linux/net/ipv4/netfilter/nf_nat_pptp.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * nf_nat_pptp.c
   4 *
   5 * NAT support for PPTP (Point to Point Tunneling Protocol).
   6 * PPTP is a protocol for creating virtual private networks.
   7 * It is a specification defined by Microsoft and some vendors
   8 * working with Microsoft.  PPTP is built on top of a modified
   9 * version of the Internet Generic Routing Encapsulation Protocol.
  10 * GRE is defined in RFC 1701 and RFC 1702.  Documentation of
  11 * PPTP can be found in RFC 2637
  12 *
  13 * (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
  14 *
  15 * Development of this code funded by Astaro AG (http://www.astaro.com/)
  16 *
  17 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
  18 *
  19 * TODO: - NAT to a unique tuple, not to TCP source port
  20 *         (needs netfilter tuple reservation)
  21 */
  22
  23#include <linux/module.h>
  24#include <linux/tcp.h>
  25
  26#include <net/netfilter/nf_nat.h>
  27#include <net/netfilter/nf_nat_helper.h>
  28#include <net/netfilter/nf_conntrack_helper.h>
  29#include <net/netfilter/nf_conntrack_expect.h>
  30#include <net/netfilter/nf_conntrack_zones.h>
  31#include <linux/netfilter/nf_conntrack_proto_gre.h>
  32#include <linux/netfilter/nf_conntrack_pptp.h>
  33
  34#define NF_NAT_PPTP_VERSION "3.0"
  35
  36#define REQ_CID(req, off)               (*(__be16 *)((char *)(req) + (off)))
  37
  38MODULE_LICENSE("GPL");
  39MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
  40MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP");
  41MODULE_ALIAS_NF_NAT_HELPER("pptp");
  42
  43static void pptp_nat_expected(struct nf_conn *ct,
  44                              struct nf_conntrack_expect *exp)
  45{
  46        struct net *net = nf_ct_net(ct);
  47        const struct nf_conn *master = ct->master;
  48        struct nf_conntrack_expect *other_exp;
  49        struct nf_conntrack_tuple t = {};
  50        const struct nf_ct_pptp_master *ct_pptp_info;
  51        const struct nf_nat_pptp *nat_pptp_info;
  52        struct nf_nat_range2 range;
  53        struct nf_conn_nat *nat;
  54
  55        nat = nf_ct_nat_ext_add(ct);
  56        if (WARN_ON_ONCE(!nat))
  57                return;
  58
  59        nat_pptp_info = &nat->help.nat_pptp_info;
  60        ct_pptp_info = nfct_help_data(master);
  61
  62        /* And here goes the grand finale of corrosion... */
  63        if (exp->dir == IP_CT_DIR_ORIGINAL) {
  64                pr_debug("we are PNS->PAC\n");
  65                /* therefore, build tuple for PAC->PNS */
  66                t.src.l3num = AF_INET;
  67                t.src.u3.ip = master->tuplehash[!exp->dir].tuple.src.u3.ip;
  68                t.src.u.gre.key = ct_pptp_info->pac_call_id;
  69                t.dst.u3.ip = master->tuplehash[!exp->dir].tuple.dst.u3.ip;
  70                t.dst.u.gre.key = ct_pptp_info->pns_call_id;
  71                t.dst.protonum = IPPROTO_GRE;
  72        } else {
  73                pr_debug("we are PAC->PNS\n");
  74                /* build tuple for PNS->PAC */
  75                t.src.l3num = AF_INET;
  76                t.src.u3.ip = master->tuplehash[!exp->dir].tuple.src.u3.ip;
  77                t.src.u.gre.key = nat_pptp_info->pns_call_id;
  78                t.dst.u3.ip = master->tuplehash[!exp->dir].tuple.dst.u3.ip;
  79                t.dst.u.gre.key = nat_pptp_info->pac_call_id;
  80                t.dst.protonum = IPPROTO_GRE;
  81        }
  82
  83        pr_debug("trying to unexpect other dir: ");
  84        nf_ct_dump_tuple_ip(&t);
  85        other_exp = nf_ct_expect_find_get(net, nf_ct_zone(ct), &t);
  86        if (other_exp) {
  87                nf_ct_unexpect_related(other_exp);
  88                nf_ct_expect_put(other_exp);
  89                pr_debug("success\n");
  90        } else {
  91                pr_debug("not found!\n");
  92        }
  93
  94        /* This must be a fresh one. */
  95        BUG_ON(ct->status & IPS_NAT_DONE_MASK);
  96
  97        /* Change src to where master sends to */
  98        range.flags = NF_NAT_RANGE_MAP_IPS;
  99        range.min_addr = range.max_addr
 100                = ct->master->tuplehash[!exp->dir].tuple.dst.u3;
 101        if (exp->dir == IP_CT_DIR_ORIGINAL) {
 102                range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
 103                range.min_proto = range.max_proto = exp->saved_proto;
 104        }
 105        nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC);
 106
 107        /* For DST manip, map port here to where it's expected. */
