Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 9370761c56b66aa5c65e069a7b010111a025018d / . / net / ipv4 / netfilter / nft_chain_nat_ipv4.c
blob: cd286306be8550e44628befc5001775a4cec9a8d [file] [log] [blame]
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]1/*
Patrick McHardyef1f7df2013-10-10 11:41:20 +0200[diff] [blame]2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]3 * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Development of this code funded by Astaro AG (http://www.astaro.com/)
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/list.h>
15#include <linux/skbuff.h>
16#include <linux/ip.h>
17#include <linux/netlink.h>
18#include <linux/netfilter.h>
19#include <linux/netfilter_ipv4.h>
20#include <linux/netfilter/nfnetlink.h>
21#include <linux/netfilter/nf_tables.h>
22#include <net/netfilter/nf_conntrack.h>
23#include <net/netfilter/nf_nat.h>
24#include <net/netfilter/nf_nat_core.h>
25#include <net/netfilter/nf_tables.h>
26#include <net/netfilter/nf_nat_l3proto.h>
27#include <net/ip.h>
28
29struct nft_nat {
30 enum nft_registers sreg_addr_min:8;
31 enum nft_registers sreg_addr_max:8;
32 enum nft_registers sreg_proto_min:8;
33 enum nft_registers sreg_proto_max:8;
34 enum nf_nat_manip_type type;
35};
36
37static void nft_nat_eval(const struct nft_expr *expr,
38 struct nft_data data[NFT_REG_MAX + 1],
39 const struct nft_pktinfo *pkt)
40{
41 const struct nft_nat *priv = nft_expr_priv(expr);
42 enum ip_conntrack_info ctinfo;
43 struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
44 struct nf_nat_range range;
45
46 memset(&range, 0, sizeof(range));
47 if (priv->sreg_addr_min) {
48 range.min_addr.ip = data[priv->sreg_addr_min].data[0];
49 range.max_addr.ip = data[priv->sreg_addr_max].data[0];
50 range.flags |= NF_NAT_RANGE_MAP_IPS;
51 }
52
53 if (priv->sreg_proto_min) {
54 range.min_proto.all = data[priv->sreg_proto_min].data[0];
55 range.max_proto.all = data[priv->sreg_proto_max].data[0];
56 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
57 }
58
59 data[NFT_REG_VERDICT].verdict =
60 nf_nat_setup_info(ct, &range, priv->type);
61}
62
63static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
64 [NFTA_NAT_ADDR_MIN] = { .type = NLA_U32 },
65 [NFTA_NAT_ADDR_MAX] = { .type = NLA_U32 },
66 [NFTA_NAT_PROTO_MIN] = { .type = NLA_U32 },
67 [NFTA_NAT_PROTO_MAX] = { .type = NLA_U32 },
68 [NFTA_NAT_TYPE] = { .type = NLA_U32 },
69};
70
71static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
72 const struct nlattr * const tb[])
73{
74 struct nft_nat *priv = nft_expr_priv(expr);
75 int err;
76
77 if (tb[NFTA_NAT_TYPE] == NULL)
78 return -EINVAL;
79
80 switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
81 case NFT_NAT_SNAT:
82 priv->type = NF_NAT_MANIP_SRC;
83 break;
84 case NFT_NAT_DNAT:
85 priv->type = NF_NAT_MANIP_DST;
86 break;
87 default:
88 return -EINVAL;
89 }
90
91 if (tb[NFTA_NAT_ADDR_MIN]) {
92 priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
93 err = nft_validate_input_register(priv->sreg_addr_min);
94 if (err < 0)
95 return err;
96 }
97
98 if (tb[NFTA_NAT_ADDR_MAX]) {
99 priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
100 err = nft_validate_input_register(priv->sreg_addr_max);
101 if (err < 0)
102 return err;
103 } else
104 priv->sreg_addr_max = priv->sreg_addr_min;
105
106 if (tb[NFTA_NAT_PROTO_MIN]) {
107 priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
108 err = nft_validate_input_register(priv->sreg_proto_min);
109 if (err < 0)
110 return err;
111 }
112
113 if (tb[NFTA_NAT_PROTO_MAX]) {
114 priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
115 err = nft_validate_input_register(priv->sreg_proto_max);
116 if (err < 0)
117 return err;
118 } else
119 priv->sreg_proto_max = priv->sreg_proto_min;
120
121 return 0;
122}
123
124static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
125{
126 const struct nft_nat *priv = nft_expr_priv(expr);
127
128 switch (priv->type) {
129 case NF_NAT_MANIP_SRC:
