From b660f16d18827f0310594c80d9387de11430f15f Mon Sep 17 00:00:00 2001
From: Nayana Bidari <nybidari@google.com>
Date: Fri, 27 Mar 2020 12:18:45 -0700
Subject: Support for connection tracking of TCP packets.

Connection tracking is used to track packets in prerouting and
output hooks of iptables. The NAT rules modify the tuples in
connections. The connection tracking code modifies the packets by
looking at the modified tuples.
---
 pkg/tcpip/stack/iptables_targets.go | 115 ++++++++++++++++++++----------------
 1 file changed, 65 insertions(+), 50 deletions(-)

(limited to 'pkg/tcpip/stack/iptables_targets.go')

diff --git a/pkg/tcpip/stack/iptables_targets.go b/pkg/tcpip/stack/iptables_targets.go
index 8be61f4b1..36cc6275d 100644
--- a/pkg/tcpip/stack/iptables_targets.go
+++ b/pkg/tcpip/stack/iptables_targets.go
@@ -24,7 +24,7 @@ import (
 type AcceptTarget struct{}
 
 // Action implements Target.Action.
-func (AcceptTarget) Action(packet PacketBuffer) (RuleVerdict, int) {
+func (AcceptTarget) Action(*PacketBuffer, *ConnTrackTable, Hook, *GSO, *Route, tcpip.Address) (RuleVerdict, int) {
 	return RuleAccept, 0
 }
 
@@ -32,7 +32,7 @@ func (AcceptTarget) Action(packet PacketBuffer) (RuleVerdict, int) {
 type DropTarget struct{}
 
 // Action implements Target.Action.
-func (DropTarget) Action(packet PacketBuffer) (RuleVerdict, int) {
+func (DropTarget) Action(*PacketBuffer, *ConnTrackTable, Hook, *GSO, *Route, tcpip.Address) (RuleVerdict, int) {
 	return RuleDrop, 0
 }
 
@@ -41,7 +41,7 @@ func (DropTarget) Action(packet PacketBuffer) (RuleVerdict, int) {
 type ErrorTarget struct{}
 
 // Action implements Target.Action.
-func (ErrorTarget) Action(packet PacketBuffer) (RuleVerdict, int) {
+func (ErrorTarget) Action(*PacketBuffer, *ConnTrackTable, Hook, *GSO, *Route, tcpip.Address) (RuleVerdict, int) {
 	log.Debugf("ErrorTarget triggered.")
 	return RuleDrop, 0
 }
@@ -52,7 +52,7 @@ type UserChainTarget struct {
 }
 
 // Action implements Target.Action.
-func (UserChainTarget) Action(PacketBuffer) (RuleVerdict, int) {
+func (UserChainTarget) Action(*PacketBuffer, *ConnTrackTable, Hook, *GSO, *Route, tcpip.Address) (RuleVerdict, int) {
 	panic("UserChainTarget should never be called.")
 }
 
@@ -61,7 +61,7 @@ func (UserChainTarget) Action(PacketBuffer) (RuleVerdict, int) {
 type ReturnTarget struct{}
 
 // Action implements Target.Action.
-func (ReturnTarget) Action(PacketBuffer) (RuleVerdict, int) {
+func (ReturnTarget) Action(*PacketBuffer, *ConnTrackTable, Hook, *GSO, *Route, tcpip.Address) (RuleVerdict, int) {
 	return RuleReturn, 0
 }
 
@@ -75,16 +75,16 @@ type RedirectTarget struct {
 	// redirect.
 	RangeProtoSpecified bool
 
-	// Min address used to redirect.
+	// MinIP indicates address used to redirect.
 	MinIP tcpip.Address
 
-	// Max address used to redirect.
+	// MaxIP indicates address used to redirect.
 	MaxIP tcpip.Address
 
-	// Min port used to redirect.
+	// MinPort indicates port used to redirect.
 	MinPort uint16
 
-	// Max port used to redirect.
+	// MaxPort indicates port used to redirect.
 	MaxPort uint16
 }
 
@@ -92,61 +92,76 @@ type RedirectTarget struct {
 // TODO(gvisor.dev/issue/170): Parse headers without copying. The current
 // implementation only works for PREROUTING and calls pkt.Clone(), neither
 // of which should be the case.
-func (rt RedirectTarget) Action(pkt PacketBuffer) (RuleVerdict, int) {
-	newPkt := pkt.Clone()
+func (rt RedirectTarget) Action(pkt *PacketBuffer, ct *ConnTrackTable, hook Hook, gso *GSO, r *Route, address tcpip.Address) (RuleVerdict, int) {
+	// Packet is already manipulated.
+	if pkt.NatDone {
+		return RuleAccept, 0
+	}
 
