net/netfilter/xt_NETMAP.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * (C) 2000-2001 Svenning Soerensen <svenning@post5.tele.dk>
  * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
  */

 #include <linux/ip.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/ipv6.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <net/netfilter/nf_nat.h>

 static unsigned int
 netmap_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct nf_nat_range2 *range = par->targinfo;
 	struct nf_nat_range2 newrange;
 	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
 	union nf_inet_addr new_addr, netmask;
 	unsigned int i;

 	ct = nf_ct_get(skb, &ctinfo);
 	for (i = 0; i < ARRAY_SIZE(range->min_addr.ip6); i++)
 		netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
 				   range->max_addr.ip6[i]);

 	if (xt_hooknum(par) == NF_INET_PRE_ROUTING ||
 	    xt_hooknum(par) == NF_INET_LOCAL_OUT)
 		new_addr.in6 = ipv6_hdr(skb)->daddr;
 	else
 		new_addr.in6 = ipv6_hdr(skb)->saddr;

 	for (i = 0; i < ARRAY_SIZE(new_addr.ip6); i++) {
 		new_addr.ip6[i] &= ~netmask.ip6[i];
 		new_addr.ip6[i] |= range->min_addr.ip6[i] &
 				   netmask.ip6[i];
 	}

 	newrange.flags	= range->flags | NF_NAT_RANGE_MAP_IPS;
 	newrange.min_addr	= new_addr;
 	newrange.max_addr	= new_addr;
 	newrange.min_proto	= range->min_proto;
 	newrange.max_proto	= range->max_proto;

 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(xt_hooknum(par)));
 }

 static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
 {
 	const struct nf_nat_range2 *range = par->targinfo;

 	if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
 		return -EINVAL;
 	return nf_ct_netns_get(par->net, par->family);
 }

 static void netmap_tg_destroy(const struct xt_tgdtor_param *par)
 {
 	nf_ct_netns_put(par->net, par->family);
 }

 static unsigned int
 netmap_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
 	__be32 new_ip, netmask;
 	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
 	struct nf_nat_range2 newrange;

 	WARN_ON(xt_hooknum(par) != NF_INET_PRE_ROUTING &&
 		xt_hooknum(par) != NF_INET_POST_ROUTING &&
 		xt_hooknum(par) != NF_INET_LOCAL_OUT &&
 		xt_hooknum(par) != NF_INET_LOCAL_IN);
 	ct = nf_ct_get(skb, &ctinfo);

 	netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);

 	if (xt_hooknum(par) == NF_INET_PRE_ROUTING ||
 	    xt_hooknum(par) == NF_INET_LOCAL_OUT)
 		new_ip = ip_hdr(skb)->daddr & ~netmask;
 	else
 		new_ip = ip_hdr(skb)->saddr & ~netmask;
 	new_ip |= mr->range[0].min_ip & netmask;

 	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
 	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
 	newrange.flags	     = mr->range[0].flags | NF_NAT_RANGE_MAP_IPS;
 	newrange.min_addr.ip = new_ip;
 	newrange.max_addr.ip = new_ip;
 	newrange.min_proto   = mr->range[0].min;
 	newrange.max_proto   = mr->range[0].max;

 	/* Hand modified range to generic setup. */
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(xt_hooknum(par)));
 }

 static int netmap_tg4_check(const struct xt_tgchk_param *par)
 {
 	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;

 	if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
 		pr_debug("bad MAP_IPS.\n");
 		return -EINVAL;
 	}
 	if (mr->rangesize != 1) {
 		pr_debug("bad rangesize %u.\n", mr->rangesize);
 		return -EINVAL;
 	}
 	return nf_ct_netns_get(par->net, par->family);
 }

