2 * H.323 connection tracking helper
4 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * This source code is licensed under General Public License version 2.
8 * Based on the 'brute force' H.323 connection tracking module by
9 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 * For more information, please see http://nath323.sourceforge.net/
14 #include <linux/config.h>
15 #include <linux/module.h>
16 #include <linux/netfilter.h>
19 #include <linux/netfilter_ipv4/ip_conntrack.h>
20 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
21 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
22 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
23 #include <linux/netfilter_ipv4/ip_conntrack_h323.h>
24 #include <linux/moduleparam.h>
25 #include <linux/ctype.h>
26 #include <linux/inet.h>
31 #define DEBUGP(format, args...)
35 static unsigned int default_rrq_ttl = 300;
36 module_param(default_rrq_ttl, uint, 0600);
37 MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
39 static int gkrouted_only = 1;
40 module_param(gkrouted_only, int, 0600);
41 MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
43 static int callforward_filter = 1;
44 module_param(callforward_filter, bool, 0600);
45 MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
46 "if both endpoints are on different sides "
47 "(determined by routing information)");
50 int (*set_h245_addr_hook) (struct sk_buff ** pskb,
51 unsigned char **data, int dataoff,
52 H245_TransportAddress * addr,
53 u_int32_t ip, u_int16_t port);
54 int (*set_h225_addr_hook) (struct sk_buff ** pskb,
55 unsigned char **data, int dataoff,
56 TransportAddress * addr,
57 u_int32_t ip, u_int16_t port);
58 int (*set_sig_addr_hook) (struct sk_buff ** pskb,
59 struct ip_conntrack * ct,
60 enum ip_conntrack_info ctinfo,
62 TransportAddress * addr, int count);
63 int (*set_ras_addr_hook) (struct sk_buff ** pskb,
64 struct ip_conntrack * ct,
65 enum ip_conntrack_info ctinfo,
67 TransportAddress * addr, int count);
68 int (*nat_rtp_rtcp_hook) (struct sk_buff ** pskb,
69 struct ip_conntrack * ct,
70 enum ip_conntrack_info ctinfo,
71 unsigned char **data, int dataoff,
72 H245_TransportAddress * addr,
73 u_int16_t port, u_int16_t rtp_port,
74 struct ip_conntrack_expect * rtp_exp,
75 struct ip_conntrack_expect * rtcp_exp);
76 int (*nat_t120_hook) (struct sk_buff ** pskb,
77 struct ip_conntrack * ct,
78 enum ip_conntrack_info ctinfo,
79 unsigned char **data, int dataoff,
80 H245_TransportAddress * addr, u_int16_t port,
81 struct ip_conntrack_expect * exp);
82 int (*nat_h245_hook) (struct sk_buff ** pskb,
83 struct ip_conntrack * ct,
84 enum ip_conntrack_info ctinfo,
85 unsigned char **data, int dataoff,
86 TransportAddress * addr, u_int16_t port,
87 struct ip_conntrack_expect * exp);
88 int (*nat_callforwarding_hook) (struct sk_buff ** pskb,
89 struct ip_conntrack * ct,
90 enum ip_conntrack_info ctinfo,
91 unsigned char **data, int dataoff,
92 TransportAddress * addr, u_int16_t port,
93 struct ip_conntrack_expect * exp);
94 int (*nat_q931_hook) (struct sk_buff ** pskb,
95 struct ip_conntrack * ct,
96 enum ip_conntrack_info ctinfo,
97 unsigned char **data, TransportAddress * addr, int idx,
98 u_int16_t port, struct ip_conntrack_expect * exp);
101 static DEFINE_SPINLOCK(ip_h323_lock);
102 static char *h323_buffer;
104 /****************************************************************************/
105 static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
106 enum ip_conntrack_info ctinfo,
107 unsigned char **data, int *datalen, int *dataoff)
109 struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
110 int dir = CTINFO2DIR(ctinfo);
111 struct tcphdr _tcph, *th;
119 th = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl * 4,
120 sizeof(_tcph), &_tcph);
124 /* Get TCP data offset */
125 tcpdataoff = (*pskb)->nh.iph->ihl * 4 + th->doff * 4;
127 /* Get TCP data length */
128 tcpdatalen = (*pskb)->len - tcpdataoff;
129 if (tcpdatalen <= 0) /* No TCP data */
132 if (*data == NULL) { /* first TPKT */
133 /* Get first TPKT pointer */
134 tpkt = skb_header_pointer(*pskb, tcpdataoff, tcpdatalen,
136 BUG_ON(tpkt == NULL);
138 /* Validate TPKT identifier */
139 if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) {
140 /* Netmeeting sends TPKT header and data separately */
141 if (info->tpkt_len[dir] > 0) {
142 DEBUGP("ip_ct_h323: previous packet "
143 "indicated separate TPKT data of %hu "
144 "bytes\n", info->tpkt_len[dir]);
145 if (info->tpkt_len[dir] <= tcpdatalen) {
146 /* Yes, there was a TPKT header
149 *datalen = info->tpkt_len[dir];
154 /* Fragmented TPKT */
156 printk("ip_ct_h323: "
157 "fragmented TPKT\n");
161 /* It is not even a TPKT */
165 } else { /* Next TPKT */
166 tpktoff = *dataoff + *datalen;
167 tcpdatalen -= tpktoff;
168 if (tcpdatalen <= 4) /* No more TPKT */
170 tpkt = *data + *datalen;
172 /* Validate TPKT identifier */
173 if (tpkt[0] != 0x03 || tpkt[1] != 0)
177 /* Validate TPKT length */
178 tpktlen = tpkt[2] * 256 + tpkt[3];
181 if (tpktlen > tcpdatalen) {
182 if (tcpdatalen == 4) { /* Separate TPKT header */
183 /* Netmeeting sends TPKT header and data separately */
184 DEBUGP("ip_ct_h323: separate TPKT header indicates "
185 "there will be TPKT data of %hu bytes\n",
187 info->tpkt_len[dir] = tpktlen - 4;
192 printk("ip_ct_h323: incomplete TPKT (fragmented?)\n");
196 /* This is the encapsulated data */
198 *datalen = tpktlen - 4;
199 *dataoff = tpktoff + 4;
202 /* Clear TPKT length */
203 info->tpkt_len[dir] = 0;
207 info->tpkt_len[dir] = 0;
211 /****************************************************************************/
212 static int get_h245_addr(unsigned char *data, H245_TransportAddress * addr,
213 u_int32_t * ip, u_int16_t * port)
217 if (addr->choice != eH245_TransportAddress_unicastAddress ||
218 addr->unicastAddress.choice != eUnicastAddress_iPAddress)
221 p = data + addr->unicastAddress.iPAddress.network;
222 *ip = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3]));
223 *port = (p[4] << 8) | (p[5]);
228 /****************************************************************************/
