err.no Git - linux-2.6/blob - net/ipv4/netfilter/nf_nat_sip.c

   1 /* SIP extension for UDP NAT alteration.
   2  *
   3  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
   4  * based on RR's ip_nat_ftp.c and other modules.
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation.
   9  */
  10
  11 #include <linux/module.h>
  12 #include <linux/skbuff.h>
  13 #include <linux/ip.h>
  14 #include <net/ip.h>
  15 #include <linux/udp.h>
  16
  17 #include <net/netfilter/nf_nat.h>
  18 #include <net/netfilter/nf_nat_helper.h>
  19 #include <net/netfilter/nf_nat_rule.h>
  20 #include <net/netfilter/nf_conntrack_helper.h>
  21 #include <net/netfilter/nf_conntrack_expect.h>
  22 #include <linux/netfilter/nf_conntrack_sip.h>
  23
  24 MODULE_LICENSE("GPL");
  25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
  26 MODULE_DESCRIPTION("SIP NAT helper");
  27 MODULE_ALIAS("ip_nat_sip");
  28
  29
  30 static unsigned int mangle_packet(struct sk_buff *skb,
  31                                   const char **dptr, unsigned int *datalen,
  32                                   unsigned int matchoff, unsigned int matchlen,
  33                                   const char *buffer, unsigned int buflen)
  34 {
  35         enum ip_conntrack_info ctinfo;
  36         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  37
  38         if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
  39                                       buffer, buflen))
  40                 return 0;
  41
  42         /* Reload data pointer and adjust datalen value */
  43         *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
  44         *datalen += buflen - matchlen;
  45         return 1;
  46 }
  47
  48 static int map_addr(struct sk_buff *skb,
  49                     const char **dptr, unsigned int *datalen,
  50                     unsigned int matchoff, unsigned int matchlen,
  51                     union nf_inet_addr *addr, __be16 port)
  52 {
  53         enum ip_conntrack_info ctinfo;
  54         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  55         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
  56         char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
  57         unsigned int buflen;
  58         __be32 newaddr;
  59         __be16 newport;
  60
  61         if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
  62             ct->tuplehash[dir].tuple.src.u.udp.port == port) {
  63                 newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
  64                 newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
  65         } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
  66                    ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
  67                 newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
  68                 newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
  69         } else
  70                 return 1;
  71
  72         if (newaddr == addr->ip && newport == port)
  73                 return 1;
  74
  75         buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
  76                          NIPQUAD(newaddr), ntohs(newport));
  77
  78         return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
  79                              buffer, buflen);
  80 }
  81
  82 static int map_sip_addr(struct sk_buff *skb,
  83                         const char **dptr, unsigned int *datalen,
  84                         enum sip_header_types type)
  85 {
  86         enum ip_conntrack_info ctinfo;
  87         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  88         unsigned int matchlen, matchoff;
  89         union nf_inet_addr addr;
  90         __be16 port;
  91
  92         if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
  93                                     &matchoff, &matchlen, &addr, &port) <= 0)
  94                 return 1;
  95         return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port);
  96 }
  97
  98 static unsigned int ip_nat_sip(struct sk_buff *skb,
  99                                const char **dptr, unsigned int *datalen)
 100 {
 101         enum ip_conntrack_info ctinfo;
 102         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 103         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 104         unsigned int dataoff, matchoff, matchlen;
 105         union nf_inet_addr addr;
 106         __be16 port;
 107         int request, in_header;
 108
 109         /* Basic rules: requests and responses. */
 110         if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 111                 if (ct_sip_parse_request(ct, *dptr, *datalen,
 112                                          &matchoff, &matchlen,
 113                                          &addr, &port) > 0 &&
 114                     !map_addr(skb, dptr, datalen, matchoff, matchlen,
 115                               &addr, port))
 116                         return NF_DROP;
 117                 request = 1;
 118         } else
 119                 request = 0;
 120
 121         /* Translate topmost Via header and parameters */
 122         if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
 123                                     SIP_HDR_VIA, NULL, &matchoff, &matchlen,
 124                                     &addr, &port) > 0) {
 125                 unsigned int matchend, poff, plen, buflen, n;
 126                 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
 127
 128                 /* We're only interested in headers related to this
 129                  * connection */
 130                 if (request) {
 131                         if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
 132                             port != ct->tuplehash[dir].tuple.src.u.udp.port)
 133                                 goto next;
 134                 } else {
 135                         if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
 136                             port != ct->tuplehash[dir].tuple.dst.u.udp.port)
 137                                 goto next;
 138                 }
