[linux-2.6-block.git] / net / ipv4 / netfilter / nf_nat_snmp_basic_main.c

/*
 * nf_nat_snmp_basic.c
 *
 * Basic SNMP Application Layer Gateway
 *
 * This IP NAT module is intended for use with SNMP network
 * discovery and monitoring applications where target networks use
 * conflicting private address realms.
 *
 * Static NAT is used to remap the networks from the view of the network
 * management system at the IP layer, and this module remaps some application
 * layer addresses to match.
 *
 * The simplest form of ALG is performed, where only tagged IP addresses
 * are modified.  The module does not need to be MIB aware and only scans
 * messages at the ASN.1/BER level.
 *
 * Currently, only SNMPv1 and SNMPv2 are supported.
 *
 * More information on ALG and associated issues can be found in
 * RFC 2962
 *
 * The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
 * McLean & Jochen Friedrich, stripped down for use in the kernel.
 *
 * Copyright (c) 2000 RP Internet (www.rpi.net.au).
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 *
 * Author: James Morris <jmorris@intercode.com.au>
 *
 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
 */
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <net/checksum.h>
#include <net/udp.h>

#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <linux/netfilter/nf_conntrack_snmp.h>
#include "nf_nat_snmp_basic.asn1.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");

#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162

static DEFINE_SPINLOCK(snmp_lock);

struct snmp_ctx {
	unsigned char *begin;
	__sum16 *check;
	__be32 from;
	__be32 to;
};

static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
	unsigned char s[12] = {0,};
	int size;

	if (offset & 1) {
		memcpy(&s[1], &ctx->from, 4);
		memcpy(&s[7], &ctx->to, 4);
		s[0] = ~0;
		s[1] = ~s[1];
		s[2] = ~s[2];
		s[3] = ~s[3];
		s[4] = ~s[4];
		s[5] = ~0;
		size = 12;
	} else {
		memcpy(&s[0], &ctx->from, 4);
		memcpy(&s[4], &ctx->to, 4);
		s[0] = ~s[0];
		s[1] = ~s[1];
		s[2] = ~s[2];
		s[3] = ~s[3];
		size = 8;
	}
	*ctx->check = csum_fold(csum_partial(s, size,
					     ~csum_unfold(*ctx->check)));
}

int snmp_version(void *context, size_t hdrlen, unsigned char tag,
		 const void *data, size_t datalen)
{
	if (*(unsigned char *)data > 1)
		return -ENOTSUPP;
	return 1;
}

int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
		const void *data, size_t datalen)
{
	struct snmp_ctx *ctx = (struct snmp_ctx *)context;
	__be32 *pdata = (__be32 *)data;

	if (*pdata == ctx->from) {
		pr_debug("%s: %pI4 to %pI4\n", __func__,
			 (void *)&ctx->from, (void *)&ctx->to);

		if (*ctx->check)
			fast_csum(ctx, (unsigned char *)data - ctx->begin);
		*pdata = ctx->to;
	}

	return 1;
}

static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
	struct iphdr *iph = ip_hdr(skb);
	struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
	u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
	char *data = (unsigned char *)udph + sizeof(struct udphdr);
	struct snmp_ctx ctx;
	int ret;

	if (dir == IP_CT_DIR_ORIGINAL) {
		ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
	} else {
		ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
	}

	if (ctx.from == ctx.to)
		return NF_ACCEPT;

	ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
	ctx.check = &udph->check;
	ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
	if (ret < 0) {
		nf_ct_helper_log(skb, ct, "parser failed\n");
		return NF_DROP;
	}

	return NF_ACCEPT;
}

/* We don't actually set up expectations, just adjust internal IP
 * addresses if this is being NATted
 */
static int help(struct sk_buff *skb, unsigned int protoff,
		struct nf_conn *ct,
		enum ip_conntrack_info ctinfo)
{
	int dir = CTINFO2DIR(ctinfo);
	unsigned int ret;
	const struct iphdr *iph = ip_hdr(skb);
	const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);

	/* SNMP replies and originating SNMP traps get mangled */
	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
		return NF_ACCEPT;
	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
		return NF_ACCEPT;

	/* No NAT? */
	if (!(ct->status & IPS_NAT_MASK))
		return NF_ACCEPT;

