[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / nft_tproxy.c

/* SPDX-License-Identifier: GPL-2.0 */
#include <linux/module.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tproxy.h>
#include <net/inet_sock.h>
#include <net/tcp.h>
#include <linux/if_ether.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
#endif

struct nft_tproxy {
	enum nft_registers      sreg_addr:8;
	enum nft_registers      sreg_port:8;
	u8			family;
};

static void nft_tproxy_eval_v4(const struct nft_expr *expr,
			       struct nft_regs *regs,
			       const struct nft_pktinfo *pkt)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	const struct iphdr *iph = ip_hdr(skb);
	struct udphdr _hdr, *hp;
	__be32 taddr = 0;
	__be16 tport = 0;
	struct sock *sk;

	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
	if (!hp) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	/* check if there's an ongoing connection on the packet addresses, this
	 * happens if the redirect already happened and the current packet
	 * belongs to an already established connection
	 */
	sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
				   iph->saddr, iph->daddr,
				   hp->source, hp->dest,
				   skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);

	if (priv->sreg_addr)
		taddr = regs->data[priv->sreg_addr];
	taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);

	if (priv->sreg_port)
		tport = regs->data[priv->sreg_port];
	if (!tport)
		tport = hp->dest;

	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	if (sk && sk->sk_state == TCP_TIME_WAIT) {
		/* reopening a TIME_WAIT connection needs special handling */
		sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk);
	} else if (!sk) {
		/* no, there's no established connection, check if
		 * there's a listener on the redirected addr/port
		 */
		sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
					   iph->saddr, taddr,
					   hp->source, tport,
					   skb->dev, NF_TPROXY_LOOKUP_LISTENER);
	}

	if (sk && nf_tproxy_sk_is_transparent(sk))
		nf_tproxy_assign_sock(skb, sk);
	else
		regs->verdict.code = NFT_BREAK;
}

#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
static void nft_tproxy_eval_v6(const struct nft_expr *expr,
			       struct nft_regs *regs,
			       const struct nft_pktinfo *pkt)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	const struct ipv6hdr *iph = ipv6_hdr(skb);
	struct in6_addr taddr;
	int thoff = pkt->xt.thoff;
	struct udphdr _hdr, *hp;
	__be16 tport = 0;
	struct sock *sk;
	int l4proto;

	memset(&taddr, 0, sizeof(taddr));

	if (!pkt->tprot_set) {
		regs->verdict.code = NFT_BREAK;
		return;
	}
	l4proto = pkt->tprot;

	hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
	if (hp == NULL) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	/* check if there's an ongoing connection on the packet addresses, this
	 * happens if the redirect already happened and the current packet
	 * belongs to an already established connection
	 */
	sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto,
				   &iph->saddr, &iph->daddr,
				   hp->source, hp->dest,
				   nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED);

	if (priv->sreg_addr)
		memcpy(&taddr, &regs->data[priv->sreg_addr], sizeof(taddr));
	taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);

	if (priv->sreg_port)
		tport = regs->data[priv->sreg_port];
	if (!tport)
		tport = hp->dest;

	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	if (sk && sk->sk_state == TCP_TIME_WAIT) {
		/* reopening a TIME_WAIT connection needs special handling */
		sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff,
						 nft_net(pkt),
						 &taddr,
						 tport,
						 sk);
	} else if (!sk) {
		/* no there's no established connection, check if
		 * there's a listener on the redirected addr/port
		 */
		sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff,
					   l4proto, &iph->saddr, &taddr,
					   hp->source, tport,
					   nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER);
	}

	/* NOTE: assign_sock consumes our sk reference */
	if (sk && nf_tproxy_sk_is_transparent(sk))
		nf_tproxy_assign_sock(skb, sk);
	else
		regs->verdict.code = NFT_BREAK;
}
#endif

static void nft_tproxy_eval(const struct nft_expr *expr,
			    struct nft_regs *regs,
			    const struct nft_pktinfo *pkt)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);

	switch (nft_pf(pkt)) {
	case NFPROTO_IPV4:
		switch (priv->family) {
		case NFPROTO_IPV4:
		case NFPROTO_UNSPEC:
			nft_tproxy_eval_v4(expr, regs, pkt);
			return;
		}
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		switch (priv->family) {
		case NFPROTO_IPV6:
		case NFPROTO_UNSPEC:
			nft_tproxy_eval_v6(expr, regs, pkt);
			return;
		}
#endif
	}
	regs->verdict.code = NFT_BREAK;
}

static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
	[NFTA_TPROXY_FAMILY]   = { .type = NLA_U32 },
	[NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
	[NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
};

static int nft_tproxy_init(const struct nft_ctx *ctx,
			   const struct nft_expr *expr,
			   const struct nlattr * const tb[])
{
	struct nft_tproxy *priv = nft_expr_priv(expr);
	unsigned int alen = 0;
	int err;

	if (!tb[NFTA_TPROXY_FAMILY] ||
	    (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
		return -EINVAL;

	priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));

	switch (ctx->family) {
	case NFPROTO_IPV4:
		if (priv->family != NFPROTO_IPV4)
			return -EINVAL;
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		if (priv->family != NFPROTO_IPV6)
			return -EINVAL;
		break;
#endif
	case NFPROTO_INET:
		break;
	default:
		return -EOPNOTSUPP;
	}

