kernel_patch_sample.natcap-patch-kernel-for-cone-nat-support.patch
From aeb7ac1f2fbad88de1e101be69da61e86eb9ef1d Mon Sep 17 00:00:00 2001
From: Chen Minqiang <[email protected]>
Date: Sat, 17 Jul 2021 18:01:02 +0800
Subject: [PATCH] natcap: patch kernel for cone nat support
Signed-off-by: Chen Minqiang <[email protected]>
---
include/net/netfilter/nf_nat.h | 3 +++
net/netfilter/nf_nat_core.c | 28 +++++++++++++++++++++++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 0d412dd63707..d3dd99d59716 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -114,4 +114,7 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
else
return ct->status & IPS_DST_NAT_DONE;
}
+
+#define CONE_NAT_CHECK_USED_HOOK cone_nat_tuple_used
+extern int (*cone_nat_check_used)(__be32 iip, __be16 iport, __be32 eip, __be16 eport);
#endif
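Review bot: `CONE_NAT_CHECK_USED_HOOK` is defined on the line before the extern but nothing else in this patch references it, and the extern itself carries no contract for what is a writable, GPL-exported function pointer that out-of-tree code is expected to assign. I would either drop the unused macro or say what it is for, and state the registration rule above the extern: `/* Set by the natcap module. Must be reset to NULL (and RCU-synchronized) before the registering module unloads. */`. The `__be32`/`__be16` types say the arguments are network byte order, but the declaration does not say which tuple they come from; documenting that `iip`/`iport` are the conntrack's original source and `eip`/`eport` the candidate external mapping would spare readers a trip to the only caller in nf_nat_core.c. nf_nat_initialized begins before this hunk.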
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index b7c3c902290f..d71b27cbe147 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -217,6 +217,32 @@ nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
return nf_conntrack_tuple_taken(&reply, ignored_conntrack);
}
+int (*cone_nat_check_used)(__be32 iip, __be16 iport, __be32 eip, __be16 eport) = NULL;
+EXPORT_SYMBOL_GPL(cone_nat_check_used);
+
+static int
+cone_nat_tuple_ok(const struct nf_conntrack_tuple *tuple,
+ enum nf_nat_manip_type maniptype,
+ const struct nf_conn *ct)
+{
+ int (*cone_call)(__be32 iip, __be16 iport, __be32 eip, __be16 eport) = cone_nat_check_used;
+ if (maniptype != NF_NAT_MANIP_SRC)
+ return 1;
+ if (tuple->dst.protonum != IPPROTO_UDP)
+ return 1;
+ if (tuple->src.l3num != NFPROTO_IPV4)
+ return 1;
+
+ if (!cone_call ||
+ !cone_call(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip,
+ ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.all,
+ tuple->src.u3.ip, tuple->src.u.all)) {
+ return 1;
+ }
+
+ return 0;
+}
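Review bot: cone_nat_tuple_ok copies `cone_nat_check_used` with a plain load and then calls through it, with nothing tying that read to the lifetime of the module that installed the pointer; if the registrant clears the hook and unloads while a packet is in this path, the indirect call lands in freed module text. This code runs from the NAT tuple search, which is presumably under rcu_read_lock() (confirm from nf_nat_l4proto_unique_tuple's callers), so the usual kernel pattern applies: declare the pointer `__rcu`, have the registrant use `rcu_assign_pointer()` plus `synchronize_rcu()` on teardown, and read it here as `cone_call = rcu_dereference(cone_nat_check_used);`. The definition itself would normally be marked `__read_mostly` since it is written once and read per packet. Note also that the hook is consulted before the conntrack hash lookup for every IPv4/UDP source-port candidate, so a slow implementation sits on the hot path of the whole port search; a one-line comment above the function stating that the hook must be cheap and non-sleeping would set the expectation for implementers.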
+
static bool nf_nat_inet_in_range(const struct nf_conntrack_tuple *t,
const struct nf_nat_range2 *range)
{
@@ -503,7 +529,7 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
another_round:
for (i = 0; i < attempts; i++, off++) {
*keyptr = htons(min + off % range_size);
- if (!nf_nat_used_tuple(tuple, ct))
+ if (cone_nat_tuple_ok(tuple, maniptype, ct) && !nf_nat_used_tuple(tuple, ct))
return;
}
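Review bot: only the retry loop in nf_nat_l4proto_unique_tuple is gated by `cone_nat_tuple_ok()`; if the "try the original tuple first" path in get_unique_tuple (not touched by this patch) still calls `nf_nat_used_tuple()` directly, a source port the cone hook would refuse is selected whenever the conntrack's own source port is free in the range, and the cone check is bypassed for the common case. That path should go through the same predicate, or the gating should move inside nf_nat_used_tuple() so every caller inherits it. Candidates rejected by the hook still consume `attempts` and fall into the retry logic below, which looks intended, but the changed line deserves a why-comment: `/* skip ports the cone-NAT hook has reserved for another internal host */`. The enclosing function starts and ends outside this hunk.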
--
2.17.1