/*
* Delete existing entry
*/
static int ip_masq_user_del(struct ip_masq_user *ums)
{
struct ip_masq *ms=NULL;
if (masq_proto_num (ums->protocol) == -1) {
return EPROTONOSUPPORT;
}
start_bh_atomic();
if (ums->mport && ums->maddr) {
ms = ip_masq_in_get(ums->protocol,
ums->daddr, ums->dport,
ums->maddr, ums->mport);
end_bh_atomic();
} else if (ums->sport && ums->saddr) {
ms = ip_masq_out_get(ums->protocol,
ums->saddr, ums->sport,
ums->daddr, ums->dport);
end_bh_atomic();
} else
return EINVAL;
if (ms == NULL) {
return ESRCH;
}
/*
* got (locked) entry, setup almost tiny timeout :) and
* give away
*
* FIXME: should use something better than S_CLOSE
*/
ms->timeout = IP_MASQ_S_CLOSE;
masq_user_k2u(ms, ums);
ip_masq_put(ms);
return 0;
}
static struct ip_masq * ip_masq_user_locked_get (struct ip_masq_user *ums, int *err)
{
struct ip_masq *ms=NULL;
if (masq_proto_num (ums->protocol) == -1) {
*err = EPROTONOSUPPORT;
}
start_bh_atomic();
if (ums->mport && ums->maddr) {
ms = ip_masq_in_get(ums->protocol,
ums->daddr, ums->dport,
ums->maddr, ums->mport);
end_bh_atomic();
} else if (ums->sport && ums->saddr) {
ms = ip_masq_out_get(ums->protocol,
ums->saddr, ums->sport,
ums->daddr, ums->dport);
end_bh_atomic();
} else
*err = EINVAL;
if (ms == NULL) *err = ESRCH;
return ms;
}
int
masq_ftp_out (struct ip_masq_app *mapp, struct ip_masq *ms, struct sk_buff **skb_p, __u32 maddr)
{
struct sk_buff *skb;
struct iphdr *iph;
struct tcphdr *th;
char *p, *data, *data_limit;
unsigned char p1,p2,p3,p4,p5,p6;
__u32 from;
__u16 port;
struct ip_masq *n_ms;
char buf[24]; /* xxx.xxx.xxx.xxx,ppp,ppp\000 */
unsigned buf_len;
int diff;
skb = *skb_p;
iph = skb->nh.iph;
th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);
data = (char *)&th[1];
data_limit = skb->h.raw + skb->len - 18;
if (skb->len >= 6 && (memcmp(data, "PASV\r\n", 6) == 0 || memcmp(data, "pasv\r\n", 6) == 0))
ms->app_data = &masq_ftp_pasv;
while (data < data_limit)
{
if (memcmp(data,"PORT ",5) && memcmp(data,"port ",5))
{
data ++;
continue;
}
p = data+5;
p1 = simple_strtoul(data+5,&data,10);
if (*data!=',')
continue;
p2 = simple_strtoul(data+1,&data,10);
if (*data!=',')
continue;
p3 = simple_strtoul(data+1,&data,10);
if (*data!=',')
continue;
p4 = simple_strtoul(data+1,&data,10);
if (*data!=',')
continue;
p5 = simple_strtoul(data+1,&data,10);
if (*data!=',')
continue;
p6 = simple_strtoul(data+1,&data,10);
if (*data!='\r' && *data!='\n')
continue;
from = (p1<<24) | (p2<<16) | (p3<<8) | p4;
port = (p5<<8) | p6;
IP_MASQ_DEBUG(1-debug, "PORT %X:%X detected\n",from,port);
/*
* Now update or create an masquerade entry for it
*/
IP_MASQ_DEBUG(1-debug, "protocol %d %lX:%X %X:%X\n", iph->protocol, htonl(from), htons(port), iph->daddr, 0);
n_ms = ip_masq_out_get(iph->protocol,
htonl(from), htons(port),
iph->daddr, 0);
if (!n_ms) {
n_ms = ip_masq_new(IPPROTO_TCP,
maddr, 0,
htonl(from), htons(port),
iph->daddr, 0,
IP_MASQ_F_NO_DPORT);
if (n_ms==NULL)
return 0;
ip_masq_control_add(n_ms, ms);
}
/*
* Replace the old PORT with the new one
*/
from = ntohl(n_ms->maddr);
port = ntohs(n_ms->mport);
sprintf(buf,"%d,%d,%d,%d,%d,%d",
from>>24&255,from>>16&255,from>>8&255,from&255,
port>>8&255,port&255);
buf_len = strlen(buf);
IP_MASQ_DEBUG(1-debug, "new PORT %X:%X\n",from,port);
/*
* Calculate required delta-offset to keep TCP happy
*/
diff = buf_len - (data-p);
/*
* No shift.
