提交
d7cf4081
编写于
9年前
作者:
David S. Miller
netfilter: Pass nf_hook_state through nf_nat_ipv4_{in,out,fn,local_fn}().
Signed-off-by:
David S. Miller
<
davem@davemloft.net
>
上级
238e54c9
变更
4
Showing
4 changed file
with
36 addition
and
53 deletion
+36
-53
include/net/netfilter/nf_nat_l3proto.h
include/net/netfilter/nf_nat_l3proto.h
+8
-16
net/ipv4/netfilter/iptable_nat.c
net/ipv4/netfilter/iptable_nat.c
+7
-11
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+15
-18
net/ipv4/netfilter/nft_chain_nat_ipv4.c
net/ipv4/netfilter/nft_chain_nat_ipv4.c
+6
-8
include/net/netfilter/nf_nat_l3proto.h
...
...
@@ -44,40 +44,32 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
unsigned
int
hooknum
);
unsigned
int
nf_nat_ipv4_in
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
));
unsigned
int
nf_nat_ipv4_out
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
));
unsigned
int
nf_nat_ipv4_local_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
));
unsigned
int
nf_nat_ipv4_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
));
int
nf_nat_icmpv6_reply_translation
(
struct
sk_buff
*
skb
,
struct
nf_conn
*
ct
,
...
...
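Review bot: The `do_chain` callback type is written out in full in each of the four prototypes in this section (nf_nat_ipv4_in, nf_nat_ipv4_out, nf_nat_ipv4_local_fn, nf_nat_ipv4_fn) and again in the matching definitions in nf_nat_l3proto_ipv4.c, so a signature change like this one has to be repeated in eight places. A single typedef in this header, for example `typedef unsigned int nf_nat_do_chain_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, const struct nf_hook_state *state, struct nf_conn *ct);` (the name is only a suggestion), with the parameter declared as `nf_nat_do_chain_fn *do_chain`, would keep the callback contract in one place. The hunk starts mid-file, so whatever conventions the rest of the header follows are not visible from here.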
net/ipv4/netfilter/iptable_nat.c
...
...
@@ -30,45 +30,41 @@ static const struct xt_table nf_nat_ipv4_table = {
static
unsigned
int
iptable_nat_do_chain
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
)
{
struct
net
*
net
=
nf_ct_net
(
ct
);
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
in
,
out
,
net
->
ipv4
.
nat_table
);
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
net
->
ipv4
.
nat_table
);
}
static
unsigned
int
iptable_nat_ipv4_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_fn
(
ops
,
skb
,
state
->
in
,
state
->
out
,
iptable_nat_do_chain
);
return
nf_nat_ipv4_fn
(
ops
,
skb
,
state
,
iptable_nat_do_chain
);
}
static
unsigned
int
iptable_nat_ipv4_in
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_in
(
ops
,
skb
,
state
->
in
,
state
->
out
,
iptable_nat_do_chain
);
return
nf_nat_ipv4_in
(
ops
,
skb
,
state
,
iptable_nat_do_chain
);
}
static
unsigned
int
iptable_nat_ipv4_out
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_out
(
ops
,
skb
,
state
->
in
,
state
->
out
,
iptable_nat_do_chain
);
return
nf_nat_ipv4_out
(
ops
,
skb
,
state
,
iptable_nat_do_chain
);
}
static
unsigned
int
iptable_nat_ipv4_local_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_local_fn
(
ops
,
skb
,
state
->
in
,
state
->
out
,
iptable_nat_do_chain
);
return
nf_nat_ipv4_local_fn
(
ops
,
skb
,
state
,
iptable_nat_do_chain
);
}
static
struct
nf_hook_ops
nf_nat_ipv4_ops
[]
__read_mostly
=
{
...
...
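Review bot: `iptable_nat_do_chain` now reads `state->in` and `state->out` with no comment on where `state` comes from or which of its members may be unset; the same holds for `nft_nat_do_chain` in nft_chain_nat_ipv4.c. Both callbacks are reached only through the `do_chain` pointer handed to the nf_nat_ipv4_* helpers, so the hook core presumably always supplies a valid state, but on a packet-processing path that contract is worth writing down. I would add above each callback a comment along the lines of `/* state is the hook state supplied by the netfilter core and is never NULL; state->in or state->out may be NULL depending on the hook. */`, after confirming it against the callers.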
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
...
...
@@ -256,11 +256,10 @@ EXPORT_SYMBOL_GPL(nf_nat_icmp_reply_translation);
unsigned
int
nf_nat_ipv4_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
n
et_device
*
in
,
const
struct
net_device
*
out
,
const
struct
n
f_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
))
{
struct
nf_conn
*
ct
;
...
...
@@ -309,7 +308,7 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
if
(
!
nf_nat_initialized
(
ct
,
maniptype
))
{
unsigned
int
ret
;
ret
=
do_chain
(
ops
,
skb
,
in
,
out
,
ct
);
ret
=
do_chain
(
ops
,
skb
,
state
,
ct
);
if
(
ret
!=
NF_ACCEPT
)
return
ret
;
...
...
@@ -323,7 +322,8 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
pr_debug
(
"Already setup manip %s for ct %p
\n
"
,
maniptype
==
NF_NAT_MANIP_SRC
?
"SRC"
:
"DST"
,
ct
);
if
(
nf_nat_oif_changed
(
ops
->
hooknum
,
ctinfo
,
nat
,
out
))
if
(
nf_nat_oif_changed
(
ops
->
hooknum
,
ctinfo
,
nat
,
state
->
out
))
goto
oif_changed
;
}
break
;
...
...
@@ -332,7 +332,7 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
/* ESTABLISHED */
NF_CT_ASSERT
(
ctinfo
==
IP_CT_ESTABLISHED
||
ctinfo
==
IP_CT_ESTABLISHED_REPLY
);
if
(
nf_nat_oif_changed
(
ops
->
hooknum
,
ctinfo
,
nat
,
out
))
if
(
nf_nat_oif_changed
(
ops
->
hooknum
,
ctinfo
,
nat
,
state
->
out
))
goto
oif_changed
;
}
...
...
@@ -346,17 +346,16 @@ EXPORT_SYMBOL_GPL(nf_nat_ipv4_fn);
unsigned
int
nf_nat_ipv4_in
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
n
et_device
*
in
,
const
struct
net_device
*
out
,
const
struct
n
f_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
))
{
unsigned
int
ret
;
__be32
daddr
=
ip_hdr
(
skb
)
->
daddr
;
ret
=
nf_nat_ipv4_fn
(
ops
,
skb
,
in
,
out
,
do_chain
);
ret
=
nf_nat_ipv4_fn
(
ops
,
skb
,
state
,
do_chain
);
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
daddr
!=
ip_hdr
(
skb
)
->
daddr
)
skb_dst_drop
(
skb
);
...
...
@@ -367,11 +366,10 @@ EXPORT_SYMBOL_GPL(nf_nat_ipv4_in);
unsigned
int
nf_nat_ipv4_out
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
n
et_device
*
in
,
const
struct
net_device
*
out
,
const
struct
n
f_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
))
{
#ifdef CONFIG_XFRM
...
...
@@ -386,7 +384,7 @@ nf_nat_ipv4_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
ret
=
nf_nat_ipv4_fn
(
ops
,
skb
,
in
,
out
,
do_chain
);
ret
=
nf_nat_ipv4_fn
(
ops
,
skb
,
state
,
do_chain
);
#ifdef CONFIG_XFRM
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
!
(
IPCB
(
skb
)
->
flags
&
IPSKB_XFRM_TRANSFORMED
)
&&
...
...
@@ -410,11 +408,10 @@ EXPORT_SYMBOL_GPL(nf_nat_ipv4_out);
unsigned
int
nf_nat_ipv4_local_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
n
et_device
*
in
,
const
struct
net_device
*
out
,
const
struct
n
f_hook_state
*
state
,
unsigned
int
(
*
do_chain
)(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
))
{
const
struct
nf_conn
*
ct
;
...
...
@@ -427,7 +424,7 @@ nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
ret
=
nf_nat_ipv4_fn
(
ops
,
skb
,
in
,
out
,
do_chain
);
ret
=
nf_nat_ipv4_fn
(
ops
,
skb
,
state
,
do_chain
);
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
(
ct
=
nf_ct_get
(
skb
,
&
ctinfo
))
!=
NULL
)
{
enum
ip_conntrack_dir
dir
=
CTINFO2DIR
(
ctinfo
);
...
...
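Review bot: In nf_nat_ipv4_fn the two `nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)` calls now take the hook number from `ops` and the output device from `state`, so one decision depends on two objects that must describe the same hook invocation. `struct nf_hook_state` also carries the hook number, so if the two values are guaranteed equal here the call could read `nf_nat_oif_changed(state->hook, ctinfo, nat, state->out)` and draw both inputs from one source. If `ops->hooknum` is kept deliberately for this step of the conversion, a short comment saying so would help the next reader. The function body starts and ends outside the visible hunks, so any other remaining uses of `ops->hooknum` cannot be checked from here.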
net/ipv4/netfilter/nft_chain_nat_ipv4.c
...
...
@@ -28,13 +28,12 @@
static
unsigned
int
nft_nat_do_chain
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
nf_hook_state
*
state
,
struct
nf_conn
*
ct
)
{
struct
nft_pktinfo
pkt
;
nft_set_pktinfo_ipv4
(
&
pkt
,
ops
,
skb
,
in
,
out
);
nft_set_pktinfo_ipv4
(
&
pkt
,
ops
,
skb
,
state
->
in
,
state
->
out
);
return
nft_do_chain
(
&
pkt
,
ops
);
}
...
...
@@ -43,29 +42,28 @@ static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_fn
(
ops
,
skb
,
state
->
in
,
state
->
out
,
nft_nat_do_chain
);
return
nf_nat_ipv4_fn
(
ops
,
skb
,
state
,
nft_nat_do_chain
);
}
static
unsigned
int
nft_nat_ipv4_in
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_in
(
ops
,
skb
,
state
->
in
,
state
->
out
,
nft_nat_do_chain
);
return
nf_nat_ipv4_in
(
ops
,
skb
,
state
,
nft_nat_do_chain
);
}
static
unsigned
int
nft_nat_ipv4_out
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_out
(
ops
,
skb
,
state
->
in
,
state
->
out
,
nft_nat_do_chain
);
return
nf_nat_ipv4_out
(
ops
,
skb
,
state
,
nft_nat_do_chain
);
}
static
unsigned
int
nft_nat_ipv4_local_fn
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
nf_hook_state
*
state
)
{
return
nf_nat_ipv4_local_fn
(
ops
,
skb
,
state
->
in
,
state
->
out
,
nft_nat_do_chain
);
return
nf_nat_ipv4_local_fn
(
ops
,
skb
,
state
,
nft_nat_do_chain
);
}
static
const
struct
nf_chain_type
nft_chain_nat_ipv4
=
{
...
...