archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/net/tcpip/driver/ipsec/shim/nsicmp.c

1196 lines
31 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1997-2001 Microsoft Corporation
  5. Module Name:
  7. NsIcmp.c
  9. Abstract:
  11. IpSec NAT shim ICMP management
  13. Author:
  15. Jonathan Burstein (jonburs) 11-July-2001
  17. Environment:
  19. Kernel mode
  21. Revision History:
  23. --*/
  25. #include "precomp.h"
  26. #pragma hdrstop
  28. //
  29. // Global Variables
  30. //
  32. LIST_ENTRY NsIcmpList;
  33. KSPIN_LOCK NsIcmpLock;
  34. NPAGED_LOOKASIDE_LIST NsIcmpLookasideList;
  36. //
  37. // Function Prototypes
  38. //
  40. NTSTATUS
  41. NspCreateIcmpEntry(
  42. ULONG64 ul64AddressKey,
  43. USHORT usOriginalIdentifier,
  44. PVOID pvIpSecContext,
  45. BOOLEAN fIdConflicts,
  46. PLIST_ENTRY pInsertionPoint,
  47. PNS_ICMP_ENTRY *ppNewEntry
  48. );
  50. NTSTATUS
  51. FASTCALL
  52. NspHandleInboundIcmpError(
  53. PNS_PACKET_CONTEXT pContext,
  54. PVOID pvIpSecContext
  55. );
  57. NTSTATUS
  58. FASTCALL
  59. NspHandleOutboundIcmpError(
  60. PNS_PACKET_CONTEXT pContext,
  61. PVOID *ppvIpSecContext
  62. );
  64. PNS_ICMP_ENTRY
  65. NspLookupInboundIcmpEntry(
  66. ULONG64 ul64AddressKey,
  67. USHORT usOriginalIdentifier,
  68. PVOID pvIpSecContext,
  69. BOOLEAN *pfIdentifierConflicts,
  70. PLIST_ENTRY *ppInsertionPoint
  71. );
  73. PNS_ICMP_ENTRY
  74. NspLookupOutboundIcmpEntry(
  75. ULONG64 ul64AddressKey,
  76. USHORT usTranslatedIdentifier
  77. );
  80. NTSTATUS
  81. NsInitializeIcmpManagement(
  82. VOID
  83. )
  85. /*++
  87. Routine Description:
  89. This routine is invoked to initialize the ICMP management module.
  91. Arguments:
  93. none.
  95. Return Value:
  97. NTSTATUS.
  99. --*/
  101. {
  102. CALLTRACE(("NsInitializeIcmpManagement\n"));
  104. InitializeListHead(&NsIcmpList);
  105. KeInitializeSpinLock(&NsIcmpLock);
  106. ExInitializeNPagedLookasideList(
  107. &NsIcmpLookasideList,
  108. NULL,
  109. NULL,
  110. 0,
  111. sizeof(NS_ICMP_ENTRY),
  112. NS_TAG_ICMP,
  113. NS_ICMP_LOOKASIDE_DEPTH
  114. );
  116. return STATUS_SUCCESS;
  117. } // NsInitializeIcmpManagement
  119. NTSTATUS
  120. FASTCALL
  121. NspHandleInboundIcmpError(
  122. PNS_PACKET_CONTEXT pContext,
  123. PVOID pvIpSecContext
  124. )
  126. /*++
  128. Routine Description:
  130. This routine is called to process inbound ICMP error messages. Based
  131. on the protocol of the embedded packet it will attempt to find a
  132. matching connection entry (for TCP, UDP, or ICMP) and perform any
  133. necessary translations.
  135. Arguments:
  137. pContext - the context information for the packet.
  139. pvIpSecContext - the IpSec context for this packet; this is considered
  140. an opaque value.
  142. Return Value:
  144. NTSTATUS.
  146. --*/
  148. {
  149. KIRQL Irql;
  150. PNS_CONNECTION_ENTRY pEntry;
  151. PNS_ICMP_ENTRY pIcmpEntry;
  152. ICMP_HEADER UNALIGNED *pIcmpHeader;
  153. UCHAR ucProtocol;
  154. ULONG64 ul64AddressKey;
  155. ULONG ulChecksum;
  156. ULONG ulChecksumDelta;
  157. ULONG ulChecksumDelta2;
  158. ULONG ulPortKey;
  160. ASSERT(NULL != pContext);
  162. //
  163. // Make sure that the buffer is large enough to contain the
  164. // encapsulated packet.
  165. //
  167. if (pContext->ulProtocolHeaderLength < sizeof(ICMP_HEADER))
  168. {
  169. return STATUS_INVALID_PARAMETER;
  170. }
  172. //
  173. // If the embedded header is not TCP, UDP, or ICMP exit quickly,
  174. // as we have nothing to do.
