Blame view
net/netfilter/nf_conntrack_pptp.c
18.4 KB
f09943fef [NETFILTER]: nf_c... |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
/* * Connection tracking support for PPTP (Point to Point Tunneling Protocol). * PPTP is a a protocol for creating virtual private networks. * It is a specification defined by Microsoft and some vendors * working with Microsoft. PPTP is built on top of a modified * version of the Internet Generic Routing Encapsulation Protocol. * GRE is defined in RFC 1701 and RFC 1702. Documentation of * PPTP can be found in RFC 2637 * * (C) 2000-2005 by Harald Welte <laforge@gnumonks.org> * * Development of this code funded by Astaro AG (http://www.astaro.com/) * * Limitations: * - We blindly assume that control connections are always * established in PNS->PAC direction. This is a violation * of RFFC2673 * - We can only support one single call within each session * TODO: * - testing of incoming PPTP calls */ #include <linux/module.h> #include <linux/skbuff.h> #include <linux/in.h> #include <linux/tcp.h> #include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack_core.h> #include <net/netfilter/nf_conntrack_helper.h> |
5d0aa2ccd netfilter: nf_con... |
31 |
#include <net/netfilter/nf_conntrack_zones.h> |
f09943fef [NETFILTER]: nf_c... |
32 33 34 35 36 37 38 39 40 |
#include <linux/netfilter/nf_conntrack_proto_gre.h> #include <linux/netfilter/nf_conntrack_pptp.h> #define NF_CT_PPTP_VERSION "3.1" MODULE_LICENSE("GPL"); MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP"); MODULE_ALIAS("ip_conntrack_pptp"); |
4dc06f963 netfilter: nf_con... |
41 |
MODULE_ALIAS_NFCT_HELPER("pptp"); |
f09943fef [NETFILTER]: nf_c... |
42 43 44 45 |
static DEFINE_SPINLOCK(nf_pptp_lock); int |
3db05fea5 [NETFILTER]: Repl... |
46 |
(*nf_nat_pptp_hook_outbound)(struct sk_buff *skb, |
f09943fef [NETFILTER]: nf_c... |
47 48 49 50 51 52 |
struct nf_conn *ct, enum ip_conntrack_info ctinfo, struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq) __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_outbound); int |
3db05fea5 [NETFILTER]: Repl... |
53 |
(*nf_nat_pptp_hook_inbound)(struct sk_buff *skb, |
f09943fef [NETFILTER]: nf_c... |
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 |
struct nf_conn *ct, enum ip_conntrack_info ctinfo, struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq) __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_inbound); void (*nf_nat_pptp_hook_exp_gre)(struct nf_conntrack_expect *expect_orig, struct nf_conntrack_expect *expect_reply) __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_exp_gre); void (*nf_nat_pptp_hook_expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp) __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_expectfn); |
e9d376f0f dynamic debug: co... |
69 |
#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG) |
f09943fef [NETFILTER]: nf_c... |
70 |
/* PptpControlMessageType names */ |
9ddd0ed05 [NETFILTER]: nf_{... |
71 |
const char *const pptp_msg_name[] = { |
f09943fef [NETFILTER]: nf_c... |
72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 |
