[net-next-2.6.git] / net / ipv4 / netfilter / ipt_MASQUERADE.c

/* Masquerade.  Simple mapping which alters range to a local IP address
   (depending on route). */

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/types.h>
#include <linux/inetdevice.h>
#include <linux/ip.h>
#include <linux/timer.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <net/protocol.h>
#include <net/ip.h>
#include <net/checksum.h>
#include <net/route.h>
#include <linux/netfilter_ipv4.h>
#ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_rule.h>
#else
#include <linux/netfilter_ipv4/ip_nat_rule.h>
#endif
#include <linux/netfilter/x_tables.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("iptables MASQUERADE target module");

#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif

/* Lock protects masq region inside conntrack */
static DEFINE_RWLOCK(masq_lock);

/* FIXME: Multiple targets. --RR */
static int
masquerade_check(const char *tablename,
		 const void *e,
		 const struct xt_target *target,
		 void *targinfo,
		 unsigned int hook_mask)
{
	const struct ip_nat_multi_range_compat *mr = targinfo;

	if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
		DEBUGP("masquerade_check: bad MAP_IPS.\n");
		return 0;
	}
	if (mr->rangesize != 1) {
		DEBUGP("masquerade_check: bad rangesize %u.\n", mr->rangesize);
		return 0;
	}
	return 1;
}

static unsigned int
masquerade_target(struct sk_buff **pskb,
		  const struct net_device *in,
		  const struct net_device *out,
		  unsigned int hooknum,
		  const struct xt_target *target,
		  const void *targinfo)
{
#ifdef CONFIG_NF_NAT_NEEDED
	struct nf_conn_nat *nat;
#endif
	struct ip_conntrack *ct;
	enum ip_conntrack_info ctinfo;
	struct ip_nat_range newrange;
	const struct ip_nat_multi_range_compat *mr;
	struct rtable *rt;
	__be32 newsrc;

	IP_NF_ASSERT(hooknum == NF_IP_POST_ROUTING);

	ct = ip_conntrack_get(*pskb, &ctinfo);
#ifdef CONFIG_NF_NAT_NEEDED
	nat = nfct_nat(ct);
#endif
	IP_NF_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED
			    || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));

	/* Source address is 0.0.0.0 - locally generated packet that is
	 * probably not supposed to be masqueraded.
	 */
#ifdef CONFIG_NF_NAT_NEEDED
	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
#else
	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip == 0)
#endif
		return NF_ACCEPT;

	mr = targinfo;
	rt = (struct rtable *)(*pskb)->dst;
	newsrc = inet_select_addr(out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
	if (!newsrc) {
		printk("MASQUERADE: %s ate my IP address\n", out->name);
		return NF_DROP;
	}

	write_lock_bh(&masq_lock);
#ifdef CONFIG_NF_NAT_NEEDED
	nat->masq_index = out->ifindex;
#else
	ct->nat.masq_index = out->ifindex;
#endif
	write_unlock_bh(&masq_lock);

	/* Transfer from original range. */
	newrange = ((struct ip_nat_range)
		{ mr->range[0].flags | IP_NAT_RANGE_MAP_IPS,
		  newsrc, newsrc,
		  mr->range[0].min, mr->range[0].max });

	/* Hand modified range to generic setup. */
	return ip_nat_setup_info(ct, &newrange, hooknum);
}

static inline int
device_cmp(struct ip_conntrack *i, void *ifindex)
{
	int ret;
#ifdef CONFIG_NF_NAT_NEEDED
	struct nf_conn_nat *nat = nfct_nat(i);

	if (!nat)
		return 0;
#endif

	read_lock_bh(&masq_lock);
#ifdef CONFIG_NF_NAT_NEEDED
	ret = (nat->masq_index == (int)(long)ifindex);
#else
	ret = (i->nat.masq_index == (int)(long)ifindex);
#endif
	read_unlock_bh(&masq_lock);

