LXR linux/net/ipv4/netfilter/nf_nat

   1/* (C) 1999-2001 Paul `Rusty' Russell
   2 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
   3 *
   4 * This program is free software; you can redistribute it and/or modify
   5 * it under the terms of the GNU General Public License version 2 as
   6 * published by the Free Software Foundation.
   7 */
   8#include <linux/types.h>
   9#include <linux/icmp.h>
  10#include <linux/gfp.h>
  11#include <linux/ip.h>
  12#include <linux/netfilter.h>
  13#include <linux/netfilter_ipv4.h>
  14#include <linux/module.h>
  15#include <linux/skbuff.h>
  16#include <linux/proc_fs.h>
  17#include <net/ip.h>
  18#include <net/checksum.h>
  19#include <linux/spinlock.h>
  20
  21#include <net/netfilter/nf_conntrack.h>
  22#include <net/netfilter/nf_conntrack_core.h>
  23#include <net/netfilter/nf_conntrack_extend.h>
  24#include <net/netfilter/nf_nat.h>
  25#include <net/netfilter/nf_nat_rule.h>
  26#include <net/netfilter/nf_nat_protocol.h>
  27#include <net/netfilter/nf_nat_core.h>
  28#include <net/netfilter/nf_nat_helper.h>
  29#include <linux/netfilter_ipv4/ip_tables.h>
  30
  31#ifdef CONFIG_XFRM
  32static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
  33{
  34        const struct nf_conn *ct;
  35        const struct nf_conntrack_tuple *t;
  36        enum ip_conntrack_info ctinfo;
  37        enum ip_conntrack_dir dir;
  38        unsigned long statusbit;
  39
  40        ct = nf_ct_get(skb, &ctinfo);
  41        if (ct == NULL)
  42                return;
  43        dir = CTINFO2DIR(ctinfo);
  44        t = &ct->tuplehash[dir].tuple;
  45
  46        if (dir == IP_CT_DIR_ORIGINAL)
  47                statusbit = IPS_DST_NAT;
  48        else
  49                statusbit = IPS_SRC_NAT;
  50
  51        if (ct->status & statusbit) {
  52                fl->fl4_dst = t->dst.u3.ip;
  53                if (t->dst.protonum == IPPROTO_TCP ||
  54                    t->dst.protonum == IPPROTO_UDP ||
  55                    t->dst.protonum == IPPROTO_UDPLITE ||
  56                    t->dst.protonum == IPPROTO_DCCP ||
  57                    t->dst.protonum == IPPROTO_SCTP)
  58                        fl->fl_ip_dport = t->dst.u.tcp.port;
  59        }
  60
  61        statusbit ^= IPS_NAT_MASK;
  62
  63        if (ct->status & statusbit) {
  64                fl->fl4_src = t->src.u3.ip;
  65                if (t->dst.protonum == IPPROTO_TCP ||
  66                    t->dst.protonum == IPPROTO_UDP ||
  67                    t->dst.protonum == IPPROTO_UDPLITE ||
  68                    t->dst.protonum == IPPROTO_DCCP ||
  69                    t->dst.protonum == IPPROTO_SCTP)
  70                        fl->fl_ip_sport = t->src.u.tcp.port;
  71        }
  72}
  73#endif
  74
  75static unsigned int
  76nf_nat_fn(unsigned int hooknum,
  77          struct sk_buff *skb,
  78          const struct net_device *in,
  79          const struct net_device *out,
  80          int (*okfn)(struct sk_buff *))
  81{
  82        struct nf_conn *ct;
  83        enum ip_conntrack_info ctinfo;
  84        struct nf_conn_nat *nat;
  85        /* maniptype == SRC for postrouting. */
  86        enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum);
  87
  88        /* We never see fragments: conntrack defrags on pre-routing
  89           and local-out, and nf_nat_out protects post-routing. */
  90        NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
  91
  92        ct = nf_ct_get(skb, &ctinfo);
  93        /* Can't track?  It's not due to stress, or conntrack would
  94           have dropped it.  Hence it's the user's responsibilty to
  95           packet filter it out, or implement conntrack/NAT for that
  96           protocol. 8) --RR */
  97        if (!ct)
  98                return NF_ACCEPT;
  99
 100        /* Don't try to NAT if this packet is not conntracked */
 101        if (nf_ct_is_untracked(ct))
 102                return NF_ACCEPT;
 103
 104        nat = nfct_nat(ct);
 105        if (!nat) {
 106                /* NAT module was loaded late. */
 107                if (nf_ct_is_confirmed(ct))
