3 * Distributed under the terms of the GNU GPL version 2.
4 * Copyright (c) 2008 Nicira Networks
7 #include <linux/etherdevice.h>
8 #include <linux/netdevice.h>
9 #include <linux/netfilter.h>
10 #include <linux/netfilter_ipv4.h>
13 #include <linux/icmp.h>
14 #include <linux/if_ether.h>
16 #include <net/route.h>
20 #include "nx_act_snat.h"
23 /* We need these fake structures to make netfilter happy --
24 * lots of places assume that skb->dst != NULL, which isn't
25 * all that unreasonable.
27 * Currently, we fill in the PMTU entry because netfilter
28 * refragmentation needs it, and the rt_flags entry because
29 * ipt_REJECT needs it. Future netfilter modules might
30 * require us to fill additional fields. */
31 static struct net_device __fake_net_device = {
32 .hard_header_len = ETH_HLEN
35 static struct rtable __fake_rtable = {
38 .__refcnt = ATOMIC_INIT(1),
39 .dev = &__fake_net_device,
40 .path = &__fake_rtable.u.dst,
41 .metrics = {[RTAX_MTU - 1] = 1500},
48 /* Define ARP for IP since the Linux headers don't do it cleanly. */
55 uint8_t ar_sha[ETH_ALEN];
57 uint8_t ar_tha[ETH_ALEN];
59 } __attribute__((packed));
60 OFP_ASSERT(sizeof(struct ip_arphdr) == 28);
63 /* Push the Ethernet header back on and tranmit the packet. */
65 dp_xmit_skb_push(struct sk_buff *skb)
67 skb_push(skb, ETH_HLEN);
68 return dp_xmit_skb(skb);
71 /* Perform maintainence related to a SNAT'd interface. Currently, this only
72 * checks whether MAC->IP bindings have expired.
74 * Called with the RCU read lock */
76 snat_maint(struct net_bridge_port *p)
79 struct snat_mapping *m, *n;
81 unsigned long timeout;
83 spin_lock_irqsave(&p->lock, flags);
88 timeout = sc->mac_timeout * HZ;
90 list_for_each_entry_safe (m, n, &sc->mappings, node) {
91 if (time_after(jiffies, m->used + timeout)) {
98 spin_unlock_irqrestore(&p->lock, flags);
101 /* When the packet is bound for a local interface, strip off the fake
104 void snat_local_in(struct sk_buff *skb)
106 if (skb->dst == (struct dst_entry *)&__fake_rtable) {
107 dst_release(skb->dst);
112 /* Check whether destination IP's address is in the IP->MAC mappings.
113 * If it is, then overwrite the destination MAC with the value from the
116 * Returns -1 if there is a problem, otherwise 0. */
118 dnat_mac(struct net_bridge_port *p, struct sk_buff *skb)
120 struct snat_conf *sc = p->snat;
121 struct iphdr *iph = ip_hdr(skb);
122 struct ethhdr *eh = eth_hdr(skb);
123 struct snat_mapping *m;
125 if (skb->protocol != htons(ETH_P_IP))
128 list_for_each_entry (m, &sc->mappings, node) {
129 if (m->ip_addr == iph->daddr){
131 if (!make_writable(&skb)) {
