Skip to content

Commit 4ed8eb6

Browse files
ecklmummakynes
authored andcommitted
netfilter: nf_tables: Add native tproxy support
A great portion of the code is taken from xt_TPROXY.c There are some changes compared to the iptables implementation: - tproxy statement is not terminal here - Either address or port has to be specified, but at least one of them is necessary. If one of them is not specified, the evaluation will be performed with the original attribute of the packet (ie. target port is not specified => the packet's dport will be used). To make this work in inet tables, the tproxy structure has a family member (typically called priv->family) which is not necessarily equal to ctx->family. priv->family can have three values legally: - NFPROTO_IPV4 if the table family is ip OR if table family is inet, but an ipv4 address is specified as a target address. The rule only evaluates ipv4 packets in this case. - NFPROTO_IPV6 if the table family is ip6 OR if table family is inet, but an ipv6 address is specified as a target address. The rule only evaluates ipv6 packets in this case. - NFPROTO_UNSPEC if the table family is inet AND if only the port is specified. The rule will evaluate both ipv4 and ipv6 packets. Signed-off-by: Máté Eckl <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent b96af92 commit 4ed8eb6

File tree

4 files changed

+341
-0
lines changed

4 files changed

+341
-0
lines changed

include/uapi/linux/netfilter/nf_tables.h

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1252,6 +1252,22 @@ enum nft_nat_attributes {
12521252
};
12531253
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
12541254

1255+
/**
1256+
* enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
1257+
*
1258+
* NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
1259+
* NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
1260+
* NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
1261+
*/
1262+
enum nft_tproxy_attributes {
1263+
NFTA_TPROXY_UNSPEC,
1264+
NFTA_TPROXY_FAMILY,
1265+
NFTA_TPROXY_REG_ADDR,
1266+
NFTA_TPROXY_REG_PORT,
1267+
__NFTA_TPROXY_MAX
1268+
};
1269+
#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1)
1270+
12551271
/**
12561272
* enum nft_masq_attributes - nf_tables masquerade expression attributes
12571273
*

net/netfilter/Kconfig

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -634,6 +634,16 @@ config NFT_OSF
634634
help
635635
This option allows matching packets from an specific OS.
636636

637+
config NFT_TPROXY
638+
tristate "Netfilter nf_tables tproxy support"
639+
depends on IPV6 || IPV6=n
640+
select NF_DEFRAG_IPV4
641+
select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
642+
select NF_TPROXY_IPV4
643+
select NF_TPROXY_IPV6 if NF_TABLES_IPV6
644+
help
645+
This makes transparent proxy support available in nftables.
646+
637647
if NF_TABLES_NETDEV
638648

639649
config NF_DUP_NETDEV

net/netfilter/Makefile

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -111,6 +111,7 @@ obj-$(CONFIG_NFT_FIB_INET) += nft_fib_inet.o
111111
obj-$(CONFIG_NFT_FIB_NETDEV) += nft_fib_netdev.o
112112
obj-$(CONFIG_NFT_SOCKET) += nft_socket.o
113113
obj-$(CONFIG_NFT_OSF) += nft_osf.o
114+
obj-$(CONFIG_NFT_TPROXY) += nft_tproxy.o
114115

115116
# nf_tables netdev
116117
obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o

