OpenWrt – Diff between revs 2 and 3
?pathlinks?
| Rev 2 | Rev 3 | |||
|---|---|---|---|---|
| Line 6... | Line 6... | |||
| 6 | --- |
6 | --- |
|
| 7 | create mode 100644 net/netfilter/xt_OFFLOAD.c |
7 | create mode 100644 net/netfilter/xt_OFFLOAD.c |
|
| Line 8... | Line 8... | |||
| 8 | |
8 | |
|
| 9 | --- a/net/ipv4/netfilter/Kconfig |
9 | --- a/net/ipv4/netfilter/Kconfig |
|
| 10 | +++ b/net/ipv4/netfilter/Kconfig |
10 | +++ b/net/ipv4/netfilter/Kconfig |
|
| 11 | @@ -76,8 +76,6 @@ config NF_TABLES_ARP |
11 | @@ -75,8 +75,6 @@ config NF_TABLES_ARP |
|
| 12 | help |
12 | help |
|
| Line 13... | Line 13... | |||
| 13 | This option enables the ARP support for nf_tables. |
13 | This option enables the ARP support for nf_tables. |
|
| 14 | |
14 | |
|
| 15 | -endif # NF_TABLES |
15 | -endif # NF_TABLES |
|
| 16 | - |
16 | - |
|
| 17 | config NF_FLOW_TABLE_IPV4 |
17 | config NF_FLOW_TABLE_IPV4 |
|
| 18 | tristate "Netfilter flow table IPv4 module" |
18 | tristate "Netfilter flow table IPv4 module" |
|
| Line 19... | Line 19... | |||
| 19 | depends on NF_FLOW_TABLE |
19 | depends on NF_FLOW_TABLE |
|
| Line 20... | Line 20... | |||
| 20 | @@ -86,6 +84,8 @@ config NF_FLOW_TABLE_IPV4 |
20 | @@ -85,6 +83,8 @@ config NF_FLOW_TABLE_IPV4 |
|
| 21 | |
21 | |
|
| Line 45... | Line 45... | |||
| 45 | config NF_DUP_IPV6 |
45 | config NF_DUP_IPV6 |
|
| 46 | tristate "Netfilter IPv6 packet duplication to alternate destination" |
46 | tristate "Netfilter IPv6 packet duplication to alternate destination" |
|
| 47 | depends on !NF_CONNTRACK || NF_CONNTRACK |
47 | depends on !NF_CONNTRACK || NF_CONNTRACK |
|
| 48 | --- a/net/netfilter/Kconfig |
48 | --- a/net/netfilter/Kconfig |
|
| 49 | +++ b/net/netfilter/Kconfig |
49 | +++ b/net/netfilter/Kconfig |
|
| 50 | @@ -671,8 +671,6 @@ config NFT_FIB_NETDEV |
50 | @@ -665,8 +665,6 @@ config NFT_FIB_NETDEV |
|
| Line 51... | Line 51... | |||
| 51 | |
51 | |
|
| Line 52... | Line 52... | |||
| 52 | endif # NF_TABLES_NETDEV |
52 | endif # NF_TABLES_NETDEV |
|
| 53 | |
53 | |
|
| 54 | -endif # NF_TABLES |
54 | -endif # NF_TABLES |
|
| 55 | - |
55 | - |
|
| 56 | config NF_FLOW_TABLE_INET |
56 | config NF_FLOW_TABLE_INET |
|
| 57 | tristate "Netfilter flow table mixed IPv4/IPv6 module" |
57 | tristate "Netfilter flow table mixed IPv4/IPv6 module" |
|
| Line 58... | Line 58... | |||
| 58 | depends on NF_FLOW_TABLE |
58 | depends on NF_FLOW_TABLE |
|
| Line 59... | Line 59... | |||
| 59 | @@ -681,11 +679,12 @@ config NF_FLOW_TABLE_INET |
59 | @@ -675,11 +673,12 @@ config NF_FLOW_TABLE_INET |
|
| 60 | |
60 | |
|
| Line 68... | Line 68... | |||
| 68 | depends on NF_CONNTRACK |
68 | depends on NF_CONNTRACK |
|
| 69 | - depends on NF_TABLES |
69 | - depends on NF_TABLES |
|
| 70 | help |
70 | help |
|
| 71 | This option adds the flow table core infrastructure. |
71 | This option adds the flow table core infrastructure. |
|
| Line 72... | Line 72... | |||
| 72 | |
72 | |
|
| 73 | @@ -974,6 +973,15 @@ config NETFILTER_XT_TARGET_NOTRACK |
73 | @@ -968,6 +967,15 @@ config NETFILTER_XT_TARGET_NOTRACK |
|
| 74 | depends on NETFILTER_ADVANCED |
74 | depends on NETFILTER_ADVANCED |
|
| Line 75... | Line 75... | |||
| 75 | select NETFILTER_XT_TARGET_CT |
75 | select NETFILTER_XT_TARGET_CT |
|
| 76 | |
76 | |
|
| Line 96... | Line 96... | |||
| 96 | obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o |
96 | obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o |
|
| 97 | obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o |
97 | obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o |
|
