33 #include <linux/module.h>
34 #include <linux/moduleparam.h>
35 #include <linux/types.h>
36 #include <linux/kernel.h>
37 #include <linux/in.h>
38 #include <linux/ip.h>
39 #include <linux/udp.h>
40 #include <net/checksum.h>
41 #include <net/udp.h>
42
43 #include <net/netfilter/nf_nat.h>
44 #include <net/netfilter/nf_conntrack_expect.h>
45 #include <net/netfilter/nf_conntrack_helper.h>
46 #include <linux/netfilter/nf_conntrack_snmp.h>
47 #include "nf_nat_snmp_basic.asn1.h"
48
/* Module metadata; the "ip_nat_snmp_basic" alias keeps the older module name loadable. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");
MODULE_ALIAS_NFCT_HELPER("snmp_trap");
54
/* UDP ports: 161 is the SNMP agent port, 162 receives traps. */
#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162
57
58 static DEFINE_SPINLOCK(snmp_lock);
59
/*
 * State passed to the ASN.1 decoder callbacks (snmp_version(),
 * snmp_helper()) through their void *context argument.
 */
struct snmp_ctx {
	unsigned char *begin;	/* start of the UDP payload; byte offsets are relative to it */
	__sum16 *check;		/* UDP checksum field to patch; left alone when zero */
	__be32 from;		/* address to look for in the PDU */
	__be32 to;		/* address it is rewritten to */
};
66
/*
 * Incrementally fix the UDP checksum after a 4-byte address was rewritten
 * in place: fold the one's complement of @ctx->from and then @ctx->to into
 * the existing checksum, at the 16-bit word alignment the address had in
 * the payload.
 *
 * Only the parity of @offset matters. For an odd offset the address
 * straddles 16-bit words, so each value is padded with a zero byte on
 * both sides before being folded in.
 */
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
	unsigned char s[12] = {0,};
	int size, i, neg;

	if (offset & 1) {
		/* layout: [0 from 0][0 to 0], six bytes per value */
		memcpy(&s[1], &ctx->from, 4);
		memcpy(&s[7], &ctx->to, 4);
		size = 12;
		neg = 6;
	} else {
		/* layout: [from][to], four bytes per value */
		memcpy(&s[0], &ctx->from, 4);
		memcpy(&s[4], &ctx->to, 4);
		size = 8;
		neg = 4;
	}

	/* complement the old value (including its padding) so it is removed */
	for (i = 0; i < neg; i++)
		s[i] = ~s[i];

	*ctx->check = csum_fold(csum_partial(s, size,
					     ~csum_unfold(*ctx->check)));
}
94
/*
 * ASN.1 decoder callback for the SNMP version INTEGER.
 *
 * Returns 1 when the version is 0 or 1, -EINVAL when the encoded value is
 * not exactly one byte long, and -ENOTSUPP for any other version.
 */
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
		 const void *data, size_t datalen)
{
	const unsigned char *version = data;

	if (datalen != 1)
		return -EINVAL;

	return *version > 1 ? -ENOTSUPP : 1;
}
104
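/*
 * ASN.1 decoder callback for IpAddress values inside the PDU.
 *
 * When the 4-byte value equals @ctx->from it is rewritten in place to
 * @ctx->to and, unless the UDP checksum is zero, the checksum is patched
 * incrementally via fast_csum(). Any other value is left untouched.
 *
 * The value sits at an arbitrary byte offset inside the BER-encoded
 * payload (fast_csum() explicitly handles odd offsets), so it is read and
 * written with memcpy() instead of through a __be32 pointer, which would
 * be a misaligned access on strict-alignment targets.
 *
 * Writing through @data relies on the caller having made the skb
 * writable beforehand (help() does this).
 *
 * Returns 1 on success or -EINVAL if the value is not 4 bytes long.
 */
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
		const void *data, size_t datalen)
{
	struct snmp_ctx *ctx = (struct snmp_ctx *)context;
	unsigned char *pdata = (unsigned char *)data;
	__be32 addr;

	if (datalen != 4)
		return -EINVAL;

	memcpy(&addr, pdata, sizeof(addr));
	if (addr == ctx->from) {
		pr_debug("%s: %pI4 to %pI4\n", __func__,
			 (void *)&ctx->from, (void *)&ctx->to);

		/* a zero UDP checksum means none is present: nothing to fix */
		if (*ctx->check)
			fast_csum(ctx, pdata - ctx->begin);
		memcpy(pdata, &ctx->to, sizeof(ctx->to));
	}

	return 1;
}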
125
/*
 * Decode the SNMP PDU in @skb and rewrite the address that NAT changed.
 * Must be called with snmp_lock held (see help()).
 *
 * @dir picks which side of the conntrack tuple supplies the address to
 * look for (ctx.from) and which supplies its replacement (ctx.to). The
 * matching and in-place rewrite is done by snmp_helper(), invoked by the
 * generated decoder for each IpAddress element.
 *
 * Returns NF_ACCEPT, also when from and to are identical (nothing to
 * translate), or NF_DROP if the BER decoder rejects the payload.
 */
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
	struct iphdr *iph = ip_hdr(skb);
	struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
	/* help() has already verified udph->len against the skb length */
	u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
	char *data = (unsigned char *)udph + sizeof(struct udphdr);
	struct snmp_ctx ctx;
	int ret;

	if (dir == IP_CT_DIR_ORIGINAL) {
		ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
	} else {
		ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
	}

	/* address unchanged by NAT: nothing to rewrite */
	if (ctx.from == ctx.to)
		return NF_ACCEPT;

	/* offsets passed to fast_csum() are measured from the payload start */
	ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
	ctx.check = &udph->check;
	ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
	if (ret < 0) {
		nf_ct_helper_log(skb, ct, "parser failed\n");
		return NF_DROP;
	}

	return NF_ACCEPT;
}
/*
 * Conntrack helper entry point for SNMP traffic (also installed as
 * nf_nat_snmp_hook). Only replies coming from the agent port and traps
 * sent to the trap port are examined; everything else is accepted
 * untouched.
 *
 * Returns NF_ACCEPT, or NF_DROP if the UDP length does not match the
 * packet, the skb cannot be made writable, or snmp_translate() fails.
 */
static int help(struct sk_buff *skb, unsigned int protoff,
		struct nf_conn *ct,
		enum ip_conntrack_info ctinfo)
{
	int dir = CTINFO2DIR(ctinfo);
	unsigned int ret;
	const struct iphdr *iph = ip_hdr(skb);
	const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);

	/* only agent replies and trap PDUs are translated */
	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
		return NF_ACCEPT;
	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
		return NF_ACCEPT;

	/* nothing to rewrite unless the connection is being NATed */
	if (!(ct->status & IPS_NAT_MASK))
		return NF_ACCEPT;

	/*
	 * The UDP length field must cover exactly the rest of the packet;
	 * snmp_translate() derives the payload length from it.
	 */
	if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
		nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
		return NF_DROP;
	}

	/* snmp_helper() rewrites the payload in place, so the skb must be writable */
	if (skb_ensure_writable(skb, skb->len)) {
		nf_ct_helper_log(skb, ct, "cannot mangle packet");
		return NF_DROP;
	}

	spin_lock_bh(&snmp_lock);
	ret = snmp_translate(ct, dir, skb);
	spin_unlock_bh(&snmp_lock);
	return ret;
}
199
/* The helper creates no expectations; the policy only carries a timeout. */
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
	.max_expected = 0,
	.timeout = 180,
};
204
/* Helper registered for IPv4 UDP traffic to the SNMP trap port. */
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
	.me = THIS_MODULE,
	.help = help,
	.expect_policy = &snmp_exp_policy,
	.name = "snmp_trap",
	.tuple.src.l3num = AF_INET,
	.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
	.tuple.dst.protonum = IPPROTO_UDP,
};
214
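/*
 * Module init: register the trap helper and publish help() through
 * nf_nat_snmp_hook.
 *
 * The helper is registered before the hook is published. Publishing
 * first and then failing registration would leave nf_nat_snmp_hook
 * pointing at help() after the failed module is unloaded, i.e. a
 * dangling function pointer for whoever dereferences the hook.
 *
 * Returns 0 or the error from nf_conntrack_helper_register().
 */
static int __init nf_nat_snmp_basic_init(void)
{
	int ret;

	BUG_ON(nf_nat_snmp_hook != NULL);

	ret = nf_conntrack_helper_register(&snmp_trap_helper);
	if (ret < 0)
		return ret;

	RCU_INIT_POINTER(nf_nat_snmp_hook, help);
	return 0;
}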
222
/*
 * Module exit: withdraw the hook, wait for readers that may still be
 * running help() through it, then unregister the trap helper.
 */
static void __exit nf_nat_snmp_basic_fini(void)
{
	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
	/* no caller may still be inside help() once the module text goes away */
	synchronize_rcu();
	nf_conntrack_helper_unregister(&snmp_trap_helper);
}
229
/* Module entry and exit points. */
module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);