Commit | Line | Data |
---|---|---|
4ed8eb65 ME |
1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | #include <linux/module.h> | |
3 | #include <linux/netfilter/nf_tables.h> | |
4 | #include <net/netfilter/nf_tables.h> | |
5 | #include <net/netfilter/nf_tables_core.h> | |
6 | #include <net/netfilter/nf_tproxy.h> | |
7 | #include <net/inet_sock.h> | |
8 | #include <net/tcp.h> | |
9 | #include <linux/if_ether.h> | |
10 | #include <net/netfilter/ipv4/nf_defrag_ipv4.h> | |
11 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
12 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> | |
13 | #endif | |
14 | ||
15 | struct nft_tproxy { | |
4f16d25c PNA |
16 | u8 sreg_addr; |
17 | u8 sreg_port; | |
18 | u8 family; | |
4ed8eb65 ME |
19 | }; |
20 | ||
21 | static void nft_tproxy_eval_v4(const struct nft_expr *expr, | |
22 | struct nft_regs *regs, | |
23 | const struct nft_pktinfo *pkt) | |
24 | { | |
25 | const struct nft_tproxy *priv = nft_expr_priv(expr); | |
26 | struct sk_buff *skb = pkt->skb; | |
27 | const struct iphdr *iph = ip_hdr(skb); | |
28 | struct udphdr _hdr, *hp; | |
29 | __be32 taddr = 0; | |
30 | __be16 tport = 0; | |
31 | struct sock *sk; | |
32 | ||
52f0f4e1 PNA |
33 | if (pkt->tprot != IPPROTO_TCP && |
34 | pkt->tprot != IPPROTO_UDP) { | |
35 | regs->verdict.code = NFT_BREAK; | |
36 | return; | |
37 | } | |
38 | ||
4ed8eb65 ME |
39 | hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr); |
40 | if (!hp) { | |
41 | regs->verdict.code = NFT_BREAK; | |
42 | return; | |
43 | } | |
44 | ||
45 | /* check if there's an ongoing connection on the packet addresses, this | |
46 | * happens if the redirect already happened and the current packet | |
47 | * belongs to an already established connection | |
48 | */ | |
49 | sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol, | |
50 | iph->saddr, iph->daddr, | |
51 | hp->source, hp->dest, | |
52 | skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED); | |
53 | ||
54 | if (priv->sreg_addr) | |
7278b3c1 | 55 | taddr = nft_reg_load_be32(®s->data[priv->sreg_addr]); |
4ed8eb65 ME |
56 | taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr); |
57 | ||
58 | if (priv->sreg_port) | |
7278b3c1 | 59 | tport = nft_reg_load_be16(®s->data[priv->sreg_port]); |
4ed8eb65 ME |
60 | if (!tport) |
61 | tport = hp->dest; | |
62 | ||
63 | /* UDP has no TCP_TIME_WAIT state, so we never enter here */ | |
64 | if (sk && sk->sk_state == TCP_TIME_WAIT) { | |
65 | /* reopening a TIME_WAIT connection needs special handling */ | |
66 | sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk); | |
67 | } else if (!sk) { | |
68 | /* no, there's no established connection, check if | |
69 | * there's a listener on the redirected addr/port | |
70 | */ | |
71 | sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol, | |
72 | iph->saddr, taddr, | |
73 | hp->source, tport, | |
74 | skb->dev, NF_TPROXY_LOOKUP_LISTENER); | |
75 | } | |
76 | ||
77 | if (sk && nf_tproxy_sk_is_transparent(sk)) | |
78 | nf_tproxy_assign_sock(skb, sk); | |
79 | else | |
80 | regs->verdict.code = NFT_BREAK; | |
81 | } | |
82 | ||
83 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
84 | static void nft_tproxy_eval_v6(const struct nft_expr *expr, | |
85 | struct nft_regs *regs, | |
86 | const struct nft_pktinfo *pkt) | |
87 | { | |
88 | const struct nft_tproxy *priv = nft_expr_priv(expr); | |
89 | struct sk_buff *skb = pkt->skb; | |
90 | const struct ipv6hdr *iph = ipv6_hdr(skb); | |
2d7b4ace | 91 | int thoff = nft_thoff(pkt); |
4ed8eb65 | 92 | struct udphdr _hdr, *hp; |
2d7b4ace | 93 | struct in6_addr taddr; |
4ed8eb65 ME |
94 | __be16 tport = 0; |
95 | struct sock *sk; | |
96 | int l4proto; | |
97 | ||
90d827f0 ME |
98 | memset(&taddr, 0, sizeof(taddr)); |
99 | ||
52f0f4e1 PNA |
100 | if (pkt->tprot != IPPROTO_TCP && |
101 | pkt->tprot != IPPROTO_UDP) { | |
4ed8eb65 ME |
102 | regs->verdict.code = NFT_BREAK; |
103 | return; | |
104 | } | |
105 | l4proto = pkt->tprot; | |
106 | ||
107 | hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr); | |
108 | if (hp == NULL) { | |
109 | regs->verdict.code = NFT_BREAK; | |
110 | return; | |
111 | } | |
112 | ||
113 | /* check if there's an ongoing connection on the packet addresses, this | |