133 printk("make_writable failed\n");
137 memcpy(eh->h_dest, m->hw_addr, ETH_ALEN);
146 __snat_this_address(struct snat_conf *sc, u32 ip_addr)
149 u32 h_ip_addr = ntohl(ip_addr);
150 return (h_ip_addr >= sc->ip_addr_start &&
151 h_ip_addr <= sc->ip_addr_end);
157 snat_this_address(struct net_bridge_port *p, u32 ip_addr)
159 unsigned long int flags;
162 spin_lock_irqsave(&p->lock, flags);
163 retval = __snat_this_address(p->snat, ip_addr);
164 spin_unlock_irqrestore(&p->lock, flags);
169 /* Must hold RCU lock. */
170 static struct net_bridge_port *
171 get_nbp_by_ip_addr(struct datapath *dp, u32 ip_addr)
173 struct net_bridge_port *p;
175 list_for_each_entry_rcu (p, &dp->port_list, node)
176 if (snat_this_address(p, ip_addr))
183 snat_pre_route_finish(struct sk_buff *skb)
185 struct net_bridge_port *p = skb->dev->br_port;
186 struct snat_conf *sc;
187 struct iphdr *iph = ip_hdr(skb);
190 skb->dst = (struct dst_entry *)&__fake_rtable;
193 /* Don't process packets that were not translated due to NAT */
194 spin_lock_irqsave(&p->lock, flags);
196 if (!__snat_this_address(sc, iph->daddr)) {
197 /* If SNAT is configured for this input device, check the
198 * IP->MAC mappings to see if we should update the destination
201 dnat_mac(skb->dev->br_port, skb);
204 spin_unlock_irqrestore(&p->lock, flags);
206 /* Pass the translated packet as input to the OpenFlow stack, which
208 skb_push(skb, ETH_HLEN);
209 skb_reset_mac_header(skb);
210 fwd_port_input(p->dp->chain, skb, p);
215 /* Checks whether 'skb' is an ARP request for an SNAT'd interface. If
216 * so, it will generate a response.
218 * Returns 0 if the packet was not handled. Otherwise, -1 is returned
219 * and the caller is responsible for freeing 'skb'. */
221 handle_arp_snat(struct sk_buff *skb)
223 struct net_bridge_port *s_nbp = skb->dev->br_port;
224 struct net_bridge_port *nat_nbp;
225 struct ip_arphdr *ah;
226 uint8_t mac_addr[ETH_ALEN];
228 if (!pskb_may_pull(skb, sizeof *ah))
231 ah = (struct ip_arphdr *)arp_hdr(skb);
232 if ((ah->ar_op != htons(ARPOP_REQUEST))
233 || ah->ar_hln != ETH_ALEN
234 || ah->ar_pro != htons(ETH_P_IP)
239 nat_nbp = get_nbp_by_ip_addr(s_nbp->dp, ah->ar_tip);
244 if (s_nbp == nat_nbp)
245 memcpy(mac_addr, s_nbp->dp->netdev->dev_addr, sizeof(mac_addr));
246 else if (!is_zero_ether_addr(nat_nbp->snat->mac_addr))
247 memcpy(mac_addr, nat_nbp->snat->mac_addr, sizeof(mac_addr));
254 arp_send(ARPOP_REPLY, ETH_P_ARP, ah->ar_sip, skb->dev, ah->ar_tip,
255 ah->ar_sha, mac_addr, ah->ar_sha);
260 /* Checks whether 'skb' is a ping request for an SNAT'd interface. If
261 * so, it will generate a response.