229 static int expect_rtp_rtcp(struct sk_buff **pskb, struct ip_conntrack *ct,
230 enum ip_conntrack_info ctinfo,
231 unsigned char **data, int dataoff,
232 H245_TransportAddress * addr)
234 int dir = CTINFO2DIR(ctinfo);
239 struct ip_conntrack_expect *rtp_exp;
240 struct ip_conntrack_expect *rtcp_exp;
242 /* Read RTP or RTCP address */
243 if (!get_h245_addr(*data, addr, &ip, &port) ||
244 ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
247 /* RTP port is even */
248 rtp_port = port & (~1);
250 /* Create expect for RTP */
251 if ((rtp_exp = ip_conntrack_expect_alloc(ct)) == NULL)
253 rtp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
254 rtp_exp->tuple.src.u.udp.port = 0;
255 rtp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
256 rtp_exp->tuple.dst.u.udp.port = htons(rtp_port);
257 rtp_exp->tuple.dst.protonum = IPPROTO_UDP;
258 rtp_exp->mask.src.ip = 0xFFFFFFFF;
259 rtp_exp->mask.src.u.udp.port = 0;
260 rtp_exp->mask.dst.ip = 0xFFFFFFFF;
261 rtp_exp->mask.dst.u.udp.port = 0xFFFF;
262 rtp_exp->mask.dst.protonum = 0xFF;
265 /* Create expect for RTCP */
266 if ((rtcp_exp = ip_conntrack_expect_alloc(ct)) == NULL) {
267 ip_conntrack_expect_put(rtp_exp);
270 rtcp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
271 rtcp_exp->tuple.src.u.udp.port = 0;
272 rtcp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
273 rtcp_exp->tuple.dst.u.udp.port = htons(rtp_port + 1);
274 rtcp_exp->tuple.dst.protonum = IPPROTO_UDP;
275 rtcp_exp->mask.src.ip = 0xFFFFFFFF;
276 rtcp_exp->mask.src.u.udp.port = 0;
277 rtcp_exp->mask.dst.ip = 0xFFFFFFFF;
278 rtcp_exp->mask.dst.u.udp.port = 0xFFFF;
279 rtcp_exp->mask.dst.protonum = 0xFF;
282 if (ct->tuplehash[dir].tuple.src.ip !=
283 ct->tuplehash[!dir].tuple.dst.ip && nat_rtp_rtcp_hook) {
285 ret = nat_rtp_rtcp_hook(pskb, ct, ctinfo, data, dataoff,
286 addr, port, rtp_port, rtp_exp,
288 } else { /* Conntrack only */
289 rtp_exp->expectfn = NULL;
290 rtcp_exp->expectfn = NULL;
292 if (ip_conntrack_expect_related(rtp_exp) == 0) {
293 if (ip_conntrack_expect_related(rtcp_exp) == 0) {
294 DEBUGP("ip_ct_h323: expect RTP "
295 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
296 NIPQUAD(rtp_exp->tuple.src.ip),
297 ntohs(rtp_exp->tuple.src.u.udp.port),
298 NIPQUAD(rtp_exp->tuple.dst.ip),
299 ntohs(rtp_exp->tuple.dst.u.udp.port));
300 DEBUGP("ip_ct_h323: expect RTCP "
301 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
302 NIPQUAD(rtcp_exp->tuple.src.ip),
303 ntohs(rtcp_exp->tuple.src.u.udp.port),
304 NIPQUAD(rtcp_exp->tuple.dst.ip),
305 ntohs(rtcp_exp->tuple.dst.u.udp.port));
307 ip_conntrack_unexpect_related(rtp_exp);
314 ip_conntrack_expect_put(rtp_exp);
315 ip_conntrack_expect_put(rtcp_exp);
320 /****************************************************************************/
321 static int expect_t120(struct sk_buff **pskb,
322 struct ip_conntrack *ct,
323 enum ip_conntrack_info ctinfo,
324 unsigned char **data, int dataoff,
325 H245_TransportAddress * addr)
327 int dir = CTINFO2DIR(ctinfo);
331 struct ip_conntrack_expect *exp = NULL;
333 /* Read T.120 address */
334 if (!get_h245_addr(*data, addr, &ip, &port) ||
335 ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
338 /* Create expect for T.120 connections */
339 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
341 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
342 exp->tuple.src.u.tcp.port = 0;
343 exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
344 exp->tuple.dst.u.tcp.port = htons(port);
345 exp->tuple.dst.protonum = IPPROTO_TCP;
346 exp->mask.src.ip = 0xFFFFFFFF;
347 exp->mask.src.u.tcp.port = 0;
348 exp->mask.dst.ip = 0xFFFFFFFF;
349 exp->mask.dst.u.tcp.port = 0xFFFF;
350 exp->mask.dst.protonum = 0xFF;
351 exp->flags = IP_CT_EXPECT_PERMANENT; /* Accept multiple channels */
353 if (ct->tuplehash[dir].tuple.src.ip !=
354 ct->tuplehash[!dir].tuple.dst.ip && nat_t120_hook) {
356 ret = nat_t120_hook(pskb, ct, ctinfo, data, dataoff, addr,
358 } else { /* Conntrack only */
359 exp->expectfn = NULL;
360 if (ip_conntrack_expect_related(exp) == 0) {
361 DEBUGP("ip_ct_h323: expect T.120 "
362 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
363 NIPQUAD(exp->tuple.src.ip),
364 ntohs(exp->tuple.src.u.tcp.port),
365 NIPQUAD(exp->tuple.dst.ip),
366 ntohs(exp->tuple.dst.u.tcp.port));
371 ip_conntrack_expect_put(exp);
376 /****************************************************************************/
377 static int process_h245_channel(struct sk_buff **pskb,
378 struct ip_conntrack *ct,
379 enum ip_conntrack_info ctinfo,
380 unsigned char **data, int dataoff,
381 H2250LogicalChannelParameters * channel)
385 if (channel->options & eH2250LogicalChannelParameters_mediaChannel) {
387 ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
388 &channel->mediaChannel);
394 options & eH2250LogicalChannelParameters_mediaControlChannel) {
396 ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
397 &channel->mediaControlChannel);
405 /****************************************************************************/
406 static int process_olc(struct sk_buff **pskb, struct ip_conntrack *ct,
407 enum ip_conntrack_info ctinfo,
408 unsigned char **data, int dataoff,
409 OpenLogicalChannel * olc)
413 DEBUGP("ip_ct_h323: OpenLogicalChannel\n");
415 if (olc->forwardLogicalChannelParameters.multiplexParameters.choice ==
416 eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters)
418 ret = process_h245_channel(pskb, ct, ctinfo, data, dataoff,
420 forwardLogicalChannelParameters.
422 h2250LogicalChannelParameters);
428 eOpenLogicalChannel_reverseLogicalChannelParameters) &&
429 (olc->reverseLogicalChannelParameters.options &
430 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters)
431 && (olc->reverseLogicalChannelParameters.multiplexParameters.
433 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
436 process_h245_channel(pskb, ct, ctinfo, data, dataoff,
438 reverseLogicalChannelParameters.
440 h2250LogicalChannelParameters);
445 if ((olc->options & eOpenLogicalChannel_separateStack) &&
446 olc->forwardLogicalChannelParameters.dataType.choice ==
448 olc->forwardLogicalChannelParameters.dataType.data.application.
