[netfilter-cvslog] r3832 -
trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter
laforge at netfilter.org
laforge at netfilter.org
Sat Apr 9 12:53:36 CEST 2005
Author: laforge at netfilter.org
Date: 2005-04-09 12:53:36 +0200 (Sat, 09 Apr 2005)
New Revision: 3832
Modified:
trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/Makefile.ladd_2
trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_conntrack_mms.c
trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_nat_mms.c
Log:
now compiles on 2.6.10
Modified: trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/Makefile.ladd_2
===================================================================
--- trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/Makefile.ladd_2 2005-04-09 10:19:52 UTC (rev 3831)
+++ trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/Makefile.ladd_2 2005-04-09 10:53:36 UTC (rev 3832)
@@ -1,2 +1,2 @@
-# NAT helpers
+# NAT helpers
obj-$(CONFIG_IP_NF_NAT_MMS) += ip_nat_mms.o
Modified: trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_conntrack_mms.c
===================================================================
--- trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_conntrack_mms.c 2005-04-09 10:19:52 UTC (rev 3831)
+++ trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_conntrack_mms.c 2005-04-09 10:53:36 UTC (rev 3832)
@@ -1,8 +1,9 @@
/* MMS extension for IP connection tracking
* (C) 2002 by Filip Sneppe <filip.sneppe at cronos.be>
+ * (C) 2005 by Harald Welte <laforge at netfilter.org>
* based on ip_conntrack_ftp.c and ip_conntrack_irc.c
*
- * ip_conntrack_mms.c v0.3 2002-09-22
+ * ip_conntrack_mms.c v1.3 2005-04-09
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -25,6 +26,7 @@
#include <linux/config.h>
#include <linux/module.h>
+#include <linux/moduleparam.h>
#include <linux/netfilter.h>
#include <linux/ip.h>
#include <linux/ctype.h>
@@ -35,15 +37,16 @@
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
+/* This is slow, but it's simple. */
+static char mms_buffer[65536];
+
DECLARE_LOCK(ip_mms_lock);
struct module *ip_conntrack_mms = THIS_MODULE;
#define MAX_PORTS 8
static int ports[MAX_PORTS];
static int ports_c;
-#ifdef MODULE_PARM
-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
-#endif
+module_param_array(ports, int, ports_c, 0400);
#if 0
#define DEBUGP printk
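Review bot: `module_param_array(ports, int, ports_c, 0400);` passes the element count by value, while the kernel's kparam_array keeps a pointer to the count; if the target moduleparam.h takes `int *` here this must be `&ports_c`, and the same line is added by the ip_nat_mms.c hunk below, so please confirm against the 2.6.10 definition the log refers to. Separately, `mms_buffer` is a single 64 KiB scratch area shared by every CPU; it is only sound because the later hunk takes ip_mms_lock before skb_header_pointer() copies the payload into it, and that invariant is not stated anywhere. A comment on the declaration would protect it, e.g. `/* Scratch copy of the TCP payload; only touch while holding ip_mms_lock. */`.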
@@ -51,8 +54,6 @@
#define DEBUGP(format, args...)
#endif
-EXPORT_SYMBOL(ip_mms_lock);
-
MODULE_AUTHOR("Filip Sneppe <filip.sneppe at cronos.be>");
MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module");
MODULE_LICENSE("GPL");
@@ -140,25 +141,24 @@
/* FIXME: This should be in userspace. Later. */
-static int help(const struct iphdr *iph, size_t len,
+static int help(struct sk_buff *skb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo)
{
/* tcplen not negative guaranteed by ip_conntrack_tcp.c */
- struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
- const char *data = (const char *)tcph + tcph->doff * 4;
- unsigned int tcplen = len - iph->ihl * 4;
- unsigned int datalen = tcplen - tcph->doff * 4;
+ struct tcphdr _tcph, *tcph;
+ const char *data;
+ unsigned int dataoff, datalen;
int dir = CTINFO2DIR(ctinfo);
- struct ip_conntrack_expect expect, *exp = &expect;
- struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info;
-
+ struct ip_conntrack_expect *exp;
+ struct ip_ct_mms_expect *exp_mms_info;
+
u_int32_t mms_ip;
u_int16_t mms_proto;
char mms_proto_string[8];
u_int16_t mms_port;
char *mms_string_b, *mms_string_e, *mms_padding_e;
-
+
/* Until there's been traffic both ways, don't look in packets. */
if (ctinfo != IP_CT_ESTABLISHED
&& ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
@@ -166,34 +166,42 @@
return NF_ACCEPT;
}
- /* Not whole TCP header? */
- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) {
- DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen);
+ tcph = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_tcph),
+ &tcph);
+ if (!tcph) {
+ DEBUGP("ip_conntrack_mms: skb_header_pointer() == NULL\n");
return NF_ACCEPT;
}
- /* Checksum invalid? Ignore. */
- /* FIXME: Source route IP option packets --RR */
- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
- csum_partial((char *)tcph, tcplen, 0))) {
- DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
- tcph, tcplen, NIPQUAD(iph->saddr),
- NIPQUAD(iph->daddr));
+ dataoff = skb->nh.iph->ihl*4 + tcph->doff*4;
+ /* No data? */
+ if (dataoff >= skb->len) {
+ DEBUGP("ip_conntrack_mms: skblen = %u\n", skb->len);
return NF_ACCEPT;
}
-
- /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */
- /* FIXME: There is an issue with only looking at this packet: before this packet,
- the client has already sent a packet to the server with the server's hostname
- according to the client (think of it as the "Host: " header in HTTP/1.1). The
- server will break the connection if this doesn't correspond to its own host
- header. The client can also connect to an IP address; if it's the server's IP
- address, it will not break the connection. When doing DNAT on a connection
- where the client uses a server's IP address, the nat module should detect
- this and change this string accordingly to the DNATed address. This should
- probably be done by checking for an IP address, then storing it as a member
- of struct ip_ct_mms_expect and checking for it in ip_nat_mms...
- */
+ datalen = skb->len - dataoff;
+
+ LOCK_BH(&ip_mms_lock);
+ data = skb_header_pointer(skb, dataoff, skb->len - dataoff,
+ mms_buffer);
+ BUG_ON(data == NULL);
+
+ /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP
+ * payload */
+
+ /* FIXME: There is an issue with only looking at this packet: before
+ * this packet, the client has already sent a packet to the server with
+ * the server's hostname according to the client (think of it as the
+ * "Host: " header in HTTP/1.1). The server will break the connection
+ * if this doesn't correspond to its own host header. The client can
+ * also connect to an IP address; if it's the server's IP address, it
+ * will not break the connection. When doing DNAT on a connection where
+ * the client uses a server's IP address, the nat module should detect
+ * this and change this string accordingly to the DNATed address. This
+ * should probably be done by checking for an IP address, then storing
+ * it as a member of struct ip_ct_mms_expect and checking for it in
+ * ip_nat_mms...
+ */
if( (MMS_SRV_MSG_OFFSET < datalen) &&
((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) {
DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n",
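Review bot: The TCP-header lookup passes `&tcph`, the address of the pointer variable, as the copy buffer instead of the `_tcph` local declared for that purpose, so on a non-linear skb skb_header_pointer() writes sizeof(_tcph) bytes over a pointer-sized stack slot. It should read `tcph = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_tcph), &_tcph);`. With data now pointing into mms_buffer, the unchanged guard `MMS_SRV_MSG_OFFSET < datalen` still permits the 4-byte read at data+MMS_SRV_MSG_OFFSET to extend past datalen when one to three payload bytes follow the offset, in which case it compares bytes left over from an earlier packet; `MMS_SRV_MSG_OFFSET + sizeof(u32) <= datalen` would close that. help() starts in the previous hunk and continues past this one.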
@@ -204,24 +212,32 @@
&mms_string_b, &mms_string_e, &mms_padding_e))
if(net_ratelimit())
/* FIXME: more verbose debugging ? */
- printk(KERN_WARNING
- "ip_conntrack_mms: Unable to parse data payload\n");
+ printk(KERN_WARNING "ip_conntrack_mms: "
+ "Unable to parse data payload\n");
- memset(&expect, 0, sizeof(expect));
+ exp = ip_conntrack_expect_alloc();
+ if (!exp) {
+ printk(KERN_WARNING
+ "ip_conntrack_mms: Unable to alloc expect\n");
+ UNLOCK_BH(&ip_mms_lock);
+ return NF_ACCEPT;
+ }
+ exp_mms_info = &exp->help.exp_mms_info;
sprintf(mms_proto_string, "(%u)", mms_proto);
- DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n",
+ DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u "
+ "-> %u.%u.%u.%u:%u\n",
mms_proto == IPPROTO_TCP ? "TCP"
: mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string,
NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
NIPQUAD(mms_ip),
mms_port);
- /* it's possible that the client will just ask the server to tunnel
- the stream over the same TCP session (from port 1755): there's
- shouldn't be a need to add an expectation in that case, but it
- makes NAT packet mangling so much easier */
- LOCK_BH(&ip_mms_lock);
+ /* it's possible that the client will just ask the server to
+ * tunnel the stream over the same TCP session (from port
+ * 1755): there's shouldn't be a need to add an expectation in
+ * that case, but it makes NAT packet mangling so much easier
+ * */
DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq);
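Review bot: `exp = ip_conntrack_expect_alloc();` is reached even when the parse call whose argument list ends on the first line of this hunk has failed, because the `if (net_ratelimit()) printk(...)` on the failure branch does not leave the function; mms_ip and mms_port, declared without initializers earlier in help(), then populate an expectation that gets registered. The failure branch should release the lock and stop, e.g. `{ if (net_ratelimit()) printk(...); UNLOCK_BH(&ip_mms_lock); return NF_ACCEPT; }`, which also means the new alloc-failure path and this one leave the function in the same state. help() starts and ends outside this hunk.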
@@ -230,8 +246,9 @@
exp_mms_info->padding = (mms_padding_e - mms_string_e);
exp_mms_info->port = mms_port;
- DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n",
- exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding);
+ DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, "
+ "padding=%u\n", exp->seq, (mms_string_e - data),
+ exp_mms_info->len, exp_mms_info->padding);
exp->tuple = ((struct ip_conntrack_tuple)
{ { ct->tuplehash[!dir].tuple.src.ip, { 0 } },
@@ -243,9 +260,11 @@
{ { 0xFFFFFFFF, { 0 } },
{ 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }});
exp->expectfn = NULL;
- ip_conntrack_expect_related(ct, &expect);
- UNLOCK_BH(&ip_mms_lock);
+ if (ip_conntrack_expect_related(exp, ct))
+ printk(KERN_WARNING "ip_conntrack_mms: "
+ "error during expect_related()\n");
}
+ UNLOCK_BH(&ip_mms_lock);
return NF_ACCEPT;
}
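Review bot: When `ip_conntrack_expect_related(exp, ct)` returns non-zero, the expectation obtained from ip_conntrack_expect_alloc() in the earlier hunk is only reported and never released, so every rejected expectation leaks. The failure branch should hand it back with the release call the target kernel pairs with ip_conntrack_expect_alloc() — ip_conntrack_expect_free() in kernels of this vintage, if present — e.g. `if (ip_conntrack_expect_related(exp, ct)) { printk(KERN_WARNING "ip_conntrack_mms: error during expect_related()\n"); ip_conntrack_expect_free(exp); }`. Moving UNLOCK_BH after the closing brace does cover the whole parse-and-register path, which is right; the two early returns before LOCK_BH do not need it.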
@@ -304,5 +323,7 @@
return 0;
}
+PROVIDES_CONNTRACK(mms);
+
module_init(init);
module_exit(fini);
Modified: trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_nat_mms.c
===================================================================
--- trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_nat_mms.c 2005-04-09 10:19:52 UTC (rev 3831)
+++ trunk/patch-o-matic-ng/mms-conntrack-nat/linux-2.6/net/ipv4/netfilter/ip_nat_mms.c 2005-04-09 10:53:36 UTC (rev 3832)
@@ -2,7 +2,7 @@
* (C) 2002 by Filip Sneppe <filip.sneppe at cronos.be>
* based on ip_nat_ftp.c and ip_nat_irc.c
*
- * ip_nat_mms.c v0.3 2002-09-22
+ * ip_nat_mms.c v1.3 2005-04-09
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -60,19 +60,12 @@
#define MAX_PORTS 8
static int ports[MAX_PORTS];
static int ports_c = 0;
+module_param_array(ports, int, ports_c, 0400);
-#ifdef MODULE_PARM
-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
-#endif
-
MODULE_AUTHOR("Filip Sneppe <filip.sneppe at cronos.be>");
MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) NAT module");
MODULE_LICENSE("GPL");
-DECLARE_LOCK_EXTERN(ip_mms_lock);
-
-/* FIXME: Time out? --RR */
-
static int mms_data_fixup(const struct ip_ct_mms_expect *ct_mms_info,
struct ip_conntrack *ct,
struct sk_buff **pskb,
@@ -97,8 +90,6 @@
char unicode_buffer[75]; /* 27*2 (unicode) + 20 + 1 */
char proto_string[6];
- MUST_BE_LOCKED(&ip_mms_lock);
-
/* what was the protocol again ? */
mms_proto = expect->tuple.dst.protonum;
sprintf(proto_string, "%u", mms_proto);
@@ -262,13 +253,11 @@
ntohl(tcph->seq),
ntohl(tcph->seq) + datalen);
- LOCK_BH(&ip_mms_lock);
/* Check wether the whole IP/proto/port pattern is carried in the payload */
if (between(exp->seq + ct_mms_info->len,
ntohl(tcph->seq),
ntohl(tcph->seq) + datalen)) {
if (!mms_data_fixup(ct_mms_info, ct, pskb, ctinfo, exp)) {
- UNLOCK_BH(&ip_mms_lock);
return NF_DROP;
}
} else {
@@ -280,10 +269,8 @@
ntohl(tcph->seq),
ntohl(tcph->seq) + datalen);
}
- UNLOCK_BH(&ip_mms_lock);
return NF_DROP;
}
- UNLOCK_BH(&ip_mms_lock);
return NF_ACCEPT;
}
@@ -346,5 +333,7 @@
return ret;
}
+NEEDS_CONNTRACK(mms);
+
module_init(init);
module_exit(fini);