net/ipv4/netfilter/nft_chain_nat_ipv4.c

   1 /*
   2  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
   3  * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
   4  * Copyright (c) 2012 Intel Corporation
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation.
   9  *
  10  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  11  */
  12
  13 #include <linux/module.h>
  14 #include <linux/init.h>
  15 #include <linux/list.h>
  16 #include <linux/skbuff.h>
  17 #include <linux/ip.h>
  18 #include <linux/netfilter.h>
  19 #include <linux/netfilter_ipv4.h>
  20 #include <linux/netfilter/nf_tables.h>
  21 #include <net/netfilter/nf_conntrack.h>
  22 #include <net/netfilter/nf_nat.h>
  23 #include <net/netfilter/nf_nat_core.h>
  24 #include <net/netfilter/nf_tables.h>
  25 #include <net/netfilter/nf_tables_ipv4.h>
  26 #include <net/netfilter/nf_nat_l3proto.h>
  27 #include <net/ip.h>
  28
  29 /*
  30  * NAT chains
  31  */
  32
  33 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
  34                               struct sk_buff *skb,
  35                               const struct net_device *in,
  36                               const struct net_device *out,
  37                               int (*okfn)(struct sk_buff *))
  38 {
  39         enum ip_conntrack_info ctinfo;
  40         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  41         struct nf_conn_nat *nat;
  42         enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
  43         struct nft_pktinfo pkt;
  44         unsigned int ret;
  45
  46         if (ct == NULL || nf_ct_is_untracked(ct))
  47                 return NF_ACCEPT;
  48
  49         NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
  50
  51         nat = nfct_nat(ct);
  52         if (nat == NULL) {
  53                 /* Conntrack module was loaded late, can't add extension. */
  54                 if (nf_ct_is_confirmed(ct))
  55                         return NF_ACCEPT;
  56                 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
  57                 if (nat == NULL)
  58                         return NF_ACCEPT;
  59         }
  60
  61         switch (ctinfo) {
  62         case IP_CT_RELATED:
  63         case IP_CT_RELATED + IP_CT_IS_REPLY:
  64                 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
  65                         if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
  66                                                            ops->hooknum))
  67                                 return NF_DROP;
  68                         else
  69                                 return NF_ACCEPT;
  70                 }
  71                 /* Fall through */
  72         case IP_CT_NEW:
  73                 if (nf_nat_initialized(ct, maniptype))
  74                         break;
  75
  76                 nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
  77
  78                 ret = nft_do_chain_pktinfo(&pkt, ops);
  79                 if (ret != NF_ACCEPT)
  80                         return ret;
  81                 if (!nf_nat_initialized(ct, maniptype)) {
  82                         ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
  83                         if (ret != NF_ACCEPT)
  84                                 return ret;
  85                 }
  86         default:
  87                 break;
  88         }
  89
  90         return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
  91 }
  92
  93 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
  94                                       struct sk_buff *skb,
  95                                       const struct net_device *in,
  96                                       const struct net_device *out,
  97                                       int (*okfn)(struct sk_buff *))
  98 {
  99         __be32 daddr = ip_hdr(skb)->daddr;
 100         unsigned int ret;
 101
 102         ret = nf_nat_fn(ops, skb, in, out, okfn);
 103         if (ret != NF_DROP && ret != NF_STOLEN &&
 104             ip_hdr(skb)->daddr != daddr) {
 105                 skb_dst_drop(skb);
 106         }
 107         return ret;
 108 }
 109
 110 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
 111                                        struct sk_buff *skb,
 112                                        const struct net_device *in,
 113                                        const struct net_device *out,
 114                                        int (*okfn)(struct sk_buff *))
 115 {
 116         enum ip_conntrack_info ctinfo __maybe_unused;
 117         const struct nf_conn *ct __maybe_unused;
 118         unsigned int ret;
 119
 120         ret = nf_nat_fn(ops, skb, in, out, okfn);
 121 #ifdef CONFIG_XFRM
 122         if (ret != NF_DROP && ret != NF_STOLEN &&
 123             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 124                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 125
 126                 if (ct->tuplehash[dir].tuple.src.u3.ip !=
 127                     ct->tuplehash[!dir].tuple.dst.u3.ip ||
 128                     ct->tuplehash[dir].tuple.src.u.all !=
 129                     ct->tuplehash[!dir].tuple.dst.u.all)
 130                         return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
 131                                                                 ret : NF_DROP;
 132         }
 133 #endif
 134         return ret;
 135 }
 136
 137 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
 138                                   struct sk_buff *skb,
 139                                   const struct net_device *in,
 140                                   const struct net_device *out,
 141                                   int (*okfn)(struct sk_buff *))
 142 {
 143         enum ip_conntrack_info ctinfo;
 144         const struct nf_conn *ct;
 145         unsigned int ret;
 146
 147         ret = nf_nat_fn(ops, skb, in, out, okfn);
 148         if (ret != NF_DROP && ret != NF_STOLEN &&
 149             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 150                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 151
 152                 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
 153                     ct->tuplehash[!dir].tuple.src.u3.ip) {
 154                         if (ip_route_me_harder(skb, RTN_UNSPEC))
 155                                 ret = NF_DROP;
 156                 }
 157 #ifdef CONFIG_XFRM
 158                 else if (ct->tuplehash[dir].tuple.dst.u.all !=
 159                          ct->tuplehash[!dir].tuple.src.u.all)
 160                         if (nf_xfrm_me_harder(skb, AF_INET))
 161                                 ret = NF_DROP;
 162 #endif
 163         }
 164         return ret;
 165 }
 166
 167 static const struct nf_chain_type nft_chain_nat_ipv4 = {
 168         .family         = NFPROTO_IPV4,
 169         .name           = "nat",
 170         .type           = NFT_CHAIN_T_NAT,
 171         .hook_mask      = (1 << NF_INET_PRE_ROUTING) |
 172                           (1 << NF_INET_POST_ROUTING) |
 173                           (1 << NF_INET_LOCAL_OUT) |
 174                           (1 << NF_INET_LOCAL_IN),
 175         .fn             = {
 176                 [NF_INET_PRE_ROUTING]   = nf_nat_prerouting,
 177                 [NF_INET_POST_ROUTING]  = nf_nat_postrouting,
 178                 [NF_INET_LOCAL_OUT]     = nf_nat_output,
 179                 [NF_INET_LOCAL_IN]      = nf_nat_fn,
 180         },
 181         .me             = THIS_MODULE,
 182 };
 183
 184 static int __init nft_chain_nat_init(void)
 185 {
 186         int err;
 187
 188         err = nft_register_chain_type(&nft_chain_nat_ipv4);
 189         if (err < 0)
 190                 return err;
 191
 192         return 0;
 193 }
 194
 195 static void __exit nft_chain_nat_exit(void)
 196 {
 197         nft_unregister_chain_type(&nft_chain_nat_ipv4);
 198 }
 199
 200 module_init(nft_chain_nat_init);
 201 module_exit(nft_chain_nat_exit);
 202
 203 MODULE_LICENSE("GPL");
 204 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 205 MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");