search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gpio: rcar: Fix runtime PM imbalance on error
[linux/fpc-iii.git] / net / netfilter / nft_nat.c
blob8b44a4de53294f25f85eb84bd3d5d4aac568d109
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4 * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
5 * Copyright (c) 2012 Intel Corporation
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/skbuff.h>
11 #include <linux/ip.h>
12 #include <linux/string.h>
13 #include <linux/netlink.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter_ipv4.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_conntrack.h>
19 #include <net/netfilter/nf_nat.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/ip.h>
22
23 struct nft_nat {
24 enum nft_registers sreg_addr_min:8;
25 enum nft_registers sreg_addr_max:8;
26 enum nft_registers sreg_proto_min:8;
27 enum nft_registers sreg_proto_max:8;
28 enum nf_nat_manip_type type:8;
29 u8 family;
30 u16 flags;
31 };
32
33 static void nft_nat_eval(const struct nft_expr *expr,
34 struct nft_regs *regs,
35 const struct nft_pktinfo *pkt)
36 {
37 const struct nft_nat *priv = nft_expr_priv(expr);
38 enum ip_conntrack_info ctinfo;
39 struct nf_conn *ct = nf_ct_get(pkt->skb, &ctinfo);
40 struct nf_nat_range2 range;
41
42 memset(&range, 0, sizeof(range));
43 if (priv->sreg_addr_min) {
44 if (priv->family == AF_INET) {
45 range.min_addr.ip = (__force __be32)
46 regs->data[priv->sreg_addr_min];
47 range.max_addr.ip = (__force __be32)
48 regs->data[priv->sreg_addr_max];
49
50 } else {
51 memcpy(range.min_addr.ip6,
52 &regs->data[priv->sreg_addr_min],
53 sizeof(range.min_addr.ip6));
54 memcpy(range.max_addr.ip6,
55 &regs->data[priv->sreg_addr_max],
56 sizeof(range.max_addr.ip6));
57 }
58 range.flags |= NF_NAT_RANGE_MAP_IPS;
59 }
60
61 if (priv->sreg_proto_min) {
62 range.min_proto.all = (__force __be16)nft_reg_load16(
63 &regs->data[priv->sreg_proto_min]);
64 range.max_proto.all = (__force __be16)nft_reg_load16(
65 &regs->data[priv->sreg_proto_max]);
66 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
67 }
68
69 range.flags |= priv->flags;
70
71 regs->verdict.code = nf_nat_setup_info(ct, &range, priv->type);
72 }
73
74 static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
75 [NFTA_NAT_TYPE] = { .type = NLA_U32 },
76 [NFTA_NAT_FAMILY] = { .type = NLA_U32 },
77 [NFTA_NAT_REG_ADDR_MIN] = { .type = NLA_U32 },
78 [NFTA_NAT_REG_ADDR_MAX] = { .type = NLA_U32 },
79 [NFTA_NAT_REG_PROTO_MIN] = { .type = NLA_U32 },
80 [NFTA_NAT_REG_PROTO_MAX] = { .type = NLA_U32 },
81 [NFTA_NAT_FLAGS] = { .type = NLA_U32 },
82 };
83
84 static int nft_nat_validate(const struct nft_ctx *ctx,
85 const struct nft_expr *expr,
86 const struct nft_data **data)
87 {
88 struct nft_nat *priv = nft_expr_priv(expr);
89 int err;
90
91 err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
92 if (err < 0)
93 return err;
94
95 switch (priv->type) {
96 case NFT_NAT_SNAT:
97 err = nft_chain_validate_hooks(ctx->chain,
98 (1 << NF_INET_POST_ROUTING) |
99 (1 << NF_INET_LOCAL_IN));
100 break;
101 case NFT_NAT_DNAT:
102 err = nft_chain_validate_hooks(ctx->chain,
103 (1 << NF_INET_PRE_ROUTING) |
