[deliverable/linux.git] / net / ipv4 / netfilter / nft_chain_nat_ipv4.c

/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/module.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_ipv4.h>
#include <net/netfilter/nf_nat_l3proto.h>
#include <net/ip.h>

struct nft_nat {
	enum nft_registers	sreg_addr_min:8;
	enum nft_registers	sreg_addr_max:8;
	enum nft_registers	sreg_proto_min:8;
	enum nft_registers	sreg_proto_max:8;
	enum nf_nat_manip_type	type;
};

static void nft_nat_eval(const struct nft_expr *expr,
			 struct nft_data data[NFT_REG_MAX + 1],
			 const struct nft_pktinfo *pkt)
{
	const struct nft_nat *priv = nft_expr_priv(expr);
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
	struct nf_nat_range range;

	memset(&range, 0, sizeof(range));
	if (priv->sreg_addr_min) {
		range.min_addr.ip = data[priv->sreg_addr_min].data[0];
		range.max_addr.ip = data[priv->sreg_addr_max].data[0];
		range.flags |= NF_NAT_RANGE_MAP_IPS;
	}

	if (priv->sreg_proto_min) {
		range.min_proto.all = data[priv->sreg_proto_min].data[0];
		range.max_proto.all = data[priv->sreg_proto_max].data[0];
		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
	}

	data[NFT_REG_VERDICT].verdict =
		nf_nat_setup_info(ct, &range, priv->type);
}

static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
	[NFTA_NAT_ADDR_MIN]	= { .type = NLA_U32 },
	[NFTA_NAT_ADDR_MAX]	= { .type = NLA_U32 },
	[NFTA_NAT_PROTO_MIN]	= { .type = NLA_U32 },
	[NFTA_NAT_PROTO_MAX]	= { .type = NLA_U32 },
	[NFTA_NAT_TYPE]		= { .type = NLA_U32 },
};

static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
			const struct nlattr * const tb[])
{
	struct nft_nat *priv = nft_expr_priv(expr);
	int err;

	if (tb[NFTA_NAT_TYPE] == NULL)
		return -EINVAL;

	switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
	case NFT_NAT_SNAT:
		priv->type = NF_NAT_MANIP_SRC;
		break;
	case NFT_NAT_DNAT:
		priv->type = NF_NAT_MANIP_DST;
		break;
	default:
		return -EINVAL;
	}

	if (tb[NFTA_NAT_ADDR_MIN]) {
		priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
		err = nft_validate_input_register(priv->sreg_addr_min);
		if (err < 0)
			return err;
	}

	if (tb[NFTA_NAT_ADDR_MAX]) {
		priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
		err = nft_validate_input_register(priv->sreg_addr_max);
		if (err < 0)
			return err;
	} else
		priv->sreg_addr_max = priv->sreg_addr_min;

	if (tb[NFTA_NAT_PROTO_MIN]) {
		priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
		err = nft_validate_input_register(priv->sreg_proto_min);
		if (err < 0)
			return err;
	}

	if (tb[NFTA_NAT_PROTO_MAX]) {
		priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
		err = nft_validate_input_register(priv->sreg_proto_max);
		if (err < 0)
			return err;
	} else
		priv->sreg_proto_max = priv->sreg_proto_min;

	return 0;
}

static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_nat *priv = nft_expr_priv(expr);

	switch (priv->type) {
	case NF_NAT_MANIP_SRC:
		if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
			goto nla_put_failure;
		break;
	case NF_NAT_MANIP_DST:
		if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
			goto nla_put_failure;
		break;
	}

	if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

static struct nft_expr_type nft_nat_type;
static const struct nft_expr_ops nft_nat_ops = {
	.type		= &nft_nat_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_nat)),
	.eval		= nft_nat_eval,
	.init		= nft_nat_init,
	.dump		= nft_nat_dump,
};

static struct nft_expr_type nft_nat_type __read_mostly = {
	.name		= "nat",
	.ops		= &nft_nat_ops,
	.policy		= nft_nat_policy,
	.maxattr	= NFTA_NAT_MAX,
	.owner		= THIS_MODULE,
};

/*
 * NAT chains
 */

static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
			      struct sk_buff *skb,
			      const struct net_device *in,
			      const struct net_device *out,
			      int (*okfn)(struct sk_buff *))
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	struct nf_conn_nat *nat;
	enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
	struct nft_pktinfo pkt;
	unsigned int ret;

	if (ct == NULL || nf_ct_is_untracked(ct))
		return NF_ACCEPT;

	NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));

	nat = nfct_nat(ct);
	if (nat == NULL) {
		/* Conntrack module was loaded late, can't add extension. */
		if (nf_ct_is_confirmed(ct))
			return NF_ACCEPT;
		nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
		if (nat == NULL)
			return NF_ACCEPT;
	}

	switch (ctinfo) {
	case IP_CT_RELATED:
	case IP_CT_RELATED + IP_CT_IS_REPLY:
		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
							   ops->hooknum))
				return NF_DROP;
			else
				return NF_ACCEPT;
		}
		/* Fall through */
	case IP_CT_NEW:
		if (nf_nat_initialized(ct, maniptype))
			break;

		nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);

		ret = nft_do_chain_pktinfo(&pkt, ops);
		if (ret != NF_ACCEPT)
			return ret;
		if (!nf_nat_initialized(ct, maniptype)) {
			ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
			if (ret != NF_ACCEPT)
				return ret;
		}
	default:
		break;
	}

	return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
}

static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
				      struct sk_buff *skb,
				      const struct net_device *in,
				      const struct net_device *out,
				      int (*okfn)(struct sk_buff *))
{
	__be32 daddr = ip_hdr(skb)->daddr;
	unsigned int ret;

	ret = nf_nat_fn(ops, skb, in, out, okfn);
	if (ret != NF_DROP && ret != NF_STOLEN &&
	    ip_hdr(skb)->daddr != daddr) {
		skb_dst_drop(skb);
	}
	return ret;
}

static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
				       struct sk_buff *skb,
				       const struct net_device *in,
				       const struct net_device *out,
				       int (*okfn)(struct sk_buff *))
{
	enum ip_conntrack_info ctinfo __maybe_unused;
	const struct nf_conn *ct __maybe_unused;
	unsigned int ret;

	ret = nf_nat_fn(ops, skb, in, out, okfn);
#ifdef CONFIG_XFRM
	if (ret != NF_DROP && ret != NF_STOLEN &&
	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

		if (ct->tuplehash[dir].tuple.src.u3.ip !=
		    ct->tuplehash[!dir].tuple.dst.u3.ip ||
		    ct->tuplehash[dir].tuple.src.u.all !=
		    ct->tuplehash[!dir].tuple.dst.u.all)
			return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
								ret : NF_DROP;
	}
#endif
	return ret;
}

static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
				  struct sk_buff *skb,
				  const struct net_device *in,
				  const struct net_device *out,
				  int (*okfn)(struct sk_buff *))
{
	enum ip_conntrack_info ctinfo;
	const struct nf_conn *ct;
	unsigned int ret;

	ret = nf_nat_fn(ops, skb, in, out, okfn);
	if (ret != NF_DROP && ret != NF_STOLEN &&
	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

		if (ct->tuplehash[dir].tuple.dst.u3.ip !=
		    ct->tuplehash[!dir].tuple.src.u3.ip) {
			if (ip_route_me_harder(skb, RTN_UNSPEC))
				ret = NF_DROP;
		}
#ifdef CONFIG_XFRM
		else if (ct->tuplehash[dir].tuple.dst.u.all !=
			 ct->tuplehash[!dir].tuple.src.u.all)
			if (nf_xfrm_me_harder(skb, AF_INET))
				ret = NF_DROP;
#endif
	}
	return ret;
}

struct nf_chain_type nft_chain_nat_ipv4 = {
	.family		= NFPROTO_IPV4,
	.name		= "nat",
	.type		= NFT_CHAIN_T_NAT,
	.hook_mask	= (1 << NF_INET_PRE_ROUTING) |
			  (1 << NF_INET_POST_ROUTING) |
			  (1 << NF_INET_LOCAL_OUT) |
			  (1 << NF_INET_LOCAL_IN),
	.fn		= {
		[NF_INET_PRE_ROUTING]	= nf_nat_prerouting,
		[NF_INET_POST_ROUTING]	= nf_nat_postrouting,
		[NF_INET_LOCAL_OUT]	= nf_nat_output,
		[NF_INET_LOCAL_IN]	= nf_nat_fn,
	},
	.me		= THIS_MODULE,
};

static int __init nft_chain_nat_init(void)
{
	int err;

	err = nft_register_chain_type(&nft_chain_nat_ipv4);
	if (err < 0)
		return err;

	err = nft_register_expr(&nft_nat_type);
	if (err < 0)
		goto err;

	return 0;

