net/ipv4/netfilter/nf_table_nat_ipv4.c

   1 /*
   2  * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
   3  *
   4  * This program is free software; you can redistribute it and/or modify
   5  * it under the terms of the GNU General Public License version 2 as
   6  * published by the Free Software Foundation.
   7  *
   8  * Development of this code funded by Astaro AG (http://www.astaro.com/)
   9  */
  10
  11 #include <linux/module.h>
  12 #include <linux/init.h>
  13 #include <linux/list.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/ip.h>
  16 #include <linux/netlink.h>
  17 #include <linux/netfilter.h>
  18 #include <linux/netfilter_ipv4.h>
  19 #include <linux/netfilter/nfnetlink.h>
  20 #include <linux/netfilter/nf_tables.h>
  21 #include <net/netfilter/nf_conntrack.h>
  22 #include <net/netfilter/nf_nat.h>
  23 #include <net/netfilter/nf_nat_core.h>
  24 #include <net/netfilter/nf_tables.h>
  25 #include <net/netfilter/nf_nat_l3proto.h>
  26 #include <net/ip.h>
  27
  28 struct nft_nat {
  29         enum nft_registers      sreg_addr_min:8;
  30         enum nft_registers      sreg_addr_max:8;
  31         enum nft_registers      sreg_proto_min:8;
  32         enum nft_registers      sreg_proto_max:8;
  33         enum nf_nat_manip_type  type;
  34 };
  35
  36 static void nft_nat_eval(const struct nft_expr *expr,
  37                          struct nft_data data[NFT_REG_MAX + 1],
  38                          const struct nft_pktinfo *pkt)
  39 {
  40         const struct nft_nat *priv = nft_expr_priv(expr);
  41         enum ip_conntrack_info ctinfo;
  42         struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
  43         struct nf_nat_range range;
  44
  45         memset(&range, 0, sizeof(range));
  46         if (priv->sreg_addr_min) {
  47                 range.min_addr.ip = data[priv->sreg_addr_min].data[0];
  48                 range.max_addr.ip = data[priv->sreg_addr_max].data[0];
  49                 range.flags |= NF_NAT_RANGE_MAP_IPS;
  50         }
  51
  52         if (priv->sreg_proto_min) {
  53                 range.min_proto.all = data[priv->sreg_proto_min].data[0];
  54                 range.max_proto.all = data[priv->sreg_proto_max].data[0];
  55                 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
  56         }
  57
  58         data[NFT_REG_VERDICT].verdict =
  59                 nf_nat_setup_info(ct, &range, priv->type);
  60 }
  61
  62 static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
  63         [NFTA_NAT_ADDR_MIN]     = { .type = NLA_U32 },
  64         [NFTA_NAT_ADDR_MAX]     = { .type = NLA_U32 },
  65         [NFTA_NAT_PROTO_MIN]    = { .type = NLA_U32 },
  66         [NFTA_NAT_PROTO_MAX]    = { .type = NLA_U32 },
  67         [NFTA_NAT_TYPE]         = { .type = NLA_U32 },
  68 };
  69
  70 static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
  71                         const struct nlattr * const tb[])
  72 {
  73         struct nft_nat *priv = nft_expr_priv(expr);
  74         int err;
  75
  76         if (tb[NFTA_NAT_TYPE] == NULL)
  77                 return -EINVAL;
  78
  79         switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
  80         case NFT_NAT_SNAT:
  81                 priv->type = NF_NAT_MANIP_SRC;
  82                 break;
  83         case NFT_NAT_DNAT:
  84                 priv->type = NF_NAT_MANIP_DST;
  85                 break;
  86         default:
  87                 return -EINVAL;
  88         }
  89
  90         if (tb[NFTA_NAT_ADDR_MIN]) {
  91                 priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
  92                 err = nft_validate_input_register(priv->sreg_addr_min);
  93                 if (err < 0)
  94                         return err;
  95         }
  96
  97         if (tb[NFTA_NAT_ADDR_MAX]) {
  98                 priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
  99                 err = nft_validate_input_register(priv->sreg_addr_max);
 100                 if (err < 0)
 101                         return err;
 102         } else
 103                 priv->sreg_addr_max = priv->sreg_addr_min;
 104
 105         if (tb[NFTA_NAT_PROTO_MIN]) {
 106                 priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
 107                 err = nft_validate_input_register(priv->sreg_proto_min);
 108                 if (err < 0)
 109                         return err;
 110         }
 111
 112         if (tb[NFTA_NAT_PROTO_MAX]) {
 113                 priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
 114                 err = nft_validate_input_register(priv->sreg_proto_max);
 115                 if (err < 0)
 116                         return err;
 117         } else
 118                 priv->sreg_proto_max = priv->sreg_proto_min;
 119
 120         return 0;
 121 }
 122
 123 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
 124 {
 125         const struct nft_nat *priv = nft_expr_priv(expr);
 126
 127         switch (priv->type) {
 128         case NF_NAT_MANIP_SRC:
 129                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
 130                         goto nla_put_failure;
 131                 break;
 132         case NF_NAT_MANIP_DST:
 133                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
 134                         goto nla_put_failure;
 135                 break;
 136         }
 137
 138         if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
 139                 goto nla_put_failure;
 140         if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
