| 1/* $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 145522 2005-04-25 18:43:14Z darrenr $ */
2
|
1/*
| 3/*
|
2 * $Id: ip_rcmd_pxy.c,v 1.4.2.7 2003/04/26 05:59:39 darrenr Exp $
3 */
4/*
| 4 * Copyright (C) 1998-2003 by Darren Reed
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 *
8 * Id: ip_rcmd_pxy.c,v 1.41.2.4 2005/02/04 10:22:55 darrenr Exp
9 *
|
5 * Simple RCMD transparent proxy for in-kernel use. For use with the NAT
6 * code.
| 10 * Simple RCMD transparent proxy for in-kernel use. For use with the NAT
11 * code.
|
7 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 130886 2004-06-21 22:46:36Z darrenr $
| 12 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c 145522 2005-04-25 18:43:14Z darrenr $
|
8 */
| 13 */
|
9#if SOLARIS && defined(_KERNEL)
10extern kmutex_t ipf_rw;
11#endif
| |
12
| 14
|
13#define isdigit(x) ((x) >= '0' && (x) <= '9')
14
| |
15#define IPF_RCMD_PROXY
16
17
18int ippr_rcmd_init __P((void));
| 15#define IPF_RCMD_PROXY
16
17
18int ippr_rcmd_init __P((void));
|
19int ippr_rcmd_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
20int ippr_rcmd_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
| 19void ippr_rcmd_fini __P((void));
20int ippr_rcmd_new __P((fr_info_t *, ap_session_t *, nat_t *));
21int ippr_rcmd_out __P((fr_info_t *, ap_session_t *, nat_t *));
22int ippr_rcmd_in __P((fr_info_t *, ap_session_t *, nat_t *));
|
21u_short ipf_rcmd_atoi __P((char *));
| 23u_short ipf_rcmd_atoi __P((char *));
|
22int ippr_rcmd_portmsg __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
| 24int ippr_rcmd_portmsg __P((fr_info_t *, ap_session_t *, nat_t *));
|
23
24static frentry_t rcmdfr;
25
| 25
26static frentry_t rcmdfr;
27
|
| 28int rcmd_proxy_init = 0;
|
26
| 29
|
| 30
|
27/*
28 * RCMD application proxy initialization.
29 */
30int ippr_rcmd_init()
31{
32 bzero((char *)&rcmdfr, sizeof(rcmdfr));
33 rcmdfr.fr_ref = 1;
34 rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
| 31/*
32 * RCMD application proxy initialization.
33 */
34int ippr_rcmd_init()
35{
36 bzero((char *)&rcmdfr, sizeof(rcmdfr));
37 rcmdfr.fr_ref = 1;
38 rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
|
| 39 MUTEX_INIT(&rcmdfr.fr_lock, "RCMD proxy rule lock");
40 rcmd_proxy_init = 1;
41
|
35 return 0;
36}
37
38
| 42 return 0;
43}
44
45
|
| 46void ippr_rcmd_fini()
47{
48 if (rcmd_proxy_init == 1) {
49 MUTEX_DESTROY(&rcmdfr.fr_lock);
50 rcmd_proxy_init = 0;
51 }
52}
53
54
|
39/*
40 * Setup for a new RCMD proxy.
41 */
| 55/*
56 * Setup for a new RCMD proxy.
57 */
|
42int ippr_rcmd_new(fin, ip, aps, nat)
| 58int ippr_rcmd_new(fin, aps, nat)
|
43fr_info_t *fin;
| 59fr_info_t *fin;
|
44ip_t *ip;
| |
45ap_session_t *aps;
46nat_t *nat;
47{
48 tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
49
| 60ap_session_t *aps;
61nat_t *nat;
62{
63 tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
64
|
| 65 fin = fin; /* LINT */
66 nat = nat; /* LINT */
67
|
50 aps->aps_psiz = sizeof(u_32_t);
51 KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
| 68 aps->aps_psiz = sizeof(u_32_t);
69 KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
|
52 if (aps->aps_data == NULL)
| 70 if (aps->aps_data == NULL) {
71#ifdef IP_RCMD_PROXY_DEBUG
72 printf("ippr_rcmd_new:KMALLOCS(%d) failed\n", sizeof(u_32_t));
73#endif
|
53 return -1;
| 74 return -1;
|
| 75 }
|
54 *(u_32_t *)aps->aps_data = 0;
