2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
3 * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Development of this code funded by Astaro AG (http://www.astaro.com/)
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/list.h>
15 #include <linux/skbuff.h>
17 #include <linux/netlink.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter_ipv4.h>
20 #include <linux/netfilter/nfnetlink.h>
21 #include <linux/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_conntrack.h>
23 #include <net/netfilter/nf_nat.h>
24 #include <net/netfilter/nf_nat_core.h>
25 #include <net/netfilter/nf_tables.h>
26 #include <net/netfilter/nf_tables_ipv4.h>
27 #include <net/netfilter/nf_nat_l3proto.h>
31 enum nft_registers sreg_addr_min
:8;
32 enum nft_registers sreg_addr_max
:8;
33 enum nft_registers sreg_proto_min
:8;
34 enum nft_registers sreg_proto_max
:8;
35 enum nf_nat_manip_type type
;
38 static void nft_nat_eval(const struct nft_expr
*expr
,
39 struct nft_data data
[NFT_REG_MAX
+ 1],
40 const struct nft_pktinfo
*pkt
)
42 const struct nft_nat
*priv
= nft_expr_priv(expr
);
43 enum ip_conntrack_info ctinfo
;
44 struct nf_conn
*ct
= nf_ct_get(pkt
->skb
, &ctinfo
);
45 struct nf_nat_range range
;
47 memset(&range
, 0, sizeof(range
));
48 if (priv
->sreg_addr_min
) {
49 range
.min_addr
.ip
= data
[priv
->sreg_addr_min
].data
[0];
50 range
.max_addr
.ip
= data
[priv
->sreg_addr_max
].data
[0];
51 range
.flags
|= NF_NAT_RANGE_MAP_IPS
;
54 if (priv
->sreg_proto_min
) {
55 range
.min_proto
.all
= data
[priv
->sreg_proto_min
].data
[0];
56 range
.max_proto
.all
= data
[priv
->sreg_proto_max
].data
[0];
57 range
.flags
|= NF_NAT_RANGE_PROTO_SPECIFIED
;
60 data
[NFT_REG_VERDICT
].verdict
=
61 nf_nat_setup_info(ct
, &range
, priv
->type
);
64 static const struct nla_policy nft_nat_policy
[NFTA_NAT_MAX
+ 1] = {
65 [NFTA_NAT_ADDR_MIN
] = { .type
= NLA_U32
},
66 [NFTA_NAT_ADDR_MAX
] = { .type
= NLA_U32
},
67 [NFTA_NAT_PROTO_MIN
] = { .type
= NLA_U32
},
68 [NFTA_NAT_PROTO_MAX
] = { .type
= NLA_U32
},
69 [NFTA_NAT_TYPE
] = { .type
= NLA_U32
},
72 static int nft_nat_init(const struct nft_ctx
*ctx
, const struct nft_expr
*expr
,
73 const struct nlattr
* const tb
[])
75 struct nft_nat
*priv
= nft_expr_priv(expr
);
78 if (tb
[NFTA_NAT_TYPE
] == NULL
)
81 switch (ntohl(nla_get_be32(tb
[NFTA_NAT_TYPE
]))) {
83 priv
->type
= NF_NAT_MANIP_SRC
;
86 priv
->type
= NF_NAT_MANIP_DST
;
92 if (tb
[NFTA_NAT_ADDR_MIN
]) {
93 priv
->sreg_addr_min
= ntohl(nla_get_be32(tb
[NFTA_NAT_ADDR_MIN
]));
94 err
= nft_validate_input_register(priv
->sreg_addr_min
);
99 if (tb
[NFTA_NAT_ADDR_MAX
]) {
100 priv
->sreg_addr_max
= ntohl(nla_get_be32(tb
[NFTA_NAT_ADDR_MAX
]));
101 err
= nft_validate_input_register(priv
->sreg_addr_max
);
105 priv
->sreg_addr_max
= priv
->sreg_addr_min
;
107 if (tb
[NFTA_NAT_PROTO_MIN
]) {
108 priv
->sreg_proto_min
