
/* Hook entry points. */
248
-
unsigned int hook_entry[NF_IP6_NUMHOOKS];
248
+
unsigned int hook_entry[NF_INET_NUMHOOKS];
249
249
250
250
/* Underflow points. */
251
-
unsigned int underflow[NF_IP6_NUMHOOKS];
251
+
unsigned int underflow[NF_INET_NUMHOOKS];
252
252
253
253
/* Information about old entries: */
254
254
/* Number of counters (must be equal to current number of entries). */
+2
-1
include/net/netfilter/nf_nat.h
+2
-1
include/net/netfilter/nf_nat.h
···
12
12
};
13
13
14
14
/* SRC manip occurs POST_ROUTING or LOCAL_IN */
15
-
#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
15
+
#define HOOK2MANIP(hooknum) ((hooknum) != NF_INET_POST_ROUTING && \
16
+
(hooknum) != NF_INET_LOCAL_IN)
16
17
17
18
#define IP_NAT_RANGE_MAP_IPS 1
18
19
#define IP_NAT_RANGE_PROTO_SPECIFIED 2
+6
-6
net/bridge/br_netfilter.c
+6
-6
net/bridge/br_netfilter.c
···
511
511
if (!setup_pre_routing(skb))
512
512
return NF_DROP;
513
513
514
-
NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
514
+
NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
515
515
br_nf_pre_routing_finish_ipv6);
516
516
517
517
return NF_STOLEN;
···
584
584
return NF_DROP;
585
585
store_orig_dstaddr(skb);
586
586
587
-
NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
587
+
NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
588
588
br_nf_pre_routing_finish);
589
589
590
590
return NF_STOLEN;
···
681
681
nf_bridge->mask |= BRNF_BRIDGED;
682
682
nf_bridge->physoutdev = skb->dev;
683
683
684
-
NF_HOOK(pf, NF_IP_FORWARD, skb, bridge_parent(in), parent,
684
+
NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
685
685
br_nf_forward_finish);
686
686
687
687
return NF_STOLEN;
···
832
832
if (nf_bridge->netoutdev)
833
833
realoutdev = nf_bridge->netoutdev;
834
834
#endif
835
-
NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev,
835
+
NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
836
836
br_nf_dev_queue_xmit);
837
837
838
838
return NF_STOLEN;
···
905
905
{ .hook = ip_sabotage_in,
906
906
.owner = THIS_MODULE,
907
907
.pf = PF_INET,
908
-
.hooknum = NF_IP_PRE_ROUTING,
908
+
.hooknum = NF_INET_PRE_ROUTING,
909
909
.priority = NF_IP_PRI_FIRST, },
910
910
{ .hook = ip_sabotage_in,
911
911
.owner = THIS_MODULE,
912
912
.pf = PF_INET6,
913
-
.hooknum = NF_IP6_PRE_ROUTING,
913
+
.hooknum = NF_INET_PRE_ROUTING,
914
914
.priority = NF_IP6_PRI_FIRST, },
915
915
};
916
916
+3
-3
net/compat.c
+3
-3
net/compat.c
···
325
325
u32 valid_hooks;
326
326
u32 num_entries;
327
327
u32 size;
328
-
u32 hook_entry[NF_IP_NUMHOOKS];
329
-
u32 underflow[NF_IP_NUMHOOKS];
328
+
u32 hook_entry[NF_INET_NUMHOOKS];
329
+
u32 underflow[NF_INET_NUMHOOKS];
330
330
u32 num_counters;
331
331
compat_uptr_t counters; /* struct ipt_counters * */
332
332
struct ipt_entry entries[0];
···
391
391
origsize))
392
392
goto out;
393
393
394
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
394
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
395
395
if (__get_user(tmp32, &urepl->hook_entry[i]) ||
396
396
__put_user(tmp32, &repl_nat->hook_entry[i]) ||
397
397
__get_user(tmp32, &urepl->underflow[i]) ||
+1
-1
net/ipv4/ip_forward.c
+1
-1
net/ipv4/ip_forward.c
+2
-2
net/ipv4/ip_input.c
+2
-2
net/ipv4/ip_input.c
···
268
268
return 0;
269
269
}
270
270
271
-
return NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL,
271
+
return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
272
272
ip_local_deliver_finish);
273
273
}
274
274
···
442
442
/* Remove any debris in the socket control block */
443
443
memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
444
444
445
-
return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
445
+
return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, dev, NULL,
446
446
ip_rcv_finish);
447
447
448
448
inhdr_error:
+6
-6
net/ipv4/ip_output.c
+6
-6
net/ipv4/ip_output.c
···
97
97
98
98
iph->tot_len = htons(skb->len);
99
99
ip_send_check(iph);
100
-
return nf_hook(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, skb->dst->dev,
100
+
return nf_hook(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, skb->dst->dev,
101
101
dst_output);
102
102
}
103
103
···
270
270
) {
271
271
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
272
272
if (newskb)
273
-
NF_HOOK(PF_INET, NF_IP_POST_ROUTING, newskb, NULL,
274
-
newskb->dev,
273
+
NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb,
274
+
NULL, newskb->dev,
275
275
ip_dev_loopback_xmit);
276
276
}
277
277
···
286
286
if (rt->rt_flags&RTCF_BROADCAST) {
287
287
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
288
288
if (newskb)
289
-
NF_HOOK(PF_INET, NF_IP_POST_ROUTING, newskb, NULL,
289
+
NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, NULL,
290
290
newskb->dev, ip_dev_loopback_xmit);
291
291
}
292
292
293
-
return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
293
+
return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
294
294
ip_finish_output,
295
295
!(IPCB(skb)->flags & IPSKB_REROUTED));
296
296
}
···
304
304
skb->dev = dev;
305
305
skb->protocol = htons(ETH_P_IP);
306
306
307
-
return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
307
+
return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, dev,
308
308
ip_finish_output,
309
309
!(IPCB(skb)->flags & IPSKB_REROUTED));
310
310
}
+1
-1
net/ipv4/ipmr.c
+1
-1
net/ipv4/ipmr.c
···
1245
1245
* not mrouter) cannot join to more than one interface - it will
1246
1246
* result in receiving multiple packets.
1247
1247
*/
1248
-
NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, dev,
1248
+
NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, dev,
1249
1249
ipmr_forward_finish);
1250
1250
return;
1251
1251
+9
-9
net/ipv4/ipvs/ip_vs_core.c
+9
-9
net/ipv4/ipvs/ip_vs_core.c
···
481
481
482
482
483
483
/*
484
-
* It is hooked before NF_IP_PRI_NAT_SRC at the NF_IP_POST_ROUTING
484
+
* It is hooked before NF_IP_PRI_NAT_SRC at the NF_INET_POST_ROUTING
485
485
* chain, and is used for VS/NAT.
486
486
* It detects packets for VS/NAT connections and sends the packets
487
487
* immediately. This can avoid that iptable_nat mangles the packets
···
679
679
}
680
680
681
681
/*
682
-
* It is hooked at the NF_IP_FORWARD chain, used only for VS/NAT.
682
+
* It is hooked at the NF_INET_FORWARD chain, used only for VS/NAT.
683
683
* Check if outgoing packet belongs to the established ip_vs_conn,
684
684
* rewrite addresses of the packet and send it on its way...
685
685
*/
···
814
814
815
815
/* reassemble IP fragments */
816
816
if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
817
-
if (ip_vs_gather_frags(skb, hooknum == NF_IP_LOCAL_IN ?
817
+
if (ip_vs_gather_frags(skb, hooknum == NF_INET_LOCAL_IN ?
818
818
IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD))
819
819
return NF_STOLEN;
820
820
}
···
1003
1003
1004
1004
1005
1005
/*
1006
-
* It is hooked at the NF_IP_FORWARD chain, in order to catch ICMP
1006
+
* It is hooked at the NF_INET_FORWARD chain, in order to catch ICMP
1007
1007
* related packets destined for 0.0.0.0/0.
1008
1008
* When fwmark-based virtual service is used, such as transparent
1009
1009
* cache cluster, TCP packets can be marked and routed to ip_vs_in,
1010
1010
* but ICMP destined for 0.0.0.0/0 cannot not be easily marked and
1011
-
* sent to ip_vs_in_icmp. So, catch them at the NF_IP_FORWARD chain
1011
+
* sent to ip_vs_in_icmp. So, catch them at the NF_INET_FORWARD chain
1012
1012
* and send them to ip_vs_in_icmp.