net/netfilter/nft_tproxy.c

Lines changed: 314 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,314 @@
1+
/* SPDX-License-Identifier: GPL-2.0 */
2+
#include <linux/module.h>
3+
#include <linux/netfilter/nf_tables.h>
4+
#include <net/netfilter/nf_tables.h>
5+
#include <net/netfilter/nf_tables_core.h>
6+
#include <net/netfilter/nf_tproxy.h>
7+
#include <net/inet_sock.h>
8+
#include <net/tcp.h>
9+
#include <linux/if_ether.h>
10+
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
11+
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
12+
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
13+
#endif
14+
15+
struct nft_tproxy {
16+
enum nft_registers sreg_addr:8;
17+
enum nft_registers sreg_port:8;
18+
u8 family;
19+
};
20+
21+
static void nft_tproxy_eval_v4(const struct nft_expr *expr,
22+
struct nft_regs *regs,
23+
const struct nft_pktinfo *pkt)
24+
{
25+
const struct nft_tproxy *priv = nft_expr_priv(expr);
26+
struct sk_buff *skb = pkt->skb;
27+
const struct iphdr *iph = ip_hdr(skb);
28+
struct udphdr _hdr, *hp;
29+
__be32 taddr = 0;
30+
__be16 tport = 0;
31+
struct sock *sk;
32+
33+
hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
34+
if (!hp) {
35+
regs->verdict.code = NFT_BREAK;
36+
return;
37+
}
38+
39+
/* check if there's an ongoing connection on the packet addresses, this
40+
* happens if the redirect already happened and the current packet
41+
* belongs to an already established connection
42+
*/
43+
sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
44+
iph->saddr, iph->daddr,
45+
hp->source, hp->dest,
46+
skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
47+
48+
if (priv->sreg_addr)
49+
taddr = regs->data[priv->sreg_addr];
50+
taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
51+
52+
if (priv->sreg_port)
53+
tport = regs->data[priv->sreg_port];
54+
if (!tport)
55+
tport = hp->dest;
56+
57+
/* UDP has no TCP_TIME_WAIT state, so we never enter here */
58+
if (sk && sk->sk_state == TCP_TIME_WAIT) {
59+
/* reopening a TIME_WAIT connection needs special handling */
60+
sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk);
61+
} else if (!sk) {
62+
/* no, there's no established connection, check if
63+
* there's a listener on the redirected addr/port
64+
*/
65+
sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
66+
iph->saddr, taddr,
67+
hp->source, tport,
68+
skb->dev, NF_TPROXY_LOOKUP_LISTENER);
69+
}
70+
71+
if (sk && nf_tproxy_sk_is_transparent(sk))
72+
nf_tproxy_assign_sock(skb, sk);
73+
else
74+
regs->verdict.code = NFT_BREAK;
75+
}
76+
77+
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
78+
static void nft_tproxy_eval_v6(const struct nft_expr *expr,
79+
struct nft_regs *regs,
80+
const struct nft_pktinfo *pkt)
81+
{
82+
const struct nft_tproxy *priv = nft_expr_priv(expr);
83+
struct sk_buff *skb = pkt->skb;
84+
const struct ipv6hdr *iph = ipv6_hdr(skb);
85+
struct in6_addr taddr = {0};
86+
int thoff = pkt->xt.thoff;
87+
struct udphdr _hdr, *hp;
88+
__be16 tport = 0;
89+
struct sock *sk;
90+
int l4proto;
91+
92+
if (!pkt->tprot_set) {
93+
regs->verdict.code = NFT_BREAK;
94+
return;
95+
}
96+
l4proto = pkt->tprot;
97+
98+
hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
99+
if (hp == NULL) {
100+
regs->verdict.code = NFT_BREAK;
101+
return;
102+
}
103+
104+
/* check if there's an ongoing connection on the packet addresses, this
105+
* happens if the redirect already happened and the current packet
106+
* belongs to an already established connection
107+
*/
108+
sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto,
109+
&iph->saddr, &iph->daddr,
110+
hp->source, hp->dest,
111+
nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED);
112+
113+
if (priv->sreg_addr)
114+
memcpy(&taddr, &regs->data[priv->sreg_addr], sizeof(taddr));
115+
taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);
116+
117+
if (priv->sreg_port)
118+
tport = regs->data[priv->sreg_port];
119+
if (!tport)
120+
tport = hp->dest;
121+
122+
/* UDP has no TCP_TIME_WAIT state, so we never enter here */
123+
if (sk && sk->sk_state == TCP_TIME_WAIT) {
124+
/* reopening a TIME_WAIT connection needs special handling */
125+
sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff,
126+
nft_net(pkt),
127+
&taddr,
128+
tport,
129+
sk);
130+
} else if (!sk) {
131+
/* no there's no established connection, check if
132+
* there's a listener on the redirected addr/port
133+
*/
134+
sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff,
135+
l4proto, &iph->saddr, &taddr,
136+
hp->source, tport,
137+
nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER);
138+
}
139+
140+
/* NOTE: assign_sock consumes our sk reference */
141+
if (sk && nf_tproxy_sk_is_transparent(sk))
142+
