diff options
| author | Patrick McHardy <kaber@trash.net> | 2012-08-26 13:14:25 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-29 21:00:22 -0400 |
| commit | 9a664821068739dbc8eac13770e28167b46a0c0f (patch) | |
| tree | df7921b2a21c92442fb9021688006f09e5e3bebd /net/ipv4 | |
| parent | ee6eb96673704225164f0ba7462e1973ce10885c (diff) | |
netfilter: nf_nat: support IPv6 in SIP NAT helper
Add IPv6 support to the SIP NAT helper. There are no functional differences
to IPv4 NAT, just different formats for addresses.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/Kconfig | 5 | ||||
| -rw-r--r-- | net/ipv4/netfilter/Makefile | 1 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_sip.c | 580 |
3 files changed, 0 insertions, 586 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 52c4a87007aa..30197f8003be 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
| @@ -242,11 +242,6 @@ config NF_NAT_H323 | |||
| 242 | depends on NF_CONNTRACK && NF_NAT_IPV4 | 242 | depends on NF_CONNTRACK && NF_NAT_IPV4 |
| 243 | default NF_NAT_IPV4 && NF_CONNTRACK_H323 | 243 | default NF_NAT_IPV4 && NF_CONNTRACK_H323 |
| 244 | 244 | ||
| 245 | config NF_NAT_SIP | ||
| 246 | tristate | ||
| 247 | depends on NF_CONNTRACK && NF_NAT_IPV4 | ||
| 248 | default NF_NAT_IPV4 && NF_CONNTRACK_SIP | ||
| 249 | |||
| 250 | # mangle + specific targets | 245 | # mangle + specific targets |
| 251 | config IP_NF_MANGLE | 246 | config IP_NF_MANGLE |
| 252 | tristate "Packet mangling" | 247 | tristate "Packet mangling" |
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 8baa496f6a4e..8914abffc96d 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
| @@ -23,7 +23,6 @@ obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o | |||
| 23 | obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o | 23 | obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o |
| 24 | obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o | 24 | obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o |
| 25 | obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o | 25 | obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o |
| 26 | obj-$(CONFIG_NF_NAT_SIP) += nf_nat_sip.o | ||
| 27 | obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o | 26 | obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o |
| 28 | obj-$(CONFIG_NF_NAT_TFTP) += nf_nat_tftp.o | 27 | obj-$(CONFIG_NF_NAT_TFTP) += nf_nat_tftp.o |
| 29 | 28 | ||
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c deleted file mode 100644 index 47a47186a791..000000000000 --- a/net/ipv4/netfilter/nf_nat_sip.c +++ /dev/null | |||
| @@ -1,580 +0,0 @@ | |||
| 1 | /* SIP extension for NAT alteration. | ||
| 2 | * | ||
| 3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | ||
| 4 | * based on RR's ip_nat_ftp.c and other modules. | ||
| 5 | * (C) 2007 United Security Providers | ||
| 6 | * (C) 2007, 2008 Patrick McHardy <kaber@trash.net> | ||
| 7 | * | ||
| 8 | * This program is free software; you can redistribute it and/or modify | ||
| 9 | * it under the terms of the GNU General Public License version 2 as | ||
| 10 | * published by the Free Software Foundation. | ||
| 11 | */ | ||
| 12 | |||
| 13 | #include <linux/module.h> | ||
| 14 | #include <linux/skbuff.h> | ||
| 15 | #include <linux/ip.h> | ||
| 16 | #include <net/ip.h> | ||