114 | * happens if the redirect already happened and the current packet | |
115 | * belongs to an already established connection | |
116 | */ | |
117 | sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto, | |
118 | &iph->saddr, &iph->daddr, | |
119 | hp->source, hp->dest, | |
120 | nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED); | |
121 | ||
122 | if (priv->sreg_addr) | |
123 | memcpy(&taddr, ®s->data[priv->sreg_addr], sizeof(taddr)); | |
124 | taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr); | |
125 | ||
126 | if (priv->sreg_port) | |
7278b3c1 | 127 | tport = nft_reg_load_be16(®s->data[priv->sreg_port]); |
4ed8eb65 ME |
128 | if (!tport) |
129 | tport = hp->dest; | |
130 | ||
131 | /* UDP has no TCP_TIME_WAIT state, so we never enter here */ | |
132 | if (sk && sk->sk_state == TCP_TIME_WAIT) { | |
133 | /* reopening a TIME_WAIT connection needs special handling */ | |
134 | sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff, | |
135 | nft_net(pkt), | |
136 | &taddr, | |
137 | tport, | |
138 | sk); | |
139 | } else if (!sk) { | |
140 | /* no there's no established connection, check if | |
141 | * there's a listener on the redirected addr/port | |
142 | */ | |
143 | sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, | |
144 | l4proto, &iph->saddr, &taddr, | |
145 | hp->source, tport, | |
146 | nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER); | |
147 | } | |
148 | ||
149 | /* NOTE: assign_sock consumes our sk reference */ | |
150 | if (sk && nf_tproxy_sk_is_transparent(sk)) | |
151 | nf_tproxy_assign_sock(skb, sk); | |
152 | else | |
153 | regs->verdict.code = NFT_BREAK; | |
154 | } | |
155 | #endif | |
156 | ||
157 | static void nft_tproxy_eval(const struct nft_expr *expr, | |
158 | struct nft_regs *regs, | |
159 | const struct nft_pktinfo *pkt) | |
160 | { | |
161 | const struct nft_tproxy *priv = nft_expr_priv(expr); | |
162 | ||
163 | switch (nft_pf(pkt)) { | |
164 | case NFPROTO_IPV4: | |
165 | switch (priv->family) { | |
166 | case NFPROTO_IPV4: | |
167 | case NFPROTO_UNSPEC: | |
168 | nft_tproxy_eval_v4(expr, regs, pkt); | |
169 | return; | |
170 | } | |
171 | break; | |
172 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
173 | case NFPROTO_IPV6: | |
174 | switch (priv->family) { | |
175 | case NFPROTO_IPV6: | |
176 | case NFPROTO_UNSPEC: | |
177 | nft_tproxy_eval_v6(expr, regs, pkt); | |
178 | return; | |
179 | } | |
180 | #endif | |
181 | } | |
182 | regs->verdict.code = NFT_BREAK; | |
183 | } | |
184 | ||
185 | static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = { | |
186 | [NFTA_TPROXY_FAMILY] = { .type = NLA_U32 }, | |
187 | [NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 }, | |
188 | [NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 }, | |
189 | }; | |
190 | ||
191 | static int nft_tproxy_init(const struct nft_ctx *ctx, | |
192 | const struct nft_expr *expr, | |
193 | const struct nlattr * const tb[]) | |
194 | { | |
195 | struct nft_tproxy *priv = nft_expr_priv(expr); | |
196 | unsigned int alen = 0; | |
197 | int err; | |
198 | ||
199 | if (!tb[NFTA_TPROXY_FAMILY] || | |
200 | (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT])) | |
201 | return -EINVAL; | |
202 | ||
203 | priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY])); | |
204 | ||
205 | switch (ctx->family) { | |
206 | case NFPROTO_IPV4: | |
207 | if (priv->family != NFPROTO_IPV4) | |
208 | return -EINVAL; | |
209 | break; | |
210 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
211 | case NFPROTO_IPV6: | |
212 | if (priv->family != NFPROTO_IPV6) | |
213 | return -EINVAL; | |
214 | break; | |
215 | #endif | |
216 | case NFPROTO_INET: | |
217 | break; | |
218 | default: | |
219 | return -EOPNOTSUPP; | |
220 | } | |
221 | ||
222 | /* Address is specified but the rule family is not set accordingly */ | |
223 | if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR]) | |
224 | return -EINVAL; | |
225 | ||
226 | switch (priv->family) { | |
227 | case NFPROTO_IPV4: | |
c593642c | 228 | alen = sizeof_field(union nf_inet_addr, in); |
4ed8eb65 ME |
229 | err = nf_defrag_ipv4_enable(ctx->net); |
230 | if (err) | |
231 | return err; | |
232 | break; | |
233 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
