]>
Commit | Line | Data |
---|---|---|
7a6eb60b | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
715a70e7 FW |
2 | |
3 | #include <arpa/inet.h> | |
4 | #include <endian.h> | |
5 | #include <errno.h> | |
6 | #include <stddef.h> | |
7 | #include <string.h> | |
8 | #include <linux/netfilter/nf_tables.h> | |
9 | #include <linux/netfilter/nf_nat.h> | |
10 | #include <linux/netfilter_ipv4.h> | |
11 | #include <netinet/ip.h> | |
0e544221 | 12 | #include <netinet/ip6.h> |
715a70e7 FW |
13 | |
14 | #include "sd-netlink.h" | |
15 | ||
16 | #include "alloc-util.h" | |
17 | #include "firewall-util.h" | |
18 | #include "firewall-util-private.h" | |
19 | #include "in-addr-util.h" | |
20 | #include "macro.h" | |
21 | #include "socket-util.h" | |
22 | #include "time-util.h" | |
23 | ||
24 | #define NFT_SYSTEMD_DNAT_MAP_NAME "map_port_ipport" | |
25 | #define NFT_SYSTEMD_TABLE_NAME "io.systemd.nat" | |
26 | #define NFT_SYSTEMD_MASQ_SET_NAME "masq_saddr" | |
27 | ||
28 | #define NFNL_DEFAULT_TIMEOUT_USECS (1ULL * USEC_PER_SEC) | |
29 | ||
30 | #define UDP_DPORT_OFFSET 2 | |
31 | ||
32 | static int nfnl_netlink_sendv(sd_netlink *nfnl, | |
33 | sd_netlink_message *messages[], | |
34 | size_t msgcount) { | |
35 | _cleanup_free_ uint32_t *serial = NULL; | |
36 | size_t i; | |
37 | int r; | |
38 | ||
39 | assert(msgcount > 0); | |
40 | ||
41 | r = sd_netlink_sendv(nfnl, messages, msgcount, &serial); | |
42 | if (r < 0) | |
43 | return r; | |
44 | ||
45 | r = 0; | |
46 | for (i = 1; i < msgcount - 1; i++) { | |
47 | int tmp; | |
48 | ||
49 | /* If message is an error, this returns embedded errno */ | |
50 | tmp = sd_netlink_read(nfnl, serial[i], NFNL_DEFAULT_TIMEOUT_USECS, NULL); | |
51 | if (tmp < 0 && r == 0) | |
52 | r = tmp; | |
53 | } | |
54 | ||
55 | return r; | |
56 | } | |
57 | ||
58 | static int nfnl_add_open_expr_container(sd_netlink_message *m, const char *name) { | |
59 | int r; | |
60 | ||
61 | r = sd_netlink_message_open_array(m, NFTA_LIST_ELEM); | |
62 | if (r < 0) | |
63 | return r; | |
64 | ||
65 | r = sd_netlink_message_append_string(m, NFTA_EXPR_NAME, name); | |
66 | if (r < 0) | |
67 | return r; | |
68 | ||
69 | return sd_netlink_message_open_container_union(m, NFTA_EXPR_DATA, name); | |
70 | } | |
71 | ||
72 | static int nfnl_add_expr_fib(sd_netlink_message *m, uint32_t nft_fib_flags, | |
73 | enum nft_fib_result result, | |
74 | enum nft_registers dreg) { | |
75 | int r; | |
76 | ||
77 | r = nfnl_add_open_expr_container(m, "fib"); | |
78 | if (r < 0) | |
79 | return r; | |
80 | ||
81 | r = sd_netlink_message_append_u32(m, NFTA_FIB_FLAGS, htobe32(nft_fib_flags)); | |
82 | if (r < 0) | |
83 | return r; | |
84 | r = sd_netlink_message_append_u32(m, NFTA_FIB_RESULT, htobe32(result)); | |
85 | if (r < 0) | |
86 | return r; | |
87 | r = sd_netlink_message_append_u32(m, NFTA_FIB_DREG, htobe32(dreg)); | |
88 | if (r < 0) | |
89 | return r; | |
90 | ||
91 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
92 | if (r < 0) | |
93 | return r; | |
94 | ||
95 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
96 | } | |
97 | ||
98 | static int nfnl_add_expr_meta(sd_netlink_message *m, enum nft_meta_keys key, | |
99 | enum nft_registers dreg) { | |
100 | int r; | |
101 | ||
102 | r = nfnl_add_open_expr_container(m, "meta"); | |
103 | if (r < 0) | |
104 | return r; | |
105 | ||
106 | r = sd_netlink_message_append_u32(m, NFTA_META_KEY, htobe32(key)); | |
107 | if (r < 0) | |
108 | return r; | |
109 | ||
110 | r = sd_netlink_message_append_u32(m, NFTA_META_DREG, htobe32(dreg)); | |
111 | if (r < 0) | |
112 | return r; | |
113 | ||
114 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
115 | if (r < 0) | |
116 | return r; | |
117 | ||
118 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
119 | } | |
120 | ||
121 | static int nfnl_add_expr_payload(sd_netlink_message *m, enum nft_payload_bases pb, | |
122 | uint32_t offset, uint32_t len, enum nft_registers dreg) { | |
123 | int r; | |
124 | ||
125 | r = nfnl_add_open_expr_container(m, "payload"); | |
126 | if (r < 0) | |
127 | return r; | |
128 | ||
129 | r = sd_netlink_message_append_u32(m, NFTA_PAYLOAD_DREG, htobe32(dreg)); | |
130 | if (r < 0) | |
131 | return r; | |
132 | r = sd_netlink_message_append_u32(m, NFTA_PAYLOAD_BASE, htobe32(pb)); | |
133 | if (r < 0) | |
134 | return r; | |
135 | r = sd_netlink_message_append_u32(m, NFTA_PAYLOAD_OFFSET, htobe32(offset)); | |
136 | if (r < 0) | |
137 | return r; | |
138 | r = sd_netlink_message_append_u32(m, NFTA_PAYLOAD_LEN, htobe32(len)); | |
139 | if (r < 0) | |
140 | return r; | |
141 | ||
142 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
143 | if (r < 0) | |
144 | return r; | |
145 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
146 | } | |
147 | ||
148 | static int nfnl_add_expr_lookup_set_data(sd_netlink_message *m, const char *set_name, | |
