ip_pptp_pxy.c - net/ipfilter - Rivoreo Source Code Repositories

 /*
  * Copyright (C) 2002-2003 by Darren Reed
  *
  * Simple PPTP transparent proxy for in-kernel use.  For use with the NAT
  * code.
  *
  * $Id$
  *
  */
 #define	IPF_PPTP_PROXY

 typedef	struct pptp_pxy {
 	ipnat_t		pptp_rule;
 	nat_t		*pptp_nat;
 	ipstate_t	*pptp_state;
 	int		pptp_seencookie;
 	u_32_t		pptp_cookie;
 } pptp_pxy_t;


 int ippr_pptp_init __P((void));
 void ippr_pptp_fini __P((void));
 int ippr_pptp_new __P((fr_info_t *, ap_session_t *, nat_t *));
 void ippr_pptp_del __P((ap_session_t *));
 int ippr_pptp_inout __P((fr_info_t *, ap_session_t *, nat_t *));
 int ippr_pptp_match __P((fr_info_t *, ap_session_t *, nat_t *));

 static	frentry_t	pptpfr;

 int	pptp_proxy_init = 0;


 /*
  * PPTP application proxy initialization.
  */
 int ippr_pptp_init()
 {
 	bzero((char *)&pptpfr, sizeof(pptpfr));
 	pptpfr.fr_ref = 1;
 	pptpfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
 	MUTEX_INIT(&pptpfr.fr_lock, "PPTP proxy rule lock");
 	pptp_proxy_init = 1;

 	return 0;
 }


 void ippr_pptp_fini()
 {
 	if (pptp_proxy_init == 1) {
 		MUTEX_DESTROY(&pptpfr.fr_lock);
 		pptp_proxy_init = 0;
 	}
 }


 /*
  * Setup for a new PPTP proxy.
  */
 int ippr_pptp_new(fin, aps, nat)
 fr_info_t *fin;
 ap_session_t *aps;
 nat_t *nat;
 {
 	pptp_pxy_t *pptp;
 	fr_info_t fi;
 	ipnat_t *ipn;
 	nat_t *nat2;
 	int p, off;
 	ip_t *ip;

 	ip = fin->fin_ip;
 	off = fin->fin_hlen + sizeof(udphdr_t);

 	if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
 			  ip->ip_dst) != NULL)
 		return -1;

 	aps->aps_psiz = sizeof(*pptp);
 	KMALLOCS(aps->aps_data, pptp_pxy_t *, sizeof(*pptp));
 	if (aps->aps_data == NULL)
 		return -1;

 	ip = fin->fin_ip;
 	pptp = aps->aps_data;
 	bzero((char *)pptp, sizeof(*pptp));

 	/*
 	 * Create NAT rule against which the tunnel/transport mapping is
 	 * created.  This is required because the current NAT rule does not
 	 * describe GRE but TCP instead.
 	 */
 	ipn = &pptp->pptp_rule;
 	ipn->in_ifps[0] = fin->fin_ifp;
 	ipn->in_apr = NULL;
 	ipn->in_use = 1;
 	ipn->in_hits = 1;
 	ipn->in_nip = ntohl(nat->nat_outip.s_addr);
 	ipn->in_ippip = 1;
 	ipn->in_inip = nat->nat_inip.s_addr;
 	ipn->in_inmsk = 0xffffffff;
 	ipn->in_outip = fin->fin_saddr;
 	ipn->in_outmsk = nat->nat_outip.s_addr;
 	ipn->in_srcip = fin->fin_saddr;
 	ipn->in_srcmsk = 0xffffffff;
 	ipn->in_redir = NAT_MAP;
 	bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
 	      sizeof(ipn->in_ifnames[0]));
 	ipn->in_p = IPPROTO_GRE;

 	bcopy((char *)fin, (char *)&fi, sizeof(fi));
 	fi.fin_fi.fi_p = IPPROTO_GRE;
 	fi.fin_fr = &pptpfr;
 	fi.fin_data[0] = 0;
 	fi.fin_data[1] = 0;
 	p = ip->ip_p;
 	ip->ip_p = IPPROTO_GRE;
 	fi.fin_flx &= ~FI_TCPUDP;
 	fi.fin_flx |= FI_IGNORE;

 	nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, 0, NAT_OUTBOUND);
 	pptp->pptp_nat = nat2;
 	if (nat2 != NULL) {
 		(void) nat_proto(&fi, nat2, 0);
 		nat_update(&fi, nat2, nat2->nat_ptr);

 		fi.fin_data[0] = 0;
 		fi.fin_data[1] = 0;
 		pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state, 0);
 	}
 	ip->ip_p = p;
 	return 0;
 }


