[mirror_ubuntu-zesty-kernel.git] / net / ipv4 / netfilter / ip_nat_core.c

/* NAT for netfilter; shared with compatibility layer. */

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/module.h>
#include <linux/types.h>
#include <linux/timer.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4.h>
#include <linux/vmalloc.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/tcp.h>  /* For tcp_prot in getorigdst */
#include <linux/icmp.h>
#include <linux/udp.h>
#include <linux/jhash.h>

#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)

#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack_core.h>
#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
#include <linux/netfilter_ipv4/ip_nat.h>
#include <linux/netfilter_ipv4/ip_nat_protocol.h>
#include <linux/netfilter_ipv4/ip_nat_core.h>
#include <linux/netfilter_ipv4/ip_nat_helper.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/listhelp.h>

#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif

DEFINE_RWLOCK(ip_nat_lock);

/* Calculated at init based on memory size */
static unsigned int ip_nat_htable_size;

static struct list_head *bysource;
struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO];


/* We keep an extra hash for each conntrack, for fast searching. */
static inline unsigned int
hash_by_src(const struct ip_conntrack_tuple *tuple)
{
	/* Original src, to ensure we map it consistently if poss. */
	return jhash_3words(tuple->src.ip, tuple->src.u.all,
			    tuple->dst.protonum, 0) % ip_nat_htable_size;
}

/* Noone using conntrack by the time this called. */
static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
{
	if (!(conn->status & IPS_NAT_DONE_MASK))
		return;

	write_lock_bh(&ip_nat_lock);
	list_del(&conn->nat.info.bysource);
	write_unlock_bh(&ip_nat_lock);
}

/* We do checksum mangling, so if they were wrong before they're still
 * wrong.  Also works for incomplete packets (eg. ICMP dest
 * unreachables.) */
u_int16_t
ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
{
	u_int32_t diffs[] = { oldvalinv, newval };
	return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
				      oldcheck^0xFFFF));
}

/* Is this tuple already taken? (not by us) */
int
ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple,
		  const struct ip_conntrack *ignored_conntrack)
{
	/* Conntrack tracking doesn't keep track of outgoing tuples; only
	   incoming ones.  NAT means they don't have a fixed mapping,
	   so we invert the tuple and look for the incoming reply.

	   We could keep a separate hash if this proves too slow. */
	struct ip_conntrack_tuple reply;

	invert_tuplepr(&reply, tuple);
	return ip_conntrack_tuple_taken(&reply, ignored_conntrack);
}

/* If we source map this tuple so reply looks like reply_tuple, will
 * that meet the constraints of range. */
static int
in_range(const struct ip_conntrack_tuple *tuple,
	 const struct ip_nat_range *range)
{
	struct ip_nat_protocol *proto = ip_nat_find_proto(tuple->dst.protonum);

	/* If we are supposed to map IPs, then we must be in the
	   range specified, otherwise let this drag us onto a new src IP. */
	if (range->flags & IP_NAT_RANGE_MAP_IPS) {
		if (ntohl(tuple->src.ip) < ntohl(range->min_ip)
		    || ntohl(tuple->src.ip) > ntohl(range->max_ip))
			return 0;
	}

	if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
	    || proto->in_range(tuple, IP_NAT_MANIP_SRC,
			       &range->min, &range->max))
		return 1;

	return 0;
}

static inline int
same_src(const struct ip_conntrack *ct,
	 const struct ip_conntrack_tuple *tuple)
{
	return (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum
		== tuple->dst.protonum
		&& ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip
		== tuple->src.ip
		&& ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.all
		== tuple->src.u.all);
}

/* Only called for SRC manip */
static int
find_appropriate_src(const struct ip_conntrack_tuple *tuple,
		     struct ip_conntrack_tuple *result,
		     const struct ip_nat_range *range)
{
	unsigned int h = hash_by_src(tuple);
	struct ip_conntrack *ct;

	read_lock_bh(&ip_nat_lock);
	list_for_each_entry(ct, &bysource[h], nat.info.bysource) {
		if (same_src(ct, tuple)) {
			/* Copy source part from reply tuple. */
			invert_tuplepr(result,
				       &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
			result->dst = tuple->dst;

			if (in_range(result, range)) {
				read_unlock_bh(&ip_nat_lock);
				return 1;
			}
		}
	}
	read_unlock_bh(&ip_nat_lock);
	return 0;
}

/* For [FUTURE] fragmentation handling, we want the least-used
   src-ip/dst-ip/proto triple.  Fairness doesn't come into it.  Thus
   if the range specifies 1.2.3.4 ports 10000-10005 and 1.2.3.5 ports
   1-65535, we don't do pro-rata allocation based on ports; we choose
   the ip with the lowest src-ip/dst-ip/proto usage.
*/
static void
find_best_ips_proto(struct ip_conntrack_tuple *tuple,
		    const struct ip_nat_range *range,
		    const struct ip_conntrack *conntrack,
		    enum ip_nat_manip_type maniptype)
{
	u_int32_t *var_ipp;
	/* Host order */
	u_int32_t minip, maxip, j;

