netfilter: refactor NAT redirect IPv4 to use it from nf_tables

This patch refactors the IPv4 code so it can be usable both from xt and nf_tables. A similar patch follows-up to handle IPv6. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Arturo Borrero <arturo.borrero.glez@gmail.com> 2014-10-16 06:23:29 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-10-27 17:47:06 -0400
commit: 8b13eddfdf04cbfa561725cfc42d6868fe896f56 (patch)
tree: a54fcd289d9acb1566a841f66045127227c84d25 /net/ipv4
parent: b8901ac319768cdd3afa060787503e0c405f9607 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 4c019d5c3f57..a300e2c32b26 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -104,6 +104,12 @@ config NF_NAT_MASQUERADE_IPV4
          This is the kernel functionality to provide NAT in the masquerade
          flavour (automatic source address selection).
+config NF_NAT_REDIRECT_IPV4
+        tristate "IPv4 redirect support"
+        help
+          This is the kernel functionality to provide NAT in the redirect
+          flavour (redirect packets to local machine).
 config NFT_MASQ_IPV4
        tristate "IPv4 masquerading support for nf_tables"
        depends on NF_TABLES_IPV4
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index f4cef5af0969..34e436c92015 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
 obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
 obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
 obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
+obj-$(CONFIG_NF_NAT_REDIRECT_IPV4) += nf_nat_redirect_ipv4.o
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
diff --git a/net/ipv4/netfilter/nf_nat_redirect_ipv4.c b/net/ipv4/netfilter/nf_nat_redirect_ipv4.c
new file mode 100644
index 000000000000..a220552fc532
--- /dev/null
+++ b/net/ipv4/netfilter/nf_nat_redirect_ipv4.c
@@ -0,0 +1,82 @@
+/*
+ * (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6
+ * NAT funded by Astaro.
+ */
+#include <linux/if.h>
+#include <linux/inetdevice.h>
+#include <linux/ip.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/netdevice.h>
+#include <linux/netfilter.h>
+#include <linux/types.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
+#include <net/addrconf.h>
+#include <net/checksum.h>
+#include <net/protocol.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/ipv4/nf_nat_redirect.h>
+unsigned int
+nf_nat_redirect_ipv4(struct sk_buff *skb,
+                     const struct nf_nat_ipv4_multi_range_compat *mr,
+                     unsigned int hooknum)
+{
+        struct nf_conn *ct;
+        enum ip_conntrack_info ctinfo;
+        __be32 newdst;
+        struct nf_nat_range newrange;
+        NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING ||
+                     hooknum == NF_INET_LOCAL_OUT);
+        ct = nf_ct_get(skb, &ctinfo);
+        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
+        /* Local packets: make them go to loopback */
+        if (hooknum == NF_INET_LOCAL_OUT) {
+                newdst = htonl(0x7F000001);
+        } else {
+                struct in_device *indev;
+                struct in_ifaddr *ifa;
+                newdst = 0;
+                rcu_read_lock();
+                indev = __in_dev_get_rcu(skb->dev);
+                if (indev != NULL) {
+                        ifa = indev->ifa_list;
+                        newdst = ifa->ifa_local;
+                }
+                rcu_read_unlock();
+                if (!newdst)
+                        return NF_DROP;
+        }
+        /* Transfer from original range. */
+        memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
+        memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
+        newrange.flags       = mr->range[0].flags | NF_NAT_RANGE_MAP_IPS;
+        newrange.min_addr.ip = newdst;
+        newrange.max_addr.ip = newdst;
+        newrange.min_proto   = mr->range[0].min;
+        newrange.max_proto   = mr->range[0].max;
+        /* Hand modified range to generic setup. */
+        return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
+}
+EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv4);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
author	Arturo Borrero <arturo.borrero.glez@gmail.com>	2014-10-16 06:23:29 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-27 17:47:06 -0400
commit	8b13eddfdf04cbfa561725cfc42d6868fe896f56 (patch)
tree	a54fcd289d9acb1566a841f66045127227c84d25 /net/ipv4
parent	b8901ac319768cdd3afa060787503e0c405f9607 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 4c019d5c3f57..a300e2c32b26 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -104,6 +104,12 @@ config NF_NAT_MASQUERADE_IPV4
104	This is the kernel functionality to provide NAT in the masquerade	104	This is the kernel functionality to provide NAT in the masquerade
105	flavour (automatic source address selection).	105	flavour (automatic source address selection).
106		106
		107	config NF_NAT_REDIRECT_IPV4
		108	tristate "IPv4 redirect support"
		109	help
		110	This is the kernel functionality to provide NAT in the redirect
		111	flavour (redirect packets to local machine).
		112
107	config NFT_MASQ_IPV4	113	config NFT_MASQ_IPV4
108	tristate "IPv4 masquerading support for nf_tables"	114	tristate "IPv4 masquerading support for nf_tables"
109	depends on NF_TABLES_IPV4	115	depends on NF_TABLES_IPV4


