Commit | Line | Data |
---|---|---|
ae5b7d8b PM |
1 | /* SIP extension for UDP NAT alteration. |
2 | * | |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | |
4 | * based on RR's ip_nat_ftp.c and other modules. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <linux/module.h> | |
12 | #include <linux/skbuff.h> | |
13 | #include <linux/ip.h> | |
14 | #include <linux/udp.h> | |
15 | ||
16 | #include <linux/netfilter_ipv4.h> | |
17 | #include <linux/netfilter_ipv4/ip_nat.h> | |
18 | #include <linux/netfilter_ipv4/ip_nat_helper.h> | |
19 | #include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
20 | #include <linux/netfilter_ipv4/ip_conntrack_sip.h> | |
21 | ||
22 | MODULE_LICENSE("GPL"); | |
23 | MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); | |
24 | MODULE_DESCRIPTION("SIP NAT helper"); | |
25 | ||
26 | #if 0 | |
27 | #define DEBUGP printk | |
28 | #else | |
29 | #define DEBUGP(format, args...) | |
30 | #endif | |
31 | ||
1b683b55 PM |
32 | struct addr_map { |
33 | struct { | |
34 | char src[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; | |
35 | char dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; | |
36 | unsigned int srclen, srciplen; | |
37 | unsigned int dstlen, dstiplen; | |
38 | } addr[IP_CT_DIR_MAX]; | |
39 | }; | |
40 | ||
41 | static void addr_map_init(struct ip_conntrack *ct, struct addr_map *map) | |
ae5b7d8b | 42 | { |
1b683b55 PM |
43 | struct ip_conntrack_tuple *t; |
44 | enum ip_conntrack_dir dir; | |
45 | unsigned int n; | |
46 | ||
47 | for (dir = 0; dir < IP_CT_DIR_MAX; dir++) { | |
48 | t = &ct->tuplehash[dir].tuple; | |
49 | ||
50 | n = sprintf(map->addr[dir].src, "%u.%u.%u.%u", | |
51 | NIPQUAD(t->src.ip)); | |
52 | map->addr[dir].srciplen = n; | |
53 | n += sprintf(map->addr[dir].src + n, ":%u", | |
54 | ntohs(t->src.u.udp.port)); | |
55 | map->addr[dir].srclen = n; | |
56 | ||
57 | n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u", | |
58 | NIPQUAD(t->dst.ip)); | |
59 | map->addr[dir].dstiplen = n; | |
60 | n += sprintf(map->addr[dir].dst + n, ":%u", | |
61 | ntohs(t->dst.u.udp.port)); | |
62 | map->addr[dir].dstlen = n; | |
63 | } | |
64 | } | |
65 | ||
66 | static int map_sip_addr(struct sk_buff **pskb, enum ip_conntrack_info ctinfo, | |
67 | struct ip_conntrack *ct, const char **dptr, size_t dlen, | |
68 | enum sip_header_pos pos, struct addr_map *map) | |
69 | { | |
70 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | |
71 | unsigned int matchlen, matchoff, addrlen; | |
72 | char *addr; | |
ae5b7d8b | 73 | |
9d5b8baa | 74 | if (ct_sip_get_info(*dptr, dlen, &matchoff, &matchlen, pos) <= 0) |
1b683b55 PM |
75 | return 1; |
76 | ||
77 | if ((matchlen == map->addr[dir].srciplen || | |
78 | matchlen == map->addr[dir].srclen) && | |
79 | memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) { | |
80 | addr = map->addr[!dir].dst; | |
81 | addrlen = map->addr[!dir].dstlen; | |
82 | } else if ((matchlen == map->addr[dir].dstiplen || | |
83 | matchlen == map->addr[dir].dstlen) && | |
84 | memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) { | |
85 | addr = map->addr[!dir].src; | |
86 | addrlen = map->addr[!dir].srclen; | |
87 | } else | |
88 | return 1; | |
ae5b7d8b PM |
89 | |
90 | if (!ip_nat_mangle_udp_packet(pskb, ct, ctinfo, | |
e905a9ed | 91 | matchoff, matchlen, addr, addrlen)) |
ae5b7d8b | 92 | return 0; |
ae5b7d8b PM |
93 | *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr); |
94 | return 1; | |
1b683b55 | 95 | |
