
net: netfilter: add bpf_ct_set_nat_info kfunc helper

Introduce the bpf_ct_set_nat_info kfunc helper in order to set the source and
destination NAT addresses/ports on a newly allocated ct entry that has not yet
been inserted into the connection tracking table.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/9567db2fdfa5bebe7b7cc5870f7a34549418b4fc.1663778601.git.lorenzo@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Lorenzo Bianconi and committed by
Alexei Starovoitov
0fabd2aa eed807f6

+46 -1
+46 -1
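--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -17,6 +17,7 @@
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_bpf.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_nat.h>
 
 /* bpf_ct_opts - Options for CT lookup helpers
  *
@@ -138,7 +137,6 @@
 
 	memset(&ct->proto, 0, sizeof(ct->proto));
 	__nf_ct_set_timeout(ct, timeout * HZ);
-	ct->status |= IPS_CONFIRMED;
 
 out:
 	if (opts->netns_id >= 0)
@@ -390,6 +390,7 @@
 	struct nf_conn *nfct = (struct nf_conn *)nfct_i;
 	int err;
 
+	nfct->status |= IPS_CONFIRMED;
 	err = nf_conntrack_hash_check_insert(nfct);
 	if (err < 0) {
 		nf_conntrack_free(nfct);
@@ -476,6 +475,49 @@
 	return nf_ct_change_status_common(nfct, status);
 }
 
+/* bpf_ct_set_nat_info - Set source or destination nat address
+ *
+ * Set source or destination nat address of the newly allocated
+ * nf_conn before insertion. This must be invoked for referenced
+ * PTR_TO_BTF_ID to nf_conn___init.
+ *
+ * Parameters:
+ * @nfct	- Pointer to referenced nf_conn object, obtained using
+ *		  bpf_xdp_ct_alloc or bpf_skb_ct_alloc.
+ * @addr	- Nat source/destination address
+ * @port	- Nat source/destination port. Non-positive values are
+ *		  interpreted as select a random port.
+ * @manip	- NF_NAT_MANIP_SRC or NF_NAT_MANIP_DST
+ */
+int bpf_ct_set_nat_info(struct nf_conn___init *nfct,
+			union nf_inet_addr *addr, int port,
+			enum nf_nat_manip_type manip)
+{
+#if ((IS_MODULE(CONFIG_NF_NAT) && IS_MODULE(CONFIG_NF_CONNTRACK)) || \
+     IS_BUILTIN(CONFIG_NF_NAT))
+	struct nf_conn *ct = (struct nf_conn *)nfct;
+	u16 proto = nf_ct_l3num(ct);
+	struct nf_nat_range2 range;
+
+	if (proto != NFPROTO_IPV4 && proto != NFPROTO_IPV6)
+		return -EINVAL;
+
+	memset(&range, 0, sizeof(struct nf_nat_range2));
+	range.flags = NF_NAT_RANGE_MAP_IPS;
+	range.min_addr = *addr;
+	range.max_addr = range.min_addr;
+	if (port > 0) {
+		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+		range.min_proto.all = cpu_to_be16(port);
+		range.max_proto.all = range.min_proto.all;
+	}
+
+	return nf_nat_setup_info(ct, &range, manip) == NF_DROP ? -ENOMEM : 0;
+#else
+	return -EOPNOTSUPP;
+#endif
+}
+
 __diag_pop()
 
 BTF_SET8_START(nf_ct_kfunc_set)
@@ -532,6 +488,7 @@
 BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_ct_set_nat_info, KF_TRUSTED_ARGS)
 BTF_SET8_END(nf_ct_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {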
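Review bot: In bpf_ct_set_nat_info() the `port` argument is an `int` that is folded straight into a 16-bit field by `cpu_to_be16(port)` (new line 511), so a BPF program passing a value above 65535 gets a silently truncated port instead of an error; add `if (port > U16_MAX) return -EINVAL;` ahead of the `if (port > 0)` block, and extend the header comment's "Non-positive values are interpreted as select a random port" to say that values above 65535 are rejected. The `manip` argument is likewise handed to nf_nat_setup_info() unchecked; I cannot see that callee from here, but if it does not tolerate values other than NF_NAT_MANIP_SRC/NF_NAT_MANIP_DST (e.g. a WARN_ON), a guard `if (manip != NF_NAT_MANIP_SRC && manip != NF_NAT_MANIP_DST) return -EINVAL;` keeps unprivileged-reachable input from hitting it. Mapping every NF_DROP to `-ENOMEM` on line 515 also presumes allocation failure is the only drop reason; a comment stating that assumption, or a more neutral errno such as `-EINVAL`, would help callers.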