	/* Address is specified but the rule family is not set accordingly */
	if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
		return -EINVAL;

	switch (priv->family) {
	case NFPROTO_IPV4:
		alen = FIELD_SIZEOF(union nf_inet_addr, in);
		err = nf_defrag_ipv4_enable(ctx->net);
		if (err)
			return err;
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		alen = FIELD_SIZEOF(union nf_inet_addr, in6);
		err = nf_defrag_ipv6_enable(ctx->net);
		if (err)
			return err;
		break;
#endif
	case NFPROTO_UNSPEC:
		/* No address is specified here */
		err = nf_defrag_ipv4_enable(ctx->net);
		if (err)
			return err;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
		err = nf_defrag_ipv6_enable(ctx->net);
		if (err)
			return err;
#endif
		break;
	default:
		return -EOPNOTSUPP;
	}

	if (tb[NFTA_TPROXY_REG_ADDR]) {
		priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
		err = nft_validate_register_load(priv->sreg_addr, alen);
		if (err < 0)
			return err;
	}

	if (tb[NFTA_TPROXY_REG_PORT]) {
		priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
		err = nft_validate_register_load(priv->sreg_port, sizeof(u16));
		if (err < 0)
			return err;
	}

	return 0;
}

static int nft_tproxy_dump(struct sk_buff *skb,
			   const struct nft_expr *expr)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family)))
		return -1;

	if (priv->sreg_addr &&
	    nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr))
		return -1;

	if (priv->sreg_port &&
	    nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port))
			return -1;

	return 0;
}

static struct nft_expr_type nft_tproxy_type;
static const struct nft_expr_ops nft_tproxy_ops = {
	.type		= &nft_tproxy_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_tproxy)),
	.eval		= nft_tproxy_eval,
	.init		= nft_tproxy_init,
	.dump		= nft_tproxy_dump,
};

static struct nft_expr_type nft_tproxy_type __read_mostly = {
	.name		= "tproxy",
	.ops		= &nft_tproxy_ops,
	.policy		= nft_tproxy_policy,
	.maxattr	= NFTA_TPROXY_MAX,
	.owner		= THIS_MODULE,
};

static int __init nft_tproxy_module_init(void)
{
	return nft_register_expr(&nft_tproxy_type);
}

static void __exit nft_tproxy_module_exit(void)
{
	nft_unregister_expr(&nft_tproxy_type);
}

module_init(nft_tproxy_module_init);
module_exit(nft_tproxy_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Máté Eckl");
MODULE_DESCRIPTION("nf_tables tproxy support module");
MODULE_ALIAS_NFT_EXPR("tproxy");
Commit	Line	Data
4ed8eb65 ME	1	/* SPDX-License-Identifier: GPL-2.0 */
	2	#include <linux/module.h>
	3	#include <linux/netfilter/nf_tables.h>
	4	#include <net/netfilter/nf_tables.h>
	5	#include <net/netfilter/nf_tables_core.h>
	6	#include <net/netfilter/nf_tproxy.h>
	7	#include <net/inet_sock.h>
	8	#include <net/tcp.h>
	9	#include <linux/if_ether.h>
	10	#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
	11	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	12	#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
	13	#endif
	14
	15	struct nft_tproxy {
	16	enum nft_registers sreg_addr:8;
	17	enum nft_registers sreg_port:8;
	18	u8 family;
	19	};
	20
	21	static void nft_tproxy_eval_v4(const struct nft_expr *expr,
	22	struct nft_regs *regs,
	23	const struct nft_pktinfo *pkt)
	24	{
	25	const struct nft_tproxy *priv = nft_expr_priv(expr);
	26	struct sk_buff *skb = pkt->skb;
	27	const struct iphdr *iph = ip_hdr(skb);
	28	struct udphdr _hdr, *hp;
	29	__be32 taddr = 0;
	30	__be16 tport = 0;
	31	struct sock *sk;
	32
	33	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
	34	if (!hp) {
	35	regs->verdict.code = NFT_BREAK;
	36	return;
	37	}
	38
	39	/* check if there's an ongoing connection on the packet addresses, this
	40	* happens if the redirect already happened and the current packet
	41	* belongs to an already established connection
	42	*/
	43	sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
	44	iph->saddr, iph->daddr,
	45	hp->source, hp->dest,
	46	skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
	47
	48	if (priv->sreg_addr)
	49	taddr = regs->data[priv->sreg_addr];
	50	taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
	51
	52	if (priv->sreg_port)
	53	tport = regs->data[priv->sreg_port];
	54	if (!tport)
	55	tport = hp->dest;
	56
	57	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	58	if (sk && sk->sk_state == TCP_TIME_WAIT) {
	59	/* reopening a TIME_WAIT connection needs special handling */
	60	sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk);
	61	} else if (!sk) {
	62	/* no, there's no established connection, check if
	63	* there's a listener on the redirected addr/port
	64	*/
65	sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
66	iph->saddr, taddr,
67	hp->source, tport,
68	skb->dev, NF_TPROXY_LOOKUP_LISTENER);
69	}
70
71	if (sk && nf_tproxy_sk_is_transparent(sk))
72	nf_tproxy_assign_sock(skb, sk);
73	else
74	regs->verdict.code = NFT_BREAK;
75	}
76
77	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
78	static void nft_tproxy_eval_v6(const struct nft_expr *expr,
79	struct nft_regs *regs,
80	const struct nft_pktinfo *pkt)
81	{
82	const struct nft_tproxy *priv = nft_expr_priv(expr);
83	struct sk_buff *skb = pkt->skb;
84	const struct ipv6hdr *iph = ipv6_hdr(skb);
90d827f0	85	struct in6_addr taddr;
4ed8eb65 ME	86	int thoff = pkt->xt.thoff;
	87	struct udphdr _hdr, *hp;
	88	__be16 tport = 0;
	89	struct sock *sk;
	90	int l4proto;
	91
90d827f0 ME	92	memset(&taddr, 0, sizeof(taddr));
90d827f0 ME	93
4ed8eb65 ME	94	if (!pkt->tprot_set) {
	95	regs->verdict.code = NFT_BREAK;
	96	return;
	97	}
	98	l4proto = pkt->tprot;
	99
	100	hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
	101	if (hp == NULL) {
	102	regs->verdict.code = NFT_BREAK;
	103	return;
	104	}
	105
	106	/* check if there's an ongoing connection on the packet addresses, this
	107	* happens if the redirect already happened and the current packet
	108	* belongs to an already established connection
	109	*/
	110	sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto,
	111	&iph->saddr, &iph->daddr,
	112	hp->source, hp->dest,
	113	nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED);
	114
	115	if (priv->sreg_addr)
	116	memcpy(&taddr, &regs->data[priv->sreg_addr], sizeof(taddr));
	117	taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);
	118
	119	if (priv->sreg_port)
	120	tport = regs->data[priv->sreg_port];
	121	if (!tport)
	122	tport = hp->dest;
	123
	124	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	125	if (sk && sk->sk_state == TCP_TIME_WAIT) {
	126	/* reopening a TIME_WAIT connection needs special handling */
	127	sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff,
	128	nft_net(pkt),
	129	&taddr,
	130	tport,
	131	sk);
	132	} else if (!sk) {
	133	/* no there's no established connection, check if
	134	* there's a listener on the redirected addr/port
	135	*/
	136	sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff,
	137	l4proto, &iph->saddr, &taddr,
	138	hp->source, tport,
	139	nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER);
	140	}
	141
