]> Pileus Git - ~andy/linux/blob - net/ipv4/netfilter/nft_chain_nat_ipv4.c
projects / ~andy / linux / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
netfilter: nf_tables: add support for dormant tables
[~andy/linux] / net / ipv4 / netfilter / nft_chain_nat_ipv4.c
1 /*
2  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
3  * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Development of this code funded by Astaro AG (http://www.astaro.com/)
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/list.h>
15 #include <linux/skbuff.h>
16 #include <linux/ip.h>
17 #include <linux/netlink.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter_ipv4.h>
20 #include <linux/netfilter/nfnetlink.h>
21 #include <linux/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_conntrack.h>
23 #include <net/netfilter/nf_nat.h>
24 #include <net/netfilter/nf_nat_core.h>
25 #include <net/netfilter/nf_tables.h>
26 #include <net/netfilter/nf_tables_ipv4.h>
27 #include <net/netfilter/nf_nat_l3proto.h>
28 #include <net/ip.h>
29
30 struct nft_nat {
31         enum nft_registers      sreg_addr_min:8;
32         enum nft_registers      sreg_addr_max:8;
33         enum nft_registers      sreg_proto_min:8;
34         enum nft_registers      sreg_proto_max:8;
35         enum nf_nat_manip_type  type;
36 };
37
38 static void nft_nat_eval(const struct nft_expr *expr,
39                          struct nft_data data[NFT_REG_MAX + 1],
40                          const struct nft_pktinfo *pkt)
41 {
42         const struct nft_nat *priv = nft_expr_priv(expr);
43         enum ip_conntrack_info ctinfo;
44         struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
45         struct nf_nat_range range;
46
47         memset(&range, 0, sizeof(range));
48         if (priv->sreg_addr_min) {
49                 range.min_addr.ip = data[priv->sreg_addr_min].data[0];
50                 range.max_addr.ip = data[priv->sreg_addr_max].data[0];
51                 range.flags |= NF_NAT_RANGE_MAP_IPS;
52         }
53
54         if (priv->sreg_proto_min) {
55                 range.min_proto.all = data[priv->sreg_proto_min].data[0];
56                 range.max_proto.all = data[priv->sreg_proto_max].data[0];
57                 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
58         }
59
60         data[NFT_REG_VERDICT].verdict =
61                 nf_nat_setup_info(ct, &range, priv->type);
62 }
63
64 static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
65         [NFTA_NAT_ADDR_MIN]     = { .type = NLA_U32 },
66         [NFTA_NAT_ADDR_MAX]     = { .type = NLA_U32 },
67         [NFTA_NAT_PROTO_MIN]    = { .type = NLA_U32 },
68         [NFTA_NAT_PROTO_MAX]    = { .type = NLA_U32 },
69         [NFTA_NAT_TYPE]         = { .type = NLA_U32 },
70 };
71
72 static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
73                         const struct nlattr * const tb[])
74 {
75         struct nft_nat *priv = nft_expr_priv(expr);
76         int err;
77
78         if (tb[NFTA_NAT_TYPE] == NULL)
79                 return -EINVAL;
80
81         switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
82         case NFT_NAT_SNAT:
83                 priv->type = NF_NAT_MANIP_SRC;
84                 break;
85         case NFT_NAT_DNAT:
86                 priv->type = NF_NAT_MANIP_DST;
87                 break;
88         default:
89                 return -EINVAL;
90         }
91
92         if (tb[NFTA_NAT_ADDR_MIN]) {
93                 priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
94                 err = nft_validate_input_register(priv->sreg_addr_min);
95                 if (err < 0)
96                         return err;
97         }
98
99         if (tb[NFTA_NAT_ADDR_MAX]) {
100                 priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
101                 err = nft_validate_input_register(priv->sreg_addr_max);
102                 if (err < 0)
103                         return err;
104         } else
105                 priv->sreg_addr_max = priv->sreg_addr_min;
106
107         if (tb[NFTA_NAT_PROTO_MIN]) {
108                 priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
109                 err = nft_validate_input_register(priv->sreg_proto_min);
110                 if (err < 0)
111                         return err;
112         }
113
114         if (tb[NFTA_NAT_PROTO_MAX]) {
115                 priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
116                 err = nft_validate_input_register(priv->sreg_proto_max);
117                 if (err < 0)
118                         return err;
119         } else