449 choice == eDataApplicationCapability_application_t120 &&
450 olc->forwardLogicalChannelParameters.dataType.data.application.
451 t120.choice == eDataProtocolCapability_separateLANStack &&
452 olc->separateStack.networkAddress.choice ==
453 eNetworkAccessParameters_networkAddress_localAreaAddress) {
454 ret = expect_t120(pskb, ct, ctinfo, data, dataoff,
455 &olc->separateStack.networkAddress.
464 /****************************************************************************/
465 static int process_olca(struct sk_buff **pskb, struct ip_conntrack *ct,
466 enum ip_conntrack_info ctinfo,
467 unsigned char **data, int dataoff,
468 OpenLogicalChannelAck * olca)
470 H2250LogicalChannelAckParameters *ack;
473 DEBUGP("ip_ct_h323: OpenLogicalChannelAck\n");
476 eOpenLogicalChannelAck_reverseLogicalChannelParameters) &&
477 (olca->reverseLogicalChannelParameters.options &
478 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters)
479 && (olca->reverseLogicalChannelParameters.multiplexParameters.
481 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
483 ret = process_h245_channel(pskb, ct, ctinfo, data, dataoff,
485 reverseLogicalChannelParameters.
487 h2250LogicalChannelParameters);
493 eOpenLogicalChannelAck_forwardMultiplexAckParameters) &&
494 (olca->forwardMultiplexAckParameters.choice ==
495 eOpenLogicalChannelAck_forwardMultiplexAckParameters_h2250LogicalChannelAckParameters))
497 ack = &olca->forwardMultiplexAckParameters.
498 h2250LogicalChannelAckParameters;
500 eH2250LogicalChannelAckParameters_mediaChannel) {
502 ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
509 eH2250LogicalChannelAckParameters_mediaControlChannel) {
511 ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
512 &ack->mediaControlChannel);
521 /****************************************************************************/
522 static int process_h245(struct sk_buff **pskb, struct ip_conntrack *ct,
523 enum ip_conntrack_info ctinfo,
524 unsigned char **data, int dataoff,
525 MultimediaSystemControlMessage * mscm)
527 switch (mscm->choice) {
528 case eMultimediaSystemControlMessage_request:
529 if (mscm->request.choice ==
530 eRequestMessage_openLogicalChannel) {
531 return process_olc(pskb, ct, ctinfo, data, dataoff,
532 &mscm->request.openLogicalChannel);
534 DEBUGP("ip_ct_h323: H.245 Request %d\n",
535 mscm->request.choice);
537 case eMultimediaSystemControlMessage_response:
538 if (mscm->response.choice ==
539 eResponseMessage_openLogicalChannelAck) {
540 return process_olca(pskb, ct, ctinfo, data, dataoff,
542 openLogicalChannelAck);
544 DEBUGP("ip_ct_h323: H.245 Response %d\n",
545 mscm->response.choice);
548 DEBUGP("ip_ct_h323: H.245 signal %d\n", mscm->choice);
555 /****************************************************************************/
556 static int h245_help(struct sk_buff **pskb, struct ip_conntrack *ct,
557 enum ip_conntrack_info ctinfo)
559 static MultimediaSystemControlMessage mscm;
560 unsigned char *data = NULL;
565 /* Until there's been traffic both ways, don't look in packets. */
566 if (ctinfo != IP_CT_ESTABLISHED
567 && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
570 DEBUGP("ip_ct_h245: skblen = %u\n", (*pskb)->len);
572 spin_lock_bh(&ip_h323_lock);
574 /* Process each TPKT */
575 while (get_tpkt_data(pskb, ct, ctinfo, &data, &datalen, &dataoff)) {
576 DEBUGP("ip_ct_h245: TPKT %u.%u.%u.%u->%u.%u.%u.%u, len=%d\n",
577 NIPQUAD((*pskb)->nh.iph->saddr),
578 NIPQUAD((*pskb)->nh.iph->daddr), datalen);
580 /* Decode H.245 signal */
581 ret = DecodeMultimediaSystemControlMessage(data, datalen,
585 printk("ip_ct_h245: decoding error: %s\n",
586 ret == H323_ERROR_BOUND ?
587 "out of bound" : "out of range");
588 /* We don't drop when decoding error */
592 /* Process H.245 signal */
593 if (process_h245(pskb, ct, ctinfo, &data, dataoff, &mscm) < 0)
597 spin_unlock_bh(&ip_h323_lock);
601 spin_unlock_bh(&ip_h323_lock);
603 printk("ip_ct_h245: packet dropped\n");
607 /****************************************************************************/
608 static struct ip_conntrack_helper ip_conntrack_helper_h245 = {
611 .max_expected = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */ ,
613 .tuple = {.dst = {.protonum = IPPROTO_TCP}},
614 .mask = {.src = {.u = {0xFFFF}},
615 .dst = {.protonum = 0xFF}},
619 /****************************************************************************/
620 void ip_conntrack_h245_expect(struct ip_conntrack *new,
621 struct ip_conntrack_expect *this)
623 write_lock_bh(&ip_conntrack_lock);
624 new->helper = &ip_conntrack_helper_h245;
625 write_unlock_bh(&ip_conntrack_lock);
628 /****************************************************************************/
629 int get_h225_addr(unsigned char *data, TransportAddress * addr,
630 u_int32_t * ip, u_int16_t * port)
634 if (addr->choice != eTransportAddress_ipAddress)
637 p = data + addr->ipAddress.ip;
638 *ip = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3]));
639 *port = (p[4] << 8) | (p[5]);
644 /****************************************************************************/
645 static int expect_h245(struct sk_buff **pskb, struct ip_conntrack *ct,
646 enum ip_conntrack_info ctinfo,
647 unsigned char **data, int dataoff,
648 TransportAddress * addr)
650 int dir = CTINFO2DIR(ctinfo);
654 struct ip_conntrack_expect *exp = NULL;
656 /* Read h245Address */
657 if (!get_h225_addr(*data, addr, &ip, &port) ||
658 ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
661 /* Create expect for h245 connection */
662 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
664 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
665 exp->tuple.src.u.tcp.port = 0;
666 exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
