[netfilter-cvslog] r3836 - in
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11:
include/linux/netfilter_ipv4 net/ipv4/netfilter
laforge at netfilter.org
laforge at netfilter.org
Sun Apr 10 14:28:42 CEST 2005
Author: laforge at netfilter.org
Date: 2005-04-10 14:28:41 +0200 (Sun, 10 Apr 2005)
New Revision: 3836
Added:
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd_2
Removed:
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3
Modified:
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_talk.h
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c
Log:
first compiling version for 2.6.11 (still incomplete nat expectfn)
Deleted: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3 2005-04-10 11:00:28 UTC (rev 3835)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3 2005-04-10 12:28:41 UTC (rev 3836)
@@ -1,2 +0,0 @@
- /* insert conntrack helper private data (expect) here */
- struct ip_ct_talk_expect exp_talk_info;
Modified: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_talk.h
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_talk.h 2005-04-10 11:00:28 UTC (rev 3835)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_talk.h 2005-04-10 12:28:41 UTC (rev 3836)
@@ -137,16 +137,24 @@
#define SELECTIVE_REFUSAL 11 /* User Filter refusal. */
#define MAX_RESPONSE_TYPE 11 /* Make sure this is updated */
-/* We don't really need much for talk */
-struct ip_ct_talk_expect
-{
- /* Port that was to be used */
- u_int16_t port;
-};
-
/* This structure exists only once per master */
struct ip_ct_talk_master
{
};
+struct ip_conntrack;
+struct ip_conntrack_expect;
+
+extern unsigned int (*ip_nat_talk_resp_hook)(struct sk_buff **pskb,
+ struct ip_conntrack_expect *exp,
+ u_char type,
+ u_char answer,
+ struct talk_addr *addr);
+
+extern unsigned int (*ip_nat_talk_msg_hook)(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
+ u_char type,
+ struct talk_addr *addr,
+ struct talk_addr *ctl_addr);
+
#endif /* _IP_CONNTRACK_TALK_H */
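Review bot: The two new hook declarations carry no comment about the ownership contract they impose, which matters here because the conntrack caller (ip_conntrack_talk.c in this same commit) only calls `ip_conntrack_expect_related()`/`ip_conntrack_expect_free()` itself when the hook is NULL, so a hook implementation must register or free `exp` on every path. Suggest above `ip_nat_talk_resp_hook`: `/* Set by ip_nat_talk at load, cleared at unload. Takes ownership of exp: must call ip_conntrack_expect_related() or ip_conntrack_expect_free() before returning. */`, and above `ip_nat_talk_msg_hook`: `/* NULL unless ip_nat_talk is loaded; callers must test before use. */`. A minor consistency point: `struct ip_conntrack` and `struct ip_conntrack_expect` get forward declarations but `struct sk_buff`, used in both prototypes, does not; presumably it arrives through an earlier include, but a `struct sk_buff;` line next to the other two would make the header self-contained.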
Modified: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd 2005-04-10 11:00:28 UTC (rev 3835)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd 2005-04-10 12:28:41 UTC (rev 3836)
@@ -1,9 +1,2 @@
-obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
-
-# talk protocol support
+# connection tracking helpers
obj-$(CONFIG_IP_NF_TALK) += ip_conntrack_talk.o
-ifdef CONFIG_IP_NF_TALK
- export-objs += ip_conntrack_talk.o
-endif
-obj-$(CONFIG_IP_NF_NAT_TALK) += ip_nat_talk.o
-
Added: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd_2
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd_2 2005-04-10 11:00:28 UTC (rev 3835)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd_2 2005-04-10 12:28:41 UTC (rev 3836)
@@ -0,0 +1,2 @@
+# NAT helpers
+obj-$(CONFIG_IP_NF_NAT_TALK) += ip_nat_talk.o
Modified: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c 2005-04-10 11:00:28 UTC (rev 3835)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c 2005-04-10 12:28:41 UTC (rev 3836)
@@ -75,29 +75,38 @@
MODULE_PARM_DESC(ntalk, "support ntalk protocol");
module_param(ntalk2, int, 0400);
MODULE_PARM_DESC(ntalk2, "support ntalk2 protocol");
-#endif
static char talk_buffer[65536];
static DECLARE_LOCK(talk_buffer_lock);
-unsigned int (*ip_nat_talk_hook)(struct sk_buff **pskb,
- enum ip_conntrack_info ctinfo,
- unsigned int matchoff,
- unsigned int matchlen,
- struct ip_conntrack_expect *exp,
- u32 *seq);
-EXPORT_SYMBOL_GPL(ip_nat_talk_hook);
+unsigned int (*ip_nat_talk_resp_hook)(struct sk_buff **pskb,
+ struct ip_conntrack_expect *exp,
+ u_char type,
+ u_char answer,
+ struct talk_addr *addr);
+EXPORT_SYMBOL_GPL(ip_nat_talk_resp_hook);
+unsigned int (*ip_nat_talk_msg_hook)(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
+ u_char type,
+ struct talk_addr *addr,
+ struct talk_addr *ctl_addr);
+EXPORT_SYMBOL_GPL(ip_nat_talk_msg_hook);
+
#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif
-static int talk_expect(struct ip_conntrack *ct);
-static int ntalk_expect(struct ip_conntrack *ct);
+static void talk_expect(struct ip_conntrack *ct,
+ struct ip_conntrack_expect *exp);
+static void ntalk_expect(struct ip_conntrack *ct,
+ struct ip_conntrack_expect *exp);
-static int (*talk_expectfn[2])(struct ip_conntrack *ct) = {talk_expect, ntalk_expect};
+static void (*talk_expectfn[2])(struct ip_conntrack *ct,
+ struct ip_conntrack_expect *exp) =
+ {talk_expect, ntalk_expect};
static int talk_help_response(struct sk_buff **pskb,
struct ip_conntrack *ct,
@@ -108,9 +117,10 @@
u_char answer,
struct talk_addr *addr)
{
+ int ret;
int dir = CTINFO2DIR(ctinfo);
struct ip_conntrack_expect *exp;
- struct ip_ct_talk_expect *exp_talk_info = &exp->help.exp_talk_info;
+ u_int16_t exp_talk_port;
DEBUGP("ip_ct_talk_help_response: %u.%u.%u.%u:%u, type %d answer %d\n",
NIPQUAD(addr->ta_addr), ntohs(addr->ta_port),
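Review bot: The new local `exp_talk_port` is a dead store: it is assigned in the ANNOUNCE hunk (`exp_talk_port = htons(talk_port);`) and the LOOK_UP hunk (`exp_talk_port = addr->ta_port;`) but never read anywhere in the new code, since the NAT side now takes the port from `exp->tuple.dst.u.*.port` instead of the removed `exp->help.exp_talk_info`. Drop the `u_int16_t exp_talk_port;` declaration and both assignments; `-Wunused-but-set-variable` would flag it and a reader otherwise looks for a consumer that does not exist. The added `int ret;` looks like the intended compile fix and is fine. talk_help_response starts before this hunk and its body continues past it.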
@@ -129,14 +139,14 @@
DEBUGP("ip_ct_talk_help_response: ANNOUNCE\n");
/* update the talk info */
- exp_talk_info->port = htons(talk_port);
+ exp_talk_port = htons(talk_port);
/* expect callee client -> caller server message */
exp->tuple = ((struct ip_conntrack_tuple)
{ { ct->tuplehash[dir].tuple.src.ip,
{ 0 } },
{ ct->tuplehash[dir].tuple.dst.ip,
- { .tcp = { htons(talk_port) } },
+ { .udp = { htons(talk_port) } },
IPPROTO_UDP }});
exp->mask = ((struct ip_conntrack_tuple)
{ { 0xFFFFFFFF, { 0 } },
@@ -152,10 +162,9 @@
NIPQUAD(exp->tuple.dst.ip),
ntohs(exp->tuple.dst.u.udp.port));
- if (ip_nat_talk_hook)
- ret = ip_nat_talk_hook(pskb, ctinfo,
- ...
- exp);
+ if (ip_nat_talk_resp_hook)
+ ret = ip_nat_talk_resp_hook(pskb, exp, type, answer,
+ addr);
else if (ip_conntrack_expect_related(exp) != 0) {
ip_conntrack_expect_free(exp);
ret = NF_DROP;
@@ -165,7 +174,7 @@
DEBUGP("ip_ct_talk_help_response: LOOK_UP\n");
/* update the talk info */
- exp_talk_info->port = addr->ta_port;
+ exp_talk_port = addr->ta_port;
/* expect callee client -> caller client connection */
exp->tuple = ((struct ip_conntrack_tuple)
@@ -187,10 +196,9 @@
NIPQUAD(exp->tuple.dst.ip),
ntohs(exp->tuple.dst.u.tcp.port));
- if (ip_nat_talk_hook)
- ret = ip_nat_talk_hook(pskb, ctinfo,
- ...
- exp);
+ if (ip_nat_talk_resp_hook)
+ ret = ip_nat_talk_resp_hook(pskb, exp, type, answer,
+ addr);
else if (ip_conntrack_expect_related(exp) != 0) {
ip_conntrack_expect_free(exp);
ret = NF_DROP;
@@ -225,9 +233,6 @@
return NF_ACCEPT;
}
- if (dir == IP_CT_DIR_ORIGINAL)
- return NF_ACCEPT;
-
/* Not whole UDP header? */
uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
sizeof(_udph), &_udph);
@@ -236,20 +241,8 @@
return NF_ACCEPT;
}
-#if 0
- /* Checksum invalid? Ignore. */
- /* FIXME: Source route IP option packets --RR */
- if (csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP,
- csum_partial((char *)udph, udplen, 0))) {
- DEBUGP("ip_ct_talk_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
- udph, udplen, NIPQUAD(iph->saddr),
- NIPQUAD(iph->daddr));
- return NF_ACCEPT;
- }
-#endif
-
- udplen = (*pskb)->len - (*pskb)->nh.iph.ihl*4;
- dataoff = (*pskb)->nh.iph.ihl*4 + sizeof(_udph);
+ udplen = (*pskb)->len - (*pskb)->nh.iph->ihl*4;
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(_udph);
if (dataoff >= (*pskb)->len)
return NF_ACCEPT;
@@ -263,6 +256,38 @@
DEBUGP("ip_ct_talk_help: %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
NIPQUAD(iph->saddr), ntohs(udph->source), NIPQUAD(iph->daddr), ntohs(udph->dest));
+ if (dir == IP_CT_DIR_ORIGINAL && ip_nat_talk_msg_hook) {
+ if (talk_port == TALK_PORT) {
+ if (udplen == sizeof(struct udphdr) +
+ sizeof(struct talk_msg)) {
+ struct talk_msg *tm = (struct talk_msg *)data;
+ return ip_nat_talk_msg_hook(pskb, ct, tm->type,
+ &tm->addr, &tm->ctl_addr);
+ }
+ } else {
+ if (ntalk &&
+ udplen == sizeof(struct udphdr) +
+ sizeof(struct ntalk_msg) &&
+ ((struct ntalk_msg *)data)->vers == NTALK_VERSION){
+ struct ntalk_msg *tm = (struct ntalk_msg *)data;
+ return ip_nat_talk_msg_hook(pskb, ct, tm->type,
+ &tm->addr, &tm->ctl_addr);
+ } else if (ntalk2 &&
+ udplen >= sizeof(struct udphdr) +
+ sizeof(struct ntalk2_msg) &&
+ ((struct ntalk2_msg *)data)->vers == NTALK2_VERSION &&
+ udplen == sizeof(struct udphdr)
+ + sizeof(struct ntalk2_msg)
+ + ((struct ntalk2_msg *)data)->extended) {
+ struct ntalk2_msg *tm = (struct ntalk2_msg *)data;
+ return ip_nat_talk_msg_hook(pskb, ct, tm->type,
+ &tm->addr, &tm->ctl_addr);
+ }
+ }
+ return NF_ACCEPT;
+ }
+
+ /* only DIR_REPLY */
if (talk_port == TALK_PORT
&& udplen == sizeof(struct udphdr) + sizeof(struct talk_response))
ret = talk_help_response(pskb, ct, ctinfo, talk_port, mode,
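Review bot: An original-direction packet is no longer rejected when the NAT module is not loaded: the earlier hunk deletes the unconditional `if (dir == IP_CT_DIR_ORIGINAL) return NF_ACCEPT;`, and the new block here only returns for `dir == IP_CT_DIR_ORIGINAL` when `ip_nat_talk_msg_hook` is set, so with the hook NULL a client-to-server message falls through to the code under `/* only DIR_REPLY */` and is parsed as a response, which can end in talk_help_response creating an expectation from message bytes. Keep the direction check independent of the hook, e.g. replace the condition with `if (dir == IP_CT_DIR_ORIGINAL) {` and insert `if (!ip_nat_talk_msg_hook) return NF_ACCEPT;` as its first statement, so the comment on the response path becomes true again. The length-and-version checks guarding each cast of `data` look correct as written. talk_help's body continues beyond this hunk.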
@@ -304,13 +329,12 @@
static int lookup_nhelp(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
- return talk_help(psk, ct, ctinfo, NTALK_PORT, LOOK_UP);
+ return talk_help(pskb, ct, ctinfo, NTALK_PORT, LOOK_UP);
}
static struct ip_conntrack_helper lookup_helpers[2] = {
{
.name = "talk-lookup",
- .module = THIS_MODULE,
.max_expected = 1,
.timeout = 4 * 60,
.tuple = {
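Review bot: Removing `.module = THIS_MODULE` from `lookup_helpers[0]` (and from `lookup_helpers[1]` in the next hunk) fixes the build against the 2.6 `struct ip_conntrack_helper`, but nothing replaces it; in 2.6 the self pointer is the `me` member, and without `.me = THIS_MODULE,` the core has no module to pin while a conntrack points at these helpers. That matters more here than for a helper found by tuple, because talk_expect()/ntalk_expect() later in this file store `&lookup_helpers[n]` into `ct->helper` directly, so an unload while such a conntrack is alive leaves a dangling helper pointer. Suggest adding `.me = THIS_MODULE,` to both initialisers, and the same for `talk_helpers[]` if it is initialised the same way outside this diff.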
@@ -325,7 +349,6 @@
},
{
.name = "ntalk-lookup",
- .module = THIS_MODULE,
.max_expected = 1,
.timeout = 4 * 60,
.tuple = {
@@ -340,36 +363,34 @@
},
};
-static int talk_expect(struct ip_conntrack *ct)
+static void talk_expect(struct ip_conntrack *ct,
+ struct ip_conntrack_expect *exp)
{
DEBUGP("ip_conntrack_talk: calling talk_expectfn for ct %p\n", ct);
WRITE_LOCK(&ip_conntrack_lock);
ct->helper = &lookup_helpers[0];
WRITE_UNLOCK(&ip_conntrack_lock);
-
- return NF_ACCEPT; /* unused */
}
-static int ntalk_expect(struct ip_conntrack *ct)
+static void ntalk_expect(struct ip_conntrack *ct,
+ struct ip_conntrack_expect *exp)
{
DEBUGP("ip_conntrack_talk: calling ntalk_expectfn for ct %p\n", ct);
WRITE_LOCK(&ip_conntrack_lock);
ct->helper = &lookup_helpers[1];
WRITE_UNLOCK(&ip_conntrack_lock);
-
- return NF_ACCEPT; /* unused */
}
static int help(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
- return talk_help(iph, len, ct, ctinfo, TALK_PORT, ANNOUNCE);
+ return talk_help(pskb, ct, ctinfo, TALK_PORT, ANNOUNCE);
}
static int nhelp(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
- return talk_help(iph, len, ct, ctinfo, NTALK_PORT, ANNOUNCE);
+ return talk_help(pskb, ct, ctinfo, NTALK_PORT, ANNOUNCE);
}
static struct ip_conntrack_helper talk_helpers[2] = {
Modified: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c 2005-04-10 11:00:28 UTC (rev 3835)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c 2005-04-10 12:28:41 UTC (rev 3836)
@@ -7,15 +7,7 @@
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
**
- * Module load syntax:
- * insmod ip_nat_talk.o talk=[0|1] ntalk=[0|1] ntalk2=[0|1]
*
- * talk=[0|1] disable|enable old talk support
- * ntalk=[0|1] disable|enable ntalk support
- * ntalk2=[0|1] disable|enable ntalk2 support
- *
- * The default is talk=1 ntalk=1 ntalk2=1
- *
* Modifications:
* 2005-02-13 Harald Welte <laforge at netfilter.org>
* - update to 2.6.x API
@@ -68,7 +60,8 @@
/* response */
if (addr->ta_addr == INADDR_ANY)
return 1;
- DEBUGP("ip_nat_talk_mangle_packet: response orig %u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n",
+ DEBUGP("ip_nat_talk_mangle_packet: response orig "
+ "%u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n",
NIPQUAD(addr->ta_addr), ntohs(addr->ta_port),
NIPQUAD(newip), ntohs(port));
addr->ta_addr = newip;
@@ -76,15 +69,17 @@
} else {
/* message */
if (addr->ta_addr != INADDR_ANY) {
- /* Change address inside packet to match way we're mapping
- this connection. */
- DEBUGP("ip_nat_talk_mangle_packet: message orig addr %u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n",
+ /* Change address inside packet to match way we're
+ * mapping this connection. */
+ DEBUGP("ip_nat_talk_mangle_packet: message orig addr "
+ "%u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n",
NIPQUAD(addr->ta_addr), ntohs(addr->ta_port),
NIPQUAD(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip),
ntohs(addr->ta_port));
addr->ta_addr = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
}
- DEBUGP("ip_nat_talk_mangle_packet: message orig ctl_addr %u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n",
+ DEBUGP("ip_nat_talk_mangle_packet: message orig ctl_addr "
+ "%u.%u.%u.%u:%u, inserting %u.%u.%u.%u:%u\n",
NIPQUAD(ctl_addr->ta_addr), ntohs(ctl_addr->ta_port),
NIPQUAD(newip), ntohs(port));
ctl_addr->ta_addr = newip;
@@ -101,8 +96,8 @@
return 1;
}
-static int talk_help_msg(struct ip_conntrack *ct,
- struct sk_buff **pskb,
+static unsigned int talk_help_msg(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
u_char type,
struct talk_addr *addr,
struct talk_addr *ctl_addr)
@@ -130,34 +125,22 @@
return verdict;
}
-static int talk_help_response(struct ip_conntrack *ct,
+static unsigned int talk_help_response(struct sk_buff **pskb,
struct ip_conntrack_expect *exp,
- struct sk_buff **pskb,
u_char type,
- u_char answer,
+ u_char answer,
struct talk_addr *addr)
{
+ struct ip_conntrack *ct = exp->master;
u_int32_t newip;
- u_int16_t port;
- struct ip_conntrack_tuple t;
- struct ip_ct_talk_expect *ct_talk_info;
+ u_int16_t port, *pport, *tport;
- DEBUGP("ip_nat_talk_help_response: addr: %u.%u.%u.%u:%u, type %d answer %d\n",
- NIPQUAD(addr->ta_addr), ntohs(addr->ta_port),
- type, answer);
+ DEBUGP("ip_nat_talk_help_response: addr: %u.%u.%u.%u:%u, "
+ "type %d answer %d\n", NIPQUAD(addr->ta_addr),
+ ntohs(addr->ta_port), type, answer);
- LOCK_BH(&ip_talk_lock);
- ct_talk_info = &exp->help.exp_talk_info;
-
- if (!(answer == SUCCESS
- && (type == LOOK_UP || type == ANNOUNCE)
- && exp != NULL)) {
- UNLOCK_BH(&ip_talk_lock);
- return NF_ACCEPT;
- }
-
DEBUGP("ip_nat_talk_help_response: talkinfo port %u (%s)\n",
- ntohs(ct_talk_info->port),
+ ntohs(exp->tuple.dst.u.tcp.port),
type == LOOK_UP ? "LOOK_UP" : "ANNOUNCE");
/* Change address inside packet to match way we're mapping
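Review bot: The guard `answer == SUCCESS && (type == LOOK_UP || type == ANNOUNCE) && exp != NULL` is dropped together with the lock, and `ct = exp->master` is now dereferenced unconditionally in the declarations. The visible conntrack call sites only invoke this hook from the ANNOUNCE and LOOK_UP branches with an allocated `exp`, so `type` and `exp` are covered; whether the conntrack side also filters on `answer == SUCCESS` before calling is not shown in this diff, and if it does not, a refused or failed response now still registers an expectation and rewrites the packet. Either document the reliance, `/* caller guarantees answer == SUCCESS and exp != NULL */`, or keep a cheap guard that honours the ownership rule: `if (answer != SUCCESS) { ip_conntrack_expect_free(exp); return NF_ACCEPT; }`. The function continues into the next hunk.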
@@ -167,191 +150,47 @@
/* We can read expect here without conntrack lock, since it's
only set in ip_conntrack_talk , with ip_talk_lock held
writable */
- t = exp->tuple;
- t.dst.ip = newip;
+ if (type == LOOK_UP) {
+ pport = &exp->saved_proto.tcp.port;
+ tport = &exp->tuple.dst.u.tcp.port;
+ } else {
+ pport = &exp->saved_proto.udp.port;
+ tport = &exp->tuple.dst.u.udp.port;
+ }
+ *pport = *tport;
+
+ exp->tuple.dst.ip = newip;
/* Try to get same port: if not, try to change it. */
- for (port = ntohs(ct_talk_info->port); port != 0; port++) {
- if (type == LOOK_UP)
- t.dst.u.tcp.port = htons(port);
- else
- t.dst.u.udp.port = htons(port);
+ for (port = ntohs(*pport); port != 0; port++) {
+ *tport = htons(port);
- if (ip_conntrack_change_expect(exp, &t) == 0) {
- DEBUGP("ip_nat_talk_help_response: using %u.%u.%u.%u:%u\n", NIPQUAD(newip), port);
+ if (ip_conntrack_expect_related(exp) == 0) {
+ DEBUGP("ip_nat_talk_help_response: using "
+ "%u.%u.%u.%u:%u\n", NIPQUAD(newip), port);
break;
}
}
- UNLOCK_BH(&ip_talk_lock);
-
- if (port == 0 || !mangle_packet(pskb, ct, newip, htons(port), addr, NULL))
+ if (port == 0) {
+ ip_conntrack_expect_free(exp);
return NF_DROP;
-
- return NF_ACCEPT;
-}
-
-static unsigned int talk_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb,
- int talk_port)
-{
- struct iphdr *iph = (*pskb)->nh.iph;
- struct udphdr *udph = (void *)iph + iph->ihl * 4;
- unsigned int udplen = (*pskb)->len - iph->ihl * 4;
- char *data = (char *)udph + sizeof(struct udphdr);
- int dir;
-
- /* Only mangle things once: original direction in POST_ROUTING
- and reply direction on PRE_ROUTING. */
- dir = CTINFO2DIR(ctinfo);
- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
- DEBUGP("ip_nat_talk_help: Not touching dir %s at hook %s\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
- return NF_ACCEPT;
}
- DEBUGP("ip_nat_talk_help: dir %s at hook %s, %u.%u.%u.%u:%u->%u.%u.%u.%u:%u, talk port %d\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???",
- NIPQUAD(iph->saddr), ntohs(udph->source),
- NIPQUAD(iph->daddr), ntohs(udph->dest),
- talk_port);
- /* Because conntrack does not drop packets, checking must be repeated here... */
- if (talk_port == TALK_PORT) {
- if (dir == IP_CT_DIR_ORIGINAL
- && udplen == sizeof(struct udphdr) + sizeof(struct talk_msg))
- return talk_help_msg(ct, pskb,
- ((struct talk_msg *)data)->type,
- &(((struct talk_msg *)data)->addr),
- &(((struct talk_msg *)data)->ctl_addr));
- else if (dir == IP_CT_DIR_REPLY
- && udplen == sizeof(struct udphdr) + sizeof(struct talk_response))
- return talk_help_response(ct, exp, pskb,
- ((struct talk_response *)data)->type,
- ((struct talk_response *)data)->answer,
- &(((struct talk_response *)data)->addr));
- else {
- DEBUGP("ip_nat_talk_help: not talk %s, datalen %u != %u\n",
- dir == IP_CT_DIR_ORIGINAL ? "message" : "response",
- (unsigned)udplen - sizeof(struct udphdr),
- dir == IP_CT_DIR_ORIGINAL ? sizeof(struct talk_msg) : sizeof(struct talk_response));
- return NF_DROP;
- }
- } else {
- if (dir == IP_CT_DIR_ORIGINAL) {
- if (ntalk
- && udplen == sizeof(struct udphdr) + sizeof(struct ntalk_msg)
- && ((struct ntalk_msg *)data)->vers == NTALK_VERSION)
- return talk_help_msg(ct, pskb,
- ((struct ntalk_msg *)data)->type,
- &(((struct ntalk_msg *)data)->addr),
- &(((struct ntalk_msg *)data)->ctl_addr));
- else if (ntalk2
- && udplen >= sizeof(struct udphdr) + sizeof(struct ntalk2_msg)
- && ((struct ntalk2_msg *)data)->vers == NTALK2_VERSION
- && udplen == sizeof(struct udphdr)
- + sizeof(struct ntalk2_msg)
- + ((struct ntalk2_msg *)data)->extended)
- return talk_help_msg(ct, pskb,
- ((struct ntalk2_msg *)data)->type,
- &(((struct ntalk2_msg *)data)->addr),
- &(((struct ntalk2_msg *)data)->ctl_addr));
- else {
- DEBUGP("ip_nat_talk_help: not ntalk/ntalk2 message, datalen %u != %u or %u + max 256\n",
- (unsigned)udplen - sizeof(struct udphdr),
- sizeof(struct ntalk_msg), sizeof(struct ntalk2_msg));
- return NF_DROP;
- }
- } else {
- if (ntalk
- && udplen == sizeof(struct udphdr) + sizeof(struct ntalk_response)
- && ((struct ntalk_response *)data)->vers == NTALK_VERSION)
- return talk_help_response(ct, exp, pskb,
- ((struct ntalk_response *)data)->type,
- ((struct ntalk_response *)data)->answer,
- &(((struct ntalk_response *)data)->addr));
- else if (ntalk2
- && udplen >= sizeof(struct udphdr) + sizeof(struct ntalk2_response)
- && ((struct ntalk2_response *)data)->vers == NTALK2_VERSION)
- return talk_help_response(ct, exp, pskb,
- ((struct ntalk2_response *)data)->type,
- ((struct ntalk2_response *)data)->answer,
- &(((struct ntalk2_response *)data)->addr));
- else {
- DEBUGP("ip_nat_talk_help: not ntalk/ntalk2 response, datalen %u != %u or %u + max 256\n",
- (unsigned)udplen - sizeof(struct udphdr),
- sizeof(struct ntalk_response), sizeof(struct ntalk2_response));
- return NF_DROP;
- }
- }
+ if (!mangle_packet(pskb, ct, newip, htons(port), addr, NULL)) {
+ ip_conntrack_unexpect_related(exp);
+ return NF_DROP;
}
+ return NF_ACCEPT;
}
-static unsigned int help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb)
-{
- return talk_help(ct, exp, info, ctinfo, hooknum, pskb, TALK_PORT);
-}
-
-static unsigned int nhelp(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb)
-{
- return talk_help(ct, exp, info, ctinfo, hooknum, pskb, NTALK_PORT);
-}
-
+#if 0
static unsigned int
talk_nat_expected(struct sk_buff **pskb,
unsigned int hooknum,
struct ip_conntrack *ct,
- struct ip_nat_info *info);
-
-static struct ip_nat_helper talk_helpers[2] =
- { { { NULL, NULL },
- "talk", /* name */
- IP_NAT_HELPER_F_ALWAYS, /* flags */
- THIS_MODULE, /* module */
- { { 0, { .udp = { __constant_htons(TALK_PORT) } } }, /* tuple */
- { 0, { 0 }, IPPROTO_UDP } },
- { { 0, { .udp = { 0xFFFF } } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- help, /* helper */
- talk_nat_expected }, /* expectfn */
- { { NULL, NULL },
- "ntalk", /* name */
- IP_NAT_HELPER_F_ALWAYS, /* flags */
- THIS_MODULE, /* module */
- { { 0, { .udp = { __constant_htons(NTALK_PORT) } } }, /* tuple */
- { 0, { 0 }, IPPROTO_UDP } },
- { { 0, { .udp = { 0xFFFF } } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- nhelp, /* helper */
- talk_nat_expected } /* expectfn */
- };
-
-static unsigned int
-talk_nat_expected(struct sk_buff **pskb,
- unsigned int hooknum,
- struct ip_conntrack *ct,
struct ip_nat_info *info)
{
- struct ip_nat_multi_range mr;
+ struct ip_nat_range range;
u_int32_t newdstip, newsrcip, newip;
u_int16_t port;
unsigned int ret;
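Review bot: The context comment at the top of this hunk, "We can read expect here without conntrack lock, since it's only set in ip_conntrack_talk, with ip_talk_lock held writable", is now stale: this hunk removes every `LOCK_BH(&ip_talk_lock)`/`UNLOCK_BH` in the function and the conntrack side in this commit declares only `talk_buffer_lock`. The actual reason the lock-free access is safe appears to be that `exp` is private to this call until `ip_conntrack_expect_related()` succeeds, so suggest rewording it to `/* exp is not yet registered, so it is private to this call until ip_conntrack_expect_related() succeeds */` and hedging if that is not the intended invariant. The `saved_proto`/`tuple` port selection loop and the `port == 0` / failed-mangle cleanup paths look consistent with the ownership rule the conntrack caller relies on. The `#if 0` opened near the end of this hunk is closed by the `#endif` in the last hunk, which leaves talk_nat_expected compiled out, as the log already notes.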
@@ -412,20 +251,19 @@
DEBUGP("ip_nat_talk_expected: IP to %u.%u.%u.%u, port %u\n", NIPQUAD(newip), ntohs(port));
- mr.rangesize = 1;
/* We don't want to manip the per-protocol, just the IPs... */
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
- mr.range[0].min_ip = mr.range[0].max_ip = newip;
+ range.flags = IP_NAT_RANGE_MAP_IPS;
+ range.min_ip = range.max_ip = newip;
/* ... unless we're doing a MANIP_DST, in which case, make
sure we map to the correct port */
if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
- mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
- mr.range[0].min = mr.range[0].max
+ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ range.min = range.max
= ((union ip_conntrack_manip_proto)
{ .udp = { port } });
}
- ret = ip_nat_setup_info(ct, &mr, hooknum);
+ ret = ip_nat_setup_info(ct, &range, hooknum);
if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == IPPROTO_UDP) {
DEBUGP("talk_expected: setting NAT helper for %p\n", ct);
@@ -434,17 +272,21 @@
}
return ret;
}
+#endif
static int __init init(void)
{
- BUG_ON(ip_nat_talk_hook);
- ip_nat_talk_hook = &talk_help;
+ BUG_ON(ip_nat_talk_msg_hook);
+ BUG_ON(ip_nat_talk_resp_hook);
+ ip_nat_talk_msg_hook = &talk_help_msg;
+ ip_nat_talk_resp_hook = &talk_help_response;
return 0;
}
static void __exit fini(void)
{
- ip_nat_talk_hook = NULL;
+ ip_nat_talk_resp_hook = NULL;
+ ip_nat_talk_msg_hook = NULL;
/* Make sure noone calls it, meanwhile */
synchronize_net();
}