]>
Commit | Line | Data |
---|---|---|
384c1045 | 1 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter.h linux-2.6.6-rc3/include/linux/netfilter.h |
2 | --- linux-2.6.6-rc3.org/include/linux/netfilter.h 2004-04-28 03:35:48.000000000 +0200 | |
3 | +++ linux-2.6.6-rc3/include/linux/netfilter.h 2004-04-29 11:18:06.000000000 +0200 | |
4 | @@ -23,6 +23,7 @@ | |
5 | <= 0x2000 is used for protocol-flags. */ | |
6 | #define NFC_UNKNOWN 0x4000 | |
7 | #define NFC_ALTERED 0x8000 | |
8 | +#define NFC_TRACE 0x10000 | |
9 | ||
10 | #ifdef __KERNEL__ | |
11 | #include <linux/config.h> | |
12 | @@ -137,12 +138,14 @@ | |
13 | /* This is gross, but inline doesn't cut it for avoiding the function | |
14 | call in fast path: gcc doesn't inline (needs value tracking?). --RR */ | |
15 | #ifdef CONFIG_NETFILTER_DEBUG | |
16 | -#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ | |
17 | - nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN) | |
18 | +#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ | |
19 | +(!(cond) \ | |
20 | + ? (okfn)(skb) \ | |
21 | + : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN)) | |
22 | #define NF_HOOK_THRESH nf_hook_slow | |
23 | #else | |
24 | -#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ | |
25 | -(list_empty(&nf_hooks[(pf)][(hook)]) \ | |
26 | +#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ | |
27 | +(!(cond) || list_empty(&nf_hooks[(pf)][(hook)]) \ | |
28 | ? (okfn)(skb) \ | |
29 | : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN)) | |
30 | #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \ | |
31 | @@ -150,6 +153,8 @@ | |
32 | ? (okfn)(skb) \ | |
33 | : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), (thresh))) | |
34 | #endif | |
35 | +#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ | |
36 | + NF_HOOK_COND((pf), (hook), (skb), (indev), (outdev), (okfn), 1) | |
37 | ||
38 | int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb, | |
39 | struct net_device *indev, struct net_device *outdev, | |
40 | @@ -182,7 +187,24 @@ | |
41 | ||
42 | #else /* !CONFIG_NETFILTER */ | |
43 | #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb) | |
44 | +#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb) | |
45 | #endif /*CONFIG_NETFILTER*/ | |
46 | ||
47 | +#ifdef CONFIG_XFRM | |
48 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
49 | +struct flowi; | |
50 | +extern void nf_nat_decode_session4(struct sk_buff *skb, struct flowi *fl); | |
51 | + | |
52 | +static inline void | |
53 | +nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) | |
54 | +{ | |
55 | + if (family == AF_INET) | |
56 | + nf_nat_decode_session4(skb, fl); | |
57 | +} | |
58 | +#else /* CONFIG_IP_NF_NAT_NEEDED */ | |
59 | +#define nf_nat_decode_session(skb,fl,family) | |
60 | +#endif /* CONFIG_IP_NF_NAT_NEEDED */ | |
61 | +#endif /* CONFIG_XFRM */ | |
62 | + | |
63 | #endif /*__KERNEL__*/ | |
64 | #endif /*__LINUX_NETFILTER_H*/ | |
65 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_helpers.h linux-2.6.6-rc3/include/linux/netfilter_helpers.h | |
66 | --- linux-2.6.6-rc3.org/include/linux/netfilter_helpers.h 1970-01-01 01:00:00.000000000 +0100 | |
67 | +++ linux-2.6.6-rc3/include/linux/netfilter_helpers.h 2004-04-29 11:20:13.000000000 +0200 | |
68 | @@ -0,0 +1,133 @@ | |
69 | +/* | |
70 | + * Helpers for netfiler modules. This file provides implementations for basic | |
71 | + * functions such as strncasecmp(), etc. | |
72 | + * | |
73 | + * gcc will warn for defined but unused functions, so we only include the | |
74 | + * functions requested. The following macros are used: | |
75 | + * NF_NEED_STRNCASECMP nf_strncasecmp() | |
76 | + * NF_NEED_STRTOU16 nf_strtou16() | |
77 | + * NF_NEED_STRTOU32 nf_strtou32() | |
78 | + */ | |
79 | +#ifndef _NETFILTER_HELPERS_H | |
80 | +#define _NETFILTER_HELPERS_H | |
81 | + | |
82 | +/* Only include these functions for kernel code. */ | |
83 | +#ifdef __KERNEL__ | |
84 | + | |
85 | +#include <linux/ctype.h> | |
86 | +#define iseol(c) ( (c) == '\r' || (c) == '\n' ) | |
87 | + | |
88 | +/* | |
89 | + * The standard strncasecmp() | |
90 | + */ | |
91 | +#ifdef NF_NEED_STRNCASECMP | |
92 | +static int | |
93 | +nf_strncasecmp(const char* s1, const char* s2, u_int32_t len) | |
94 | +{ | |
95 | + if (s1 == NULL || s2 == NULL) | |
96 | + { | |
97 | + if (s1 == NULL && s2 == NULL) | |
98 | + { | |
99 | + return 0; | |
100 | + } | |
101 | + return (s1 == NULL) ? -1 : 1; | |
102 | + } | |
103 | + while (len > 0 && tolower(*s1) == tolower(*s2)) | |
104 | + { | |
105 | + len--; | |
106 | + s1++; | |
107 | + s2++; | |
108 | + } | |
109 | + return ( (len == 0) ? 0 : (tolower(*s1) - tolower(*s2)) ); | |
110 | +} | |
111 | +#endif /* NF_NEED_STRNCASECMP */ | |
112 | + | |
113 | +/* | |
114 | + * Parse a string containing a 16-bit unsigned integer. | |
115 | + * Returns the number of chars used, or zero if no number is found. | |
116 | + */ | |
117 | +#ifdef NF_NEED_STRTOU16 | |
118 | +static int | |
119 | +nf_strtou16(const char* pbuf, u_int16_t* pval) | |
120 | +{ | |
121 | + int n = 0; | |
122 | + | |
123 | + *pval = 0; | |
124 | + while (isdigit(pbuf[n])) | |
125 | + { | |
126 | + *pval = (*pval * 10) + (pbuf[n] - '0'); | |
127 | + n++; | |
128 | + } | |
129 | + | |
130 | + return n; | |
131 | +} | |
132 | +#endif /* NF_NEED_STRTOU16 */ | |
133 | + | |
134 | +/* | |
135 | + * Parse a string containing a 32-bit unsigned integer. | |
136 | + * Returns the number of chars used, or zero if no number is found. | |
137 | + */ | |
138 | +#ifdef NF_NEED_STRTOU32 | |
139 | +static int | |
140 | +nf_strtou32(const char* pbuf, u_int32_t* pval) | |
141 | +{ | |
142 | + int n = 0; | |
143 | + | |
144 | + *pval = 0; | |
145 | + while (pbuf[n] >= '0' && pbuf[n] <= '9') | |
146 | + { | |
147 | + *pval = (*pval * 10) + (pbuf[n] - '0'); | |
148 | + n++; | |
149 | + } | |
150 | + | |
151 | + return n; | |
152 | +} | |
153 | +#endif /* NF_NEED_STRTOU32 */ | |
154 | + | |
155 | +/* | |
156 | + * Given a buffer and length, advance to the next line and mark the current | |
157 | + * line. | |
158 | + */ | |
159 | +#ifdef NF_NEED_NEXTLINE | |
160 | +static int | |
161 | +nf_nextline(char* p, uint len, uint* poff, uint* plineoff, uint* plinelen) | |
162 | +{ | |
163 | + uint off = *poff; | |
164 | + uint physlen = 0; | |
165 | + | |
166 | + if (off >= len) | |
167 | + { | |
168 | + return 0; | |
169 | + } | |
170 | + | |
171 | + while (p[off] != '\n') | |
172 | + { | |
173 | + if (len-off <= 1) | |
174 | + { | |
175 | + return 0; | |
176 | + } | |
177 | + | |
178 | + physlen++; | |
179 | + off++; | |
180 | + } | |
181 | + | |
182 | + /* if we saw a crlf, physlen needs adjusted */ | |
183 | + if (physlen > 0 && p[off] == '\n' && p[off-1] == '\r') | |
184 | + { | |
185 | + physlen--; | |
186 | + } | |
187 | + | |
188 | + /* advance past the newline */ | |
189 | + off++; | |
190 | + | |
191 | + *plineoff = *poff; | |
192 | + *plinelen = physlen; | |
193 | + *poff = off; | |
194 | + | |
195 | + return 1; | |
196 | +} | |
197 | +#endif /* NF_NEED_NEXTLINE */ | |
198 | + | |
199 | +#endif /* __KERNEL__ */ | |
200 | + | |
201 | +#endif /* _NETFILTER_HELPERS_H */ | |
202 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack.h | |
203 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack.h 2004-04-28 03:36:37.000000000 +0200 | |
204 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack.h 2004-04-29 11:21:43.000000000 +0200 | |
205 | @@ -51,10 +51,12 @@ | |
206 | ||
207 | #include <linux/netfilter_ipv4/ip_conntrack_tcp.h> | |
208 | #include <linux/netfilter_ipv4/ip_conntrack_icmp.h> | |
209 | +#include <linux/netfilter_ipv4/ip_conntrack_sctp.h> | |
210 | ||
211 | /* per conntrack: protocol private data */ | |
212 | union ip_conntrack_proto { | |
213 | /* insert conntrack proto private data here */ | |
214 | + struct ip_ct_sctp sctp; | |
215 | struct ip_ct_tcp tcp; | |
216 | struct ip_ct_icmp icmp; | |
217 | }; | |
218 | @@ -64,6 +66,11 @@ | |
219 | }; | |
220 | ||
221 | /* Add protocol helper include file here */ | |
222 | +#include <linux/netfilter_ipv4/ip_conntrack_talk.h> | |
223 | +#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h> | |
224 | +#include <linux/netfilter_ipv4/ip_conntrack_rsh.h> | |
225 | +#include <linux/netfilter_ipv4/ip_conntrack_mms.h> | |
226 | +#include <linux/netfilter_ipv4/ip_conntrack_h323.h> | |
227 | #include <linux/netfilter_ipv4/ip_conntrack_amanda.h> | |
228 | #include <linux/netfilter_ipv4/ip_conntrack_ftp.h> | |
229 | #include <linux/netfilter_ipv4/ip_conntrack_irc.h> | |
230 | @@ -71,6 +78,11 @@ | |
231 | /* per expectation: application helper private data */ | |
232 | union ip_conntrack_expect_help { | |
233 | /* insert conntrack helper private data (expect) here */ | |
234 | + struct ip_ct_talk_expect exp_talk_info; | |
235 | + struct ip_ct_rtsp_expect exp_rtsp_info; | |
236 | + struct ip_ct_rsh_expect exp_rsh_info; | |
237 | + struct ip_ct_mms_expect exp_mms_info; | |
238 | + struct ip_ct_h225_expect exp_h225_info; | |
239 | struct ip_ct_amanda_expect exp_amanda_info; | |
240 | struct ip_ct_ftp_expect exp_ftp_info; | |
241 | struct ip_ct_irc_expect exp_irc_info; | |
242 | @@ -85,6 +97,11 @@ | |
243 | /* per conntrack: application helper private data */ | |
244 | union ip_conntrack_help { | |
245 | /* insert conntrack helper private data (master) here */ | |
246 | + struct ip_ct_talk_master ct_talk_info; | |
247 | + struct ip_ct_rtsp_master ct_rtsp_info; | |
248 | + struct ip_ct_rsh_master ct_rsh_info; | |
249 | + struct ip_ct_mms_master ct_mms_info; | |
250 | + struct ip_ct_h225_master ct_h225_info; | |
251 | struct ip_ct_ftp_master ct_ftp_info; | |
252 | struct ip_ct_irc_master ct_irc_info; | |
253 | }; | |
254 | @@ -207,6 +224,10 @@ | |
255 | } nat; | |
256 | #endif /* CONFIG_IP_NF_NAT_NEEDED */ | |
257 | ||
258 | +#if defined(CONFIG_IP_NF_CONNTRACK_MARK) | |
259 | + unsigned long mark; | |
260 | +#endif | |
261 | + | |
262 | }; | |
263 | ||
264 | /* get master conntrack via master expectation */ | |
384c1045 | 265 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_h323.h |
266 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100 | |
267 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2004-04-29 11:18:00.000000000 +0200 | |
268 | @@ -0,0 +1,31 @@ | |
269 | +#ifndef _IP_CONNTRACK_H323_H | |
270 | +#define _IP_CONNTRACK_H323_H | |
271 | +/* H.323 connection tracking. */ | |
272 | + | |
273 | +#ifdef __KERNEL__ | |
274 | +/* Protects H.323 related data */ | |
275 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
276 | +DECLARE_LOCK_EXTERN(ip_h323_lock); | |
277 | +#endif | |
278 | + | |
279 | +/* Default H.225 port */ | |
280 | +#define H225_PORT 1720 | |
281 | + | |
282 | +/* This structure is per expected connection */ | |
283 | +struct ip_ct_h225_expect { | |
284 | + u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */ | |
285 | + enum ip_conntrack_dir dir; /* Direction of the original connection */ | |
286 | + unsigned int offset; /* offset of the address in the payload */ | |
287 | +}; | |
288 | + | |
289 | +/* This structure exists only once per master */ | |
290 | +struct ip_ct_h225_master { | |
291 | + int is_h225; /* H.225 or H.245 connection */ | |
292 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
293 | + enum ip_conntrack_dir dir; /* Direction of the original connection */ | |
294 | + u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */ | |
295 | + unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */ | |
296 | +#endif | |
297 | +}; | |
298 | + | |
299 | +#endif /* _IP_CONNTRACK_H323_H */ | |
300 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_mms.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_mms.h | |
301 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100 | |
302 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2004-04-29 11:19:01.000000000 +0200 | |
303 | @@ -0,0 +1,31 @@ | |
304 | +#ifndef _IP_CONNTRACK_MMS_H | |
305 | +#define _IP_CONNTRACK_MMS_H | |
306 | +/* MMS tracking. */ | |
307 | + | |
308 | +#ifdef __KERNEL__ | |
309 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
310 | + | |
311 | +DECLARE_LOCK_EXTERN(ip_mms_lock); | |
312 | + | |
313 | +#define MMS_PORT 1755 | |
314 | +#define MMS_SRV_MSG_ID 196610 | |
315 | + | |
316 | +#define MMS_SRV_MSG_OFFSET 36 | |
317 | +#define MMS_SRV_UNICODE_STRING_OFFSET 60 | |
318 | +#define MMS_SRV_CHUNKLENLV_OFFSET 16 | |
319 | +#define MMS_SRV_CHUNKLENLM_OFFSET 32 | |
320 | +#define MMS_SRV_MESSAGELENGTH_OFFSET 8 | |
321 | +#endif | |
322 | + | |
323 | +/* This structure is per expected connection */ | |
324 | +struct ip_ct_mms_expect { | |
325 | + u_int32_t len; | |
326 | + u_int32_t padding; | |
327 | + u_int16_t port; | |
328 | +}; | |
329 | + | |
330 | +/* This structure exists only once per master */ | |
331 | +struct ip_ct_mms_master { | |
332 | +}; | |
333 | + | |
334 | +#endif /* _IP_CONNTRACK_MMS_H */ | |
335 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_quake3.h | |
336 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100 | |
337 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2004-04-29 11:19:53.000000000 +0200 | |
338 | @@ -0,0 +1,21 @@ | |
339 | +#ifndef _IP_CT_QUAKE3 | |
340 | +#define _IP_CT_QUAKE3 | |
341 | + | |
342 | +/* Don't confuse with 27960, often used as the Server Port */ | |
343 | +#define QUAKE3_MASTER_PORT 27950 | |
344 | + | |
345 | +struct quake3_search { | |
346 | + const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */ | |
347 | + const char *pattern; | |
348 | + size_t plen; | |
349 | +}; | |
350 | + | |
351 | +/* This structure is per expected connection */ | |
352 | +struct ip_ct_quake3_expect { | |
353 | +}; | |
354 | + | |
355 | +/* This structure exists only once per master */ | |
356 | +struct ip_ct_quake3_master { | |
357 | +}; | |
358 | + | |
359 | +#endif /* _IP_CT_QUAKE3 */ | |
360 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_rpc.h | |
361 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 1970-01-01 01:00:00.000000000 +0100 | |
362 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 2004-04-29 11:20:02.000000000 +0200 | |
363 | @@ -0,0 +1,68 @@ | |
364 | +/* RPC extension for IP connection tracking, Version 2.2 | |
365 | + * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> | |
366 | + * - original rpc tracking module | |
367 | + * - "recent" connection handling for kernel 2.3+ netfilter | |
368 | + * | |
369 | + * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au> | |
370 | + * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ | |
371 | + * | |
372 | + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
373 | + * - upgraded conntrack modules to newnat api - kernel 2.4.20+ | |
374 | + * - extended matching to support filtering on procedures | |
375 | + * | |
376 | + * ip_conntrack_rpc.h,v 2.2 2003/01/12 18:30:00 | |
377 | + * | |
378 | + * This program is free software; you can redistribute it and/or | |
379 | + * modify it under the terms of the GNU General Public License | |
380 | + * as published by the Free Software Foundation; either version | |
381 | + * 2 of the License, or (at your option) any later version. | |
382 | + ** | |
383 | + */ | |
384 | + | |
385 | +#include <asm/param.h> | |
386 | +#include <linux/sched.h> | |
387 | +#include <linux/timer.h> | |
388 | +#include <linux/stddef.h> | |
389 | +#include <linux/list.h> | |
390 | + | |
391 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
392 | + | |
393 | +#ifndef _IP_CONNTRACK_RPC_H | |
394 | +#define _IP_CONNTRACK_RPC_H | |
395 | + | |
396 | +#define RPC_PORT 111 | |
397 | + | |
398 | + | |
399 | +/* Datum in RPC packets are encoded in XDR */ | |
400 | +#define IXDR_GET_INT32(buf) ((u_int32_t) ntohl((uint32_t)*buf)) | |
401 | + | |
402 | +/* Fast timeout, to deny DoS atacks */ | |
403 | +#define EXP (60 * HZ) | |
404 | + | |
405 | +/* Normal timeouts */ | |
406 | +#define EXPIRES (180 * HZ) | |
407 | + | |
408 | +/* For future conections RPC, using client's cache bindings | |
409 | + * I'll use ip_conntrack_lock to lock these lists */ | |
410 | + | |
411 | +/* This identifies each request and stores protocol */ | |
412 | +struct request_p { | |
413 | + struct list_head list; | |
414 | + | |
415 | + u_int32_t xid; | |
416 | + u_int32_t ip; | |
417 | + u_int16_t port; | |
418 | + | |
419 | + /* Protocol */ | |
420 | + u_int16_t proto; | |
421 | + | |
422 | + struct timer_list timeout; | |
423 | +}; | |
424 | + | |
425 | +static inline int request_p_cmp(const struct request_p *p, u_int32_t xid, | |
426 | + u_int32_t ip, u_int32_t port) { | |
427 | + return (p->xid == xid && p->ip == ip && p->port); | |
428 | + | |
429 | +} | |
430 | + | |
431 | +#endif /* _IP_CONNTRACK_RPC_H */ | |
432 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_rsh.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_rsh.h | |
433 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_rsh.h 1970-01-01 01:00:00.000000000 +0100 | |
434 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_rsh.h 2004-04-29 11:20:06.000000000 +0200 | |
435 | @@ -0,0 +1,35 @@ | |
436 | +/* RSH extension for IP connection tracking, Version 1.0 | |
437 | + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
438 | + * based on HW's ip_conntrack_irc.c | |
439 | + * | |
440 | + * ip_conntrack_rsh.c,v 1.0 2002/07/17 14:49:26 | |
441 | + * | |
442 | + * This program is free software; you can redistribute it and/or | |
443 | + * modify it under the terms of the GNU General Public License | |
444 | + * as published by the Free Software Foundation; either version | |
445 | + * 2 of the License, or (at your option) any later version. | |
446 | + */ | |
447 | +#ifndef _IP_CONNTRACK_RSH_H | |
448 | +#define _IP_CONNTRACK_RSH_H | |
449 | + | |
450 | +#ifdef __KERNEL__ | |
451 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
452 | + | |
453 | +DECLARE_LOCK_EXTERN(ip_rsh_lock); | |
454 | +#endif | |
455 | + | |
456 | + | |
457 | +#define RSH_PORT 514 | |
458 | + | |
459 | +/* This structure is per expected connection */ | |
460 | +struct ip_ct_rsh_expect | |
461 | +{ | |
462 | + u_int16_t port; | |
463 | +}; | |
464 | + | |
465 | +/* This structure exists only once per master */ | |
466 | +struct ip_ct_rsh_master { | |
467 | +}; | |
468 | + | |
469 | +#endif /* _IP_CONNTRACK_RSH_H */ | |
470 | + | |
471 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h | |
472 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h 1970-01-01 01:00:00.000000000 +0100 | |
473 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h 2004-04-29 11:20:13.000000000 +0200 | |
474 | @@ -0,0 +1,68 @@ | |
475 | +/* | |
476 | + * RTSP extension for IP connection tracking. | |
477 | + * (C) 2003 by Tom Marshall <tmarshall@real.com> | |
478 | + * based on ip_conntrack_irc.h | |
479 | + * | |
480 | + * This program is free software; you can redistribute it and/or | |
481 | + * modify it under the terms of the GNU General Public License | |
482 | + * as published by the Free Software Foundation; either version | |
483 | + * 2 of the License, or (at your option) any later version. | |
484 | + */ | |
485 | +#ifndef _IP_CONNTRACK_RTSP_H | |
486 | +#define _IP_CONNTRACK_RTSP_H | |
487 | + | |
488 | +/* #define IP_NF_RTSP_DEBUG */ | |
489 | +#define IP_NF_RTSP_VERSION "0.01" | |
490 | + | |
491 | +/* port block types */ | |
492 | +typedef enum { | |
493 | + pb_single, /* client_port=x */ | |
494 | + pb_range, /* client_port=x-y */ | |
495 | + pb_discon /* client_port=x/y (rtspbis) */ | |
496 | +} portblock_t; | |
497 | + | |
498 | +/* We record seq number and length of rtsp headers here, all in host order. */ | |
499 | + | |
500 | +/* | |
501 | + * This structure is per expected connection. It is a member of struct | |
502 | + * ip_conntrack_expect. The TCP SEQ for the conntrack expect is stored | |
503 | + * there and we are expected to only store the length of the data which | |
504 | + * needs replaced. If a packet contains multiple RTSP messages, we create | |
505 | + * one expected connection per message. | |
506 | + * | |
507 | + * We use these variables to mark the entire header block. This may seem | |
508 | + * like overkill, but the nature of RTSP requires it. A header may appear | |
509 | + * multiple times in a message. We must treat two Transport headers the | |
510 | + * same as one Transport header with two entries. | |
511 | + */ | |
512 | +struct ip_ct_rtsp_expect | |
513 | +{ | |
514 | + u_int32_t len; /* length of header block */ | |
515 | + portblock_t pbtype; /* Type of port block that was requested */ | |
516 | + u_int16_t loport; /* Port that was requested, low or first */ | |
517 | + u_int16_t hiport; /* Port that was requested, high or second */ | |
518 | +#if 0 | |
519 | + uint method; /* RTSP method */ | |
520 | + uint cseq; /* CSeq from request */ | |
521 | +#endif | |
522 | +}; | |
523 | + | |
524 | +/* This structure exists only once per master */ | |
525 | +struct ip_ct_rtsp_master | |
526 | +{ | |
527 | + /* Empty (?) */ | |
528 | +}; | |
529 | + | |
530 | + | |
531 | +#ifdef __KERNEL__ | |
532 | + | |
533 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
534 | + | |
535 | +#define RTSP_PORT 554 | |
536 | + | |
537 | +/* Protects rtsp part of conntracks */ | |
538 | +DECLARE_LOCK_EXTERN(ip_rtsp_lock); | |
539 | + | |
540 | +#endif /* __KERNEL__ */ | |
541 | + | |
542 | +#endif /* _IP_CONNTRACK_RTSP_H */ | |
543 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_sctp.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_sctp.h | |
544 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100 | |
545 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_sctp.h 2004-04-29 11:20:17.000000000 +0200 | |
546 | @@ -0,0 +1,25 @@ | |
547 | +#ifndef _IP_CONNTRACK_SCTP_H | |
548 | +#define _IP_CONNTRACK_SCTP_H | |
549 | +/* SCTP tracking. */ | |
550 | + | |
551 | +enum sctp_conntrack { | |
552 | + SCTP_CONNTRACK_NONE, | |
553 | + SCTP_CONNTRACK_CLOSED, | |
554 | + SCTP_CONNTRACK_COOKIE_WAIT, | |
555 | + SCTP_CONNTRACK_COOKIE_ECHOED, | |
556 | + SCTP_CONNTRACK_ESTABLISHED, | |
557 | + SCTP_CONNTRACK_SHUTDOWN_SENT, | |
558 | + SCTP_CONNTRACK_SHUTDOWN_RECD, | |
559 | + SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, | |
560 | + SCTP_CONNTRACK_MAX | |
561 | +}; | |
562 | + | |
563 | +struct ip_ct_sctp | |
564 | +{ | |
565 | + enum sctp_conntrack state; | |
566 | + | |
567 | + u_int32_t vtag[IP_CT_DIR_MAX]; | |
568 | + u_int32_t ttag[IP_CT_DIR_MAX]; | |
569 | +}; | |
570 | + | |
571 | +#endif /* _IP_CONNTRACK_SCTP_H */ | |
572 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_talk.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_talk.h | |
573 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_talk.h 1970-01-01 01:00:00.000000000 +0100 | |
574 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_talk.h 2004-04-29 11:21:43.000000000 +0200 | |
575 | @@ -0,0 +1,152 @@ | |
576 | +#ifndef _IP_CONNTRACK_TALK_H | |
577 | +#define _IP_CONNTRACK_TALK_H | |
578 | +/* TALK tracking. */ | |
579 | + | |
580 | +#ifdef __KERNEL__ | |
581 | +#include <linux/in.h> | |
582 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
583 | + | |
584 | +/* Protects talk part of conntracks */ | |
585 | +DECLARE_LOCK_EXTERN(ip_talk_lock); | |
586 | +#endif | |
587 | + | |
588 | + | |
589 | +#define TALK_PORT 517 | |
590 | +#define NTALK_PORT 518 | |
591 | + | |
592 | +/* talk structures and constants from <protocols/talkd.h> */ | |
593 | + | |
594 | +/* | |
595 | + * 4.3BSD struct sockaddr | |
596 | + */ | |
597 | +struct talk_addr { | |
598 | + u_int16_t ta_family; | |
599 | + u_int16_t ta_port; | |
600 | + u_int32_t ta_addr; | |
601 | + u_int32_t ta_junk1; | |
602 | + u_int32_t ta_junk2; | |
603 | +}; | |
604 | + | |
605 | +#define TALK_OLD_NSIZE 9 | |
606 | +#define TALK_NSIZE 12 | |
607 | +#define TALK_TTY_NSIZE 16 | |
608 | + | |
609 | +/* | |
610 | + * Client->server request message formats. | |
611 | + */ | |
612 | +struct talk_msg { | |
613 | + u_char type; /* request type, see below */ | |
614 | + char l_name[TALK_OLD_NSIZE];/* caller's name */ | |
615 | + char r_name[TALK_OLD_NSIZE];/* callee's name */ | |
616 | + u_char pad; | |
617 | + u_int32_t id_num; /* message id */ | |
618 | + int32_t pid; /* caller's process id */ | |
619 | + char r_tty[TALK_TTY_NSIZE];/* callee's tty name */ | |
620 | + struct talk_addr addr; /* old (4.3) style */ | |
621 | + struct talk_addr ctl_addr; /* old (4.3) style */ | |
622 | +}; | |
623 | + | |
624 | +struct ntalk_msg { | |
625 | + u_char vers; /* protocol version */ | |
626 | + u_char type; /* request type, see below */ | |
627 | + u_char answer; /* not used */ | |
628 | + u_char pad; | |
629 | + u_int32_t id_num; /* message id */ | |
630 | + struct talk_addr addr; /* old (4.3) style */ | |
631 | + struct talk_addr ctl_addr; /* old (4.3) style */ | |
632 | + int32_t pid; /* caller's process id */ | |
633 | + char l_name[TALK_NSIZE];/* caller's name */ | |
634 | + char r_name[TALK_NSIZE];/* callee's name */ | |
635 | + char r_tty[TALK_TTY_NSIZE];/* callee's tty name */ | |
636 | +}; | |
637 | + | |
638 | +struct ntalk2_msg { | |
639 | + u_char vers; /* talk protocol version */ | |
640 | + u_char type; /* request type */ | |
641 | + u_char answer; /* */ | |
642 | + u_char extended; /* !0 if additional parts */ | |
643 | + u_int32_t id_num; /* message id number (dels) */ | |
644 | + struct talk_addr addr; /* target address */ | |
645 | + struct talk_addr ctl_addr; /* reply to address */ | |
646 | + int32_t pid; /* caller's process id */ | |
647 | + char l_name[TALK_NSIZE]; /* caller's name */ | |
648 | + char r_name[TALK_NSIZE]; /* callee's name */ | |
649 | + char r_tty[TALK_TTY_NSIZE]; /* callee's tty */ | |
650 | +}; | |
651 | + | |
652 | +/* | |
653 | + * Server->client response message formats. | |
654 | + */ | |
655 | +struct talk_response { | |
656 | + u_char type; /* type of request message, see below */ | |
657 | + u_char answer; /* response to request message, see below */ | |
658 | + u_char pad[2]; | |
659 | + u_int32_t id_num; /* message id */ | |
660 | + struct talk_addr addr; /* address for establishing conversation */ | |
661 | +}; | |
662 | + | |
663 | +struct ntalk_response { | |
664 | + u_char vers; /* protocol version */ | |
665 | + u_char type; /* type of request message, see below */ | |
666 | + u_char answer; /* response to request message, see below */ | |
667 | + u_char pad; | |
668 | + u_int32_t id_num; /* message id */ | |
669 | + struct talk_addr addr; /* address for establishing conversation */ | |
670 | +}; | |
671 | + | |
672 | +struct ntalk2_response { | |
673 | + u_char vers; /* protocol version */ | |
674 | + u_char type; /* type of request message */ | |
675 | + u_char answer; /* response to request */ | |
676 | + u_char rvers; /* Version of answering vers*/ | |
677 | + u_int32_t id_num; /* message id number */ | |
678 | + struct talk_addr addr; /* address for connection */ | |
679 | + /* This is at the end to compatiblize this with NTALK version. */ | |
680 | + char r_name[TALK_NSIZE]; /* callee's name */ | |
681 | +}; | |
682 | + | |
683 | +#define TALK_STR(data, talk_str, member) ((struct talk_str *)data)->member) | |
684 | +#define TALK_RESP(data, ver, member) (ver ? ((struct ntalk_response *)data)->member : ((struct talk_response *)data)->member) | |
685 | +#define TALK_MSG(data, ver, member) (ver ? ((struct ntalk_msg *)data)->member : ((struct talk_msg *)data)->member) | |
686 | + | |
687 | +#define TALK_VERSION 0 /* protocol versions */ | |
688 | +#define NTALK_VERSION 1 | |
689 | +#define NTALK2_VERSION 2 | |
690 | + | |
691 | +/* message type values */ | |
692 | +#define LEAVE_INVITE 0 /* leave invitation with server */ | |
693 | +#define LOOK_UP 1 /* check for invitation by callee */ | |
694 | +#define DELETE 2 /* delete invitation by caller */ | |
695 | +#define ANNOUNCE 3 /* announce invitation by caller */ | |
696 | +/* NTALK2 */ | |
697 | +#define REPLY_QUERY 4 /* request reply data from local daemon */ | |
698 | + | |
699 | +/* answer values */ | |
700 | +#define SUCCESS 0 /* operation completed properly */ | |
701 | +#define NOT_HERE 1 /* callee not logged in */ | |
702 | +#define FAILED 2 /* operation failed for unexplained reason */ | |
703 | +#define MACHINE_UNKNOWN 3 /* caller's machine name unknown */ | |
704 | +#define PERMISSION_DENIED 4 /* callee's tty doesn't permit announce */ | |
705 | +#define UNKNOWN_REQUEST 5 /* request has invalid type value */ | |
706 | +#define BADVERSION 6 /* request has invalid protocol version */ | |
707 | +#define BADADDR 7 /* request has invalid addr value */ | |
708 | +#define BADCTLADDR 8 /* request has invalid ctl_addr value */ | |
709 | +/* NTALK2 */ | |
710 | +#define NO_CALLER 9 /* no-one calling answer from REPLY */ | |
711 | +#define TRY_HERE 10 /* Not on this machine, try this */ | |
712 | +#define SELECTIVE_REFUSAL 11 /* User Filter refusal. */ | |
713 | +#define MAX_RESPONSE_TYPE 11 /* Make sure this is updated */ | |
714 | + | |
715 | +/* We don't really need much for talk */ | |
716 | +struct ip_ct_talk_expect | |
717 | +{ | |
718 | + /* Port that was to be used */ | |
719 | + u_int16_t port; | |
720 | +}; | |
721 | + | |
722 | +/* This structure exists only once per master */ | |
723 | +struct ip_ct_talk_master | |
724 | +{ | |
725 | +}; | |
726 | + | |
727 | +#endif /* _IP_CONNTRACK_TALK_H */ | |
728 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_tuple.h | |
729 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-28 03:36:22.000000000 +0200 | |
730 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-29 11:20:17.000000000 +0200 | |
731 | @@ -25,6 +25,9 @@ | |
732 | struct { | |
733 | u_int16_t id; | |
734 | } icmp; | |
735 | + struct { | |
736 | + u_int16_t port; | |
737 | + } sctp; | |
738 | }; | |
739 | ||
740 | /* The manipulable part of the tuple. */ | |
741 | @@ -55,6 +58,9 @@ | |
742 | struct { | |
743 | u_int8_t type, code; | |
744 | } icmp; | |
745 | + struct { | |
746 | + u_int16_t port; | |
747 | + } sctp; | |
748 | } u; | |
749 | ||
750 | /* The protocol. */ | |
751 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_tables.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_tables.h | |
752 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ip_tables.h 2004-04-28 03:35:48.000000000 +0200 | |
753 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ip_tables.h 2004-04-29 11:17:15.000000000 +0200 | |
754 | @@ -134,6 +134,12 @@ | |
755 | /* Back pointer */ | |
756 | unsigned int comefrom; | |
757 | ||
758 | + /* Name of the chain */ | |
759 | + char *chainname; | |
760 | + | |
761 | + /* Rule number in the chain. */ | |
762 | + u_int32_t rulenum; | |
763 | + | |
764 | /* Packet and byte counters. */ | |
765 | struct ipt_counters counters; | |
766 | ||
767 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h | |
768 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h 1970-01-01 01:00:00.000000000 +0100 | |
769 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-04-29 11:10:59.000000000 +0200 | |
770 | @@ -0,0 +1,25 @@ | |
771 | +#ifndef _IPT_CONNMARK_H_target | |
772 | +#define _IPT_CONNMARK_H_target | |
773 | + | |
774 | +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | |
775 | + * by Henrik Nordstrom <hno@marasystems.com> | |
776 | + * | |
777 | + * This program is free software; you can redistribute it and/or modify | |
778 | + * it under the terms of the GNU General Public License as published by | |
779 | + * the Free Software Foundation; either version 2 of the License, or | |
780 | + * (at your option) any later version. | |
781 | + */ | |
782 | + | |
783 | +enum { | |
784 | + IPT_CONNMARK_SET = 0, | |
785 | + IPT_CONNMARK_SAVE, | |
786 | + IPT_CONNMARK_RESTORE | |
787 | +}; | |
788 | + | |
789 | +struct ipt_connmark_target_info { | |
790 | + unsigned long mark; | |
791 | + unsigned long mask; | |
792 | + u_int8_t mode; | |
793 | +}; | |
794 | + | |
795 | +#endif /*_IPT_CONNMARK_H_target*/ | |
796 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_IPMARK.h | |
797 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100 | |
798 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_IPMARK.h 2004-04-29 11:17:03.000000000 +0200 | |
799 | @@ -0,0 +1,13 @@ | |
800 | +#ifndef _IPT_IPMARK_H_target | |
801 | +#define _IPT_IPMARK_H_target | |
802 | + | |
803 | +struct ipt_ipmark_target_info { | |
804 | + unsigned long andmask; | |
805 | + unsigned long ormask; | |
806 | + unsigned int addr; | |
807 | +}; | |
808 | + | |
809 | +#define IPT_IPMARK_SRC 0 | |
810 | +#define IPT_IPMARK_DST 1 | |
811 | + | |
812 | +#endif /*_IPT_IPMARK_H_target*/ | |
813 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_XOR.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_XOR.h | |
814 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100 | |
815 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_XOR.h 2004-04-29 11:17:18.000000000 +0200 | |
816 | @@ -0,0 +1,9 @@ | |
817 | +#ifndef _IPT_XOR_H | |
818 | +#define _IPT_XOR_H | |
819 | + | |
820 | +struct ipt_XOR_info { | |
821 | + char key[30]; | |
822 | + u_int8_t block_size; | |
823 | +}; | |
824 | + | |
825 | +#endif /* _IPT_XOR_H */ | |
826 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_addrtype.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_addrtype.h | |
827 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_addrtype.h 1970-01-01 01:00:00.000000000 +0100 | |
828 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_addrtype.h 2004-04-29 11:17:23.000000000 +0200 | |
829 | @@ -0,0 +1,11 @@ | |
830 | +#ifndef _IPT_ADDRTYPE_H | |
831 | +#define _IPT_ADDRTYPE_H | |
832 | + | |
833 | +struct ipt_addrtype_info { | |
834 | + u_int16_t source; /* source-type mask */ | |
835 | + u_int16_t dest; /* dest-type mask */ | |
836 | + int invert_source; | |
837 | + int invert_dest; | |
838 | +}; | |
839 | + | |
840 | +#endif | |
841 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_connmark.h | |
842 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_connmark.h 1970-01-01 01:00:00.000000000 +0100 | |
843 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_connmark.h 2004-04-29 11:10:59.000000000 +0200 | |
844 | @@ -0,0 +1,18 @@ | |
845 | +#ifndef _IPT_CONNMARK_H | |
846 | +#define _IPT_CONNMARK_H | |
847 | + | |
848 | +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | |
849 | + * by Henrik Nordstrom <hno@marasystems.com> | |
850 | + * | |
851 | + * This program is free software; you can redistribute it and/or modify | |
852 | + * it under the terms of the GNU General Public License as published by | |
853 | + * the Free Software Foundation; either version 2 of the License, or | |
854 | + * (at your option) any later version. | |
855 | + */ | |
856 | + | |
857 | +struct ipt_connmark_info { | |
858 | + unsigned long mark, mask; | |
859 | + u_int8_t invert; | |
860 | +}; | |
861 | + | |
862 | +#endif /*_IPT_CONNMARK_H*/ | |
863 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_policy.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_policy.h | |
864 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100 | |
865 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_policy.h 2004-04-29 11:19:41.000000000 +0200 | |
866 | @@ -0,0 +1,52 @@ | |
867 | +#ifndef _IPT_POLICY_H | |
868 | +#define _IPT_POLICY_H | |
869 | + | |
870 | +#define POLICY_MAX_ELEM 4 | |
871 | + | |
872 | +enum ipt_policy_flags | |
873 | +{ | |
874 | + POLICY_MATCH_IN = 0x1, | |
875 | + POLICY_MATCH_OUT = 0x2, | |
876 | + POLICY_MATCH_NONE = 0x4, | |
877 | + POLICY_MATCH_STRICT = 0x8, | |
878 | +}; | |
879 | + | |
880 | +enum ipt_policy_modes | |
881 | +{ | |
882 | + POLICY_MODE_TRANSPORT, | |
883 | + POLICY_MODE_TUNNEL | |
884 | +}; | |
885 | + | |
886 | +struct ipt_policy_spec | |
887 | +{ | |
888 | + u_int8_t saddr:1, | |
889 | + daddr:1, | |
890 | + proto:1, | |
891 | + mode:1, | |
892 | + spi:1, | |
893 | + reqid:1; | |
894 | +}; | |
895 | + | |
896 | +struct ipt_policy_elem | |
897 | +{ | |
898 | + u_int32_t saddr; | |
899 | + u_int32_t smask; | |
900 | + u_int32_t daddr; | |
901 | + u_int32_t dmask; | |
902 | + u_int32_t spi; | |
903 | + u_int32_t reqid; | |
904 | + u_int8_t proto; | |
905 | + u_int8_t mode; | |
906 | + | |
907 | + struct ipt_policy_spec match; | |
908 | + struct ipt_policy_spec invert; | |
909 | +}; | |
910 | + | |
911 | +struct ipt_policy_info | |
912 | +{ | |
913 | + struct ipt_policy_elem pol[POLICY_MAX_ELEM]; | |
914 | + u_int16_t flags; | |
915 | + u_int16_t len; | |
916 | +}; | |
917 | + | |
918 | +#endif /* _IPT_POLICY_H */ | |
919 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_rpc.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_rpc.h | |
920 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_rpc.h 1970-01-01 01:00:00.000000000 +0100 | |
921 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_rpc.h 2004-04-29 11:20:02.000000000 +0200 | |
922 | @@ -0,0 +1,35 @@ | |
923 | +/* RPC extension for IP netfilter matching, Version 2.2 | |
924 | + * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> | |
925 | + * - original rpc tracking module | |
926 | + * - "recent" connection handling for kernel 2.3+ netfilter | |
927 | + * | |
928 | + * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au> | |
929 | + * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ | |
930 | + * | |
931 | + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
932 | + * - upgraded conntrack modules to newnat api - kernel 2.4.20+ | |
933 | + * - extended matching to support filtering on procedures | |
934 | + * | |
935 | + * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00 | |
936 | + * | |
937 | + * This program is free software; you can redistribute it and/or | |
938 | + * modify it under the terms of the GNU General Public License | |
939 | + * as published by the Free Software Foundation; either version | |
940 | + * 2 of the License, or (at your option) any later version. | |
941 | + ** | |
942 | + */ | |
943 | + | |
944 | +#ifndef _IPT_RPC_H | |
945 | +#define _IPT_RPC_H | |
946 | + | |
947 | +struct ipt_rpc_data; | |
948 | + | |
949 | +struct ipt_rpc_info { | |
950 | + int inverse; | |
951 | + int strict; | |
952 | + const char c_procs[1408]; | |
953 | + int i_procs; | |
954 | + struct ipt_rpc_data *data; | |
955 | +}; | |
956 | + | |
957 | +#endif /* _IPT_RPC_H */ | |
958 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_string.h linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_string.h | |
959 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100 | |
960 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4/ipt_string.h 2004-04-29 11:21:38.000000000 +0200 | |
961 | @@ -0,0 +1,21 @@ | |
962 | +#ifndef _IPT_STRING_H | |
963 | +#define _IPT_STRING_H | |
964 | + | |
965 | +/* *** PERFORMANCE TWEAK *** | |
966 | + * Packet size and search string threshold, | |
967 | + * above which sublinear searches is used. */ | |
968 | +#define IPT_STRING_HAYSTACK_THRESH 100 | |
969 | +#define IPT_STRING_NEEDLE_THRESH 20 | |
970 | + | |
971 | +#define BM_MAX_NLEN 256 | |
972 | +#define BM_MAX_HLEN 1024 | |
973 | + | |
974 | +typedef char *(*proc_ipt_search) (char *, char *, int, int); | |
975 | + | |
976 | +struct ipt_string_info { | |
977 | + char string[BM_MAX_NLEN]; | |
978 | + u_int16_t invert; | |
979 | + u_int16_t len; | |
980 | +}; | |
981 | + | |
982 | +#endif /* _IPT_STRING_H */ | |
983 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv4.h linux-2.6.6-rc3/include/linux/netfilter_ipv4.h | |
984 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv4.h 2004-04-28 03:36:31.000000000 +0200 | |
985 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv4.h 2004-04-29 11:18:03.000000000 +0200 | |
986 | @@ -7,6 +7,8 @@ | |
987 | ||
988 | #include <linux/config.h> | |
989 | #include <linux/netfilter.h> | |
990 | +#include <linux/netdevice.h> | |
991 | +#include <net/protocol.h> | |
992 | ||
993 | /* IP Cache bits. */ | |
994 | /* Src IP address. */ | |
995 | @@ -85,6 +87,58 @@ | |
996 | Returns true or false. */ | |
997 | extern int skb_ip_make_writable(struct sk_buff **pskb, | |
998 | unsigned int writable_len); | |
999 | + | |
1000 | +#if defined(CONFIG_XFRM) && defined(CONFIG_NETFILTER) | |
1001 | +#include <net/route.h> | |
1002 | +#include <net/xfrm.h> | |
1003 | + | |
1004 | +static inline int nf_hook_input_cond(struct sk_buff *skb) | |
1005 | +{ | |
1006 | + return !skb->sp || skb->sp->decap_done; | |
1007 | +} | |
1008 | + | |
1009 | +static inline int | |
1010 | +nf_xfrm_local_done(struct sk_buff *skb, struct inet_protocol *ipprot) | |
1011 | +{ | |
1012 | + return skb->sp && !skb->sp->decap_done | |
1013 | + && (!ipprot || !ipprot->xfrm_prot); | |
1014 | +} | |
1015 | + | |
1016 | +static inline int nf_xfrm_nonlocal_done(struct sk_buff *skb) | |
1017 | +{ | |
1018 | + return skb->sp && !skb->sp->decap_done | |
1019 | + && !(((struct rtable *)skb->dst)->rt_flags&RTCF_LOCAL); | |
1020 | +} | |
1021 | + | |
1022 | +extern int nf_rcv_postxfrm_local(struct sk_buff *skb); | |
1023 | +extern int nf_rcv_postxfrm_nonlocal(struct sk_buff *skb); | |
1024 | +#else /* CONFIG_XFRM */ | |
1025 | +static inline int nf_hook_input_cond(struct sk_buff *skb) | |
1026 | +{ | |
1027 | + return 1; | |
1028 | +} | |
1029 | + | |
1030 | +static inline int | |
1031 | +nf_xfrm_local_done(struct sk_buff *skb, struct inet_protocol *ipprot) | |
1032 | +{ | |
1033 | + return 0; | |
1034 | +} | |
1035 | + | |
1036 | +static inline int nf_xfrm_nonlocal_done(struct sk_buff *skb) | |
1037 | +{ | |
1038 | + return 0; | |
1039 | +} | |
1040 | + | |
1041 | +static inline int nf_rcv_postxfrm_local(struct sk_buff *skb) | |
1042 | +{ | |
1043 | + return 0; | |
1044 | +} | |
1045 | + | |
1046 | +static inline int nf_rcv_postxfrm_nonlocal(struct sk_buff *skb) | |
1047 | +{ | |
1048 | + return 0; | |
1049 | +} | |
1050 | +#endif /* CONFIG_XFRM */ | |
1051 | #endif /*__KERNEL__*/ | |
1052 | ||
1053 | #endif /*__LINUX_IP_NETFILTER_H*/ | |
1054 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv6/ip6_tables.h linux-2.6.6-rc3/include/linux/netfilter_ipv6/ip6_tables.h | |
1055 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv6/ip6_tables.h 2004-04-28 03:36:37.000000000 +0200 | |
1056 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv6/ip6_tables.h 2004-04-29 11:17:15.000000000 +0200 | |
1057 | @@ -140,6 +140,12 @@ | |
1058 | /* Back pointer */ | |
1059 | unsigned int comefrom; | |
1060 | ||
1061 | + /* Name of the chain */ | |
1062 | + char *chainname; | |
1063 | + | |
1064 | + /* Rule number in the chain. */ | |
1065 | + u_int32_t rulenum; | |
1066 | + | |
1067 | /* Packet and byte counters. */ | |
1068 | struct ip6t_counters counters; | |
1069 | ||
1070 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv6/ip6t_owner.h linux-2.6.6-rc3/include/linux/netfilter_ipv6/ip6t_owner.h | |
1071 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv6/ip6t_owner.h 2004-04-28 03:36:03.000000000 +0200 | |
1072 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv6/ip6t_owner.h 2004-04-29 11:19:40.000000000 +0200 | |
1073 | @@ -6,12 +6,14 @@ | |
1074 | #define IP6T_OWNER_GID 0x02 | |
1075 | #define IP6T_OWNER_PID 0x04 | |
1076 | #define IP6T_OWNER_SID 0x08 | |
1077 | +#define IP6T_OWNER_COMM 0x10 | |
1078 | ||
1079 | struct ip6t_owner_info { | |
1080 | uid_t uid; | |
1081 | gid_t gid; | |
1082 | pid_t pid; | |
1083 | pid_t sid; | |
1084 | + char comm[16]; | |
1085 | u_int8_t match, invert; /* flags */ | |
1086 | }; | |
1087 | ||
1088 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_ipv6/ip6t_policy.h linux-2.6.6-rc3/include/linux/netfilter_ipv6/ip6t_policy.h | |
1089 | --- linux-2.6.6-rc3.org/include/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100 | |
1090 | +++ linux-2.6.6-rc3/include/linux/netfilter_ipv6/ip6t_policy.h 2004-04-29 11:19:41.000000000 +0200 | |
1091 | @@ -0,0 +1,52 @@ | |
1092 | +#ifndef _IP6T_POLICY_H\r | |
1093 | +#define _IP6T_POLICY_H\r | |
1094 | +\r | |
1095 | +#define POLICY_MAX_ELEM 4\r | |
1096 | +\r | |
1097 | +enum ip6t_policy_flags\r | |
1098 | +{\r | |
1099 | + POLICY_MATCH_IN = 0x1,\r | |
1100 | + POLICY_MATCH_OUT = 0x2,\r | |
1101 | + POLICY_MATCH_NONE = 0x4,\r | |
1102 | + POLICY_MATCH_STRICT = 0x8,\r | |
1103 | +};\r | |
1104 | +\r | |
1105 | +enum ip6t_policy_modes\r | |
1106 | +{\r | |
1107 | + POLICY_MODE_TRANSPORT,\r | |
1108 | + POLICY_MODE_TUNNEL\r | |
1109 | +};\r | |
1110 | +\r | |
1111 | +struct ip6t_policy_spec\r | |
1112 | +{\r | |
1113 | + u_int8_t saddr:1,\r | |
1114 | + daddr:1,\r | |
1115 | + proto:1,\r | |
1116 | + mode:1,\r | |
1117 | + spi:1,\r | |
1118 | + reqid:1;\r | |
1119 | +};\r | |
1120 | +\r | |
1121 | +struct ip6t_policy_elem\r | |
1122 | +{\r | |
1123 | + struct in6_addr saddr;\r | |
1124 | + struct in6_addr smask;\r | |
1125 | + struct in6_addr daddr;\r | |
1126 | + struct in6_addr dmask;\r | |
1127 | + u_int32_t spi;\r | |
1128 | + u_int32_t reqid;\r | |
1129 | + u_int8_t proto;\r | |
1130 | + u_int8_t mode;\r | |
1131 | +\r | |
1132 | + struct ip6t_policy_spec match;\r | |
1133 | + struct ip6t_policy_spec invert;\r | |
1134 | +};\r | |
1135 | +\r | |
1136 | +struct ip6t_policy_info\r | |
1137 | +{\r | |
1138 | + struct ip6t_policy_elem pol[POLICY_MAX_ELEM];\r | |
1139 | + u_int16_t flags;\r | |
1140 | + u_int16_t len;\r | |
1141 | +};\r | |
1142 | +\r | |
1143 | +#endif /* _IP6T_POLICY_H */\r | |
1144 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/linux/netfilter_mime.h linux-2.6.6-rc3/include/linux/netfilter_mime.h | |
1145 | --- linux-2.6.6-rc3.org/include/linux/netfilter_mime.h 1970-01-01 01:00:00.000000000 +0100 | |
1146 | +++ linux-2.6.6-rc3/include/linux/netfilter_mime.h 2004-04-29 11:20:13.000000000 +0200 | |
1147 | @@ -0,0 +1,89 @@ | |
1148 | +/* | |
1149 | + * MIME functions for netfilter modules. This file provides implementations | |
1150 | + * for basic MIME parsing. MIME headers are used in many protocols, such as | |
1151 | + * HTTP, RTSP, SIP, etc. | |
1152 | + * | |
1153 | + * gcc will warn for defined but unused functions, so we only include the | |
1154 | + * functions requested. The following macros are used: | |
1155 | + * NF_NEED_MIME_NEXTLINE nf_mime_nextline() | |
1156 | + */ | |
1157 | +#ifndef _NETFILTER_MIME_H | |
1158 | +#define _NETFILTER_MIME_H | |
1159 | + | |
1160 | +/* Only include these functions for kernel code. */ | |
1161 | +#ifdef __KERNEL__ | |
1162 | + | |
1163 | +#include <linux/ctype.h> | |
1164 | + | |
1165 | +/* | |
1166 | + * Given a buffer and length, advance to the next line and mark the current | |
1167 | + * line. If the current line is empty, *plinelen will be set to zero. If | |
1168 | + * not, it will be set to the actual line length (including CRLF). | |
1169 | + * | |
1170 | + * 'line' in this context means logical line (includes LWS continuations). | |
1171 | + * Returns 1 on success, 0 on failure. | |
1172 | + */ | |
1173 | +#ifdef NF_NEED_MIME_NEXTLINE | |
1174 | +static int | |
1175 | +nf_mime_nextline(char* p, uint len, uint* poff, uint* plineoff, uint* plinelen) | |
1176 | +{ | |
1177 | + uint off = *poff; | |
1178 | + uint physlen = 0; | |
1179 | + int is_first_line = 1; | |
1180 | + | |
1181 | + if (off >= len) | |
1182 | + { | |
1183 | + return 0; | |
1184 | + } | |
1185 | + | |
1186 | + do | |
1187 | + { | |
1188 | + while (p[off] != '\n') | |
1189 | + { | |
1190 | + if (len-off <= 1) | |
1191 | + { | |
1192 | + return 0; | |
1193 | + } | |
1194 | + | |
1195 | + physlen++; | |
1196 | + off++; | |
1197 | + } | |
1198 | + | |
1199 | + /* if we saw a crlf, physlen needs adjusted */ | |
1200 | + if (physlen > 0 && p[off] == '\n' && p[off-1] == '\r') | |
1201 | + { | |
1202 | + physlen--; | |
1203 | + } | |
1204 | + | |
1205 | + /* advance past the newline */ | |
1206 | + off++; | |
1207 | + | |
1208 | + /* check for an empty line */ | |
1209 | + if (physlen == 0) | |
1210 | + { | |
1211 | + break; | |
1212 | + } | |
1213 | + | |
1214 | + /* check for colon on the first physical line */ | |
1215 | + if (is_first_line) | |
1216 | + { | |
1217 | + is_first_line = 0; | |
1218 | + if (memchr(p+(*poff), ':', physlen) == NULL) | |
1219 | + { | |
1220 | + return 0; | |
1221 | + } | |
1222 | + } | |
1223 | + } | |
1224 | + while (p[off] == ' ' || p[off] == '\t'); | |
1225 | + | |
1226 | + *plineoff = *poff; | |
1227 | + *plinelen = (physlen == 0) ? 0 : (off - *poff); | |
1228 | + *poff = off; | |
1229 | + | |
1230 | + return 1; | |
1231 | +} | |
1232 | +#endif /* NF_NEED_MIME_NEXTLINE */ | |
1233 | + | |
1234 | +#endif /* __KERNEL__ */ | |
1235 | + | |
1236 | +#endif /* _NETFILTER_MIME_H */ | |
1237 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/net/ip.h linux-2.6.6-rc3/include/net/ip.h | |
1238 | --- linux-2.6.6-rc3.org/include/net/ip.h 2004-04-28 03:36:16.000000000 +0200 | |
1239 | +++ linux-2.6.6-rc3/include/net/ip.h 2004-04-29 11:18:02.000000000 +0200 | |
1240 | @@ -30,6 +30,8 @@ | |
1241 | #include <linux/netdevice.h> | |
1242 | #include <linux/inetdevice.h> | |
1243 | #include <linux/in_route.h> | |
1244 | +#include <linux/netfilter.h> | |
1245 | +#include <linux/netfilter_ipv4.h> | |
1246 | #include <net/route.h> | |
1247 | #include <net/arp.h> | |
1248 | ||
1249 | @@ -48,6 +50,7 @@ | |
1250 | #define IPSKB_TRANSLATED 2 | |
1251 | #define IPSKB_FORWARDED 4 | |
1252 | #define IPSKB_XFRM_TUNNEL_SIZE 8 | |
1253 | +#define IPSKB_XFRM_TRANSFORMED 16 | |
1254 | }; | |
1255 | ||
1256 | struct ipcm_cookie | |
1257 | @@ -212,6 +215,12 @@ | |
1258 | __ip_select_ident(iph, dst, more); | |
1259 | } | |
1260 | ||
1261 | +extern inline int ip_dst_output(struct sk_buff *skb) | |
1262 | +{ | |
1263 | + return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, | |
1264 | + skb->dst->dev, dst_output, skb->dst->xfrm != NULL); | |
1265 | +} | |
1266 | + | |
1267 | /* | |
1268 | * Map a multicast IP onto multicast MAC for type ethernet. | |
1269 | */ | |
1270 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/net/protocol.h linux-2.6.6-rc3/include/net/protocol.h | |
1271 | --- linux-2.6.6-rc3.org/include/net/protocol.h 2004-04-28 03:35:44.000000000 +0200 | |
1272 | +++ linux-2.6.6-rc3/include/net/protocol.h 2004-04-29 11:18:03.000000000 +0200 | |
1273 | @@ -39,6 +39,7 @@ | |
1274 | int (*handler)(struct sk_buff *skb); | |
1275 | void (*err_handler)(struct sk_buff *skb, u32 info); | |
1276 | int no_policy; | |
1277 | + int xfrm_prot; | |
1278 | }; | |
1279 | ||
1280 | #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) | |
1281 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/net/tcp.h linux-2.6.6-rc3/include/net/tcp.h | |
1282 | --- linux-2.6.6-rc3.org/include/net/tcp.h 2004-04-29 11:24:38.000000000 +0200 | |
1283 | +++ linux-2.6.6-rc3/include/net/tcp.h 2004-04-29 11:19:32.000000000 +0200 | |
1284 | @@ -162,6 +162,7 @@ | |
1285 | extern void tcp_bucket_unlock(struct sock *sk); | |
1286 | extern int tcp_port_rover; | |
1287 | extern struct sock *tcp_v4_lookup_listener(u32 addr, unsigned short hnum, int dif); | |
1288 | +extern struct sock *tcp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 hnum, int dif); | |
1289 | ||
1290 | /* These are AF independent. */ | |
1291 | static __inline__ int tcp_bhashfn(__u16 lport) | |
1292 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/net/udp.h linux-2.6.6-rc3/include/net/udp.h | |
1293 | --- linux-2.6.6-rc3.org/include/net/udp.h 2004-04-28 03:36:29.000000000 +0200 | |
1294 | +++ linux-2.6.6-rc3/include/net/udp.h 2004-04-29 11:19:32.000000000 +0200 | |
1295 | @@ -74,6 +74,8 @@ | |
1296 | extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg); | |
1297 | extern int udp_disconnect(struct sock *sk, int flags); | |
1298 | ||
1299 | +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); | |
1300 | + | |
1301 | DECLARE_SNMP_STAT(struct udp_mib, udp_statistics); | |
1302 | #define UDP_INC_STATS(field) SNMP_INC_STATS(udp_statistics, field) | |
1303 | #define UDP_INC_STATS_BH(field) SNMP_INC_STATS_BH(udp_statistics, field) | |
1304 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/include/net/xfrm.h linux-2.6.6-rc3/include/net/xfrm.h | |
1305 | --- linux-2.6.6-rc3.org/include/net/xfrm.h 2004-04-28 03:36:31.000000000 +0200 | |
1306 | +++ linux-2.6.6-rc3/include/net/xfrm.h 2004-04-29 11:18:03.000000000 +0200 | |
1307 | @@ -540,6 +540,9 @@ | |
1308 | { | |
1309 | atomic_t refcnt; | |
1310 | int len; | |
1311 | +#ifdef CONFIG_NETFILTER | |
1312 | + int decap_done; | |
1313 | +#endif | |
1314 | struct sec_decap_state x[XFRM_MAX_DEPTH]; | |
1315 | }; | |
1316 | ||
1317 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/core/netfilter.c linux-2.6.6-rc3/net/core/netfilter.c | |
1318 | --- linux-2.6.6-rc3.org/net/core/netfilter.c 2004-04-28 03:35:46.000000000 +0200 | |
1319 | +++ linux-2.6.6-rc3/net/core/netfilter.c 2004-04-29 11:18:06.000000000 +0200 | |
1320 | @@ -27,6 +27,8 @@ | |
1321 | #include <linux/icmp.h> | |
1322 | #include <net/sock.h> | |
1323 | #include <net/route.h> | |
1324 | +#include <net/xfrm.h> | |
1325 | +#include <net/ip.h> | |
1326 | #include <linux/ip.h> | |
1327 | ||
1328 | /* In this code, we can be waiting indefinitely for userspace to | |
1329 | @@ -638,7 +640,6 @@ | |
1330 | #ifdef CONFIG_IP_ROUTE_FWMARK | |
1331 | fl.nl_u.ip4_u.fwmark = (*pskb)->nfmark; | |
1332 | #endif | |
1333 | - fl.proto = iph->protocol; | |
1334 | if (ip_route_output_key(&rt, &fl) != 0) | |
1335 | return -1; | |
1336 | ||
1337 | @@ -665,6 +666,20 @@ | |
1338 | if ((*pskb)->dst->error) | |
1339 | return -1; | |
1340 | ||
1341 | +#ifdef CONFIG_XFRM | |
1342 | + if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)) { | |
1343 | + struct xfrm_policy_afinfo *afinfo; | |
1344 | + | |
1345 | + afinfo = xfrm_policy_get_afinfo(AF_INET); | |
1346 | + if (afinfo != NULL) { | |
1347 | + afinfo->decode_session(*pskb, &fl); | |
1348 | + xfrm_policy_put_afinfo(afinfo); | |
1349 | + if (xfrm_lookup(&(*pskb)->dst, &fl, (*pskb)->sk, 0) != 0) | |
1350 | + return -1; | |
1351 | + } | |
1352 | + } | |
1353 | +#endif | |
1354 | + | |
1355 | /* Change in oif may mean change in hh_len. */ | |
1356 | hh_len = (*pskb)->dst->dev->hard_header_len; | |
1357 | if (skb_headroom(*pskb) < hh_len) { | |
1358 | @@ -682,6 +697,71 @@ | |
1359 | return 0; | |
1360 | } | |
1361 | ||
1362 | +#ifdef CONFIG_XFRM | |
1363 | +inline int nf_rcv_postxfrm_nonlocal(struct sk_buff *skb) | |
1364 | +{ | |
1365 | + skb->sp->decap_done = 1; | |
1366 | + dst_release(skb->dst); | |
1367 | + skb->dst = NULL; | |
1368 | + nf_reset(skb); | |
1369 | + return netif_rx(skb); | |
1370 | +} | |
1371 | + | |
1372 | +int nf_rcv_postxfrm_local(struct sk_buff *skb) | |
1373 | +{ | |
1374 | + __skb_push(skb, skb->data - skb->nh.raw); | |
1375 | + /* Fix header len and checksum if last xfrm was transport mode */ | |
1376 | + if (!skb->sp->x[skb->sp->len - 1].xvec->props.mode) { | |
1377 | + skb->nh.iph->tot_len = htons(skb->len); | |
1378 | + ip_send_check(skb->nh.iph); | |
1379 | + } | |
1380 | + return nf_rcv_postxfrm_nonlocal(skb); | |
1381 | +} | |
1382 | + | |
1383 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
1384 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
1385 | +#include <linux/netfilter_ipv4/ip_nat.h> | |
1386 | + | |
1387 | +void nf_nat_decode_session4(struct sk_buff *skb, struct flowi *fl) | |
1388 | +{ | |
1389 | + struct ip_conntrack *ct; | |
1390 | + struct ip_conntrack_tuple *t; | |
1391 | + struct ip_nat_info_manip *m; | |
1392 | + unsigned int i; | |
1393 | + | |
1394 | + if (skb->nfct == NULL) | |
1395 | + return; | |
1396 | + ct = (struct ip_conntrack *)skb->nfct->master; | |
1397 | + | |
1398 | + for (i = 0; i < ct->nat.info.num_manips; i++) { | |
1399 | + m = &ct->nat.info.manips[i]; | |
1400 | + t = &ct->tuplehash[m->direction].tuple; | |
1401 | + | |
1402 | + switch (m->hooknum) { | |
1403 | + case NF_IP_PRE_ROUTING: | |
1404 | + if (m->maniptype != IP_NAT_MANIP_DST) | |
1405 | + break; | |
1406 | + fl->fl4_dst = t->dst.ip; | |
1407 | + if (t->dst.protonum == IPPROTO_TCP || | |
1408 | + t->dst.protonum == IPPROTO_UDP) | |
1409 | + fl->fl_ip_dport = t->dst.u.tcp.port; | |
1410 | + break; | |
1411 | +#ifdef CONFIG_IP_NF_NAT_LOCAL | |
1412 | + case NF_IP_LOCAL_IN: | |
1413 | + if (m->maniptype != IP_NAT_MANIP_SRC) | |
1414 | + break; | |
1415 | + fl->fl4_src = t->src.ip; | |
1416 | + if (t->dst.protonum == IPPROTO_TCP || | |
1417 | + t->dst.protonum == IPPROTO_UDP) | |
1418 | + fl->fl_ip_sport = t->src.u.tcp.port; | |
1419 | + break; | |
1420 | +#endif | |
1421 | + } | |
1422 | + } | |
1423 | +} | |
1424 | +#endif /* CONFIG_IP_NF_NAT_NEEDED */ | |
1425 | +#endif | |
1426 | + | |
1427 | int skb_ip_make_writable(struct sk_buff **pskb, unsigned int writable_len) | |
1428 | { | |
1429 | struct sk_buff *nskb; | |
1430 | @@ -839,3 +919,4 @@ | |
1431 | EXPORT_SYMBOL(nf_unregister_hook); | |
1432 | EXPORT_SYMBOL(nf_unregister_queue_handler); | |
1433 | EXPORT_SYMBOL(nf_unregister_sockopt); | |
1434 | +EXPORT_SYMBOL(nf_rcv_postxfrm_local); | |
1435 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ah4.c linux-2.6.6-rc3/net/ipv4/ah4.c | |
1436 | --- linux-2.6.6-rc3.org/net/ipv4/ah4.c 2004-04-28 03:36:34.000000000 +0200 | |
1437 | +++ linux-2.6.6-rc3/net/ipv4/ah4.c 2004-04-29 11:18:03.000000000 +0200 | |
1438 | @@ -145,6 +145,7 @@ | |
1439 | err = -EHOSTUNREACH; | |
1440 | goto error_nolock; | |
1441 | } | |
1442 | + IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; | |
1443 | return NET_XMIT_BYPASS; | |
1444 | ||
1445 | error: | |
1446 | @@ -343,6 +344,7 @@ | |
1447 | .handler = xfrm4_rcv, | |
1448 | .err_handler = ah4_err, | |
1449 | .no_policy = 1, | |
1450 | + .xfrm_prot = 1, | |
