~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/ipv4/netfilter/nf_nat_snmp_basic_main.c

Version: ~ [ linux-6.11-rc3 ] ~ [ linux-6.10.4 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.45 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.104 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.164 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.223 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.281 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.319 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~ 
  1 // SPDX-License-Identifier: GPL-2.0-or-later
  2 /*
  3  * nf_nat_snmp_basic.c
  4  *
  5  * Basic SNMP Application Layer Gateway
  6  *
  7  * This IP NAT module is intended for use with SNMP network
  8  * discovery and monitoring applications where target networks use
  9  * conflicting private address realms.
 10  *
 11  * Static NAT is used to remap the networks from the view of the network
 12  * management system at the IP layer, and this module remaps some application
 13  * layer addresses to match.
 14  *
 15  * The simplest form of ALG is performed, where only tagged IP addresses
 16  * are modified.  The module does not need to be MIB aware and only scans
 17  * messages at the ASN.1/BER level.
 18  *
 19  * Currently, only SNMPv1 and SNMPv2 are supported.
 20  *
 21  * More information on ALG and associated issues can be found in
 22  * RFC 2962
 23  *
 24  * The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
 25  * McLean & Jochen Friedrich, stripped down for use in the kernel.
 26  *
 27  * Copyright (c) 2000 RP Internet (www.rpi.net.au).
 28  *
 29  * Author: James Morris <jmorris@intercode.com.au>
 30  *
 31  * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
 32  */
 33 #include <linux/module.h>
 34 #include <linux/moduleparam.h>
 35 #include <linux/types.h>
 36 #include <linux/kernel.h>
 37 #include <linux/in.h>
 38 #include <linux/ip.h>
 39 #include <linux/udp.h>
 40 #include <net/checksum.h>
 41 #include <net/udp.h>
 42 
 43 #include <net/netfilter/nf_nat.h>
 44 #include <net/netfilter/nf_conntrack_expect.h>
 45 #include <net/netfilter/nf_conntrack_helper.h>
 46 #include <linux/netfilter/nf_conntrack_snmp.h>
 47 #include "nf_nat_snmp_basic.asn1.h"
 48 
 49 MODULE_LICENSE("GPL");
 50 MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
 51 MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
 52 MODULE_ALIAS("ip_nat_snmp_basic");
 53 MODULE_ALIAS_NFCT_HELPER("snmp_trap");
 54 
 55 #define SNMP_PORT 161
 56 #define SNMP_TRAP_PORT 162
 57 
 58 static DEFINE_SPINLOCK(snmp_lock);
 59 
 60 struct snmp_ctx {
 61         unsigned char *begin;
 62         __sum16 *check;
 63         __be32 from;
 64         __be32 to;
 65 };
 66 
 67 static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
 68 {
 69         unsigned char s[12] = {0,};
 70         int size;
 71 
 72         if (offset & 1) {
 73                 memcpy(&s[1], &ctx->from, 4);
 74                 memcpy(&s[7], &ctx->to, 4);
 75                 s[0] = ~0;
 76                 s[1] = ~s[1];
 77                 s[2] = ~s[2];
 78                 s[3] = ~s[3];
 79                 s[4] = ~s[4];
 80                 s[5] = ~0;
 81                 size = 12;
 82         } else {
 83                 memcpy(&s[0], &ctx->from, 4);
 84                 memcpy(&s[4], &ctx->to, 4);
 85                 s[0] = ~s[0];
 86                 s[1] = ~s[1];
 87                 s[2] = ~s[2];
 88                 s[3] = ~s[3];
 89                 size = 8;
 90         }
 91         *ctx->check = csum_fold(csum_partial(s, size,
 92                                              ~csum_unfold(*ctx->check)));
 93 }
 94 
 95 int snmp_version(void *context, size_t hdrlen, unsigned char tag,
 96                  const void *data, size_t datalen)
 97 {
 98         if (datalen != 1)
 99                 return -EINVAL;
100         if (*(unsigned char *)data > 1)
101                 return -ENOTSUPP;
102         return 1;
103 }
104 
105 int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
106                 const void *data, size_t datalen)
107 {
108         struct snmp_ctx *ctx = (struct snmp_ctx *)context;
109         __be32 *pdata;
110 
111         if (datalen != 4)
112                 return -EINVAL;
113         pdata = (__be32 *)data;
114         if (*pdata == ctx->from) {
115                 pr_debug("%s: %pI4 to %pI4\n", __func__,
