1145522Sdarrenr/*	$FreeBSD$	*/
2145522Sdarrenr
353642Sguido/*
4255332Scy * Copyright (C) 2012 by Darren Reed.
5145522Sdarrenr *
6145522Sdarrenr * See the IPFILTER.LICENCE file for details on licencing.
7145522Sdarrenr *
8255332Scy * $Id$
9145522Sdarrenr *
1053642Sguido * Simple RCMD transparent proxy for in-kernel use.  For use with the NAT
1153642Sguido * code.
1257126Sguido * $FreeBSD$
1353642Sguido */
1453642Sguido
1553642Sguido#define	IPF_RCMD_PROXY
1653642Sguido
17255332Scytypedef struct rcmdinfo {
18255332Scy	u_32_t	rcmd_port;	/* Port number seen */
19255332Scy	u_32_t	rcmd_portseq;	/* Sequence number where port is first seen */
20255332Scy	ipnat_t	*rcmd_rule;	/* Template rule for back connection */
21255332Scy} rcmdinfo_t;
2253642Sguido
23255332Scyvoid ipf_p_rcmd_main_load __P((void));
24255332Scyvoid ipf_p_rcmd_main_unload __P((void));
25255332Scy
26255332Scyint ipf_p_rcmd_init __P((void));
27255332Scyvoid ipf_p_rcmd_fini __P((void));
28255332Scyvoid ipf_p_rcmd_del __P((ipf_main_softc_t *, ap_session_t *));
29255332Scyint ipf_p_rcmd_new __P((void *, fr_info_t *, ap_session_t *, nat_t *));
30255332Scyint ipf_p_rcmd_out __P((void *, fr_info_t *, ap_session_t *, nat_t *));
31255332Scyint ipf_p_rcmd_in __P((void *, fr_info_t *, ap_session_t *, nat_t *));
3253642Sguidou_short ipf_rcmd_atoi __P((char *));
33255332Scyint ipf_p_rcmd_portmsg __P((fr_info_t *, ap_session_t *, nat_t *));
3453642Sguido
3553642Sguidostatic	frentry_t	rcmdfr;
3653642Sguido
37255332Scystatic	int		rcmd_proxy_init = 0;
3853642Sguido
39145522Sdarrenr
4053642Sguido/*
4153642Sguido * RCMD application proxy initialization.
4253642Sguido */
43255332Scyvoid
44255332Scyipf_p_rcmd_main_load()
4553642Sguido{
4653642Sguido	bzero((char *)&rcmdfr, sizeof(rcmdfr));
4753642Sguido	rcmdfr.fr_ref = 1;
4853642Sguido	rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
49145522Sdarrenr	MUTEX_INIT(&rcmdfr.fr_lock, "RCMD proxy rule lock");
50145522Sdarrenr	rcmd_proxy_init = 1;
5153642Sguido}
5253642Sguido
5353642Sguido
54255332Scyvoid
55255332Scyipf_p_rcmd_main_unload()
56145522Sdarrenr{
57145522Sdarrenr	if (rcmd_proxy_init == 1) {
58145522Sdarrenr		MUTEX_DESTROY(&rcmdfr.fr_lock);
59145522Sdarrenr		rcmd_proxy_init = 0;
60145522Sdarrenr	}
61145522Sdarrenr}
62145522Sdarrenr
63145522Sdarrenr
6453642Sguido/*
6553642Sguido * Setup for a new RCMD proxy.
