URL
https://opencores.org/ocsvn/or1k/or1k/trunk
Subversion Repositories or1k
[/] [or1k/] [trunk/] [rc203soc/] [sw/] [uClinux/] [net/] [ipv4/] [ip_masq.c] - Rev 1771
Go to most recent revision | Compare with Previous | Blame | View Log
/* * * Masquerading functionality * * Copyright (c) 1994 Pauline Middelink * * See ip_fw.c for original log * * Fixes: * Juan Jose Ciarlante : Modularized application masquerading (see ip_masq_app.c) * Juan Jose Ciarlante : New struct ip_masq_seq that holds output/input delta seq. * Juan Jose Ciarlante : Added hashed lookup by proto,maddr,mport and proto,saddr,sport * Juan Jose Ciarlante : Fixed deadlock if free ports get exhausted * Juan Jose Ciarlante : Added NO_ADDR status flag. * Richard Lynch : Added IP Autoforward * Nigel Metheringham : Added ICMP handling for demasquerade * Nigel Metheringham : Checksum checking of masqueraded data * Nigel Metheringham : Better handling of timeouts of TCP conns * Keith Owens : Keep control channels alive if any related data entries. * Delian Delchev : Added support for ICMP requests and replys * Nigel Metheringham : ICMP in ICMP handling, tidy ups, bug fixes, made ICMP optional * Juan Jose Ciarlante : re-assign maddr if no packet received from outside * John D. Hardin : Added PPTP and IPSEC protocols * */ #include <linux/config.h> #include <linux/module.h> #include <linux/types.h> #include <linux/kernel.h> #include <linux/errno.h> #include <linux/skbuff.h> #include <asm/system.h> #include <linux/stat.h> #include <linux/proc_fs.h> #include <linux/in.h> #include <linux/ip.h> #include <linux/inet.h> #include <net/protocol.h> #include <net/icmp.h> #include <net/tcp.h> #include <net/udp.h> #include <net/checksum.h> #include <net/ip_masq.h> #include <linux/ip_fw.h> #define IP_MASQ_TAB_SIZE 256 /* must be power of 2 */ #ifdef CONFIG_IP_MASQUERADE_PPTP /* * This is clumsier than it otherwise might be (i.e. the * PPTP control channel sniffer should be a module, and there * should be a separate table for GRE masq entries so that * we're not making all of the hacks to the TCP table code) # but I wanted to keep the code changes localized to one file # if possible. * This should all be modular, and the table routines need to * be somewhat more generic. * * Maybe for 2.0.38 - we'll see. * * John Hardin <jhardin@wolfenet.com> gets all blame... * See also http://www.wolfenet.com/~jhardin/ip_masq_vpn.html */ static const char *strGREProt = "GRE"; #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT /* * MULTICLIENT watches the control channel and preloads the * call ID into the masq table entry, so we want the * masq table entry to persist until a Call Disconnect * occurs, otherwise the call IDs will be lost and the link broken. */ #define MASQUERADE_EXPIRE_PPTP 15*60*HZ /* * To support multiple clients communicating with the same server, * we have to sniff the control channel and trap the client's * call ID, then substitute a unique-to-the-firewall call ID. * Then on inbound GRE packets we use the bogus call ID to figure * out which client to route the traffic to, then replace the * bogus call ID with the client's real call ID, which we've saved. * For simplicity we'll use masq port as the bogus call ID. * The actual call ID will be stored in the masq table as * the source port, and the destination port will always be zero. * * NB: PPTP servers can tell whether the client is masqueraded by * looking for call IDs above 61000. */ #define PPTP_CONTROL_PORT 1723 #else /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ /* non-MULTICLIENT ignores call IDs, so masq table * entries may expire quickly without causing problems. */ #define MASQUERADE_EXPIRE_PPTP 5*60*HZ #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ /* * Define this here rather than in /usr/src/linux/include/wherever/whatever.h * in order to localize my mistakes to one file... * * This struct may be architecture-specific because of the bitmaps. */ struct pptp_gre_header { __u8 recur:3, is_strict:1, has_seq:1, has_key:1, has_routing:1, has_cksum:1; __u8 version:3, flags:5; __u16 protocol, payload_len, call_id; /* peer's call_id for this session */ }; #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC /* * The above comments about PPTP apply here, too. This should all be a module. * * The "port numbers" for masq table purposes will be part of the * SPI, just to gain a little benefit from the hashing. */ static const char *strESPProt = "ESP"; static const char *strAHProt = "AH"; /* * ISAKMP uses 500/udp, and the traffic must come from * 500/udp (i.e. 500/udp <-> 500/udp), so we need to * check for ISAKMP UDP traffic and avoid changing the * source port number. In order to associate the data streams * we may need to sniff the ISAKMP cookies as well. */ #define UDP_PORT_ISAKMP 500 /* ISAKMP default UDP port */ #if CONFIG_IP_MASQUERADE_IPSEC_EXPIRE > 15 #define MASQUERADE_EXPIRE_IPSEC CONFIG_IP_MASQUERADE_IPSEC_EXPIRE*60*HZ #else #define MASQUERADE_EXPIRE_IPSEC 15*60*HZ #endif /* * We can't know the inbound SPI until it comes in (the ISAKMP exchange * is encryptd so we can't sniff it out of that), so we associate inbound * and outbound traffic by inspection. If somebody sends a new packet to a * remote server, then block all other new traffic to that server until we * get a response from that server with a SPI we haven't seen yet. It is * assumed that this is the correct response - we have no way to verify it, * as everything else is encrypted. * * If there is a collision, the block will last for up to two minutes (or * whatever MASQUERADE_EXPIRE_IPSEC_INIT is set to), and if the client * retries during that time the timer will be reset. This could easily lead * to a Denial of Service, so we limit the number of retries that will * reset the timer. This means the maximum time the server could be blocked * is ((IPSEC_INIT_RETRIES + 1) * MASQUERADE_EXPIRE_IPSEC_INIT). * * Note: blocking will not affect already-established traffic (i.e. where * the inbound SPI has been associated with an outbound SPI). */ #define MASQUERADE_EXPIRE_IPSEC_INIT 2*60*HZ #define IPSEC_INIT_RETRIES 5 /* * ...connections that don't get an answer are squelched * (recognized but ignored) for a short time to prevent DoS. * SPI values 1-255 are reserved by the IANA and are currently (2/99) * not assigned. If that should change, this number must also be changed * to an unused NONZERO value: */ #define IPSEC_INIT_SQUELCHED 1 struct ip_masq * ip_masq_out_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 o_spi); struct ip_masq * ip_masq_in_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 i_spi); struct ip_masq * ip_masq_out_get_isakmp(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 cookie); struct ip_masq * ip_masq_in_get_isakmp(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 cookie); #endif /* CONFIG_IP_MASQUERADE_IPSEC */ /* * Implement IP packet masquerading */ static const char *strProt[] = {"UDP","TCP","ICMP"}; /* * masq_proto_num returns 0 for UDP, 1 for TCP, 2 for ICMP * * No, I am NOT going to add GRE/ESP/AH support to everything that relies on this... * */ static int masq_proto_num(unsigned proto) { switch (proto) { case IPPROTO_UDP: return (0); break; #ifdef CONFIG_IP_MASQUERADE_PPTP case IPPROTO_GRE: #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC case IPPROTO_ESP: #endif /* CONFIG_IP_MASQUERADE_IPSEC */ case IPPROTO_TCP: return (1); break; case IPPROTO_ICMP: return (2); break; default: return (-1); break; } } #ifdef CONFIG_IP_MASQUERADE_ICMP /* * Converts an ICMP reply code into the equivalent request code */ static __inline__ const __u8 icmp_type_request(__u8 type) { switch (type) { case ICMP_ECHOREPLY: return ICMP_ECHO; break; case ICMP_TIMESTAMPREPLY: return ICMP_TIMESTAMP; break; case ICMP_INFO_REPLY: return ICMP_INFO_REQUEST; break; case ICMP_ADDRESSREPLY: return ICMP_ADDRESS; break; default: return (255); break; } } /* * Helper macros - attempt to make code clearer! */ /* ID used in ICMP lookups */ #define icmp_id(icmph) ((icmph->un).echo.id) /* (port) hash value using in ICMP lookups for requests */ #define icmp_hv_req(icmph) ((__u16)(icmph->code+(__u16)(icmph->type<<8))) /* (port) hash value using in ICMP lookups for replies */ #define icmp_hv_rep(icmph) ((__u16)(icmph->code+(__u16)(icmp_type_request(icmph->type)<<8))) #endif static __inline__ const char *masq_proto_name(unsigned proto) { /* * I don't want to track down everything that * relies on masq_proto_num() and make it GRE/ESP/AH-tolerant. */ #ifdef CONFIG_IP_MASQUERADE_PPTP if (proto == IPPROTO_GRE) { return strGREProt; } #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC if (proto == IPPROTO_ESP) { return strESPProt; } else if (proto == IPPROTO_AH) { return strAHProt; } #endif /* CONFIG_IP_MASQUERADE_IPSEC */ return strProt[masq_proto_num(proto)]; } /* * Last masq_port number in use. * Will cycle in MASQ_PORT boundaries. */ static __u16 masq_port = PORT_MASQ_BEGIN; /* * free ports counters (UDP & TCP) * * Their value is _less_ or _equal_ to actual free ports: * same masq port, diff masq addr (firewall iface address) allocated * entries are accounted but their actually don't eat a more than 1 port. * * Greater values could lower MASQ_EXPIRATION setting as a way to * manage 'masq_entries resource'. * */ int ip_masq_free_ports[3] = { PORT_MASQ_END - PORT_MASQ_BEGIN, /* UDP */ PORT_MASQ_END - PORT_MASQ_BEGIN, /* TCP */ PORT_MASQ_END - PORT_MASQ_BEGIN /* ICMP */ }; static struct symbol_table ip_masq_syms = { #include <linux/symtab_begin.h> X(ip_masq_new), X(ip_masq_set_expire), X(ip_masq_free_ports), X(ip_masq_expire), X(ip_masq_out_get_2), #include <linux/symtab_end.h> }; /* * 2 ip_masq hash tables: for input and output pkts lookups. */ struct ip_masq *ip_masq_m_tab[IP_MASQ_TAB_SIZE]; struct ip_masq *ip_masq_s_tab[IP_MASQ_TAB_SIZE]; #ifdef CONFIG_IP_MASQUERADE_IPSEC /* * Add a third hash table for input lookup by remote side */ struct ip_masq *ip_masq_d_tab[IP_MASQ_TAB_SIZE]; #endif /* CONFIG_IP_MASQUERADE_IPSEC */ /* * timeouts */ static struct ip_fw_masq ip_masq_dummy = { MASQUERADE_EXPIRE_TCP, MASQUERADE_EXPIRE_TCP_FIN, MASQUERADE_EXPIRE_UDP }; struct ip_fw_masq *ip_masq_expire = &ip_masq_dummy; #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW /* * Auto-forwarding table */ struct ip_autofw * ip_autofw_hosts = NULL; /* * Check if a masq entry should be created for a packet */ struct ip_autofw * ip_autofw_check_range (__u32 where, __u16 port, __u16 protocol, int reqact) { struct ip_autofw *af; af=ip_autofw_hosts; port=ntohs(port); while (af) { if (af->type==IP_FWD_RANGE && port>=af->low && port<=af->high && protocol==af->protocol && /* it's ok to create masq entries after the timeout if we're in insecure mode */ (af->flags & IP_AUTOFW_ACTIVE || !reqact || !(af->flags & IP_AUTOFW_SECURE)) && (!