 141                 goto nla_put_failure;
 142         if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
 143                 goto nla_put_failure;
 144         if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
 145                 goto nla_put_failure;
 146         return 0;
 147
 148 nla_put_failure:
 149         return -1;
 150 }
 151
 152 static struct nft_expr_ops nft_nat_ops __read_mostly = {
 153         .name           = "nat",
 154         .size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
 155         .owner          = THIS_MODULE,
 156         .eval           = nft_nat_eval,
 157         .init           = nft_nat_init,
 158         .dump           = nft_nat_dump,
 159         .policy         = nft_nat_policy,
 160         .maxattr        = NFTA_NAT_MAX,
 161 };
 162
 163 /*
 164  * NAT table
 165  */
 166
 167 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
 168                               struct sk_buff *skb,
 169                               const struct net_device *in,
 170                               const struct net_device *out,
 171                               int (*okfn)(struct sk_buff *))
 172 {
 173         enum ip_conntrack_info ctinfo;
 174         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 175         struct nf_conn_nat *nat;
 176         enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
 177         unsigned int ret;
 178
 179         if (ct == NULL || nf_ct_is_untracked(ct))
 180                 return NF_ACCEPT;
 181
 182         NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
 183
 184         nat = nfct_nat(ct);
 185         if (nat == NULL) {
 186                 /* Conntrack module was loaded late, can't add extension. */
 187                 if (nf_ct_is_confirmed(ct))
 188                         return NF_ACCEPT;
 189                 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
 190                 if (nat == NULL)
 191                         return NF_ACCEPT;
 192         }
 193
 194         switch (ctinfo) {
 195         case IP_CT_RELATED:
 196         case IP_CT_RELATED + IP_CT_IS_REPLY:
 197                 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
 198                         if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
 199                                                            ops->hooknum))
 200                                 return NF_DROP;
 201                         else
 202                                 return NF_ACCEPT;
 203                 }
 204                 /* Fall through */
 205         case IP_CT_NEW:
 206                 if (nf_nat_initialized(ct, maniptype))
 207                         break;
 208
 209                 ret = nft_do_chain(ops, skb, in, out, okfn);
 210                 if (ret != NF_ACCEPT)
 211                         return ret;
 212                 if (!nf_nat_initialized(ct, maniptype)) {
 213                         ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
 214                         if (ret != NF_ACCEPT)
 215                                 return ret;
 216                 }
 217         default:
 218                 break;
 219         }
 220
 221         return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
 222 }
 223
 224 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
 225                                       struct sk_buff *skb,
 226                                       const struct net_device *in,
 227                                       const struct net_device *out,
 228                                       int (*okfn)(struct sk_buff *))
 229 {
 230         __be32 daddr = ip_hdr(skb)->daddr;
 231         unsigned int ret;
 232
 233         ret = nf_nat_fn(ops, skb, in, out, okfn);
 234         if (ret != NF_DROP && ret != NF_STOLEN &&
 235             ip_hdr(skb)->daddr != daddr) {
 236                 skb_dst_drop(skb);
 237         }
 238         return ret;
 239 }
 240
 241 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
 242                                        struct sk_buff *skb,
 243                                        const struct net_device *in,
 244                                        const struct net_device *out,
 245                                        int (*okfn)(struct sk_buff *))
 246 {
 247         enum ip_conntrack_info ctinfo __maybe_unused;
 248         const struct nf_conn *ct __maybe_unused;
 249         unsigned int ret;
 250
 251         ret = nf_nat_fn(ops, skb, in, out, okfn);
 252 #ifdef CONFIG_XFRM
 253         if (ret != NF_DROP && ret != NF_STOLEN &&
 254             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 255                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 256
 257                 if (ct->tuplehash[dir].tuple.src.u3.ip !=
 258                     ct->tuplehash[!dir].tuple.dst.u3.ip ||
 259                     ct->tuplehash[dir].tuple.src.u.all !=
 260                     ct->tuplehash[!dir].tuple.dst.u.all)
 261                         return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
 262                                                                 ret : NF_DROP;
 263         }
 264 #endif
 265         return ret;
 266 }
 267
 268 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
 269                                   struct sk_buff *skb,
 270                                   const struct net_device *in,
 271                                   const struct net_device *out,
 272                                   int (*okfn)(struct sk_buff *))
