4 * Basic SNMP Application Layer Gateway
6 * This IP NAT module is intended for use with SNMP network
7 * discovery and monitoring applications where target networks use
8 * conflicting private address realms.
10 * Static NAT is used to remap the networks from the view of the network
11 * management system at the IP layer, and this module remaps some application
12 * layer addresses to match.
14 * The simplest form of ALG is performed, where only tagged IP addresses
15 * are modified. The module does not need to be MIB aware and only scans
16 * messages at the ASN.1/BER level.
18 * Currently, only SNMPv1 and SNMPv2 are supported.
20 * More information on ALG and associated issues can be found in
23 * The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
24 * McLean & Jochen Friedrich, stripped down for use in the kernel.
26 * Copyright (c) 2000 RP Internet (www.rpi.net.au).
28 * This program is free software; you can redistribute it and/or modify
29 * it under the terms of the GNU General Public License as published by
30 * the Free Software Foundation; either version 2 of the License, or
31 * (at your option) any later version.
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
36 * You should have received a copy of the GNU General Public License
37 * along with this program; if not, write to the Free Software
38 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
40 * Author: James Morris <jmorris@intercode.com.au>
42 #include <linux/module.h>
43 #include <linux/moduleparam.h>
44 #include <linux/types.h>
45 #include <linux/kernel.h>
46 #include <linux/slab.h>
49 #include <linux/udp.h>
50 #include <net/checksum.h>
53 #include <net/netfilter/nf_nat.h>
54 #include <net/netfilter/nf_conntrack_expect.h>
55 #include <net/netfilter/nf_conntrack_helper.h>
56 #include <net/netfilter/nf_nat_helper.h>
57 #include <linux/netfilter/nf_conntrack_snmp.h>
59 MODULE_LICENSE("GPL");
60 MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
61 MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
62 MODULE_ALIAS("ip_nat_snmp_basic");
65 #define SNMP_TRAP_PORT 162
66 #define NOCT1(n) (*(u8 *)(n))
69 static DEFINE_SPINLOCK(snmp_lock);
72 * Application layer address mapping mimics the NAT mapping, but
73 * only for the first octet in this case (a more flexible system
74 * can be implemented if needed).
83 /*****************************************************************************
85 * Basic ASN.1 decoding routines (gxsnmp author Dirk Wisse)
87 *****************************************************************************/
90 #define ASN1_UNI 0 /* Universal */
91 #define ASN1_APL 1 /* Application */
92 #define ASN1_CTX 2 /* Context */
93 #define ASN1_PRV 3 /* Private */
96 #define ASN1_EOC 0 /* End Of Contents */
97 #define ASN1_BOL 1 /* Boolean */
98 #define ASN1_INT 2 /* Integer */
99 #define ASN1_BTS 3 /* Bit String */
100 #define ASN1_OTS 4 /* Octet String */
101 #define ASN1_NUL 5 /* Null */
102 #define ASN1_OJI 6 /* Object Identifier */
103 #define ASN1_OJD 7 /* Object Description */
104 #define ASN1_EXT 8 /* External */
105 #define ASN1_SEQ 16 /* Sequence */
106 #define ASN1_SET 17 /* Set */
107 #define ASN1_NUMSTR 18 /* Numerical String */
108 #define ASN1_PRNSTR 19 /* Printable String */
