3 * Distributed under the terms of the GNU GPL version 2.
4 * Copyright (c) 2008 Nicira Networks
7 #include <linux/netdevice.h>
8 #include <linux/netfilter.h>
9 #include <linux/netfilter_ipv4.h>
12 #include <linux/icmp.h>
13 #include <linux/if_ether.h>
15 #include <net/route.h>
19 #include "nx_act_snat.h"
22 /* We need these fake structures to make netfilter happy --
23 * lots of places assume that skb->dst != NULL, which isn't
24 * all that unreasonable.
26 * Currently, we fill in the PMTU entry because netfilter
27 * refragmentation needs it, and the rt_flags entry because
28 * ipt_REJECT needs it. Future netfilter modules might
29 * require us to fill additional fields. */
30 static struct net_device __fake_net_device = {
31 .hard_header_len = ETH_HLEN
34 static struct rtable __fake_rtable = {
37 .__refcnt = ATOMIC_INIT(1),
38 .dev = &__fake_net_device,
39 .path = &__fake_rtable.u.dst,
40 .metrics = {[RTAX_MTU - 1] = 1500},
47 /* Define ARP for IP since the Linux headers don't do it cleanly. */
54 uint8_t ar_sha[ETH_ALEN];
56 uint8_t ar_tha[ETH_ALEN];
58 } __attribute__((packed));
59 OFP_ASSERT(sizeof(struct ip_arphdr) == 28);
62 /* Push the Ethernet header back on and tranmit the packet. */
64 dp_xmit_skb_push(struct sk_buff *skb)
66 skb_push(skb, ETH_HLEN);
67 return dp_xmit_skb(skb);
70 /* Perform maintainence related to a SNAT'd interface. Currently, this only
71 * checks whether MAC->IP bindings have expired.
73 * Called with the RCU read lock */
75 snat_maint(struct net_bridge_port *p)
78 struct snat_mapping *m, *n;
80 unsigned long timeout;
82 spin_lock_irqsave(&p->lock, flags);
87 timeout = sc->mac_timeout * HZ;
89 list_for_each_entry_safe (m, n, &sc->mappings, node) {
90 if (time_after(jiffies, m->used + timeout)) {
97 spin_unlock_irqrestore(&p->lock, flags);
100 /* When the packet is bound for a local interface, strip off the fake
103 void snat_local_in(struct sk_buff *skb)
105 if (skb->dst == (struct dst_entry *)&__fake_rtable) {
106 dst_release(skb->dst);
111 /* Check whether destination IP's address is in the IP->MAC mappings.
112 * If it is, then overwrite the destination MAC with the value from the
115 * Returns -1 if there is a problem, otherwise 0. */
117 dnat_mac(struct net_bridge_port *p, struct sk_buff *skb)
119 struct snat_conf *sc = p->snat;
120 struct iphdr *iph = ip_hdr(skb);
121 struct ethhdr *eh = eth_hdr(skb);
122 struct snat_mapping *m;
124 if (skb->protocol != htons(ETH_P_IP))
127 list_for_each_entry (m, &sc->mappings, node) {
128 if (m->ip_addr == iph->daddr){
130 if (!make_writable(&skb)) {
132 printk("make_writable failed\n");
136 memcpy(eh->h_dest, m->hw_addr, ETH_ALEN);
145 __snat_this_address(struct snat_conf *sc, u32 ip_addr)
148 u32 h_ip_addr = ntohl(ip_addr);
149 return (h_ip_addr >= sc->ip_addr_start &&
150 h_ip_addr <= sc->ip_addr_end);
156 snat_this_address(struct net_bridge_port *p, u32 ip_addr)
158 unsigned long int flags;
161 spin_lock_irqsave(&p->lock, flags);
162 retval = __snat_this_address(p->snat, ip_addr);
163 spin_unlock_irqrestore(&p->lock, flags);
169 snat_pre_route_finish(struct sk_buff *skb)
171 struct net_bridge_port *p = skb->dev->br_port;
172 struct snat_conf *sc;
173 struct iphdr *iph = ip_hdr(skb);
176 skb->dst = (struct dst_entry *)&__fake_rtable;
179 /* Don't process packets that were not translated due to NAT */
180 spin_lock_irqsave(&p->lock, flags);
182 if (!__snat_this_address(sc, iph->daddr)) {
183 /* If SNAT is configured for this input device, check the
184 * IP->MAC mappings to see if we should update the destination
187 dnat_mac(skb->dev->br_port, skb);
190 spin_unlock_irqrestore(&p->lock, flags);
192 /* Pass the translated packet as input to the OpenFlow stack, which
194 skb_push(skb, ETH_HLEN);
195 skb_reset_mac_header(skb);
196 fwd_port_input(p->dp->chain, skb, p);
201 /* Checks whether 'skb' is an ARP request for an SNAT'd interface. If
202 * so, it will generate a response.
