search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
initial commit with v2.6.9
[linux-2.6.9-moxart.git] / net / ipv4 / netfilter / ip_fw_compat_redir.c
blob7f68c1ed5a87c7636a728bbb974e372e97f4865e
1 /* This is a file to handle the "simple" NAT cases (redirect and
2 masquerade) required for the compatibility layer.
3
4 `bind to foreign address' and `getpeername' hacks are not
5 supported.
6
7 FIXME: Timing is overly simplistic. If anyone complains, make it
8 use conntrack.
9 */
10
11 /* (C) 1999-2001 Paul `Rusty' Russell
12 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2 as
16 * published by the Free Software Foundation.
17 */
18
19 #include <linux/config.h>
20 #include <linux/netfilter.h>
21 #include <linux/ip.h>
22 #include <linux/udp.h>
23 #include <linux/tcp.h>
24 #include <net/checksum.h>
25 #include <net/ip.h>
26 #include <linux/timer.h>
27 #include <linux/netdevice.h>
28 #include <linux/if.h>
29 #include <linux/in.h>
30
31 #include <linux/netfilter_ipv4/lockhelp.h>
32
33 /* Very simple timeout pushed back by each packet */
34 #define REDIR_TIMEOUT (240*HZ)
35
36 static DECLARE_LOCK(redir_lock);
37 #define ASSERT_READ_LOCK(x) MUST_BE_LOCKED(&redir_lock)
38 #define ASSERT_WRITE_LOCK(x) MUST_BE_LOCKED(&redir_lock)
39
40 #include <linux/netfilter_ipv4/listhelp.h>
41 #include "ip_fw_compat.h"
42
43 #if 0
44 #define DEBUGP printk
45 #else
46 #define DEBUGP(format, args...)
47 #endif
48
49 #ifdef CONFIG_NETFILTER_DEBUG
50 #define IP_NF_ASSERT(x) \
51 do { \
52 if (!(x)) \
53 /* Wooah! I'm tripping my conntrack in a frenzy of \
54 netplay... */ \
55 printk("ASSERT: %s:%i(%s)\n", \
56 __FILE__, __LINE__, __FUNCTION__); \
57 } while(0)
58 #else
59 #define IP_NF_ASSERT(x)
60 #endif
61
62 static u_int16_t
63 cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
64 {
65 u_int32_t diffs[] = { oldvalinv, newval };
66 return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
67 oldcheck^0xFFFF));
68 }
69
70 struct redir_core {
71 u_int32_t orig_srcip, orig_dstip;
72 u_int16_t orig_sport, orig_dport;
73
74 u_int32_t new_dstip;
75 u_int16_t new_dport;
76 };
77
78 struct redir
79 {
80 struct list_head list;
81 struct redir_core core;
82 struct timer_list destroyme;
83 };
84
85 static LIST_HEAD(redirs);
86
87 static int
88 redir_cmp(const struct redir *i,
89 u_int32_t orig_srcip, u_int32_t orig_dstip,
90 u_int16_t orig_sport, u_int16_t orig_dport)
91 {
92 return (i->core.orig_srcip == orig_srcip
93 && i->core.orig_dstip == orig_dstip
94 && i->core.orig_sport == orig_sport
95 && i->core.orig_dport == orig_dport);
96 }
97
98 /* Search for an existing redirection of the TCP packet. */
99 static struct redir *
100 find_redir(u_int32_t orig_srcip, u_int32_t orig_dstip,
101 u_int16_t orig_sport, u_int16_t orig_dport)
102 {
103 return LIST_FIND(&redirs, redir_cmp, struct redir *,
104 orig_srcip, orig_dstip, orig_sport, orig_dport);
105 }
106
107 static void do_tcp_redir(struct sk_buff *skb, struct redir *redir)
