1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
|
/*
// Copyright (c) 2017 Intel Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <app.h>
#include <rte_common.h>
#include <rte_malloc.h>
#include <rte_mbuf.h>
#include <rte_ip.h>
#include <rte_byteorder.h>
#include <rte_table_lpm.h>
#include <rte_table_hash.h>
#include <rte_pipeline.h>
#include <rte_arp.h>
#include <rte_icmp.h>
#include <rte_hash.h>
#include <rte_jhash.h>
#include <rte_cycles.h>
#include "pipeline_cgnapt_common.h"
#include "pipeline_actions_common.h"
#include "pipeline_cgnapt_be.h"
#include "hash_func.h"
#include "lib_ftp_alg.h"
#include "vnf_common.h"
#include "pipeline_common_be.h"
#include "rte_ct_tcp.h"
#include "rte_cnxn_tracking.h"
#define ALG_DEBUG 1
#if 1
extern uint8_t
rte_ct_create_cnxn_hashkey(
uint32_t *src_addr,
uint32_t *dst_addr,
uint16_t src_port,
uint16_t dst_port,
uint8_t proto,
uint32_t *key,
uint8_t type);
#endif
struct rte_mbuf *lib_alg_pkt;
enum {PRIVATE, PUBLIC};
struct rte_hash_parameters ftp_alg_hash_params = {
.name = "FTP ALG",
.entries = 1024,
.reserved = 0,
.key_len = sizeof(struct ftp_alg_key),
.hash_func = rte_jhash,
.hash_func_init_val = 0,
};
struct rte_hash *ftp_alg_hash_handle;
/**
* ftp_alg Init function
*/
void lib_ftp_alg_init(void)
{
printf("NAT FTP ALG initialization ...\n");
/* FTP ALG hash table initialization */
ftp_alg_hash_handle = rte_hash_create(&ftp_alg_hash_params);
#ifdef ALGDBG
if (ftp_alg_hash_handle == NULL)
printf("FTP ALG rte_hash_create failed ...\n");
else
printf("ftp_alg_hash_table %p\n\n",
(void *)ftp_alg_hash_handle);
#endif
}
/*
* ftp_alg table retreive function
* Input - alg key
* Output - Entry
*/
struct ftp_alg_table_entry *retrieve_ftp_alg_entry(struct ftp_alg_key alg_key)
{
struct ftp_alg_table_entry *ret_alg_data = NULL;
alg_key.filler1 = 0;
alg_key.filler2 = 0;
int ret = rte_hash_lookup_data(ftp_alg_hash_handle, &alg_key,
(void **)&ret_alg_data);
if (ret < 0) {
#ifdef ALGDBG
printf("alg-hash lookup failed ret %d, EINVAL %d, ENOENT %d\n",
ret, EINVAL, ENOENT);
#endif
} else {
return ret_alg_data;
}
return NULL;
}
/*
* ftp_alg table entry delete
* Input - ipaddress, portid
* Output - sucess or failure
*/
static int remove_ftp_alg_entry(uint32_t ipaddr, uint8_t portid)
{
/* need to lock here if multi-threaded... */
/* rte_hash_del_key is not thread safe */
struct ftp_alg_key alg_key;
alg_key.l4port = rte_bswap16(portid);
alg_key.ip_address = rte_bswap32(ipaddr);
alg_key.filler1 = 0;
alg_key.filler2 = 0;
#ifdef ALGDBG
printf("remove_alg_entry ip %x, port %d\n", alg_key.ip_address,
alg_key.l4port);
#endif
return rte_hash_del_key(ftp_alg_hash_handle, &alg_key);
}
/*
* ftp_alg table entry add
* Input - ipaddress, portid
* Output - sucess or failure
*/
void
populate_ftp_alg_entry(uint32_t ipaddr, uint8_t portid)
{
/* need to lock here if multi-threaded */
/* rte_hash_add_key_data is not thread safe */
struct ftp_alg_key alg_key;
alg_key.l4port = rte_bswap16(portid);
//arp_key.ip = rte_bswap32(ipaddr);
alg_key.ip_address = rte_bswap32(ipaddr);
alg_key.filler1 = 0;
alg_key.filler2 = 0;
//lib_arp_populate_called++;
#ifdef ALGDBG
printf("populate_ftp_alg_entry ip %x, port %d\n", alg_key.ip_address,
alg_key.l4port);
#endif
struct ftp_alg_table_entry *new_alg_data =