"UNKNOWN_MESSAGE", "START_SESSION_REQUEST", "START_SESSION_REPLY", "STOP_SESSION_REQUEST", "STOP_SESSION_REPLY", "ECHO_REQUEST", "ECHO_REPLY", "OUT_CALL_REQUEST", "OUT_CALL_REPLY", "IN_CALL_REQUEST", "IN_CALL_REPLY", "IN_CALL_CONNECT", "CALL_CLEAR_REQUEST", "CALL_DISCONNECT_NOTIFY", "WAN_ERROR_NOTIFY", "SET_LINK_INFO" }; EXPORT_SYMBOL(pptp_msg_name); |
f09943fef [NETFILTER]: nf_c... |
90 91 92 93 94 95 96 97 98 99 100 101 |
#endif #define SECS *HZ #define MINS * 60 SECS #define HOURS * 60 MINS #define PPTP_GRE_TIMEOUT (10 MINS) #define PPTP_GRE_STREAM_TIMEOUT (5 HOURS) static void pptp_expectfn(struct nf_conn *ct, struct nf_conntrack_expect *exp) { |
0e6e75af9 netfilter: netns ... |
102 |
struct net *net = nf_ct_net(ct); |
f09943fef [NETFILTER]: nf_c... |
103 |
typeof(nf_nat_pptp_hook_expectfn) nf_nat_pptp_expectfn; |
0d53778e8 [NETFILTER]: Conv... |
104 105 |
pr_debug("increasing timeouts "); |
f09943fef [NETFILTER]: nf_c... |
106 107 108 109 110 111 112 113 114 115 |
/* increase timeout of GRE data channel conntrack entry */ ct->proto.gre.timeout = PPTP_GRE_TIMEOUT; ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT; /* Can you see how rusty this code is, compared with the pre-2.6.11 * one? That's what happened to my shiny newnat of 2002 ;( -HW */ rcu_read_lock(); nf_nat_pptp_expectfn = rcu_dereference(nf_nat_pptp_hook_expectfn); |
7399072a7 [NETFILTER]: nf_c... |
116 |
if (nf_nat_pptp_expectfn && ct->master->status & IPS_NAT_MASK) |
f09943fef [NETFILTER]: nf_c... |
117 118 119 120 121 122 123 |
nf_nat_pptp_expectfn(ct, exp); else { struct nf_conntrack_tuple inv_t; struct nf_conntrack_expect *exp_other; /* obviously this tuple inversion only works until you do NAT */ nf_ct_invert_tuplepr(&inv_t, &exp->tuple); |
0d53778e8 [NETFILTER]: Conv... |
124 |
pr_debug("trying to unexpect other dir: "); |
3c9fba656 [NETFILTER]: nf_c... |
125 |
nf_ct_dump_tuple(&inv_t); |
f09943fef [NETFILTER]: nf_c... |
126 |
|
5d0aa2ccd netfilter: nf_con... |
127 |
exp_other = nf_ct_expect_find_get(net, nf_ct_zone(ct), &inv_t); |
f09943fef [NETFILTER]: nf_c... |
128 129 |
if (exp_other) { /* delete other expectation. */ |
0d53778e8 [NETFILTER]: Conv... |
130 131 |
pr_debug("found "); |
6823645d6 [NETFILTER]: nf_c... |
132 133 |
nf_ct_unexpect_related(exp_other); nf_ct_expect_put(exp_other); |
f09943fef [NETFILTER]: nf_c... |
134 |
} else { |
0d53778e8 [NETFILTER]: Conv... |
135 136 |
pr_debug("not found "); |
f09943fef [NETFILTER]: nf_c... |
137 138 139 140 |
} } rcu_read_unlock(); } |
5d0aa2ccd netfilter: nf_con... |
141 |
static int destroy_sibling_or_exp(struct net *net, struct nf_conn *ct, |
0e6e75af9 netfilter: netns ... |
142 |
const struct nf_conntrack_tuple *t) |
f09943fef [NETFILTER]: nf_c... |
143 |
{ |
9ddd0ed05 [NETFILTER]: nf_{... |
144 |
const struct nf_conntrack_tuple_hash *h; |
f09943fef [NETFILTER]: nf_c... |
145 146 |
struct nf_conntrack_expect *exp; struct nf_conn *sibling; |
5d0aa2ccd netfilter: nf_con... |
147 |
u16 zone = nf_ct_zone(ct); |
f09943fef [NETFILTER]: nf_c... |
148 |
|
0d53778e8 [NETFILTER]: Conv... |
149 |
pr_debug("trying to timeout ct or exp for tuple "); |
3c9fba656 [NETFILTER]: nf_c... |
150 |
nf_ct_dump_tuple(t); |
f09943fef [NETFILTER]: nf_c... |
151 |
|
5d0aa2ccd netfilter: nf_con... |
152 |
h = nf_conntrack_find_get(net, zone, t); |
f09943fef [NETFILTER]: nf_c... |
