1 // SPDX-License-Identifier: GPL-2.0
3 #include <linux/types.h>
4 #include <linux/atomic.h>
5 #include <linux/inetdevice.h>
6 #include <linux/netfilter.h>
7 #include <linux/netfilter_ipv4.h>
8 #include <linux/netfilter_ipv6.h>
10 #include <net/netfilter/ipv4/nf_nat_masquerade.h>
11 #include <net/netfilter/ipv6/nf_nat_masquerade.h>
/* Taken around every update of the two reference counters below by the
 * register/unregister helpers in this file.
 */
13 static DEFINE_MUTEX(masq_mutex);
/* Count of users of the IPv4 notifiers: bumped in
 * nf_nat_masquerade_ipv4_register_notifier(), dropped in the matching
 * unregister helper.
 */
14 static unsigned int masq_refcnt4 __read_mostly;
/* Same kind of counter for the IPv6 address notifier. */
15 static unsigned int masq_refcnt6 __read_mostly;
/* Set up source NAT for an IPv4 connection using an address chosen for the
 * outgoing device.
 *
 * @skb:     packet; its conntrack entry is obtained with nf_ct_get()
 * @hooknum: hook the caller runs on; any value other than
 *           NF_INET_POST_ROUTING triggers a WARN_ON
 * @range:   caller-supplied range; its flags and min/max proto are copied
 *           into the range handed on
 * @out:     outgoing device; used for the address selection, for the log
 *           message, and its ifindex is stored in the NAT extension
 *
 * The visible return path passes back the result of nf_nat_setup_info()
 * called with NF_NAT_MANIP_SRC.
 *
 * NOTE(review): the embedded listing numbers skip in several places. No
 * return type, no opening brace and no declarations of ct, newsrc or nh
 * are visible, and the statements guarded by the "== 0" test and by the
 * address lookup are not shown. The "Source address is 0.0.0.0" comment
 * also has no closing delimiter in this view. Compare with the complete
 * file before editing.
 */
18 nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
19 const struct nf_nat_range2 *range,
20 const struct net_device *out)
23 struct nf_conn_nat *nat;
24 enum ip_conntrack_info ctinfo;
25 struct nf_nat_range2 newrange;
26 const struct rtable *rt;
/* Masquerading is only expected on the POST_ROUTING hook. */
29 WARN_ON(hooknum != NF_INET_POST_ROUTING);
31 ct = nf_ct_get(skb, &ctinfo);
/* Only new or related connections are expected at this point. */
33 WARN_ON(!(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
34 ctinfo == IP_CT_RELATED_REPLY)));
36 /* Source address is 0.0.0.0 - locally generated packet that is
37 * probably not supposed to be masqueraded.
39 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
43 nh = rt_nexthop(rt, ip_hdr(skb)->daddr);
44 newsrc = inet_select_addr(out, nh, RT_SCOPE_UNIVERSE);
46 pr_info("%s ate my IP address\n", out->name);
50 nat = nf_ct_nat_ext_add(ct);
52 nat->masq_index = out->ifindex;
54 /* Transfer from original range. */
55 memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
56 memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
/* Keep the caller's flags, force NF_NAT_RANGE_MAP_IPS, and pin both ends
 * of the address range to the selected source address.
 */
57 newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
58 newrange.min_addr.ip = newsrc;
59 newrange.max_addr.ip = newsrc;
60 newrange.min_proto = range->min_proto;
61 newrange.max_proto = range->max_proto;
63 /* Hand modified range to generic setup. */
64 return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
66 EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4);
/* Match callback passed to nf_ct_iterate_cleanup_net(): tells whether
 * conntrack @i was masqueraded on a given interface.
 *
 * @i:       conntrack entry under inspection
 * @ifindex: interface index carried in the pointer value itself (callers
 *           cast an int through long to void *)
 *
 * Returns non-zero when the masq_index stored in the entry's NAT data
 * equals that index.
 *
 * NOTE(review): the listing numbers skip between the nfct_nat() call and
 * the comparison; presumably a check for a missing NAT extension sits
 * there. Confirm against the full file.