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index f4cef5af0969..34e436c92015 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
31	obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o	31	obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
32	obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o	32	obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
33	obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o	33	obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
		34	obj-$(CONFIG_NF_NAT_REDIRECT_IPV4) += nf_nat_redirect_ipv4.o
34		35
35	# NAT protocols (nf_nat)	36	# NAT protocols (nf_nat)
36	obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o	37	obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o


diff --git a/net/ipv4/netfilter/nf_nat_redirect_ipv4.c b/net/ipv4/netfilter/nf_nat_redirect_ipv4.c new file mode 100644 index 000000000000..a220552fc532 --- /dev/null +++ b/net/ipv4/netfilter/nf_nat_redirect_ipv4.c
@@ -0,0 +1,82 @@
		1	/*
		2	* (C) 1999-2001 Paul `Rusty' Russell
		3	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
		4	* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License version 2 as
		8	* published by the Free Software Foundation.
		9	*
		10	* Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6
		11	* NAT funded by Astaro.
		12	*/
		13
		14	#include <linux/if.h>
		15	#include <linux/inetdevice.h>
		16	#include <linux/ip.h>
		17	#include <linux/kernel.h>
		18	#include <linux/module.h>
		19	#include <linux/netdevice.h>
		20	#include <linux/netfilter.h>
		21	#include <linux/types.h>
		22	#include <linux/netfilter_ipv4.h>
		23	#include <linux/netfilter/x_tables.h>
		24	#include <net/addrconf.h>
		25	#include <net/checksum.h>
		26	#include <net/protocol.h>
		27	#include <net/netfilter/nf_nat.h>
		28	#include <net/netfilter/ipv4/nf_nat_redirect.h>
		29
		30	unsigned int
		31	nf_nat_redirect_ipv4(struct sk_buff *skb,
		32	const struct nf_nat_ipv4_multi_range_compat *mr,
		33	unsigned int hooknum)
		34	{
		35	struct nf_conn *ct;
		36	enum ip_conntrack_info ctinfo;
		37	__be32 newdst;
		38	struct nf_nat_range newrange;
		39
		40	NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING \|\|
		41	hooknum == NF_INET_LOCAL_OUT);
		42
		43	ct = nf_ct_get(skb, &ctinfo);
		44	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED));
		45
		46	/* Local packets: make them go to loopback */
		47	if (hooknum == NF_INET_LOCAL_OUT) {
		48	newdst = htonl(0x7F000001);
		49	} else {
		50	struct in_device *indev;
		51	struct in_ifaddr *ifa;
		52
		53	newdst = 0;
		54
		55	rcu_read_lock();
		56	indev = __in_dev_get_rcu(skb->dev);
		57	if (indev != NULL) {
		58	ifa = indev->ifa_list;
		59	newdst = ifa->ifa_local;
		60	}
		61	rcu_read_unlock();
		62
		63	if (!newdst)
		64	return NF_DROP;
		65	}
		66
		67	/* Transfer from original range. */
		68	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
		69	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
		70	newrange.flags = mr->range[0].flags \| NF_NAT_RANGE_MAP_IPS;
		71	newrange.min_addr.ip = newdst;
		72	newrange.max_addr.ip = newdst;
		73	newrange.min_proto = mr->range[0].min;
		74	newrange.max_proto = mr->range[0].max;
		75
		76	/* Hand modified range to generic setup. */
		77	return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
		78	}
		79	EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv4);
		80
		81	MODULE_LICENSE("GPL");
		82	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");