153 154 |
if (h) { sibling = nf_ct_tuplehash_to_ctrack(h); |
0d53778e8 [NETFILTER]: Conv... |
155 156 |
pr_debug("setting timeout of conntrack %p to 0 ", sibling); |
f09943fef [NETFILTER]: nf_c... |
157 158 159 160 161 162 163 |
sibling->proto.gre.timeout = 0; sibling->proto.gre.stream_timeout = 0; if (del_timer(&sibling->timeout)) sibling->timeout.function((unsigned long)sibling); nf_ct_put(sibling); return 1; } else { |
5d0aa2ccd netfilter: nf_con... |
164 |
exp = nf_ct_expect_find_get(net, zone, t); |
f09943fef [NETFILTER]: nf_c... |
165 |
if (exp) { |
0d53778e8 [NETFILTER]: Conv... |
166 167 |
pr_debug("unexpect_related of expect %p ", exp); |
6823645d6 [NETFILTER]: nf_c... |
168 169 |
nf_ct_unexpect_related(exp); nf_ct_expect_put(exp); |
f09943fef [NETFILTER]: nf_c... |
170 171 172 173 174 175 176 177 178 |
return 1; } } return 0; } /* timeout GRE data connections */ static void pptp_destroy_siblings(struct nf_conn *ct) { |
0e6e75af9 netfilter: netns ... |
179 |
struct net *net = nf_ct_net(ct); |
9ddd0ed05 [NETFILTER]: nf_{... |
180 |
const struct nf_conn_help *help = nfct_help(ct); |
f09943fef [NETFILTER]: nf_c... |
181 182 183 184 185 186 187 188 189 |
struct nf_conntrack_tuple t; nf_ct_gre_keymap_destroy(ct); /* try original (pns->pac) tuple */ memcpy(&t, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, sizeof(t)); t.dst.protonum = IPPROTO_GRE; t.src.u.gre.key = help->help.ct_pptp_info.pns_call_id; t.dst.u.gre.key = help->help.ct_pptp_info.pac_call_id; |
5d0aa2ccd netfilter: nf_con... |
190 |
if (!destroy_sibling_or_exp(net, ct, &t)) |
0d53778e8 [NETFILTER]: Conv... |
191 192 |
pr_debug("failed to timeout original pns->pac ct/exp "); |
f09943fef [NETFILTER]: nf_c... |
193 194 195 196 197 198 |
/* try reply (pac->pns) tuple */ memcpy(&t, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, sizeof(t)); t.dst.protonum = IPPROTO_GRE; t.src.u.gre.key = help->help.ct_pptp_info.pac_call_id; t.dst.u.gre.key = help->help.ct_pptp_info.pns_call_id; |
5d0aa2ccd netfilter: nf_con... |
199 |
if (!destroy_sibling_or_exp(net, ct, &t)) |
0d53778e8 [NETFILTER]: Conv... |
200 201 |
pr_debug("failed to timeout reply pac->pns ct/exp "); |
f09943fef [NETFILTER]: nf_c... |
202 203 204 205 206 207 208 209 210 |
} /* expect GRE connections (PNS->PAC and PAC->PNS direction) */ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid) { struct nf_conntrack_expect *exp_orig, *exp_reply; enum ip_conntrack_dir dir; int ret = 1; typeof(nf_nat_pptp_hook_exp_gre) nf_nat_pptp_exp_gre; |
6823645d6 [NETFILTER]: nf_c... |
211 |
exp_orig = nf_ct_expect_alloc(ct); |
f09943fef [NETFILTER]: nf_c... |
212 213 |
if (exp_orig == NULL) goto out; |
6823645d6 [NETFILTER]: nf_c... |
214 |
exp_reply = nf_ct_expect_alloc(ct); |
f09943fef [NETFILTER]: nf_c... |
215 216 217 218 219 |
if (exp_reply == NULL) goto out_put_orig; /* original direction, PNS->PAC */ dir = IP_CT_DIR_ORIGINAL; |
6002f266b [NETFILTER]: nf_c... |
220 |
nf_ct_expect_init(exp_orig, NF_CT_EXPECT_CLASS_DEFAULT, |
5e8fbe2ac [NETFILTER]: nf_c... |
221 |
nf_ct_l3num(ct), |
6823645d6 [NETFILTER]: nf_c... |
222 223 224 |
&ct->tuplehash[dir].tuple.src.u3, &ct->tuplehash[dir].tuple.dst.u3, IPPROTO_GRE, &peer_callid, &callid); |