667 exp->tuple.dst.u.tcp.port = htons(port);
668 exp->tuple.dst.protonum = IPPROTO_TCP;
669 exp->mask.src.ip = 0xFFFFFFFF;
670 exp->mask.src.u.tcp.port = 0;
671 exp->mask.dst.ip = 0xFFFFFFFF;
672 exp->mask.dst.u.tcp.port = 0xFFFF;
673 exp->mask.dst.protonum = 0xFF;
676 if (ct->tuplehash[dir].tuple.src.ip !=
677 ct->tuplehash[!dir].tuple.dst.ip && nat_h245_hook) {
679 ret = nat_h245_hook(pskb, ct, ctinfo, data, dataoff, addr,
681 } else { /* Conntrack only */
682 exp->expectfn = ip_conntrack_h245_expect;
684 if (ip_conntrack_expect_related(exp) == 0) {
685 DEBUGP("ip_ct_q931: expect H.245 "
686 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
687 NIPQUAD(exp->tuple.src.ip),
688 ntohs(exp->tuple.src.u.tcp.port),
689 NIPQUAD(exp->tuple.dst.ip),
690 ntohs(exp->tuple.dst.u.tcp.port));
695 ip_conntrack_expect_put(exp);
700 /* Forwarding declaration */
701 void ip_conntrack_q931_expect(struct ip_conntrack *new,
702 struct ip_conntrack_expect *this);
704 /****************************************************************************/
705 static int expect_callforwarding(struct sk_buff **pskb,
706 struct ip_conntrack *ct,
707 enum ip_conntrack_info ctinfo,
708 unsigned char **data, int dataoff,
709 TransportAddress * addr)
711 int dir = CTINFO2DIR(ctinfo);
715 struct ip_conntrack_expect *exp = NULL;
717 /* Read alternativeAddress */
718 if (!get_h225_addr(*data, addr, &ip, &port) || port == 0)
721 /* If the calling party is on the same side of the forward-to party,
722 * we don't need to track the second call */
723 if (callforward_filter) {
724 struct rtable *rt1, *rt2;
729 .fl4_dst = ct->tuplehash[!dir].tuple.src.ip,
732 if (ip_route_output_key(&rt1, &fl1) == 0) {
733 if (ip_route_output_key(&rt2, &fl2) == 0) {
734 if (rt1->rt_gateway == rt2->rt_gateway &&
735 rt1->u.dst.dev == rt2->u.dst.dev)
737 dst_release(&rt2->u.dst);
739 dst_release(&rt1->u.dst);
742 DEBUGP("ip_ct_q931: Call Forwarding not tracked\n");
747 /* Create expect for the second call leg */
748 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
750 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
751 exp->tuple.src.u.tcp.port = 0;
752 exp->tuple.dst.ip = ip;
753 exp->tuple.dst.u.tcp.port = htons(port);
754 exp->tuple.dst.protonum = IPPROTO_TCP;
755 exp->mask.src.ip = 0xFFFFFFFF;
756 exp->mask.src.u.tcp.port = 0;
757 exp->mask.dst.ip = 0xFFFFFFFF;
758 exp->mask.dst.u.tcp.port = 0xFFFF;
759 exp->mask.dst.protonum = 0xFF;
762 if (ct->tuplehash[dir].tuple.src.ip !=
763 ct->tuplehash[!dir].tuple.dst.ip && nat_callforwarding_hook) {
765 ret = nat_callforwarding_hook(pskb, ct, ctinfo, data, dataoff,
767 } else { /* Conntrack only */
768 exp->expectfn = ip_conntrack_q931_expect;
770 if (ip_conntrack_expect_related(exp) == 0) {
771 DEBUGP("ip_ct_q931: expect Call Forwarding "
772 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
773 NIPQUAD(exp->tuple.src.ip),
774 ntohs(exp->tuple.src.u.tcp.port),
775 NIPQUAD(exp->tuple.dst.ip),
776 ntohs(exp->tuple.dst.u.tcp.port));
781 ip_conntrack_expect_put(exp);
786 /****************************************************************************/
787 static int process_setup(struct sk_buff **pskb, struct ip_conntrack *ct,
788 enum ip_conntrack_info ctinfo,
789 unsigned char **data, int dataoff,
792 int dir = CTINFO2DIR(ctinfo);
798 DEBUGP("ip_ct_q931: Setup\n");
800 if (setup->options & eSetup_UUIE_h245Address) {
801 ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
802 &setup->h245Address);
807 if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
808 (set_h225_addr_hook) &&
809 get_h225_addr(*data, &setup->destCallSignalAddress, &ip, &port) &&
810 ip != ct->tuplehash[!dir].tuple.src.ip) {
811 DEBUGP("ip_ct_q931: set destCallSignalAddress "
812 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
814 NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
815 ntohs(ct->tuplehash[!dir].tuple.src.u.tcp.port));
816 ret = set_h225_addr_hook(pskb, data, dataoff,
817 &setup->destCallSignalAddress,
818 ct->tuplehash[!dir].tuple.src.ip,
819 ntohs(ct->tuplehash[!dir].tuple.src.
825 if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
826 (set_h225_addr_hook) &&
827 get_h225_addr(*data, &setup->sourceCallSignalAddress, &ip, &port)
828 && ip != ct->tuplehash[!dir].tuple.dst.ip) {
829 DEBUGP("ip_ct_q931: set sourceCallSignalAddress "
830 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
832 NIPQUAD(ct->tuplehash[!dir].tuple.dst.ip),
833 ntohs(ct->tuplehash[!dir].tuple.dst.u.tcp.port));
834 ret = set_h225_addr_hook(pskb, data, dataoff,
835 &setup->sourceCallSignalAddress,
836 ct->tuplehash[!dir].tuple.dst.ip,
837 ntohs(ct->tuplehash[!dir].tuple.dst.
843 if (setup->options & eSetup_UUIE_fastStart) {
844 for (i = 0; i < setup->fastStart.count; i++) {
845 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
846 &setup->fastStart.item[i]);
855 /****************************************************************************/
856 static int process_callproceeding(struct sk_buff **pskb,
857 struct ip_conntrack *ct,
858 enum ip_conntrack_info ctinfo,
859 unsigned char **data, int dataoff,
860 CallProceeding_UUIE * callproc)
865 DEBUGP("ip_ct_q931: CallProceeding\n");
867 if (callproc->options & eCallProceeding_UUIE_h245Address) {
868 ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
869 &callproc->h245Address);
874 if (callproc->options & eCallProceeding_UUIE_fastStart) {
875 for (i = 0; i < callproc->fastStart.count; i++) {
876 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
877 &callproc->fastStart.item[i]);
886 /****************************************************************************/
887 static int process_connect(struct sk_buff **pskb, struct ip_conntrack *ct,
888 enum ip_conntrack_info ctinfo,
