authorPablo Neira Ayuso <pablo@netfilter.org>2013-10-02 19:21:01 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2013-10-03 10:51:03 +0200
commitea753a152cbf3a2658b5ec5bacfb738c13a4c476 (patch)
tree2d488dc6b7d937cd84a1734b309b7afc2a643c1b /src
parent9b99aa2980574f4d3bf26145a1bf8bd69d34e764 (diff)
conntrackd: cthelper: add TFTP helper
This patch adds a userspace port of the TFTP helper that is currently implemented in the kernel. This includes NAT support. It requires a Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/expect.c24
-rw-r--r--src/helpers/Makefile.am5
-rw-r--r--src/helpers/tftp.c138
3 files changed, 167 insertions, 0 deletions
diff --git a/src/expect.c b/src/expect.c
index 470b9ae..bba0ed7 100644
--- a/src/expect.c
+++ b/src/expect.c
@@ -212,3 +212,27 @@ cthelper_get_addr_dst(struct nf_conntrack *ct, int dir,
break;
}
}
+
+void cthelper_get_port_src(struct nf_conntrack *ct, int dir, uint16_t *port)
+{
+ switch (dir) {
+ case MYCT_DIR_ORIG:
+ *port = nfct_get_attr_u16(ct, ATTR_PORT_SRC);
+ break;
+ case MYCT_DIR_REPL:
+ *port = nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC);
+ break;
+ }
+}
+
+void cthelper_get_port_dst(struct nf_conntrack *ct, int dir, uint16_t *port)
+{
+ switch (dir) {
+ case MYCT_DIR_ORIG:
+ *port = nfct_get_attr_u16(ct, ATTR_PORT_DST);
+ break;
+ case MYCT_DIR_REPL:
+ *port = nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST);
+ break;
+ }
+}
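Review bot: cthelper_get_port_src and cthelper_get_port_dst leave *port untouched when dir is neither MYCT_DIR_ORIG nor MYCT_DIR_REPL, so a caller that passes an uninitialized variable — tftp.c's tftp_helper_cb declares `uint16_t dport;` with no initializer — would hand indeterminate data on to cthelper_expect_init. Adding `default: *port = 0; break;` to both switches, or returning an int the caller can check, makes the miss explicit instead of silent; the same shape appears in the tail of cthelper_get_addr_dst above, whose body starts outside this hunk. A one-line header comment per function would also help a reader, e.g. `/* Store the L4 source (resp. destination) port of ct's tuple for direction dir in *port, as returned by nfct_get_attr_u16(). */`.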
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index ad380e3..216a5a7 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -3,6 +3,7 @@ include $(top_srcdir)/Make_global.am
pkglib_LTLIBRARIES = ct_helper_dhcpv6.la \
ct_helper_ftp.la \
ct_helper_rpc.la \
+ ct_helper_tftp.la \
ct_helper_tns.la \
ct_helper_sane.la
@@ -18,6 +19,10 @@ ct_helper_rpc_la_SOURCES = rpc.c
ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_tftp_la_SOURCES = tftp.c
+ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
ct_helper_tns_la_SOURCES = tns.c
ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
diff --git a/src/helpers/tftp.c b/src/helpers/tftp.c
new file mode 100644
index 0000000..45591c6
--- /dev/null
+++ b/src/helpers/tftp.c
@@ -0,0 +1,138 @@
+/*
+ * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Adapted from:
+ *
+ * (C) 2001-2002 Magnus Boden <mb@ozaba.mine.nu>
+ * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+#include <errno.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_udp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+struct tftphdr {
+ uint16_t opcode;
+};
+
+#define TFTP_OPCODE_READ 1
+#define TFTP_OPCODE_WRITE 2
+#define TFTP_OPCODE_DATA 3
+#define TFTP_OPCODE_ACK 4
+#define TFTP_OPCODE_ERROR 5
+
+static unsigned int nat_tftp(struct pkt_buff *pkt, uint32_t ctinfo,
+ struct nf_conntrack *ct, struct nf_expect *exp)
+{
+ struct nf_conntrack *nat_tuple;
+ static uint32_t zero[4] = { 0, 0, 0, 0 };
+
+ nat_tuple = nfct_new();
+ if (nat_tuple == NULL)
+ return NF_ACCEPT;
+
+ switch (nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+ nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+ break;
+ case AF_INET6:
+ nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET6);
+ nfct_set_attr(nat_tuple, ATTR_IPV6_SRC, &zero);
+ nfct_set_attr(nat_tuple, ATTR_IPV6_DST, &zero);
+ break;
+ }
+ nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, IPPROTO_UDP);
+ nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC,
+ nfct_get_attr_u16(ct, ATTR_PORT_SRC));
+ nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+ nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, MYCT_DIR_REPL);
+ nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+ nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+ return NF_ACCEPT;
+}
+
+static int
+tftp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ struct myct *myct, uint32_t ctinfo)
+{
+ const struct tftphdr *tfh;
+ struct nf_expect *exp;
+ unsigned int ret = NF_ACCEPT;
+ union nfct_attr_grp_addr saddr, daddr;
+ uint16_t dport;
+
+ tfh = (struct tftphdr *)(pktb_network_header(pkt) + protoff + sizeof(struct udphdr));
+
+ switch (ntohs(tfh->opcode)) {
+ case TFTP_OPCODE_READ:
+ case TFTP_OPCODE_WRITE:
+ /* RRQ and WRQ works the same way */
+ exp = nfexp_new();
+ if (exp == NULL) {
+ pr_debug("cannot alloc expectation\n");
+ return NF_DROP;
+ }
+
+ cthelper_get_addr_src(myct->ct, MYCT_DIR_REPL, &saddr);
+ cthelper_get_addr_dst(myct->ct, MYCT_DIR_REPL, &daddr);
+ cthelper_get_port_dst(myct->ct, MYCT_DIR_REPL, &dport);
+
+ if (cthelper_expect_init(exp, myct->ct, 0, &saddr, &daddr,
+ IPPROTO_UDP, NULL, &dport, 0)) {
+ nfexp_destroy(exp);
+ return NF_DROP;
+ }
+
+ if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK)
+ ret = nat_tftp(pkt, ctinfo, myct->ct, exp);
+
+ myct->exp = exp;
+ break;
+ case TFTP_OPCODE_DATA:
+ case TFTP_OPCODE_ACK:
+ pr_debug("Data/ACK opcode\n");
+ break;
+ case TFTP_OPCODE_ERROR:
+ pr_debug("Error opcode\n");
+ break;
+ default:
+ pr_debug("Unknown opcode\n");
+ }
+ return ret;
+}
+
+static struct ctd_helper tftp_helper = {
+ .name = "tftp",
+ .l4proto = IPPROTO_UDP,
+ .cb = tftp_helper_cb,
+ .policy = {
+ [0] = {
+ .name = "tftp",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static void __attribute__ ((constructor)) tftp_init(void)
+{
+ helper_register(&tftp_helper);
+}
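Review bot: tftp_helper_cb dereferences tfh->opcode without checking that the packet carries at least sizeof(struct udphdr) + sizeof(struct tftphdr) bytes past protoff, so an empty or one-byte UDP datagram steered to this helper reads past the payload. A guard before the switch such as `if (pktb_len(pkt) < protoff + sizeof(struct udphdr) + sizeof(struct tftphdr)) return NF_ACCEPT;` closes that, assuming protoff is measured from the network header as the pktb_network_header() arithmetic suggests. Separately, nat_tftp never releases nat_tuple after nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple); if libnetfilter_conntrack copies the tuple into the expectation rather than taking ownership, one nf_conntrack leaks per NATed RRQ/WRQ, which is worth confirming against the ftp helper's NAT path. nat_tftp's pkt and ctinfo parameters are also unused, and a short comment on the policy entry would help, e.g. `/* one expectation per control flow; the data channel must appear within 5 minutes */`.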