// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Stateless NAT actions
 *
 * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * tc action "nat": rewrites the source (egress) or destination (ingress)
 * IPv4 address of a packet whose address matches old_addr under mask, and
 * fixes up the IP checksum plus the TCP/UDP/ICMP checksums that depend on
 * it.  No connection state is kept -- the rewrite is a pure function of the
 * configured parameters, so the reverse direction needs its own action.
 */

#include <linux/errno.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/rtnetlink.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/tc_act/tc_nat.h>
#include <net/act_api.h>
#include <net/pkt_cls.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/netlink.h>
#include <net/tc_act/tc_nat.h>
#include <net/tcp.h>
#include <net/udp.h>
#include <net/tc_wrapper.h>

/* Defined at the bottom of the file; tcf_nat_init() needs its net_id. */
static struct tc_action_ops act_nat_ops;

/*
 * Netlink policy for the nested TCA_NAT_* attributes.  TCA_NAT_PARMS must
 * carry at least a full struct tc_nat; nla_parse_nested_deprecated() in
 * tcf_nat_init() rejects anything shorter before parm is dereferenced.
 */
static const struct nla_policy nat_policy[TCA_NAT_MAX + 1] = {
	[TCA_NAT_PARMS]	= { .len = sizeof(struct tc_nat) },
};

/**
 * tcf_nat_init - create or update a "nat" action from netlink attributes
 * @net: network namespace the action lives in
 * @nla: nested TCA_NAT_* attributes; must contain TCA_NAT_PARMS
 * @est: rate-estimator attributes, handed to tcf_idr_create_from_flags()
 * @a: in/out action handle; on success points at the created/looked-up action
 * @tp: classifier the action is attached to (used for control-action checks)
 * @flags: TCA_ACT_FLAGS_* bits (BIND, REPLACE, ...)
 * @extack: extended ack for error reporting to user space
 *
 * The NAT parameters are published through the RCU-protected p->parms
 * pointer, so tcf_nat_act() always sees either the complete old or the
 * complete new set; the replaced set is freed after a grace period.
 *
 * Return: ACT_P_CREATED when a new action was created, 0 when an existing
 * action was bound to or replaced, or a negative errno.
 */
static int tcf_nat_init(struct net *net, struct nlattr *nla, struct nlattr *est,
			struct tc_action **a, struct tcf_proto *tp,
			u32 flags, struct netlink_ext_ack *extack)
{
	struct tc_action_net *tn = net_generic(net, act_nat_ops.net_id);
	bool bind = flags & TCA_ACT_FLAGS_BIND;
	struct tcf_nat_parms *nparm, *oparm;
	struct nlattr *tb[TCA_NAT_MAX + 1];
	struct tcf_chain *goto_ch = NULL;
	struct tc_nat *parm;
	int ret = 0, err;
	struct tcf_nat *p;
	u32 index;

	/* A nat action without options is meaningless. */
	if (nla == NULL)
		return -EINVAL;

	/* Validates attribute lengths against nat_policy. */
	err = nla_parse_nested_deprecated(tb, TCA_NAT_MAX, nla, nat_policy,
					  NULL);
	if (err < 0)
		return err;

	if (tb[TCA_NAT_PARMS] == NULL)
		return -EINVAL;
	parm = nla_data(tb[TCA_NAT_PARMS]);
	index = parm->index;
	err = tcf_idr_check_alloc(tn, &index, a, bind);
	if (!err) {
		/* err == 0: the index was free (or auto-assigned); create. */
		ret = tcf_idr_create_from_flags(tn, index, est, a, &act_nat_ops,
						bind, flags);
		if (ret) {
			/* Give back the index reserved by tcf_idr_check_alloc(). */
			tcf_idr_cleanup(tn, index);
			return ret;
		}
		ret = ACT_P_CREATED;
	} else if (err > 0) {
		/* err > 0: an action with this index already exists in *a. */
		if (bind)
			/* Binding only: nothing to reconfigure. */
			return 0;
		if (!(flags & TCA_ACT_FLAGS_REPLACE)) {
			/* Not allowed to overwrite an existing action. */
			tcf_idr_release(*a, bind);
			return -EEXIST;
		}
	} else {
		/* err < 0: lookup/allocation failure. */
		return err;
	}

