1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * ip_vs_nfct.c: Netfilter connection tracking support for IPVS 4 * 5 * Portions Copyright (C) 2001-2002 6 * Antefacto Ltd, 181 Parnell St, Dublin 1, Ireland. 7 * 8 * Portions Copyright (C) 2003-2010 9 * Julian Anastasov 10 * 11 * Authors: 12 * Ben North <ben@redfrontdoor.org> 13 * Julian Anastasov <ja@ssi.bg> Reorganize and sync with latest kernels 14 * Hannes Eder <heder@google.com> Extend NFCT support for FTP, ipvs match 15 * 16 * Current status: 17 * 18 * - provide conntrack confirmation for new and related connections, by 19 * this way we can see their proper conntrack state in all hooks 20 * - support for all forwarding methods, not only NAT 21 * - FTP support (NAT), ability to support other NAT apps with expectations 22 * - to correctly create expectations for related NAT connections the proper 23 * NF conntrack support must be already installed, eg. ip_vs_ftp requires 24 * nf_conntrack_ftp ... iptables_nat for the same ports (but no iptables 25 * NAT rules are needed) 26 * - alter reply for NAT when forwarding packet in original direction: 27 * conntrack from client in NEW or RELATED (Passive FTP DATA) state or 28 * when RELATED conntrack is created from real server (Active FTP DATA) 29 * - if iptables_nat is not loaded the Passive FTP will not work (the 30 * PASV response can not be NAT-ed) but Active FTP should work 31 */ 32 33 #define KMSG_COMPONENT "IPVS" 34 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 35 36 #include <linux/module.h> 37 #include <linux/types.h> 38 #include <linux/kernel.h> 39 #include <linux/errno.h> 40 #include <linux/compiler.h> 41 #include <linux/vmalloc.h> 42 #include <linux/skbuff.h> 43 #include <net/ip.h> 44 #include <linux/netfilter.h> 45 #include <linux/netfilter_ipv4.h> 46 #include <net/ip_vs.h> 47 #include <net/netfilter/nf_conntrack_core.h> 48 #include <net/netfilter/nf_conntrack_expect.h> 49 #include <net/netfilter/nf_conntrack_seqadj.h> 50 #include <net/netfilter/nf_conntrack_helper.h> 51 #include <net/netfilter/nf_conntrack_zones.h> 52 53 54 #define FMT_TUPLE "%s:%u->%s:%u/%u" 55 #define ARG_TUPLE(T) IP_VS_DBG_ADDR((T)->src.l3num, &(T)->src.u3), \ 56 ntohs((T)->src.u.all), \ 57 IP_VS_DBG_ADDR((T)->src.l3num, &(T)->dst.u3), \ 58 ntohs((T)->dst.u.all), \ 59 (T)->dst.protonum 60 61 #define FMT_CONN "%s:%u->%s:%u->%s:%u/%u:%u" 62 #define ARG_CONN(C) IP_VS_DBG_ADDR((C)->af, &((C)->caddr)), \ 63 ntohs((C)->cport), \ 64 IP_VS_DBG_ADDR((C)->af, &((C)->vaddr)), \ 65 ntohs((C)->vport), \ 66 IP_VS_DBG_ADDR((C)->daf, &((C)->daddr)), \ 67 ntohs((C)->dport), \ 68 (C)->protocol, (C)->state 69 70 void 71 ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin) 72 { 73 enum ip_conntrack_info ctinfo; 74 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 75 struct nf_conntrack_tuple new_tuple; 76 77 if (ct == NULL || nf_ct_is_confirmed(ct) || 78 nf_ct_is_dying(ct)) 79 return; 80 81 /* Never alter conntrack for non-NAT conns */ 82 if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) 83 return; 84 85 /* Never alter conntrack for OPS conns (no reply is expected) */ 86 if (cp->flags & IP_VS_CONN_F_ONE_PACKET) 87 return; 88 89 /* Alter reply only in original direction */ 90 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) 91 return; 92 93 /* Applications may adjust TCP seqs */ 94 if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP && 95 !