	/* No IP mapping?  Do nothing. */
	if (!(range->flags & IP_NAT_RANGE_MAP_IPS))
		return;

	if (maniptype == IP_NAT_MANIP_SRC)
		var_ipp = &tuple->src.ip;
	else
		var_ipp = &tuple->dst.ip;

	/* Fast path: only one choice. */
	if (range->min_ip == range->max_ip) {
		*var_ipp = range->min_ip;
		return;
	}

	/* Hashing source and destination IPs gives a fairly even
	 * spread in practice (if there are a small number of IPs
	 * involved, there usually aren't that many connections
	 * anyway).  The consistency means that servers see the same
	 * client coming from the same IP (some Internet Banking sites
	 * like this), even across reboots. */
	minip = ntohl(range->min_ip);
	maxip = ntohl(range->max_ip);
	j = jhash_2words(tuple->src.ip, tuple->dst.ip, 0);
	*var_ipp = htonl(minip + j % (maxip - minip + 1));
}

/* Manipulate the tuple into the range given.  For NF_IP_POST_ROUTING,
 * we change the source to map into the range.  For NF_IP_PRE_ROUTING
 * and NF_IP_LOCAL_OUT, we change the destination to map into the
 * range.  It might not be possible to get a unique tuple, but we try.
 * At worst (or if we race), we will end up with a final duplicate in
 * __ip_conntrack_confirm and drop the packet. */
static void
get_unique_tuple(struct ip_conntrack_tuple *tuple,
		 const struct ip_conntrack_tuple *orig_tuple,
		 const struct ip_nat_range *range,
		 struct ip_conntrack *conntrack,
		 enum ip_nat_manip_type maniptype)
{
	struct ip_nat_protocol *proto
		= ip_nat_find_proto(orig_tuple->dst.protonum);

	/* 1) If this srcip/proto/src-proto-part is currently mapped,
	   and that same mapping gives a unique tuple within the given
	   range, use that.

	   This is only required for source (ie. NAT/masq) mappings.
	   So far, we don't do local source mappings, so multiple
	   manips not an issue.  */
	if (maniptype == IP_NAT_MANIP_SRC) {
		if (find_appropriate_src(orig_tuple, tuple, range)) {
			DEBUGP("get_unique_tuple: Found current src map\n");
			if (!ip_nat_used_tuple(tuple, conntrack))
				return;
		}
	}

	/* 2) Select the least-used IP/proto combination in the given
	   range. */
	*tuple = *orig_tuple;
	find_best_ips_proto(tuple, range, conntrack, maniptype);

	/* 3) The per-protocol part of the manip is made to map into
	   the range to make a unique tuple. */

	/* Only bother mapping if it's not already in range and unique */
	if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
	     || proto->in_range(tuple, maniptype, &range->min, &range->max))
	    && !ip_nat_used_tuple(tuple, conntrack))
		return;

	/* Last change: get protocol to try to obtain unique tuple. */
	proto->unique_tuple(tuple, range, maniptype, conntrack);
}

unsigned int
ip_nat_setup_info(struct ip_conntrack *conntrack,
		  const struct ip_nat_range *range,
		  unsigned int hooknum)
{
	struct ip_conntrack_tuple curr_tuple, new_tuple;
	struct ip_nat_info *info = &conntrack->nat.info;
	int have_to_hash = !(conntrack->status & IPS_NAT_DONE_MASK);
	enum ip_nat_manip_type maniptype = HOOK2MANIP(hooknum);

	IP_NF_ASSERT(hooknum == NF_IP_PRE_ROUTING
		     || hooknum == NF_IP_POST_ROUTING
		     || hooknum == NF_IP_LOCAL_IN
		     || hooknum == NF_IP_LOCAL_OUT);
	BUG_ON(ip_nat_initialized(conntrack, maniptype));

	/* What we've got will look like inverse of reply. Normally
	   this is what is in the conntrack, except for prior
	   manipulations (future optimization: if num_manips == 0,
	   orig_tp =
	   conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple) */
	invert_tuplepr(&curr_tuple,
		       &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple);

	get_unique_tuple(&new_tuple, &curr_tuple, range, conntrack, maniptype);

	if (!ip_ct_tuple_equal(&new_tuple, &curr_tuple)) {
		struct ip_conntrack_tuple reply;

		/* Alter conntrack table so will recognize replies. */
		invert_tuplepr(&reply, &new_tuple);
		ip_conntrack_alter_reply(conntrack, &reply);

		/* Non-atomic: we own this at the moment. */
		if (maniptype == IP_NAT_MANIP_SRC)
			conntrack->status |= IPS_SRC_NAT;
		else
			conntrack->status |= IPS_DST_NAT;
	}

	/* Place in source hash if this is the first time. */
	if (have_to_hash) {
		unsigned int srchash
			= hash_by_src(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
				      .tuple);
		write_lock_bh(&ip_nat_lock);
		list_add(&info->bysource, &bysource[srchash]);
		write_unlock_bh(&ip_nat_lock);
	}