1013
1013
*/
1014
1014
static unsigned int
···
1032
1032
.hook = ip_vs_in,
1033
1033
.owner = THIS_MODULE,
1034
1034
.pf = PF_INET,
1035
-
.hooknum = NF_IP_LOCAL_IN,
1035
+
.hooknum = NF_INET_LOCAL_IN,
1036
1036
.priority = 100,
1037
1037
};
1038
1038
···
1041
1041
.hook = ip_vs_out,
1042
1042
.owner = THIS_MODULE,
1043
1043
.pf = PF_INET,
1044
-
.hooknum = NF_IP_FORWARD,
1044
+
.hooknum = NF_INET_FORWARD,
1045
1045
.priority = 100,
1046
1046
};
1047
1047
···
1051
1051
.hook = ip_vs_forward_icmp,
1052
1052
.owner = THIS_MODULE,
1053
1053
.pf = PF_INET,
1054
-
.hooknum = NF_IP_FORWARD,
1054
+
.hooknum = NF_INET_FORWARD,
1055
1055
.priority = 99,
1056
1056
};
1057
1057
···
1060
1060
.hook = ip_vs_post_routing,
1061
1061
.owner = THIS_MODULE,
1062
1062
.pf = PF_INET,
1063
-
.hooknum = NF_IP_POST_ROUTING,
1063
+
.hooknum = NF_INET_POST_ROUTING,
1064
1064
.priority = NF_IP_PRI_NAT_SRC-1,
1065
1065
};
1066
1066
+1
-1
net/ipv4/ipvs/ip_vs_xmit.c
+1
-1
net/ipv4/ipvs/ip_vs_xmit.c
+4
-4
net/ipv4/netfilter.c
+4
-4
net/ipv4/netfilter.c
···
23
23
addr_type = type;
24
24
25
25
/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
26
-
* packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
26
+
* packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
27
27
*/
28
28
if (addr_type == RTN_LOCAL) {
29
29
fl.nl_u.ip4_u.daddr = iph->daddr;
···
126
126
{
127
127
struct ip_rt_info *rt_info = nf_info_reroute(info);
128
128
129
-
if (info->hook == NF_IP_LOCAL_OUT) {
129
+
if (info->hook == NF_INET_LOCAL_OUT) {
130
130
const struct iphdr *iph = ip_hdr(skb);
131
131
132
132
rt_info->tos = iph->tos;
···
139
139
{
140
140
const struct ip_rt_info *rt_info = nf_info_reroute(info);
141
141
142
-
if (info->hook == NF_IP_LOCAL_OUT) {
142
+
if (info->hook == NF_INET_LOCAL_OUT) {
143
143
const struct iphdr *iph = ip_hdr(skb);
144
144
145
145
if (!(iph->tos == rt_info->tos
···
158
158
159
159
switch (skb->ip_summed) {
160
160
case CHECKSUM_COMPLETE:
161
-
if (hook != NF_IP_PRE_ROUTING && hook != NF_IP_LOCAL_IN)
161
+
if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
162
162
break;
163
163
if ((protocol == 0 && !csum_fold(skb->csum)) ||
164
164
!csum_tcpudp_magic(iph->saddr, iph->daddr,
+22
-22
net/ipv4/netfilter/ip_tables.c
+22
-22
net/ipv4/netfilter/ip_tables.c
···
220
220
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
221
221
defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
222
222
static const char *hooknames[] = {
223
-
[NF_IP_PRE_ROUTING] = "PREROUTING",
224
-
[NF_IP_LOCAL_IN] = "INPUT",
225
-
[NF_IP_FORWARD] = "FORWARD",
226
-
[NF_IP_LOCAL_OUT] = "OUTPUT",
227
-
[NF_IP_POST_ROUTING] = "POSTROUTING",
223
+
[NF_INET_PRE_ROUTING] = "PREROUTING",
224
+
[NF_INET_LOCAL_IN] = "INPUT",
225
+
[NF_INET_FORWARD] = "FORWARD",
226
+
[NF_INET_LOCAL_OUT] = "OUTPUT",
227
+
[NF_INET_POST_ROUTING] = "POSTROUTING",
228
228
};
229
229
230
230
enum nf_ip_trace_comments {
···
465
465
466
466
/* No recursion; use packet counter to save back ptrs (reset
467
467
to 0 as we leave), and comefrom to save source hook bitmask */
468
-
for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
468
+
for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
469
469
unsigned int pos = newinfo->hook_entry[hook];
470
470
struct ipt_entry *e
471
471
= (struct ipt_entry *)(entry0 + pos);
···
481
481
= (void *)ipt_get_target(e);
482
482
int visited = e->comefrom & (1 << hook);
483
483
484
-
if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
484
+
if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
485
485
printk("iptables: loop hook %u pos %u %08X.\n",
486
486
hook, pos, e->comefrom);
487
487
return 0;
488
488
}
489
489
e->comefrom
490
-
|= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
490
+
|= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
491
491
492
492
/* Unconditional return/END. */
493
493
if ((e->target_offset == sizeof(struct ipt_entry)
···
507
507
/* Return: backtrack through the last
508
508
big jump. */
509
509
do {
510
-
e->comefrom ^= (1<<NF_IP_NUMHOOKS);
510
+
e->comefrom ^= (1<<NF_INET_NUMHOOKS);
511
511
#ifdef DEBUG_IP_FIREWALL_USER
512
512
if (e->comefrom
513
-
& (1 << NF_IP_NUMHOOKS)) {
513
+
& (1 << NF_INET_NUMHOOKS)) {
514
514
duprintf("Back unset "
515
515
"on hook %u "
516
516
"rule %u\n",
···
741
741
}
742
742
743
743
/* Check hooks & underflows */
744
-
for (h = 0; h < NF_IP_NUMHOOKS; h++) {
744
+
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
745
745
if ((unsigned char *)e - base == hook_entries[h])
746
746
newinfo->hook_entry[h] = hook_entries[h];
747
747
if ((unsigned char *)e - base == underflows[h])
···
795
795
newinfo->number = number;
796
796
797
797
/* Init all hooks to impossible value. */
798
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
798
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
799
799
newinfo->hook_entry[i] = 0xFFFFFFFF;
800
800
newinfo->underflow[i] = 0xFFFFFFFF;
801
801
}
···
819
819
}
820
820
821
821
/* Check hooks all assigned */
822
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
822
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
823
823
/* Only hooks which are valid */
824
824
if (!(valid_hooks & (1 << i)))
825
825
continue;
···
1107
1107
if (ret)
1108
1108
return ret;
1109
1109
1110
-
for (i = 0; i< NF_IP_NUMHOOKS; i++) {
1110
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1111
1111
if (info->hook_entry[i] && (e < (struct ipt_entry *)
1112
1112
(base + info->hook_entry[i])))
1113
1113
newinfo->hook_entry[i] -= off;
···
1130
1130
memset(newinfo, 0, sizeof(struct xt_table_info));
1131
1131
newinfo->size = info->size;
1132
1132
newinfo->number = info->number;
1133
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1133
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1134
1134
newinfo->hook_entry[i] = info->hook_entry[i];
1135
1135
newinfo->underflow[i] = info->underflow[i];
1136
1136
}
···
1479
1479
u32 valid_hooks;
1480
1480
u32 num_entries;
1481
1481
u32 size;
1482
-
u32 hook_entry[NF_IP_NUMHOOKS];
1483
-
u32 underflow[NF_IP_NUMHOOKS];
1482
+
u32 hook_entry[NF_INET_NUMHOOKS];
1483
+
u32 underflow[NF_INET_NUMHOOKS];
1484
1484
u32 num_counters;
1485
1485
compat_uptr_t counters; /* struct ipt_counters * */
1486
1486
struct compat_ipt_entry entries[0];
···
1645
1645
goto out;
1646
1646
1647
1647
/* Check hooks & underflows */
1648
-
for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1648
+
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1649
1649
if ((unsigned char *)e - base == hook_entries[h])
1650
1650
newinfo->hook_entry[h] = hook_entries[h];
1651
1651
if ((unsigned char *)e - base == underflows[h])
···
1700
1700
xt_compat_target_from_user(t, dstptr, size);
1701
1701
1702
1702
de->next_offset = e->next_offset - (origsize - *size);
1703
-
for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1703
+
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1704
1704
if ((unsigned char *)de - base < newinfo->hook_entry[h])
1705
1705
newinfo->hook_entry[h] -= origsize - *size;
1706
1706
if ((unsigned char *)de - base < newinfo->underflow[h])
···
1753
1753
info->number = number;
1754
1754
1755
1755
/* Init all hooks to impossible value. */
1756
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1756
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1757
1757
info->hook_entry[i] = 0xFFFFFFFF;
1758
1758
info->underflow[i] = 0xFFFFFFFF;
1759
1759
}
···
1778
1778
}
1779
1779
1780
1780
/* Check hooks all assigned */
1781
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1781
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1782
1782
/* Only hooks which are valid */
1783
1783
if (!(valid_hooks & (1 << i)))
1784
1784
continue;
···
1800
1800
goto out_unlock;
1801
1801
1802
1802
newinfo->number = number;
1803
-
for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1803
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1804
1804
newinfo->hook_entry[i] = info->hook_entry[i];
1805
1805
newinfo->underflow[i] = info->underflow[i];
1806
1806
}
+2
-2
net/ipv4/netfilter/ipt_MASQUERADE.c
+2
-2
net/ipv4/netfilter/ipt_MASQUERADE.c
···
67
67
const struct rtable *rt;
68
68
__be32 newsrc;
69
69
70
-
NF_CT_ASSERT(hooknum == NF_IP_POST_ROUTING);
70
+
NF_CT_ASSERT(hooknum == NF_INET_POST_ROUTING);
71
71
72
72
ct = nf_ct_get(skb, &ctinfo);
73
73
nat = nfct_nat(ct);
···
172
172
.target = masquerade_target,
173
173
.targetsize = sizeof(struct nf_nat_multi_range_compat),
174
174
.table = "nat",
175
-
.hooks = 1 << NF_IP_POST_ROUTING,
175
+
.hooks = 1 << NF_INET_POST_ROUTING,
176
176
.checkentry = masquerade_check,
177
177
.me = THIS_MODULE,
178
178
};
+7
-6
net/ipv4/netfilter/ipt_NETMAP.c
+7
-6
net/ipv4/netfilter/ipt_NETMAP.c
···
56
56
const struct nf_nat_multi_range_compat *mr = targinfo;
57
57
struct nf_nat_range newrange;
58
58
59
-
NF_CT_ASSERT(hooknum == NF_IP_PRE_ROUTING
60
-
|| hooknum == NF_IP_POST_ROUTING
61
-
|| hooknum == NF_IP_LOCAL_OUT);
59
+
NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING
60
+
|| hooknum == NF_INET_POST_ROUTING
61
+
|| hooknum == NF_INET_LOCAL_OUT);
62
62
ct = nf_ct_get(skb, &ctinfo);
63
63
64
64
netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
65
65
66
-
if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
66
+
if (hooknum == NF_INET_PRE_ROUTING || hooknum == NF_INET_LOCAL_OUT)
67
67
new_ip = ip_hdr(skb)->daddr & ~netmask;
68
68
else
69
69
new_ip = ip_hdr(skb)->saddr & ~netmask;
···
84
84
.target = target,
85
85
.targetsize = sizeof(struct nf_nat_multi_range_compat),
86
86
.table = "nat",
87
-
