1 /* SIP extension for NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
5 * (C) 2007 United Security Providers
6 * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
17 #include <linux/udp.h>
18 #include <linux/tcp.h>
20 #include <net/netfilter/nf_nat.h>
21 #include <net/netfilter/nf_nat_helper.h>
22 #include <net/netfilter/nf_conntrack_helper.h>
23 #include <net/netfilter/nf_conntrack_expect.h>
24 #include <linux/netfilter/nf_conntrack_sip.h>
26 MODULE_LICENSE("GPL");
27 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
28 MODULE_DESCRIPTION("SIP NAT helper");
29 MODULE_ALIAS("ip_nat_sip");
32 static unsigned int mangle_packet(struct sk_buff
*skb
, unsigned int protoff
,
34 const char **dptr
, unsigned int *datalen
,
35 unsigned int matchoff
, unsigned int matchlen
,
36 const char *buffer
, unsigned int buflen
)
38 enum ip_conntrack_info ctinfo
;
39 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
43 if (nf_ct_protonum(ct
) == IPPROTO_TCP
) {
44 th
= (struct tcphdr
*)(skb
->data
+ ip_hdrlen(skb
));
45 baseoff
= ip_hdrlen(skb
) + th
->doff
* 4;
46 matchoff
+= dataoff
- baseoff
;
48 if (!__nf_nat_mangle_tcp_packet(skb
, ct
, ctinfo
,
49 protoff
, matchoff
, matchlen
,
50 buffer
, buflen
, false))
53 baseoff
= ip_hdrlen(skb
) + sizeof(struct udphdr
);
54 matchoff
+= dataoff
- baseoff
;
56 if (!nf_nat_mangle_udp_packet(skb
, ct
, ctinfo
,
57 protoff
, matchoff
, matchlen
,
62 /* Reload data pointer and adjust datalen value */
63 *dptr
= skb
->data
+ dataoff
;
64 *datalen
+= buflen
- matchlen
;
68 static int map_addr(struct sk_buff
*skb
, unsigned int protoff
,
70 const char **dptr
, unsigned int *datalen
,
71 unsigned int matchoff
, unsigned int matchlen
,
72 union nf_inet_addr
*addr
, __be16 port
)
74 enum ip_conntrack_info ctinfo
;
75 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
76 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
77 char buffer
[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
82 if (ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
== addr
->ip
&&
83 ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
== port
) {
84 newaddr
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
85 newport
= ct
->tuplehash
[!dir
].tuple
.dst
.u
.udp
.port
;
86 } else if (ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
== addr
->ip
&&
87 ct
->tuplehash
[dir
].tuple
.dst
.u
.udp
.port
== port
) {
88 newaddr
= ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
;
89 newport
= ct
->tuplehash
[!dir
].tuple
.src
.u
.udp
.port
;
93 if (newaddr
== addr
->ip
&& newport
== port
)
96 buflen
= sprintf(buffer
, "%pI4:%u", &newaddr
, ntohs(newport
));
98 return mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
99 matchoff
, matchlen
, buffer
, buflen
);
102 static int map_sip_addr(struct sk_buff
*skb
, unsigned int protoff
,
103 unsigned int dataoff
,
104 const char **dptr
, unsigned int *datalen
,
105 enum sip_header_types type
)
107 enum ip_conntrack_info ctinfo
;
108 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
109 unsigned int matchlen
, matchoff
;
110 union nf_inet_addr addr
;
113 if (ct_sip_parse_header_uri(ct
, *dptr
, NULL
, *datalen
, type
, NULL
,
114 &matchoff
, &matchlen
, &addr
, &port
) <= 0)
116 return map_addr(skb
, protoff
, dataoff
, dptr
, datalen
,
117 matchoff
, matchlen
, &addr
, port
);
120 static unsigned int ip_nat_sip(struct sk_buff
*skb
