Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2050 lines
62 KiB

  1. /*++
  2. Copyright (c) 1997 Microsoft Corporation
  3. Module Name:
  4. icmp.c
  5. Abstract:
  6. This module contains the code for manipulating ICMP request/reply mappings.
  7. When the NAT decides to translate an ICMP request, it creates a mapping
  8. and places it on the interface's ICMP-mapping list, so that when the reply
  9. to the request arrives, it can be directed to the appropriate client.
  10. Author:
  11. Abolade Gbadegesin (t-abolag) 31-July-1997
  12. Revision History:
  13. --*/
  14. #include "precomp.h"
  15. #pragma hdrstop
  16. //
  17. // GLOBAL DATA DECLARATIONS
  18. //
  19. NPAGED_LOOKASIDE_LIST IcmpLookasideList;
  20. LIST_ENTRY IcmpMappingList[NatMaximumDirection];
  21. KSPIN_LOCK IcmpMappingLock;
  22. //
  23. // FORWARD DECLARATIONS
  24. //
  25. FORWARD_ACTION
  26. NatpFirewallIcmp(
  27. PNAT_INTERFACE Interfacep,
  28. IP_NAT_DIRECTION Direction,
  29. PNAT_XLATE_CONTEXT Contextp
  30. );
  31. BOOLEAN
  32. NatTranslateIcmpEncapsulatedRequest(
  33. PNAT_INTERFACE Interfacep OPTIONAL,
  34. IP_NAT_DIRECTION Direction,
  35. PIP_HEADER IpHeader,
  36. PICMP_HEADER IcmpHeader,
  37. PIP_HEADER EncapsulatedIpHeader,
  38. struct _ENCAPSULATED_ICMP_HEADER* EncapsulatedIcmpHeader,
  39. BOOLEAN ChecksumOffloaded
  40. );
  41. BOOLEAN
  42. NatTranslateIcmpRequest(
  43. PNAT_INTERFACE Interfacep OPTIONAL,
  44. IP_NAT_DIRECTION Direction,
  45. PNAT_XLATE_CONTEXT Contextp,
  46. BOOLEAN ReplyCode,
  47. BOOLEAN ChecksumOffloaded
  48. );
  49. BOOLEAN
  50. NatTranslateEncapsulatedRequest(
  51. PNAT_INTERFACE Interfacep OPTIONAL,
  52. IP_NAT_DIRECTION Direction,
  53. PIP_HEADER IpHeader,
  54. PICMP_HEADER IcmpHeader,
  55. PIP_HEADER EncapsulatedIpHeader,
  56. struct _ENCAPSULATED_UDP_HEADER* EncapsulatedHeader,
  57. BOOLEAN ChecksumOffloaded
  58. );
  59. NTSTATUS
  60. NatCreateIcmpMapping(
  61. PNAT_INTERFACE Interfacep,
  62. ULONG RemoteAddress,
  63. ULONG PrivateAddress,
  64. ULONG PublicAddress,
  65. PUSHORT PrivateId,
  66. PUSHORT PublicId,
  67. PLIST_ENTRY InboundInsertionPoint,
  68. PLIST_ENTRY OutboundInsertionPoint,
  69. PNAT_ICMP_MAPPING* MappingCreated
  70. )
  71. /*++
  72. Routine Description:
  73. Called to create, initialize, and insert an ICMP mapping in an interface's
  74. list of ICMP mappings.
  75. For outbound ICMP requests, we allocate a unique 'PublicId' for the mapping,
  76. and for inbound requests, we allocate a unique 'PrivateId' for the mapping.
  77. Arguments:
  78. Interfacep - the interface for the new mapping
  79. RemoteAddress - the address of the remote endpoint
  80. PrivateAddress - the address of the machine on the private network
  81. PublicAddress - the publicly-visible address to replace 'PrivateAddress';
  82. in case this is 0, an address is chosen in this routine.
  83. PrivateId - the private-endpoint's identifier for the ICMP message,
  84. or NULL if an identifier should be chosen by this routine.
  85. PublicId - the public-endpoint's identifier for the ICMP message,
  86. or NULL if an identifier should be chosen by this routine.
  87. InboundInsertionPoint - the entry preceding the new mapping in the list
  88. sorted for inbound searching
  89. OutboundInsertionPoint - the entry preceding the new mapping in the list
  90. sorted for outbound searching
  91. MappingCreated - receives the mapping created
  92. Return Value:
  93. NTSTATUS - indicates success/failure
  94. Environment:
  95. Invoked with 'IcmpMappingLock' held by the caller.
  96. --*/
  97. {
  98. USHORT Id;
  99. PLIST_ENTRY Link;
  100. PNAT_ICMP_MAPPING Mapping;
  101. PNAT_ICMP_MAPPING DuplicateMapping;
  102. NTSTATUS status;
  103. PNAT_ICMP_MAPPING Temp;
  104. PNAT_USED_ADDRESS UsedAddress;
  105. CALLTRACE(("NatCreateIcmpMapping\n"));
  106. //
  107. // Allocate a new mapping
  108. //
  109. Mapping = ALLOCATE_ICMP_BLOCK();
  110. if (!Mapping) {
  111. ERROR(("NatCreateIcmpMapping: allocation failed\n"));
  112. return STATUS_NO_MEMORY;
  113. }
  114. //
  115. // Initialize the mapping
  116. //
  117. Mapping->PrivateKey = MAKE_ICMP_KEY(RemoteAddress, PrivateAddress);
  118. //
  119. // See if the public address is specified, and if not, acquire an address
  120. //
  121. if (PublicAddress) {
  122. Mapping->PublicKey = MAKE_ICMP_KEY(RemoteAddress, PublicAddress);
  123. } else {
  124. //
  125. // Acquire an address mapping for the ICMP mapping
  126. //
  127. KeAcquireSpinLockAtDpcLevel(&Interfacep->Lock);
  128. status =
  129. NatAcquireFromAddressPool(
  130. Interfacep,
  131. PrivateAddress,
  132. 0,
  133. &UsedAddress
  134. );
  135. if (!NT_SUCCESS(status)) {
  136. KeReleaseSpinLockFromDpcLevel(&Interfacep->Lock);
  137. TRACE(ICMP, ("NatCreateIcmpMapping: no address available\n"));
  138. FREE_ICMP_BLOCK(Mapping);
  139. return STATUS_UNSUCCESSFUL;
  140. }
  141. PublicAddress = UsedAddress->PublicAddress;
  142. NatDereferenceAddressPoolEntry(Interfacep, UsedAddress);
  143. KeReleaseSpinLockFromDpcLevel(&Interfacep->Lock);
  144. Mapping->PublicKey = MAKE_ICMP_KEY(RemoteAddress, PublicAddress);
  145. }
  146. //
  147. // If no 'PrivateId' is specified, select one.
  148. //
  149. if (PrivateId) {
  150. Mapping->PrivateId = *PrivateId;
  151. } else {
  152. //
  153. // Find the next available identifier
  154. // by searching the list of inbound mappings
  155. //
  156. Id = 1;
  157. for (Link = IcmpMappingList[NatOutboundDirection].Flink;
  158. Link != &IcmpMappingList[NatOutboundDirection];
  159. Link = Link->Flink) {
  160. Temp =
  161. CONTAINING_RECORD(
  162. Link, NAT_ICMP_MAPPING, Link[NatOutboundDirection]
  163. );
  164. if (Mapping->PrivateKey > Temp->PrivateKey) {
  165. continue;
  166. } else if (Mapping->PrivateKey < Temp->PrivateKey) {
  167. break;
  168. }
  169. //
  170. // Primary key equal; see if the identifier we've chosen
  171. // collides with this one
  172. //
  173. if (Id > Temp->PrivateId) {
  174. continue;
  175. } else if (Id < Temp->PrivateId) {
  176. break;
  177. }
  178. //
  179. // The identifier's collide; choose another and go on
  180. //
  181. ++Id;
  182. }
  183. if (Link == &IcmpMappingList[NatOutboundDirection] && !Id) {
  184. //
  185. // We are at the end of the list, and all 64K-1 IDs are taken
  186. //
  187. FREE_ICMP_BLOCK(Mapping);
  188. return STATUS_UNSUCCESSFUL;
  189. }
  190. Mapping->PrivateId = Id;
  191. //
  192. // And by the way, we now have the outbound insertion point
  193. //
  194. if (!OutboundInsertionPoint) { OutboundInsertionPoint = Link; }
  195. }
  196. //
  197. // If no 'PublicId' is specified, select one.
