| 1/* $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 145522 2005-04-25 18:43:14Z darrenr $ */ 2
|
1/*
| 3/*
|
2 * $Id: ip_rcmd_pxy.c,v 1.4.2.7 2003/04/26 05:59:39 darrenr Exp $ 3 */ 4/*
| 4 * Copyright (C) 1998-2003 by Darren Reed 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 * 8 * Id: ip_rcmd_pxy.c,v 1.41.2.4 2005/02/04 10:22:55 darrenr Exp 9 *
|
5 * Simple RCMD transparent proxy for in-kernel use. For use with the NAT 6 * code.
| 10 * Simple RCMD transparent proxy for in-kernel use. For use with the NAT 11 * code.
|
7 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 130886 2004-06-21 22:46:36Z darrenr $
| 12 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 145522 2005-04-25 18:43:14Z darrenr $
|
8 */
| 13 */
|
9#if SOLARIS && defined(_KERNEL) 10extern kmutex_t ipf_rw; 11#endif
| |
12
| 14
|
13#define isdigit(x) ((x) >= '0' && (x) <= '9') 14
| |
15#define IPF_RCMD_PROXY 16 17 18int ippr_rcmd_init __P((void));
| 15#define IPF_RCMD_PROXY 16 17 18int ippr_rcmd_init __P((void));
|
19int ippr_rcmd_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); 20int ippr_rcmd_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
| 19void ippr_rcmd_fini __P((void)); 20int ippr_rcmd_new __P((fr_info_t *, ap_session_t *, nat_t *)); 21int ippr_rcmd_out __P((fr_info_t *, ap_session_t *, nat_t *)); 22int ippr_rcmd_in __P((fr_info_t *, ap_session_t *, nat_t *));
|
21u_short ipf_rcmd_atoi __P((char *));
| 23u_short ipf_rcmd_atoi __P((char *));
|
22int ippr_rcmd_portmsg __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
| 24int ippr_rcmd_portmsg __P((fr_info_t *, ap_session_t *, nat_t *));
|
23 24static frentry_t rcmdfr; 25
| 25 26static frentry_t rcmdfr; 27
|
| 28int rcmd_proxy_init = 0;
|
26
| 29
|
| 30
|
27/* 28 * RCMD application proxy initialization. 29 */ 30int ippr_rcmd_init() 31{ 32 bzero((char *)&rcmdfr, sizeof(rcmdfr)); 33 rcmdfr.fr_ref = 1; 34 rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
| 31/* 32 * RCMD application proxy initialization. 33 */ 34int ippr_rcmd_init() 35{ 36 bzero((char *)&rcmdfr, sizeof(rcmdfr)); 37 rcmdfr.fr_ref = 1; 38 rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
|
| 39 MUTEX_INIT(&rcmdfr.fr_lock, "RCMD proxy rule lock"); 40 rcmd_proxy_init = 1; 41
|
35 return 0; 36} 37 38
| 42 return 0; 43} 44 45
|
| 46void ippr_rcmd_fini() 47{ 48 if (rcmd_proxy_init == 1) { 49 MUTEX_DESTROY(&rcmdfr.fr_lock); 50 rcmd_proxy_init = 0; 51 } 52} 53 54
|
39/* 40 * Setup for a new RCMD proxy. 41 */
| 55/* 56 * Setup for a new RCMD proxy. 57 */
|
42int ippr_rcmd_new(fin, ip, aps, nat)
| 58int ippr_rcmd_new(fin, aps, nat)
|
43fr_info_t *fin;
| 59fr_info_t *fin;
|
44ip_t *ip;
| |
45ap_session_t *aps; 46nat_t *nat; 47{ 48 tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; 49
| 60ap_session_t *aps; 61nat_t *nat; 62{ 63 tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp; 64
|
| 65 fin = fin; /* LINT */ 66 nat = nat; /* LINT */ 67
|
50 aps->aps_psiz = sizeof(u_32_t); 51 KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
| 68 aps->aps_psiz = sizeof(u_32_t); 69 KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
|
52 if (aps->aps_data == NULL)
| 70 if (aps->aps_data == NULL) { 71#ifdef IP_RCMD_PROXY_DEBUG 72 printf("ippr_rcmd_new:KMALLOCS(%d) failed\n", sizeof(u_32_t)); 73#endif
|
53 return -1;
| 74 return -1;
|
| 75 }
|
