2012-08-26 17:14:06 +00:00
|
|
|
/*
|
|
|
|
|
* (C) 1999-2001 Paul `Rusty' Russell
|
2006-12-03 06:07:13 +00:00
|
|
|
* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
|
2012-08-26 17:14:06 +00:00
|
|
|
* (C) 2011 Patrick McHardy <kaber@trash.net>
|
2006-12-03 06:07:13 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/timer.h>
|
|
|
|
|
#include <linux/skbuff.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/gfp.h>
|
2012-08-26 17:14:06 +00:00
|
|
|
#include <net/xfrm.h>
|
2006-12-03 06:07:13 +00:00
|
|
|
#include <linux/jhash.h>
|
2012-08-26 17:14:06 +00:00
|
|
|
#include <linux/rtnetlink.h>
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
|
|
|
|
#include <net/netfilter/nf_nat.h>
|
2012-08-26 17:14:06 +00:00
|
|
|
#include <net/netfilter/nf_nat_l3proto.h>
|
|
|
|
|
#include <net/netfilter/nf_nat_l4proto.h>
|
2006-12-03 06:07:13 +00:00
|
|
|
#include <net/netfilter/nf_nat_core.h>
|
|
|
|
|
#include <net/netfilter/nf_nat_helper.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_helper.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_l3proto.h>
|
2010-02-15 17:13:33 +00:00
|
|
|
#include <net/netfilter/nf_conntrack_zones.h>
|
2012-08-26 17:14:06 +00:00
|
|
|
#include <linux/netfilter/nf_nat.h>
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2008-01-31 12:43:06 +00:00
|
|
|
static DEFINE_SPINLOCK(nf_nat_lock);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
static DEFINE_MUTEX(nf_nat_proto_mutex);
|
|
|
|
|
static const struct nf_nat_l3proto __rcu *nf_nat_l3protos[NFPROTO_NUMPROTO]
|
|
|
|
|
__read_mostly;
|
|
|
|
|
static const struct nf_nat_l4proto __rcu **nf_nat_l4protos[NFPROTO_NUMPROTO]
|
2007-12-18 06:37:52 +00:00
|
|
|
__read_mostly;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
|
|
|
|
|
inline const struct nf_nat_l3proto *
|
|
|
|
|
__nf_nat_l3proto_find(u8 family)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
return rcu_dereference(nf_nat_l3protos[family]);
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
inline const struct nf_nat_l4proto *
|
|
|
|
|
__nf_nat_l4proto_find(u8 family, u8 protonum)
|
|
|
|
|
{
|
|
|
|
|
return rcu_dereference(nf_nat_l4protos[family][protonum]);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(__nf_nat_l4proto_find);
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl)
|
|
|
|
|
{
|
|
|
|
|
const struct nf_nat_l3proto *l3proto;
|
|
|
|
|
const struct nf_conn *ct;
|
|
|
|
|
enum ip_conntrack_info ctinfo;
|
|
|
|
|
enum ip_conntrack_dir dir;
|
|
|
|
|
unsigned long statusbit;
|
|
|
|
|
u8 family;
|
|
|
|
|
|
|
|
|
|
ct = nf_ct_get(skb, &ctinfo);
|
|
|
|
|
if (ct == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
l3proto = __nf_nat_l3proto_find(family);
|
|
|
|
|
if (l3proto == NULL)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
dir = CTINFO2DIR(ctinfo);
|
|
|
|
|
if (dir == IP_CT_DIR_ORIGINAL)
|
|
|
|
|
statusbit = IPS_DST_NAT;
|
|
|
|
|
else
|
|
|
|
|
statusbit = IPS_SRC_NAT;
|
|
|
|
|
|
|
|
|
|
l3proto->decode_session(skb, ct, dir, statusbit, fl);
|
|
|
|
|
out:
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family)
|
|
|
|
|
{
|
|
|
|
|
struct flowi fl;
|
|
|
|
|
unsigned int hh_len;
|
|
|
|
|
struct dst_entry *dst;
|
2013-04-05 06:41:12 +00:00
|
|
|
int err;
|
2012-08-26 17:14:06 +00:00
|
|
|
|
2013-04-05 06:41:12 +00:00
|
|
|
err = xfrm_decode_session(skb, &fl, family);
|
2013-04-24 05:11:51 +00:00
|
|
|
if (err < 0)
|
2013-04-05 06:41:12 +00:00
|
|
|
return err;
|
2012-08-26 17:14:06 +00:00
|
|
|
|
|
|
|
|
dst = skb_dst(skb);
|
|
|
|
|
if (dst->xfrm)
|
|
|
|
|
dst = ((struct xfrm_dst *)dst)->route;
|
|
|
|
|
dst_hold(dst);
|
|
|
|
|
|
|
|
|
|
dst = xfrm_lookup(dev_net(dst->dev), dst, &fl, skb->sk, 0);
|
|
|
|
|
if (IS_ERR(dst))
|
2013-04-05 06:41:12 +00:00
|
|
|
return PTR_ERR(dst);
|
2012-08-26 17:14:06 +00:00
|
|
|
|
|
|
|
|
skb_dst_drop(skb);
|
|
|
|
|
skb_dst_set(skb, dst);
|
|
|
|
|
|
|
|
|
|
/* Change in oif may mean change in hh_len. */
|
|
|
|
|
hh_len = skb_dst(skb)->dev->hard_header_len;
|
|
|
|
|
if (skb_headroom(skb) < hh_len &&
|
|
|
|
|
pskb_expand_head(skb, hh_len - skb_headroom(skb), 0, GFP_ATOMIC))
|
2013-04-05 06:41:12 +00:00
|
|
|
return -ENOMEM;
|
2012-08-26 17:14:06 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nf_xfrm_me_harder);
|
|
|
|
|
#endif /* CONFIG_XFRM */
|
|
|
|
|
|
2006-12-03 06:07:13 +00:00
|
|
|
/* We keep an extra hash for each conntrack, for fast searching. */
|
|
|
|
|
static inline unsigned int
|
2010-02-15 17:13:33 +00:00
|
|
|
hash_by_src(const struct net *net, u16 zone,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2007-12-18 06:45:52 +00:00
|
|
|
unsigned int hash;
|
|
|
|
|
|
2006-12-03 06:07:13 +00:00
|
|
|
/* Original src, to ensure we map it consistently if poss. */
|
2012-08-26 17:14:06 +00:00
|
|
|
hash = jhash2((u32 *)&tuple->src, sizeof(tuple->src) / sizeof(u32),
|
|
|
|
|
tuple->dst.protonum ^ zone ^ nf_conntrack_hash_rnd);
|
|
|
|
|
return ((u64)hash * net->ct.nat_htable_size) >> 32;
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Is this tuple already taken? (not by us) */
|
|
|
|
|
int
|
|
|
|
|
nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const struct nf_conn *ignored_conntrack)
|
|
|
|
|
{
|
|
|
|
|
/* Conntrack tracking doesn't keep track of outgoing tuples; only
|
2012-08-26 17:14:06 +00:00
|
|
|
* incoming ones. NAT means they don't have a fixed mapping,
|
|
|
|
|
* so we invert the tuple and look for the incoming reply.