  198. //
  199. if (PublicId) {
  200. Mapping->PublicId = *PublicId;
  201. } else {
  202. //
  203. // Find the next available identifier
  204. // by searching the list of inbound mappings
  205. //
  206. Id = 1;
  207. for (Link = IcmpMappingList[NatInboundDirection].Flink;
  208. Link != &IcmpMappingList[NatInboundDirection];
  209. Link = Link->Flink) {
  210. Temp =
  211. CONTAINING_RECORD(
  212. Link, NAT_ICMP_MAPPING, Link[NatInboundDirection]
  213. );
  214. if (Mapping->PublicKey > Temp->PublicKey) {
  215. continue;
  216. } else if (Mapping->PublicKey < Temp->PublicKey) {
  217. break;
  218. }
  219. //
  220. // Primary key equal; see if the identifier we've chosen
  221. // collides with this one
  222. //
  223. if (Id > Temp->PublicId) {
  224. continue;
  225. } else if (Id < Temp->PublicId) {
  226. break;
  227. }
  228. //
  229. // The identifier's collide; choose another and go on
  230. //
  231. ++Id;
  232. }
  233. if (Link == &IcmpMappingList[NatInboundDirection] && !Id) {
  234. //
  235. // We are at the end of the list, and all 64K-1 IDs are taken
  236. //
  237. FREE_ICMP_BLOCK(Mapping);
  238. return STATUS_UNSUCCESSFUL;
  239. }
  240. Mapping->PublicId = Id;
  241. //
  242. // And by the way, we now have the inbound insertion point
  243. //
  244. if (!InboundInsertionPoint) { InboundInsertionPoint = Link; }
  245. }
  246. TRACE(
  247. MAPPING,
  248. ("NatCreateIcmpMapping: Icmp=%016I64X:%04X::%016I64X:%04X\n",
  249. Mapping->PrivateKey, Mapping->PrivateId,
  250. Mapping->PublicKey, Mapping->PublicId
  251. ));
  252. //
  253. // Insert the mapping in the inbound list
  254. //
  255. if (!InboundInsertionPoint) {
  256. DuplicateMapping =
  257. NatLookupInboundIcmpMapping(
  258. Mapping->PrivateKey,
  259. Mapping->PrivateId,
  260. &InboundInsertionPoint
  261. );
  262. if (NULL != DuplicateMapping) {
  263. //
  264. // This mapping already exists on the inbound path
  265. //
  266. FREE_ICMP_BLOCK(Mapping);
  267. return STATUS_UNSUCCESSFUL;
  268. }
  269. }
  270. InsertTailList(InboundInsertionPoint, &Mapping->Link[NatInboundDirection]);
  271. //
  272. // Insert the mapping in the outbound list
  273. //
  274. if (!OutboundInsertionPoint) {
  275. DuplicateMapping =
  276. NatLookupOutboundIcmpMapping(
  277. Mapping->PublicKey,
  278. Mapping->PublicId,
  279. &OutboundInsertionPoint
  280. );
  281. if (NULL != DuplicateMapping) {
  282. //
  283. // This mapping already exists on the outbound path
  284. //
  285. RemoveEntryList(&Mapping->Link[NatInboundDirection]);
  286. FREE_ICMP_BLOCK(Mapping);
  287. return STATUS_UNSUCCESSFUL;
  288. }
  289. }
  290. InsertTailList(
  291. OutboundInsertionPoint, &Mapping->Link[NatOutboundDirection]
  292. );
  293. *MappingCreated = Mapping;
  294. return STATUS_SUCCESS;
  295. } // NatCreateIcmpMapping
  296. VOID
  297. NatInitializeIcmpManagement(
  298. VOID
  299. )
  300. /*++
  301. Routine Description:
  302. This routine is called to initialize the ICMP translation module.
  303. Arguments:
  304. none.
  305. Return Value:
  306. none.
  307. --*/
  308. {
  309. CALLTRACE(("NatInitializeIcmpManagement\n"));
  310. KeInitializeSpinLock(&IcmpMappingLock);
  311. InitializeListHead(&IcmpMappingList[NatInboundDirection]);
  312. InitializeListHead(&IcmpMappingList[NatOutboundDirection]);
  313. ExInitializeNPagedLookasideList(
  314. &IcmpLookasideList,
  315. NatAllocateFunction,
  316. NULL,
  317. 0,
  318. sizeof(NAT_ICMP_MAPPING),
  319. NAT_TAG_ICMP,
  320. ICMP_LOOKASIDE_DEPTH
  321. );
  322. } // NatInitializeIcmpManagement
  323. PNAT_ICMP_MAPPING
  324. NatLookupInboundIcmpMapping(
  325. ULONG64 PublicKey,
  326. USHORT PublicId,
  327. PLIST_ENTRY* InsertionPoint
  328. )
  329. /*++
  330. Routine Description:
  331. This routine is called to find an ICMP mapping using the remote-address
  332. and the publicly-visible address, which correspond to the 'PublicKey',
  333. and the 'PublicId' field.
  334. Arguments:
  335. PublicKey - the remote-address/public-address combination
  336. PublicId - the mapping's public identifier
  337. InsertionPoint - receives the insertion-point if the mapping is not found.
  338. Return Value:
  339. PNAT_ICMP_MAPPING - the mapping found, or NULL if not found.
  340. --*/
  341. {
  342. PLIST_ENTRY Link;
  343. PNAT_ICMP_MAPPING Mapping;
  344. CALLTRACE(("NatLookupInboundIcmpMapping\n"));
  345. if (InsertionPoint) { *InsertionPoint = NULL; }
  346. for (Link = IcmpMappingList[NatInboundDirection].Flink;
  347. Link != &IcmpMappingList[NatInboundDirection]; Link = Link->Flink) {
  348. Mapping =
  349. CONTAINING_RECORD(
  350. Link, NAT_ICMP_MAPPING, Link[NatInboundDirection]
  351. );
  352. if (PublicKey > Mapping->PublicKey) {
  353. continue;
  354. } else if (PublicKey < Mapping->PublicKey) {
  355. break;
  356. }
  357. //
  358. // Primary keys equal; check secondary keys.
  359. //
  360. if (PublicId > Mapping->PublicId) {
  361. continue;
  362. } else if (PublicId < Mapping->PublicId) {
  363. break;
  364. }
  365. //
  366. // Secondary keys equal, too. This is the requested item.
  367. //
  368. return Mapping;
  369. }
  370. if (InsertionPoint) { *InsertionPoint = Link; }
  371. return NULL;
  372. } // NatLookupInboundIcmpMapping
  373. PNAT_ICMP_MAPPING
  374. NatLookupOutboundIcmpMapping(
  375. ULONG64 PrivateKey,
  376. USHORT PrivateId,
  377. PLIST_ENTRY* InsertionPoint
  378. )
  379. /*++
  380. Routine Description:
  381. This routine is called to find an ICMP mapping using the remote-address
  382. and the private address, which correspond to the 'PrivateKey'.
  383. Arguments:
  384. PrivateKey - the remote-address/private-address combination
  385. PrivateId - the mapping's private identifier
  386. InsertionPoint - receives insertion-point if mapping not found.
  387. Return Value:
  388. PNAT_ICMP_MAPPING - the mapping found, or NULL if not found.
  389. --*/
  390. {
  391. PLIST_ENTRY Link;
  392. PNAT_ICMP_MAPPING Mapping;
  393. CALLTRACE(("NatLookupOutboundIcmpMapping\n"));
  394. if (InsertionPoint) { *InsertionPoint = NULL; }
  395. for (Link = IcmpMappingList[NatOutboundDirection].Flink;
  396. Link != &IcmpMappingList[NatOutboundDirection]; Link = Link->Flink) {
  397. Mapping =
  398. CONTAINING_RECORD(
  399. Link, NAT_ICMP_MAPPING, Link[NatOutboundDirection]
  400. );
  401. if (PrivateKey > Mapping->PrivateKey) {
  402. continue;
  403. } else if (PrivateKey < Mapping->PrivateKey) {
  404. break;
  405. }
  406. //
  407. // Primary keys equal; check secondary keys.
  408. //
  409. if (PrivateId > Mapping->PrivateId) {
  410. continue;
  411. } else if (PrivateId < Mapping->PrivateId) {
  412. break;
  413. }
  414. //
  415. // Keys are equal, so we've found it.