109 #define ASN1_TEXSTR 20 /* Teletext String */
110 #define ASN1_VIDSTR 21 /* Video String */
111 #define ASN1_IA5STR 22 /* IA5 String */
112 #define ASN1_UNITIM 23 /* Universal Time */
113 #define ASN1_GENTIM 24 /* General Time */
114 #define ASN1_GRASTR 25 /* Graphical String */
115 #define ASN1_VISSTR 26 /* Visible String */
116 #define ASN1_GENSTR 27 /* General String */
118 /* Primitive / Constructed methods*/
119 #define ASN1_PRI 0 /* Primitive */
120 #define ASN1_CON 1 /* Constructed */
125 #define ASN1_ERR_NOERROR 0
126 #define ASN1_ERR_DEC_EMPTY 2
127 #define ASN1_ERR_DEC_EOC_MISMATCH 3
128 #define ASN1_ERR_DEC_LENGTH_MISMATCH 4
129 #define ASN1_ERR_DEC_BADVALUE 5
136 int error; /* Error condition */
137 unsigned char *pointer; /* Octet just to be decoded */
138 unsigned char *begin; /* First octet */
139 unsigned char *end; /* Octet after last octet */
143 * Octet string (not null terminated)
151 static void asn1_open(struct asn1_ctx *ctx,
156 ctx->end = buf + len;
158 ctx->error = ASN1_ERR_NOERROR;
161 static unsigned char asn1_octet_decode(struct asn1_ctx *ctx, unsigned char *ch)
163 if (ctx->pointer >= ctx->end) {
164 ctx->error = ASN1_ERR_DEC_EMPTY;
167 *ch = *(ctx->pointer)++;
171 static unsigned char asn1_tag_decode(struct asn1_ctx *ctx, unsigned int *tag)
179 if (!asn1_octet_decode(ctx, &ch))
183 } while ((ch & 0x80) == 0x80);
187 static unsigned char asn1_id_decode(struct asn1_ctx *ctx,
194 if (!asn1_octet_decode(ctx, &ch))
197 *cls = (ch & 0xC0) >> 6;
198 *con = (ch & 0x20) >> 5;
202 if (!asn1_tag_decode(ctx, tag))
208 static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
212 unsigned char ch, cnt;
214 if (!asn1_octet_decode(ctx, &ch))
229 if (!asn1_octet_decode(ctx, &ch))
238 /* don't trust len bigger than ctx buffer */
239 if (*len > ctx->end - ctx->pointer)
245 static unsigned char asn1_header_decode(struct asn1_ctx *ctx,
251 unsigned int def, len;
253 if (!asn1_id_decode(ctx, cls, con, tag))
257 if (!asn1_length_decode(ctx, &def, &len))
260 /* primitive shall be definite, indefinite shall be constructed */
261 if (*con == ASN1_PRI && !def)
265 *eoc = ctx->pointer + len;
271 static unsigned char asn1_eoc_decode(struct asn1_ctx *ctx, unsigned char *eoc)
276 if (!asn1_octet_decode(ctx, &ch))
280 ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
284 if (!asn1_octet_decode(ctx, &ch))
288 ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
293 if (ctx->pointer != eoc) {
294 ctx->error = ASN1_ERR_DEC_LENGTH_MISMATCH;
301 static unsigned char asn1_null_decode(struct asn1_ctx *ctx, unsigned char *eoc)
307 static unsigned char asn1_long_decode(struct asn1_ctx *ctx,
314 if (!asn1_octet_decode(ctx, &ch))
317 *integer = (signed char) ch;
320 while (ctx->pointer < eoc) {
321 if (++len > sizeof (long)) {
322 ctx->error = ASN1_ERR_DEC_BADVALUE;
326 if (!asn1_octet_decode(ctx, &ch))
335 static unsigned char asn1_uint_decode(struct asn1_ctx *ctx,
337 unsigned int *integer)
342 if (!asn1_octet_decode(ctx, &ch))
346 if (ch == 0) len = 0;
349 while (ctx->pointer < eoc) {
350 if (++len > sizeof (unsigned int)) {
351 ctx->error = ASN1_ERR_DEC_BADVALUE;
355 if (!asn1_octet_decode(ctx, &ch))
364 static unsigned char asn1_ulong_decode(struct asn1_ctx *ctx,
366 unsigned long *integer)
371 if (!asn1_octet_decode(ctx, &ch))