*/
if (diff==0) {
/*
* simple case, just replace the old PORT cmd
*/
memcpy(p,buf,buf_len);
} else {
*skb_p = ip_masq_skb_replace(skb, GFP_ATOMIC, p, data-p, buf, buf_len);
}
/*
* Move tunnel to listen state
*/
ip_masq_listen(n_ms);
ip_masq_put(n_ms);
return diff;
}
return 0;
}
int ip_fw_masquerade(struct sk_buff **skb_ptr, struct device *dev)
{
struct sk_buff *skb=*skb_ptr;
struct iphdr *iph = skb->h.iph;
__u16 *portptr;
struct ip_masq *ms;
int size;
unsigned long timeout;
/*
* We can only masquerade protocols with ports...
* [TODO]
* We may need to consider masq-ing some ICMP related to masq-ed protocols
*/
if (iph->protocol==IPPROTO_ICMP)
return (ip_fw_masq_icmp(skb_ptr,dev));
if (iph->protocol!=IPPROTO_UDP && iph->protocol!=IPPROTO_TCP)
return -1;
/*
* Now hunt the list to see if we have an old entry
*/
portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]);
#ifdef DEBUG_CONFIG_IP_MASQUERADE
printk("Outgoing %s %lX:%X -> %lX:%X\n",
masq_proto_name(iph->protocol),
ntohl(iph->saddr), ntohs(portptr[0]),
ntohl(iph->daddr), ntohs(portptr[1]));
#endif
ms = ip_masq_out_get(iph);
if (ms!=NULL) {
ip_masq_set_expire(ms,0);
/*
* If sysctl !=0 and no pkt has been received yet
* in this tunnel and routing iface address has changed...
* "You are welcome, diald".
*/
if ( sysctl_ip_dynaddr && ms->flags & IP_MASQ_F_NO_REPLY && dev->pa_addr != ms->maddr) {
unsigned long flags;
if (sysctl_ip_dynaddr > 1) {
printk(KERN_INFO "ip_fw_masquerade(): change maddr from %s",
in_ntoa(ms->maddr));
printk(" to %s\n", in_ntoa(dev->pa_addr));
}
save_flags(flags);
cli();
ip_masq_unhash(ms);
ms->maddr = dev->pa_addr;
ip_masq_hash(ms);
restore_flags(flags);
}
/*
* Set sport if not defined yet (e.g. ftp PASV). Because
* masq entries are hashed on sport, unhash with old value
* and hash with new.
*/
if ( ms->flags & IP_MASQ_F_NO_SPORT && ms->protocol == IPPROTO_TCP ) {
unsigned long flags;
ms->flags &= ~IP_MASQ_F_NO_SPORT;
save_flags(flags);
cli();
ip_masq_unhash(ms);
ms->sport = portptr[0];
ip_masq_hash(ms); /* hash on new sport */
restore_flags(flags);
#ifdef DEBUG_CONFIG_IP_MASQUERADE
printk("ip_fw_masquerade(): filled sport=%d\n",
ntohs(ms->sport));
#endif
}
}
#ifdef CONFIG_IP_MASQUERADE_IPAUTOFW
/* update any ipautofw entries .. */
ip_autofw_update_out(iph->saddr, iph->daddr, portptr[1],
iph->protocol);
#endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */
/*
* Nope, not found, create a new entry for it
*/
if (ms==NULL)
{
#ifdef CONFIG_IP_MASQUERADE_IPAUTOFW
/* if the source port is supposed to match the masq port, then
make it so */
if (ip_autofw_check_direct(portptr[1],iph->protocol))
ms = ip_masq_new_enh(dev, iph->protocol,
iph->saddr, portptr[0],
iph->daddr, portptr[1],
0,
portptr[0]);
else
#endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */
ms = ip_masq_new_enh(dev, iph->protocol,
iph->saddr, portptr[0],
iph->daddr, portptr[1],
0,
0);
if (ms == NULL)
return -1;
}
/*
* Change the fragments origin
*/
size = skb->len - ((unsigned char *)portptr - skb->h.raw);
/*
* Set iph addr and port from ip_masq obj.
*/
iph->saddr = ms->maddr;
portptr[0] = ms->mport;
/*
* Attempt ip_masq_app call.