104 (1 << NF_INET_LOCAL_OUT));
105 break;
106 }
107
108 return err;
109 }
110
111 static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
112 const struct nlattr * const tb[])
113 {
114 struct nft_nat *priv = nft_expr_priv(expr);
115 unsigned int alen, plen;
116 u32 family;
117 int err;
118
119 if (tb[NFTA_NAT_TYPE] == NULL ||
120 (tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
121 tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
122 return -EINVAL;
123
124 switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {
125 case NFT_NAT_SNAT:
126 priv->type = NF_NAT_MANIP_SRC;
127 break;
128 case NFT_NAT_DNAT:
129 priv->type = NF_NAT_MANIP_DST;
130 break;
131 default:
132 return -EINVAL;
133 }
134
135 if (tb[NFTA_NAT_FAMILY] == NULL)
136 return -EINVAL;
137
138 family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
139 if (ctx->family != NFPROTO_INET && ctx->family != family)
140 return -EOPNOTSUPP;
141
142 switch (family) {
143 case NFPROTO_IPV4:
144 alen = sizeof_field(struct nf_nat_range, min_addr.ip);
145 break;
146 case NFPROTO_IPV6:
147 alen = sizeof_field(struct nf_nat_range, min_addr.ip6);
148 break;
149 default:
150 return -EAFNOSUPPORT;
151 }
152 priv->family = family;
153
154 if (tb[NFTA_NAT_REG_ADDR_MIN]) {
155 priv->sreg_addr_min =
156 nft_parse_register(tb[NFTA_NAT_REG_ADDR_MIN]);
157 err = nft_validate_register_load(priv->sreg_addr_min, alen);
158 if (err < 0)
159 return err;
160
161 if (tb[NFTA_NAT_REG_ADDR_MAX]) {
162 priv->sreg_addr_max =
163 nft_parse_register(tb[NFTA_NAT_REG_ADDR_MAX]);
164
165 err = nft_validate_register_load(priv->sreg_addr_max,
166 alen);
167 if (err < 0)
168 return err;
169 } else {
170 priv->sreg_addr_max = priv->sreg_addr_min;
171 }
172 }
173
174 plen = sizeof_field(struct nf_nat_range, min_addr.all);
175 if (tb[NFTA_NAT_REG_PROTO_MIN]) {
176 priv->sreg_proto_min =
177 nft_parse_register(tb[NFTA_NAT_REG_PROTO_MIN]);
178
179 err = nft_validate_register_load(priv->sreg_proto_min, plen);
180 if (err < 0)
181 return err;
182
183 if (tb[NFTA_NAT_REG_PROTO_MAX]) {
184 priv->sreg_proto_max =
185 nft_parse_register(tb[NFTA_NAT_REG_PROTO_MAX]);
186
187 err = nft_validate_register_load(priv->sreg_proto_max,
188 plen);
189 if (err < 0)
190 return err;
191 } else {
192 priv->sreg_proto_max = priv->sreg_proto_min;
193 }
194 }
195
196 if (tb[NFTA_NAT_FLAGS]) {
197 priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
198 if (priv->flags & ~NF_NAT_RANGE_MASK)
199 return -EINVAL;
200 }
201
202 return nf_ct_netns_get(ctx->net, family);
203 }
204
205 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
206 {
207 const struct nft_nat *priv = nft_expr_priv(expr);
208
209 switch (priv->type) {
210 case NF_NAT_MANIP_SRC:
211 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_SNAT)))
212 goto nla_put_failure;
213 break;
214 case NF_NAT_MANIP_DST:
215 if (nla_put_be32(skb, NFTA_NAT_TYPE, htonl(NFT_NAT_DNAT)))
216 goto nla_put_failure;
217 break;
218 }
219
220 if (nla_put_be32(skb, NFTA_NAT_FAMILY, htonl(priv->family)))
221 goto nla_put_failure;
222
223 if (priv->sreg_addr_min) {
224 if (nft_dump_register(skb, NFTA_NAT_REG_ADDR_MIN,
