netfilter: nf_nat: support mangling a single TCP packet multiple times

nf_nat_mangle_tcp_packet() can currently only handle a single mangling per window because it only maintains two sequence adjustment positions: the one before the last adjustment and the one after. This patch makes sequence number adjustment tracking in nf_nat_mangle_tcp_packet() optional and allows a helper to manually update the offsets after the packet has been fully handled. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2010-02-11 06:27:09 -0500
committer: Patrick McHardy <kaber@trash.net> 2010-02-11 06:27:09 -0500
commit: 010c0b9f34a4c567b431f8b49a58b7332ed42e47 (patch)
tree: 8922a2a87408ed185f3998011eab4c6a3e9f0c2b /net/ipv4
parent: f5b321bd37fbec9188feb1f721ab46a5ac0b35da (diff)
1 files changed, 23 insertions, 16 deletions
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 7f10a6be0191..4b6af4bb1f50 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -141,6 +141,17 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra)
        return 1;
 }
+void nf_nat_set_seq_adjust(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
+                           __be32 seq, s16 off)
+{
+        if (!off)
+                return;
+        set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
+        adjust_tcp_sequence(ntohl(seq), off, ct, ctinfo);
+        nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
+}
+EXPORT_SYMBOL_GPL(nf_nat_set_seq_adjust);
 /* Generic function for mangling variable-length address changes inside
 * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX
 * command in FTP).
@@ -149,14 +160,13 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra)
 * skb enlargement, ...
 *
 * */
-int
+int __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
-nf_nat_mangle_tcp_packet(struct sk_buff *skb,
+                               struct nf_conn *ct,
-                         struct nf_conn *ct,
+                               enum ip_conntrack_info ctinfo,
-                         enum ip_conntrack_info ctinfo,
+                               unsigned int match_offset,
-                         unsigned int match_offset,
+                               unsigned int match_len,
-                         unsigned int match_len,
+                               const char *rep_buffer,
-                         const char *rep_buffer,
+                               unsigned int rep_len, bool adjust)
-                         unsigned int rep_len)
 {
        struct rtable *rt = skb_rtable(skb);
        struct iphdr *iph;
@@ -202,16 +212,13 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb,
                inet_proto_csum_replace2(&tcph->check, skb,
                                         htons(oldlen), htons(datalen), 1);
-        if (rep_len != match_len) {
+        if (adjust && rep_len != match_len)
-                set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
+                nf_nat_set_seq_adjust(ct, ctinfo, tcph->seq,
-                adjust_tcp_sequence(ntohl(tcph->seq),
+                                      (int)rep_len - (int)match_len);
-                                    (int)rep_len - (int)match_len,
-                                    ct, ctinfo);
-                nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
-        }
        return 1;
 }
-EXPORT_SYMBOL(nf_nat_mangle_tcp_packet);
+EXPORT_SYMBOL(__nf_nat_mangle_tcp_packet);
 /* Generic function for mangling variable-length address changes inside
 * NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX
author	Patrick McHardy <kaber@trash.net>	2010-02-11 06:27:09 -0500
committer	Patrick McHardy <kaber@trash.net>	2010-02-11 06:27:09 -0500
commit	010c0b9f34a4c567b431f8b49a58b7332ed42e47 (patch)
tree	8922a2a87408ed185f3998011eab4c6a3e9f0c2b /net/ipv4
parent	f5b321bd37fbec9188feb1f721ab46a5ac0b35da (diff)

diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c index 7f10a6be0191..4b6af4bb1f50 100644 --- a/net/ipv4/netfilter/nf_nat_helper.c +++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -141,6 +141,17 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra)
141	return 1;	141	return 1;
142	}	142	}
143		143
		144	void nf_nat_set_seq_adjust(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
		145	__be32 seq, s16 off)
		146	{
		147	if (!off)
		148	return;
		149	set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
		150	adjust_tcp_sequence(ntohl(seq), off, ct, ctinfo);
		151	nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
		152	}
		153	EXPORT_SYMBOL_GPL(nf_nat_set_seq_adjust);
		154
144	/* Generic function for mangling variable-length address changes inside	155	/* Generic function for mangling variable-length address changes inside
145	* NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX	156	* NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX
146	* command in FTP).	157	* command in FTP).
@@ -149,14 +160,13 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra)
149	* skb enlargement, ...	160	* skb enlargement, ...
150	*	161	*
151	* */	162	* */
152	int	163	int __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
153	nf_nat_mangle_tcp_packet(struct sk_buff *skb,	164	struct nf_conn *ct,
154	struct nf_conn *ct,	165	enum ip_conntrack_info ctinfo,
155	enum ip_conntrack_info ctinfo,	166	unsigned int match_offset,
156	unsigned int match_offset,	167	unsigned int match_len,
157	unsigned int match_len,	168	const char *rep_buffer,
158	const char *rep_buffer,	169	unsigned int rep_len, bool adjust)
159	unsigned int rep_len)
160	{	170	{
161	struct rtable *rt = skb_rtable(skb);	171	struct rtable *rt = skb_rtable(skb);
162	struct iphdr *iph;	172	struct iphdr *iph;
@@ -202,16 +212,13 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb,
202	inet_proto_csum_replace2(&tcph->check, skb,	212	inet_proto_csum_replace2(&tcph->check, skb,
203	htons(oldlen), htons(datalen), 1);	213	htons(oldlen), htons(datalen), 1);
204		214
205	if (rep_len != match_len) {	215	if (adjust && rep_len != match_len)
206	set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);	216	nf_nat_set_seq_adjust(ct, ctinfo, tcph->seq,
207	adjust_tcp_sequence(ntohl(tcph->seq),	217	(int)rep_len - (int)match_len);
208	(int)rep_len - (int)match_len,	218
209	ct, ctinfo);
210	nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
211	}
212	return 1;	219	return 1;
213	}	220	}
214	EXPORT_SYMBOL(nf_nat_mangle_tcp_packet);	221	EXPORT_SYMBOL(__nf_nat_mangle_tcp_packet);
215		222
216	/* Generic function for mangling variable-length address changes inside	223	/* Generic function for mangling variable-length address changes inside
217	* NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX	224	* NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX