[linux-block.git] / net / ipv6 / netfilter.c

/*
 * IPv6 specific functions of netfilter core
 *
 * Rusty Russell (C) 2000 -- This code is GPL.
 * Patrick McHardy (C) 2006-2012
 */
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/ipv6.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
#include <linux/export.h>
#include <net/addrconf.h>
#include <net/dst.h>
#include <net/ipv6.h>
#include <net/ip6_route.h>
#include <net/xfrm.h>
#include <net/netfilter/nf_queue.h>

int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
{
	const struct ipv6hdr *iph = ipv6_hdr(skb);
	struct sock *sk = sk_to_full_sk(skb->sk);
	unsigned int hh_len;
	struct dst_entry *dst;
	struct flowi6 fl6 = {
		.flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
			rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
		.flowi6_mark = skb->mark,
		.flowi6_uid = sock_net_uid(net, sk),
		.daddr = iph->daddr,
		.saddr = iph->saddr,
	};
	int err;

	dst = ip6_route_output(net, sk, &fl6);
	err = dst->error;
	if (err) {
		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
		net_dbg_ratelimited("ip6_route_me_harder: No more route\n");
		dst_release(dst);
		return err;
	}

	/* Drop old route. */
	skb_dst_drop(skb);

	skb_dst_set(skb, dst);

#ifdef CONFIG_XFRM
	if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
	    xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) {
		skb_dst_set(skb, NULL);
		dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
		if (IS_ERR(dst))
			return PTR_ERR(dst);
		skb_dst_set(skb, dst);
	}
#endif

	/* Change in oif may mean change in hh_len. */
	hh_len = skb_dst(skb)->dev->hard_header_len;
	if (skb_headroom(skb) < hh_len &&
	    pskb_expand_head(skb, HH_DATA_ALIGN(hh_len - skb_headroom(skb)),
			     0, GFP_ATOMIC))
		return -ENOMEM;

	return 0;
}
EXPORT_SYMBOL(ip6_route_me_harder);

static int nf_ip6_reroute(struct sk_buff *skb,
			  const struct nf_queue_entry *entry)
{
	struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);

	if (entry->state.hook == NF_INET_LOCAL_OUT) {
		const struct ipv6hdr *iph = ipv6_hdr(skb);
		if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
		    !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
		    skb->mark != rt_info->mark)
			return ip6_route_me_harder(entry->state.net, skb);
	}
	return 0;
}

static int nf_ip6_route(struct net *net, struct dst_entry **dst,
			struct flowi *fl, bool strict)
{
	static const struct ipv6_pinfo fake_pinfo;
	static const struct inet_sock fake_sk = {
		/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
		.sk.sk_bound_dev_if = 1,
		.pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
	};
	const void *sk = strict ? &fake_sk : NULL;
	struct dst_entry *result;
	int err;

	result = ip6_route_output(net, sk, &fl->u.ip6);
	err = result->error;
	if (err)
		dst_release(result);
	else
		*dst = result;
	return err;
}

static const struct nf_ipv6_ops ipv6ops = {
	.chk_addr		= ipv6_chk_addr,
	.route_input    	= ip6_route_input,
	.fragment		= ip6_fragment,
	.route			= nf_ip6_route,
	.reroute		= nf_ip6_reroute,
};

int __init ipv6_netfilter_init(void)
{
	RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
	return 0;
}

