diff options
author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2019-06-07 02:36:05 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-17 17:12:09 +0200 |
commit | 3006a5224f15cf68edc4878799ac6d6089861518 (patch) | |
tree | a8ddce317f915b7136e5a5af90a6ed396aa98b9c /include/linux/netfilter_ipv6.h | |
parent | netfilter: synproxy: add common uapi for SYNPROXY infrastructure (diff) | |
download | wireguard-linux-3006a5224f15cf68edc4878799ac6d6089861518.tar.xz wireguard-linux-3006a5224f15cf68edc4878799ac6d6089861518.zip |
netfilter: synproxy: remove module dependency on IPv6 SYNPROXY
This is a prerequisite for the infrastructure module NETFILTER_SYNPROXY.
The new module is needed to avoid duplicated code for the SYNPROXY
nftables support.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/linux/netfilter_ipv6.h')
-rw-r--r-- | include/linux/netfilter_ipv6.h | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 3a3dc4b1f0e7..35b12525ee45 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h @@ -8,6 +8,7 @@ #define __LINUX_IP6_NETFILTER_H #include <uapi/linux/netfilter_ipv6.h> +#include <net/tcp.h> /* Extra routing may needed on local out, as the QUEUE target never returns * control to the table. @@ -35,6 +36,10 @@ struct nf_ipv6_ops { struct in6_addr *saddr); int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl, bool strict); + u32 (*cookie_init_sequence)(const struct ipv6hdr *iph, + const struct tcphdr *th, u16 *mssp); + int (*cookie_v6_check)(const struct ipv6hdr *iph, + const struct tcphdr *th, __u32 cookie); #endif void (*route_input)(struct sk_buff *skb); int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb, @@ -154,6 +159,37 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) #endif } +static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph, + const struct tcphdr *th, + u16 *mssp) +{ +#if IS_MODULE(CONFIG_IPV6) + const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); + + if (v6_ops) + return v6_ops->cookie_init_sequence(iph, th, mssp); + + return 0; +#else + return __cookie_v6_init_sequence(iph, th, mssp); +#endif +} + +static inline int nf_cookie_v6_check(const struct ipv6hdr *iph, + const struct tcphdr *th, __u32 cookie) +{ +#if IS_MODULE(CONFIG_IPV6) + const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); + + if (v6_ops) + return v6_ops->cookie_v6_check(iph, th, cookie); + + return 0; +#else + return __cookie_v6_check(iph, th, cookie); +#endif +} + __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, u_int8_t protocol); |