f09943fef [NETFILTER]: nf_c... |
225 226 227 228 |
exp_orig->expectfn = pptp_expectfn; /* reply direction, PAC->PNS */ dir = IP_CT_DIR_REPLY; |
6002f266b [NETFILTER]: nf_c... |
229 |
nf_ct_expect_init(exp_reply, NF_CT_EXPECT_CLASS_DEFAULT, |
5e8fbe2ac [NETFILTER]: nf_c... |
230 |
nf_ct_l3num(ct), |
6823645d6 [NETFILTER]: nf_c... |
231 232 233 |
&ct->tuplehash[dir].tuple.src.u3, &ct->tuplehash[dir].tuple.dst.u3, IPPROTO_GRE, &callid, &peer_callid); |
f09943fef [NETFILTER]: nf_c... |
234 235 236 237 238 |
exp_reply->expectfn = pptp_expectfn; nf_nat_pptp_exp_gre = rcu_dereference(nf_nat_pptp_hook_exp_gre); if (nf_nat_pptp_exp_gre && ct->status & IPS_NAT_MASK) nf_nat_pptp_exp_gre(exp_orig, exp_reply); |
6823645d6 [NETFILTER]: nf_c... |
239 |
if (nf_ct_expect_related(exp_orig) != 0) |
f09943fef [NETFILTER]: nf_c... |
240 |
goto out_put_both; |
6823645d6 [NETFILTER]: nf_c... |
241 |
if (nf_ct_expect_related(exp_reply) != 0) |
f09943fef [NETFILTER]: nf_c... |
242 243 244 245 246 247 248 249 250 251 252 253 |
goto out_unexpect_orig; /* Add GRE keymap entries */ if (nf_ct_gre_keymap_add(ct, IP_CT_DIR_ORIGINAL, &exp_orig->tuple) != 0) goto out_unexpect_both; if (nf_ct_gre_keymap_add(ct, IP_CT_DIR_REPLY, &exp_reply->tuple) != 0) { nf_ct_gre_keymap_destroy(ct); goto out_unexpect_both; } ret = 0; out_put_both: |
6823645d6 [NETFILTER]: nf_c... |
254 |
nf_ct_expect_put(exp_reply); |
f09943fef [NETFILTER]: nf_c... |
255 |
out_put_orig: |
6823645d6 [NETFILTER]: nf_c... |
256 |
nf_ct_expect_put(exp_orig); |
f09943fef [NETFILTER]: nf_c... |
257 258 259 260 |
out: return ret; out_unexpect_both: |
6823645d6 [NETFILTER]: nf_c... |
261 |
nf_ct_unexpect_related(exp_reply); |
f09943fef [NETFILTER]: nf_c... |
262 |
out_unexpect_orig: |
6823645d6 [NETFILTER]: nf_c... |
263 |
nf_ct_unexpect_related(exp_orig); |
f09943fef [NETFILTER]: nf_c... |
264 265 266 267 |
goto out_put_both; } static inline int |
3db05fea5 [NETFILTER]: Repl... |
268 |
pptp_inbound_pkt(struct sk_buff *skb, |
f09943fef [NETFILTER]: nf_c... |
269 270 271 272 273 274 275 276 277 278 279 280 |
struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq, unsigned int reqlen, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { struct nf_ct_pptp_master *info = &nfct_help(ct)->help.ct_pptp_info; u_int16_t msg; __be16 cid = 0, pcid = 0; typeof(nf_nat_pptp_hook_inbound) nf_nat_pptp_inbound; msg = ntohs(ctlh->messageType); |
0d53778e8 [NETFILTER]: Conv... |
281 282 |
pr_debug("inbound control message %s ", pptp_msg_name[msg]); |
f09943fef [NETFILTER]: nf_c... |
283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 |
switch (msg) { case PPTP_START_SESSION_REPLY: /* server confirms new control session */ if (info->sstate < PPTP_SESSION_REQUESTED) goto invalid; if (pptpReq->srep.resultCode == PPTP_START_OK) info->sstate = PPTP_SESSION_CONFIRMED; else info->sstate = PPTP_SESSION_ERROR; break; case PPTP_STOP_SESSION_REPLY: /* server confirms end of control session */ if (info->sstate > PPTP_SESSION_STOPREQ) goto invalid; if (pptpReq->strep.resultCode == PPTP_STOP_OK) info->sstate = PPTP_SESSION_NONE; else info->sstate = PPTP_SESSION_ERROR; break; case PPTP_OUT_CALL_REPLY: /* server accepted call, we now expect GRE frames */ if (info->sstate != PPTP_SESSION_CONFIRMED) goto invalid; if (info->cstate != PPTP_CALL_OUT_REQ && info->cstate != PPTP_CALL_OUT_CONF) goto invalid; cid = pptpReq->ocack.callID; pcid = pptpReq->ocack.peersCallID; if (info->pns_call_id != pcid) goto invalid; |