= ntohl(nla_get_be32(tb
[NFTA_NAT_PROTO_MIN
]));
109 err
= nft_validate_input_register(priv
->sreg_proto_min
);
114 if (tb
[NFTA_NAT_PROTO_MAX
]) {
115 priv
->sreg_proto_max
= ntohl(nla_get_be32(tb
[NFTA_NAT_PROTO_MAX
]));
116 err
= nft_validate_input_register(priv
->sreg_proto_max
);
120 priv
->sreg_proto_max
= priv
->sreg_proto_min
;
125 static int nft_nat_dump(struct sk_buff
*skb
, const struct nft_expr
*expr
)
127 const struct nft_nat
*priv
= nft_expr_priv(expr
);
129 switch (priv
->type
) {
130 case NF_NAT_MANIP_SRC
:
131 if (nla_put_be32(skb
, NFTA_NAT_TYPE
, htonl(NFT_NAT_SNAT
)))
132 goto nla_put_failure
;
134 case NF_NAT_MANIP_DST
:
135 if (nla_put_be32(skb
, NFTA_NAT_TYPE
, htonl(NFT_NAT_DNAT
)))
136 goto nla_put_failure
;
140 if (nla_put_be32(skb
, NFTA_NAT_ADDR_MIN
, htonl(priv
->sreg_addr_min
)))
141 goto nla_put_failure
;
142 if (nla_put_be32(skb
, NFTA_NAT_ADDR_MAX
, htonl(priv
->sreg_addr_max
)))
143 goto nla_put_failure
;
144 if (nla_put_be32(skb
, NFTA_NAT_PROTO_MIN
, htonl(priv
->sreg_proto_min
)))
145 goto nla_put_failure
;
146 if (nla_put_be32(skb
, NFTA_NAT_PROTO_MAX
, htonl(priv
->sreg_proto_max
)))
147 goto nla_put_failure
;
154 static struct nft_expr_type nft_nat_type
;
155 static const struct nft_expr_ops nft_nat_ops
= {
156 .type
= &nft_nat_type
,
157 .size
= NFT_EXPR_SIZE(sizeof(struct nft_nat
)),
158 .eval
= nft_nat_eval
,
159 .init
= nft_nat_init
,
160 .dump
= nft_nat_dump
,
163 static struct nft_expr_type nft_nat_type __read_mostly
= {
166 .policy
= nft_nat_policy
,
167 .maxattr
= NFTA_NAT_MAX
,
168 .owner
= THIS_MODULE
,
175 static unsigned int nf_nat_fn(const struct nf_hook_ops
*ops
,
177 const struct net_device
*in
,
178 const struct net_device
*out
,
179 int (*okfn
)(struct sk_buff
*))
181 enum ip_conntrack_info ctinfo
;
182 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
183 struct nf_conn_nat
*nat
;
184 enum nf_nat_manip_type maniptype
= HOOK2MANIP(ops
->hooknum
);
185 struct nft_pktinfo pkt
;
188 if (ct
== NULL
|| nf_ct_is_untracked(ct
))
191 NF_CT_ASSERT(!(ip_hdr(skb
)->frag_off
& htons(IP_MF
| IP_OFFSET
)));
195 /* Conntrack module was loaded late, can't add extension. */
196 if (nf_ct_is_confirmed(ct
))
198 nat
= nf_ct_ext_add(ct
, NF_CT_EXT_NAT
, GFP_ATOMIC
);
205 case IP_CT_RELATED
+ IP_CT_IS_REPLY
:
206 if (ip_hdr(skb
)->protocol
== IPPROTO_ICMP
) {
207 if (!nf_nat_icmp_reply_translation(skb
, ct
, ctinfo
,
215 if (nf_nat_initialized(ct
, maniptype
))
218 nft_set_pktinfo_ipv4(&pkt
, ops
, skb
, in
, out
);
220 ret
= nft_do_chain_pktinfo(&pkt
, ops
);
221 if (ret
!= NF_ACCEPT
)
223 if (!nf_nat_initialized(ct
, maniptype
)) {
224 ret
= nf_nat_alloc_null_binding(ct
, ops
->hooknum
);
225 if (ret
!= NF_ACCEPT
)
232 return nf_nat_packet(ct
, ctinfo
, ops
->hooknum
, skb
);
235 static unsigned int nf_nat_prerouting(const struct nf_hook_ops
