static int destroy_sibling_or_exp(const struct ip_conntrack_tuple *t)
{
struct ip_conntrack_tuple_hash *h;
struct ip_conntrack_expect *exp;
DEBUGP("trying to timeout ct or exp for tuple ");
DUMP_TUPLE(t);
h = ip_conntrack_find_get(t, NULL);
if (h) {
struct ip_conntrack *sibling = tuplehash_to_ctrack(h);
DEBUGP("setting timeout of conntrack %p to 0\n", sibling);
sibling->proto.gre.timeout = 0;
sibling->proto.gre.stream_timeout = 0;
if (del_timer(&sibling->timeout))
sibling->timeout.function((unsigned long)sibling);
ip_conntrack_put(sibling);
return 1;
} else {
exp = ip_conntrack_expect_find(t);
if (exp) {
DEBUGP("unexpect_related of expect %p\n", exp);
ip_conntrack_unexpect_related(exp);
ip_conntrack_expect_put(exp);
return 1;
}
}
return 0;
}
static void pptp_expectfn(struct ip_conntrack *ct,
struct ip_conntrack_expect *exp)
{
DEBUGP("increasing timeouts\n");
/* increase timeout of GRE data channel conntrack entry */
ct->proto.gre.timeout = PPTP_GRE_TIMEOUT;
ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT;
/* Can you see how rusty this code is, compared with the pre-2.6.11
* one? That's what happened to my shiny newnat of 2002 ;( -HW */
if (!ip_nat_pptp_hook_expectfn) {
struct ip_conntrack_tuple inv_t;
struct ip_conntrack_expect *exp_other;
/* obviously this tuple inversion only works until you do NAT */
invert_tuplepr(&inv_t, &exp->tuple);
DEBUGP("trying to unexpect other dir: ");
DUMP_TUPLE(&inv_t);
exp_other = ip_conntrack_expect_find(&inv_t);
if (exp_other) {
/* delete other expectation. */
DEBUGP("found\n");
ip_conntrack_unexpect_related(exp_other);
ip_conntrack_expect_put(exp_other);
} else {
DEBUGP("not found\n");
}
} else {
/* we need more than simple inversion */
ip_nat_pptp_hook_expectfn(ct, exp);
}
}
static int tftp_help(struct sk_buff **pskb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo)
{
struct tftphdr _tftph, *tfh;
struct ip_conntrack_expect *exp;
unsigned int ret = NF_ACCEPT;
tfh = skb_header_pointer(*pskb,
(*pskb)->nh.iph->ihl*4+sizeof(struct udphdr),
sizeof(_tftph), &_tftph);
if (tfh == NULL)
return NF_ACCEPT;
switch (ntohs(tfh->opcode)) {
/* RRQ and WRQ works the same way */
case TFTP_OPCODE_READ:
case TFTP_OPCODE_WRITE:
DEBUGP("");
DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
exp = ip_conntrack_expect_alloc(ct);
if (exp == NULL)
return NF_DROP;
exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
exp->mask.src.ip = 0xffffffff;
exp->mask.src.u.udp.port = 0;
exp->mask.dst.ip = 0xffffffff;
exp->mask.dst.u.udp.port = 0xffff;
exp->mask.dst.protonum = 0xff;
exp->expectfn = NULL;
exp->flags = 0;
DEBUGP("expect: ");
DUMP_TUPLE(&exp->tuple);
DUMP_TUPLE(&exp->mask);
if (ip_nat_tftp_hook)
ret = ip_nat_tftp_hook(pskb, ctinfo, exp);
else if (ip_conntrack_expect_related(exp) != 0)
ret = NF_DROP;
ip_conntrack_expect_put(exp);
break;
case TFTP_OPCODE_DATA:
case TFTP_OPCODE_ACK:
DEBUGP("Data/ACK opcode\n");
break;
case TFTP_OPCODE_ERROR:
DEBUGP("Error opcode\n");
break;
default:
DEBUGP("Unknown opcode\n");
}
return NF_ACCEPT;
}
static int quake3_help(struct sk_buff **pskb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo)
{
struct udphdr _udph, *uh;
struct ip_conntrack_expect *exp;
void *data, *qb_ptr;
int dir = CTINFO2DIR(ctinfo);
int i, dataoff;
int ret = NF_ACCEPT;
/* Until there's been traffic both ways, don't look in packets. note:
* it's UDP ! */
if (ctinfo != IP_CT_ESTABLISHED
&& ctinfo != IP_CT_IS_REPLY) {
DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n",
