net/ipv4/netfilter/nft_chain_nat_ipv4.c

   1 /*
   2  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
   3  * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  10  */
  11
  12 #include <linux/module.h>
  13 #include <linux/init.h>
  14 #include <linux/list.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/ip.h>
  17 #include <linux/netlink.h>
  18 #include <linux/netfilter.h>
  19 #include <linux/netfilter_ipv4.h>
  20 #include <linux/netfilter/nfnetlink.h>
  21 #include <linux/netfilter/nf_tables.h>
  22 #include <net/netfilter/nf_conntrack.h>
  23 #include <net/netfilter/nf_nat.h>
  24 #include <net/netfilter/nf_nat_core.h>
  25 #include <net/netfilter/nf_tables.h>
  26 #include <net/netfilter/nf_tables_ipv4.h>
  27 #include <net/netfilter/nf_nat_l3proto.h>
  28 #include <net/ip.h>
  29
  30 struct nft_nat {
  31         enum nft_registers      sreg_addr_min:8;
  32         enum nft_registers      sreg_addr_max:8;
  33         enum nft_registers      sreg_proto_min:8;
  34         enum nft_registers      sreg_proto_max:8;
  35         enum nf_nat_manip_type  type;
  36 };
  37
  38 static void nft_nat_eval(const struct nft_expr *expr,
  39                          struct nft_data data[NFT_REG_MAX + 1],
  40                          const struct nft_pktinfo *pkt)
  41 {
  42         const struct nft_nat *priv = nft_expr_priv(expr);
  43         enum ip_conntrack_info ctinfo;
  44         struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
  45         struct nf_nat_range range;
  46
  47         memset(&range, 0, sizeof(range));
  48         if (priv->sreg_addr_min) {
  49                 range.min_addr.ip = data[priv->sreg_addr_min].data[0];
  50                 range.max_addr.ip = data[priv->sreg_addr_max].data[0];
  51                 range.flags |= NF_NAT_RANGE_MAP_IPS;
  52         }
  53
  54         if (priv->sreg_proto_min) {
  55                 range.min_proto.all = data[priv->sreg_proto_min].data[0];
  56                 range.max_proto.all = data[priv->sreg_proto_max].data[0];
  57                 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
  58         }
  59
  60         data[NFT_REG_VERDICT].verdict =
  61                 nf_nat_setup_info(ct, &range, priv->type);
  62 }
  63
  64 static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
  65         [NFTA_NAT_ADDR_MIN]     = { .type = NLA_U32 },
  66         [NFTA_NAT_ADDR_MAX]     = { .type = NLA_U32 },
  67         [NFTA_NAT_PROTO_MIN]    = { .type = NLA_U32 },
  68         [NFTA_NAT_PROTO_MAX]    = { .type = NLA_U32 },
  69         [NFTA_NAT_TYPE]         = { .type = NLA_U32 },
  70 };
  71
  72 static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
  73                         const struct nlattr * const tb[])
  74 {
  75         struct nft_nat *priv = nft_expr_priv(expr);
  76         int err;
  77
  78         if (tb[NFTA_NAT_TYPE] == NULL)
  79                 return -EINVAL;
  80
  81         switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
  82         case NFT_NAT_SNAT:
  83                 priv->type = NF_NAT_MANIP_SRC;
  84                 break;
  85         case NFT_NAT_DNAT:
  86                 priv->type = NF_NAT_MANIP_DST;
  87                 break;
  88         default:
  89                 return -EINVAL;
  90         }
  91
  92         if (tb[NFTA_NAT_ADDR_MIN]) {
  93                 priv->sreg_addr_min = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MIN]));
  94                 err = nft_validate_input_register(priv->sreg_addr_min);
  95                 if (err < 0)
  96                         return err;
  97         }
  98
  99         if (tb[NFTA_NAT_ADDR_MAX]) {
 100                 priv->sreg_addr_max = ntohl(nla_get_be32(tb[NFTA_NAT_ADDR_MAX]));
 101                 err = nft_validate_input_register(priv->sreg_addr_max);
 102                 if (err < 0)
 103                         return err;
 104         } else
 105                 priv->sreg_addr_max = priv->sreg_addr_min;
 106
 107         if (tb[NFTA_NAT_PROTO_MIN]) {
 108                 priv->sreg_proto_min = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MIN]));
 109                 err = nft_validate_input_register(priv->sreg_proto_min);
 110                 if (err < 0)
 111                         return err;
 112         }
 113
 114         if (tb[NFTA_NAT_PROTO_MAX]) {
 115                 priv->sreg_proto_max = ntohl(nla_get_be32(tb[NFTA_NAT_PROTO_MAX]));
 116                 err = nft_validate_input_register(priv->sreg_proto_max);
 117                 if (err < 0)
 118                         return err;
 119         } else
 120                 priv->sreg_proto_max = priv->sreg_proto_min;
 121
