1 /* Amanda extension for IP connection tracking
2  *
3  * (C) 2002 by Brian J. Murrell <netfilter@interlinx.bc.ca>
4  * based on HW's ip_conntrack_irc.c as well as other modules
5  * (C) 2006 Patrick McHardy <kaber@trash.net>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License
9  * as published by the Free Software Foundation; either version
10  * 2 of the License, or (at your option) any later version.
11  */
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
15 #include <linux/textsearch.h>
16 #include <linux/skbuff.h>
17 #include <linux/in.h>
18 #include <linux/udp.h>
19 #include <linux/netfilter.h>
20 #include <linux/gfp.h>
21 
22 #include <net/netfilter/nf_conntrack.h>
23 #include <net/netfilter/nf_conntrack_expect.h>
24 #include <net/netfilter/nf_conntrack_ecache.h>
25 #include <net/netfilter/nf_conntrack_helper.h>
26 #include <linux/netfilter/nf_conntrack_amanda.h>
27 
/* Module tunables.  master_timeout is in seconds: amanda_help() refreshes
 * the UDP master connection with master_timeout * HZ on every server reply.
 * ts_algo names the textsearch algorithm handed to textsearch_prepare(). */
static unsigned int master_timeout __read_mostly = 300;
static char *ts_algo = "kmp";

MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>");
MODULE_DESCRIPTION("Amanda connection tracking module");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ip_conntrack_amanda");
MODULE_ALIAS_NFCT_HELPER("amanda");

/* master_timeout is writable by root at runtime (0600); ts_algo is fixed at
 * load time because the patterns are compiled once in module init. */
module_param(master_timeout, uint, 0600);
MODULE_PARM_DESC(master_timeout, "timeout for the master connection");
module_param(ts_algo, charp, 0400);
MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)");
41 
/* Optional NAT hook, presumably installed by the Amanda NAT helper module.
 * amanda_help() reads it under rcu_dereference() and, when the master
 * connection is NATed, calls it with the payload offset/length of the port
 * number instead of registering the expectation itself.  NULL when no NAT
 * helper is loaded. */
unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
				   enum ip_conntrack_info ctinfo,
				   unsigned int protoff,
				   unsigned int matchoff,
				   unsigned int matchlen,
				   struct nf_conntrack_expect *exp)
				   __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_amanda_hook);
50 
/* Indices into search[]: the textsearch patterns applied to the Amanda
 * server's reply.  Ordering is significant: amanda_help() walks from
 * SEARCH_DATA through SEARCH_INDEX inclusive, so the three port keywords
 * must remain contiguous at the end of the enumeration. */
enum amanda_strings {
	SEARCH_CONNECT = 0,	/* "CONNECT " -- opens the reply line */
	SEARCH_NEWLINE = 1,	/* "\n"       -- terminates that line */
	SEARCH_DATA    = 2,	/* "DATA "    -- first port keyword */
	SEARCH_MESG    = 3,	/* "MESG " */
	SEARCH_INDEX   = 4,	/* "INDEX "   -- last port keyword */
};
58 
/* Patterns looked for in the Amanda server's reply, indexed by enum
 * amanda_strings.  .ts is compiled by textsearch_prepare() in module init
 * and released by textsearch_destroy() at exit.  Each .len is derived from
 * its literal so the two cannot drift apart. */
static struct {
	const char		*string;
	size_t			len;
	struct ts_config	*ts;
} search[] __read_mostly = {
	[SEARCH_CONNECT] = { .string = "CONNECT ", .len = sizeof("CONNECT ") - 1 },
	[SEARCH_NEWLINE] = { .string = "\n",       .len = sizeof("\n") - 1 },
	[SEARCH_DATA]    = { .string = "DATA ",    .len = sizeof("DATA ") - 1 },
	[SEARCH_MESG]    = { .string = "MESG ",    .len = sizeof("MESG ") - 1 },
	[SEARCH_INDEX]   = { .string = "INDEX ",   .len = sizeof("INDEX ") - 1 },
};
85 
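/* Conntrack helper for the Amanda UDP control connection.  Parses the
 * server's "CONNECT ... DATA <port> MESG <port> INDEX <port>" reply and
 * registers one TCP expectation per announced port so the follow-up
 * connections from the client are tracked (and, with NAT, rewritten).
 *
 * @skb:     packet being tracked
 * @protoff: offset of the UDP header within @skb
 * @ct:      master (UDP control) connection
 * @ctinfo:  conntrack state/direction of @skb
 *
 * Returns an NF_* verdict: NF_ACCEPT normally, NF_DROP when an expectation
 * could not be allocated or registered (or whatever the NAT hook returns).
 */
static int amanda_help(struct sk_buff *skb,
		       unsigned int protoff,
		       struct nf_conn *ct,
		       enum ip_conntrack_info ctinfo)
{
	struct ts_state ts;
	struct nf_conntrack_expect *exp;
	struct nf_conntrack_tuple *tuple;
	unsigned int dataoff, start, stop, off, i;
	char pbuf[sizeof("65535")], *tmp;
	unsigned long portnum;
	u_int16_t len;
	__be16 port;
	int ret = NF_ACCEPT;
	typeof(nf_nat_amanda_hook) nf_nat_amanda;

	/* Only look at packets from the Amanda server */
	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
		return NF_ACCEPT;

	/* increase the UDP timeout of the master connection as replies from
	 * Amanda clients to the server can be quite delayed */
	nf_ct_refresh(ct, skb, master_timeout * HZ);

	/* No data? */
	dataoff = protoff + sizeof(struct udphdr);
	if (dataoff >= skb->len) {
		net_err_ratelimited("amanda_help: skblen = %u\n", skb->len);
		return NF_ACCEPT;
	}

	/* Locate "CONNECT "; skb_find_text() yields UINT_MAX when absent. */
	memset(&ts, 0, sizeof(ts));
	start = skb_find_text(skb, dataoff, skb->len,
			      search[SEARCH_CONNECT].ts, &ts);
	if (start == UINT_MAX)
		goto out;
	start += dataoff + search[SEARCH_CONNECT].len;

	/* Bound the search to the end of that line: every port keyword must
	 * lie in [start, stop). */
	memset(&ts, 0, sizeof(ts));
	stop = skb_find_text(skb, start, skb->len,
			     search[SEARCH_NEWLINE].ts, &ts);
	if (stop == UINT_MAX)
		goto out;
	stop += start;

	for (i = SEARCH_DATA; i <= SEARCH_INDEX; i++) {
		memset(&ts, 0, sizeof(ts));
		off = skb_find_text(skb, start, stop, search[i].ts, &ts);
		if (off == UINT_MAX)
			continue;
		off += start + search[i].len;

		/* Copy at most five characters after the keyword; the window
		 * is also clipped by the end of the line, so it may be short. */
		len = min_t(unsigned int, sizeof(pbuf) - 1, stop - off);
		if (skb_copy_bits(skb, off, pbuf, len))
			break;
		pbuf[len] = '\0';

		/* Range-check the parsed value before narrowing it: five
		 * decimal digits can exceed 65535, and checking only the
		 * htons() result would let such a value wrap to some other
		 * port.  len becomes the number of digits consumed, which is
		 * what the NAT hook needs as the match length. */
		portnum = simple_strtoul(pbuf, &tmp, 10);
		len = tmp - pbuf;
		if (portnum == 0 || portnum > USHRT_MAX || len > 5)
			break;
		port = htons(portnum);

		exp = nf_ct_expect_alloc(ct);
		if (exp == NULL) {
			nf_ct_helper_log(skb, ct, "cannot alloc expectation");
			ret = NF_DROP;
			goto out;
		}
		/* Expect TCP from the original source (the client) to the
		 * original destination (the server) on the announced port. */
		tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
		nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT,
				  nf_ct_l3num(ct),
				  &tuple->src.u3, &tuple->dst.u3,
				  IPPROTO_TCP, NULL, &port);

		/* When the master is NATed and a NAT helper is loaded, hand
		 * the expectation and the payload location of the port to it
		 * (it presumably rewrites the payload and registers exp);
		 * otherwise register the expectation directly. */
		nf_nat_amanda = rcu_dereference(nf_nat_amanda_hook);
		if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
			ret = nf_nat_amanda(skb, ctinfo, protoff,
					    off - dataoff, len, exp);
		else if (nf_ct_expect_related(exp) != 0) {
			nf_ct_helper_log(skb, ct, "cannot add expectation");
			ret = NF_DROP;
		}
		nf_ct_expect_put(exp);
	}

out:
	return ret;
}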
173 
/* Expectation policy shared by both helpers: at most three outstanding
 * expectations per master connection (matching the three port keywords
 * DATA, MESG and INDEX), each expiring after 180 seconds if no matching
 * TCP connection shows up. */
static const struct nf_conntrack_expect_policy amanda_exp_policy = {
	.max_expected		= 3,
	.timeout		= 180,
};
178 
/* One helper registration per address family (IPv4, then IPv6).  Both
 * attach to UDP traffic whose source port is the Amanda control port
 * 10080, share amanda_help() as the parser and amanda_exp_policy as the
 * expectation limits. */
static struct nf_conntrack_helper amanda_helper[2] __read_mostly = {
	{
		.name			= "amanda",
		.me			= THIS_MODULE,
		.help			= amanda_help,
		.tuple.src.l3num	= AF_INET,
		.tuple.src.u.udp.port	= cpu_to_be16(10080),
		.tuple.dst.protonum	= IPPROTO_UDP,
		.expect_policy		= &amanda_exp_policy,
	},
	{
		.name			= "amanda",
		.me			= THIS_MODULE,
		.help			= amanda_help,
		.tuple.src.l3num	= AF_INET6,
		.tuple.src.u.udp.port	= cpu_to_be16(10080),
		.tuple.dst.protonum	= IPPROTO_UDP,
		.expect_policy		= &amanda_exp_policy,
	},
};
199 
/* Module teardown: withdraw both helper registrations (IPv4 first, then
 * IPv6) and then release the compiled textsearch patterns. */
static void __exit nf_conntrack_amanda_fini(void)
{
	unsigned int idx;

	for (idx = 0; idx < ARRAY_SIZE(amanda_helper); idx++)
		nf_conntrack_helper_unregister(&amanda_helper[idx]);

	for (idx = 0; idx < ARRAY_SIZE(search); idx++)
		textsearch_destroy(search[idx].ts);
}
209 
/* Module init: compile every search pattern with the configured textsearch
 * algorithm, then register the IPv4 and IPv6 helpers.  On failure, whatever
 * was acquired so far is released in reverse order and the error is
 * returned.  Returns 0 on success or a negative error code. */
static int __init nf_conntrack_amanda_init(void)
{
	int ret, i;

	for (i = 0; i < ARRAY_SIZE(search); i++) {
		search[i].ts = textsearch_prepare(ts_algo, search[i].string,
						  search[i].len,
						  GFP_KERNEL, TS_AUTOLOAD);
		if (IS_ERR(search[i].ts)) {
			ret = PTR_ERR(search[i].ts);
			goto err1;
		}
	}
	ret = nf_conntrack_helper_register(&amanda_helper[0]);
	if (ret < 0)
		goto err1;
	ret = nf_conntrack_helper_register(&amanda_helper[1]);
	if (ret < 0)
		goto err2;
	return 0;

err2:
	nf_conntrack_helper_unregister(&amanda_helper[0]);
err1:
	/* i is the count of patterns successfully prepared (ARRAY_SIZE(search)
	 * when a helper registration failed); the entry whose preparation
	 * failed holds an ERR_PTR and is deliberately not destroyed. */
	while (--i >= 0)
		textsearch_destroy(search[i].ts);

	return ret;
}
239 
/* Wire the init/exit routines into the module loader. */
module_init(nf_conntrack_amanda_init);
module_exit(nf_conntrack_amanda_fini);