Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 30766f4c authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nat: move specific NAT IPv4 to core 



Move the specific NAT IPv4 core functions that are called from the
hooks from iptable_nat.c to nf_nat_l3proto_ipv4.c. This prepares the
ground to allow iptables and nft to use the same NAT engine code that
comes in a follow up patch.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f111f780

include/net/netfilter/nf_nat_l3proto.h

+38 −0
Original line number Diff line number Diff line
@@ -42,6 +42,44 @@ const struct nf_nat_l3proto *__nf_nat_l3proto_find(u8 l3proto); 
int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct,

				  enum ip_conntrack_info ctinfo,

				  unsigned int hooknum);



unsigned int nf_nat_ipv4_in(const struct nf_hook_ops *ops, struct sk_buff *skb,

			    const struct net_device *in,

			    const struct net_device *out,

			    unsigned int (*do_chain)(const struct nf_hook_ops *ops,

						     struct sk_buff *skb,

						     const struct net_device *in,

						     const struct net_device *out,

						     struct nf_conn *ct));



unsigned int nf_nat_ipv4_out(const struct nf_hook_ops *ops, struct sk_buff *skb,

			     const struct net_device *in,

			     const struct net_device *out,

			     unsigned int (*do_chain)(const struct nf_hook_ops *ops,

						      struct sk_buff *skb,

						      const struct net_device *in,

						      const struct net_device *out,

						      struct nf_conn *ct));



unsigned int nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops,

				  struct sk_buff *skb,

				  const struct net_device *in,

				  const struct net_device *out,

				  unsigned int (*do_chain)(const struct nf_hook_ops *ops,

							   struct sk_buff *skb,

							   const struct net_device *in,

							   const struct net_device *out,

							   struct nf_conn *ct));



unsigned int nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,

			    const struct net_device *in,

			    const struct net_device *out,

			    unsigned int (*do_chain)(const struct nf_hook_ops *ops,

						     struct sk_buff *skb,

						     const struct net_device *in,

						     const struct net_device *out,

						     struct nf_conn *ct));



int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,

				    enum ip_conntrack_info ctinfo,

				    unsigned int hooknum, unsigned int hdrlen);

net/ipv4/netfilter/iptable_nat.c

+34 −199
Original line number Diff line number Diff line
@@ -28,222 +28,57 @@ static const struct xt_table nf_nat_ipv4_table = { 
	.af		= NFPROTO_IPV4,

};



static unsigned int alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)

{

	/* Force range to this IP; let proto decide mapping for

	 * per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).

	 */

	struct nf_nat_range range;



	range.flags = 0;

	pr_debug("Allocating NULL binding for %p (%pI4)\n", ct,

		 HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?

		 &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip :

		 &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip);



	return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));

}



static unsigned int nf_nat_rule_find(struct sk_buff *skb, unsigned int hooknum,

static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,

					 struct sk_buff *skb,

					 const struct net_device *in,

					 const struct net_device *out,

					 struct nf_conn *ct)

{

	struct net *net = nf_ct_net(ct);

	unsigned int ret;



	ret = ipt_do_table(skb, hooknum, in, out, net->ipv4.nat_table);

	if (ret == NF_ACCEPT) {

		if (!nf_nat_initialized(ct, HOOK2MANIP(hooknum)))

			ret = alloc_null_binding(ct, hooknum);

	}

	return ret;

	return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.nat_table);

}



static unsigned int

nf_nat_ipv4_fn(const struct nf_hook_ops *ops,

static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,

					struct sk_buff *skb,

					const struct net_device *in,

					const struct net_device *out,

					int (*okfn)(struct sk_buff *))

{

	struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	struct nf_conn_nat *nat;

	/* maniptype == SRC for postrouting. */

	enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);



	/* We never see fragments: conntrack defrags on pre-routing

	 * and local-out, and nf_nat_out protects post-routing.

