static unsigned int nf_nat_ftp(struct sk_buff *skb, enum ip_conntrack_info ctinfo, enum nf_ct_ftp_type type, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp) { __be32 newip; u_int16_t port; int dir = CTINFO2DIR(ctinfo); struct nf_conn *ct = exp->master; char buffer[sizeof("|1|255.255.255.255|65535|")]; unsigned int buflen; pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen); /* */ newip = ct->tuplehash[!dir].tuple.dst.u3.ip; exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port; exp->dir = !dir; /* */ exp->expectfn = nf_nat_follow_master; /* */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { int ret; exp->tuple.dst.u.tcp.port = htons(port); ret = nf_ct_expect_related(exp); if (ret == 0) break; else if (ret != -EBUSY) { port = 0; break; } } if (port == 0) return NF_DROP; buflen = nf_nat_ftp_fmt_cmd(type, buffer, sizeof(buffer), newip, port); if (!buflen) goto out; pr_debug("calling nf_nat_mangle_tcp_packet\n"); if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, matchlen, buffer, buflen)) goto out; return NF_ACCEPT; out: nf_ct_unexpect_related(exp); return NF_DROP; }
static int sl_remove_port(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, unsigned int host_offset, unsigned int dataoff, unsigned int datalen, unsigned int end_of_host, unsigned char *user_data) { /* Is the http port 8135? Look for 'Host: foo.com:8135' end_of_host? -----^ */ if (strncmp(search[PORT].string, &user_data[end_of_host-search[PORT].len+search[NEWLINE].len], search[PORT].len)) { #ifdef SL_DEBUG printk(KERN_DEBUG "no port rewrite found in packet strncmp\n"); printk(KERN_DEBUG "end of host packet dump:\n%s\n", (unsigned char *)((unsigned int)user_data+end_of_host-search[PORT].len+search[NEWLINE].len)); #endif return 0; } #ifdef SL_DEBUG printk(KERN_DEBUG "remove_port found a port at offset %u\n", end_of_host-search[PORT].len+search[NEWLINE].len ); #endif /* remove the ':8135' port designation from the packet */ if (!nf_nat_mangle_tcp_packet( skb, ct, ctinfo, end_of_host-search[PORT].len+search[NEWLINE].len, search[PORT].len-(search[NEWLINE].len*2), // subtract \r\n NULL,0)) { printk(KERN_ERR "unable to remove port needle\n"); /* we've already found the port, so we return 1 regardless */ return 1; } #ifdef SL_DEBUG printk(KERN_DEBUG "port removed ok, new packet\n%s\n", (unsigned char *)user_data); #endif return 1; }
static int set_addr(struct sk_buff **pskb, unsigned char **data, int dataoff, unsigned int addroff, __be32 ip, __be16 port) { enum ip_conntrack_info ctinfo; struct nf_conn *ct = nf_ct_get(*pskb, &ctinfo); struct { __be32 ip; __be16 port; } __attribute__ ((__packed__)) buf; struct tcphdr _tcph, *th; buf.ip = ip; buf.port = port; addroff += dataoff; if (ip_hdr(*pskb)->protocol == IPPROTO_TCP) { if (!nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, addroff, sizeof(buf), (char *) &buf, sizeof(buf))) { if (net_ratelimit()) printk("nf_nat_h323: nf_nat_mangle_tcp_packet" " error\n"); return -1; } /* Relocate data pointer */ th = skb_header_pointer(*pskb, ip_hdrlen(*pskb), sizeof(_tcph), &_tcph); if (th == NULL) return -1; *data = (*pskb)->data + ip_hdrlen(*pskb) + th->doff * 4 + dataoff; } else { if (!nf_nat_mangle_udp_packet(pskb, ct, ctinfo, addroff, sizeof(buf), (char *) &buf, sizeof(buf))) { if (net_ratelimit()) printk("nf_nat_h323: nf_nat_mangle_udp_packet" " error\n"); return -1; } /* nf_nat_mangle_udp_packet uses skb_make_writable() to copy * or pull everything in a linear buffer, so we can safely * use the skb pointers now */ *data = ((*pskb)->data + ip_hdrlen(*pskb) + sizeof(struct udphdr)); } return 0; }
/* So, this packet has hit the connection tracking matching code. Mangle it, and change the expectation to match the new version. */ static unsigned int nf_nat_ftp(struct sk_buff *skb, enum ip_conntrack_info ctinfo, enum nf_ct_ftp_type type, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp) { __be32 newip; u_int16_t port; int dir = CTINFO2DIR(ctinfo); struct nf_conn *ct = exp->master; char buffer[sizeof("|1|255.255.255.255|65535|")]; unsigned int buflen; pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen); /* Connection will come from wherever this packet goes, hence !dir */ newip = ct->tuplehash[!dir].tuple.dst.u3.ip; exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port; exp->dir = !dir; /* When you see the packet, we need to NAT it the same as the * this one. */ exp->expectfn = nf_nat_follow_master; /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { exp->tuple.dst.u.tcp.port = htons(port); if (nf_ct_expect_related(exp) == 0) break; } if (port == 0) return NF_DROP; buflen = nf_nat_ftp_fmt_cmd(type, buffer, sizeof(buffer), newip, port); if (!buflen) goto out; pr_debug("calling nf_nat_mangle_tcp_packet\n"); if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, matchlen, buffer, buflen)) goto out; return NF_ACCEPT; out: nf_ct_unexpect_related(exp); return NF_DROP; }