|
|
|
|
|
*
|
|
|
|
|
* We could keep a separate hash if this proves too slow.
|
|
|
|
|
*/
|
2006-12-03 06:07:13 +00:00
|
|
|
struct nf_conntrack_tuple reply;
|
|
|
|
|
|
|
|
|
|
nf_ct_invert_tuplepr(&reply, tuple);
|
|
|
|
|
return nf_conntrack_tuple_taken(&reply, ignored_conntrack);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nf_nat_used_tuple);
|
|
|
|
|
|
|
|
|
|
/* If we source map this tuple so reply looks like reply_tuple, will
|
2012-08-26 17:14:06 +00:00
|
|
|
* that meet the constraints of range.
|
|
|
|
|
*/
|
|
|
|
|
static int in_range(const struct nf_nat_l3proto *l3proto,
|
|
|
|
|
const struct nf_nat_l4proto *l4proto,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const struct nf_nat_range *range)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
|
|
|
|
/* If we are supposed to map IPs, then we must be in the
|
2012-08-26 17:14:06 +00:00
|
|
|
* range specified, otherwise let this drag us onto a new src IP.
|
|
|
|
|
*/
|
|
|
|
|
if (range->flags & NF_NAT_RANGE_MAP_IPS &&
|
|
|
|
|
!l3proto->in_range(tuple, range))
|
|
|
|
|
return 0;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2011-12-23 12:59:49 +00:00
|
|
|
if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) ||
|
2012-08-26 17:14:06 +00:00
|
|
|
l4proto->in_range(tuple, NF_NAT_MANIP_SRC,
|
|
|
|
|
&range->min_proto, &range->max_proto))
|
|
|
|
|
return 1;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
return 0;
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
|
same_src(const struct nf_conn *ct,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple)
|
|
|
|
|
{
|
|
|
|
|
const struct nf_conntrack_tuple *t;
|
|
|
|
|
|
|
|
|
|
t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
|
|
|
|
return (t->dst.protonum == tuple->dst.protonum &&
|
2012-08-26 17:14:06 +00:00
|
|
|
nf_inet_addr_cmp(&t->src.u3, &tuple->src.u3) &&
|
2006-12-03 06:07:13 +00:00
|
|
|
t->src.u.all == tuple->src.u.all);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Only called for SRC manip */
|
|
|
|
|
static int
|
2010-02-15 17:13:33 +00:00
|
|
|
find_appropriate_src(struct net *net, u16 zone,
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_l3proto *l3proto,
|
|
|
|
|
const struct nf_nat_l4proto *l4proto,
|
2008-10-08 09:35:11 +00:00
|
|
|
const struct nf_conntrack_tuple *tuple,
|
2006-12-03 06:07:13 +00:00
|
|
|
struct nf_conntrack_tuple *result,
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_range *range)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2010-02-15 17:13:33 +00:00
|
|
|
unsigned int h = hash_by_src(net, zone, tuple);
|
2008-04-14 09:15:42 +00:00
|
|
|
const struct nf_conn_nat *nat;
|
|
|
|
|
const struct nf_conn *ct;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry_rcu(nat, &net->ct.nat_bysource[h], bysource) {
|
2007-07-08 05:26:35 +00:00
|
|
|
ct = nat->ct;
|
2010-02-15 17:13:33 +00:00
|
|
|
if (same_src(ct, tuple) && nf_ct_zone(ct) == zone) {
|
2006-12-03 06:07:13 +00:00
|
|
|
/* Copy source part from reply tuple. */
|
|
|
|
|
nf_ct_invert_tuplepr(result,
|
|
|
|
|
&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
|
|
|
|
|
result->dst = tuple->dst;
|
|
|
|
|
|
2012-09-20 03:52:04 +00:00
|
|
|
if (in_range(l3proto, l4proto, result, range))
|
2006-12-03 06:07:13 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* For [FUTURE] fragmentation handling, we want the least-used
|
2012-08-26 17:14:06 +00:00
|
|
|
* src-ip/dst-ip/proto triple. Fairness doesn't come into it. Thus
|
|
|
|
|
* if the range specifies 1.2.3.4 ports 10000-10005 and 1.2.3.5 ports
|
|
|
|
|
* 1-65535, we don't do pro-rata allocation based on ports; we choose
|
|
|
|
|
* the ip with the lowest src-ip/dst-ip/proto usage.
|
|
|
|
|
*/
|
2006-12-03 06:07:13 +00:00
|
|
|
static void
|
2010-02-15 17:13:33 +00:00
|
|
|
find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_range *range,
|
2006-12-03 06:07:13 +00:00
|
|
|
const struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type maniptype)
|
|
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
union nf_inet_addr *var_ipp;
|
|
|
|
|
unsigned int i, max;
|
2006-12-03 06:07:13 +00:00
|
|
|
/* Host order */
|
2012-08-26 17:14:06 +00:00
|
|
|
u32 minip, maxip, j, dist;
|
|
|
|
|
bool full_range;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
/* No IP mapping? Do nothing. */
|
2011-12-23 12:59:49 +00:00
|
|
|
if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
|
2006-12-03 06:07:13 +00:00
|
|
|
return;
|
|
|
|
|
|
2011-12-23 12:59:49 +00:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC)
|
2012-08-26 17:14:06 +00:00
|
|
|
var_ipp = &tuple->src.u3;
|
2006-12-03 06:07:13 +00:00
|
|
|
else
|
2012-08-26 17:14:06 +00:00
|
|
|
var_ipp = &tuple->dst.u3;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
/* Fast path: only one choice. */
|
2012-08-26 17:14:06 +00:00
|
|
|
if (nf_inet_addr_cmp(&range->min_addr, &range->max_addr)) {
|
|
|
|
|
*var_ipp = range->min_addr;
|
2006-12-03 06:07:13 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
|
|
|
|
|
max = sizeof(var_ipp->ip) / sizeof(u32) - 1;
|
|
|
|
|
else
|
|
|
|
|
max = sizeof(var_ipp->ip6) / sizeof(u32) - 1;
|
|
|
|
|
|
2006-12-03 06:07:13 +00:00
|
|
|
/* Hashing source and destination IPs gives a fairly even
|
|
|
|
|
* spread in practice (if there are a small number of IPs
|
|
|
|
|
* involved, there usually aren't that many connections
|
|
|
|
|
* anyway). The consistency means that servers see the same
|
|
|
|
|
* client coming from the same IP (some Internet Banking sites
|
2012-08-26 17:14:06 +00:00
|
|
|
* like this), even across reboots.
