Subversion Repositories or1k

/*

 *

 *      Masquerading functionality

 *

 *      Copyright (c) 1994 Pauline Middelink

 *

 *      See ip_fw.c for original log

 *

 * Fixes:

 *      Juan Jose Ciarlante     :       Modularized application masquerading (see ip_masq_app.c)

 *      Juan Jose Ciarlante     :       New struct ip_masq_seq that holds output/input delta seq.

 *      Juan Jose Ciarlante     :       Added hashed lookup by proto,maddr,mport and proto,saddr,sport

 *      Juan Jose Ciarlante     :       Fixed deadlock if free ports get exhausted

 *      Juan Jose Ciarlante     :       Added NO_ADDR status flag.

 *      Richard Lynch           :       Added IP Autoforward

 *      Nigel Metheringham      :       Added ICMP handling for demasquerade

 *      Nigel Metheringham      :       Checksum checking of masqueraded data

 *      Nigel Metheringham      :       Better handling of timeouts of TCP conns

 *      Keith Owens             :       Keep control channels alive if any related data entries.

 *      Delian Delchev          :       Added support for ICMP requests and replys

 *      Nigel Metheringham      :       ICMP in ICMP handling, tidy ups, bug fixes, made ICMP optional

 *      Juan Jose Ciarlante     :       re-assign maddr if no packet received from outside

 *      John D. Hardin          :       Added PPTP and IPSEC protocols

 *

 */

#include <linux/config.h>

#include <linux/module.h>

#include <linux/types.h>

#include <linux/kernel.h>

#include <linux/errno.h>

#include <linux/skbuff.h>

#include <asm/system.h>

#include <linux/stat.h>

#include <linux/proc_fs.h>

#include <linux/in.h>

#include <linux/ip.h>

#include <linux/inet.h>

#include <net/protocol.h>

#include <net/icmp.h>

#include <net/tcp.h>

#include <net/udp.h>

#include <net/checksum.h>

#include <net/ip_masq.h>

#include <linux/ip_fw.h>

#define IP_MASQ_TAB_SIZE 256    /* must be power of 2 */

#ifdef CONFIG_IP_MASQUERADE_PPTP

/*

 * This is clumsier than it otherwise might be (i.e. the

 * PPTP control channel sniffer should be a module, and there

 * should be a separate table for GRE masq entries so that

 * we're not making all of the hacks to the TCP table code)

 # but I wanted to keep the code changes localized to one file

 # if possible.

 * This should all be modular, and the table routines need to

 * be somewhat more generic.

 *

 * Maybe for 2.0.38 - we'll see.

 *

 * John Hardin <jhardin@wolfenet.com> gets all blame...

 * See also http://www.wolfenet.com/~jhardin/ip_masq_vpn.html

 */

static const char *strGREProt = "GRE";

#ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT

/*

 * MULTICLIENT watches the control channel and preloads the

 * call ID into the masq table entry, so we want the

 * masq table entry to persist until a Call Disconnect

 * occurs, otherwise the call IDs will be lost and the link broken.

 */

#define MASQUERADE_EXPIRE_PPTP 15*60*HZ

/*

 * To support multiple clients communicating with the same server,

 * we have to sniff the control channel and trap the client's

 * call ID, then substitute a unique-to-the-firewall call ID.

 * Then on inbound GRE packets we use the bogus call ID to figure

 * out which client to route the traffic to, then replace the

 * bogus call ID with the client's real call ID, which we've saved.

 * For simplicity we'll use masq port as the bogus call ID.

 * The actual call ID will be stored in the masq table as

 * the source port, and the destination port will always be zero.

 *

 * NB: PPTP servers can tell whether the client is masqueraded by

 * looking for call IDs above 61000.

 */

#define PPTP_CONTROL_PORT 1723

#else /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */

/* non-MULTICLIENT ignores call IDs, so masq table

 * entries may expire quickly without causing problems.

 */

#define MASQUERADE_EXPIRE_PPTP 5*60*HZ

#endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */

/*

 * Define this here rather than in /usr/src/linux/include/wherever/whatever.h

 * in order to localize my mistakes to one file...

 *

 * This struct may be architecture-specific because of the bitmaps.