nf_tproxy_assign_sock(skb, sk);
143+
else
144+
regs->verdict.code = NFT_BREAK;
145+
}
146+
#endif
147+
148+
static void nft_tproxy_eval(const struct nft_expr *expr,
149+
struct nft_regs *regs,
150+
const struct nft_pktinfo *pkt)
151+
{
152+
const struct nft_tproxy *priv = nft_expr_priv(expr);
153+
154+
switch (nft_pf(pkt)) {
155+
case NFPROTO_IPV4:
156+
switch (priv->family) {
157+
case NFPROTO_IPV4:
158+
case NFPROTO_UNSPEC:
159+
nft_tproxy_eval_v4(expr, regs, pkt);
160+
return;
161+
}
162+
break;
163+
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
164+
case NFPROTO_IPV6:
165+
switch (priv->family) {
166+
case NFPROTO_IPV6:
167+
case NFPROTO_UNSPEC:
168+
nft_tproxy_eval_v6(expr, regs, pkt);
169+
return;
170+
}
171+
#endif
172+
}
173+
regs->verdict.code = NFT_BREAK;
174+
}
175+
176+
static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
177+
[NFTA_TPROXY_FAMILY] = { .type = NLA_U32 },
178+
[NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
179+
[NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
180+
};
181+
182+
static int nft_tproxy_init(const struct nft_ctx *ctx,
183+
const struct nft_expr *expr,
184+
const struct nlattr * const tb[])
185+
{
186+
struct nft_tproxy *priv = nft_expr_priv(expr);
187+
unsigned int alen = 0;
188+
int err;
189+
190+
if (!tb[NFTA_TPROXY_FAMILY] ||
191+
(!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
192+
return -EINVAL;
193+
194+
priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
195+
196+
switch (ctx->family) {
197+
case NFPROTO_IPV4:
198+
if (priv->family != NFPROTO_IPV4)
199+
return -EINVAL;
200+
break;
201+
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
202+
case NFPROTO_IPV6:
203+
if (priv->family != NFPROTO_IPV6)
204+
return -EINVAL;
205+
break;
206+
#endif
207+
case NFPROTO_INET:
208+
break;
209+
default:
210+
return -EOPNOTSUPP;
211+
}
212+
213+
/* Address is specified but the rule family is not set accordingly */
214+
if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
215+
return -EINVAL;
216+
217+
switch (priv->family) {
218+
case NFPROTO_IPV4:
219+
alen = FIELD_SIZEOF(union nf_inet_addr, in);
220+
err = nf_defrag_ipv4_enable(ctx->net);
221+
if (err)
222+
return err;
223+
break;
224+
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
225+
case NFPROTO_IPV6:
226+
alen = FIELD_SIZEOF(union nf_inet_addr, in6);
227+
err = nf_defrag_ipv6_enable(ctx->net);
228+
if (err)
229+
return err;
230+
break;
231+
#endif
232+
case NFPROTO_UNSPEC:
233+
/* No address is specified here */
234+
err = nf_defrag_ipv4_enable(ctx->net);
235+
if (err)
236+
return err;
237+
err = nf_defrag_ipv6_enable(ctx->net);
238+
if (err)
239+
return err;
240+
break;
241+
default:
242+
return -EOPNOTSUPP;
243+
}
244+
245+
if (tb[NFTA_TPROXY_REG_ADDR]) {
246+
priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
247+
err = nft_validate_register_load(priv->sreg_addr, alen);
248+
if (err < 0)
249+
return err;
250+
}
251+
252+
if (tb[NFTA_TPROXY_REG_PORT]) {
253+
priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
254+
err = nft_validate_register_load(priv->sreg_port, sizeof(u16));
255+
if (err < 0)
256+
return err;
257+
}
258+
259+
return 0;
260+
}
261+
262+
static int nft_tproxy_dump(struct sk_buff *skb,
263+
const struct nft_expr *expr)
264+
{
265+
const struct nft_tproxy *priv = nft_expr_priv(expr);
266+
267+
if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family)))
268+
return -1;
269+
270+
if (priv->sreg_addr &&
271+
nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr))
272+
return -1;
273+
274+
if (priv->sreg_port &&
275+
nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port))
276+
return -1;
277+
278+
return 0;
279+
}
280+
281+
static struct nft_expr_type nft_tproxy_type;
282+
static const struct nft_expr_ops nft_tproxy_ops = {
283+
.type = &nft_tproxy_type,
284+
.size = NFT_EXPR_SIZE(sizeof(struct nft_tproxy)),
285+
.eval = nft_tproxy_eval,
286+
.init = nft_tproxy_init,
287+
.dump = nft_tproxy_dump,
288+
};
289+
290+
static struct nft_expr_type nft_tproxy_type __read_mostly = {
291+
.name = "tproxy",
292+
.ops = &nft_tproxy_ops,
293+
.policy = nft_tproxy_policy,
294+
.maxattr = NFTA_TPROXY_MAX,
295+
.owner = THIS_MODULE,
296+
};
297+
298+
static int __init nft_tproxy_module_init(void)
299+
{
300+
return nft_register_expr(&nft_tproxy_type);
301+
}
302+
303+
static void __exit nft_tproxy_module_exit(void)
304+
{
305+
nft_unregister_expr(&nft_tproxy_type);
306+
}
307+
308+
module_init(nft_tproxy_module_init);
309+
module_exit(nft_tproxy_module_exit);
310+
311+
MODULE_LICENSE("GPL");
312+
MODULE_AUTHOR("Máté Eckl");
313+
MODULE_DESCRIPTION("nf_tables tproxy support module");
314+
MODULE_ALIAS_NFT_EXPR("tproxy");

0 commit comments

Comments
 (0)