ae5b7d8b PM |
96 | } |
97 | ||
98 | static unsigned int ip_nat_sip(struct sk_buff **pskb, | |
99 | enum ip_conntrack_info ctinfo, | |
100 | struct ip_conntrack *ct, | |
101 | const char **dptr) | |
102 | { | |
1b683b55 PM |
103 | enum sip_header_pos pos; |
104 | struct addr_map map; | |
105 | int dataoff, datalen; | |
ae5b7d8b PM |
106 | |
107 | dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr); | |
1b683b55 PM |
108 | datalen = (*pskb)->len - dataoff; |
109 | if (datalen < sizeof("SIP/2.0") - 1) | |
110 | return NF_DROP; | |
ae5b7d8b | 111 | |
1b683b55 | 112 | addr_map_init(ct, &map); |
ae5b7d8b PM |
113 | |
114 | /* Basic rules: requests and responses. */ | |
1b683b55 PM |
115 | if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) { |
116 | /* 10.2: Constructing the REGISTER Request: | |
117 | * | |
118 | * The "userinfo" and "@" components of the SIP URI MUST NOT | |
119 | * be present. | |
120 | */ | |
121 | if (datalen >= sizeof("REGISTER") - 1 && | |
122 | strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0) | |
123 | pos = POS_REG_REQ_URI; | |
124 | else | |
125 | pos = POS_REQ_URI; | |
126 | ||
127 | if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, pos, &map)) | |
128 | return NF_DROP; | |
ae5b7d8b | 129 | } |
1b683b55 PM |
130 | |
131 | if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_FROM, &map) || | |
132 | !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_TO, &map) || | |
133 | !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_VIA, &map) || | |
134 | !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map)) | |
135 | return NF_DROP; | |
136 | return NF_ACCEPT; | |
137 | } | |
138 | ||
139 | static unsigned int mangle_sip_packet(struct sk_buff **pskb, | |
140 | enum ip_conntrack_info ctinfo, | |
141 | struct ip_conntrack *ct, | |
142 | const char **dptr, size_t dlen, | |
143 | char *buffer, int bufflen, | |
144 | enum sip_header_pos pos) | |
145 | { | |
146 | unsigned int matchlen, matchoff; | |
147 | ||
148 | if (ct_sip_get_info(*dptr, dlen, &matchoff, &matchlen, pos) <= 0) | |
149 | return 0; | |
150 | ||
151 | if (!ip_nat_mangle_udp_packet(pskb, ct, ctinfo, | |
e905a9ed | 152 | matchoff, matchlen, buffer, bufflen)) |
1b683b55 PM |
153 | return 0; |
154 | ||
155 | /* We need to reload this. Thanks Patrick. */ | |
156 | *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr); | |
157 | return 1; | |
ae5b7d8b PM |
158 | } |
159 | ||
160 | static int mangle_content_len(struct sk_buff **pskb, | |
161 | enum ip_conntrack_info ctinfo, | |
162 | struct ip_conntrack *ct, | |
163 | const char *dptr) | |
164 | { | |
165 | unsigned int dataoff, matchoff, matchlen; | |
166 | char buffer[sizeof("65536")]; | |
167 | int bufflen; | |
168 | ||
169 | dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr); | |
170 | ||
171 | /* Get actual SDP lenght */ | |
172 | if (ct_sip_get_info(dptr, (*pskb)->len - dataoff, &matchoff, | |
e905a9ed | 173 | &matchlen, POS_SDP_HEADER) > 0) { |
ae5b7d8b PM |
174 | |
175 | /* since ct_sip_get_info() give us a pointer passing 'v=' | |
176 | we need to add 2 bytes in this count. */ | |
177 | int c_len = (*pskb)->len - dataoff - matchoff + 2; | |
178 | ||
179 | /* Now, update SDP lenght */ | |
180 | if (ct_sip_get_info(dptr, (*pskb)->len - dataoff, &matchoff, | |
e905a9ed | 181 | &matchlen, POS_CONTENT) > 0) { |
ae5b7d8b PM |
182 | |
183 | bufflen = sprintf(buffer, "%u", c_len); | |
184 | ||
185 | return ip_nat_mangle_udp_packet(pskb, ct, ctinfo, | |