(af->flags & IP_AUTOFW_SECURE) || af->lastcontact==where || !reqact)) return(af); af=af->next; } return(NULL); } struct ip_autofw * ip_autofw_check_port (__u16 port, __u16 protocol) { struct ip_autofw *af; af=ip_autofw_hosts; port=ntohs(port); while (af) { if (af->type==IP_FWD_PORT && port==af->visible && protocol==af->protocol) return(af); af=af->next; } return(NULL); } struct ip_autofw * ip_autofw_check_direct (__u16 port, __u16 protocol) { struct ip_autofw *af; af=ip_autofw_hosts; port=ntohs(port); while (af) { if (af->type==IP_FWD_DIRECT && af->low<=port && af->high>=port) return(af); af=af->next; } return(NULL); } void ip_autofw_update_out (__u32 who, __u32 where, __u16 port, __u16 protocol) { struct ip_autofw *af; af=ip_autofw_hosts; port=ntohs(port); while (af) { if (af->type==IP_FWD_RANGE && af->ctlport==port && af->ctlproto==protocol) { if (af->flags & IP_AUTOFW_USETIME) { if (af->timer.expires) del_timer(&af->timer); af->timer.expires=jiffies+IP_AUTOFW_EXPIRE; add_timer(&af->timer); } af->flags|=IP_AUTOFW_ACTIVE; af->lastcontact=where; af->where=who; } af=af->next; } } void ip_autofw_update_in (__u32 where, __u16 port, __u16 protocol) { /* struct ip_autofw *af; af=ip_autofw_check_range(where, port,protocol); if (af) { del_timer(&af->timer); af->timer.expires=jiffies+IP_AUTOFW_EXPIRE; add_timer(&af->timer); }*/ } #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ #ifdef CONFIG_IP_MASQUERADE_IPPORTFW struct ip_portfw *ipportfw_lst[2]; struct ip_portfw *ip_portfw_lookup(__u16 protocol, __u16 lport, __u32 laddr, __u32 *daddr, __u16 *dport) { int prot = (protocol==IPPROTO_TCP); struct ip_portfw *n; unsigned long flags; save_flags(flags); cli(); for (n = ipportfw_lst[prot] ; n; n = n->next) { if (lport == n->lport && laddr == n->laddr) { *daddr = n->raddr; *dport = n->rport; restore_flags(flags); return n; } } restore_flags(flags); return NULL; } int ip_portfw_check(__u16 protocol, __u16 lport, __u32 laddr) { __u16 rport; __u32 raddr; return (ip_portfw_lookup(protocol, lport, laddr, &raddr, &rport) != NULL); } #endif /* CONFIG_IP_MASQUERADE_IPPORTFW */ /* * Returns hash value */ static __inline__ unsigned ip_masq_hash_key(unsigned proto, __u32 addr, __u16 port) { return (proto^ntohl(addr)^ntohs(port)) & (IP_MASQ_TAB_SIZE-1); } /* * Hashes ip_masq by its proto,addrs,ports. * should be called with masked interrupts. * returns bool success. */ static __inline__ int ip_masq_hash(struct ip_masq *ms) { unsigned hash; if (ms->flags & IP_MASQ_F_HASHED) { printk("ip_masq_hash(): request for already hashed\n"); return 0; } /* * Hash by proto,m{addr,port} */ hash = ip_masq_hash_key(ms->protocol, ms->maddr, ms->mport); ms->m_link = ip_masq_m_tab[hash]; ip_masq_m_tab[hash] = ms; /* * Hash by proto,s{addr,port} */ #ifdef CONFIG_IP_MASQUERADE_PPTP if (ms->protocol == IPPROTO_GRE) { /* Ignore the source port (Call ID) when hashing, as * outbound packets will not be able to supply it... */ hash = ip_masq_hash_key(ms->protocol, ms->saddr, 0); } else #endif /* CONFIG_IP_MASQUERADE_PPTP */ hash = ip_masq_hash_key(ms->protocol, ms->saddr, ms->sport); ms->s_link = ip_masq_s_tab[hash]; ip_masq_s_tab[hash] = ms; #ifdef CONFIG_IP_MASQUERADE_IPSEC /* * Hash by proto,d{addr,port} */ hash = ip_masq_hash_key(ms->protocol, ms->daddr, ms->dport); ms->d_link = ip_masq_d_tab[hash]; ip_masq_d_tab[hash] = ms; #endif /* CONFIG_IP_MASQUERADE_IPSEC */ ms->flags |= IP_MASQ_F_HASHED; return 1; } /* * UNhashes ip_masq from ip_masq_[ms]_tables. * should be called with masked interrupts. * returns bool success. */ static __inline__ int ip_masq_unhash(struct ip_masq *ms) { unsigned hash; struct ip_masq ** ms_p; if (!(ms->flags & IP_MASQ_F_HASHED)) { printk("ip_masq_unhash(): request for unhash flagged\n"); return 0; } /* * UNhash by m{addr,port} */ hash = ip_masq_hash_key(ms->protocol, ms->maddr, ms->mport); for (ms_p = &ip_masq_m_tab[hash]; *ms_p ; ms_p = &(*ms_p)->m_link) if (ms == (*ms_p)) { *ms_p = ms->m_link; break; } /* * UNhash by s{addr,port} */ #ifdef CONFIG_IP_MASQUERADE_PPTP if (ms->protocol == IPPROTO_GRE) { hash = ip_masq_hash_key(ms->protocol, ms->saddr, 0); } else #endif /* CONFIG_IP_MASQUERADE_PPTP */ hash = ip_masq_hash_key(ms->protocol, ms->saddr, ms->sport); for (ms_p = &ip_masq_s_tab[hash]; *ms_p ; ms_p = &(*ms_p)->s_link) if (ms == (*ms_p)) { *ms_p = ms->s_link; break; } #ifdef CONFIG_IP_MASQUERADE_IPSEC /* * UNhash by d{addr,port} */ hash = ip_masq_hash_key(ms->protocol, ms->daddr, ms->dport); for (ms_p = &ip_masq_d_tab[hash]; *ms_p ; ms_p = &(*ms_p)->d_link) if (ms == (*ms_p)) { *ms_p = ms->d_link; break; } #endif /* CONFIG_IP_MASQUERADE_IPSEC */ ms->flags &= ~IP_MASQ_F_HASHED; return 1; } /* * Returns ip_masq associated with addresses found in iph. * called for pkts coming from outside-to-INside the firewall * * NB. Cannot check destination address, just for the incoming port. * reason: archie.doc.ac.uk has 6 interfaces, you send to * phoenix and get a reply from any other interface(==dst)! * * [Only for UDP] - AC */ struct ip_masq * ip_masq_in_get(struct iphdr *iph) { __u16 *portptr; int protocol; __u32 s_addr, d_addr; __u16 s_port, d_port; #ifdef CONFIG_IP_MASQUERADE_IPSEC __u32 cookie; #endif /* CONFIG_IP_MASQUERADE_IPSEC */ portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]); protocol = iph->protocol; s_addr = iph->saddr; s_port = portptr[0]; d_addr = iph->daddr; d_port = portptr[1]; #ifdef CONFIG_IP_MASQUERADE_IPSEC if (protocol == IPPROTO_UDP && ntohs(s_port) == UDP_PORT_ISAKMP && ntohs(d_port) == UDP_PORT_ISAKMP) { cookie = *((__u32 *)&portptr[4]); return ip_masq_in_get_isakmp(protocol, s_addr, s_port, d_addr, d_port, cookie); } else #endif /* CONFIG_IP_MASQUERADE_IPSEC */ return ip_masq_in_get_2(protocol, s_addr, s_port, d_addr, d_port); } /* * Returns ip_masq associated with supplied parameters, either * broken out of the ip/tcp headers or directly supplied for those * pathological protocols with address/port in the data stream * (ftp, irc). addresses and ports are in network order. * called for pkts coming from outside-to-INside the firewall. * * NB. Cannot check destination address, just for the incoming port. * reason: archie.doc.ac.uk has 6 interfaces, you send to * phoenix and get a reply from any other interface(==dst)! * * [Only for UDP] - AC */ struct ip_masq * ip_masq_in_get_2(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port) { unsigned hash; struct ip_masq *ms; hash = ip_masq_hash_key(protocol, d_addr, d_port); for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) { if (protocol==ms->protocol && ((s_addr==ms->daddr || ms->flags & IP_MASQ_F_NO_DADDR) #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW || (ms->dport==htons(1558)) #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ ) && (s_port==ms->dport || ms->flags & IP_MASQ_F_NO_DPORT) && (d_addr==ms->maddr && d_port==ms->mport)) { #ifdef DEBUG_IP_MASQUERADE_VERBOSE printk("MASQ: look/in %d %08X:%04hX->%08X:%04hX OK\n", protocol, s_addr, s_port, d_addr, d_port); #endif return ms; } } #ifdef CONFIG_IP_MASQUERADE_PPTP if (protocol == IPPROTO_GRE) { for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) { if (protocol==ms->protocol && #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT ms->mport == d_port && /* ignore source port */ #else /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ ms->mport == 0 && ms->sport == 0 && #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ s_addr==ms->daddr && d_addr==ms->maddr) { #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE printk(KERN_DEBUG "MASQ: look/in %d %08X:%04hX->%08X:%04hX OK\n", protocol, s_addr, s_port, d_addr, d_port); #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ return ms; } } } #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef DEBUG_IP_MASQUERADE_VERBOSE printk("MASQ: look/in %d %08X:%04hX->%08X:%04hX fail\n", protocol, s_addr, s_port, d_addr, d_port); #endif return NULL; } #ifdef CONFIG_IP_MASQUERADE_IPSEC struct ip_masq * ip_masq_in_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 i_spi) { unsigned hash; struct ip_masq *ms; if (protocol != IPPROTO_ESP) { return ip_masq_in_get_2(protocol,s_addr,s_port,d_addr,d_port); } /* find an entry for a packet coming in from outside, * or find whether there's a setup pending */ if (i_spi != 0) { /* there's a SPI - look for a completed entry */ hash = ip_masq_hash_key(protocol, s_addr, s_port); for(ms = ip_masq_d_tab[hash]; ms ; ms = ms->d_link) { if (protocol==ms->protocol && s_addr==ms->daddr && d_addr==ms->maddr && ms->ispi != 0 && i_spi==ms->ispi) { #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: IPSEC look/in %08X->%08X:%08X OK\n", s_addr, d_addr, i_spi); #endif return ms; } } } /* no joy. look for a pending connection - maybe somebody else's * if we're checking for a pending setup, the d_addr will be zero * to avoid having to know the masq IP. */ hash = ip_masq_hash_key(protocol, s_addr, 0); for(ms = ip_masq_d_tab[hash]; ms ; ms = ms->d_link) { if (protocol==ms->protocol && s_addr==ms->daddr && (d_addr==0 || d_addr==ms->maddr) && ms->ispi==0) { #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: IPSEC look/in %08X->%08X:0 OK\n", s_addr, d_addr ); #endif return ms; } } #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: IPSEC look/in %08X->%08X:%08X fail\n", s_addr, d_addr, i_spi); #endif return NULL; } struct ip_masq * ip_masq_in_get_isakmp(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 cookie) { unsigned hash; struct ip_masq *ms; #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_DEBUG "ip_masq_in_get_isakmp(): "); printk("%s -> ", in_ntoa(s_addr)); printk("%s cookie %lX\n", in_ntoa(d_addr), ntohl(cookie)); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ if (cookie == 0) { printk(KERN_INFO "ip_masq_in_get_isakmp(): "); printk("zero cookie from %s\n", in_ntoa(s_addr)); } hash = ip_masq_hash_key(protocol, d_addr, d_port); for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) { if (protocol==ms->protocol && cookie==ms->ospi && ((s_addr==ms->daddr || ms->flags & IP_MASQ_F_NO_DADDR) ) && (s_port==ms->dport || ms->flags & IP_MASQ_F_NO_DPORT) && (d_addr==ms->maddr && d_port==ms->mport)) { #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: look/in %d %08X:%04hX->%08X:%04hX %08X OK\n", protocol, s_addr, s_port, d_addr, d_port, cookie); #endif return ms; } } #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: look/in %d %08X:%04hX->%08X:%04hX %08X fail\n", protocol, s_addr, s_port, d_addr, d_port, cookie); #endif return NULL; } #endif /* CONFIG_IP_MASQUERADE_IPSEC */ /* * Returns ip_masq associated with addresses found in iph. * called for pkts coming from inside-to-OUTside the firewall. */ struct ip_masq * ip_masq_out_get(struct iphdr *iph) { __u16 *portptr; int protocol; __u32 s_addr, d_addr; __u16 s_port, d_port; #ifdef CONFIG_IP_MASQUERADE_IPSEC __u32 cookie; #endif /* CONFIG_IP_MASQUERADE_IPSEC */ portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]); protocol = iph->protocol; s_addr = iph->saddr; s_port = portptr[0]; d_addr = iph->daddr; d_port = portptr[1]; #ifdef CONFIG_IP_MASQUERADE_IPSEC if (protocol == IPPROTO_UDP && ntohs(s_port) == UDP_PORT_ISAKMP && ntohs(d_port) == UDP_PORT_ISAKMP) { cookie = *((__u32 *)&portptr[4]); return ip_masq_out_get_isakmp(protocol, s_addr, s_port, d_addr, d_port, cookie); } else #endif /* CONFIG_IP_MASQUERADE_IPSEC */ return ip_masq_out_get_2(protocol, s_addr, s_port, d_addr, d_port); } /* * Returns ip_masq associated with supplied parameters, either * broken out of the ip/tcp headers or directly supplied for those * pathological protocols with address/port in the data stream * (ftp, irc). addresses and ports are in network order. * called for pkts coming from inside-to-OUTside the firewall. * * Normally we know the source address and port but for some protocols * (e.g. ftp PASV) we do not know the source port initially. Alas the * hash is keyed on source port so if the first lookup fails then try again * with a zero port, this time only looking at entries marked "no source * port". */ struct ip_masq * ip_masq_out_get_2(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port) { unsigned hash; struct ip_masq *ms; #ifdef CONFIG_IP_MASQUERADE_PPTP #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT if (protocol == IPPROTO_GRE) { /* * Call ID is saved in source