	return ret;
}

static int masq_device_event(struct notifier_block *this,
			     unsigned long event,
			     void *ptr)
{
	struct net_device *dev = ptr;

	if (event == NETDEV_DOWN) {
		/* Device was downed.  Search entire table for
		   conntracks which were associated with that device,
		   and forget them. */
		IP_NF_ASSERT(dev->ifindex != 0);

		ip_ct_iterate_cleanup(device_cmp, (void *)(long)dev->ifindex);
	}

	return NOTIFY_DONE;
}

static int masq_inet_event(struct notifier_block *this,
			   unsigned long event,
			   void *ptr)
{
	struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;

	if (event == NETDEV_DOWN) {
		/* IP address was deleted.  Search entire table for
		   conntracks which were associated with that device,
		   and forget them. */
		IP_NF_ASSERT(dev->ifindex != 0);

		ip_ct_iterate_cleanup(device_cmp, (void *)(long)dev->ifindex);
	}

	return NOTIFY_DONE;
}

static struct notifier_block masq_dev_notifier = {
	.notifier_call	= masq_device_event,
};

static struct notifier_block masq_inet_notifier = {
	.notifier_call	= masq_inet_event,
};

static struct xt_target masquerade = {
	.name		= "MASQUERADE",
	.family		= AF_INET,
	.target		= masquerade_target,
	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
	.table		= "nat",
	.hooks		= 1 << NF_IP_POST_ROUTING,
	.checkentry	= masquerade_check,
	.me		= THIS_MODULE,
};

static int __init ipt_masquerade_init(void)
{
	int ret;

	ret = xt_register_target(&masquerade);

	if (ret == 0) {
		/* Register for device down reports */
		register_netdevice_notifier(&masq_dev_notifier);
		/* Register IP address change reports */
		register_inetaddr_notifier(&masq_inet_notifier);
	}

	return ret;
}

static void __exit ipt_masquerade_fini(void)
{
	xt_unregister_target(&masquerade);
	unregister_netdevice_notifier(&masq_dev_notifier);
	unregister_inetaddr_notifier(&masq_inet_notifier);
}