ctinfo);
return NF_ACCEPT;
} else {
DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n",
ctinfo);
}
/* Valid UDP header? */
uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
sizeof(_udph), &_udph);
if (!uh)
return NF_ACCEPT;
/* Any data? */
dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
if (dataoff >= (*pskb)->len)
return NF_ACCEPT;
spin_lock_bh(&quake3_buffer_lock);
qb_ptr = skb_header_pointer(*pskb, dataoff,
(*pskb)->len - dataoff, quake3_buffer);
BUG_ON(qb_ptr == NULL);
data = qb_ptr;
if (strnicmp(data + 4, quake3s_conntrack.pattern,
quake3s_conntrack.plen) == 0) {
for(i=23; /* 4 bytes filler, 18 bytes "getserversResponse",
1 byte "\" */
i+6 < ntohs(uh->len);
i+=7) {
u_int32_t *ip = data+i;
u_int16_t *port = data+i+4;
#if 0
DEBUGP("ip_conntrack_quake3: adding server at offset "
"%u/%u %u.%u.%u.%u:%u\n", i, ntohs(uh->len),
NIPQUAD(*ip), ntohs(*port));
#endif
exp = ip_conntrack_expect_alloc(ct);
if (!exp) {
ret = NF_DROP;
goto out;
}
memset(exp, 0, sizeof(*exp));
exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
exp->tuple.dst.ip = *ip;
exp->tuple.dst.u.udp.port = *port;
exp->tuple.dst.protonum = IPPROTO_UDP;
exp->mask.src.ip = 0xffffffff;
exp->mask.dst.ip = 0xffffffff;
exp->mask.dst.u.udp.port = 0xffff;
exp->mask.dst.protonum = 0xff;
if (ip_nat_quake3_hook)
ret = ip_nat_quake3_hook(exp);
else if (ip_conntrack_expect_related(exp) != 0) {
ip_conntrack_expect_put(exp);
ret = NF_DROP;
}
goto out;
}
}
out:
spin_unlock_bh(&quake3_buffer_lock);
return ret;
}
/* outbound packet: client->server */
static inline int
help_out(struct sk_buff **pskb, unsigned char *rb_ptr, unsigned int datalen,
struct ip_conntrack* ct, enum ip_conntrack_info ctinfo)
{
struct ip_ct_rtsp_expect expinfo;
int dir = CTINFO2DIR(ctinfo); /* = IP_CT_DIR_ORIGINAL */
//struct tcphdr* tcph = (void*)iph + iph->ihl * 4;
//uint tcplen = pktlen - iph->ihl * 4;
char* pdata = rb_ptr;
//uint datalen = tcplen - tcph->doff * 4;
uint dataoff = 0;
int ret = NF_ACCEPT;
struct ip_conntrack_expect *exp;
memset(&expinfo, 0, sizeof(expinfo));
while (dataoff < datalen)
{
uint cmdoff = dataoff;
uint hdrsoff = 0;
uint hdrslen = 0;
uint cseqoff = 0;
uint cseqlen = 0;
uint lineoff = 0;
uint linelen = 0;
uint off;
if (!rtsp_parse_message(pdata, datalen, &dataoff,
&hdrsoff, &hdrslen,
&cseqoff, &cseqlen))
{
break; /* not a valid message */
}
if (strncmp(pdata+cmdoff, "SETUP ", 6) != 0)
{
continue; /* not a SETUP message */
}
DEBUGP("found a setup message\n");
off = 0;
while (nf_mime_nextline(pdata+hdrsoff, hdrslen, &off,
&lineoff, &linelen))
{
if (linelen == 0)
{
break;
}
if (off > hdrsoff+hdrslen)
{
INFOP("!! overrun !!");
break;
}
if (nf_strncasecmp(pdata+hdrsoff+lineoff, "Transport:", 10) == 0)
{
rtsp_parse_transport(pdata+hdrsoff+lineoff, linelen, &expinfo);
}
}
if (expinfo.loport == 0)
{
DEBUGP("no udp transports found\n");
continue; /* no udp transports found */
}
DEBUGP("udp transport found, ports=(%d,%hu,%hu)\n",
(int)expinfo.pbtype,
expinfo.loport,
expinfo.hiport);
exp = ip_conntrack_expect_alloc(ct);
if (!exp) {
ret = NF_DROP;
goto out;
}
//exp->seq = ntohl(tcph->seq) + hdrsoff; /* mark all the headers */
exp->master = ct;
//exp.help.exp_rtsp_info.len = hdrslen;
exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
exp->mask.src.ip = 0xffffffff;
exp->tuple.dst.ip = ct->tuplehash[dir].tuple.src.ip;
exp->mask.dst.ip = 0xffffffff;
exp->tuple.dst.u.udp.port = expinfo.loport;
exp->mask.dst.u.udp.port =