port number, * but we have no way of knowing it on the outbound packet... * we only know the *other side's* Call ID */ hash = ip_masq_hash_key(protocol, s_addr, 0); for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) { if (protocol == ms->protocol && s_addr == ms->saddr && (s_port == 0 || s_port == ms->sport) && d_addr == ms->daddr && d_port == ms->dport ) { #ifdef DEBUG_IP_MASQUERADE_VERBOSE printk(KERN_DEBUG "MASQ: lk/out2 %d %08X:%04hX->%08X:%04hX OK\n", protocol, s_addr, s_port, d_addr, d_port); #endif /* DEBUG_IP_MASQUERADE_VERBOSE */ return ms; } } } #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #endif /* CONFIG_IP_MASQUERADE_PPTP */ hash = ip_masq_hash_key(protocol, s_addr, s_port); for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) { if (protocol == ms->protocol && s_addr == ms->saddr && s_port == ms->sport && d_addr == ms->daddr && d_port == ms->dport ) { #ifdef DEBUG_IP_MASQUERADE_VERBOSE printk("MASQ: lk/out1 %d %08X:%04hX->%08X:%04hX OK\n", protocol, s_addr, s_port, d_addr, d_port); #endif return ms; } } hash = ip_masq_hash_key(protocol, s_addr, 0); for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) { if (ms->flags & IP_MASQ_F_NO_SPORT && protocol == ms->protocol && s_addr == ms->saddr && d_addr == ms->daddr && d_port == ms->dport ) { #ifdef DEBUG_IP_MASQUERADE_VERBOSE printk("MASQ: lk/out2 %d %08X:%04hX->%08X:%04hX OK\n", protocol, s_addr, s_port, d_addr, d_port); #endif return ms; } } #ifdef DEBUG_IP_MASQUERADE_VERBOSE printk("MASQ: lk/out1 %d %08X:%04hX->%08X:%04hX fail\n", protocol, s_addr, s_port, d_addr, d_port); #endif return NULL; } #ifdef CONFIG_IP_MASQUERADE_IPSEC struct ip_masq * ip_masq_out_get_ipsec(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 o_spi) { unsigned hash; struct ip_masq *ms; if (protocol != IPPROTO_ESP) { return ip_masq_out_get_2(protocol,s_addr,s_port,d_addr,d_port); } hash = ip_masq_hash_key(protocol, s_addr, s_port); for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) { if (protocol==ms->protocol && s_addr==ms->saddr && d_addr==ms->daddr && o_spi==ms->ospi) { #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: IPSEC look/out %08X:%08X->%08X OK\n", s_addr, o_spi, d_addr); #endif return ms; } } #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: IPSEC look/out %08X:%08X->%08X fail\n", s_addr, o_spi, d_addr); #endif return NULL; } struct ip_masq * ip_masq_out_get_isakmp(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port, __u32 cookie) { unsigned hash; struct ip_masq *ms; #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_DEBUG "ip_masq_out_get_isakmp(): "); printk("%s -> ", in_ntoa(s_addr)); printk("%s cookie %lX\n", in_ntoa(d_addr), ntohl(cookie)); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ if (cookie == 0) { printk(KERN_INFO "ip_masq_out_get_isakmp(): "); printk("zero cookie from %s\n", in_ntoa(s_addr)); } hash = ip_masq_hash_key(protocol, s_addr, s_port); for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) { if (protocol == ms->protocol && cookie == ms->ospi && s_addr == ms->saddr && s_port == ms->sport && d_addr == ms->daddr && d_port == ms->dport ) { #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: lk/out1 %d %08X:%04hX->%08X:%04hX %08X OK\n", protocol, s_addr, s_port, d_addr, d_port, cookie); #endif return ms; } } #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: lk/out1 %d %08X:%04hX->%08X:%04hX %08X fail\n", protocol, s_addr, s_port, d_addr, d_port, cookie); #endif return NULL; } #endif /* CONFIG_IP_MASQUERADE_IPSEC */ /* * Returns ip_masq for given proto,m_addr,m_port. * called by allocation routine to find an unused m_port. */ struct ip_masq * ip_masq_getbym(int protocol, __u32 m_addr, __u16 m_port) { unsigned hash; struct ip_masq *ms; hash = ip_masq_hash_key(protocol, m_addr, m_port); for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) { if ( protocol==ms->protocol && (m_addr==ms->maddr && m_port==ms->mport)) return ms; } return NULL; } static void masq_expire(unsigned long data) { struct ip_masq *ms = (struct ip_masq *)data, *ms_data; unsigned long flags; if (ms->flags & IP_MASQ_F_CONTROL) { /* a control channel is about to expire */ int idx = 0, reprieve = 0; #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Masquerade control %s %lX:%X about to expire\n", masq_proto_name(ms->protocol), ntohl(ms->saddr),ntohs(ms->sport)); #endif save_flags(flags); cli(); /* * If any other masquerade entry claims that the expiring entry * is its control channel then keep the control entry alive. * Useful for long running data channels with inactive control * links which we don't want to lose, e.g. ftp. * Assumption: loops such as a->b->a or a->a will never occur. */ for (idx = 0; idx < IP_MASQ_TAB_SIZE && !reprieve; idx++) { for (ms_data = ip_masq_m_tab[idx]; ms_data ; ms_data = ms_data->m_link) { if (ms_data->control == ms) { reprieve = 1; /* this control connection can live a bit longer */ ip_masq_set_expire(ms, ip_masq_expire->tcp_timeout); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Masquerade control %s %lX:%X expiry reprieved\n", masq_proto_name(ms->protocol), ntohl(ms->saddr),ntohs(ms->sport)); #endif break; } } } restore_flags(flags); if (reprieve) return; } #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Masqueraded %s %lX:%X expired\n",masq_proto_name(ms->protocol),ntohl(ms->saddr),ntohs(ms->sport)); #endif save_flags(flags); cli(); if (ip_masq_unhash(ms)) { ip_masq_free_ports[masq_proto_num(ms->protocol)]++; if (ms->protocol != IPPROTO_ICMP) ip_masq_unbind_app(ms); kfree_s(ms,sizeof(*ms)); } restore_flags(flags); } #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW void ip_autofw_expire(unsigned long data) { struct ip_autofw * af; af=(struct ip_autofw *) data; af->flags&=0xFFFF ^ IP_AUTOFW_ACTIVE; af->timer.expires=0; af->lastcontact=0; if (af->flags & IP_AUTOFW_SECURE) af->where=0; } #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ /* * Create a new masquerade list entry, also allocate an * unused mport, keeping the portnumber between the * given boundaries MASQ_BEGIN and MASQ_END. */ struct ip_masq * ip_masq_new_enh(struct device *dev, int proto, __u32 saddr, __u16 sport, __u32 daddr, __u16 dport, unsigned mflags, __u16 matchport) { struct ip_masq *ms, *mst; int ports_tried, *free_ports_p; unsigned long flags; static int n_fails = 0; free_ports_p = &ip_masq_free_ports[masq_proto_num(proto)]; if (*free_ports_p == 0) { if (++n_fails < 5) printk("ip_masq_new(proto=%s): no free ports.\n", masq_proto_name(proto)); return NULL; } ms = (struct ip_masq *) kmalloc(sizeof(struct ip_masq), GFP_ATOMIC); if (ms == NULL) { if (++n_fails < 5) printk("ip_masq_new(proto=%s): no memory available.\n", masq_proto_name(proto)); return NULL; } memset(ms, 0, sizeof(*ms)); init_timer(&ms->timer); ms->timer.data = (unsigned long)ms; ms->timer.function = masq_expire; ms->protocol = proto; ms->saddr = saddr; ms->sport = sport; ms->daddr = daddr; ms->dport = dport; ms->flags = mflags; ms->app_data = NULL; ms->control = NULL; if (proto == IPPROTO_UDP && !matchport) ms->flags |= IP_MASQ_F_NO_DADDR; /* get masq address from rif */ ms->maddr = dev->pa_addr; /* * Setup new entry as not replied yet. * This flag will allow masq. addr (ms->maddr) * to follow forwarding interface address. */ ms->flags |= IP_MASQ_F_NO_REPLY; for (ports_tried = 0; (*free_ports_p && (ports_tried <= (PORT_MASQ_END - PORT_MASQ_BEGIN))); ports_tried++){ #ifdef CONFIG_IP_MASQUERADE_PPTP #ifndef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT /* Ignoring PPTP call IDs. * Don't needlessly increase the TCP port pointer. */ if (proto == IPPROTO_GRE) { ms->mport = 0; mst = NULL; } else { #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC /* ESP masq keys off the SPI, not the port number. * Don't needlessly increase the TCP port pointer. */ if (proto == IPPROTO_ESP) { ms->mport = 0; mst = NULL; } else { if (proto == IPPROTO_UDP && ntohs(sport) == UDP_PORT_ISAKMP && ntohs(dport) == UDP_PORT_ISAKMP) { /* the port number cannot be changed */ ms->mport = htons(UDP_PORT_ISAKMP); mst = NULL; } else { #endif /* CONFIG_IP_MASQUERADE_IPSEC */ save_flags(flags); cli(); /* * Try the next available port number */ if (!matchport || ports_tried) ms->mport = htons(masq_port++); else ms->mport = matchport; if (masq_port==PORT_MASQ_END) masq_port = PORT_MASQ_BEGIN; restore_flags(flags); /* * lookup to find out if this port is used. */ mst = ip_masq_getbym(proto, ms->maddr, ms->mport); #ifdef CONFIG_IP_MASQUERADE_PPTP #ifndef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT } #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC } } #endif /* CONFIG_IP_MASQUERADE_IPSEC */ if (mst == NULL || matchport) { save_flags(flags); cli(); if (*free_ports_p == 0) { restore_flags(flags); break; } (*free_ports_p)--; ip_masq_hash(ms); restore_flags(flags); if (proto != IPPROTO_ICMP) ip_masq_bind_app(ms); n_fails = 0; return ms; } } if (++n_fails < 5) printk("ip_masq_new(proto=%s): could not get free masq entry (free=%d).\n", masq_proto_name(ms->protocol), *free_ports_p); kfree_s(ms, sizeof(*ms)); return NULL; } struct ip_masq * ip_masq_new(struct device *dev, int proto, __u32 saddr, __u16 sport, __u32 daddr, __u16 dport, unsigned mflags) { return (ip_masq_new_enh(dev, proto, saddr, sport, daddr, dport, mflags, 0) ); } #ifdef CONFIG_IP_MASQUERADE_IPPORTFW /* New form of ip_masq creation which creates masqs for Port Forwarding * The routine is sufficiently different to ip_masq_new to require its own function */ struct ip_masq * ip_masq_new_portfw(struct device *dev, int proto, __u32 raddr, __u16 rport, __u32 saddr, __u16 sport, __u32 laddr, __u16 lport) { struct ip_masq *ms; static int n_fails = 0; unsigned long flags; ms = (struct ip_masq *) kmalloc(sizeof(struct ip_masq), GFP_ATOMIC); if (ms == NULL) { if (++n_fails < 5) printk("ip_masq_new_s(proto=%s): no memory available.\n", masq_proto_name(proto)); return NULL; } memset(ms, 0, sizeof(*ms)); init_timer(&ms->timer); ms->timer.data = (unsigned long)ms; ms->timer.function = masq_expire; ms->protocol = proto; ms->saddr = raddr; ms->sport = rport; ms->daddr = saddr; ms->dport = sport; ms->maddr = laddr; ms->mport = lport; ms->flags = 0; ms->app_data = NULL; ms->control = NULL; ip_masq_free_ports[masq_proto_num(proto)]--; save_flags(flags); cli(); ip_masq_hash(ms); restore_flags(flags); return ms; } #endif /* CONFIG_IP_MASQUERADE_IPPORTFW */ /* * Set masq expiration (deletion) and adds timer, * if timeout==0 cancel expiration. * Warning: it does not check/delete previous timer! */ void ip_masq_set_expire(struct ip_masq *ms, unsigned long tout) { /* There Can Be Only One (timer on a masq table entry, that is) */ del_timer(&ms->timer); if (tout) { ms->timer.expires = jiffies+tout; add_timer(&ms->timer); } } static void recalc_check(struct udphdr *uh, __u32 saddr, __u32 daddr, int len) { uh->check=0; uh->check=csum_tcpudp_magic(saddr,daddr,len, IPPROTO_UDP, csum_partial((char *)uh,len,0)); if(uh->check==0) uh->check=0xFFFF; } #ifdef CONFIG_IP_MASQUERADE_PPTP /* * Masquerade of GRE connections * to support a PPTP VPN client or server. */ /* * Handle outbound GRE packets. * * This is largely a copy of ip_fw_masquerade() */ int ip_fw_masq_gre(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; struct pptp_gre_header *greh; #ifdef DEBUG_IP_MASQUERADE_PPTP #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE __u8 *greraw; #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ #endif /* DEBUG_IP_MASQUERADE_PPTP */ struct ip_masq *ms; unsigned long flags; greh = (struct pptp_gre_header *)&(((char *)iph)[iph->ihl*4]); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_fw_masq_gre(): "); printk("Outbound GRE packet from %s", in_ntoa(iph->saddr)); printk(" to %s\n", in_ntoa(iph->daddr)); #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE greraw = (__u8 *) greh; printk(KERN_DEBUG "ip_fw_masq_gre(): "); printk("GRE raw: %X %X %X %X %X %X %X %X %X %X %X %X.