204 * Returns 0 if the packet was not handled. Otherwise, -1 is returned
205 * and the caller is responsible for freeing 'skb'. */
207 handle_arp_snat(struct sk_buff *skb)
209 struct net_bridge_port *p = skb->dev->br_port;
210 struct ip_arphdr *ah;
212 if (!pskb_may_pull(skb, sizeof *ah))
215 ah = (struct ip_arphdr *)arp_hdr(skb);
216 if ((ah->ar_op != htons(ARPOP_REQUEST))
217 || ah->ar_hln != ETH_ALEN
218 || ah->ar_pro != htons(ETH_P_IP)
222 /* We're only interested in addresses we rewrite. */
223 if (!snat_this_address(p, ah->ar_tip)) {
227 arp_send(ARPOP_REPLY, ETH_P_ARP, ah->ar_sip, skb->dev, ah->ar_tip,
228 ah->ar_sha, p->dp->netdev->dev_addr, ah->ar_sha);
233 /* Checks whether 'skb' is a ping request for an SNAT'd interface. If
234 * so, it will generate a response.
236 * Returns 0 if the packet was not handled. Otherwise, -1 is returned
237 * and the caller is responsible for freeing 'skb'. */
239 handle_icmp_snat(struct sk_buff *skb)
241 struct net_bridge_port *p = skb->dev->br_port;
244 struct icmphdr *icmph;
245 uint8_t tmp_eth[ETH_ALEN];
247 struct sk_buff *nskb;
249 /* We're only interested in addresses we rewrite. */
251 if (!snat_this_address(p, iph->daddr)) {
255 /* Drop fragments and packets not long enough to hold the ICMP
257 if ((ntohs(iph->frag_off) & IP_OFFSET) != 0 ||
258 !pskb_may_pull(skb, skb_transport_offset(skb) + 4))
261 /* We only respond to echo requests to our address. Continue
262 * processing replies and other ICMP messages since they may be
263 * intended for NAT'd hosts. */
264 icmph = icmp_hdr(skb);
265 if (icmph->type != ICMP_ECHO)
268 /* Send an echo reply in response */
269 nskb = skb_copy(skb, GFP_ATOMIC);
272 printk("skb copy failed for icmp reply\n");
276 /* Update Ethernet header. */
278 memcpy(tmp_eth, eh->h_dest, ETH_ALEN);
279 memcpy(eh->h_dest, eh->h_source, ETH_ALEN);
280 memcpy(eh->h_source, tmp_eth, ETH_ALEN);
283 * This is kind of busted, at least in that it doesn't check that the
284 * echoed IP options make sense. */
291 iph->daddr = iph->saddr;
293 iph->check = ip_fast_csum(iph, iph->ihl);
295 /* Update ICMP header. */
296 icmph = icmp_hdr(nskb);
297 icmph->type = ICMP_ECHOREPLY;
299 icmph->checksum = ip_compute_csum(icmph,
300 nskb->tail - nskb->transport_header);
302 dp_xmit_skb_push(nskb);
307 /* Check if any SNAT maintenance needs to be done on 'skb' before it's
308 * checked against the datapath's tables. This includes DNAT
309 * modification based on prior SNAT action and responding to ARP and
310 * echo requests for the SNAT interface.
312 * Returns -1 if the packet was handled and consumed, 0 if the caller
313 * should continue to process 'skb'.
316 snat_pre_route(struct sk_buff *skb)
321 WARN_ON_ONCE(skb_network_offset(skb));
322 if (skb->protocol == htons(ETH_P_ARP)) {
323 if (handle_arp_snat(skb))
327 else if (skb->protocol != htons(ETH_P_IP))
330 if (!pskb_may_pull(skb, sizeof *iph))
334 if (iph->ihl < 5 || iph->version != 4)
337 if (!pskb_may_pull(skb, ip_hdrlen(skb)))
339 skb_set_transport_header(skb, ip_hdrlen(skb));
341 /* Check if we need to echo reply for this address */
343 if ((iph->protocol == IPPROTO_ICMP) && (handle_icmp_snat(skb)))
347 if (unlikely(ip_fast_csum(iph, iph->ihl)))
350 len = ntohs(iph->tot_len);
351 if ((skb->len < len) || len < (iph->ihl*4))
354 if (pskb_trim_rcsum(skb, len))
357 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
358 snat_pre_route_finish);
368 snat_skb_finish(struct sk_buff *skb)
370 NF_HOOK(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
376 /* Update the MAC->IP mappings for the private side of the SNAT'd
379 update_mapping(struct net_bridge_port *p, const struct sk_buff *skb)
382 struct snat_conf *sc;
383 const struct iphdr *iph = ip_hdr(skb);
384 const struct ethhdr *eh = eth_hdr(skb);
385 struct snat_mapping *m;
387 spin_lock_irqsave(&p->lock, flags);
392 list_for_each_entry (m, &sc->mappings, node) {
393 if (m->ip_addr == iph->saddr){
394 memcpy(m->hw_addr, eh->h_source, ETH_ALEN);
400 m = kmalloc(sizeof *m, GFP_ATOMIC);
403 m->ip_addr = iph->saddr;
404 memcpy(m->hw_addr, eh->h_source, ETH_ALEN);
407 list_add(&m->node, &sc->mappings);
410 spin_unlock_irqrestore(&p->lock, flags);
413 /* Perform SNAT modification on 'skb' and send out 'out_port'. If the
414 * port was not configured for SNAT, it will be sent through the interface
415 * unmodified. 'skb' is not consumed, so caller will need to free it.