263 * Returns 0 if the packet was not handled. Otherwise, -1 is returned
264 * and the caller is responsible for freeing 'skb'. */
266 handle_icmp_snat(struct sk_buff *skb)
268 struct net_bridge_port *p = skb->dev->br_port;
271 struct icmphdr *icmph;
272 uint8_t tmp_eth[ETH_ALEN];
274 struct sk_buff *nskb;
276 /* We're only interested in addresses we rewrite. */
278 if (!snat_this_address(p, iph->daddr)) {
282 /* Drop fragments and packets not long enough to hold the ICMP
284 if ((ntohs(iph->frag_off) & IP_OFFSET) != 0 ||
285 !pskb_may_pull(skb, skb_transport_offset(skb) + 4))
288 /* We only respond to echo requests to our address. Continue
289 * processing replies and other ICMP messages since they may be
290 * intended for NAT'd hosts. */
291 icmph = icmp_hdr(skb);
292 if (icmph->type != ICMP_ECHO)
295 /* Send an echo reply in response */
296 nskb = skb_copy(skb, GFP_ATOMIC);
299 printk("skb copy failed for icmp reply\n");
303 /* Update Ethernet header. */
305 memcpy(tmp_eth, eh->h_dest, ETH_ALEN);
306 memcpy(eh->h_dest, eh->h_source, ETH_ALEN);
307 memcpy(eh->h_source, tmp_eth, ETH_ALEN);
310 * This is kind of busted, at least in that it doesn't check that the
311 * echoed IP options make sense. */
318 iph->daddr = iph->saddr;
320 iph->check = ip_fast_csum(iph, iph->ihl);
322 /* Update ICMP header. */
323 icmph = icmp_hdr(nskb);
324 icmph->type = ICMP_ECHOREPLY;
326 icmph->checksum = ip_compute_csum(icmph,
327 nskb->tail - nskb->transport_header);
329 dp_xmit_skb_push(nskb);
334 /* Check if any SNAT maintenance needs to be done on 'skb' before it's
335 * checked against the datapath's tables. This includes DNAT
336 * modification based on prior SNAT action and responding to ARP and
337 * echo requests for the SNAT interface.
339 * Returns -1 if the packet was handled and consumed, 0 if the caller
340 * should continue to process 'skb'.
343 snat_pre_route(struct sk_buff *skb)
348 WARN_ON_ONCE(skb_network_offset(skb));
349 if (skb->protocol == htons(ETH_P_ARP)) {
350 if (handle_arp_snat(skb))
354 else if (skb->protocol != htons(ETH_P_IP))
357 if (!pskb_may_pull(skb, sizeof *iph))
361 if (iph->ihl < 5 || iph->version != 4)
364 if (!pskb_may_pull(skb, ip_hdrlen(skb)))
366 skb_set_transport_header(skb, ip_hdrlen(skb));
368 /* Check if we need to echo reply for this address */
370 if ((iph->protocol == IPPROTO_ICMP) && (handle_icmp_snat(skb)))
374 if (unlikely(ip_fast_csum(iph, iph->ihl)))
377 len = ntohs(iph->tot_len);
378 if ((skb->len < len) || len < (iph->ihl*4))
381 if (pskb_trim_rcsum(skb, len))
384 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
385 snat_pre_route_finish);
395 snat_skb_finish(struct sk_buff *skb)
397 NF_HOOK(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
403 /* Update the MAC->IP mappings for the private side of the SNAT'd
406 update_mapping(struct net_bridge_port *p, const struct sk_buff *skb)
409 struct snat_conf *sc;
410 const struct iphdr *iph = ip_hdr(skb);
411 const struct ethhdr *eh = eth_hdr(skb);
412 struct snat_mapping *m;
414 spin_lock_irqsave(&p->lock, flags);
419 list_for_each_entry (m, &sc->mappings, node) {
420 if (m->ip_addr == iph->saddr){
421 memcpy(m->hw_addr, eh->h_source, ETH_ALEN);
427 m = kmalloc(sizeof *m, GFP_ATOMIC);
430 m->ip_addr = iph->saddr;
431 memcpy(m->hw_addr, eh->h_source, ETH_ALEN);
434 list_add(&m->node, &sc->mappings);
437 spin_unlock_irqrestore(&p->lock, flags);
440 /* Perform SNAT modification on 'skb' and send out 'out_port'. If the
441 * port was not configured for SNAT, it will be sent through the interface
442 * unmodified. 'skb' is not consumed, so caller will need to free it.
445 snat_skb(struct datapath *dp, const struct sk_buff *skb, int out_port)
447 struct net_bridge_port *p = dp->ports[out_port];
448 struct sk_buff *nskb;
453 /* FIXME: Expensive. Just need to skb_clone() here?