1451 | }; | |
1452 | ||
1453 | static int __init ah4_init(void) | |
1454 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/esp4.c linux-2.6.6-rc3/net/ipv4/esp4.c | |
1455 | --- linux-2.6.6-rc3.org/net/ipv4/esp4.c 2004-04-28 03:36:01.000000000 +0200 | |
1456 | +++ linux-2.6.6-rc3/net/ipv4/esp4.c 2004-04-29 11:18:03.000000000 +0200 | |
1457 | @@ -216,6 +216,7 @@ | |
1458 | err = -EHOSTUNREACH; | |
1459 | goto error_nolock; | |
1460 | } | |
1461 | + IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; | |
1462 | return NET_XMIT_BYPASS; | |
1463 | ||
1464 | error: | |
1465 | @@ -598,6 +599,7 @@ | |
1466 | .handler = xfrm4_rcv, | |
1467 | .err_handler = esp4_err, | |
1468 | .no_policy = 1, | |
1469 | + .xfrm_prot = 1, | |
1470 | }; | |
1471 | ||
1472 | static int __init esp4_init(void) | |
1473 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/igmp.c linux-2.6.6-rc3/net/ipv4/igmp.c | |
1474 | --- linux-2.6.6-rc3.org/net/ipv4/igmp.c 2004-04-28 03:36:55.000000000 +0200 | |
1475 | +++ linux-2.6.6-rc3/net/ipv4/igmp.c 2004-04-29 11:18:02.000000000 +0200 | |
1476 | @@ -342,7 +342,7 @@ | |
1477 | pig->csum = ip_compute_csum((void *)skb->h.igmph, igmplen); | |
1478 | ||
1479 | return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, skb->dev, | |
1480 | - dst_output); | |
1481 | + ip_dst_output); | |
1482 | } | |
1483 | ||
1484 | static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel) | |
1485 | @@ -672,7 +672,7 @@ | |
1486 | ih->csum=ip_compute_csum((void *)ih, sizeof(struct igmphdr)); | |
1487 | ||
1488 | return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, | |
1489 | - dst_output); | |
1490 | + ip_dst_output); | |
1491 | } | |
1492 | ||
1493 | static void igmp_gq_timer_expire(unsigned long data) | |
1494 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ip_forward.c linux-2.6.6-rc3/net/ipv4/ip_forward.c | |
1495 | --- linux-2.6.6-rc3.org/net/ipv4/ip_forward.c 2004-04-28 03:34:59.000000000 +0200 | |
1496 | +++ linux-2.6.6-rc3/net/ipv4/ip_forward.c 2004-04-29 11:18:03.000000000 +0200 | |
1497 | @@ -51,7 +51,7 @@ | |
1498 | if (unlikely(opt->optlen)) | |
1499 | ip_forward_options(skb); | |
1500 | ||
1501 | - return dst_output(skb); | |
1502 | + return ip_dst_output(skb); | |
1503 | } | |
1504 | ||
1505 | int ip_forward(struct sk_buff *skb) | |
1506 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ip_input.c linux-2.6.6-rc3/net/ipv4/ip_input.c | |
1507 | --- linux-2.6.6-rc3.org/net/ipv4/ip_input.c 2004-04-29 11:24:39.000000000 +0200 | |
1508 | +++ linux-2.6.6-rc3/net/ipv4/ip_input.c 2004-04-29 11:18:06.000000000 +0200 | |
1509 | @@ -206,10 +206,6 @@ | |
1510 | ||
1511 | __skb_pull(skb, ihl); | |
1512 | ||
1513 | - /* Free reference early: we don't need it any more, and it may | |
1514 | - hold ip_conntrack module loaded indefinitely. */ | |
1515 | - nf_reset(skb); | |
1516 | - | |
1517 | /* Point into the IP datagram, just past the header. */ | |
1518 | skb->h.raw = skb->data; | |
1519 | ||
1520 | @@ -224,6 +220,13 @@ | |
1521 | resubmit: | |
1522 | hash = protocol & (MAX_INET_PROTOS - 1); | |
1523 | raw_sk = sk_head(&raw_v4_htable[hash]); | |
1524 | + ipprot = inet_protos[hash]; | |
1525 | + smp_read_barrier_depends(); | |
1526 | + | |
1527 | + if (nf_xfrm_local_done(skb, ipprot)) { | |
1528 | + nf_rcv_postxfrm_local(skb); | |
1529 | + goto out; | |
1530 | + } | |
1531 | ||
1532 | /* If there maybe a raw socket we must check - if not we | |
1533 | * don't care less | |
1534 | @@ -231,14 +234,15 @@ | |
1535 | if (raw_sk) | |
1536 | raw_v4_input(skb, skb->nh.iph, hash); | |
1537 | ||
1538 | - if ((ipprot = inet_protos[hash]) != NULL) { | |
1539 | + if (ipprot != NULL) { | |
1540 | int ret; | |
1541 | ||
1542 | - smp_read_barrier_depends(); | |
1543 | - if (!ipprot->no_policy && | |
1544 | - !xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { | |
1545 | - kfree_skb(skb); | |
1546 | - goto out; | |
1547 | + if (!ipprot->no_policy) { | |
1548 | + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { | |
1549 | + kfree_skb(skb); | |
1550 | + goto out; | |
1551 | + } | |
1552 | + nf_reset(skb); | |
1553 | } | |
1554 | ret = ipprot->handler(skb); | |
1555 | if (ret < 0) { | |
1556 | @@ -279,8 +283,8 @@ | |
1557 | return 0; | |
1558 | } | |
1559 | ||
1560 | - return NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL, | |
1561 | - ip_local_deliver_finish); | |
1562 | + return NF_HOOK_COND(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL, | |
1563 | + ip_local_deliver_finish, nf_hook_input_cond(skb)); | |
1564 | } | |
1565 | ||
1566 | static inline int ip_rcv_finish(struct sk_buff *skb) | |
1567 | @@ -297,6 +301,9 @@ | |
1568 | goto drop; | |
1569 | } | |
1570 | ||
1571 | + if (nf_xfrm_nonlocal_done(skb)) | |
1572 | + return nf_rcv_postxfrm_nonlocal(skb); | |
1573 | + | |
1574 | #ifdef CONFIG_NET_CLS_ROUTE | |
1575 | if (skb->dst->tclassid) { | |
1576 | struct ip_rt_acct *st = ip_rt_acct + 256*smp_processor_id(); | |
1577 | @@ -418,8 +425,8 @@ | |
1578 | } | |
1579 | } | |
1580 | ||
1581 | - return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, | |
1582 | - ip_rcv_finish); | |
1583 | + return NF_HOOK_COND(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, | |
1584 | + ip_rcv_finish, nf_hook_input_cond(skb)); | |
1585 | ||
1586 | inhdr_error: | |
1587 | IP_INC_STATS_BH(IpInHdrErrors); | |
1588 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ip_output.c linux-2.6.6-rc3/net/ipv4/ip_output.c | |
1589 | --- linux-2.6.6-rc3.org/net/ipv4/ip_output.c 2004-04-28 03:36:55.000000000 +0200 | |
1590 | +++ linux-2.6.6-rc3/net/ipv4/ip_output.c 2004-04-29 11:18:03.000000000 +0200 | |
1591 | @@ -123,6 +123,15 @@ | |
1592 | return ttl; | |
1593 | } | |
1594 | ||
1595 | +#ifdef CONFIG_NETFILTER | |
1596 | +/* out-of-line copy is only required with netfilter */ | |
1597 | +int ip_dst_output(struct sk_buff *skb) | |
1598 | +{ | |
1599 | + return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, | |
1600 | + skb->dst->dev, dst_output, skb->dst->xfrm != NULL); | |
1601 | +} | |
1602 | +#endif | |
1603 | + | |
1604 | /* | |
1605 | * Add an ip header to a skbuff and send it out. | |
1606 | * | |
1607 | @@ -165,7 +174,7 @@ | |
1608 | ||
1609 | /* Send it out. */ | |
1610 | return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, | |
1611 | - dst_output); | |
1612 | + ip_dst_output); | |
1613 | } | |
1614 | ||
1615 | static inline int ip_finish_output2(struct sk_buff *skb) | |
1616 | @@ -283,7 +292,7 @@ | |
1617 | return ip_finish_output(skb); | |
1618 | } | |
1619 | ||
1620 | -int ip_output(struct sk_buff *skb) | |
1621 | +static inline int ip_output2(struct sk_buff *skb) | |
1622 | { | |
1623 | IP_INC_STATS(IpOutRequests); | |
1624 | ||
1625 | @@ -294,6 +303,16 @@ | |
1626 | return ip_finish_output(skb); | |
1627 | } | |
1628 | ||
1629 | +int ip_output(struct sk_buff *skb) | |
1630 | +{ | |
1631 | + int transformed = IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED; | |
1632 | + | |
1633 | + if (transformed) | |
1634 | + nf_reset(skb); | |
1635 | + return NF_HOOK_COND(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, | |
1636 | + skb->dst->dev, ip_output2, transformed); | |
1637 | +} | |
1638 | + | |
1639 | int ip_queue_xmit(struct sk_buff *skb, int ipfragok) | |
1640 | { | |
1641 | struct sock *sk = skb->sk; | |
1642 | @@ -387,7 +406,7 @@ | |
1643 | skb->priority = sk->sk_priority; | |
1644 | ||
1645 | return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, | |
1646 | - dst_output); | |
1647 | + ip_dst_output); | |
1648 | ||
1649 | no_route: | |
1650 | IP_INC_STATS(IpOutNoRoutes); | |
1651 | @@ -1177,7 +1196,7 @@ | |
1652 | ||
1653 | /* Netfilter gets whole the not fragmented skb. */ | |
1654 | err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, | |
1655 | - skb->dst->dev, dst_output); | |
1656 | + skb->dst->dev, ip_dst_output); | |
1657 | if (err) { | |
1658 | if (err > 0) | |
1659 | err = inet->recverr ? net_xmit_errno(err) : 0; | |
1660 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ipcomp.c linux-2.6.6-rc3/net/ipv4/ipcomp.c | |
1661 | --- linux-2.6.6-rc3.org/net/ipv4/ipcomp.c 2004-04-28 03:36:33.000000000 +0200 | |
1662 | +++ linux-2.6.6-rc3/net/ipv4/ipcomp.c 2004-04-29 11:18:03.000000000 +0200 | |
1663 | @@ -231,6 +231,7 @@ | |
1664 | err = -EHOSTUNREACH; | |
1665 | goto error_nolock; | |
1666 | } | |
1667 | + IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; | |
1668 | err = NET_XMIT_BYPASS; | |
1669 | ||
1670 | out_exit: | |
1671 | @@ -407,6 +408,7 @@ | |
1672 | .handler = xfrm4_rcv, | |
1673 | .err_handler = ipcomp4_err, | |
1674 | .no_policy = 1, | |
1675 | + .xfrm_prot = 1, | |
1676 | }; | |
1677 | ||
1678 | static int __init ipcomp4_init(void) | |
1679 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ipip.c linux-2.6.6-rc3/net/ipv4/ipip.c | |
1680 | --- linux-2.6.6-rc3.org/net/ipv4/ipip.c 2004-04-29 11:24:39.000000000 +0200 | |
1681 | +++ linux-2.6.6-rc3/net/ipv4/ipip.c 2004-04-29 11:18:03.000000000 +0200 | |
1682 | @@ -478,6 +478,11 @@ | |
1683 | ||
1684 | read_lock(&ipip_lock); | |
1685 | if ((tunnel = ipip_tunnel_lookup(iph->saddr, iph->daddr)) != NULL) { | |
1686 | + /* IPIP packets decapsulated by IPsec missed netfilter hooks */ | |
1687 | + if (nf_xfrm_local_done(skb, NULL)) { | |
1688 | + nf_rcv_postxfrm_local(skb); | |
1689 | + return 0; | |
1690 | + } | |
1691 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { | |
1692 | kfree_skb(skb); | |
1693 | return 0; | |
1694 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/ipmr.c linux-2.6.6-rc3/net/ipv4/ipmr.c | |
1695 | --- linux-2.6.6-rc3.org/net/ipv4/ipmr.c 2004-04-28 03:35:47.000000000 +0200 | |
1696 | +++ linux-2.6.6-rc3/net/ipv4/ipmr.c 2004-04-29 11:18:03.000000000 +0200 | |
1697 | @@ -1120,7 +1120,7 @@ | |
1698 | if (unlikely(opt->optlen)) | |
1699 | ip_forward_options(skb); | |
1700 | ||
1701 | - return dst_output(skb); | |
1702 | + return ip_dst_output(skb); | |
1703 | } | |
1704 | ||
1705 | /* | |
1706 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/Kconfig linux-2.6.6-rc3/net/ipv4/netfilter/Kconfig | |
1707 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/Kconfig 2004-04-29 11:24:40.000000000 +0200 | |
1708 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/Kconfig 2004-04-29 11:21:43.000000000 +0200 | |
1709 | @@ -206,6 +206,11 @@ | |
1710 | ||
1711 | To compile it as a module, choose M here. If unsure, say N. | |
1712 | ||
1713 | +config IP_NF_MATCH_UNCLEAN | |
1714 | + tristate 'unclean match support (EXPERIMENTAL)' | |
1715 | + depends on EXPERIMENTAL && IP_NF_IPTABLES | |
1716 | + help | |
1717 | + | |
1718 | config IP_NF_MATCH_TTL | |
1719 | tristate "TTL match support" | |
1720 | depends on IP_NF_IPTABLES | |
d8b5a97c | 1721 | @@ -706,5 +711,138 @@ |
384c1045 | 1722 | depends on IP_NF_IPTABLES |
1723 | help | |
1724 | ||
1725 | +config IP_NF_CONNTRACK_MARK | |
1726 | + bool 'Connection mark tracking support' | |
1727 | +config IP_NF_TARGET_CONNMARK | |
1728 | + tristate 'CONNMARK target support' | |
1729 | + depends on IP_NF_MANGLE | |
1730 | +config IP_NF_MATCH_CONNMARK | |
1731 | + tristate ' Connection mark match support' | |
1732 | + depends on IP_NF_IPTABLES | |
1733 | + help | |
1734 | + | |
1735 | +config IP_NF_TARGET_IPMARK | |
1736 | + tristate 'IPMARK target support' | |
1737 | + depends on IP_NF_MANGLE | |
1738 | + help | |
1739 | + | |
1740 | +config IP_NF_TARGET_TARPIT | |
1741 | + tristate 'TARPIT target support' | |
1742 | + depends on IP_NF_FILTER | |
1743 | + help | |
1744 | + | |
1745 | +config IP_NF_TARGET_TRACE | |
1746 | + tristate 'TRACE target support' | |
1747 | + depends on IP_NF_RAW | |
1748 | + help | |
1749 | + The TRACE target allows packets to be traced as those | |
1750 | + matches any subsequent rule in any table/rule. The matched | |
1751 | + rule and the packet is logged with the prefix | |
1752 | + | |
1753 | + TRACE: tablename/chainname/rulenum | |
1754 | + | |
1755 | + If you want to compile it as a module, say M here and read | |
1756 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
1757 | + help | |
1758 | + | |
1759 | +config IP_NF_TARGET_XOR | |
1760 | + tristate 'XOR target support' | |
1761 | + depends on IP_NF_MANGLE | |
1762 | + help | |
1763 | + | |
1764 | +config IP_NF_MATCH_ADDRTYPE | |
1765 | + tristate 'address type match support' | |
1766 | + depends on IP_NF_IPTABLES | |
1767 | + help | |
1768 | + | |
384c1045 | 1769 | +config IP_NF_EGG |
1770 | + tristate 'Eggdrop bot support' | |
1771 | + depends on IP_NF_CONNTRACK | |
1772 | + help | |
1773 | + | |
1774 | +config IP_NF_NAT_H323 | |
1775 | + tristate | |
1776 | + depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
1777 | + default IP_NF_NAT if IP_NF_H323=y | |
1778 | + default m if IP_NF_H323=m | |
1779 | + | |
1780 | +config IP_NF_H323 | |
1781 | + tristate 'H.323 (netmeeting) support' | |
1782 | + depends on IP_NF_CONNTRACK | |
1783 | + help | |
1784 | + | |
1785 | +config IP_NF_NAT_MMS | |
1786 | + tristate | |
1787 | + depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
1788 | + default IP_NF_NAT if IP_NF_MMS=y | |
1789 | + default m if IP_NF_MMS=m | |
1790 | + | |
1791 | +config IP_NF_MMS | |
1792 | + tristate 'MMS protocol support' | |
1793 | + depends on IP_NF_CONNTRACK | |
1794 | + help | |
1795 | + | |
1796 | +config IP_NF_MATCH_POLICY | |
1797 | + tristate "IPsec policy match support" | |
1798 | + depends on IP_NF_IPTABLES && XFRM | |
1799 | + help | |
1800 | + Policy matching allows you to match packets based on the | |
1801 | + IPsec policy that was used during decapsulation/will | |
1802 | + be used during encapsulation. | |
1803 | + | |
1804 | + To compile it as a module, choose M here. If unsure, say N. | |
1805 | + help | |
1806 | + | |
1807 | +config IP_NF_NAT_QUAKE3 | |
1808 | + tristate | |
1809 | + depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n | |
1810 | + default IP_NF_NAT if IP_NF_QUAKE3=y | |
1811 | + default m if IP_NF_QUAKE3=m | |
1812 | + | |
1813 | +config IP_NF_QUAKE3 | |
1814 | + tristate "Quake3 protocol support" | |
1815 | + depends on IP_NF_CONNTRACK | |
1816 | + help | |
1817 | + | |
1818 | +config IP_NF_MATCH_RPC | |
1819 | + tristate 'RPC match support' | |
1820 | + depends on IP_NF_CONNTRACK && IP_NF_IPTABLES | |
1821 | + help | |
1822 | + | |
1823 | +config IP_NF_RSH | |
1824 | + tristate 'RSH protocol support' | |
1825 | + depends on IP_NF_CONNTRACK | |
1826 | + help | |
1827 | + | |
1828 | +config IP_NF_NAT_RTSP | |
1829 | + tristate | |
1830 | + depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
1831 | + default IP_NF_NAT if IP_NF_RTSP=y | |
1832 | + default m if IP_NF_RTSP=m | |
1833 | +config IP_NF_RTSP | |
1834 | + tristate ' RTSP protocol support' | |
1835 | + depends on IP_NF_CONNTRACK | |
1836 | + help | |
1837 | + | |
1838 | +config IP_NF_CT_PROTO_SCTP | |
1839 | + tristate 'SCTP protocol connection tracking support' | |
1840 | + depends on IP_NF_CONNTRACK | |
1841 | + help | |
1842 | + | |
1843 | +config IP_NF_MATCH_STRING | |
1844 | + tristate 'String match support' | |
1845 | + depends on IP_NF_IPTABLES | |
1846 | + help | |
1847 | + | |
1848 | +config IP_NF_NAT_TALK | |
1849 | + tristate | |
1850 | + depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
1851 | + default IP_NF_NAT if IP_NF_TALK=y | |
1852 | + default m if IP_NF_TALK=m | |
1853 | +config IP_NF_TALK | |
1854 | + tristate 'talk protocol support' | |
1855 | + depends on IP_NF_CONNTRACK | |
1856 | + help | |
1857 | + | |
1858 | endmenu | |
1859 | ||
1860 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/Makefile linux-2.6.6-rc3/net/ipv4/netfilter/Makefile | |
1861 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/Makefile 2004-04-29 11:24:40.000000000 +0200 | |
1862 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/Makefile 2004-04-29 11:21:43.000000000 +0200 | |
d8b5a97c | 1863 | @@ -19,17 +19,43 @@ |
384c1045 | 1864 | # connection tracking |
1865 | obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o | |
1866 | ||
1867 | +# talk protocol support | |
1868 | +obj-$(CONFIG_IP_NF_TALK) += ip_conntrack_talk.o | |
1869 | +obj-$(CONFIG_IP_NF_NAT_TALK) += ip_nat_talk.o | |
1870 | + | |
1871 | + | |
1872 | +# SCTP protocol connection tracking | |
1873 | +obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o | |
1874 | + | |
1875 | +# H.323 support | |
1876 | +obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o | |
1877 | +obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o | |
1878 | + | |
1879 | + | |
1880 | # connection tracking helpers | |
1881 | + | |
1882 | +# rtsp protocol support | |
1883 | +obj-$(CONFIG_IP_NF_RTSP) += ip_conntrack_rtsp.o | |
1884 | +obj-$(CONFIG_IP_NF_NAT_RTSP) += ip_nat_rtsp.o | |
1885 | + | |
1886 | +obj-$(CONFIG_IP_NF_QUAKE3) += ip_conntrack_quake3.o | |
1887 | +obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o | |
1888 | obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o | |
1889 | obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o | |
1890 | obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o | |
1891 | +obj-$(CONFIG_IP_NF_RSH) += ip_conntrack_rsh.o | |
1892 | + | |
1893 | +obj-$(CONFIG_IP_NF_EGG) += ip_conntrack_egg.o | |
1894 | + | |
1895 | obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o | |
1896 | ||
1897 | # NAT helpers | |
384c1045 | 1898 | obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o |
1899 | obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o | |
1900 | obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o | |
1901 | obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o | |
1902 | +obj-$(CONFIG_IP_NF_NAT_QUAKE3) += ip_nat_quake3.o | |
1903 | +obj-$(CONFIG_IP_NF_NAT_MMS) += ip_nat_mms.o | |
1904 | ||
1905 | # generic IP tables | |
1906 | obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o | |
1907 | @@ -41,6 +83,8 @@ | |
1908 | obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o | |
1909 | ||
1910 | # matches | |
1911 | +obj-$(CONFIG_IP_NF_MATCH_RPC) += ip_conntrack_rpc_tcp.o ip_conntrack_rpc_udp.o ipt_rpc.o | |
1912 | + | |
1913 | obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o | |
1914 | obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o | |
1915 | obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o | |
1916 | @@ -87,14 +132,19 @@ | |
1917 | obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o | |
1918 | ||
1919 | ||
1920 | +obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o | |
1921 | +obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o | |
1922 | obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o | |
1923 | obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o | |
1924 | +obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o | |
1925 | obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o | |
1926 | obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o | |
1927 | obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o | |
1928 | +obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o | |
1929 | obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o | |
1930 | ||
1931 | obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o | |
1932 | +obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o | |
1933 | ||
1934 | # targets | |
1935 | obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o | |
1936 | @@ -102,6 +152,8 @@ | |
1937 | obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o | |
1938 | obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o | |
1939 | obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o | |
1940 | +obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o | |
1941 | +obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o | |
1942 | obj-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ.o | |
1943 | obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o | |
1944 | obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o | |
1945 | @@ -110,11 +162,14 @@ | |
1946 | obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o | |
1947 | obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o | |
1948 | obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o | |
1949 | +obj-$(CONFIG_IP_NF_TARGET_XOR) += ipt_XOR.o | |
1950 | +obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o | |
1951 | obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o | |
1952 | obj-$(CONFIG_IP_NF_TARGET_NETLINK) += ipt_NETLINK.o | |
1953 | obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o | |
1954 | obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o | |
1955 | obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o | |
1956 | +obj-$(CONFIG_IP_NF_TARGET_TRACE) += ipt_TRACE.o | |
1957 | obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o | |
1958 | ||
1959 | # generic ARP tables | |
1960 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_core.c | |
1961 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_core.c 2004-04-29 11:24:39.000000000 +0200 | |
1962 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_core.c 2004-04-29 11:11:00.000000000 +0200 | |
1963 | @@ -718,6 +718,9 @@ | |
1964 | __set_bit(IPS_EXPECTED_BIT, &conntrack->status); | |
1965 | conntrack->master = expected; | |
1966 | expected->sibling = conntrack; | |
1967 | +#if CONFIG_IP_NF_CONNTRACK_MARK | |
1968 | + conntrack->mark = expected->expectant->mark; | |
1969 | +#endif | |
1970 | LIST_DELETE(&ip_conntrack_expect_list, expected); | |
1971 | expected->expectant->expecting--; | |
1972 | nf_conntrack_get(&master_ct(conntrack)->infos[0]); | |
1973 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_egg.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_egg.c | |
1974 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_egg.c 1970-01-01 01:00:00.000000000 +0100 | |
1975 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_egg.c 2004-04-29 11:17:59.000000000 +0200 | |
1976 | @@ -0,0 +1,237 @@ | |
1977 | +/* Eggdrop extension for IP connection tracking, Version 0.0.5 | |
1978 | + * based on ip_conntrack_irc.c | |
1979 | + * | |
1980 | + * This module only supports the share userfile-send command, | |
1981 | + * used by eggdrops to share it's userfile. | |
1982 | + * | |
1983 | + * There are no support for NAT at the moment. | |
1984 | + * | |
1985 | + * This program is free software; you can redistribute it and/or | |
1986 | + * modify it under the terms of the GNU General Public License | |
1987 | + * as published by the Free Software Foundation; either version | |
1988 | + * 2 of the License, or (at your option) any later version. | |
1989 | + * | |
1990 | + * Module load syntax: | |
1991 | + * | |
1992 | + * please give the ports of all Eggdrops You have running | |
1993 | + * on your system, the default port is 3333. | |
1994 | + * | |
1995 | + * 2001-04-19: Security update. IP addresses are now compared | |
1996 | + * to prevent unauthorized "related" access. | |
1997 | + * | |
1998 | + * 2002-03-25: Harald Welte <laforge@gnumonks.org>: | |
1999 | + * Port to netfilter 'newnat' API. | |
2000 | + */ | |
2001 | + | |
2002 | +#include <linux/module.h> | |
2003 | +#include <linux/netfilter.h> | |
2004 | +#include <linux/ip.h> | |
2005 | +#include <net/checksum.h> | |
2006 | +#include <net/tcp.h> | |
2007 | + | |
2008 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
2009 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
2010 | + | |
2011 | +#define MAX_PORTS 8 | |
2012 | +static int ports[MAX_PORTS]; | |
2013 | +static int ports_c = 0; | |
2014 | +static unsigned int egg_timeout = 300; | |
2015 | + | |
2016 | +MODULE_AUTHOR("Magnus Sandin <magnus@sandin.cx>"); | |
2017 | +MODULE_DESCRIPTION("Eggdrop (userfile-sharing) connection tracking module"); | |
2018 | +MODULE_LICENSE("GPL"); | |
2019 | +#ifdef MODULE_PARM | |
2020 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
2021 | +MODULE_PARM_DESC(ports, "port numbers of eggdrop servers"); | |
2022 | +#endif | |
2023 | + | |
2024 | +DECLARE_LOCK(ip_egg_lock); | |
2025 | +struct module *ip_conntrack_egg = THIS_MODULE; | |
2026 | + | |
2027 | +#if 0 | |
2028 | +#define DEBUGP printk | |
2029 | +#else | |
2030 | +#define DEBUGP(format, args...) | |
2031 | +#endif | |
2032 | + | |
2033 | +int parse_command(char *data, char *data_end, u_int32_t * ip, u_int16_t * port) | |
2034 | +/* tries to get the ip_addr and port out of a eggdrop command | |
2035 | + return value: -1 on failure, 0 on success | |
2036 | + data pointer to first byte of DCC command data | |
2037 | + data_end pointer to last byte of dcc command data | |
2038 | + ip returns parsed ip of dcc command | |
2039 | + port returns parsed port of dcc command */ | |
2040 | +{ | |
2041 | + if (data > data_end) | |
2042 | + return -1; | |
2043 | + | |
2044 | + *ip = simple_strtoul(data, &data, 10); | |
2045 | + | |
2046 | + /* skip blanks between ip and port */ | |
2047 | + while (*data == ' ' && data < data_end) | |
2048 | + data++; | |
2049 | + | |
2050 | + *port = simple_strtoul(data, &data, 10); | |
2051 | + return 0; | |
2052 | +} | |
2053 | + | |
2054 | + | |
2055 | +static int help(const struct iphdr *iph, size_t len, | |
2056 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
2057 | +{ | |
2058 | + /* tcplen not negative guarenteed by ip_conntrack_tcp.c */ | |
2059 | + struct tcphdr *tcph = (void *) iph + iph->ihl * 4; | |
2060 | + char *data = (char *) tcph + tcph->doff * 4; | |
2061 | + char *data_limit; | |
2062 | + u_int32_t tcplen = len - iph->ihl * 4; | |
2063 | + u_int32_t datalen = tcplen - tcph->doff * 4; | |
2064 | + int dir = CTINFO2DIR(ctinfo); | |
2065 | + int bytes_scanned = 0; | |
2066 | + struct ip_conntrack_expect exp; | |
2067 | + | |
2068 | + u_int32_t egg_ip; | |
2069 | + u_int16_t egg_port; | |
2070 | + | |
2071 | + DEBUGP("entered\n"); | |
2072 | + | |
2073 | + /* If packet is coming from IRC server */ | |
2074 | + if (dir != IP_CT_DIR_REPLY) | |
2075 | + return NF_ACCEPT; | |
2076 | + | |
2077 | + /* Until there's been traffic both ways, don't look in packets. */ | |
2078 | + if (ctinfo != IP_CT_ESTABLISHED | |
2079 | + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
2080 | + DEBUGP("Conntrackinfo = %u\n", ctinfo); | |
2081 | + return NF_ACCEPT; | |
2082 | + } | |
2083 | + | |
2084 | + /* Not whole TCP header? */ | |
2085 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) { | |
2086 | + DEBUGP("tcplen = %u\n", (unsigned) tcplen); | |
2087 | + return NF_ACCEPT; | |
2088 | + } | |
2089 | + | |
2090 | + /* Checksum invalid? Ignore. */ | |
2091 | + /* FIXME: Source route IP option packets --RR */ | |
2092 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
2093 | + csum_partial((char *) tcph, tcplen, 0))) { | |
2094 | + DEBUGP("bad csum: %p %u %u.%u.%u.%u -> %u.%u.%u.%u\n", | |
2095 | + tcph, tcplen, NIPQUAD(iph->saddr), | |
2096 | + NIPQUAD(iph->daddr)); | |
2097 | + return NF_ACCEPT; | |
2098 | + } | |
2099 | + | |
2100 | + data_limit = (char *) data + datalen; | |
2101 | + while (datalen > 5 && bytes_scanned < 128) { | |
2102 | + if (memcmp(data, "s us ", 5)) { | |
2103 | + data++; | |
2104 | + datalen--; | |
2105 | + bytes_scanned++; | |
2106 | + continue; | |
2107 | + } | |
2108 | + | |
2109 | + data += 5; | |
2110 | + | |
2111 | + DEBUGP("Userfile-share found in connection " | |
2112 | + "%u.%u.%u.%u -> %u.%u.%u.%u\n", | |
2113 | + NIPQUAD(iph->saddr), NIPQUAD(iph->daddr)); | |
2114 | + | |
2115 | + if (parse_command((char *) data, data_limit, &egg_ip, | |
2116 | + &egg_port)) { | |
2117 | + DEBUGP("no data in userfile-share pkt\n"); | |
2118 | + return NF_ACCEPT; | |
2119 | + } | |
2120 | + | |
2121 | + memset(&exp, 0, sizeof(exp)); | |
2122 | + | |
2123 | + if (ct->tuplehash[dir].tuple.src.ip != htonl(egg_ip)) { | |
2124 | + if (net_ratelimit()) | |
2125 | + printk("Forged Eggdrop command from " | |
2126 | + "%u.%u.%u.%u: %u.%u.%u.%u:%u\n", | |
2127 | + NIPQUAD(ct->tuplehash[dir].tuple.src.ip), | |
2128 | + HIPQUAD(egg_ip), egg_port); | |
2129 | + return NF_ACCEPT; | |
2130 | + } | |
2131 | + | |
2132 | + exp.tuple.src.ip = iph->daddr; | |
2133 | + exp.tuple.src.u.tcp.port = 0; | |
2134 | + exp.tuple.dst.ip = htonl(egg_ip); | |
2135 | + exp.tuple.dst.u.tcp.port = htons(egg_port); | |
2136 | + exp.tuple.dst.protonum = IPPROTO_TCP; | |
2137 | + | |
2138 | + exp.mask.dst.u.tcp.port = 0xffff; | |
2139 | + exp.mask.dst.protonum = 0xffff; | |
2140 | + | |
2141 | + DEBUGP("expect_related %u.%u.%u.%u:%u - %u.%u.%u.%u:%u\n", | |
2142 | + NIPQUAD(t.src.ip), ntohs(t.src.u.tcp.port), | |
2143 | + NIPQUAD(t.dst.ip), ntohs(t.dst.u.tcp.port)); | |
2144 | + | |
2145 | + ip_conntrack_expect_related(ct, &exp); | |
2146 | + break; | |
2147 | + } | |
2148 | + return NF_ACCEPT; | |
2149 | +} | |
2150 | + | |
2151 | +static struct ip_conntrack_helper egg_helpers[MAX_PORTS]; | |
2152 | +static char egg_names[MAX_PORTS][14]; /* eggdrop-65535 */ | |
2153 | + | |
2154 | +static void deregister_helpers(void) { | |
2155 | + int i; | |
2156 | + | |
2157 | + for (i = 0; i < ports_c; i++) { | |
2158 | + DEBUGP("unregistering helper for port %d\n", ports[i]); | |
2159 | + ip_conntrack_helper_unregister(&egg_helpers[i]); | |
2160 | + } | |
2161 | +} | |
2162 | + | |
2163 | +static int __init init(void) | |
2164 | +{ | |
2165 | + int i, ret; | |
2166 | + char *tmpname; | |
2167 | + | |
2168 | + /* If no port given, default to standard eggdrop port */ | |
2169 | + if (ports[0] == 0) | |
2170 | + ports[0] = 3333; | |
2171 | + | |
2172 | + for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { | |
2173 | + memset(&egg_helpers[i], 0, | |
2174 | + sizeof(struct ip_conntrack_helper)); | |
2175 | + egg_helpers[i].tuple.src.u.tcp.port = htons(ports[i]); | |
2176 | + egg_helpers[i].tuple.dst.protonum = IPPROTO_TCP; | |
2177 | + egg_helpers[i].mask.src.u.tcp.port = 0xFFFF; | |
2178 | + egg_helpers[i].mask.dst.protonum = 0xFFFF; | |
2179 | + egg_helpers[i].max_expected = 1; | |
2180 | + egg_helpers[i].timeout = egg_timeout; | |
2181 | + egg_helpers[i].flags = IP_CT_HELPER_F_REUSE_EXPECT; | |
2182 | + egg_helpers[i].me = THIS_MODULE; | |
2183 | + egg_helpers[i].help = help; | |
2184 | + | |
2185 | + tmpname = &egg_names[i][0]; | |
2186 | + if (ports[i] == 3333) | |
2187 | + sprintf(tmpname, "eggdrop"); | |
2188 | + else | |
2189 | + sprintf(tmpname, "eggdrop-%d", ports[i]); | |
2190 | + egg_helpers[i].name = tmpname; | |
2191 | + | |
2192 | + DEBUGP("port #%d: %d\n", i, ports[i]); | |
2193 | + | |
2194 | + ret = ip_conntrack_helper_register(&egg_helpers[i]); | |
2195 | + | |
2196 | + if (ret) { | |
2197 | + printk("ip_conntrack_egg: ERROR registering helper " | |
2198 | + "for port %d\n", ports[i]); | |
2199 | + deregister_helpers(); | |
2200 | + return 1; | |
2201 | + } | |
2202 | + ports_c++; | |
2203 | + } | |
2204 | + return 0; | |
2205 | +} | |
2206 | + | |
2207 | +static void __exit fini(void) | |
2208 | +{ | |
2209 | + deregister_helpers(); | |
2210 | +} | |
2211 | + | |
2212 | +module_init(init); | |
2213 | +module_exit(fini); | |
2214 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_h323.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_h323.c | |
2215 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_h323.c 1970-01-01 01:00:00.000000000 +0100 | |
2216 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_h323.c 2004-04-29 11:18:00.000000000 +0200 | |
2217 | @@ -0,0 +1,308 @@ | |
2218 | +/* | |
2219 | + * H.323 'brute force' extension for H.323 connection tracking. | |
2220 | + * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
2221 | + * | |
2222 | + * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project. | |
2223 | + * (http://www.coritel.it/projects/sofia/nat/) | |
2224 | + * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind' | |
2225 | + * the unregistered helpers to the conntrack entries. | |
2226 | + */ | |
2227 | + | |
2228 | + | |
2229 | +#include <linux/module.h> | |
2230 | +#include <linux/netfilter.h> | |
2231 | +#include <linux/ip.h> | |
2232 | +#include <net/checksum.h> | |
2233 | +#include <net/tcp.h> | |
2234 | + | |
2235 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
2236 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
2237 | +#include <linux/netfilter_ipv4/ip_conntrack_core.h> | |
2238 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
2239 | +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> | |
2240 | +#include <linux/netfilter_ipv4/ip_conntrack_h323.h> | |
2241 | + | |
2242 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
2243 | +MODULE_DESCRIPTION("H.323 'brute force' connection tracking module"); | |
2244 | +MODULE_LICENSE("GPL"); | |
2245 | + | |
2246 | +DECLARE_LOCK(ip_h323_lock); | |
2247 | +struct module *ip_conntrack_h323 = THIS_MODULE; | |
2248 | + | |
2249 | +#if 0 | |
2250 | +#define DEBUGP printk | |
2251 | +#else | |
2252 | +#define DEBUGP(format, args...) | |
2253 | +#endif | |
2254 | + | |
2255 | +/* FIXME: This should be in userspace. Later. */ | |
2256 | +static int h245_help(const struct iphdr *iph, size_t len, | |
2257 | + struct ip_conntrack *ct, | |
2258 | + enum ip_conntrack_info ctinfo) | |
2259 | +{ | |
2260 | + struct tcphdr *tcph = (void *)iph + iph->ihl * 4; | |
2261 | + unsigned char *data = (unsigned char *) tcph + tcph->doff * 4; | |
2262 | + unsigned char *data_limit; | |
2263 | + u_int32_t tcplen = len - iph->ihl * 4; | |
2264 | + u_int32_t datalen = tcplen - tcph->doff * 4; | |
2265 | + int dir = CTINFO2DIR(ctinfo); | |
2266 | + struct ip_ct_h225_master *info = &ct->help.ct_h225_info; | |
2267 | + struct ip_conntrack_expect expect, *exp = &expect; | |
2268 | + struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info; | |
2269 | + u_int16_t data_port; | |
2270 | + u_int32_t data_ip; | |
2271 | + unsigned int i; | |
2272 | + | |
2273 | + DEBUGP("ct_h245_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
2274 | + NIPQUAD(iph->saddr), ntohs(tcph->source), | |
2275 | + NIPQUAD(iph->daddr), ntohs(tcph->dest)); | |
2276 | + | |
2277 | + /* Can't track connections formed before we registered */ | |
2278 | + if (!info) | |
2279 | + return NF_ACCEPT; | |
2280 | + | |
2281 | + /* Until there's been traffic both ways, don't look in packets. */ | |
2282 | + if (ctinfo != IP_CT_ESTABLISHED | |
2283 | + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
2284 | + DEBUGP("ct_h245_help: Conntrackinfo = %u\n", ctinfo); | |
2285 | + return NF_ACCEPT; | |
2286 | + } | |
2287 | + | |
2288 | + /* Not whole TCP header or too short packet? */ | |
2289 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) { | |
2290 | + DEBUGP("ct_h245_help: tcplen = %u\n", (unsigned)tcplen); | |
2291 | + return NF_ACCEPT; | |
2292 | + } | |
2293 | + | |
2294 | + /* Checksum invalid? Ignore. */ | |
2295 | + /* FIXME: Source route IP option packets --RR */ | |
2296 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
2297 | + csum_partial((char *)tcph, tcplen, 0))) { | |
2298 | + DEBUGP("ct_h245_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
2299 | + tcph, tcplen, NIPQUAD(iph->saddr), | |
2300 | + NIPQUAD(iph->daddr)); | |
2301 | + return NF_ACCEPT; | |
2302 | + } | |
2303 | + | |
2304 | + data_limit = (unsigned char *) data + datalen; | |
2305 | + /* bytes: 0123 45 | |
2306 | + ipadrr port */ | |
2307 | + for (i = 0; data < (data_limit - 5); data++, i++) { | |
2308 | + data_ip = *((u_int32_t *)data); | |
2309 | + if (data_ip == iph->saddr) { | |
2310 | + data_port = *((u_int16_t *)(data + 4)); | |
2311 | + memset(&expect, 0, sizeof(expect)); | |
2312 | + /* update the H.225 info */ | |
2313 | + DEBUGP("ct_h245_help: new RTCP/RTP requested %u.%u.%u.%u:->%u.%u.%u.%u:%u\n", | |
2314 | + NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), | |
2315 | + NIPQUAD(iph->saddr), ntohs(data_port)); | |
2316 | + LOCK_BH(&ip_h323_lock); | |
2317 | + info->is_h225 = H225_PORT + 1; | |
2318 | + exp_info->port = data_port; | |
2319 | + exp_info->dir = dir; | |
2320 | + exp_info->offset = i; | |
2321 | + | |
2322 | + exp->seq = ntohl(tcph->seq) + i; | |
2323 | + | |
2324 | + exp->tuple = ((struct ip_conntrack_tuple) | |
2325 | + { { ct->tuplehash[!dir].tuple.src.ip, | |
2326 | + { 0 } }, | |
2327 | + { data_ip, | |
2328 | + { .tcp = { data_port } }, | |
2329 | + IPPROTO_UDP }}); | |
2330 | + exp->mask = ((struct ip_conntrack_tuple) | |
2331 | + { { 0xFFFFFFFF, { 0 } }, | |
2332 | + { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }}); | |
2333 | + | |
2334 | + exp->expectfn = NULL; | |
2335 | + | |
2336 | + /* Ignore failure; should only happen with NAT */ | |
2337 | + ip_conntrack_expect_related(ct, exp); | |
2338 | + | |
2339 | + UNLOCK_BH(&ip_h323_lock); | |
2340 | + } | |
2341 | + } | |
2342 | + | |
2343 | + return NF_ACCEPT; | |
2344 | + | |
2345 | +} | |
2346 | + | |
2347 | +/* H.245 helper is not registered! */ | |
2348 | +static struct ip_conntrack_helper h245 = | |
2349 | + { { NULL, NULL }, | |
2350 | + "H.245", /* name */ | |
2351 | + IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ | |
2352 | + NULL, /* module */ | |
2353 | + 8, /* max_ expected */ | |
2354 | + 240, /* timeout */ | |
2355 | + { { 0, { 0 } }, /* tuple */ | |
2356 | + { 0, { 0 }, IPPROTO_TCP } }, | |
2357 | + { { 0, { 0xFFFF } }, /* mask */ | |
2358 | + { 0, { 0 }, 0xFFFF } }, | |
2359 | + h245_help /* helper */ | |
2360 | + }; | |
2361 | + | |
2362 | +static int h225_expect(struct ip_conntrack *ct) | |
2363 | +{ | |
2364 | + WRITE_LOCK(&ip_conntrack_lock); | |
2365 | + ct->helper = &h245; | |
2366 | + DEBUGP("h225_expect: helper for %p added\n", ct); | |
2367 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
2368 | + | |
2369 | + return NF_ACCEPT; /* unused */ | |
2370 | +} | |
2371 | + | |
2372 | +/* FIXME: This should be in userspace. Later. */ | |
2373 | +static int h225_help(const struct iphdr *iph, size_t len, | |
2374 | + struct ip_conntrack *ct, | |
2375 | + enum ip_conntrack_info ctinfo) | |
2376 | +{ | |
2377 | + struct tcphdr *tcph = (void *)iph + iph->ihl * 4; | |
2378 | + unsigned char *data = (unsigned char *) tcph + tcph->doff * 4; | |
2379 | + unsigned char *data_limit; | |
2380 | + u_int32_t tcplen = len - iph->ihl * 4; | |
2381 | + u_int32_t datalen = tcplen - tcph->doff * 4; | |
2382 | + int dir = CTINFO2DIR(ctinfo); | |
2383 | + struct ip_ct_h225_master *info = &ct->help.ct_h225_info; | |
2384 | + struct ip_conntrack_expect expect, *exp = &expect; | |
2385 | + struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info; | |
2386 | + u_int16_t data_port; | |
2387 | + u_int32_t data_ip; | |
2388 | + unsigned int i; | |
2389 | + | |
2390 | + DEBUGP("ct_h225_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
2391 | + NIPQUAD(iph->saddr), ntohs(tcph->source), | |
2392 | + NIPQUAD(iph->daddr), ntohs(tcph->dest)); | |
2393 | + | |
2394 | + /* Can't track connections formed before we registered */ | |
2395 | + if (!info) | |
2396 | + return NF_ACCEPT; | |
2397 | + | |
2398 | + /* Until there's been traffic both ways, don't look in packets. */ | |
2399 | + if (ctinfo != IP_CT_ESTABLISHED | |
2400 | + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
2401 | + DEBUGP("ct_h225_help: Conntrackinfo = %u\n", ctinfo); | |
2402 | + return NF_ACCEPT; | |
2403 | + } | |
2404 | + | |
2405 | + /* Not whole TCP header or too short packet? */ | |
2406 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) { | |
2407 | + DEBUGP("ct_h225_help: tcplen = %u\n", (unsigned)tcplen); | |
2408 | + return NF_ACCEPT; | |
2409 | + } | |
2410 | + | |
2411 | + /* Checksum invalid? Ignore. */ | |
2412 | + /* FIXME: Source route IP option packets --RR */ | |
2413 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
2414 | + csum_partial((char *)tcph, tcplen, 0))) { | |
2415 | + DEBUGP("ct_h225_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
2416 | + tcph, tcplen, NIPQUAD(iph->saddr), | |
2417 | + NIPQUAD(iph->daddr)); | |
2418 | + return NF_ACCEPT; | |
2419 | + } | |
2420 | + | |
2421 | + data_limit = (unsigned char *) data + datalen; | |
2422 | + /* bytes: 0123 45 | |
2423 | + ipadrr port */ | |
2424 | + for (i = 0; data < (data_limit - 5); data++, i++) { | |
2425 | + data_ip = *((u_int32_t *)data); | |
2426 | + if (data_ip == iph->saddr) { | |
2427 | + data_port = *((u_int16_t *)(data + 4)); | |
2428 | + if (data_port == tcph->source) { | |
2429 | + /* Signal address */ | |
2430 | + DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n", | |
2431 | + NIPQUAD(iph->saddr)); | |
2432 | + /* Update the H.225 info so that NAT can mangle the address/port | |
2433 | + even when we have no expected connection! */ | |
2434 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
2435 | + LOCK_BH(&ip_h323_lock); | |
2436 | + info->dir = dir; | |
2437 | + info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i; | |
2438 | + info->offset[IP_CT_DIR_ORIGINAL] = i; | |
2439 | + UNLOCK_BH(&ip_h323_lock); | |
2440 | +#endif | |
2441 | + } else { | |
2442 | + memset(&expect, 0, sizeof(expect)); | |
2443 | + | |
2444 | + /* update the H.225 info */ | |
2445 | + LOCK_BH(&ip_h323_lock); | |
2446 | + info->is_h225 = H225_PORT; | |
2447 | + exp_info->port = data_port; | |
2448 | + exp_info->dir = dir; | |
2449 | + exp_info->offset = i; | |
2450 | + | |
2451 | + exp->seq = ntohl(tcph->seq) + i; | |
2452 | + | |
2453 | + exp->tuple = ((struct ip_conntrack_tuple) | |
2454 | + { { ct->tuplehash[!dir].tuple.src.ip, | |
2455 | + { 0 } }, | |
2456 | + { data_ip, | |
2457 | + { .tcp = { data_port } }, | |
2458 | + IPPROTO_TCP }}); | |
2459 | + exp->mask = ((struct ip_conntrack_tuple) | |
2460 | + { { 0xFFFFFFFF, { 0 } }, | |
2461 | + { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }}); | |
2462 | + | |
2463 | + exp->expectfn = h225_expect; | |
2464 | + | |
2465 | + /* Ignore failure */ | |
2466 | + ip_conntrack_expect_related(ct, exp); | |
2467 | + | |
2468 | + DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n", | |
2469 | + NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), | |
2470 | + NIPQUAD(iph->saddr), ntohs(data_port)); | |
2471 | + | |
2472 | + UNLOCK_BH(&ip_h323_lock); | |
2473 | + } | |
2474 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
2475 | + } else if (data_ip == iph->daddr) { | |
2476 | + data_port = *((u_int16_t *)(data + 4)); | |
2477 | + if (data_port == tcph->dest) { | |
2478 | + /* Signal address */ | |
2479 | + DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n", | |
2480 | + NIPQUAD(iph->daddr)); | |
2481 | + /* Update the H.225 info so that NAT can mangle the address/port | |
2482 | + even when we have no expected connection! */ | |
2483 | + LOCK_BH(&ip_h323_lock); | |
2484 | + info->dir = dir; | |
2485 | + info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i; | |
2486 | + info->offset[IP_CT_DIR_REPLY] = i; | |
2487 | + UNLOCK_BH(&ip_h323_lock); | |
2488 | + } | |
2489 | +#endif | |
2490 | + } | |
2491 | + } | |
2492 | + | |
2493 | + return NF_ACCEPT; | |
2494 | + | |
2495 | +} | |
2496 | + | |
2497 | +static struct ip_conntrack_helper h225 = | |
2498 | + { { NULL, NULL }, | |
2499 | + "H.225", /* name */ | |
2500 | + IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ | |
2501 | + THIS_MODULE, /* module */ | |
2502 | + 2, /* max_expected */ | |
2503 | + 240, /* timeout */ | |
2504 | + { { 0, { __constant_htons(H225_PORT) } }, /* tuple */ | |
2505 | + { 0, { 0 }, IPPROTO_TCP } }, | |
2506 | + { { 0, { 0xFFFF } }, /* mask */ | |
2507 | + { 0, { 0 }, 0xFFFF } }, | |
2508 | + h225_help /* helper */ | |
2509 | + }; | |
2510 | + | |
2511 | +static int __init init(void) | |
2512 | +{ | |
2513 | + return ip_conntrack_helper_register(&h225); | |
2514 | +} | |
2515 | + | |
2516 | +static void __exit fini(void) | |
2517 | +{ | |
2518 | + /* Unregister H.225 helper */ | |
2519 | + ip_conntrack_helper_unregister(&h225); | |
2520 | +} | |
2521 | + | |
2522 | +EXPORT_SYMBOL(ip_h323_lock); | |
2523 | + | |
2524 | +module_init(init); | |
2525 | +module_exit(fini); | |
2526 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_mms.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_mms.c | |
2527 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_mms.c 1970-01-01 01:00:00.000000000 +0100 | |
2528 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_mms.c 2004-04-29 11:19:01.000000000 +0200 | |
2529 | @@ -0,0 +1,308 @@ | |
2530 | +/* MMS extension for IP connection tracking | |
2531 | + * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be> | |
2532 | + * based on ip_conntrack_ftp.c and ip_conntrack_irc.c | |
2533 | + * | |
2534 | + * ip_conntrack_mms.c v0.3 2002-09-22 | |
2535 | + * | |
2536 | + * This program is free software; you can redistribute it and/or | |
2537 | + * modify it under the terms of the GNU General Public License | |
2538 | + * as published by the Free Software Foundation; either version | |
2539 | + * 2 of the License, or (at your option) any later version. | |
2540 | + * | |
2541 | + * Module load syntax: | |
2542 | + * insmod ip_conntrack_mms.o ports=port1,port2,...port<MAX_PORTS> | |
2543 | + * | |
2544 | + * Please give the ports of all MMS servers You wish to connect to. | |
2545 | + * If you don't specify ports, the default will be TCP port 1755. | |
2546 | + * | |
2547 | + * More info on MMS protocol, firewalls and NAT: | |
2548 | + * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp | |
2549 | + * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp | |
2550 | + * | |
2551 | + * The SDP project people are reverse-engineering MMS: | |
2552 | + * http://get.to/sdp | |
2553 | + */ | |
2554 | + | |
2555 | +#include <linux/config.h> | |
2556 | +#include <linux/module.h> | |
2557 | +#include <linux/netfilter.h> | |
2558 | +#include <linux/ip.h> | |
2559 | +#include <linux/ctype.h> | |
2560 | +#include <net/checksum.h> | |
2561 | +#include <net/tcp.h> | |
2562 | + | |
2563 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
2564 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
2565 | +#include <linux/netfilter_ipv4/ip_conntrack_mms.h> | |
2566 | + | |
2567 | +DECLARE_LOCK(ip_mms_lock); | |
2568 | +struct module *ip_conntrack_mms = THIS_MODULE; | |
2569 | + | |
2570 | +#define MAX_PORTS 8 | |
2571 | +static int ports[MAX_PORTS]; | |
2572 | +static int ports_c; | |
2573 | +#ifdef MODULE_PARM | |
2574 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
2575 | +#endif | |
2576 | + | |
2577 | +#if 0 | |
2578 | +#define DEBUGP printk | |
2579 | +#else | |
2580 | +#define DEBUGP(format, args...) | |
2581 | +#endif | |
2582 | + | |
2583 | +EXPORT_SYMBOL(ip_mms_lock); | |
2584 | + | |
2585 | +MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>"); | |
2586 | +MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module"); | |
2587 | +MODULE_LICENSE("GPL"); | |
2588 | + | |
2589 | +/* #define isdigit(c) (c >= '0' && c <= '9') */ | |
2590 | + | |
2591 | +/* copied from drivers/usb/serial/io_edgeport.c - not perfect but will do the trick */ | |
2592 | +static void unicode_to_ascii (char *string, short *unicode, int unicode_size) | |
2593 | +{ | |
2594 | + int i; | |
2595 | + for (i = 0; i < unicode_size; ++i) { | |
2596 | + string[i] = (char)(unicode[i]); | |
2597 | + } | |
2598 | + string[unicode_size] = 0x00; | |
2599 | +} | |
2600 | + | |
2601 | +__inline static int atoi(char *s) | |
2602 | +{ | |
2603 | + int i=0; | |
2604 | + while (isdigit(*s)) { | |
2605 | + i = i*10 + *(s++) - '0'; | |
2606 | + } | |
2607 | + return i; | |
2608 | +} | |
2609 | + | |
2610 | +/* convert ip address string like "192.168.0.10" to unsigned int */ | |
2611 | +__inline static u_int32_t asciiiptoi(char *s) | |
2612 | +{ | |
2613 | + unsigned int i, j, k; | |
2614 | + | |
2615 | + for(i=k=0; k<3; ++k, ++s, i<<=8) { | |
2616 | + i+=atoi(s); | |
2617 | + for(j=0; (*(++s) != '.') && (j<3); ++j) | |
2618 | + ; | |
2619 | + } | |
2620 | + i+=atoi(s); | |
2621 | + return ntohl(i); | |
2622 | +} | |
2623 | + | |
2624 | +int parse_mms(const char *data, | |
2625 | + const unsigned int datalen, | |
2626 | + u_int32_t *mms_ip, | |
2627 | + u_int16_t *mms_proto, | |
2628 | + u_int16_t *mms_port, | |
2629 | + char **mms_string_b, | |
2630 | + char **mms_string_e, | |
2631 | + char **mms_padding_e) | |
2632 | +{ | |
2633 | + int unicode_size, i; | |
2634 | + char tempstring[28]; /* "\\255.255.255.255\UDP\65535" */ | |
2635 | + char getlengthstring[28]; | |
2636 | + | |
2637 | + for(unicode_size=0; | |
2638 | + (char) *(data+(MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2)) != (char)0; | |
2639 | + unicode_size++) | |
2640 | + if ((unicode_size == 28) || (MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2 >= datalen)) | |
2641 | + return -1; /* out of bounds - incomplete packet */ | |
2642 | + | |
2643 | + unicode_to_ascii(tempstring, (short *)(data+MMS_SRV_UNICODE_STRING_OFFSET), unicode_size); | |
2644 | + DEBUGP("ip_conntrack_mms: offset 60: %s\n", (const char *)(tempstring)); | |
2645 | + | |
2646 | + /* IP address ? */ | |
2647 | + *mms_ip = asciiiptoi(tempstring+2); | |
2648 | + | |
2649 | + i=sprintf(getlengthstring, "%u.%u.%u.%u", HIPQUAD(*mms_ip)); | |
2650 | + | |
2651 | + /* protocol ? */ | |
2652 | + if(strncmp(tempstring+3+i, "TCP", 3)==0) | |
2653 | + *mms_proto = IPPROTO_TCP; | |
2654 | + else if(strncmp(tempstring+3+i, "UDP", 3)==0) | |
2655 | + *mms_proto = IPPROTO_UDP; | |
2656 | + | |
2657 | + /* port ? */ | |
2658 | + *mms_port = atoi(tempstring+7+i); | |
2659 | + | |
2660 | + /* we store a pointer to the beginning of the "\\a.b.c.d\proto\port" | |
2661 | + unicode string, one to the end of the string, and one to the end | |
2662 | + of the packet, since we must keep track of the number of bytes | |
2663 | + between end of the unicode string and the end of packet (padding) */ | |
2664 | + *mms_string_b = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET); | |
2665 | + *mms_string_e = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET + unicode_size * 2); | |
2666 | + *mms_padding_e = (char *)(data + datalen); /* looks funny, doesn't it */ | |
2667 | + return 0; | |
2668 | +} | |
2669 | + | |
2670 | + | |
2671 | +/* FIXME: This should be in userspace. Later. */ | |
2672 | +static int help(const struct iphdr *iph, size_t len, | |
2673 | + struct ip_conntrack *ct, | |
2674 | + enum ip_conntrack_info ctinfo) | |
2675 | +{ | |
2676 | + /* tcplen not negative guaranteed by ip_conntrack_tcp.c */ | |
2677 | + struct tcphdr *tcph = (void *)iph + iph->ihl * 4; | |
2678 | + const char *data = (const char *)tcph + tcph->doff * 4; | |
2679 | + unsigned int tcplen = len - iph->ihl * 4; | |
2680 | + unsigned int datalen = tcplen - tcph->doff * 4; | |
2681 | + int dir = CTINFO2DIR(ctinfo); | |
2682 | + struct ip_conntrack_expect expect, *exp = &expect; | |
2683 | + struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info; | |
2684 | + | |
2685 | + u_int32_t mms_ip; | |
2686 | + u_int16_t mms_proto; | |
2687 | + char mms_proto_string[8]; | |
2688 | + u_int16_t mms_port; | |
2689 | + char *mms_string_b, *mms_string_e, *mms_padding_e; | |
2690 | + | |
2691 | + /* Until there's been traffic both ways, don't look in packets. */ | |
2692 | + if (ctinfo != IP_CT_ESTABLISHED | |
2693 | + && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) { | |
2694 | + DEBUGP("ip_conntrack_mms: Conntrackinfo = %u\n", ctinfo); | |
2695 | + return NF_ACCEPT; | |
2696 | + } | |
2697 | + | |
2698 | + /* Not whole TCP header? */ | |
2699 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) { | |
2700 | + DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen); | |
2701 | + return NF_ACCEPT; | |
2702 | + } | |
2703 | + | |
2704 | + /* Checksum invalid? Ignore. */ | |
2705 | + /* FIXME: Source route IP option packets --RR */ | |
2706 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
2707 | + csum_partial((char *)tcph, tcplen, 0))) { | |
2708 | + DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
2709 | + tcph, tcplen, NIPQUAD(iph->saddr), | |
2710 | + NIPQUAD(iph->daddr)); | |
2711 | + return NF_ACCEPT; | |
2712 | + } | |
2713 | + | |
2714 | + /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */ | |
2715 | + /* FIXME: There is an issue with only looking at this packet: before this packet, | |
2716 | + the client has already sent a packet to the server with the server's hostname | |
2717 | + according to the client (think of it as the "Host: " header in HTTP/1.1). The | |
2718 | + server will break the connection if this doesn't correspond to its own host | |
2719 | + header. The client can also connect to an IP address; if it's the server's IP | |
2720 | + address, it will not break the connection. When doing DNAT on a connection | |
2721 | + where the client uses a server's IP address, the nat module should detect | |
2722 | + this and change this string accordingly to the DNATed address. This should | |
2723 | + probably be done by checking for an IP address, then storing it as a member | |
2724 | + of struct ip_ct_mms_expect and checking for it in ip_nat_mms... | |
2725 | + */ | |
2726 | + if( (MMS_SRV_MSG_OFFSET < datalen) && | |
2727 | + ((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) { | |
2728 | + DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n", | |
2729 | + (u8)*(data+36), (u8)*(data+37), | |
2730 | + (u8)*(data+38), (u8)*(data+39), | |
2731 | + datalen); | |
2732 | + if(parse_mms(data, datalen, &mms_ip, &mms_proto, &mms_port, | |
2733 | + &mms_string_b, &mms_string_e, &mms_padding_e)) | |
2734 | + if(net_ratelimit()) | |
2735 | + /* FIXME: more verbose debugging ? */ | |
2736 | + printk(KERN_WARNING | |
2737 | + "ip_conntrack_mms: Unable to parse data payload\n"); | |
2738 | + | |
2739 | + memset(&expect, 0, sizeof(expect)); | |
2740 | + | |
2741 | + sprintf(mms_proto_string, "(%u)", mms_proto); | |
2742 | + DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n", | |
2743 | + mms_proto == IPPROTO_TCP ? "TCP" | |
2744 | + : mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string, | |
2745 | + NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), | |
2746 | + NIPQUAD(mms_ip), | |
2747 | + mms_port); | |
2748 | + | |
2749 | + /* it's possible that the client will just ask the server to tunnel | |
2750 | + the stream over the same TCP session (from port 1755): there's | |
2751 | + shouldn't be a need to add an expectation in that case, but it | |
2752 | + makes NAT packet mangling so much easier */ | |
2753 | + LOCK_BH(&ip_mms_lock); | |
2754 | + | |
2755 | + DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq); | |
2756 | + | |
2757 | + exp->seq = ntohl(tcph->seq) + (mms_string_b - data); | |
2758 | + exp_mms_info->len = (mms_string_e - mms_string_b); | |
2759 | + exp_mms_info->padding = (mms_padding_e - mms_string_e); | |
2760 | + exp_mms_info->port = mms_port; | |
2761 | + | |
2762 | + DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n", | |
2763 | + exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding); | |
2764 | + | |
2765 | + exp->tuple = ((struct ip_conntrack_tuple) | |
2766 | + { { ct->tuplehash[!dir].tuple.src.ip, { 0 } }, | |
2767 | + { mms_ip, | |
2768 | + { .tcp = { (__u16) ntohs(mms_port) } }, | |
2769 | + mms_proto } } | |
2770 | + ); | |
2771 | + exp->mask = ((struct ip_conntrack_tuple) | |
2772 | + { { 0xFFFFFFFF, { 0 } }, | |
2773 | + { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }}); | |
2774 | + exp->expectfn = NULL; | |
2775 | + ip_conntrack_expect_related(ct, &expect); | |
2776 | + UNLOCK_BH(&ip_mms_lock); | |
2777 | + } | |
2778 | + | |
2779 | + return NF_ACCEPT; | |
2780 | +} | |
2781 | + | |
2782 | +static struct ip_conntrack_helper mms[MAX_PORTS]; | |
2783 | +static char mms_names[MAX_PORTS][10]; | |
2784 | + | |
2785 | +/* Not __exit: called from init() */ | |
2786 | +static void fini(void) | |
2787 | +{ | |
2788 | + int i; | |
2789 | + for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { | |
2790 | + DEBUGP("ip_conntrack_mms: unregistering helper for port %d\n", | |
2791 | + ports[i]); | |
2792 | + ip_conntrack_helper_unregister(&mms[i]); | |
2793 | + } | |
2794 | +} | |
2795 | + | |
2796 | +static int __init init(void) | |
2797 | +{ | |
2798 | + int i, ret; | |
2799 | + char *tmpname; | |
2800 | + | |
2801 | + if (ports[0] == 0) | |
2802 | + ports[0] = MMS_PORT; | |
2803 | + | |
2804 | + for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { | |
2805 | + memset(&mms[i], 0, sizeof(struct ip_conntrack_helper)); | |
2806 | + mms[i].tuple.src.u.tcp.port = htons(ports[i]); | |
2807 | + mms[i].tuple.dst.protonum = IPPROTO_TCP; | |
2808 | + mms[i].mask.src.u.tcp.port = 0xFFFF; | |
2809 | + mms[i].mask.dst.protonum = 0xFFFF; | |
2810 | + mms[i].max_expected = 1; | |
2811 | + mms[i].timeout = 0; | |
2812 | + mms[i].flags = IP_CT_HELPER_F_REUSE_EXPECT; | |
2813 | + mms[i].me = THIS_MODULE; | |
2814 | + mms[i].help = help; | |
2815 | + | |
2816 | + tmpname = &mms_names[i][0]; | |
2817 | + if (ports[i] == MMS_PORT) | |
2818 | + sprintf(tmpname, "mms"); | |
2819 | + else | |
2820 | + sprintf(tmpname, "mms-%d", ports[i]); | |
2821 | + mms[i].name = tmpname; | |
2822 | + | |
2823 | + DEBUGP("ip_conntrack_mms: registering helper for port %d\n", | |
2824 | + ports[i]); | |
2825 | + ret = ip_conntrack_helper_register(&mms[i]); | |
2826 | + | |
2827 | + if (ret) { | |
2828 | + fini(); | |
2829 | + return ret; | |
2830 | + } | |
2831 | + ports_c++; | |
2832 | + } | |
2833 | + return 0; | |
2834 | +} | |
2835 | + | |
2836 | +module_init(init); | |
2837 | +module_exit(fini); | |
2838 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_proto_sctp.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_proto_sctp.c | |
2839 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 1970-01-01 01:00:00.000000000 +0100 | |
