Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nf_conntrack_l3proto_ipv4.c
Go to the documentation of this file.
1 
2 /* (C) 1999-2001 Paul `Rusty' Russell
3  * (C) 2002-2004 Netfilter Core Team <[email protected]>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  */
9 
10 #include <linux/types.h>
11 #include <linux/ip.h>
12 #include <linux/netfilter.h>
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
15 #include <linux/icmp.h>
16 #include <linux/sysctl.h>
17 #include <net/route.h>
18 #include <net/ip.h>
19 
20 #include <linux/netfilter_ipv4.h>
21 #include <net/netfilter/nf_conntrack.h>
22 #include <net/netfilter/nf_conntrack_helper.h>
23 #include <net/netfilter/nf_conntrack_l4proto.h>
24 #include <net/netfilter/nf_conntrack_l3proto.h>
25 #include <net/netfilter/nf_conntrack_zones.h>
26 #include <net/netfilter/nf_conntrack_core.h>
27 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
28 #include <net/netfilter/nf_nat_helper.h>
29 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
30 #include <net/netfilter/nf_log.h>
31 
32 static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
33  struct nf_conntrack_tuple *tuple)
34 {
35  const __be32 *ap;
36  __be32 _addrs[2];
37  ap = skb_header_pointer(skb, nhoff + offsetof(struct iphdr, saddr),
38  sizeof(u_int32_t) * 2, _addrs);
39  if (ap == NULL)
40  return false;
41 
42  tuple->src.u3.ip = ap[0];
43  tuple->dst.u3.ip = ap[1];
44 
45  return true;
46 }
47 
48 static bool ipv4_invert_tuple(struct nf_conntrack_tuple *tuple,
49  const struct nf_conntrack_tuple *orig)
50 {
51  tuple->src.u3.ip = orig->dst.u3.ip;
52  tuple->dst.u3.ip = orig->src.u3.ip;
53 
54  return true;
55 }
56 
57 static int ipv4_print_tuple(struct seq_file *s,
58  const struct nf_conntrack_tuple *tuple)
59 {
60  return seq_printf(s, "src=%pI4 dst=%pI4 ",
61  &tuple->src.u3.ip, &tuple->dst.u3.ip);
62 }
63 
64 static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
65  unsigned int *dataoff, u_int8_t *protonum)
66 {
67  const struct iphdr *iph;
68  struct iphdr _iph;
69 
70  iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
71  if (iph == NULL)
72  return -NF_ACCEPT;
73 
74  /* Conntrack defragments packets, we might still see fragments
75  * inside ICMP packets though. */
76  if (iph->frag_off & htons(IP_OFFSET))
77  return -NF_ACCEPT;
78 
79  *dataoff = nhoff + (iph->ihl << 2);
80  *protonum = iph->protocol;
81 
82  /* Check bogus IP headers */
83  if (*dataoff > skb->len) {
84  pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
85  "nhoff %u, ihl %u, skblen %u\n",
86  nhoff, iph->ihl << 2, skb->len);
87  return -NF_ACCEPT;
88  }
89 
90  return NF_ACCEPT;
91 }
92 
93 static unsigned int ipv4_helper(unsigned int hooknum,
94  struct sk_buff *skb,
95  const struct net_device *in,
96  const struct net_device *out,
97  int (*okfn)(struct sk_buff *))
98 {
99  struct nf_conn *ct;
100  enum ip_conntrack_info ctinfo;
101  const struct nf_conn_help *help;
102  const struct nf_conntrack_helper *helper;
103  unsigned int ret;
104 
105  /* This is where we call the helper: as the packet goes out. */
106  ct = nf_ct_get(skb, &ctinfo);
107  if (!ct || ctinfo == IP_CT_RELATED_REPLY)
108  return NF_ACCEPT;
109 
110  help = nfct_help(ct);
111  if (!help)
112  return NF_ACCEPT;
113 
114  /* rcu_read_lock()ed by nf_hook_slow */
115  helper = rcu_dereference(help->helper);
116  if (!helper)
117  return NF_ACCEPT;
118 
119  ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
120  ct, ctinfo);
121  if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
122  nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
123  "nf_ct_%s: dropping packet", helper->name);
124  }
125  return ret;
126 }
127 
128 static unsigned int ipv4_confirm(unsigned int hooknum,
129  struct sk_buff *skb,
130  const struct net_device *in,
131  const struct net_device *out,
132  int (*okfn)(struct sk_buff *))
133 {
134  struct nf_conn *ct;
135  enum ip_conntrack_info ctinfo;
136 
137  ct = nf_ct_get(skb, &ctinfo);
138  if (!ct || ctinfo == IP_CT_RELATED_REPLY)
