2 * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of IPv6 NAT funded by Astaro.
10 #include <linux/types.h>
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/ipv6.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter_ipv6.h>
16 #include <net/secure_seq.h>
17 #include <net/checksum.h>
18 #include <net/ip6_checksum.h>
19 #include <net/ip6_route.h>
22 #include <net/netfilter/nf_conntrack_core.h>
23 #include <net/netfilter/nf_conntrack.h>
24 #include <net/netfilter/nf_nat_core.h>
25 #include <net/netfilter/nf_nat_l3proto.h>
26 #include <net/netfilter/nf_nat_l4proto.h>
28 static const struct nf_nat_l3proto nf_nat_l3proto_ipv6;
31 static void nf_nat_ipv6_decode_session(struct sk_buff *skb,
32 const struct nf_conn *ct,
33 enum ip_conntrack_dir dir,
34 unsigned long statusbit,
37 const struct nf_conntrack_tuple *t = &ct->tuplehash[dir].tuple;
38 struct flowi6 *fl6 = &fl->u.ip6;
40 if (ct->status & statusbit) {
41 fl6->daddr = t->dst.u3.in6;
42 if (t->dst.protonum == IPPROTO_TCP ||
43 t->dst.protonum == IPPROTO_UDP ||
44 t->dst.protonum == IPPROTO_UDPLITE ||
45 t->dst.protonum == IPPROTO_DCCP ||
46 t->dst.protonum == IPPROTO_SCTP)
47 fl6->fl6_dport = t->dst.u.all;
50 statusbit ^= IPS_NAT_MASK;
52 if (ct->status & statusbit) {
53 fl6->saddr = t->src.u3.in6;
54 if (t->dst.protonum == IPPROTO_TCP ||
55 t->dst.protonum == IPPROTO_UDP ||
56 t->dst.protonum == IPPROTO_UDPLITE ||
57 t->dst.protonum == IPPROTO_DCCP ||
58 t->dst.protonum == IPPROTO_SCTP)
59 fl6->fl6_sport = t->src.u.all;
64 static bool nf_nat_ipv6_in_range(const struct nf_conntrack_tuple *t,
65 const struct nf_nat_range *range)
67 return ipv6_addr_cmp(&t->src.u3.in6, &range->min_addr.in6) >= 0 &&
68 ipv6_addr_cmp(&t->src.u3.in6, &range->max_addr.in6) <= 0;
71 static u32 nf_nat_ipv6_secure_port(const struct nf_conntrack_tuple *t,
74 return secure_ipv6_port_ephemeral(t->src.u3.ip6, t->dst.u3.ip6, dport);
77 static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
78 unsigned int iphdroff,
79 const struct nf_nat_l4proto *l4proto,
80 const struct nf_conntrack_tuple *target,
81 enum nf_nat_manip_type maniptype)
83 struct ipv6hdr *ipv6h;
88 if (!skb_make_writable(skb, iphdroff + sizeof(*ipv6h)))
91 ipv6h = (void *)skb->data + iphdroff;
92 nexthdr = ipv6h->nexthdr;
93 hdroff = ipv6_skip_exthdr(skb, iphdroff + sizeof(*ipv6h),
98 if ((frag_off & htons(~0x7)) == 0 &&
99 !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
103 /* must reload, offset might have changed */
104 ipv6h = (void *)skb->data + iphdroff;
107 if (maniptype == NF_NAT_MANIP_SRC)
108 ipv6h->saddr = target->src.u3.in6;
110 ipv6h->daddr = target->dst.u3.in6;
115 static void nf_nat_ipv6_csum_update(struct sk_buff *skb,
116 unsigned int iphdroff, __sum16 *check,
117 const struct nf_conntrack_tuple *t,
118 enum nf_nat_manip_type maniptype)
120 const struct ipv6hdr *ipv6h = (struct ipv6hdr *)(skb->data + iphdroff);
121 const struct in6_addr *oldip, *newip;
123 if (maniptype == NF_NAT_MANIP_SRC) {
124 oldip = &ipv6h->saddr;
125 newip = &t->src.u3.in6;
127 oldip = &ipv6h->daddr;
128 newip = &t->dst.u3.in6;
130 inet_proto_csum_replace16(check, skb, oldip->s6_addr32,
131 newip->s6_addr32, true);
134 static void nf_nat_ipv6_csum_recalc(struct sk_buff *skb,
135 u8 proto, void *data, __sum16 *check,
136 int datalen, int oldlen)
138 const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
139 struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
141 if (skb->ip_summed != CHECKSUM_PARTIAL) {
142 if (!(rt->rt6i_flags & RTF_LOCAL) &&
143 (!skb->dev || skb->dev->features & NETIF_F_V6_CSUM)) {
144 skb->ip_summed = CHECKSUM_PARTIAL;
145 skb->csum_start = skb_headroom(skb) +
146 skb_network_offset(skb) +
147 (data - (void *)skb->data);
148 skb->csum_offset = (void *)check - data;
149 *check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
153 *check = csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
