Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nf_conntrack_proto_gre.c
Go to the documentation of this file.
1 /*
2  * ip_conntrack_proto_gre.c - Version 3.0
3  *
4  * Connection tracking protocol helper module for GRE.
5  *
6  * GRE is a generic encapsulation protocol, which is generally not very
7  * suited for NAT, as it has no protocol-specific part as port numbers.
8  *
9  * It has an optional key field, which may help us distinguishing two
10  * connections between the same two hosts.
11  *
12  * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
13  *
14  * PPTP is built on top of a modified version of GRE, and has a mandatory
15  * field called "CallID", which serves us for the same purpose as the key
16  * field in plain GRE.
17  *
18  * Documentation about PPTP can be found in RFC 2637
19  *
20  * (C) 2000-2005 by Harald Welte <[email protected]>
21  *
22  * Development of this code funded by Astaro AG (http://www.astaro.com/)
23  *
24  */
25 
26 #include <linux/module.h>
27 #include <linux/types.h>
28 #include <linux/timer.h>
29 #include <linux/list.h>
30 #include <linux/seq_file.h>
31 #include <linux/in.h>
32 #include <linux/netdevice.h>
33 #include <linux/skbuff.h>
34 #include <linux/slab.h>
35 #include <net/dst.h>
36 #include <net/net_namespace.h>
37 #include <net/netns/generic.h>
38 #include <net/netfilter/nf_conntrack_l4proto.h>
39 #include <net/netfilter/nf_conntrack_helper.h>
40 #include <net/netfilter/nf_conntrack_core.h>
41 #include <linux/netfilter/nf_conntrack_proto_gre.h>
42 #include <linux/netfilter/nf_conntrack_pptp.h>
43 
44 enum grep_conntrack {
45  GRE_CT_UNREPLIED,
46  GRE_CT_REPLIED,
47  GRE_CT_MAX
48 };
49 
50 static unsigned int gre_timeouts[GRE_CT_MAX] = {
51  [GRE_CT_UNREPLIED] = 30*HZ,
52  [GRE_CT_REPLIED] = 180*HZ,
53 };
54 
55 static int proto_gre_net_id __read_mostly;
56 struct netns_proto_gre {
57  struct nf_proto_net nf;
58  rwlock_t keymap_lock;
59  struct list_head keymap_list;
60  unsigned int gre_timeouts[GRE_CT_MAX];
61 };
62 
63 static inline struct netns_proto_gre *gre_pernet(struct net *net)
64 {
65  return net_generic(net, proto_gre_net_id);
66 }
67 
68 void nf_ct_gre_keymap_flush(struct net *net)
69 {
70  struct netns_proto_gre *net_gre = gre_pernet(net);
71  struct nf_ct_gre_keymap *km, *tmp;
72 
73  write_lock_bh(&net_gre->keymap_lock);
74  list_for_each_entry_safe(km, tmp, &net_gre->keymap_list, list) {
75  list_del(&km->list);
76  kfree(km);
77  }
78  write_unlock_bh(&net_gre->keymap_lock);
79 }
80 EXPORT_SYMBOL(nf_ct_gre_keymap_flush);
81 
82 static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km,
83  const struct nf_conntrack_tuple *t)
84 {
85  return km->tuple.src.l3num == t->src.l3num &&
86  !memcmp(&km->tuple.src.u3, &t->src.u3, sizeof(t->src.u3)) &&
87  !memcmp(&km->tuple.dst.u3, &t->dst.u3, sizeof(t->dst.u3)) &&
88  km->tuple.dst.protonum == t->dst.protonum &&
89  km->tuple.dst.u.all == t->dst.u.all;
90 }
91 
92 /* look up the source key for a given tuple */
93 static __be16 gre_keymap_lookup(struct net *net, struct nf_conntrack_tuple *t)
94 {
95  struct netns_proto_gre *net_gre = gre_pernet(net);
96  struct nf_ct_gre_keymap *km;
97  __be16 key = 0;
98 
99  read_lock_bh(&net_gre->keymap_lock);
100  list_for_each_entry(km, &net_gre->keymap_list, list) {
101  if (gre_key_cmpfn(km, t)) {
102  key = km->tuple.src.u.gre.key;
103  break;
104  }
105  }
106  read_unlock_bh(&net_gre->keymap_lock);
107 
108  pr_debug("lookup src key 0x%x for ", key);
