
netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module

This resolves linking problems with CONFIG_IPV6=n:

net/built-in.o: In function `redirect_tg6':
xt_REDIRECT.c:(.text+0x6d021): undefined reference to `nf_nat_redirect_ipv6'

Reported-by: Andreas Ruprecht <rupran@einserver.de>
Reported-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+72 -115
-9
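--- a/include/net/netfilter/ipv4/nf_nat_redirect.h
+++ b/include/net/netfilter/ipv4/nf_nat_redirect.h
@@ -1,9 +0,0 @@
-#ifndef _NF_NAT_REDIRECT_IPV4_H_
-#define _NF_NAT_REDIRECT_IPV4_H_
-
-unsigned int
-nf_nat_redirect_ipv4(struct sk_buff *skb,
-const struct nf_nat_ipv4_multi_range_compat *mr,
-unsigned int hooknum);
-
-#endif /* _NF_NAT_REDIRECT_IPV4_H_ */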
-8
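--- a/include/net/netfilter/ipv6/nf_nat_redirect.h
+++ b/include/net/netfilter/ipv6/nf_nat_redirect.h
@@ -1,8 +0,0 @@
-#ifndef _NF_NAT_REDIRECT_IPV6_H_
-#define _NF_NAT_REDIRECT_IPV6_H_
-
-unsigned int
-nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range,
-unsigned int hooknum);
-
-#endif /* _NF_NAT_REDIRECT_IPV6_H_ */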
+12
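--- a/include/net/netfilter/nf_nat_redirect.h
+++ b/include/net/netfilter/nf_nat_redirect.h
@@ -0,0 +1,12 @@
+#ifndef _NF_NAT_REDIRECT_H_
+#define _NF_NAT_REDIRECT_H_
+
+unsigned int
+nf_nat_redirect_ipv4(struct sk_buff *skb,
+const struct nf_nat_ipv4_multi_range_compat *mr,
+unsigned int hooknum);
+unsigned int
+nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range,
+unsigned int hooknum);
+
+#endif /* _NF_NAT_REDIRECT_H_ */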
+1 -7
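--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -104,12 +104,6 @@
 This is the kernel functionality to provide NAT in the masquerade
 flavour (automatic source address selection).
 
-config NF_NAT_REDIRECT_IPV4
-tristate "IPv4 redirect support"
-help
-This is the kernel functionality to provide NAT in the redirect
-flavour (redirect packets to local machine).
-
 config NFT_MASQ_IPV4
 tristate "IPv4 masquerading support for nf_tables"
 depends on NF_TABLES_IPV4
@@ -123,7 +117,7 @@
 tristate "IPv4 redirect support for nf_tables"
 depends on NF_TABLES_IPV4
 depends on NFT_REDIR
-select NF_NAT_REDIRECT_IPV4
+select NF_NAT_REDIRECT
 help
 This is the expression that provides IPv4 redirect support for
 nf_tables.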
-1
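--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -31,7 +31,6 @@
 obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
 obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
 obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
-obj-$(CONFIG_NF_NAT_REDIRECT_IPV4) += nf_nat_redirect_ipv4.o
 
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o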
+46 -1
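--- a/net/ipv4/netfilter/nf_nat_redirect_ipv4.c
+++ b/net/netfilter/nf_nat_redirect.c
@@ -20,12 +20,13 @@
 #include <linux/netfilter.h>
 #include <linux/types.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <net/addrconf.h>
 #include <net/checksum.h>
 #include <net/protocol.h>
 #include <net/netfilter/nf_nat.h>
-#include <net/netfilter/ipv4/nf_nat_redirect.h>
+#include <net/netfilter/nf_nat_redirect.h>
 
 unsigned int
 nf_nat_redirect_ipv4(struct sk_buff *skb,
@@ -77,6 +78,50 @@
 return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
 }
 EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv4);
+
+static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
+
+unsigned int
+nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range,
+unsigned int hooknum)
+{
+struct nf_nat_range newrange;
+struct in6_addr newdst;
+enum ip_conntrack_info ctinfo;
+struct nf_conn *ct;
+
+ct = nf_ct_get(skb, &ctinfo);
+if (hooknum == NF_INET_LOCAL_OUT) {
+newdst = loopback_addr;
+} else {
+struct inet6_dev *idev;
+struct inet6_ifaddr *ifa;
+bool addr = false;
+
+rcu_read_lock();
+idev = __in6_dev_get(skb->dev);
+if (idev != NULL) {
+list_for_each_entry(ifa, &idev->addr_list, if_list) {
+newdst = ifa->addr;
+addr = true;
+break;
+}
+}
+rcu_read_unlock();
+
+if (!addr)
+return NF_DROP;
+}
+
+newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
+newrange.min_addr.in6 = newdst;
+newrange.max_addr.in6 = newdst;
+newrange.min_proto = range->min_proto;
+newrange.max_proto = range->max_proto;
+
+return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
+}
+EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv6);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");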
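Review bot: The non-LOCAL_OUT branch of `nf_nat_redirect_ipv6()` takes the first entry on `idev->addr_list` as the redirect target without looking at its scope or state, so a link-local or still-tentative address can be chosen when it happens to be listed first, and the redirected traffic may then not reach a usable local address. The walk also runs under `rcu_read_lock()` only, with the plain `list_for_each_entry()` iterator; it is worth confirming whether `addr_list` can be modified concurrently unless `idev->lock` is held. The function is moved unchanged from the deleted nf_nat_redirect_ipv6.c, so this is inherited behaviour, but the move is a good moment to document it, for example `/* Uses the first address on the ingress device; scope and tentative state are not checked. */` above the loop. `ct` from `nf_ct_get()` is also handed to `nf_nat_setup_info()` without a NULL check in the visible lines; presumably callers guarantee a tracked connection, and a one-line comment on the function should say so.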
+1 -1
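--- a/net/ipv4/netfilter/nft_redir_ipv4.c
+++ b/net/ipv4/netfilter/nft_redir_ipv4.c
@@ -14,7 +14,7 @@
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_nat.h>
-#include <net/netfilter/ipv4/nf_nat_redirect.h>
+#include <net/netfilter/nf_nat_redirect.h>
 #include <net/netfilter/nft_redir.h>
 
 static void nft_redir_ipv4_eval(const struct nft_expr *expr,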
+1 -7
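--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -82,12 +82,6 @@
 This is the kernel functionality to provide NAT in the masquerade
 flavour (automatic source address selection) for IPv6.
 
-config NF_NAT_REDIRECT_IPV6
-tristate "IPv6 redirect support"
-help
-This is the kernel functionality to provide NAT in the redirect
-flavour (redirect packet to local machine) for IPv6.
-
 config NFT_MASQ_IPV6
 tristate "IPv6 masquerade support for nf_tables"
 depends on NF_TABLES_IPV6
@@ -101,7 +95,7 @@
 tristate "IPv6 redirect support for nf_tables"
 depends on NF_TABLES_IPV6
 depends on NFT_REDIR
-select NF_NAT_REDIRECT_IPV6
+select NF_NAT_REDIRECT
 help
 This is the expression that provides IPv4 redirect support for
 nf_tables.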
-1
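--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -19,7 +19,6 @@
 nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o
 obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o
 obj-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o
-obj-$(CONFIG_NF_NAT_REDIRECT_IPV6) += nf_nat_redirect_ipv6.o
 
 # defrag
 nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o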
-75
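--- a/net/ipv6/netfilter/nf_nat_redirect_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_redirect_ipv6.c
@@ -1,75 +0,0 @@
-/*
-* (C) 1999-2001 Paul `Rusty' Russell
-* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
-* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
-*
-* Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6
-* NAT funded by Astaro.
-*/
-
-#include <linux/if.h>
-#include <linux/inetdevice.h>
-#include <linux/ip.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/netdevice.h>
-#include <linux/netfilter.h>
-#include <linux/types.h>
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter/x_tables.h>
-#include <net/addrconf.h>
-#include <net/checksum.h>
-#include <net/protocol.h>
-#include <net/netfilter/nf_nat.h>
-#include <net/netfilter/ipv6/nf_nat_redirect.h>
-
-static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
-
-unsigned int
-nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range *range,
-unsigned int hooknum)
-{
-struct nf_nat_range newrange;
-struct in6_addr newdst;
-enum ip_conntrack_info ctinfo;
-struct nf_conn *ct;
-
-ct = nf_ct_get(skb, &ctinfo);
-if (hooknum == NF_INET_LOCAL_OUT) {
-newdst = loopback_addr;
-} else {
-struct inet6_dev *idev;
-struct inet6_ifaddr *ifa;
-bool addr = false;
-
-rcu_read_lock();
-idev = __in6_dev_get(skb->dev);
-if (idev != NULL) {
-list_for_each_entry(ifa, &idev->addr_list, if_list) {
-newdst = ifa->addr;
-addr = true;
-break;
-}
-}
-rcu_read_unlock();
-
-if (!addr)
-return NF_DROP;
-}
-
-newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
-newrange.min_addr.in6 = newdst;
-newrange.max_addr.in6 = newdst;
-newrange.min_proto = range->min_proto;
-newrange.max_proto = range->max_proto;
-
-return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
-}
-EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv6);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");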
+1 -1
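--- a/net/ipv6/netfilter/nft_redir_ipv6.c
+++ b/net/ipv6/netfilter/nft_redir_ipv6.c
@@ -15,7 +15,7 @@
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nft_redir.h>
-#include <net/netfilter/ipv6/nf_nat_redirect.h>
+#include <net/netfilter/nf_nat_redirect.h>
 
 static void nft_redir_ipv6_eval(const struct nft_expr *expr,
 struct nft_data data[NFT_REG_MAX + 1],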
+8 -2
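--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -411,6 +411,13 @@
 depends on NF_CONNTRACK && NF_NAT
 default NF_NAT && NF_CONNTRACK_TFTP
 
+config NF_NAT_REDIRECT
+tristate "IPv4/IPv6 redirect support"
+depends on NF_NAT
+help
+This is the kernel functionality to redirect packets to local
+machine through NAT.
+
 config NETFILTER_SYNPROXY
 tristate
 
@@ -844,8 +851,7 @@
 config NETFILTER_XT_TARGET_REDIRECT
 tristate "REDIRECT target support"
 depends on NF_NAT
-select NF_NAT_REDIRECT_IPV4 if NF_NAT_IPV4
-select NF_NAT_REDIRECT_IPV6 if NF_NAT_IPV6
+select NF_NAT_REDIRECT
 ---help---
 REDIRECT is a special case of NAT: all incoming connections are
 mapped onto the incoming interface's address, causing the packets to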
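Review bot: `NF_NAT_REDIRECT` is declared with `depends on NF_NAT` but is turned on through `select`, here from NETFILTER_XT_TARGET_REDIRECT and in the per-family Kconfig files from NFT_REDIR_IPV4 and NFT_REDIR_IPV6, and `select` does not enforce the selected symbol's dependencies. NETFILTER_XT_TARGET_REDIRECT itself depends on NF_NAT, but for the two nft symbols that is only implied through NFT_REDIR, whose own dependencies are not visible in this diff, so it should be checked that neither can be enabled without NF_NAT. Since the symbol is now pulled in by its users, it is also worth considering whether it needs a prompt at all; a promptless `tristate` would stop it being toggled independently of the targets that need it.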
+1
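--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -51,6 +51,7 @@
 obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o
 
 obj-$(CONFIG_NF_NAT) += nf_nat.o
+obj-$(CONFIG_NF_NAT_REDIRECT) += nf_nat_redirect.o
 
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_DCCP) += nf_nat_proto_dccp.o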
+1 -2
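--- a/net/netfilter/xt_REDIRECT.c
+++ b/net/netfilter/xt_REDIRECT.c
@@ -26,8 +26,7 @@
 #include <net/checksum.h>
 #include <net/protocol.h>
 #include <net/netfilter/nf_nat.h>
-#include <net/netfilter/ipv4/nf_nat_redirect.h>
-#include <net/netfilter/ipv6/nf_nat_redirect.h>
+#include <net/netfilter/nf_nat_redirect.h>
 
 static unsigned int
 redirect_tg6(struct sk_buff *skb, const struct xt_action_param *par)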