netfilter: nf_tables: add new nft_masq expression

The nft_masq expression is intended to perform NAT in the masquerade flavour. We decided to have the masquerade functionality in a separated expression other than nft_nat. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Arturo Borrero <arturo.borrero.glez@gmail.com> 2014-09-08 07:45:00 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-09-09 10:31:30 -0400
commit: 9ba1f726bec090399eb9bb9157eb32dedc8e8c45 (patch)
tree: 4a2875982feb3cad10ccb8f3da4a1f452bd1f068 /net/ipv4
parent: be6b635cd674add9410efa9ac6f03e0040848b12 (diff)
3 files changed, 96 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 4be3e541350e..8dd3d9f19d82 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -190,6 +190,12 @@ config NF_NAT_MASQUERADE_IPV4
        This is the kernel functionality to provide NAT in the masquerade
        flavour (automatic source address selection).
+config NFT_MASQ_IPV4
+        tristate "IPv4 masquerading support for nf_tables"
+        depends on NF_TABLES_IPV4
+        depends on NFT_MASQ
+        select NF_NAT_MASQUERADE_IPV4
 config IP_NF_TARGET_MASQUERADE
        tristate "MASQUERADE target support"
        select NF_NAT_MASQUERADE_IPV4
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 42056b2fd0e3..7d019aefb0ed 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -36,6 +36,7 @@ obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
 obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
+obj-$(CONFIG_NFT_MASQ_IPV4) += nft_masq_ipv4.o
 obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
 # generic IP tables 
diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
new file mode 100644
index 000000000000..6ea1d207b6a5
--- /dev/null
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_masq.h>
+#include <net/netfilter/ipv4/nf_nat_masquerade.h>
+static void nft_masq_ipv4_eval(const struct nft_expr *expr,
+                               struct nft_data data[NFT_REG_MAX + 1],
+                               const struct nft_pktinfo *pkt)
+{
+        struct nft_masq *priv = nft_expr_priv(expr);
+        struct nf_nat_range range;
+        unsigned int verdict;
+        range.flags = priv->flags;
+        verdict = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
+                                         &range, pkt->out);
+        data[NFT_REG_VERDICT].verdict = verdict;
+}
+static int nft_masq_ipv4_init(const struct nft_ctx *ctx,
+                              const struct nft_expr *expr,
+                              const struct nlattr * const tb[])
+{
+        int err;
+        err = nft_masq_init(ctx, expr, tb);
+        if (err < 0)
+                return err;
+        nf_nat_masquerade_ipv4_register_notifier();
+        return 0;
+}
+static void nft_masq_ipv4_destroy(const struct nft_ctx *ctx,
+                                  const struct nft_expr *expr)
+{
+        nf_nat_masquerade_ipv4_unregister_notifier();
+}
+static struct nft_expr_type nft_masq_ipv4_type;
+static const struct nft_expr_ops nft_masq_ipv4_ops = {
+        .type           = &nft_masq_ipv4_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
+        .eval           = nft_masq_ipv4_eval,
+        .init           = nft_masq_ipv4_init,
+        .destroy        = nft_masq_ipv4_destroy,
+        .dump           = nft_masq_dump,
+};
+static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
+        .family         = NFPROTO_IPV4,
+        .name           = "masq",
+        .ops            = &nft_masq_ipv4_ops,
+        .policy         = nft_masq_policy,
+        .maxattr        = NFTA_MASQ_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_masq_ipv4_module_init(void)
+{
+        return nft_register_expr(&nft_masq_ipv4_type);
+}
+static void __exit nft_masq_ipv4_module_exit(void)
+{
+        nft_unregister_expr(&nft_masq_ipv4_type);
+}
+module_init(nft_masq_ipv4_module_init);
+module_exit(nft_masq_ipv4_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");
author	Arturo Borrero <arturo.borrero.glez@gmail.com>	2014-09-08 07:45:00 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-09-09 10:31:30 -0400
commit	9ba1f726bec090399eb9bb9157eb32dedc8e8c45 (patch)
tree	4a2875982feb3cad10ccb8f3da4a1f452bd1f068 /net/ipv4
parent	be6b635cd674add9410efa9ac6f03e0040848b12 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 4be3e541350e..8dd3d9f19d82 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -190,6 +190,12 @@ config NF_NAT_MASQUERADE_IPV4
190	This is the kernel functionality to provide NAT in the masquerade	190	This is the kernel functionality to provide NAT in the masquerade
191	flavour (automatic source address selection).	191	flavour (automatic source address selection).
192		192
		193	config NFT_MASQ_IPV4
		194	tristate "IPv4 masquerading support for nf_tables"
		195	depends on NF_TABLES_IPV4
		196	depends on NFT_MASQ
		197	select NF_NAT_MASQUERADE_IPV4
		198
193	config IP_NF_TARGET_MASQUERADE	199	config IP_NF_TARGET_MASQUERADE
194	tristate "MASQUERADE target support"	200	tristate "MASQUERADE target support"
195	select NF_NAT_MASQUERADE_IPV4	201	select NF_NAT_MASQUERADE_IPV4