\n", greraw[0], greraw[1], greraw[2], greraw[3], greraw[4], greraw[5], greraw[6], greraw[7], greraw[8], greraw[9], greraw[10], greraw[11]); printk(KERN_DEBUG "ip_fw_masq_gre(): "); printk("GRE C: %d R: %d K: %d S: %d s: %d recur: %X.\n", greh->has_cksum, greh->has_routing, greh->has_key, greh->has_seq, greh->is_strict, greh->recur); printk(KERN_DEBUG "ip_fw_masq_gre(): "); printk("GRE flags: %X ver: %X.\n", greh->flags, greh->version); printk(KERN_DEBUG "ip_fw_masq_gre(): "); printk("GRE proto: %X.\n", ntohs(greh->protocol)); #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ #endif /* DEBUG_IP_MASQUERADE_PPTP */ if (ntohs(greh->protocol) != 0x880B) { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_INFO "ip_fw_masq_gre(): "); printk("GRE protocol %X not 0x880B (non-PPTP encap?) - discarding.\n", ntohs(greh->protocol)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ return -1; } /* * Look for masq table entry */ ms = ip_masq_out_get_2(IPPROTO_GRE, iph->saddr, 0, iph->daddr, 0); if (ms!=NULL) { /* delete the expiration timer */ ip_masq_set_expire(ms,0); /* * Make sure that the masq IP address is correct * for dynamic IP... */ if ( (ms->maddr != dev->pa_addr) && (sysctl_ip_dynaddr & 3) ) { printk(KERN_INFO "ip_fw_masq_gre(): "); printk("change maddr from %s", in_ntoa(ms->maddr)); printk(" to %s\n", in_ntoa(dev->pa_addr)); save_flags(flags); cli(); ip_masq_unhash(ms); ms->maddr = dev->pa_addr; ip_masq_hash(ms); restore_flags(flags); } } else { /* * Nope, not found, create a new entry for it, maybe */ #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT /* masq table entry has to come from control channel sniffing. * If we can't find one, it may have expired. * How can this happen with the control channel active? */ printk(KERN_INFO "ip_fw_masq_gre(): "); printk("Outbound GRE to %s has no masq table entry.\n", in_ntoa(iph->daddr)); return -1; #else /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ /* call IDs ignored, can create masq table entries on the fly. */ ms = ip_masq_new(dev, iph->protocol, iph->saddr, 0, iph->daddr, 0, 0); if (ms == NULL) { printk(KERN_NOTICE "ip_fw_masq_gre(): Couldn't create masq table entry.\n"); return -1; } #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ } /* * Set iph source addr from ip_masq obj. */ iph->saddr = ms->maddr; /* * set timeout and check IP header */ ip_masq_set_expire(ms, MASQUERADE_EXPIRE_PPTP); ip_send_check(iph); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "MASQ: GRE O-routed from %s over %s\n", in_ntoa(ms->maddr), dev->name); #endif /* DEBUG_IP_MASQUERADE_PPTP */ return 0; } /* * Handle inbound GRE packets. * */ int ip_fw_demasq_gre(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; struct pptp_gre_header *greh; #ifdef DEBUG_IP_MASQUERADE_PPTP #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE __u8 *greraw; #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ #endif /* DEBUG_IP_MASQUERADE_PPTP */ struct ip_masq *ms; greh = (struct pptp_gre_header *)&(((char *)iph)[iph->ihl*4]); #ifdef DEBUG_IP_MASQUERADE_PPTP #if 0 printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("Inbound GRE packet from %s", in_ntoa(iph->saddr)); printk(" to %s\n", in_ntoa(iph->daddr)); #endif #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE greraw = (__u8 *) greh; printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("GRE raw: %X %X %X %X %X %X %X %X %X %X %X %X.\n", greraw[0], greraw[1], greraw[2], greraw[3], greraw[4], greraw[5], greraw[6], greraw[7], greraw[8], greraw[9], greraw[10], greraw[11]); printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("GRE C: %d R: %d K: %d S: %d s: %d recur: %X.\n", greh->has_cksum, greh->has_routing, greh->has_key, greh->has_seq, greh->is_strict, greh->recur); printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("GRE flags: %X ver: %X.\n", greh->flags, greh->version); printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("GRE proto: %X.\n", ntohs(greh->protocol)); #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("PPTP call ID: %X.\n", ntohs(greh->call_id)); #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #endif /* DEBUG_IP_MASQUERADE_PPTP */ if (ntohs(greh->protocol) != 0x880B) { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_INFO "ip_fw_demasq_gre(): "); printk("GRE protocol %X not 0x880B (non-PPTP encap?) - discarding.\n", ntohs(greh->protocol)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ return -1; } /* * Look for a masq table entry and reroute if found */ #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT ms = ip_masq_getbym(IPPROTO_GRE, iph->daddr, greh->call_id); #else /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ ms = ip_masq_in_get_2(IPPROTO_GRE, iph->saddr, 0, iph->daddr, 0); #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ if (ms != NULL) { /* delete the expiration timer */ ip_masq_set_expire(ms,0); iph->daddr = ms->saddr; #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT /* * change peer call ID to original value * (saved in masq table source port) */ greh->call_id = ms->sport; #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_fw_demasq_gre(): "); printk("inbound PPTP from %s call ID now %X\n", in_ntoa(iph->saddr), ntohs(greh->call_id)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ /* * resum checksums and set timeout */ ip_masq_set_expire(ms, MASQUERADE_EXPIRE_PPTP); ip_send_check(iph); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "MASQ: GRE I-routed to %s\n", in_ntoa(iph->daddr)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ return 1; } /* sorry, all this trouble for a no-hit :) */ #if 0 printk(KERN_INFO "ip_fw_demasq_gre(): "); printk("Inbound from %s has no masq table entry.\n", in_ntoa(iph->saddr)); #endif return 0; } #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT /* * Define all of the PPTP control channel message structures. * Sniff the control channel looking for start- and end-call * messages, and masquerade the Call ID as if it was a TCP * port. */ #define PPTP_CONTROL_PACKET 1 #define PPTP_MGMT_PACKET 2 #define PPTP_MAGIC_COOKIE 0x1A2B3C4D struct PptpPacketHeader { __u16 packetLength; __u16 packetType; __u32 magicCookie; }; /* PptpControlMessageType values */ #define PPTP_START_SESSION_REQUEST 1 #define PPTP_START_SESSION_REPLY 2 #define PPTP_STOP_SESSION_REQUEST 3 #define PPTP_STOP_SESSION_REPLY 4 #define PPTP_ECHO_REQUEST 5 #define PPTP_ECHO_REPLY 6 #define PPTP_OUT_CALL_REQUEST 7 #define PPTP_OUT_CALL_REPLY 8 #define PPTP_IN_CALL_REQUEST 9 #define PPTP_IN_CALL_REPLY 10 #define PPTP_CALL_CLEAR_REQUEST 11 #define PPTP_CALL_DISCONNECT_NOTIFY 12 #define PPTP_CALL_ERROR_NOTIFY 13 #define PPTP_WAN_ERROR_NOTIFY 14 #define PPTP_SET_LINK_INFO 15 struct PptpControlHeader { __u16 messageType; __u16 reserved; }; struct PptpOutCallRequest { __u16 callID; __u16 callSerialNumber; __u32 minBPS; __u32 maxBPS; __u32 bearerType; __u32 framingType; __u16 packetWindow; __u16 packetProcDelay; __u16 reserved1; __u16 phoneNumberLength; __u16 reserved2; __u8 phoneNumber[64]; __u8 subAddress[64]; }; struct PptpOutCallReply { __u16 callID; __u16 peersCallID; __u8 resultCode; __u8 generalErrorCode; __u16 causeCode; __u32 connectSpeed; __u16 packetWindow; __u16 packetProcDelay; __u32 physChannelID; }; struct PptpInCallRequest { __u16 callID; __u16 callSerialNumber; __u32 callBearerType; __u32 physChannelID; __u16 dialedNumberLength; __u16 dialingNumberLength; __u8 dialedNumber[64]; __u8 dialingNumber[64]; __u8 subAddress[64]; }; struct PptpInCallReply { __u16 callID; __u16 peersCallID; __u8 resultCode; __u8 generalErrorCode; __u16 packetWindow; __u16 packetProcDelay; __u16 reserved; }; struct PptpCallDisconnectNotify { __u16 callID; __u8 resultCode; __u8 generalErrorCode; __u16 causeCode; __u16 reserved; __u8 callStatistics[128]; }; struct PptpWanErrorNotify { __u16 peersCallID; __u16 reserved; __u32 crcErrors; __u32 framingErrors; __u32 hardwareOverRuns; __u32 bufferOverRuns; __u32 timeoutErrors; __u32 alignmentErrors; }; struct PptpSetLinkInfo { __u16 peersCallID; __u16 reserved; __u32 sendAccm; __u32 recvAccm; }; /* Packet sent to or from PPTP control port. Process it. */ /* Yes, all of this should be in a kernel module. Real Soon Now... */ void ip_masq_pptp(struct sk_buff *skb, struct ip_masq *ms, struct device *dev) { struct iphdr *iph = skb->h.iph; struct PptpPacketHeader *pptph = NULL; struct PptpControlHeader *ctlh = NULL; union { char *req; struct PptpOutCallRequest *ocreq; struct PptpOutCallReply *ocack; struct PptpInCallRequest *icreq; struct PptpInCallReply *icack; struct PptpCallDisconnectNotify *disc; struct PptpWanErrorNotify *wanerr; struct PptpSetLinkInfo *setlink; } pptpReq; struct ip_masq *ms_gre = NULL; /* * The GRE data channel will be treated as the "control channel" * for the purposes of masq because there are keepalives happening * on the control channel, whereas the data channel may be subject * to relatively long periods of inactivity. */ pptph = (struct PptpPacketHeader *)&(((char *)iph)[sizeof(struct iphdr) + sizeof(struct tcphdr)]); #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE printk(KERN_DEBUG "ip_masq_pptp(): "); printk("LEN=%d TY=%d MC=%lX", ntohs(pptph->packetLength), ntohs(pptph->packetType), ntohl(pptph->magicCookie)); printk(" from %s", in_ntoa(iph->saddr)); printk(" to %s\n", in_ntoa(iph->daddr)); #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ if (ntohs(pptph->packetType) == PPTP_CONTROL_PACKET && ntohl(pptph->magicCookie) == PPTP_MAGIC_COOKIE) { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("PPTP control packet from %s", in_ntoa(iph->saddr)); printk(" to %s\n", in_ntoa(iph->daddr)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ctlh = (struct PptpControlHeader *)&(((char*)pptph)[sizeof(struct PptpPacketHeader)]); pptpReq.req = &(((char*)ctlh)[sizeof(struct PptpControlHeader)]); #ifdef DEBUG_IP_MASQUERADE_PPTP_VERBOSE printk(KERN_DEBUG "ip_masq_pptp(): "); printk("MTY=%X R0=%X\n", ntohs(ctlh->messageType), ctlh->reserved); #endif /* DEBUG_IP_MASQUERADE_PPTP_VERBOSE */ switch (ntohs(ctlh->messageType)) { case PPTP_OUT_CALL_REQUEST: if (iph->daddr == ms->daddr) /* outbound only */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Call request, call ID %X\n", ntohs(pptpReq.ocreq->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_new(dev, IPPROTO_GRE, ms->saddr, pptpReq.ocreq->callID, ms->daddr, 0, 0); if (ms_gre != NULL) { ms->control = ms_gre; ms_gre->flags |= IP_MASQ_F_CONTROL; ip_masq_set_expire(ms_gre, 0); ip_masq_set_expire(ms_gre, 2*60*HZ); pptpReq.ocreq->callID = ms_gre->mport; printk(KERN_INFO "ip_masq_pptp(): "); printk("Req outcall PPTP sess %s", in_ntoa(ms->saddr)); printk(" -> %s", in_ntoa(ms->daddr)); printk(" Call ID %X -> %X.