/* This can be called from inet6_init() on errors, so it cannot
 * be marked __exit. -DaveM
 */
void ipv6_netfilter_fini(void)
{
	RCU_INIT_POINTER(nf_ipv6_ops, NULL);
}
Commit	Line	Data
f229f6ce PM	1	/*
	2	* IPv6 specific functions of netfilter core
	3	*
	4	* Rusty Russell (C) 2000 -- This code is GPL.
	5	* Patrick McHardy (C) 2006-2012
	6	*/
020b4c12	7	#include <linux/kernel.h>
bb94aa16	8	#include <linux/init.h>
020b4c12	9	#include <linux/ipv6.h>
2cc7d573 HW	10	#include <linux/netfilter.h>
2cc7d573 HW	11	#include <linux/netfilter_ipv6.h>
bc3b2d7f	12	#include <linux/export.h>
2a7851bf	13	#include <net/addrconf.h>
020b4c12 HW	14	#include <net/dst.h>
	15	#include <net/ipv6.h>
	16	#include <net/ip6_route.h>
3e3850e9	17	#include <net/xfrm.h>
c01cd429	18	#include <net/netfilter/nf_queue.h>
020b4c12	19
5f5d74d7	20	int ip6_route_me_harder(struct net net, struct sk_buff skb)
020b4c12	21	{
b71d1d42	22	const struct ipv6hdr *iph = ipv6_hdr(skb);
7d98386d	23	struct sock *sk = sk_to_full_sk(skb->sk);
0ad352cb	24	unsigned int hh_len;
020b4c12	25	struct dst_entry *dst;
4c9483b2	26	struct flowi6 fl6 = {
508b0904 AN	27	.flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
508b0904 AN	28	rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
4c9483b2	29	.flowi6_mark = skb->mark,
7d98386d	30	.flowi6_uid = sock_net_uid(net, sk),
4c9483b2 DM	31	.daddr = iph->daddr,
4c9483b2 DM	32	.saddr = iph->saddr,
020b4c12	33	};
a8951d58	34	int err;
020b4c12	35
7d98386d	36	dst = ip6_route_output(net, sk, &fl6);
a8951d58 SP	37	err = dst->error;
a8951d58 SP	38	if (err) {
eef9d90d	39	IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
ba7a46f1	40	net_dbg_ratelimited("ip6_route_me_harder: No more route\n");
020b4c12	41	dst_release(dst);
a8951d58	42	return err;
020b4c12 HW	43	}
	44
	45	/* Drop old route. */
adf30907	46	skb_dst_drop(skb);
020b4c12	47
adf30907	48	skb_dst_set(skb, dst);
90348e0e UW	49
	50	#ifdef CONFIG_XFRM
	51	if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
4c9483b2	52	xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) {
90348e0e	53	skb_dst_set(skb, NULL);
7d98386d	54	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
452edd59	55	if (IS_ERR(dst))
58e35d14	56	return PTR_ERR(dst);
90348e0e UW	57	skb_dst_set(skb, dst);
	58	}
	59	#endif
	60
0ad352cb PM	61	/* Change in oif may mean change in hh_len. */
	62	hh_len = skb_dst(skb)->dev->hard_header_len;
	63	if (skb_headroom(skb) < hh_len &&
	64	pskb_expand_head(skb, HH_DATA_ALIGN(hh_len - skb_headroom(skb)),
	65	0, GFP_ATOMIC))
58e35d14	66	return -ENOMEM;
0ad352cb	67
020b4c12 HW	68	return 0;
	69	}
	70	EXPORT_SYMBOL(ip6_route_me_harder);
	71
ce388f45	72	static int nf_ip6_reroute(struct sk_buff *skb,
02f014d8	73	const struct nf_queue_entry *entry)
2cc7d573	74	{
02f014d8	75	struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
2cc7d573	76
1d1de89b	77	if (entry->state.hook == NF_INET_LOCAL_OUT) {
b71d1d42	78	const struct ipv6hdr *iph = ipv6_hdr(skb);
2cc7d573	79	if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) \|\|
9f40ac71 EL	80	!ipv6_addr_equal(&iph->saddr, &rt_info->saddr) \|\|
9f40ac71 EL	81	skb->mark != rt_info->mark)
ce388f45	82	return ip6_route_me_harder(entry->state.net, skb);
2cc7d573 HW	83	}
	84	return 0;
	85	}
	86
31ad3dd6	87	static int nf_ip6_route(struct net net, struct dst_entry *dst,
0fae2e77	88	struct flowi *fl, bool strict)
1841a4c7	89	{
0fae2e77 FW	90	static const struct ipv6_pinfo fake_pinfo;
	91	static const struct inet_sock fake_sk = {
	92	/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
	93	.sk.sk_bound_dev_if = 1,
	94	.pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
	95	};
	96	const void *sk = strict ? &fake_sk : NULL;
2dad81ad FW	97	struct dst_entry *result;
	98	int err;
	99
	100	result = ip6_route_output(net, sk, &fl->u.ip6);
	101	err = result->error;
	102	if (err)
	103	dst_release(result);
	104	else
	105	*dst = result;
	106	return err;
1841a4c7 PM	107	}
1841a4c7 PM	108
2a7851bf	109	static const struct nf_ipv6_ops ipv6ops = {
f7dcbe2f PNA	110	.chk_addr = ipv6_chk_addr,
	111	.route_input = ip6_route_input,
	112	.fragment = ip6_fragment,
3f87c08c	113	.route = nf_ip6_route,
ce388f45	114	.reroute = nf_ip6_reroute,
2a7851bf FW	115	};
2a7851bf FW	116
2cc7d573 HW	117	int __init ipv6_netfilter_init(void)
2cc7d573 HW	118	{
2a7851bf	119	RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
b3a61254	120	return 0;
2cc7d573 HW	121	}
2cc7d573 HW	122
5bf887f2 DM	123	/* This can be called from inet6_init() on errors, so it cannot
	124	* be marked __exit. -DaveM
	125	*/
	126	void ipv6_netfilter_fini(void)
2cc7d573	127	{
2a7851bf	128	RCU_INIT_POINTER(nf_ipv6_ops, NULL);
2cc7d573	129	}