/net/netfilter/ipvs/ip_vs_nfct.c

  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/*
  3 * ip_vs_nfct.c:	Netfilter connection tracking support for IPVS
  4 *
  5 * Portions Copyright (C) 2001-2002
  6 * Antefacto Ltd, 181 Parnell St, Dublin 1, Ireland.
  7 *
  8 * Portions Copyright (C) 2003-2010
  9 * Julian Anastasov
 10 *
 11 * Authors:
 12 * Ben North <ben@redfrontdoor.org>
 13 * Julian Anastasov <ja@ssi.bg>		Reorganize and sync with latest kernels
 14 * Hannes Eder <heder@google.com>	Extend NFCT support for FTP, ipvs match
 15 *
 16 * Current status:
 17 *
 18 * - provide conntrack confirmation for new and related connections, by
 19 * this way we can see their proper conntrack state in all hooks
 20 * - support for all forwarding methods, not only NAT
 21 * - FTP support (NAT), ability to support other NAT apps with expectations
 22 * - to correctly create expectations for related NAT connections the proper
 23 * NF conntrack support must be already installed, eg. ip_vs_ftp requires
 24 * nf_conntrack_ftp ... iptables_nat for the same ports (but no iptables
 25 * NAT rules are needed)
 26 * - alter reply for NAT when forwarding packet in original direction:
 27 * conntrack from client in NEW or RELATED (Passive FTP DATA) state or
 28 * when RELATED conntrack is created from real server (Active FTP DATA)
 29 * - if iptables_nat is not loaded the Passive FTP will not work (the
 30 * PASV response can not be NAT-ed) but Active FTP should work
 31 */
 32
 33#define KMSG_COMPONENT "IPVS"
 34#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
 35
 36#include <linux/module.h>
 37#include <linux/types.h>
 38#include <linux/kernel.h>
 39#include <linux/errno.h>
 40#include <linux/compiler.h>
 41#include <linux/vmalloc.h>
 42#include <linux/skbuff.h>
 43#include <net/ip.h>
 44#include <linux/netfilter.h>
 45#include <linux/netfilter_ipv4.h>
 46#include <net/ip_vs.h>
 47#include <net/netfilter/nf_conntrack_core.h>
 48#include <net/netfilter/nf_conntrack_expect.h>
 49#include <net/netfilter/nf_conntrack_seqadj.h>
 50#include <net/netfilter/nf_conntrack_helper.h>
 51#include <net/netfilter/nf_conntrack_zones.h>
 52
 53
 54#define FMT_TUPLE	"%s:%u->%s:%u/%u"
 55#define ARG_TUPLE(T)	IP_VS_DBG_ADDR((T)->src.l3num, &(T)->src.u3),	\
 56			ntohs((T)->src.u.all),				\
 57			IP_VS_DBG_ADDR((T)->src.l3num, &(T)->dst.u3),	\
 58			ntohs((T)->dst.u.all),				\
 59			(T)->dst.protonum
 60
 61#define FMT_CONN	"%s:%u->%s:%u->%s:%u/%u:%u"
 62#define ARG_CONN(C)	IP_VS_DBG_ADDR((C)->af, &((C)->caddr)),		\
 63			ntohs((C)->cport),				\
 64			IP_VS_DBG_ADDR((C)->af, &((C)->vaddr)),		\
 65			ntohs((C)->vport),				\
 66			IP_VS_DBG_ADDR((C)->daf, &((C)->daddr)),	\
 67			ntohs((C)->dport),				\
 68			(C)->protocol, (C)->state
 69
 70void
 71ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
 72{
 73	enum ip_conntrack_info ctinfo;
 74	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 75	struct nf_conntrack_tuple new_tuple;
 76
 77	if (ct == NULL || nf_ct_is_confirmed(ct) ||
 78	    nf_ct_is_dying(ct))
 79		return;
 80
 81	/* Never alter conntrack for non-NAT conns */
 82	if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
 83		return;
 84
 85	/* Never alter conntrack for OPS conns (no reply is expected) */
 86	if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
 87		return;
 88
 89	/* Alter reply only in original direction */
 90	if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
 91		return;
 92
 93	/* Applications may adjust TCP seqs */
 94	if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
 95	    !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
 96		return;
 97
 98	/*
 99	 * The connection is not yet in the hashtable, so we update it.
