3 * Distributed under the terms of the GNU GPL version 2.
4 * Copyright (c) 2008 Nicira Networks
7 #include <linux/netdevice.h>
8 #include <linux/netfilter.h>
9 #include <linux/netfilter_ipv4.h>
12 #include <linux/icmp.h>
13 #include <linux/if_ether.h>
15 #include <net/route.h>
19 #include "nx_act_snat.h"
22 /* We need these fake structures to make netfilter happy --
23 * lots of places assume that skb->dst != NULL, which isn't
24 * all that unreasonable.
26 * Currently, we fill in the PMTU entry because netfilter
27 * refragmentation needs it, and the rt_flags entry because
28 * ipt_REJECT needs it. Future netfilter modules might
29 * require us to fill additional fields. */
30 static struct net_device __fake_net_device = {
31 .hard_header_len = ETH_HLEN
34 static struct rtable __fake_rtable = {
37 .__refcnt = ATOMIC_INIT(1),
38 .dev = &__fake_net_device,
39 .path = &__fake_rtable.u.dst,
40 .metrics = {[RTAX_MTU - 1] = 1500},
47 /* Define ARP for IP since the Linux headers don't do it cleanly. */
54 uint8_t ar_sha[ETH_ALEN];
56 uint8_t ar_tha[ETH_ALEN];
58 } __attribute__((packed));
59 OFP_ASSERT(sizeof(struct ip_arphdr) == 28);
62 /* Push the Ethernet header back on and tranmit the packet. */
64 dp_xmit_skb_push(struct sk_buff *skb)
66 skb_push(skb, ETH_HLEN);
67 return dp_xmit_skb(skb);
70 /* Perform maintainence related to a SNAT'd interface. Currently, this only
71 * checks whether MAC->IP bindings have expired.
73 * Called with the RCU read lock */
75 snat_maint(struct net_bridge_port *p)
78 struct snat_mapping *m, *n;
80 unsigned long timeout;
82 spin_lock_irqsave(&p->lock, flags);
87 timeout = sc->mac_timeout * HZ;
89 list_for_each_entry_safe (m, n, &sc->mappings, node) {
90 if (time_after(jiffies, m->used + timeout)) {
97 spin_unlock_irqrestore(&p->lock, flags);
100 /* Check whether destination IP's address is in the IP->MAC mappings.
101 * If it is, then overwrite the destination MAC with the value from the
104 * Returns -1 if there is a problem, otherwise 0. */
106 dnat_mac(struct net_bridge_port *p, struct sk_buff *skb)
108 struct snat_conf *sc;
109 struct iphdr *iph = ip_hdr(skb);
110 struct ethhdr *eh = eth_hdr(skb);
111 struct snat_mapping *m;
114 spin_lock_irqsave(&p->lock, flags);
117 spin_unlock_irqrestore(&p->lock, flags);
121 if (skb->protocol != htons(ETH_P_IP)) {
122 spin_unlock_irqrestore(&p->lock, flags);
126 list_for_each_entry (m, &sc->mappings, node) {
127 if (m->ip_addr == iph->daddr){
129 if (!make_writable(&skb)) {
131 printk("make_writable failed\n");
132 spin_unlock_irqrestore(&p->lock, flags);
136 memcpy(eh->h_dest, m->hw_addr, ETH_ALEN);
141 spin_unlock_irqrestore(&p->lock, flags);
146 snat_pre_route_finish(struct sk_buff *skb)
148 struct net_bridge_port *p = skb->dev->br_port;
150 /* If SNAT is configured for this input device, check the IP->MAC
151 * mappings to see if we should update the destination MAC. */
153 dnat_mac(skb->dev->br_port, skb);
158 /* Checks whether 'skb' is an ARP request for an SNAT'd interface. If
159 * so, it will generate a response.
161 * Returns 0 if the packet was not handled. Otherwise, -1 is returned
162 * and the caller is responsible for freeing 'skb'. */
164 handle_arp_snat(struct sk_buff *skb)
166 struct net_bridge_port *p = skb->dev->br_port;
167 struct ip_arphdr *ah = (struct ip_arphdr *)arp_hdr(skb);
170 struct snat_conf *sc;
172 if ((ah->ar_op != htons(ARPOP_REQUEST))
173 || ah->ar_hln != ETH_ALEN
174 || ah->ar_pro != htons(ETH_P_IP)
178 ip_addr = ntohl(ah->ar_tip);
179 spin_lock_irqsave(&p->lock, flags);
182 /* We're only interested in addresses we rewrite. */
183 if (!sc || (sc && ((ip_addr < sc->ip_addr_start)
184 || (ip_addr > sc->ip_addr_end)))) {
185 spin_unlock_irqrestore(&p->lock, flags);
188 spin_unlock_irqrestore(&p->lock, flags);
190 arp_send(ARPOP_REPLY, ETH_P_ARP, ah->ar_sip, skb->dev, ah->ar_tip,
191 ah->ar_sha, p->dp->netdev->dev_addr, ah->ar_sha);
196 /* Checks whether 'skb' is a ping request for an SNAT'd interface. If
197 * so, it will generate a response.