 108        range.flags = NF_NAT_RANGE_MAP_IPS;
 109        range.min_addr = range.max_addr
 110                = ct->master->tuplehash[!exp->dir].tuple.src.u3;
 111        if (exp->dir == IP_CT_DIR_REPLY) {
 112                range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
 113                range.min_proto = range.max_proto = exp->saved_proto;
 114        }
 115        nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST);
 116}
 117
 118/* outbound packets == from PNS to PAC */
 119static int
 120pptp_outbound_pkt(struct sk_buff *skb,
 121                  struct nf_conn *ct,
 122                  enum ip_conntrack_info ctinfo,
 123                  unsigned int protoff,
 124                  struct PptpControlHeader *ctlh,
 125                  union pptp_ctrl_union *pptpReq)
 126
 127{
 128        struct nf_ct_pptp_master *ct_pptp_info;
 129        struct nf_conn_nat *nat = nfct_nat(ct);
 130        struct nf_nat_pptp *nat_pptp_info;
 131        u_int16_t msg;
 132        __be16 new_callid;
 133        unsigned int cid_off;
 134
 135        if (WARN_ON_ONCE(!nat))
 136                return NF_DROP;
 137
 138        nat_pptp_info = &nat->help.nat_pptp_info;
 139        ct_pptp_info = nfct_help_data(ct);
 140
 141        new_callid = ct_pptp_info->pns_call_id;
 142
 143        switch (msg = ntohs(ctlh->messageType)) {
 144        case PPTP_OUT_CALL_REQUEST:
 145                cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
 146                /* FIXME: ideally we would want to reserve a call ID
 147                 * here.  current netfilter NAT core is not able to do
 148                 * this :( For now we use TCP source port. This breaks
 149                 * multiple calls within one control session */
 150
 151                /* save original call ID in nat_info */
 152                nat_pptp_info->pns_call_id = ct_pptp_info->pns_call_id;
 153
 154                /* don't use tcph->source since we are at a DSTmanip
 155                 * hook (e.g. PREROUTING) and pkt is not mangled yet */
 156                new_callid = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.tcp.port;
 157
 158                /* save new call ID in ct info */
 159                ct_pptp_info->pns_call_id = new_callid;
 160                break;
 161        case PPTP_IN_CALL_REPLY:
 162                cid_off = offsetof(union pptp_ctrl_union, icack.callID);
 163                break;
 164        case PPTP_CALL_CLEAR_REQUEST:
 165                cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
 166                break;
 167        default:
 168                pr_debug("unknown outbound packet 0x%04x:%s\n", msg,
 169                         pptp_msg_name(msg));
 170                fallthrough;
 171        case PPTP_SET_LINK_INFO:
 172                /* only need to NAT in case PAC is behind NAT box */
 173        case PPTP_START_SESSION_REQUEST:
 174        case PPTP_START_SESSION_REPLY:
 175        case PPTP_STOP_SESSION_REQUEST:
 176        case PPTP_STOP_SESSION_REPLY:
 177        case PPTP_ECHO_REQUEST:
 178        case PPTP_ECHO_REPLY:
 179                /* no need to alter packet */
 180                return NF_ACCEPT;
 181        }
 182
 183        /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
 184         * down to here */
 185        pr_debug("altering call id from 0x%04x to 0x%04x\n",
 186                 ntohs(REQ_CID(pptpReq, cid_off)), ntohs(new_callid));
 187
 188        /* mangle packet */
 189        if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
 190                                      cid_off + sizeof(struct pptp_pkt_hdr) +
 191                                      sizeof(struct PptpControlHeader),
 192                                      sizeof(new_callid), (char *)&new_callid,
 193                                      sizeof(new_callid)))
 194                return NF_DROP;
 195        return NF_ACCEPT;
 196}
 197
 198static void
 199pptp_exp_gre(struct nf_conntrack_expect *expect_orig,
 200             struct nf_conntrack_expect *expect_reply)
 201{
 202        const struct nf_conn *ct = expect_orig->master;
 203        struct nf_conn_nat *nat = nfct_nat(ct);
 204        struct nf_ct_pptp_master *ct_pptp_info;
 205        struct nf_nat_pptp *nat_pptp_info;
 206
 207        if (WARN_ON_ONCE(!nat))
 208                return;
 209
 210        nat_pptp_info = &nat->help.nat_pptp_info;
 211        ct_pptp_info = nfct_help_data(ct);
 212
 213        /* save original PAC call ID in nat_info */
 214        nat_pptp_info->pac_call_id = ct_pptp_info->pac_call_id;
 215