 static struct xt_target netmap_tg_reg[] __read_mostly = {
 	{
 		.name       = "NETMAP",
 		.family     = NFPROTO_IPV6,
 		.revision   = 0,
 		.target     = netmap_tg6,
 		.targetsize = sizeof(struct nf_nat_range),
 		.table      = "nat",
 		.hooks      = (1 << NF_INET_PRE_ROUTING) |
 		              (1 << NF_INET_POST_ROUTING) |
 		              (1 << NF_INET_LOCAL_OUT) |
 		              (1 << NF_INET_LOCAL_IN),
 		.checkentry = netmap_tg6_checkentry,
 		.destroy    = netmap_tg_destroy,
 		.me         = THIS_MODULE,
 	},
 	{
 		.name       = "NETMAP",
 		.family     = NFPROTO_IPV4,
 		.revision   = 0,
 		.target     = netmap_tg4,
 		.targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
 		.table      = "nat",
 		.hooks      = (1 << NF_INET_PRE_ROUTING) |
 		              (1 << NF_INET_POST_ROUTING) |
 		              (1 << NF_INET_LOCAL_OUT) |
 		              (1 << NF_INET_LOCAL_IN),
 		.checkentry = netmap_tg4_check,
 		.destroy    = netmap_tg_destroy,
 		.me         = THIS_MODULE,
 	},
 };

 static int __init netmap_tg_init(void)
 {
 	return xt_register_targets(netmap_tg_reg, ARRAY_SIZE(netmap_tg_reg));
 }

 static void netmap_tg_exit(void)
 {
 	xt_unregister_targets(netmap_tg_reg, ARRAY_SIZE(netmap_tg_reg));
 }

 module_init(netmap_tg_init);
 module_exit(netmap_tg_exit);

 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of subnets");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_ALIAS("ip6t_NETMAP");
 MODULE_ALIAS("ipt_NETMAP");
	// SPDX-License-Identifier: GPL-2.0-only
	/*
	* (C) 2000-2001 Svenning Soerensen <svenning@post5.tele.dk>
	* Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
	*/

	#include <linux/ip.h>
	#include <linux/kernel.h>
	#include <linux/module.h>
	#include <linux/netdevice.h>
	#include <linux/ipv6.h>
	#include <linux/netfilter.h>
	#include <linux/netfilter_ipv4.h>
	#include <linux/netfilter_ipv6.h>
	#include <linux/netfilter/x_tables.h>
	#include <net/netfilter/nf_nat.h>

	static unsigned int
	netmap_tg6(struct sk_buff skb, const struct xt_action_param par)
	{
	const struct nf_nat_range2 *range = par->targinfo;
	struct nf_nat_range2 newrange;
	struct nf_conn *ct;
	enum ip_conntrack_info ctinfo;
	union nf_inet_addr new_addr, netmask;
	unsigned int i;

	ct = nf_ct_get(skb, &ctinfo);
	for (i = 0; i < ARRAY_SIZE(range->min_addr.ip6); i++)
	netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
	range->max_addr.ip6[i]);

	if (xt_hooknum(par) == NF_INET_PRE_ROUTING \|\|
	xt_hooknum(par) == NF_INET_LOCAL_OUT)
	new_addr.in6 = ipv6_hdr(skb)->daddr;
	else
	new_addr.in6 = ipv6_hdr(skb)->saddr;

	for (i = 0; i < ARRAY_SIZE(new_addr.ip6); i++) {
	new_addr.ip6[i] &= ~netmask.ip6[i];
	new_addr.ip6[i] \|= range->min_addr.ip6[i] &
	netmask.ip6[i];
	}

	newrange.flags = range->flags \| NF_NAT_RANGE_MAP_IPS;
	newrange.min_addr = new_addr;
	newrange.max_addr = new_addr;
	newrange.min_proto = range->min_proto;
	newrange.max_proto = range->max_proto;