|
|
|
|
|
*/
|
2012-09-05 10:10:28 +00:00
|
|
|
j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
|
2012-08-26 17:14:06 +00:00
|
|
|
range->flags & NF_NAT_RANGE_PERSISTENT ?
|
|
|
|
|
0 : (__force u32)tuple->dst.u3.all[max] ^ zone);
|
|
|
|
|
|
|
|
|
|
full_range = false;
|
|
|
|
|
for (i = 0; i <= max; i++) {
|
|
|
|
|
/* If first bytes of the address are at the maximum, use the
|
|
|
|
|
* distance. Otherwise use the full range.
|
|
|
|
|
*/
|
|
|
|
|
if (!full_range) {
|
|
|
|
|
minip = ntohl((__force __be32)range->min_addr.all[i]);
|
|
|
|
|
maxip = ntohl((__force __be32)range->max_addr.all[i]);
|
|
|
|
|
dist = maxip - minip + 1;
|
|
|
|
|
} else {
|
|
|
|
|
minip = 0;
|
|
|
|
|
dist = ~0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var_ipp->all[i] = (__force __u32)
|
|
|
|
|
htonl(minip + (((u64)j * dist) >> 32));
|
|
|
|
|
if (var_ipp->all[i] != range->max_addr.all[i])
|
|
|
|
|
full_range = true;
|
|
|
|
|
|
|
|
|
|
if (!(range->flags & NF_NAT_RANGE_PERSISTENT))
|
|
|
|
|
j ^= (__force u32)tuple->dst.u3.all[i];
|
|
|
|
|
}
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
/* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
|
|
|
|
|
* we change the source to map into the range. For NF_INET_PRE_ROUTING
|
2007-11-20 02:53:30 +00:00
|
|
|
* and NF_INET_LOCAL_OUT, we change the destination to map into the
|
2012-08-26 17:14:06 +00:00
|
|
|
* range. It might not be possible to get a unique tuple, but we try.
|
2006-12-03 06:07:13 +00:00
|
|
|
* At worst (or if we race), we will end up with a final duplicate in
|
|
|
|
|
* __ip_conntrack_confirm and drop the packet. */
|
|
|
|
|
static void
|
|
|
|
|
get_unique_tuple(struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const struct nf_conntrack_tuple *orig_tuple,
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_range *range,
|
2006-12-03 06:07:13 +00:00
|
|
|
struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type maniptype)
|
|
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_l3proto *l3proto;
|
|
|
|
|
const struct nf_nat_l4proto *l4proto;
|
2008-10-08 09:35:11 +00:00
|
|
|
struct net *net = nf_ct_net(ct);
|
2010-02-15 17:13:33 +00:00
|
|
|
u16 zone = nf_ct_zone(ct);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
|
l3proto = __nf_nat_l3proto_find(orig_tuple->src.l3num);
|
|
|
|
|
l4proto = __nf_nat_l4proto_find(orig_tuple->src.l3num,
|
|
|
|
|
orig_tuple->dst.protonum);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
/* 1) If this srcip/proto/src-proto-part is currently mapped,
|
|
|
|
|
* and that same mapping gives a unique tuple within the given
|
|
|
|
|
* range, use that.
|
|
|
|
|
*
|
|
|
|
|
* This is only required for source (ie. NAT/masq) mappings.
|
|
|
|
|
* So far, we don't do local source mappings, so multiple
|
|
|
|
|
* manips not an issue.
|
|
|
|
|
*/
|
2011-12-23 12:59:49 +00:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC &&
|
netfilter: nf_nat: add full port randomization support
We currently use prandom_u32() for allocation of ports in tcp bind(0)
and udp code. In case of plain SNAT we try to keep the ports as is
or increment on collision.
SNAT --random mode does use per-destination incrementing port
allocation. As a recent paper pointed out in [1] that this mode of
port allocation makes it possible to an attacker to find the randomly
allocated ports through a timing side-channel in a socket overloading
attack conducted through an off-path attacker.
So, NF_NAT_RANGE_PROTO_RANDOM actually weakens the port randomization
in regard to the attack described in this paper. As we need to keep
compatibility, add another flag called NF_NAT_RANGE_PROTO_RANDOM_FULLY
that would replace the NF_NAT_RANGE_PROTO_RANDOM hash-based port
selection algorithm with a simple prandom_u32() in order to mitigate
this attack vector. Note that the lfsr113's internal state is
periodically reseeded by the kernel through a local secure entropy
source.
More details can be found in [1], the basic idea is to send bursts
of packets to a socket to overflow its receive queue and measure
the latency to detect a possible retransmit when the port is found.
Because of increasing ports to given destination and port, further
allocations can be predicted. This information could then be used by
an attacker for e.g. for cache-poisoning, NS pinning, and degradation
of service attacks against DNS servers [1]:
The best defense against the poisoning attacks is to properly
deploy and validate DNSSEC; DNSSEC provides security not only
against off-path attacker but even against MitM attacker. We hope
that our results will help motivate administrators to adopt DNSSEC.
However, full DNSSEC deployment make take significant time, and
until that happens, we recommend short-term, non-cryptographic
defenses. We recommend to support full port randomisation,
according to practices recommended in [2], and to avoid
per-destination sequential port allocation, which we show may be
vulnerable to derandomisation attacks.