6653642Sguido */
67255332Scyint
68255332Scyipf_p_rcmd_new(arg, fin, aps, nat)
69255332Scy	void *arg;
70255332Scy	fr_info_t *fin;
71255332Scy	ap_session_t *aps;
72255332Scy	nat_t *nat;
7353642Sguido{
7453642Sguido	tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
75255332Scy	rcmdinfo_t *rc;
76255332Scy	ipnat_t *ipn;
77255332Scy	ipnat_t *np;
78255332Scy	int size;
7953642Sguido
80145522Sdarrenr	fin = fin;	/* LINT */
81145522Sdarrenr
82255332Scy	np = nat->nat_ptr;
83255332Scy	size = np->in_size;
84255332Scy	KMALLOC(rc, rcmdinfo_t *);
85255332Scy	if (rc == NULL) {
86145522Sdarrenr#ifdef IP_RCMD_PROXY_DEBUG
87255332Scy		printf("ipf_p_rcmd_new:KMALLOCS(%d) failed\n", sizeof(*rc));
88145522Sdarrenr#endif
8953642Sguido		return -1;
90145522Sdarrenr	}
9153642Sguido	aps->aps_sport = tcp->th_sport;
9253642Sguido	aps->aps_dport = tcp->th_dport;
93255332Scy
94255332Scy	ipn = ipf_proxy_rule_rev(nat);
95255332Scy	if (ipn == NULL) {
96255332Scy		KFREE(rc);
97255332Scy		return -1;
98255332Scy	}
99255332Scy
100255332Scy	aps->aps_data = rc;
101255332Scy	aps->aps_psiz = sizeof(*rc);
102255332Scy	bzero((char *)rc, sizeof(*rc));
103255332Scy
104255332Scy	rc->rcmd_rule = ipn;
105255332Scy
10653642Sguido	return 0;
10753642Sguido}
10853642Sguido
10953642Sguido
110255332Scyvoid
111255332Scyipf_p_rcmd_del(softc, aps)
112255332Scy	ipf_main_softc_t *softc;
113255332Scy	ap_session_t *aps;
114255332Scy{
115255332Scy	rcmdinfo_t *rci;
116255332Scy
117255332Scy	rci = aps->aps_data;
118255332Scy	if (rci != NULL) {
119255332Scy		rci->rcmd_rule->in_flags |= IPN_DELETE;
120255332Scy		ipf_nat_rule_deref(softc, &rci->rcmd_rule);
121255332Scy	}
122255332Scy}
123255332Scy
124255332Scy
12553642Sguido/*
12653642Sguido * ipf_rcmd_atoi - implement a simple version of atoi
12753642Sguido */
128255332Scyu_short
129255332Scyipf_rcmd_atoi(ptr)
130255332Scy	char *ptr;
13153642Sguido{
13253642Sguido	register char *s = ptr, c;
13353642Sguido	register u_short i = 0;
13453642Sguido
135145522Sdarrenr	while (((c = *s++) != '\0') && ISDIGIT(c)) {
13653642Sguido		i *= 10;
13753642Sguido		i += c - '0';
13853642Sguido	}
13953642Sguido	return i;
14053642Sguido}
14153642Sguido
14253642Sguido
143255332Scyint
144255332Scyipf_p_rcmd_portmsg(fin, aps, nat)
145255332Scy	fr_info_t *fin;
146255332Scy	ap_session_t *aps;
147255332Scy	nat_t *nat;
14853642Sguido{
149145522Sdarrenr	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
150255332Scy	int off, dlen, nflags, direction;
151255332Scy	ipf_main_softc_t *softc;
152255332Scy	ipf_nat_softc_t *softn;
15353642Sguido	char portbuf[8], *s;
154255332Scy	rcmdinfo_t *rc;
15553642Sguido	fr_info_t fi;
15692685Sdarrenr	u_short sp;
157145522Sdarrenr	nat_t *nat2;
158255332Scy#ifdef USE_INET6
159255332Scy	ip6_t *ip6;
160255332Scy#endif
161255332Scy	int tcpsz;
162256199Sdim	int slen = 0; /* silence gcc */
163145522Sdarrenr	ip_t *ip;
16453642Sguido	mb_t *m;
16553642Sguido
16653642Sguido	tcp = (tcphdr_t *)fin->fin_dp;
16763523Sdarrenr
168145522Sdarrenr	m = fin->fin_m;
169145522Sdarrenr	ip = fin->fin_ip;
170255332Scy	tcpsz = TCP_OFF(tcp) << 2;
171255332Scy#ifdef USE_INET6
172255332Scy	ip6 = (ip6_t *)fin->fin_ip;
173255332Scy#endif