889 unsigned char **data, int dataoff,
890 Connect_UUIE * connect)
895 DEBUGP("ip_ct_q931: Connect\n");
897 if (connect->options & eConnect_UUIE_h245Address) {
898 ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
899 &connect->h245Address);
904 if (connect->options & eConnect_UUIE_fastStart) {
905 for (i = 0; i < connect->fastStart.count; i++) {
906 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
907 &connect->fastStart.item[i]);
916 /****************************************************************************/
917 static int process_alerting(struct sk_buff **pskb, struct ip_conntrack *ct,
918 enum ip_conntrack_info ctinfo,
919 unsigned char **data, int dataoff,
920 Alerting_UUIE * alert)
925 DEBUGP("ip_ct_q931: Alerting\n");
927 if (alert->options & eAlerting_UUIE_h245Address) {
928 ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
929 &alert->h245Address);
934 if (alert->options & eAlerting_UUIE_fastStart) {
935 for (i = 0; i < alert->fastStart.count; i++) {
936 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
937 &alert->fastStart.item[i]);
946 /****************************************************************************/
947 static int process_information(struct sk_buff **pskb,
948 struct ip_conntrack *ct,
949 enum ip_conntrack_info ctinfo,
950 unsigned char **data, int dataoff,
951 Information_UUIE * info)
956 DEBUGP("ip_ct_q931: Information\n");
958 if (info->options & eInformation_UUIE_fastStart) {
959 for (i = 0; i < info->fastStart.count; i++) {
960 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
961 &info->fastStart.item[i]);
970 /****************************************************************************/
971 static int process_facility(struct sk_buff **pskb, struct ip_conntrack *ct,
972 enum ip_conntrack_info ctinfo,
973 unsigned char **data, int dataoff,
974 Facility_UUIE * facility)
979 DEBUGP("ip_ct_q931: Facility\n");
981 if (facility->reason.choice == eFacilityReason_callForwarded) {
982 if (facility->options & eFacility_UUIE_alternativeAddress)
983 return expect_callforwarding(pskb, ct, ctinfo, data,
990 if (facility->options & eFacility_UUIE_h245Address) {
991 ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
992 &facility->h245Address);
997 if (facility->options & eFacility_UUIE_fastStart) {
998 for (i = 0; i < facility->fastStart.count; i++) {
999 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
1000 &facility->fastStart.item[i]);
1009 /****************************************************************************/
1010 static int process_progress(struct sk_buff **pskb, struct ip_conntrack *ct,
1011 enum ip_conntrack_info ctinfo,
1012 unsigned char **data, int dataoff,
1013 Progress_UUIE * progress)
1018 DEBUGP("ip_ct_q931: Progress\n");
1020 if (progress->options & eProgress_UUIE_h245Address) {
1021 ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
1022 &progress->h245Address);
1027 if (progress->options & eProgress_UUIE_fastStart) {
1028 for (i = 0; i < progress->fastStart.count; i++) {
1029 ret = process_olc(pskb, ct, ctinfo, data, dataoff,
1030 &progress->fastStart.item[i]);
1039 /****************************************************************************/
1040 static int process_q931(struct sk_buff **pskb, struct ip_conntrack *ct,
1041 enum ip_conntrack_info ctinfo,
1042 unsigned char **data, int dataoff, Q931 * q931)
1044 H323_UU_PDU *pdu = &q931->UUIE.h323_uu_pdu;
1048 switch (pdu->h323_message_body.choice) {
1049 case eH323_UU_PDU_h323_message_body_setup:
1050 ret = process_setup(pskb, ct, ctinfo, data, dataoff,
1051 &pdu->h323_message_body.setup);
1053 case eH323_UU_PDU_h323_message_body_callProceeding:
1054 ret = process_callproceeding(pskb, ct, ctinfo, data, dataoff,
1055 &pdu->h323_message_body.
1058 case eH323_UU_PDU_h323_message_body_connect:
1059 ret = process_connect(pskb, ct, ctinfo, data, dataoff,
1060 &pdu->h323_message_body.connect);
1062 case eH323_UU_PDU_h323_message_body_alerting:
1063 ret = process_alerting(pskb, ct, ctinfo, data, dataoff,
1064 &pdu->h323_message_body.alerting);
1066 case eH323_UU_PDU_h323_message_body_information:
1067 ret = process_information(pskb, ct, ctinfo, data, dataoff,
1068 &pdu->h323_message_body.
1071 case eH323_UU_PDU_h323_message_body_facility:
1072 ret = process_facility(pskb, ct, ctinfo, data, dataoff,
1073 &pdu->h323_message_body.facility);
1075 case eH323_UU_PDU_h323_message_body_progress:
1076 ret = process_progress(pskb, ct, ctinfo, data, dataoff,
1077 &pdu->h323_message_body.progress);
1080 DEBUGP("ip_ct_q931: Q.931 signal %d\n",
1081 pdu->h323_message_body.choice);
1088 if (pdu->options & eH323_UU_PDU_h245Control) {
1089 for (i = 0; i < pdu->h245Control.count; i++) {
1090 ret = process_h245(pskb, ct, ctinfo, data, dataoff,
1091 &pdu->h245Control.item[i]);
1100 /****************************************************************************/
1101 static int q931_help(struct sk_buff **pskb, struct ip_conntrack *ct,
1102 enum ip_conntrack_info ctinfo)
1105 unsigned char *data = NULL;
1110 /* Until there's been traffic both ways, don't look in packets. */
1111 if (ctinfo != IP_CT_ESTABLISHED
1112 && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1115 DEBUGP("ip_ct_q931: skblen = %u\n", (*pskb)->len);
1117 spin_lock_bh(&ip_h323_lock);
1119 /* Process each TPKT */
1120 while (get_tpkt_data(pskb, ct, ctinfo, &data, &datalen, &dataoff)) {
1121 DEBUGP("ip_ct_q931: TPKT %u.%u.%u.%u->%u.%u.%u.%u, len=%d\n",
1122 NIPQUAD((*pskb)->nh.iph->saddr),
1123 NIPQUAD((*pskb)->nh.iph->daddr), datalen);
1125 /* Decode Q.931 signal */
1126 ret = DecodeQ931(data, datalen, &q931);
1128 if (net_ratelimit())
1129 printk("ip_ct_q931: decoding error: %s\n",
1130 ret == H323_ERROR_BOUND ?