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://arxiv.org/pdf/1205.5190v1.pdf
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-12-20 21:40:29 +00:00
|
|
|
!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
|
2011-01-20 14:49:52 +00:00
|
|
|
/* try the original tuple first */
|
2012-08-26 17:14:06 +00:00
|
|
|
if (in_range(l3proto, l4proto, orig_tuple, range)) {
|
2011-01-20 14:49:52 +00:00
|
|
|
if (!nf_nat_used_tuple(orig_tuple, ct)) {
|
|
|
|
|
*tuple = *orig_tuple;
|
2012-08-26 17:14:06 +00:00
|
|
|
goto out;
|
2011-01-20 14:49:52 +00:00
|
|
|
}
|
2012-08-26 17:14:06 +00:00
|
|
|
} else if (find_appropriate_src(net, zone, l3proto, l4proto,
|
|
|
|
|
orig_tuple, tuple, range)) {
|
2007-07-08 05:39:38 +00:00
|
|
|
pr_debug("get_unique_tuple: Found current src map\n");
|
2008-07-21 17:00:51 +00:00
|
|
|
if (!nf_nat_used_tuple(tuple, ct))
|
2012-08-26 17:14:06 +00:00
|
|
|
goto out;
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
/* 2) Select the least-used IP/proto combination in the given range */
|
2006-12-03 06:07:13 +00:00
|
|
|
*tuple = *orig_tuple;
|
2010-02-15 17:13:33 +00:00
|
|
|
find_best_ips_proto(zone, tuple, range, ct, maniptype);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
/* 3) The per-protocol part of the manip is made to map into
|
2012-08-26 17:14:06 +00:00
|
|
|
* the range to make a unique tuple.
|
|
|
|
|
*/
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
/* Only bother mapping if it's not already in range and unique */
|
netfilter: nf_nat: add full port randomization support
We currently use prandom_u32() for allocation of ports in tcp bind(0)
and udp code. In case of plain SNAT we try to keep the ports as is
or increment on collision.
SNAT --random mode does use per-destination incrementing port
allocation. As a recent paper pointed out in [1] that this mode of
port allocation makes it possible to an attacker to find the randomly
allocated ports through a timing side-channel in a socket overloading
attack conducted through an off-path attacker.
So, NF_NAT_RANGE_PROTO_RANDOM actually weakens the port randomization
in regard to the attack described in this paper. As we need to keep
compatibility, add another flag called NF_NAT_RANGE_PROTO_RANDOM_FULLY
that would replace the NF_NAT_RANGE_PROTO_RANDOM hash-based port
selection algorithm with a simple prandom_u32() in order to mitigate
this attack vector. Note that the lfsr113's internal state is
periodically reseeded by the kernel through a local secure entropy
source.
More details can be found in [1], the basic idea is to send bursts
of packets to a socket to overflow its receive queue and measure
the latency to detect a possible retransmit when the port is found.
Because of increasing ports to given destination and port, further
allocations can be predicted. This information could then be used by
an attacker for e.g. for cache-poisoning, NS pinning, and degradation
of service attacks against DNS servers [1]:
The best defense against the poisoning attacks is to properly
deploy and validate DNSSEC; DNSSEC provides security not only
against off-path attacker but even against MitM attacker. We hope
that our results will help motivate administrators to adopt DNSSEC.
However, full DNSSEC deployment make take significant time, and
until that happens, we recommend short-term, non-cryptographic
defenses. We recommend to support full port randomisation,
according to practices recommended in [2], and to avoid
per-destination sequential port allocation, which we show may be
vulnerable to derandomisation attacks.
Joint work between Hannes Frederic Sowa and Daniel Borkmann.
[1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
[2] http://arxiv.org/pdf/1205.5190v1.pdf
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-12-20 21:40:29 +00:00
|
|
|
if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
|
2011-12-23 12:59:49 +00:00
|
|
|
if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
|
2012-08-26 17:14:06 +00:00
|
|
|
if (l4proto->in_range(tuple, maniptype,
|
|
|
|
|
&range->min_proto,
|
|
|
|
|
&range->max_proto) &&
|
|
|
|
|
(range->min_proto.all == range->max_proto.all ||
|
2010-09-16 17:45:19 +00:00
|
|
|
!nf_nat_used_tuple(tuple, ct)))
|
|
|
|
|
goto out;
|
|
|
|
|
} else if (!nf_nat_used_tuple(tuple, ct)) {
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
/* Last change: get protocol to try to obtain unique tuple. */
|
2012-08-26 17:14:06 +00:00
|
|
|
l4proto->unique_tuple(l3proto, tuple, range, maniptype, ct);
|
2007-02-12 19:12:26 +00:00
|
|
|
out:
|
|
|
|
|
rcu_read_unlock();
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unsigned int
|
|
|
|
|
nf_nat_setup_info(struct nf_conn *ct,
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_range *range,
|
2007-12-18 06:38:20 +00:00
|
|
|
enum nf_nat_manip_type maniptype)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2008-10-08 09:35:11 +00:00
|
|
|
struct net *net = nf_ct_net(ct);
|
2006-12-03 06:07:13 +00:00
|
|
|
struct nf_conntrack_tuple curr_tuple, new_tuple;
|
2007-07-08 05:24:28 +00:00
|
|
|
struct nf_conn_nat *nat;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2007-07-08 05:24:28 +00:00
|
|
|
/* nat helper or nfctnetlink also setup binding */
|
|
|
|
|
nat = nfct_nat(ct);
|
|
|
|
|
if (!nat) {
|
|
|
|
|
nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
|
|
|
|
|
if (nat == NULL) {
|
2007-07-08 05:39:38 +00:00
|
|
|
pr_debug("failed to add NAT extension\n");
|
2007-07-08 05:24:28 +00:00
|
|
|
return NF_ACCEPT;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-23 12:59:49 +00:00
