Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip6table_nat.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 Patrick McHardy <[email protected]>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License version 2 as
6  * published by the Free Software Foundation.
7  *
8  * Based on Rusty Russell's IPv4 NAT code. Development of IPv6 NAT
9  * funded by Astaro.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/netfilter.h>
14 #include <linux/netfilter_ipv6.h>
15 #include <linux/netfilter_ipv6/ip6_tables.h>
16 #include <linux/ipv6.h>
17 #include <net/ipv6.h>
18 
19 #include <net/netfilter/nf_nat.h>
20 #include <net/netfilter/nf_nat_core.h>
21 #include <net/netfilter/nf_nat_l3proto.h>
22 
23 static const struct xt_table nf_nat_ipv6_table = {
24  .name = "nat",
25  .valid_hooks = (1 << NF_INET_PRE_ROUTING) |
26  (1 << NF_INET_POST_ROUTING) |
27  (1 << NF_INET_LOCAL_OUT) |
28  (1 << NF_INET_LOCAL_IN),
29  .me = THIS_MODULE,
30  .af = NFPROTO_IPV6,
31 };
32 
33 static unsigned int alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
34 {
35  /* Force range to this IP; let proto decide mapping for
36  * per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
37  */
38  struct nf_nat_range range;
39 
40  range.flags = 0;
41  pr_debug("Allocating NULL binding for %p (%pI6)\n", ct,
42  HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?
43  &ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip6 :
44  &ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip6);
45 
46  return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
47 }
48 
49 static unsigned int nf_nat_rule_find(struct sk_buff *skb, unsigned int hooknum,
50  const struct net_device *in,
51  const struct net_device *out,
52  struct nf_conn *ct)
53 {
54  struct net *net = nf_ct_net(ct);
55  unsigned int ret;
56 
57  ret = ip6t_do_table(skb, hooknum, in, out, net->ipv6.ip6table_nat);
58  if (ret == NF_ACCEPT) {
59  if (!nf_nat_initialized(ct, HOOK2MANIP(hooknum)))
60  ret = alloc_null_binding(ct, hooknum);
61  }
62  return ret;
63 }
64 
65 static unsigned int
66 nf_nat_ipv6_fn(unsigned int hooknum,
67  struct sk_buff *skb,
68  const struct net_device *in,
69  const struct net_device *out,
70  int (*okfn)(struct sk_buff *))
71 {
72  struct nf_conn *ct;
73  enum ip_conntrack_info ctinfo;
74  struct nf_conn_nat *nat;
75  enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum);
76  __be16 frag_off;
77  int hdrlen;
78  u8 nexthdr;
79 
80  ct = nf_ct_get(skb, &ctinfo);
81  /* Can't track? It's not due to stress, or conntrack would
82  * have dropped it. Hence it's the user's responsibilty to
83  * packet filter it out, or implement conntrack/NAT for that
84  * protocol. 8) --RR
85  */
86  if (!ct)
87  return NF_ACCEPT;
88 
89  /* Don't try to NAT if this packet is not conntracked */
90  if (nf_ct_is_untracked(ct))
91  return NF_ACCEPT;
92 
93  nat = nfct_nat(ct);
94  if (!nat) {
95  /* NAT module was loaded late. */
96  if (nf_ct_is_confirmed(ct))
97  return NF_ACCEPT;
98  nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
99  if (nat == NULL) {
100  pr_debug("failed to add NAT extension\n");
101  return NF_ACCEPT;
102  }
103  }
104 
105  switch (ctinfo) {
106  case IP_CT_RELATED:
107  case IP_CT_RELATED_REPLY:
108  nexthdr = ipv6_hdr(skb)->nexthdr;
109  hdrlen = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
110  &nexthdr, &frag_off);
111 
112  if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
113  if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo,
114  hooknum, hdrlen))
115  return NF_DROP;
116  else
117  return NF_ACCEPT;
118  }
119  /* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */
120  case IP_CT_NEW:
121  /* Seen it before? This can happen for loopback, retrans,
122  * or local packets.