2840 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2004-04-29 11:20:17.000000000 +0200 | |
2841 | @@ -0,0 +1,529 @@ | |
2842 | +/* | |
2843 | + * Connection tracking protocol helper module for SCTP. | |
2844 | + * | |
2845 | + * SCTP is defined in RFC 2960. References to various sections in this code | |
2846 | + * are to this RFC. | |
2847 | + * | |
2848 | + * This program is free software; you can redistribute it and/or modify | |
2849 | + * it under the terms of the GNU General Public License version 2 as | |
2850 | + * published by the Free Software Foundation. | |
2851 | + */ | |
2852 | + | |
2853 | +#include <linux/types.h> | |
2854 | +#include <linux/sched.h> | |
2855 | +#include <linux/timer.h> | |
2856 | +#include <linux/netfilter.h> | |
2857 | +#include <linux/module.h> | |
2858 | +#include <linux/in.h> | |
2859 | +#include <linux/ip.h> | |
2860 | +#include <linux/sctp.h> | |
2861 | +#include <linux/string.h> | |
2862 | + | |
2863 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
2864 | +#include <linux/netfilter_ipv4/ip_conntrack_protocol.h> | |
2865 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
2866 | + | |
2867 | +#if 0 | |
2868 | +#define DEBUGP(format, ...) printk(format, ## __VA_ARGS__) | |
2869 | +#else | |
2870 | +#define DEBUGP(format, args...) | |
2871 | +#endif | |
2872 | + | |
2873 | +/* Protects conntrack->proto.sctp */ | |
2874 | +static DECLARE_RWLOCK(sctp_lock); | |
2875 | + | |
2876 | +/* FIXME: Examine ipfilter's timeouts and conntrack transitions more | |
2877 | + closely. They're more complex. --RR | |
2878 | + | |
2879 | + And so for me for SCTP :D -Kiran */ | |
2880 | + | |
2881 | +static const char *sctp_conntrack_names[] = { | |
2882 | + "NONE", | |
2883 | + "CLOSED", | |
2884 | + "COOKIE_WAIT", | |
2885 | + "COOKIE_ECHOED", | |
2886 | + "ESTABLISHED", | |
2887 | + "SHUTDOWN_SENT", | |
2888 | + "SHUTDOWN_RECD", | |
2889 | + "SHUTDOWN_ACK_SENT", | |
2890 | +}; | |
2891 | + | |
2892 | +#define SECS * HZ | |
2893 | +#define MINS * 60 SECS | |
2894 | +#define HOURS * 60 MINS | |
2895 | +#define DAYS * 24 HOURS | |
2896 | + | |
2897 | +unsigned long ip_ct_sctp_timeout_closed = 10 SECS; | |
2898 | +unsigned long ip_ct_sctp_timeout_cookie_wait = 3 SECS; | |
2899 | +unsigned long ip_ct_sctp_timeout_cookie_echoed = 3 SECS; | |
2900 | +unsigned long ip_ct_sctp_timeout_established = 5 DAYS; | |
2901 | +unsigned long ip_ct_sctp_timeout_shutdown_sent = 300 SECS / 1000; | |
2902 | +unsigned long ip_ct_sctp_timeout_shutdown_recd = 300 SECS / 1000; | |
2903 | +unsigned long ip_ct_sctp_timeout_shutdown_ack_sent = 3 SECS; | |
2904 | + | |
2905 | +static unsigned long * sctp_timeouts[] | |
2906 | += { 0, /* SCTP_CONNTRACK_NONE */ | |
2907 | + &ip_ct_sctp_timeout_closed, /* SCTP_CONNTRACK_CLOSED */ | |
2908 | + &ip_ct_sctp_timeout_cookie_wait, /* SCTP_CONNTRACK_COOKIE_WAIT */ | |
2909 | + &ip_ct_sctp_timeout_cookie_echoed, /* SCTP_CONNTRACK_COOKIE_ECHOED */ | |
2910 | + &ip_ct_sctp_timeout_established, /* SCTP_CONNTRACK_ESTABLISHED */ | |
2911 | + &ip_ct_sctp_timeout_shutdown_sent, /* SCTP_CONNTRACK_SHUTDOWN_SENT */ | |
2912 | + &ip_ct_sctp_timeout_shutdown_recd, /* SCTP_CONNTRACK_SHUTDOWN_RECD */ | |
2913 | + &ip_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */ | |
2914 | + }; | |
2915 | + | |
2916 | +#define sNO SCTP_CONNTRACK_NONE | |
2917 | +#define sCL SCTP_CONNTRACK_CLOSED | |
2918 | +#define sCW SCTP_CONNTRACK_COOKIE_WAIT | |
2919 | +#define sCE SCTP_CONNTRACK_COOKIE_ECHOED | |
2920 | +#define sES SCTP_CONNTRACK_ESTABLISHED | |
2921 | +#define sSS SCTP_CONNTRACK_SHUTDOWN_SENT | |
2922 | +#define sSR SCTP_CONNTRACK_SHUTDOWN_RECD | |
2923 | +#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT | |
2924 | +#define sIV SCTP_CONNTRACK_MAX | |
2925 | + | |
2926 | +/* | |
2927 | + These are the descriptions of the states: | |
2928 | + | |
2929 | +NOTE: These state names are tantalizingly similar to the states of an | |
2930 | +SCTP endpoint. But the interpretation of the states is a little different, | |
2931 | +considering that these are the states of the connection and not of an end | |
2932 | +point. Please note the subtleties. -Kiran | |
2933 | + | |
2934 | +NONE - Nothing so far. | |
2935 | +COOKIE WAIT - We have seen an INIT chunk in the original direction, or also | |
2936 | + an INIT_ACK chunk in the reply direction. | |
2937 | +COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. | |
2938 | +ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. | |
2939 | +SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. | |
2940 | +SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. | |
2941 | +SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite | |
2942 | + to that of the SHUTDOWN chunk. | |
2943 | +CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of | |
2944 | + the SHUTDOWN chunk. Connection is closed. | |
2945 | +*/ | |
2946 | + | |
2947 | +/* TODO | |
2948 | + - I have assumed that the first INIT is in the original direction. | |
2949 | + This messes things when an INIT comes in the reply direction in CLOSED | |
2950 | + state. | |
2951 | + - Check the error type in the reply dir before transitioning from | |
2952 | +cookie echoed to closed. | |
2953 | + - Sec 5.2.4 of RFC 2960 | |
2954 | + - Multi Homing support. | |
2955 | +*/ | |
2956 | + | |
2957 | +/* SCTP conntrack state transitions */ | |
2958 | +static enum sctp_conntrack sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = { | |
2959 | + { | |
2960 | +/* ORIGINAL */ | |
2961 | +/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ | |
2962 | +/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA}, | |
2963 | +/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA}, | |
2964 | +/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, | |
2965 | +/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA}, | |
2966 | +/* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA}, | |
2967 | +/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/ | |
2968 | +/* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */ | |
2969 | +/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */ | |
2970 | +/* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL} | |
2971 | + }, | |
2972 | + { | |
2973 | +/* REPLY */ | |
2974 | +/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ | |
2975 | +/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */ | |
2976 | +/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA}, | |
2977 | +/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, | |
2978 | +/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA}, | |
2979 | +/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA}, | |
2980 | +/* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA}, | |
2981 | +/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */ | |
2982 | +/* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA}, | |
2983 | +/* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL} | |
2984 | + } | |
2985 | +}; | |
2986 | + | |
2987 | +static int sctp_pkt_to_tuple(const struct sk_buff *skb, | |
2988 | + unsigned int dataoff, | |
2989 | + struct ip_conntrack_tuple *tuple) | |
2990 | +{ | |
2991 | + sctp_sctphdr_t hdr; | |
2992 | + | |
2993 | + DEBUGP(__FUNCTION__); | |
2994 | + DEBUGP("\n"); | |
2995 | + | |
2996 | + /* Actually only need first 8 bytes. */ | |
2997 | + if (skb_copy_bits(skb, dataoff, &hdr, 8) != 0) | |
2998 | + return 0; | |
2999 | + | |
3000 | + tuple->src.u.sctp.port = hdr.source; | |
3001 | + tuple->dst.u.sctp.port = hdr.dest; | |
3002 | + | |
3003 | + return 1; | |
3004 | +} | |
3005 | + | |
3006 | +static int sctp_invert_tuple(struct ip_conntrack_tuple *tuple, | |
3007 | + const struct ip_conntrack_tuple *orig) | |
3008 | +{ | |
3009 | + DEBUGP(__FUNCTION__); | |
3010 | + DEBUGP("\n"); | |
3011 | + | |
3012 | + tuple->src.u.sctp.port = orig->dst.u.sctp.port; | |
3013 | + tuple->dst.u.sctp.port = orig->src.u.sctp.port; | |
3014 | + return 1; | |
3015 | +} | |
3016 | + | |
3017 | +/* Print out the per-protocol part of the tuple. */ | |
3018 | +static unsigned int sctp_print_tuple(char *buffer, | |
3019 | + const struct ip_conntrack_tuple *tuple) | |
3020 | +{ | |
3021 | + DEBUGP(__FUNCTION__); | |
3022 | + DEBUGP("\n"); | |
3023 | + | |
3024 | + return sprintf(buffer, "sport=%hu dport=%hu ", | |
3025 | + ntohs(tuple->src.u.sctp.port), | |
3026 | + ntohs(tuple->dst.u.sctp.port)); | |
3027 | +} | |
3028 | + | |
3029 | +/* Print out the private part of the conntrack. */ | |
3030 | +static unsigned int sctp_print_conntrack(char *buffer, | |
3031 | + const struct ip_conntrack *conntrack) | |
3032 | +{ | |
3033 | + enum sctp_conntrack state; | |
3034 | + | |
3035 | + DEBUGP(__FUNCTION__); | |
3036 | + DEBUGP("\n"); | |
3037 | + | |
3038 | + READ_LOCK(&sctp_lock); | |
3039 | + state = conntrack->proto.sctp.state; | |
3040 | + READ_UNLOCK(&sctp_lock); | |
3041 | + | |
3042 | + return sprintf(buffer, "%s ", sctp_conntrack_names[state]); | |
3043 | +} | |
3044 | + | |
3045 | +#define for_each_sctp_chunk(skb, sch, offset, count) \ | |
3046 | +for (offset = skb->nh.iph->ihl * 4 + sizeof (sctp_sctphdr_t), count = 0; \ | |
3047 | + offset < skb->len && !skb_copy_bits(skb, offset, &sch, sizeof(sch)); \ | |
3048 | + offset += (htons(sch.length) + 3) & ~3, count++) | |
3049 | + | |
3050 | +/* Some validity checks to make sure the chunks are fine */ | |
3051 | +static int do_basic_checks(struct ip_conntrack *conntrack, | |
3052 | + const struct sk_buff *skb, | |
3053 | + char *map) | |
3054 | +{ | |
3055 | + u_int32_t offset, count; | |
3056 | + sctp_chunkhdr_t sch; | |
3057 | + int flag; | |
3058 | + | |
3059 | + DEBUGP(__FUNCTION__); | |
3060 | + DEBUGP("\n"); | |
3061 | + | |
3062 | + flag = 0; | |
3063 | + | |
3064 | + for_each_sctp_chunk (skb, sch, offset, count) { | |
3065 | + DEBUGP("Chunk Num: %d Type: %d\n", count, sch.type); | |
3066 | + | |
3067 | + if (sch.type == SCTP_CID_INIT | |
3068 | + || sch.type == SCTP_CID_INIT_ACK | |
3069 | + || sch.type == SCTP_CID_SHUTDOWN_COMPLETE) { | |
3070 | + flag = 1; | |
3071 | + } | |
3072 | + | |
3073 | + /* Cookie Ack/Echo chunks not the first OR | |
3074 | + Init / Init Ack / Shutdown compl chunks not the only chunks */ | |
3075 | + if ((sch.type == SCTP_CID_COOKIE_ACK | |
3076 | + || sch.type == SCTP_CID_COOKIE_ECHO | |
3077 | + || flag) | |
3078 | + && count !=0 ) { | |
3079 | + DEBUGP("Basic checks failed\n"); | |
3080 | + return 1; | |
3081 | + } | |
3082 | + | |
3083 | + if (map) { | |
3084 | + set_bit (sch.type, (void *)map); | |
3085 | + } | |
3086 | + } | |
3087 | + | |
3088 | + DEBUGP("Basic checks passed\n"); | |
3089 | + return 0; | |
3090 | +} | |
3091 | + | |
3092 | +static int new_state(enum ip_conntrack_dir dir, | |
3093 | + enum sctp_conntrack cur_state, | |
3094 | + int chunk_type) | |
3095 | +{ | |
3096 | + int i; | |
3097 | + | |
3098 | + DEBUGP(__FUNCTION__); | |
3099 | + DEBUGP("\n"); | |
3100 | + | |
3101 | + DEBUGP("Chunk type: %d\n", chunk_type); | |
3102 | + | |
3103 | + switch (chunk_type) { | |
3104 | + case SCTP_CID_INIT: | |
3105 | + DEBUGP("SCTP_CID_INIT\n"); | |
3106 | + i = 0; break; | |
3107 | + case SCTP_CID_INIT_ACK: | |
3108 | + DEBUGP("SCTP_CID_INIT_ACK\n"); | |
3109 | + i = 1; break; | |
3110 | + case SCTP_CID_ABORT: | |
3111 | + DEBUGP("SCTP_CID_ABORT\n"); | |
3112 | + i = 2; break; | |
3113 | + case SCTP_CID_SHUTDOWN: | |
3114 | + DEBUGP("SCTP_CID_SHUTDOWN\n"); | |
3115 | + i = 3; break; | |
3116 | + case SCTP_CID_SHUTDOWN_ACK: | |
3117 | + DEBUGP("SCTP_CID_SHUTDOWN_ACK\n"); | |
3118 | + i = 4; break; | |
3119 | + case SCTP_CID_ERROR: | |
3120 | + DEBUGP("SCTP_CID_ERROR\n"); | |
3121 | + i = 5; break; | |
3122 | + case SCTP_CID_COOKIE_ECHO: | |
3123 | + DEBUGP("SCTP_CID_COOKIE_ECHO\n"); | |
3124 | + i = 6; break; | |
3125 | + case SCTP_CID_COOKIE_ACK: | |
3126 | + DEBUGP("SCTP_CID_COOKIE_ACK\n"); | |
3127 | + i = 7; break; | |
3128 | + case SCTP_CID_SHUTDOWN_COMPLETE: | |
3129 | + DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n"); | |
3130 | + i = 8; break; | |
3131 | + default: | |
3132 | + /* Other chunks like DATA, SACK, HEARTBEAT and | |
3133 | + its ACK do not cause a change in state */ | |
3134 | + DEBUGP("Unknown chunk type, Will stay in %s\n", | |
3135 | + sctp_conntrack_names[cur_state]); | |
3136 | + return cur_state; | |
3137 | + } | |
3138 | + | |
3139 | + DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", | |
3140 | + dir, sctp_conntrack_names[cur_state], chunk_type, | |
3141 | + sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); | |
3142 | + | |
3143 | + return sctp_conntracks[dir][i][cur_state]; | |
3144 | +} | |
3145 | + | |
3146 | +/* Returns verdict for packet, or -1 for invalid. */ | |
3147 | +static int sctp_packet(struct ip_conntrack *conntrack, | |
3148 | + const struct sk_buff *skb, | |
3149 | + enum ip_conntrack_info ctinfo) | |
3150 | +{ | |
3151 | + enum sctp_conntrack newconntrack, oldsctpstate; | |
3152 | + sctp_sctphdr_t sctph; | |
3153 | + sctp_chunkhdr_t sch; | |
3154 | + u_int32_t offset, count; | |
3155 | + char map[256 / sizeof (char)] = {0}; | |
3156 | + | |
3157 | + DEBUGP(__FUNCTION__); | |
3158 | + DEBUGP("\n"); | |
3159 | + | |
3160 | + if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &sctph, sizeof(sctph)) != 0) | |
3161 | + return -1; | |
3162 | + | |
3163 | + if (do_basic_checks(conntrack, skb, map) != 0) | |
3164 | + return -1; | |
3165 | + | |
3166 | + /* Check the verification tag (Sec 8.5) */ | |
3167 | + if (!test_bit(SCTP_CID_INIT, (void *)map) | |
3168 | + && !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, (void *)map) | |
3169 | + && !test_bit(SCTP_CID_COOKIE_ECHO, (void *)map) | |
3170 | + && !test_bit(SCTP_CID_ABORT, (void *)map) | |
3171 | + && !test_bit(SCTP_CID_SHUTDOWN_ACK, (void *)map) | |
3172 | + && (sctph.vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])) { | |
3173 | + DEBUGP("Verification tag check failed\n"); | |
3174 | + return -1; | |
3175 | + } | |
3176 | + | |
3177 | + oldsctpstate = newconntrack = SCTP_CONNTRACK_MAX; | |
3178 | + for_each_sctp_chunk (skb, sch, offset, count) { | |
3179 | + WRITE_LOCK(&sctp_lock); | |
3180 | + | |
3181 | + /* Special cases of Verification tag check (Sec 8.5.1) */ | |
3182 | + if (sch.type == SCTP_CID_INIT) { | |
3183 | + /* Sec 8.5.1 (A) */ | |
3184 | + if (sctph.vtag != 0) { | |
3185 | + WRITE_UNLOCK(&sctp_lock); | |
3186 | + return -1; | |
3187 | + } | |
3188 | + } else if (sch.type == SCTP_CID_ABORT) { | |
3189 | + /* Sec 8.5.1 (B) */ | |
3190 | + if (!(sctph.vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) | |
3191 | + && !(sctph.vtag == conntrack->proto.sctp.vtag | |
3192 | + [1 - CTINFO2DIR(ctinfo)])) { | |
3193 | + WRITE_UNLOCK(&sctp_lock); | |
3194 | + return -1; | |
3195 | + } | |
3196 | + } else if (sch.type == SCTP_CID_SHUTDOWN_COMPLETE) { | |
3197 | + /* Sec 8.5.1 (C) */ | |
3198 | + if (!(sctph.vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) | |
3199 | + && !(sctph.vtag == conntrack->proto.sctp.vtag | |
3200 | + [1 - CTINFO2DIR(ctinfo)] | |
3201 | + && (sch.flags & 1))) { | |
3202 | + WRITE_UNLOCK(&sctp_lock); | |
3203 | + return -1; | |
3204 | + } | |
3205 | + } else if (sch.type == SCTP_CID_COOKIE_ECHO) { | |
3206 | + /* Sec 8.5.1 (D) */ | |
3207 | + if (!(sctph.vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])) { | |
3208 | + WRITE_UNLOCK(&sctp_lock); | |
3209 | + return -1; | |
3210 | + } | |
3211 | + } | |
3212 | + | |
3213 | + oldsctpstate = conntrack->proto.sctp.state; | |
3214 | + newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch.type); | |
3215 | + | |
3216 | + /* Invalid */ | |
3217 | + if (newconntrack == SCTP_CONNTRACK_MAX) { | |
3218 | + DEBUGP("ip_conntrack_sctp: Invalid dir=%i ctype=%u conntrack=%u\n", | |
3219 | + CTINFO2DIR(ctinfo), sch.type, oldsctpstate); | |
3220 | + WRITE_UNLOCK(&sctp_lock); | |
3221 | + return -1; | |
3222 | + } | |
3223 | + | |
3224 | + /* If it is an INIT or an INIT ACK note down the vtag */ | |
3225 | + if (sch.type == SCTP_CID_INIT | |
3226 | + || sch.type == SCTP_CID_INIT_ACK) { | |
3227 | + sctp_inithdr_t inithdr; | |
3228 | + | |
3229 | + if (skb_copy_bits(skb, offset + sizeof (sctp_chunkhdr_t), | |
3230 | + &inithdr, sizeof(inithdr)) != 0) { | |
3231 | + WRITE_UNLOCK(&sctp_lock); | |
3232 | + return -1; | |
3233 | + } | |
3234 | + DEBUGP("Setting vtag %x for dir %d\n", | |
3235 | + inithdr.init_tag, CTINFO2DIR(ctinfo)); | |
3236 | + conntrack->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = inithdr.init_tag; | |
3237 | + } | |
3238 | + | |
3239 | + conntrack->proto.sctp.state = newconntrack; | |
3240 | + WRITE_UNLOCK(&sctp_lock); | |
3241 | + } | |
3242 | + | |
3243 | + ip_ct_refresh(conntrack, *sctp_timeouts[newconntrack]); | |
3244 | + | |
3245 | + if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED | |
3246 | + && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY | |
3247 | + && newconntrack == SCTP_CONNTRACK_ESTABLISHED) { | |
3248 | + DEBUGP("Setting assured bit\n"); | |
3249 | + set_bit(IPS_ASSURED_BIT, &conntrack->status); | |
3250 | + } | |
3251 | + | |
3252 | + return NF_ACCEPT; | |
3253 | +} | |
3254 | + | |
3255 | +/* Called when a new connection for this protocol found. */ | |
3256 | +static int sctp_new(struct ip_conntrack *conntrack, | |
3257 | + const struct sk_buff *skb) | |
3258 | +{ | |
3259 | + enum sctp_conntrack newconntrack; | |
3260 | + sctp_sctphdr_t sctph; | |
3261 | + sctp_chunkhdr_t sch; | |
3262 | + u_int32_t offset, count; | |
3263 | + char map[256 / sizeof (char)] = {0}; | |
3264 | + | |
3265 | + DEBUGP(__FUNCTION__); | |
3266 | + DEBUGP("\n"); | |
3267 | + | |
3268 | + if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &sctph, sizeof(sctph)) != 0) | |
3269 | + return -1; | |
3270 | + | |
3271 | + if (do_basic_checks(conntrack, skb, map) != 0) | |
3272 | + return -1; | |
3273 | + | |
3274 | + /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ | |
3275 | + if ((test_bit (SCTP_CID_ABORT, (void *)map)) | |
3276 | + || (test_bit (SCTP_CID_SHUTDOWN_COMPLETE, (void *)map)) | |
3277 | + || (test_bit (SCTP_CID_COOKIE_ACK, (void *)map))) { | |
3278 | + return -1; | |
3279 | + } | |
3280 | + | |
3281 | + newconntrack = SCTP_CONNTRACK_MAX; | |
3282 | + for_each_sctp_chunk (skb, sch, offset, count) { | |
3283 | + /* Don't need lock here: this conntrack not in circulation yet */ | |
3284 | + newconntrack = new_state (IP_CT_DIR_ORIGINAL, | |
3285 | + SCTP_CONNTRACK_NONE, sch.type); | |
3286 | + | |
3287 | + /* Invalid: delete conntrack */ | |
3288 | + if (newconntrack == SCTP_CONNTRACK_MAX) { | |
3289 | + DEBUGP("ip_conntrack_sctp: invalid new deleting.\n"); | |
3290 | + return 0; | |
3291 | + } | |
3292 | + | |
3293 | + /* Copy the vtag into the state info */ | |
3294 | + if (sch.type == SCTP_CID_INIT) { | |
3295 | + if (sctph.vtag == 0) { | |
3296 | + sctp_inithdr_t inithdr; | |
3297 | + | |
3298 | + if (skb_copy_bits(skb, offset + sizeof (sctp_chunkhdr_t), | |
3299 | + &inithdr, sizeof(inithdr)) != 0) { | |
3300 | + return -1; | |
3301 | + } | |
3302 | + | |
3303 | + DEBUGP("Setting vtag %x for new conn\n", | |
3304 | + inithdr.init_tag); | |
3305 | + | |
3306 | + conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = | |
3307 | + inithdr.init_tag; | |
3308 | + } else { | |
3309 | + /* Sec 8.5.1 (A) */ | |
3310 | + return -1; | |
3311 | + } | |
3312 | + } | |
3313 | + /* If it is a shutdown ack OOTB packet, we expect a return | |
3314 | + shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ | |
3315 | + else { | |
3316 | + DEBUGP("Setting vtag %x for new conn OOTB\n", | |
3317 | + sctph.vtag); | |
3318 | + conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sctph.vtag; | |
3319 | + } | |
3320 | + | |
3321 | + conntrack->proto.sctp.state = newconntrack; | |
3322 | + } | |
3323 | + | |
3324 | + return 1; | |
3325 | +} | |
3326 | + | |
3327 | +static int sctp_exp_matches_pkt(struct ip_conntrack_expect *exp, | |
3328 | + const struct sk_buff *skb) | |
3329 | +{ | |
3330 | + /* To be implemented */ | |
3331 | + return 0; | |
3332 | +} | |
3333 | + | |
3334 | +struct ip_conntrack_protocol ip_conntrack_protocol_sctp = { | |
3335 | + .list = { NULL, NULL }, | |
3336 | + .proto = IPPROTO_SCTP, | |
3337 | + .name = "sctp", | |
3338 | + .pkt_to_tuple = sctp_pkt_to_tuple, | |
3339 | + .invert_tuple = sctp_invert_tuple, | |
3340 | + .print_tuple = sctp_print_tuple, | |
3341 | + .print_conntrack = sctp_print_conntrack, | |
3342 | + .packet = sctp_packet, | |
3343 | + .new = sctp_new, | |
3344 | + .destroy = NULL, | |
3345 | + .exp_matches_pkt = sctp_exp_matches_pkt, | |
3346 | + .me = THIS_MODULE | |
3347 | +}; | |
3348 | + | |
3349 | +int __init init(void) | |
3350 | +{ | |
3351 | + int ret; | |
3352 | + | |
3353 | + ret = ip_conntrack_protocol_register(&ip_conntrack_protocol_sctp); | |
3354 | + DEBUGP("SCTP conntrack module loading %s\n", | |
3355 | + ret ? "failed": "succeeded"); | |
3356 | + return ret; | |
3357 | +} | |
3358 | + | |
3359 | +void __exit fini(void) | |
3360 | +{ | |
3361 | + ip_conntrack_protocol_unregister(&ip_conntrack_protocol_sctp); | |
3362 | + DEBUGP("SCTP conntrack module unloaded\n"); | |
3363 | +} | |
3364 | + | |
3365 | +module_init(init); | |
3366 | +module_exit(fini); | |
3367 | + | |
3368 | +MODULE_LICENSE("GPL"); | |
3369 | +MODULE_AUTHOR("Kiran Kumar Immidi"); | |
3370 | +MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP"); | |
3371 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_quake3.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_quake3.c | |
3372 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_quake3.c 1970-01-01 01:00:00.000000000 +0100 | |
3373 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_quake3.c 2004-04-29 11:19:53.000000000 +0200 | |
3374 | @@ -0,0 +1,156 @@ | |
3375 | +/* Quake3 extension for IP connection tracking | |
3376 | + * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be> | |
3377 | + * based on ip_conntrack_ftp.c and ip_conntrack_tftp.c | |
3378 | + * | |
3379 | + * ip_conntrack_quake3.c v0.04 2002-08-31 | |
3380 | + * | |
3381 | + * This program is free software; you can redistribute it and/or | |
3382 | + * modify it under the terms of the GNU General Public License | |
3383 | + * as published by the Free Software Foundation; either version | |
3384 | + * 2 of the License, or (at your option) any later version. | |
3385 | + * | |
3386 | + * Module load syntax: | |
3387 | + * insmod ip_conntrack_quake3.o ports=port1,port2,...port<MAX_PORTS> | |
3388 | + * | |
3389 | + * please give the ports of all Quake3 master servers You wish to | |
3390 | + * connect to. If you don't specify ports, the default will be UDP | |
3391 | + * port 27950. | |
3392 | + * | |
3393 | + * Thanks to the Ethereal folks for their analysis of the Quake3 protocol. | |
3394 | + */ | |
3395 | + | |
3396 | +#include <linux/module.h> | |
3397 | +#include <linux/ip.h> | |
3398 | +#include <linux/udp.h> | |
3399 | + | |
3400 | +#include <linux/netfilter.h> | |
3401 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
3402 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
3403 | +#include <linux/netfilter_ipv4/ip_conntrack_quake3.h> | |
3404 | + | |
3405 | +struct module *ip_conntrack_quake3 = THIS_MODULE; | |
3406 | + | |
3407 | +MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>"); | |
3408 | +MODULE_DESCRIPTION("Netfilter connection tracking module for Quake III Arena"); | |
3409 | +MODULE_LICENSE("GPL"); | |
3410 | + | |
3411 | +#define MAX_PORTS 8 | |
3412 | +static int ports[MAX_PORTS]; | |
3413 | +static int ports_c = 0; | |
3414 | +#ifdef MODULE_PARM | |
3415 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
3416 | +MODULE_PARM_DESC(ports, "port numbers of Quake III master servers"); | |
3417 | +#endif | |
3418 | + | |
3419 | +/* Quake3 master server reply will add > 100 expectations per reply packet; when | |
3420 | + doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */ | |
3421 | +#if 0 | |
3422 | +#define DEBUGP printk | |
3423 | +#else | |
3424 | +#define DEBUGP(format, args...) | |
3425 | +#endif | |
3426 | + | |
3427 | +struct quake3_search quake3s_conntrack = { "****", "getserversResponse", sizeof("getserversResponse") - 1 }; | |
3428 | + | |
3429 | +static int quake3_help(const struct iphdr *iph, size_t len, | |
3430 | + struct ip_conntrack *ct, | |
3431 | + enum ip_conntrack_info ctinfo) | |
3432 | +{ | |
3433 | + struct udphdr *udph = (void *)iph + iph->ihl * 4; | |
3434 | + int dir = CTINFO2DIR(ctinfo); | |
3435 | + struct ip_conntrack_expect exp; | |
3436 | + int i; | |
3437 | + | |
3438 | + /* Until there's been traffic both ways, don't look in packets. note: it's UDP ! */ | |
3439 | + if (ctinfo != IP_CT_ESTABLISHED | |
3440 | + && ctinfo != IP_CT_IS_REPLY) { | |
3441 | + DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n", ctinfo); | |
3442 | + return NF_ACCEPT; | |
3443 | + } else { DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n", ctinfo); } | |
3444 | + | |
3445 | + if (strnicmp((const char *)udph + 12, quake3s_conntrack.pattern, quake3s_conntrack.plen) == 0) { | |
3446 | + for(i=31; /* 8 bytes UDP hdr, 4 bytes filler, 18 bytes "getserversResponse", 1 byte "\" */ | |
3447 | + i+6 < ntohs(udph->len); | |
3448 | + i+=7) { | |
3449 | + DEBUGP("ip_conntrack_quake3: adding server at offset %u/%u %u.%u.%u.%u:%u\n", | |
3450 | + i, ntohs(udph->len), | |
3451 | + NIPQUAD( (u_int32_t) *( (u_int32_t *)( (int)udph + i ) ) ), | |
3452 | + ntohs((__u16) *( (__u16 *)( (int)udph + i + 4 ) ) ) ); | |
3453 | + | |
3454 | + memset(&exp, 0, sizeof(exp)); | |
3455 | + | |
3456 | + exp.tuple = ((struct ip_conntrack_tuple) | |
3457 | + { { ct->tuplehash[!dir].tuple.src.ip, { 0 } }, | |
3458 | + { (u_int32_t) *((u_int32_t *)((int)udph + i)), | |
3459 | + { .udp = { (__u16) *((__u16 *)((int)udph+i+4)) } }, | |
3460 | + IPPROTO_UDP } } | |
3461 | + ); | |
3462 | + exp.mask = ((struct ip_conntrack_tuple) | |
3463 | + { { 0xFFFFFFFF, { 0 } }, | |
3464 | + { 0xFFFFFFFF, { .udp = { 0xFFFF } }, 0xFFFF }}); | |
3465 | + exp.expectfn = NULL; | |
3466 | + | |
3467 | + ip_conntrack_expect_related(ct, &exp); | |
3468 | + } | |
3469 | + | |
3470 | + } | |
3471 | + | |
3472 | + return(NF_ACCEPT); | |
3473 | +} | |
3474 | + | |
3475 | +static struct ip_conntrack_helper quake3[MAX_PORTS]; | |
3476 | +static char quake3_names[MAX_PORTS][13]; /* quake3-65535 */ | |
3477 | + | |
3478 | +static void fini(void) | |
3479 | +{ | |
3480 | + int i; | |
3481 | + | |
3482 | + for(i = 0 ; (i < ports_c); i++) { | |
3483 | + DEBUGP("ip_conntrack_quake3: unregistering helper for port %d\n", | |
3484 | + ports[i]); | |
3485 | + ip_conntrack_helper_unregister(&quake3[i]); | |
3486 | + } | |
3487 | +} | |
3488 | + | |
3489 | +static int __init init(void) | |
3490 | +{ | |
3491 | + int i, ret; | |
3492 | + char *tmpname; | |
3493 | + | |
3494 | + if(!ports[0]) | |
3495 | + ports[0]=QUAKE3_MASTER_PORT; | |
3496 | + | |
3497 | + for(i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) { | |
3498 | + /* Create helper structure */ | |
3499 | + memset(&quake3[i], 0, sizeof(struct ip_conntrack_helper)); | |
3500 | + | |
3501 | + quake3[i].tuple.dst.protonum = IPPROTO_UDP; | |
3502 | + quake3[i].tuple.src.u.udp.port = htons(ports[i]); | |
3503 | + quake3[i].mask.dst.protonum = 0xFFFF; | |
3504 | + quake3[i].mask.src.u.udp.port = 0xFFFF; | |
3505 | + quake3[i].help = quake3_help; | |
3506 | + quake3[i].me = THIS_MODULE; | |
3507 | + | |
3508 | + tmpname = &quake3_names[i][0]; | |
3509 | + if (ports[i] == QUAKE3_MASTER_PORT) | |
3510 | + sprintf(tmpname, "quake3"); | |
3511 | + else | |
3512 | + sprintf(tmpname, "quake3-%d", i); | |
3513 | + quake3[i].name = tmpname; | |
3514 | + | |
3515 | + DEBUGP("ip_conntrack_quake3: registering helper for port %d\n", | |
3516 | + ports[i]); | |
3517 | + | |
3518 | + ret=ip_conntrack_helper_register(&quake3[i]); | |
3519 | + if(ret) { | |
3520 | + fini(); | |
3521 | + return(ret); | |
3522 | + } | |
3523 | + ports_c++; | |
3524 | + } | |
3525 | + | |
3526 | + return(0); | |
3527 | +} | |
3528 | + | |
3529 | +module_init(init); | |
3530 | +module_exit(fini); | |
3531 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c | |
3532 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 1970-01-01 01:00:00.000000000 +0100 | |
3533 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 2004-04-29 11:20:02.000000000 +0200 | |
3534 | @@ -0,0 +1,508 @@ | |
3535 | +/* RPC extension for IP (TCP) connection tracking, Version 2.2 | |
3536 | + * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> | |
3537 | + * - original rpc tracking module | |
3538 | + * - "recent" connection handling for kernel 2.3+ netfilter | |
3539 | + * | |
3540 | + * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au> | |
3541 | + * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ | |
3542 | + * | |
3543 | + * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
3544 | + * - upgraded conntrack modules to newnat api - kernel 2.4.20+ | |
3545 | + * - extended matching to support filtering on procedures | |
3546 | + * | |
3547 | + * ip_conntrack_rpc_tpc.c,v 2.2 2003/01/12 18:30:00 | |
3548 | + * | |
3549 | + * This program is free software; you can redistribute it and/or | |
3550 | + * modify it under the terms of the GNU General Public License | |
3551 | + * as published by the Free Software Foundation; either version | |
3552 | + * 2 of the License, or (at your option) any later version. | |
3553 | + ** | |
3554 | + * Module load syntax: | |
3555 | + * insmod ip_conntrack_rpc_tcp.o ports=port1,port2,...port<MAX_PORTS> | |
3556 | + * | |
3557 | + * Please give the ports of all RPC servers you wish to connect to. | |
3558 | + * If you don't specify ports, the default will be port 111. | |
3559 | + ** | |
3560 | + * Note to all: | |
3561 | + * | |
3562 | + * RPCs should not be exposed to the internet - ask the Pentagon; | |
3563 | + * | |
3564 | + * "The unidentified crackers pleaded guilty in July to charges | |
3565 | + * of juvenile delinquency stemming from a string of Pentagon | |
3566 | + * network intrusions in February. | |
3567 | + * | |
3568 | + * The youths, going by the names TooShort and Makaveli, used | |
3569 | + * a common server security hole to break in, according to | |
3570 | + * Dane Jasper, owner of the California Internet service | |
3571 | + * provider, Sonic. They used the hole, known as the 'statd' | |
3572 | + * exploit, to attempt more than 800 break-ins, Jasper said." | |
3573 | + * | |
3574 | + * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998 | |
3575 | + * URL: http://www.wired.com/news/politics/0,1283,16098,00.html | |
3576 | + ** | |
3577 | + */ | |
3578 | + | |
3579 | +#include <linux/module.h> | |
3580 | +#include <linux/netfilter.h> | |
3581 | +#include <linux/ip.h> | |
3582 | +#include <net/checksum.h> | |
3583 | +#include <net/tcp.h> | |
3584 | + | |
3585 | +#include <asm/param.h> | |
3586 | +#include <linux/sched.h> | |
3587 | +#include <linux/timer.h> | |
3588 | +#include <linux/stddef.h> | |
3589 | +#include <linux/list.h> | |
3590 | + | |
3591 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
3592 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
3593 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
3594 | +#include <linux/netfilter_ipv4/ip_conntrack_rpc.h> | |
3595 | + | |
3596 | +#define MAX_PORTS 8 | |
3597 | +static int ports[MAX_PORTS]; | |
3598 | +static int ports_n_c = 0; | |
3599 | + | |
3600 | +#ifdef MODULE_PARM | |
3601 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
3602 | +MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers"); | |
3603 | +#endif | |
3604 | + | |
3605 | +MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>"); | |
3606 | +MODULE_DESCRIPTION("RPC TCP connection tracking module"); | |
3607 | +MODULE_LICENSE("GPL"); | |
3608 | + | |
3609 | +#if 0 | |
3610 | +#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_tcp: " \ | |
3611 | + format, ## args) | |
3612 | +#else | |
3613 | +#define DEBUGP(format, args...) | |
3614 | +#endif | |
3615 | + | |
3616 | +DECLARE_RWLOCK(ipct_rpc_tcp_lock); | |
3617 | +#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ipct_rpc_tcp_lock) | |
3618 | +#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ipct_rpc_tcp_lock) | |
3619 | +#include <linux/netfilter_ipv4/listhelp.h> | |
3620 | + | |
3621 | +/* For future conections RPC, using client's cache bindings | |
3622 | + * I'll use ip_conntrack_lock to lock these lists */ | |
3623 | + | |
3624 | +LIST_HEAD(request_p_list_tcp); | |
3625 | + | |
3626 | + | |
3627 | +static void delete_request_p(unsigned long request_p_ul) | |
3628 | +{ | |
3629 | + struct request_p *p = (void *)request_p_ul; | |
3630 | + | |
3631 | + WRITE_LOCK(&ipct_rpc_tcp_lock); | |
3632 | + LIST_DELETE(&request_p_list_tcp, p); | |
3633 | + WRITE_UNLOCK(&ipct_rpc_tcp_lock); | |
3634 | + kfree(p); | |
3635 | + return; | |
3636 | +} | |
3637 | + | |
3638 | + | |
3639 | +static void req_cl(struct request_p * r) | |
3640 | +{ | |
3641 | + WRITE_LOCK(&ipct_rpc_tcp_lock); | |
3642 | + del_timer(&r->timeout); | |
3643 | + LIST_DELETE(&request_p_list_tcp, r); | |
3644 | + WRITE_UNLOCK(&ipct_rpc_tcp_lock); | |
3645 | + kfree(r); | |
3646 | + return; | |
3647 | +} | |
3648 | + | |
3649 | + | |
3650 | +static void clean_request(struct list_head *list) | |
3651 | +{ | |
3652 | + struct list_head *first = list->prev; | |
3653 | + struct list_head *temp = list->next; | |
3654 | + struct list_head *aux; | |
3655 | + | |
3656 | + if (list_empty(list)) | |
3657 | + return; | |
3658 | + | |
3659 | + while (first != temp) { | |
3660 | + aux = temp->next; | |
3661 | + req_cl((struct request_p *)temp); | |
3662 | + temp = aux; | |
3663 | + } | |
3664 | + req_cl((struct request_p *)temp); | |
3665 | + return; | |
3666 | +} | |
3667 | + | |
3668 | + | |
3669 | +static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip, | |
3670 | + u_int16_t port) | |
3671 | +{ | |
3672 | + struct request_p *req_p; | |
3673 | + | |
3674 | + /* Verifies if entry already exists */ | |
3675 | + WRITE_LOCK(&ipct_rpc_tcp_lock); | |
3676 | + req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp, | |
3677 | + struct request_p *, xid, ip, port); | |
3678 | + | |
3679 | + if (req_p) { | |
3680 | + /* Refresh timeout */ | |
3681 | + if (del_timer(&req_p->timeout)) { | |
3682 | + req_p->timeout.expires = jiffies + EXP; | |
3683 | + add_timer(&req_p->timeout); | |
3684 | + } | |
3685 | + WRITE_UNLOCK(&ipct_rpc_tcp_lock); | |
3686 | + return; | |
3687 | + | |
3688 | + } | |
3689 | + WRITE_UNLOCK(&ipct_rpc_tcp_lock); | |
3690 | + | |
3691 | + /* Allocate new request_p */ | |
3692 | + req_p = (struct request_p *) kmalloc(sizeof(struct request_p), GFP_ATOMIC); | |
3693 | + if (!req_p) { | |
3694 | + DEBUGP("can't allocate request_p\n"); | |
3695 | + return; | |
3696 | + } | |
3697 | + *req_p = ((struct request_p) {{ NULL, NULL }, xid, ip, port, proto, | |
3698 | + { { NULL, NULL }, jiffies + EXP, (unsigned long)req_p, | |
3699 | + NULL }}); | |
3700 | + | |
3701 | + /* Initialize timer */ | |
3702 | + init_timer(&req_p->timeout); | |
3703 | + req_p->timeout.function = delete_request_p; | |
3704 | + add_timer(&req_p->timeout); | |
3705 | + | |
3706 | + /* Put in list */ | |
3707 | + WRITE_LOCK(&ipct_rpc_tcp_lock); | |
3708 | + list_prepend(&request_p_list_tcp, req_p); | |
3709 | + WRITE_UNLOCK(&ipct_rpc_tcp_lock); | |
3710 | + return; | |
3711 | + | |
3712 | +} | |
3713 | + | |
3714 | + | |
3715 | +static int check_rpc_packet(const u_int32_t *data, | |
3716 | + int dir, struct ip_conntrack *ct, | |
3717 | + struct list_head request_p_list) | |
3718 | +{ | |
3719 | + struct request_p *req_p; | |
3720 | + u_int32_t xid; | |
3721 | + struct ip_conntrack_expect expect, *exp = &expect; | |
3722 | + | |
3723 | + /* Translstion's buffer for XDR */ | |
3724 | + u_int16_t port_buf; | |
3725 | + | |
3726 | + | |
3727 | + /* Get XID */ | |
3728 | + xid = *data; | |
3729 | + | |
3730 | + /* This does sanity checking on RPC payloads, | |
3731 | + * and permits only the RPC "get port" (3) | |
3732 | + * in authorised procedures in client | |
3733 | + * communications with the portmapper. | |
3734 | + */ | |
3735 | + | |
3736 | + /* perform direction dependant RPC work */ | |
3737 | + if (dir == IP_CT_DIR_ORIGINAL) { | |
3738 | + | |
3739 | + data += 5; | |
3740 | + | |
3741 | + /* Get RPC requestor */ | |
3742 | + if (IXDR_GET_INT32(data) != 3) { | |
3743 | + DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n"); | |
3744 | + return NF_ACCEPT; | |
3745 | + } | |
3746 | + DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n"); | |
3747 | + | |
3748 | + data++; | |
3749 | + | |
3750 | + /* Jump Credentials and Verfifier */ | |
3751 | + data += IXDR_GET_INT32(data) + 2; | |
3752 | + data += IXDR_GET_INT32(data) + 2; | |
3753 | + | |
3754 | + /* Get RPC procedure */ | |
3755 | + DEBUGP("RPC packet contains procedure request [%u]. [cont]\n", | |
3756 | + (unsigned int)IXDR_GET_INT32(data)); | |
3757 | + | |
3758 | + /* Get RPC protocol and store against client parameters */ | |
3759 | + data = data + 2; | |
3760 | + alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip, | |
3761 | + ct->tuplehash[dir].tuple.src.u.all); | |
3762 | + | |
3763 | + DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n", | |
3764 | + xid, IXDR_GET_INT32(data), | |
3765 | + NIPQUAD(ct->tuplehash[dir].tuple.src.ip), | |
3766 | + ntohs(ct->tuplehash[dir].tuple.src.u.all)); | |
3767 | + | |
3768 | + DEBUGP("allocated RPC request for protocol %u. [done]\n", | |
3769 | + (unsigned int)IXDR_GET_INT32(data)); | |
3770 | + | |
3771 | + } else { | |
3772 | + | |
3773 | + /* Check for returning packet's stored counterpart */ | |
3774 | + req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp, | |
3775 | + struct request_p *, xid, | |
3776 | + ct->tuplehash[!dir].tuple.src.ip, | |
3777 | + ct->tuplehash[!dir].tuple.src.u.all); | |
3778 | + | |
3779 | + /* Drop unexpected packets */ | |
3780 | + if (!req_p) { | |
3781 | + DEBUGP("packet is not expected. [skip]\n"); | |
3782 | + return NF_ACCEPT; | |
3783 | + } | |
3784 | + | |
3785 | + /* Verifies if packet is really an RPC reply packet */ | |
3786 | + data = data++; | |
3787 | + if (IXDR_GET_INT32(data) != 1) { | |
3788 | + DEBUGP("packet is not a valid RPC reply. [skip]\n"); | |
3789 | + return NF_ACCEPT; | |
3790 | + } | |
3791 | + | |
3792 | + /* Is status accept? */ | |
3793 | + data++; | |
3794 | + if (IXDR_GET_INT32(data)) { | |
3795 | + DEBUGP("packet is not an RPC accept. [skip]\n"); | |
3796 | + return NF_ACCEPT; | |
3797 | + } | |
3798 | + | |
3799 | + /* Get Verifier length. Jump verifier */ | |
3800 | + data++; | |
3801 | + data = data + IXDR_GET_INT32(data) + 2; | |
3802 | + | |
3803 | + /* Is accpet status "success"? */ | |
3804 | + if (IXDR_GET_INT32(data)) { | |
3805 | + DEBUGP("packet is not an RPC accept status of success. [skip]\n"); | |
3806 | + return NF_ACCEPT; | |
3807 | + } | |
3808 | + | |
3809 | + /* Get server port number */ | |
3810 | + data++; | |
3811 | + port_buf = (u_int16_t) IXDR_GET_INT32(data); | |
3812 | + | |
3813 | + /* If a packet has made it this far then it deserves an | |
3814 | + * expectation ... if port == 0, then this service is | |
3815 | + * not going to be registered. | |
3816 | + */ | |
3817 | + if (port_buf) { | |
3818 | + DEBUGP("port found: %u\n", port_buf); | |
3819 | + | |
3820 | + memset(&expect, 0, sizeof(expect)); | |
3821 | + | |
3822 | + /* Watch out, Radioactive-Man! */ | |
3823 | + exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip; | |
3824 | + exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip; | |
3825 | + exp->mask.src.ip = 0xffffffff; | |
3826 | + exp->mask.dst.ip = 0xffffffff; | |
3827 | + | |
3828 | + switch (req_p->proto) { | |
3829 | + case IPPROTO_UDP: | |
3830 | + exp->tuple.src.u.udp.port = 0; | |
3831 | + exp->tuple.dst.u.udp.port = htons(port_buf); | |
3832 | + exp->tuple.dst.protonum = IPPROTO_UDP; | |
3833 | + exp->mask.src.u.udp.port = 0; | |
3834 | + exp->mask.dst.u.udp.port = htons(0xffff); | |
3835 | + exp->mask.dst.protonum = 0xffff; | |
3836 | + break; | |
3837 | + | |
3838 | + case IPPROTO_TCP: | |
3839 | + exp->tuple.src.u.tcp.port = 0; | |
3840 | + exp->tuple.dst.u.tcp.port = htons(port_buf); | |
3841 | + exp->tuple.dst.protonum = IPPROTO_TCP; | |
3842 | + exp->mask.src.u.tcp.port = 0; | |
3843 | + exp->mask.dst.u.tcp.port = htons(0xffff); | |
3844 | + exp->mask.dst.protonum = 0xffff; | |
3845 | + break; | |
3846 | + } | |
3847 | + exp->expectfn = NULL; | |
3848 | + | |
3849 | + ip_conntrack_expect_related(ct, &expect); | |
3850 | + | |
3851 | + DEBUGP("expect related ip %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n", | |
3852 | + NIPQUAD(exp->tuple.src.ip), | |
3853 | + NIPQUAD(exp->tuple.dst.ip), | |
3854 | + port_buf, req_p->proto); | |
3855 | + | |
3856 | + DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n", | |
3857 | + NIPQUAD(exp->mask.src.ip), | |
3858 | + NIPQUAD(exp->mask.dst.ip), | |
3859 | + exp->mask.dst.protonum); | |
3860 | + | |
3861 | + } | |
3862 | + | |
3863 | + req_cl(req_p); | |
3864 | + | |
3865 | + DEBUGP("packet evaluated. [expect]\n"); | |
3866 | + return NF_ACCEPT; | |
3867 | + } | |
3868 | + | |
3869 | + return NF_ACCEPT; | |
3870 | + | |
3871 | +} | |
3872 | + | |
3873 | + | |
3874 | +/* RPC TCP helper */ | |
3875 | +static int help(const struct iphdr *iph, size_t len, | |
3876 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
3877 | +{ | |
3878 | + struct tcphdr *tcph = (void *) iph + iph->ihl * 4; | |
3879 | + const u_int32_t *data = (const u_int32_t *)tcph + tcph->doff; | |
3880 | + size_t tcplen = len - iph->ihl * 4; | |
3881 | + | |
3882 | + int dir = CTINFO2DIR(ctinfo); | |
3883 | + int crp_ret; | |
3884 | + | |
3885 | + | |
3886 | + DEBUGP("new packet to evaluate ..\n"); | |
3887 | + | |
3888 | + /* This works for packets like handshake packets, ignore */ | |
3889 | + if (len == ((tcph->doff + iph->ihl) * 4)) { | |
3890 | + DEBUGP("packet has no data (may still be handshaking). [skip]\n"); | |
3891 | + return NF_ACCEPT; | |
3892 | + } | |
3893 | + | |
3894 | + /* Until there's been traffic both ways, don't look in packets. */ | |
3895 | + if (ctinfo != IP_CT_ESTABLISHED | |
3896 | + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
3897 | + DEBUGP("connection tracking state is; ctinfo=%u ..\n", ctinfo); | |
3898 | + DEBUGP("[note: failure to get past this error may indicate asymmetric routing]\n"); | |
3899 | + DEBUGP("packet is not yet part of a two way stream. [skip]\n"); | |
3900 | + return NF_ACCEPT; | |
3901 | + } | |
3902 | + | |
3903 | + /* Not whole TCP header? */ | |
3904 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) { | |
3905 | + DEBUGP("TCP header length is; tcplen=%u ..\n", (unsigned) tcplen); | |
3906 | + DEBUGP("packet does not contain a complete TCP header. [skip]\n"); | |
3907 | + return NF_ACCEPT; | |
3908 | + } | |
3909 | + | |
3910 | + /* FIXME: Source route IP option packets --RR */ | |
3911 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
3912 | + csum_partial((char *) tcph, tcplen, 0))) { | |
3913 | + DEBUGP("csum; %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
3914 | + tcph, tcplen, NIPQUAD(iph->saddr), | |
3915 | + NIPQUAD(iph->daddr)); | |
3916 | + DEBUGP("[note: failure to get past this error may indicate source routing]\n"); | |
3917 | + DEBUGP("packet contains a bad checksum. [skip]\n"); | |
3918 | + return NF_ACCEPT; | |
3919 | + } | |
3920 | + | |
3921 | + /* perform direction dependant protocol work */ | |
3922 | + if (dir == IP_CT_DIR_ORIGINAL) { | |
3923 | + | |
3924 | + DEBUGP("packet is from the initiator. [cont]\n"); | |
3925 | + | |
3926 | + /* Tests if packet len is ok */ | |
3927 | + if ((tcplen - (tcph->doff * 4)) != 60) { | |
3928 | + DEBUGP("packet length is not correct. [skip]\n"); | |
3929 | + return NF_ACCEPT; | |
3930 | + } | |
3931 | + | |
3932 | + } else { | |
3933 | + | |
3934 | + DEBUGP("packet is from the receiver. [cont]\n"); | |
3935 | + | |
3936 | + /* Tests if packet len is ok */ | |
3937 | + if ((tcplen - (tcph->doff * 4)) != 32) { | |
3938 | + DEBUGP("packet length is not correct. [skip]\n"); | |
3939 | + return NF_ACCEPT; | |
3940 | + } | |
3941 | + } | |
3942 | + | |
3943 | + /* Get to the data */ | |
3944 | + data++; | |
3945 | + | |
3946 | + /* Check the RPC data */ | |
3947 | + crp_ret = check_rpc_packet(data, dir, ct, request_p_list_tcp); | |
3948 | + | |
3949 | + return crp_ret; | |
3950 | + | |
3951 | +} | |
3952 | + | |
3953 | + | |
3954 | +static struct ip_conntrack_helper rpc_helpers[MAX_PORTS]; | |
3955 | + | |
3956 | +static void fini(void); | |
3957 | + | |
3958 | + | |
3959 | +static int __init init(void) | |
3960 | +{ | |
3961 | + int port, ret; | |
3962 | + static char name[10]; | |
3963 | + | |
3964 | + | |
3965 | + /* If no port given, default to standard RPC port */ | |
3966 | + if (ports[0] == 0) | |
3967 | + ports[0] = RPC_PORT; | |
3968 | + | |
3969 | + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) { | |
3970 | + memset(&rpc_helpers[port], 0, sizeof(struct ip_conntrack_helper)); | |
3971 | + | |
3972 | + if (ports[port] == RPC_PORT) | |
3973 | + sprintf(name, "rpc"); | |
3974 | + else | |
3975 | + sprintf(name, "rpc-%d", port); | |
3976 | + | |
3977 | + rpc_helpers[port].name = name; | |
3978 | + rpc_helpers[port].me = THIS_MODULE; | |
3979 | + rpc_helpers[port].max_expected = 1; | |
3980 | + rpc_helpers[port].flags = IP_CT_HELPER_F_REUSE_EXPECT; | |
3981 | + rpc_helpers[port].timeout = 0; | |
3982 | + | |
3983 | + rpc_helpers[port].tuple.dst.protonum = IPPROTO_TCP; | |
3984 | + rpc_helpers[port].mask.dst.protonum = 0xffff; | |
3985 | + | |
3986 | + /* RPC can come from ports 0:65535 to ports[port] (111) */ | |
3987 | + rpc_helpers[port].tuple.src.u.udp.port = htons(ports[port]); | |
3988 | + rpc_helpers[port].mask.src.u.udp.port = htons(0xffff); | |
3989 | + rpc_helpers[port].mask.dst.u.udp.port = htons(0x0); | |
3990 | + | |
3991 | + rpc_helpers[port].help = help; | |
3992 | + | |
3993 | + DEBUGP("registering helper for port #%d: %d/TCP\n", port, ports[port]); | |
3994 | + DEBUGP("helper match ip %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
3995 | + NIPQUAD(rpc_helpers[port].tuple.dst.ip), | |
3996 | + ntohs(rpc_helpers[port].tuple.dst.u.tcp.port), | |
3997 | + NIPQUAD(rpc_helpers[port].tuple.src.ip), | |
3998 | + ntohs(rpc_helpers[port].tuple.src.u.tcp.port)); | |
3999 | + DEBUGP("helper match mask %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
4000 | + NIPQUAD(rpc_helpers[port].mask.dst.ip), | |
4001 | + ntohs(rpc_helpers[port].mask.dst.u.tcp.port), | |
4002 | + NIPQUAD(rpc_helpers[port].mask.src.ip), | |
4003 | + ntohs(rpc_helpers[port].mask.src.u.tcp.port)); | |
4004 | + | |
4005 | + ret = ip_conntrack_helper_register(&rpc_helpers[port]); | |
4006 | + | |
4007 | + if (ret) { | |
4008 | + printk("ERROR registering port %d\n", | |
4009 | + ports[port]); | |
4010 | + fini(); | |
4011 | + return -EBUSY; | |
4012 | + } | |
4013 | + ports_n_c++; | |
4014 | + } | |
4015 | + return 0; | |
4016 | +} | |
4017 | + | |
4018 | + | |
4019 | +/* This function is intentionally _NOT_ defined as __exit, because | |
4020 | + * it is needed by the init function */ | |
4021 | +static void fini(void) | |
4022 | +{ | |
4023 | + int port; | |
4024 | + | |
4025 | + DEBUGP("cleaning request list\n"); | |
4026 | + clean_request(&request_p_list_tcp); | |
4027 | + | |
4028 | + for (port = 0; (port < ports_n_c) && ports[port]; port++) { | |
4029 | + DEBUGP("unregistering port %d\n", ports[port]); | |
4030 | + ip_conntrack_helper_unregister(&rpc_helpers[port]); | |
4031 | + } | |
4032 | +} | |
4033 | + | |
4034 | + | |
4035 | +module_init(init); | |
4036 | +module_exit(fini); | |
4037 | + | |
4038 | +struct module *ip_conntrack_rpc_tcp = THIS_MODULE; | |
4039 | +EXPORT_SYMBOL(request_p_list_tcp); | |
4040 | +EXPORT_SYMBOL(ip_conntrack_rpc_tcp); | |
4041 | +EXPORT_SYMBOL(ipct_rpc_tcp_lock); | |
4042 | + | |
4043 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rpc_udp.c | |
4044 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c 1970-01-01 01:00:00.000000000 +0100 | |
4045 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rpc_udp.c 2004-04-29 11:20:02.000000000 +0200 | |
4046 | @@ -0,0 +1,503 @@ | |
4047 | +/* RPC extension for IP (UDP) connection tracking, Version 2.2 | |
4048 | + * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> | |
4049 | + * - original rpc tracking module | |
4050 | + * - "recent" connection handling for kernel 2.3+ netfilter | |
4051 | + * | |
4052 | + * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au> | |
4053 | + * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ | |
4054 | + * | |
4055 | + * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
4056 | + * - upgraded conntrack modules to newnat api - kernel 2.4.20+ | |
4057 | + * - extended matching to support filtering on procedures | |
4058 | + * | |
4059 | + * ip_conntrack_rpc_udp.c,v 2.2 2003/01/12 18:30:00 | |
4060 | + * | |
4061 | + * This program is free software; you can redistribute it and/or | |
4062 | + * modify it under the terms of the GNU General Public License | |
4063 | + * as published by the Free Software Foundation; either version | |
4064 | + * 2 of the License, or (at your option) any later version. | |
4065 | + ** | |
4066 | + * Module load syntax: | |
4067 | + * insmod ip_conntrack_rpc_udp.o ports=port1,port2,...port<MAX_PORTS> | |
4068 | + * | |
4069 | + * Please give the ports of all RPC servers you wish to connect to. | |
4070 | + * If you don't specify ports, the default will be port 111. | |
4071 | + ** | |
4072 | + * Note to all: | |
4073 | + * | |
4074 | + * RPCs should not be exposed to the internet - ask the Pentagon; | |
4075 | + * | |
4076 | + * "The unidentified crackers pleaded guilty in July to charges | |
4077 | + * of juvenile delinquency stemming from a string of Pentagon | |
4078 | + * network intrusions in February. | |
4079 | + * | |
4080 | + * The youths, going by the names TooShort and Makaveli, used | |
4081 | + * a common server security hole to break in, according to | |
4082 | + * Dane Jasper, owner of the California Internet service | |
4083 | + * provider, Sonic. They used the hole, known as the 'statd' | |
4084 | + * exploit, to attempt more than 800 break-ins, Jasper said." | |
4085 | + * | |
4086 | + * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998 | |
4087 | + * URL: http://www.wired.com/news/politics/0,1283,16098,00.html | |
4088 | + ** | |
4089 | + */ | |
4090 | + | |
4091 | +#include <linux/module.h> | |
4092 | +#include <linux/netfilter.h> | |
4093 | +#include <linux/ip.h> | |
4094 | +#include <net/checksum.h> | |
4095 | +#include <net/udp.h> | |
4096 | + | |
4097 | +#include <asm/param.h> | |
4098 | +#include <linux/sched.h> | |
4099 | +#include <linux/timer.h> | |
4100 | +#include <linux/stddef.h> | |
4101 | +#include <linux/list.h> | |
4102 | + | |
4103 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
4104 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
4105 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
4106 | +#include <linux/netfilter_ipv4/ip_conntrack_rpc.h> | |
4107 | + | |
4108 | +#define MAX_PORTS 8 | |
4109 | +static int ports[MAX_PORTS]; | |
4110 | +static int ports_n_c = 0; | |
4111 | + | |
4112 | +#ifdef MODULE_PARM | |
4113 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
4114 | +MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers"); | |
4115 | +#endif | |
4116 | + | |
4117 | +MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>"); | |
4118 | +MODULE_DESCRIPTION("RPC UDP connection tracking module"); | |
4119 | +MODULE_LICENSE("GPL"); | |
4120 | + | |
4121 | +#if 0 | |
4122 | +#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_udp: " \ | |
4123 | + format, ## args) | |
4124 | +#else | |
4125 | +#define DEBUGP(format, args...) | |
4126 | +#endif | |
4127 | + | |
4128 | +DECLARE_RWLOCK(ipct_rpc_udp_lock); | |
4129 | +#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ipct_rpc_udp_lock) | |
4130 | +#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ipct_rpc_udp_lock) | |
4131 | +#include <linux/netfilter_ipv4/listhelp.h> | |
4132 | + | |
4133 | +/* For future conections RPC, using client's cache bindings | |
4134 | + * I'll use ip_conntrack_lock to lock these lists */ | |
4135 | + | |
4136 | +LIST_HEAD(request_p_list_udp); | |
4137 | + | |
4138 | + | |
4139 | +static void delete_request_p(unsigned long request_p_ul) | |
4140 | +{ | |
4141 | + struct request_p *p = (void *)request_p_ul; | |
4142 | + | |
4143 | + WRITE_LOCK(&ipct_rpc_udp_lock); | |
4144 | + LIST_DELETE(&request_p_list_udp, p); | |
4145 | + WRITE_UNLOCK(&ipct_rpc_udp_lock); | |
4146 | + kfree(p); | |
4147 | + return; | |
4148 | +} | |
4149 | + | |
4150 | + | |
4151 | +static void req_cl(struct request_p * r) | |
4152 | +{ | |
4153 | + WRITE_LOCK(&ipct_rpc_udp_lock); | |
4154 | + del_timer(&r->timeout); | |
4155 | + LIST_DELETE(&request_p_list_udp, r); | |
4156 | + WRITE_UNLOCK(&ipct_rpc_udp_lock); | |
4157 | + kfree(r); | |
4158 | + return; | |
4159 | +} | |
4160 | + | |
4161 | + | |
4162 | +static void clean_request(struct list_head *list) | |
4163 | +{ | |
4164 | + struct list_head *first = list->prev; | |
4165 | + struct list_head *temp = list->next; | |
4166 | + struct list_head *aux; | |
4167 | + | |
4168 | + if (list_empty(list)) | |
4169 | + return; | |
4170 | + | |
4171 | + while (first != temp) { | |
4172 | + aux = temp->next; | |
4173 | + req_cl((struct request_p *)temp); | |
4174 | + temp = aux; | |
4175 | + } | |
4176 | + req_cl((struct request_p *)temp); | |
4177 | + return; | |
4178 | +} | |
4179 | + | |
4180 | + | |
4181 | +static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip, | |
4182 | + u_int16_t port) | |
4183 | +{ | |
4184 | + struct request_p *req_p; | |
4185 | + | |
4186 | + /* Verifies if entry already exists */ | |
4187 | + WRITE_LOCK(&ipct_rpc_udp_lock); | |
4188 | + req_p = LIST_FIND(&request_p_list_udp, request_p_cmp, | |
4189 | + struct request_p *, xid, ip, port); | |
4190 | + | |
4191 | + if (req_p) { | |
4192 | + /* Refresh timeout */ | |
4193 | + if (del_timer(&req_p->timeout)) { | |
4194 | + req_p->timeout.expires = jiffies + EXP; | |
4195 | + add_timer(&req_p->timeout); | |
4196 | + } | |
4197 | + WRITE_UNLOCK(&ipct_rpc_udp_lock); | |
4198 | + return; | |
4199 | + | |
4200 | + } | |
4201 | + WRITE_UNLOCK(&ipct_rpc_udp_lock); | |
4202 | + | |
4203 | + /* Allocate new request_p */ | |
4204 | + req_p = (struct request_p *) kmalloc(sizeof(struct request_p), GFP_ATOMIC); | |
4205 | + if (!req_p) { | |
4206 | + DEBUGP("can't allocate request_p\n"); | |
4207 | + return; | |
4208 | + } | |
4209 | + *req_p = ((struct request_p) {{ NULL, NULL }, xid, ip, port, proto, | |
4210 | + { { NULL, NULL }, jiffies + EXP, (unsigned long)req_p, | |
4211 | + NULL }}); | |
4212 | + | |
4213 | + /* Initialize timer */ | |
4214 | + init_timer(&req_p->timeout); | |
4215 | + req_p->timeout.function = delete_request_p; | |
4216 | + add_timer(&req_p->timeout); | |
4217 | + | |
4218 | + /* Put in list */ | |
4219 | + WRITE_LOCK(&ipct_rpc_udp_lock); | |
4220 | + list_prepend(&request_p_list_udp, req_p); | |
4221 | + WRITE_UNLOCK(&ipct_rpc_udp_lock); | |
4222 | + return; | |
4223 | + | |
4224 | +} | |
4225 | + | |
4226 | + | |
4227 | +static int check_rpc_packet(const u_int32_t *data, | |
4228 | + int dir, struct ip_conntrack *ct, | |
4229 | + struct list_head request_p_list) | |
4230 | +{ | |
4231 | + struct request_p *req_p; | |
4232 | + u_int32_t xid; | |
4233 | + struct ip_conntrack_expect expect, *exp = &expect; | |
4234 | + | |
4235 | + /* Translstion's buffer for XDR */ | |
4236 | + u_int16_t port_buf; | |
4237 | + | |
4238 | + | |
4239 | + /* Get XID */ | |
4240 | + xid = *data; | |
4241 | + | |
4242 | + /* This does sanity checking on RPC payloads, | |
4243 | + * and permits only the RPC "get port" (3) | |
4244 | + * in authorised procedures in client | |
4245 | + * communications with the portmapper. | |
4246 | + */ | |
4247 | + | |
4248 | + /* perform direction dependant RPC work */ | |
4249 | + if (dir == IP_CT_DIR_ORIGINAL) { | |
4250 | + | |
4251 | + data += 5; | |
4252 | + | |
4253 | + /* Get RPC requestor */ | |
4254 | + if (IXDR_GET_INT32(data) != 3) { | |
4255 | + DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n"); | |
4256 | + return NF_ACCEPT; | |
4257 | + } | |
4258 | + DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n"); | |
4259 | + | |
4260 | + data++; | |
4261 | + | |
4262 | + /* Jump Credentials and Verfifier */ | |
4263 | + data = data + IXDR_GET_INT32(data) + 2; | |
4264 | + data = data + IXDR_GET_INT32(data) + 2; | |
4265 | + | |
4266 | + /* Get RPC procedure */ | |
4267 | + DEBUGP("RPC packet contains procedure request [%u]. [cont]\n", | |
4268 | + (unsigned int)IXDR_GET_INT32(data)); | |
4269 | + | |
4270 | + /* Get RPC protocol and store against client parameters */ | |
4271 | + data = data + 2; | |
4272 | + alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip, | |
4273 | + ct->tuplehash[dir].tuple.src.u.all); | |
4274 | + | |
4275 | + DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n", | |
4276 | + xid, IXDR_GET_INT32(data), | |
4277 | + NIPQUAD(ct->tuplehash[dir].tuple.src.ip), | |
4278 | + ntohs(ct->tuplehash[dir].tuple.src.u.all)); | |
4279 | + | |
4280 | + DEBUGP("allocated RPC request for protocol %u. [done]\n", | |
4281 | + (unsigned int)IXDR_GET_INT32(data)); | |
4282 | + | |
4283 | + } else { | |
4284 | + | |
