1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
15 #include <linux/udp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_nat_rule.h>
20 #include <net/netfilter/nf_conntrack_helper.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP NAT helper");
27 MODULE_ALIAS("ip_nat_sip");
30 static unsigned int mangle_packet(struct sk_buff *skb,
31 const char **dptr, unsigned int *datalen,
32 unsigned int matchoff, unsigned int matchlen,
33 const char *buffer, unsigned int buflen)
35 enum ip_conntrack_info ctinfo;
36 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
38 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
42 /* Reload data pointer and adjust datalen value */
43 *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
44 *datalen += buflen - matchlen;
48 static int map_addr(struct sk_buff *skb,
49 const char **dptr, unsigned int *datalen,
50 unsigned int matchoff, unsigned int matchlen,
51 union nf_inet_addr *addr, __be16 port)
53 enum ip_conntrack_info ctinfo;
54 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
55 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
56 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
61 if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
62 ct->tuplehash[dir].tuple.src.u.udp.port == port) {
63 newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
64 newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
65 } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
66 ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
67 newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
68 newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
72 if (newaddr == addr->ip && newport == port)
75 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
76 NIPQUAD(newaddr), ntohs(newport));
78 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
82 static int map_sip_addr(struct sk_buff *skb,
83 const char **dptr, unsigned int *datalen,
84 enum sip_header_types type)
86 enum ip_conntrack_info ctinfo;
87 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
88 unsigned int matchlen, matchoff;
89 union nf_inet_addr addr;
92 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
93 &matchoff, &matchlen, &addr, &port) <= 0)
95 return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port);
98 static unsigned int ip_nat_sip(struct sk_buff *skb,
99 const char **dptr, unsigned int *datalen)
101 enum ip_conntrack_info ctinfo;
102 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
103 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
104 unsigned int dataoff, matchoff, matchlen;
105 union nf_inet_addr addr;
107 int request, in_header;
109 /* Basic rules: requests and responses. */
110 if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
111 if (ct_sip_parse_request(ct, *dptr, *datalen,
112 &matchoff, &matchlen,
114 !map_addr(skb, dptr, datalen, matchoff, matchlen,
121 /* Translate topmost Via header and parameters */
122 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
123 SIP_HDR_VIA, NULL, &matchoff, &matchlen,
125 unsigned int matchend, poff, plen, buflen, n;
126 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
128 /* We're only interested in headers related to this
131 if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
132 port != ct->tuplehash[dir].tuple.src.u.udp.port)
135 if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
136 port != ct->tuplehash[dir].tuple.dst.u.udp.port)
140 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
144 matchend = matchoff + matchlen;
146 /* The maddr= parameter (RFC 2361) specifies where to send
148 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
149 "maddr=", &poff, &plen,
151 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
152 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
153 __be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
154 buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
155 if (!mangle_packet(skb, dptr, datalen, poff, plen,
160 /* The received= parameter (RFC 2361) contains the address
161 * from which the server received the request. */
162 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
163 "received=", &poff, &plen,
165 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
166 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
167 __be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
168 buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
169 if (!mangle_packet(skb, dptr, datalen, poff, plen,
174 /* The rport= parameter (RFC 3581) contains the port number
175 * from which the server received the request. */
176 if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
177 "rport=", &poff, &plen,
179 htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
180 htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
181 __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
182 buflen = sprintf(buffer, "%u", ntohs(p));
183 if (!mangle_packet(skb, dptr, datalen, poff, plen,
190 /* Translate Contact headers */
193 while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
194 SIP_HDR_CONTACT, &in_header,
195 &matchoff, &matchlen,
197 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
202 if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
203 !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO))
208 /* Handles expected signalling connections and media streams */
209 static void ip_nat_sip_expected(struct nf_conn *ct,
210 struct nf_conntrack_expect *exp)
212 struct nf_nat_range range;
214 /* This must be a fresh one. */
215 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
217 /* For DST manip, map port here to where it's expected. */
218 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
219 range.min = range.max = exp->saved_proto;
220 range.min_ip = range.max_ip = exp->saved_ip;
221 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
223 /* Change src to where master sends to, but only if the connection
224 * actually came from the same source. */
225 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
226 ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
227 range.flags = IP_NAT_RANGE_MAP_IPS;
228 range.min_ip = range.max_ip
229 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
230 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
234 static unsigned int ip_nat_sip_expect(struct sk_buff *skb,
235 const char **dptr, unsigned int *datalen,
236 struct nf_conntrack_expect *exp,
237 unsigned int matchoff,
238 unsigned int matchlen)
240 enum ip_conntrack_info ctinfo;
241 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
242 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
