Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 1 | /* SIP extension for UDP NAT alteration. |
| 2 | * |
| 3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> |
| 4 | * based on RR's ip_nat_ftp.c and other modules. |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or modify |
| 7 | * it under the terms of the GNU General Public License version 2 as |
| 8 | * published by the Free Software Foundation. |
| 9 | */ |
| 10 | |
| 11 | #include <linux/module.h> |
| 12 | #include <linux/skbuff.h> |
| 13 | #include <linux/ip.h> |
Arnaldo Carvalho de Melo | c9bdd4b | 2007-03-12 20:09:15 -0300 | [diff] [blame^] | 14 | #include <net/ip.h> |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 15 | #include <linux/udp.h> |
| 16 | |
| 17 | #include <net/netfilter/nf_nat.h> |
| 18 | #include <net/netfilter/nf_nat_helper.h> |
| 19 | #include <net/netfilter/nf_nat_rule.h> |
| 20 | #include <net/netfilter/nf_conntrack_helper.h> |
| 21 | #include <net/netfilter/nf_conntrack_expect.h> |
| 22 | #include <linux/netfilter/nf_conntrack_sip.h> |
| 23 | |
| 24 | MODULE_LICENSE("GPL"); |
| 25 | MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); |
| 26 | MODULE_DESCRIPTION("SIP NAT helper"); |
| 27 | MODULE_ALIAS("ip_nat_sip"); |
| 28 | |
| 29 | #if 0 |
| 30 | #define DEBUGP printk |
| 31 | #else |
| 32 | #define DEBUGP(format, args...) |
| 33 | #endif |
| 34 | |
| 35 | struct addr_map { |
| 36 | struct { |
| 37 | char src[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; |
| 38 | char dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; |
| 39 | unsigned int srclen, srciplen; |
| 40 | unsigned int dstlen, dstiplen; |
| 41 | } addr[IP_CT_DIR_MAX]; |
| 42 | }; |
| 43 | |
| 44 | static void addr_map_init(struct nf_conn *ct, struct addr_map *map) |
| 45 | { |
| 46 | struct nf_conntrack_tuple *t; |
| 47 | enum ip_conntrack_dir dir; |
| 48 | unsigned int n; |
| 49 | |
| 50 | for (dir = 0; dir < IP_CT_DIR_MAX; dir++) { |
| 51 | t = &ct->tuplehash[dir].tuple; |
| 52 | |
| 53 | n = sprintf(map->addr[dir].src, "%u.%u.%u.%u", |
| 54 | NIPQUAD(t->src.u3.ip)); |
| 55 | map->addr[dir].srciplen = n; |
| 56 | n += sprintf(map->addr[dir].src + n, ":%u", |
| 57 | ntohs(t->src.u.udp.port)); |
| 58 | map->addr[dir].srclen = n; |
| 59 | |
| 60 | n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u", |
| 61 | NIPQUAD(t->dst.u3.ip)); |
| 62 | map->addr[dir].dstiplen = n; |
| 63 | n += sprintf(map->addr[dir].dst + n, ":%u", |
| 64 | ntohs(t->dst.u.udp.port)); |
| 65 | map->addr[dir].dstlen = n; |
| 66 | } |
| 67 | } |
| 68 | |
| 69 | static int map_sip_addr(struct sk_buff **pskb, enum ip_conntrack_info ctinfo, |
| 70 | struct nf_conn *ct, const char **dptr, size_t dlen, |
| 71 | enum sip_header_pos pos, struct addr_map *map) |
| 72 | { |
| 73 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
| 74 | unsigned int matchlen, matchoff, addrlen; |
| 75 | char *addr; |
| 76 | |
| 77 | if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0) |
| 78 | return 1; |
| 79 | |
| 80 | if ((matchlen == map->addr[dir].srciplen || |
| 81 | matchlen == map->addr[dir].srclen) && |
| 82 | memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) { |
| 83 | addr = map->addr[!dir].dst; |
| 84 | addrlen = map->addr[!dir].dstlen; |
| 85 | } else if ((matchlen == map->addr[dir].dstiplen || |
| 86 | matchlen == map->addr[dir].dstlen) && |
| 87 | memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) { |
| 88 | addr = map->addr[!dir].src; |
| 89 | addrlen = map->addr[!dir].srclen; |
| 90 | } else |
| 91 | return 1; |
| 92 | |
| 93 | if (!nf_nat_mangle_udp_packet(pskb, ct, ctinfo, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 94 | matchoff, matchlen, addr, addrlen)) |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 95 | return 0; |
Arnaldo Carvalho de Melo | c9bdd4b | 2007-03-12 20:09:15 -0300 | [diff] [blame^] | 96 | *dptr = (*pskb)->data + ip_hdrlen(*pskb) + sizeof(struct udphdr); |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 97 | return 1; |