| 17 | #include <linux/udp.h> | ||
| 18 | #include <linux/tcp.h> | ||
| 19 | |||
| 20 | #include <net/netfilter/nf_nat.h> | ||
| 21 | #include <net/netfilter/nf_nat_helper.h> | ||
| 22 | #include <net/netfilter/nf_conntrack_helper.h> | ||
| 23 | #include <net/netfilter/nf_conntrack_expect.h> | ||
| 24 | #include <linux/netfilter/nf_conntrack_sip.h> | ||
| 25 | |||
| 26 | MODULE_LICENSE("GPL"); | ||
| 27 | MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); | ||
| 28 | MODULE_DESCRIPTION("SIP NAT helper"); | ||
| 29 | MODULE_ALIAS("ip_nat_sip"); | ||
| 30 | |||
| 31 | |||
| 32 | static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff, | ||
| 33 | unsigned int dataoff, | ||
| 34 | const char **dptr, unsigned int *datalen, | ||
| 35 | unsigned int matchoff, unsigned int matchlen, | ||
| 36 | const char *buffer, unsigned int buflen) | ||
| 37 | { | ||
| 38 | enum ip_conntrack_info ctinfo; | ||
| 39 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 40 | struct tcphdr *th; | ||
| 41 | unsigned int baseoff; | ||
| 42 | |||
| 43 | if (nf_ct_protonum(ct) == IPPROTO_TCP) { | ||
| 44 | th = (struct tcphdr *)(skb->data + ip_hdrlen(skb)); | ||
| 45 | baseoff = ip_hdrlen(skb) + th->doff * 4; | ||
| 46 | matchoff += dataoff - baseoff; | ||
| 47 | |||
| 48 | if (!__nf_nat_mangle_tcp_packet(skb, ct, ctinfo, | ||
| 49 | protoff, matchoff, matchlen, | ||
| 50 | buffer, buflen, false)) | ||
| 51 | return 0; | ||
| 52 | } else { | ||
| 53 | baseoff = ip_hdrlen(skb) + sizeof(struct udphdr); | ||
| 54 | matchoff += dataoff - baseoff; | ||
| 55 | |||
| 56 | if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, | ||
| 57 | protoff, matchoff, matchlen, | ||
| 58 | buffer, buflen)) | ||
| 59 | return 0; | ||
| 60 | } | ||
| 61 | |||
| 62 | /* Reload data pointer and adjust datalen value */ | ||
| 63 | *dptr = skb->data + dataoff; | ||
| 64 | *datalen += buflen - matchlen; | ||
| 65 | return 1; | ||
| 66 | } | ||
| 67 | |||
| 68 | static int map_addr(struct sk_buff *skb, unsigned int protoff, | ||
| 69 | unsigned int dataoff, | ||
| 70 | const char **dptr, unsigned int *datalen, | ||
| 71 | unsigned int matchoff, unsigned int matchlen, | ||
| 72 | union nf_inet_addr *addr, __be16 port) | ||
| 73 | { | ||
| 74 | enum ip_conntrack_info ctinfo; | ||
| 75 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 76 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | ||
| 77 | char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; | ||
| 78 | unsigned int buflen; | ||
| 79 | __be32 newaddr; | ||
| 80 | __be16 newport; | ||
| 81 | |||
| 82 | if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip && | ||
| 83 | ct->tuplehash[dir].tuple.src.u.udp.port == port) { | ||
| 84 | newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip; | ||
| 85 | newport = ct->tuplehash[!dir].tuple.dst.u.udp.port; | ||
| 86 | } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip && | ||
| 87 | ct->tuplehash[dir].tuple.dst.u.udp.port == port) { | ||
| 88 | newaddr = ct->tuplehash[!dir].tuple.src.u3.ip; | ||
| 89 | newport = ct->tuplehash[!dir].tuple.src.u.udp.port; | ||
| 90 | } else | ||
| 91 | return 1; | ||
| 92 | |||
| 93 | if (newaddr == addr->ip && newport == port) | ||
| 94 | return 1; | ||
| 95 | |||
| 96 | buflen = sprintf(buffer, "%pI4:%u", &newaddr, ntohs(newport)); | ||
| 97 | |||
