Merge branch 'main' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

#include <uapi/linux/netfilter/nf_nat.h>

unsigned int

nf_nat_redirect_ipv4(struct sk_buff *skb,

		     const struct nf_nat_ipv4_multi_range_compat *mr,

nf_nat_redirect_ipv4(struct sk_buff *skb, const struct nf_nat_range2 *range,

		     unsigned int hooknum);

unsigned int

nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,

	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))

		goto discard_and_relse;

	nf_reset_ct(skb);

	return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4,

				refcounted) ? -1 : 0;

#include <linux/vmalloc.h>

#include <linux/netdevice.h>

#include <linux/module.h>

#include <linux/icmp.h>

#include <net/ip.h>

#include <net/compat.h>

#include <linux/uaccess.h>

MODULE_LICENSE("GPL");

MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");

MODULE_DESCRIPTION("IPv4 packet filter");

MODULE_ALIAS("ipt_icmp");

void *ipt_alloc_initial_table(const struct xt_table *info)

{

		__ipt_unregister_table(net, table);

}

/* Returns 1 if the type and code is matched by the range, 0 otherwise */

static inline bool

icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,

		     u_int8_t type, u_int8_t code,

		     bool invert)

{

	return ((test_type == 0xFF) ||

		(type == test_type && code >= min_code && code <= max_code))

		^ invert;

}

static bool

icmp_match(const struct sk_buff *skb, struct xt_action_param *par)

{

	const struct icmphdr *ic;

	struct icmphdr _icmph;

	const struct ipt_icmp *icmpinfo = par->matchinfo;

	/* Must not be a fragment. */

	if (par->fragoff != 0)

		return false;

	ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);

	if (ic == NULL) {

		/* We've been asked to examine this packet, and we

		 * can't.  Hence, no choice but to drop.

		 */

		par->hotdrop = true;

		return false;

	}

	return icmp_type_code_match(icmpinfo->type,

				    icmpinfo->code[0],

				    icmpinfo->code[1],

				    ic->type, ic->code,

				    !!(icmpinfo->invflags&IPT_ICMP_INV));

}

static int icmp_checkentry(const struct xt_mtchk_param *par)

{

	const struct ipt_icmp *icmpinfo = par->matchinfo;

	/* Must specify no unknown invflags */

	return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;

}

static struct xt_target ipt_builtin_tg[] __read_mostly = {

	{

		.name             = XT_STANDARD_TARGET,

	.owner		= THIS_MODULE,

};

static struct xt_match ipt_builtin_mt[] __read_mostly = {

	{

		.name       = "icmp",

		.match      = icmp_match,

		.matchsize  = sizeof(struct ipt_icmp),

		.checkentry = icmp_checkentry,

		.proto      = IPPROTO_ICMP,

		.family     = NFPROTO_IPV4,

		.me	    = THIS_MODULE,

	},

};

static int __net_init ip_tables_net_init(struct net *net)

{

	return xt_proto_init(net, NFPROTO_IPV4);

	ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));

	if (ret < 0)

		goto err2;

	ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));

	if (ret < 0)

		goto err4;

	/* Register setsockopt */

	ret = nf_register_sockopt(&ipt_sockopts);

	if (ret < 0)

		goto err5;

		goto err4;

	return 0;

err5:

	xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));

err4:

	xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));

err2:

{

	nf_unregister_sockopt(&ipt_sockopts);

	xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));

	xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));

	unregister_pernet_subsys(&ip_tables_net_ops);

}

			/* Only do this once for first final protocol */

			have_final = true;

			/* Free reference early: we don't need it any more,

			   and it may hold ip_conntrack module loaded

			   indefinitely. */

			nf_reset_ct(skb);

			skb_postpull_rcsum(skb, skb_network_header(skb),

					   skb_network_header_len(skb));

				goto discard;

			}

		}

		if (!(ipprot->flags & INET6_PROTO_NOPOLICY) &&

		    !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {

		if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) {

			if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {

				SKB_DR_SET(reason, XFRM_POLICY);

				goto discard;

			}

			nf_reset_ct(skb);

		}

		ret = INDIRECT_CALL_2(ipprot->handler, tcp_v6_rcv, udpv6_rcv,

				      skb);

#include <linux/netdevice.h>

#include <linux/module.h>

#include <linux/poison.h>

#include <linux/icmpv6.h>

#include <net/ipv6.h>

#include <net/compat.h>

#include <linux/uaccess.h>

MODULE_LICENSE("GPL");

MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");

MODULE_DESCRIPTION("IPv6 packet filter");

MODULE_ALIAS("ip6t_icmp6");

void *ip6t_alloc_initial_table(const struct xt_table *info)

{

		__ip6t_unregister_table(net, table);

}

/* Returns 1 if the type and code is matched by the range, 0 otherwise */

static inline bool

icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,

		     u_int8_t type, u_int8_t code,

		     bool invert)

{

	return (type == test_type && code >= min_code && code <= max_code)

		^ invert;

}

static bool

icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)

{

	const struct icmp6hdr *ic;

	struct icmp6hdr _icmph;

	const struct ip6t_icmp *icmpinfo = par->matchinfo;

	/* Must not be a fragment. */

	if (par->fragoff != 0)

		return false;

	ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);

	if (ic == NULL) {

		/* We've been asked to examine this packet, and we

		 * can't.  Hence, no choice but to drop.

		 */

		par->hotdrop = true;

		return false;

	}

	return icmp6_type_code_match(icmpinfo->type,

				     icmpinfo->code[0],

				     icmpinfo->code[1],

				     ic->icmp6_type, ic->icmp6_code,

				     !!(icmpinfo->invflags&IP6T_ICMP_INV));

}

/* Called when user tries to insert an entry of this type. */

static int icmp6_checkentry(const struct xt_mtchk_param *par)

{

	const struct ip6t_icmp *icmpinfo = par->matchinfo;

	/* Must specify no unknown invflags */

	return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;

}

/* The built-in targets: standard (NULL) and error. */

static struct xt_target ip6t_builtin_tg[] __read_mostly = {

	{

	.owner		= THIS_MODULE,

};

static struct xt_match ip6t_builtin_mt[] __read_mostly = {

	{

		.name       = "icmp6",

		.match      = icmp6_match,

		.matchsize  = sizeof(struct ip6t_icmp),

		.checkentry = icmp6_checkentry,

		.proto      = IPPROTO_ICMPV6,

		.family     = NFPROTO_IPV6,

		.me	    = THIS_MODULE,

	},

};

static int __net_init ip6_tables_net_init(struct net *net)

{

	return xt_proto_init(net, NFPROTO_IPV6);

	ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));

	if (ret < 0)

		goto err2;

	ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));

	if (ret < 0)

		goto err4;

	/* Register setsockopt */

	ret = nf_register_sockopt(&ip6t_sockopts);

	if (ret < 0)

		goto err5;

		goto err4;

	return 0;

err5:

	xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));

err4:

	xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));

err2:

{

	nf_unregister_sockopt(&ip6t_sockopts);

	xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));

	xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));

	unregister_pernet_subsys(&ip6_tables_net_ops);

}