netfilter: synproxy: remove module dependency on IPv6 SYNPROXY

This is a prerequisite for the infrastructure module NETFILTER_SYNPROXY.
The new module is needed to avoid duplicated code for the SYNPROXY
nftables support.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 3a3dc4b1f0e7fae54ca5b6765b072ba8630e9b35..35b12525ee4507fb39b8f1a736898920998f0793 100644 (file)
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -8,6 +8,7 @@
 #define __LINUX_IP6_NETFILTER_H
 
 #include <uapi/linux/netfilter_ipv6.h>
+#include <net/tcp.h>
 
 /* Extra routing may needed on local out, as the QUEUE target never returns
  * control to the table.
@@ -35,6 +36,10 @@ struct nf_ipv6_ops {
                       struct in6_addr *saddr);
        int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
                     bool strict);
+       u32 (*cookie_init_sequence)(const struct ipv6hdr *iph,
+                                   const struct tcphdr *th, u16 *mssp);
+       int (*cookie_v6_check)(const struct ipv6hdr *iph,
+                              const struct tcphdr *th, __u32 cookie);
 #endif
        void (*route_input)(struct sk_buff *skb);
        int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,
@@ -154,6 +159,37 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
 #endif
 }
 
+static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph,
+                                              const struct tcphdr *th,
+                                              u16 *mssp)
+{
+#if IS_MODULE(CONFIG_IPV6)
+       const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
+
+       if (v6_ops)
+               return v6_ops->cookie_init_sequence(iph, th, mssp);
+
+       return 0;
+#else
+       return __cookie_v6_init_sequence(iph, th, mssp);
+#endif
+}
+
+static inline int nf_cookie_v6_check(const struct ipv6hdr *iph,
+                                    const struct tcphdr *th, __u32 cookie)
+{
+#if IS_MODULE(CONFIG_IPV6)
+       const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
+
+       if (v6_ops)
+               return v6_ops->cookie_v6_check(iph, th, cookie);
+
+       return 0;
+#else
+       return __cookie_v6_check(iph, th, cookie);
+#endif
+}
+
 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
                        unsigned int dataoff, u_int8_t protocol);
 

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 86048dce301bcaefa9236cf45a21863098070e88..dffb10fdc3e8add59fcf63f9678d9c11be54eb2a 100644 (file)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -234,6 +234,8 @@ static const struct nf_ipv6_ops ipv6ops = {
        .route_me_harder        = ip6_route_me_harder,
        .dev_get_saddr          = ipv6_dev_get_saddr,
        .route                  = __nf_ip6_route,
+       .cookie_init_sequence   = __cookie_v6_init_sequence,
+       .cookie_v6_check        = __cookie_v6_check,
 #endif
        .route_input            = ip6_route_input,
        .fragment               = ip6_fragment,