1 diff -NurpP --minimal linux/include/net/netfilter/nf_conntrack.h linux/include/net/netfilter/nf_conntrack.h
2 --- linux/include/net/netfilter/nf_conntrack.h 2007-05-30 11:57:00.000000000 +0200
3 +++ linux/include/net/netfilter/nf_conntrack.h 2007-05-30 11:58:41.000000000 +0200
4 @@ -29,6 +29,7 @@ union nf_conntrack_expect_proto {
7 /* Add protocol helper include file here */
8 +#include <linux/netfilter/nf_conntrack_rsh.h>
9 #include <linux/netfilter/nf_conntrack_ftp.h>
10 #include <linux/netfilter/nf_conntrack_pptp.h>
11 #include <linux/netfilter/nf_conntrack_h323.h>
13 #if defined(CONFIG_NF_NAT_MMS) || defined(CONFIG_NF_NAT_MMS_MODULE)
14 struct nf_ct_mms_master ct_mms_info;
16 +#if defined(CONFIG_NF_CONNTRACK_RSH) || defined(CONFIG_NF_CONNTRACK_RSH_MODULE)
17 + struct nf_ct_rsh_master ct_rsh_info;
22 #include <linux/types.h>
23 diff -NurpP --minimal linux/include/linux/netfilter/nf_conntrack_rsh.h linux/include/linux/netfilter/nf_conntrack_rsh.h
24 --- linux/include/linux/netfilter/nf_conntrack_rsh.h 1970-01-01 01:00:00.000000000 +0100
25 +++ linux/include/linux/netfilter/nf_conntrack_rsh.h 2007-05-30 11:58:41.000000000 +0200
27 +/* RSH extension for IP connection tracking, Version 1.0
28 + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
29 + * based on HW's ip_conntrack_irc.c
31 + * nf_conntrack_rsh.c,v 1.0 2002/07/17 14:49:26
33 + * This program is free software; you can redistribute it and/or
34 + * modify it under the terms of the GNU General Public License
35 + * as published by the Free Software Foundation; either version
36 + * 2 of the License, or (at your option) any later version.
38 +#ifndef _IP_CONNTRACK_RSH_H
39 +#define _IP_CONNTRACK_RSH_H
43 +/* This structure is per expected connection */
44 +struct nf_ct_rsh_expect
49 +/* This structure exists only once per master */
50 +struct nf_ct_rsh_master {
53 +#endif /* _IP_CONNTRACK_RSH_H */
55 diff -NurpP --minimal linux/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
56 --- linux/net/ipv4/netfilter/Kconfig 2007-05-30 11:57:07.000000000 +0200
57 +++ linux/net/ipv4/netfilter/Kconfig 2007-05-30 11:58:41.000000000 +0200
58 @@ -870,5 +870,28 @@ config IP_NF_MMS
59 If you want to compile it as a module, say M here and read
60 <file:Documentation/modules.txt>. If unsure, say `Y'.
62 +config NF_CONNTRACK_RSH
63 + tristate 'RSH protocol support'
64 + depends on NF_CONNTRACK
66 + The RSH connection tracker is required if the dynamic
67 + stderr "Server to Client" connection is to occur during a
68 + normal RSH session. This typically operates as follows;
70 + Client 0:1023 --> Server 514 (stream 1 - stdin/stdout)
71 + Client 0:1023 <-- Server 0:1023 (stream 2 - stderr)
73 + This connection tracker will identify new RSH sessions,
74 + extract the outbound session details, and notify netfilter
75 + of pending "related" sessions.
77 + Warning: This module could be dangerous. It is not "best
78 + practice" to use RSH, use SSH in all instances.
79 + (see rfc1244, rfc1948, rfc2179, etc ad-nauseum)
82 + If you want to compile it as a module, say M here and read
83 + <file:Documentation/modules.txt>. If unsure, say `N'.