0d53778e8 [NETFILTER]: Conv... |
317 318 319 |
pr_debug("%s, CID=%X, PCID=%X ", pptp_msg_name[msg], ntohs(cid), ntohs(pcid)); |
f09943fef [NETFILTER]: nf_c... |
320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 |
if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) { info->cstate = PPTP_CALL_OUT_CONF; info->pac_call_id = cid; exp_gre(ct, cid, pcid); } else info->cstate = PPTP_CALL_NONE; break; case PPTP_IN_CALL_REQUEST: /* server tells us about incoming call request */ if (info->sstate != PPTP_SESSION_CONFIRMED) goto invalid; cid = pptpReq->icreq.callID; |
0d53778e8 [NETFILTER]: Conv... |
335 336 |
pr_debug("%s, CID=%X ", pptp_msg_name[msg], ntohs(cid)); |
f09943fef [NETFILTER]: nf_c... |
337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 |
info->cstate = PPTP_CALL_IN_REQ; info->pac_call_id = cid; break; case PPTP_IN_CALL_CONNECT: /* server tells us about incoming call established */ if (info->sstate != PPTP_SESSION_CONFIRMED) goto invalid; if (info->cstate != PPTP_CALL_IN_REP && info->cstate != PPTP_CALL_IN_CONF) goto invalid; pcid = pptpReq->iccon.peersCallID; cid = info->pac_call_id; if (info->pns_call_id != pcid) goto invalid; |
0d53778e8 [NETFILTER]: Conv... |
354 355 |
pr_debug("%s, PCID=%X ", pptp_msg_name[msg], ntohs(pcid)); |
f09943fef [NETFILTER]: nf_c... |
356 357 358 359 360 361 362 363 364 |
info->cstate = PPTP_CALL_IN_CONF; /* we expect a GRE connection from PAC to PNS */ exp_gre(ct, cid, pcid); break; case PPTP_CALL_DISCONNECT_NOTIFY: /* server confirms disconnect */ cid = pptpReq->disc.callID; |
0d53778e8 [NETFILTER]: Conv... |
365 366 |
pr_debug("%s, CID=%X ", pptp_msg_name[msg], ntohs(cid)); |
f09943fef [NETFILTER]: nf_c... |
367 368 369 370 371 372 373 |
info->cstate = PPTP_CALL_NONE; /* untrack this call id, unexpect GRE packets */ pptp_destroy_siblings(ct); break; case PPTP_WAN_ERROR_NOTIFY: |
4c6e42096 netfilter: nf_ct_... |
374 |
case PPTP_SET_LINK_INFO: |
f09943fef [NETFILTER]: nf_c... |
375 376 377 378 379 380 381 382 383 384 385 |
case PPTP_ECHO_REQUEST: case PPTP_ECHO_REPLY: /* I don't have to explain these ;) */ break; default: goto invalid; } nf_nat_pptp_inbound = rcu_dereference(nf_nat_pptp_hook_inbound); if (nf_nat_pptp_inbound && ct->status & IPS_NAT_MASK) |
3db05fea5 [NETFILTER]: Repl... |
386 |
return nf_nat_pptp_inbound(skb, ct, ctinfo, ctlh, pptpReq); |
f09943fef [NETFILTER]: nf_c... |
387 388 389 |
return NF_ACCEPT; invalid: |
0d53778e8 [NETFILTER]: Conv... |
390 391 392 393 394 395 |
pr_debug("invalid %s: type=%d cid=%u pcid=%u " "cstate=%d sstate=%d pns_cid=%u pac_cid=%u ", msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0], msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate, ntohs(info->pns_call_id), ntohs(info->pac_call_id)); |
f09943fef [NETFILTER]: nf_c... |
396 397 398 399 |
return NF_ACCEPT; } static inline int |
3db05fea5 [NETFILTER]: Repl... |
400 |
pptp_outbound_pkt(struct sk_buff *skb, |
f09943fef [NETFILTER]: nf_c... |