 216        /* alter expectation for PNS->PAC direction */
 217        expect_orig->saved_proto.gre.key = ct_pptp_info->pns_call_id;
 218        expect_orig->tuple.src.u.gre.key = nat_pptp_info->pns_call_id;
 219        expect_orig->tuple.dst.u.gre.key = ct_pptp_info->pac_call_id;
 220        expect_orig->dir = IP_CT_DIR_ORIGINAL;
 221
 222        /* alter expectation for PAC->PNS direction */
 223        expect_reply->saved_proto.gre.key = nat_pptp_info->pns_call_id;
 224        expect_reply->tuple.src.u.gre.key = nat_pptp_info->pac_call_id;
 225        expect_reply->tuple.dst.u.gre.key = ct_pptp_info->pns_call_id;
 226        expect_reply->dir = IP_CT_DIR_REPLY;
 227}
 228
 229/* inbound packets == from PAC to PNS */
 230static int
 231pptp_inbound_pkt(struct sk_buff *skb,
 232                 struct nf_conn *ct,
 233                 enum ip_conntrack_info ctinfo,
 234                 unsigned int protoff,
 235                 struct PptpControlHeader *ctlh,
 236                 union pptp_ctrl_union *pptpReq)
 237{
 238        const struct nf_nat_pptp *nat_pptp_info;
 239        struct nf_conn_nat *nat = nfct_nat(ct);
 240        u_int16_t msg;
 241        __be16 new_pcid;
 242        unsigned int pcid_off;
 243
 244        if (WARN_ON_ONCE(!nat))
 245                return NF_DROP;
 246
 247        nat_pptp_info = &nat->help.nat_pptp_info;
 248        new_pcid = nat_pptp_info->pns_call_id;
 249
 250        switch (msg = ntohs(ctlh->messageType)) {
 251        case PPTP_OUT_CALL_REPLY:
 252                pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
 253                break;
 254        case PPTP_IN_CALL_CONNECT:
 255                pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
 256                break;
 257        case PPTP_IN_CALL_REQUEST:
 258                /* only need to nat in case PAC is behind NAT box */
 259                return NF_ACCEPT;
 260        case PPTP_WAN_ERROR_NOTIFY:
 261                pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
 262                break;
 263        case PPTP_CALL_DISCONNECT_NOTIFY:
 264                pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
 265                break;
 266        case PPTP_SET_LINK_INFO:
 267                pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
 268                break;
 269        default:
 270                pr_debug("unknown inbound packet %s\n", pptp_msg_name(msg));
 271                fallthrough;
 272        case PPTP_START_SESSION_REQUEST:
 273        case PPTP_START_SESSION_REPLY:
 274        case PPTP_STOP_SESSION_REQUEST:
 275        case PPTP_STOP_SESSION_REPLY:
 276        case PPTP_ECHO_REQUEST:
 277        case PPTP_ECHO_REPLY:
 278                /* no need to alter packet */
 279                return NF_ACCEPT;
 280        }
 281
 282        /* only OUT_CALL_REPLY, IN_CALL_CONNECT, IN_CALL_REQUEST,
 283         * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
 284
 285        /* mangle packet */
 286        pr_debug("altering peer call id from 0x%04x to 0x%04x\n",
 287                 ntohs(REQ_CID(pptpReq, pcid_off)), ntohs(new_pcid));
 288
 289        if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
 290                                      pcid_off + sizeof(struct pptp_pkt_hdr) +
 291                                      sizeof(struct PptpControlHeader),
 292                                      sizeof(new_pcid), (char *)&new_pcid,
 293                                      sizeof(new_pcid)))
 294                return NF_DROP;
 295        return NF_ACCEPT;
 296}
 297
 298static int __init nf_nat_helper_pptp_init(void)
 299{
 300        BUG_ON(nf_nat_pptp_hook_outbound != NULL);
 301        RCU_INIT_POINTER(nf_nat_pptp_hook_outbound, pptp_outbound_pkt);
 302
 303        BUG_ON(nf_nat_pptp_hook_inbound != NULL);
 304        RCU_INIT_POINTER(nf_nat_pptp_hook_inbound, pptp_inbound_pkt);
 305
 306        BUG_ON(nf_nat_pptp_hook_exp_gre != NULL);
 307        RCU_INIT_POINTER(nf_nat_pptp_hook_exp_gre, pptp_exp_gre);
 308
 309        BUG_ON(nf_nat_pptp_hook_expectfn != NULL);
 310        RCU_INIT_POINTER(nf_nat_pptp_hook_expectfn, pptp_nat_expected);
 311        return 0;
 312}
 313
 314static void __exit nf_nat_helper_pptp_fini(void)
 315{
 316        RCU_INIT_POINTER(nf_nat_pptp_hook_expectfn, NULL);
 317        RCU_INIT_POINTER(nf_nat_pptp_hook_exp_gre, NULL);
 318        RCU_INIT_POINTER(nf_nat_pptp_hook_inbound, NULL);
 319        RCU_INIT_POINTER(nf_nat_pptp_hook_outbound, NULL);
 320        synchronize_rcu();
 321}
 322
 323module_init(nf_nat_helper_pptp_init);
 324module_exit(nf_nat_helper_pptp_fini);
 325