|
|
|
NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
|
|
|
|
|
maniptype == NF_NAT_MANIP_DST);
|
2006-12-03 06:07:13 +00:00
|
|
|
BUG_ON(nf_nat_initialized(ct, maniptype));
|
|
|
|
|
|
|
|
|
|
/* What we've got will look like inverse of reply. Normally
|
2012-08-26 17:14:06 +00:00
|
|
|
* this is what is in the conntrack, except for prior
|
|
|
|
|
* manipulations (future optimization: if num_manips == 0,
|
|
|
|
|
* orig_tp = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
|
|
|
|
|
*/
|
2006-12-03 06:07:13 +00:00
|
|
|
nf_ct_invert_tuplepr(&curr_tuple,
|
|
|
|
|
&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
|
|
|
|
|
|
|
|
|
|
get_unique_tuple(&new_tuple, &curr_tuple, range, ct, maniptype);
|
|
|
|
|
|
|
|
|
|
if (!nf_ct_tuple_equal(&new_tuple, &curr_tuple)) {
|
|
|
|
|
struct nf_conntrack_tuple reply;
|
|
|
|
|
|
|
|
|
|
/* Alter conntrack table so will recognize replies. */
|
|
|
|
|
nf_ct_invert_tuplepr(&reply, &new_tuple);
|
|
|
|
|
nf_conntrack_alter_reply(ct, &reply);
|
|
|
|
|
|
|
|
|
|
/* Non-atomic: we own this at the moment. */
|
2011-12-23 12:59:49 +00:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC)
|
2006-12-03 06:07:13 +00:00
|
|
|
ct->status |= IPS_SRC_NAT;
|
|
|
|
|
else
|
|
|
|
|
ct->status |= IPS_DST_NAT;
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-23 12:59:49 +00:00
|
|
|
if (maniptype == NF_NAT_MANIP_SRC) {
|
2006-12-03 06:07:13 +00:00
|
|
|
unsigned int srchash;
|
|
|
|
|
|
2010-02-15 17:13:33 +00:00
|
|
|
srchash = hash_by_src(net, nf_ct_zone(ct),
|
|
|
|
|
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
|
2008-01-31 12:43:06 +00:00
|
|
|
spin_lock_bh(&nf_nat_lock);
|
2012-08-26 17:14:06 +00:00
|
|
|
/* nf_conntrack_alter_reply might re-allocate extension aera */
|
2007-07-08 05:26:35 +00:00
|
|
|
nat = nfct_nat(ct);
|
|
|
|
|
nat->ct = ct;
|
2008-10-08 09:35:11 +00:00
|
|
|
hlist_add_head_rcu(&nat->bysource,
|
2012-08-26 17:14:06 +00:00
|
|
|
&net->ct.nat_bysource[srchash]);
|
2008-01-31 12:43:06 +00:00
|
|
|
spin_unlock_bh(&nf_nat_lock);
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* It's done. */
|
2011-12-23 12:59:49 +00:00
|
|
|
if (maniptype == NF_NAT_MANIP_DST)
|
2011-01-18 14:02:48 +00:00
|
|
|
ct->status |= IPS_DST_NAT_DONE;
|
2006-12-03 06:07:13 +00:00
|
|
|
else
|
2011-01-18 14:02:48 +00:00
|
|
|
ct->status |= IPS_SRC_NAT_DONE;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
return NF_ACCEPT;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nf_nat_setup_info);
|
|
|
|
|
|
|
|
|
|
/* Do packet manipulations according to nf_nat_setup_info. */
|
|
|
|
|
unsigned int nf_nat_packet(struct nf_conn *ct,
|
|
|
|
|
enum ip_conntrack_info ctinfo,
|
|
|
|
|
unsigned int hooknum,
|
2007-10-15 07:53:15 +00:00
|
|
|
struct sk_buff *skb)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_l3proto *l3proto;
|
|
|
|
|
const struct nf_nat_l4proto *l4proto;
|
2006-12-03 06:07:13 +00:00
|
|
|
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
|
|
|
|
unsigned long statusbit;
|
|
|
|
|
enum nf_nat_manip_type mtype = HOOK2MANIP(hooknum);
|
|
|
|
|
|
2011-12-23 12:59:49 +00:00
|
|
|
if (mtype == NF_NAT_MANIP_SRC)
|
2006-12-03 06:07:13 +00:00
|
|
|
statusbit = IPS_SRC_NAT;
|
|
|
|
|
else
|
|
|
|
|
statusbit = IPS_DST_NAT;
|
|
|
|
|
|
|
|
|
|
/* Invert if this is reply dir. */
|
|
|
|
|
if (dir == IP_CT_DIR_REPLY)
|
|
|
|
|
statusbit ^= IPS_NAT_MASK;
|
|
|
|
|
|
|
|
|
|
/* Non-atomic: these bits don't change. */
|
|
|
|
|
if (ct->status & statusbit) {
|
|
|
|
|
struct nf_conntrack_tuple target;
|
|
|
|
|
|
|
|
|
|
/* We are aiming to look like inverse of other direction. */
|
|
|
|
|
nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
l3proto = __nf_nat_l3proto_find(target.src.l3num);
|
|
|
|
|
l4proto = __nf_nat_l4proto_find(target.src.l3num,
|
|
|
|
|
target.dst.protonum);
|
|
|
|
|
if (!l3proto->manip_pkt(skb, 0, l4proto, &target, mtype))
|
2006-12-03 06:07:13 +00:00
|
|
|
return NF_DROP;
|
|
|
|
|
}
|
|
|
|
|
return NF_ACCEPT;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_packet);
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
struct nf_nat_proto_clean {
|
|
|
|
|
u8 l3proto;
|
|
|
|
|
u8 l4proto;
|
|
|
|
|
};
|
|
|
|
|
|
2013-04-11 04:22:39 +00:00
|
|
|
/* kill conntracks with affected NAT section */
|
|
|
|
|
static int nf_nat_proto_remove(struct nf_conn *i, void *data)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_proto_clean *clean = data;
|
|
|
|
|
struct nf_conn_nat *nat = nfct_nat(i);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
if (!nat)
|
2006-12-03 06:07:13 +00:00
|
|
|
return 0;
|
2013-04-11 04:22:39 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) ||
|
|
|
|
|
(clean->l4proto && nf_ct_protonum(i) != clean->l4proto))
|
2006-12-03 06:07:13 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2013-04-11 04:22:39 +00:00
|
|
|
return i->status & IPS_NAT_MASK ? 1 : 0;
|
2012-08-26 17:14:06 +00:00
|
|
|
}
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2014-06-07 19:17:04 +00:00
|
|
|
static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct nf_conn_nat *nat = nfct_nat(ct);
|
|
|
|
|
|
|
|
|
|
if (nf_nat_proto_remove(ct, data))
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
if (!nat || !nat->ct)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* This netns is being destroyed, and conntrack has nat null binding.
|
|
|
|
|
* Remove it from bysource hash, as the table will be freed soon.
|
|
|
|
|
*
|
|
|
|
|
* Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack()
|
|
|
|
|
* will delete entry from already-freed table.