375 if (ch == 0) len = 0;
378 while (ctx->pointer < eoc) {
379 if (++len > sizeof (unsigned long)) {
380 ctx->error = ASN1_ERR_DEC_BADVALUE;
384 if (!asn1_octet_decode(ctx, &ch))
393 static unsigned char asn1_octets_decode(struct asn1_ctx *ctx,
395 unsigned char **octets,
402 *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
403 if (*octets == NULL) {
405 pr_notice("OOM in bsalg (%d)\n", __LINE__);
410 while (ctx->pointer < eoc) {
411 if (!asn1_octet_decode(ctx, (unsigned char *)ptr++)) {
421 static unsigned char asn1_subid_decode(struct asn1_ctx *ctx,
422 unsigned long *subid)
429 if (!asn1_octet_decode(ctx, &ch))
434 } while ((ch & 0x80) == 0x80);
438 static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
447 size = eoc - ctx->pointer + 1;
449 /* first subid actually encodes first two subids */
450 if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
453 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
456 pr_notice("OOM in bsalg (%d)\n", __LINE__);
462 if (!asn1_subid_decode(ctx, &subid)) {
471 } else if (subid < 80) {
473 optr [1] = subid - 40;
476 optr [1] = subid - 80;
482 while (ctx->pointer < eoc) {
483 if (++(*len) > size) {
484 ctx->error = ASN1_ERR_DEC_BADVALUE;
490 if (!asn1_subid_decode(ctx, optr++)) {
499 /*****************************************************************************
501 * SNMP decoding routines (gxsnmp author Dirk Wisse)
503 *****************************************************************************/
512 #define SNMP_SIZE_COMM 256
513 #define SNMP_SIZE_OBJECTID 128
514 #define SNMP_SIZE_BUFCHR 256
515 #define SNMP_SIZE_BUFINT 128
516 #define SNMP_SIZE_SMALLOBJECTID 16
519 #define SNMP_PDU_GET 0
520 #define SNMP_PDU_NEXT 1
521 #define SNMP_PDU_RESPONSE 2
522 #define SNMP_PDU_SET 3
523 #define SNMP_PDU_TRAP1 4
524 #define SNMP_PDU_BULK 5
525 #define SNMP_PDU_INFORM 6
526 #define SNMP_PDU_TRAP2 7
529 #define SNMP_NOERROR 0
530 #define SNMP_TOOBIG 1
531 #define SNMP_NOSUCHNAME 2
532 #define SNMP_BADVALUE 3
533 #define SNMP_READONLY 4
534 #define SNMP_GENERROR 5
535 #define SNMP_NOACCESS 6
536 #define SNMP_WRONGTYPE 7
537 #define SNMP_WRONGLENGTH 8
538 #define SNMP_WRONGENCODING 9
539 #define SNMP_WRONGVALUE 10
540 #define SNMP_NOCREATION 11
541 #define SNMP_INCONSISTENTVALUE 12
542 #define SNMP_RESOURCEUNAVAILABLE 13
543 #define SNMP_COMMITFAILED 14
544 #define SNMP_UNDOFAILED 15
545 #define SNMP_AUTHORIZATIONERROR 16
546 #define SNMP_NOTWRITABLE 17
547 #define SNMP_INCONSISTENTNAME 18
549 /* General SNMP V1 Traps */
550 #define SNMP_TRAP_COLDSTART 0
551 #define SNMP_TRAP_WARMSTART 1
552 #define SNMP_TRAP_LINKDOWN 2
553 #define SNMP_TRAP_LINKUP 3
554 #define SNMP_TRAP_AUTFAILURE 4
555 #define SNMP_TRAP_EQPNEIGHBORLOSS 5
556 #define SNMP_TRAP_ENTSPECIFIC 6
560 #define SNMP_INTEGER 1 /* l */
561 #define SNMP_OCTETSTR 2 /* c */
562 #define SNMP_DISPLAYSTR 2 /* c */
563 #define SNMP_OBJECTID 3 /* ul */
564 #define SNMP_IPADDR 4 /* uc */
565 #define SNMP_COUNTER 5 /* ul */
566 #define SNMP_GAUGE 6 /* ul */
567 #define SNMP_TIMETICKS 7 /* ul */
568 #define SNMP_OPAQUE 8 /* c */
570 /* Additional SNMPv2 Types */
571 #define SNMP_UINTEGER 5 /* ul */
572 #define SNMP_BITSTR 9 /* uc */
573 #define SNMP_NSAP 10 /* uc */
574 #define SNMP_COUNTER64 11 /* ul */