| 98 | return mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 99 | matchoff, matchlen, buffer, buflen); | ||
| 100 | } | ||
| 101 | |||
| 102 | static int map_sip_addr(struct sk_buff *skb, unsigned int protoff, | ||
| 103 | unsigned int dataoff, | ||
| 104 | const char **dptr, unsigned int *datalen, | ||
| 105 | enum sip_header_types type) | ||
| 106 | { | ||
| 107 | enum ip_conntrack_info ctinfo; | ||
| 108 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 109 | unsigned int matchlen, matchoff; | ||
| 110 | union nf_inet_addr addr; | ||
| 111 | __be16 port; | ||
| 112 | |||
| 113 | if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL, | ||
| 114 | &matchoff, &matchlen, &addr, &port) <= 0) | ||
| 115 | return 1; | ||
| 116 | return map_addr(skb, protoff, dataoff, dptr, datalen, | ||
| 117 | matchoff, matchlen, &addr, port); | ||
| 118 | } | ||
| 119 | |||
| 120 | static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int protoff, | ||
| 121 | unsigned int dataoff, | ||
| 122 | const char **dptr, unsigned int *datalen) | ||
| 123 | { | ||
| 124 | enum ip_conntrack_info ctinfo; | ||
| 125 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 126 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | ||
| 127 | unsigned int coff, matchoff, matchlen; | ||
| 128 | enum sip_header_types hdr; | ||
| 129 | union nf_inet_addr addr; | ||
| 130 | __be16 port; | ||
| 131 | int request, in_header; | ||
| 132 | |||
| 133 | /* Basic rules: requests and responses. */ | ||
| 134 | if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) { | ||
| 135 | if (ct_sip_parse_request(ct, *dptr, *datalen, | ||
| 136 | &matchoff, &matchlen, | ||
| 137 | &addr, &port) > 0 && | ||
| 138 | !map_addr(skb, protoff, dataoff, dptr, datalen, | ||
| 139 | matchoff, matchlen, &addr, port)) | ||
| 140 | return NF_DROP; | ||
| 141 | request = 1; | ||
| 142 | } else | ||
| 143 | request = 0; | ||
| 144 | |||
| 145 | if (nf_ct_protonum(ct) == IPPROTO_TCP) | ||
| 146 | hdr = SIP_HDR_VIA_TCP; | ||
| 147 | else | ||
| 148 | hdr = SIP_HDR_VIA_UDP; | ||
| 149 | |||
| 150 | /* Translate topmost Via header and parameters */ | ||
| 151 | if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, | ||
| 152 | hdr, NULL, &matchoff, &matchlen, | ||
| 153 | &addr, &port) > 0) { | ||
| 154 | unsigned int olen, matchend, poff, plen, buflen, n; | ||
| 155 | char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; | ||
| 156 | |||
| 157 | /* We're only interested in headers related to this | ||
| 158 | * connection */ | ||
| 159 | if (request) { | ||
| 160 | if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip || | ||
| 161 | port != ct->tuplehash[dir].tuple.src.u.udp.port) | ||
| 162 | goto next; | ||
| 163 | } else { | ||
| 164 | if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip || | ||
| 165 | port != ct->tuplehash[dir].tuple.dst.u.udp.port) | ||
| 166 | goto next; | ||
| 167 | } | ||
| 168 | |||
| 169 | olen = *datalen; | ||
| 170 | if (!map_addr(skb, protoff, dataoff, dptr, datalen, | ||
| 171 | matchoff, matchlen, &addr, port)) | ||
| 172 | return NF_DROP; | ||
| 173 | |||
| 174 | matchend = matchoff + matchlen + *datalen - olen; | ||
| 175 | |||
| 176 | /* The maddr= parameter (RFC 2361) specifies where to send | ||
| 177 | * the reply. */ | ||
| 178 | if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen, | ||