1131 "out of bound" : "out of range");
1132 /* We don't drop when decoding error */
1136 /* Process Q.931 signal */
1137 if (process_q931(pskb, ct, ctinfo, &data, dataoff, &q931) < 0)
1141 spin_unlock_bh(&ip_h323_lock);
1145 spin_unlock_bh(&ip_h323_lock);
1146 if (net_ratelimit())
1147 printk("ip_ct_q931: packet dropped\n");
1151 /****************************************************************************/
1152 static struct ip_conntrack_helper ip_conntrack_helper_q931 = {
1155 .max_expected = H323_RTP_CHANNEL_MAX * 4 + 4 /* T.120 and H.245 */ ,
1157 .tuple = {.src = {.u = {__constant_htons(Q931_PORT)}},
1158 .dst = {.protonum = IPPROTO_TCP}},
1159 .mask = {.src = {.u = {0xFFFF}},
1160 .dst = {.protonum = 0xFF}},
1164 /****************************************************************************/
1165 void ip_conntrack_q931_expect(struct ip_conntrack *new,
1166 struct ip_conntrack_expect *this)
1168 write_lock_bh(&ip_conntrack_lock);
1169 new->helper = &ip_conntrack_helper_q931;
1170 write_unlock_bh(&ip_conntrack_lock);
1173 /****************************************************************************/
1174 static unsigned char *get_udp_data(struct sk_buff **pskb, int *datalen)
1176 struct udphdr _uh, *uh;
1179 uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl * 4, sizeof(_uh),
1183 dataoff = (*pskb)->nh.iph->ihl * 4 + sizeof(_uh);
1184 if (dataoff >= (*pskb)->len)
1186 *datalen = (*pskb)->len - dataoff;
1187 return skb_header_pointer(*pskb, dataoff, *datalen, h323_buffer);
1190 /****************************************************************************/
1191 static struct ip_conntrack_expect *find_expect(struct ip_conntrack *ct,
1192 u_int32_t ip, u_int16_t port)
1194 struct ip_conntrack_expect *exp;
1195 struct ip_conntrack_tuple tuple;
1198 tuple.src.u.tcp.port = 0;
1200 tuple.dst.u.tcp.port = htons(port);
1201 tuple.dst.protonum = IPPROTO_TCP;
1203 exp = __ip_conntrack_expect_find(&tuple);
1204 if (exp->master == ct)
1209 /****************************************************************************/
1210 static int set_expect_timeout(struct ip_conntrack_expect *exp,
1213 if (!exp || !del_timer(&exp->timeout))
1216 exp->timeout.expires = jiffies + timeout * HZ;
1217 add_timer(&exp->timeout);
1222 /****************************************************************************/
1223 static int expect_q931(struct sk_buff **pskb, struct ip_conntrack *ct,
1224 enum ip_conntrack_info ctinfo,
1225 unsigned char **data,
1226 TransportAddress * addr, int count)
1228 struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
1229 int dir = CTINFO2DIR(ctinfo);
1234 struct ip_conntrack_expect *exp;
1236 /* Look for the first related address */
1237 for (i = 0; i < count; i++) {
1238 if (get_h225_addr(*data, &addr[i], &ip, &port) &&
1239 ip == ct->tuplehash[dir].tuple.src.ip && port != 0)
1243 if (i >= count) /* Not found */
1246 /* Create expect for Q.931 */
1247 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
1249 exp->tuple.src.ip = gkrouted_only ? /* only accept calls from GK? */
1250 ct->tuplehash[!dir].tuple.src.ip : 0;
1251 exp->tuple.src.u.tcp.port = 0;
1252 exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
1253 exp->tuple.dst.u.tcp.port = htons(port);
1254 exp->tuple.dst.protonum = IPPROTO_TCP;
1255 exp->mask.src.ip = gkrouted_only ? 0xFFFFFFFF : 0;
1256 exp->mask.src.u.tcp.port = 0;
1257 exp->mask.dst.ip = 0xFFFFFFFF;
1258 exp->mask.dst.u.tcp.port = 0xFFFF;
1259 exp->mask.dst.protonum = 0xFF;
1260 exp->flags = IP_CT_EXPECT_PERMANENT; /* Accept multiple calls */
1262 if (nat_q931_hook) { /* Need NAT */
1263 ret = nat_q931_hook(pskb, ct, ctinfo, data, addr, i,
1265 } else { /* Conntrack only */
1266 exp->expectfn = ip_conntrack_q931_expect;
1268 if (ip_conntrack_expect_related(exp) == 0) {
1269 DEBUGP("ip_ct_ras: expect Q.931 "
1270 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
1271 NIPQUAD(exp->tuple.src.ip),
1272 ntohs(exp->tuple.src.u.tcp.port),
1273 NIPQUAD(exp->tuple.dst.ip),
1274 ntohs(exp->tuple.dst.u.tcp.port));
1276 /* Save port for looking up expect in processing RCF */
1277 info->sig_port[dir] = port;
1282 ip_conntrack_expect_put(exp);
1287 /****************************************************************************/
1288 static int process_grq(struct sk_buff **pskb, struct ip_conntrack *ct,
1289 enum ip_conntrack_info ctinfo,
1290 unsigned char **data, GatekeeperRequest * grq)
1292 DEBUGP("ip_ct_ras: GRQ\n");
1294 if (set_ras_addr_hook) /* NATed */
1295 return set_ras_addr_hook(pskb, ct, ctinfo, data,
1296 &grq->rasAddress, 1);
1300 /* Declare before using */
1301 static void ip_conntrack_ras_expect(struct ip_conntrack *new,
1302 struct ip_conntrack_expect *this);
1304 /****************************************************************************/
1305 static int process_gcf(struct sk_buff **pskb, struct ip_conntrack *ct,
1306 enum ip_conntrack_info ctinfo,
1307 unsigned char **data, GatekeeperConfirm * gcf)
1309 int dir = CTINFO2DIR(ctinfo);
1313 struct ip_conntrack_expect *exp;
1315 DEBUGP("ip_ct_ras: GCF\n");
1317 if (!get_h225_addr(*data, &gcf->rasAddress, &ip, &port))
1320 /* Registration port is the same as discovery port */
1321 if (ip == ct->tuplehash[dir].tuple.src.ip &&
1322 port == ntohs(ct->tuplehash[dir].tuple.src.u.udp.port))
1325 /* Avoid RAS expectation loops. A GCF is never expected. */
1326 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1329 /* Need new expect */
1330 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
1332 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
1333 exp->tuple.src.u.tcp.port = 0;
1334 exp->tuple.dst.ip = ip;
1335 exp->tuple.dst.u.tcp.port = htons(port);
1336 exp->tuple.dst.protonum = IPPROTO_UDP;
1337 exp->mask.src.ip = 0xFFFFFFFF;
1338 exp->mask.src.u.tcp.port = 0;
1339 exp->mask.dst.ip = 0xFFFFFFFF;
1340 exp->mask.dst.u.tcp.port = 0xFFFF;
1341 exp->mask.dst.protonum = 0xFF;
1343 exp->expectfn = ip_conntrack_ras_expect;
1344 if (ip_conntrack_expect_related(exp) == 0) {
1345 DEBUGP("ip_ct_ras: expect RAS "
1346 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
1347 NIPQUAD(exp->tuple.src.ip),
1348 ntohs(exp->tuple.src.u.tcp.port),
1349 NIPQUAD(exp->tuple.dst.ip),
1350 ntohs(exp->tuple.dst.u.tcp.port));
1354 ip_conntrack_expect_put(exp);