116                          (void *)&ctx->from, (void *)&ctx->to);
117 
118                 if (*ctx->check)
119                         fast_csum(ctx, (unsigned char *)data - ctx->begin);
120                 *pdata = ctx->to;
121         }
122 
123         return 1;
124 }
125 
126 static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
127 {
128         struct iphdr *iph = ip_hdr(skb);
129         struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
130         u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
131         char *data = (unsigned char *)udph + sizeof(struct udphdr);
132         struct snmp_ctx ctx;
133         int ret;
134 
135         if (dir == IP_CT_DIR_ORIGINAL) {
136                 ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
137                 ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
138         } else {
139                 ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
140                 ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
141         }
142 
143         if (ctx.from == ctx.to)
144                 return NF_ACCEPT;
145 
146         ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
147         ctx.check = &udph->check;
148         ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
149         if (ret < 0) {
150                 nf_ct_helper_log(skb, ct, "parser failed\n");
151                 return NF_DROP;
152         }
153 
154         return NF_ACCEPT;
155 }
156 
157 /* We don't actually set up expectations, just adjust internal IP
158  * addresses if this is being NATted
159  */
160 static int help(struct sk_buff *skb, unsigned int protoff,
161                 struct nf_conn *ct,
162                 enum ip_conntrack_info ctinfo)
163 {
164         int dir = CTINFO2DIR(ctinfo);
165         unsigned int ret;
166         const struct iphdr *iph = ip_hdr(skb);
167         const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
168 
169         /* SNMP replies and originating SNMP traps get mangled */
170         if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
171                 return NF_ACCEPT;
172         if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
173                 return NF_ACCEPT;
174 
175         /* No NAT? */
176         if (!(ct->status & IPS_NAT_MASK))
177                 return NF_ACCEPT;
178 
179         /* Make sure the packet length is ok.  So far, we were only guaranteed
180          * to have a valid length IP header plus 8 bytes, which means we have
181          * enough room for a UDP header.  Just verify the UDP length field so we
182          * can mess around with the payload.
183          */
184         if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
185                 nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
186                 return NF_DROP;
187         }
188 
189         if (skb_ensure_writable(skb, skb->len)) {
190                 nf_ct_helper_log(skb, ct, "cannot mangle packet");
191                 return NF_DROP;
192         }
193 
194         spin_lock_bh(&snmp_lock);
195         ret = snmp_translate(ct, dir, skb);
196         spin_unlock_bh(&snmp_lock);
197         return ret;
198 }
199 
200 static const struct nf_conntrack_expect_policy snmp_exp_policy = {
201         .max_expected   = 0,
202         .timeout        = 180,
203 };
204 
205 static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
206         .me                     = THIS_MODULE,
207         .help                   = help,
208         .expect_policy          = &snmp_exp_policy,
209         .name                   = "snmp_trap",
210         .tuple.src.l3num        = AF_INET,
211         .tuple.src.u.udp.port   = cpu_to_be16(SNMP_TRAP_PORT),
212         .tuple.dst.protonum     = IPPROTO_UDP,
213 };
214 
215 static int __init nf_nat_snmp_basic_init(void)
216 {
217         BUG_ON(nf_nat_snmp_hook != NULL);
218         RCU_INIT_POINTER(nf_nat_snmp_hook, help);
219 
220         return nf_conntrack_helper_register(&snmp_trap_helper);
221 }
222 
223 static void __exit nf_nat_snmp_basic_fini(void)
224 {
225         RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
226         synchronize_rcu();
227         nf_conntrack_helper_unregister(&snmp_trap_helper);
228 }
229 
230 module_init(nf_nat_snmp_basic_init);
231 module_exit(nf_nat_snmp_basic_fini);
232
~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~
kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php