2012-08-26 11:14:06 -06:00
|
|
|
/*
|
|
|
|
|
* (C) 1999-2001 Paul `Rusty' Russell
|
2006-12-02 23:07:13 -07:00
|
|
|
* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
|
2012-08-26 11:14:06 -06:00
|
|
|
* (C) 2011 Patrick McHardy <kaber@trash.net>
|
2006-12-02 23:07:13 -07:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/timer.h>
|
|
|
|
|
#include <linux/skbuff.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 02:04:11 -06:00
|
|
|
#include <linux/gfp.h>
|
2012-08-26 11:14:06 -06:00
|
|
|
#include <net/xfrm.h>
|
2006-12-02 23:07:13 -07:00
|
|
|
#include <linux/jhash.h>
|
2012-08-26 11:14:06 -06:00
|
|
|
#include <linux/rtnetlink.h>
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
|
|
|
|
#include <net/netfilter/nf_nat.h>
|
2012-08-26 11:14:06 -06:00
|
|
|
#include <net/netfilter/nf_nat_l3proto.h>
|
|
|
|
|
#include <net/netfilter/nf_nat_l4proto.h>
|
2006-12-02 23:07:13 -07:00
|
|
|
#include <net/netfilter/nf_nat_core.h>
|
|
|
|
|
#include <net/netfilter/nf_nat_helper.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_helper.h>
|
2013-08-27 00:50:12 -06:00
|
|
|
#include <net/netfilter/nf_conntrack_seqadj.h>
|
2006-12-02 23:07:13 -07:00
|
|
|
#include <net/netfilter/nf_conntrack_l3proto.h>
|
2010-02-15 10:13:33 -07:00
|
|
|
#include <net/netfilter/nf_conntrack_zones.h>
|
2012-08-26 11:14:06 -06:00
|
|
|
#include <linux/netfilter/nf_nat.h>
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2017-09-06 06:39:52 -06:00
|
|
|
static spinlock_t nf_nat_locks[CONNTRACK_LOCKS];
|
2017-09-06 06:39:51 -06:00
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
static DEFINE_MUTEX(nf_nat_proto_mutex);
|
|
|
|
|
static const struct nf_nat_l3proto __rcu *nf_nat_l3protos[NFPROTO_NUMPROTO]
|
|
|
|
|
__read_mostly;
|
|
|
|
|
static const struct nf_nat_l4proto __rcu **nf_nat_l4protos[NFPROTO_NUMPROTO]
|
2007-12-17 23:37:52 -07:00
|
|
|
__read_mostly;
|
2016-05-09 08:24:31 -06:00
|
|
|
|
2017-09-06 06:39:51 -06:00
|
|
|
static struct hlist_head *nf_nat_bysource __read_mostly;
|
|
|
|
|
static unsigned int nf_nat_htable_size __read_mostly;
|
|
|
|
|
static unsigned int nf_nat_hash_rnd __read_mostly;
|
2012-08-26 11:14:06 -06:00
|
|
|
|
|
|
|
|
inline const struct nf_nat_l3proto *
|
|
|
|
|
__nf_nat_l3proto_find(u8 family)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
return rcu_dereference(nf_nat_l3protos[family]);
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
inline const struct nf_nat_l4proto *
|
|
|
|
|
__nf_nat_l4proto_find(u8 family, u8 protonum)
|
|
|
|
|
{
|
|
|
|
|
return rcu_dereference(nf_nat_l4protos[family][protonum]);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(__nf_nat_l4proto_find);
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl)
|
|
|
|
|
{
|
|
|
|
|
const struct nf_nat_l3proto *l3proto;
|
|
|
|
|
const struct nf_conn *ct;
|
|
|
|
|
enum ip_conntrack_info ctinfo;
|
|
|
|
|
enum ip_conntrack_dir dir;
|
|
|
|
|
unsigned long statusbit;
|
|
|
|
|
u8 family;
|
|
|
|
|
|
|
|
|
|
ct = nf_ct_get(skb, &ctinfo);
|
|
|
|
|
if (ct == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2017-03-27 09:28:50 -06:00
|
|
|
family = nf_ct_l3num(ct);
|
2012-08-26 11:14:06 -06:00
|
|
|
l3proto = __nf_nat_l3proto_find(family);
|
|
|
|
|
if (l3proto == NULL)
|
2017-03-27 09:28:50 -06:00
|
|
|
return;
|
2012-08-26 11:14:06 -06:00
|
|
|
|
|
|
|
|
dir = CTINFO2DIR(ctinfo);
|
|
|
|
|
if (dir == IP_CT_DIR_ORIGINAL)
|
|
|
|
|
statusbit = IPS_DST_NAT;
|
|
|
|
|
else
|
|
|
|
|
statusbit = IPS_SRC_NAT;
|
|
|
|
|
|
|
|
|
|
l3proto->decode_session(skb, ct, dir, statusbit, fl);
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-18 13:33:07 -06:00
|
|
|
int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
|
2012-08-26 11:14:06 -06:00
|
|
|
{
|
|
|
|
|
struct flowi fl;
|
|
|
|
|
unsigned int hh_len;
|
|
|
|
|
struct dst_entry *dst;
|
2013-04-05 00:41:12 -06:00
|
|
|
int err;
|
2012-08-26 11:14:06 -06:00
|
|
|
|
2013-04-05 00:41:12 -06:00
|
|
|
err = xfrm_decode_session(skb, &fl, family);
|
2013-04-23 23:11:51 -06:00
|
|
|
if (err < 0)
|
2013-04-05 00:41:12 -06:00
|
|
|
return err;
|
2012-08-26 11:14:06 -06:00
|
|
|
|
|
|
|
|
dst = skb_dst(skb);
|
|
|
|
|
if (dst->xfrm)
|
|
|
|
|
dst = ((struct xfrm_dst *)dst)->route;
|
|
|
|
|
dst_hold(dst);
|
|
|
|
|
|
2015-09-18 13:33:07 -06:00
|
|
|
dst = xfrm_lookup(net, dst, &fl, skb->sk, 0);
|
2012-08-26 11:14:06 -06:00
|
|
|
if (IS_ERR(dst))
|
2013-04-05 00:41:12 -06:00
|
|
|
return PTR_ERR(dst);
|
2012-08-26 11:14:06 -06:00
|
|
|
|
|
|
|
|
skb_dst_drop(skb);
|
|
|
|
|
skb_dst_set(skb, dst);
|
|
|
|
|
|
|
|
|
|
/* Change in oif may mean change in hh_len. */
|
|
|
|
|
hh_len = skb_dst(skb)->dev->hard_header_len;
|
|
|
|
|
if (skb_headroom(skb) < hh_len &&
|
|
|
|
|
pskb_expand_head(skb, hh_len - skb_headroom(skb), 0, GFP_ATOMIC))
|
2013-04-05 00:41:12 -06:00
|
|
|
return -ENOMEM;
|
2012-08-26 11:14:06 -06:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nf_xfrm_me_harder);
|
|
|
|
|
#endif /* CONFIG_XFRM */
|
|
|
|
|
|
2017-09-06 06:39:51 -06:00
|
|
|
/* We keep an extra hash for each conntrack, for fast searching. */
|
|
|
|
|
static unsigned int
|
|
|
|
|
hash_by_src(const struct net *n, const struct nf_conntrack_tuple *tuple)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2017-09-06 06:39:51 -06:00
|
|
|
unsigned int hash;
|
|
|
|
|
|
|
|
|
|
get_random_once(&nf_nat_hash_rnd, sizeof(nf_nat_hash_rnd));
|
2016-04-18 08:17:00 -06:00
|
|
|
|
2006-12-02 23:07:13 -07:00
|
|
|
/* Original src, to ensure we map it consistently if poss. */
|
2017-09-06 06:39:51 -06:00
|
|
|
hash = jhash2((u32 *)&tuple->src, sizeof(tuple->src) / sizeof(u32),
|
|
|
|
|
tuple->dst.protonum ^ nf_nat_hash_rnd ^ net_hash_mix(n));
|
2014-08-23 12:58:54 -06:00
|
|
|
|
2017-09-06 06:39:51 -06:00
|
|
|
return reciprocal_scale(hash, nf_nat_htable_size);
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Is this tuple already taken? (not by us) */
|
|
|
|
|
int
|
|
|
|
|
nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const struct nf_conn *ignored_conntrack)
|
|
|
|
|
{
|
|
|
|
|
/* Conntrack tracking doesn't keep track of outgoing tuples; only
|
2012-08-26 11:14:06 -06:00
|
|
|
* incoming ones. NAT means they don't have a fixed mapping,
|
|
|
|
|
* so we invert the tuple and look for the incoming reply.
