[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port

Add IPv4 and IPv6 capable nf_conntrack port of the SIP conntrack/NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 289 insertions, 0 deletions

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index c3327ac024de..83e83f553ccb 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -555,6 +555,11 @@ config IP_NF_NAT_SIP
         default IP_NF_NAT if IP_NF_SIP=y
         default m if IP_NF_SIP=m
 
+config NF_NAT_SIP
+        tristate
+        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
+        default NF_NAT && NF_CONNTRACK_SIP
+
 # mangle + specific targets
 config IP_NF_MANGLE
         tristate "Packet mangling"
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index ef33ff2cdda9..167b65e89aca 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -55,6 +55,7 @@ obj-$(CONFIG_NF_NAT_FTP) += nf_nat_ftp.o
 obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
 obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o
 obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
+obj-$(CONFIG_NF_NAT_SIP) += nf_nat_sip.o
 
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
new file mode 100644
index 000000000000..3d524b957310
--- /dev/null
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -0,0 +1,283 @@
+/* SIP extension for UDP NAT alteration.
+ *
+ * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
+ * based on RR's ip_nat_ftp.c and other modules.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nf_nat_helper.h>
+#include <net/netfilter/nf_nat_rule.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_expect.h>
+#include <linux/netfilter/nf_conntrack_sip.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
+MODULE_DESCRIPTION("SIP NAT helper");
+MODULE_ALIAS("ip_nat_sip");
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+struct addr_map {
+        struct {
+                char            src[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+                char            dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+                unsigned int    srclen, srciplen;
+                unsigned int    dstlen, dstiplen;
+        } addr[IP_CT_DIR_MAX];
+};
+
+static void addr_map_init(struct nf_conn *ct, struct addr_map *map)
+{
+        struct nf_conntrack_tuple *t;
+        enum ip_conntrack_dir dir;
+        unsigned int n;
+
+        for (dir = 0; dir < IP_CT_DIR_MAX; dir++) {
+                t = &ct->tuplehash[dir].tuple;
+
+                n = sprintf(map->addr[dir].src, "%u.%u.%u.%u",
+                            NIPQUAD(t->src.u3.ip));
+                map->addr[dir].srciplen = n;
+                n += sprintf(map->addr[dir].src + n, ":%u",
+                             ntohs(t->src.u.udp.port));
+                map->addr[dir].srclen = n;
+
+                n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u",
+                            NIPQUAD(t->dst.u3.ip));
+                map->addr[dir].dstiplen = n;
+                n += sprintf(map->addr[dir].dst + n, ":%u",
+                             ntohs(t->dst.u.udp.port));
+                map->addr[dir].dstlen = n;
+        }
+}
+
+static int map_sip_addr(struct sk_buff **pskb, enum ip_conntrack_info ctinfo,
+                        struct nf_conn *ct, const char **dptr, size_t dlen,
+                        enum sip_header_pos pos, struct addr_map *map)
+{
+        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+        unsigned int matchlen, matchoff, addrlen;
+        char *addr;
+
+        if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0)
+                return 1;
+
+        if ((matchlen == map->addr[dir].srciplen ||
+             matchlen == map->addr[dir].srclen) &&
+            memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
+                addr    = map->addr[!dir].dst;
+                addrlen = map->addr[!dir].dstlen;
+        } else if ((matchlen == map->addr[dir].dstiplen ||
+                    matchlen == map->addr[dir].dstlen) &&
+                   memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
+                addr    = map->addr[!dir].src;
+                addrlen = map->addr[!dir].srclen;
+        } else
+                return 1;
+
+        if (!nf_nat_mangle_udp_packet(pskb, ct, ctinfo,
+                                      matchoff, matchlen, addr, addrlen))
+                return 0;
+        *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+        return 1;
+
+}
+
+static unsigned int ip_nat_sip(struct sk_buff **pskb,
+                               enum ip_conntrack_info ctinfo,
+                               struct nf_conn *ct,
+                               const char **dptr)
+{
+        enum sip_header_pos pos;
+        struct addr_map map;
+        int dataoff, datalen;
+
+        dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+        datalen = (*pskb)->len - dataoff;
+        if (datalen < sizeof("SIP/2.0") - 1)
+                return NF_DROP;
+
+        addr_map_init(ct, &map);
+
+        /* Basic rules: requests and responses. */
+        if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) {
+                /* 10.2: Constructing the REGISTER Request:
+                 *
+                 * The "userinfo" and "@" components of the SIP URI MUST NOT
+                 * be present.
+                 */
+                if (datalen >= sizeof("REGISTER") - 1 &&
+                    strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0)
+                        pos = POS_REG_REQ_URI;
+                else
+                        pos = POS_REQ_URI;
+
+                if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, pos, &map))
