netfilter: nf_nat_sip: add TCP support
authorPatrick McHardy <kaber@trash.net>
Thu, 11 Feb 2010 11:29:38 +0000 (12:29 +0100)
committerPatrick McHardy <kaber@trash.net>
Thu, 11 Feb 2010 11:29:38 +0000 (12:29 +0100)
Add support for mangling TCP SIP packets.

Signed-off-by: Patrick McHardy <kaber@trash.net>
include/linux/netfilter/nf_conntrack_sip.h
net/ipv4/netfilter/nf_nat_sip.c
net/netfilter/nf_conntrack_sip.c

index fa9bb8981450304ac0bcc79e2e1308c62b1d8c3c..cd84d6f44d117470877062a950d3994bbc9fa702 100644 (file)
@@ -104,6 +104,7 @@ extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
                                       unsigned int dataoff,
                                       const char **dptr,
                                       unsigned int *datalen);
+extern void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off);
 extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
                                              unsigned int dataoff,
                                              const char **dptr,
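Review bot: The new `nf_nat_sip_seq_adjust_hook` declaration carries no comment saying what `off` means or when the hook fires, which matters because the hook is implemented by a different module than the one that calls it. I would put `/* Called by the TCP SIP helper once per segment after all SIP messages in it were mangled; off is the net payload size change to record as a TCP sequence adjustment, 0 meaning nothing to record */` above the extern. The same applies to the matching definition added in net/netfilter/nf_conntrack_sip.c (the `__read_mostly` hunk), which is the only other place a reader would look for it. That a zero offset is a no-op is decided by the NAT-side implementation in this commit, so documenting it at the declaration keeps both sides honest.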
index b232e4040dc658f65c43102b53df841a65f977a1..11b538deaaec1f996505d387d549b3de6dd4bb37 100644 (file)
@@ -1,4 +1,4 @@
-/* SIP extension for UDP NAT alteration.
+/* SIP extension for NAT alteration.
  *
  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
  * based on RR's ip_nat_ftp.c and other modules.
@@ -15,6 +15,7 @@
 #include <linux/ip.h>
 #include <net/ip.h>
 #include <linux/udp.h>
+#include <linux/tcp.h>
 
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_helper.h>
@@ -36,10 +37,27 @@ static unsigned int mangle_packet(struct sk_buff *skb, unsigned int dataoff,
 {
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-
-       if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
-                                     buffer, buflen))
-               return 0;
+       struct tcphdr *th;
+       unsigned int baseoff;
+
+       if (nf_ct_protonum(ct) == IPPROTO_TCP) {
+               th = (struct tcphdr *)(skb->data + ip_hdrlen(skb));
+               baseoff = ip_hdrlen(skb) + th->doff * 4;
+               matchoff += dataoff - baseoff;
+
+               if (!__nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
+                                               matchoff, matchlen,
+                                               buffer, buflen, false))
+                       return 0;
+       } else {
+               baseoff = ip_hdrlen(skb) + sizeof(struct udphdr);
+               matchoff += dataoff - baseoff;
+
+               if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
+                                             matchoff, matchlen,
+                                             buffer, buflen))
+                       return 0;
+       }
 
        /* Reload data pointer and adjust datalen value */
        *dptr = skb->data + dataoff;
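Review bot: `th` at the top of the TCP branch is declared `struct tcphdr *` although the branch only reads `th->doff` through it; `const struct tcphdr *th;` would match the `const` used for the same pointer in ip_nat_sip_seq_adjust later in this commit. The `false` passed to `__nf_nat_mangle_tcp_packet` also deserves a why-comment, since a reader will otherwise expect the sequence adjustment to be registered here; something like `/* seq adjustment is deferred: the TCP helper may mangle several SIP messages per segment and registers the accumulated offset once via nf_nat_sip_seq_adjust_hook */`. That reading is inferred from the `tdiff` handling in the nf_conntrack_sip.c hunk rather than from this function, so confirm it before committing to the wording. `matchoff += dataoff - baseoff` in both branches relies on dataoff never being smaller than baseoff; with unsigned arithmetic a mismatch would wrap silently rather than fail, which is presumably guaranteed by how the helper computes dataoff but is not checked here. mangle_packet's signature is on the hunk header line and its body continues past the hunk.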
@@ -104,6 +122,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
        unsigned int coff, matchoff, matchlen;
+       enum sip_header_types hdr;
        union nf_inet_addr addr;
        __be16 port;
        int request, in_header;
@@ -120,9 +139,14 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
        } else
                request = 0;
 
+       if (nf_ct_protonum(ct) == IPPROTO_TCP)
+               hdr = SIP_HDR_VIA_TCP;
+       else
+               hdr = SIP_HDR_VIA_UDP;
+
        /* Translate topmost Via header and parameters */
        if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
-                                   SIP_HDR_VIA_UDP, NULL, &matchoff, &matchlen,
+                                   hdr, NULL, &matchoff, &matchlen,
                                    &addr, &port) > 0) {
                unsigned int matchend, poff, plen, buflen, n;
                char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
@@ -204,9 +228,23 @@ next:
        if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) ||
            !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO))
                return NF_DROP;
+
        return NF_ACCEPT;
 }
 
+static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off)
+{
+       enum ip_conntrack_info ctinfo;
+       struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+       const struct tcphdr *th;
+
+       if (nf_ct_protonum(ct) != IPPROTO_TCP || off == 0)
+               return;
+
+       th = (struct tcphdr *)(skb->data + ip_hdrlen(skb));
+       nf_nat_set_seq_adjust(ct, ctinfo, th->seq, off);
+}
+
 /* Handles expected signalling connections and media streams */
 static void ip_nat_sip_expected(struct nf_conn *ct,
                                struct nf_conntrack_expect *exp)
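Review bot: ip_nat_sip_seq_adjust reads the TCP header through a plain cast of `skb->data + ip_hdrlen(skb)`, which is only valid if the skb is linear at this point; the caller in nf_conntrack_sip.c is not visible in this commit, so if it already rejects non-linear skbs a one-line comment stating that assumption would spare the next reader a check, and if it does not, this is a real defect. The function also has no header comment; I would add `/* Record the accumulated SIP payload size change of this TCP segment as a sequence number adjustment; invoked once per packet by the conntrack helper through nf_nat_sip_seq_adjust_hook */`. The `off == 0` early return is worth a word too, since it means a segment whose message changes net to zero registers nothing, which is presumably intended. The enclosing ip_nat_sip body begins outside this hunk.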
@@ -472,6 +510,7 @@ err1:
 static void __exit nf_nat_sip_fini(void)
 {
        rcu_assign_pointer(nf_nat_sip_hook, NULL);
+       rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, NULL);
        rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
        rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
        rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
@@ -483,12 +522,14 @@ static void __exit nf_nat_sip_fini(void)
 static int __init nf_nat_sip_init(void)
 {
        BUG_ON(nf_nat_sip_hook != NULL);
+       BUG_ON(nf_nat_sip_seq_adjust_hook != NULL);
        BUG_ON(nf_nat_sip_expect_hook != NULL);
        BUG_ON(nf_nat_sdp_addr_hook != NULL);
        BUG_ON(nf_nat_sdp_port_hook != NULL);
        BUG_ON(nf_nat_sdp_session_hook != NULL);
        BUG_ON(nf_nat_sdp_media_hook != NULL);
        rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
+       rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, ip_nat_sip_seq_adjust);
        rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
        rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
        rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
index 1cc75c5a822b12c06501fd13acc0ce82977b796b..3bb3aaff76e99793609f254394307c79ec1631dc 100644 (file)
@@ -56,6 +56,9 @@ unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, unsigned int dataoff,
                                unsigned int *datalen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
 
+void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off) __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sip_seq_adjust_hook);
+
 unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
                                       unsigned int dataoff,
                                       const char **dptr,
@@ -1360,6 +1363,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
        const char *dptr, *end;
        s16 diff, tdiff = 0;
        int ret;
+       typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
 
        if (ctinfo != IP_CT_ESTABLISHED &&
            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
@@ -1415,6 +1419,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                datalen  = datalen + diff - msglen;
        }
 
+       if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+               nf_nat_sip_seq_adjust = rcu_dereference(nf_nat_sip_seq_adjust_hook);
+               if (nf_nat_sip_seq_adjust)
+                       nf_nat_sip_seq_adjust(skb, tdiff);
+       }
+
        return ret;
 }