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
88
-
(1 << NF_IP_LOCAL_OUT),
87
+
.hooks = (1 << NF_INET_PRE_ROUTING) |
88
+
(1 << NF_INET_POST_ROUTING) |
89
+
(1 << NF_INET_LOCAL_OUT),
89
90
.checkentry = check,
90
91
.me = THIS_MODULE
91
92
};
+4
-4
net/ipv4/netfilter/ipt_REDIRECT.c
+4
-4
net/ipv4/netfilter/ipt_REDIRECT.c
···
60
60
const struct nf_nat_multi_range_compat *mr = targinfo;
61
61
struct nf_nat_range newrange;
62
62
63
-
NF_CT_ASSERT(hooknum == NF_IP_PRE_ROUTING
64
-
|| hooknum == NF_IP_LOCAL_OUT);
63
+
NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING
64
+
|| hooknum == NF_INET_LOCAL_OUT);
65
65
66
66
ct = nf_ct_get(skb, &ctinfo);
67
67
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
68
68
69
69
/* Local packets: make them go to loopback */
70
-
if (hooknum == NF_IP_LOCAL_OUT)
70
+
if (hooknum == NF_INET_LOCAL_OUT)
71
71
newdst = htonl(0x7F000001);
72
72
else {
73
73
struct in_device *indev;
···
101
101
.target = redirect_target,
102
102
.targetsize = sizeof(struct nf_nat_multi_range_compat),
103
103
.table = "nat",
104
-
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
104
+
.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
105
105
.checkentry = redirect_check,
106
106
.me = THIS_MODULE,
107
107
};
+3
-3
net/ipv4/netfilter/ipt_REJECT.c
+3
-3
net/ipv4/netfilter/ipt_REJECT.c
···
123
123
niph->id = 0;
124
124
125
125
addr_type = RTN_UNSPEC;
126
-
if (hook != NF_IP_FORWARD
126
+
if (hook != NF_INET_FORWARD
127
127
#ifdef CONFIG_BRIDGE_NETFILTER
128
128
|| (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
129
129
#endif
···
234
234
.target = reject,
235
235
.targetsize = sizeof(struct ipt_reject_info),
236
236
.table = "filter",
237
-
.hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
238
-
(1 << NF_IP_LOCAL_OUT),
237
+
.hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
238
+
(1 << NF_INET_LOCAL_OUT),
239
239
.checkentry = check,
240
240
.me = THIS_MODULE,
241
241
};
+4
-3
net/ipv4/netfilter/ipt_SAME.c
+4
-3
net/ipv4/netfilter/ipt_SAME.c
···
119
119
struct nf_nat_range newrange;
120
120
const struct nf_conntrack_tuple *t;
121
121
122
-
NF_CT_ASSERT(hooknum == NF_IP_PRE_ROUTING ||
123
-
hooknum == NF_IP_POST_ROUTING);
122
+
NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING ||
123
+
hooknum == NF_INET_POST_ROUTING);
124
124
ct = nf_ct_get(skb, &ctinfo);
125
125
126
126
t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
···
158
158
.target = same_target,
159
159
.targetsize = sizeof(struct ipt_same_info),
160
160
.table = "nat",
161
-
.hooks = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING),
161
+
.hooks = (1 << NF_INET_PRE_ROUTING) |
162
+
(1 << NF_INET_POST_ROUTING),
162
163
.checkentry = same_check,
163
164
.destroy = same_destroy,
164
165
.me = THIS_MODULE,
+2
-1
net/ipv4/netfilter/ipt_owner.c
+2
-1
net/ipv4/netfilter/ipt_owner.c
···
73
73
.family = AF_INET,
74
74
.match = match,
75
75
.matchsize = sizeof(struct ipt_owner_info),
76
-
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
76
+
.hooks = (1 << NF_INET_LOCAL_OUT) |
77
+
(1 << NF_INET_POST_ROUTING),
77
78
.checkentry = checkentry,
78
79
.me = THIS_MODULE,
79
80
};
+12
-10
net/ipv4/netfilter/iptable_filter.c
+12
-10
net/ipv4/netfilter/iptable_filter.c
···
19
19
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
20
20
MODULE_DESCRIPTION("iptables filter table");
21
21
22
-
#define FILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT))
22
+
#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
23
+
(1 << NF_INET_FORWARD) | \
24
+
(1 << NF_INET_LOCAL_OUT))
23
25
24
26
static struct
25
27
{
···
35
33
.num_entries = 4,
36
34
.size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
37
35
.hook_entry = {
38
-
[NF_IP_LOCAL_IN] = 0,
39
-
[NF_IP_FORWARD] = sizeof(struct ipt_standard),
40
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
36
+
[NF_INET_LOCAL_IN] = 0,
37
+
[NF_INET_FORWARD] = sizeof(struct ipt_standard),
38
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
41
39
},
42
40
.underflow = {
43
-
[NF_IP_LOCAL_IN] = 0,
44
-
[NF_IP_FORWARD] = sizeof(struct ipt_standard),
45
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
41
+
[NF_INET_LOCAL_IN] = 0,
42
+
[NF_INET_FORWARD] = sizeof(struct ipt_standard),
43
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
46
44
},
47
45
},
48
46
.entries = {
···
96
94
.hook = ipt_hook,
97
95
.owner = THIS_MODULE,
98
96
.pf = PF_INET,
99
-
.hooknum = NF_IP_LOCAL_IN,
97
+
.hooknum = NF_INET_LOCAL_IN,
100
98
.priority = NF_IP_PRI_FILTER,
101
99
},
102
100
{
103
101
.hook = ipt_hook,
104
102
.owner = THIS_MODULE,
105
103
.pf = PF_INET,
106
-
.hooknum = NF_IP_FORWARD,
104
+
.hooknum = NF_INET_FORWARD,
107
105
.priority = NF_IP_PRI_FILTER,
108
106
},
109
107
{
110
108
.hook = ipt_local_out_hook,
111
109
.owner = THIS_MODULE,
112
110
.pf = PF_INET,
113
-
.hooknum = NF_IP_LOCAL_OUT,
111
+
.hooknum = NF_INET_LOCAL_OUT,
114
112
.priority = NF_IP_PRI_FILTER,
115
113
},
116
114
};
+20
-20
net/ipv4/netfilter/iptable_mangle.c
+20
-20
net/ipv4/netfilter/iptable_mangle.c
···
21
21
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
22
22
MODULE_DESCRIPTION("iptables mangle table");
23
23
24
-
#define MANGLE_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | \
25
-
(1 << NF_IP_LOCAL_IN) | \
26
-
(1 << NF_IP_FORWARD) | \
27
-
(1 << NF_IP_LOCAL_OUT) | \
28
-
(1 << NF_IP_POST_ROUTING))
24
+
#define MANGLE_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
25
+
(1 << NF_INET_LOCAL_IN) | \
26
+
(1 << NF_INET_FORWARD) | \
27
+
(1 << NF_INET_LOCAL_OUT) | \
28
+
(1 << NF_INET_POST_ROUTING))
29
29
30
30
/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
31
31
static struct
···
40
40
.num_entries = 6,
41
41
.size = sizeof(struct ipt_standard) * 5 + sizeof(struct ipt_error),
42
42
.hook_entry = {
43
-
[NF_IP_PRE_ROUTING] = 0,
44
-
[NF_IP_LOCAL_IN] = sizeof(struct ipt_standard),
45
-
[NF_IP_FORWARD] = sizeof(struct ipt_standard) * 2,
46
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
47
-
[NF_IP_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
43
+
[NF_INET_PRE_ROUTING] = 0,
44
+
[NF_INET_LOCAL_IN] = sizeof(struct ipt_standard),
45
+
[NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2,
46
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
47
+
[NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
48
48
},
49
49
.underflow = {
50
-
[NF_IP_PRE_ROUTING] = 0,
51
-
[NF_IP_LOCAL_IN] = sizeof(struct ipt_standard),
52
-
[NF_IP_FORWARD] = sizeof(struct ipt_standard) * 2,
53
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
54
-
[NF_IP_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
50
+
[NF_INET_PRE_ROUTING] = 0,
51
+
[NF_INET_LOCAL_IN] = sizeof(struct ipt_standard),
52
+
[NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2,
53
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
54
+
[NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
55
55
},
56
56
},
57
57
.entries = {
···
133
133
.hook = ipt_route_hook,
134
134
.owner = THIS_MODULE,
135
135
.pf = PF_INET,
136
-
.hooknum = NF_IP_PRE_ROUTING,
136
+
.hooknum = NF_INET_PRE_ROUTING,
137
137
.priority = NF_IP_PRI_MANGLE,
138
138
},
139
139
{
140
140
.hook = ipt_route_hook,
141
141
.owner = THIS_MODULE,
142
142
.pf = PF_INET,
143
-
.hooknum = NF_IP_LOCAL_IN,
143
+
.hooknum = NF_INET_LOCAL_IN,
144
144
.priority = NF_IP_PRI_MANGLE,
145
145
},
146
146
{
147
147
.hook = ipt_route_hook,
148
148
.owner = THIS_MODULE,
149
149
.pf = PF_INET,
150
-
.hooknum = NF_IP_FORWARD,
150
+
.hooknum = NF_INET_FORWARD,
151
151
.priority = NF_IP_PRI_MANGLE,
152
152
},
153
153
{
154
154
.hook = ipt_local_hook,
155
155
.owner = THIS_MODULE,
156
156
.pf = PF_INET,
157
-
.hooknum = NF_IP_LOCAL_OUT,
157
+
.hooknum = NF_INET_LOCAL_OUT,
158
158
.priority = NF_IP_PRI_MANGLE,
159
159
},
160
160
{
161
161
.hook = ipt_route_hook,
162
162
.owner = THIS_MODULE,
163
163
.pf = PF_INET,
164
-
.hooknum = NF_IP_POST_ROUTING,
164
+
.hooknum = NF_INET_POST_ROUTING,
165
165
.priority = NF_IP_PRI_MANGLE,
166
166
},
167
167
};
+7
-7
net/ipv4/netfilter/iptable_raw.c
+7
-7
net/ipv4/netfilter/iptable_raw.c
···
7
7
#include <linux/netfilter_ipv4/ip_tables.h>
8
8
#include <net/ip.h>
9
9
10
-
#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
10
+
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
11
11
12
12
static struct
13
13
{
···
21
21
.num_entries = 3,
22
22
.size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
23
23
.hook_entry = {
24
-
[NF_IP_PRE_ROUTING] = 0,
25
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard)
24
+
[NF_INET_PRE_ROUTING] = 0,
25
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
26
26
},
27
27
.underflow = {
28
-
[NF_IP_PRE_ROUTING] = 0,
29
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard)
28
+
[NF_INET_PRE_ROUTING] = 0,
29
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
30
30
},
31
31
},
32
32
.entries = {
···
78
78
{
79
79
.hook = ipt_hook,
80
80
.pf = PF_INET,
81
-
.hooknum = NF_IP_PRE_ROUTING,
81
+
.hooknum = NF_INET_PRE_ROUTING,
82
82
.priority = NF_IP_PRI_RAW,
83
83
.owner = THIS_MODULE,
84
84
},
85
85
{
86
86
.hook = ipt_local_hook,
87
87
.pf = PF_INET,
88
-
.hooknum = NF_IP_LOCAL_OUT,
88
+
.hooknum = NF_INET_LOCAL_OUT,
89
89
.priority = NF_IP_PRI_RAW,
90
90
.owner = THIS_MODULE,
91
91
},
+9
-9
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+9
-9
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
···
150
150
/* Gather fragments. */
151
151
if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
152
152
if (nf_ct_ipv4_gather_frags(skb,
153
-
hooknum == NF_IP_PRE_ROUTING ?
