2 * H.323 extension for NAT alteration.
4 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
5 * Copyright (c) 2006-2012 Patrick McHardy <kaber@trash.net>
7 * This source code is licensed under General Public License version 2.
9 * Based on the 'brute force' H.323 NAT module by
10 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 #include <linux/module.h>
14 #include <linux/tcp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_conntrack_helper.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <linux/netfilter/nf_conntrack_h323.h>
23 /****************************************************************************/
24 static int set_addr(struct sk_buff
*skb
, unsigned int protoff
,
25 unsigned char **data
, int dataoff
,
26 unsigned int addroff
, __be32 ip
, __be16 port
)
28 enum ip_conntrack_info ctinfo
;
29 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
33 } __attribute__ ((__packed__
)) buf
;
34 const struct tcphdr
*th
;
41 if (ip_hdr(skb
)->protocol
== IPPROTO_TCP
) {
42 if (!nf_nat_mangle_tcp_packet(skb
, ct
, ctinfo
,
43 protoff
, addroff
, sizeof(buf
),
44 (char *) &buf
, sizeof(buf
))) {
45 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_tcp_packet error\n");
49 /* Relocate data pointer */
50 th
= skb_header_pointer(skb
, ip_hdrlen(skb
),
51 sizeof(_tcph
), &_tcph
);
54 *data
= skb
->data
+ ip_hdrlen(skb
) + th
->doff
* 4 + dataoff
;
56 if (!nf_nat_mangle_udp_packet(skb
, ct
, ctinfo
,
57 protoff
, addroff
, sizeof(buf
),
58 (char *) &buf
, sizeof(buf
))) {
59 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_udp_packet error\n");
62 /* nf_nat_mangle_udp_packet uses skb_make_writable() to copy
63 * or pull everything in a linear buffer, so we can safely
64 * use the skb pointers now */
65 *data
= skb
->data
+ ip_hdrlen(skb
) + sizeof(struct udphdr
);
71 /****************************************************************************/
72 static int set_h225_addr(struct sk_buff
*skb
, unsigned int protoff
,
73 unsigned char **data
, int dataoff
,
74 TransportAddress
*taddr
,
75 union nf_inet_addr
*addr
, __be16 port
)
77 return set_addr(skb
, protoff
, data
, dataoff
, taddr
->ipAddress
.ip
,
81 /****************************************************************************/
82 static int set_h245_addr(struct sk_buff
*skb
, unsigned protoff
,
83 unsigned char **data
, int dataoff
,
84 H245_TransportAddress
*taddr
,
85 union nf_inet_addr
*addr
, __be16 port
)
87 return set_addr(skb
, protoff
, data
, dataoff
,
88 taddr
->unicastAddress
.iPAddress
.network
,
92 /****************************************************************************/
93 static int set_sig_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
94 enum ip_conntrack_info ctinfo
,
95 unsigned int protoff
, unsigned char **data
,
96 TransportAddress
*taddr
, int count
)
98 const struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
99 int dir
= CTINFO2DIR(ctinfo
);
102 union nf_inet_addr addr
;
104 for (i
= 0; i
< count
; i
++) {
105 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
)) {
106 if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
107 port
== info
->sig_port
[dir
]) {
110 /* Fix for Gnomemeeting */
112 get_h225_addr(ct
, *data
, &taddr
[0],
114 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000)
117 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
119 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
,
120 info
->sig_port
[!dir
]);
121 return set_h225_addr(skb
, protoff
, data
, 0,
123 &ct
->tuplehash
[!dir
].
125 info
->sig_port
[!dir
]);
126 } else if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
&&
127 port
== info
->sig_port
[dir
]) {
129 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
131 &ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
,
132 info
->sig_port
[!dir
]);
133 return set_h225_addr(skb
, protoff
, data
, 0,
135 &ct
->tuplehash
[!dir
].