 */
68 static int device_cmp(struct nf_conn *i, void *ifindex)
/* nat holds the masq_index recorded by the masquerade functions. */
70 const struct nf_conn_nat *nat = nfct_nat(i);
74 return nat->masq_index == (int)(long)ifindex;
/* Notifier callback installed through masq_dev_notifier.
 *
 * When the event is NETDEV_DOWN it runs nf_ct_iterate_cleanup_net() over
 * the device's network namespace with device_cmp() as the match callback
 * and the device's ifindex (packed into a pointer) as its argument.
 *
 * NOTE(review): the remaining parameter lines (event and ptr are used but
 * not declared in the visible signature), the end of the inline comment
 * and the return statement are not shown in this view.
 */
77 static int masq_device_event(struct notifier_block *this,
81 const struct net_device *dev = netdev_notifier_info_to_dev(ptr);
82 struct net *net = dev_net(dev);
84 if (event == NETDEV_DOWN) {
85 /* Device was downed. Search entire table for
86 * conntracks which were associated with that device,
90 nf_ct_iterate_cleanup_net(net, device_cmp,
91 (void *)(long)dev->ifindex, 0, 0);
/* Match callback used by masq_inet_event(): selects conntracks that were
 * masqueraded on the address's device and whose reply-direction
 * destination equals that address.
 *
 * @ct:  conntrack entry under inspection
 * @ptr: the struct in_ifaddr that masq_inet_event() received
 *
 * Returns the result of the address comparison (non-zero on a match).
 *
 * NOTE(review): the statement executed when device_cmp() reports no match
 * is not visible here (listing numbers skip); presumably it returns 0.
 * Confirm against the full file.
 */
97 static int inet_cmp(struct nf_conn *ct, void *ptr)
99 struct in_ifaddr *ifa = (struct in_ifaddr *)ptr;
100 struct net_device *dev = ifa->ifa_dev->dev;
101 struct nf_conntrack_tuple *tuple;
/* Filter on the owning device first, reusing device_cmp(). */
103 if (!device_cmp(ct, (void *)(long)dev->ifindex))
/* The masqueraded address shows up as the destination of the reply tuple. */
106 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
108 return ifa->ifa_address == tuple->dst.u3.ip;
/* Notifier callback installed through masq_inet_notifier.
 *
 * @ptr is treated as a struct in_ifaddr. On NETDEV_DOWN the callback runs
 * nf_ct_iterate_cleanup_net() over the address's network namespace with
 * inet_cmp() as the match callback and @ptr as its argument.
 *
 * NOTE(review): the remaining parameter lines, the end of the inline
 * comment, whatever statements follow that comment (it talks about a dead
 * inetdev, but no such check is visible) and the return statement are not
 * shown in this view.
 */
111 static int masq_inet_event(struct notifier_block *this,
115 struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
116 struct net *net = dev_net(idev->dev);
118 /* The masq_dev_notifier will catch the case of the device going
119 * down. So if the inetdev is dead and being destroyed we have
120 * no work to do. Otherwise this is an individual address removal
121 * and we have to perform the flush.
126 if (event == NETDEV_DOWN)
127 nf_ct_iterate_cleanup_net(net, inet_cmp, ptr, 0, 0);
/* Notifier block that routes events to masq_device_event(); registered
 * with register_netdevice_notifier() by the IPv4 register helper.
 * NOTE(review): the closing brace of this initializer is not visible here.
 */
132 static struct notifier_block masq_dev_notifier = {
133 .notifier_call = masq_device_event,
/* Notifier block that routes events to masq_inet_event(); registered with
 * register_inetaddr_notifier() by the IPv4 register helper.
 * NOTE(review): the closing brace of this initializer is not visible here.
 */
136 static struct notifier_block masq_inet_notifier = {
137 .notifier_call = masq_inet_event,
/* Take a reference on the IPv4 masquerade notifiers.
 *
 * Under masq_mutex the function increments masq_refcnt4; the visible code
 * then registers masq_dev_notifier and masq_inet_notifier.
 *
 * Returns an int; the return statements themselves are not visible here.