54 *(u_32_t *)aps->aps_data = 0; 55 aps->aps_sport = tcp->th_sport; 56 aps->aps_dport = tcp->th_dport; 57 return 0; 58} 59 60 61/* 62 * ipf_rcmd_atoi - implement a simple version of atoi 63 */ 64u_short ipf_rcmd_atoi(ptr) 65char *ptr; 66{ 67 register char *s = ptr, c; 68 register u_short i = 0; 69
| 76 *(u_32_t *)aps->aps_data = 0; 77 aps->aps_sport = tcp->th_sport; 78 aps->aps_dport = tcp->th_dport; 79 return 0; 80} 81 82 83/* 84 * ipf_rcmd_atoi - implement a simple version of atoi 85 */ 86u_short ipf_rcmd_atoi(ptr) 87char *ptr; 88{ 89 register char *s = ptr, c; 90 register u_short i = 0; 91
|
70 while ((c = *s++) && isdigit(c)) {
| 92 while (((c = *s++) != '\0') && ISDIGIT(c)) {
|
71 i *= 10; 72 i += c - '0'; 73 } 74 return i; 75} 76 77
| 93 i *= 10; 94 i += c - '0'; 95 } 96 return i; 97} 98 99
|
78int ippr_rcmd_portmsg(fin, ip, aps, nat)
| 100int ippr_rcmd_portmsg(fin, aps, nat)
|
79fr_info_t *fin;
| 101fr_info_t *fin;
|
80ip_t *ip;
| |
81ap_session_t *aps; 82nat_t *nat; 83{
| 102ap_session_t *aps; 103nat_t *nat; 104{
|
84 char portbuf[8], *s; 85 struct in_addr swip; 86 int off, dlen;
| |
87 tcphdr_t *tcp, tcph, *tcp2 = &tcph;
| 105 tcphdr_t *tcp, tcph, *tcp2 = &tcph;
|
| 106 struct in_addr swip, swip2; 107 int off, dlen, nflags; 108 char portbuf[8], *s;
|
88 fr_info_t fi; 89 u_short sp;
| 109 fr_info_t fi; 110 u_short sp;
|
90 nat_t *ipn;
| 111 nat_t *nat2; 112 ip_t *ip;
|
91 mb_t *m; 92 93 tcp = (tcphdr_t *)fin->fin_dp; 94 95 if (tcp->th_flags & TH_SYN) { 96 *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1); 97 return 0; 98 } 99 100 if ((*(u_32_t *)aps->aps_data != 0) && 101 (tcp->th_seq != *(u_32_t *)aps->aps_data)) 102 return 0; 103
| 113 mb_t *m; 114 115 tcp = (tcphdr_t *)fin->fin_dp; 116 117 if (tcp->th_flags & TH_SYN) { 118 *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1); 119 return 0; 120 } 121 122 if ((*(u_32_t *)aps->aps_data != 0) && 123 (tcp->th_seq != *(u_32_t *)aps->aps_data)) 124 return 0; 125
|
104 off = fin->fin_hlen + (tcp->th_off << 2);
| 126 m = fin->fin_m; 127 ip = fin->fin_ip; 128 off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
|
105
| 129
|
106#if SOLARIS 107 m = fin->fin_qfm; 108 109 dlen = msgdsize(m) - off; 110 bzero(portbuf, sizeof(portbuf)); 111 copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
| 130#ifdef __sgi 131 dlen = fin->fin_plen - off;
|
112#else
| 132#else
|
113 m = *(mb_t **)fin->fin_mp; 114 dlen = mbufchainlen(m) - off; 115 bzero(portbuf, sizeof(portbuf)); 116 m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
| 133 dlen = MSGDSIZE(m) - off;
|
117#endif
| 134#endif
|
| 135 if (dlen <= 0) 136 return 0;
|
118
| 137
|
| 138 bzero(portbuf, sizeof(portbuf)); 139 COPYDATA(m, off, MIN(sizeof(portbuf), dlen), portbuf); 140
|
119 portbuf[sizeof(portbuf) - 1] = '\0'; 120 s = portbuf; 121 sp = ipf_rcmd_atoi(s);
| 141 portbuf[sizeof(portbuf) - 1] = '\0'; 142 s = portbuf; 143 sp = ipf_rcmd_atoi(s);
|
122 if (!sp)
| 144 if (sp == 0) { 145#ifdef IP_RCMD_PROXY_DEBUG 146 printf("ippr_rcmd_portmsg:sp == 0 dlen %d [%s]\n", 147 dlen, portbuf); 148#endif
|
123 return 0;
| 149 return 0;
|
| 150 }
|
124 125 /* 126 * Add skeleton NAT entry for connection which will come back the 127 * other way. 128 */ 129 bcopy((char *)fin, (char *)&fi, sizeof(fi));
| 151 152 /* 153 * Add skeleton NAT entry for connection which will come back the 154 * other way. 155 */ 156 bcopy((char *)fin, (char *)&fi, sizeof(fi));
|
| 157 fi.fin_flx |= FI_IGNORE;
