1 /* (C) 1999-2001 Paul `Rusty' Russell
2  * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License version 2 as
6  * published by the Free Software Foundation.
7  */
8 
9 #include <linux/types.h>
10 #include <linux/atomic.h>
11 #include <linux/inetdevice.h>
12 #include <linux/ip.h>
13 #include <linux/timer.h>
14 #include <linux/netfilter.h>
15 #include <net/protocol.h>
16 #include <net/ip.h>
17 #include <net/checksum.h>
18 #include <net/route.h>
19 #include <linux/netfilter_ipv4.h>
20 #include <linux/netfilter/x_tables.h>
21 #include <net/netfilter/nf_nat.h>
22 #include <net/netfilter/ipv4/nf_nat_masquerade.h>
23 
/* Rewrite the source address of a new (or related) connection to an
 * address owned by the outgoing device and hand the resulting range to
 * the generic NAT core.
 *
 * @skb:     the packet being routed out
 * @hooknum: expected to be NF_INET_POST_ROUTING (only reported, not
 *           enforced)
 * @range:   the caller's range; its flags and port bounds are kept, the
 *           address bounds are replaced
 * @out:     the device the packet leaves through
 *
 * Returns a netfilter verdict: NF_ACCEPT for a 0.0.0.0 source, NF_DROP
 * when @out has no usable address, otherwise whatever
 * nf_nat_setup_info() decides.
 */
unsigned int
nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
		       const struct nf_nat_range2 *range,
		       const struct net_device *out)
{
	enum ip_conntrack_info ctinfo;
	struct nf_nat_range2 newrange;
	struct nf_conn_nat *nat_ext;
	const struct rtable *route;
	struct nf_conn *conn;
	__be32 gateway;
	__be32 masq_addr;

	/* WARN_ON only reports; processing continues regardless. */
	WARN_ON(hooknum != NF_INET_POST_ROUTING);

	conn = nf_ct_get(skb, &ctinfo);

	/* Expected only for new or related connections.  This is also just
	 * a report: the dereference below relies on the caller guaranteeing
	 * that the packet carries a conntrack entry.
	 */
	WARN_ON(!(conn && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
			   ctinfo == IP_CT_RELATED_REPLY)));

	/* A 0.0.0.0 source is a locally generated packet that was most
	 * likely never meant to be masqueraded; leave it alone.
	 */
	if (!conn->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip)
		return NF_ACCEPT;

	/* Choose the address on @out that is appropriate for reaching the
	 * next hop of this packet's route.
	 */
	route = skb_rtable(skb);
	gateway = rt_nexthop(route, ip_hdr(skb)->daddr);
	masq_addr = inet_select_addr(out, gateway, RT_SCOPE_UNIVERSE);
	if (masq_addr == 0) {
		pr_info("%s ate my IP address\n", out->name);
		return NF_DROP;
	}

	/* Record which device the mapping is bound to, so the conntrack
	 * can be flushed when that device goes away (see device_cmp()).
	 * The extension may fail to attach; the mapping is still set up.
	 */
	nat_ext = nf_ct_nat_ext_add(conn);
	if (nat_ext != NULL)
		nat_ext->masq_index = out->ifindex;

	/* Build a single-address range from the caller's: same flags and
	 * port selection, but both address bounds pinned to masq_addr.
	 */
	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
	newrange.min_proto   = range->min_proto;
	newrange.max_proto   = range->max_proto;
	newrange.min_addr.ip = masq_addr;
	newrange.max_addr.ip = masq_addr;
	newrange.flags       = range->flags | NF_NAT_RANGE_MAP_IPS;

	/* The generic NAT core performs the actual source manipulation. */
	return nf_nat_setup_info(conn, &newrange, NF_NAT_MANIP_SRC);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4);
74 
/* Conntrack iterator predicate: does this IPv4 conntrack carry a
 * masquerade mapping bound to the given interface index?
 *
 * @i:       the conntrack under inspection
 * @ifindex: interface index smuggled through the void pointer
 *           (cast back with (int)(long), matching the caller's cast)
 *
 * Returns non-zero when the entry should be cleaned up.
 */
static int device_cmp(struct nf_conn *i, void *ifindex)
{
	const struct nf_conn_nat *nat = nfct_nat(i);
	int wanted = (int)(long)ifindex;

	/* Entries without a NAT extension, or from another address family,
	 * can never have been masqueraded through this device.
	 */
	if (nat == NULL || nf_ct_l3num(i) != NFPROTO_IPV4)
		return 0;

	return nat->masq_index == wanted;
}
85 
/* Netdevice notifier callback.  On NETDEV_DOWN, walk the conntrack
 * table of the device's network namespace and drop every entry whose
 * masquerade mapping was bound to that device, so that stale mappings
 * do not outlive the interface.  Every other event is ignored.
 *
 * @this:  the registered notifier block (unused)
 * @event: NETDEV_* event code
 * @ptr:   netdev_notifier_info describing the device
 *
 * Always returns NOTIFY_DONE.
 */
static int masq_device_event(struct notifier_block *this,
			     unsigned long event,
			     void *ptr)
{
	const struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct net *net = dev_net(dev);

	if (event != NETDEV_DOWN)
		return NOTIFY_DONE;

	/* A zero ifindex would make device_cmp() match nothing useful. */
	WARN_ON(dev->ifindex == 0);

	nf_ct_iterate_cleanup_net(net, device_cmp,
				  (void *)(long)dev->ifindex, 0, 0);

	return NOTIFY_DONE;
}
106 
/* Inetaddr notifier callback: an IPv4 address on some device changed.
 * Unless the whole in_device is already being torn down (which the
 * netdevice notifier handles), treat the change like a device event so
 * that mappings bound to the device are flushed.
 *
 * @this:  the registered notifier block, forwarded unchanged
 * @event: event code, forwarded unchanged
 * @ptr:   the struct in_ifaddr that changed
 *
 * Returns NOTIFY_DONE, either directly or via masq_device_event().
 */
static int masq_inet_event(struct notifier_block *this,
			   unsigned long event,
			   void *ptr)
{
	const struct in_ifaddr *ifa = ptr;
	struct in_device *idev = ifa->ifa_dev;
	struct netdev_notifier_info info;

	/* Dead in_device: the device itself is going down and
	 * masq_device_event() will be (or has been) invoked for it
	 * through the netdevice chain, so nothing to do here.
	 */
	if (idev->dead)
		return NOTIFY_DONE;

	/* Repackage the address change as a device notification and reuse
	 * the device handler; only a NETDEV_DOWN event will flush anything.
	 */
	netdev_notifier_info_init(&info, idev->dev);
	return masq_device_event(this, event, &info);
}
125 
/* Hooked into the netdevice chain; only NETDEV_DOWN does any work. */
static struct notifier_block masq_dev_notifier = {
	.notifier_call = masq_device_event,
};

/* Hooked into the IPv4 address chain; forwards to the device handler. */
static struct notifier_block masq_inet_notifier = {
	.notifier_call = masq_inet_event,
};

/* Number of callers that currently want the notifiers installed.  The
 * chains are hooked on the first register and released on the last
 * unregister; callers are expected to pair the two calls.
 */
static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0);
135 
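/* Install the netdevice and inetaddr notifiers on behalf of a new user.
 * Reference counted: only the first caller actually registers, later
 * callers just bump the count and return.
 *
 * The prototype returns void, so a failed registration cannot be
 * reported to the caller; it is logged instead of being silently
 * ignored, because without the notifiers masquerade mappings bound to
 * a downed device or removed address are never flushed.  The refcount
 * is left incremented either way so that the caller's matching
 * unregister call still balances it.
 */
void nf_nat_masquerade_ipv4_register_notifier(void)
{
	int err;

	/* check if the notifier was already set */
	if (atomic_inc_return(&masquerade_notifier_refcount) > 1)
		return;

	/* Register for device down reports */
	err = register_netdevice_notifier(&masq_dev_notifier);
	if (err)
		pr_err("masquerade: cannot register netdevice notifier (%d)\n",
		       err);

	/* Register IP address change reports */
	err = register_inetaddr_notifier(&masq_inet_notifier);
	if (err)
		pr_err("masquerade: cannot register inetaddr notifier (%d)\n",
		       err);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_register_notifier);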
148 
/* Release one user's reference on the notifiers.  The chains are only
 * unhooked when the last reference goes away; until then other users
 * still rely on device-down and address-change flushing.
 */
void nf_nat_masquerade_ipv4_unregister_notifier(void)
{
	int remaining = atomic_dec_return(&masquerade_notifier_refcount);

	/* Someone else still depends on the notifiers; keep them. */
	if (remaining > 0)
		return;

	unregister_netdevice_notifier(&masq_dev_notifier);
	unregister_inetaddr_notifier(&masq_inet_notifier);
}
EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_unregister_notifier);