	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(xt_hooknum(par)));
	}

	static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
	{
	const struct nf_nat_range2 *range = par->targinfo;

	if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
	return -EINVAL;
	return nf_ct_netns_get(par->net, par->family);
	}

	static void netmap_tg_destroy(const struct xt_tgdtor_param *par)
	{
	nf_ct_netns_put(par->net, par->family);
	}

	static unsigned int
	netmap_tg4(struct sk_buff skb, const struct xt_action_param par)
	{
	struct nf_conn *ct;
	enum ip_conntrack_info ctinfo;
	__be32 new_ip, netmask;
	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
	struct nf_nat_range2 newrange;

	WARN_ON(xt_hooknum(par) != NF_INET_PRE_ROUTING &&
	xt_hooknum(par) != NF_INET_POST_ROUTING &&
	xt_hooknum(par) != NF_INET_LOCAL_OUT &&
	xt_hooknum(par) != NF_INET_LOCAL_IN);
	ct = nf_ct_get(skb, &ctinfo);

	netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);

	if (xt_hooknum(par) == NF_INET_PRE_ROUTING \|\|
	xt_hooknum(par) == NF_INET_LOCAL_OUT)
	new_ip = ip_hdr(skb)->daddr & ~netmask;
	else
	new_ip = ip_hdr(skb)->saddr & ~netmask;
	new_ip \|= mr->range[0].min_ip & netmask;

	memset(&newrange.min_addr, 0, sizeof(newrange.min_addr));
	memset(&newrange.max_addr, 0, sizeof(newrange.max_addr));
	newrange.flags = mr->range[0].flags \| NF_NAT_RANGE_MAP_IPS;
	newrange.min_addr.ip = new_ip;
	newrange.max_addr.ip = new_ip;
	newrange.min_proto = mr->range[0].min;
	newrange.max_proto = mr->range[0].max;

	/* Hand modified range to generic setup. */
	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(xt_hooknum(par)));
	}

	static int netmap_tg4_check(const struct xt_tgchk_param *par)
	{
	const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;

	if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
	pr_debug("bad MAP_IPS.\n");
	return -EINVAL;
	}
	if (mr->rangesize != 1) {
	pr_debug("bad rangesize %u.\n", mr->rangesize);
	return -EINVAL;
	}
	return nf_ct_netns_get(par->net, par->family);
	}

	static struct xt_target netmap_tg_reg[] __read_mostly = {
	{
	.name = "NETMAP",
	.family = NFPROTO_IPV6,
	.revision = 0,
	.target = netmap_tg6,
	.targetsize = sizeof(struct nf_nat_range),
	.table = "nat",
	.hooks = (1 << NF_INET_PRE_ROUTING) \|
	(1 << NF_INET_POST_ROUTING) \|
	(1 << NF_INET_LOCAL_OUT) \|
	(1 << NF_INET_LOCAL_IN),
	.checkentry = netmap_tg6_checkentry,
	.destroy = netmap_tg_destroy,
	.me = THIS_MODULE,
	},
	{
	.name = "NETMAP",
	.family = NFPROTO_IPV4,
	.revision = 0,
	.target = netmap_tg4,
	.targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
	.table = "nat",
	.hooks = (1 << NF_INET_PRE_ROUTING) \|
	(1 << NF_INET_POST_ROUTING) \|
	(1 << NF_INET_LOCAL_OUT) \|
	(1 << NF_INET_LOCAL_IN),
	.checkentry = netmap_tg4_check,
	.destroy = netmap_tg_destroy,
	.me = THIS_MODULE,
	},
	};

	static int __init netmap_tg_init(void)
	{
	return xt_register_targets(netmap_tg_reg, ARRAY_SIZE(netmap_tg_reg));
	}

	static void netmap_tg_exit(void)
	{
	xt_unregister_targets(netmap_tg_reg, ARRAY_SIZE(netmap_tg_reg));
	}

	module_init(netmap_tg_init);
	module_exit(netmap_tg_exit);

	MODULE_LICENSE("GPL");
	MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of subnets");
	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
	MODULE_ALIAS("ip6t_NETMAP");
	MODULE_ALIAS("ipt_NETMAP");