| 179 | "maddr=", &poff, &plen, | ||
| 180 | &addr, true) > 0 && | ||
| 181 | addr.ip == ct->tuplehash[dir].tuple.src.u3.ip && | ||
| 182 | addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) { | ||
| 183 | buflen = sprintf(buffer, "%pI4", | ||
| 184 | &ct->tuplehash[!dir].tuple.dst.u3.ip); | ||
| 185 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 186 | poff, plen, buffer, buflen)) | ||
| 187 | return NF_DROP; | ||
| 188 | } | ||
| 189 | |||
| 190 | /* The received= parameter (RFC 2361) contains the address | ||
| 191 | * from which the server received the request. */ | ||
| 192 | if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen, | ||
| 193 | "received=", &poff, &plen, | ||
| 194 | &addr, false) > 0 && | ||
| 195 | addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip && | ||
| 196 | addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) { | ||
| 197 | buflen = sprintf(buffer, "%pI4", | ||
| 198 | &ct->tuplehash[!dir].tuple.src.u3.ip); | ||
| 199 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 200 | poff, plen, buffer, buflen)) | ||
| 201 | return NF_DROP; | ||
| 202 | } | ||
| 203 | |||
| 204 | /* The rport= parameter (RFC 3581) contains the port number | ||
| 205 | * from which the server received the request. */ | ||
| 206 | if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen, | ||
| 207 | "rport=", &poff, &plen, | ||
| 208 | &n) > 0 && | ||
| 209 | htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port && | ||
| 210 | htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) { | ||
| 211 | __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port; | ||
| 212 | buflen = sprintf(buffer, "%u", ntohs(p)); | ||
| 213 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 214 | poff, plen, buffer, buflen)) | ||
| 215 | return NF_DROP; | ||
| 216 | } | ||
| 217 | } | ||
| 218 | |||
| 219 | next: | ||
| 220 | /* Translate Contact headers */ | ||
| 221 | coff = 0; | ||
| 222 | in_header = 0; | ||
| 223 | while (ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen, | ||
| 224 | SIP_HDR_CONTACT, &in_header, | ||
| 225 | &matchoff, &matchlen, | ||
| 226 | &addr, &port) > 0) { | ||
| 227 | if (!map_addr(skb, protoff, dataoff, dptr, datalen, | ||
| 228 | matchoff, matchlen, | ||
| 229 | &addr, port)) | ||
| 230 | return NF_DROP; | ||
| 231 | } | ||
| 232 | |||
| 233 | if (!map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_FROM) || | ||
| 234 | !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) | ||
| 235 | return NF_DROP; | ||
| 236 | |||
| 237 | return NF_ACCEPT; | ||
| 238 | } | ||
| 239 | |||
| 240 | static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off) | ||
| 241 | { | ||
| 242 | enum ip_conntrack_info ctinfo; | ||
| 243 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 244 | const struct tcphdr *th; | ||
| 245 | |||
| 246 | if (nf_ct_protonum(ct) != IPPROTO_TCP || off == 0) | ||
| 247 | return; | ||
| 248 | |||
| 249 | th = (struct tcphdr *)(skb->data + ip_hdrlen(skb)); | ||
| 250 | nf_nat_set_seq_adjust(ct, ctinfo, th->seq, off); | ||
| 251 | } | ||
| 252 | |||
| 253 | /* Handles expected signalling connections and media streams */ | ||
| 254 | static void ip_nat_sip_expected(struct nf_conn *ct, | ||
| 255 | struct nf_conntrack_expect *exp) | ||