575 #define SNMP_NOSUCHOBJECT 12
576 #define SNMP_NOSUCHINSTANCE 13
577 #define SNMP_ENDOFMIBVIEW 14
581 unsigned char uc[0]; /* 8 bit unsigned */
582 char c[0]; /* 8 bit signed */
583 unsigned long ul[0]; /* 32 bit unsigned */
584 long l[0]; /* 32 bit signed */
592 unsigned int syntax_len;
593 union snmp_syntax syntax;
599 unsigned int error_status;
600 unsigned int error_index;
607 unsigned long ip_address; /* pointer */
608 unsigned int general;
609 unsigned int specific;
626 static inline void mangle_address(unsigned char *begin,
628 const struct oct1_map *map,
637 static const struct snmp_cnv snmp_conv[] = {
638 {ASN1_UNI, ASN1_NUL, SNMP_NULL},
639 {ASN1_UNI, ASN1_INT, SNMP_INTEGER},
640 {ASN1_UNI, ASN1_OTS, SNMP_OCTETSTR},
641 {ASN1_UNI, ASN1_OTS, SNMP_DISPLAYSTR},
642 {ASN1_UNI, ASN1_OJI, SNMP_OBJECTID},
643 {ASN1_APL, SNMP_IPA, SNMP_IPADDR},
644 {ASN1_APL, SNMP_CNT, SNMP_COUNTER}, /* Counter32 */
645 {ASN1_APL, SNMP_GGE, SNMP_GAUGE}, /* Gauge32 == Unsigned32 */
646 {ASN1_APL, SNMP_TIT, SNMP_TIMETICKS},
647 {ASN1_APL, SNMP_OPQ, SNMP_OPAQUE},
649 /* SNMPv2 data types and errors */
650 {ASN1_UNI, ASN1_BTS, SNMP_BITSTR},
651 {ASN1_APL, SNMP_C64, SNMP_COUNTER64},
652 {ASN1_CTX, SERR_NSO, SNMP_NOSUCHOBJECT},
653 {ASN1_CTX, SERR_NSI, SNMP_NOSUCHINSTANCE},
654 {ASN1_CTX, SERR_EOM, SNMP_ENDOFMIBVIEW},
658 static unsigned char snmp_tag_cls2syntax(unsigned int tag,
660 unsigned short *syntax)
662 const struct snmp_cnv *cnv;
666 while (cnv->syntax != -1) {
667 if (cnv->tag == tag && cnv->class == cls) {
668 *syntax = cnv->syntax;
676 static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
677 struct snmp_object **obj)
679 unsigned int cls, con, tag, len, idlen;
681 unsigned char *eoc, *end, *p;
682 unsigned long *lp, *id;
689 if (!asn1_header_decode(ctx, &eoc, &cls, &con, &tag))
692 if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ)
695 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
698 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_OJI)
701 if (!asn1_oid_decode(ctx, end, &id, &idlen))
704 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag)) {
709 if (con != ASN1_PRI) {
715 if (!snmp_tag_cls2syntax(tag, cls, &type)) {
724 if (!asn1_long_decode(ctx, end, &l)) {
728 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
732 pr_notice("OOM in bsalg (%d)\n", __LINE__);
735 (*obj)->syntax.l[0] = l;
739 if (!asn1_octets_decode(ctx, end, &p, &len)) {
743 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
748 pr_notice("OOM in bsalg (%d)\n", __LINE__);
751 memcpy((*obj)->syntax.c, p, len);
755 case SNMP_NOSUCHOBJECT:
756 case SNMP_NOSUCHINSTANCE:
757 case SNMP_ENDOFMIBVIEW:
759 *obj = kmalloc(sizeof(struct snmp_object), GFP_ATOMIC);
763 pr_notice("OOM in bsalg (%d)\n", __LINE__);
766 if (!asn1_null_decode(ctx, end)) {
774 if (!asn1_oid_decode(ctx, end, (unsigned long **)&lp, &len)) {
778 len *= sizeof(unsigned long);
779 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
784 pr_notice("OOM in bsalg (%d)\n", __LINE__);
787 memcpy((*obj)->syntax.ul, lp, len);
791 if (!asn1_octets_decode(ctx, end, &p, &len)) {
800 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
805 pr_notice("OOM in bsalg (%d)\n", __LINE__);
808 memcpy((*obj)->syntax.uc, p, len);
814 len = sizeof(unsigned long);