	/* It's done. */
	if (maniptype == IP_NAT_MANIP_DST)
		set_bit(IPS_DST_NAT_DONE_BIT, &conntrack->status);
	else
		set_bit(IPS_SRC_NAT_DONE_BIT, &conntrack->status);

	return NF_ACCEPT;
}

/* Returns true if succeeded. */
static int
manip_pkt(u_int16_t proto,
	  struct sk_buff **pskb,
	  unsigned int iphdroff,
	  const struct ip_conntrack_tuple *target,
	  enum ip_nat_manip_type maniptype)
{
	struct iphdr *iph;

	if (!skb_ip_make_writable(pskb, iphdroff + sizeof(*iph)))
		return 0;

	iph = (void *)(*pskb)->data + iphdroff;

	/* Manipulate protcol part. */
	if (!ip_nat_find_proto(proto)->manip_pkt(pskb, iphdroff,
	                                         target, maniptype))
		return 0;

	iph = (void *)(*pskb)->data + iphdroff;

	if (maniptype == IP_NAT_MANIP_SRC) {
		iph->check = ip_nat_cheat_check(~iph->saddr, target->src.ip,
						iph->check);
		iph->saddr = target->src.ip;
	} else {
		iph->check = ip_nat_cheat_check(~iph->daddr, target->dst.ip,
						iph->check);
		iph->daddr = target->dst.ip;
	}
	return 1;
}

/* Do packet manipulations according to ip_nat_setup_info. */
unsigned int nat_packet(struct ip_conntrack *ct,
			enum ip_conntrack_info ctinfo,
			unsigned int hooknum,
			struct sk_buff **pskb)
{
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	unsigned long statusbit;
	enum ip_nat_manip_type mtype = HOOK2MANIP(hooknum);

	if (mtype == IP_NAT_MANIP_SRC)
		statusbit = IPS_SRC_NAT;
	else
		statusbit = IPS_DST_NAT;

	/* Invert if this is reply dir. */
	if (dir == IP_CT_DIR_REPLY)
		statusbit ^= IPS_NAT_MASK;

	/* Non-atomic: these bits don't change. */
	if (ct->status & statusbit) {
		struct ip_conntrack_tuple target;

		/* We are aiming to look like inverse of other direction. */
		invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);

		if (!manip_pkt(target.dst.protonum, pskb, 0, &target, mtype))
			return NF_DROP;
	}
	return NF_ACCEPT;
}

/* Dir is direction ICMP is coming from (opposite to packet it contains) */
int icmp_reply_translation(struct sk_buff **pskb,
			   struct ip_conntrack *ct,
			   enum ip_nat_manip_type manip,
			   enum ip_conntrack_dir dir)
{
	struct {
		struct icmphdr icmp;
		struct iphdr ip;
	} *inside;
	struct ip_conntrack_tuple inner, target;
	int hdrlen = (*pskb)->nh.iph->ihl * 4;

	if (!skb_ip_make_writable(pskb, hdrlen + sizeof(*inside)))
		return 0;

	inside = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;

	/* We're actually going to mangle it beyond trivial checksum
	   adjustment, so make sure the current checksum is correct. */
	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY) {
		hdrlen = (*pskb)->nh.iph->ihl * 4;
		if ((u16)csum_fold(skb_checksum(*pskb, hdrlen,
						(*pskb)->len - hdrlen, 0)))
			return 0;
	}

	/* Must be RELATED */
	IP_NF_ASSERT((*pskb)->nfctinfo == IP_CT_RELATED ||
		     (*pskb)->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY);

	/* Redirects on non-null nats must be dropped, else they'll
           start talking to each other without our translation, and be
           confused... --RR */
	if (inside->icmp.type == ICMP_REDIRECT) {
		/* If NAT isn't finished, assume it and drop. */
		if ((ct->status & IPS_NAT_DONE_MASK) != IPS_NAT_DONE_MASK)
			return 0;

		if (ct->status & IPS_NAT_MASK)
			return 0;
	}

	DEBUGP("icmp_reply_translation: translating error %p manp %u dir %s\n",
	       *pskb, manip, dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY");

	if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 +
	                     sizeof(struct icmphdr) + inside->ip.ihl*4,
	                     &inner, ip_ct_find_proto(inside->ip.protocol)))
		return 0;

	/* Change inner back to look like incoming packet.  We do the
	   opposite manip on this hook to normal, because it might not
	   pass all hooks (locally-generated ICMP).  Consider incoming
	   packet: PREROUTING (DST manip), routing produces ICMP, goes
	   through POSTROUTING (which must correct the DST manip). */
	if (!manip_pkt(inside->ip.protocol, pskb,
		       (*pskb)->nh.iph->ihl*4
		       + sizeof(inside->icmp),
		       &ct->tuplehash[!dir].tuple,
		       !manip))
		return 0;

	/* Reloading "inside" here since manip_pkt inner. */
	inside = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;
	inside->icmp.checksum = 0;
	inside->icmp.checksum = csum_fold(skb_checksum(*pskb, hdrlen,
						       (*pskb)->len - hdrlen,
						       0));

	/* Change outer to look the reply to an incoming packet
	 * (proto 0 means don't invert per-proto part). */

	/* Obviously, we need to NAT destination IP, but source IP
	   should be NAT'ed only if it is from a NAT'd host.