55 aps->aps_sport = tcp->th_sport;
56 aps->aps_dport = tcp->th_dport;
57 return 0;
58}
59
60
61/*
62 * ipf_rcmd_atoi - implement a simple version of atoi
63 */
64u_short ipf_rcmd_atoi(ptr)
65char *ptr;
66{
67 register char *s = ptr, c;
68 register u_short i = 0;
69
| 76 *(u_32_t *)aps->aps_data = 0;
77 aps->aps_sport = tcp->th_sport;
78 aps->aps_dport = tcp->th_dport;
79 return 0;
80}
81
82
83/*
84 * ipf_rcmd_atoi - implement a simple version of atoi
85 */
86u_short ipf_rcmd_atoi(ptr)
87char *ptr;
88{
89 register char *s = ptr, c;
90 register u_short i = 0;
91
|
70 while ((c = *s++) && isdigit(c)) {
| 92 while (((c = *s++) != '\0') && ISDIGIT(c)) {
|
71 i *= 10;
72 i += c - '0';
73 }
74 return i;
75}
76
77
| 93 i *= 10;
94 i += c - '0';
95 }
96 return i;
97}
98
99
|
78int ippr_rcmd_portmsg(fin, ip, aps, nat)
| 100int ippr_rcmd_portmsg(fin, aps, nat)
|
79fr_info_t *fin;
| 101fr_info_t *fin;
|
80ip_t *ip;
| |
81ap_session_t *aps;
82nat_t *nat;
83{
| 102ap_session_t *aps;
103nat_t *nat;
104{
|
84 char portbuf[8], *s;
85 struct in_addr swip;
86 int off, dlen;
| |
87 tcphdr_t *tcp, tcph, *tcp2 = &tcph;
| 105 tcphdr_t *tcp, tcph, *tcp2 = &tcph;
|
| 106 struct in_addr swip, swip2;
107 int off, dlen, nflags;
108 char portbuf[8], *s;
|
88 fr_info_t fi;
89 u_short sp;
| 109 fr_info_t fi;
110 u_short sp;
|
90 nat_t *ipn;
| 111 nat_t *nat2;
112 ip_t *ip;
|
91 mb_t *m;
92
93 tcp = (tcphdr_t *)fin->fin_dp;
94
95 if (tcp->th_flags & TH_SYN) {
96 *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1);
97 return 0;
98 }
99
100 if ((*(u_32_t *)aps->aps_data != 0) &&
101 (tcp->th_seq != *(u_32_t *)aps->aps_data))
102 return 0;
103
| 113 mb_t *m;
114
115 tcp = (tcphdr_t *)fin->fin_dp;
116
117 if (tcp->th_flags & TH_SYN) {
118 *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1);
119 return 0;
120 }
121
122 if ((*(u_32_t *)aps->aps_data != 0) &&
123 (tcp->th_seq != *(u_32_t *)aps->aps_data))
124 return 0;
125
|
104 off = fin->fin_hlen + (tcp->th_off << 2);
| 126 m = fin->fin_m;
127 ip = fin->fin_ip;
128 off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
|
105
| 129
|
106#if SOLARIS
107 m = fin->fin_qfm;
108
109 dlen = msgdsize(m) - off;
110 bzero(portbuf, sizeof(portbuf));
111 copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
| 130#ifdef __sgi
131 dlen = fin->fin_plen - off;
|
112#else
| 132#else
|
113 m = *(mb_t **)fin->fin_mp;
114 dlen = mbufchainlen(m) - off;
115 bzero(portbuf, sizeof(portbuf));
116 m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
| 133 dlen = MSGDSIZE(m) - off;
|
117#endif
| 134#endif
|
| 135 if (dlen <= 0)
136 return 0;
|
118
| 137
|
| 138 bzero(portbuf, sizeof(portbuf));
139 COPYDATA(m, off, MIN(sizeof(portbuf), dlen), portbuf);
140
|
119 portbuf[sizeof(portbuf) - 1] = '\0';
120 s = portbuf;
121 sp = ipf_rcmd_atoi(s);
| 141 portbuf[sizeof(portbuf) - 1] = '\0';
142 s = portbuf;
143 sp = ipf_rcmd_atoi(s);
|
122 if (!sp)
| 144 if (sp == 0) {
145#ifdef IP_RCMD_PROXY_DEBUG
146 printf("ippr_rcmd_portmsg:sp == 0 dlen %d [%s]\n",
147 dlen, portbuf);
148#endif
|
123 return 0;
| 149 return 0;
|
| 150 }
|
124
125 /*
126 * Add skeleton NAT entry for connection which will come back the
127 * other way.
128 */
129 bcopy((char *)fin, (char *)&fi, sizeof(fi));
| 151
152 /*
153 * Add skeleton NAT entry for connection which will come back the
154 * other way.