 	// Set network header.
-	headerView, ok := newPkt.Data.PullUp(header.IPv4MinimumSize)
-	if !ok {
-		return RuleDrop, 0
+	if hook == Prerouting {
+		parseHeaders(pkt)
 	}
-	netHeader := header.IPv4(headerView)
-	newPkt.NetworkHeader = headerView
 
-	hlen := int(netHeader.HeaderLength())
-	tlen := int(netHeader.TotalLength())
-	newPkt.Data.TrimFront(hlen)
-	newPkt.Data.CapLength(tlen - hlen)
+	// Drop the packet if network and transport header are not set.
+	if pkt.NetworkHeader == nil || pkt.TransportHeader == nil {
+		return RuleDrop, 0
+	}
 
-	// TODO(gvisor.dev/issue/170): Change destination address to
-	// loopback or interface address on which the packet was
-	// received.
+	// Change the address to localhost (127.0.0.1) in Output and
+	// to primary address of the incoming interface in Prerouting.
+	switch hook {
+	case Output:
+		rt.MinIP = tcpip.Address([]byte{127, 0, 0, 1})
+		rt.MaxIP = tcpip.Address([]byte{127, 0, 0, 1})
+	case Prerouting:
+		rt.MinIP = address
+		rt.MaxIP = address
+	default:
+		panic("redirect target is supported only on output and prerouting hooks")
+	}
 
 	// TODO(gvisor.dev/issue/170): Check Flags in RedirectTarget if
 	// we need to change dest address (for OUTPUT chain) or ports.
+	netHeader := header.IPv4(pkt.NetworkHeader)
 	switch protocol := netHeader.TransportProtocol(); protocol {
 	case header.UDPProtocolNumber:
-		var udpHeader header.UDP
-		if newPkt.TransportHeader != nil {
-			udpHeader = header.UDP(newPkt.TransportHeader)
-		} else {
-			if pkt.Data.Size() < header.UDPMinimumSize {
-				return RuleDrop, 0
-			}
-			hdr, ok := newPkt.Data.PullUp(header.UDPMinimumSize)
-			if !ok {
-				return RuleDrop, 0
+		udpHeader := header.UDP(pkt.TransportHeader)
+		udpHeader.SetDestinationPort(rt.MinPort)
+
+		// Calculate UDP checksum and set it.
+		if hook == Output {
+			udpHeader.SetChecksum(0)
+			hdr := &pkt.Header
+			length := uint16(pkt.Data.Size()+hdr.UsedLength()) - uint16(netHeader.HeaderLength())
+
+			// Only calculate the checksum if offloading isn't supported.
+			if r.Capabilities()&CapabilityTXChecksumOffload == 0 {
+				xsum := r.PseudoHeaderChecksum(protocol, length)
+				for _, v := range pkt.Data.Views() {
+					xsum = header.Checksum(v, xsum)
+				}
+				udpHeader.SetChecksum(0)
+				udpHeader.SetChecksum(^udpHeader.CalculateChecksum(xsum))
 			}
-			udpHeader = header.UDP(hdr)
 		}
-		udpHeader.SetDestinationPort(rt.MinPort)
+		// Change destination address.
+		netHeader.SetDestinationAddress(rt.MinIP)
+		netHeader.SetChecksum(0)
+		netHeader.SetChecksum(^netHeader.CalculateChecksum())
+		pkt.NatDone = true
 	case header.TCPProtocolNumber:
-		var tcpHeader header.TCP
-		if newPkt.TransportHeader != nil {
-			tcpHeader = header.TCP(newPkt.TransportHeader)
-		} else {
-			if pkt.Data.Size() < header.TCPMinimumSize {
-				return RuleDrop, 0
-			}
-			hdr, ok := newPkt.Data.PullUp(header.TCPMinimumSize)
-			if !ok {
-				return RuleDrop, 0
-			}
-			tcpHeader = header.TCP(hdr)
+		if ct == nil {
+			return RuleAccept, 0
+		}
+
+		// Set up conection for matching NAT rule.
+		// Only the first packet of the connection comes here.
+		// Other packets will be manipulated in connection tracking.
+		if conn, _ := ct.connTrackForPacket(pkt, hook, true); conn != nil {
+			ct.SetNatInfo(pkt, rt, hook)
+			ct.HandlePacket(pkt, hook, gso, r)
 		}
-		// TODO(gvisor.dev/issue/170): Need to recompute checksum
-		// and implement nat connection tracking to support TCP.
-		tcpHeader.SetDestinationPort(rt.MinPort)
 	default:
 		return RuleDrop, 0
 	}
-- 
cgit v1.2.3