	   Explanation: some people use NAT for anonymizing.  Also,
	   CERT recommends dropping all packets from private IP
	   addresses (although ICMP errors from internal links with
	   such addresses are not too uncommon, as Alan Cox points
	   out) */
	if (manip != IP_NAT_MANIP_SRC
	    || ((*pskb)->nh.iph->saddr == ct->tuplehash[dir].tuple.src.ip)) {
		invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
		if (!manip_pkt(0, pskb, 0, &target, manip))
			return 0;
	}

	return 1;
}

/* Protocol registration. */
int ip_nat_protocol_register(struct ip_nat_protocol *proto)
{
	int ret = 0;

	write_lock_bh(&ip_nat_lock);
	if (ip_nat_protos[proto->protonum] != &ip_nat_unknown_protocol) {
		ret = -EBUSY;
		goto out;
	}
	ip_nat_protos[proto->protonum] = proto;
 out:
	write_unlock_bh(&ip_nat_lock);
	return ret;
}

/* Noone stores the protocol anywhere; simply delete it. */
void ip_nat_protocol_unregister(struct ip_nat_protocol *proto)
{
	write_lock_bh(&ip_nat_lock);
	ip_nat_protos[proto->protonum] = &ip_nat_unknown_protocol;
	write_unlock_bh(&ip_nat_lock);

	/* Someone could be still looking at the proto in a bh. */
	synchronize_net();
}

int __init ip_nat_init(void)
{
	size_t i;

	/* Leave them the same for the moment. */
	ip_nat_htable_size = ip_conntrack_htable_size;

	/* One vmalloc for both hash tables */
	bysource = vmalloc(sizeof(struct list_head) * ip_nat_htable_size);
	if (!bysource)
		return -ENOMEM;

	/* Sew in builtin protocols. */
	write_lock_bh(&ip_nat_lock);
	for (i = 0; i < MAX_IP_NAT_PROTO; i++)
		ip_nat_protos[i] = &ip_nat_unknown_protocol;
	ip_nat_protos[IPPROTO_TCP] = &ip_nat_protocol_tcp;
	ip_nat_protos[IPPROTO_UDP] = &ip_nat_protocol_udp;
	ip_nat_protos[IPPROTO_ICMP] = &ip_nat_protocol_icmp;
	write_unlock_bh(&ip_nat_lock);

	for (i = 0; i < ip_nat_htable_size; i++) {
		INIT_LIST_HEAD(&bysource[i]);
	}

	/* FIXME: Man, this is a hack.  <SIGH> */
	IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
	ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;

	/* Initialize fake conntrack so that NAT will skip it */
	ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK;
	return 0;
}

/* Clear NAT section of all conntracks, in case we're loaded again. */
static int clean_nat(struct ip_conntrack *i, void *data)
{
	memset(&i->nat, 0, sizeof(i->nat));
	i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | IPS_SEQ_ADJUST);
	return 0;
}