4285 | + /* Check for returning packet's stored counterpart */ | |
4286 | + req_p = LIST_FIND(&request_p_list_udp, request_p_cmp, | |
4287 | + struct request_p *, xid, | |
4288 | + ct->tuplehash[!dir].tuple.src.ip, | |
4289 | + ct->tuplehash[!dir].tuple.src.u.all); | |
4290 | + | |
4291 | + /* Drop unexpected packets */ | |
4292 | + if (!req_p) { | |
4293 | + DEBUGP("packet is not expected. [skip]\n"); | |
4294 | + return NF_ACCEPT; | |
4295 | + } | |
4296 | + | |
4297 | + /* Verifies if packet is really an RPC reply packet */ | |
4298 | + data = data++; | |
4299 | + if (IXDR_GET_INT32(data) != 1) { | |
4300 | + DEBUGP("packet is not a valid RPC reply. [skip]\n"); | |
4301 | + return NF_ACCEPT; | |
4302 | + } | |
4303 | + | |
4304 | + /* Is status accept? */ | |
4305 | + data++; | |
4306 | + if (IXDR_GET_INT32(data)) { | |
4307 | + DEBUGP("packet is not an RPC accept. [skip]\n"); | |
4308 | + return NF_ACCEPT; | |
4309 | + } | |
4310 | + | |
4311 | + /* Get Verifier length. Jump verifier */ | |
4312 | + data++; | |
4313 | + data = data + IXDR_GET_INT32(data) + 2; | |
4314 | + | |
4315 | + /* Is accpet status "success"? */ | |
4316 | + if (IXDR_GET_INT32(data)) { | |
4317 | + DEBUGP("packet is not an RPC accept status of success. [skip]\n"); | |
4318 | + return NF_ACCEPT; | |
4319 | + } | |
4320 | + | |
4321 | + /* Get server port number */ | |
4322 | + data++; | |
4323 | + port_buf = (u_int16_t) IXDR_GET_INT32(data); | |
4324 | + | |
4325 | + /* If a packet has made it this far then it deserves an | |
4326 | + * expectation ... if port == 0, then this service is | |
4327 | + * not going to be registered. | |
4328 | + */ | |
4329 | + if (port_buf) { | |
4330 | + DEBUGP("port found: %u\n", port_buf); | |
4331 | + | |
4332 | + memset(&expect, 0, sizeof(expect)); | |
4333 | + | |
4334 | + /* Watch out, Radioactive-Man! */ | |
4335 | + exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip; | |
4336 | + exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip; | |
4337 | + exp->mask.src.ip = 0xffffffff; | |
4338 | + exp->mask.dst.ip = 0xffffffff; | |
4339 | + | |
4340 | + switch (req_p->proto) { | |
4341 | + case IPPROTO_UDP: | |
4342 | + exp->tuple.src.u.udp.port = 0; | |
4343 | + exp->tuple.dst.u.udp.port = htons(port_buf); | |
4344 | + exp->tuple.dst.protonum = IPPROTO_UDP; | |
4345 | + exp->mask.src.u.udp.port = 0; | |
4346 | + exp->mask.dst.u.udp.port = htons(0xffff); | |
4347 | + exp->mask.dst.protonum = 0xffff; | |
4348 | + break; | |
4349 | + | |
4350 | + case IPPROTO_TCP: | |
4351 | + exp->tuple.src.u.tcp.port = 0; | |
4352 | + exp->tuple.dst.u.tcp.port = htons(port_buf); | |
4353 | + exp->tuple.dst.protonum = IPPROTO_TCP; | |
4354 | + exp->mask.src.u.tcp.port = 0; | |
4355 | + exp->mask.dst.u.tcp.port = htons(0xffff); | |
4356 | + exp->mask.dst.protonum = 0xffff; | |
4357 | + break; | |
4358 | + } | |
4359 | + exp->expectfn = NULL; | |
4360 | + | |
4361 | + ip_conntrack_expect_related(ct, &expect); | |
4362 | + | |
4363 | + DEBUGP("expect related ip %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n", | |
4364 | + NIPQUAD(exp->tuple.src.ip), | |
4365 | + NIPQUAD(exp->tuple.dst.ip), | |
4366 | + port_buf, req_p->proto); | |
4367 | + | |
4368 | + DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n", | |
4369 | + NIPQUAD(exp->mask.src.ip), | |
4370 | + NIPQUAD(exp->mask.dst.ip), | |
4371 | + exp->mask.dst.protonum); | |
4372 | + | |
4373 | + } | |
4374 | + | |
4375 | + req_cl(req_p); | |
4376 | + | |
4377 | + DEBUGP("packet evaluated. [expect]\n"); | |
4378 | + return NF_ACCEPT; | |
4379 | + } | |
4380 | + | |
4381 | + return NF_ACCEPT; | |
4382 | + | |
4383 | +} | |
4384 | + | |
4385 | + | |
4386 | +/* RPC UDP helper */ | |
4387 | +static int help(const struct iphdr *iph, size_t len, | |
4388 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
4389 | +{ | |
4390 | + struct udphdr *udph = (void *) iph + iph->ihl * 4; | |
4391 | + const u_int32_t *data = (const u_int32_t *)udph + 2; | |
4392 | + size_t udplen = len - iph->ihl * 4; | |
4393 | + int dir = CTINFO2DIR(ctinfo); | |
4394 | + int crp_ret; | |
4395 | + | |
4396 | + /* Checksum */ | |
4397 | + const u_int16_t *chsm = (const u_int16_t *)udph + 3; | |
4398 | + | |
4399 | + | |
4400 | + DEBUGP("new packet to evaluate ..\n"); | |
4401 | + | |
4402 | + /* Not whole UDP header? */ | |
4403 | + if (udplen < sizeof(struct udphdr)) { | |
4404 | + DEBUGP("UDP header length is; udplen=%u ..\n", (unsigned) udplen); | |
4405 | + DEBUGP("packet does not contain a complete UDP header. [skip]\n"); | |
4406 | + return NF_ACCEPT; | |
4407 | + } | |
4408 | + | |
4409 | + /* FIXME: Source route IP option packets --RR */ | |
4410 | + if (*chsm) { | |
4411 | + if (csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP, | |
4412 | + csum_partial((char *)udph, udplen, 0))) { | |
4413 | + DEBUGP("[note: failure to get past this error may indicate source routing]\n"); | |
4414 | + DEBUGP("packet contains a bad checksum. [skip]\n"); | |
4415 | + return NF_ACCEPT; | |
4416 | + } | |
4417 | + } | |
4418 | + | |
4419 | + /* perform direction dependant protocol work */ | |
4420 | + if (dir == IP_CT_DIR_ORIGINAL) { | |
4421 | + | |
4422 | + DEBUGP("packet is from the initiator. [cont]\n"); | |
4423 | + | |
4424 | + /* Tests if packet len is ok */ | |
4425 | + if ((udplen - sizeof(struct udphdr)) != 56) { | |
4426 | + DEBUGP("packet length is not correct. [skip]\n"); | |
4427 | + return NF_ACCEPT; | |
4428 | + } | |
4429 | + | |
4430 | + } else { | |
4431 | + | |
4432 | + DEBUGP("packet is from the receiver. [cont]\n"); | |
4433 | + | |
4434 | + /* Until there's been traffic both ways, don't look in packets. */ | |
4435 | + if (ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
4436 | + DEBUGP("connection tracking state is; ctinfo=%u ..\n", ctinfo); | |
4437 | + DEBUGP("[note: failure to get past this error may indicate asymmetric routing]\n"); | |
4438 | + DEBUGP("packet is not yet part of a two way stream. [skip]\n"); | |
4439 | + return NF_ACCEPT; | |
4440 | + } | |
4441 | + | |
4442 | + /* Tests if packet len is ok */ | |
4443 | + if ((udplen - sizeof(struct udphdr)) != 28) { | |
4444 | + DEBUGP("packet length is not correct. [skip]\n"); | |
4445 | + return NF_ACCEPT; | |
4446 | + } | |
4447 | + | |
4448 | + } | |
4449 | + | |
4450 | + /* Get to the data */ | |
4451 | + /* udp *data == *correct */ | |
4452 | + | |
4453 | + /* Check the RPC data */ | |
4454 | + crp_ret = check_rpc_packet(data, dir, ct, request_p_list_udp); | |
4455 | + | |
4456 | + return crp_ret; | |
4457 | + | |
4458 | +} | |
4459 | + | |
4460 | + | |
4461 | +static struct ip_conntrack_helper rpc_helpers[MAX_PORTS]; | |
4462 | + | |
4463 | +static void fini(void); | |
4464 | + | |
4465 | + | |
4466 | +static int __init init(void) | |
4467 | +{ | |
4468 | + int port, ret; | |
4469 | + static char name[10]; | |
4470 | + | |
4471 | + | |
4472 | + /* If no port given, default to standard RPC port */ | |
4473 | + if (ports[0] == 0) | |
4474 | + ports[0] = RPC_PORT; | |
4475 | + | |
4476 | + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) { | |
4477 | + memset(&rpc_helpers[port], 0, sizeof(struct ip_conntrack_helper)); | |
4478 | + | |
4479 | + if (ports[port] == RPC_PORT) | |
4480 | + sprintf(name, "rpc"); | |
4481 | + else | |
4482 | + sprintf(name, "rpc-%d", port); | |
4483 | + | |
4484 | + rpc_helpers[port].name = name; | |
4485 | + rpc_helpers[port].me = THIS_MODULE; | |
4486 | + rpc_helpers[port].max_expected = 1; | |
4487 | + rpc_helpers[port].flags = IP_CT_HELPER_F_REUSE_EXPECT; | |
4488 | + rpc_helpers[port].timeout = 0; | |
4489 | + | |
4490 | + rpc_helpers[port].tuple.dst.protonum = IPPROTO_UDP; | |
4491 | + rpc_helpers[port].mask.dst.protonum = 0xffff; | |
4492 | + | |
4493 | + /* RPC can come from ports 0:65535 to ports[port] (111) */ | |
4494 | + rpc_helpers[port].tuple.src.u.udp.port = htons(ports[port]); | |
4495 | + rpc_helpers[port].mask.src.u.udp.port = htons(0xffff); | |
4496 | + rpc_helpers[port].mask.dst.u.udp.port = htons(0x0); | |
4497 | + | |
4498 | + rpc_helpers[port].help = help; | |
4499 | + | |
4500 | + DEBUGP("registering helper for port #%d: %d/UDP\n", port, ports[port]); | |
4501 | + DEBUGP("helper match ip %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
4502 | + NIPQUAD(rpc_helpers[port].tuple.dst.ip), | |
4503 | + ntohs(rpc_helpers[port].tuple.dst.u.udp.port), | |
4504 | + NIPQUAD(rpc_helpers[port].tuple.src.ip), | |
4505 | + ntohs(rpc_helpers[port].tuple.src.u.udp.port)); | |
4506 | + DEBUGP("helper match mask %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
4507 | + NIPQUAD(rpc_helpers[port].mask.dst.ip), | |
4508 | + ntohs(rpc_helpers[port].mask.dst.u.udp.port), | |
4509 | + NIPQUAD(rpc_helpers[port].mask.src.ip), | |
4510 | + ntohs(rpc_helpers[port].mask.src.u.udp.port)); | |
4511 | + | |
4512 | + ret = ip_conntrack_helper_register(&rpc_helpers[port]); | |
4513 | + | |
4514 | + if (ret) { | |
4515 | + printk("ERROR registering port %d\n", | |
4516 | + ports[port]); | |
4517 | + fini(); | |
4518 | + return -EBUSY; | |
4519 | + } | |
4520 | + ports_n_c++; | |
4521 | + } | |
4522 | + return 0; | |
4523 | +} | |
4524 | + | |
4525 | + | |
4526 | +/* This function is intentionally _NOT_ defined as __exit, because | |
4527 | + * it is needed by the init function */ | |
4528 | +static void fini(void) | |
4529 | +{ | |
4530 | + int port; | |
4531 | + | |
4532 | + DEBUGP("cleaning request list\n"); | |
4533 | + clean_request(&request_p_list_udp); | |
4534 | + | |
4535 | + for (port = 0; (port < ports_n_c) && ports[port]; port++) { | |
4536 | + DEBUGP("unregistering port %d\n", ports[port]); | |
4537 | + ip_conntrack_helper_unregister(&rpc_helpers[port]); | |
4538 | + } | |
4539 | +} | |
4540 | + | |
4541 | + | |
4542 | +module_init(init); | |
4543 | +module_exit(fini); | |
4544 | + | |
4545 | +struct module *ip_conntrack_rpc_udp = THIS_MODULE; | |
4546 | +EXPORT_SYMBOL(request_p_list_udp); | |
4547 | +EXPORT_SYMBOL(ip_conntrack_rpc_udp); | |
4548 | +EXPORT_SYMBOL(ipct_rpc_udp_lock); | |
4549 | + | |
4550 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rsh.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rsh.c | |
4551 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rsh.c 1970-01-01 01:00:00.000000000 +0100 | |
4552 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rsh.c 2004-04-29 11:20:06.000000000 +0200 | |
4553 | @@ -0,0 +1,331 @@ | |
4554 | +/* RSH extension for IP connection tracking, Version 1.0 | |
4555 | + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
4556 | + * based on HW's ip_conntrack_irc.c | |
4557 | + * | |
4558 | + * ip_conntrack_rsh.c,v 1.0 2002/07/17 14:49:26 | |
4559 | + * | |
4560 | + * This program is free software; you can redistribute it and/or | |
4561 | + * modify it under the terms of the GNU General Public License | |
4562 | + * as published by the Free Software Foundation; either version | |
4563 | + * 2 of the License, or (at your option) any later version. | |
4564 | + ** | |
4565 | + * Module load syntax: | |
4566 | + * insmod ip_conntrack_rsh.o ports=port1,port2,...port<MAX_PORTS> | |
4567 | + * | |
4568 | + * please give the ports of all RSH servers You wish to connect to. | |
4569 | + * If You don't specify ports, the default will be port 514 | |
4570 | + ** | |
4571 | + * Note to all: | |
4572 | + * RSH blows ... you should use SSH (openssh.org) to replace it, | |
4573 | + * unfortunately I babysit some sysadmins that won't migrate | |
4574 | + * their legacy crap, in our second tier. | |
4575 | + */ | |
4576 | + | |
4577 | + | |
4578 | +/* | |
4579 | + * Some docco ripped from the net to teach me all there is to know about | |
4580 | + * RSH, in 16.5 seconds (ie, all of the non-netfilter docco used to write | |
4581 | + * this module). | |
4582 | + * | |
4583 | + * I have no idea what "unix rshd man pages" these guys have .. but that | |
4584 | + * is some pretty detailed docco! | |
4585 | + ** | |
4586 | + * | |
4587 | + * 4. Of the rsh protocol. | |
4588 | + * ----------------------- | |
4589 | + * | |
4590 | + * The rshd listens on TCP port #514. The following info is from the unix | |
4591 | + * rshd man pages : | |
4592 | + * | |
4593 | + * "Service Request Protocol | |
4594 | + * | |
4595 | + * When the rshd daemon receives a service request, it initiates the | |
4596 | + * following protocol: | |
4597 | + * | |
4598 | + * 1. The rshd daemon checks the source port number for the request. | |
4599 | + * If the port number is not in the range 0 through 1023, the rshd daemon | |
4600 | + * terminates the connection. | |
4601 | + * | |
4602 | + * 2. The rshd daemon reads characters from the socket up to a null byte. | |
4603 | + * The string read is interpreted as an ASCII number (base 10). If this | |
4604 | + * number is nonzero, the rshd daemon interprets it as the port number | |
4605 | + * of a secondary stream to be used as standard error. A second connection | |
4606 | + * is created to the specified port on the client host. The source port | |
4607 | + * on the local host is in the range 0 through 1023. | |
4608 | + * | |
4609 | + * 3. The rshd daemon uses the source address of the initial connection | |
4610 | + * request to determine the name of the client host. If the name cannot | |
4611 | + * be determined, the rshd daemon uses the dotted decimal representation | |
4612 | + * of the client host's address. | |
4613 | + * | |
4614 | + * 4. The rshd daemon retrieves the following information from the initial | |
4615 | + * socket: | |
4616 | + * | |
4617 | + * * A null-terminated string of at most 16 bytes interpreted as | |
4618 | + * the user name of the user on the client host. | |
4619 | + * | |
4620 | + * * A null-terminated string of at most 16 bytes interpreted as | |
4621 | + * the user name to be used on the local server host. | |
4622 | + * | |
4623 | + * * Another null-terminated string interpreted as a command line | |
4624 | + * to be passed to a shell on the local server host. | |
4625 | + * | |
4626 | + * 5. The rshd daemon attempts to validate the user using the following steps: | |
4627 | + * | |
4628 | + * a. The rshd daemon looks up the local user name in the /etc/passwd | |
4629 | + * file and tries to switch to the home directory (using the chdir | |
4630 | + * subroutine). If either the lookup or the directory change fails, | |
4631 | + * the rshd daemon terminates the connection. | |
4632 | + * | |
4633 | + * b. If the local user ID is a nonzero value, the rshd daemon searches | |
4634 | + * the /etc/hosts.equiv file to see if the name of the client | |
4635 | + * workstation is listed. If the client workstation is listed as an | |
4636 | + * equivalent host, the rshd daemon validates the user. | |
4637 | + * | |
4638 | + * c. If the $HOME/.rhosts file exists, the rshd daemon tries to | |
4639 | + * authenticate the user by checking the .rhosts file. | |
4640 | + * | |
4641 | + * d. If either the $HOME/.rhosts authentication fails or the | |
4642 | + * client host is not an equivalent host, the rshd daemon | |
4643 | + * terminates the connection. | |
4644 | + * | |
4645 | + * 6. Once rshd validates the user, the rshd daemon returns a null byte | |
4646 | + * on the initial connection and passes the command line to the user's | |
4647 | + * local login shell. The shell then inherits the network connections | |
4648 | + * established by the rshd daemon." | |
4649 | + * | |
4650 | + */ | |
4651 | + | |
4652 | + | |
4653 | +#include <linux/module.h> | |
4654 | +#include <linux/netfilter.h> | |
4655 | +#include <linux/ip.h> | |
4656 | +#include <net/checksum.h> | |
4657 | +#include <net/tcp.h> | |
4658 | + | |
4659 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
4660 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
4661 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
4662 | +#include <linux/netfilter_ipv4/ip_conntrack_rsh.h> | |
4663 | + | |
4664 | +#define MAX_PORTS 8 | |
4665 | +static int ports[MAX_PORTS]; | |
4666 | +static int ports_n_c = 0; | |
4667 | + | |
4668 | +MODULE_AUTHOR("Ian (Larry) Latter <Ian.Latter@mq.edu.au>"); | |
4669 | +MODULE_DESCRIPTION("RSH connection tracking module"); | |
4670 | +MODULE_LICENSE("GPL"); | |
4671 | +#ifdef MODULE_PARM | |
4672 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
4673 | +MODULE_PARM_DESC(ports, "port numbers of RSH servers"); | |
4674 | +#endif | |
4675 | + | |
4676 | +DECLARE_LOCK(ip_rsh_lock); | |
4677 | +struct module *ip_conntrack_rsh = THIS_MODULE; | |
4678 | + | |
4679 | +#if 0 | |
4680 | +#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rsh: " \ | |
4681 | + format, ## args) | |
4682 | +#else | |
4683 | +#define DEBUGP(format, args...) | |
4684 | +#endif | |
4685 | + | |
4686 | + | |
4687 | + | |
4688 | +/* FIXME: This should be in userspace. Later. */ | |
4689 | +static int help(const struct iphdr *iph, size_t len, | |
4690 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
4691 | +{ | |
4692 | + /* tcplen not negative guarenteed by ip_conntrack_tcp.c */ | |
4693 | + struct tcphdr *tcph = (void *) iph + iph->ihl * 4; | |
4694 | + const char *data = (const char *) tcph + tcph->doff * 4; | |
4695 | + u_int32_t tcplen = len - iph->ihl * 4; | |
4696 | + int dir = CTINFO2DIR(ctinfo); | |
4697 | + struct ip_conntrack_expect expect, *exp = &expect; | |
4698 | + struct ip_ct_rsh_expect *exp_rsh_info = &exp->help.exp_rsh_info; | |
4699 | + u_int16_t port; | |
4700 | + int maxoctet; | |
4701 | + | |
4702 | + /* note that "maxoctet" is used to maintain sanity (8 was the | |
4703 | + * original array size used in rshd/glibc) -- is there a | |
4704 | + * vulnerability in rshd.c in the looped port *= 10? | |
4705 | + */ | |
4706 | + | |
4707 | + | |
4708 | + DEBUGP("entered\n"); | |
4709 | + | |
4710 | + /* bail if packet is not from RSH client */ | |
4711 | + if (dir == IP_CT_DIR_REPLY) | |
4712 | + return NF_ACCEPT; | |
4713 | + | |
4714 | + /* Until there's been traffic both ways, don't look in packets. */ | |
4715 | + if (ctinfo != IP_CT_ESTABLISHED | |
4716 | + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
4717 | + DEBUGP("Conntrackinfo = %u\n", ctinfo); | |
4718 | + return NF_ACCEPT; | |
4719 | + } | |
4720 | + | |
4721 | + /* Not whole TCP header? */ | |
4722 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) { | |
4723 | + DEBUGP("tcplen = %u\n", (unsigned) tcplen); | |
4724 | + return NF_ACCEPT; | |
4725 | + } | |
4726 | + | |
4727 | + /* Checksum invalid? Ignore. */ | |
4728 | + /* FIXME: Source route IP option packets --RR */ | |
4729 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
4730 | + csum_partial((char *) tcph, tcplen, 0))) { | |
4731 | + DEBUGP("bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
4732 | + tcph, tcplen, NIPQUAD(iph->saddr), | |
4733 | + NIPQUAD(iph->daddr)); | |
4734 | + return NF_ACCEPT; | |
4735 | + } | |
4736 | + | |
4737 | + /* find the rsh stderr port */ | |
4738 | + maxoctet = 4; | |
4739 | + port = 0; | |
4740 | + for ( ; *data != 0 && maxoctet != 0; data++, maxoctet--) { | |
4741 | + if (*data < 0) | |
4742 | + return(1); | |
4743 | + if (*data == 0) | |
4744 | + break; | |
4745 | + if (*data < 48 || *data > 57) { | |
4746 | + DEBUGP("these aren't the packets you're looking for ..\n"); | |
4747 | + return NF_ACCEPT; | |
4748 | + } | |
4749 | + port = port * 10 + ( *data - 48 ); | |
4750 | + } | |
4751 | + | |
4752 | + /* dont relate sessions that try to expose the client */ | |
4753 | + DEBUGP("found port %u\n", port); | |
4754 | + if (port > 1023) { | |
4755 | + DEBUGP("skipping, expected port size is greater than 1023!\n"); | |
4756 | + return NF_ACCEPT; | |
4757 | + } | |
4758 | + | |
4759 | + | |
4760 | + LOCK_BH(&ip_rsh_lock); | |
4761 | + | |
4762 | + /* new(,related) connection is; | |
4763 | + * reply + dst (uint)port + src port (0:1023) | |
4764 | + */ | |
4765 | + memset(&expect, 0, sizeof(expect)); | |
4766 | + | |
4767 | + /* save some discovered data, in case someone ever wants to write | |
4768 | + * a NAT module for this bastard .. | |
4769 | + */ | |
4770 | + exp_rsh_info->port = port; | |
4771 | + | |
4772 | + DEBUGP("wrote info port=%u\n", exp_rsh_info->port); | |
4773 | + | |
4774 | + | |
4775 | + /* Watch out, Radioactive-Man! */ | |
4776 | + exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip; | |
4777 | + exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip; | |
4778 | + exp->tuple.src.u.tcp.port = 0; | |
4779 | + exp->tuple.dst.u.tcp.port = htons(exp_rsh_info->port); | |
4780 | + exp->tuple.dst.protonum = IPPROTO_TCP; | |
4781 | + | |
4782 | + exp->mask.src.ip = 0xffffffff; | |
4783 | + exp->mask.dst.ip = 0xffffffff; | |
4784 | + | |
4785 | + exp->mask.src.u.tcp.port = htons(0xfc00); | |
4786 | + exp->mask.dst.u.tcp.port = htons(0xfc00); | |
4787 | + exp->mask.dst.protonum = 0xffff; | |
4788 | + | |
4789 | + exp->expectfn = NULL; | |
4790 | + | |
4791 | + ip_conntrack_expect_related(ct, &expect); | |
4792 | + | |
4793 | + DEBUGP("expect related ip %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n", | |
4794 | + NIPQUAD(exp->tuple.src.ip), | |
4795 | + ntohs(exp->tuple.src.u.tcp.port), | |
4796 | + NIPQUAD(exp->tuple.dst.ip), | |
4797 | + ntohs(exp->tuple.dst.u.tcp.port)); | |
4798 | + | |
4799 | + DEBUGP("expect related mask %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n", | |
4800 | + NIPQUAD(exp->mask.src.ip), | |
4801 | + ntohs(exp->mask.src.u.tcp.port), | |
4802 | + NIPQUAD(exp->mask.dst.ip), | |
4803 | + ntohs(exp->mask.dst.u.tcp.port)); | |
4804 | + UNLOCK_BH(&ip_rsh_lock); | |
4805 | + | |
4806 | + return NF_ACCEPT; | |
4807 | +} | |
4808 | + | |
4809 | +static struct ip_conntrack_helper rsh_helpers[MAX_PORTS]; | |
4810 | + | |
4811 | +static void fini(void); | |
4812 | + | |
4813 | +static int __init init(void) | |
4814 | +{ | |
4815 | + int port, ret; | |
4816 | + static char name[10]; | |
4817 | + | |
4818 | + | |
4819 | + /* If no port given, default to standard RSH port */ | |
4820 | + if (ports[0] == 0) | |
4821 | + ports[0] = RSH_PORT; | |
4822 | + | |
4823 | + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) { | |
4824 | + memset(&rsh_helpers[port], 0, sizeof(struct ip_conntrack_helper)); | |
4825 | + | |
4826 | + if (ports[port] == RSH_PORT) | |
4827 | + sprintf(name, "rsh"); | |
4828 | + else | |
4829 | + sprintf(name, "rsh-%d", port); | |
4830 | + | |
4831 | + rsh_helpers[port].name = name; | |
4832 | + rsh_helpers[port].me = THIS_MODULE; | |
4833 | + rsh_helpers[port].max_expected = 1; | |
4834 | + rsh_helpers[port].flags = IP_CT_HELPER_F_REUSE_EXPECT; | |
4835 | + rsh_helpers[port].timeout = 0; | |
4836 | + | |
4837 | + rsh_helpers[port].tuple.dst.protonum = IPPROTO_TCP; | |
4838 | + rsh_helpers[port].mask.dst.protonum = 0xffff; | |
4839 | + | |
4840 | + /* RSH must come from ports 0:1023 to ports[port] (514) */ | |
4841 | + rsh_helpers[port].tuple.src.u.tcp.port = htons(ports[port]); | |
4842 | + rsh_helpers[port].mask.src.u.tcp.port = htons(0xfc00); | |
4843 | + rsh_helpers[port].mask.dst.u.tcp.port = htons(0xfc00); | |
4844 | + | |
4845 | + rsh_helpers[port].help = help; | |
4846 | + | |
4847 | + DEBUGP("registering helper for port #%d: %d/TCP\n", port, ports[port]); | |
4848 | + DEBUGP("helper match ip %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n", | |
4849 | + NIPQUAD(rsh_helpers[port].tuple.src.ip), | |
4850 | + ntohs(rsh_helpers[port].tuple.src.u.tcp.port), | |
4851 | + NIPQUAD(rsh_helpers[port].tuple.dst.ip), | |
4852 | + ntohs(rsh_helpers[port].tuple.dst.u.tcp.port)); | |
4853 | + DEBUGP("helper match mask %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n", | |
4854 | + NIPQUAD(rsh_helpers[port].mask.src.ip), | |
4855 | + ntohs(rsh_helpers[port].mask.src.u.tcp.port), | |
4856 | + NIPQUAD(rsh_helpers[port].mask.dst.ip), | |
4857 | + ntohs(rsh_helpers[port].mask.dst.u.tcp.port)); | |
4858 | + | |
4859 | + ret = ip_conntrack_helper_register(&rsh_helpers[port]); | |
4860 | + | |
4861 | + if (ret) { | |
4862 | + printk("ERROR registering port %d\n", | |
4863 | + ports[port]); | |
4864 | + fini(); | |
4865 | + return -EBUSY; | |
4866 | + } | |
4867 | + ports_n_c++; | |
4868 | + } | |
4869 | + return 0; | |
4870 | +} | |
4871 | + | |
4872 | +/* This function is intentionally _NOT_ defined as __exit, because | |
4873 | + * it is needed by the init function */ | |
4874 | +static void fini(void) | |
4875 | +{ | |
4876 | + int port; | |
4877 | + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) { | |
4878 | + DEBUGP("unregistering port %d\n", ports[port]); | |
4879 | + ip_conntrack_helper_unregister(&rsh_helpers[port]); | |
4880 | + } | |
4881 | +} | |
4882 | + | |
4883 | +module_init(init); | |
4884 | +module_exit(fini); | |
4885 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rtsp.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rtsp.c | |
4886 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_rtsp.c 1970-01-01 01:00:00.000000000 +0100 | |
4887 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_rtsp.c 2004-04-29 11:20:13.000000000 +0200 | |
4888 | @@ -0,0 +1,507 @@ | |
4889 | +/* | |
4890 | + * RTSP extension for IP connection tracking | |
4891 | + * (C) 2003 by Tom Marshall <tmarshall@real.com> | |
4892 | + * based on ip_conntrack_irc.c | |
4893 | + * | |
4894 | + * This program is free software; you can redistribute it and/or | |
4895 | + * modify it under the terms of the GNU General Public License | |
4896 | + * as published by the Free Software Foundation; either version | |
4897 | + * 2 of the License, or (at your option) any later version. | |
4898 | + * | |
4899 | + * Module load syntax: | |
4900 | + * insmod ip_conntrack_rtsp.o ports=port1,port2,...port<MAX_PORTS> | |
4901 | + * max_outstanding=n setup_timeout=secs | |
4902 | + * | |
4903 | + * If no ports are specified, the default will be port 554. | |
4904 | + * | |
4905 | + * With max_outstanding you can define the maximum number of not yet | |
4906 | + * answered SETUP requests per RTSP session (default 8). | |
4907 | + * With setup_timeout you can specify how long the system waits for | |
4908 | + * an expected data channel (default 300 seconds). | |
4909 | + */ | |
4910 | + | |
4911 | +#include <linux/config.h> | |
4912 | +#include <linux/module.h> | |
4913 | +#include <linux/netfilter.h> | |
4914 | +#include <linux/ip.h> | |
4915 | +#include <net/checksum.h> | |
4916 | +#include <net/tcp.h> | |
4917 | + | |
4918 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
4919 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
4920 | +#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h> | |
4921 | + | |
4922 | +#include <linux/ctype.h> | |
4923 | +#define NF_NEED_STRNCASECMP | |
4924 | +#define NF_NEED_STRTOU16 | |
4925 | +#define NF_NEED_STRTOU32 | |
4926 | +#define NF_NEED_NEXTLINE | |
4927 | +#include <linux/netfilter_helpers.h> | |
4928 | +#define NF_NEED_MIME_NEXTLINE | |
4929 | +#include <linux/netfilter_mime.h> | |
4930 | + | |
4931 | +#define MAX_SIMUL_SETUP 8 /* XXX: use max_outstanding */ | |
4932 | + | |
4933 | +#define INFOP(fmt, args...) printk(KERN_INFO "%s: %s: " fmt, __FILE__, __FUNCTION__, ## args) | |
4934 | +#ifdef IP_NF_RTSP_DEBUG | |
4935 | +#define DEBUGP(fmt, args...) printk(KERN_DEBUG "%s: %s: " fmt, __FILE__, __FUNCTION__, ## args) | |
4936 | +#else | |
4937 | +#define DEBUGP(fmt, args...) | |
4938 | +#endif | |
4939 | + | |
4940 | +#define MAX_PORTS 8 | |
4941 | +static int ports[MAX_PORTS]; | |
4942 | +static int num_ports = 0; | |
4943 | +static int max_outstanding = 8; | |
4944 | +static unsigned int setup_timeout = 300; | |
4945 | + | |
4946 | +MODULE_AUTHOR("Tom Marshall <tmarshall@real.com>"); | |
4947 | +MODULE_DESCRIPTION("RTSP connection tracking module"); | |
4948 | +MODULE_LICENSE("GPL"); | |
4949 | +#ifdef MODULE_PARM | |
4950 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
4951 | +MODULE_PARM_DESC(ports, "port numbers of RTSP servers"); | |
4952 | +MODULE_PARM(max_outstanding, "i"); | |
4953 | +MODULE_PARM_DESC(max_outstanding, "max number of outstanding SETUP requests per RTSP session"); | |
4954 | +MODULE_PARM(setup_timeout, "i"); | |
4955 | +MODULE_PARM_DESC(setup_timeout, "timeout on for unestablished data channels"); | |
4956 | +#endif | |
4957 | + | |
4958 | +DECLARE_LOCK(ip_rtsp_lock); | |
4959 | +struct module* ip_conntrack_rtsp = THIS_MODULE; | |
4960 | + | |
4961 | +/* | |
4962 | + * Max mappings we will allow for one RTSP connection (for RTP, the number | |
4963 | + * of allocated ports is twice this value). Note that SMIL burns a lot of | |
4964 | + * ports so keep this reasonably high. If this is too low, you will see a | |
4965 | + * lot of "no free client map entries" messages. | |
4966 | + */ | |
4967 | +#define MAX_PORT_MAPS 16 | |
4968 | + | |
4969 | +/*** default port list was here in the masq code: 554, 3030, 4040 ***/ | |
4970 | + | |
4971 | +#define SKIP_WSPACE(ptr,len,off) while(off < len && isspace(*(ptr+off))) { off++; } | |
4972 | + | |
4973 | +/* | |
4974 | + * Parse an RTSP packet. | |
4975 | + * | |
4976 | + * Returns zero if parsing failed. | |
4977 | + * | |
4978 | + * Parameters: | |
4979 | + * IN ptcp tcp data pointer | |
4980 | + * IN tcplen tcp data len | |
4981 | + * IN/OUT ptcpoff points to current tcp offset | |
4982 | + * OUT phdrsoff set to offset of rtsp headers | |
4983 | + * OUT phdrslen set to length of rtsp headers | |
4984 | + * OUT pcseqoff set to offset of CSeq header | |
4985 | + * OUT pcseqlen set to length of CSeq header | |
4986 | + */ | |
4987 | +static int | |
4988 | +rtsp_parse_message(char* ptcp, uint tcplen, uint* ptcpoff, | |
4989 | + uint* phdrsoff, uint* phdrslen, | |
4990 | + uint* pcseqoff, uint* pcseqlen) | |
4991 | +{ | |
4992 | + uint entitylen = 0; | |
4993 | + uint lineoff; | |
4994 | + uint linelen; | |
4995 | + | |
4996 | + if (!nf_nextline(ptcp, tcplen, ptcpoff, &lineoff, &linelen)) | |
4997 | + { | |
4998 | + return 0; | |
4999 | + } | |
5000 | + | |
5001 | + *phdrsoff = *ptcpoff; | |
5002 | + while (nf_mime_nextline(ptcp, tcplen, ptcpoff, &lineoff, &linelen)) | |
5003 | + { | |
5004 | + if (linelen == 0) | |
5005 | + { | |
5006 | + if (entitylen > 0) | |
5007 | + { | |
5008 | + *ptcpoff += min(entitylen, tcplen - *ptcpoff); | |
5009 | + } | |
5010 | + break; | |
5011 | + } | |
5012 | + if (lineoff+linelen > tcplen) | |
5013 | + { | |
5014 | + INFOP("!! overrun !!\n"); | |
5015 | + break; | |
5016 | + } | |
5017 | + | |
5018 | + if (nf_strncasecmp(ptcp+lineoff, "CSeq:", 5) == 0) | |
5019 | + { | |
5020 | + *pcseqoff = lineoff; | |
5021 | + *pcseqlen = linelen; | |
5022 | + } | |
5023 | + if (nf_strncasecmp(ptcp+lineoff, "Content-Length:", 15) == 0) | |
5024 | + { | |
5025 | + uint off = lineoff+15; | |
5026 | + SKIP_WSPACE(ptcp+lineoff, linelen, off); | |
5027 | + nf_strtou32(ptcp+off, &entitylen); | |
5028 | + } | |
5029 | + } | |
5030 | + *phdrslen = (*ptcpoff) - (*phdrsoff); | |
5031 | + | |
5032 | + return 1; | |
5033 | +} | |
5034 | + | |
5035 | +/* | |
5036 | + * Find lo/hi client ports (if any) in transport header | |
5037 | + * In: | |
5038 | + * ptcp, tcplen = packet | |
5039 | + * tranoff, tranlen = buffer to search | |
5040 | + * | |
5041 | + * Out: | |
5042 | + * pport_lo, pport_hi = lo/hi ports (host endian) | |
5043 | + * | |
5044 | + * Returns nonzero if any client ports found | |
5045 | + * | |
5046 | + * Note: it is valid (and expected) for the client to request multiple | |
5047 | + * transports, so we need to parse the entire line. | |
5048 | + */ | |
5049 | +static int | |
5050 | +rtsp_parse_transport(char* ptran, uint tranlen, | |
5051 | + struct ip_ct_rtsp_expect* prtspexp) | |
5052 | +{ | |
5053 | + int rc = 0; | |
5054 | + uint off = 0; | |
5055 | + | |
5056 | + if (tranlen < 10 || !iseol(ptran[tranlen-1]) || | |
5057 | + nf_strncasecmp(ptran, "Transport:", 10) != 0) | |
5058 | + { | |
5059 | + INFOP("sanity check failed\n"); | |
5060 | + return 0; | |
5061 | + } | |
5062 | + DEBUGP("tran='%.*s'\n", (int)tranlen, ptran); | |
5063 | + off += 10; | |
5064 | + SKIP_WSPACE(ptran, tranlen, off); | |
5065 | + | |
5066 | + /* Transport: tran;field;field=val,tran;field;field=val,... */ | |
5067 | + while (off < tranlen) | |
5068 | + { | |
5069 | + const char* pparamend; | |
5070 | + uint nextparamoff; | |
5071 | + | |
5072 | + pparamend = memchr(ptran+off, ',', tranlen-off); | |
5073 | + pparamend = (pparamend == NULL) ? ptran+tranlen : pparamend+1; | |
5074 | + nextparamoff = pparamend-ptran; | |
5075 | + | |
5076 | + while (off < nextparamoff) | |
5077 | + { | |
5078 | + const char* pfieldend; | |
5079 | + uint nextfieldoff; | |
5080 | + | |
5081 | + pfieldend = memchr(ptran+off, ';', nextparamoff-off); | |
5082 | + nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; | |
5083 | + | |
5084 | + if (strncmp(ptran+off, "client_port=", 12) == 0) | |
5085 | + { | |
5086 | + u_int16_t port; | |
5087 | + uint numlen; | |
5088 | + | |
5089 | + off += 12; | |
5090 | + numlen = nf_strtou16(ptran+off, &port); | |
5091 | + off += numlen; | |
5092 | + if (prtspexp->loport != 0 && prtspexp->loport != port) | |
5093 | + { | |
5094 | + DEBUGP("multiple ports found, port %hu ignored\n", port); | |
5095 | + } | |
5096 | + else | |
5097 | + { | |
5098 | + prtspexp->loport = prtspexp->hiport = port; | |
5099 | + if (ptran[off] == '-') | |
5100 | + { | |
5101 | + off++; | |
5102 | + numlen = nf_strtou16(ptran+off, &port); | |
5103 | + off += numlen; | |
5104 | + prtspexp->pbtype = pb_range; | |
5105 | + prtspexp->hiport = port; | |
5106 | + | |
5107 | + // If we have a range, assume rtp: | |
5108 | + // loport must be even, hiport must be loport+1 | |
5109 | + if ((prtspexp->loport & 0x0001) != 0 || | |
5110 | + prtspexp->hiport != prtspexp->loport+1) | |
5111 | + { | |
5112 | + DEBUGP("incorrect range: %hu-%hu, correcting\n", | |
5113 | + prtspexp->loport, prtspexp->hiport); | |
5114 | + prtspexp->loport &= 0xfffe; | |
5115 | + prtspexp->hiport = prtspexp->loport+1; | |
5116 | + } | |
5117 | + } | |
5118 | + else if (ptran[off] == '/') | |
5119 | + { | |
5120 | + off++; | |
5121 | + numlen = nf_strtou16(ptran+off, &port); | |
5122 | + off += numlen; | |
5123 | + prtspexp->pbtype = pb_discon; | |
5124 | + prtspexp->hiport = port; | |
5125 | + } | |
5126 | + rc = 1; | |
5127 | + } | |
5128 | + } | |
5129 | + | |
5130 | + /* | |
5131 | + * Note we don't look for the destination parameter here. | |
5132 | + * If we are using NAT, the NAT module will handle it. If not, | |
5133 | + * and the client is sending packets elsewhere, the expectation | |
5134 | + * will quietly time out. | |
5135 | + */ | |
5136 | + | |
5137 | + off = nextfieldoff; | |
5138 | + } | |
5139 | + | |
5140 | + off = nextparamoff; | |
5141 | + } | |
5142 | + | |
5143 | + return rc; | |
5144 | +} | |
5145 | + | |
5146 | +/*** conntrack functions ***/ | |
5147 | + | |
5148 | +/* outbound packet: client->server */ | |
5149 | +static int | |
5150 | +help_out(const struct iphdr* iph, size_t pktlen, | |
5151 | + struct ip_conntrack* ct, enum ip_conntrack_info ctinfo) | |
5152 | +{ | |
5153 | + int dir = CTINFO2DIR(ctinfo); /* = IP_CT_DIR_ORIGINAL */ | |
5154 | + struct tcphdr* tcph = (void*)iph + iph->ihl * 4; | |
5155 | + uint tcplen = pktlen - iph->ihl * 4; | |
5156 | + char* pdata = (char*)tcph + tcph->doff * 4; | |
5157 | + uint datalen = tcplen - tcph->doff * 4; | |
5158 | + uint dataoff = 0; | |
5159 | + | |
5160 | + struct ip_conntrack_expect exp; | |
5161 | + | |
5162 | + while (dataoff < datalen) | |
5163 | + { | |
5164 | + uint cmdoff = dataoff; | |
5165 | + uint hdrsoff = 0; | |
5166 | + uint hdrslen = 0; | |
5167 | + uint cseqoff = 0; | |
5168 | + uint cseqlen = 0; | |
5169 | + uint lineoff = 0; | |
5170 | + uint linelen = 0; | |
5171 | + uint off; | |
5172 | + int rc; | |
5173 | + | |
5174 | + if (!rtsp_parse_message(pdata, datalen, &dataoff, | |
5175 | + &hdrsoff, &hdrslen, | |
5176 | + &cseqoff, &cseqlen)) | |
5177 | + { | |
5178 | + break; /* not a valid message */ | |
5179 | + } | |
5180 | + | |
5181 | + if (strncmp(pdata+cmdoff, "SETUP ", 6) != 0) | |
5182 | + { | |
5183 | + continue; /* not a SETUP message */ | |
5184 | + } | |
5185 | + DEBUGP("found a setup message\n"); | |
5186 | + | |
5187 | + memset(&exp, 0, sizeof(exp)); | |
5188 | + | |
5189 | + off = 0; | |
5190 | + while (nf_mime_nextline(pdata+hdrsoff, hdrslen, &off, | |
5191 | + &lineoff, &linelen)) | |
5192 | + { | |
5193 | + if (linelen == 0) | |
5194 | + { | |
5195 | + break; | |
5196 | + } | |
5197 | + if (off > hdrsoff+hdrslen) | |
5198 | + { | |
5199 | + INFOP("!! overrun !!"); | |
5200 | + break; | |
5201 | + } | |
5202 | + | |
5203 | + if (nf_strncasecmp(pdata+hdrsoff+lineoff, "Transport:", 10) == 0) | |
5204 | + { | |
5205 | + rtsp_parse_transport(pdata+hdrsoff+lineoff, linelen, | |
5206 | + &exp.help.exp_rtsp_info); | |
5207 | + } | |
5208 | + } | |
5209 | + | |
5210 | + if (exp.help.exp_rtsp_info.loport == 0) | |
5211 | + { | |
5212 | + DEBUGP("no udp transports found\n"); | |
5213 | + continue; /* no udp transports found */ | |
5214 | + } | |
5215 | + | |
5216 | + DEBUGP("udp transport found, ports=(%d,%hu,%hu)\n", | |
5217 | + (int)exp.help.exp_rtsp_info.pbtype, | |
5218 | + exp.help.exp_rtsp_info.loport, | |
5219 | + exp.help.exp_rtsp_info.hiport); | |
5220 | + | |
5221 | + LOCK_BH(&ip_rtsp_lock); | |
5222 | + exp.seq = ntohl(tcph->seq) + hdrsoff; /* mark all the headers */ | |
5223 | + exp.help.exp_rtsp_info.len = hdrslen; | |
5224 | + | |
5225 | + exp.tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip; | |
5226 | + exp.mask.src.ip = 0xffffffff; | |
5227 | + exp.tuple.dst.ip = ct->tuplehash[dir].tuple.src.ip; | |
5228 | + exp.mask.dst.ip = 0xffffffff; | |
5229 | + exp.tuple.dst.u.udp.port = exp.help.exp_rtsp_info.loport; | |
5230 | + exp.mask.dst.u.udp.port = (exp.help.exp_rtsp_info.pbtype == pb_range) ? 0xfffe : 0xffff; | |
5231 | + exp.tuple.dst.protonum = IPPROTO_UDP; | |
5232 | + exp.mask.dst.protonum = 0xffff; | |
5233 | + | |
5234 | + DEBUGP("expect_related %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n", | |
5235 | + NIPQUAD(exp.tuple.src.ip), | |
5236 | + ntohs(exp.tuple.src.u.tcp.port), | |
5237 | + NIPQUAD(exp.tuple.dst.ip), | |
5238 | + ntohs(exp.tuple.dst.u.tcp.port)); | |
5239 | + | |
5240 | + /* pass the request off to the nat helper */ | |
5241 | + rc = ip_conntrack_expect_related(ct, &exp); | |
5242 | + UNLOCK_BH(&ip_rtsp_lock); | |
5243 | + if (rc == 0) | |
5244 | + { | |
5245 | + DEBUGP("ip_conntrack_expect_related succeeded\n"); | |
5246 | + } | |
5247 | + else | |
5248 | + { | |
5249 | + INFOP("ip_conntrack_expect_related failed (%d)\n", rc); | |
5250 | + } | |
5251 | + } | |
5252 | + | |
5253 | + return NF_ACCEPT; | |
5254 | +} | |
5255 | + | |
5256 | +/* inbound packet: server->client */ | |
5257 | +static int | |
5258 | +help_in(const struct iphdr* iph, size_t pktlen, | |
5259 | + struct ip_conntrack* ct, enum ip_conntrack_info ctinfo) | |
5260 | +{ | |
5261 | + return NF_ACCEPT; | |
5262 | +} | |
5263 | + | |
5264 | +static int | |
5265 | +help(const struct iphdr* iph, size_t pktlen, | |
5266 | + struct ip_conntrack* ct, enum ip_conntrack_info ctinfo) | |
5267 | +{ | |
5268 | + /* tcplen not negative guarenteed by ip_conntrack_tcp.c */ | |
5269 | + struct tcphdr* tcph = (void*)iph + iph->ihl * 4; | |
5270 | + u_int32_t tcplen = pktlen - iph->ihl * 4; | |
5271 | + | |
5272 | + /* Until there's been traffic both ways, don't look in packets. */ | |
5273 | + if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) | |
5274 | + { | |
5275 | + DEBUGP("conntrackinfo = %u\n", ctinfo); | |
5276 | + return NF_ACCEPT; | |
5277 | + } | |
5278 | + | |
5279 | + /* Not whole TCP header? */ | |
5280 | + if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) | |
5281 | + { | |
5282 | + DEBUGP("tcplen = %u\n", (unsigned)tcplen); | |
5283 | + return NF_ACCEPT; | |
5284 | + } | |
5285 | + | |
5286 | + /* Checksum invalid? Ignore. */ | |
5287 | + /* FIXME: Source route IP option packets --RR */ | |
5288 | + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
5289 | + csum_partial((char*)tcph, tcplen, 0))) | |
5290 | + { | |
5291 | + DEBUGP("bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
5292 | + tcph, tcplen, NIPQUAD(iph->saddr), NIPQUAD(iph->daddr)); | |
5293 | + return NF_ACCEPT; | |
5294 | + } | |
5295 | + | |
5296 | + switch (CTINFO2DIR(ctinfo)) | |
5297 | + { | |
5298 | + case IP_CT_DIR_ORIGINAL: | |
5299 | + help_out(iph, pktlen, ct, ctinfo); | |
5300 | + break; | |
5301 | + case IP_CT_DIR_REPLY: | |
5302 | + help_in(iph, pktlen, ct, ctinfo); | |
5303 | + break; | |
5304 | + } | |
5305 | + | |
5306 | + return NF_ACCEPT; | |
5307 | +} | |
5308 | + | |
5309 | +static struct ip_conntrack_helper rtsp_helpers[MAX_PORTS]; | |
5310 | +static char rtsp_names[MAX_PORTS][10]; | |
5311 | + | |
5312 | +/* This function is intentionally _NOT_ defined as __exit */ | |
5313 | +static void | |
5314 | +fini(void) | |
5315 | +{ | |
5316 | + int i; | |
5317 | + for (i = 0; i < num_ports; i++) | |
5318 | + { | |
5319 | + DEBUGP("unregistering port %d\n", ports[i]); | |
5320 | + ip_conntrack_helper_unregister(&rtsp_helpers[i]); | |
5321 | + } | |
5322 | +} | |
5323 | + | |
5324 | +static int __init | |
5325 | +init(void) | |
5326 | +{ | |
5327 | + int i, ret; | |
5328 | + struct ip_conntrack_helper *hlpr; | |
5329 | + char *tmpname; | |
5330 | + | |
5331 | + printk("ip_conntrack_rtsp v" IP_NF_RTSP_VERSION " loading\n"); | |
5332 | + | |
5333 | + if (max_outstanding < 1) | |
5334 | + { | |
5335 | + printk("ip_conntrack_rtsp: max_outstanding must be a positive integer\n"); | |
5336 | + return -EBUSY; | |
5337 | + } | |
5338 | + if (setup_timeout < 0) | |
5339 | + { | |
5340 | + printk("ip_conntrack_rtsp: setup_timeout must be a positive integer\n"); | |
5341 | + return -EBUSY; | |
5342 | + } | |
5343 | + | |
5344 | + /* If no port given, default to standard rtsp port */ | |
5345 | + if (ports[0] == 0) | |
5346 | + { | |
5347 | + ports[0] = RTSP_PORT; | |
5348 | + } | |
5349 | + | |
5350 | + for (i = 0; (i < MAX_PORTS) && ports[i]; i++) | |
5351 | + { | |
5352 | + hlpr = &rtsp_helpers[i]; | |
5353 | + memset(hlpr, 0, sizeof(struct ip_conntrack_helper)); | |
5354 | + hlpr->tuple.src.u.tcp.port = htons(ports[i]); | |
5355 | + hlpr->tuple.dst.protonum = IPPROTO_TCP; | |
5356 | + hlpr->mask.src.u.tcp.port = 0xFFFF; | |
5357 | + hlpr->mask.dst.protonum = 0xFFFF; | |
5358 | + hlpr->max_expected = max_outstanding; | |
5359 | + hlpr->timeout = setup_timeout; | |
5360 | + hlpr->flags = IP_CT_HELPER_F_REUSE_EXPECT; | |
5361 | + hlpr->me = ip_conntrack_rtsp; | |
5362 | + hlpr->help = help; | |
5363 | + | |
5364 | + tmpname = &rtsp_names[i][0]; | |
5365 | + if (ports[i] == RTSP_PORT) | |
5366 | + { | |
5367 | + sprintf(tmpname, "rtsp"); | |
5368 | + } | |
5369 | + else | |
5370 | + { | |
5371 | + sprintf(tmpname, "rtsp-%d", i); | |
5372 | + } | |
5373 | + hlpr->name = tmpname; | |
5374 | + | |
5375 | + DEBUGP("port #%d: %d\n", i, ports[i]); | |
5376 | + | |
5377 | + ret = ip_conntrack_helper_register(hlpr); | |
5378 | + | |
5379 | + if (ret) | |
5380 | + { | |
5381 | + printk("ip_conntrack_rtsp: ERROR registering port %d\n", ports[i]); | |
5382 | + fini(); | |
5383 | + return -EBUSY; | |
5384 | + } | |
5385 | + num_ports++; | |
5386 | + } | |
5387 | + return 0; | |
5388 | +} | |
5389 | + | |
5390 | +#ifdef CONFIG_IP_NF_NAT_NEEDED | |
5391 | +EXPORT_SYMBOL(ip_rtsp_lock); | |
5392 | +#endif | |
5393 | + | |
5394 | +module_init(init); | |
5395 | +module_exit(fini); | |
5396 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c | |
5397 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-04-28 03:35:45.000000000 +0200 | |
5398 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-04-29 11:18:04.000000000 +0200 | |
5399 | @@ -110,6 +110,9 @@ | |
5400 | len += sprintf(buffer + len, "[ASSURED] "); | |
5401 | len += sprintf(buffer + len, "use=%u ", | |
5402 | atomic_read(&conntrack->ct_general.use)); | |
5403 | +#if defined(CONFIG_IP_NF_CONNTRACK_MARK) | |
5404 | + len += sprintf(buffer + len, "mark=%ld ", conntrack->mark); | |
5405 | +#endif | |
5406 | len += sprintf(buffer + len, "\n"); | |
5407 | ||
5408 | return len; | |
5409 | @@ -633,6 +636,7 @@ | |
5410 | EXPORT_SYMBOL(ip_conntrack_alter_reply); | |
5411 | EXPORT_SYMBOL(ip_conntrack_destroyed); | |
5412 | EXPORT_SYMBOL(ip_conntrack_get); | |
5413 | +EXPORT_SYMBOL(__ip_conntrack_confirm); | |
5414 | EXPORT_SYMBOL(need_ip_conntrack); | |
5415 | EXPORT_SYMBOL(ip_conntrack_helper_register); | |
5416 | EXPORT_SYMBOL(ip_conntrack_helper_unregister); | |
5417 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_talk.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_talk.c | |
5418 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_conntrack_talk.c 1970-01-01 01:00:00.000000000 +0100 | |
5419 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_conntrack_talk.c 2004-04-29 11:21:43.000000000 +0200 | |
5420 | @@ -0,0 +1,360 @@ | |
5421 | +/* | |
5422 | + * talk extension for IP connection tracking. | |
5423 | + * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
5424 | + * | |
5425 | + * This program is free software; you can redistribute it and/or | |
5426 | + * modify it under the terms of the GNU General Public License | |
5427 | + * as published by the Free Software Foundation; either version | |
5428 | + * 2 of the License, or (at your option) any later version. | |
5429 | + ** | |
5430 | + * Module load syntax: | |
5431 | + * insmod ip_nat_talk.o talk=[0|1] ntalk=[0|1] ntalk2=[01] | |
5432 | + * | |
5433 | + * talk=[0|1] disable|enable old talk support | |
5434 | + * ntalk=[0|1] disable|enable ntalk support | |
5435 | + * ntalk2=[0|1] disable|enable ntalk2 support | |
5436 | + * | |
5437 | + * The default is talk=1 ntalk=1 ntalk2=1 | |
5438 | + * | |
5439 | + * The helper does not support simultaneous talk requests. | |
5440 | + ** | |
5441 | + * | |
5442 | + * ASCII art on talk protocols | |
5443 | + * | |
5444 | + * | |
5445 | + * caller server callee server | |
5446 | + * | \ / | |
5447 | + * | \ / | |
5448 | + * | \ / | |
5449 | + * | / | |
5450 | + * | / \ | |
5451 | + * 2 | 1 / \ 3 | |
5452 | + * caller client ----------- callee client | |
5453 | + * 4 | |
5454 | + * | |
5455 | + * 1. caller client <-> callee server: LOOK_UP, then ANNOUNCE invitation | |
5456 | + * ( 2. caller client <-> caller server: LEAVE_INVITE to server ) | |
5457 | + * 3. callee client <-> caller server: LOOK_UP invitation | |
5458 | + * 4. callee client <-> caller client: talk data channel | |
5459 | + * | |
5460 | + * [1]: M. Hunter, talk: a historical protocol for interactive communication | |
5461 | + * draft-hunter-talk-00.txt | |
5462 | + * [2]: D.B. Chapman, E.D. Zwicky: Building Internet Firewalls (O'Reilly) | |
5463 | + */ | |
5464 | +#include <linux/config.h> | |
5465 | +#include <linux/module.h> | |
5466 | +#include <linux/netfilter.h> | |
5467 | +#include <linux/ip.h> | |
5468 | +#include <net/checksum.h> | |
5469 | +#include <net/udp.h> | |
5470 | + | |
5471 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
5472 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
5473 | +#include <linux/netfilter_ipv4/ip_conntrack_core.h> | |
5474 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
5475 | +#include <linux/netfilter_ipv4/ip_conntrack_talk.h> | |
5476 | + | |
5477 | +/* Default all talk protocols are supported */ | |
5478 | +static int talk = 1; | |
5479 | +static int ntalk = 1; | |
5480 | +static int ntalk2 = 1; | |
5481 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
5482 | +MODULE_DESCRIPTION("talk connection tracking module"); | |
5483 | +MODULE_LICENSE("GPL"); | |
5484 | +#ifdef MODULE_PARM | |
5485 | +MODULE_PARM(talk, "i"); | |
5486 | +MODULE_PARM_DESC(talk, "support (old) talk protocol"); | |
5487 | +MODULE_PARM(ntalk, "i"); | |
5488 | +MODULE_PARM_DESC(ntalk, "support ntalk protocol"); | |
5489 | +MODULE_PARM(ntalk2, "i"); | |
5490 | +MODULE_PARM_DESC(ntalk2, "support ntalk2 protocol"); | |
5491 | +#endif | |
5492 | + | |
5493 | +DECLARE_LOCK(ip_talk_lock); | |
5494 | +struct module *ip_conntrack_talk = THIS_MODULE; | |
5495 | + | |
5496 | +#if 0 | |
5497 | +#define DEBUGP printk | |
5498 | +#else | |
5499 | +#define DEBUGP(format, args...) | |
5500 | +#endif | |
5501 | + | |
5502 | +static int talk_expect(struct ip_conntrack *ct); | |
5503 | +static int ntalk_expect(struct ip_conntrack *ct); | |
5504 | + | |
5505 | +static int (*talk_expectfn[2])(struct ip_conntrack *ct) = {talk_expect, ntalk_expect}; | |
5506 | + | |
5507 | +static int talk_help_response(const struct iphdr *iph, size_t len, | |
5508 | + struct ip_conntrack *ct, | |
5509 | + enum ip_conntrack_info ctinfo, | |
5510 | + int talk_port, | |
5511 | + u_char mode, | |
5512 | + u_char type, | |
5513 | + u_char answer, | |
5514 | + struct talk_addr *addr) | |
5515 | +{ | |
5516 | + int dir = CTINFO2DIR(ctinfo); | |
5517 | + struct ip_conntrack_expect expect, *exp = &expect; | |
5518 | + struct ip_ct_talk_expect *exp_talk_info = &exp->help.exp_talk_info; | |
5519 | + | |
5520 | + DEBUGP("ip_ct_talk_help_response: %u.%u.%u.%u:%u, type %d answer %d\n", | |
5521 | + NIPQUAD(addr->ta_addr), ntohs(addr->ta_port), | |
5522 | + type, answer); | |
5523 | + | |
5524 | + if (!(answer == SUCCESS && type == mode)) | |
5525 | + return NF_ACCEPT; | |
5526 | + | |
5527 | + memset(&expect, 0, sizeof(expect)); | |
5528 | + | |
5529 | + if (type == ANNOUNCE) { | |
5530 | + | |
5531 | + DEBUGP("ip_ct_talk_help_response: ANNOUNCE\n"); | |
5532 | + | |
5533 | + /* update the talk info */ | |
5534 | + LOCK_BH(&ip_talk_lock); | |
5535 | + exp_talk_info->port = htons(talk_port); | |
5536 | + | |
5537 | + /* expect callee client -> caller server message */ | |
5538 | + exp->tuple = ((struct ip_conntrack_tuple) | |
5539 | + { { ct->tuplehash[dir].tuple.src.ip, | |
5540 | + { 0 } }, | |
5541 | + { ct->tuplehash[dir].tuple.dst.ip, | |
5542 | + { .tcp = { htons(talk_port) } }, | |
5543 | + IPPROTO_UDP }}); | |
5544 | + exp->mask = ((struct ip_conntrack_tuple) | |
5545 | + { { 0xFFFFFFFF, { 0 } }, | |
5546 | + { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }}); | |
5547 | + | |
5548 | + exp->expectfn = talk_expectfn[talk_port - TALK_PORT]; | |
5549 | + | |
5550 | + DEBUGP("ip_ct_talk_help_response: callee client %u.%u.%u.%u:%u -> caller daemon %u.%u.%u.%u:%u!\n", | |
5551 | + NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.udp.port), | |
5552 | + NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.udp.port)); | |
5553 | + | |
5554 | + /* Ignore failure; should only happen with NAT */ | |
5555 | + ip_conntrack_expect_related(ct, &expect); | |
5556 | + UNLOCK_BH(&ip_talk_lock); | |
5557 | + } | |
5558 | + if (type == LOOK_UP) { | |
5559 | + | |
5560 | + DEBUGP("ip_ct_talk_help_response: LOOK_UP\n"); | |
5561 | + | |
5562 | + /* update the talk info */ | |
5563 | + LOCK_BH(&ip_talk_lock); | |
5564 | + exp_talk_info->port = addr->ta_port; | |
5565 | + | |
5566 | + /* expect callee client -> caller client connection */ | |
5567 | + exp->tuple = ((struct ip_conntrack_tuple) | |
5568 | + { { ct->tuplehash[!dir].tuple.src.ip, | |
5569 | + { 0 } }, | |
5570 | + { addr->ta_addr, | |
5571 | + { addr->ta_port }, | |
5572 | + IPPROTO_TCP }}); | |
5573 | + exp->mask = ((struct ip_conntrack_tuple) | |
5574 | + { { 0xFFFFFFFF, { 0 } }, | |
5575 | + { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); | |
5576 | + | |
5577 | + exp->expectfn = NULL; | |
5578 | + | |
5579 | + DEBUGP("ip_ct_talk_help_response: callee client %u.%u.%u.%u:%u -> caller client %u.%u.%u.%u:%u!\n", | |
5580 | + NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.tcp.port), | |
5581 | + NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.tcp.port)); | |
5582 | + | |
5583 | + /* Ignore failure; should only happen with NAT */ | |
5584 | + ip_conntrack_expect_related(ct, &expect); | |
5585 | + UNLOCK_BH(&ip_talk_lock); | |
5586 | + } | |
5587 | + | |
5588 | + return NF_ACCEPT; | |
5589 | +} | |
5590 | + | |
5591 | +/* FIXME: This should be in userspace. Later. */ | |
5592 | +static int talk_help(const struct iphdr *iph, size_t len, | |
5593 | + struct ip_conntrack *ct, | |
5594 | + enum ip_conntrack_info ctinfo, | |
5595 | + int talk_port, | |
5596 | + u_char mode) | |
5597 | +{ | |
5598 | + struct udphdr *udph = (void *)iph + iph->ihl * 4; | |
5599 | + const char *data = (const char *)udph + sizeof(struct udphdr); | |
5600 | + int dir = CTINFO2DIR(ctinfo); | |
5601 | + size_t udplen; | |
5602 | + | |
5603 | + DEBUGP("ip_ct_talk_help: help entered\n"); | |
5604 | + | |
5605 | + /* Until there's been traffic both ways, don't look in packets. */ | |
5606 | + if (ctinfo != IP_CT_ESTABLISHED | |
5607 | + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { | |
5608 | + DEBUGP("ip_ct_talk_help: Conntrackinfo = %u\n", ctinfo); | |
5609 | + return NF_ACCEPT; | |
5610 | + } | |
5611 | + | |
5612 | + /* Not whole UDP header? */ | |
5613 | + udplen = len - iph->ihl * 4; | |
5614 | + if (udplen < sizeof(struct udphdr)) { | |
5615 | + DEBUGP("ip_ct_talk_help: too short for udph, udplen = %u\n", (unsigned)udplen); | |
5616 | + return NF_ACCEPT; | |
5617 | + } | |
5618 | + | |
5619 | + /* Checksum invalid? Ignore. */ | |
5620 | + /* FIXME: Source route IP option packets --RR */ | |
5621 | + if (csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP, | |
5622 | + csum_partial((char *)udph, udplen, 0))) { | |
5623 | + DEBUGP("ip_ct_talk_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", | |
5624 | + udph, udplen, NIPQUAD(iph->saddr), | |
5625 | + NIPQUAD(iph->daddr)); | |
5626 | + return NF_ACCEPT; | |
5627 | + } | |
5628 | + | |
5629 | + DEBUGP("ip_ct_talk_help: %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
5630 | + NIPQUAD(iph->saddr), ntohs(udph->source), NIPQUAD(iph->daddr), ntohs(udph->dest)); | |
5631 | + | |
5632 | + if (dir == IP_CT_DIR_ORIGINAL) | |
5633 | + return NF_ACCEPT; | |
5634 | + | |
5635 | + if (talk_port == TALK_PORT | |
5636 | + && udplen == sizeof(struct udphdr) + sizeof(struct talk_response)) | |
5637 | + return talk_help_response(iph, len, ct, ctinfo, talk_port, mode, | |
5638 | + ((struct talk_response *)data)->type, | |
5639 | + ((struct talk_response *)data)->answer, | |
5640 | + &(((struct talk_response *)data)->addr)); | |
5641 | + else if (talk_port == NTALK_PORT | |
5642 | + && ntalk | |
5643 | + && udplen == sizeof(struct udphdr) + sizeof(struct ntalk_response) | |
5644 | + && ((struct ntalk_response *)data)->vers == NTALK_VERSION) | |
5645 | + return talk_help_response(iph, len, ct, ctinfo, talk_port, mode, | |
5646 | + ((struct ntalk_response *)data)->type, | |
5647 | + ((struct ntalk_response *)data)->answer, | |
5648 | + &(((struct ntalk_response *)data)->addr)); | |
5649 | + else if (talk_port == NTALK_PORT | |
5650 | + && ntalk2 | |
5651 | + && udplen >= sizeof(struct udphdr) + sizeof(struct ntalk2_response) | |
5652 | + && ((struct ntalk2_response *)data)->vers == NTALK2_VERSION) | |
5653 | + return talk_help_response(iph, len, ct, ctinfo, talk_port, mode, | |
5654 | + ((struct ntalk2_response *)data)->type, | |
5655 | + ((struct ntalk2_response *)data)->answer, | |
5656 | + &(((struct ntalk2_response *)data)->addr)); | |
5657 | + else { | |
5658 | + DEBUGP("ip_ct_talk_help: not ntalk/ntalk2 response, datalen %u != %u or %u + max 256\n", | |
5659 | + (unsigned)udplen - sizeof(struct udphdr), | |
5660 | + sizeof(struct ntalk_response), sizeof(struct ntalk2_response)); | |
5661 | + return NF_ACCEPT; | |
5662 | + } | |
5663 | +} | |
5664 | + | |
5665 | +static int lookup_help(const struct iphdr *iph, size_t len, | |
5666 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
5667 | +{ | |
5668 | + return talk_help(iph, len, ct, ctinfo, TALK_PORT, LOOK_UP); | |
5669 | +} | |
5670 | + | |
5671 | +static int lookup_nhelp(const struct iphdr *iph, size_t len, | |
5672 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
5673 | +{ | |
5674 | + return talk_help(iph, len, ct, ctinfo, NTALK_PORT, LOOK_UP); | |
5675 | +} | |
5676 | + | |
5677 | +static struct ip_conntrack_helper lookup_helpers[2] = | |
5678 | + { { { NULL, NULL }, | |
5679 | + "talk", /* name */ | |
5680 | + 0, /* flags */ | |
5681 | + NULL, /* module */ | |
5682 | + 1, /* max_expected */ | |
5683 | + 240, /* timeout */ | |
5684 | + { { 0, { __constant_htons(TALK_PORT) } }, /* tuple */ | |
5685 | + { 0, { 0 }, IPPROTO_UDP } }, | |
5686 | + { { 0, { 0xFFFF } }, /* mask */ | |
5687 | + { 0, { 0 }, 0xFFFF } }, | |
5688 | + lookup_help }, /* helper */ | |
5689 | + { { NULL, NULL }, | |
5690 | + "ntalk", /* name */ | |
5691 | + 0, /* flags */ | |
5692 | + NULL, /* module */ | |
5693 | + 1, /* max_expected */ | |
5694 | + 240, /* timeout */ | |
5695 | + { { 0, { __constant_htons(NTALK_PORT) } }, /* tuple */ | |
5696 | + { 0, { 0 }, IPPROTO_UDP } }, | |
5697 | + { { 0, { 0xFFFF } }, /* mask */ | |
5698 | + { 0, { 0 }, 0xFFFF } }, | |
5699 | + lookup_nhelp } /* helper */ | |
5700 | + }; | |
5701 | + | |
5702 | +static int talk_expect(struct ip_conntrack *ct) | |
5703 | +{ | |
5704 | + DEBUGP("ip_conntrack_talk: calling talk_expectfn for ct %p\n", ct); | |
5705 | + WRITE_LOCK(&ip_conntrack_lock); | |
5706 | + ct->helper = &lookup_helpers[0]; | |
5707 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
5708 | + | |
5709 | + return NF_ACCEPT; /* unused */ | |
5710 | +} | |
5711 | + | |
5712 | +static int ntalk_expect(struct ip_conntrack *ct) | |
5713 | +{ | |
5714 | + DEBUGP("ip_conntrack_talk: calling ntalk_expectfn for ct %p\n", ct); | |