	/*
	 * Validate the control action (e.g. resolve a goto-chain target) before
	 * committing anything; goto_ch receives the chain reference, if any.
	 */
	err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
	if (err < 0)
		goto release_idr;

	nparm = kzalloc(sizeof(*nparm), GFP_KERNEL);
	if (!nparm) {
		err = -ENOMEM;
		goto release_idr;
	}

	nparm->old_addr = parm->old_addr;
	nparm->new_addr = parm->new_addr;
	nparm->mask = parm->mask;
	nparm->flags = parm->flags;

	p = to_tcf_nat(*a);

	/*
	 * Swap control action and parms under tcf_lock so tcf_nat_dump(), which
	 * reads both under the same lock, never observes a mixed old/new state.
	 * The datapath (tcf_nat_act) reads parms locklessly via RCU instead.
	 */
	spin_lock_bh(&p->tcf_lock);
	goto_ch = tcf_action_set_ctrlact(*a, parm->action, goto_ch);
	oparm = rcu_replace_pointer(p->parms, nparm, lockdep_is_held(&p->tcf_lock));
	spin_unlock_bh(&p->tcf_lock);

	/* goto_ch now holds the chain we no longer reference (if any). */
	if (goto_ch)
		tcf_chain_put_by_act(goto_ch);

	/* Readers in tcf_nat_act() may still hold oparm; defer the free. */
	if (oparm)
		kfree_rcu(oparm, rcu);

	return ret;
release_idr:
	/* Drop the reference taken via tcf_idr_check_alloc()/create above. */
	tcf_idr_release(*a, bind);
	return err;
}

/**
 * tcf_nat_act - apply the stateless NAT rewrite to one packet
 * @skb: packet, expected to carry an IPv4 header at skb_network_offset()
 * @a: the "nat" action instance
 * @res: classifier result (not used here; part of the act callback signature)
 *
 * The packet matches when ((old_addr ^ addr) & mask) == 0 for the selected
 * address (saddr on egress, daddr on ingress).  On a match the masked bits
 * are replaced by new_addr's, the IP header checksum is fixed up
 * incrementally, and then the transport checksum is fixed for TCP and UDP
 * (their pseudo-header covers the addresses).  For ICMP error messages the
 * embedded IP header is also rewritten -- in the mirrored direction, since
 * it describes the packet that triggered the error -- along with the ICMP
 * checksum; the embedded IP/transport checksums are left alone (see XXX).
 *
 * Every header read is preceded by pskb_may_pull() and every write by
 * skb_try_make_writable(); pointers that are used afterwards are re-derived
 * from the skb after each such call because both may relocate header data.
 * NOTE(review): there is no skb->protocol check here -- this relies on the
 * attaching filter only sending IPv4 traffic to the action; confirm.
 *
 * Return: the configured control action, or TC_ACT_SHOT (with the drop
 * counter bumped) when the headers cannot be pulled or made writable.
 */
TC_INDIRECT_SCOPE int tcf_nat_act(struct sk_buff *skb,
				  const struct tc_action *a,
				  struct tcf_result *res)
{
	struct tcf_nat *p = to_tcf_nat(a);
	struct tcf_nat_parms *parms;
	struct iphdr *iph;
	__be32 old_addr;
	__be32 new_addr;
	__be32 mask;
	__be32 addr;
	int egress;
	int action;
	int ihl;
	int noff;

	/* Account the packet before deciding what to do with it. */
	tcf_lastuse_update(&p->tcf_tm);
	tcf_action_update_bstats(&p->common, skb);

	/* Written under tcf_lock by tcf_nat_init(); read once here. */
	action = READ_ONCE(p->tcf_action);

	/* Snapshot the parameter set published by tcf_nat_init(). */
	parms = rcu_dereference_bh(p->parms);
	old_addr = parms->old_addr;
	new_addr = parms->new_addr;
	mask = parms->mask;
	egress = parms->flags & TCA_NAT_FLAG_EGRESS;

	if (unlikely(action == TC_ACT_SHOT))
		goto drop;

	/* Make sure the full IPv4 base header is linear before touching it. */
	noff = skb_network_offset(skb);
	if (!pskb_may_pull(skb, sizeof(*iph) + noff))
		goto drop;

	iph = ip_hdr(skb);

	/* Egress rewrites the source, ingress the destination. */
	if (egress)
		addr = iph->saddr;
	else
		addr = iph->daddr;

	if (!((old_addr ^ addr) & mask)) {
		/* Matched: get a private, writable copy of the header. */
		if (skb_try_make_writable(skb, sizeof(*iph) + noff))
			goto drop;

