xref: /openbmc/linux/net/sched/act_nat.c (revision a5b2c10c) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Stateless NAT actions
4  *
5  * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
6  */
7 
8 #include <linux/errno.h>
9 #include <linux/init.h>
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/netfilter.h>
13 #include <linux/rtnetlink.h>
14 #include <linux/skbuff.h>
15 #include <linux/slab.h>
16 #include <linux/spinlock.h>
17 #include <linux/string.h>
18 #include <linux/tc_act/tc_nat.h>
19 #include <net/act_api.h>
20 #include <net/pkt_cls.h>
21 #include <net/icmp.h>
22 #include <net/ip.h>
23 #include <net/netlink.h>
24 #include <net/tc_act/tc_nat.h>
25 #include <net/tcp.h>
26 #include <net/udp.h>
27 
28 
29 static unsigned int nat_net_id;
30 static struct tc_action_ops act_nat_ops;
31 
32 static const struct nla_policy nat_policy[TCA_NAT_MAX + 1] = {
33 	[TCA_NAT_PARMS]	= { .len = sizeof(struct tc_nat) },
34 };
35 
36 static int tcf_nat_init(struct net *net, struct nlattr *nla, struct nlattr *est,
37 			struct tc_action **a, int ovr, int bind,
38 			bool rtnl_held,	struct tcf_proto *tp,
39 			u32 flags, struct netlink_ext_ack *extack)
40 {
41 	struct tc_action_net *tn = net_generic(net, nat_net_id);
42 	struct nlattr *tb[TCA_NAT_MAX + 1];
43 	struct tcf_chain *goto_ch = NULL;
44 	struct tc_nat *parm;
45 	int ret = 0, err;
46 	struct tcf_nat *p;
47 	u32 index;
48 
49 	if (nla == NULL)
50 		return -EINVAL;
51 
52 	err = nla_parse_nested_deprecated(tb, TCA_NAT_MAX, nla, nat_policy,
53 					  NULL);
54 	if (err < 0)
55 		return err;
56 
57 	if (tb[TCA_NAT_PARMS] == NULL)
58 		return -EINVAL;
59 	parm = nla_data(tb[TCA_NAT_PARMS]);
60 	index = parm->index;
61 	err = tcf_idr_check_alloc(tn, &index, a, bind);
62 	if (!err) {
63 		ret = tcf_idr_create(tn, index, est, a,
64 				     &act_nat_ops, bind, false, 0);
65 		if (ret) {
66 			tcf_idr_cleanup(tn, index);
67 			return ret;
68 		}
69 		ret = ACT_P_CREATED;
70 	} else if (err > 0) {
71 		if (bind)
72 			return 0;
73 		if (!ovr) {
74 			tcf_idr_release(*a, bind);
75 			return -EEXIST;
76 		}
77 	} else {
78 		return err;
79 	}
80 	err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
81 	if (err < 0)
82 		goto release_idr;
83 	p = to_tcf_nat(*a);
84 
85 	spin_lock_bh(&p->tcf_lock);
86 	p->old_addr = parm->old_addr;
87 	p->new_addr = parm->new_addr;
88 	p->mask = parm->mask;
89 	p->flags = parm->flags;
90 
91 	goto_ch = tcf_action_set_ctrlact(*a, parm->action, goto_ch);
92 	spin_unlock_bh(&p->tcf_lock);
93 	if (goto_ch)
94 		tcf_chain_put_by_act(goto_ch);
95 
96 	if (ret == ACT_P_CREATED)
97 		tcf_idr_insert(tn, *a);
98 
99 	return ret;
100 release_idr:
101 	tcf_idr_release(*a, bind);
102 	return err;
103 }
104 
105 static int tcf_nat_act(struct sk_buff *skb, const struct tc_action *a,
106 		       struct tcf_result *res)
107 {
108 	struct tcf_nat *p = to_tcf_nat(a);
109 	struct iphdr *iph;
110 	__be32 old_addr;
111 	__be32 new_addr;
112 	__be32 mask;
113 	__be32 addr;
114 	int egress;
115 	int action;
116 	int ihl;
117 	int noff;
118 
119 	spin_lock(&p->tcf_lock);
120 
