netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat

This patch removes the module dependency between ctnetlink and
nf_nat by means of an indirect call that is initialized when
nf_nat is loaded. Now, nf_conntrack_netlink only requires
nf_conntrack and nfnetlink.

This patch puts nfnetlink_parse_nat_setup_hook into the
nf_conntrack_core to avoid dependencies between ctnetlink,
nf_conntrack_ipv4 and nf_conntrack_ipv6.

This patch also introduces the function ctnetlink_change_nat
that is only invoked from the creation path. Actually, the
nat handling cannot be invoked from the update path since
this is not allowed. By introducing this function, we remove
the useless nat handling in the update path and we avoid
deadlock-prone code.

This patch also adds the required EAGAIN logic for nfnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 97 insertions, 0 deletions

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 2ac9eaf1a8c9..a65cf692359f 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -584,6 +584,98 @@ static struct nf_ct_ext_type nat_extend __read_mostly = {
         .flags          = NF_CT_EXT_F_PREALLOC,
 };
 
+#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
+
+static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
+        [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
+        [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
+};
+
+static int nfnetlink_parse_nat_proto(struct nlattr *attr,
+                                     const struct nf_conn *ct,
+                                     struct nf_nat_range *range)
+{
+        struct nlattr *tb[CTA_PROTONAT_MAX+1];
+        const struct nf_nat_protocol *npt;
+        int err;
+
+        err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy);
+        if (err < 0)
+                return err;
+
+        npt = nf_nat_proto_find_get(nf_ct_protonum(ct));
+        if (npt->nlattr_to_range)
+                err = npt->nlattr_to_range(tb, range);
+        nf_nat_proto_put(npt);
+        return err;
+}
+
+static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
+        [CTA_NAT_MINIP]         = { .type = NLA_U32 },
+        [CTA_NAT_MAXIP]         = { .type = NLA_U32 },
+};
+
+static int
+nfnetlink_parse_nat(struct nlattr *nat,
+                    const struct nf_conn *ct, struct nf_nat_range *range)
+{
+        struct nlattr *tb[CTA_NAT_MAX+1];
+        int err;
+
+        memset(range, 0, sizeof(*range));
+
+        err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy);
+        if (err < 0)
+                return err;
+
+        if (tb[CTA_NAT_MINIP])
+                range->min_ip = nla_get_be32(tb[CTA_NAT_MINIP]);
+
+        if (!tb[CTA_NAT_MAXIP])
+                range->max_ip = range->min_ip;
+        else
+                range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]);
+
+        if (range->min_ip)
+                range->flags |= IP_NAT_RANGE_MAP_IPS;
+
+        if (!tb[CTA_NAT_PROTO])
+                return 0;
+
+        err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
+        if (err < 0)
+                return err;
+
+        return 0;
+}
+
+static int
+nfnetlink_parse_nat_setup(struct nf_conn *ct,
+                          enum nf_nat_manip_type manip,
+                          struct nlattr *attr)
+{
+        struct nf_nat_range range;
+
+        if (nfnetlink_parse_nat(attr, ct, &range) < 0)
+                return -EINVAL;
+        if (nf_nat_initialized(ct, manip))
+                return -EEXIST;
+
+        return nf_nat_setup_info(ct, &range, manip);
+}
+#else
+static int
+nfnetlink_parse_nat_setup(struct nf_conn *ct,
+                          enum nf_nat_manip_type manip,
+                          struct nlattr *attr)
+{
+        return -EOPNOTSUPP;
+}
+#endif
+
 static int __net_init nf_nat_net_init(struct net *net)
 {
         net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size,
@@ -654,6 +746,9 @@ static int __init nf_nat_init(void)
 
         BUG_ON(nf_nat_seq_adjust_hook != NULL);
         rcu_assign_pointer(nf_nat_seq_adjust_hook, nf_nat_seq_adjust);
+        BUG_ON(nfnetlink_parse_nat_setup_hook != NULL);
+        rcu_assign_pointer(nfnetlink_parse_nat_setup_hook,
+                           nfnetlink_parse_nat_setup);
         return 0;
 
  cleanup_extend:
@@ -667,10 +762,12 @@ static void __exit nf_nat_cleanup(void)
         nf_ct_l3proto_put(l3proto);
         nf_ct_extend_unregister(&nat_extend);
         rcu_assign_pointer(nf_nat_seq_adjust_hook, NULL);
+        rcu_assign_pointer(nfnetlink_parse_nat_setup_hook, NULL);
         synchronize_net();
 }
 
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("nf-nat-ipv4");
 
 module_init(nf_nat_init);
 module_exit(nf_nat_cleanup);