  416. //
  417. return Mapping;
  418. }
  419. if (InsertionPoint) { *InsertionPoint = Link; }
  420. return NULL;
  421. } // NatLookupOutboundIcmpMapping
  422. FORWARD_ACTION
  423. NatpFirewallIcmp(
  424. PNAT_INTERFACE Interfacep,
  425. IP_NAT_DIRECTION Direction,
  426. PNAT_XLATE_CONTEXT Contextp
  427. )
  428. /*++
  429. Routine Description:
  430. This routine encapsulates the ICMP firewall logic. It is
  431. only used (as of now) for non-boundary FW interfaces
  432. Arguments:
  433. Interfacep - the boundary interface over which to translate.
  434. Direction - the direction in which the packet is traveling
  435. Contextp - initialized with context-information for the packet
  436. Return Value:
  437. FORWARD_ACTION - indicates action to take on packet.
  438. Environment:
  439. Invoked with a reference made to 'Interfacep'.
  440. --*/
  441. {
  442. FORWARD_ACTION act;
  443. ULONG i;
  444. PICMP_HEADER IcmpHeader;
  445. PIP_HEADER IpHeader;
  446. PNAT_ICMP_MAPPING IcmpMapping;
  447. ULONG64 PublicKey;
  448. ULONG64 RemoteKey;
  449. PLIST_ENTRY InsertionPoint;
  450. NTSTATUS ntStatus;
  451. TRACE(XLATE, ("NatpFirewallIcmp\n"));
  452. if (NatOutboundDirection == Direction) {
  453. //
  454. // Make sure this packet has a valid source address
  455. // for this interface.
  456. //
  457. act = DROP;
  458. for (i = 0; i < Interfacep->AddressCount; i++) {
  459. if (Contextp->SourceAddress ==
  460. Interfacep->AddressArray[i].Address
  461. ) {
  462. act = FORWARD;
  463. break;
  464. }
  465. }
  466. if (DROP == act) {
  467. //
  468. // Invalid source addess -- packet should be
  469. // dropped w/o any further processing.
  470. //
  471. return act;
  472. }
  473. }
  474. IpHeader = Contextp->Header;
  475. IcmpHeader = (PICMP_HEADER)Contextp->ProtocolHeader;
  476. switch (IcmpHeader->Type) {
  477. //
  478. // Message forewarded only if a corresponding mapping
  479. // exists. A mapping for an outbound packet can exist only
  480. // if the use chooses to allow the corresponding request
  481. // type.
  482. //
  483. case ICMP_ECHO_REPLY:
  484. case ICMP_TIMESTAMP_REPLY:
  485. case ICMP_ROUTER_REPLY:
  486. case ICMP_MASK_REPLY: {
  487. if (NatInboundDirection == Direction) {
  488. PublicKey =
  489. MAKE_ICMP_KEY(
  490. Contextp->SourceAddress,
  491. Contextp->DestinationAddress
  492. );
  493. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  494. IcmpMapping =
  495. NatLookupInboundIcmpMapping(
  496. PublicKey,
  497. IcmpHeader->Identifier,
  498. &InsertionPoint
  499. );
  500. if (NULL != IcmpMapping) {
  501. KeQueryTickCount(
  502. (PLARGE_INTEGER)&IcmpMapping->LastAccessTime
  503. );
  504. }
  505. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  506. act = IcmpMapping != NULL ? FORWARD : DROP;
  507. } else {
  508. PublicKey =
  509. MAKE_ICMP_KEY(
  510. Contextp->DestinationAddress,
  511. Contextp->SourceAddress
  512. );
  513. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  514. IcmpMapping =
  515. NatLookupOutboundIcmpMapping(
  516. PublicKey,
  517. IcmpHeader->Identifier,
  518. &InsertionPoint
  519. );
  520. if (NULL != IcmpMapping) {
  521. KeQueryTickCount(
  522. (PLARGE_INTEGER)&IcmpMapping->LastAccessTime
  523. );
  524. }
  525. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  526. act = IcmpMapping != NULL ? FORWARD : DROP;
  527. }
  528. break;
  529. }
  530. //
  531. // Outbound messages create a mapping and are forwarded.
  532. // Inbound messages are dropped, unless configured to
  533. // allow inbound; if this is the case, create a mapping
  534. // and forward. The mapping will allow the response
  535. // to go through the firewall
  536. //
  537. case ICMP_ECHO_REQUEST:
  538. case ICMP_TIMESTAMP_REQUEST:
  539. case ICMP_ROUTER_REQUEST:
  540. case ICMP_MASK_REQUEST: {
  541. if (NatOutboundDirection == Direction) {
  542. act = FORWARD;
  543. //
  544. // Check to see if a mapping already exists
  545. //
  546. PublicKey =
  547. MAKE_ICMP_KEY(
  548. Contextp->DestinationAddress,
  549. Contextp->SourceAddress
  550. );
  551. KeAcquireSpinLockAtDpcLevel (&IcmpMappingLock);
  552. IcmpMapping =
  553. NatLookupOutboundIcmpMapping(
  554. PublicKey,
  555. IcmpHeader->Identifier,
  556. &InsertionPoint
  557. );
  558. if (NULL == IcmpMapping) {
  559. //
  560. // One didn't -- create a new mappping.
  561. //
  562. ntStatus =
  563. NatCreateIcmpMapping(
  564. Interfacep,
  565. Contextp->DestinationAddress,
  566. Contextp->SourceAddress,
  567. Contextp->SourceAddress,
  568. &IcmpHeader->Identifier,
  569. &IcmpHeader->Identifier,
  570. NULL,
  571. NULL,
  572. &IcmpMapping
  573. );
  574. if (!NT_SUCCESS(ntStatus)) {
  575. TRACE(
  576. XLATE, (
  577. "NatIcmpFirewall: error 0x%x creating mapping\n",
  578. ntStatus
  579. ));
  580. act = DROP;
  581. }
  582. } else {
  583. KeQueryTickCount(
  584. (PLARGE_INTEGER)&IcmpMapping->LastAccessTime
  585. );
  586. }
  587. KeReleaseSpinLockFromDpcLevel( &IcmpMappingLock );
  588. } else {
  589. //
  590. // Check to see if inbound for this type is permitted. If
  591. // so, create a mapping and forward.
  592. //
  593. if (NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)) {
  594. act = FORWARD;
  595. //
  596. // Check to see if a mapping already exists
  597. //
  598. PublicKey =
  599. MAKE_ICMP_KEY(
  600. Contextp->SourceAddress,
  601. Contextp->DestinationAddress
  602. );
  603. KeAcquireSpinLockAtDpcLevel (&IcmpMappingLock);
  604. IcmpMapping =
  605. NatLookupInboundIcmpMapping(
  606. PublicKey,
  607. IcmpHeader->Identifier,
  608. &InsertionPoint
  609. );
  610. if (NULL == IcmpMapping) {
  611. //
  612. // One didn't -- create a new mappping.
  613. //
  614. ntStatus =
  615. NatCreateIcmpMapping(
  616. Interfacep,
  617. Contextp->SourceAddress,
  618. Contextp->DestinationAddress,
  619. Contextp->DestinationAddress,
  620. &IcmpHeader->Identifier,
  621. &IcmpHeader->Identifier,
  622. NULL,
  623. NULL,
  624. &IcmpMapping
  625. );
  626. if (!NT_SUCCESS(ntStatus)) {
  627. TRACE(
  628. XLATE, (
  629. "NatIcmpFirewall: error 0x%x creating mapping\n",
  630. ntStatus
  631. ));
  632. act = DROP;
  633. }
  634. } else {
  635. KeQueryTickCount(
  636. (PLARGE_INTEGER)&IcmpMapping->LastAccessTime
  637. );
  638. }
  639. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  640. } else {
  641. //
  642. // Not permitted.
  643. //
  644. act = DROP;
  645. }
  646. }
  647. break;
  648. }
  649. //
  650. // These messages are allowed inbound, but are dropped outbound
  651. // (unless the user chooses to allow them). Allowing outbound creates
  652. // more avenues of attack for port-scanning tools.
  653. //
  654. case ICMP_TIME_EXCEED:
  655. case ICMP_PARAM_PROBLEM:
  656. case ICMP_DEST_UNREACH:
  657. case ICMP_SOURCE_QUENCH: {
  658. if (NatInboundDirection == Direction) {
  659. act = FORWARD;
  660. } else {
  661. act =
  662. (NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)
  663. ? FORWARD
  664. : DROP);
  665. }
  666. break;
  667. }
  668. //
  669. // These messages are always dropped, no matter the direction
  670. // (unless the user chooses to allow them).
  671. //
  672. case ICMP_REDIRECT: {
  673. act =
  674. (NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)
  675. ? FORWARD
  676. : DROP);
  677. break;
  678. }
  679. //
  680. // Anything else is dropped by default.
  681. //
  682. default: {
  683. act = DROP;
  684. break;
  685. }
  686. }
  687. return act;
  688. } // NatpFirewallIcmp
  689. VOID
  690. NatShutdownIcmpManagement(
  691. VOID
  692. )
  693. /*++
  694. Routine Description:
  695. This routine is invoked to clean up the ICMP management module
  696. when the NAT driver is unloaded.
