1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
15 #include <linux/udp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_nat_rule.h>
20 #include <net/netfilter/nf_conntrack_helper.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP NAT helper");
27 MODULE_ALIAS("ip_nat_sip");
31 char src[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
32 char dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
33 unsigned int srclen, srciplen;
34 unsigned int dstlen, dstiplen;
35 } addr[IP_CT_DIR_MAX];
38 static void addr_map_init(const struct nf_conn *ct, struct addr_map *map)
40 const struct nf_conntrack_tuple *t;
41 enum ip_conntrack_dir dir;
44 for (dir = 0; dir < IP_CT_DIR_MAX; dir++) {
45 t = &ct->tuplehash[dir].tuple;
47 n = sprintf(map->addr[dir].src, "%u.%u.%u.%u",
48 NIPQUAD(t->src.u3.ip));
49 map->addr[dir].srciplen = n;
50 n += sprintf(map->addr[dir].src + n, ":%u",
51 ntohs(t->src.u.udp.port));
52 map->addr[dir].srclen = n;
54 n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u",
55 NIPQUAD(t->dst.u3.ip));
56 map->addr[dir].dstiplen = n;
57 n += sprintf(map->addr[dir].dst + n, ":%u",
58 ntohs(t->dst.u.udp.port));
59 map->addr[dir].dstlen = n;
63 static unsigned int mangle_packet(struct sk_buff *skb,
64 const char **dptr, unsigned int *datalen,
65 unsigned int matchoff, unsigned int matchlen,
66 const char *buffer, unsigned int buflen)
68 enum ip_conntrack_info ctinfo;
69 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
71 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
75 /* Reload data pointer and adjust datalen value */
76 *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
77 *datalen += buflen - matchlen;
81 static int map_sip_addr(struct sk_buff *skb, enum ip_conntrack_info ctinfo,
83 const char **dptr, unsigned int *datalen,
84 enum sip_header_pos pos, struct addr_map *map)
86 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
87 unsigned int matchlen, matchoff, addrlen;
90 if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
94 if ((matchlen == map->addr[dir].srciplen ||
95 matchlen == map->addr[dir].srclen) &&
96 memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
97 addr = map->addr[!dir].dst;
98 addrlen = map->addr[!dir].dstlen;
99 } else if ((matchlen == map->addr[dir].dstiplen ||
100 matchlen == map->addr[dir].dstlen) &&
101 memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
102 addr = map->addr[!dir].src;
103 addrlen = map->addr[!dir].srclen;
107 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
111 static unsigned int ip_nat_sip(struct sk_buff *skb,
112 enum ip_conntrack_info ctinfo,
114 const char **dptr, unsigned int *datalen)
116 enum sip_header_pos pos;
119 if (*datalen < sizeof("SIP/2.0") - 1)
122 addr_map_init(ct, &map);
124 /* Basic rules: requests and responses. */
125 if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) {
126 /* 10.2: Constructing the REGISTER Request:
128 * The "userinfo" and "@" components of the SIP URI MUST NOT
131 if (*datalen >= sizeof("REGISTER") - 1 &&
132 strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0)
133 pos = POS_REG_REQ_URI;
137 if (!map_sip_addr(skb, ctinfo, ct, dptr, datalen, pos, &map))
141 if (!map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_FROM, &map) ||
142 !map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_TO, &map) ||
143 !map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_VIA, &map) ||
144 !map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map))
149 static unsigned int mangle_sip_packet(struct sk_buff *skb,
150 enum ip_conntrack_info ctinfo,
152 const char **dptr, unsigned int *datalen,
153 char *buffer, int bufflen,
154 enum sip_header_pos pos)
156 unsigned int matchlen, matchoff;
158 if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
162 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
166 static int mangle_content_len(struct sk_buff *skb,
167 enum ip_conntrack_info ctinfo,
169 const char **dptr, unsigned int *datalen)
171 unsigned int matchoff, matchlen;
172 char buffer[sizeof("65536")];
175 /* Get actual SDP length */
176 if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff,
177 &matchlen, POS_SDP_HEADER) > 0) {
179 /* since ct_sip_get_info() give us a pointer passing 'v='
180 we need to add 2 bytes in this count. */
181 int c_len = *datalen - matchoff + 2;
183 /* Now, update SDP length */
184 if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff,
185 &matchlen, POS_CONTENT) > 0) {
187 bufflen = sprintf(buffer, "%u", c_len);
188 return mangle_packet(skb, dptr, datalen,
196 static unsigned int mangle_sdp(struct sk_buff *skb,
197 enum ip_conntrack_info ctinfo,
199 __be32 newip, u_int16_t port,
200 const char **dptr, unsigned int *datalen)
202 char buffer[sizeof("nnn.nnn.nnn.nnn")];
203 unsigned int bufflen;
205 /* Mangle owner and contact info. */
206 bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
207 if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
208 buffer, bufflen, POS_OWNER_IP4))
211 if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
212 buffer, bufflen, POS_CONNECTION_IP4))
215 /* Mangle media port. */
216 bufflen = sprintf(buffer, "%u", port);
217 if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
218 buffer, bufflen, POS_MEDIA))
221 return mangle_content_len(skb, ctinfo, ct, dptr, datalen);
224 static void ip_nat_sdp_expect(struct nf_conn *ct,
225 struct nf_conntrack_expect *exp)
227 struct nf_nat_range range;
229 /* This must be a fresh one. */
230 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
232 /* For DST manip, map port here to where it's expected. */
233 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
234 range.min = range.max = exp->saved_proto;
235 range.min_ip = range.max_ip = exp->saved_ip;
236 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
238 /* Change src to where master sends to */
239 range.flags = IP_NAT_RANGE_MAP_IPS;
240 range.min_ip = range.max_ip
241 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
242 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
245 /* So, this packet has hit the connection tracking matching code.
246 Mangle it, and change the expectation to match the new version. */
247 static unsigned int ip_nat_sdp(struct sk_buff *skb,
248 enum ip_conntrack_info ctinfo,
249 struct nf_conntrack_expect *exp,
250 const char **dptr, unsigned int *datalen)
252 struct nf_conn *ct = exp->master;
253 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
257 /* Connection will come from reply */
258 if (ct->tuplehash[dir].tuple.src.u3.ip ==
259 ct->tuplehash[!dir].tuple.dst.u3.ip)
260 newip = exp->tuple.dst.u3.ip;
262 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
264 exp->saved_ip = exp->tuple.dst.u3.ip;
265 exp->tuple.dst.u3.ip = newip;
266 exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
269 /* When you see the packet, we need to NAT it the same as the
271 exp->expectfn = ip_nat_sdp_expect;
273 /* Try to get same port: if not, try to change it. */
274 for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
275 exp->tuple.dst.u.udp.port = htons(port);
276 if (nf_ct_expect_related(exp) == 0)
283 if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr, datalen)) {
284 nf_ct_unexpect_related(exp);
290 static void __exit nf_nat_sip_fini(void)
292 rcu_assign_pointer(nf_nat_sip_hook, NULL);
293 rcu_assign_pointer(nf_nat_sdp_hook, NULL);
297 static int __init nf_nat_sip_init(void)
299 BUG_ON(nf_nat_sip_hook != NULL);
300 BUG_ON(nf_nat_sdp_hook != NULL);
301 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
302 rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
306 module_init(nf_nat_sip_init);
307 module_exit(nf_nat_sip_fini);