87 diff -NurpP --minimal linux/net/netfilter/Makefile linux/net/netfilter/Makefile
88 --- linux/net/netfilter/Makefile 2007-05-30 11:57:07.000000000 +0200
89 +++ linux/net/netfilter/Makefile 2007-05-30 11:58:41.000000000 +0200
91 +obj-$(CONFIG_NF_CONNTRACK_RSH) += nf_conntrack_rsh.o
92 diff -NurpP --minimal linux/net/netfilter/nf_conntrack_rsh.c linux/net/netfilter/nf_conntrack_rsh.c
93 --- linux/net/netfilter/nf_conntrack_rsh.c 1970-01-01 01:00:00.000000000 +0100
94 +++ linux/net/netfilter/nf_conntrack_rsh.c 2007-05-30 11:58:41.000000000 +0200
96 +/* RSH extension for IP connection tracking, Version 1.0
97 + * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
98 + * based on HW's ip_conntrack_irc.c
100 + * (C) 2004,2005 by David Stes <stes@pandora.be>
101 + * Modification for Legato NetWorker range [7937-9936] instead of [0:1023]
103 + * (C) 2005 by David Stes <stes@pandora.be>
104 + * Upgrade to 2.6.13 API
106 + * ip_conntrack_rsh.c,v 1.0 2002/07/17 14:49:26
108 + * This program is free software; you can redistribute it and/or
109 + * modify it under the terms of the GNU General Public License
110 + * as published by the Free Software Foundation; either version
111 + * 2 of the License, or (at your option) any later version.
113 + * Module load syntax:
114 + * insmod ip_conntrack_rsh.o range=1023,ports=port1,port2,...port<MAX_PORTS>
116 + * please give the ports of all RSH servers You wish to connect to.
117 + * If You don't specify ports, the default will be port 514
120 + * RSH blows ... you should use SSH (openssh.org) to replace it,
121 + * unfortunately I babysit some sysadmins that won't migrate
122 + * their legacy crap, in our second tier.
127 + * Some docco ripped from the net to teach me all there is to know about
128 + * RSH, in 16.5 seconds (ie, all of the non-netfilter docco used to write
131 + * I have no idea what "unix rshd man pages" these guys have .. but that
132 + * is some pretty detailed docco!
135 + * 4. Of the rsh protocol.
136 + * -----------------------
138 + * The rshd listens on TCP port #514. The following info is from the unix
141 + * "Service Request Protocol
143 + * When the rshd daemon receives a service request, it initiates the
144 + * following protocol:
146 + * 1. The rshd daemon checks the source port number for the request.
147 + * If the port number is not in the range 0 through 1023, the rshd daemon
148 + * terminates the connection.
150 + * 2. The rshd daemon reads characters from the socket up to a null byte.
151 + * The string read is interpreted as an ASCII number (base 10). If this
152 + * number is nonzero, the rshd daemon interprets it as the port number
153 + * of a secondary stream to be used as standard error. A second connection
154 + * is created to the specified port on the client host. The source port
155 + * on the local host is in the range 0 through 1023.
157 + * 3. The rshd daemon uses the source address of the initial connection
158 + * request to determine the name of the client host. If the name cannot
159 + * be determined, the rshd daemon uses the dotted decimal representation
160 + * of the client host's address.
162 + * 4. The rshd daemon retrieves the following information from the initial
165 + * * A null-terminated string of at most 16 bytes interpreted as
166 + * the user name of the user on the client host.
168 + * * A null-terminated string of at most 16 bytes interpreted as
169 + * the user name to be used on the local server host.
171 + * * Another null-terminated string interpreted as a command line
172 + * to be passed to a shell on the local server host.
174 + * 5. The rshd daemon attempts to validate the user using the following steps:
176 + * a. The rshd daemon looks up the local user name in the /etc/passwd
177 + * file and tries to switch to the home directory (using the chdir
178 + * subroutine). If either the lookup or the directory change fails,
179 + * the rshd daemon terminates the connection.
181 + * b. If the local user ID is a nonzero value, the rshd daemon searches
182 + * the /etc/hosts.equiv file to see if the name of the client
183 + * workstation is listed. If the client workstation is listed as an
184 + * equivalent host, the rshd daemon validates the user.
186 + * c. If the $HOME/.rhosts file exists, the rshd daemon tries to
187 + * authenticate the user by checking the .rhosts file.
189 + * d. If either the $HOME/.rhosts authentication fails or the
190 + * client host is not an equivalent host, the rshd daemon
191 + * terminates the connection.