retrieve_ftp_alg_entry(alg_key);
if (new_alg_data) {
#ifdef ALGDBG
printf("alg_entry exists ip%x, port %d\n", alg_key.ip_address,
alg_key.l4port);
#endif
//lib_arp_duplicate_found++;
return;
}
new_alg_data = (struct ftp_alg_table_entry *)
malloc(sizeof(new_alg_data));
//new_alg_data->status = INCOMPLETE;
new_alg_data->l4port = rte_bswap16(portid);
new_alg_data->ip_address = rte_bswap32(ipaddr);
rte_hash_add_key_data(ftp_alg_hash_handle, &alg_key, new_alg_data);
#ifdef ALGDBG
// print entire hash table
printf
("\tALG: table update - ip=%d.%d.%d.%d on port=%d\n",
(alg_key.ip_address >> 24),
((alg_key.ip_address & 0x00ff0000) >> 16),
((alg_key.ip_address & 0x0000ff00) >> 8),
((alg_key.ip_address & 0x000000ff)), portid);
/* print_arp_table(); */
puts("");
#endif
}
/*
* ftp_alg payload modification for PORT and PASV command
* Input - cgnapt table entry - for taking the public /translated ip/port ,
* incoming PORT/PASV string, Session type - PORT or PASV
* Output - Translated string
*/
int ftp_alg_modify_payload(
struct cgnapt_table_entry *egress_entry,
char *port_string,
char *port_string_translated, int ftp_session_type)
{
uint32_t transport_ip;
uint16_t transport_port;
uint16_t tmp1, tmp2, tmp3, tmp4, tmp5, tmp6;
uint16_t new_port_string_length;
uint8_t *bptr_public_address;
transport_ip = egress_entry->data.pub_ip;
transport_port = egress_entry->data.pub_port;
tmp5 = (uint16_t) (transport_port/0x100);
tmp6 = (uint16_t) (transport_port % 0x100);
transport_ip = rte_bswap32(transport_ip);
bptr_public_address = (uint8_t *) &transport_ip;
tmp4 = bptr_public_address[3];
tmp3 = bptr_public_address[2];
tmp2 = bptr_public_address[1];
tmp1 = bptr_public_address[0];
if (ftp_session_type == 1)
sprintf(port_string_translated, FTP_PASV_PARAMETER_STRING,
FTP_PASV_RETURN_CODE, tmp1, tmp2, tmp3, tmp4,
tmp5, tmp6);
else
sprintf(port_string_translated, FTP_PORT_PARAMETER_STRING,
tmp1, tmp2, tmp3, tmp4, tmp5, tmp6);
#ifdef ALGDBG
printf("FTP ALG: FTP new string: Len:%d %s\n",
(uint16_t) strlen(port_string_translated)-2,
port_string_translated);
printf("FTP non translated PASV string: Len:%d, %s\n",
(uint16_t)strlen(port_string)-2, port_string);
printf("old strlen:%d new strlen:%d\n",
(int)strlen(port_string),
(int)strlen(port_string_translated));
#endif
return(new_port_string_length =
(uint16_t) strlen(port_string_translated));
}
/*
* ftp_alg modify packet len (due to change in len of FTP payload )
* Input - pkt
* Output - Length append /Trimmed Pkt
**/
static inline void ftp_alg_modify_pkt_len(struct rte_mbuf *pkt)
{
uint16_t pkt_length = 0;
int ip_hdr_size_bytes = rte_ct_get_IP_hdr_size(pkt);
void *iphdr = RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START);
if (ip_hdr_size_bytes == IPv4_HEADER_SIZE) {
struct ipv4_hdr *ihdr4 = (struct ipv4_hdr *)iphdr;
pkt_length = rte_bswap16(ihdr4->total_length) + ETH_HDR_SIZE;
} else if (ip_hdr_size_bytes == IPv6_HEADER_SIZE) {
struct ipv6_hdr *ihdr6 = (struct ipv6_hdr *)iphdr;
pkt_length = rte_bswap16(ihdr6->payload_len) +
IPv6_HEADER_SIZE + ETH_HDR_SIZE;
}
uint16_t mbuf_pkt_length = rte_pktmbuf_pkt_len(pkt);
if (pkt_length == mbuf_pkt_length)
return;
if (pkt_length < mbuf_pkt_length) {
rte_pktmbuf_trim(pkt, mbuf_pkt_length - pkt_length);
