git.baikalelectronics.ru Git - kernel.git/commit

author	Bernhard Thaler <bernhard.thaler@wvnet.at>
	Sat, 30 May 2015 13:27:40 +0000 (15:27 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 12 Jun 2015 12:08:07 +0000 (14:08 +0200)
commit	4bf3b40bda3c565e0969769190466cc71a1c4f9a
tree	9fb9ccc3f92d03b3eca9fa600ce508922a768b49	tree \| snapshot
parent	c9757e9871512a41bd7906e5ac09dab8d3a82fa8	commit \| diff

netfilter: bridge: detect NAT66 correctly and change MAC address

IPv4 iptables allows to REDIRECT/DNAT/SNAT any traffic over a bridge.

e.g. REDIRECT
$ sysctl -w net.bridge.bridge-nf-call-iptables=1
$ iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 \
-j REDIRECT --to-ports 81

This does not work with ip6tables on a bridge in NAT66 scenario
because the REDIRECT/DNAT/SNAT is not correctly detected.

The bridge pre-routing (finish) netfilter hook has to check for a possible
redirect and then fix the destination mac address. This allows to use the
ip6tables rules for local REDIRECT/DNAT/SNAT REDIRECT similar to the IPv4
iptables version.

e.g. REDIRECT
$ sysctl -w net.bridge.bridge-nf-call-ip6tables=1
$ ip6tables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 \
-j REDIRECT --to-ports 81

This patch makes it possible to use IPv6 NAT66 on a bridge. It was tested
on a bridge with two interfaces using SNAT/DNAT NAT66 rules.

Reported-by: Artie Hamilton <artiemhamilton@yahoo.com>
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
[bernhard.thaler@wvnet.at: rebased, add indirect call to ip6_route_input()]
[bernhard.thaler@wvnet.at: rebased, split into separate patches]
Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter_ipv6.h		diff \| blob \| history
include/linux/skbuff.h		diff \| blob \| history
net/bridge/br_netfilter.c		diff \| blob \| history
net/ipv6/netfilter.c		diff \| blob \| history