	/* Make sure the packet length is ok.  So far, we were only guaranteed
	 * to have a valid length IP header plus 8 bytes, which means we have
	 * enough room for a UDP header.  Just verify the UDP length field so we
	 * can mess around with the payload.
	 */
	if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
		nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
		return NF_DROP;
	}

	if (!skb_make_writable(skb, skb->len)) {
		nf_ct_helper_log(skb, ct, "cannot mangle packet");
		return NF_DROP;
	}

	spin_lock_bh(&snmp_lock);
	ret = snmp_translate(ct, dir, skb);
	spin_unlock_bh(&snmp_lock);
	return ret;
}

static const struct nf_conntrack_expect_policy snmp_exp_policy = {
	.max_expected	= 0,
	.timeout	= 180,
};

static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
	.me			= THIS_MODULE,
	.help			= help,
	.expect_policy		= &snmp_exp_policy,
	.name			= "snmp_trap",
	.tuple.src.l3num	= AF_INET,
	.tuple.src.u.udp.port	= cpu_to_be16(SNMP_TRAP_PORT),
	.tuple.dst.protonum	= IPPROTO_UDP,
};

static int __init nf_nat_snmp_basic_init(void)
{
	BUG_ON(nf_nat_snmp_hook != NULL);
	RCU_INIT_POINTER(nf_nat_snmp_hook, help);

	return nf_conntrack_helper_register(&snmp_trap_helper);
}

static void __exit nf_nat_snmp_basic_fini(void)
{
	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
	synchronize_rcu();
	nf_conntrack_helper_unregister(&snmp_trap_helper);
}

