diff --git a/doc/changelog.txt b/doc/changelog.txt index d2928cb..7012d5f 100644 --- a/doc/changelog.txt +++ b/doc/changelog.txt @@ -1,6 +1,8 @@ HEAD ==== +Changes +- remove unmaintained RAWSNAT/RAWDNAT code v2.3 (2013-06-18) diff --git a/extensions/Kbuild b/extensions/Kbuild index 39421ec..c05d5c0 100644 --- a/extensions/Kbuild +++ b/extensions/Kbuild @@ -15,10 +15,6 @@ obj-${build_ECHO} += xt_ECHO.o endif obj-${build_IPMARK} += xt_IPMARK.o obj-${build_LOGMARK} += xt_LOGMARK.o -obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o -ifneq (${CONFIG_IP6_NF_IPTABLES},) -obj-${build_RAWNAT} += ip6table_rawpost.o -endif obj-${build_SYSRQ} += xt_SYSRQ.o obj-${build_TARPIT} += xt_TARPIT.o obj-${build_condition} += xt_condition.o diff --git a/extensions/Mbuild b/extensions/Mbuild index 1d46a2d..1176948 100644 --- a/extensions/Mbuild +++ b/extensions/Mbuild @@ -8,7 +8,6 @@ obj-${build_DNETMAP} += libxt_DNETMAP.so obj-${build_ECHO} += libxt_ECHO.so obj-${build_IPMARK} += libxt_IPMARK.so obj-${build_LOGMARK} += libxt_LOGMARK.so -obj-${build_RAWNAT} += libxt_RAWDNAT.so libxt_RAWSNAT.so obj-${build_SYSRQ} += libxt_SYSRQ.so obj-${build_TARPIT} += libxt_TARPIT.so obj-${build_condition} += libxt_condition.so diff --git a/extensions/compat_rawpost.h b/extensions/compat_rawpost.h deleted file mode 100644 index 0221c8b..0000000 --- a/extensions/compat_rawpost.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef XTA_COMPAT_RAWPOST_H -#define XTA_COMPAT_RAWPOST_H 1 - -typedef struct sk_buff sk_buff_t; - -#endif /* XTA_COMPAT_RAWPOST_H */ diff --git a/extensions/ip6table_rawpost.c b/extensions/ip6table_rawpost.c deleted file mode 100644 index e664f16..0000000 --- a/extensions/ip6table_rawpost.c +++ /dev/null @@ -1,93 +0,0 @@ -/* - * rawpost table for ip6_tables - * written by Jan Engelhardt, 2008 - 2009 - * placed in the Public Domain - */ -#include -#include -#include -#include "compat_xtables.h" -#include "compat_rawpost.h" - -enum { - RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING, -}; - -static struct { - struct ip6t_replace repl; - struct ip6t_standard entries[1]; - struct ip6t_error term; -} rawpost6_initial __initdata = { - .repl = { - .name = "rawpost", - .valid_hooks = RAWPOST_VALID_HOOKS, - .num_entries = 2, - .size = sizeof(struct ip6t_standard) + - sizeof(struct ip6t_error), - .hook_entry = { - [NF_INET_POST_ROUTING] = 0, - }, - .underflow = { - [NF_INET_POST_ROUTING] = 0, - }, - }, - .entries = { - IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */ - }, - .term = IP6T_ERROR_INIT, /* ERROR */ -}; - -static struct xt_table *rawpost6_ptable; - -static struct xt_table rawpost6_itable = { - .name = "rawpost", - .af = NFPROTO_IPV6, - .valid_hooks = RAWPOST_VALID_HOOKS, - .me = THIS_MODULE, -}; - -static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return ip6t_do_table(skb, hook, in, out, rawpost6_ptable); -} - -static struct nf_hook_ops rawpost6_hook_ops __read_mostly = { - .hook = rawpost6_hook_fn, - .pf = NFPROTO_IPV6, - .hooknum = NF_INET_POST_ROUTING, - .priority = NF_IP6_PRI_LAST, - .owner = THIS_MODULE, -}; - -static int __init rawpost6_table_init(void) -{ - int ret; - - rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable, - &rawpost6_initial.repl); - if (IS_ERR(rawpost6_ptable)) - return PTR_ERR(rawpost6_ptable); - - ret = nf_register_hook(&rawpost6_hook_ops); - if (ret < 0) - goto out; - - return ret; - - out: - ip6t_unregister_table(rawpost6_ptable); - return ret; -} - -static void __exit rawpost6_table_exit(void) -{ - nf_unregister_hook(&rawpost6_hook_ops); - ip6t_unregister_table(rawpost6_ptable); -} - -module_init(rawpost6_table_init); -module_exit(rawpost6_table_exit); -MODULE_AUTHOR("Jan Engelhardt "); -MODULE_LICENSE("GPL"); diff --git a/extensions/iptable_rawpost.c b/extensions/iptable_rawpost.c deleted file mode 100644 index 633cd7e..0000000 --- a/extensions/iptable_rawpost.c +++ /dev/null @@ -1,95 +0,0 @@ -/* - * rawpost table for ip_tables - * written by Jan Engelhardt, 2008 - 2009 - * placed in the Public Domain - */ -#include -#include -#include -#include -#include "compat_xtables.h" -#include "compat_rawpost.h" - -enum { - RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING, -}; - -static struct { - struct ipt_replace repl; - struct ipt_standard entries[1]; - struct ipt_error term; -} rawpost4_initial __initdata = { - .repl = { - .name = "rawpost", - .valid_hooks = RAWPOST_VALID_HOOKS, - .num_entries = 2, - .size = sizeof(struct ipt_standard) + - sizeof(struct ipt_error), - .hook_entry = { - [NF_INET_POST_ROUTING] = 0, - }, - .underflow = { - [NF_INET_POST_ROUTING] = 0, - }, - }, - .entries = { - IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */ - }, - .term = IPT_ERROR_INIT, /* ERROR */ -}; - -static struct xt_table *rawpost4_ptable; - -static struct xt_table rawpost4_itable = { - .name = "rawpost", - .af = NFPROTO_IPV4, - .valid_hooks = RAWPOST_VALID_HOOKS, - .me = THIS_MODULE, -}; - -static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return ipt_do_table(skb, hook, in, out, rawpost4_ptable); -} - -static struct nf_hook_ops rawpost4_hook_ops __read_mostly = { - .hook = rawpost4_hook_fn, - .pf = NFPROTO_IPV4, - .hooknum = NF_INET_POST_ROUTING, - .priority = NF_IP_PRI_LAST, - .owner = THIS_MODULE, -}; - -static int __init rawpost4_table_init(void) -{ - int ret; - - rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable, - &rawpost4_initial.repl); - if (IS_ERR(rawpost4_ptable)) - return PTR_ERR(rawpost4_ptable); - - ret = nf_register_hook(&rawpost4_hook_ops); - if (ret < 0) - goto out; - - return ret; - - out: - ipt_unregister_table(rawpost4_ptable); - return ret; -} - -static void __exit rawpost4_table_exit(void) -{ - nf_unregister_hook(&rawpost4_hook_ops); - ipt_unregister_table(rawpost4_ptable); -} - -module_init(rawpost4_table_init); -module_exit(rawpost4_table_exit); -MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT"); -MODULE_AUTHOR("Jan Engelhardt "); -MODULE_LICENSE("GPL"); diff --git a/extensions/libxt_RAWDNAT.c b/extensions/libxt_RAWDNAT.c deleted file mode 100644 index 4285bae..0000000 --- a/extensions/libxt_RAWDNAT.c +++ /dev/null @@ -1,177 +0,0 @@ -/* - * "RAWNAT" target extension for iptables - * Copyright © Jan Engelhardt, 2008 - 2009 - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License; either - * version 2 of the License, or any later version, as published by the - * Free Software Foundation. - */ -#include -#include -#include -#include -#include -#include -#include -#include "xt_RAWNAT.h" -#include "compat_user.h" - -enum { - FLAGS_TO = 1 << 0, -}; - -static const struct option rawdnat_tg_opts[] = { - {.name = "to-destination", .has_arg = true, .val = 't'}, - {}, -}; - -static void rawdnat_tg_help(void) -{ - printf( -"RAWDNAT target options:\n" -" --to-destination addr[/mask] Address or network to map to\n" -); -} - -static int -rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - struct xt_rawnat_tginfo *info = (void *)(*target)->data; - struct in_addr *a; - unsigned int mask; - char *end; - - switch (c) { - case 't': - info->mask = 32; - end = strchr(optarg, '/'); - if (end != NULL) { - *end++ = '\0'; - if (!xtables_strtoui(end, NULL, &mask, 0, 32)) - xtables_param_act(XTF_BAD_VALUE, "RAWDNAT", - "--to-destination", optarg); - info->mask = mask; - } - a = xtables_numeric_to_ipaddr(optarg); - if (a == NULL) - xtables_param_act(XTF_BAD_VALUE, "RAWDNAT", - "--to-destination", optarg); - memcpy(&info->addr.in, a, sizeof(*a)); - *flags |= FLAGS_TO; - return true; - } - return false; -} - -static int -rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - struct xt_rawnat_tginfo *info = (void *)(*target)->data; - struct in6_addr *a; - unsigned int mask; - char *end; - - switch (c) { - case 't': - info->mask = 128; - end = strchr(optarg, '/'); - if (end != NULL) { - *end++ = '\0'; - if (!xtables_strtoui(end, NULL, &mask, 0, 128)) - xtables_param_act(XTF_BAD_VALUE, "RAWDNAT", - "--to-destination", optarg); - info->mask = mask; - } - a = xtables_numeric_to_ip6addr(optarg); - if (a == NULL) - xtables_param_act(XTF_BAD_VALUE, "RAWDNAT", - "--to-destination", optarg); - memcpy(&info->addr.in6, a, sizeof(*a)); - *flags |= FLAGS_TO; - return true; - } - return false; -} - -static void rawdnat_tg_check(unsigned int flags) -{ - if (!(flags & FLAGS_TO)) - xtables_error(PARAMETER_PROBLEM, "RAWDNAT: " - "\"--to-destination\" is required."); -} - -static void -rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target) -{ - const struct xt_rawnat_tginfo *info = (const void *)target->data; - - printf(" --to-destination %s/%u ", - xtables_ipaddr_to_numeric(&info->addr.in), - info->mask); -} - -static void -rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target, - int numeric) -{ - printf(" -j RAWDNAT"); - rawdnat_tg4_save(entry, target); -} - -static void -rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target) -{ - const struct xt_rawnat_tginfo *info = (const void *)target->data; - - printf(" --to-destination %s/%u ", - xtables_ip6addr_to_numeric(&info->addr.in6), - info->mask); -} - -static void -rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target, - int numeric) -{ - printf(" -j RAWDNAT"); - rawdnat_tg6_save(entry, target); -} - -static struct xtables_target rawdnat_tg_reg[] = { - { - .version = XTABLES_VERSION, - .name = "RAWDNAT", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .help = rawdnat_tg_help, - .parse = rawdnat_tg4_parse, - .final_check = rawdnat_tg_check, - .print = rawdnat_tg4_print, - .save = rawdnat_tg4_save, - .extra_opts = rawdnat_tg_opts, - }, - { - .version = XTABLES_VERSION, - .name = "RAWDNAT", - .revision = 0, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .help = rawdnat_tg_help, - .parse = rawdnat_tg6_parse, - .final_check = rawdnat_tg_check, - .print = rawdnat_tg6_print, - .save = rawdnat_tg6_save, - .extra_opts = rawdnat_tg_opts, - }, -}; - -static void _init(void) -{ - xtables_register_targets(rawdnat_tg_reg, - sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg)); -} diff --git a/extensions/libxt_RAWDNAT.man b/extensions/libxt_RAWDNAT.man deleted file mode 100644 index 53062f6..0000000 --- a/extensions/libxt_RAWDNAT.man +++ /dev/null @@ -1,11 +0,0 @@ -.PP -The \fBRAWDNAT\fR target will rewrite the destination address in the IP header, -much like the \fBNETMAP\fR target. -.TP -\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR] -Network address to map to. The resulting address will be constructed the -following way: All "one" bits in the \fImask\fR are filled in from the new -\fIaddress\fR. All bits that are zero in the mask are filled in from the -original address. -.PP -See the \fBRAWSNAT\fR help entry for examples and constraints. diff --git a/extensions/libxt_RAWSNAT.c b/extensions/libxt_RAWSNAT.c deleted file mode 100644 index 1a64a97..0000000 --- a/extensions/libxt_RAWSNAT.c +++ /dev/null @@ -1,177 +0,0 @@ -/* - * "RAWNAT" target extension for iptables - * Copyright © Jan Engelhardt, 2008 - 2009 - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License; either - * version 2 of the License, or any later version, as published by the - * Free Software Foundation. - */ -#include -#include -#include -#include -#include -#include -#include -#include "xt_RAWNAT.h" -#include "compat_user.h" - -enum { - FLAGS_TO = 1 << 0, -}; - -static const struct option rawsnat_tg_opts[] = { - {.name = "to-source", .has_arg = true, .val = 't'}, - {}, -}; - -static void rawsnat_tg_help(void) -{ - printf( -"RAWSNAT target options:\n" -" --to-source addr[/mask] Address or network to map to\n" -); -} - -static int -rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - struct xt_rawnat_tginfo *info = (void *)(*target)->data; - struct in_addr *a; - unsigned int mask; - char *end; - - switch (c) { - case 't': - info->mask = 32; - end = strchr(optarg, '/'); - if (end != NULL) { - *end++ = '\0'; - if (!xtables_strtoui(end, NULL, &mask, 0, 32)) - xtables_param_act(XTF_BAD_VALUE, "RAWSNAT", - "--to-source", optarg); - info->mask = mask; - } - a = xtables_numeric_to_ipaddr(optarg); - if (a == NULL) - xtables_param_act(XTF_BAD_VALUE, "RAWSNAT", - "--to-source", optarg); - memcpy(&info->addr.in, a, sizeof(*a)); - *flags |= FLAGS_TO; - return true; - } - return false; -} - -static int -rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - struct xt_rawnat_tginfo *info = (void *)(*target)->data; - struct in6_addr *a; - unsigned int mask; - char *end; - - switch (c) { - case 't': - info->mask = 128; - end = strchr(optarg, '/'); - if (end != NULL) { - *end++ = '\0'; - if (!xtables_strtoui(end, NULL, &mask, 0, 128)) - xtables_param_act(XTF_BAD_VALUE, "RAWSNAT", - "--to-source", optarg); - info->mask = mask; - } - a = xtables_numeric_to_ip6addr(optarg); - if (a == NULL) - xtables_param_act(XTF_BAD_VALUE, "RAWSNAT", - "--to-source", optarg); - memcpy(&info->addr.in6, a, sizeof(*a)); - *flags |= FLAGS_TO; - return true; - } - return false; -} - -static void rawsnat_tg_check(unsigned int flags) -{ - if (!(flags & FLAGS_TO)) - xtables_error(PARAMETER_PROBLEM, "RAWSNAT: " - "\"--to-source\" is required."); -} - -static void -rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target) -{ - const struct xt_rawnat_tginfo *info = (const void *)target->data; - - printf(" --to-source %s/%u ", - xtables_ipaddr_to_numeric(&info->addr.in), - info->mask); -} - -static void -rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target) -{ - const struct xt_rawnat_tginfo *info = (const void *)target->data; - - printf(" --to-source %s/%u ", - xtables_ip6addr_to_numeric(&info->addr.in6), - info->mask); -} - -static void -rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target, - int numeric) -{ - printf(" -j RAWSNAT"); - rawsnat_tg4_save(entry, target); -} - -static void -rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target, - int numeric) -{ - printf(" -j RAWSNAT"); - rawsnat_tg6_save(entry, target); -} - -static struct xtables_target rawsnat_tg_reg[] = { - { - .version = XTABLES_VERSION, - .name = "RAWSNAT", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .help = rawsnat_tg_help, - .parse = rawsnat_tg4_parse, - .final_check = rawsnat_tg_check, - .print = rawsnat_tg4_print, - .save = rawsnat_tg4_save, - .extra_opts = rawsnat_tg_opts, - }, - { - .version = XTABLES_VERSION, - .name = "RAWSNAT", - .revision = 0, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)), - .help = rawsnat_tg_help, - .parse = rawsnat_tg6_parse, - .final_check = rawsnat_tg_check, - .print = rawsnat_tg6_print, - .save = rawsnat_tg6_save, - .extra_opts = rawsnat_tg_opts, - }, -}; - -static void _init(void) -{ - xtables_register_targets(rawsnat_tg_reg, - sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg)); -} diff --git a/extensions/libxt_RAWSNAT.man b/extensions/libxt_RAWSNAT.man deleted file mode 100644 index 7ef73f5..0000000 --- a/extensions/libxt_RAWSNAT.man +++ /dev/null @@ -1,39 +0,0 @@ -.PP -The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address -translation. -.PP -The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much -like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be -used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains, -which makes it possible to change the source address either when the packet -enters the machine or when it leaves it. The reason for this table constraint -is that RAWNAT must happen outside of connection tracking. -.TP -\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR] -Network address to map to. The resulting address will be constructed the -following way: All "one" bits in the \fImask\fR are filled in from the new -\fIaddress\fR. All bits that are zero in the mask are filled in from the -original address. -.PP -As an example, changing the destination for packets forwarded from an internal -LAN to the internet: -.IP -\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250; -\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135; -.PP -Note that changing addresses may influence the route selection! Specifically, -it statically NATs packets, not connections, like the normal DNAT/SNAT targets -would do. Also note that it can transform already-NATed connections \(em as -said, it is completely external to Netfilter's connection tracking/NAT. -.PP -If the machine itself generates packets that are to be rawnat-ed, you need a -rule in the OUTPUT chain instead, just like you would with the stateful NAT -targets. -.PP -It may be necessary that in doing so, you also need an extra RAWSNAT rule, to -override the automatic source address selection that the routing code does -before passing packets to iptables. If the connecting socket has not been -explicitly bound to an address, as is the common mode of operation, the address -that will be chosen is the primary address of the device through which the -packet would be routed with its initial destination address - the address as -seen before any RAWNAT takes place. diff --git a/extensions/xt_RAWNAT.c b/extensions/xt_RAWNAT.c deleted file mode 100644 index 858f911..0000000 --- a/extensions/xt_RAWNAT.c +++ /dev/null @@ -1,354 +0,0 @@ -/* - * "RAWNAT" target extension for Xtables - untracked NAT - * Copyright © Jan Engelhardt, 2008 - 2009 - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License; either - * version 2 of the License, or any later version, as published by the - * Free Software Foundation. - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "compat_xtables.h" -#include "xt_RAWNAT.h" -#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) -# define WITH_IPV6 1 -#endif - -static inline __be32 -remask(__be32 addr, __be32 repl, unsigned int shift) -{ - uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift); - return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask)); -} - -#ifdef WITH_IPV6 -static void -rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask) -{ - switch (mask) { - case 0: - break; - case 1 ... 31: - addr[0] = remask(addr[0], repl[0], mask); - break; - case 32: - addr[0] = repl[0]; - break; - case 33 ... 63: - addr[0] = repl[0]; - addr[1] = remask(addr[1], repl[1], mask - 32); - break; - case 64: - addr[0] = repl[0]; - addr[1] = repl[1]; - break; - case 65 ... 95: - addr[0] = repl[0]; - addr[1] = repl[1]; - addr[2] = remask(addr[2], repl[2], mask - 64); - case 96: - addr[0] = repl[0]; - addr[1] = repl[1]; - addr[2] = repl[2]; - break; - case 97 ... 