| 98 | obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o |
98 | obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o |
|
| 99 | --- /dev/null |
99 | --- /dev/null |
|
| 100 | +++ b/net/netfilter/xt_FLOWOFFLOAD.c |
100 | +++ b/net/netfilter/xt_FLOWOFFLOAD.c |
|
| 101 | @@ -0,0 +1,403 @@ |
101 | @@ -0,0 +1,365 @@ |
|
| 102 | +/* |
102 | +/* |
|
| 103 | + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name> |
103 | + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name> |
|
| 104 | + * |
104 | + * |
|
| 105 | + * This program is free software; you can redistribute it and/or modify |
105 | + * This program is free software; you can redistribute it and/or modify |
|
| 106 | + * it under the terms of the GNU General Public License version 2 as |
106 | + * it under the terms of the GNU General Public License version 2 as |
|
| Line 111... | Line 111... | |||
| 111 | +#include <linux/netfilter.h> |
111 | +#include <linux/netfilter.h> |
|
| 112 | +#include <linux/netfilter/xt_FLOWOFFLOAD.h> |
112 | +#include <linux/netfilter/xt_FLOWOFFLOAD.h> |
|
| 113 | +#include <net/ip.h> |
113 | +#include <net/ip.h> |
|
| 114 | +#include <net/netfilter/nf_conntrack.h> |
114 | +#include <net/netfilter/nf_conntrack.h> |
|
| 115 | +#include <net/netfilter/nf_flow_table.h> |
115 | +#include <net/netfilter/nf_flow_table.h> |
|
| 116 | +#include <net/netfilter/nf_conntrack_helper.h> |
- | ||
| 117 | + |
116 | + |
|
| 118 | +static struct nf_flowtable nf_flowtable; |
117 | +static struct nf_flowtable nf_flowtable; |
|
| 119 | +static HLIST_HEAD(hooks); |
118 | +static HLIST_HEAD(hooks); |
|
| 120 | +static DEFINE_SPINLOCK(hooks_lock); |
119 | +static DEFINE_SPINLOCK(hooks_lock); |
|
| 121 | +static struct delayed_work hook_work; |
120 | +static struct delayed_work hook_work; |
|
| Line 325... | Line 324... | |||
| 325 | + this_dst = xt_flowoffload_dst(ct, dir, par); |
324 | + this_dst = xt_flowoffload_dst(ct, dir, par); |
|
| 326 | + other_dst = xt_flowoffload_dst(ct, !dir, par); |
325 | + other_dst = xt_flowoffload_dst(ct, !dir, par); |
|
| 327 | + if (!this_dst || !other_dst) |
326 | + if (!this_dst || !other_dst) |
|
| 328 | + return -ENOENT; |
327 | + return -ENOENT; |
|
| 329 | + |
328 | + |
|
| 330 | + if (dst_xfrm(this_dst) || dst_xfrm(other_dst)) |
- | ||
| 331 | + return -EINVAL; |
- | ||
| 332 | + |
- | ||
| 333 | + route->tuple[dir].dst = this_dst; |
329 | + route->tuple[dir].dst = this_dst; |
|
| 334 | + route->tuple[dir].ifindex = xt_in(par)->ifindex; |
330 | + route->tuple[dir].ifindex = xt_in(par)->ifindex; |
|
| 335 | + route->tuple[!dir].dst = other_dst; |
331 | + route->tuple[!dir].dst = other_dst; |
|
| 336 | + route->tuple[!dir].ifindex = xt_out(par)->ifindex; |
332 | + route->tuple[!dir].ifindex = xt_out(par)->ifindex; |
|
| 337 | + |
333 | + |
|
| Line 345... | Line 341... | |||
| 345 | + enum ip_conntrack_info ctinfo; |
341 | + enum ip_conntrack_info ctinfo; |
|
| 346 | + enum ip_conntrack_dir dir; |
342 | + enum ip_conntrack_dir dir; |
|
| 347 | + struct nf_flow_route route; |
343 | + struct nf_flow_route route; |
|
| 348 | + struct flow_offload *flow; |
344 | + struct flow_offload *flow; |
|
| 349 | + struct nf_conn *ct; |
345 | + struct nf_conn *ct; |
|
| 350 | + const struct nf_conn_help *help; |
- | ||
| 351 | + |
346 | + |
|
| 352 | + if (xt_flowoffload_skip(skb)) |
347 | + if (xt_flowoffload_skip(skb)) |
|
| 353 | + return XT_CONTINUE; |
348 | + return XT_CONTINUE; |
|
| 354 | + |
349 | + |
|
| 355 | + ct = nf_ct_get(skb, &ctinfo); |
350 | + ct = nf_ct_get(skb, &ctinfo); |
|
| Line 365... | Line 360... | |||
| 365 | + break; |
360 | + break; |
|