 108                        return NF_ACCEPT;
 109                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
 110                if (nat == NULL) {
 111                        pr_debug("failed to add NAT extension\n");
 112                        return NF_ACCEPT;
 113                }
 114        }
 115
 116        switch (ctinfo) {
 117        case IP_CT_RELATED:
 118        case IP_CT_RELATED+IP_CT_IS_REPLY:
 119                if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
 120                        if (!nf_nat_icmp_reply_translation(ct, ctinfo,
 121                                                           hooknum, skb))
 122                                return NF_DROP;
 123                        else
 124                                return NF_ACCEPT;
 125                }
 126                /* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */
 127        case IP_CT_NEW:
 128
 129                /* Seen it before?  This can happen for loopback, retrans,
 130                   or local packets.. */
 131                if (!nf_nat_initialized(ct, maniptype)) {
 132                        unsigned int ret;
 133
 134                        ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
 135                        if (ret != NF_ACCEPT)
 136                                return ret;
 137                } else
 138                        pr_debug("Already setup manip %s for ct %p\n",
 139                                 maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST",
 140                                 ct);
 141                break;
 142
 143        default:
 144                /* ESTABLISHED */
 145                NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
 146                             ctinfo == (IP_CT_ESTABLISHED+IP_CT_IS_REPLY));
 147        }
 148
 149        return nf_nat_packet(ct, ctinfo, hooknum, skb);
 150}
 151
 152static unsigned int
 153nf_nat_in(unsigned int hooknum,
 154          struct sk_buff *skb,
 155          const struct net_device *in,
 156          const struct net_device *out,
 157          int (*okfn)(struct sk_buff *))
 158{
 159        unsigned int ret;
 160        __be32 daddr = ip_hdr(skb)->daddr;
 161
 162        ret = nf_nat_fn(hooknum, skb, in, out, okfn);
 163        if (ret != NF_DROP && ret != NF_STOLEN &&
 164            daddr != ip_hdr(skb)->daddr)
 165                skb_dst_drop(skb);
 166
 167        return ret;
 168}
 169
 170static unsigned int
 171nf_nat_out(unsigned int hooknum,
 172           struct sk_buff *skb,
 173           const struct net_device *in,
 174           const struct net_device *out,
 175           int (*okfn)(struct sk_buff *))
 176{
 177#ifdef CONFIG_XFRM
 178        const struct nf_conn *ct;
 179        enum ip_conntrack_info ctinfo;
 180#endif
 181        unsigned int ret;
 182
 183        /* root is playing with raw sockets. */
 184        if (skb->len < sizeof(struct iphdr) ||
 185            ip_hdrlen(skb) < sizeof(struct iphdr))
 186                return NF_ACCEPT;
 187
 188        ret = nf_nat_fn(hooknum, skb, in, out, okfn);
 189#ifdef CONFIG_XFRM
 190        if (ret != NF_DROP && ret != NF_STOLEN &&
 191            (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 192                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 193
 194                if ((ct->tuplehash[dir].tuple.src.u3.ip !=
 195                     ct->tuplehash[!dir].tuple.dst.u3.ip) ||
 196                    (ct->tuplehash[dir].tuple.src.u.all !=
 197                     ct->tuplehash[!dir].tuple.dst.u.all)
 198                   )
 199                        return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
 200        }
 201#endif
 202        return ret;
 203}
 204
 205static unsigned int
 206nf_nat_local_fn(unsigned int hooknum,
 207                struct sk_buff *skb,
 208                const struct net_device *in,
 209                const struct net_device *out,
 210                int (*okfn)(struct sk_buff *))
 211{
 212        const struct nf_conn *ct;
 213        enum ip_conntrack_info ctinfo;
 214        unsigned int ret;
 215