+                        return NF_DROP;
+        }
+
+        if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_FROM, &map) ||
+            !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_TO, &map) ||
+            !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_VIA, &map) ||
+            !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map))
+                return NF_DROP;
+        return NF_ACCEPT;
+}
+
+static unsigned int mangle_sip_packet(struct sk_buff **pskb,
+                                      enum ip_conntrack_info ctinfo,
+                                      struct nf_conn *ct,
+                                      const char **dptr, size_t dlen,
+                                      char *buffer, int bufflen,
+                                      enum sip_header_pos pos)
+{
+        unsigned int matchlen, matchoff;
+
+        if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0)
+                return 0;
+
+        if (!nf_nat_mangle_udp_packet(pskb, ct, ctinfo,
+                                      matchoff, matchlen, buffer, bufflen))
+                return 0;
+
+        /* We need to reload this. Thanks Patrick. */
+        *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+        return 1;
+}
+
+static int mangle_content_len(struct sk_buff **pskb,
+                              enum ip_conntrack_info ctinfo,
+                              struct nf_conn *ct,
+                              const char *dptr)
+{
+        unsigned int dataoff, matchoff, matchlen;
+        char buffer[sizeof("65536")];
+        int bufflen;
+
+        dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+
+        /* Get actual SDP lenght */
+        if (ct_sip_get_info(ct, dptr, (*pskb)->len - dataoff, &matchoff,
+                            &matchlen, POS_SDP_HEADER) > 0) {
+
+                /* since ct_sip_get_info() give us a pointer passing 'v='
+                   we need to add 2 bytes in this count. */
+                int c_len = (*pskb)->len - dataoff - matchoff + 2;
+
+                /* Now, update SDP length */
+                if (ct_sip_get_info(ct, dptr, (*pskb)->len - dataoff, &matchoff,
+                                    &matchlen, POS_CONTENT) > 0) {
+
+                        bufflen = sprintf(buffer, "%u", c_len);
+                        return nf_nat_mangle_udp_packet(pskb, ct, ctinfo,
+                                                        matchoff, matchlen,
+                                                        buffer, bufflen);
+                }
+        }
+        return 0;
+}
+
+static unsigned int mangle_sdp(struct sk_buff **pskb,
+                               enum ip_conntrack_info ctinfo,
+                               struct nf_conn *ct,
+                               __be32 newip, u_int16_t port,
+                               const char *dptr)
+{
+        char buffer[sizeof("nnn.nnn.nnn.nnn")];
+        unsigned int dataoff, bufflen;
+
+        dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+
+        /* Mangle owner and contact info. */
+        bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
+        if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
+                               buffer, bufflen, POS_OWNER_IP4))
+                return 0;
+
+        if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
+                               buffer, bufflen, POS_CONNECTION_IP4))
+                return 0;
+
+        /* Mangle media port. */
+        bufflen = sprintf(buffer, "%u", port);
+        if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
+                               buffer, bufflen, POS_MEDIA))
+                return 0;
+
+        return mangle_content_len(pskb, ctinfo, ct, dptr);
+}
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int ip_nat_sdp(struct sk_buff **pskb,
+                               enum ip_conntrack_info ctinfo,
+                               struct nf_conntrack_expect *exp,
+                               const char *dptr)
+{
+        struct nf_conn *ct = exp->master;
+        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+        __be32 newip;
+        u_int16_t port;
+
+        DEBUGP("ip_nat_sdp():\n");
+
+        /* Connection will come from reply */
+        newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
+
+        exp->tuple.dst.u3.ip = newip;
+        exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+        exp->dir = !dir;
+
+        /* When you see the packet, we need to NAT it the same as the
+           this one. */
+        exp->expectfn = nf_nat_follow_master;
+
+        /* Try to get same port: if not, try to change it. */
+        for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
+                exp->tuple.dst.u.udp.port = htons(port);
+                if (nf_conntrack_expect_related(exp) == 0)
+                        break;
+        }
+
+        if (port == 0)
+                return NF_DROP;
+
+        if (!mangle_sdp(pskb, ctinfo, ct, newip, port, dptr)) {
+                nf_conntrack_unexpect_related(exp);
+                return NF_DROP;
+        }
+        return NF_ACCEPT;
+}
+
+static void __exit nf_nat_sip_fini(void)
+{
+        rcu_assign_pointer(nf_nat_sip_hook, NULL);
+        rcu_assign_pointer(nf_nat_sdp_hook, NULL);
+        synchronize_rcu();
+}
+
+static int __init nf_nat_sip_init(void)
+{
+        BUG_ON(rcu_dereference(nf_nat_sip_hook));
+        BUG_ON(rcu_dereference(nf_nat_sdp_hook));
+        rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
+        rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
+        return 0;
+}
+
+module_init(nf_nat_sip_init);
+module_exit(nf_nat_sip_fini);