108 {
109 struct iphdr *iph = skb->nh.iph;
110 struct tcphdr *tcph = (struct tcphdr *)((u_int32_t *)iph
111 + iph->ihl);
112
113 tcph->check = cheat_check(~redir->core.orig_dstip,
114 redir->core.new_dstip,
115 cheat_check(redir->core.orig_dport ^ 0xFFFF,
116 redir->core.new_dport,
117 tcph->check));
118 iph->check = cheat_check(~redir->core.orig_dstip,
119 redir->core.new_dstip, iph->check);
120 tcph->dest = redir->core.new_dport;
121 iph->daddr = redir->core.new_dstip;
122
123 skb->nfcache |= NFC_ALTERED;
124 }
125
126 static int
127 unredir_cmp(const struct redir *i,
128 u_int32_t new_dstip, u_int32_t orig_srcip,
129 u_int16_t new_dport, u_int16_t orig_sport)
130 {
131 return (i->core.orig_srcip == orig_srcip
132 && i->core.new_dstip == new_dstip
133 && i->core.orig_sport == orig_sport
134 && i->core.new_dport == new_dport);
135 }
136
137 /* Match reply packet against redir */
138 static struct redir *
139 find_unredir(u_int32_t new_dstip, u_int32_t orig_srcip,
140 u_int16_t new_dport, u_int16_t orig_sport)
141 {
142 return LIST_FIND(&redirs, unredir_cmp, struct redir *,
143 new_dstip, orig_srcip, new_dport, orig_sport);
144 }
145
146 /* `unredir' a reply packet. */
147 static void do_tcp_unredir(struct sk_buff *skb, struct redir *redir)
148 {
149 struct iphdr *iph = skb->nh.iph;
150 struct tcphdr *tcph = (struct tcphdr *)((u_int32_t *)iph
151 + iph->ihl);
152
153 tcph->check = cheat_check(~redir->core.new_dstip,
154 redir->core.orig_dstip,
155 cheat_check(redir->core.new_dport ^ 0xFFFF,
156 redir->core.orig_dport,
157 tcph->check));
158 iph->check = cheat_check(~redir->core.new_dstip,
159 redir->core.orig_dstip,
160 iph->check);
161 tcph->source = redir->core.orig_dport;
162 iph->saddr = redir->core.orig_dstip;
163
164 skb->nfcache |= NFC_ALTERED;
165 }
166
167 static void destroyme(unsigned long me)
168 {
169 LOCK_BH(&redir_lock);
170 LIST_DELETE(&redirs, (struct redir *)me);
171 UNLOCK_BH(&redir_lock);
172 kfree((struct redir *)me);
173 }
174
175 /* REDIRECT a packet. */
176 unsigned int
177 do_redirect(struct sk_buff *skb,
178 const struct net_device *dev,
179 u_int16_t redirpt)
180 {
181 struct iphdr *iph = skb->nh.iph;
182 u_int32_t newdst;
183
184 /* Figure out address: not loopback. */
185 if (!dev)
186 return NF_DROP;
187
188 /* Grab first address on interface. */
189 newdst = ((struct in_device *)dev->ip_ptr)->ifa_list->ifa_local;
190
191 switch (iph->protocol) {
192 case IPPROTO_UDP: {
193 /* Simple mangle. */
194 struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph
195 + iph->ihl);
196
197 /* Must have whole header */
198 if (skb->len < iph->ihl*4 + sizeof(*udph))
199 return NF_DROP;
200
201 if (udph->check) /* 0 is a special case meaning no checksum */
202 udph->check = cheat_check(~iph->daddr, newdst,
203 cheat_check(udph->dest ^ 0xFFFF,
204 redirpt,
205 udph->check));
206 iph->check = cheat_check(~iph->daddr, newdst, iph->check);
207 udph->dest = redirpt;
208 iph->daddr = newdst;
209
