4 * Basic SNMP Application Layer Gateway
6 * This IP NAT module is intended for use with SNMP network
7 * discovery and monitoring applications where target networks use
8 * conflicting private address realms.
10 * Static NAT is used to remap the networks from the view of the network
11 * management system at the IP layer, and this module remaps some application
12 * layer addresses to match.
14 * The simplest form of ALG is performed, where only tagged IP addresses
15 * are modified. The module does not need to be MIB aware and only scans
16 * messages at the ASN.1/BER level.
18 * Currently, only SNMPv1 and SNMPv2 are supported.
20 * More information on ALG and associated issues can be found in
23 * The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
24 * McLean & Jochen Friedrich, stripped down for use in the kernel.
26 * Copyright (c) 2000 RP Internet (www.rpi.net.au).
28 * This program is free software; you can redistribute it and/or modify
29 * it under the terms of the GNU General Public License as published by
30 * the Free Software Foundation; either version 2 of the License, or
31 * (at your option) any later version.
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
36 * You should have received a copy of the GNU General Public License
37 * along with this program; if not, write to the Free Software
38 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
40 * Author: James Morris <jmorris@intercode.com.au>
43 * 2000-08-06: Convert to new helper API (Harald Welte).
46 #include <linux/config.h>
47 #include <linux/module.h>
48 #include <linux/types.h>
49 #include <linux/kernel.h>
50 #include <linux/moduleparam.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv4/ip_nat.h>
53 #include <linux/netfilter_ipv4/ip_nat_helper.h>
55 #include <net/checksum.h>
57 #include <asm/uaccess.h>
59 MODULE_LICENSE("GPL");
60 MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
61 MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
64 #define SNMP_TRAP_PORT 162
65 #define NOCT1(n) (u_int8_t )((n) & 0xff)
68 static spinlock_t snmp_lock = SPIN_LOCK_UNLOCKED;
71 * Application layer address mapping mimics the NAT mapping, but
72 * only for the first octet in this case (a more flexible system
73 * can be implemented if needed).
82 /*****************************************************************************
84 * Basic ASN.1 decoding routines (gxsnmp author Dirk Wisse)
86 *****************************************************************************/
89 #define ASN1_UNI 0 /* Universal */
90 #define ASN1_APL 1 /* Application */
91 #define ASN1_CTX 2 /* Context */
92 #define ASN1_PRV 3 /* Private */
95 #define ASN1_EOC 0 /* End Of Contents */
96 #define ASN1_BOL 1 /* Boolean */
97 #define ASN1_INT 2 /* Integer */
98 #define ASN1_BTS 3 /* Bit String */
99 #define ASN1_OTS 4 /* Octet String */
100 #define ASN1_NUL 5 /* Null */
101 #define ASN1_OJI 6 /* Object Identifier */
102 #define ASN1_OJD 7 /* Object Description */
103 #define ASN1_EXT 8 /* External */
104 #define ASN1_SEQ 16 /* Sequence */
105 #define ASN1_SET 17 /* Set */
106 #define ASN1_NUMSTR 18 /* Numerical String */
107 #define ASN1_PRNSTR 19 /* Printable String */
108 #define ASN1_TEXSTR 20 /* Teletext String */
109 #define ASN1_VIDSTR 21 /* Video String */
110 #define ASN1_IA5STR 22 /* IA5 String */
111 #define ASN1_UNITIM 23 /* Universal Time */
112 #define ASN1_GENTIM 24 /* General Time */