static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp) { char buffer[sizeof("4294967296 65635")]; u_int32_t ip; u_int16_t port; unsigned int ret; /* Reply comes from server. */ exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port; exp->dir = IP_CT_DIR_REPLY; exp->expectfn = nf_nat_follow_master; /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { int ret; exp->tuple.dst.u.tcp.port = htons(port); ret = nf_ct_expect_related(exp); if (ret == 0) break; else if (ret != -EBUSY) { port = 0; break; } } if (port == 0) return NF_DROP; ip = ntohl(exp->master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip); sprintf(buffer, "%u %u", ip, port); pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n", buffer, &ip, port); ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo, matchoff, matchlen, buffer, strlen(buffer)); if (ret != NF_ACCEPT) nf_ct_unexpect_related(exp); return ret; }
/* |1|132.235.1.2|6275| */ static int mangle_eprt_packet(struct sk_buff *skb, __be32 newip, u_int16_t port, unsigned int matchoff, unsigned int matchlen, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { char buffer[sizeof("|1|255.255.255.255|65535|")]; sprintf(buffer, "|1|%u.%u.%u.%u|%u|", NIPQUAD(newip), port); pr_debug("calling nf_nat_mangle_tcp_packet\n"); return nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, matchlen, buffer, strlen(buffer)); }
/* |1|132.235.1.2|6275| */ static int mangle_epsv_packet(struct sk_buff *skb, __be32 newip, u_int16_t port, unsigned int matchoff, unsigned int matchlen, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { char buffer[sizeof("|||65535|")]; sprintf(buffer, "|||%u|", port); DEBUGP("calling nf_nat_mangle_tcp_packet\n"); return nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, matchlen, buffer, strlen(buffer)); }
static int mangle_rfc959_packet(struct sk_buff *skb, __be32 newip, u_int16_t port, unsigned int matchoff, unsigned int matchlen, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { char buffer[sizeof("nnn,nnn,nnn,nnn,nnn,nnn")]; sprintf(buffer, "%u,%u,%u,%u,%u,%u", NIPQUAD(newip), port>>8, port&0xFF); DEBUGP("calling nf_nat_mangle_tcp_packet\n"); return nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, matchlen, buffer, strlen(buffer)); }
/* * Look at outgoing ftp packets to catch the response to a PASV command * from the server (inside-to-outside). * When we see one, we build a connection entry with the client address, * client port 0 (unknown at the moment), the server address and the * server port. Mark the current connection entry as a control channel * of the new entry. All this work is just to make the data connection * can be scheduled to the right server later. * * The outgoing packet should be something like * "227 Entering Passive Mode (xxx,xxx,xxx,xxx,ppp,ppp)". * xxx,xxx,xxx,xxx is the server address, ppp,ppp is the server port number. */ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp, struct sk_buff *skb, int *diff) { struct iphdr *iph; struct tcphdr *th; char *data, *data_limit; char *start, *end; union nf_inet_addr from; __be16 port; struct ip_vs_conn *n_cp; char buf[24]; /* xxx.xxx.xxx.xxx,ppp,ppp\000 */ unsigned buf_len; int ret = 0; enum ip_conntrack_info ctinfo; struct nf_conn *ct; struct net *net; #ifdef CONFIG_IP_VS_IPV6 /* This application helper doesn't work with IPv6 yet, * so turn this into a no-op for IPv6 packets */ if (cp->af == AF_INET6) return 1; #endif *diff = 0; /* Only useful for established sessions */ if (cp->state != IP_VS_TCP_S_ESTABLISHED) return 1; /* Linear packets are much easier to deal with. */ if (!skb_make_writable(skb, skb->len)) return 0; if (cp->app_data == &ip_vs_ftp_pasv) { iph = ip_hdr(skb); th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]); data = (char *)th + (th->doff << 2); data_limit = skb_tail_pointer(skb); if (ip_vs_ftp_get_addrport(data, data_limit, SERVER_STRING, sizeof(SERVER_STRING)-1, '(', ')', &from.ip, &port, &start, &end) != 1) return 1; IP_VS_DBG(7, "PASV response (%pI4:%d) -> %pI4:%d detected\n", &from.ip, ntohs(port), &cp->caddr.ip, 0); /* * Now update or create an connection entry for it */ { struct ip_vs_conn_param p; ip_vs_conn_fill_param(ip_vs_conn_net(cp), AF_INET, iph->protocol, &from, port, &cp->caddr, 0, &p); n_cp = ip_vs_conn_out_get(&p); } if (!n_cp) { struct ip_vs_conn_param p; ip_vs_conn_fill_param(ip_vs_conn_net(cp), AF_INET, IPPROTO_TCP, &cp->caddr, 0, &cp->vaddr, port, &p); n_cp = ip_vs_conn_new(&p, &from, port, IP_VS_CONN_F_NO_CPORT | IP_VS_CONN_F_NFCT, cp->dest, skb->mark); if (!n_cp) return 0; /* add its controller */ ip_vs_control_add(n_cp, cp); } /* * Replace the old passive address with the new one */ from.ip = n_cp->vaddr.ip; port = n_cp->vport; snprintf(buf, sizeof(buf), "%u,%u,%u,%u,%u,%u", ((unsigned char *)&from.ip)[0], ((unsigned char *)&from.ip)[1], ((unsigned char *)&from.ip)[2], ((unsigned char *)&from.ip)[3], ntohs(port) >> 8, ntohs(port) & 0xFF); buf_len = strlen(buf); ct = nf_ct_get(skb, &ctinfo); if (ct && !nf_ct_is_untracked(ct) && nfct_nat(ct)) { /* If mangling fails this function will return 0 * which will cause the packet to be dropped. * Mangling can only fail under memory pressure, * hopefully it will succeed on the retransmitted * packet. */ ret = nf_nat_mangle_tcp_packet(skb, ct, ctinfo, start-data, end-start, buf, buf_len); if (ret) { ip_vs_nfct_expect_related(skb, ct, n_cp, IPPROTO_TCP, 0, 0); if (skb->ip_summed == CHECKSUM_COMPLETE) skb->ip_summed = CHECKSUM_UNNECESSARY; /* csum is updated */ ret = 1; } } /* * Not setting 'diff' is intentional, otherwise the sequence * would be adjusted twice. */ net = skb_net(skb); cp->app_data = NULL; ip_vs_tcp_conn_listen(net, n_cp); ip_vs_conn_put(n_cp); return ret; }