454 * (However, the skb_copy() does linearize and ensure that the headers
455 * are accessible.) */
456 nskb = skb_copy(skb, GFP_ATOMIC);
462 /* We only SNAT IP, so just send it on its way if not */
463 if (skb->protocol != htons(ETH_P_IP)) {
468 /* Set the source MAC to the OF interface */
469 memcpy(eth_hdr(nskb)->h_source, dp->netdev->dev_addr, ETH_ALEN);
471 update_mapping(p, skb);
473 /* Take the Ethernet header back off for netfilter hooks. */
474 skb_pull(nskb, ETH_HLEN);
476 NF_HOOK(PF_INET, NF_INET_FORWARD, nskb, skb->dev, nskb->dev,
480 /* Remove SNAT configuration on port 'p'.
482 * NB: The caller must hold the port's spinlock. */
484 snat_free_conf(struct net_bridge_port *p)
486 struct snat_conf *sc = p->snat;
491 /* Free existing mapping entries */
492 while (!list_empty(&sc->mappings)) {
493 struct snat_mapping *m = list_entry(sc->mappings.next,
494 struct snat_mapping, node);
505 /* Remove SNAT configuration from an interface. */
507 snat_del_port(struct datapath *dp, const struct nx_snat_config *nsc)
510 uint16_t port = ntohs(nsc->port);
511 struct net_bridge_port *p = dp->ports[port];
515 printk("Attempt to remove snat on non-existent port: %d\n", port);
519 spin_lock_irqsave(&p->lock, flags);
520 if (snat_free_conf(p)) {
521 /* SNAT not configured on this port */
522 spin_unlock_irqrestore(&p->lock, flags);
524 printk("Attempt to remove snat on non-snat port: %d\n", port);
528 spin_unlock_irqrestore(&p->lock, flags);
533 /* Add SNAT configuration to an interface. */
535 snat_add_port(struct datapath *dp, const struct nx_snat_config *nsc)
538 uint16_t port = ntohs(nsc->port);
539 struct net_bridge_port *p = dp->ports[port];
540 uint16_t mac_timeout = ntohs(nsc->mac_timeout);
541 struct snat_conf *sc;
543 if (mac_timeout == 0)
544 mac_timeout = MAC_TIMEOUT_DEFAULT;
548 printk("Attempt to add snat on non-existent port: %d\n", port);
552 /* If SNAT is already configured on the port, check whether the same
553 * IP addresses are used. If so, just update the mac timeout
554 * configuration. Otherwise, drop all SNAT configuration and
556 spin_lock_irqsave(&p->lock, flags);
558 if ((p->snat->ip_addr_start == ntohl(nsc->ip_addr_start))
559 && (p->snat->ip_addr_end == ntohl(nsc->ip_addr_end))) {
560 p->snat->mac_timeout = mac_timeout;
561 spin_unlock_irqrestore(&p->lock, flags);
565 /* Free the existing configuration and mappings. */
569 sc = kzalloc(sizeof *sc, GFP_ATOMIC);
571 spin_unlock_irqrestore(&p->lock, flags);
575 sc->ip_addr_start = ntohl(nsc->ip_addr_start);
576 sc->ip_addr_end = ntohl(nsc->ip_addr_end);
577 sc->mac_timeout = mac_timeout;
578 memcpy(sc->mac_addr, nsc->mac_addr, sizeof(sc->mac_addr));
579 INIT_LIST_HEAD(&sc->mappings);
582 spin_unlock_irqrestore(&p->lock, flags);
587 /* Handle a SNAT configuration message.
589 * Returns 0 if no problems are found. Otherwise, a negative errno. */
591 snat_mod_config(struct datapath *dp, const struct nx_act_config *nac)
593 int n_entries = (ntohs(nac->header.header.length) - sizeof *nac)
594 / sizeof (struct nx_snat_config);
598 for (i=0; i<n_entries; i++) {
599 const struct nx_snat_config *nsc = &nac->snat[i];
602 if (nsc->command == NXSC_ADD)
603 r = snat_add_port(dp, nsc);
605 r = snat_del_port(dp, nsc);
git://git.onelab.eu / sliver-openvswitch.git / blob