113 #define ASN1_GRASTR 25 /* Graphical String */
114 #define ASN1_VISSTR 26 /* Visible String */
115 #define ASN1_GENSTR 27 /* General String */
117 /* Primitive / Constructed methods*/
118 #define ASN1_PRI 0 /* Primitive */
119 #define ASN1_CON 1 /* Constructed */
124 #define ASN1_ERR_NOERROR 0
125 #define ASN1_ERR_DEC_EMPTY 2
126 #define ASN1_ERR_DEC_EOC_MISMATCH 3
127 #define ASN1_ERR_DEC_LENGTH_MISMATCH 4
128 #define ASN1_ERR_DEC_BADVALUE 5
135 int error; /* Error condition */
136 unsigned char *pointer; /* Octet just to be decoded */
137 unsigned char *begin; /* First octet */
138 unsigned char *end; /* Octet after last octet */
142 * Octet string (not null terminated)
150 static void asn1_open(struct asn1_ctx *ctx,
155 ctx->end = buf + len;
157 ctx->error = ASN1_ERR_NOERROR;
160 static unsigned char asn1_octet_decode(struct asn1_ctx *ctx, unsigned char *ch)
162 if (ctx->pointer >= ctx->end) {
163 ctx->error = ASN1_ERR_DEC_EMPTY;
166 *ch = *(ctx->pointer)++;
170 static unsigned char asn1_tag_decode(struct asn1_ctx *ctx, unsigned int *tag)
178 if (!asn1_octet_decode(ctx, &ch))
182 } while ((ch & 0x80) == 0x80);
186 static unsigned char asn1_id_decode(struct asn1_ctx *ctx,
193 if (!asn1_octet_decode(ctx, &ch))
196 *cls = (ch & 0xC0) >> 6;
197 *con = (ch & 0x20) >> 5;
201 if (!asn1_tag_decode(ctx, tag))
207 static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
211 unsigned char ch, cnt;
213 if (!asn1_octet_decode(ctx, &ch))
224 cnt = (unsigned char) (ch & 0x7F);
228 if (!asn1_octet_decode(ctx, &ch))
239 static unsigned char asn1_header_decode(struct asn1_ctx *ctx,
245 unsigned int def, len;
247 if (!asn1_id_decode(ctx, cls, con, tag))
250 if (!asn1_length_decode(ctx, &def, &len))
254 *eoc = ctx->pointer + len;
260 static unsigned char asn1_eoc_decode(struct asn1_ctx *ctx, unsigned char *eoc)
265 if (!asn1_octet_decode(ctx, &ch))
269 ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
273 if (!asn1_octet_decode(ctx, &ch))
277 ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
282 if (ctx->pointer != eoc) {
283 ctx->error = ASN1_ERR_DEC_LENGTH_MISMATCH;
290 static unsigned char asn1_null_decode(struct asn1_ctx *ctx, unsigned char *eoc)
296 static unsigned char asn1_long_decode(struct asn1_ctx *ctx,
303 if (!asn1_octet_decode(ctx, &ch))
306 *integer = (signed char) ch;
309 while (ctx->pointer < eoc) {
310 if (++len > sizeof (long)) {
311 ctx->error = ASN1_ERR_DEC_BADVALUE;
315 if (!asn1_octet_decode(ctx, &ch))
324 static unsigned char asn1_uint_decode(struct asn1_ctx *ctx,
326 unsigned int *integer)
331 if (!asn1_octet_decode(ctx, &ch))
335 if (ch == 0) len = 0;
338 while (ctx->pointer < eoc) {
339 if (++len > sizeof (unsigned int)) {
340 ctx->error = ASN1_ERR_DEC_BADVALUE;
344 if (!asn1_octet_decode(ctx, &ch))
353 static unsigned char asn1_ulong_decode(struct asn1_ctx *ctx,
355 unsigned long *integer)
360 if (!asn1_octet_decode(ctx, &ch))
364 if (ch == 0) len = 0;
367 while (ctx->pointer < eoc) {
368 if (++len > sizeof (unsigned long)) {
369 ctx->error = ASN1_ERR_DEC_BADVALUE;
373 if (!asn1_octet_decode(ctx, &ch))
382 static unsigned char asn1_octets_decode(struct asn1_ctx *ctx,
384 unsigned char **octets,
391 *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
392 if (*octets == NULL) {
394 printk("OOM in bsalg (%d)\n", __LINE__);
399 while (ctx->pointer < eoc) {
400 if (!asn1_octet_decode(ctx, (unsigned char *)ptr++)) {
410 static unsigned char asn1_subid_decode(struct asn1_ctx *ctx,