193 + * 6. Once rshd validates the user, the rshd daemon returns a null byte
194 + * on the initial connection and passes the command line to the user's
195 + * local login shell. The shell then inherits the network connections
196 + * established by the rshd daemon."
201 +#include <linux/module.h>
202 +#include <linux/netfilter.h>
203 +#include <linux/ip.h>
204 +#include <net/checksum.h>
205 +#include <net/tcp.h>
207 +#include <linux/netfilter_ipv4/ip_tables.h>
208 +#include <net/netfilter/nf_conntrack_expect.h>
209 +#include <net/netfilter/nf_conntrack_helper.h>
210 +#include <linux/netfilter/nf_conntrack_rsh.h>
213 +static int range; /* defaults to = 1023 */
214 +static unsigned short rangemask; /* defaults to = 0xfc00 */
215 +static int ports[MAX_PORTS];
216 +static int ports_n_c = 0;
218 +MODULE_AUTHOR("Ian (Larry) Latter <Ian.Latter@mq.edu.au>");
219 +MODULE_DESCRIPTION("RSH connection tracking module");
220 +MODULE_LICENSE("GPL");
222 +module_param(range, int, 0400);
223 +MODULE_PARM_DESC(range, "max port of reserved range (default is 1023)");
224 +module_param_array(ports, int, &ports_n_c, 0400);
225 +MODULE_PARM_DESC(ports, "port numbers of RSH servers");
228 +static DEFINE_SPINLOCK(rsh_buffer_lock);
229 +static char rsh_buffer[65535];
231 +unsigned int (*ip_nat_rsh_hook)(struct sk_buff **pskb,
232 + enum ip_conntrack_info ctinfo,
233 + unsigned int matchoff,
234 + struct nf_conntrack_expect *exp);
236 +#define PRINTK(format, args...) printk(KERN_DEBUG "ip_conntrack_rsh: " \
240 +#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rsh: " \
243 +#define DEBUGP(format, args...)
246 +#define NIPQUAD(addr) \
247 + ((unsigned char *)&addr)[0], \
248 + ((unsigned char *)&addr)[1], \
249 + ((unsigned char *)&addr)[2], \
250 + ((unsigned char *)&addr)[3]
252 +/* FIXME: This should be in userspace. Later. */
253 +static int help(struct sk_buff **pskb,
254 + struct nf_conn *ct, enum ip_conntrack_info ctinfo)
256 + struct tcphdr _tcph, *th;
257 + char *data, *rb_ptr;
258 + int ret = NF_ACCEPT;
259 + int dir = CTINFO2DIR(ctinfo);
260 + struct nf_conntrack_expect *exp;
261 + unsigned int dataoff, datalen;
265 + /* note that "maxoctet" is used to maintain sanity (8 was the
266 + * original array size used in rshd/glibc) -- is there a
267 + * vulnerability in rshd.c in the looped port *= 10?
270 + DEBUGP("entered\n");
272 + /* bail if packet is not from RSH client */
273 + if (dir == IP_CT_DIR_REPLY) {
277 + /* Until there's been traffic both ways, don't look in packets. */
278 + if (ctinfo != IP_CT_ESTABLISHED
279 + && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
280 + DEBUGP("Conntrackinfo = %u\n", ctinfo);
284 + /* Not a full tcp header? */
285 + th = skb_header_pointer(*pskb, ip_hdr(*pskb)->ihl*4,
286 + sizeof(_tcph), &_tcph);
288 + DEBUGP("rsh: skb_header_pointer null\n");
293 + dataoff = ip_hdr(*pskb)->ihl*4 + th->doff*4;
294 + if (dataoff >= (*pskb)->len) {
297 + datalen = (*pskb)->len - dataoff;
298 + spin_lock_bh(&rsh_buffer_lock);
299 + rb_ptr = skb_header_pointer(*pskb, dataoff, datalen, rsh_buffer);
300 + BUG_ON(rb_ptr == NULL);
303 + DEBUGP("rsh: find rsh stderr port datalen %u\n",datalen);
307 + for ( ; *data != 0 && maxoctet != 0; data++, maxoctet--) {
314 + if (*data < 48 || *data > 57) {
315 + DEBUGP("these aren't the packets you're looking for ..\n");
316 + ret = NF_ACCEPT; goto out;
