2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
3 * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
4 * Copyright (c) 2012 Intel Corporation
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms and conditions of the GNU General Public License,
8 * version 2, as published by the Free Software Foundation.
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/skbuff.h>
16 #include <linux/string.h>
17 #include <linux/netlink.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter_ipv4.h>
20 #include <linux/netfilter/nfnetlink.h>
21 #include <linux/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_conntrack.h>
23 #include <net/netfilter/nf_nat.h>
24 #include <net/netfilter/nf_nat_core.h>
25 #include <net/netfilter/nf_tables.h>
26 #include <net/netfilter/nf_nat_l3proto.h>
30 enum nft_registers sreg_addr_min
:8;
31 enum nft_registers sreg_addr_max
:8;
32 enum nft_registers sreg_proto_min
:8;
33 enum nft_registers sreg_proto_max
:8;
34 enum nf_nat_manip_type type
:8;
38 static void nft_nat_eval(const struct nft_expr
*expr
,
39 struct nft_data data
[NFT_REG_MAX
+ 1],
40 const struct nft_pktinfo
*pkt
)
42 const struct nft_nat
*priv
= nft_expr_priv(expr
);
43 enum ip_conntrack_info ctinfo
;
44 struct nf_conn
*ct
= nf_ct_get(pkt
->skb
, &ctinfo
);
45 struct nf_nat_range range
;
47 memset(&range
, 0, sizeof(range
));
48 if (priv
->sreg_addr_min
) {
49 if (priv
->family
== AF_INET
) {
50 range
.min_addr
.ip
= (__force __be32
)
51 data
[priv
->sreg_addr_min
].data
[0];
52 range
.max_addr
.ip
= (__force __be32
)
53 data
[priv
->sreg_addr_max
].data
[0];
56 memcpy(range
.min_addr
.ip6
,
57 data
[priv
->sreg_addr_min
].data
,
58 sizeof(struct nft_data
));
59 memcpy(range
.max_addr
.ip6
,
60 data
[priv
->sreg_addr_max
].data
,
61 sizeof(struct nft_data
));
63 range
.flags
|= NF_NAT_RANGE_MAP_IPS
;
66 if (priv
->sreg_proto_min
) {
67 range
.min_proto
.all
= (__force __be16
)
68 data
[priv
->sreg_proto_min
].data
[0];
69 range
.max_proto
.all
= (__force __be16
)
70 data
[priv
->sreg_proto_max
].data
[0];
71 range
.flags
|= NF_NAT_RANGE_PROTO_SPECIFIED
;
74 data
[NFT_REG_VERDICT
].verdict
=
75 nf_nat_setup_info(ct
, &range
, priv
->type
);
78 static const struct nla_policy nft_nat_policy
[NFTA_NAT_MAX
+ 1] = {
79 [NFTA_NAT_TYPE
] = { .type
= NLA_U32
},
80 [NFTA_NAT_FAMILY
] = { .type
= NLA_U32
},
81 [NFTA_NAT_REG_ADDR_MIN
] = { .type
= NLA_U32
},
82 [NFTA_NAT_REG_ADDR_MAX
] = { .type
= NLA_U32
},
83 [NFTA_NAT_REG_PROTO_MIN
] = { .type
= NLA_U32
},
84 [NFTA_NAT_REG_PROTO_MAX
] = { .type
= NLA_U32
},
87 static int nft_nat_init(const struct nft_ctx
*ctx
, const struct nft_expr
*expr
,
88 const struct nlattr
* const tb
[])
90 struct nft_nat
*priv
= nft_expr_priv(expr
);
94 if (tb
[NFTA_NAT_TYPE
] == NULL
)
97 switch (ntohl(nla_get_be32(tb
[NFTA_NAT_TYPE
]))) {
99 priv
->type
= NF_NAT_MANIP_SRC
;
102 priv
->type