|
|
|
|
|
*/
|
|
|
|
|
if (!del_timer(&ct->timeout))
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&nf_nat_lock);
|
|
|
|
|
hlist_del_rcu(&nat->bysource);
|
|
|
|
|
ct->status &= ~IPS_NAT_DONE_MASK;
|
|
|
|
|
nat->ct = NULL;
|
|
|
|
|
spin_unlock_bh(&nf_nat_lock);
|
|
|
|
|
|
|
|
|
|
add_timer(&ct->timeout);
|
|
|
|
|
|
|
|
|
|
/* don't delete conntrack. Although that would make things a lot
|
|
|
|
|
* simpler, we'd end up flushing all conntracks on nat rmmod.
|
|
|
|
|
*/
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
|
|
|
|
|
{
|
|
|
|
|
struct nf_nat_proto_clean clean = {
|
|
|
|
|
.l3proto = l3proto,
|
|
|
|
|
.l4proto = l4proto,
|
|
|
|
|
};
|
|
|
|
|
struct net *net;
|
|
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
|
for_each_net(net)
|
2013-04-11 04:22:39 +00:00
|
|
|
nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
|
2012-08-26 17:14:06 +00:00
|
|
|
rtnl_unlock();
|
|
|
|
|
}
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
static void nf_nat_l3proto_clean(u8 l3proto)
|
|
|
|
|
{
|
|
|
|
|
struct nf_nat_proto_clean clean = {
|
|
|
|
|
.l3proto = l3proto,
|
|
|
|
|
};
|
|
|
|
|
struct net *net;
|
|
|
|
|
|
|
|
|
|
rtnl_lock();
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
for_each_net(net)
|
2013-04-11 04:22:39 +00:00
|
|
|
nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
|
2012-08-26 17:14:06 +00:00
|
|
|
rtnl_unlock();
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Protocol registration. */
|
2012-08-26 17:14:06 +00:00
|
|
|
int nf_nat_l4proto_register(u8 l3proto, const struct nf_nat_l4proto *l4proto)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_l4proto **l4protos;
|
|
|
|
|
unsigned int i;
|
2006-12-03 06:07:13 +00:00
|
|
|
int ret = 0;
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
if (nf_nat_l4protos[l3proto] == NULL) {
|
|
|
|
|
l4protos = kmalloc(IPPROTO_MAX * sizeof(struct nf_nat_l4proto *),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (l4protos == NULL) {
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < IPPROTO_MAX; i++)
|
|
|
|
|
RCU_INIT_POINTER(l4protos[i], &nf_nat_l4proto_unknown);
|
|
|
|
|
|
|
|
|
|
/* Before making proto_array visible to lockless readers,
|
|
|
|
|
* we must make sure its content is committed to memory.
|
|
|
|
|
*/
|
|
|
|
|
smp_wmb();
|
|
|
|
|
|
|
|
|
|
nf_nat_l4protos[l3proto] = l4protos;
|
|
|
|
|
}
|
|
|
|
|
|
2010-11-15 17:43:59 +00:00
|
|
|
if (rcu_dereference_protected(
|
2012-08-26 17:14:06 +00:00
|
|
|
nf_nat_l4protos[l3proto][l4proto->l4proto],
|
|
|
|
|
lockdep_is_held(&nf_nat_proto_mutex)
|
|
|
|
|
) != &nf_nat_l4proto_unknown) {
|
2006-12-03 06:07:13 +00:00
|
|
|
ret = -EBUSY;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2012-08-26 17:14:06 +00:00
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto][l4proto->l4proto], l4proto);
|
2006-12-03 06:07:13 +00:00
|
|
|
out:
|
2012-08-26 17:14:06 +00:00
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
2006-12-03 06:07:13 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
2012-08-26 17:14:06 +00:00
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l4proto_register);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2011-03-31 01:57:33 +00:00
|
|
|
/* No one stores the protocol anywhere; simply delete it. */
|
2012-08-26 17:14:06 +00:00
|
|
|
void nf_nat_l4proto_unregister(u8 l3proto, const struct nf_nat_l4proto *l4proto)
|
2006-12-03 06:07:13 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto][l4proto->l4proto],
|
|
|
|
|
&nf_nat_l4proto_unknown);
|
|
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
2007-02-12 19:12:26 +00:00
|
|
|
synchronize_rcu();
|
2012-08-26 17:14:06 +00:00
|
|
|
|
|
|
|
|
nf_nat_l4proto_clean(l3proto, l4proto->l4proto);
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
2012-08-26 17:14:06 +00:00
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l4proto_unregister);
|
|
|
|
|
|
|
|
|
|
int nf_nat_l3proto_register(const struct nf_nat_l3proto *l3proto)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = nf_ct_l3proto_try_module_get(l3proto->l3proto);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_TCP],
|
|
|
|
|
&nf_nat_l4proto_tcp);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l4protos[l3proto->l3proto][IPPROTO_UDP],
|
|
|
|
|
&nf_nat_l4proto_udp);
|
|
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
|
|
|
|
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l3protos[l3proto->l3proto], l3proto);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l3proto_register);
|
|
|
|
|
|
|
|
|
|
void nf_nat_l3proto_unregister(const struct nf_nat_l3proto *l3proto)
|
|
|
|
|
{
|
|
|
|
|
mutex_lock(&nf_nat_proto_mutex);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_l3protos[l3proto->l3proto], NULL);
|
|
|
|
|
mutex_unlock(&nf_nat_proto_mutex);
|
|
|
|
|
synchronize_rcu();
|
|
|
|
|
|
|
|
|
|
nf_nat_l3proto_clean(l3proto->l3proto);
|
|
|
|
|
nf_ct_l3proto_module_put(l3proto->l3proto);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_nat_l3proto_unregister);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2011-03-31 01:57:33 +00:00
|
|
|
/* No one using conntrack by the time this called. */
|
2007-07-08 05:26:16 +00:00
|
|
|