	 */

	NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));



	ct = nf_ct_get(skb, &ctinfo);

	/* Can't track?  It's not due to stress, or conntrack would

	 * have dropped it.  Hence it's the user's responsibilty to

	 * packet filter it out, or implement conntrack/NAT for that

	 * protocol. 8) --RR

	 */

	if (!ct)

		return NF_ACCEPT;



	/* Don't try to NAT if this packet is not conntracked */

	if (nf_ct_is_untracked(ct))

		return NF_ACCEPT;



	nat = nf_ct_nat_ext_add(ct);

	if (nat == NULL)

		return NF_ACCEPT;



	switch (ctinfo) {

	case IP_CT_RELATED:

	case IP_CT_RELATED_REPLY:

		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {

			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,

							   ops->hooknum))

				return NF_DROP;

			else

				return NF_ACCEPT;

		}

		/* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */

	case IP_CT_NEW:

		/* Seen it before?  This can happen for loopback, retrans,

		 * or local packets.

		 */

		if (!nf_nat_initialized(ct, maniptype)) {

			unsigned int ret;



			ret = nf_nat_rule_find(skb, ops->hooknum, in, out, ct);

			if (ret != NF_ACCEPT)

				return ret;

		} else {

			pr_debug("Already setup manip %s for ct %p\n",

				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",

				 ct);

			if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))

				goto oif_changed;

	return nf_nat_ipv4_fn(ops, skb, in, out, iptable_nat_do_chain);

}

		break;



	default:

		/* ESTABLISHED */

		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||

			     ctinfo == IP_CT_ESTABLISHED_REPLY);

		if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))

			goto oif_changed;

	}



	return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);



oif_changed:

	nf_ct_kill_acct(ct, ctinfo, skb);

	return NF_DROP;

}



static unsigned int

nf_nat_ipv4_in(const struct nf_hook_ops *ops,

static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops,

					struct sk_buff *skb,

					const struct net_device *in,

					const struct net_device *out,

					int (*okfn)(struct sk_buff *))

{

	unsigned int ret;

	__be32 daddr = ip_hdr(skb)->daddr;



	ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn);

	if (ret != NF_DROP && ret != NF_STOLEN &&

	    daddr != ip_hdr(skb)->daddr)

		skb_dst_drop(skb);



	return ret;

	return nf_nat_ipv4_in(ops, skb, in, out, iptable_nat_do_chain);

}



static unsigned int

nf_nat_ipv4_out(const struct nf_hook_ops *ops,

static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops,

					 struct sk_buff *skb,

					 const struct net_device *in,

					 const struct net_device *out,

					 int (*okfn)(struct sk_buff *))

{

#ifdef CONFIG_XFRM

	const struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	int err;

#endif

	unsigned int ret;



	/* root is playing with raw sockets. */

	if (skb->len < sizeof(struct iphdr) ||

	    ip_hdrlen(skb) < sizeof(struct iphdr))

		return NF_ACCEPT;



	ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn);

#ifdef CONFIG_XFRM

	if (ret != NF_DROP && ret != NF_STOLEN &&

	    !(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&

	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {

		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);



		if ((ct->tuplehash[dir].tuple.src.u3.ip !=

		     ct->tuplehash[!dir].tuple.dst.u3.ip) ||

		    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&

		     ct->tuplehash[dir].tuple.src.u.all !=

		     ct->tuplehash[!dir].tuple.dst.u.all)) {

			err = nf_xfrm_me_harder(skb, AF_INET);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

	}

#endif

	return ret;

	return nf_nat_ipv4_out(ops, skb, in, out, iptable_nat_do_chain);

}



static unsigned int

nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops,

static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops,

					      struct sk_buff *skb,

					      const struct net_device *in,

					      const struct net_device *out,

					      int (*okfn)(struct sk_buff *))

{

	const struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	unsigned int ret;

	int err;



	/* root is playing with raw sockets. */

	if (skb->len < sizeof(struct iphdr) ||

	    ip_hdrlen(skb) < sizeof(struct iphdr))

		return NF_ACCEPT;



	ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn);

	if (ret != NF_DROP && ret != NF_STOLEN &&

	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {

		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);



		if (ct->tuplehash[dir].tuple.dst.u3.ip !=

		    ct->tuplehash[!dir].tuple.src.u3.ip) {

			err = ip_route_me_harder(skb, RTN_UNSPEC);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