= NF_NAT_MANIP_DST
;
108 if (tb
[NFTA_NAT_FAMILY
] == NULL
)
111 family
= ntohl(nla_get_be32(tb
[NFTA_NAT_FAMILY
]));
112 if (family
!= AF_INET
&& family
!= AF_INET6
)
113 return -EAFNOSUPPORT
;
114 if (family
!= ctx
->afi
->family
)
116 priv
->family
= family
;
118 if (tb
[NFTA_NAT_REG_ADDR_MIN
]) {
119 priv
->sreg_addr_min
= ntohl(nla_get_be32(
120 tb
[NFTA_NAT_REG_ADDR_MIN
]));
121 err
= nft_validate_input_register(priv
->sreg_addr_min
);
126 if (tb
[NFTA_NAT_REG_ADDR_MAX
]) {
127 priv
->sreg_addr_max
= ntohl(nla_get_be32(
128 tb
[NFTA_NAT_REG_ADDR_MAX
]));
129 err
= nft_validate_input_register(priv
->sreg_addr_max
);
133 priv
->sreg_addr_max
= priv
->sreg_addr_min
;
135 if (tb
[NFTA_NAT_REG_PROTO_MIN
]) {
136 priv
->sreg_proto_min
= ntohl(nla_get_be32(
137 tb
[NFTA_NAT_REG_PROTO_MIN
]));
138 err
= nft_validate_input_register(priv
->sreg_proto_min
);
143 if (tb
[NFTA_NAT_REG_PROTO_MAX
]) {
144 priv
->sreg_proto_max
= ntohl(nla_get_be32(
145 tb
[NFTA_NAT_REG_PROTO_MAX
]));
146 err
= nft_validate_input_register(priv
->sreg_proto_max
);
150 priv
->sreg_proto_max
= priv
->sreg_proto_min
;
155 static int nft_nat_dump(struct sk_buff
*skb
, const struct nft_expr
*expr
)
157 const struct nft_nat
*priv
= nft_expr_priv(expr
);
159 switch (priv
->type
) {
160 case NF_NAT_MANIP_SRC
:
161 if (nla_put_be32(skb
, NFTA_NAT_TYPE
, htonl(NFT_NAT_SNAT
)))
162 goto nla_put_failure
;
164 case NF_NAT_MANIP_DST
:
165 if (nla_put_be32(skb
, NFTA_NAT_TYPE
, htonl(NFT_NAT_DNAT
)))
166 goto nla_put_failure
;
170 if (nla_put_be32(skb
, NFTA_NAT_FAMILY
, htonl(priv
->family
)))
171 goto nla_put_failure
;
172 if (nla_put_be32(skb
,
173 NFTA_NAT_REG_ADDR_MIN
, htonl(priv
->sreg_addr_min
)))
174 goto nla_put_failure
;
175 if (nla_put_be32(skb
,
176 NFTA_NAT_REG_ADDR_MAX
, htonl(priv
->sreg_addr_max
)))
177 goto nla_put_failure
;
178 if (nla_put_be32(skb
,
179 NFTA_NAT_REG_PROTO_MIN
, htonl(priv
->sreg_proto_min
)))
180 goto nla_put_failure
;
181 if (nla_put_be32(skb
,
182 NFTA_NAT_REG_PROTO_MAX
, htonl(priv
->sreg_proto_max
)))
183 goto nla_put_failure
;
190 static struct nft_expr_type nft_nat_type
;
191 static const struct nft_expr_ops nft_nat_ops
= {
192 .type
= &nft_nat_type
,
193 .size
= NFT_EXPR_SIZE(sizeof(struct nft_nat
)),
194 .eval
= nft_nat_eval
,
195 .init
= nft_nat_init
,
196 .dump
= nft_nat_dump
,
199 static struct nft_expr_type nft_nat_type __read_mostly
= {
202 .policy
= nft_nat_policy
,
203 .maxattr
= NFTA_NAT_MAX
,
204 .owner
= THIS_MODULE
,
207 static int __init
nft_nat_module_init(void)
209 return nft_register_expr(&nft_nat_type
);
212 static void __exit
nft_nat_module_exit(void)
214 nft_unregister_expr(&nft_nat_type
);
217 module_init(nft_nat_module_init
);
218 module_exit(nft_nat_module_exit
);
220 MODULE_LICENSE("GPL");
221 MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
222 MODULE_ALIAS_NFT_EXPR("nat");