  175. //
  177. pIcmpHeader = pContext->pIcmpHeader;
  178. ucProtocol = pIcmpHeader->EncapsulatedIpHeader.Protocol;
  179. if (NS_PROTOCOL_TCP != ucProtocol
  180. && NS_PROTOCOL_UDP != ucProtocol
  181. && NS_PROTOCOL_ICMP != ucProtocol
  182. )
  183. {
  184. return STATUS_SUCCESS;
  185. }
  187. //
  188. // See if the embedded packet belongs to a known conection. Notice that
  189. // the order of the addresses here -- since the embedded packet is one
  190. // that we sent, the source address is local and the destination address
  191. // is remote.
  192. //
  194. MAKE_ADDRESS_KEY(
  195. ul64AddressKey,
  196. pIcmpHeader->EncapsulatedIpHeader.SourceAddress,
  197. pIcmpHeader->EncapsulatedIpHeader.DestinationAddress
  198. );
  200. if (NS_PROTOCOL_ICMP == ucProtocol)
  201. {
  202. KeAcquireSpinLock(&NsIcmpLock, &Irql);
  204. pIcmpEntry =
  205. NspLookupInboundIcmpEntry(
  206. ul64AddressKey,
  207. pIcmpHeader->EncapsulatedIcmpHeader.Identifier,
  208. pvIpSecContext,
  209. NULL,
  210. NULL
  211. );
  213. if (NULL != pIcmpEntry)
  214. {
  215. KeQueryTickCount((PLARGE_INTEGER)&pIcmpEntry->l64LastAccessTime);
  217. if (pIcmpEntry->usTranslatedId != pIcmpEntry->usOriginalId)
  218. {
  219. //
  220. // We found an ICMP entry for the embedded packet that
  221. // has a translated ID. This means that we need to:
  222. //
  223. // 1) Change the ID in the embedded packet.
  224. // 2) Update the ICMP checksum of the embedded packet.
  225. // 3) Update the ICMP checksum of the original packet, based
  226. // on the previous changes.
  227. //
  229. pIcmpHeader->EncapsulatedIcmpHeader.Identifier =
  230. pIcmpEntry->usTranslatedId;
  232. ulChecksumDelta = 0;
  233. CHECKSUM_LONG(ulChecksumDelta, ~pIcmpEntry->usOriginalId);
  234. CHECKSUM_LONG(ulChecksumDelta, pIcmpEntry->usTranslatedId);
  236. ulChecksumDelta2 = ulChecksumDelta;
  237. CHECKSUM_LONG(
  238. ulChecksumDelta2,
  239. ~pIcmpHeader->EncapsulatedIcmpHeader.Checksum
  240. );
  241. CHECKSUM_UPDATE(pIcmpHeader->EncapsulatedIcmpHeader.Checksum);
  242. CHECKSUM_LONG(
  243. ulChecksumDelta2,
  244. pIcmpHeader->EncapsulatedIcmpHeader.Checksum
  245. );
  246. ulChecksumDelta = ulChecksumDelta2;
  247. CHECKSUM_UPDATE(pIcmpHeader->Checksum);
  248. }
  249. }
  251. KeReleaseSpinLock(&NsIcmpLock, Irql);
  252. }
  253. else
  254. {
  255. MAKE_PORT_KEY(
  256. ulPortKey,
  257. pIcmpHeader->EncapsulatedUdpHeader.SourcePort,
  258. pIcmpHeader->EncapsulatedUdpHeader.DestinationPort
  259. );
  261. KeAcquireSpinLock(&NsConnectionLock, &Irql);
  263. pEntry =
  264. NsLookupInboundConnectionEntry(
  265. ul64AddressKey,
  266. ulPortKey,
  267. ucProtocol,
  268. pvIpSecContext,
  269. NULL,
  270. NULL
  271. );
  273. if (NULL != pEntry
  274. && pEntry->ulPortKey[NsInboundDirection]
  275. != pEntry->ulPortKey[NsOutboundDirection])
  276. {
  277. //
  278. // We found a connection entry that contains a translated
  279. // port. This means we need to:
  280. //
  281. // 1) Change the remote (destination) port in the
  282. // embedded packet.
  283. // 2) Update the checksum of the embedded packet, if it's
  284. // UDP. (An embedded TCP packet is not long enough to
  285. // contain the checksum.)
  286. // 3) Update the ICMP checksum of the original packet, based
  287. // on the previous changes.