#ifdef CONFIG_XFRM

		else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&

			 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&

			 ct->tuplehash[dir].tuple.dst.u.all !=

			 ct->tuplehash[!dir].tuple.src.u.all) {

			err = nf_xfrm_me_harder(skb, AF_INET);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

#endif

	}

	return ret;

	return nf_nat_ipv4_local_fn(ops, skb, in, out, iptable_nat_do_chain);

}



static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = {

	/* Before packet filtering, change destination */

	{

		.hook		= nf_nat_ipv4_in,

		.hook		= iptable_nat_ipv4_in,

		.owner		= THIS_MODULE,

		.pf		= NFPROTO_IPV4,

		.hooknum	= NF_INET_PRE_ROUTING,
@@ -251,7 +86,7 @@ static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = { 
	},

	/* After packet filtering, change source */

	{

		.hook		= nf_nat_ipv4_out,

		.hook		= iptable_nat_ipv4_out,

		.owner		= THIS_MODULE,

		.pf		= NFPROTO_IPV4,

		.hooknum	= NF_INET_POST_ROUTING,
@@ -259,7 +94,7 @@ static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = { 
	},

	/* Before packet filtering, change destination */

	{

		.hook		= nf_nat_ipv4_local_fn,

		.hook		= iptable_nat_ipv4_local_fn,

		.owner		= THIS_MODULE,

		.pf		= NFPROTO_IPV4,

		.hooknum	= NF_INET_LOCAL_OUT,
@@ -267,7 +102,7 @@ static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = { 
	},

	/* After packet filtering, change source */

	{

		.hook		= nf_nat_ipv4_fn,

		.hook		= iptable_nat_ipv4_fn,

		.owner		= THIS_MODULE,

		.pf		= NFPROTO_IPV4,

		.hooknum	= NF_INET_LOCAL_IN,

net/ipv4/netfilter/nf_nat_l3proto_ipv4.c

+199 −0
Original line number Diff line number Diff line
@@ -254,6 +254,205 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, 
}

EXPORT_SYMBOL_GPL(nf_nat_icmp_reply_translation);



unsigned int

nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,

	       const struct net_device *in, const struct net_device *out,

	       unsigned int (*do_chain)(const struct nf_hook_ops *ops,

					struct sk_buff *skb,

					const struct net_device *in,

					const struct net_device *out,

					struct nf_conn *ct))

{

	struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	struct nf_conn_nat *nat;

	/* maniptype == SRC for postrouting. */

	enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);



	/* We never see fragments: conntrack defrags on pre-routing

	 * and local-out, and nf_nat_out protects post-routing.

	 */

	NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));



	ct = nf_ct_get(skb, &ctinfo);

	/* Can't track?  It's not due to stress, or conntrack would

	 * have dropped it.  Hence it's the user's responsibilty to

	 * packet filter it out, or implement conntrack/NAT for that

	 * protocol. 8) --RR

	 */

	if (!ct)

		return NF_ACCEPT;



	/* Don't try to NAT if this packet is not conntracked */

	if (nf_ct_is_untracked(ct))

		return NF_ACCEPT;



	nat = nf_ct_nat_ext_add(ct);

	if (nat == NULL)

		return NF_ACCEPT;



	switch (ctinfo) {

	case IP_CT_RELATED:

	case IP_CT_RELATED_REPLY:

		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {

			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,

							   ops->hooknum))

				return NF_DROP;

			else

				return NF_ACCEPT;

		}

		/* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */

	case IP_CT_NEW:

		/* Seen it before?  This can happen for loopback, retrans,

		 * or local packets.