| 256 | { | ||
| 257 | struct nf_nat_range range; | ||
| 258 | |||
| 259 | /* This must be a fresh one. */ | ||
| 260 | BUG_ON(ct->status & IPS_NAT_DONE_MASK); | ||
| 261 | |||
| 262 | /* For DST manip, map port here to where it's expected. */ | ||
| 263 | range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED); | ||
| 264 | range.min_proto = range.max_proto = exp->saved_proto; | ||
| 265 | range.min_addr = range.max_addr = exp->saved_addr; | ||
| 266 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST); | ||
| 267 | |||
| 268 | /* Change src to where master sends to, but only if the connection | ||
| 269 | * actually came from the same source. */ | ||
| 270 | if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == | ||
| 271 | ct->master->tuplehash[exp->dir].tuple.src.u3.ip) { | ||
| 272 | range.flags = NF_NAT_RANGE_MAP_IPS; | ||
| 273 | range.min_addr = range.max_addr | ||
| 274 | = ct->master->tuplehash[!exp->dir].tuple.dst.u3; | ||
| 275 | nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC); | ||
| 276 | } | ||
| 277 | } | ||
| 278 | |||
| 279 | static unsigned int ip_nat_sip_expect(struct sk_buff *skb, unsigned int protoff, | ||
| 280 | unsigned int dataoff, | ||
| 281 | const char **dptr, unsigned int *datalen, | ||
| 282 | struct nf_conntrack_expect *exp, | ||
| 283 | unsigned int matchoff, | ||
| 284 | unsigned int matchlen) | ||
| 285 | { | ||
| 286 | enum ip_conntrack_info ctinfo; | ||
| 287 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 288 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | ||
| 289 | __be32 newip; | ||
| 290 | u_int16_t port; | ||
| 291 | char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; | ||
| 292 | unsigned int buflen; | ||
| 293 | |||
| 294 | /* Connection will come from reply */ | ||
| 295 | if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip) | ||
| 296 | newip = exp->tuple.dst.u3.ip; | ||
| 297 | else | ||
| 298 | newip = ct->tuplehash[!dir].tuple.dst.u3.ip; | ||
| 299 | |||
| 300 | /* If the signalling port matches the connection's source port in the | ||
| 301 | * original direction, try to use the destination port in the opposite | ||
| 302 | * direction. */ | ||
| 303 | if (exp->tuple.dst.u.udp.port == | ||
| 304 | ct->tuplehash[dir].tuple.src.u.udp.port) | ||
| 305 | port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port); | ||
| 306 | else | ||
| 307 | port = ntohs(exp->tuple.dst.u.udp.port); | ||
| 308 | |||
| 309 | exp->saved_addr = exp->tuple.dst.u3; | ||
| 310 | exp->tuple.dst.u3.ip = newip; | ||
| 311 | exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port; | ||
| 312 | exp->dir = !dir; | ||
| 313 | exp->expectfn = ip_nat_sip_expected; | ||
| 314 | |||
| 315 | for (; port != 0; port++) { | ||
| 316 | int ret; | ||
| 317 | |||
| 318 | exp->tuple.dst.u.udp.port = htons(port); | ||
| 319 | ret = nf_ct_expect_related(exp); | ||
| 320 | if (ret == 0) | ||
| 321 | break; | ||
| 322 | else if (ret != -EBUSY) { | ||
| 323 | port = 0; | ||
| 324 | break; | ||
| 325 | } | ||
| 326 | } | ||
| 327 | |||
| 328 | if (port == 0) | ||
| 329 | return NF_DROP; | ||
| 330 | |||
| 331 | if (exp->tuple.dst.u3.ip != exp->saved_addr.ip || | ||
| 332 | exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) { | ||
| 333 | buflen = sprintf(buffer, "%pI4:%u", &newip, port); | ||