121 	tcf_lastuse_update(&p->tcf_tm);
122 	old_addr = p->old_addr;
123 	new_addr = p->new_addr;
124 	mask = p->mask;
125 	egress = p->flags & TCA_NAT_FLAG_EGRESS;
126 	action = p->tcf_action;
127 
128 	bstats_update(&p->tcf_bstats, skb);
129 
130 	spin_unlock(&p->tcf_lock);
131 
132 	if (unlikely(action == TC_ACT_SHOT))
133 		goto drop;
134 
135 	noff = skb_network_offset(skb);
136 	if (!pskb_may_pull(skb, sizeof(*iph) + noff))
137 		goto drop;
138 
139 	iph = ip_hdr(skb);
140 
141 	if (egress)
142 		addr = iph->saddr;
143 	else
144 		addr = iph->daddr;
145 
146 	if (!((old_addr ^ addr) & mask)) {
147 		if (skb_try_make_writable(skb, sizeof(*iph) + noff))
148 			goto drop;
149 
150 		new_addr &= mask;
151 		new_addr |= addr & ~mask;
152 
153 		/* Rewrite IP header */
154 		iph = ip_hdr(skb);
155 		if (egress)
156 			iph->saddr = new_addr;
157 		else
158 			iph->daddr = new_addr;
159 
160 		csum_replace4(&iph->check, addr, new_addr);
161 	} else if ((iph->frag_off & htons(IP_OFFSET)) ||
162 		   iph->protocol != IPPROTO_ICMP) {
163 		goto out;
164 	}
165 
166 	ihl = iph->ihl * 4;
167 
168 	/* It would be nice to share code with stateful NAT. */
169 	switch (iph->frag_off & htons(IP_OFFSET) ? 0 : iph->protocol) {
170 	case IPPROTO_TCP:
171 	{
172 		struct tcphdr *tcph;
173 
174 		if (!pskb_may_pull(skb, ihl + sizeof(*tcph) + noff) ||
175 		    skb_try_make_writable(skb, ihl + sizeof(*tcph) + noff))
176 			goto drop;
177 
178 		tcph = (void *)(skb_network_header(skb) + ihl);
179 		inet_proto_csum_replace4(&tcph->check, skb, addr, new_addr,
180 					 true);
181 		break;
182 	}
183 	case IPPROTO_UDP:
184 	{
185 		struct udphdr *udph;
186 
187 		if (!pskb_may_pull(skb, ihl + sizeof(*udph) + noff) ||
188 		    skb_try_make_writable(skb, ihl + sizeof(*udph) + noff))
189 			goto drop;
190 
191 		udph = (void *)(skb_network_header(skb) + ihl);
192 		if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
193 			inet_proto_csum_replace4(&udph->check, skb, addr,
194 						 new_addr, true);
195 			if (!udph->check)
196 				udph->check = CSUM_MANGLED_0;
197 		}
198 		break;
199 	}
200 	case IPPROTO_ICMP:
201 	{
202 		struct icmphdr *icmph;
203 
204 		if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + noff))
205 			goto drop;
206 
207 		icmph = (void *)(skb_network_header(skb) + ihl);
208 
209 		if (!icmp_is_err(icmph->type))
210 			break;
211 
212 		if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph) +
213 					noff))
214 			goto drop;
215 
216 		icmph = (void *)(skb_network_header(skb) + ihl);
217 		iph = (void *)(icmph + 1);
218 		if (egress)
219 			addr = iph->daddr;
220 		else
221 			addr = iph->saddr;
222 
223 		if ((old_addr ^ addr) & mask)
224 			break;
225 
226 		if (skb_try_make_writable(skb, ihl + sizeof(*icmph) +
227 					  sizeof(*iph) + noff))
228 			goto drop;
229 
230 		icmph = (void *)(skb_network_header(skb) + ihl);
231 		iph = (void *)(icmph + 1);
232 
233 		new_addr &= mask;
234 		new_addr |= addr & ~mask;
235 
236 		/* XXX Fix up the inner checksums. */
237 		if (egress)
238 			iph->daddr = new_addr;
239 		else