5715 | + WRITE_LOCK(&ip_conntrack_lock); | |
5716 | + ct->helper = &lookup_helpers[1]; | |
5717 | + WRITE_UNLOCK(&ip_conntrack_lock); | |
5718 | + | |
5719 | + return NF_ACCEPT; /* unused */ | |
5720 | +} | |
5721 | + | |
5722 | +static int help(const struct iphdr *iph, size_t len, | |
5723 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
5724 | +{ | |
5725 | + return talk_help(iph, len, ct, ctinfo, TALK_PORT, ANNOUNCE); | |
5726 | +} | |
5727 | + | |
5728 | +static int nhelp(const struct iphdr *iph, size_t len, | |
5729 | + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) | |
5730 | +{ | |
5731 | + return talk_help(iph, len, ct, ctinfo, NTALK_PORT, ANNOUNCE); | |
5732 | +} | |
5733 | + | |
5734 | +static struct ip_conntrack_helper talk_helpers[2] = | |
5735 | + { { { NULL, NULL }, | |
5736 | + "talk", /* name */ | |
5737 | + 0, /* flags */ | |
5738 | + THIS_MODULE, /* module */ | |
5739 | + 1, /* max_expected */ | |
5740 | + 240, /* timeout */ | |
5741 | + { { 0, { __constant_htons(TALK_PORT) } }, /* tuple */ | |
5742 | + { 0, { 0 }, IPPROTO_UDP } }, | |
5743 | + { { 0, { 0xFFFF } }, /* mask */ | |
5744 | + { 0, { 0 }, 0xFFFF } }, | |
5745 | + help }, /* helper */ | |
5746 | + { { NULL, NULL }, | |
5747 | + "ntalk", /* name */ | |
5748 | + 0, /* flags */ | |
5749 | + THIS_MODULE, /* module */ | |
5750 | + 1, /* max_expected */ | |
5751 | + 240, /* timeout */ | |
5752 | + { { 0, { __constant_htons(NTALK_PORT) } }, /* tuple */ | |
5753 | + { 0, { 0 }, IPPROTO_UDP } }, | |
5754 | + { { 0, { 0xFFFF } }, /* mask */ | |
5755 | + { 0, { 0 }, 0xFFFF } }, | |
5756 | + nhelp } /* helper */ | |
5757 | + }; | |
5758 | + | |
5759 | +static int __init init(void) | |
5760 | +{ | |
5761 | + if (talk > 0) | |
5762 | + ip_conntrack_helper_register(&talk_helpers[0]); | |
5763 | + if (ntalk > 0 || ntalk2 > 0) | |
5764 | + ip_conntrack_helper_register(&talk_helpers[1]); | |
5765 | + | |
5766 | + return 0; | |
5767 | +} | |
5768 | + | |
5769 | +static void __exit fini(void) | |
5770 | +{ | |
5771 | + if (talk > 0) | |
5772 | + ip_conntrack_helper_unregister(&talk_helpers[0]); | |
5773 | + if (ntalk > 0 || ntalk2 > 0) | |
5774 | + ip_conntrack_helper_unregister(&talk_helpers[1]); | |
5775 | +} | |
5776 | + | |
5777 | +EXPORT_SYMBOL(ip_talk_lock); | |
5778 | + | |
5779 | +module_init(init); | |
5780 | +module_exit(fini); | |
384c1045 | 5781 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_h323.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_h323.c |
5782 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_h323.c 1970-01-01 01:00:00.000000000 +0100 | |
5783 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_h323.c 2004-04-29 11:18:00.000000000 +0200 | |
5784 | @@ -0,0 +1,419 @@ | |
5785 | +/* | |
5786 | + * H.323 'brute force' extension for NAT alteration. | |
5787 | + * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
5788 | + * | |
5789 | + * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project. | |
5790 | + * (http://www.coritel.it/projects/sofia/nat.html) | |
5791 | + * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind' | |
5792 | + * the unregistered helpers to the conntrack entries. | |
5793 | + */ | |
5794 | + | |
5795 | + | |
5796 | +#include <linux/module.h> | |
5797 | +#include <linux/netfilter.h> | |
5798 | +#include <linux/ip.h> | |
5799 | +#include <net/checksum.h> | |
5800 | +#include <net/tcp.h> | |
5801 | + | |
5802 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
5803 | +#include <linux/netfilter_ipv4/ip_nat.h> | |
5804 | +#include <linux/netfilter_ipv4/ip_nat_helper.h> | |
5805 | +#include <linux/netfilter_ipv4/ip_nat_rule.h> | |
5806 | +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> | |
5807 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
5808 | +#include <linux/netfilter_ipv4/ip_conntrack_h323.h> | |
5809 | + | |
5810 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
5811 | +MODULE_DESCRIPTION("H.323 'brute force' connection tracking module"); | |
5812 | +MODULE_LICENSE("GPL"); | |
5813 | + | |
5814 | +DECLARE_LOCK_EXTERN(ip_h323_lock); | |
5815 | +struct module *ip_nat_h323 = THIS_MODULE; | |
5816 | + | |
5817 | +#if 0 | |
5818 | +#define DEBUGP printk | |
5819 | +#else | |
5820 | +#define DEBUGP(format, args...) | |
5821 | +#endif | |
5822 | + | |
5823 | +/* FIXME: Time out? --RR */ | |
5824 | + | |
5825 | +static unsigned int | |
5826 | +h225_nat_expected(struct sk_buff **pskb, | |
5827 | + unsigned int hooknum, | |
5828 | + struct ip_conntrack *ct, | |
5829 | + struct ip_nat_info *info); | |
5830 | + | |
5831 | +static unsigned int h225_nat_help(struct ip_conntrack *ct, | |
5832 | + struct ip_conntrack_expect *exp, | |
5833 | + struct ip_nat_info *info, | |
5834 | + enum ip_conntrack_info ctinfo, | |
5835 | + unsigned int hooknum, | |
5836 | + struct sk_buff **pskb); | |
5837 | + | |
5838 | +static struct ip_nat_helper h245 = | |
5839 | + { { NULL, NULL }, | |
5840 | + "H.245", /* name */ | |
5841 | + 0, /* flags */ | |
5842 | + NULL, /* module */ | |
5843 | + { { 0, { 0 } }, /* tuple */ | |
5844 | + { 0, { 0 }, IPPROTO_TCP } }, | |
5845 | + { { 0, { 0xFFFF } }, /* mask */ | |
5846 | + { 0, { 0 }, 0xFFFF } }, | |
5847 | + h225_nat_help, /* helper */ | |
5848 | + h225_nat_expected /* expectfn */ | |
5849 | + }; | |
5850 | + | |
5851 | +static unsigned int | |
5852 | +h225_nat_expected(struct sk_buff **pskb, | |
5853 | + unsigned int hooknum, | |
5854 | + struct ip_conntrack *ct, | |
5855 | + struct ip_nat_info *info) | |
5856 | +{ | |
5857 | + struct ip_nat_multi_range mr; | |
5858 | + u_int32_t newdstip, newsrcip, newip; | |
5859 | + u_int16_t port; | |
5860 | + struct ip_ct_h225_expect *exp_info; | |
5861 | + struct ip_ct_h225_master *master_info; | |
5862 | + struct ip_conntrack *master = master_ct(ct); | |
5863 | + unsigned int is_h225, ret; | |
5864 | + | |
5865 | + IP_NF_ASSERT(info); | |
5866 | + IP_NF_ASSERT(master); | |
5867 | + | |
5868 | + IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum)))); | |
5869 | + | |
5870 | + DEBUGP("h225_nat_expected: We have a connection!\n"); | |
5871 | + master_info = &ct->master->expectant->help.ct_h225_info; | |
5872 | + exp_info = &ct->master->help.exp_h225_info; | |
5873 | + | |
5874 | + LOCK_BH(&ip_h323_lock); | |
5875 | + | |
5876 | + DEBUGP("master: "); | |
5877 | + DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
5878 | + DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_REPLY].tuple); | |
5879 | + DEBUGP("conntrack: "); | |
5880 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
5881 | + if (exp_info->dir == IP_CT_DIR_ORIGINAL) { | |
5882 | + /* Make connection go to the client. */ | |
5883 | + newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
5884 | + newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
5885 | + DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to client)\n", | |
5886 | + NIPQUAD(newsrcip), NIPQUAD(newdstip)); | |
5887 | + } else { | |
5888 | + /* Make the connection go to the server */ | |
5889 | + newdstip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; | |
5890 | + newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
5891 | + DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to server)\n", | |
5892 | + NIPQUAD(newsrcip), NIPQUAD(newdstip)); | |
5893 | + } | |
5894 | + port = exp_info->port; | |
5895 | + is_h225 = master_info->is_h225 == H225_PORT; | |
5896 | + UNLOCK_BH(&ip_h323_lock); | |
5897 | + | |
5898 | + if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) | |
5899 | + newip = newsrcip; | |
5900 | + else | |
5901 | + newip = newdstip; | |
5902 | + | |
5903 | + DEBUGP("h225_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip)); | |
5904 | + | |
5905 | + mr.rangesize = 1; | |
5906 | + /* We don't want to manip the per-protocol, just the IPs... */ | |
5907 | + mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; | |
5908 | + mr.range[0].min_ip = mr.range[0].max_ip = newip; | |
5909 | + | |
5910 | + /* ... unless we're doing a MANIP_DST, in which case, make | |
5911 | + sure we map to the correct port */ | |
5912 | + if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) { | |
5913 | + mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | |
5914 | + mr.range[0].min = mr.range[0].max | |
5915 | + = ((union ip_conntrack_manip_proto) | |
5916 | + { .tcp = { port } }); | |
5917 | + } | |
5918 | + | |
5919 | + ret = ip_nat_setup_info(ct, &mr, hooknum); | |
5920 | + | |
5921 | + if (is_h225) { | |
5922 | + DEBUGP("h225_nat_expected: H.225, setting NAT helper for %p\n", ct); | |
5923 | + /* NAT expectfn called with ip_nat_lock write-locked */ | |
5924 | + info->helper = &h245; | |
5925 | + } | |
5926 | + return ret; | |
5927 | +} | |
5928 | + | |
5929 | +static int h323_signal_address_fixup(struct ip_conntrack *ct, | |
5930 | + struct sk_buff **pskb, | |
5931 | + enum ip_conntrack_info ctinfo) | |
5932 | +{ | |
5933 | + struct iphdr *iph = (*pskb)->nh.iph; | |
5934 | + struct tcphdr *tcph = (void *)iph + iph->ihl*4; | |
5935 | + char *data = (char *) tcph + tcph->doff * 4; | |
5936 | + u_int32_t tcplen = (*pskb)->len - iph->ihl*4; | |
5937 | + u_int32_t datalen = tcplen - tcph->doff*4; | |
5938 | + struct ip_ct_h225_master *info = &ct->help.ct_h225_info; | |
5939 | + u_int32_t newip; | |
5940 | + u_int16_t port; | |
5941 | + int i; | |
5942 | + | |
5943 | + MUST_BE_LOCKED(&ip_h323_lock); | |
5944 | + | |
5945 | + DEBUGP("h323_signal_address_fixup: %s %s\n", | |
5946 | + between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) | |
5947 | + ? "yes" : "no", | |
5948 | + between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) | |
5949 | + ? "yes" : "no"); | |
5950 | + if (!(between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) | |
5951 | + || between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen))) | |
5952 | + return 1; | |
5953 | + | |
5954 | + DEBUGP("h323_signal_address_fixup: offsets %u + 6 and %u + 6 in %u\n", | |
5955 | + info->offset[IP_CT_DIR_ORIGINAL], | |
5956 | + info->offset[IP_CT_DIR_REPLY], | |
5957 | + tcplen); | |
5958 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
5959 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | |
5960 | + | |
5961 | + for (i = 0; i < IP_CT_DIR_MAX; i++) { | |
5962 | + DEBUGP("h323_signal_address_fixup: %s %s\n", | |
5963 | + info->dir == IP_CT_DIR_ORIGINAL ? "original" : "reply", | |
5964 | + i == IP_CT_DIR_ORIGINAL ? "caller" : "callee"); | |
5965 | + if (!between(info->seq[i], ntohl(tcph->seq), | |
5966 | + ntohl(tcph->seq) + datalen)) | |
5967 | + continue; | |
5968 | + if (!between(info->seq[i] + 6, ntohl(tcph->seq), | |
5969 | + ntohl(tcph->seq) + datalen)) { | |
5970 | + /* Partial retransmisison. It's a cracker being funky. */ | |
5971 | + if (net_ratelimit()) { | |
5972 | + printk("H.323_NAT: partial packet %u/6 in %u/%u\n", | |
5973 | + info->seq[i], | |
5974 | + ntohl(tcph->seq), | |
5975 | + ntohl(tcph->seq) + datalen); | |
5976 | + } | |
5977 | + return 0; | |
5978 | + } | |
5979 | + | |
5980 | + /* Change address inside packet to match way we're mapping | |
5981 | + this connection. */ | |
5982 | + if (i == IP_CT_DIR_ORIGINAL) { | |
5983 | + newip = ct->tuplehash[!info->dir].tuple.dst.ip; | |
5984 | + port = ct->tuplehash[!info->dir].tuple.dst.u.tcp.port; | |
5985 | + } else { | |
5986 | + newip = ct->tuplehash[!info->dir].tuple.src.ip; | |
5987 | + port = ct->tuplehash[!info->dir].tuple.src.u.tcp.port; | |
5988 | + } | |
5989 | + | |
5990 | + DEBUGP("h323_signal_address_fixup: orig %s IP:port %u.%u.%u.%u:%u\n", | |
5991 | + i == IP_CT_DIR_ORIGINAL ? "source" : "dest ", | |
5992 | + NIPQUAD(*((u_int32_t *)(data + info->offset[i]))), | |
5993 | + ntohs(*((u_int16_t *)(data + info->offset[i] + 4)))); | |
5994 | + | |
5995 | + /* Modify the packet */ | |
5996 | + *(u_int32_t *)(data + info->offset[i]) = newip; | |
5997 | + *(u_int16_t *)(data + info->offset[i] + 4) = port; | |
5998 | + | |
5999 | + DEBUGP("h323_signal_address_fixup: new %s IP:port %u.%u.%u.%u:%u\n", | |
6000 | + i == IP_CT_DIR_ORIGINAL ? "source" : "dest ", | |
6001 | + NIPQUAD(*((u_int32_t *)(data + info->offset[i]))), | |
6002 | + ntohs(*((u_int16_t *)(data + info->offset[i] + 4)))); | |
6003 | + } | |
6004 | + | |
6005 | + /* fix checksum information */ | |
6006 | + | |
6007 | + (*pskb)->csum = csum_partial((char *)tcph + tcph->doff*4, | |
6008 | + datalen, 0); | |
6009 | + | |
6010 | + tcph->check = 0; | |
6011 | + tcph->check = tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
6012 | + csum_partial((char *)tcph, tcph->doff*4, | |
6013 | + (*pskb)->csum)); | |
6014 | + ip_send_check(iph); | |
6015 | + | |
6016 | + return 1; | |
6017 | +} | |
6018 | + | |
6019 | +static int h323_data_fixup(struct ip_ct_h225_expect *info, | |
6020 | + struct ip_conntrack *ct, | |
6021 | + struct sk_buff **pskb, | |
6022 | + enum ip_conntrack_info ctinfo, | |
6023 | + struct ip_conntrack_expect *expect) | |
6024 | +{ | |
6025 | + u_int32_t newip; | |
6026 | + u_int16_t port; | |
6027 | + struct ip_conntrack_tuple newtuple; | |
6028 | + struct iphdr *iph = (*pskb)->nh.iph; | |
6029 | + struct tcphdr *tcph = (void *)iph + iph->ihl*4; | |
6030 | + char *data = (char *) tcph + tcph->doff * 4; | |
6031 | + u_int32_t tcplen = (*pskb)->len - iph->ihl*4; | |
6032 | + struct ip_ct_h225_master *master_info = &ct->help.ct_h225_info; | |
6033 | + int is_h225; | |
6034 | + | |
6035 | + MUST_BE_LOCKED(&ip_h323_lock); | |
6036 | + DEBUGP("h323_data_fixup: offset %u + 6 in %u\n", info->offset, tcplen); | |
6037 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
6038 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | |
6039 | + | |
6040 | + if (!between(expect->seq + 6, ntohl(tcph->seq), | |
6041 | + ntohl(tcph->seq) + tcplen - tcph->doff * 4)) { | |
6042 | + /* Partial retransmisison. It's a cracker being funky. */ | |
6043 | + if (net_ratelimit()) { | |
6044 | + printk("H.323_NAT: partial packet %u/6 in %u/%u\n", | |
6045 | + expect->seq, | |
6046 | + ntohl(tcph->seq), | |
6047 | + ntohl(tcph->seq) + tcplen - tcph->doff * 4); | |
6048 | + } | |
6049 | + return 0; | |
6050 | + } | |
6051 | + | |
6052 | + /* Change address inside packet to match way we're mapping | |
6053 | + this connection. */ | |
6054 | + if (info->dir == IP_CT_DIR_REPLY) { | |
6055 | + /* Must be where client thinks server is */ | |
6056 | + newip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
6057 | + /* Expect something from client->server */ | |
6058 | + newtuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
6059 | + newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
6060 | + } else { | |
6061 | + /* Must be where server thinks client is */ | |
6062 | + newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
6063 | + /* Expect something from server->client */ | |
6064 | + newtuple.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; | |
6065 | + newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
6066 | + } | |
6067 | + | |
6068 | + is_h225 = (master_info->is_h225 == H225_PORT); | |
6069 | + | |
6070 | + if (is_h225) { | |
6071 | + newtuple.dst.protonum = IPPROTO_TCP; | |
6072 | + newtuple.src.u.tcp.port = expect->tuple.src.u.tcp.port; | |
6073 | + } else { | |
6074 | + newtuple.dst.protonum = IPPROTO_UDP; | |
6075 | + newtuple.src.u.udp.port = expect->tuple.src.u.udp.port; | |
6076 | + } | |
6077 | + | |
6078 | + /* Try to get same port: if not, try to change it. */ | |
6079 | + for (port = ntohs(info->port); port != 0; port++) { | |
6080 | + if (is_h225) | |
6081 | + newtuple.dst.u.tcp.port = htons(port); | |
6082 | + else | |
6083 | + newtuple.dst.u.udp.port = htons(port); | |
6084 | + | |
6085 | + if (ip_conntrack_change_expect(expect, &newtuple) == 0) | |
6086 | + break; | |
6087 | + } | |
6088 | + if (port == 0) { | |
6089 | + DEBUGP("h323_data_fixup: no free port found!\n"); | |
6090 | + return 0; | |
6091 | + } | |
6092 | + | |
6093 | + port = htons(port); | |
6094 | + | |
6095 | + DEBUGP("h323_data_fixup: orig IP:port %u.%u.%u.%u:%u\n", | |
6096 | + NIPQUAD(*((u_int32_t *)(data + info->offset))), | |
6097 | + ntohs(*((u_int16_t *)(data + info->offset + 4)))); | |
6098 | + | |
6099 | + /* Modify the packet */ | |
6100 | + *(u_int32_t *)(data + info->offset) = newip; | |
6101 | + *(u_int16_t *)(data + info->offset + 4) = port; | |
6102 | + | |
6103 | + DEBUGP("h323_data_fixup: new IP:port %u.%u.%u.%u:%u\n", | |
6104 | + NIPQUAD(*((u_int32_t *)(data + info->offset))), | |
6105 | + ntohs(*((u_int16_t *)(data + info->offset + 4)))); | |
6106 | + | |
6107 | + /* fix checksum information */ | |
6108 | + /* FIXME: usually repeated multiple times in the case of H.245! */ | |
6109 | + | |
6110 | + (*pskb)->csum = csum_partial((char *)tcph + tcph->doff*4, | |
6111 | + tcplen - tcph->doff*4, 0); | |
6112 | + | |
6113 | + tcph->check = 0; | |
6114 | + tcph->check = tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, | |
6115 | + csum_partial((char *)tcph, tcph->doff*4, | |
6116 | + (*pskb)->csum)); | |
6117 | + ip_send_check(iph); | |
6118 | + | |
6119 | + return 1; | |
6120 | +} | |
6121 | + | |
6122 | +static unsigned int h225_nat_help(struct ip_conntrack *ct, | |
6123 | + struct ip_conntrack_expect *exp, | |
6124 | + struct ip_nat_info *info, | |
6125 | + enum ip_conntrack_info ctinfo, | |
6126 | + unsigned int hooknum, | |
6127 | + struct sk_buff **pskb) | |
6128 | +{ | |
6129 | + int dir; | |
6130 | + struct ip_ct_h225_expect *exp_info; | |
6131 | + | |
6132 | + /* Only mangle things once: original direction in POST_ROUTING | |
6133 | + and reply direction on PRE_ROUTING. */ | |
6134 | + dir = CTINFO2DIR(ctinfo); | |
6135 | + DEBUGP("nat_h323: dir %s at hook %s\n", | |
6136 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
6137 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6138 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6139 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); | |
6140 | + if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) | |
6141 | + || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { | |
6142 | + DEBUGP("nat_h323: Not touching dir %s at hook %s\n", | |
6143 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
6144 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6145 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6146 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); | |
6147 | + return NF_ACCEPT; | |
6148 | + } | |
6149 | + | |
6150 | + if (!exp) { | |
6151 | + LOCK_BH(&ip_h323_lock); | |
6152 | + if (!h323_signal_address_fixup(ct, pskb, ctinfo)) { | |
6153 | + UNLOCK_BH(&ip_h323_lock); | |
6154 | + return NF_DROP; | |
6155 | + } | |
6156 | + UNLOCK_BH(&ip_h323_lock); | |
6157 | + return NF_ACCEPT; | |
6158 | + } | |
6159 | + | |
6160 | + exp_info = &exp->help.exp_h225_info; | |
6161 | + | |
6162 | + LOCK_BH(&ip_h323_lock); | |
6163 | + if (!h323_data_fixup(exp_info, ct, pskb, ctinfo, exp)) { | |
6164 | + UNLOCK_BH(&ip_h323_lock); | |
6165 | + return NF_DROP; | |
6166 | + } | |
6167 | + UNLOCK_BH(&ip_h323_lock); | |
6168 | + | |
6169 | + return NF_ACCEPT; | |
6170 | +} | |
6171 | + | |
6172 | +static struct ip_nat_helper h225 = | |
6173 | + { { NULL, NULL }, | |
6174 | + "H.225", /* name */ | |
6175 | + IP_NAT_HELPER_F_ALWAYS, /* flags */ | |
6176 | + THIS_MODULE, /* module */ | |
6177 | + { { 0, { .tcp = { __constant_htons(H225_PORT) } } }, /* tuple */ | |
6178 | + { 0, { 0 }, IPPROTO_TCP } }, | |
6179 | + { { 0, { .tcp = { 0xFFFF } } }, /* mask */ | |
6180 | + { 0, { 0 }, 0xFFFF } }, | |
6181 | + h225_nat_help, /* helper */ | |
6182 | + h225_nat_expected /* expectfn */ | |
6183 | + }; | |
6184 | + | |
6185 | +static int __init init(void) | |
6186 | +{ | |
6187 | + int ret; | |
6188 | + | |
6189 | + ret = ip_nat_helper_register(&h225); | |
6190 | + | |
6191 | + if (ret != 0) | |
6192 | + printk("ip_nat_h323: cannot initialize the module!\n"); | |
6193 | + | |
6194 | + return ret; | |
6195 | +} | |
6196 | + | |
6197 | +static void __exit fini(void) | |
6198 | +{ | |
6199 | + ip_nat_helper_unregister(&h225); | |
6200 | +} | |
6201 | + | |
6202 | +module_init(init); | |
6203 | +module_exit(fini); | |
6204 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_mms.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_mms.c | |
6205 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_mms.c 1970-01-01 01:00:00.000000000 +0100 | |
6206 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_mms.c 2004-04-29 11:19:01.000000000 +0200 | |
6207 | @@ -0,0 +1,350 @@ | |
6208 | +/* MMS extension for TCP NAT alteration. | |
6209 | + * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be> | |
6210 | + * based on ip_nat_ftp.c and ip_nat_irc.c | |
6211 | + * | |
6212 | + * ip_nat_mms.c v0.3 2002-09-22 | |
6213 | + * | |
6214 | + * This program is free software; you can redistribute it and/or | |
6215 | + * modify it under the terms of the GNU General Public License | |
6216 | + * as published by the Free Software Foundation; either version | |
6217 | + * 2 of the License, or (at your option) any later version. | |
6218 | + * | |
6219 | + * Module load syntax: | |
6220 | + * insmod ip_nat_mms.o ports=port1,port2,...port<MAX_PORTS> | |
6221 | + * | |
6222 | + * Please give the ports of all MMS servers You wish to connect to. | |
6223 | + * If you don't specify ports, the default will be TCP port 1755. | |
6224 | + * | |
6225 | + * More info on MMS protocol, firewalls and NAT: | |
6226 | + * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp | |
6227 | + * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp | |
6228 | + * | |
6229 | + * The SDP project people are reverse-engineering MMS: | |
6230 | + * http://get.to/sdp | |
6231 | + */ | |
6232 | + | |
6233 | +/* FIXME: issue with UDP & fragmentation with this URL: | |
6234 | + http://www.cnn.com/video/world/2002/01/21/jb.shoe.bomb.cafe.cnn.low.asx | |
6235 | + may be related to out-of-order first packets: | |
6236 | + basically the expectation is set up correctly, then the server sends | |
6237 | + a first UDP packet which is fragmented plus arrives out-of-order. | |
6238 | + the MASQUERADING firewall with ip_nat_mms loaded responds with | |
6239 | + an ICMP unreachable back to the server */ | |
6240 | + | |
6241 | +#include <linux/module.h> | |
6242 | +#include <linux/netfilter_ipv4.h> | |
6243 | +#include <linux/ip.h> | |
6244 | +#include <linux/tcp.h> | |
6245 | +#include <net/tcp.h> | |
6246 | +#include <linux/netfilter_ipv4/ip_nat.h> | |
6247 | +#include <linux/netfilter_ipv4/ip_nat_helper.h> | |
6248 | +#include <linux/netfilter_ipv4/ip_nat_rule.h> | |
6249 | +#include <linux/netfilter_ipv4/ip_conntrack_mms.h> | |
6250 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
6251 | + | |
6252 | +#if 0 | |
6253 | +#define DEBUGP printk | |
6254 | +#define DUMP_BYTES(address, counter) \ | |
6255 | +({ \ | |
6256 | + int temp_counter; \ | |
6257 | + for(temp_counter=0; temp_counter<counter; ++temp_counter) { \ | |
6258 | + DEBUGP("%u ", (u8)*(address+temp_counter)); \ | |
6259 | + }; \ | |
6260 | + DEBUGP("\n"); \ | |
6261 | +}) | |
6262 | +#else | |
6263 | +#define DEBUGP(format, args...) | |
6264 | +#define DUMP_BYTES(address, counter) | |
6265 | +#endif | |
6266 | + | |
6267 | +#define MAX_PORTS 8 | |
6268 | +static int ports[MAX_PORTS]; | |
6269 | +static int ports_c = 0; | |
6270 | + | |
6271 | +#ifdef MODULE_PARM | |
6272 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
6273 | +#endif | |
6274 | + | |
6275 | +MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>"); | |
6276 | +MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) NAT module"); | |
6277 | +MODULE_LICENSE("GPL"); | |
6278 | + | |
6279 | +DECLARE_LOCK_EXTERN(ip_mms_lock); | |
6280 | + | |
6281 | +/* FIXME: Time out? --RR */ | |
6282 | + | |
6283 | +static int mms_data_fixup(const struct ip_ct_mms_expect *ct_mms_info, | |
6284 | + struct ip_conntrack *ct, | |
6285 | + struct sk_buff **pskb, | |
6286 | + enum ip_conntrack_info ctinfo, | |
6287 | + struct ip_conntrack_expect *expect) | |
6288 | +{ | |
6289 | + u_int32_t newip; | |
6290 | + struct ip_conntrack_tuple t; | |
6291 | + struct iphdr *iph = (*pskb)->nh.iph; | |
6292 | + struct tcphdr *tcph = (void *) iph + iph->ihl * 4; | |
6293 | + char *data = (char *)tcph + tcph->doff * 4; | |
6294 | + int i, j, k, port; | |
6295 | + u_int16_t mms_proto; | |
6296 | + | |
6297 | + u_int32_t *mms_chunkLenLV = (u_int32_t *)(data + MMS_SRV_CHUNKLENLV_OFFSET); | |
6298 | + u_int32_t *mms_chunkLenLM = (u_int32_t *)(data + MMS_SRV_CHUNKLENLM_OFFSET); | |
6299 | + u_int32_t *mms_messageLength = (u_int32_t *)(data + MMS_SRV_MESSAGELENGTH_OFFSET); | |
6300 | + | |
6301 | + int zero_padding; | |
6302 | + | |
6303 | + char buffer[28]; /* "\\255.255.255.255\UDP\65635" * 2 (for unicode) */ | |
6304 | + char unicode_buffer[75]; /* 27*2 (unicode) + 20 + 1 */ | |
6305 | + char proto_string[6]; | |
6306 | + | |
6307 | + MUST_BE_LOCKED(&ip_mms_lock); | |
6308 | + | |
6309 | + /* what was the protocol again ? */ | |
6310 | + mms_proto = expect->tuple.dst.protonum; | |
6311 | + sprintf(proto_string, "%u", mms_proto); | |
6312 | + | |
6313 | + DEBUGP("ip_nat_mms: mms_data_fixup: info (seq %u + %u) in %u, proto %s\n", | |
6314 | + expect->seq, ct_mms_info->len, ntohl(tcph->seq), | |
6315 | + mms_proto == IPPROTO_UDP ? "UDP" | |
6316 | + : mms_proto == IPPROTO_TCP ? "TCP":proto_string); | |
6317 | + | |
6318 | + newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
6319 | + | |
6320 | + /* Alter conntrack's expectations. */ | |
6321 | + t = expect->tuple; | |
6322 | + t.dst.ip = newip; | |
6323 | + for (port = ct_mms_info->port; port != 0; port++) { | |
6324 | + t.dst.u.tcp.port = htons(port); | |
6325 | + if (ip_conntrack_change_expect(expect, &t) == 0) { | |
6326 | + DEBUGP("ip_nat_mms: mms_data_fixup: using port %d\n", port); | |
6327 | + break; | |
6328 | + } | |
6329 | + } | |
6330 | + | |
6331 | + if(port == 0) | |
6332 | + return 0; | |
6333 | + | |
6334 | + sprintf(buffer, "\\\\%u.%u.%u.%u\\%s\\%u", | |
6335 | + NIPQUAD(newip), | |
6336 | + expect->tuple.dst.protonum == IPPROTO_UDP ? "UDP" | |
6337 | + : expect->tuple.dst.protonum == IPPROTO_TCP ? "TCP":proto_string, | |
6338 | + port); | |
6339 | + DEBUGP("ip_nat_mms: new unicode string=%s\n", buffer); | |
6340 | + | |
6341 | + memset(unicode_buffer, 0, sizeof(char)*75); | |
6342 | + | |
6343 | + for (i=0; i<strlen(buffer); ++i) | |
6344 | + *(unicode_buffer+i*2)=*(buffer+i); | |
6345 | + | |
6346 | + DEBUGP("ip_nat_mms: mms_data_fixup: padding: %u len: %u\n", ct_mms_info->padding, ct_mms_info->len); | |
6347 | + DEBUGP("ip_nat_mms: mms_data_fixup: offset: %u\n", MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len); | |
6348 | + DUMP_BYTES(data+MMS_SRV_UNICODE_STRING_OFFSET, 60); | |
6349 | + | |
6350 | + /* add end of packet to it */ | |
6351 | + for (j=0; j<ct_mms_info->padding; ++j) { | |
6352 | + DEBUGP("ip_nat_mms: mms_data_fixup: i=%u j=%u byte=%u\n", | |
6353 | + i, j, (u8)*(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j)); | |
6354 | + *(unicode_buffer+i*2+j) = *(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j); | |
6355 | + } | |
6356 | + | |
6357 | + /* pad with zeroes at the end ? see explanation of weird math below */ | |
6358 | + zero_padding = (8-(strlen(buffer)*2 + ct_mms_info->padding + 4)%8)%8; | |
6359 | + for (k=0; k<zero_padding; ++k) | |
6360 | + *(unicode_buffer+i*2+j+k)= (char)0; | |
6361 | + | |
6362 | + DEBUGP("ip_nat_mms: mms_data_fixup: zero_padding = %u\n", zero_padding); | |
6363 | + DEBUGP("ip_nat_mms: original=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n", | |
6364 | + *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength); | |
6365 | + | |
6366 | + /* explanation, before I forget what I did: | |
6367 | + strlen(buffer)*2 + ct_mms_info->padding + 4 must be divisable by 8; | |
6368 | + divide by 8 and add 3 to compute the mms_chunkLenLM field, | |
6369 | + but note that things may have to be padded with zeroes to align by 8 | |
6370 | + bytes, hence we add 7 and divide by 8 to get the correct length */ | |
6371 | + *mms_chunkLenLM = (u_int32_t) (3+(strlen(buffer)*2+ct_mms_info->padding+11)/8); | |
6372 | + *mms_chunkLenLV = *mms_chunkLenLM+2; | |
6373 | + *mms_messageLength = *mms_chunkLenLV*8; | |
6374 | + | |
6375 | + DEBUGP("ip_nat_mms: modified=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n", | |
6376 | + *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength); | |
6377 | + | |
6378 | + ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, | |
6379 | + expect->seq - ntohl(tcph->seq), | |
6380 | + ct_mms_info->len + ct_mms_info->padding, unicode_buffer, | |
6381 | + strlen(buffer)*2 + ct_mms_info->padding + zero_padding); | |
6382 | + DUMP_BYTES(unicode_buffer, 60); | |
6383 | + | |
6384 | + return 1; | |
6385 | +} | |
6386 | + | |
6387 | +static unsigned int | |
6388 | +mms_nat_expected(struct sk_buff **pskb, | |
6389 | + unsigned int hooknum, | |
6390 | + struct ip_conntrack *ct, | |
6391 | + struct ip_nat_info *info) | |
6392 | +{ | |
6393 | + struct ip_nat_multi_range mr; | |
6394 | + u_int32_t newdstip, newsrcip, newip; | |
6395 | + | |
6396 | + struct ip_conntrack *master = master_ct(ct); | |
6397 | + | |
6398 | + IP_NF_ASSERT(info); | |
6399 | + IP_NF_ASSERT(master); | |
6400 | + | |
6401 | + IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum)))); | |
6402 | + | |
6403 | + DEBUGP("ip_nat_mms: mms_nat_expected: We have a connection!\n"); | |
6404 | + | |
6405 | + newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
6406 | + newsrcip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
6407 | + DEBUGP("ip_nat_mms: mms_nat_expected: hook %s: newsrc->newdst %u.%u.%u.%u->%u.%u.%u.%u\n", | |
6408 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6409 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6410 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???", | |
6411 | + NIPQUAD(newsrcip), NIPQUAD(newdstip)); | |
6412 | + | |
6413 | + if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) | |
6414 | + newip = newsrcip; | |
6415 | + else | |
6416 | + newip = newdstip; | |
6417 | + | |
6418 | + DEBUGP("ip_nat_mms: mms_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip)); | |
6419 | + | |
6420 | + mr.rangesize = 1; | |
6421 | + /* We don't want to manip the per-protocol, just the IPs. */ | |
6422 | + mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; | |
6423 | + mr.range[0].min_ip = mr.range[0].max_ip = newip; | |
6424 | + | |
6425 | + return ip_nat_setup_info(ct, &mr, hooknum); | |
6426 | +} | |
6427 | + | |
6428 | + | |
6429 | +static unsigned int mms_nat_help(struct ip_conntrack *ct, | |
6430 | + struct ip_conntrack_expect *exp, | |
6431 | + struct ip_nat_info *info, | |
6432 | + enum ip_conntrack_info ctinfo, | |
6433 | + unsigned int hooknum, | |
6434 | + struct sk_buff **pskb) | |
6435 | +{ | |
6436 | + struct iphdr *iph = (*pskb)->nh.iph; | |
6437 | + struct tcphdr *tcph = (void *) iph + iph->ihl * 4; | |
6438 | + unsigned int datalen; | |
6439 | + int dir; | |
6440 | + struct ip_ct_mms_expect *ct_mms_info; | |
6441 | + | |
6442 | + if (!exp) | |
6443 | + DEBUGP("ip_nat_mms: no exp!!"); | |
6444 | + | |
6445 | + ct_mms_info = &exp->help.exp_mms_info; | |
6446 | + | |
6447 | + /* Only mangle things once: original direction in POST_ROUTING | |
6448 | + and reply direction on PRE_ROUTING. */ | |
6449 | + dir = CTINFO2DIR(ctinfo); | |
6450 | + if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) | |
6451 | + ||(hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { | |
6452 | + DEBUGP("ip_nat_mms: mms_nat_help: not touching dir %s at hook %s\n", | |
6453 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
6454 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6455 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6456 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); | |
6457 | + return NF_ACCEPT; | |
6458 | + } | |
6459 | + DEBUGP("ip_nat_mms: mms_nat_help: beyond not touching (dir %s at hook %s)\n", | |
6460 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
6461 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6462 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6463 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); | |
6464 | + | |
6465 | + datalen = (*pskb)->len - iph->ihl * 4 - tcph->doff * 4; | |
6466 | + | |
6467 | + DEBUGP("ip_nat_mms: mms_nat_help: %u+%u=%u %u %u\n", exp->seq, ct_mms_info->len, | |
6468 | + exp->seq + ct_mms_info->len, | |
6469 | + ntohl(tcph->seq), | |
6470 | + ntohl(tcph->seq) + datalen); | |
6471 | + | |
6472 | + LOCK_BH(&ip_mms_lock); | |
6473 | + /* Check wether the whole IP/proto/port pattern is carried in the payload */ | |
6474 | + if (between(exp->seq + ct_mms_info->len, | |
6475 | + ntohl(tcph->seq), | |
6476 | + ntohl(tcph->seq) + datalen)) { | |
6477 | + if (!mms_data_fixup(ct_mms_info, ct, pskb, ctinfo, exp)) { | |
6478 | + UNLOCK_BH(&ip_mms_lock); | |
6479 | + return NF_DROP; | |
6480 | + } | |
6481 | + } else { | |
6482 | + /* Half a match? This means a partial retransmisison. | |
6483 | + It's a cracker being funky. */ | |
6484 | + if (net_ratelimit()) { | |
6485 | + printk("ip_nat_mms: partial packet %u/%u in %u/%u\n", | |
6486 | + exp->seq, ct_mms_info->len, | |
6487 | + ntohl(tcph->seq), | |
6488 | + ntohl(tcph->seq) + datalen); | |
6489 | + } | |
6490 | + UNLOCK_BH(&ip_mms_lock); | |
6491 | + return NF_DROP; | |
6492 | + } | |
6493 | + UNLOCK_BH(&ip_mms_lock); | |
6494 | + | |
6495 | + return NF_ACCEPT; | |
6496 | +} | |
6497 | + | |
6498 | +static struct ip_nat_helper mms[MAX_PORTS]; | |
6499 | +static char mms_names[MAX_PORTS][10]; | |
6500 | + | |
6501 | +/* Not __exit: called from init() */ | |
6502 | +static void fini(void) | |
6503 | +{ | |
6504 | + int i; | |
6505 | + | |
6506 | + for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { | |
6507 | + DEBUGP("ip_nat_mms: unregistering helper for port %d\n", ports[i]); | |
6508 | + ip_nat_helper_unregister(&mms[i]); | |
6509 | + } | |
6510 | +} | |
6511 | + | |
6512 | +static int __init init(void) | |
6513 | +{ | |
6514 | + int i, ret = 0; | |
6515 | + char *tmpname; | |
6516 | + | |
6517 | + if (ports[0] == 0) | |
6518 | + ports[0] = MMS_PORT; | |
6519 | + | |
6520 | + for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { | |
6521 | + | |
6522 | + memset(&mms[i], 0, sizeof(struct ip_nat_helper)); | |
6523 | + | |
6524 | + mms[i].tuple.dst.protonum = IPPROTO_TCP; | |
6525 | + mms[i].tuple.src.u.tcp.port = htons(ports[i]); | |
6526 | + mms[i].mask.dst.protonum = 0xFFFF; | |
6527 | + mms[i].mask.src.u.tcp.port = 0xFFFF; | |
6528 | + mms[i].help = mms_nat_help; | |
6529 | + mms[i].me = THIS_MODULE; | |
6530 | + mms[i].flags = 0; | |
6531 | + mms[i].expect = mms_nat_expected; | |
6532 | + | |
6533 | + tmpname = &mms_names[i][0]; | |
6534 | + if (ports[i] == MMS_PORT) | |
6535 | + sprintf(tmpname, "mms"); | |
6536 | + else | |
6537 | + sprintf(tmpname, "mms-%d", i); | |
6538 | + mms[i].name = tmpname; | |
6539 | + | |
6540 | + DEBUGP("ip_nat_mms: register helper for port %d\n", | |
6541 | + ports[i]); | |
6542 | + ret = ip_nat_helper_register(&mms[i]); | |
6543 | + | |
6544 | + if (ret) { | |
6545 | + printk("ip_nat_mms: error registering " | |
6546 | + "helper for port %d\n", ports[i]); | |
6547 | + fini(); | |
6548 | + return ret; | |
6549 | + } | |
6550 | + ports_c++; | |
6551 | + } | |
6552 | + | |
6553 | + return ret; | |
6554 | +} | |
6555 | + | |
6556 | +module_init(init); | |
6557 | +module_exit(fini); | |
6558 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_quake3.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_quake3.c | |
6559 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_quake3.c 1970-01-01 01:00:00.000000000 +0100 | |
6560 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_quake3.c 2004-04-29 11:19:53.000000000 +0200 | |
6561 | @@ -0,0 +1,249 @@ | |
6562 | +/* Quake3 extension for UDP NAT alteration. | |
6563 | + * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be> | |
6564 | + * based on ip_nat_ftp.c and ip_nat_tftp.c | |
6565 | + * | |
6566 | + * ip_nat_quake3.c v0.0.3 2002-08-31 | |
6567 | + * | |
6568 | + * This program is free software; you can redistribute it and/or | |
6569 | + * modify it under the terms of the GNU General Public License | |
6570 | + * as published by the Free Software Foundation; either version | |
6571 | + * 2 of the License, or (at your option) any later version. | |
6572 | + * | |
6573 | + * Module load syntax: | |
6574 | + * insmod ip_nat_quake3.o ports=port1,port2,...port<MAX_PORTS> | |
6575 | + * | |
6576 | + * please give the ports of all Quake3 master servers You wish to | |
6577 | + * connect to. If you don't specify ports, the default will be UDP | |
6578 | + * port 27950. | |
6579 | + * | |
6580 | + * Thanks to the Ethereal folks for their analysis of the Quake3 protocol. | |
6581 | + * | |
6582 | + * Notes: | |
6583 | + * - If you're one of those people who would try anything to lower | |
6584 | + * latency while playing Quake (and who isn't :-) ), you may want to | |
6585 | + * consider not loading ip_nat_quake3 at all and just MASQUERADE all | |
6586 | + * outgoing UDP traffic. | |
6587 | + * This will make ip_conntrack_quake3 add the necessary expectations, | |
6588 | + * but there will be no overhead for client->server UDP streams. If | |
6589 | + * ip_nat_quake3 is loaded, quake3_nat_expected will be called per NAT | |
6590 | + * hook for every packet in the client->server UDP stream. | |
6591 | + * - Only SNAT/MASQUEARDE targets are useful for ip_nat_quake3. | |
6592 | + * The IP addresses in the master connection payload (=IP addresses | |
6593 | + * of Quake servers) have no relation with the master server so | |
6594 | + * DNAT'ing the master connection to a server should not change the | |
6595 | + * expected connections. | |
6596 | + * - Not tested due to lack of equipment: | |
6597 | + * - multiple Quake3 clients behind one MASQUERADE gateway | |
6598 | + * - what if Quake3 client is running on router too | |
6599 | + */ | |
6600 | + | |
6601 | +#include <linux/module.h> | |
6602 | +#include <linux/netfilter_ipv4.h> | |
6603 | +#include <linux/ip.h> | |
6604 | +#include <linux/udp.h> | |
6605 | + | |
6606 | +#include <linux/netfilter.h> | |
6607 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
6608 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
6609 | +#include <linux/netfilter_ipv4/ip_conntrack_quake3.h> | |
6610 | +#include <linux/netfilter_ipv4/ip_nat_helper.h> | |
6611 | +#include <linux/netfilter_ipv4/ip_nat_rule.h> | |
6612 | + | |
6613 | +MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>"); | |
6614 | +MODULE_DESCRIPTION("Netfilter NAT helper for Quake III Arena"); | |
6615 | +MODULE_LICENSE("GPL"); | |
6616 | + | |
6617 | +#define MAX_PORTS 8 | |
6618 | + | |
6619 | +static int ports[MAX_PORTS]; | |
6620 | +static int ports_c = 0; | |
6621 | +#ifdef MODULE_PARM | |
6622 | +MODULE_PARM(ports,"1-" __MODULE_STRING(MAX_PORTS) "i"); | |
6623 | +MODULE_PARM_DESC(ports, "port numbers of Quake III master servers"); | |
6624 | +#endif | |
6625 | + | |
6626 | +/* Quake3 master server reply will add > 100 expectations per reply packet; when | |
6627 | + doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */ | |
6628 | +#if 0 | |
6629 | +#define DEBUGP printk | |
6630 | +#else | |
6631 | +#define DEBUGP(format, args...) | |
6632 | +#endif | |
6633 | + | |
6634 | +static struct quake3_search quake3s_nat = { "****", "getserversResponse", sizeof("getserversResponse") - 1 }; | |
6635 | + | |
6636 | +static unsigned int | |
6637 | +quake3_nat_help(struct ip_conntrack *ct, | |
6638 | + struct ip_conntrack_expect *exp, | |
6639 | + struct ip_nat_info *info, | |
6640 | + enum ip_conntrack_info ctinfo, | |
6641 | + unsigned int hooknum, | |
6642 | + struct sk_buff **pskb) | |
6643 | +{ | |
6644 | + struct iphdr *iph = (*pskb)->nh.iph; | |
6645 | + struct udphdr *udph = (void *)iph + iph->ihl * 4; | |
6646 | + struct ip_conntrack_tuple repl; | |
6647 | + int dir = CTINFO2DIR(ctinfo); | |
6648 | + int i; | |
6649 | + | |
6650 | + DEBUGP("ip_nat_quake3: quake3_nat_help, direction: %s hook: %s\n", | |
6651 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
6652 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6653 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6654 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???" | |
6655 | + ); | |
6656 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
6657 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | |
6658 | + | |
6659 | + /* Only mangle things once: original direction in POST_ROUTING | |
6660 | + and reply direction on PRE_ROUTING. */ | |
6661 | + if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) | |
6662 | + || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { | |
6663 | + DEBUGP("ip_nat_quake3: Not touching dir %s at hook %s\n", | |
6664 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
6665 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6666 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6667 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "????"); | |
6668 | + return NF_ACCEPT; | |
6669 | + } | |
6670 | + | |
6671 | + if (!exp) { | |
6672 | + DEBUGP("no conntrack expectation to modify\n"); | |
6673 | + return NF_ACCEPT; | |
6674 | + } | |
6675 | + | |
6676 | + if (strnicmp((const char *)udph + 12, quake3s_nat.pattern, quake3s_nat.plen) == 0) { | |
6677 | + for(i=31; /* 8 bytes UDP hdr, 4 bytes filler, 18 bytes "getserversResponse", 1 byte "\" */ | |
6678 | + i+6 < ntohs(udph->len); | |
6679 | + i+=7) { | |
6680 | + DEBUGP("ip_nat_quake3: adding server at offset %u/%u %u.%u.%u.%u:%u\n", | |
6681 | + i, ntohs(udph->len), | |
6682 | + NIPQUAD( (u_int32_t) *( (u_int32_t *)( (int)udph + i ) ) ), | |
6683 | + ntohs((__u16) *( (__u16 *)( (int)udph + i + 4 ) ) ) ); | |
6684 | + | |
6685 | + memset(&repl, 0, sizeof(repl)); | |
6686 | + | |
6687 | + repl.dst.protonum = IPPROTO_UDP; | |
6688 | + repl.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
6689 | + repl.dst.ip = *( (u_int32_t *)( (int)udph + i ) ); | |
6690 | + repl.dst.u.udp.port = (__u16) *( (__u16 *)( (int)udph + i + 4 ) ); | |
6691 | + | |
6692 | + ip_conntrack_change_expect(exp, &repl); | |
6693 | + } | |
6694 | + } | |
6695 | + return NF_ACCEPT; | |
6696 | +} | |
6697 | + | |
6698 | +static unsigned int | |
6699 | +quake3_nat_expected(struct sk_buff **pskb, | |
6700 | + unsigned int hooknum, | |
6701 | + struct ip_conntrack *ct, | |
6702 | + struct ip_nat_info *info) | |
6703 | +{ | |
6704 | + const struct ip_conntrack *master = ct->master->expectant; | |
6705 | + struct ip_nat_multi_range mr; | |
6706 | + u_int32_t newsrcip, newdstip, newip; | |
6707 | +#if 0 | |
6708 | + const struct ip_conntrack_tuple *repl = | |
6709 | + &master->tuplehash[IP_CT_DIR_REPLY].tuple; | |
6710 | + struct iphdr *iph = (*pskb)->nh.iph; | |
6711 | + struct udphdr *udph = (void *)iph + iph->ihl*4; | |
6712 | +#endif | |
6713 | + | |
6714 | + DEBUGP("ip_nat_quake3: quake3_nat_expected: here we are\n"); | |
6715 | + DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | |
6716 | + | |
6717 | + IP_NF_ASSERT(info); | |
6718 | + IP_NF_ASSERT(master); | |
6719 | + IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum)))); | |
6720 | + | |
6721 | + newdstip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
6722 | + newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
6723 | + | |
6724 | + if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) { | |
6725 | + newip = newsrcip; | |
6726 | + DEBUGP("hook: %s orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u " | |
6727 | + "newsrc: %u.%u.%u.%u\n", | |
6728 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6729 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6730 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "????", | |
6731 | + NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source), | |
6732 | + NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest), | |
6733 | + NIPQUAD(newip)); | |
6734 | + | |
6735 | + } else { | |
6736 | + newip = newdstip; | |
6737 | + DEBUGP("hook: %s orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u " | |
6738 | + "newdst: %u.%u.%u.%u\n", | |
6739 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
6740 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
6741 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "????", | |
6742 | + NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source), | |
6743 | + NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest), | |
6744 | + NIPQUAD(newip)); | |
6745 | + } | |
6746 | + | |
6747 | + mr.rangesize = 1; | |
6748 | + mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; | |
6749 | + mr.range[0].min_ip = mr.range[0].max_ip = newip; | |
6750 | + | |
6751 | + return ip_nat_setup_info(ct,&mr,hooknum); | |
6752 | +} | |
6753 | + | |
6754 | +static struct ip_nat_helper quake3[MAX_PORTS]; | |
6755 | +static char quake3_names[MAX_PORTS][13]; /* quake3-65535 */ | |
6756 | + | |
6757 | +static void fini(void) | |
6758 | +{ | |
6759 | + int i; | |
6760 | + | |
6761 | + for (i = 0 ; i < ports_c; i++) { | |
6762 | + DEBUGP("ip_nat_quake3: unregistering helper for port %d\n", ports[i]); | |
6763 | + ip_nat_helper_unregister(&quake3[i]); | |
6764 | + } | |
6765 | +} | |
6766 | + | |
6767 | +static int __init init(void) | |
6768 | + { | |
6769 | + int i, ret = 0; | |
6770 | + char *tmpname; | |
6771 | + | |
6772 | + if (!ports[0]) | |
6773 | + ports[0] = QUAKE3_MASTER_PORT; | |
6774 | + | |
6775 | + for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) { | |
6776 | + memset(&quake3[i], 0, sizeof(struct ip_nat_helper)); | |
6777 | + | |
6778 | + quake3[i].tuple.dst.protonum = IPPROTO_UDP; | |
6779 | + quake3[i].tuple.src.u.udp.port = htons(ports[i]); | |
6780 | + quake3[i].mask.dst.protonum = 0xFFFF; | |
6781 | + quake3[i].mask.src.u.udp.port = 0xFFFF; | |
6782 | + quake3[i].help = quake3_nat_help; | |
6783 | + quake3[i].flags = 0; | |
6784 | + quake3[i].me = THIS_MODULE; | |
6785 | + quake3[i].expect = quake3_nat_expected; | |
6786 | + | |
6787 | + tmpname = &quake3_names[i][0]; | |
6788 | + if (ports[i] == QUAKE3_MASTER_PORT) | |
6789 | + sprintf(tmpname, "quake3"); | |
6790 | + else | |
6791 | + sprintf(tmpname, "quake3-%d", i); | |
6792 | + quake3[i].name = tmpname; | |
6793 | + | |
6794 | + DEBUGP("ip_nat_quake3: registering helper for port %d: name %s\n", | |
6795 | + ports[i], quake3[i].name); | |
6796 | + ret = ip_nat_helper_register(&quake3[i]); | |
6797 | + | |
6798 | + if (ret) { | |
6799 | + printk("ip_nat_quake3: unable to register helper for port %d\n", | |
6800 | + ports[i]); | |
6801 | + fini(); | |
6802 | + return ret; | |
6803 | + } | |
6804 | + ports_c++; | |
6805 | + } | |
6806 | + return ret; | |
6807 | + } | |
6808 | + | |
6809 | +module_init(init); | |
6810 | +module_exit(fini); | |
6811 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_rtsp.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_rtsp.c | |
6812 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_rtsp.c 1970-01-01 01:00:00.000000000 +0100 | |
6813 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_rtsp.c 2004-04-29 11:20:13.000000000 +0200 | |
6814 | @@ -0,0 +1,621 @@ | |
6815 | +/* | |
6816 | + * RTSP extension for TCP NAT alteration | |
6817 | + * (C) 2003 by Tom Marshall <tmarshall@real.com> | |
6818 | + * based on ip_nat_irc.c | |
6819 | + * | |
6820 | + * This program is free software; you can redistribute it and/or | |
6821 | + * modify it under the terms of the GNU General Public License | |
6822 | + * as published by the Free Software Foundation; either version | |
6823 | + * 2 of the License, or (at your option) any later version. | |
6824 | + * | |
6825 | + * Module load syntax: | |
6826 | + * insmod ip_nat_rtsp.o ports=port1,port2,...port<MAX_PORTS> | |
6827 | + * stunaddr=<address> | |
6828 | + * destaction=[auto|strip|none] | |
6829 | + * | |
6830 | + * If no ports are specified, the default will be port 554 only. | |
6831 | + * | |
6832 | + * stunaddr specifies the address used to detect that a client is using STUN. | |
6833 | + * If this address is seen in the destination parameter, it is assumed that | |
6834 | + * the client has already punched a UDP hole in the firewall, so we don't | |
6835 | + * mangle the client_port. If none is specified, it is autodetected. It | |
6836 | + * only needs to be set if you have multiple levels of NAT. It should be | |
6837 | + * set to the external address that the STUN clients detect. Note that in | |
6838 | + * this case, it will not be possible for clients to use UDP with servers | |
6839 | + * between the NATs. | |
6840 | + * | |
6841 | + * If no destaction is specified, auto is used. | |
6842 | + * destaction=auto: strip destination parameter if it is not stunaddr. | |
6843 | + * destaction=strip: always strip destination parameter (not recommended). | |
6844 | + * destaction=none: do not touch destination parameter (not recommended). | |
6845 | + */ | |
6846 | + | |
6847 | +#include <linux/module.h> | |
6848 | +#include <linux/netfilter_ipv4.h> | |
6849 | +#include <linux/ip.h> | |
6850 | +#include <linux/tcp.h> | |
6851 | +#include <linux/kernel.h> | |
6852 | +#include <net/tcp.h> | |
6853 | +#include <linux/netfilter_ipv4/ip_nat.h> | |
6854 | +#include <linux/netfilter_ipv4/ip_nat_helper.h> | |
6855 | +#include <linux/netfilter_ipv4/ip_nat_rule.h> | |
6856 | +#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h> | |
6857 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
6858 | + | |
6859 | +#include <linux/inet.h> | |
6860 | +#include <linux/ctype.h> | |
6861 | +#define NF_NEED_STRNCASECMP | |
6862 | +#define NF_NEED_STRTOU16 | |
6863 | +#include <linux/netfilter_helpers.h> | |
6864 | +#define NF_NEED_MIME_NEXTLINE | |
6865 | +#include <linux/netfilter_mime.h> | |
6866 | + | |
6867 | +#define INFOP(fmt, args...) printk(KERN_INFO "%s: %s: " fmt, __FILE__, __FUNCTION__, ## args) | |
6868 | +#ifdef IP_NF_RTSP_DEBUG | |
6869 | +#define DEBUGP(fmt, args...) printk(KERN_DEBUG "%s: %s: " fmt, __FILE__, __FUNCTION__, ## args) | |
6870 | +#else | |
6871 | +#define DEBUGP(fmt, args...) | |
6872 | +#endif | |
6873 | + | |
6874 | +#define MAX_PORTS 8 | |
6875 | +#define DSTACT_AUTO 0 | |
6876 | +#define DSTACT_STRIP 1 | |
6877 | +#define DSTACT_NONE 2 | |
6878 | + | |
6879 | +static int ports[MAX_PORTS]; | |
6880 | +static char* stunaddr = NULL; | |
6881 | +static char* destaction = NULL; | |
6882 | + | |
6883 | +static int num_ports = 0; | |
6884 | +static u_int32_t extip = 0; | |
6885 | +static int dstact = 0; | |
6886 | + | |
6887 | +MODULE_AUTHOR("Tom Marshall <tmarshall@real.com>"); | |
6888 | +MODULE_DESCRIPTION("RTSP network address translation module"); | |
6889 | +MODULE_LICENSE("GPL"); | |
6890 | +#ifdef MODULE_PARM | |
6891 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
6892 | +MODULE_PARM_DESC(ports, "port numbers of RTSP servers"); | |
6893 | +MODULE_PARM(stunaddr, "s"); | |
6894 | +MODULE_PARM_DESC(stunaddr, "Address for detecting STUN"); | |
6895 | +MODULE_PARM(destaction, "s"); | |
6896 | +MODULE_PARM_DESC(destaction, "Action for destination parameter (auto/strip/none)"); | |
6897 | +#endif | |
6898 | + | |
6899 | +/* protects rtsp part of conntracks */ | |
6900 | +DECLARE_LOCK_EXTERN(ip_rtsp_lock); | |
6901 | + | |
6902 | +#define SKIP_WSPACE(ptr,len,off) while(off < len && isspace(*(ptr+off))) { off++; } | |
6903 | + | |
6904 | +/*** helper functions ***/ | |
6905 | + | |
6906 | +static void | |
6907 | +get_skb_tcpdata(struct sk_buff* skb, char** pptcpdata, uint* ptcpdatalen) | |
6908 | +{ | |
6909 | + struct iphdr* iph = (struct iphdr*)skb->nh.iph; | |
6910 | + struct tcphdr* tcph = (struct tcphdr*)((char*)iph + iph->ihl*4); | |
6911 | + | |
6912 | + *pptcpdata = (char*)tcph + tcph->doff*4; | |
6913 | + *ptcpdatalen = ((char*)skb->h.raw + skb->len) - *pptcpdata; | |
6914 | +} | |
6915 | + | |
6916 | +/*** nat functions ***/ | |
6917 | + | |
6918 | +/* | |
6919 | + * Mangle the "Transport:" header: | |
6920 | + * - Replace all occurences of "client_port=<spec>" | |
6921 | + * - Handle destination parameter | |
6922 | + * | |
6923 | + * In: | |
6924 | + * ct, ctinfo = conntrack context | |
6925 | + * pskb = packet | |
6926 | + * tranoff = Transport header offset from TCP data | |
6927 | + * tranlen = Transport header length (incl. CRLF) | |
6928 | + * rport_lo = replacement low port (host endian) | |
6929 | + * rport_hi = replacement high port (host endian) | |
6930 | + * | |
6931 | + * Returns packet size difference. | |
6932 | + * | |
6933 | + * Assumes that a complete transport header is present, ending with CR or LF | |
6934 | + */ | |
6935 | +static int | |
6936 | +rtsp_mangle_tran(struct ip_conntrack* ct, enum ip_conntrack_info ctinfo, | |
6937 | + struct ip_conntrack_expect* exp, | |
6938 | + struct sk_buff** pskb, uint tranoff, uint tranlen) | |
6939 | +{ | |
6940 | + char* ptcp; | |
6941 | + uint tcplen; | |
6942 | + char* ptran; | |
6943 | + char rbuf1[16]; /* Replacement buffer (one port) */ | |
6944 | + uint rbuf1len; /* Replacement len (one port) */ | |
6945 | + char rbufa[16]; /* Replacement buffer (all ports) */ | |
6946 | + uint rbufalen; /* Replacement len (all ports) */ | |
6947 | + u_int32_t newip; | |
6948 | + u_int16_t loport, hiport; | |
6949 | + uint off = 0; | |
6950 | + uint diff; /* Number of bytes we removed */ | |
6951 | + | |
6952 | + struct ip_ct_rtsp_expect* prtspexp = &exp->help.exp_rtsp_info; | |
6953 | + struct ip_conntrack_tuple t; | |
6954 | + | |
6955 | + char szextaddr[15+1]; | |
6956 | + uint extaddrlen; | |
6957 | + int is_stun; | |
6958 | + | |
6959 | + get_skb_tcpdata(*pskb, &ptcp, &tcplen); | |
6960 | + ptran = ptcp+tranoff; | |
6961 | + | |
6962 | + if (tranoff+tranlen > tcplen || tcplen-tranoff < tranlen || | |
6963 | + tranlen < 10 || !iseol(ptran[tranlen-1]) || | |
6964 | + nf_strncasecmp(ptran, "Transport:", 10) != 0) | |
6965 | + { | |
6966 | + INFOP("sanity check failed\n"); | |
6967 | + return 0; | |
6968 | + } | |
6969 | + off += 10; | |
6970 | + SKIP_WSPACE(ptcp+tranoff, tranlen, off); | |
6971 | + | |
6972 | + newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
6973 | + t = exp->tuple; | |
6974 | + t.dst.ip = newip; | |
6975 | + | |
6976 | + extaddrlen = extip ? sprintf(szextaddr, "%u.%u.%u.%u", NIPQUAD(extip)) | |
6977 | + : sprintf(szextaddr, "%u.%u.%u.%u", NIPQUAD(newip)); | |
6978 | + DEBUGP("stunaddr=%s (%s)\n", szextaddr, (extip?"forced":"auto")); | |
6979 | + | |
6980 | + rbuf1len = rbufalen = 0; | |
6981 | + switch (prtspexp->pbtype) | |
6982 | + { | |
6983 | + case pb_single: | |
6984 | + for (loport = prtspexp->loport; loport != 0; loport++) /* XXX: improper wrap? */ | |
6985 | + { | |
6986 | + t.dst.u.udp.port = htons(loport); | |
6987 | + if (ip_conntrack_change_expect(exp, &t) == 0) | |
6988 | + { | |
6989 | + DEBUGP("using port %hu\n", loport); | |
6990 | + break; | |
6991 | + } | |
6992 | + } | |
6993 | + if (loport != 0) | |
6994 | + { | |
6995 | + rbuf1len = sprintf(rbuf1, "%hu", loport); | |
6996 | + rbufalen = sprintf(rbufa, "%hu", loport); | |
6997 | + } | |
6998 | + break; | |
6999 | + case pb_range: | |
7000 | + for (loport = prtspexp->loport; loport != 0; loport += 2) /* XXX: improper wrap? */ | |
7001 | + { | |
7002 | + t.dst.u.udp.port = htons(loport); | |
7003 | + if (ip_conntrack_change_expect(exp, &t) == 0) | |
7004 | + { | |
7005 | + hiport = loport + ~exp->mask.dst.u.udp.port; | |
7006 | + DEBUGP("using ports %hu-%hu\n", loport, hiport); | |
7007 | + break; | |
7008 | + } | |
7009 | + } | |
7010 | + if (loport != 0) | |
7011 | + { | |
7012 | + rbuf1len = sprintf(rbuf1, "%hu", loport); | |
7013 | + rbufalen = sprintf(rbufa, "%hu-%hu", loport, loport+1); | |
7014 | + } | |
7015 | + break; | |
7016 | + case pb_discon: | |
7017 | + for (loport = prtspexp->loport; loport != 0; loport++) /* XXX: improper wrap? */ | |
7018 | + { | |
7019 | + t.dst.u.udp.port = htons(loport); | |
7020 | + if (ip_conntrack_change_expect(exp, &t) == 0) | |
7021 | + { | |
7022 | + DEBUGP("using port %hu (1 of 2)\n", loport); | |
7023 | + break; | |
7024 | + } | |
7025 | + } | |
7026 | + for (hiport = prtspexp->hiport; hiport != 0; hiport++) /* XXX: improper wrap? */ | |
7027 | + { | |
7028 | + t.dst.u.udp.port = htons(hiport); | |
7029 | + if (ip_conntrack_change_expect(exp, &t) == 0) | |
7030 | + { | |
7031 | + DEBUGP("using port %hu (2 of 2)\n", hiport); | |
7032 | + break; | |
7033 | + } | |
7034 | + } | |
7035 | + if (loport != 0 && hiport != 0) | |
7036 | + { | |
7037 | + rbuf1len = sprintf(rbuf1, "%hu", loport); | |
7038 | + if (hiport == loport+1) | |
7039 | + { | |
7040 | + rbufalen = sprintf(rbufa, "%hu-%hu", loport, hiport); | |
7041 | + } | |
7042 | + else | |
7043 | + { | |
7044 | + rbufalen = sprintf(rbufa, "%hu/%hu", loport, hiport); | |
7045 | + } | |
7046 | + } | |
7047 | + break; | |
7048 | + } | |
7049 | + | |
7050 | + if (rbuf1len == 0) | |
7051 | + { | |
7052 | + return 0; /* cannot get replacement port(s) */ | |
7053 | + } | |
7054 | + | |
7055 | + /* Transport: tran;field;field=val,tran;field;field=val,... */ | |
7056 | + while (off < tranlen) | |
7057 | + { | |
7058 | + uint saveoff; | |
7059 | + const char* pparamend; | |
7060 | + uint nextparamoff; | |
7061 | + | |
7062 | + pparamend = memchr(ptran+off, ',', tranlen-off); | |
7063 | + pparamend = (pparamend == NULL) ? ptran+tranlen : pparamend+1; | |
7064 | + nextparamoff = pparamend-ptcp; | |
7065 | + | |
7066 | + /* | |
