21.4 Interfaces to Extend the NAT Module

The NAT module offers various extension options. These extensions are actually independent modules that can use the registration functions of the NAT module to register and unregister themselves. The following extensions are possible:

  • Transport protocols (e.g., TCP): To use a new protocol, we have to write two extension modules: one for connection tracking and one for NAT.

  • Helper modules (helpers): To handle application protocols such as FTP (see Section 21.1.7) properly, we can register helper modules. Again, this requires one helper each for connection tracking and NAT.

  • Configuration-tool extensions: In addition, the iptables configuration tool has to be extended by the corresponding command-line parameters for each new protocol and each new helper module. We will not discuss this issue any further.

21.4.1 Transport Protocols

The functions ip_nat_protocol_register() and ip_nat_protocol_unregister() can be used to register a new transport protocol or to unregister an existing protocol. When registering a new protocol, we have to pass a pointer to a structure of the type ip_nat_protocol as a parameter.

struct ip_nat_protocol

linux/netfilter_ipv4/ip_nat_protocol.h

    struct ip_nat_protocol {
        struct list_head list;

        /* Protocol name */
        const char *name;

        /* Protocol number. */
        unsigned int protonum;

        /* Do a packet translation according to the ip_nat_proto_manip
         * and manip type. */
        void (*manip_pkt)(struct iphdr *iph, size_t len,
                          const struct ip_conntrack_manip *manip,
                          enum ip_nat_manip_type maniptype);

        /* Is the manipable part of the tuple between min and max incl? */
        int (*in_range)(const struct ip_conntrack_tuple *tuple,
                        enum ip_nat_manip_type maniptype,
                        const union ip_conntrack_manip_proto *min,
                        const union ip_conntrack_manip_proto *max);

        /* Alter the per-proto part of the tuple (depending on
           maniptype), to give a unique tuple in the given range if
           possible; return false if not. Per-protocol part of tuple
           is initialized to the incoming packet. */
        int (*unique_tuple)(struct ip_conntrack_tuple *tuple,
                            const struct ip_nat_range *range,
                            enum ip_nat_manip_type maniptype,
                            const struct ip_conntrack *conntrack);

        unsigned int (*print)(char *buffer,
                              const struct ip_conntrack_tuple *match,
                              const struct ip_conntrack_tuple *mask);

        unsigned int (*print_range)(char *buffer,
                                    const struct ip_nat_range *range);
    };

list is the list header used to manage the protocol list. It holds pointers to the predecessor and successor entries and is initially set to {NULL, NULL}.

name is a character string containing the name of the protocol.

protonum is the protocol number that will be entered in the IP header. A list of protocol numbers is normally available in the /etc/protocols file.

manip_pkt is a pointer to a function invoked by the manip_pkt function of the NAT module to manipulate the protocol-specific part of a packet according to the manip parameter. (See Section 21.3.5.)

in_range is a pointer to a function that checks whether the protocol-specific part of an address (e.g., the TCP port) lies within the specified interval [min, max]. Whether the source or the destination address has to be checked is specified by the value of the maniptype parameter (IP_NAT_MANIP_SRC or IP_NAT_MANIP_DST). The function returns 1 if the condition is met, otherwise 0.

unique_tuple is a pointer to the module's "core function." It is invoked within get_unique_tuple() (see Section 21.3.4) to obtain a unique address by altering the protocol-specific part. The value of maniptype shows whether the source or the destination address should change; the respective protocol-specific part of tuple is initialized to the value of the original tuple.

The protocol-specific part is generally altered according to a simple scheme (e.g., by incrementing the port number for TCP). The function ip_nat_used_tuple() is then used to check whether the new address is still free. If a free address is found, unique_tuple() returns 1; otherwise, it has to return 0. If the flag IP_NAT_RANGE_PROTO_SPECIFIED is set, then range also specifies the interval in which the protocol-specific part of the tuple has to lie, and this restriction must be honored when searching.

The two function pointers, print() and print_range(), are invoked when the protocol-specific information in match and mask, or in range, should be output in text form. This informative text should be written to the buffer passed, and the number of characters written should be returned. For TCP, for example, these functions output the port numbers.
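The following is an added example, not code from the book or from the kernel's ip_nat_proto_tcp module. It models, in user space, the in_range() and unique_tuple() callbacks described above for a TCP-like protocol: the port is walked upward from the incoming packet's own port, restricted to [min, max] when IP_NAT_RANGE_PROTO_SPECIFIED is set, until a tuple that ip_nat_used_tuple() does not know yet is found. The types tuple, manip_proto and nat_range, the flag's numeric value, and the used-tuple table standing in for ip_nat_used_tuple() are simplifications assumed for this example and are not the netfilter headers.

```c
#include <stdint.h>
#include <stdio.h>

enum ip_nat_manip_type { IP_NAT_MANIP_SRC = 0, IP_NAT_MANIP_DST = 1 };

/* Flag named on the page; its numeric value here is an assumption. */
#define IP_NAT_RANGE_PROTO_SPECIFIED 0x2

/* Stand-in for union ip_conntrack_manip_proto: the TCP port. */
union manip_proto { uint16_t port; };

/* Stand-in for struct ip_conntrack_tuple: both addresses plus their ports. */
struct tuple {
    uint32_t src_ip; union manip_proto src;
    uint32_t dst_ip; union manip_proto dst;
};

/* Stand-in for struct ip_nat_range: min/max apply only when the flag is set. */
struct nat_range {
    unsigned int flags;
    union manip_proto min, max;
};

/* Stand-in for ip_nat_used_tuple(): a small table of tuples already bound. */
#define MAX_USED 16
static struct tuple used_tuples[MAX_USED];
static int used_count;

static int tuple_equal(const struct tuple *a, const struct tuple *b)
{
    return a->src_ip == b->src_ip && a->src.port == b->src.port &&
           a->dst_ip == b->dst_ip && a->dst.port == b->dst.port;
}

int nat_used_tuple(const struct tuple *t)
{
    for (int i = 0; i < used_count; i++)
        if (tuple_equal(&used_tuples[i], t))
            return 1;
    return 0;
}

/* Record a binding (what the NAT core does once unique_tuple() succeeded). */
void mark_used(const struct tuple *t)
{
    if (used_count < MAX_USED)
        used_tuples[used_count++] = *t;
}

void reset_used(void) { used_count = 0; }

/* in_range(): is the manipulable port of the tuple within [min, max]? */
int tcp_in_range(const struct tuple *t, enum ip_nat_manip_type maniptype,
                 const union manip_proto *min, const union manip_proto *max)
{
    uint16_t port = (maniptype == IP_NAT_MANIP_SRC) ? t->src.port : t->dst.port;
    return port >= min->port && port <= max->port;
}

/* unique_tuple(): starting from the packet's own port, try successive ports
 * (within the range if one was given) until a tuple not yet in use is found.
 * Returns 1 and leaves the new port in the tuple, or 0 if every port is taken. */
int tcp_unique_tuple(struct tuple *t, const struct nat_range *range,
                     enum ip_nat_manip_type maniptype)
{
    uint16_t *portp = (maniptype == IP_NAT_MANIP_SRC) ? &t->src.port : &t->dst.port;
    unsigned int lo = 1, hi = 65535;

    if (range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
        lo = range->min.port;
        hi = range->max.port;
    }
    unsigned int span = hi - lo + 1;
    /* Keep the incoming port as the starting point if it lies in the range. */
    unsigned int start = (*portp >= lo && *portp <= hi) ? *portp : lo;

    for (unsigned int i = 0; i < span; i++) {
        *portp = (uint16_t)(lo + (start - lo + i) % span);
        if (!nat_used_tuple(t))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a three-port range and one internal client. */
    struct nat_range range = { IP_NAT_RANGE_PROTO_SPECIFIED, { 1024 }, { 1026 } };
    struct tuple t = { 0x0a000001u, { 40000 }, 0xc0a80001u, { 80 } };

    for (int i = 0; i < 4; i++) {
        struct tuple cand = t;
        int ok = tcp_unique_tuple(&cand, &range, IP_NAT_MANIP_SRC);
        printf("attempt %d: %s, port %u\n", i, ok ? "free tuple" : "range exhausted", cand.src.port);
        if (ok)
            mark_used(&cand);
    }
    return 0;
}
```

The fourth attempt in main() fails because all three ports of the range are bound to the same address pair; this is the case in which unique_tuple() must return 0 so that the NAT core can refuse the binding instead of creating a duplicate.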

21.4.2 Helper Modules

A helper is a function invoked by the NAT module from within the do_bindings() function once an address binding has been added (see Section 21.3.5). This allows us to inspect the payload of a packet and to modify addresses transmitted in that payload; for example, to detect PORT commands over an FTP control connection. (See Section 21.1.7.) A helper module is registered by ip_nat_helper_register(), and the only parameter it takes is a data structure of the type ip_nat_helper.

struct ip_nat_helper

linux/netfilter_ipv4/ip_nat_helper.h
    struct ip_nat_helper {
        /* Internal use */
        struct list_head list;

        /* Mask of things we will help: vs. tuple from server */
        struct ip_conntrack_tuple tuple;
        struct ip_conntrack_tuple mask;

        /* Helper function: returns verdict */
        unsigned int (*help)(struct ip_conntrack *ct,
                             struct ip_nat_info *info,
                             enum ip_conntrack_info ctinfo,
                             unsigned int hooknum,
                             struct sk_buff **pskb);

        const char *name;
    };

help is a pointer to the main function of the helper module, which is invoked by do_bindings(), as was mentioned previously.
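As an added example (not the book's code and not the kernel's ip_nat_ftp helper), the following models the payload work an FTP NAT helper's help() function has to do on the control connection: recognize a PORT command, decode the address and port it announces, and rewrite them with the translated address so that the peer connects to the NAT box rather than to the unreachable internal address. The parse and rewrite functions and the sample command line are assumptions constructed for this example; the real helper additionally operates on an sk_buff and, when the rewritten command differs in length from the original, has to adjust the TCP sequence and acknowledgement numbers of the connection, which this model leaves out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode "PORT h1,h2,h3,h4,p1,p2" (RFC 959 syntax) into an IPv4 address and
 * port. Returns 1 on success, 0 if the line is not a well-formed PORT command. */
int parse_port_cmd(const char *line, uint32_t *ip, uint16_t *port)
{
    unsigned int v[6];

    if (strncmp(line, "PORT ", 5) != 0)
        return 0;
    if (sscanf(line + 5, "%u,%u,%u,%u,%u,%u",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)            /* each field is one octet */
            return 0;

    *ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Rewrite the PORT command so that it announces new_ip:new_port instead.
 * Returns the length of the rewritten payload, or -1 if the payload carries
 * no PORT command or out is too small. */
int rewrite_port_cmd(const char *payload, uint32_t new_ip, uint16_t new_port,
                     char *out, size_t outlen)
{
    uint32_t old_ip;
    uint16_t old_port;

    if (!parse_port_cmd(payload, &old_ip, &old_port))
        return -1;

    int n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     (new_ip >> 24) & 0xffu, (new_ip >> 16) & 0xffu,
                     (new_ip >> 8) & 0xffu, new_ip & 0xffu,
                     new_port >> 8, new_port & 0xffu);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample: internal client 10.0.0.5 announces port 1234,
     * the NAT box rewrites it to its own address 192.168.1.1, port 40000. */
    const char *payload = "PORT 10,0,0,5,4,210\r\n";
    char out[64];
    int n = rewrite_port_cmd(payload, 0xc0a80101u, 40000, out, sizeof out);

    if (n < 0)
        printf("no PORT command in payload\n");
    else
        printf("rewrote %zu-byte command to %d bytes: %s", strlen(payload), n, out);
    return 0;
}
```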

    Linux Network Architecture
    ISBN: 131777203
    Year: 2004
    Pages: 187