155 csum_partial(data, datalen,
157 if (proto == IPPROTO_UDP && !*check)
158 *check = CSUM_MANGLED_0;
161 inet_proto_csum_replace2(check, skb,
162 htons(oldlen), htons(datalen), true);
165 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
166 static int nf_nat_ipv6_nlattr_to_range(struct nlattr *tb[],
167 struct nf_nat_range *range)
169 if (tb[CTA_NAT_V6_MINIP]) {
170 nla_memcpy(&range->min_addr.ip6, tb[CTA_NAT_V6_MINIP],
171 sizeof(struct in6_addr));
172 range->flags |= NF_NAT_RANGE_MAP_IPS;
175 if (tb[CTA_NAT_V6_MAXIP])
176 nla_memcpy(&range->max_addr.ip6, tb[CTA_NAT_V6_MAXIP],
177 sizeof(struct in6_addr));
179 range->max_addr = range->min_addr;
185 static const struct nf_nat_l3proto nf_nat_l3proto_ipv6 = {
186 .l3proto = NFPROTO_IPV6,
187 .secure_port = nf_nat_ipv6_secure_port,
188 .in_range = nf_nat_ipv6_in_range,
189 .manip_pkt = nf_nat_ipv6_manip_pkt,
190 .csum_update = nf_nat_ipv6_csum_update,
191 .csum_recalc = nf_nat_ipv6_csum_recalc,
192 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
193 .nlattr_to_range = nf_nat_ipv6_nlattr_to_range,
196 .decode_session = nf_nat_ipv6_decode_session,
200 int nf_nat_icmpv6_reply_translation(struct sk_buff *skb,
202 enum ip_conntrack_info ctinfo,
203 unsigned int hooknum,
207 struct icmp6hdr icmp6;
210 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
211 enum nf_nat_manip_type manip = HOOK2MANIP(hooknum);
212 const struct nf_nat_l4proto *l4proto;
213 struct nf_conntrack_tuple target;
214 unsigned long statusbit;
216 NF_CT_ASSERT(ctinfo == IP_CT_RELATED || ctinfo == IP_CT_RELATED_REPLY);
218 if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
220 if (nf_ip6_checksum(skb, hooknum, hdrlen, IPPROTO_ICMPV6))
223 inside = (void *)skb->data + hdrlen;
224 if (inside->icmp6.icmp6_type == NDISC_REDIRECT) {
225 if ((ct->status & IPS_NAT_DONE_MASK) != IPS_NAT_DONE_MASK)
227 if (ct->status & IPS_NAT_MASK)
231 if (manip == NF_NAT_MANIP_SRC)
232 statusbit = IPS_SRC_NAT;
234 statusbit = IPS_DST_NAT;
236 /* Invert if this is reply direction */
237 if (dir == IP_CT_DIR_REPLY)
238 statusbit ^= IPS_NAT_MASK;
240 if (!(ct->status & statusbit))
243 l4proto = __nf_nat_l4proto_find(NFPROTO_IPV6, inside->ip6.nexthdr);
244 if (!nf_nat_ipv6_manip_pkt(skb, hdrlen + sizeof(inside->icmp6),
245 l4proto, &ct->tuplehash[!dir].tuple, !manip))
248 if (skb->ip_summed != CHECKSUM_PARTIAL) {
249 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
250 inside = (void *)skb->data + hdrlen;
251 inside->icmp6.icmp6_cksum = 0;
252 inside->icmp6.icmp6_cksum =
253 csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
254 skb->len - hdrlen, IPPROTO_ICMPV6,
255 csum_partial(&inside->icmp6,
256 skb->len - hdrlen, 0));
259 nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
260 l4proto = __nf_nat_l4proto_find(NFPROTO_IPV6, IPPROTO_ICMPV6);
261 if (!nf_nat_ipv6_manip_pkt(skb, 0, l4proto, &target, manip))
266 EXPORT_SYMBOL_GPL(nf_nat_icmpv6_reply_translation);
269 nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
270 const struct nf_hook_state *state,
271 unsigned int (*do_chain)(void *priv,
273 const struct nf_hook_state *state,
277 enum ip_conntrack_info ctinfo;
278 struct nf_conn_nat *nat;
279 enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);
284 ct = nf_ct_get(skb, &ctinfo);
285 /* Can't track? It's not due to stress, or conntrack would
286 * have dropped it. Hence it's the user's responsibilty to
287 * packet filter it out, or implement conntrack/NAT for that
293 /* Don't try to NAT if this packet is not conntracked */
294 if (nf_ct_is_untracked(ct))
297 nat = nf_ct_nat_ext_add(ct);
303 case IP_CT_RELATED_REPLY:
304 nexthdr = ipv6_hdr(skb)->nexthdr;
305 hdrlen = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
306 &nexthdr, &frag_off);
308 if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
309 if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo,