|
|
|
|
|
*
|
|
|
|
|
* We could keep a separate hash if this proves too slow.
|
|
|
|
|
*/
|
2006-12-02 23:07:13 -07:00
|
|
|
struct nf_conntrack_tuple reply;
|
|
|
|
|
|
|
|
|
|
nf_ct_invert_tuplepr(&reply, tuple);
|
|
|
|
|
return nf_conntrack_tuple_taken(&reply, ignored_conntrack);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nf_nat_used_tuple);
|
|
|
|
|
|
|
|
|
|
/* If we source map this tuple so reply looks like reply_tuple, will
|
2012-08-26 11:14:06 -06:00
|
|
|
* that meet the constraints of range.
|
|
|
|
|
*/
|
|
|
|
|
static int in_range(const struct nf_nat_l3proto *l3proto,
|
|
|
|
|
const struct nf_nat_l4proto *l4proto,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const struct nf_nat_range *range)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
|
|
|
|
/* If we are supposed to map IPs, then we must be in the
|
2012-08-26 11:14:06 -06:00
|
|
|
* range specified, otherwise let this drag us onto a new src IP.
|
|
|
|
|
*/
|
|
|
|
|
if (range->flags & NF_NAT_RANGE_MAP_IPS &&
|
|
|
|
|
!l3proto->in_range(tuple, range))
|
|
|
|
|
return 0;
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2011-12-23 05:59:49 -07:00
|
|
|
if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) ||
|
2012-08-26 11:14:06 -06:00
|
|
|
l4proto->in_range(tuple, NF_NAT_MANIP_SRC,
|
|
|
|
|
&range->min_proto, &range->max_proto))
|
|
|
|
|
return 1;
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
return 0;
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
|
same_src(const struct nf_conn *ct,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple)
|
|
|
|
|
{
|
|
|
|
|
const struct nf_conntrack_tuple *t;
|
|
|
|
|
|
|
|
|
|
t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
|
|
|
|
return (t->dst.protonum == tuple->dst.protonum &&
|
2012-08-26 11:14:06 -06:00
|
|
|
nf_inet_addr_cmp(&t->src.u3, &tuple->src.u3) &&
|
2006-12-02 23:07:13 -07:00
|
|
|
t->src.u.all == tuple->src.u.all);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Only called for SRC manip */
|
|
|
|
|
static int
|
2015-08-08 13:40:01 -06:00
|
|
|
find_appropriate_src(struct net *net,
|
|
|
|
|
const struct nf_conntrack_zone *zone,
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_l3proto *l3proto,
|
|
|
|
|
const struct nf_nat_l4proto *l4proto,
|
2008-10-08 03:35:11 -06:00
|
|
|
const struct nf_conntrack_tuple *tuple,
|
2006-12-02 23:07:13 -07:00
|
|
|
struct nf_conntrack_tuple *result,
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_range *range)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2017-09-06 06:39:51 -06:00
|
|
|
unsigned int h = hash_by_src(net, tuple);
|
2008-04-14 03:15:42 -06:00
|
|
|
const struct nf_conn *ct;
|
2016-07-05 04:07:24 -06:00
|
|
|
|
2017-09-06 06:39:51 -06:00
|
|
|
hlist_for_each_entry_rcu(ct, &nf_nat_bysource[h], nat_bysource) {
|
|
|
|
|
if (same_src(ct, tuple) &&
|
|
|
|
|
net_eq(net, nf_ct_net(ct)) &&
|
|
|
|
|
nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) {
|
|
|
|
|
/* Copy source part from reply tuple. */
|
|
|
|
|
nf_ct_invert_tuplepr(result,
|
|
|
|
|
&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
|
|
|
|
|
result->dst = tuple->dst;
|
|
|
|
|
|
|
|
|
|
if (in_range(l3proto, l4proto, result, range))
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2017-07-07 05:07:17 -06:00
|
|
|
}
|
|
|
|
|
return 0;
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* For [FUTURE] fragmentation handling, we want the least-used
|
2012-08-26 11:14:06 -06:00
|
|
|
* src-ip/dst-ip/proto triple. Fairness doesn't come into it. Thus
|
|
|
|
|
* if the range specifies 1.2.3.4 ports 10000-10005 and 1.2.3.5 ports
|
|
|
|
|
* 1-65535, we don't do pro-rata allocation based on ports; we choose
|
|
|
|
|
* the ip with the lowest src-ip/dst-ip/proto usage.