/* Not __exit: called from ip_nat_standalone.c:init_or_cleanup() --RR */
void ip_nat_cleanup(void)
{
	ip_ct_iterate_cleanup(&clean_nat, NULL);
	ip_conntrack_destroyed = NULL;
	vfree(bysource);
}
Commit	Line	Data
1da177e4 LT	1	/* NAT for netfilter; shared with compatibility layer. */
	2
	3	/* (C) 1999-2001 Paul `Rusty' Russell
	4	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License version 2 as
	8	* published by the Free Software Foundation.
	9	*/
	10
	11	#include <linux/module.h>
	12	#include <linux/types.h>
	13	#include <linux/timer.h>
	14	#include <linux/skbuff.h>
	15	#include <linux/netfilter_ipv4.h>
	16	#include <linux/vmalloc.h>
	17	#include <net/checksum.h>
	18	#include <net/icmp.h>
	19	#include <net/ip.h>
	20	#include <net/tcp.h> /* For tcp_prot in getorigdst */
	21	#include <linux/icmp.h>
	22	#include <linux/udp.h>
	23	#include <linux/jhash.h>
	24
e45b1be8 PM	25	#define ASSERT_READ_LOCK(x)
e45b1be8 PM	26	#define ASSERT_WRITE_LOCK(x)
1da177e4 LT	27
	28	#include <linux/netfilter_ipv4/ip_conntrack.h>
	29	#include <linux/netfilter_ipv4/ip_conntrack_core.h>
	30	#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
	31	#include <linux/netfilter_ipv4/ip_nat.h>
	32	#include <linux/netfilter_ipv4/ip_nat_protocol.h>
	33	#include <linux/netfilter_ipv4/ip_nat_core.h>
	34	#include <linux/netfilter_ipv4/ip_nat_helper.h>
	35	#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
	36	#include <linux/netfilter_ipv4/listhelp.h>
	37
	38	#if 0
	39	#define DEBUGP printk
	40	#else
	41	#define DEBUGP(format, args...)
	42	#endif
	43
e45b1be8	44	DEFINE_RWLOCK(ip_nat_lock);
1da177e4 LT	45
	46	/* Calculated at init based on memory size */
	47	static unsigned int ip_nat_htable_size;
	48
	49	static struct list_head *bysource;
	50	struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO];
	51
	52
	53	/* We keep an extra hash for each conntrack, for fast searching. */
	54	static inline unsigned int
	55	hash_by_src(const struct ip_conntrack_tuple *tuple)
	56	{
	57	/* Original src, to ensure we map it consistently if poss. */
	58	return jhash_3words(tuple->src.ip, tuple->src.u.all,
	59	tuple->dst.protonum, 0) % ip_nat_htable_size;
	60	}
	61
	62	/* Noone using conntrack by the time this called. */
	63	static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
	64	{
	65	if (!(conn->status & IPS_NAT_DONE_MASK))
	66	return;
	67
e45b1be8	68	write_lock_bh(&ip_nat_lock);
1da177e4	69	list_del(&conn->nat.info.bysource);
e45b1be8	70	write_unlock_bh(&ip_nat_lock);
1da177e4 LT	71	}
	72
	73	/* We do checksum mangling, so if they were wrong before they're still
	74	* wrong. Also works for incomplete packets (eg. ICMP dest
	75	* unreachables.) */
	76	u_int16_t
	77	ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
	78	{
	79	u_int32_t diffs[] = { oldvalinv, newval };
	80	return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
	81	oldcheck^0xFFFF));
	82	}
	83
	84	/* Is this tuple already taken? (not by us) */
	85	int
	86	ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple,
	87	const struct ip_conntrack *ignored_conntrack)
	88	{
	89	/* Conntrack tracking doesn't keep track of outgoing tuples; only
	90	incoming ones. NAT means they don't have a fixed mapping,
	91	so we invert the tuple and look for the incoming reply.
	92
	93	We could keep a separate hash if this proves too slow. */
	94	struct ip_conntrack_tuple reply;
	95
	96	invert_tuplepr(&reply, tuple);
	97	return ip_conntrack_tuple_taken(&reply, ignored_conntrack);
	98	}
	99
	100	/* If we source map this tuple so reply looks like reply_tuple, will
	101	* that meet the constraints of range. */
	102	static int
	103	in_range(const struct ip_conntrack_tuple *tuple,
	104	const struct ip_nat_range *range)
	105	{
	106	struct ip_nat_protocol *proto = ip_nat_find_proto(tuple->dst.protonum);
	107
	108	/* If we are supposed to map IPs, then we must be in the
	109	range specified, otherwise let this drag us onto a new src IP. */
	110	if (range->flags & IP_NAT_RANGE_MAP_IPS) {
	111	if (ntohl(tuple->src.ip) < ntohl(range->min_ip)
	112	\|\| ntohl(tuple->src.ip) > ntohl(range->max_ip))
	113	return 0;
	114	}
	115
	116	if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
	117	\|\| proto->in_range(tuple, IP_NAT_MANIP_SRC,
	118	&range->min, &range->max))
	119	return 1;
	120
	121	return 0;
	122	}
	123
	124	static inline int
	125	same_src(const struct ip_conntrack *ct,
	126	const struct ip_conntrack_tuple *tuple)
	127	{
	128	return (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum
	129	== tuple->dst.protonum
	130	&& ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip
	131	== tuple->src.ip
	132	&& ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.all
	133	== tuple->src.u.all);