 273 {
 274         enum ip_conntrack_info ctinfo;
 275         const struct nf_conn *ct;
 276         unsigned int ret;
 277
 278         ret = nf_nat_fn(ops, skb, in, out, okfn);
 279         if (ret != NF_DROP && ret != NF_STOLEN &&
 280             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 281                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 282
 283                 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
 284                     ct->tuplehash[!dir].tuple.src.u3.ip) {
 285                         if (ip_route_me_harder(skb, RTN_UNSPEC))
 286                                 ret = NF_DROP;
 287                 }
 288 #ifdef CONFIG_XFRM
 289                 else if (ct->tuplehash[dir].tuple.dst.u.all !=
 290                          ct->tuplehash[!dir].tuple.src.u.all)
 291                         if (nf_xfrm_me_harder(skb, AF_INET))
 292                                 ret = NF_DROP;
 293 #endif
 294         }
 295         return ret;
 296 }
 297
 298 static struct nft_base_chain nf_chain_nat_prerouting __read_mostly = {
 299         .chain  = {
 300                 .name           = "PREROUTING",
 301                 .rules          = LIST_HEAD_INIT(nf_chain_nat_prerouting.chain.rules),
 302                 .flags          = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
 303         },
 304         .ops    = {
 305                 .hook           = nf_nat_prerouting,
 306                 .owner          = THIS_MODULE,
 307                 .pf             = NFPROTO_IPV4,
 308                 .hooknum        = NF_INET_PRE_ROUTING,
 309                 .priority       = NF_IP_PRI_NAT_DST,
 310                 .priv           = &nf_chain_nat_prerouting.chain,
 311         },
 312 };
 313
 314 static struct nft_base_chain nf_chain_nat_postrouting __read_mostly = {
 315         .chain  = {
 316                 .name           = "POSTROUTING",
 317                 .rules          = LIST_HEAD_INIT(nf_chain_nat_postrouting.chain.rules),
 318                 .flags          = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
 319         },
 320         .ops    = {
 321                 .hook           = nf_nat_postrouting,
 322                 .owner          = THIS_MODULE,
 323                 .pf             = NFPROTO_IPV4,
 324                 .hooknum        = NF_INET_POST_ROUTING,
 325                 .priority       = NF_IP_PRI_NAT_SRC,
 326                 .priv           = &nf_chain_nat_postrouting.chain,
 327         },
 328 };
 329
 330 static struct nft_base_chain nf_chain_nat_output __read_mostly = {
 331         .chain  = {
 332                 .name           = "OUTPUT",
 333                 .rules          = LIST_HEAD_INIT(nf_chain_nat_output.chain.rules),
 334                 .flags          = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
 335         },
 336         .ops    = {
 337                 .hook           = nf_nat_output,
 338                 .owner          = THIS_MODULE,
 339                 .pf             = NFPROTO_IPV4,
 340                 .hooknum        = NF_INET_LOCAL_OUT,
 341                 .priority       = NF_IP_PRI_NAT_DST,
 342                 .priv           = &nf_chain_nat_output.chain,
 343         },
 344 };
 345
 346 static struct nft_base_chain nf_chain_nat_input __read_mostly = {
 347         .chain  = {
 348                 .name           = "INPUT",
 349                 .rules          = LIST_HEAD_INIT(nf_chain_nat_input.chain.rules),
 350                 .flags          = NFT_BASE_CHAIN | NFT_CHAIN_BUILTIN,
 351         },
 352         .ops    = {
 353                 .hook           = nf_nat_fn,
 354                 .owner          = THIS_MODULE,
 355                 .pf             = NFPROTO_IPV4,
 356                 .hooknum        = NF_INET_LOCAL_IN,
 357                 .priority       = NF_IP_PRI_NAT_SRC,
 358                 .priv           = &nf_chain_nat_input.chain,
 359         },
 360 };
 361
 362
 363 static struct nft_table nf_table_nat_ipv4 __read_mostly = {
 364         .name   = "nat",
 365         .chains = LIST_HEAD_INIT(nf_table_nat_ipv4.chains),
 366 };
 367
 368 static int __init nf_table_nat_init(void)
 369 {
 370         int err;
 371
 372         list_add_tail(&nf_chain_nat_prerouting.chain.list,
 373                       &nf_table_nat_ipv4.chains);
 374         list_add_tail(&nf_chain_nat_postrouting.chain.list,
 375                       &nf_table_nat_ipv4.chains);
 376         list_add_tail(&nf_chain_nat_output.chain.list,
 377                       &nf_table_nat_ipv4.chains);
 378         list_add_tail(&nf_chain_nat_input.chain.list,
 379                       &nf_table_nat_ipv4.chains);
 380
 381         err = nft_register_table(&nf_table_nat_ipv4, NFPROTO_IPV4);
 382         if (err < 0)
 383                 goto err1;
 384
 385         err = nft_register_expr(&nft_nat_ops);
 386         if (err < 0)
 387                 goto err2;
 388
 389         return 0;
 390
 391 err2:
 392         nft_unregister_table(&nf_table_nat_ipv4, NFPROTO_IPV4);
 393 err1:
 394         return err;
 395 }
 396
 397 static void __exit nf_table_nat_exit(void)
 398 {
 399         nft_unregister_expr(&nft_nat_ops);
 400         nft_unregister_table(&nf_table_nat_ipv4, AF_INET);
 401 }
 402
 403 module_init(nf_table_nat_init);
 404 module_exit(nf_table_nat_exit);
 405
 406 MODULE_LICENSE("GPL");
 407 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 408 MODULE_ALIAS_NFT_TABLE(AF_INET, "nat");
 409 MODULE_ALIAS_NFT_EXPR("nat");