130 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
131 goto nla_put_failure;
132 break;
133 case NF_NAT_MANIP_DST:
134 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
135 goto nla_put_failure;
136 break;
137 }
138
139 if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
140 goto nla_put_failure;
141 if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
142 goto nla_put_failure;
143 if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
144 goto nla_put_failure;
145 if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
146 goto nla_put_failure;
147 return 0;
148
149nla_put_failure:
150 return -1;
151}
152
Patrick McHardyef1f7df2013-10-10 11:41:20 +0200[diff] [blame]153static struct nft_expr_type nft_nat_type;
154static const struct nft_expr_ops nft_nat_ops = {
155 .type = &nft_nat_type,
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]156 .size = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]157 .eval = nft_nat_eval,
158 .init = nft_nat_init,
159 .dump = nft_nat_dump,
Patrick McHardyef1f7df2013-10-10 11:41:20 +0200[diff] [blame]160};
161
162static struct nft_expr_type nft_nat_type __read_mostly = {
163 .name = "nat",
164 .ops = &nft_nat_ops,
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]165 .policy = nft_nat_policy,
166 .maxattr = NFTA_NAT_MAX,
Patrick McHardyef1f7df2013-10-10 11:41:20 +0200[diff] [blame]167 .owner = THIS_MODULE,
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]168};
169
170/*
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]171 * NAT chains
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]172 */
173
174static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
175 struct sk_buff *skb,
176 const struct net_device *in,
177 const struct net_device *out,
178 int (*okfn)(struct sk_buff *))
179{
180 enum ip_conntrack_info ctinfo;
181 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
182 struct nf_conn_nat *nat;
183 enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
184 unsigned int ret;
185
186 if (ct == NULL || nf_ct_is_untracked(ct))
187 return NF_ACCEPT;
188
189 NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
190
191 nat = nfct_nat(ct);
192 if (nat == NULL) {
193 /* Conntrack module was loaded late, can't add extension. */
194 if (nf_ct_is_confirmed(ct))
195 return NF_ACCEPT;
196 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
197 if (nat == NULL)
198 return NF_ACCEPT;
199 }
200
201 switch (ctinfo) {
202 case IP_CT_RELATED:
203 case IP_CT_RELATED + IP_CT_IS_REPLY:
204 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
205 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
206 ops->hooknum))
207 return NF_DROP;
208 else
209 return NF_ACCEPT;
210 }
211 /* Fall through */
212 case IP_CT_NEW:
213 if (nf_nat_initialized(ct, maniptype))
214 break;
215
216 ret = nft_do_chain(ops, skb, in, out, okfn);
217 if (ret != NF_ACCEPT)
218 return ret;
219 if (!nf_nat_initialized(ct, maniptype)) {
220 ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
221 if (ret != NF_ACCEPT)
222 return ret;
223 }
224 default:
225 break;
226 }
227
228 return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
229}
230
231static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
232 struct sk_buff *skb,
233 const struct net_device *in,
234 const struct net_device *out,
235 int (*okfn)(struct sk_buff *))
236{
237 __be32 daddr = ip_hdr(skb)->daddr;
238 unsigned int ret;
239
240 ret = nf_nat_fn(ops, skb, in, out, okfn);
241 if (ret != NF_DROP && ret != NF_STOLEN &&
242 ip_hdr(skb)->daddr != daddr) {
243 skb_dst_drop(skb);
244 }
245 return ret;
246}
247
248static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
249 struct sk_buff *skb,
250 const struct net_device *in,
251 const struct net_device *out,
252 int (*okfn)(struct sk_buff *))
253{
254 enum ip_conntrack_info ctinfo __maybe_unused;
255 const struct nf_conn *ct __maybe_unused;
256 unsigned int ret;
257
258 ret = nf_nat_fn(ops, skb, in, out, okfn);
259#ifdef CONFIG_XFRM
