/net/netfilter/ipvs/ip_vs_nfct.c

http://github.com/mirrors/linux · C · 280 lines · 181 code · 31 blank · 68 comment · 32 complexity · e392e29425ab4ffc3ebedb211e0ca238 MD5 · raw file 

    

  1. // SPDX-License-Identifier: GPL-2.0-or-later
    2. 

  2. /*
    3. 

  3.  * ip_vs_nfct.c:	Netfilter connection tracking support for IPVS
    4. 

  4.  *
    5. 

  5.  * Portions Copyright (C) 2001-2002
    6. 

  6.  * Antefacto Ltd, 181 Parnell St, Dublin 1, Ireland.
    7. 

  7.  *
    8. 

  8.  * Portions Copyright (C) 2003-2010
    9. 

  9.  * Julian Anastasov
    10. 

  10.  *
    11. 

  11.  * Authors:
    12. 

  12.  * Ben North <ben@redfrontdoor.org>
    13. 

  13.  * Julian Anastasov <ja@ssi.bg>		Reorganize and sync with latest kernels
    14. 

  14.  * Hannes Eder <heder@google.com>	Extend NFCT support for FTP, ipvs match
    15. 

  15.  *
    16. 

  16.  * Current status:
    17. 

  17.  *
    18. 

  18.  * - provide conntrack confirmation for new and related connections, by
    19. 

  19.  * this way we can see their proper conntrack state in all hooks
    20. 

  20.  * - support for all forwarding methods, not only NAT
    21. 

  21.  * - FTP support (NAT), ability to support other NAT apps with expectations
    22. 

  22.  * - to correctly create expectations for related NAT connections the proper
    23. 

  23.  * NF conntrack support must be already installed, eg. ip_vs_ftp requires
    24. 

  24.  * nf_conntrack_ftp ... iptables_nat for the same ports (but no iptables
    25. 

  25.  * NAT rules are needed)
    26. 

  26.  * - alter reply for NAT when forwarding packet in original direction:
    27. 

  27.  * conntrack from client in NEW or RELATED (Passive FTP DATA) state or
    28. 

  28.  * when RELATED conntrack is created from real server (Active FTP DATA)
    29. 

  29.  * - if iptables_nat is not loaded the Passive FTP will not work (the
    30. 

  30.  * PASV response can not be NAT-ed) but Active FTP should work
    31. 

  31.  */
    32. 

  32. 

  33. #define KMSG_COMPONENT "IPVS"
    34. 

  34. #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
    35. 

  35. 

  36. #include <linux/module.h>
    37. 

  37. #include <linux/types.h>
    38. 

  38. #include <linux/kernel.h>
    39. 

  39. #include <linux/errno.h>
    40. 

  40. #include <linux/compiler.h>
    41. 

  41. #include <linux/vmalloc.h>
    42. 

  42. #include <linux/skbuff.h>
    43. 

  43. #include <net/ip.h>
    44. 

  44. #include <linux/netfilter.h>
    45. 

  45. #include <linux/netfilter_ipv4.h>
    46. 

  46. #include <net/ip_vs.h>
    47. 

  47. #include <net/netfilter/nf_conntrack_core.h>
    48. 

  48. #include <net/netfilter/nf_conntrack_expect.h>
    49. 

  49. #include <net/netfilter/nf_conntrack_seqadj.h>
    50. 

  50. #include <net/netfilter/nf_conntrack_helper.h>
    51. 

  51. #include <net/netfilter/nf_conntrack_zones.h>
    52. 

  52. 

  53. 

  54. #define FMT_TUPLE	"%s:%u->%s:%u/%u"
    55. 

  55. #define ARG_TUPLE(T)	IP_VS_DBG_ADDR((T)->src.l3num, &(T)->src.u3),	\
    56. 

  56. 			ntohs((T)->src.u.all),				\
    57. 

  57. 			IP_VS_DBG_ADDR((T)->src.l3num, &(T)->dst.u3),	\
    58. 

  58. 			ntohs((T)->dst.u.all),				\
    59. 

  59. 			(T)->dst.protonum
    60. 

  60. 

  61. #define FMT_CONN	"%s:%u->%s:%u->%s:%u/%u:%u"
    62. 

  62. #define ARG_CONN(C)	IP_VS_DBG_ADDR((C)->af, &((C)->caddr)),		\
    63. 

  63. 			ntohs((C)->cport),				\
    64. 

