search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import 2.3.10pre5
[davej-history.git] / net / ipv4 / ip_masq.c
blob91f572fa623cbb73f6300211333150297840a956
1 /*
2 *
3 * Masquerading functionality
4 *
5 * Copyright (c) 1994 Pauline Middelink
6 *
7 * $Id: ip_masq.c,v 1.35 1999/06/29 12:35:46 davem Exp $
8 *
9 *
10 * See ip_fw.c for original log
11 *
12 * Fixes:
13 * Juan Jose Ciarlante : Modularized application masquerading (see ip_masq_app.c)
14 * Juan Jose Ciarlante : New struct ip_masq_seq that holds output/input delta seq.
15 * Juan Jose Ciarlante : Added hashed lookup by proto,maddr,mport and proto,saddr,sport
16 * Juan Jose Ciarlante : Fixed deadlock if free ports get exhausted
17 * Juan Jose Ciarlante : Added NO_ADDR status flag.
18 * Richard Lynch : Added IP Autoforward
19 * Nigel Metheringham : Added ICMP handling for demasquerade
20 * Nigel Metheringham : Checksum checking of masqueraded data
21 * Nigel Metheringham : Better handling of timeouts of TCP conns
22 * Delian Delchev : Added support for ICMP requests and replys
23 * Nigel Metheringham : ICMP in ICMP handling, tidy ups, bug fixes, made ICMP optional
24 * Juan Jose Ciarlante : re-assign maddr if no packet received from outside
25 * Juan Jose Ciarlante : ported to 2.1 tree
26 * Juan Jose Ciarlante : reworked control connections
27 * Steven Clarke : Added Port Forwarding
28 * Juan Jose Ciarlante : Just ONE ip_masq_new (!)
29 * Juan Jose Ciarlante : IP masq modules support
30 * Juan Jose Ciarlante : don't go into search loop if mport specified
31 * Juan Jose Ciarlante : locking
32 * Steven Clarke : IP_MASQ_S_xx state design
33 * Juan Jose Ciarlante : IP_MASQ_S state implementation
34 * Juan Jose Ciarlante : xx_get() clears timer, _put() inserts it
35 * Juan Jose Ciarlante : create /proc/net/ip_masq/
36 * Juan Jose Ciarlante : reworked checksums (save payload csum if possible)
37 * Juan Jose Ciarlante : added missing ip_fw_masquerade checksum
38 * Juan Jose Ciarlante : csum savings
39 * Juan Jose Ciarlante : added user-space tunnel creation/del, etc
40 * Juan Jose Ciarlante : (last) moved to ip_masq_user runtime module
41 * Juan Jose Ciarlante : user timeout handling again
42 * Juan Jose Ciarlante : make new modules support optional
43 * Juan Jose Ciarlante : u-space context => locks reworked
44 * Juan Jose Ciarlante : fixed stupid SMP locking bug
45 * Juan Jose Ciarlante : fixed "tap"ing in demasq path by copy-on-w
46 * Juan Jose Ciarlante : make masq_proto_doff() robust against fake sized/corrupted packets
47 * Kai Bankett : do not toss other IP protos in proto_doff()
48 * Dan Kegel : pointed correct NAT behavior for UDP streams
49 *
50 */
51
52 #include <linux/config.h>
53 #include <linux/module.h>
54 #ifdef CONFIG_KMOD
55 #include <linux/kmod.h>
56 #endif
57 #include <linux/types.h>
58 #include <linux/kernel.h>
59 #include <linux/errno.h>
60 #include <linux/skbuff.h>
61 #include <asm/system.h>
62 #include <linux/stat.h>
63 #include <linux/proc_fs.h>
64 #include <linux/in.h>
65 #include <linux/ip.h>
66 #include <linux/inet.h>
67 #include <linux/init.h>
68 #include <net/protocol.h>
69 #include <net/icmp.h>
70 #include <net/tcp.h>
71 #include <net/udp.h>
72 #include <net/checksum.h>
73 #include <net/ip_masq.h>
74
75 #ifdef CONFIG_IP_MASQUERADE_MOD
76 #include <net/ip_masq_mod.h>
77 #endif
78
79 #include <linux/sysctl.h>
80 #include <linux/ip_fw.h>
81 #include <linux/ip_masq.h>
82
83 int sysctl_ip_masq_debug = 0;
84
85 /*
86 * Exported wrapper
87 */
88 int ip_masq_get_debug_level(void)
89 {
90 return sysctl_ip_masq_debug;
91 }
92
93 struct ip_masq_hook *ip_masq_user_hook = NULL;
94
95 /*
96 * Timeout table[state]
97 */
98 /* static int masq_timeout_table[IP_MASQ_S_LAST+1] = { */
99 static struct ip_masq_timeout_table masq_timeout_table = {
100 ATOMIC_INIT(0), /* refcnt */
101 0, /* scale */
102 {
103 30*60*HZ, /* IP_MASQ_S_NONE, */
104 15*60*HZ, /* IP_MASQ_S_ESTABLISHED, */
105 2*60*HZ, /* IP_MASQ_S_SYN_SENT, */
106 1*60*HZ, /* IP_MASQ_S_SYN_RECV, */
107 2*60*HZ, /* IP_MASQ_S_FIN_WAIT, */
108 2*60*HZ, /* IP_MASQ_S_TIME_WAIT, */
109 10*HZ, /* IP_MASQ_S_CLOSE, */
110 60*HZ, /* IP_MASQ_S_CLOSE_WAIT, */
111 30*HZ, /* IP_MASQ_S_LAST_ACK, */
112 2*60*HZ, /* IP_MASQ_S_LISTEN, */
113 5*60*HZ, /* IP_MASQ_S_UDP, */
114 1*60*HZ, /* IP_MASQ_S_ICMP, */
115 2*HZ,/* IP_MASQ_S_LAST */
116 }, /* timeout */
117 };
118
119 #define MASQUERADE_EXPIRE_RETRY masq_timeout_table.timeout[IP_MASQ_S_TIME_WAIT]
120
121 static const char * state_name_table[IP_MASQ_S_LAST+1] = {
122 "NONE", /* IP_MASQ_S_NONE, */
123 "ESTABLISHED", /* IP_MASQ_S_ESTABLISHED, */
124 "SYN_SENT", /* IP_MASQ_S_SYN_SENT, */
125 "SYN_RECV", /* IP_MASQ_S_SYN_RECV, */
126 "FIN_WAIT", /* IP_MASQ_S_FIN_WAIT, */
127 "TIME_WAIT", /* IP_MASQ_S_TIME_WAIT, */
128 "CLOSE", /* IP_MASQ_S_CLOSE, */
129 "CLOSE_WAIT", /* IP_MASQ_S_CLOSE_WAIT, */
130 "LAST_ACK", /* IP_MASQ_S_LAST_ACK, */
131 "LISTEN", /* IP_MASQ_S_LISTEN, */
132 "UDP", /* IP_MASQ_S_UDP, */
133 "ICMP", /* IP_MASQ_S_ICMP, */
134 "BUG!", /* IP_MASQ_S_LAST */
135 };
136
137 #define mNO IP_MASQ_S_NONE
138 #define mES IP_MASQ_S_ESTABLISHED
139 #define mSS IP_MASQ_S_SYN_SENT
140 #define mSR IP_MASQ_S_SYN_RECV
141 #define mFW IP_MASQ_S_FIN_WAIT
142 #define mTW IP_MASQ_S_TIME_WAIT
143 #define mCL IP_MASQ_S_CLOSE
144 #define mCW IP_MASQ_S_CLOSE_WAIT
145 #define mLA IP_MASQ_S_LAST_ACK
146 #define mLI IP_MASQ_S_LISTEN
147
148 struct masq_tcp_states_t {
149 int next_state[IP_MASQ_S_LAST]; /* should be _LAST_TCP */
150 };
151
152 const char * ip_masq_state_name(int state)
153 {
154 if (state >= IP_MASQ_S_LAST)
155 return "ERR!";
156 return state_name_table[state];
157 }
158
159 struct masq_tcp_states_t masq_tcp_states [] = {
160 /* INPUT */
161 /* mNO, mES, mSS, mSR, mFW, mTW, mCL, mCW, mLA, mLI */
162 /*syn*/ {{mSR, mES, mES, mSR, mSR, mSR, mSR, mSR, mSR, mSR }},
163 /*fin*/ {{mCL, mCW, mSS, mTW, mTW, mTW, mCL, mCW, mLA, mLI }},
164 /*ack*/ {{mCL, mES, mSS, mSR, mFW, mTW, mCL, mCW, mCL, mLI }},
165 /*rst*/ {{mCL, mCL, mCL, mSR, mCL, mCL, mCL, mCL, mLA, mLI }},
166
167 /* OUTPUT */
168 /* mNO, mES, mSS, mSR, mFW, mTW, mCL, mCW, mLA, mLI */
169 /*syn*/ {{mSS, mES, mSS, mES, mSS, mSS, mSS, mSS, mSS, mLI }},
170 /*fin*/ {{mTW, mFW, mSS, mTW, mFW, mTW, mCL, mTW, mLA, mLI }},
171 /*ack*/ {{mES, mES, mSS, mSR, mFW, mTW, mCL, mCW, mLA, mES }},
172 /*rst*/ {{mCL, mCL, mSS, mCL, mCL, mTW, mCL, mCL, mCL, mCL }},
173 };
174
175 static __inline__ int masq_tcp_state_idx(struct tcphdr *th, int output)
176 {
177 /*
178 * [0-3]: input states, [4-7]: output.
179 */
180 if (output)
181 output=4;
182
183 if (th->rst)
184 return output+3;
185 if (th->syn)
186 return output+0;
187 if (th->fin)
188 return output+1;
189 if (th->ack)
190 return output+2;
191 return -1;
192 }
193
194
195
196 static int masq_set_state_timeout(struct ip_masq *ms, int state)
197 {
198 struct ip_masq_timeout_table *mstim = ms->timeout_table;
199 int scale;
200
201 /*
202 * Use default timeout table if no specific for this entry
203 */
204 if (!mstim)
205 mstim = &masq_timeout_table;
206
207 ms->timeout = mstim->timeout[ms->state=state];
208 scale = mstim->scale;
209
210 if (scale<0)
211 ms->timeout >>= -scale;
212 else if (scale > 0)
213 ms->timeout <<= scale;
214
215 return state;
216 }
217
218 static int masq_tcp_state(struct ip_masq *ms, int output, struct tcphdr *th)
219 {
220 int state_idx;
221 int new_state = IP_MASQ_S_CLOSE;
222
223 if ((state_idx = masq_tcp_state_idx(th, output)) < 0) {
224 IP_MASQ_DEBUG(1, "masq_state_idx(%d)=%d!!!\n",
225 output, state_idx);
226 goto tcp_state_out;
227 }
228
229 new_state = masq_tcp_states[state_idx].next_state[ms->state];
230
231 tcp_state_out:
232 if (new_state!=ms->state)
233 IP_MASQ_DEBUG(1, "%s %s [%c%c%c%c] %08lX:%04X-%08lX:%04X state: %s->%s\n",
234 masq_proto_name(ms->protocol),
235 output? "output" : "input ",
236 th->syn? 'S' : '.',
237 th->fin? 'F' : '.',
238 th->ack? 'A' : '.',
239 th->rst? 'R' : '.',
240 ntohl(ms->saddr), ntohs(ms->sport),
241 ntohl(ms->daddr), ntohs(ms->dport),
242 ip_masq_state_name(ms->state),
243 ip_masq_state_name(new_state));
244 return masq_set_state_timeout(ms, new_state);
245 }
246
247
248 /*
249 * Handle state transitions
250 */
251 static int masq_set_state(struct ip_masq *ms, int output, struct iphdr *iph, void *tp)
252 {
253 switch (iph->protocol) {
254 case IPPROTO_ICMP:
255 return masq_set_state_timeout(ms, IP_MASQ_S_ICMP);
256 case IPPROTO_UDP:
257 return masq_set_state_timeout(ms, IP_MASQ_S_UDP);
258 case IPPROTO_TCP:
259 return masq_tcp_state(ms, output, tp);
260 }
261 return -1;
262 }
263
264 /*
265 * Set LISTEN timeout. (ip_masq_put will setup timer)
266 */
267 int ip_masq_listen(struct ip_masq *ms)
268 {
269 masq_set_state_timeout(ms, IP_MASQ_S_LISTEN);
270 return ms->timeout;
271 }
272
273 /*
274 * Dynamic address rewriting
275 */
276 extern int sysctl_ip_dynaddr;
277
278 /*
279 * Lookup lock
280 */
281 rwlock_t __ip_masq_lock = RW_LOCK_UNLOCKED;
282
283 /*
284 * Implement IP packet masquerading
285 */
286
287 /*
288 * Converts an ICMP reply code into the equivalent request code
289 */
290 static __inline__ const __u8 icmp_type_request(__u8 type)
291 {
292 switch (type)
293 {
294 case ICMP_ECHOREPLY: return ICMP_ECHO; break;
295 case ICMP_TIMESTAMPREPLY: return ICMP_TIMESTAMP; break;
296 case ICMP_INFO_REPLY: return ICMP_INFO_REQUEST; break;
297 case ICMP_ADDRESSREPLY: return ICMP_ADDRESS; break;
298 default: return (255); break;
299 }
300 }
301
302 /*
303 * Helper macros - attempt to make code clearer!