	134	}
135
136	/* Only called for SRC manip */
137	static int
138	find_appropriate_src(const struct ip_conntrack_tuple *tuple,
139	struct ip_conntrack_tuple *result,
140	const struct ip_nat_range *range)
141	{
142	unsigned int h = hash_by_src(tuple);
143	struct ip_conntrack *ct;
144
e45b1be8	145	read_lock_bh(&ip_nat_lock);
1da177e4 LT	146	list_for_each_entry(ct, &bysource[h], nat.info.bysource) {
	147	if (same_src(ct, tuple)) {
	148	/* Copy source part from reply tuple. */
	149	invert_tuplepr(result,
	150	&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
	151	result->dst = tuple->dst;
	152
	153	if (in_range(result, range)) {
e45b1be8	154	read_unlock_bh(&ip_nat_lock);
1da177e4 LT	155	return 1;
	156	}
	157	}
	158	}
e45b1be8	159	read_unlock_bh(&ip_nat_lock);
1da177e4 LT	160	return 0;
	161	}
	162
	163	/* For [FUTURE] fragmentation handling, we want the least-used
	164	src-ip/dst-ip/proto triple. Fairness doesn't come into it. Thus
	165	if the range specifies 1.2.3.4 ports 10000-10005 and 1.2.3.5 ports
	166	1-65535, we don't do pro-rata allocation based on ports; we choose
	167	the ip with the lowest src-ip/dst-ip/proto usage.
	168	*/
	169	static void
	170	find_best_ips_proto(struct ip_conntrack_tuple *tuple,
	171	const struct ip_nat_range *range,
	172	const struct ip_conntrack *conntrack,
	173	enum ip_nat_manip_type maniptype)
	174	{
	175	u_int32_t *var_ipp;
	176	/* Host order */
	177	u_int32_t minip, maxip, j;
	178
	179	/* No IP mapping? Do nothing. */
	180	if (!(range->flags & IP_NAT_RANGE_MAP_IPS))
	181	return;
	182
	183	if (maniptype == IP_NAT_MANIP_SRC)
	184	var_ipp = &tuple->src.ip;
	185	else
	186	var_ipp = &tuple->dst.ip;
	187
	188	/* Fast path: only one choice. */
	189	if (range->min_ip == range->max_ip) {
	190	*var_ipp = range->min_ip;
	191	return;
	192	}
	193
	194	/* Hashing source and destination IPs gives a fairly even
	195	* spread in practice (if there are a small number of IPs
	196	* involved, there usually aren't that many connections
	197	* anyway). The consistency means that servers see the same
	198	* client coming from the same IP (some Internet Banking sites
	199	* like this), even across reboots. */
	200	minip = ntohl(range->min_ip);
	201	maxip = ntohl(range->max_ip);
	202	j = jhash_2words(tuple->src.ip, tuple->dst.ip, 0);
	203	*var_ipp = htonl(minip + j % (maxip - minip + 1));
	204	}
	205
	206	/* Manipulate the tuple into the range given. For NF_IP_POST_ROUTING,
	207	* we change the source to map into the range. For NF_IP_PRE_ROUTING
	208	* and NF_IP_LOCAL_OUT, we change the destination to map into the
	209	* range. It might not be possible to get a unique tuple, but we try.
	210	* At worst (or if we race), we will end up with a final duplicate in
	211	* __ip_conntrack_confirm and drop the packet. */
	212	static void
	213	get_unique_tuple(struct ip_conntrack_tuple *tuple,
	214	const struct ip_conntrack_tuple *orig_tuple,
	215	const struct ip_nat_range *range,
	216	struct ip_conntrack *conntrack,
	217	enum ip_nat_manip_type maniptype)
	218	{
	219	struct ip_nat_protocol *proto
	220	= ip_nat_find_proto(orig_tuple->dst.protonum);
	221
	222	/* 1) If this srcip/proto/src-proto-part is currently mapped,
	223	and that same mapping gives a unique tuple within the given
224	range, use that.
225
226	This is only required for source (ie. NAT/masq) mappings.
227	So far, we don't do local source mappings, so multiple
228	manips not an issue. */
229	if (maniptype == IP_NAT_MANIP_SRC) {
230	if (find_appropriate_src(orig_tuple, tuple, range)) {
231	DEBUGP("get_unique_tuple: Found current src map\n");
232	if (!ip_nat_used_tuple(tuple, conntrack))
233	return;
234	}
235	}
236
237	/* 2) Select the least-used IP/proto combination in the given
238	range. */
239	tuple = orig_tuple;
240	find_best_ips_proto(tuple, range, conntrack, maniptype);
241
242	/* 3) The per-protocol part of the manip is made to map into
243	the range to make a unique tuple. */
244
245	/* Only bother mapping if it's not already in range and unique */
246	if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
247	\|\| proto->in_range(tuple, maniptype, &range->min, &range->max))
248	&& !ip_nat_used_tuple(tuple, conntrack))
249	return;
250
251	/* Last change: get protocol to try to obtain unique tuple. */
252	proto->unique_tuple(tuple, range, maniptype, conntrack);
253	}
254
255	unsigned int
256	ip_nat_setup_info(struct ip_conntrack *conntrack,
257	const struct ip_nat_range *range,
258	unsigned int hooknum)
259	{
260	struct ip_conntrack_tuple curr_tuple, new_tuple;
261	struct ip_nat_info *info = &conntrack->nat.info;
262	int have_to_hash = !(conntrack->status & IPS_NAT_DONE_MASK);
263	enum ip_nat_manip_type maniptype = HOOK2MANIP(hooknum);
