net/netfilter/nft_nat.c

   1 /*
   2  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
   3  * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
   4  * Copyright (c) 2012 Intel Corporation
   5  *
   6  * This program is free software; you can redistribute it and/or modify it
   7  * under the terms and conditions of the GNU General Public License,
   8  * version 2, as published by the Free Software Foundation.
   9  *
  10  */
  11
  12 #include <linux/module.h>
  13 #include <linux/init.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/ip.h>
  16 #include <linux/string.h>
  17 #include <linux/netlink.h>
  18 #include <linux/netfilter.h>
  19 #include <linux/netfilter_ipv4.h>
  20 #include <linux/netfilter/nfnetlink.h>
  21 #include <linux/netfilter/nf_tables.h>
  22 #include <net/netfilter/nf_conntrack.h>
  23 #include <net/netfilter/nf_nat.h>
  24 #include <net/netfilter/nf_nat_core.h>
  25 #include <net/netfilter/nf_tables.h>
  26 #include <net/netfilter/nf_nat_l3proto.h>
  27 #include <net/ip.h>
  28
  29 struct nft_nat {
  30         enum nft_registers      sreg_addr_min:8;
  31         enum nft_registers      sreg_addr_max:8;
  32         enum nft_registers      sreg_proto_min:8;
  33         enum nft_registers      sreg_proto_max:8;
  34         enum nf_nat_manip_type  type:8;
  35         u8                      family;
  36         u16                     flags;
  37 };
  38
  39 static void nft_nat_eval(const struct nft_expr *expr,
  40                          struct nft_regs *regs,
  41                          const struct nft_pktinfo *pkt)
  42 {
  43         const struct nft_nat *priv = nft_expr_priv(expr);
  44         enum ip_conntrack_info ctinfo;
  45         struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
  46         struct nf_nat_range2 range;
  47
  48         memset(&range, 0, sizeof(range));
  49         if (priv->sreg_addr_min) {
  50                 if (priv->family == AF_INET) {
  51                         range.min_addr.ip = (__force __be32)
  52                                         regs->data[priv->sreg_addr_min];
  53                         range.max_addr.ip = (__force __be32)
  54                                         regs->data[priv->sreg_addr_max];
  55
  56                 } else {
  57                         memcpy(range.min_addr.ip6,
  58                                &regs->data[priv->sreg_addr_min],
  59                                sizeof(range.min_addr.ip6));
  60                         memcpy(range.max_addr.ip6,
  61                                &regs->data[priv->sreg_addr_max],
  62                                sizeof(range.max_addr.ip6));
  63                 }
  64                 range.flags |= NF_NAT_RANGE_MAP_IPS;
  65         }
  66
  67         if (priv->sreg_proto_min) {
  68                 range.min_proto.all = (__force __be16)nft_reg_load16(
  69                         &regs->data[priv->sreg_proto_min]);
  70                 range.max_proto.all = (__force __be16)nft_reg_load16(
  71                         &regs->data[priv->sreg_proto_max]);
  72                 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
  73         }
  74
  75         range.flags |= priv->flags;
  76
  77         regs->verdict.code = nf_nat_setup_info(ct, &range, priv->type);
  78 }
  79
  80 static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
  81         [NFTA_NAT_TYPE]          = { .type = NLA_U32 },
  82         [NFTA_NAT_FAMILY]        = { .type = NLA_U32 },
  83         [NFTA_NAT_REG_ADDR_MIN]  = { .type = NLA_U32 },
  84         [NFTA_NAT_REG_ADDR_MAX]  = { .type = NLA_U32 },
  85         [NFTA_NAT_REG_PROTO_MIN] = { .type = NLA_U32 },
  86         [NFTA_NAT_REG_PROTO_MAX] = { .type = NLA_U32 },
  87         [NFTA_NAT_FLAGS]         = { .type = NLA_U32 },
  88 };
  89
  90 static int nft_nat_validate(const struct nft_ctx *ctx,
  91                             const struct nft_expr *expr,
  92                             const struct nft_data **data)
  93 {
  94         struct nft_nat *priv = nft_expr_priv(expr);
  95         int err;
  96
  97         err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
  98         if (err < 0)
  99                 return err;
 100
 101         switch (priv->type) {
 102         case NFT_NAT_SNAT:
 103                 err = nft_chain_validate_hooks(ctx->chain,
 104                                                (1 << NF_INET_POST_ROUTING) |
 105                                                (1 << NF_INET_LOCAL_IN));
 106                 break;
 107         case NFT_NAT_DNAT:
 108                 err = nft_chain_validate_hooks(ctx->chain,
 109                                                (1 << NF_INET_PRE_ROUTING) |
 110                                                (1 << NF_INET_LOCAL_OUT));
 111                 break;
 112         }
 113
 114         return err;
 115 }
 116
 117 static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 118                         const struct nlattr * const tb[])
 119 {
 120         struct nft_nat *priv = nft_expr_priv(expr);
 121         unsigned int alen, plen;
 122         u32 family;
 123         int err;
 124
 125         if (tb[NFTA_NAT_TYPE] == NULL ||
 126             (tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
 127              tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
 128                 return -EINVAL;
 129
 130         switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
 131         case NFT_NAT_SNAT:
 132                 priv->type = NF_NAT_MANIP_SRC;
 133                 break;
 134         case NFT_NAT_DNAT:
 135                 priv->type = NF_NAT_MANIP_DST;
 136                 break;
 137         default:
 138                 return -EINVAL;
 139         }
 140
 141         if (tb[NFTA_NAT_FAMILY] == NULL)
 142                 return -EINVAL;
 143
 144         family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