module_init(ipt_masquerade_init);
module_exit(ipt_masquerade_fini);
Commit	Line	Data
1da177e4 LT	1	/* Masquerade. Simple mapping which alters range to a local IP address
	2	(depending on route). */
	3
	4	/* (C) 1999-2001 Paul `Rusty' Russell
5b1158e9	5	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
1da177e4 LT	6	*
	7	* This program is free software; you can redistribute it and/or modify
	8	* it under the terms of the GNU General Public License version 2 as
	9	* published by the Free Software Foundation.
	10	*/
	11
1da177e4	12	#include <linux/types.h>
14c85021	13	#include <linux/inetdevice.h>
1da177e4 LT	14	#include <linux/ip.h>
	15	#include <linux/timer.h>
	16	#include <linux/module.h>
	17	#include <linux/netfilter.h>
	18	#include <net/protocol.h>
	19	#include <net/ip.h>
	20	#include <net/checksum.h>
14c85021	21	#include <net/route.h>
1da177e4	22	#include <linux/netfilter_ipv4.h>
5b1158e9 JK	23	#ifdef CONFIG_NF_NAT_NEEDED
	24	#include <net/netfilter/nf_nat_rule.h>
	25	#else
1da177e4	26	#include <linux/netfilter_ipv4/ip_nat_rule.h>
5b1158e9	27	#endif
6709dbbb	28	#include <linux/netfilter/x_tables.h>
1da177e4 LT	29
	30	MODULE_LICENSE("GPL");
	31	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
	32	MODULE_DESCRIPTION("iptables MASQUERADE target module");
	33
	34	#if 0
	35	#define DEBUGP printk
	36	#else
	37	#define DEBUGP(format, args...)
	38	#endif
	39
	40	/* Lock protects masq region inside conntrack */
e45b1be8	41	static DEFINE_RWLOCK(masq_lock);
1da177e4 LT	42
	43	/* FIXME: Multiple targets. --RR */
	44	static int
	45	masquerade_check(const char *tablename,
2e4e6a17	46	const void *e,
c4986734	47	const struct xt_target *target,
1da177e4	48	void *targinfo,
1da177e4 LT	49	unsigned int hook_mask)
	50	{
	51	const struct ip_nat_multi_range_compat *mr = targinfo;
	52
1da177e4 LT	53	if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
	54	DEBUGP("masquerade_check: bad MAP_IPS.\n");
	55	return 0;
	56	}
	57	if (mr->rangesize != 1) {
	58	DEBUGP("masquerade_check: bad rangesize %u.\n", mr->rangesize);
	59	return 0;
	60	}
	61	return 1;
	62	}
	63
	64	static unsigned int
	65	masquerade_target(struct sk_buff **pskb,
	66	const struct net_device *in,
	67	const struct net_device *out,
	68	unsigned int hooknum,
c4986734	69	const struct xt_target *target,
fe1cb108	70	const void *targinfo)
1da177e4	71	{
5b1158e9 JK	72	#ifdef CONFIG_NF_NAT_NEEDED
	73	struct nf_conn_nat *nat;
	74	#endif
1da177e4 LT	75	struct ip_conntrack *ct;
1da177e4 LT	76	enum ip_conntrack_info ctinfo;
1da177e4	77	struct ip_nat_range newrange;
5b1158e9	78	const struct ip_nat_multi_range_compat *mr;
1da177e4	79	struct rtable *rt;
a61ced5d	80	__be32 newsrc;
1da177e4 LT	81
	82	IP_NF_ASSERT(hooknum == NF_IP_POST_ROUTING);
	83
1da177e4	84	ct = ip_conntrack_get(*pskb, &ctinfo);
5b1158e9 JK	85	#ifdef CONFIG_NF_NAT_NEEDED
	86	nat = nfct_nat(ct);
	87	#endif
1da177e4	88	IP_NF_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED
e905a9ed	89	\|\| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
1da177e4	90
adcb5ad1 PM	91	/* Source address is 0.0.0.0 - locally generated packet that is
	92	* probably not supposed to be masqueraded.
	93	*/
5b1158e9 JK	94	#ifdef CONFIG_NF_NAT_NEEDED
	95	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
	96	#else
adcb5ad1	97	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip == 0)
5b1158e9	98	#endif
adcb5ad1 PM	99	return NF_ACCEPT;
adcb5ad1 PM	100
1da177e4 LT	101	mr = targinfo;
	102	rt = (struct rtable )(pskb)->dst;
	103	newsrc = inet_select_addr(out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
	104	if (!newsrc) {
	105	printk("MASQUERADE: %s ate my IP address\n", out->name);
