* [PATCH v3 1/2] netfilter: ipt_addrtype: rename to xt_addrtype
@ 2011-03-15 18:49 Florian Westphal
2011-03-15 18:49 ` [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support Florian Westphal
2011-03-15 19:41 ` [PATCH v3 1/2] netfilter: ipt_addrtype: rename to xt_addrtype Patrick McHardy
From: Florian Westphal @ 2011-03-15 18:49 UTC (permalink / raw)
To: netfilter-devel
From: Florian Westphal <fwestphal@astaro.com>
A follow-up patch will add ipv6 support.
ipt_addrtype.h is retained for compatibility reasons,
but no longer used by the kernel.
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
---
No changes in V3.
Changes in V2 were:
- keep netfilter_ipv4/ipt_addrtype.h around for the time being
and add it to feature-removal-schedule. It's not used anymore, though.
Documentation/feature-removal-schedule.txt | 8 +++++
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_addrtype.h | 27 +++++++++++++++++
net/ipv4/netfilter/Kconfig | 10 ------
net/ipv4/netfilter/Makefile | 1 -
net/netfilter/Kconfig | 10 ++++++
net/netfilter/Makefile | 1 +
.../ipt_addrtype.c => netfilter/xt_addrtype.c} | 31 ++++++++++---------
8 files changed, 63 insertions(+), 26 deletions(-)
create mode 100644 include/linux/netfilter/xt_addrtype.h
rename net/{ipv4/netfilter/ipt_addrtype.c => netfilter/xt_addrtype.c} (79%)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 05b248a..a7ee7cf 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -618,3 +618,11 @@ Who: Jan Engelhardt <jengelh@medozas.de>
Files: net/netfilter/xt_connlimit.c
----------------------------
+
+What: ipt_addrtype match include file
+When: 2012
+Why: superseded by xt_addrtype
+Who: Florian Westphal <fw@strlen.de>
+Files: include/linux/netfilter_ipv4/ipt_addrtype.h
+
+----------------------------
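Review bot: the removal entry gives no migration hint for the file it schedules. Since ipt_addrtype.h is kept only for compatibility and the kernel no longer reads it, the `Why:` line should say so and point at include/linux/netfilter/xt_addrtype.h as the replacement, so that userspace maintainers who hit this entry know what to include instead.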
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 15e83bf..a1b410c 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -29,6 +29,7 @@ header-y += xt_TCPMSS.h
header-y += xt_TCPOPTSTRIP.h
header-y += xt_TEE.h
header-y += xt_TPROXY.h
+header-y += xt_addrtype.h
header-y += xt_cluster.h
header-y += xt_comment.h
header-y += xt_connbytes.h
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h
new file mode 100644
index 0000000..b492fc8
--- /dev/null
+++ b/include/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,27 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+#include <linux/types.h>
+
+enum {
+ XT_ADDRTYPE_INVERT_SOURCE = 0x0001,
+ XT_ADDRTYPE_INVERT_DEST = 0x0002,
+ XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
+ XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
+};
+
+struct xt_addrtype_info_v1 {
+ __u16 source; /* source-type mask */
+ __u16 dest; /* dest-type mask */
+ __u32 flags;
+};
+
+/* revision 0 */
+struct xt_addrtype_info {
+ __u16 source; /* source-type mask */
+ __u16 dest; /* dest-type mask */
+ __u32 invert_source;
+ __u32 invert_dest;
+};
+
+#endif
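Review bot: the header lists revision 1 before revision 0 and only the second struct carries a `/* revision 0 */` marker; order them by revision or label both so the xt_addrtype_info / xt_addrtype_info_v1 pairing with `.revision` in addrtype_mt_reg[] is obvious. Nothing here defines the address-type bits that `source` and `dest` are masked with, so a program that includes only this header still has to derive them from the RTN_* values in rtnetlink.h; if the type bits are meant to become part of this ABI they belong here rather than only in the follow-up.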
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f926a31..1dfc18a 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -64,16 +64,6 @@ config IP_NF_IPTABLES
if IP_NF_IPTABLES
# The matches.
-config IP_NF_MATCH_ADDRTYPE
- tristate '"addrtype" address type match support'
- depends on NETFILTER_ADVANCED
- help
- This option allows you to match what routing thinks of an address,
- eg. UNICAST, LOCAL, BROADCAST, ...
-
- If you want to compile it as a module, say M here and read
- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
-
config IP_NF_MATCH_AH
tristate '"ah" match support'
depends on NETFILTER_ADVANCED
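Review bot: IP_NF_MATCH_ADDRTYPE disappears without any reference to its successor. A .config carrying CONFIG_IP_NF_MATCH_ADDRTYPE=m that is reused by a scripted build will silently lose the addrtype match, since the new symbol has a different name and nothing in this patch connects the two; at least mention the rename in the feature-removal entry or the new help text so people know to enable NETFILTER_XT_MATCH_ADDRTYPE.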
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 19eb59d..dca2082 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -48,7 +48,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
-obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 82a6e0d..32bff6d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -649,6 +649,16 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
comment "Xtables matches"
+config NETFILTER_XT_MATCH_ADDRTYPE
+ tristate '"addrtype" address type match support'
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option allows you to match what routing thinks of an address,
+ eg. UNICAST, LOCAL, BROADCAST, ...
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+
config NETFILTER_XT_MATCH_CLUSTER
tristate '"cluster" match support'
depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index d57a890..1a02853 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -70,6 +70,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_IDLETIMER) += xt_IDLETIMER.o
# matches
+obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/netfilter/xt_addrtype.c
similarity index 79%
rename from net/ipv4/netfilter/ipt_addrtype.c
rename to net/netfilter/xt_addrtype.c
index db8bff0..e89c0b8 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -16,12 +16,13 @@
#include <linux/ip.h>
#include <net/route.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter/xt_addrtype.h>
#include <linux/netfilter/x_tables.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables: address type match for IPv4");
+MODULE_DESCRIPTION("Xtables: address type match");
+MODULE_ALIAS("ipt_addrtype");
static inline bool match_type(struct net *net, const struct net_device *dev,
__be32 addr, u_int16_t mask)
@@ -33,7 +34,7 @@ static bool
addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
- const struct ipt_addrtype_info *info = par->matchinfo;
+ const struct xt_addrtype_info *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
bool ret = true;
@@ -51,31 +52,31 @@ static bool
addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
- const struct ipt_addrtype_info_v1 *info = par->matchinfo;
+ const struct xt_addrtype_info_v1 *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
const struct net_device *dev = NULL;
bool ret = true;
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN)
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
dev = par->in;
- else if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT)
+ else if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
dev = par->out;
if (info->source)
ret &= match_type(net, dev, iph->saddr, info->source) ^
- (info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
+ (info->flags & XT_ADDRTYPE_INVERT_SOURCE);
if (ret && info->dest)
ret &= match_type(net, dev, iph->daddr, info->dest) ^
- !!(info->flags & IPT_ADDRTYPE_INVERT_DEST);
+ !!(info->flags & XT_ADDRTYPE_INVERT_DEST);
return ret;
}
static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
{
- struct ipt_addrtype_info_v1 *info = par->matchinfo;
+ struct xt_addrtype_info_v1 *info = par->matchinfo;
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
- info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
+ info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
pr_info("both incoming and outgoing "
"interface limitation cannot be selected\n");
return -EINVAL;
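Review bot: addrtype_mt_checkentry_v1 only validates the LIMIT_IFACE_IN/OUT combination; any other bit in info->flags is accepted, so a rule written by a newer iptables with a flag this kernel does not know would be silently matched without it. Consider adding `if (info->flags & ~(XT_ADDRTYPE_INVERT_SOURCE | XT_ADDRTYPE_INVERT_DEST | XT_ADDRTYPE_LIMIT_IFACE_IN | XT_ADDRTYPE_LIMIT_IFACE_OUT)) return -EINVAL;`. While touching addrtype_mt_v1: the source side XORs with the raw `info->flags & XT_ADDRTYPE_INVERT_SOURCE`, which only works because that flag happens to be 0x0001, whereas the dest side already uses `!!(...)`; giving the source side the same `!!` removes the hidden dependency on the flag value.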
@@ -83,7 +84,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN)) &&
- info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
pr_info("output interface limitation "
"not valid in PREROUTING and INPUT\n");
return -EINVAL;
@@ -91,7 +92,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT)) &&
- info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
pr_info("input interface limitation "
"not valid in POSTROUTING and OUTPUT\n");
return -EINVAL;
@@ -105,7 +106,7 @@ static struct xt_match addrtype_mt_reg[] __read_mostly = {
.name = "addrtype",
.family = NFPROTO_IPV4,
.match = addrtype_mt_v0,
- .matchsize = sizeof(struct ipt_addrtype_info),
+ .matchsize = sizeof(struct xt_addrtype_info),
.me = THIS_MODULE
},
{
@@ -114,7 +115,7 @@ static struct xt_match addrtype_mt_reg[] __read_mostly = {
.revision = 1,
.match = addrtype_mt_v1,
.checkentry = addrtype_mt_checkentry_v1,
- .matchsize = sizeof(struct ipt_addrtype_info_v1),
+ .matchsize = sizeof(struct xt_addrtype_info_v1),
.me = THIS_MODULE
}
};
--
1.7.3.4
* [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-15 18:49 [PATCH v3 1/2] netfilter: ipt_addrtype: rename to xt_addrtype Florian Westphal
@ 2011-03-15 18:49 ` Florian Westphal
2011-03-15 19:41 ` Patrick McHardy
2011-03-16 13:54 ` Patrick McHardy
2011-03-15 19:41 ` [PATCH v3 1/2] netfilter: ipt_addrtype: rename to xt_addrtype Patrick McHardy
From: Florian Westphal @ 2011-03-15 18:49 UTC (permalink / raw)
To: netfilter-devel
From: Florian Westphal <fwestphal@astaro.com>
No new match revision is introduced, as binary compatibility
is not broken (XT_ADDRTYPE_ values match the RTN_ "bitshifted"
ones used by old iptables userspace).
The kernel will refuse certain types that do not work in ipv6 mode.
We can then add these features incrementally without risk of userspace
breakage.
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
---
Changes in V3: disallow xt_addrtype=y when ipv6=m, it caused linker errors.
include/linux/netfilter/xt_addrtype.h | 17 ++++++
net/netfilter/Kconfig | 1 +
net/netfilter/xt_addrtype.c | 98 ++++++++++++++++++++++++++++++++-
3 files changed, 114 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h
index b492fc8..b156baa 100644
--- a/include/linux/netfilter/xt_addrtype.h
+++ b/include/linux/netfilter/xt_addrtype.h
@@ -10,6 +10,23 @@ enum {
XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
};
+
+/* rtn_type enum values from rtnetlink.h, but shifted */
+enum {
+ XT_ADDRTYPE_UNSPEC = 1 << 0,
+ XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */
+ XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */
+ XT_ADDRTYPE_BROADCAST = 1 << 3,
+ XT_ADDRTYPE_ANYCAST = 1 << 4,
+ XT_ADDRTYPE_MULTICAST = 1 << 5,
+ XT_ADDRTYPE_BLACKHOLE = 1 << 6,
+ XT_ADDRTYPE_UNREACHABLE = 1 << 7,
+ XT_ADDRTYPE_PROHIBIT = 1 << 8,
+ XT_ADDRTYPE_THROW = 1 << 9,
+ XT_ADDRTYPE_NAT = 1 << 10,
+ XT_ADDRTYPE_XRESOLVE = 1 << 11,
+};
+
struct xt_addrtype_info_v1 {
__u16 source; /* source-type mask */
__u16 dest; /* dest-type mask */
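Review bot: the comment says these are the RTN_* values shifted, and the commit message makes userspace compatibility depend on exactly that, but nothing enforces it. Add a compile-time check in xt_addrtype.c (the uapi header cannot pull in rtnetlink.h itself), for example `BUILD_BUG_ON(XT_ADDRTYPE_UNICAST != 1 << RTN_UNICAST);` and the same for LOCAL and XRESOLVE in the module init, so a later edit to either enum fails the build instead of silently reinterpreting existing rules.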
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 32bff6d..c3f988a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -652,6 +652,7 @@ comment "Xtables matches"
config NETFILTER_XT_MATCH_ADDRTYPE
tristate '"addrtype" address type match support'
depends on NETFILTER_ADVANCED
+ depends on (IPV6 || IPV6=n)
---help---
This option allows you to match what routing thinks of an address,
eg. UNICAST, LOCAL, BROADCAST, ...
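Review bot: the new dependency is expressed in terms of IPV6, but the code in xt_addrtype.c is guarded by CONFIG_IP6_NF_IPTABLES / CONFIG_IP6_NF_IPTABLES_MODULE. With IPV6=y and IP6_NF_IPTABLES=n the revision-1 match is still registered as NFPROTO_UNSPEC without its IPv6 branch; either key the `#if` on CONFIG_IPV6 (which is what the link dependency is actually about) or make this `depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)` so Kconfig and the preprocessor guards agree.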
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index e89c0b8..2220b85 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -16,6 +16,12 @@
#include <linux/ip.h>
#include <net/route.h>
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#include <net/ipv6.h>
+#include <net/ip6_route.h>
+#include <net/ip6_fib.h>
+#endif
+
#include <linux/netfilter/xt_addrtype.h>
#include <linux/netfilter/x_tables.h>
@@ -23,6 +29,73 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Xtables: address type match");
MODULE_ALIAS("ipt_addrtype");
+MODULE_ALIAS("ip6t_addrtype");
+
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+static u32 xt_addrtype_rt6_to_type(const struct rt6_info *rt)
+{
+ u32 ret;
+
+ if (!rt)
+ return XT_ADDRTYPE_UNREACHABLE;
+
+ if (rt->rt6i_flags & RTF_REJECT)
+ ret = XT_ADDRTYPE_UNREACHABLE;
+ else
+ ret = 0;
+
+ if (rt->rt6i_flags & RTF_LOCAL)
+ ret |= XT_ADDRTYPE_LOCAL;
+ if (rt->rt6i_flags & RTF_ANYCAST)
+ ret |= XT_ADDRTYPE_ANYCAST;
+ return ret;
+}
+
+static bool match_type6(struct net *net, const struct net_device *dev,
+ const struct in6_addr *addr, u16 mask)
+{
+ int addr_type = ipv6_addr_type(addr);
+
+ if ((mask & XT_ADDRTYPE_MULTICAST) &&
+ !(addr_type & IPV6_ADDR_MULTICAST))
+ return false;
+ if ((mask & XT_ADDRTYPE_UNICAST) && !(addr_type & IPV6_ADDR_UNICAST))
+ return false;
+ if ((mask & XT_ADDRTYPE_UNSPEC) && addr_type != IPV6_ADDR_ANY)
+ return false;
+
+ if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST |
+ XT_ADDRTYPE_UNREACHABLE) & mask) {
+ struct rt6_info *rt;
+ u32 type;
+ int ifindex = dev ? dev->ifindex : 0;
+
+ rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
+
+ type = xt_addrtype_rt6_to_type(rt);
+
+ dst_release(&rt->dst);
+ return !!(mask & type);
+ }
+ return true;
+}
+
+static bool
+addrtype_mt6(struct net *net, const struct net_device *dev,
+ const struct sk_buff *skb, const struct xt_addrtype_info_v1 *info)
+{
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ bool ret = true;
+
+ if (info->source)
+ ret &= match_type6(net, dev, &iph->saddr, info->source) ^
+ (info->flags & XT_ADDRTYPE_INVERT_SOURCE);
+ if (ret && info->dest)
+ ret &= match_type6(net, dev, &iph->daddr, info->dest) ^
+ !!(info->flags & XT_ADDRTYPE_INVERT_DEST);
+ return ret;
+}
+#endif
static inline bool match_type(struct net *net, const struct net_device *dev,
__be32 addr, u_int16_t mask)
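Review bot: in match_type6, `dst_release(&rt->dst)` runs even when rt6_lookup() returned NULL; it avoids a crash only because dst is the first member of struct rt6_info and dst_release() tolerates a NULL pointer, which is formally undefined behaviour and fragile. Return early instead: `if (!rt) return !!(mask & XT_ADDRTYPE_UNREACHABLE);` and drop the NULL case from xt_addrtype_rt6_to_type(). addrtype_mt6 also copies the asymmetric invert handling from the IPv4 path (raw `info->flags & XT_ADDRTYPE_INVERT_SOURCE` for source, `!!` for dest); use `!!` on both sides.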
@@ -53,7 +126,7 @@ addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
const struct xt_addrtype_info_v1 *info = par->matchinfo;
- const struct iphdr *iph = ip_hdr(skb);
+ const struct iphdr *iph;
const struct net_device *dev = NULL;
bool ret = true;
@@ -62,6 +135,11 @@ addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
else if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
dev = par->out;
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+ if (par->family == NFPROTO_IPV6)
+ return addrtype_mt6(net, dev, skb, info);
+#endif
+ iph = ip_hdr(skb);
if (info->source)
ret &= match_type(net, dev, iph->saddr, info->source) ^
(info->flags & XT_ADDRTYPE_INVERT_SOURCE);
@@ -98,6 +176,22 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
return -EINVAL;
}
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+ if (par->family == NFPROTO_IPV6) {
+ if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
+ pr_err("ipv6 BLACKHOLE matching not supported\n");
+ return -EINVAL;
+ }
+ if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
+ pr_err("ipv6 PROHIBT (THROW, NAT ..) matching not supported\n");
+ return -EINVAL;
+ }
+ if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
+ pr_err("ipv6 does not support BROADCAST matching\n");
+ return -EINVAL;
+ }
+ }
+#endif
return 0;
}
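Review bot: the second pr_err string has a typo ("PROHIBT"), and the `>= XT_ADDRTYPE_PROHIBIT` comparison also rejects XRESOLVE, which the message does not mention. A mask test against `XT_ADDRTYPE_PROHIBIT | XT_ADDRTYPE_THROW | XT_ADDRTYPE_NAT | XT_ADDRTYPE_XRESOLVE` with a message naming all four would be clearer, and the three IPv6 checks could then be folded into one unsupported-types constant that is easy to shrink as support is added incrementally.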
@@ -111,7 +205,7 @@ static struct xt_match addrtype_mt_reg[] __read_mostly = {
},
{
.name = "addrtype",
- .family = NFPROTO_IPV4,
+ .family = NFPROTO_UNSPEC,
.revision = 1,
.match = addrtype_mt_v1,
.checkentry = addrtype_mt_checkentry_v1,
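Review bot: with `.family = NFPROTO_UNSPEC` the revision-1 match is returned by xt_find_match() for every xtables family, not only iptables and ip6tables, and addrtype_mt_v1 treats any packet whose family is not NFPROTO_IPV6 as IPv4 and calls ip_hdr() on it. checkentry should reject `par->family` other than NFPROTO_IPV4 and NFPROTO_IPV6 (and NFPROTO_IPV6 too when the v6 code is compiled out), or revision 1 should stay per-family with two registrations.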
--
1.7.3.4
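The revision-1 match semantics and the IPv6 restrictions described by the two patches above, as an added userspace example (not code from the patch or from the kernel tree): it copies the XT_ADDRTYPE_* enums and struct layout from the patches and the RTN_* values from <linux/rtnetlink.h>, models the FIB answer as a plain RTN_* value instead of doing a route lookup, and normalises the invert flag with `!!` on both sides, which the patch does only for the destination. A second function keeps the destination expression without the `!!` to show what a mask-valued flag does to a boolean XOR. The helper names rule_matches, dest_match_without_normalise and checkentry_ipv6 are mine, not the module's.

```c
/*
 * Added example, not part of the patch or the kernel tree: the xt_addrtype
 * revision-1 match re-implemented in userspace so the bit layout and the
 * invert-flag handling can be exercised without a kernel module.
 *
 * RTN_* values are copied from <linux/rtnetlink.h>; XT_ADDRTYPE_* and the
 * struct layout are copied from the patches. The FIB answer is modelled as a
 * plain RTN_* value instead of a route lookup.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { RTN_UNSPEC, RTN_UNICAST, RTN_LOCAL, RTN_BROADCAST, RTN_ANYCAST,
       RTN_MULTICAST, RTN_BLACKHOLE, RTN_UNREACHABLE, RTN_PROHIBIT,
       RTN_THROW, RTN_NAT, RTN_XRESOLVE };

enum {
	XT_ADDRTYPE_INVERT_SOURCE   = 0x0001,
	XT_ADDRTYPE_INVERT_DEST     = 0x0002,
	XT_ADDRTYPE_LIMIT_IFACE_IN  = 0x0004,
	XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
};

/* rtn_type values from rtnetlink.h, shifted: the userspace ABI is 1 << RTN_* */
enum {
	XT_ADDRTYPE_UNSPEC      = 1 << 0,
	XT_ADDRTYPE_UNICAST     = 1 << 1,
	XT_ADDRTYPE_LOCAL       = 1 << 2,
	XT_ADDRTYPE_BROADCAST   = 1 << 3,
	XT_ADDRTYPE_ANYCAST     = 1 << 4,
	XT_ADDRTYPE_MULTICAST   = 1 << 5,
	XT_ADDRTYPE_BLACKHOLE   = 1 << 6,
	XT_ADDRTYPE_UNREACHABLE = 1 << 7,
	XT_ADDRTYPE_PROHIBIT    = 1 << 8,
	XT_ADDRTYPE_THROW       = 1 << 9,
	XT_ADDRTYPE_NAT         = 1 << 10,
	XT_ADDRTYPE_XRESOLVE    = 1 << 11,
};

/* What a BUILD_BUG_ON() in the module could pin down: rules written by old
 * iptables binaries only keep working while these two enums agree. */
_Static_assert(XT_ADDRTYPE_UNICAST == 1 << RTN_UNICAST, "ABI drift");
_Static_assert(XT_ADDRTYPE_XRESOLVE == 1 << RTN_XRESOLVE, "ABI drift");

struct xt_addrtype_info_v1 {
	uint16_t source;	/* source-type mask */
	uint16_t dest;		/* dest-type mask */
	uint32_t flags;
};

/* Kernel side: "1 << rtn_type" of the route for the address, tested against the mask. */
static bool match_type(unsigned int rtn_type, uint16_t mask)
{
	return (mask & (1u << rtn_type)) != 0;
}

/* Revision-1 match with both invert flags normalised by !! (the patch does this
 * only for dest and gets away with it on the source side because
 * XT_ADDRTYPE_INVERT_SOURCE happens to be 0x0001). */
static bool addrtype_mt_v1(unsigned int src_rtn, unsigned int dst_rtn,
			   const struct xt_addrtype_info_v1 *info)
{
	bool ret = true;

	if (info->source)
		ret &= match_type(src_rtn, info->source) ^
		       !!(info->flags & XT_ADDRTYPE_INVERT_SOURCE);
	if (ret && info->dest)
		ret &= match_type(dst_rtn, info->dest) ^
		       !!(info->flags & XT_ADDRTYPE_INVERT_DEST);
	return ret;
}

/* Hypothetical helper: build the matchinfo the way iptables would and evaluate it. */
static bool rule_matches(uint16_t src_mask, uint16_t dst_mask, uint32_t flags,
			 unsigned int src_rtn, unsigned int dst_rtn)
{
	struct xt_addrtype_info_v1 info = { src_mask, dst_mask, flags };

	return addrtype_mt_v1(src_rtn, dst_rtn, &info);
}

/* The dest expression WITHOUT the !!: a bool XOR'ed with 0x0002 never changes
 * bit 0, so the inversion is silently lost and "! --dst-type LOCAL" behaves
 * exactly like "--dst-type LOCAL". */
static bool dest_match_without_normalise(uint16_t dst_mask, uint32_t flags,
					 unsigned int dst_rtn)
{
	bool ret = true;

	ret &= match_type(dst_rtn, dst_mask) ^ (flags & XT_ADDRTYPE_INVERT_DEST);
	return ret;
}

/* The IPv6 part of addrtype_mt_checkentry_v1: types the v6 path does not
 * implement are refused when the rule is inserted, not matched wrongly. */
static int checkentry_ipv6(uint16_t src_mask, uint16_t dst_mask)
{
	uint16_t types = src_mask | dst_mask;

	if (types & XT_ADDRTYPE_BLACKHOLE)
		return -EINVAL;
	if (types >= XT_ADDRTYPE_PROHIBIT)	/* PROHIBIT, THROW, NAT, XRESOLVE */
		return -EINVAL;
	if (types & XT_ADDRTYPE_BROADCAST)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* "-m addrtype ! --dst-type LOCAL" against a packet routed to a local address */
	printf("inverted LOCAL, packet to LOCAL: %d\n",
	       rule_matches(0, XT_ADDRTYPE_LOCAL, XT_ADDRTYPE_INVERT_DEST,
			    RTN_UNICAST, RTN_LOCAL));
	printf("same expression without !!:      %d\n",
	       dest_match_without_normalise(XT_ADDRTYPE_LOCAL,
					    XT_ADDRTYPE_INVERT_DEST, RTN_LOCAL));
	printf("ip6tables --src-type BROADCAST:  %d\n",
	       checkentry_ipv6(XT_ADDRTYPE_BROADCAST, 0));
	return 0;
}
```

The first printf line is the case a firewall author cares about: with the `!!` the inverted rule correctly does not match a locally destined packet, while the un-normalised variant reports a match, i.e. the negation in the rule is dropped on the floor. checkentry_ipv6 shows why the patch refuses unsupported types at insert time: a rule that silently never (or always) matched would be a worse failure mode than -EINVAL.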
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-15 18:49 ` [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support Florian Westphal
@ 2011-03-15 19:41 ` Patrick McHardy
2011-03-16 13:54 ` Patrick McHardy
From: Patrick McHardy @ 2011-03-15 19:41 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On 15.03.2011 19:49, Florian Westphal wrote:
> From: Florian Westphal <fwestphal@astaro.com>
>
> No new match revision is introduced, as binary compatibility
> is not broken (XT_ADDRTYPE_ values match the RTN_ "bitshifted"
> ones used by old iptables userspace).
>
> The kernel will refuse certain types that do not work in ipv6 mode.
> We can then add these features incrementally without risk of userspace
> breakage.
>
Applied, thanks.
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-15 18:49 ` [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support Florian Westphal
2011-03-15 19:41 ` Patrick McHardy
@ 2011-03-16 13:54 ` Patrick McHardy
2011-03-16 14:19 ` Florian Westphal
2011-03-18 23:26 ` Florian Westphal
From: Patrick McHardy @ 2011-03-16 13:54 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On 15.03.2011 19:49, Florian Westphal wrote:
> +static bool match_type6(struct net *net, const struct net_device *dev,
> + const struct in6_addr *addr, u16 mask)
> +{
> + int addr_type = ipv6_addr_type(addr);
> +
> + if ((mask & XT_ADDRTYPE_MULTICAST) &&
> + !(addr_type & IPV6_ADDR_MULTICAST))
> + return false;
> + if ((mask & XT_ADDRTYPE_UNICAST) && !(addr_type & IPV6_ADDR_UNICAST))
> + return false;
> + if ((mask & XT_ADDRTYPE_UNSPEC) && addr_type != IPV6_ADDR_ANY)
> + return false;
> +
> + if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST |
> + XT_ADDRTYPE_UNREACHABLE) & mask) {
> + struct rt6_info *rt;
> + u32 type;
> + int ifindex = dev ? dev->ifindex : 0;
> +
> + rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
Florian, I just noticed that this will pull in the IPv6 module just
by loading the xt_addrtype module. Can we convert this to use
nf_ip6_afinfo->route() instead?
> +
> + type = xt_addrtype_rt6_to_type(rt);
> +
> + dst_release(&rt->dst);
> + return !!(mask & type);
> + }
> + return true;
> +}
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-16 13:54 ` Patrick McHardy
@ 2011-03-16 14:19 ` Florian Westphal
2011-03-16 15:59 ` Florian Westphal
2011-03-18 23:26 ` Florian Westphal
From: Florian Westphal @ 2011-03-16 14:19 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy <kaber@trash.net> wrote:
> > + rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
>
> Florian, I just noticed that this will pull in the IPv6 module just
> by loading the xt_addrtype module.
Yes...
> Can we convert this to use
> nf_ip6_afinfo->route() instead?
I agree that it would be much nicer, thanks for the
suggestion.
I'll look into this on Saturday.
Thanks,
Florian
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-16 14:19 ` Florian Westphal
@ 2011-03-16 15:59 ` Florian Westphal
2011-03-16 16:03 ` Patrick McHardy
From: Florian Westphal @ 2011-03-16 15:59 UTC (permalink / raw)
To: Florian Westphal; +Cc: Patrick McHardy, netfilter-devel
Florian Westphal <fw@strlen.de> wrote:
> Patrick McHardy <kaber@trash.net> wrote:
> > > + rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
> >
> > Florian, I just noticed that this will pull in the IPv6 module just
> > by loading the xt_addrtype module.
>
> Yes...
>
> > Can we convert this to use
> > nf_ip6_afinfo->route() instead?
>
> I agree that it would be much nicer, thanks for the
> suggestion.
>
> I'll look into this on Saturday.
Regardless of whether this works or not, we'd also
need to find an alternative to ipv6_addr_type, no?
One possibility would be to revert the xt_addrinfo patch
and add an ip6t_addrtype module instead, I think the involved
code duplication would be low in this case.
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-16 15:59 ` Florian Westphal
@ 2011-03-16 16:03 ` Patrick McHardy
From: Patrick McHardy @ 2011-03-16 16:03 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On 16.03.2011 16:59, Florian Westphal wrote:
> Florian Westphal <fw@strlen.de> wrote:
>> Patrick McHardy <kaber@trash.net> wrote:
>>>> + rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
>>>
>>> Florian, I just noticed that this will pull in the IPv6 module just
>>> by loading the xt_addrtype module.
>>
>> Yes...
>>
>>> Can we convert this to use
>>> nf_ip6_afinfo->route() instead?
>>
>> I agree that it would be much nicer, thanks for the
>> suggestion.
>>
>> I'll look into this on Saturday.
>
> Regardless of whether this works or not, we'd also
> need to find an alternative to ipv6_addr_type, no?
No, addrconf_core.o is statically linked regardless of whether
IPv6 is a module or not.
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-16 13:54 ` Patrick McHardy
2011-03-16 14:19 ` Florian Westphal
@ 2011-03-18 23:26 ` Florian Westphal
2011-03-20 14:39 ` Patrick McHardy
From: Florian Westphal @ 2011-03-18 23:26 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy <kaber@trash.net> wrote:
> On 15.03.2011 19:49, Florian Westphal wrote:
[..]
> > + rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
>
> Florian, I just noticed that this will pull in the IPv6 module just
> by loading the xt_addrtype module. Can we convert this to use
> nf_ip6_afinfo->route() instead?
I tried this, but I found two issues:
- no netns support (nf_ip6_route passed init_net)
- it's not possible to ask for the RT6_LOOKUP_F_IFACE flag in the
underlying fib6_rule_lookup() call.
But AFAICT the latter is needed to support the '--limit-iface-in/out'
option.
Any idea?
Otherwise I think I'll have a go at extending afinfo->route() to pass
in struct net* and a 'strict' argument (i.e. what rt6_lookup() has).
Unfortunately that would have to wait for 2.6.40...
Thanks,
Florian
* Re: [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support
2011-03-18 23:26 ` Florian Westphal
@ 2011-03-20 14:39 ` Patrick McHardy
From: Patrick McHardy @ 2011-03-20 14:39 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On 19.03.2011 00:26, Florian Westphal wrote:
> Patrick McHardy <kaber@trash.net> wrote:
>> On 15.03.2011 19:49, Florian Westphal wrote:
> [..]
>>> + rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
>>
>> Florian, I just noticed that this will pull in the IPv6 module just
>> by loading the xt_addrtype module. Can we convert this to use
>> nf_ip6_afinfo->route() instead?
>
> I tried this, but i found two issues:
> - no netns support (nf_ip6_route passed init_net)
> - its not possible to ask for RT6_LOOKUP_F_IFACE flag in the
> underlying fib6_rule_lookup() call.
>
> But AFAICT the latter is needed to support the '--limit-iface-in/out'
> option.
>
> Any idea?
>
> Otherwise I think I'll have a go at extending afinfo->route() to pass
> in struct net* and a 'strict' argument (i.e. what rt6_lookup() has).
>
> Unfortunately that would have to wait for 2.6.40...
Actually I'd consider that (especially the struct net *) a bugfix
since we shouldn't be pulling in the IPv6 module.
* Re: [PATCH v3 1/2] netfilter: ipt_addrtype: rename to xt_addrtype
2011-03-15 18:49 [PATCH v3 1/2] netfilter: ipt_addrtype: rename to xt_addrtype Florian Westphal
2011-03-15 18:49 ` [PATCH v3 2/2] netfilter: xt_addrtype: ipv6 support Florian Westphal
@ 2011-03-15 19:41 ` Patrick McHardy
From: Patrick McHardy @ 2011-03-15 19:41 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On 15.03.2011 19:49, Florian Westphal wrote:
> From: Florian Westphal <fwestphal@astaro.com>
>
> followup patch will add ipv6 support.
> ipt_addrtype.h is retained for compatibility reasons,
> but no longer used by the kernel.
Applied, thanks.