2 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
16 #include <linux/netlink.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter_ipv4.h>
19 #include <linux/netfilter/nfnetlink.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_conntrack.h>
22 #include <net/netfilter/nf_nat.h>
23 #include <net/netfilter/nf_nat_core.h>
24 #include <net/netfilter/nf_tables.h>
25 #include <net/netfilter/nf_nat_l3proto.h>
29 enum nft_registers sreg_addr_min:8;
30 enum nft_registers sreg_addr_max:8;
31 enum nft_registers sreg_proto_min:8;
32 enum nft_registers sreg_proto_max:8;
33 enum nf_nat_manip_type type;
36 static void nft_nat_eval(const struct nft_expr *expr,
37 struct nft_data data[NFT_REG_MAX + 1],
38 const struct nft_pktinfo *pkt)
40 const struct nft_nat *priv = nft_expr_priv(expr);
41 enum ip_conntrack_info ctinfo;
42 struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
43 struct nf_nat_range range;
45 memset(&range, 0, sizeof(range));
46 if (priv->sreg_addr_min) {
47 range.min_addr.ip = data[priv->sreg_addr_min].data[0];
48 range.max_addr.ip = data[priv->sreg_addr_max].data[0];
49 range.flags |= NF_NAT_RANGE_MAP_IPS;
52 if (priv->sreg_proto_min) {
53 range.min_proto.all = data[priv->sreg_proto_min].data[0];
54 range.max_proto.all = data[priv->sreg_proto_max].data[0];
55 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
58 data[NFT_REG_VERDICT].verdict =
59 nf_nat_setup_info(ct, &range, priv->type);
62 static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
63 [NFTA_NAT_ADDR_MIN] = { .type = NLA_U32 },
64 [NFTA_NAT_ADDR_MAX] = { .type = NLA_U32 },
65 [NFTA_NAT_PROTO_MIN] = { .type = NLA_U32 },
66 [NFTA_NAT_PROTO_MAX] = { .type = NLA_U32 },
67 [NFTA_NAT_TYPE] = { .type = NLA_U32 },
70 static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
71 const struct nlattr * const tb[])
73 struct nft_nat *priv = nft_expr_priv(expr);
76 if (tb[NFTA_NAT_TYPE] == NULL)
79 switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
81 priv->type = NF_NAT_MANIP_SRC;
84 priv->type = NF_NAT_MANIP_DST;
90 if (tb[NFTA_NAT_ADDR_MIN]) {
91 priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
92 err = nft_validate_input_register(priv->sreg_addr_min);
97 if (tb[NFTA_NAT_ADDR_MAX]) {
98 priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
99 err = nft_validate_input_register(priv->sreg_addr_max);
103 priv->sreg_addr_max = priv->sreg_addr_min;
105 if (tb[NFTA_NAT_PROTO_MIN]) {
106 priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
107 err = nft_validate_input_register(priv->sreg_proto_min);
112 if (tb[NFTA_NAT_PROTO_MAX]) {
113 priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
114 err = nft_validate_input_register(priv->sreg_proto_max);
118 priv->sreg_proto_max = priv->sreg_proto_min;
123 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
125 const struct nft_nat *priv = nft_expr_priv(expr);
127 switch (priv->type) {
128 case NF_NAT_MANIP_SRC:
129 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
130 goto nla_put_failure;
132 case NF_NAT_MANIP_DST:
133 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
134 goto nla_put_failure;
138 if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
139 goto nla_put_failure;
140 if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
141 goto nla_put_failure;
142 if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
143 goto nla_put_failure;
144 if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
145 goto nla_put_failure;
152 static struct nft_expr_ops nft_nat_ops __read_mostly = {
154 .size = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
155 .owner = THIS_MODULE,
156 .eval = nft_nat_eval,
157 .init = nft_nat_init,
158 .dump = nft_nat_dump,
159 .policy = nft_nat_policy,
160 .maxattr = NFTA_NAT_MAX,
167 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
169 const struct net_device *in,
170 const struct net_device *out,
171 int (*okfn)(struct sk_buff *))
173 enum ip_conntrack_info ctinfo;
174 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
175 struct nf_conn_nat *nat;
176 enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
179 if (ct == NULL || nf_ct_is_untracked(ct))
182 NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
186 /* Conntrack module was loaded late, can't add extension. */
187 if (nf_ct_is_confirmed(ct))
189 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
196 case IP_CT_RELATED + IP_CT_IS_REPLY:
197 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
198 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
206 if (nf_nat_initialized(ct, maniptype))