 */

struct pptp_gre_header {

        __u8

                recur:3,

                is_strict:1,

                has_seq:1,

                has_key:1,

                has_routing:1,

                has_cksum:1;

        __u8

                version:3,

                flags:5;

        __u16

                protocol,

                payload_len,

                call_id;        /* peer's call_id for this session */

};

#endif /* CONFIG_IP_MASQUERADE_PPTP */

#ifdef CONFIG_IP_MASQUERADE_IPSEC

/*

 * The above comments about PPTP apply here, too. This should all be a module.

 *

 * The "port numbers" for masq table purposes will be part of the

 * SPI, just to gain a little benefit from the hashing.

 */

static const char *strESPProt = "ESP";

static const char *strAHProt = "AH";

/*

 * ISAKMP uses 500/udp, and the traffic must come from

 * 500/udp (i.e. 500/udp <-> 500/udp), so we need to

 * check for ISAKMP UDP traffic and avoid changing the

 * source port number. In order to associate the data streams

 * we may need to sniff the ISAKMP cookies as well.

 */

#define UDP_PORT_ISAKMP 500     /* ISAKMP default UDP port */

#if CONFIG_IP_MASQUERADE_IPSEC_EXPIRE > 15

#define MASQUERADE_EXPIRE_IPSEC CONFIG_IP_MASQUERADE_IPSEC_EXPIRE*60*HZ

#else

#define MASQUERADE_EXPIRE_IPSEC 15*60*HZ

#endif

/*

 * We can't know the inbound SPI until it comes in (the ISAKMP exchange

 * is encryptd so we can't sniff it out of that), so we associate inbound

 * and outbound traffic by inspection. If somebody sends a new packet to a

 * remote server, then block all other new traffic to that server until we

 * get a response from that server with a SPI we haven't seen yet. It is

 * assumed that this is the correct response - we have no way to verify it,

 * as everything else is encrypted.

 *

 * If there is a collision, the block will last for up to two minutes (or

 * whatever MASQUERADE_EXPIRE_IPSEC_INIT is set to), and if the client

 * retries during that time the timer will be reset. This could easily lead

 * to a Denial of Service, so we limit the number of retries that will

 * reset the timer. This means the maximum time the server could be blocked

 * is ((IPSEC_INIT_RETRIES + 1) * MASQUERADE_EXPIRE_IPSEC_INIT).

 *

 * Note: blocking will not affect already-established traffic (i.e. where

 * the inbound SPI has been associated with an outbound SPI).

 */

#define MASQUERADE_EXPIRE_IPSEC_INIT 2*60*HZ

#define IPSEC_INIT_RETRIES 5

/*

 * ...connections that don't get an answer are squelched

 * (recognized but ignored) for a short time to prevent DoS.

 * SPI values 1-255 are reserved by the IANA and are currently (2/99)

 * not assigned. If that should change, this number must also be changed

 * to an unused NONZERO value:

 */

#define IPSEC_INIT_SQUELCHED 1

struct ip_masq * ip_masq_out_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 o_spi);

struct ip_masq * ip_masq_in_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 i_spi);

struct ip_masq * ip_masq_out_get_isakmp(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 cookie);

struct ip_masq * ip_masq_in_get_isakmp(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 cookie);

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

/*

 *      Implement IP packet masquerading

 */

static const char *strProt[] = {"UDP","TCP","ICMP"};

/*

 * masq_proto_num returns 0 for UDP, 1 for TCP, 2 for ICMP

 *

 * No, I am NOT going to add GRE/ESP/AH support to everything that relies on this...

 *

 */

static int masq_proto_num(unsigned proto)

{

   switch (proto)

   {

      case IPPROTO_UDP:  return (0); break;

#ifdef CONFIG_IP_MASQUERADE_PPTP

      case IPPROTO_GRE:

#endif /* CONFIG_IP_MASQUERADE_PPTP */

#ifdef CONFIG_IP_MASQUERADE_IPSEC

      case IPPROTO_ESP:

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

      case IPPROTO_TCP:  return (1); break;

      case IPPROTO_ICMP: return (2); break;

      default:           return (-1); break;

   }

}

#ifdef CONFIG_IP_MASQUERADE_ICMP

/*

 * Converts an ICMP reply code into the equivalent request code

 */

static __inline__ const __u8 icmp_type_request(__u8 type)

{

   switch (type)

   {

      case ICMP_ECHOREPLY: return ICMP_ECHO; break;

      case ICMP_TIMESTAMPREPLY: return ICMP_TIMESTAMP; break;

      case ICMP_INFO_REPLY: return ICMP_INFO_REQUEST; break;

      case ICMP_ADDRESSREPLY: return ICMP_ADDRESS; break;

      default: return (255); break;

   }

}

/*

 * Helper macros - attempt to make code clearer!