137 info
->sig_port
[!dir
]);
145 /****************************************************************************/
146 static int set_ras_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
147 enum ip_conntrack_info ctinfo
,
148 unsigned int protoff
, unsigned char **data
,
149 TransportAddress
*taddr
, int count
)
151 int dir
= CTINFO2DIR(ctinfo
);
154 union nf_inet_addr addr
;
156 for (i
= 0; i
< count
; i
++) {
157 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
) &&
158 addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
159 port
== ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
) {
160 pr_debug("nf_nat_ras: set rasAddress %pI4:%hu->%pI4:%hu\n",
161 &addr
.ip
, ntohs(port
),
162 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
,
163 ntohs(ct
->tuplehash
[!dir
].tuple
.dst
.u
.udp
.port
));
164 return set_h225_addr(skb
, protoff
, data
, 0, &taddr
[i
],
165 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
166 ct
->tuplehash
[!dir
].tuple
.
174 /****************************************************************************/
175 static int nat_rtp_rtcp(struct sk_buff
*skb
, struct nf_conn
*ct
,
176 enum ip_conntrack_info ctinfo
,
177 unsigned int protoff
, unsigned char **data
, int dataoff
,
178 H245_TransportAddress
*taddr
,
179 __be16 port
, __be16 rtp_port
,
180 struct nf_conntrack_expect
*rtp_exp
,
181 struct nf_conntrack_expect
*rtcp_exp
)
183 struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
184 int dir
= CTINFO2DIR(ctinfo
);
186 u_int16_t nated_port
;
188 /* Set expectations for NAT */
189 rtp_exp
->saved_proto
.udp
.port
= rtp_exp
->tuple
.dst
.u
.udp
.port
;
190 rtp_exp
->expectfn
= nf_nat_follow_master
;
192 rtcp_exp
->saved_proto
.udp
.port
= rtcp_exp
->tuple
.dst
.u
.udp
.port
;
193 rtcp_exp
->expectfn
= nf_nat_follow_master
;
194 rtcp_exp
->dir
= !dir
;
196 /* Lookup existing expects */
197 for (i
= 0; i
< H323_RTP_CHANNEL_MAX
; i
++) {
198 if (info
->rtp_port
[i
][dir
] == rtp_port
) {
201 /* Use allocated ports first. This will refresh
203 rtp_exp
->tuple
.dst
.u
.udp
.port
= info
->rtp_port
[i
][dir
];
204 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
205 htons(ntohs(info
->rtp_port
[i
][dir
]) + 1);
207 } else if (info
->rtp_port
[i
][dir
] == 0) {
213 /* Run out of expectations */
214 if (i
>= H323_RTP_CHANNEL_MAX
) {
215 net_notice_ratelimited("nf_nat_h323: out of expectations\n");
219 /* Try to get a pair of ports. */
220 for (nated_port
= ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
);
221 nated_port
!= 0; nated_port
+= 2) {
224 rtp_exp
->tuple
.dst
.u
.udp
.port
= htons(nated_port
);
225 ret
= nf_ct_expect_related(rtp_exp
);
227 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
228 htons(nated_port
+ 1);
229 ret
= nf_ct_expect_related(rtcp_exp
);
232 else if (ret
== -EBUSY
) {
233 nf_ct_unexpect_related(rtp_exp
);
235 } else if (ret
< 0) {
236 nf_ct_unexpect_related(rtp_exp
);
240 } else if (ret
!= -EBUSY
) {
246 if (nated_port
== 0) { /* No port available */
247 net_notice_ratelimited("nf_nat_h323: out of RTP ports\n");
252 if (set_h245_addr(skb
, protoff
, data
, dataoff
, taddr
,
253 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
254 htons((port
& htons(1)) ? nated_port
+ 1 :
256 nf_ct_unexpect_related(rtp_exp
);
257 nf_ct_unexpect_related(rtcp_exp
);
262 info
->rtp_port
[i
][dir
] = rtp_port
;
263 info
->rtp_port
[i
][!dir
] = htons(nated_port
);
266 pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
267 &rtp_exp
->tuple
.src
.u3