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct)) 96 return; 97 98 /* 99 * The connection is not yet in the hashtable, so we update it. 100 * CIP->VIP will remain the same, so leave the tuple in 101 * IP_CT_DIR_ORIGINAL untouched. When the reply comes back from the 102 * real-server we will see RIP->DIP. 103 */ 104 new_tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; 105 /* 106 * This will also take care of UDP and other protocols. 107 */ 108 if (outin) { 109 new_tuple.src.u3 = cp->daddr; 110 if (new_tuple.dst.protonum != IPPROTO_ICMP && 111 new_tuple.dst.protonum != IPPROTO_ICMPV6) 112 new_tuple.src.u.tcp.port = cp->dport; 113 } else { 114 new_tuple.dst.u3 = cp->vaddr; 115 if (new_tuple.dst.protonum != IPPROTO_ICMP && 116 new_tuple.dst.protonum != IPPROTO_ICMPV6) 117 new_tuple.dst.u.tcp.port = cp->vport; 118 } 119 IP_VS_DBG_BUF(7, "%s: Updating conntrack ct=%p, status=0x%lX, " 120 "ctinfo=%d, old reply=" FMT_TUPLE "\n", 121 __func__, ct, ct->status, ctinfo, 122 ARG_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple)); 123 IP_VS_DBG_BUF(7, "%s: Updating conntrack ct=%p, status=0x%lX, " 124 "ctinfo=%d, new reply=" FMT_TUPLE "\n", 125 __func__, ct, ct->status, ctinfo, 126 ARG_TUPLE(&new_tuple)); 127 nf_conntrack_alter_reply(ct, &new_tuple); 128 IP_VS_DBG_BUF(7, "%s: Updated conntrack ct=%p for cp=" FMT_CONN "\n", 129 __func__, ct, ARG_CONN(cp)); 130 } 131 132 int ip_vs_confirm_conntrack(struct sk_buff *skb) 133 { 134 return nf_conntrack_confirm(skb); 135 } 136 137 /* 138 * Called from init_conntrack() as expectfn handler. 139 */ 140 static void ip_vs_nfct_expect_callback(struct nf_conn *ct, 141 struct nf_conntrack_expect *exp) 142 { 143 struct nf_conntrack_tuple *orig, new_reply; 144 struct ip_vs_conn *cp; 145 struct ip_vs_conn_param p; 146 struct net *net = nf_ct_net(ct); 147 148 /* 149 * We assume that no NF locks are held before this callback. 150 * ip_vs_conn_out_get and ip_vs_conn_in_get should match their 151 * expectations even if they use wildcard values, now we provide the 152 * actual values from the newly created original conntrack direction. 153 * The conntrack is confirmed when packet reaches IPVS hooks. 154 */ 155 156 /* RS->CLIENT */ 157 orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; 158 ip_vs_conn_fill_param(net_ipvs(net), exp->tuple.src.l3num, orig->dst.protonum, 159 &orig->src.u3, orig->src.u.tcp.port, 160 &orig->dst.u3, orig->dst.u.tcp.port, &p); 161 cp = ip_vs_conn_out_get(&p); 162 if (cp) { 163 /* Change reply CLIENT->RS to CLIENT->VS */ 164 IP_VS_DBG_BUF(7, "%s: for ct=%p, status=0x%lX found inout cp=" 165 FMT_CONN "\n", 166 __func__, ct, ct->status, ARG_CONN(cp)); 167 new_reply = ct->tuplehash[IP_CT_DIR_REPLY].tuple; 168 IP_VS_DBG_BUF(7, "%s: ct=%p before alter: reply tuple=" 169 FMT_TUPLE "\n", 170 __func__, ct, ARG_TUPLE(&new_reply)); 171 new_reply.dst.u3 = cp->vaddr; 172 new_reply.dst.u.tcp.port = cp->vport; 173 goto alter; 174 } 