815 if (!asn1_ulong_decode(ctx, end, &ul)) {
819 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
823 pr_notice("OOM in bsalg (%d)\n", __LINE__);
826 (*obj)->syntax.ul[0] = ul;
833 (*obj)->syntax_len = len;
836 (*obj)->id_len = idlen;
838 if (!asn1_eoc_decode(ctx, eoc)) {
847 static unsigned char snmp_request_decode(struct asn1_ctx *ctx,
848 struct snmp_request *request)
850 unsigned int cls, con, tag;
853 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
856 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
859 if (!asn1_ulong_decode(ctx, end, &request->id))
862 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
865 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
868 if (!asn1_uint_decode(ctx, end, &request->error_status))
871 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
874 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
877 if (!asn1_uint_decode(ctx, end, &request->error_index))
884 * Fast checksum update for possibly oddly-aligned UDP byte, from the
885 * code example in the draft.
887 static void fast_csum(__sum16 *csum,
888 const unsigned char *optr,
889 const unsigned char *nptr,
906 *csum = csum_fold(csum_partial(s, 4, ~csum_unfold(*csum)));
911 * - begin points to the start of the snmp messgae
912 * - addr points to the start of the address
914 static inline void mangle_address(unsigned char *begin,
916 const struct oct1_map *map,
919 if (map->from == NOCT1(addr)) {
923 memcpy(&old, addr, sizeof(old));
927 /* Update UDP checksum if being used */
930 &map->from, &map->to, addr - begin);
935 printk(KERN_DEBUG "bsalg: mapped %pI4 to %pI4\n",
940 static unsigned char snmp_trap_decode(struct asn1_ctx *ctx,
941 struct snmp_v1_trap *trap,
942 const struct oct1_map *map,
945 unsigned int cls, con, tag, len;
948 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
951 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_OJI)
954 if (!asn1_oid_decode(ctx, end, &trap->id, &trap->id_len))
957 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
960 if (!((cls == ASN1_APL && con == ASN1_PRI && tag == SNMP_IPA) ||
961 (cls == ASN1_UNI && con == ASN1_PRI && tag == ASN1_OTS)))
964 if (!asn1_octets_decode(ctx, end, (unsigned char **)&trap->ip_address, &len))
971 mangle_address(ctx->begin, ctx->pointer - 4, map, check);
973 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
976 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
979 if (!asn1_uint_decode(ctx, end, &trap->general))
982 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
985 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
988 if (!asn1_uint_decode(ctx, end, &trap->specific))
991 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
994 if (!((cls == ASN1_APL && con == ASN1_PRI && tag == SNMP_TIT) ||
995 (cls == ASN1_UNI && con == ASN1_PRI && tag == ASN1_INT)))
998 if (!asn1_ulong_decode(ctx, end, &trap->time))
1004 kfree((unsigned long *)trap->ip_address);
1012 /*****************************************************************************
1016 *****************************************************************************/
1018 static void hex_dump(const unsigned char *buf, size_t len)
1022 for (i = 0; i < len; i++) {
1025 printk("%02x ", *(buf + i));
1031 * Parse and mangle SNMP message according to mapping.
