libipt_SNAT.c revision ae4b0b3aa70c67f2eff303a3e75834e45c3794a7 
1/* Shared library add-on to iptables to add source-NAT support. */
2#include <stdio.h>
3#include <netdb.h>
4#include <string.h>
5#include <stdlib.h>
6#include <getopt.h>
7#include <iptables.h>
8#include <linux/netfilter_ipv4/ip_tables.h>
9#include <linux/netfilter_ipv4/ip_nat_rule.h>
10
11#define IPT_SNAT_OPT_SOURCE 0x01
12#ifdef IP_NAT_RANGE_PROTO_RANDOM
13#	define IPT_SNAT_OPT_RANDOM 0x02
14#endif
15
16/* Source NAT data consists of a multi-range, indicating where to map
17   to. */
18struct ipt_natinfo
19{
20	struct ipt_entry_target t;
21	struct ip_nat_multi_range mr;
22};
23
24/* Function which prints out usage message. */
25static void
26help(void)
27{
28	printf(
29"SNAT v%s options:\n"
30" --to-source <ipaddr>[-<ipaddr>][:port-port]"
31#ifdef IP_NAT_RANGE_PROTO_RANDOM
32"[--random]"
33#endif
34"\n"
35"				Address to map source to.\n"
36"				(You can use this more than once)\n\n",
37IPTABLES_VERSION);
38}
39
40static struct option opts[] = {
41	{ "to-source", 1, 0, '1' },
42#ifdef IP_NAT_RANGE_PROTO_RANDOM
43	{ "random", 0, 0, '2' },
44#endif
45	{ 0 }
46};
47
48static struct ipt_natinfo *
49append_range(struct ipt_natinfo *info, const struct ip_nat_range *range)
50{
51	unsigned int size;
52
53	/* One rangesize already in struct ipt_natinfo */
54	size = IPT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range));
55
56	info = realloc(info, size);
57	if (!info)
58		exit_error(OTHER_PROBLEM, "Out of memory\n");
59
60	info->t.u.target_size = size;
61	info->mr.range[info->mr.rangesize] = *range;
62	info->mr.rangesize++;
63
64	return info;
65}
66
67/* Ranges expected in network order. */
68static struct ipt_entry_target *
69parse_to(char *arg, int portok, struct ipt_natinfo *info)
70{
71	struct ip_nat_range range;
72	char *colon, *dash, *error;
73	struct in_addr *ip;
74
75	memset(&range, 0, sizeof(range));
76	colon = strchr(arg, ':');
77
78	if (colon) {
79		int port;
80
81		if (!portok)
82			exit_error(PARAMETER_PROBLEM,
83				   "Need TCP or UDP with port specification");
84
85		range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
86
87		port = atoi(colon+1);
88		if (port <= 0 || port > 65535)
89			exit_error(PARAMETER_PROBLEM,
90				   "Port `%s' not valid\n", colon+1);
91
92		error = strchr(colon+1, ':');
93		if (error)
94			exit_error(PARAMETER_PROBLEM,
95				   "Invalid port:port syntax - use dash\n");
96
97		dash = strchr(colon, '-');
98		if (!dash) {
99			range.min.tcp.port
100				= range.max.tcp.port
101				= htons(port);
102		} else {
103			int maxport;
104
105			maxport = atoi(dash + 1);
106			if (maxport <= 0 || maxport > 65535)
107				exit_error(PARAMETER_PROBLEM,
108					   "Port `%s' not valid\n", dash+1);
109			if (maxport < port)
110				/* People are stupid. */
111				exit_error(PARAMETER_PROBLEM,
112					   "Port range `%s' funky\n", colon+1);
113			range.min.tcp.port = htons(port);
114			range.max.tcp.port = htons(maxport);
115		}
116		/* Starts with a colon? No IP info...*/
117		if (colon == arg)
118			return &(append_range(info, &range)->t);
119		*colon = '\0';
120	}
121
122	range.flags |= IP_NAT_RANGE_MAP_IPS;
123	dash = strchr(arg, '-');
124	if (colon && dash && dash > colon)
125		dash = NULL;
126
127	if (dash)
128		*dash = '\0';
129
130	ip = dotted_to_addr(arg);
131	if (!ip)
132		exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
133			   arg);
134	range.min_ip = ip->s_addr;
135	if (dash) {
136		ip = dotted_to_addr(dash+1);
137		if (!ip)
138			exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
139				   dash+1);
140		range.max_ip = ip->s_addr;
141	} else
142		range.max_ip = range.min_ip;