return;
}
/* pkt_length > mbuf_pkt_length */
rte_pktmbuf_append(pkt, pkt_length - mbuf_pkt_length);
}
/*
* ftp_alg IP HDR size calculation
* Input - pkt
* Output - Length of IP HDR
*/
/* same as rte_ct_get_IP_hdr_size()*/
uint16_t ftp_alg_get_IP_hdr_size(struct rte_mbuf *pkt)
{
/* NOTE: Only supporting IP headers with no options at this time
* so header is fixed size
*/
uint8_t hdr_chk = RTE_MBUF_METADATA_UINT8(pkt, IP_START);
hdr_chk = hdr_chk >> 4;
if (hdr_chk == IP_VERSION_4)
return IPv4_HEADER_SIZE;
else if (hdr_chk == IP_VERSION_6)
return IPv6_HEADER_SIZE;
else /* Not IPv4 header with no options, return negative. */
return -1;
}
/*
* ftp_alg checksum re-computing due to change in payload , uses rte function,
* if HW Checksum is supported s/w checksum will be disabled
* Input - IP HDR and TCP HDR
* Output - Length of IP HDR
*/
static void ftp_alg_compute_checksums(
void *i_hdr,
struct tcp_hdr *t_hdr)
/* same as rte_synproxy_compute_checksums*/
{
/*
* calculate IP and TCP checksums.
* Note that both checksum routines require
* checksum fields to be set to zero, and the the checksum is in the
* correct byte order, so no rte_bswap16 is required.
*/
int8_t hdr_chk = rte_ct_ipversion(i_hdr);
t_hdr->cksum = 0;
if (hdr_chk == IP_VERSION_4) {
struct ipv4_hdr *i4_hdr = (struct ipv4_hdr *)i_hdr;
i4_hdr->hdr_checksum = 0;
t_hdr->cksum = 0;
t_hdr->cksum = rte_ipv4_udptcp_cksum(i4_hdr, t_hdr);
#ifdef ALGDBG
printf("cksum %x\n", rte_bswap32(t_hdr->cksum));
#endif
i4_hdr->hdr_checksum = rte_ipv4_cksum(i4_hdr);
} else if (hdr_chk == IP_VERSION_6) {
struct ipv6_hdr *i6_hdr = (struct ipv6_hdr *)i_hdr;
t_hdr->cksum = 0;
t_hdr->cksum = rte_ipv6_udptcp_cksum(i6_hdr, t_hdr);
}
}
/*
* ftp_alg adjusting ACK from other end ;
* ACK field of return packet to be adjusted
* to the same value of length modified in the payload
* Input - pkt, ack diff - delta
* Output - None(void)
*/
static void ftp_alg_adjust_tcp_ack(struct rte_mbuf *pkt, int16_t ackSeqdiff)
{
/*Since v6 is not supported now*/
uint16_t ip_hdr_size_bytes = IPv4_HEADER_SIZE;
struct ipv4_hdr *iphdr = (struct ipv4_hdr *)
RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START);
struct tcp_hdr *thdr = (struct tcp_hdr *)
RTE_MBUF_METADATA_UINT32_PTR(pkt,
IP_START + ip_hdr_size_bytes);
/*
* recv_ack and total length first to be chnaged to host byte order
* and then do the addition and then set back to network byte order
*/
uint32_t temp;
temp = rte_bswap32(thdr->recv_ack);
//printf("%s: ackSeqdiff :%d %u\n", __FUNCTION__, ackSeqdiff, temp);
if (ackSeqdiff < 0)
temp += abs(ackSeqdiff);
else
temp -= abs(ackSeqdiff);
thdr->recv_ack = rte_bswap32(temp);
}
/*
* ftp_alg adjusting SEQ from other end ; SEQ field of onward/egress packet
* to be adjusted to the same value of length modified in the payload
* Input - pkt, ack diff - delta
* Output - None(void)
*/
static void ftp_alg_adjust_tcp_seq(struct rte_mbuf *pkt, int16_t ackSeqdiff)
{
/*Since v6 is not supported now*/
uint16_t ip_hdr_size_bytes = IPv4_HEADER_SIZE;
struct ipv4_hdr *iphdr = (struct ipv4_hdr *)
RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START);
struct tcp_hdr *thdr = (struct tcp_hdr *)
RTE_MBUF_METADATA_UINT32_PTR(pkt,
IP_START + ip_hdr_size_bytes);
uint32_t temp;