*ops
,
237 const struct net_device
*in
,
238 const struct net_device
*out
,
239 int (*okfn
)(struct sk_buff
*))
241 __be32 daddr
= ip_hdr(skb
)->daddr
;
244 ret
= nf_nat_fn(ops
, skb
, in
, out
, okfn
);
245 if (ret
!= NF_DROP
&& ret
!= NF_STOLEN
&&
246 ip_hdr(skb
)->daddr
!= daddr
) {
252 static unsigned int nf_nat_postrouting(const struct nf_hook_ops
*ops
,
254 const struct net_device
*in
,
255 const struct net_device
*out
,
256 int (*okfn
)(struct sk_buff
*))
258 enum ip_conntrack_info ctinfo __maybe_unused
;
259 const struct nf_conn
*ct __maybe_unused
;
262 ret
= nf_nat_fn(ops
, skb
, in
, out
, okfn
);
264 if (ret
!= NF_DROP
&& ret
!= NF_STOLEN
&&
265 (ct
= nf_ct_get(skb
, &ctinfo
)) != NULL
) {
266 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
268 if (ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
!=
269 ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
||
270 ct
->tuplehash
[dir
].tuple
.src
.u
.all
!=
271 ct
->tuplehash
[!dir
].tuple
.dst
.u
.all
)
272 return nf_xfrm_me_harder(skb
, AF_INET
) == 0 ?
279 static unsigned int nf_nat_output(const struct nf_hook_ops
*ops
,
281 const struct net_device
*in
,
282 const struct net_device
*out
,
283 int (*okfn
)(struct sk_buff
*))
285 enum ip_conntrack_info ctinfo
;
286 const struct nf_conn
*ct
;
289 ret
= nf_nat_fn(ops
, skb
, in
, out
, okfn
);
290 if (ret
!= NF_DROP
&& ret
!= NF_STOLEN
&&
291 (ct
= nf_ct_get(skb
, &ctinfo
)) != NULL
) {
292 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
294 if (ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
!=
295 ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
) {
296 if (ip_route_me_harder(skb
, RTN_UNSPEC
))
300 else if (ct
->tuplehash
[dir
].tuple
.dst
.u
.all
!=
301 ct
->tuplehash
[!dir
].tuple
.src
.u
.all
)
302 if (nf_xfrm_me_harder(skb
, AF_INET
))
309 struct nf_chain_type nft_chain_nat_ipv4
= {
310 .family
= NFPROTO_IPV4
,
312 .type
= NFT_CHAIN_T_NAT
,
313 .hook_mask
= (1 << NF_INET_PRE_ROUTING
) |
314 (1 << NF_INET_POST_ROUTING
) |
315 (1 << NF_INET_LOCAL_OUT
) |
316 (1 << NF_INET_LOCAL_IN
),
318 [NF_INET_PRE_ROUTING
] = nf_nat_prerouting
,
319 [NF_INET_POST_ROUTING
] = nf_nat_postrouting
,
320 [NF_INET_LOCAL_OUT
] = nf_nat_output
,
321 [NF_INET_LOCAL_IN
] = nf_nat_fn
,
326 static int __init
nft_chain_nat_init(void)
330 err
= nft_register_chain_type(&nft_chain_nat_ipv4
);
334 err
= nft_register_expr(&nft_nat_type
);
341 nft_unregister_chain_type(&nft_chain_nat_ipv4
);
345 static void __exit
nft_chain_nat_exit(void)
347 nft_unregister_expr(&nft_nat_type
);
348 nft_unregister_chain_type(&nft_chain_nat_ipv4
);
351 module_init(nft_chain_nat_init
);
352 module_exit(nft_chain_nat_exit
);
354 MODULE_LICENSE("GPL");
355 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
356 MODULE_ALIAS_NFT_CHAIN(AF_INET
, "nat");
357 MODULE_ALIAS_NFT_EXPR("nat");