aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/netfilter/Kconfig19
-rw-r--r--net/ipv4/netfilter/Makefile1
-rw-r--r--net/ipv4/netfilter/ip_conntrack_netbios_ns.c131
3 files changed, 151 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index e046f5521814..fd2eb5d4c7fe 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -85,6 +85,25 @@ config IP_NF_IRC
85 85
86 To compile it as a module, choose M here. If unsure, say Y. 86 To compile it as a module, choose M here. If unsure, say Y.
87 87
88config IP_NF_NETBIOS_NS
89 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
90 depends on IP_NF_CONNTRACK && EXPERIMENTAL
91 help
92 NetBIOS name service requests are sent as broadcast messages from an
93 unprivileged port and responded to with unicast messages to the
94 same port. This make them hard to firewall properly because connection
95 tracking doesn't deal with broadcasts. This helper tracks locally
96 originating NetBIOS name service requests and the corresponding
97 responses. It relies on correct IP address configuration, specifically
98 netmask and broadcast address. When properly configured, the output
99 of "ip address show" should look similar to this:
100
101 $ ip -4 address show eth0
102 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
103 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
104
105 To compile it as a module, choose M here. If unsure, say N.
106
88config IP_NF_TFTP 107config IP_NF_TFTP
89 tristate "TFTP protocol support" 108 tristate "TFTP protocol support"
90 depends on IP_NF_CONNTRACK 109 depends on IP_NF_CONNTRACK
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index a7bd38f50522..1ba0db746817 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -21,6 +21,7 @@ obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o
21obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o 21obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
22obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o 22obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o
23obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o 23obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
24obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o
24 25
25# NAT helpers 26# NAT helpers
26obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o 27obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o
diff --git a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
new file mode 100644
index 000000000000..2b5cf9c51309
--- /dev/null
+++ b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
@@ -0,0 +1,131 @@
1/*
2 * NetBIOS name service broadcast connection tracking helper
3 *
4 * (c) 2005 Patrick McHardy <kaber@trash.net>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11/*
12 * This helper tracks locally originating NetBIOS name service
13 * requests by issuing permanent expectations (valid until
14 * timing out) matching all reply connections from the
15 * destination network. The only NetBIOS specific thing is
16 * actually the port number.
17 */
18#include <linux/kernel.h>
19#include <linux/module.h>
20#include <linux/init.h>
21#include <linux/skbuff.h>
22#include <linux/netdevice.h>
23#include <linux/inetdevice.h>
24#include <linux/in.h>
25#include <linux/ip.h>
26#include <linux/udp.h>
27#include <net/route.h>
28
29#include <linux/netfilter.h>
30#include <linux/netfilter_ipv4.h>
31#include <linux/netfilter_ipv4/ip_conntrack.h>
32#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
33
34MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
35MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper");
36MODULE_LICENSE("GPL");
37
38static unsigned int timeout = 3;
39module_param(timeout, int, 0600);
40MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
41
42static int help(struct sk_buff **pskb,
43 struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
44{
45 struct ip_conntrack_expect *exp;
46 struct iphdr *iph = (*pskb)->nh.iph;
47 struct udphdr _uh, *uh;
48 struct rtable *rt = (struct rtable *)(*pskb)->dst;
49 struct in_device *in_dev;
50 u_int32_t mask = 0;
51
52 /* we're only interested in locally generated packets */
53 if ((*pskb)->sk == NULL)
54 goto out;
55 if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
56 goto out;
57 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
58 goto out;
59
60 rcu_read_lock();
61 in_dev = __in_dev_get(rt->u.dst.dev);
62 if (in_dev != NULL) {
63 for_primary_ifa(in_dev) {
64 if (ifa->ifa_broadcast == iph->daddr) {
65 mask = ifa->ifa_mask;
66 break;
67 }
68 } endfor_ifa(in_dev);
69 }
70 rcu_read_unlock();
71
72 if (mask == 0)
73 goto out;
74
75 uh = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_uh), &_uh);
76 BUG_ON(uh == NULL);
77
78 exp = ip_conntrack_expect_alloc(ct);
79 if (exp == NULL)
80 goto out;
81 memset(&exp->tuple, 0, sizeof(exp->tuple));
82 exp->tuple.src.ip = iph->daddr & mask;
83 exp->tuple.dst.ip = iph->saddr;
84 exp->tuple.dst.u.udp.port = uh->source;
85 exp->tuple.dst.protonum = IPPROTO_UDP;
86
87 memset(&exp->mask, 0, sizeof(exp->mask));
88 exp->mask.src.ip = mask;
89 exp->mask.dst.ip = 0xFFFFFFFF;
90 exp->mask.dst.u.udp.port = 0xFFFF;
91 exp->mask.dst.protonum = 0xFF;
92
93 exp->expectfn = NULL;
94 exp->flags = IP_CT_EXPECT_PERMANENT;
95
96 ip_conntrack_expect_related(exp);
97 ip_conntrack_expect_put(exp);
98
99 ip_ct_refresh_acct(ct, ctinfo, NULL, timeout * HZ);
100out:
101 return NF_ACCEPT;
102}
103
104static struct ip_conntrack_helper helper = {
105 .name = "netbios-ns",
106 .tuple = {
107 .src.u.udp.port = __constant_htons(137),
108 .dst.protonum = IPPROTO_UDP,
109 },
110 .mask = {
111 .src.u.udp.port = 0xFFFF,
112 .dst.protonum = 0xFF,
113 },
114 .max_expected = 1,
115 .me = THIS_MODULE,
116 .help = help,
117};
118
119static int __init init(void)
120{
121 helper.timeout = timeout;
122 return ip_conntrack_helper_register(&helper);
123}
124
125static void __exit fini(void)
126{
127 ip_conntrack_helper_unregister(&helper);
128}
129
130module_init(init);
131module_exit(fini);