/* * Mangle the "Transport:" header: * - Replace all occurences of "client_port=<spec>" * - Handle destination parameter * * In: * ct, ctinfo = conntrack context * skb = packet * tranoff = Transport header offset from TCP data * tranlen = Transport header length (incl. CRLF) * rport_lo = replacement low port (host endian) * rport_hi = replacement high port (host endian) * * Returns packet size difference. * * Assumes that a complete transport header is present, ending with CR or LF */ static int rtsp_mangle_tran(enum ip_conntrack_info ctinfo, struct nf_conntrack_expect* exp, struct ip_ct_rtsp_expect* prtspexp, struct sk_buff* skb, uint tranoff, uint tranlen) { char* ptcp; uint tcplen; char* ptran; char rbuf1[16]; /* Replacement buffer (one port) */ uint rbuf1len; /* Replacement len (one port) */ char rbufa[16]; /* Replacement buffer (all ports) */ uint rbufalen; /* Replacement len (all ports) */ u_int32_t newip; u_int16_t loport, hiport; uint off = 0; uint diff; /* Number of bytes we removed */ struct nf_conn *ct = exp->master; struct nf_conntrack_tuple *t; char szextaddr[15+1]; uint extaddrlen; int is_stun; get_skb_tcpdata(skb, &ptcp, &tcplen); ptran = ptcp+tranoff; if (tranoff+tranlen > tcplen || tcplen-tranoff < tranlen || tranlen < 10 || !iseol(ptran[tranlen-1]) || nf_strncasecmp(ptran, "Transport:", 10) != 0) { pr_info("sanity check failed\n"); return 0; } off += 10; SKIP_WSPACE(ptcp+tranoff, tranlen, off); newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip; t = &exp->tuple; t->dst.u3.ip = newip; extaddrlen = extip ? sprintf(szextaddr, "%pI4", &extip) : sprintf(szextaddr, "%pI4", &newip); pr_debug("stunaddr=%s (%s)\n", szextaddr, (extip?"forced":"auto")); rbuf1len = rbufalen = 0; switch (prtspexp->pbtype) { case pb_single: for (loport = prtspexp->loport; loport != 0; loport++) /* XXX: improper wrap? */ { t->dst.u.udp.port = htons(loport); if (nf_ct_expect_related(exp) == 0) { pr_debug("using port %hu\n", loport); break; } } if (loport != 0) { rbuf1len = sprintf(rbuf1, "%hu", loport); rbufalen = sprintf(rbufa, "%hu", loport); } break; case pb_range: for (loport = prtspexp->loport; loport != 0; loport += 2) /* XXX: improper wrap? */ { t->dst.u.udp.port = htons(loport); if (nf_ct_expect_related(exp) == 0) { hiport = loport + 1; //~exp->mask.dst.u.udp.port; pr_debug("using ports %hu-%hu\n", loport, hiport); break; } } if (loport != 0) { rbuf1len = sprintf(rbuf1, "%hu", loport); rbufalen = sprintf(rbufa, "%hu-%hu", loport, loport+1); } break; case pb_discon: for (loport = prtspexp->loport; loport != 0; loport++) /* XXX: improper wrap? */ { t->dst.u.udp.port = htons(loport); if (nf_ct_expect_related(exp) == 0) { pr_debug("using port %hu (1 of 2)\n", loport); break; } } for (hiport = prtspexp->hiport; hiport != 0; hiport++) /* XXX: improper wrap? */ { t->dst.u.udp.port = htons(hiport); if (nf_ct_expect_related(exp) == 0) { pr_debug("using port %hu (2 of 2)\n", hiport); break; } } if (loport != 0 && hiport != 0) { rbuf1len = sprintf(rbuf1, "%hu", loport); if (hiport == loport+1) { rbufalen = sprintf(rbufa, "%hu-%hu", loport, hiport); } else { rbufalen = sprintf(rbufa, "%hu/%hu", loport, hiport); } } break; } if (rbuf1len == 0) { return 0; /* cannot get replacement port(s) */ } /* Transport: tran;field;field=val,tran;field;field=val,... */ while (off < tranlen) { uint saveoff; const char* pparamend; uint nextparamoff; pparamend = memchr(ptran+off, ',', tranlen-off); pparamend = (pparamend == NULL) ? ptran+tranlen : pparamend+1; nextparamoff = pparamend-ptcp; /* * We pass over each param twice. On the first pass, we look for a * destination= field. It is handled by the security policy. If it * is present, allowed, and equal to our external address, we assume * that STUN is being used and we leave the client_port= field alone. */ is_stun = 0; saveoff = off; while (off < nextparamoff) { const char* pfieldend; uint nextfieldoff; pfieldend = memchr(ptran+off, ';', nextparamoff-off); nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; if (dstact != DSTACT_NONE && strncmp(ptran+off, "destination=", 12) == 0) { if (strncmp(ptran+off+12, szextaddr, extaddrlen) == 0) { is_stun = 1; } if (dstact == DSTACT_STRIP || (dstact == DSTACT_AUTO && !is_stun)) { diff = nextfieldoff-off; if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, off, diff, NULL, 0)) { /* mangle failed, all we can do is bail */ nf_ct_unexpect_related(exp); return 0; } get_skb_tcpdata(skb, &ptcp, &tcplen); ptran = ptcp+tranoff; tranlen -= diff; nextparamoff -= diff; nextfieldoff -= diff; } } off = nextfieldoff; } if (is_stun) { continue; } off = saveoff; while (off < nextparamoff) { const char* pfieldend; uint nextfieldoff; pfieldend = memchr(ptran+off, ';', nextparamoff-off); nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; if (strncmp(ptran+off, "client_port=", 12) == 0) { u_int16_t port; uint numlen; uint origoff; uint origlen; char* rbuf = rbuf1; uint rbuflen = rbuf1len; off += 12; origoff = (ptran-ptcp)+off; origlen = 0; numlen = nf_strtou16(ptran+off, &port); off += numlen; origlen += numlen; if (port != prtspexp->loport) { pr_debug("multiple ports found, port %hu ignored\n", port); } else { if (ptran[off] == '-' || ptran[off] == '/') { off++; origlen++; numlen = nf_strtou16(ptran+off, &port); off += numlen; origlen += numlen; rbuf = rbufa; rbuflen = rbufalen; } /* * note we cannot just memcpy() if the sizes are the same. * the mangle function does skb resizing, checks for a * cloned skb, and updates the checksums. * * parameter 4 below is offset from start of tcp data. */ diff = origlen-rbuflen; if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, origoff, origlen, rbuf, rbuflen)) { /* mangle failed, all we can do is bail */ nf_ct_unexpect_related(exp); return 0; } get_skb_tcpdata(skb, &ptcp, &tcplen); ptran = ptcp+tranoff; tranlen -= diff; nextparamoff -= diff; nextfieldoff -= diff; } } off = nextfieldoff; } off = nextparamoff; } return 1; }
static unsigned int add_sl_header(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, unsigned int host_offset, unsigned int dataoff, unsigned int datalen, unsigned int end_of_host, unsigned char *user_data) { /* first make sure there is room */ if ( skb->len >= ( MAX_PACKET_LEN - SL_HEADER_LEN ) ) { #ifdef SL_DEBUG printk(KERN_DEBUG "\nskb too big, length: %d\n", (skb->len)); #endif return 0; } /* next make sure an X-SLR header is not already present in the http headers already */ if (!strncmp(xslr,(unsigned char *)((unsigned int)user_data+end_of_host+1), XSLR_LEN)) { #ifdef SL_DEBUG printk(KERN_DEBUG "\npkt x-slr already present\n"); #endif return 0; } #ifdef SL_DEBUG printk(KERN_DEBUG "\nno x-slr header present, adding\n"); #endif { unsigned int jhashed, slheader_len; char slheader[SL_HEADER_LEN]; char src_string[MACADDR_SIZE]; unsigned char *pSrc_string = src_string; struct ethhdr *bigmac = eth_hdr(skb); unsigned char *pHsource = bigmac->h_source; int i = 0; /* convert the six octet mac source address into a hex string via bitmask and bitshift on each octet */ while (i<6) { *(pSrc_string++) = int2Hex[(*pHsource)>>4]; *(pSrc_string++) = int2Hex[(*pHsource)&0x0f]; pHsource++; i++; } /* null terminate it just to be safe */ *pSrc_string = '\0'; #ifdef SL_DEBUG printk(KERN_DEBUG "\nsrc macaddr %s\n", src_string); #endif /********************************************/ /* create the http header */ /* jenkins hash obfuscation of source mac */ jhashed = jhash((void *)src_string, MACADDR_SIZE, JHASH_SALT); /* create the X-SLR Header */ slheader_len = sprintf(slheader, "X-SLR: %08x|%s\r\n", jhashed, sl_device); /* handle sprintf failure */ if (slheader_len != SL_HEADER_LEN) { printk(KERN_ERR "exp header %s len %d doesnt match calc len %d\n", (char *)slheader, SL_HEADER_LEN, slheader_len ); return 0; } #ifdef SL_DEBUG printk(KERN_DEBUG "xslr %s, len %d\n", slheader, slheader_len); #endif /* insert the slheader into the http headers Host: foo.com\r\nXSLR: ffffffff|ffffffffffff */ if (!nf_nat_mangle_tcp_packet( skb, ct, ctinfo, end_of_host + search[NEWLINE].len, 0, slheader, slheader_len)) { printk(KERN_ERR " failed to mangle packet\n"); return 0; } #ifdef SL_DEBUG printk(KERN_DEBUG "packet mangled ok:\n%s\n", (unsigned char *)((unsigned int)user_data)); #endif return 1; } }
/* * Mangle the "Transport:" header: * - Replace all occurences of "client_port=<spec>" * - Handle destination parameter * * In: * ct, ctinfo = conntrack context * skb = packet * tranoff = Transport header offset from TCP data * tranlen = Transport header length (incl. CRLF) * rport_lo = replacement low port (host endian) * rport_hi = replacement high port (host endian) * * Returns packet size difference. * * Assumes that a complete transport header is present, ending with CR or LF */ static int rtsp_mangle_tran(enum ip_conntrack_info ctinfo, #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) unsigned int protoff, #endif struct nf_conntrack_expect* rtp_exp, struct nf_conntrack_expect* rtcp_exp, struct ip_ct_rtsp_expect* prtspexp, struct sk_buff* skb, uint tranoff, uint tranlen) { char* ptcp; uint tcplen; char* ptran; char rbuf1[16]; /* Replacement buffer (one port) */ uint rbuf1len; /* Replacement len (one port) */ char rbufa[16]; /* Replacement buffer (all ports) */ uint rbufalen; /* Replacement len (all ports) */ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) union nf_inet_addr newip; #else u_int32_t newip; #endif u_int16_t loport, hiport; uint off = 0; uint diff; /* Number of bytes we removed */ struct nf_conn *ct = rtp_exp->master; /* struct nf_conn *ct = nf_ct_get(skb, &ctinfo); */ struct nf_conntrack_tuple *rtp_t; #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) char