.ip
,
268 ntohs(rtp_exp
->tuple
.src
.u
.udp
.port
),
269 &rtp_exp
->tuple
.dst
.u3
.ip
,
270 ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
));
271 pr_debug("nf_nat_h323: expect RTCP %pI4:%hu->%pI4:%hu\n",
272 &rtcp_exp
->tuple
.src
.u3
.ip
,
273 ntohs(rtcp_exp
->tuple
.src
.u
.udp
.port
),
274 &rtcp_exp
->tuple
.dst
.u3
.ip
,
275 ntohs(rtcp_exp
->tuple
.dst
.u
.udp
.port
));
280 /****************************************************************************/
281 static int nat_t120(struct sk_buff
*skb
, struct nf_conn
*ct
,
282 enum ip_conntrack_info ctinfo
,
283 unsigned int protoff
, unsigned char **data
, int dataoff
,
284 H245_TransportAddress
*taddr
, __be16 port
,
285 struct nf_conntrack_expect
*exp
)
287 int dir
= CTINFO2DIR(ctinfo
);
288 u_int16_t nated_port
= ntohs(port
);
290 /* Set expectations for NAT */
291 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
292 exp
->expectfn
= nf_nat_follow_master
;
295 /* Try to get same port: if not, try to change it. */
296 for (; nated_port
!= 0; nated_port
++) {
299 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
300 ret
= nf_ct_expect_related(exp
);
303 else if (ret
!= -EBUSY
) {
309 if (nated_port
== 0) { /* No port available */
310 net_notice_ratelimited("nf_nat_h323: out of TCP ports\n");
315 if (set_h245_addr(skb
, protoff
, data
, dataoff
, taddr
,
316 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
317 htons(nated_port
)) < 0) {
318 nf_ct_unexpect_related(exp
);
322 pr_debug("nf_nat_h323: expect T.120 %pI4:%hu->%pI4:%hu\n",
323 &exp
->tuple
.src
.u3
.ip
,
324 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
325 &exp
->tuple
.dst
.u3
.ip
,
326 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
331 /****************************************************************************/
332 static int nat_h245(struct sk_buff
*skb
, struct nf_conn
*ct
,
333 enum ip_conntrack_info ctinfo
,
334 unsigned int protoff
, unsigned char **data
, int dataoff
,
335 TransportAddress
*taddr
, __be16 port
,
336 struct nf_conntrack_expect
*exp
)
338 struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
339 int dir
= CTINFO2DIR(ctinfo
);
340 u_int16_t nated_port
= ntohs(port
);
342 /* Set expectations for NAT */
343 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
344 exp
->expectfn
= nf_nat_follow_master
;
347 /* Check existing expects */
348 if (info
->sig_port
[dir
] == port
)
349 nated_port
= ntohs(info
->sig_port
[!dir
]);
351 /* Try to get same port: if not, try to change it. */
352 for (; nated_port
!= 0; nated_port
++) {
355 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
356 ret
= nf_ct_expect_related(exp
);
359 else if (ret
!= -EBUSY
) {
365 if (nated_port
== 0) { /* No port available */
366 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
371 if (set_h225_addr(skb
, protoff
, data
, dataoff
, taddr
,
372 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
373 htons(nated_port
))) {
374 nf_ct_unexpect_related(exp
);
379 info
->sig_port
[dir
] = port
;
380 info
->sig_port
[!dir
] = htons(nated_port
);
382 pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
383 &exp
->tuple
.src
.u3
.ip
,
384 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
385 &exp
->tuple
.dst
.u3
.ip
,
386 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
391 /****************************************************************************
392 * This conntrack expect function replaces nf_conntrack_q931_expect()
393 * which was set by nf_conntrack_h323.c.