\n", ntohs(ms_gre->sport), ntohs(ms_gre->mport)); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("masqed call ID %X\n", ntohs(pptpReq.ocreq->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } else { printk(KERN_NOTICE "ip_masq_pptp(): "); printk("Couldn't create GRE masq table entry (%s)\n", "OUT_CALL_REQ"); } } break; case PPTP_OUT_CALL_REPLY: if (iph->saddr == ms->daddr) /* inbound (masqueraded client) */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Call reply, peer call ID %X\n", ntohs(pptpReq.ocack->peersCallID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_getbym(IPPROTO_GRE, ms->maddr, pptpReq.ocack->peersCallID); if (ms_gre != NULL) { ip_masq_set_expire(ms_gre, 0); ip_masq_set_expire(ms_gre, 2*60*HZ); pptpReq.ocack->peersCallID = ms_gre->sport; printk(KERN_INFO "ip_masq_pptp(): "); printk("Estab outcall PPTP sess %s", in_ntoa(ms->saddr)); printk(" -> %s", in_ntoa(ms->daddr)); printk(" Call ID %X -> %X.\n", ntohs(ms_gre->sport), ntohs(ms_gre->mport)); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("unmasqed call ID %X\n", ntohs(pptpReq.ocack->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } else { printk(KERN_INFO "ip_masq_pptp(): "); printk("Lost GRE masq table entry (%s)\n", "OUT_CALL_REPLY"); } } break; case PPTP_IN_CALL_REQUEST: if (iph->daddr == ms->daddr) /* outbound only */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Call request, call ID %X\n", ntohs(pptpReq.icreq->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_new(dev, IPPROTO_GRE, ms->saddr, pptpReq.icreq->callID, ms->daddr, 0, 0); if (ms_gre != NULL) { ms->control = ms_gre; ms_gre->flags |= IP_MASQ_F_CONTROL; ip_masq_set_expire(ms_gre, 0); ip_masq_set_expire(ms_gre, 2*60*HZ); pptpReq.icreq->callID = ms_gre->mport; printk(KERN_INFO "ip_masq_pptp(): "); printk("Req incall PPTP sess %s", in_ntoa(ms->saddr)); printk(" -> %s", in_ntoa(ms->daddr)); printk(" Call ID %X -> %X.\n", ntohs(ms_gre->sport), ntohs(ms_gre->mport)); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("masqed call ID %X\n", ntohs(pptpReq.icreq->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } else { printk(KERN_NOTICE "ip_masq_pptp(): "); printk("Couldn't create GRE masq table entry (%s)\n", "IN_CALL_REQ"); } } break; case PPTP_IN_CALL_REPLY: if (iph->saddr == ms->daddr) /* inbound (masqueraded client) */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Call reply, peer call ID %X\n", ntohs(pptpReq.icack->peersCallID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_getbym(IPPROTO_GRE, ms->maddr, pptpReq.icack->peersCallID); if (ms_gre != NULL) { ip_masq_set_expire(ms_gre, 0); ip_masq_set_expire(ms_gre, 2*60*HZ); pptpReq.icack->peersCallID = ms_gre->sport; printk(KERN_INFO "ip_masq_pptp(): "); printk("Estab incall PPTP sess %s", in_ntoa(ms->saddr)); printk(" -> %s", in_ntoa(ms->daddr)); printk(" Call ID %X -> %X.\n", ntohs(ms_gre->sport), ntohs(ms_gre->mport)); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("unmasqed call ID %X\n", ntohs(pptpReq.icack->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } else { printk(KERN_INFO "ip_masq_pptp(): "); printk("Lost GRE masq table entry (%s)\n", "IN_CALL_REPLY"); } } break; case PPTP_CALL_DISCONNECT_NOTIFY: if (iph->daddr == ms->daddr) /* outbound only */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Disconnect notify, call ID %X\n", ntohs(pptpReq.disc->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_out_get_2(IPPROTO_GRE, iph->saddr, pptpReq.disc->callID, iph->daddr, 0); if (ms_gre != NULL) { /* * expire the data channel * table entry quickly now. */ ip_masq_set_expire(ms_gre, 0); ip_masq_set_expire(ms_gre, 30*HZ); ms->control = NULL; ms_gre->flags &= ~IP_MASQ_F_CONTROL; pptpReq.disc->callID = ms_gre->mport; printk(KERN_INFO "ip_masq_pptp(): "); printk("Disconnect PPTP sess %s", in_ntoa(ms->saddr)); printk(" -> %s", in_ntoa(ms->daddr)); printk(" Call ID %X -> %X.\n", ntohs(ms_gre->sport), ntohs(ms_gre->mport)); #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("masqed call ID %X\n", ntohs(pptpReq.disc->callID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } } break; case PPTP_WAN_ERROR_NOTIFY: if (iph->saddr == ms->daddr) /* inbound only */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Error notify, peer call ID %X\n", ntohs(pptpReq.wanerr->peersCallID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_getbym(IPPROTO_GRE, ms->maddr, pptpReq.wanerr->peersCallID); if (ms_gre != NULL) { pptpReq.wanerr->peersCallID = ms_gre->sport; #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("unmasqed call ID %X\n", ntohs(pptpReq.wanerr->peersCallID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } else { printk(KERN_INFO "ip_masq_pptp(): "); printk("Lost GRE masq table entry (%s)\n", "WAN_ERROR_NOTIFY"); } } break; case PPTP_SET_LINK_INFO: if (iph->saddr == ms->daddr) /* inbound only */ { #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("Set link info, peer call ID %X\n", ntohs(pptpReq.setlink->peersCallID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ ms_gre = ip_masq_getbym(IPPROTO_GRE, ms->maddr, pptpReq.setlink->peersCallID); if (ms_gre != NULL) { pptpReq.setlink->peersCallID = ms_gre->sport; #ifdef DEBUG_IP_MASQUERADE_PPTP printk(KERN_DEBUG "ip_masq_pptp(): "); printk("unmasqed call ID %X\n", ntohs(pptpReq.setlink->peersCallID)); #endif /* DEBUG_IP_MASQUERADE_PPTP */ } else { printk(KERN_INFO "ip_masq_pptp(): "); printk("Lost GRE masq table entry (%s)\n", "SET_LINK_INFO"); } } break; } } } #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ static struct symbol_table pptp_masq_syms = { #include <linux/symtab_begin.h> X(ip_fw_masq_gre), X(ip_fw_demasq_gre), #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT X(ip_masq_pptp), #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #include <linux/symtab_end.h> }; #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC /* * Quick-and-dirty handling of ESP connections * John Hardin <jhardin@wolfenet.com> gets all blame... */ /* * Handle outbound ESP packets. * * This is largely a copy of ip_fw_masquerade() * * To associate inbound traffic with outbound traffic, we only * allow one session per remote host to be negotiated at a time. * If a packet comes in and there's no masq table entry for it, * then check for other masq table entries for the same server * with the inbound SPI set to zero (i.e. no response yet). If * found, discard the packet. * This will DoS the server for the duration of the connection * attempt, so keep the masq entry's lifetime short until a * response comes in. * If multiple masqueraded hosts are in contention for the same * remote host, enforce round-robin access. This may lead to * misassociation of response traffic if the response is delayed * a great deal, but the masqueraded hosts will clean that up * if it happens. */ int ip_fw_masq_esp(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; struct ip_masq *ms; unsigned long flags; __u32 o_spi; __u16 fake_sport; unsigned long timeout = MASQUERADE_EXPIRE_IPSEC; o_spi = *((__u32 *)&(((char *)iph)[iph->ihl*4])); fake_sport = (__u16) ntohl(o_spi) & 0xffff; #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_DEBUG "ip_fw_masq_esp(): "); printk("pkt %s", in_ntoa(iph->saddr)); printk(" -> %s SPI %lX (fakeport %X)\n", in_ntoa(iph->daddr), ntohl(o_spi), fake_sport); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ if (o_spi == 0) { /* illegal SPI - discard */ printk(KERN_INFO "ip_fw_masq_esp(): "); printk("zero SPI from %s discarded\n", in_ntoa(iph->saddr)); return -1; } /* * Look for masq table entry */ ms = ip_masq_out_get_ipsec(IPPROTO_ESP, iph->saddr, fake_sport, iph->daddr, 0, o_spi); if (ms!=NULL) { if (ms->ispi == IPSEC_INIT_SQUELCHED) { /* squelched: toss the packet without changing the timer */ #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_INFO "ip_fw_masq_esp(): "); printk("init %s ", in_ntoa(iph->saddr)); printk("-> %s SPI %lX ", in_ntoa(iph->daddr), ntohl(o_spi)); printk("squelched\n"); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ return -1; } /* delete the expiration timer */ ip_masq_set_expire(ms,0); /* * Make sure that the masq IP address is correct * for dynamic IP... */ if ( (ms->maddr != dev->pa_addr) && (sysctl_ip_dynaddr & 3) ) { printk(KERN_INFO "ip_fw_masq_esp(): "); printk("change maddr from %s", in_ntoa(ms->maddr)); printk(" to %s\n", in_ntoa(dev->pa_addr)); save_flags(flags); cli(); ip_masq_unhash(ms); ms->maddr = dev->pa_addr; ip_masq_hash(ms); restore_flags(flags); } if (ms->ispi == 0) { /* no response yet, keep timeout short */ timeout = MASQUERADE_EXPIRE_IPSEC_INIT; if (ms->blocking) { /* prevent DoS: limit init packet timer resets */ ms->ocnt++; #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_INFO "ip_fw_masq_esp(): "); printk("init %s ", in_ntoa(iph->saddr)); printk("-> %s SPI %lX ", in_ntoa(iph->daddr), ntohl(o_spi)); printk("retry %d\n", ms->ocnt); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ if (ms->ocnt > IPSEC_INIT_RETRIES) { /* more than IPSEC_INIT_RETRIES tries, give up */ printk(KERN_INFO "ip_fw_masq_esp(): "); printk("init %s ", in_ntoa(iph->saddr)); printk("-> %s SPI %lX ", in_ntoa(iph->daddr), ntohl(o_spi)); printk("no response after %d tries, unblocking & squelching\n", ms->ocnt); /* squelch that source+SPI for a bit */ timeout = 30*HZ; save_flags(flags); cli(); ip_masq_unhash(ms); ms->ispi = IPSEC_INIT_SQUELCHED; ms->dport = IPSEC_INIT_SQUELCHED; ip_masq_hash(ms); restore_flags(flags); ip_masq_set_expire(ms, timeout); /* toss the packet */ return -1; } } } } else { /* * Nope, not found, create a new entry for it, maybe */ /* see if there are any pending inits with the same destination... */ ms = ip_masq_in_get_ipsec(IPPROTO_ESP, iph->daddr, 0, 0, 0, 0); if (ms != NULL) { /* found one with ispi == 0 */ if (ms->saddr != iph->saddr) { /* it's not ours, don't step on their toes */ printk(KERN_INFO "ip_fw_masq_esp(): "); printk("init %s ", in_ntoa(iph->saddr)); printk("-> %s ", in_ntoa(iph->daddr)); printk("temporarily blocked by pending "); printk("%s init\n", in_ntoa(ms->saddr)); /* let it know it has competition */ ms->blocking = 1; /* toss the packet */ return -1; } if (ms->ospi != o_spi) { /* SPIs differ, still waiting for a previous attempt to expire */ printk(KERN_INFO "ip_fw_masq_esp(): "); printk("init %s ", in_ntoa(iph->saddr)); printk("-> %s SPI %lX ", in_ntoa(iph->daddr), ntohl(o_spi)); printk("temporarily blocked by pending "); printk("init w/ SPI %lX\n", ntohl(ms->ospi)); /* let it know it has competition */ ms->blocking = 1; /* toss the packet */ return -1; } } else /* nothing pending, make new entry, pending response */ ms = ip_masq_new(dev, iph->protocol, iph->saddr, fake_sport, iph->daddr, 0, 0); if (ms == NULL) { printk(KERN_NOTICE "ip_fw_masq_esp(): Couldn't create masq table entry.\n"); return -1; } ms->blocking = ms->ocnt = 0; ms->ospi = o_spi; timeout = MASQUERADE_EXPIRE_IPSEC_INIT; /* fairly brief timeout while waiting for a response */ } /* * Set iph source addr from ip_masq obj. */ iph->saddr = ms->maddr; /* * set timeout and check IP header */ ip_masq_set_expire(ms, timeout); ip_send_check(iph); #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: ESP O-routed from %s over %s\n", in_ntoa(ms->maddr), dev->name); #endif /* DEBUG_IP_MASQUERADE_IPSEC_VERBOSE */ return 0; } /* * Handle inbound ESP packets. * */ int ip_fw_demasq_esp(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; struct ip_masq *ms; unsigned long flags; __u32 i_spi; __u16 fake_sport; #ifndef CONFIG_IP_MASQUERADE_IPSEC_NOGUESS #define ESP_GUESS_SZ 5 /* minimum 3, please */ #define ESP_CAND_MIN_TM 5*60*HZ /* max 10*60*HZ? */ unsigned hash; int i, ii, ncand = 0, nguess = 0; __u16 isakmp; __u32 cand_ip, guess_ip[ESP_GUESS_SZ]; unsigned long cand_tm, guess_tm[ESP_GUESS_SZ]; struct sk_buff *skb_cl; struct iphdr *iph_cl; #endif /* CONFIG_IP_MASQUERADE_IPSEC_NOGUESS */ i_spi = *((__u32 *)&(((char *)iph)[iph->ihl*4])); fake_sport = (__u16) ntohl(i_spi) & 0xffff; #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_DEBUG "ip_fw_demasq_esp(): "); printk("pkt %s", in_ntoa(iph->saddr)); printk(" -> %s SPI %lX (fakeport %X)\n", in_ntoa(iph->daddr), ntohl(i_spi), fake_sport); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ if (i_spi == 0) { /* illegal SPI - discard */ printk(KERN_INFO "ip_fw_demasq_esp(): "); printk("zero SPI from %s discarded\n", in_ntoa(iph->saddr)); return -1; } if (i_spi == IPSEC_INIT_SQUELCHED) { /* Ack! This shouldn't happen! */ /* IPSEC_INIT_SQUELCHED is chosen to be a reserved value as of 4/99 */ printk(KERN_NOTICE "ip_fw_demasq_esp(): "); printk("SPI from %s is IPSEC_INIT_SQUELCHED - modify ip_masq.c!