411 unsigned long *subid)
418 if (!asn1_octet_decode(ctx, &ch))
423 } while ((ch & 0x80) == 0x80);
427 static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
436 size = eoc - ctx->pointer + 1;
437 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
440 printk("OOM in bsalg (%d)\n", __LINE__);
446 if (!asn1_subid_decode(ctx, &subid)) {
455 } else if (subid < 80) {
457 optr [1] = subid - 40;
460 optr [1] = subid - 80;
466 while (ctx->pointer < eoc) {
467 if (++(*len) > size) {
468 ctx->error = ASN1_ERR_DEC_BADVALUE;
474 if (!asn1_subid_decode(ctx, optr++)) {
483 /*****************************************************************************
485 * SNMP decoding routines (gxsnmp author Dirk Wisse)
487 *****************************************************************************/
496 #define SNMP_SIZE_COMM 256
497 #define SNMP_SIZE_OBJECTID 128
498 #define SNMP_SIZE_BUFCHR 256
499 #define SNMP_SIZE_BUFINT 128
500 #define SNMP_SIZE_SMALLOBJECTID 16
503 #define SNMP_PDU_GET 0
504 #define SNMP_PDU_NEXT 1
505 #define SNMP_PDU_RESPONSE 2
506 #define SNMP_PDU_SET 3
507 #define SNMP_PDU_TRAP1 4
508 #define SNMP_PDU_BULK 5
509 #define SNMP_PDU_INFORM 6
510 #define SNMP_PDU_TRAP2 7
513 #define SNMP_NOERROR 0
514 #define SNMP_TOOBIG 1
515 #define SNMP_NOSUCHNAME 2
516 #define SNMP_BADVALUE 3
517 #define SNMP_READONLY 4
518 #define SNMP_GENERROR 5
519 #define SNMP_NOACCESS 6
520 #define SNMP_WRONGTYPE 7
521 #define SNMP_WRONGLENGTH 8
522 #define SNMP_WRONGENCODING 9
523 #define SNMP_WRONGVALUE 10
524 #define SNMP_NOCREATION 11
525 #define SNMP_INCONSISTENTVALUE 12
526 #define SNMP_RESOURCEUNAVAILABLE 13
527 #define SNMP_COMMITFAILED 14
528 #define SNMP_UNDOFAILED 15
529 #define SNMP_AUTHORIZATIONERROR 16
530 #define SNMP_NOTWRITABLE 17
531 #define SNMP_INCONSISTENTNAME 18
533 /* General SNMP V1 Traps */
534 #define SNMP_TRAP_COLDSTART 0
535 #define SNMP_TRAP_WARMSTART 1
536 #define SNMP_TRAP_LINKDOWN 2
537 #define SNMP_TRAP_LINKUP 3
538 #define SNMP_TRAP_AUTFAILURE 4
539 #define SNMP_TRAP_EQPNEIGHBORLOSS 5
540 #define SNMP_TRAP_ENTSPECIFIC 6
544 #define SNMP_INTEGER 1 /* l */
545 #define SNMP_OCTETSTR 2 /* c */
546 #define SNMP_DISPLAYSTR 2 /* c */
547 #define SNMP_OBJECTID 3 /* ul */
548 #define SNMP_IPADDR 4 /* uc */
549 #define SNMP_COUNTER 5 /* ul */
550 #define SNMP_GAUGE 6 /* ul */
551 #define SNMP_TIMETICKS 7 /* ul */
552 #define SNMP_OPAQUE 8 /* c */
554 /* Additional SNMPv2 Types */
555 #define SNMP_UINTEGER 5 /* ul */
556 #define SNMP_BITSTR 9 /* uc */
557 #define SNMP_NSAP 10 /* uc */
558 #define SNMP_COUNTER64 11 /* ul */
559 #define SNMP_NOSUCHOBJECT 12
560 #define SNMP_NOSUCHINSTANCE 13
561 #define SNMP_ENDOFMIBVIEW 14
565 unsigned char uc[0]; /* 8 bit unsigned */
566 char c[0]; /* 8 bit signed */
567 unsigned long ul[0]; /* 32 bit unsigned */
568 long l[0]; /* 32 bit signed */
576 unsigned int syntax_len;
577 union snmp_syntax syntax;
583 unsigned int error_status;
584 unsigned int error_index;
591 unsigned long ip_address; /* pointer */
592 unsigned int general;
593 unsigned int specific;
610 static inline void mangle_address(unsigned char *begin,
612 const struct oct1_map *map,
621 static struct snmp_cnv snmp_conv [] =
623 {ASN1_UNI, ASN1_NUL, SNMP_NULL},
624 {ASN1_UNI, ASN1_INT, SNMP_INTEGER},
625 {ASN1_UNI, ASN1_OTS, SNMP_OCTETSTR},
626 {ASN1_UNI, ASN1_OTS, SNMP_DISPLAYSTR},
627 {ASN1_UNI, ASN1_OJI, SNMP_OBJECTID},