143
144	return &(append_range(info, &range)->t);
145}
146
147/* Function which parses command options; returns true if it
148   ate an option */
149static int
150parse(int c, char **argv, int invert, unsigned int *flags,
151      const struct ipt_entry *entry,
152      struct ipt_entry_target **target)
153{
154	struct ipt_natinfo *info = (void *)*target;
155	int portok;
156
157	if (entry->ip.proto == IPPROTO_TCP
158	    || entry->ip.proto == IPPROTO_UDP
159	    || entry->ip.proto == IPPROTO_ICMP)
160		portok = 1;
161	else
162		portok = 0;
163
164	switch (c) {
165	case '1':
166		if (check_inverse(optarg, &invert, NULL, 0))
167			exit_error(PARAMETER_PROBLEM,
168				   "Unexpected `!' after --to-source");
169
170		if (*flags & IPT_SNAT_OPT_SOURCE) {
171			if (!kernel_version)
172				get_kernel_version();
173			if (kernel_version > LINUX_VERSION(2, 6, 10))
174				exit_error(PARAMETER_PROBLEM,
175					   "Multiple --to-source not supported");
176		}
177		*target = parse_to(optarg, portok, info);
178#ifdef IP_NAT_RANGE_PROTO_RANDOM
179		if (*flags & IPT_SNAT_OPT_RANDOM)
180			info->mr.range[0].flags |=  IP_NAT_RANGE_PROTO_RANDOM;
181#endif
182		*flags = IPT_SNAT_OPT_SOURCE;
183		return 1;
184
185#ifdef IP_NAT_RANGE_PROTO_RANDOM
186	case '2':
187		if (*flags & IPT_SNAT_OPT_SOURCE) {
188			info->mr.range[0].flags |=  IP_NAT_RANGE_PROTO_RANDOM;
189			*flags |= IPT_SNAT_OPT_RANDOM;
190		} else
191			*flags |= IPT_SNAT_OPT_RANDOM;
192		return 1;
193#endif
194
195	default:
196		return 0;
197	}
198}
199
200/* Final check; must have specfied --to-source. */
201static void final_check(unsigned int flags)
202{
203	if (!(flags & IPT_SNAT_OPT_SOURCE))
204		exit_error(PARAMETER_PROBLEM,
205			   "You must specify --to-source");
206}
207
208static void print_range(const struct ip_nat_range *r)
209{
210	if (r->flags & IP_NAT_RANGE_MAP_IPS) {
211		struct in_addr a;
212
213		a.s_addr = r->min_ip;
214		printf("%s", addr_to_dotted(&a));
215		if (r->max_ip != r->min_ip) {
216			a.s_addr = r->max_ip;
217			printf("-%s", addr_to_dotted(&a));
218		}
219	}
220	if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
221		printf(":");
222		printf("%hu", ntohs(r->min.tcp.port));
223		if (r->max.tcp.port != r->min.tcp.port)
224			printf("-%hu", ntohs(r->max.tcp.port));
225	}
226#ifdef IP_NAT_RANGE_PROTO_RANDOM
227	if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) {
228		printf(" random");
229	}
230#endif
231}
232
233/* Prints out the targinfo. */
234static void
235print(const struct ipt_ip *ip,
236      const struct ipt_entry_target *target,
237      int numeric)
238{
239	struct ipt_natinfo *info = (void *)target;
240	unsigned int i = 0;
241
242	printf("to:");
243	for (i = 0; i < info->mr.rangesize; i++) {
244		print_range(&info->mr.range[i]);
245		printf(" ");
246	}
247}
248
249/* Saves the union ipt_targinfo in parsable form to stdout. */
250static void
251save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
252{
253	struct ipt_natinfo *info = (void *)target;
254	unsigned int i = 0;
255
256	for (i = 0; i < info->mr.rangesize; i++) {
257		printf("--to-source ");
258		print_range(&info->mr.range[i]);
259		printf(" ");
260	}
261}
262
263static struct iptables_target snat = {
264	.next		= NULL,
265	.name		= "SNAT",
266	.version	= IPTABLES_VERSION,
267	.size		= IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
268	.userspacesize	= IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
269	.help		= &help,
270	.parse		= &parse,
271	.final_check	= &final_check,
272	.print		= &print,
273	.save		= &save,
274	.extra_opts	= opts
275};
276
277void _init(void)
278{
279	register_target(&snat);
280}
281