[netfilter-cvslog] r3997 - in
trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11:
include/linux/netfilter_ipv4 net/ipv4/netfilter
laforge at netfilter.org
laforge at netfilter.org
Fri Jun 24 18:32:30 CEST 2005
Author: laforge at netfilter.org
Date: 2005-06-24 18:32:29 +0200 (Fri, 24 Jun 2005)
New Revision: 3997
Removed:
trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7
Modified:
trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c
Log:
more work on post-2.6.11 code
Deleted: trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7
===================================================================
--- trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7 2005-06-24 16:28:49 UTC (rev 3996)
+++ trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_7 2005-06-24 16:32:29 UTC (rev 3997)
@@ -1,2 +0,0 @@
- /* insert expect proto private data here */
- struct ip_ct_gre_expect gre;
Modified: trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
===================================================================
--- trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-06-24 16:28:49 UTC (rev 3996)
+++ trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-06-24 16:32:29 UTC (rev 3997)
@@ -69,10 +69,9 @@
struct ip_ct_gre {
unsigned int stream_timeout;
unsigned int timeout;
-};
-/* this is part of ip_conntrack_expect */
-struct ip_ct_gre_expect {
+ /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
+ * and therefore imposes a fixed limit on the number of maps */
struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
};
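Review bot: The new comment on `keymap_orig`/`keymap_reply` should say which conntrack owns the two pointers and who releases them, now that the add/destroy prototypes in the next hunks take a `struct ip_conntrack *` instead of an expect. A suggested wording: `/* owned by the conntrack passed to ip_ct_gre_keymap_add(); both entries are released by ip_ct_gre_keymap_destroy() on that conntrack */`. Whether "that conntrack" is the PPTP control connection or the GRE data connection is not visible in the header and is exactly what a reader of `struct ip_ct_gre` needs, because this struct lives under the per-protocol `proto` member and storing PPTP-master state here is only safe if the master's own protocol state never shares that storage; see the `ct->proto.gre.keymap_orig` reads in ip_nat_pptp.c below.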
@@ -88,7 +87,7 @@
/* add new tuple->key_reply pair to keymap */
-int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
+int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
struct ip_conntrack_tuple *t,
int reply);
@@ -97,7 +96,7 @@
struct ip_conntrack_tuple *t);
/* delete keymap entries */
-void ip_ct_gre_keymap_destroy(struct ip_conntrack_expect *exp);
+void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
/* get pointer to gre key, if present */
Modified: trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c
===================================================================
--- trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c 2005-06-24 16:28:49 UTC (rev 3996)
+++ trunk/patch-o-matic-ng/pptp-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_pptp.c 2005-06-24 16:32:29 UTC (rev 3997)
@@ -1,5 +1,5 @@
/*
- * ip_nat_pptp.c - Version 2.0
+ * ip_nat_pptp.c - Version 3.0
*
* NAT support for PPTP (Point to Point Tunneling Protocol).
* PPTP is a a protocol for creating virtual private networks.
@@ -9,13 +9,11 @@
* GRE is defined in RFC 1701 and RFC 1702. Documentation of
* PPTP can be found in RFC 2637
*
- * (C) 2000-2004 by Harald Welte <laforge at gnumonks.org>
+ * (C) 2000-2005 by Harald Welte <laforge at gnumonks.org>
*
* Development of this code funded by Astaro AG (http://www.astaro.com/)
*
- * TODO: - Support for multiple calls within one session
- * (needs netfilter newnat code)
- * - NAT to a unique tuple, not to TCP source port
+ * TODO: - NAT to a unique tuple, not to TCP source port
* (needs netfilter tuple reservation)
*
* Changes:
@@ -31,6 +29,8 @@
* TCP header is mangled (Philip Craig <philipc at snapgear.com>)
* 2004-10-22 - Version 2.0
* - kernel 2.6.x version
+ * 2005-06-10 - Version 3.0
+ * - kernel >= 2.6.11 version
*
*/
@@ -39,6 +39,7 @@
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/tcp.h>
+
#include <linux/netfilter_ipv4/ip_nat.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
#include <linux/netfilter_ipv4/ip_nat_helper.h>
@@ -47,7 +48,7 @@
#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-#define IP_NAT_PPTP_VERSION "2.0"
+#define IP_NAT_PPTP_VERSION "3.0"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge at gnumonks.org>");
@@ -62,18 +63,17 @@
#define DEBUGP(format, args...)
#endif
-static unsigned int
+static void
pptp_nat_expected(struct sk_buff **pskb,
unsigned int hooknum,
struct ip_conntrack *ct,
struct ip_nat_info *info)
{
struct ip_conntrack *master = master_ct(ct);
- struct ip_nat_multi_range mr;
+ struct ip_nat_range range;
struct ip_ct_pptp_master *ct_pptp_info;
struct ip_nat_pptp *nat_pptp_info;
u_int32_t newip, newcid;
- int ret;
IP_NF_ASSERT(info);
IP_NF_ASSERT(master);
@@ -122,20 +122,16 @@
}
}
- mr.rangesize = 1;
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
- mr.range[0].min_ip = mr.range[0].max_ip = newip;
- mr.range[0].min = mr.range[0].max =
+ range.flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
+ range.min_ip = range.max_ip = newip;
+ range.min = range.max =
((union ip_conntrack_manip_proto ) { newcid });
DEBUGP("change ip to %u.%u.%u.%u\n",
NIPQUAD(newip));
DEBUGP("change key to 0x%x\n", ntohl(newcid));
- ret = ip_nat_setup_info(ct, &mr, hooknum);
+ ip_nat_setup_info(ct, &range, hooknum);
UNLOCK_BH(&ip_pptp_lock);
-
- return ret;
-
}
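Review bot: The verdict returned by `ip_nat_setup_info(ct, &range, hooknum)` is now discarded, whereas the previous version stored and returned it; with the callback changed to `void` a failed NAT setup is invisible to the caller and the expectation is silently left un-NATed. If ip_nat_setup_info can still fail on this path (its contract is not visible in the hunk), at least record it under the debug macro, e.g. `if (ip_nat_setup_info(ct, &range, hooknum) != NF_ACCEPT) DEBUGP("ip_nat_setup_info failed\n");`, so the condition can be diagnosed. pptp_nat_expected's signature and the beginning of its body are in the preceding hunk.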
/* outbound packets == from PNS to PAC */
@@ -205,17 +201,20 @@
return NF_ACCEPT;
}
+ /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
+ * down to here */
+
IP_NF_ASSERT(cid);
DEBUGP("altering call id from 0x%04x to 0x%04x\n",
ntohs(*cid), ntohs(new_callid));
/* mangle packet */
- ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, (void *)cid - (void *)pptph,
- sizeof(new_callid), (char *)&new_callid,
- sizeof(new_callid));
-
- return NF_ACCEPT;
+ return ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ (void *)cid - (void *)pptph,
+ sizeof(new_callid),
+ (char *)&new_callid,
+ sizeof(new_callid));
}
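Review bot: `ip_nat_mangle_tcp_packet` is returned straight through as the hook verdict, but as far as I recall the NAT helper API reports success as 1 and failure as 0 rather than NF_ACCEPT/NF_DROP, so this only works because NF_ACCEPT happens to be 1 and NF_DROP 0 — please verify against ip_nat_helper.c. Make the verdict explicit: `if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, (void *)cid - (void *)pptph, sizeof(new_callid), (char *)&new_callid, sizeof(new_callid))) return NF_DROP;` followed by `return NF_ACCEPT;`. The two `if (rv != NF_ACCEPT) return rv;` checks in the pptp_inbound_pkt hunk further down rely on the same coincidence and should test `rv == 0` instead. pptp_outbound_pkt begins before this hunk.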
/* inbound packets == from PAC to PNS */
@@ -240,6 +239,7 @@
struct ip_conntrack_tuple t, inv_t;
struct ip_conntrack_tuple *orig_t, *reply_t;
+ int ret = NF_ACCEPT, rv;
/* FIXME: size checks !!! */
ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
@@ -283,16 +283,18 @@
inv_t.dst.u.gre.key = htonl(ct_pptp_info->pac_call_id);
}
- if (!ip_conntrack_change_expect(oldexp, &t)) {
+ if (!ip_conntrack_expect_related(oldexp)) {
DEBUGP("successfully changed expect\n");
} else {
DEBUGP("can't change expect\n");
+ ret = NF_DROP;
+ break;
}
- if (oldexp->proto.gre.keymap_orig)
- ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_orig,
+ if (ct->proto.gre.keymap_orig)
+ ip_ct_gre_keymap_change(ct->proto.gre.keymap_orig,
&t);
- if (oldexp->proto.gre.keymap_reply)
- ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_reply,
+ if (ct->proto.gre.keymap_reply)
+ ip_ct_gre_keymap_change(ct->proto.gre.keymap_reply,
&inv_t);
break;
case PPTP_IN_CALL_CONNECT:
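Review bot: `ct->proto.gre.keymap_orig` and `ct->proto.gre.keymap_reply` are now read from `ct`, which in this function appears to be the PPTP control connection (the next hunk uses its reply tuple as the TCP endpoint) rather than a GRE conntrack. If `proto` is the per-L4-protocol union of struct ip_conntrack, these reads alias the master's TCP tracking state, and the keymap pointers stored there can be clobbered by the TCP tracker or misread as GRE state — please confirm where the master's keymaps actually live; a field in the PPTP helper-private data (`struct ip_ct_pptp_master`) would avoid the overlap. Separately, the tuple `t` computed above still feeds ip_ct_gre_keymap_change but no longer reaches the expect, since `ip_conntrack_expect_related(oldexp)` takes no tuple and nothing visible copies `t` into `oldexp->tuple` first. pptp_inbound_pkt begins and ends outside this hunk.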
@@ -311,10 +313,11 @@
t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
}
- if (!ip_conntrack_change_expect(oldexp, &t)) {
+ if (!ip_conntrack_expect_related(oldexp)) {
DEBUGP("successfully changed expect\n");
} else {
DEBUGP("can't change expect\n");
+ ret = NF_DROP;
}
break;
case PPTP_IN_CALL_REQUEST:
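Review bot: After this change the tuple adjusted at `t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;` is never used: `ip_conntrack_expect_related(oldexp)` takes only the expect, and nothing in the hunk copies `t` into it before the call, so unless that copy happens outside the hunk the expectation is registered with its old, un-NATed tuple. The previous `ip_conntrack_change_expect(oldexp, &t)` applied the tuple; `oldexp->tuple = t;` immediately before `ip_conntrack_expect_related(oldexp)` would restore that behaviour. The PPTP_OUT_CALL_REPLY case in the hunk above has the same gap.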
@@ -342,34 +345,47 @@
return NF_ACCEPT;
}
+ /* only OUT_CALL_REPLY, IN_CALL_CONNECT, IN_CALL_REQUEST,
+ * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
+
/* mangle packet */
IP_NF_ASSERT(pcid);
DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
ntohs(*pcid), ntohs(new_pcid));
- ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, (void *)pcid - (void *)pptph,
- sizeof(new_pcid), (char *)&new_pcid,
- sizeof(new_pcid));
+
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ (void *)pcid - (void *)pptph,
+ sizeof(new_pcid), (char *)&new_pcid,
+ sizeof(new_pcid));
+ if (rv != NF_ACCEPT)
+ return rv;
if (new_cid) {
IP_NF_ASSERT(cid);
DEBUGP("altering call id from 0x%04x to 0x%04x\n",
ntohs(*cid), ntohs(new_cid));
- ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - (void *)pptph,
- sizeof(new_cid), (char *)&new_cid,
- sizeof(new_cid));
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ (void *)cid - (void *)pptph,
+ sizeof(new_cid),
+ (char *)&new_cid,
+ sizeof(new_cid));
+ if (rv != NF_ACCEPT)
+ return rv;
}
+ /* check for earlier return value of 'switch' above */
+ if (ret != NF_ACCEPT)
+ return ret;
+
/* great, at least we don't need to resize packets */
return NF_ACCEPT;
}
-static unsigned int tcp_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum, struct sk_buff **pskb)
+static unsigned int ip_nat_pptp(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack_expect *exp,
+ )
{
struct iphdr *iph = (*pskb)->nh.iph;
struct tcphdr *tcph = (void *) iph + iph->ihl*4;
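Review bot: The new `ip_nat_pptp` parameter list ends with a dangling comma before `)`, which is a syntax error, and it has dropped `ct`, `info` and `hooknum`, so any use of those names in the body (which continues past this hunk) will no longer resolve. Presumably the list is meant to match the function-pointer type of `ip_nat_pptp_hook` installed in init(); that type is not visible here, so either finish the signature against it or keep the old parameters until the hook type is settled. The rewrite to `return rv` checks earlier in this hunk is covered in the note on pptp_outbound_pkt.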
@@ -377,7 +393,7 @@
struct pptp_pkt_hdr *pptph;
int dir;
-
+#if 0
DEBUGP("entering\n");
/* Only mangle things once: DST for original direction
@@ -411,7 +427,7 @@
DEBUGP("not a pptp control packet\n");
return NF_ACCEPT;
}
-
+#endif
LOCK_BH(&ip_pptp_lock);
if (dir == IP_CT_DIR_ORIGINAL) {
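Review bot: `dir` is compared at `if (dir == IP_CT_DIR_ORIGINAL)` but the code that set it now appears to sit between the `#if 0` opened in the previous hunk and this `#endif` (the disabled middle is not visible), so `dir` is read uninitialized — undefined behaviour, and the direction choice becomes arbitrary per packet. The same disabled block held the "not a pptp control packet" rejection, so until it is restored the function no longer validates that the payload is a PPTP control message before mangling it. If the direction is meant to come from the conntrack info now passed in, `int dir = CTINFO2DIR(ctinfo);` at the declaration keeps `dir` defined while the old block stays disabled.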
@@ -426,46 +442,15 @@
return NF_ACCEPT;
}
-
-/* nat helper struct for control connection */
-static struct ip_nat_helper pptp_tcp_helper = {
- .list = { NULL, NULL },
- .name = "pptp",
- .flags = IP_NAT_HELPER_F_ALWAYS,
- .me = THIS_MODULE,
- .tuple = { .src = { .ip = 0,
- .u = { .tcp = { .port =
- __constant_htons(PPTP_CONTROL_PORT) }
- }
- },
- .dst = { .ip = 0,
- .u = { .all = 0 },
- .protonum = IPPROTO_TCP
- }
- },
-
- .mask = { .src = { .ip = 0,
- .u = { .tcp = { .port = 0xFFFF } }
- },
- .dst = { .ip = 0,
- .u = { .all = 0 },
- .protonum = 0xFFFF
- }
- },
- .help = tcp_help,
- .expect = pptp_nat_expected
-};
-
-
+
static int __init init(void)
{
DEBUGP("%s: registering NAT helper\n", __FILE__);
- if (ip_nat_helper_register(&pptp_tcp_helper)) {
- printk(KERN_ERR "Unable to register NAT application helper "
- "for pptp\n");
- return -EIO;
- }
+ BUG_ON(ip_nat_pptp_hook);
+
+ ip_nat_pptp_hook = ip_nat_pptp;
+
printk("ip_nat_pptp version %s loaded\n", IP_NAT_PPTP_VERSION);
return 0;
}
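Review bot: `BUG_ON(ip_nat_pptp_hook)` turns a double registration (a second instance of this module, or a stale hook left by a failed unload) into a kernel panic, where a module init should fail gracefully: `if (ip_nat_pptp_hook) return -EBUSY;`. The hook is also published with a plain pointer store; whether readers of `ip_nat_pptp_hook` in the conntrack helper pair it with a barrier or RCU is not visible in this file and should be checked, since fini() relies on `synchronize_net()` for the same pointer. The removed `ip_nat_helper` registration carried the PPTP_CONTROL_PORT tuple match, so dispatch now depends entirely on the conntrack side calling the hook only for PPTP control connections.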
@@ -473,7 +458,11 @@
static void __exit fini(void)
{
DEBUGP("cleanup_module\n" );
- ip_nat_helper_unregister(&pptp_tcp_helper);
+
+ ip_nat_pptp_hook = NULL;
+ /* Make sure noone calls it, meanwhile */
+ synchronize_net();
+
printk("ip_nat_pptp version %s unloaded\n", IP_NAT_PPTP_VERSION);
}