628 {ASN1_APL, SNMP_IPA, SNMP_IPADDR},
629 {ASN1_APL, SNMP_CNT, SNMP_COUNTER}, /* Counter32 */
630 {ASN1_APL, SNMP_GGE, SNMP_GAUGE}, /* Gauge32 == Unsigned32 */
631 {ASN1_APL, SNMP_TIT, SNMP_TIMETICKS},
632 {ASN1_APL, SNMP_OPQ, SNMP_OPAQUE},
634 /* SNMPv2 data types and errors */
635 {ASN1_UNI, ASN1_BTS, SNMP_BITSTR},
636 {ASN1_APL, SNMP_C64, SNMP_COUNTER64},
637 {ASN1_CTX, SERR_NSO, SNMP_NOSUCHOBJECT},
638 {ASN1_CTX, SERR_NSI, SNMP_NOSUCHINSTANCE},
639 {ASN1_CTX, SERR_EOM, SNMP_ENDOFMIBVIEW},
643 static unsigned char snmp_tag_cls2syntax(unsigned int tag,
645 unsigned short *syntax)
647 struct snmp_cnv *cnv;
651 while (cnv->syntax != -1) {
652 if (cnv->tag == tag && cnv->class == cls) {
653 *syntax = cnv->syntax;
661 static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
662 struct snmp_object **obj)
664 unsigned int cls, con, tag, len, idlen;
666 unsigned char *eoc, *end, *p;
667 unsigned long *lp, *id;
674 if (!asn1_header_decode(ctx, &eoc, &cls, &con, &tag))
677 if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ)
680 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
683 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_OJI)
686 if (!asn1_oid_decode(ctx, end, &id, &idlen))
689 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag)) {
694 if (con != ASN1_PRI) {
699 if (!snmp_tag_cls2syntax(tag, cls, &type)) {
707 if (!asn1_long_decode(ctx, end, &l)) {
711 *obj = kmalloc(sizeof(struct snmp_object) + len,
716 printk("OOM in bsalg (%d)\n", __LINE__);
719 (*obj)->syntax.l[0] = l;
723 if (!asn1_octets_decode(ctx, end, &p, &len)) {
727 *obj = kmalloc(sizeof(struct snmp_object) + len,
732 printk("OOM in bsalg (%d)\n", __LINE__);
735 memcpy((*obj)->syntax.c, p, len);
739 case SNMP_NOSUCHOBJECT:
740 case SNMP_NOSUCHINSTANCE:
741 case SNMP_ENDOFMIBVIEW:
743 *obj = kmalloc(sizeof(struct snmp_object), GFP_ATOMIC);
747 printk("OOM in bsalg (%d)\n", __LINE__);
750 if (!asn1_null_decode(ctx, end)) {
758 if (!asn1_oid_decode(ctx, end, (unsigned long **)&lp, &len)) {
762 len *= sizeof(unsigned long);
763 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
767 printk("OOM in bsalg (%d)\n", __LINE__);
770 memcpy((*obj)->syntax.ul, lp, len);
774 if (!asn1_octets_decode(ctx, end, &p, &len)) {
783 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
788 printk("OOM in bsalg (%d)\n", __LINE__);
791 memcpy((*obj)->syntax.uc, p, len);
797 len = sizeof(unsigned long);
798 if (!asn1_ulong_decode(ctx, end, &ul)) {
802 *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
806 printk("OOM in bsalg (%d)\n", __LINE__);
809 (*obj)->syntax.ul[0] = ul;
816 (*obj)->syntax_len = len;
819 (*obj)->id_len = idlen;
821 if (!asn1_eoc_decode(ctx, eoc)) {
830 static unsigned char snmp_request_decode(struct asn1_ctx *ctx,
831 struct snmp_request *request)
833 unsigned int cls, con, tag;
836 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
839 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
842 if (!asn1_ulong_decode(ctx, end, &request->id))
845 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
848 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
851 if (!asn1_uint_decode(ctx, end, &request->error_status))
854 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
857 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
860 if (!asn1_uint_decode(ctx, end, &request->error_index))
867 * Fast checksum update for possibly oddly-aligned UDP byte, from the
868 * code example in the draft.
