/* * Copyright (c) 2011 Patrick McHardy * * Based on Rusty Russell's IPv4 DNAT target. Development of IPv6 NAT * funded by Astaro. */ #include #include #include #include #include #include /* get_kernel_version */ #include /* INT_MAX in ip_tables.h */ #include #include #include #include #define TO_IPV4_MRC(ptr) ((const struct nf_nat_ipv4_multi_range_compat *)(ptr)) #define RANGE2_INIT_FROM_IPV4_MRC(ptr) { \ .flags = TO_IPV4_MRC(ptr)->range[0].flags, \ .min_addr.ip = TO_IPV4_MRC(ptr)->range[0].min_ip, \ .max_addr.ip = TO_IPV4_MRC(ptr)->range[0].max_ip, \ .min_proto = TO_IPV4_MRC(ptr)->range[0].min, \ .max_proto = TO_IPV4_MRC(ptr)->range[0].max, \ }; #define TO_NF_NAT_RANGE(ptr) ((const struct nf_nat_range *)(ptr)) #define RANGE2_INIT_FROM_RANGE(ptr) { \ .flags = TO_NF_NAT_RANGE(ptr)->flags, \ .min_addr = TO_NF_NAT_RANGE(ptr)->min_addr, \ .max_addr = TO_NF_NAT_RANGE(ptr)->max_addr, \ .min_proto = TO_NF_NAT_RANGE(ptr)->min_proto, \ .max_proto = TO_NF_NAT_RANGE(ptr)->max_proto, \ }; enum { O_TO_DEST = 0, O_TO_SRC, O_TO_PORTS, O_RANDOM, O_RANDOM_FULLY, O_PERSISTENT, }; static void SNAT_help(void) { printf( "SNAT target options:\n" " --to-source [[-]][:port[-port]]\n" " Address to map source to.\n" "[--random] [--random-fully] [--persistent]\n"); } static void MASQUERADE_help(void) { printf( "MASQUERADE target options:\n" " --to-ports [-]\n" " Port (range) to map to.\n" " --random\n" " Randomize source port.\n" " --random-fully\n" " Fully randomize source port.\n"); } static void DNAT_help(void) { printf( "DNAT target options:\n" " --to-destination [[-]][:port[-port]]\n" " Address to map destination to.\n" "[--random] [--persistent]\n"); } static void DNAT_help_v2(void) { printf( "DNAT target options:\n" " --to-destination [[-]][:port[-port[/port]]]\n" " Address to map destination to.\n" "[--random] [--persistent]\n"); } static void REDIRECT_help(void) { printf( "REDIRECT target options:\n" " --to-ports [-]\n" " Port (range) to map to.\n" " [--random]\n"); } static const struct xt_option_entry SNAT_opts[] = { {.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING, .flags = XTOPT_MAND}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; static const struct xt_option_entry MASQUERADE_opts[] = { {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; static const struct xt_option_entry DNAT_opts[] = { {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING, .flags = XTOPT_MAND}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; static const struct xt_option_entry REDIRECT_opts[] = { {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; /* Parses ports */ static void parse_ports(const char *arg, bool portok, struct nf_nat_range2 *range) { unsigned int port, maxport, baseport; char *end = NULL; if (!portok) xtables_error(PARAMETER_PROBLEM, "Need TCP, UDP, SCTP or DCCP with port specification"); range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) { port = xtables_service_to_port(arg, NULL); if (port == (unsigned)-1) xtables_error(PARAMETER_PROBLEM, "Port `%s' not valid", arg); end = ""; } switch (*end) { case '\0': range->min_proto.tcp.port = range->max_proto.tcp.port = htons(port); return; case '-': arg = end + 1; break; case ':': xtables_error(PARAMETER_PROBLEM, "Invalid port:port syntax - use dash"); default: xtables_error(PARAMETER_PROBLEM, "Garbage after port value: `%s'", end); } /* it is a range, don't allow service names here */ if (!xtables_strtoui(arg, &end, &maxport, 0, UINT16_MAX)) xtables_error(PARAMETER_PROBLEM, "Port `%s' not valid", arg); if (maxport < port) /* People are stupid. */ xtables_error(PARAMETER_PROBLEM, "Port range `%s' funky", arg); range->min_proto.tcp.port = htons(port); range->max_proto.tcp.port = htons(maxport); switch (*end) { case '\0': return; case '/': arg = end + 1; break; default: xtables_error(PARAMETER_PROBLEM, "Garbage after port range: `%s'", end); } if (!xtables_strtoui(arg, &end, &baseport, 1, UINT16_MAX)) { baseport = xtables_service_to_port(arg, NULL); if (baseport == (unsigned)-1) xtables_error(PARAMETER_PROBLEM, "Port `%s' not valid", arg); } range->flags |= NF_NAT_RANGE_PROTO_OFFSET; range->base_proto.tcp.port = htons(baseport); } /* Ranges expected in network order. */ static void parse_to(const char *orig_arg, bool portok, struct nf_nat_range2 *range, int family) { char *arg, *start, *end, *colon, *dash; arg = xtables_strdup(orig_arg); start = strchr(arg, '['); if (!start) { start = arg; /* Lets assume one colon is port information. * Otherwise its an IPv6 address */ colon = strchr(arg, ':'); if (colon && strchr(colon + 1, ':')) colon = NULL; } else { start++; end = strchr(start, ']'); if (end == NULL || family == AF_INET) xtables_error(PARAMETER_PROBLEM, "Invalid address format"); *end = '\0'; colon = strchr(end + 1, ':'); } if (colon) { parse_ports(colon + 1, portok, range); /* Starts with colon or [] colon? No IP info...*/ if (colon == arg || colon == arg + 2) { free(arg); return; } *colon = '\0'; } range->flags |= NF_NAT_RANGE_MAP_IPS; dash = strchr(start, '-'); if (colon && dash && dash > colon) dash = NULL; if (dash) *dash = '\0'; if (!inet_pton(family, start, &range->min_addr)) xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"", start); if (dash) { if (!inet_pton(family, dash + 1, &range->max_addr)) xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"", dash + 1); } else { range->max_addr = range->min_addr; } free(arg); return; } static void __NAT_parse(struct xt_option_call *cb, __u16 proto, struct nf_nat_range2 *range, int family) { bool portok = proto == IPPROTO_TCP || proto == IPPROTO_UDP || proto == IPPROTO_SCTP || proto == IPPROTO_DCCP || proto == IPPROTO_ICMP; xtables_option_parse(cb); switch (cb->entry->id) { case O_TO_DEST: case O_TO_SRC: parse_to(cb->arg, portok, range, family); break; case O_TO_PORTS: parse_ports(cb->arg, portok, range); break; case O_PERSISTENT: range->flags |= NF_NAT_RANGE_PERSISTENT; break; case O_RANDOM: range->flags |= NF_NAT_RANGE_PROTO_RANDOM; break; case O_RANDOM_FULLY: range->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; break; } } static void NAT_parse(struct xt_option_call *cb) { struct nf_nat_ipv4_multi_range_compat *mr = (void *)cb->data; const struct ipt_entry *entry = cb->xt_entry; struct nf_nat_range2 range = {}; __NAT_parse(cb, entry->ip.proto, &range, AF_INET); switch (cb->entry->id) { case O_TO_DEST: case O_TO_SRC: mr->range->min_ip = range.min_addr.ip; mr->range->max_ip = range.max_addr.ip; /* fall through */ case O_TO_PORTS: mr->range->min = range.min_proto; mr->range->max = range.max_proto; /* fall through */ case O_PERSISTENT: case O_RANDOM: case O_RANDOM_FULLY: mr->range->flags |= range.flags; break; } } static void NAT_parse6(struct xt_option_call *cb) { struct nf_nat_range2 range = RANGE2_INIT_FROM_RANGE(cb->data); struct nf_nat_range *range_v1 = (void *)cb->data; const struct ip6t_entry *entry = cb->xt_entry; __NAT_parse(cb, entry->ipv6.proto, &range, AF_INET6); memcpy(range_v1, &range, sizeof(*range_v1)); } static void DNAT_parse_v2(struct xt_option_call *cb) { const struct ipt_entry *entry = cb->xt_entry; __NAT_parse(cb, entry->ip.proto, cb->data, AF_INET); } static void DNAT_parse6_v2(struct xt_option_call *cb) { const struct ip6t_entry *entry = cb->xt_entry; __NAT_parse(cb, entry->ipv6.proto, cb->data, AF_INET6); } static void SNAT_fcheck(struct xt_fcheck_call *cb) { struct nf_nat_ipv4_multi_range_compat *mr = cb->data; mr->rangesize = 1; } static void DNAT_fcheck(struct xt_fcheck_call *cb) { struct nf_nat_ipv4_multi_range_compat *mr = cb->data; mr->rangesize = 1; if (mr->range[0].flags & NF_NAT_RANGE_PROTO_OFFSET) xtables_error(PARAMETER_PROBLEM, "Shifted portmap ranges not supported with this kernel"); } static void DNAT_fcheck6(struct xt_fcheck_call *cb) { struct nf_nat_range *range = (void *)cb->data; if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) xtables_error(PARAMETER_PROBLEM, "Shifted portmap ranges not supported with this kernel"); } static char *sprint_range(const struct nf_nat_range2 *r, int family) { bool brackets = family == AF_INET6 && r->flags & NF_NAT_RANGE_PROTO_SPECIFIED; static char buf[INET6_ADDRSTRLEN * 2 + 3 + 6 * 3]; buf[0] = '\0'; if (r->flags & NF_NAT_RANGE_MAP_IPS) { if (brackets) strcat(buf, "["); inet_ntop(family, &r->min_addr, buf + strlen(buf), INET6_ADDRSTRLEN); if (memcmp(&r->min_addr, &r->max_addr, sizeof(r->min_addr))) { strcat(buf, "-"); inet_ntop(family, &r->max_addr, buf + strlen(buf), INET6_ADDRSTRLEN); } if (brackets) strcat(buf, "]"); } if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { sprintf(buf + strlen(buf), ":%hu", ntohs(r->min_proto.tcp.port)); if (r->max_proto.tcp.port != r->min_proto.tcp.port) sprintf(buf + strlen(buf), "-%hu", ntohs(r->max_proto.tcp.port)); if (r->flags & NF_NAT_RANGE_PROTO_OFFSET) sprintf(buf + strlen(buf), "/%hu", ntohs(r->base_proto.tcp.port)); } return buf; } static void __NAT_print(const struct nf_nat_range2 *r, int family, const char *rangeopt, const char *flag_pfx, bool skip_colon) { char *range_str = sprint_range(r, family); if (strlen(range_str)) { if (range_str[0] == ':' && skip_colon) range_str++; printf(" %s%s", rangeopt, range_str); } if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" %srandom", flag_pfx); if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) printf(" %srandom-fully", flag_pfx); if (r->flags & NF_NAT_RANGE_PERSISTENT) printf(" %spersistent", flag_pfx); } static int __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r, int family, const char *tgt) { char *range_str = sprint_range(r, family); const char *sep = " "; /* shifted portmap ranges are not supported by nftables */ if (r->flags & NF_NAT_RANGE_PROTO_OFFSET) return 0; xt_xlate_add(xl, "%s", tgt); if (strlen(range_str)) xt_xlate_add(xl, " to %s", range_str); if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) { xt_xlate_add(xl, "%srandom", sep); sep = ","; } if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { xt_xlate_add(xl, "%sfully-random", sep); sep = ","; } if (r->flags & NF_NAT_RANGE_PERSISTENT) { xt_xlate_add(xl, "%spersistent", sep); sep = ","; } return 1; } #define PSX_GEN(name, converter, family, \ print_rangeopt, save_rangeopt, skip_colon, xlate) \ static void name##_print(const void *ip, const struct xt_entry_target *target, \ int numeric) \ { \ struct nf_nat_range2 range = converter(target->data); \ \ __NAT_print(&range, family, print_rangeopt, "", skip_colon); \ } \ static void name##_save(const void *ip, const struct xt_entry_target *target) \ { \ struct nf_nat_range2 range = converter(target->data); \ \ __NAT_print(&range, family, save_rangeopt, "--", skip_colon); \ } \ static int name##_xlate(struct xt_xlate *xl, \ const struct xt_xlate_tg_params *params) \ { \ struct nf_nat_range2 range = converter(params->target->data); \ \ return __NAT_xlate(xl, &range, family, xlate); \ } PSX_GEN(DNAT, RANGE2_INIT_FROM_IPV4_MRC, \ AF_INET, "to:", "--to-destination ", false, "dnat") PSX_GEN(DNATv2, *(struct nf_nat_range2 *), \ AF_INET, "to:", "--to-destination ", false, "dnat") PSX_GEN(DNAT6, RANGE2_INIT_FROM_RANGE, \ AF_INET6, "to:", "--to-destination ", false, "dnat") PSX_GEN(DNAT6v2, *(struct nf_nat_range2 *), \ AF_INET6, "to:", "--to-destination ", false, "dnat") PSX_GEN(REDIRECT, RANGE2_INIT_FROM_IPV4_MRC, \ AF_INET, "redir