net/ipv4/netfilter/nf_nat_snmp_basic_main.c

root/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * nf_nat_snmp_basic.c
 *
 * Basic SNMP Application Layer Gateway
 *
 * This IP NAT module is intended for use with SNMP network
 * discovery and monitoring applications where target networks use
 * conflicting private address realms.
 *
 * Static NAT is used to remap the networks from the view of the network
 * management system at the IP layer, and this module remaps some application
 * layer addresses to match.
 *
 * The simplest form of ALG is performed, where only tagged IP addresses
 * are modified.  The module does not need to be MIB aware and only scans
 * messages at the ASN.1/BER level.
 *
 * Currently, only SNMPv1 and SNMPv2 are supported.
 *
 * More information on ALG and associated issues can be found in
 * RFC 2962
 *
 * The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
 * McLean & Jochen Friedrich, stripped down for use in the kernel.
 *
 * Copyright (c) 2000 RP Internet (www.rpi.net.au).
 *
 * Author: James Morris <jmorris@intercode.com.au>
 *
 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
 */
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <net/checksum.h>
#include <net/udp.h>

#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <linux/netfilter/nf_conntrack_snmp.h>
#include "nf_nat_snmp_basic.asn1.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");
MODULE_ALIAS_NFCT_HELPER("snmp_trap");

#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162

static DEFINE_SPINLOCK(snmp_lock);

struct snmp_ctx {
        unsigned char *begin;
        __sum16 *check;
        __be32 from;
        __be32 to;
};

static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
        unsigned char s[12] = {0,};
        int size;

        if (offset & 1) {
                memcpy(&s[1], &ctx->from, 4);
                memcpy(&s[7], &ctx->to, 4);
                s[0] = ~0;
                s[1] = ~s[1];
                s[2] = ~s[2];
                s[3] = ~s[3];
                s[4] = ~s[4];
                s[5] = ~0;
                size = 12;
        } else {
                memcpy(&s[0], &ctx->from, 4);
                memcpy(&s[4], &ctx->to, 4);
                s[0] = ~s[0];
                s[1] = ~s[1];
                s[2] = ~s[2];
                s[3] = ~s[3];
                size = 8;
        }
        *ctx->check = csum_fold(csum_partial(s, size,
                                             ~csum_unfold(*ctx->check)));
}

int snmp_version(void *context, size_t hdrlen, unsigned char tag,
                 const void *data, size_t datalen)
{
        if (datalen != 1)
                return -EINVAL;
        if (*(unsigned char *)data > 1)
                return -ENOTSUPP;
        return 1;
}

int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
                const void *data, size_t datalen)
{
        struct snmp_ctx *ctx = (struct snmp_ctx *)context;
        __be32 *pdata;

        if (datalen != 4)
                return -EINVAL;
        pdata = (__be32 *)data;
        if (*pdata == ctx->from) {
                pr_debug("%s: %pI4 to %pI4\n", __func__,
                         (void *)&ctx->from, (void *)&ctx->to);

                if (*ctx->check)
                        fast_csum(ctx, (unsigned char *)data - ctx->begin);
                *pdata = ctx->to;
        }

        return 1;
}

static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
        struct iphdr *iph = ip_hdr(skb);
        struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
        u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
        char *data = (unsigned char *)udph + sizeof(struct udphdr);
        struct snmp_ctx ctx;
        int ret;

        if (dir == IP_CT_DIR_ORIGINAL) {
                ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
                ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
        } else {
                ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
                ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
        }

        if (ctx.from == ctx.to)
                return NF_ACCEPT;

        ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
        ctx.check = &udph->check;
        ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
        if (ret < 0) {
                nf_ct_helper_log(skb, ct, "parser failed\n");
                return NF_DROP;
        }

        return NF_ACCEPT;
}

/* We don't actually set up expectations, just adjust internal IP
 * addresses if this is being NATted
 */
static int help(struct sk_buff *skb, unsigned int protoff,
                struct nf_conn *ct,
                enum ip_conntrack_info ctinfo)
{
        int dir = CTINFO2DIR(ctinfo);
        unsigned int ret;
        const struct iphdr *iph = ip_hdr(skb);
        const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);

        /* SNMP replies and originating SNMP traps get mangled */
        if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
                return NF_ACCEPT;
        if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
                return NF_ACCEPT;

        /* No NAT? */
        if (!(ct->status & IPS_NAT_MASK))
                return NF_ACCEPT;

        /* Make sure the packet length is ok.  So far, we were only guaranteed
         * to have a valid length IP header plus 8 bytes, which means we have
         * enough room for a UDP header.  Just verify the UDP length field so we
         * can mess around with the payload.
         */
        if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
                nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
                return NF_DROP;
        }

        if (skb_ensure_writable(skb, skb->len)) {
                nf_ct_helper_log(skb, ct, "cannot mangle packet");
                return NF_DROP;
        }

        spin_lock_bh(&snmp_lock);
        ret = snmp_translate(ct, dir, skb);
        spin_unlock_bh(&snmp_lock);
        return ret;
}

static const struct nf_conntrack_expect_policy snmp_exp_policy = {
        .max_expected   = 0,
        .timeout        = 180,
};

static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
        .me                     = THIS_MODULE,
        .help                   = help,
        .expect_policy          = &snmp_exp_policy,
        .name                   = "snmp_trap",
        .tuple.src.l3num        = AF_INET,
        .tuple.src.u.udp.port   = cpu_to_be16(SNMP_TRAP_PORT),
        .tuple.dst.protonum     = IPPROTO_UDP,
};

static int __init nf_nat_snmp_basic_init(void)
{
        BUG_ON(nf_nat_snmp_hook != NULL);
        RCU_INIT_POINTER(nf_nat_snmp_hook, help);

        return nf_conntrack_helper_register(&snmp_trap_helper);
}

static void __exit nf_nat_snmp_basic_fini(void)
{
        RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
        synchronize_rcu();
        nf_conntrack_helper_unregister(&snmp_trap_helper);
}

module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);
Linux