209 ret = nft_do_chain(ops, skb, in, out, okfn);
210 if (ret != NF_ACCEPT)
212 if (!nf_nat_initialized(ct, maniptype)) {
213 ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
214 if (ret != NF_ACCEPT)
221 return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
224 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
226 const struct net_device *in,
227 const struct net_device *out,
228 int (*okfn)(struct sk_buff *))
230 __be32 daddr = ip_hdr(skb)->daddr;
233 ret = nf_nat_fn(ops, skb, in, out, okfn);
234 if (ret != NF_DROP && ret != NF_STOLEN &&
235 ip_hdr(skb)->daddr != daddr) {
241 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
243 const struct net_device *in,
244 const struct net_device *out,
245 int (*okfn)(struct sk_buff *))
247 enum ip_conntrack_info ctinfo __maybe_unused;
248 const struct nf_conn *ct __maybe_unused;
251 ret = nf_nat_fn(ops, skb, in, out, okfn);
253 if (ret != NF_DROP && ret != NF_STOLEN &&
254 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
255 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
257 if (ct->tuplehash[dir].tuple.src.u3.ip !=
258 ct->tuplehash[!dir].tuple.dst.u3.ip ||
259 ct->tuplehash[dir].tuple.src.u.all !=
260 ct->tuplehash[!dir].tuple.dst.u.all)
261 return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
268 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
270 const struct net_device *in,
271 const struct net_device *out,
272 int (*okfn)(struct sk_buff *))
274 enum ip_conntrack_info ctinfo;
275 const struct nf_conn *ct;
278 ret = nf_nat_fn(ops, skb, in, out, okfn);
279 if (ret != NF_DROP && ret != NF_STOLEN &&
280 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
281 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
283 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
284 ct->tuplehash[!dir].tuple.src.u3.ip) {
285 if (ip_route_me_harder(skb, RTN_UNSPEC))
289 else if (ct->tuplehash[dir].tuple.dst.u.all !=
290 ct->tuplehash[!dir].tuple.src.u.all)
291 if (nf_xfrm_me_harder(skb, AF_INET))
298 static struct nft_base_chain nf_chain_nat_prerouting __read_mostly = {
300 .name = "PREROUTING",
301 .rules = LIST_HEAD_INIT(nf_chain_nat_prerouting.chain.rules),
302 .flags = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
305 .hook = nf_nat_prerouting,
306 .owner = THIS_MODULE,
308 .hooknum = NF_INET_PRE_ROUTING,
309 .priority = NF_IP_PRI_NAT_DST,
310 .priv = &nf_chain_nat_prerouting.chain,
314 static struct nft_base_chain nf_chain_nat_postrouting __read_mostly = {
316 .name = "POSTROUTING",
317 .rules = LIST_HEAD_INIT(nf_chain_nat_postrouting.chain.rules),
318 .flags = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
321 .hook = nf_nat_postrouting,
322 .owner = THIS_MODULE,
324 .hooknum = NF_INET_POST_ROUTING,
325 .priority = NF_IP_PRI_NAT_SRC,
326 .priv = &nf_chain_nat_postrouting.chain,
330 static struct nft_base_chain nf_chain_nat_output __read_mostly = {
333 .rules = LIST_HEAD_INIT(nf_chain_nat_output.chain.rules),
334 .flags = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
337 .hook = nf_nat_output,
338 .owner = THIS_MODULE,
340 .hooknum = NF_INET_LOCAL_OUT,
341 .priority = NF_IP_PRI_NAT_DST,
342 .priv = &nf_chain_nat_output.chain,
346 static struct nft_base_chain nf_chain_nat_input __read_mostly = {
349 .rules = LIST_HEAD_INIT(nf_chain_nat_input.chain.rules),
350 .flags = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
354 .owner = THIS_MODULE,
356 .hooknum = NF_INET_LOCAL_IN,
357 .priority = NF_IP_PRI_NAT_SRC,
358 .priv = &nf_chain_nat_input.chain,
363 static struct nft_table nf_table_nat_ipv4 __read_mostly = {
365 .chains = LIST_HEAD_INIT(nf_table_nat_ipv4.chains),
368 static int __init nf_table_nat_init(void)
372 list_add_tail(&nf_chain_nat_prerouting.chain.list,
373 &nf_table_nat_ipv4.chains);
374 list_add_tail(&nf_chain_nat_postrouting.chain.list,
375 &nf_table_nat_ipv4.chains);
376 list_add_tail(&nf_chain_nat_output.chain.list,
377 &nf_table_nat_ipv4.chains);
378 list_add_tail(&nf_chain_nat_input.chain.list,
379 &nf_table_nat_ipv4.chains);
381 err = nft_register_table(&nf_table_nat_ipv4, NFPROTO_IPV4);
385 err = nft_register_expr(&nft_nat_ops);
392 nft_unregister_table(&nf_table_nat_ipv4, NFPROTO_IPV4);
397 static void __exit nf_table_nat_exit(void)
399 nft_unregister_expr(&nft_nat_ops);
400 nft_unregister_table(&nf_table_nat_ipv4, AF_INET);
403 module_init(nf_table_nat_init);
404 module_exit(nf_table_nat_exit);
406 MODULE_LICENSE("GPL");
407 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
408 MODULE_ALIAS_NFT_TABLE(AF_INET, "nat");
409 MODULE_ALIAS_NFT_EXPR("nat");