err:
	nft_unregister_chain_type(&nft_chain_nat_ipv4);
	return err;
}

static void __exit nft_chain_nat_exit(void)
{
	nft_unregister_expr(&nft_nat_type);
	nft_unregister_chain_type(&nft_chain_nat_ipv4);
}

module_init(nft_chain_nat_init);
module_exit(nft_chain_nat_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
MODULE_ALIAS_NFT_EXPR("nat");
Commit	Line	Data
96518518	1	/*
ef1f7df9	2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
9370761c	3	* Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
96518518 PM	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
	10	*/
	11
	12	#include <linux/module.h>
	13	#include <linux/init.h>
	14	#include <linux/list.h>
	15	#include <linux/skbuff.h>
	16	#include <linux/ip.h>
	17	#include <linux/netlink.h>
	18	#include <linux/netfilter.h>
	19	#include <linux/netfilter_ipv4.h>
	20	#include <linux/netfilter/nfnetlink.h>
	21	#include <linux/netfilter/nf_tables.h>
	22	#include <net/netfilter/nf_conntrack.h>
	23	#include <net/netfilter/nf_nat.h>
	24	#include <net/netfilter/nf_nat_core.h>
	25	#include <net/netfilter/nf_tables.h>
0ca743a5	26	#include <net/netfilter/nf_tables_ipv4.h>
96518518 PM	27	#include <net/netfilter/nf_nat_l3proto.h>
	28	#include <net/ip.h>
	29
	30	struct nft_nat {
	31	enum nft_registers sreg_addr_min:8;
	32	enum nft_registers sreg_addr_max:8;
	33	enum nft_registers sreg_proto_min:8;
	34	enum nft_registers sreg_proto_max:8;
	35	enum nf_nat_manip_type type;
	36	};
	37
	38	static void nft_nat_eval(const struct nft_expr *expr,
	39	struct nft_data data[NFT_REG_MAX + 1],
	40	const struct nft_pktinfo *pkt)
	41	{
	42	const struct nft_nat *priv = nft_expr_priv(expr);
	43	enum ip_conntrack_info ctinfo;
	44	struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
	45	struct nf_nat_range range;
	46
	47	memset(&range, 0, sizeof(range));
	48	if (priv->sreg_addr_min) {
	49	range.min_addr.ip = data[priv->sreg_addr_min].data[0];
	50	range.max_addr.ip = data[priv->sreg_addr_max].data[0];
	51	range.flags \|= NF_NAT_RANGE_MAP_IPS;
	52	}
	53
	54	if (priv->sreg_proto_min) {
	55	range.min_proto.all = data[priv->sreg_proto_min].data[0];
	56	range.max_proto.all = data[priv->sreg_proto_max].data[0];
	57	range.flags \|= NF_NAT_RANGE_PROTO_SPECIFIED;
	58	}
	59
	60	data[NFT_REG_VERDICT].verdict =
	61	nf_nat_setup_info(ct, &range, priv->type);
	62	}
	63
	64	static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
	65	[NFTA_NAT_ADDR_MIN] = { .type = NLA_U32 },
	66	[NFTA_NAT_ADDR_MAX] = { .type = NLA_U32 },
	67	[NFTA_NAT_PROTO_MIN] = { .type = NLA_U32 },
	68	[NFTA_NAT_PROTO_MAX] = { .type = NLA_U32 },
	69	[NFTA_NAT_TYPE] = { .type = NLA_U32 },
	70	};
	71
	72	static int nft_nat_init(const struct nft_ctx ctx, const struct nft_expr expr,
	73	const struct nlattr * const tb[])
	74	{
	75	struct nft_nat *priv = nft_expr_priv(expr);
	76	int err;
	77
	78	if (tb[NFTA_NAT_TYPE] == NULL)
	79	return -EINVAL;
	80
	81	switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
	82	case NFT_NAT_SNAT:
	83	priv->type = NF_NAT_MANIP_SRC;
	84	break;
	85	case NFT_NAT_DNAT:
	86	priv->type = NF_NAT_MANIP_DST;
	87	break;
	88	default:
	89	return -EINVAL;
	90	}
91
92	if (tb[NFTA_NAT_ADDR_MIN]) {
93	priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
94	err = nft_validate_input_register(priv->sreg_addr_min);
95	if (err < 0)
96	return err;
97	}
98
99	if (tb[NFTA_NAT_ADDR_MAX]) {
100	priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
101	err = nft_validate_input_register(priv->sreg_addr_max);
102	if (err < 0)
103	return err;
104	} else
105	priv->sreg_addr_max = priv->sreg_addr_min;
106
107	if (tb[NFTA_NAT_PROTO_MIN]) {
108	priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