 */

/* ID used in ICMP lookups */

#define icmp_id(icmph)          ((icmph->un).echo.id)

/* (port) hash value using in ICMP lookups for requests */

#define icmp_hv_req(icmph)      ((__u16)(icmph->code+(__u16)(icmph->type<<8)))

/* (port) hash value using in ICMP lookups for replies */

#define icmp_hv_rep(icmph)      ((__u16)(icmph->code+(__u16)(icmp_type_request(icmph->type)<<8)))

#endif

static __inline__ const char *masq_proto_name(unsigned proto)

{

        /*

         * I don't want to track down everything that

         * relies on masq_proto_num() and make it GRE/ESP/AH-tolerant.

         */

#ifdef CONFIG_IP_MASQUERADE_PPTP

        if (proto == IPPROTO_GRE) {

          return strGREProt;

        }

#endif /* CONFIG_IP_MASQUERADE_PPTP */

#ifdef CONFIG_IP_MASQUERADE_IPSEC

        if (proto == IPPROTO_ESP) {

          return strESPProt;

        } else if (proto == IPPROTO_AH) {

          return strAHProt;

        }

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

        return strProt[masq_proto_num(proto)];

}

/*

 *      Last masq_port number in use.

 *      Will cycle in MASQ_PORT boundaries.

 */

static __u16 masq_port = PORT_MASQ_BEGIN;

/*

 *      free ports counters (UDP & TCP)

 *

 *      Their value is _less_ or _equal_ to actual free ports:

 *      same masq port, diff masq addr (firewall iface address) allocated

 *      entries are accounted but their actually don't eat a more than 1 port.

 *

 *      Greater values could lower MASQ_EXPIRATION setting as a way to

 *      manage 'masq_entries resource'.

 *

 */

int ip_masq_free_ports[3] = {

        PORT_MASQ_END - PORT_MASQ_BEGIN,        /* UDP */

        PORT_MASQ_END - PORT_MASQ_BEGIN,        /* TCP */

        PORT_MASQ_END - PORT_MASQ_BEGIN         /* ICMP */

};

static struct symbol_table ip_masq_syms = {

#include <linux/symtab_begin.h>

        X(ip_masq_new),

        X(ip_masq_set_expire),

        X(ip_masq_free_ports),

        X(ip_masq_expire),

        X(ip_masq_out_get_2),

#include <linux/symtab_end.h>

};

/*

 *      2 ip_masq hash tables: for input and output pkts lookups.

 */

struct ip_masq *ip_masq_m_tab[IP_MASQ_TAB_SIZE];

struct ip_masq *ip_masq_s_tab[IP_MASQ_TAB_SIZE];

#ifdef CONFIG_IP_MASQUERADE_IPSEC

        /*

         * Add a third hash table for input lookup by remote side

         */

struct ip_masq *ip_masq_d_tab[IP_MASQ_TAB_SIZE];

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

/*

 * timeouts

 */

static struct ip_fw_masq ip_masq_dummy = {

        MASQUERADE_EXPIRE_TCP,

        MASQUERADE_EXPIRE_TCP_FIN,

        MASQUERADE_EXPIRE_UDP

};

struct ip_fw_masq *ip_masq_expire = &ip_masq_dummy;

#ifdef CONFIG_IP_MASQUERADE_IPAUTOFW

/*

 *      Auto-forwarding table

 */

struct ip_autofw * ip_autofw_hosts = NULL;

/*

 *      Check if a masq entry should be created for a packet

 */

struct ip_autofw * ip_autofw_check_range (__u32 where, __u16 port, __u16 protocol, int reqact)

{

        struct ip_autofw *af;

        af=ip_autofw_hosts;

        port=ntohs(port);

        while (af)