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 42056b2fd0e3..7d019aefb0ed 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -36,6 +36,7 @@ obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
36	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o	36	obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
37	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o	37	obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
38	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o	38	obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
		39	obj-$(CONFIG_NFT_MASQ_IPV4) += nft_masq_ipv4.o
39	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o	40	obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
40		41
41	# generic IP tables	42	# generic IP tables


diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c new file mode 100644 index 000000000000..6ea1d207b6a5 --- /dev/null +++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -0,0 +1,89 @@
		1	/*
		2	* Copyright (c) 2014 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/kernel.h>
		10	#include <linux/init.h>
		11	#include <linux/module.h>
		12	#include <linux/netlink.h>
		13	#include <linux/netfilter.h>
		14	#include <linux/netfilter/nf_tables.h>
		15	#include <net/netfilter/nf_tables.h>
		16	#include <net/netfilter/nft_masq.h>
		17	#include <net/netfilter/ipv4/nf_nat_masquerade.h>
		18
		19	static void nft_masq_ipv4_eval(const struct nft_expr *expr,
		20	struct nft_data data[NFT_REG_MAX + 1],
		21	const struct nft_pktinfo *pkt)
		22	{
		23	struct nft_masq *priv = nft_expr_priv(expr);
		24	struct nf_nat_range range;
		25	unsigned int verdict;
		26
		27	range.flags = priv->flags;
		28
		29	verdict = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
		30	&range, pkt->out);
		31
		32	data[NFT_REG_VERDICT].verdict = verdict;
		33	}
		34
		35	static int nft_masq_ipv4_init(const struct nft_ctx *ctx,
		36	const struct nft_expr *expr,
		37	const struct nlattr * const tb[])
		38	{
		39	int err;
		40
		41	err = nft_masq_init(ctx, expr, tb);
		42	if (err < 0)
		43	return err;
		44
		45	nf_nat_masquerade_ipv4_register_notifier();
		46	return 0;
		47	}
		48
		49	static void nft_masq_ipv4_destroy(const struct nft_ctx *ctx,
		50	const struct nft_expr *expr)
		51	{
		52	nf_nat_masquerade_ipv4_unregister_notifier();
		53	}
		54
		55	static struct nft_expr_type nft_masq_ipv4_type;
		56	static const struct nft_expr_ops nft_masq_ipv4_ops = {
		57	.type = &nft_masq_ipv4_type,
		58	.size = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
		59	.eval = nft_masq_ipv4_eval,
		60	.init = nft_masq_ipv4_init,
		61	.destroy = nft_masq_ipv4_destroy,
		62	.dump = nft_masq_dump,
		63	};
		64
		65	static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
		66	.family = NFPROTO_IPV4,
		67	.name = "masq",
		68	.ops = &nft_masq_ipv4_ops,
		69	.policy = nft_masq_policy,
		70	.maxattr = NFTA_MASQ_MAX,
		71	.owner = THIS_MODULE,
		72	};
		73
		74	static int __init nft_masq_ipv4_module_init(void)
		75	{
		76	return nft_register_expr(&nft_masq_ipv4_type);
		77	}
		78
		79	static void __exit nft_masq_ipv4_module_exit(void)
		80	{
		81	nft_unregister_expr(&nft_masq_ipv4_type);
		82	}
		83
		84	module_init(nft_masq_ipv4_module_init);
		85	module_exit(nft_masq_ipv4_module_exit);
		86
		87	MODULE_LICENSE("GPL");
		88	MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
		89	MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");