, unsigned int protoff
,
121 unsigned int dataoff
,
122 const char **dptr
, unsigned int *datalen
)
124 enum ip_conntrack_info ctinfo
;
125 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
126 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
127 unsigned int coff
, matchoff
, matchlen
;
128 enum sip_header_types hdr
;
129 union nf_inet_addr addr
;
131 int request
, in_header
;
133 /* Basic rules: requests and responses. */
134 if (strnicmp(*dptr
, "SIP/2.0", strlen("SIP/2.0")) != 0) {
135 if (ct_sip_parse_request(ct
, *dptr
, *datalen
,
136 &matchoff
, &matchlen
,
138 !map_addr(skb
, protoff
, dataoff
, dptr
, datalen
,
139 matchoff
, matchlen
, &addr
, port
))
145 if (nf_ct_protonum(ct
) == IPPROTO_TCP
)
146 hdr
= SIP_HDR_VIA_TCP
;
148 hdr
= SIP_HDR_VIA_UDP
;
150 /* Translate topmost Via header and parameters */
151 if (ct_sip_parse_header_uri(ct
, *dptr
, NULL
, *datalen
,
152 hdr
, NULL
, &matchoff
, &matchlen
,
154 unsigned int olen
, matchend
, poff
, plen
, buflen
, n
;
155 char buffer
[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
157 /* We're only interested in headers related to this
160 if (addr
.ip
!= ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
||
161 port
!= ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
)
164 if (addr
.ip
!= ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
||
165 port
!= ct
->tuplehash
[dir
].tuple
.dst
.u
.udp
.port
)
170 if (!map_addr(skb
, protoff
, dataoff
, dptr
, datalen
,
171 matchoff
, matchlen
, &addr
, port
))
174 matchend
= matchoff
+ matchlen
+ *datalen
- olen
;
176 /* The maddr= parameter (RFC 2361) specifies where to send
178 if (ct_sip_parse_address_param(ct
, *dptr
, matchend
, *datalen
,
179 "maddr=", &poff
, &plen
,
181 addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
182 addr
.ip
!= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
) {
183 buflen
= sprintf(buffer
, "%pI4",
184 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
);
185 if (!mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
186 poff
, plen
, buffer
, buflen
))
190 /* The received= parameter (RFC 2361) contains the address
191 * from which the server received the request. */
192 if (ct_sip_parse_address_param(ct
, *dptr
, matchend
, *datalen
,
193 "received=", &poff
, &plen
,
195 addr
.ip
== ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
&&
196 addr
.ip
!= ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
) {
197 buflen
= sprintf(buffer
, "%pI4",
198 &ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
);
199 if (!mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
200 poff
, plen
, buffer
, buflen
))
204 /* The rport= parameter (RFC 3581) contains the port number
205 * from which the server received the request. */
206 if (ct_sip_parse_numerical_param(ct
, *dptr
, matchend
, *datalen
,
207 "rport=", &poff
, &plen
,
209 htons(n
) == ct
->tuplehash
[dir
].tuple
.dst
.u
.udp
.port
&&
210 htons(n
) != ct
->tuplehash
[!dir
].tuple
.src
.u
.udp
.port
) {
211 __be16 p
= ct
->tuplehash
[!dir
].tuple
.src
.u
.udp
.port
;
212 buflen
= sprintf(buffer
, "%u", ntohs(p
));
213 if (!mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
214 poff
, plen
, buffer
, buflen
))
220 /* Translate Contact headers */
223 while (ct_sip_parse_header_uri(ct
, *dptr
, &coff
, *datalen
,
224 SIP_HDR_CONTACT
, &in_header
,
225 &matchoff
, &matchlen
,