 216        /* root is playing with raw sockets. */
 217        if (skb->len < sizeof(struct iphdr) ||
 218            ip_hdrlen(skb) < sizeof(struct iphdr))
 219                return NF_ACCEPT;
 220
 221        ret = nf_nat_fn(hooknum, skb, in, out, okfn);
 222        if (ret != NF_DROP && ret != NF_STOLEN &&
 223            (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 224                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 225
 226                if (ct->tuplehash[dir].tuple.dst.u3.ip !=
 227                    ct->tuplehash[!dir].tuple.src.u3.ip) {
 228                        if (ip_route_me_harder(skb, RTN_UNSPEC))
 229                                ret = NF_DROP;
 230                }
 231#ifdef CONFIG_XFRM
 232                else if (ct->tuplehash[dir].tuple.dst.u.all !=
 233                         ct->tuplehash[!dir].tuple.src.u.all)
 234                        if (ip_xfrm_me_harder(skb))
 235                                ret = NF_DROP;
 236#endif
 237        }
 238        return ret;
 239}
 240
 241/* We must be after connection tracking and before packet filtering. */
 242
 243static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
 244        /* Before packet filtering, change destination */
 245        {
 246                .hook           = nf_nat_in,
 247                .owner          = THIS_MODULE,
 248                .pf             = NFPROTO_IPV4,
 249                .hooknum        = NF_INET_PRE_ROUTING,
 250                .priority       = NF_IP_PRI_NAT_DST,
 251        },
 252        /* After packet filtering, change source */
 253        {
 254                .hook           = nf_nat_out,
 255                .owner          = THIS_MODULE,
 256                .pf             = NFPROTO_IPV4,
 257                .hooknum        = NF_INET_POST_ROUTING,
 258                .priority       = NF_IP_PRI_NAT_SRC,
 259        },
 260        /* Before packet filtering, change destination */
 261        {
 262                .hook           = nf_nat_local_fn,
 263                .owner          = THIS_MODULE,
 264                .pf             = NFPROTO_IPV4,
 265                .hooknum        = NF_INET_LOCAL_OUT,
 266                .priority       = NF_IP_PRI_NAT_DST,
 267        },
 268        /* After packet filtering, change source */
 269        {
 270                .hook           = nf_nat_fn,
 271                .owner          = THIS_MODULE,
 272                .pf             = NFPROTO_IPV4,
 273                .hooknum        = NF_INET_LOCAL_IN,
 274                .priority       = NF_IP_PRI_NAT_SRC,
 275        },
 276};
 277
 278static int __init nf_nat_standalone_init(void)
 279{
 280        int ret = 0;
 281
 282        need_ipv4_conntrack();
 283
 284#ifdef CONFIG_XFRM
 285        BUG_ON(ip_nat_decode_session != NULL);
 286        rcu_assign_pointer(ip_nat_decode_session, nat_decode_session);
 287#endif
 288        ret = nf_nat_rule_init();
 289        if (ret < 0) {
 290                pr_err("nf_nat_init: can't setup rules.\n");
 291                goto cleanup_decode_session;
 292        }
 293        ret = nf_register_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
 294        if (ret < 0) {
 295                pr_err("nf_nat_init: can't register hooks.\n");
 296                goto cleanup_rule_init;
 297        }
 298        return ret;
 299
 300 cleanup_rule_init:
 301        nf_nat_rule_cleanup();
 302 cleanup_decode_session:
 303#ifdef CONFIG_XFRM
 304        rcu_assign_pointer(ip_nat_decode_session, NULL);
 305        synchronize_net();
 306#endif
 307        return ret;
 308}
 309
 310static void __exit nf_nat_standalone_fini(void)
 311{
 312        nf_unregister_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
 313        nf_nat_rule_cleanup();
 314#ifdef CONFIG_XFRM
 315        rcu_assign_pointer(ip_nat_decode_session, NULL);
 316        synchronize_net();
 317#endif
 318        /* Conntrack caches are unregistered in nf_conntrack_cleanup */
 319}
 320
 321module_init(nf_nat_standalone_init);
 322module_exit(nf_nat_standalone_fini);
 323
 324MODULE_LICENSE("GPL");
 325MODULE_ALIAS("ip_nat");
 326