static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
|
|
|
|
|
{
|
|
|
|
|
struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT);
|
|
|
|
|
|
2007-07-08 05:26:35 +00:00
|
|
|
if (nat == NULL || nat->ct == NULL)
|
2007-07-08 05:26:16 +00:00
|
|
|
return;
|
|
|
|
|
|
2011-01-20 14:49:52 +00:00
|
|
|
NF_CT_ASSERT(nat->ct->status & IPS_SRC_NAT_DONE);
|
2007-07-08 05:26:16 +00:00
|
|
|
|
2008-01-31 12:43:06 +00:00
|
|
|
spin_lock_bh(&nf_nat_lock);
|
2008-01-31 12:42:37 +00:00
|
|
|
hlist_del_rcu(&nat->bysource);
|
2008-01-31 12:43:06 +00:00
|
|
|
spin_unlock_bh(&nf_nat_lock);
|
2007-07-08 05:26:16 +00:00
|
|
|
}
|
|
|
|
|
|
2008-02-08 01:56:34 +00:00
|
|
|
static void nf_nat_move_storage(void *new, void *old)
|
2007-07-08 05:24:28 +00:00
|
|
|
{
|
2008-02-08 01:56:34 +00:00
|
|
|
struct nf_conn_nat *new_nat = new;
|
|
|
|
|
struct nf_conn_nat *old_nat = old;
|
2007-07-08 05:26:35 +00:00
|
|
|
struct nf_conn *ct = old_nat->ct;
|
2007-07-08 05:24:28 +00:00
|
|
|
|
2011-01-20 14:49:52 +00:00
|
|
|
if (!ct || !(ct->status & IPS_SRC_NAT_DONE))
|
2007-07-08 05:24:28 +00:00
|
|
|
return;
|
|
|
|
|
|
2008-01-31 12:43:06 +00:00
|
|
|
spin_lock_bh(&nf_nat_lock);
|
2008-06-17 22:51:47 +00:00
|
|
|
hlist_replace_rcu(&old_nat->bysource, &new_nat->bysource);
|
2008-01-31 12:43:06 +00:00
|
|
|
spin_unlock_bh(&nf_nat_lock);
|
2007-07-08 05:24:28 +00:00
|
|
|
}
|
|
|
|
|
|
2007-07-08 05:27:06 +00:00
|
|
|
static struct nf_ct_ext_type nat_extend __read_mostly = {
|
2007-07-08 05:26:16 +00:00
|
|
|
.len = sizeof(struct nf_conn_nat),
|
|
|
|
|
.align = __alignof__(struct nf_conn_nat),
|
|
|
|
|
.destroy = nf_nat_cleanup_conntrack,
|
|
|
|
|
.move = nf_nat_move_storage,
|
|
|
|
|
.id = NF_CT_EXT_NAT,
|
|
|
|
|
.flags = NF_CT_EXT_F_PREALLOC,
|
2007-07-08 05:24:28 +00:00
|
|
|
};
|
|
|
|
|
|
2008-10-14 18:58:31 +00:00
|
|
|
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
|
|
|
|
|
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
|
#include <linux/netfilter/nfnetlink_conntrack.h>
|
|
|
|
|
|
|
|
|
|
static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
|
|
|
|
|
[CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
|
|
|
|
|
[CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int nfnetlink_parse_nat_proto(struct nlattr *attr,
|
|
|
|
|
const struct nf_conn *ct,
|
2012-08-26 17:14:06 +00:00
|
|
|
struct nf_nat_range *range)
|
2008-10-14 18:58:31 +00:00
|
|
|
{
|
|
|
|
|
struct nlattr *tb[CTA_PROTONAT_MAX+1];
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_l4proto *l4proto;
|
2008-10-14 18:58:31 +00:00
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
l4proto = __nf_nat_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
|
|
|
|
|
if (l4proto->nlattr_to_range)
|
|
|
|
|
err = l4proto->nlattr_to_range(tb, range);
|
|
|
|
|
|
2008-10-14 18:58:31 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
|
2012-08-26 17:14:06 +00:00
|
|
|
[CTA_NAT_V4_MINIP] = { .type = NLA_U32 },
|
|
|
|
|
[CTA_NAT_V4_MAXIP] = { .type = NLA_U32 },
|
2012-08-26 17:14:12 +00:00
|
|
|
[CTA_NAT_V6_MINIP] = { .len = sizeof(struct in6_addr) },
|
|
|
|
|
[CTA_NAT_V6_MAXIP] = { .len = sizeof(struct in6_addr) },
|
2011-12-23 13:00:30 +00:00
|
|
|
[CTA_NAT_PROTO] = { .type = NLA_NESTED },
|
2008-10-14 18:58:31 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int
|
2009-08-25 14:07:58 +00:00
|
|
|
nfnetlink_parse_nat(const struct nlattr *nat,
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_conn *ct, struct nf_nat_range *range)
|
2008-10-14 18:58:31 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
const struct nf_nat_l3proto *l3proto;
|
2008-10-14 18:58:31 +00:00
|
|
|
struct nlattr *tb[CTA_NAT_MAX+1];
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
memset(range, 0, sizeof(*range));
|
|
|
|
|
|
|
|
|
|
err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
|
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
|
|
|
|
|
if (l3proto == NULL) {
|
|
|
|
|
err = -EAGAIN;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
err = l3proto->nlattr_to_range(tb, range);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
goto out;
|
2008-10-14 18:58:31 +00:00
|
|
|
|
|
|
|
|
if (!tb[CTA_NAT_PROTO])
|
2012-08-26 17:14:06 +00:00
|
|
|
goto out;
|
2008-10-14 18:58:31 +00:00
|
|
|
|
|
|
|
|
err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
|
2012-08-26 17:14:06 +00:00
|
|
|
out:
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return err;
|
2008-10-14 18:58:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
nfnetlink_parse_nat_setup(struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type manip,
|
2009-08-25 14:07:58 +00:00
|
|
|
const struct nlattr *attr)
|
2008-10-14 18:58:31 +00:00
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
struct nf_nat_range range;
|
|
|
|
|
int err;
|
2008-10-14 18:58:31 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
err = nfnetlink_parse_nat(attr, ct, &range);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
2008-10-14 18:58:31 +00:00
|
|
|
if (nf_nat_initialized(ct, manip))
|
|
|
|
|
return -EEXIST;
|
|
|
|
|
|
|
|
|
|
return nf_nat_setup_info(ct, &range, manip);
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
static int
|
|
|
|
|
nfnetlink_parse_nat_setup(struct nf_conn *ct,