 /*
  * For outgoing PPTP packets.  refresh timeouts for NAT & state entries, if
  * we can.  If they have disappeared, recreate them.
  */
 int ippr_pptp_inout(fin, aps, nat)
 fr_info_t *fin;
 ap_session_t *aps;
 nat_t *nat;
 {
 	pptp_pxy_t *pptp;
 	fr_info_t fi;
 	nat_t *nat2;
 	ip_t *ip;
 	int p;

 	if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
 		return 0;

 	if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
 		return 0;

 	pptp = aps->aps_data;

 	if (pptp != NULL) {
 		ip = fin->fin_ip;
 		p = ip->ip_p;

 		if ((pptp->pptp_nat == NULL) || (pptp->pptp_state == NULL)) {
 			bcopy((char *)fin, (char *)&fi, sizeof(fi));
 			fi.fin_fi.fi_p = IPPROTO_GRE;
 			fi.fin_fr = &pptpfr;
 			fi.fin_data[0] = 0;
 			fi.fin_data[1] = 0;
 			ip->ip_p = IPPROTO_GRE;
 			fi.fin_flx &= ~FI_TCPUDP;
 			fi.fin_flx |= FI_IGNORE;
 		}

 		/*
 		 * Update NAT timeout/create NAT if missing.
 		 */
 		if (pptp->pptp_nat != NULL)
 			fr_queueback(&pptp->pptp_nat->nat_tqe);
 		else {
 			nat2 = nat_new(&fi, &pptp->pptp_rule, &pptp->pptp_nat,
 				       NAT_SLAVE, nat->nat_dir);
 			pptp->pptp_nat = nat2;
 			if (nat2 != NULL) {
 				(void) nat_proto(&fi, nat2, 0);
 				nat_update(&fi, nat2, nat2->nat_ptr);
 			}
 		}

 		/*
 		 * Update state timeout/create state if missing.
 		 */
 		READ_ENTER(&ipf_state);
 		if (pptp->pptp_state != NULL) {
 			fr_queueback(&pptp->pptp_state->is_sti);
 			RWLOCK_EXIT(&ipf_state);
 		} else {
 			RWLOCK_EXIT(&ipf_state);
 			fi.fin_data[0] = 0;
 			fi.fin_data[1] = 0;
 			pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state,
 						       0);
 		}
 		ip->ip_p = p;
 	}
 	return 0;
 }


 /*
  * clean up after ourselves.
  */
 void ippr_pptp_del(aps)
 ap_session_t *aps;
 {
 	pptp_pxy_t *pptp;

 	pptp = aps->aps_data;

 	if (pptp != NULL) {
 		/*
 		 * Don't bother changing any of the NAT structure details,
 		 * *_del() is on a callback from aps_free(), from nat_delete()
 		 */

 		READ_ENTER(&ipf_state);
 		if (pptp->pptp_state != NULL) {
 			pptp->pptp_state->is_die = fr_ticks + 1;
 			pptp->pptp_state->is_me = NULL;
 			fr_queuefront(&pptp->pptp_state->is_sti);
 		}
 		RWLOCK_EXIT(&ipf_state);

 		pptp->pptp_state = NULL;
 		pptp->pptp_nat = NULL;
 	}
 }


 int ippr_pptp_match(fin, aps, nat)
 fr_info_t *fin;
 ap_session_t *aps;
 nat_t *nat;
 {
 	pptp_pxy_t *pptp;
 	tcphdr_t *tcp;
 	u_32_t cookie;

 	pptp = aps->aps_data;
 	tcp = fin->fin_dp;

 	if ((pptp != NULL) && (fin->fin_dlen - (TCP_OFF(tcp) << 2) >= 8)) {
 		u_char *cs;

 		cs = (u_char *)tcp + (TCP_OFF(tcp) << 2) + 4;

 		if (pptp->pptp_seencookie == 0) {
 			pptp->pptp_seencookie = 1;
 			pptp->pptp_cookie = (cs[0] << 24) | (cs[1] << 16) |
 					    (cs[2] << 8) | cs[3];
 		} else {
 			cookie = (cs[0] << 24) | (cs[1] << 16) |
 				 (cs[2] << 8) | cs[3];
 			if (cookie != pptp->pptp_cookie)
 				return -1;
 		}