  64. 			IP_VS_DBG_ADDR((C)->af, &((C)->vaddr)),		\
    65. 

  65. 			ntohs((C)->vport),				\
    66. 

  66. 			IP_VS_DBG_ADDR((C)->daf, &((C)->daddr)),	\
    67. 

  67. 			ntohs((C)->dport),				\
    68. 

  68. 			(C)->protocol, (C)->state
    69. 

  69. 

  70. void
    71. 

  71. ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
    72. 

  72. {
    73. 

  73. 	enum ip_conntrack_info ctinfo;
    74. 

  74. 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
    75. 

  75. 	struct nf_conntrack_tuple new_tuple;
    76. 

  76. 

  77. 	if (ct == NULL || nf_ct_is_confirmed(ct) ||
    78. 

  78. 	    nf_ct_is_dying(ct))
    79. 

  79. 		return;
    80. 

  80. 

  81. 	/* Never alter conntrack for non-NAT conns */
    82. 

  82. 	if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
    83. 

  83. 		return;
    84. 

  84. 

  85. 	/* Never alter conntrack for OPS conns (no reply is expected) */
    86. 

  86. 	if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
    87. 

  87. 		return;
    88. 

  88. 

  89. 	/* Alter reply only in original direction */
    90. 

  90. 	if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
    91. 

  91. 		return;
    92. 

  92. 

  93. 	/* Applications may adjust TCP seqs */
    94. 

  94. 	if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
    95. 

  95. 	    !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
    96. 

  96. 		return;
    97. 

  97. 

  98. 	/*
    99. 

  99. 	 * The connection is not yet in the hashtable, so we update it.
    100. 

  100. 	 * CIP->VIP will remain the same, so leave the tuple in
    101. 

  101. 	 * IP_CT_DIR_ORIGINAL untouched.  When the reply comes back from the
    102. 

  102. 	 * real-server we will see RIP->DIP.
    103. 

  103. 	 */
    104. 

  104. 	new_tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
    105. 

  105. 	/*
    106. 

  106. 	 * This will also take care of UDP and other protocols.
    107. 

  107. 	 */
    108. 

  108. 	if (outin) {
    109. 

  109. 		new_tuple.src.u3 = cp->daddr;
    110. 

  110. 		if (new_tuple.dst.protonum != IPPROTO_ICMP &&
    111. 

  111. 		    new_tuple.dst.protonum != IPPROTO_ICMPV6)
    112. 

  112. 			new_tuple.src.u.tcp.port = cp->dport;
    113. 

  113. 	} else {
    114. 

  114. 		new_tuple.dst.u3 = cp->vaddr;
    115. 

  115. 		if (new_tuple.dst.protonum != IPPROTO_ICMP &&
    116. 

  116. 		    new_tuple.dst.protonum != IPPROTO_ICMPV6)
    117. 

  117. 			new_tuple.dst.u.tcp.port = cp->vport;
    118. 

  118. 	}
    119. 

  119. 	IP_VS_DBG_BUF(7, "%s: Updating conntrack ct=%p, status=0x%lX, "
    120. 

  120. 		      "ctinfo=%d, old reply=" FMT_TUPLE "\n",
    121. 

  121. 		      __func__, ct, ct->status, ctinfo,
    122. 

  122. 		      ARG_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple));
    123. 

  123. 	IP_VS_DBG_BUF(7, "%s: Updating conntrack ct=%p, status=0x%lX, "
    124. 

  124. 		      "ctinfo=%d, new reply=" FMT_TUPLE "\n",
    125. 

  125. 		      __func__, ct, ct->status, ctinfo,
    126. 

  126. 		      ARG_TUPLE(&new_tuple));
    127. 

  127. 	nf_conntrack_alter_reply(ct, &new_tuple);
    128. 

  128. 	IP_VS_DBG_BUF(7, "%s: Updated conntrack ct=%p for cp=" FMT_CONN "\n",
    129. 

  129. 		      __func__, ct, ARG_CONN(cp));
    130. 

  130. }
    131. 

  131. 

  132. int ip_vs_confirm_conntrack(struct sk_buff *skb)
    133. 

  133. {
    134. 

  134. 	return nf_conntrack_confirm(skb);
    135. 

  135. }
    136. 

  136. 

  137. /*
    138. 

  138.  * Called from init_conntrack() as expectfn handler.
    139. 

