1 | /* $NetBSD: ip_irc_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $ */ |
2 | |
3 | /* |
4 | * Copyright (C) 2012 by Darren Reed. |
5 | * |
6 | * See the IPFILTER.LICENCE file for details on licencing. |
7 | * |
8 | * Id: ip_irc_pxy.c,v 1.1.1.2 2012/07/22 13:45:19 darrenr Exp |
9 | */ |
10 | |
11 | #include <sys/cdefs.h> |
12 | __KERNEL_RCSID(1, "$NetBSD: ip_irc_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $" ); |
13 | |
#define	IPF_IRC_PROXY

/*
 * Size of the two on-stack scratch buffers in ipf_p_irc_send(): one holds
 * a copy of the TCP payload, the other the rewritten DCC message.
 */
#define	IPF_IRCBUFSZ	96	/* This *MUST* be >= 64! */


/* Module setup and teardown for the file-scope state below. */
void ipf_p_irc_main_load(void);
void ipf_p_irc_main_unload(void);
/* Per-session entry points; ipf_p_irc_out() simply calls ipf_p_irc_send(). */
int ipf_p_irc_new(void *, fr_info_t *, ap_session_t *, nat_t *);
int ipf_p_irc_out(void *, fr_info_t *, ap_session_t *, nat_t *);
int ipf_p_irc_send(fr_info_t *, nat_t *);
/* Parser for a "PRIVMSG ... ^ADCC ..." line held in a caller-owned buffer. */
int ipf_p_irc_complete(ircinfo_t *, char *, size_t);
/* NOTE(review): declared here, but no definition appears in this listing. */
u_short ipf_irc_atoi(char **);

/*
 * Rule attached (via fin_fr) to the NAT and state entries that
 * ipf_p_irc_send() creates for an accepted DCC offer.
 */
static	frentry_t	ircnatfr;

/* Set to 1 by ipf_p_irc_main_load() and back to 0 by ipf_p_irc_main_unload(). */
int	irc_proxy_init = 0;
30 | |
31 | |
/*
 * Set up the file-scope rule used for proxy-created entries: clear it,
 * give it one reference and the pass/quick/keep-state flags, create its
 * lock, then record that initialisation has happened.
 */
void
ipf_p_irc_main_load(void)
{
	frentry_t *fr = &ircnatfr;

	bzero((char *)fr, sizeof(*fr));
	fr->fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
	fr->fr_ref = 1;
	MUTEX_INIT(&fr->fr_lock, "IRC proxy rule lock");

	/* ipf_p_irc_main_unload() only destroys the lock when this is 1. */
	irc_proxy_init = 1;
}
44 | |
45 | |
/*
 * Undo ipf_p_irc_main_load(): destroy the rule lock, but only if the load
 * routine actually ran, so the lock is never destroyed twice or before it
 * was created.
 */
void
ipf_p_irc_main_unload(void)
{
	if (irc_proxy_init != 1)
		return;

	MUTEX_DESTROY(&ircnatfr.fr_lock);
	irc_proxy_init = 0;
}
54 | |
55 | |
/*
 * DCC sub-commands that ipf_p_irc_complete() accepts.  Every keyword
 * carries its trailing space, and the list ends with a NULL sentinel that
 * the lookup loop relies on to stop.
 */
const char *ipf_p_irc_dcctypes[] = {
	/* CHAT chat ipnumber portnumber */
	"CHAT ",
	/* SEND filename ipnumber portnumber */
	"SEND ",
	"MOVE ",
	"TSEND ",
	"SCHAT ",
	/* end-of-table marker */
	NULL,
};
64 | |
65 | |
66 | /* |
67 | * :A PRIVMSG B :^ADCC CHAT chat 0 0^A\r\n |
68 | * PRIVMSG B ^ADCC CHAT chat 0 0^A\r\n |
69 | */ |
70 | |
71 | |
/*
 * Scan buf for a complete "PRIVMSG <nick> [:]^ADCC <type> <arg> <ip> <port>^A\r\n"
 * line and record where its parts are.
 *
 * ircp - receives the results.  irc_ipnum and irc_port are zeroed on entry;
 *        irc_snick, irc_dnick, irc_type, irc_arg and irc_addr are set to
 *        pointers INTO buf as parsing proceeds (so they are only valid while
 *        buf is), and irc_ipnum, irc_port and irc_len are filled on success.
 * buf  - the bytes to parse.
 * len  - number of bytes the caller says may be examined.
 *
 * Returns 1 if a DCC request was recognised, 0 otherwise.  On a 0 return
 * some of the pointer fields may already have been overwritten.
 *
 * Bounds: the only limit on how far the scan advances is the counter `i`
 * derived from len.  The scanning loops stop on a character class or on
 * i reaching 0, not on a NUL byte, and this function has no knowledge of
 * the real capacity of buf.  The caller must therefore never pass a len
 * larger than the number of valid bytes in buf.
 */
int
ipf_p_irc_complete(ircinfo_t *ircp, char *buf, size_t len)
{
	register char *s, c;
	register size_t i;
	u_32_t l;
	int j, k;

	ircp->irc_ipnum = 0;
	ircp->irc_port = 0;

	/* Anything shorter than 31 bytes cannot hold a full request. */
	if (len < 31)
		return 0;
	s = buf;
	c = *s++;		/* c = first byte; s now points at buf[1] */
	i = len - 1;		/* bytes left after the first one */

	if ((c != ':') && (c != 'P'))
		return 0;

	if (c == ':') {
		/*
		 * Loosely check that the source is a nickname of some sort
		 */
		/* s was already at buf[1]; this moves it to buf[2]. */
		s++;
		c = *s;
		ircp->irc_snick = s;
		if (!ISALPHA(c))
			return 0;
		i--;
		/*
		 * `c = *s++` leaves c holding the byte just BEHIND s, so when
		 * this loop stops on whitespace s is already one past it.
		 */
		for (c = *s; !ISSPACE(c) && (i > 0); i--)
			c = *s++;
		if (i < 31)
			return 0;
		/*
		 * NOTE(review): with i > 0 the loop above can only exit with
		 * c being whitespace, so this test appears to reject every
		 * prefixed message.  Confirm the intended check (probably
		 * against *s) before relying on this branch.
		 */
		if (c != 'P')
			return 0;
	} else
		ircp->irc_snick = NULL;

	/*
	 * Check command string
	 */
	/*
	 * NOTE(review): on the un-prefixed path s is buf + 1 here (the
	 * leading 'P' was consumed by `c = *s++` above), so the compare
	 * starts at the second character of the command - verify.
	 * The earlier minimum-length checks leave at least 8 countable
	 * bytes for this fixed-width compare.
	 */
	if (strncmp(s, "PRIVMSG ", 8))
		return 0;
	i -= 8;
	s += 8;
	c = *s;
	ircp->irc_dnick = s;

	/*
	 * Loosely check that the destination is a nickname of some sort
	 */
	if (!ISALPHA(c))
		return 0;
	for (; !ISSPACE(c) && (i > 0); i--)
		c = *s++;
	if (i < 20)
		return 0;
	s++,
	i--;

	/*
	 * Look for a ^A to start the DCC
	 */
	c = *s;
	if (c == ':') {
		/* The optional ':' is skipped without decrementing i. */
		s++;
		c = *s;
	}

	/* Only the first 4 bytes ("^ADCC") of the 5-byte literal are compared. */
	if (strncmp(s, "\001DCC ", 4))
		return 0;

	i -= 4;
	s += 4;

	/*
	 * Check for a recognised DCC command
	 */
	/* k is clamped to i so the compare never exceeds the counted bytes. */
	for (j = 0, k = 0; ipf_p_irc_dcctypes[j]; j++) {
		k = MIN(strlen(ipf_p_irc_dcctypes[j]), i);
		if (!strncmp(ipf_p_irc_dcctypes[j], s, k))
			break;
	}
	/* Reached the NULL sentinel: no keyword matched. */
	if (!ipf_p_irc_dcctypes[j])
		return 0;

	ircp->irc_type = s;
	i -= k;			/* k <= i, so this cannot wrap */
	s += k;

	if (i < 11)
		return 0;

	/*
	 * Check for the arg
	 */
	c = *s;
	if (ISSPACE(c))
		return 0;
	ircp->irc_arg = s;
	for (; (c != ' ') && (c != '\001') && (i > 0); i--)
		c = *s++;

	if (c == '\001')	/* In reality a ^A can quote another ^A...*/
		return 0;

	if (i < 5)
		return 0;

	/*
	 * NOTE(review): because of the one-byte lag described above, s is
	 * already past the separating space here; the extra s++ looks like
	 * it skips the first digit of the address - confirm.
	 */
	s++;
	i--;
	c = *s;
	if (!ISDIGIT(c))
		return 0;
	ircp->irc_addr = s;
	/*
	 * Get the IP#
	 */
	/*
	 * Decimal accumulation into a 32-bit unsigned value with no overflow
	 * check: an over-long digit string wraps instead of being rejected.
	 */
	for (l = 0; ISDIGIT(c) && (i > 0); i--) {
		l *= 10;
		l += c - '0';
		c = *s++;
	}

	if (i < 4)
		return 0;

	if (c != ' ')
		return 0;

	ircp->irc_ipnum = l;
	s++;
	i--;
	c = *s;
	if (!ISDIGIT(c))
		return 0;
	/*
	 * Get the port#
	 */
	/*
	 * Same unchecked accumulation as for the address; nothing here
	 * restricts the result to 0-65535 before it is stored in irc_port.
	 */
	for (l = 0; ISDIGIT(c) && (i > 0); i--) {
		l *= 10;
		l += c - '0';
		c = *s++;
	}
	if (i < 3)
		return 0;
	/* The request must be terminated by ^A CR LF. */
	if (strncmp(s, "\001\r\n", 3))
		return 0;
	s += 3;
	/* Length of the recognised message, measured from the start of buf. */
	ircp->irc_len = s - buf;
	ircp->irc_port = l;
	return 1;
}
226 | |
227 | |
/*
 * Create the per-session proxy state for a new IRC connection.
 *
 * Only IPv4 packets are accepted.  A zero-filled ircinfo_t is allocated
 * and attached to the session through aps_data, with aps_psiz recording
 * its size.  Returns 0 on success, or -1 if the packet is not IPv4 or the
 * allocation fails.  arg and nat are not used.
 */
int
ipf_p_irc_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
{
	ircinfo_t *state;

	nat = nat;	/* LINT */

	if (fin->fin_v != 4)
		return -1;

	KMALLOC(state, ircinfo_t *);
	if (state == NULL)
		return -1;

	/* Clear the block before the session is pointed at it. */
	bzero((char *)state, sizeof(*state));

	aps->aps_psiz = sizeof(ircinfo_t);
	aps->aps_data = state;
	return 0;
}
248 | |
249 | |
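/*
 * Inspect one outbound IRC segment for a CTCP DCC offer and, if one is
 * found, rewrite the advertised address and add a NAT mapping plus state
 * entry for the connection expected back.
 *
 * fin - packet being processed.
 * nat - NAT session the packet belongs to; its proxy data is the ircinfo_t
 *       set up by ipf_p_irc_new().
 *
 * Returns the change in payload length (0 when the packet is left alone).
 *
 * Changes from the previous version:
 *  - the parser is handed the number of bytes actually copied into the
 *    stack buffer, not the full payload length, so it cannot scan past
 *    ctcpbuf;
 *  - the replacement text is formatted after the copied prefix rather than
 *    on top of it, and truncation is detected;
 *  - the privileged-port test runs before the packet is modified, so a
 *    rejected offer no longer leaves a rewritten packet with a 0 return.
 */
int
ipf_p_irc_send(fr_info_t *fin, nat_t *nat)
{
	char ctcpbuf[IPF_IRCBUFSZ], newbuf[IPF_IRCBUFSZ];
	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
	int off, inc = 0, i, dlen, n;
	ipf_main_softc_t *softc;
	size_t nlen = 0, olen, clen;
	struct in_addr swip;
	u_short a5, sp;
	ircinfo_t *irc;
	fr_info_t fi;
	nat_t *nat2;
	u_int a1;
	ip_t *ip;
	mb_t *m;
#ifdef	MENTAT
	mb_t *m1;
#endif
	softc = fin->fin_main_soft;

	m = fin->fin_m;
	ip = fin->fin_ip;
	tcp = (tcphdr_t *)fin->fin_dp;
	bzero(ctcpbuf, sizeof(ctcpbuf));
	off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;

#ifdef __sgi
	dlen = fin->fin_plen - off;
#else
	dlen = MSGDSIZE(m) - off;
#endif
	if (dlen <= 0)
		return 0;

	/*
	 * Copy at most sizeof(ctcpbuf) - 1 bytes so the zero-filled buffer
	 * stays NUL terminated, and remember how many bytes are really there.
	 */
	clen = MIN(sizeof(ctcpbuf) - 1, (size_t)dlen);
	COPYDATA(m, off, clen, ctcpbuf);
	ctcpbuf[clen] = '\0';
	*newbuf = '\0';

	/*
	 * The parser trusts its length argument, so it must be given the
	 * size of the local copy and never the (possibly larger) payload
	 * length.
	 */
	irc = nat->nat_aps->aps_data;
	if (ipf_p_irc_complete(irc, ctcpbuf, clen) == 0)
		return 0;

	/*
	 * check that IP address in the DCC reply is the same as the
	 * sender of the command - prevents use for port scanning.
	 */
	if (irc->irc_ipnum != ntohl(nat->nat_osrcaddr))
		return 0;

	/*
	 * NOTE(review): the parser does not range-check the port, so a value
	 * above 65535 is silently truncated by this assignment - confirm
	 * whether that should be rejected instead.
	 */
	a5 = irc->irc_port;

	/*
	 * Refuse offers naming a privileged port (< 1024).  This is decided
	 * before the packet is touched so that a refusal leaves it intact.
	 */
	if (a5 < 1024)
		return 0;

	/*
	 * Calculate new address parts for the DCC command
	 */
	a1 = ntohl(ip->ip_src.s_addr);
	olen = irc->irc_len;
	i = irc->irc_addr - ctcpbuf;
	/*
	 * NOTE(review): the extra byte kept here depends on exactly where the
	 * parser leaves irc_addr relative to the first address digit; verify
	 * that the prefix ends just before the old address.
	 */
	i++;

	/* The prefix and the old message must both lie inside the copy. */
	if ((i <= 0) || ((size_t)i >= sizeof(newbuf)) || (olen > clen))
		return 0;

	/* Keep everything in front of the old address... */
	memcpy(newbuf, ctcpbuf, (size_t)i);
	/* ...and append the translated address and port after it. */
	n = snprintf(newbuf + i, sizeof(newbuf) - i, "%u %u\001\r\n", a1, a5);
	if ((n < 0) || ((size_t)n >= sizeof(newbuf) - i))
		return 0;	/* would not fit: leave the packet alone */

	nlen = (size_t)i + (size_t)n;
	inc = (int)nlen - (int)olen;

	if ((inc + fin->fin_plen) > 65535)
		return 0;

#ifdef	MENTAT
	for (m1 = m; m1->b_cont; m1 = m1->b_cont)
		;
	if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
		mblk_t *nm;

		/* alloc enough to keep same trailer space for lower driver */
		nm = allocb(nlen, BPRI_MED);
		PANIC((!nm),("ipf_p_irc_out: allocb failed"));

		nm->b_band = m1->b_band;
		nm->b_wptr += nlen;

		m1->b_wptr -= olen;
		PANIC((m1->b_wptr < m1->b_rptr),
		      ("ipf_p_irc_out: cannot handle fragmented data block"));

		linkb(m1, nm);
	} else {
# if SOLARIS && defined(ICK_VALID)
		if (m1->b_datap->db_struiolim == m1->b_wptr)
			m1->b_datap->db_struiolim += inc;
		m1->b_datap->db_struioflag &= ~STRUIO_IP;
# endif
		m1->b_wptr += inc;
	}
#else
	if (inc < 0)
		m_adj(m, inc);
	/* the mbuf chain will be extended if necessary by m_copyback() */
#endif
	COPYBACK(m, off, nlen, newbuf);
	fin->fin_flx |= FI_DOCKSUM;

	if (inc != 0) {
#if defined(MENTAT) || defined(__sgi)
		register u_32_t	sum1, sum2;

		sum1 = fin->fin_plen;
		sum2 = fin->fin_plen + inc;

		/* Because ~1 == -2, We really need ~1 == -1 */
		if (sum1 > sum2)
			sum2--;
		sum2 -= sum1;
		sum2 = (sum2 & 0xffff) + (sum2 >> 16);

		ipf_fix_outcksum(0, &ip->ip_sum, sum2, 0);
#endif
		fin->fin_plen += inc;
		ip->ip_len = htons(fin->fin_plen);
		fin->fin_dlen += inc;
	}

	/*
	 * Add skeleton NAT entry for connection which will come back the
	 * other way.
	 */
	sp = htons(a5);

	/*
	 * Check for a conflicting mapping before creating a new one.
	 * NOTE(review): fi is prepared here but the lookup is made with fin,
	 * so these three statements currently have no effect on it - confirm
	 * whether &fi was intended.
	 */
	bcopy((void *)fin, (void *)&fi, sizeof(fi));
	fi.fin_data[0] = sp;
	fi.fin_data[1] = fin->fin_data[1];
	nat2 = ipf_nat_outlookup(fin, IPN_TCP, nat->nat_pr[1], nat->nat_nsrcip,
			     ip->ip_dst);
	if (nat2 == NULL) {
#ifdef USE_MUTEXES
		ipf_nat_softc_t *softn = softc->ipf_nat_soft;
#endif

		/* Build a minimal TCP packet description for the new entry. */
		bcopy((void *)fin, (void *)&fi, sizeof(fi));
		bzero((char *)tcp2, sizeof(*tcp2));
		tcp2->th_win = htons(8192);
		tcp2->th_sport = sp;
		tcp2->th_dport = 0; /* XXX - don't specify remote port */
		fi.fin_data[0] = ntohs(sp);
		fi.fin_data[1] = 0;
		fi.fin_dp = (char *)tcp2;
		fi.fin_fr = &ircnatfr;
		fi.fin_dlen = sizeof(*tcp2);
		fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
		/*
		 * The packet's source address is swapped for the translated
		 * one while the entries are created, then restored below.
		 */
		swip = ip->ip_src;
		ip->ip_src = nat->nat_nsrcip;
		MUTEX_ENTER(&softn->ipf_nat_new);
		nat2 = ipf_nat_add(&fi, nat->nat_ptr, NULL,
			       NAT_SLAVE|IPN_TCP|SI_W_DPORT, NAT_OUTBOUND);
		MUTEX_EXIT(&softn->ipf_nat_new);
		if (nat2 != NULL) {
			(void) ipf_nat_proto(&fi, nat2, 0);
			MUTEX_ENTER(&nat2->nat_lock);
			ipf_nat_update(&fi, nat2);
			MUTEX_EXIT(&nat2->nat_lock);

			(void) ipf_state_add(softc, &fi, NULL, SI_W_DPORT);
		}
		ip->ip_src = swip;
	}
	return inc;
}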
430 | |
431 | |
/*
 * Outbound packet hook for the IRC proxy.  All of the work is done by
 * ipf_p_irc_send(); its return value (the payload length change) is passed
 * straight back.  arg and aps are not used.
 */
int
ipf_p_irc_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
{
	int delta;

	aps = aps;	/* LINT */

	delta = ipf_p_irc_send(fin, nat);
	return delta;
}
438 | |