  288. //
  290. pIcmpHeader->EncapsulatedUdpHeader.DestinationPort =
  291. CONNECTION_REMOTE_PORT(pEntry->ulPortKey[NsOutboundDirection]);
  293. ulChecksumDelta = 0;
  294. CHECKSUM_LONG(
  295. ulChecksumDelta,
  296. ~CONNECTION_REMOTE_PORT(pEntry->ulPortKey[NsInboundDirection])
  297. );
  298. CHECKSUM_LONG(
  299. ulChecksumDelta,
  300. CONNECTION_REMOTE_PORT(pEntry->ulPortKey[NsOutboundDirection])
  301. );
  303. if (NS_PROTOCOL_UDP == ucProtocol)
  304. {
  305. ulChecksumDelta2 = ulChecksumDelta;
  306. CHECKSUM_LONG(
  307. ulChecksumDelta2,
  308. ~pIcmpHeader->EncapsulatedUdpHeader.Checksum
  309. );
  310. CHECKSUM_UPDATE(pIcmpHeader->EncapsulatedUdpHeader.Checksum);
  311. CHECKSUM_LONG(
  312. ulChecksumDelta2,
  313. pIcmpHeader->EncapsulatedUdpHeader.Checksum
  314. );
  315. ulChecksumDelta = ulChecksumDelta2;
  316. }
  318. CHECKSUM_UPDATE(pIcmpHeader->Checksum);
  319. }
  321. KeReleaseSpinLock(&NsConnectionLock, Irql);
  322. }
  324. return STATUS_SUCCESS;
  325. } // NspHandleInboundIcmpError
  327. NTSTATUS
  328. FASTCALL
  329. NspHandleOutboundIcmpError(
  330. PNS_PACKET_CONTEXT pContext,
  331. PVOID *ppvIpSecContext
  332. )
  334. /*++
  336. Routine Description:
  338. This routine is called to process outbound ICMP error messages. Based
  339. on the protocol of the embedded packet it will attempt to find a
  340. matching connection entry (for TCP, UDP, or ICMP), obtain the IpSec
  341. context for the embedded packet, and perform any necessary translations.
  343. Arguments:
  345. pContext - the context information for the packet.
  347. ppvIpSecContext - receives the IpSec context for this packet, if any;
  348. receives NULL if no context exists.
  350. Return Value:
  352. NTSTATUS.
  354. --*/
  356. {
  357. KIRQL Irql;
  358. PNS_CONNECTION_ENTRY pEntry;
  359. PNS_ICMP_ENTRY pIcmpEntry;
  360. ICMP_HEADER UNALIGNED *pIcmpHeader;
  361. UCHAR ucProtocol;
  362. ULONG64 ul64AddressKey;
  363. ULONG ulChecksum;
  364. ULONG ulChecksumDelta;
  365. ULONG ulChecksumDelta2;
  366. ULONG ulPortKey;
  368. ASSERT(NULL != pContext);
  369. ASSERT(NULL != ppvIpSecContext);
  371. //
  372. // Make sure that the buffer is large enough to contain the
  373. // encapsulated packet.
  374. //
  376. if (pContext->ulProtocolHeaderLength < sizeof(ICMP_HEADER))
  377. {
  378. return STATUS_INVALID_PARAMETER;
  379. }
  381. //
  382. // If the embedded header is not TCP, UDP, or ICMP exit quickly,
  383. // as we have nothing to do.
  384. //
  386. pIcmpHeader = pContext->pIcmpHeader;
  387. ucProtocol = pIcmpHeader->EncapsulatedIpHeader.Protocol;
  388. if (NS_PROTOCOL_TCP != ucProtocol
  389. && NS_PROTOCOL_UDP != ucProtocol
  390. && NS_PROTOCOL_ICMP != ucProtocol
  391. )
  392. {
  393. return STATUS_SUCCESS;
  394. }
  396. //
  397. // See if the embedded packet belongs to a known conection. Notice that
  398. // the order of the addresses here -- since the embedded packet is one
  399. // that we received, the source address is remote and the destination
  400. // address is local.
  401. //
  403. MAKE_ADDRESS_KEY(
  404. ul64AddressKey,
  405. pIcmpHeader->EncapsulatedIpHeader.DestinationAddress,
  406. pIcmpHeader->EncapsulatedIpHeader.SourceAddress
  407. );
  409. if (NS_PROTOCOL_ICMP == ucProtocol)
  410. {
  411. KeAcquireSpinLock(&NsIcmpLock, &Irql);
  413. pIcmpEntry =
  414. NspLookupOutboundIcmpEntry(
  415. ul64AddressKey,
  416. pIcmpHeader->EncapsulatedIcmpHeader.Identifier
  417. );
  419. if (NULL != pIcmpEntry)
  420. {
  421. *ppvIpSecContext = pIcmpEntry->pvIpSecContext;
  422. KeQueryTickCount((PLARGE_INTEGER)&pIcmpEntry->l64LastAccessTime);
  424. if (pIcmpEntry->usTranslatedId != pIcmpEntry->usOriginalId)
  425. {
  426. //
  427. // We found an ICMP entry for the embedded packet that
  428. // has a translated ID. This means that we need to:
  429. //
  430. // 1) Change the ID in the embedded packet.
