|
| 1 | +/* SPDX-License-Identifier: GPL-2.0 */ |
| 2 | +#include <linux/module.h> |
| 3 | +#include <linux/netfilter/nf_tables.h> |
| 4 | +#include <net/netfilter/nf_tables.h> |
| 5 | +#include <net/netfilter/nf_tables_core.h> |
| 6 | +#include <net/netfilter/nf_tproxy.h> |
| 7 | +#include <net/inet_sock.h> |
| 8 | +#include <net/tcp.h> |
| 9 | +#include <linux/if_ether.h> |
| 10 | +#include <net/netfilter/ipv4/nf_defrag_ipv4.h> |
| 11 | +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6) |
| 12 | +#include <net/netfilter/ipv6/nf_defrag_ipv6.h> |
| 13 | +#endif |
| 14 | + |
| 15 | +struct nft_tproxy { |
| 16 | + enum nft_registers sreg_addr:8; |
| 17 | + enum nft_registers sreg_port:8; |
| 18 | + u8 family; |
| 19 | +}; |
| 20 | + |
| 21 | +static void nft_tproxy_eval_v4(const struct nft_expr *expr, |
| 22 | + struct nft_regs *regs, |
| 23 | + const struct nft_pktinfo *pkt) |
| 24 | +{ |
| 25 | + const struct nft_tproxy *priv = nft_expr_priv(expr); |
| 26 | + struct sk_buff *skb = pkt->skb; |
| 27 | + const struct iphdr *iph = ip_hdr(skb); |
| 28 | + struct udphdr _hdr, *hp; |
| 29 | + __be32 taddr = 0; |
| 30 | + __be16 tport = 0; |
| 31 | + struct sock *sk; |
| 32 | + |
| 33 | + hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr); |
| 34 | + if (!hp) { |
| 35 | + regs->verdict.code = NFT_BREAK; |
| 36 | + return; |
| 37 | + } |
| 38 | + |
| 39 | + /* check if there's an ongoing connection on the packet addresses, this |
| 40 | + * happens if the redirect already happened and the current packet |
| 41 | + * belongs to an already established connection |
| 42 | + */ |
| 43 | + sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol, |
| 44 | + iph->saddr, iph->daddr, |
| 45 | + hp->source, hp->dest, |
| 46 | + skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED); |
| 47 | + |
| 48 | + if (priv->sreg_addr) |
| 49 | + taddr = regs->data[priv->sreg_addr]; |
| 50 | + taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr); |
| 51 | + |
| 52 | + if (priv->sreg_port) |
| 53 | + tport = regs->data[priv->sreg_port]; |
| 54 | + if (!tport) |
| 55 | + tport = hp->dest; |
| 56 | + |
| 57 | + /* UDP has no TCP_TIME_WAIT state, so we never enter here */ |
| 58 | + if (sk && sk->sk_state == TCP_TIME_WAIT) { |
| 59 | + /* reopening a TIME_WAIT connection needs special handling */ |
| 60 | + sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk); |
| 61 | + } else if (!sk) { |
| 62 | + /* no, there's no established connection, check if |
| 63 | + * there's a listener on the redirected addr/port |
| 64 | + */ |
| 65 | + sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol, |
| 66 | + iph->saddr, taddr, |
| 67 | + hp->source, tport, |
| 68 | + skb->dev, NF_TPROXY_LOOKUP_LISTENER); |
| 69 | + } |
| 70 | + |
| 71 | + if (sk && nf_tproxy_sk_is_transparent(sk)) |
| 72 | + nf_tproxy_assign_sock(skb, sk); |
| 73 | + else |
| 74 | + regs->verdict.code = NFT_BREAK; |
| 75 | +} |
| 76 | + |
| 77 | +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6) |
| 78 | +static void nft_tproxy_eval_v6(const struct nft_expr *expr, |
| 79 | + struct nft_regs *regs, |
| 80 | + const struct nft_pktinfo *pkt) |
| 81 | +{ |
| 82 | + const struct nft_tproxy *priv = nft_expr_priv(expr); |
| 83 | + struct sk_buff *skb = pkt->skb; |
| 84 | + const struct ipv6hdr *iph = ipv6_hdr(skb); |
| 85 | + struct in6_addr taddr = {0}; |
| 86 | + int thoff = pkt->xt.thoff; |
| 87 | + struct udphdr _hdr, *hp; |
| 88 | + __be16 tport = 0; |
| 89 | + struct sock *sk; |
| 90 | + int l4proto; |
| 91 | + |
| 92 | + if (!pkt->tprot_set) { |
| 93 | + regs->verdict.code = NFT_BREAK; |
| 94 | + return; |
| 95 | + } |
| 96 | + l4proto = pkt->tprot; |
| 97 | + |
| 98 | + hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr); |
| 99 | + if (hp == NULL) { |
| 100 | + regs->verdict.code = NFT_BREAK; |