155 */
156 bcopy((char *)fin, (char *)&fi, sizeof(fi));
|
| 157 fi.fin_flx |= FI_IGNORE;
|
130 fi.fin_data[0] = sp;
| 158 fi.fin_data[0] = sp;
|
131 fi.fin_data[1] = fin->fin_data[1];
132 ipn = nat_outlookup(&fi, IPN_TCP, nat->nat_p, nat->nat_inip,
133 ip->ip_dst, 0);
134 if (ipn == NULL) {
| 159 fi.fin_data[1] = 0;
160 if (nat->nat_dir == NAT_OUTBOUND)
161 nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
162 nat->nat_inip, nat->nat_oip);
163 else
164 nat2 = nat_inlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
165 nat->nat_inip, nat->nat_oip);
166 if (nat2 == NULL) {
|
135 int slen;
136
137 slen = ip->ip_len;
138 ip->ip_len = fin->fin_hlen + sizeof(*tcp);
139 bzero((char *)tcp2, sizeof(*tcp2));
140 tcp2->th_win = htons(8192);
141 tcp2->th_sport = htons(sp);
142 tcp2->th_dport = 0; /* XXX - don't specify remote port */
| 167 int slen;
168
169 slen = ip->ip_len;
170 ip->ip_len = fin->fin_hlen + sizeof(*tcp);
171 bzero((char *)tcp2, sizeof(*tcp2));
172 tcp2->th_win = htons(8192);
173 tcp2->th_sport = htons(sp);
174 tcp2->th_dport = 0; /* XXX - don't specify remote port */
|
143 tcp2->th_off = 5;
| 175 TCP_OFF_A(tcp2, 5);
|
144 tcp2->th_flags = TH_SYN;
| 176 tcp2->th_flags = TH_SYN;
|
145 fi.fin_data[1] = 0;
| |
146 fi.fin_dp = (char *)tcp2;
| 177 fi.fin_dp = (char *)tcp2;
|
| 178 fi.fin_fr = &rcmdfr;
|
147 fi.fin_dlen = sizeof(*tcp2);
| 179 fi.fin_dlen = sizeof(*tcp2);
|
| 180 fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
181 fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
182 nflags = NAT_SLAVE|IPN_TCP|SI_W_DPORT;
183
|
148 swip = ip->ip_src;
| 184 swip = ip->ip_src;
|
149 ip->ip_src = nat->nat_inip;
150 ipn = nat_new(&fi, ip, nat->nat_ptr, NULL, IPN_TCP|FI_W_DPORT,
151 NAT_OUTBOUND);
152 if (ipn != NULL) {
153 ipn->nat_age = fr_defnatage;
154 fi.fin_fr = &rcmdfr;
155 (void) fr_addstate(ip, &fi, NULL,
156 FI_W_DPORT|FI_IGNOREPKT);
| 185 swip2 = ip->ip_dst;
186
187 if (nat->nat_dir == NAT_OUTBOUND) {
188 fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
189 ip->ip_src = nat->nat_inip;
190 } else {
191 fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
192 ip->ip_src = nat->nat_oip;
193 nflags |= NAT_NOTRULEPORT;
|
157 }
| 194 }
|
| 195
196 nat2 = nat_new(&fi, nat->nat_ptr, NULL, nflags, nat->nat_dir);
197
198 if (nat2 != NULL) {
199 (void) nat_proto(&fi, nat2, IPN_TCP);
200 nat_update(&fi, nat2, nat2->nat_ptr);
201 fi.fin_ifp = NULL;
202 if (nat->nat_dir == NAT_INBOUND) {
203 fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
204 ip->ip_dst = nat->nat_inip;
205 }
206 (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
207 if (fi.fin_state != NULL)
208 fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
209 }
|
158 ip->ip_len = slen;
159 ip->ip_src = swip;
| 210 ip->ip_len = slen;
211 ip->ip_src = swip;
|
| 212 ip->ip_dst = swip2;
|
160 }
161 return 0;
162}
163
164
| 213 }
214 return 0;
215}
216
217
|
165int ippr_rcmd_out(fin, ip, aps, nat)
| 218int ippr_rcmd_out(fin, aps, nat)
|
166fr_info_t *fin;
| 219fr_info_t *fin;
|
167ip_t *ip;
| |
168ap_session_t *aps;
169nat_t *nat;
170{
| 220ap_session_t *aps;
221nat_t *nat;
222{
|
171 return ippr_rcmd_portmsg(fin, ip, aps, nat);
| 223 if (nat->nat_dir == NAT_OUTBOUND)
224 return ippr_rcmd_portmsg(fin, aps, nat);
225 return 0;
|
172}
| 226}
|
| 227
228
229int ippr_rcmd_in(fin, aps, nat)
230fr_info_t *fin;
231ap_session_t *aps;
232nat_t *nat;
233{
234 if (nat->nat_dir == NAT_INBOUND)
235 return ippr_rcmd_portmsg(fin, aps, nat);
236 return 0;
237}
|
| |