304 */
305
306 /* ID used in ICMP lookups */
307 #define icmp_id(icmph) ((icmph->un).echo.id)
308 /* (port) hash value using in ICMP lookups for requests */
309 #define icmp_hv_req(icmph) ((__u16)(icmph->code+(__u16)(icmph->type<<8)))
310 /* (port) hash value using in ICMP lookups for replies */
311 #define icmp_hv_rep(icmph) ((__u16)(icmph->code+(__u16)(icmp_type_request(icmph->type)<<8)))
312
313 /*
314 * Last masq_port number in use.
315 * Will cycle in MASQ_PORT boundaries.
316 */
317 static __u16 masq_port = PORT_MASQ_BEGIN;
318 static spinlock_t masq_port_lock = SPIN_LOCK_UNLOCKED;
319
320 /*
321 * free ports counters (UDP & TCP)
322 *
323 * Their value is _less_ or _equal_ to actual free ports:
324 * same masq port, diff masq addr (firewall iface address) allocated
325 * entries are accounted but their actually don't eat a more than 1 port.
326 *
327 * Greater values could lower MASQ_EXPIRATION setting as a way to
328 * manage 'masq_entries resource'.
329 *
330 * By default we will reuse masq.port iff (output) connection
331 * (5-upla) if not duplicated.
332 * This may break midentd and others ...
333 */
334
335 #ifdef CONFIG_IP_MASQ_NREUSE
336 #define PORT_MASQ_MUL 1
337 #else
338 #define PORT_MASQ_MUL 10
339 #endif
340
341 /*
342 * At the moment, hardcore in sync with masq_proto_num
343 */
344 atomic_t ip_masq_free_ports[3] = {
345 ATOMIC_INIT((PORT_MASQ_END-PORT_MASQ_BEGIN) * PORT_MASQ_MUL),/* UDP */
346 ATOMIC_INIT((PORT_MASQ_END-PORT_MASQ_BEGIN) * PORT_MASQ_MUL),/* TCP */
347 ATOMIC_INIT((PORT_MASQ_END-PORT_MASQ_BEGIN) * PORT_MASQ_MUL),/* ICMP */
348 };
349
350 /*
351 * Counts entries that have been requested with specific mport.
352 * Used for incoming packets to "relax" input rule (port in MASQ range).
353 */
354 atomic_t mport_count = ATOMIC_INIT(0);
355
356 EXPORT_SYMBOL(ip_masq_get_debug_level);
357 EXPORT_SYMBOL(ip_masq_new);
358 EXPORT_SYMBOL(ip_masq_listen);
359 EXPORT_SYMBOL(ip_masq_free_ports);
360 EXPORT_SYMBOL(ip_masq_out_get);
361 EXPORT_SYMBOL(ip_masq_in_get);
362 EXPORT_SYMBOL(ip_masq_put);
363 EXPORT_SYMBOL(ip_masq_control_add);
364 EXPORT_SYMBOL(ip_masq_control_del);
365 EXPORT_SYMBOL(ip_masq_control_get);
366 EXPORT_SYMBOL(ip_masq_user_hook);
367 EXPORT_SYMBOL(ip_masq_m_tab);
368 EXPORT_SYMBOL(ip_masq_state_name);
369 EXPORT_SYMBOL(ip_masq_select_addr);
370 EXPORT_SYMBOL(__ip_masq_lock);
371
372 /*
373 * 2 ip_masq hash tables: for input and output pkts lookups.
374 */
375
376 struct ip_masq *ip_masq_m_tab[IP_MASQ_TAB_SIZE];
377 struct ip_masq *ip_masq_s_tab[IP_MASQ_TAB_SIZE];
378
379 /*
380 * timeouts
381 */
382
383 #if 000 /* FIXED timeout handling */
384 static struct ip_fw_masq ip_masq_dummy = {
385 MASQUERADE_EXPIRE_TCP,
386 MASQUERADE_EXPIRE_TCP_FIN,
387 MASQUERADE_EXPIRE_UDP
388 };
389
390 EXPORT_SYMBOL(ip_masq_expire);
391 struct ip_fw_masq *ip_masq_expire = &ip_masq_dummy;
392 #endif
393
394 /*
395 * These flags enable non-strict d{addr,port} checks
396 * Given that both (in/out) lookup tables are hashed
397 * by m{addr,port} and s{addr,port} this is quite easy
398 */
399
400 #define MASQ_DADDR_PASS (IP_MASQ_F_NO_DADDR|IP_MASQ_F_DLOOSE)
401 #define MASQ_DPORT_PASS (IP_MASQ_F_NO_DPORT|IP_MASQ_F_DLOOSE)
402
403 /*
404 * By default enable dest loose semantics
405 */
406 #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
407
408
409 /*
410 * Set masq expiration (deletion) and adds timer,
411 * if timeout==0 cancel expiration.
412 * Warning: it does not check/delete previous timer!
413 */
414
415 static void __ip_masq_set_expire(struct ip_masq *ms, unsigned long tout)
416 {
417 if (tout) {
418 ms->timer.expires = jiffies+tout;
419 add_timer(&ms->timer);
420 } else {
421 del_timer(&ms->timer);
422 }
423 }
424
425
426 /*
427 * Returns hash value
428 */
429
430 static __inline__ unsigned
431 ip_masq_hash_key(unsigned proto, __u32 addr, __u16 port)
432 {
433 return (proto^ntohl(addr)^ntohs(port)) & (IP_MASQ_TAB_SIZE-1);
434 }
435
436 /*
437 * Hashes ip_masq by its proto,addrs,ports.
438 * should be called with locked tables.
439 * returns bool success.
440 */
441
442 static int ip_masq_hash(struct ip_masq *ms)
443 {
444 unsigned hash;
445
446 if (ms->flags & IP_MASQ_F_HASHED) {
447 IP_MASQ_ERR( "ip_masq_hash(): request for already hashed, called from %p\n",
448 __builtin_return_address(0));
449 return 0;
450 }
451 /*
452 * Hash by proto,m{addr,port}
453 */
454 hash = ip_masq_hash_key(ms->protocol, ms->maddr, ms->mport);
455 ms->m_link = ip_masq_m_tab[hash];
456 atomic_inc(&ms->refcnt);
457 ip_masq_m_tab[hash] = ms;
458
459 /*
460 * Hash by proto,s{addr,port}
461 */
462 hash = ip_masq_hash_key(ms->protocol, ms->saddr, ms->sport);
463 ms->s_link = ip_masq_s_tab[hash];
464 atomic_inc(&ms->refcnt);
465 ip_masq_s_tab[hash] = ms;
466
467
468 ms->flags |= IP_MASQ_F_HASHED;
469 return 1;
470 }
471
472 /*
473 * UNhashes ip_masq from ip_masq_[ms]_tables.
474 * should be called with locked tables.
475 * returns bool success.
476 */
477
478 static int ip_masq_unhash(struct ip_masq *ms)
479 {
480 unsigned hash;
481 struct ip_masq ** ms_p;
482 if (!(ms->flags & IP_MASQ_F_HASHED)) {
483 IP_MASQ_ERR( "ip_masq_unhash(): request for unhash flagged, called from %p\n",
484 __builtin_return_address(0));
485 return 0;
486 }
487 /*
488 * UNhash by m{addr,port}
489 */
490 hash = ip_masq_hash_key(ms->protocol, ms->maddr, ms->mport);
491 for (ms_p = &ip_masq_m_tab[hash]; *ms_p ; ms_p = &(*ms_p)->m_link)
492 if (ms == (*ms_p)) {
493 atomic_dec(&ms->refcnt);
494 *ms_p = ms->m_link;
495 break;
496 }
497
498 /*
499 * UNhash by s{addr,port}
500 */
501 hash = ip_masq_hash_key(ms->protocol, ms->saddr, ms->sport);
502 for (ms_p = &ip_masq_s_tab[hash]; *ms_p ; ms_p = &(*ms_p)->s_link)
503 if (ms == (*ms_p)) {
504 atomic_dec(&ms->refcnt);
505 *ms_p = ms->s_link;
506 break;
507 }
508
509 ms->flags &= ~IP_MASQ_F_HASHED;
510 return 1;
511 }
512
513 /*
514 * Returns ip_masq associated with supplied parameters, either
515 * broken out of the ip/tcp headers or directly supplied for those
516 * pathological protocols with address/port in the data stream
517 * (ftp, irc). addresses and ports are in network order.
518 * called for pkts coming from OUTside-to-INside the firewall.
519 *
520 * s_addr, s_port: pkt source address (foreign host)
521 * d_addr, d_port: pkt dest address (firewall)
522 *
523 * NB. Cannot check destination address, just for the incoming port.
524 * reason: archie.doc.ac.uk has 6 interfaces, you send to
525 * phoenix and get a reply from any other interface(==dst)!
526 *
527 * [Only for UDP] - AC
528 *
529 * Caller must lock tables
530 */
531
532 static struct ip_masq * __ip_masq_in_get(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
533 {
534 unsigned hash;
535 struct ip_masq *ms = NULL;
536
537 hash = ip_masq_hash_key(protocol, d_addr, d_port);
538
539 for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) {
540 if (protocol==ms->protocol &&
541 (d_addr==ms->maddr && d_port==ms->mport) &&
542 (s_addr==ms->daddr || ms->flags & MASQ_DADDR_PASS) &&
543 (s_port==ms->dport || ms->flags & MASQ_DPORT_PASS)
544 ) {
545 IP_MASQ_DEBUG(2, "look/in %d %08X:%04hX->%08X:%04hX OK\n",
546 protocol,
547 s_addr,
548 s_port,
549 d_addr,
550 d_port);
551 atomic_inc(&ms->refcnt);
552 goto out;
553 }
554 }
555 IP_MASQ_DEBUG(2, "look/in %d %08X:%04hX->%08X:%04hX fail\n",
556 protocol,
557 s_addr,
558 s_port,
559 d_addr,
560 d_port);
561
562 out:
563 return ms;
564 }
565
566 /*
567 * Returns ip_masq associated with supplied parameters, either
568 * broken out of the ip/tcp headers or directly supplied for those
569 * pathological protocols with address/port in the data stream
570 * (ftp, irc). addresses and ports are in network order.