|
|
|
|
|
*/
|
2006-12-02 23:07:13 -07:00
|
|
|
static void
|
2015-08-08 13:40:01 -06:00
|
|
|
find_best_ips_proto(const struct nf_conntrack_zone *zone,
|
|
|
|
|
struct nf_conntrack_tuple *tuple,
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_range *range,
|
2006-12-02 23:07:13 -07:00
|
|
|
const struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type maniptype)
|
|
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
union nf_inet_addr *var_ipp;
|
|
|
|
|
unsigned int i, max;
|
2006-12-02 23:07:13 -07:00
|
|
|
/* Host order */
|
2012-08-26 11:14:06 -06:00
|
|
|
u32 minip, maxip, j, dist;
|
|
|
|
|
bool full_range;
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
/* No IP mapping? Do nothing. */
|
2011-12-23 05:59:49 -07:00
|
|
|
if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
|
2006-12-02 23:07:13 -07:00
|
|
|
return;
|
|
|
|
|
|
2011-12-23 05:59:49 -07:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC)
|
2012-08-26 11:14:06 -06:00
|
|
|
var_ipp = &tuple->src.u3;
|
2006-12-02 23:07:13 -07:00
|
|
|
else
|
2012-08-26 11:14:06 -06:00
|
|
|
var_ipp = &tuple->dst.u3;
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
/* Fast path: only one choice. */
|
2012-08-26 11:14:06 -06:00
|
|
|
if (nf_inet_addr_cmp(&range->min_addr, &range->max_addr)) {
|
|
|
|
|
*var_ipp = range->min_addr;
|
2006-12-02 23:07:13 -07:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
|
|
|
|
|
max = sizeof(var_ipp->ip) / sizeof(u32) - 1;
|
|
|
|
|
else
|
|
|
|
|
max = sizeof(var_ipp->ip6) / sizeof(u32) - 1;
|
|
|
|
|
|
2006-12-02 23:07:13 -07:00
|
|
|
/* Hashing source and destination IPs gives a fairly even
|
|
|
|
|
* spread in practice (if there are a small number of IPs
|
|
|
|
|
* involved, there usually aren't that many connections
|
|
|
|
|
* anyway). The consistency means that servers see the same
|
|
|
|
|
* client coming from the same IP (some Internet Banking sites
|
2012-08-26 11:14:06 -06:00
|
|
|
* like this), even across reboots.
|
|
|
|
|
*/
|
2012-09-05 04:10:28 -06:00
|
|
|
j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
|
2012-08-26 11:14:06 -06:00
|
|
|
range->flags & NF_NAT_RANGE_PERSISTENT ?
|
2015-08-08 13:40:01 -06:00
|
|
|
0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id);
|
2012-08-26 11:14:06 -06:00
|
|
|
|
|
|
|
|
full_range = false;
|
|
|
|
|
for (i = 0; i <= max; i++) {
|
|
|
|
|
/* If first bytes of the address are at the maximum, use the
|
|
|
|
|
* distance. Otherwise use the full range.
|
|
|
|
|
*/
|
|
|
|
|
if (!full_range) {
|
|
|
|
|
minip = ntohl((__force __be32)range->min_addr.all[i]);
|
|
|
|
|
maxip = ntohl((__force __be32)range->max_addr.all[i]);
|
|
|
|
|
dist = maxip - minip + 1;
|
|
|
|
|
} else {
|
|
|
|
|
minip = 0;
|
|
|
|
|
dist = ~0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var_ipp->all[i] = (__force __u32)
|
2014-08-23 12:58:54 -06:00
|
|
|
htonl(minip + reciprocal_scale(j, dist));
|
2012-08-26 11:14:06 -06:00
|
|
|
if (var_ipp->all[i] != range->max_addr.all[i])
|
|
|
|
|
full_range = true;
|
|
|
|
|
|
|
|
|
|
if (!(range->flags & NF_NAT_RANGE_PERSISTENT))
|
|
|
|
|
j ^= (__force u32)tuple->dst.u3.all[i];
|
|
|
|
|
}
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
/* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
|
|
|
|
|
* we change the source to map into the range. For NF_INET_PRE_ROUTING
|
2007-11-19 19:53:30 -07:00
|
|
|
* and NF_INET_LOCAL_OUT, we change the destination to map into the
|
2012-08-26 11:14:06 -06:00
|
|
|
* range. It might not be possible to get a unique tuple, but we try.
|
2006-12-02 23:07:13 -07:00
|
|
|
* At worst (or if we race), we will end up with a final duplicate in
|
|
|
|
|
* __ip_conntrack_confirm and drop the packet. */
|
|
|
|
|
static void
|
|
|
|
|
get_unique_tuple(struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const struct nf_conntrack_tuple *orig_tuple,
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_range *range,
|
2006-12-02 23:07:13 -07:00
|
|
|
struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type maniptype)
|
|
|
|
|
{
|
2015-08-08 13:40:01 -06:00
|
|
|
const struct nf_conntrack_zone *zone;
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_l3proto *l3proto;
|
|
|
|
|
const struct nf_nat_l4proto *l4proto;
|
2008-10-08 03:35:11 -06:00
|
|
|
struct net *net = nf_ct_net(ct);
|
2015-08-08 13:40:01 -06:00
|
|
|
|
|
|
|
|
zone = nf_ct_zone(ct);
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
rcu_read_lock();
|
|
|
|
|
l3proto = __nf_nat_l3proto_find(orig_tuple->src.l3num);
|
|
|
|
|
l4proto = __nf_nat_l4proto_find(orig_tuple->src.l3num,
|
|
|
|
|
orig_tuple->dst.protonum);
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
/* 1) If this srcip/proto/src-proto-part is currently mapped,
|
|
|
|
|
* and that same mapping gives a unique tuple within the given
|
|
|
|
|
* range, use that.
|
|
|
|
|
*
|
|
|
|
|
* This is only required for source (ie. NAT/masq) mappings.
|
|
|
|
|
* So far, we don't do local source mappings, so multiple
|
|
|
|
|
* manips not an issue.
|
|
|
|
|
*/
|
2011-12-23 05:59:49 -07:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC &&
|
netfilter: nf_nat: add full port randomization support
We currently use prandom_u32() for allocation of ports in tcp bind(0)
and udp code. In case of plain SNAT we try to keep the ports as is
or increment on collision.
SNAT --random mode does use per-destination incrementing port
allocation. As a recent paper pointed out in [1] that this mode of
port allocation makes it possible to an attacker to find the randomly
allocated ports through a timing side-channel in a socket overloading
attack conducted through an off-path attacker.
So, NF_NAT_RANGE_PROTO_RANDOM actually weakens the port randomization
in regard to the attack described in this paper. As we need to keep
compatibility, add another flag called NF_NAT_RANGE_PROTO_RANDOM_FULLY
that would replace the NF_NAT_RANGE_PROTO_RANDOM hash-based port
selection algorithm with a simple prandom_u32() in order to mitigate
this attack vector. Note that the lfsr113's internal state is
periodically reseeded by the kernel through a local secure entropy
source.
More details can be found in [1], the basic idea is to send bursts
of packets to a socket to overflow its receive queue and measure
the latency to detect a possible retransmit when the port is found.
