
1/*
2 * nf_nat_snmp_basic.c
3 *
4 * Basic SNMP Application Layer Gateway
5 *
6 * This IP NAT module is intended for use with SNMP network
7 * discovery and monitoring applications where target networks use
8 * conflicting private address realms.
9 *
10 * Static NAT is used to remap the networks from the view of the network
11 * management system at the IP layer, and this module remaps some application
12 * layer addresses to match.
13 *
14 * The simplest form of ALG is performed, where only tagged IP addresses
15 * are modified. The module does not need to be MIB aware and only scans
16 * messages at the ASN.1/BER level.
17 *
18 * Currently, only SNMPv1 and SNMPv2 are supported.
19 *
20 * More information on ALG and associated issues can be found in
21 * RFC 2962
22 *
 * The ASN.1/BER parsing code is derived from the gxsnmp package by Gregory
 * McLean & Jochen Friedrich, stripped down for use in the kernel.
25 *
26 * Copyright (c) 2000 RP Internet (www.rpi.net.au).
27 *
28 * This program is free software; you can redistribute it and/or modify
29 * it under the terms of the GNU General Public License as published by
30 * the Free Software Foundation; either version 2 of the License, or
31 * (at your option) any later version.
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
36 * You should have received a copy of the GNU General Public License
37 * along with this program; if not, see <http://www.gnu.org/licenses/>.
38 *
39 * Author: James Morris <jmorris@intercode.com.au>
40 *
41 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
42 */
43#include <linux/module.h>
44#include <linux/moduleparam.h>
45#include <linux/types.h>
46#include <linux/kernel.h>
47#include <linux/in.h>
48#include <linux/ip.h>
49#include <linux/udp.h>
50#include <net/checksum.h>
51#include <net/udp.h>
52
53#include <net/netfilter/nf_nat.h>
54#include <net/netfilter/nf_conntrack_expect.h>
55#include <net/netfilter/nf_conntrack_helper.h>
56#include <linux/netfilter/nf_conntrack_snmp.h>
57#include "nf_nat_snmp_basic.asn1.h"
58
/* Module metadata.  The NFCT helper alias is what lets the conntrack core
 * find this module when the "snmp_trap" helper is requested by name.
 */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");
MODULE_ALIAS_NFCT_HELPER("snmp_trap");
64
/* Well-known UDP ports: agents answer requests from 161, traps go to 162 */
#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162

/* Serializes snmp_translate() across concurrent help() invocations */
static DEFINE_SPINLOCK(snmp_lock);
69
/* Per-packet translation state handed to the ASN.1 decoder callbacks. */
struct snmp_ctx {
	unsigned char *begin;	/* start of the UDP payload; offsets for fast_csum() are relative to it */
	__sum16 *check;		/* points at udph->check, patched in place (skipped when zero) */
	__be32 from;		/* address to look for inside the message */
	__be32 to;		/* address it is rewritten to */
};
76
/* Incrementally patch the UDP checksum for the 4-byte rewrite of ctx->from
 * into ctx->to that snmp_helper() performs.
 *
 * Instead of summing the whole datagram again, a small scratch buffer
 * holding the one's complement of the old value followed by the new value
 * is folded into the existing checksum.  The UDP checksum runs over 16-bit
 * words, so the values must keep the parity they have in the packet: for an
 * odd payload offset both are shifted by one byte inside the buffer and the
 * pad bytes are complemented together with the old value.
 *
 * @ctx:    translation context; *ctx->check is updated in place
 * @offset: byte offset of the rewritten field from ctx->begin.  Only its
 *          parity is used, so the caller's narrowing to unsigned char is
 *          harmless.
 */
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
	unsigned char scratch[12] = {0,};
	unsigned char *oldp, *newp;
	int len, ncompl, i;

	if (offset & 1) {
		/* odd offset: one pad byte before each 4-byte value */
		oldp = &scratch[1];
		newp = &scratch[7];
		ncompl = 6;
		len = 12;
	} else {
		oldp = &scratch[0];
		newp = &scratch[4];
		ncompl = 4;
		len = 8;
	}
	memcpy(oldp, &ctx->from, 4);
	memcpy(newp, &ctx->to, 4);

	/* ~old (including its pad bytes) cancels the old value out of the sum */
	for (i = 0; i < ncompl; i++)
		scratch[i] = ~scratch[i];

	*ctx->check = csum_fold(csum_partial(scratch, len,
					     ~csum_unfold(*ctx->check)));
}
104
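/* ASN.1 decoder callback for the SNMP version field.
 *
 * Only SNMPv1 (version 0) and SNMPv2 (version 1) are handled by this ALG;
 * the field is a single octet.  @context, @hdrlen and @tag are unused but
 * required by the callback signature generated from the .asn1 description.
 *
 * Returns 1 on success, -EINVAL if the field is not exactly one octet, or
 * -ENOTSUPP for any other protocol version.
 */
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
		 const void *data, size_t datalen)
{
	/* read through a const pointer; the original cast discarded the qualifier */
	const unsigned char *version = data;

	if (datalen != 1)
		return -EINVAL;
	if (*version > 1)
		return -ENOTSUPP;
	return 1;
}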
114
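/* ASN.1 decoder callback for each IpAddress value in the message.
 *
 * When the 4-byte value equals ctx->from it is rewritten in place to
 * ctx->to and the UDP checksum is patched incrementally by fast_csum().
 * The address can sit at any byte offset of the payload (fast_csum()
 * explicitly handles odd offsets), so it is read and written with memcpy()
 * rather than through a __be32 pointer, which would be an unaligned
 * access on strict-alignment architectures.  @data is const in the decoder
 * API, but help() has already made the skb writable, so writing through it
 * is deliberate.
 *
 * @context: struct snmp_ctx prepared by snmp_translate()
 * @hdrlen:  unused, required by the callback signature
 * @tag:     unused, required by the callback signature
 * @data:    first octet of the address inside the UDP payload
 * @datalen: length of the value; must be 4
 *
 * Returns 1 on success or -EINVAL if the value is not exactly 4 bytes.
 */
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
		const void *data, size_t datalen)
{
	struct snmp_ctx *ctx = context;
	__be32 addr;

	if (datalen != 4)
		return -EINVAL;

	memcpy(&addr, data, sizeof(addr));
	if (addr != ctx->from)
		return 1;

	pr_debug("%s: %pI4 to %pI4\n", __func__,
		 (void *)&ctx->from, (void *)&ctx->to);

	/* A zero UDP checksum means none was computed (RFC 768); leave it */
	if (*ctx->check)
		fast_csum(ctx, (unsigned char *)data - ctx->begin);

	/* casting away const is intentional, see the function comment */
	memcpy((void *)data, &ctx->to, sizeof(ctx->to));
	return 1;
}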
135
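/* Parse the SNMP message in @skb and rewrite the NATted address.
 *
 * Selects the (from, to) address pair from the conntrack tuples, then runs
 * the generated ASN.1/BER decoder over the UDP payload with snmp_version()
 * and snmp_helper() as callbacks.  Must be called with snmp_lock held and
 * with the skb already writable; help() takes care of both.
 *
 * NOTE(review): with dir restricted to 0/1, both branches below end up with
 * from = tuplehash[IP_CT_DIR_ORIGINAL].src and to = tuplehash[IP_CT_DIR_REPLY].dst,
 * i.e. the reply direction selects the same pair as the original direction.
 * Confirm this is the intended mapping for replies on DNATed connections.
 *
 * Returns NF_ACCEPT (also when the tuples show no address change, or the
 * message contains no matching address) or NF_DROP if parsing fails.
 */
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
	struct iphdr *iph = ip_hdr(skb);
	struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
	/* help() checked udph->len against skb->len; assumes len >= sizeof(struct udphdr),
	 * which the UDP conntrack layer is expected to have enforced — confirm
	 */
	u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
	/* computed once: it is both the decoder input and the offset base for fast_csum() */
	unsigned char *data = (unsigned char *)udph + sizeof(struct udphdr);
	struct snmp_ctx ctx;
	int ret;

	if (dir == IP_CT_DIR_ORIGINAL) {
		/* SNAT traps: original source becomes the reply destination */
		ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
	} else {
		/* replies */
		ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
	}

	/* the address was not changed by NAT, nothing to rewrite */
	if (ctx.from == ctx.to)
		return NF_ACCEPT;

	ctx.begin = data;
	ctx.check = &udph->check;
	ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
	if (ret < 0) {
		/* malformed or unsupported BER: do not forward what we cannot parse */
		nf_ct_helper_log(skb, ct, "parser failed\n");
		return NF_DROP;
	}

	return NF_ACCEPT;
}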
166
/* Conntrack helper entry point for SNMP over UDP.
 *
 * No expectations are set up; the helper only rewrites application layer
 * IP addresses on connections that went through NAT.  Only SNMP replies
 * (source port 161 in the reply direction) and originating traps
 * (destination port 162 in the original direction) are mangled; any other
 * packet is accepted untouched.
 *
 * Returns NF_ACCEPT, or NF_DROP when the UDP length does not match the
 * packet, when the skb cannot be made writable, or when parsing fails.
 */
static int help(struct sk_buff *skb, unsigned int protoff,
		struct nf_conn *ct,
		enum ip_conntrack_info ctinfo)
{
	const struct iphdr *iph = ip_hdr(skb);
	const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
	int dir = CTINFO2DIR(ctinfo);
	bool from_agent_port = udph->source == htons(SNMP_PORT);
	bool to_trap_port = udph->dest == htons(SNMP_TRAP_PORT);
	unsigned int verdict;

	/* replies are only mangled in the reply direction, traps only when originating */
	if (from_agent_port && dir != IP_CT_DIR_REPLY)
		return NF_ACCEPT;
	if (to_trap_port && dir != IP_CT_DIR_ORIGINAL)
		return NF_ACCEPT;

	/* connections without NAT have nothing to translate */
	if (!(ct->status & IPS_NAT_MASK))
		return NF_ACCEPT;

	/* So far only a valid IP header plus 8 bytes (room for the UDP header)
	 * is guaranteed.  Require the UDP length field to match the remaining
	 * packet length before the payload is parsed.
	 */
	if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
		nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
		return NF_DROP;
	}

	/* the payload and the UDP checksum are modified in place */
	if (!skb_make_writable(skb, skb->len)) {
		nf_ct_helper_log(skb, ct, "cannot mangle packet");
		return NF_DROP;
	}

	/* snmp_lock serializes translations; the per-call context lives on the
	 * stack, so whether the lock is still required is not visible here
	 */
	spin_lock_bh(&snmp_lock);
	verdict = snmp_translate(ct, dir, skb);
	spin_unlock_bh(&snmp_lock);

	return verdict;
}
209
/* Expectation policy for the trap helper; max_expected = 0 because help()
 * never creates expectations.
 */
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
	.max_expected = 0,
	.timeout = 180,
};

/* Helper registered for outgoing SNMP traps (UDP/162).  SNMP replies on
 * UDP/161 presumably reach help() through nf_nat_snmp_hook, installed in
 * nf_nat_snmp_basic_init() — see nf_conntrack_snmp.h.
 */
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
	.me = THIS_MODULE,
	.help = help,
	.expect_policy = &snmp_exp_policy,
	.name = "snmp_trap",
	.tuple.src.l3num = AF_INET,
	.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
	.tuple.dst.protonum = IPPROTO_UDP,
};
224
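/* Module init: publish help() through nf_nat_snmp_hook and register the
 * trap helper.
 *
 * If registration fails the module is about to be unloaded, so the hook
 * must not be left pointing at help(); it is cleared again and a grace
 * period is waited for, mirroring nf_nat_snmp_basic_fini().
 *
 * Returns 0 on success or the error from nf_conntrack_helper_register().
 */
static int __init nf_nat_snmp_basic_init(void)
{
	int ret;

	BUG_ON(nf_nat_snmp_hook != NULL);
	RCU_INIT_POINTER(nf_nat_snmp_hook, help);

	ret = nf_conntrack_helper_register(&snmp_trap_helper);
	if (ret) {
		/* undo the hook so no caller can reach code that is going away */
		RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
		synchronize_rcu();
	}
	return ret;
}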
232
/* Module teardown: unhook help() first so no new caller can reach it, wait
 * for readers that may still hold the old pointer, then unregister the
 * trap helper.
 */
static void __exit nf_nat_snmp_basic_fini(void)
{
	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
	/* let in-flight RCU readers of nf_nat_snmp_hook finish */
	synchronize_rcu();
	nf_conntrack_helper_unregister(&snmp_trap_helper);
}
239
/* module entry/exit points */
module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);