153
+
hooknum == NF_INET_PRE_ROUTING ?
154
154
IP_DEFRAG_CONNTRACK_IN :
155
155
IP_DEFRAG_CONNTRACK_OUT))
156
156
return NF_STOLEN;
···
190
190
.hook = ipv4_conntrack_defrag,
191
191
.owner = THIS_MODULE,
192
192
.pf = PF_INET,
193
-
.hooknum = NF_IP_PRE_ROUTING,
193
+
.hooknum = NF_INET_PRE_ROUTING,
194
194
.priority = NF_IP_PRI_CONNTRACK_DEFRAG,
195
195
},
196
196
{
197
197
.hook = ipv4_conntrack_in,
198
198
.owner = THIS_MODULE,
199
199
.pf = PF_INET,
200
-
.hooknum = NF_IP_PRE_ROUTING,
200
+
.hooknum = NF_INET_PRE_ROUTING,
201
201
.priority = NF_IP_PRI_CONNTRACK,
202
202
},
203
203
{
204
204
.hook = ipv4_conntrack_defrag,
205
205
.owner = THIS_MODULE,
206
206
.pf = PF_INET,
207
-
.hooknum = NF_IP_LOCAL_OUT,
207
+
.hooknum = NF_INET_LOCAL_OUT,
208
208
.priority = NF_IP_PRI_CONNTRACK_DEFRAG,
209
209
},
210
210
{
211
211
.hook = ipv4_conntrack_local,
212
212
.owner = THIS_MODULE,
213
213
.pf = PF_INET,
214
-
.hooknum = NF_IP_LOCAL_OUT,
214
+
.hooknum = NF_INET_LOCAL_OUT,
215
215
.priority = NF_IP_PRI_CONNTRACK,
216
216
},
217
217
{
218
218
.hook = ipv4_conntrack_help,
219
219
.owner = THIS_MODULE,
220
220
.pf = PF_INET,
221
-
.hooknum = NF_IP_POST_ROUTING,
221
+
.hooknum = NF_INET_POST_ROUTING,
222
222
.priority = NF_IP_PRI_CONNTRACK_HELPER,
223
223
},
224
224
{
225
225
.hook = ipv4_conntrack_help,
226
226
.owner = THIS_MODULE,
227
227
.pf = PF_INET,
228
-
.hooknum = NF_IP_LOCAL_IN,
228
+
.hooknum = NF_INET_LOCAL_IN,
229
229
.priority = NF_IP_PRI_CONNTRACK_HELPER,
230
230
},
231
231
{
232
232
.hook = ipv4_confirm,
233
233
.owner = THIS_MODULE,
234
234
.pf = PF_INET,
235
-
.hooknum = NF_IP_POST_ROUTING,
235
+
.hooknum = NF_INET_POST_ROUTING,
236
236
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
237
237
},
238
238
{
239
239
.hook = ipv4_confirm,
240
240
.owner = THIS_MODULE,
241
241
.pf = PF_INET,
242
-
.hooknum = NF_IP_LOCAL_IN,
242
+
.hooknum = NF_INET_LOCAL_IN,
243
243
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
244
244
},
245
245
};
+1
-1
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+1
-1
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
···
195
195
}
196
196
197
197
/* See ip_conntrack_proto_tcp.c */
198
-
if (nf_conntrack_checksum && hooknum == NF_IP_PRE_ROUTING &&
198
+
if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
199
199
nf_ip_checksum(skb, hooknum, dataoff, 0)) {
200
200
if (LOG_INVALID(IPPROTO_ICMP))
201
201
nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
+7
-7
net/ipv4/netfilter/nf_nat_core.c
+7
-7
net/ipv4/netfilter/nf_nat_core.c
···
213
213
*var_ipp = htonl(minip + j % (maxip - minip + 1));
214
214
}
215
215
216
-
/* Manipulate the tuple into the range given. For NF_IP_POST_ROUTING,
217
-
* we change the source to map into the range. For NF_IP_PRE_ROUTING
218
-
* and NF_IP_LOCAL_OUT, we change the destination to map into the
216
+
/* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
217
+
* we change the source to map into the range. For NF_INET_PRE_ROUTING
218
+
* and NF_INET_LOCAL_OUT, we change the destination to map into the
219
219
* range. It might not be possible to get a unique tuple, but we try.
220
220
* At worst (or if we race), we will end up with a final duplicate in
221
221
* __ip_conntrack_confirm and drop the packet. */
···
293
293
}
294
294
}
295
295
296
-
NF_CT_ASSERT(hooknum == NF_IP_PRE_ROUTING ||
297
-
hooknum == NF_IP_POST_ROUTING ||
298
-
hooknum == NF_IP_LOCAL_IN ||
299
-
hooknum == NF_IP_LOCAL_OUT);
296
+
NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING ||
297
+
hooknum == NF_INET_POST_ROUTING ||
298
+
hooknum == NF_INET_LOCAL_IN ||
299
+
hooknum == NF_INET_LOCAL_OUT);
300
300
BUG_ON(nf_nat_initialized(ct, maniptype));
301
301
302
302
/* What we've got will look like inverse of reply. Normally
+4
-4
net/ipv4/netfilter/nf_nat_h323.c
+4
-4
net/ipv4/netfilter/nf_nat_h323.c
···
391
391
range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
392
392
393
393
/* hook doesn't matter, but it has to do source manip */
394
-
nf_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
394
+
nf_nat_setup_info(new, &range, NF_INET_POST_ROUTING);
395
395
396
396
/* For DST manip, map port here to where it's expected. */
397
397
range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
···
400
400
new->master->tuplehash[!this->dir].tuple.src.u3.ip;
401
401
402
402
/* hook doesn't matter, but it has to do destination manip */
403
-
nf_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
403
+
nf_nat_setup_info(new, &range, NF_INET_PRE_ROUTING);
404
404
}
405
405
406
406
/****************************************************************************/
···
481
481
range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
482
482
483
483
/* hook doesn't matter, but it has to do source manip */
484
-
nf_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
484
+
nf_nat_setup_info(new, &range, NF_INET_POST_ROUTING);
485
485
486
486
/* For DST manip, map port here to where it's expected. */
487
487
range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
···
489
489
range.min_ip = range.max_ip = this->saved_ip;
490
490
491
491
/* hook doesn't matter, but it has to do destination manip */
492
-
nf_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
492
+
nf_nat_setup_info(new, &range, NF_INET_PRE_ROUTING);
493
493
}
494
494
495
495
/****************************************************************************/
+2
-2
net/ipv4/netfilter/nf_nat_helper.c
+2
-2
net/ipv4/netfilter/nf_nat_helper.c
···
431
431
range.min_ip = range.max_ip
432
432
= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
433
433
/* hook doesn't matter, but it has to do source manip */
434
-
nf_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
434
+
nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
435
435
436
436
/* For DST manip, map port here to where it's expected. */
437
437
range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
···
439
439
range.min_ip = range.max_ip
440
440
= ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;
441
441
/* hook doesn't matter, but it has to do destination manip */
442
-
nf_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
442
+
nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
443
443
}
444
444
EXPORT_SYMBOL(nf_nat_follow_master);
+2
-2
net/ipv4/netfilter/nf_nat_pptp.c
+2
-2
net/ipv4/netfilter/nf_nat_pptp.c
···
94
94
range.min = range.max = exp->saved_proto;
95
95
}
96
96
/* hook doesn't matter, but it has to do source manip */
97
-
nf_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
97
+
nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
98
98
99
99
/* For DST manip, map port here to where it's expected. */
100
100
range.flags = IP_NAT_RANGE_MAP_IPS;
···
105
105
range.min = range.max = exp->saved_proto;
106
106
}
107
107
/* hook doesn't matter, but it has to do destination manip */
108
-
nf_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
108
+
nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
109
109
}
110
110
111
111
/* outbound packets == from PNS to PAC */
+15
-13
net/ipv4/netfilter/nf_nat_rule.c
+15
-13
net/ipv4/netfilter/nf_nat_rule.c
···
24
24
#include <net/netfilter/nf_nat_core.h>
25
25
#include <net/netfilter/nf_nat_rule.h>
26
26
27
-
#define NAT_VALID_HOOKS ((1<<NF_IP_PRE_ROUTING) | (1<<NF_IP_POST_ROUTING) | (1<<NF_IP_LOCAL_OUT))
27
+
#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
28
+
(1 << NF_INET_POST_ROUTING) | \
29
+
(1 << NF_INET_LOCAL_OUT))
28
30
29
31
static struct
30
32
{
···
40
38
.num_entries = 4,
41
39
.size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
42
40
.hook_entry = {
43
-
[NF_IP_PRE_ROUTING] = 0,
44
-
[NF_IP_POST_ROUTING] = sizeof(struct ipt_standard),
45
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
41
+
[NF_INET_PRE_ROUTING] = 0,
42
+
[NF_INET_POST_ROUTING] = sizeof(struct ipt_standard),
43
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
46
44
},
47
45
.underflow = {
48
-
[NF_IP_PRE_ROUTING] = 0,
49
-
[NF_IP_POST_ROUTING] = sizeof(struct ipt_standard),
50
-
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
46
+
[NF_INET_PRE_ROUTING] = 0,
47
+
[NF_INET_POST_ROUTING] = sizeof(struct ipt_standard),
48
+
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
51
49
},
52
50
},
53
51
.entries = {
···
78
76
enum ip_conntrack_info ctinfo;
79
77
const struct nf_nat_multi_range_compat *mr = targinfo;
80
78
81
-
NF_CT_ASSERT(hooknum == NF_IP_POST_ROUTING);
79
+
NF_CT_ASSERT(hooknum == NF_INET_POST_ROUTING);
82
80
83
81
ct = nf_ct_get(skb, &ctinfo);
84
82
···
120
118
enum ip_conntrack_info ctinfo;
121
119
const struct nf_nat_multi_range_compat *mr = targinfo;
122
120
123
-
NF_CT_ASSERT(hooknum == NF_IP_PRE_ROUTING ||
124
-
hooknum == NF_IP_LOCAL_OUT);
121
+
NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING ||
122
+
hooknum == NF_INET_LOCAL_OUT);
125
123
126
124
ct = nf_ct_get(skb, &ctinfo);
127
125
128
126
/* Connection must be valid and new. */
129
127
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
130
128
131
-
if (hooknum == NF_IP_LOCAL_OUT &&
129
+
if (hooknum == NF_INET_LOCAL_OUT &&
132
130
mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)
133
131
warn_if_extra_mangle(ip_hdr(skb)->daddr,
134
132
mr->range[0].min_ip);
···
229
227
.target = ipt_snat_target,
230
228
.targetsize = sizeof(struct nf_nat_multi_range_compat),
231
229
.table = "nat",
232
-
.hooks = 1 << NF_IP_POST_ROUTING,
230
+
.hooks = 1 << NF_INET_POST_ROUTING,
233
231
.checkentry = ipt_snat_checkentry,
234
232
.family = AF_INET,
235
233
};
···
239
237
.target = ipt_dnat_target,
240
238
.targetsize = sizeof(struct nf_nat_multi_range_compat),
241
239
.table = "nat",
242
-
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
240
+
.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
243
241
.checkentry = ipt_dnat_checkentry,
244
242
.family = AF_INET,
245
243
};
+2
-2
net/ipv4/netfilter/nf_nat_sip.c
+2
-2
net/ipv4/netfilter/nf_nat_sip.c
···
229
229
range.min_ip = range.max_ip
230
230
= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
231
231
/* hook doesn't matter, but it has to do source manip */
232
-
nf_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
232
+
nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
233
233
234
234
/* For DST manip, map port here to where it's expected. */
235
235
range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
236
236
range.min = range.max = exp->saved_proto;
237
237
range.min_ip = range.max_ip = exp->saved_ip;
238
238
/* hook doesn't matter, but it has to do destination manip */
239
-
nf_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
239
+
nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
240
240
}
241
241
242
242
/* So, this packet has hit the connection tracking matching code.