| 98 | |
| 99 | } |
| 100 | |
| 101 | static unsigned int ip_nat_sip(struct sk_buff **pskb, |
| 102 | enum ip_conntrack_info ctinfo, |
| 103 | struct nf_conn *ct, |
| 104 | const char **dptr) |
| 105 | { |
| 106 | enum sip_header_pos pos; |
| 107 | struct addr_map map; |
| 108 | int dataoff, datalen; |
| 109 | |
Arnaldo Carvalho de Melo | c9bdd4b | 2007-03-12 20:09:15 -0300 | [diff] [blame^] | 110 | dataoff = ip_hdrlen(*pskb) + sizeof(struct udphdr); |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 111 | datalen = (*pskb)->len - dataoff; |
| 112 | if (datalen < sizeof("SIP/2.0") - 1) |
| 113 | return NF_DROP; |
| 114 | |
| 115 | addr_map_init(ct, &map); |
| 116 | |
| 117 | /* Basic rules: requests and responses. */ |
| 118 | if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) { |
| 119 | /* 10.2: Constructing the REGISTER Request: |
| 120 | * |
| 121 | * The "userinfo" and "@" components of the SIP URI MUST NOT |
| 122 | * be present. |
| 123 | */ |
| 124 | if (datalen >= sizeof("REGISTER") - 1 && |
| 125 | strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0) |
| 126 | pos = POS_REG_REQ_URI; |
| 127 | else |
| 128 | pos = POS_REQ_URI; |
| 129 | |
| 130 | if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, pos, &map)) |
| 131 | return NF_DROP; |
| 132 | } |
| 133 | |
| 134 | if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_FROM, &map) || |
| 135 | !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_TO, &map) || |
| 136 | !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_VIA, &map) || |
| 137 | !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map)) |
| 138 | return NF_DROP; |
| 139 | return NF_ACCEPT; |
| 140 | } |
| 141 | |
| 142 | static unsigned int mangle_sip_packet(struct sk_buff **pskb, |
| 143 | enum ip_conntrack_info ctinfo, |
| 144 | struct nf_conn *ct, |
| 145 | const char **dptr, size_t dlen, |
| 146 | char *buffer, int bufflen, |
| 147 | enum sip_header_pos pos) |
| 148 | { |
| 149 | unsigned int matchlen, matchoff; |
| 150 | |
| 151 | if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0) |
| 152 | return 0; |
| 153 | |
| 154 | if (!nf_nat_mangle_udp_packet(pskb, ct, ctinfo, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 155 | matchoff, matchlen, buffer, bufflen)) |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 156 | return 0; |
| 157 | |
| 158 | /* We need to reload this. Thanks Patrick. */ |
Arnaldo Carvalho de Melo | c9bdd4b | 2007-03-12 20:09:15 -0300 | [diff] [blame^] | 159 | *dptr = (*pskb)->data + ip_hdrlen(*pskb) + sizeof(struct udphdr); |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 160 | return 1; |
| 161 | } |
| 162 | |
| 163 | static int mangle_content_len(struct sk_buff **pskb, |
| 164 | enum ip_conntrack_info ctinfo, |
| 165 | struct nf_conn *ct, |
| 166 | const char *dptr) |
| 167 | { |
| 168 | unsigned int dataoff, matchoff, matchlen; |
| 169 | char buffer[sizeof("65536")]; |
| 170 | int bufflen; |
| 171 | |
Arnaldo Carvalho de Melo | c9bdd4b | 2007-03-12 20:09:15 -0300 | [diff] [blame^] | 172 | dataoff = ip_hdrlen(*pskb) + sizeof(struct udphdr); |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 173 | |
| 174 | /* Get actual SDP lenght */ |
| 175 | if (ct_sip_get_info(ct, dptr, (*pskb)->len - dataoff, &matchoff, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 176 | &matchlen, POS_SDP_HEADER) > 0) { |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 177 | |
| 178 | /* since ct_sip_get_info() give us a pointer passing 'v=' |
| 179 | we need to add 2 bytes in this count. */ |
| 180 | int c_len = (*pskb)->len - dataoff - matchoff + 2; |
| 181 | |
| 182 | /* Now, update SDP length */ |
| 183 | if (ct_sip_get_info(ct, dptr, (*pskb)->len - dataoff, &matchoff, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 184 | &matchlen, POS_CONTENT) > 0) { |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 185 | |