 122         return 0;
 123 }
 124
 125 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
 126 {
 127         const struct nft_nat *priv = nft_expr_priv(expr);
 128
 129         switch (priv->type) {
 130         case NF_NAT_MANIP_SRC:
 131                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
 132                         goto nla_put_failure;
 133                 break;
 134         case NF_NAT_MANIP_DST:
 135                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
 136                         goto nla_put_failure;
 137                 break;
 138         }
 139
 140         if (nla_put_be32(skb, NFTA_NAT_ADDR_MIN, htonl(priv->sreg_addr_min)))
 141                 goto nla_put_failure;
 142         if (nla_put_be32(skb, NFTA_NAT_ADDR_MAX, htonl(priv->sreg_addr_max)))
 143                 goto nla_put_failure;
 144         if (nla_put_be32(skb, NFTA_NAT_PROTO_MIN, htonl(priv->sreg_proto_min)))
 145                 goto nla_put_failure;
 146         if (nla_put_be32(skb, NFTA_NAT_PROTO_MAX, htonl(priv->sreg_proto_max)))
 147                 goto nla_put_failure;
 148         return 0;
 149
 150 nla_put_failure:
 151         return -1;
 152 }
 153
 154 static struct nft_expr_type nft_nat_type;
 155 static const struct nft_expr_ops nft_nat_ops = {
 156         .type           = &nft_nat_type,
 157         .size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
 158         .eval           = nft_nat_eval,
 159         .init           = nft_nat_init,
 160         .dump           = nft_nat_dump,
 161 };
 162
 163 static struct nft_expr_type nft_nat_type __read_mostly = {
 164         .name           = "nat",
 165         .ops            = &nft_nat_ops,
 166         .policy         = nft_nat_policy,
 167         .maxattr        = NFTA_NAT_MAX,
 168         .owner          = THIS_MODULE,
 169 };
 170
 171 /*
 172  * NAT chains
 173  */
 174
 175 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
 176                               struct sk_buff *skb,
 177                               const struct net_device *in,
 178                               const struct net_device *out,
 179                               int (*okfn)(struct sk_buff *))
 180 {
 181         enum ip_conntrack_info ctinfo;
 182         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 183         struct nf_conn_nat *nat;
 184         enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
 185         struct nft_pktinfo pkt;
 186         unsigned int ret;
 187
 188         if (ct == NULL || nf_ct_is_untracked(ct))
 189                 return NF_ACCEPT;
 190
 191         NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
 192
 193         nat = nfct_nat(ct);
 194         if (nat == NULL) {
 195                 /* Conntrack module was loaded late, can't add extension. */
 196                 if (nf_ct_is_confirmed(ct))
 197                         return NF_ACCEPT;
 198                 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
 199                 if (nat == NULL)
 200                         return NF_ACCEPT;
 201         }
 202
 203         switch (ctinfo) {
 204         case IP_CT_RELATED:
 205         case IP_CT_RELATED + IP_CT_IS_REPLY:
 206                 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
 207                         if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
 208                                                            ops->hooknum))
 209                                 return NF_DROP;
 210                         else
 211                                 return NF_ACCEPT;
 212                 }
 213                 /* Fall through */
 214         case IP_CT_NEW:
 215                 if (nf_nat_initialized(ct, maniptype))
 216                         break;
 217
 218                 nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
 219
 220                 ret = nft_do_chain_pktinfo(&pkt, ops);
 221                 if (ret != NF_ACCEPT)
 222                         return ret;
 223                 if (!nf_nat_initialized(ct, maniptype)) {
 224                         ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
 225                         if (ret != NF_ACCEPT)
 226                                 return ret;
 227                 }
 228         default:
 229                 break;
 230         }
 231
 232         return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
 233 }
 234
 235 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
 236                                       struct sk_buff *skb,
 237                                       const struct net_device *in,
 238                                       const struct net_device *out,