139  goto out;
140 
141  /* adjust seqs for loopback traffic only in outgoing direction */
142  if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
143  !nf_is_loopback_packet(skb)) {
144  typeof(nf_nat_seq_adjust_hook) seq_adjust;
145 
146  seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
147  if (!seq_adjust ||
148  !seq_adjust(skb, ct, ctinfo, ip_hdrlen(skb))) {
149  NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
150  return NF_DROP;
151  }
152  }
153 out:
154  /* We've seen it coming out the other side: confirm it */
155  return nf_conntrack_confirm(skb);
156 }
157 
158 static unsigned int ipv4_conntrack_in(unsigned int hooknum,
159  struct sk_buff *skb,
160  const struct net_device *in,
161  const struct net_device *out,
162  int (*okfn)(struct sk_buff *))
163 {
164  return nf_conntrack_in(dev_net(in), PF_INET, hooknum, skb);
165 }
166 
167 static unsigned int ipv4_conntrack_local(unsigned int hooknum,
168  struct sk_buff *skb,
169  const struct net_device *in,
170  const struct net_device *out,
171  int (*okfn)(struct sk_buff *))
172 {
173  /* root is playing with raw sockets. */
174  if (skb->len < sizeof(struct iphdr) ||
175  ip_hdrlen(skb) < sizeof(struct iphdr))
176  return NF_ACCEPT;
177  return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);
178 }
179 
180 /* Connection tracking may drop packets, but never alters them, so
181  make it the first hook. */
182 static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
183  {
184  .hook = ipv4_conntrack_in,
185  .owner = THIS_MODULE,
186  .pf = NFPROTO_IPV4,
187  .hooknum = NF_INET_PRE_ROUTING,
188  .priority = NF_IP_PRI_CONNTRACK,
189  },
190  {
191  .hook = ipv4_conntrack_local,
192  .owner = THIS_MODULE,
193  .pf = NFPROTO_IPV4,
194  .hooknum = NF_INET_LOCAL_OUT,
195  .priority = NF_IP_PRI_CONNTRACK,
196  },
197  {
198  .hook = ipv4_helper,
199  .owner = THIS_MODULE,
200  .pf = NFPROTO_IPV4,
201  .hooknum = NF_INET_POST_ROUTING,
202  .priority = NF_IP_PRI_CONNTRACK_HELPER,
203  },
204  {
205  .hook = ipv4_confirm,
206  .owner = THIS_MODULE,
207  .pf = NFPROTO_IPV4,
208  .hooknum = NF_INET_POST_ROUTING,
209  .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
210  },
211  {
212  .hook = ipv4_helper,
213  .owner = THIS_MODULE,
214  .pf = NFPROTO_IPV4,
215  .hooknum = NF_INET_LOCAL_IN,
216  .priority = NF_IP_PRI_CONNTRACK_HELPER,
217  },
218  {
219  .hook = ipv4_confirm,
220  .owner = THIS_MODULE,
221  .pf = NFPROTO_IPV4,
222  .hooknum = NF_INET_LOCAL_IN,
223  .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
224  },
225 };
226 
227 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
228 static int log_invalid_proto_min = 0;
229 static int log_invalid_proto_max = 255;
230 
231 static ctl_table ip_ct_sysctl_table[] = {
232  {
233  .procname = "ip_conntrack_max",
234  .maxlen = sizeof(int),
235  .mode = 0644,
236  .proc_handler = proc_dointvec,
237  },
238  {
239  .procname = "ip_conntrack_count",
240  .maxlen = sizeof(int),
241  .mode = 0444,
242  .proc_handler = proc_dointvec,
243  },
244  {
245  .procname = "ip_conntrack_buckets",
246  .maxlen = sizeof(unsigned int),
247  .mode = 0444,
248  .proc_handler = proc_dointvec,
249  },
250  {
251  .procname = "ip_conntrack_checksum",
252  .maxlen = sizeof(int),
253  .mode = 0644,
254  .proc_handler = proc_dointvec,
255  },
256  {
257  .procname = "ip_conntrack_log_invalid",
258  .maxlen = sizeof(unsigned int),
259  .mode = 0644,
260  .proc_handler = proc_dointvec_minmax,
261  .extra1 = &log_invalid_proto_min,
262  .extra2 = &log_invalid_proto_max,
263  },
264  { }
265 };
266 #endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
267 
268 /* Fast function for those who don't want to parse /proc (and I don't
269  blame them). */
270 /* Reversing the socket's dst/src point of view gives us the reply
271  mapping. */
272 static int
273 getorigdst(struct sock *sk, int optval, void __user *user, int *len)
274 {
275  const struct inet_sock *inet = inet_sk(sk);
276  const struct nf_conntrack_tuple_hash *h;
