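/*
 * nf_nat_snmp_basic.c
 *
 * Basic SNMP Application Layer Gateway
 *
 * This IP NAT module is intended for use with SNMP network
 * discovery and monitoring applications where target networks use
 * conflicting private address realms.
 *
 * Static NAT is used to remap the networks from the view of the network
 * management system at the IP layer, and this module remaps some application
 * layer addresses to match.
 *
 * The simplest form of ALG is performed, where only tagged IP addresses
 * are modified.  The module does not need to be MIB aware and only scans
 * messages at the ASN.1/BER level.
 *
 * Currently, only SNMPv1 and SNMPv2 are supported.
 *
 * More information on ALG and associated issues can be found in
 * RFC 2962
 *
 * The ASN.1/BER parsing code is derived from the gxsnmp package by Gregory
 * McLean & Jochen Friedrich, stripped down for use in the kernel.
 *
 * Copyright (c) 2000 RP Internet (www.rpi.net.au).
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 *
 * Author: James Morris <jmorris@intercode.com.au>
 *
 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
 */
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <net/checksum.h>
#include <net/udp.h>

#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <linux/netfilter/nf_conntrack_snmp.h>
#include "nf_nat_snmp_basic.asn1.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");

#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162

/*
 * Serialises snmp_translate() across CPUs.
 * NOTE(review): all per-packet state lives in the on-stack struct snmp_ctx,
 * so this lock may be historical -- confirm before relying on it or
 * removing it.
 */
static DEFINE_SPINLOCK(snmp_lock);

/*
 * Per-packet state handed to the ASN.1 decoder callbacks.
 *
 * @begin: start of the UDP payload; the byte offset of a rewritten address
 *         relative to this is what fast_csum() needs (only its parity).
 * @check: the UDP checksum field of the packet being mangled.
 * @from:  IPv4 address to look for inside the SNMP payload (network order).
 * @to:    address it is replaced with (network order).
 */
struct snmp_ctx {
	unsigned char *begin;
	__sum16 *check;
	__be32 from;
	__be32 to;
};

/*
 * fast_csum - incrementally patch the UDP checksum for one address rewrite
 * @ctx:    translation context; *ctx->check is updated in place
 * @offset: byte offset of the rewritten address within the UDP payload.
 *          Deliberately narrow: only its parity is consulted.
 *
 * Implements the RFC 1624 update HC' = ~(~HC + ~m + m'), with m = ctx->from
 * and m' = ctx->to: the scratch buffer @s carries the one's complement of
 * the old value followed by the new value, the partial sum is seeded with
 * ~HC and csum_fold() applies the final complement.
 *
 * Checksum words are 16 bits wide and aligned to the start of the UDP
 * header; the payload begins 8 bytes in, so an address at an odd payload
 * offset straddles word boundaries.  In that case each value is placed at
 * an odd position inside a 6-byte window, and the pad bytes around the old
 * value are set to 0xff so that the window is exactly ~(0, from, 0).
 */
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
	unsigned char s[12] = {0,};
	int size;

	if (offset & 1) {
		/* odd offset: [pad ~from pad] [pad to pad] */
		memcpy(&s[1], &ctx->from, 4);
		memcpy(&s[7], &ctx->to, 4);
		s[0] = ~0;
		s[1] = ~s[1];
		s[2] = ~s[2];
		s[3] = ~s[3];
		s[4] = ~s[4];
		s[5] = ~0;
		size = 12;
	} else {
		/* even offset: [~from] [to] */
		memcpy(&s[0], &ctx->from, 4);
		memcpy(&s[4], &ctx->to, 4);
		s[0] = ~s[0];
		s[1] = ~s[1];
		s[2] = ~s[2];
		s[3] = ~s[3];
		size = 8;
	}
	*ctx->check = csum_fold(csum_partial(s, size,
					     ~csum_unfold(*ctx->check)));
}

/*
 * snmp_version - ASN.1 callback for the SNMP message version INTEGER
 *
 * @datalen comes from the length octets of the (untrusted) packet, not
 * from the grammar, so it is validated before @data is dereferenced.
 * Version 0 (SNMPv1) and 1 (SNMPv2c) are accepted; anything larger aborts
 * the decode with -ENOTSUPP, matching the "SNMPv1 and SNMPv2 only"
 * contract in the file header.
 *
 * Return: 1 to continue decoding, a negative errno to abort it.
 */
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
		 const void *data, size_t datalen)
{
	/* A version INTEGER that is not exactly one octet is malformed. */
	if (datalen != 1)
		return -EINVAL;
	if (*(unsigned char *)data > 1)
		return -ENOTSUPP;
	return 1;
}

/*
 * snmp_helper - ASN.1 callback for a tagged IPv4 address in the payload
 *
 * If the four-octet value equals ctx->from it is rewritten to ctx->to and
 * the UDP checksum is patched incrementally.  A zero UDP checksum means
 * "no checksum" and is left untouched.  As in snmp_version(), @datalen is
 * packet-controlled and must be checked before @data is read.
 *
 * Return: 1 to continue decoding, -EINVAL if the value is not 4 octets.
 */
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
		const void *data, size_t datalen)
{
	struct snmp_ctx *ctx = (struct snmp_ctx *)context;
	__be32 *pdata;

	/* An IpAddress is exactly four octets; anything else is malformed. */
	if (datalen != 4)
		return -EINVAL;
	pdata = (__be32 *)data;

	if (*pdata == ctx->from) {
		pr_debug("%s: %pI4 to %pI4\n", __func__,
			 (void *)&ctx->from, (void *)&ctx->to);

		/* Checksum 0 == none; only patch a real checksum. */
		if (*ctx->check)
			fast_csum(ctx, (unsigned char *)data - ctx->begin);
		*pdata = ctx->to;
	}

	return 1;
}

/*
 * snmp_translate - run the BER decoder over the SNMP payload
 * @ct:  the connection, whose tuples record the pre- and post-NAT addresses
 * @dir: packet direction within the connection
 * @skb: the (already writable) packet
 *
 * Derives which address NAT rewrote at the IP layer (@from) and what it
 * became (@to) from the conntrack tuples, then lets the decoder invoke
 * snmp_helper() for every tagged address in the payload.
 *
 * Return: NF_ACCEPT, or NF_DROP when the payload does not parse.
 */
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
	struct iphdr *iph = ip_hdr(skb);
	struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
	/* help() has verified udph->len against skb->len; the IP header plus
	 * 8 bytes are guaranteed present, so this cannot wrap below zero.
	 */
	u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
	unsigned char *data = (unsigned char *)udph + sizeof(struct udphdr);
	struct snmp_ctx ctx;
	int ret;

	if (dir == IP_CT_DIR_ORIGINAL) {
		ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
	} else {
		ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
		ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
	}

	/* Nothing was rewritten at the IP layer for this address. */
	if (ctx.from == ctx.to)
		return NF_ACCEPT;

	ctx.begin = data;
	ctx.check = &udph->check;
	ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
	if (ret < 0) {
		nf_ct_helper_log(skb, ct, "parser failed\n");
		return NF_DROP;
	}

	return NF_ACCEPT;
}

/* We don't actually set up expectations, just adjust internal IP
 * addresses if this is being NATted
 */
static int help(struct sk_buff *skb, unsigned int protoff,
		struct nf_conn *ct,
		enum ip_conntrack_info ctinfo)
{
	int dir = CTINFO2DIR(ctinfo);
	unsigned int ret;
	const struct iphdr *iph = ip_hdr(skb);
	const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);

	/* SNMP replies and originating SNMP traps get mangled */
	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
		return NF_ACCEPT;
	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
		return NF_ACCEPT;

	/* No NAT? */
	if (!(ct->status & IPS_NAT_MASK))
		return NF_ACCEPT;

	/* Make sure the packet length is ok. So far, we were only guaranteed
	 * to have a valid length IP header plus 8 bytes, which means we have
	 * enough room for a UDP header. Just verify the UDP length field so we
	 * can mess around with the payload.
	 */
	if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
		nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
		return NF_DROP;
	}

	/* The payload is rewritten in place, so we need a private copy.
	 * iph/udph are not used past this point: skb_make_writable() may
	 * have relocated the data, and snmp_translate() recomputes them.
	 */
	if (!skb_make_writable(skb, skb->len)) {
		nf_ct_helper_log(skb, ct, "cannot mangle packet");
		return NF_DROP;
	}

	spin_lock_bh(&snmp_lock);
	ret = snmp_translate(ct, dir, skb);
	spin_unlock_bh(&snmp_lock);
	return ret;
}

/* No expectations are ever created (see help()); the policy only carries
 * the helper timeout.
 */
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
	.max_expected = 0,
	.timeout = 180,
};

/* Conntrack helper for SNMP traps (UDP/162); plain SNMP (UDP/161) reaches
 * help() through nf_nat_snmp_hook instead.
 */
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
	.me = THIS_MODULE,
	.help = help,
	.expect_policy = &snmp_exp_policy,
	.name = "snmp_trap",
	.tuple.src.l3num = AF_INET,
	.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
	.tuple.dst.protonum = IPPROTO_UDP,
};

static int __init nf_nat_snmp_basic_init(void)
{
	/* Only one NAT SNMP helper may publish itself through the hook. */
	BUG_ON(nf_nat_snmp_hook != NULL);
	RCU_INIT_POINTER(nf_nat_snmp_hook, help);

	return nf_conntrack_helper_register(&snmp_trap_helper);
}

static void __exit nf_nat_snmp_basic_fini(void)
{
	/* Unpublish the hook and wait for in-flight readers before the
	 * helper (and this module's text) goes away.
	 */
	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
	synchronize_rcu();
	nf_conntrack_helper_unregister(&snmp_trap_helper);
}

module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);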