* will fix ip_masq and iph seq stuff
*/
if (ip_masq_app_pkt_out(ms, skb_ptr, dev) != 0)
{
/*
* skb has possibly changed, update pointers.
*/
skb = *skb_ptr;
iph = skb->h.iph;
portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]);
size = skb->len - ((unsigned char *)portptr-skb->h.raw);
}
/*
* Adjust packet accordingly to protocol
*/
if (masq_proto_num(iph->protocol)==0)
{
timeout = ip_masq_expire->udp_timeout;
recalc_check((struct udphdr *)portptr,iph->saddr,iph->daddr,size);
}
else
{
struct tcphdr *th;
th = (struct tcphdr *)portptr;
/* Set the flags up correctly... */
if (th->fin)
{
ms->flags |= IP_MASQ_F_SAW_FIN_OUT;
}
if (th->rst)
{
ms->flags |= IP_MASQ_F_SAW_RST;
}
/*
* Timeout depends if FIN packet has been seen
* Very short timeout if RST packet seen.
*/
if (ms->flags & IP_MASQ_F_SAW_RST)
{
timeout = 1;
}
else if ((ms->flags & IP_MASQ_F_SAW_FIN) == IP_MASQ_F_SAW_FIN)
{
timeout = ip_masq_expire->tcp_fin_timeout;
}
else timeout = ip_masq_expire->tcp_timeout;
skb->csum = csum_partial((void *)(th + 1), size - sizeof(*th), 0);
tcp_send_check(th,iph->saddr,iph->daddr,size,skb);
}
ip_masq_set_expire(ms, timeout);
ip_send_check(iph);
#ifdef DEBUG_CONFIG_IP_MASQUERADE
printk("O-routed from %lX:%X over %s\n",ntohl(ms->maddr),ntohs(ms->mport),dev->name);
#endif
return 0;
}
int
masq_ftp_in (struct ip_masq_app *mapp, struct ip_masq *ms, struct sk_buff **skb_p, __u32 maddr)
{
struct sk_buff *skb;
struct iphdr *iph;
struct tcphdr *th;
char *data, *data_limit;
unsigned char p1,p2,p3,p4,p5,p6;
__u32 to;
__u16 port;
struct ip_masq *n_ms;
if (ms->app_data != &masq_ftp_pasv)
return 0; /* quick exit if no outstanding PASV */
skb = *skb_p;
iph = skb->nh.iph;
th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);
data = (char *)&th[1];
data_limit = skb->h.raw + skb->len;
while (data < data_limit && *data != ' ')
++data;
while (data < data_limit && *data == ' ')
++data;
data += 22;
if (data >= data_limit || *data != '(')
return 0;
p1 = simple_strtoul(data+1, &data, 10);
if (data >= data_limit || *data != ',')
return 0;
p2 = simple_strtoul(data+1, &data, 10);
if (data >= data_limit || *data != ',')
return 0;
p3 = simple_strtoul(data+1, &data, 10);
if (data >= data_limit || *data != ',')
return 0;
p4 = simple_strtoul(data+1, &data, 10);
if (data >= data_limit || *data != ',')
return 0;
p5 = simple_strtoul(data+1, &data, 10);
if (data >= data_limit || *data != ',')
return 0;
p6 = simple_strtoul(data+1, &data, 10);
if (data >= data_limit || *data != ')')
return 0;
to = (p1<<24) | (p2<<16) | (p3<<8) | p4;
port = (p5<<8) | p6;
/*
* Now update or create an masquerade entry for it
*/
IP_MASQ_DEBUG(1-debug, "PASV response %lX:%X %X:%X detected\n", ntohl(ms->saddr), 0, to, port);
n_ms = ip_masq_out_get(iph->protocol,
ms->saddr, 0,
htonl(to), htons(port));
if (!n_ms) {
n_ms = ip_masq_new(IPPROTO_TCP,
maddr, 0,
ms->saddr, 0,
htonl(to), htons(port),
IP_MASQ_F_NO_SPORT);
if (n_ms==NULL)
return 0;
ip_masq_control_add(n_ms, ms);
}
#if 0 /* v0.12 state processing */
/*
* keep for a bit longer than tcp_fin, client may not issue open
* to server port before tcp_fin_timeout.
*/
n_ms->timeout = ip_masq_expire->tcp_fin_timeout*3;
#endif
ms->app_data = NULL;
ip_masq_put(n_ms);
return 0; /* no diff required for incoming packets, thank goodness */
}