1359 /****************************************************************************/
1360 static int process_rrq(struct sk_buff **pskb, struct ip_conntrack *ct,
1361 enum ip_conntrack_info ctinfo,
1362 unsigned char **data, RegistrationRequest * rrq)
1364 struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
1367 DEBUGP("ip_ct_ras: RRQ\n");
1369 ret = expect_q931(pskb, ct, ctinfo, data,
1370 rrq->callSignalAddress.item,
1371 rrq->callSignalAddress.count);
1375 if (set_ras_addr_hook) {
1376 ret = set_ras_addr_hook(pskb, ct, ctinfo, data,
1377 rrq->rasAddress.item,
1378 rrq->rasAddress.count);
1383 if (rrq->options & eRegistrationRequest_timeToLive) {
1384 DEBUGP("ip_ct_ras: RRQ TTL = %u seconds\n", rrq->timeToLive);
1385 info->timeout = rrq->timeToLive;
1387 info->timeout = default_rrq_ttl;
1392 /****************************************************************************/
1393 static int process_rcf(struct sk_buff **pskb, struct ip_conntrack *ct,
1394 enum ip_conntrack_info ctinfo,
1395 unsigned char **data, RegistrationConfirm * rcf)
1397 struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
1398 int dir = CTINFO2DIR(ctinfo);
1400 struct ip_conntrack_expect *exp;
1402 DEBUGP("ip_ct_ras: RCF\n");
1404 if (set_sig_addr_hook) {
1405 ret = set_sig_addr_hook(pskb, ct, ctinfo, data,
1406 rcf->callSignalAddress.item,
1407 rcf->callSignalAddress.count);
1412 if (rcf->options & eRegistrationConfirm_timeToLive) {
1413 DEBUGP("ip_ct_ras: RCF TTL = %u seconds\n", rcf->timeToLive);
1414 info->timeout = rcf->timeToLive;
1417 if (info->timeout > 0) {
1419 ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
1421 ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
1423 /* Set expect timeout */
1424 read_lock_bh(&ip_conntrack_lock);
1425 exp = find_expect(ct, ct->tuplehash[dir].tuple.dst.ip,
1426 info->sig_port[!dir]);
1428 DEBUGP("ip_ct_ras: set Q.931 expect "
1429 "(%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu) "
1430 "timeout to %u seconds\n",
1431 NIPQUAD(exp->tuple.src.ip),
1432 ntohs(exp->tuple.src.u.tcp.port),
1433 NIPQUAD(exp->tuple.dst.ip),
1434 ntohs(exp->tuple.dst.u.tcp.port),
1436 set_expect_timeout(exp, info->timeout);
1438 read_unlock_bh(&ip_conntrack_lock);
1444 /****************************************************************************/
1445 static int process_urq(struct sk_buff **pskb, struct ip_conntrack *ct,
1446 enum ip_conntrack_info ctinfo,
1447 unsigned char **data, UnregistrationRequest * urq)
1449 struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
1450 int dir = CTINFO2DIR(ctinfo);
1453 DEBUGP("ip_ct_ras: URQ\n");
1455 if (set_sig_addr_hook) {
1456 ret = set_sig_addr_hook(pskb, ct, ctinfo, data,
1457 urq->callSignalAddress.item,
1458 urq->callSignalAddress.count);
1463 /* Clear old expect */
1464 ip_ct_remove_expectations(ct);
1465 info->sig_port[dir] = 0;
1466 info->sig_port[!dir] = 0;
1468 /* Give it 30 seconds for UCF or URJ */
1469 ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
1474 /****************************************************************************/
1475 static int process_arq(struct sk_buff **pskb, struct ip_conntrack *ct,
1476 enum ip_conntrack_info ctinfo,
1477 unsigned char **data, AdmissionRequest * arq)
1479 struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
1480 int dir = CTINFO2DIR(ctinfo);
1484 DEBUGP("ip_ct_ras: ARQ\n");
1486 if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
1487 get_h225_addr(*data, &arq->destCallSignalAddress, &ip, &port) &&
1488 ip == ct->tuplehash[dir].tuple.src.ip &&
1489 port == info->sig_port[dir] && set_h225_addr_hook) {
1491 return set_h225_addr_hook(pskb, data, 0,
1492 &arq->destCallSignalAddress,
1493 ct->tuplehash[!dir].tuple.dst.ip,
1494 info->sig_port[!dir]);
1497 if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
1498 get_h225_addr(*data, &arq->srcCallSignalAddress, &ip, &port) &&
1499 ip == ct->tuplehash[dir].tuple.src.ip && set_h225_addr_hook) {
1501 return set_h225_addr_hook(pskb, data, 0,
1502 &arq->srcCallSignalAddress,
1503 ct->tuplehash[!dir].tuple.dst.ip,
1510 /****************************************************************************/
1511 static int process_acf(struct sk_buff **pskb, struct ip_conntrack *ct,
1512 enum ip_conntrack_info ctinfo,
1513 unsigned char **data, AdmissionConfirm * acf)
1515 int dir = CTINFO2DIR(ctinfo);
1519 struct ip_conntrack_expect *exp;
1521 DEBUGP("ip_ct_ras: ACF\n");
1523 if (!get_h225_addr(*data, &acf->destCallSignalAddress, &ip, &port))
1526 if (ip == ct->tuplehash[dir].tuple.dst.ip) { /* Answering ACF */
1527 if (set_sig_addr_hook)
1528 return set_sig_addr_hook(pskb, ct, ctinfo, data,
1529 &acf->destCallSignalAddress,
1534 /* Need new expect */
1535 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
1537 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
1538 exp->tuple.src.u.tcp.port = 0;
1539 exp->tuple.dst.ip = ip;
1540 exp->tuple.dst.u.tcp.port = htons(port);
1541 exp->tuple.dst.protonum = IPPROTO_TCP;
1542 exp->mask.src.ip = 0xFFFFFFFF;
1543 exp->mask.src.u.tcp.port = 0;
1544 exp->mask.dst.ip = 0xFFFFFFFF;
1545 exp->mask.dst.u.tcp.port = 0xFFFF;
1546 exp->mask.dst.protonum = 0xFF;
1547 exp->flags = IP_CT_EXPECT_PERMANENT;
1548 exp->expectfn = ip_conntrack_q931_expect;
1550 if (ip_conntrack_expect_related(exp) == 0) {
1551 DEBUGP("ip_ct_ras: expect Q.931 "
1552 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
1553 NIPQUAD(exp->tuple.src.ip),
1554 ntohs(exp->tuple.src.u.tcp.port),
1555 NIPQUAD(exp->tuple.dst.ip),
1556 ntohs(exp->tuple.dst.u.tcp.port));
1560 ip_conntrack_expect_put(exp);
1565 /****************************************************************************/
1566 static int process_lrq(struct sk_buff **pskb, struct ip_conntrack *ct,
1567 enum ip_conntrack_info ctinfo,
1568 unsigned char **data, LocationRequest * lrq)
1570 DEBUGP("ip_ct_ras: LRQ\n");
1572 if (set_ras_addr_hook)
1573 return set_ras_addr_hook(pskb, ct, ctinfo, data,
1574 &lrq->replyAddress, 1);
1578 /****************************************************************************/
1579 static int process_lcf(struct sk_buff **pskb, struct ip_conntrack *ct,
1580 enum ip_conntrack_info ctinfo,
1581 unsigned char **data, LocationConfirm * lcf)
1583 int dir = CTINFO2DIR(ctinfo);