199 * Returns 0 if the packet was not handled. Otherwise, -1 is returned
200 * and the caller is responsible for freeing 'skb'. */
202 handle_icmp_snat(struct sk_buff *skb)
204 struct net_bridge_port *p = skb->dev->br_port;
205 struct snat_conf *sc;
207 struct iphdr *iph = ip_hdr(skb);
209 struct icmphdr *icmph;
210 unsigned int datalen;
211 uint8_t tmp_eth[ETH_ALEN];
213 struct sk_buff *nskb;
217 ip_addr = ntohl(iph->daddr);
218 spin_lock_irqsave(&p->lock, flags);
221 /* We're only interested in addresses we rewrite. */
222 if (!sc || (sc && ((ip_addr < sc->ip_addr_start)
223 || (ip_addr > sc->ip_addr_end)))) {
224 spin_unlock_irqrestore(&p->lock, flags);
227 spin_unlock_irqrestore(&p->lock, flags);
229 icmph = (struct icmphdr *) ((u_int32_t *)iph + iph->ihl);
230 datalen = skb->len - iph->ihl * 4;
232 /* Drop fragments and packets not long enough to hold the ICMP
234 if (((ntohs(iph->frag_off) & IP_OFFSET) != 0) || datalen < 4)
237 /* We only respond to echo requests to our address. Continue
238 * processing replies and other ICMP messages since they may be
239 * intended for NAT'd hosts. */
240 if (icmph->type != ICMP_ECHO)
243 /* Send an echo reply in response */
244 nskb = skb_copy(skb, GFP_ATOMIC);
247 printk("skb copy failed for icmp reply\n");
253 icmph = (struct icmphdr *) ((u_int32_t *)iph + iph->ihl);
256 iph->daddr = iph->saddr;
259 memcpy(tmp_eth, eh->h_dest, ETH_ALEN);
260 memcpy(eh->h_dest, eh->h_source, ETH_ALEN);
261 memcpy(eh->h_source, tmp_eth, ETH_ALEN);
263 icmph->type = ICMP_ECHOREPLY;
265 dp_xmit_skb_push(nskb);
270 /* Check if any SNAT maintenance needs to be done on 'skb' before it's
271 * checked against the datapath's tables. This includes DNAT
272 * modification based on prior SNAT action and responding to ARP and
273 * echo requests for the SNAT interface.
275 * Returns 0 if 'skb' should continue to be processed by the caller.
276 * Returns -1 if the packet was handled, and the caller should free
280 snat_pre_route(struct sk_buff *skb)
285 if (skb->protocol == htons(ETH_P_ARP))
286 return handle_arp_snat(skb);
287 else if (skb->protocol != htons(ETH_P_IP))
291 if (iph->ihl < 5 || iph->version != 4)
294 if (!pskb_may_pull(skb, iph->ihl*4))
297 /* Check if we need to echo reply for this address */
298 if ((iph->protocol == IPPROTO_ICMP) && (handle_icmp_snat(skb)))
301 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
304 len = ntohs(iph->tot_len);
305 if ((skb->len < len) || len < (iph->ihl*4))
308 if (pskb_trim_rcsum(skb, len))
311 skb->dst = (struct dst_entry *)&__fake_rtable;
314 return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
315 snat_pre_route_finish);
323 snat_skb_finish(struct sk_buff *skb)
325 NF_HOOK(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
331 /* Update the MAC->IP mappings for the private side of the SNAT'd
334 update_mapping(struct net_bridge_port *p, struct sk_buff *skb)
337 struct snat_conf *sc;
338 struct iphdr *iph = ip_hdr(skb);
339 struct ethhdr *eh = eth_hdr(skb);
340 struct snat_mapping *m;
342 spin_lock_irqsave(&p->lock, flags);
347 list_for_each_entry (m, &sc->mappings, node) {
348 if (m->ip_addr == iph->saddr){
349 if (memcmp(m->hw_addr, eh->h_source, ETH_ALEN)) {
350 memcpy(m->hw_addr, eh->h_source, ETH_ALEN);
357 m = kmalloc(sizeof *m, GFP_ATOMIC);
358 m->ip_addr = iph->saddr;
359 memcpy(m->hw_addr, eh->h_source, ETH_ALEN);
362 list_add(&m->node, &sc->mappings);
365 spin_unlock_irqrestore(&p->lock, flags);
368 /* Perform SNAT modification on 'skb' and send out 'out_port'. If the
369 * port was not configured for SNAT, it will be sent through the interface
370 * unmodified. 'skb' is not consumed, so caller will need to free it.