temp = rte_bswap32(thdr->sent_seq);
if (ackSeqdiff < 0)
temp -= abs(ackSeqdiff);
else
temp += abs(ackSeqdiff);
thdr->sent_seq = rte_bswap32(temp);
}
/*
* ftp_alg adjusting SEQ from other end ; SEQ field of onward/egress packet
* to be adjusted to the same value of length modified in the payload;
* This function computes the delta and calls adjust_seq for chaging the packet
* Input - pkt,Original incoming String, Translated string and corresponding
* lengths of the string
* Output - Seq Diff between Original and translated string
*/
static int ftp_alg_delta_tcp_sequence(
struct rte_mbuf *pkt,
char *port_string,
int16_t existing_tcpSeqdiff,
uint16_t old_port_string_length,
uint16_t new_port_string_length)
{
int16_t current_sequence_number_delta=0;
int16_t final_sequence_number_delta;
/*Since v6 is not supported now*/
uint16_t ip_hdr_size_bytes = IPv4_HEADER_SIZE;
struct ipv4_hdr *iphdr = (struct ipv4_hdr *)
RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START);
struct tcp_hdr *thdr = (struct tcp_hdr *)
RTE_MBUF_METADATA_UINT32_PTR(pkt,
IP_START + ip_hdr_size_bytes);
/*
* recv_ack and total length first to be chnaged to host byte order
* and then do the addition and then set back to network byte order
*/
current_sequence_number_delta = (int16_t) (new_port_string_length -
old_port_string_length);
iphdr->total_length = rte_bswap16(iphdr->total_length);
#ifdef ALGDBG
printf("total_length :%u\n", iphdr->total_length);
#endif
if(current_sequence_number_delta < 0)
iphdr->total_length -= abs(current_sequence_number_delta);
else
iphdr->total_length += current_sequence_number_delta;
iphdr->total_length = rte_bswap16(iphdr->total_length);
if (existing_tcpSeqdiff !=0)
ftp_alg_adjust_tcp_seq(pkt,existing_tcpSeqdiff);
final_sequence_number_delta= current_sequence_number_delta + existing_tcpSeqdiff;
return final_sequence_number_delta;
}
/*
* ftp_alg dpi - this function parses the packet and does the respective
* action based on the type PORT or PASV, based on the direction of packet
* (Private or Public) This is called from CGNAPT
* Input - cgnapt pipeline struct, cgnapt key, pkt, CT ,
* position of packet assigned by CT, direction of packet
* Output - None - as it calls respective action functions
*/
void ftp_alg_dpi(
struct pipeline_cgnapt *p_nat,
struct pipeline_cgnapt_entry_key *nat_entry_key,
struct rte_mbuf *pkt,
struct rte_ct_cnxn_tracker *cgnat_cnxn_tracker,
int32_t ct_position,
uint8_t direction)
{
/*
* recv_ack and total length first to be chnaged to host byte order
* and then do the addition and then set back to network byte order
*/
/*entry key to be framed in cgnat and pass it over here*/
char *port_cmd_string;
char *port_cmd_end_string;
char *tcp_header_end;
char *tcp_start;
uint16_t private_port_number;
uint16_t public_port_number;
uint16_t ip1, ip2, ip3, ip4, port1, port2;
int16_t tcpSeqdiff;
int16_t ackSeqdiff, ackAdjust;
uint32_t private_address;
uint32_t public_address;
uint8_t *bptr_private_address;
/* also for PASV string */
char port_string[FTP_MAXIMUM_PORT_STRING_LENGTH];
char port_string_translated[FTP_MAXIMUM_PORT_STRING_LENGTH];
int16_t new_port_string_length;
int16_t old_port_string_length;
int dummy_value;
struct cgnapt_table_entry *egress_entry, *ingress_entry;