174255332Scy	softc = fin->fin_main_soft;
175255332Scy	softn = softc->ipf_nat_soft;
176255332Scy	off = (char *)tcp - (char *)ip + tcpsz + fin->fin_ipoff;
17753642Sguido
178255332Scy	dlen = fin->fin_dlen - tcpsz;
179145522Sdarrenr	if (dlen <= 0)
180145522Sdarrenr		return 0;
18153642Sguido
182255332Scy	rc = (rcmdinfo_t *)aps->aps_data;
183255332Scy	if ((rc->rcmd_portseq != 0) &&
184255332Scy	    (tcp->th_seq != rc->rcmd_portseq))
185255332Scy		return 0;
186255332Scy
187145522Sdarrenr	bzero(portbuf, sizeof(portbuf));
188145522Sdarrenr	COPYDATA(m, off, MIN(sizeof(portbuf), dlen), portbuf);
189145522Sdarrenr
19053642Sguido	portbuf[sizeof(portbuf) - 1] = '\0';
19153642Sguido	s = portbuf;
19253642Sguido	sp = ipf_rcmd_atoi(s);
193145522Sdarrenr	if (sp == 0) {
194145522Sdarrenr#ifdef IP_RCMD_PROXY_DEBUG
195255332Scy		printf("ipf_p_rcmd_portmsg:sp == 0 dlen %d [%s]\n",
196145522Sdarrenr		       dlen, portbuf);
197145522Sdarrenr#endif
19853642Sguido		return 0;
199145522Sdarrenr	}
20053642Sguido
201255332Scy	if (rc->rcmd_port != 0 && sp != rc->rcmd_port) {
202255332Scy#ifdef IP_RCMD_PROXY_DEBUG
203255332Scy		printf("ipf_p_rcmd_portmsg:sp(%d) != rcmd_port(%d)\n",
204255332Scy		       sp, rc->rcmd_port);
205255332Scy#endif
206255332Scy		return 0;
207255332Scy	}
208255332Scy
209255332Scy	rc->rcmd_port = sp;
210255332Scy	rc->rcmd_portseq = tcp->th_seq;
211255332Scy
21253642Sguido	/*
213255332Scy	 * Initialise the packet info structure so we can search the NAT
214255332Scy	 * table to see if there already is soemthing present that matches
215255332Scy	 * up with what we want to add.
21653642Sguido	 */
21792685Sdarrenr	bcopy((char *)fin, (char *)&fi, sizeof(fi));
218145522Sdarrenr	fi.fin_flx |= FI_IGNORE;
219255332Scy	fi.fin_data[0] = 0;
220255332Scy	fi.fin_data[1] = sp;
221255332Scy	fi.fin_src6 = nat->nat_ndst6;
222255332Scy	fi.fin_dst6 = nat->nat_nsrc6;
22360857Sdarrenr
224255332Scy	if (nat->nat_v[0] == 6) {
225255332Scy#ifdef USE_INET6
226145522Sdarrenr		if (nat->nat_dir == NAT_OUTBOUND) {
227255332Scy			nat2 = ipf_nat6_outlookup(&fi, NAT_SEARCH|IPN_TCP,
228255332Scy						  nat->nat_pr[1],
229255332Scy						  &nat->nat_osrc6.in6,
230255332Scy						  &nat->nat_odst6.in6);
231145522Sdarrenr		} else {
232255332Scy			nat2 = ipf_nat6_inlookup(&fi, NAT_SEARCH|IPN_TCP,
233255332Scy						 nat->nat_pr[0],
234255332Scy						 &nat->nat_osrc6.in6,
235255332Scy						 &nat->nat_odst6.in6);
23653642Sguido		}
237255332Scy#else
238255332Scy		nat2 = (void *)-1;
239255332Scy#endif
240255332Scy	} else {
241255332Scy		if (nat->nat_dir == NAT_OUTBOUND) {
242255332Scy			nat2 = ipf_nat_outlookup(&fi, NAT_SEARCH|IPN_TCP,
243255332Scy						 nat->nat_pr[1],
244255332Scy						 nat->nat_osrcip,
245255332Scy						 nat->nat_odstip);
246255332Scy		} else {
247255332Scy			nat2 = ipf_nat_inlookup(&fi, NAT_SEARCH|IPN_TCP,
248255332Scy						nat->nat_pr[0],
249255332Scy						nat->nat_osrcip,
250255332Scy						nat->nat_odstip);
251255332Scy		}
252255332Scy	}
253255332Scy	if (nat2 != NULL)
254255332Scy		return APR_ERR(1);
255145522Sdarrenr
256255332Scy	/*
257255332Scy	 * Add skeleton NAT entry for connection which will come
258255332Scy	 * back the other way.