571 * called for pkts coming from inside-to-OUTside the firewall.
572 *
573 * Normally we know the source address and port but for some protocols
574 * (e.g. ftp PASV) we do not know the source port initially. Alas the
575 * hash is keyed on source port so if the first lookup fails then try again
576 * with a zero port, this time only looking at entries marked "no source
577 * port".
578 *
579 * Caller must lock tables
580 */
581
582 static struct ip_masq * __ip_masq_out_get(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
583 {
584 unsigned hash;
585 struct ip_masq *ms = NULL;
586
587 /*
588 * Check for "full" addressed entries
589 */
590 hash = ip_masq_hash_key(protocol, s_addr, s_port);
591
592 for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) {
593 if (protocol == ms->protocol &&
594 s_addr == ms->saddr && s_port == ms->sport &&
595 (d_addr==ms->daddr || ms->flags & MASQ_DADDR_PASS) &&
596 (d_port==ms->dport || ms->flags & MASQ_DPORT_PASS)
597 ) {
598 IP_MASQ_DEBUG(2, "lk/out1 %d %08X:%04hX->%08X:%04hX OK\n",
599 protocol,
600 s_addr,
601 s_port,
602 d_addr,
603 d_port);
604
605 atomic_inc(&ms->refcnt);
606 goto out;
607 }
608
609 }
610
611 /*
612 * Check for NO_SPORT entries
613 */
614 hash = ip_masq_hash_key(protocol, s_addr, 0);
615 for(ms = ip_masq_s_tab[hash]; ms ; ms = ms->s_link) {
616 if (ms->flags & IP_MASQ_F_NO_SPORT &&
617 protocol == ms->protocol &&
618 s_addr == ms->saddr &&
619 (d_addr==ms->daddr || ms->flags & MASQ_DADDR_PASS) &&
620 (d_port==ms->dport || ms->flags & MASQ_DPORT_PASS)
621 ) {
622 IP_MASQ_DEBUG(2, "lk/out2 %d %08X:%04hX->%08X:%04hX OK\n",
623 protocol,
624 s_addr,
625 s_port,
626 d_addr,
627 d_port);
628
629 atomic_inc(&ms->refcnt);
630 goto out;
631 }
632 }
633 IP_MASQ_DEBUG(2, "lk/out1 %d %08X:%04hX->%08X:%04hX fail\n",
634 protocol,
635 s_addr,
636 s_port,
637 d_addr,
638 d_port);
639
640 out:
641 return ms;
642 }
643
644 #ifdef CONFIG_IP_MASQ_NREUSE
645 /*
646 * Returns ip_masq for given proto,m_addr,m_port.
647 * called by allocation routine to find an unused m_port.
648 *
649 * Caller must lock tables
650 */
651
652 static struct ip_masq * __ip_masq_getbym(int protocol, __u32 m_addr, __u16 m_port)
653 {
654 unsigned hash;
655 struct ip_masq *ms = NULL;
656
657 hash = ip_masq_hash_key(protocol, m_addr, m_port);
658
659 for(ms = ip_masq_m_tab[hash]; ms ; ms = ms->m_link) {
660 if ( protocol==ms->protocol &&
661 (m_addr==ms->maddr && m_port==ms->mport)) {
662 atomic_inc(&ms->refcnt);
663 goto out;
664 }
665 }
666
667 out:
668 return ms;
669 }
670 #endif
671
672 struct ip_masq * ip_masq_out_get(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
673 {
674 struct ip_masq *ms;
675
676 read_lock(&__ip_masq_lock);
677 ms = __ip_masq_out_get(protocol, s_addr, s_port, d_addr, d_port);
678 read_unlock(&__ip_masq_lock);
679
680 if (ms)
681 __ip_masq_set_expire(ms, 0);
682 return ms;
683 }
684
685 struct ip_masq * ip_masq_in_get(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
686 {
687 struct ip_masq *ms;
688
689 read_lock(&__ip_masq_lock);
690 ms = __ip_masq_in_get(protocol, s_addr, s_port, d_addr, d_port);
691 read_unlock(&__ip_masq_lock);
692
693 if (ms)
694 __ip_masq_set_expire(ms, 0);
695 return ms;
696 }
697
698 static __inline__ void __ip_masq_put(struct ip_masq *ms)
699 {
700 atomic_dec(&ms->refcnt);
701 }
702
703 void ip_masq_put(struct ip_masq *ms)
704 {
705 /*
706 * Decrement refcnt
707 */
708 __ip_masq_put(ms);
709
710 /*
711 * if refcnt==2 (2 hashes)
712 */
713 if (atomic_read(&ms->refcnt)==2) {
714 __ip_masq_set_expire(ms, ms->timeout);
715 } else {
716 IP_MASQ_DEBUG(0, "did not set timer with refcnt=%d, called from %p\n",
717 atomic_read(&ms->refcnt),
718 __builtin_return_address(0));
719 }
720 }
721
722 static void masq_expire(unsigned long data)
723 {
724 struct ip_masq *ms = (struct ip_masq *)data;
725 ms->timeout = MASQUERADE_EXPIRE_RETRY;
726
727 /*
728 * hey, I'm using it
729 */
730 atomic_inc(&ms->refcnt);
731
732 IP_MASQ_DEBUG(1, "Masqueraded %s %08lX:%04X expired\n",
733 masq_proto_name(ms->protocol),
734 ntohl(ms->saddr),ntohs(ms->sport));
735
736 write_lock(&__ip_masq_lock);
737
738 #if 0000
739 /*
740 * Already locked, do bounce ...
741 */
742 if (ip_masq_nlocks(&__ip_masq_lock) != 1) {
743 goto masq_expire_later;
744 }
745
746 #endif
747 /*
748 * do I control anybody?
749 */
750 if (atomic_read(&ms->n_control))
751 goto masq_expire_later;
752
753 /*
754 * does anybody controls me?
755 */
756
757 if (ms->control)
758 ip_masq_control_del(ms);
759
760 if (ip_masq_unhash(ms)) {
761 if (ms->flags&IP_MASQ_F_MPORT) {
762 atomic_dec(&mport_count);
763 } else {
764 atomic_inc(ip_masq_free_ports + masq_proto_num(ms->protocol));
765 }
766 ip_masq_unbind_app(ms);
767 }
768
769 /*
770 * refcnt==1 implies I'm the only one referrer
771 */
772 if (atomic_read(&ms->refcnt) == 1) {
773 kfree_s(ms,sizeof(*ms));
774 MOD_DEC_USE_COUNT;
775 goto masq_expire_out;
776 }
777
778 masq_expire_later:
779 IP_MASQ_DEBUG(0, "masq_expire delayed: %s %08lX:%04X->%08lX:%04X masq.refcnt-1=%d masq.n_control=%d\n",
780 masq_proto_name(ms->protocol),
781 ntohl(ms->saddr), ntohs(ms->sport),
782 ntohl(ms->daddr), ntohs(ms->dport),
783 atomic_read(&ms->refcnt)-1,
784 atomic_read(&ms->n_control));
785
786 ip_masq_put(ms);
787
788 masq_expire_out:
789 write_unlock(&__ip_masq_lock);
790 }
791
792 static __u16 get_next_mport(void)
793 {
794 __u16 mport;
795
796 spin_lock_irq(&masq_port_lock);
797 /*
798 * Try the next available port number
799 */
800 mport = htons(masq_port++);
801 if (masq_port==PORT_MASQ_END) masq_port = PORT_MASQ_BEGIN;
802
803 spin_unlock_irq(&masq_port_lock);
804 return mport;
805 }
806
807 /*
808 * Create a new masquerade list entry, also allocate an
809 * unused mport, keeping the portnumber between the
810 * given boundaries MASQ_BEGIN and MASQ_END.
811 *
812 * Be careful, it can be called from u-space
813 */
814
815 struct ip_masq * ip_masq_new(int proto, __u32 maddr, __u16 mport, __u32 saddr, __u16 sport, __u32 daddr, __u16 dport, unsigned mflags)
816 {
817 struct ip_masq *ms, *mst;
818 int ports_tried;
819 atomic_t *free_ports_p = NULL;
820 static int n_fails = 0;
821 int prio;
822
823
824 if (masq_proto_num(proto)!=-1 && mport == 0) {
825 free_ports_p = ip_masq_free_ports + masq_proto_num(proto);
826
827 if (atomic_read(free_ports_p) == 0) {
828 if (++n_fails < 5)
829 IP_MASQ_ERR( "ip_masq_new(proto=%s): no free ports.\n",
830 masq_proto_name(proto));
831 return NULL;
832 }
833 }
834
835 prio = (mflags&IP_MASQ_F_USER) ? GFP_KERNEL : GFP_ATOMIC;
836
837 ms = (struct ip_masq *) kmalloc(sizeof(struct ip_masq), prio);
838 if (ms == NULL) {
839 if (++n_fails < 5)
840 IP_MASQ_ERR("ip_masq_new(proto=%s): no memory available.\n",
841 masq_proto_name(proto));
842 return NULL;
843 }
844 MOD_INC_USE_COUNT;
845 memset(ms, 0, sizeof(*ms));
846 init_timer(&ms->timer);
847 ms->timer.data = (unsigned long)ms;
848 ms->timer.function = masq_expire;
849 ms->protocol = proto;
850 ms->saddr = saddr;
851 ms->sport = sport;
852 ms->daddr = daddr;
853 ms->dport = dport;
854 ms->flags = mflags;
855 ms->app_data = NULL;
856 ms->control = NULL;
857
858 atomic_set(&ms->n_control,0);
859 atomic_set(&ms->refcnt,0);
860
861 if (proto == IPPROTO_UDP && !mport)
862 #ifdef CONFIG_IP_MASQ_LOOSE_DEFAULT
863 /*
864 * Flag this tunnel as "dest loose"
865 *
866 */
867 ms->flags |= IP_MASQ_F_DLOOSE;
868 #else
869 ms->flags |= IP_MASQ_F_NO_DADDR;
870 #endif
871
872
873 /* get masq address from rif */
874 ms->maddr = maddr;
875
876 /*
877 * This flag will allow masq. addr (ms->maddr)
878 * to follow forwarding interface address.
879 */
880 ms->flags |= IP_MASQ_F_NO_REPLY;
881
882 /*
883 * We want a specific mport. Be careful.
884 */
885 if (masq_proto_num(proto) == -1 || mport) {
886 ms->mport = mport;
887
888 /*
889 * Check 5-upla uniqueness
890 */
891 if (mflags & IP_MASQ_F_USER)
892 write_lock_bh(&__ip_masq_lock);
893 else
894 write_lock(&__ip_masq_lock);
895
896 mst = __ip_masq_in_get(proto, daddr, dport, maddr, mport);
897 if (mst==NULL) {
898 ms->flags |= IP_MASQ_F_MPORT;
899
900 atomic_inc(&mport_count);
901 ip_masq_hash(ms);
902
903 if (mflags & IP_MASQ_F_USER)
904 write_unlock_bh(&__ip_masq_lock);
905 else
906 write_unlock(&__ip_masq_lock);
907
908 ip_masq_bind_app(ms);
909 atomic_inc(&ms->refcnt);
910 masq_set_state_timeout(ms, IP_MASQ_S_NONE);
911 return ms;
912 }
913 if (mflags & IP_MASQ_F_USER)
914 write_unlock_bh(&__ip_masq_lock);
915 else
916 write_unlock(&__ip_masq_lock);
917
918 __ip_masq_put(mst);
919
920 IP_MASQ_ERR( "Already used connection: %s, %d.%d.%d.%d:%d => %d.%d.%d.%d:%d, called from %p\n",
921 masq_proto_name(proto),
922 NIPQUAD(maddr), ntohs(mport),
923 NIPQUAD(daddr), ntohs(dport),
924 __builtin_return_address(0));
925
926
927 goto mport_nono;
928 }
929
930
931 for (ports_tried = 0;
932 (atomic_read(free_ports_p) && (ports_tried <= (PORT_MASQ_END - PORT_MASQ_BEGIN)));
933 ports_tried++){
934
935 mport = ms->mport = get_next_mport();
936 /*
937 * lookup to find out if this connection is used.