uint32_t ct_key[10];
uint8_t key_direction;
/*Since v6 is not supported now*/
uint16_t ip_hdr_size_bytes = IPv4_HEADER_SIZE;
struct ipv4_hdr *ip_hdr = rte_pktmbuf_mtod_offset(pkt,
struct ipv4_hdr *, sizeof(struct ether_hdr));
/* TCP and UDP ports at same offset,
* just use TCP for offset calculation
*/
struct tcp_hdr *thdr = rte_pktmbuf_mtod_offset(pkt, struct tcp_hdr *,
(sizeof(struct ether_hdr)+sizeof(struct ipv4_hdr)));
uint16_t src_port = rte_bswap16(thdr->src_port);
uint16_t dst_port = rte_bswap16(thdr->dst_port);
uint8_t proto = ip_hdr->next_proto_id;
uint32_t src_addr = rte_bswap32(ip_hdr->src_addr);
uint32_t dst_addr = rte_bswap32(ip_hdr->dst_addr);
uint32_t tmp_tcp_paylod_size;
#if 0
- src_port & dst_port checking to be moved from cgnat to dpi
- For control channel
first validation of tcpSeqdiff to be checked
IF < > 0
ftp_alg_tcp_ack() to be called(this includes PORT
response and PASV response ack as well)
Return
ELSE
the port/pasv paramter checkign to be done
- For data channel
-retreive ALG entry
IF found
- remove the ALG entry
even if not found(found cases too)
- set the bypass flag in the CT session table
#endif
#ifdef ALGDBG
{
printf("ftp port number: %d, %d\n", src_port, dst_port);
printf("ftp TCP seq num diff: %d\n",
cgnat_cnxn_tracker->hash_table_entries[
ct_position].tcpSeqdiff);
printf("tcp data offset: %d\n",
((thdr->data_off & 0xf0) >> 2));
printf("ct position in dpi:%d\n", ct_position);
}
#endif
if (src_port == 21 || dst_port == 21)/* Control Channel*/{
/* Control Channel Start */
/*
* need to look for the port or pasv command. Then have to look for
* the IP address and the port address. Then must create a TCP control
* block and spoof the port number, and change the ip address, and do
* the sequence number setting.
*/
/* Handle TCP headers.*/
tcp_start = (char *)thdr;
/* start of TCP payload */
port_cmd_string = (char * )(tcp_start+((thdr->data_off & 0xf0) >> 2));
tcp_header_end = port_cmd_string;
if (direction == PRIVATE) {
#ifdef ALGDBG
printf("In PRIVATE ");
#endif
cgnat_cnxn_tracker->hash_table_entries[ct_position].seq_client
= rte_bswap32(thdr->sent_seq);
cgnat_cnxn_tracker->hash_table_entries[ct_position].ack_client
= rte_bswap32(thdr->recv_ack);
#ifdef ALGDBG
printf("-->Seq_cli:%u, Ack_cli:%u, Len:%4d\n",
rte_bswap32(thdr->sent_seq),
rte_bswap32(thdr->recv_ack),
(rte_bswap16(ip_hdr->total_length) -
(((thdr->data_off & 0xf0) >> 4) * 4)) - 20);
#endif
} else {
#ifdef ALGDBG
printf("In PUBLIC ");
#endif
cgnat_cnxn_tracker->hash_table_entries[ct_position].seq_server
= rte_bswap32(thdr->sent_seq);
cgnat_cnxn_tracker->hash_table_entries[ct_position].ack_server
= rte_bswap32(thdr->recv_ack);
#ifdef ALGDBG
printf("<--Seq_cli:%4d, Ack_cli%4d, Len:%4d\n",
rte_bswap32(thdr->sent_seq), rte_bswap32(thdr->recv_ack),
(ip_hdr->total_length - (((thdr->data_off & 0xf0) >> 2))
- 20));
#endif
}
if (sscanf(port_cmd_string, FTP_PASV_PARAMETER_STRING, &dummy_value,
&ip1, &ip2, &ip3, &ip4, &port1, &port2) ==
FTP_PASV_PARAMETER_COUNT){
sprintf (port_string, FTP_PASV_PARAMETER_STRING, FTP_PASV_RETURN_CODE,
ip1, ip2, ip3, ip4, port1, port2);
int i = 0;
while (port_cmd_string[i] != '\r' && port_cmd_string[i+1] != '\n')
i++;
i += 2; // now it points to end of port cmd string.