127: - addr[0] = repl[0]; - addr[1] = repl[1]; - addr[2] = repl[2]; - addr[3] = remask(addr[3], repl[3], mask - 96); - break; - case 128: - addr[0] = repl[0]; - addr[1] = repl[1]; - addr[2] = repl[2]; - addr[3] = repl[3]; - break; - } -} -#endif - -static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip) -{ - struct iphdr *iph = ip_hdr(skb); - void *transport_hdr = (void *)iph + ip_hdrlen(skb); - struct tcphdr *tcph; - struct udphdr *udph; - bool cond; - - switch (iph->protocol) { - case IPPROTO_TCP: - tcph = transport_hdr; - inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true); - break; - case IPPROTO_UDP: - case IPPROTO_UDPLITE: - udph = transport_hdr; - cond = udph->check != 0; - cond |= skb->ip_summed == CHECKSUM_PARTIAL; - if (cond) { - inet_proto_csum_replace4(&udph->check, skb, - oldip, newip, true); - if (udph->check == 0) - udph->check = CSUM_MANGLED_0; - } - break; - } -} - -static unsigned int rawnat4_writable_part(const struct iphdr *iph) -{ - unsigned int wlen = iph->ihl * 4; - - switch (iph->protocol) { - case IPPROTO_TCP: - wlen += sizeof(struct tcphdr); - break; - case IPPROTO_UDP: - wlen += sizeof(struct udphdr); - break; - } - return wlen; -} - -static unsigned int -rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par) -{ - const struct xt_rawnat_tginfo *info = par->targinfo; - struct iphdr *iph; - __be32 new_addr; - - iph = ip_hdr(*pskb); - new_addr = remask(iph->saddr, info->addr.ip, info->mask); - if (iph->saddr == new_addr) - return XT_CONTINUE; - - if (!skb_make_writable(pskb, rawnat4_writable_part(iph))) - return NF_DROP; - - iph = ip_hdr(*pskb); - csum_replace4(&iph->check, iph->saddr, new_addr); - rawnat4_update_l4(*pskb, iph->saddr, new_addr); - iph->saddr = new_addr; - return XT_CONTINUE; -} - -static unsigned int -rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par) -{ - const struct xt_rawnat_tginfo *info = par->targinfo; - struct iphdr *iph; - __be32 new_addr; - - iph = ip_hdr(*pskb); - new_addr = remask(iph->daddr, info->addr.ip, info->mask); - if (iph->daddr == new_addr) - return XT_CONTINUE; - - if (!skb_make_writable(pskb, rawnat4_writable_part(iph))) - return NF_DROP; - - iph = ip_hdr(*pskb); - csum_replace4(&iph->check, iph->daddr, new_addr); - rawnat4_update_l4(*pskb, iph->daddr, new_addr); - iph->daddr = new_addr; - return XT_CONTINUE; -} - -#ifdef WITH_IPV6 -static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset, - unsigned int *l4proto) -{ - static const unsigned int types[] = - {IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE}; - unsigned int i; - int err; - - *l4proto = NEXTHDR_MAX; - - for (i = 0; i < ARRAY_SIZE(types); ++i) { - err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL); - if (err >= 0) { - *l4proto = types[i]; - break; - } - if (err != -ENOENT) - return false; - } - - switch (*l4proto) { - case IPPROTO_TCP: - if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr))) - return false; - break; - case IPPROTO_UDP: - case IPPROTO_UDPLITE: - if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr))) - return false; - break; - } - - return true; -} - -static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto, - unsigned int l4offset, const struct in6_addr *oldip, - const struct in6_addr *newip) -{ - const struct ipv6hdr *iph = ipv6_hdr(skb); - struct tcphdr *tcph; - struct udphdr *udph; - unsigned int i; - bool cond; - - switch (l4proto) { - case IPPROTO_TCP: - tcph = (void *)iph + l4offset; - for (i = 0; i < 4; ++i) - inet_proto_csum_replace4(&tcph->check, skb, - oldip->s6_addr32[i], newip->s6_addr32[i], true); - break; - case IPPROTO_UDP: - case IPPROTO_UDPLITE: - udph = (void *)iph + l4offset; - cond = udph->check; - cond |= skb->ip_summed == CHECKSUM_PARTIAL; - if (cond) { - for (i = 0; i < 4; ++i) - inet_proto_csum_replace4(&udph->check, skb, - oldip->s6_addr32[i], - newip->s6_addr32[i], true); - if (udph->check == 0) - udph->check = CSUM_MANGLED_0; - } - break; - } -} - -static unsigned int -rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par) -{ - const struct xt_rawnat_tginfo *info = par->targinfo; - unsigned int l4offset = 0, l4proto; - struct ipv6hdr *iph; - struct in6_addr new_addr; - - iph = ipv6_hdr(*pskb); - memcpy(&new_addr, &iph->saddr, sizeof(new_addr)); - rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask); - if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0) - return XT_CONTINUE; - if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto)) - return NF_DROP; - iph = ipv6_hdr(*pskb); - rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr); - memcpy(&iph->saddr, &new_addr, sizeof(new_addr)); - return XT_CONTINUE; -} - -static unsigned int -rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par) -{ - const struct xt_rawnat_tginfo *info = par->targinfo; - unsigned int l4offset = 0, l4proto; - struct ipv6hdr *iph; - struct in6_addr new_addr; - - iph = ipv6_hdr(*pskb); - memcpy(&new_addr, &iph->daddr, sizeof(new_addr)); - rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask); - if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0) - return XT_CONTINUE; - if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto)) - return NF_DROP; - iph = ipv6_hdr(*pskb); - rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr); - memcpy(&iph->daddr, &new_addr, sizeof(new_addr)); - return XT_CONTINUE; -} -#endif - -static int rawnat_tg_check(const struct xt_tgchk_param *par) -{ - if (strcmp(par->table, "raw") == 0 || - strcmp(par->table, "rawpost") == 0) - return 0; - - printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or " - "\"rawpost\" table.\n"); - return -EINVAL; -} - -static struct xt_target rawnat_tg_reg[] __read_mostly = { - { - .name = "RAWSNAT", - .revision = 0, - .family = NFPROTO_IPV4, - .target = rawsnat_tg4, - .targetsize = sizeof(struct xt_rawnat_tginfo), - .checkentry = rawnat_tg_check, - .me = THIS_MODULE, - }, -#ifdef WITH_IPV6 - { - .name = "RAWSNAT", - .revision = 0, - .family = NFPROTO_IPV6, - .target = rawsnat_tg6, - .targetsize = sizeof(struct xt_rawnat_tginfo), - .checkentry = rawnat_tg_check, - .me = THIS_MODULE, - }, -#endif - { - .name = "RAWDNAT", - .revision = 0, - .family = NFPROTO_IPV4, - .target = rawdnat_tg4, - .targetsize = sizeof(struct xt_rawnat_tginfo), - .checkentry = rawnat_tg_check, - .me = THIS_MODULE, - }, -#ifdef WITH_IPV6 - { - .name = "RAWDNAT", - .revision = 0, - .family = NFPROTO_IPV6, - .target = rawdnat_tg6, - .targetsize = sizeof(struct xt_rawnat_tginfo), - .checkentry = rawnat_tg_check, - .me = THIS_MODULE, - }, -#endif -}; - -static int __init rawnat_tg_init(void) -{ - return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg)); -} - -static void __exit rawnat_tg_exit(void) -{ - xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg)); -} - -module_init(rawnat_tg_init); -module_exit(rawnat_tg_exit); -MODULE_AUTHOR("Jan Engelhardt "); -MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT"); -MODULE_LICENSE("GPL"); -MODULE_ALIAS("ipt_RAWSNAT"); -MODULE_ALIAS("ipt_RAWDNAT"); -MODULE_ALIAS("ip6t_RAWSNAT"); -MODULE_ALIAS("ip6t_RAWDNAT"); diff --git a/extensions/xt_RAWNAT.h b/extensions/xt_RAWNAT.h deleted file mode 100644 index 308841c..0000000 --- a/extensions/xt_RAWNAT.h +++ /dev/null @@ -1,9 +0,0 @@ -#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT -#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1 - -struct xt_rawnat_tginfo { - union nf_inet_addr addr; - __u8 mask; -}; - -#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */ diff --git a/mconfig b/mconfig index 979d410..74ccd03 100644 --- a/mconfig +++ b/mconfig @@ -8,7 +8,6 @@ build_DNETMAP=m build_ECHO=m build_IPMARK=m build_LOGMARK=m -build_RAWNAT=m build_SYSRQ=m build_TARPIT=m build_condition=m