netdev.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: kaber@trash.net
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 13/19] netfilter: ip6tables: add MASQUERADE target
Date: Fri, 17 Aug 2012 15:11:57 +0200
Message-ID: <20120817131157.GA23832@1984>
In-Reply-To: <1344542943-11588-14-git-send-email-kaber@trash.net>

Hi Patrick,

On Thu, Aug 09, 2012 at 10:08:57PM +0200, kaber@trash.net wrote:
> From: Patrick McHardy <kaber@trash.net>
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> ---
>  include/net/addrconf.h               |    2 +-
>  net/ipv4/netfilter/ipt_MASQUERADE.c  |    3 +-
>  net/ipv6/addrconf.c                  |    2 +-
>  net/ipv6/netfilter/Kconfig           |   12 +++
>  net/ipv6/netfilter/Makefile          |    1 +
>  net/ipv6/netfilter/ip6t_MASQUERADE.c |  135 ++++++++++++++++++++++++++++++++++
>  6 files changed, 152 insertions(+), 3 deletions(-)
>  create mode 100644 net/ipv6/netfilter/ip6t_MASQUERADE.c

Please, add this chunk to this patch:

diff --git a/include/net/netfilter/nf_nat.h
b/include/net/netfilter/nf_nat.h
index 1752f133..bd8eea7 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -43,7 +43,9 @@ struct nf_conn_nat {
        struct nf_conn *ct;
        union nf_conntrack_nat_help help;
 #if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
-    defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
+    defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) || \
+    defined(CONFIG_IP6_NF_TARGET_MASQUERADE) || \
+    defined(CONFIG_IP6_NF_TARGET_MASQUERADE_MODULE)
        int masq_index;
 #endif
 };
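Review bot: the four-way preprocessor condition can be collapsed with IS_ENABLED(), which covers both the built-in and the =m symbol, e.g. `#if IS_ENABLED(CONFIG_IP_NF_TARGET_MASQUERADE) || IS_ENABLED(CONFIG_IP6_NF_TARGET_MASQUERADE)`; that keeps the guard readable, and since it only saves the one `int masq_index` per nf_conn_nat, dropping the guard altogether is the other reasonable option. Whichever form is kept, the condition has to match everywhere masq_index is referenced, because a mismatch is exactly the IPv4-NAT-off, IPv6-NAT-on build failure this mail reports.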

Otherwise, compilation breaks with:

* IPv4 NAT is disabled
* IPv6 NAT enabled.

And yes, that pile of ifdefs is really ugly, I wonder if they are
worth it for saving 4 bytes. I think most vendors usually include
MASQUERADE support if NAT is enabled.

It seems we have the tradition of keeping several similar compile time
options in Netfilter to optimize memory in several situations (at the
cost of polluting the code with ifdefs). Probably we can think of
getting rid of them.

> diff --git a/include/net/addrconf.h b/include/net/addrconf.h
> index 089a09d..9e63e76 100644
> --- a/include/net/addrconf.h
> +++ b/include/net/addrconf.h
> @@ -78,7 +78,7 @@ extern struct inet6_ifaddr      *ipv6_get_ifaddr(struct net *net,
>  						 int strict);
>  
>  extern int			ipv6_dev_get_saddr(struct net *net,
> -					       struct net_device *dev,
> +					       const struct net_device *dev,
>  					       const struct in6_addr *daddr,
>  					       unsigned int srcprefs,
>  					       struct in6_addr *saddr);
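Review bot: the const qualification is what allows the new target to hand par->out straight to ipv6_dev_get_saddr(), since xt_action_param carries the output device as `const struct net_device *` (see the call `ipv6_dev_get_saddr(dev_net(par->out), par->out, ...)` in ip6t_MASQUERADE.c). Adding const to a parameter is source-compatible for existing callers, and the definition in net/ipv6/addrconf.c is changed to match in the same patch, so nothing further is needed here beyond noting the dependency in the changelog.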
> diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
> index 1c3aa28..5d5d4d1 100644
> --- a/net/ipv4/netfilter/ipt_MASQUERADE.c
> +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
> @@ -99,7 +99,8 @@ device_cmp(struct nf_conn *i, void *ifindex)
>  
>  	if (!nat)
>  		return 0;
> -
> +	if (nf_ct_l3num(i) != NFPROTO_IPV4)
> +		return 0;
>  	return nat->masq_index == (int)(long)ifindex;
>  }
>  
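Review bot: the new nf_ct_l3num() check in device_cmp() is needed now that struct nf_conn_nat and its masq_index are shared by the IPv4 and IPv6 targets; without it an address event delivered to the IPv4 module's inetaddr notifier would also flush IPv6 masqueraded connections bound to the same ifindex, and vice versa. A one-line comment saying so would help, since in isolation the check looks redundant; ip6t_MASQUERADE.c below carries the mirror-image NFPROTO_IPV6 test.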
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 7918181..6536404 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -1095,7 +1095,7 @@ out:
>  	return ret;
>  }
>  
> -int ipv6_dev_get_saddr(struct net *net, struct net_device *dst_dev,
> +int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
>  		       const struct in6_addr *daddr, unsigned int prefs,
>  		       struct in6_addr *saddr)
>  {
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index b27e0ad..54a5032 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -144,6 +144,18 @@ config IP6_NF_TARGET_HL
>  	(e.g. when running oldconfig). It selects
>  	CONFIG_NETFILTER_XT_TARGET_HL.
>  
> +config IP6_NF_TARGET_MASQUERADE
> +	tristate "MASQUERADE target support"
> +	depends on NF_NAT_IPV6
> +	help
> +	  Masquerading is a special case of NAT: all outgoing connections are
> +	  changed to seem to come from a particular interface's address, and
> +	  if the interface goes down, those connections are lost.  This is
> +	  only useful for dialup accounts with dynamic IP address (ie. your IP
> +	  address will be different on next dialup).
> +
> +	  To compile it as a module, choose M here.  If unsure, say N.
> +
>  config IP6_NF_FILTER
>  	tristate "Packet filtering"
>  	default m if NETFILTER_ADVANCED=n
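Review bot: the help text is copied verbatim from the IPv4 option, including the dialup/dynamic-IP rationale, and nowhere says that this is the IPv6 variant; for IPv6 the case it serves is an interface whose global address or delegated prefix changes, so say that, and mention that masqueraded connections are flushed when the interface goes down or loses its address (which is what the notifiers in ip6t_MASQUERADE.c do). That also helps users tell it apart from IP_NF_TARGET_MASQUERADE in menuconfig.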
> diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> index 7677937..068bad1 100644
> --- a/net/ipv6/netfilter/Makefile
> +++ b/net/ipv6/netfilter/Makefile
> @@ -34,4 +34,5 @@ obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
>  obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
>  
>  # targets
> +obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
>  obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
> diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c
> new file mode 100644
> index 0000000..60e9053
> --- /dev/null
> +++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
> @@ -0,0 +1,135 @@
> +/*
> + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + * Based on Rusty Russell's IPv6 MASQUERADE target. Development of IPv6
> + * NAT funded by Astaro.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/module.h>
> +#include <linux/netdevice.h>
> +#include <linux/ipv6.h>
> +#include <linux/netfilter.h>
> +#include <linux/netfilter_ipv6.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <net/netfilter/nf_nat.h>
> +#include <net/addrconf.h>
> +#include <net/ipv6.h>
> +
> +static unsigned int
> +masquerade_tg6(struct sk_buff *skb, const struct xt_action_param *par)
> +{
> +	const struct nf_nat_range *range = par->targinfo;
> +	enum ip_conntrack_info ctinfo;
> +	struct in6_addr src;
> +	struct nf_conn *ct;
> +	struct nf_nat_range newrange;
> +
> +	ct = nf_ct_get(skb, &ctinfo);
> +	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
> +			    ctinfo == IP_CT_RELATED_REPLY));
> +
> +	if (ipv6_dev_get_saddr(dev_net(par->out), par->out,
> +			       &ipv6_hdr(skb)->daddr, 0, &src) < 0)
> +		return NF_DROP;
> +
> +	nfct_nat(ct)->masq_index = par->out->ifindex;
> +
> +	newrange.flags		= range->flags | NF_NAT_RANGE_MAP_IPS;
> +	newrange.min_addr.in6	= src;
> +	newrange.max_addr.in6	= src;
> +	newrange.min_proto	= range->min_proto;
> +	newrange.max_proto	= range->max_proto;
> +
> +	return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
> +}
> +
> +static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
> +{
> +	const struct nf_nat_range *range = par->targinfo;
> +
> +	if (range->flags & NF_NAT_RANGE_MAP_IPS)
> +		return -EINVAL;
> +	return 0;
> +}
> +
> +static int device_cmp(struct nf_conn *ct, void *ifindex)
> +{
> +	const struct nf_conn_nat *nat = nfct_nat(ct);
> +
> +	if (!nat)
> +		return 0;
> +	if (nf_ct_l3num(ct) != NFPROTO_IPV6)
> +		return 0;
> +	return nat->masq_index == (int)(long)ifindex;
> +}
> +
> +static int masq_device_event(struct notifier_block *this,
> +			     unsigned long event, void *ptr)
> +{
> +	const struct net_device *dev = ptr;
> +	struct net *net = dev_net(dev);
> +
> +	if (event == NETDEV_DOWN)
> +		nf_ct_iterate_cleanup(net, device_cmp,
> +				      (void *)(long)dev->ifindex);
> +
> +	return NOTIFY_DONE;
> +}
> +
> +static struct notifier_block masq_dev_notifier = {
> +	.notifier_call	= masq_device_event,
> +};
> +
> +static int masq_inet_event(struct notifier_block *this,
> +			   unsigned long event, void *ptr)
> +{
> +	struct inet6_ifaddr *ifa = ptr;
> +
> +	return masq_device_event(this, event, ifa->idev->dev);
> +}
> +
> +static struct notifier_block masq_inet_notifier = {
> +	.notifier_call	= masq_inet_event,
> +};
> +
> +static struct xt_target masquerade_tg6_reg __read_mostly = {
> +	.name		= "MASQUERADE",
> +	.family		= NFPROTO_IPV6,
> +	.checkentry	= masquerade_tg6_checkentry,
> +	.target		= masquerade_tg6,
> +	.targetsize	= sizeof(struct nf_nat_range),
> +	.table		= "nat",
> +	.hooks		= 1 << NF_INET_POST_ROUTING,
> +	.me		= THIS_MODULE,
> +};
> +
> +static int __init masquerade_tg6_init(void)
> +{
> +	int err;
> +
> +	err = xt_register_target(&masquerade_tg6_reg);
> +	if (err == 0) {
> +		register_netdevice_notifier(&masq_dev_notifier);
> +		register_inet6addr_notifier(&masq_inet_notifier);
> +	}
> +
> +	return err;
> +}
> +static void __exit masquerade_tg6_exit(void)
> +{
> +	unregister_inet6addr_notifier(&masq_inet_notifier);
> +	unregister_netdevice_notifier(&masq_dev_notifier);
> +	xt_unregister_target(&masquerade_tg6_reg);
> +}
> +
> +module_init(masquerade_tg6_init);
> +module_exit(masquerade_tg6_exit);
> +
> +MODULE_LICENSE("GPL");
> +MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
> +MODULE_DESCRIPTION("Xtables: automatic address SNAT");
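Review bot: masquerade_tg6_init() ignores the return values of register_netdevice_notifier() and register_inet6addr_notifier(); if either fails the target stays registered, but masqueraded connections would never be flushed on NETDEV_DOWN or address removal, leaving NAT mappings bound to a source address the interface no longer owns. Check both and unwind on error (unregister the earlier notifier, then xt_unregister_target()). Two smaller points: the header comment says "Based on Rusty Russell's IPv6 MASQUERADE target" where IPv4 is meant, and a blank line is missing between masquerade_tg6_init() and masquerade_tg6_exit().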
> -- 
> 1.7.1
> 

Thread overview (67+ messages):
2012-08-09 20:08 [PATCH 00/19] netfilter: IPv6 NAT kaber
2012-08-09 20:08 ` [PATCH 01/19] netfilter: nf_ct_sip: fix helper name kaber
2012-08-14  0:00   ` Pablo Neira Ayuso
2012-08-09 20:08 ` [PATCH 02/19] netfilter: nf_ct_sip: fix IPv6 address parsing kaber
2012-08-14  0:19   ` Pablo Neira Ayuso
2012-08-09 20:08 ` [PATCH 03/19] netfilter: nf_nat_sip: fix via header translation with multiple parameters kaber
2012-08-14  0:28   ` Pablo Neira Ayuso
2012-08-14 12:23     ` Patrick McHardy
2012-08-09 20:08 ` [PATCH 04/19] ipv4: fix path MTU discovery with connection tracking kaber
2012-08-09 20:08 ` [PATCH 05/19] netfilter: nf_conntrack_ipv6: improve fragmentation handling kaber
2012-08-17  8:06   ` Jesper Dangaard Brouer
2012-08-18 12:26     ` Patrick McHardy
2012-08-19 19:37       ` Jesper Dangaard Brouer
2012-08-19 19:44         ` Patrick McHardy
2012-08-20 13:13           ` Jesper Dangaard Brouer
2012-08-22 22:21             ` Patrick McHardy
2012-08-21 22:21           ` Jesper Dangaard Brouer
2012-08-26 21:20             ` Patrick McHardy
2012-08-27 10:13               ` Jesper Dangaard Brouer
2012-08-27 10:41                 ` Patrick McHardy
2012-08-27 14:40                   ` [PATCH 0/2] net: ipvs and netfilter IPv6 defrag MTU handling Jesper Dangaard Brouer
2012-08-27 14:40                     ` [PATCH 1/2] ipvs: IPv6 MTU checking cleanup and bugfix Jesper Dangaard Brouer
2012-08-27 14:42                     ` [PATCH 2/2] ipvs: Extend MTU check to account for IPv6 NAT defrag changes Jesper Dangaard Brouer
2012-08-27 15:20                       ` Julian Anastasov
2012-08-28  8:22                         ` Patrick McHardy
2012-08-28  8:28                           ` Simon Horman
2012-08-28 14:21                           ` [PATCH V2 0/2] net: ipvs and netfilter IPv6 defrag MTU handling Jesper Dangaard Brouer
2012-08-28 14:22                             ` [PATCH V2 1/2] ipvs: IPv6 MTU checking cleanup and bugfix Jesper Dangaard Brouer
2012-08-28 20:08                               ` Patrick McHardy
2012-08-28 14:23                             ` [PATCH V2 2/2] ipvs: Extend MTU check to account for IPv6 NAT defrag changes Jesper Dangaard Brouer
2012-08-28 14:49                               ` Eric Dumazet
2012-08-29  7:02                                 ` Jesper Dangaard Brouer
2012-08-29  8:43                                   ` Eric Dumazet
2012-08-29  9:04                                     ` Jesper Dangaard Brouer
2012-08-28 20:10                               ` Patrick McHardy
2012-08-28  9:03                         ` [PATCH " Jesper Dangaard Brouer
2012-08-28  9:47                           ` Julian Anastasov
2012-08-17 13:36   ` [PATCH 05/19] netfilter: nf_conntrack_ipv6: improve fragmentation handling Pablo Neira Ayuso
2012-08-18 12:43     ` Patrick McHardy
2012-08-09 20:08 ` [PATCH 06/19] netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments kaber
2012-08-09 20:08 ` [PATCH 07/19] netfilter: nf_conntrack: restrict NAT helper invocation to IPv4 kaber
2012-08-09 20:08 ` [PATCH 08/19] netfilter: nf_nat: add protoff argument to packet mangling functions kaber
2012-08-09 20:08 ` [PATCH 09/19] netfilter: add protocol independant NAT core kaber
2012-08-09 20:08 ` [PATCH 10/19] netfilter: ipv6: expand skb head in ip6_route_me_harder after oif change kaber
2012-08-09 20:08 ` [PATCH 11/19] net: core: add function for incremental IPv6 pseudo header checksum updates kaber
2012-08-09 20:08 ` [PATCH 12/19] netfilter: ipv6: add IPv6 NAT support kaber
2012-08-09 20:08 ` [PATCH 13/19] netfilter: ip6tables: add MASQUERADE target kaber
2012-08-17 13:11   ` Pablo Neira Ayuso [this message]
2012-08-18 12:31     ` Patrick McHardy
2012-08-09 20:08 ` [PATCH 14/19] netfilter: ip6tables: add REDIRECT target kaber
2012-08-09 20:08 ` [PATCH 15/19] netfilter: ip6tables: add NETMAP target kaber
2012-08-09 20:09 ` [PATCH 16/19] netfilter: nf_nat: support IPv6 in FTP NAT helper kaber
2012-08-09 20:09 ` [PATCH 17/19] netfilter: nf_nat: support IPv6 in amanda " kaber
2012-08-09 20:09 ` [PATCH 18/19] netfilter: nf_nat: support IPv6 in SIP " kaber
2012-08-09 20:09 ` [PATCH 19/19] netfilter: ip6tables: add stateless IPv6-to-IPv6 Network Prefix Translation target kaber
2012-08-09 21:55   ` Jan Engelhardt
2012-08-09 22:25     ` Patrick McHardy
2012-08-09 20:56 ` [PATCH 00/19] netfilter: IPv6 NAT Eric W. Biederman
2012-08-09 21:52   ` Patrick McHardy
2012-08-09 22:00 ` Pablo Neira Ayuso
2012-08-09 22:30   ` Patrick McHardy
2012-08-17 13:42 ` Pablo Neira Ayuso
2012-08-18 12:46   ` Patrick McHardy
2012-08-25  0:58 ` Andre Tomt
2012-08-25  1:16   ` Andre Tomt
2012-08-26 18:06     ` Patrick McHardy
2012-08-27  7:33   ` Florian Weimer
