aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2010-02-11 06:29:38 -0500
committerPatrick McHardy <kaber@trash.net>2010-02-11 06:29:38 -0500
commit48f8ac26537c1b7b1a2422f5232f45d06c945348 (patch)
tree352aab0881ef9e449dc86b3dc1da2b4b329ead44
parent010c0b9f34a4c567b431f8b49a58b7332ed42e47 (diff)
netfilter: nf_nat_sip: add TCP support
Add support for mangling TCP SIP packets. Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--include/linux/netfilter/nf_conntrack_sip.h1
-rw-r--r--net/ipv4/netfilter/nf_nat_sip.c53
-rw-r--r--net/netfilter/nf_conntrack_sip.c10
3 files changed, 58 insertions, 6 deletions
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index fa9bb8981450..cd84d6f44d11 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -104,6 +104,7 @@ extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
104 unsigned int dataoff, 104 unsigned int dataoff,
105 const char **dptr, 105 const char **dptr,
106 unsigned int *datalen); 106 unsigned int *datalen);
107extern void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off);
107extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, 108extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
108 unsigned int dataoff, 109 unsigned int dataoff,
109 const char **dptr, 110 const char **dptr,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index b232e4040dc6..11b538deaaec 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -1,4 +1,4 @@
1/* SIP extension for UDP NAT alteration. 1/* SIP extension for NAT alteration.
2 * 2 *
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> 3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules. 4 * based on RR's ip_nat_ftp.c and other modules.
@@ -15,6 +15,7 @@
15#include <linux/ip.h> 15#include <linux/ip.h>
16#include <net/ip.h> 16#include <net/ip.h>
17#include <linux/udp.h> 17#include <linux/udp.h>
18#include <linux/tcp.h>
18 19
19#include <net/netfilter/nf_nat.h> 20#include <net/netfilter/nf_nat.h>
20#include <net/netfilter/nf_nat_helper.h> 21#include <net/netfilter/nf_nat_helper.h>
@@ -36,10 +37,27 @@ static unsigned int mangle_packet(struct sk_buff *skb, unsigned int dataoff,
36{ 37{
37 enum ip_conntrack_info ctinfo; 38 enum ip_conntrack_info ctinfo;
38 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 39 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
39 40 struct tcphdr *th;
40 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen, 41 unsigned int baseoff;
41 buffer, buflen)) 42
42 return 0; 43 if (nf_ct_protonum(ct) == IPPROTO_TCP) {
44 th = (struct tcphdr *)(skb->data + ip_hdrlen(skb));
45 baseoff = ip_hdrlen(skb) + th->doff * 4;
46 matchoff += dataoff - baseoff;
47
48 if (!__nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
49 matchoff, matchlen,
50 buffer, buflen, false))
51 return 0;
52 } else {
53 baseoff = ip_hdrlen(skb) + sizeof(struct udphdr);
54 matchoff += dataoff - baseoff;
55
56 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
57 matchoff, matchlen,
58 buffer, buflen))
59 return 0;
60 }
43 61
44 /* Reload data pointer and adjust datalen value */ 62 /* Reload data pointer and adjust datalen value */
45 *dptr = skb->data + dataoff; 63 *dptr = skb->data + dataoff;
@@ -104,6 +122,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
104 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 122 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
105 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 123 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
106 unsigned int coff, matchoff, matchlen; 124 unsigned int coff, matchoff, matchlen;
125 enum sip_header_types hdr;
107 union nf_inet_addr addr; 126 union nf_inet_addr addr;
108 __be16 port; 127 __be16 port;
109 int request, in_header; 128 int request, in_header;
@@ -120,9 +139,14 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
120 } else 139 } else
121 request = 0; 140 request = 0;
122 141
142 if (nf_ct_protonum(ct) == IPPROTO_TCP)
143 hdr = SIP_HDR_VIA_TCP;
144 else
145 hdr = SIP_HDR_VIA_UDP;
146
123 /* Translate topmost Via header and parameters */ 147 /* Translate topmost Via header and parameters */
124 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, 148 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
125 SIP_HDR_VIA_UDP, NULL, &matchoff, &matchlen, 149 hdr, NULL, &matchoff, &matchlen,
126 &addr, &port) > 0) { 150 &addr, &port) > 0) {
127 unsigned int matchend, poff, plen, buflen, n; 151 unsigned int matchend, poff, plen, buflen, n;
128 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; 152 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
@@ -204,9 +228,23 @@ next:
204 if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) || 228 if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) ||
205 !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO)) 229 !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO))
206 return NF_DROP; 230 return NF_DROP;
231
207 return NF_ACCEPT; 232 return NF_ACCEPT;
208} 233}
209 234
235static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off)
236{
237 enum ip_conntrack_info ctinfo;
238 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
239 const struct tcphdr *th;
240
241 if (nf_ct_protonum(ct) != IPPROTO_TCP || off == 0)
242 return;
243
244 th = (struct tcphdr *)(skb->data + ip_hdrlen(skb));
245 nf_nat_set_seq_adjust(ct, ctinfo, th->seq, off);
246}
247
210/* Handles expected signalling connections and media streams */ 248/* Handles expected signalling connections and media streams */
211static void ip_nat_sip_expected(struct nf_conn *ct, 249static void ip_nat_sip_expected(struct nf_conn *ct,
212 struct nf_conntrack_expect *exp) 250 struct nf_conntrack_expect *exp)
@@ -472,6 +510,7 @@ err1:
472static void __exit nf_nat_sip_fini(void) 510static void __exit nf_nat_sip_fini(void)
473{ 511{
474 rcu_assign_pointer(nf_nat_sip_hook, NULL); 512 rcu_assign_pointer(nf_nat_sip_hook, NULL);
513 rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, NULL);
475 rcu_assign_pointer(nf_nat_sip_expect_hook, NULL); 514 rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
476 rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL); 515 rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
477 rcu_assign_pointer(nf_nat_sdp_port_hook, NULL); 516 rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
@@ -483,12 +522,14 @@ static void __exit nf_nat_sip_fini(void)
483static int __init nf_nat_sip_init(void) 522static int __init nf_nat_sip_init(void)
484{ 523{
485 BUG_ON(nf_nat_sip_hook != NULL); 524 BUG_ON(nf_nat_sip_hook != NULL);
525 BUG_ON(nf_nat_sip_seq_adjust_hook != NULL);
486 BUG_ON(nf_nat_sip_expect_hook != NULL); 526 BUG_ON(nf_nat_sip_expect_hook != NULL);
487 BUG_ON(nf_nat_sdp_addr_hook != NULL); 527 BUG_ON(nf_nat_sdp_addr_hook != NULL);
488 BUG_ON(nf_nat_sdp_port_hook != NULL); 528 BUG_ON(nf_nat_sdp_port_hook != NULL);
489 BUG_ON(nf_nat_sdp_session_hook != NULL); 529 BUG_ON(nf_nat_sdp_session_hook != NULL);
490 BUG_ON(nf_nat_sdp_media_hook != NULL); 530 BUG_ON(nf_nat_sdp_media_hook != NULL);
491 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip); 531 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
532 rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, ip_nat_sip_seq_adjust);
492 rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect); 533 rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
493 rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr); 534 rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
494 rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port); 535 rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1cc75c5a822b..3bb3aaff76e9 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -56,6 +56,9 @@ unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, unsigned int dataoff,
56 unsigned int *datalen) __read_mostly; 56 unsigned int *datalen) __read_mostly;
57EXPORT_SYMBOL_GPL(nf_nat_sip_hook); 57EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
58 58
59void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off) __read_mostly;
60EXPORT_SYMBOL_GPL(nf_nat_sip_seq_adjust_hook);
61
59unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, 62unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
60 unsigned int dataoff, 63 unsigned int dataoff,
61 const char **dptr, 64 const char **dptr,
@@ -1360,6 +1363,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1360 const char *dptr, *end; 1363 const char *dptr, *end;
1361 s16 diff, tdiff = 0; 1364 s16 diff, tdiff = 0;
1362 int ret; 1365 int ret;
1366 typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
1363 1367
1364 if (ctinfo != IP_CT_ESTABLISHED && 1368 if (ctinfo != IP_CT_ESTABLISHED &&
1365 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) 1369 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
@@ -1415,6 +1419,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1415 datalen = datalen + diff - msglen; 1419 datalen = datalen + diff - msglen;
1416 } 1420 }
1417 1421
1422 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1423 nf_nat_sip_seq_adjust = rcu_dereference(nf_nat_sip_seq_adjust_hook);
1424 if (nf_nat_sip_seq_adjust)
1425 nf_nat_sip_seq_adjust(skb, tdiff);
1426 }
1427
1418 return ret; 1428 return ret;
1419} 1429}
1420 1430