(expinfo.pbtype == pb_range) ? 0xfffe : 0xffff;
exp->tuple.dst.protonum = IPPROTO_UDP;
exp->mask.dst.protonum = 0xff;
DEBUGP("expect_related %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n",
NIPQUAD(exp->tuple.src.ip),
ntohs(exp->tuple.src.u.tcp.port),
NIPQUAD(exp->tuple.dst.ip),
ntohs(exp->tuple.dst.u.tcp.port));
if (ip_nat_rtsp_hook)
/* pass the request off to the nat helper */
ret = ip_nat_rtsp_hook(pskb, ctinfo, &expinfo, exp);
else if (ip_conntrack_expect_related(exp) != 0) {
INFOP("ip_conntrack_expect_related failed\n");
ip_conntrack_expect_put(exp);
ret = NF_DROP;
}
goto out;
}
out:
return ret;
}
/* FIXME: This should be in userspace. Later. */
static int help(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
struct tcphdr _tcph, *th;
char *data, *rb_ptr;
int ret = NF_ACCEPT;
int dir = CTINFO2DIR(ctinfo);
struct ip_conntrack_expect *exp;
unsigned int dataoff, datalen;
u_int16_t port;
int maxoctet = 4;
/* note that "maxoctet" is used to maintain sanity (8 was the
* original array size used in rshd/glibc) -- is there a
* vulnerability in rshd.c in the looped port *= 10?
*/
DEBUGP("entered\n");
/* bail if packet is not from RSH client */
if (dir == IP_CT_DIR_REPLY) {
return NF_ACCEPT;
}
/* Until there's been traffic both ways, don't look in packets. */
if (ctinfo != IP_CT_ESTABLISHED
&& ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
DEBUGP("Conntrackinfo = %u\n", ctinfo);
return NF_ACCEPT;
}
/* Not a full tcp header? */
th = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
sizeof(_tcph), &_tcph);
if (!th) {
DEBUGP("rsh: skb_header_pointer null\n");
return NF_ACCEPT;
}
/* No data? */
dataoff = (*pskb)->nh.iph->ihl*4 + th->doff*4;
if (dataoff >= (*pskb)->len) {
return NF_ACCEPT;
}
datalen = (*pskb)->len - dataoff;
spin_lock_bh(&rsh_buffer_lock);
rb_ptr = skb_header_pointer(*pskb, dataoff, datalen, rsh_buffer);
BUG_ON(rb_ptr == NULL);
data = rb_ptr;
DEBUGP("rsh: find rsh stderr port datalen %u\n",datalen);
maxoctet = 5;
port = 0;
for ( ; *data != 0 && maxoctet != 0; data++, maxoctet--) {
if (*data < 0) {
ret = 1; goto out;
}
if (*data == 0) {
break;
}
if (*data < 48 || *data > 57) {
DEBUGP("these aren't the packets you're looking for ..\n");
ret = NF_ACCEPT; goto out;
}
port = port * 10 + ( *data - 48 );
}
/* dont relate sessions that try to expose the client */
if (port == 0) {
DEBUGP("skipping, port is 0!\n");
ret = NF_ACCEPT;goto out;
}
DEBUGP("found port %u\n", port);
if (port > range) {
DEBUGP("skipping, expected port size is greater than range!\n");
return NF_ACCEPT;
}
exp = ip_conntrack_expect_alloc(ct);
if (!exp) {
ret = NF_DROP;
goto out;
}
/* new(,related) connection is;
* reply + dst (uint)port + src port (0:1023)
*/
/* Watch out, Radioactive-Man! */
exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
exp->tuple.src.u.tcp.port = 0;
exp->tuple.dst.u.tcp.port = htons(port);
exp->tuple.dst.protonum = IPPROTO_TCP;
exp->mask.src.ip = 0xffffffff;
exp->mask.dst.ip = 0xffffffff;
exp->mask.src.u.tcp.port = htons(rangemask);
exp->mask.dst.u.tcp.port = htons(0xffff);
exp->mask.dst.protonum = 0xff;
exp->expectfn = NULL;
exp->master = ct;
DEBUGP("expect related ip %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n",
NIPQUAD(exp->tuple.src.ip),
ntohs(exp->tuple.src.u.tcp.port),
NIPQUAD(exp->tuple.dst.ip),
ntohs(exp->tuple.dst.u.tcp.port));
DEBUGP("expect related mask %u.%u.%u.%u:%u-%u.%u.%u.%u:%u\n",
NIPQUAD(exp->mask.src.ip),
ntohs(exp->mask.src.u.tcp.port),
NIPQUAD(exp->mask.dst.ip),