| 334 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 335 | matchoff, matchlen, buffer, buflen)) | ||
| 336 | goto err; | ||
| 337 | } | ||
| 338 | return NF_ACCEPT; | ||
| 339 | |||
| 340 | err: | ||
| 341 | nf_ct_unexpect_related(exp); | ||
| 342 | return NF_DROP; | ||
| 343 | } | ||
| 344 | |||
| 345 | static int mangle_content_len(struct sk_buff *skb, unsigned int protoff, | ||
| 346 | unsigned int dataoff, | ||
| 347 | const char **dptr, unsigned int *datalen) | ||
| 348 | { | ||
| 349 | enum ip_conntrack_info ctinfo; | ||
| 350 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 351 | unsigned int matchoff, matchlen; | ||
| 352 | char buffer[sizeof("65536")]; | ||
| 353 | int buflen, c_len; | ||
| 354 | |||
| 355 | /* Get actual SDP length */ | ||
| 356 | if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen, | ||
| 357 | SDP_HDR_VERSION, SDP_HDR_UNSPEC, | ||
| 358 | &matchoff, &matchlen) <= 0) | ||
| 359 | return 0; | ||
| 360 | c_len = *datalen - matchoff + strlen("v="); | ||
| 361 | |||
| 362 | /* Now, update SDP length */ | ||
| 363 | if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH, | ||
| 364 | &matchoff, &matchlen) <= 0) | ||
| 365 | return 0; | ||
| 366 | |||
| 367 | buflen = sprintf(buffer, "%u", c_len); | ||
| 368 | return mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 369 | matchoff, matchlen, buffer, buflen); | ||
| 370 | } | ||
| 371 | |||
| 372 | static int mangle_sdp_packet(struct sk_buff *skb, unsigned int protoff, | ||
| 373 | unsigned int dataoff, | ||
| 374 | const char **dptr, unsigned int *datalen, | ||
| 375 | unsigned int sdpoff, | ||
| 376 | enum sdp_header_types type, | ||
| 377 | enum sdp_header_types term, | ||
| 378 | char *buffer, int buflen) | ||
| 379 | { | ||
| 380 | enum ip_conntrack_info ctinfo; | ||
| 381 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 382 | unsigned int matchlen, matchoff; | ||
| 383 | |||
| 384 | if (ct_sip_get_sdp_header(ct, *dptr, sdpoff, *datalen, type, term, | ||
| 385 | &matchoff, &matchlen) <= 0) | ||
| 386 | return -ENOENT; | ||
| 387 | return mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 388 | matchoff, matchlen, buffer, buflen) ? 0 : -EINVAL; | ||
| 389 | } | ||
| 390 | |||
| 391 | static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, unsigned int protoff, | ||
| 392 | unsigned int dataoff, | ||
| 393 | const char **dptr, unsigned int *datalen, | ||
| 394 | unsigned int sdpoff, | ||
| 395 | enum sdp_header_types type, | ||
| 396 | enum sdp_header_types term, | ||
| 397 | const union nf_inet_addr *addr) | ||
| 398 | { | ||
| 399 | char buffer[sizeof("nnn.nnn.nnn.nnn")]; | ||
| 400 | unsigned int buflen; | ||
| 401 | |||
| 402 | buflen = sprintf(buffer, "%pI4", &addr->ip); | ||
| 403 | if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 404 | sdpoff, type, term, buffer, buflen)) | ||
| 405 | return 0; | ||
| 406 | |||
| 407 | return mangle_content_len(skb, protoff, dataoff, dptr, datalen); | ||
| 408 | } | ||
| 409 | |||
| 410 | static unsigned int ip_nat_sdp_port(struct sk_buff *skb, unsigned int protoff, | ||
| 411 | unsigned int dataoff, | ||
| 412 | const char **dptr, unsigned int *datalen, | ||
| 413 | unsigned int matchoff, | ||
| 414 | unsigned int matchlen, | ||
| 415 | u_int16_t port) | ||
| 416 | { | ||
| 417 | char buffer[sizeof("nnnnn")]; | ||