186 | matchoff, matchlen, | |
187 | buffer, bufflen); | |
188 | } | |
189 | } | |
190 | return 0; | |
191 | } | |
192 | ||
193 | static unsigned int mangle_sdp(struct sk_buff **pskb, | |
194 | enum ip_conntrack_info ctinfo, | |
195 | struct ip_conntrack *ct, | |
a76b11dd | 196 | __be32 newip, u_int16_t port, |
ae5b7d8b PM |
197 | const char *dptr) |
198 | { | |
199 | char buffer[sizeof("nnn.nnn.nnn.nnn")]; | |
200 | unsigned int dataoff, bufflen; | |
201 | ||
202 | dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr); | |
203 | ||
204 | /* Mangle owner and contact info. */ | |
205 | bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip)); | |
206 | if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff, | |
e905a9ed | 207 | buffer, bufflen, POS_OWNER)) |
ae5b7d8b PM |
208 | return 0; |
209 | ||
210 | if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff, | |
e905a9ed | 211 | buffer, bufflen, POS_CONNECTION)) |
ae5b7d8b PM |
212 | return 0; |
213 | ||
214 | /* Mangle media port. */ | |
215 | bufflen = sprintf(buffer, "%u", port); | |
216 | if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff, | |
e905a9ed | 217 | buffer, bufflen, POS_MEDIA)) |
ae5b7d8b PM |
218 | return 0; |
219 | ||
220 | return mangle_content_len(pskb, ctinfo, ct, dptr); | |
221 | } | |
222 | ||
223 | /* So, this packet has hit the connection tracking matching code. | |
224 | Mangle it, and change the expectation to match the new version. */ | |
225 | static unsigned int ip_nat_sdp(struct sk_buff **pskb, | |
226 | enum ip_conntrack_info ctinfo, | |
227 | struct ip_conntrack_expect *exp, | |
228 | const char *dptr) | |
229 | { | |
230 | struct ip_conntrack *ct = exp->master; | |
231 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | |
a76b11dd | 232 | __be32 newip; |
ae5b7d8b PM |
233 | u_int16_t port; |
234 | ||
235 | DEBUGP("ip_nat_sdp():\n"); | |
236 | ||
237 | /* Connection will come from reply */ | |
238 | newip = ct->tuplehash[!dir].tuple.dst.ip; | |
239 | ||
240 | exp->tuple.dst.ip = newip; | |
241 | exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port; | |
242 | exp->dir = !dir; | |
243 | ||
244 | /* When you see the packet, we need to NAT it the same as the | |
245 | this one. */ | |
246 | exp->expectfn = ip_nat_follow_master; | |
247 | ||
248 | /* Try to get same port: if not, try to change it. */ | |
249 | for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) { | |
250 | exp->tuple.dst.u.udp.port = htons(port); | |
251 | if (ip_conntrack_expect_related(exp) == 0) | |
252 | break; | |
253 | } | |
254 | ||
255 | if (port == 0) | |
256 | return NF_DROP; | |
257 | ||
258 | if (!mangle_sdp(pskb, ctinfo, ct, newip, port, dptr)) { | |
259 | ip_conntrack_unexpect_related(exp); | |
260 | return NF_DROP; | |
261 | } | |
262 | return NF_ACCEPT; | |
263 | } | |
264 | ||
265 | static void __exit fini(void) | |
266 | { | |
337fbc41 PM |
267 | rcu_assign_pointer(ip_nat_sip_hook, NULL); |
268 | rcu_assign_pointer(ip_nat_sdp_hook, NULL); | |
269 | synchronize_rcu(); | |
ae5b7d8b PM |
270 | } |
271 | ||
272 | static int __init init(void) | |
273 | { | |
337fbc41 PM |
274 | BUG_ON(rcu_dereference(ip_nat_sip_hook)); |
275 | BUG_ON(rcu_dereference(ip_nat_sdp_hook)); | |
276 | rcu_assign_pointer(ip_nat_sip_hook, ip_nat_sip); | |
277 | rcu_assign_pointer(ip_nat_sdp_hook, ip_nat_sdp); | |
ae5b7d8b PM |
278 | return 0; |
279 | } | |
280 | ||
281 | module_init(init); | |
282 | module_exit(fini); |