870 static void fast_csum(unsigned char *csum,
871 const unsigned char *optr,
872 const unsigned char *nptr,
877 x = csum[0] * 256 + csum[1];
881 if (odd) old = optr[0] * 256;
890 if (odd) new = nptr[0] * 256;
906 * - begin points to the start of the snmp messgae
907 * - addr points to the start of the address
909 static inline void mangle_address(unsigned char *begin,
911 const struct oct1_map *map,
914 if (map->from == NOCT1(*addr)) {
918 memcpy(&old, (unsigned char *)addr, sizeof(old));
922 /* Update UDP checksum if being used */
924 unsigned char odd = !((addr - begin) % 2);
926 fast_csum((unsigned char *)check,
927 &map->from, &map->to, odd);
932 printk(KERN_DEBUG "bsalg: mapped %u.%u.%u.%u to "
933 "%u.%u.%u.%u\n", NIPQUAD(old), NIPQUAD(*addr));
937 static unsigned char snmp_trap_decode(struct asn1_ctx *ctx,
938 struct snmp_v1_trap *trap,
939 const struct oct1_map *map,
942 unsigned int cls, con, tag, len;
945 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
948 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_OJI)
951 if (!asn1_oid_decode(ctx, end, &trap->id, &trap->id_len))
954 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
957 if (!((cls == ASN1_APL && con == ASN1_PRI && tag == SNMP_IPA) ||
958 (cls == ASN1_UNI && con == ASN1_PRI && tag == ASN1_OTS)))
961 if (!asn1_octets_decode(ctx, end, (unsigned char **)&trap->ip_address, &len))
968 mangle_address(ctx->begin, ctx->pointer - 4, map, check);
970 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
973 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
976 if (!asn1_uint_decode(ctx, end, &trap->general))
979 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
982 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
985 if (!asn1_uint_decode(ctx, end, &trap->specific))
988 if (!asn1_header_decode(ctx, &end, &cls, &con, &tag))
991 if (!((cls == ASN1_APL && con == ASN1_PRI && tag == SNMP_TIT) ||
992 (cls == ASN1_UNI && con == ASN1_PRI && tag == ASN1_INT)))
995 if (!asn1_ulong_decode(ctx, end, &trap->time))
1004 kfree((unsigned long *)trap->ip_address);
1009 /*****************************************************************************
1013 *****************************************************************************/
1015 static void hex_dump(unsigned char *buf, size_t len)
1019 for (i = 0; i < len; i++) {
1022 printk("%02x ", *(buf + i));
1028 * Parse and mangle SNMP message according to mapping.
1029 * (And this is the fucking 'basic' method).
1031 static int snmp_parse_mangle(unsigned char *msg,
1033 const struct oct1_map *map,
1036 unsigned char *eoc, *end;
1037 unsigned int cls, con, tag, vers, pdutype;
1038 struct asn1_ctx ctx;
1039 struct asn1_octstr comm;
1040 struct snmp_object **obj;
1045 asn1_open(&ctx, msg, len);
1048 * Start of SNMP message.
1050 if (!asn1_header_decode(&ctx, &eoc, &cls, &con, &tag))
1052 if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ)
1056 * Version 1 or 2 handled.