149 | enum nft_registers sreg) { | |
150 | int r; | |
151 | ||
152 | r = nfnl_add_open_expr_container(m, "lookup"); | |
153 | if (r < 0) | |
154 | return r; | |
155 | ||
156 | r = sd_netlink_message_append_string(m, NFTA_LOOKUP_SET, set_name); | |
157 | if (r < 0) | |
158 | return r; | |
159 | ||
160 | return sd_netlink_message_append_u32(m, NFTA_LOOKUP_SREG, htobe32(sreg)); | |
161 | } | |
162 | ||
163 | static int nfnl_add_expr_lookup_set(sd_netlink_message *m, const char *set_name, | |
164 | enum nft_registers sreg) { | |
165 | int r; | |
166 | ||
167 | r = nfnl_add_expr_lookup_set_data(m, set_name, sreg); | |
168 | if (r < 0) | |
169 | return r; | |
170 | ||
171 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
172 | if (r < 0) | |
173 | return r; | |
174 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
175 | } | |
176 | ||
177 | static int nfnl_add_expr_lookup_map(sd_netlink_message *m, const char *set_name, | |
178 | enum nft_registers sreg, enum nft_registers dreg) { | |
179 | int r; | |
180 | ||
181 | r = nfnl_add_expr_lookup_set_data(m, set_name, sreg); | |
182 | if (r < 0) | |
183 | return r; | |
184 | ||
185 | r = sd_netlink_message_append_u32(m, NFTA_LOOKUP_DREG, htobe32(dreg)); | |
186 | if (r < 0) | |
187 | return r; | |
188 | ||
189 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
190 | if (r < 0) | |
191 | return r; | |
192 | ||
193 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
194 | } | |
195 | ||
196 | static int nfnl_add_expr_data(sd_netlink_message *m, int attr, const void *data, uint32_t dlen) { | |
197 | int r; | |
198 | ||
199 | r = sd_netlink_message_open_container(m, attr); | |
200 | if (r < 0) | |
201 | return r; | |
202 | r = sd_netlink_message_append_data(m, NFTA_DATA_VALUE, data, dlen); | |
203 | if (r < 0) | |
204 | return r; | |
205 | ||
206 | return sd_netlink_message_close_container(m); /* attr */ | |
207 | } | |
208 | ||
209 | static int nfnl_add_expr_cmp_data(sd_netlink_message *m, const void *data, uint32_t dlen) { | |
210 | return nfnl_add_expr_data(m, NFTA_CMP_DATA, data, dlen); | |
211 | } | |
212 | ||
213 | static int nfnl_add_expr_cmp(sd_netlink_message *m, enum nft_cmp_ops cmp_op, | |
214 | enum nft_registers sreg, const void *data, uint32_t dlen) { | |
215 | int r; | |
216 | ||
217 | r = nfnl_add_open_expr_container(m, "cmp"); | |
218 | if (r < 0) | |
219 | return r; | |
220 | ||
221 | r = sd_netlink_message_append_u32(m, NFTA_CMP_OP, htobe32(cmp_op)); | |
222 | if (r < 0) | |
223 | return r; | |
224 | r = sd_netlink_message_append_u32(m, NFTA_CMP_SREG, htobe32(sreg)); | |
225 | if (r < 0) | |
226 | return r; | |
227 | ||
228 | r = nfnl_add_expr_cmp_data(m, data, dlen); | |
229 | if (r < 0) | |
230 | return r; | |
231 | ||
232 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
233 | if (r < 0) | |
234 | return r; | |
235 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
236 | } | |
237 | ||
238 | static int nfnl_add_expr_bitwise(sd_netlink_message *m, | |
239 | enum nft_registers sreg, | |
240 | enum nft_registers dreg, | |
241 | const void *and, | |
242 | const void *xor, uint32_t len) { | |
243 | int r; | |
244 | ||
245 | r = nfnl_add_open_expr_container(m, "bitwise"); | |
246 | if (r < 0) | |
247 | return r; | |
248 | ||
249 | r = sd_netlink_message_append_u32(m, NFTA_BITWISE_SREG, htobe32(sreg)); | |
250 | if (r < 0) | |
251 | return r; | |
252 | r = sd_netlink_message_append_u32(m, NFTA_BITWISE_DREG, htobe32(dreg)); | |
253 | if (r < 0) | |
254 | return r; | |
255 | r = sd_netlink_message_append_u32(m, NFTA_BITWISE_LEN, htobe32(len)); | |
256 | if (r < 0) | |
257 | return r; | |
258 | ||
259 | r = nfnl_add_expr_data(m, NFTA_BITWISE_MASK, and, len); | |
260 | if (r < 0) | |
261 | return r; | |
262 | ||
263 | r = nfnl_add_expr_data(m, NFTA_BITWISE_XOR, xor, len); | |
264 | if (r < 0) | |
265 | return r; | |
266 | ||
267 | r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ | |
268 | if (r < 0) | |
269 | return r; | |
270 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
271 | } | |
272 | ||
273 | static int nfnl_add_expr_dnat(sd_netlink_message *m, | |
274 | int family, | |
275 | enum nft_registers areg, | |
276 | enum nft_registers preg) { | |
277 | int r; | |
278 | ||
279 | r = nfnl_add_open_expr_container(m, "nat"); | |
280 | if (r < 0) | |
281 | return r; | |
282 | ||
283 | r = sd_netlink_message_append_u32(m, NFTA_NAT_TYPE, htobe32(NFT_NAT_DNAT)); | |
284 | if (r < 0) | |
285 | return r; | |
286 | ||
287 | r = sd_netlink_message_append_u32(m, NFTA_NAT_FAMILY, htobe32(family)); | |
288 | if (r < 0) | |
289 | return r; | |
290 | ||
291 | r = sd_netlink_message_append_u32(m, NFTA_NAT_REG_ADDR_MIN, htobe32(areg)); | |
292 | if (r < 0) | |
293 | return r; | |