 	}
 	return 0;
 }
	/*
	* Copyright (C) 2002-2003 by Darren Reed
	*
	* Simple PPTP transparent proxy for in-kernel use. For use with the NAT
	* code.
	*
	* $Id$
	*
	*/
	#define IPF_PPTP_PROXY

	typedef struct pptp_pxy {
	ipnat_t pptp_rule;
	nat_t *pptp_nat;
	ipstate_t *pptp_state;
	int pptp_seencookie;
	u_32_t pptp_cookie;
	} pptp_pxy_t;


	int ippr_pptp_init __P((void));
	void ippr_pptp_fini __P((void));
	int ippr_pptp_new __P((fr_info_t , ap_session_t , nat_t *));
	void ippr_pptp_del __P((ap_session_t *));
	int ippr_pptp_inout __P((fr_info_t , ap_session_t , nat_t *));
	int ippr_pptp_match __P((fr_info_t , ap_session_t , nat_t *));

	static frentry_t pptpfr;

	int pptp_proxy_init = 0;


	/*
	* PPTP application proxy initialization.
	*/
	int ippr_pptp_init()
	{
	bzero((char *)&pptpfr, sizeof(pptpfr));
	pptpfr.fr_ref = 1;
	pptpfr.fr_flags = FR_OUTQUE\|FR_PASS\|FR_QUICK\|FR_KEEPSTATE;
	MUTEX_INIT(&pptpfr.fr_lock, "PPTP proxy rule lock");
	pptp_proxy_init = 1;

	return 0;
	}


	void ippr_pptp_fini()
	{
	if (pptp_proxy_init == 1) {
	MUTEX_DESTROY(&pptpfr.fr_lock);
	pptp_proxy_init = 0;
	}
	}


	/*
	* Setup for a new PPTP proxy.
	*/
	int ippr_pptp_new(fin, aps, nat)
	fr_info_t *fin;
	ap_session_t *aps;
	nat_t *nat;
	{
	pptp_pxy_t *pptp;
	fr_info_t fi;
	ipnat_t *ipn;
	nat_t *nat2;
	int p, off;
	ip_t *ip;

	ip = fin->fin_ip;
	off = fin->fin_hlen + sizeof(udphdr_t);

	if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
	ip->ip_dst) != NULL)
	return -1;

	aps->aps_psiz = sizeof(*pptp);
	KMALLOCS(aps->aps_data, pptp_pxy_t , sizeof(pptp));
	if (aps->aps_data == NULL)
	return -1;

	ip = fin->fin_ip;
	pptp = aps->aps_data;
	bzero((char )pptp, sizeof(pptp));

	/*
	* Create NAT rule against which the tunnel/transport mapping is
	* created. This is required because the current NAT rule does not
	* describe GRE but TCP instead.
	*/
	ipn = &pptp->pptp_rule;
	ipn->in_ifps[0] = fin->fin_ifp;
	ipn->in_apr = NULL;
	ipn->in_use = 1;
	ipn->in_hits = 1;
	ipn->in_nip = ntohl(nat->nat_outip.s_addr);
	ipn->in_ippip = 1;
	ipn->in_inip = nat->nat_inip.s_addr;
	ipn->in_inmsk = 0xffffffff;
	ipn->in_outip = fin->fin_saddr;
	ipn->in_outmsk = nat->nat_outip.s_addr;
	ipn->in_srcip = fin->fin_saddr;
	ipn->in_srcmsk = 0xffffffff;
	ipn->in_redir = NAT_MAP;
	bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
	sizeof(ipn->in_ifnames[0]));
	ipn->in_p = IPPROTO_GRE;

	bcopy((char )fin, (char )&fi, sizeof(fi));
	fi.fin_fi.fi_p = IPPROTO_GRE;
	fi.fin_fr = &pptpfr;
	fi.fin_data[0] = 0;
	fi.fin_data[1] = 0;
	p = ip->ip_p;
	ip->ip_p = IPPROTO_GRE;
	fi.fin_flx &= ~FI_TCPUDP;
	fi.fin_flx \|= FI_IGNORE;

	nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, 0, NAT_OUTBOUND);
	pptp->pptp_nat = nat2;
	if (nat2 != NULL) {
	(void) nat_proto(&fi, nat2, 0);
	nat_update(&fi, nat2, nat2->nat_ptr);

	fi.fin_data[0] = 0;
	fi.fin_data[1] = 0;
	pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state, 0);
	}
	ip->ip_p = p;
	return 0;
	}