szextaddr[INET6_ADDRSTRLEN]; #else char szextaddr[INET_ADDRSTRLEN]; #endif uint extaddrlen; int is_stun; get_skb_tcpdata(skb, &ptcp, &tcplen); ptran = ptcp+tranoff; if (tranoff+tranlen > tcplen || tcplen-tranoff < tranlen || tranlen < 10 || !iseol(ptran[tranlen-1]) || nf_strncasecmp(ptran, "Transport:", 10) != 0) { pr_info("sanity check failed\n"); return 0; } off += 10; SKIP_WSPACE(ptcp+tranoff, tranlen, off); #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3; rtp_t = &rtp_exp->tuple; rtp_t->dst.u3 = newip; if (rtcp_exp) { rtcp_exp->tuple.dst.u3 = newip; } extaddrlen = rtsp_sprintf_addr(ct, szextaddr, &newip, true); // FIXME handle extip pr_debug("stunaddr=%s (auto)\n", szextaddr); #else newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip; rtp_t = &rtp_exp->tuple; rtp_t->dst.u3.ip = newip; if (rtcp_exp) { rtcp_exp->tuple.dst.u3.ip = newip; } extaddrlen = extip ? sprintf(szextaddr, "%pI4", &extip) : sprintf(szextaddr, "%pI4", &newip); pr_debug("stunaddr=%s (%s)\n", szextaddr, (extip?"forced":"auto")); #endif hiport = 0; rbuf1len = rbufalen = 0; switch (prtspexp->pbtype) { case pb_single: for (loport = prtspexp->loport; loport != 0; loport++) { /* XXX: improper wrap? */ rtp_t->dst.u.udp.port = htons(loport); if (nf_ct_expect_related(rtp_exp) == 0) { pr_debug("using port %hu\n", loport); break; } } if (loport != 0) { rbuf1len = sprintf(rbuf1, "%hu", loport); rbufalen = sprintf(rbufa, "%hu", loport); } break; case pb_range: for (loport = prtspexp->loport; loport != 0; loport += 2) { /* XXX: improper wrap? */ rtp_t->dst.u.udp.port = htons(loport); if (nf_ct_expect_related(rtp_exp) != 0) { continue; } hiport = loport + 1; rtcp_exp->tuple.dst.u.udp.port = htons(hiport); if (nf_ct_expect_related(rtcp_exp) != 0) { nf_ct_unexpect_related(rtp_exp); continue; } /* FIXME: invalid print in case of ipv6 */ pr_debug("nat expect_related %pI4:%u-%u-%pI4:%u-%u\n", &rtp_exp->tuple.src.u3.ip, ntohs(rtp_exp->tuple.src.u.udp.port), ntohs(rtcp_exp->tuple.src.u.udp.port), &rtp_exp->tuple.dst.u3.ip, ntohs(rtp_exp->tuple.dst.u.udp.port), ntohs(rtcp_exp->tuple.dst.u.udp.port)); break; } if (loport != 0) { rbuf1len = sprintf(rbuf1, "%hu", loport); rbufalen = sprintf(rbufa, "%hu-%hu", loport, hiport); } break; case pb_discon: for (loport = prtspexp->loport; loport != 0; loport++) { /* XXX: improper wrap? */ rtp_t->dst.u.udp.port = htons(loport); if (nf_ct_expect_related(rtp_exp) == 0) { pr_debug("using port %hu (1 of 2)\n", loport); break; } } for (hiport = prtspexp->hiport; hiport != 0; hiport++) { /* XXX: improper wrap? */ rtp_t->dst.u.udp.port = htons(hiport); if (nf_ct_expect_related(rtp_exp) == 0) { pr_debug("using port %hu (2 of 2)\n", hiport); break; } } if (loport != 0 && hiport != 0) { rbuf1len = sprintf(rbuf1, "%hu", loport); rbufalen = sprintf(rbufa, hiport == loport+1 ? "%hu-%hu":"%hu/%hu", loport, hiport); } break; } if (rbuf1len == 0) return 0; /* cannot get replacement port(s) */ /* Transport: tran;field;field=val,tran;field;field=val,... `off` is set to the start of Transport value from start of line */ while (off < tranlen) { uint saveoff; const char* pparamend; uint nextparamoff; pparamend = memchr(ptran+off, ',', tranlen-off); pparamend = (pparamend == NULL) ? ptran+tranlen : pparamend+1; nextparamoff = pparamend-ptran; /* * We pass over each param twice. On the first pass, we look for a * destination= field. It is handled by the security policy. If it * is present, allowed, and equal to our external address, we assume * that STUN is being used and we leave the client_port= field alone. */ is_stun = 0; saveoff = off; while (off < nextparamoff) { const char* pfieldend; uint nextfieldoff; pfieldend = memchr(ptran+off, ';', nextparamoff-off); nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; if (dstact != DSTACT_NONE && strncmp(ptran+off, "destination=", 12) == 0) { if (strncmp(ptran+off+12, szextaddr, extaddrlen) == 0) is_stun = 1; if (dstact == DSTACT_STRIP || (dstact == DSTACT_AUTO && !is_stun)) { uint dstoff = (ptran-ptcp)+off; uint dstlen = nextfieldoff-off; char* pdstrep = NULL; uint dstreplen = 0; diff = dstlen; if (dstact == DSTACT_AUTO && !is_stun) { pr_debug("RTSP: replace dst addr\n"); dstoff += 12; dstlen -= 13; pdstrep = szextaddr; dstreplen = extaddrlen; diff = nextfieldoff-off-13-extaddrlen; } #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, dstoff, dstlen, pdstrep, dstreplen)) { #else if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, dstoff, dstlen, pdstrep, dstreplen)) { #endif /* mangle failed, all we can do is bail */ nf_ct_unexpect_related(rtp_exp); if (rtcp_exp) nf_ct_unexpect_related(rtcp_exp); return 0; } get_skb_tcpdata(skb, &ptcp, &tcplen); ptran = ptcp+tranoff; tranlen -= diff; nextparamoff -= diff; nextfieldoff -= diff; } } off = nextfieldoff; } if (is_stun) continue; off = saveoff; while (off < nextparamoff) { const char* pfieldend; uint nextfieldoff; pfieldend = memchr(ptran+off, ';', nextparamoff-off); nextfieldoff = (pfieldend == NULL) ? nextparamoff : pfieldend-ptran+1; if (strncmp(ptran+off, "client_port=", 12) == 0) { u_int16_t port; uint