109  nf_ct_dump_tuple(t);
110 
111  return key;
112 }
113 
114 /* add a single keymap entry, associate with specified master ct */
115 int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
116  struct nf_conntrack_tuple *t)
117 {
118  struct net *net = nf_ct_net(ct);
119  struct netns_proto_gre *net_gre = gre_pernet(net);
120  struct nf_ct_pptp_master *ct_pptp_info = nfct_help_data(ct);
121  struct nf_ct_gre_keymap **kmp, *km;
122 
123  kmp = &ct_pptp_info->keymap[dir];
124  if (*kmp) {
125  /* check whether it's a retransmission */
126  read_lock_bh(&net_gre->keymap_lock);
127  list_for_each_entry(km, &net_gre->keymap_list, list) {
128  if (gre_key_cmpfn(km, t) && km == *kmp) {
129  read_unlock_bh(&net_gre->keymap_lock);
130  return 0;
131  }
132  }
133  read_unlock_bh(&net_gre->keymap_lock);
134  pr_debug("trying to override keymap_%s for ct %p\n",
135  dir == IP_CT_DIR_REPLY ? "reply" : "orig", ct);
136  return -EEXIST;
137  }
138 
139  km = kmalloc(sizeof(*km), GFP_ATOMIC);
140  if (!km)
141  return -ENOMEM;
142  memcpy(&km->tuple, t, sizeof(*t));
143  *kmp = km;
144 
145  pr_debug("adding new entry %p: ", km);
146  nf_ct_dump_tuple(&km->tuple);
147 
148  write_lock_bh(&net_gre->keymap_lock);
149  list_add_tail(&km->list, &net_gre->keymap_list);
150  write_unlock_bh(&net_gre->keymap_lock);
151 
152  return 0;
153 }
154 EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_add);
155 
156 /* destroy the keymap entries associated with specified master ct */
157 void nf_ct_gre_keymap_destroy(struct nf_conn *ct)
158 {
159  struct net *net = nf_ct_net(ct);
160  struct netns_proto_gre *net_gre = gre_pernet(net);
161  struct nf_ct_pptp_master *ct_pptp_info = nfct_help_data(ct);
162  enum ip_conntrack_dir dir;
163 
164  pr_debug("entering for ct %p\n", ct);
165 
166  write_lock_bh(&net_gre->keymap_lock);
167  for (dir = IP_CT_DIR_ORIGINAL; dir < IP_CT_DIR_MAX; dir++) {
168  if (ct_pptp_info->keymap[dir]) {
169  pr_debug("removing %p from list\n",
170  ct_pptp_info->keymap[dir]);
171  list_del(&ct_pptp_info->keymap[dir]->list);
172  kfree(ct_pptp_info->keymap[dir]);
173  ct_pptp_info->keymap[dir] = NULL;
174  }
175  }
176  write_unlock_bh(&net_gre->keymap_lock);
177 }
178 EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_destroy);
179 
180 /* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
181 
182 /* invert gre part of tuple */
183 static bool gre_invert_tuple(struct nf_conntrack_tuple *tuple,
184  const struct nf_conntrack_tuple *orig)
185 {
186  tuple->dst.u.gre.key = orig->src.u.gre.key;
187  tuple->src.u.gre.key = orig->dst.u.gre.key;
188  return true;
189 }
190 
191 /* gre hdr info to tuple */
192 static bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
193  struct nf_conntrack_tuple *tuple)
194 {
195  struct net *net = dev_net(skb->dev ? skb->dev : skb_dst(skb)->dev);
196  const struct gre_hdr_pptp *pgrehdr;
197  struct gre_hdr_pptp _pgrehdr;
198  __be16 srckey;
199  const struct gre_hdr *grehdr;
200  struct gre_hdr _grehdr;
201 
202  /* first only delinearize old RFC1701 GRE header */
203  grehdr = skb_header_pointer(skb, dataoff, sizeof(_grehdr), &_grehdr);
204  if (!grehdr || grehdr->version != GRE_VERSION_PPTP) {
205  /* try to behave like "nf_conntrack_proto_generic" */
206  tuple->src.u.all = 0;
207  tuple->dst.u.all = 0;
208  return true;
209  }
210 
211  /* PPTP header is variable length, only need up to the call_id field */
212  pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr);