+7
-7
net/ipv4/netfilter/nf_nat_standalone.c
+7
-7
net/ipv4/netfilter/nf_nat_standalone.c
···
137
137
if (unlikely(nf_ct_is_confirmed(ct)))
138
138
/* NAT module was loaded late */
139
139
ret = alloc_null_binding_confirmed(ct, hooknum);
140
-
else if (hooknum == NF_IP_LOCAL_IN)
140
+
else if (hooknum == NF_INET_LOCAL_IN)
141
141
/* LOCAL_IN hook doesn't have a chain! */
142
142
ret = alloc_null_binding(ct, hooknum);
143
143
else
···
279
279
.hook = nf_nat_in,
280
280
.owner = THIS_MODULE,
281
281
.pf = PF_INET,
282
-
.hooknum = NF_IP_PRE_ROUTING,
282
+
.hooknum = NF_INET_PRE_ROUTING,
283
283
.priority = NF_IP_PRI_NAT_DST,
284
284
},
285
285
/* After packet filtering, change source */
···
287
287
.hook = nf_nat_out,
288
288
.owner = THIS_MODULE,
289
289
.pf = PF_INET,
290
-
.hooknum = NF_IP_POST_ROUTING,
290
+
.hooknum = NF_INET_POST_ROUTING,
291
291
.priority = NF_IP_PRI_NAT_SRC,
292
292
},
293
293
/* After conntrack, adjust sequence number */
···
295
295
.hook = nf_nat_adjust,
296
296
.owner = THIS_MODULE,
297
297
.pf = PF_INET,
298
-
.hooknum = NF_IP_POST_ROUTING,
298
+
.hooknum = NF_INET_POST_ROUTING,
299
299
.priority = NF_IP_PRI_NAT_SEQ_ADJUST,
300
300
},
301
301
/* Before packet filtering, change destination */
···
303
303
.hook = nf_nat_local_fn,
304
304
.owner = THIS_MODULE,
305
305
.pf = PF_INET,
306
-
.hooknum = NF_IP_LOCAL_OUT,
306
+
.hooknum = NF_INET_LOCAL_OUT,
307
307
.priority = NF_IP_PRI_NAT_DST,
308
308
},
309
309
/* After packet filtering, change source */
···
311
311
.hook = nf_nat_fn,
312
312
.owner = THIS_MODULE,
313
313
.pf = PF_INET,
314
-
.hooknum = NF_IP_LOCAL_IN,
314
+
.hooknum = NF_INET_LOCAL_IN,
315
315
.priority = NF_IP_PRI_NAT_SRC,
316
316
},
317
317
/* After conntrack, adjust sequence number */
···
319
319
.hook = nf_nat_adjust,
320
320
.owner = THIS_MODULE,
321
321
.pf = PF_INET,
322
-
.hooknum = NF_IP_LOCAL_IN,
322
+
.hooknum = NF_INET_LOCAL_IN,
323
323
.priority = NF_IP_PRI_NAT_SEQ_ADJUST,
324
324
},
325
325
};
+1
-1
net/ipv4/raw.c
+1
-1
net/ipv4/raw.c
···
321
321
icmp_out_count(((struct icmphdr *)
322
322
skb_transport_header(skb))->type);
323
323
324
-
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
324
+
err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
325
325
dst_output);
326
326
if (err > 0)
327
327
err = inet->recverr ? net_xmit_errno(err) : 0;
+1
-1
net/ipv4/xfrm4_input.c
+1
-1
net/ipv4/xfrm4_input.c
+2
-2
net/ipv4/xfrm4_output.c
+2
-2
net/ipv4/xfrm4_output.c
···
86
86
87
87
int xfrm4_output(struct sk_buff *skb)
88
88
{
89
-
return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
90
-
xfrm4_output_finish,
89
+
return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb,
90
+
NULL, skb->dst->dev, xfrm4_output_finish,
91
91
!(IPCB(skb)->flags & IPSKB_REROUTED));
92
92
}
+1
-1
net/ipv4/xfrm4_state.c
+1
-1
net/ipv4/xfrm4_state.c
+4
-2
net/ipv6/ip6_input.c
+4
-2
net/ipv6/ip6_input.c
···
134
134
135
135
rcu_read_unlock();
136
136
137
-
return NF_HOOK(PF_INET6,NF_IP6_PRE_ROUTING, skb, dev, NULL, ip6_rcv_finish);
137
+
return NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, dev, NULL,
138
+
ip6_rcv_finish);
138
139
err:
139
140
IP6_INC_STATS_BH(idev, IPSTATS_MIB_INHDRERRORS);
140
141
drop:
···
230
229
231
230
int ip6_input(struct sk_buff *skb)
232
231
{
233
-
return NF_HOOK(PF_INET6,NF_IP6_LOCAL_IN, skb, skb->dev, NULL, ip6_input_finish);
232
+
return NF_HOOK(PF_INET6, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
233
+
ip6_input_finish);
234
234
}
235
235
236
236
int ip6_mc_input(struct sk_buff *skb)
+8
-6
net/ipv6/ip6_output.c
+8
-6
net/ipv6/ip6_output.c
···
79
79
len = 0;
80
80
ipv6_hdr(skb)->payload_len = htons(len);
81
81
82
-
return nf_hook(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dst->dev,
82
+
return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dst->dev,
83
83
dst_output);
84
84
}
85
85
···
145
145
is not supported in any case.
