2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
3 * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
4 * Copyright (c) 2012 Intel Corporation
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
10 * Development of this code funded by Astaro AG (http://www.astaro.com/)
13 #include <linux/module.h>
14 #include <linux/init.h>
15 #include <linux/list.h>
16 #include <linux/skbuff.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter_ipv4.h>
20 #include <linux/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_conntrack.h>
22 #include <net/netfilter/nf_nat.h>
23 #include <net/netfilter/nf_nat_core.h>
24 #include <net/netfilter/nf_tables.h>
25 #include <net/netfilter/nf_tables_ipv4.h>
26 #include <net/netfilter/nf_nat_l3proto.h>
33 static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
35 const struct net_device *in,
36 const struct net_device *out,
37 int (*okfn)(struct sk_buff *))
39 enum ip_conntrack_info ctinfo;
40 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
41 struct nf_conn_nat *nat;
42 enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
43 struct nft_pktinfo pkt;
46 if (ct == NULL || nf_ct_is_untracked(ct))
49 NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
51 nat = nf_ct_nat_ext_add(ct);
57 case IP_CT_RELATED + IP_CT_IS_REPLY:
58 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
59 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
67 if (nf_nat_initialized(ct, maniptype))
70 nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
72 ret = nft_do_chain(&pkt, ops);
75 if (!nf_nat_initialized(ct, maniptype)) {
76 ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
84 return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
87 static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
89 const struct net_device *in,
90 const struct net_device *out,
91 int (*okfn)(struct sk_buff *))
93 __be32 daddr = ip_hdr(skb)->daddr;
96 ret = nf_nat_fn(ops, skb, in, out, okfn);
97 if (ret != NF_DROP && ret != NF_STOLEN &&
98 ip_hdr(skb)->daddr != daddr) {
104 static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
106 const struct net_device *in,
107 const struct net_device *out,
108 int (*okfn)(struct sk_buff *))
110 enum ip_conntrack_info ctinfo __maybe_unused;
111 const struct nf_conn *ct __maybe_unused;
114 ret = nf_nat_fn(ops, skb, in, out, okfn);
116 if (ret != NF_DROP && ret != NF_STOLEN &&
117 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
118 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
120 if (ct->tuplehash[dir].tuple.src.u3.ip !=
121 ct->tuplehash[!dir].tuple.dst.u3.ip ||
122 ct->tuplehash[dir].tuple.src.u.all !=
123 ct->tuplehash[!dir].tuple.dst.u.all)
124 return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
131 static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
133 const struct net_device *in,
134 const struct net_device *out,
135 int (*okfn)(struct sk_buff *))
137 enum ip_conntrack_info ctinfo;
138 const struct nf_conn *ct;
141 ret = nf_nat_fn(ops, skb, in, out, okfn);
142 if (ret != NF_DROP && ret != NF_STOLEN &&
143 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
144 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
146 if (ct->tuplehash[dir].tuple.dst.u3.ip !=
147 ct->tuplehash[!dir].tuple.src.u3.ip) {
148 if (ip_route_me_harder(skb, RTN_UNSPEC))
152 else if (ct->tuplehash[dir].tuple.dst.u.all !=
153 ct->tuplehash[!dir].tuple.src.u.all)
154 if (nf_xfrm_me_harder(skb, AF_INET))
161 static const struct nf_chain_type nft_chain_nat_ipv4 = {
163 .type = NFT_CHAIN_T_NAT,
164 .family = NFPROTO_IPV4,
165 .owner = THIS_MODULE,
166 .hook_mask = (1 << NF_INET_PRE_ROUTING) |
167 (1 << NF_INET_POST_ROUTING) |
168 (1 << NF_INET_LOCAL_OUT) |
169 (1 << NF_INET_LOCAL_IN),
171 [NF_INET_PRE_ROUTING] = nf_nat_prerouting,
172 [NF_INET_POST_ROUTING] = nf_nat_postrouting,
173 [NF_INET_LOCAL_OUT] = nf_nat_output,
174 [NF_INET_LOCAL_IN] = nf_nat_fn,
178 static int __init nft_chain_nat_init(void)
182 err = nft_register_chain_type(&nft_chain_nat_ipv4);
189 static void __exit nft_chain_nat_exit(void)
191 nft_unregister_chain_type(&nft_chain_nat_ipv4);
194 module_init(nft_chain_nat_init);
195 module_exit(nft_chain_nat_exit);
197 MODULE_LICENSE("GPL");
198 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
199 MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");