264
265	IP_NF_ASSERT(hooknum == NF_IP_PRE_ROUTING
266	\|\| hooknum == NF_IP_POST_ROUTING
267	\|\| hooknum == NF_IP_LOCAL_IN
268	\|\| hooknum == NF_IP_LOCAL_OUT);
269	BUG_ON(ip_nat_initialized(conntrack, maniptype));
270
271	/* What we've got will look like inverse of reply. Normally
272	this is what is in the conntrack, except for prior
273	manipulations (future optimization: if num_manips == 0,
274	orig_tp =
275	conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple) */
276	invert_tuplepr(&curr_tuple,
277	&conntrack->tuplehash[IP_CT_DIR_REPLY].tuple);
278
279	get_unique_tuple(&new_tuple, &curr_tuple, range, conntrack, maniptype);
280
281	if (!ip_ct_tuple_equal(&new_tuple, &curr_tuple)) {
282	struct ip_conntrack_tuple reply;
283
284	/* Alter conntrack table so will recognize replies. */
285	invert_tuplepr(&reply, &new_tuple);
286	ip_conntrack_alter_reply(conntrack, &reply);
287
288	/* Non-atomic: we own this at the moment. */
289	if (maniptype == IP_NAT_MANIP_SRC)
290	conntrack->status \|= IPS_SRC_NAT;
291	else
292	conntrack->status \|= IPS_DST_NAT;
293	}
294
295	/* Place in source hash if this is the first time. */
296	if (have_to_hash) {
297	unsigned int srchash
298	= hash_by_src(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
299	.tuple);
e45b1be8	300	write_lock_bh(&ip_nat_lock);
1da177e4	301	list_add(&info->bysource, &bysource[srchash]);
e45b1be8	302	write_unlock_bh(&ip_nat_lock);
1da177e4 LT	303	}
	304
	305	/* It's done. */
	306	if (maniptype == IP_NAT_MANIP_DST)
	307	set_bit(IPS_DST_NAT_DONE_BIT, &conntrack->status);
	308	else
	309	set_bit(IPS_SRC_NAT_DONE_BIT, &conntrack->status);
	310
	311	return NF_ACCEPT;
	312	}
	313
	314	/* Returns true if succeeded. */
	315	static int
	316	manip_pkt(u_int16_t proto,
	317	struct sk_buff **pskb,
	318	unsigned int iphdroff,
	319	const struct ip_conntrack_tuple *target,
	320	enum ip_nat_manip_type maniptype)
	321	{
	322	struct iphdr *iph;
	323
1da177e4 LT	324	if (!skb_ip_make_writable(pskb, iphdroff + sizeof(*iph)))
	325	return 0;
	326
	327	iph = (void )(pskb)->data + iphdroff;
	328
	329	/* Manipulate protcol part. */
	330	if (!ip_nat_find_proto(proto)->manip_pkt(pskb, iphdroff,
	331	target, maniptype))
	332	return 0;
	333
	334	iph = (void )(pskb)->data + iphdroff;
	335
	336	if (maniptype == IP_NAT_MANIP_SRC) {
	337	iph->check = ip_nat_cheat_check(~iph->saddr, target->src.ip,
	338	iph->check);
	339	iph->saddr = target->src.ip;
	340	} else {
	341	iph->check = ip_nat_cheat_check(~iph->daddr, target->dst.ip,
	342	iph->check);
	343	iph->daddr = target->dst.ip;
	344	}
	345	return 1;
	346	}
	347
	348	/* Do packet manipulations according to ip_nat_setup_info. */
	349	unsigned int nat_packet(struct ip_conntrack *ct,
	350	enum ip_conntrack_info ctinfo,
	351	unsigned int hooknum,
	352	struct sk_buff **pskb)
	353	{
	354	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	355	unsigned long statusbit;
	356	enum ip_nat_manip_type mtype = HOOK2MANIP(hooknum);
	357
1da177e4 LT	358	if (mtype == IP_NAT_MANIP_SRC)
	359	statusbit = IPS_SRC_NAT;
	360	else
	361	statusbit = IPS_DST_NAT;
	362
	363	/* Invert if this is reply dir. */
	364	if (dir == IP_CT_DIR_REPLY)
	365	statusbit ^= IPS_NAT_MASK;
	366
	367	/* Non-atomic: these bits don't change. */
	368	if (ct->status & statusbit) {
	369	struct ip_conntrack_tuple target;
	370
	371	/* We are aiming to look like inverse of other direction. */
	372	invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
	373
	374	if (!manip_pkt(target.dst.protonum, pskb, 0, &target, mtype))
	375	return NF_DROP;
	376	}
	377	return NF_ACCEPT;
	378	}
	379
	380	/* Dir is direction ICMP is coming from (opposite to packet it contains) */
	381	int icmp_reply_translation(struct sk_buff **pskb,
	382	struct ip_conntrack *ct,
	383	enum ip_nat_manip_type manip,
	384	enum ip_conntrack_dir dir)
	385	{
	386	struct {
	387	struct icmphdr icmp;
	388	struct iphdr ip;
	389	} *inside;
	390	struct ip_conntrack_tuple inner, target;
	391	int hdrlen = (pskb)->nh.iph->ihl 4;
	392
	393	if (!skb_ip_make_writable(pskb, hdrlen + sizeof(*inside)))
	394	return 0;
	395
	396	inside = (void )(pskb)->data + (pskb)->nh.iph->ihl4;
	397
	398	/* We're actually going to mangle it beyond trivial checksum
	399	adjustment, so make sure the current checksum is correct. */
	400	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY) {
	401	hdrlen = (pskb)->nh.iph->ihl 4;
	402	if ((u16)csum_fold(skb_checksum(*pskb, hdrlen,
	403	(*pskb)->len - hdrlen, 0)))
	404	return 0;
	405	}
	406
	407	/* Must be RELATED */
	408	IP_NF_ASSERT((*pskb)->nfctinfo == IP_CT_RELATED \|\|
	409	(*pskb)->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY);
	410
	411	/* Redirects on non-null nats must be dropped, else they'll