ports ", "--to-ports ", true, "redirect") PSX_GEN(REDIRECT6, RANGE2_INIT_FROM_RANGE, \ AF_INET6, "redir ports ", "--to-ports ", true, "redirect") PSX_GEN(SNAT, RANGE2_INIT_FROM_IPV4_MRC, \ AF_INET, "to:", "--to-source ", false, "snat") PSX_GEN(SNAT6, RANGE2_INIT_FROM_RANGE, \ AF_INET6, "to:", "--to-source ", false, "snat") PSX_GEN(MASQUERADE, RANGE2_INIT_FROM_IPV4_MRC, \ AF_INET, "masq ports: ", "--to-ports ", true, "masquerade") PSX_GEN(MASQUERADE6, RANGE2_INIT_FROM_RANGE, \ AF_INET6, "masq ports: ", "--to-ports ", true, "masquerade") static struct xtables_target nat_tg_reg[] = { { .name = "SNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = SNAT_help, .x6_parse = NAT_parse, .x6_fcheck = SNAT_fcheck, .print = SNAT_print, .save = SNAT_save, .x6_options = SNAT_opts, .xlate = SNAT_xlate, }, { .name = "DNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .revision = 0, .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = DNAT_help, .print = DNAT_print, .save = DNAT_save, .x6_parse = NAT_parse, .x6_fcheck = DNAT_fcheck, .x6_options = DNAT_opts, .xlate = DNAT_xlate, }, { .name = "MASQUERADE", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = MASQUERADE_help, .x6_parse = NAT_parse, .x6_fcheck = SNAT_fcheck, .print = MASQUERADE_print, .save = MASQUERADE_save, .x6_options = MASQUERADE_opts, .xlate = MASQUERADE_xlate, }, { .name = "MASQUERADE", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .size = XT_ALIGN(sizeof(struct nf_nat_range)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), .help = MASQUERADE_help, .x6_parse = NAT_parse6, .print = MASQUERADE6_print, .save = MASQUERADE6_save, .x6_options = MASQUERADE_opts, .xlate = MASQUERADE6_xlate, }, { .name = "REDIRECT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .revision = 0, .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = REDIRECT_help, .print = REDIRECT_print, .save = REDIRECT_save, .x6_parse = NAT_parse, .x6_fcheck = DNAT_fcheck, .x6_options = REDIRECT_opts, .xlate = REDIRECT_xlate, }, { .name = "SNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .revision = 1, .size = XT_ALIGN(sizeof(struct nf_nat_range)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), .help = SNAT_help, .x6_parse = NAT_parse6, .print = SNAT6_print, .save = SNAT6_save, .x6_options = SNAT_opts, .xlate = SNAT6_xlate, }, { .name = "DNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .revision = 1, .size = XT_ALIGN(sizeof(struct nf_nat_range)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), .help = DNAT_help, .print = DNAT6_print, .save = DNAT6_save, .x6_parse = NAT_parse6, .x6_fcheck = DNAT_fcheck6, .x6_options = DNAT_opts, .xlate = DNAT6_xlate, }, { .name = "REDIRECT", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .size = XT_ALIGN(sizeof(struct nf_nat_range)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), .help = REDIRECT_help, .print = REDIRECT6_print, .save = REDIRECT6_save, .x6_parse = NAT_parse6, .x6_fcheck = DNAT_fcheck6, .x6_options = REDIRECT_opts, .xlate = REDIRECT6_xlate, }, { .name = "DNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .revision = 2, .size = XT_ALIGN(sizeof(struct nf_nat_range2)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), .help = DNAT_help_v2, .print = DNATv2_print, .save = DNATv2_save, .x6_parse = DNAT_parse_v2, .x6_options = DNAT_opts, .xlate = DNATv2_xlate, }, { .name = "DNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .revision = 2, .size = XT_ALIGN(sizeof(struct nf_nat_range2)), .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), .help = DNAT_help_v2, .print = DNAT6v2_print, .save = DNAT6v2_save, .x6_parse = DNAT_parse6_v2, .x6_options = DNAT_opts, .xlate = DNAT6v2_xlate, }, }; void _init(void) { xtables_register_targets(nat_tg_reg, ARRAY_SIZE(nat_tg_reg)); }