\n", in_ntoa(iph->saddr)); return -1; } /* * Look for a masq table entry and reroute if found */ ms = ip_masq_in_get_ipsec(IPPROTO_ESP, iph->saddr, fake_sport, iph->daddr, 0, i_spi); if (ms != NULL) { /* delete the expiration timer */ ip_masq_set_expire(ms,0); iph->daddr = ms->saddr; if (ms->ispi == 0) { #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_INFO "ip_fw_demasq_esp(): "); printk("resp from %s SPI %lX", in_ntoa(iph->saddr), ntohl(i_spi)); printk(" routed to %s (SPI %lX)\n", in_ntoa(ms->saddr), ntohl(ms->ospi)); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ save_flags(flags); cli(); ip_masq_unhash(ms); ms->ispi = i_spi; ms->dport = fake_sport; ip_masq_hash(ms); restore_flags(flags); } /* * resum checksums and set timeout */ ip_masq_set_expire(ms, MASQUERADE_EXPIRE_IPSEC); ip_send_check(iph); #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "MASQ: ESP I-routed to %s\n", in_ntoa(iph->daddr)); #endif /* DEBUG_IP_MASQUERADE_IPSEC_VERBOSE */ return 1; } #ifndef CONFIG_IP_MASQUERADE_IPSEC_NOGUESS /* Guess who this packet is likely intended for: * Scan the UDP masq table for local hosts that have communicated via * ISAKMP with the host who sent this packet. * Using an insertion sort with duplicate IP suppression, build a list * of the ESP_GUESS_SZ most recent ISAKMP sessions (determined by * sorting in decreasing order of timeout timer). * Clone the original packet and send it to those hosts, but DON'T make * a masq table entry, as we're only guessing. It is assumed that the correct * host will respond to the traffic and that will create a masq table entry. * To limit the list a bit, don't consider any ISAKMP masq entries with * less than ESP_CAND_MIN_TM time to live. This should be some value less * than the IPSEC table timeout or *all* entries will be ignored... */ #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "ip_fw_demasq_esp(): "); printk("guessing from %s SPI %lX\n", in_ntoa(iph->saddr), ntohl(i_spi)); #endif /* DEBUG_IP_MASQUERADE_IPSEC_VERBOSE */ /* zero out the guess table */ for (i = 0;i < ESP_GUESS_SZ; i++) { guess_ip[i] = 0; guess_tm[i] = 0; } /* scan ISAKMP sessions with the source host */ isakmp = htons(UDP_PORT_ISAKMP); hash = ip_masq_hash_key(IPPROTO_UDP, iph->saddr, isakmp); for(ms = ip_masq_d_tab[hash]; ms ; ms = ms->d_link) { if (ms->protocol == IPPROTO_UDP && ms->daddr == iph->saddr && ms->sport == isakmp && ms->dport == isakmp && ms->mport == isakmp && ms->ospi != 0) { /* a candidate... */ ncand++; cand_ip = ms->saddr; cand_tm = ms->timer.expires - jiffies; #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "ip_fw_demasq_esp(): "); printk("cand %d: IP %s TM %ld\n", ncand, in_ntoa(cand_ip), cand_tm); #endif /* DEBUG_IP_MASQUERADE_IPSEC_VERBOSE */ if (cand_tm > ESP_CAND_MIN_TM) { /* traffic is recent enough, add to list (maybe) */ for (i = 0; i < ESP_GUESS_SZ; i++) { if (cand_tm > guess_tm[i]) { /* newer */ if (guess_ip[i] != 0 && cand_ip != guess_ip[i]) { /* newer and IP different - insert */ if (i < (ESP_GUESS_SZ - 1)) { /* move entries down the list, * find first entry after this slot * where the IP is 0 (unused) or * IP == candidate (older traffic, same host) * rather than simply going to the end of the list, * for efficiency (don't shift zeros) and * duplicate IP suppression (don't keep older entries * having the same IP) */ for (ii = i + 1; ii < (ESP_GUESS_SZ - 1); ii++) { if (guess_ip[ii] == 0 || guess_ip[ii] == cand_ip) break; } for (ii-- ; ii >= i; ii--) { guess_ip[ii+1] = guess_ip[ii]; guess_tm[ii+1] = guess_tm[ii]; } } } guess_ip[i] = cand_ip; guess_tm[i] = cand_tm; break; } if (cand_ip == guess_ip[i]) { /* fresher entry already there */ break; } } } } } if (guess_ip[0]) { /* had guesses - send */ if (guess_ip[1]) { /* multiple guesses, send a copy to all */ for (i = 0; guess_ip[i] != 0; i++) { nguess++; #ifdef DEBUG_IP_MASQUERADE_IPSEC_VERBOSE printk(KERN_DEBUG "ip_fw_demasq_esp(): "); printk("guess %d: IP %s TM %ld\n", nguess, in_ntoa(guess_ip[i]), guess_tm[i]); #endif /* DEBUG_IP_MASQUERADE_IPSEC_VERBOSE */ /* duplicate and send the skb */ if ((skb_cl = skb_copy(skb, GFP_ATOMIC)) == NULL) { printk(KERN_INFO "ip_fw_demasq_esp(): "); printk("guessing: cannot copy skb\n"); } else { iph_cl = skb_cl->h.iph; iph_cl->daddr = guess_ip[i]; ip_send_check(iph_cl); ip_forward(skb_cl, dev, IPFWD_MASQUERADED, iph_cl->daddr); kfree_skb(skb_cl, FREE_WRITE); } } #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_INFO "ip_fw_demasq_esp(): "); printk("guessing from %s SPI %lX sent to", in_ntoa(iph->saddr), ntohl(i_spi)); printk(" %d hosts (%d cand)\n", nguess, ncand); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ return -1; /* discard original packet */ } else { /* only one guess, send original packet to that host */ iph->daddr = guess_ip[0]; ip_send_check(iph); #ifdef DEBUG_IP_MASQUERADE_IPSEC printk(KERN_INFO "ip_fw_demasq_esp(): "); printk("guessing from %s SPI %lX sent to", in_ntoa(iph->saddr), ntohl(i_spi)); printk(" %s (%d cand)\n", in_ntoa(guess_ip[0]), ncand); #endif /* DEBUG_IP_MASQUERADE_IPSEC */ return 1; } } #endif /* CONFIG_IP_MASQUERADE_IPSEC_NOGUESS */ /* sorry, all this trouble for a no-hit :) */ #if 0 printk(KERN_INFO "ip_fw_demasq_esp(): "); printk("Inbound from %s SPI %lX has no masq table entry.\n", in_ntoa(iph->saddr), ntohl(i_spi)); #endif return 0; } static struct symbol_table ipsec_masq_syms = { #include <linux/symtab_begin.h> X(ip_masq_out_get_ipsec), X(ip_masq_in_get_ipsec), X(ip_masq_out_get_isakmp), X(ip_masq_in_get_isakmp), X(ip_fw_masq_esp), X(ip_fw_demasq_esp), #include <linux/symtab_end.h> }; #endif /* CONFIG_IP_MASQUERADE_IPSEC */ int ip_fw_masquerade(struct sk_buff **skb_ptr, struct device *dev) { struct sk_buff *skb=*skb_ptr; struct iphdr *iph = skb->h.iph; __u16 *portptr; struct ip_masq *ms; int size; unsigned long timeout; /* * We can only masquerade protocols with ports... * [TODO] * We may need to consider masq-ing some ICMP related to masq-ed protocols */ if (iph->protocol==IPPROTO_ICMP) return (ip_fw_masq_icmp(skb_ptr,dev)); #ifdef CONFIG_IP_MASQUERADE_PPTP if (iph->protocol==IPPROTO_GRE) return (ip_fw_masq_gre(skb_ptr,dev)); #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC if (iph->protocol==IPPROTO_ESP) return (ip_fw_masq_esp(skb_ptr,dev)); #endif /* CONFIG_IP_MASQUERADE_IPSEC */ if (iph->protocol!=IPPROTO_UDP && iph->protocol!=IPPROTO_TCP) return -1; /* * Now hunt the list to see if we have an old entry */ portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Outgoing %s %lX:%X -> %lX:%X\n", masq_proto_name(iph->protocol), ntohl(iph->saddr), ntohs(portptr[0]), ntohl(iph->daddr), ntohs(portptr[1])); #endif ms = ip_masq_out_get(iph); if (ms!=NULL) { ip_masq_set_expire(ms,0); /* * If sysctl & 3 and either * no pkt has been received yet * or * sysctl & 4 * in this tunnel ... * "You are welcome, diald, ipppd, pppd-3.3...". */ if ( (sysctl_ip_dynaddr & 3) && (ms->flags & IP_MASQ_F_NO_REPLY || sysctl_ip_dynaddr & 4) && dev->pa_addr != ms->maddr) { unsigned long flags; if (sysctl_ip_dynaddr & 2) { printk(KERN_INFO "ip_fw_masquerade(): change maddr from %s", in_ntoa(ms->maddr)); printk(" to %s\n", in_ntoa(dev->pa_addr)); } save_flags(flags); cli(); ip_masq_unhash(ms); ms->maddr = dev->pa_addr; ip_masq_hash(ms); restore_flags(flags); } /* * Set sport if not defined yet (e.g. ftp PASV). Because * masq entries are hashed on sport, unhash with old value * and hash with new. */ if ( ms->flags & IP_MASQ_F_NO_SPORT && ms->protocol == IPPROTO_TCP ) { unsigned long flags; ms->flags &= ~IP_MASQ_F_NO_SPORT; save_flags(flags); cli(); ip_masq_unhash(ms); ms->sport = portptr[0]; ip_masq_hash(ms); /* hash on new sport */ restore_flags(flags); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("ip_fw_masquerade(): filled sport=%d\n", ntohs(ms->sport)); #endif } } #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW /* update any ipautofw entries .. */ ip_autofw_update_out(iph->saddr, iph->daddr, portptr[1], iph->protocol); #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ /* * Nope, not found, create a new entry for it */ if (ms==NULL) { #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW /* if the source port is supposed to match the masq port, then make it so */ if (ip_autofw_check_direct(portptr[1],iph->protocol)) ms = ip_masq_new_enh(dev, iph->protocol, iph->saddr, portptr[0], iph->daddr, portptr[1], 0, portptr[0]); else #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ ms = ip_masq_new_enh(dev, iph->protocol, iph->saddr, portptr[0], iph->daddr, portptr[1], 0, 0); if (ms == NULL) return -1; #ifdef CONFIG_IP_MASQUERADE_IPSEC if (iph->protocol == IPPROTO_UDP && ntohs(portptr[0]) == UDP_PORT_ISAKMP && ntohs(portptr[1]) == UDP_PORT_ISAKMP) { /* save the initiator cookie */ ms->ospi = *((__u32 *)&portptr[4]); } #endif /* CONFIG_IP_MASQUERADE_IPSEC */ } #ifdef CONFIG_IP_MASQUERADE_PPTP #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT if (iph->protocol == IPPROTO_TCP && ntohs(portptr[1]) == PPTP_CONTROL_PORT) { /* * Packet sent to PPTP control port. Process it. * May change call ID word in request, but * packet length will not change. */ ip_masq_pptp(skb, ms, dev); } #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #endif /* CONFIG_IP_MASQUERADE_PPTP */ /* * Change the fragments origin */ size = skb->len - ((unsigned char *)portptr - skb->h.raw); /* * Set iph addr and port from ip_masq obj. */ iph->saddr = ms->maddr; portptr[0] = ms->mport; /* * Attempt ip_masq_app call. * will fix ip_masq and iph seq stuff */ if (ip_masq_app_pkt_out(ms, skb_ptr, dev) != 0) { /* * skb has possibly changed, update pointers. */ skb = *skb_ptr; iph = skb->h.iph; portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]); size = skb->len - ((unsigned char *)portptr-skb->h.raw); } /* * Adjust packet accordingly to protocol */ if (masq_proto_num(iph->protocol)==0) { #ifdef CONFIG_IP_MASQUERADE_IPSEC if (iph->protocol == IPPROTO_UDP && ntohs(portptr[0]) == UDP_PORT_ISAKMP && ntohs(portptr[1]) == UDP_PORT_ISAKMP) { /* ISAKMP timeout should be same as ESP timeout to allow for rekeying */ timeout = MASQUERADE_EXPIRE_IPSEC; } else #endif /* CONFIG_IP_MASQUERADE_IPSEC */ timeout = ip_masq_expire->udp_timeout; recalc_check((struct udphdr *)portptr,iph->saddr,iph->daddr,size); } else { struct tcphdr *th; th = (struct tcphdr *)portptr; /* Set the flags up correctly... */ if (th->fin) { ms->flags |= IP_MASQ_F_SAW_FIN_OUT; } if (th->rst) { ms->flags |= IP_MASQ_F_SAW_RST; } /* * Timeout depends if FIN packet has been seen * Very short timeout if RST packet seen. */ if (ms->flags & IP_MASQ_F_SAW_RST) { timeout = 1; } else if ((ms->flags & IP_MASQ_F_SAW_FIN) == IP_MASQ_F_SAW_FIN) { timeout = ip_masq_expire->tcp_fin_timeout; } else timeout = ip_masq_expire->tcp_timeout; skb->csum = csum_partial((void *)(th + 1), size - sizeof(*th), 0); tcp_send_check(th,iph->saddr,iph->daddr,size,skb); } ip_masq_set_expire(ms, timeout); ip_send_check(iph); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("O-routed