294 | r = sd_netlink_message_append_u32(m, NFTA_NAT_REG_PROTO_MIN, htobe32(preg)); | |
295 | if (r < 0) | |
296 | return r; | |
297 | r = sd_netlink_message_close_container(m); | |
298 | if (r < 0) | |
299 | return r; | |
300 | ||
301 | return sd_netlink_message_close_container(m); | |
302 | } | |
303 | ||
304 | static int nfnl_add_expr_masq(sd_netlink_message *m) { | |
305 | int r; | |
306 | ||
307 | r = sd_netlink_message_open_array(m, NFTA_LIST_ELEM); | |
308 | if (r < 0) | |
309 | return r; | |
310 | ||
311 | r = sd_netlink_message_append_string(m, NFTA_EXPR_NAME, "masq"); | |
312 | if (r < 0) | |
313 | return r; | |
314 | ||
315 | return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ | |
316 | } | |
317 | ||
715a70e7 FW |
318 | static int sd_nfnl_message_new_masq_rule(sd_netlink *nfnl, sd_netlink_message **ret, int family, |
319 | const char *chain) { | |
320 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; | |
321 | int r; | |
322 | ||
45861042 YW |
323 | /* -t nat -A POSTROUTING -p protocol -s source/pflen -o out_interface -d destination/pflen -j MASQUERADE */ |
324 | ||
715a70e7 FW |
325 | r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain); |
326 | if (r < 0) | |
327 | return r; | |
328 | ||
329 | r = sd_netlink_message_open_container(m, NFTA_RULE_EXPRESSIONS); | |
330 | if (r < 0) | |
331 | return r; | |
332 | ||
0e544221 FW |
333 | /* 1st statement: ip saddr @masq_saddr. Place iph->saddr in reg1, resp. ipv6 in reg1..reg4. */ |
334 | if (family == AF_INET) | |
335 | r = nfnl_add_expr_payload(m, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct iphdr, saddr), | |
336 | sizeof(uint32_t), NFT_REG32_01); | |
337 | else | |
338 | r = nfnl_add_expr_payload(m, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct ip6_hdr, ip6_src.s6_addr), | |
339 | sizeof(struct in6_addr), NFT_REG32_01); | |
715a70e7 FW |
340 | if (r < 0) |
341 | return r; | |
342 | ||
343 | /* 1st statement: use reg1 content to make lookup in @masq_saddr set. */ | |
344 | r = nfnl_add_expr_lookup_set(m, NFT_SYSTEMD_MASQ_SET_NAME, NFT_REG32_01); | |
345 | if (r < 0) | |
346 | return r; | |
347 | ||
348 | /* 2nd statement: masq. Only executed by kernel if the previous lookup was successful. */ | |
349 | r = nfnl_add_expr_masq(m); | |
350 | if (r < 0) | |
351 | return r; | |
352 | ||
353 | r = sd_netlink_message_close_container(m); /* NFTA_RULE_EXPRESSIONS */ | |
354 | if (r < 0) | |
355 | return r; | |
356 | *ret = TAKE_PTR(m); | |
357 | return 0; | |
358 | } | |
359 | ||
715a70e7 FW |
360 | static int sd_nfnl_message_new_dnat_rule_pre(sd_netlink *nfnl, sd_netlink_message **ret, int family, |
361 | const char *chain) { | |
362 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; | |
363 | enum nft_registers proto_reg; | |
364 | uint32_t local = RTN_LOCAL; | |
365 | int r; | |
366 | ||
45861042 YW |
367 | /* -t nat -A PREROUTING -p protocol --dport local_port -i in_interface -s source/pflen |
368 | * -d destination/pflen -j DNAT --to-destination remote_addr:remote_port */ | |
369 | ||
715a70e7 FW |
370 | r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain); |
371 | if (r < 0) | |
372 | return r; | |
373 | ||
374 | r = sd_netlink_message_open_container(m, NFTA_RULE_EXPRESSIONS); | |
375 | if (r < 0) | |
376 | return r; | |
377 | ||
378 | /* 1st statement: fib daddr type local */ | |
379 | r = nfnl_add_expr_fib(m, NFTA_FIB_F_DADDR, NFT_FIB_RESULT_ADDRTYPE, NFT_REG32_01); | |
380 | if (r < 0) | |
381 | return r; | |
382 | ||
383 | /* 1st statement (cont.): compare RTN_LOCAL */ | |
384 | r = nfnl_add_expr_cmp(m, NFT_CMP_EQ, NFT_REG32_01, &local, sizeof(local)); | |
385 | if (r < 0) | |
386 | return r; | |
387 | ||
388 | /* 2nd statement: lookup local port in map, fetch address:dport to map to */ | |
389 | r = nfnl_add_expr_meta(m, NFT_META_L4PROTO, NFT_REG32_01); | |
390 | if (r < 0) | |
391 | return r; | |
392 | ||
393 | r = nfnl_add_expr_payload(m, NFT_PAYLOAD_TRANSPORT_HEADER, UDP_DPORT_OFFSET, | |
394 | sizeof(uint16_t), NFT_REG32_02); | |
395 | if (r < 0) | |
396 | return r; | |
397 | ||
398 | /* 3rd statement: lookup 'l4proto . dport', e.g. 'tcp . 22' as key and | |
399 | * store address and port for the dnat mapping in REG1/REG2. | |
400 | */ | |
401 | r = nfnl_add_expr_lookup_map(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); | |
402 | if (r < 0) | |
403 | return r; | |
404 | ||
0e544221 | 405 | proto_reg = family == AF_INET ? NFT_REG32_02 : NFT_REG32_05; |
715a70e7 FW |
406 | r = nfnl_add_expr_dnat(m, family, NFT_REG32_01, proto_reg); |
407 | if (r < 0) | |
408 | return r; | |
409 | ||
410 | r = sd_netlink_message_close_container(m); /* NFTA_RULE_EXPRESSIONS */ | |
411 | if (r < 0) | |
412 | return r; | |
413 | *ret = TAKE_PTR(m); | |
414 | return 0; | |
415 | } | |
416 | ||
417 | static int sd_nfnl_message_new_dnat_rule_out(sd_netlink *nfnl, sd_netlink_message **ret, | |