100	 * CIP->VIP will remain the same, so leave the tuple in
101	 * IP_CT_DIR_ORIGINAL untouched.  When the reply comes back from the
102	 * real-server we will see RIP->DIP.
103	 */
104	new_tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
105	/*
106	 * This will also take care of UDP and other protocols.
107	 */
108	if (outin) {
109		new_tuple.src.u3 = cp->daddr;
110		if (new_tuple.dst.protonum != IPPROTO_ICMP &&
111		    new_tuple.dst.protonum != IPPROTO_ICMPV6)
112			new_tuple.src.u.tcp.port = cp->dport;
113	} else {
114		new_tuple.dst.u3 = cp->vaddr;
115		if (new_tuple.dst.protonum != IPPROTO_ICMP &&
116		    new_tuple.dst.protonum != IPPROTO_ICMPV6)
117			new_tuple.dst.u.tcp.port = cp->vport;
118	}
119	IP_VS_DBG_BUF(7, "%s: Updating conntrack ct=%p, status=0x%lX, "
120		      "ctinfo=%d, old reply=" FMT_TUPLE "\n",
121		      __func__, ct, ct->status, ctinfo,
122		      ARG_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple));
123	IP_VS_DBG_BUF(7, "%s: Updating conntrack ct=%p, status=0x%lX, "
124		      "ctinfo=%d, new reply=" FMT_TUPLE "\n",
125		      __func__, ct, ct->status, ctinfo,
126		      ARG_TUPLE(&new_tuple));
127	nf_conntrack_alter_reply(ct, &new_tuple);
128	IP_VS_DBG_BUF(7, "%s: Updated conntrack ct=%p for cp=" FMT_CONN "\n",
129		      __func__, ct, ARG_CONN(cp));
130}
131
132int ip_vs_confirm_conntrack(struct sk_buff *skb)
133{
134	return nf_conntrack_confirm(skb);
135}
136
137/*
138 * Called from init_conntrack() as expectfn handler.
139 */
140static void ip_vs_nfct_expect_callback(struct nf_conn *ct,
141	struct nf_conntrack_expect *exp)
142{
143	struct nf_conntrack_tuple *orig, new_reply;
144	struct ip_vs_conn *cp;
145	struct ip_vs_conn_param p;
146	struct net *net = nf_ct_net(ct);
147
148	/*
149	 * We assume that no NF locks are held before this callback.
150	 * ip_vs_conn_out_get and ip_vs_conn_in_get should match their
151	 * expectations even if they use wildcard values, now we provide the
152	 * actual values from the newly created original conntrack direction.
153	 * The conntrack is confirmed when packet reaches IPVS hooks.
154	 */
155
156	/* RS->CLIENT */
157	orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
158	ip_vs_conn_fill_param(net_ipvs(net), exp->tuple.src.l3num, orig->dst.protonum,
159			      &orig->src.u3, orig->src.u.tcp.port,
160			      &orig->dst.u3, orig->dst.u.tcp.port, &p);
161	cp = ip_vs_conn_out_get(&p);
162	if (cp) {
163		/* Change reply CLIENT->RS to CLIENT->VS */
164		IP_VS_DBG_BUF(7, "%s: for ct=%p, status=0x%lX found inout cp="
165			      FMT_CONN "\n",
166			      __func__, ct, ct->status, ARG_CONN(cp));
167		new_reply = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
168		IP_VS_DBG_BUF(7, "%s: ct=%p before alter: reply tuple="
169			      FMT_TUPLE "\n",
170			      __func__, ct, ARG_TUPLE(&new_reply));
171		new_reply.dst.u3 = cp->vaddr;
172		new_reply.dst.u.tcp.port = cp->vport;
173		goto alter;
174	}
175
176	/* CLIENT->VS */
177	cp = ip_vs_conn_in_get(&p);
178	if (cp) {
179		/* Change reply VS->CLIENT to RS->CLIENT */
180		IP_VS_DBG_BUF(7, "%s: for ct=%p, status=0x%lX found outin cp="
181			      FMT_CONN "\n",
182			      __func__, ct, ct->status, ARG_CONN(cp));
183		new_reply = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
184		IP_VS_DBG_BUF(7, "%s: ct=%p before alter: reply tuple="
185			      FMT_TUPLE "\n",
186			      __func__, ct, ARG_TUPLE(&new_reply));
187		new_reply.src.u3 = cp->daddr;
188		new_reply.src.u.tcp.port = cp->dport;
189		goto alter;
190	}
191
192	IP_VS_DBG_BUF(7, "%s: ct=%p, status=0x%lX, tuple=" FMT_TUPLE
193		      " - unknown expect\n",
194		      __func__, ct, ct->status, ARG_TUPLE(orig));
195	return;
196
197alter:
198	/* Never alter conntrack for non-NAT conns */
199	if (IP_VS_FWD_METHOD(cp) == IP_VS_CONN_F_MASQ)
200		nf_conntrack_alter_reply(ct, &new_reply);
201	ip_vs_conn_put(cp);
202	return;
203}
204
205/*
206 * Create NF conntrack expectation with wildcard (optional) source port.