401 402 403 404 405 406 407 408 409 410 411 412 |
struct PptpControlHeader *ctlh, union pptp_ctrl_union *pptpReq, unsigned int reqlen, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { struct nf_ct_pptp_master *info = &nfct_help(ct)->help.ct_pptp_info; u_int16_t msg; __be16 cid = 0, pcid = 0; typeof(nf_nat_pptp_hook_outbound) nf_nat_pptp_outbound; msg = ntohs(ctlh->messageType); |
0d53778e8 [NETFILTER]: Conv... |
413 414 |
pr_debug("outbound control message %s ", pptp_msg_name[msg]); |
f09943fef [NETFILTER]: nf_c... |
415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 |
switch (msg) { case PPTP_START_SESSION_REQUEST: /* client requests for new control session */ if (info->sstate != PPTP_SESSION_NONE) goto invalid; info->sstate = PPTP_SESSION_REQUESTED; break; case PPTP_STOP_SESSION_REQUEST: /* client requests end of control session */ info->sstate = PPTP_SESSION_STOPREQ; break; case PPTP_OUT_CALL_REQUEST: /* client initiating connection to server */ if (info->sstate != PPTP_SESSION_CONFIRMED) goto invalid; info->cstate = PPTP_CALL_OUT_REQ; /* track PNS call id */ cid = pptpReq->ocreq.callID; |
0d53778e8 [NETFILTER]: Conv... |
436 437 |
pr_debug("%s, CID=%X ", pptp_msg_name[msg], ntohs(cid)); |
f09943fef [NETFILTER]: nf_c... |
438 439 440 441 442 443 444 445 446 447 448 449 450 |
info->pns_call_id = cid; break; case PPTP_IN_CALL_REPLY: /* client answers incoming call */ if (info->cstate != PPTP_CALL_IN_REQ && info->cstate != PPTP_CALL_IN_REP) goto invalid; cid = pptpReq->icack.callID; pcid = pptpReq->icack.peersCallID; if (info->pac_call_id != pcid) goto invalid; |
0d53778e8 [NETFILTER]: Conv... |
451 452 453 |
pr_debug("%s, CID=%X PCID=%X ", pptp_msg_name[msg], ntohs(cid), ntohs(pcid)); |
f09943fef [NETFILTER]: nf_c... |
454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 |
if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) { /* part two of the three-way handshake */ info->cstate = PPTP_CALL_IN_REP; info->pns_call_id = cid; } else info->cstate = PPTP_CALL_NONE; break; case PPTP_CALL_CLEAR_REQUEST: /* client requests hangup of call */ if (info->sstate != PPTP_SESSION_CONFIRMED) goto invalid; /* FUTURE: iterate over all calls and check if * call ID is valid. We don't do this without newnat, * because we only know about last call */ info->cstate = PPTP_CALL_CLEAR_REQ; break; case PPTP_SET_LINK_INFO: case PPTP_ECHO_REQUEST: case PPTP_ECHO_REPLY: /* I don't have to explain these ;) */ break; default: goto invalid; } nf_nat_pptp_outbound = rcu_dereference(nf_nat_pptp_hook_outbound); if (nf_nat_pptp_outbound && ct->status & IPS_NAT_MASK) |
3db05fea5 [NETFILTER]: Repl... |
485 |
return nf_nat_pptp_outbound(skb, ct, ctinfo, ctlh, pptpReq); |
f09943fef [NETFILTER]: nf_c... |
486 487 488 |
return NF_ACCEPT; invalid: |
0d53778e8 [NETFILTER]: Conv... |
489 490 491 492 493 494 |
pr_debug("invalid %s: type=%d cid=%u pcid=%u " "cstate=%d sstate=%d pns_cid=%u pac_cid=%u ", msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0], msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate, ntohs(info->pns_call_id), ntohs(info->pac_call_id)); |
f09943fef [NETFILTER]: nf_c... |
495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 |