 *
 * NOTE(review): the listing numbers skip throughout. The declaration of
 * ret, the bodies of both conditionals, any checks on ret, and the labels
 * of the exit paths are not shown. The two mutex_unlock() calls suggest a
 * success path and an unwind path, but confirm against the full file.
 */
140 int nf_nat_masquerade_ipv4_register_notifier(void)
144 mutex_lock(&masq_mutex);
/* Warn once if the counter already sits at UINT_MAX; the handling inside
 * this branch is not visible in this view.
 */
145 if (WARN_ON_ONCE(masq_refcnt4 == UINT_MAX)) {
150 /* check if the notifier was already set */
151 if (++masq_refcnt4 > 1)
154 /* Register for device down reports */
155 ret = register_netdevice_notifier(&masq_dev_notifier);
158 /* Register IP address change reports */
159 ret = register_inetaddr_notifier(&masq_inet_notifier);
163 mutex_unlock(&masq_mutex);
/* NOTE(review): presumably the unwind step for a failed inetaddr
 * registration; the label and surrounding statements are not shown.
 */
167 unregister_netdevice_notifier(&masq_dev_notifier);
171 mutex_unlock(&masq_mutex);
174 EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_register_notifier);
/* Drop a reference on the IPv4 masquerade notifiers.
 *
 * Under masq_mutex the function decrements masq_refcnt4 and, in the
 * visible code, unregisters masq_dev_notifier and masq_inet_notifier
 * before releasing the mutex.
 *
 * NOTE(review): the statement guarded by the "> 0" test is not visible
 * (listing numbers skip); presumably it jumps straight to the unlock so
 * the notifiers stay registered while other users remain. Confirm.
 * masq_refcnt4 is unsigned, so the decrement itself is not guarded against
 * being called with the counter already at zero in the visible code.
 */
176 void nf_nat_masquerade_ipv4_unregister_notifier(void)
178 mutex_lock(&masq_mutex);
179 /* check if the notifier still has clients */
180 if (--masq_refcnt4 > 0)
183 unregister_netdevice_notifier(&masq_dev_notifier);
184 unregister_inetaddr_notifier(&masq_inet_notifier);
186 mutex_unlock(&masq_mutex);
188 EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_unregister_notifier);
190 #if IS_ENABLED(CONFIG_IPV6)
/* Number of IPv6 cleanup work items currently outstanding: incremented in
 * masq_inet6_event() when a work item is set up, decremented in
 * iterate_cleanup_work(), and compared against 16 before new work is
 * accepted.
 */
191 static atomic_t v6_worker_count __read_mostly;
/* Pick an IPv6 source address for @dev towards @daddr, storing it in
 * @saddr.
 *
 * When CONFIG_IPV6_MODULE is defined the lookup goes through the ops table
 * returned by nf_get_ipv6_ops(); the last visible statement calls
 * ipv6_dev_get_saddr() directly with the same arguments.
 *
 * The result of whichever lookup runs is returned; -EHOSTUNREACH is
 * returned on a path whose condition is not visible here (presumably when
 * no ops table is available; confirm).
 *
 * NOTE(review): the return type, braces, the condition guarding the
 * -EHOSTUNREACH return, and the remaining preprocessor lines of the
 * conditional are not shown in this view.
 */
194 nat_ipv6_dev_get_saddr(struct net *net, const struct net_device *dev,
195 const struct in6_addr *daddr, unsigned int srcprefs,
196 struct in6_addr *saddr)
198 #ifdef CONFIG_IPV6_MODULE
199 const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
202 return -EHOSTUNREACH;
204 return v6_ops->dev_get_saddr(net, dev, daddr, srcprefs, saddr);
206 return ipv6_dev_get_saddr(net, dev, daddr, srcprefs, saddr);
/* Set up source NAT for an IPv6 connection using an address chosen for the
 * outgoing device.
 *
 * @skb:   packet; its conntrack entry is obtained with nf_ct_get()
 * @range: caller-supplied range; its flags and min/max proto are copied
 *         into the range handed on
 * @out:   outgoing device; used for the source address lookup, and its
 *         ifindex is stored in the NAT extension
 *
 * The visible return path passes back the result of nf_nat_setup_info()
 * called with NF_NAT_MANIP_SRC.