        {

                if (af->type==IP_FWD_RANGE &&

                     port>=af->low &&

                     port<=af->high &&

                     protocol==af->protocol &&

                     /* it's ok to create masq entries after the timeout if we're in insecure mode */

                     (af->flags & IP_AUTOFW_ACTIVE || !reqact || !(af->flags & IP_AUTOFW_SECURE)) &&

                     (!(af->flags & IP_AUTOFW_SECURE) || af->lastcontact==where || !reqact))

                        return(af);

                af=af->next;

        }

        return(NULL);

}

struct ip_autofw * ip_autofw_check_port (__u16 port, __u16 protocol)

{

        struct ip_autofw *af;

        af=ip_autofw_hosts;

        port=ntohs(port);

        while (af)

        {

                if (af->type==IP_FWD_PORT && port==af->visible && protocol==af->protocol)

                        return(af);

                af=af->next;

        }

        return(NULL);

}

struct ip_autofw * ip_autofw_check_direct (__u16 port, __u16 protocol)

{

        struct ip_autofw *af;

        af=ip_autofw_hosts;

        port=ntohs(port);

        while (af)

        {

                if (af->type==IP_FWD_DIRECT && af->low<=port && af->high>=port)

                        return(af);

                af=af->next;

        }

        return(NULL);

}

void ip_autofw_update_out (__u32 who, __u32 where, __u16 port, __u16 protocol)

{

        struct ip_autofw *af;

        af=ip_autofw_hosts;

        port=ntohs(port);

        while (af)

        {

                if (af->type==IP_FWD_RANGE && af->ctlport==port && af->ctlproto==protocol)

                {

                        if (af->flags & IP_AUTOFW_USETIME)

                        {

                                if (af->timer.expires)

                                        del_timer(&af->timer);

                                af->timer.expires=jiffies+IP_AUTOFW_EXPIRE;

                                add_timer(&af->timer);

                        }

                        af->flags|=IP_AUTOFW_ACTIVE;

                        af->lastcontact=where;

                        af->where=who;

                }

                af=af->next;

        }

}

void ip_autofw_update_in (__u32 where, __u16 port, __u16 protocol)

{

/*      struct ip_autofw *af;

        af=ip_autofw_check_range(where, port,protocol);

        if (af)

        {

                del_timer(&af->timer);

                af->timer.expires=jiffies+IP_AUTOFW_EXPIRE;

                add_timer(&af->timer);

        }*/

}

#endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */

#ifdef CONFIG_IP_MASQUERADE_IPPORTFW

struct ip_portfw *ipportfw_lst[2];

struct ip_portfw *ip_portfw_lookup(__u16 protocol, __u16 lport, __u32 laddr, __u32 *daddr, __u16 *dport) {

       int prot = (protocol==IPPROTO_TCP);

       struct ip_portfw *n;

       unsigned long   flags;

       save_flags(flags); cli();

       for (n = ipportfw_lst[prot] ; n; n = n->next)

       {

               if (lport == n->lport && laddr == n->laddr) {

                       *daddr = n->raddr;

                       *dport = n->rport;

                       restore_flags(flags);

                       return n;

               }

       }

       restore_flags(flags);

       return NULL;

}

int ip_portfw_check(__u16 protocol, __u16 lport, __u32 laddr)

{

       __u16 rport;

       __u32 raddr;

       return (ip_portfw_lookup(protocol, lport, laddr, &raddr, &rport) != NULL);

}

#endif /* CONFIG_IP_MASQUERADE_IPPORTFW */

/*

 *      Returns hash value

 */

static __inline__ unsigned

ip_masq_hash_key(unsigned proto, __u32 addr, __u16 port)

{

        return (proto^ntohl(addr)^ntohs(port)) & (IP_MASQ_TAB_SIZE-1);

}

/*

 *      Hashes ip_masq by its proto,addrs,ports.

 *      should be called with masked interrupts.

 *      returns bool success.

 */

static __inline__ int

ip_masq_hash(struct ip_masq *ms)

{

        unsigned hash;

        if (ms->flags & IP_MASQ_F_HASHED) {

                printk("ip_masq_hash(): request for already hashed\n");

                return 0;

        }

        /*

         *      Hash by proto,m{addr,port}

         */

        hash = ip_masq_hash_key(ms->protocol, ms->maddr, ms->mport);

        ms->m_link = ip_masq_m_tab[hash];

        ip_masq_m_tab[hash] = ms;

        /*

         *      Hash by proto,s{addr,port}

         */

#ifdef CONFIG_IP_MASQUERADE_PPTP

        if (ms->protocol == IPPROTO_GRE) {

                /* Ignore the source port (Call ID) when hashing, as

                 * outbound packets will not be able to supply it...