return NF_ACCEPT; } static const unsigned int pptp_msg_size[] = { [PPTP_START_SESSION_REQUEST] = sizeof(struct PptpStartSessionRequest), [PPTP_START_SESSION_REPLY] = sizeof(struct PptpStartSessionReply), [PPTP_STOP_SESSION_REQUEST] = sizeof(struct PptpStopSessionRequest), [PPTP_STOP_SESSION_REPLY] = sizeof(struct PptpStopSessionReply), [PPTP_OUT_CALL_REQUEST] = sizeof(struct PptpOutCallRequest), [PPTP_OUT_CALL_REPLY] = sizeof(struct PptpOutCallReply), [PPTP_IN_CALL_REQUEST] = sizeof(struct PptpInCallRequest), [PPTP_IN_CALL_REPLY] = sizeof(struct PptpInCallReply), [PPTP_IN_CALL_CONNECT] = sizeof(struct PptpInCallConnected), [PPTP_CALL_CLEAR_REQUEST] = sizeof(struct PptpClearCallRequest), [PPTP_CALL_DISCONNECT_NOTIFY] = sizeof(struct PptpCallDisconnectNotify), [PPTP_WAN_ERROR_NOTIFY] = sizeof(struct PptpWanErrorNotify), [PPTP_SET_LINK_INFO] = sizeof(struct PptpSetLinkInfo), }; /* track caller id inside control connection, call expect_related */ static int |
3db05fea5 [NETFILTER]: Repl... |
516 |
conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff, |
f09943fef [NETFILTER]: nf_c... |
517 518 519 520 |
struct nf_conn *ct, enum ip_conntrack_info ctinfo) { int dir = CTINFO2DIR(ctinfo); |
9ddd0ed05 [NETFILTER]: nf_{... |
521 522 523 524 525 |
const struct nf_ct_pptp_master *info = &nfct_help(ct)->help.ct_pptp_info; const struct tcphdr *tcph; struct tcphdr _tcph; const struct pptp_pkt_hdr *pptph; struct pptp_pkt_hdr _pptph; |
f09943fef [NETFILTER]: nf_c... |
526 527 |
struct PptpControlHeader _ctlh, *ctlh; union pptp_ctrl_union _pptpReq, *pptpReq; |
3db05fea5 [NETFILTER]: Repl... |
528 |
unsigned int tcplen = skb->len - protoff; |
f09943fef [NETFILTER]: nf_c... |
529 530 531 532 533 534 |
unsigned int datalen, reqlen, nexthdr_off; int oldsstate, oldcstate; int ret; u_int16_t msg; /* don't do any tracking before tcp handshake complete */ |
fb0488337 netfilter: add mo... |
535 |
if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) |
f09943fef [NETFILTER]: nf_c... |
536 537 538 |
return NF_ACCEPT; nexthdr_off = protoff; |
3db05fea5 [NETFILTER]: Repl... |
539 |
tcph = skb_header_pointer(skb, nexthdr_off, sizeof(_tcph), &_tcph); |
f09943fef [NETFILTER]: nf_c... |
540 541 |
BUG_ON(!tcph); nexthdr_off += tcph->doff * 4; |
601e68e10 [NETFILTER]: Fix ... |
542 |
datalen = tcplen - tcph->doff * 4; |
f09943fef [NETFILTER]: nf_c... |
543 |
|
3db05fea5 [NETFILTER]: Repl... |
544 |
pptph = skb_header_pointer(skb, nexthdr_off, sizeof(_pptph), &_pptph); |
f09943fef [NETFILTER]: nf_c... |
545 |
if (!pptph) { |
0d53778e8 [NETFILTER]: Conv... |
546 547 |
pr_debug("no full PPTP header, can't track "); |
f09943fef [NETFILTER]: nf_c... |
548 549 550 551 552 553 554 555 |
return NF_ACCEPT; } nexthdr_off += sizeof(_pptph); datalen -= sizeof(_pptph); /* if it's not a control message we can't do anything with it */ if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL || ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) { |
0d53778e8 [NETFILTER]: Conv... |
556 557 |
pr_debug("not a control packet "); |
f09943fef [NETFILTER]: nf_c... |
558 559 |
return NF_ACCEPT; } |
3db05fea5 [NETFILTER]: Repl... |
560 |
ctlh = skb_header_pointer(skb, nexthdr_off, sizeof(_ctlh), &_ctlh); |
f09943fef [NETFILTER]: nf_c... |