146
146
*/
147
147
if (newskb)
148
-
NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, newskb, NULL,
149
-
newskb->dev,
148
+
NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb,
149
+
NULL, newskb->dev,
150
150
ip6_dev_loopback_xmit);
151
151
152
152
if (ipv6_hdr(skb)->hop_limit == 0) {
···
159
159
IP6_INC_STATS(idev, IPSTATS_MIB_OUTMCASTPKTS);
160
160
}
161
161
162
-
return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb,NULL, skb->dev,ip6_output_finish);
162
+
return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
163
+
ip6_output_finish);
163
164
}
164
165
165
166
static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
···
262
261
if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) {
263
262
IP6_INC_STATS(ip6_dst_idev(skb->dst),
264
263
IPSTATS_MIB_OUTREQUESTS);
265
-
return NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev,
264
+
return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
266
265
dst_output);
267
266
}
268
267
···
526
525
hdr->hop_limit--;
527
526
528
527
IP6_INC_STATS_BH(ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
529
-
return NF_HOOK(PF_INET6,NF_IP6_FORWARD, skb, skb->dev, dst->dev, ip6_forward_finish);
528
+
return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
529
+
ip6_forward_finish);
530
530
531
531
error:
532
532
IP6_INC_STATS_BH(ip6_dst_idev(dst), IPSTATS_MIB_INADDRERRORS);
+3
-3
net/ipv6/mcast.c
+3
-3
net/ipv6/mcast.c
···
1448
1448
1449
1449
static inline int mld_dev_queue_xmit(struct sk_buff *skb)
1450
1450
{
1451
-
return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL, skb->dev,
1451
+
return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
1452
1452
mld_dev_queue_xmit2);
1453
1453
}
1454
1454
···
1469
1469
pmr->csum = csum_ipv6_magic(&pip6->saddr, &pip6->daddr, mldlen,
1470
1470
IPPROTO_ICMPV6, csum_partial(skb_transport_header(skb),
1471
1471
mldlen, 0));
1472
-
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev,
1472
+
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1473
1473
mld_dev_queue_xmit);
1474
1474
if (!err) {
1475
1475
ICMP6MSGOUT_INC_STATS_BH(idev, ICMPV6_MLD2_REPORT);
···
1813
1813
1814
1814
idev = in6_dev_get(skb->dev);
1815
1815
1816
-
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev,
1816
+
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1817
1817
mld_dev_queue_xmit);
1818
1818
if (!err) {
1819
1819
ICMP6MSGOUT_INC_STATS(idev, type);
+4
-2
net/ipv6/ndisc.c
+4
-2
net/ipv6/ndisc.c
···
533
533
idev = in6_dev_get(dst->dev);
534
534
IP6_INC_STATS(idev, IPSTATS_MIB_OUTREQUESTS);
535
535
536
-
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
536
+
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
537
+
dst_output);
537
538
if (!err) {
538
539
ICMP6MSGOUT_INC_STATS(idev, type);
539
540
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
···
1539
1538
buff->dst = dst;
1540
1539
idev = in6_dev_get(dst->dev);
1541
1540
IP6_INC_STATS(idev, IPSTATS_MIB_OUTREQUESTS);
1542
-
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, buff, NULL, dst->dev, dst_output);
1541
+
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev,
1542
+
dst_output);
1543
1543
if (!err) {
1544
1544
ICMP6MSGOUT_INC_STATS(idev, NDISC_REDIRECT);
1545
1545
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
+3
-3
net/ipv6/netfilter.c
+3
-3
net/ipv6/netfilter.c
···
60
60
{
61
61
struct ip6_rt_info *rt_info = nf_info_reroute(info);
62
62
63
-
if (info->hook == NF_IP6_LOCAL_OUT) {
63
+
if (info->hook == NF_INET_LOCAL_OUT) {
64
64
struct ipv6hdr *iph = ipv6_hdr(skb);
65
65
66
66
rt_info->daddr = iph->daddr;
···
72
72
{
73
73
struct ip6_rt_info *rt_info = nf_info_reroute(info);
74
74
75
-
if (info->hook == NF_IP6_LOCAL_OUT) {
75
+
if (info->hook == NF_INET_LOCAL_OUT) {
76
76
struct ipv6hdr *iph = ipv6_hdr(skb);
77
77
if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
78
78
!ipv6_addr_equal(&iph->saddr, &rt_info->saddr))
···
89
89
90
90
switch (skb->ip_summed) {
91
91
case CHECKSUM_COMPLETE:
92
-
if (hook != NF_IP6_PRE_ROUTING && hook != NF_IP6_LOCAL_IN)
92
+
if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
93
93
break;
94
94
if (!csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
95
95
skb->len - dataoff, protocol,
+13
-13
net/ipv6/netfilter/ip6_tables.c
+13
-13
net/ipv6/netfilter/ip6_tables.c
···
258
258
defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
259
259
/* This cries for unification! */
260
260
static const char *hooknames[] = {
261
-
[NF_IP6_PRE_ROUTING] = "PREROUTING",
262
-
[NF_IP6_LOCAL_IN] = "INPUT",
263
-
[NF_IP6_FORWARD] = "FORWARD",
264
-
[NF_IP6_LOCAL_OUT] = "OUTPUT",
265
-
[NF_IP6_POST_ROUTING] = "POSTROUTING",
261
+
[NF_INET_PRE_ROUTING] = "PREROUTING",
262
+
[NF_INET_LOCAL_IN] = "INPUT",
263
+
[NF_INET_FORWARD] = "FORWARD",
264
+
[NF_INET_LOCAL_OUT] = "OUTPUT",
265
+
[NF_INET_POST_ROUTING] = "POSTROUTING",
266
266
};
267
267
268
268
enum nf_ip_trace_comments {
···
502
502
503
503
/* No recursion; use packet counter to save back ptrs (reset
504
504
to 0 as we leave), and comefrom to save source hook bitmask */
505
-
for (hook = 0; hook < NF_IP6_NUMHOOKS; hook++) {
505
+
for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
506
506
unsigned int pos = newinfo->hook_entry[hook];
507
507
struct ip6t_entry *e
508
508
= (struct ip6t_entry *)(entry0 + pos);
···
518
518
struct ip6t_standard_target *t
519
519
= (void *)ip6t_get_target(e);
520
520
521
-
if (e->comefrom & (1 << NF_IP6_NUMHOOKS)) {
521
+
if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
522
522
printk("iptables: loop hook %u pos %u %08X.\n",
523
523
hook, pos, e->comefrom);
524
524
return 0;
525
525
}
526
526
e->comefrom
527
-
|= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
527
+
|= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
528
528
529
529
/* Unconditional return/END. */
530
530
if ((e->target_offset == sizeof(struct ip6t_entry)
···
544
544
/* Return: backtrack through the last
545
545
big jump. */
546
546
do {
547
-
e->comefrom ^= (1<<NF_IP6_NUMHOOKS);
547
+
e->comefrom ^= (1<<NF_INET_NUMHOOKS);
548
548
#ifdef DEBUG_IP_FIREWALL_USER
549
549
if (e->comefrom
550
-
& (1 << NF_IP6_NUMHOOKS)) {
550
+
& (1 << NF_INET_NUMHOOKS)) {
551
551
duprintf("Back unset "
552
552
"on hook %u "
553
553
"rule %u\n",
···
746
746
}
747
747
748
748
/* Check hooks & underflows */
749
-
for (h = 0; h < NF_IP6_NUMHOOKS; h++) {
749
+
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
750
750
if ((unsigned char *)e - base == hook_entries[h])
751
751
newinfo->hook_entry[h] = hook_entries[h];
752
752
if ((unsigned char *)e - base == underflows[h])
···
800
800
newinfo->number = number;
801
801
802
802
/* Init all hooks to impossible value. */
803
-
for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
803
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
804
804
newinfo->hook_entry[i] = 0xFFFFFFFF;
805
805
newinfo->underflow[i] = 0xFFFFFFFF;
806
806
}
···
824
824
}
825
825
826
826
/* Check hooks all assigned */
827
-
for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
827
+
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
828
828
/* Only hooks which are valid */
829
829
if (!(valid_hooks & (1 << i)))
830
830
continue;
+3
-3
net/ipv6/netfilter/ip6t_REJECT.c
+3
-3
net/ipv6/netfilter/ip6t_REJECT.c
···
164
164
static inline void
165
165
send_unreach(struct sk_buff *skb_in, unsigned char code, unsigned int hooknum)
166
166
{
167
-
if (hooknum == NF_IP6_LOCAL_OUT && skb_in->dev == NULL)
167
+
if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
168
168
skb_in->dev = init_net.loopback_dev;
169
169
170
170
icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0, NULL);
···
243
243
.target = reject6_target,
244
244
.targetsize = sizeof(struct ip6t_reject_info),
245
245
.table = "filter",
246
-
.hooks = (1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) |
247
-
(1 << NF_IP6_LOCAL_OUT),
246
+
.hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
247
+
(1 << NF_INET_LOCAL_OUT),
248
248
.checkentry = check,
249
249
.me = THIS_MODULE
250
250
};
+2
-2
net/ipv6/netfilter/ip6t_eui64.c
+2
-2
net/ipv6/netfilter/ip6t_eui64.c
···
67
67
.family = AF_INET6,
68
68
.match = match,
69
69
.matchsize = sizeof(int),
70
-
.hooks = (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
71
-
(1 << NF_IP6_FORWARD),
70
+
.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
71
+
(1 << NF_INET_FORWARD),
72
72
.me = THIS_MODULE,
73
73
};
74
74
+2
-1
net/ipv6/netfilter/ip6t_owner.c
+2
-1
net/ipv6/netfilter/ip6t_owner.c
···
73
73
.family = AF_INET6,
74
74
.match = match,
75
75
.matchsize = sizeof(struct ip6t_owner_info),
76
-
.hooks = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
76
+
.hooks = (1 << NF_INET_LOCAL_OUT) |
77
+
(1 << NF_INET_POST_ROUTING),
77
78
.checkentry = checkentry,
78
79
.me = THIS_MODULE,
79
80
};
+12
-10
net/ipv6/netfilter/ip6table_filter.c
+12
-10
net/ipv6/netfilter/ip6table_filter.c
···
17
17
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
18
18
MODULE_DESCRIPTION("ip6tables filter table");
19
19
20
-
#define FILTER_VALID_HOOKS ((1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) | (1 << NF_IP6_LOCAL_OUT))
20
+
#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
21
+
(1 << NF_INET_FORWARD) | \
22
+
(1 << NF_INET_LOCAL_OUT))
21
23
22
24
static struct
23
25
{
···
33
31
.num_entries = 4,
34
32
.size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
35
33
.hook_entry = {
36
-
[NF_IP6_LOCAL_IN] = 0,
37
-
[NF_IP6_FORWARD] = sizeof(struct ip6t_standard),
38
-
[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
34
+