210 skb->nfcache |= NFC_ALTERED;
211 return NF_ACCEPT;
212 }
213 case IPPROTO_TCP: {
214 /* Mangle, maybe record. */
215 struct tcphdr *tcph = (struct tcphdr *)((u_int32_t *)iph
216 + iph->ihl);
217 struct redir *redir;
218 int ret;
219
220 /* Must have whole header */
221 if (skb->len < iph->ihl*4 + sizeof(*tcph))
222 return NF_DROP;
223
224 DEBUGP("Doing tcp redirect. %08X:%u %08X:%u -> %08X:%u\n",
225 iph->saddr, tcph->source, iph->daddr, tcph->dest,
226 newdst, redirpt);
227 LOCK_BH(&redir_lock);
228 redir = find_redir(iph->saddr, iph->daddr,
229 tcph->source, tcph->dest);
230
231 if (!redir) {
232 redir = kmalloc(sizeof(struct redir), GFP_ATOMIC);
233 if (!redir) {
234 ret = NF_DROP;
235 goto out;
236 }
237 list_prepend(&redirs, redir);
238 init_timer(&redir->destroyme);
239 redir->destroyme.function = destroyme;
240 redir->destroyme.data = (unsigned long)redir;
241 redir->destroyme.expires = jiffies + REDIR_TIMEOUT;
242 add_timer(&redir->destroyme);
243 }
244 /* In case mangling has changed, rewrite this part. */
245 redir->core = ((struct redir_core)
246 { iph->saddr, iph->daddr,
247 tcph->source, tcph->dest,
248 newdst, redirpt });
249 do_tcp_redir(skb, redir);
250 ret = NF_ACCEPT;
251
252 out:
253 UNLOCK_BH(&redir_lock);
254 return ret;
255 }
256
257 default: /* give up if not TCP or UDP. */
258 return NF_DROP;
259 }
260 }
261
262 /* Incoming packet: is it a reply to a masqueraded connection, or
263 part of an already-redirected TCP connection? */
264 void
265 check_for_redirect(struct sk_buff *skb)
266 {
267 struct iphdr *iph = skb->nh.iph;
268 struct tcphdr *tcph = (struct tcphdr *)((u_int32_t *)iph
269 + iph->ihl);
270 struct redir *redir;
271
272 if (iph->protocol != IPPROTO_TCP)
273 return;
274
275 /* Must have whole header */
276 if (skb->len < iph->ihl*4 + sizeof(*tcph))
277 return;
278
279 LOCK_BH(&redir_lock);
280 redir = find_redir(iph->saddr, iph->daddr, tcph->source, tcph->dest);
281 if (redir) {
282 DEBUGP("Doing tcp redirect again.\n");
283 do_tcp_redir(skb, redir);
284 if (del_timer(&redir->destroyme)) {
285 redir->destroyme.expires = jiffies + REDIR_TIMEOUT;
286 add_timer(&redir->destroyme);
287 }
288 }
289 UNLOCK_BH(&redir_lock);
290 }
291
292 void
293 check_for_unredirect(struct sk_buff *skb)
294 {
295 struct iphdr *iph = skb->nh.iph;
296 struct tcphdr *tcph = (struct tcphdr *)((u_int32_t *)iph
297 + iph->ihl);
298 struct redir *redir;
299
300 if (iph->protocol != IPPROTO_TCP)
301 return;
302
303 /* Must have whole header */
304 if (skb->len < iph->ihl*4 + sizeof(*tcph))
305 return;
306
307 LOCK_BH(&redir_lock);
308 redir = find_unredir(iph->saddr, iph->daddr, tcph->source, tcph->dest);
309 if (redir) {
310 DEBUGP("Doing tcp unredirect.\n");
311 do_tcp_unredir(skb, redir);
312 if (del_timer(&redir->destroyme)) {
313 redir->destroyme.expires = jiffies + REDIR_TIMEOUT;
314 add_timer(&redir->destroyme);
315 }
316 }
317 UNLOCK_BH(&redir_lock);
318 }
MOXA 2.6.9 from sdlinux-moxaart.tgz