418 | int family, const char *chain) { | |
0e544221 | 419 | static const uint32_t zero = 0, one = 1; |
715a70e7 | 420 | |
715a70e7 FW |
421 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; |
422 | enum nft_registers proto_reg; | |
423 | int r; | |
424 | ||
425 | r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain); | |
426 | if (r < 0) | |
427 | return r; | |
428 | ||
429 | r = sd_netlink_message_open_container(m, NFTA_RULE_EXPRESSIONS); | |
430 | if (r < 0) | |
431 | return r; | |
432 | ||
0e544221 FW |
433 | /* 1st statement: exclude 127.0.0.1/8: ip daddr != 127.0.0.1/8, resp. avoid ::1 */ |
434 | if (family == AF_INET) { | |
435 | uint32_t lonet = htobe32(UINT32_C(0x7F000000)), lomask = htobe32(UINT32_C(0xff000000)); | |
715a70e7 | 436 | |
0e544221 FW |
437 | r = nfnl_add_expr_payload(m, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct iphdr, daddr), |
438 | sizeof(lonet), NFT_REG32_01); | |
439 | if (r < 0) | |
440 | return r; | |
441 | /* 1st statement (cont.): bitops/prefix */ | |
442 | r = nfnl_add_expr_bitwise(m, NFT_REG32_01, NFT_REG32_01, &lomask, &zero, sizeof(lomask)); | |
443 | if (r < 0) | |
444 | return r; | |
715a70e7 | 445 | |
0e544221 FW |
446 | /* 1st statement (cont.): compare reg1 with 127/8 */ |
447 | r = nfnl_add_expr_cmp(m, NFT_CMP_NEQ, NFT_REG32_01, &lonet, sizeof(lonet)); | |
448 | } else { | |
449 | struct in6_addr loaddr = IN6ADDR_LOOPBACK_INIT; | |
715a70e7 | 450 | |
0e544221 FW |
451 | r = nfnl_add_expr_payload(m, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct ip6_hdr, ip6_dst.s6_addr), |
452 | sizeof(loaddr), NFT_REG32_01); | |
453 | if (r < 0) | |
454 | return r; | |
455 | ||
456 | r = nfnl_add_expr_cmp(m, NFT_CMP_NEQ, NFT_REG32_01, &loaddr, sizeof(loaddr)); | |
457 | } | |
715a70e7 FW |
458 | if (r < 0) |
459 | return r; | |
460 | ||
461 | /* 2nd statement: meta oif lo */ | |
462 | r = nfnl_add_expr_meta(m, NFT_META_OIF, NFT_REG32_01); | |
463 | if (r < 0) | |
464 | return r; | |
465 | ||
466 | /* 2nd statement (cont.): compare to lo ifindex (1) */ | |
467 | r = nfnl_add_expr_cmp(m, NFT_CMP_EQ, NFT_REG32_01, &one, sizeof(one)); | |
468 | if (r < 0) | |
469 | return r; | |
470 | ||
471 | /* 3rd statement: meta l4proto . th dport dnat ip . port to map @map_port_ipport */ | |
472 | r = nfnl_add_expr_meta(m, NFT_META_L4PROTO, NFT_REG32_01); | |
473 | if (r < 0) | |
474 | return r; | |
475 | ||
476 | /* 3rd statement (cont): store the port number in reg2 */ | |
477 | r = nfnl_add_expr_payload(m, NFT_PAYLOAD_TRANSPORT_HEADER, UDP_DPORT_OFFSET, | |
478 | sizeof(uint16_t), NFT_REG32_02); | |
479 | if (r < 0) | |
480 | return r; | |
481 | ||
482 | /* 3rd statement (cont): use reg1 and reg2 and retrieve | |
483 | * the new destination ip and port number. | |
484 | * | |
485 | * reg1 and reg2 are clobbered and will then contain the new | |
486 | * address/port number. | |
487 | */ | |
488 | r = nfnl_add_expr_lookup_map(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); | |
489 | if (r < 0) | |
490 | return r; | |
491 | ||
492 | /* 4th statement: dnat connection to address/port retrieved by the | |
45861042 | 493 | * preceding expression. */ |
0e544221 | 494 | proto_reg = family == AF_INET ? NFT_REG32_02 : NFT_REG32_05; |
715a70e7 FW |
495 | r = nfnl_add_expr_dnat(m, family, NFT_REG32_01, proto_reg); |
496 | if (r < 0) | |
497 | return r; | |
498 | ||
499 | r = sd_netlink_message_close_container(m); /* NFTA_RULE_EXPRESSIONS */ | |
500 | if (r < 0) | |
501 | return r; | |
502 | *ret = TAKE_PTR(m); | |
503 | return 0; | |
504 | } | |
505 | ||
506 | static int nft_new_set(struct sd_netlink *nfnl, | |
507 | sd_netlink_message **ret, | |
508 | int family, const char *set_name, | |
509 | uint32_t set_id, | |
510 | uint32_t flags, uint32_t type, uint32_t klen) { | |
511 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; | |
512 | int r; | |
513 | ||
514 | r = sd_nfnl_nft_message_new_set(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, set_name, set_id, klen); | |
515 | if (r < 0) | |
516 | return r; | |
517 | ||
518 | if (flags != 0) { | |
519 | r = sd_netlink_message_append_u32(m, NFTA_SET_FLAGS, htobe32(flags)); | |
520 | if (r < 0) | |
521 | return r; | |
522 | } | |
523 | ||
524 | r = sd_netlink_message_append_u32(m, NFTA_SET_KEY_TYPE, htobe32(type)); | |
525 | if (r < 0) | |
526 | return r; | |
527 | ||
528 | *ret = TAKE_PTR(m); | |
529 | return r; | |
530 | } | |
531 | ||
532 | static int nft_new_map(struct sd_netlink *nfnl, | |
533 | sd_netlink_message **ret, | |
534 | int family, const char *set_name, uint32_t set_id, | |
535 | uint32_t flags, uint32_t type, uint32_t klen, uint32_t dtype, uint32_t dlen) { | |
536 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; | |
537 | int r; | |
538 | ||