numlen; uint origoff; uint origlen; char* rbuf = rbuf1; uint rbuflen = rbuf1len; off += 12; origoff = (ptran-ptcp)+off; origlen = 0; numlen = nf_strtou16(ptran+off, &port); off += numlen; origlen += numlen; if (port != prtspexp->loport) { pr_debug("multiple ports found, port %hu ignored\n", port); } else { if (ptran[off] == '-' || ptran[off] == '/') { off++; origlen++; numlen = nf_strtou16(ptran+off, &port); off += numlen; origlen += numlen; rbuf = rbufa; rbuflen = rbufalen; } /* * note we cannot just memcpy() if the sizes are the same. * the mangle function does skb resizing, checks for a * cloned skb, and updates the checksums. * * parameter 4 below is offset from start of tcp data. */ diff = origlen-rbuflen; #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, origoff, origlen, rbuf, rbuflen)) { #else if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, origoff, origlen, rbuf, rbuflen)) { #endif /* mangle failed, all we can do is bail */ nf_ct_unexpect_related(rtp_exp); if (rtcp_exp) nf_ct_unexpect_related(rtcp_exp); return 0; } get_skb_tcpdata(skb, &ptcp, &tcplen); ptran = ptcp+tranoff; tranlen -= diff; nextparamoff -= diff; nextfieldoff -= diff; } } off = nextfieldoff; } off = nextparamoff; } return 1; } static uint help_out(struct sk_buff *skb, enum ip_conntrack_info ctinfo, #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) unsigned int protoff, #endif unsigned int matchoff, unsigned int matchlen, struct ip_ct_rtsp_expect* prtspexp, struct nf_conntrack_expect* rtp_exp, struct nf_conntrack_expect* rtcp_exp) { char* ptcp; uint tcplen; uint hdrsoff; uint hdrslen; uint lineoff; uint linelen; uint off; int dir = CTINFO2DIR(ctinfo); #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) union nf_inet_addr saddr = rtp_exp->master->tuplehash[dir].tuple.src.u3; #else __be32 saddr = rtp_exp->master->tuplehash[dir].tuple.src.u3.ip; #endif //struct iphdr* iph = (struct iphdr*)(*pskb)->nh.iph; //struct tcphdr* tcph = (struct tcphdr*)((void*)iph + iph->ihl*4); get_skb_tcpdata(skb, &ptcp, &tcplen); hdrsoff = matchoff;//exp->seq - ntohl(tcph->seq); hdrslen = matchlen; off = hdrsoff; pr_debug("NAT rtsp help_out\n"); while (nf_mime_nextline(ptcp, hdrsoff+hdrslen, &off, &lineoff, &linelen)) { if (linelen == 0) break; if (off > hdrsoff+hdrslen) { pr_info("!! overrun !!"); break; } pr_debug("hdr: len=%u, %.*s", linelen, (int)linelen, ptcp+lineoff); if (nf_strncasecmp(ptcp+lineoff, "Transport:", 10) == 0) { uint oldtcplen = tcplen; pr_debug("hdr: Transport\n"); #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) if (!rtsp_mangle_tran(ctinfo, protoff, rtp_exp, rtcp_exp, prtspexp, skb, lineoff, linelen)) { #else if (!rtsp_mangle_tran(ctinfo, rtp_exp, rtcp_exp, prtspexp, skb, lineoff, linelen)) { #endif pr_debug("hdr: Transport mangle failed"); break; } rtp_exp->expectfn = nf_nat_rtsp_expected; #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) rtp_exp->saved_addr = saddr; #else rtp_exp->saved_ip = saddr; #endif rtp_exp->saved_proto.udp.port = htons(prtspexp->loport); rtp_exp->dir = !dir; if (rtcp_exp) { rtcp_exp->expectfn = nf_nat_rtsp_expected; #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) rtcp_exp->saved_addr = saddr; #else rtcp_exp->saved_ip = saddr; #endif rtcp_exp->saved_proto.udp.port = htons(prtspexp->hiport); rtcp_exp->dir = !dir; } get_skb_tcpdata(skb, &ptcp, &tcplen); hdrslen -= (oldtcplen-tcplen); off -= (oldtcplen-tcplen); lineoff -= (oldtcplen-tcplen); linelen -= (oldtcplen-tcplen); pr_debug("rep: len=%u, %.*s", linelen, (int)linelen, ptcp+lineoff); } } return NF_ACCEPT; } static unsigned int nf_nat_rtsp(struct sk_buff *skb, enum ip_conntrack_info ctinfo, #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) unsigned int protoff, #endif unsigned int matchoff, unsigned int matchlen, struct ip_ct_rtsp_expect* prtspexp, struct nf_conntrack_expect* rtp_exp, struct nf_conntrack_expect* rtcp_exp) { int dir = CTINFO2DIR(ctinfo); int rc = NF_ACCEPT; switch (dir) { case IP_CT_DIR_ORIGINAL: #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) rc = help_out(skb, ctinfo, protoff, matchoff, matchlen, prtspexp, rtp_exp, rtcp_exp); #else rc = help_out(skb, ctinfo, matchoff, matchlen, prtspexp, rtp_exp, rtcp_exp); #endif break; case IP_CT_DIR_REPLY: pr_debug("unmangle ! %u\n", ctinfo); /* XXX: unmangle */ rc = NF_ACCEPT; break; } //UNLOCK_BH(&ip_rtsp_lock); return rc; } static void nf_nat_rtsp_expected(struct nf_conn* ct, struct nf_conntrack_expect *exp) { #if LINUX_VERSION_CODE < KERNEL_VERSION(3,3,0) || LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) struct nf_nat_range range; #else struct nf_nat_ipv4_range range; #endif /* This must be a fresh one. */ BUG_ON(ct->status & IPS_NAT_DONE_MASK); /* For DST manip, map port here to where it's expected. */ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) range.min_proto = range.max_proto = exp->saved_proto; range.min_addr = range.max_addr = exp->saved_addr; #else range.min = range.max = exp->saved_proto; range.min_ip = range.max_ip = exp->saved_ip; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0) range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED); nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST); #else range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED); nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); #endif /* Change src to where master sends to, but only if the connection * actually came from the same source. */ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0) if (nf_inet_addr_cmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3, &ct->master->tuplehash[exp->dir].tuple.src.u3)) { range.min_addr = range.max_addr = ct->master->tuplehash[!exp->dir].tuple.dst.u3; #else if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == ct->master->tuplehash[exp->dir].tuple.src.u3.ip) { range.min_ip = range.max_ip = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0) range.flags = NF_NAT_RANGE_MAP_IPS; nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC); #else range.flags = IP_NAT_RANGE_MAP_IPS; nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); #endif } } static void __exit fini(void) { rcu_assign_pointer(nf_nat_rtsp_hook, NULL); synchronize_net(); } static int __init init(void) { printk("nf_nat_rtsp v" IP_NF_RTSP_VERSION " loading\n"); BUG_ON(nf_nat_rtsp_hook); rcu_assign_pointer(nf_nat_rtsp_hook, nf_nat_rtsp); if (stunaddr != NULL) extip = in_aton(stunaddr); if (destaction != NULL) { if (strcmp(destaction, "auto") == 0) dstact = DSTACT_AUTO; if (strcmp(destaction, "strip") == 0) dstact = DSTACT_STRIP; if (strcmp(destaction, "none") == 0) dstact = DSTACT_NONE; } return 0; }
/* So, this packet has hit the connection tracking matching code. Mangle it, and change the expectation to match the new version. */ static unsigned int nf_nat_ftp(struct sk_buff *skb, enum ip_conntrack_info ctinfo, enum nf_ct_ftp_type type, unsigned int protoff, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp) { union nf_inet_addr newaddr; u_int16_t port; int dir = CTINFO2DIR(ctinfo); struct nf_conn *ct = exp->master; char buffer[sizeof("|1||65535|") + INET6_ADDRSTRLEN]; unsigned int buflen; pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen); /* Connection will come from wherever this packet goes, hence !dir */ newaddr = ct->tuplehash[!dir].tuple.dst.u3; exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port; exp->dir = !dir; /* When you see the packet, we need to NAT it the same as the * this one. */ exp->expectfn = nf_nat_follow_master; /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { int ret; exp->tuple.dst.u.tcp.port = htons(port); ret = nf_ct_expect_related(exp); if (ret == 0) break; else if (ret != -EBUSY) { port = 0; break; } } if (port == 0) { nf_ct_helper_log(skb, ct, "all ports in use"); return NF_DROP; } buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer), &newaddr, port); if (!buflen) goto out; pr_debug("calling nf_nat_mangle_tcp_packet\n"); if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff, matchlen, buffer, buflen)) goto out; return NF_ACCEPT; out: nf_ct_helper_log(skb, ct, "cannot mangle packet"); nf_ct_unexpect_related(exp); return NF_DROP; }
static int pptp_outbound_pkt(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq) { struct nf_ct_pptp_master *ct_pptp_info; struct nf_nat_pptp *nat_pptp_info; u_int16_t msg; __be16 new_callid; unsigned int cid_off; ct_pptp_info = &nfct_help(ct)->help.ct_pptp_info; nat_pptp_info = &nfct_nat(ct)->help.nat_pptp_info; new_callid = ct_pptp_info->pns_call_id; switch (msg = ntohs(ctlh->messageType)) { case PPTP_OUT_CALL_REQUEST: cid_off = offsetof(union pptp_ctrl_union, ocreq.callID); nat_pptp_info->pns_call_id = ct_pptp_info->pns_call_id; new_callid = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.tcp.port; ct_pptp_info->pns_call_id = new_callid; break; case PPTP_IN_CALL_REPLY: cid_off = offsetof(union pptp_ctrl_union, icack.callID); break; case PPTP_CALL_CLEAR_REQUEST: cid_off = offsetof(union pptp_ctrl_union, clrreq.callID); break; default: pr_debug("unknown outbound packet 0x%04x:%s\n", msg, msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0]); case PPTP_SET_LINK_INFO: case PPTP_START_SESSION_REQUEST: case PPTP_START_SESSION_REPLY: case PPTP_STOP_SESSION_REQUEST: case PPTP_STOP_SESSION_REPLY: case PPTP_ECHO_REQUEST: case PPTP_ECHO_REPLY: return NF_ACCEPT; } pr_debug("altering call id from 0x%04x to 0x%04x\n", ntohs(REQ_CID(pptpReq, cid_off)), ntohs(new_callid)); if (nf_nat_mangle_tcp_packet(skb, ct, ctinfo, cid_off + sizeof(struct pptp_pkt_hdr) + sizeof(struct PptpControlHeader), sizeof(new_callid), (char *)&new_callid, sizeof(new_callid)) == 0) return NF_DROP; return NF_ACCEPT; }