109	err = nft_validate_input_register(priv->sreg_proto_min);
110	if (err < 0)
111	return err;
112	}
113
114	if (tb[NFTA_NAT_PROTO_MAX]) {
115	priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
116	err = nft_validate_input_register(priv->sreg_proto_max);
117	if (err < 0)
118	return err;
119	} else
120	priv->sreg_proto_max = priv->sreg_proto_min;
121
122	return 0;
123	}
124
125	static int nft_nat_dump(struct sk_buff skb, const struct nft_expr expr)
126	{
127	const struct nft_nat *priv = nft_expr_priv(expr);
128
129	switch (priv->type) {
130	case NF_NAT_MANIP_SRC:
131	if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
132	goto nla_put_failure;
133	break;
134	case NF_NAT_MANIP_DST:
135	if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
136	goto nla_put_failure;
137	break;
138	}
139
140	if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
141	goto nla_put_failure;
142	if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
143	goto nla_put_failure;
144	if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
145	goto nla_put_failure;
146	if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
147	goto nla_put_failure;
148	return 0;
149
150	nla_put_failure:
151	return -1;
152	}
153
ef1f7df9 PM	154	static struct nft_expr_type nft_nat_type;
	155	static const struct nft_expr_ops nft_nat_ops = {
	156	.type = &nft_nat_type,
96518518	157	.size = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
96518518 PM	158	.eval = nft_nat_eval,
	159	.init = nft_nat_init,
	160	.dump = nft_nat_dump,
ef1f7df9 PM	161	};
	162
	163	static struct nft_expr_type nft_nat_type __read_mostly = {
	164	.name = "nat",
	165	.ops = &nft_nat_ops,
96518518 PM	166	.policy = nft_nat_policy,
96518518 PM	167	.maxattr = NFTA_NAT_MAX,
ef1f7df9	168	.owner = THIS_MODULE,
96518518 PM	169	};
	170
	171	/*
9370761c	172	* NAT chains
96518518 PM	173	*/
	174
	175	static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
	176	struct sk_buff *skb,
	177	const struct net_device *in,
	178	const struct net_device *out,
	179	int (okfn)(struct sk_buff ))
	180	{
	181	enum ip_conntrack_info ctinfo;
	182	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	183	struct nf_conn_nat *nat;
	184	enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
0ca743a5	185	struct nft_pktinfo pkt;
96518518 PM	186	unsigned int ret;
	187
	188	if (ct == NULL \|\| nf_ct_is_untracked(ct))
	189	return NF_ACCEPT;
	190
	191	NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF \| IP_OFFSET)));
	192
	193	nat = nfct_nat(ct);
	194	if (nat == NULL) {
	195	/* Conntrack module was loaded late, can't add extension. */
	196	if (nf_ct_is_confirmed(ct))
	197	return NF_ACCEPT;
	198	nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
	199	if (nat == NULL)
	200	return NF_ACCEPT;
	201	}
	202
	203	switch (ctinfo) {
	204	case IP_CT_RELATED:
	205	case IP_CT_RELATED + IP_CT_IS_REPLY:
	206	if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
	207	if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
	208	ops->hooknum))
	209	return NF_DROP;
	210	else
	211	return NF_ACCEPT;
	212	}
	213	/* Fall through */
	214	case IP_CT_NEW:
	215	if (nf_nat_initialized(ct, maniptype))
	216	break;
	217
0ca743a5 PNA	218	nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
	219
	220	ret = nft_do_chain_pktinfo(&pkt, ops);
96518518 PM	221	if (ret != NF_ACCEPT)
	222	return ret;
	223	if (!nf_nat_initialized(ct, maniptype)) {
	224	ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
	225	if (ret != NF_ACCEPT)
	226	return ret;
	227	}
	228	default:
	229	break;
	230	}
	231
	232	return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
	233	}
	234
	235	static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
	236	struct sk_buff *skb,