277  struct nf_conntrack_tuple tuple;
278 
279  memset(&tuple, 0, sizeof(tuple));
280  tuple.src.u3.ip = inet->inet_rcv_saddr;
281  tuple.src.u.tcp.port = inet->inet_sport;
282  tuple.dst.u3.ip = inet->inet_daddr;
283  tuple.dst.u.tcp.port = inet->inet_dport;
284  tuple.src.l3num = PF_INET;
285  tuple.dst.protonum = sk->sk_protocol;
286 
287  /* We only do TCP and SCTP at the moment: is there a better way? */
288  if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
289  pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
290  return -ENOPROTOOPT;
291  }
292 
293  if ((unsigned int) *len < sizeof(struct sockaddr_in)) {
294  pr_debug("SO_ORIGINAL_DST: len %d not %Zu\n",
295  *len, sizeof(struct sockaddr_in));
296  return -EINVAL;
297  }
298 
299  h = nf_conntrack_find_get(sock_net(sk), NF_CT_DEFAULT_ZONE, &tuple);
300  if (h) {
301  struct sockaddr_in sin;
302  struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
303 
304  sin.sin_family = AF_INET;
305  sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
306  .tuple.dst.u.tcp.port;
307  sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
308  .tuple.dst.u3.ip;
309  memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
310 
311  pr_debug("SO_ORIGINAL_DST: %pI4 %u\n",
312  &sin.sin_addr.s_addr, ntohs(sin.sin_port));
313  nf_ct_put(ct);
314  if (copy_to_user(user, &sin, sizeof(sin)) != 0)
315  return -EFAULT;
316  else
317  return 0;
318  }
319  pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%u-%pI4/%u.\n",
320  &tuple.src.u3.ip, ntohs(tuple.src.u.tcp.port),
321  &tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port));
322  return -ENOENT;
323 }
324 
325 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
326 
327 #include <linux/netfilter/nfnetlink.h>
328 #include <linux/netfilter/nfnetlink_conntrack.h>
329 
330 static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
331  const struct nf_conntrack_tuple *tuple)
332 {
333  if (nla_put_be32(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
334  nla_put_be32(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
335  goto nla_put_failure;
336  return 0;
337 
338 nla_put_failure:
339  return -1;
340 }
341 
342 static const struct nla_policy ipv4_nla_policy[CTA_IP_MAX+1] = {
343  [CTA_IP_V4_SRC] = { .type = NLA_U32 },
344  [CTA_IP_V4_DST] = { .type = NLA_U32 },
345 };
346 
347 static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
348  struct nf_conntrack_tuple *t)
349 {
350  if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
351  return -EINVAL;
352 
353  t->src.u3.ip = nla_get_be32(tb[CTA_IP_V4_SRC]);
354  t->dst.u3.ip = nla_get_be32(tb[CTA_IP_V4_DST]);
355 
356  return 0;
357 }
358 
359 static int ipv4_nlattr_tuple_size(void)
360 {
361  return nla_policy_len(ipv4_nla_policy, CTA_IP_MAX + 1);
362 }
363 #endif
364 
365 static struct nf_sockopt_ops so_getorigdst = {
366  .pf = PF_INET,
367  .get_optmin = SO_ORIGINAL_DST,
368  .get_optmax = SO_ORIGINAL_DST+1,
369  .get = &getorigdst,
370  .owner = THIS_MODULE,
371 };
372 
373 static int ipv4_init_net(struct net *net)
374 {
375 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
376  struct nf_ip_net *in = &net->ct.nf_ct_proto;
377  in->ctl_table = kmemdup(ip_ct_sysctl_table,
378  sizeof(ip_ct_sysctl_table),
379  GFP_KERNEL);
380  if (!in->ctl_table)
381  return -ENOMEM;
382 
383  in->ctl_table[0].data = &nf_conntrack_max;
384  in->ctl_table[1].data = &net->ct.count;
385  in->ctl_table[2].data = &net->ct.htable_size;
386  in->ctl_table[3].data = &net->ct.sysctl_checksum;
387  in->ctl_table[4].data = &net->ct.sysctl_log_invalid;
388 #endif
389  return 0;
390 }
391 
392 struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
393  .l3proto = PF_INET,
394  .name = "ipv4",
395  .pkt_to_tuple = ipv4_pkt_to_tuple,
396  .invert_tuple = ipv4_invert_tuple,
397  .print_tuple = ipv4_print_tuple,
398  .get_l4proto = ipv4_get_l4proto,
399 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
400  .tuple_to_nlattr = ipv4_tuple_to_nlattr,