ntohs(exp->mask.dst.u.tcp.port));
if (ip_nat_rsh_hook)
ret = ip_nat_rsh_hook(pskb, ctinfo, rb_ptr - data, exp);
else if (ip_conntrack_expect_related(exp) != 0) {
ret = NF_DROP;
}
ip_conntrack_expect_put(exp);
out:
spin_unlock_bh(&rsh_buffer_lock);
return ret;
}
static int help(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
struct ip_conntrack_expect *exp;
char *data, *data_limit, *tmp;
unsigned int dataoff, i;
u_int16_t port, len;
int ret = NF_ACCEPT;
/* Only look at packets from the Amanda server */
if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
return NF_ACCEPT;
/* increase the UDP timeout of the master connection as replies from
* Amanda clients to the server can be quite delayed */
ip_ct_refresh(ct, *pskb, master_timeout * HZ);
/* No data? */
dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
if (dataoff >= (*pskb)->len) {
if (net_ratelimit())
printk("amanda_help: skblen = %u\n", (*pskb)->len);
return NF_ACCEPT;
}
spin_lock_bh(&amanda_buffer_lock);
skb_copy_bits(*pskb, dataoff, amanda_buffer, (*pskb)->len - dataoff);
data = amanda_buffer;
data_limit = amanda_buffer + (*pskb)->len - dataoff;
*data_limit = '\0';
/* Search for the CONNECT string */
data = strstr(data, "CONNECT ");
if (!data)
goto out;
data += strlen("CONNECT ");
/* Only search first line. */
if ((tmp = strchr(data, '\n')))
*tmp = '\0';
for (i = 0; i < ARRAY_SIZE(conns); i++) {
char *match = strstr(data, conns[i]);
if (!match)
continue;
tmp = data = match + strlen(conns[i]);
port = simple_strtoul(data, &data, 10);
len = data - tmp;
if (port == 0 || len > 5)
break;
exp = ip_conntrack_expect_alloc(ct);
if (exp == NULL) {
ret = NF_DROP;
goto out;
}
exp->expectfn = NULL;
exp->flags = 0;
exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
exp->tuple.src.u.tcp.port = 0;
exp->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
exp->tuple.dst.protonum = IPPROTO_TCP;
exp->tuple.dst.u.tcp.port = htons(port);
exp->mask.src.ip = 0xFFFFFFFF;
exp->mask.src.u.tcp.port = 0;
exp->mask.dst.ip = 0xFFFFFFFF;
exp->mask.dst.protonum = 0xFF;
exp->mask.dst.u.tcp.port = 0xFFFF;
if (ip_nat_amanda_hook)
ret = ip_nat_amanda_hook(pskb, ctinfo,
tmp - amanda_buffer,
len, exp);
else if (ip_conntrack_expect_related(exp) != 0)
ret = NF_DROP;
ip_conntrack_expect_put(exp);
}
out:
spin_unlock_bh(&amanda_buffer_lock);
return ret;
}
static void pptp_nat_expected(struct ip_conntrack *ct,
struct ip_conntrack_expect *exp)
{
struct ip_conntrack *master = ct->master;
struct ip_conntrack_expect *other_exp;
struct ip_conntrack_tuple t;
struct ip_ct_pptp_master *ct_pptp_info;
struct ip_nat_pptp *nat_pptp_info;
struct ip_nat_range range;
ct_pptp_info = &master->help.ct_pptp_info;
nat_pptp_info = &master->nat.help.nat_pptp_info;
/* And here goes the grand finale of corrosion... */
if (exp->dir == IP_CT_DIR_ORIGINAL) {
DEBUGP("we are PNS->PAC\n");
/* therefore, build tuple for PAC->PNS */
t.src.ip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
t.src.u.gre.key = htons(master->help.ct_pptp_info.pac_call_id);
t.dst.ip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
t.dst.u.gre.key = htons(master->help.ct_pptp_info.pns_call_id);
t.dst.protonum = IPPROTO_GRE;
} else {
DEBUGP("we are PAC->PNS\n");
/* build tuple for PNS->PAC */
t.src.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
t.src.u.gre.key =
htons(master->nat.help.nat_pptp_info.pns_call_id);
t.dst.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
t.dst.u.gre.key =