  431. // 2) Update the ICMP checksum of the embedded packet.
  432. // 3) Update the ICMP checksum of the original packet, based
  433. // on the previous changes.
  434. //
  436. pIcmpHeader->EncapsulatedIcmpHeader.Identifier =
  437. pIcmpEntry->usOriginalId;
  439. ulChecksumDelta = 0;
  440. CHECKSUM_LONG(ulChecksumDelta, ~pIcmpEntry->usTranslatedId);
  441. CHECKSUM_LONG(ulChecksumDelta, pIcmpEntry->usOriginalId);
  443. ulChecksumDelta2 = ulChecksumDelta;
  444. CHECKSUM_LONG(
  445. ulChecksumDelta2,
  446. ~pIcmpHeader->EncapsulatedIcmpHeader.Checksum
  447. );
  448. CHECKSUM_UPDATE(pIcmpHeader->EncapsulatedIcmpHeader.Checksum);
  449. CHECKSUM_LONG(
  450. ulChecksumDelta2,
  451. pIcmpHeader->EncapsulatedIcmpHeader.Checksum
  452. );
  453. ulChecksumDelta = ulChecksumDelta2;
  454. CHECKSUM_UPDATE(pIcmpHeader->Checksum);
  455. }
  456. }
  458. KeReleaseSpinLock(&NsIcmpLock, Irql);
  459. }
  460. else
  461. {
  462. MAKE_PORT_KEY(
  463. ulPortKey,
  464. pIcmpHeader->EncapsulatedUdpHeader.DestinationPort,
  465. pIcmpHeader->EncapsulatedUdpHeader.SourcePort
  466. );
  468. KeAcquireSpinLock(&NsConnectionLock, &Irql);
  470. pEntry =
  471. NsLookupOutboundConnectionEntry(
  472. ul64AddressKey,
  473. ulPortKey,
  474. ucProtocol,
  475. NULL
  476. );
  478. if (NULL != pEntry)
  479. {
  480. *ppvIpSecContext = pEntry->pvIpSecContext;
  482. if (pEntry->ulPortKey[NsInboundDirection]
  483. != pEntry->ulPortKey[NsOutboundDirection])
  484. {
  485. //
  486. // We found a connection entry that contains a translated
  487. // port. This means we need to:
  488. //
  489. // 1) Change the remote (source) port in the
  490. // embedded packet.
  491. // 2) Update the checksum of the embedded packet, if it's
  492. // UDP. (An embedded TCP packet is not long enough to
  493. // contain the checksum.)
  494. // 3) Update the ICMP checksum of the original packet, based
  495. // on the previous changes.
  496. //
  498. pIcmpHeader->EncapsulatedUdpHeader.SourcePort =
  499. CONNECTION_REMOTE_PORT(pEntry->ulPortKey[NsInboundDirection]);
  501. ulChecksumDelta = 0;
  502. CHECKSUM_LONG(
  503. ulChecksumDelta,
  504. ~CONNECTION_REMOTE_PORT(pEntry->ulPortKey[NsOutboundDirection])
  505. );
  506. CHECKSUM_LONG(
  507. ulChecksumDelta,
  508. CONNECTION_REMOTE_PORT(pEntry->ulPortKey[NsInboundDirection])
  509. );
  511. if (NS_PROTOCOL_UDP == ucProtocol)
  512. {
  513. ulChecksumDelta2 = ulChecksumDelta;
  514. CHECKSUM_LONG(
  515. ulChecksumDelta2,
  516. ~pIcmpHeader->EncapsulatedUdpHeader.Checksum
  517. );
  518. CHECKSUM_UPDATE(pIcmpHeader->EncapsulatedUdpHeader.Checksum);
  519. CHECKSUM_LONG(
  520. ulChecksumDelta2,
  521. pIcmpHeader->EncapsulatedUdpHeader.Checksum
  522. );
  523. ulChecksumDelta = ulChecksumDelta2;
  524. }
  526. CHECKSUM_UPDATE(pIcmpHeader->Checksum);
  527. }
  528. }
  530. KeReleaseSpinLock(&NsConnectionLock, Irql);
  531. }
  533. return STATUS_SUCCESS;
  534. } // NspHandleOutboundIcmpError
  538. NTSTATUS
  539. NspCreateIcmpEntry(
  540. ULONG64 ul64AddressKey,
  541. USHORT usOriginalIdentifier,
  542. PVOID pvIpSecContext,
  543. BOOLEAN fIdConflicts,
  544. PLIST_ENTRY pInsertionPoint,
  545. PNS_ICMP_ENTRY *ppNewEntry
  546. )
  548. /*++
  550. Routine Description:
  552. Creates an ICMP entry (for request / response message types). If
  553. necessary this routine will allocate a new identifier.
