| 1 | /* $NetBSD: ip_irc_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $ */ |
| 2 | |
| 3 | /* |
| 4 | * Copyright (C) 2012 by Darren Reed. |
| 5 | * |
| 6 | * See the IPFILTER.LICENCE file for details on licencing. |
| 7 | * |
| 8 | * Id: ip_irc_pxy.c,v 1.1.1.2 2012/07/22 13:45:19 darrenr Exp |
| 9 | */ |
| 10 | |
| 11 | #include <sys/cdefs.h> |
| 12 | __KERNEL_RCSID(1, "$NetBSD: ip_irc_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $" ); |
| 13 | |
/* Defined with no value; nothing in the visible part of this file tests it. */
#define IPF_IRC_PROXY

/*
 * Size in bytes of the two stack buffers ipf_p_irc_send() declares: one for
 * the captured TCP payload and one for the rewritten DCC text.
 * This *MUST* be >= 64!
 */
#define IPF_IRCBUFSZ 96


/* Load/unload hooks: set up and tear down the shared rule template below. */
void ipf_p_irc_main_load(void);
void ipf_p_irc_main_unload(void);
/* Per-session setup and the outbound packet hook. */
int ipf_p_irc_new(void *, fr_info_t *, ap_session_t *, nat_t *);
int ipf_p_irc_out(void *, fr_info_t *, ap_session_t *, nat_t *);
/* Parses and rewrites one outbound segment; called from ipf_p_irc_out(). */
int ipf_p_irc_send(fr_info_t *, nat_t *);
/* Matches a DCC request in a buffer; returns 1 on a full match, else 0. */
int ipf_p_irc_complete(ircinfo_t *, char *, size_t);
/* Declared here; no definition appears in the visible part of this file. */
u_short ipf_irc_atoi(char **);

/*
 * Rule template that ipf_p_irc_send() attaches (as fin_fr) to the NAT and
 * state entries it creates for the expected DCC connection.
 */
static frentry_t ircnatfr;

/*
 * Set to 1 once ipf_p_irc_main_load() has initialised ircnatfr's lock, so
 * that unload destroys the mutex only if it was created.
 */
int irc_proxy_init = 0;
| 30 | |
| 31 | |
/*
 * Prepare the file-scope rule template (ircnatfr) used by this proxy:
 * clear it, give it one reference and the in-queue/pass/quick/keep-state
 * flags, create its lock, then record that initialisation has happened so
 * that ipf_p_irc_main_unload() knows there is a mutex to destroy.
 */
void
ipf_p_irc_main_load(void)
{
	/* Start from an all-zero rule before filling in individual fields. */
	bzero((char *)&ircnatfr, sizeof(ircnatfr));

	ircnatfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
	ircnatfr.fr_ref = 1;

	MUTEX_INIT(&ircnatfr.fr_lock, "IRC proxy rule lock");
	irc_proxy_init = 1;
}
| 44 | |
| 45 | |
/*
 * Undo ipf_p_irc_main_load(): destroy the rule template's lock and clear the
 * init flag.  Does nothing when the flag shows load never ran (or unload has
 * already run), so the mutex is never destroyed twice.
 */
void
ipf_p_irc_main_unload(void)
{
	if (irc_proxy_init != 1)
		return;

	MUTEX_DESTROY(&ircnatfr.fr_lock);
	irc_proxy_init = 0;
}
| 54 | |
| 55 | |
/*
 * DCC sub-command keywords the parser accepts.  Every entry carries its
 * trailing space, and ipf_p_irc_complete() walks the list until it reaches
 * the NULL sentinel.
 */
const char *ipf_p_irc_dcctypes[] = {
	"CHAT ",	/* CHAT chat ipnumber portnumber */
	"SEND ",	/* SEND filename ipnumber portnumber */
	"MOVE ",
	"TSEND ",
	"SCHAT ",
	NULL,		/* end of list */
};
| 64 | |
| 65 | |
/*
 * Message shapes this parser is written for (^A is the byte 0x01):
 *
 * :A PRIVMSG B :^ADCC CHAT chat 0 0^A\r\n
 * PRIVMSG B ^ADCC CHAT chat 0 0^A\r\n
 */


/*
 * Decide whether buf holds one complete CTCP DCC request and, if so, record
 * where its fields are.
 *
 * ircp - result area.  irc_ipnum and irc_port are zeroed on entry; on a full
 *        match irc_ipnum, irc_port and irc_len are filled in.  irc_snick,
 *        irc_dnick, irc_type, irc_arg and irc_addr are set to pointers INTO
 *        buf as parsing proceeds (also on paths that later return 0), so
 *        they are only meaningful while the caller keeps buf alive.
 * buf  - bytes to inspect; scanned with a pointer (s) and a remaining-byte
 *        counter (i).
 * len  - number of bytes the caller says are readable in buf.  This is the
 *        only bound the scan loops have: nothing here knows the real size of
 *        buf, so a len larger than the buffer lets the loops read past it.
 *
 * Returns 1 when every field was matched up to the closing "^A\r\n", else 0.
 */
int
ipf_p_irc_complete(ircinfo_t *ircp, char *buf, size_t len)
{
	register char *s, c;
	register size_t i;
	u_32_t l;
	int j, k;

	ircp->irc_ipnum = 0;
	ircp->irc_port = 0;

	/* Anything shorter than 31 bytes is rejected outright. */
	if (len < 31)
		return 0;
	s = buf;
	c = *s++;		/* c = buf[0]; s now points at buf[1] */
	i = len - 1;		/* bytes remaining from s onward */

	if ((c != ':') && (c != 'P'))
		return 0;

	if (c == ':') {
		/*
		 * Loosely check that the source is a nickname of some sort
		 *
		 * NOTE(review): s is advanced a second time before the first
		 * nickname character is examined, so irc_snick starts at
		 * buf[2], not buf[1] - confirm this is intended.
		 */
		s++;
		c = *s;
		ircp->irc_snick = s;
		if (!ISALPHA(c))
			return 0;
		i--;
		/* Scan to the end of the nickname; bounded only by i. */
		for (c = *s; !ISSPACE(c) && (i > 0); i--)
			c = *s++;
		if (i < 31)
			return 0;
		/*
		 * NOTE(review): the loop above ends only once c is whitespace
		 * or i has reached 0 (already rejected), so this test looks
		 * like it can never pass - confirm against real traffic.
		 */
		if (c != 'P')
			return 0;
	} else
		ircp->irc_snick = NULL;

	/*
	 * Check command string
	 *
	 * NOTE(review): on the unprefixed path s already points at buf[1]
	 * (the 'P' was consumed by "c = *s++" above), so the comparison
	 * starts one byte into the command - confirm.
	 */
	if (strncmp(s, "PRIVMSG ", 8))
		return 0;
	i -= 8;
	s += 8;
	c = *s;
	ircp->irc_dnick = s;

	/*
	 * Loosely check that the destination is a nickname of some sort
	 */
	if (!ISALPHA(c))
		return 0;
	/* Scan to the end of the nickname; again bounded only by i. */
	for (; !ISSPACE(c) && (i > 0); i--)
		c = *s++;
	if (i < 20)
		return 0;
	s++,
	i--;

	/*
	 * Look for a ^A to start the DCC
	 */
	c = *s;
	if (c == ':') {
		/*
		 * The optional ':' is skipped without decrementing i, so from
		 * here on s is one byte ahead of what i accounts for.
		 */
		s++;
		c = *s;
	}

	/*
	 * Only the first 4 bytes ("^ADCC") are compared; the trailing space
	 * in the literal is not part of the match, and s is advanced by 4.
	 */
	if (strncmp(s, "\001DCC ", 4))
		return 0;

	i -= 4;
	s += 4;

	/*
	 * Check for a recognised DCC command
	 * (k is the keyword length, capped at the remaining byte count i).
	 */
	for (j = 0, k = 0; ipf_p_irc_dcctypes[j]; j++) {
		k = MIN(strlen(ipf_p_irc_dcctypes[j]), i);
		if (!strncmp(ipf_p_irc_dcctypes[j], s, k))
			break;
	}
	if (!ipf_p_irc_dcctypes[j])
		return 0;

	ircp->irc_type = s;
	i -= k;
	s += k;

	if (i < 11)
		return 0;

	/*
	 * Check for the arg
	 */
	c = *s;
	if (ISSPACE(c))
		return 0;
	ircp->irc_arg = s;
	/* The argument runs up to the next space or ^A. */
	for (; (c != ' ') && (c != '\001') && (i > 0); i--)
		c = *s++;

	if (c == '\001')	/* In reality a ^A can quote another ^A...*/
		return 0;

	if (i < 5)
		return 0;

	s++;
	i--;
	c = *s;
	if (!ISDIGIT(c))
		return 0;
	ircp->irc_addr = s;
	/*
	 * Get the IP#
	 *
	 * The address is accumulated as one decimal number in a 32-bit
	 * unsigned value.  There is no limit on the digit count, so a longer
	 * digit run wraps rather than being rejected.
	 */
	for (l = 0; ISDIGIT(c) && (i > 0); i--) {
		l *= 10;
		l += c - '0';
		c = *s++;
	}

	if (i < 4)
		return 0;

	if (c != ' ')
		return 0;

	ircp->irc_ipnum = l;
	s++;
	i--;
	c = *s;
	if (!ISDIGIT(c))
		return 0;
	/*
	 * Get the port#
	 *
	 * Same accumulator and same absence of a range check: nothing here
	 * restricts the value to 16 bits before it is stored in irc_port.
	 */
	for (l = 0; ISDIGIT(c) && (i > 0); i--) {
		l *= 10;
		l += c - '0';
		c = *s++;
	}
	if (i < 3)
		return 0;
	/* The request must end with ^A followed by CR LF. */
	if (strncmp(s, "\001\r\n", 3))
		return 0;
	s += 3;
	ircp->irc_len = s - buf;	/* bytes consumed, terminator included */
	ircp->irc_port = l;
	return 1;
}
| 226 | |
| 227 | |
/*
 * Set up proxy state for a new IRC session.
 *
 * Only IPv4 packets are accepted (fin_v must be 4).  A zero-filled ircinfo_t
 * is allocated and attached to the session as aps_data, with aps_psiz set to
 * its size.  arg and nat are not used.
 *
 * Returns 0 on success, -1 for a non-IPv4 packet or a failed allocation.
 */
int
ipf_p_irc_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
{
	ircinfo_t *session;

	(void)nat;	/* unused; keeps lint quiet */

	if (fin->fin_v != 4)
		return -1;

	KMALLOC(session, ircinfo_t *);
	if (session == NULL)
		return -1;
	bzero((char *)session, sizeof(*session));

	aps->aps_psiz = sizeof(ircinfo_t);
	aps->aps_data = session;
	return 0;
}
| 248 | |
| 249 | |
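/*
 * Inspect one outbound TCP segment of a proxied IRC session and, when
 * ipf_p_irc_complete() reports a complete DCC request whose address matches
 * the original source of the NAT mapping, rewrite the advertised address and
 * pre-create NAT and state entries for the connection expected to come back.
 *
 * fin - packet being processed (mbuf chain, IP header, TCP header).
 * nat - NAT entry of the IRC control connection; nat->nat_aps->aps_data is
 *       the ircinfo_t scratch area filled in by the parser.
 *
 * Returns the change in payload length (inc) once the packet has been
 * rewritten, or 0 when the packet is left untouched.
 *
 * Every rejection test (parser result, address match, port range) runs
 * before the packet or fin is modified, so a 0 return always means
 * "nothing was changed".
 */
int
ipf_p_irc_send(fr_info_t *fin, nat_t *nat)
{
	char ctcpbuf[IPF_IRCBUFSZ], newbuf[IPF_IRCBUFSZ];
	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
	int off, inc = 0, i, dlen;
	ipf_main_softc_t *softc;
	size_t nlen = 0, olen;
	struct in_addr swip;
	u_short a5, sp;
	ircinfo_t *irc;
	fr_info_t fi;
	nat_t *nat2;
	u_int a1;
	ip_t *ip;
	mb_t *m;
#ifdef MENTAT
	mb_t *m1;
#endif
	softc = fin->fin_main_soft;

	m = fin->fin_m;
	ip = fin->fin_ip;
	tcp = (tcphdr_t *)fin->fin_dp;
	bzero(ctcpbuf, sizeof(ctcpbuf));
	/* Offset of the TCP payload from the start of the packet data. */
	off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;

#ifdef __sgi
	dlen = fin->fin_plen - off;
#else
	dlen = MSGDSIZE(m) - off;
#endif
	if (dlen <= 0)
		return 0;
	/* Capture at most one buffer's worth of payload. */
	COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
	ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
	*newbuf = '\0';

	/*
	 * The parser trusts its length argument as the number of readable
	 * bytes, but only MIN(sizeof(ctcpbuf), dlen) bytes were copied and
	 * the last byte was just replaced by the terminator.  Clamp the
	 * length to the bytes that really hold payload so the scan loops in
	 * ipf_p_irc_complete() cannot walk past ctcpbuf on the stack when
	 * the segment is larger than the buffer.
	 */
	if ((size_t)dlen > sizeof(ctcpbuf) - 1)
		dlen = (int)(sizeof(ctcpbuf) - 1);

	irc = nat->nat_aps->aps_data;
	if (ipf_p_irc_complete(irc, ctcpbuf, dlen) == 0)
		return 0;

	/*
	 * check that IP address in the DCC reply is the same as the
	 * sender of the command - prevents use for port scanning.
	 */
	if (irc->irc_ipnum != ntohl(nat->nat_osrcaddr))
		return 0;

	/*
	 * NOTE(review): irc_port is filled from a 32-bit accumulator with no
	 * range check in ipf_p_irc_complete(); if the field is wider than
	 * u_short this assignment truncates before the test below - confirm.
	 */
	a5 = irc->irc_port;
	sp = htons(a5);

	/*
	 * Don't allow the DCC request to specify a port < 1024.  Tested
	 * before anything is rewritten so that a refused request leaves the
	 * packet, fin_plen and ip_len exactly as they arrived.
	 */
	if (ntohs(sp) < 1024)
		return 0;

	/*
	 * Calculate new address parts for the DCC command
	 */
	a1 = ntohl(ip->ip_src.s_addr);
	olen = irc->irc_len;
	i = irc->irc_addr - ctcpbuf;
	i++;
	(void) strncpy(newbuf, ctcpbuf, i);
	/*
	 * NOTE(review): snprintf() starts writing at newbuf[0], not at
	 * newbuf + i, so the prefix copied by strncpy() just above is
	 * overwritten and newbuf ends up holding only "<addr> <port>^A\r\n",
	 * although the size argument is already reduced by i.  The return
	 * value is not checked either, so truncation goes unnoticed.  Left as
	 * found because the correct prefix length depends on where
	 * ipf_p_irc_complete() leaves irc_addr - confirm and fix together.
	 */
	snprintf(newbuf, sizeof(newbuf) - i, "%u %u\001\r\n", a1, a5);

	nlen = strlen(newbuf);
	inc = nlen - olen;

	/* Refuse a rewrite that would push the packet past 65535 bytes. */
	if ((inc + fin->fin_plen) > 65535)
		return 0;

#ifdef MENTAT
	/* Find the last block of the message chain. */
	for (m1 = m; m1->b_cont; m1 = m1->b_cont)
		;
	if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
		mblk_t *nm;

		/* alloc enough to keep same trailer space for lower driver */
		nm = allocb(nlen, BPRI_MED);
		PANIC((!nm),("ipf_p_irc_out: allocb failed"));

		nm->b_band = m1->b_band;
		nm->b_wptr += nlen;

		m1->b_wptr -= olen;
		PANIC((m1->b_wptr < m1->b_rptr),
		      ("ipf_p_irc_out: cannot handle fragmented data block"));

		linkb(m1, nm);
	} else {
# if SOLARIS && defined(ICK_VALID)
		if (m1->b_datap->db_struiolim == m1->b_wptr)
			m1->b_datap->db_struiolim += inc;
		m1->b_datap->db_struioflag &= ~STRUIO_IP;
# endif
		m1->b_wptr += inc;
	}
#else
	if (inc < 0)
		m_adj(m, inc);
	/* the mbuf chain will be extended if necessary by m_copyback() */
#endif
	COPYBACK(m, off, nlen, newbuf);
	fin->fin_flx |= FI_DOCKSUM;

	if (inc != 0) {
#if defined(MENTAT) || defined(__sgi)
		register u_32_t sum1, sum2;

		sum1 = fin->fin_plen;
		sum2 = fin->fin_plen + inc;

		/* Because ~1 == -2, We really need ~1 == -1 */
		if (sum1 > sum2)
			sum2--;
		sum2 -= sum1;
		sum2 = (sum2 & 0xffff) + (sum2 >> 16);

		ipf_fix_outcksum(0, &ip->ip_sum, sum2, 0);
#endif
		/* Propagate the new length to the packet info and IP header. */
		fin->fin_plen += inc;
		ip->ip_len = htons(fin->fin_plen);
		fin->fin_dlen += inc;
	}

	/*
	 * Add skeleton NAT entry for connection which will come back the
	 * other way.
	 */

	/*
	 * The server may not make the connection back from port 20, but
	 * it is the most likely so use it here to check for a conflicting
	 * mapping.
	 *
	 * NOTE(review): fi is filled in here, but the lookup below is passed
	 * fin rather than &fi, and fi is copied over again before it is next
	 * used - confirm which packet info the lookup was meant to see.
	 */
	bcopy((void *)fin, (void *)&fi, sizeof(fi));
	fi.fin_data[0] = sp;
	fi.fin_data[1] = fin->fin_data[1];
	nat2 = ipf_nat_outlookup(fin, IPN_TCP, nat->nat_pr[1], nat->nat_nsrcip,
				 ip->ip_dst);
	if (nat2 == NULL) {
#ifdef USE_MUTEXES
		ipf_nat_softc_t *softn = softc->ipf_nat_soft;
#endif

		/* Build a minimal TCP header and packet info for the entry. */
		bcopy((void *)fin, (void *)&fi, sizeof(fi));
		bzero((char *)tcp2, sizeof(*tcp2));
		tcp2->th_win = htons(8192);
		tcp2->th_sport = sp;
		tcp2->th_dport = 0;	/* XXX - don't specify remote port */
		fi.fin_data[0] = ntohs(sp);
		fi.fin_data[1] = 0;
		fi.fin_dp = (char *)tcp2;
		fi.fin_fr = &ircnatfr;
		fi.fin_dlen = sizeof(*tcp2);
		fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
		/*
		 * Temporarily put the translated source address into the real
		 * IP header while the entries are created; restored below.
		 */
		swip = ip->ip_src;
		ip->ip_src = nat->nat_nsrcip;
		MUTEX_ENTER(&softn->ipf_nat_new);
		nat2 = ipf_nat_add(&fi, nat->nat_ptr, NULL,
			       NAT_SLAVE|IPN_TCP|SI_W_DPORT, NAT_OUTBOUND);
		MUTEX_EXIT(&softn->ipf_nat_new);
		if (nat2 != NULL) {
			(void) ipf_nat_proto(&fi, nat2, 0);
			MUTEX_ENTER(&nat2->nat_lock);
			ipf_nat_update(&fi, nat2);
			MUTEX_EXIT(&nat2->nat_lock);

			(void) ipf_state_add(softc, &fi, NULL, SI_W_DPORT);
		}
		ip->ip_src = swip;
	}
	return inc;
}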
| 430 | |
| 431 | |
/*
 * Outbound packet hook for the IRC proxy: hands the packet and its NAT entry
 * to ipf_p_irc_send() and passes that function's result straight back.
 * arg and aps are not used.
 */
int
ipf_p_irc_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
{
	int delta;

	(void)aps;	/* unused; keeps lint quiet */

	delta = ipf_p_irc_send(fin, nat);
	return delta;
}
| 438 | |