  697. Arguments:
  698. none.
  699. Return Value:
  700. none.
  701. --*/
  702. {
  703. ExDeleteNPagedLookasideList(&IcmpLookasideList);
  704. } // NatShutdownIcmpManagement
  705. FORWARD_ACTION
  706. NatTranslateIcmp(
  707. PNAT_INTERFACE Interfacep OPTIONAL,
  708. IP_NAT_DIRECTION Direction,
  709. PNAT_XLATE_CONTEXT Contextp,
  710. IPRcvBuf** InRecvBuffer,
  711. IPRcvBuf** OutRecvBuffer
  712. )
  713. /*++
  714. Routine Description:
  715. This routine is invoked to perform translation on an ICMP message.
  716. Arguments:
  717. Interfacep - the boundary interface over which to translate, or NULL
  718. if the packet is inbound and the receiving interface has not been
  719. added to the NAT.
  720. Direction - the direction in which the packet is traveling
  721. Contextp - initialized with context-information for the packet
  722. InRecvBuffer - input buffer-chain
  723. OutRecvBuffer - receives modified buffer-chain.
  724. Return Value:
  725. FORWARD_ACTION - indicates action to take on packet.
  726. Environment:
  727. Invoked with a reference made to 'Interfacep' by the caller.
  728. --*/
  729. {
  730. FORWARD_ACTION act;
  731. BOOLEAN ChecksumOffloaded;
  732. ULONG i;
  733. PICMP_HEADER IcmpHeader;
  734. PIP_HEADER IpHeader;
  735. TRACE(XLATE, ("NatTranslateIcmp\n"));
  736. //
  737. // If the interface is in FW mode and is not a
  738. // boundary interface, go directly to the firewall
  739. // logic
  740. //
  741. if (Interfacep
  742. && NAT_INTERFACE_FW(Interfacep)
  743. && !NAT_INTERFACE_BOUNDARY(Interfacep)) {
  744. return NatpFirewallIcmp(
  745. Interfacep,
  746. Direction,
  747. Contextp
  748. );
  749. }
  750. IpHeader = Contextp->Header;
  751. IcmpHeader = (PICMP_HEADER)Contextp->ProtocolHeader;
  752. ChecksumOffloaded = Contextp->ChecksumOffloaded;
  753. //
  754. // The default action is chosen as follows:
  755. // i. if the packet is incoming on a boundary interface
  756. // a. drop if not locally destined
  757. // b. drop if the interface is firewalled
  758. // c. forward otherwise
  759. // ii. the packet is outgoing on a boundary interface, drop
  760. // if source-address is private.
  761. //
  762. if (Direction == NatInboundDirection) {
  763. if ((*Contextp->DestinationType >= DEST_REMOTE)
  764. || (Interfacep
  765. && NAT_INTERFACE_FW(Interfacep)
  766. && !NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type))) {
  767. act = DROP;
  768. } else {
  769. act = FORWARD;
  770. }
  771. } else {
  772. //
  773. // See if the packet's source-address is private
  774. //
  775. // N.B. 'Interfacep' is always valid for outbound packets.
  776. //
  777. act = DROP;
  778. for (i = 0; i < Interfacep->AddressCount; i++) {
  779. if (Contextp->SourceAddress ==
  780. Interfacep->AddressArray[i].Address
  781. ) {
  782. //
  783. // The packet's source-address is public,
  784. // so we'll allow it onto the public network.
  785. //
  786. act = FORWARD;
  787. break;
  788. }
  789. }
  790. }
  791. //
  792. // See what kind of ICMP message this is,
  793. // and translate it if possible.
  794. //
  795. switch (IcmpHeader->Type) {
  796. case ICMP_ROUTER_REPLY:
  797. case ICMP_MASK_REPLY:
  798. case ICMP_ECHO_REPLY:
  799. case ICMP_TIMESTAMP_REPLY: {
  800. if (IpHeader->TimeToLive <= 1) {
  801. TRACE(XLATE, ("NatTranslateIcmp: ttl<=1, no translation\n"));
  802. return FORWARD;
  803. }
  804. if (Contextp->ProtocolRecvBuffer->ipr_size <
  805. FIELD_OFFSET(ICMP_HEADER, EncapsulatedIpHeader) ||
  806. !NatTranslateIcmpRequest(
  807. Interfacep,
  808. Direction,
  809. Contextp,
  810. TRUE,
  811. ChecksumOffloaded
  812. )) {
  813. return act;
  814. }
  815. *OutRecvBuffer = *InRecvBuffer; *InRecvBuffer = NULL;
  816. *Contextp->DestinationType = DEST_INVALID;
  817. return FORWARD;
  818. }
  819. case ICMP_ROUTER_REQUEST:
  820. case ICMP_MASK_REQUEST:
  821. case ICMP_ECHO_REQUEST:
  822. case ICMP_TIMESTAMP_REQUEST: {
  823. if (IpHeader->TimeToLive <= 1) {
  824. TRACE(XLATE, ("NatTranslateIcmp: ttl<=1, no translation\n"));
  825. return FORWARD;
  826. }
  827. if (Contextp->ProtocolRecvBuffer->ipr_size <
  828. FIELD_OFFSET(ICMP_HEADER, EncapsulatedIpHeader) ||
  829. !NatTranslateIcmpRequest(
  830. Interfacep,
  831. Direction,
  832. Contextp,
  833. FALSE,
  834. ChecksumOffloaded
  835. )) {
  836. //
  837. // If the interface is in FW mode, we don't want to let
  838. // a non-translated packet through, unless the user has
  839. // configured the interface otherwise.
  840. //
  841. if (Interfacep
  842. && NAT_INTERFACE_FW(Interfacep)
  843. && !NAT_INTERFACE_ALLOW_ICMP(
  844. Interfacep,
  845. IcmpHeader->Type
  846. )) {
  847. act = DROP;
  848. }
  849. return act;
  850. }
  851. *OutRecvBuffer = *InRecvBuffer; *InRecvBuffer = NULL;
  852. *Contextp->DestinationType = DEST_INVALID;
  853. return FORWARD;
  854. }
  855. case ICMP_TIME_EXCEED: {
  856. //
  857. // Outgoing on a firewalled interface are dropped, unless
  858. // the user has specified otherwise
  859. //
  860. if (Direction == NatOutboundDirection
  861. && Interfacep
  862. && NAT_INTERFACE_FW(Interfacep)
  863. && !NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)) {
  864. return DROP;
  865. }
  866. //
  867. // Time-exceeded messages will be triggered at each hop
  868. // to the final destination of a traceroute sequence.
  869. // Such messages must be translated like ICMP replies.
  870. // Time-exceeded messages may also be generated
  871. // in response to TCP/UDP packets, so we translate them
  872. // in the latter case as well.
  873. //
  874. if (Contextp->ProtocolRecvBuffer->ipr_size <
  875. sizeof(ICMP_HEADER) ||
  876. (IcmpHeader->EncapsulatedIpHeader.VersionAndHeaderLength
  877. & 0x0f) != 5) {
  878. return act;
  879. } else if (IcmpHeader->EncapsulatedIpHeader.Protocol ==
  880. NAT_PROTOCOL_ICMP) {
  881. if ((IcmpHeader->EncapsulatedIcmpHeader.Type !=
  882. ICMP_ECHO_REQUEST
  883. && IcmpHeader->EncapsulatedIcmpHeader.Type !=
  884. ICMP_MASK_REQUEST
  885. && IcmpHeader->EncapsulatedIcmpHeader.Type !=
  886. ICMP_ROUTER_REQUEST
  887. && IcmpHeader->EncapsulatedIcmpHeader.Type !=
  888. ICMP_TIMESTAMP_REQUEST) ||
  889. !NatTranslateIcmpEncapsulatedRequest(
  890. Interfacep,
  891. Direction,
  892. IpHeader,
  893. IcmpHeader,
  894. &IcmpHeader->EncapsulatedIpHeader,
  895. &IcmpHeader->EncapsulatedIcmpHeader,
  896. ChecksumOffloaded
  897. )) {
  898. return act;
  899. }
  900. } else if (IcmpHeader->EncapsulatedIpHeader.Protocol
  901. == NAT_PROTOCOL_TCP ||
  902. IcmpHeader->EncapsulatedIpHeader.Protocol
  903. == NAT_PROTOCOL_UDP) {
  904. if (!NatTranslateEncapsulatedRequest(
  905. Interfacep,
  906. Direction,
  907. IpHeader,
  908. IcmpHeader,
  909. &IcmpHeader->EncapsulatedIpHeader,
  910. &IcmpHeader->EncapsulatedUdpHeader,
  911. ChecksumOffloaded
  912. )) {
  913. return act;
  914. }
  915. } else {
  916. return act;
  917. }
  918. *OutRecvBuffer = *InRecvBuffer; *InRecvBuffer = NULL;
  919. *Contextp->DestinationType = DEST_INVALID;
  920. return FORWARD;
  921. }
  922. case ICMP_PARAM_PROBLEM:
  923. case ICMP_DEST_UNREACH: {
  924. //
  925. // Outgoing on a firewalled interface are dropped, unless
  926. // the user has specified otherwise
  927. //
  928. if (Direction == NatOutboundDirection
  929. && Interfacep
  930. && NAT_INTERFACE_FW(Interfacep)
  931. && !NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)) {
  932. return DROP;
  933. }
  934. //
  935. // Destination unreachable messages will be generated for a variety
  936. // of reasons. We are interested in the following cases:
  937. // * Packet-too-big: When a packet received on a boundary
  938. // interface has the 'DF' bit set, the local forwarder may
  939. // generate an ICMP error message to the remote endpoint
  940. // indicating that the remote system should reduce its MSS.