394 ****************************************************************************/
395 static void ip_nat_q931_expect(struct nf_conn
*new,
396 struct nf_conntrack_expect
*this)
398 struct nf_nat_range range
;
400 if (this->tuple
.src
.u3
.ip
!= 0) { /* Only accept calls from GK */
401 nf_nat_follow_master(new, this);
405 /* This must be a fresh one. */
406 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
408 /* Change src to where master sends to */
409 range
.flags
= NF_NAT_RANGE_MAP_IPS
;
410 range
.min_addr
= range
.max_addr
=
411 new->tuplehash
[!this->dir
].tuple
.src
.u3
;
412 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_SRC
);
414 /* For DST manip, map port here to where it's expected. */
415 range
.flags
= (NF_NAT_RANGE_MAP_IPS
| NF_NAT_RANGE_PROTO_SPECIFIED
);
416 range
.min_proto
= range
.max_proto
= this->saved_proto
;
417 range
.min_addr
= range
.max_addr
=
418 new->master
->tuplehash
[!this->dir
].tuple
.src
.u3
;
419 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_DST
);
422 /****************************************************************************/
423 static int nat_q931(struct sk_buff
*skb
, struct nf_conn
*ct
,
424 enum ip_conntrack_info ctinfo
,
425 unsigned int protoff
, unsigned char **data
,
426 TransportAddress
*taddr
, int idx
,
427 __be16 port
, struct nf_conntrack_expect
*exp
)
429 struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
430 int dir
= CTINFO2DIR(ctinfo
);
431 u_int16_t nated_port
= ntohs(port
);
432 union nf_inet_addr addr
;
434 /* Set expectations for NAT */
435 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
436 exp
->expectfn
= ip_nat_q931_expect
;
439 /* Check existing expects */
440 if (info
->sig_port
[dir
] == port
)
441 nated_port
= ntohs(info
->sig_port
[!dir
]);
443 /* Try to get same port: if not, try to change it. */
444 for (; nated_port
!= 0; nated_port
++) {
447 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
448 ret
= nf_ct_expect_related(exp
);
451 else if (ret
!= -EBUSY
) {
457 if (nated_port
== 0) { /* No port available */
458 net_notice_ratelimited("nf_nat_ras: out of TCP ports\n");
463 if (set_h225_addr(skb
, protoff
, data
, 0, &taddr
[idx
],
464 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
465 htons(nated_port
))) {
466 nf_ct_unexpect_related(exp
);
471 info
->sig_port
[dir
] = port
;
472 info
->sig_port
[!dir
] = htons(nated_port
);
474 /* Fix for Gnomemeeting */
476 get_h225_addr(ct
, *data
, &taddr
[0], &addr
, &port
) &&
477 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000) {
478 if (set_h225_addr(skb
, protoff
, data
, 0, &taddr
[0],
479 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
480 info
->sig_port
[!dir
])) {
481 nf_ct_unexpect_related(exp
);
487 pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
488 &exp
->tuple
.src
.u3
.ip
,
489 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
490 &exp
->tuple
.dst
.u3
.ip
,
491 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
496 /****************************************************************************/
497 static void ip_nat_callforwarding_expect(struct nf_conn
*new,
498 struct nf_conntrack_expect
*this)
500 struct nf_nat_range range
;
502 /* This must be a fresh one. */
503 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
505 /* Change src to where master sends to */
506 range
.flags
= NF_NAT_RANGE_MAP_IPS
;
507 range
.min_addr
= range
.max_addr
=
508 new->tuplehash
[!this->dir
].tuple
.src
.u3
;
509 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_SRC
);
511 /* For DST manip, map port here to where it's expected. */
512 range
.flags
= (NF_NAT_RANGE_MAP_IPS
| NF_NAT_RANGE_PROTO_SPECIFIED
);
513 range
.min_proto
= range
.max_proto
= this->saved_proto
;
514 range
.min_addr
= range
.max_addr
= this->saved_addr
