static int
xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
const struct xt_tgchk_param *par)
{
struct nf_conntrack_helper *helper;
struct nf_conn_help *help;
u8 proto;
proto = xt_ct_find_proto(par);
if (!proto) {
pr_info("You must specify a L4 protocol, and not use "
"inversions on it.\n");
return -ENOENT;
}
helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
proto);
if (helper == NULL) {
pr_info("No such helper \"%s\"\n", helper_name);
return -ENOENT;
}
help = nf_ct_helper_ext_add(ct, helper, GFP_KERNEL);
if (help == NULL) {
module_put(helper->me);
return -ENOMEM;
}
help->helper = helper;
return 0;
}
static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
const struct sw_flow_key *key, bool log)
{
struct nf_conntrack_helper *helper;
struct nf_conn_help *help;
helper = nf_conntrack_helper_try_module_get(name, info->family,
key->ip.proto);
if (!helper) {
OVS_NLERR(log, "Unknown helper \"%s\"", name);
return -EINVAL;
}
help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL);
if (!help) {
module_put(helper->me);
return -ENOMEM;
}
rcu_assign_pointer(help->helper, helper);
info->helper = helper;
return 0;
}
static int xt_ct_tg_check(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info *info = par->targinfo;
struct nf_conntrack_tuple t;
struct nf_conn_help *help;
struct nf_conn *ct;
int ret = 0;
u8 proto;
if (info->flags & ~XT_CT_NOTRACK)
return -EINVAL;
if (info->flags & XT_CT_NOTRACK) {
ct = nf_ct_untracked_get();
atomic_inc(&ct->ct_general.use);
goto out;
}
#ifndef CONFIG_NF_CONNTRACK_ZONES
if (info->zone)
goto err1;
#endif
ret = nf_ct_l3proto_try_module_get(par->family);
if (ret < 0)
goto err1;
memset(&t, 0, sizeof(t));
ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
ret = PTR_ERR(ct);
if (IS_ERR(ct))
goto err2;
ret = 0;
if ((info->ct_events || info->exp_events) &&
!nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
GFP_KERNEL))
goto err3;
if (info->helper[0]) {
ret = -ENOENT;
proto = xt_ct_find_proto(par);
if (!proto)
goto err3;
ret = -ENOMEM;
help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
if (help == NULL)
goto err3;
ret = -ENOENT;
help->helper = nf_conntrack_helper_try_module_get(info->helper,
par->family,
proto);
if (help->helper == NULL)
goto err3;
}
__set_bit(IPS_TEMPLATE_BIT, &ct->status);
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
out:
info->ct = ct;
return 0;
err3:
nf_conntrack_free(ct);
err2:
nf_ct_l3proto_module_put(par->family);
err1:
return ret;
}
static unsigned int
conenat_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
struct net *net;
struct nf_conn *ct;
struct nf_conn_nat *nat;
enum ip_conntrack_info ctinfo;
struct nf_nat_range newrange;
const struct nf_nat_multi_range_compat *mr;
struct rtable *rt;
__be32 newsrc;
NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING);
ct = nf_ct_get(skb, &ctinfo);
nat = nfct_nat(ct);
net = nf_ct_net(ct);
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED
|| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
/* Source address is 0.0.0.0 - locally generated packet that is
* probably not supposed to be masqueraded.
*/
if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
return NF_ACCEPT;
mr = par->targinfo;
rt = skb->rtable;
newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
if (!newsrc) {
printk("CONENAT: %s ate my IP address\n", par->out->name);
return NF_DROP;
}
write_lock_bh(&conenat_lock);
nat->masq_index = par->out->ifindex;
write_unlock_bh(&conenat_lock);
if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == IPPROTO_UDP)
{
unsigned int ret,expectcount = net->ct.expect_count;
u_int16_t minport, maxport;
u_int16_t newport, tmpport;
struct nf_conntrack_expect *exp=NULL;
struct nf_conntrack_tuple tuple;
struct nf_conn_help *help = nfct_help(ct);
/* Choose port */
spin_lock_bh(&nf_conntrack_lock);
#if 0
exp = LIST_FIND(&nf_conntrack_expect_list,
exp_src_cmp,
struct nf_conntrack_expect *,
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
#endif
memset(&tuple,0,sizeof(tuple));
//src
tuple.src.l3num = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num;
tuple.src.u3.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip;
tuple.src.u.udp.port = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.udp.port;
//dst
tuple.dst.u3.ip = newsrc;
//tuple.dst.u.udp.port = htons(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port);
newport = htons(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port);
tuple.dst.protonum = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
pr_debug("tupple1 = %pI4:%hu\n", &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip,ntohs(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port));
if(expectcount > 0){
for(tmpport=0; (tmpport<=expectcount)&&(newport<=65535); tmpport++,newport++){
tuple.dst.u.udp.port=newport;
exp = __nf_ct_expect_find_bysave(net, &tuple, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
if(exp)
break;
}
}
if (exp) {
minport = maxport = exp->tuple.dst.u.udp.port;
pr_debug("existing mapped port = %hu\n", ntohs(minport));
} else {
minport = mr->range[0].min.udp.port == 0 ?
ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port :
mr->range[0].min.udp.port;
maxport = mr->range[0].max.udp.port == 0 ?
htons(65535) :
mr->range[0].max.udp.port;
for (newport = ntohs(minport),tmpport = ntohs(maxport);
newport <= tmpport; newport++) {
#if 0
exp = LIST_FIND(&ip_conntrack_expect_list,
exp_cmp,
struct nf_conntrack_expect *,
newsrc, htons(newport), ct->tuplehash[IP_CT_DIR_ORIGINAL].
tuple.dst.protonum);
#endif
//dst
tuple.dst.u.udp.port = htons(newport);
exp = __nf_ct_expect_find(net, &tuple);
if (!exp)
{
pr_debug("new mapping: %pI4:%hu -> %pI4:%hu\n",
&(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip),
ntohs(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.udp.port),
&newsrc, newport);
minport = maxport = htons(newport);
break;
}
}
}
spin_unlock_bh(&nf_conntrack_lock);
newrange.flags = mr->range[0].flags | IP_NAT_RANGE_MAP_IPS |IP_NAT_RANGE_PROTO_SPECIFIED;
newrange.min_ip = newrange.max_ip = newsrc;
newrange.min.udp.port = minport;
newrange.max.udp.port = maxport;
/* Set ct helper */
ret = nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_SRC);
if (ret == NF_ACCEPT)
{
rcu_read_lock();
if (help == NULL) {
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
if (help == NULL) {
return NF_ACCEPT;
}
} else {
memset(&help->help, 0, sizeof(help->help));
}
rcu_assign_pointer(help->helper, &nf_conntrack_helper_cone_nat);
rcu_read_unlock();
pr_debug("helper setup, skb=%p\n", skb);
}
return ret;
}
unsigned int rtl_find_appropriate_newrange(struct nf_conn *ct, __be32 newsrc, const struct nf_nat_multi_range_compat *mr)
{
struct net *net;
unsigned int ret,expectcount = net->ct.expect_count;
u_int16_t minport, maxport;
u_int16_t newport, tmpport;
struct nf_conntrack_expect *exp=NULL;
struct nf_conntrack_tuple tuple;
struct nf_nat_range newrange;
struct nf_conn_help *help = nfct_help(ct);
net = nf_ct_net(ct);
expectcount = net->ct.expect_count;
/* Choose port */
spin_lock_bh(&nf_conntrack_lock);
#if 0
exp = LIST_FIND(&nf_conntrack_expect_list,
exp_src_cmp,
struct nf_conntrack_expect *,
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
#endif
memset(&tuple,0,sizeof(tuple));
//src
tuple.src.l3num = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num;
tuple.src.u3.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip;
tuple.src.u.udp.port = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.udp.port;
//dst
tuple.dst.u3.ip = newsrc;
//tuple.dst.u.udp.port = htons(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port);
newport = htons(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port);
tuple.dst.protonum = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
pr_debug("tupple1 = %pI4:%hu\n", &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip,ntohs(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port));
if(expectcount > 0){
for(tmpport=0; (tmpport<=expectcount)&&(newport<=65535); tmpport++,newport++){
tuple.dst.u.udp.port=newport;
exp = __nf_ct_expect_find_bysave(net, &tuple, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
if(exp)
break;
}
}
if (exp) {
minport = maxport = exp->tuple.dst.u.udp.port;
pr_debug("existing mapped port = %hu\n", ntohs(minport));
} else {
minport = mr->range[0].min.udp.port == 0 ?
ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port :
mr->range[0].min.udp.port;
maxport = mr->range[0].max.udp.port == 0 ?
htons(65535) :
mr->range[0].max.udp.port;
for (newport = ntohs(minport),tmpport = ntohs(maxport);
newport <= tmpport; newport++) {
#if 0
exp = LIST_FIND(&ip_conntrack_expect_list,
exp_cmp,
struct nf_conntrack_expect *,
newsrc, htons(newport), ct->tuplehash[IP_CT_DIR_ORIGINAL].
tuple.dst.protonum);
#endif
//dst
tuple.dst.u.udp.port = htons(newport);
exp = __nf_ct_expect_find(net, &tuple);
if (!exp)
{
pr_debug("new mapping: %pI4:%hu -> %pI4:%hu\n",
&(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip),
ntohs(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.udp.port),
&newsrc, newport);
minport = maxport = htons(newport);
break;
}
}
}
spin_unlock_bh(&nf_conntrack_lock);
newrange.flags = mr->range[0].flags | IP_NAT_RANGE_MAP_IPS |IP_NAT_RANGE_PROTO_SPECIFIED;
newrange.min_ip = newrange.max_ip = newsrc;
newrange.min.udp.port = minport;
newrange.max.udp.port = maxport;
/* Set ct helper */
ret = nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_SRC);
if (ret == NF_ACCEPT)
{
rcu_read_lock();
if (help == NULL) {
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
if (help == NULL) {
return NF_ACCEPT;
}
} else {
memset(&help->help, 0, sizeof(help->help));
}
rcu_assign_pointer(help->helper, &nf_conntrack_helper_cone_nat);
rcu_read_unlock();
}
return ret;
}
static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info_v1 *info = par->targinfo;
struct nf_conntrack_tuple t;
struct nf_conn_help *help;
struct nf_conn *ct;
int ret = 0;
u8 proto;
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
struct ctnl_timeout *timeout;
#endif
if (info->flags & ~XT_CT_NOTRACK)
return -EINVAL;
if (info->flags & XT_CT_NOTRACK) {
ct = nf_ct_untracked_get();
atomic_inc(&ct->ct_general.use);
goto out;
}
#ifndef CONFIG_NF_CONNTRACK_ZONES
if (info->zone)
goto err1;
#endif
ret = nf_ct_l3proto_try_module_get(par->family);
if (ret < 0)
goto err1;
memset(&t, 0, sizeof(t));
ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
ret = PTR_ERR(ct);
if (IS_ERR(ct))
goto err2;
ret = 0;
if ((info->ct_events || info->exp_events) &&
!nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
GFP_KERNEL))
goto err3;
if (info->helper[0]) {
ret = -ENOENT;
proto = xt_ct_find_proto(par);
if (!proto) {
pr_info("You must specify a L4 protocol, "
"and not use inversions on it.\n");
goto err3;
}
ret = -ENOMEM;
help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
if (help == NULL)
goto err3;
ret = -ENOENT;
help->helper = nf_conntrack_helper_try_module_get(info->helper,
par->family,
proto);
if (help->helper == NULL) {
pr_info("No such helper \"%s\"\n", info->helper);
goto err3;
}
}
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
if (info->timeout[0]) {
typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
struct nf_conn_timeout *timeout_ext;
rcu_read_lock();
timeout_find_get =
rcu_dereference(nf_ct_timeout_find_get_hook);
if (timeout_find_get) {
const struct ipt_entry *e = par->entryinfo;
struct nf_conntrack_l4proto *l4proto;
if (e->ip.invflags & IPT_INV_PROTO) {
ret = -EINVAL;
pr_info("You cannot use inversion on "
"L4 protocol\n");
goto err4;
}
timeout = timeout_find_get(info->timeout);
if (timeout == NULL) {
ret = -ENOENT;
pr_info("No such timeout policy \"%s\"\n",
info->timeout);
goto err4;
}
if (timeout->l3num != par->family) {
ret = -EINVAL;
pr_info("Timeout policy `%s' can only be "
"used by L3 protocol number %d\n",
info->timeout, timeout->l3num);
goto err5;
}
/* Make sure the timeout policy matches any existing
* protocol tracker, otherwise default to generic.
*/
l4proto = __nf_ct_l4proto_find(par->family,
e->ip.proto);
if (timeout->l4proto->l4proto != l4proto->l4proto) {
ret = -EINVAL;
pr_info("Timeout policy `%s' can only be "
"used by L4 protocol number %d\n",
info->timeout,
timeout->l4proto->l4proto);
goto err5;
}
timeout_ext = nf_ct_timeout_ext_add(ct, timeout,
GFP_ATOMIC);
if (timeout_ext == NULL) {
ret = -ENOMEM;
goto err5;
}
} else {
ret = -ENOENT;
pr_info("Timeout policy base is empty\n");
goto err4;
}
rcu_read_unlock();
}
#endif
__set_bit(IPS_TEMPLATE_BIT, &ct->status);
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
out:
info->ct = ct;
return 0;
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
err5:
__xt_ct_tg_timeout_put(timeout);
err4:
rcu_read_unlock();
#endif
err3:
nf_conntrack_free(ct);
err2:
nf_ct_l3proto_module_put(par->family);
err1:
return ret;
}