260 if (ret != NF_DROP && ret != NF_STOLEN &&
261 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
262 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
263
264 if (ct->tuplehash[dir].tuple.src.u3.ip !=
265 ct->tuplehash[!dir].tuple.dst.u3.ip ||
266 ct->tuplehash[dir].tuple.src.u.all !=
267 ct->tuplehash[!dir].tuple.dst.u.all)
268 return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
269 ret : NF_DROP;
270 }
271#endif
272 return ret;
273}
274
275static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
276 struct sk_buff *skb,
277 const struct net_device *in,
278 const struct net_device *out,
279 int (*okfn)(struct sk_buff *))
280{
281 enum ip_conntrack_info ctinfo;
282 const struct nf_conn *ct;
283 unsigned int ret;
284
285 ret = nf_nat_fn(ops, skb, in, out, okfn);
286 if (ret != NF_DROP && ret != NF_STOLEN &&
287 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
288 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
289
290 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
291 ct->tuplehash[!dir].tuple.src.u3.ip) {
292 if (ip_route_me_harder(skb, RTN_UNSPEC))
293 ret = NF_DROP;
294 }
295#ifdef CONFIG_XFRM
296 else if (ct->tuplehash[dir].tuple.dst.u.all !=
297 ct->tuplehash[!dir].tuple.src.u.all)
298 if (nf_xfrm_me_harder(skb, AF_INET))
299 ret = NF_DROP;
300#endif
301 }
302 return ret;
303}
304
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]305struct nf_chain_type nft_chain_nat_ipv4 = {
306 .family = NFPROTO_IPV4,
307 .name = "nat",
308 .type = NFT_CHAIN_T_NAT,
309 .hook_mask = (1 << NF_INET_PRE_ROUTING) |
310 (1 << NF_INET_POST_ROUTING) |
311 (1 << NF_INET_LOCAL_OUT) |
312 (1 << NF_INET_LOCAL_IN),
313 .fn = {
314 [NF_INET_PRE_ROUTING] = nf_nat_prerouting,
315 [NF_INET_POST_ROUTING] = nf_nat_postrouting,
316 [NF_INET_LOCAL_OUT] = nf_nat_output,
317 [NF_INET_LOCAL_IN] = nf_nat_fn,
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]318 },
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]319 .me = THIS_MODULE,
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]320};
321
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]322static int __init nft_chain_nat_init(void)
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]323{
324 int err;
325
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]326 err = nft_register_chain_type(&nft_chain_nat_ipv4);
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]327 if (err < 0)
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]328 return err;
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]329
Patrick McHardyef1f7df2013-10-10 11:41:20 +0200[diff] [blame]330 err = nft_register_expr(&nft_nat_type);
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]331 if (err < 0)
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]332 goto err;
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]333
334 return 0;
335
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]336err:
337 nft_unregister_chain_type(&nft_chain_nat_ipv4);
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]338 return err;
339}
340
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]341static void __exit nft_chain_nat_exit(void)
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]342{
Patrick McHardyef1f7df2013-10-10 11:41:20 +0200[diff] [blame]343 nft_unregister_expr(&nft_nat_type);
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]344 nft_unregister_chain_type(&nft_chain_nat_ipv4);
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]345}
346
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]347module_init(nft_chain_nat_init);
348module_exit(nft_chain_nat_exit);
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]349
350MODULE_LICENSE("GPL");
351MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
Pablo Neira Ayuso93707612013-10-10 23:21:26 +0200[diff] [blame^]352MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
Patrick McHardy96518512013-10-14 11:00:02 +0200[diff] [blame]353MODULE_ALIAS_NFT_EXPR("nat");