1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
15 #include <linux/udp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_nat_rule.h>
20 #include <net/netfilter/nf_conntrack_helper.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP NAT helper");
27 MODULE_ALIAS("ip_nat_sip");
30 static unsigned int mangle_packet(struct sk_buff *skb,
31 const char **dptr, unsigned int *datalen,
32 unsigned int matchoff, unsigned int matchlen,
33 const char *buffer, unsigned int buflen)
35 enum ip_conntrack_info ctinfo;
36 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
38 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
42 /* Reload data pointer and adjust datalen value */
43 *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
44 *datalen += buflen - matchlen;
48 static int map_addr(struct sk_buff *skb,
49 const char **dptr, unsigned int *datalen,
50 unsigned int matchoff, unsigned int matchlen,
51 union nf_inet_addr *addr, __be16 port)
53 enum ip_conntrack_info ctinfo;
54 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
55 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
56 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
61 if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
62 ct->tuplehash[dir].tuple.src.u.udp.port == port) {
63 newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
64 newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
65 } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
66 ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
67 newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
68 newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
72 if (newaddr == addr->ip && newport == port)
75 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
76 NIPQUAD(newaddr), ntohs(newport));
78 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
82 static int map_sip_addr(struct sk_buff *skb,
83 const char **dptr, unsigned int *datalen,
84 enum sip_header_types type)
86 enum ip_conntrack_info ctinfo;
87 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
88 unsigned int matchlen, matchoff;
89 union nf_inet_addr addr;
92 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
93 &matchoff, &matchlen, &addr, &port) <= 0)
95 return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port);
98 static unsigned int ip_nat_sip(struct sk_buff *skb,
99 const char **dptr, unsigned int *datalen)
101 enum ip_conntrack_info ctinfo;
102 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
103 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
104 unsigned int dataoff, matchoff, matchlen;
105 union nf_inet_addr addr;
107 int request, in_header;
109 /* Basic rules: requests and responses. */
110 if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
111 if (ct_sip_parse_request(ct, *dptr, *datalen,
112 &matchoff, &matchlen,
114 !map_addr(skb, dptr, datalen, matchoff, matchlen,
121 /* Translate topmost Via header and parameters */
122 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
123 SIP_HDR_VIA, NULL, &matchoff, &matchlen,
125 unsigned int matchend, poff, plen, buflen, n;
126 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
128 /* We're only interested in headers related to this
131 if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
132 port != ct->tuplehash[dir].tuple.src.u.udp.port)
135 if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
136 port != ct->tuplehash[dir].tuple.dst.u.udp.port)
140 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
144 matchend = matchoff + matchlen;
146 /* The maddr= parameter (RFC 2361) specifies where to send
148 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
149 "maddr=", &poff, &plen,
151 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
152 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
153 __be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
154 buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
155 if (!mangle_packet(skb, dptr, datalen, poff, plen,
160 /* The received= parameter (RFC 2361) contains the address
161 * from which the server received the request. */
162 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
163 "received=", &poff, &plen,
165 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
166 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
167 __be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
168 buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
169 if (!mangle_packet(skb, dptr, datalen, poff, plen,
174 /* The rport= parameter (RFC 3581) contains the port number
175 * from which the server received the request. */
176 if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
177 "rport=", &poff, &plen,
179 htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
180 htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
181 __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
182 buflen = sprintf(buffer, "%u", ntohs(p));
183 if (!mangle_packet(skb, dptr, datalen, poff, plen,
190 /* Translate Contact headers */
193 while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
194 SIP_HDR_CONTACT, &in_header,
195 &matchoff, &matchlen,
197 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
202 if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
203 !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO))
208 /* Handles expected signalling connections and media streams */
209 static void ip_nat_sip_expected(struct nf_conn *ct,
210 struct nf_conntrack_expect *exp)
212 struct nf_nat_range range;
214 /* This must be a fresh one. */
215 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
217 /* For DST manip, map port here to where it's expected. */
218 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
219 range.min = range.max = exp->saved_proto;