227 if (!map_addr(skb
, protoff
, dataoff
, dptr
, datalen
,
233 if (!map_sip_addr(skb
, protoff
, dataoff
, dptr
, datalen
, SIP_HDR_FROM
) ||
234 !map_sip_addr(skb
, protoff
, dataoff
, dptr
, datalen
, SIP_HDR_TO
))
240 static void ip_nat_sip_seq_adjust(struct sk_buff
*skb
, s16 off
)
242 enum ip_conntrack_info ctinfo
;
243 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
244 const struct tcphdr
*th
;
246 if (nf_ct_protonum(ct
) != IPPROTO_TCP
|| off
== 0)
249 th
= (struct tcphdr
*)(skb
->data
+ ip_hdrlen(skb
));
250 nf_nat_set_seq_adjust(ct
, ctinfo
, th
->seq
, off
);
253 /* Handles expected signalling connections and media streams */
254 static void ip_nat_sip_expected(struct nf_conn
*ct
,
255 struct nf_conntrack_expect
*exp
)
257 struct nf_nat_range range
;
259 /* This must be a fresh one. */
260 BUG_ON(ct
->status
& IPS_NAT_DONE_MASK
);
262 /* For DST manip, map port here to where it's expected. */
263 range
.flags
= (NF_NAT_RANGE_MAP_IPS
| NF_NAT_RANGE_PROTO_SPECIFIED
);
264 range
.min_proto
= range
.max_proto
= exp
->saved_proto
;
265 range
.min_addr
= range
.max_addr
= exp
->saved_addr
;
266 nf_nat_setup_info(ct
, &range
, NF_NAT_MANIP_DST
);
268 /* Change src to where master sends to, but only if the connection
269 * actually came from the same source. */
270 if (ct
->tuplehash
[IP_CT_DIR_ORIGINAL
].tuple
.src
.u3
.ip
==
271 ct
->master
->tuplehash
[exp
->dir
].tuple
.src
.u3
.ip
) {
272 range
.flags
= NF_NAT_RANGE_MAP_IPS
;
273 range
.min_addr
= range
.max_addr
274 = ct
->master
->tuplehash
[!exp
->dir
].tuple
.dst
.u3
;
275 nf_nat_setup_info(ct
, &range
, NF_NAT_MANIP_SRC
);
279 static unsigned int ip_nat_sip_expect(struct sk_buff
*skb
, unsigned int protoff
,
280 unsigned int dataoff
,
281 const char **dptr
, unsigned int *datalen
,
282 struct nf_conntrack_expect
*exp
,
283 unsigned int matchoff
,
284 unsigned int matchlen
)
286 enum ip_conntrack_info ctinfo
;
287 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
288 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
291 char buffer
[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
294 /* Connection will come from reply */
295 if (ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
== ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
)
296 newip
= exp
->tuple
.dst
.u3
.ip
;
298 newip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
300 /* If the signalling port matches the connection's source port in the
301 * original direction, try to use the destination port in the opposite
303 if (exp
->tuple
.dst
.u
.udp
.port
==
304 ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
)
305 port
= ntohs(ct
->tuplehash
[!dir
].tuple
.dst
.u
.udp
.port
);
307 port
= ntohs(exp
->tuple
.dst
.u
.udp
.port
);
309 exp
->saved_addr
= exp
->tuple
.dst
.u3
;
310 exp
->tuple
.dst
.u3
.ip
= newip
;
311 exp
->saved_proto
.udp
.port
= exp
->tuple
.dst
.u
.udp
.port
;
313 exp
->expectfn
= ip_nat_sip_expected
;
315 for (; port
!= 0; port
++) {
318 exp
->tuple
.dst
.u
.udp
.port
= htons(port
);
319 ret
= nf_ct_expect_related(exp
);
322 else if (ret
!= -EBUSY
) {
331 if (exp
->tuple
.dst
.u3
.ip
!= exp
->saved_addr
.ip
||
332 exp
->tuple
.dst
.u
.udp
.port
!= exp
->saved_proto
.udp
.port
) {
333 buflen
= sprintf(buffer
, "%pI4:%u", &newip
, port
);
334 if (!mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
335 matchoff
, matchlen
, buffer
, buflen
))