561 562 563 564 565 566 567 568 569 570 571 |
if (!ctlh) return NF_ACCEPT; nexthdr_off += sizeof(_ctlh); datalen -= sizeof(_ctlh); reqlen = datalen; msg = ntohs(ctlh->messageType); if (msg > 0 && msg <= PPTP_MSG_MAX && reqlen < pptp_msg_size[msg]) return NF_ACCEPT; if (reqlen > sizeof(*pptpReq)) reqlen = sizeof(*pptpReq); |
3db05fea5 [NETFILTER]: Repl... |
572 |
pptpReq = skb_header_pointer(skb, nexthdr_off, reqlen, &_pptpReq); |
f09943fef [NETFILTER]: nf_c... |
573 574 575 576 577 578 579 580 581 582 583 584 |
if (!pptpReq) return NF_ACCEPT; oldsstate = info->sstate; oldcstate = info->cstate; spin_lock_bh(&nf_pptp_lock); /* FIXME: We just blindly assume that the control connection is always * established from PNS->PAC. However, RFC makes no guarantee */ if (dir == IP_CT_DIR_ORIGINAL) /* client -> server (PNS -> PAC) */ |
3db05fea5 [NETFILTER]: Repl... |
585 |
ret = pptp_outbound_pkt(skb, ctlh, pptpReq, reqlen, ct, |
f09943fef [NETFILTER]: nf_c... |
586 587 588 |
ctinfo); else /* server -> client (PAC -> PNS) */ |
3db05fea5 [NETFILTER]: Repl... |
589 |
ret = pptp_inbound_pkt(skb, ctlh, pptpReq, reqlen, ct, |
f09943fef [NETFILTER]: nf_c... |
590 |
ctinfo); |
0d53778e8 [NETFILTER]: Conv... |
591 592 593 |
pr_debug("sstate: %d->%d, cstate: %d->%d ", oldsstate, info->sstate, oldcstate, info->cstate); |
f09943fef [NETFILTER]: nf_c... |
594 595 596 597 |
spin_unlock_bh(&nf_pptp_lock); return ret; } |
6002f266b [NETFILTER]: nf_c... |
598 599 600 601 |
static const struct nf_conntrack_expect_policy pptp_exp_policy = { .max_expected = 2, .timeout = 5 * 60, }; |
f09943fef [NETFILTER]: nf_c... |
602 603 604 605 |
/* control protocol helper */ static struct nf_conntrack_helper pptp __read_mostly = { .name = "pptp", .me = THIS_MODULE, |
f09943fef [NETFILTER]: nf_c... |
606 |
.tuple.src.l3num = AF_INET, |
09640e636 net: replace uses... |
607 |
.tuple.src.u.tcp.port = cpu_to_be16(PPTP_CONTROL_PORT), |
f09943fef [NETFILTER]: nf_c... |
608 |
.tuple.dst.protonum = IPPROTO_TCP, |
f09943fef [NETFILTER]: nf_c... |
609 610 |
.help = conntrack_pptp_help, .destroy = pptp_destroy_siblings, |
6002f266b [NETFILTER]: nf_c... |
611 |
.expect_policy = &pptp_exp_policy, |
f09943fef [NETFILTER]: nf_c... |
612 |
}; |
0e6e75af9 netfilter: netns ... |
613 614 615 616 617 618 619 620 |
static void nf_conntrack_pptp_net_exit(struct net *net) { nf_ct_gre_keymap_flush(net); } static struct pernet_operations nf_conntrack_pptp_net_ops = { .exit = nf_conntrack_pptp_net_exit, }; |
f09943fef [NETFILTER]: nf_c... |
621 622 |
static int __init nf_conntrack_pptp_init(void) { |
0e6e75af9 netfilter: netns ... |
623 624 625 626 627 628 629 630 631 |
int rv; rv = nf_conntrack_helper_register(&pptp); if (rv < 0) return rv; rv = register_pernet_subsys(&nf_conntrack_pptp_net_ops); if (rv < 0) nf_conntrack_helper_unregister(&pptp); return rv; |
f09943fef [NETFILTER]: nf_c... |
632 633 634 635 636 |
} static void __exit nf_conntrack_pptp_fini(void) { nf_conntrack_helper_unregister(&pptp); |
0e6e75af9 netfilter: netns ... |
637 |
unregister_pernet_subsys(&nf_conntrack_pptp_net_ops); |
f09943fef [NETFILTER]: nf_c... |
638 639 640 641 |
} module_init(nf_conntrack_pptp_init); module_exit(nf_conntrack_pptp_fini); |