539 | r = nft_new_set(nfnl, &m, family, set_name, set_id, flags | NFT_SET_MAP, type, klen); | |
540 | if (r < 0) | |
541 | return r; | |
542 | ||
543 | r = sd_netlink_message_append_u32(m, NFTA_SET_DATA_TYPE, htobe32(dtype)); | |
544 | if (r < 0) | |
545 | return r; | |
546 | ||
547 | r = sd_netlink_message_append_u32(m, NFTA_SET_DATA_LEN, htobe32(dlen)); | |
548 | if (r < 0) | |
549 | return r; | |
550 | *ret = TAKE_PTR(m); | |
551 | return 0; | |
552 | } | |
553 | ||
554 | static int nft_add_element(sd_netlink *nfnl, sd_netlink_message **ret, | |
555 | int family, const char *set_name, | |
556 | const void *key, uint32_t klen, | |
557 | const void *data, uint32_t dlen) { | |
558 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; | |
559 | int r; | |
560 | ||
561 | /* | |
562 | * Ideally there would be an API that provides: | |
563 | * | |
564 | * 1) a init function to add the main ruleset skeleton | |
565 | * 2) a function that populates the sets with all known address/port pairs to s/dnat for | |
566 | * 3) a function that can remove address/port pairs again. | |
567 | * | |
568 | * At this time, the existing API is used which is built on a | |
569 | * 'add/delete a rule' paradigm. | |
570 | * | |
571 | * This replicated here and each element gets added to the set | |
572 | * one-by-one. | |
573 | */ | |
574 | r = sd_nfnl_nft_message_new_setelems_begin(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, set_name); | |
575 | if (r < 0) | |
576 | return r; | |
577 | ||
578 | r = sd_nfnl_nft_message_add_setelem(m, 0, key, klen, data, dlen); | |
579 | if (r < 0) | |
580 | return r; | |
581 | ||
582 | /* could theoretically append more set elements to add here */ | |
583 | r = sd_nfnl_nft_message_add_setelem_end(m); | |
584 | if (r < 0) | |
585 | return r; | |
586 | *ret = TAKE_PTR(m); | |
587 | return 0; | |
588 | } | |
589 | ||
590 | static int nft_del_element(sd_netlink *nfnl, | |
591 | sd_netlink_message **ret, int family, const char *set_name, | |
592 | const void *key, uint32_t klen, | |
593 | const void *data, uint32_t dlen) { | |
594 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; | |
595 | int r; | |
596 | ||
597 | r = sd_nfnl_nft_message_del_setelems_begin(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, set_name); | |
598 | if (r < 0) | |
599 | return r; | |
600 | ||
601 | r = sd_nfnl_nft_message_add_setelem(m, 0, key, klen, data, dlen); | |
602 | if (r < 0) | |
603 | return r; | |
604 | ||
605 | r = sd_nfnl_nft_message_add_setelem_end(m); | |
606 | if (r < 0) | |
607 | return r; | |
608 | *ret = TAKE_PTR(m); | |
609 | return 0; | |
610 | } | |
611 | ||
612 | /* This is needed so 'nft' userspace tool can properly format the contents | |
613 | * of the set/map when someone uses 'nft' to inspect their content. | |
614 | * | |
615 | * The values cannot be changed, they are part of the nft tool type identifier ABI. | |
616 | */ | |
617 | #define TYPE_BITS 6 | |
618 | ||
619 | enum nft_key_types { | |
620 | TYPE_IPADDR = 7, | |
621 | TYPE_IP6ADDR = 8, | |
622 | TYPE_INET_PROTOCOL = 12, | |
623 | TYPE_INET_SERVICE = 13, | |
624 | }; | |
625 | ||
626 | static uint32_t concat_types2(enum nft_key_types a, enum nft_key_types b) { | |
627 | uint32_t type = (uint32_t)a; | |
628 | ||
629 | type <<= TYPE_BITS; | |
630 | type |= (uint32_t)b; | |
631 | ||
632 | return type; | |
633 | } | |
634 | ||
635 | /* enough space to hold netlink messages for table skeleton */ | |
636 | #define NFT_INIT_MSGS 16 | |
637 | static int fw_nftables_init_family(sd_netlink *nfnl, int family) { | |
638 | sd_netlink_message *batch[NFT_INIT_MSGS] = {}; | |
0e544221 | 639 | size_t msgcnt = 0, i, ip_type_size; |
715a70e7 | 640 | uint32_t set_id = 0; |
0e544221 FW |
641 | int ip_type, r; |
642 | ||
643 | assert(IN_SET(family, AF_INET, AF_INET6)); | |
715a70e7 FW |
644 | |
645 | r = sd_nfnl_message_batch_begin(nfnl, &batch[msgcnt]); | |
646 | if (r < 0) | |
647 | goto out_unref; | |
648 | ||
649 | msgcnt++; | |
650 | assert(msgcnt < NFT_INIT_MSGS); | |
651 | /* Set F_EXCL so table add fails if the table already exists. */ | |
652 | r = sd_nfnl_nft_message_new_table(nfnl, &batch[msgcnt], family, NFT_SYSTEMD_TABLE_NAME, NLM_F_EXCL | NLM_F_ACK); | |
653 | if (r < 0) | |
654 | goto out_unref; | |
655 | ||
656 | msgcnt++; | |
657 | assert(msgcnt < NFT_INIT_MSGS); | |
658 | ||
659 | r = sd_nfnl_nft_message_new_basechain(nfnl, &batch[msgcnt], family, NFT_SYSTEMD_TABLE_NAME, | |
660 | "prerouting", "nat", | |
661 | NF_INET_PRE_ROUTING, NF_IP_PRI_NAT_DST + 1); | |
662 | if (r < 0) | |
663 | goto out_unref; | |
664 | ||
665 | msgcnt++; | |
666 | assert(msgcnt < NFT_INIT_MSGS); | |
667 | r = sd_nfnl_nft_message_new_basechain(nfnl, &batch[msgcnt], family, NFT_SYSTEMD_TABLE_NAME, | |
668 | "output", "nat", | |
669 | NF_INET_LOCAL_OUT, NF_IP_PRI_NAT_DST + 1); | |