| 101 | + return; |
| 102 | + } |
| 103 | + |
| 104 | + /* check if there's an ongoing connection on the packet addresses, this |
| 105 | + * happens if the redirect already happened and the current packet |
| 106 | + * belongs to an already established connection |
| 107 | + */ |
| 108 | + sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto, |
| 109 | + &iph->saddr, &iph->daddr, |
| 110 | + hp->source, hp->dest, |
| 111 | + nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED); |
| 112 | + |
| 113 | + if (priv->sreg_addr) |
| 114 | + memcpy(&taddr, ®s->data[priv->sreg_addr], sizeof(taddr)); |
| 115 | + taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr); |
| 116 | + |
| 117 | + if (priv->sreg_port) |
| 118 | + tport = regs->data[priv->sreg_port]; |
| 119 | + if (!tport) |
| 120 | + tport = hp->dest; |
| 121 | + |
| 122 | + /* UDP has no TCP_TIME_WAIT state, so we never enter here */ |
| 123 | + if (sk && sk->sk_state == TCP_TIME_WAIT) { |
| 124 | + /* reopening a TIME_WAIT connection needs special handling */ |
| 125 | + sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff, |
| 126 | + nft_net(pkt), |
| 127 | + &taddr, |
| 128 | + tport, |
| 129 | + sk); |
| 130 | + } else if (!sk) { |
| 131 | + /* no there's no established connection, check if |
| 132 | + * there's a listener on the redirected addr/port |
| 133 | + */ |
| 134 | + sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, |
| 135 | + l4proto, &iph->saddr, &taddr, |
| 136 | + hp->source, tport, |
| 137 | + nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER); |
| 138 | + } |
| 139 | + |
| 140 | + /* NOTE: assign_sock consumes our sk reference */ |
| 141 | + if (sk && nf_tproxy_sk_is_transparent(sk)) |
| 142 | + nf_tproxy_assign_sock(skb, sk); |
| 143 | + else |
| 144 | + regs->verdict.code = NFT_BREAK; |
| 145 | +} |
| 146 | +#endif |
| 147 | + |
| 148 | +static void nft_tproxy_eval(const struct nft_expr *expr, |
| 149 | + struct nft_regs *regs, |
| 150 | + const struct nft_pktinfo *pkt) |
| 151 | +{ |
| 152 | + const struct nft_tproxy *priv = nft_expr_priv(expr); |
| 153 | + |
| 154 | + switch (nft_pf(pkt)) { |
| 155 | + case NFPROTO_IPV4: |
| 156 | + switch (priv->family) { |
| 157 | + case NFPROTO_IPV4: |
| 158 | + case NFPROTO_UNSPEC: |
| 159 | + nft_tproxy_eval_v4(expr, regs, pkt); |
| 160 | + return; |
| 161 | + } |
| 162 | + break; |
| 163 | +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6) |
| 164 | + case NFPROTO_IPV6: |
| 165 | + switch (priv->family) { |
| 166 | + case NFPROTO_IPV6: |
| 167 | + case NFPROTO_UNSPEC: |
| 168 | + nft_tproxy_eval_v6(expr, regs, pkt); |
| 169 | + return; |
| 170 | + } |
| 171 | +#endif |
| 172 | + } |
| 173 | + regs->verdict.code = NFT_BREAK; |
| 174 | +} |
| 175 | + |
| 176 | +static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = { |
| 177 | + [NFTA_TPROXY_FAMILY] = { .type = NLA_U32 }, |
| 178 | + [NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 }, |
| 179 | + [NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 }, |
| 180 | +}; |
| 181 | + |
| 182 | +static int nft_tproxy_init(const struct nft_ctx *ctx, |
| 183 | + const struct nft_expr *expr, |
| 184 | + const struct nlattr * const tb[]) |
| 185 | +{ |
| 186 | + struct nft_tproxy *priv = nft_expr_priv(expr); |
| 187 | + unsigned int alen = 0; |
| 188 | + int err; |
| 189 | + |
| 190 | + if (!tb[NFTA_TPROXY_FAMILY] || |
| 191 | + (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT])) |
| 192 | + return -EINVAL; |
| 193 | + |
| 194 | + priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY])); |
| 195 | + |
| 196 | + switch (ctx->family) { |
| 197 | + case NFPROTO_IPV4: |
| 198 | + if (priv->family != NFPROTO_IPV4) |
| 199 | + return -EINVAL; |
| 200 | + break; |
| 201 | +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6) |
