This evil of a patch adds kernel support for IPv6 NAT under the 3.7 series kernel. If you are anyone who ships devices commercially, you are kindly requested NOT to include this code in your image; the sole purpose of this code should be to provide a means of getting around geolocation restrictions.
I hope nobody sane wants to see all the stupid and lazy ISPs out there dishing out single on-link IPv6 addresses, forcing customers to use NAT. Just Say No. In order to actually make use of what is provided in this patch, it is required to also have iptables 1.4.17 or higher.
Signed-off-by: Oliver Smith <oli...@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
---
 include/netfilter.mk | 6 ++
 package/kernel/modules/netfilter.mk | 20 ++++++
 target/linux/generic/config-3.7 | 2 +-
 ...tfilter-fix-ipv6-NPT-checksum-calculation.patch | 81 ++++++++++++++++++++++
 4 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 target/linux/generic/patches-3.7/615-netfilter-fix-ipv6-NPT-checksum-calculation.patch
diff --git a/include/netfilter.mk b/include/netfilter.mk
index f36bc3c..658cdb3 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -163,12 +163,17 @@ $(eval $(call nf_add,IPT_IPV6,CONFIG_IP6_NF_TARGET_REJECT, $(P_V6)ip6t_REJECT))
 # kernel only
 $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NF_NAT, $(P_XT)nf_nat $(P_V4)nf_nat_ipv4 $(P_XT)xt_nat $(P_V4)iptable_nat, ge 3.7.0),))
+$(eval $(if $(NF_KMOD),$(call nf_add,IP6T_NAT,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6 $(P_V6)ip6table_nat, ge 3.7.0),))
 $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NF_NAT, $(P_V4)nf_nat $(P_V4)iptable_nat, lt 3.7.0),))
 # userland only
 $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, ipt_SNAT ipt_DNAT)))
+$(eval $(if $(NF_KMOD),,$(call nf_add,IP6T_NAT,CONFIG_NF_NAT_IPV6, ip6t_SNAT ip6t_DNAT)))
+$(eval $(if $(NF_KMOD),,$(call nf_add,IP6T_NAT,CONFIG_IP6_NF_TARGET_NPT, ip6t_SNPT ip6t_DNPT)))
 $(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MASQUERADE, $(P_V4)ipt_MASQUERADE))
+$(eval $(if $(NF_KMOD),$(call nf_add,IP6T_NAT,CONFIG_IP6_NF_TARGET_MASQUERADE, $(P_V6)ip6t_MASQUERADE, ge 3.7.0),))
+$(eval $(call nf_add,IP6T_NAT,CONFIG_IP6_NF_TARGET_NPT, $(P_V6)ip6t_NPT))
 # nat-extra
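Review bot: The kernel-side `ip6t_NPT` line is the only IP6T_NAT kernel entry not wrapped in `$(if $(NF_KMOD),…,)`, so it is also evaluated in the userland pass; there the `$(P_…)` prefixes appear to be empty (that is what the unwrapped IPv4 `ipt_MASQUERADE` line relies on), which presumably adds a bare `ip6t_NPT` to IPT_BUILTIN even though the userland extensions for NPT are the `ip6t_SNPT ip6t_DNPT` pair already listed two lines above. Wrap it like its siblings, guard included since CONFIG_IP6_NF_TARGET_NPT does not exist before 3.7: `$(eval $(if $(NF_KMOD),$(call nf_add,IP6T_NAT,CONFIG_IP6_NF_TARGET_NPT, $(P_V6)ip6t_NPT, ge 3.7.0),))`. The opposite gap exists for MASQUERADE: its IPv6 line is kernel-only and no userland line adds `ip6t_MASQUERADE`, so `ip6tables -t nat -j MASQUERADE` would have a kernel target with no matching extension; add `$(eval $(if $(NF_KMOD),,$(call nf_add,IP6T_NAT,CONFIG_IP6_NF_TARGET_MASQUERADE, ip6t_MASQUERADE)))` next to the SNPT/DNPT line.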
@@ -295,6 +300,7 @@ IPT_BUILTIN += $(IPT_NATHELPER_EXTRA-y)
 IPT_BUILTIN += $(IPT_ULOG-y)
 IPT_BUILTIN += $(IPT_DEBUG-y)
 IPT_BUILTIN += $(IPT_TPROXY-y)
+IPT_BUILTIN += $(IP6T_NAT-y)
 IPT_BUILTIN += $(EBTABLES-y)
 IPT_BUILTIN += $(EBTABLES_IP4-y)
 IPT_BUILTIN += $(EBTABLES_IP6-y)
diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk
index b739a9c..3891bbe 100644
--- a/package/kernel/modules/netfilter.mk
+++ b/package/kernel/modules/netfilter.mk
@@ -401,6 +401,26 @@ endef
 $(eval $(call KernelPackage,ip6tables))
+define KernelPackage/ip6t-nat
+ SUBMENU:=$(NF_MENU)
+ TITLE:=IPv6 NAT modules
+ DEPENDS:=+kmod-ipv6 +kmod-ip6tables
+ KCONFIG:=$(KCONFIG_IP6T_NAT)
+ FILES:=$(foreach mod,$(IP6T_NAT-m),$(LINUX_DIR)/net/$(mod).ko)
+ AUTOLOAD:=$(call AutoLoad,50,$(notdir $(IP6T_NAT-m)))
+endef
+
+define KernelPackage/ip6t-nat/description
+ Netfilter IPv6 NAT support.
+
+ This support is intended to facilitate dealing with geolocation restrictions
+ and similar issues. It should not be deployed as a means of allowing a lazy
+ and stupid ISP to give you a single on-link address.
+
+ If unsure or unfamiliar with routing vs NAT, say N
+endef
+
+$(eval $(call KernelPackage,ip6t-nat))
 define KernelPackage/arptables
 SUBMENU:=$(NF_MENU)
diff --git a/target/linux/generic/config-3.7 b/target/linux/generic/config-3.7
index 8e7a450..50b5bf8 100644
--- a/target/linux/generic/config-3.7
+++ b/target/linux/generic/config-3.7
@@ -2040,7 +2040,7 @@ CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_NAT_FTP is not set
 # CONFIG_NF_NAT_H323 is not set
 CONFIG_NF_NAT_IPV4=m
-# CONFIG_NF_NAT_IPV6 is not set
+CONFIG_NF_NAT_IPV6=m
 # CONFIG_NF_NAT_IRC is not set
 # CONFIG_NF_NAT_NEEDED is not set
 # CONFIG_NF_NAT_PPTP is not set
diff --git a/target/linux/generic/patches-3.7/615-netfilter-fix-ipv6-NPT-checksum-calculation.patch b/target/linux/generic/patches-3.7/615-netfilter-fix-ipv6-NPT-checksum-calculation.patch
new file mode 100644
index 0000000..44efc4b
--- /dev/null
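Review bot: `DEPENDS:=+kmod-ipv6 +kmod-ip6tables` in KernelPackage/ip6t-nat does not pull in the NAT core: in the include/netfilter.mk hunk the shared `nf_nat` and `xt_nat` modules are listed under IPT_NAT (kmod-ipt-nat) while IP6T_NAT carries only `nf_nat_ipv6` and `ip6table_nat`, so an image that installs kmod-ip6t-nat alone gets modules whose symbol dependencies are unmet at AutoLoad time and the IPv6 SNAT/DNAT targets never become usable. Add `+kmod-ipt-nat` (`DEPENDS:=+kmod-ipv6 +kmod-ip6tables +kmod-ipt-nat`), or split `nf_nat`/`xt_nat` into a shared package so IPv6-only images do not also drag in `nf_nat_ipv4`/`iptable_nat`. Whether IPv6 connection tracking (`nf_conntrack_ipv6`) is provided by kmod-ipv6 or kmod-ip6tables is not visible here; confirm, since NAT cannot run without it. The description text is user-facing in menuconfig and opkg; keep the intent but use neutral wording such as `Intended for working around geolocation restrictions; not a substitute for a properly delegated prefix.`.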
+++ b/target/linux/generic/patches-3.7/615-netfilter-fix-ipv6-NPT-checksum-calculation.patch 
@@ -0,0 +1,81 @@
+From b2149cdb219350a2697c8380f8034e5f3d2e9032 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.we...@sophos.com>
+Date: Wed, 2 Jan 2013 16:24:40 +0100
+Subject: [PATCH] netfilter: fix IPv6 NTP checksum calculation
+
+csum16_add() has a broken carry detection, should be:
+sum += sum < (__force u16)b;
+
+Instead of fixing csum16_add, remove the custom checksum
+functions and use the generic csum_add/csum_sub ones.
+
+Signed-off-by: Ulrich Weber <ulrich.we...@sophos.com>
+---
+ net/ipv6/netfilter/ip6t_NPT.c | 33 +++++++--------------------------
+ 1 file changed, 7 insertions(+), 26 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
+index e948691..7302b0b 100644
+--- a/net/ipv6/netfilter/ip6t_NPT.c
++++ b/net/ipv6/netfilter/ip6t_NPT.c
+@@ -14,42 +14,23 @@
+ #include <linux/netfilter_ipv6/ip6t_NPT.h>
+ #include <linux/netfilter/x_tables.h>
+
+-static __sum16 csum16_complement(__sum16 a)
+-{
+- return (__force __sum16)(0xffff - (__force u16)a);
+-}
+-
+-static __sum16 csum16_add(__sum16 a, __sum16 b)
+-{
+- u16 sum;
+-
+- sum = (__force u16)a + (__force u16)b;
+- sum += (__force u16)a < (__force u16)b;
+- return (__force __sum16)sum;
+-}
+-
+-static __sum16 csum16_sub(__sum16 a, __sum16 b)
+-{
+- return csum16_add(a, csum16_complement(b));
+-}
+-
+ static int ip6t_npt_checkentry(const struct xt_tgchk_param *par)
+ {
+ struct ip6t_npt_tginfo *npt = par->targinfo;
+- __sum16 src_sum = 0, dst_sum = 0;
++ __wsum src_sum = 0, dst_sum = 0;
+ unsigned int i;
+
+ if (npt->src_pfx_len > 64 || npt->dst_pfx_len > 64)
+ return -EINVAL;
+
+ for (i = 0; i < ARRAY_SIZE(npt->src_pfx.in6.s6_addr16); i++) {
+- src_sum = csum16_add(src_sum,
+- (__force __sum16)npt->src_pfx.in6.s6_addr16[i]);
+- dst_sum = csum16_add(dst_sum,
+- (__force __sum16)npt->dst_pfx.in6.s6_addr16[i]);
++ src_sum = csum_add(src_sum,
++ (__force __wsum)npt->src_pfx.in6.s6_addr16[i]);
++ dst_sum = csum_add(dst_sum,
++ (__force 
__wsum)npt->dst_pfx.in6.s6_addr16[i]);
+ }
+
+- npt->adjustment = csum16_sub(src_sum, dst_sum);
++ npt->adjustment = (__force __sum16) csum_sub(src_sum, dst_sum);
+ return 0;
+ }
+
+@@ -85,7 +66,7 @@ static bool ip6t_npt_map_pfx(const struct ip6t_npt_tginfo *npt,
+ return false;
+ }
+
+- sum = csum16_add((__force __sum16)addr->s6_addr16[idx],
++ sum = (__force __sum16) csum_add((__force __wsum)addr->s6_addr16[idx],
+ npt->adjustment);
+ if (sum == CSUM_MANGLED_0)
+ sum = 0;
+--
+1.8.0.2
+
--
1.8.0.2
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
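Review bot: In the backported `@@ -14,42 +14,23 @@` hunk, `npt->adjustment = (__force __sum16) csum_sub(src_sum, dst_sum);` truncates a 32-bit `__wsum` to 16 bits instead of folding it: `src_sum`/`dst_sum` are accumulated with `csum_add` as 32-bit ones'-complement sums of eight halfwords, so any carry above bit 15 in the prefix sums (two halfwords of 0x8000 already produce one) is discarded rather than wrapped back in, and the same truncation is repeated in `ip6t_npt_map_pfx` with `sum = (__force __sum16) csum_add(...)`. For such prefixes the translation is no longer checksum-neutral and the peer drops the TCP/UDP segments, which is exactly the class of bug this patch file exists to fix. As far as I recall the later upstream follow-up folds both results, `npt->adjustment = ~csum_fold(csum_sub(src_sum, dst_sum));` and `sum = ~csum_fold(csum_add(csum_unfold((__force __sum16)addr->s6_addr16[idx]), csum_unfold(npt->adjustment)));`, and that commit should be carried alongside this one in patches-3.7. `ip6t_npt_map_pfx` starts outside the hunk, and the inner Subject line's "NTP" for NPT is upstream's typo, not something to edit here.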