 139
 140                 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
 141                               &addr, port))
 142                         return NF_DROP;
 143
 144                 matchend = matchoff + matchlen;
 145
 146                 /* The maddr= parameter (RFC 2361) specifies where to send
 147                  * the reply. */
 148                 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
 149                                                "maddr=", &poff, &plen,
 150                                                &addr) > 0 &&
 151                     addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
 152                     addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
 153                         __be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 154                         buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
 155                         if (!mangle_packet(skb, dptr, datalen, poff, plen,
 156                                            buffer, buflen))
 157                                 return NF_DROP;
 158                 }
 159
 160                 /* The received= parameter (RFC 2361) contains the address
 161                  * from which the server received the request. */
 162                 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
 163                                                "received=", &poff, &plen,
 164                                                &addr) > 0 &&
 165                     addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
 166                     addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
 167                         __be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
 168                         buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
 169                         if (!mangle_packet(skb, dptr, datalen, poff, plen,
 170                                            buffer, buflen))
 171                                 return NF_DROP;
 172                 }
 173
 174                 /* The rport= parameter (RFC 3581) contains the port number
 175                  * from which the server received the request. */
 176                 if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
 177                                                  "rport=", &poff, &plen,
 178                                                  &n) > 0 &&
 179                     htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
 180                     htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
 181                         __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
 182                         buflen = sprintf(buffer, "%u", ntohs(p));
 183                         if (!mangle_packet(skb, dptr, datalen, poff, plen,
 184                                            buffer, buflen))
 185                                 return NF_DROP;
 186                 }
 187         }
 188
 189 next:
 190         /* Translate Contact headers */
 191         dataoff = 0;
 192         in_header = 0;
 193         while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
 194                                        SIP_HDR_CONTACT, &in_header,
 195                                        &matchoff, &matchlen,
 196                                        &addr, &port) > 0) {
 197                 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
 198                               &addr, port))
 199                         return NF_DROP;
 200         }
 201
 202         if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
 203             !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO))
 204                 return NF_DROP;
 205         return NF_ACCEPT;
 206 }
 207
 208 /* Handles expected signalling connections and media streams */
 209 static void ip_nat_sip_expected(struct nf_conn *ct,
 210                                 struct nf_conntrack_expect *exp)
 211 {
 212         struct nf_nat_range range;
 213
 214         /* This must be a fresh one. */
 215         BUG_ON(ct->status & IPS_NAT_DONE_MASK);
 216
 217         /* For DST manip, map port here to where it's expected. */
 218         range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
 219         range.min = range.max = exp->saved_proto;
 220         range.min_ip = range.max_ip = exp->saved_ip;
 221         nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
 222
 223         /* Change src to where master sends to, but only if the connection
 224          * actually came from the same source. */
 225         if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
 226             ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
 227                 range.flags = IP_NAT_RANGE_MAP_IPS;
 228                 range.min_ip = range.max_ip
 229                         = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
 230                 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
 231         }
 232 }
 233
 234 static unsigned int ip_nat_sip_expect(struct sk_buff *skb,
 235                                       const char **dptr, unsigned int *datalen,
 236                                       struct nf_conntrack_expect *exp,
 237                                       unsigned int matchoff,
 238                                       unsigned int matchlen)
 239 {
 240         enum ip_conntrack_info ctinfo;
 241         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 242         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 243         __be32 newip;
 244         u_int16_t port;
 245         char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
 246         unsigned buflen;
 247
 248         /* Connection will come from reply */
 249         if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
 250                 newip = exp->tuple.dst.u3.ip;
 251         else
 252                 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 253
 254         /* If the signalling port matches the connection's source port in the