old_port_string_length = i;
private_port_number = (uint16_t) (port1 * 0x100 + port2);
bptr_private_address = (uint8_t *) &private_address;
bptr_private_address[3] = (uint8_t) (ip4 & 0x00FF);
bptr_private_address[2] = (uint8_t) (ip3 & 0x00FF);
bptr_private_address[1] = (uint8_t) (ip2 & 0x00FF);
bptr_private_address[0] = (uint8_t) (ip1 & 0x00FF);
/* Not needed as got the position from CT*/
if (direction == PUBLIC) {
/*Client in Private, Server in Public*/
/* Not to convert in the payload for PASV resp from Pub side*/
/* Only Table creation and no payload modification*/
/* DAta Channel also no need to create as it will be done by NAT
* when initiated by Client later
*/
populate_ftp_alg_entry(private_address, private_port_number);
/*
* Bypass ALG flag to be set ,
* seqnumber -delta either to be 0 or not needed ,
* direction checking for all scenarios
*/
cgnat_cnxn_tracker->hash_table_entries[ct_position].
server_direction = SERVER_IN_PUBLIC;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
ftp_session_type= 1; // Passive session type
} else if (direction == PRIVATE) {
/*Client in Public , Server in Private*/
struct pipeline_cgnapt_entry_key data_channel_key;
private_address = rte_bswap32(private_address);
data_channel_key.ip = private_address;
data_channel_key.port = private_port_number;
/* to be checked if it can be passed as param from NAT*/
data_channel_key.pid = pkt->port;
/* add_dynamic_cgnat_entry() */ /* for DAta Channel*/
/*Will be getting Private IP and port from Server ,
* with that NAPT entry egress and ingress can be added ,
* for further data channel communication
*/
#ifdef FTP_ALG
if (add_dynamic_cgnapt_entry_alg((struct pipeline *)p_nat,
&data_channel_key, &egress_entry, &ingress_entry) == 0){
#ifdef ALGDBG
printf("Wrong FTP ALG packet\n");
#endif
//p_nat->invalid_packets |= pkt_mask;
p_nat->naptDroppedPktCount++;
#ifdef CGNAPT_DEBUGGING
p_nat->naptDroppedPktCount4++;
#endif
return;
}
#endif
tmp_tcp_paylod_size = rte_bswap16(ip_hdr->total_length) -
((thdr->data_off & 0xf0) >> 2) - ip_hdr_size_bytes;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
tcp_payload_size = tmp_tcp_paylod_size;
/*Adding ALG entry , params to be derived from egress entry*/
populate_ftp_alg_entry(egress_entry->data.pub_ip,
egress_entry->data.pub_port);
/* payload modification */
new_port_string_length = ftp_alg_modify_payload(egress_entry,
port_string,
port_string_translated, 1);
strncpy(tcp_header_end, port_string_translated,
strlen(port_string_translated));
tcpSeqdiff = ftp_alg_delta_tcp_sequence( pkt, port_string,
cgnat_cnxn_tracker->hash_table_entries
[ct_position].tcpSeqdiff,
old_port_string_length,
new_port_string_length);
/* same as rte_synproxy_adjust_pkt_length() in ct */
ftp_alg_modify_pkt_len(pkt);
/*
* Store sequence_number_delta in Session_data structure, also bypass
* flag to be set as NO (expecting TCP ack from other end then set the
* bypass accordingly , handled earlier in the function
*/
cgnat_cnxn_tracker->hash_table_entries[ct_position].