207 * Then the default callback function will alter the reply and will confirm
208 * the conntrack entry when the first packet comes.
209 * Use port 0 to expect connection from any port.
210 */
211void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
212			       struct ip_vs_conn *cp, u_int8_t proto,
213			       const __be16 port, int from_rs)
214{
215	struct nf_conntrack_expect *exp;
216
217	if (ct == NULL)
218		return;
219
220	exp = nf_ct_expect_alloc(ct);
221	if (!exp)
222		return;
223
224	nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
225			from_rs ? &cp->daddr : &cp->caddr,
226			from_rs ? &cp->caddr : &cp->vaddr,
227			proto, port ? &port : NULL,
228			from_rs ? &cp->cport : &cp->vport);
229
230	exp->expectfn = ip_vs_nfct_expect_callback;
231
232	IP_VS_DBG_BUF(7, "%s: ct=%p, expect tuple=" FMT_TUPLE "\n",
233		      __func__, ct, ARG_TUPLE(&exp->tuple));
234	nf_ct_expect_related(exp, 0);
235	nf_ct_expect_put(exp);
236}
237EXPORT_SYMBOL(ip_vs_nfct_expect_related);
238
239/*
240 * Our connection was terminated, try to drop the conntrack immediately
241 */
242void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
243{
244	struct nf_conntrack_tuple_hash *h;
245	struct nf_conn *ct;
246	struct nf_conntrack_tuple tuple;
247
248	if (!cp->cport)
249		return;
250
251	tuple = (struct nf_conntrack_tuple) {
252		.dst = { .protonum = cp->protocol, .dir = IP_CT_DIR_ORIGINAL } };
253	tuple.src.u3 = cp->caddr;
254	tuple.src.u.all = cp->cport;
255	tuple.src.l3num = cp->af;
256	tuple.dst.u3 = cp->vaddr;
257	tuple.dst.u.all = cp->vport;
258
259	IP_VS_DBG_BUF(7, "%s: dropping conntrack for conn " FMT_CONN "\n",
260		      __func__, ARG_CONN(cp));
261
262	h = nf_conntrack_find_get(cp->ipvs->net, &nf_ct_zone_dflt, &tuple);
263	if (h) {
264		ct = nf_ct_tuplehash_to_ctrack(h);
265		if (nf_ct_kill(ct)) {
266			IP_VS_DBG_BUF(7, "%s: ct=%p deleted for tuple="
267				      FMT_TUPLE "\n",
268				      __func__, ct, ARG_TUPLE(&tuple));
269		} else {
270			IP_VS_DBG_BUF(7, "%s: ct=%p, no conntrack for tuple="
271				      FMT_TUPLE "\n",
272				      __func__, ct, ARG_TUPLE(&tuple));
273		}
274		nf_ct_put(ct);
275	} else {
276		IP_VS_DBG_BUF(7, "%s: no conntrack for tuple=" FMT_TUPLE "\n",
277			      __func__, ARG_TUPLE(&tuple));
278	}
279}
280