  555. Arguments:
  557. ul64AddressKey - the addressing information for the entry
  559. usOriginalIdentifier - the original ICMP identifier for the entry
  561. pvIpSecContext - the IpSec context for the entry
  563. fIdConflicts - TRUE if the original identifier is known to conflict
  564. with an existing entry on the inbound path
  566. pInsertionPoint - the insertion point for the new entry
  568. ppNewEntry - receives the newly created entry on success
  570. Return Value:
  572. NTSTATUS
  574. Environment:
  576. Invoked with 'NsIcmpLock' held by the caller.
  578. --*/
  580. {
  581. PNS_ICMP_ENTRY pEntry;
  582. NTSTATUS Status = STATUS_UNSUCCESSFUL;
  583. USHORT usTranslatedId;
  585. TRACE(ICMP, ("NspCreateIcmpEntry\n"));
  587. ASSERT(NULL != pInsertionPoint);
  588. ASSERT(NULL != ppNewEntry);
  590. //
  591. // Determine what translated ID should be used for this
  592. // entry
  593. //
  595. if (fIdConflicts)
  596. {
  597. usTranslatedId = (USHORT) -1;
  598. }
  599. else
  600. {
  601. usTranslatedId = usOriginalIdentifier;
  602. }
  604. do
  605. {
  606. if (NULL == NspLookupOutboundIcmpEntry(ul64AddressKey, usTranslatedId))
  607. {
  608. //
  609. // This identifier does not conflict.
  610. //
  612. Status = STATUS_SUCCESS;
  613. break;
  614. }
  616. if (fIdConflicts)
  617. {
  618. usTranslatedId -= 1;
  619. }
  620. else
  621. {
  622. fIdConflicts = TRUE;
  623. usTranslatedId = (USHORT) -1;
  624. }
  625. }
  626. while (usTranslatedId > 0);
  628. if (STATUS_SUCCESS == Status)
  629. {
  630. //
  631. // Allocate and initialize the new entry
  632. //
  634. pEntry = ALLOCATE_ICMP_BLOCK();
  635. if (NULL != pEntry)
  636. {
  637. RtlZeroMemory(pEntry, sizeof(*pEntry));
  638. pEntry->ul64AddressKey = ul64AddressKey;
  639. pEntry->usOriginalId = usOriginalIdentifier;
  640. pEntry->usTranslatedId = usTranslatedId;
  641. pEntry->pvIpSecContext = pvIpSecContext;
  642. InsertTailList(pInsertionPoint, &pEntry->Link);
  644. *ppNewEntry = pEntry;
  645. }
  646. else
  647. {
  648. ERROR(("NspCreateIcmpEntry: Allocation Failed\n"));
  649. Status = STATUS_NO_MEMORY;
  650. }
  651. }
  653. return Status;
  654. } // NspCreateIcmpEntry
  657. PNS_ICMP_ENTRY
  658. NspLookupInboundIcmpEntry(
  659. ULONG64 ul64AddressKey,
  660. USHORT usOriginalIdentifier,
  661. PVOID pvIpSecContext,
  662. BOOLEAN *pfIdentifierConflicts,
  663. PLIST_ENTRY *ppInsertionPoint
  664. )
  666. /*++
  668. Routine Description:
  670. Called to lookup an inbound ICMP entry.
  672. Arguments:
  674. ul64AddressKey - the addressing information for the entry
  676. usOriginalIdentifier - the original ICMP identifier for the entry
  678. pvIpSecContext - the IpSec context for the entry
  680. pfIdentifierConflicts - on failure, receives a boolean the indicates why
  681. the lookup failed: TRUE if the lookup failed because there is
  682. an identical entry w/ different IpSec context, FALSE
  683. otherwise. (optional)
  685. ppInsertionPoint - receives the insertion point if not found (optional)
