Moving Jool from Prerouting to Local In, Local Out and Forwarding.

This is necessary so NAT64 happens after iptables does filtering. It's also needed so Jool catches local traffic, which is needed by local CLATs. As an added bonus, it invalidates issue #90. Woot! Progress so far, summary: - Issue #33: Done. - Issue #41: Done. - Issue #107: Done. - Issue #111: dhfelix is done, but haven't even started to review. - Issue #116: EAM done, moved from prerouting done, dummy interface done. Missing (off the top of my head): - Adapting the global packet processing pipeline for stateless mode. - Configuration options. - Review RFC 6145 and updaters. - Issue #120: Done. - Issue #121: Not done. Everything needs testing. There are known bugs with fragmentation.
NICMx · Dec 11, 2014 · fa8b0c2 · fa8b0c2
1 parent 242de74
commit fa8b0c2
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 36 deletions.
diff --git a/INSTALL b/INSTALL
@@ -30,9 +30,6 @@ Insert the module:
 	Turn off offloads (do this for every relevant interface)
 		# sudo ethtool --offload <interface> tso off ufo off gso off gro off lro off
 
-	Prevent martian packets from reaching the module (Required by RFC 6146).
-		# sysctl -w net.ipv4.conf.all.log_martians=1
-
 	Actually insert the module:
 		$ # default IPv4 pool: 192.168.2.1-192.168.2.4
 		$ # default IPv6 pool: 64:ff9b::/96

diff --git a/README.md b/README.md
@@ -63,6 +63,7 @@ Alternatively, you might want to upload bugs and pull requests to the [issue tra
 * [Stanislav Bogatyrev](https://github.com/realloc)
 * [tbe](https://github.com/tbe)
 * [techmotive](https://github.com/techmotive)
+* [Tore Anderson](https://github.com/toreanderson)
 * Washam Fan
 
 ## Legal stuff

diff --git a/abbreviations.txt b/abbreviations.txt
@@ -7,6 +7,8 @@ dst = destination
 in = incoming (Note, not "inner")
 out = outgoing (Not "outer")
 
+4to6 = translation from IPv4 to IPv6
+6to4 = translation from IPv6 to IPv4
 alloc = memory allocation
 addr = address
 aux = auxiliar function

diff --git a/mod/icmp_wrapper.c b/mod/icmp_wrapper.c
@@ -118,13 +118,9 @@ static void icmp6_send(struct sk_buff *skb, icmp_error_code error, __u32 info)
 		return; /* Not supported or needed. */
 	}
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 12, 0) || KERNEL_VERSION(3, 13, 0) <= LINUX_VERSION_CODE
 	log_debug("Sending ICMPv6 error: %s, type: %d, code: %d", icmp_error_to_string(error), type,
 			code);
 	icmpv6_send(skb, type, code, info);
-#else
-#warning "You're compiling in kernel 3.12. See https://github.com/NICMx/NAT64/issues/90"
-#endif
 }
 
 void icmp64_send(struct sk_buff *skb, icmp_error_code error, __u32 info)

diff --git a/mod/nf_hook.c b/mod/nf_hook.c
@@ -80,21 +80,39 @@ static unsigned int hook_ipv6(HOOK_ARG_TYPE hook, struct sk_buff *skb,
 static struct nf_hook_ops nfho[] = {
 	{
 		.hook = hook_ipv6,
-		.hooknum = NF_INET_PRE_ROUTING,
 		.pf = PF_INET6,
-		.priority = NF_IP6_PRI_NAT_SRC + 25,
+		.hooknum = NF_INET_LOCAL_IN
 	},
 	{
 		.hook = hook_ipv4,
-		.hooknum = NF_INET_PRE_ROUTING,
 		.pf = PF_INET,
-		.priority = NF_IP_PRI_NAT_SRC + 25,
+		.hooknum = NF_INET_LOCAL_IN
+	},
+	{
+		.hook = hook_ipv6,
+		.pf = PF_INET6,
+		.hooknum = NF_INET_FORWARD
+	},
+	{
+		.hook = hook_ipv4,
+		.pf = PF_INET,
+		.hooknum = NF_INET_FORWARD
+	},
+	{
+		.hook = hook_ipv6,
+		.pf = PF_INET6,
+		.hooknum = NF_INET_LOCAL_OUT
+	},
+	{
+		.hook = hook_ipv4,
+		.pf = PF_INET,
+		.hooknum = NF_INET_LOCAL_OUT
 	}
 };
 
 static int __init nat64_init(void)
 {
-	int error;
+	int i, error;
 
 	log_debug("%s", banner);
 	log_debug("Inserting the module...");
@@ -140,6 +158,12 @@ static int __init nat64_init(void)
 #endif
 
 	/* Hook Jool to Netfilter. */
+	for (i = 0; i < ARRAY_SIZE(nfho); i++) {
+		nfho[i].owner = NULL;
+		nfho[i].priv = NULL;
+		nfho[i].priority = NF_IP_PRI_NAT_SRC + 25;
+	}
+
 	error = nf_register_hooks(nfho, ARRAY_SIZE(nfho));
 	if (error)
 		goto nf_register_hooks_failure;

diff --git a/mod/packet.c b/mod/packet.c
@@ -287,14 +287,6 @@ static int __skb_init_cb_ipv6(struct sk_buff *skb)
 	if (unlikely(error))
 		goto inhdr;
 
-	/*
-	 * If you're comparing this to init_ipv4_cb(), keep in mind that ip6_route_input() is not
-	 * exported for dynamic modules to use (and linux doesn't know a route to the NAT64 prefix
-	 * anyway), so we have to test the shit out of kernel IPv6 functions which might dereference
-	 * the dst_entries of the skbs.
-	 * We already know of a bug in Linux 3.12 that does exactly that, see icmp_wrapper.c.
-	 */
-
 	cb->l3_proto = L3PROTO_IPV6;
 	cb->is_inner = 0;
 	cb->original_skb = skb;
@@ -415,22 +407,6 @@ int skb_init_cb_ipv4(struct sk_buff *skb)
 	getnstimeofday(&cb->start_time);
 #endif
 
-#ifndef UNIT_TESTING
-	if (skb && skb_rtable(skb) == NULL) {
-		/*
-		 * Some kernel functions assume that the incoming packet is already routed.
-		 * Because they seem to pop up where we least expect them, we'll just route every incoming
-		 * packet, regardless of whether we end up calling one of those functions.
-		 */
-		error = ip_route_input(skb, hdr4->daddr, hdr4->saddr, hdr4->tos, skb->dev);
-		if (error) {
-			log_debug("ip_route_input failed: %d", error);
-			inc_stats(skb, IPSTATS_MIB_INNOROUTES);
-			return error;
-		}
-	}
-#endif
-
 	cb->l3_proto = L3PROTO_IPV4;
 	cb->is_inner = 0;
 	cb->original_skb = skb;