1587 struct ip_conntrack_expect *exp = NULL;
1589 DEBUGP("ip_ct_ras: LCF\n");
1591 if (!get_h225_addr(*data, &lcf->callSignalAddress, &ip, &port))
1594 /* Need new expect for call signal */
1595 if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
1597 exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
1598 exp->tuple.src.u.tcp.port = 0;
1599 exp->tuple.dst.ip = ip;
1600 exp->tuple.dst.u.tcp.port = htons(port);
1601 exp->tuple.dst.protonum = IPPROTO_TCP;
1602 exp->mask.src.ip = 0xFFFFFFFF;
1603 exp->mask.src.u.tcp.port = 0;
1604 exp->mask.dst.ip = 0xFFFFFFFF;
1605 exp->mask.dst.u.tcp.port = 0xFFFF;
1606 exp->mask.dst.protonum = 0xFF;
1607 exp->flags = IP_CT_EXPECT_PERMANENT;
1608 exp->expectfn = ip_conntrack_q931_expect;
1610 if (ip_conntrack_expect_related(exp) == 0) {
1611 DEBUGP("ip_ct_ras: expect Q.931 "
1612 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
1613 NIPQUAD(exp->tuple.src.ip),
1614 ntohs(exp->tuple.src.u.tcp.port),
1615 NIPQUAD(exp->tuple.dst.ip),
1616 ntohs(exp->tuple.dst.u.tcp.port));
1620 ip_conntrack_expect_put(exp);
1622 /* Ignore rasAddress */
1627 /****************************************************************************/
1628 static int process_irr(struct sk_buff **pskb, struct ip_conntrack *ct,
1629 enum ip_conntrack_info ctinfo,
1630 unsigned char **data, InfoRequestResponse * irr)
1634 DEBUGP("ip_ct_ras: IRR\n");
1636 if (set_ras_addr_hook) {
1637 ret = set_ras_addr_hook(pskb, ct, ctinfo, data,
1638 &irr->rasAddress, 1);
1643 if (set_sig_addr_hook) {
1644 ret = set_sig_addr_hook(pskb, ct, ctinfo, data,
1645 irr->callSignalAddress.item,
1646 irr->callSignalAddress.count);
1654 /****************************************************************************/
1655 static int process_ras(struct sk_buff **pskb, struct ip_conntrack *ct,
1656 enum ip_conntrack_info ctinfo,
1657 unsigned char **data, RasMessage * ras)
1659 switch (ras->choice) {
1660 case eRasMessage_gatekeeperRequest:
1661 return process_grq(pskb, ct, ctinfo, data,
1662 &ras->gatekeeperRequest);
1663 case eRasMessage_gatekeeperConfirm:
1664 return process_gcf(pskb, ct, ctinfo, data,
1665 &ras->gatekeeperConfirm);
1666 case eRasMessage_registrationRequest:
1667 return process_rrq(pskb, ct, ctinfo, data,
1668 &ras->registrationRequest);
1669 case eRasMessage_registrationConfirm:
1670 return process_rcf(pskb, ct, ctinfo, data,
1671 &ras->registrationConfirm);
1672 case eRasMessage_unregistrationRequest:
1673 return process_urq(pskb, ct, ctinfo, data,
1674 &ras->unregistrationRequest);
1675 case eRasMessage_admissionRequest:
1676 return process_arq(pskb, ct, ctinfo, data,
1677 &ras->admissionRequest);
1678 case eRasMessage_admissionConfirm:
1679 return process_acf(pskb, ct, ctinfo, data,
1680 &ras->admissionConfirm);
1681 case eRasMessage_locationRequest:
1682 return process_lrq(pskb, ct, ctinfo, data,
1683 &ras->locationRequest);
1684 case eRasMessage_locationConfirm:
1685 return process_lcf(pskb, ct, ctinfo, data,
1686 &ras->locationConfirm);
1687 case eRasMessage_infoRequestResponse:
1688 return process_irr(pskb, ct, ctinfo, data,
1689 &ras->infoRequestResponse);
1691 DEBUGP("ip_ct_ras: RAS message %d\n", ras->choice);
1698 /****************************************************************************/
1699 static int ras_help(struct sk_buff **pskb, struct ip_conntrack *ct,
1700 enum ip_conntrack_info ctinfo)
1702 static RasMessage ras;
1703 unsigned char *data;
1707 DEBUGP("ip_ct_ras: skblen = %u\n", (*pskb)->len);
1709 spin_lock_bh(&ip_h323_lock);
1712 data = get_udp_data(pskb, &datalen);
1715 DEBUGP("ip_ct_ras: RAS message %u.%u.%u.%u->%u.%u.%u.%u, len=%d\n",
1716 NIPQUAD((*pskb)->nh.iph->saddr),
1717 NIPQUAD((*pskb)->nh.iph->daddr), datalen);
1719 /* Decode RAS message */
1720 ret = DecodeRasMessage(data, datalen, &ras);
1722 if (net_ratelimit())
1723 printk("ip_ct_ras: decoding error: %s\n",
1724 ret == H323_ERROR_BOUND ?
1725 "out of bound" : "out of range");
1729 /* Process RAS message */
1730 if (process_ras(pskb, ct, ctinfo, &data, &ras) < 0)
1734 spin_unlock_bh(&ip_h323_lock);
1738 spin_unlock_bh(&ip_h323_lock);
1739 if (net_ratelimit())
1740 printk("ip_ct_ras: packet dropped\n");
1744 /****************************************************************************/
1745 static struct ip_conntrack_helper ip_conntrack_helper_ras = {
1750 .tuple = {.src = {.u = {__constant_htons(RAS_PORT)}},
1751 .dst = {.protonum = IPPROTO_UDP}},
1752 .mask = {.src = {.u = {0xFFFE}},
1753 .dst = {.protonum = 0xFF}},
1757 /****************************************************************************/
1758 static void ip_conntrack_ras_expect(struct ip_conntrack *new,
1759 struct ip_conntrack_expect *this)
1761 write_lock_bh(&ip_conntrack_lock);
1762 new->helper = &ip_conntrack_helper_ras;
1763 write_unlock_bh(&ip_conntrack_lock);
1766 /****************************************************************************/
1767 /* Not __exit - called from init() */
1768 static void fini(void)
1770 ip_conntrack_helper_unregister(&ip_conntrack_helper_ras);
1771 ip_conntrack_helper_unregister(&ip_conntrack_helper_q931);
1773 DEBUGP("ip_ct_h323: fini\n");
1776 /****************************************************************************/
1777 static int __init init(void)
1781 h323_buffer = kmalloc(65536, GFP_KERNEL);
1784 if ((ret = ip_conntrack_helper_register(&ip_conntrack_helper_q931)) ||
1785 (ret = ip_conntrack_helper_register(&ip_conntrack_helper_ras))) {
1789 DEBUGP("ip_ct_h323: init success\n");
1793 /****************************************************************************/
1797 EXPORT_SYMBOL_GPL(get_h225_addr);
1798 EXPORT_SYMBOL_GPL(ip_conntrack_h245_expect);
1799 EXPORT_SYMBOL_GPL(ip_conntrack_q931_expect);
1800 EXPORT_SYMBOL_GPL(set_h245_addr_hook);
1801 EXPORT_SYMBOL_GPL(set_h225_addr_hook);
1802 EXPORT_SYMBOL_GPL(set_sig_addr_hook);
1803 EXPORT_SYMBOL_GPL(set_ras_addr_hook);
1804 EXPORT_SYMBOL_GPL(nat_rtp_rtcp_hook);
1805 EXPORT_SYMBOL_GPL(nat_t120_hook);
1806 EXPORT_SYMBOL_GPL(nat_h245_hook);
1807 EXPORT_SYMBOL_GPL(nat_callforwarding_hook);
1808 EXPORT_SYMBOL_GPL(nat_q931_hook);
1810 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
1811 MODULE_DESCRIPTION("H.323 connection tracking helper");
1812 MODULE_LICENSE("GPL");