2 * Stateless NAT actions
4 * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the Free
8 * Software Foundation; either version 2 of the License, or (at your option)
12 #include <linux/errno.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/module.h>
16 #include <linux/netfilter.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/skbuff.h>
19 #include <linux/slab.h>
20 #include <linux/spinlock.h>
21 #include <linux/string.h>
22 #include <linux/tc_act/tc_nat.h>
23 #include <net/act_api.h>
26 #include <net/netlink.h>
27 #include <net/tc_act/tc_nat.h>
32 #define NAT_TAB_MASK 15
33 static struct tcf_common *tcf_nat_ht[NAT_TAB_MASK + 1];
34 static u32 nat_idx_gen;
35 static DEFINE_RWLOCK(nat_lock);
37 static struct tcf_hashinfo nat_hash_info = {
39 .hmask = NAT_TAB_MASK,
43 static int tcf_nat_init(struct nlattr *nla, struct nlattr *est,
44 struct tc_action *a, int ovr, int bind)
46 struct nlattr *tb[TCA_NAT_MAX + 1];
50 struct tcf_common *pc;
55 err = nla_parse_nested(tb, TCA_NAT_MAX, nla, NULL);
59 if (tb[TCA_NAT_PARMS] == NULL ||
60 nla_len(tb[TCA_NAT_PARMS]) < sizeof(*parm))
62 parm = nla_data(tb[TCA_NAT_PARMS]);
64 pc = tcf_hash_check(parm->index, a, bind, &nat_hash_info);
66 pc = tcf_hash_create(parm->index, est, a, sizeof(*p), bind,
67 &nat_idx_gen, &nat_hash_info);
75 tcf_hash_release(pc, bind, &nat_hash_info);
80 spin_lock_bh(&p->tcf_lock);
81 p->old_addr = parm->old_addr;
82 p->new_addr = parm->new_addr;
84 p->flags = parm->flags;
86 p->tcf_action = parm->action;
87 spin_unlock_bh(&p->tcf_lock);
89 if (ret == ACT_P_CREATED)
90 tcf_hash_insert(pc, &nat_hash_info);
95 static int tcf_nat_cleanup(struct tc_action *a, int bind)
97 struct tcf_nat *p = a->priv;
99 return tcf_hash_release(&p->common, bind, &nat_hash_info);
102 static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
103 struct tcf_result *res)
105 struct tcf_nat *p = a->priv;
115 spin_lock(&p->tcf_lock);
117 p->tcf_tm.lastuse = jiffies;
118 old_addr = p->old_addr;
119 new_addr = p->new_addr;
121 egress = p->flags & TCA_NAT_FLAG_EGRESS;
122 action = p->tcf_action;
124 p->tcf_bstats.bytes += skb->len;
125 p->tcf_bstats.packets++;
127 spin_unlock(&p->tcf_lock);
129 if (unlikely(action == TC_ACT_SHOT))
132 if (!pskb_may_pull(skb, sizeof(*iph)))
142 if (!((old_addr ^ addr) & mask)) {
143 if (skb_cloned(skb) &&
144 !skb_clone_writable(skb, sizeof(*iph)) &&
145 pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
149 new_addr |= addr & ~mask;
151 /* Rewrite IP header */
154 iph->saddr = new_addr;
156 iph->daddr = new_addr;
158 csum_replace4(&iph->check, addr, new_addr);
163 /* It would be nice to share code with stateful NAT. */
164 switch (iph->frag_off & htons(IP_OFFSET) ? 0 : iph->protocol) {
169 if (!pskb_may_pull(skb, ihl + sizeof(*tcph)) ||
171 !skb_clone_writable(skb, ihl + sizeof(*tcph)) &&
172 pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
175 tcph = (void *)(skb_network_header(skb) + ihl);
176 inet_proto_csum_replace4(&tcph->check, skb, addr, new_addr, 1);
183 if (!pskb_may_pull(skb, ihl + sizeof(*udph)) ||
185 !skb_clone_writable(skb, ihl + sizeof(*udph)) &&
186 pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
189 udph = (void *)(skb_network_header(skb) + ihl);
190 if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
191 inet_proto_csum_replace4(&udph->check, skb, addr,
194 udph->check = CSUM_MANGLED_0;
200 struct icmphdr *icmph;
202 if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph)))
205 icmph = (void *)(skb_network_header(skb) + ihl);
207 if ((icmph->type != ICMP_DEST_UNREACH) &&
208 (icmph->type != ICMP_TIME_EXCEEDED) &&
209 (icmph->type != ICMP_PARAMETERPROB))
212 iph = (void *)(icmph + 1);
218 if ((old_addr ^ addr) & mask)
221 if (skb_cloned(skb) &&
222 !skb_clone_writable(skb,
223 ihl + sizeof(*icmph) + sizeof(*iph)) &&
224 pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
227 icmph = (void *)(skb_network_header(skb) + ihl);
228 iph = (void *)(icmph + 1);
231 new_addr |= addr & ~mask;
233 /* XXX Fix up the inner checksums. */
235 iph->daddr = new_addr;
237 iph->saddr = new_addr;
239 inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
250 spin_lock(&p->tcf_lock);
251 p->tcf_qstats.drops++;
252 spin_unlock(&p->tcf_lock);
256 static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
259 unsigned char *b = skb_tail_pointer(skb);
260 struct tcf_nat *p = a->priv;
267 /* netlink spinlocks held above us - must use ATOMIC */
268 opt = kzalloc(s, GFP_ATOMIC);
272 opt->old_addr = p->old_addr;
273 opt->new_addr = p->new_addr;
275 opt->flags = p->flags;
277 opt->index = p->tcf_index;
278 opt->action = p->tcf_action;
279 opt->refcnt = p->tcf_refcnt - ref;
280 opt->bindcnt = p->tcf_bindcnt - bind;
282 NLA_PUT(skb, TCA_NAT_PARMS, s, opt);
283 t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install);
284 t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse);
285 t.expires = jiffies_to_clock_t(p->tcf_tm.expires);
286 NLA_PUT(skb, TCA_NAT_TM, sizeof(t), &t);
298 static struct tc_action_ops act_nat_ops = {
300 .hinfo = &nat_hash_info,
302 .capab = TCA_CAP_NONE,
303 .owner = THIS_MODULE,
305 .dump = tcf_nat_dump,
306 .cleanup = tcf_nat_cleanup,
307 .lookup = tcf_hash_search,
308 .init = tcf_nat_init,
309 .walk = tcf_generic_walker
312 MODULE_DESCRIPTION("Stateless NAT actions");
313 MODULE_LICENSE("GPL");
315 static int __init nat_init_module(void)
317 return tcf_register_action(&act_nat_ops);
320 static void __exit nat_cleanup_module(void)
322 tcf_unregister_action(&act_nat_ops);
325 module_init(nat_init_module);
326 module_exit(nat_cleanup_module);