| 186 | bufflen = sprintf(buffer, "%u", c_len); |
| 187 | return nf_nat_mangle_udp_packet(pskb, ct, ctinfo, |
| 188 | matchoff, matchlen, |
| 189 | buffer, bufflen); |
| 190 | } |
| 191 | } |
| 192 | return 0; |
| 193 | } |
| 194 | |
| 195 | static unsigned int mangle_sdp(struct sk_buff **pskb, |
| 196 | enum ip_conntrack_info ctinfo, |
| 197 | struct nf_conn *ct, |
| 198 | __be32 newip, u_int16_t port, |
| 199 | const char *dptr) |
| 200 | { |
| 201 | char buffer[sizeof("nnn.nnn.nnn.nnn")]; |
| 202 | unsigned int dataoff, bufflen; |
| 203 | |
Arnaldo Carvalho de Melo | c9bdd4b | 2007-03-12 20:09:15 -0300 | [diff] [blame^] | 204 | dataoff = ip_hdrlen(*pskb) + sizeof(struct udphdr); |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 205 | |
| 206 | /* Mangle owner and contact info. */ |
| 207 | bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip)); |
| 208 | if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 209 | buffer, bufflen, POS_OWNER_IP4)) |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 210 | return 0; |
| 211 | |
| 212 | if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 213 | buffer, bufflen, POS_CONNECTION_IP4)) |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 214 | return 0; |
| 215 | |
| 216 | /* Mangle media port. */ |
| 217 | bufflen = sprintf(buffer, "%u", port); |
| 218 | if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff, |
YOSHIFUJI Hideaki | e905a9e | 2007-02-09 23:24:47 +0900 | [diff] [blame] | 219 | buffer, bufflen, POS_MEDIA)) |
Patrick McHardy | 9fafcd7 | 2006-12-02 22:09:57 -0800 | [diff] [blame] | 220 | return 0; |
| 221 | |
| 222 | return mangle_content_len(pskb, ctinfo, ct, dptr); |
| 223 | } |
| 224 | |
| 225 | /* So, this packet has hit the connection tracking matching code. |
| 226 | Mangle it, and change the expectation to match the new version. */ |
| 227 | static unsigned int ip_nat_sdp(struct sk_buff **pskb, |
| 228 | enum ip_conntrack_info ctinfo, |
| 229 | struct nf_conntrack_expect *exp, |
| 230 | const char *dptr) |
| 231 | { |
| 232 | struct nf_conn *ct = exp->master; |
| 233 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
| 234 | __be32 newip; |
| 235 | u_int16_t port; |
| 236 | |
| 237 | DEBUGP("ip_nat_sdp():\n"); |
| 238 | |
| 239 | /* Connection will come from reply */ |
| 240 | newip = ct->tuplehash[!dir].tuple.dst.u3.ip; |
| 241 | |
| 242 | exp->tuple.dst.u3.ip = newip; |
| 243 | exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port; |
| 244 | exp->dir = !dir; |
| 245 | |
| 246 | /* When you see the packet, we need to NAT it the same as the |
| 247 | this one. */ |
| 248 | exp->expectfn = nf_nat_follow_master; |
| 249 | |
| 250 | /* Try to get same port: if not, try to change it. */ |
| 251 | for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) { |
| 252 | exp->tuple.dst.u.udp.port = htons(port); |
| 253 | if (nf_conntrack_expect_related(exp) == 0) |
| 254 | break; |
| 255 | } |
| 256 | |
| 257 | if (port == 0) |
| 258 | return NF_DROP; |
| 259 | |
| 260 | if (!mangle_sdp(pskb, ctinfo, ct, newip, port, dptr)) { |
| 261 | nf_conntrack_unexpect_related(exp); |
| 262 | return NF_DROP; |
| 263 | } |
| 264 | return NF_ACCEPT; |
| 265 | } |
| 266 | |
| 267 | static void __exit nf_nat_sip_fini(void) |
| 268 | { |
| 269 | rcu_assign_pointer(nf_nat_sip_hook, NULL); |
| 270 | rcu_assign_pointer(nf_nat_sdp_hook, NULL); |
| 271 | synchronize_rcu(); |
| 272 | } |
| 273 | |
| 274 | static int __init nf_nat_sip_init(void) |
| 275 | { |
| 276 | BUG_ON(rcu_dereference(nf_nat_sip_hook)); |
| 277 | BUG_ON(rcu_dereference(nf_nat_sdp_hook)); |
| 278 | rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip); |
| 279 | rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp); |
| 280 | return 0; |
| 281 | } |
| 282 | |
| 283 | module_init(nf_nat_sip_init); |
| 284 | module_exit(nf_nat_sip_fini); |