| 366 | + default: |
361 | + default: |
|
| 367 | + return XT_CONTINUE; |
362 | + return XT_CONTINUE; |
|
| 368 | + } |
363 | + } |
|
| 369 | + |
364 | + |
|
| 370 | + help = nfct_help(ct); |
365 | + if (test_bit(IPS_HELPER_BIT, &ct->status)) |
|
| 371 | + if (help) |
- | ||
| 372 | + return XT_CONTINUE; |
366 | + return XT_CONTINUE; |
|
| 373 | + |
367 | + |
|
| 374 | + if (ctinfo == IP_CT_NEW || |
368 | + if (ctinfo == IP_CT_NEW || |
|
| 375 | + ctinfo == IP_CT_RELATED) |
369 | + ctinfo == IP_CT_RELATED) |
|
| 376 | + return XT_CONTINUE; |
370 | + return XT_CONTINUE; |
|
| Line 442... | Line 436... | |||
| 442 | +static void xt_flowoffload_table_cleanup(struct nf_flowtable *table) |
436 | +static void xt_flowoffload_table_cleanup(struct nf_flowtable *table) |
|
| 443 | +{ |
437 | +{ |
|
| 444 | + nf_flow_table_free(table); |
438 | + nf_flow_table_free(table); |
|
| 445 | +} |
439 | +} |
|
| 446 | + |
440 | + |
|
| 447 | +static int flow_offload_netdev_event(struct notifier_block *this, |
- | ||
| 448 | + unsigned long event, void *ptr) |
- | ||
| 449 | +{ |
- | ||
| 450 | + struct xt_flowoffload_hook *hook = NULL; |
- | ||
| 451 | + struct net_device *dev = netdev_notifier_info_to_dev(ptr); |
- | ||
| 452 | + |
- | ||
| 453 | + if (event != NETDEV_UNREGISTER) |
- | ||
| 454 | + return NOTIFY_DONE; |
- | ||
| 455 | + |
- | ||
| 456 | + spin_lock_bh(&hooks_lock); |
- | ||
| 457 | + hook = flow_offload_lookup_hook(dev); |
- | ||
| 458 | + if (hook) { |
- | ||
| 459 | + hlist_del(&hook->list); |
- | ||
| 460 | + } |
- | ||
| 461 | + spin_unlock_bh(&hooks_lock); |
- | ||
| 462 | + if (hook) { |
- | ||
| 463 | + nf_unregister_net_hook(hook->net, &hook->ops); |
- | ||
| 464 | + kfree(hook); |
- | ||
| 465 | + } |
- | ||
| 466 | + |
- | ||
| 467 | + nf_flow_table_cleanup(dev_net(dev), dev); |
- | ||
| 468 | + |
- | ||
| 469 | + return NOTIFY_DONE; |
- | ||
| 470 | +} |
- | ||
| 471 | + |
- | ||
| 472 | +static struct notifier_block flow_offload_netdev_notifier = { |
- | ||
| 473 | + .notifier_call = flow_offload_netdev_event, |
- | ||
| 474 | +}; |
- | ||
| 475 | + |
- | ||
| 476 | +static int __init xt_flowoffload_tg_init(void) |
441 | +static int __init xt_flowoffload_tg_init(void) |
|
| 477 | +{ |
442 | +{ |
|
| 478 | + int ret; |
443 | + int ret; |
|
| 479 | + |
444 | + |
|
| 480 | + register_netdevice_notifier(&flow_offload_netdev_notifier); |
- | ||
| 481 | + |
- | ||
| 482 | + INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work); |
445 | + INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work); |
|
| 483 | + |
446 | + |
|
| 484 | + ret = xt_flowoffload_table_init(&nf_flowtable); |
447 | + ret = xt_flowoffload_table_init(&nf_flowtable); |
|
| 485 | + if (ret) |
448 | + if (ret) |
|
| 486 | + return ret; |
449 | + return ret; |
|
| Line 494... | Line 457... | |||
| 494 | + |
457 | + |
|
| 495 | +static void __exit xt_flowoffload_tg_exit(void) |
458 | +static void __exit xt_flowoffload_tg_exit(void) |
|
| 496 | +{ |
459 | +{ |
|
| 497 | + xt_unregister_target(&offload_tg_reg); |
460 | + xt_unregister_target(&offload_tg_reg); |
|
| 498 | + xt_flowoffload_table_cleanup(&nf_flowtable); |
461 | + xt_flowoffload_table_cleanup(&nf_flowtable); |
|
| 499 | + unregister_netdevice_notifier(&flow_offload_netdev_notifier); |
- | ||
| 500 | +} |
462 | +} |
|
| 501 | + |
463 | + |
|
| 502 | +MODULE_LICENSE("GPL"); |
464 | +MODULE_LICENSE("GPL"); |
|
| 503 | +module_init(xt_flowoffload_tg_init); |
465 | +module_init(xt_flowoffload_tg_init); |
|
| 504 | +module_exit(xt_flowoffload_tg_exit); |
466 | +module_exit(xt_flowoffload_tg_exit); |
|