  941. // This error, however, will contain the IP address of the
  942. // private network in the encapsulated packet, since the ICMP
  943. // error was generated after translation.
  944. // * Port-unreachable: Indicates that no application is listening
  945. // at the UDP port to which a packet was sent.
  946. //
  947. if (Contextp->ProtocolRecvBuffer->ipr_size <
  948. sizeof(ICMP_HEADER) ||
  949. (IcmpHeader->EncapsulatedIpHeader.VersionAndHeaderLength
  950. & 0x0f) != 5) {
  951. return act;
  952. } else if (IcmpHeader->EncapsulatedIpHeader.Protocol ==
  953. NAT_PROTOCOL_ICMP) {
  954. if ((IcmpHeader->EncapsulatedIcmpHeader.Type !=
  955. ICMP_ECHO_REQUEST
  956. && IcmpHeader->EncapsulatedIcmpHeader.Type !=
  957. ICMP_MASK_REQUEST
  958. && IcmpHeader->EncapsulatedIcmpHeader.Type !=
  959. ICMP_ROUTER_REQUEST
  960. && IcmpHeader->EncapsulatedIcmpHeader.Type !=
  961. ICMP_TIMESTAMP_REQUEST) ||
  962. !NatTranslateIcmpEncapsulatedRequest(
  963. Interfacep,
  964. Direction,
  965. IpHeader,
  966. IcmpHeader,
  967. &IcmpHeader->EncapsulatedIpHeader,
  968. &IcmpHeader->EncapsulatedIcmpHeader,
  969. ChecksumOffloaded
  970. )) {
  971. return act;
  972. }
  973. } else if (IcmpHeader->EncapsulatedIpHeader.Protocol
  974. == NAT_PROTOCOL_TCP ||
  975. IcmpHeader->EncapsulatedIpHeader.Protocol
  976. == NAT_PROTOCOL_UDP) {
  977. if (!NatTranslateEncapsulatedRequest(
  978. Interfacep,
  979. Direction,
  980. IpHeader,
  981. IcmpHeader,
  982. &IcmpHeader->EncapsulatedIpHeader,
  983. &IcmpHeader->EncapsulatedUdpHeader,
  984. ChecksumOffloaded
  985. )) {
  986. return act;
  987. }
  988. } else {
  989. return act;
  990. }
  991. *OutRecvBuffer = *InRecvBuffer; *InRecvBuffer = NULL;
  992. *Contextp->DestinationType = DEST_INVALID;
  993. return FORWARD;
  994. }
  995. case ICMP_SOURCE_QUENCH: {
  996. //
  997. // Outgoing on a firewalled interface are dropped, unless
  998. // the user has specified otherwise
  999. //
  1000. if (Direction == NatOutboundDirection
  1001. && Interfacep
  1002. && NAT_INTERFACE_FW(Interfacep)
  1003. && !NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)) {
  1004. return DROP;
  1005. }
  1006. return act;
  1007. }
  1008. case ICMP_REDIRECT: {
  1009. //
  1010. // We do not translate ICMP redirect errors, since we want
  1011. // the NAT's IP forwarder to see the redirects and adjust
  1012. // its routing table accordingly.
  1013. //
  1014. // However, we do not allow inbound or outbound redirects
  1015. // across a firwall interface, unless the user has
  1016. // specified otherwise
  1017. //
  1018. if (Interfacep
  1019. && NAT_INTERFACE_FW(Interfacep)
  1020. && NAT_INTERFACE_ALLOW_ICMP(Interfacep, IcmpHeader->Type)) {
  1021. act = FORWARD;
  1022. }
  1023. return act;
  1024. }
  1025. default: {
  1026. break;
  1027. }
  1028. }
  1029. return act;
  1030. } // NatTranslateIcmp
  1031. BOOLEAN
  1032. NatTranslateIcmpEncapsulatedRequest(
  1033. PNAT_INTERFACE Interfacep OPTIONAL,
  1034. IP_NAT_DIRECTION Direction,
  1035. PIP_HEADER IpHeader,
  1036. PICMP_HEADER IcmpHeader,
  1037. PIP_HEADER EncapsulatedIpHeader,
  1038. struct _ENCAPSULATED_ICMP_HEADER* EncapsulatedIcmpHeader,
  1039. BOOLEAN ChecksumOffloaded
  1040. )
  1041. /*++
  1042. Routine Description:
  1043. This routine is invoked to translate an ICMP error message in which
  1044. we have another ICMP message encapsulated. This is necessary, for instance,
  1045. in the case of ICMP time-exceeded errors, upon which 'traceroute' relies.
  1046. Arguments:
  1047. Interfacep - the interface across which the ICMP message will be forwarded,
  1048. or NULL if the packet was received on a non-boundary interface
  1049. unknown to the NAT.
  1050. Direction - the direction in which the ICMP message is traveling
  1051. IpHeader - points to the IP header of the ICMP message
  1052. IcmpHeader - points to the ICMP header within the IP packet
  1053. EncapsulatedIpHeader - points to the IP header of the ICMP message
  1054. encapsulated in the data portion of the message
  1055. EncapsulatedIcmpHeader - points to the ICMP header of the ICMP message
  1056. encapsulated in the data portion of the message
  1057. Return Value:
  1058. BOOLEAN - TRUE if the packet was translated, FALSE otherwise
  1059. Environment:
  1060. Invoked at dispatch IRQL with a reference made to 'Interfacep'.
  1061. --*/
  1062. {
  1063. ULONG Checksum;
  1064. ULONG ChecksumDelta;
  1065. ULONG ChecksumDelta2;
  1066. PNAT_ICMP_MAPPING IcmpMapping;
  1067. ULONG64 Key;
  1068. CALLTRACE(("NatTranslateIcmpEncapsulatedRequest\n"));
  1069. //
  1070. // The checksum processing for encapsulated messages
  1071. // is extremely complicated since we must update
  1072. // (1) the ICMP checksum of the encapsulated ICMP message,
  1073. // using the change to the encapsulated ICMP identifier
  1074. // (2) the IP header-checksum of the encapsulated ICMP message
  1075. // using the change to the encapsulated IP addresses
  1076. // (3) the ICMP checksum of the containing ICMP error message
  1077. // using both the above changes as well as the changes
  1078. // to both the above checksums
  1079. // (4) the IP header-checksum of the containing ICMP error message
  1080. // using the change to the containing IP addresses
  1081. // Any changes to the logic below must be made with extreme care.