120                 priv->sreg_proto_max = priv->sreg_proto_min;
121
122         return 0;
123 }
124
125 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
126 {
127         const struct nft_nat *priv = nft_expr_priv(expr);
128
129         switch (priv->type) {
130         case NF_NAT_MANIP_SRC:
131                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
132                         goto nla_put_failure;
133                 break;
134         case NF_NAT_MANIP_DST:
135                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
136                         goto nla_put_failure;
137                 break;
138         }
139
140         if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
141                 goto nla_put_failure;
142         if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
143                 goto nla_put_failure;
144         if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
145                 goto nla_put_failure;
146         if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
147                 goto nla_put_failure;
148         return 0;
149
150 nla_put_failure:
151         return -1;
152 }
153
154 static struct nft_expr_type nft_nat_type;
155 static const struct nft_expr_ops nft_nat_ops = {
156         .type           = &nft_nat_type,
157         .size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
158         .eval           = nft_nat_eval,
159         .init           = nft_nat_init,
160         .dump           = nft_nat_dump,
161 };
162
163 static struct nft_expr_type nft_nat_type __read_mostly = {
164         .name           = "nat",
165         .ops            = &nft_nat_ops,
166         .policy         = nft_nat_policy,
167         .maxattr        = NFTA_NAT_MAX,
168         .owner          = THIS_MODULE,
169 };
170
171 /*
172  * NAT chains
173  */
174
175 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
176                               struct sk_buff *skb,
177                               const struct net_device *in,
178                               const struct net_device *out,
179                               int (*okfn)(struct sk_buff *))
180 {
181         enum ip_conntrack_info ctinfo;
182         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
183         struct nf_conn_nat *nat;
184         enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
185         struct nft_pktinfo pkt;
186         unsigned int ret;
187
188         if (ct == NULL || nf_ct_is_untracked(ct))
189                 return NF_ACCEPT;
190
191         NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
192
193         nat = nfct_nat(ct);
194         if (nat == NULL) {
195                 /* Conntrack module was loaded late, can't add extension. */
196                 if (nf_ct_is_confirmed(ct))
197                         return NF_ACCEPT;
198                 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
199                 if (nat == NULL)
200                         return NF_ACCEPT;
201         }
202
203         switch (ctinfo) {
204         case IP_CT_RELATED:
205         case IP_CT_RELATED + IP_CT_IS_REPLY:
206                 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
207                         if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
208                                                            ops->hooknum))
209                                 return NF_DROP;
210                         else
211                                 return NF_ACCEPT;
212                 }
213                 /* Fall through */
214         case IP_CT_NEW:
215                 if (nf_nat_initialized(ct, maniptype))
216                         break;
217
218                 nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
219
220                 ret = nft_do_chain_pktinfo(&pkt, ops);
221                 if (ret != NF_ACCEPT)
222                         return ret;
223                 if (!nf_nat_initialized(ct, maniptype)) {
224                         ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
225                         if (ret != NF_ACCEPT)
226                                 return ret;
227                 }
228         default:
229                 break;
230         }
231
232         return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
233 }
234
235 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
236                                       struct sk_buff *skb,
237                                       const struct net_device *in,
238                                       const struct net_device *out,