938 */
939
940 if (mflags & IP_MASQ_F_USER)
941 write_lock_bh(&__ip_masq_lock);
942 else
943 write_lock(&__ip_masq_lock);
944
945 #ifdef CONFIG_IP_MASQ_NREUSE
946 mst = __ip_masq_getbym(proto, maddr, mport);
947 #else
948 mst = __ip_masq_in_get(proto, daddr, dport, maddr, mport);
949 #endif
950 if (mst == NULL) {
951
952 if (atomic_read(free_ports_p) == 0) {
953 if (mflags & IP_MASQ_F_USER)
954 write_unlock_bh(&__ip_masq_lock);
955 else
956 write_unlock(&__ip_masq_lock);
957
958 break;
959 }
960 atomic_dec(free_ports_p);
961 ip_masq_hash(ms);
962
963 if (mflags & IP_MASQ_F_USER)
964 write_unlock_bh(&__ip_masq_lock);
965 else
966 write_unlock(&__ip_masq_lock);
967
968 ip_masq_bind_app(ms);
969 n_fails = 0;
970 atomic_inc(&ms->refcnt);
971 masq_set_state_timeout(ms, IP_MASQ_S_NONE);
972 return ms;
973 }
974 if (mflags & IP_MASQ_F_USER)
975 write_unlock_bh(&__ip_masq_lock);
976 else
977 write_unlock(&__ip_masq_lock);
978
979 __ip_masq_put(mst);
980 }
981
982 if (++n_fails < 5)
983 IP_MASQ_ERR( "ip_masq_new(proto=%s): could not get free masq entry (free=%d).\n",
984 masq_proto_name(ms->protocol),
985 atomic_read(free_ports_p));
986 mport_nono:
987 kfree_s(ms, sizeof(*ms));
988
989 MOD_DEC_USE_COUNT;
990 return NULL;
991 }
992
993 /*
994 * Get transport protocol data offset, check against size
995 * return:
996 * 0 if other IP proto
997 * -1 if error
998 */
999 static __inline__ int proto_doff(unsigned proto, char *th, unsigned size)
1000 {
1001 int ret = -1;
1002 switch (proto) {
1003 case IPPROTO_ICMP:
1004 if (size >= sizeof(struct icmphdr))
1005 ret = sizeof(struct icmphdr);
1006 break;
1007 case IPPROTO_UDP:
1008 if (size >= sizeof(struct udphdr))
1009 ret = sizeof(struct udphdr);
1010 break;
1011 case IPPROTO_TCP:
1012 /*
1013 * Is this case, this check _also_ avoids
1014 * touching an invalid pointer if
1015 * size is invalid
1016 */
1017 if (size >= sizeof(struct tcphdr)) {
1018 ret = ((struct tcphdr*)th)->doff << 2;
1019 if (ret > size) {
1020 ret = -1 ;
1021 }
1022 }
1023
1024 break;
1025 default:
1026 /* Other proto: nothing to say, by now :) */
1027 ret = 0;
1028 }
1029 if (ret < 0)
1030 IP_MASQ_DEBUG(0, "mess proto_doff for proto=%d, size =%d\n",
1031 proto, size);
1032 return ret;
1033 }
1034
1035 int ip_fw_masquerade(struct sk_buff **skb_p, __u32 maddr)
1036 {
1037 struct sk_buff *skb = *skb_p;
1038 struct iphdr *iph = skb->nh.iph;
1039 union ip_masq_tphdr h;
1040 struct ip_masq *ms;
1041 int size;
1042
1043 /*
1044 * doff holds transport protocol data offset
1045 * csum holds its checksum
1046 * csum_ok says if csum is valid
1047 */
1048 int doff = 0;
1049 int csum = 0;
1050 int csum_ok = 0;
1051
1052 /*
1053 * We can only masquerade protocols with ports... and hack some ICMPs
1054 */
1055
1056 h.raw = (char*) iph + iph->ihl * 4;
1057 size = ntohs(iph->tot_len) - (iph->ihl * 4);
1058
1059
1060 doff = proto_doff(iph->protocol, h.raw, size);
1061 if (doff <= 0) {
1062 /*
1063 * Output path: do not pass other IP protos nor
1064 * invalid packets.
1065 */
1066 return -1;
1067 }
1068
1069 switch (iph->protocol) {
1070 case IPPROTO_ICMP:
1071 return(ip_fw_masq_icmp(skb_p, maddr));
1072 case IPPROTO_UDP:
1073 if (h.uh->check == 0)
1074 /* No UDP checksum */
1075 break;
1076 case IPPROTO_TCP:
1077 /* Make sure packet is in the masq range */
1078 IP_MASQ_DEBUG(3, "O-pkt: %s size=%d\n",
1079 masq_proto_name(iph->protocol),
1080 size);
1081
1082 #ifdef CONFIG_IP_MASQ_DEBUG
1083 if (ip_masq_get_debug_level() > 3) {
1084 skb->ip_summed = CHECKSUM_NONE;
1085 }
1086 #endif
1087 /* Check that the checksum is OK */
1088 switch (skb->ip_summed)
1089 {
1090 case CHECKSUM_NONE:
1091 {
1092 csum = csum_partial(h.raw + doff, size - doff, 0);
1093 IP_MASQ_DEBUG(3, "O-pkt: %s I-datacsum=%d\n",
1094 masq_proto_name(iph->protocol),
1095 csum);
1096
1097 skb->csum = csum_partial(h.raw , doff, csum);
1098 }
1099 case CHECKSUM_HW:
1100 if (csum_tcpudp_magic(iph->saddr, iph->daddr,
1101 size, iph->protocol, skb->csum))
1102 {
1103 IP_MASQ_DEBUG(0, "Outgoing failed %s checksum from %d.%d.%d.%d (size=%d)!\n",
1104 masq_proto_name(iph->protocol),
1105 NIPQUAD(iph->saddr),
1106 size);
1107 return -1;
1108 }
1109 default:
1110 /* CHECKSUM_UNNECESSARY */
1111 }
1112 break;
1113 default:
1114 return -1;
1115 }
1116 /*
1117 * Now hunt the list to see if we have an old entry
1118 */
1119
1120 /* h.raw = (char*) iph + iph->ihl * 4; */
1121
1122 IP_MASQ_DEBUG(2, "Outgoing %s %08lX:%04X -> %08lX:%04X\n",
1123 masq_proto_name(iph->protocol),
1124 ntohl(iph->saddr), ntohs(h.portp[0]),
1125 ntohl(iph->daddr), ntohs(h.portp[1]));
1126
1127 ms = ip_masq_out_get_iph(iph);
1128 if (ms!=NULL) {
1129
1130 /*
1131 * If sysctl !=0 and no pkt has been received yet
1132 * in this tunnel and routing iface address has changed...
1133 * "You are welcome, diald".
1134 */
1135 if ( sysctl_ip_dynaddr && ms->flags & IP_MASQ_F_NO_REPLY && maddr != ms->maddr) {
1136
1137 if (sysctl_ip_dynaddr > 1) {
1138 IP_MASQ_INFO( "ip_fw_masquerade(): change masq.addr from %d.%d.%d.%d to %d.%d.%d.%d\n",
1139 NIPQUAD(ms->maddr),NIPQUAD(maddr));
1140 }
1141
1142 write_lock(&__ip_masq_lock);
1143
1144 ip_masq_unhash(ms);
1145 ms->maddr = maddr;
1146 ip_masq_hash(ms);
1147
1148 write_unlock(&__ip_masq_lock);
1149 }
1150
1151 /*
1152 * Set sport if not defined yet (e.g. ftp PASV). Because
1153 * masq entries are hashed on sport, unhash with old value
1154 * and hash with new.
1155 */
1156
1157 if ( ms->flags & IP_MASQ_F_NO_SPORT && ms->protocol == IPPROTO_TCP ) {
1158 ms->flags &= ~IP_MASQ_F_NO_SPORT;
1159
1160 write_lock(&__ip_masq_lock);
1161
1162 ip_masq_unhash(ms);
1163 ms->sport = h.portp[0];
1164 ip_masq_hash(ms); /* hash on new sport */
1165
1166 write_unlock(&__ip_masq_lock);
1167
1168 IP_MASQ_DEBUG(1, "ip_fw_masquerade(): filled sport=%d\n",
1169 ntohs(ms->sport));
1170 }
1171 if (ms->flags & IP_MASQ_F_DLOOSE) {
1172 /*
1173 * update dest loose values
1174 */
1175 ms->dport = h.portp[1];
1176 ms->daddr = iph->daddr;
1177 }
1178 } else {
1179 /*
1180 * Nope, not found, create a new entry for it
1181 */
1182
1183 #ifdef CONFIG_IP_MASQUERADE_MOD
1184 if (!(ms = ip_masq_mod_out_create(skb, iph, maddr)))
1185 #endif
1186 ms = ip_masq_new(iph->protocol,
1187 maddr, 0,
1188 iph->saddr, h.portp[0],
1189 iph->daddr, h.portp[1],
1190 0);
1191 if (ms == NULL)
1192 return -1;
1193 }
1194
1195 /*
1196 * Call module's output update hook
1197 */
1198
1199 #ifdef CONFIG_IP_MASQUERADE_MOD
1200 ip_masq_mod_out_update(skb, iph, ms);
1201 #endif
1202
1203 /*
1204 * Change the fragments origin
1205 */
1206
1207 size = skb->len - (h.raw - skb->nh.raw);
1208
1209 /*
1210 * Set iph addr and port from ip_masq obj.
1211 */
1212 iph->saddr = ms->maddr;
1213 h.portp[0] = ms->mport;
1214
1215 /*
1216 * Invalidate csum saving if tunnel has masq helper
1217 */
1218
1219 if (ms->app)
1220 csum_ok = 0;
1221
1222 /*
1223 * Attempt ip_masq_app call.
1224 * will fix ip_masq and iph seq stuff
1225 */
1226 if (ip_masq_app_pkt_out(ms, skb_p, maddr) != 0)
1227 {
1228 /*
1229 * skb has possibly changed, update pointers.