htons(master->nat.help.nat_pptp_info.pac_call_id);
t.dst.protonum = IPPROTO_GRE;
}
DEBUGP("trying to unexpect other dir: ");
DUMP_TUPLE(&t);
other_exp = ip_conntrack_expect_find(&t);
if (other_exp) {
ip_conntrack_unexpect_related(other_exp);
ip_conntrack_expect_put(other_exp);
DEBUGP("success\n");
} else {
DEBUGP("not found!\n");
}
/* This must be a fresh one. */
BUG_ON(ct->status & IPS_NAT_DONE_MASK);
/* Change src to where master sends to */
range.flags = IP_NAT_RANGE_MAP_IPS;
range.min_ip = range.max_ip
= ct->master->tuplehash[!exp->dir].tuple.dst.ip;
if (exp->dir == IP_CT_DIR_ORIGINAL) {
range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
range.min = range.max = exp->saved_proto;
}
/* hook doesn't matter, but it has to do source manip */
ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
/* For DST manip, map port here to where it's expected. */
range.flags = IP_NAT_RANGE_MAP_IPS;
range.min_ip = range.max_ip
= ct->master->tuplehash[!exp->dir].tuple.src.ip;
if (exp->dir == IP_CT_DIR_REPLY) {
range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
range.min = range.max = exp->saved_proto;
}
/* hook doesn't matter, but it has to do destination manip */
ip_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
}
static int help(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
struct ts_state ts;
struct ip_conntrack_expect *exp;
unsigned int dataoff, start, stop, off, i;
char pbuf[sizeof("65535")], *tmp;
u_int16_t port, len;
int ret = NF_ACCEPT;
/* Only look at packets from the Amanda server */
if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
return NF_ACCEPT;
/* increase the UDP timeout of the master connection as replies from
* Amanda clients to the server can be quite delayed */
ip_ct_refresh(ct, *pskb, master_timeout * HZ);
/* No data? */
dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
if (dataoff >= (*pskb)->len) {
if (net_ratelimit())
printk("amanda_help: skblen = %u\n", (*pskb)->len);
return NF_ACCEPT;
}
memset(&ts, 0, sizeof(ts));
start = skb_find_text(*pskb, dataoff, (*pskb)->len,
search[SEARCH_CONNECT].ts, &ts);
if (start == UINT_MAX)
goto out;
start += dataoff + search[SEARCH_CONNECT].len;
memset(&ts, 0, sizeof(ts));
stop = skb_find_text(*pskb, start, (*pskb)->len,
search[SEARCH_NEWLINE].ts, &ts);
if (stop == UINT_MAX)
goto out;
stop += start;
for (i = SEARCH_DATA; i <= SEARCH_INDEX; i++) {
memset(&ts, 0, sizeof(ts));
off = skb_find_text(*pskb, start, stop, search[i].ts, &ts);
if (off == UINT_MAX)
continue;
off += start + search[i].len;
len = min_t(unsigned int, sizeof(pbuf) - 1, stop - off);
if (skb_copy_bits(*pskb, off, pbuf, len))
break;
pbuf[len] = '\0';
port = simple_strtoul(pbuf, &tmp, 10);
len = tmp - pbuf;
if (port == 0 || len > 5)
break;
exp = ip_conntrack_expect_alloc(ct);
if (exp == NULL) {
ret = NF_DROP;
goto out;
}
exp->expectfn = NULL;
exp->flags = 0;
exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
exp->tuple.src.u.tcp.port = 0;
exp->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
exp->tuple.dst.protonum = IPPROTO_TCP;
exp->tuple.dst.u.tcp.port = htons(port);
exp->mask.src.ip = htonl(0xFFFFFFFF);
exp->mask.src.u.tcp.port = 0;
exp->mask.dst.ip = htonl(0xFFFFFFFF);
exp->mask.dst.protonum = 0xFF;
exp->mask.dst.u.tcp.port = htons(0xFFFF);
if (ip_nat_amanda_hook)
ret = ip_nat_amanda_hook(pskb, ctinfo, off - dataoff,
len, exp);
else if (ip_conntrack_expect_related(exp) != 0)
ret = NF_DROP;
ip_conntrack_expect_put(exp);
}
out:
return ret;
}