373 snat_skb(struct datapath *dp, struct sk_buff *skb, int out_port)
375 struct net_bridge_port *p = dp->ports[out_port];
376 struct sk_buff *nskb;
381 nskb = skb_copy(skb, GFP_ATOMIC);
387 /* We only SNAT IP, so just send it on its way if not */
388 if (skb->protocol != htons(ETH_P_IP)) {
393 /* Set the source MAC to the OF interface */
394 memcpy(eth_hdr(nskb)->h_source, dp->netdev->dev_addr, ETH_ALEN);
396 update_mapping(p, skb);
398 /* Take the Ethernet header back off for netfilter hooks. */
399 skb_pull(nskb, ETH_HLEN);
401 NF_HOOK(PF_INET, NF_INET_FORWARD, nskb, skb->dev, nskb->dev,
405 /* Remove SNAT configuration on port 'p'.
407 * NB: The caller must hold the port's spinlock. */
409 snat_free_conf(struct net_bridge_port *p)
411 struct snat_conf *sc = p->snat;
416 /* Free existing mapping entries */
417 while (!list_empty(&sc->mappings)) {
418 struct snat_mapping *m = list_entry(sc->mappings.next,
419 struct snat_mapping, node);
430 /* Remove SNAT configuration from an interface. */
432 snat_del_port(struct datapath *dp, uint16_t port)
435 struct net_bridge_port *p = dp->ports[port];
439 printk("Attempt to remove snat on non-existent port: %d\n", port);
443 spin_lock_irqsave(&p->lock, flags);
444 if (snat_free_conf(p)) {
445 /* SNAT not configured on this port */
446 spin_unlock_irqrestore(&p->lock, flags);
448 printk("Attempt to remove snat on non-snat port: %d\n", port);
452 spin_unlock_irqrestore(&p->lock, flags);
457 /* Add SNAT configuration to an interface. */
459 snat_add_port(struct datapath *dp, uint16_t port,
460 uint32_t ip_addr_start, uint32_t ip_addr_end,
461 uint16_t mac_timeout)
464 struct net_bridge_port *p = dp->ports[port];
465 struct snat_conf *sc;
468 if (mac_timeout == 0)
469 mac_timeout = MAC_TIMEOUT_DEFAULT;
473 printk("Attempt to add snat on non-existent port: %d\n", port);
477 /* If SNAT is already configured on the port, check whether the same
478 * IP addresses are used. If so, just update the mac timeout
479 * configuration. Otherwise, drop all SNAT configuration and
481 spin_lock_irqsave(&p->lock, flags);
483 if ((p->snat->ip_addr_start == ip_addr_start)
484 && (p->snat->ip_addr_end = ip_addr_end)) {
485 p->snat->mac_timeout = mac_timeout;
486 spin_unlock_irqrestore(&p->lock, flags);
490 /* Free the existing configuration and mappings. */
494 sc = kzalloc(sizeof *sc, GFP_ATOMIC);
496 spin_unlock_irqrestore(&p->lock, flags);
500 sc->ip_addr_start = ip_addr_start;
501 sc->ip_addr_end = ip_addr_end;
502 sc->mac_timeout = mac_timeout;
503 INIT_LIST_HEAD(&sc->mappings);
506 spin_unlock_irqrestore(&p->lock, flags);
511 /* Handle a SNAT configuration message.
513 * Returns 0 if no problems are found. Otherwise, a negative errno. */
515 snat_mod_config(struct datapath *dp, const struct nx_act_config *nac)
517 int n_entries = (ntohs(nac->header.header.length) - sizeof *nac)
518 / sizeof (struct nx_snat_config);
522 for (i=0; i<n_entries; i++) {
523 const struct nx_snat_config *sc = &nac->snat[i];
524 uint16_t port = ntohs(sc->port);
527 if (sc->command == NXSC_ADD)
528 r = snat_add_port(dp, port,
529 ntohl(sc->ip_addr_start), ntohl(sc->ip_addr_end),
530 ntohs(sc->mac_timeout));
532 r = snat_del_port(dp, port);
git://git.onelab.eu / sliver-openvswitch.git / blob