239                                       int (*okfn)(struct sk_buff *))
240 {
241         __be32 daddr = ip_hdr(skb)->daddr;
242         unsigned int ret;
243
244         ret = nf_nat_fn(ops, skb, in, out, okfn);
245         if (ret != NF_DROP && ret != NF_STOLEN &&
246             ip_hdr(skb)->daddr != daddr) {
247                 skb_dst_drop(skb);
248         }
249         return ret;
250 }
251
252 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
253                                        struct sk_buff *skb,
254                                        const struct net_device *in,
255                                        const struct net_device *out,
256                                        int (*okfn)(struct sk_buff *))
257 {
258         enum ip_conntrack_info ctinfo __maybe_unused;
259         const struct nf_conn *ct __maybe_unused;
260         unsigned int ret;
261
262         ret = nf_nat_fn(ops, skb, in, out, okfn);
263 #ifdef CONFIG_XFRM
264         if (ret != NF_DROP && ret != NF_STOLEN &&
265             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
266                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
267
268                 if (ct->tuplehash[dir].tuple.src.u3.ip !=
269                     ct->tuplehash[!dir].tuple.dst.u3.ip ||
270                     ct->tuplehash[dir].tuple.src.u.all !=
271                     ct->tuplehash[!dir].tuple.dst.u.all)
272                         return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
273                                                                 ret : NF_DROP;
274         }
275 #endif
276         return ret;
277 }
278
279 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
280                                   struct sk_buff *skb,
281                                   const struct net_device *in,
282                                   const struct net_device *out,
283                                   int (*okfn)(struct sk_buff *))
284 {
285         enum ip_conntrack_info ctinfo;
286         const struct nf_conn *ct;
287         unsigned int ret;
288
289         ret = nf_nat_fn(ops, skb, in, out, okfn);
290         if (ret != NF_DROP && ret != NF_STOLEN &&
291             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
292                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
293
294                 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
295                     ct->tuplehash[!dir].tuple.src.u3.ip) {
296                         if (ip_route_me_harder(skb, RTN_UNSPEC))
297                                 ret = NF_DROP;
298                 }
299 #ifdef CONFIG_XFRM
300                 else if (ct->tuplehash[dir].tuple.dst.u.all !=
301                          ct->tuplehash[!dir].tuple.src.u.all)
302                         if (nf_xfrm_me_harder(skb, AF_INET))
303                                 ret = NF_DROP;
304 #endif
305         }
306         return ret;
307 }
308
309 struct nf_chain_type nft_chain_nat_ipv4 = {
310         .family         = NFPROTO_IPV4,
311         .name           = "nat",
312         .type           = NFT_CHAIN_T_NAT,
313         .hook_mask      = (1 << NF_INET_PRE_ROUTING) |
314                           (1 << NF_INET_POST_ROUTING) |
315                           (1 << NF_INET_LOCAL_OUT) |
316                           (1 << NF_INET_LOCAL_IN),
317         .fn             = {
318                 [NF_INET_PRE_ROUTING]   = nf_nat_prerouting,
319                 [NF_INET_POST_ROUTING]  = nf_nat_postrouting,
320                 [NF_INET_LOCAL_OUT]     = nf_nat_output,
321                 [NF_INET_LOCAL_IN]      = nf_nat_fn,
322         },
323         .me             = THIS_MODULE,
324 };
325
326 static int __init nft_chain_nat_init(void)
327 {
328         int err;
329
330         err = nft_register_chain_type(&nft_chain_nat_ipv4);
331         if (err < 0)
332                 return err;
333
334         err = nft_register_expr(&nft_nat_type);
335         if (err < 0)
336                 goto err;
337
338         return 0;
339
340 err:
341         nft_unregister_chain_type(&nft_chain_nat_ipv4);
342         return err;
343 }
344
345 static void __exit nft_chain_nat_exit(void)
346 {
347         nft_unregister_expr(&nft_nat_type);
348         nft_unregister_chain_type(&nft_chain_nat_ipv4);
349 }
350
351 module_init(nft_chain_nat_init);
352 module_exit(nft_chain_nat_exit);
353
354 MODULE_LICENSE("GPL");
355 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
356 MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
357 MODULE_ALIAS_NFT_EXPR("nat");
Andy's Linux Kernel repo