 *
 * NOTE(review): the listing numbers skip in several places. The return
 * type, braces, the declarations of ct and src, and the statement taken
 * when the address lookup returns a negative value are not visible here.
 */
211 nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
212 const struct net_device *out)
214 enum ip_conntrack_info ctinfo;
215 struct nf_conn_nat *nat;
218 struct nf_nat_range2 newrange;
220 ct = nf_ct_get(skb, &ctinfo);
/* Only new or related connections are expected at this point. */
221 WARN_ON(!(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
222 ctinfo == IP_CT_RELATED_REPLY)));
/* Ask for a source address on @out that suits the packet's destination. */
224 if (nat_ipv6_dev_get_saddr(nf_ct_net(ct), out,
225 &ipv6_hdr(skb)->daddr, 0, &src) < 0)
228 nat = nf_ct_nat_ext_add(ct);
/* Remember the device so the cleanup callbacks can match on it later. */
230 nat->masq_index = out->ifindex;
/* Keep the caller's flags, force NF_NAT_RANGE_MAP_IPS, and pin both ends
 * of the address range to the selected source address.
 */
232 newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
233 newrange.min_addr.in6 = src;
234 newrange.max_addr.in6 = src;
235 newrange.min_proto = range->min_proto;
236 newrange.max_proto = range->max_proto;
238 return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
240 EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6);
/* One deferred IPv6 cleanup request, allocated in masq_inet6_event() and
 * consumed by iterate_cleanup_work().
 *
 * NOTE(review): other code in this file also uses w->net and w->ifindex,
 * so those members are presumably declared on lines missing from this
 * view, as is the closing brace.
 */
242 struct masq_dev_work {
/* Work item handed to schedule_work(). */
243 struct work_struct work;
/* Address compared against the reply tuple in inet6_cmp(). */
245 struct in6_addr addr;
/* Match callback used by iterate_cleanup_work(): selects conntracks that
 * were masqueraded on the request's device and whose reply-direction
 * destination equals the request's IPv6 address.
 *
 * @ct:   conntrack entry under inspection
 * @work: the struct masq_dev_work describing the request
 *
 * Returns the result of ipv6_addr_equal() on the two addresses.
 *
 * NOTE(review): the statement executed when device_cmp() reports no match
 * is not visible here (listing numbers skip); presumably it returns 0.
 * Confirm against the full file.
 */
249 static int inet6_cmp(struct nf_conn *ct, void *work)
251 struct masq_dev_work *w = (struct masq_dev_work *)work;
252 struct nf_conntrack_tuple *tuple;
/* Filter on the owning device first, reusing device_cmp(). */
254 if (!device_cmp(ct, (void *)(long)w->ifindex))
257 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
259 return ipv6_addr_equal(&w->addr, &tuple->dst.u3.in6);
/* Work handler for requests queued by masq_inet6_event().
 *
 * Recovers the enclosing struct masq_dev_work from @work, runs
 * nf_ct_iterate_cleanup_net() on w->net with inet6_cmp() as the match
 * callback, then decrements v6_worker_count and drops the module
 * reference taken when the work was queued.
 *
 * NOTE(review): the listing numbers skip between the cleanup call and the
 * counter decrement; presumably the request and its net reference are
 * released there. Confirm against the full file.
 */
262 static void iterate_cleanup_work(struct work_struct *work)
264 struct masq_dev_work *w;
266 w = container_of(work, struct masq_dev_work, work);
268 nf_ct_iterate_cleanup_net(w->net, inet6_cmp, (void *)w, 0, 0);
/* Balances the atomic_inc() and try_module_get() in masq_inet6_event(). */
272 atomic_dec(&v6_worker_count);
273 module_put(THIS_MODULE);
/* This callback runs from an atomic notifier, so it cannot call
 * nf_ct_iterate_cleanup_net() directly (that function can sleep).
 * The cleanup is deferred to the system workqueue instead.
 *
 * Because there can be 'a lot' of inet6 events (depending on how many
 * IPv6 addresses are being deleted), the number of queued work items
 * also has to be limited.