1230 */
1231 skb = *skb_p;
1232 iph = skb->nh.iph;
1233 h.raw = (char*) iph + iph->ihl *4;
1234 size = skb->len - (h.raw - skb->nh.raw);
1235 /* doff should have not changed */
1236 }
1237
1238 /*
1239 * Adjust packet accordingly to protocol
1240 */
1241
1242 /*
1243 * Transport's payload partial csum
1244 */
1245
1246 if (!csum_ok) {
1247 csum = csum_partial(h.raw + doff, size - doff, 0);
1248 }
1249 skb->csum = csum;
1250
1251 IP_MASQ_DEBUG(3, "O-pkt: %s size=%d O-datacsum=%d\n",
1252 masq_proto_name(iph->protocol),
1253 size,
1254 csum);
1255
1256 /*
1257 * Protocol csum
1258 */
1259 switch (iph->protocol) {
1260 case IPPROTO_TCP:
1261 h.th->check = 0;
1262 h.th->check=csum_tcpudp_magic(iph->saddr, iph->daddr,
1263 size, iph->protocol,
1264 csum_partial(h.raw , doff, csum));
1265 IP_MASQ_DEBUG(3, "O-pkt: %s O-csum=%d (+%d)\n",
1266 masq_proto_name(iph->protocol),
1267 h.th->check,
1268 (char*) & (h.th->check) - (char*) h.raw);
1269
1270 break;
1271 case IPPROTO_UDP:
1272 h.uh->check = 0;
1273 h.uh->check=csum_tcpudp_magic(iph->saddr, iph->daddr,
1274 size, iph->protocol,
1275 csum_partial(h.raw , doff, csum));
1276 if (h.uh->check == 0)
1277 h.uh->check = 0xFFFF;
1278 IP_MASQ_DEBUG(3, "O-pkt: %s O-csum=%d (+%d)\n",
1279 masq_proto_name(iph->protocol),
1280 h.uh->check,
1281 (char*) &(h.uh->check)- (char*) h.raw);
1282 break;
1283 }
1284 ip_send_check(iph);
1285
1286 IP_MASQ_DEBUG(2, "O-routed from %08lX:%04X with masq.addr %08lX\n",
1287 ntohl(ms->maddr),ntohs(ms->mport),ntohl(maddr));
1288
1289 masq_set_state(ms, 1, iph, h.portp);
1290 ip_masq_put(ms);
1291
1292 return 0;
1293 }
1294
1295 /*
1296 * Restore original addresses and ports in the original IP
1297 * datagram if the failing packet has been [de]masqueraded.
1298 * This is ugly in the extreme. We no longer have the original
1299 * packet so we have to reconstruct it from the failing packet
1300 * plus data in the masq tables. The resulting "original data"
1301 * should be good enough to tell the sender which session to
1302 * throttle. Relies on far too much knowledge of masq internals,
1303 * there ought to be a better way - KAO 990303.
1304 *
1305 * Moved here from icmp.c - JJC.
1306 * Already known: type == ICMP_DEST_UNREACH, IPSKB_MASQUERADED
1307 * skb->nh.iph points to original header.
1308 *
1309 * Must try both OUT and IN tables; we could add a flag
1310 * ala IPSKB_MASQUERADED to avoid 2nd tables lookup, but this is VERY
1311 * unlike because routing makes mtu decision before reaching
1312 * ip_fw_masquerade().
1313 *
1314 */
1315 int ip_fw_unmasq_icmp(struct sk_buff *skb) {
1316 struct ip_masq *ms;
1317 struct iphdr *iph = skb->nh.iph;
1318 __u16 *portp = (__u16 *)&(((char *)iph)[iph->ihl*4]);
1319
1320 /*
1321 * Always called from _bh context: use read_[un]lock()
1322 */
1323
1324 /*
1325 * Peek "out" table, this packet has bounced:
1326 * out->in(frag_needed!)->OUT[icmp]
1327 *
1328 * iph->daddr is IN host
1329 * iph->saddr is OUT host
1330 */
1331 read_lock(&__ip_masq_lock);
1332 ms = __ip_masq_out_get(iph->protocol,
1333 iph->daddr, portp[1],
1334 iph->saddr, portp[0]);
1335 read_unlock(&__ip_masq_lock);
1336 if (ms) {
1337 IP_MASQ_DEBUG(1, "Incoming frag_need rewrited from %d.%d.%d.%d to %d.%d.%d.%d\n",
1338 NIPQUAD(iph->daddr), NIPQUAD(ms->maddr));
1339 iph->daddr = ms->maddr;
1340 portp[1] = ms->mport;
1341 __ip_masq_put(ms);
1342 return 1;
1343 }
1344 /*
1345 * Peek "in" table
1346 * in->out(frag_needed!)->IN[icmp]
1347 *
1348 * iph->daddr is OUT host
1349 * iph->saddr is MASQ host
1350 *
1351 */
1352 read_lock(&__ip_masq_lock);
1353 ms = __ip_masq_in_get(iph->protocol,
1354 iph->daddr, portp[1],
1355 iph->saddr, portp[0]);
1356 read_unlock(&__ip_masq_lock);
1357 if (ms) {
1358 IP_MASQ_DEBUG(1, "Outgoing frag_need rewrited from %d.%d.%d.%d to %d.%d.%d.%d\n",
1359 NIPQUAD(iph->saddr), NIPQUAD(ms->saddr));
1360 iph->saddr = ms->saddr;
1361 portp[0] = ms->sport;
1362 __ip_masq_put(ms);
1363 return 1;
1364 }
1365 return 0;
1366
1367 }
1368 /*
1369 * Handle ICMP messages in forward direction.
1370 * Find any that might be relevant, check against existing connections,
1371 * forward to masqueraded host if relevant.
1372 * Currently handles error types - unreachable, quench, ttl exceeded
1373 */
1374
1375 int ip_fw_masq_icmp(struct sk_buff **skb_p, __u32 maddr)
1376 {
1377 struct sk_buff *skb = *skb_p;
1378 struct iphdr *iph = skb->nh.iph;
1379 struct icmphdr *icmph = (struct icmphdr *)((char *)iph + (iph->ihl<<2));
1380 struct iphdr *ciph; /* The ip header contained within the ICMP */
1381 __u16 *pptr; /* port numbers from TCP/UDP contained header */
1382 struct ip_masq *ms;
1383 unsigned short len = ntohs(iph->tot_len) - (iph->ihl * 4);
1384
1385 IP_MASQ_DEBUG(2, "Incoming forward ICMP (%d,%d) %lX -> %lX\n",
1386 icmph->type, ntohs(icmp_id(icmph)),
1387 ntohl(iph->saddr), ntohl(iph->daddr));
1388
1389 #ifdef CONFIG_IP_MASQUERADE_ICMP
1390 if ((icmph->type == ICMP_ECHO ) ||
1391 (icmph->type == ICMP_TIMESTAMP ) ||
1392 (icmph->type == ICMP_INFO_REQUEST ) ||
1393 (icmph->type == ICMP_ADDRESS )) {
1394
1395 IP_MASQ_DEBUG(2, "icmp request rcv %lX->%lX id %d type %d\n",
1396 ntohl(iph->saddr),
1397 ntohl(iph->daddr),
1398 ntohs(icmp_id(icmph)),
1399 icmph->type);
1400
1401 ms = ip_masq_out_get(iph->protocol,
1402 iph->saddr,
1403 icmp_id(icmph),
1404 iph->daddr,
1405 icmp_hv_req(icmph));
1406 if (ms == NULL) {
1407 ms = ip_masq_new(iph->protocol,
1408 maddr, 0,
1409 iph->saddr, icmp_id(icmph),
1410 iph->daddr, icmp_hv_req(icmph),
1411 0);
1412 if (ms == NULL)
1413 return (-1);
1414 IP_MASQ_DEBUG(1, "Created new icmp entry\n");
1415 }
1416 /* Rewrite source address */
1417
1418 /*
1419 * If sysctl !=0 and no pkt has been received yet
1420 * in this tunnel and routing iface address has changed...
1421 * "You are welcome, diald".
1422 */
1423 if ( sysctl_ip_dynaddr && ms->flags & IP_MASQ_F_NO_REPLY && maddr != ms->maddr) {
1424
1425 if (sysctl_ip_dynaddr > 1) {
1426 IP_MASQ_INFO( "ip_fw_masq_icmp(): change masq.addr %d.%d.%d.%d to %d.%d.%d.%d",
1427 NIPQUAD(ms->maddr), NIPQUAD(maddr));
1428 }
1429
1430 write_lock(&__ip_masq_lock);
1431
1432 ip_masq_unhash(ms);
1433 ms->maddr = maddr;
1434 ip_masq_hash(ms);
1435
1436 write_unlock(&__ip_masq_lock);
1437 }
1438
1439 iph->saddr = ms->maddr;
1440 ip_send_check(iph);
1441 /* Rewrite port (id) */
1442 (icmph->un).echo.id = ms->mport;
1443 icmph->checksum = 0;
1444 icmph->checksum = ip_compute_csum((unsigned char *)icmph, len);
1445
1446 IP_MASQ_DEBUG(2, "icmp request rwt %lX->%lX id %d type %d\n",
1447 ntohl(iph->saddr),
1448 ntohl(iph->daddr),
1449 ntohs(icmp_id(icmph)),
1450 icmph->type);
1451
1452 masq_set_state(ms, 1, iph, icmph);
1453 ip_masq_put(ms);
1454
1455 return 1;
1456 }
1457 #endif
1458
1459 /*
1460 * Work through seeing if this is for us.
1461 * These checks are supposed to be in an order that
1462 * means easy things are checked first to speed up
1463 * processing.... however this means that some
1464 * packets will manage to get a long way down this
1465 * stack and then be rejected, but thats life
1466 */
1467 if ((icmph->type != ICMP_DEST_UNREACH) &&
1468 (icmph->type != ICMP_SOURCE_QUENCH) &&
1469 (icmph->type != ICMP_TIME_EXCEEDED))
1470 return 0;
1471
1472 /* Now find the contained IP header */
1473 ciph = (struct iphdr *) (icmph + 1);
1474
1475 #ifdef CONFIG_IP_MASQUERADE_ICMP
1476 if (ciph->protocol == IPPROTO_ICMP) {
1477 /*
1478 * This section handles ICMP errors for ICMP packets
1479 */
1480 struct icmphdr *cicmph = (struct icmphdr *)((char *)ciph +
1481 (ciph->ihl<<2));
1482
1483
1484 IP_MASQ_DEBUG(2, "fw icmp/icmp rcv %lX->%lX id %d type %d\n",
1485 ntohl(ciph->saddr),
1486 ntohl(ciph->daddr),
1487 ntohs(icmp_id(cicmph)),
1488 cicmph->type);
1489
1490 read_lock(&__ip_masq_lock);
1491 ms = __ip_masq_out_get(ciph->protocol,
1492 ciph->daddr,
1493 icmp_id(cicmph),
1494 ciph->saddr,
1495 icmp_hv_rep(cicmph));
1496 read_unlock(&__ip_masq_lock);
1497
1498 if (ms == NULL)
1499 return 0;
1500
1501 /* Now we do real damage to this packet...! */
1502 /* First change the source IP address, and recalc checksum */
1503 iph->saddr = ms->maddr;
1504 ip_send_check(iph);
1505
1506 /* Now change the *dest* address in the contained IP */
1507 ciph->daddr = ms->maddr;
1508 __ip_masq_put(ms);
1509
1510 ip_send_check(ciph);
1511
1512 /* Change the ID to the masqed one! */
1513 (cicmph->un).echo.id = ms->mport;
1514
1515 /* And finally the ICMP checksum */
1516 icmph->checksum = 0;
1517 icmph->checksum = ip_compute_csum((unsigned char *) icmph, len);
1518
1519
1520 IP_MASQ_DEBUG(2, "fw icmp/icmp rwt %lX->%lX id %d type %d\n",
1521 ntohl(ciph->saddr),
1522 ntohl(ciph->daddr),
1523 ntohs(icmp_id(cicmph)),
1524 cicmph->type);
1525
1526 return 1;
1527 }
1528 #endif /* CONFIG_IP_MASQUERADE_ICMP */
1529
1530 /* We are only interested ICMPs generated from TCP or UDP packets */
1531 if ((ciph->protocol != IPPROTO_UDP) && (ciph->protocol != IPPROTO_TCP))
1532 return 0;
1533
1534 /*
1535 * Find the ports involved - this packet was
1536 * incoming so the ports are right way round
1537 * (but reversed relative to outer IP header!)
