既然看到了Cisco的NAT比较灵活,那么Linux能否实现呢?答案是肯定的!因为Linux的Netfilter是超级灵活的,Linux的NAT不灵活是因为iptables程序的不灵活,xtables-addons的RAWNAT已经朝static nat迈出了重要的一步,是iptables限制了Linux的static nat发展!于是我抛开iptables,先基于Netfilter把内核模块实现,然后用procfs作为用户接口,看看怎么实现Cisco风格的static nat。顺带说一句,之所以做这个程序,是因为我们在产品中真的遇到了这个需求,玩过SIP和FTP的都知道,然而因为工期受限,又怕自己做的这个不稳定,效率也没有优化,因此只能放在这里玩玩,不登大雅之堂。
首先,我们看一下基本原理,我们不希望一条NAT绑定任何N元组或者说流,只是一个一对一的地址映射,以源地址转换为例,在从内到外的方向将源地址A转换为B,在从外到内的方向将源目标地址B转换为A!必须记住,任何时候,源地址转换都在POSTROUTING上来做,而目标地址转换都在PREROUTING上来做,按照上述的陈述,以下图说明:
有了上图作为指示,我们就知道该怎么做了:
1.内核中维护一个映射表,仅仅映射两个地址;
2.在PREROUTING和POSTROUTING两个HOOK点上基于上述的映射表执行NAT动作;
3.实现一个用户接口,可以从用户态进行地址映射的配置
以上3点比较容易实现,实际上使用xtables-addons的RAWNAT其实也能实现static nat,然而要想实现两个方向的自动匹配NAT,必然要配置两条甚至多条,最蛋疼的就是明明就是一条映射,非要写成match的形式,所以还是做成Cisco风格的吧。不管怎样,下面的这个代码的实际nat部分还是使用了RAWNAT的代码!
首先,我们看一下基本原理,我们不希望一条NAT绑定任何N元组或者说流,只是一个一对一的地址映射,以源地址转换为例,在从内到外的方向将源地址A转换为B,在从外到内的方向将源目标地址B转换为A!必须记住,任何时候,源地址转换都在POSTROUTING上来做,而目标地址转换都在PREROUTING上来做,按照上述的陈述,以下图说明:
有了上图作为指示,我们就知道该怎么做了:
1.内核中维护一个映射表,仅仅映射两个地址;
2.在PREROUTING和POSTROUTING两个HOOK点上基于上述的映射表执行NAT动作;
3.实现一个用户接口,可以从用户态进行地址映射的配置
以上3点比较容易实现,实际上使用xtables-addons的RAWNAT其实也能实现static nat,然而要想实现两个方向的自动匹配NAT,必然要配置两条甚至多条,最蛋疼的就是明明就是一条映射,非要写成match的形式,所以还是做成Cisco风格的吧。不管怎样,下面的这个代码的实际nat部分还是使用了RAWNAT的代码!
代码如下:
#include <linux/ip.h> #include <linux/ipv6.h> #include <linux/module.h> #include <linux/skbuff.h> #include <linux/tcp.h> #include <linux/udp.h> #include <linux/list.h> #include <linux/sysfs.h> #include <linux/fs.h> #include <linux/proc_fs.h> #include <linux/version.h> #include <linux/netfilter.h> #include <net/ip.h> #include "compat_xtables.h" static inline __be32 remask(__be32 addr, __be32 repl, unsigned int shift) { uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift); return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask)); } static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip) { struct iphdr *iph = ip_hdr(skb); void *transport_hdr = (void *)iph + ip_hdrlen(skb); struct tcphdr *tcph; struct udphdr *udph; bool cond; switch (iph->protocol) { case IPPROTO_TCP: tcph = transport_hdr; inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true); break; case IPPROTO_UDP: case IPPROTO_UDPLITE: udph = transport_hdr; cond = udph->check != 0; #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) cond |= skb->ip_summed == CHECKSUM_PARTIAL; #endif if (cond) { inet_proto_csum_replace4(&udph->check, skb, oldip, newip, true); if (udph->check == 0) udph->check = CSUM_MANGLED_0; } break; } } static unsigned int rawnat4_writable_part(const struct iphdr *iph) { unsigned int wlen = sizeof(*iph); switch (iph->protocol) { case IPPROTO_TCP: wlen += sizeof(struct tcphdr); break; case IPPROTO_UDP: wlen += sizeof(struct udphdr); break; } return wlen; } //实现源地址转换 static unsigned int rawsnat(struct sk_buff **pskb, __be32 addr) { struct iphdr *iph; __be32 new_addr; iph = ip_hdr(*pskb); new_addr = remask(iph->saddr, addr, 32); if (iph->saddr == new_addr) { return NF_ACCEPT; } if (!skb_make_writable(pskb, rawnat4_writable_part(iph))){ return NF_DROP; } iph = ip_hdr(*pskb); csum_replace4(&iph->check, iph->saddr, new_addr); rawnat4_update_l4(*pskb, iph->saddr, new_addr); iph->saddr = new_addr; return NF_ACCEPT; } //实现目标地址转换 static unsigned int rawdnat(struct sk_buff **pskb, __be32 addr) { struct iphdr *iph; __be32 new_addr; iph = ip_hdr(*pskb); new_addr = remask(iph->daddr, addr, 32); if (iph->daddr == new_addr) return NF_ACCEPT; if (!skb_make_writable(pskb, rawnat4_writable_part(iph))) return NF_DROP; iph = ip_hdr(*pskb); csum_replace4(&iph->check, iph->daddr, new_addr); rawnat4_update_l4(*pskb, iph->daddr, new_addr); iph->daddr = new_addr; return NF_ACCEPT; } //定义数据结构 struct addr_map { struct list_head list; __be32 addr[2]; int type; //0:源地址转换;1:目标地址转换 }; //全局的map list static LIST_HEAD(map_list); static unsigned int ipv4_static_nat_pre(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { __be32 new_daddr = 0x0; struct addr_map *map; const struct iphdr *iph = ip_hdr(skb); if (list_empty(&map_list)) { return NF_ACCEPT; } //查找是否需要做目标地址转换 list_for_each_entry(map, &map_list, list) { if (map->addr[((map->type-1)&0x00000001)] == iph->daddr) { new_daddr = map->addr[map->type&0x00000001]; break; } } if (new_daddr == 0) { return NF_ACCEPT; } return rawdnat(&skb, new_daddr); } static unsigned int ipv4_static_nat_post(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { __be32 new_saddr = 0x0; struct addr_map *map; const struct iphdr *iph = ip_hdr(skb); if (list_empty(&map_list)) { return NF_ACCEPT; } //查找是否做源地址转换 list_for_each_entry(map, &map_list, list) { if (map->addr[map->type&0x00000001] == iph->saddr) { new_saddr = map->addr[((map->type-1)&0x00000001)]; break; } } if (new_saddr == 0) { return NF_ACCEPT; } return rawsnat(&skb, new_saddr); } static struct nf_hook_ops ipv4_static_nat[] __read_mostly = { { .hook = ipv4_static_nat_pre, .owner = THIS_MODULE, .pf = NFPROTO_IPV4, .hooknum = NF_INET_PRE_ROUTING, .priority = NF_IP_PRI_NAT_SRC+1, }, { .hook = ipv4_static_nat_post, .owner = THIS_MODULE, .pf = NFPROTO_IPV4, .hooknum = NF_INET_PRE_ROUTING, .priority = NF_IP_PRI_RAW+1, }, }; //以下是定义用户接口 //如果需要添加一条source转换。则: //echo +172.16.4.34-128.129.4.34 >/proc/STATIC_Nat/source struct proc_dir_entry *nat_entry = NULL; static ssize_t write_snat(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { struct addr_map *am = NULL; char addr_temp[20] = {0}; __be32 addr1 = 0, addr2 = 0; int ret = count; int i = 1; for (; i < 48; i++) { if (buf[i] == '-') { memcpy(addr_temp, buf+1, i-1); break; } } addr1 = in_aton(addr_temp); addr2 = in_aton(buf + i + 1); if (buf[0] == '+') { am = kzalloc(sizeof(struct addr_map), GFP_KERNEL); INIT_LIST_HEAD(&am->list); am->addr[0] = addr1; am->addr[1] = addr2; am->type = 0; list_add(&am->list, &map_list); } else if(buf[0] == '-') { //Remove TODO } return ret; } static ssize_t write_dnat(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { //TODO return 0; } static ssize_t read_snat(struct file *file, char __user *buf, size_t count, loff_t *ppos) { //TODO return 0; } static ssize_t read_dnat(struct file *file, char __user *buf, size_t count, loff_t *ppos) { //TODO return 0; } static const struct file_operations proc_snat_operations = { .read = read_snat, .write = write_snat, }; static const struct file_operations proc_dnat_operations = { .read = read_dnat, .write = write_dnat, }; static int __init static_nat_zy_init(void) { int ret = 0; ret = nf_register_hooks(ipv4_static_nat, ARRAY_SIZE(ipv4_static_nat)); if (ret < 0) { printk("ipv4_static_nat: can't register hooks.\n"); } /* test */else { nat_entry = proc_mkdir("STATIC_Nat", NULL); proc_create("source", S_IWUSR, nat_entry, &proc_snat_operations); proc_create("destination", S_IWUSR, nat_entry, &proc_dnat_operations); } return ret; } static void __exit static_nat_zy_exit(void) { remove_proc_entry("source", nat_entry); remove_proc_entry("destination", nat_entry); remove_proc_entry("STATIC_Nat", NULL); nf_unregister_hooks(ipv4_static_nat, ARRAY_SIZE(ipv4_static_nat)); return; } module_init(static_nat_zy_init); module_exit(static_nat_zy_exit); //保留原作者 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); MODULE_AUTHOR("wangran <marywangran@126.com>"); MODULE_DESCRIPTION("Static NAT"); MODULE_LICENSE("GPL");
如此就可以实现Cisoc风格的NAT了。代码的优化空间还是有很多的,比如list可以换成hash...
本文转自 dog250 51CTO博客,原文链接:http://blog.51cto.com/dog250/1268872