src/helpers/mdns.c - manifest_repos/conntrack-tools - Git at Google

 /*
  * Copyright (C) 2016 Google Inc.
  * Author: Kevin Cernekee <cernekee@chromium.org>
  *
  * This helper pokes a hole in the firewall for unicast mDNS replies
  * (RFC6762 section 5.1).  It is needed because the destination address of
  * the outgoing mDNS query (224.0.0.251) will not match the source address
  * of the incoming response (192.168.x.x or similar).  The helper is not used
  * for standard multicast queries/responses in which the sport and dport are
  * both 5353, because those can be handled by a standard filter/INPUT rule.
  *
  * Usage:
  *
  *     nfct add helper mdns inet udp
  *     iptables -t raw -A OUTPUT -p udp -d 224.0.0.251 '!' --sport 5353 \
  *         --dport 5353 -j CT --helper mdns
  *     iptables -t filter -A INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
  *     iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED \
  *         -j ACCEPT
  *
  * Requires Linux 3.12 or higher.  NAT is unsupported.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */

 #include "conntrackd.h"
 #include "helper.h"
 #include "myct.h"
 #include "log.h"

 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 #include <linux/netfilter.h>

 static int mdns_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
 			  struct myct *myct, uint32_t ctinfo)
 {
 	struct nf_expect *exp;
 	int dir = CTINFO2DIR(ctinfo);
 	union nfct_attr_grp_addr saddr;
 	uint16_t sport, dport;

 	exp = nfexp_new();
 	if (exp == NULL) {
 		pr_debug("conntrack_mdns: failed to allocate expectation\n");
 		return NF_ACCEPT;
 	}

 	cthelper_get_addr_src(myct->ct, dir, &saddr);
 	cthelper_get_port_src(myct->ct, dir, &sport);
 	cthelper_get_port_src(myct->ct, !dir, &dport);

 	if (cthelper_expect_init(exp,
 				 myct->ct,
 				 0 /* class */,
 				 NULL /* saddr */,
 				 &saddr /* daddr */,
 				 IPPROTO_UDP,
 				 &dport /* sport */,
 				 &sport /* dport */,
 				 NF_CT_EXPECT_PERMANENT)) {
 		pr_debug("conntrack_mdns: failed to init expectation\n");
 		nfexp_destroy(exp);
 		return NF_ACCEPT;
 	}

 	myct->exp = exp;
 	return NF_ACCEPT;
 }

 static struct ctd_helper mdns_helper = {
 	.name		= "mdns",
 	.l4proto	= IPPROTO_UDP,
 	.priv_data_len	= 0,
 	.cb		= mdns_helper_cb,
 	.policy		= {
 		[0] = {
 			.name		= "mdns",
 			.expect_max	= 8,
 			.expect_timeout	= 30,
 		},
 	},
 };

 static void __attribute__ ((constructor)) mdns_init(void)
 {
 	helper_register(&mdns_helper);
 }
	/*
	* Copyright (C) 2016 Google Inc.
	* Author: Kevin Cernekee <cernekee@chromium.org>
	*
	* This helper pokes a hole in the firewall for unicast mDNS replies
	* (RFC6762 section 5.1). It is needed because the destination address of
	* the outgoing mDNS query (224.0.0.251) will not match the source address
	* of the incoming response (192.168.x.x or similar). The helper is not used
	* for standard multicast queries/responses in which the sport and dport are
	* both 5353, because those can be handled by a standard filter/INPUT rule.
	*
	* Usage:
	*
	* nfct add helper mdns inet udp
	* iptables -t raw -A OUTPUT -p udp -d 224.0.0.251 '!' --sport 5353 \
	* --dport 5353 -j CT --helper mdns
	* iptables -t filter -A INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
	* iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED \
	* -j ACCEPT
	*
	* Requires Linux 3.12 or higher. NAT is unsupported.
	*
	* This program is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License version 2 as
	* published by the Free Software Foundation.
	*/

	#include "conntrackd.h"
	#include "helper.h"
	#include "myct.h"
	#include "log.h"

	#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
	#include <linux/netfilter.h>

	static int mdns_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
	struct myct *myct, uint32_t ctinfo)
	{
	struct nf_expect *exp;
	int dir = CTINFO2DIR(ctinfo);
	union nfct_attr_grp_addr saddr;
	uint16_t sport, dport;

	exp = nfexp_new();
	if (exp == NULL) {
	pr_debug("conntrack_mdns: failed to allocate expectation\n");
	return NF_ACCEPT;
	}

	cthelper_get_addr_src(myct->ct, dir, &saddr);
	cthelper_get_port_src(myct->ct, dir, &sport);
	cthelper_get_port_src(myct->ct, !dir, &dport);

	if (cthelper_expect_init(exp,
	myct->ct,
	0 /* class */,
	NULL /* saddr */,
	&saddr /* daddr */,
	IPPROTO_UDP,
	&dport /* sport */,
	&sport /* dport */,
	NF_CT_EXPECT_PERMANENT)) {
	pr_debug("conntrack_mdns: failed to init expectation\n");
	nfexp_destroy(exp);
	return NF_ACCEPT;
	}

	myct->exp = exp;
	return NF_ACCEPT;
	}

	static struct ctd_helper mdns_helper = {
	.name = "mdns",
	.l4proto = IPPROTO_UDP,
	.priv_data_len = 0,
	.cb = mdns_helper_cb,
	.policy = {
	[0] = {
	.name = "mdns",
	.expect_max = 8,
	.expect_timeout = 30,
	},
	},
	};

	static void __attribute__ ((constructor)) mdns_init(void)
	{
	helper_register(&mdns_helper);
	}