670 | if (r < 0) | |
671 | goto out_unref; | |
672 | ||
673 | msgcnt++; | |
674 | assert(msgcnt < NFT_INIT_MSGS); | |
675 | r = sd_nfnl_nft_message_new_basechain(nfnl, &batch[msgcnt], family, NFT_SYSTEMD_TABLE_NAME, | |
676 | "postrouting", "nat", | |
677 | NF_INET_POST_ROUTING, NF_IP_PRI_NAT_SRC + 1); | |
678 | if (r < 0) | |
679 | goto out_unref; | |
680 | ||
0e544221 FW |
681 | if (family == AF_INET) { |
682 | ip_type_size = sizeof(uint32_t); | |
683 | ip_type = TYPE_IPADDR; | |
684 | } else { | |
685 | assert(family == AF_INET6); | |
686 | ip_type_size = sizeof(struct in6_addr); | |
687 | ip_type = TYPE_IP6ADDR; | |
688 | } | |
715a70e7 FW |
689 | msgcnt++; |
690 | assert(msgcnt < NFT_INIT_MSGS); | |
691 | /* set to store ip address ranges we should masquerade for */ | |
692 | r = nft_new_set(nfnl, &batch[msgcnt], family, NFT_SYSTEMD_MASQ_SET_NAME, ++set_id, NFT_SET_INTERVAL, ip_type, ip_type_size); | |
693 | if (r < 0) | |
694 | goto out_unref; | |
695 | ||
696 | /* | |
697 | * map to store ip address:port pair to dnat to. elements in concatenation | |
698 | * are rounded up to 4 bytes. | |
699 | * | |
700 | * Example: ip protocol . tcp daddr is sizeof(uint32_t) + sizeof(uint32_t), not | |
701 | * sizeof(uint8_t) + sizeof(uint16_t). | |
702 | */ | |
703 | msgcnt++; | |
704 | assert(msgcnt < NFT_INIT_MSGS); | |
705 | r = nft_new_map(nfnl, &batch[msgcnt], family, NFT_SYSTEMD_DNAT_MAP_NAME, ++set_id, 0, | |
706 | concat_types2(TYPE_INET_PROTOCOL, TYPE_INET_SERVICE), sizeof(uint32_t) * 2, | |
707 | concat_types2(ip_type, TYPE_INET_SERVICE), ip_type_size + sizeof(uint32_t)); | |
708 | if (r < 0) | |
709 | goto out_unref; | |
710 | ||
711 | msgcnt++; | |
712 | assert(msgcnt < NFT_INIT_MSGS); | |
713 | r = sd_nfnl_message_new_dnat_rule_pre(nfnl, &batch[msgcnt], family, "prerouting"); | |
714 | if (r < 0) | |
715 | goto out_unref; | |
716 | ||
717 | msgcnt++; | |
718 | assert(msgcnt < NFT_INIT_MSGS); | |
719 | r = sd_nfnl_message_new_dnat_rule_out(nfnl, &batch[msgcnt], family, "output"); | |
720 | if (r < 0) | |
721 | goto out_unref; | |
722 | ||
723 | msgcnt++; | |
724 | r = sd_nfnl_message_new_masq_rule(nfnl, &batch[msgcnt], family, "postrouting"); | |
725 | if (r < 0) | |
726 | goto out_unref; | |
727 | ||
728 | msgcnt++; | |
729 | assert(msgcnt < NFT_INIT_MSGS); | |
730 | r = sd_nfnl_message_batch_end(nfnl, &batch[msgcnt]); | |
731 | if (r < 0) | |
732 | goto out_unref; | |
733 | ||
734 | msgcnt++; | |
735 | assert(msgcnt <= NFT_INIT_MSGS); | |
736 | r = nfnl_netlink_sendv(nfnl, batch, msgcnt); | |
737 | if (r == -EEXIST) | |
738 | r = 0; | |
739 | ||
740 | out_unref: | |
741 | for (i = 0; i < msgcnt; i++) | |
742 | sd_netlink_message_unref(batch[i]); | |
743 | ||
744 | return r; | |
745 | } | |
746 | ||
747 | int fw_nftables_init(FirewallContext *ctx) { | |
748 | _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL; | |
749 | int r; | |
750 | ||
751 | r = sd_nfnl_socket_open(&nfnl); | |
752 | if (r < 0) | |
753 | return r; | |
754 | ||
755 | r = fw_nftables_init_family(nfnl, AF_INET); | |
756 | if (r < 0) | |
757 | return r; | |
758 | ||
0c4363a0 YW |
759 | if (socket_ipv6_is_supported()) { |
760 | r = fw_nftables_init_family(nfnl, AF_INET6); | |
761 | if (r < 0) | |
762 | log_debug_errno(r, "Failed to init ipv6 NAT: %m"); | |
763 | } | |
0e544221 | 764 | |
715a70e7 FW |
765 | ctx->nfnl = TAKE_PTR(nfnl); |
766 | return 0; | |
767 | } | |
768 | ||
769 | void fw_nftables_exit(FirewallContext *ctx) { | |
770 | ctx->nfnl = sd_netlink_unref(ctx->nfnl); | |
771 | } | |
772 | ||
773 | static int nft_message_add_setelem_iprange(sd_netlink_message *m, | |
774 | const union in_addr_union *source, | |
775 | unsigned int prefixlen) { | |
776 | uint32_t mask, start, end; | |
777 | unsigned int nplen; | |
778 | int r; | |
779 | ||
780 | assert(prefixlen <= 32); | |
781 | nplen = 32 - prefixlen; | |
782 | ||
783 | mask = (1U << nplen) - 1U; | |
784 | mask = htobe32(~mask); | |
785 | start = source->in.s_addr & mask; | |
786 | ||
787 | r = sd_nfnl_nft_message_add_setelem(m, 0, &start, sizeof(start), NULL, 0); | |
788 | if (r < 0) | |
789 | return r; | |
790 | ||
791 | r = sd_nfnl_nft_message_add_setelem_end(m); | |
792 | if (r < 0) | |
793 | return r; | |
794 | ||
795 | end = be32toh(start) + (1U << nplen); | |
796 | if (end < be32toh(start)) | |
797 | end = 0U; | |
798 | end = htobe32(end); | |
799 | ||
800 | r = sd_nfnl_nft_message_add_setelem(m, 1, &end, sizeof(end), NULL, 0); | |
801 | if (r < 0) | |
802 | return r; | |
803 | ||
804 | r = sd_netlink_message_append_u32(m, NFTA_SET_ELEM_FLAGS, htobe32(NFT_SET_ELEM_INTERVAL_END)); | |
805 | if (r < 0) | |
806 | return r; | |
807 | ||
808 | r = sd_nfnl_nft_message_add_setelem_end(m); | |
809 | if (r < 0) | |
810 | return r; | |
811 | ||
812 | return 0; | |