7067 | + * We pass over each param twice. On the first pass, we look for a | |
7068 | + * destination= field. It is handled by the security policy. If it | |
7069 | + * is present, allowed, and equal to our external address, we assume | |
7070 | + * that STUN is being used and we leave the client_port= field alone. | |
7071 | + */ | |
7072 | + is_stun = 0; | |
7073 | + saveoff = off; | |
7074 | + while (off < nextparamoff) | |
7075 | + { | |
7076 | + const char* pfieldend; | |
7077 | + uint nextfieldoff; | |
7078 | + | |
7079 | + pfieldend = memchr(ptran+off, ';', nextparamoff-off); | |
7080 | + nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; | |
7081 | + | |
7082 | + if (dstact != DSTACT_NONE && strncmp(ptran+off, "destination=", 12) == 0) | |
7083 | + { | |
7084 | + if (strncmp(ptran+off+12, szextaddr, extaddrlen) == 0) | |
7085 | + { | |
7086 | + is_stun = 1; | |
7087 | + } | |
7088 | + if (dstact == DSTACT_STRIP || (dstact == DSTACT_AUTO && !is_stun)) | |
7089 | + { | |
7090 | + diff = nextfieldoff-off; | |
7091 | + if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, | |
7092 | + off, diff, NULL, 0)) | |
7093 | + { | |
7094 | + /* mangle failed, all we can do is bail */ | |
7095 | + return 0; | |
7096 | + } | |
7097 | + get_skb_tcpdata(*pskb, &ptcp, &tcplen); | |
7098 | + ptran = ptcp+tranoff; | |
7099 | + tranlen -= diff; | |
7100 | + nextparamoff -= diff; | |
7101 | + nextfieldoff -= diff; | |
7102 | + } | |
7103 | + } | |
7104 | + | |
7105 | + off = nextfieldoff; | |
7106 | + } | |
7107 | + if (is_stun) | |
7108 | + { | |
7109 | + continue; | |
7110 | + } | |
7111 | + off = saveoff; | |
7112 | + while (off < nextparamoff) | |
7113 | + { | |
7114 | + const char* pfieldend; | |
7115 | + uint nextfieldoff; | |
7116 | + | |
7117 | + pfieldend = memchr(ptran+off, ';', nextparamoff-off); | |
7118 | + nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; | |
7119 | + | |
7120 | + if (strncmp(ptran+off, "client_port=", 12) == 0) | |
7121 | + { | |
7122 | + u_int16_t port; | |
7123 | + uint numlen; | |
7124 | + uint origoff; | |
7125 | + uint origlen; | |
7126 | + char* rbuf = rbuf1; | |
7127 | + uint rbuflen = rbuf1len; | |
7128 | + | |
7129 | + off += 12; | |
7130 | + origoff = (ptran-ptcp)+off; | |
7131 | + origlen = 0; | |
7132 | + numlen = nf_strtou16(ptran+off, &port); | |
7133 | + off += numlen; | |
7134 | + origlen += numlen; | |
7135 | + if (port != prtspexp->loport) | |
7136 | + { | |
7137 | + DEBUGP("multiple ports found, port %hu ignored\n", port); | |
7138 | + } | |
7139 | + else | |
7140 | + { | |
7141 | + if (ptran[off] == '-' || ptran[off] == '/') | |
7142 | + { | |
7143 | + off++; | |
7144 | + origlen++; | |
7145 | + numlen = nf_strtou16(ptran+off, &port); | |
7146 | + off += numlen; | |
7147 | + origlen += numlen; | |
7148 | + rbuf = rbufa; | |
7149 | + rbuflen = rbufalen; | |
7150 | + } | |
7151 | + | |
7152 | + /* | |
7153 | + * note we cannot just memcpy() if the sizes are the same. | |
7154 | + * the mangle function does skb resizing, checks for a | |
7155 | + * cloned skb, and updates the checksums. | |
7156 | + * | |
7157 | + * parameter 4 below is offset from start of tcp data. | |
7158 | + */ | |
7159 | + diff = origlen-rbuflen; | |
7160 | + if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, | |
7161 | + origoff, origlen, rbuf, rbuflen)) | |
7162 | + { | |
7163 | + /* mangle failed, all we can do is bail */ | |
7164 | + return 0; | |
7165 | + } | |
7166 | + get_skb_tcpdata(*pskb, &ptcp, &tcplen); | |
7167 | + ptran = ptcp+tranoff; | |
7168 | + tranlen -= diff; | |
7169 | + nextparamoff -= diff; | |
7170 | + nextfieldoff -= diff; | |
7171 | + } | |
7172 | + } | |
7173 | + | |
7174 | + off = nextfieldoff; | |
7175 | + } | |
7176 | + | |
7177 | + off = nextparamoff; | |
7178 | + } | |
7179 | + | |
7180 | + return 1; | |
7181 | +} | |
7182 | + | |
7183 | +static unsigned int | |
7184 | +expected(struct sk_buff **pskb, uint hooknum, struct ip_conntrack* ct, struct ip_nat_info* info) | |
7185 | +{ | |
7186 | + struct ip_nat_multi_range mr; | |
7187 | + u_int32_t newdstip, newsrcip, newip; | |
7188 | + | |
7189 | + struct ip_conntrack *master = master_ct(ct); | |
7190 | + | |
7191 | + IP_NF_ASSERT(info); | |
7192 | + IP_NF_ASSERT(master); | |
7193 | + | |
7194 | + IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum)))); | |
7195 | + | |
7196 | + newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
7197 | + newsrcip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
7198 | + newip = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) ? newsrcip : newdstip; | |
7199 | + | |
7200 | + DEBUGP("newsrcip=%u.%u.%u.%u, newdstip=%u.%u.%u.%u, newip=%u.%u.%u.%u\n", | |
7201 | + NIPQUAD(newsrcip), NIPQUAD(newdstip), NIPQUAD(newip)); | |
7202 | + | |
7203 | + mr.rangesize = 1; | |
7204 | + /* We don't want to manip the per-protocol, just the IPs. */ | |
7205 | + mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; | |
7206 | + mr.range[0].min_ip = mr.range[0].max_ip = newip; | |
7207 | + | |
7208 | + return ip_nat_setup_info(ct, &mr, hooknum); | |
7209 | +} | |
7210 | + | |
7211 | +static uint | |
7212 | +help_out(struct ip_conntrack* ct, enum ip_conntrack_info ctinfo, | |
7213 | + struct ip_conntrack_expect* exp, struct sk_buff** pskb) | |
7214 | +{ | |
7215 | + char* ptcp; | |
7216 | + uint tcplen; | |
7217 | + uint hdrsoff; | |
7218 | + uint hdrslen; | |
7219 | + uint lineoff; | |
7220 | + uint linelen; | |
7221 | + uint off; | |
7222 | + | |
7223 | + struct iphdr* iph = (struct iphdr*)(*pskb)->nh.iph; | |
7224 | + struct tcphdr* tcph = (struct tcphdr*)((void*)iph + iph->ihl*4); | |
7225 | + | |
7226 | + struct ip_ct_rtsp_expect* prtspexp = &exp->help.exp_rtsp_info; | |
7227 | + | |
7228 | + get_skb_tcpdata(*pskb, &ptcp, &tcplen); | |
7229 | + | |
7230 | + hdrsoff = exp->seq - ntohl(tcph->seq); | |
7231 | + hdrslen = prtspexp->len; | |
7232 | + off = hdrsoff; | |
7233 | + | |
7234 | + while (nf_mime_nextline(ptcp, hdrsoff+hdrslen, &off, &lineoff, &linelen)) | |
7235 | + { | |
7236 | + if (linelen == 0) | |
7237 | + { | |
7238 | + break; | |
7239 | + } | |
7240 | + if (off > hdrsoff+hdrslen) | |
7241 | + { | |
7242 | + INFOP("!! overrun !!"); | |
7243 | + break; | |
7244 | + } | |
7245 | + DEBUGP("hdr: len=%u, %.*s", linelen, (int)linelen, ptcp+lineoff); | |
7246 | + | |
7247 | + if (nf_strncasecmp(ptcp+lineoff, "Transport:", 10) == 0) | |
7248 | + { | |
7249 | + uint oldtcplen = tcplen; | |
7250 | + if (!rtsp_mangle_tran(ct, ctinfo, exp, pskb, lineoff, linelen)) | |
7251 | + { | |
7252 | + break; | |
7253 | + } | |
7254 | + get_skb_tcpdata(*pskb, &ptcp, &tcplen); | |
7255 | + hdrslen -= (oldtcplen-tcplen); | |
7256 | + off -= (oldtcplen-tcplen); | |
7257 | + lineoff -= (oldtcplen-tcplen); | |
7258 | + linelen -= (oldtcplen-tcplen); | |
7259 | + DEBUGP("rep: len=%u, %.*s", linelen, (int)linelen, ptcp+lineoff); | |
7260 | + } | |
7261 | + } | |
7262 | + | |
7263 | + return NF_ACCEPT; | |
7264 | +} | |
7265 | + | |
7266 | +static uint | |
7267 | +help_in(struct ip_conntrack* ct, enum ip_conntrack_info ctinfo, | |
7268 | + struct ip_conntrack_expect* exp, struct sk_buff** pskb) | |
7269 | +{ | |
7270 | + /* XXX: unmangle */ | |
7271 | + return NF_ACCEPT; | |
7272 | +} | |
7273 | + | |
7274 | +static uint | |
7275 | +help(struct ip_conntrack* ct, | |
7276 | + struct ip_conntrack_expect* exp, | |
7277 | + struct ip_nat_info* info, | |
7278 | + enum ip_conntrack_info ctinfo, | |
7279 | + unsigned int hooknum, | |
7280 | + struct sk_buff** pskb) | |
7281 | +{ | |
7282 | + struct iphdr* iph = (struct iphdr*)(*pskb)->nh.iph; | |
7283 | + struct tcphdr* tcph = (struct tcphdr*)((char*)iph + iph->ihl * 4); | |
7284 | + uint datalen; | |
7285 | + int dir; | |
7286 | + struct ip_ct_rtsp_expect* ct_rtsp_info; | |
7287 | + int rc = NF_ACCEPT; | |
7288 | + | |
7289 | + if (ct == NULL || exp == NULL || info == NULL || pskb == NULL) | |
7290 | + { | |
7291 | + DEBUGP("!! null ptr (%p,%p,%p,%p) !!\n", ct, exp, info, pskb); | |
7292 | + return NF_ACCEPT; | |
7293 | + } | |
7294 | + | |
7295 | + ct_rtsp_info = &exp->help.exp_rtsp_info; | |
7296 | + | |
7297 | + /* | |
7298 | + * Only mangle things once: original direction in POST_ROUTING | |
7299 | + * and reply direction on PRE_ROUTING. | |
7300 | + */ | |
7301 | + dir = CTINFO2DIR(ctinfo); | |
7302 | + if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) | |
7303 | + || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) | |
7304 | + { | |
7305 | + DEBUGP("Not touching dir %s at hook %s\n", | |
7306 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
7307 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
7308 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
7309 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); | |
7310 | + return NF_ACCEPT; | |
7311 | + } | |
7312 | + DEBUGP("got beyond not touching\n"); | |
7313 | + | |
7314 | + datalen = (*pskb)->len - iph->ihl * 4 - tcph->doff * 4; | |
7315 | + | |
7316 | + LOCK_BH(&ip_rtsp_lock); | |
7317 | + /* Ensure the packet contains all of the marked data */ | |
7318 | + if (!between(exp->seq + ct_rtsp_info->len, | |
7319 | + ntohl(tcph->seq), ntohl(tcph->seq) + datalen)) | |
7320 | + { | |
7321 | + /* Partial retransmission? Probably a hacker. */ | |
7322 | + if (net_ratelimit()) | |
7323 | + { | |
7324 | + INFOP("partial packet %u/%u in %u/%u\n", | |
7325 | + exp->seq, ct_rtsp_info->len, ntohl(tcph->seq), ntohl(tcph->seq) + datalen); | |
7326 | + } | |
7327 | + UNLOCK_BH(&ip_rtsp_lock); | |
7328 | + return NF_DROP; | |
7329 | + } | |
7330 | + | |
7331 | + switch (dir) | |
7332 | + { | |
7333 | + case IP_CT_DIR_ORIGINAL: | |
7334 | + rc = help_out(ct, ctinfo, exp, pskb); | |
7335 | + break; | |
7336 | + case IP_CT_DIR_REPLY: | |
7337 | + rc = help_in(ct, ctinfo, exp, pskb); | |
7338 | + break; | |
7339 | + } | |
7340 | + UNLOCK_BH(&ip_rtsp_lock); | |
7341 | + | |
7342 | + return rc; | |
7343 | +} | |
7344 | + | |
7345 | +static struct ip_nat_helper ip_nat_rtsp_helpers[MAX_PORTS]; | |
7346 | +static char rtsp_names[MAX_PORTS][10]; | |
7347 | + | |
7348 | +/* This function is intentionally _NOT_ defined as __exit */ | |
7349 | +static void | |
7350 | +fini(void) | |
7351 | +{ | |
7352 | + int i; | |
7353 | + | |
7354 | + for (i = 0; i < num_ports; i++) | |
7355 | + { | |
7356 | + DEBUGP("unregistering helper for port %d\n", ports[i]); | |
7357 | + ip_nat_helper_unregister(&ip_nat_rtsp_helpers[i]); | |
7358 | + } | |
7359 | +} | |
7360 | + | |
7361 | +static int __init | |
7362 | +init(void) | |
7363 | +{ | |
7364 | + int ret = 0; | |
7365 | + int i; | |
7366 | + struct ip_nat_helper* hlpr; | |
7367 | + char* tmpname; | |
7368 | + | |
7369 | + printk("ip_nat_rtsp v" IP_NF_RTSP_VERSION " loading\n"); | |
7370 | + | |
7371 | + if (ports[0] == 0) | |
7372 | + { | |
7373 | + ports[0] = RTSP_PORT; | |
7374 | + } | |
7375 | + | |
7376 | + for (i = 0; (i < MAX_PORTS) && ports[i] != 0; i++) | |
7377 | + { | |
7378 | + hlpr = &ip_nat_rtsp_helpers[i]; | |
7379 | + memset(hlpr, 0, sizeof(struct ip_nat_helper)); | |
7380 | + | |
7381 | + hlpr->tuple.dst.protonum = IPPROTO_TCP; | |
7382 | + hlpr->tuple.src.u.tcp.port = htons(ports[i]); | |
7383 | + hlpr->mask.src.u.tcp.port = 0xFFFF; | |
7384 | + hlpr->mask.dst.protonum = 0xFFFF; | |
7385 | + hlpr->help = help; | |
7386 | + hlpr->flags = 0; | |
7387 | + hlpr->me = THIS_MODULE; | |
7388 | + hlpr->expect = expected; | |
7389 | + | |
7390 | + tmpname = &rtsp_names[i][0]; | |
7391 | + if (ports[i] == RTSP_PORT) | |
7392 | + { | |
7393 | + sprintf(tmpname, "rtsp"); | |
7394 | + } | |
7395 | + else | |
7396 | + { | |
7397 | + sprintf(tmpname, "rtsp-%d", i); | |
7398 | + } | |
7399 | + hlpr->name = tmpname; | |
7400 | + | |
7401 | + DEBUGP("registering helper for port %d: name %s\n", ports[i], hlpr->name); | |
7402 | + ret = ip_nat_helper_register(hlpr); | |
7403 | + | |
7404 | + if (ret) | |
7405 | + { | |
7406 | + printk("ip_nat_rtsp: error registering helper for port %d\n", ports[i]); | |
7407 | + fini(); | |
7408 | + return 1; | |
7409 | + } | |
7410 | + num_ports++; | |
7411 | + } | |
7412 | + if (stunaddr != NULL) | |
7413 | + { | |
7414 | + extip = in_aton(stunaddr); | |
7415 | + } | |
7416 | + if (destaction != NULL) | |
7417 | + { | |
7418 | + if (strcmp(destaction, "auto") == 0) | |
7419 | + { | |
7420 | + dstact = DSTACT_AUTO; | |
7421 | + } | |
7422 | + if (strcmp(destaction, "strip") == 0) | |
7423 | + { | |
7424 | + dstact = DSTACT_STRIP; | |
7425 | + } | |
7426 | + if (strcmp(destaction, "none") == 0) | |
7427 | + { | |
7428 | + dstact = DSTACT_NONE; | |
7429 | + } | |
7430 | + } | |
7431 | + return ret; | |
7432 | +} | |
7433 | + | |
7434 | +module_init(init); | |
7435 | +module_exit(fini); | |
7436 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_rule.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_rule.c | |
7437 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_rule.c 2004-04-28 03:35:44.000000000 +0200 | |
7438 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_rule.c 2004-04-29 11:17:15.000000000 +0200 | |
7439 | @@ -75,7 +75,7 @@ | |
7440 | 0, | |
7441 | sizeof(struct ipt_entry), | |
7442 | sizeof(struct ipt_standard), | |
7443 | - 0, { 0, 0 }, { } }, | |
7444 | + 0, NULL, 0, { 0, 0 }, { } }, | |
7445 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
7446 | -NF_ACCEPT - 1 } }, | |
7447 | /* POST_ROUTING */ | |
7448 | @@ -83,7 +83,7 @@ | |
7449 | 0, | |
7450 | sizeof(struct ipt_entry), | |
7451 | sizeof(struct ipt_standard), | |
7452 | - 0, { 0, 0 }, { } }, | |
7453 | + 0, NULL, 0, { 0, 0 }, { } }, | |
7454 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
7455 | -NF_ACCEPT - 1 } }, | |
7456 | /* LOCAL_OUT */ | |
7457 | @@ -91,7 +91,7 @@ | |
7458 | 0, | |
7459 | sizeof(struct ipt_entry), | |
7460 | sizeof(struct ipt_standard), | |
7461 | - 0, { 0, 0 }, { } }, | |
7462 | + 0, NULL, 0, { 0, 0 }, { } }, | |
7463 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
7464 | -NF_ACCEPT - 1 } } | |
7465 | }, | |
7466 | @@ -100,7 +100,7 @@ | |
7467 | 0, | |
7468 | sizeof(struct ipt_entry), | |
7469 | sizeof(struct ipt_error), | |
7470 | - 0, { 0, 0 }, { } }, | |
7471 | + 0, NULL, 0, { 0, 0 }, { } }, | |
7472 | { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } }, | |
7473 | { } }, | |
7474 | "ERROR" | |
7475 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_standalone.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_standalone.c | |
7476 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_standalone.c 2004-04-28 03:36:29.000000000 +0200 | |
7477 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_standalone.c 2004-04-29 11:18:04.000000000 +0200 | |
7478 | @@ -175,6 +175,45 @@ | |
7479 | return do_bindings(ct, ctinfo, info, hooknum, pskb); | |
7480 | } | |
7481 | ||
7482 | +struct nat_route_key | |
7483 | +{ | |
7484 | + u_int32_t addr; | |
7485 | +#ifdef CONFIG_XFRM | |
7486 | + u_int16_t port; | |
7487 | +#endif | |
7488 | +}; | |
7489 | + | |
7490 | +static inline void | |
7491 | +nat_route_key_get(struct sk_buff *skb, struct nat_route_key *key, int which) | |
7492 | +{ | |
7493 | + struct iphdr *iph = skb->nh.iph; | |
7494 | + | |
7495 | + key->addr = which ? iph->daddr : iph->saddr; | |
7496 | +#ifdef CONFIG_XFRM | |
7497 | + key->port = 0; | |
7498 | + if (iph->protocol == IPPROTO_TCP || iph->protocol == IPPROTO_UDP) { | |
7499 | + u_int16_t *ports = (u_int16_t *)(skb->nh.raw + iph->ihl*4); | |
7500 | + key->port = ports[which]; | |
7501 | + } | |
7502 | +#endif | |
7503 | +} | |
7504 | + | |
7505 | +static inline int | |
7506 | +nat_route_key_compare(struct sk_buff *skb, struct nat_route_key *key, int which) | |
7507 | +{ | |
7508 | + struct iphdr *iph = skb->nh.iph; | |
7509 | + | |
7510 | + if (key->addr != (which ? iph->daddr : iph->saddr)) | |
7511 | + return 1; | |
7512 | +#ifdef CONFIG_XFRM | |
7513 | + if (iph->protocol == IPPROTO_TCP || iph->protocol == IPPROTO_UDP) { | |
7514 | + u_int16_t *ports = (u_int16_t *)(skb->nh.raw + iph->ihl*4); | |
7515 | + if (key->port != ports[which]) | |
7516 | + return 1; | |
7517 | + } | |
7518 | +#endif | |
7519 | +} | |
7520 | + | |
7521 | static unsigned int | |
7522 | ip_nat_out(unsigned int hooknum, | |
7523 | struct sk_buff **pskb, | |
7524 | @@ -182,6 +221,9 @@ | |
7525 | const struct net_device *out, | |
7526 | int (*okfn)(struct sk_buff *)) | |
7527 | { | |
7528 | + struct nat_route_key key; | |
7529 | + unsigned int ret; | |
7530 | + | |
7531 | /* root is playing with raw sockets. */ | |
7532 | if ((*pskb)->len < sizeof(struct iphdr) | |
7533 | || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) | |
7534 | @@ -204,7 +246,29 @@ | |
7535 | return NF_STOLEN; | |
7536 | } | |
7537 | ||
7538 | - return ip_nat_fn(hooknum, pskb, in, out, okfn); | |
7539 | + nat_route_key_get(*pskb, &key, 0); | |
7540 | + ret = ip_nat_fn(hooknum, pskb, in, out, okfn); | |
7541 | + | |
7542 | + if (ret != NF_DROP && ret != NF_STOLEN | |
7543 | + && nat_route_key_compare(*pskb, &key, 0)) { | |
7544 | + if (ip_route_me_harder(pskb) != 0) | |
7545 | + ret = NF_DROP; | |
7546 | +#ifdef CONFIG_XFRM | |
7547 | + /* | |
7548 | + * POST_ROUTING hook is called with fixed outfn, we need | |
7549 | + * to manually confirm the packet and direct it to the | |
7550 | + * transformers if a policy matches. | |
7551 | + */ | |
7552 | + else if ((*pskb)->dst->xfrm != NULL) { | |
7553 | + ret = ip_conntrack_confirm(*pskb); | |
7554 | + if (ret != NF_DROP) { | |
7555 | + dst_output(*pskb); | |
7556 | + ret = NF_STOLEN; | |
7557 | + } | |
7558 | + } | |
7559 | +#endif | |
7560 | + } | |
7561 | + return ret; | |
7562 | } | |
7563 | ||
7564 | #ifdef CONFIG_IP_NF_NAT_LOCAL | |
7565 | @@ -215,7 +279,7 @@ | |
7566 | const struct net_device *out, | |
7567 | int (*okfn)(struct sk_buff *)) | |
7568 | { | |
7569 | - u_int32_t saddr, daddr; | |
7570 | + struct nat_route_key key; | |
7571 | unsigned int ret; | |
7572 | ||
7573 | /* root is playing with raw sockets. */ | |
7574 | @@ -223,14 +287,14 @@ | |
7575 | || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) | |
7576 | return NF_ACCEPT; | |
7577 | ||
7578 | - saddr = (*pskb)->nh.iph->saddr; | |
7579 | - daddr = (*pskb)->nh.iph->daddr; | |
7580 | - | |
7581 | + nat_route_key_get(*pskb, &key, 1); | |
7582 | ret = ip_nat_fn(hooknum, pskb, in, out, okfn); | |
7583 | + | |
7584 | if (ret != NF_DROP && ret != NF_STOLEN | |
7585 | - && ((*pskb)->nh.iph->saddr != saddr | |
7586 | - || (*pskb)->nh.iph->daddr != daddr)) | |
7587 | - return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; | |
7588 | + && nat_route_key_compare(*pskb, &key, 1)) { | |
7589 | + if (ip_route_me_harder(pskb) != 0) | |
7590 | + ret = NF_DROP; | |
7591 | + } | |
7592 | return ret; | |
7593 | } | |
7594 | #endif | |
7595 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_talk.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_talk.c | |
7596 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_nat_talk.c 1970-01-01 01:00:00.000000000 +0100 | |
7597 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_nat_talk.c 2004-04-29 11:21:43.000000000 +0200 | |
7598 | @@ -0,0 +1,473 @@ | |
7599 | +/* | |
7600 | + * talk extension for UDP NAT alteration. | |
7601 | + * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
7602 | + * | |
7603 | + * This program is free software; you can redistribute it and/or | |
7604 | + * modify it under the terms of the GNU General Public License | |
7605 | + * as published by the Free Software Foundation; either version | |
7606 | + * 2 of the License, or (at your option) any later version. | |
7607 | + ** | |
7608 | + * Module load syntax: | |
7609 | + * insmod ip_nat_talk.o talk=[0|1] ntalk=[0|1] ntalk2=[0|1] | |
7610 | + * | |
7611 | + * talk=[0|1] disable|enable old talk support | |
7612 | + * ntalk=[0|1] disable|enable ntalk support | |
7613 | + * ntalk2=[0|1] disable|enable ntalk2 support | |
7614 | + * | |
7615 | + * The default is talk=1 ntalk=1 ntalk2=1 | |
7616 | + * | |
7617 | + * | |
7618 | + */ | |
7619 | +#include <linux/module.h> | |
7620 | +#include <linux/netfilter_ipv4.h> | |
7621 | +#include <linux/ip.h> | |
7622 | +#include <linux/udp.h> | |
7623 | +#include <linux/kernel.h> | |
7624 | +#include <net/tcp.h> | |
7625 | +#include <net/udp.h> | |
7626 | + | |
7627 | +#include <linux/netfilter_ipv4/ip_nat.h> | |
7628 | +#include <linux/netfilter_ipv4/ip_nat_helper.h> | |
7629 | +#include <linux/netfilter_ipv4/ip_nat_rule.h> | |
7630 | +#include <linux/netfilter_ipv4/ip_conntrack_talk.h> | |
7631 | +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
7632 | + | |
7633 | +/* Default all talk protocols are supported */ | |
7634 | +static int talk = 1; | |
7635 | +static int ntalk = 1; | |
7636 | +static int ntalk2 = 1; | |
7637 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
7638 | +MODULE_DESCRIPTION("talk network address translation module"); | |
7639 | +#ifdef MODULE_PARM | |
7640 | +MODULE_PARM(talk, "i"); | |
7641 | +MODULE_PARM_DESC(talk, "support (old) talk protocol"); | |
7642 | +MODULE_PARM(ntalk, "i"); | |
7643 | +MODULE_PARM_DESC(ntalk, "support ntalk protocol"); | |
7644 | +MODULE_PARM(ntalk2, "i"); | |
7645 | +MODULE_PARM_DESC(ntalk2, "support ntalk2 protocol"); | |
7646 | +#endif | |
7647 | + | |
7648 | +#if 0 | |
7649 | +#define DEBUGP printk | |
7650 | +#define IP_NAT_TALK_DEBUG | |
7651 | +#else | |
7652 | +#define DEBUGP(format, args...) | |
7653 | +#endif | |
7654 | + | |
7655 | +/* FIXME: Time out? --RR */ | |
7656 | + | |
7657 | +static int | |
7658 | +mangle_packet(struct sk_buff **pskb, | |
7659 | + struct ip_conntrack *ct, | |
7660 | + u_int32_t newip, | |
7661 | + u_int16_t port, | |
7662 | + struct talk_addr *addr, | |
7663 | + struct talk_addr *ctl_addr) | |
7664 | +{ | |
7665 | + struct iphdr *iph = (*pskb)->nh.iph; | |
7666 | + struct udphdr *udph = (void *)iph + iph->ihl * 4; | |
7667 | + size_t udplen = (*pskb)->len - iph->ihl * 4; | |
7668 | + | |
7669 | + /* Fortunately talk sends a structure with the address and | |
7670 | + port in it. The size of the packet won't change. */ | |
7671 | + | |
7672 | + if (ctl_addr == NULL) { | |
7673 | + /* response */ | |
7674 | + if (addr->ta_addr == INADDR_ANY) | |
7675 | + return 1; | |
7676 | + DEBUGP("ip_nat_talk_mangle_packet: response orig %u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n", | |
7677 | + NIPQUAD(addr->ta_addr), ntohs(addr->ta_port), | |
7678 | + NIPQUAD(newip), ntohs(port)); | |
7679 | + addr->ta_addr = newip; | |
7680 | + addr->ta_port = port; | |
7681 | + } else { | |
7682 | + /* message */ | |
7683 | + if (addr->ta_addr != INADDR_ANY) { | |
7684 | + /* Change address inside packet to match way we're mapping | |
7685 | + this connection. */ | |
7686 | + DEBUGP("ip_nat_talk_mangle_packet: message orig addr %u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n", | |
7687 | + NIPQUAD(addr->ta_addr), ntohs(addr->ta_port), | |
7688 | + NIPQUAD(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip), | |
7689 | + ntohs(addr->ta_port)); | |
7690 | + addr->ta_addr = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
7691 | + } | |
7692 | + DEBUGP("ip_nat_talk_mangle_packet: message orig ctl_addr %u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n", | |
7693 | + NIPQUAD(ctl_addr->ta_addr), ntohs(ctl_addr->ta_port), | |
7694 | + NIPQUAD(newip), ntohs(port)); | |
7695 | + ctl_addr->ta_addr = newip; | |
7696 | + ctl_addr->ta_port = port; | |
7697 | + } | |
7698 | + | |
7699 | + /* Fix checksums */ | |
7700 | + (*pskb)->csum = csum_partial((char *)udph + sizeof(struct udphdr), udplen - sizeof(struct udphdr), 0); | |
7701 | + udph->check = 0; | |
7702 | + udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP, | |
7703 | + csum_partial((char *)udph, sizeof(struct udphdr), (*pskb)->csum)); | |
7704 | + | |
7705 | + ip_send_check(iph); | |
7706 | + return 1; | |
7707 | +} | |
7708 | + | |
7709 | +static int talk_help_msg(struct ip_conntrack *ct, | |
7710 | + struct sk_buff **pskb, | |
7711 | + u_char type, | |
7712 | + struct talk_addr *addr, | |
7713 | + struct talk_addr *ctl_addr) | |
7714 | +{ | |
7715 | + u_int32_t newip; | |
7716 | + u_int16_t port; | |
7717 | + | |
7718 | + unsigned int verdict = NF_ACCEPT; | |
7719 | + | |
7720 | + DEBUGP("ip_nat_talk_help_msg: addr: %u.%u.%u.%u:%u, ctl_addr: %u.%u.%u.%u:%u, type %d\n", | |
7721 | + NIPQUAD(addr->ta_addr), ntohs(addr->ta_port), | |
7722 | + NIPQUAD(ctl_addr->ta_addr), ntohs(ctl_addr->ta_port), | |
7723 | + type); | |
7724 | + | |
7725 | + /* Change address inside packet to match way we're mapping | |
7726 | + this connection. */ | |
7727 | + newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
7728 | + port = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.udp.port; | |
7729 | + DEBUGP("ip_nat_talk_help_msg: inserting: %u.%u.%u.%u:%u\n", | |
7730 | + NIPQUAD(newip), ntohs(port)); | |
7731 | + | |
7732 | + if (!mangle_packet(pskb, ct, newip, port, addr, ctl_addr)) | |
7733 | + verdict = NF_DROP; | |
7734 | + | |
7735 | + return verdict; | |
7736 | +} | |
7737 | + | |
7738 | +static int talk_help_response(struct ip_conntrack *ct, | |
7739 | + struct ip_conntrack_expect *exp, | |
7740 | + struct sk_buff **pskb, | |
7741 | + u_char type, | |
7742 | + u_char answer, | |
7743 | + struct talk_addr *addr) | |
7744 | +{ | |
7745 | + u_int32_t newip; | |
7746 | + u_int16_t port; | |
7747 | + struct ip_conntrack_tuple t; | |
7748 | + struct ip_ct_talk_expect *ct_talk_info; | |
7749 | + | |
7750 | + DEBUGP("ip_nat_talk_help_response: addr: %u.%u.%u.%u:%u, type %d answer %d\n", | |
7751 | + NIPQUAD(addr->ta_addr), ntohs(addr->ta_port), | |
7752 | + type, answer); | |
7753 | + | |
7754 | + LOCK_BH(&ip_talk_lock); | |
7755 | + ct_talk_info = &exp->help.exp_talk_info; | |
7756 | + | |
7757 | + if (!(answer == SUCCESS | |
7758 | + && (type == LOOK_UP || type == ANNOUNCE) | |
7759 | + && exp != NULL)) { | |
7760 | + UNLOCK_BH(&ip_talk_lock); | |
7761 | + return NF_ACCEPT; | |
7762 | + } | |
7763 | + | |
7764 | + DEBUGP("ip_nat_talk_help_response: talkinfo port %u (%s)\n", | |
7765 | + ntohs(ct_talk_info->port), | |
7766 | + type == LOOK_UP ? "LOOK_UP" : "ANNOUNCE"); | |
7767 | + | |
7768 | + /* Change address inside packet to match way we're mapping | |
7769 | + this connection. */ | |
7770 | + newip = ct->tuplehash[type == LOOK_UP ? IP_CT_DIR_ORIGINAL : | |
7771 | + IP_CT_DIR_REPLY].tuple.dst.ip; | |
7772 | + /* We can read expect here without conntrack lock, since it's | |
7773 | + only set in ip_conntrack_talk , with ip_talk_lock held | |
7774 | + writable */ | |
7775 | + t = exp->tuple; | |
7776 | + t.dst.ip = newip; | |
7777 | + | |
7778 | + /* Try to get same port: if not, try to change it. */ | |
7779 | + for (port = ntohs(ct_talk_info->port); port != 0; port++) { | |
7780 | + if (type == LOOK_UP) | |
7781 | + t.dst.u.tcp.port = htons(port); | |
7782 | + else | |
7783 | + t.dst.u.udp.port = htons(port); | |
7784 | + | |
7785 | + if (ip_conntrack_change_expect(exp, &t) == 0) { | |
7786 | + DEBUGP("ip_nat_talk_help_response: using %u.%u.%u.%u:%u\n", NIPQUAD(newip), port); | |
7787 | + break; | |
7788 | + } | |
7789 | + } | |
7790 | + UNLOCK_BH(&ip_talk_lock); | |
7791 | + | |
7792 | + if (port == 0 || !mangle_packet(pskb, ct, newip, htons(port), addr, NULL)) | |
7793 | + return NF_DROP; | |
7794 | + | |
7795 | + return NF_ACCEPT; | |
7796 | +} | |
7797 | + | |
7798 | +static unsigned int talk_help(struct ip_conntrack *ct, | |
7799 | + struct ip_conntrack_expect *exp, | |
7800 | + struct ip_nat_info *info, | |
7801 | + enum ip_conntrack_info ctinfo, | |
7802 | + unsigned int hooknum, | |
7803 | + struct sk_buff **pskb, | |
7804 | + int talk_port) | |
7805 | +{ | |
7806 | + struct iphdr *iph = (*pskb)->nh.iph; | |
7807 | + struct udphdr *udph = (void *)iph + iph->ihl * 4; | |
7808 | + unsigned int udplen = (*pskb)->len - iph->ihl * 4; | |
7809 | + char *data = (char *)udph + sizeof(struct udphdr); | |
7810 | + int dir; | |
7811 | + | |
7812 | + /* Only mangle things once: original direction in POST_ROUTING | |
7813 | + and reply direction on PRE_ROUTING. */ | |
7814 | + dir = CTINFO2DIR(ctinfo); | |
7815 | + if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) | |
7816 | + || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { | |
7817 | + DEBUGP("ip_nat_talk_help: Not touching dir %s at hook %s\n", | |
7818 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
7819 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
7820 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
7821 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); | |
7822 | + return NF_ACCEPT; | |
7823 | + } | |
7824 | + DEBUGP("ip_nat_talk_help: dir %s at hook %s, %u.%u.%u.%u:%u->%u.%u.%u.%u:%u, talk port %d\n", | |
7825 | + dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
7826 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
7827 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
7828 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???", | |
7829 | + NIPQUAD(iph->saddr), ntohs(udph->source), | |
7830 | + NIPQUAD(iph->daddr), ntohs(udph->dest), | |
7831 | + talk_port); | |
7832 | + | |
7833 | + /* Because conntrack does not drop packets, checking must be repeated here... */ | |
7834 | + if (talk_port == TALK_PORT) { | |
7835 | + if (dir == IP_CT_DIR_ORIGINAL | |
7836 | + && udplen == sizeof(struct udphdr) + sizeof(struct talk_msg)) | |
7837 | + return talk_help_msg(ct, pskb, | |
7838 | + ((struct talk_msg *)data)->type, | |
7839 | + &(((struct talk_msg *)data)->addr), | |
7840 | + &(((struct talk_msg *)data)->ctl_addr)); | |
7841 | + else if (dir == IP_CT_DIR_REPLY | |
7842 | + && udplen == sizeof(struct udphdr) + sizeof(struct talk_response)) | |
7843 | + return talk_help_response(ct, exp, pskb, | |
7844 | + ((struct talk_response *)data)->type, | |
7845 | + ((struct talk_response *)data)->answer, | |
7846 | + &(((struct talk_response *)data)->addr)); | |
7847 | + else { | |
7848 | + DEBUGP("ip_nat_talk_help: not talk %s, datalen %u != %u\n", | |
7849 | + dir == IP_CT_DIR_ORIGINAL ? "message" : "response", | |
7850 | + (unsigned)udplen - sizeof(struct udphdr), | |
7851 | + dir == IP_CT_DIR_ORIGINAL ? sizeof(struct talk_msg) : sizeof(struct talk_response)); | |
7852 | + return NF_DROP; | |
7853 | + } | |
7854 | + } else { | |
7855 | + if (dir == IP_CT_DIR_ORIGINAL) { | |
7856 | + if (ntalk | |
7857 | + && udplen == sizeof(struct udphdr) + sizeof(struct ntalk_msg) | |
7858 | + && ((struct ntalk_msg *)data)->vers == NTALK_VERSION) | |
7859 | + return talk_help_msg(ct, pskb, | |
7860 | + ((struct ntalk_msg *)data)->type, | |
7861 | + &(((struct ntalk_msg *)data)->addr), | |
7862 | + &(((struct ntalk_msg *)data)->ctl_addr)); | |
7863 | + else if (ntalk2 | |
7864 | + && udplen >= sizeof(struct udphdr) + sizeof(struct ntalk2_msg) | |
7865 | + && ((struct ntalk2_msg *)data)->vers == NTALK2_VERSION | |
7866 | + && udplen == sizeof(struct udphdr) | |
7867 | + + sizeof(struct ntalk2_msg) | |
7868 | + + ((struct ntalk2_msg *)data)->extended) | |
7869 | + return talk_help_msg(ct, pskb, | |
7870 | + ((struct ntalk2_msg *)data)->type, | |
7871 | + &(((struct ntalk2_msg *)data)->addr), | |
7872 | + &(((struct ntalk2_msg *)data)->ctl_addr)); | |
7873 | + else { | |
7874 | + DEBUGP("ip_nat_talk_help: not ntalk/ntalk2 message, datalen %u != %u or %u + max 256\n", | |
7875 | + (unsigned)udplen - sizeof(struct udphdr), | |
7876 | + sizeof(struct ntalk_msg), sizeof(struct ntalk2_msg)); | |
7877 | + return NF_DROP; | |
7878 | + } | |
7879 | + } else { | |
7880 | + if (ntalk | |
7881 | + && udplen == sizeof(struct udphdr) + sizeof(struct ntalk_response) | |
7882 | + && ((struct ntalk_response *)data)->vers == NTALK_VERSION) | |
7883 | + return talk_help_response(ct, exp, pskb, | |
7884 | + ((struct ntalk_response *)data)->type, | |
7885 | + ((struct ntalk_response *)data)->answer, | |
7886 | + &(((struct ntalk_response *)data)->addr)); | |
7887 | + else if (ntalk2 | |
7888 | + && udplen >= sizeof(struct udphdr) + sizeof(struct ntalk2_response) | |
7889 | + && ((struct ntalk2_response *)data)->vers == NTALK2_VERSION) | |
7890 | + return talk_help_response(ct, exp, pskb, | |
7891 | + ((struct ntalk2_response *)data)->type, | |
7892 | + ((struct ntalk2_response *)data)->answer, | |
7893 | + &(((struct ntalk2_response *)data)->addr)); | |
7894 | + else { | |
7895 | + DEBUGP("ip_nat_talk_help: not ntalk/ntalk2 response, datalen %u != %u or %u + max 256\n", | |
7896 | + (unsigned)udplen - sizeof(struct udphdr), | |
7897 | + sizeof(struct ntalk_response), sizeof(struct ntalk2_response)); | |
7898 | + return NF_DROP; | |
7899 | + } | |
7900 | + } | |
7901 | + } | |
7902 | +} | |
7903 | + | |
7904 | +static unsigned int help(struct ip_conntrack *ct, | |
7905 | + struct ip_conntrack_expect *exp, | |
7906 | + struct ip_nat_info *info, | |
7907 | + enum ip_conntrack_info ctinfo, | |
7908 | + unsigned int hooknum, | |
7909 | + struct sk_buff **pskb) | |
7910 | +{ | |
7911 | + return talk_help(ct, exp, info, ctinfo, hooknum, pskb, TALK_PORT); | |
7912 | +} | |
7913 | + | |
7914 | +static unsigned int nhelp(struct ip_conntrack *ct, | |
7915 | + struct ip_conntrack_expect *exp, | |
7916 | + struct ip_nat_info *info, | |
7917 | + enum ip_conntrack_info ctinfo, | |
7918 | + unsigned int hooknum, | |
7919 | + struct sk_buff **pskb) | |
7920 | +{ | |
7921 | + return talk_help(ct, exp, info, ctinfo, hooknum, pskb, NTALK_PORT); | |
7922 | +} | |
7923 | + | |
7924 | +static unsigned int | |
7925 | +talk_nat_expected(struct sk_buff **pskb, | |
7926 | + unsigned int hooknum, | |
7927 | + struct ip_conntrack *ct, | |
7928 | + struct ip_nat_info *info); | |
7929 | + | |
7930 | +static struct ip_nat_helper talk_helpers[2] = | |
7931 | + { { { NULL, NULL }, | |
7932 | + "talk", /* name */ | |
7933 | + IP_NAT_HELPER_F_ALWAYS, /* flags */ | |
7934 | + THIS_MODULE, /* module */ | |
7935 | + { { 0, { .udp = { __constant_htons(TALK_PORT) } } }, /* tuple */ | |
7936 | + { 0, { 0 }, IPPROTO_UDP } }, | |
7937 | + { { 0, { .udp = { 0xFFFF } } }, /* mask */ | |
7938 | + { 0, { 0 }, 0xFFFF } }, | |
7939 | + help, /* helper */ | |
7940 | + talk_nat_expected }, /* expectfn */ | |
7941 | + { { NULL, NULL }, | |
7942 | + "ntalk", /* name */ | |
7943 | + IP_NAT_HELPER_F_ALWAYS, /* flags */ | |
7944 | + THIS_MODULE, /* module */ | |
7945 | + { { 0, { .udp = { __constant_htons(NTALK_PORT) } } }, /* tuple */ | |
7946 | + { 0, { 0 }, IPPROTO_UDP } }, | |
7947 | + { { 0, { .udp = { 0xFFFF } } }, /* mask */ | |
7948 | + { 0, { 0 }, 0xFFFF } }, | |
7949 | + nhelp, /* helper */ | |
7950 | + talk_nat_expected } /* expectfn */ | |
7951 | + }; | |
7952 | + | |
7953 | +static unsigned int | |
7954 | +talk_nat_expected(struct sk_buff **pskb, | |
7955 | + unsigned int hooknum, | |
7956 | + struct ip_conntrack *ct, | |
7957 | + struct ip_nat_info *info) | |
7958 | +{ | |
7959 | + struct ip_nat_multi_range mr; | |
7960 | + u_int32_t newdstip, newsrcip, newip; | |
7961 | + u_int16_t port; | |
7962 | + unsigned int ret; | |
7963 | + | |
7964 | + struct ip_conntrack *master = master_ct(ct); | |
7965 | + | |
7966 | + IP_NF_ASSERT(info); | |
7967 | + IP_NF_ASSERT(master); | |
7968 | + | |
7969 | + IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum)))); | |
7970 | + | |
7971 | + DEBUGP("ip_nat_talk_expected: We have a connection!\n"); | |
7972 | + | |
7973 | + LOCK_BH(&ip_talk_lock); | |
7974 | + port = ct->master->help.exp_talk_info.port; | |
7975 | + UNLOCK_BH(&ip_talk_lock); | |
7976 | + | |
7977 | + DEBUGP("ip_nat_talk_expected: dir %s at hook %s, ct %p, master %p\n", | |
7978 | + CTINFO2DIR((*pskb)->nfct - ct->infos) == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", | |
7979 | + hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" | |
7980 | + : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" | |
7981 | + : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???", | |
7982 | + ct, master); | |
7983 | + | |
7984 | + if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == IPPROTO_UDP) { | |
7985 | + /* Callee client -> caller server */ | |
7986 | +#ifdef IP_NAT_TALK_DEBUG | |
7987 | + struct iphdr *iph = (*pskb)->nh.iph; | |
7988 | + struct udphdr *udph = (void *)iph + iph->ihl * 4; | |
7989 | + | |
7990 | + DEBUGP("ip_nat_talk_expected: UDP %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
7991 | + NIPQUAD(iph->saddr), ntohs(udph->source), | |
7992 | + NIPQUAD(iph->daddr), ntohs(udph->dest)); | |
7993 | +#endif | |
7994 | + newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; | |
7995 | + newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; | |
7996 | + DEBUGP("ip_nat_talk_expected: callee client -> caller server, newsrc: %u.%u.%u.%u, newdst: %u.%u.%u.%u\n", | |
7997 | + NIPQUAD(newsrcip), NIPQUAD(newdstip)); | |
7998 | + } else { | |
7999 | + /* Callee client -> caller client */ | |
8000 | +#ifdef IP_NAT_TALK_DEBUG | |
8001 | + struct iphdr *iph = (*pskb)->nh.iph; | |
8002 | + struct tcphdr *tcph = (void *)iph + iph->ihl * 4; | |
8003 | + | |
8004 | + DEBUGP("ip_nat_talk_expected: TCP %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", | |
8005 | + NIPQUAD(iph->saddr), ntohs(tcph->source), | |
8006 | + NIPQUAD(iph->daddr), ntohs(tcph->dest)); | |
8007 | +#endif | |
8008 | + newdstip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; | |
8009 | + newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; | |
8010 | + DEBUGP("ip_nat_talk_expected: callee client -> caller client, newsrc: %u.%u.%u.%u, newdst: %u.%u.%u.%u\n", | |
8011 | + NIPQUAD(newsrcip), NIPQUAD(newdstip)); | |
8012 | + } | |
8013 | + if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) | |
8014 | + newip = newsrcip; | |
8015 | + else | |
8016 | + newip = newdstip; | |
8017 | + | |
8018 | + DEBUGP("ip_nat_talk_expected: IP to %u.%u.%u.%u, port %u\n", NIPQUAD(newip), ntohs(port)); | |
8019 | + | |
8020 | + mr.rangesize = 1; | |
8021 | + /* We don't want to manip the per-protocol, just the IPs... */ | |
8022 | + mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; | |
8023 | + mr.range[0].min_ip = mr.range[0].max_ip = newip; | |
8024 | + | |
8025 | + /* ... unless we're doing a MANIP_DST, in which case, make | |
8026 | + sure we map to the correct port */ | |
8027 | + if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) { | |
8028 | + mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | |
8029 | + mr.range[0].min = mr.range[0].max | |
8030 | + = ((union ip_conntrack_manip_proto) | |
8031 | + { .udp = { port } }); | |
8032 | + } | |
8033 | + ret = ip_nat_setup_info(ct, &mr, hooknum); | |
8034 | + | |
8035 | + if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == IPPROTO_UDP) { | |
8036 | + DEBUGP("talk_expected: setting NAT helper for %p\n", ct); | |
8037 | + /* NAT expectfn called with ip_nat_lock write-locked */ | |
8038 | + info->helper = &talk_helpers[htons(port) - TALK_PORT]; | |
8039 | + } | |
8040 | + return ret; | |
8041 | +} | |
8042 | + | |
8043 | +static int __init init(void) | |
8044 | +{ | |
8045 | + int ret = 0; | |
8046 | + | |
8047 | + if (talk > 0) { | |
8048 | + ret = ip_nat_helper_register(&talk_helpers[0]); | |
8049 | + | |
8050 | + if (ret != 0) | |
8051 | + return ret; | |
8052 | + } | |
8053 | + if (ntalk > 0 || ntalk2 > 0) { | |
8054 | + ret = ip_nat_helper_register(&talk_helpers[1]); | |
8055 | + | |
8056 | + if (ret != 0 && talk > 0) | |
8057 | + ip_nat_helper_unregister(&talk_helpers[0]); | |
8058 | + } | |
8059 | + return ret; | |
8060 | +} | |
8061 | + | |
8062 | +static void __exit fini(void) | |
8063 | +{ | |
8064 | + if (talk > 0) | |
8065 | + ip_nat_helper_unregister(&talk_helpers[0]); | |
8066 | + if (ntalk > 0 || ntalk2 > 0) | |
8067 | + ip_nat_helper_unregister(&talk_helpers[1]); | |
8068 | +} | |
8069 | + | |
8070 | +module_init(init); | |
8071 | +module_exit(fini); | |
8072 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_tables.c linux-2.6.6-rc3/net/ipv4/netfilter/ip_tables.c | |
8073 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ip_tables.c 2004-04-29 11:24:39.000000000 +0200 | |
8074 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ip_tables.c 2004-04-29 11:17:15.000000000 +0200 | |
8075 | @@ -29,6 +29,14 @@ | |
8076 | ||
8077 | #include <linux/netfilter_ipv4/ip_tables.h> | |
8078 | ||
8079 | +static const char *hooknames[] = { | |
8080 | + [NF_IP_PRE_ROUTING] "PREROUTING", | |
8081 | + [NF_IP_LOCAL_IN] "INPUT", | |
8082 | + [NF_IP_FORWARD] "FORWARD", | |
8083 | + [NF_IP_LOCAL_OUT] "OUTPUT", | |
8084 | + [NF_IP_POST_ROUTING] "POSTROUTING", | |
8085 | +}; | |
8086 | + | |
8087 | MODULE_LICENSE("GPL"); | |
8088 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | |
8089 | MODULE_DESCRIPTION("IPv4 packet filter"); | |
8090 | @@ -326,6 +334,12 @@ | |
8091 | ||
8092 | t = ipt_get_target(e); | |
8093 | IP_NF_ASSERT(t->u.kernel.target); | |
8094 | + | |
8095 | + /* The packet traced and the rule isn't an unconditional return/END. */ | |
8096 | + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) { | |
8097 | + nf_log_packet(PF_INET, hook, *pskb, in, out, "TRACE: %s/%s/%u ", | |
8098 | + table->name, e->chainname, e->rulenum); | |
8099 | + } | |
8100 | /* Standard target? */ | |
8101 | if (!t->u.kernel.target->target) { | |
8102 | int v; | |
8103 | @@ -352,7 +366,6 @@ | |
8104 | /* set back pointer to next entry */ | |
8105 | back = next; | |
8106 | } | |
8107 | - | |
8108 | e = get_entry(table_base, v); | |
8109 | } else { | |
8110 | /* Targets which reenter must return | |
8111 | @@ -478,6 +491,29 @@ | |
8112 | return find_inlist_lock(&ipt_target, name, "ipt_", error, mutex); | |
8113 | } | |
8114 | ||
8115 | +static inline int | |
8116 | +find_error_target(struct ipt_entry *s, | |
8117 | + struct ipt_entry *e, | |
8118 | + char **chainname) | |
8119 | +{ | |
8120 | + struct ipt_entry_target *t; | |
8121 | + static struct ipt_entry *found = NULL; | |
8122 | + | |
8123 | + if (s == e) { | |
8124 | + if (!found) | |
8125 | + return 0; | |
8126 | + t = ipt_get_target(found); | |
8127 | + if (strcmp(t->u.user.name, | |
8128 | + IPT_ERROR_TARGET) == 0) { | |
8129 | + *chainname = t->data; | |
8130 | + return 1; | |
8131 | + } | |
8132 | + } else | |
8133 | + found = s; | |
8134 | + | |
8135 | + return 0; | |
8136 | +} | |
8137 | + | |
8138 | /* All zeroes == unconditional rule. */ | |
8139 | static inline int | |
8140 | unconditional(const struct ipt_ip *ip) | |
8141 | @@ -497,6 +533,8 @@ | |
8142 | mark_source_chains(struct ipt_table_info *newinfo, unsigned int valid_hooks) | |
8143 | { | |
8144 | unsigned int hook; | |
8145 | + char *chainname = NULL; | |
8146 | + u_int32_t rulenum; | |
8147 | ||
8148 | /* No recursion; use packet counter to save back ptrs (reset | |
8149 | to 0 as we leave), and comefrom to save source hook bitmask */ | |
8150 | @@ -510,6 +548,8 @@ | |
8151 | ||
8152 | /* Set initial back pointer. */ | |
8153 | e->counters.pcnt = pos; | |
8154 | + rulenum = 1; | |
8155 | + chainname = (char *) hooknames[hook]; | |
8156 | ||
8157 | for (;;) { | |
8158 | struct ipt_standard_target *t | |
8159 | @@ -522,6 +562,8 @@ | |
8160 | } | |
8161 | e->comefrom | |
8162 | |= ((1 << hook) | (1 << NF_IP_NUMHOOKS)); | |
8163 | + e->rulenum = rulenum++; | |
8164 | + e->chainname = chainname; | |
8165 | ||
8166 | /* Unconditional return/END. */ | |
8167 | if (e->target_offset == sizeof(struct ipt_entry) | |
8168 | @@ -531,6 +573,10 @@ | |
8169 | && unconditional(&e->ip)) { | |
8170 | unsigned int oldpos, size; | |
8171 | ||
8172 | + /* Set unconditional rulenum to zero. */ | |
8173 | + e->rulenum = 0; | |
8174 | + e->counters.bcnt = 0; | |
8175 | + | |
8176 | /* Return: backtrack through the last | |
8177 | big jump. */ | |
8178 | do { | |
8179 | @@ -556,6 +602,11 @@ | |
8180 | (newinfo->entries + pos); | |
8181 | } while (oldpos == pos + e->next_offset); | |
8182 | ||
8183 | + /* Restore chainname, rulenum. */ | |
8184 | + chainname = e->chainname; | |
8185 | + rulenum = e->counters.bcnt; | |
8186 | + e->counters.bcnt = 0; | |
8187 | + | |
8188 | /* Move along one */ | |
8189 | size = e->next_offset; | |
8190 | e = (struct ipt_entry *) | |
8191 | @@ -571,6 +622,17 @@ | |
8192 | /* This a jump; chase it. */ | |
8193 | duprintf("Jump rule %u -> %u\n", | |
8194 | pos, newpos); | |
8195 | + e->counters.bcnt = rulenum++; | |
8196 | + rulenum = 1; | |
8197 | + e = (struct ipt_entry *) | |
8198 | + (newinfo->entries + newpos); | |
8199 | + if (IPT_ENTRY_ITERATE(newinfo->entries, | |
8200 | + newinfo->size, | |
8201 | + find_error_target, | |
8202 | + e, &chainname) == 0) { | |
8203 | + printk("ip_tables: table screwed up!\n"); | |
8204 | + return 0; | |
8205 | + } | |
8206 | } else { | |
8207 | /* ... this is a fallthru */ | |
8208 | newpos = pos + e->next_offset; | |
8209 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_CONNMARK.c | |
8210 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_CONNMARK.c 1970-01-01 01:00:00.000000000 +0100 | |
8211 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_CONNMARK.c 2004-04-29 11:10:59.000000000 +0200 | |
8212 | @@ -0,0 +1,118 @@ | |
8213 | +/* This kernel module is used to modify the connection mark values, or | |
8214 | + * to optionally restore the skb nfmark from the connection mark | |
8215 | + * | |
8216 | + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | |
8217 | + * by Henrik Nordstrom <hno@marasystems.com> | |
8218 | + * | |
8219 | + * This program is free software; you can redistribute it and/or modify | |
8220 | + * it under the terms of the GNU General Public License as published by | |
8221 | + * the Free Software Foundation; either version 2 of the License, or | |
8222 | + * (at your option) any later version. | |
8223 | + * | |
8224 | + * This program is distributed in the hope that it will be useful, | |
8225 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
8226 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
8227 | + * GNU General Public License for more details. | |
8228 | + * | |
8229 | + * You should have received a copy of the GNU General Public License | |
8230 | + * along with this program; if not, write to the Free Software | |
8231 | + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
8232 | + */ | |
8233 | +#include <linux/module.h> | |
8234 | +#include <linux/skbuff.h> | |
8235 | +#include <linux/ip.h> | |
8236 | +#include <net/checksum.h> | |
8237 | + | |
8238 | +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>"); | |
8239 | +MODULE_DESCRIPTION("IP tables CONNMARK matching module"); | |
8240 | +MODULE_LICENSE("GPL"); | |
8241 | + | |
8242 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
8243 | +#include <linux/netfilter_ipv4/ipt_CONNMARK.h> | |
8244 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
8245 | + | |
8246 | +static unsigned int | |
8247 | +target(struct sk_buff **pskb, | |
8248 | + const struct net_device *in, | |
8249 | + const struct net_device *out, | |
8250 | + unsigned int hooknum, | |
8251 | + const void *targinfo, | |
8252 | + void *userinfo) | |
8253 | +{ | |
8254 | + const struct ipt_connmark_target_info *markinfo = targinfo; | |
8255 | + unsigned long diff; | |
8256 | + unsigned long nfmark; | |
8257 | + unsigned long newmark; | |
8258 | + | |
8259 | + enum ip_conntrack_info ctinfo; | |
8260 | + struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo); | |
8261 | + if (ct) { | |
8262 | + switch(markinfo->mode) { | |
8263 | + case IPT_CONNMARK_SET: | |
8264 | + newmark = (ct->mark & ~markinfo->mask) | markinfo->mark; | |
8265 | + if (newmark != ct->mark) | |
8266 | + ct->mark = newmark; | |
8267 | + break; | |
8268 | + case IPT_CONNMARK_SAVE: | |
8269 | + newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask); | |
8270 | + if (ct->mark != newmark) | |
8271 | + ct->mark = newmark; | |
8272 | + break; | |
8273 | + case IPT_CONNMARK_RESTORE: | |
8274 | + nfmark = (*pskb)->nfmark; | |
8275 | + diff = (ct->mark ^ nfmark & markinfo->mask); | |
8276 | + if (diff != 0) { | |
8277 | + (*pskb)->nfmark = nfmark ^ diff; | |
8278 | + (*pskb)->nfcache |= NFC_ALTERED; | |
8279 | + } | |
8280 | + break; | |
8281 | + } | |
8282 | + } | |
8283 | + | |
8284 | + return IPT_CONTINUE; | |
8285 | +} | |
8286 | + | |
8287 | +static int | |
8288 | +checkentry(const char *tablename, | |
8289 | + const struct ipt_entry *e, | |
8290 | + void *targinfo, | |
8291 | + unsigned int targinfosize, | |
8292 | + unsigned int hook_mask) | |
8293 | +{ | |
8294 | + struct ipt_connmark_target_info *matchinfo = targinfo; | |
8295 | + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) { | |
8296 | + printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n", | |
8297 | + targinfosize, | |
8298 | + IPT_ALIGN(sizeof(struct ipt_connmark_target_info))); | |
8299 | + return 0; | |
8300 | + } | |
8301 | + | |
8302 | + if (matchinfo->mode == IPT_CONNMARK_RESTORE) { | |
8303 | + if (strcmp(tablename, "mangle") != 0) { | |
8304 | + printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename); | |
8305 | + return 0; | |
8306 | + } | |
8307 | + } | |
8308 | + | |
8309 | + return 1; | |
8310 | +} | |
8311 | + | |
8312 | +static struct ipt_target ipt_connmark_reg = { | |
8313 | + .name = "CONNMARK", | |
8314 | + .target = &target, | |
8315 | + .checkentry = &checkentry, | |
8316 | + .me = THIS_MODULE | |
8317 | +}; | |
8318 | + | |
8319 | +static int __init init(void) | |
8320 | +{ | |
8321 | + return ipt_register_target(&ipt_connmark_reg); | |
8322 | +} | |
8323 | + | |
8324 | +static void __exit fini(void) | |
8325 | +{ | |
8326 | + ipt_unregister_target(&ipt_connmark_reg); | |
8327 | +} | |
8328 | + | |
8329 | +module_init(init); | |
8330 | +module_exit(fini); | |
8331 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_IPMARK.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_IPMARK.c | |
8332 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100 | |
8333 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_IPMARK.c 2004-04-29 11:17:03.000000000 +0200 | |
8334 | @@ -0,0 +1,81 @@ | |
8335 | +/* This is a module which is used for setting the NFMARK field of an skb. */ | |
8336 | +#include <linux/module.h> | |
8337 | +#include <linux/skbuff.h> | |
8338 | +#include <linux/ip.h> | |
8339 | +#include <net/checksum.h> | |
8340 | + | |
8341 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
8342 | +#include <linux/netfilter_ipv4/ipt_IPMARK.h> | |
8343 | + | |
8344 | +MODULE_AUTHOR("Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>"); | |
8345 | +MODULE_DESCRIPTION("IP tables IPMARK: mark based on ip address"); | |
8346 | +MODULE_LICENSE("GPL"); | |
8347 | + | |
8348 | +static unsigned int | |
8349 | +target(struct sk_buff **pskb, | |
8350 | + const struct net_device *in, | |
8351 | + const struct net_device *out, | |
8352 | + unsigned int hooknum, | |
8353 | + const void *targinfo, | |
8354 | + void *userinfo) | |
8355 | +{ | |
8356 | + const struct ipt_ipmark_target_info *ipmarkinfo = targinfo; | |
8357 | + struct iphdr *iph = (*pskb)->nh.iph; | |
8358 | + unsigned long mark; | |
8359 | + | |
8360 | + if (ipmarkinfo->addr == IPT_IPMARK_SRC) | |
8361 | + mark = (unsigned long) ntohl(iph->saddr); | |
8362 | + else | |
8363 | + mark = (unsigned long) ntohl(iph->daddr); | |
8364 | + | |
8365 | + mark &= ipmarkinfo->andmask; | |
8366 | + mark |= ipmarkinfo->ormask; | |
8367 | + | |
8368 | + if ((*pskb)->nfmark != mark) { | |
8369 | + (*pskb)->nfmark = mark; | |
8370 | + (*pskb)->nfcache |= NFC_ALTERED; | |
8371 | + } | |
8372 | + return IPT_CONTINUE; | |
8373 | +} | |
8374 | + | |
8375 | +static int | |
8376 | +checkentry(const char *tablename, | |
8377 | + const struct ipt_entry *e, | |
8378 | + void *targinfo, | |
8379 | + unsigned int targinfosize, | |
8380 | + unsigned int hook_mask) | |
8381 | +{ | |
8382 | + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))) { | |
8383 | + printk(KERN_WARNING "IPMARK: targinfosize %u != %Zu\n", | |
8384 | + targinfosize, | |
8385 | + IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))); | |
8386 | + return 0; | |
8387 | + } | |
8388 | + | |
8389 | + if (strcmp(tablename, "mangle") != 0) { | |
8390 | + printk(KERN_WARNING "IPMARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename); | |
8391 | + return 0; | |
8392 | + } | |
8393 | + | |
8394 | + return 1; | |
8395 | +} | |
8396 | + | |
8397 | +static struct ipt_target ipt_ipmark_reg = { | |
8398 | + .name = "IPMARK", | |
8399 | + .target = target, | |
8400 | + .checkentry = checkentry, | |
8401 | + .me = THIS_MODULE | |
8402 | +}; | |
8403 | + | |
8404 | +static int __init init(void) | |
8405 | +{ | |
8406 | + return ipt_register_target(&ipt_ipmark_reg); | |
8407 | +} | |
8408 | + | |
8409 | +static void __exit fini(void) | |
8410 | +{ | |
8411 | + ipt_unregister_target(&ipt_ipmark_reg); | |
8412 | +} | |
8413 | + | |
8414 | +module_init(init); | |
8415 | +module_exit(fini); | |
8416 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_TARPIT.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_TARPIT.c | |
8417 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100 | |
8418 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_TARPIT.c 2004-04-29 11:17:08.000000000 +0200 | |
8419 | @@ -0,0 +1,289 @@ | |
8420 | +/* | |
8421 | + * Kernel module to capture and hold incoming TCP connections using | |
8422 | + * no local per-connection resources. | |
8423 | + * | |
8424 | + * Based on ipt_REJECT.c and offering functionality similar to | |
8425 | + * LaBrea <http://www.hackbusters.net/LaBrea/>. | |
8426 | + * | |
8427 | + * Copyright (c) 2002 Aaron Hopkins <tools@die.net> | |
8428 | + * | |
8429 | + * This program is free software; you can redistribute it and/or modify | |
8430 | + * it under the terms of the GNU General Public License as published by | |
8431 | + * the Free Software Foundation; either version 2 of the License, or | |
8432 | + * (at your option) any later version. | |
8433 | + * | |
8434 | + * This program is distributed in the hope that it will be useful, | |
8435 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
8436 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
8437 | + * GNU General Public License for more details. | |
8438 | + * | |
8439 | + * You should have received a copy of the GNU General Public License | |
8440 | + * along with this program; if not, write to the Free Software | |
8441 | + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | |
8442 | + * | |
8443 | + * Goal: | |
8444 | + * - Allow incoming TCP connections to be established. | |
8445 | + * - Passing data should result in the connection being switched to the | |
8446 | + * persist state (0 byte window), in which the remote side stops sending | |
8447 | + * data and asks to continue every 60 seconds. | |
8448 | + * - Attempts to shut down the connection should be ignored completely, so | |
8449 | + * the remote side ends up having to time it out. | |
8450 | + * | |
8451 | + * This means: | |
8452 | + * - Reply to TCP SYN,!ACK,!RST,!FIN with SYN-ACK, window 5 bytes | |
8453 | + * - Reply to TCP SYN,ACK,!RST,!FIN with RST to prevent spoofing | |
8454 | + * - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited | |
8455 | + */ | |
8456 | + | |
8457 | +#include <linux/config.h> | |
8458 | +#include <linux/module.h> | |
8459 | +#include <linux/skbuff.h> | |
8460 | +#include <linux/ip.h> | |
8461 | +#include <net/ip.h> | |
8462 | +#include <net/tcp.h> | |
8463 | +#include <net/icmp.h> | |
8464 | +struct in_device; | |
8465 | +#include <net/route.h> | |
8466 | +#include <linux/random.h> | |
8467 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
8468 | + | |
8469 | +#if 0 | |
8470 | +#define DEBUGP printk | |
8471 | +#else | |
8472 | +#define DEBUGP(format, args...) | |
8473 | +#endif | |
8474 | + | |
8475 | +MODULE_LICENSE("GPL"); | |
8476 | +MODULE_AUTHOR("Aaron Hopkins <tools@die.net>"); | |
8477 | + | |
8478 | +/* Stolen from ip_finish_output2 */ | |
8479 | +static int ip_direct_send(struct sk_buff *skb) | |
8480 | +{ | |
8481 | + struct dst_entry *dst = skb->dst; | |
8482 | + struct hh_cache *hh = dst->hh; | |
8483 | + | |
8484 | + if (hh) { | |
8485 | + read_lock_bh(&hh->hh_lock); | |
8486 | + memcpy(skb->data - 16, hh->hh_data, 16); | |
8487 | + read_unlock_bh(&hh->hh_lock); | |
8488 | + skb_push(skb, hh->hh_len); | |
8489 | + return hh->hh_output(skb); | |
8490 | + } else if (dst->neighbour) | |
8491 | + return dst->neighbour->output(skb); | |
8492 | + | |
8493 | + if (net_ratelimit()) | |
8494 | + printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n"); | |
8495 | + kfree_skb(skb); | |
8496 | + return -EINVAL; | |
8497 | +} | |
8498 | + | |
8499 | + | |
8500 | +/* Send reply */ | |
8501 | +static void tarpit_tcp(struct sk_buff *oskb,struct rtable *ort,int local) | |
8502 | +{ | |
8503 | + struct sk_buff *nskb; | |
8504 | + struct rtable *nrt; | |
8505 | + struct tcphdr *otcph, *ntcph; | |
8506 | + unsigned int otcplen; | |
8507 | + u_int16_t tmp; | |
8508 | + struct flowi fl = {}; | |
8509 | + | |
8510 | + /* A truncated TCP header isn't going to be useful */ | |
8511 | + if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr)) | |
8512 | + return; | |
8513 | + | |
8514 | + otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph | |
8515 | + + oskb->nh.iph->ihl); | |
8516 | + otcplen = oskb->len - oskb->nh.iph->ihl*4; | |
8517 | + | |
8518 | + /* No replies for RST or FIN */ | |
8519 | + if (otcph->rst || otcph->fin) | |
8520 | + return; | |
8521 | + | |
8522 | + /* No reply to !SYN,!ACK. Rate-limit replies to !SYN,ACKs */ | |
8523 | + if (!otcph->syn && (!otcph->ack || !xrlim_allow(&ort->u.dst, 1*HZ))) | |
