net/ipv4/netfilter/nft_chain_nat_ipv4.c

   1 /*
   2  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
   3  * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
   4  * Copyright (c) 2012 Intel Corporation
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation.
   9  *
  10  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  11  */
  12
  13 #include <linux/module.h>
  14 #include <linux/init.h>
  15 #include <linux/list.h>
  16 #include <linux/skbuff.h>
  17 #include <linux/ip.h>
  18 #include <linux/netfilter.h>
  19 #include <linux/netfilter_ipv4.h>
  20 #include <linux/netfilter/nf_tables.h>
  21 #include <net/netfilter/nf_conntrack.h>
  22 #include <net/netfilter/nf_nat.h>
  23 #include <net/netfilter/nf_nat_core.h>
  24 #include <net/netfilter/nf_tables.h>
  25 #include <net/netfilter/nf_tables_ipv4.h>
  26 #include <net/netfilter/nf_nat_l3proto.h>
  27 #include <net/ip.h>
  28
  29 /*
  30  * NAT chains
  31  */
  32
  33 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
  34                               struct sk_buff *skb,
  35                               const struct net_device *in,
  36                               const struct net_device *out,
  37                               int (*okfn)(struct sk_buff *))
  38 {
  39         enum ip_conntrack_info ctinfo;
  40         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  41         struct nf_conn_nat *nat;
  42         enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
  43         struct nft_pktinfo pkt;
  44         unsigned int ret;
  45
  46         if (ct == NULL || nf_ct_is_untracked(ct))
  47                 return NF_ACCEPT;
  48
  49         NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
  50
  51         nat = nf_ct_nat_ext_add(ct);
  52         if (nat == NULL)
  53                 return NF_ACCEPT;
  54
  55         switch (ctinfo) {
  56         case IP_CT_RELATED:
  57         case IP_CT_RELATED + IP_CT_IS_REPLY:
  58                 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
  59                         if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
  60                                                            ops->hooknum))
  61                                 return NF_DROP;
  62                         else
  63                                 return NF_ACCEPT;
  64                 }
  65                 /* Fall through */
  66         case IP_CT_NEW:
  67                 if (nf_nat_initialized(ct, maniptype))
  68                         break;
  69
  70                 nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
  71
  72                 ret = nft_do_chain(&pkt, ops);
  73                 if (ret != NF_ACCEPT)
  74                         return ret;
  75                 if (!nf_nat_initialized(ct, maniptype)) {
  76                         ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
  77                         if (ret != NF_ACCEPT)
  78                                 return ret;
  79                 }
  80         default:
  81                 break;
  82         }
  83
  84         return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
  85 }
  86
  87 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
  88                                       struct sk_buff *skb,
  89                                       const struct net_device *in,
  90                                       const struct net_device *out,
  91                                       int (*okfn)(struct sk_buff *))
  92 {
  93         __be32 daddr = ip_hdr(skb)->daddr;
  94         unsigned int ret;
  95
  96         ret = nf_nat_fn(ops, skb, in, out, okfn);
  97         if (ret != NF_DROP && ret != NF_STOLEN &&
  98             ip_hdr(skb)->daddr != daddr) {
  99                 skb_dst_drop(skb);
 100         }
 101         return ret;
 102 }
 103
 104 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
 105                                        struct sk_buff *skb,
 106                                        const struct net_device *in,
 107                                        const struct net_device *out,
 108                                        int (*okfn)(struct sk_buff *))
 109 {
 110         enum ip_conntrack_info ctinfo __maybe_unused;
 111         const struct nf_conn *ct __maybe_unused;
 112         unsigned int ret;
 113
 114         ret = nf_nat_fn(ops, skb, in, out, okfn);
 115 #ifdef CONFIG_XFRM
 116         if (ret != NF_DROP && ret != NF_STOLEN &&
 117             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 118                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 119
 120                 if (ct->tuplehash[dir].tuple.src.u3.ip !=
 121                     ct->tuplehash[!dir].tuple.dst.u3.ip ||
 122                     ct->tuplehash[dir].tuple.src.u.all !=
 123                     ct->tuplehash[!dir].tuple.dst.u.all)
 124                         return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
 125                                                                 ret : NF_DROP;
 126         }
 127 #endif
 128         return ret;
 129 }
 130
 131 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
 132                                   struct sk_buff *skb,
 133                                   const struct net_device *in,
 134                                   const struct net_device *out,
 135                                   int (*okfn)(struct sk_buff *))
 136 {
 137         enum ip_conntrack_info ctinfo;
 138         const struct nf_conn *ct;
 139         unsigned int ret;
 140
 141         ret = nf_nat_fn(ops, skb, in, out, okfn);
 142         if (ret != NF_DROP && ret != NF_STOLEN &&
 143             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 144                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 145
 146                 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
 147                     ct->tuplehash[!dir].tuple.src.u3.ip) {
 148                         if (ip_route_me_harder(skb, RTN_UNSPEC))
 149                                 ret = NF_DROP;
 150                 }
 151 #ifdef CONFIG_XFRM
 152                 else if (ct->tuplehash[dir].tuple.dst.u.all !=
 153                          ct->tuplehash[!dir].tuple.src.u.all)
 154                         if (nf_xfrm_me_harder(skb, AF_INET))
 155                                 ret = NF_DROP;
 156 #endif
 157         }
 158         return ret;
 159 }
 160
 161 static const struct nf_chain_type nft_chain_nat_ipv4 = {
 162         .name           = "nat",
 163         .type           = NFT_CHAIN_T_NAT,
 164         .family         = NFPROTO_IPV4,
 165         .owner          = THIS_MODULE,
 166         .hook_mask      = (1 << NF_INET_PRE_ROUTING) |
 167                           (1 << NF_INET_POST_ROUTING) |
 168                           (1 << NF_INET_LOCAL_OUT) |
 169                           (1 << NF_INET_LOCAL_IN),
 170         .hooks          = {
 171                 [NF_INET_PRE_ROUTING]   = nf_nat_prerouting,
 172                 [NF_INET_POST_ROUTING]  = nf_nat_postrouting,
 173                 [NF_INET_LOCAL_OUT]     = nf_nat_output,
 174                 [NF_INET_LOCAL_IN]      = nf_nat_fn,
 175         },
 176 };
 177
 178 static int __init nft_chain_nat_init(void)
 179 {
 180         int err;
 181
 182         err = nft_register_chain_type(&nft_chain_nat_ipv4);
 183         if (err < 0)
 184                 return err;
 185
 186         return 0;
 187 }
 188
 189 static void __exit nft_chain_nat_exit(void)
 190 {
 191         nft_unregister_chain_type(&nft_chain_nat_ipv4);
 192 }
 193
 194 module_init(nft_chain_nat_init);
 195 module_exit(nft_chain_nat_exit);
 196
 197 MODULE_LICENSE("GPL");
 198 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 199 MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");