  1082. //
  1083. if (Direction == NatInboundDirection) {
  1084. Key =
  1085. MAKE_ICMP_KEY(
  1086. EncapsulatedIpHeader->DestinationAddress,
  1087. EncapsulatedIpHeader->SourceAddress
  1088. );
  1089. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  1090. IcmpMapping =
  1091. NatLookupInboundIcmpMapping(
  1092. Key,
  1093. EncapsulatedIcmpHeader->Identifier,
  1094. NULL
  1095. );
  1096. if (!IcmpMapping) {
  1097. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1098. TRACE(
  1099. XLATE, (
  1100. "NatTranslateIcmpEncapsulatedRequest: "
  1101. "no mapping for error message\n"
  1102. ));
  1103. return FALSE;
  1104. }
  1105. ChecksumDelta = 0;
  1106. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedIcmpHeader->Identifier);
  1107. EncapsulatedIcmpHeader->Identifier = IcmpMapping->PrivateId;
  1108. CHECKSUM_LONG(ChecksumDelta, EncapsulatedIcmpHeader->Identifier);
  1109. ChecksumDelta2 = ChecksumDelta;
  1110. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedIcmpHeader->Checksum);
  1111. CHECKSUM_UPDATE(EncapsulatedIcmpHeader->Checksum);
  1112. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedIcmpHeader->Checksum);
  1113. ChecksumDelta = ChecksumDelta2; CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1114. ChecksumDelta = 0;
  1115. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedIpHeader->SourceAddress);
  1116. EncapsulatedIpHeader->SourceAddress =
  1117. ICMP_KEY_PRIVATE(IcmpMapping->PrivateKey);
  1118. CHECKSUM_LONG(ChecksumDelta, EncapsulatedIpHeader->SourceAddress);
  1119. ChecksumDelta2 = ChecksumDelta;
  1120. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedIpHeader->Checksum);
  1121. CHECKSUM_UPDATE(EncapsulatedIpHeader->Checksum);
  1122. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedIpHeader->Checksum);
  1123. ChecksumDelta = ChecksumDelta2; CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1124. ChecksumDelta = 0;
  1125. CHECKSUM_LONG(ChecksumDelta, ~IpHeader->DestinationAddress);
  1126. IpHeader->DestinationAddress =
  1127. ICMP_KEY_PRIVATE(IcmpMapping->PrivateKey);
  1128. CHECKSUM_LONG(ChecksumDelta, IpHeader->DestinationAddress);
  1129. CHECKSUM_UPDATE(IpHeader->Checksum);
  1130. KeQueryTickCount((PLARGE_INTEGER)&IcmpMapping->LastAccessTime);
  1131. } else {
  1132. Key =
  1133. MAKE_ICMP_KEY(
  1134. EncapsulatedIpHeader->SourceAddress,
  1135. EncapsulatedIpHeader->DestinationAddress
  1136. );
  1137. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  1138. IcmpMapping =
  1139. NatLookupOutboundIcmpMapping(
  1140. Key,
  1141. EncapsulatedIcmpHeader->Identifier,
  1142. NULL
  1143. );
  1144. if (!IcmpMapping) {
  1145. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1146. TRACE(
  1147. XLATE, (
  1148. "NatTranslateIcmpEncapsulatedRequest: "
  1149. "no mapping for error message\n"
  1150. ));
  1151. return FALSE;
  1152. }
  1153. ChecksumDelta = 0;
  1154. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedIcmpHeader->Identifier);
  1155. EncapsulatedIcmpHeader->Identifier = IcmpMapping->PublicId;
  1156. CHECKSUM_LONG(ChecksumDelta, EncapsulatedIcmpHeader->Identifier);
  1157. ChecksumDelta2 = ChecksumDelta;
  1158. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedIcmpHeader->Checksum);
  1159. CHECKSUM_UPDATE(EncapsulatedIcmpHeader->Checksum);
  1160. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedIcmpHeader->Checksum);
  1161. ChecksumDelta = ChecksumDelta2; CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1162. ChecksumDelta = 0;
  1163. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedIpHeader->DestinationAddress);
  1164. EncapsulatedIpHeader->DestinationAddress =
  1165. ICMP_KEY_PUBLIC(IcmpMapping->PublicKey);
  1166. CHECKSUM_LONG(ChecksumDelta, EncapsulatedIpHeader->DestinationAddress);
  1167. ChecksumDelta2 = ChecksumDelta;
  1168. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedIpHeader->Checksum);
  1169. CHECKSUM_UPDATE(EncapsulatedIpHeader->Checksum);
  1170. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedIpHeader->Checksum);
  1171. ChecksumDelta = ChecksumDelta2; CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1172. ChecksumDelta = 0;
  1173. CHECKSUM_LONG(ChecksumDelta, ~IpHeader->SourceAddress);
  1174. IpHeader->SourceAddress =
  1175. ICMP_KEY_PUBLIC(IcmpMapping->PublicKey);
  1176. CHECKSUM_LONG(ChecksumDelta, IpHeader->SourceAddress);
  1177. CHECKSUM_UPDATE(IpHeader->Checksum);
  1178. KeQueryTickCount((PLARGE_INTEGER)&IcmpMapping->LastAccessTime);
  1179. }
  1180. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1181. //
  1182. // If checksum offloading is enabled on this packet, recompute the
  1183. // IP checksum. (There is no ICMP checksum-offload, so we will never
  1184. // need to fully recompute that.)
  1185. //
  1186. if (ChecksumOffloaded) {
  1187. NatComputeIpChecksum(IpHeader);
  1188. }
  1189. return TRUE;
  1190. } // NatTranslateIcmpEncapsulatedRequest
  1191. BOOLEAN
  1192. NatTranslateIcmpRequest(
  1193. PNAT_INTERFACE Interfacep OPTIONAL,
  1194. IP_NAT_DIRECTION Direction,
  1195. PNAT_XLATE_CONTEXT Contextp,
  1196. BOOLEAN ReplyCode,
  1197. BOOLEAN ChecksumOffloaded
  1198. )
  1199. /*++
  1200. Routine Description:
  1201. This routine is invoked to translate an ICMP request or reply message.
  1202. Arguments:
  1203. Interfacep - the interface across which the ICMP message is to be forwarded,
  1204. or NULL if the packet was received on a non-boundary interface unknown
  1205. to the NAT.
  1206. Direction - the direction in which the ICMP message is traveling
  1207. Contextp - contains information about the packet
  1208. ReplyCode - if TRUE, the message is a reply; otherwise, it is a request.
  1209. Return Value:
  1210. BOOLEAN - TRUE if the message was translated, FALSE otherwise.
  1211. Environment:
  1212. Invoked at dispatch IRQL with a reference made to 'Interfacep'.
  1213. --*/
  1214. {
  1215. ULONG Checksum;
  1216. ULONG ChecksumDelta;
  1217. ULONG i;
  1218. PICMP_HEADER IcmpHeader;
  1219. PNAT_ICMP_MAPPING IcmpMapping;
  1220. PIP_HEADER IpHeader;
  1221. PLIST_ENTRY InsertionPoint;
  1222. PNAT_DYNAMIC_MAPPING Mapping;
  1223. ULONG64 PrivateKey;
  1224. UCHAR Protocol;
  1225. ULONG64 PublicKey;
  1226. ULONG64 RemoteKey;
  1227. NTSTATUS status;
  1228. CALLTRACE(("NatTranslateIcmpRequest\n"));
  1229. IpHeader = Contextp->Header;
  1230. IcmpHeader = (PICMP_HEADER)Contextp->ProtocolHeader;
  1231. //
  1232. // For ICMP requests/replies we must maintain mappings, so begin by seeing
  1233. // if there is already a mapping for this particular message
  1234. //
  1235. InsertionPoint = NULL;
  1236. if (Direction == NatOutboundDirection) {
  1237. PrivateKey =
  1238. MAKE_ICMP_KEY(
  1239. Contextp->DestinationAddress,
  1240. Contextp->SourceAddress
  1241. );
  1242. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  1243. IcmpMapping =
  1244. NatLookupOutboundIcmpMapping(
  1245. PrivateKey,
  1246. IcmpHeader->Identifier,
  1247. &InsertionPoint
  1248. );
  1249. if (!IcmpMapping) {
  1250. //
  1251. // No mapping was found, so try to create one.
  1252. //
  1253. // If the packet is an outbound reply-message,
  1254. // there really ought to be a corresponding inbound-mapping.
  1255. // Hence don't try to create one here, as it will just
  1256. // confuse the remote endpoint, which may find itself
  1257. // looking at a reply whose origin seems to be different
  1258. // from the machine to which it sent a request.
  1259. //
  1260. if (ReplyCode) {
  1261. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1262. TRACE(
  1263. XLATE, (
  1264. "NatTranslateIcmpRequest: ignoring outbound reply\n"
  1265. ));
  1266. return FALSE;
  1267. }
  1268. //
  1269. // First look for a static mapping from this private address
  1270. // to a public address. If one is found, it will be used
  1271. // in the call to 'NatCreateIcmpMapping' below. Otherwise,
  1272. // a public address will be chosen from the address-pool.
  1273. //
  1274. // N.B. When a packet is outbound, 'Interfacep' is always valid.