Because of increasing ports to given destination and port, further
allocations can be predicted. This information could then be used by
an attacker for e.g. for cache-poisoning, NS pinning, and degradation
of service attacks against DNS servers [1]:
The best defense against the poisoning attacks is to properly
deploy and validate DNSSEC; DNSSEC provides security not only
against off-path attacker but even against MitM attacker. We hope
that our results will help motivate administrators to adopt DNSSEC.
However, full DNSSEC deployment make take significant time, and
until that happens, we recommend short-term, non-cryptographic
defenses. We recommend to support full port randomisation,
according to practices recommended in [2], and to avoid
per-destination sequential port allocation, which we show may be
vulnerable to derandomisation attacks.
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://arxiv.org/pdf/1205.5190v1.pdf
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-12-20 14:40:29 -07:00
|
|
|
!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
|
2011-01-20 07:49:52 -07:00
|
|
|
/* try the original tuple first */
|
2012-08-26 11:14:06 -06:00
|
|
|
if (in_range(l3proto, l4proto, orig_tuple, range)) {
|
2011-01-20 07:49:52 -07:00
|
|
|
if (!nf_nat_used_tuple(orig_tuple, ct)) {
|
|
|
|
|
*tuple = *orig_tuple;
|
2012-08-26 11:14:06 -06:00
|
|
|
goto out;
|
2011-01-20 07:49:52 -07:00
|
|
|
}
|
2012-08-26 11:14:06 -06:00
|
|
|
} else if (find_appropriate_src(net, zone, l3proto, l4proto,
|
|
|
|
|
orig_tuple, tuple, range)) {
|
2007-07-07 23:39:38 -06:00
|
|
|
pr_debug("get_unique_tuple: Found current src map\n");
|
2008-07-21 11:00:51 -06:00
|
|
|
if (!nf_nat_used_tuple(tuple, ct))
|
2012-08-26 11:14:06 -06:00
|
|
|
goto out;
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
/* 2) Select the least-used IP/proto combination in the given range */
|
2006-12-02 23:07:13 -07:00
|
|
|
*tuple = *orig_tuple;
|
2010-02-15 10:13:33 -07:00
|
|
|
find_best_ips_proto(zone, tuple, range, ct, maniptype);
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
/* 3) The per-protocol part of the manip is made to map into
|
2012-08-26 11:14:06 -06:00
|
|
|
* the range to make a unique tuple.
|
|
|
|
|
*/
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
/* Only bother mapping if it's not already in range and unique */
|
netfilter: nf_nat: add full port randomization support
We currently use prandom_u32() for allocation of ports in tcp bind(0)
and udp code. In case of plain SNAT we try to keep the ports as is
or increment on collision.
SNAT --random mode does use per-destination incrementing port
allocation. As a recent paper pointed out in [1] that this mode of
port allocation makes it possible to an attacker to find the randomly
allocated ports through a timing side-channel in a socket overloading
attack conducted through an off-path attacker.
So, NF_NAT_RANGE_PROTO_RANDOM actually weakens the port randomization
in regard to the attack described in this paper. As we need to keep
compatibility, add another flag called NF_NAT_RANGE_PROTO_RANDOM_FULLY
that would replace the NF_NAT_RANGE_PROTO_RANDOM hash-based port
selection algorithm with a simple prandom_u32() in order to mitigate
this attack vector. Note that the lfsr113's internal state is
periodically reseeded by the kernel through a local secure entropy
source.
More details can be found in [1], the basic idea is to send bursts
of packets to a socket to overflow its receive queue and measure
the latency to detect a possible retransmit when the port is found.
Because of increasing ports to given destination and port, further
allocations can be predicted. This information could then be used by
an attacker for e.g. for cache-poisoning, NS pinning, and degradation
of service attacks against DNS servers [1]:
The best defense against the poisoning attacks is to properly
deploy and validate DNSSEC; DNSSEC provides security not only
against off-path attacker but even against MitM attacker. We hope
that our results will help motivate administrators to adopt DNSSEC.
However, full DNSSEC deployment make take significant time, and
until that happens, we recommend short-term, non-cryptographic
defenses. We recommend to support full port randomisation,
according to practices recommended in [2], and to avoid
per-destination sequential port allocation, which we show may be
vulnerable to derandomisation attacks.
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://arxiv.org/pdf/1205.5190v1.pdf
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-12-20 14:40:29 -07:00
|
|
|
if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
|
2011-12-23 05:59:49 -07:00
|
|
|
if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
|
2012-08-26 11:14:06 -06:00
|
|
|
if (l4proto->in_range(tuple, maniptype,
|
|
|
|
|
&range->min_proto,
|
|
|
|
|
&range->max_proto) &&
|
|
|
|
|
(range->min_proto.all == range->max_proto.all ||
|
2010-09-16 11:45:19 -06:00
|
|
|
!nf_nat_used_tuple(tuple, ct)))
|
|
|
|
|
goto out;
|
|
|
|
|
} else if (!nf_nat_used_tuple(tuple, ct)) {
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
/* Last change: get protocol to try to obtain unique tuple. */
|
2012-08-26 11:14:06 -06:00
|
|
|