  139.  */
    140. 

  140. static void ip_vs_nfct_expect_callback(struct nf_conn *ct,
    141. 

  141. 	struct nf_conntrack_expect *exp)
    142. 

  142. {
    143. 

  143. 	struct nf_conntrack_tuple *orig, new_reply;
    144. 

  144. 	struct ip_vs_conn *cp;
    145. 

  145. 	struct ip_vs_conn_param p;
    146. 

  146. 	struct net *net = nf_ct_net(ct);
    147. 

  147. 

  148. 	/*
    149. 

  149. 	 * We assume that no NF locks are held before this callback.
    150. 

  150. 	 * ip_vs_conn_out_get and ip_vs_conn_in_get should match their
    151. 

  151. 	 * expectations even if they use wildcard values, now we provide the
    152. 

  152. 	 * actual values from the newly created original conntrack direction.
    153. 

  153. 	 * The conntrack is confirmed when packet reaches IPVS hooks.
    154. 

  154. 	 */
    155. 

  155. 

  156. 	/* RS->CLIENT */
    157. 

  157. 	orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
    158. 

  158. 	ip_vs_conn_fill_param(net_ipvs(net), exp->tuple.src.l3num, orig->dst.protonum,
    159. 

  159. 			      &orig->src.u3, orig->src.u.tcp.port,
    160. 

  160. 			      &orig->dst.u3, orig->dst.u.tcp.port, &p);
    161. 

  161. 	cp = ip_vs_conn_out_get(&p);
    162. 

  162. 	if (cp) {
    163. 

  163. 		/* Change reply CLIENT->RS to CLIENT->VS */
    164. 

  164. 		IP_VS_DBG_BUF(7, "%s: for ct=%p, status=0x%lX found inout cp="
    165. 

  165. 			      FMT_CONN "\n",
    166. 

  166. 			      __func__, ct, ct->status, ARG_CONN(cp));
    167. 

  167. 		new_reply = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
    168. 

  168. 		IP_VS_DBG_BUF(7, "%s: ct=%p before alter: reply tuple="
    169. 

  169. 			      FMT_TUPLE "\n",
    170. 

  170. 			      __func__, ct, ARG_TUPLE(&new_reply));
    171. 

  171. 		new_reply.dst.u3 = cp->vaddr;
    172. 

  172. 		new_reply.dst.u.tcp.port = cp->vport;
    173. 

  173. 		goto alter;
    174. 

  174. 	}
    175. 

  175. 

  176. 	/* CLIENT->VS */
    177. 

  177. 	cp = ip_vs_conn_in_get(&p);
    178. 

  178. 	if (cp) {
    179. 

  179. 		/* Change reply VS->CLIENT to RS->CLIENT */
    180. 

  180. 		IP_VS_DBG_BUF(7, "%s: for ct=%p, status=0x%lX found outin cp="
    181. 

  181. 			      FMT_CONN "\n",
    182. 

  182. 			      __func__, ct, ct->status, ARG_CONN(cp));
    183. 

  183. 		new_reply = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
    184. 

  184. 		IP_VS_DBG_BUF(7, "%s: ct=%p before alter: reply tuple="
    185. 

  185. 			      FMT_TUPLE "\n",
    186. 

  186. 			      __func__, ct, ARG_TUPLE(&new_reply));
    187. 

  187. 		new_reply.src.u3 = cp->daddr;
    188. 

  188. 		new_reply.src.u.tcp.port = cp->dport;
    189. 

  189. 		goto alter;
    190. 

  190. 	}
    191. 

  191. 

  192. 	IP_VS_DBG_BUF(7, "%s: ct=%p, status=0x%lX, tuple=" FMT_TUPLE
    193. 

  193. 		      " - unknown expect\n",
    194. 

  194. 		      __func__, ct, ct->status, ARG_TUPLE(orig));
    195. 

  195. 	return;
    196. 

  196. 

  197. alter:
    198. 

  198. 	/* Never alter conntrack for non-NAT conns */
    199. 

  199. 	if (IP_VS_FWD_METHOD(cp) == IP_VS_CONN_F_MASQ)
    200. 

  200. 		nf_conntrack_alter_reply(ct, &new_reply);
    201. 

  201. 	ip_vs_conn_put(cp);
    202. 

  202. 	return;
    203. 

  203. }
    204. 

  204. 

  205. /*
    206. 