1032 * (And this is the fucking 'basic' method).
1034 static int snmp_parse_mangle(unsigned char *msg,
1036 const struct oct1_map *map,
1039 unsigned char *eoc, *end;
1040 unsigned int cls, con, tag, vers, pdutype;
1041 struct asn1_ctx ctx;
1042 struct asn1_octstr comm;
1043 struct snmp_object *obj;
1048 asn1_open(&ctx, msg, len);
1051 * Start of SNMP message.
1053 if (!asn1_header_decode(&ctx, &eoc, &cls, &con, &tag))
1055 if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ)
1059 * Version 1 or 2 handled.
1061 if (!asn1_header_decode(&ctx, &end, &cls, &con, &tag))
1063 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
1065 if (!asn1_uint_decode (&ctx, end, &vers))
1068 printk(KERN_DEBUG "bsalg: snmp version: %u\n", vers + 1);
1075 if (!asn1_header_decode (&ctx, &end, &cls, &con, &tag))
1077 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_OTS)
1079 if (!asn1_octets_decode(&ctx, end, &comm.data, &comm.len))
1084 printk(KERN_DEBUG "bsalg: community: ");
1085 for (i = 0; i < comm.len; i++)
1086 printk("%c", comm.data[i]);
1094 if (!asn1_header_decode(&ctx, &eoc, &cls, &con, &pdutype))
1096 if (cls != ASN1_CTX || con != ASN1_CON)
1099 static const unsigned char *const pdus[] = {
1100 [SNMP_PDU_GET] = "get",
1101 [SNMP_PDU_NEXT] = "get-next",
1102 [SNMP_PDU_RESPONSE] = "response",
1103 [SNMP_PDU_SET] = "set",
1104 [SNMP_PDU_TRAP1] = "trapv1",
1105 [SNMP_PDU_BULK] = "bulk",
1106 [SNMP_PDU_INFORM] = "inform",
1107 [SNMP_PDU_TRAP2] = "trapv2"
1110 if (pdutype > SNMP_PDU_TRAP2)
1111 printk(KERN_DEBUG "bsalg: bad pdu type %u\n", pdutype);
1113 printk(KERN_DEBUG "bsalg: pdu: %s\n", pdus[pdutype]);
1115 if (pdutype != SNMP_PDU_RESPONSE &&
1116 pdutype != SNMP_PDU_TRAP1 && pdutype != SNMP_PDU_TRAP2)
1120 * Request header or v1 trap
1122 if (pdutype == SNMP_PDU_TRAP1) {
1123 struct snmp_v1_trap trap;
1124 unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
1128 kfree((unsigned long *)trap.ip_address);
1133 struct snmp_request req;
1135 if (!snmp_request_decode(&ctx, &req))
1139 printk(KERN_DEBUG "bsalg: request: id=0x%lx error_status=%u "
1140 "error_index=%u\n", req.id, req.error_status,
1145 * Loop through objects, look for IP addresses to mangle.
1147 if (!asn1_header_decode(&ctx, &eoc, &cls, &con, &tag))
1150 if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ)
1153 while (!asn1_eoc_decode(&ctx, eoc)) {
1156 if (!snmp_object_decode(&ctx, &obj)) {
1165 printk(KERN_DEBUG "bsalg: object: ");
1166 for (i = 0; i < obj->id_len; i++) {
1169 printk("%lu", obj->id[i]);
1171 printk(": type=%u\n", obj->type);
1175 if (obj->type == SNMP_IPADDR)
1176 mangle_address(ctx.begin, ctx.pointer - 4 , map, check);
1182 if (!asn1_eoc_decode(&ctx, eoc))
1188 /*****************************************************************************
1192 *****************************************************************************/
1195 * SNMP translation routine.