|
130 fi.fin_data[0] = sp;
| 158 fi.fin_data[0] = sp;
|
131 fi.fin_data[1] = fin->fin_data[1]; 132 ipn = nat_outlookup(&fi, IPN_TCP, nat->nat_p, nat->nat_inip, 133 ip->ip_dst, 0); 134 if (ipn == NULL) {
| 159 fi.fin_data[1] = 0; 160 if (nat->nat_dir == NAT_OUTBOUND) 161 nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p, 162 nat->nat_inip, nat->nat_oip); 163 else 164 nat2 = nat_inlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p, 165 nat->nat_inip, nat->nat_oip); 166 if (nat2 == NULL) {
|
135 int slen; 136 137 slen = ip->ip_len; 138 ip->ip_len = fin->fin_hlen + sizeof(*tcp); 139 bzero((char *)tcp2, sizeof(*tcp2)); 140 tcp2->th_win = htons(8192); 141 tcp2->th_sport = htons(sp); 142 tcp2->th_dport = 0; /* XXX - don't specify remote port */
| 167 int slen; 168 169 slen = ip->ip_len; 170 ip->ip_len = fin->fin_hlen + sizeof(*tcp); 171 bzero((char *)tcp2, sizeof(*tcp2)); 172 tcp2->th_win = htons(8192); 173 tcp2->th_sport = htons(sp); 174 tcp2->th_dport = 0; /* XXX - don't specify remote port */
|
143 tcp2->th_off = 5;
| 175 TCP_OFF_A(tcp2, 5);
|
144 tcp2->th_flags = TH_SYN;
| 176 tcp2->th_flags = TH_SYN;
|
145 fi.fin_data[1] = 0;
| |
146 fi.fin_dp = (char *)tcp2;
| 177 fi.fin_dp = (char *)tcp2;
|
| 178 fi.fin_fr = &rcmdfr;
|
147 fi.fin_dlen = sizeof(*tcp2);
| 179 fi.fin_dlen = sizeof(*tcp2);
|
| 180 fi.fin_plen = fi.fin_hlen + sizeof(*tcp2); 181 fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE; 182 nflags = NAT_SLAVE|IPN_TCP|SI_W_DPORT; 183
|
148 swip = ip->ip_src;
| 184 swip = ip->ip_src;
|
149 ip->ip_src = nat->nat_inip; 150 ipn = nat_new(&fi, ip, nat->nat_ptr, NULL, IPN_TCP|FI_W_DPORT, 151 NAT_OUTBOUND); 152 if (ipn != NULL) { 153 ipn->nat_age = fr_defnatage; 154 fi.fin_fr = &rcmdfr; 155 (void) fr_addstate(ip, &fi, NULL, 156 FI_W_DPORT|FI_IGNOREPKT);
| 185 swip2 = ip->ip_dst; 186 187 if (nat->nat_dir == NAT_OUTBOUND) { 188 fi.fin_fi.fi_saddr = nat->nat_inip.s_addr; 189 ip->ip_src = nat->nat_inip; 190 } else { 191 fi.fin_fi.fi_saddr = nat->nat_oip.s_addr; 192 ip->ip_src = nat->nat_oip; 193 nflags |= NAT_NOTRULEPORT;
|
157 }
| 194 }
|
| 195 196 nat2 = nat_new(&fi, nat->nat_ptr, NULL, nflags, nat->nat_dir); 197 198 if (nat2 != NULL) { 199 (void) nat_proto(&fi, nat2, IPN_TCP); 200 nat_update(&fi, nat2, nat2->nat_ptr); 201 fi.fin_ifp = NULL; 202 if (nat->nat_dir == NAT_INBOUND) { 203 fi.fin_fi.fi_daddr = nat->nat_inip.s_addr; 204 ip->ip_dst = nat->nat_inip; 205 } 206 (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT); 207 if (fi.fin_state != NULL) 208 fr_statederef(&fi, (ipstate_t **)&fi.fin_state); 209 }
|
158 ip->ip_len = slen; 159 ip->ip_src = swip;
| 210 ip->ip_len = slen; 211 ip->ip_src = swip;
|
| 212 ip->ip_dst = swip2;
|
160 } 161 return 0; 162} 163 164
| 213 } 214 return 0; 215} 216 217
|
165int ippr_rcmd_out(fin, ip, aps, nat)
| 218int ippr_rcmd_out(fin, aps, nat)
|
166fr_info_t *fin;
| 219fr_info_t *fin;
|
167ip_t *ip;
| |
168ap_session_t *aps; 169nat_t *nat; 170{
| 220ap_session_t *aps; 221nat_t *nat; 222{
|
171 return ippr_rcmd_portmsg(fin, ip, aps, nat);
| 223 if (nat->nat_dir == NAT_OUTBOUND) 224 return ippr_rcmd_portmsg(fin, aps, nat); 225 return 0;
|
172}
| 226}
|
| 227 228 229int ippr_rcmd_in(fin, aps, nat) 230fr_info_t *fin; 231ap_session_t *aps; 232nat_t *nat; 233{ 234 if (nat->nat_dir == NAT_INBOUND) 235 return ippr_rcmd_portmsg(fin, aps, nat); 236 return 0; 237}
|
| |