1 | office | 1 | From: Pablo Neira Ayuso <pablo@netfilter.org> |
2 | Date: Sun, 7 Jan 2018 01:04:22 +0100 |
||
3 | Subject: [PATCH] netfilter: flow table support for the mixed IPv4/IPv6 family |
||
4 | |||
5 | This patch adds the IPv6 flow table type, that implements the datapath |
||
6 | flow table to forward IPv6 traffic. |
||
7 | |||
8 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
9 | --- |
||
10 | create mode 100644 net/netfilter/nf_flow_table_inet.c |
||
11 | |||
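--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -111,6 +111,11 @@ struct flow_ports {
 __be16 source, dest;
 };
 
+unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
+ const struct nf_hook_state *state);
+unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
+ const struct nf_hook_state *state);
+
 #define MODULE_ALIAS_NF_FLOWTABLE(family) \
 MODULE_ALIAS("nf-flowtable-" __stringify(family))
 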
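--- a/net/ipv4/netfilter/nf_flow_table_ipv4.c
+++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c
@@ -202,7 +202,7 @@ static bool nf_flow_exceeds_mtu(struct s
 return false;
 }
 
-static unsigned int
+unsigned int
 nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
@@ -254,6 +254,7 @@ nf_flow_offload_ip_hook(void *priv, stru
 
 return NF_STOLEN;
 }
+EXPORT_SYMBOL_GPL(nf_flow_offload_ip_hook);
 
 static struct nf_flowtable_type flowtable_ipv4 = {
 .family = NFPROTO_IPV4,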
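--- a/net/ipv6/netfilter/nf_flow_table_ipv6.c
+++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c
@@ -196,7 +196,7 @@ static bool nf_flow_exceeds_mtu(struct s
 return false;
 }
 
-static unsigned int
+unsigned int
 nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
@@ -248,6 +248,7 @@ nf_flow_offload_ipv6_hook(void *priv, st
 
 return NF_STOLEN;
 }
+EXPORT_SYMBOL_GPL(nf_flow_offload_ipv6_hook);
 
 static struct nf_flowtable_type flowtable_ipv6 = {
 .family = NFPROTO_IPV6,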
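--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -661,6 +661,14 @@ endif # NF_TABLES_NETDEV
 
 endif # NF_TABLES
 
+config NF_FLOW_TABLE_INET
+ select NF_FLOW_TABLE
+ tristate "Netfilter flow table mixed IPv4/IPv6 module"
+ help
+ This option adds the flow table mixed IPv4/IPv6 support.
+
+ To compile it as a module, choose M here.
+
 config NF_FLOW_TABLE
 tristate "Netfilter flow table module"
 help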
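Review bot: The new `NF_FLOW_TABLE_INET` entry selects `NF_FLOW_TABLE` but declares no dependency on the options that build `nf_flow_table_ipv4.c` and `nf_flow_table_ipv6.c`, which is where this patch exports `nf_flow_offload_ip_hook` and `nf_flow_offload_ipv6_hook`. With either family disabled, or built as a module while this option is built in, the inet module would be left with unresolved symbols at link or modpost time. I would replace the `select` with a dependency on both per-family symbols (upstream these are `NF_FLOW_TABLE_IPV4` and `NF_FLOW_TABLE_IPV6`; confirm against this tree), e.g. `depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6`. As a smaller point, `select` does not enforce whatever `NF_FLOW_TABLE` itself depends on, and the `tristate` prompt line conventionally comes first in the entry.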
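--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -112,6 +112,7 @@ obj-$(CONFIG_NFT_FWD_NETDEV) += nft_fwd_
 
 # flow table infrastructure
 obj-$(CONFIG_NF_FLOW_TABLE) += nf_flow_table.o
+obj-$(CONFIG_NF_FLOW_TABLE_INET) += nf_flow_table_inet.o
 
 # generic X tables
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o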
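--- /dev/null
+++ b/net/netfilter/nf_flow_table_inet.c
@@ -0,0 +1,48 @@
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/rhashtable.h>
+#include <net/netfilter/nf_flow_table.h>
+#include <net/netfilter/nf_tables.h>
+
+static unsigned int
+nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ switch (skb->protocol) {
+ case htons(ETH_P_IP):
+ return nf_flow_offload_ip_hook(priv, skb, state);
+ case htons(ETH_P_IPV6):
+ return nf_flow_offload_ipv6_hook(priv, skb, state);
+ }
+
+ return NF_ACCEPT;
+}
+
+static struct nf_flowtable_type flowtable_inet = {
+ .family = NFPROTO_INET,
+ .params = &nf_flow_offload_rhash_params,
+ .gc = nf_flow_offload_work_gc,
+ .hook = nf_flow_offload_inet_hook,
+ .owner = THIS_MODULE,
+};
+
+static int __init nf_flow_inet_module_init(void)
+{
+ nft_register_flowtable_type(&flowtable_inet);
+
+ return 0;
+}
+
+static void __exit nf_flow_inet_module_exit(void)
+{
+ nft_unregister_flowtable_type(&flowtable_inet);
+}
+
+module_init(nf_flow_inet_module_init);
+module_exit(nf_flow_inet_module_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */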
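Review bot: `MODULE_ALIAS_NF_FLOWTABLE(1)` hard-codes the family number, and only the trailing comment ties it to the `NFPROTO_INET` value registered in `flowtable_inet`. If the two ever diverged, alias-based autoloading would stop matching the registered family without any build error. A compile-time check in `nf_flow_inet_module_init()`, `BUILD_BUG_ON(NFPROTO_INET != 1);`, would pin that. Separately, the `switch` in `nf_flow_offload_inet_hook()` has no `default`, so the `return NF_ACCEPT;` after it deserves a one-line comment such as `/* neither IPv4 nor IPv6: not offloaded, continue normal hook traversal */`. That would make it explicit that other protocols are deliberately left off the fast path rather than forgotten.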