213  if (!pgrehdr)
214  return true;
215 
216  if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) {
217  pr_debug("GRE_VERSION_PPTP but unknown proto\n");
218  return false;
219  }
220 
221  tuple->dst.u.gre.key = pgrehdr->call_id;
222  srckey = gre_keymap_lookup(net, tuple);
223  tuple->src.u.gre.key = srckey;
224 
225  return true;
226 }
227 
228 /* print gre part of tuple */
229 static int gre_print_tuple(struct seq_file *s,
230  const struct nf_conntrack_tuple *tuple)
231 {
232  return seq_printf(s, "srckey=0x%x dstkey=0x%x ",
233  ntohs(tuple->src.u.gre.key),
234  ntohs(tuple->dst.u.gre.key));
235 }
236 
237 /* print private data for conntrack */
238 static int gre_print_conntrack(struct seq_file *s, struct nf_conn *ct)
239 {
240  return seq_printf(s, "timeout=%u, stream_timeout=%u ",
241  (ct->proto.gre.timeout / HZ),
242  (ct->proto.gre.stream_timeout / HZ));
243 }
244 
245 static unsigned int *gre_get_timeouts(struct net *net)
246 {
247  return gre_pernet(net)->gre_timeouts;
248 }
249 
250 /* Returns verdict for packet, and may modify conntrack */
251 static int gre_packet(struct nf_conn *ct,
252  const struct sk_buff *skb,
253  unsigned int dataoff,
254  enum ip_conntrack_info ctinfo,
255  u_int8_t pf,
256  unsigned int hooknum,
257  unsigned int *timeouts)
258 {
259  /* If we've seen traffic both ways, this is a GRE connection.
260  * Extend timeout. */
261  if (ct->status & IPS_SEEN_REPLY) {
262  nf_ct_refresh_acct(ct, ctinfo, skb,
263  ct->proto.gre.stream_timeout);
264  /* Also, more likely to be important, and not a probe. */
265  if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
266  nf_conntrack_event_cache(IPCT_ASSURED, ct);
267  } else
268  nf_ct_refresh_acct(ct, ctinfo, skb,
269  ct->proto.gre.timeout);
270 
271  return NF_ACCEPT;
272 }
273 
274 /* Called when a new connection for this protocol found. */
275 static bool gre_new(struct nf_conn *ct, const struct sk_buff *skb,
276  unsigned int dataoff, unsigned int *timeouts)
277 {
278  pr_debug(": ");
279  nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
280 
281  /* initialize to sane value. Ideally a conntrack helper
282  * (e.g. in case of pptp) is increasing them */
283  ct->proto.gre.stream_timeout = timeouts[GRE_CT_REPLIED];
284  ct->proto.gre.timeout = timeouts[GRE_CT_UNREPLIED];
285 
286  return true;
287 }
288 
289 /* Called when a conntrack entry has already been removed from the hashes
290  * and is about to be deleted from memory */
291 static void gre_destroy(struct nf_conn *ct)
292 {
293  struct nf_conn *master = ct->master;
294  pr_debug(" entering\n");
295 
296  if (!master)
297  pr_debug("no master !?!\n");
298  else
299  nf_ct_gre_keymap_destroy(master);
300 }
301 
302 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
303 
304 #include <linux/netfilter/nfnetlink.h>
305 #include <linux/netfilter/nfnetlink_cttimeout.h>
306 
307 static int gre_timeout_nlattr_to_obj(struct nlattr *tb[],
308  struct net *net, void *data)
309 {
310  unsigned int *timeouts = data;
311  struct netns_proto_gre *net_gre = gre_pernet(net);
312 
313  /* set default timeouts for GRE. */
314  timeouts[GRE_CT_UNREPLIED] = net_gre->gre_timeouts[GRE_CT_UNREPLIED];
315  timeouts[GRE_CT_REPLIED] = net_gre->gre_timeouts[GRE_CT_REPLIED];
316 
317  if (tb[CTA_TIMEOUT_GRE_UNREPLIED]) {
318  timeouts[GRE_CT_UNREPLIED] =
319  ntohl(nla_get_be32(tb[CTA_TIMEOUT_GRE_UNREPLIED])) * HZ;
320  }
321  if (tb[CTA_TIMEOUT_GRE_REPLIED]) {