| 202 | + case NFPROTO_IPV6: |
| 203 | + if (priv->family != NFPROTO_IPV6) |
| 204 | + return -EINVAL; |
| 205 | + break; |
| 206 | +#endif |
| 207 | + case NFPROTO_INET: |
| 208 | + break; |
| 209 | + default: |
| 210 | + return -EOPNOTSUPP; |
| 211 | + } |
| 212 | + |
| 213 | + /* Address is specified but the rule family is not set accordingly */ |
| 214 | + if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR]) |
| 215 | + return -EINVAL; |
| 216 | + |
| 217 | + switch (priv->family) { |
| 218 | + case NFPROTO_IPV4: |
| 219 | + alen = FIELD_SIZEOF(union nf_inet_addr, in); |
| 220 | + err = nf_defrag_ipv4_enable(ctx->net); |
| 221 | + if (err) |
| 222 | + return err; |
| 223 | + break; |
| 224 | +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6) |
| 225 | + case NFPROTO_IPV6: |
| 226 | + alen = FIELD_SIZEOF(union nf_inet_addr, in6); |
| 227 | + err = nf_defrag_ipv6_enable(ctx->net); |
| 228 | + if (err) |
| 229 | + return err; |
| 230 | + break; |
| 231 | +#endif |
| 232 | + case NFPROTO_UNSPEC: |
| 233 | + /* No address is specified here */ |
| 234 | + err = nf_defrag_ipv4_enable(ctx->net); |
| 235 | + if (err) |
| 236 | + return err; |
| 237 | + err = nf_defrag_ipv6_enable(ctx->net); |
| 238 | + if (err) |
| 239 | + return err; |
| 240 | + break; |
| 241 | + default: |
| 242 | + return -EOPNOTSUPP; |
| 243 | + } |
| 244 | + |
| 245 | + if (tb[NFTA_TPROXY_REG_ADDR]) { |
| 246 | + priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]); |
| 247 | + err = nft_validate_register_load(priv->sreg_addr, alen); |
| 248 | + if (err < 0) |
| 249 | + return err; |
| 250 | + } |
| 251 | + |
| 252 | + if (tb[NFTA_TPROXY_REG_PORT]) { |
| 253 | + priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]); |
| 254 | + err = nft_validate_register_load(priv->sreg_port, sizeof(u16)); |
| 255 | + if (err < 0) |
| 256 | + return err; |
| 257 | + } |
| 258 | + |
| 259 | + return 0; |
| 260 | +} |
| 261 | + |
| 262 | +static int nft_tproxy_dump(struct sk_buff *skb, |
| 263 | + const struct nft_expr *expr) |
| 264 | +{ |
| 265 | + const struct nft_tproxy *priv = nft_expr_priv(expr); |
| 266 | + |
| 267 | + if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family))) |
| 268 | + return -1; |
| 269 | + |
| 270 | + if (priv->sreg_addr && |
| 271 | + nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr)) |
| 272 | + return -1; |
| 273 | + |
| 274 | + if (priv->sreg_port && |
| 275 | + nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port)) |
| 276 | + return -1; |
| 277 | + |
| 278 | + return 0; |
| 279 | +} |
| 280 | + |
| 281 | +static struct nft_expr_type nft_tproxy_type; |
| 282 | +static const struct nft_expr_ops nft_tproxy_ops = { |
| 283 | + .type = &nft_tproxy_type, |
| 284 | + .size = NFT_EXPR_SIZE(sizeof(struct nft_tproxy)), |
| 285 | + .eval = nft_tproxy_eval, |
| 286 | + .init = nft_tproxy_init, |
| 287 | + .dump = nft_tproxy_dump, |
| 288 | +}; |
| 289 | + |
| 290 | +static struct nft_expr_type nft_tproxy_type __read_mostly = { |
| 291 | + .name = "tproxy", |
| 292 | + .ops = &nft_tproxy_ops, |
| 293 | + .policy = nft_tproxy_policy, |
| 294 | + .maxattr = NFTA_TPROXY_MAX, |
| 295 | + .owner = THIS_MODULE, |
| 296 | +}; |
| 297 | + |
| 298 | +static int __init nft_tproxy_module_init(void) |
| 299 | +{ |
| 300 | + return nft_register_expr(&nft_tproxy_type); |
| 301 | +} |
| 302 | + |
| 303 | +static void __exit nft_tproxy_module_exit(void) |
| 304 | +{ |
| 305 | + nft_unregister_expr(&nft_tproxy_type); |
| 306 | +} |
| 307 | + |
| 308 | +module_init(nft_tproxy_module_init); |
| 309 | +module_exit(nft_tproxy_module_exit); |
| 310 | + |
| 311 | +MODULE_LICENSE("GPL"); |
| 312 | +MODULE_AUTHOR("Máté Eckl"); |
| 313 | +MODULE_DESCRIPTION("nf_tables tproxy support module"); |
| 314 | +MODULE_ALIAS_NFT_EXPR("tproxy"); |
0 commit comments