l4proto->unique_tuple(l3proto, tuple, range, maniptype, ct);
|
2007-02-12 12:12:26 -07:00
|
|
|
out:
|
|
|
|
|
rcu_read_unlock();
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
2014-04-28 13:09:50 -06:00
|
|
|
struct nf_conn_nat *nf_ct_nat_ext_add(struct nf_conn *ct)
|
|
|
|
|
{
|
|
|
|
|
struct nf_conn_nat *nat = nfct_nat(ct);
|
|
|
|
|
if (nat)
|
|
|
|
|
return nat;
|
|
|
|
|
|
|
|
|
|
if (!nf_ct_is_confirmed(ct))
|
|
|
|
|
nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
|
|
|
|
|
|
|
|
|
|
return nat;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_ct_nat_ext_add);
|
|
|
|
|
|
2006-12-02 23:07:13 -07:00
|
|
|
unsigned int
|
|
|
|
|
nf_nat_setup_info(struct nf_conn *ct,
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_range *range,
|
2007-12-17 23:38:20 -07:00
|
|
|
enum nf_nat_manip_type maniptype)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2017-09-06 06:39:51 -06:00
|
|
|
struct net *net = nf_ct_net(ct);
|
2006-12-02 23:07:13 -07:00
|
|
|
struct nf_conntrack_tuple curr_tuple, new_tuple;
|
2007-07-07 23:24:28 -06:00
|
|
|
|
2017-05-06 06:28:02 -06:00
|
|
|
/* Can't setup nat info for confirmed ct. */
|
|
|
|
|
if (nf_ct_is_confirmed(ct))
|
|
|
|
|
return NF_ACCEPT;
|
|
|
|
|
|
2017-08-30 02:07:11 -06:00
|
|
|
WARN_ON(maniptype != NF_NAT_MANIP_SRC &&
|
|
|
|
|
maniptype != NF_NAT_MANIP_DST);
|
2017-08-31 05:45:24 -06:00
|
|
|
|
|
|
|
|
if (WARN_ON(nf_nat_initialized(ct, maniptype)))
|
|
|
|
|
return NF_DROP;
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
/* What we've got will look like inverse of reply. Normally
|
2012-08-26 11:14:06 -06:00
|
|
|
* this is what is in the conntrack, except for prior
|
|
|
|
|
* manipulations (future optimization: if num_manips == 0,
|
|
|
|
|
* orig_tp = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
|
|
|
|
|
*/
|
2006-12-02 23:07:13 -07:00
|
|
|
nf_ct_invert_tuplepr(&curr_tuple,
|
|
|
|
|
&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
|
|
|
|
|
|
|
|
|
|
get_unique_tuple(&new_tuple, &curr_tuple, range, ct, maniptype);
|
|
|
|
|
|
|
|
|
|
if (!nf_ct_tuple_equal(&new_tuple, &curr_tuple)) {
|
|
|
|
|
struct nf_conntrack_tuple reply;
|
|
|
|
|
|
|
|
|
|
/* Alter conntrack table so will recognize replies. */
|
|
|
|
|
nf_ct_invert_tuplepr(&reply, &new_tuple);
|
|
|
|
|
nf_conntrack_alter_reply(ct, &reply);
|
|
|
|
|
|
|
|
|
|
/* Non-atomic: we own this at the moment. */
|
2011-12-23 05:59:49 -07:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC)
|
2006-12-02 23:07:13 -07:00
|
|
|
ct->status |= IPS_SRC_NAT;
|
|
|
|
|
else
|
|
|
|
|
ct->status |= IPS_DST_NAT;
|
2013-08-27 00:50:12 -06:00
|
|
|
|
2017-08-09 20:22:24 -06:00
|
|
|
if (nfct_help(ct) && !nfct_seqadj(ct))
|
2016-09-12 18:49:18 -06:00
|
|
|
if (!nfct_seqadj_ext_add(ct))
|
|
|
|
|
return NF_DROP;
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
2011-12-23 05:59:49 -07:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC) {
|
2017-09-06 06:39:51 -06:00
|
|
|
unsigned int srchash;
|
2017-09-06 06:39:52 -06:00
|
|
|
spinlock_t *lock;
|
2017-09-06 06:39:51 -06:00
|
|
|
|
|
|
|
|
srchash = hash_by_src(net,
|
|
|
|
|
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
|
2017-09-10 05:41:41 -06:00
|
|
|
lock = &nf_nat_locks[srchash % CONNTRACK_LOCKS];
|
2017-09-06 06:39:52 -06:00
|
|
|
spin_lock_bh(lock);
|
2017-09-06 06:39:51 -06:00
|
|
|
hlist_add_head_rcu(&ct->nat_bysource,
|
|
|
|
|
&nf_nat_bysource[srchash]);
|
2017-09-06 06:39:52 -06:00
|
|
|
spin_unlock_bh(lock);
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* It's done. */
|
2011-12-23 05:59:49 -07:00
|
|
|
if (maniptype == NF_NAT_MANIP_DST)
|
2011-01-18 07:02:48 -07:00
|
|
|
ct->status |= IPS_DST_NAT_DONE;
|
2006-12-02 23:07:13 -07:00
|
|
|
else
|
2011-01-18 07:02:48 -07:00
|
|
|
ct->status |= IPS_SRC_NAT_DONE;
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
return NF_ACCEPT;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nf_nat_setup_info);
|
|
|
|
|
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
static unsigned int
|
|
|
|
|
__nf_nat_alloc_null_binding(struct nf_conn *ct, enum nf_nat_manip_type manip)
|
2013-10-14 02:57:04 -06:00
|
|
|
{
|
|
|
|
|
/* Force range to this IP; let proto decide mapping for
|
|
|
|
|
* per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
|
|
|
|
|
* Use reply in case it's already been mangled (eg local packet).
|
|
|
|
|
*/
|
|
|
|
|
union nf_inet_addr ip =
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
(manip == NF_NAT_MANIP_SRC ?
|
2013-10-14 02:57:04 -06:00
|
|
|
ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :
|
|
|
|
|
ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);
|
|
|
|
|
struct nf_nat_range range = {
|
|
|
|
|
.flags = NF_NAT_RANGE_MAP_IPS,
|
|
|
|
|
.min_addr = ip,
|
|
|
|
|
.max_addr = ip,
|
|
|
|
|
};
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
return nf_nat_setup_info(ct, &range, manip);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unsigned int
|
|
|
|
|
nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
|
|
|
|
|
{
|
|
|
|
|
return __nf_nat_alloc_null_binding(ct, HOOK2MANIP(hooknum));
|
2013-10-14 02:57:04 -06:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);
|
|
|
|
|
|
2006-12-02 23:07:13 -07:00
|
|
|
