1 | /* |
2 | * nf_nat_snmp_basic.c | |
3 | * | |
4 | * Basic SNMP Application Layer Gateway | |
5 | * | |
6 | * This IP NAT module is intended for use with SNMP network | |
7 | * discovery and monitoring applications where target networks use | |
8 | * conflicting private address realms. | |
9 | * | |
10 | * Static NAT is used to remap the networks from the view of the network | |
11 | * management system at the IP layer, and this module remaps some application | |
12 | * layer addresses to match. | |
13 | * | |
14 | * The simplest form of ALG is performed, where only tagged IP addresses | |
15 | * are modified. The module does not need to be MIB aware and only scans | |
16 | * messages at the ASN.1/BER level. | |
17 | * | |
18 | * Currently, only SNMPv1 and SNMPv2 are supported. | |
19 | * | |
20 | * More information on ALG and associated issues can be found in | |
21 | * RFC 2962 | |
22 | * | |
23 | * The ASN.1/BER parsing code is derived from the gxsnmp package by Gregory | |
24 | * McLean & Jochen Friedrich, stripped down for use in the kernel. | |
25 | * | |
26 | * Copyright (c) 2000 RP Internet (www.rpi.net.au). | |
27 | * | |
28 | * This program is free software; you can redistribute it and/or modify | |
29 | * it under the terms of the GNU General Public License as published by | |
30 | * the Free Software Foundation; either version 2 of the License, or | |
31 | * (at your option) any later version. | |
32 | * This program is distributed in the hope that it will be useful, | |
33 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
34 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
35 | * GNU General Public License for more details. | |
36 | * You should have received a copy of the GNU General Public License | |
37 | * along with this program; if not, see <http://www.gnu.org/licenses/>. | |
38 | * | |
39 | * Author: James Morris <jmorris@intercode.com.au> | |
40 | * | |
41 | * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net> | |
42 | */ | |
43 | #include <linux/module.h> | |
44 | #include <linux/moduleparam.h> | |
45 | #include <linux/types.h> | |
46 | #include <linux/kernel.h> | |
47 | #include <linux/in.h> | |
48 | #include <linux/ip.h> | |
49 | #include <linux/udp.h> | |
50 | #include <net/checksum.h> | |
51 | #include <net/udp.h> | |
52 | ||
53 | #include <net/netfilter/nf_nat.h> | |
54 | #include <net/netfilter/nf_conntrack_expect.h> | |
55 | #include <net/netfilter/nf_conntrack_helper.h> | |
56 | #include <linux/netfilter/nf_conntrack_snmp.h> | |
4fa8bc94 | 57 | #include "nf_nat_snmp_basic.asn1.h" |
58 | |
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");

/* Well-known UDP ports: SNMP requests/replies (161) and SNMP traps (162).
 * help() compares the packet's ports against them to decide which
 * direction of a flow is eligible for mangling.
 */
#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162

/* Held (bottom halves disabled) around snmp_translate() in help(), so the
 * payload rewrite of one packet completes before another one starts.
 */
static DEFINE_SPINLOCK(snmp_lock);
68 | ||
/* Per-packet state passed to the ASN.1 decoder callbacks (snmp_version,
 * snmp_helper) through the decoder's opaque context pointer.
 */
struct snmp_ctx {
	unsigned char *begin;	/* start of the UDP payload; byte offsets for the checksum fix-up are relative to it */
	__sum16 *check;		/* the UDP checksum field, adjusted in place by fast_csum() */
	__be32 from;		/* pre-NAT address searched for in IpAddress elements */
	__be32 to;		/* post-NAT address written in its place */
};
75 | ||
/* Incrementally adjust the UDP checksum after the 4-byte address at byte
 * @offset within the payload is rewritten from ctx->from to ctx->to.
 *
 * csum_partial() is seeded with the complement of the current checksum and
 * fed the one's complement of the old address (which removes it from the sum)
 * followed by the new address (which adds it); the result is folded back to
 * 16 bits.  Only the parity of @offset matters, so the caller truncating the
 * real offset to unsigned char is harmless: at an odd offset both addresses
 * are shifted by one byte so they line up with the packet's 16-bit checksum
 * words, and the pad bytes around the old address are ~0 so the complemented
 * 6-byte span still reads as ~{0, from, 0}.
 */
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
	unsigned int odd = offset & 1;
	unsigned char buf[12] = {0,};
	unsigned int i;

	if (odd) {
		buf[0] = 0xff;
		buf[5] = 0xff;
	}
	memcpy(&buf[odd], &ctx->from, 4);
	for (i = odd; i < odd + 4; i++)
		buf[i] = ~buf[i];
	memcpy(&buf[odd ? 7 : 4], &ctx->to, 4);

	*ctx->check = csum_fold(csum_partial(buf, odd ? 12 : 8,
					     ~csum_unfold(*ctx->check)));
}
103 | ||
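/* ASN.1 decoder callback for the SNMP message "version" INTEGER.
 *
 * Only the first content byte is examined (a multi-byte INTEGER is not
 * interpreted).  Version 0 and 1 (SNMPv1 / SNMPv2c on the wire) are accepted.
 * @context, @hdrlen and @tag are unused.
 *
 * Returns 1 to continue decoding, -ENOTSUPP for any other version, and
 * -EINVAL for a zero-length element, which the original code would have read
 * one byte past.
 */
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
		 const void *data, size_t datalen)
{
	if (datalen < 1)
		return -EINVAL;
	if (*(unsigned char *)data > 1)
		return -ENOTSUPP;
	return 1;
}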
111 | ||
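/* ASN.1 decoder callback for IpAddress elements.
 *
 * If the address in @data equals ctx->from it is rewritten in place to
 * ctx->to.  When the UDP checksum is non-zero (a zero checksum means "none"
 * for UDP over IPv4) it is fixed up first via fast_csum(), which only needs
 * the parity of the element's byte offset from ctx->begin.  @hdrlen and @tag
 * are unused.
 *
 * Returns 1 to continue decoding, or -EINVAL if the element is not exactly
 * four bytes long: both the compare and the write below touch four bytes, so
 * a shorter element must not reach them.
 */
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
		const void *data, size_t datalen)
{
	struct snmp_ctx *ctx = (struct snmp_ctx *)context;
	__be32 *pdata;

	if (datalen != 4)
		return -EINVAL;

	pdata = (__be32 *)data;
	if (*pdata != ctx->from)
		return 1;

	pr_debug("%s: %pI4 to %pI4\n", __func__,
		 (void *)&ctx->from, (void *)&ctx->to);

	if (*ctx->check)
		fast_csum(ctx, (unsigned char *)data - ctx->begin);
	*pdata = ctx->to;

	return 1;
}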
129 | ||
/* Rewrite every IpAddress element in the SNMP payload of @skb that carries the
 * pre-NAT address with the post-NAT one, adjusting the UDP checksum as we go.
 *
 * The address pair comes from the conntrack tuples: the source address of the
 * tuple on the original side and the destination address of the tuple on the
 * opposite side.  Both arms of the direction test pick the same pair, since
 * `!dir` flips between the two directions; only the index naming differs.
 * Nothing is done when the two addresses are equal (no address NAT on this
 * flow).
 *
 * Returns NF_ACCEPT, or NF_DROP when the ASN.1/BER decoder rejects the payload.
 * Called from help() with snmp_lock held and the skb already made writable.
 */
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
	struct iphdr *iph = ip_hdr(skb);
	struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
	unsigned char *payload = (unsigned char *)udph + sizeof(struct udphdr);
	u16 payload_len = ntohs(udph->len) - sizeof(struct udphdr);
	int orig_side = (dir == IP_CT_DIR_ORIGINAL) ? dir : !dir;
	int reply_side = (dir == IP_CT_DIR_ORIGINAL) ? !dir : dir;
	struct snmp_ctx ctx = {
		.begin = payload,
		.check = &udph->check,
		.from = ct->tuplehash[orig_side].tuple.src.u3.ip,
		.to = ct->tuplehash[reply_side].tuple.dst.u3.ip,
	};

	if (ctx.from == ctx.to)
		return NF_ACCEPT;

	if (asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx,
			     payload, payload_len) < 0) {
		nf_ct_helper_log(skb, ct, "parser failed\n");
		return NF_DROP;
	}

	return NF_ACCEPT;
}
160 | ||
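/* Conntrack/NAT helper entry point.  We don't actually set up expectations,
 * just adjust internal IP addresses if this is being NATted.
 *
 * A packet with source port SNMP_PORT is only mangled in the reply direction,
 * and a packet to SNMP_TRAP_PORT only in the original direction; everything
 * else with both ports elsewhere falls through.  Flows without NAT are left
 * alone.  Before the payload is touched the UDP length field is checked
 * against the real packet length (the conntrack core only guarantees an IP
 * header plus 8 bytes) and the skb is made writable.  @protoff is unused;
 * the UDP header is located from the IP header length instead.
 *
 * Returns NF_ACCEPT, or NF_DROP for a malformed or unwritable packet, or for a
 * payload the ASN.1 decoder rejects.
 */
static int help(struct sk_buff *skb, unsigned int protoff,
		struct nf_conn *ct,
		enum ip_conntrack_info ctinfo)
{
	int dir = CTINFO2DIR(ctinfo);
	unsigned int ret;
	const struct iphdr *iph = ip_hdr(skb);
	const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);

	/* SNMP replies and originating SNMP traps get mangled */
	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
		return NF_ACCEPT;
	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
		return NF_ACCEPT;

	/* No NAT? */
	if (!(ct->status & IPS_NAT_MASK))
		return NF_ACCEPT;

	/* Make sure the packet length is ok. So far, we were only guaranteed
	 * to have a valid length IP header plus 8 bytes, which means we have
	 * enough room for a UDP header. Just verify the UDP length field so we
	 * can mess around with the payload.
	 */
	if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
		nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
		return NF_DROP;
	}

	/* Linearise/unshare before snmp_translate() writes into the payload. */
	if (!skb_make_writable(skb, skb->len)) {
		/* Newline added to match the other helper log messages. */
		nf_ct_helper_log(skb, ct, "cannot mangle packet\n");
		return NF_DROP;
	}

	spin_lock_bh(&snmp_lock);
	ret = snmp_translate(ct, dir, skb);
	spin_unlock_bh(&snmp_lock);
	return ret;
}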
203 | ||
/* This module never creates expectations (max_expected = 0); the policy is
 * supplied only because the helper registration needs one.
 */
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
	.max_expected = 0,
	.timeout = 180,
};

/* Helper bound to SNMP traps: IPv4, UDP, port SNMP_TRAP_PORT.  Traffic on
 * SNMP_PORT reaches help() instead through nf_nat_snmp_hook, which
 * nf_nat_snmp_basic_init() points at help() (the hook's caller lives outside
 * this file).
 */
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
	.me = THIS_MODULE,
	.help = help,
	.expect_policy = &snmp_exp_policy,
	.name = "snmp_trap",
	.tuple.src.l3num = AF_INET,
	.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
	.tuple.dst.protonum = IPPROTO_UDP,
};
218 | ||
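/* Module init: publish help() through nf_nat_snmp_hook (its reader lives
 * outside this file) and register the trap helper.  The hook must be unset
 * when we load; a second instance is a bug.
 *
 * Returns 0, or the error from nf_conntrack_helper_register().  On failure
 * the hook is cleared again and RCU readers drained, mirroring
 * nf_nat_snmp_basic_fini(); otherwise a pointer into this module's text would
 * survive the failed load and the module's unload.
 */
static int __init nf_nat_snmp_basic_init(void)
{
	int ret;

	BUG_ON(nf_nat_snmp_hook != NULL);
	RCU_INIT_POINTER(nf_nat_snmp_hook, help);

	ret = nf_conntrack_helper_register(&snmp_trap_helper);
	if (ret < 0) {
		RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
		synchronize_rcu();
	}
	return ret;
}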
226 | ||
/* Module exit.  The order matters: unpublish the hook first, wait for any
 * RCU reader that may still be calling through it, and only then unregister
 * the helper so neither path can run into unloaded code.
 */
static void __exit nf_nat_snmp_basic_fini(void)
{
	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
	synchronize_rcu();
	nf_conntrack_helper_unregister(&snmp_trap_helper);
}
233 | ||
/* Module entry/exit registration. */
module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);