		/* Only the bits selected by mask come from new_addr. */
		new_addr &= mask;
		new_addr |= addr & ~mask;

		/* Rewrite IP header */
		iph = ip_hdr(skb);	/* re-read: make_writable may have moved it */
		if (egress)
			iph->saddr = new_addr;
		else
			iph->daddr = new_addr;

		/* Incremental update of the IP header checksum. */
		csum_replace4(&iph->check, addr, new_addr);
	} else if ((iph->frag_off & htons(IP_OFFSET)) ||
		   iph->protocol != IPPROTO_ICMP) {
		/*
		 * Outer address does not match.  Only a first-fragment ICMP
		 * packet is worth looking at further, because it may be an
		 * error message embedding a header that does match.
		 */
		goto out;
	}

	/*
	 * Header length as claimed by the packet.  It is not validated against
	 * sizeof(*iph) here; the pskb_may_pull() calls below still bound every
	 * access to linear data, so a bogus ihl cannot read out of bounds.
	 */
	ihl = iph->ihl * 4;

	/* It would be nice to share code with stateful NAT. */
	/* Non-first fragments carry no transport header: take the default. */
	switch (iph->frag_off & htons(IP_OFFSET) ? 0 : iph->protocol) {
	case IPPROTO_TCP:
	{
		struct tcphdr *tcph;

		if (!pskb_may_pull(skb, ihl + sizeof(*tcph) + noff) ||
		    skb_try_make_writable(skb, ihl + sizeof(*tcph) + noff))
			goto drop;

		tcph = (void *)(skb_network_header(skb) + ihl);
		/* The address is part of the TCP pseudo-header (pseudohdr=true). */
		inet_proto_csum_replace4(&tcph->check, skb, addr, new_addr,
					 true);
		break;
	}
	case IPPROTO_UDP:
	{
		struct udphdr *udph;

		if (!pskb_may_pull(skb, ihl + sizeof(*udph) + noff) ||
		    skb_try_make_writable(skb, ihl + sizeof(*udph) + noff))
			goto drop;

		udph = (void *)(skb_network_header(skb) + ihl);
		/*
		 * A zero UDP checksum means "none": leave it alone unless the
		 * checksum is present or will be completed later (PARTIAL).
		 * A computed result of zero must be sent as CSUM_MANGLED_0 so
		 * it is not mistaken for "no checksum".
		 */
		if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
			inet_proto_csum_replace4(&udph->check, skb, addr,
						 new_addr, true);
			if (!udph->check)
				udph->check = CSUM_MANGLED_0;
		}
		break;
	}
	case IPPROTO_ICMP:
	{
		struct icmphdr *icmph;

		if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + noff))
			goto drop;

		icmph = (void *)(skb_network_header(skb) + ihl);

		/* Only ICMP errors embed the offending packet's IP header. */
		if (!icmp_is_err(icmph->type))
			break;

		/* Pull the embedded IP header as well. */
		if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph) +
					noff))
			goto drop;

		icmph = (void *)(skb_network_header(skb) + ihl);
		iph = (void *)(icmph + 1);
		/*
		 * Mirrored direction: the embedded header describes the packet
		 * we (or the peer) sent, so on egress its *destination* is the
		 * address this action translates.
		 */
		if (egress)
			addr = iph->daddr;
		else
			addr = iph->saddr;

		if ((old_addr ^ addr) & mask)
			break;

		if (skb_try_make_writable(skb, ihl + sizeof(*icmph) +
					  sizeof(*iph) + noff))
			goto drop;

		/* Re-derive both pointers after make_writable. */
		icmph = (void *)(skb_network_header(skb) + ihl);
		iph = (void *)(icmph + 1);

		new_addr &= mask;
		new_addr |= addr & ~mask;

		/* XXX Fix up the inner checksums. */
		if (egress)
			iph->daddr = new_addr;
		else
			iph->saddr = new_addr;