234 | case NFPROTO_IPV6: | |
c593642c | 235 | alen = sizeof_field(union nf_inet_addr, in6); |
4ed8eb65 ME |
236 | err = nf_defrag_ipv6_enable(ctx->net); |
237 | if (err) | |
238 | return err; | |
239 | break; | |
240 | #endif | |
241 | case NFPROTO_UNSPEC: | |
242 | /* No address is specified here */ | |
243 | err = nf_defrag_ipv4_enable(ctx->net); | |
244 | if (err) | |
245 | return err; | |
033eab53 | 246 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) |
4ed8eb65 ME |
247 | err = nf_defrag_ipv6_enable(ctx->net); |
248 | if (err) | |
249 | return err; | |
033eab53 | 250 | #endif |
4ed8eb65 ME |
251 | break; |
252 | default: | |
253 | return -EOPNOTSUPP; | |
254 | } | |
255 | ||
256 | if (tb[NFTA_TPROXY_REG_ADDR]) { | |
4f16d25c PNA |
257 | err = nft_parse_register_load(tb[NFTA_TPROXY_REG_ADDR], |
258 | &priv->sreg_addr, alen); | |
4ed8eb65 ME |
259 | if (err < 0) |
260 | return err; | |
261 | } | |
262 | ||
263 | if (tb[NFTA_TPROXY_REG_PORT]) { | |
4f16d25c PNA |
264 | err = nft_parse_register_load(tb[NFTA_TPROXY_REG_PORT], |
265 | &priv->sreg_port, sizeof(u16)); | |
4ed8eb65 ME |
266 | if (err < 0) |
267 | return err; | |
268 | } | |
269 | ||
270 | return 0; | |
271 | } | |
272 | ||
de8c1211 FW |
273 | static void nft_tproxy_destroy(const struct nft_ctx *ctx, |
274 | const struct nft_expr *expr) | |
275 | { | |
276 | const struct nft_tproxy *priv = nft_expr_priv(expr); | |
277 | ||
278 | switch (priv->family) { | |
279 | case NFPROTO_IPV4: | |
280 | nf_defrag_ipv4_disable(ctx->net); | |
281 | break; | |
282 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
283 | case NFPROTO_IPV6: | |
284 | nf_defrag_ipv6_disable(ctx->net); | |
285 | break; | |
286 | #endif | |
287 | case NFPROTO_UNSPEC: | |
288 | nf_defrag_ipv4_disable(ctx->net); | |
289 | #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) | |
290 | nf_defrag_ipv6_disable(ctx->net); | |
291 | #endif | |
292 | break; | |
293 | } | |
294 | } | |
295 | ||
4ed8eb65 | 296 | static int nft_tproxy_dump(struct sk_buff *skb, |
7d34aa3e | 297 | const struct nft_expr *expr, bool reset) |
4ed8eb65 ME |
298 | { |
299 | const struct nft_tproxy *priv = nft_expr_priv(expr); | |
300 | ||
301 | if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family))) | |
302 | return -1; | |
303 | ||
304 | if (priv->sreg_addr && | |
305 | nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr)) | |
306 | return -1; | |
307 | ||
308 | if (priv->sreg_port && | |
309 | nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port)) | |
310 | return -1; | |
311 | ||
312 | return 0; | |
313 | } | |
314 | ||
18bbc321 FW |
315 | static int nft_tproxy_validate(const struct nft_ctx *ctx, |
316 | const struct nft_expr *expr, | |
317 | const struct nft_data **data) | |
318 | { | |
319 | return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING); | |
320 | } | |
321 | ||
4ed8eb65 ME |
322 | static struct nft_expr_type nft_tproxy_type; |
323 | static const struct nft_expr_ops nft_tproxy_ops = { | |
324 | .type = &nft_tproxy_type, | |
325 | .size = NFT_EXPR_SIZE(sizeof(struct nft_tproxy)), | |
326 | .eval = nft_tproxy_eval, | |
327 | .init = nft_tproxy_init, | |
de8c1211 | 328 | .destroy = nft_tproxy_destroy, |
4ed8eb65 | 329 | .dump = nft_tproxy_dump, |
b2d30654 | 330 | .reduce = NFT_REDUCE_READONLY, |
18bbc321 | 331 | .validate = nft_tproxy_validate, |
4ed8eb65 ME |
332 | }; |
333 | ||
334 | static struct nft_expr_type nft_tproxy_type __read_mostly = { | |
335 | .name = "tproxy", | |
336 | .ops = &nft_tproxy_ops, | |
337 | .policy = nft_tproxy_policy, | |
338 | .maxattr = NFTA_TPROXY_MAX, | |
339 | .owner = THIS_MODULE, | |
340 | }; | |
341 | ||
342 | static int __init nft_tproxy_module_init(void) | |
343 | { | |
344 | return nft_register_expr(&nft_tproxy_type); | |
345 | } | |
346 | ||
347 | static void __exit nft_tproxy_module_exit(void) | |
348 | { | |
349 | nft_unregister_expr(&nft_tproxy_type); | |
350 | } | |
351 | ||
352 | module_init(nft_tproxy_module_init); | |
353 | module_exit(nft_tproxy_module_exit); | |
354 | ||
355 | MODULE_LICENSE("GPL"); | |
356 | MODULE_AUTHOR("Máté Eckl"); | |
357 | MODULE_DESCRIPTION("nf_tables tproxy support module"); | |
358 | MODULE_ALIAS_NFT_EXPR("tproxy"); |