-rw-r--r--net/netfilter/Kconfig19
-rw-r--r--net/netfilter/Makefile1
-rw-r--r--net/netfilter/nf_conntrack_netbios_ns.c125
3 files changed, 145 insertions, 0 deletions
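--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -194,6 +194,25 @@ config NF_CONNTRACK_IRC
 
 	  To compile it as a module, choose M here. If unsure, say N.
 
+config NF_CONNTRACK_NETBIOS_NS
+	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
+	depends on EXPERIMENTAL && NF_CONNTRACK
+	help
+	  NetBIOS name service requests are sent as broadcast messages from an
+	  unprivileged port and responded to with unicast messages to the
+	  same port. This make them hard to firewall properly because connection
+	  tracking doesn't deal with broadcasts. This helper tracks locally
+	  originating NetBIOS name service requests and the corresponding
+	  responses. It relies on correct IP address configuration, specifically
+	  netmask and broadcast address. When properly configured, the output
+	  of "ip address show" should look similar to this:
+
+	  $ ip -4 address show eth0
+	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
+	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
+
+	  To compile it as a module, choose M here. If unsure, say N.
+
 config NF_CT_NETLINK
 	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
 	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK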
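--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_NF_CONNTRACK_AMANDA) += nf_conntrack_amanda.o
 obj-$(CONFIG_NF_CONNTRACK_FTP) += nf_conntrack_ftp.o
 obj-$(CONFIG_NF_CONNTRACK_H323) += nf_conntrack_h323.o
 obj-$(CONFIG_NF_CONNTRACK_IRC) += nf_conntrack_irc.o
+obj-$(CONFIG_NF_CONNTRACK_NETBIOS_NS) += nf_conntrack_netbios_ns.o
 
 # generic X tables
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o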
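--- /dev/null
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -0,0 +1,125 @@
+/*
+ * NetBIOS name service broadcast connection tracking helper
+ *
+ * (c) 2005 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+/*
+ * This helper tracks locally originating NetBIOS name service
+ * requests by issuing permanent expectations (valid until
+ * timing out) matching all reply connections from the
+ * destination network. The only NetBIOS specific thing is
+ * actually the port number.
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/inetdevice.h>
+#include <linux/if_addr.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <net/route.h>
+
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_expect.h>
+
+#define NMBD_PORT 137
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ip_conntrack_netbios_ns");
+
+static unsigned int timeout __read_mostly = 3;
+module_param(timeout, uint, 0400);
+MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
+
+static int help(struct sk_buff **pskb, unsigned int protoff,
+		struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+	struct nf_conntrack_expect *exp;
+	struct iphdr *iph = (*pskb)->nh.iph;
+	struct rtable *rt = (struct rtable *)(*pskb)->dst;
+	struct in_device *in_dev;
+	__be32 mask = 0;
+
+	/* we're only interested in locally generated packets */
+	if ((*pskb)->sk == NULL)
+		goto out;
+	if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
+		goto out;
+	if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
+		goto out;
+
+	rcu_read_lock();
+	in_dev = __in_dev_get_rcu(rt->u.dst.dev);
+	if (in_dev != NULL) {
+		for_primary_ifa(in_dev) {
+			if (ifa->ifa_broadcast == iph->daddr) {
+				mask = ifa->ifa_mask;
+				break;
+			}
+		} endfor_ifa(in_dev);
+	}
+	rcu_read_unlock();
+
+	if (mask == 0)
+		goto out;
+
+	exp = nf_conntrack_expect_alloc(ct);
+	if (exp == NULL)
+		goto out;
+
+	exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+	exp->tuple.src.u.udp.port = htons(NMBD_PORT);
+
+	exp->mask.src.u3.ip = mask;
+	exp->mask.src.u.udp.port = htons(0xFFFF);
+	exp->mask.dst.u3.ip = htonl(0xFFFFFFFF);
+	exp->mask.dst.u.udp.port = htons(0xFFFF);
+	exp->mask.dst.protonum = 0xFF;
+
+	exp->expectfn = NULL;
+	exp->flags = NF_CT_EXPECT_PERMANENT;
+
+	nf_conntrack_expect_related(exp);
+	nf_conntrack_expect_put(exp);
+
+	nf_ct_refresh(ct, *pskb, timeout * HZ);
+out:
+	return NF_ACCEPT;
+}
+
+static struct nf_conntrack_helper helper __read_mostly = {
+	.name = "netbios-ns",
+	.tuple.src.l3num = AF_INET,
+	.tuple.src.u.udp.port = __constant_htons(NMBD_PORT),
+	.tuple.dst.protonum = IPPROTO_UDP,
+	.mask.src.l3num = 0xFFFF,
+	.mask.src.u.udp.port = __constant_htons(0xFFFF),
+	.mask.dst.protonum = 0xFF,
+	.max_expected = 1,
+	.me = THIS_MODULE,
+	.help = help,
+};
+
+static int __init nf_conntrack_netbios_ns_init(void)
+{
+	helper.timeout = timeout;
+	return nf_conntrack_helper_register(&helper);
+}
+
+static void __exit nf_conntrack_netbios_ns_fini(void)
+{
+	nf_conntrack_helper_unregister(&helper);
+}
+
+module_init(nf_conntrack_netbios_ns_init);
+module_exit(nf_conntrack_netbios_ns_fini);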
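Review bot: In help() the result of `nf_conntrack_expect_related(exp)` is discarded and `nf_ct_refresh()` then extends the master regardless, so a request whose expectation could not be installed (the call can fail, for instance when the expectation table is full) still gets its conntrack entry refreshed although no reply will ever be matched as RELATED. If the intent is to never drop, I would still tie the refresh to success, `if (nf_conntrack_expect_related(exp) == 0)` / `	nf_ct_refresh(ct, *pskb, timeout * HZ);`, keeping `nf_conntrack_expect_put(exp);` unconditional. Separately, `exp->mask.src.l3num` is left zero while the helper's own mask sets `.mask.src.l3num = 0xFFFF`; if the expectation lookup honours that field under the mask, the address family is not checked at all, so `exp->mask.src.l3num = 0xFFFF;` next to the other mask assignments looks safer — worth confirming against nf_ct_tuple_mask_cmp(). The block that builds the expectation would also read more easily with a one-line comment such as `/* expect replies from any host on the broadcast network, src port 137, to the originating local socket */`.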