tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: nft_chain_nat_ipv4: use generic IPv4 NAT code from core

Use the exported IPv4 NAT functions that are provided by the core. This
removes duplicated code so iptables and nft use the same NAT codebase.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso 65cd90ac 30766f4c

+38 -121
+38 -121
net/ipv4/netfilter/nft_chain_nat_ipv4.c
··· 26 26 #include <net/netfilter/nf_nat_l3proto.h> 27 27 #include <net/ip.h> 28 28 29 - /* 30 - * NAT chains 31 - */ 32 - 33 - static unsigned int nf_nat_fn(const struct nf_hook_ops *ops, 34 - struct sk_buff *skb, 35 - const struct net_device *in, 36 - const struct net_device *out, 37 - int (*okfn)(struct sk_buff *)) 38 - { 39 - enum ip_conntrack_info ctinfo; 40 - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 41 - struct nf_conn_nat *nat; 42 - enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); 43 - struct nft_pktinfo pkt; 44 - unsigned int ret; 45 - 46 - if (ct == NULL || nf_ct_is_untracked(ct)) 47 - return NF_ACCEPT; 48 - 49 - NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET))); 50 - 51 - nat = nf_ct_nat_ext_add(ct); 52 - if (nat == NULL) 53 - return NF_ACCEPT; 54 - 55 - switch (ctinfo) { 56 - case IP_CT_RELATED: 57 - case IP_CT_RELATED + IP_CT_IS_REPLY: 58 - if (ip_hdr(skb)->protocol == IPPROTO_ICMP) { 59 - if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, 60 - ops->hooknum)) 61 - return NF_DROP; 62 - else 63 - return NF_ACCEPT; 64 - } 65 - /* Fall through */ 66 - case IP_CT_NEW: 67 - if (nf_nat_initialized(ct, maniptype)) 68 - break; 69 - 70 - nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out); 71 - 72 - ret = nft_do_chain(&pkt, ops); 73 - if (ret != NF_ACCEPT) 74 - return ret; 75 - if (!nf_nat_initialized(ct, maniptype)) { 76 - ret = nf_nat_alloc_null_binding(ct, ops->hooknum); 77 - if (ret != NF_ACCEPT) 78 - return ret; 79 - } 80 - default: 81 - break; 82 - } 83 - 84 - return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); 85 - } 86 - 87 - static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops, 29 + static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops, 88 30 struct sk_buff *skb, 89 31 const struct net_device *in, 90 32 const struct net_device *out, 91 - int (*okfn)(struct sk_buff *)) 33 + struct nf_conn *ct) 92 34 { 93 - __be32 daddr = ip_hdr(skb)->daddr; 94 - unsigned int ret; 35 + struct nft_pktinfo pkt; 95 36 96 - ret = nf_nat_fn(ops, skb, in, out, okfn); 97 - if (ret != NF_DROP && ret != NF_STOLEN && 98 - ip_hdr(skb)->daddr != daddr) { 99 - skb_dst_drop(skb); 100 - } 101 - return ret; 37 + nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out); 38 + 39 + return nft_do_chain(&pkt, ops); 102 40 } 103 41 104 - static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops, 105 - struct sk_buff *skb, 106 - const struct net_device *in, 107 - const struct net_device *out, 108 - int (*okfn)(struct sk_buff *)) 42 + static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops, 43 + struct sk_buff *skb, 44 + const struct net_device *in, 45 + const struct net_device *out, 46 + int (*okfn)(struct sk_buff *)) 109 47 { 110 - enum ip_conntrack_info ctinfo __maybe_unused; 111 - const struct nf_conn *ct __maybe_unused; 112 - unsigned int ret; 113 - 114 - ret = nf_nat_fn(ops, skb, in, out, okfn); 115 - #ifdef CONFIG_XFRM 116 - if (ret != NF_DROP && ret != NF_STOLEN && 117 - (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 118 - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 119 - 120 - if (ct->tuplehash[dir].tuple.src.u3.ip != 121 - ct->tuplehash[!dir].tuple.dst.u3.ip || 122 - ct->tuplehash[dir].tuple.src.u.all != 123 - ct->tuplehash[!dir].tuple.dst.u.all) 124 - return nf_xfrm_me_harder(skb, AF_INET) == 0 ? 125 - ret : NF_DROP; 126 - } 127 - #endif 128 - return ret; 48 + return nf_nat_ipv4_fn(ops, skb, in, out, nft_nat_do_chain); 129 49 } 130 50 131 - static unsigned int nf_nat_output(const struct nf_hook_ops *ops, 132 - struct sk_buff *skb, 133 - const struct net_device *in, 134 - const struct net_device *out, 135 - int (*okfn)(struct sk_buff *)) 51 + static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops, 52 + struct sk_buff *skb, 53 + const struct net_device *in, 54 + const struct net_device *out, 55 + int (*okfn)(struct sk_buff *)) 136 56 { 137 - enum ip_conntrack_info ctinfo; 138 - const struct nf_conn *ct; 139 - unsigned int ret; 57 + return nf_nat_ipv4_in(ops, skb, in, out, nft_nat_do_chain); 58 + } 140 59 141 - ret = nf_nat_fn(ops, skb, in, out, okfn); 142 - if (ret != NF_DROP && ret != NF_STOLEN && 143 - (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 144 - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 60 + static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops, 61 + struct sk_buff *skb, 62 + const struct net_device *in, 63 + const struct net_device *out, 64 + int (*okfn)(struct sk_buff *)) 65 + { 66 + return nf_nat_ipv4_out(ops, skb, in, out, nft_nat_do_chain); 67 + } 145 68 146 - if (ct->tuplehash[dir].tuple.dst.u3.ip != 147 - ct->tuplehash[!dir].tuple.src.u3.ip) { 148 - if (ip_route_me_harder(skb, RTN_UNSPEC)) 149 - ret = NF_DROP; 150 - } 151 - #ifdef CONFIG_XFRM 152 - else if (ct->tuplehash[dir].tuple.dst.u.all != 153 - ct->tuplehash[!dir].tuple.src.u.all) 154 - if (nf_xfrm_me_harder(skb, AF_INET)) 155 - ret = NF_DROP; 156 - #endif 157 - } 158 - return ret; 69 + static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops, 70 + struct sk_buff *skb, 71 + const struct net_device *in, 72 + const struct net_device *out, 73 + int (*okfn)(struct sk_buff *)) 74 + { 75 + return nf_nat_ipv4_local_fn(ops, skb, in, out, nft_nat_do_chain); 159 76 } 160 77 161 78 static const struct nf_chain_type nft_chain_nat_ipv4 = { ··· 85 168 (1 << NF_INET_LOCAL_OUT) | 86 169 (1 << NF_INET_LOCAL_IN), 87 170 .hooks = { 88 - [NF_INET_PRE_ROUTING] = nf_nat_prerouting, 89 - [NF_INET_POST_ROUTING] = nf_nat_postrouting, 90 - [NF_INET_LOCAL_OUT] = nf_nat_output, 91 - [NF_INET_LOCAL_IN] = nf_nat_fn, 171 + [NF_INET_PRE_ROUTING] = nft_nat_ipv4_in, 172 + [NF_INET_POST_ROUTING] = nft_nat_ipv4_out, 173 + [NF_INET_LOCAL_OUT] = nft_nat_ipv4_local_fn, 174 + [NF_INET_LOCAL_IN] = nft_nat_ipv4_fn, 92 175 }, 93 176 }; 94 177