 */
/* Notifier callback installed through masq_inet6_notifier.
 *
 * @ptr is treated as a struct inet6_ifaddr. For NETDEV_DOWN events, and
 * only while fewer than 16 work items are outstanding, the callback tries
 * to take a reference on the device's network namespace and on this
 * module, allocates a struct masq_dev_work with GFP_ATOMIC, fills it in
 * and queues it with schedule_work().
 *
 * NOTE(review): the listing numbers skip throughout. The declaration of
 * net, the checks on the results of maybe_get_net() and kmalloc(), the
 * assignments of the remaining work fields, the error labels and every
 * return statement are not visible here. The trailing module_put() is
 * presumably the unwind for a failed allocation; confirm.
 */
283 static int masq_inet6_event(struct notifier_block *this,
284 unsigned long event, void *ptr)
286 struct inet6_ifaddr *ifa = ptr;
287 const struct net_device *dev;
288 struct masq_dev_work *w;
/* Ignore everything but address removal, and cap outstanding work at 16. */
291 if (event != NETDEV_DOWN || atomic_read(&v6_worker_count) >= 16)
294 dev = ifa->idev->dev;
295 net = maybe_get_net(dev_net(dev));
/* Hold the module until the work item has run (see iterate_cleanup_work()). */
299 if (!try_module_get(THIS_MODULE))
/* GFP_ATOMIC allocation for the work request. */
302 w = kmalloc(sizeof(*w), GFP_ATOMIC);
304 atomic_inc(&v6_worker_count);
306 INIT_WORK(&w->work, iterate_cleanup_work);
307 w->ifindex = dev->ifindex;
310 schedule_work(&w->work);
315 module_put(THIS_MODULE);
/* Notifier block that routes events to masq_inet6_event(); registered with
 * register_inet6addr_notifier() by the IPv6 register helper.
 * NOTE(review): the closing brace of this initializer is not visible here.
 */
321 static struct notifier_block masq_inet6_notifier = {
322 .notifier_call = masq_inet6_event,
/* Take a reference on the IPv6 masquerade notifier.
 *
 * Under masq_mutex the function increments masq_refcnt6; the visible code
 * then registers masq_inet6_notifier.
 *
 * Returns an int; the return statements themselves are not visible here.
 *
 * NOTE(review): the listing numbers skip throughout. The declaration of
 * ret, the bodies of both conditionals, any check on ret, and the labels
 * of the exit paths are not shown. The two mutex_unlock() calls suggest a
 * success path and an error path, but confirm against the full file.
 */
325 int nf_nat_masquerade_ipv6_register_notifier(void)
329 mutex_lock(&masq_mutex);
/* Warn once if the counter already sits at UINT_MAX; the handling inside
 * this branch is not visible in this view.
 */
330 if (WARN_ON_ONCE(masq_refcnt6 == UINT_MAX)) {
335 /* check if the notifier is already set */
336 if (++masq_refcnt6 > 1)
339 ret = register_inet6addr_notifier(&masq_inet6_notifier);
343 mutex_unlock(&masq_mutex);
348 mutex_unlock(&masq_mutex);
351 EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier);
/* Drop a reference on the IPv6 masquerade notifier.
 *
 * Under masq_mutex the function decrements masq_refcnt6 and, in the
 * visible code, unregisters masq_inet6_notifier before releasing the
 * mutex.
 *
 * NOTE(review): the statement guarded by the "> 0" test is not visible
 * (listing numbers skip); presumably it jumps straight to the unlock so
 * the notifier stays registered while other users remain. Confirm.
 * masq_refcnt6 is unsigned, so the decrement itself is not guarded against
 * being called with the counter already at zero in the visible code.
 */
353 void nf_nat_masquerade_ipv6_unregister_notifier(void)
355 mutex_lock(&masq_mutex);
356 /* check if the notifier still has clients */
357 if (--masq_refcnt6 > 0)
360 unregister_inet6addr_notifier(&masq_inet6_notifier);
362 mutex_unlock(&masq_mutex);
364 EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier);