
netfilter: nf_tables: merge ipv4 and ipv6 nat chain types

Merge the ipv4 and ipv6 nat chain types. This is the last
missing piece needed to provide inet family support
for nat in a follow-up patch.

The kconfig knobs for ipv4/ipv6 nat chain are removed, the
nat chain type will be built unconditionally if NFT_NAT
expression is enabled.

Before:
text data bss dec hex filename
1576 896 0 2472 9a8 nft_chain_nat_ipv4.ko
1697 896 0 2593 a21 nft_chain_nat_ipv6.ko

After:
text data bss dec hex filename
1832 896 0 2728 aa8 nft_chain_nat.ko

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
db8ab388 a9ce849e

+111 -194
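--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -95,19 +95,6 @@
 default m if NETFILTER_ADVANCED=n
 
 if NF_NAT
-
-if NF_TABLES
-config NFT_CHAIN_NAT_IPV4
-depends on NF_TABLES_IPV4
-tristate "IPv4 nf_tables nat chain support"
-help
-This option enables the "nat" chain for IPv4 in nf_tables. This
-chain type is used to perform Network Address Translation (NAT)
-packet transformations such as the source, destination address and
-source and destination ports.
-
-endif # NF_TABLES
-
 config NF_NAT_SNMP_BASIC
 tristate "Basic SNMP-ALG support"
 depends on NF_CONNTRACK_SNMP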
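--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -25,7 +25,6 @@
 obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
 
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
-obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
 obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
 obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o
 obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o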
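--- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
-* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
-* Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
-* Copyright (c) 2012 Intel Corporation
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
-*
-* Development of this code funded by Astaro AG (http://www.astaro.com/)
-*/
-
-#include <linux/module.h>
-#include <linux/init.h>
-#include <linux/list.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter/nf_tables.h>
-#include <net/netfilter/nf_conntrack.h>
-#include <net/netfilter/nf_nat.h>
-#include <net/netfilter/nf_tables.h>
-#include <net/netfilter/nf_tables_ipv4.h>
-#include <net/ip.h>
-
-static unsigned int nft_nat_do_chain(void *priv,
-struct sk_buff *skb,
-const struct nf_hook_state *state)
-{
-struct nft_pktinfo pkt;
-
-nft_set_pktinfo(&pkt, skb, state);
-nft_set_pktinfo_ipv4(&pkt, skb);
-
-return nft_do_chain(&pkt, priv);
-}
-
-static int nft_nat_ipv4_reg(struct net *net, const struct nf_hook_ops *ops)
-{
-return nf_nat_ipv4_register_fn(net, ops);
-}
-
-static void nft_nat_ipv4_unreg(struct net *net, const struct nf_hook_ops *ops)
-{
-nf_nat_ipv4_unregister_fn(net, ops);
-}
-
-static const struct nft_chain_type nft_chain_nat_ipv4 = {
-.name = "nat",
-.type = NFT_CHAIN_T_NAT,
-.family = NFPROTO_IPV4,
-.owner = THIS_MODULE,
-.hook_mask = (1 << NF_INET_PRE_ROUTING) |
-(1 << NF_INET_POST_ROUTING) |
-(1 << NF_INET_LOCAL_OUT) |
-(1 << NF_INET_LOCAL_IN),
-.hooks = {
-[NF_INET_PRE_ROUTING] = nft_nat_do_chain,
-[NF_INET_POST_ROUTING] = nft_nat_do_chain,
-[NF_INET_LOCAL_OUT] = nft_nat_do_chain,
-[NF_INET_LOCAL_IN] = nft_nat_do_chain,
-},
-.ops_register = nft_nat_ipv4_reg,
-.ops_unregister = nft_nat_ipv4_unreg,
-};
-
-static int __init nft_chain_nat_init(void)
-{
-nft_register_chain_type(&nft_chain_nat_ipv4);
-
-return 0;
-}
-
-static void __exit nft_chain_nat_exit(void)
-{
-nft_unregister_chain_type(&nft_chain_nat_ipv4);
-}
-
-module_init(nft_chain_nat_init);
-module_exit(nft_chain_nat_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");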
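--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -31,17 +31,6 @@
 fields such as the source, destination, flowlabel, hop-limit and
 the packet mark.
 
-if NF_NAT
-
-config NFT_CHAIN_NAT_IPV6
-tristate "IPv6 nf_tables nat chain support"
-help
-This option enables the "nat" chain for IPv6 in nf_tables. This
-chain type is used to perform Network Address Translation (NAT)
-packet transformations such as the source, destination address and
-source and destination ports.
-endif # NF_NAT
-
 config NFT_REJECT_IPV6
 select NF_REJECT_IPV6
 default NFT_REJECT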
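--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -28,7 +28,6 @@
 
 # nf_tables
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
-obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
 obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
 obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o
 obj-$(CONFIG_NFT_FIB_IPV6) += nft_fib_ipv6.o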
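--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
-* Copyright (c) 2012 Intel Corporation
-*
-* This program is free software; you can redistribute it and/or modify it
-* under the terms and conditions of the GNU General Public License,
-* version 2, as published by the Free Software Foundation.
-*
-*/
-
-#include <linux/module.h>
-#include <linux/init.h>
-#include <linux/list.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter/nf_tables.h>
-#include <net/netfilter/nf_conntrack.h>
-#include <net/netfilter/nf_nat.h>
-#include <net/netfilter/nf_tables.h>
-#include <net/netfilter/nf_tables_ipv6.h>
-#include <net/ipv6.h>
-
-static unsigned int nft_nat_do_chain(void *priv,
-struct sk_buff *skb,
-const struct nf_hook_state *state)
-{
-struct nft_pktinfo pkt;
-
-nft_set_pktinfo(&pkt, skb, state);
-nft_set_pktinfo_ipv6(&pkt, skb);
-
-return nft_do_chain(&pkt, priv);
-}
-
-static int nft_nat_ipv6_reg(struct net *net, const struct nf_hook_ops *ops)
-{
-return nf_nat_ipv6_register_fn(net, ops);
-}
-
-static void nft_nat_ipv6_unreg(struct net *net, const struct nf_hook_ops *ops)
-{
-nf_nat_ipv6_unregister_fn(net, ops);
-}
-
-static const struct nft_chain_type nft_chain_nat_ipv6 = {
-.name = "nat",
-.type = NFT_CHAIN_T_NAT,
-.family = NFPROTO_IPV6,
-.owner = THIS_MODULE,
-.hook_mask = (1 << NF_INET_PRE_ROUTING) |
-(1 << NF_INET_POST_ROUTING) |
-(1 << NF_INET_LOCAL_OUT) |
-(1 << NF_INET_LOCAL_IN),
-.hooks = {
-[NF_INET_PRE_ROUTING] = nft_nat_do_chain,
-[NF_INET_POST_ROUTING] = nft_nat_do_chain,
-[NF_INET_LOCAL_OUT] = nft_nat_do_chain,
-[NF_INET_LOCAL_IN] = nft_nat_do_chain,
-},
-.ops_register = nft_nat_ipv6_reg,
-.ops_unregister = nft_nat_ipv6_unreg,
-};
-
-static int __init nft_chain_nat_ipv6_init(void)
-{
-nft_register_chain_type(&nft_chain_nat_ipv6);
-
-return 0;
-}
-
-static void __exit nft_chain_nat_ipv6_exit(void)
-{
-nft_unregister_chain_type(&nft_chain_nat_ipv6);
-}
-
-module_init(nft_chain_nat_ipv6_init);
-module_exit(nft_chain_nat_ipv6_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
-MODULE_ALIAS_NFT_CHAIN(AF_INET6, "nat");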
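--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -550,6 +550,7 @@
 config NFT_NAT
 depends on NF_CONNTRACK
 select NF_NAT
+depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
 tristate "Netfilter nf_tables nat module"
 help
 This option adds the "nat" expression that you can use to perform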
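--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -110,6 +110,8 @@
 obj-$(CONFIG_NFT_TPROXY) += nft_tproxy.o
 obj-$(CONFIG_NFT_XFRM) += nft_xfrm.o
 
+obj-$(CONFIG_NFT_NAT) += nft_chain_nat.o
+
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o
 obj-$(CONFIG_NFT_FWD_NETDEV) += nft_fwd_netdev.o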
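--- /dev/null
+++ b/net/netfilter/nft_chain_nat.c
@@ -0,0 +1,108 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/module.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+#include <net/netfilter/nf_tables_ipv6.h>
+
+static unsigned int nft_nat_do_chain(void *priv, struct sk_buff *skb,
+const struct nf_hook_state *state)
+{
+struct nft_pktinfo pkt;
+
+nft_set_pktinfo(&pkt, skb, state);
+
+switch (state->pf) {
+#ifdef CONFIG_NF_TABLES_IPV4
+case NFPROTO_IPV4:
+nft_set_pktinfo_ipv4(&pkt, skb);
+break;
+#endif
+#ifdef CONFIG_NF_TABLES_IPV6
+case NFPROTO_IPV6:
+nft_set_pktinfo_ipv6(&pkt, skb);
+break;
+#endif
+default:
+break;
+}
+
+return nft_do_chain(&pkt, priv);
+}
+
+#ifdef CONFIG_NF_TABLES_IPV4
+static const struct nft_chain_type nft_chain_nat_ipv4 = {
+.name = "nat",
+.type = NFT_CHAIN_T_NAT,
+.family = NFPROTO_IPV4,
+.owner = THIS_MODULE,
+.hook_mask = (1 << NF_INET_PRE_ROUTING) |
+(1 << NF_INET_POST_ROUTING) |
+(1 << NF_INET_LOCAL_OUT) |
+(1 << NF_INET_LOCAL_IN),
+.hooks = {
+[NF_INET_PRE_ROUTING] = nft_nat_do_chain,
+[NF_INET_POST_ROUTING] = nft_nat_do_chain,
+[NF_INET_LOCAL_OUT] = nft_nat_do_chain,
+[NF_INET_LOCAL_IN] = nft_nat_do_chain,
+},
+.ops_register = nf_nat_ipv4_register_fn,
+.ops_unregister = nf_nat_ipv4_unregister_fn,
+};
+#endif
+
+#ifdef CONFIG_NF_TABLES_IPV6
+static const struct nft_chain_type nft_chain_nat_ipv6 = {
+.name = "nat",
+.type = NFT_CHAIN_T_NAT,
+.family = NFPROTO_IPV6,
+.owner = THIS_MODULE,
+.hook_mask = (1 << NF_INET_PRE_ROUTING) |
+(1 << NF_INET_POST_ROUTING) |
+(1 << NF_INET_LOCAL_OUT) |
+(1 << NF_INET_LOCAL_IN),
+.hooks = {
+[NF_INET_PRE_ROUTING] = nft_nat_do_chain,
+[NF_INET_POST_ROUTING] = nft_nat_do_chain,
+[NF_INET_LOCAL_OUT] = nft_nat_do_chain,
+[NF_INET_LOCAL_IN] = nft_nat_do_chain,
+},
+.ops_register = nf_nat_ipv6_register_fn,
+.ops_unregister = nf_nat_ipv6_unregister_fn,
+};
+#endif
+
+static int __init nft_chain_nat_init(void)
+{
+#ifdef CONFIG_NF_TABLES_IPV6
+nft_register_chain_type(&nft_chain_nat_ipv6);
+#endif
+#ifdef CONFIG_NF_TABLES_IPV4
+nft_register_chain_type(&nft_chain_nat_ipv4);
+#endif
+
+return 0;
+}
+
+static void __exit nft_chain_nat_exit(void)
+{
+#ifdef CONFIG_NF_TABLES_IPV4
+nft_unregister_chain_type(&nft_chain_nat_ipv4);
+#endif
+#ifdef CONFIG_NF_TABLES_IPV6
+nft_unregister_chain_type(&nft_chain_nat_ipv6);
+#endif
+}
+
+module_init(nft_chain_nat_init);
+module_exit(nft_chain_nat_exit);
+
+MODULE_LICENSE("GPL");
+#ifdef CONFIG_NF_TABLES_IPV4
+MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
+#endif
+#ifdef CONFIG_NF_TABLES_IPV6
+MODULE_ALIAS_NFT_CHAIN(AF_INET6, "nat");
+#endif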
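Review bot: The `default: break;` arm in nft_nat_do_chain lets a packet whose `state->pf` is neither NFPROTO_IPV4 nor NFPROTO_IPV6 (or whose family is compiled out) fall through to `nft_do_chain()` with only `nft_set_pktinfo()` having run, so the per-family fields that `nft_set_pktinfo_ipv4()`/`nft_set_pktinfo_ipv6()` would otherwise fill are left in whatever state that helper leaves them; the two removed per-family modules had no such path. Presumably this is unreachable today because the two chain types only register IPv4/IPv6 hooks, but the commit message says inet family support is the next step, which is exactly where an unexpected pf would arrive, so the invariant should be explicit rather than silent — e.g. `default: WARN_ON_ONCE(1); break;` or at least `/* unreachable: only the ipv4/ipv6 chain types use this hook */` on that arm. Separately, the deleted files carried copyright headers and MODULE_AUTHOR lines for Patrick McHardy and Tomasz Bursztyka that the new file does not carry forward; the attribution is worth keeping even if MODULE_AUTHOR is dropped.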