8524 | + return; | |
8525 | + | |
8526 | + /* Check checksum. */ | |
8527 | + if (tcp_v4_check(otcph, otcplen, oskb->nh.iph->saddr, | |
8528 | + oskb->nh.iph->daddr, | |
8529 | + csum_partial((char *)otcph, otcplen, 0)) != 0) | |
8530 | + return; | |
8531 | + | |
8532 | + /* Copy skb (even if skb is about to be dropped, we can't just | |
8533 | + clone it because there may be other things, such as tcpdump, | |
8534 | + interested in it) */ | |
8535 | + nskb = skb_copy(oskb, GFP_ATOMIC); | |
8536 | + if (!nskb) | |
8537 | + return; | |
8538 | + | |
8539 | + /* This packet will not be the same as the other: clear nf fields */ | |
8540 | + nf_conntrack_put(nskb->nfct); | |
8541 | + nskb->nfct = NULL; | |
8542 | + nskb->nfcache = 0; | |
8543 | +#ifdef CONFIG_NETFILTER_DEBUG | |
8544 | + nskb->nf_debug = 0; | |
8545 | +#endif | |
8546 | + | |
8547 | + ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl); | |
8548 | + | |
8549 | + /* Truncate to length (no data) */ | |
8550 | + ntcph->doff = sizeof(struct tcphdr)/4; | |
8551 | + skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr)); | |
8552 | + nskb->nh.iph->tot_len = htons(nskb->len); | |
8553 | + | |
8554 | + /* Swap source and dest */ | |
8555 | + nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr); | |
8556 | + tmp = ntcph->source; | |
8557 | + ntcph->source = ntcph->dest; | |
8558 | + ntcph->dest = tmp; | |
8559 | + | |
8560 | + /* Use supplied sequence number or make a new one */ | |
8561 | + ntcph->seq = otcph->ack ? otcph->ack_seq | |
8562 | + : htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr, | |
8563 | + nskb->nh.iph->daddr, | |
8564 | + ntcph->source, | |
8565 | + ntcph->dest)); | |
8566 | + | |
8567 | + /* Our SYN-ACKs must have a >0 window */ | |
8568 | + ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0; | |
8569 | + | |
8570 | + ntcph->urg_ptr = 0; | |
8571 | + | |
8572 | + /* Reset flags */ | |
8573 | + ((u_int8_t *)ntcph)[13] = 0; | |
8574 | + | |
8575 | + if (otcph->syn && otcph->ack) { | |
8576 | + ntcph->rst = 1; | |
8577 | + ntcph->ack_seq = 0; | |
8578 | + } else { | |
8579 | + ntcph->syn = otcph->syn; | |
8580 | + ntcph->ack = 1; | |
8581 | + ntcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn); | |
8582 | + } | |
8583 | + | |
8584 | + /* Adjust TCP checksum */ | |
8585 | + ntcph->check = 0; | |
8586 | + ntcph->check = tcp_v4_check(ntcph, sizeof(struct tcphdr), | |
8587 | + nskb->nh.iph->saddr, | |
8588 | + nskb->nh.iph->daddr, | |
8589 | + csum_partial((char *)ntcph, | |
8590 | + sizeof(struct tcphdr), 0)); | |
8591 | + | |
8592 | + /* Adjust IP TTL */ | |
8593 | + nskb->nh.iph->ttl = sysctl_ip_default_ttl; | |
8594 | + | |
8595 | + /* Set DF, id = 0 */ | |
8596 | + nskb->nh.iph->frag_off = htons(IP_DF); | |
8597 | + nskb->nh.iph->id = 0; | |
8598 | + | |
8599 | + /* Adjust IP checksum */ | |
8600 | + nskb->nh.iph->check = 0; | |
8601 | + nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, | |
8602 | + nskb->nh.iph->ihl); | |
8603 | + | |
8604 | + fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr; | |
8605 | + fl.nl_u.ip4_u.saddr = (local ? nskb->nh.iph->saddr : 0); | |
8606 | + fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN; | |
8607 | + fl.oif = 0; | |
8608 | + if (ip_route_output_key(&nrt, &fl) != 0) | |
8609 | + goto free_nskb; | |
8610 | + | |
8611 | + dst_release(nskb->dst); | |
8612 | + nskb->dst = &nrt->u.dst; | |
8613 | + | |
8614 | + /* "Never happens" */ | |
8615 | + if (nskb->len > dst_pmtu(nskb->dst)) | |
8616 | + goto free_nskb; | |
8617 | + | |
8618 | + ip_direct_send (nskb); | |
8619 | + | |
8620 | + return; | |
8621 | + | |
8622 | + free_nskb: | |
8623 | + kfree_skb(nskb); | |
8624 | +} | |
8625 | + | |
8626 | + | |
8627 | +static unsigned int tarpit(struct sk_buff **pskb, | |
8628 | + const struct net_device *in, | |
8629 | + const struct net_device *out, | |
8630 | + unsigned int hooknum, | |
8631 | + const void *targinfo, | |
8632 | + void *userinfo) | |
8633 | +{ | |
8634 | + struct sk_buff *skb = *pskb; | |
8635 | + struct rtable *rt = (struct rtable*)skb->dst; | |
8636 | + | |
8637 | + /* Do we have an input route cache entry? */ | |
8638 | + if (!rt) | |
8639 | + return NF_DROP; | |
8640 | + | |
8641 | + /* No replies to physical multicast/broadcast */ | |
8642 | + if (skb->pkt_type != PACKET_HOST && skb->pkt_type != PACKET_OTHERHOST) | |
8643 | + return NF_DROP; | |
8644 | + | |
8645 | + /* Now check at the protocol level */ | |
8646 | + if (rt->rt_flags&(RTCF_BROADCAST|RTCF_MULTICAST)) | |
8647 | + return NF_DROP; | |
8648 | + | |
8649 | + /* Our naive response construction doesn't deal with IP | |
8650 | + options, and probably shouldn't try. */ | |
8651 | + if (skb->nh.iph->ihl*4 != sizeof(struct iphdr)) | |
8652 | + return NF_DROP; | |
8653 | + | |
8654 | + /* We aren't interested in fragments */ | |
8655 | + if (skb->nh.iph->frag_off & htons(IP_OFFSET)) | |
8656 | + return NF_DROP; | |
8657 | + | |
8658 | + tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN); | |
8659 | + | |
8660 | + return NF_DROP; | |
8661 | +} | |
8662 | + | |
8663 | + | |
8664 | +static int check(const char *tablename, | |
8665 | + const struct ipt_entry *e, | |
8666 | + void *targinfo, | |
8667 | + unsigned int targinfosize, | |
8668 | + unsigned int hook_mask) | |
8669 | +{ | |
8670 | + /* Only allow these for input/forward packet filtering. */ | |
8671 | + if (strcmp(tablename, "filter") != 0) { | |
8672 | + DEBUGP("TARPIT: bad table %s'.\n", tablename); | |
8673 | + return 0; | |
8674 | + } | |
8675 | + if ((hook_mask & ~((1 << NF_IP_LOCAL_IN) | |
8676 | + | (1 << NF_IP_FORWARD))) != 0) { | |
8677 | + DEBUGP("TARPIT: bad hook mask %X\n", hook_mask); | |
8678 | + return 0; | |
8679 | + } | |
8680 | + | |
8681 | + /* Must specify that it's a TCP packet */ | |
8682 | + if (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO)) { | |
8683 | + DEBUGP("TARPIT: not valid for non-tcp\n"); | |
8684 | + return 0; | |
8685 | + } | |
8686 | + | |
8687 | + return 1; | |
8688 | +} | |
8689 | + | |
8690 | +static struct ipt_target ipt_tarpit_reg = { | |
8691 | + .name = "TARPIT", | |
8692 | + .target = tarpit, | |
8693 | + .checkentry = check, | |
8694 | + .me = THIS_MODULE | |
8695 | +}; | |
8696 | + | |
8697 | +static int __init init(void) | |
8698 | +{ | |
8699 | + return ipt_register_target(&ipt_tarpit_reg); | |
8700 | +} | |
8701 | + | |
8702 | +static void __exit fini(void) | |
8703 | +{ | |
8704 | + ipt_unregister_target(&ipt_tarpit_reg); | |
8705 | +} | |
8706 | + | |
8707 | +module_init(init); | |
8708 | +module_exit(fini); | |
8709 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_TRACE.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_TRACE.c | |
8710 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_TRACE.c 1970-01-01 01:00:00.000000000 +0100 | |
8711 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_TRACE.c 2004-04-29 11:17:15.000000000 +0200 | |
8712 | @@ -0,0 +1,64 @@ | |
8713 | +/* This is a module which is used for setting | |
8714 | + * the NFC_TRACE flag in the nfcache field of an skb. | |
8715 | + */ | |
8716 | +#include <linux/module.h> | |
8717 | +#include <linux/skbuff.h> | |
8718 | + | |
8719 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
8720 | + | |
8721 | +static unsigned int | |
8722 | +target(struct sk_buff **pskb, | |
8723 | + const struct net_device *in, | |
8724 | + const struct net_device *out, | |
8725 | + unsigned int hooknum, | |
8726 | + const void *targinfo, | |
8727 | + void *userinfo) | |
8728 | +{ | |
8729 | + (*pskb)->nfcache |= NFC_TRACE; | |
8730 | + return IPT_CONTINUE; | |
8731 | +} | |
8732 | + | |
8733 | +static int | |
8734 | +checkentry(const char *tablename, | |
8735 | + const struct ipt_entry *e, | |
8736 | + void *targinfo, | |
8737 | + unsigned int targinfosize, | |
8738 | + unsigned int hook_mask) | |
8739 | +{ | |
8740 | + if (targinfosize != 0) { | |
8741 | + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n", | |
8742 | + targinfosize); | |
8743 | + return 0; | |
8744 | + } | |
8745 | + | |
8746 | + if (strcmp(tablename, "raw") != 0) { | |
8747 | + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename); | |
8748 | + return 0; | |
8749 | + } | |
8750 | + | |
8751 | + return 1; | |
8752 | +} | |
8753 | + | |
8754 | +static struct ipt_target ipt_trace_reg = { | |
8755 | + .name = "TRACE", | |
8756 | + .target = target, | |
8757 | + .checkentry = checkentry, | |
8758 | + .me = THIS_MODULE | |
8759 | +}; | |
8760 | + | |
8761 | +static int __init init(void) | |
8762 | +{ | |
8763 | + if (ipt_register_target(&ipt_trace_reg)) | |
8764 | + return -EINVAL; | |
8765 | + | |
8766 | + return 0; | |
8767 | +} | |
8768 | + | |
8769 | +static void __exit fini(void) | |
8770 | +{ | |
8771 | + ipt_unregister_target(&ipt_trace_reg); | |
8772 | +} | |
8773 | + | |
8774 | +module_init(init); | |
8775 | +module_exit(fini); | |
8776 | +MODULE_LICENSE("GPL"); | |
8777 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_XOR.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_XOR.c | |
8778 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_XOR.c 1970-01-01 01:00:00.000000000 +0100 | |
8779 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_XOR.c 2004-04-29 11:17:18.000000000 +0200 | |
8780 | @@ -0,0 +1,117 @@ | |
8781 | +/* XOR target for IP tables | |
8782 | + * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be> | |
8783 | + * Based on ipt_TTL.c | |
8784 | + * | |
8785 | + * Version 1.0 | |
8786 | + * | |
8787 | + * This software is distributed under the terms of GNU GPL | |
8788 | + */ | |
8789 | + | |
8790 | +#include <linux/module.h> | |
8791 | +#include <linux/skbuff.h> | |
8792 | +#include <linux/ip.h> | |
8793 | +#include <linux/tcp.h> | |
8794 | +#include <linux/udp.h> | |
8795 | + | |
8796 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
8797 | +#include <linux/netfilter_ipv4/ipt_XOR.h> | |
8798 | + | |
8799 | +MODULE_AUTHOR("Tim Vandermeersch <Tim.Vandermeersch@pandora.be>"); | |
8800 | +MODULE_DESCRIPTION("IP tables XOR module"); | |
8801 | +MODULE_LICENSE("GPL"); | |
8802 | + | |
8803 | +static unsigned int | |
8804 | +ipt_xor_target(struct sk_buff **pskb, | |
8805 | + const struct net_device *in, const struct net_device *out, | |
8806 | + unsigned int hooknum, const void *targinfo, void *userinfo) | |
8807 | +{ | |
8808 | + struct ipt_XOR_info *info = (void *) targinfo; | |
8809 | + struct iphdr *iph; | |
8810 | + struct tcphdr *tcph; | |
8811 | + struct udphdr *udph; | |
8812 | + int i, j, k; | |
8813 | + | |
8814 | + if (!skb_ip_make_writable(pskb, (*pskb)->len)) | |
8815 | + return NF_DROP; | |
8816 | + | |
8817 | + iph = (*pskb)->nh.iph; | |
8818 | + | |
8819 | + if (iph->protocol == IPPROTO_TCP) { | |
8820 | + tcph = (struct tcphdr *) ((*pskb)->data + iph->ihl*4); | |
8821 | + for (i=0, j=0; i<(ntohs(iph->tot_len) - iph->ihl*4 - tcph->doff*4); ) { | |
8822 | + for (k=0; k<=info->block_size; k++) { | |
8823 | + (char) (*pskb)->data[ iph->ihl*4 + tcph->doff*4 + i ] ^= | |
8824 | + info->key[j]; | |
8825 | + i++; | |
8826 | + } | |
8827 | + j++; | |
8828 | + if (info->key[j] == 0x00) | |
8829 | + j = 0; | |
8830 | + } | |
8831 | + } else if (iph->protocol == IPPROTO_UDP) { | |
8832 | + udph = (struct udphdr *) ((*pskb)->data + iph->ihl*4); | |
8833 | + for (i=0, j=0; i<(ntohs(udph->len)-8); ) { | |
8834 | + for (k=0; k<=info->block_size; k++) { | |
8835 | + (char) (*pskb)->data[ iph->ihl*4 + sizeof(struct udphdr) + i ] ^= | |
8836 | + info->key[j]; | |
8837 | + i++; | |
8838 | + } | |
8839 | + j++; | |
8840 | + if (info->key[j] == 0x00) | |
8841 | + j = 0; | |
8842 | + } | |
8843 | + } | |
8844 | + | |
8845 | + return IPT_CONTINUE; | |
8846 | +} | |
8847 | + | |
8848 | +static int ipt_xor_checkentry(const char *tablename, const struct ipt_entry *e, | |
8849 | + void *targinfo, unsigned int targinfosize, | |
8850 | + unsigned int hook_mask) | |
8851 | +{ | |
8852 | + struct ipt_XOR_info *info = targinfo; | |
8853 | + | |
8854 | + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_XOR_info))) { | |
8855 | + printk(KERN_WARNING "XOR: targinfosize %u != %Zu\n", | |
8856 | + targinfosize, IPT_ALIGN(sizeof(struct ipt_XOR_info))); | |
8857 | + return 0; | |
8858 | + } | |
8859 | + | |
8860 | + if (strcmp(tablename, "mangle")) { | |
8861 | + printk(KERN_WARNING "XOR: can only be called from" | |
8862 | + "\"mangle\" table, not \"%s\"\n", tablename); | |
8863 | + return 0; | |
8864 | + } | |
8865 | + | |
8866 | + if (!strcmp(info->key, "")) { | |
8867 | + printk(KERN_WARNING "XOR: You must specify a key"); | |
8868 | + return 0; | |
8869 | + } | |
8870 | + | |
8871 | + if (info->block_size == 0) { | |
8872 | + printk(KERN_WARNING "XOR: You must specify a block-size"); | |
8873 | + return 0; | |
8874 | + } | |
8875 | + | |
8876 | + return 1; | |
8877 | +} | |
8878 | + | |
8879 | +static struct ipt_target ipt_XOR = { | |
8880 | + .name = "XOR", | |
8881 | + .target = ipt_xor_target, | |
8882 | + .checkentry = ipt_xor_checkentry, | |
8883 | + .me = THIS_MODULE, | |
8884 | +}; | |
8885 | + | |
8886 | +static int __init init(void) | |
8887 | +{ | |
8888 | + return ipt_register_target(&ipt_XOR); | |
8889 | +} | |
8890 | + | |
8891 | +static void __exit fini(void) | |
8892 | +{ | |
8893 | + ipt_unregister_target(&ipt_XOR); | |
8894 | +} | |
8895 | + | |
8896 | +module_init(init); | |
8897 | +module_exit(fini); | |
8898 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_addrtype.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_addrtype.c | |
8899 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_addrtype.c 1970-01-01 01:00:00.000000000 +0100 | |
8900 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_addrtype.c 2004-04-29 11:17:23.000000000 +0200 | |
8901 | @@ -0,0 +1,68 @@ | |
8902 | +/* | |
8903 | + * iptables module to match inet_addr_type() of an ip. | |
8904 | + */ | |
8905 | + | |
8906 | +#include <linux/module.h> | |
8907 | +#include <linux/skbuff.h> | |
8908 | +#include <linux/netdevice.h> | |
8909 | +#include <net/route.h> | |
8910 | + | |
8911 | +#include <linux/netfilter_ipv4/ipt_addrtype.h> | |
8912 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
8913 | + | |
8914 | +MODULE_LICENSE("GPL"); | |
8915 | + | |
8916 | +static inline int match_type(u_int32_t addr, u_int16_t mask) | |
8917 | +{ | |
8918 | + return !!(mask & (1 << inet_addr_type(addr))); | |
8919 | +} | |
8920 | + | |
8921 | +static int match(const struct sk_buff *skb, const struct net_device *in, | |
8922 | + const struct net_device *out, const void *matchinfo, | |
8923 | + int offset, int *hotdrop) | |
8924 | +{ | |
8925 | + const struct ipt_addrtype_info *info = matchinfo; | |
8926 | + const struct iphdr *iph = skb->nh.iph; | |
8927 | + int ret = 1; | |
8928 | + | |
8929 | + if (info->source) | |
8930 | + ret &= match_type(iph->saddr, info->source)^info->invert_source; | |
8931 | + if (info->dest) | |
8932 | + ret &= match_type(iph->daddr, info->dest)^info->invert_dest; | |
8933 | + | |
8934 | + return ret; | |
8935 | +} | |
8936 | + | |
8937 | +static int checkentry(const char *tablename, const struct ipt_ip *ip, | |
8938 | + void *matchinfo, unsigned int matchsize, | |
8939 | + unsigned int hook_mask) | |
8940 | +{ | |
8941 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) { | |
8942 | + printk(KERN_ERR "ipt_addrtype: invalid size (%u != %u)\n.", | |
8943 | + matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info))); | |
8944 | + return 0; | |
8945 | + } | |
8946 | + | |
8947 | + return 1; | |
8948 | +} | |
8949 | + | |
8950 | +static struct ipt_match addrtype_match = { | |
8951 | + .name = "addrtype", | |
8952 | + .match = match, | |
8953 | + .checkentry = checkentry, | |
8954 | + .me = THIS_MODULE | |
8955 | +}; | |
8956 | + | |
8957 | +static int __init init(void) | |
8958 | +{ | |
8959 | + return ipt_register_match(&addrtype_match); | |
8960 | +} | |
8961 | + | |
8962 | +static void __exit fini(void) | |
8963 | +{ | |
8964 | + ipt_unregister_match(&addrtype_match); | |
8965 | + | |
8966 | +} | |
8967 | + | |
8968 | +module_init(init); | |
8969 | +module_exit(fini); | |
8970 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_connmark.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_connmark.c | |
8971 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_connmark.c 1970-01-01 01:00:00.000000000 +0100 | |
8972 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_connmark.c 2004-04-29 11:10:59.000000000 +0200 | |
8973 | @@ -0,0 +1,81 @@ | |
8974 | +/* This kernel module matches connection mark values set by the | |
8975 | + * CONNMARK target | |
8976 | + * | |
8977 | + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | |
8978 | + * by Henrik Nordstrom <hno@marasystems.com> | |
8979 | + * | |
8980 | + * This program is free software; you can redistribute it and/or modify | |
8981 | + * it under the terms of the GNU General Public License as published by | |
8982 | + * the Free Software Foundation; either version 2 of the License, or | |
8983 | + * (at your option) any later version. | |
8984 | + * | |
8985 | + * This program is distributed in the hope that it will be useful, | |
8986 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
8987 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
8988 | + * GNU General Public License for more details. | |
8989 | + * | |
8990 | + * You should have received a copy of the GNU General Public License | |
8991 | + * along with this program; if not, write to the Free Software | |
8992 | + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
8993 | + */ | |
8994 | + | |
8995 | +#include <linux/module.h> | |
8996 | +#include <linux/skbuff.h> | |
8997 | + | |
8998 | +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>"); | |
8999 | +MODULE_DESCRIPTION("IP tables connmark match module"); | |
9000 | +MODULE_LICENSE("GPL"); | |
9001 | + | |
9002 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
9003 | +#include <linux/netfilter_ipv4/ipt_connmark.h> | |
9004 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
9005 | + | |
9006 | +static int | |
9007 | +match(const struct sk_buff *skb, | |
9008 | + const struct net_device *in, | |
9009 | + const struct net_device *out, | |
9010 | + const void *matchinfo, | |
9011 | + int offset, | |
9012 | + int *hotdrop) | |
9013 | +{ | |
9014 | + const struct ipt_connmark_info *info = matchinfo; | |
9015 | + enum ip_conntrack_info ctinfo; | |
9016 | + struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); | |
9017 | + if (!ct) | |
9018 | + return 0; | |
9019 | + | |
9020 | + return ((ct->mark & info->mask) == info->mark) ^ info->invert; | |
9021 | +} | |
9022 | + | |
9023 | +static int | |
9024 | +checkentry(const char *tablename, | |
9025 | + const struct ipt_ip *ip, | |
9026 | + void *matchinfo, | |
9027 | + unsigned int matchsize, | |
9028 | + unsigned int hook_mask) | |
9029 | +{ | |
9030 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info))) | |
9031 | + return 0; | |
9032 | + | |
9033 | + return 1; | |
9034 | +} | |
9035 | + | |
9036 | +static struct ipt_match connmark_match = { | |
9037 | + .name = "connmark", | |
9038 | + .match = &match, | |
9039 | + .checkentry = &checkentry, | |
9040 | + .me = THIS_MODULE | |
9041 | +}; | |
9042 | + | |
9043 | +static int __init init(void) | |
9044 | +{ | |
9045 | + return ipt_register_match(&connmark_match); | |
9046 | +} | |
9047 | + | |
9048 | +static void __exit fini(void) | |
9049 | +{ | |
9050 | + ipt_unregister_match(&connmark_match); | |
9051 | +} | |
9052 | + | |
9053 | +module_init(init); | |
9054 | +module_exit(fini); | |
9055 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_helper.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_helper.c | |
9056 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_helper.c 2004-04-29 11:24:39.000000000 +0200 | |
9057 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_helper.c 2004-04-29 11:18:37.000000000 +0200 | |
9058 | @@ -71,8 +71,11 @@ | |
9059 | DEBUGP("master's name = %s , info->name = %s\n", | |
9060 | exp->expectant->helper->name, info->name); | |
9061 | ||
9062 | - ret ^= !strncmp(exp->expectant->helper->name, info->name, | |
9063 | - strlen(exp->expectant->helper->name)); | |
9064 | + if (info->name[0] == '\0') | |
9065 | + ret ^= 1; | |
9066 | + else | |
9067 | + ret ^= !strncmp(exp->expectant->helper->name, info->name, | |
9068 | + strlen(exp->expectant->helper->name)); | |
9069 | out_unlock: | |
9070 | READ_UNLOCK(&ip_conntrack_lock); | |
9071 | return ret; | |
9072 | @@ -92,10 +95,6 @@ | |
9073 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_helper_info))) | |
9074 | return 0; | |
9075 | ||
9076 | - /* verify that we actually should match anything */ | |
9077 | - if ( strlen(info->name) == 0 ) | |
9078 | - return 0; | |
9079 | - | |
9080 | return 1; | |
9081 | } | |
9082 | ||
9083 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_owner.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_owner.c | |
9084 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_owner.c 2004-04-28 03:36:37.000000000 +0200 | |
9085 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_owner.c 2004-04-29 11:19:32.000000000 +0200 | |
9086 | @@ -6,12 +6,19 @@ | |
9087 | * This program is free software; you can redistribute it and/or modify | |
9088 | * it under the terms of the GNU General Public License version 2 as | |
9089 | * published by the Free Software Foundation. | |
9090 | + * | |
9091 | + * 03/26/2003 Patrick McHardy <kaber@trash.net> : LOCAL_IN support | |
9092 | */ | |
9093 | ||
9094 | #include <linux/module.h> | |
9095 | #include <linux/skbuff.h> | |
9096 | #include <linux/file.h> | |
9097 | +#include <linux/ip.h> | |
9098 | +#include <linux/tcp.h> | |
9099 | +#include <linux/udp.h> | |
9100 | #include <net/sock.h> | |
9101 | +#include <net/tcp.h> | |
9102 | +#include <net/udp.h> | |
9103 | ||
9104 | #include <linux/netfilter_ipv4/ipt_owner.h> | |
9105 | #include <linux/netfilter_ipv4/ip_tables.h> | |
9106 | @@ -21,7 +28,7 @@ | |
9107 | MODULE_DESCRIPTION("iptables owner match"); | |
9108 | ||
9109 | static int | |
9110 | -match_comm(const struct sk_buff *skb, const char *comm) | |
9111 | +match_comm(const struct sock *sk, const char *comm) | |
9112 | { | |
9113 | struct task_struct *g, *p; | |
9114 | struct files_struct *files; | |
9115 | @@ -38,7 +45,7 @@ | |
9116 | spin_lock(&files->file_lock); | |
9117 | for (i=0; i < files->max_fds; i++) { | |
9118 | if (fcheck_files(files, i) == | |
9119 | - skb->sk->sk_socket->file) { | |
9120 | + sk->sk_socket->file) { | |
9121 | spin_unlock(&files->file_lock); | |
9122 | task_unlock(p); | |
9123 | read_unlock(&tasklist_lock); | |
9124 | @@ -54,7 +61,7 @@ | |
9125 | } | |
9126 | ||
9127 | static int | |
9128 | -match_pid(const struct sk_buff *skb, pid_t pid) | |
9129 | +match_pid(const struct sock *sk, pid_t pid) | |
9130 | { | |
9131 | struct task_struct *p; | |
9132 | struct files_struct *files; | |
9133 | @@ -70,7 +77,7 @@ | |
9134 | spin_lock(&files->file_lock); | |
9135 | for (i=0; i < files->max_fds; i++) { | |
9136 | if (fcheck_files(files, i) == | |
9137 | - skb->sk->sk_socket->file) { | |
9138 | + sk->sk_socket->file) { | |
9139 | spin_unlock(&files->file_lock); | |
9140 | task_unlock(p); | |
9141 | read_unlock(&tasklist_lock); | |
9142 | @@ -86,10 +93,10 @@ | |
9143 | } | |
9144 | ||
9145 | static int | |
9146 | -match_sid(const struct sk_buff *skb, pid_t sid) | |
9147 | +match_sid(const struct sock *sk, pid_t sid) | |
9148 | { | |
9149 | struct task_struct *g, *p; | |
9150 | - struct file *file = skb->sk->sk_socket->file; | |
9151 | + struct file *file = sk->sk_socket->file; | |
9152 | int i, found=0; | |
9153 | ||
9154 | read_lock(&tasklist_lock); | |
9155 | @@ -129,41 +136,71 @@ | |
9156 | int *hotdrop) | |
9157 | { | |
9158 | const struct ipt_owner_info *info = matchinfo; | |
9159 | + struct iphdr *iph = skb->nh.iph; | |
9160 | + struct sock *sk = NULL; | |
9161 | + int ret = 0; | |
9162 | + | |
9163 | + if (out) { | |
9164 | + sk = skb->sk; | |
9165 | + } else { | |
9166 | + if (iph->protocol == IPPROTO_TCP) { | |
9167 | + struct tcphdr *tcph = | |
9168 | + (struct tcphdr *)((u_int32_t *)iph + iph->ihl); | |
9169 | + sk = tcp_v4_lookup(iph->saddr, tcph->source, | |
9170 | + iph->daddr, tcph->dest, | |
9171 | + skb->dev->ifindex); | |
9172 | + if (sk && sk->sk_state == TCP_TIME_WAIT) { | |
9173 | + tcp_tw_put((struct tcp_tw_bucket *)sk); | |
9174 | + return ret; | |
9175 | + } | |
9176 | + } else if (iph->protocol == IPPROTO_UDP) { | |
9177 | + struct udphdr *udph = | |
9178 | + (struct udphdr *)((u_int32_t *)iph + iph->ihl); | |
9179 | + sk = udp_v4_lookup(iph->saddr, udph->source, iph->daddr, | |
9180 | + udph->dest, skb->dev->ifindex); | |
9181 | + } | |
9182 | + } | |
9183 | ||
9184 | - if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) | |
9185 | - return 0; | |
9186 | + if (!sk || !sk->sk_socket || !sk->sk_socket->file) | |
9187 | + goto out; | |
9188 | ||
9189 | if(info->match & IPT_OWNER_UID) { | |
9190 | - if ((skb->sk->sk_socket->file->f_uid != info->uid) ^ | |
9191 | + if ((sk->sk_socket->file->f_uid != info->uid) ^ | |
9192 | !!(info->invert & IPT_OWNER_UID)) | |
9193 | - return 0; | |
9194 | + goto out; | |
9195 | } | |
9196 | ||
9197 | if(info->match & IPT_OWNER_GID) { | |
9198 | - if ((skb->sk->sk_socket->file->f_gid != info->gid) ^ | |
9199 | + if ((sk->sk_socket->file->f_gid != info->gid) ^ | |
9200 | !!(info->invert & IPT_OWNER_GID)) | |
9201 | - return 0; | |
9202 | + goto out; | |
9203 | } | |
9204 | ||
9205 | if(info->match & IPT_OWNER_PID) { | |
9206 | - if (!match_pid(skb, info->pid) ^ | |
9207 | + if (!match_pid(sk, info->pid) ^ | |
9208 | !!(info->invert & IPT_OWNER_PID)) | |
9209 | - return 0; | |
9210 | + goto out; | |
9211 | } | |
9212 | ||
9213 | if(info->match & IPT_OWNER_SID) { | |
9214 | - if (!match_sid(skb, info->sid) ^ | |
9215 | + if (!match_sid(sk, info->sid) ^ | |
9216 | !!(info->invert & IPT_OWNER_SID)) | |
9217 | - return 0; | |
9218 | + goto out; | |
9219 | } | |
9220 | ||
9221 | if(info->match & IPT_OWNER_COMM) { | |
9222 | - if (!match_comm(skb, info->comm) ^ | |
9223 | + if (!match_comm(sk, info->comm) ^ | |
9224 | !!(info->invert & IPT_OWNER_COMM)) | |
9225 | - return 0; | |
9226 | + goto out; | |
9227 | } | |
9228 | ||
9229 | - return 1; | |
9230 | + ret = 1; | |
9231 | + | |
9232 | +out: | |
9233 | + if (in && sk) | |
9234 | + sock_put(sk); | |
9235 | + | |
9236 | + return ret; | |
9237 | } | |
9238 | ||
9239 | static int | |
9240 | @@ -173,11 +210,19 @@ | |
9241 | unsigned int matchsize, | |
9242 | unsigned int hook_mask) | |
9243 | { | |
9244 | - if (hook_mask | |
9245 | - & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) { | |
9246 | - printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n"); | |
9247 | - return 0; | |
9248 | - } | |
9249 | + if (hook_mask | |
9250 | + & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING) | | |
9251 | + (1 << NF_IP_LOCAL_IN))) { | |
9252 | + printk("ipt_owner: only valid for LOCAL_IN, LOCAL_OUT " | |
9253 | + "or POST_ROUTING.\n"); | |
9254 | + return 0; | |
9255 | + } | |
9256 | + | |
9257 | + if ((hook_mask & (1 << NF_IP_LOCAL_IN)) | |
9258 | + && ip->proto != IPPROTO_TCP && ip->proto != IPPROTO_UDP) { | |
9259 | + printk("ipt_owner: only TCP or UDP can be used in LOCAL_IN\n"); | |
9260 | + return 0; | |
9261 | + } | |
9262 | ||
9263 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) { | |
9264 | printk("Matchsize %u != %Zu\n", matchsize, | |
9265 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_policy.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_policy.c | |
9266 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_policy.c 1970-01-01 01:00:00.000000000 +0100 | |
9267 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_policy.c 2004-04-29 11:19:41.000000000 +0200 | |
9268 | @@ -0,0 +1,176 @@ | |
9269 | +/* IP tables module for matching IPsec policy | |
9270 | + * | |
9271 | + * Copyright (c) 2004 Patrick McHardy, <kaber@trash.net> | |
9272 | + * | |
9273 | + * This program is free software; you can redistribute it and/or modify | |
9274 | + * it under the terms of the GNU General Public License version 2 as | |
9275 | + * published by the Free Software Foundation. | |
9276 | + */ | |
9277 | + | |
9278 | +#include <linux/kernel.h> | |
9279 | +#include <linux/config.h> | |
9280 | +#include <linux/module.h> | |
9281 | +#include <linux/skbuff.h> | |
9282 | +#include <linux/init.h> | |
9283 | +#include <net/xfrm.h> | |
9284 | + | |
9285 | +#include <linux/netfilter_ipv4.h> | |
9286 | +#include <linux/netfilter_ipv4/ipt_policy.h> | |
9287 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
9288 | + | |
9289 | +MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | |
9290 | +MODULE_DESCRIPTION("IPtables IPsec policy matching module"); | |
9291 | +MODULE_LICENSE("GPL"); | |
9292 | + | |
9293 | + | |
9294 | +static inline int | |
9295 | +match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) | |
9296 | +{ | |
9297 | +#define MISMATCH(x,y) (e->match.x && ((e->x != (y)) ^ e->invert.x)) | |
9298 | + | |
9299 | + if (MISMATCH(saddr, x->props.saddr.a4 & e->smask) || | |
9300 | + MISMATCH(daddr, x->id.daddr.a4 & e->dmask) || | |
9301 | + MISMATCH(proto, x->id.proto) || | |
9302 | + MISMATCH(mode, x->props.mode) || | |
9303 | + MISMATCH(spi, x->id.spi) || | |
9304 | + MISMATCH(reqid, x->props.reqid)) | |
9305 | + return 0; | |
9306 | + return 1; | |
9307 | +} | |
9308 | + | |
9309 | +static int | |
9310 | +match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info) | |
9311 | +{ | |
9312 | + const struct ipt_policy_elem *e; | |
9313 | + struct sec_path *sp = skb->sp; | |
9314 | + int strict = info->flags & POLICY_MATCH_STRICT; | |
9315 | + int i, pos; | |
9316 | + | |
9317 | + if (sp == NULL) | |
9318 | + return -1; | |
9319 | + if (strict && info->len != sp->len) | |
9320 | + return 0; | |
9321 | + | |
9322 | + for (i = sp->len - 1; i >= 0; i--) { | |
9323 | + pos = strict ? i - sp->len + 1 : 0; | |
9324 | + if (pos >= info->len) | |
9325 | + return 0; | |
9326 | + e = &info->pol[pos]; | |
9327 | + | |
9328 | + if (match_xfrm_state(sp->x[i].xvec, e)) { | |
9329 | + if (!strict) | |
9330 | + return 1; | |
9331 | + } else if (strict) | |
9332 | + return 0; | |
9333 | + } | |
9334 | + | |
9335 | + return strict ? 1 : 0; | |
9336 | +} | |
9337 | + | |
9338 | +static int | |
9339 | +match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info) | |
9340 | +{ | |
9341 | + const struct ipt_policy_elem *e; | |
9342 | + struct dst_entry *dst = skb->dst; | |
9343 | + int strict = info->flags & POLICY_MATCH_STRICT; | |
9344 | + int i, pos; | |
9345 | + | |
9346 | + if (dst->xfrm == NULL) | |
9347 | + return -1; | |
9348 | + | |
9349 | + for (i = 0; dst && dst->xfrm; dst = dst->child, i++) { | |
9350 | + pos = strict ? i : 0; | |
9351 | + if (pos >= info->len) | |
9352 | + return 0; | |
9353 | + e = &info->pol[pos]; | |
9354 | + | |
9355 | + if (match_xfrm_state(dst->xfrm, e)) { | |
9356 | + if (!strict) | |
9357 | + return 1; | |
9358 | + } else if (strict) | |
9359 | + return 0; | |
9360 | + } | |
9361 | + | |
9362 | + return strict ? 1 : 0; | |
9363 | +} | |
9364 | + | |
9365 | +static int match(const struct sk_buff *skb, | |
9366 | + const struct net_device *in, | |
9367 | + const struct net_device *out, | |
9368 | + const void *matchinfo, int offset, int *hotdrop) | |
9369 | +{ | |
9370 | + const struct ipt_policy_info *info = matchinfo; | |
9371 | + int ret; | |
9372 | + | |
9373 | + if (info->flags & POLICY_MATCH_IN) | |
9374 | + ret = match_policy_in(skb, info); | |
9375 | + else | |
9376 | + ret = match_policy_out(skb, info); | |
9377 | + | |
9378 | + if (ret < 0) { | |
9379 | + if (info->flags & POLICY_MATCH_NONE) | |
9380 | + ret = 1; | |
9381 | + else | |
9382 | + ret = 0; | |
9383 | + } else if (info->flags & POLICY_MATCH_NONE) | |
9384 | + ret = 0; | |
9385 | + | |
9386 | + return ret; | |
9387 | +} | |
9388 | + | |
9389 | +static int checkentry(const char *tablename, const struct ipt_ip *ip, | |
9390 | + void *matchinfo, unsigned int matchsize, | |
9391 | + unsigned int hook_mask) | |
9392 | +{ | |
9393 | + struct ipt_policy_info *info = matchinfo; | |
9394 | + | |
9395 | + if (matchsize != IPT_ALIGN(sizeof(*info))) { | |
9396 | + printk(KERN_ERR "ipt_policy: matchsize %u != %u\n", | |
9397 | + matchsize, IPT_ALIGN(sizeof(*info))); | |
9398 | + return 0; | |
9399 | + } | |
9400 | + if (!(info->flags & (POLICY_MATCH_IN|POLICY_MATCH_OUT))) { | |
9401 | + printk(KERN_ERR "ipt_policy: neither incoming nor " | |
9402 | + "outgoing policy selected\n"); | |
9403 | + return 0; | |
9404 | + } | |
9405 | + if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) | |
9406 | + && info->flags & POLICY_MATCH_OUT) { | |
9407 | + printk(KERN_ERR "ipt_policy: output policy not valid in " | |
9408 | + "PRE_ROUTING and INPUT\n"); | |
9409 | + return 0; | |
9410 | + } | |
9411 | + if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) | |
9412 | + && info->flags & POLICY_MATCH_IN) { | |
9413 | + printk(KERN_ERR "ipt_policy: input policy not valid in " | |
9414 | + "POST_ROUTING and OUTPUT\n"); | |
9415 | + return 0; | |
9416 | + } | |
9417 | + if (info->len > POLICY_MAX_ELEM) { | |
9418 | + printk(KERN_ERR "ipt_policy: too many policy elements\n"); | |
9419 | + return 0; | |
9420 | + } | |
9421 | + | |
9422 | + return 1; | |
9423 | +} | |
9424 | + | |
9425 | +static struct ipt_match policy_match = | |
9426 | +{ | |
9427 | + .name = "policy", | |
9428 | + .match = match, | |
9429 | + .checkentry = checkentry, | |
9430 | + .me = THIS_MODULE, | |
9431 | +}; | |
9432 | + | |
9433 | +static int __init init(void) | |
9434 | +{ | |
9435 | + return ipt_register_match(&policy_match); | |
9436 | +} | |
9437 | + | |
9438 | +static void __exit fini(void) | |
9439 | +{ | |
9440 | + ipt_unregister_match(&policy_match); | |
9441 | +} | |
9442 | + | |
9443 | +module_init(init); | |
9444 | +module_exit(fini); | |
9445 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_rpc.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_rpc.c | |
9446 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_rpc.c 1970-01-01 01:00:00.000000000 +0100 | |
9447 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_rpc.c 2004-04-29 11:20:02.000000000 +0200 | |
9448 | @@ -0,0 +1,428 @@ | |
9449 | +/* RPC extension for IP connection matching, Version 2.2 | |
9450 | + * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> | |
9451 | + * - original rpc tracking module | |
9452 | + * - "recent" connection handling for kernel 2.3+ netfilter | |
9453 | + * | |
9454 | + * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au> | |
9455 | + * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ | |
9456 | + * | |
9457 | + * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au> | |
9458 | + * - upgraded conntrack modules to newnat api - kernel 2.4.20+ | |
9459 | + * - extended matching to support filtering on procedures | |
9460 | + * | |
9461 | + * ipt_rpc.c,v 2.2 2003/01/12 18:30:00 | |
9462 | + * | |
9463 | + * This program is free software; you can redistribute it and/or | |
9464 | + * modify it under the terms of the GNU General Public License | |
9465 | + * as published by the Free Software Foundation; either version | |
9466 | + * 2 of the License, or (at your option) any later version. | |
9467 | + ** | |
9468 | + * Module load syntax: | |
9469 | + * insmod ipt_rpc.o ports=port1,port2,...port<MAX_PORTS> | |
9470 | + * | |
9471 | + * Please give the ports of all RPC servers you wish to connect to. | |
9472 | + * If you don't specify ports, the default will be port 111. | |
9473 | + ** | |
9474 | + * Note to all: | |
9475 | + * | |
9476 | + * RPCs should not be exposed to the internet - ask the Pentagon; | |
9477 | + * | |
9478 | + * "The unidentified crackers pleaded guilty in July to charges | |
9479 | + * of juvenile delinquency stemming from a string of Pentagon | |
9480 | + * network intrusions in February. | |
9481 | + * | |
9482 | + * The youths, going by the names TooShort and Makaveli, used | |
9483 | + * a common server security hole to break in, according to | |
9484 | + * Dane Jasper, owner of the California Internet service | |
9485 | + * provider, Sonic. They used the hole, known as the 'statd' | |
9486 | + * exploit, to attempt more than 800 break-ins, Jasper said." | |
9487 | + * | |
9488 | + * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998 | |
9489 | + * URL: http://www.wired.com/news/politics/0,1283,16098,00.html | |
9490 | + ** | |
9491 | + */ | |
9492 | + | |
9493 | +#include <linux/module.h> | |
9494 | +#include <linux/skbuff.h> | |
9495 | +#include <linux/list.h> | |
9496 | +#include <linux/udp.h> | |
9497 | +#include <linux/tcp.h> | |
9498 | +#include <linux/netfilter_ipv4/ip_conntrack.h> | |
9499 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
9500 | +#include <linux/netfilter_ipv4/ip_conntrack_rpc.h> | |
9501 | +#include <linux/netfilter_ipv4/lockhelp.h> | |
9502 | +#include <linux/netfilter_ipv4/ipt_rpc.h> | |
9503 | + | |
9504 | +#define MAX_PORTS 8 | |
9505 | +static int ports[MAX_PORTS]; | |
9506 | +static int ports_n_c = 0; | |
9507 | + | |
9508 | +#ifdef MODULE_PARM | |
9509 | +MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); | |
9510 | +MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers"); | |
9511 | +#endif | |
9512 | + | |
9513 | +MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>"); | |
9514 | +MODULE_DESCRIPTION("RPC connection matching module"); | |
9515 | +MODULE_LICENSE("GPL"); | |
9516 | + | |
9517 | +#if 0 | |
9518 | +#define DEBUGP(format, args...) printk(KERN_DEBUG "ipt_rpc: " \ | |
9519 | + format, ## args) | |
9520 | +#else | |
9521 | +#define DEBUGP(format, args...) | |
9522 | +#endif | |
9523 | + | |
9524 | +EXPORT_NO_SYMBOLS; | |
9525 | + | |
9526 | +/* vars from ip_conntrack_rpc_tcp */ | |
9527 | +extern struct list_head request_p_list_tcp; | |
9528 | +extern struct module *ip_conntrack_rpc_tcp; | |
9529 | + | |
9530 | +/* vars from ip_conntrack_rpc_udp */ | |
9531 | +extern struct list_head request_p_list_udp; | |
9532 | +extern struct module *ip_conntrack_rpc_udp; | |
9533 | + | |
9534 | +DECLARE_RWLOCK_EXTERN(ipct_rpc_tcp_lock); | |
9535 | +DECLARE_RWLOCK_EXTERN(ipct_rpc_udp_lock); | |
9536 | + | |
9537 | +#define ASSERT_READ_LOCK(x) \ | |
9538 | +do { \ | |
9539 | + if (x == &request_p_list_udp) \ | |
9540 | + MUST_BE_READ_LOCKED(&ipct_rpc_udp_lock); \ | |
9541 | + else if (x == &request_p_list_tcp) \ | |
9542 | + MUST_BE_READ_LOCKED(&ipct_rpc_tcp_lock); \ | |
9543 | +} while (0) | |
9544 | + | |
9545 | +#define ASSERT_WRITE_LOCK(x) \ | |
9546 | +do { \ | |
9547 | + if (x == &request_p_list_udp) \ | |
9548 | + MUST_BE_WRITE_LOCKED(&ipct_rpc_udp_lock); \ | |
9549 | + else if (x == &request_p_list_tcp) \ | |
9550 | + MUST_BE_WRITE_LOCKED(&ipct_rpc_tcp_lock); \ | |
9551 | +} while (0) | |
9552 | + | |
9553 | +#include <linux/netfilter_ipv4/listhelp.h> | |
9554 | + | |
9555 | +const int IPT_RPC_CHAR_LEN = 11; | |
9556 | + | |
9557 | + | |
9558 | +static int k_atoi(char *string) | |
9559 | +{ | |
9560 | + unsigned int result = 0; | |
9561 | + int maxoctet = IPT_RPC_CHAR_LEN; | |
9562 | + | |
9563 | + for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) { | |
9564 | + if (*string < 0) | |
9565 | + return(0); | |
9566 | + if (*string == 0) | |
9567 | + break; | |
9568 | + if (*string < 48 || *string > 57) { | |
9569 | + return(0); | |
9570 | + } | |
9571 | + result = result * 10 + ( *string - 48 ); | |
9572 | + } | |
9573 | + return(result); | |
9574 | +} | |
9575 | + | |
9576 | + | |
9577 | +static int match_rpcs(char *c_procs, int i_procs, int proc) | |
9578 | +{ | |
9579 | + int proc_ctr; | |
9580 | + char *proc_ptr; | |
9581 | + unsigned int proc_num; | |
9582 | + | |
9583 | + DEBUGP("entered match_rpcs [%i] [%i] ..\n", i_procs, proc); | |
9584 | + | |
9585 | + if (i_procs == -1) | |
9586 | + return 1; | |
9587 | + | |
9588 | + for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) { | |
9589 | + | |
9590 | + proc_ptr = c_procs; | |
9591 | + proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN; | |
9592 | + proc_num = k_atoi(proc_ptr); | |
9593 | + | |
9594 | + if (proc_num == proc) | |
9595 | + return 1; | |
9596 | + } | |
9597 | + | |
9598 | + return 0; | |
9599 | +} | |
9600 | + | |
9601 | + | |
9602 | +static int check_rpc_packet(const u_int32_t *data, const void *matchinfo, | |
9603 | + int *hotdrop, int dir, struct ip_conntrack *ct, | |
9604 | + int offset, struct list_head request_p_list) | |
9605 | +{ | |
9606 | + const struct ipt_rpc_info *rpcinfo = matchinfo; | |
9607 | + struct request_p *req_p; | |
9608 | + u_int32_t xid; | |
9609 | + | |
9610 | + | |
9611 | + /* Get XID */ | |
9612 | + xid = *data; | |
9613 | + | |
9614 | + /* This does sanity checking on RPC payloads, | |
9615 | + * and permits only the RPC "get port" (3) | |
9616 | + * in authorised procedures in client | |
9617 | + * communications with the portmapper. | |
9618 | + */ | |
9619 | + | |
9620 | + data += 5; | |
9621 | + | |
9622 | + /* Get RPC requestor */ | |
9623 | + if (IXDR_GET_INT32(data) != 3) { | |
9624 | + DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n"); | |
9625 | + if(rpcinfo->strict == 1) | |
9626 | + *hotdrop = 1; | |
9627 | + return 0; | |
9628 | + } | |
9629 | + DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n"); | |
9630 | + | |
9631 | + data++; | |
9632 | + | |
9633 | + /* Jump Credentials and Verfifier */ | |
9634 | + data = data + IXDR_GET_INT32(data) + 2; | |
9635 | + data = data + IXDR_GET_INT32(data) + 2; | |
9636 | + | |
9637 | + /* Get RPC procedure */ | |
9638 | + if (match_rpcs((char *)&rpcinfo->c_procs, | |
9639 | + rpcinfo->i_procs, IXDR_GET_INT32(data)) == 0) { | |
9640 | + DEBUGP("RPC packet contains illegal procedure request [%u]. [drop]\n", | |
9641 | + (unsigned int)IXDR_GET_INT32(data)); | |
9642 | + | |
9643 | + /* If the RPC conntrack half entry already exists .. */ | |
9644 | + | |
9645 | + switch (ct->tuplehash[0].tuple.dst.protonum) { | |
9646 | + case IPPROTO_UDP: | |
9647 | + WRITE_LOCK(&ipct_rpc_udp_lock); | |
9648 | + case IPPROTO_TCP: | |
9649 | + WRITE_LOCK(&ipct_rpc_tcp_lock); | |
9650 | + } | |
9651 | + req_p = LIST_FIND(&request_p_list, request_p_cmp, | |
9652 | + struct request_p *, xid, | |
9653 | + ct->tuplehash[dir].tuple.src.ip, | |
9654 | + ct->tuplehash[dir].tuple.src.u.all); | |
9655 | + | |
9656 | + if (req_p) { | |
9657 | + DEBUGP("found req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n", | |
9658 | + xid, ct->tuplehash[dir].tuple.dst.protonum, | |
9659 | + NIPQUAD(ct->tuplehash[dir].tuple.src.ip), | |
9660 | + ntohs(ct->tuplehash[dir].tuple.src.u.all)); | |
9661 | + | |
9662 | + /* .. remove it */ | |
9663 | + if (del_timer(&req_p->timeout)) | |
9664 | + req_p->timeout.expires = 0; | |
9665 | + | |
9666 | + LIST_DELETE(&request_p_list, req_p); | |
9667 | + DEBUGP("RPC req_p removed. [done]\n"); | |
9668 | + | |
9669 | + } else { | |
9670 | + DEBUGP("no req_p found for xid=%u proto=%u %u.%u.%u.%u:%u\n", | |
9671 | + xid, ct->tuplehash[dir].tuple.dst.protonum, | |
9672 | + NIPQUAD(ct->tuplehash[dir].tuple.src.ip), | |
9673 | + ntohs(ct->tuplehash[dir].tuple.src.u.all)); | |
9674 | + | |
9675 | + } | |
9676 | + switch (ct->tuplehash[0].tuple.dst.protonum) { | |
9677 | + case IPPROTO_UDP: | |
9678 | + WRITE_UNLOCK(&ipct_rpc_udp_lock); | |
9679 | + case IPPROTO_TCP: | |
9680 | + WRITE_UNLOCK(&ipct_rpc_tcp_lock); | |
9681 | + } | |
9682 | + | |
9683 | + if(rpcinfo->strict == 1) | |
9684 | + *hotdrop = 1; | |
9685 | + return 0; | |
9686 | + } | |
9687 | + | |
9688 | + DEBUGP("RPC packet contains authorised procedure request [%u]. [match]\n", | |
9689 | + (unsigned int)IXDR_GET_INT32(data)); | |
9690 | + return (1 && (!offset)); | |
9691 | +} | |
9692 | + | |
9693 | + | |
9694 | +static int match(const struct sk_buff *skb, const struct net_device *in, | |
9695 | + const struct net_device *out, const void *matchinfo, | |
9696 | + int offset, const void *hdr, u_int16_t datalen, int *hotdrop) | |
9697 | +{ | |
9698 | + struct ip_conntrack *ct; | |
9699 | + enum ip_conntrack_info ctinfo; | |
9700 | + const u_int32_t *data; | |
9701 | + enum ip_conntrack_dir dir; | |
9702 | + const struct tcphdr *tcp; | |
9703 | + const struct ipt_rpc_info *rpcinfo = matchinfo; | |
9704 | + int port, portsok; | |
9705 | + int tval; | |
9706 | + | |
9707 | + | |
9708 | + DEBUGP("new packet to evaluate ..\n"); | |
9709 | + | |
9710 | + ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); | |
9711 | + if (!ct) { | |
9712 | + DEBUGP("no ct available [skip]\n"); | |
9713 | + return 0; | |
9714 | + } | |
9715 | + | |
9716 | + DEBUGP("ct detected. [cont]\n"); | |
9717 | + dir = CTINFO2DIR(ctinfo); | |
9718 | + | |
9719 | + /* we only want the client to server packets for matching */ | |
9720 | + if (dir != IP_CT_DIR_ORIGINAL) | |
9721 | + return 0; | |
9722 | + | |
9723 | + /* This does sanity checking on UDP or TCP packets, | |
9724 | + * like their respective modules. | |
9725 | + */ | |
9726 | + | |
9727 | + switch (ct->tuplehash[0].tuple.dst.protonum) { | |
9728 | + | |
9729 | + case IPPROTO_UDP: | |
9730 | + DEBUGP("PROTO_UDP [cont]\n"); | |
9731 | + if (offset == 0 && datalen < sizeof(struct udphdr)) { | |
9732 | + DEBUGP("packet does not contain a complete header. [drop]\n"); | |
9733 | + return 0; | |
9734 | + } | |
9735 | + | |
9736 | + for (port=0,portsok=0; port <= ports_n_c; port++) { | |
9737 | + if (ntohs(ct->tuplehash[dir].tuple.dst.u.all) == ports[port]) { | |
9738 | + portsok++; | |
9739 | + break; | |
9740 | + } | |
9741 | + } | |
9742 | + if (portsok == 0) { | |
9743 | + DEBUGP("packet is not destined for a portmapper [%u]. [skip]\n", | |
9744 | + ntohs(ct->tuplehash[dir].tuple.dst.u.all)); | |
9745 | + return 0; | |
9746 | + } | |
9747 | + | |
9748 | + if ((datalen - sizeof(struct udphdr)) != 56) { | |
9749 | + DEBUGP("packet length is not correct for RPC content. [skip]\n"); | |
9750 | + if (rpcinfo->strict == 1) | |
9751 | + *hotdrop = 1; | |
9752 | + return 0; | |
9753 | + } | |
9754 | + DEBUGP("packet length is correct. [cont]\n"); | |
9755 | + | |
9756 | + /* Get to the data */ | |
9757 | + data = (const u_int32_t *)hdr + 2; | |
9758 | + | |
9759 | + /* Check the RPC data */ | |
9760 | + tval = check_rpc_packet(data, matchinfo, hotdrop, | |
9761 | + dir, ct, offset, | |
9762 | + request_p_list_udp); | |
9763 | + | |
9764 | + return tval; | |
9765 | + | |
9766 | + | |
9767 | + case IPPROTO_TCP: | |
9768 | + DEBUGP("PROTO_TCP [cont]\n"); | |
9769 | + if (offset == 0 && datalen < sizeof(struct tcphdr)) { | |
9770 | + DEBUGP("packet does not contain a complete header. [drop]\n"); | |
9771 | + return 0; | |
9772 | + } | |
9773 | + | |
9774 | + for (port=0,portsok=0; port <= ports_n_c; port++) { | |
9775 | + if (ntohs(ct->tuplehash[dir].tuple.dst.u.all) == ports[port]) { | |
9776 | + portsok++; | |
9777 | + break; | |
9778 | + } | |
9779 | + } | |
9780 | + if (portsok == 0) { | |
9781 | + DEBUGP("packet is not destined for a portmapper [%u]. [skip]\n", | |
9782 | + ntohs(ct->tuplehash[dir].tuple.dst.u.all)); | |
9783 | + return 0; | |
9784 | + } | |
9785 | + | |
9786 | + tcp = hdr; | |
9787 | + if (datalen == (tcp->doff * 4)) { | |
9788 | + DEBUGP("packet does not contain any data. [match]\n"); | |
9789 | + return (1 && (!offset)); | |
9790 | + } | |
9791 | + | |
9792 | + /* Tests if packet len is ok */ | |
9793 | + if ((datalen - (tcp->doff * 4)) != 60) { | |
9794 | + DEBUGP("packet length is not correct for RPC content. [skip]\n"); | |
9795 | + if(rpcinfo->strict == 1) | |
9796 | + *hotdrop = 1; | |
9797 | + return 0; | |
9798 | + } | |
9799 | + DEBUGP("packet length is correct. [cont]\n"); | |
9800 | + | |
9801 | + /* Get to the data */ | |
9802 | + data = (const u_int32_t *)tcp + tcp->doff + 1; | |
9803 | + | |
9804 | + /* Check the RPC data */ | |
9805 | + tval = check_rpc_packet(data, matchinfo, hotdrop, | |
9806 | + dir, ct, offset, | |
9807 | + request_p_list_tcp); | |
9808 | + | |
9809 | + return tval; | |
9810 | + | |
9811 | + } | |
9812 | + | |
9813 | + DEBUGP("transport protocol=%u, is not supported [skip]\n", | |
9814 | + ct->tuplehash[0].tuple.dst.protonum); | |
9815 | + return 0; | |
9816 | +} | |
9817 | + | |
9818 | + | |
9819 | +static int checkentry(const char *tablename, const struct ipt_ip *ip, void *matchinfo, | |
9820 | + unsigned int matchsize, unsigned int hook_mask) | |
9821 | +{ | |
9822 | + if (hook_mask | |
9823 | + & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_FORWARD) | (1 << NF_IP_POST_ROUTING) | |
9824 | + | (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_LOCAL_OUT))) { | |
9825 | + printk("ipt_rpc: only valid for PRE_ROUTING, FORWARD, POST_ROUTING, LOCAL_IN and/or LOCAL_OUT targets.\n"); | |
9826 | + return 0; | |
9827 | + } | |
9828 | + | |
9829 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_rpc_info))) | |
9830 | + return 0; | |
9831 | + | |
9832 | + return 1; | |
9833 | +} | |
9834 | + | |
9835 | + | |
9836 | +static struct ipt_match rpc_match = { { NULL, NULL }, "rpc", | |
9837 | + &match, &checkentry, NULL, | |
9838 | + THIS_MODULE }; | |
9839 | + | |
9840 | + | |
9841 | +static int __init init(void) | |
9842 | +{ | |
9843 | + int port; | |
9844 | + | |
9845 | + DEBUGP("incrementing usage counts\n"); | |
9846 | + __MOD_INC_USE_COUNT(ip_conntrack_rpc_udp); | |
9847 | + __MOD_INC_USE_COUNT(ip_conntrack_rpc_tcp); | |
9848 | + | |
9849 | + /* If no port given, default to standard RPC port */ | |
9850 | + if (ports[0] == 0) | |
9851 | + ports[0] = RPC_PORT; | |
9852 | + | |
9853 | + DEBUGP("registering match [%s] for;\n", rpc_match.name); | |
9854 | + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) { | |
9855 | + DEBUGP(" port %i (UDP|TCP);\n", ports[port]); | |
9856 | + ports_n_c++; | |
9857 | + } | |
9858 | + | |
9859 | + return ipt_register_match(&rpc_match); | |
9860 | +} | |
9861 | + | |
9862 | + | |
9863 | +static void fini(void) | |
9864 | +{ | |
9865 | + DEBUGP("unregistering match\n"); | |
9866 | + ipt_unregister_match(&rpc_match); | |
9867 | + | |
9868 | + DEBUGP("decrementing usage counts\n"); | |
9869 | + __MOD_DEC_USE_COUNT(ip_conntrack_rpc_tcp); | |
9870 | + __MOD_DEC_USE_COUNT(ip_conntrack_rpc_udp); | |
9871 | +} | |
9872 | + | |
9873 | + | |
9874 | +module_init(init); | |
9875 | +module_exit(fini); | |
9876 | + | |
9877 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_string.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_string.c | |
9878 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_string.c 1970-01-01 01:00:00.000000000 +0100 | |
9879 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_string.c 2004-04-29 11:21:38.000000000 +0200 | |
9880 | @@ -0,0 +1,183 @@ | |
9881 | +/* Kernel module to match a string into a packet. | |
9882 | + * | |
9883 | + * Copyright (C) 2000 Emmanuel Roger <winfield@freegates.be> | |
9884 | + * | |
9885 | + * ChangeLog | |
9886 | + * 24.03.2004: Eric Lauriault <elauri@lacitec.on.ca> | |
9887 | + * Initial 2.6 port | |
9888 | + * 19.02.2002: Gianni Tedesco <gianni@ecsc.co.uk> | |
9889 | + * Fixed SMP re-entrancy problem using per-cpu data areas | |
9890 | + * for the skip/shift tables. | |
9891 | + * 02.05.2001: Gianni Tedesco <gianni@ecsc.co.uk> | |
9892 | + * Fixed kernel panic, due to overrunning boyer moore string | |
9893 | + * tables. Also slightly tweaked heuristic for deciding what | |
9894 | + * search algo to use. | |
9895 | + * 27.01.2001: Gianni Tedesco <gianni@ecsc.co.uk> | |
9896 | + * Implemented Boyer Moore Sublinear search algorithm | |
9897 | + * alongside the existing linear search based on memcmp(). | |
9898 | + * Also a quick check to decide which method to use on a per | |
9899 | + * packet basis. | |
9900 | + */ | |
9901 | + | |
9902 | +#include <linux/smp.h> | |
9903 | +#include <linux/percpu.h> | |
9904 | +#include <linux/module.h> | |
9905 | +#include <linux/skbuff.h> | |
9906 | +#include <linux/file.h> | |
9907 | +#include <net/sock.h> | |
9908 | + | |
9909 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
9910 | +#include <linux/netfilter_ipv4/ipt_string.h> | |
9911 | + | |
9912 | +MODULE_LICENSE("GPL"); | |
9913 | + | |
9914 | +struct string_per_cpu { | |
9915 | + int skip[BM_MAX_HLEN]; | |
9916 | + int shift[BM_MAX_HLEN]; | |
9917 | + int len[BM_MAX_HLEN]; | |
9918 | +}; | |
9919 | + | |
9920 | +static DEFINE_PER_CPU(struct string_per_cpu, bm_string_data); | |
9921 | + | |
9922 | + | |
9923 | +/* Boyer Moore Sublinear string search - VERY FAST */ | |
9924 | +char *search_sublinear (char *needle, char *haystack, int needle_len, int haystack_len) | |
9925 | +{ | |
9926 | + int M1, right_end, sk, sh; | |
9927 | + int ended, j, i; | |
9928 | + | |
9929 | + int *skip, *shift, *len; | |
9930 | + | |
9931 | + /* use data suitable for this CPU */ | |
9932 | + shift=__get_cpu_var(bm_string_data).shift; | |
9933 | + skip=__get_cpu_var(bm_string_data).skip; | |
9934 | + len=__get_cpu_var(bm_string_data).len; | |
9935 | + | |
9936 | + /* Setup skip/shift tables */ | |
9937 | + M1 = right_end = needle_len-1; | |
9938 | + for (i = 0; i < BM_MAX_HLEN; i++) skip[i] = needle_len; | |
9939 | + for (i = 0; needle[i]; i++) skip[(int)needle[i]] = M1 - i; | |
9940 | + | |
9941 | + for (i = 1; i < needle_len; i++) { | |
9942 | + for (j = 0; j < needle_len && needle[M1 - j] == needle[M1 - i - j]; j++); | |
9943 | + len[i] = j; | |
9944 | + } | |
9945 | + | |
9946 | + shift[0] = 1; | |
9947 | + for (i = 1; i < needle_len; i++) shift[i] = needle_len; | |
9948 | + for (i = M1; i > 0; i--) shift[len[i]] = i; | |
9949 | + ended = 0; | |
9950 | + | |
9951 | + for (i = 0; i < needle_len; i++) { | |
9952 | + if (len[i] == M1 - i) ended = i; | |
9953 | + if (ended) shift[i] = ended; | |
9954 | + } | |
9955 | + | |
9956 | + /* Do the search*/ | |
9957 | + while (right_end < haystack_len) | |
9958 | + { | |
9959 | + for (i = 0; i < needle_len && haystack[right_end - i] == needle[M1 - i]; i++); | |
9960 | + if (i == needle_len) { | |
9961 | + return haystack+(right_end - M1); | |
9962 | + } | |
9963 | + | |
9964 | + sk = skip[(int)haystack[right_end - i]]; | |
9965 | + sh = shift[i]; | |
9966 | + right_end = max(right_end - i + sk, right_end + sh); | |
9967 | + } | |
9968 | + | |
9969 | + return NULL; | |
9970 | +} | |
9971 | + | |
9972 | +/* Linear string search based on memcmp() */ | |
9973 | +char *search_linear (char *needle, char *haystack, int needle_len, int haystack_len) | |
9974 | +{ | |
9975 | + char *k = haystack + (haystack_len-needle_len); | |
9976 | + char *t = haystack; | |
9977 | + | |
9978 | + while ( t <= k ) { | |
9979 | + if (memcmp(t, needle, needle_len) == 0) | |
9980 | + return t; | |
9981 | + t++; | |
9982 | + } | |
9983 | + | |
9984 | + return NULL; | |
9985 | +} | |
9986 | + | |
9987 | +static int | |
9988 | +match(const struct sk_buff *skb, | |
9989 | + const struct net_device *in, | |
9990 | + const struct net_device *out, | |
9991 | + const void *matchinfo, | |
9992 | + int offset, | |
9993 | + int *hotdrop) | |
9994 | +{ | |
9995 | + const struct ipt_string_info *info = matchinfo; | |
9996 | + struct iphdr *ip = skb->nh.iph; | |
9997 | + int hlen, nlen; | |
9998 | + char *needle, *haystack; | |
9999 | + proc_ipt_search search=search_linear; | |
10000 | + | |
10001 | + if ( !ip ) return 0; | |
10002 | + | |
10003 | + /* get lenghts, and validate them */ | |
10004 | + nlen=info->len; | |
10005 | + hlen=ntohs(ip->tot_len)-(ip->ihl*4); | |
10006 | + if ( nlen > hlen ) return 0; | |
10007 | + | |
10008 | + needle=(char *)&info->string; | |
10009 | + haystack=(char *)ip+(ip->ihl*4); | |
10010 | + | |
10011 | + /* The sublinear search comes in to its own | |
10012 | + * on the larger packets */ | |
10013 | + if ( (hlen>IPT_STRING_HAYSTACK_THRESH) && | |
10014 | + (nlen>IPT_STRING_NEEDLE_THRESH) ) { | |
10015 | + if ( hlen < BM_MAX_HLEN ) { | |
10016 | + search=search_sublinear; | |
10017 | + }else{ | |
10018 | + if (net_ratelimit()) | |
10019 | + printk(KERN_INFO "ipt_string: Packet too big " | |
10020 | + "to attempt sublinear string search " | |
10021 | + "(%d bytes)\n", hlen ); | |
10022 | + } | |
10023 | + } | |
10024 | + | |
10025 | + return ((search(needle, haystack, nlen, hlen)!=NULL) ^ info->invert); | |
10026 | +} | |
10027 | + | |
10028 | +static int | |
10029 | +checkentry(const char *tablename, | |
10030 | + const struct ipt_ip *ip, | |
10031 | + void *matchinfo, | |
10032 | + unsigned int matchsize, | |
10033 | + unsigned int hook_mask) | |
10034 | +{ | |
10035 | + | |
10036 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_string_info))) | |
10037 | + return 0; | |
10038 | + | |
10039 | + return 1; | |
10040 | +} | |
10041 | + | |
10042 | +static struct ipt_match string_match = { | |
10043 | + .name = "string", | |
10044 | + .match = &match, | |
10045 | + .checkentry = &checkentry, | |
10046 | + .me = THIS_MODULE | |
10047 | +}; | |
10048 | + | |
10049 | + | |
10050 | +static int __init init(void) | |
10051 | +{ | |
10052 | + return ipt_register_match(&string_match); | |
10053 | +} | |
10054 | + | |
10055 | +static void __exit fini(void) | |
10056 | +{ | |
10057 | + ipt_unregister_match(&string_match); | |
10058 | +} | |
10059 | + | |
10060 | +module_init(init); | |
10061 | +module_exit(fini); | |
10062 | + | |
10063 | + | |
10064 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_unclean.c linux-2.6.6-rc3/net/ipv4/netfilter/ipt_unclean.c | |