|
|
|
|
|
enum nf_nat_manip_type manip,
|
2009-08-25 14:07:58 +00:00
|
|
|
const struct nlattr *attr)
|
2008-10-14 18:58:31 +00:00
|
|
|
{
|
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-10-08 09:35:11 +00:00
|
|
|
static int __net_init nf_nat_net_init(struct net *net)
|
|
|
|
|
{
|
2010-02-08 19:18:07 +00:00
|
|
|
/* Leave them the same for the moment. */
|
2012-08-26 17:14:06 +00:00
|
|
|
net->ct.nat_htable_size = net->ct.htable_size;
|
|
|
|
|
net->ct.nat_bysource = nf_ct_alloc_hashtable(&net->ct.nat_htable_size, 0);
|
|
|
|
|
if (!net->ct.nat_bysource)
|
2008-10-08 09:35:11 +00:00
|
|
|
return -ENOMEM;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __net_exit nf_nat_net_exit(struct net *net)
|
|
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
struct nf_nat_proto_clean clean = {};
|
|
|
|
|
|
2014-06-07 19:17:04 +00:00
|
|
|
nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
|
2008-10-08 09:35:11 +00:00
|
|
|
synchronize_rcu();
|
2012-08-26 17:14:06 +00:00
|
|
|
nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
|
2008-10-08 09:35:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct pernet_operations nf_nat_net_ops = {
|
|
|
|
|
.init = nf_nat_net_init,
|
|
|
|
|
.exit = nf_nat_net_exit,
|
|
|
|
|
};
|
|
|
|
|
|
2012-02-05 02:44:51 +00:00
|
|
|
static struct nf_ct_helper_expectfn follow_master_nat = {
|
|
|
|
|
.name = "nat-follow-master",
|
|
|
|
|
.expectfn = nf_nat_follow_master,
|
|
|
|
|
};
|
|
|
|
|
|
2012-06-20 18:52:31 +00:00
|
|
|
static struct nfq_ct_nat_hook nfq_ct_nat = {
|
|
|
|
|
.seq_adjust = nf_nat_tcp_seq_adjust,
|
|
|
|
|
};
|
|
|
|
|
|
2006-12-03 06:07:13 +00:00
|
|
|
static int __init nf_nat_init(void)
|
|
|
|
|
{
|
2007-07-08 05:24:28 +00:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
ret = nf_ct_extend_register(&nat_extend);
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
printk(KERN_ERR "nf_nat_core: Unable to register extension\n");
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2008-10-08 09:35:11 +00:00
|
|
|
ret = register_pernet_subsys(&nf_nat_net_ops);
|
|
|
|
|
if (ret < 0)
|
2007-07-08 05:24:28 +00:00
|
|
|
goto cleanup_extend;
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
nf_ct_helper_expectfn_register(&follow_master_nat);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
|
|
|
|
/* Initialize fake conntrack so that NAT will skip it */
|
2010-06-08 14:09:52 +00:00
|
|
|
nf_ct_untracked_status_or(IPS_NAT_DONE_MASK);
|
2006-12-03 06:07:13 +00:00
|
|
|
|
2008-04-14 09:15:52 +00:00
|
|
|
BUG_ON(nf_nat_seq_adjust_hook != NULL);
|
2011-08-01 16:19:00 +00:00
|
|
|
RCU_INIT_POINTER(nf_nat_seq_adjust_hook, nf_nat_seq_adjust);
|
2008-10-14 18:58:31 +00:00
|
|
|
BUG_ON(nfnetlink_parse_nat_setup_hook != NULL);
|
2011-08-01 16:19:00 +00:00
|
|
|
RCU_INIT_POINTER(nfnetlink_parse_nat_setup_hook,
|
2008-10-14 18:58:31 +00:00
|
|
|
nfnetlink_parse_nat_setup);
|
2009-11-06 08:43:42 +00:00
|
|
|
BUG_ON(nf_ct_nat_offset != NULL);
|
2011-08-01 16:19:00 +00:00
|
|
|
RCU_INIT_POINTER(nf_ct_nat_offset, nf_nat_get_offset);
|
2012-06-20 18:52:31 +00:00
|
|
|
RCU_INIT_POINTER(nfq_ct_nat_hook, &nfq_ct_nat);
|
2012-08-26 17:14:06 +00:00
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
BUG_ON(nf_nat_decode_session_hook != NULL);
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_decode_session_hook, __nf_nat_decode_session);
|
|
|
|
|
#endif
|
2006-12-03 06:07:13 +00:00
|
|
|
return 0;
|
2007-07-08 05:24:28 +00:00
|
|
|
|
|
|
|
|
cleanup_extend:
|
|
|
|
|
nf_ct_extend_unregister(&nat_extend);
|
|
|
|
|
return ret;
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit nf_nat_cleanup(void)
|
|
|
|
|
{
|
2012-08-26 17:14:06 +00:00
|
|
|
unsigned int i;
|
|
|
|
|
|
2008-10-08 09:35:11 +00:00
|
|
|
unregister_pernet_subsys(&nf_nat_net_ops);
|
2007-07-08 05:24:28 +00:00
|
|
|
nf_ct_extend_unregister(&nat_extend);
|
2012-02-05 02:44:51 +00:00
|
|
|
nf_ct_helper_expectfn_unregister(&follow_master_nat);
|
2011-08-01 16:19:00 +00:00
|
|
|
RCU_INIT_POINTER(nf_nat_seq_adjust_hook, NULL);
|
|
|
|
|
RCU_INIT_POINTER(nfnetlink_parse_nat_setup_hook, NULL);
|
|
|
|
|
RCU_INIT_POINTER(nf_ct_nat_offset, NULL);
|
2012-06-20 18:52:31 +00:00
|
|
|
RCU_INIT_POINTER(nfq_ct_nat_hook, NULL);
|
2012-08-26 17:14:06 +00:00
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
|
|
|
|
|
#endif
|
netfilter: invoke synchronize_rcu after set the _hook_ to NULL
commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b upstream.
Otherwise, another CPU may access the invalid pointer. For example:
CPU0 CPU1
- rcu_read_lock();
- pfunc = _hook_;
_hook_ = NULL; -
mod unload -
- pfunc(); // invalid, panic
- rcu_read_unlock();
So we must call synchronize_rcu() to wait the rcu reader to finish.
Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.
Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-03-25 00:53:12 +00:00
|
|
|
synchronize_rcu();
|
|
|
|
|
|
2012-08-26 17:14:06 +00:00
|
|
|
for (i = 0; i < NFPROTO_NUMPROTO; i++)
|
|
|
|
|
kfree(nf_nat_l4protos[i]);
|
2008-04-14 09:15:52 +00:00
|
|
|
synchronize_net();
|
2006-12-03 06:07:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
|
|
|
|
|
module_init(nf_nat_init);
|
|
|
|
|
module_exit(nf_nat_cleanup);
|
