Commit b3d54b3e authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Pablo Neira Ayuso

netfilter: combine ipt_NETMAP and ip6t_NETMAP

Combine more modules since the actual code is so small anyway that the
kmod metadata and the module in its loaded state totally outweighs the
combined actual code size.

IP_NF_TARGET_NETMAP becomes a compat option; IP6_NF_TARGET_NETMAP
is completely eliminated since it has not see a release yet.
Signed-off-by: default avatarJan Engelhardt <jengelh@inai.de>
Acked-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 136251d0
...@@ -172,12 +172,11 @@ config IP_NF_TARGET_MASQUERADE ...@@ -172,12 +172,11 @@ config IP_NF_TARGET_MASQUERADE
config IP_NF_TARGET_NETMAP config IP_NF_TARGET_NETMAP
tristate "NETMAP target support" tristate "NETMAP target support"
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
help select NETFILTER_XT_TARGET_NETMAP
NETMAP is an implementation of static 1:1 NAT mapping of network ---help---
addresses. It maps the network address part, while keeping the host This is a backwards-compat option for the user's convenience
address part intact. (e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_NETMAP.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_REDIRECT config IP_NF_TARGET_REDIRECT
tristate "REDIRECT target support" tristate "REDIRECT target support"
......
...@@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o ...@@ -45,7 +45,6 @@ obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
......
...@@ -209,15 +209,6 @@ config IP6_NF_TARGET_MASQUERADE ...@@ -209,15 +209,6 @@ config IP6_NF_TARGET_MASQUERADE
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_NETMAP
tristate "NETMAP target support"
help
NETMAP is an implementation of static 1:1 NAT mapping of network
addresses. It maps the network address part, while keeping the host
address part intact.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_REDIRECT config IP6_NF_TARGET_REDIRECT
tristate "REDIRECT target support" tristate "REDIRECT target support"
help help
......
...@@ -35,7 +35,6 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o ...@@ -35,7 +35,6 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
# targets # targets
obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
obj-$(CONFIG_IP6_NF_TARGET_NETMAP) += ip6t_NETMAP.o
obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o
obj-$(CONFIG_IP6_NF_TARGET_REDIRECT) += ip6t_REDIRECT.o obj-$(CONFIG_IP6_NF_TARGET_REDIRECT) += ip6t_REDIRECT.o
obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
/*
* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* Based on Svenning Soerensen's IPv4 NETMAP target. Development of IPv6
* NAT funded by Astaro.
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/ipv6.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_nat.h>
static unsigned int
netmap_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct nf_nat_range *range = par->targinfo;
struct nf_nat_range newrange;
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
union nf_inet_addr new_addr, netmask;
unsigned int i;
ct = nf_ct_get(skb, &ctinfo);
for (i = 0; i < ARRAY_SIZE(range->min_addr.ip6); i++)
netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
range->max_addr.ip6[i]);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_OUT)
new_addr.in6 = ipv6_hdr(skb)->daddr;
else
new_addr.in6 = ipv6_hdr(skb)->saddr;
for (i = 0; i < ARRAY_SIZE(new_addr.ip6); i++) {
new_addr.ip6[i] &= ~netmask.ip6[i];
new_addr.ip6[i] |= range->min_addr.ip6[i] &
netmask.ip6[i];
}
newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr = new_addr;
newrange.max_addr = new_addr;
newrange.min_proto = range->min_proto;
newrange.max_proto = range->max_proto;
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
}
static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
{
const struct nf_nat_range *range = par->targinfo;
if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
return -EINVAL;
return 0;
}
static struct xt_target netmap_tg6_reg __read_mostly = {
.name = "NETMAP",
.family = NFPROTO_IPV6,
.target = netmap_tg6,
.targetsize = sizeof(struct nf_nat_range),
.table = "nat",
.hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg6_checkentry,
.me = THIS_MODULE,
};
static int __init netmap_tg6_init(void)
{
return xt_register_target(&netmap_tg6_reg);
}
static void netmap_tg6_exit(void)
{
xt_unregister_target(&netmap_tg6_reg);
}
module_init(netmap_tg6_init);
module_exit(netmap_tg6_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv6 subnets");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
...@@ -648,6 +648,16 @@ config NETFILTER_XT_TARGET_MARK ...@@ -648,6 +648,16 @@ config NETFILTER_XT_TARGET_MARK
(e.g. when running oldconfig). It selects (e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
config NETFILTER_XT_TARGET_NETMAP
tristate '"NETMAP" target support'
depends on NF_NAT
---help---
NETMAP is an implementation of static 1:1 NAT mapping of network
addresses. It maps the network address part, while keeping the host
address part intact.
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_NFLOG config NETFILTER_XT_TARGET_NFLOG
tristate '"NFLOG" target support' tristate '"NFLOG" target support'
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
......
...@@ -83,6 +83,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o ...@@ -83,6 +83,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NETMAP) += xt_NETMAP.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
......
/* NETMAP - static NAT mapping of IP network addresses (1:1). /*
* The mapping can be applied to source (POSTROUTING), * (C) 2000-2001 Svenning Soerensen <svenning@post5.tele.dk>
* destination (PREROUTING), or both (with separate rules). * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
*/
/* (C) 2000-2001 Svenning Soerensen <svenning@post5.tele.dk>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. * published by the Free Software Foundation.
*/ */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/kernel.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/ipv6.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat.h>
MODULE_LICENSE("GPL"); static unsigned int
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); netmap_tg6(struct sk_buff *skb, const struct xt_action_param *par)
MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
static int netmap_tg_check(const struct xt_tgchk_param *par)
{ {
const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; const struct nf_nat_range *range = par->targinfo;
struct nf_nat_range newrange;
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
union nf_inet_addr new_addr, netmask;
unsigned int i;
if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) { ct = nf_ct_get(skb, &ctinfo);
pr_debug("bad MAP_IPS.\n"); for (i = 0; i < ARRAY_SIZE(range->min_addr.ip6); i++)
return -EINVAL; netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
range->max_addr.ip6[i]);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_OUT)
new_addr.in6 = ipv6_hdr(skb)->daddr;
else
new_addr.in6 = ipv6_hdr(skb)->saddr;
for (i = 0; i < ARRAY_SIZE(new_addr.ip6); i++) {
new_addr.ip6[i] &= ~netmask.ip6[i];
new_addr.ip6[i] |= range->min_addr.ip6[i] &
netmask.ip6[i];
} }
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u.\n", mr->rangesize); newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr = new_addr;
newrange.max_addr = new_addr;
newrange.min_proto = range->min_proto;
newrange.max_proto = range->max_proto;
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
}
static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
{
const struct nf_nat_range *range = par->targinfo;
if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
return -EINVAL; return -EINVAL;
}
return 0; return 0;
} }
static unsigned int static unsigned int
netmap_tg(struct sk_buff *skb, const struct xt_action_param *par) netmap_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{ {
struct nf_conn *ct; struct nf_conn *ct;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
...@@ -73,29 +99,67 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -73,29 +99,67 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum)); return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
} }
static struct xt_target netmap_tg_reg __read_mostly = { static int netmap_tg4_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
pr_debug("bad MAP_IPS.\n");
return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
return 0;
}
static struct xt_target netmap_tg_reg[] __read_mostly = {
{
.name = "NETMAP",
.family = NFPROTO_IPV6,
.revision = 0,
.target = netmap_tg6,
.targetsize = sizeof(struct nf_nat_range),
.table = "nat",
.hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg6_checkentry,
.me = THIS_MODULE,
},
{
.name = "NETMAP", .name = "NETMAP",
.family = NFPROTO_IPV4, .family = NFPROTO_IPV4,
.target = netmap_tg, .revision = 0,
.target = netmap_tg4,
.targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat), .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
.table = "nat", .table = "nat",
.hooks = (1 << NF_INET_PRE_ROUTING) | .hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) | (1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_LOCAL_IN), (1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg_check, .checkentry = netmap_tg4_check,
.me = THIS_MODULE .me = THIS_MODULE,
},
}; };
static int __init netmap_tg_init(void) static int __init netmap_tg_init(void)
{ {
return xt_register_target(&netmap_tg_reg); return xt_register_targets(netmap_tg_reg, ARRAY_SIZE(netmap_tg_reg));
} }
static void __exit netmap_tg_exit(void) static void netmap_tg_exit(void)
{ {
xt_unregister_target(&netmap_tg_reg); xt_unregister_targets(netmap_tg_reg, ARRAY_SIZE(netmap_tg_reg));
} }
module_init(netmap_tg_init); module_init(netmap_tg_init);
module_exit(netmap_tg_exit); module_exit(netmap_tg_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of subnets");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS("ip6t_NETMAP");
MODULE_ALIAS("ipt_NETMAP");
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment