]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/blob - net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
projects / mirror_ubuntu-eoan-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nat: fix spurious connection timeouts
[mirror_ubuntu-eoan-kernel.git] / net / ipv6 / netfilter / nf_nat_l3proto_ipv6.c
1 /*
2 * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * Development of IPv6 NAT funded by Astaro.
9 */
10 #include <linux/types.h>
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/ipv6.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter_ipv6.h>
16 #include <net/secure_seq.h>
17 #include <net/checksum.h>
18 #include <net/ip6_checksum.h>
19 #include <net/ip6_route.h>
20 #include <net/ipv6.h>
21
22 #include <net/netfilter/nf_conntrack_core.h>
23 #include <net/netfilter/nf_conntrack.h>
24 #include <net/netfilter/nf_nat_core.h>
25 #include <net/netfilter/nf_nat_l3proto.h>
26 #include <net/netfilter/nf_nat_l4proto.h>
27
28 static const struct nf_nat_l3proto nf_nat_l3proto_ipv6;
29
30 #ifdef CONFIG_XFRM
31 static void nf_nat_ipv6_decode_session(struct sk_buff *skb,
32 const struct nf_conn *ct,
33 enum ip_conntrack_dir dir,
34 unsigned long statusbit,
35 struct flowi *fl)
36 {
37 const struct nf_conntrack_tuple *t = &ct->tuplehash[dir].tuple;
38 struct flowi6 *fl6 = &fl->u.ip6;
39
40 if (ct->status & statusbit) {
41 fl6->daddr = t->dst.u3.in6;
42 if (t->dst.protonum == IPPROTO_TCP ||
43 t->dst.protonum == IPPROTO_UDP ||
44 t->dst.protonum == IPPROTO_UDPLITE ||
45 t->dst.protonum == IPPROTO_DCCP ||
46 t->dst.protonum == IPPROTO_SCTP)
47 fl6->fl6_dport = t->dst.u.all;
48 }
49
50 statusbit ^= IPS_NAT_MASK;
51
52 if (ct->status & statusbit) {
53 fl6->saddr = t->src.u3.in6;
54 if (t->dst.protonum == IPPROTO_TCP ||
55 t->dst.protonum == IPPROTO_UDP ||
56 t->dst.protonum == IPPROTO_UDPLITE ||
57 t->dst.protonum == IPPROTO_DCCP ||
58 t->dst.protonum == IPPROTO_SCTP)
59 fl6->fl6_sport = t->src.u.all;
60 }
61 }
62 #endif
63
64 static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
65 unsigned int iphdroff,
66 const struct nf_conntrack_tuple *target,
67 enum nf_nat_manip_type maniptype)
68 {
69 struct ipv6hdr *ipv6h;
70 __be16 frag_off;
71 int hdroff;
72 u8 nexthdr;
73
74 if (!skb_make_writable(skb, iphdroff + sizeof(*ipv6h)))
75 return false;
76
77 ipv6h = (void *)skb->data + iphdroff;
78 nexthdr = ipv6h->nexthdr;
79 hdroff = ipv6_skip_exthdr(skb, iphdroff + sizeof(*ipv6h),
80 &nexthdr, &frag_off);
81 if (hdroff < 0)
82 goto manip_addr;
83
84 if ((frag_off & htons(~0x7)) == 0 &&
85 !nf_nat_l4proto_manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
86 target, maniptype))
87 return false;
88
89 /* must reload, offset might have changed */
90 ipv6h = (void *)skb->data + iphdroff;
91
92 manip_addr:
93 if (maniptype == NF_NAT_MANIP_SRC)
94 ipv6h->saddr = target->src.u3.in6;
95 else
96 ipv6h->daddr = target->dst.u3.in6;
97
98 return true;
99 }
100
101 static void nf_nat_ipv6_csum_update(struct sk_buff *skb,
102 unsigned int iphdroff, __sum16 *check,
103 const struct nf_conntrack_tuple *t,
104 enum nf_nat_manip_type maniptype)
105 {
106 const struct ipv6hdr *ipv6h = (struct ipv6hdr *)(skb->data + iphdroff);
107 const struct in6_addr *oldip, *newip;
108
109 if (maniptype == NF_NAT_MANIP_SRC) {
110 oldip = &ipv6h->saddr;
111 newip = &t->src.u3.in6;
112 } else {
113 oldip = &ipv6h->daddr;
114 newip = &t->dst.u3.in6;
115 }
116 inet_proto_csum_replace16(check, skb, oldip->s6_addr32,
117 newip->s6_addr32, true);
118 }
119
120 static void nf_nat_ipv6_csum_recalc(struct sk_buff *skb,
121 u8 proto, void *data, __sum16 *check,
122 int datalen, int oldlen)
123 {
124 if (skb->ip_summed != CHECKSUM_PARTIAL) {
125 const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
126
127 skb->ip_summed = CHECKSUM_PARTIAL;
128 skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) +
129 (data - (void *)skb->data);
130 skb->csum_offset = (void *)check - data;
131 *check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
132 datalen, proto, 0);
133 } else
134 inet_proto_csum_replace2(check, skb,
135 htons(oldlen), htons(datalen), true);
136 }
137
138 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
139 static int nf_nat_ipv6_nlattr_to_range(struct nlattr *tb[],
140 struct nf_nat_range2 *range)
141 {
142 if (tb[CTA_NAT_V6_MINIP]) {
143 nla_memcpy(&range->min_addr.ip6, tb[CTA_NAT_V6_MINIP],
144 sizeof(struct in6_addr));
145 range->flags |= NF_NAT_RANGE_MAP_IPS;
146 }
147
148 if (tb[CTA_NAT_V6_MAXIP])
149 nla_memcpy(&range->max_addr.ip6, tb[CTA_NAT_V6_MAXIP],
150 sizeof(struct in6_addr));
151 else
152 range->max_addr = range->min_addr;
153
154 return 0;
155 }
156 #endif
157
158 static const struct nf_nat_l3proto nf_nat_l3proto_ipv6 = {
159 .l3proto = NFPROTO_IPV6,
160 .manip_pkt = nf_nat_ipv6_manip_pkt,
161 .csum_update = nf_nat_ipv6_csum_update,
162 .csum_recalc = nf_nat_ipv6_csum_recalc,
163 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
164 .nlattr_to_range = nf_nat_ipv6_nlattr_to_range,
165 #endif
166 #ifdef CONFIG_XFRM
167 .decode_session = nf_nat_ipv6_decode_session,
168 #endif
169 };
170
171 int nf_nat_icmpv6_reply_translation(struct sk_buff *skb,
172 struct nf_conn *ct,
173 enum ip_conntrack_info ctinfo,
174 unsigned int hooknum,
175 unsigned int hdrlen)
176 {
177 struct {
178 struct icmp6hdr icmp6;
179 struct ipv6hdr ip6;
180 } *inside;
181 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
182 enum nf_nat_manip_type manip = HOOK2MANIP(hooknum);
183 struct nf_conntrack_tuple target;
184 unsigned long statusbit;
185
186 WARN_ON(ctinfo != IP_CT_RELATED && ctinfo != IP_CT_RELATED_REPLY);
187
188 if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
189 return 0;
190 if (nf_ip6_checksum(skb, hooknum, hdrlen, IPPROTO_ICMPV6))
191 return 0;
192
193 inside = (void *)skb->data + hdrlen;
194 if (inside->icmp6.icmp6_type == NDISC_REDIRECT) {
195 if ((ct->status & IPS_NAT_DONE_MASK) != IPS_NAT_DONE_MASK)
196 return 0;
197 if (ct->status & IPS_NAT_MASK)
198 return 0;
199 }
200
201 if (manip == NF_NAT_MANIP_SRC)
202 statusbit = IPS_SRC_NAT;
203 else
204 statusbit = IPS_DST_NAT;
205
206 /* Invert if this is reply direction */
207 if (dir == IP_CT_DIR_REPLY)
208 statusbit ^= IPS_NAT_MASK;
209
210 if (!(ct->status & statusbit))
211 return 1;
212
213 if (!nf_nat_ipv6_manip_pkt(skb, hdrlen + sizeof(inside->icmp6),
214 &ct->tuplehash[!dir].tuple, !manip))
215 return 0;
216
217 if (skb->ip_summed != CHECKSUM_PARTIAL) {
218 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
219 inside = (void *)skb->data + hdrlen;
220 inside->icmp6.icmp6_cksum = 0;
221 inside->icmp6.icmp6_cksum =
222 csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
223 skb->len - hdrlen, IPPROTO_ICMPV6,
224 skb_checksum(skb, hdrlen,
225 skb->len - hdrlen, 0));
226 }
227
228 nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
229 target.dst.protonum = IPPROTO_ICMPV6;
230 if (!nf_nat_ipv6_manip_pkt(skb, 0, &target, manip))
231 return 0;
232
233 return 1;
234 }
235 EXPORT_SYMBOL_GPL(nf_nat_icmpv6_reply_translation);
236
237 static unsigned int
238 nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
239 const struct nf_hook_state *state)
240 {
241 struct nf_conn *ct;
242 enum ip_conntrack_info ctinfo;
243 __be16 frag_off;
244 int hdrlen;
245 u8 nexthdr;
246
247 ct = nf_ct_get(skb, &ctinfo);
248 /* Can't track? It's not due to stress, or conntrack would
249 * have dropped it. Hence it's the user's responsibilty to
250 * packet filter it out, or implement conntrack/NAT for that
251 * protocol. 8) --RR
252 */
253 if (!ct)
254 return NF_ACCEPT;
255
256 if (ctinfo == IP_CT_RELATED || ctinfo == IP_CT_RELATED_REPLY) {
257 nexthdr = ipv6_hdr(skb)->nexthdr;
258 hdrlen = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
259 &nexthdr, &frag_off);
260
261 if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
262 if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo,
263 state->hook,
264 hdrlen))
265 return NF_DROP;
266 else
267 return NF_ACCEPT;
268 }
269 }
270
271 return nf_nat_inet_fn(priv, skb, state);
272 }
273
274 static unsigned int
275 nf_nat_ipv6_in(void *priv, struct sk_buff *skb,
276 const struct nf_hook_state *state)
277 {
278 unsigned int ret;
279 struct in6_addr daddr = ipv6_hdr(skb)->daddr;
280
281 ret = nf_nat_ipv6_fn(priv, skb, state);
282 if (ret != NF_DROP && ret != NF_STOLEN &&
283 ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr))
284 skb_dst_drop(skb);
285
286 return ret;
287 }
288
289 static unsigned int
290 nf_nat_ipv6_out(void *priv, struct sk_buff *skb,
291 const struct nf_hook_state *state)
292 {
293 #ifdef CONFIG_XFRM
294 const struct nf_conn *ct;
295 enum ip_conntrack_info ctinfo;
296 int err;
297 #endif
298 unsigned int ret;
299
300 ret = nf_nat_ipv6_fn(priv, skb, state);
301 #ifdef CONFIG_XFRM
302 if (ret != NF_DROP && ret != NF_STOLEN &&
303 !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
304 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
305 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
306
307 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3,
308 &ct->tuplehash[!dir].tuple.dst.u3) ||
309 (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
310 ct->tuplehash[dir].tuple.src.u.all !=
311 ct->tuplehash[!dir].tuple.dst.u.all)) {
312 err = nf_xfrm_me_harder(state->net, skb, AF_INET6);
313 if (err < 0)
314 ret = NF_DROP_ERR(err);
315 }
316 }
317 #endif
318 return ret;
319 }
320
321 static unsigned int
322 nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb,
323 const struct nf_hook_state *state)
324 {
325 const struct nf_conn *ct;
326 enum ip_conntrack_info ctinfo;
327 unsigned int ret;
328 int err;
329
330 ret = nf_nat_ipv6_fn(priv, skb, state);
331 if (ret != NF_DROP && ret != NF_STOLEN &&
332 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
333 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
334
335 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3,
336 &ct->tuplehash[!dir].tuple.src.u3)) {
337 err = ip6_route_me_harder(state->net, skb);
338 if (err < 0)
339 ret = NF_DROP_ERR(err);
340 }
341 #ifdef CONFIG_XFRM
342 else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
343 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
344 ct->tuplehash[dir].tuple.dst.u.all !=
345 ct->tuplehash[!dir].tuple.src.u.all) {
346 err = nf_xfrm_me_harder(state->net, skb, AF_INET6);
347 if (err < 0)
348 ret = NF_DROP_ERR(err);
349 }
350 #endif
351 }
352 return ret;
353 }
354
355 static const struct nf_hook_ops nf_nat_ipv6_ops[] = {
356 /* Before packet filtering, change destination */
357 {
358 .hook = nf_nat_ipv6_in,
359 .pf = NFPROTO_IPV6,
360 .hooknum = NF_INET_PRE_ROUTING,
361 .priority = NF_IP6_PRI_NAT_DST,
362 },
363 /* After packet filtering, change source */
364 {
365 .hook = nf_nat_ipv6_out,
366 .pf = NFPROTO_IPV6,
367 .hooknum = NF_INET_POST_ROUTING,
368 .priority = NF_IP6_PRI_NAT_SRC,
369 },
370 /* Before packet filtering, change destination */
371 {
372 .hook = nf_nat_ipv6_local_fn,
373 .pf = NFPROTO_IPV6,
374 .hooknum = NF_INET_LOCAL_OUT,
375 .priority = NF_IP6_PRI_NAT_DST,
376 },
377 /* After packet filtering, change source */
378 {
379 .hook = nf_nat_ipv6_fn,
380 .pf = NFPROTO_IPV6,
381 .hooknum = NF_INET_LOCAL_IN,
382 .priority = NF_IP6_PRI_NAT_SRC,
383 },
384 };
385
386 int nf_nat_l3proto_ipv6_register_fn(struct net *net, const struct nf_hook_ops *ops)
387 {
388 return nf_nat_register_fn(net, ops, nf_nat_ipv6_ops, ARRAY_SIZE(nf_nat_ipv6_ops));
389 }
390 EXPORT_SYMBOL_GPL(nf_nat_l3proto_ipv6_register_fn);
391
392 void nf_nat_l3proto_ipv6_unregister_fn(struct net *net, const struct nf_hook_ops *ops)
393 {
394 nf_nat_unregister_fn(net, ops, ARRAY_SIZE(nf_nat_ipv6_ops));
395 }
396 EXPORT_SYMBOL_GPL(nf_nat_l3proto_ipv6_unregister_fn);
397
398 static int __init nf_nat_l3proto_ipv6_init(void)
399 {
400 return nf_nat_l3proto_register(&nf_nat_l3proto_ipv6);
401 }
402
403 static void __exit nf_nat_l3proto_ipv6_exit(void)
404 {
405 nf_nat_l3proto_unregister(&nf_nat_l3proto_ipv6);
406 }
407
408 MODULE_LICENSE("GPL");
409 MODULE_ALIAS("nf-nat-" __stringify(AF_INET6));
410
411 module_init(nf_nat_l3proto_ipv6_init);
412 module_exit(nf_nat_l3proto_ipv6_exit);
Ubuntu Eoan Linux kernel mirror