 239                                       int (*okfn)(struct sk_buff *))
 240 {
 241         __be32 daddr = ip_hdr(skb)->daddr;
 242         unsigned int ret;
 243
 244         ret = nf_nat_fn(ops, skb, in, out, okfn);
 245         if (ret != NF_DROP && ret != NF_STOLEN &&
 246             ip_hdr(skb)->daddr != daddr) {
 247                 skb_dst_drop(skb);
 248         }
 249         return ret;
 250 }
 251
 252 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
 253                                        struct sk_buff *skb,
 254                                        const struct net_device *in,
 255                                        const struct net_device *out,
 256                                        int (*okfn)(struct sk_buff *))
 257 {
 258         enum ip_conntrack_info ctinfo __maybe_unused;
 259         const struct nf_conn *ct __maybe_unused;
 260         unsigned int ret;
 261
 262         ret = nf_nat_fn(ops, skb, in, out, okfn);
 263 #ifdef CONFIG_XFRM
 264         if (ret != NF_DROP && ret != NF_STOLEN &&
 265             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 266                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 267
 268                 if (ct->tuplehash[dir].tuple.src.u3.ip !=
 269                     ct->tuplehash[!dir].tuple.dst.u3.ip ||
 270                     ct->tuplehash[dir].tuple.src.u.all !=
 271                     ct->tuplehash[!dir].tuple.dst.u.all)
 272                         return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
 273                                                                 ret : NF_DROP;
 274         }
 275 #endif
 276         return ret;
 277 }
 278
 279 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
 280                                   struct sk_buff *skb,
 281                                   const struct net_device *in,
 282                                   const struct net_device *out,
 283                                   int (*okfn)(struct sk_buff *))
 284 {
 285         enum ip_conntrack_info ctinfo;
 286         const struct nf_conn *ct;
 287         unsigned int ret;
 288
 289         ret = nf_nat_fn(ops, skb, in, out, okfn);
 290         if (ret != NF_DROP && ret != NF_STOLEN &&
 291             (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 292                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 293
 294                 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
 295                     ct->tuplehash[!dir].tuple.src.u3.ip) {
 296                         if (ip_route_me_harder(skb, RTN_UNSPEC))
 297                                 ret = NF_DROP;
 298                 }
 299 #ifdef CONFIG_XFRM
 300                 else if (ct->tuplehash[dir].tuple.dst.u.all !=
 301                          ct->tuplehash[!dir].tuple.src.u.all)
 302                         if (nf_xfrm_me_harder(skb, AF_INET))
 303                                 ret = NF_DROP;
 304 #endif
 305         }
 306         return ret;
 307 }
 308
 309 struct nf_chain_type nft_chain_nat_ipv4 = {
 310         .family         = NFPROTO_IPV4,
 311         .name           = "nat",
 312         .type           = NFT_CHAIN_T_NAT,
 313         .hook_mask      = (1 << NF_INET_PRE_ROUTING) |
 314                           (1 << NF_INET_POST_ROUTING) |
 315                           (1 << NF_INET_LOCAL_OUT) |
 316                           (1 << NF_INET_LOCAL_IN),
 317         .fn             = {
 318                 [NF_INET_PRE_ROUTING]   = nf_nat_prerouting,
 319                 [NF_INET_POST_ROUTING]  = nf_nat_postrouting,
 320                 [NF_INET_LOCAL_OUT]     = nf_nat_output,
 321                 [NF_INET_LOCAL_IN]      = nf_nat_fn,
 322         },
 323         .me             = THIS_MODULE,
 324 };
 325
 326 static int __init nft_chain_nat_init(void)
 327 {
 328         int err;
 329
 330         err = nft_register_chain_type(&nft_chain_nat_ipv4);
 331         if (err < 0)
 332                 return err;
 333
 334         err = nft_register_expr(&nft_nat_type);
 335         if (err < 0)
 336                 goto err;
 337
 338         return 0;
 339
 340 err:
 341         nft_unregister_chain_type(&nft_chain_nat_ipv4);
 342         return err;
 343 }
 344
 345 static void __exit nft_chain_nat_exit(void)
 346 {
 347         nft_unregister_expr(&nft_nat_type);
 348         nft_unregister_chain_type(&nft_chain_nat_ipv4);
 349 }
 350
 351 module_init(nft_chain_nat_init);
 352 module_exit(nft_chain_nat_exit);
 353
 354 MODULE_LICENSE("GPL");
 355 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 356 MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
 357 MODULE_ALIAS_NFT_EXPR("nat");