module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);
Commit	Line	Data
cc2d5863 TY	1	/*
	2	* nf_nat_snmp_basic.c
	3	*
	4	* Basic SNMP Application Layer Gateway
	5	*
	6	* This IP NAT module is intended for use with SNMP network
	7	* discovery and monitoring applications where target networks use
	8	* conflicting private address realms.
	9	*
	10	* Static NAT is used to remap the networks from the view of the network
	11	* management system at the IP layer, and this module remaps some application
	12	* layer addresses to match.
	13	*
	14	* The simplest form of ALG is performed, where only tagged IP addresses
	15	* are modified. The module does not need to be MIB aware and only scans
	16	* messages at the ASN.1/BER level.
	17	*
	18	* Currently, only SNMPv1 and SNMPv2 are supported.
	19	*
	20	* More information on ALG and associated issues can be found in
	21	* RFC 2962
	22	*
	23	* The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
	24	* McLean & Jochen Friedrich, stripped down for use in the kernel.
	25	*
	26	* Copyright (c) 2000 RP Internet (www.rpi.net.au).
	27	*
	28	* This program is free software; you can redistribute it and/or modify
	29	* it under the terms of the GNU General Public License as published by
	30	* the Free Software Foundation; either version 2 of the License, or
	31	* (at your option) any later version.
	32	* This program is distributed in the hope that it will be useful,
	33	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	34	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	35	* GNU General Public License for more details.
	36	* You should have received a copy of the GNU General Public License
	37	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	38	*
	39	* Author: James Morris <jmorris@intercode.com.au>
	40	*
	41	* Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
	42	*/
	43	#include <linux/module.h>
	44	#include <linux/moduleparam.h>
	45	#include <linux/types.h>
	46	#include <linux/kernel.h>
	47	#include <linux/in.h>
	48	#include <linux/ip.h>
	49	#include <linux/udp.h>
	50	#include <net/checksum.h>
	51	#include <net/udp.h>
	52
	53	#include <net/netfilter/nf_nat.h>
	54	#include <net/netfilter/nf_conntrack_expect.h>
	55	#include <net/netfilter/nf_conntrack_helper.h>
	56	#include <linux/netfilter/nf_conntrack_snmp.h>
4fa8bc94	57	#include "nf_nat_snmp_basic.asn1.h"
cc2d5863 TY	58
	59	MODULE_LICENSE("GPL");
	60	MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
	61	MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
	62	MODULE_ALIAS("ip_nat_snmp_basic");
	63
	64	#define SNMP_PORT 161
	65	#define SNMP_TRAP_PORT 162
	66
	67	static DEFINE_SPINLOCK(snmp_lock);
	68
	69	struct snmp_ctx {
	70	unsigned char *begin;
	71	__sum16 *check;
	72	__be32 from;
	73	__be32 to;
	74	};
	75
	76	static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
	77	{
	78	unsigned char s[12] = {0,};
	79	int size;
	80
	81	if (offset & 1) {
	82	memcpy(&s[1], &ctx->from, 4);
	83	memcpy(&s[7], &ctx->to, 4);
	84	s[0] = ~0;
	85	s[1] = ~s[1];
	86	s[2] = ~s[2];
	87	s[3] = ~s[3];
	88	s[4] = ~s[4];
	89	s[5] = ~0;
	90	size = 12;
	91	} else {
	92	memcpy(&s[0], &ctx->from, 4);
	93	memcpy(&s[4], &ctx->to, 4);
	94	s[0] = ~s[0];
	95	s[1] = ~s[1];
	96	s[2] = ~s[2];
	97	s[3] = ~s[3];
	98	size = 8;
	99	}
	100	*ctx->check = csum_fold(csum_partial(s, size,
	101	~csum_unfold(*ctx->check)));
	102	}
	103
	104	int snmp_version(void *context, size_t hdrlen, unsigned char tag,
	105	const void *data, size_t datalen)
	106	{
	107	if ((unsigned char )data > 1)
	108	return -ENOTSUPP;
	109	return 1;
	110	}
	111
	112	int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
	113	const void *data, size_t datalen)
	114	{
	115	struct snmp_ctx ctx = (struct snmp_ctx )context;
	116	__be32 pdata = (__be32 )data;
	117
	118	if (*pdata == ctx->from) {
	119	pr_debug("%s: %pI4 to %pI4\n", __func__,
	120	(void )&ctx->from, (void )&ctx->to);
	121
122	if (*ctx->check)
123	fast_csum(ctx, (unsigned char *)data - ctx->begin);
124	*pdata = ctx->to;
125	}
126
127	return 1;
128	}
129
130	static int snmp_translate(struct nf_conn ct, int dir, struct sk_buff skb)
131	{
132	struct iphdr *iph = ip_hdr(skb);
133	struct udphdr udph = (struct udphdr )((__be32 *)iph + iph->ihl);
134	u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
135	char data = (unsigned char )udph + sizeof(struct udphdr);
136	struct snmp_ctx ctx;
137	int ret;
138
139	if (dir == IP_CT_DIR_ORIGINAL) {
140	ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
141	ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
142	} else {
143	ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
144	ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
145	}
146
147	if (ctx.from == ctx.to)
148	return NF_ACCEPT;
149
150	ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
151	ctx.check = &udph->check;
152	ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
153	if (ret < 0) {
154	nf_ct_helper_log(skb, ct, "parser failed\n");
155	return NF_DROP;
156	}
157
158	return NF_ACCEPT;
159	}
160
161	/* We don't actually set up expectations, just adjust internal IP
162	* addresses if this is being NATted
163	*/
164	static int help(struct sk_buff *skb, unsigned int protoff,
165	struct nf_conn *ct,
166	enum ip_conntrack_info ctinfo)
167	{
168	int dir = CTINFO2DIR(ctinfo);
169	unsigned int ret;
170	const struct iphdr *iph = ip_hdr(skb);
171	const struct udphdr udph = (struct udphdr )((__be32 *)iph + iph->ihl);
172
173	/* SNMP replies and originating SNMP traps get mangled */
174	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
175	return NF_ACCEPT;
176	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
177	return NF_ACCEPT;
178
179	/* No NAT? */
180	if (!(ct->status & IPS_NAT_MASK))
181	return NF_ACCEPT;
182
183	/* Make sure the packet length is ok. So far, we were only guaranteed
184	* to have a valid length IP header plus 8 bytes, which means we have
185	* enough room for a UDP header. Just verify the UDP length field so we
186	* can mess around with the payload.
187	*/
188	if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
189	nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
190	return NF_DROP;
191	}
192
193	if (!skb_make_writable(skb, skb->len)) {
194	nf_ct_helper_log(skb, ct, "cannot mangle packet");
195	return NF_DROP;
196	}
197
198	spin_lock_bh(&snmp_lock);
199	ret = snmp_translate(ct, dir, skb);
200	spin_unlock_bh(&snmp_lock);
201	return ret;
202	}
203
204	static const struct nf_conntrack_expect_policy snmp_exp_policy = {
205	.max_expected = 0,
206	.timeout = 180,
207	};
208
209	static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
210	.me = THIS_MODULE,
211	.help = help,
212	.expect_policy = &snmp_exp_policy,
213	.name = "snmp_trap",
214	.tuple.src.l3num = AF_INET,
215	.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
216	.tuple.dst.protonum = IPPROTO_UDP,
217	};
218
219	static int __init nf_nat_snmp_basic_init(void)
220	{
221	BUG_ON(nf_nat_snmp_hook != NULL);
222	RCU_INIT_POINTER(nf_nat_snmp_hook, help);
223
224	return nf_conntrack_helper_register(&snmp_trap_helper);
225	}
226
227	static void __exit nf_nat_snmp_basic_fini(void)
228	{
229	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
230	synchronize_rcu();
231	nf_conntrack_helper_unregister(&snmp_trap_helper);
232	}
233
234	module_init(nf_nat_snmp_basic_init);
235	module_exit(nf_nat_snmp_basic_fini);