[PATCH net-next 2/3] net: netfilter: Add RFC-7597 Section 5.1 PSID support

From: Cole Dishington
Date: Mon Aug 09 2021 - 00:11:11 EST

Next message: Wei Huang: "Re: [PATCH v2 1/3] KVM: x86: Allow CPU to force vendor-specific TDP level"
Previous message: Cole Dishington: "[PATCH net-next 3/3] selftests: netfilter: Add RFC-7597 Section 5.1 PSID selftests"
In reply to: Cole Dishington: "[PATCH net-next 3/3] selftests: netfilter: Add RFC-7597 Section 5.1 PSID selftests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Adds support for masquerading into a smaller subset of ports -
defined by the PSID values from RFC-7597 Section 5.1. This is part of
the support for MAP-E and Lightweight 4over6, which allows multiple
devices to share an IPv4 address by splitting the L4 port / id into
ranges.

Co-developed-by: Anthony Lineham <anthony.lineham@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Anthony Lineham <anthony.lineham@xxxxxxxxxxxxxxxxxxx>
Co-developed-by: Scott Parlane <scott.parlane@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Scott Parlane <scott.parlane@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Blair Steven <blair.steven@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Cole Dishington <Cole.Dishington@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
---

Notes:
Changes:
- Added Reviewed-by: Florian Westphal <fw@xxxxxxxxx>.

net/netfilter/nf_nat_core.c | 39 +++++++++++++++++++++++++++----
net/netfilter/nf_nat_masquerade.c | 27 +++++++++++++++++++--
2 files changed, 60 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 7de595ead06a..f07a3473aab5 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -195,13 +195,36 @@ static bool nf_nat_inet_in_range(const struct nf_conntrack_tuple *t,
static bool l4proto_in_range(const struct nf_conntrack_tuple *tuple,
enum nf_nat_manip_type maniptype,
const union nf_conntrack_man_proto *min,
- const union nf_conntrack_man_proto *max)
+ const union nf_conntrack_man_proto *max,
+ const union nf_conntrack_man_proto *base,
+ bool is_psid)
{
__be16 port;
+ u16 psid, psid_mask, offset_mask;
+
+ /* In this case we are in PSID mode, avoid checking all ranges by computing bitmasks */
+ if (is_psid) {
+ u32 power_j = ntohs(max->all) - ntohs(min->all) + 1;
+ u32 offset = ntohs(base->all);
+ u16 power_a;
+
+ if (offset == 0)
+ offset = 1 << 16;
+
+ power_a = (1 << 16) / offset;
+ offset_mask = (power_a - 1) * offset;
+ psid_mask = ((offset / power_j) << 1) - 1;
+ psid = ntohs(min->all) & psid_mask;
+ }

switch (tuple->dst.protonum) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
+ if (is_psid) {
+ return (offset_mask == 0 ||
+ (ntohs(tuple->src.u.icmp.id) & offset_mask) != 0) &&
+ ((ntohs(tuple->src.u.icmp.id) & psid_mask) == psid);
+ }
return ntohs(tuple->src.u.icmp.id) >= ntohs(min->icmp.id) &&
ntohs(tuple->src.u.icmp.id) <= ntohs(max->icmp.id);
case IPPROTO_GRE: /* all fall though */
@@ -215,6 +238,10 @@ static bool l4proto_in_range(const struct nf_conntrack_tuple *tuple,
else
port = tuple->dst.u.all;

+ if (is_psid) {
+ return (offset_mask == 0 || (ntohs(port) & offset_mask) != 0) &&
+ ((ntohs(port) & psid_mask) == psid);
+ }
return ntohs(port) >= ntohs(min->all) &&
ntohs(port) <= ntohs(max->all);
default:
@@ -239,7 +266,8 @@ static int in_range(const struct nf_conntrack_tuple *tuple,
return 1;

return l4proto_in_range(tuple, NF_NAT_MANIP_SRC,
- &range->min_proto, &range->max_proto);
+ &range->min_proto, &range->max_proto, &range->base_proto,
+ range->flags & NF_NAT_RANGE_PSID);
}

static inline int
@@ -532,8 +560,11 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
l4proto_in_range(tuple, maniptype,
- &range->min_proto,
- &range->max_proto) &&
+ &range->min_proto,
+ &range->max_proto,
+ &range->base_proto,
+ range->flags &
+ NF_NAT_RANGE_PSID) &&
(range->min_proto.all == range->max_proto.all ||
!nf_nat_used_tuple(tuple, ct)))
return;
diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
index 8e8a65d46345..19a4754cda76 100644
--- a/net/netfilter/nf_nat_masquerade.c
+++ b/net/netfilter/nf_nat_masquerade.c
@@ -55,8 +55,31 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
newrange.flags = range->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.ip = newsrc;
newrange.max_addr.ip = newsrc;
- newrange.min_proto = range->min_proto;
- newrange.max_proto = range->max_proto;
+
+ if (range->flags & NF_NAT_RANGE_PSID) {
+ u16 base = ntohs(range->base_proto.all);
+ u16 min = ntohs(range->min_proto.all);
+ u16 off = 0;
+
+ /* xtables should stop base > 2^15 by enforcement of
+ * 0 <= offset_len < 16 argument, with offset_len=0
+ * as a special case inwhich base=0.
+ */
+ if (WARN_ON_ONCE(base > (1 << 15)))
+ return NF_DROP;
+
+ /* If offset=0, port range is in one contiguous block */
+ if (base)
+ off = prandom_u32_max(((1 << 16) / base) - 1);
+
+ newrange.min_proto.all = htons(min + base * off);
+ newrange.max_proto.all = htons(ntohs(newrange.min_proto.all) + ntohs(range->max_proto.all) - min);
+ newrange.base_proto = range->base_proto;
+ newrange.flags = newrange.flags | NF_NAT_RANGE_PROTO_SPECIFIED;
+ } else {
+ newrange.min_proto = range->min_proto;
+ newrange.max_proto = range->max_proto;
+ }

/* Hand modified range to generic setup. */
return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC);
--
2.32.0

Next message: Wei Huang: "Re: [PATCH v2 1/3] KVM: x86: Allow CPU to force vendor-specific TDP level"
Previous message: Cole Dishington: "[PATCH net-next 3/3] selftests: netfilter: Add RFC-7597 Section 5.1 PSID selftests"
In reply to: Cole Dishington: "[PATCH net-next 3/3] selftests: netfilter: Add RFC-7597 Section 5.1 PSID selftests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]