	237	const struct net_device *in,
	238	const struct net_device *out,
	239	int (okfn)(struct sk_buff ))
	240	{
	241	__be32 daddr = ip_hdr(skb)->daddr;
	242	unsigned int ret;
	243
	244	ret = nf_nat_fn(ops, skb, in, out, okfn);
	245	if (ret != NF_DROP && ret != NF_STOLEN &&
	246	ip_hdr(skb)->daddr != daddr) {
	247	skb_dst_drop(skb);
	248	}
	249	return ret;
	250	}
	251
	252	static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
	253	struct sk_buff *skb,
	254	const struct net_device *in,
	255	const struct net_device *out,
	256	int (okfn)(struct sk_buff ))
	257	{
	258	enum ip_conntrack_info ctinfo __maybe_unused;
	259	const struct nf_conn *ct __maybe_unused;
	260	unsigned int ret;
	261
	262	ret = nf_nat_fn(ops, skb, in, out, okfn);
	263	#ifdef CONFIG_XFRM
	264	if (ret != NF_DROP && ret != NF_STOLEN &&
	265	(ct = nf_ct_get(skb, &ctinfo)) != NULL) {
	266	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	267
	268	if (ct->tuplehash[dir].tuple.src.u3.ip !=
	269	ct->tuplehash[!dir].tuple.dst.u3.ip \|\|
	270	ct->tuplehash[dir].tuple.src.u.all !=
	271	ct->tuplehash[!dir].tuple.dst.u.all)
	272	return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
	273	ret : NF_DROP;
	274	}
	275	#endif
	276	return ret;
	277	}
	278
	279	static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
	280	struct sk_buff *skb,
	281	const struct net_device *in,
	282	const struct net_device *out,
	283	int (okfn)(struct sk_buff ))
	284	{
285	enum ip_conntrack_info ctinfo;
286	const struct nf_conn *ct;
287	unsigned int ret;
288
289	ret = nf_nat_fn(ops, skb, in, out, okfn);
290	if (ret != NF_DROP && ret != NF_STOLEN &&
291	(ct = nf_ct_get(skb, &ctinfo)) != NULL) {
292	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
293
294	if (ct->tuplehash[dir].tuple.dst.u3.ip !=
295	ct->tuplehash[!dir].tuple.src.u3.ip) {
296	if (ip_route_me_harder(skb, RTN_UNSPEC))
297	ret = NF_DROP;
298	}
299	#ifdef CONFIG_XFRM
300	else if (ct->tuplehash[dir].tuple.dst.u.all !=
301	ct->tuplehash[!dir].tuple.src.u.all)
302	if (nf_xfrm_me_harder(skb, AF_INET))
303	ret = NF_DROP;
304	#endif
305	}
306	return ret;
307	}
308
9370761c PNA	309	struct nf_chain_type nft_chain_nat_ipv4 = {
	310	.family = NFPROTO_IPV4,
	311	.name = "nat",
	312	.type = NFT_CHAIN_T_NAT,
	313	.hook_mask = (1 << NF_INET_PRE_ROUTING) \|
	314	(1 << NF_INET_POST_ROUTING) \|
	315	(1 << NF_INET_LOCAL_OUT) \|
	316	(1 << NF_INET_LOCAL_IN),
	317	.fn = {
	318	[NF_INET_PRE_ROUTING] = nf_nat_prerouting,
	319	[NF_INET_POST_ROUTING] = nf_nat_postrouting,
	320	[NF_INET_LOCAL_OUT] = nf_nat_output,
	321	[NF_INET_LOCAL_IN] = nf_nat_fn,
96518518	322	},
9370761c	323	.me = THIS_MODULE,
96518518 PM	324	};
96518518 PM	325
9370761c	326	static int __init nft_chain_nat_init(void)
96518518 PM	327	{
	328	int err;
	329
9370761c	330	err = nft_register_chain_type(&nft_chain_nat_ipv4);
96518518	331	if (err < 0)
9370761c	332	return err;
96518518	333
ef1f7df9	334	err = nft_register_expr(&nft_nat_type);
96518518	335	if (err < 0)
9370761c	336	goto err;
96518518 PM	337
	338	return 0;
	339
9370761c PNA	340	err:
9370761c PNA	341	nft_unregister_chain_type(&nft_chain_nat_ipv4);
96518518 PM	342	return err;
	343	}
	344
9370761c	345	static void __exit nft_chain_nat_exit(void)
96518518	346	{
ef1f7df9	347	nft_unregister_expr(&nft_nat_type);
9370761c	348	nft_unregister_chain_type(&nft_chain_nat_ipv4);
96518518 PM	349	}
96518518 PM	350
9370761c PNA	351	module_init(nft_chain_nat_init);
9370761c PNA	352	module_exit(nft_chain_nat_exit);
96518518 PM	353
	354	MODULE_LICENSE("GPL");
	355	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9370761c	356	MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
96518518	357	MODULE_ALIAS_NFT_EXPR("nat");