1538 */
1539 pptr = (__u16 *)&(((char *)ciph)[ciph->ihl*4]);
1540 #if 0
1541 if (ntohs(pptr[1]) < PORT_MASQ_BEGIN ||
1542 ntohs(pptr[1]) > PORT_MASQ_END)
1543 return 0;
1544 #endif
1545
1546 /* Ensure the checksum is correct */
1547 if (ip_compute_csum((unsigned char *) icmph, len))
1548 {
1549 /* Failed checksum! */
1550 IP_MASQ_DEBUG(0, "forward ICMP: failed checksum from %d.%d.%d.%d!\n",
1551 NIPQUAD(iph->saddr));
1552 return(-1);
1553 }
1554
1555
1556 IP_MASQ_DEBUG(2, "Handling forward ICMP for %08lX:%04X -> %08lX:%04X\n",
1557 ntohl(ciph->saddr), ntohs(pptr[0]),
1558 ntohl(ciph->daddr), ntohs(pptr[1]));
1559
1560
1561 #if 0
1562 /* This is pretty much what __ip_masq_in_get_iph() does */
1563 ms = __ip_masq_in_get(ciph->protocol, ciph->saddr, pptr[0], ciph->daddr, pptr[1]);
1564 #endif
1565 read_lock(&__ip_masq_lock);
1566 ms = __ip_masq_out_get(ciph->protocol,
1567 ciph->daddr,
1568 pptr[1],
1569 ciph->saddr,
1570 pptr[0]);
1571 read_unlock(&__ip_masq_lock);
1572
1573 if (ms == NULL)
1574 return 0;
1575
1576 /* Now we do real damage to this packet...! */
1577 /* First change the source IP address, and recalc checksum */
1578 iph->saddr = ms->maddr;
1579 ip_send_check(iph);
1580
1581 /* Now change the *dest* address in the contained IP */
1582 ciph->daddr = ms->maddr;
1583 ip_send_check(ciph);
1584
1585 /* the TCP/UDP dest port - cannot redo check */
1586 pptr[1] = ms->mport;
1587 __ip_masq_put(ms);
1588
1589 /* And finally the ICMP checksum */
1590 icmph->checksum = 0;
1591 icmph->checksum = ip_compute_csum((unsigned char *) icmph, len);
1592
1593
1594 IP_MASQ_DEBUG(2, "Rewrote forward ICMP to %08lX:%04X -> %08lX:%04X\n",
1595 ntohl(ciph->saddr), ntohs(pptr[0]),
1596 ntohl(ciph->daddr), ntohs(pptr[1]));
1597
1598
1599 return 1;
1600 }
1601
1602
1603 /*
1604 * Own skb_cow() beast, tweaked for rewriting commonly
1605 * used pointers in masq code
1606 */
1607 static struct sk_buff * masq_skb_cow(struct sk_buff **skb_p,
1608 struct iphdr **iph_p, unsigned char **t_p) {
1609 struct sk_buff *skb=(*skb_p);
1610 if (skb_cloned(skb)) {
1611 skb = skb_copy(skb, GFP_ATOMIC);
1612 if (skb) {
1613 /*
1614 * skb changed, update other pointers
1615 */
1616 struct iphdr *iph = skb->nh.iph;
1617 kfree_skb(*skb_p);
1618 *skb_p = skb;
1619 *iph_p = iph;
1620 *t_p = (char*) iph + iph->ihl * 4;
1621 }
1622 }
1623 return skb;
1624 }
1625
1626 /*
1627 * Handle ICMP messages in reverse (demasquerade) direction.
1628 * Find any that might be relevant, check against existing connections,
1629 * forward to masqueraded host if relevant.
1630 * Currently handles error types - unreachable, quench, ttl exceeded
1631 */
1632
1633 int ip_fw_demasq_icmp(struct sk_buff **skb_p)
1634 {
1635 struct sk_buff *skb = *skb_p;
1636 struct iphdr *iph = skb->nh.iph;
1637 struct icmphdr *icmph = (struct icmphdr *)((char *)iph + (iph->ihl<<2));
1638 struct iphdr *ciph; /* The ip header contained within the ICMP */
1639 __u16 *pptr; /* port numbers from TCP/UDP contained header */
1640 struct ip_masq *ms;
1641 unsigned short len = ntohs(iph->tot_len) - (iph->ihl * 4);
1642
1643
1644 IP_MASQ_DEBUG(2, "icmp in/rev (%d,%d) %lX -> %lX\n",
1645 icmph->type, ntohs(icmp_id(icmph)),
1646 ntohl(iph->saddr), ntohl(iph->daddr));
1647
1648
1649 #ifdef CONFIG_IP_MASQUERADE_ICMP
1650 if ((icmph->type == ICMP_ECHOREPLY) ||
1651 (icmph->type == ICMP_TIMESTAMPREPLY) ||
1652 (icmph->type == ICMP_INFO_REPLY) ||
1653 (icmph->type == ICMP_ADDRESSREPLY)) {
1654
1655 IP_MASQ_DEBUG(2, "icmp reply rcv %lX->%lX id %d type %d, req %d\n",
1656 ntohl(iph->saddr),
1657 ntohl(iph->daddr),
1658 ntohs(icmp_id(icmph)),
1659 icmph->type,
1660 icmp_type_request(icmph->type));
1661
1662 ms = ip_masq_in_get(iph->protocol,
1663 iph->saddr,
1664 icmp_hv_rep(icmph),
1665 iph->daddr,
1666 icmp_id(icmph));
1667 if (ms == NULL)
1668 return 0;
1669
1670 /*
1671 * got reply, so clear flag
1672 */
1673 ms->flags &= ~IP_MASQ_F_NO_REPLY;
1674
1675 if ((skb=masq_skb_cow(skb_p, &iph, (unsigned char**)&icmph)) == NULL) {
1676 ip_masq_put(ms);
1677 return -1;
1678 }
1679
1680 /* Reset source address */
1681 iph->daddr = ms->saddr;
1682 /* Redo IP header checksum */
1683 ip_send_check(iph);
1684 /* Set ID to fake port number */
1685 (icmph->un).echo.id = ms->sport;
1686 /* Reset ICMP checksum and set expiry */
1687 icmph->checksum=0;
1688 icmph->checksum=ip_compute_csum((unsigned char *)icmph,len);
1689
1690
1691
1692 IP_MASQ_DEBUG(2, "icmp reply rwt %lX->%lX id %d type %d\n",
1693 ntohl(iph->saddr),
1694 ntohl(iph->daddr),
1695 ntohs(icmp_id(icmph)),
1696 icmph->type);
1697
1698 masq_set_state(ms, 0, iph, icmph);
1699 ip_masq_put(ms);
1700
1701 return 1;
1702 } else {
1703 #endif
1704 if ((icmph->type != ICMP_DEST_UNREACH) &&
1705 (icmph->type != ICMP_SOURCE_QUENCH) &&
1706 (icmph->type != ICMP_TIME_EXCEEDED))
1707 return 0;
1708 #ifdef CONFIG_IP_MASQUERADE_ICMP
1709 }
1710 #endif
1711 /*
1712 * If we get here we have an ICMP error of one of the above 3 types
1713 * Now find the contained IP header
1714 */
1715
1716 ciph = (struct iphdr *) (icmph + 1);
1717
1718 #ifdef CONFIG_IP_MASQUERADE_ICMP
1719 if (ciph->protocol == IPPROTO_ICMP) {
1720 /*
1721 * This section handles ICMP errors for ICMP packets
1722 *
1723 * First get a new ICMP header structure out of the IP packet
1724 */
1725 struct icmphdr *cicmph = (struct icmphdr *)((char *)ciph +
1726 (ciph->ihl<<2));
1727
1728
1729 IP_MASQ_DEBUG(2, "rv icmp/icmp rcv %lX->%lX id %d type %d\n",
1730 ntohl(ciph->saddr),
1731 ntohl(ciph->daddr),
1732 ntohs(icmp_id(cicmph)),
1733 cicmph->type);
1734
1735 read_lock(&__ip_masq_lock);
1736 ms = __ip_masq_in_get(ciph->protocol,
1737 ciph->daddr,
1738 icmp_hv_req(cicmph),
1739 ciph->saddr,
1740 icmp_id(cicmph));
1741 read_unlock(&__ip_masq_lock);
1742
1743 if (ms == NULL)
1744 return 0;
1745
1746 if ((skb=masq_skb_cow(skb_p, &iph, (unsigned char**)&icmph)) == NULL) {
1747 __ip_masq_put(ms);
1748 return -1;
1749 }
1750 ciph = (struct iphdr *) (icmph + 1);
1751 cicmph = (struct icmphdr *)((char *)ciph +
1752 (ciph->ihl<<2));
1753 /* Now we do real damage to this packet...! */
1754 /* First change the dest IP address, and recalc checksum */
1755 iph->daddr = ms->saddr;
1756 ip_send_check(iph);
1757
1758 /* Now change the *source* address in the contained IP */
1759 ciph->saddr = ms->saddr;
1760 ip_send_check(ciph);
1761
1762 /* Change the ID to the original one! */
1763 (cicmph->un).echo.id = ms->sport;
1764 __ip_masq_put(ms);
1765
1766 /* And finally the ICMP checksum */
1767 icmph->checksum = 0;
1768 icmph->checksum = ip_compute_csum((unsigned char *) icmph, len);
1769
1770
1771 IP_MASQ_DEBUG(2, "rv icmp/icmp rwt %lX->%lX id %d type %d\n",
1772 ntohl(ciph->saddr),
1773 ntohl(ciph->daddr),
1774 ntohs(icmp_id(cicmph)),
1775 cicmph->type);
1776
1777 return 1;
1778 }
1779 #endif /* CONFIG_IP_MASQUERADE_ICMP */
1780
1781 /* We are only interested ICMPs generated from TCP or UDP packets */
1782 if ((ciph->protocol != IPPROTO_UDP) &&
1783 (ciph->protocol != IPPROTO_TCP))
1784 return 0;
1785
1786 /*
1787 * Find the ports involved - remember this packet was
1788 * *outgoing* so the ports are reversed (and addresses)
1789 */
1790 pptr = (__u16 *)&(((char *)ciph)[ciph->ihl*4]);
1791 if (ntohs(pptr[0]) < PORT_MASQ_BEGIN ||
1792 ntohs(pptr[0]) > PORT_MASQ_END)
1793 return 0;
1794
1795 /* Ensure the checksum is correct */
1796 if (ip_compute_csum((unsigned char *) icmph, len))
1797 {
1798 /* Failed checksum! */
1799 IP_MASQ_ERR( "reverse ICMP: failed checksum from %d.%d.%d.%d!\n",
1800 NIPQUAD(iph->saddr));
1801 return(-1);
1802 }
1803
1804
1805 IP_MASQ_DEBUG(2, "Handling reverse ICMP for %08lX:%04X -> %08lX:%04X\n",
1806 ntohl(ciph->saddr), ntohs(pptr[0]),
1807 ntohl(ciph->daddr), ntohs(pptr[1]));
1808
1809
1810 /* This is pretty much what __ip_masq_in_get_iph() does, except params are wrong way round */
1811 read_lock(&__ip_masq_lock);
1812 ms = __ip_masq_in_get(ciph->protocol,
1813 ciph->daddr,
1814 pptr[1],
1815 ciph->saddr,
1816 pptr[0]);
1817 read_unlock(&__ip_masq_lock);
1818
1819 if (ms == NULL)
1820 return 0;
1821
1822 if ((skb=masq_skb_cow(skb_p, &iph, (unsigned char**)&icmph)) == NULL) {
1823 __ip_masq_put(ms);
1824 return -1;
1825 }
1826 ciph = (struct iphdr *) (icmph + 1);
1827 pptr = (__u16 *)&(((char *)ciph)[ciph->ihl*4]);
1828
1829 /* Now we do real damage to this packet...! */
1830 /* First change the dest IP address, and recalc checksum */
1831 iph->daddr = ms->saddr;
1832 ip_send_check(iph);
1833
1834 /* Now change the *source* address in the contained IP */
1835 ciph->saddr = ms->saddr;
1836 ip_send_check(ciph);
1837
1838 /* the TCP/UDP source port - cannot redo check */
1839 pptr[0] = ms->sport;
1840 __ip_masq_put(ms);
1841
1842 /* And finally the ICMP checksum */
1843 icmph->checksum = 0;
1844 icmph->checksum = ip_compute_csum((unsigned char *) icmph, len);
1845
1846
1847 IP_MASQ_DEBUG(2, "Rewrote reverse ICMP to %08lX:%04X -> %08lX:%04X\n",
1848 ntohl(ciph->saddr), ntohs(pptr[0]),
1849 ntohl(ciph->daddr), ntohs(pptr[1]));
1850
1851
1852 return 1;
1853 }
1854
1855 /*
1856 * Check if it's an masqueraded port, look it up,
1857 * and send it on its way...
1858 *
1859 * Better not have many hosts using the designated portrange
1860 * as 'normal' ports, or you'll be spending many time in
1861 * this function.
1862 */
1863
1864 int ip_fw_demasquerade(struct sk_buff **skb_p)
1865 {
1866 struct sk_buff *skb = *skb_p;
1867 struct iphdr *iph = skb->nh.iph;
1868 union ip_masq_tphdr h;
1869 struct ip_masq *ms;
1870 unsigned short size;
1871 int doff = 0;
1872 int csum = 0;
1873 int csum_ok = 0;
1874 __u32 maddr;
1875
1876 /*
1877 * Big tappo: only PACKET_HOST (nor loopback neither mcasts)
1878 * ... don't know why 1st test DOES NOT include 2nd (?)
1879 */
1880
1881 if (skb->pkt_type != PACKET_HOST || skb->dev == &loopback_dev) {
1882 IP_MASQ_DEBUG(2, "ip_fw_demasquerade(): packet type=%d proto=%d daddr=%d.%d.%d.%d ignored\n",
1883 skb->pkt_type,
1884 iph->protocol,
1885 NIPQUAD(iph->daddr));
1886 return 0;
1887 }
1888
1889 h.raw = (char*) iph + iph->ihl * 4;
1890
1891 /*
1892 * IP payload size
1893 */
1894 size = ntohs(iph->tot_len) - (iph->ihl * 4);
1895
1896 doff = proto_doff(iph->protocol, h.raw, size);
1897
1898 switch (doff) {
1899 case 0:
1900 /*
1901 * Input path: other IP protos Ok, will
1902 * reach local sockets path.
1903 */
1904 return 0;
1905 case -1:
1906 IP_MASQ_DEBUG(0, "I-pkt invalid packet data size\n");
1907 return -1;
1908 }
1909
1910 maddr = iph->daddr;
1911 switch (iph->protocol) {
1912 case IPPROTO_ICMP:
1913 return(ip_fw_demasq_icmp(skb_p));
1914 case IPPROTO_TCP:
1915 case IPPROTO_UDP:
1916 /*
1917 * Make sure packet is in the masq range
1918 * ... or some mod-ule relaxes input range
1919 * ... or there is still some `special' mport opened
1920 */
1921 if ((ntohs(h.portp[1]) < PORT_MASQ_BEGIN
1922 || ntohs(h.portp[1]) > PORT_MASQ_END)
1923 #ifdef CONFIG_IP_MASQUERADE_MOD
1924 && (ip_masq_mod_in_rule(skb, iph) != 1)
1925 #endif
1926 && atomic_read(&mport_count) == 0 )
1927 return 0;
1928
1929 /* Check that the checksum is OK */
1930 if ((iph->protocol == IPPROTO_UDP) && (h.uh->check == 0))
1931 /* No UDP checksum */
1932 break;
1933 #ifdef CONFIG_IP_MASQ_DEBUG
1934 if (ip_masq_get_debug_level() > 3) {
1935 skb->ip_summed = CHECKSUM_NONE;
1936 }
1937 #endif
1938
1939 switch (skb->ip_summed)
1940 {
1941 case CHECKSUM_NONE:
1942 csum = csum_partial(h.raw + doff, size - doff, 0);
1943 csum_ok++;
1944 skb->csum = csum_partial(h.raw , doff, csum);
1945
1946 case CHECKSUM_HW:
1947 if (csum_tcpudp_magic(iph->saddr, iph->daddr,
1948 size, iph->protocol, skb->csum))
1949 {
1950 IP_MASQ_DEBUG(0, "Incoming failed %s checksum from %d.%d.%d.%d (size=%d)!\n",
1951 masq_proto_name(iph->protocol),
1952 NIPQUAD(iph->saddr),
1953 size);
1954 return -1;
1955 }
1956 default:
1957 /* CHECKSUM_UNNECESSARY */
1958 }
1959 break;
1960 default:
1961 return 0;
1962 }
1963
1964
1965
1966 IP_MASQ_DEBUG(2, "Incoming %s %08lX:%04X -> %08lX:%04X\n",
1967 masq_proto_name(iph->protocol),
1968 ntohl(iph->saddr), ntohs(h.portp[0]),
1969 ntohl(iph->daddr), ntohs(h.portp[1]));
1970
1971 /*
1972 * reroute to original host:port if found...
1973 */
1974
1975 ms = ip_masq_in_get_iph(iph);
1976
1977 /*
1978 * Give additional modules a chance to create an entry
1979 */
1980 #ifdef CONFIG_IP_MASQUERADE_MOD
1981 if (!ms)
1982 ms = ip_masq_mod_in_create(skb, iph, maddr);
1983
1984 /*
1985 * Call module's input update hook
1986 */
1987 ip_masq_mod_in_update(skb, iph, ms);
1988 #endif
1989
1990
1991 if (ms != NULL)
1992 {
1993
1994 /*
1995 * got reply, so clear flag
1996 */
1997 ms->flags &= ~IP_MASQ_F_NO_REPLY;
1998
1999 /*
2000 * Set daddr,dport if not defined yet
2001 * and tunnel is not setup as "dest loose"
2002 */
2003
2004 if (ms->flags & IP_MASQ_F_DLOOSE) {
2005 /*
2006 * update dest loose values
2007 */
2008 ms->dport = h.portp[0];
2009 ms->daddr = iph->saddr;
2010 } else {
2011 if ( ms->flags & IP_MASQ_F_NO_DPORT ) { /* && ms->protocol == IPPROTO_TCP ) { */
2012 ms->flags &= ~IP_MASQ_F_NO_DPORT;
2013 ms->dport = h.portp[0];
2014
2015 IP_MASQ_DEBUG(1, "ip_fw_demasquerade(): filled dport=%d\n",
2016 ntohs(ms->dport));
2017
2018 }
2019 if (ms->flags & IP_MASQ_F_NO_DADDR ) { /* && ms->protocol == IPPROTO_TCP) { */
2020 ms->flags &= ~IP_MASQ_F_NO_DADDR;
2021 ms->daddr = iph->saddr;
2022
2023 IP_MASQ_DEBUG(1, "ip_fw_demasquerade(): filled daddr=%lX\n",
2024 ntohl(ms->daddr));
2025
2026 }
2027 }
2028 if ((skb=masq_skb_cow(skb_p, &iph, &h.raw)) == NULL) {
2029 ip_masq_put(ms);
2030 return -1;
2031 }
2032 iph->daddr = ms->saddr;
2033 h.portp[1] = ms->sport;
2034
2035 /*
2036 * Invalidate csum saving if tunnel has masq helper
2037 */
2038
2039 if (ms->app)
2040 csum_ok = 0;
2041
2042 /*
2043 * Attempt ip_masq_app call.
2044 * will fix ip_masq and iph ack_seq stuff
2045 */
2046
2047 if (ip_masq_app_pkt_in(ms, skb_p, maddr) != 0)
2048 {
2049 /*
2050 * skb has changed, update pointers.
2051 */
2052
2053 skb = *skb_p;
2054 iph = skb->nh.iph;
2055 h.raw = (char*) iph + iph->ihl*4;
2056 size = ntohs(iph->tot_len) - (iph->ihl * 4);
2057 }
2058
2059 /*
2060 * Yug! adjust UDP/TCP checksums
2061 */
2062
2063 /*
2064 * Transport's payload partial csum
2065 */
2066
2067 if (!csum_ok) {
2068 csum = csum_partial(h.raw + doff, size - doff, 0);
2069 }
2070 skb->csum = csum;
2071
2072 /*
2073 * Protocol csum
2074 */
2075 switch (iph->protocol) {
2076 case IPPROTO_TCP:
2077 h.th->check = 0;
2078 h.th->check=csum_tcpudp_magic(iph->saddr, iph->daddr,
2079 size, iph->protocol,
2080 csum_partial(h.raw , doff, csum));
2081 break;
2082 case IPPROTO_UDP:
2083 h.uh->check = 0;
2084 h.uh->check=csum_tcpudp_magic(iph->saddr, iph->daddr,
2085 size, iph->protocol,
2086 csum_partial(h.raw , doff, csum));
2087 if (h.uh->check == 0)
2088 h.uh->check = 0xFFFF;
2089 break;
2090 }
2091 ip_send_check(iph);
2092
2093 IP_MASQ_DEBUG(2, "I-routed to %08lX:%04X\n",ntohl(iph->daddr),ntohs(h.portp[1]));
2094
2095 masq_set_state (ms, 0, iph, h.portp);
2096 ip_masq_put(ms);
2097
2098 return 1;
2099 }
2100
2101 /* sorry, all this trouble for a no-hit :) */
2102 return 0;
2103 }
2104
2105
2106 void ip_masq_control_add(struct ip_masq *ms, struct ip_masq* ctl_ms)
2107 {
2108 if (ms->control) {
2109 IP_MASQ_ERR( "request control ADD for already controlled: %d.%d.%d.%d:%d to %d.%d.%d.%d:%d\n",
2110 NIPQUAD(ms->saddr),ntohs(ms->sport),
2111 NIPQUAD(ms->daddr),ntohs(ms->dport));
2112 ip_masq_control_del(ms);
2113 }
2114 IP_MASQ_DEBUG(1, "ADDing control for: ms.dst=%d.%d.%d.%d:%d ctl_ms.dst=%d.%d.%d.%d:%d\n",
2115 NIPQUAD(ms->daddr),ntohs(ms->dport),
2116 NIPQUAD(ctl_ms->daddr),ntohs(ctl_ms->dport));
2117 ms->control = ctl_ms;
2118 atomic_inc(&ctl_ms->n_control);
2119 }
2120
2121 void ip_masq_control_del(struct ip_masq *ms)
2122 {
2123 struct ip_masq *ctl_ms = ms->control;
2124 if (!ctl_ms) {
2125 IP_MASQ_ERR( "request control DEL for uncontrolled: %d.%d.%d.%d:%d to %d.%d.%d.%d:%d\n",
2126 NIPQUAD(ms->saddr),ntohs(ms->sport),
2127 NIPQUAD(ms->daddr),ntohs(ms->dport));
2128 return;
2129 }
2130 IP_MASQ_DEBUG(1, "DELeting control for: ms.dst=%d.%d.%d.%d:%d ctl_ms.dst=%d.%d.%d.%d:%d\n",
2131 NIPQUAD(ms->daddr),ntohs(ms->dport),
2132 NIPQUAD(ctl_ms->daddr),ntohs(ctl_ms->dport));
2133 ms->control = NULL;
2134 if (atomic_read(&ctl_ms->n_control) == 0) {
2135 IP_MASQ_ERR( "BUG control DEL with n=0 : %d.%d.%d.%d:%d to %d.%d.%d.%d:%d\n",
2136 NIPQUAD(ms->saddr),ntohs(ms->sport),
2137 NIPQUAD(ms->daddr),ntohs(ms->dport));
2138 return;
2139
2140 }
2141 atomic_dec(&ctl_ms->n_control);
2142 }
2143
2144 struct ip_masq * ip_masq_control_get(struct ip_masq *ms)
2145 {
2146 return ms->control;
2147 }
2148
2149
2150 #ifdef CONFIG_PROC_FS
2151 /*
2152 * /proc/net entries
2153 * From userspace
2154 */
2155 static int ip_msqhst_procinfo(char *buffer, char **start, off_t offset,
2156 int length, int unused)
2157 {
2158 off_t pos=0, begin;
2159 struct ip_masq *ms;
2160 char temp[129];
2161 int idx = 0;
2162 int len=0;
2163
2164
2165 if (offset < 128)
2166 {
2167 sprintf(temp,
2168 "Prc FromIP FPrt ToIP TPrt Masq Init-seq Delta PDelta Expires (free=%d,%d,%d)",
2169 atomic_read(ip_masq_free_ports),
2170 atomic_read(ip_masq_free_ports+1),
2171 atomic_read(ip_masq_free_ports+2));
2172 len = sprintf(buffer, "%-127s\n", temp);
2173 }
2174 pos = 128;
2175
2176 for(idx = 0; idx < IP_MASQ_TAB_SIZE; idx++)
2177 {
2178 /*
2179 * Lock is actually only need in next loop
2180 * we are called from uspace: must stop bh.
2181 */
2182 read_lock_bh(&__ip_masq_lock);
2183
2184 for(ms = ip_masq_m_tab[idx]; ms ; ms = ms->m_link)
2185 {
2186 pos += 128;
2187 if (pos <= offset) {
2188 len = 0;
2189 continue;
2190 }
2191
2192 /*
2193 * We have locked the tables, no need to del/add timers
2194 * nor cli() 8)
2195 */
2196
2197 sprintf(temp,"%s %08lX:%04X %08lX:%04X %04X %08X %6d %6d %7lu",
2198 masq_proto_name(ms->protocol),
2199 ntohl(ms->saddr), ntohs(ms->sport),
2200 ntohl(ms->daddr), ntohs(ms->dport),
2201 ntohs(ms->mport),
2202 ms->out_seq.init_seq,
2203 ms->out_seq.delta,
2204 ms->out_seq.previous_delta,
2205 ms->timer.expires-jiffies);
2206 len += sprintf(buffer+len, "%-127s\n", temp);
2207
2208 if(len >= length) {
2209
2210 read_unlock_bh(&__ip_masq_lock);
2211 goto done;
2212 }
2213 }
2214 read_unlock_bh(&__ip_masq_lock);
2215
2216 }
2217 done:
2218
2219
2220 begin = len - (pos - offset);
2221 *start = buffer + begin;
2222 len -= begin;
2223 if(len>length)
2224 len = length;
2225 return len;
2226 }
2227
2228 #endif
2229
2230 /*
2231 * Timeouts handling by ipfwadm/ipchains
2232 * From ip_fw.c
2233 */
2234
2235 int ip_fw_masq_timeouts(void *m, int len)
2236 {
2237 struct ip_fw_masq *masq;
2238 int ret = EINVAL;
2239
2240 if (len != sizeof(struct ip_fw_masq)) {
2241 IP_MASQ_DEBUG(1, "ip_fw_masq_timeouts: length %d, expected %d\n",
2242 len, sizeof(struct ip_fw_masq));
2243 } else {
2244 masq = (struct ip_fw_masq *)m;
2245 if (masq->tcp_timeout)
2246 masq_timeout_table.timeout[IP_MASQ_S_ESTABLISHED]
2247 = masq->tcp_timeout;
2248
2249 if (masq->tcp_fin_timeout)
2250 masq_timeout_table.timeout[IP_MASQ_S_FIN_WAIT]
2251 = masq->tcp_fin_timeout;
2252
2253 if (masq->udp_timeout)
2254 masq_timeout_table.timeout[IP_MASQ_S_UDP]
2255 = masq->udp_timeout;
2256 ret = 0;
2257 }
2258 return ret;
2259 }
2260 /*
2261 * Module autoloading stuff
2262 */
2263
2264 static int ip_masq_user_check_hook(void) {
2265 #ifdef CONFIG_KMOD
2266 if (ip_masq_user_hook == NULL) {
2267 IP_MASQ_DEBUG(1, "About to request \"ip_masq_user\" module\n");
2268 request_module("ip_masq_user");
2269 }
2270 #endif /* CONFIG_KMOD */
2271 return (ip_masq_user_hook != NULL);
2272 }
2273
2274 /*
2275 * user module hook- info
2276 */
2277 static int ip_masq_user_info(char *buffer, char **start, off_t offset,
2278 int len, int *eof, void *data)
2279 {
2280 int ret = -ENOPKG;
2281 if (ip_masq_user_check_hook()) {
2282 ret = ip_masq_user_hook->info(buffer, start, offset, len, (int) data);
2283 }
2284 return ret;
2285 }
2286
2287 /*
2288 * user module hook- entry mgmt
2289 */
2290 static int ip_masq_user_ctl(int optname, void *arg, int arglen)
2291 {
2292 int ret = -ENOPKG;
2293 if (ip_masq_user_check_hook()) {
2294 ret = ip_masq_user_hook->ctl(optname, arg, arglen);
2295 }
2296 return ret;
2297 }
2298
2299 /*
2300 * Control from ip_sockglue
2301 * MAIN ENTRY point from userspace (apart from /proc *info entries)
2302 * Returns errno
2303 */
2304 int ip_masq_uctl(int optname, char * optval , int optlen)
2305 {
2306 struct ip_masq_ctl masq_ctl;
2307 int ret = -EINVAL;
2308
2309 if(optlen>sizeof(masq_ctl))
2310 return -EINVAL;
2311
2312 if(copy_from_user(&masq_ctl,optval,optlen))
2313 return -EFAULT;
2314
2315 IP_MASQ_DEBUG(1,"ip_masq_ctl(optname=%d, optlen=%d, target=%d, cmd=%d)\n",
2316 optname, optlen, masq_ctl.m_target, masq_ctl.m_cmd);
2317
2318 switch (masq_ctl.m_target) {
2319 case IP_MASQ_TARGET_USER:
2320 ret = ip_masq_user_ctl(optname, &masq_ctl, optlen);
2321 break;
2322 #ifdef CONFIG_IP_MASQUERADE_MOD
2323 case IP_MASQ_TARGET_MOD:
2324 ret = ip_masq_mod_ctl(optname, &masq_ctl, optlen);
2325 break;
2326 #endif
2327 }
2328
2329 /*
2330 * If ret>0, copy to user space
2331 */
2332
2333 if (ret > 0 && ret <= sizeof (masq_ctl)) {
2334 if (copy_to_user(optval, &masq_ctl, ret) )
2335 return -EFAULT;
2336 ret = 0;
2337 }
2338
2339 return ret;
2340 }
2341
2342 #ifdef CONFIG_PROC_FS
2343 static struct proc_dir_entry *proc_net_ip_masq = NULL;
2344
2345 #ifdef MODULE
2346 static void ip_masq_proc_count(struct inode *inode, int fill)
2347 {
2348 if (fill)
2349 MOD_INC_USE_COUNT;
2350 else
2351 MOD_DEC_USE_COUNT;
2352 }
2353 #endif
2354
2355 int ip_masq_proc_register(struct proc_dir_entry *ent)
2356 {
2357 if (!proc_net_ip_masq) return -1;
2358 IP_MASQ_DEBUG(1, "registering \"/proc/net/ip_masq/%s\" entry\n",
2359 ent->name);
2360 return proc_register(proc_net_ip_masq, ent);
2361 }
2362 void ip_masq_proc_unregister(struct proc_dir_entry *ent)
2363 {
2364 if (!proc_net_ip_masq) return;
2365 IP_MASQ_DEBUG(1, "unregistering \"/proc/net/ip_masq/%s\" entry\n",
2366 ent->name);
2367 proc_unregister(proc_net_ip_masq, ent->low_ino);
2368 }
2369
2370
2371 __initfunc(static void masq_proc_init(void))
2372 {
2373 IP_MASQ_DEBUG(1,"registering /proc/net/ip_masq\n");
2374 if (!proc_net_ip_masq) {
2375 struct proc_dir_entry *ent;
2376 ent = create_proc_entry("net/ip_masq", S_IFDIR, 0);
2377 if (ent) {
2378 #ifdef MODULE
2379 ent->fill_inode = ip_masq_proc_count;
2380 #endif
2381 proc_net_ip_masq = ent;
2382 } else {
2383 IP_MASQ_ERR("Could not create \"/proc/net/ip_masq\" entry\n");
2384 }
2385 }
2386 }
2387 #endif /* CONFIG_PROC_FS */
2388 /*
2389 * Wrapper over inet_select_addr()
2390 */
2391 u32 ip_masq_select_addr(struct device *dev, u32 dst, int scope)
2392 {
2393 return inet_select_addr(dev, dst, scope);
2394 }
2395
2396 /*
2397 * Initialize ip masquerading
2398 */
2399 __initfunc(int ip_masq_init(void))
2400 {
2401 #ifdef CONFIG_PROC_FS
2402 proc_net_register(&(struct proc_dir_entry) {
2403 PROC_NET_IPMSQHST, 13, "ip_masquerade",
2404 S_IFREG | S_IRUGO, 1, 0, 0,
2405 0, &proc_net_inode_operations,
2406 ip_msqhst_procinfo
2407 });
2408 masq_proc_init();
2409
2410 ip_masq_proc_register(&(struct proc_dir_entry) {
2411 0, 3, "tcp",
2412 S_IFREG | S_IRUGO, 1, 0, 0,
2413 0, &proc_net_inode_operations,
2414 NULL, /* get_info */
2415 NULL, /* fill_inode */
2416 NULL, NULL, NULL,
2417 (char *) IPPROTO_TCP,
2418 ip_masq_user_info
2419 });
2420 ip_masq_proc_register(&(struct proc_dir_entry) {
2421 0, 3, "udp",
2422 S_IFREG | S_IRUGO, 1, 0, 0,
2423 0, &proc_net_inode_operations,
2424 NULL, /* get_info */
2425 NULL, /* fill_inode */
2426 NULL, NULL, NULL,
2427 (char *) IPPROTO_UDP,
2428 ip_masq_user_info
2429 });
2430 ip_masq_proc_register(&(struct proc_dir_entry) {
2431 0, 4, "icmp",
2432 S_IFREG | S_IRUGO, 1, 0, 0,
2433 0, &proc_net_inode_operations,
2434 NULL, /* get_info */
2435 NULL, /* fill_inode */
2436 NULL, NULL, NULL,
2437 (char *) IPPROTO_ICMP,
2438 ip_masq_user_info
2439 });
2440 #endif
2441 #ifdef CONFIG_IP_MASQUERADE_IPAUTOFW
2442 ip_autofw_init();
2443 #endif
2444 #ifdef CONFIG_IP_MASQUERADE_IPPORTFW
2445 ip_portfw_init();
2446 #endif
2447 #ifdef CONFIG_IP_MASQUERADE_MFW
2448 ip_mfw_init();
2449 #endif
2450 ip_masq_app_init();
2451
2452 return 0;
2453 }
Copy of Dave Jones history.git as used by http://archive.org/details/git-history-of-linux