10065 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/ipt_unclean.c 1970-01-01 01:00:00.000000000 +0100 | |
10066 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/ipt_unclean.c 2004-04-29 11:21:33.000000000 +0200 | |
10067 | @@ -0,0 +1,604 @@ | |
10068 | +/* Kernel module to match suspect packets. */ | |
10069 | +#include <linux/module.h> | |
10070 | +#include <linux/skbuff.h> | |
10071 | +#include <linux/ip.h> | |
10072 | +#include <linux/udp.h> | |
10073 | +#include <linux/tcp.h> | |
10074 | +#include <linux/icmp.h> | |
10075 | +#include <net/checksum.h> | |
10076 | + | |
10077 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
10078 | + | |
10079 | +#define limpk(format, args...) \ | |
10080 | +do { \ | |
10081 | + if (net_ratelimit()) \ | |
10082 | + printk("ipt_unclean: %s" format, \ | |
10083 | + embedded ? "(embedded packet) " : "" , ## args); \ | |
10084 | +} while(0) | |
10085 | + | |
10086 | +enum icmp_error_status | |
10087 | +{ | |
10088 | + ICMP_MAY_BE_ERROR, | |
10089 | + ICMP_IS_ERROR, | |
10090 | + ICMP_NOT_ERROR | |
10091 | +}; | |
10092 | + | |
10093 | +struct icmp_info | |
10094 | +{ | |
10095 | + size_t min_len, max_len; | |
10096 | + enum icmp_error_status err; | |
10097 | + u_int8_t min_code, max_code; | |
10098 | +}; | |
10099 | + | |
10100 | +static int | |
10101 | +check_ip(struct iphdr *iph, size_t length, int embedded); | |
10102 | + | |
10103 | +/* ICMP-specific checks. */ | |
10104 | +static int | |
10105 | +check_icmp(const struct icmphdr *icmph, | |
10106 | + u_int16_t datalen, | |
10107 | + unsigned int offset, | |
10108 | + int more_frags, | |
10109 | + int embedded) | |
10110 | +{ | |
10111 | + static struct icmp_info info[] | |
10112 | + = { [ICMP_ECHOREPLY] | |
10113 | + = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, | |
10114 | + [ICMP_DEST_UNREACH] | |
10115 | + = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 15 }, | |
10116 | + [ICMP_SOURCE_QUENCH] | |
10117 | + = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 0 }, | |
10118 | + [ICMP_REDIRECT] | |
10119 | + = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 3 }, | |
10120 | + [ICMP_ECHO] | |
10121 | + = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, | |
10122 | + /* Router advertisement. */ | |
10123 | + [9] | |
10124 | + = { 8, 8 + 255 * 8, ICMP_NOT_ERROR, 0, 0 }, | |
10125 | + /* Router solicitation. */ | |
10126 | + [10] | |
10127 | + = { 8, 8, ICMP_NOT_ERROR, 0, 0 }, | |
10128 | + [ICMP_TIME_EXCEEDED] | |
10129 | + = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 1 }, | |
10130 | + [ICMP_PARAMETERPROB] | |
10131 | + = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 1 }, | |
10132 | + [ICMP_TIMESTAMP] | |
10133 | + = { 20, 20, ICMP_NOT_ERROR, 0, 0 }, | |
10134 | + [ICMP_TIMESTAMPREPLY] | |
10135 | + = { 20, 20, ICMP_NOT_ERROR, 0, 0 }, | |
10136 | + [ICMP_INFO_REQUEST] | |
10137 | + = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, | |
10138 | + [ICMP_INFO_REPLY] | |
10139 | + = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, | |
10140 | + [ICMP_ADDRESS] | |
10141 | + = { 12, 12, ICMP_NOT_ERROR, 0, 0 }, | |
10142 | + [ICMP_ADDRESSREPLY] | |
10143 | + = { 12, 12, ICMP_NOT_ERROR, 0, 0 } }; | |
10144 | + | |
10145 | + /* Can't do anything if it's a fragment. */ | |
10146 | + if (offset) | |
10147 | + return 1; | |
10148 | + | |
10149 | + /* Must cover type and code. */ | |
10150 | + if (datalen < 2) { | |
10151 | + limpk("ICMP len=%u too short\n", datalen); | |
10152 | + return 0; | |
10153 | + } | |
10154 | + | |
10155 | + /* If not embedded. */ | |
10156 | + if (!embedded) { | |
10157 | + /* Bad checksum? Don't print, just ignore. */ | |
10158 | + if (!more_frags | |
10159 | + && ip_compute_csum((unsigned char *) icmph, datalen) != 0) | |
10160 | + return 0; | |
10161 | + | |
10162 | + /* CHECK: Truncated ICMP (even if first fragment). */ | |
10163 | + if (icmph->type < sizeof(info)/sizeof(struct icmp_info) | |
10164 | + && info[icmph->type].min_len != 0 | |
10165 | + && datalen < info[icmph->type].min_len) { | |
10166 | + limpk("ICMP type %u len %u too short\n", | |
10167 | + icmph->type, datalen); | |
10168 | + return 0; | |
10169 | + } | |
10170 | + | |
10171 | + /* CHECK: Check within known error ICMPs. */ | |
10172 | + if (icmph->type < sizeof(info)/sizeof(struct icmp_info) | |
10173 | + && info[icmph->type].err == ICMP_IS_ERROR) { | |
10174 | + /* CHECK: Embedded packet must be at least | |
10175 | + length of iph + 8 bytes. */ | |
10176 | + struct iphdr *inner = (void *)icmph + 8; | |
10177 | + | |
10178 | + /* datalen > 8 since all ICMP_IS_ERROR types | |
10179 | + have min length > 8 */ | |
10180 | + if (datalen - 8 < sizeof(struct iphdr)) { | |
10181 | + limpk("ICMP error internal way too short\n"); | |
10182 | + return 0; | |
10183 | + } | |
10184 | + if (datalen - 8 < inner->ihl*4 + 8) { | |
10185 | + limpk("ICMP error internal too short\n"); | |
10186 | + return 0; | |
10187 | + } | |
10188 | + if (!check_ip(inner, datalen - 8, 1)) | |
10189 | + return 0; | |
10190 | + } | |
10191 | + } else { | |
10192 | + /* CHECK: Can't embed ICMP unless known non-error. */ | |
10193 | + if (icmph->type >= sizeof(info)/sizeof(struct icmp_info) | |
10194 | + || info[icmph->type].err != ICMP_NOT_ERROR) { | |
10195 | + limpk("ICMP type %u not embeddable\n", | |
10196 | + icmph->type); | |
10197 | + return 0; | |
10198 | + } | |
10199 | + } | |
10200 | + | |
10201 | + /* CHECK: Invalid ICMP codes. */ | |
10202 | + if (icmph->type < sizeof(info)/sizeof(struct icmp_info) | |
10203 | + && (icmph->code < info[icmph->type].min_code | |
10204 | + || icmph->code > info[icmph->type].max_code)) { | |
10205 | + limpk("ICMP type=%u code=%u\n", | |
10206 | + icmph->type, icmph->code); | |
10207 | + return 0; | |
10208 | + } | |
10209 | + | |
10210 | + /* CHECK: Above maximum length. */ | |
10211 | + if (icmph->type < sizeof(info)/sizeof(struct icmp_info) | |
10212 | + && info[icmph->type].max_len != 0 | |
10213 | + && datalen > info[icmph->type].max_len) { | |
10214 | + limpk("ICMP type=%u too long: %u bytes\n", | |
10215 | + icmph->type, datalen); | |
10216 | + return 0; | |
10217 | + } | |
10218 | + | |
10219 | + switch (icmph->type) { | |
10220 | + case ICMP_PARAMETERPROB: { | |
10221 | + /* CHECK: Problem param must be within error packet's | |
10222 | + * IP header. */ | |
10223 | + struct iphdr *iph = (void *)icmph + 8; | |
10224 | + u_int32_t arg = ntohl(icmph->un.gateway); | |
10225 | + | |
10226 | + if (icmph->code == 0) { | |
10227 | + /* Code 0 means that upper 8 bits is pointer | |
10228 | + to problem. */ | |
10229 | + if ((arg >> 24) >= iph->ihl*4) { | |
10230 | + limpk("ICMP PARAMETERPROB ptr = %u\n", | |
10231 | + ntohl(icmph->un.gateway) >> 24); | |
10232 | + return 0; | |
10233 | + } | |
10234 | + arg &= 0x00FFFFFF; | |
10235 | + } | |
10236 | + | |
10237 | + /* CHECK: Rest must be zero. */ | |
10238 | + if (arg) { | |
10239 | + limpk("ICMP PARAMETERPROB nonzero arg = %u\n", | |
10240 | + arg); | |
10241 | + return 0; | |
10242 | + } | |
10243 | + break; | |
10244 | + } | |
10245 | + | |
10246 | + case ICMP_TIME_EXCEEDED: | |
10247 | + case ICMP_SOURCE_QUENCH: | |
10248 | + /* CHECK: Unused must be zero. */ | |
10249 | + if (icmph->un.gateway != 0) { | |
10250 | + limpk("ICMP type=%u unused = %u\n", | |
10251 | + icmph->type, ntohl(icmph->un.gateway)); | |
10252 | + return 0; | |
10253 | + } | |
10254 | + break; | |
10255 | + } | |
10256 | + | |
10257 | + return 1; | |
10258 | +} | |
10259 | + | |
10260 | +/* UDP-specific checks. */ | |
10261 | +static int | |
10262 | +check_udp(const struct iphdr *iph, | |
10263 | + const struct udphdr *udph, | |
10264 | + u_int16_t datalen, | |
10265 | + unsigned int offset, | |
10266 | + int more_frags, | |
10267 | + int embedded) | |
10268 | +{ | |
10269 | + /* Can't do anything if it's a fragment. */ | |
10270 | + if (offset) | |
10271 | + return 1; | |
10272 | + | |
10273 | + /* CHECK: Must cover UDP header. */ | |
10274 | + if (datalen < sizeof(struct udphdr)) { | |
10275 | + limpk("UDP len=%u too short\n", datalen); | |
10276 | + return 0; | |
10277 | + } | |
10278 | + | |
10279 | + /* Bad checksum? Don't print, just say it's unclean. */ | |
10280 | + /* FIXME: SRC ROUTE packets won't match checksum --RR */ | |
10281 | + if (!more_frags && !embedded && udph->check | |
10282 | + && csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_UDP, | |
10283 | + csum_partial((char *)udph, datalen, 0)) != 0) | |
10284 | + return 0; | |
10285 | + | |
10286 | + /* CHECK: Destination port can't be zero. */ | |
10287 | + if (!udph->dest) { | |
10288 | + limpk("UDP zero destination port\n"); | |
10289 | + return 0; | |
10290 | + } | |
10291 | + | |
10292 | + if (!more_frags) { | |
10293 | + if (!embedded) { | |
10294 | + /* CHECK: UDP length must match. */ | |
10295 | + if (ntohs(udph->len) != datalen) { | |
10296 | + limpk("UDP len too short %u vs %u\n", | |
10297 | + ntohs(udph->len), datalen); | |
10298 | + return 0; | |
10299 | + } | |
10300 | + } else { | |
10301 | + /* CHECK: UDP length be >= this truncated pkt. */ | |
10302 | + if (ntohs(udph->len) < datalen) { | |
10303 | + limpk("UDP len too long %u vs %u\n", | |
10304 | + ntohs(udph->len), datalen); | |
10305 | + return 0; | |
10306 | + } | |
10307 | + } | |
10308 | + } else { | |
10309 | + /* CHECK: UDP length must be > this frag's length. */ | |
10310 | + if (ntohs(udph->len) <= datalen) { | |
10311 | + limpk("UDP fragment len too short %u vs %u\n", | |
10312 | + ntohs(udph->len), datalen); | |
10313 | + return 0; | |
10314 | + } | |
10315 | + } | |
10316 | + | |
10317 | + return 1; | |
10318 | +} | |
10319 | + | |
10320 | +#define TH_FIN 0x01 | |
10321 | +#define TH_SYN 0x02 | |
10322 | +#define TH_RST 0x04 | |
10323 | +#define TH_PUSH 0x08 | |
10324 | +#define TH_ACK 0x10 | |
10325 | +#define TH_URG 0x20 | |
10326 | +#define TH_ECE 0x40 | |
10327 | +#define TH_CWR 0x80 | |
10328 | + | |
10329 | +/* table of valid flag combinations - ECE and CWR are always valid */ | |
10330 | +static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = | |
10331 | +{ | |
10332 | + [TH_SYN] = 1, | |
10333 | + [TH_SYN|TH_ACK] = 1, | |
10334 | + [TH_RST] = 1, | |
10335 | + [TH_RST|TH_ACK] = 1, | |
10336 | + [TH_RST|TH_ACK|TH_PUSH] = 1, | |
10337 | + [TH_FIN|TH_ACK] = 1, | |
10338 | + [TH_ACK] = 1, | |
10339 | + [TH_ACK|TH_PUSH] = 1, | |
10340 | + [TH_ACK|TH_URG] = 1, | |
10341 | + [TH_ACK|TH_URG|TH_PUSH] = 1, | |
10342 | + [TH_FIN|TH_ACK|TH_PUSH] = 1, | |
10343 | + [TH_FIN|TH_ACK|TH_URG] = 1, | |
10344 | + [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1 | |
10345 | +}; | |
10346 | + | |
10347 | +/* TCP-specific checks. */ | |
10348 | +static int | |
10349 | +check_tcp(const struct iphdr *iph, | |
10350 | + const struct tcphdr *tcph, | |
10351 | + u_int16_t datalen, | |
10352 | + unsigned int offset, | |
10353 | + int more_frags, | |
10354 | + int embedded) | |
10355 | +{ | |
10356 | + u_int8_t *opt = (u_int8_t *)tcph; | |
10357 | + u_int8_t *endhdr = (u_int8_t *)tcph + tcph->doff * 4; | |
10358 | + u_int8_t tcpflags; | |
10359 | + int end_of_options = 0; | |
10360 | + size_t i; | |
10361 | + | |
10362 | + /* CHECK: Can't have offset=1: used to override TCP syn-checks. */ | |
10363 | + /* In fact, this is caught below (offset < 516). */ | |
10364 | + | |
10365 | + /* Can't do anything if it's a fragment. */ | |
10366 | + if (offset) | |
10367 | + return 1; | |
10368 | + | |
10369 | + /* CHECK: Smaller than minimal TCP hdr. */ | |
10370 | + if (datalen < sizeof(struct tcphdr)) { | |
10371 | + if (!embedded) { | |
10372 | + limpk("Packet length %u < TCP header.\n", datalen); | |
10373 | + return 0; | |
10374 | + } | |
10375 | + /* Must have ports available (datalen >= 8), from | |
10376 | + check_icmp which set embedded = 1 */ | |
10377 | + /* CHECK: TCP ports inside ICMP error */ | |
10378 | + if (!tcph->source || !tcph->dest) { | |
10379 | + limpk("Zero TCP ports %u/%u.\n", | |
10380 | + htons(tcph->source), htons(tcph->dest)); | |
10381 | + return 0; | |
10382 | + } | |
10383 | + return 1; | |
10384 | + } | |
10385 | + | |
10386 | + /* CHECK: Smaller than actual TCP hdr. */ | |
10387 | + if (datalen < tcph->doff * 4) { | |
10388 | + if (!embedded) { | |
10389 | + limpk("Packet length %u < actual TCP header.\n", | |
10390 | + datalen); | |
10391 | + return 0; | |
10392 | + } else | |
10393 | + return 1; | |
10394 | + } | |
10395 | + | |
10396 | + /* Bad checksum? Don't print, just say it's unclean. */ | |
10397 | + /* FIXME: SRC ROUTE packets won't match checksum --RR */ | |
10398 | + if (!more_frags && !embedded | |
10399 | + && csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_TCP, | |
10400 | + csum_partial((char *)tcph, datalen, 0)) != 0) | |
10401 | + return 0; | |
10402 | + | |
10403 | + /* CHECK: TCP ports non-zero */ | |
10404 | + if (!tcph->source || !tcph->dest) { | |
10405 | + limpk("Zero TCP ports %u/%u.\n", | |
10406 | + htons(tcph->source), htons(tcph->dest)); | |
10407 | + return 0; | |
10408 | + } | |
10409 | + | |
10410 | + /* CHECK: TCP reserved bits zero. */ | |
10411 | + if(tcp_flag_word(tcph) & TCP_RESERVED_BITS) { | |
10412 | + limpk("TCP reserved bits not zero\n"); | |
10413 | + return 0; | |
10414 | + } | |
10415 | + | |
10416 | + /* CHECK: TCP flags. */ | |
10417 | + tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR)); | |
10418 | + if (!tcp_valid_flags[tcpflags]) { | |
10419 | + limpk("TCP flags bad: %u\n", tcpflags); | |
10420 | + return 0; | |
10421 | + } | |
10422 | + | |
10423 | + for (i = sizeof(struct tcphdr); i < tcph->doff * 4; ) { | |
10424 | + switch (opt[i]) { | |
10425 | + case 0: | |
10426 | + end_of_options = 1; | |
10427 | + i++; | |
10428 | + break; | |
10429 | + case 1: | |
10430 | + i++; | |
10431 | + break; | |
10432 | + default: | |
10433 | + /* CHECK: options after EOO. */ | |
10434 | + if (end_of_options) { | |
10435 | + limpk("TCP option %u after end\n", | |
10436 | + opt[i]); | |
10437 | + return 0; | |
10438 | + } | |
10439 | + /* CHECK: options at tail. */ | |
10440 | + else if (i+1 >= tcph->doff * 4) { | |
10441 | + limpk("TCP option %u at tail\n", | |
10442 | + opt[i]); | |
10443 | + return 0; | |
10444 | + } | |
10445 | + /* CHECK: zero-length options. */ | |
10446 | + else if (opt[i+1] == 0) { | |
10447 | + limpk("TCP option %u 0 len\n", | |
10448 | + opt[i]); | |
10449 | + return 0; | |
10450 | + } | |
10451 | + /* CHECK: oversize options. */ | |
10452 | + else if (&opt[i] + opt[i+1] > endhdr) { | |
10453 | + limpk("TCP option %u at %Zu too long\n", | |
10454 | + (unsigned int) opt[i], i); | |
10455 | + return 0; | |
10456 | + } | |
10457 | + /* Move to next option */ | |
10458 | + i += opt[i+1]; | |
10459 | + } | |
10460 | + } | |
10461 | + | |
10462 | + return 1; | |
10463 | +} | |
10464 | + | |
10465 | +/* Returns 1 if ok */ | |
10466 | +/* Standard IP checks. */ | |
10467 | +static int | |
10468 | +check_ip(struct iphdr *iph, size_t length, int embedded) | |
10469 | +{ | |
10470 | + u_int8_t *opt = (u_int8_t *)iph; | |
10471 | + u_int8_t *endhdr = (u_int8_t *)iph + iph->ihl * 4; | |
10472 | + int end_of_options = 0; | |
10473 | + void *protoh; | |
10474 | + size_t datalen; | |
10475 | + unsigned int i; | |
10476 | + unsigned int offset; | |
10477 | + | |
10478 | + /* Should only happen for local outgoing raw-socket packets. */ | |
10479 | + /* CHECK: length >= ip header. */ | |
10480 | + if (length < sizeof(struct iphdr) || length < iph->ihl * 4) { | |
10481 | + limpk("Packet length %Zu < IP header.\n", length); | |
10482 | + return 0; | |
10483 | + } | |
10484 | + | |
10485 | + offset = ntohs(iph->frag_off) & IP_OFFSET; | |
10486 | + protoh = (void *)iph + iph->ihl * 4; | |
10487 | + datalen = length - iph->ihl * 4; | |
10488 | + | |
10489 | + /* CHECK: Embedded fragment. */ | |
10490 | + if (embedded && offset) { | |
10491 | + limpk("Embedded fragment.\n"); | |
10492 | + return 0; | |
10493 | + } | |
10494 | + | |
10495 | + for (i = sizeof(struct iphdr); i < iph->ihl * 4; ) { | |
10496 | + switch (opt[i]) { | |
10497 | + case 0: | |
10498 | + end_of_options = 1; | |
10499 | + i++; | |
10500 | + break; | |
10501 | + case 1: | |
10502 | + i++; | |
10503 | + break; | |
10504 | + default: | |
10505 | + /* CHECK: options after EOO. */ | |
10506 | + if (end_of_options) { | |
10507 | + limpk("IP option %u after end\n", | |
10508 | + opt[i]); | |
10509 | + return 0; | |
10510 | + } | |
10511 | + /* CHECK: options at tail. */ | |
10512 | + else if (i+1 >= iph->ihl * 4) { | |
10513 | + limpk("IP option %u at tail\n", | |
10514 | + opt[i]); | |
10515 | + return 0; | |
10516 | + } | |
10517 | + /* CHECK: zero-length or one-length options. */ | |
10518 | + else if (opt[i+1] < 2) { | |
10519 | + limpk("IP option %u %u len\n", | |
10520 | + opt[i], opt[i+1]); | |
10521 | + return 0; | |
10522 | + } | |
10523 | + /* CHECK: oversize options. */ | |
10524 | + else if (&opt[i] + opt[i+1] > endhdr) { | |
10525 | + limpk("IP option %u at %u too long\n", | |
10526 | + opt[i], i); | |
10527 | + return 0; | |
10528 | + } | |
10529 | + /* Move to next option */ | |
10530 | + i += opt[i+1]; | |
10531 | + } | |
10532 | + } | |
10533 | + | |
10534 | + /* Fragment checks. */ | |
10535 | + | |
10536 | + /* CHECK: More fragments, but doesn't fill 8-byte boundary. */ | |
10537 | + if ((ntohs(iph->frag_off) & IP_MF) | |
10538 | + && (ntohs(iph->tot_len) % 8) != 0) { | |
10539 | + limpk("Truncated fragment %u long.\n", ntohs(iph->tot_len)); | |
10540 | + return 0; | |
10541 | + } | |
10542 | + | |
10543 | + /* CHECK: Oversize fragment a-la Ping of Death. */ | |
10544 | + if (offset * 8 + datalen > 65535) { | |
10545 | + limpk("Oversize fragment to %u.\n", offset * 8); | |
10546 | + return 0; | |
10547 | + } | |
10548 | + | |
10549 | + /* CHECK: DF set and offset or MF set. */ | |
10550 | + if ((ntohs(iph->frag_off) & IP_DF) | |
10551 | + && (offset || (ntohs(iph->frag_off) & IP_MF))) { | |
10552 | + limpk("DF set and offset=%u, MF=%u.\n", | |
10553 | + offset, ntohs(iph->frag_off) & IP_MF); | |
10554 | + return 0; | |
10555 | + } | |
10556 | + | |
10557 | + /* CHECK: Zero-sized fragments. */ | |
10558 | + if ((offset || (ntohs(iph->frag_off) & IP_MF)) | |
10559 | + && datalen == 0) { | |
10560 | + limpk("Zero size fragment offset=%u\n", offset); | |
10561 | + return 0; | |
10562 | + } | |
10563 | + | |
10564 | + /* Note: we can have even middle fragments smaller than this: | |
10565 | + consider a large packet passing through a 600MTU then | |
10566 | + 576MTU link: this gives a fragment of 24 data bytes. But | |
10567 | + everyone packs fragments largest first, hence a fragment | |
10568 | + can't START before 576 - MAX_IP_HEADER_LEN. */ | |
10569 | + | |
10570 | + /* Used to be min-size 576: I recall Alan Cox saying ax25 goes | |
10571 | + down to 128 (576 taken from RFC 791: All hosts must be | |
10572 | + prepared to accept datagrams of up to 576 octets). Use 128 | |
10573 | + here. */ | |
10574 | +#define MIN_LIKELY_MTU 128 | |
10575 | + /* CHECK: Min size of first frag = 128. */ | |
10576 | + if ((ntohs(iph->frag_off) & IP_MF) | |
10577 | + && offset == 0 | |
10578 | + && ntohs(iph->tot_len) < MIN_LIKELY_MTU) { | |
10579 | + limpk("First fragment size %u < %u\n", ntohs(iph->tot_len), | |
10580 | + MIN_LIKELY_MTU); | |
10581 | + return 0; | |
10582 | + } | |
10583 | + | |
10584 | + /* CHECK: Min offset of frag = 128 - IP hdr len. */ | |
10585 | + if (offset && offset * 8 < MIN_LIKELY_MTU - iph->ihl * 4) { | |
10586 | + limpk("Fragment starts at %u < %u\n", offset * 8, | |
10587 | + MIN_LIKELY_MTU - iph->ihl * 4); | |
10588 | + return 0; | |
10589 | + } | |
10590 | + | |
10591 | + /* CHECK: Protocol specification non-zero. */ | |
10592 | + if (iph->protocol == 0) { | |
10593 | + limpk("Zero protocol\n"); | |
10594 | + return 0; | |
10595 | + } | |
10596 | + | |
10597 | + /* CHECK: Do not use what is unused. | |
10598 | + * First bit of fragmentation flags should be unused. | |
10599 | + * May be used by OS fingerprinting tools. | |
10600 | + * 04 Jun 2002, Maciej Soltysiak, solt@dns.toxicfilms.tv | |
10601 | + */ | |
10602 | + if (ntohs(iph->frag_off)>>15) { | |
10603 | + limpk("IP unused bit set\n"); | |
10604 | + return 0; | |
10605 | + } | |
10606 | + | |
10607 | + /* Per-protocol checks. */ | |
10608 | + switch (iph->protocol) { | |
10609 | + case IPPROTO_ICMP: | |
10610 | + return check_icmp(protoh, datalen, offset, | |
10611 | + (ntohs(iph->frag_off) & IP_MF), | |
10612 | + embedded); | |
10613 | + | |
10614 | + case IPPROTO_UDP: | |
10615 | + return check_udp(iph, protoh, datalen, offset, | |
10616 | + (ntohs(iph->frag_off) & IP_MF), | |
10617 | + embedded); | |
10618 | + | |
10619 | + case IPPROTO_TCP: | |
10620 | + return check_tcp(iph, protoh, datalen, offset, | |
10621 | + (ntohs(iph->frag_off) & IP_MF), | |
10622 | + embedded); | |
10623 | + default: | |
10624 | + /* Ignorance is bliss. */ | |
10625 | + return 1; | |
10626 | + } | |
10627 | +} | |
10628 | + | |
10629 | +static int | |
10630 | +match(const struct sk_buff *skb, | |
10631 | + const struct net_device *in, | |
10632 | + const struct net_device *out, | |
10633 | + const void *matchinfo, | |
10634 | + int offset, | |
10635 | + const void *hdr, | |
10636 | + u_int16_t datalen, | |
10637 | + int *hotdrop) | |
10638 | +{ | |
10639 | + return !check_ip(skb->nh.iph, skb->len, 0); | |
10640 | +} | |
10641 | + | |
10642 | +/* Called when user tries to insert an entry of this type. */ | |
10643 | +static int | |
10644 | +checkentry(const char *tablename, | |
10645 | + const struct ipt_ip *ip, | |
10646 | + void *matchinfo, | |
10647 | + unsigned int matchsize, | |
10648 | + unsigned int hook_mask) | |
10649 | +{ | |
10650 | + if (matchsize != IPT_ALIGN(0)) | |
10651 | + return 0; | |
10652 | + | |
10653 | + return 1; | |
10654 | +} | |
10655 | + | |
10656 | +static struct ipt_match unclean_match | |
10657 | += { { NULL, NULL }, "unclean", &match, &checkentry, NULL, THIS_MODULE }; | |
10658 | + | |
10659 | +static int __init init(void) | |
10660 | +{ | |
10661 | + return ipt_register_match(&unclean_match); | |
10662 | +} | |
10663 | + | |
10664 | +static void __exit fini(void) | |
10665 | +{ | |
10666 | + ipt_unregister_match(&unclean_match); | |
10667 | +} | |
10668 | + | |
10669 | +module_init(init); | |
10670 | +module_exit(fini); | |
10671 | +MODULE_LICENSE("GPL"); | |
10672 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/iptable_filter.c linux-2.6.6-rc3/net/ipv4/netfilter/iptable_filter.c | |
10673 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/iptable_filter.c 2004-04-28 03:35:43.000000000 +0200 | |
10674 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/iptable_filter.c 2004-04-29 11:17:15.000000000 +0200 | |
10675 | @@ -59,7 +59,7 @@ | |
10676 | 0, | |
10677 | sizeof(struct ipt_entry), | |
10678 | sizeof(struct ipt_standard), | |
10679 | - 0, { 0, 0 }, { } }, | |
10680 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10681 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10682 | -NF_ACCEPT - 1 } }, | |
10683 | /* FORWARD */ | |
10684 | @@ -67,7 +67,7 @@ | |
10685 | 0, | |
10686 | sizeof(struct ipt_entry), | |
10687 | sizeof(struct ipt_standard), | |
10688 | - 0, { 0, 0 }, { } }, | |
10689 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10690 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10691 | -NF_ACCEPT - 1 } }, | |
10692 | /* LOCAL_OUT */ | |
10693 | @@ -75,7 +75,7 @@ | |
10694 | 0, | |
10695 | sizeof(struct ipt_entry), | |
10696 | sizeof(struct ipt_standard), | |
10697 | - 0, { 0, 0 }, { } }, | |
10698 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10699 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10700 | -NF_ACCEPT - 1 } } | |
10701 | }, | |
10702 | @@ -84,7 +84,7 @@ | |
10703 | 0, | |
10704 | sizeof(struct ipt_entry), | |
10705 | sizeof(struct ipt_error), | |
10706 | - 0, { 0, 0 }, { } }, | |
10707 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10708 | { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } }, | |
10709 | { } }, | |
10710 | "ERROR" | |
10711 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/iptable_mangle.c linux-2.6.6-rc3/net/ipv4/netfilter/iptable_mangle.c | |
10712 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/iptable_mangle.c 2004-04-28 03:36:34.000000000 +0200 | |
10713 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/iptable_mangle.c 2004-04-29 11:17:15.000000000 +0200 | |
10714 | @@ -74,7 +74,7 @@ | |
10715 | 0, | |
10716 | sizeof(struct ipt_entry), | |
10717 | sizeof(struct ipt_standard), | |
10718 | - 0, { 0, 0 }, { } }, | |
10719 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10720 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10721 | -NF_ACCEPT - 1 } }, | |
10722 | /* LOCAL_IN */ | |
10723 | @@ -82,7 +82,7 @@ | |
10724 | 0, | |
10725 | sizeof(struct ipt_entry), | |
10726 | sizeof(struct ipt_standard), | |
10727 | - 0, { 0, 0 }, { } }, | |
10728 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10729 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10730 | -NF_ACCEPT - 1 } }, | |
10731 | /* FORWARD */ | |
10732 | @@ -90,7 +90,7 @@ | |
10733 | 0, | |
10734 | sizeof(struct ipt_entry), | |
10735 | sizeof(struct ipt_standard), | |
10736 | - 0, { 0, 0 }, { } }, | |
10737 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10738 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10739 | -NF_ACCEPT - 1 } }, | |
10740 | /* LOCAL_OUT */ | |
10741 | @@ -98,7 +98,7 @@ | |
10742 | 0, | |
10743 | sizeof(struct ipt_entry), | |
10744 | sizeof(struct ipt_standard), | |
10745 | - 0, { 0, 0 }, { } }, | |
10746 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10747 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10748 | -NF_ACCEPT - 1 } }, | |
10749 | /* POST_ROUTING */ | |
10750 | @@ -106,7 +106,7 @@ | |
10751 | 0, | |
10752 | sizeof(struct ipt_entry), | |
10753 | sizeof(struct ipt_standard), | |
10754 | - 0, { 0, 0 }, { } }, | |
10755 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10756 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10757 | -NF_ACCEPT - 1 } }, | |
10758 | }, | |
10759 | @@ -115,7 +115,7 @@ | |
10760 | 0, | |
10761 | sizeof(struct ipt_entry), | |
10762 | sizeof(struct ipt_error), | |
10763 | - 0, { 0, 0 }, { } }, | |
10764 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10765 | { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } }, | |
10766 | { } }, | |
10767 | "ERROR" | |
10768 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/netfilter/iptable_raw.c linux-2.6.6-rc3/net/ipv4/netfilter/iptable_raw.c | |
10769 | --- linux-2.6.6-rc3.org/net/ipv4/netfilter/iptable_raw.c 2004-04-28 03:36:36.000000000 +0200 | |
10770 | +++ linux-2.6.6-rc3/net/ipv4/netfilter/iptable_raw.c 2004-04-29 11:17:15.000000000 +0200 | |
10771 | @@ -46,7 +46,7 @@ | |
10772 | 0, | |
10773 | sizeof(struct ipt_entry), | |
10774 | sizeof(struct ipt_standard), | |
10775 | - 0, { 0, 0 }, { } }, | |
10776 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10777 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10778 | -NF_ACCEPT - 1 } }, | |
10779 | /* LOCAL_OUT */ | |
10780 | @@ -54,7 +54,7 @@ | |
10781 | 0, | |
10782 | sizeof(struct ipt_entry), | |
10783 | sizeof(struct ipt_standard), | |
10784 | - 0, { 0, 0 }, { } }, | |
10785 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10786 | { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, | |
10787 | -NF_ACCEPT - 1 } } | |
10788 | }, | |
10789 | @@ -63,7 +63,7 @@ | |
10790 | 0, | |
10791 | sizeof(struct ipt_entry), | |
10792 | sizeof(struct ipt_error), | |
10793 | - 0, { 0, 0 }, { } }, | |
10794 | + 0, NULL, 0, { 0, 0 }, { } }, | |
10795 | { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } }, | |
10796 | { } }, | |
10797 | "ERROR" | |
10798 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/raw.c linux-2.6.6-rc3/net/ipv4/raw.c | |
10799 | --- linux-2.6.6-rc3.org/net/ipv4/raw.c 2004-04-28 03:35:49.000000000 +0200 | |
10800 | +++ linux-2.6.6-rc3/net/ipv4/raw.c 2004-04-29 11:18:06.000000000 +0200 | |
10801 | @@ -249,6 +249,7 @@ | |
10802 | kfree_skb(skb); | |
10803 | return NET_RX_DROP; | |
10804 | } | |
10805 | + nf_reset(skb); | |
10806 | ||
10807 | skb_push(skb, skb->data - skb->nh.raw); | |
10808 | ||
10809 | @@ -307,7 +308,7 @@ | |
10810 | } | |
10811 | ||
10812 | err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, | |
10813 | - dst_output); | |
10814 | + ip_dst_output); | |
10815 | if (err > 0) | |
10816 | err = inet->recverr ? net_xmit_errno(err) : 0; | |
10817 | if (err) | |
10818 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/tcp_ipv4.c linux-2.6.6-rc3/net/ipv4/tcp_ipv4.c | |
10819 | --- linux-2.6.6-rc3.org/net/ipv4/tcp_ipv4.c 2004-04-28 03:35:40.000000000 +0200 | |
10820 | +++ linux-2.6.6-rc3/net/ipv4/tcp_ipv4.c 2004-04-29 11:19:32.000000000 +0200 | |
10821 | @@ -1785,6 +1785,7 @@ | |
10822 | ||
10823 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) | |
10824 | goto discard_and_relse; | |
10825 | + nf_reset(skb); | |
10826 | ||
10827 | if (sk_filter(sk, skb, 0)) | |
10828 | goto discard_and_relse; | |
10829 | @@ -2670,6 +2671,7 @@ | |
10830 | EXPORT_SYMBOL(tcp_v4_connect); | |
10831 | EXPORT_SYMBOL(tcp_v4_do_rcv); | |
10832 | EXPORT_SYMBOL(tcp_v4_lookup_listener); | |
10833 | +EXPORT_SYMBOL(tcp_v4_lookup); | |
10834 | EXPORT_SYMBOL(tcp_v4_rebuild_header); | |
10835 | EXPORT_SYMBOL(tcp_v4_remember_stamp); | |
10836 | EXPORT_SYMBOL(tcp_v4_send_check); | |
10837 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/udp.c linux-2.6.6-rc3/net/ipv4/udp.c | |
10838 | --- linux-2.6.6-rc3.org/net/ipv4/udp.c 2004-04-28 03:35:19.000000000 +0200 | |
10839 | +++ linux-2.6.6-rc3/net/ipv4/udp.c 2004-04-29 11:19:32.000000000 +0200 | |
10840 | @@ -1045,6 +1045,7 @@ | |
10841 | kfree_skb(skb); | |
10842 | return -1; | |
10843 | } | |
10844 | + nf_reset(skb); | |
10845 | ||
10846 | if (up->encap_type) { | |
10847 | /* | |
10848 | @@ -1210,6 +1211,7 @@ | |
10849 | ||
10850 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) | |
10851 | goto drop; | |
10852 | + nf_reset(skb); | |
10853 | ||
10854 | /* No socket. Drop packet silently, if checksum is wrong */ | |
10855 | if (udp_checksum_complete(skb)) | |
10856 | @@ -1558,6 +1560,7 @@ | |
10857 | EXPORT_SYMBOL(udp_port_rover); | |
10858 | EXPORT_SYMBOL(udp_prot); | |
10859 | EXPORT_SYMBOL(udp_sendmsg); | |
10860 | +EXPORT_SYMBOL(udp_v4_lookup); | |
10861 | ||
10862 | #ifdef CONFIG_PROC_FS | |
10863 | EXPORT_SYMBOL(udp_proc_register); | |
10864 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv4/xfrm4_tunnel.c linux-2.6.6-rc3/net/ipv4/xfrm4_tunnel.c | |
10865 | --- linux-2.6.6-rc3.org/net/ipv4/xfrm4_tunnel.c 2004-04-28 03:35:08.000000000 +0200 | |
10866 | +++ linux-2.6.6-rc3/net/ipv4/xfrm4_tunnel.c 2004-04-29 11:18:03.000000000 +0200 | |
10867 | @@ -76,6 +76,7 @@ | |
10868 | err = -EHOSTUNREACH; | |
10869 | goto error_nolock; | |
10870 | } | |
10871 | + IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; | |
10872 | return NET_XMIT_BYPASS; | |
10873 | ||
10874 | error_nolock: | |
10875 | @@ -170,6 +171,7 @@ | |
10876 | .handler = ipip_rcv, | |
10877 | .err_handler = ipip_err, | |
10878 | .no_policy = 1, | |
10879 | + .xfrm_prot = 1, | |
10880 | }; | |
10881 | ||
10882 | static int __init ipip_init(void) | |
10883 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/Kconfig linux-2.6.6-rc3/net/ipv6/netfilter/Kconfig | |
10884 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/Kconfig 2004-04-29 11:24:39.000000000 +0200 | |
10885 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/Kconfig 2004-04-29 11:19:41.000000000 +0200 | |
10886 | @@ -255,5 +255,29 @@ | |
10887 | depends on IP6_NF_IPTABLES | |
10888 | help | |
10889 | ||
10890 | +config IP6_NF_TARGET_TRACE | |
10891 | + tristate 'TRACE target support' | |
10892 | + depends on IP6_NF_RAW | |
10893 | + help | |
10894 | + The TRACE target allows packets to be traced as those | |
10895 | + matches any subsequent rule in any table/rule. The matched | |
10896 | + rule and the packet is logged with the prefix | |
10897 | + | |
10898 | + TRACE: tablename/chainname/rulenum | |
10899 | + | |
10900 | + If you want to compile it as a module, say M here and read | |
10901 | + <file:Documentation/modules.txt>. If unsure, say `N'. | |
10902 | + help | |
10903 | + | |
10904 | +config IP6_NF_MATCH_POLICY | |
10905 | + tristate "IPsec policy match support" | |
10906 | + depends on IP6_NF_IPTABLES && XFRM | |
10907 | + help | |
10908 | + Policy matching allows you to match packets based on the | |
10909 | + IPsec policy that was used during decapsulation/will | |
10910 | + be used during encapsulation. | |
10911 | + | |
10912 | + To compile it as a module, choose M here. If unsure, say N. | |
10913 | + | |
10914 | endmenu | |
10915 | ||
10916 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/Makefile linux-2.6.6-rc3/net/ipv6/netfilter/Makefile | |
10917 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/Makefile 2004-04-29 11:24:39.000000000 +0200 | |
10918 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/Makefile 2004-04-29 11:19:41.000000000 +0200 | |
10919 | @@ -29,4 +29,6 @@ | |
10920 | obj-$(CONFIG_IP6_NF_MATCH_NTH) += ip6t_nth.o | |
10921 | obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o | |
10922 | obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o | |
10923 | +obj-$(CONFIG_IP6_NF_TARGET_TRACE) += ip6t_TRACE.o | |
10924 | obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o | |
10925 | +obj-$(CONFIG_IP6_NF_MATCH_POLICY) += ip6t_policy.o | |
10926 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6_tables.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6_tables.c | |
10927 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6_tables.c 2004-04-28 03:36:34.000000000 +0200 | |
10928 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6_tables.c 2004-04-29 11:17:15.000000000 +0200 | |
10929 | @@ -38,6 +38,14 @@ | |
10930 | #define IPV6_HDR_LEN (sizeof(struct ipv6hdr)) | |
10931 | #define IPV6_OPTHDR_LEN (sizeof(struct ipv6_opt_hdr)) | |
10932 | ||
10933 | +static const char *hook6names[] = { | |
10934 | + [NF_IP6_PRE_ROUTING] "PREROUTING", | |
10935 | + [NF_IP6_LOCAL_IN] "INPUT", | |
10936 | + [NF_IP6_FORWARD] "FORWARD", | |
10937 | + [NF_IP6_LOCAL_OUT] "OUTPUT", | |
10938 | + [NF_IP6_POST_ROUTING] "POSTROUTING", | |
10939 | +}; | |
10940 | + | |
10941 | /*#define DEBUG_IP_FIREWALL*/ | |
10942 | /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */ | |
10943 | /*#define DEBUG_IP_FIREWALL_USER*/ | |
10944 | @@ -408,6 +416,12 @@ | |
10945 | ||
10946 | t = ip6t_get_target(e); | |
10947 | IP_NF_ASSERT(t->u.kernel.target); | |
10948 | + | |
10949 | + /* The packet traced and the rule isn't an unconditional return/END. */ | |
10950 | + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) { | |
10951 | + nf_log_packet(PF_INET6, hook, *pskb, in, out, "TRACE: %s/%s/%u ", | |
10952 | + table->name, e->chainname, e->rulenum); | |
10953 | + } | |
10954 | /* Standard target? */ | |
10955 | if (!t->u.kernel.target->target) { | |
10956 | int v; | |
10957 | @@ -561,6 +575,29 @@ | |
10958 | return find_inlist_lock(&ip6t_target, name, "ip6t_", error, mutex); | |
10959 | } | |
10960 | ||
10961 | +static inline int | |
10962 | +find_error_target(struct ip6t_entry *s, | |
10963 | + struct ip6t_entry *e, | |
10964 | + char **chainname) | |
10965 | +{ | |
10966 | + struct ip6t_entry_target *t; | |
10967 | + static struct ip6t_entry *found = NULL; | |
10968 | + | |
10969 | + if (s == e) { | |
10970 | + if (!found) | |
10971 | + return 0; | |
10972 | + t = ip6t_get_target(found); | |
10973 | + if (strcmp(t->u.user.name, | |
10974 | + IP6T_ERROR_TARGET) == 0) { | |
10975 | + *chainname = t->data; | |
10976 | + return 1; | |
10977 | + } | |
10978 | + } else | |
10979 | + found = s; | |
10980 | + | |
10981 | + return 0; | |
10982 | +} | |
10983 | + | |
10984 | /* All zeroes == unconditional rule. */ | |
10985 | static inline int | |
10986 | unconditional(const struct ip6t_ip6 *ipv6) | |
10987 | @@ -580,6 +617,8 @@ | |
10988 | mark_source_chains(struct ip6t_table_info *newinfo, unsigned int valid_hooks) | |
10989 | { | |
10990 | unsigned int hook; | |
10991 | + char *chainname = NULL; | |
10992 | + u_int32_t rulenum; | |
10993 | ||
10994 | /* No recursion; use packet counter to save back ptrs (reset | |
10995 | to 0 as we leave), and comefrom to save source hook bitmask */ | |
10996 | @@ -593,6 +632,8 @@ | |
10997 | ||
10998 | /* Set initial back pointer. */ | |
10999 | e->counters.pcnt = pos; | |
11000 | + rulenum = 1; | |
11001 | + chainname = (char *) hook6names[hook]; | |
11002 | ||
11003 | for (;;) { | |
11004 | struct ip6t_standard_target *t | |
11005 | @@ -605,6 +646,8 @@ | |
11006 | } | |
11007 | e->comefrom | |
11008 | |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS)); | |
11009 | + e->rulenum = rulenum++; | |
11010 | + e->chainname = chainname; | |
11011 | ||
11012 | /* Unconditional return/END. */ | |
11013 | if (e->target_offset == sizeof(struct ip6t_entry) | |
11014 | @@ -614,6 +657,10 @@ | |
11015 | && unconditional(&e->ipv6)) { | |
11016 | unsigned int oldpos, size; | |
11017 | ||
11018 | + /* Set unconditional rulenum to zero. */ | |
11019 | + e->rulenum = 0; | |
11020 | + e->counters.bcnt = 0; | |
11021 | + | |
11022 | /* Return: backtrack through the last | |
11023 | big jump. */ | |
11024 | do { | |
11025 | @@ -639,6 +686,11 @@ | |
11026 | (newinfo->entries + pos); | |
11027 | } while (oldpos == pos + e->next_offset); | |
11028 | ||
11029 | + /* Restore chainname, rulenum. */ | |
11030 | + chainname = e->chainname; | |
11031 | + rulenum = e->counters.bcnt; | |
11032 | + e->counters.bcnt = 0; | |
11033 | + | |
11034 | /* Move along one */ | |
11035 | size = e->next_offset; | |
11036 | e = (struct ip6t_entry *) | |
11037 | @@ -654,6 +706,17 @@ | |
11038 | /* This a jump; chase it. */ | |
11039 | duprintf("Jump rule %u -> %u\n", | |
11040 | pos, newpos); | |
11041 | + e->counters.bcnt = rulenum++; | |
11042 | + rulenum = 1; | |
11043 | + e = (struct ip6t_entry *) | |
11044 | + (newinfo->entries + newpos); | |
11045 | + if (IP6T_ENTRY_ITERATE(newinfo->entries, | |
11046 | + newinfo->size, | |
11047 | + find_error_target, | |
11048 | + e, &chainname) == 0) { | |
11049 | + printk("ip6_tables: table screwed up!\n"); | |
11050 | + return 0; | |
11051 | + } | |
11052 | } else { | |
11053 | /* ... this is a fallthru */ | |
11054 | newpos = pos + e->next_offset; | |
11055 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6t_TRACE.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6t_TRACE.c | |
11056 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6t_TRACE.c 1970-01-01 01:00:00.000000000 +0100 | |
11057 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6t_TRACE.c 2004-04-29 11:17:15.000000000 +0200 | |
11058 | @@ -0,0 +1,65 @@ | |
11059 | +/* This is a module which is used for setting | |
11060 | + * the NFC_TRACE flag in the nfcache field of an skb. | |
11061 | + */ | |
11062 | +#include <linux/module.h> | |
11063 | +#include <linux/skbuff.h> | |
11064 | + | |
11065 | +#include <linux/netfilter_ipv6/ip6_tables.h> | |
11066 | + | |
11067 | +MODULE_LICENSE("GPL"); | |
11068 | + | |
11069 | +static unsigned int | |
11070 | +target(struct sk_buff **pskb, | |
11071 | + unsigned int hooknum, | |
11072 | + const struct net_device *in, | |
11073 | + const struct net_device *out, | |
11074 | + const void *targinfo, | |
11075 | + void *userinfo) | |
11076 | +{ | |
11077 | + (*pskb)->nfcache |= NFC_TRACE; | |
11078 | + return IP6T_CONTINUE; | |
11079 | +} | |
11080 | + | |
11081 | +static int | |
11082 | +checkentry(const char *tablename, | |
11083 | + const struct ip6t_entry *e, | |
11084 | + void *targinfo, | |
11085 | + unsigned int targinfosize, | |
11086 | + unsigned int hook_mask) | |
11087 | +{ | |
11088 | + if (targinfosize != 0) { | |
11089 | + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n", | |
11090 | + targinfosize); | |
11091 | + return 0; | |
11092 | + } | |
11093 | + | |
11094 | + if (strcmp(tablename, "raw") != 0) { | |
11095 | + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename); | |
11096 | + return 0; | |
11097 | + } | |
11098 | + | |
11099 | + return 1; | |
11100 | +} | |
11101 | + | |
11102 | +static struct ip6t_target ip6t_trace_reg = { | |
11103 | + .name = "TRACE", | |
11104 | + .target = target, | |
11105 | + .checkentry = checkentry, | |
11106 | + .me = THIS_MODULE | |
11107 | +}; | |
11108 | + | |
11109 | +static int __init init(void) | |
11110 | +{ | |
11111 | + if (ip6t_register_target(&ip6t_trace_reg)) | |
11112 | + return -EINVAL; | |
11113 | + | |
11114 | + return 0; | |
11115 | +} | |
11116 | + | |
11117 | +static void __exit fini(void) | |
11118 | +{ | |
11119 | + ip6t_unregister_target(&ip6t_trace_reg); | |
11120 | +} | |
11121 | + | |
11122 | +module_init(init); | |
11123 | +module_exit(fini); | |
11124 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6t_owner.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6t_owner.c | |
11125 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6t_owner.c 2004-04-28 03:36:30.000000000 +0200 | |
11126 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6t_owner.c 2004-04-29 11:19:40.000000000 +0200 | |
11127 | @@ -21,6 +21,39 @@ | |
11128 | MODULE_LICENSE("GPL"); | |
11129 | ||
11130 | static int | |
11131 | +match_comm(const struct sk_buff *skb, const char *comm) | |
11132 | +{ | |
11133 | + struct task_struct *p, *g; | |
11134 | + struct files_struct *files; | |
11135 | + int i; | |
11136 | + | |
11137 | + read_lock(&tasklist_lock); | |
11138 | + do_each_thread(g, p) { | |
11139 | + if(strncmp(p->comm, comm, sizeof(p->comm))) | |
11140 | + continue; | |
11141 | + | |
11142 | + task_lock(p); | |
11143 | + files = p->files; | |
11144 | + if(files) { | |
11145 | + read_lock(&files->file_lock); | |
11146 | + for (i=0; i < files->max_fds; i++) { | |
11147 | + if (fcheck_files(files, i) == | |
11148 | + skb->sk->sk_socket->file) { | |
11149 | + read_unlock(&files->file_lock); | |
11150 | + task_unlock(p); | |
11151 | + read_unlock(&tasklist_lock); | |
11152 | + return 1; | |
11153 | + } | |
11154 | + } | |
11155 | + read_unlock(&files->file_lock); | |
11156 | + } | |
11157 | + task_unlock(p); | |
11158 | + } while_each_thread(g, p); | |
11159 | + read_unlock(&tasklist_lock); | |
11160 | + return 0; | |
11161 | +} | |
11162 | + | |
11163 | +static int | |
11164 | match_pid(const struct sk_buff *skb, pid_t pid) | |
11165 | { | |
11166 | struct task_struct *p; | |
11167 | @@ -125,6 +158,12 @@ | |
11168 | return 0; | |
11169 | } | |
11170 | ||
11171 | + if(info->match & IP6T_OWNER_COMM) { | |
11172 | + if (!match_comm(skb, info->comm) ^ | |
11173 | + !!(info->invert & IP6T_OWNER_COMM)) | |
11174 | + return 0; | |
11175 | + } | |
11176 | + | |
11177 | return 1; | |
11178 | } | |
11179 | ||
11180 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6t_policy.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6t_policy.c | |
11181 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6t_policy.c 1970-01-01 01:00:00.000000000 +0100 | |
11182 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6t_policy.c 2004-04-29 11:19:41.000000000 +0200 | |
11183 | @@ -0,0 +1,200 @@ | |
11184 | +/* IP tables module for matching IPsec policy\r | |
11185 | + *\r | |
11186 | + * Copyright (c) 2004 Patrick McHardy, <kaber@trash.net>\r | |
11187 | + *\r | |
11188 | + * This program is free software; you can redistribute it and/or modify\r | |
11189 | + * it under the terms of the GNU General Public License version 2 as\r | |
11190 | + * published by the Free Software Foundation.\r | |
11191 | + */\r | |
11192 | +\r | |
11193 | +#include <linux/kernel.h>\r | |
11194 | +#include <linux/config.h>\r | |
11195 | +#include <linux/module.h>\r | |
11196 | +#include <linux/skbuff.h>\r | |
11197 | +#include <linux/init.h>\r | |
11198 | +#include <net/xfrm.h>\r | |
11199 | +\r | |
11200 | +#include <linux/netfilter_ipv6.h>\r | |
11201 | +#include <linux/netfilter_ipv6/ip6t_policy.h>\r | |
11202 | +#include <linux/netfilter_ipv6/ip6_tables.h>\r | |
11203 | +\r | |
11204 | +MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");\r | |
11205 | +MODULE_DESCRIPTION("IPtables IPsec policy matching module");\r | |
11206 | +MODULE_LICENSE("GPL");\r | |
11207 | +\r | |
11208 | +\r | |
11209 | +static inline int ip6_masked_addrcmp(struct in6_addr addr1, struct in6_addr mask,\r | |
11210 | + struct in6_addr addr2)\r | |
11211 | +{\r | |
11212 | + int i;\r | |
11213 | +\r | |
11214 | + for (i = 0; i < 16; i++) {\r | |
11215 | + if ((addr1.s6_addr[i] & mask.s6_addr[i]) !=\r | |
11216 | + (addr2.s6_addr[i] & mask.s6_addr[i]))\r | |
11217 | + return 1;\r | |
11218 | + }\r | |
11219 | + return 0;\r | |
11220 | +}\r | |
11221 | +\r | |
11222 | +\r | |
11223 | +static inline int\r | |
11224 | +match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)\r | |
11225 | +{\r | |
11226 | +#define MISMATCH(x,y) (e->match.x && ((e->x != (y)) ^ e->invert.x))\r | |
11227 | + \r | |
11228 | + struct in6_addr xfrm_saddr, xfrm_daddr;\r | |
11229 | + \r | |
11230 | + if ((e->match.saddr\r | |
11231 | + && (ip6_masked_addrcmp(xfrm_saddr, e->saddr, e->smask))\r | |
11232 | + ^ e->invert.saddr ) ||\r | |
11233 | + (e->match.daddr\r | |
11234 | + && (ip6_masked_addrcmp(xfrm_daddr, e->daddr, e->dmask))\r | |
11235 | + ^ e->invert.daddr ) ||\r | |
11236 | + MISMATCH(proto, x->id.proto) ||\r | |
11237 | + MISMATCH(mode, x->props.mode) ||\r | |
11238 | + MISMATCH(spi, x->id.spi) ||\r | |
11239 | + MISMATCH(reqid, x->props.reqid))\r | |
11240 | + return 0;\r | |
11241 | + return 1;\r | |
11242 | +}\r | |
11243 | +\r | |
11244 | +static int\r | |
11245 | +match_policy_in(const struct sk_buff *skb, const struct ip6t_policy_info *info)\r | |
11246 | +{\r | |
11247 | + const struct ip6t_policy_elem *e;\r | |
11248 | + struct sec_path *sp = skb->sp;\r | |
11249 | + int strict = info->flags & POLICY_MATCH_STRICT;\r | |
11250 | + int i, pos;\r | |
11251 | +\r | |
11252 | + if (sp == NULL)\r | |
11253 | + return -1;\r | |
11254 | + if (strict && info->len != sp->len)\r | |
11255 | + return 0;\r | |
11256 | +\r | |
11257 | + for (i = sp->len - 1; i >= 0; i--) {\r | |
11258 | + pos = strict ? i - sp->len + 1 : 0;\r | |
11259 | + if (pos >= info->len)\r | |
11260 | + return 0;\r | |
11261 | + e = &info->pol[pos];\r | |
11262 | +\r | |
11263 | + if (match_xfrm_state(sp->x[i].xvec, e)) {\r | |
11264 | + if (!strict)\r | |
11265 | + return 1;\r | |
11266 | + } else if (strict)\r | |
11267 | + return 0;\r | |
11268 | + }\r | |
11269 | +\r | |
11270 | + return strict ? 1 : 0;\r | |
11271 | +}\r | |
11272 | +\r | |
11273 | +static int\r | |
11274 | +match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info)\r | |
11275 | +{\r | |
11276 | + const struct ip6t_policy_elem *e;\r | |
11277 | + struct dst_entry *dst = skb->dst;\r | |
11278 | + int strict = info->flags & POLICY_MATCH_STRICT;\r | |
11279 | + int i, pos;\r | |
11280 | +\r | |
11281 | + if (dst->xfrm == NULL)\r | |
11282 | + return -1;\r | |
11283 | +\r | |
11284 | + for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {\r | |
11285 | + pos = strict ? i : 0;\r | |
11286 | + if (pos >= info->len)\r | |
11287 | + return 0;\r | |
11288 | + e = &info->pol[pos];\r | |
11289 | +\r | |
11290 | + if (match_xfrm_state(dst->xfrm, e)) {\r | |
11291 | + if (!strict)\r | |
11292 | + return 1;\r | |
11293 | + } else if (strict)\r | |
11294 | + return 0;\r | |
11295 | + }\r | |
11296 | +\r | |
11297 | + return strict ? 1 : 0;\r | |
11298 | +}\r | |
11299 | +\r | |
11300 | +static int match(const struct sk_buff *skb,\r | |
11301 | + const struct net_device *in,\r | |
11302 | + const struct net_device *out,\r | |
11303 | + const void *matchinfo,\r | |
11304 | + int offset,\r | |
11305 | + const void *hdr,\r | |
11306 | + u_int16_t datalen,\r | |
11307 | + int *hotdrop)\r | |
11308 | +{\r | |
11309 | + const struct ip6t_policy_info *info = matchinfo;\r | |
11310 | + int ret;\r | |
11311 | +\r | |
11312 | + if (info->flags & POLICY_MATCH_IN)\r | |
11313 | + ret = match_policy_in(skb, info);\r | |
11314 | + else\r | |
11315 | + ret = match_policy_out(skb, info);\r | |
11316 | +\r | |
11317 | + if (ret < 0) {\r | |
11318 | + if (info->flags & POLICY_MATCH_NONE)\r | |
11319 | + ret = 1;\r | |
11320 | + else\r | |
11321 | + ret = 0;\r | |
11322 | + } else if (info->flags & POLICY_MATCH_NONE)\r | |
11323 | + ret = 0;\r | |
11324 | +\r | |
11325 | + return ret;\r | |
11326 | +}\r | |
11327 | +\r | |
11328 | +static int checkentry(const char *tablename, const struct ip6t_ip6 *ip,\r | |
11329 | + void *matchinfo, unsigned int matchsize,\r | |
11330 | + unsigned int hook_mask)\r | |
11331 | +{\r | |
11332 | + struct ip6t_policy_info *info = matchinfo;\r | |
11333 | +\r | |
11334 | + if (matchsize != IP6T_ALIGN(sizeof(*info))) {\r | |
11335 | + printk(KERN_ERR "ip6t_policy: matchsize %u != %u\n",\r | |
11336 | + matchsize, IP6T_ALIGN(sizeof(*info)));\r | |
11337 | + return 0;\r | |
11338 | + }\r | |
11339 | + if (!(info->flags & (POLICY_MATCH_IN|POLICY_MATCH_OUT))) {\r | |
11340 | + printk(KERN_ERR "ip6t_policy: neither incoming nor "\r | |
11341 | + "outgoing policy selected\n");\r | |
11342 | + return 0;\r | |
11343 | + }\r | |
11344 | + if (hook_mask & (1 << NF_IP6_PRE_ROUTING | 1 << NF_IP6_LOCAL_IN)\r | |
11345 | + && info->flags & POLICY_MATCH_OUT) {\r | |
11346 | + printk(KERN_ERR "ip6t_policy: output policy not valid in "\r | |
11347 | + "PRE_ROUTING and INPUT\n");\r | |
11348 | + return 0;\r | |
11349 | + }\r | |
11350 | + if (hook_mask & (1 << NF_IP6_POST_ROUTING | 1 << NF_IP6_LOCAL_OUT)\r | |
11351 | + && info->flags & POLICY_MATCH_IN) {\r | |
11352 | + printk(KERN_ERR "ip6t_policy: input policy not valid in "\r | |
11353 | + "POST_ROUTING and OUTPUT\n");\r | |
11354 | + return 0;\r | |
11355 | + }\r | |
11356 | + if (info->len > POLICY_MAX_ELEM) {\r | |
11357 | + printk(KERN_ERR "ip6t_policy: too many policy elements\n");\r | |
11358 | + return 0;\r | |
11359 | + }\r | |
11360 | +\r | |
11361 | + return 1;\r | |
11362 | +}\r | |
11363 | +\r | |
11364 | +static struct ip6t_match policy_match =\r | |
11365 | +{\r | |
11366 | + .name = "policy",\r | |
11367 | + .match = match,\r | |
11368 | + .checkentry = checkentry,\r | |
11369 | + .me = THIS_MODULE,\r | |
11370 | +};\r | |
11371 | +\r | |
11372 | +static int __init init(void)\r | |
11373 | +{\r | |
11374 | + return ip6t_register_match(&policy_match);\r | |
11375 | +}\r | |
11376 | +\r | |
11377 | +static void __exit fini(void)\r | |
11378 | +{\r | |
11379 | + ip6t_unregister_match(&policy_match);\r | |
11380 | +}\r | |
11381 | +\r | |
11382 | +module_init(init);\r | |
11383 | +module_exit(fini);\r | |
11384 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6table_filter.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6table_filter.c | |
11385 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6table_filter.c 2004-04-28 03:35:07.000000000 +0200 | |
11386 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6table_filter.c 2004-04-29 11:17:15.000000000 +0200 | |
11387 | @@ -58,7 +58,7 @@ | |
11388 | 0, | |
11389 | sizeof(struct ip6t_entry), | |
11390 | sizeof(struct ip6t_standard), | |
11391 | - 0, { 0, 0 }, { } }, | |
11392 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11393 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11394 | -NF_ACCEPT - 1 } }, | |
11395 | /* FORWARD */ | |
11396 | @@ -66,7 +66,7 @@ | |
11397 | 0, | |
11398 | sizeof(struct ip6t_entry), | |
11399 | sizeof(struct ip6t_standard), | |
11400 | - 0, { 0, 0 }, { } }, | |
11401 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11402 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11403 | -NF_ACCEPT - 1 } }, | |
11404 | /* LOCAL_OUT */ | |
11405 | @@ -74,7 +74,7 @@ | |
11406 | 0, | |
11407 | sizeof(struct ip6t_entry), | |
11408 | sizeof(struct ip6t_standard), | |
11409 | - 0, { 0, 0 }, { } }, | |
11410 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11411 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11412 | -NF_ACCEPT - 1 } } | |
11413 | }, | |
11414 | @@ -83,7 +83,7 @@ | |
11415 | 0, | |
11416 | sizeof(struct ip6t_entry), | |
11417 | sizeof(struct ip6t_error), | |
11418 | - 0, { 0, 0 }, { } }, | |
11419 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11420 | { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } }, | |
11421 | { } }, | |
11422 | "ERROR" | |
11423 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6table_mangle.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6table_mangle.c | |
11424 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6table_mangle.c 2004-04-28 03:35:43.000000000 +0200 | |
11425 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6table_mangle.c 2004-04-29 11:17:15.000000000 +0200 | |
11426 | @@ -73,7 +73,7 @@ | |
11427 | 0, | |
11428 | sizeof(struct ip6t_entry), | |
11429 | sizeof(struct ip6t_standard), | |
11430 | - 0, { 0, 0 }, { } }, | |
11431 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11432 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11433 | -NF_ACCEPT - 1 } }, | |
11434 | /* LOCAL_IN */ | |
11435 | @@ -81,7 +81,7 @@ | |
11436 | 0, | |
11437 | sizeof(struct ip6t_entry), | |
11438 | sizeof(struct ip6t_standard), | |
11439 | - 0, { 0, 0 }, { } }, | |
11440 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11441 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11442 | -NF_ACCEPT - 1 } }, | |
11443 | /* FORWARD */ | |
11444 | @@ -89,7 +89,7 @@ | |
11445 | 0, | |
11446 | sizeof(struct ip6t_entry), | |
11447 | sizeof(struct ip6t_standard), | |
11448 | - 0, { 0, 0 }, { } }, | |
11449 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11450 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11451 | -NF_ACCEPT - 1 } }, | |
11452 | /* LOCAL_OUT */ | |
11453 | @@ -97,7 +97,7 @@ | |
11454 | 0, | |
11455 | sizeof(struct ip6t_entry), | |
11456 | sizeof(struct ip6t_standard), | |
11457 | - 0, { 0, 0 }, { } }, | |
11458 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11459 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11460 | -NF_ACCEPT - 1 } }, | |
11461 | /* POST_ROUTING */ | |
11462 | @@ -105,7 +105,7 @@ | |
11463 | 0, | |
11464 | sizeof(struct ip6t_entry), | |
11465 | sizeof(struct ip6t_standard), | |
11466 | - 0, { 0, 0 }, { } }, | |
11467 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11468 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11469 | -NF_ACCEPT - 1 } } | |
11470 | }, | |
11471 | @@ -114,7 +114,7 @@ | |
11472 | 0, | |
11473 | sizeof(struct ip6t_entry), | |
11474 | sizeof(struct ip6t_error), | |
11475 | - 0, { 0, 0 }, { } }, | |
11476 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11477 | { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } }, | |
11478 | { } }, | |
11479 | "ERROR" | |
11480 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6table_raw.c linux-2.6.6-rc3/net/ipv6/netfilter/ip6table_raw.c | |
11481 | --- linux-2.6.6-rc3.org/net/ipv6/netfilter/ip6table_raw.c 2004-04-28 03:36:19.000000000 +0200 | |
11482 | +++ linux-2.6.6-rc3/net/ipv6/netfilter/ip6table_raw.c 2004-04-29 11:17:15.000000000 +0200 | |
11483 | @@ -52,7 +52,7 @@ | |
11484 | 0, | |
11485 | sizeof(struct ip6t_entry), | |
11486 | sizeof(struct ip6t_standard), | |
11487 | - 0, { 0, 0 }, { } }, | |
11488 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11489 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11490 | -NF_ACCEPT - 1 } }, | |
11491 | /* LOCAL_OUT */ | |
11492 | @@ -60,7 +60,7 @@ | |
11493 | 0, | |
11494 | sizeof(struct ip6t_entry), | |
11495 | sizeof(struct ip6t_standard), | |
11496 | - 0, { 0, 0 }, { } }, | |
11497 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11498 | { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, | |
11499 | -NF_ACCEPT - 1 } }, | |
11500 | }, | |
11501 | @@ -69,7 +69,7 @@ | |
11502 | 0, | |
11503 | sizeof(struct ip6t_entry), | |
11504 | sizeof(struct ip6t_error), | |
11505 | - 0, { 0, 0 }, { } }, | |
11506 | + 0, NULL, 0, { 0, 0 }, { } }, | |
11507 | { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } }, | |
11508 | { } }, | |
11509 | "ERROR" | |
11510 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/xfrm/xfrm_input.c linux-2.6.6-rc3/net/xfrm/xfrm_input.c | |
11511 | --- linux-2.6.6-rc3.org/net/xfrm/xfrm_input.c 2004-04-28 03:35:05.000000000 +0200 | |
11512 | +++ linux-2.6.6-rc3/net/xfrm/xfrm_input.c 2004-04-29 11:18:03.000000000 +0200 | |
11513 | @@ -29,6 +29,9 @@ | |
11514 | if (!sp) | |
11515 | return NULL; | |
11516 | ||
11517 | +#ifdef CONFIG_NETFILTER | |
11518 | + sp->decap_done = 0; | |
11519 | +#endif | |
11520 | sp->len = 0; | |
11521 | if (src) { | |
11522 | int i; | |
11523 | diff -Nur --exclude '*.orig' linux-2.6.6-rc3.org/net/xfrm/xfrm_policy.c linux-2.6.6-rc3/net/xfrm/xfrm_policy.c | |
11524 | --- linux-2.6.6-rc3.org/net/xfrm/xfrm_policy.c 2004-04-28 03:35:48.000000000 +0200 | |
11525 | +++ linux-2.6.6-rc3/net/xfrm/xfrm_policy.c 2004-04-29 11:18:06.000000000 +0200 | |
11526 | @@ -21,6 +21,7 @@ | |
11527 | #include <linux/workqueue.h> | |
11528 | #include <linux/notifier.h> | |
11529 | #include <linux/netdevice.h> | |
11530 | +#include <linux/netfilter.h> | |
11531 | #include <net/xfrm.h> | |
11532 | #include <net/ip.h> | |
11533 | ||
11534 | @@ -908,6 +909,7 @@ | |
11535 | ||
11536 | if (_decode_session(skb, &fl, family) < 0) | |
11537 | return 0; | |
11538 | + nf_nat_decode_session(skb, &fl, family); | |
11539 | ||
11540 | /* First, check used SA against their selectors. */ | |
11541 | if (skb->sp) { |