240 			iph->saddr = new_addr;
241 
242 		inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
243 					 false);
244 		break;
245 	}
246 	default:
247 		break;
248 	}
249 
250 out:
251 	return action;
252 
253 drop:
254 	spin_lock(&p->tcf_lock);
255 	p->tcf_qstats.drops++;
256 	spin_unlock(&p->tcf_lock);
257 	return TC_ACT_SHOT;
258 }
259 
260 static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
261 			int bind, int ref)
262 {
263 	unsigned char *b = skb_tail_pointer(skb);
264 	struct tcf_nat *p = to_tcf_nat(a);
265 	struct tc_nat opt = {
266 		.index    = p->tcf_index,
267 		.refcnt   = refcount_read(&p->tcf_refcnt) - ref,
268 		.bindcnt  = atomic_read(&p->tcf_bindcnt) - bind,
269 	};
270 	struct tcf_t t;
271 
272 	spin_lock_bh(&p->tcf_lock);
273 	opt.old_addr = p->old_addr;
274 	opt.new_addr = p->new_addr;
275 	opt.mask = p->mask;
276 	opt.flags = p->flags;
277 	opt.action = p->tcf_action;
278 
279 	if (nla_put(skb, TCA_NAT_PARMS, sizeof(opt), &opt))
280 		goto nla_put_failure;
281 
282 	tcf_tm_dump(&t, &p->tcf_tm);
283 	if (nla_put_64bit(skb, TCA_NAT_TM, sizeof(t), &t, TCA_NAT_PAD))
284 		goto nla_put_failure;
285 	spin_unlock_bh(&p->tcf_lock);
286 
287 	return skb->len;
288 
289 nla_put_failure:
290 	spin_unlock_bh(&p->tcf_lock);
291 	nlmsg_trim(skb, b);
292 	return -1;
293 }
294 
295 static int tcf_nat_walker(struct net *net, struct sk_buff *skb,
296 			  struct netlink_callback *cb, int type,
297 			  const struct tc_action_ops *ops,
298 			  struct netlink_ext_ack *extack)
299 {
300 	struct tc_action_net *tn = net_generic(net, nat_net_id);
301 
302 	return tcf_generic_walker(tn, skb, cb, type, ops, extack);
303 }
304 
305 static int tcf_nat_search(struct net *net, struct tc_action **a, u32 index)
306 {
307 	struct tc_action_net *tn = net_generic(net, nat_net_id);
308 
309 	return tcf_idr_search(tn, a, index);
310 }
311 
312 static struct tc_action_ops act_nat_ops = {
313 	.kind		=	"nat",
314 	.id		=	TCA_ID_NAT,
315 	.owner		=	THIS_MODULE,
316 	.act		=	tcf_nat_act,
317 	.dump		=	tcf_nat_dump,
318 	.init		=	tcf_nat_init,
319 	.walk		=	tcf_nat_walker,
320 	.lookup		=	tcf_nat_search,
321 	.size		=	sizeof(struct tcf_nat),
322 };
323 
324 static __net_init int nat_init_net(struct net *net)
325 {
326 	struct tc_action_net *tn = net_generic(net, nat_net_id);
327 
328 	return tc_action_net_init(net, tn, &act_nat_ops);
329 }
330 
331 static void __net_exit nat_exit_net(struct list_head *net_list)
332 {
333 	tc_action_net_exit(net_list, nat_net_id);
334 }
335 
336 static struct pernet_operations nat_net_ops = {
337 	.init = nat_init_net,
338 	.exit_batch = nat_exit_net,
339 	.id   = &nat_net_id,
340 	.size = sizeof(struct tc_action_net),
341 };
342 
343 MODULE_DESCRIPTION("Stateless NAT actions");
344 MODULE_LICENSE("GPL");
345 
346 static int __init nat_init_module(void)
347 {
348 	return tcf_register_action(&act_nat_ops, &nat_net_ops);
349 }
350 
351 static void __exit nat_cleanup_module(void)
352 {
353 	tcf_unregister_action(&act_nat_ops, &nat_net_ops);
354 }
355 
356 module_init(nat_init_module);
357 module_exit(nat_cleanup_module);
358