from %lX:%X over %s\n",ntohl(ms->maddr),ntohs(ms->mport),dev->name); #endif return 0; } /* * Handle ICMP messages in forward direction. * Find any that might be relevant, check against existing connections, * forward to masqueraded host if relevant. * Currently handles error types - unreachable, quench, ttl exceeded */ int ip_fw_masq_icmp(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; struct icmphdr *icmph = (struct icmphdr *)((char *)iph + (iph->ihl<<2)); struct iphdr *ciph; /* The ip header contained within the ICMP */ __u16 *pptr; /* port numbers from TCP/UDP contained header */ struct ip_masq *ms; unsigned short len = ntohs(iph->tot_len) - (iph->ihl * 4); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("Incoming forward ICMP (%d,%d) %lX -> %lX\n", icmph->type, ntohs(icmp_id(icmph)), ntohl(iph->saddr), ntohl(iph->daddr)); #endif #ifdef CONFIG_IP_MASQUERADE_ICMP if ((icmph->type == ICMP_ECHO ) || (icmph->type == ICMP_TIMESTAMP ) || (icmph->type == ICMP_INFO_REQUEST ) || (icmph->type == ICMP_ADDRESS )) { #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: icmp request rcv %lX->%lX id %d type %d\n", ntohl(iph->saddr), ntohl(iph->daddr), ntohs(icmp_id(icmph)), icmph->type); #endif ms = ip_masq_out_get_2(iph->protocol, iph->saddr, icmp_id(icmph), iph->daddr, icmp_hv_req(icmph)); if (ms == NULL) { ms = ip_masq_new(dev, iph->protocol, iph->saddr, icmp_id(icmph), iph->daddr, icmp_hv_req(icmph), 0); if (ms == NULL) return (-1); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: Create new icmp entry\n"); #endif } ip_masq_set_expire(ms, 0); /* Rewrite source address */ /* * If sysctl & 3 and either * no pkt has been received yet * or * sysctl & 4 * in this tunnel ... * "You are welcome, diald, ipppd, pppd-3.3...". */ if ( (sysctl_ip_dynaddr & 3) && (ms->flags & IP_MASQ_F_NO_REPLY || sysctl_ip_dynaddr & 4) && dev->pa_addr != ms->maddr) { unsigned long flags; #ifdef DEBUG_CONFIG_IP_MASQUERADE printk(KERN_INFO "ip_fw_masq_icmp(): change masq.addr %s", in_ntoa(ms->maddr)); printk("-> %s\n", in_ntoa(dev->pa_addr)); #endif save_flags(flags); cli(); ip_masq_unhash(ms); ms->maddr = dev->pa_addr; ip_masq_hash(ms); restore_flags(flags); } iph->saddr = ms->maddr; ip_send_check(iph); /* Rewrite port (id) */ (icmph->un).echo.id = ms->mport; icmph->checksum = 0; icmph->checksum = ip_compute_csum((unsigned char *)icmph, len); ip_masq_set_expire(ms, MASQUERADE_EXPIRE_ICMP); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: icmp request rwt %lX->%lX id %d type %d\n", ntohl(iph->saddr), ntohl(iph->daddr), ntohs(icmp_id(icmph)), icmph->type); #endif return (1); } #endif /* * Work through seeing if this is for us. * These checks are supposed to be in an order that * means easy things are checked first to speed up * processing.... however this means that some * packets will manage to get a long way down this * stack and then be rejected, but thats life */ if ((icmph->type != ICMP_DEST_UNREACH) && (icmph->type != ICMP_SOURCE_QUENCH) && (icmph->type != ICMP_TIME_EXCEEDED)) return 0; /* Now find the contained IP header */ ciph = (struct iphdr *) (icmph + 1); #ifdef CONFIG_IP_MASQUERADE_ICMP if (ciph->protocol == IPPROTO_ICMP) { /* * This section handles ICMP errors for ICMP packets */ struct icmphdr *cicmph = (struct icmphdr *)((char *)ciph + (ciph->ihl<<2)); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: fw icmp/icmp rcv %lX->%lX id %d type %d\n", ntohl(ciph->saddr), ntohl(ciph->daddr), ntohs(icmp_id(cicmph)), cicmph->type); #endif ms = ip_masq_out_get_2(ciph->protocol, ciph->daddr, icmp_id(cicmph), ciph->saddr, icmp_hv_rep(cicmph)); if (ms == NULL) return 0; /* Now we do real damage to this packet...! */ /* First change the source IP address, and recalc checksum */ iph->saddr = ms->maddr; ip_send_check(iph); /* Now change the *dest* address in the contained IP */ ciph->daddr = ms->maddr; ip_send_check(ciph); /* Change the ID to the masqed one! */ (cicmph->un).echo.id = ms->mport; /* And finally the ICMP checksum */ icmph->checksum = 0; icmph->checksum = ip_compute_csum((unsigned char *) icmph, len); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: fw icmp/icmp rwt %lX->%lX id %d type %d\n", ntohl(ciph->saddr), ntohl(ciph->daddr), ntohs(icmp_id(cicmph)), cicmph->type); #endif return 1; } #endif /* CONFIG_IP_MASQUERADE_ICMP */ /* We are only interested ICMPs generated from TCP or UDP packets */ if ((ciph->protocol != IPPROTO_UDP) && (ciph->protocol != IPPROTO_TCP)) return 0; /* * Find the ports involved - this packet was * incoming so the ports are right way round * (but reversed relative to outer IP header!) */ pptr = (__u16 *)&(((char *)ciph)[ciph->ihl*4]); /* Ensure the checksum is correct */ if (ip_compute_csum((unsigned char *) icmph, len)) { /* Failed checksum! */ printk(KERN_DEBUG "MASQ: forward ICMP: failed checksum from %s!\n", in_ntoa(iph->saddr)); return(-1); } #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Handling forward ICMP for %lX:%X -> %lX:%X\n", ntohl(ciph->saddr), ntohs(pptr[0]), ntohl(ciph->daddr), ntohs(pptr[1])); #endif /* This is pretty much what ip_masq_out_get() does */ ms = ip_masq_out_get_2(ciph->protocol, ciph->daddr, pptr[1], ciph->saddr, pptr[0]); if (ms == NULL) return 0; /* Now we do real damage to this packet...! */ /* First change the source IP address, and recalc checksum */ iph->saddr = ms->maddr; ip_send_check(iph); /* Now change the *dest* address in the contained IP */ ciph->daddr = ms->maddr; ip_send_check(ciph); /* the TCP/UDP dest port - cannot redo check */ pptr[1] = ms->mport; /* And finally the ICMP checksum */ icmph->checksum = 0; icmph->checksum = ip_compute_csum((unsigned char *) icmph, len); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Rewrote forward ICMP to %lX:%X -> %lX:%X\n", ntohl(ciph->saddr), ntohs(pptr[0]), ntohl(ciph->daddr), ntohs(pptr[1])); #endif return 1; } /* * Handle ICMP messages in reverse (demasquerade) direction. * Find any that might be relevant, check against existing connections, * forward to masqueraded host if relevant. * Currently handles error types - unreachable, quench, ttl exceeded */ int ip_fw_demasq_icmp(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; struct icmphdr *icmph = (struct icmphdr *)((char *)iph + (iph->ihl<<2)); struct iphdr *ciph; /* The ip header contained within the ICMP */ __u16 *pptr; /* port numbers from TCP/UDP contained header */ struct ip_masq *ms; unsigned short len = ntohs(iph->tot_len) - (iph->ihl * 4); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: icmp in/rev (%d,%d) %lX -> %lX\n", icmph->type, ntohs(icmp_id(icmph)), ntohl(iph->saddr), ntohl(iph->daddr)); #endif #ifdef CONFIG_IP_MASQUERADE_ICMP if ((icmph->type == ICMP_ECHOREPLY) || (icmph->type == ICMP_TIMESTAMPREPLY) || (icmph->type == ICMP_INFO_REPLY) || (icmph->type == ICMP_ADDRESSREPLY)) { #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: icmp reply rcv %lX->%lX id %d type %d, req %d\n", ntohl(iph->saddr), ntohl(iph->daddr), ntohs(icmp_id(icmph)), icmph->type, icmp_type_request(icmph->type)); #endif ms = ip_masq_in_get_2(iph->protocol, iph->saddr, icmp_hv_rep(icmph), iph->daddr, icmp_id(icmph)); if (ms == NULL) return 0; ip_masq_set_expire(ms,0); /* * got reply, so clear flag */ ms->flags &= ~IP_MASQ_F_NO_REPLY; /* Reset source address */ iph->daddr = ms->saddr; /* Redo IP header checksum */ ip_send_check(iph); /* Set ID to fake port number */ (icmph->un).echo.id = ms->sport; /* Reset ICMP checksum and set expiry */ icmph->checksum=0; icmph->checksum=ip_compute_csum((unsigned char *)icmph,len); ip_masq_set_expire(ms, MASQUERADE_EXPIRE_ICMP); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: icmp reply rwt %lX->%lX id %d type %d\n", ntohl(iph->saddr), ntohl(iph->daddr), ntohs(icmp_id(icmph)), icmph->type); #endif return 1; } else { #endif if ((icmph->type != ICMP_DEST_UNREACH) && (icmph->type != ICMP_SOURCE_QUENCH) && (icmph->type != ICMP_TIME_EXCEEDED)) return 0; #ifdef CONFIG_IP_MASQUERADE_ICMP } #endif /* * If we get here we have an ICMP error of one of the above 3 types * Now find the contained IP header */ ciph = (struct iphdr *) (icmph + 1); #ifdef CONFIG_IP_MASQUERADE_ICMP if (ciph->protocol == IPPROTO_ICMP) { /* * This section handles ICMP errors for ICMP packets * * First get a new ICMP header structure out of the IP packet */ struct icmphdr *cicmph = (struct icmphdr *)((char *)ciph + (ciph->ihl<<2)); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: rv icmp/icmp rcv %lX->%lX id %d type %d\n", ntohl(ciph->saddr), ntohl(ciph->daddr), ntohs(icmp_id(cicmph)), cicmph->type); #endif ms = ip_masq_in_get_2(ciph->protocol, ciph->daddr, icmp_hv_req(cicmph), ciph->saddr, icmp_id(cicmph)); if (ms == NULL) return 0; /* Now we do real damage to this packet...! */ /* First change the dest IP address, and recalc checksum */ iph->daddr = ms->saddr; ip_send_check(iph); /* Now change the *source* address in the contained IP */ ciph->saddr = ms->saddr; ip_send_check(ciph); /* Change the ID to the original one! */ (cicmph->un).echo.id = ms->sport; /* And finally the ICMP checksum */ icmph->checksum = 0; icmph->checksum = ip_compute_csum((unsigned char *) icmph, len); #ifdef DEBUG_CONFIG_IP_MASQUERADE_ICMP printk("MASQ: rv icmp/icmp rwt %lX->%lX id %d type %d\n", ntohl(ciph->saddr), ntohl(ciph->daddr), ntohs(icmp_id(cicmph)), cicmph->type); #endif return 1; } #endif /* CONFIG_IP_MASQUERADE_ICMP */ /* We are only interested ICMPs generated from TCP or UDP packets */ if ((ciph->protocol != IPPROTO_UDP) && (ciph->protocol != IPPROTO_TCP)) return 0; /* * Find the ports involved - remember this packet was * *outgoing* so the ports are reversed (and addresses) */ pptr = (__u16 *)&(((char *)ciph)[ciph->ihl*4]); if (ntohs(pptr[0]) < PORT_MASQ_BEGIN || ntohs(pptr[0]) > PORT_MASQ_END) return 0; /* Ensure the checksum is correct */ if (ip_compute_csum((unsigned char *) icmph, len)) { /* Failed checksum! */ printk(KERN_DEBUG "MASQ: reverse ICMP: failed checksum from %s!