      1 /*	$NetBSD: ip_pptp_pxy.c,v 1.1 2012/03/23 20:37:01 christos Exp $	*/
      2 
      3 /*
      4  * Copyright (C) 2011 by Darren Reed.
      5  *
      6  * Simple PPTP transparent proxy for in-kernel use.  For use with the NAT
      7  * code.
      8  *
      9  * Id
     10  *
     11  */
#define	IPF_PPTP_PROXY

/*
 * On-the-wire PPTP control connection header.  Every message starts with
 * one; ipf_p_pptp_nextmessage() collects it first, checks the cookie and
 * then collects the rest of the message.  pptph_len is the length of the
 * whole message, this header included.  All fields are in network byte
 * order.
 */
typedef	struct pptp_hdr {
	u_short	pptph_len;	/* total message length, header included */
	u_short	pptph_type;	/* PPTP_MSGTYPE_CTL for control messages */
	u_32_t	pptph_cookie;	/* must be 0x1a2b3c4d in host order */
} pptp_hdr_t;

/* pptph_type of a control message - the only type this proxy handles. */
#define	PPTP_MSGTYPE_CTL	1
/*
 * Control message types.  ipf_p_pptp_mctl() reads the type from the
 * u_short at byte offset 8 (right after the pptp_hdr_t) and records it as
 * the sending side's pptps_state; a *REP is only accepted when the other
 * side is in the matching *REQ state.
 */
#define	PPTP_MTCTL_STARTREQ	1
#define	PPTP_MTCTL_STARTREP	2
#define	PPTP_MTCTL_STOPREQ	3
#define	PPTP_MTCTL_STOPREP	4
#define	PPTP_MTCTL_ECHOREQ	5
#define	PPTP_MTCTL_ECHOREP	6
#define	PPTP_MTCTL_OUTREQ	7
#define	PPTP_MTCTL_OUTREP	8
#define	PPTP_MTCTL_INREQ	9
#define	PPTP_MTCTL_INREP	10
#define	PPTP_MTCTL_INCONNECT	11
#define	PPTP_MTCTL_CLEAR	12
#define	PPTP_MTCTL_DISCONNECT	13
#define	PPTP_MTCTL_WANERROR	14
#define	PPTP_MTCTL_LINKINFO	15


/*
 * Proxy entry points.  main_load/main_unload set up and tear down the
 * shared GRE rule (pptpfr); new/del/inout work on one ap_session_t;
 * nextmessage/message/mctl form the control stream parser and
 * donatstate creates or refreshes the GRE NAT and state entries.
 */
void ipf_p_pptp_main_load __P((void));
void ipf_p_pptp_main_unload __P((void));
int ipf_p_pptp_new __P((void *, fr_info_t *, ap_session_t *, nat_t *));
void ipf_p_pptp_del __P((ipf_main_softc_t *, ap_session_t *));
int ipf_p_pptp_inout __P((void *, fr_info_t *, ap_session_t *, nat_t *));
void ipf_p_pptp_donatstate __P((fr_info_t *, nat_t *, pptp_pxy_t *));
int ipf_p_pptp_message __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *));
int ipf_p_pptp_nextmessage __P((fr_info_t *, nat_t *, pptp_pxy_t *, int));
int ipf_p_pptp_mctl __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *));

/* Rule the GRE state entries made by ipf_p_pptp_donatstate() point at. */
static	frentry_t	pptpfr;

/* 1 between ipf_p_pptp_main_load() and ipf_p_pptp_main_unload(). */
static	int	pptp_proxy_init = 0;
/* >0 enables diagnostic printf()s; larger values unlock more of them. */
static	int	ipf_p_pptp_debug = 0;
/* 2 minutes; stored in both fr_age slots of pptpfr */
static	int	ipf_p_pptp_gretimeout = IPF_TTLVAL(120);
     53 
     54 
/*
 * One-time initialisation of the PPTP proxy: build the firewall rule
 * (pptpfr) that the GRE state entries created by ipf_p_pptp_donatstate()
 * are attached to, and mark the proxy as loaded for
 * ipf_p_pptp_main_unload().
 */
void
ipf_p_pptp_main_load(void)
{
	frentry_t *fr = &pptpfr;

	bzero((char *)fr, sizeof(*fr));
	fr->fr_ref = 1;
	fr->fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
	/* the same GRE idle timeout applies to both age slots */
	fr->fr_age[0] = ipf_p_pptp_gretimeout;
	fr->fr_age[1] = ipf_p_pptp_gretimeout;
	MUTEX_INIT(&fr->fr_lock, "PPTP proxy rule lock");
	pptp_proxy_init = 1;
}
     69 
     70 
/*
 * Undo ipf_p_pptp_main_load().  Harmless when the proxy was never loaded
 * or has already been unloaded: the rule lock is destroyed only once.
 */
void
ipf_p_pptp_main_unload(void)
{
	if (pptp_proxy_init != 1)
		return;

	MUTEX_DESTROY(&pptpfr.fr_lock);
	pptp_proxy_init = 0;
}
     79 
     80 
/*
 * Create the per-session proxy state for a new PPTP control connection.
 *
 * The NAT rule that matched the TCP control connection describes TCP,
 * but the tunnel traffic is GRE, so a private NAT rule (pptp_rule) is
 * built here from the TCP mapping; ipf_p_pptp_donatstate() later passes
 * it to ipf_nat_add().  The session buffer is sized for a pptp_pxy_t
 * followed by the parent rule's interface name storage.
 *
 * Returns 0 on success, -1 when a GRE NAT entry already exists for this
 * source/destination pair or when the allocation fails.
 *
 * (Author's note, kept: the printf()s are written so that they cannot be
 * optimised into puts() calls on FreeBSD, where the kernel has no puts().)
 */
int
ipf_p_pptp_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
{
	ip_t *ip = fin->fin_ip;
	ipnat_t *parent, *rule;
	pptp_pxy_t *pptp;

	/* Refuse to attach if a GRE mapping for this pair already exists. */
	if (ipf_nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_osrcip,
			      ip->ip_dst) != NULL) {
		if (ipf_p_pptp_debug > 0)
			printf("ipf_p_pptp_new: GRE session already exists\n");
		return -1;
	}

	parent = nat->nat_ptr;
	aps->aps_psiz = sizeof(*pptp) + parent->in_namelen;
	KMALLOCS(aps->aps_data, pptp_pxy_t *, aps->aps_psiz);
	pptp = aps->aps_data;
	if (pptp == NULL) {
		if (ipf_p_pptp_debug > 0)
			printf("ipf_p_pptp_new: malloc for aps_data failed\n");
		return -1;
	}
	bzero((char *)pptp, sizeof(*pptp));

	/*
	 * The GRE NAT rule: addresses and redirection mode come from the
	 * TCP mapping, the protocol is forced to GRE and all masks are host
	 * masks so the rule matches exactly this pair of endpoints.
	 */
	rule = &pptp->pptp_rule;
	rule->in_ifps[0] = fin->fin_ifp;
	rule->in_apr = NULL;
	rule->in_use = 1;
	rule->in_hits = 1;
	rule->in_ippip = 1;
	rule->in_redir = parent->in_redir;
	rule->in_pr[0] = IPPROTO_GRE;
	rule->in_pr[1] = IPPROTO_GRE;

	rule->in_osrcaddr = nat->nat_osrcaddr;
	rule->in_odstaddr = nat->nat_odstaddr;
	rule->in_nsrcaddr = fin->fin_saddr;
	rule->in_ndstaddr = nat->nat_ndstaddr;
	rule->in_snip = ntohl(nat->nat_nsrcaddr);
	rule->in_dnip = ntohl(nat->nat_ndstaddr);
	rule->in_osrcmsk = 0xffffffff;
	rule->in_nsrcmsk = 0xffffffff;
	rule->in_odstmsk = 0xffffffff;
	rule->in_ndstmsk = 0xffffffff;

	/*
	 * Interface names are taken over from the parent rule.
	 * NOTE(review): the bcopy() writes in_namelen bytes into in_ifnames,
	 * the field whose two elements are then overwritten just below.  If
	 * in_ifnames is only a two-entry index array and the name bytes are
	 * meant for in_names (the session was sized for in_namelen extra
	 * bytes), the destination looks wrong - confirm against ipnat_t.
	 */
	rule->in_namelen = parent->in_namelen;
	bcopy(parent->in_names, rule->in_ifnames, rule->in_namelen);
	rule->in_ifnames[0] = parent->in_ifnames[0];
	rule->in_ifnames[1] = parent->in_ifnames[1];
	MUTEX_INIT(&rule->in_lock, "pptp proxy NAT rule");

	/* Both reassembly buffers start out empty. */
	pptp->pptp_side[0].pptps_wptr = pptp->pptp_side[0].pptps_buffer;
	pptp->pptp_side[1].pptps_wptr = pptp->pptp_side[1].pptps_buffer;
	return 0;
}
    154 
    155 
/*
 * Refresh, or create if missing, the GRE NAT entry and the state entry
 * that carry the tunnel traffic belonging to this PPTP control
 * connection.
 *
 * Called from ipf_p_pptp_mctl() after an accepted OUTREP/INREP has stored
 * the two call ids in pptp->pptp_call[].  If either pptp->pptp_nat or
 * pptp->pptp_state is NULL, a private copy (fi) of the packet descriptor
 * is rewritten to describe a GRE packet between the NAT entry's original
 * addresses, with the call ids in fin_data[], and handed to ipf_nat_add()
 * and/or ipf_state_add().  Entries that already exist just have
 * ipf_queueback() called on them.
 *
 * The protocol field of the live IP header (fin->fin_ip) is set to GRE
 * while this runs and restored before returning.
 */
void
ipf_p_pptp_donatstate(fin, nat, pptp)
	fr_info_t *fin;
	nat_t *nat;
	pptp_pxy_t *pptp;
{
	ipf_main_softc_t *softc = fin->fin_main_soft;
	fr_info_t fi;		/* only initialised when something is missing */
	grehdr_t gre;		/* stand-in GRE header that fi.fin_dp points at */
	nat_t *nat2;
	u_char p;		/* saved ip_p, restored before returning */
	ip_t *ip;

	ip = fin->fin_ip;
	p = ip->ip_p;

	nat2 = pptp->pptp_nat;
	if ((nat2 == NULL) || (pptp->pptp_state == NULL)) {
		bcopy((char *)fin, (char *)&fi, sizeof(fi));
		bzero((char *)&gre, sizeof(gre));
		fi.fin_fi.fi_p = IPPROTO_GRE;
		fi.fin_fr = &pptpfr;
		/*
		 * The call id pair goes into fin_data[] as stored when the
		 * packet travels in the NAT entry's own direction, and
		 * swapped otherwise.
		 */
		if ((nat->nat_dir == NAT_OUTBOUND && fin->fin_out) ||
		    (nat->nat_dir == NAT_INBOUND && !fin->fin_out)) {
			fi.fin_data[0] = pptp->pptp_call[0];
			fi.fin_data[1] = pptp->pptp_call[1];
		} else {
			fi.fin_data[0] = pptp->pptp_call[1];
			fi.fin_data[1] = pptp->pptp_call[0];
		}
		ip = fin->fin_ip;
		ip->ip_p = IPPROTO_GRE;
		/* drop the TCP/state/fragment flags inherited from the control packet */
		fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
		fi.fin_flx |= FI_IGNORE;
		fi.fin_dp = &gre;
		gre.gr_flags = htons(1 << 13);	/* 0x2000: only the GRE "K" (key present) flag */

		fi.fin_fi.fi_saddr = nat->nat_osrcaddr;
		fi.fin_fi.fi_daddr = nat->nat_odstaddr;
	}

	/*
	 * Update NAT timeout/create NAT if missing.
	 * (nat2 == NULL implies fi was initialised above.)
	 */
	if (nat2 != NULL)
		ipf_queueback(softc->ipf_ticks, &nat2->nat_tqe);
	else {
#ifdef USE_MUTEXES
		/* softn is only referenced by the MUTEX_* macros below */
		ipf_nat_softc_t *softn = softc->ipf_nat_soft;
#endif

		MUTEX_ENTER(&softn->ipf_nat_new);
		nat2 = ipf_nat_add(&fi, &pptp->pptp_rule, &pptp->pptp_nat,
				   NAT_SLAVE, nat->nat_dir);
		MUTEX_EXIT(&softn->ipf_nat_new);
		pptp->pptp_nat = nat2;	/* NULL if ipf_nat_add() failed */
		if (nat2 != NULL) {
			(void) ipf_nat_proto(&fi, nat2, 0);
			MUTEX_ENTER(&nat2->nat_lock);
			ipf_nat_update(&fi, nat2);
			MUTEX_EXIT(&nat2->nat_lock);
		}
	}

	/*
	 * Same again for the state entry.  The ipf_state read lock is
	 * released before ipf_state_add() is called.
	 * (pptp_state == NULL implies fi was initialised above.)
	 */
	READ_ENTER(&softc->ipf_state);
	if (pptp->pptp_state != NULL) {
		ipf_queueback(softc->ipf_ticks, &pptp->pptp_state->is_sti);
		RWLOCK_EXIT(&softc->ipf_state);
	} else {
		RWLOCK_EXIT(&softc->ipf_state);
		/*
		 * Patch the address on the side picked by the NAT direction
		 * with the value from the GRE NAT entry before keying the
		 * state entry on fi.
		 */
		if (nat2 != NULL) {
			if (nat->nat_dir == NAT_INBOUND)
				fi.fin_fi.fi_daddr = nat2->nat_ndstaddr;
			else
				fi.fin_fi.fi_saddr = nat2->nat_osrcaddr;
		}
		fi.fin_ifp = NULL;
		(void) ipf_state_add(softc, &fi, &pptp->pptp_state, 0);
	}
	ip->ip_p = p;	/* restore the live header's protocol field */
	return;
}
    238 
    239 
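/*
 * Reassemble PPTP control messages from one TCP segment of the control
 * connection and hand each complete message to ipf_p_pptp_message().
 *
 * Per-side reassembly state lives in pptp->pptp_side[rev]: pptps_buffer
 * holds the message being built, pptps_wptr/pptps_bytes are the fill
 * pointer and count, pptps_gothdr/pptps_len are set once the 8 byte
 * pptp_hdr_t has been seen (pptps_len is the total message length,
 * header included), pptps_next is the TCP sequence number of the next
 * byte expected and pptps_nexthdr the sequence number at which the next
 * message header starts.
 *
 * Segments lying entirely before pptps_next are treated as retransmits
 * and ignored; a segment that does not start exactly at pptps_next is
 * rejected.  Sequence numbers are compared as plain unsigned values, so
 * a 32-bit wrap is not handled.
 *
 * The header may be split across segments and is only interpreted once
 * all of it has arrived.  A message whose header says it is longer than
 * the buffer is skipped by moving pptps_next to where the next header
 * should start; one that is shorter than the header itself, or does not
 * carry the expected cookie, is treated as a corrupt stream.
 *
 * Returns 0 if the segment was consumed or ignored, -1 if the stream is
 * out of sequence or a message is malformed.
 */
int
ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
{
	static const char *funcname = "ipf_p_pptp_nextmessage";
	pptp_side_t *pptps;
	u_32_t start, end;
	pptp_hdr_t *hdr;
	tcphdr_t *tcp;
	int dlen, off;
	u_short len;

	tcp = fin->fin_dp;
	dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
	start = ntohl(tcp->th_seq);
	pptps = &pptp->pptp_side[rev];
	/*
	 * Offset of the first TCP payload byte within the packet buffer.
	 * It is advanced in step with every byte consumed from this segment
	 * so that COPYDATA() never reaches outside the segment's payload.
	 */
	off = (char *)tcp - (char *)fin->fin_ip + (TCP_OFF(tcp) << 2) +
	      fin->fin_ipoff;

	if (dlen <= 0)
		return 0;
	/*
	 * If the complete data packet is before what we expect to see
	 * "next", just ignore it as the chances are we've already seen it.
	 * The next if statement following this one really just causes packets
	 * ahead of what we've seen to be dropped, implying that something in
	 * the middle went missing and we want to see that first.
	 */
	end = start + dlen;
	if (pptps->pptps_next > end && pptps->pptps_next > start)
		return 0;

	if (pptps->pptps_next != start) {
		if (ipf_p_pptp_debug > 5)
			printf("%s: next (%x) != start (%x)\n", funcname,
				pptps->pptps_next, start);
		return -1;
	}

	hdr = (pptp_hdr_t *)pptps->pptps_buffer;

	while (dlen > 0) {
		if (pptps->pptps_gothdr == 0) {
			/*
			 * Collect the 8 byte header (length, type, cookie).
			 * Nothing in it may be interpreted until all of it
			 * is present, as the tail of the buffer otherwise
			 * still holds bytes of an earlier message.
			 */
			len = MIN((int)sizeof(*hdr) - pptps->pptps_bytes, dlen);
			COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
			pptps->pptps_bytes += len;
			pptps->pptps_wptr += len;
			pptps->pptps_next += len;
			dlen -= len;
			off += len;

			if (pptps->pptps_bytes < sizeof(*hdr))
				break;	/* rest of the header is in a later segment */

			/*
			 * The start of every message should include the
			 * cookie 1a2b3c4d.  Byte order is ignored,
			 * deliberately, when printing out the error.
			 */
			if (ntohl(hdr->pptph_cookie) != 0x1a2b3c4d) {
				if (ipf_p_pptp_debug > 1)
					printf("%s: bad cookie (%x)\n",
					       funcname,
					       hdr->pptph_cookie);
				return -1;
			}

			pptps->pptps_gothdr = 1;
			len = ntohs(hdr->pptph_len);
			pptps->pptps_len = len;
			pptps->pptps_nexthdr += len;

			/*
			 * pptph_len counts the header itself, so a value
			 * below sizeof(*hdr) is nonsense.  It must be
			 * rejected here: otherwise pptps_len - pptps_bytes
			 * below goes negative, is truncated to a u_short of
			 * about 65k, and COPYDATA() runs far past the end
			 * of pptps_buffer.
			 */
			if (len < sizeof(*hdr)) {
				if (ipf_p_pptp_debug > 1)
					printf("%s: message too small (%d)\n",
					       funcname, len);
				return -1;
			}

			/*
			 * If a message is too big for the buffer, just set
			 * the fields for the next message to come along.
			 * The messages defined in RFC 2637 will not exceed
			 * 512 bytes (in total length) so this is likely a
			 * bad data packet, anyway.
			 */
			if (len > sizeof(pptps->pptps_buffer)) {
				if (ipf_p_pptp_debug > 3)
					printf("%s: message too big (%d)\n",
					       funcname, len);
				pptps->pptps_next = pptps->pptps_nexthdr;
				pptps->pptps_wptr = pptps->pptps_buffer;
				pptps->pptps_gothdr = 0;
				pptps->pptps_bytes = 0;
				pptps->pptps_len = 0;
				break;
			}
		}

		/*
		 * Copy as much of the message body as this segment holds.
		 * The checks above guarantee sizeof(*hdr) <= pptps_len <=
		 * sizeof(pptps_buffer) and pptps_bytes <= pptps_len, so the
		 * copy stays inside the buffer.
		 */
		len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
		COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
		pptps->pptps_bytes += len;
		pptps->pptps_wptr += len;
		pptps->pptps_next += len;
		dlen -= len;
		off += len;

		if (pptps->pptps_len > pptps->pptps_bytes)
			break;	/* message continues in a later segment */

		ipf_p_pptp_message(fin, nat, pptp, pptps);
		/* reset for the next message, which may follow in this segment */
		pptps->pptps_wptr = pptps->pptps_buffer;
		pptps->pptps_gothdr = 0;
		pptps->pptps_bytes = 0;
		pptps->pptps_len = 0;
	}

	return 0;
}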
    365 
    366 
/*
 * Dispatch one complete PPTP message by the type in its header.  Only
 * control messages (PPTP_MSGTYPE_CTL) are understood and are passed on
 * to ipf_p_pptp_mctl(); any other type is silently ignored.
 * Always returns 0.
 */
int
ipf_p_pptp_message(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp,
    pptp_side_t *pptps)
{
	pptp_hdr_t *hdr = (pptp_hdr_t *)pptps->pptps_buffer;

	if (ntohs(hdr->pptph_type) == PPTP_MSGTYPE_CTL)
		(void) ipf_p_pptp_mctl(fin, nat, pptp, pptps);

	return 0;
}
    390 
    391 
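/*
 * Act on a complete PPTP control message held in pptps->pptps_buffer.
 *
 * The message is viewed as an array of u_short: buffer[4] (byte offset 8,
 * right after the pptp_hdr_t) is the control message type, and for the
 * call replies buffer[6] and buffer[7] (byte offsets 12 and 14) carry the
 * two call ids - presumably the Call ID and Peer's Call ID fields of
 * RFC 2637.  Most types just record a state transition for the sending
 * side; a reply is only accepted when the opposite side is in the
 * matching request state.  An accepted OUTREP or INREP additionally
 * stores the call ids and has ipf_p_pptp_donatstate() create or refresh
 * the GRE NAT/state entries.
 *
 * Only the first pptps_len bytes of the buffer belong to this message;
 * anything beyond is left over from earlier messages.  A message too
 * short to hold the fields read here is therefore ignored instead of
 * being parsed from stale data (RFC 2637 control messages are all at
 * least 16 bytes, so well-formed traffic is unaffected).
 *
 * Always returns 0.
 */
int
ipf_p_pptp_mctl(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp,
    pptp_side_t *pptps)
{
	u_short *buffer = (u_short *)(pptps->pptps_buffer);
	pptp_side_t *pptpo;

	/* The deepest field read below is buffer[7]: 8 u_shorts, 16 bytes. */
	if (pptps->pptps_len < 8 * sizeof(buffer[0])) {
		if (ipf_p_pptp_debug > 1)
			printf("ipf_p_pptp_mctl: short control message (%d)\n",
			       pptps->pptps_len);
		return 0;
	}

	/* pptpo is the other side of the connection */
	if (pptps == &pptp->pptp_side[0])
		pptpo = &pptp->pptp_side[1];
	else
		pptpo = &pptp->pptp_side[0];

	/*
	 * Breakout to handle all the various messages.  Most are just state
	 * transition.
	 */
	switch (ntohs(buffer[4]))
	{
	case PPTP_MTCTL_STARTREQ :
		pptps->pptps_state = PPTP_MTCTL_STARTREQ;
		break;
	case PPTP_MTCTL_STARTREP :
		if (pptpo->pptps_state == PPTP_MTCTL_STARTREQ)
			pptps->pptps_state = PPTP_MTCTL_STARTREP;
		break;
	case PPTP_MTCTL_STOPREQ :
		pptps->pptps_state = PPTP_MTCTL_STOPREQ;
		break;
	case PPTP_MTCTL_STOPREP :
		if (pptpo->pptps_state == PPTP_MTCTL_STOPREQ)
			pptps->pptps_state = PPTP_MTCTL_STOPREP;
		break;
	case PPTP_MTCTL_ECHOREQ :
		pptps->pptps_state = PPTP_MTCTL_ECHOREQ;
		break;
	case PPTP_MTCTL_ECHOREP :
		if (pptpo->pptps_state == PPTP_MTCTL_ECHOREQ)
			pptps->pptps_state = PPTP_MTCTL_ECHOREP;
		break;
	case PPTP_MTCTL_OUTREQ :
		pptps->pptps_state = PPTP_MTCTL_OUTREQ;
		break;
	case PPTP_MTCTL_OUTREP :
		/* call established: remember the call ids, set up GRE */
		if (pptpo->pptps_state == PPTP_MTCTL_OUTREQ) {
			pptps->pptps_state = PPTP_MTCTL_OUTREP;
			pptp->pptp_call[0] = buffer[7];
			pptp->pptp_call[1] = buffer[6];
			ipf_p_pptp_donatstate(fin, nat, pptp);
		}
		break;
	case PPTP_MTCTL_INREQ :
		pptps->pptps_state = PPTP_MTCTL_INREQ;
		break;
	case PPTP_MTCTL_INREP :
		/* same as OUTREP, for a call placed from the other end */
		if (pptpo->pptps_state == PPTP_MTCTL_INREQ) {
			pptps->pptps_state = PPTP_MTCTL_INREP;
			pptp->pptp_call[0] = buffer[7];
			pptp->pptp_call[1] = buffer[6];
			ipf_p_pptp_donatstate(fin, nat, pptp);
		}
		break;
	case PPTP_MTCTL_INCONNECT :
		pptps->pptps_state = PPTP_MTCTL_INCONNECT;
		break;
	case PPTP_MTCTL_CLEAR :
		pptps->pptps_state = PPTP_MTCTL_CLEAR;
		break;
	case PPTP_MTCTL_DISCONNECT :
		pptps->pptps_state = PPTP_MTCTL_DISCONNECT;
		break;
	case PPTP_MTCTL_WANERROR :
		pptps->pptps_state = PPTP_MTCTL_WANERROR;
		break;
	case PPTP_MTCTL_LINKINFO :
		pptps->pptps_state = PPTP_MTCTL_LINKINFO;
		break;
	default :
		/* unknown control type: no state change */
		break;
	}

	return 0;
}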
    478 
    479 
/*
 * Per-packet hook for the PPTP control connection, in either direction.
 *
 * Works out which reassembly side the packet belongs to (rev), seeds both
 * sides' expected sequence numbers from the segment carrying the
 * TH_OPENING flags, and then feeds the segment to
 * ipf_p_pptp_nextmessage(), whose result is returned unchanged.
 */
int
ipf_p_pptp_inout(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
{
	pptp_pxy_t *pptp = (pptp_pxy_t *)aps->aps_data;
	tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
	int rev = 0;

	/*
	 * rev is 1 when the packet runs against the NAT entry's own
	 * direction: outbound on an inbound mapping, or inbound on an
	 * outbound one.
	 */
	if (fin->fin_out == 1 && nat->nat_dir == NAT_INBOUND)
		rev = 1;
	else if (fin->fin_out == 0 && nat->nat_dir == NAT_OUTBOUND)
		rev = 1;

	if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
		pptp_side_t *mine = &pptp->pptp_side[rev];
		pptp_side_t *other = &pptp->pptp_side[1 - rev];
		u_32_t ack = ntohl(tcp->th_ack);
		u_32_t seq = ntohl(tcp->th_seq) + 1;

		/* the other side's stream resumes at our ack, ours after this seq */
		other->pptps_next = ack;
		other->pptps_nexthdr = ack;
		mine->pptps_next = seq;
		mine->pptps_nexthdr = seq;
	}

	return ipf_p_pptp_nextmessage(fin, nat, pptp, rev);
}
    513 
    514 
/*
 * Session teardown callback.
 *
 * Runs from aps_free(), itself called from nat_delete(), so the NAT
 * structures are left alone; the GRE state and NAT entries the session
 * created are only marked pending, and the private rule's lock is
 * destroyed.  A session without proxy data is a no-op.
 */
void
ipf_p_pptp_del(ipf_main_softc_t *softc, ap_session_t *aps)
{
	pptp_pxy_t *pptp = aps->aps_data;

	if (pptp == NULL)
		return;

	READ_ENTER(&softc->ipf_state);
	if (pptp->pptp_state != NULL)
		ipf_state_setpending(softc, pptp->pptp_state);
	RWLOCK_EXIT(&softc->ipf_state);

	if (pptp->pptp_nat != NULL)
		ipf_nat_setpending(softc, pptp->pptp_nat);

	MUTEX_DESTROY(&pptp->pptp_rule.in_lock);
}
    544