	/*
	* For outgoing PPTP packets. refresh timeouts for NAT & state entries, if
	* we can. If they have disappeared, recreate them.
	*/
	int ippr_pptp_inout(fin, aps, nat)
	fr_info_t *fin;
	ap_session_t *aps;
	nat_t *nat;
	{
	pptp_pxy_t *pptp;
	fr_info_t fi;
	nat_t *nat2;
	ip_t *ip;
	int p;

	if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
	return 0;

	if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
	return 0;

	pptp = aps->aps_data;

	if (pptp != NULL) {
	ip = fin->fin_ip;
	p = ip->ip_p;

	if ((pptp->pptp_nat == NULL) \|\| (pptp->pptp_state == NULL)) {
	bcopy((char )fin, (char )&fi, sizeof(fi));
	fi.fin_fi.fi_p = IPPROTO_GRE;
	fi.fin_fr = &pptpfr;
	fi.fin_data[0] = 0;
	fi.fin_data[1] = 0;
	ip->ip_p = IPPROTO_GRE;
	fi.fin_flx &= ~FI_TCPUDP;
	fi.fin_flx \|= FI_IGNORE;
	}

	/*
	* Update NAT timeout/create NAT if missing.
	*/
	if (pptp->pptp_nat != NULL)
	fr_queueback(&pptp->pptp_nat->nat_tqe);
	else {
	nat2 = nat_new(&fi, &pptp->pptp_rule, &pptp->pptp_nat,
	NAT_SLAVE, nat->nat_dir);
	pptp->pptp_nat = nat2;
	if (nat2 != NULL) {
	(void) nat_proto(&fi, nat2, 0);
	nat_update(&fi, nat2, nat2->nat_ptr);
	}
	}

	/*
	* Update state timeout/create state if missing.
	*/
	READ_ENTER(&ipf_state);
	if (pptp->pptp_state != NULL) {
	fr_queueback(&pptp->pptp_state->is_sti);
	RWLOCK_EXIT(&ipf_state);
	} else {
	RWLOCK_EXIT(&ipf_state);
	fi.fin_data[0] = 0;
	fi.fin_data[1] = 0;
	pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state,
	0);
	}
	ip->ip_p = p;
	}
	return 0;
	}


	/*
	* clean up after ourselves.
	*/
	void ippr_pptp_del(aps)
	ap_session_t *aps;
	{
	pptp_pxy_t *pptp;

	pptp = aps->aps_data;

	if (pptp != NULL) {
	/*
	* Don't bother changing any of the NAT structure details,
	* *_del() is on a callback from aps_free(), from nat_delete()
	*/

	READ_ENTER(&ipf_state);
	if (pptp->pptp_state != NULL) {
	pptp->pptp_state->is_die = fr_ticks + 1;
	pptp->pptp_state->is_me = NULL;
	fr_queuefront(&pptp->pptp_state->is_sti);
	}
	RWLOCK_EXIT(&ipf_state);

	pptp->pptp_state = NULL;
	pptp->pptp_nat = NULL;
	}
	}


	int ippr_pptp_match(fin, aps, nat)
	fr_info_t *fin;
	ap_session_t *aps;
	nat_t *nat;
	{
	pptp_pxy_t *pptp;
	tcphdr_t *tcp;
	u_32_t cookie;

	pptp = aps->aps_data;
	tcp = fin->fin_dp;

	if ((pptp != NULL) && (fin->fin_dlen - (TCP_OFF(tcp) << 2) >= 8)) {
	u_char *cs;

	cs = (u_char *)tcp + (TCP_OFF(tcp) << 2) + 4;

	if (pptp->pptp_seencookie == 0) {
	pptp->pptp_seencookie = 1;
	pptp->pptp_cookie = (cs[0] << 24) \| (cs[1] << 16) \|
	(cs[2] << 8) \| cs[3];
	} else {
	cookie = (cs[0] << 24) \| (cs[1] << 16) \|
	(cs[2] << 8) \| cs[3];
	if (cookie != pptp->pptp_cookie)
	return -1;
	}

	}
	return 0;
	}