  1275. //
  1276. PublicKey = 0;
  1277. if (!Interfacep->NoStaticMappingExists) {
  1278. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1279. KeAcquireSpinLockAtDpcLevel(&Interfacep->Lock);
  1280. for (i = 0; i < Interfacep->AddressMappingCount; i++) {
  1281. if (Contextp->SourceAddress >
  1282. Interfacep->AddressMappingArray[i].PrivateAddress) {
  1283. continue;
  1284. } else if (Contextp->SourceAddress <
  1285. Interfacep->AddressMappingArray[i].PrivateAddress) {
  1286. break;
  1287. }
  1288. PublicKey =
  1289. Interfacep->AddressMappingArray[i].PublicAddress;
  1290. break;
  1291. }
  1292. KeReleaseSpinLockFromDpcLevel(&Interfacep->Lock);
  1293. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  1294. }
  1295. status =
  1296. NatCreateIcmpMapping(
  1297. Interfacep,
  1298. Contextp->DestinationAddress,
  1299. Contextp->SourceAddress,
  1300. (ULONG)PublicKey,
  1301. &IcmpHeader->Identifier,
  1302. NULL,
  1303. NULL,
  1304. InsertionPoint,
  1305. &IcmpMapping
  1306. );
  1307. if (!NT_SUCCESS(status)) {
  1308. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1309. TRACE(
  1310. XLATE, (
  1311. "NatTranslateIcmpRequest: error creating mapping\n"
  1312. ));
  1313. return FALSE;
  1314. }
  1315. }
  1316. //
  1317. // Replace the Identifier in the packet,
  1318. // and replace the destination in the packet,
  1319. // updating the checksum as we go.
  1320. //
  1321. ChecksumDelta = 0;
  1322. CHECKSUM_LONG(ChecksumDelta, ~IcmpHeader->Identifier);
  1323. IcmpHeader->Identifier = IcmpMapping->PublicId;
  1324. CHECKSUM_LONG(ChecksumDelta, IcmpHeader->Identifier);
  1325. CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1326. ChecksumDelta = 0;
  1327. CHECKSUM_LONG(ChecksumDelta, ~IpHeader->SourceAddress);
  1328. IpHeader->SourceAddress = ICMP_KEY_PUBLIC(IcmpMapping->PublicKey);
  1329. CHECKSUM_LONG(ChecksumDelta, IpHeader->SourceAddress);
  1330. CHECKSUM_UPDATE(IpHeader->Checksum);
  1331. KeQueryTickCount((PLARGE_INTEGER)&IcmpMapping->LastAccessTime);
  1332. } else {
  1333. //
  1334. // The packet is inbound.
  1335. //
  1336. PublicKey =
  1337. MAKE_ICMP_KEY(
  1338. Contextp->SourceAddress,
  1339. Contextp->DestinationAddress
  1340. );
  1341. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  1342. IcmpMapping =
  1343. NatLookupInboundIcmpMapping(
  1344. PublicKey,
  1345. IcmpHeader->Identifier,
  1346. &InsertionPoint
  1347. );
  1348. if (!IcmpMapping) {
  1349. //
  1350. // No mapping was found, so try to create one,
  1351. // if there is a static mapping which allows inbound sessions.
  1352. // We make an exception for inbound reply-messages;
  1353. // if the packet is a reply-message, it might be locally destined,
  1354. // in which case we pass it untouched to the stack.
  1355. //
  1356. // Don't create a mapping for an inbound reply;
  1357. // it's probably a reply to a locally-initiated request.
  1358. //
  1359. if (ReplyCode) {
  1360. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1361. return FALSE;
  1362. }
  1363. //
  1364. // First look for a static mapping from this public address
  1365. // to a private address. If one is found, it will be used
  1366. // in the call to 'NatCreateIcmpMapping' below. Otherwise,
  1367. // a public address will be chosen from the address-pool.
  1368. //
  1369. // This involves an exhaustive search since the address-mappings
  1370. // are sorted on private address rather than public address.
  1371. //
  1372. if (!Interfacep) {
  1373. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1374. return FALSE;
  1375. } else if (Interfacep->NoStaticMappingExists) {
  1376. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1377. TRACE(
  1378. XLATE, (
  1379. "NatTranslateIcmpRequest: ignoring inbound message\n"
  1380. ));
  1381. return FALSE;
  1382. } else {
  1383. PrivateKey = 0;
  1384. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1385. KeAcquireSpinLockAtDpcLevel(&Interfacep->Lock);
  1386. for (i = 0; i < Interfacep->AddressMappingCount; i++) {
  1387. if (Interfacep->AddressMappingArray[i].PublicAddress !=
  1388. Contextp->DestinationAddress ||
  1389. !Interfacep->AddressMappingArray[i].AllowInboundSessions) {
  1390. continue;
  1391. }
  1392. PrivateKey =
  1393. Interfacep->AddressMappingArray[i].PrivateAddress;
  1394. break;
  1395. }
  1396. KeReleaseSpinLockFromDpcLevel(&Interfacep->Lock);
  1397. if (!PrivateKey) {
  1398. TRACE(
  1399. XLATE, (
  1400. "NatTranslateIcmpRequest: ignoring inbound message\n"
  1401. ));
  1402. return FALSE;
  1403. }
  1404. KeAcquireSpinLockAtDpcLevel(&IcmpMappingLock);
  1405. }
  1406. status =
  1407. NatCreateIcmpMapping(
  1408. Interfacep,
  1409. Contextp->SourceAddress,
  1410. (ULONG)PrivateKey,
  1411. Contextp->DestinationAddress,
  1412. NULL,
  1413. &IcmpHeader->Identifier,
  1414. InsertionPoint,
  1415. NULL,
  1416. &IcmpMapping
  1417. );
  1418. if (!NT_SUCCESS(status)) {
  1419. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1420. TRACE(
  1421. XLATE, (
  1422. "NatTranslateIcmpRequest: error creating mapping\n"
  1423. ));
  1424. return FALSE;
  1425. }
  1426. }
  1427. //
  1428. // Replace the Identifier in the packet
  1429. // and replace the destination in the packet,
  1430. // updating the checksum as we go.
  1431. //
  1432. ChecksumDelta = 0;
  1433. CHECKSUM_LONG(ChecksumDelta, ~IcmpHeader->Identifier);
  1434. IcmpHeader->Identifier = IcmpMapping->PrivateId;
  1435. CHECKSUM_LONG(ChecksumDelta, IcmpHeader->Identifier);
  1436. CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1437. ChecksumDelta = 0;
  1438. CHECKSUM_LONG(ChecksumDelta, ~IpHeader->DestinationAddress);
  1439. IpHeader->DestinationAddress =
  1440. ICMP_KEY_PRIVATE(IcmpMapping->PrivateKey);
  1441. CHECKSUM_LONG(ChecksumDelta, IpHeader->DestinationAddress);
  1442. CHECKSUM_UPDATE(IpHeader->Checksum);
  1443. KeQueryTickCount((PLARGE_INTEGER)&IcmpMapping->LastAccessTime);
  1444. }
  1445. KeReleaseSpinLockFromDpcLevel(&IcmpMappingLock);
  1446. //
  1447. // If checksum offloading is enabled on this packet, recompute the
  1448. // IP checksum. (There is no ICMP checksum-offload, so we will never
  1449. // need to fully recompute that.)
  1450. //
  1451. if (ChecksumOffloaded) {
  1452. NatComputeIpChecksum(IpHeader);
  1453. }
  1454. return TRUE;
  1455. } // NatTranslateIcmpRequest
  1456. BOOLEAN
  1457. NatTranslateEncapsulatedRequest(
  1458. PNAT_INTERFACE Interfacep OPTIONAL,
  1459. IP_NAT_DIRECTION Direction,
  1460. PIP_HEADER IpHeader,
  1461. PICMP_HEADER IcmpHeader,
  1462. PIP_HEADER EncapsulatedIpHeader,
  1463. struct _ENCAPSULATED_UDP_HEADER* EncapsulatedHeader,
  1464. BOOLEAN ChecksumOffloaded
  1465. )
  1466. /*++
  1467. Routine Description:
  1468. This routine is invoked to translate an ICMP error message in which
  1469. we have TCP segment or UDP datagram encapsulated. This is necessary,
  1470. for instance, in the case of ICMP destination-unreachable errors,
  1471. particularly where the target will take some action (such as reducing MTU)
  1472. upon receipt of the message.
  1473. Arguments:
  1474. Interfacep - the interface across which the ICMP message will be forwarded,
  1475. or NULL if the packet was received on a non-boundary interface.
  1476. Direction - the direction in which the ICMP message is traveling
  1477. IpHeader - points to the IP header of the ICMP message
  1478. IcmpHeader - points to the ICMP header within the IP packet
  1479. EncapsulatedIpHeader - points to the IP header of the TCP segment
  1480. encapsulated in the data portion of the ICMP message
  1481. EncapsulatedHeader - points to the TCP/UDP header of the TCP segment
  1482. encapsulated in the data portion of the ICMP message
  1483. Return Value:
  1484. BOOLEAN - TRUE if the packet was translated, FALSE otherwise
  1485. Environment:
  1486. Invoked at dispatch IRQL with a reference made to 'Interfacep'.
  1487. N.B.!!! This routine will acquire the mapping lock in order to search
  1488. the mapping-tree for the entry corresponding to the session for which
  1489. this ICMP error message was generated. All callers must take note,
  1490. and must ensure that the mapping lock is not already held on entry.