220 range.min_ip = range.max_ip = exp->saved_ip;
221 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
223 /* Change src to where master sends to, but only if the connection
224 * actually came from the same source. */
225 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
226 ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
227 range.flags = IP_NAT_RANGE_MAP_IPS;
228 range.min_ip = range.max_ip
229 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
230 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
234 static unsigned int ip_nat_sip_expect(struct sk_buff *skb,
235 const char **dptr, unsigned int *datalen,
236 struct nf_conntrack_expect *exp,
237 unsigned int matchoff,
238 unsigned int matchlen)
240 enum ip_conntrack_info ctinfo;
241 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
242 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
245 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
248 /* Connection will come from reply */
249 if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
250 newip = exp->tuple.dst.u3.ip;
252 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
254 /* If the signalling port matches the connection's source port in the
255 * original direction, try to use the destination port in the opposite
257 if (exp->tuple.dst.u.udp.port ==
258 ct->tuplehash[dir].tuple.src.u.udp.port)
259 port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
261 port = ntohs(exp->tuple.dst.u.udp.port);
263 exp->saved_ip = exp->tuple.dst.u3.ip;
264 exp->tuple.dst.u3.ip = newip;
265 exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
267 exp->expectfn = ip_nat_sip_expected;
269 for (; port != 0; port++) {
270 exp->tuple.dst.u.udp.port = htons(port);
271 if (nf_ct_expect_related(exp) == 0)
278 if (exp->tuple.dst.u3.ip != exp->saved_ip ||
279 exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
280 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
281 NIPQUAD(newip), port);
282 if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
289 nf_ct_unexpect_related(exp);
293 static int mangle_content_len(struct sk_buff *skb,
294 const char **dptr, unsigned int *datalen)
296 enum ip_conntrack_info ctinfo;
297 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
298 unsigned int matchoff, matchlen;
299 char buffer[sizeof("65536")];
302 /* Get actual SDP length */
303 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
304 SDP_HDR_VERSION, SDP_HDR_UNSPEC,
305 &matchoff, &matchlen) <= 0)
307 c_len = *datalen - matchoff + strlen("v=");
309 /* Now, update SDP length */
310 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
311 &matchoff, &matchlen) <= 0)
314 buflen = sprintf(buffer, "%u", c_len);
315 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
319 static unsigned mangle_sdp_packet(struct sk_buff *skb,
320 const char **dptr, unsigned int *datalen,
321 enum sdp_header_types type,
322 char *buffer, int buflen)
324 enum ip_conntrack_info ctinfo;
325 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
326 unsigned int matchlen, matchoff;
328 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen, type, SDP_HDR_UNSPEC,
329 &matchoff, &matchlen) <= 0)
331 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
335 static unsigned int mangle_sdp(struct sk_buff *skb,
336 enum ip_conntrack_info ctinfo,
338 __be32 newip, u_int16_t port,
339 const char **dptr, unsigned int *datalen)
341 char buffer[sizeof("nnn.nnn.nnn.nnn")];
342 unsigned int bufflen;
344 /* Mangle owner and contact info. */
345 bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
346 if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_OWNER_IP4,
350 if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_CONNECTION_IP4,
354 /* Mangle media port. */
355 bufflen = sprintf(buffer, "%u", port);
356 if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_MEDIA,
360 return mangle_content_len(skb, dptr, datalen);
363 /* So, this packet has hit the connection tracking matching code.
364 Mangle it, and change the expectation to match the new version. */
365 static unsigned int ip_nat_sdp(struct sk_buff *skb,
366 const char **dptr, unsigned int *datalen,
367 struct nf_conntrack_expect *exp)
369 enum ip_conntrack_info ctinfo;
370 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
371 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
375 /* Connection will come from reply */
376 if (ct->tuplehash[dir].tuple.src.u3.ip ==
377 ct->tuplehash[!dir].tuple.dst.u3.ip)
378 newip = exp->tuple.dst.u3.ip;
380 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
382 exp->saved_ip = exp->tuple.dst.u3.ip;
383 exp->tuple.dst.u3.ip = newip;
384 exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
387 /* When you see the packet, we need to NAT it the same as the
389 exp->expectfn = ip_nat_sip_expected;
391 /* Try to get same port: if not, try to change it. */
392 for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
393 exp->tuple.dst.u.udp.port = htons(port);
394 if (nf_ct_expect_related(exp) == 0)
401 if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr, datalen)) {
402 nf_ct_unexpect_related(exp);
408 static void __exit nf_nat_sip_fini(void)
410 rcu_assign_pointer(nf_nat_sip_hook, NULL);
411 rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
412 rcu_assign_pointer(nf_nat_sdp_hook, NULL);
416 static int __init nf_nat_sip_init(void)
418 BUG_ON(nf_nat_sip_hook != NULL);
419 BUG_ON(nf_nat_sip_expect_hook != NULL);
420 BUG_ON(nf_nat_sdp_hook != NULL);
421 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
422 rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
423 rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
427 module_init(nf_nat_sip_init);
428 module_exit(nf_nat_sip_fini);
OSDN Git Service
