
netfilter: Pass nf_hook_state through nf_nat_ipv6_{in,out,fn,local_fn}().

Signed-off-by: David S. Miller <davem@davemloft.net>

+35 -52
+8 -16
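--- a/include/net/netfilter/nf_nat_l3proto.h
+++ b/include/net/netfilter/nf_nat_l3proto.h
@@ -77,40 +77,32 @@
 unsigned int hooknum, unsigned int hdrlen);
 
 unsigned int nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 unsigned int nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 unsigned int nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 #endif /* _NF_NAT_L3PROTO_H */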
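Review bot: The `do_chain` callback type is still written out in full inside each of the four prototypes here, and again in the four definitions in nf_nat_l3proto_ipv6.c, which is why this signature change had to edit the same parameter list eight times. A single named function type next to the prototypes would keep the declarations, the definitions and the callbacks in step, for example `typedef unsigned int nf_nat_ipv6_do_chain_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, const struct nf_hook_state *state, struct nf_conn *ct);` with the parameter then declared as `nf_nat_ipv6_do_chain_fn *do_chain`. The part of the header above line 77 is outside the hunk, so an existing typedef that could be reused is not ruled out.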
+7 -11
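--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -32,45 +32,41 @@
 
 static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct)
 {
 struct net *net = nf_ct_net(ct);
 
-return ip6t_do_table(skb, ops->hooknum, in, out, net->ipv6.ip6table_nat);
+return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
+net->ipv6.ip6table_nat);
 }
 
 static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_fn(ops, skb, state->in, state->out,
-ip6table_nat_do_chain);
+return nf_nat_ipv6_fn(ops, skb, state, ip6table_nat_do_chain);
 }
 
 static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_in(ops, skb, state->in, state->out,
-ip6table_nat_do_chain);
+return nf_nat_ipv6_in(ops, skb, state, ip6table_nat_do_chain);
 }
 
 static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_out(ops, skb, state->in, state->out,
-ip6table_nat_do_chain);
+return nf_nat_ipv6_out(ops, skb, state, ip6table_nat_do_chain);
 }
 
 static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out,
-ip6table_nat_do_chain);
+return nf_nat_ipv6_local_fn(ops, skb, state, ip6table_nat_do_chain);
 }
 
 static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = {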
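Review bot: `ip6table_nat_do_chain()` now receives the whole hook state but splits it straight back into `state->in, state->out` for `ip6t_do_table()`, so every other field of the state stops at this boundary; `nft_nat_do_chain()` in nft_chain_nat_ipv6.c does the same for `nft_set_pktinfo_ipv6()`. If this is a deliberate intermediate step, a one-line comment above the call would say so, for example `/* ip6t_do_table() still takes in/out separately; pass state once it is converted */`. Whether those two callees are converted elsewhere is not visible on this page.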
+14 -18
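--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -263,11 +263,10 @@
 
 unsigned int
 nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in, const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct))
 {
 struct nf_conn *ct;
@@ -318,7 +317,7 @@
 if (!nf_nat_initialized(ct, maniptype)) {
 unsigned int ret;
 
-ret = do_chain(ops, skb, in, out, ct);
+ret = do_chain(ops, skb, state, ct);
 if (ret != NF_ACCEPT)
 return ret;
 
@@ -332,7 +331,7 @@
 pr_debug("Already setup manip %s for ct %p\n",
 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
 ct);
-if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))
+if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out))
 goto oif_changed;
 }
 break;
@@ -341,7 +340,7 @@
 /* ESTABLISHED */
 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
 ctinfo == IP_CT_ESTABLISHED_REPLY);
-if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))
+if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out))
 goto oif_changed;
 }
 
@@ -355,17 +354,16 @@
 
 unsigned int
 nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in, const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct))
 {
 unsigned int ret;
 struct in6_addr daddr = ipv6_hdr(skb)->daddr;
 
-ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain);
+ret = nf_nat_ipv6_fn(ops, skb, state, do_chain);
 if (ret != NF_DROP && ret != NF_STOLEN &&
 ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr))
 skb_dst_drop(skb);
@@ -376,11 +374,10 @@
 
 unsigned int
 nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in, const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct))
 {
 #ifdef CONFIG_XFRM
@@ -394,7 +391,7 @@
 if (skb->len < sizeof(struct ipv6hdr))
 return NF_ACCEPT;
 
-ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain);
+ret = nf_nat_ipv6_fn(ops, skb, state, do_chain);
 #ifdef CONFIG_XFRM
 if (ret != NF_DROP && ret != NF_STOLEN &&
 !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
@@ -418,11 +415,10 @@
 
 unsigned int
 nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in, const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct))
 {
 const struct nf_conn *ct;
@@ -434,7 +430,7 @@
 if (skb->len < sizeof(struct ipv6hdr))
 return NF_ACCEPT;
 
-ret = nf_nat_ipv6_fn(ops, skb, in, out, do_chain);
+ret = nf_nat_ipv6_fn(ops, skb, state, do_chain);
 if (ret != NF_DROP && ret != NF_STOLEN &&
 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);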
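Review bot: `nf_nat_ipv6_fn()` now dereferences `state` unconditionally in both `nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)` calls, whereas the old signature took the two device pointers directly and a caller could pass NULL for either without a fault at this point. The four functions are declared in nf_nat_l3proto.h, so the new precondition deserves a line above the definition, such as `/* state must be non-NULL; state->out is read for the oif check */`. The callers visible in this commit all forward the `state` handed to them by the hook; any others are outside the page. The function bodies start and end outside the hunks shown.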
+6 -7
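--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
@@ -26,13 +26,12 @@
 
 static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct)
 {
 struct nft_pktinfo pkt;
 
-nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out);
+nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out);
 
 return nft_do_chain(&pkt, ops);
 }
@@ -41,28 +40,28 @@
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
+return nf_nat_ipv6_fn(ops, skb, state, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_in(ops, skb, state->in, state->out, nft_nat_do_chain);
+return nf_nat_ipv6_in(ops, skb, state, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_out(ops, skb, state->in, state->out, nft_nat_do_chain);
+return nf_nat_ipv6_out(ops, skb, state, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
+return nf_nat_ipv6_local_fn(ops, skb, state, nft_nat_do_chain);
 }
 
 static const struct nf_chain_type nft_chain_nat_ipv6 = {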