;
515 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_DST
);
518 /****************************************************************************/
519 static int nat_callforwarding(struct sk_buff
*skb
, struct nf_conn
*ct
,
520 enum ip_conntrack_info ctinfo
,
521 unsigned int protoff
,
522 unsigned char **data
, int dataoff
,
523 TransportAddress
*taddr
, __be16 port
,
524 struct nf_conntrack_expect
*exp
)
526 int dir
= CTINFO2DIR(ctinfo
);
527 u_int16_t nated_port
;
529 /* Set expectations for NAT */
530 exp
->saved_addr
= exp
->tuple
.dst
.u3
;
531 exp
->tuple
.dst
.u3
.ip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
532 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
533 exp
->expectfn
= ip_nat_callforwarding_expect
;
536 /* Try to get same port: if not, try to change it. */
537 for (nated_port
= ntohs(port
); nated_port
!= 0; nated_port
++) {
540 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
541 ret
= nf_ct_expect_related(exp
);
544 else if (ret
!= -EBUSY
) {
550 if (nated_port
== 0) { /* No port available */
551 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
556 if (set_h225_addr(skb
, protoff
, data
, dataoff
, taddr
,
557 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
558 htons(nated_port
))) {
559 nf_ct_unexpect_related(exp
);
564 pr_debug("nf_nat_q931: expect Call Forwarding %pI4:%hu->%pI4:%hu\n",
565 &exp
->tuple
.src
.u3
.ip
,
566 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
567 &exp
->tuple
.dst
.u3
.ip
,
568 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
573 static struct nf_ct_helper_expectfn q931_nat
= {
575 .expectfn
= ip_nat_q931_expect
,
578 static struct nf_ct_helper_expectfn callforwarding_nat
= {
579 .name
= "callforwarding",
580 .expectfn
= ip_nat_callforwarding_expect
,
583 /****************************************************************************/
584 static int __init
init(void)
586 BUG_ON(set_h245_addr_hook
!= NULL
);
587 BUG_ON(set_h225_addr_hook
!= NULL
);
588 BUG_ON(set_sig_addr_hook
!= NULL
);
589 BUG_ON(set_ras_addr_hook
!= NULL
);
590 BUG_ON(nat_rtp_rtcp_hook
!= NULL
);
591 BUG_ON(nat_t120_hook
!= NULL
);
592 BUG_ON(nat_h245_hook
!= NULL
);
593 BUG_ON(nat_callforwarding_hook
!= NULL
);
594 BUG_ON(nat_q931_hook
!= NULL
);
596 RCU_INIT_POINTER(set_h245_addr_hook
, set_h245_addr
);
597 RCU_INIT_POINTER(set_h225_addr_hook
, set_h225_addr
);
598 RCU_INIT_POINTER(set_sig_addr_hook
, set_sig_addr
);
599 RCU_INIT_POINTER(set_ras_addr_hook
, set_ras_addr
);
600 RCU_INIT_POINTER(nat_rtp_rtcp_hook
, nat_rtp_rtcp
);
601 RCU_INIT_POINTER(nat_t120_hook
, nat_t120
);
602 RCU_INIT_POINTER(nat_h245_hook
, nat_h245
);
603 RCU_INIT_POINTER(nat_callforwarding_hook
, nat_callforwarding
);
604 RCU_INIT_POINTER(nat_q931_hook
, nat_q931
);
605 nf_ct_helper_expectfn_register(&q931_nat
);
606 nf_ct_helper_expectfn_register(&callforwarding_nat
);
610 /****************************************************************************/
611 static void __exit
fini(void)
613 RCU_INIT_POINTER(set_h245_addr_hook
, NULL
);
614 RCU_INIT_POINTER(set_h225_addr_hook
, NULL
);
615 RCU_INIT_POINTER(set_sig_addr_hook
, NULL
);
616 RCU_INIT_POINTER(set_ras_addr_hook
, NULL
);
617 RCU_INIT_POINTER(nat_rtp_rtcp_hook
, NULL
);
618 RCU_INIT_POINTER(nat_t120_hook
, NULL
);
619 RCU_INIT_POINTER(nat_h245_hook
, NULL
);
620 RCU_INIT_POINTER(nat_callforwarding_hook
, NULL
);
621 RCU_INIT_POINTER(nat_q931_hook
, NULL
);
622 nf_ct_helper_expectfn_unregister(&q931_nat
);
623 nf_ct_helper_expectfn_unregister(&callforwarding_nat
);
627 /****************************************************************************/
631 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
632 MODULE_DESCRIPTION("H.323 NAT helper");
633 MODULE_LICENSE("GPL");
634 MODULE_ALIAS("ip_nat_h323");