                 */

                hash = ip_masq_hash_key(ms->protocol, ms->saddr, 0);

        } else

#endif /* CONFIG_IP_MASQUERADE_PPTP */

        hash = ip_masq_hash_key(ms->protocol, ms->saddr, ms->sport);

        ms->s_link = ip_masq_s_tab[hash];

        ip_masq_s_tab[hash] = ms;

#ifdef CONFIG_IP_MASQUERADE_IPSEC

        /*

          * Hash by proto,d{addr,port}

          */

        hash = ip_masq_hash_key(ms->protocol, ms->daddr, ms->dport);

        ms->d_link = ip_masq_d_tab[hash];

        ip_masq_d_tab[hash] = ms;

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

        ms->flags |= IP_MASQ_F_HASHED;

        return 1;

}

/*

 *      UNhashes ip_masq from ip_masq_[ms]_tables.

 *      should be called with masked interrupts.

 *      returns bool success.

 */

static __inline__ int ip_masq_unhash(struct ip_masq *ms)

{

        unsigned hash;

        struct ip_masq ** ms_p;

        if (!(ms->flags & IP_MASQ_F_HASHED)) {

                printk("ip_masq_unhash(): request for unhash flagged\n");

                return 0;

        }

        /*

         *      UNhash by m{addr,port}

         */

        hash = ip_masq_hash_key(ms->protocol, ms->maddr, ms->mport);

        for (ms_p = &ip_masq_m_tab[hash]; *ms_p ; ms_p = &(*ms_p)->m_link)

                if (ms == (*ms_p))  {

                        *ms_p = ms->m_link;

                        break;

                }

        /*

         *      UNhash by s{addr,port}

         */

#ifdef CONFIG_IP_MASQUERADE_PPTP

        if (ms->protocol == IPPROTO_GRE) {

                hash = ip_masq_hash_key(ms->protocol, ms->saddr, 0);

        } else

#endif /* CONFIG_IP_MASQUERADE_PPTP */

        hash = ip_masq_hash_key(ms->protocol, ms->saddr, ms->sport);

        for (ms_p = &ip_masq_s_tab[hash]; *ms_p ; ms_p = &(*ms_p)->s_link)

                if (ms == (*ms_p))  {

                        *ms_p = ms->s_link;

                        break;

                }

#ifdef CONFIG_IP_MASQUERADE_IPSEC

        /*

         * UNhash by d{addr,port}

         */

        hash = ip_masq_hash_key(ms->protocol, ms->daddr, ms->dport);

        for (ms_p = &ip_masq_d_tab[hash]; *ms_p ; ms_p = &(*ms_p)->d_link)

                if (ms == (*ms_p))  {

                        *ms_p = ms->d_link;

                        break;

                }

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

        ms->flags &= ~IP_MASQ_F_HASHED;

        return 1;

}

/*

 *      Returns ip_masq associated with addresses found in iph.

 *      called for pkts coming from outside-to-INside the firewall

 *

 *      NB. Cannot check destination address, just for the incoming port.

 *      reason: archie.doc.ac.uk has 6 interfaces, you send to

 *      phoenix and get a reply from any other interface(==dst)!

 *

 *      [Only for UDP] - AC

 */

struct ip_masq *

ip_masq_in_get(struct iphdr *iph)

{

        __u16 *portptr;

        int protocol;

        __u32 s_addr, d_addr;

        __u16 s_port, d_port;

#ifdef CONFIG_IP_MASQUERADE_IPSEC

        __u32 cookie;

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

        portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]);

        protocol = iph->protocol;

        s_addr = iph->saddr;

        s_port = portptr[0];

        d_addr = iph->daddr;

        d_port = portptr[1];

#ifdef CONFIG_IP_MASQUERADE_IPSEC

        if (protocol == IPPROTO_UDP && ntohs(s_port) == UDP_PORT_ISAKMP && ntohs(d_port) == UDP_PORT_ISAKMP) {

                cookie = *((__u32 *)&portptr[4]);

                return ip_masq_in_get_isakmp(protocol, s_addr, s_port, d_addr, d_port, cookie);

        } else

#endif /* CONFIG_IP_MASQUERADE_IPSEC */

        return ip_masq_in_get_2(protocol, s_addr, s_port, d_addr, d_port);

}

/*

 *      Returns ip_masq associated with supplied parameters, either

 *      broken out of the ip/tcp headers or directly supplied for those

 *      pathological protocols with address/port in the data stream

 *      (ftp, irc).  addresses and ports are in network order.