| 418 | unsigned int buflen; | ||
| 419 | |||
| 420 | buflen = sprintf(buffer, "%u", port); | ||
| 421 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | ||
| 422 | matchoff, matchlen, buffer, buflen)) | ||
| 423 | return 0; | ||
| 424 | |||
| 425 | return mangle_content_len(skb, protoff, dataoff, dptr, datalen); | ||
| 426 | } | ||
| 427 | |||
| 428 | static unsigned int ip_nat_sdp_session(struct sk_buff *skb, unsigned int protoff, | ||
| 429 | unsigned int dataoff, | ||
| 430 | const char **dptr, unsigned int *datalen, | ||
| 431 | unsigned int sdpoff, | ||
| 432 | const union nf_inet_addr *addr) | ||
| 433 | { | ||
| 434 | char buffer[sizeof("nnn.nnn.nnn.nnn")]; | ||
| 435 | unsigned int buflen; | ||
| 436 | |||
| 437 | /* Mangle session description owner and contact addresses */ | ||
| 438 | buflen = sprintf(buffer, "%pI4", &addr->ip); | ||
| 439 | if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen, sdpoff, | ||
| 440 | SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA, | ||
| 441 | buffer, buflen)) | ||
| 442 | return 0; | ||
| 443 | |||
| 444 | switch (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen, sdpoff, | ||
| 445 | SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA, | ||
| 446 | buffer, buflen)) { | ||
| 447 | case 0: | ||
| 448 | /* | ||
| 449 | * RFC 2327: | ||
| 450 | * | ||
| 451 | * Session description | ||
| 452 | * | ||
| 453 | * c=* (connection information - not required if included in all media) | ||
| 454 | */ | ||
| 455 | case -ENOENT: | ||
| 456 | break; | ||
| 457 | default: | ||
| 458 | return 0; | ||
| 459 | } | ||
| 460 | |||
| 461 | return mangle_content_len(skb, protoff, dataoff, dptr, datalen); | ||
| 462 | } | ||
| 463 | |||
| 464 | /* So, this packet has hit the connection tracking matching code. | ||
| 465 | Mangle it, and change the expectation to match the new version. */ | ||
| 466 | static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int protoff, | ||
| 467 | unsigned int dataoff, | ||
| 468 | const char **dptr, unsigned int *datalen, | ||
| 469 | struct nf_conntrack_expect *rtp_exp, | ||
| 470 | struct nf_conntrack_expect *rtcp_exp, | ||
| 471 | unsigned int mediaoff, | ||
| 472 | unsigned int medialen, | ||
| 473 | union nf_inet_addr *rtp_addr) | ||
| 474 | { | ||
| 475 | enum ip_conntrack_info ctinfo; | ||
| 476 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
| 477 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | ||
| 478 | u_int16_t port; | ||
| 479 | |||
| 480 | /* Connection will come from reply */ | ||
| 481 | if (ct->tuplehash[dir].tuple.src.u3.ip == | ||
| 482 | ct->tuplehash[!dir].tuple.dst.u3.ip) | ||
| 483 | rtp_addr->ip = rtp_exp->tuple.dst.u3.ip; | ||
| 484 | else | ||
| 485 | rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip; | ||
| 486 | |||
| 487 | rtp_exp->saved_addr = rtp_exp->tuple.dst.u3; | ||
| 488 | rtp_exp->tuple.dst.u3.ip = rtp_addr->ip; | ||
| 489 | rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port; | ||
| 490 | rtp_exp->dir = !dir; | ||
| 491 | rtp_exp->expectfn = ip_nat_sip_expected; | ||
| 492 | |||
| 493 | rtcp_exp->saved_addr = rtcp_exp->tuple.dst.u3; | ||
| 494 | rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip; | ||
| 495 | rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port; | ||
| 496 | rtcp_exp->dir = !dir; | ||