341 nf_ct_unexpect_related(exp
);
345 static int mangle_content_len(struct sk_buff
*skb
, unsigned int protoff
,
346 unsigned int dataoff
,
347 const char **dptr
, unsigned int *datalen
)
349 enum ip_conntrack_info ctinfo
;
350 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
351 unsigned int matchoff
, matchlen
;
352 char buffer
[sizeof("65536")];
355 /* Get actual SDP length */
356 if (ct_sip_get_sdp_header(ct
, *dptr
, 0, *datalen
,
357 SDP_HDR_VERSION
, SDP_HDR_UNSPEC
,
358 &matchoff
, &matchlen
) <= 0)
360 c_len
= *datalen
- matchoff
+ strlen("v=");
362 /* Now, update SDP length */
363 if (ct_sip_get_header(ct
, *dptr
, 0, *datalen
, SIP_HDR_CONTENT_LENGTH
,
364 &matchoff
, &matchlen
) <= 0)
367 buflen
= sprintf(buffer
, "%u", c_len
);
368 return mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
369 matchoff
, matchlen
, buffer
, buflen
);
372 static int mangle_sdp_packet(struct sk_buff
*skb
, unsigned int protoff
,
373 unsigned int dataoff
,
374 const char **dptr
, unsigned int *datalen
,
376 enum sdp_header_types type
,
377 enum sdp_header_types term
,
378 char *buffer
, int buflen
)
380 enum ip_conntrack_info ctinfo
;
381 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
382 unsigned int matchlen
, matchoff
;
384 if (ct_sip_get_sdp_header(ct
, *dptr
, sdpoff
, *datalen
, type
, term
,
385 &matchoff
, &matchlen
) <= 0)
387 return mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
388 matchoff
, matchlen
, buffer
, buflen
) ? 0 : -EINVAL
;
391 static unsigned int ip_nat_sdp_addr(struct sk_buff
*skb
, unsigned int protoff
,
392 unsigned int dataoff
,
393 const char **dptr
, unsigned int *datalen
,
395 enum sdp_header_types type
,
396 enum sdp_header_types term
,
397 const union nf_inet_addr
*addr
)
399 char buffer
[sizeof("nnn.nnn.nnn.nnn")];
402 buflen
= sprintf(buffer
, "%pI4", &addr
->ip
);
403 if (mangle_sdp_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
404 sdpoff
, type
, term
, buffer
, buflen
))
407 return mangle_content_len(skb
, protoff
, dataoff
, dptr
, datalen
);
410 static unsigned int ip_nat_sdp_port(struct sk_buff
*skb
, unsigned int protoff
,
411 unsigned int dataoff
,
412 const char **dptr
, unsigned int *datalen
,
413 unsigned int matchoff
,
414 unsigned int matchlen
,
417 char buffer
[sizeof("nnnnn")];
420 buflen
= sprintf(buffer
, "%u", port
);
421 if (!mangle_packet(skb
, protoff
, dataoff
, dptr
, datalen
,
422 matchoff
, matchlen
, buffer
, buflen
))
425 return mangle_content_len(skb
, protoff
, dataoff
, dptr
, datalen
);
428 static unsigned int ip_nat_sdp_session(struct sk_buff
*skb
, unsigned int protoff
,
429 unsigned int dataoff
,
430 const char **dptr
, unsigned int *datalen
,
432 const union nf_inet_addr
*addr
)
434 char buffer
[sizeof("nnn.nnn.nnn.nnn")];
437 /* Mangle session description owner and contact addresses */
438 buflen
= sprintf(buffer
, "%pI4", &addr
->ip
);
439 if (mangle_sdp_packet(skb
, protoff
, dataoff
, dptr
, datalen
, sdpoff
,
440 SDP_HDR_OWNER_IP4
, SDP_HDR_MEDIA
,
444 switch (mangle_sdp_packet(skb
, protoff
, dataoff
, dptr
, datalen
, sdpoff
,
445 SDP_HDR_CONNECTION_IP4
, SDP_HDR_MEDIA
,
451 * Session description
453 * c=* (connection information - not required if included in all media)
461 return mangle_content_len(skb
, protoff
, dataoff
, dptr
, datalen
);
464 /* So, this packet has hit the connection tracking matching code.