259255332Scy	 */
260145522Sdarrenr
261255332Scy	if (nat->nat_v[0] == 6) {
262255332Scy#ifdef USE_INET6
263255332Scy		slen = ip6->ip6_plen;
264255332Scy		ip6->ip6_plen = htons(sizeof(*tcp));
265255332Scy#endif
266255332Scy	} else {
267255332Scy		slen = ip->ip_len;
268255332Scy		ip->ip_len = htons(fin->fin_hlen + sizeof(*tcp));
269255332Scy	}
270255332Scy
271255332Scy	/*
272255332Scy	 * Fill out the fake TCP header with a few fields that ipfilter
273255332Scy	 * considers to be important.
274255332Scy	 */
275255332Scy	bzero((char *)tcp2, sizeof(*tcp2));
276255332Scy	tcp2->th_win = htons(8192);
277255332Scy	TCP_OFF_A(tcp2, 5);
278255332Scy	tcp2->th_flags = TH_SYN;
279255332Scy
280255332Scy	fi.fin_dp = (char *)tcp2;
281255332Scy	fi.fin_fr = &rcmdfr;
282255332Scy	fi.fin_dlen = sizeof(*tcp2);
283255332Scy	fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
284255332Scy	fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
285255332Scy
286255332Scy	if (nat->nat_dir == NAT_OUTBOUND) {
287255332Scy		fi.fin_out = 0;
288255332Scy		direction = NAT_INBOUND;
289255332Scy	} else {
290255332Scy		fi.fin_out = 1;
291255332Scy		direction = NAT_OUTBOUND;
292255332Scy	}
293255332Scy	nflags = SI_W_SPORT|NAT_SLAVE|IPN_TCP;
294255332Scy
295255332Scy	MUTEX_ENTER(&softn->ipf_nat_new);
296255332Scy	if (fin->fin_v == 4)
297255332Scy		nat2 = ipf_nat_add(&fi, rc->rcmd_rule, NULL, nflags,
298255332Scy				   direction);
299255332Scy#ifdef USE_INET6
300255332Scy	else
301255332Scy		nat2 = ipf_nat6_add(&fi, rc->rcmd_rule, NULL, nflags,
302255332Scy				    direction);
303255332Scy#endif
304255332Scy	MUTEX_EXIT(&softn->ipf_nat_new);
305255332Scy
306255332Scy	if (nat2 != NULL) {
307255332Scy		(void) ipf_nat_proto(&fi, nat2, IPN_TCP);
308255332Scy		MUTEX_ENTER(&nat2->nat_lock);
309255332Scy		ipf_nat_update(&fi, nat2);
310255332Scy		MUTEX_EXIT(&nat2->nat_lock);
311255332Scy		fi.fin_ifp = NULL;
312255332Scy		if (nat2->nat_dir == NAT_INBOUND)
313255332Scy			fi.fin_dst6 = nat->nat_osrc6;
314255332Scy		(void) ipf_state_add(softc, &fi, NULL, SI_W_SPORT);
315255332Scy	}
316255332Scy	if (nat->nat_v[0] == 6) {
317255332Scy#ifdef USE_INET6
318255332Scy		ip6->ip6_plen = slen;
319255332Scy#endif
320255332Scy	} else {
32160857Sdarrenr		ip->ip_len = slen;
32253642Sguido	}
323255332Scy	if (nat2 == NULL)
324255332Scy		return APR_ERR(1);
32553642Sguido	return 0;
32653642Sguido}
32753642Sguido
32853642Sguido
329255332Scyint
330255332Scyipf_p_rcmd_out(arg, fin, aps, nat)
331255332Scy	void *arg;
332255332Scy	fr_info_t *fin;
333255332Scy	ap_session_t *aps;
334255332Scy	nat_t *nat;
33553642Sguido{
336145522Sdarrenr	if (nat->nat_dir == NAT_OUTBOUND)
337255332Scy		return ipf_p_rcmd_portmsg(fin, aps, nat);
338145522Sdarrenr	return 0;
33953642Sguido}
340145522Sdarrenr
341145522Sdarrenr
342255332Scyint
343255332Scyipf_p_rcmd_in(arg, fin, aps, nat)
344255332Scy	void *arg;
345255332Scy	fr_info_t *fin;
346255332Scy	ap_session_t *aps;
347255332Scy	nat_t *nat;
348145522Sdarrenr{
349145522Sdarrenr	if (nat->nat_dir == NAT_INBOUND)
350255332Scy		return ipf_p_rcmd_portmsg(fin, aps, nat);
351145522Sdarrenr	return 0;
352145522Sdarrenr}
353