/* outbound packets == from PNS to PAC */ static int pptp_outbound_pkt(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq) { struct nf_ct_pptp_master *ct_pptp_info; struct nf_nat_pptp *nat_pptp_info; u_int16_t msg; __be16 new_callid; unsigned int cid_off; ct_pptp_info = &nfct_help(ct)->help.ct_pptp_info; nat_pptp_info = &nfct_nat(ct)->help.nat_pptp_info; new_callid = ct_pptp_info->pns_call_id; switch (msg = ntohs(ctlh->messageType)) { case PPTP_OUT_CALL_REQUEST: cid_off = offsetof(union pptp_ctrl_union, ocreq.callID); /* FIXME: ideally we would want to reserve a call ID * here. current netfilter NAT core is not able to do * this :( For now we use TCP source port. This breaks * multiple calls within one control session */ /* save original call ID in nat_info */ nat_pptp_info->pns_call_id = ct_pptp_info->pns_call_id; /* don't use tcph->source since we are at a DSTmanip * hook (e.g. PREROUTING) and pkt is not mangled yet */ new_callid = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.tcp.port; /* save new call ID in ct info */ ct_pptp_info->pns_call_id = new_callid; break; case PPTP_IN_CALL_REPLY: cid_off = offsetof(union pptp_ctrl_union, icack.callID); break; case PPTP_CALL_CLEAR_REQUEST: cid_off = offsetof(union pptp_ctrl_union, clrreq.callID); break; default: pr_debug("unknown outbound packet 0x%04x:%s\n", msg, msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0]); /* fall through */ case PPTP_SET_LINK_INFO: /* only need to NAT in case PAC is behind NAT box */ case PPTP_START_SESSION_REQUEST: case PPTP_START_SESSION_REPLY: case PPTP_STOP_SESSION_REQUEST: case PPTP_STOP_SESSION_REPLY: case PPTP_ECHO_REQUEST: case PPTP_ECHO_REPLY: /* no need to alter packet */ return NF_ACCEPT; } /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass * down to here */ pr_debug("altering call id from 0x%04x to 0x%04x\n", ntohs(REQ_CID(pptpReq, cid_off)), ntohs(new_callid)); /* mangle packet */ if (nf_nat_mangle_tcp_packet(skb, ct, ctinfo, cid_off + sizeof(struct pptp_pkt_hdr) + sizeof(struct PptpControlHeader), sizeof(new_callid), (char *)&new_callid, sizeof(new_callid)) == 0) return NF_DROP; return NF_ACCEPT; }
/* inbound packets == from PAC to PNS */ static int pptp_inbound_pkt(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq) { const struct nf_nat_pptp *nat_pptp_info; u_int16_t msg; __be16 new_pcid; unsigned int pcid_off; nat_pptp_info = &nfct_nat(ct)->help.nat_pptp_info; new_pcid = nat_pptp_info->pns_call_id; switch (msg = ntohs(ctlh->messageType)) { case PPTP_OUT_CALL_REPLY: pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID); break; case PPTP_IN_CALL_CONNECT: pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID); break; case PPTP_IN_CALL_REQUEST: /* only need to nat in case PAC is behind NAT box */ return NF_ACCEPT; case PPTP_WAN_ERROR_NOTIFY: pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID); break; case PPTP_CALL_DISCONNECT_NOTIFY: pcid_off = offsetof(union pptp_ctrl_union, disc.callID); break; case PPTP_SET_LINK_INFO: pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID); break; default: pr_debug("unknown inbound packet %s\n", msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0]); /* fall through */ case PPTP_START_SESSION_REQUEST: case PPTP_START_SESSION_REPLY: case PPTP_STOP_SESSION_REQUEST: case PPTP_STOP_SESSION_REPLY: case PPTP_ECHO_REQUEST: case PPTP_ECHO_REPLY: /* no need to alter packet */ return NF_ACCEPT; } /* only OUT_CALL_REPLY, IN_CALL_CONNECT, IN_CALL_REQUEST, * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */ /* mangle packet */ pr_debug("altering peer call id from 0x%04x to 0x%04x\n", ntohs(REQ_CID(pptpReq, pcid_off)), ntohs(new_pcid)); if (nf_nat_mangle_tcp_packet(skb, ct, ctinfo, pcid_off + sizeof(struct pptp_pkt_hdr) + sizeof(struct PptpControlHeader), sizeof(new_pcid), (char *)&new_pcid, sizeof(new_pcid)) == 0) return NF_DROP; return NF_ACCEPT; }
static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, unsigned int protoff, unsigned int matchoff, unsigned int matchlen, struct nf_conntrack_expect *exp) { char buffer[sizeof("4294967296 65635")]; struct nf_conn *ct = exp->master; union nf_inet_addr newaddr; u_int16_t port; /* Reply comes from server. */ newaddr = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3; exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port; exp->dir = IP_CT_DIR_REPLY; exp->expectfn = nf_nat_follow_master; /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { int ret; exp->tuple.dst.u.tcp.port = htons(port); ret = nf_ct_expect_related(exp); if (ret == 0) break; else if (ret != -EBUSY) { port = 0; break; } } if (port == 0) { nf_ct_helper_log(skb, ct, "all ports in use"); return NF_DROP; } /* strlen("\1DCC CHAT chat AAAAAAAA P\1\n")=27 * strlen("\1DCC SCHAT chat AAAAAAAA P\1\n")=28 * strlen("\1DCC SEND F AAAAAAAA P S\1\n")=26 * strlen("\1DCC MOVE F AAAAAAAA P S\1\n")=26 * strlen("\1DCC TSEND F AAAAAAAA P S\1\n")=27 * * AAAAAAAAA: bound addr (1.0.0.0==16777216, min 8 digits, * 255.255.255.255==4294967296, 10 digits) * P: bound port (min 1 d, max 5d (65635)) * F: filename (min 1 d ) * S: size (min 1 d ) * 0x01, \n: terminators */ /* AAA = "us", ie. where server normally talks to. */ snprintf(buffer, sizeof(buffer), "%u %u", ntohl(newaddr.ip), port); pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n", buffer, &newaddr.ip, port); if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff, matchlen, buffer, strlen(buffer))) { nf_ct_helper_log(skb, ct, "cannot mangle packet"); nf_ct_unexpect_related(exp); return NF_DROP; } return NF_ACCEPT; }