465 Mangle it, and change the expectation to match the new version. */
466 static unsigned int ip_nat_sdp_media(struct sk_buff
*skb
, unsigned int protoff
,
467 unsigned int dataoff
,
468 const char **dptr
, unsigned int *datalen
,
469 struct nf_conntrack_expect
*rtp_exp
,
470 struct nf_conntrack_expect
*rtcp_exp
,
471 unsigned int mediaoff
,
472 unsigned int medialen
,
473 union nf_inet_addr
*rtp_addr
)
475 enum ip_conntrack_info ctinfo
;
476 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
477 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
480 /* Connection will come from reply */
481 if (ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
==
482 ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
)
483 rtp_addr
->ip
= rtp_exp
->tuple
.dst
.u3
.ip
;
485 rtp_addr
->ip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
487 rtp_exp
->saved_addr
= rtp_exp
->tuple
.dst
.u3
;
488 rtp_exp
->tuple
.dst
.u3
.ip
= rtp_addr
->ip
;
489 rtp_exp
->saved_proto
.udp
.port
= rtp_exp
->tuple
.dst
.u
.udp
.port
;
491 rtp_exp
->expectfn
= ip_nat_sip_expected
;
493 rtcp_exp
->saved_addr
= rtcp_exp
->tuple
.dst
.u3
;
494 rtcp_exp
->tuple
.dst
.u3
.ip
= rtp_addr
->ip
;
495 rtcp_exp
->saved_proto
.udp
.port
= rtcp_exp
->tuple
.dst
.u
.udp
.port
;
496 rtcp_exp
->dir
= !dir
;
497 rtcp_exp
->expectfn
= ip_nat_sip_expected
;
499 /* Try to get same pair of ports: if not, try to change them. */
500 for (port
= ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
);
501 port
!= 0; port
+= 2) {
504 rtp_exp
->tuple
.dst
.u
.udp
.port
= htons(port
);
505 ret
= nf_ct_expect_related(rtp_exp
);
512 rtcp_exp
->tuple
.dst
.u
.udp
.port
= htons(port
+ 1);
513 ret
= nf_ct_expect_related(rtcp_exp
);
516 else if (ret
!= -EBUSY
) {
517 nf_ct_unexpect_related(rtp_exp
);
526 /* Update media port. */
527 if (rtp_exp
->tuple
.dst
.u
.udp
.port
!= rtp_exp
->saved_proto
.udp
.port
&&
528 !ip_nat_sdp_port(skb
, protoff
, dataoff
, dptr
, datalen
,
529 mediaoff
, medialen
, port
))
535 nf_ct_unexpect_related(rtp_exp
);
536 nf_ct_unexpect_related(rtcp_exp
);
541 static struct nf_ct_helper_expectfn sip_nat
= {
543 .expectfn
= ip_nat_sip_expected
,
546 static void __exit
nf_nat_sip_fini(void)
548 RCU_INIT_POINTER(nf_nat_sip_hook
, NULL
);
549 RCU_INIT_POINTER(nf_nat_sip_seq_adjust_hook
, NULL
);
550 RCU_INIT_POINTER(nf_nat_sip_expect_hook
, NULL
);
551 RCU_INIT_POINTER(nf_nat_sdp_addr_hook
, NULL
);
552 RCU_INIT_POINTER(nf_nat_sdp_port_hook
, NULL
);
553 RCU_INIT_POINTER(nf_nat_sdp_session_hook
, NULL
);
554 RCU_INIT_POINTER(nf_nat_sdp_media_hook
, NULL
);
555 nf_ct_helper_expectfn_unregister(&sip_nat
);
559 static int __init
nf_nat_sip_init(void)
561 BUG_ON(nf_nat_sip_hook
!= NULL
);
562 BUG_ON(nf_nat_sip_seq_adjust_hook
!= NULL
);
563 BUG_ON(nf_nat_sip_expect_hook
!= NULL
);
564 BUG_ON(nf_nat_sdp_addr_hook
!= NULL
);
565 BUG_ON(nf_nat_sdp_port_hook
!= NULL
);
566 BUG_ON(nf_nat_sdp_session_hook
!= NULL
);
567 BUG_ON(nf_nat_sdp_media_hook
!= NULL
);
568 RCU_INIT_POINTER(nf_nat_sip_hook
, ip_nat_sip
);
569 RCU_INIT_POINTER(nf_nat_sip_seq_adjust_hook
, ip_nat_sip_seq_adjust
);
570 RCU_INIT_POINTER(nf_nat_sip_expect_hook
, ip_nat_sip_expect
);
571 RCU_INIT_POINTER(nf_nat_sdp_addr_hook
, ip_nat_sdp_addr
);
572 RCU_INIT_POINTER(nf_nat_sdp_port_hook
, ip_nat_sdp_port
);
573 RCU_INIT_POINTER(nf_nat_sdp_session_hook
, ip_nat_sdp_session
);
574 RCU_INIT_POINTER(nf_nat_sdp_media_hook
, ip_nat_sdp_media
);
575 nf_ct_helper_expectfn_register(&sip_nat
);
579 module_init(nf_nat_sip_init
);
580 module_exit(nf_nat_sip_fini
);