  687. Return Value:
  689. PNS_ICMP_ENTRY - a pointer to the connection entry, if found, or
  690. NULL otherwise.
  692. Environment:
  694. Invoked with 'NsIcmpLock' held by the caller.
  696. --*/
  698. {
  699. PNS_ICMP_ENTRY pEntry;
  700. PLIST_ENTRY pLink;
  702. if (pfIdentifierConflicts)
  703. {
  704. *pfIdentifierConflicts = FALSE;
  705. }
  707. for (pLink = NsIcmpList.Flink; pLink != &NsIcmpList; pLink = pLink->Flink)
  708. {
  709. pEntry = CONTAINING_RECORD(pLink, NS_ICMP_ENTRY, Link);
  711. //
  712. // For inbound entries the search order is:
  713. // 1) address key
  714. // 2) original identifier
  715. // 3) IpSec context
  716. //
  718. if (ul64AddressKey > pEntry->ul64AddressKey)
  719. {
  720. continue;
  721. }
  722. else if (ul64AddressKey < pEntry->ul64AddressKey)
  723. {
  724. break;
  725. }
  726. else if (usOriginalIdentifier > pEntry->usOriginalId)
  727. {
  728. continue;
  729. }
  730. else if (usOriginalIdentifier < pEntry->usOriginalId)
  731. {
  732. break;
  733. }
  734. else if (pvIpSecContext > pEntry->pvIpSecContext)
  735. {
  736. //
  737. // This entry matches everything requested except
  738. // for the IpSec context. Inform the caller of this
  739. // fact (if desired).
  740. //
  742. if (pfIdentifierConflicts)
  743. {
  744. *pfIdentifierConflicts = TRUE;
  745. }
  746. continue;
  747. }
  748. else if (pvIpSecContext < pEntry->pvIpSecContext)
  749. {
  750. //
  751. // This entry matches everything requested except
  752. // for the IpSec context. Inform the caller of this
  753. // fact (if desired).
  754. //
  756. if (pfIdentifierConflicts)
  757. {
  758. *pfIdentifierConflicts = TRUE;
  759. }
  760. break;
  761. }
  763. //
  764. // This is the requested entry.
  765. //
  767. return pEntry;
  768. }
  770. //
  771. // Entry not found -- set insertion point if so requested.
  772. //
  774. if (ppInsertionPoint)
  775. {
  776. *ppInsertionPoint = pLink;
  777. }
  779. return NULL;
  780. } // NspLookupInboundIcmpEntry
  783. PNS_ICMP_ENTRY
  784. NspLookupOutboundIcmpEntry(
  785. ULONG64 ul64AddressKey,
  786. USHORT usTranslatedIdentifier
  787. )
  789. /*++
  791. Routine Description:
  793. Called to lookup an outbound ICMP entry.
  795. Arguments:
  797. ul64AddressKey - the addressing information for the entry
  799. usTranslatedIdentifier - the translated ICMP identifier for the entry
  801. Return Value:
  803. PNS_ICMP_ENTRY - a pointer to the entry, if found, or NULL otherwise.
  805. Environment:
  807. Invoked with 'NsIcmpLock' held by the caller.
  809. --*/
  811. {
  812. PNS_ICMP_ENTRY pEntry;
  813. PLIST_ENTRY pLink;
  815. for (pLink = NsIcmpList.Flink; pLink != &NsIcmpList; pLink = pLink->Flink)
  816. {
  817. pEntry = CONTAINING_RECORD(pLink, NS_ICMP_ENTRY, Link);
  819. //
  820. // When searching for an outbound entry, we can depend on the
  821. // ordering of address keys. However, we cannot depend on the
  822. // order of the translated identifiers, so we have to perform
  823. // an exhaustive search of all entries with the proper
  824. // address key.
  825. //
  827. if (ul64AddressKey > pEntry->ul64AddressKey)
  828. {
  829. continue;
  830. }
  831. else if (ul64AddressKey < pEntry->ul64AddressKey)
  832. {
  833. break;
  834. }
  835. else if (usTranslatedIdentifier == pEntry->usTranslatedId)
  836. {
  837. //
  838. // This is the requested entry.
  839. //
  841. return pEntry;
  842. }
  843. }
  845. //
  846. // Entry not found.
  847. //
  849. return NULL;
  850. } // NspLookupOutboundIcmpEntry
  853. NTSTATUS
  854. FASTCALL
  855. NsProcessIncomingIcmpPacket(
  856. PNS_PACKET_CONTEXT pContext,
  857. PVOID pvIpSecContext
  858. )
  860. /*++
  862. Routine Description:
  864. This routine is invoked by IpSec for each incoming ICMP packet.
  866. Arguments:
  868. pContext - the context information for the packet.
  870. pvIpSecContext - the IpSec context for this packet; this is considered
  871. an opaque value.