318 + port = port * 10 + ( *data - 48 );
321 + /* dont relate sessions that try to expose the client */
323 + DEBUGP("skipping, port is 0!\n");
324 + ret = NF_ACCEPT;goto out;
327 + DEBUGP("found port %u\n", port);
328 + if (port > range) {
329 + DEBUGP("skipping, expected port size is greater than range!\n");
333 + exp = nf_ct_expect_alloc(ct);
339 + /* new(,related) connection is;
340 + * reply + dst (uint)port + src port (0:1023)
343 + /* Watch out, Radioactive-Man! */
344 + exp->tuple.src.u3.ip = ct->tuplehash[!dir].tuple.src.u3.ip;
345 + exp->tuple.dst.u3.ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
346 + exp->tuple.src.u.tcp.port = 0;
347 + exp->tuple.dst.u.tcp.port = htons(port);
348 + exp->tuple.dst.protonum = IPPROTO_TCP;
350 + exp->mask.src.u3.ip = 0xffffffff;
352 + exp->mask.src.u.tcp.port = htons(rangemask);
354 + exp->expectfn = NULL;
357 + DEBUGP("expect related ip %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n",
358 + NIPQUAD(exp->tuple.src.ip),
359 + ntohs(exp->tuple.src.u.tcp.port),
360 + NIPQUAD(exp->tuple.dst.ip),
361 + ntohs(exp->tuple.dst.u.tcp.port));
363 + if (ip_nat_rsh_hook)
364 + ret = ip_nat_rsh_hook(pskb, ctinfo, rb_ptr - data, exp);
365 + else if (nf_ct_expect_related(exp) != 0) {
369 + nf_ct_expect_put(exp);
372 + spin_unlock_bh(&rsh_buffer_lock);
376 +static struct nf_conntrack_helper rsh_helpers[MAX_PORTS];
377 +static char rsh_names[MAX_PORTS][10];
378 +static const struct nf_conntrack_expect_policy rsh_exp_policy = {
380 + .timeout = 5, /* stes bug timeout=0 */
383 +static void fini(void);
385 +static int __init init(void)
390 + /* If no port given, default to standard RSH port */
392 + ports[0] = RSH_PORT;
394 + /* the check on reserved port <1023 doesn't work with Legato */
395 + /* for Legato NetWorker, the check should be that port <= 9936 */
400 + /* Legato uses range [ 7937 : 9936 ] -> 7937 by default */
402 + rangemask = 0xffff ^ range; /* defaults to = 0xfc00 */
404 + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
405 + memset(&rsh_helpers[port], 0, sizeof(struct nf_conntrack_helper));
407 + tmpname = &rsh_names[port][0];
408 + if (ports[port] == RSH_PORT)
409 + sprintf(tmpname, "rsh");
411 + sprintf(tmpname, "rsh-%d", ports[port]);
412 + rsh_helpers[port].name = tmpname;
414 + rsh_helpers[port].me = THIS_MODULE;
415 + rsh_helpers[port].expect_policy = &rsh_exp_policy;
417 + rsh_helpers[port].tuple.dst.protonum = IPPROTO_TCP;
419 + /* RSH must come from ports 0:1023 to ports[port] (514) */
420 + rsh_helpers[port].tuple.src.u.tcp.port = htons(ports[port]);
422 + rsh_helpers[port].help = help;
424 + PRINTK("registering helper for port #%d: %d/TCP\n", port, ports[port]);
425 + PRINTK("helper match ip %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n",
426 + NIPQUAD(rsh_helpers[port].tuple.src.u3.ip),
427 + ntohs(rsh_helpers[port].tuple.src.u.tcp.port),
428 + NIPQUAD(rsh_helpers[port].tuple.dst.u3.ip),
429 + ntohs(rsh_helpers[port].tuple.dst.u.tcp.port));
431 + ret = nf_conntrack_helper_register(&rsh_helpers[port]);
434 + printk("ERROR registering port %d\n",
444 +/* This function is intentionally _NOT_ defined as __exit, because
445 + * it is needed by the init function */
446 +static void fini(void)
449 + for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
450 + DEBUGP("unregistering port %d\n", ports[port]);
451 + nf_conntrack_helper_unregister(&rsh_helpers[port]);