\n", in_ntoa(iph->saddr)); return(-1); } #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Handling reverse ICMP for %lX:%X -> %lX:%X\n", ntohl(ciph->saddr), ntohs(pptr[0]), ntohl(ciph->daddr), ntohs(pptr[1])); #endif /* This is pretty much what ip_masq_in_get() does, except params are wrong way round */ ms = ip_masq_in_get_2(ciph->protocol, ciph->daddr, pptr[1], ciph->saddr, pptr[0]); if (ms == NULL) return 0; /* Now we do real damage to this packet...! */ /* First change the dest IP address, and recalc checksum */ iph->daddr = ms->saddr; ip_send_check(iph); /* Now change the *source* address in the contained IP */ ciph->saddr = ms->saddr; ip_send_check(ciph); /* the TCP/UDP source port - cannot redo check */ pptr[0] = ms->sport; /* And finally the ICMP checksum */ icmph->checksum = 0; icmph->checksum = ip_compute_csum((unsigned char *) icmph, len); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Rewrote reverse ICMP to %lX:%X -> %lX:%X\n", ntohl(ciph->saddr), ntohs(pptr[0]), ntohl(ciph->daddr), ntohs(pptr[1])); #endif return 1; } /* * Check if it's an masqueraded port, look it up, * and send it on its way... * * Better not have many hosts using the designated portrange * as 'normal' ports, or you'll be spending many time in * this function. */ int ip_fw_demasquerade(struct sk_buff **skb_p, struct device *dev) { struct sk_buff *skb = *skb_p; struct iphdr *iph = skb->h.iph; __u16 *portptr; struct ip_masq *ms; unsigned short len; unsigned long timeout = MASQUERADE_EXPIRE_TCP; #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW struct ip_autofw *af; #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ switch (iph->protocol) { case IPPROTO_ICMP: return(ip_fw_demasq_icmp(skb_p, dev)); #ifdef CONFIG_IP_MASQUERADE_PPTP case IPPROTO_GRE: return(ip_fw_demasq_gre(skb_p, dev)); #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC case IPPROTO_ESP: return(ip_fw_demasq_esp(skb_p, dev)); #endif /* CONFIG_IP_MASQUERADE_IPSEC */ case IPPROTO_TCP: case IPPROTO_UDP: /* Make sure packet is in the masq range */ portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]); if ((ntohs(portptr[1]) < PORT_MASQ_BEGIN || ntohs(portptr[1]) > PORT_MASQ_END) #ifdef CONFIG_IP_MASQUERADE_IPSEC && ((iph->protocol != IPPROTO_UDP) || (ntohs(portptr[0]) != UDP_PORT_ISAKMP) || (ntohs(portptr[1]) != UDP_PORT_ISAKMP)) #endif /* CONFIG_IP_MASQUERADE_IPSEC */ #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW && !ip_autofw_check_range(iph->saddr, portptr[1], iph->protocol, 0) && !ip_autofw_check_direct(portptr[1], iph->protocol) && !ip_autofw_check_port(portptr[1], iph->protocol) #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ #ifdef CONFIG_IP_MASQUERADE_IPPORTFW && !ip_portfw_check(iph->protocol, portptr[1], iph->daddr) #endif /* CONFIG_IP_MASQUERADE_IPPORTFW */ ) return 0; /* Check that the checksum is OK */ len = ntohs(iph->tot_len) - (iph->ihl * 4); if ((iph->protocol == IPPROTO_UDP) && (portptr[3] == 0)) /* No UDP checksum */ break; switch (skb->ip_summed) { case CHECKSUM_NONE: skb->csum = csum_partial((char *)portptr, len, 0); case CHECKSUM_HW: if (csum_tcpudp_magic(iph->saddr, iph->daddr, len, iph->protocol, skb->csum)) { printk(KERN_DEBUG "MASQ: failed TCP/UDP checksum from %s!\n", in_ntoa(iph->saddr)); return -1; } default: /* CHECKSUM_UNNECESSARY */ } break; default: return 0; } #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("Incoming %s %lX:%X -> %lX:%X\n", masq_proto_name(iph->protocol), ntohl(iph->saddr), ntohs(portptr[0]), ntohl(iph->daddr), ntohs(portptr[1])); #endif /* * reroute to original host:port if found... */ ms = ip_masq_in_get(iph); #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW if (ms == NULL && (af=ip_autofw_check_range(iph->saddr, portptr[1], iph->protocol, 0))) { #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("ip_autofw_check_range\n"); #endif ms = ip_masq_new_enh(dev, iph->protocol, af->where, portptr[1], iph->saddr, portptr[0], 0, portptr[1]); } if ( ms == NULL && (af=ip_autofw_check_port(portptr[1], iph->protocol)) ) { #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("ip_autofw_check_port\n"); #endif ms = ip_masq_new_enh(dev, iph->protocol, af->where, htons(af->hidden), iph->saddr, portptr[0], IP_MASQ_F_AFW_PORT, htons(af->visible)); } #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ #ifdef CONFIG_IP_MASQUERADE_IPPORTFW /* If no entry exists in the masquerading table, and the port is involved in port forwarding, create a new entry */ { __u32 raddr; __u16 rport; if ((ms == NULL) && (iph->protocol==IPPROTO_TCP || iph->protocol==IPPROTO_UDP) && ip_portfw_lookup(iph->protocol, portptr[1], iph->daddr, &raddr, &rport)) { ms = ip_masq_new_portfw(dev, iph->protocol, raddr, rport, iph->saddr, portptr[0], iph->daddr, portptr[1]); } } #endif /* CONFIG_IP_MASQUERADE_IPPORTFW */ if (ms != NULL) { #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW ip_autofw_update_in(iph->saddr, portptr[1], iph->protocol); #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ /* Stop the timer ticking.... */ ip_masq_set_expire(ms,0); /* * got reply, so clear flag */ ms->flags &= ~IP_MASQ_F_NO_REPLY; /* * Set dport if not defined yet. */ if ( ms->flags & IP_MASQ_F_NO_DPORT && ms->protocol == IPPROTO_TCP ) { ms->flags &= ~IP_MASQ_F_NO_DPORT; ms->dport = portptr[0]; #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("ip_fw_demasquerade(): filled dport=%d\n", ntohs(ms->dport)); #endif } if (ms->flags & IP_MASQ_F_NO_DADDR && ms->protocol == IPPROTO_TCP) { ms->flags &= ~IP_MASQ_F_NO_DADDR; ms->daddr = iph->saddr; #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("ip_fw_demasquerade(): filled daddr=%X\n", ntohs(ms->daddr)); #endif } iph->daddr = ms->saddr; portptr[1] = ms->sport; /* * Attempt ip_masq_app call. * will fix ip_masq and iph ack_seq stuff */ if (ip_masq_app_pkt_in(ms, skb_p, dev) != 0) { /* * skb has changed, update pointers. */ skb = *skb_p; iph = skb->h.iph; portptr = (__u16 *)&(((char *)iph)[iph->ihl*4]); len = ntohs(iph->tot_len) - (iph->ihl * 4); } #ifdef CONFIG_IP_MASQUERADE_PPTP #ifdef CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT if (iph->protocol == IPPROTO_TCP && ntohs(portptr[0]) == PPTP_CONTROL_PORT) { /* * Packet received from PPTP control port. Process it. * May change call ID word in request, but * packet length will not change. */ ip_masq_pptp(skb, ms, dev); } #endif /* CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT */ #endif /* CONFIG_IP_MASQUERADE_PPTP */ /* * Yug! adjust UDP/TCP and IP checksums, also update * timeouts. * If a TCP RST is seen collapse the tunnel (by using short timeout)! */ if (masq_proto_num(iph->protocol)==0) { recalc_check((struct udphdr *)portptr,iph->saddr,iph->daddr,len); #ifdef CONFIG_IP_MASQUERADE_IPSEC if (iph->protocol == IPPROTO_UDP && ntohs(portptr[0]) == UDP_PORT_ISAKMP && ntohs(portptr[1]) == UDP_PORT_ISAKMP) { /* ISAKMP timeout should be same as ESP timeout to allow for rekeying */ timeout = MASQUERADE_EXPIRE_IPSEC; } else #endif /* CONFIG_IP_MASQUERADE_IPSEC */ timeout = ip_masq_expire->udp_timeout; } else { struct tcphdr *th; if(len>=sizeof(struct tcphdr)) { skb->csum = csum_partial((void *)(((struct tcphdr *)portptr) + 1), len - sizeof(struct tcphdr), 0); tcp_send_check((struct tcphdr *)portptr,iph->saddr,iph->daddr,len,skb); /* Check if TCP FIN or RST */ th = (struct tcphdr *)portptr; if (th->fin) { ms->flags |= IP_MASQ_F_SAW_FIN_IN; } if (th->rst) { ms->flags |= IP_MASQ_F_SAW_RST; } /* Now set the timeouts */ if (ms->flags & IP_MASQ_F_SAW_RST) { timeout = 1; } else if ((ms->flags & IP_MASQ_F_SAW_FIN) == IP_MASQ_F_SAW_FIN) { timeout = ip_masq_expire->tcp_fin_timeout; } else timeout = ip_masq_expire->tcp_timeout; } } ip_masq_set_expire(ms, timeout); ip_send_check(iph); #ifdef DEBUG_CONFIG_IP_MASQUERADE printk("I-routed to %lX:%X\n",ntohl(iph->daddr),ntohs(portptr[1])); #endif return 1; } /* sorry, all this trouble for a no-hit :) */ return 0; } /* * /proc/net entries */ #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW static int ip_autofw_procinfo(char *buffer, char **start, off_t offset, int length, int unused) { off_t pos=0, begin=0; struct ip_autofw * af; int len=0; len=sprintf(buffer,"Type Prot Low High Vis Hid Where Last CPto CPrt Timer Flags\n"); for(af = ip_autofw_hosts; af ; af = af->next) { len+=sprintf(buffer+len,"%4X %4X %04X-%04X/%04X %04X %08lX %08lX %04X %04X %6lu %4X\n", af->type, af->protocol, af->low, af->high, af->visible, af->hidden, ntohl(af->where), ntohl(af->lastcontact), af->ctlproto, af->ctlport, (af->timer.expires<jiffies ? 0 : af->timer.expires-jiffies), af->flags); pos=begin+len; if(pos<offset) { len=0; begin=pos; } if(pos>offset+length) break; } *start=buffer+(offset-begin); len-=(offset-begin); if(len>length) len=length; return len; } #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ #ifdef CONFIG_IP_MASQUERADE_IPPORTFW static int ip_portfw_procinfo(char *buffer, char **start, off_t offset, int length, int unused) { off_t pos=0, begin; struct ip_portfw *pf; unsigned long flags; char temp[65]; int ind, raddr, laddr; int len=0; if (offset < 64) { sprintf(temp, "Prot Local Addr/Port > Remote Addr/Port"); len = sprintf(buffer, "%-63s\n", temp); } pos = 64; save_flags(flags); cli(); for(ind = 0; ind < 2; ind++) { for(pf = ipportfw_lst[ind]; pf ; pf = pf->next) { pos += 64; if (pos <= offset) continue; raddr = ntohl(pf->raddr); laddr = ntohl(pf->laddr); sprintf(temp,"%s %d.%d.%d.%d/%d > %d.%d.%d.%d/%d", strProt[ind], (laddr >> 24) & 255, (laddr >> 16) & 255, (laddr >> 8) & 255, laddr & 255, ntohs(pf->lport), (raddr >> 24) & 255, (raddr >> 16) & 255, (raddr >> 8) & 255, raddr & 255, ntohs(pf->rport) ); len += sprintf(buffer+len, "%-63s\n", temp); if (len >= length) goto done; } } done: restore_flags(flags); begin = len - (pos - offset); *start = buffer + begin; len -= begin; if(len>length) len = length; return len; } #endif /* CONFIG_IP_MASQUERADE_IPPORTFW */ static int ip_msqhst_procinfo(char *buffer, char **start, off_t offset, int length, int unused) { off_t pos=0, begin; struct ip_masq *ms; unsigned long flags; char temp[129]; int idx = 0; int len=0; if (offset < 128) { #ifdef CONFIG_IP_MASQUERADE_ICMP sprintf(temp, "Prc FromIP FPrt ToIP TPrt Masq Init-seq Delta PDelta Expires (free=%d,%d,%d)", ip_masq_free_ports[0], ip_masq_free_ports[1], ip_masq_free_ports[2]); #else /* !defined(CONFIG_IP_MASQUERADE_ICMP) */ sprintf(temp, "Prc FromIP FPrt ToIP TPrt Masq Init-seq Delta PDelta Expires (free=%d,%d)", ip_masq_free_ports[0], ip_masq_free_ports[1]); #endif /* CONFIG_IP_MASQUERADE_ICMP */ len = sprintf(buffer, "%-127s\n", temp); } pos = 128; save_flags(flags); cli(); for(idx = 0; idx < IP_MASQ_TAB_SIZE; idx++) for(ms = ip_masq_m_tab[idx]; ms ; ms = ms->m_link) { int timer_active; pos += 128; if (pos <= offset) continue; timer_active = del_timer(&ms->timer); if (!timer_active) ms->timer.expires = jiffies; sprintf(temp,"%s %08lX:%04X %08lX:%04X %04X %08X %6d %6d %7lu", masq_proto_name(ms->protocol), ntohl(ms->saddr), ntohs(ms->sport), ntohl(ms->daddr), ntohs(ms->dport), ntohs(ms->mport), ms->out_seq.init_seq, ms->out_seq.delta, ms->out_seq.previous_delta, ms->timer.expires-jiffies); if (timer_active) add_timer(&ms->timer); len += sprintf(buffer+len, "%-127s\n", temp); if(len >= length) goto done; } done: restore_flags(flags); begin = len - (pos - offset); *start = buffer + begin; len -= begin; if(len>length) len = length; return len; } #ifdef CONFIG_PROC_FS static struct proc_dir_entry pde1 = { PROC_NET_IPMSQHST, 13, "ip_masquerade", S_IFREG | S_IRUGO, 1, 0, 0, 0, &proc_net_inode_operations, ip_msqhst_procinfo }; #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW static struct proc_dir_entry pde2 = { PROC_NET_IPAUTOFW, 9, "ip_autofw", S_IFREG | S_IRUGO, 1, 0, 0, 0, &proc_net_inode_operations, ip_autofw_procinfo }; #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ #endif /* CONFIG_PROC_FS */ /* * Initialize ip masquerading */ int ip_masq_init(void) { register_symtab (&ip_masq_syms); #ifdef CONFIG_IP_MASQUERADE_PPTP register_symtab (&pptp_masq_syms); #endif /* CONFIG_IP_MASQUERADE_PPTP */ #ifdef CONFIG_IP_MASQUERADE_IPSEC register_symtab (&ipsec_masq_syms); #endif /* CONFIG_IP_MASQUERADE_IPSEC */ #ifdef CONFIG_PROC_FS proc_net_register(&pde1); #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW proc_net_register(&pde2); #endif /* CONFIG_IP_MASQUERADE_IPAUTOFW */ #ifdef CONFIG_IP_MASQUERADE_IPPORTFW proc_net_register(&(struct proc_dir_entry) { PROC_NET_IPPORTFW, 9, "ip_portfw", S_IFREG | S_IRUGO , 1, 0, 0, 0, &proc_net_inode_operations, ip_portfw_procinfo }); #endif /* CONFIG_IP_MASQUERADE_IPPORTFW */ #endif /* CONFIG_PROC_FS */ ip_masq_app_init(); #if !defined(MODULE) { extern int ip_masq_ftp_init(void), ip_masq_irc_init(void); extern int ip_masq_raudio_init(void), ip_cuseeme_irc_init(void); extern int ip_masq_vdolive_init(void), ip_quake_irc_init(void); ip_masq_ftp_init(); ip_masq_irc_init(); ip_masq_raudio_init(); ip_masq_cuseeme_init(); ip_masq_vdolive_init(); ip_masq_quake_init(); } #endif /* MODULE */ return 0; }
Go to most recent revision | Compare with Previous | Blame | View Log