	142	/* NOTE: assign_sock consumes our sk reference */
	143	if (sk && nf_tproxy_sk_is_transparent(sk))
	144	nf_tproxy_assign_sock(skb, sk);
	145	else
	146	regs->verdict.code = NFT_BREAK;
	147	}
	148	#endif
	149
	150	static void nft_tproxy_eval(const struct nft_expr *expr,
	151	struct nft_regs *regs,
	152	const struct nft_pktinfo *pkt)
	153	{
	154	const struct nft_tproxy *priv = nft_expr_priv(expr);
	155
	156	switch (nft_pf(pkt)) {
	157	case NFPROTO_IPV4:
158	switch (priv->family) {
159	case NFPROTO_IPV4:
160	case NFPROTO_UNSPEC:
161	nft_tproxy_eval_v4(expr, regs, pkt);
162	return;
163	}
164	break;
165	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
166	case NFPROTO_IPV6:
167	switch (priv->family) {
168	case NFPROTO_IPV6:
169	case NFPROTO_UNSPEC:
170	nft_tproxy_eval_v6(expr, regs, pkt);
171	return;
172	}
173	#endif
174	}
175	regs->verdict.code = NFT_BREAK;
176	}
177
178	static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
179	[NFTA_TPROXY_FAMILY] = { .type = NLA_U32 },
180	[NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
181	[NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
182	};
183
184	static int nft_tproxy_init(const struct nft_ctx *ctx,
185	const struct nft_expr *expr,
186	const struct nlattr * const tb[])
187	{
188	struct nft_tproxy *priv = nft_expr_priv(expr);
189	unsigned int alen = 0;
190	int err;
191
192	if (!tb[NFTA_TPROXY_FAMILY] \|\|
193	(!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
194	return -EINVAL;
195
196	priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
197
198	switch (ctx->family) {
199	case NFPROTO_IPV4:
200	if (priv->family != NFPROTO_IPV4)
201	return -EINVAL;
202	break;
203	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
204	case NFPROTO_IPV6:
205	if (priv->family != NFPROTO_IPV6)
206	return -EINVAL;
207	break;
208	#endif
209	case NFPROTO_INET:
210	break;
211	default:
212	return -EOPNOTSUPP;
213	}
214
215	/* Address is specified but the rule family is not set accordingly */
216	if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
217	return -EINVAL;
218
219	switch (priv->family) {
220	case NFPROTO_IPV4:
221	alen = FIELD_SIZEOF(union nf_inet_addr, in);
222	err = nf_defrag_ipv4_enable(ctx->net);
223	if (err)
224	return err;
225	break;
226	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
227	case NFPROTO_IPV6:
228	alen = FIELD_SIZEOF(union nf_inet_addr, in6);
229	err = nf_defrag_ipv6_enable(ctx->net);
230	if (err)
231	return err;
232	break;
233	#endif
234	case NFPROTO_UNSPEC:
235	/* No address is specified here */
236	err = nf_defrag_ipv4_enable(ctx->net);
237	if (err)
238	return err;
033eab53	239	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
4ed8eb65 ME	240	err = nf_defrag_ipv6_enable(ctx->net);
	241	if (err)
	242	return err;
033eab53	243	#endif
4ed8eb65 ME	244	break;
	245	default:
	246	return -EOPNOTSUPP;
	247	}
	248
	249	if (tb[NFTA_TPROXY_REG_ADDR]) {
	250	priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
	251	err = nft_validate_register_load(priv->sreg_addr, alen);
	252	if (err < 0)
	253	return err;
	254	}
	255
	256	if (tb[NFTA_TPROXY_REG_PORT]) {
	257	priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
	258	err = nft_validate_register_load(priv->sreg_port, sizeof(u16));
	259	if (err < 0)
	260	return err;
	261	}
	262
	263	return 0;
	264	}
	265
	266	static int nft_tproxy_dump(struct sk_buff *skb,
	267	const struct nft_expr *expr)
	268	{
	269	const struct nft_tproxy *priv = nft_expr_priv(expr);
	270
	271	if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family)))
	272	return -1;
	273
	274	if (priv->sreg_addr &&
	275	nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr))
	276	return -1;
	277
	278	if (priv->sreg_port &&
	279	nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port))
	280	return -1;
	281
	282	return 0;
	283	}
	284
	285	static struct nft_expr_type nft_tproxy_type;
	286	static const struct nft_expr_ops nft_tproxy_ops = {
	287	.type = &nft_tproxy_type,
	288	.size = NFT_EXPR_SIZE(sizeof(struct nft_tproxy)),
	289	.eval = nft_tproxy_eval,
	290	.init = nft_tproxy_init,
	291	.dump = nft_tproxy_dump,
	292	};
	293
	294	static struct nft_expr_type nft_tproxy_type __read_mostly = {
	295	.name = "tproxy",
	296	.ops = &nft_tproxy_ops,
	297	.policy = nft_tproxy_policy,
	298	.maxattr = NFTA_TPROXY_MAX,
	299	.owner = THIS_MODULE,
	300	};
	301
	302	static int __init nft_tproxy_module_init(void)
	303	{
	304	return nft_register_expr(&nft_tproxy_type);
	305	}
	306
	307	static void __exit nft_tproxy_module_exit(void)
308	{
309	nft_unregister_expr(&nft_tproxy_type);
310	}
311
312	module_init(nft_tproxy_module_init);
313	module_exit(nft_tproxy_module_exit);
314
315	MODULE_LICENSE("GPL");
316	MODULE_AUTHOR("Máté Eckl");
317	MODULE_DESCRIPTION("nf_tables tproxy support module");
318	MODULE_ALIAS_NFT_EXPR("tproxy");