		/*
		 * The ICMP checksum covers the payload (which we just changed)
		 * but has no pseudo-header, hence pseudohdr=false.
		 */
		inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
					 false);
		break;
	}
	default:
		break;
	}

out:
	return action;

drop:
	tcf_action_inc_drop_qstats(&p->common);
	return TC_ACT_SHOT;
}

/**
 * tcf_nat_dump - serialize the action's parameters into a netlink message
 * @skb: message being built
 * @a: the "nat" action instance
 * @bind: bindings to subtract from the reported bindcnt
 * @ref: references to subtract from the reported refcnt
 *
 * tcf_action and parms are read under tcf_lock so the dumped values are
 * consistent with respect to a concurrent tcf_nat_init() update.
 *
 * Return: the message length on success, or -1 when the attributes do not
 * fit (anything written by this function is trimmed off again).
 */
static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
			int bind, int ref)
{
	unsigned char *b = skb_tail_pointer(skb);	/* rollback point */
	struct tcf_nat *p = to_tcf_nat(a);
	struct tc_nat opt = {
		.index    = p->tcf_index,
		.refcnt   = refcount_read(&p->tcf_refcnt) - ref,
		.bindcnt  = atomic_read(&p->tcf_bindcnt) - bind,
	};
	struct tcf_nat_parms *parms;
	struct tcf_t t;

	spin_lock_bh(&p->tcf_lock);

	opt.action = p->tcf_action;

	/* Lock held, so no RCU read-side section is needed here. */
	parms = rcu_dereference_protected(p->parms, lockdep_is_held(&p->tcf_lock));

	opt.old_addr = parms->old_addr;
	opt.new_addr = parms->new_addr;
	opt.mask = parms->mask;
	opt.flags = parms->flags;

	if (nla_put(skb, TCA_NAT_PARMS, sizeof(opt), &opt))
		goto nla_put_failure;

	/* Timestamps (install/lastuse/expires/firstuse). */
	tcf_tm_dump(&t, &p->tcf_tm);
	if (nla_put_64bit(skb, TCA_NAT_TM, sizeof(t), &t, TCA_NAT_PAD))
		goto nla_put_failure;
	spin_unlock_bh(&p->tcf_lock);

	return skb->len;

nla_put_failure:
	spin_unlock_bh(&p->tcf_lock);
	nlmsg_trim(skb, b);
	return -1;
}

/**
 * tcf_nat_cleanup - release the parameter set when the action is destroyed
 * @a: the "nat" action instance
 *
 * The "1" passed to rcu_dereference_protected() asserts that no lock is
 * needed (the action is going away).  The free is still deferred with
 * kfree_rcu() so a tcf_nat_act() that dereferenced parms just before the
 * action was unlinked can finish safely.
 */
static void tcf_nat_cleanup(struct tc_action *a)
{
	struct tcf_nat *p = to_tcf_nat(a);
	struct tcf_nat_parms *parms;

	parms = rcu_dereference_protected(p->parms, 1);
	if (parms)
		kfree_rcu(parms, rcu);
}

/* Ops table registered with the tc action core; .size is the per-instance size. */
static struct tc_action_ops act_nat_ops = {
	.kind		=	"nat",
	.id		=	TCA_ID_NAT,
	.owner		=	THIS_MODULE,
	.act		=	tcf_nat_act,
	.dump		=	tcf_nat_dump,
	.init		=	tcf_nat_init,
	.cleanup	=	tcf_nat_cleanup,
	.size		=	sizeof(struct tcf_nat),
};

/* Per-namespace setup: initialise this action's IDR for the namespace. */
static __net_init int nat_init_net(struct net *net)
{
	struct tc_action_net *tn = net_generic(net, act_nat_ops.net_id);

	return tc_action_net_init(net, tn, &act_nat_ops);
}

/* Per-namespace teardown, batched over a list of dying namespaces. */
static void __net_exit nat_exit_net(struct list_head *net_list)
{
	tc_action_net_exit(net_list, act_nat_ops.net_id);
}

/* .id receives the net_generic slot used by nat_init_net()/nat_exit_net(). */
static struct pernet_operations nat_net_ops = {
	.init = nat_init_net,
	.exit_batch = nat_exit_net,
	.id   = &act_nat_ops.net_id,
	.size = sizeof(struct tc_action_net),
};

MODULE_DESCRIPTION("Stateless NAT actions");
MODULE_LICENSE("GPL");

/* Register the action kind and its per-namespace state with the tc core. */
static int __init nat_init_module(void)
{
	return tcf_register_action(&act_nat_ops, &nat_net_ops);
}

static void __exit nat_cleanup_module(void)
{
	tcf_unregister_action(&act_nat_ops, &nat_net_ops);
}

module_init(nat_init_module);
module_exit(nat_cleanup_module);