Blame view
net/ipv4/netfilter/nf_nat_ftp.c
3.63 KB
55a733247
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
/* FTP extension for TCP NAT alteration. */ /* (C) 1999-2001 Paul `Rusty' Russell * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ #include <linux/module.h> #include <linux/moduleparam.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/netfilter_ipv4.h> #include <net/netfilter/nf_nat.h> #include <net/netfilter/nf_nat_helper.h> #include <net/netfilter/nf_nat_rule.h> #include <net/netfilter/nf_conntrack_helper.h> #include <net/netfilter/nf_conntrack_expect.h> #include <linux/netfilter/nf_conntrack_ftp.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); MODULE_DESCRIPTION("ftp NAT helper"); MODULE_ALIAS("ip_nat_ftp"); |
55a733247
|
27 |
/* FIXME: Time out? --RR */ |
c299bd53a
|
28 29 30 |
static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type, char *buffer, size_t buflen, __be32 addr, u16 port) |
55a733247
|
31 |
{ |
c299bd53a
|
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
switch (type) { case NF_CT_FTP_PORT: case NF_CT_FTP_PASV: return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u", ((unsigned char *)&addr)[0], ((unsigned char *)&addr)[1], ((unsigned char *)&addr)[2], ((unsigned char *)&addr)[3], port >> 8, port & 0xFF); case NF_CT_FTP_EPRT: return snprintf(buffer, buflen, "|1|%pI4|%u|", &addr, port); case NF_CT_FTP_EPSV: return snprintf(buffer, buflen, "|||%u|", port); } |
55a733247
|
47 |
|
c299bd53a
|
48 |
return 0; |
55a733247
|
49 |
} |
55a733247
|
50 51 |
/* So, this packet has hit the connection tracking matching code. Mangle it, and change the expectation to match the new version. */ |
3db05fea5
|
52 |
static unsigned int nf_nat_ftp(struct sk_buff *skb, |
55a733247
|
53 54 55 56 |
enum ip_conntrack_info ctinfo, enum nf_ct_ftp_type type, unsigned int matchoff, unsigned int matchlen, |
25b86e054
|
57 |
struct nf_conntrack_expect *exp) |
55a733247
|
58 59 60 61 62 |
{ __be32 newip; u_int16_t port; int dir = CTINFO2DIR(ctinfo); struct nf_conn *ct = exp->master; |
c299bd53a
|
63 64 |
char buffer[sizeof("|1|255.255.255.255|65535|")]; unsigned int buflen; |
55a733247
|
65 |
|
0d53778e8
|
66 67 |
pr_debug("FTP_NAT: type %i, off %u len %u ", type, matchoff, matchlen); |
55a733247
|
68 69 70 71 72 73 74 75 76 77 78 79 |
/* Connection will come from wherever this packet goes, hence !dir */ newip = ct->tuplehash[!dir].tuple.dst.u3.ip; exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port; exp->dir = !dir; /* When you see the packet, we need to NAT it the same as the * this one. */ exp->expectfn = nf_nat_follow_master; /* Try to get same port: if not, try to change it. */ for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) { |
5b92b61f3
|
80 |
int ret; |
55a733247
|
81 |
exp->tuple.dst.u.tcp.port = htons(port); |
5b92b61f3
|
82 83 84 85 86 |
ret = nf_ct_expect_related(exp); if (ret == 0) break; else if (ret != -EBUSY) { port = 0; |
55a733247
|
87 |
break; |
5b92b61f3
|
88 |
} |
55a733247
|
89 90 91 92 |
} if (port == 0) return NF_DROP; |
c299bd53a
|
93 94 95 96 97 98 99 100 101 102 |
buflen = nf_nat_ftp_fmt_cmd(type, buffer, sizeof(buffer), newip, port); if (!buflen) goto out; pr_debug("calling nf_nat_mangle_tcp_packet "); if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, matchlen, buffer, buflen)) goto out; |
55a733247
|
103 |
return NF_ACCEPT; |
c299bd53a
|
104 105 106 107 |
out: nf_ct_unexpect_related(exp); return NF_DROP; |
55a733247
|
108 109 110 111 |
} static void __exit nf_nat_ftp_fini(void) { |
a9b3cd7f3
|
112 |
RCU_INIT_POINTER(nf_nat_ftp_hook, NULL); |
55a733247
|
113 114 115 116 117 |
synchronize_rcu(); } static int __init nf_nat_ftp_init(void) { |
d1332e0ab
|
118 |
BUG_ON(nf_nat_ftp_hook != NULL); |
a9b3cd7f3
|
119 |
RCU_INIT_POINTER(nf_nat_ftp_hook, nf_nat_ftp); |
55a733247
|
120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
return 0; } /* Prior to 2.6.11, we had a ports param. No longer, but don't break users. */ static int warn_set(const char *val, struct kernel_param *kp) { printk(KERN_INFO KBUILD_MODNAME ": kernel >= 2.6.10 only uses 'ports' for conntrack modules "); return 0; } module_param_call(ports, warn_set, NULL, NULL, 0); module_init(nf_nat_ftp_init); module_exit(nf_nat_ftp_fini); |