	106	return NF_DROP;
	107	}
	108
e45b1be8	109	write_lock_bh(&masq_lock);
5b1158e9 JK	110	#ifdef CONFIG_NF_NAT_NEEDED
	111	nat->masq_index = out->ifindex;
	112	#else
1da177e4	113	ct->nat.masq_index = out->ifindex;
5b1158e9	114	#endif
e45b1be8	115	write_unlock_bh(&masq_lock);
1da177e4 LT	116
	117	/* Transfer from original range. */
	118	newrange = ((struct ip_nat_range)
	119	{ mr->range[0].flags \| IP_NAT_RANGE_MAP_IPS,
	120	newsrc, newsrc,
	121	mr->range[0].min, mr->range[0].max });
	122
	123	/* Hand modified range to generic setup. */
	124	return ip_nat_setup_info(ct, &newrange, hooknum);
	125	}
	126
	127	static inline int
	128	device_cmp(struct ip_conntrack i, void ifindex)
	129	{
bbdc176a	130	int ret;
5b1158e9 JK	131	#ifdef CONFIG_NF_NAT_NEEDED
5b1158e9 JK	132	struct nf_conn_nat *nat = nfct_nat(i);
bbdc176a MJ	133
	134	if (!nat)
	135	return 0;
5b1158e9	136	#endif
1da177e4	137
e45b1be8	138	read_lock_bh(&masq_lock);
5b1158e9 JK	139	#ifdef CONFIG_NF_NAT_NEEDED
	140	ret = (nat->masq_index == (int)(long)ifindex);
	141	#else
1da177e4	142	ret = (i->nat.masq_index == (int)(long)ifindex);
5b1158e9	143	#endif
e45b1be8	144	read_unlock_bh(&masq_lock);
1da177e4 LT	145
	146	return ret;
	147	}
	148
	149	static int masq_device_event(struct notifier_block *this,
	150	unsigned long event,
	151	void *ptr)
	152	{
	153	struct net_device *dev = ptr;
	154
	155	if (event == NETDEV_DOWN) {
	156	/* Device was downed. Search entire table for
	157	conntracks which were associated with that device,
	158	and forget them. */
	159	IP_NF_ASSERT(dev->ifindex != 0);
	160
	161	ip_ct_iterate_cleanup(device_cmp, (void *)(long)dev->ifindex);
	162	}
	163
	164	return NOTIFY_DONE;
	165	}
	166
	167	static int masq_inet_event(struct notifier_block *this,
	168	unsigned long event,
	169	void *ptr)
	170	{
	171	struct net_device dev = ((struct in_ifaddr )ptr)->ifa_dev->dev;
	172
	173	if (event == NETDEV_DOWN) {
	174	/* IP address was deleted. Search entire table for
	175	conntracks which were associated with that device,
	176	and forget them. */
	177	IP_NF_ASSERT(dev->ifindex != 0);
	178
	179	ip_ct_iterate_cleanup(device_cmp, (void *)(long)dev->ifindex);
	180	}
	181
	182	return NOTIFY_DONE;
	183	}
	184
	185	static struct notifier_block masq_dev_notifier = {
	186	.notifier_call = masq_device_event,
	187	};
	188
	189	static struct notifier_block masq_inet_notifier = {
	190	.notifier_call = masq_inet_event,
	191	};
	192
6709dbbb	193	static struct xt_target masquerade = {
1da177e4	194	.name = "MASQUERADE",
6709dbbb	195	.family = AF_INET,
1da177e4	196	.target = masquerade_target,
1d5cd909 PM	197	.targetsize = sizeof(struct ip_nat_multi_range_compat),
	198	.table = "nat",
	199	.hooks = 1 << NF_IP_POST_ROUTING,
1da177e4 LT	200	.checkentry = masquerade_check,
	201	.me = THIS_MODULE,
	202	};
	203
65b4b4e8	204	static int __init ipt_masquerade_init(void)
1da177e4 LT	205	{
	206	int ret;
	207
6709dbbb	208	ret = xt_register_target(&masquerade);
1da177e4 LT	209
	210	if (ret == 0) {
	211	/* Register for device down reports */
	212	register_netdevice_notifier(&masq_dev_notifier);
	213	/* Register IP address change reports */
	214	register_inetaddr_notifier(&masq_inet_notifier);
	215	}
	216
	217	return ret;
	218	}
	219
65b4b4e8	220	static void __exit ipt_masquerade_fini(void)
1da177e4	221	{
6709dbbb	222	xt_unregister_target(&masquerade);
1da177e4	223	unregister_netdevice_notifier(&masq_dev_notifier);
e905a9ed	224	unregister_inetaddr_notifier(&masq_inet_notifier);
1da177e4 LT	225	}
1da177e4 LT	226
65b4b4e8 AM	227	module_init(ipt_masquerade_init);
65b4b4e8 AM	228	module_exit(ipt_masquerade_fini);