Diffstat (limited to 'target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch')
-rw-r--r--target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch141
1 files changed, 141 insertions, 0 deletions
diff --git a/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch b/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch
new file mode 100644
index 0000000000..9fcb1be982
--- /dev/null
+++ b/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch
@@ -0,0 +1,141 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 7 Jan 2018 01:04:22 +0100
+Subject: [PATCH] netfilter: flow table support for the mixed IPv4/IPv6 family
+
+This patch adds the IPv6 flow table type, that implements the datapath
+flow table to forward IPv6 traffic.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ create mode 100644 net/netfilter/nf_flow_table_inet.c
+
+--- a/include/net/netfilter/nf_flow_table.h
++++ b/include/net/netfilter/nf_flow_table.h
+@@ -111,6 +111,11 @@ struct flow_ports {
+ __be16 source, dest;
+ };
+
++unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
++ const struct nf_hook_state *state);
++unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
++ const struct nf_hook_state *state);
++
+ #define MODULE_ALIAS_NF_FLOWTABLE(family) \
+ MODULE_ALIAS("nf-flowtable-" __stringify(family))
+
+--- a/net/ipv4/netfilter/nf_flow_table_ipv4.c
++++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c
+@@ -202,7 +202,7 @@ static bool nf_flow_exceeds_mtu(struct s
+ return false;
+ }
+
+-static unsigned int
++unsigned int
+ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+@@ -254,6 +254,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+
+ return NF_STOLEN;
+ }
++EXPORT_SYMBOL_GPL(nf_flow_offload_ip_hook);
+
+ static struct nf_flowtable_type flowtable_ipv4 = {
+ .family = NFPROTO_IPV4,
+--- a/net/ipv6/netfilter/nf_flow_table_ipv6.c
++++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c
+@@ -196,7 +196,7 @@ static bool nf_flow_exceeds_mtu(struct s
+ return false;
+ }
+
+-static unsigned int
++unsigned int
+ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+@@ -248,6 +248,7 @@ nf_flow_offload_ipv6_hook(void *priv, st
+
+ return NF_STOLEN;
+ }
++EXPORT_SYMBOL_GPL(nf_flow_offload_ipv6_hook);
+
+ static struct nf_flowtable_type flowtable_ipv6 = {
+ .family = NFPROTO_IPV6,
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -661,6 +661,14 @@ endif # NF_TABLES_NETDEV
+
+ endif # NF_TABLES
+
++config NF_FLOW_TABLE_INET
++ select NF_FLOW_TABLE
++ tristate "Netfilter flow table mixed IPv4/IPv6 module"
++ help
++ This option adds the flow table mixed IPv4/IPv6 support.
++
++ To compile it as a module, choose M here.
++
+ config NF_FLOW_TABLE
+ tristate "Netfilter flow table module"
+ help
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -112,6 +112,7 @@ obj-$(CONFIG_NFT_FWD_NETDEV) += nft_fwd_
+
+ # flow table infrastructure
+ obj-$(CONFIG_NF_FLOW_TABLE) += nf_flow_table.o
++obj-$(CONFIG_NF_FLOW_TABLE_INET) += nf_flow_table_inet.o
+
+ # generic X tables
+ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
+--- /dev/null
++++ b/net/netfilter/nf_flow_table_inet.c
+@@ -0,0 +1,48 @@
++#include <linux/kernel.h>
++#include <linux/init.h>
++#include <linux/module.h>
++#include <linux/netfilter.h>
++#include <linux/rhashtable.h>
++#include <net/netfilter/nf_flow_table.h>
++#include <net/netfilter/nf_tables.h>
++
++static unsigned int
++nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
++ const struct nf_hook_state *state)
++{
++ switch (skb->protocol) {
++ case htons(ETH_P_IP):
++ return nf_flow_offload_ip_hook(priv, skb, state);
++ case htons(ETH_P_IPV6):
++ return nf_flow_offload_ipv6_hook(priv, skb, state);
++ }
++
++ return NF_ACCEPT;
++}
++
++static struct nf_flowtable_type flowtable_inet = {
++ .family = NFPROTO_INET,
++ .params = &nf_flow_offload_rhash_params,
++ .gc = nf_flow_offload_work_gc,
++ .hook = nf_flow_offload_inet_hook,
++ .owner = THIS_MODULE,
++};
++
++static int __init nf_flow_inet_module_init(void)
++{
++ nft_register_flowtable_type(&flowtable_inet);
++
++ return 0;
++}
++
++static void __exit nf_flow_inet_module_exit(void)
++{
++ nft_unregister_flowtable_type(&flowtable_inet);
++}
++
++module_init(nf_flow_inet_module_init);
++module_exit(nf_flow_inet_module_exit);
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
++MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */
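Review bot: The new `NF_FLOW_TABLE_INET` Kconfig entry carries only `select NF_FLOW_TABLE`, yet `nf_flow_offload_inet_hook()` in nf_flow_table_inet.c calls `nf_flow_offload_ip_hook()` and `nf_flow_offload_ipv6_hook()`, which this patch exports from nf_flow_table_ipv4.c and nf_flow_table_ipv6.c. If either per-family flow table is disabled, or built as a module while the inet one is built in, those symbols would be unresolved. Adding `depends on NF_FLOW_TABLE_IPV4` and `depends on NF_FLOW_TABLE_IPV6` to the entry would rule that out; those options are defined outside this hunk, so confirm they exist in the 4.14 backport series. Separately, the embedded patch description still says it adds "the IPv6 flow table type", although the subject and the code add the mixed IPv4/IPv6 (inet) type. A one-line comment above the `switch (skb->protocol)` noting that any other protocol is passed on with `NF_ACCEPT` rather than offloaded would also help readers.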