1058 if (!asn1_header_decode(&ctx, &end, &cls, &con, &tag))
1060 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_INT)
1062 if (!asn1_uint_decode (&ctx, end, &vers))
1065 printk(KERN_DEBUG "bsalg: snmp version: %u\n", vers + 1);
1072 if (!asn1_header_decode (&ctx, &end, &cls, &con, &tag))
1074 if (cls != ASN1_UNI || con != ASN1_PRI || tag != ASN1_OTS)
1076 if (!asn1_octets_decode(&ctx, end, &comm.data, &comm.len))
1081 printk(KERN_DEBUG "bsalg: community: ");
1082 for (i = 0; i < comm.len; i++)
1083 printk("%c", comm.data[i]);
1091 if (!asn1_header_decode(&ctx, &eoc, &cls, &con, &pdutype))
1093 if (cls != ASN1_CTX || con != ASN1_CON)
1096 unsigned char *pdus[] = {
1097 [SNMP_PDU_GET] = "get",
1098 [SNMP_PDU_NEXT] = "get-next",
1099 [SNMP_PDU_RESPONSE] = "response",
1100 [SNMP_PDU_SET] = "set",
1101 [SNMP_PDU_TRAP1] = "trapv1",
1102 [SNMP_PDU_BULK] = "bulk",
1103 [SNMP_PDU_INFORM] = "inform",
1104 [SNMP_PDU_TRAP2] = "trapv2"
1107 if (pdutype > SNMP_PDU_TRAP2)
1108 printk(KERN_DEBUG "bsalg: bad pdu type %u\n", pdutype);
1110 printk(KERN_DEBUG "bsalg: pdu: %s\n", pdus[pdutype]);
1112 if (pdutype != SNMP_PDU_RESPONSE &&
1113 pdutype != SNMP_PDU_TRAP1 && pdutype != SNMP_PDU_TRAP2)
1117 * Request header or v1 trap
1119 if (pdutype == SNMP_PDU_TRAP1) {
1120 struct snmp_v1_trap trap;
1121 unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
1123 /* Discard trap allocations regardless */
1125 kfree((unsigned long *)trap.ip_address);
1131 struct snmp_request req;
1133 if (!snmp_request_decode(&ctx, &req))
1137 printk(KERN_DEBUG "bsalg: request: id=0x%lx error_status=%u "
1138 "error_index=%u\n", req.id, req.error_status,
1143 * Loop through objects, look for IP addresses to mangle.
1145 if (!asn1_header_decode(&ctx, &eoc, &cls, &con, &tag))
1148 if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ)
1151 obj = kmalloc(sizeof(struct snmp_object), GFP_ATOMIC);
1153 if (net_ratelimit())
1154 printk(KERN_WARNING "OOM in bsalg(%d)\n", __LINE__);
1158 while (!asn1_eoc_decode(&ctx, eoc)) {
1161 if (!snmp_object_decode(&ctx, obj)) {
1172 printk(KERN_DEBUG "bsalg: object: ");
1173 for (i = 0; i < (*obj)->id_len; i++) {
1176 printk("%lu", (*obj)->id[i]);
1178 printk(": type=%u\n", (*obj)->type);
1182 if ((*obj)->type == SNMP_IPADDR)
1183 mangle_address(ctx.begin, ctx.pointer - 4 , map, check);
1190 if (!asn1_eoc_decode(&ctx, eoc))
1196 /*****************************************************************************
1200 *****************************************************************************/
1203 * SNMP translation routine.
1205 static int snmp_translate(struct ip_conntrack *ct,
1206 struct ip_nat_info *info,
1207 enum ip_conntrack_info ctinfo,
1208 unsigned int hooknum,
1209 struct sk_buff **pskb)
1211 struct iphdr *iph = (*pskb)->nh.iph;
1212 struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
1213 u_int16_t udplen = ntohs(udph->len);
1214 u_int16_t paylen = udplen - sizeof(struct udphdr);
1215 int dir = CTINFO2DIR(ctinfo);
1216 struct oct1_map map;
1219 * Determine mappping for application layer addresses based
1220 * on NAT manipulations for the packet.
1222 if (dir == IP_CT_DIR_ORIGINAL) {
1224 map.from = NOCT1(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip);
1225 map.to = NOCT1(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip);
1228 map.from = NOCT1(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip);
1229 map.to = NOCT1(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip);
1232 if (map.from == map.to)
1235 if (!snmp_parse_mangle((unsigned char *)udph + sizeof(struct udphdr),
1236 paylen, &map, &udph->check)) {
1237 printk(KERN_WARNING "bsalg: parser failed\n");
1244 * NAT helper function, packets arrive here from NAT code.