401  .nlattr_tuple_size = ipv4_nlattr_tuple_size,
402  .nlattr_to_tuple = ipv4_nlattr_to_tuple,
403  .nla_policy = ipv4_nla_policy,
404 #endif
405 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
406  .ctl_table_path = "net/ipv4/netfilter",
407 #endif
408  .init_net = ipv4_init_net,
409  .me = THIS_MODULE,
410 };
411 
412 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
413  &nf_conntrack_htable_size, 0600);
414 
415 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
416 MODULE_ALIAS("ip_conntrack");
417 MODULE_LICENSE("GPL");
418 
419 static int ipv4_net_init(struct net *net)
420 {
421  int ret = 0;
422 
423  ret = nf_conntrack_l4proto_register(net,
424  &nf_conntrack_l4proto_tcp4);
425  if (ret < 0) {
426  pr_err("nf_conntrack_l4proto_tcp4 :protocol register failed\n");
427  goto out_tcp;
428  }
429  ret = nf_conntrack_l4proto_register(net,
430  &nf_conntrack_l4proto_udp4);
431  if (ret < 0) {
432  pr_err("nf_conntrack_l4proto_udp4 :protocol register failed\n");
433  goto out_udp;
434  }
435  ret = nf_conntrack_l4proto_register(net,
436  &nf_conntrack_l4proto_icmp);
437  if (ret < 0) {
438  pr_err("nf_conntrack_l4proto_icmp4 :protocol register failed\n");
439  goto out_icmp;
440  }
441  ret = nf_conntrack_l3proto_register(net,
442  &nf_conntrack_l3proto_ipv4);
443  if (ret < 0) {
444  pr_err("nf_conntrack_l3proto_ipv4 :protocol register failed\n");
445  goto out_ipv4;
446  }
447  return 0;
448 out_ipv4:
449  nf_conntrack_l4proto_unregister(net,
450  &nf_conntrack_l4proto_icmp);
451 out_icmp:
452  nf_conntrack_l4proto_unregister(net,
453  &nf_conntrack_l4proto_udp4);
454 out_udp:
455  nf_conntrack_l4proto_unregister(net,
456  &nf_conntrack_l4proto_tcp4);
457 out_tcp:
458  return ret;
459 }
460 
461 static void ipv4_net_exit(struct net *net)
462 {
463  nf_conntrack_l3proto_unregister(net,
464  &nf_conntrack_l3proto_ipv4);
465  nf_conntrack_l4proto_unregister(net,
466  &nf_conntrack_l4proto_icmp);
467  nf_conntrack_l4proto_unregister(net,
468  &nf_conntrack_l4proto_udp4);
469  nf_conntrack_l4proto_unregister(net,
470  &nf_conntrack_l4proto_tcp4);
471 }
472 
473 static struct pernet_operations ipv4_net_ops = {
474  .init = ipv4_net_init,
475  .exit = ipv4_net_exit,
476 };
477 
478 static int __init nf_conntrack_l3proto_ipv4_init(void)
479 {
480  int ret = 0;
481 
482  need_conntrack();
483  nf_defrag_ipv4_enable();
484 
485  ret = nf_register_sockopt(&so_getorigdst);
486  if (ret < 0) {
487  printk(KERN_ERR "Unable to register netfilter socket option\n");
488  return ret;
489  }
490 
491  ret = register_pernet_subsys(&ipv4_net_ops);
492  if (ret < 0) {
493  pr_err("nf_conntrack_ipv4: can't register pernet ops\n");
494  goto cleanup_sockopt;
495  }
496 
497  ret = nf_register_hooks(ipv4_conntrack_ops,
498  ARRAY_SIZE(ipv4_conntrack_ops));
499  if (ret < 0) {
500  pr_err("nf_conntrack_ipv4: can't register hooks.\n");
501  goto cleanup_pernet;
502  }
503 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
504  ret = nf_conntrack_ipv4_compat_init();
505  if (ret < 0)
506  goto cleanup_hooks;
507 #endif
508  return ret;
509 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
510  cleanup_hooks:
511  nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
512 #endif
513  cleanup_pernet:
514  unregister_pernet_subsys(&ipv4_net_ops);
515  cleanup_sockopt:
516  nf_unregister_sockopt(&so_getorigdst);
517  return ret;
518 }
519 
520 static void __exit nf_conntrack_l3proto_ipv4_fini(void)
521 {
522  synchronize_net();
523 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
524  nf_conntrack_ipv4_compat_fini();
525 #endif
526  nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
527  unregister_pernet_subsys(&ipv4_net_ops);
528  nf_unregister_sockopt(&so_getorigdst);
529 }
530 
531 module_init(nf_conntrack_l3proto_ipv4_init);
532 module_exit(nf_conntrack_l3proto_ipv4_fini);
533 
534 void need_ipv4_conntrack(void)
535 {
536  return;
537 }
538 EXPORT_SYMBOL_GPL(need_ipv4_conntrack);
Generated on Thu Jan 10 2013 14:58:41 for Linux Kernel by   doxygen 1.8.2