245 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
248 /* Connection will come from reply */
249 if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
250 newip = exp->tuple.dst.u3.ip;
252 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
254 /* If the signalling port matches the connection's source port in the
255 * original direction, try to use the destination port in the opposite
257 if (exp->tuple.dst.u.udp.port ==
258 ct->tuplehash[dir].tuple.src.u.udp.port)
259 port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
261 port = ntohs(exp->tuple.dst.u.udp.port);
263 exp->saved_ip = exp->tuple.dst.u3.ip;
264 exp->tuple.dst.u3.ip = newip;
265 exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
267 exp->expectfn = ip_nat_sip_expected;
269 for (; port != 0; port++) {
270 exp->tuple.dst.u.udp.port = htons(port);
271 if (nf_ct_expect_related(exp) == 0)
278 if (exp->tuple.dst.u3.ip != exp->saved_ip ||
279 exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
280 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
281 NIPQUAD(newip), port);
282 if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
289 nf_ct_unexpect_related(exp);
293 static int mangle_content_len(struct sk_buff *skb,
294 const char **dptr, unsigned int *datalen)
296 enum ip_conntrack_info ctinfo;
297 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
298 unsigned int matchoff, matchlen;
299 char buffer[sizeof("65536")];
302 /* Get actual SDP length */
303 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
304 SDP_HDR_VERSION, SDP_HDR_UNSPEC,
305 &matchoff, &matchlen) <= 0)
307 c_len = *datalen - matchoff + strlen("v=");
309 /* Now, update SDP length */
310 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
311 &matchoff, &matchlen) <= 0)
314 buflen = sprintf(buffer, "%u", c_len);
315 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
319 static unsigned mangle_sdp_packet(struct sk_buff *skb, const char **dptr,
320 unsigned int dataoff, unsigned int *datalen,
321 enum sdp_header_types type,
322 enum sdp_header_types term,
323 char *buffer, int buflen)
325 enum ip_conntrack_info ctinfo;
326 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
327 unsigned int matchlen, matchoff;
329 if (ct_sip_get_sdp_header(ct, *dptr, dataoff, *datalen, type, term,
330 &matchoff, &matchlen) <= 0)
332 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
336 static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr,
337 unsigned int dataoff,
338 unsigned int *datalen,
339 enum sdp_header_types type,
340 enum sdp_header_types term,
341 const union nf_inet_addr *addr)
343 char buffer[sizeof("nnn.nnn.nnn.nnn")];
346 buflen = sprintf(buffer, NIPQUAD_FMT, NIPQUAD(addr->ip));
347 if (!mangle_sdp_packet(skb, dptr, dataoff, datalen, type, term,
351 return mangle_content_len(skb, dptr, datalen);
354 static unsigned int ip_nat_sdp_port(struct sk_buff *skb,
356 unsigned int *datalen,
357 unsigned int matchoff,
358 unsigned int matchlen,
361 char buffer[sizeof("nnnnn")];
364 buflen = sprintf(buffer, "%u", port);
365 if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
369 return mangle_content_len(skb, dptr, datalen);
372 static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr,
373 unsigned int dataoff,
374 unsigned int *datalen,
375 const union nf_inet_addr *addr)
377 char buffer[sizeof("nnn.nnn.nnn.nnn")];
380 /* Mangle session description owner and contact addresses */
381 buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(addr->ip));
382 if (!mangle_sdp_packet(skb, dptr, dataoff, datalen,
383 SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
387 if (!mangle_sdp_packet(skb, dptr, dataoff, datalen,
388 SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
392 return mangle_content_len(skb, dptr, datalen);
395 /* So, this packet has hit the connection tracking matching code.
396 Mangle it, and change the expectation to match the new version. */
397 static unsigned int ip_nat_sdp_media(struct sk_buff *skb,
399 unsigned int *datalen,
400 struct nf_conntrack_expect *rtp_exp,
401 struct nf_conntrack_expect *rtcp_exp,
402 unsigned int mediaoff,
403 unsigned int medialen,
404 union nf_inet_addr *rtp_addr)
406 enum ip_conntrack_info ctinfo;
407 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
408 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
411 /* Connection will come from reply */
412 if (ct->tuplehash[dir].tuple.src.u3.ip ==
413 ct->tuplehash[!dir].tuple.dst.u3.ip)
414 rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
416 rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
418 rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
419 rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
420 rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
422 rtp_exp->expectfn = ip_nat_sip_expected;
424 rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
425 rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
426 rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
427 rtcp_exp->dir = !dir;
428 rtcp_exp->expectfn = ip_nat_sip_expected;
430 /* Try to get same pair of ports: if not, try to change them. */
431 for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
432 port != 0; port += 2) {
433 rtp_exp->tuple.dst.u.udp.port = htons(port);
434 if (nf_ct_expect_related(rtp_exp) != 0)
436 rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
437 if (nf_ct_expect_related(rtcp_exp) == 0)
439 nf_ct_unexpect_related(rtp_exp);
445 /* Update media port. */
446 if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
447 !ip_nat_sdp_port(skb, dptr, datalen, mediaoff, medialen, port))
453 nf_ct_unexpect_related(rtp_exp);
454 nf_ct_unexpect_related(rtcp_exp);
459 static void __exit nf_nat_sip_fini(void)
461 rcu_assign_pointer(nf_nat_sip_hook, NULL);
462 rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
463 rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
464 rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
465 rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
469 static int __init nf_nat_sip_init(void)
471 BUG_ON(nf_nat_sip_hook != NULL);
472 BUG_ON(nf_nat_sip_expect_hook != NULL);
473 BUG_ON(nf_nat_sdp_addr_hook != NULL);
474 BUG_ON(nf_nat_sdp_session_hook != NULL);
475 BUG_ON(nf_nat_sdp_media_hook != NULL);
476 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
477 rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
478 rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
479 rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
480 rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
484 module_init(nf_nat_sip_init);
485 module_exit(nf_nat_sip_fini);