1197 static int snmp_translate(struct nf_conn *ct,
1198 enum ip_conntrack_info ctinfo,
1199 struct sk_buff *skb)
1201 struct iphdr *iph = ip_hdr(skb);
1202 struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
1203 u_int16_t udplen = ntohs(udph->len);
1204 u_int16_t paylen = udplen - sizeof(struct udphdr);
1205 int dir = CTINFO2DIR(ctinfo);
1206 struct oct1_map map;
1209 * Determine mappping for application layer addresses based
1210 * on NAT manipulations for the packet.
1212 if (dir == IP_CT_DIR_ORIGINAL) {
1214 map.from = NOCT1(&ct->tuplehash[dir].tuple.src.u3.ip);
1215 map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);
1218 map.from = NOCT1(&ct->tuplehash[dir].tuple.src.u3.ip);
1219 map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);
1222 if (map.from == map.to)
1225 if (!snmp_parse_mangle((unsigned char *)udph + sizeof(struct udphdr),
1226 paylen, &map, &udph->check)) {
1227 if (net_ratelimit())
1228 printk(KERN_WARNING "bsalg: parser failed\n");
1234 /* We don't actually set up expectations, just adjust internal IP
1235 * addresses if this is being NATted */
1236 static int help(struct sk_buff *skb, unsigned int protoff,
1238 enum ip_conntrack_info ctinfo)
1240 int dir = CTINFO2DIR(ctinfo);
1242 const struct iphdr *iph = ip_hdr(skb);
1243 const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
1245 /* SNMP replies and originating SNMP traps get mangled */
1246 if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
1248 if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
1252 if (!(ct->status & IPS_NAT_MASK))
1256 * Make sure the packet length is ok. So far, we were only guaranteed
1257 * to have a valid length IP header plus 8 bytes, which means we have
1258 * enough room for a UDP header. Just verify the UDP length field so we
1259 * can mess around with the payload.
1261 if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
1262 if (net_ratelimit())
1263 printk(KERN_WARNING "SNMP: dropping malformed packet src=%pI4 dst=%pI4\n",
1264 &iph->saddr, &iph->daddr);
1268 if (!skb_make_writable(skb, skb->len))
1271 spin_lock_bh(&snmp_lock);
1272 ret = snmp_translate(ct, ctinfo, skb);
1273 spin_unlock_bh(&snmp_lock);
1277 static const struct nf_conntrack_expect_policy snmp_exp_policy = {
1282 static struct nf_conntrack_helper snmp_helper __read_mostly = {
1285 .expect_policy = &snmp_exp_policy,
1287 .tuple.src.l3num = AF_INET,
1288 .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT),
1289 .tuple.dst.protonum = IPPROTO_UDP,
1292 static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
1295 .expect_policy = &snmp_exp_policy,
1296 .name = "snmp_trap",
1297 .tuple.src.l3num = AF_INET,
1298 .tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
1299 .tuple.dst.protonum = IPPROTO_UDP,
1302 /*****************************************************************************
1306 *****************************************************************************/
1308 static int __init nf_nat_snmp_basic_init(void)
1312 BUG_ON(nf_nat_snmp_hook != NULL);
1313 rcu_assign_pointer(nf_nat_snmp_hook, help);
1315 ret = nf_conntrack_helper_register(&snmp_trap_helper);
1317 nf_conntrack_helper_unregister(&snmp_helper);
1323 static void __exit nf_nat_snmp_basic_fini(void)
1325 rcu_assign_pointer(nf_nat_snmp_hook, NULL);
1326 nf_conntrack_helper_unregister(&snmp_trap_helper);
1329 module_init(nf_nat_snmp_basic_init);
1330 module_exit(nf_nat_snmp_basic_fini);
1332 module_param(debug, int, 0600);
git.openpandora.org / pandora-kernel.git / blob