 145         if (family != ctx->family)
 146                 return -EOPNOTSUPP;
 147
 148         switch (family) {
 149         case NFPROTO_IPV4:
 150                 alen = FIELD_SIZEOF(struct nf_nat_range, min_addr.ip);
 151                 break;
 152         case NFPROTO_IPV6:
 153                 alen = FIELD_SIZEOF(struct nf_nat_range, min_addr.ip6);
 154                 break;
 155         default:
 156                 return -EAFNOSUPPORT;
 157         }
 158         priv->family = family;
 159
 160         if (tb[NFTA_NAT_REG_ADDR_MIN]) {
 161                 priv->sreg_addr_min =
 162                         nft_parse_register(tb[NFTA_NAT_REG_ADDR_MIN]);
 163                 err = nft_validate_register_load(priv->sreg_addr_min, alen);
 164                 if (err < 0)
 165                         return err;
 166
 167                 if (tb[NFTA_NAT_REG_ADDR_MAX]) {
 168                         priv->sreg_addr_max =
 169                                 nft_parse_register(tb[NFTA_NAT_REG_ADDR_MAX]);
 170
 171                         err = nft_validate_register_load(priv->sreg_addr_max,
 172                                                          alen);
 173                         if (err < 0)
 174                                 return err;
 175                 } else {
 176                         priv->sreg_addr_max = priv->sreg_addr_min;
 177                 }
 178         }
 179
 180         plen = FIELD_SIZEOF(struct nf_nat_range, min_addr.all);
 181         if (tb[NFTA_NAT_REG_PROTO_MIN]) {
 182                 priv->sreg_proto_min =
 183                         nft_parse_register(tb[NFTA_NAT_REG_PROTO_MIN]);
 184
 185                 err = nft_validate_register_load(priv->sreg_proto_min, plen);
 186                 if (err < 0)
 187                         return err;
 188
 189                 if (tb[NFTA_NAT_REG_PROTO_MAX]) {
 190                         priv->sreg_proto_max =
 191                                 nft_parse_register(tb[NFTA_NAT_REG_PROTO_MAX]);
 192
 193                         err = nft_validate_register_load(priv->sreg_proto_max,
 194                                                          plen);
 195                         if (err < 0)
 196                                 return err;
 197                 } else {
 198                         priv->sreg_proto_max = priv->sreg_proto_min;
 199                 }
 200         }
 201
 202         if (tb[NFTA_NAT_FLAGS]) {
 203                 priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
 204                 if (priv->flags & ~NF_NAT_RANGE_MASK)
 205                         return -EINVAL;
 206         }
 207
 208         return nf_ct_netns_get(ctx->net, family);
 209 }
 210
 211 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
 212 {
 213         const struct nft_nat *priv = nft_expr_priv(expr);
 214
 215         switch (priv->type) {
 216         case NF_NAT_MANIP_SRC:
 217                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
 218                         goto nla_put_failure;
 219                 break;
 220         case NF_NAT_MANIP_DST:
 221                 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
 222                         goto nla_put_failure;
 223                 break;
 224         }
 225
 226         if (nla_put_be32(skb, NFTA_NAT_FAMILY, htonl(priv->family)))
 227                 goto nla_put_failure;
 228
 229         if (priv->sreg_addr_min) {
 230                 if (nft_dump_register(skb, NFTA_NAT_REG_ADDR_MIN,
 231                                       priv->sreg_addr_min) ||
 232                     nft_dump_register(skb, NFTA_NAT_REG_ADDR_MAX,
 233                                       priv->sreg_addr_max))
 234                         goto nla_put_failure;
 235         }
 236
 237         if (priv->sreg_proto_min) {
 238                 if (nft_dump_register(skb, NFTA_NAT_REG_PROTO_MIN,
 239                                       priv->sreg_proto_min) ||
 240                     nft_dump_register(skb, NFTA_NAT_REG_PROTO_MAX,
 241                                       priv->sreg_proto_max))
 242                         goto nla_put_failure;
 243         }
 244
 245         if (priv->flags != 0) {
 246                 if (nla_put_be32(skb, NFTA_NAT_FLAGS, htonl(priv->flags)))
 247                         goto nla_put_failure;
 248         }
 249
 250         return 0;
 251
 252 nla_put_failure:
 253         return -1;
 254 }
 255
 256 static void
 257 nft_nat_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 258 {
 259         const struct nft_nat *priv = nft_expr_priv(expr);
 260
 261         nf_ct_netns_put(ctx->net, priv->family);
 262 }
 263
 264 static struct nft_expr_type nft_nat_type;
 265 static const struct nft_expr_ops nft_nat_ops = {
 266         .type           = &nft_nat_type,
 267         .size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
 268         .eval           = nft_nat_eval,
 269         .init           = nft_nat_init,
 270         .destroy        = nft_nat_destroy,
 271         .dump           = nft_nat_dump,
 272         .validate       = nft_nat_validate,
 273 };
 274
 275 static struct nft_expr_type nft_nat_type __read_mostly = {
 276         .name           = "nat",
 277         .ops            = &nft_nat_ops,
 278         .policy         = nft_nat_policy,
 279         .maxattr        = NFTA_NAT_MAX,
 280         .owner          = THIS_MODULE,
 281 };
 282
 283 static int __init nft_nat_module_init(void)
 284 {
 285         return nft_register_expr(&nft_nat_type);
 286 }
 287
 288 static void __exit nft_nat_module_exit(void)
 289 {
 290         nft_unregister_expr(&nft_nat_type);
 291 }
 292
 293 module_init(nft_nat_module_init);
 294 module_exit(nft_nat_module_exit);
 295
 296 MODULE_LICENSE("GPL");
 297 MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
 298 MODULE_ALIAS_NFT_EXPR("nat");