  206.  * Create NF conntrack expectation with wildcard (optional) source port.
    207. 

  207.  * Then the default callback function will alter the reply and will confirm
    208. 

  208.  * the conntrack entry when the first packet comes.
    209. 

  209.  * Use port 0 to expect connection from any port.
    210. 

  210.  */
    211. 

  211. void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
    212. 

  212. 			       struct ip_vs_conn *cp, u_int8_t proto,
    213. 

  213. 			       const __be16 port, int from_rs)
    214. 

  214. {
    215. 

  215. 	struct nf_conntrack_expect *exp;
    216. 

  216. 

  217. 	if (ct == NULL)
    218. 

  218. 		return;
    219. 

  219. 

  220. 	exp = nf_ct_expect_alloc(ct);
    221. 

  221. 	if (!exp)
    222. 

  222. 		return;
    223. 

  223. 

  224. 	nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
    225. 

  225. 			from_rs ? &cp->daddr : &cp->caddr,
    226. 

  226. 			from_rs ? &cp->caddr : &cp->vaddr,
    227. 

  227. 			proto, port ? &port : NULL,
    228. 

  228. 			from_rs ? &cp->cport : &cp->vport);
    229. 

  229. 

  230. 	exp->expectfn = ip_vs_nfct_expect_callback;
    231. 

  231. 

  232. 	IP_VS_DBG_BUF(7, "%s: ct=%p, expect tuple=" FMT_TUPLE "\n",
    233. 

  233. 		      __func__, ct, ARG_TUPLE(&exp->tuple));
    234. 

  234. 	nf_ct_expect_related(exp, 0);
    235. 

  235. 	nf_ct_expect_put(exp);
    236. 

  236. }
    237. 

  237. EXPORT_SYMBOL(ip_vs_nfct_expect_related);
    238. 

  238. 

  239. /*
    240. 

  240.  * Our connection was terminated, try to drop the conntrack immediately
    241. 

  241.  */
    242. 

  242. void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
    243. 

  243. {
    244. 

  244. 	struct nf_conntrack_tuple_hash *h;
    245. 

  245. 	struct nf_conn *ct;
    246. 

  246. 	struct nf_conntrack_tuple tuple;
    247. 

  247. 

  248. 	if (!cp->cport)
    249. 

  249. 		return;
    250. 

  250. 

  251. 	tuple = (struct nf_conntrack_tuple) {
    252. 

  252. 		.dst = { .protonum = cp->protocol, .dir = IP_CT_DIR_ORIGINAL } };
    253. 

  253. 	tuple.src.u3 = cp->caddr;
    254. 

  254. 	tuple.src.u.all = cp->cport;
    255. 

  255. 	tuple.src.l3num = cp->af;
    256. 

  256. 	tuple.dst.u3 = cp->vaddr;
    257. 

  257. 	tuple.dst.u.all = cp->vport;
    258. 

  258. 

  259. 	IP_VS_DBG_BUF(7, "%s: dropping conntrack for conn " FMT_CONN "\n",
    260. 

  260. 		      __func__, ARG_CONN(cp));
    261. 

  261. 

  262. 	h = nf_conntrack_find_get(cp->ipvs->net, &nf_ct_zone_dflt, &tuple);
    263. 

  263. 	if (h) {
    264. 

  264. 		ct = nf_ct_tuplehash_to_ctrack(h);
    265. 

  265. 		if (nf_ct_kill(ct)) {
    266. 

  266. 			IP_VS_DBG_BUF(7, "%s: ct=%p deleted for tuple="
    267. 

  267. 				      FMT_TUPLE "\n",
    268. 

  268. 				      __func__, ct, ARG_TUPLE(&tuple));
    269. 

  269. 		} else {
    270. 

  270. 			IP_VS_DBG_BUF(7, "%s: ct=%p, no conntrack for tuple="
    271. 

  271. 				      FMT_TUPLE "\n",
    272. 

  272. 				      __func__, ct, ARG_TUPLE(&tuple));
    273. 

  273. 		}
    274. 

  274. 		nf_ct_put(ct);
    275. 

  275. 	} else {
    276. 

  276. 		IP_VS_DBG_BUF(7, "%s: no conntrack for tuple=" FMT_TUPLE "\n",
    277. 

  277. 			      __func__, ARG_TUPLE(&tuple));
    278. 

  278. 	}
    279. 

  279. }
    280.