225 priv->sreg_addr_min) ||
226 nft_dump_register(skb, NFTA_NAT_REG_ADDR_MAX,
227 priv->sreg_addr_max))
228 goto nla_put_failure;
229 }
230
231 if (priv->sreg_proto_min) {
232 if (nft_dump_register(skb, NFTA_NAT_REG_PROTO_MIN,
233 priv->sreg_proto_min) ||
234 nft_dump_register(skb, NFTA_NAT_REG_PROTO_MAX,
235 priv->sreg_proto_max))
236 goto nla_put_failure;
237 }
238
239 if (priv->flags != 0) {
240 if (nla_put_be32(skb, NFTA_NAT_FLAGS, htonl(priv->flags)))
241 goto nla_put_failure;
242 }
243
244 return 0;
245
246 nla_put_failure:
247 return -1;
248 }
249
250 static void
251 nft_nat_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
252 {
253 const struct nft_nat *priv = nft_expr_priv(expr);
254
255 nf_ct_netns_put(ctx->net, priv->family);
256 }
257
258 static struct nft_expr_type nft_nat_type;
259 static const struct nft_expr_ops nft_nat_ops = {
260 .type = &nft_nat_type,
261 .size = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
262 .eval = nft_nat_eval,
263 .init = nft_nat_init,
264 .destroy = nft_nat_destroy,
265 .dump = nft_nat_dump,
266 .validate = nft_nat_validate,
267 };
268
269 static struct nft_expr_type nft_nat_type __read_mostly = {
270 .name = "nat",
271 .ops = &nft_nat_ops,
272 .policy = nft_nat_policy,
273 .maxattr = NFTA_NAT_MAX,
274 .owner = THIS_MODULE,
275 };
276
277 #ifdef CONFIG_NF_TABLES_INET
278 static void nft_nat_inet_eval(const struct nft_expr *expr,
279 struct nft_regs *regs,
280 const struct nft_pktinfo *pkt)
281 {
282 const struct nft_nat *priv = nft_expr_priv(expr);
283
284 if (priv->family == nft_pf(pkt))
285 nft_nat_eval(expr, regs, pkt);
286 }
287
288 static const struct nft_expr_ops nft_nat_inet_ops = {
289 .type = &nft_nat_type,
290 .size = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
291 .eval = nft_nat_inet_eval,
292 .init = nft_nat_init,
293 .destroy = nft_nat_destroy,
294 .dump = nft_nat_dump,
295 .validate = nft_nat_validate,
296 };
297
298 static struct nft_expr_type nft_inet_nat_type __read_mostly = {
299 .name = "nat",
300 .family = NFPROTO_INET,
301 .ops = &nft_nat_inet_ops,
302 .policy = nft_nat_policy,
303 .maxattr = NFTA_NAT_MAX,
304 .owner = THIS_MODULE,
305 };
306
307 static int nft_nat_inet_module_init(void)
308 {
309 return nft_register_expr(&nft_inet_nat_type);
310 }
311
312 static void nft_nat_inet_module_exit(void)
313 {
314 nft_unregister_expr(&nft_inet_nat_type);
315 }
316 #else
317 static int nft_nat_inet_module_init(void) { return 0; }
318 static void nft_nat_inet_module_exit(void) { }
319 #endif
320
321 static int __init nft_nat_module_init(void)
322 {
323 int ret = nft_nat_inet_module_init();
324
325 if (ret)
326 return ret;
327
328 ret = nft_register_expr(&nft_nat_type);
329 if (ret)
330 nft_nat_inet_module_exit();
331
332 return ret;
333 }
334
335 static void __exit nft_nat_module_exit(void)
336 {
337 nft_nat_inet_module_exit();
338 nft_unregister_expr(&nft_nat_type);
339 }
340
341 module_init(nft_nat_module_init);
342 module_exit(nft_nat_module_exit);
343
344 MODULE_LICENSE("GPL");
345 MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
346 MODULE_ALIAS_NFT_EXPR("nat");
Linux with added FPC-III support