813 | } | |
814 | ||
99975074 YW |
815 | static int nft_message_add_setelem_ip6range( |
816 | sd_netlink_message *m, | |
817 | const union in_addr_union *source, | |
818 | unsigned int prefixlen) { | |
0e544221 | 819 | |
99975074 | 820 | union in_addr_union start, end; |
0e544221 FW |
821 | int r; |
822 | ||
99975074 YW |
823 | r = in_addr_prefix_range(AF_INET6, source, prefixlen, &start, &end); |
824 | if (r < 0) | |
825 | return r; | |
0e544221 | 826 | |
99975074 | 827 | r = sd_nfnl_nft_message_add_setelem(m, 0, &start.in6, sizeof(start.in6), NULL, 0); |
0e544221 FW |
828 | if (r < 0) |
829 | return r; | |
830 | ||
831 | r = sd_nfnl_nft_message_add_setelem_end(m); | |
832 | if (r < 0) | |
833 | return r; | |
834 | ||
99975074 | 835 | r = sd_nfnl_nft_message_add_setelem(m, 1, &end.in6, sizeof(end.in6), NULL, 0); |
0e544221 FW |
836 | if (r < 0) |
837 | return r; | |
838 | ||
839 | r = sd_netlink_message_append_u32(m, NFTA_SET_ELEM_FLAGS, htobe32(NFT_SET_ELEM_INTERVAL_END)); | |
840 | if (r < 0) | |
841 | return r; | |
842 | ||
843 | return sd_nfnl_nft_message_add_setelem_end(m); | |
844 | } | |
845 | ||
715a70e7 FW |
846 | #define NFT_MASQ_MSGS 3 |
847 | ||
5ee7c719 | 848 | static int fw_nftables_add_masquerade_internal( |
715a70e7 FW |
849 | FirewallContext *ctx, |
850 | bool add, | |
851 | int af, | |
852 | const union in_addr_union *source, | |
853 | unsigned int source_prefixlen) { | |
5ee7c719 | 854 | |
715a70e7 FW |
855 | sd_netlink_message *transaction[NFT_MASQ_MSGS] = {}; |
856 | size_t tsize; | |
857 | int r; | |
858 | ||
859 | if (!source || source_prefixlen == 0) | |
860 | return -EINVAL; | |
861 | ||
0e544221 FW |
862 | if (af == AF_INET6 && source_prefixlen < 8) |
863 | return -EINVAL; | |
5ee7c719 | 864 | |
715a70e7 FW |
865 | r = sd_nfnl_message_batch_begin(ctx->nfnl, &transaction[0]); |
866 | if (r < 0) | |
867 | return r; | |
868 | tsize = 1; | |
869 | if (add) | |
870 | r = sd_nfnl_nft_message_new_setelems_begin(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME); | |
871 | else | |
872 | r = sd_nfnl_nft_message_del_setelems_begin(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME); | |
715a70e7 FW |
873 | if (r < 0) |
874 | goto out_unref; | |
875 | ||
0e544221 FW |
876 | if (af == AF_INET) |
877 | r = nft_message_add_setelem_iprange(transaction[tsize], source, source_prefixlen); | |
878 | else | |
879 | r = nft_message_add_setelem_ip6range(transaction[tsize], source, source_prefixlen); | |
715a70e7 FW |
880 | if (r < 0) |
881 | goto out_unref; | |
882 | ||
883 | ++tsize; | |
884 | assert(tsize < NFT_MASQ_MSGS); | |
885 | r = sd_nfnl_message_batch_end(ctx->nfnl, &transaction[tsize]); | |
886 | if (r < 0) | |
887 | return r; | |
5ee7c719 | 888 | |
715a70e7 FW |
889 | ++tsize; |
890 | r = nfnl_netlink_sendv(ctx->nfnl, transaction, tsize); | |
891 | ||
892 | out_unref: | |
893 | while (tsize > 0) | |
894 | sd_netlink_message_unref(transaction[--tsize]); | |
895 | return r < 0 ? r : 0; | |
896 | } | |
897 | ||
5ee7c719 YW |
898 | int fw_nftables_add_masquerade( |
899 | FirewallContext *ctx, | |
900 | bool add, | |
901 | int af, | |
902 | const union in_addr_union *source, | |
903 | unsigned int source_prefixlen) { | |
904 | ||
905 | int r; | |
906 | ||
0c4363a0 YW |
907 | if (!socket_ipv6_is_supported() && af == AF_INET6) |
908 | return -EOPNOTSUPP; | |
909 | ||
5ee7c719 YW |
910 | r = fw_nftables_add_masquerade_internal(ctx, add, af, source, source_prefixlen); |
911 | if (r != -ENOENT) | |
912 | return r; | |
913 | ||
914 | /* When someone runs 'nft flush ruleset' in the same net namespace this will also tear down the | |
915 | * systemd nat table. | |
916 | * | |
917 | * Unlike iptables -t nat -F (which will remove all rules added by the systemd iptables | |
918 | * backend, iptables has builtin chains that cannot be deleted -- the next add operation will | |
919 | * 'just work'. | |
920 | * | |
921 | * In the nftables case, everything gets removed. The next add operation will yield -ENOENT. | |
922 | * | |
923 | * If we see -ENOENT on add, replay the initial table setup. If that works, re-do the add | |
924 | * operation. | |
925 | * | |
926 | * Note that this doesn't protect against external sabotage such as a | |
927 | * 'while true; nft flush ruleset; done'. There is nothing that could be done about that short | |
928 | * of extending the kernel to allow tables to be owned by stystemd-networkd and making them | |
929 | * non-deleteable except by the 'owning process'. */ | |
930 | ||
931 | r = fw_nftables_init_family(ctx->nfnl, af); | |
932 | if (r < 0) | |
933 | return r; | |
934 | ||
935 | return fw_nftables_add_masquerade_internal(ctx, add, af, source, source_prefixlen); | |
936 | } | |
937 | ||
715a70e7 FW |
938 | #define NFT_DNAT_MSGS 4 |
939 | ||