316 /* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */
318 /* Seen it before? This can happen for loopback, retrans,
321 if (!nf_nat_initialized(ct, maniptype)) {
324 ret = do_chain(priv, skb, state, ct);
325 if (ret != NF_ACCEPT)
328 if (nf_nat_initialized(ct, HOOK2MANIP(state->hook)))
331 ret = nf_nat_alloc_null_binding(ct, state->hook);
332 if (ret != NF_ACCEPT)
335 pr_debug("Already setup manip %s for ct %p\n",
336 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
338 if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))
345 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
346 ctinfo == IP_CT_ESTABLISHED_REPLY);
347 if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))
351 return nf_nat_packet(ct, ctinfo, state->hook, skb);
354 nf_ct_kill_acct(ct, ctinfo, skb);
357 EXPORT_SYMBOL_GPL(nf_nat_ipv6_fn);
360 nf_nat_ipv6_in(void *priv, struct sk_buff *skb,
361 const struct nf_hook_state *state,
362 unsigned int (*do_chain)(void *priv,
364 const struct nf_hook_state *state,
368 struct in6_addr daddr = ipv6_hdr(skb)->daddr;
370 ret = nf_nat_ipv6_fn(priv, skb, state, do_chain);
371 if (ret != NF_DROP && ret != NF_STOLEN &&
372 ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr))
377 EXPORT_SYMBOL_GPL(nf_nat_ipv6_in);
380 nf_nat_ipv6_out(void *priv, struct sk_buff *skb,
381 const struct nf_hook_state *state,
382 unsigned int (*do_chain)(void *priv,
384 const struct nf_hook_state *state,
388 const struct nf_conn *ct;
389 enum ip_conntrack_info ctinfo;
394 /* root is playing with raw sockets. */
395 if (skb->len < sizeof(struct ipv6hdr))
398 ret = nf_nat_ipv6_fn(priv, skb, state, do_chain);
400 if (ret != NF_DROP && ret != NF_STOLEN &&
401 !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
402 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
403 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
405 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3,
406 &ct->tuplehash[!dir].tuple.dst.u3) ||
407 (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
408 ct->tuplehash[dir].tuple.src.u.all !=
409 ct->tuplehash[!dir].tuple.dst.u.all)) {
410 err = nf_xfrm_me_harder(state->net, skb, AF_INET6);
412 ret = NF_DROP_ERR(err);
418 EXPORT_SYMBOL_GPL(nf_nat_ipv6_out);
421 nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb,
422 const struct nf_hook_state *state,
423 unsigned int (*do_chain)(void *priv,
425 const struct nf_hook_state *state,
428 const struct nf_conn *ct;
429 enum ip_conntrack_info ctinfo;
433 /* root is playing with raw sockets. */
434 if (skb->len < sizeof(struct ipv6hdr))
437 ret = nf_nat_ipv6_fn(priv, skb, state, do_chain);
438 if (ret != NF_DROP && ret != NF_STOLEN &&
439 (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
440 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
442 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3,
443 &ct->tuplehash[!dir].tuple.src.u3)) {
444 err = ip6_route_me_harder(state->net, skb);
446 ret = NF_DROP_ERR(err);
449 else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
450 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
451 ct->tuplehash[dir].tuple.dst.u.all !=
452 ct->tuplehash[!dir].tuple.src.u.all) {
453 err = nf_xfrm_me_harder(state->net, skb, AF_INET6);
455 ret = NF_DROP_ERR(err);
461 EXPORT_SYMBOL_GPL(nf_nat_ipv6_local_fn);
463 static int __init nf_nat_l3proto_ipv6_init(void)
467 err = nf_nat_l4proto_register(NFPROTO_IPV6, &nf_nat_l4proto_icmpv6);
470 err = nf_nat_l3proto_register(&nf_nat_l3proto_ipv6);
476 nf_nat_l4proto_unregister(NFPROTO_IPV6, &nf_nat_l4proto_icmpv6);
481 static void __exit nf_nat_l3proto_ipv6_exit(void)
483 nf_nat_l3proto_unregister(&nf_nat_l3proto_ipv6);
484 nf_nat_l4proto_unregister(NFPROTO_IPV6, &nf_nat_l4proto_icmpv6);
487 MODULE_LICENSE("GPL");
488 MODULE_ALIAS("nf-nat-" __stringify(AF_INET6));
490 module_init(nf_nat_l3proto_ipv6_init);
491 module_exit(nf_nat_l3proto_ipv6_exit);
projects / releases.git / blob