		 */

		if (!nf_nat_initialized(ct, maniptype)) {

			unsigned int ret;



			ret = do_chain(ops, skb, in, out, ct);

			if (ret != NF_ACCEPT)

				return ret;



			if (nf_nat_initialized(ct, HOOK2MANIP(ops->hooknum)))

				break;



			ret = nf_nat_alloc_null_binding(ct, ops->hooknum);

			if (ret != NF_ACCEPT)

				return ret;

		} else {

			pr_debug("Already setup manip %s for ct %p\n",

				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",

				 ct);

			if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))

				goto oif_changed;

		}

		break;



	default:

		/* ESTABLISHED */

		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||

			     ctinfo == IP_CT_ESTABLISHED_REPLY);

		if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))

			goto oif_changed;

	}



	return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);



oif_changed:

	nf_ct_kill_acct(ct, ctinfo, skb);

	return NF_DROP;

}

EXPORT_SYMBOL_GPL(nf_nat_ipv4_fn);



unsigned int

nf_nat_ipv4_in(const struct nf_hook_ops *ops, struct sk_buff *skb,

	       const struct net_device *in, const struct net_device *out,

	       unsigned int (*do_chain)(const struct nf_hook_ops *ops,

					 struct sk_buff *skb,

					 const struct net_device *in,

					 const struct net_device *out,

					 struct nf_conn *ct))

{

	unsigned int ret;

	__be32 daddr = ip_hdr(skb)->daddr;



	ret = nf_nat_ipv4_fn(ops, skb, in, out, do_chain);

	if (ret != NF_DROP && ret != NF_STOLEN &&

	    daddr != ip_hdr(skb)->daddr)

		skb_dst_drop(skb);



	return ret;

}

EXPORT_SYMBOL_GPL(nf_nat_ipv4_in);



unsigned int

nf_nat_ipv4_out(const struct nf_hook_ops *ops, struct sk_buff *skb,

		const struct net_device *in, const struct net_device *out,

		unsigned int (*do_chain)(const struct nf_hook_ops *ops,

					  struct sk_buff *skb,

					  const struct net_device *in,

					  const struct net_device *out,

					  struct nf_conn *ct))

{

#ifdef CONFIG_XFRM

	const struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	int err;

#endif

	unsigned int ret;



	/* root is playing with raw sockets. */

	if (skb->len < sizeof(struct iphdr) ||

	    ip_hdrlen(skb) < sizeof(struct iphdr))

		return NF_ACCEPT;



	ret = nf_nat_ipv4_fn(ops, skb, in, out, do_chain);

#ifdef CONFIG_XFRM

	if (ret != NF_DROP && ret != NF_STOLEN &&

	    !(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&

	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {

		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);



		if ((ct->tuplehash[dir].tuple.src.u3.ip !=

		     ct->tuplehash[!dir].tuple.dst.u3.ip) ||

		    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&

		     ct->tuplehash[dir].tuple.src.u.all !=

		     ct->tuplehash[!dir].tuple.dst.u.all)) {

			err = nf_xfrm_me_harder(skb, AF_INET);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

	}

#endif

	return ret;

}

EXPORT_SYMBOL_GPL(nf_nat_ipv4_out);



unsigned int

nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,

		     const struct net_device *in, const struct net_device *out,

		     unsigned int (*do_chain)(const struct nf_hook_ops *ops,

					       struct sk_buff *skb,

					       const struct net_device *in,

					       const struct net_device *out,

					       struct nf_conn *ct))

{

	const struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	unsigned int ret;

	int err;



	/* root is playing with raw sockets. */

	if (skb->len < sizeof(struct iphdr) ||

	    ip_hdrlen(skb) < sizeof(struct iphdr))

		return NF_ACCEPT;



	ret = nf_nat_ipv4_fn(ops, skb, in, out, do_chain);

	if (ret != NF_DROP && ret != NF_STOLEN &&

	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {

		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);



		if (ct->tuplehash[dir].tuple.dst.u3.ip !=

		    ct->tuplehash[!dir].tuple.src.u3.ip) {

			err = ip_route_me_harder(skb, RTN_UNSPEC);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

#ifdef CONFIG_XFRM

		else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&

			 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&

			 ct->tuplehash[dir].tuple.dst.u.all !=

			 ct->tuplehash[!dir].tuple.src.u.all) {

			err = nf_xfrm_me_harder(skb, AF_INET);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

#endif

	}

	return ret;

}

EXPORT_SYMBOL_GPL(nf_nat_ipv4_local_fn);



static int __init nf_nat_l3proto_ipv4_init(void)

{

	int err;