322  timeouts[GRE_CT_REPLIED] =
323  ntohl(nla_get_be32(tb[CTA_TIMEOUT_GRE_REPLIED])) * HZ;
324  }
325  return 0;
326 }
327 
328 static int
329 gre_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
330 {
331  const unsigned int *timeouts = data;
332 
333  if (nla_put_be32(skb, CTA_TIMEOUT_GRE_UNREPLIED,
334  htonl(timeouts[GRE_CT_UNREPLIED] / HZ)) ||
335  nla_put_be32(skb, CTA_TIMEOUT_GRE_REPLIED,
336  htonl(timeouts[GRE_CT_REPLIED] / HZ)))
337  goto nla_put_failure;
338  return 0;
339 
340 nla_put_failure:
341  return -ENOSPC;
342 }
343 
344 static const struct nla_policy
345 gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = {
346  [CTA_TIMEOUT_GRE_UNREPLIED] = { .type = NLA_U32 },
347  [CTA_TIMEOUT_GRE_REPLIED] = { .type = NLA_U32 },
348 };
349 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
350 
351 static int gre_init_net(struct net *net, u_int16_t proto)
352 {
353  struct netns_proto_gre *net_gre = gre_pernet(net);
354  int i;
355 
356  rwlock_init(&net_gre->keymap_lock);
357  INIT_LIST_HEAD(&net_gre->keymap_list);
358  for (i = 0; i < GRE_CT_MAX; i++)
359  net_gre->gre_timeouts[i] = gre_timeouts[i];
360 
361  return 0;
362 }
363 
364 /* protocol helper struct */
365 static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
366  .l3proto = AF_INET,
367  .l4proto = IPPROTO_GRE,
368  .name = "gre",
369  .pkt_to_tuple = gre_pkt_to_tuple,
370  .invert_tuple = gre_invert_tuple,
371  .print_tuple = gre_print_tuple,
372  .print_conntrack = gre_print_conntrack,
373  .get_timeouts = gre_get_timeouts,
374  .packet = gre_packet,
375  .new = gre_new,
376  .destroy = gre_destroy,
377  .me = THIS_MODULE,
378 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
379  .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
380  .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
381  .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
382  .nla_policy = nf_ct_port_nla_policy,
383 #endif
384 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
385  .ctnl_timeout = {
386  .nlattr_to_obj = gre_timeout_nlattr_to_obj,
387  .obj_to_nlattr = gre_timeout_obj_to_nlattr,
388  .nlattr_max = CTA_TIMEOUT_GRE_MAX,
389  .obj_size = sizeof(unsigned int) * GRE_CT_MAX,
390  .nla_policy = gre_timeout_nla_policy,
391  },
392 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
393  .net_id = &proto_gre_net_id,
394  .init_net = gre_init_net,
395 };
396 
397 static int proto_gre_net_init(struct net *net)
398 {
399  int ret = 0;
400  ret = nf_conntrack_l4proto_register(net, &nf_conntrack_l4proto_gre4);
401  if (ret < 0)
402  pr_err("nf_conntrack_l4proto_gre4 :protocol register failed.\n");
403  return ret;
404 }
405 
406 static void proto_gre_net_exit(struct net *net)
407 {
408  nf_conntrack_l4proto_unregister(net, &nf_conntrack_l4proto_gre4);
409  nf_ct_gre_keymap_flush(net);
410 }
411 
412 static struct pernet_operations proto_gre_net_ops = {
413  .init = proto_gre_net_init,
414  .exit = proto_gre_net_exit,
415  .id = &proto_gre_net_id,
416  .size = sizeof(struct netns_proto_gre),
417 };
418 
419 static int __init nf_ct_proto_gre_init(void)
420 {
421  return register_pernet_subsys(&proto_gre_net_ops);
422 }
423 
424 static void __exit nf_ct_proto_gre_fini(void)
425 {
426  unregister_pernet_subsys(&proto_gre_net_ops);
427 }
428 
429 module_init(nf_ct_proto_gre_init);
430 module_exit(nf_ct_proto_gre_fini);
431 
432 MODULE_LICENSE("GPL");
Generated on Thu Jan 10 2013 15:00:33 for Linux Kernel by   doxygen 1.8.2