5ee7c719 | 940 | static int fw_nftables_add_local_dnat_internal( |
715a70e7 FW |
941 | FirewallContext *ctx, |
942 | bool add, | |
943 | int af, | |
944 | int protocol, | |
945 | uint16_t local_port, | |
946 | const union in_addr_union *remote, | |
947 | uint16_t remote_port, | |
948 | const union in_addr_union *previous_remote) { | |
5ee7c719 | 949 | |
715a70e7 | 950 | sd_netlink_message *transaction[NFT_DNAT_MSGS] = {}; |
175bc863 | 951 | static bool ipv6_supported = true; |
5ee7c719 | 952 | uint32_t data[5], key[2], dlen; |
715a70e7 FW |
953 | size_t tsize; |
954 | int r; | |
955 | ||
956 | assert(add || !previous_remote); | |
957 | ||
175bc863 YW |
958 | if (!ipv6_supported && af == AF_INET6) |
959 | return -EOPNOTSUPP; | |
960 | ||
715a70e7 FW |
961 | if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP)) |
962 | return -EPROTONOSUPPORT; | |
963 | ||
964 | if (local_port <= 0) | |
965 | return -EINVAL; | |
966 | ||
967 | key[0] = protocol; | |
968 | key[1] = htobe16(local_port); | |
969 | ||
970 | if (!remote) | |
971 | return -EOPNOTSUPP; | |
972 | ||
973 | if (remote_port <= 0) | |
974 | return -EINVAL; | |
975 | ||
0e544221 FW |
976 | if (af == AF_INET) { |
977 | dlen = 8; | |
978 | data[1] = htobe16(remote_port); | |
979 | } else { | |
980 | assert(af == AF_INET6); | |
981 | dlen = sizeof(data); | |
982 | data[4] = htobe16(remote_port); | |
983 | } | |
715a70e7 FW |
984 | |
985 | r = sd_nfnl_message_batch_begin(ctx->nfnl, &transaction[0]); | |
986 | if (r < 0) | |
987 | return r; | |
988 | ||
989 | tsize = 1; | |
990 | /* If a previous remote is set, remove its entry */ | |
0e544221 FW |
991 | if (add && previous_remote && !in_addr_equal(af, previous_remote, remote)) { |
992 | if (af == AF_INET) | |
993 | data[0] = previous_remote->in.s_addr; | |
994 | else | |
995 | memcpy(data, &previous_remote->in6, sizeof(previous_remote->in6)); | |
715a70e7 | 996 | |
0e544221 | 997 | r = nft_del_element(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_DNAT_MAP_NAME, key, sizeof(key), data, dlen); |
715a70e7 FW |
998 | if (r < 0) |
999 | goto out_unref; | |
1000 | ||
1001 | tsize++; | |
1002 | } | |
1003 | ||
0e544221 FW |
1004 | if (af == AF_INET) |
1005 | data[0] = remote->in.s_addr; | |
1006 | else | |
1007 | memcpy(data, &remote->in6, sizeof(remote->in6)); | |
715a70e7 FW |
1008 | |
1009 | assert(tsize < NFT_DNAT_MSGS); | |
1010 | if (add) | |
84af90ba | 1011 | r = nft_add_element(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_DNAT_MAP_NAME, key, sizeof(key), data, dlen); |
715a70e7 | 1012 | else |
84af90ba YW |
1013 | r = nft_del_element(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_DNAT_MAP_NAME, key, sizeof(key), data, dlen); |
1014 | if (r < 0) | |
1015 | goto out_unref; | |
715a70e7 FW |
1016 | |
1017 | tsize++; | |
1018 | assert(tsize < NFT_DNAT_MSGS); | |
1019 | ||
1020 | r = sd_nfnl_message_batch_end(ctx->nfnl, &transaction[tsize]); | |
1021 | if (r < 0) | |
1022 | goto out_unref; | |
1023 | ||
1024 | tsize++; | |
1025 | assert(tsize <= NFT_DNAT_MSGS); | |
175bc863 | 1026 | |
715a70e7 | 1027 | r = nfnl_netlink_sendv(ctx->nfnl, transaction, tsize); |
175bc863 YW |
1028 | if (r == -EOVERFLOW && af == AF_INET6) { |
1029 | /* The current implementation of DNAT in systemd requires kernel's | |
1030 | * fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81 (v5.8), and the older kernel returns | |
1031 | * -EOVERFLOW. Let's treat the error as -EOPNOTSUPP. */ | |
1032 | log_debug_errno(r, "The current implementation of IPv6 DNAT in systemd requires kernel 5.8 or newer, ignoring: %m"); | |
1033 | ipv6_supported = false; | |
1034 | r = -EOPNOTSUPP; | |
1035 | } | |
715a70e7 FW |
1036 | |
1037 | out_unref: | |
1038 | while (tsize > 0) | |
1039 | sd_netlink_message_unref(transaction[--tsize]); | |
5ee7c719 | 1040 | |
715a70e7 FW |
1041 | return r < 0 ? r : 0; |
1042 | } | |
5ee7c719 YW |
1043 | |
1044 | int fw_nftables_add_local_dnat( | |
1045 | FirewallContext *ctx, | |
1046 | bool add, | |
1047 | int af, | |
1048 | int protocol, | |
1049 | uint16_t local_port, | |
1050 | const union in_addr_union *remote, | |
1051 | uint16_t remote_port, | |
1052 | const union in_addr_union *previous_remote) { | |
1053 | ||
1054 | int r; | |
1055 | ||
0c4363a0 YW |
1056 | if (!socket_ipv6_is_supported() && af == AF_INET6) |
1057 | return -EOPNOTSUPP; | |
1058 | ||
5ee7c719 YW |
1059 | r = fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote); |
1060 | if (r != -ENOENT) | |
1061 | return r; | |
1062 | ||
1063 | /* See comment in fw_nftables_add_masquerade(). */ | |
1064 | r = fw_nftables_init_family(ctx->nfnl, af); | |
1065 | if (r < 0) | |
1066 | return r; | |
1067 | ||
1068 | /* table created anew; previous address already gone */ | |
1069 | return fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, NULL); | |
1070 | } |