/* Do packet manipulations according to nf_nat_setup_info. */
|
|
|
|
|
unsigned int nf_nat_packet(struct nf_conn *ct,
|
|
|
|
|
enum ip_conntrack_info ctinfo,
|
|
|
|
|
unsigned int hooknum,
|
2007-10-15 01:53:15 -06:00
|
|
|
struct sk_buff *skb)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_l3proto *l3proto;
|
|
|
|
|
const struct nf_nat_l4proto *l4proto;
|
2006-12-02 23:07:13 -07:00
|
|
|
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
|
|
|
|
unsigned long statusbit;
|
|
|
|
|
enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum);
|
|
|
|
|
|
2011-12-23 05:59:49 -07:00
|
|
|
if (mtype == NF_NAT_MANIP_SRC)
|
2006-12-02 23:07:13 -07:00
|
|
|
statusbit = IPS_SRC_NAT;
|
|
|
|
|
else
|
|
|
|
|
statusbit = IPS_DST_NAT;
|
|
|
|
|
|
|
|
|
|
/* Invert if this is reply dir. */
|
|
|
|
|
if (dir == IP_CT_DIR_REPLY)
|
|
|
|
|
statusbit ^= IPS_NAT_MASK;
|
|
|
|
|
|
|
|
|
|
/* Non-atomic: these bits don't change. */
|
|
|
|
|
if (ct->status & statusbit) {
|
|
|
|
|
struct nf_conntrack_tuple target;
|
|
|
|
|
|
|
|
|
|
/* We are aiming to look like inverse of other direction. */
|
|
|
|
|
nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
l3proto = __nf_nat_l3proto_find(target.src.l3num);
|
|
|
|
|
l4proto = __nf_nat_l4proto_find(target.src.l3num,
|
|
|
|
|
target.dst.protonum);
|
|
|
|
|
if (!l3proto->manip_pkt(skb, 0, l4proto, &target, mtype))
|
2006-12-02 23:07:13 -07:00
|
|
|
return NF_DROP;
|
|
|
|
|
}
|
|
|
|
|
return NF_ACCEPT;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_packet);
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
struct nf_nat_proto_clean {
|
|
|
|
|
u8 l3proto;
|
|
|
|
|
u8 l4proto;
|
|
|
|
|
};
|
|
|
|
|
|
2013-04-10 22:22:39 -06:00
|
|
|
/* kill conntracks with affected NAT section */
|
|
|
|
|
static int nf_nat_proto_remove(struct nf_conn *i, void *data)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_proto_clean *clean = data;
|
2013-04-10 22:22:39 -06:00
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) ||
|
|
|
|
|
(clean->l4proto && nf_ct_protonum(i) != clean->l4proto))
|
2006-12-02 23:07:13 -07:00
|
|
|
return 0;
|
|
|
|
|
|
2013-04-10 22:22:39 -06:00
|
|
|
return i->status & IPS_NAT_MASK ? 1 : 0;
|
2012-08-26 11:14:06 -06:00
|
|
|
}
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2017-09-06 06:39:52 -06:00
|
|
|
static void __nf_nat_cleanup_conntrack(struct nf_conn *ct)
|
|
|
|
|
{
|
|
|
|
|
unsigned int h;
|
|
|
|
|
|
|
|
|
|
h = hash_by_src(nf_ct_net(ct), &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
|
2017-09-10 05:41:41 -06:00
|
|
|
spin_lock_bh(&nf_nat_locks[h % CONNTRACK_LOCKS]);
|
2017-09-06 06:39:52 -06:00
|
|
|
hlist_del_rcu(&ct->nat_bysource);
|
2017-09-10 05:41:41 -06:00
|
|
|
spin_unlock_bh(&nf_nat_locks[h % CONNTRACK_LOCKS]);
|
2017-09-06 06:39:52 -06:00
|
|
|
}
|
|
|
|
|
|
2014-06-07 13:17:04 -06:00
|
|
|
static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
|
|
|
|
|
{
|
|
|
|
|
if (nf_nat_proto_remove(ct, data))
|
|
|
|
|
return 1;
|
|
|
|
|
|
2017-03-28 02:31:03 -06:00
|
|
|
if ((ct->status & IPS_SRC_NAT_DONE) == 0)
|
2014-06-07 13:17:04 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* This netns is being destroyed, and conntrack has nat null binding.
|
|
|
|
|
* Remove it from bysource hash, as the table will be freed soon.
|
|
|
|
|
*
|
|
|
|
|
* Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack()
|
|
|
|
|
* will delete entry from already-freed table.
|
|
|
|
|
*/
|
2017-05-21 08:38:11 -06:00
|
|
|
clear_bit(IPS_SRC_NAT_DONE_BIT, &ct->status);
|
2017-09-06 06:39:52 -06:00
|
|
|
__nf_nat_cleanup_conntrack(ct);
|
2014-06-07 13:17:04 -06:00
|
|
|
|
|
|
|
|
/* don't delete conntrack. Although that would make things a lot
|
|
|
|
|
* simpler, we'd end up flushing all conntracks on nat rmmod.
|
|
|
|
|
*/
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
|
|
|
|
|
{
|
|
|
|
|
struct nf_nat_proto_clean clean = {
|
|
|
|
|
.l3proto = l3proto,
|
|
|
|
|
.l4proto = l4proto,
|
|
|
|
|
};
|
|
|
|
|
|
2017-05-21 04:52:59 -06:00
|
|
|
nf_ct_iterate_destroy(nf_nat_proto_remove, &clean);
|
2012-08-26 11:14:06 -06:00
|
|
|
}
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
static void nf_nat_l3proto_clean(u8 l3proto)
|
|
|
|
|
{
|
|
|
|
|
struct nf_nat_proto_clean clean = {
|
|
|
|
|
.l3proto = l3proto,
|
|
|
|
|
};
|
|
|
|
|
|
2017-05-21 04:52:59 -06:00
|
|
|
nf_ct_iterate_destroy(nf_nat_proto_remove, &clean);
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Protocol registration. */
|
2012-08-26 11:14:06 -06:00
|
|
|
int nf_nat_l4proto_register(u8 l3proto, const struct nf_nat_l4proto *l4proto)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_l4proto **l4protos;
|
|
|
|
|
unsigned int i;
|
2006-12-02 23:07:13 -07:00
|
|
|
int ret = 0;
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
if (nf_nat_l4protos[l3proto] == NULL) {
|
|
|
|
|
l4protos = kmalloc(IPPROTO_MAX * sizeof(struct nf_nat_l4proto *),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (l4protos == NULL) {
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < IPPROTO_MAX; i++)
|
|
|
|
|
RCU_INIT_POINTER(l4protos[i], &nf_nat_l4proto_unknown);
|
|
|
|
|
|
|
|
|
|
/* Before making proto_array visible to lockless readers,
|
|
|
|
|
* we must make sure its content is committed to memory.