alg_bypass_flag = NO_BYPASS;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
tcpSeqdiff = tcpSeqdiff;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
server_direction = SERVER_IN_PRIVATE;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
ftp_session_type = 1; // Passive session type
return;
} /* PRIVATE dir */
} else if (sscanf(port_cmd_string, FTP_PORT_PARAMETER_STRING,
&ip1, &ip2, &ip3, &ip4, &port1, &port2) ==
FTP_PORT_PARAMETER_COUNT){
int i = 0;
static uint8_t port_hit;
while (port_cmd_string[i] != '\r' &&
port_cmd_string[i+1] != '\n')
i++;
i += 2; // now it points to end of port cmd string.
old_port_string_length = i;
#ifdef ALGDBG
printf( " Existing Seq Diff = %d", cgnat_cnxn_tracker->
hash_table_entries[ct_position].tcpSeqdiff);
printf("FTP ALG: FTP PORT command length: %d\n",
old_port_string_length);
#endif
private_port_number = (uint16_t) (port1 * 0x100 + port2);
#ifdef ALGDBG
printf("FTP ALG: private port number before swap: %u\n",
private_port_number);
#endif
bptr_private_address = (uint8_t *) &private_address;
bptr_private_address[3] = (uint8_t) (ip4 & 0x00FF);
bptr_private_address[2] = (uint8_t) (ip3 & 0x00FF);
bptr_private_address[1] = (uint8_t) (ip2 & 0x00FF);
bptr_private_address[0] = (uint8_t) (ip1 & 0x00FF);
sprintf(port_string, FTP_PORT_PARAMETER_STRING, ip1, ip2,
ip3, ip4, port1, port2);
#ifdef ALGDBG
printf("FTP ALG: FTP original PORT string: %d,%s\n",
(int) strlen(port_string)-2, port_string);
printf("prv addr: %x\n", private_address);
#endif
if (direction == PUBLIC) {
/* Client in Public*/
/* retreive_cgnat_entry()* for Data Channel*/
/* Pub port and ip address to be used for framing key ,
* the private phrase is a misnomer
*/
struct pipeline_cgnapt_entry_key data_channel_key;
data_channel_key.ip = private_address;
data_channel_key.port = private_port_number;
data_channel_key.pid = 0xffff;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
server_direction = SERVER_IN_PRIVATE;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
ftp_session_type= 0; // Active session type
/* No payload modificaiton*/
#ifdef ALGDBG
printf("<--Seq_cli:%4d, Ack_cli%4d, Len:%4d\n",
rte_bswap32(thdr->sent_seq),
rte_bswap32(thdr->recv_ack),
(ip_hdr->total_length -
(((thdr->data_off & 0xf0) >> 2)) - 20));
#endif
populate_ftp_alg_entry(private_address, private_port_number);
} else if (direction == PRIVATE) {
/* Client in Private Server in Public*/
/* Populate_alg_entry*/
/*add_dynamic_cgnapt_entry()*/
/* payload modificaion*/
struct pipeline_cgnapt_entry_key data_channel_key;
private_address = rte_bswap32(private_address);
data_channel_key.ip = private_address;
data_channel_key.port = private_port_number;
/* to be checked if it can be passed as param from NAT*/
data_channel_key.pid = pkt->port;
/* add_dynamic_cgnat_entry() */ /* for DAta Channel*/
/*
* Will be getting Private IP and port from Client ,
* with that NAPT entry egress and ingress can be added ,
* for further data channel communication
*/
#ifdef FTP_ALG
if (add_dynamic_cgnapt_entry_alg((struct pipeline *)
p_nat, &data_channel_key, &egress_entry,
&ingress_entry) == 0){
#ifdef ALGDBG
printf("Wrong FTP ALG packet\n");
#endif
//p_nat->invalid_packets |= pkt_mask;
p_nat->naptDroppedPktCount++;
#ifdef CGNAPT_DEBUGGING
p_nat->naptDroppedPktCount4++;
#endif
return;
}
#endif
tmp_tcp_paylod_size = rte_bswap16(ip_hdr->total_length) -
((thdr->data_off & 0xf0) >> 2) -
ip_hdr_size_bytes;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
tcp_payload_size = tmp_tcp_paylod_size;
/*ALG entry add, params to be derived from egress entry*/
populate_ftp_alg_entry(egress_entry->data.pub_ip,
egress_entry->data.pub_port);
/* payload modification */
new_port_string_length = ftp_alg_modify_payload(egress_entry,
port_string,
port_string_translated, 0);
strncpy(tcp_header_end, port_string_translated,
strlen(port_string_translated));
tcpSeqdiff = ftp_alg_delta_tcp_sequence( pkt, port_string,
cgnat_cnxn_tracker->hash_table_entries
[ct_position].tcpSeqdiff,
old_port_string_length,
new_port_string_length);
/* same as rte_synproxy_adjust_pkt_length() in ct */
ftp_alg_modify_pkt_len(pkt);
/*
* Store sequence_number_delta in Session_data structure ,
* also bypass flag to be set as NO
* While response from other end is received ,
* modify the ack no using reverse sign of sequen
*/
cgnat_cnxn_tracker->hash_table_entries[ct_position].
