Message ID | 20210705040856.25191-3-Cole.Dishington@alliedtelesis.co.nz (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net: netfilter: Add RFC-7597 Section 5.1 PSID support | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Guessed tree name to be net-next |
netdev/subject_prefix | warning | Target tree name not specified in the subject |
netdev/cc_maintainers | success | CCed 8 of 8 maintainers |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | fail | Errors and warnings before: 1 this patch: 10 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | warning | WARNING: line length of 116 exceeds 80 columns WARNING: line length of 84 exceeds 80 columns WARNING: line length of 89 exceeds 80 columns WARNING: line length of 95 exceeds 80 columns |
netdev/build_allmodconfig_warn | fail | Errors and warnings before: 1 this patch: 10 |
netdev/header_inline | success | Link |
Cole Dishington <Cole.Dishington@alliedtelesis.co.nz> wrote:
> Adds support for masquerading into a smaller subset of ports -
> defined by the PSID values from RFC-7597 Section 5.1. This is part of
> the support for MAP-E and Lightweight 4over6, which allows multiple
> devices to share an IPv4 address by splitting the L4 port / id into
> ranges.
>
> Co-developed-by: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>
> Signed-off-by: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>
> Co-developed-by: Scott Parlane <scott.parlane@alliedtelesis.co.nz>
> Signed-off-by: Scott Parlane <scott.parlane@alliedtelesis.co.nz>
> Signed-off-by: Blair Steven <blair.steven@alliedtelesis.co.nz>
> Signed-off-by: Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>
> ---

Just a quick review:

> + /* In this case we are in PSID mode, avoid checking all ranges by computing bitmasks */
> + if (is_psid) {
> + u16 j = ntohs(max->all) - ntohs(min->all) + 1;
> + u16 a = (1 << 16) / ntohs(base->all);

This gives a crash when base->all is 0.
If this is impossible, please add a comment, otherwise this needs a sanity test on the divisor.

> @@ -55,8 +55,21 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
> newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
> newrange.min_addr.ip = newsrc;
> newrange.max_addr.ip = newsrc;
> - newrange.min_proto = range->min_proto;
> - newrange.max_proto = range->max_proto;
> +
> + if (range->flags & NF_NAT_RANGE_PSID) {
> + u16 off = prandom_u32();
> + u16 base = ntohs(range->base_proto.all);
> + u16 min = ntohs(range->min_proto.all);
> + u16 max_off = ((1 << 16) / base) - 1;
> +
> + newrange.flags = newrange.flags | NF_NAT_RANGE_PROTO_SPECIFIED;
> + newrange.min_proto.all = htons(min + base * (off % max_off));

Same here for base and max_off.
Thanks for your time reviewing!

Changes in v4:
- Handle special case of no offset bits (a=0 / A=2^16).

Cole Dishington (3):
  net: netfilter: Add RFC-7597 Section 5.1 PSID support xtables API
  net: netfilter: Add RFC-7597 Section 5.1 PSID support
  selftests: netfilter: Add RFC-7597 Section 5.1 PSID selftests

 include/uapi/linux/netfilter/nf_nat.h   |   3 +-
 net/netfilter/nf_nat_core.c             |  39 +++-
 net/netfilter/nf_nat_masquerade.c       |  20 +-
 net/netfilter/xt_MASQUERADE.c           |  44 ++++-
 .../netfilter/nat_masquerade_psid.sh    | 182 ++++++++++++++++++
 5 files changed, 276 insertions(+), 12 deletions(-)
 create mode 100644 tools/testing/selftests/netfilter/nat_masquerade_psid.sh
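The series keeps referring to the RFC 7597 Section 5.1 port layout (offset bits A, PSID bits, contiguous bits M), and the review comments turn on how the bitmasks for it are derived. The following C program is an added worked example, not code from the patch series or the kernel: it spells out that layout, derives the offset and PSID masks from the parameters (a, k, PSID), and cross-checks the O(1) mask test against a brute-force enumeration from the formula. The struct and function names are this example's own, and the sample parameters (a = 6, k = 4, PSID 5) are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * RFC 7597 Section 5.1 port layout, MSB first: A (a offset bits, non-zero
 * when a > 0 so that block 0, the well-known ports, is never assigned),
 * PSID (k bits, the subscriber), M (m contiguous bits); a + k + m == 16.
 * Struct and function names are this example's own, not the kernel's.
 */
struct psid_params {
	unsigned a;     /* offset bits, RFC default 6 */
	unsigned k;     /* PSID bits, sharing ratio 2^k */
	uint16_t psid;  /* this subscriber's PSID, < 2^k */
};

struct psid_masks {
	uint16_t offset_mask;  /* the a high bits holding A */
	uint16_t psid_mask;    /* the k bits holding the PSID */
	uint16_t psid_value;   /* psid shifted into its field */
};

static bool psid_params_valid(const struct psid_params *p)
{
	return p->a + p->k <= 16 && p->psid < (1u << p->k);
}

/* Derive the masks once, as a NAT rule would at setup time. */
bool psid_masks_init(const struct psid_params *p, struct psid_masks *mk)
{
	unsigned m;
	if (!psid_params_valid(p))
		return false;
	m = 16 - p->a - p->k;
	mk->offset_mask = (uint16_t)(((1u << p->a) - 1) << (16 - p->a));
	mk->psid_mask = (uint16_t)(((1u << p->k) - 1) << m);
	mk->psid_value = (uint16_t)(p->psid << m);
	return true;
}

/* O(1) membership test: non-zero offset block (if a > 0) and our PSID. */
bool psid_port_allowed(const struct psid_params *p, uint16_t port)
{
	struct psid_masks mk;
	if (!psid_masks_init(p, &mk))
		return false;
	if (p->a > 0 && (port & mk.offset_mask) == 0)
		return false;
	return (port & mk.psid_mask) == mk.psid_value;
}

/* Ports owned by one PSID: (2^a - 1) usable blocks of 2^m ports each. */
unsigned psid_port_count(const struct psid_params *p)
{
	unsigned blocks = p->a ? (1u << p->a) - 1 : 1;
	return blocks * (1u << (16 - p->a - p->k));
}

/* The idx-th port from the layout formula (not the masks), so the two
 * views can be cross-checked; -1 when idx is out of range. */
int psid_nth_port(const struct psid_params *p, unsigned idx)
{
	unsigned m, block, A, M;
	if (!psid_params_valid(p) || idx >= psid_port_count(p))
		return -1;
	m = 16 - p->a - p->k;
	block = 1u << m;
	A = p->a ? idx / block + 1 : 0;   /* skip the A == 0 block */
	M = idx % block;
	return (int)((A << (16 - p->a)) | ((unsigned)p->psid << m) | M);
}

/* Confirm the masks accept exactly the ports the formula enumerates. */
bool psid_cross_check(const struct psid_params *p)
{
	unsigned n, i, seen = 0;
	if (!psid_params_valid(p))
		return false;
	n = psid_port_count(p);
	for (i = 0; i < n; i++) {
		int port = psid_nth_port(p, i);
		if (port < 0 || !psid_port_allowed(p, (uint16_t)port))
			return false;
	}
	for (i = 0; i <= 0xFFFF; i++)
		seen += psid_port_allowed(p, (uint16_t)i);
	return seen == n;
}

int main(void)
{
	/* Constructed sample: a = 6, k = 4 (16 subscribers), PSID 5. */
	struct psid_params p = { .a = 6, .k = 4, .psid = 5 };
	printf("%u ports, first %d, last %d, cross-check %s\n",
	       psid_port_count(&p), psid_nth_port(&p, 0),
	       psid_nth_port(&p, psid_port_count(&p) - 1),
	       psid_cross_check(&p) ? "ok" : "FAILED");
	return 0;
}
```

With a = 6, k = 4 the masks come out as offset_mask 0xFC00, psid_mask 0x03C0 and psid_value 0x0140 (5 << 6); the subscriber owns 63 blocks of 64 ports, and every parameter combination is validated before any shift or division so that a = 0 (no offset bits) and a + k = 16 (no contiguous bits) are handled rather than faulting.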
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index 7de595ead06a..1fbf98cade41 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c @@ -195,13 +195,30 @@ static bool nf_nat_inet_in_range(const struct nf_conntrack_tuple *t, static bool l4proto_in_range(const struct nf_conntrack_tuple *tuple, enum nf_nat_manip_type maniptype, const union nf_conntrack_man_proto *min, - const union nf_conntrack_man_proto *max) + const union nf_conntrack_man_proto *max, + const union nf_conntrack_man_proto *base, + bool is_psid) { __be16 port; + u16 psid, psid_mask, offset_mask; + + /* In this case we are in PSID mode, avoid checking all ranges by computing bitmasks */ + if (is_psid) { + u16 j = ntohs(max->all) - ntohs(min->all) + 1; + u16 a = (1 << 16) / ntohs(base->all); + + offset_mask = (a - 1) * ntohs(base->all); + psid_mask = ((ntohs(base->all) / j) << 1) - 1; + psid = ntohs(min->all) & psid_mask; + } switch (tuple->dst.protonum) { case IPPROTO_ICMP: case IPPROTO_ICMPV6: + if (is_psid) { + return ((ntohs(tuple->src.u.icmp.id) & offset_mask) != 0) && + ((ntohs(tuple->src.u.icmp.id) & psid_mask) == psid); + } return ntohs(tuple->src.u.icmp.id) >= ntohs(min->icmp.id) && ntohs(tuple->src.u.icmp.id) <= ntohs(max->icmp.id); case IPPROTO_GRE: /* all fall though */ @@ -215,6 +232,10 @@ static bool l4proto_in_range(const struct nf_conntrack_tuple *tuple, else port = tuple->dst.u.all; + if (is_psid) { + return ((ntohs(port) & offset_mask) != 0) && + ((ntohs(port) & psid_mask) == psid); + } return ntohs(port) >= ntohs(min->all) && ntohs(port) <= ntohs(max->all); default: @@ -239,7 +260,8 @@ static int in_range(const struct nf_conntrack_tuple *tuple, return 1; return l4proto_in_range(tuple, NF_NAT_MANIP_SRC, - &range->min_proto, &range->max_proto); + &range->min_proto, &range->max_proto, &range->base_proto, + range->flags & NF_NAT_RANGE_PSID); } static inline int 
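Review bot: in the l4proto_in_range() hunk both divisions can fault: `u16 a = (1 << 16) / ntohs(base->all)` when base->all is 0, and `ntohs(base->all) / j` when j is 0, which a u16 `j = ntohs(max->all) - ntohs(min->all) + 1` becomes whenever the range spans all 65536 ports; either reject such ranges where the rule is parsed or bail out of the PSID path here before dividing. In the same block, `u16 a` truncates 65536 to 0 when base->all is 1, so `(a - 1) * ntohs(base->all)` wraps; the v4 changelog says the no-offset-bits case is handled, but nothing in this hunk shows where. The psid_mask expression also deserves a second look: with base->all = 1024 and a 64-port range (j = 64), `((1024 / 64) << 1) - 1` is 31, a mask over the low five bits, whereas the PSID field sits above the contiguous-port bits; if min/max describe one block belonging to the PSID, something like `ntohs(base->all) - j` (960, 0x03C0, here) is the mask that `(port & psid_mask) == psid` appears to want. Finally, offset_mask, psid_mask and psid are only assigned under `if (is_psid)` and only read under the same condition, which the compiler cannot prove; initialising them to 0 at declaration would avoid the maybe-uninitialised warnings that the build_32bit and build_allmodconfig_warn checks above report rising from 1 to 10.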
@@ -532,8 +554,11 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) && l4proto_in_range(tuple, maniptype, - &range->min_proto, - &range->max_proto) && + &range->min_proto, + &range->max_proto, + &range->base_proto, + range->flags & + NF_NAT_RANGE_PSID) && (range->min_proto.all == range->max_proto.all || !nf_nat_used_tuple(tuple, ct))) return; diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c index 8e8a65d46345..423b3774e65c 100644 --- a/net/netfilter/nf_nat_masquerade.c +++ b/net/netfilter/nf_nat_masquerade.c @@ -55,8 +55,21 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum, newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS; newrange.min_addr.ip = newsrc; newrange.max_addr.ip = newsrc; - newrange.min_proto = range->min_proto; - newrange.max_proto = range->max_proto; + + if (range->flags & NF_NAT_RANGE_PSID) { + u16 off = prandom_u32(); + u16 base = ntohs(range->base_proto.all); + u16 min = ntohs(range->min_proto.all); + u16 max_off = ((1 << 16) / base) - 1; + + newrange.flags = newrange.flags | NF_NAT_RANGE_PROTO_SPECIFIED; + newrange.min_proto.all = htons(min + base * (off % max_off)); + newrange.max_proto.all = htons(ntohs(newrange.min_proto.all) + ntohs(range->max_proto.all) - min); + newrange.base_proto = range->base_proto; + } else { + newrange.min_proto = range->min_proto; + newrange.max_proto = range->max_proto; + } /* Hand modified range to generic setup. */ return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
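Review bot: in the nf_nat_masquerade_ipv4() hunk, `off % max_off` divides by zero whenever max_off is 0, which is the case for any base above 0x8000 (`(1 << 16) / base` is then 1), in addition to the base == 0 division on the line before it; both need rejecting before this point, ideally when the rule is parsed. The modulo is also inconsistent with the range check in nf_nat_core.c: `off % max_off` yields 0 .. max_off - 1, so offset block 0 can be chosen here even though l4proto_in_range() refuses any port with `(port & offset_mask) == 0`, while the top block max_off is never chosen; `min + base * (1 + off % max_off)` would select 1 .. max_off and match the check. As max_proto is derived from `ntohs(range->max_proto.all) - min` in a u16, a rule with max < min also wraps silently, so validating max >= min at rule setup is worth adding alongside the divisor checks.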