[NF_INET_LOCAL_IN] = 0,
35
+
[NF_INET_FORWARD] = sizeof(struct ip6t_standard),
36
+
[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
39
37
},
40
38
.underflow = {
41
-
[NF_IP6_LOCAL_IN] = 0,
42
-
[NF_IP6_FORWARD] = sizeof(struct ip6t_standard),
43
-
[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
39
+
[NF_INET_LOCAL_IN] = 0,
40
+
[NF_INET_FORWARD] = sizeof(struct ip6t_standard),
41
+
[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
44
42
},
45
43
},
46
44
.entries = {
···
95
93
.hook = ip6t_hook,
96
94
.owner = THIS_MODULE,
97
95
.pf = PF_INET6,
98
-
.hooknum = NF_IP6_LOCAL_IN,
96
+
.hooknum = NF_INET_LOCAL_IN,
99
97
.priority = NF_IP6_PRI_FILTER,
100
98
},
101
99
{
102
100
.hook = ip6t_hook,
103
101
.owner = THIS_MODULE,
104
102
.pf = PF_INET6,
105
-
.hooknum = NF_IP6_FORWARD,
103
+
.hooknum = NF_INET_FORWARD,
106
104
.priority = NF_IP6_PRI_FILTER,
107
105
},
108
106
{
109
107
.hook = ip6t_local_out_hook,
110
108
.owner = THIS_MODULE,
111
109
.pf = PF_INET6,
112
-
.hooknum = NF_IP6_LOCAL_OUT,
110
+
.hooknum = NF_INET_LOCAL_OUT,
113
111
.priority = NF_IP6_PRI_FILTER,
114
112
},
115
113
};
+20
-20
net/ipv6/netfilter/ip6table_mangle.c
+20
-20
net/ipv6/netfilter/ip6table_mangle.c
···
15
15
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
16
16
MODULE_DESCRIPTION("ip6tables mangle table");
17
17
18
-
#define MANGLE_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | \
19
-
(1 << NF_IP6_LOCAL_IN) | \
20
-
(1 << NF_IP6_FORWARD) | \
21
-
(1 << NF_IP6_LOCAL_OUT) | \
22
-
(1 << NF_IP6_POST_ROUTING))
18
+
#define MANGLE_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
19
+
(1 << NF_INET_LOCAL_IN) | \
20
+
(1 << NF_INET_FORWARD) | \
21
+
(1 << NF_INET_LOCAL_OUT) | \
22
+
(1 << NF_INET_POST_ROUTING))
23
23
24
24
static struct
25
25
{
···
33
33
.num_entries = 6,
34
34
.size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
35
35
.hook_entry = {
36
-
[NF_IP6_PRE_ROUTING] = 0,
37
-
[NF_IP6_LOCAL_IN] = sizeof(struct ip6t_standard),
38
-
[NF_IP6_FORWARD] = sizeof(struct ip6t_standard) * 2,
39
-
[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
40
-
[NF_IP6_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
36
+
[NF_INET_PRE_ROUTING] = 0,
37
+
[NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
38
+
[NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
39
+
[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
40
+
[NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
41
41
},
42
42
.underflow = {
43
-
[NF_IP6_PRE_ROUTING] = 0,
44
-
[NF_IP6_LOCAL_IN] = sizeof(struct ip6t_standard),
45
-
[NF_IP6_FORWARD] = sizeof(struct ip6t_standard) * 2,
46
-
[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
47
-
[NF_IP6_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
43
+
[NF_INET_PRE_ROUTING] = 0,
44
+
[NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
45
+
[NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
46
+
[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
47
+
[NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
48
48
},
49
49
},
50
50
.entries = {
···
125
125
.hook = ip6t_route_hook,
126
126
.owner = THIS_MODULE,
127
127
.pf = PF_INET6,
128
-
.hooknum = NF_IP6_PRE_ROUTING,
128
+
.hooknum = NF_INET_PRE_ROUTING,
129
129
.priority = NF_IP6_PRI_MANGLE,
130
130
},
131
131
{
132
132
.hook = ip6t_local_hook,
133
133
.owner = THIS_MODULE,
134
134
.pf = PF_INET6,
135
-
.hooknum = NF_IP6_LOCAL_IN,
135
+
.hooknum = NF_INET_LOCAL_IN,
136
136
.priority = NF_IP6_PRI_MANGLE,
137
137
},
138
138
{
139
139
.hook = ip6t_route_hook,
140
140
.owner = THIS_MODULE,
141
141
.pf = PF_INET6,
142
-
.hooknum = NF_IP6_FORWARD,
142
+
.hooknum = NF_INET_FORWARD,
143
143
.priority = NF_IP6_PRI_MANGLE,
144
144
},
145
145
{
146
146
.hook = ip6t_local_hook,
147
147
.owner = THIS_MODULE,
148
148
.pf = PF_INET6,
149
-
.hooknum = NF_IP6_LOCAL_OUT,
149
+
.hooknum = NF_INET_LOCAL_OUT,
150
150
.priority = NF_IP6_PRI_MANGLE,
151
151
},
152
152
{
153
153
.hook = ip6t_route_hook,
154
154
.owner = THIS_MODULE,
155
155
.pf = PF_INET6,
156
-
.hooknum = NF_IP6_POST_ROUTING,
156
+
.hooknum = NF_INET_POST_ROUTING,
157
157
.priority = NF_IP6_PRI_MANGLE,
158
158
},
159
159
};
+7
-7
net/ipv6/netfilter/ip6table_raw.c
+7
-7
net/ipv6/netfilter/ip6table_raw.c
···
6
6
#include <linux/module.h>
7
7
#include <linux/netfilter_ipv6/ip6_tables.h>
8
8
9
-
#define RAW_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT))
9
+
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
10
10
11
11
static struct
12
12
{
···
20
20
.num_entries = 3,
21
21
.size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
22
22
.hook_entry = {
23
-
[NF_IP6_PRE_ROUTING] = 0,
24
-
[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard)
23
+
[NF_INET_PRE_ROUTING] = 0,
24
+
[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
25
25
},
26
26
.underflow = {
27
-
[NF_IP6_PRE_ROUTING] = 0,
28
-
[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard)
27
+
[NF_INET_PRE_ROUTING] = 0,
28
+
[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
29
29
},
30
30
},
31
31
.entries = {
···
58
58
{
59
59
.hook = ip6t_hook,
60
60
.pf = PF_INET6,
61
-
.hooknum = NF_IP6_PRE_ROUTING,
61
+
.hooknum = NF_INET_PRE_ROUTING,
62
62
.priority = NF_IP6_PRI_FIRST,
63
63
.owner = THIS_MODULE,
64
64
},
65
65
{
66
66
.hook = ip6t_hook,
67
67
.pf = PF_INET6,
68
-
.hooknum = NF_IP6_LOCAL_OUT,
68
+
.hooknum = NF_INET_LOCAL_OUT,
69
69
.priority = NF_IP6_PRI_FIRST,
70
70
.owner = THIS_MODULE,
71
71
},
+6
-6
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+6
-6
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
···
263
263
.hook = ipv6_defrag,
264
264
.owner = THIS_MODULE,
265
265
.pf = PF_INET6,
266
-
.hooknum = NF_IP6_PRE_ROUTING,
266
+
.hooknum = NF_INET_PRE_ROUTING,
267
267
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
268
268
},
269
269
{
270
270
.hook = ipv6_conntrack_in,
271
271
.owner = THIS_MODULE,
272
272
.pf = PF_INET6,
273
-
.hooknum = NF_IP6_PRE_ROUTING,
273
+
.hooknum = NF_INET_PRE_ROUTING,
274
274
.priority = NF_IP6_PRI_CONNTRACK,
275
275
},
276
276
{
277
277
.hook = ipv6_conntrack_local,
278
278
.owner = THIS_MODULE,
279
279
.pf = PF_INET6,
280
-
.hooknum = NF_IP6_LOCAL_OUT,
280
+
.hooknum = NF_INET_LOCAL_OUT,
281
281
.priority = NF_IP6_PRI_CONNTRACK,
282
282
},
283
283
{
284
284
.hook = ipv6_defrag,
285
285
.owner = THIS_MODULE,
286
286
.pf = PF_INET6,
287
-
.hooknum = NF_IP6_LOCAL_OUT,
287
+
.hooknum = NF_INET_LOCAL_OUT,
288
288
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
289
289
},
290
290
{
291
291
.hook = ipv6_confirm,
292
292
.owner = THIS_MODULE,
293
293
.pf = PF_INET6,
294
-
.hooknum = NF_IP6_POST_ROUTING,
294
+
.hooknum = NF_INET_POST_ROUTING,
295
295
.priority = NF_IP6_PRI_LAST,
296
296
},
297
297
{
298
298
.hook = ipv6_confirm,
299
299
.owner = THIS_MODULE,
300
300
.pf = PF_INET6,
301
-
.hooknum = NF_IP6_LOCAL_IN,
301
+
.hooknum = NF_INET_LOCAL_IN,
302
302
.priority = NF_IP6_PRI_LAST-1,
303
303
},
304
304
};
+1
-1
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+1
-1
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
···
192
192
return -NF_ACCEPT;
193
193
}
194
194
195
-
if (nf_conntrack_checksum && hooknum == NF_IP6_PRE_ROUTING &&
195
+
if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
196
196
nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
197
197
nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
198
198
"nf_ct_icmpv6: ICMPv6 checksum failed\n");
+1
-1
net/ipv6/raw.c
+1
-1
net/ipv6/raw.c
···
619
619
goto error_fault;
620
620
621
621
IP6_INC_STATS(rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS);
622
-
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
622
+
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
623
623
dst_output);
624
624
if (err > 0)
625
625
err = np->recverr ? net_xmit_errno(err) : 0;
+1
-1
net/ipv6/xfrm6_input.c
+1
-1
net/ipv6/xfrm6_input.c
···
37
37
ipv6_hdr(skb)->payload_len = htons(skb->len);
38
38
__skb_push(skb, skb->data - skb_network_header(skb));
39
39
40
-
NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
40
+
NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
41
41
ip6_rcv_finish);
42
42
return -1;
43
43
#else
+1
-1
net/ipv6/xfrm6_output.c
+1
-1
net/ipv6/xfrm6_output.c
+1
-1
net/ipv6/xfrm6_state.c
+1
-1
net/ipv6/xfrm6_state.c
···
188
188
.family = AF_INET6,
189
189
.proto = IPPROTO_IPV6,
190
190
.eth_proto = htons(ETH_P_IPV6),
191
-
.nf_post_routing = NF_IP6_POST_ROUTING,
191
+
.nf_post_routing = NF_INET_POST_ROUTING,
192
192
.owner = THIS_MODULE,
193
193
.init_tempsel = __xfrm6_init_tempsel,
194
194
.tmpl_sort = __xfrm6_tmpl_sort,
+4
-4
net/netfilter/nf_conntrack_netlink.c
+4
-4
net/netfilter/nf_conntrack_netlink.c
···
829
829
&range) < 0)
830
830
return -EINVAL;
831
831
if (nf_nat_initialized(ct,
832
-
HOOK2MANIP(NF_IP_PRE_ROUTING)))
832
+
HOOK2MANIP(NF_INET_PRE_ROUTING)))
833
833
return -EEXIST;
834
-
nf_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
834
+
nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
835
835
}
836
836
if (cda[CTA_NAT_SRC]) {
837
837
if (nfnetlink_parse_nat(cda[CTA_NAT_SRC], ct,
838
838
&range) < 0)
839
839
return -EINVAL;
840
840
if (nf_nat_initialized(ct,
841
-
HOOK2MANIP(NF_IP_POST_ROUTING)))
841
+
HOOK2MANIP(NF_INET_POST_ROUTING)))
842
842
return -EEXIST;
843
-
nf_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
843
+
nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
844
844
}
845
845
#endif
846
846
}
+1
-3
net/netfilter/nf_conntrack_proto_tcp.c
+1
-3
net/netfilter/nf_conntrack_proto_tcp.c
···
783
783
* because the checksum is assumed to be correct.