	412	start talking to each other without our translation, and be
	413	confused... --RR */
	414	if (inside->icmp.type == ICMP_REDIRECT) {
	415	/* If NAT isn't finished, assume it and drop. */
	416	if ((ct->status & IPS_NAT_DONE_MASK) != IPS_NAT_DONE_MASK)
	417	return 0;
	418
	419	if (ct->status & IPS_NAT_MASK)
	420	return 0;
	421	}
422
423	DEBUGP("icmp_reply_translation: translating error %p manp %u dir %s\n",
424	*pskb, manip, dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY");
425
426	if (!ip_ct_get_tuple(&inside->ip, pskb, (pskb)->nh.iph->ihl*4 +
427	sizeof(struct icmphdr) + inside->ip.ihl*4,
428	&inner, ip_ct_find_proto(inside->ip.protocol)))
429	return 0;
430
431	/* Change inner back to look like incoming packet. We do the
432	opposite manip on this hook to normal, because it might not
433	pass all hooks (locally-generated ICMP). Consider incoming
434	packet: PREROUTING (DST manip), routing produces ICMP, goes
435	through POSTROUTING (which must correct the DST manip). */
436	if (!manip_pkt(inside->ip.protocol, pskb,
437	(pskb)->nh.iph->ihl4
438	+ sizeof(inside->icmp),
439	&ct->tuplehash[!dir].tuple,
440	!manip))
441	return 0;
442
443	/* Reloading "inside" here since manip_pkt inner. */
444	inside = (void )(pskb)->data + (pskb)->nh.iph->ihl4;
445	inside->icmp.checksum = 0;
446	inside->icmp.checksum = csum_fold(skb_checksum(*pskb, hdrlen,
447	(*pskb)->len - hdrlen,
448	0));
449
450	/* Change outer to look the reply to an incoming packet
451	* (proto 0 means don't invert per-proto part). */
452
453	/* Obviously, we need to NAT destination IP, but source IP
454	should be NAT'ed only if it is from a NAT'd host.
455
456	Explanation: some people use NAT for anonymizing. Also,
457	CERT recommends dropping all packets from private IP
458	addresses (although ICMP errors from internal links with
459	such addresses are not too uncommon, as Alan Cox points
460	out) */
461	if (manip != IP_NAT_MANIP_SRC
462	\|\| ((*pskb)->nh.iph->saddr == ct->tuplehash[dir].tuple.src.ip)) {
463	invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
464	if (!manip_pkt(0, pskb, 0, &target, manip))
465	return 0;
466	}
467
468	return 1;
469	}
470
471	/* Protocol registration. */
472	int ip_nat_protocol_register(struct ip_nat_protocol *proto)
473	{
474	int ret = 0;
475
e45b1be8	476	write_lock_bh(&ip_nat_lock);
1da177e4 LT	477	if (ip_nat_protos[proto->protonum] != &ip_nat_unknown_protocol) {
	478	ret = -EBUSY;
	479	goto out;
	480	}
	481	ip_nat_protos[proto->protonum] = proto;
	482	out:
e45b1be8	483	write_unlock_bh(&ip_nat_lock);
1da177e4 LT	484	return ret;
	485	}
	486
	487	/* Noone stores the protocol anywhere; simply delete it. */
	488	void ip_nat_protocol_unregister(struct ip_nat_protocol *proto)
	489	{
e45b1be8	490	write_lock_bh(&ip_nat_lock);
1da177e4	491	ip_nat_protos[proto->protonum] = &ip_nat_unknown_protocol;
e45b1be8	492	write_unlock_bh(&ip_nat_lock);
1da177e4 LT	493
	494	/* Someone could be still looking at the proto in a bh. */
	495	synchronize_net();
	496	}
	497
	498	int __init ip_nat_init(void)
	499	{
	500	size_t i;
	501
	502	/* Leave them the same for the moment. */
	503	ip_nat_htable_size = ip_conntrack_htable_size;
	504
	505	/* One vmalloc for both hash tables */
	506	bysource = vmalloc(sizeof(struct list_head) * ip_nat_htable_size);
	507	if (!bysource)
	508	return -ENOMEM;
	509
	510	/* Sew in builtin protocols. */
e45b1be8	511	write_lock_bh(&ip_nat_lock);
1da177e4 LT	512	for (i = 0; i < MAX_IP_NAT_PROTO; i++)
	513	ip_nat_protos[i] = &ip_nat_unknown_protocol;
	514	ip_nat_protos[IPPROTO_TCP] = &ip_nat_protocol_tcp;
	515	ip_nat_protos[IPPROTO_UDP] = &ip_nat_protocol_udp;
	516	ip_nat_protos[IPPROTO_ICMP] = &ip_nat_protocol_icmp;
e45b1be8	517	write_unlock_bh(&ip_nat_lock);
1da177e4 LT	518
	519	for (i = 0; i < ip_nat_htable_size; i++) {
	520	INIT_LIST_HEAD(&bysource[i]);
	521	}
	522
	523	/* FIXME: Man, this is a hack. <SIGH> */
	524	IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
	525	ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
	526
	527	/* Initialize fake conntrack so that NAT will skip it */
	528	ip_conntrack_untracked.status \|= IPS_NAT_DONE_MASK;
	529	return 0;
	530	}
	531
	532	/* Clear NAT section of all conntracks, in case we're loaded again. */
	533	static int clean_nat(struct ip_conntrack i, void data)
	534	{
	535	memset(&i->nat, 0, sizeof(i->nat));
	536	i->status &= ~(IPS_NAT_MASK \| IPS_NAT_DONE_MASK \| IPS_SEQ_ADJUST);
	537	return 0;
	538	}
	539
	540	/* Not __exit: called from ip_nat_standalone.c:init_or_cleanup() --RR */
	541	void ip_nat_cleanup(void)
	542	{
	543	ip_ct_iterate_cleanup(&clean_nat, NULL);
	544	ip_conntrack_destroyed = NULL;
	545	vfree(bysource);
	546	}