175 176 /* CLIENT->VS */ 177 cp = ip_vs_conn_in_get(&p); 178 if (cp) { 179 /* Change reply VS->CLIENT to RS->CLIENT */ 180 IP_VS_DBG_BUF(7, "%s: for ct=%p, status=0x%lX found outin cp=" 181 FMT_CONN "\n", 182 __func__, ct, ct->status, ARG_CONN(cp)); 183 new_reply = ct->tuplehash[IP_CT_DIR_REPLY].tuple; 184 IP_VS_DBG_BUF(7, "%s: ct=%p before alter: reply tuple=" 185 FMT_TUPLE "\n", 186 __func__, ct, ARG_TUPLE(&new_reply)); 187 new_reply.src.u3 = cp->daddr; 188 new_reply.src.u.tcp.port = cp->dport; 189 goto alter; 190 } 191 192 IP_VS_DBG_BUF(7, "%s: ct=%p, status=0x%lX, tuple=" FMT_TUPLE 193 " - unknown expect\n", 194 __func__, ct, ct->status, ARG_TUPLE(orig)); 195 return; 196 197 alter: 198 /* Never alter conntrack for non-NAT conns */ 199 if (IP_VS_FWD_METHOD(cp) == IP_VS_CONN_F_MASQ) 200 nf_conntrack_alter_reply(ct, &new_reply); 201 ip_vs_conn_put(cp); 202 return; 203 } 204 205 /* 206 * Create NF conntrack expectation with wildcard (optional) source port. 207 * Then the default callback function will alter the reply and will confirm 208 * the conntrack entry when the first packet comes. 209 * Use port 0 to expect connection from any port. 210 */ 211 void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct, 212 struct ip_vs_conn *cp, u_int8_t proto, 213 const __be16 port, int from_rs) 214 { 215 struct nf_conntrack_expect *exp; 216 217 if (ct == NULL) 218 return; 219 220 exp = nf_ct_expect_alloc(ct); 221 if (!exp) 222 return; 223 224 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct), 225 from_rs ? &cp->daddr : &cp->caddr, 226 from_rs ? &cp->caddr : &cp->vaddr, 227 proto, port ? &port : NULL, 228 from_rs ? &cp->cport : &cp->vport); 229 230 exp->expectfn = ip_vs_nfct_expect_callback; 231 232 IP_VS_DBG_BUF(7, "%s: ct=%p, expect tuple=" FMT_TUPLE "\n", 233 __func__, ct, ARG_TUPLE(&exp->tuple)); 234 nf_ct_expect_related(exp, 0); 235 nf_ct_expect_put(exp); 236 } 237 EXPORT_SYMBOL(ip_vs_nfct_expect_related); 238 239 /* 240 * Our connection was terminated, try to drop the conntrack immediately 241 */ 242 void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp) 243 { 244 struct nf_conntrack_tuple_hash *h; 245 struct nf_conn *ct; 246 struct nf_conntrack_tuple tuple; 247 248 if (!cp->cport) 249 return; 250 251 tuple = (struct nf_conntrack_tuple) { 252 .dst = { .protonum = cp->protocol, .dir = IP_CT_DIR_ORIGINAL } }; 253 tuple.src.u3 = cp->caddr; 254 tuple.src.u.all = cp->cport; 255 tuple.src.l3num = cp->af; 256 tuple.dst.u3 = cp->vaddr; 257 tuple.dst.u.all = cp->vport; 258 259 IP_VS_DBG_BUF(7, "%s: dropping conntrack for conn " FMT_CONN "\n", 260 __func__, ARG_CONN(cp)); 261 262 h = nf_conntrack_find_get(cp->ipvs->net, &nf_ct_zone_dflt, &tuple); 263 if (h) { 264 ct = nf_ct_tuplehash_to_ctrack(h); 265 if (nf_ct_kill(ct)) { 266 IP_VS_DBG_BUF(7, "%s: ct=%p deleted for tuple=" 267 FMT_TUPLE "\n", 268 __func__, ct, ARG_TUPLE(&tuple)); 269 } else { 270 IP_VS_DBG_BUF(7, "%s: ct=%p, no conntrack for tuple=" 271 FMT_TUPLE "\n", 272 __func__, ct, ARG_TUPLE(&tuple)); 273 } 274 nf_ct_put(ct); 275 } else { 276 IP_VS_DBG_BUF(7, "%s: no conntrack for tuple=" FMT_TUPLE "\n", 277 __func__, ARG_TUPLE(&tuple)); 278 } 279 } 280 281