 255          * original direction, try to use the destination port in the opposite
 256          * direction. */
 257         if (exp->tuple.dst.u.udp.port ==
 258             ct->tuplehash[dir].tuple.src.u.udp.port)
 259                 port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
 260         else
 261                 port = ntohs(exp->tuple.dst.u.udp.port);
 262
 263         exp->saved_ip = exp->tuple.dst.u3.ip;
 264         exp->tuple.dst.u3.ip = newip;
 265         exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
 266         exp->dir = !dir;
 267         exp->expectfn = ip_nat_sip_expected;
 268
 269         for (; port != 0; port++) {
 270                 exp->tuple.dst.u.udp.port = htons(port);
 271                 if (nf_ct_expect_related(exp) == 0)
 272                         break;
 273         }
 274
 275         if (port == 0)
 276                 return NF_DROP;
 277
 278         if (exp->tuple.dst.u3.ip != exp->saved_ip ||
 279             exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
 280                 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
 281                                  NIPQUAD(newip), port);
 282                 if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 283                                    buffer, buflen))
 284                         goto err;
 285         }
 286         return NF_ACCEPT;
 287
 288 err:
 289         nf_ct_unexpect_related(exp);
 290         return NF_DROP;
 291 }
 292
 293 static int mangle_content_len(struct sk_buff *skb,
 294                               const char **dptr, unsigned int *datalen)
 295 {
 296         enum ip_conntrack_info ctinfo;
 297         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 298         unsigned int matchoff, matchlen;
 299         char buffer[sizeof("65536")];
 300         int buflen, c_len;
 301
 302         /* Get actual SDP length */
 303         if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
 304                                   SDP_HDR_VERSION, SDP_HDR_UNSPEC,
 305                                   &matchoff, &matchlen) <= 0)
 306                 return 0;
 307         c_len = *datalen - matchoff + strlen("v=");
 308
 309         /* Now, update SDP length */
 310         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
 311                               &matchoff, &matchlen) <= 0)
 312                 return 0;
 313
 314         buflen = sprintf(buffer, "%u", c_len);
 315         return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 316                              buffer, buflen);
 317 }
 318
 319 static unsigned mangle_sdp_packet(struct sk_buff *skb, const char **dptr,
 320                                   unsigned int dataoff, unsigned int *datalen,
 321                                   enum sdp_header_types type,
 322                                   enum sdp_header_types term,
 323                                   char *buffer, int buflen)
 324 {
 325         enum ip_conntrack_info ctinfo;
 326         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 327         unsigned int matchlen, matchoff;
 328
 329         if (ct_sip_get_sdp_header(ct, *dptr, dataoff, *datalen, type, term,
 330                                   &matchoff, &matchlen) <= 0)
 331                 return 0;
 332         return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 333                              buffer, buflen);
 334 }
 335
 336 static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr,
 337                                     unsigned int dataoff,
 338                                     unsigned int *datalen,
 339                                     enum sdp_header_types type,
 340                                     enum sdp_header_types term,
 341                                     const union nf_inet_addr *addr)
 342 {
 343         char buffer[sizeof("nnn.nnn.nnn.nnn")];
 344         unsigned int buflen;
 345
 346         buflen = sprintf(buffer, NIPQUAD_FMT, NIPQUAD(addr->ip));
 347         if (!mangle_sdp_packet(skb, dptr, dataoff, datalen, type, term,
 348                                buffer, buflen))
 349                 return 0;
 350
 351         return mangle_content_len(skb, dptr, datalen);
 352 }
 353
 354 static unsigned int ip_nat_sdp_port(struct sk_buff *skb,
 355                                     const char **dptr,
 356                                     unsigned int *datalen,
 357                                     unsigned int matchoff,
 358                                     unsigned int matchlen,
 359                                     u_int16_t port)
 360 {
 361         char buffer[sizeof("nnnnn")];
 362         unsigned int buflen;
 363
 364         buflen = sprintf(buffer, "%u", port);
 365         if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 366                            buffer, buflen))
 367                 return 0;
 368
 369         return mangle_content_len(skb, dptr, datalen);
 370 }
 371
 372 static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr,
 373                                        unsigned int dataoff,
 374                                        unsigned int *datalen,
 375                                        const union nf_inet_addr *addr)
 376 {
 377         char buffer[sizeof("nnn.nnn.nnn.nnn")];
 378         unsigned int buflen;
 379
 380         /* Mangle session description owner and contact addresses */
 381         buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(addr->ip));
 382         if (!mangle_sdp_packet(skb, dptr, dataoff, datalen,
 383                                SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
 384                                buffer, buflen))
 385                 return 0;
 386
 387         if (!mangle_sdp_packet(skb, dptr, dataoff, datalen,
 388                                SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
 389                                buffer, buflen))
 390                 return 0;
 391
 392         return mangle_content_len(skb, dptr, datalen);
 393 }
 394
 395 /* So, this packet has hit the connection tracking matching code.