  1491. --*/
  1492. {
  1493. ULONG Checksum;
  1494. ULONG ChecksumDelta;
  1495. ULONG ChecksumDelta2;
  1496. ULONG64 DestinationKey;
  1497. PNAT_DYNAMIC_MAPPING Mapping;
  1498. ULONG64 ReplacementKey;
  1499. ULONG64 SourceKey;
  1500. CALLTRACE(("NatTranslateEncapsulatedRequest\n"));
  1501. //
  1502. // We begin by retrieving the mapping for the TCP session
  1503. // to which the contained segment belongs.
  1504. //
  1505. // We need to save the key with which we will replace the
  1506. // encapsulted message's contents. When an error is inbound,
  1507. // it must have been generated in response to an outbound message,
  1508. // and the outbound message contained in the error will have in it
  1509. // the public IP address and port to which we originally translated
  1510. // the outbound message. We therefore need to put back
  1511. // the private IP address and port so that the private machine
  1512. // will be able to identify the error.
  1513. // Similarly, when the error is outbound, we need to put in
  1514. // the public IP address and port so that the remote machine
  1515. // will be able to identify the error.
  1516. //
  1517. // Onward, then. Construct the key to be used for the lookup,
  1518. // take the mapping lock, and look up forward or reverse mappings.
  1519. //
  1520. MAKE_MAPPING_KEY(
  1521. DestinationKey,
  1522. EncapsulatedIpHeader->Protocol,
  1523. EncapsulatedIpHeader->SourceAddress,
  1524. EncapsulatedHeader->SourcePort
  1525. );
  1526. MAKE_MAPPING_KEY(
  1527. SourceKey,
  1528. EncapsulatedIpHeader->Protocol,
  1529. EncapsulatedIpHeader->DestinationAddress,
  1530. EncapsulatedHeader->DestinationPort
  1531. );
  1532. KeAcquireSpinLockAtDpcLevel(&MappingLock);
  1533. if (Direction == NatInboundDirection) {
  1534. Mapping = NatLookupReverseMapping(DestinationKey, SourceKey, NULL);
  1535. if (Mapping) {
  1536. ReplacementKey = Mapping->SourceKey[NatForwardPath];
  1537. } else {
  1538. Mapping = NatLookupForwardMapping(DestinationKey, SourceKey, NULL);
  1539. if (Mapping) {
  1540. ReplacementKey = Mapping->SourceKey[NatReversePath];
  1541. }
  1542. }
  1543. } else {
  1544. Mapping = NatLookupForwardMapping(DestinationKey, SourceKey, NULL);
  1545. if (Mapping) {
  1546. ReplacementKey = Mapping->DestinationKey[NatReversePath];
  1547. } else {
  1548. Mapping = NatLookupReverseMapping(DestinationKey, SourceKey, NULL);
  1549. if (Mapping) {
  1550. ReplacementKey = Mapping->DestinationKey[NatForwardPath];
  1551. }
  1552. }
  1553. }
  1554. KeReleaseSpinLockFromDpcLevel(&MappingLock);
  1555. if (!Mapping) {
  1556. TRACE(
  1557. XLATE, (
  1558. "NatTranslateEncapsulatedRequest: no mapping for message\n"
  1559. ));
  1560. return FALSE;
  1561. }
  1562. //
  1563. // The checksum processing for encapsulated messages
  1564. // remains extremely complicated since we must update
  1565. // [0] for UDP messages, the UDP message checksum, using the change
  1566. // to the encapsulated UDP source port. No corresponding change
  1567. // is required for TCP segments, whose checksum appears beyond
  1568. // the eight bytes included in ICMP error messages.
  1569. // (1) the IP header-checksum of the encapsulated TCP segment
  1570. // using the change to the encapsulated IP addresses
  1571. // (2) the ICMP checksum of the containing ICMP error message
  1572. // using both the above change as well as the change
  1573. // to the above checksum
  1574. // (3) the IP header-checksum of the containing ICMP error message
  1575. // using the change to the containing IP addresses
  1576. // Any changes to the logic below must be made with extreme care.
  1577. //
  1578. if (Direction == NatInboundDirection) {
  1579. ChecksumDelta = 0;
  1580. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedHeader->SourcePort);
  1581. EncapsulatedHeader->SourcePort = MAPPING_PORT(ReplacementKey);
  1582. CHECKSUM_LONG(ChecksumDelta, EncapsulatedHeader->SourcePort);
  1583. if (EncapsulatedIpHeader->Protocol == NAT_PROTOCOL_UDP) {
  1584. ChecksumDelta2 = ChecksumDelta;
  1585. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedHeader->Checksum);
  1586. CHECKSUM_UPDATE(EncapsulatedHeader->Checksum);
  1587. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedHeader->Checksum);
  1588. ChecksumDelta = ChecksumDelta2;
  1589. }
  1590. CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1591. ChecksumDelta = 0;
  1592. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedIpHeader->SourceAddress);
  1593. EncapsulatedIpHeader->SourceAddress = MAPPING_ADDRESS(ReplacementKey);
  1594. CHECKSUM_LONG(ChecksumDelta, EncapsulatedIpHeader->SourceAddress);
  1595. ChecksumDelta2 = ChecksumDelta;
  1596. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedIpHeader->Checksum);
  1597. CHECKSUM_UPDATE(EncapsulatedIpHeader->Checksum);
  1598. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedIpHeader->Checksum);
  1599. ChecksumDelta = ChecksumDelta2; CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1600. ChecksumDelta = 0;
  1601. CHECKSUM_LONG(ChecksumDelta, ~IpHeader->DestinationAddress);
  1602. IpHeader->DestinationAddress = MAPPING_ADDRESS(ReplacementKey);
  1603. CHECKSUM_LONG(ChecksumDelta, IpHeader->DestinationAddress);
  1604. CHECKSUM_UPDATE(IpHeader->Checksum);
  1605. } else {
  1606. ChecksumDelta = 0;
  1607. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedHeader->DestinationPort);
  1608. EncapsulatedHeader->DestinationPort = MAPPING_PORT(ReplacementKey);
  1609. CHECKSUM_LONG(ChecksumDelta, EncapsulatedHeader->DestinationPort);
  1610. if (EncapsulatedIpHeader->Protocol == NAT_PROTOCOL_UDP) {
  1611. ChecksumDelta2 = ChecksumDelta;
  1612. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedHeader->Checksum);
  1613. CHECKSUM_UPDATE(EncapsulatedHeader->Checksum);
  1614. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedHeader->Checksum);
  1615. ChecksumDelta = ChecksumDelta2;
  1616. }
  1617. CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1618. ChecksumDelta = 0;
  1619. CHECKSUM_LONG(ChecksumDelta, ~EncapsulatedIpHeader->DestinationAddress);
  1620. EncapsulatedIpHeader->DestinationAddress =
  1621. MAPPING_ADDRESS(ReplacementKey);
  1622. CHECKSUM_LONG(ChecksumDelta, EncapsulatedIpHeader->DestinationAddress);
  1623. ChecksumDelta2 = ChecksumDelta;
  1624. CHECKSUM_LONG(ChecksumDelta2, ~EncapsulatedIpHeader->Checksum);
  1625. CHECKSUM_UPDATE(EncapsulatedIpHeader->Checksum);
  1626. CHECKSUM_LONG(ChecksumDelta2, EncapsulatedIpHeader->Checksum);
  1627. ChecksumDelta = ChecksumDelta2; CHECKSUM_UPDATE(IcmpHeader->Checksum);
  1628. ChecksumDelta = 0;
  1629. CHECKSUM_LONG(ChecksumDelta, ~IpHeader->SourceAddress);
  1630. IpHeader->SourceAddress = MAPPING_ADDRESS(ReplacementKey);
  1631. CHECKSUM_LONG(ChecksumDelta, IpHeader->SourceAddress);
  1632. CHECKSUM_UPDATE(IpHeader->Checksum);
  1633. }
  1634. //
  1635. // If checksum offloading is enabled on this packet, recompute the
  1636. // IP checksum. (There is no ICMP checksum-offload, so we will never
  1637. // need to fully recompute that.)
  1638. //
  1639. if (ChecksumOffloaded) {
  1640. NatComputeIpChecksum(IpHeader);
  1641. }
  1642. return TRUE;
  1643. } // NatTranslateEncapsulatedRequest