|
|
|
|
|
*/
|
|
|
|
|
smp_wmb();
|
|
|
|
|
|
|
|
|
|
nf_nat_l4protos[l3proto] = l4protos;
|
|
|
|
|
}
|
|
|
|
|
|
2010-11-15 10:43:59 -07:00
|
|
|
if (rcu_dereference_protected(
|
2012-08-26 11:14:06 -06:00
|
|
|
nf_nat_l4protos[l3proto][l4proto->l4proto],
|
|
|
|
|
lockdep_is_held(&nf_nat_proto_mutex)
|
|
|
|
|
) != &nf_nat_l4proto_unknown) {
|
2006-12-02 23:07:13 -07:00
|
|
|
ret = -EBUSY;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2012-08-26 11:14:06 -06:00
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto][l4proto->l4proto], l4proto);
|
2006-12-02 23:07:13 -07:00
|
|
|
out:
|
2012-08-26 11:14:06 -06:00
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
2006-12-02 23:07:13 -07:00
|
|
|
return ret;
|
|
|
|
|
}
|
2012-08-26 11:14:06 -06:00
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l4proto_register);
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2011-03-30 19:57:33 -06:00
|
|
|
/* No one stores the protocol anywhere; simply delete it. */
|
2012-08-26 11:14:06 -06:00
|
|
|
void nf_nat_l4proto_unregister(u8 l3proto, const struct nf_nat_l4proto *l4proto)
|
2006-12-02 23:07:13 -07:00
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto][l4proto->l4proto],
|
|
|
|
|
&nf_nat_l4proto_unknown);
|
|
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
2007-02-12 12:12:26 -07:00
|
|
|
synchronize_rcu();
|
2012-08-26 11:14:06 -06:00
|
|
|
|
|
|
|
|
nf_nat_l4proto_clean(l3proto, l4proto->l4proto);
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
2012-08-26 11:14:06 -06:00
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l4proto_unregister);
|
|
|
|
|
|
|
|
|
|
int nf_nat_l3proto_register(const struct nf_nat_l3proto *l3proto)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = nf_ct_l3proto_try_module_get(l3proto->l3proto);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_TCP],
|
|
|
|
|
&nf_nat_l4proto_tcp);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_UDP],
|
|
|
|
|
&nf_nat_l4proto_udp);
|
2016-10-20 10:33:01 -06:00
|
|
|
#ifdef CONFIG_NF_NAT_PROTO_DCCP
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_DCCP],
|
|
|
|
|
&nf_nat_l4proto_dccp);
|
2016-10-20 10:33:02 -06:00
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_NF_NAT_PROTO_SCTP
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_SCTP],
|
|
|
|
|
&nf_nat_l4proto_sctp);
|
2016-10-20 10:33:03 -06:00
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_NF_NAT_PROTO_UDPLITE
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_UDPLITE],
|
|
|
|
|
&nf_nat_l4proto_udplite);
|
2016-10-20 10:33:01 -06:00
|
|
|
#endif
|
2012-08-26 11:14:06 -06:00
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
|
|
|
|
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l3protos[l3proto->l3proto], l3proto);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l3proto_register);
|
|
|
|
|
|
|
|
|
|
void nf_nat_l3proto_unregister(const struct nf_nat_l3proto *l3proto)
|
|
|
|
|
{
|
|
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l3protos[l3proto->l3proto], NULL);
|
|
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
|
|
|
|
synchronize_rcu();
|
|
|
|
|
|
|
|
|
|
nf_nat_l3proto_clean(l3proto->l3proto);
|
|
|
|
|
nf_ct_l3proto_module_put(l3proto->l3proto);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l3proto_unregister);
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2011-03-30 19:57:33 -06:00
|
|
|
/* No one using conntrack by the time this called. */
|
2007-07-07 23:26:16 -06:00
|
|
|
static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
|
|
|
|
|
{
|
2017-09-06 06:39:52 -06:00
|
|
|
if (ct->status & IPS_SRC_NAT_DONE)
|
|
|
|
|
__nf_nat_cleanup_conntrack(ct);
|
2007-07-07 23:24:28 -06:00
|
|
|
}
|
|
|
|
|
|
2007-07-07 23:27:06 -06:00
|
|
|
static struct nf_ct_ext_type nat_extend __read_mostly = {
|
2007-07-07 23:26:16 -06:00
|
|
|
.len = sizeof(struct nf_conn_nat),
|
|
|
|
|
.align = __alignof__(struct nf_conn_nat),
|
|
|
|
|
.destroy = nf_nat_cleanup_conntrack,
|
|
|
|
|
.id = NF_CT_EXT_NAT,
|
2007-07-07 23:24:28 -06:00
|
|
|
};
|
|
|
|
|
|
2014-06-29 19:19:32 -06:00
|
|
|
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
|
2008-10-14 12:58:31 -06:00
|
|
|
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
|
#include <linux/netfilter/nfnetlink_conntrack.h>
|
|
|
|
|
|
|
|
|
|
static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
|
|
|
|
|
[CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
|
|
|
|
|
[CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int nfnetlink_parse_nat_proto(struct nlattr *attr,
|
|
|
|
|
const struct nf_conn *ct,
|
2012-08-26 11:14:06 -06:00
|
|
|
struct nf_nat_range *range)
|
2008-10-14 12:58:31 -06:00
|
|
|
{
|
|
|
|
|
struct nlattr *tb[CTA_PROTONAT_MAX+1];
|
2012-08-26 11:14:06 -06:00
|
|
|
const struct nf_nat_l4proto *l4proto;
|
2008-10-14 12:58:31 -06:00
|
|
|
int err;
|
|
|
|
|
|
2017-04-12 06:34:07 -06:00
|
|
|
err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr,
|
|
|
|
|
protonat_nla_policy, NULL);
|
2008-10-14 12:58:31 -06:00
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
l4proto = __nf_nat_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
|
|
|
|
|
if (l4proto->nlattr_to_range)
|
|
|
|
|
err = l4proto->nlattr_to_range(tb, range);
|
|
|
|
|
|
2008-10-14 12:58:31 -06:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
|
2012-08-26 11:14:06 -06:00
|
|
|
[CTA_NAT_V4_MINIP] = { .type = NLA_U32 },
|
|
|
|
|
[CTA_NAT_V4_MAXIP] = { .type = NLA_U32 },
|
2012-08-26 11:14:12 -06:00
|
|
|
[CTA_NAT_V6_MINIP] = { .len = sizeof(struct in6_addr) },
|
|
|
|
|
[CTA_NAT_V6_MAXIP] = { .len = sizeof(struct in6_addr) },
|
2011-12-23 06:00:30 -07:00
|
|
|
[CTA_NAT_PROTO] = { .type = NLA_NESTED },
|
2008-10-14 12:58:31 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int
|
2009-08-25 08:07:58 -06:00
|
|
|
nfnetlink_parse_nat(const struct nlattr *nat,
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
const struct nf_conn *ct, struct nf_nat_range *range,
|
|
|
|
|
const struct nf_nat_l3proto *l3proto)
|
2008-10-14 12:58:31 -06:00
|
|
|
{
|
|
|
|
|
struct nlattr *tb[CTA_NAT_MAX+1];
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
memset(range, 0, sizeof(*range));
|
|
|
|
|
|
2017-04-12 06:34:07 -06:00
|
|
|
err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy, NULL);
|
2008-10-14 12:58:31 -06:00
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
err = l3proto->nlattr_to_range(tb, range);
|
|
|
|
|
if (err < 0)
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
return err;
|
2008-10-14 12:58:31 -06:00
|
|
|
|
|
|
|
|
if (!tb[CTA_NAT_PROTO])
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
return 0;
|
2008-10-14 12:58:31 -06:00
|
|
|
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
return nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
|
2008-10-14 12:58:31 -06:00
|
|
|
}
|
|
|
|
|
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
/* This function is called under rcu_read_lock() */
|
2008-10-14 12:58:31 -06:00
|
|
|
static int
|
|
|
|
|
nfnetlink_parse_nat_setup(struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type manip,
|
2009-08-25 08:07:58 -06:00
|
|
|
const struct nlattr *attr)
|
2008-10-14 12:58:31 -06:00
|
|
|
{
|
2012-08-26 11:14:06 -06:00
|
|
|
struct nf_nat_range range;
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
const struct nf_nat_l3proto *l3proto;
|
2012-08-26 11:14:06 -06:00
|
|
|
int err;
|
2008-10-14 12:58:31 -06:00
|
|
|
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
/* Should not happen, restricted to creating new conntracks
|
|
|
|
|
* via ctnetlink.
