iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: synproxy: remove module dependency on IPv6 SYNPROXY

Browse Source 
This is a prerequisite for the infrastructure module NETFILTER_SYNPROXY.
The new module is needed to avoid duplicated code for the SYNPROXY
nftables support.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Fernando Fernandez Mancera 2019-06-07 02:36:05 +02:00 committed by Pablo Neira Ayuso
parent 5fcc88ecf6
commit 3006a5224f
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
include/linux/netfilter_ipv6.h
View File

@ -8,6 +8,7 @@
#define __LINUX_IP6_NETFILTER_H #define __LINUX_IP6_NETFILTER_H
#include <uapi/linux/netfilter_ipv6.h> #include <uapi/linux/netfilter_ipv6.h>
#include <net/tcp.h>
/* Extra routing may needed on local out, as the QUEUE target never returns /* Extra routing may needed on local out, as the QUEUE target never returns
* control to the table. * control to the table.
@ -35,6 +36,10 @@ struct nf_ipv6_ops {
struct in6_addr *saddr); struct in6_addr *saddr);
int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl, int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict); bool strict);
u32 (*cookie_init_sequence)(const struct ipv6hdr *iph,
const struct tcphdr *th, u16 *mssp);
int (*cookie_v6_check)(const struct ipv6hdr *iph,
const struct tcphdr *th, __u32 cookie);
#endif #endif
void (*route_input)(struct sk_buff *skb); void (*route_input)(struct sk_buff *skb);
int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb, int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,
@ -154,6 +159,37 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
#endif #endif
} }
static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph,
const struct tcphdr *th,
u16 *mssp)
{
#if IS_MODULE(CONFIG_IPV6)
const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
if (v6_ops)
return v6_ops->cookie_init_sequence(iph, th, mssp);
return 0;
#else
return __cookie_v6_init_sequence(iph, th, mssp);
#endif
}
static inline int nf_cookie_v6_check(const struct ipv6hdr *iph,
const struct tcphdr *th, __u32 cookie)
{
#if IS_MODULE(CONFIG_IPV6)
const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
if (v6_ops)
return v6_ops->cookie_v6_check(iph, th, cookie);
return 0;
#else
return __cookie_v6_check(iph, th, cookie);
#endif
}
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol); unsigned int dataoff, u_int8_t protocol);

2
net/ipv6/netfilter.c
View File

@ -234,6 +234,8 @@ static const struct nf_ipv6_ops ipv6ops = {
.route_me_harder = ip6_route_me_harder, .route_me_harder = ip6_route_me_harder,
.dev_get_saddr = ipv6_dev_get_saddr, .dev_get_saddr = ipv6_dev_get_saddr,
.route = __nf_ip6_route, .route = __nf_ip6_route,
.cookie_init_sequence = __cookie_v6_init_sequence,
.cookie_v6_check = __cookie_v6_check,
#endif #endif
.route_input = ip6_route_input, .route_input = ip6_route_input,
.fragment = ip6_fragment, .fragment = ip6_fragment,