784
784
*/
785
785
/* FIXME: Source route IP option packets --RR */
786
-
if (nf_conntrack_checksum &&
787
-
((pf == PF_INET && hooknum == NF_IP_PRE_ROUTING) ||
788
-
(pf == PF_INET6 && hooknum == NF_IP6_PRE_ROUTING)) &&
786
+
if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
789
787
nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
790
788
if (LOG_INVALID(IPPROTO_TCP))
791
789
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+1
-3
net/netfilter/nf_conntrack_proto_udp.c
+1
-3
net/netfilter/nf_conntrack_proto_udp.c
···
128
128
* We skip checking packets on the outgoing path
129
129
* because the checksum is assumed to be correct.
130
130
* FIXME: Source route IP option packets --RR */
131
-
if (nf_conntrack_checksum &&
132
-
((pf == PF_INET && hooknum == NF_IP_PRE_ROUTING) ||
133
-
(pf == PF_INET6 && hooknum == NF_IP6_PRE_ROUTING)) &&
131
+
if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
134
132
nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
135
133
if (LOG_INVALID(IPPROTO_UDP))
136
134
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+1
-2
net/netfilter/nf_conntrack_proto_udplite.c
+1
-2
net/netfilter/nf_conntrack_proto_udplite.c
···
133
133
134
134
/* Checksum invalid? Ignore. */
135
135
if (nf_conntrack_checksum && !skb_csum_unnecessary(skb) &&
136
-
((pf == PF_INET && hooknum == NF_IP_PRE_ROUTING) ||
137
-
(pf == PF_INET6 && hooknum == NF_IP6_PRE_ROUTING))) {
136
+
hooknum == NF_INET_PRE_ROUTING) {
138
137
if (pf == PF_INET) {
139
138
struct iphdr *iph = ip_hdr(skb);
140
139
+6
-6
net/netfilter/xt_CLASSIFY.c
+6
-6
net/netfilter/xt_CLASSIFY.c
···
47
47
.target = target,
48
48
.targetsize = sizeof(struct xt_classify_target_info),
49
49
.table = "mangle",
50
-
.hooks = (1 << NF_IP_LOCAL_OUT) |
51
-
(1 << NF_IP_FORWARD) |
52
-
(1 << NF_IP_POST_ROUTING),
50
+
.hooks = (1 << NF_INET_LOCAL_OUT) |
51
+
(1 << NF_INET_FORWARD) |
52
+
(1 << NF_INET_POST_ROUTING),
53
53
.me = THIS_MODULE,
54
54
},
55
55
{
···
58
58
.target = target,
59
59
.targetsize = sizeof(struct xt_classify_target_info),
60
60
.table = "mangle",
61
-
.hooks = (1 << NF_IP6_LOCAL_OUT) |
62
-
(1 << NF_IP6_FORWARD) |
63
-
(1 << NF_IP6_POST_ROUTING),
61
+
.hooks = (1 << NF_INET_LOCAL_OUT) |
62
+
(1 << NF_INET_FORWARD) |
63
+
(1 << NF_INET_POST_ROUTING),
64
64
.me = THIS_MODULE,
65
65
},
66
66
};
+6
-6
net/netfilter/xt_TCPMSS.c
+6
-6
net/netfilter/xt_TCPMSS.c
···
214
214
const struct ipt_entry *e = entry;
215
215
216
216
if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
217
-
(hook_mask & ~((1 << NF_IP_FORWARD) |
218
-
(1 << NF_IP_LOCAL_OUT) |
219
-
(1 << NF_IP_POST_ROUTING))) != 0) {
217
+
(hook_mask & ~((1 << NF_INET_FORWARD) |
218
+
(1 << NF_INET_LOCAL_OUT) |
219
+
(1 << NF_INET_POST_ROUTING))) != 0) {
220
220
printk("xt_TCPMSS: path-MTU clamping only supported in "
221
221
"FORWARD, OUTPUT and POSTROUTING hooks\n");
222
222
return false;
···
239
239
const struct ip6t_entry *e = entry;
240
240
241
241
if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
242
-
(hook_mask & ~((1 << NF_IP6_FORWARD) |
243
-
(1 << NF_IP6_LOCAL_OUT) |
244
-
(1 << NF_IP6_POST_ROUTING))) != 0) {
242
+
(hook_mask & ~((1 << NF_INET_FORWARD) |
243
+
(1 << NF_INET_LOCAL_OUT) |
244
+
(1 << NF_INET_POST_ROUTING))) != 0) {
245
245
printk("xt_TCPMSS: path-MTU clamping only supported in "
246
246
"FORWARD, OUTPUT and POSTROUTING hooks\n");
247
247
return false;
+6
-6
net/netfilter/xt_mac.c
+6
-6
net/netfilter/xt_mac.c
···
50
50
.family = AF_INET,
51
51
.match = match,
52
52
.matchsize = sizeof(struct xt_mac_info),
53
-
.hooks = (1 << NF_IP_PRE_ROUTING) |
54
-
(1 << NF_IP_LOCAL_IN) |
55
-
(1 << NF_IP_FORWARD),
53
+
.hooks = (1 << NF_INET_PRE_ROUTING) |
54
+
(1 << NF_INET_LOCAL_IN) |
55
+
(1 << NF_INET_FORWARD),
56
56
.me = THIS_MODULE,
57
57
},
58
58
{
···
60
60
.family = AF_INET6,
61
61
.match = match,
62
62
.matchsize = sizeof(struct xt_mac_info),
63
-
.hooks = (1 << NF_IP6_PRE_ROUTING) |
64
-
(1 << NF_IP6_LOCAL_IN) |
65
-
(1 << NF_IP6_FORWARD),
63
+
.hooks = (1 << NF_INET_PRE_ROUTING) |
64
+
(1 << NF_INET_LOCAL_IN) |
65
+
(1 << NF_INET_FORWARD),
66
66
.me = THIS_MODULE,
67
67
},
68
68
};
+3
-3
net/netfilter/xt_physdev.c
+3
-3
net/netfilter/xt_physdev.c
···
113
113
if (info->bitmask & XT_PHYSDEV_OP_OUT &&
114
114
(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
115
115
info->invert & XT_PHYSDEV_OP_BRIDGED) &&
116
-
hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
117
-
(1 << NF_IP_POST_ROUTING))) {
116
+
hook_mask & ((1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
117
+
(1 << NF_INET_POST_ROUTING))) {
118
118
printk(KERN_WARNING "physdev match: using --physdev-out in the "
119
119
"OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
120
120
"traffic is not supported anymore.\n");
121
-
if (hook_mask & (1 << NF_IP_LOCAL_OUT))
121
+
if (hook_mask & (1 << NF_INET_LOCAL_OUT))
122
122
return false;
123
123
}
124
124
return true;
+2
-3
net/netfilter/xt_policy.c
+2
-3
net/netfilter/xt_policy.c
···
144
144
"outgoing policy selected\n");
145
145
return false;
146
146
}
147
-
/* hook values are equal for IPv4 and IPv6 */
148
-
if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
147
+
if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN)
149
148
&& info->flags & XT_POLICY_MATCH_OUT) {
150
149
printk(KERN_ERR "xt_policy: output policy not valid in "
151
150
"PRE_ROUTING and INPUT\n");
152
151
return false;
153
152
}
154
-
if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
153
+
if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT)
155
154
&& info->flags & XT_POLICY_MATCH_IN) {
156
155
printk(KERN_ERR "xt_policy: input policy not valid in "
157
156
"POST_ROUTING and OUTPUT\n");
+2
-2
net/netfilter/xt_realm.c
+2
-2
net/netfilter/xt_realm.c
···
41
41
.name = "realm",
42
42
.match = match,
43
43
.matchsize = sizeof(struct xt_realm_info),
44
-
.hooks = (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
45
-
(1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN),
44
+
.hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |
45
+
(1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),
46
46
.family = AF_INET,
47
47
.me = THIS_MODULE
48
48
};
+2
-2
net/sched/sch_ingress.c
+2
-2
net/sched/sch_ingress.c
···
235
235
.hook = ing_hook,
236
236
.owner = THIS_MODULE,
237
237
.pf = PF_INET,
238
-
.hooknum = NF_IP_PRE_ROUTING,
238
+
.hooknum = NF_INET_PRE_ROUTING,
239
239
.priority = NF_IP_PRI_FILTER + 1,
240
240
};
241
241
···
243
243
.hook = ing_hook,
244
244
.owner = THIS_MODULE,
245
245
.pf = PF_INET6,
246
-
.hooknum = NF_IP6_PRE_ROUTING,
246
+
.hooknum = NF_INET_PRE_ROUTING,
247
247
.priority = NF_IP6_PRI_FILTER + 1,
248
248
};
249
249
+2
-2
security/selinux/hooks.c
+2
-2
security/selinux/hooks.c
···
5281
5281
.hook = selinux_ipv4_postroute_last,
5282
5282
.owner = THIS_MODULE,
5283
5283
.pf = PF_INET,
5284
-
.hooknum = NF_IP_POST_ROUTING,
5284
+
.hooknum = NF_INET_POST_ROUTING,
5285
5285
.priority = NF_IP_PRI_SELINUX_LAST,
5286
5286
};
5287
5287
···
5291
5291
.hook = selinux_ipv6_postroute_last,
5292
5292
.owner = THIS_MODULE,
5293
5293
.pf = PF_INET6,
5294
-
.hooknum = NF_IP6_POST_ROUTING,
5294
+
.hooknum = NF_INET_POST_ROUTING,
5295
5295
.priority = NF_IP6_PRI_SELINUX_LAST,
5296
5296
};
5297
5297