 *      called for pkts coming from outside-to-INside the firewall.

 *

 *      NB. Cannot check destination address, just for the incoming port.

 *      reason: archie.doc.ac.uk has 6 interfaces, you send to

 *      phoenix and get a reply from any other interface(==dst)!

 *

 *      [Only for UDP] - AC

 */

struct ip_masq *

ip_masq_in_get_2(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)

{

        unsigned hash;

        struct ip_masq *ms;

        hash = ip_masq_hash_key(protocol, d_addr, d_port);

        for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) {

                if (protocol==ms->protocol &&

                    ((s_addr==ms->daddr || ms->flags & IP_MASQ_F_NO_DADDR)

#ifdef CONFIG_IP_MASQUERADE_IPAUTOFW

                     || (ms->dport==htons(1558))

#endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */

                     ) &&

                    (s_port==ms->dport || ms->flags & IP_MASQ_F_NO_DPORT) &&

                    (d_addr==ms->maddr && d_port==ms->mport)) {

#ifdef DEBUG_IP_MASQUERADE_VERBOSE

                        printk("MASQ: look/in %d %08X:%04hX->%08X:%04hX OK\n",

                               protocol,

                               s_addr,

                               s_port,

                               d_addr,

                               d_port);

#endif

                        return ms;

                }

        }

#ifdef CONFIG_IP_MASQUERADE_PPTP

        if (protocol == IPPROTO_GRE) {

                for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) {

                        if (protocol==ms->protocol &&

#ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT

                            ms->mport == d_port && /* ignore source port */

#else /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */

                            ms->mport == 0 && ms->sport == 0 &&

#endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */

                            s_addr==ms->daddr && d_addr==ms->maddr) {

#ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE

                                printk(KERN_DEBUG "MASQ: look/in %d %08X:%04hX->%08X:%04hX OK\n",

                                       protocol,

                                       s_addr,

                                       s_port,

                                       d_addr,

                                       d_port);

#endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */

                                return ms;

                        }

                }

        }

#endif /* CONFIG_IP_MASQUERADE_PPTP */

#ifdef DEBUG_IP_MASQUERADE_VERBOSE

        printk("MASQ: look/in %d %08X:%04hX->%08X:%04hX fail\n",

               protocol,

               s_addr,

               s_port,

               d_addr,

               d_port);

#endif

        return NULL;

}

#ifdef CONFIG_IP_MASQUERADE_IPSEC

struct ip_masq *

ip_masq_in_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 i_spi)

{

        unsigned hash;

        struct ip_masq *ms;

        if (protocol != IPPROTO_ESP) {

                return ip_masq_in_get_2(protocol,s_addr,s_port,d_addr,d_port);

        }

        /* find an entry for a packet coming in from outside,

         * or find whether there's a setup pending

         */

        if (i_spi != 0) {

                /* there's a SPI - look for a completed entry */

                hash = ip_masq_hash_key(protocol, s_addr, s_port);

                for(ms = ip_masq_d_tab[hash]; ms ; ms = ms->d_link) {

                        if (protocol==ms->protocol &&

                            s_addr==ms->daddr &&

                            d_addr==ms->maddr &&

                            ms->ispi != 0 && i_spi==ms->ispi) {

#ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE

                                printk(KERN_DEBUG "MASQ: IPSEC look/in %08X->%08X:%08X OK\n",

                                       s_addr,

                                       d_addr,

                                       i_spi);

#endif

                                return ms;

                        }

                }

        }

        /* no joy. look for a pending connection - maybe somebody else's

         * if we're checking for a pending setup, the d_addr will be zero

         * to avoid having to know the masq IP.

         */