[netfilter-cvslog] r3997 - in trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11: include/linux/netfilter_ipv4 net/ipv4/netfilter

laforge at netfilter.org laforge at netfilter.org
Fri Jun 24 18:32:30 CEST 2005


Author: laforge at netfilter.org
Date: 2005-06-24 18:32:29 +0200 (Fri, 24 Jun 2005)
New Revision: 3997

Removed:
   trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7
Modified:
   trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
   trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c
Log:
more work on post-2.6.11 code


Deleted: trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7
===================================================================
--- trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7	2005-06-24 16:28:49 UTC (rev 3996)
+++ trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7	2005-06-24 16:32:29 UTC (rev 3997)
@@ -1,2 +0,0 @@
-	/* insert expect proto private data here */
-	struct ip_ct_gre_expect gre;

Modified: trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
===================================================================
--- trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h	2005-06-24 16:28:49 UTC (rev 3996)
+++ trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h	2005-06-24 16:32:29 UTC (rev 3997)
@@ -69,10 +69,9 @@
 struct ip_ct_gre {
 	unsigned int stream_timeout;
 	unsigned int timeout;
-};
 
-/* this is part of ip_conntrack_expect */
-struct ip_ct_gre_expect {
+	/* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
+	 * and therefore imposes a fixed limit on the number of maps */
 	struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
 };
 
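Review bot: The new comment says keymap_orig/keymap_reply are now per-conntrack but not which conntrack owns them, and the placement looks wrong: struct ip_ct_gre is GRE's per-protocol private state (it sits next to the GRE timeouts), so the pointers exist only on a conntrack whose L4 protocol is GRE, yet the ip_nat_pptp.c hunk of this same commit reads them as `ct->proto.gre.keymap_orig` on the TCP control connection's ct, the very ct it hands to ip_nat_mangle_tcp_packet(). If ct->proto is the per-protocol union I expect it to be, that access reinterprets TCP tracking state as a pointer; the keymaps probably belong in the PPTP master's helper-private data instead. Whatever the final placement, ownership should be stated next to the fields, e.g. `/* owned by this conntrack; released by ip_ct_gre_keymap_destroy() */`, assuming the destroy prototype below is indeed the release path.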
@@ -88,7 +87,7 @@
 
 
 /* add new tuple->key_reply pair to keymap */
-int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
+int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
 			 struct ip_conntrack_tuple *t,
 			 int reply);
 
@@ -97,7 +96,7 @@
 			     struct ip_conntrack_tuple *t);
 
 /* delete keymap entries */
-void ip_ct_gre_keymap_destroy(struct ip_conntrack_expect *exp);
+void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
 
 
 /* get pointer to gre key, if present */

Modified: trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c
===================================================================
--- trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c	2005-06-24 16:28:49 UTC (rev 3996)
+++ trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c	2005-06-24 16:32:29 UTC (rev 3997)
@@ -1,5 +1,5 @@
 /*
- * ip_nat_pptp.c	- Version 2.0
+ * ip_nat_pptp.c	- Version 3.0
  *
  * NAT support for PPTP (Point to Point Tunneling Protocol).
  * PPTP is a a protocol for creating virtual private networks.
@@ -9,13 +9,11 @@
  * GRE is defined in RFC 1701 and RFC 1702.  Documentation of
  * PPTP can be found in RFC 2637
  *
- * (C) 2000-2004 by Harald Welte <laforge at gnumonks.org>
+ * (C) 2000-2005 by Harald Welte <laforge at gnumonks.org>
  *
  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  *
- * TODO: - Support for multiple calls within one session
- * 	   (needs netfilter newnat code)
- * 	 - NAT to a unique tuple, not to TCP source port
+ * TODO: - NAT to a unique tuple, not to TCP source port
  * 	   (needs netfilter tuple reservation)
  *
  * Changes:
@@ -31,6 +29,8 @@
  *	   TCP header is mangled (Philip Craig <philipc at snapgear.com>)
  *     2004-10-22 - Version 2.0
  *       - kernel 2.6.x version
+ *     2005-06-10 - Version 3.0
+ *       - kernel >= 2.6.11 version
  * 
  */
 
@@ -39,6 +39,7 @@
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/tcp.h>
+
 #include <linux/netfilter_ipv4/ip_nat.h>
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #include <linux/netfilter_ipv4/ip_nat_helper.h>
@@ -47,7 +48,7 @@
 #include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
 #include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
 
-#define IP_NAT_PPTP_VERSION "2.0"
+#define IP_NAT_PPTP_VERSION "3.0"
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge at gnumonks.org>");
@@ -62,18 +63,17 @@
 #define DEBUGP(format, args...)
 #endif
 
-static unsigned int
+static void
 pptp_nat_expected(struct sk_buff **pskb,
 		  unsigned int hooknum,
 		  struct ip_conntrack *ct,
 		  struct ip_nat_info *info)
 {
 	struct ip_conntrack *master = master_ct(ct);
-	struct ip_nat_multi_range mr;
+	struct ip_nat_range range;
 	struct ip_ct_pptp_master *ct_pptp_info;
 	struct ip_nat_pptp *nat_pptp_info;
 	u_int32_t newip, newcid;
-	int ret;
 
 	IP_NF_ASSERT(info);
 	IP_NF_ASSERT(master);
@@ -122,20 +122,16 @@
 		}
 	}
 
-	mr.rangesize = 1;
-	mr.range[0].flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
-	mr.range[0].min_ip = mr.range[0].max_ip = newip;
-	mr.range[0].min = mr.range[0].max = 
+	range.flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
+	range.min_ip = range.max_ip = newip;
+	range.min = range.max = 
 		((union ip_conntrack_manip_proto ) { newcid }); 
 	DEBUGP("change ip to %u.%u.%u.%u\n", 
 		NIPQUAD(newip));
 	DEBUGP("change key to 0x%x\n", ntohl(newcid));
-	ret = ip_nat_setup_info(ct, &mr, hooknum);
+	ip_nat_setup_info(ct, &range, hooknum);
 
 	UNLOCK_BH(&ip_pptp_lock);
-
-	return ret;
-
 }
 
 /* outbound packets == from PNS to PAC */
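Review bot: The result of `ip_nat_setup_info(ct, &range, hooknum);` is now discarded; the previous code returned it as the verdict, and since pptp_nat_expected() became void a failed mapping leaves the expected GRE conntrack un-NATed with nothing in the logs. At minimum record it: `if (ip_nat_setup_info(ct, &range, hooknum) != NF_ACCEPT) DEBUGP("ip_nat_setup_info failed\n");` (assuming it still returns a verdict). The function's head, including the lock acquisition, is in the previous hunk and the lines between the two hunks are not visible here.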
@@ -205,17 +201,20 @@
 			return NF_ACCEPT;
 	}
 
+	/* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
+	 * down to here */
+
 	IP_NF_ASSERT(cid);
 
 	DEBUGP("altering call id from 0x%04x to 0x%04x\n",
 		ntohs(*cid), ntohs(new_callid));
 
 	/* mangle packet */
-	ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, (void *)cid - (void *)pptph,
-				 sizeof(new_callid), (char *)&new_callid,
-				 sizeof(new_callid));
-
-	return NF_ACCEPT;
+	return ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+					(void *)cid - (void *)pptph,
+				 	sizeof(new_callid), 
+					(char *)&new_callid,
+				 	sizeof(new_callid));
 }
 
 /* inbound packets == from PAC to PNS */
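Review bot: `return ip_nat_mangle_tcp_packet(...)` hands the helper's result back as a netfilter verdict, but ip_nat_mangle_tcp_packet() in the 2.6 NAT core reports 1 on success and 0 on failure, not NF_ACCEPT/NF_DROP; this only works because NF_ACCEPT happens to be 1 and NF_DROP 0. The inbound hunk further down has the same conflation at both `if (rv != NF_ACCEPT) return rv;` checks. Spell the mapping out: `if (!ip_nat_mangle_tcp_packet(...)) return NF_DROP; return NF_ACCEPT;` here, and `if (!rv) return NF_DROP;` for the two inbound copies. pptp_outbound_pkt's head is above this hunk.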
@@ -240,6 +239,7 @@
 
 	struct ip_conntrack_tuple t, inv_t;
 	struct ip_conntrack_tuple *orig_t, *reply_t;
+	int ret = NF_ACCEPT, rv;
 
 	/* FIXME: size checks !!! */
 	ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
@@ -283,16 +283,18 @@
 			inv_t.dst.u.gre.key = htonl(ct_pptp_info->pac_call_id);
 		}
 
-		if (!ip_conntrack_change_expect(oldexp, &t)) {
+		if (!ip_conntrack_expect_related(oldexp)) {
 			DEBUGP("successfully changed expect\n");
 		} else {
 			DEBUGP("can't change expect\n");
+			ret = NF_DROP;
+			break;
 		}
-		if (oldexp->proto.gre.keymap_orig)
-			ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_orig,
+		if (ct->proto.gre.keymap_orig)
+			ip_ct_gre_keymap_change(ct->proto.gre.keymap_orig,
 						&t);
-		if (oldexp->proto.gre.keymap_reply)
-			ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_reply, 
+		if (ct->proto.gre.keymap_reply)
+			ip_ct_gre_keymap_change(ct->proto.gre.keymap_reply, 
 						&inv_t);
 		break;
 	case PPTP_IN_CALL_CONNECT:
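Review bot: ip_conntrack_change_expect(oldexp, &t) took the rewritten tuple, but its replacement `ip_conntrack_expect_related(oldexp)` takes none, and within this hunk `t` and `inv_t` are only fed to ip_ct_gre_keymap_change(); unless oldexp->tuple is assigned from `t` above the hunk (not visible here), the expectation is re-registered with its pre-NAT tuple while the keymaps get the post-NAT one. The IN_CALL_CONNECT hunk below has the same shape. If the tuple is written into oldexp above, a one-line comment such as `/* oldexp->tuple already rewritten above; register it under the NATed tuple */` before the call would make that dependency visible. pptp_inbound_pkt starts before this hunk.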
@@ -311,10 +313,11 @@
 			t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
 		}
 
-		if (!ip_conntrack_change_expect(oldexp, &t)) {
+		if (!ip_conntrack_expect_related(oldexp)) {
 			DEBUGP("successfully changed expect\n");
 		} else {
 			DEBUGP("can't change expect\n");
+			ret = NF_DROP;
 		}
 		break;
 	case PPTP_IN_CALL_REQUEST:
@@ -342,34 +345,47 @@
 		return NF_ACCEPT;
 	}
 
+	/* only OUT_CALL_REPLY, IN_CALL_CONNECT, IN_CALL_REQUEST,
+	 * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
+
 	/* mangle packet */
 	IP_NF_ASSERT(pcid);
 	DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
 		ntohs(*pcid), ntohs(new_pcid));
-	ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, (void *)pcid - (void *)pptph,
-				 sizeof(new_pcid), (char *)&new_pcid, 
-				 sizeof(new_pcid));
+	
+	rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
+				      (void *)pcid - (void *)pptph,
+				      sizeof(new_pcid), (char *)&new_pcid, 
+				      sizeof(new_pcid));
+	if (rv != NF_ACCEPT) 
+		return rv;
 
 	if (new_cid) {
 		IP_NF_ASSERT(cid);
 		DEBUGP("altering call id from 0x%04x to 0x%04x\n",
 			ntohs(*cid), ntohs(new_cid));
-		ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
-					 (void *)cid - (void *)pptph, 
-					 sizeof(new_cid), (char *)&new_cid, 
-					 sizeof(new_cid));
+		rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
+					      (void *)cid - (void *)pptph, 
+					      sizeof(new_cid),
+					      (char *)&new_cid, 
+					      sizeof(new_cid));
+		if (rv != NF_ACCEPT)
+			return rv;
 	}
 
+	/* check for earlier return value of 'switch' above */
+	if (ret != NF_ACCEPT)
+		return ret;
+
 	/* great, at least we don't need to resize packets */
 	return NF_ACCEPT;
 }
 
 
-static unsigned int tcp_help(struct ip_conntrack *ct,
-			     struct ip_conntrack_expect *exp,
-			     struct ip_nat_info *info,
-			     enum ip_conntrack_info ctinfo,
-			     unsigned int hooknum, struct sk_buff **pskb)
+static unsigned int ip_nat_pptp(struct sk_buff **pskb,
+				enum ip_conntrack_info ctinfo,
+				struct ip_conntrack_expect *exp,
+				)
 {
 	struct iphdr *iph = (*pskb)->nh.iph;
 	struct tcphdr *tcph = (void *) iph + iph->ihl*4;
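Review bot: The new ip_nat_pptp() signature ends with a dangling comma (`struct ip_conntrack_expect *exp,` directly followed by `)`), which does not compile; it also drops ct, info and hooknum, so the body below must be checked against what it still references. In the inbound tail above, `ret` from the switch is only examined after both mangles, so a packet whose expectation could not be registered is rewritten and then dropped; moving `if (ret != NF_ACCEPT) return ret;` to just before the first ip_nat_mangle_tcp_packet() call avoids the wasted work and keeps the drop decision in one place. pptp_inbound_pkt's head is above this hunk and ip_nat_pptp's body continues past it.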
@@ -377,7 +393,7 @@
 	struct pptp_pkt_hdr *pptph;
 
 	int dir;
-
+#if 0
 	DEBUGP("entering\n");
 
 	/* Only mangle things once: DST for original direction
@@ -411,7 +427,7 @@
 		DEBUGP("not a pptp control packet\n");
 		return NF_ACCEPT;
 	}
-
+#endif
 	LOCK_BH(&ip_pptp_lock);
 
 	if (dir == IP_CT_DIR_ORIGINAL) {
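Review bot: `if (dir == IP_CT_DIR_ORIGINAL)` reads `dir` uninitialized: it is declared as `int dir;` with no initializer in the previous hunk, and the `#if 0` opened immediately after that declaration is only closed by the `#endif` above this line, so any assignment to it in between is compiled out; branching on an indeterminate value is undefined behaviour. The same `#if 0` disables the "not a pptp control packet" rejection, so with the existing `FIXME: size checks !!!` still open every segment reaching the hook now proceeds to the lock and the mangling code. If this is a deliberate interim state, at least assign the direction before use, e.g. `dir = CTINFO2DIR(ctinfo);`, and keep the control-packet check outside the disabled region. ip_nat_pptp's body continues past this hunk.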
@@ -426,46 +442,15 @@
 
 	return NF_ACCEPT;
 }
-
-/* nat helper struct for control connection */
-static struct ip_nat_helper pptp_tcp_helper = { 
-	.list = { NULL, NULL },
-	.name = "pptp", 
-	.flags = IP_NAT_HELPER_F_ALWAYS, 
-	.me = THIS_MODULE,
-	.tuple = { .src = { .ip = 0, 
-			    .u = { .tcp = { .port = 
-				    	__constant_htons(PPTP_CONTROL_PORT) } 
-				 } 
-			  },
-	  	   .dst = { .ip = 0, 
-			    .u = { .all = 0 }, 
-			    .protonum = IPPROTO_TCP 
-		   	  } 
-		 },
-
-	.mask = { .src = { .ip = 0, 
-			   .u = { .tcp = { .port = 0xFFFF } } 
-			 },
-		  .dst = { .ip = 0, 
-			   .u = { .all = 0 }, 
-			   .protonum = 0xFFFF 
-		  	 } 
-		},
-	.help = tcp_help, 
-	.expect = pptp_nat_expected 
-};
-
-			  
+  
 static int __init init(void)
 {
 	DEBUGP("%s: registering NAT helper\n", __FILE__);
-	if (ip_nat_helper_register(&pptp_tcp_helper)) {
-		printk(KERN_ERR "Unable to register NAT application helper "
-				"for pptp\n");
-		return -EIO;
-	}
 
+	BUG_ON(ip_nat_pptp_hook);
+
+	ip_nat_pptp_hook = ip_nat_pptp;
+
 	printk("ip_nat_pptp version %s loaded\n", IP_NAT_PPTP_VERSION);
 	return 0;
 }
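Review bot: `BUG_ON(ip_nat_pptp_hook)` turns an already-set hook into a kernel panic, whereas the removed helper registration returned -EIO to modprobe; `if (ip_nat_pptp_hook) return -EBUSY;` refuses the load without taking the machine down. The hook is installed with a plain store, and its declaration is not visible here; a short comment next to the assignment stating who reads it and in which context (presumably softirq, matching the synchronize_net() in fini) would document the contract the unload path relies on.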
@@ -473,7 +458,11 @@
 static void __exit fini(void)
 {
 	DEBUGP("cleanup_module\n" );
-	ip_nat_helper_unregister(&pptp_tcp_helper);
+
+	ip_nat_pptp_hook = NULL;
+	/* Make sure noone calls it, meanwhile */
+	synchronize_net();
+
 	printk("ip_nat_pptp version %s unloaded\n", IP_NAT_PPTP_VERSION);
 }
 
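Review bot: Clearing the hook and then waiting in synchronize_net() only covers callers already inside a softirq/RCU read-side section when the NULL store lands; a caller that re-reads ip_nat_pptp_hook after its NULL check could still run into the module being unloaded. Worth stating the contract here, e.g. `/* callers must load the hook once into a local and call that copy; synchronize_net() waits for those in flight */`, and "noone" in the existing comment should read "no one".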