alg_bypass_flag = NO_BYPASS;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
tcpSeqdiff = tcpSeqdiff;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
server_direction = SERVER_IN_PUBLIC;
cgnat_cnxn_tracker->hash_table_entries[ct_position].
ftp_session_type = 0; // Active session type
#ifdef ALGDBG
printf("<--Seq_cli:%4d, Ack_cli%4d, Len:%4d\n",
rte_bswap32(thdr->sent_seq),
rte_bswap32(thdr->recv_ack),
(ip_hdr->total_length -
(((thdr->data_off & 0xf0) >> 2)) - 20));
#endif
return;
} /* PRIVATE dir */
} /* PORT cmd message */
if ((ackAdjust=cgnat_cnxn_tracker->hash_table_entries[
ct_position].tcpSeqdiff) != 0) {
if (direction == PRIVATE) {
if (
cgnat_cnxn_tracker->hash_table_entries
[ct_position].seq_client !=
cgnat_cnxn_tracker->hash_table_entries
[ct_position].ack_server) {
static int Seqhits;
ftp_alg_adjust_tcp_seq( pkt,ackAdjust);
tmp_tcp_paylod_size = rte_bswap16(
ip_hdr->total_length) -
((thdr->data_off & 0xf0) >> 2) -
ip_hdr_size_bytes;
cgnat_cnxn_tracker->hash_table_entries
[ct_position].tcp_payload_size = tmp_tcp_paylod_size;
#ifdef ALGDBG
printf("<--Seq_cli:%4d, Ack_cli%4d, Len:%4d\n",
rte_bswap32(thdr->sent_seq),
rte_bswap32(thdr->recv_ack),
(ip_hdr->total_length -(((thdr->data_off & 0xf0) >> 2))- 20));
#endif
}
} else {
if (cgnat_cnxn_tracker->hash_table_entries
[ct_position].ack_server !=
(cgnat_cnxn_tracker->hash_table_entries
[ct_position].seq_client +
cgnat_cnxn_tracker->hash_table_entries
[ct_position].tcp_payload_size)) {
static int Ackhits;
ftp_alg_adjust_tcp_ack( pkt,ackAdjust);
#ifdef ALGDBG
printf("<--Seq_cli:%4d, Ack_cli%4d, Len:%4d\n",
rte_bswap32(thdr->sent_seq),
rte_bswap32(thdr->recv_ack),
(ip_hdr->total_length -(((thdr->data_off & 0xf0) >> 2))- 20));
#endif
}
}
return;
} /* expected_ack and sequence number updation for PUBLIC dir TCP window */
} /* Control Channel End */
else {
/*remove the ALG entry, retreival is taken care by rte function */
#ifdef ALGDBG
printf("In Data Channel \n");
#endif
remove_ftp_alg_entry (dst_addr,dst_port);/* remove the ALG entry */
cgnat_cnxn_tracker->hash_table_entries[ct_position].alg_bypass_flag = BYPASS;
} /* Data Channel End */
}
|