 396    Mangle it, and change the expectation to match the new version. */
 397 static unsigned int ip_nat_sdp_media(struct sk_buff *skb,
 398                                      const char **dptr,
 399                                      unsigned int *datalen,
 400                                      struct nf_conntrack_expect *rtp_exp,
 401                                      struct nf_conntrack_expect *rtcp_exp,
 402                                      unsigned int mediaoff,
 403                                      unsigned int medialen,
 404                                      union nf_inet_addr *rtp_addr)
 405 {
 406         enum ip_conntrack_info ctinfo;
 407         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 408         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 409         u_int16_t port;
 410
 411         /* Connection will come from reply */
 412         if (ct->tuplehash[dir].tuple.src.u3.ip ==
 413             ct->tuplehash[!dir].tuple.dst.u3.ip)
 414                 rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
 415         else
 416                 rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 417
 418         rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
 419         rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
 420         rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
 421         rtp_exp->dir = !dir;
 422         rtp_exp->expectfn = ip_nat_sip_expected;
 423
 424         rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
 425         rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
 426         rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
 427         rtcp_exp->dir = !dir;
 428         rtcp_exp->expectfn = ip_nat_sip_expected;
 429
 430         /* Try to get same pair of ports: if not, try to change them. */
 431         for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
 432              port != 0; port += 2) {
 433                 rtp_exp->tuple.dst.u.udp.port = htons(port);
 434                 if (nf_ct_expect_related(rtp_exp) != 0)
 435                         continue;
 436                 rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
 437                 if (nf_ct_expect_related(rtcp_exp) == 0)
 438                         break;
 439                 nf_ct_unexpect_related(rtp_exp);
 440         }
 441
 442         if (port == 0)
 443                 goto err1;
 444
 445         /* Update media port. */
 446         if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
 447             !ip_nat_sdp_port(skb, dptr, datalen, mediaoff, medialen, port))
 448                 goto err2;
 449
 450         return NF_ACCEPT;
 451
 452 err2:
 453         nf_ct_unexpect_related(rtp_exp);
 454         nf_ct_unexpect_related(rtcp_exp);
 455 err1:
 456         return NF_DROP;
 457 }
 458
 459 static void __exit nf_nat_sip_fini(void)
 460 {
 461         rcu_assign_pointer(nf_nat_sip_hook, NULL);
 462         rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
 463         rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
 464         rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
 465         rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
 466         synchronize_rcu();
 467 }
 468
 469 static int __init nf_nat_sip_init(void)
 470 {
 471         BUG_ON(nf_nat_sip_hook != NULL);
 472         BUG_ON(nf_nat_sip_expect_hook != NULL);
 473         BUG_ON(nf_nat_sdp_addr_hook != NULL);
 474         BUG_ON(nf_nat_sdp_session_hook != NULL);
 475         BUG_ON(nf_nat_sdp_media_hook != NULL);
 476         rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
 477         rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
 478         rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
 479         rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
 480         rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
 481         return 0;
 482 }
 483
 484 module_init(nf_nat_sip_init);
 485 module_exit(nf_nat_sip_fini);