  873. Return Value:
  875. NTSTATUS.
  877. --*/
  879. {
  880. BOOLEAN fIdConflicts;
  881. KIRQL Irql;
  882. PNS_ICMP_ENTRY pIcmpEntry;
  883. PLIST_ENTRY pInsertionPoint;
  884. NTSTATUS Status = STATUS_SUCCESS;
  885. ULONG64 ul64AddressKey;
  886. ULONG ulChecksum;
  887. ULONG ulChecksumDelta;
  889. ASSERT(NULL != pContext);
  891. TRACE(
  892. ICMP,
  893. ("NsProcessIncomingIcmpPacket: %d.%d.%d.%d -> %d.%d.%d.%d : %d, %d : %d\n",
  894. ADDRESS_BYTES(pContext->ulSourceAddress),
  895. ADDRESS_BYTES(pContext->ulDestinationAddress),
  896. pContext->pIcmpHeader->Type,
  897. pContext->pIcmpHeader->Code,
  898. pvIpSecContext
  899. ));
  901. //
  902. // Branch to proper behavior based on ICMP Type
  903. //
  905. switch (pContext->pIcmpHeader->Type)
  906. {
  907. case ICMP_ROUTER_REPLY:
  908. case ICMP_MASK_REPLY:
  909. case ICMP_ECHO_REPLY:
  910. case ICMP_TIMESTAMP_REPLY:
  911. {
  912. //
  913. // No action is needed for inbound replies.
  914. //
  916. break;
  917. }
  919. case ICMP_ROUTER_REQUEST:
  920. case ICMP_MASK_REQUEST:
  921. case ICMP_ECHO_REQUEST:
  922. case ICMP_TIMESTAMP_REQUEST:
  923. {
  924. //
  925. // See if we have an ICMP entry that matches this packet.
  926. //
  928. MAKE_ADDRESS_KEY(
  929. ul64AddressKey,
  930. pContext->ulDestinationAddress,
  931. pContext->ulSourceAddress
  932. );
  934. KeAcquireSpinLock(&NsIcmpLock, &Irql);
  936. pIcmpEntry =
  937. NspLookupInboundIcmpEntry(
  938. ul64AddressKey,
  939. pContext->pIcmpHeader->Identifier,
  940. pvIpSecContext,
  941. &fIdConflicts,
  942. &pInsertionPoint
  943. );
  945. if (NULL == pIcmpEntry)
  946. {
  947. //
  948. // No entry was found; attempt to create a new
  949. // one. (The creation function will allocate
  950. // a new ID, if necessary.)
  951. //
  953. Status =
  954. NspCreateIcmpEntry(
  955. ul64AddressKey,
  956. pContext->pIcmpHeader->Identifier,
  957. pvIpSecContext,
  958. fIdConflicts,
  959. pInsertionPoint,
  960. &pIcmpEntry
  961. );
  962. }
  964. if (STATUS_SUCCESS == Status)
  965. {
  966. ASSERT(NULL != pIcmpEntry);
  967. KeQueryTickCount((PLARGE_INTEGER)&pIcmpEntry->l64LastAccessTime);
  969. if (pIcmpEntry->usTranslatedId != pIcmpEntry->usOriginalId)
  970. {
  971. //
  972. // Need to translate the ICMP ID for this packet, and
  973. // adjust the checksum accordingly.
  974. //
  976. pContext->pIcmpHeader->Identifier =
  977. pIcmpEntry->usTranslatedId;
  979. ulChecksumDelta = 0;
  980. CHECKSUM_LONG(ulChecksumDelta, ~pIcmpEntry->usOriginalId);
  981. CHECKSUM_LONG(ulChecksumDelta, pIcmpEntry->usTranslatedId);
  982. CHECKSUM_UPDATE(pContext->pIcmpHeader->Checksum);
  983. }
  984. }
  986. KeReleaseSpinLock(&NsIcmpLock, Irql);
  988. break;
  989. }
  991. case ICMP_TIME_EXCEED:
  992. case ICMP_PARAM_PROBLEM:
  993. case ICMP_DEST_UNREACH:
  994. case ICMP_SOURCE_QUENCH:
  995. {
  996. Status = NspHandleInboundIcmpError(pContext, pvIpSecContext);
  997. break;
  998. }
  1000. default:
  1001. {
  1002. break;
  1003. }
  1004. }
  1007. return Status;
  1008. } // NsProcessIncomingIcmpPacket
  1011. NTSTATUS
  1012. FASTCALL
  1013. NsProcessOutgoingIcmpPacket(
  1014. PNS_PACKET_CONTEXT pContext,
  1015. PVOID *ppvIpSecContext
  1016. )
  1018. /*++
  1020. Routine Description:
  1022. This routine is invoked by IpSec for each outgoing ICMP packet.
  1024. Arguments:
  1026. pContext - the context information for the packet.
  1028. ppvIpSecContext - receives the IpSec context for this packet, if any;
  1029. receives NULL if no context exists.