1246 static unsigned int nat_help(struct ip_conntrack *ct,
1247 struct ip_conntrack_expect *exp,
1248 struct ip_nat_info *info,
1249 enum ip_conntrack_info ctinfo,
1250 unsigned int hooknum,
1251 struct sk_buff **pskb)
1253 int dir = CTINFO2DIR(ctinfo);
1254 struct iphdr *iph = (*pskb)->nh.iph;
1255 struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
1257 if (!skb_ip_make_writable(pskb, (*pskb)->len))
1260 spin_lock_bh(&snmp_lock);
1263 * Translate snmp replies on pre-routing (DNAT) and snmp traps
1264 * on post routing (SNAT).
1266 if (!((dir == IP_CT_DIR_REPLY && hooknum == NF_IP_PRE_ROUTING &&
1267 udph->source == ntohs(SNMP_PORT)) ||
1268 (dir == IP_CT_DIR_ORIGINAL && hooknum == NF_IP_POST_ROUTING &&
1269 udph->dest == ntohs(SNMP_TRAP_PORT)))) {
1270 spin_unlock_bh(&snmp_lock);
1275 printk(KERN_DEBUG "bsalg: dir=%s hook=%d manip=%s len=%d "
1276 "src=%u.%u.%u.%u:%u dst=%u.%u.%u.%u:%u "
1277 "osrc=%u.%u.%u.%u odst=%u.%u.%u.%u "
1278 "rsrc=%u.%u.%u.%u rdst=%u.%u.%u.%u "
1280 dir == IP_CT_DIR_REPLY ? "reply" : "orig", hooknum,
1281 HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC ? "snat" :
1282 "dnat", (*pskb)->len,
1283 NIPQUAD(iph->saddr), ntohs(udph->source),
1284 NIPQUAD(iph->daddr), ntohs(udph->dest),
1285 NIPQUAD(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
1286 NIPQUAD(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip),
1287 NIPQUAD(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip),
1288 NIPQUAD(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip));
1292 * Make sure the packet length is ok. So far, we were only guaranteed
1293 * to have a valid length IP header plus 8 bytes, which means we have
1294 * enough room for a UDP header. Just verify the UDP length field so we
1295 * can mess around with the payload.
1297 if (ntohs(udph->len) == (*pskb)->len - (iph->ihl << 2)) {
1298 int ret = snmp_translate(ct, info, ctinfo, hooknum, pskb);
1299 spin_unlock_bh(&snmp_lock);
1303 if (net_ratelimit())
1304 printk(KERN_WARNING "bsalg: dropping malformed packet "
1305 "src=%u.%u.%u.%u dst=%u.%u.%u.%u\n",
1306 NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
1307 spin_unlock_bh(&snmp_lock);
1311 static struct ip_nat_helper snmp = {
1316 { { 0, { .udp = { __constant_htons(SNMP_PORT) } } },
1317 { 0, { 0 }, IPPROTO_UDP } },
1318 { { 0, { .udp = { 0xFFFF } } },
1319 { 0, { 0 }, 0xFFFF } },
1322 static struct ip_nat_helper snmp_trap = {
1327 { { 0, { .udp = { __constant_htons(SNMP_TRAP_PORT) } } },
1328 { 0, { 0 }, IPPROTO_UDP } },
1329 { { 0, { .udp = { 0xFFFF } } },
1330 { 0, { 0 }, 0xFFFF } },
1333 /*****************************************************************************
1337 *****************************************************************************/
1339 static int __init init(void)
1343 ret = ip_nat_helper_register(&snmp);
1346 ret = ip_nat_helper_register(&snmp_trap);
1348 ip_nat_helper_unregister(&snmp);
1354 static void __exit fini(void)
1356 ip_nat_helper_unregister(&snmp);
1357 ip_nat_helper_unregister(&snmp_trap);
1364 module_param(debug, bool, 0600);