|
|
|
|
|
*/
|
|
|
|
|
if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
|
|
|
|
|
return -EEXIST;
|
|
|
|
|
|
|
|
|
|
/* Make sure that L3 NAT is there by when we call nf_nat_setup_info to
|
|
|
|
|
* attach the null binding, otherwise this may oops.
|
|
|
|
|
*/
|
|
|
|
|
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
|
|
|
|
|
if (l3proto == NULL)
|
|
|
|
|
return -EAGAIN;
|
|
|
|
|
|
|
|
|
|
/* No NAT information has been passed, allocate the null-binding */
|
|
|
|
|
if (attr == NULL)
|
2017-04-12 04:33:03 -06:00
|
|
|
return __nf_nat_alloc_null_binding(ct, manip) == NF_DROP ? -ENOMEM : 0;
|
netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
When a conntrack is created by kernel, it is initialized (sets
IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
is added in hashes (__nf_conntrack_hash_insert), so one conntract
can't be initialized from a few threads concurrently.
ctnetlink can add an uninitialized conntrack (w/o
IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
this conntrack and start initialize it concurrently. It's dangerous,
because BUG can be triggered from nf_nat_setup_info.
Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.
This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false. IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.
Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.
Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-16 04:15:43 -07:00
|
|
|
|
|
|
|
|
err = nfnetlink_parse_nat(attr, ct, &range, l3proto);
|
2012-08-26 11:14:06 -06:00
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
2008-10-14 12:58:31 -06:00
|
|
|
|
2016-09-09 07:38:12 -06:00
|
|
|
return nf_nat_setup_info(ct, &range, manip) == NF_DROP ? -ENOMEM : 0;
|
2008-10-14 12:58:31 -06:00
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
static int
|
|
|
|
|
nfnetlink_parse_nat_setup(struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type manip,
|
2009-08-25 08:07:58 -06:00
|
|
|
const struct nlattr *attr)
|
2008-10-14 12:58:31 -06:00
|
|
|
{
|
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2012-02-04 19:44:51 -07:00
|
|
|
static struct nf_ct_helper_expectfn follow_master_nat = {
|
|
|
|
|
.name = "nat-follow-master",
|
|
|
|
|
.expectfn = nf_nat_follow_master,
|
|
|
|
|
};
|
|
|
|
|
|
2006-12-02 23:07:13 -07:00
|
|
|
static int __init nf_nat_init(void)
|
|
|
|
|
{
|
2017-09-06 06:39:52 -06:00
|
|
|
int ret, i;
|
2007-07-07 23:24:28 -06:00
|
|
|
|
2017-09-06 06:39:51 -06:00
|
|
|
/* Leave them the same for the moment. */
|
|
|
|
|
nf_nat_htable_size = nf_conntrack_htable_size;
|
2017-09-10 05:41:41 -06:00
|
|
|
if (nf_nat_htable_size < CONNTRACK_LOCKS)
|
|
|
|
|
nf_nat_htable_size = CONNTRACK_LOCKS;
|
2017-09-06 06:39:51 -06:00
|
|
|
|
|
|
|
|
nf_nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size, 0);
|
|
|
|
|
if (!nf_nat_bysource)
|
|
|
|
|
return -ENOMEM;
|
2016-05-09 08:24:31 -06:00
|
|
|
|
2007-07-07 23:24:28 -06:00
|
|
|
ret = nf_ct_extend_register(&nat_extend);
|
|
|
|
|
if (ret < 0) {
|
2017-09-06 06:39:51 -06:00
|
|
|
nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size);
|
2007-07-07 23:24:28 -06:00
|
|
|
printk(KERN_ERR "nf_nat_core: Unable to register extension\n");
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2017-09-10 05:41:41 -06:00
|
|
|
for (i = 0; i < CONNTRACK_LOCKS; i++)
|
2017-09-06 06:39:52 -06:00
|
|
|
spin_lock_init(&nf_nat_locks[i]);
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
nf_ct_helper_expectfn_register(&follow_master_nat);
|
2006-12-02 23:07:13 -07:00
|
|
|
|
2008-10-14 12:58:31 -06:00
|
|
|
BUG_ON(nfnetlink_parse_nat_setup_hook != NULL);
|
2011-08-01 10:19:00 -06:00
|
|
|
RCU_INIT_POINTER(nfnetlink_parse_nat_setup_hook,
|
2008-10-14 12:58:31 -06:00
|
|
|
nfnetlink_parse_nat_setup);
|
2012-08-26 11:14:06 -06:00
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
BUG_ON(nf_nat_decode_session_hook != NULL);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_decode_session_hook, __nf_nat_decode_session);
|
|
|
|
|
#endif
|
2006-12-02 23:07:13 -07:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit nf_nat_cleanup(void)
|
|
|
|
|
{
|
2017-05-21 04:52:59 -06:00
|
|
|
struct nf_nat_proto_clean clean = {};
|
2012-08-26 11:14:06 -06:00
|
|
|
unsigned int i;
|
|
|
|
|
|
2017-05-21 04:52:59 -06:00
|
|
|
nf_ct_iterate_destroy(nf_nat_proto_clean, &clean);
|
|
|
|
|
|
2007-07-07 23:24:28 -06:00
|
|
|
nf_ct_extend_unregister(&nat_extend);
|
2012-02-04 19:44:51 -07:00
|
|
|
nf_ct_helper_expectfn_unregister(&follow_master_nat);
|
2011-08-01 10:19:00 -06:00
|
|
|
RCU_INIT_POINTER(nfnetlink_parse_nat_setup_hook, NULL);
|
2012-08-26 11:14:06 -06:00
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
|
|
|
|
|
#endif
|
netfilter: invoke synchronize_rcu after set the _hook_ to NULL
Otherwise, another CPU may access the invalid pointer. For example:
CPU0 CPU1
- rcu_read_lock();
- pfunc = _hook_;
_hook_ = NULL; -
mod unload -
- pfunc(); // invalid, panic
- rcu_read_unlock();
So we must call synchronize_rcu() to wait the rcu reader to finish.
Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.
Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-03-24 18:53:12 -06:00
|
|
|
synchronize_rcu();
|
|
|
|
|
|
2012-08-26 11:14:06 -06:00
|
|
|
for (i = 0; i < NFPROTO_NUMPROTO; i++)
|
|
|
|
|
kfree(nf_nat_l4protos[i]);
|
2017-09-06 06:39:51 -06:00
|
|
|
synchronize_net();
|
|
|
|
|
nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size);
|
2006-12-02 23:07:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
|
|
|
|
|
module_init(nf_nat_init);
|
|
|
|
|
module_exit(nf_nat_cleanup);
|