123  */
124  if (!nf_nat_initialized(ct, maniptype)) {
125  unsigned int ret;
126 
127  ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
128  if (ret != NF_ACCEPT)
129  return ret;
130  } else
131  pr_debug("Already setup manip %s for ct %p\n",
132  maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
133  ct);
134  break;
135 
136  default:
137  /* ESTABLISHED */
138  NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
139  ctinfo == IP_CT_ESTABLISHED_REPLY);
140  }
141 
142  return nf_nat_packet(ct, ctinfo, hooknum, skb);
143 }
144 
145 static unsigned int
146 nf_nat_ipv6_in(unsigned int hooknum,
147  struct sk_buff *skb,
148  const struct net_device *in,
149  const struct net_device *out,
150  int (*okfn)(struct sk_buff *))
151 {
152  unsigned int ret;
153  struct in6_addr daddr = ipv6_hdr(skb)->daddr;
154 
155  ret = nf_nat_ipv6_fn(hooknum, skb, in, out, okfn);
156  if (ret != NF_DROP && ret != NF_STOLEN &&
157  ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr))
158  skb_dst_drop(skb);
159 
160  return ret;
161 }
162 
163 static unsigned int
164 nf_nat_ipv6_out(unsigned int hooknum,
165  struct sk_buff *skb,
166  const struct net_device *in,
167  const struct net_device *out,
168  int (*okfn)(struct sk_buff *))
169 {
170 #ifdef CONFIG_XFRM
171  const struct nf_conn *ct;
172  enum ip_conntrack_info ctinfo;
173 #endif
174  unsigned int ret;
175 
176  /* root is playing with raw sockets. */
177  if (skb->len < sizeof(struct ipv6hdr))
178  return NF_ACCEPT;
179 
180  ret = nf_nat_ipv6_fn(hooknum, skb, in, out, okfn);
181 #ifdef CONFIG_XFRM
182  if (ret != NF_DROP && ret != NF_STOLEN &&
183  !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
184  (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
185  enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
186 
187  if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3,
188  &ct->tuplehash[!dir].tuple.dst.u3) ||
189  (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
190  ct->tuplehash[dir].tuple.src.u.all !=
191  ct->tuplehash[!dir].tuple.dst.u.all))
192  if (nf_xfrm_me_harder(skb, AF_INET6) < 0)
193  ret = NF_DROP;
194  }
195 #endif
196  return ret;
197 }
198 
199 static unsigned int
200 nf_nat_ipv6_local_fn(unsigned int hooknum,
201  struct sk_buff *skb,
202  const struct net_device *in,
203  const struct net_device *out,
204  int (*okfn)(struct sk_buff *))
205 {
206  const struct nf_conn *ct;
207  enum ip_conntrack_info ctinfo;
208  unsigned int ret;
209 
210  /* root is playing with raw sockets. */
211  if (skb->len < sizeof(struct ipv6hdr))
212  return NF_ACCEPT;
213 
214  ret = nf_nat_ipv6_fn(hooknum, skb, in, out, okfn);
215  if (ret != NF_DROP && ret != NF_STOLEN &&
216  (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
217  enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
218 
219  if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3,
220  &ct->tuplehash[!dir].tuple.src.u3)) {
221  if (ip6_route_me_harder(skb))
222  ret = NF_DROP;
223  }
224 #ifdef CONFIG_XFRM
225  else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
226  ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
227  ct->tuplehash[dir].tuple.dst.u.all !=
228  ct->tuplehash[!dir].tuple.src.u.all)
229  if (nf_xfrm_me_harder(skb, AF_INET6))
230  ret = NF_DROP;
231 #endif
232  }
233  return ret;
234 }
235 
236 static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = {
237  /* Before packet filtering, change destination */
238  {
239  .hook = nf_nat_ipv6_in,
240  .owner = THIS_MODULE,
241  .pf = NFPROTO_IPV6,
242  .hooknum = NF_INET_PRE_ROUTING,
243  .priority = NF_IP6_PRI_NAT_DST,
244  },
245  /* After packet filtering, change source */
246  {
247  .hook = nf_nat_ipv6_out,
248  .owner = THIS_MODULE,
249  .pf = NFPROTO_IPV6,
250  .hooknum = NF_INET_POST_ROUTING,
251  .priority = NF_IP6_PRI_NAT_SRC,
252  },
253  /* Before packet filtering, change destination */
254  {
255  .hook = nf_nat_ipv6_local_fn,
256  .owner = THIS_MODULE,
257  .pf = NFPROTO_IPV6,
258  .hooknum = NF_INET_LOCAL_OUT,
259  .priority = NF_IP6_PRI_NAT_DST,
260  },
261  /* After packet filtering, change source */
262  {
263  .hook = nf_nat_ipv6_fn,
264  .owner = THIS_MODULE,
265  .pf = NFPROTO_IPV6,
266  .hooknum = NF_INET_LOCAL_IN,
267  .priority = NF_IP6_PRI_NAT_SRC,
268  },
269 };
270 
271 static int __net_init ip6table_nat_net_init(struct net *net)
272 {
273  struct ip6t_replace *repl;
274 
275  repl = ip6t_alloc_initial_table(&nf_nat_ipv6_table);
276  if (repl == NULL)
277  return -ENOMEM;
278  net->ipv6.ip6table_nat = ip6t_register_table(net, &nf_nat_ipv6_table, repl);
279  kfree(repl);
280  if (IS_ERR(net->ipv6.ip6table_nat))
281  return PTR_ERR(net->ipv6.ip6table_nat);
282  return 0;
283 }
284 
285 static void __net_exit ip6table_nat_net_exit(struct net *net)
286 {
287  ip6t_unregister_table(net, net->ipv6.ip6table_nat);
288 }
289 
290 static struct pernet_operations ip6table_nat_net_ops = {
291  .init = ip6table_nat_net_init,
292  .exit = ip6table_nat_net_exit,
293 };
294 
295 static int __init ip6table_nat_init(void)
296 {
297  int err;
298 
299  err = register_pernet_subsys(&ip6table_nat_net_ops);
300  if (err < 0)
301  goto err1;
302 
303  err = nf_register_hooks(nf_nat_ipv6_ops, ARRAY_SIZE(nf_nat_ipv6_ops));
304  if (err < 0)
305  goto err2;
306  return 0;
307 
308 err2:
309  unregister_pernet_subsys(&ip6table_nat_net_ops);
310 err1:
311  return err;
312 }
313 
314 static void __exit ip6table_nat_exit(void)
315 {
316  nf_unregister_hooks(nf_nat_ipv6_ops, ARRAY_SIZE(nf_nat_ipv6_ops));
317  unregister_pernet_subsys(&ip6table_nat_net_ops);
318 }
319 
320 module_init(ip6table_nat_init);
321 module_exit(ip6table_nat_exit);
322 
323 MODULE_LICENSE("GPL");
Generated on Thu Jan 10 2013 14:59:25 for Linux Kernel by   doxygen 1.8.2