| 497 | rtcp_exp->expectfn = ip_nat_sip_expected; | ||
| 498 | |||
| 499 | /* Try to get same pair of ports: if not, try to change them. */ | ||
| 500 | for (port = ntohs(rtp_exp->tuple.dst.u.udp.port); | ||
| 501 | port != 0; port += 2) { | ||
| 502 | int ret; | ||
| 503 | |||
| 504 | rtp_exp->tuple.dst.u.udp.port = htons(port); | ||
| 505 | ret = nf_ct_expect_related(rtp_exp); | ||
| 506 | if (ret == -EBUSY) | ||
| 507 | continue; | ||
| 508 | else if (ret < 0) { | ||
| 509 | port = 0; | ||
| 510 | break; | ||
| 511 | } | ||
| 512 | rtcp_exp->tuple.dst.u.udp.port = htons(port + 1); | ||
| 513 | ret = nf_ct_expect_related(rtcp_exp); | ||
| 514 | if (ret == 0) | ||
| 515 | break; | ||
| 516 | else if (ret != -EBUSY) { | ||
| 517 | nf_ct_unexpect_related(rtp_exp); | ||
| 518 | port = 0; | ||
| 519 | break; | ||
| 520 | } | ||
| 521 | } | ||
| 522 | |||
| 523 | if (port == 0) | ||
| 524 | goto err1; | ||
| 525 | |||
| 526 | /* Update media port. */ | ||
| 527 | if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port && | ||
| 528 | !ip_nat_sdp_port(skb, protoff, dataoff, dptr, datalen, | ||
| 529 | mediaoff, medialen, port)) | ||
| 530 | goto err2; | ||
| 531 | |||
| 532 | return NF_ACCEPT; | ||
| 533 | |||
| 534 | err2: | ||
| 535 | nf_ct_unexpect_related(rtp_exp); | ||
| 536 | nf_ct_unexpect_related(rtcp_exp); | ||
| 537 | err1: | ||
| 538 | return NF_DROP; | ||
| 539 | } | ||
| 540 | |||
| 541 | static struct nf_ct_helper_expectfn sip_nat = { | ||
| 542 | .name = "sip", | ||
| 543 | .expectfn = ip_nat_sip_expected, | ||
| 544 | }; | ||
| 545 | |||
| 546 | static void __exit nf_nat_sip_fini(void) | ||
| 547 | { | ||
| 548 | RCU_INIT_POINTER(nf_nat_sip_hook, NULL); | ||
| 549 | RCU_INIT_POINTER(nf_nat_sip_seq_adjust_hook, NULL); | ||
| 550 | RCU_INIT_POINTER(nf_nat_sip_expect_hook, NULL); | ||
| 551 | RCU_INIT_POINTER(nf_nat_sdp_addr_hook, NULL); | ||
| 552 | RCU_INIT_POINTER(nf_nat_sdp_port_hook, NULL); | ||
| 553 | RCU_INIT_POINTER(nf_nat_sdp_session_hook, NULL); | ||
| 554 | RCU_INIT_POINTER(nf_nat_sdp_media_hook, NULL); | ||
| 555 | nf_ct_helper_expectfn_unregister(&sip_nat); | ||
| 556 | synchronize_rcu(); | ||
| 557 | } | ||
| 558 | |||
| 559 | static int __init nf_nat_sip_init(void) | ||
| 560 | { | ||
| 561 | BUG_ON(nf_nat_sip_hook != NULL); | ||
| 562 | BUG_ON(nf_nat_sip_seq_adjust_hook != NULL); | ||
| 563 | BUG_ON(nf_nat_sip_expect_hook != NULL); | ||
| 564 | BUG_ON(nf_nat_sdp_addr_hook != NULL); | ||
| 565 | BUG_ON(nf_nat_sdp_port_hook != NULL); | ||
| 566 | BUG_ON(nf_nat_sdp_session_hook != NULL); | ||
| 567 | BUG_ON(nf_nat_sdp_media_hook != NULL); | ||
| 568 | RCU_INIT_POINTER(nf_nat_sip_hook, ip_nat_sip); | ||
| 569 | RCU_INIT_POINTER(nf_nat_sip_seq_adjust_hook, ip_nat_sip_seq_adjust); | ||
| 570 | RCU_INIT_POINTER(nf_nat_sip_expect_hook, ip_nat_sip_expect); | ||
| 571 | RCU_INIT_POINTER(nf_nat_sdp_addr_hook, ip_nat_sdp_addr); | ||
| 572 | RCU_INIT_POINTER(nf_nat_sdp_port_hook, ip_nat_sdp_port); | ||
| 573 | RCU_INIT_POINTER(nf_nat_sdp_session_hook, ip_nat_sdp_session); | ||
| 574 | RCU_INIT_POINTER(nf_nat_sdp_media_hook, ip_nat_sdp_media); | ||
| 575 | nf_ct_helper_expectfn_register(&sip_nat); | ||
| 576 | return 0; | ||
| 577 | } | ||
| 578 | |||
| 579 | module_init(nf_nat_sip_init); | ||
| 580 | module_exit(nf_nat_sip_fini); | ||