418 snat_skb(struct datapath *dp, const struct sk_buff *skb, int out_port)
420 struct net_bridge_port *p = dp->ports[out_port];
421 struct sk_buff *nskb;
426 /* FIXME: Expensive. Just need to skb_clone() here?
427 * (However, the skb_copy() does linearize and ensure that the headers
428 * are accessible.) */
429 nskb = skb_copy(skb, GFP_ATOMIC);
435 /* We only SNAT IP, so just send it on its way if not */
436 if (skb->protocol != htons(ETH_P_IP)) {
441 /* Set the source MAC to the OF interface */
442 memcpy(eth_hdr(nskb)->h_source, dp->netdev->dev_addr, ETH_ALEN);
444 update_mapping(p, skb);
446 /* Take the Ethernet header back off for netfilter hooks. */
447 skb_pull(nskb, ETH_HLEN);
449 NF_HOOK(PF_INET, NF_INET_FORWARD, nskb, skb->dev, nskb->dev,
453 /* Remove SNAT configuration on port 'p'.
455 * NB: The caller must hold the port's spinlock. */
457 snat_free_conf(struct net_bridge_port *p)
459 struct snat_conf *sc = p->snat;
464 /* Free existing mapping entries */
465 while (!list_empty(&sc->mappings)) {
466 struct snat_mapping *m = list_entry(sc->mappings.next,
467 struct snat_mapping, node);
478 /* Remove SNAT configuration from an interface. */
480 snat_del_port(struct datapath *dp, uint16_t port)
483 struct net_bridge_port *p = dp->ports[port];
487 printk("Attempt to remove snat on non-existent port: %d\n", port);
491 spin_lock_irqsave(&p->lock, flags);
492 if (snat_free_conf(p)) {
493 /* SNAT not configured on this port */
494 spin_unlock_irqrestore(&p->lock, flags);
496 printk("Attempt to remove snat on non-snat port: %d\n", port);
500 spin_unlock_irqrestore(&p->lock, flags);
505 /* Add SNAT configuration to an interface. */
507 snat_add_port(struct datapath *dp, uint16_t port,
508 uint32_t ip_addr_start, uint32_t ip_addr_end,
509 uint16_t mac_timeout)
512 struct net_bridge_port *p = dp->ports[port];
513 struct snat_conf *sc;
516 if (mac_timeout == 0)
517 mac_timeout = MAC_TIMEOUT_DEFAULT;
521 printk("Attempt to add snat on non-existent port: %d\n", port);
525 /* If SNAT is already configured on the port, check whether the same
526 * IP addresses are used. If so, just update the mac timeout
527 * configuration. Otherwise, drop all SNAT configuration and
529 spin_lock_irqsave(&p->lock, flags);
531 if ((p->snat->ip_addr_start == ip_addr_start)
532 && (p->snat->ip_addr_end == ip_addr_end)) {
533 p->snat->mac_timeout = mac_timeout;
534 spin_unlock_irqrestore(&p->lock, flags);
538 /* Free the existing configuration and mappings. */
542 sc = kzalloc(sizeof *sc, GFP_ATOMIC);
544 spin_unlock_irqrestore(&p->lock, flags);
548 sc->ip_addr_start = ip_addr_start;
549 sc->ip_addr_end = ip_addr_end;
550 sc->mac_timeout = mac_timeout;
551 INIT_LIST_HEAD(&sc->mappings);
554 spin_unlock_irqrestore(&p->lock, flags);
559 /* Handle a SNAT configuration message.
561 * Returns 0 if no problems are found. Otherwise, a negative errno. */
563 snat_mod_config(struct datapath *dp, const struct nx_act_config *nac)
565 int n_entries = (ntohs(nac->header.header.length) - sizeof *nac)
566 / sizeof (struct nx_snat_config);
570 for (i=0; i<n_entries; i++) {
571 const struct nx_snat_config *sc = &nac->snat[i];
572 uint16_t port = ntohs(sc->port);
575 if (sc->command == NXSC_ADD)
576 r = snat_add_port(dp, port,
577 ntohl(sc->ip_addr_start), ntohl(sc->ip_addr_end),
578 ntohs(sc->mac_timeout));
580 r = snat_del_port(dp, port);
git://git.onelab.eu / sliver-openvswitch.git / blob