  1031. Return Value:
  1033. NTSTATUS.
  1035. --*/
  1037. {
  1038. KIRQL Irql;
  1039. PNS_ICMP_ENTRY pIcmpEntry;
  1040. NTSTATUS Status = STATUS_SUCCESS;
  1041. ULONG64 ul64AddressKey;
  1042. ULONG ulChecksum;
  1043. ULONG ulChecksumDelta;
  1045. ASSERT(NULL != pContext);
  1046. ASSERT(NULL != ppvIpSecContext);
  1048. TRACE(
  1049. ICMP,
  1050. ("NsProcessOutgoingIcmpPacket: %d.%d.%d.%d -> %d.%d.%d.%d : %d, %d\n",
  1051. ADDRESS_BYTES(pContext->ulSourceAddress),
  1052. ADDRESS_BYTES(pContext->ulDestinationAddress),
  1053. pContext->pIcmpHeader->Type,
  1054. pContext->pIcmpHeader->Code
  1055. ));
  1057. //
  1058. // Set context to the default value
  1059. //
  1061. *ppvIpSecContext = NULL;
  1063. //
  1064. // Branch to proper behavior based on ICMP Type
  1065. //
  1067. switch (pContext->pIcmpHeader->Type)
  1068. {
  1069. case ICMP_ROUTER_REPLY:
  1070. case ICMP_MASK_REPLY:
  1071. case ICMP_ECHO_REPLY:
  1072. case ICMP_TIMESTAMP_REPLY:
  1073. {
  1074. //
  1075. // See if we have an ICMP entry that matches this packet.
  1076. //
  1078. MAKE_ADDRESS_KEY(
  1079. ul64AddressKey,
  1080. pContext->ulSourceAddress,
  1081. pContext->ulDestinationAddress
  1082. );
  1084. KeAcquireSpinLock(&NsIcmpLock, &Irql);
  1086. pIcmpEntry =
  1087. NspLookupOutboundIcmpEntry(
  1088. ul64AddressKey,
  1089. pContext->pIcmpHeader->Identifier
  1090. );
  1092. if (NULL != pIcmpEntry)
  1093. {
  1094. *ppvIpSecContext = pIcmpEntry->pvIpSecContext;
  1095. KeQueryTickCount((PLARGE_INTEGER)&pIcmpEntry->l64LastAccessTime);
  1097. if (pIcmpEntry->usTranslatedId != pIcmpEntry->usOriginalId)
  1098. {
  1099. //
  1100. // Need to translate the ICMP ID for this packet, and
  1101. // adjust the checksum accordingly.
  1102. //
  1104. pContext->pIcmpHeader->Identifier =
  1105. pIcmpEntry->usOriginalId;
  1107. ulChecksumDelta = 0;
  1108. CHECKSUM_LONG(ulChecksumDelta, ~pIcmpEntry->usTranslatedId);
  1109. CHECKSUM_LONG(ulChecksumDelta, pIcmpEntry->usOriginalId);
  1110. CHECKSUM_UPDATE(pContext->pIcmpHeader->Checksum);
  1111. }
  1112. }
  1114. KeReleaseSpinLock(&NsIcmpLock, Irql);
  1116. break;
  1117. }
  1119. case ICMP_ROUTER_REQUEST:
  1120. case ICMP_MASK_REQUEST:
  1121. case ICMP_ECHO_REQUEST:
  1122. case ICMP_TIMESTAMP_REQUEST:
  1123. {
  1124. //
  1125. // No action is needed for outgoing requests.
  1126. //
  1128. break;
  1129. }
  1131. case ICMP_TIME_EXCEED:
  1132. case ICMP_PARAM_PROBLEM:
  1133. case ICMP_DEST_UNREACH:
  1134. case ICMP_SOURCE_QUENCH:
  1135. {
  1136. Status = NspHandleOutboundIcmpError(pContext, ppvIpSecContext);
  1137. break;
  1138. }
  1140. default:
  1141. {
  1142. break;
  1143. }
  1144. }
  1146. return Status;
  1147. } // NsProcessOutgoingIcmpPacket
  1151. VOID
  1152. NsShutdownIcmpManagement(
  1153. VOID
  1154. )
  1156. /*++
  1158. Routine Description:
  1160. This routine is invoked to cleanup the ICMP management module.
  1162. Arguments:
  1164. none.
  1166. Return Value:
  1168. none.
  1170. --*/
  1172. {
  1173. KIRQL Irql;
  1174. PNS_ICMP_ENTRY pEntry;
  1176. CALLTRACE(("NsShutdownIcmpManagement\n"));
  1178. KeAcquireSpinLock(&NsIcmpLock, &Irql);
  1180. while (!IsListEmpty(&NsIcmpList))
  1181. {
  1182. pEntry =
  1183. CONTAINING_RECORD(
  1184. RemoveHeadList(&NsIcmpList),
  1185. NS_ICMP_ENTRY,
  1186. Link
  1187. );
  1189. FREE_ICMP_BLOCK(pEntry);
  1190. }
  1192. KeReleaseSpinLock(&NsIcmpLock, Irql);
  1194. ExDeleteNPagedLookasideList(&NsIcmpLookasideList);
  1195. } // NsShutdownIcmpManagement