]> err.no Git - linux-2.6/commitdiff
[NETFILTER]: nf_nat_sip: translate all Via headers
authorPatrick McHardy <kaber@trash.net>
Wed, 26 Mar 2008 03:24:41 +0000 (20:24 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 26 Mar 2008 03:24:41 +0000 (20:24 -0700)
Update maddr=, received= and rport= Via-header parameters refering to
the signalling connection.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/nf_nat_sip.c

index b44281011d6d9fe8c916092a40791e67eccf231f..71a4adcfd5766d41e3518f0f63790f0b860f3ca1 100644 (file)
@@ -100,9 +100,11 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 {
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+       enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
        unsigned int matchoff, matchlen;
        union nf_inet_addr addr;
        __be16 port;
+       int request;
 
        /* Basic rules: requests and responses. */
        if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
@@ -112,11 +114,81 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
                    !map_addr(skb, dptr, datalen, matchoff, matchlen,
                              &addr, port))
                        return NF_DROP;
+               request = 1;
+       } else
+               request = 0;
+
+       /* Translate topmost Via header and parameters */
+       if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
+                                   SIP_HDR_VIA, NULL, &matchoff, &matchlen,
+                                   &addr, &port) > 0) {
+               unsigned int matchend, poff, plen, buflen, n;
+               char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+
+               /* We're only interested in headers related to this
+                * connection */
+               if (request) {
+                       if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
+                           port != ct->tuplehash[dir].tuple.src.u.udp.port)
+                               goto next;
+               } else {
+                       if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
+                           port != ct->tuplehash[dir].tuple.dst.u.udp.port)
+                               goto next;
+               }
+
+               if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
+                             &addr, port))
+                       return NF_DROP;
+
+               matchend = matchoff + matchlen;
+
+               /* The maddr= parameter (RFC 2361) specifies where to send
+                * the reply. */
+               if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
+                                              "maddr=", &poff, &plen,
+                                              &addr) > 0 &&
+                   addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
+                   addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
+                       __be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
+                       buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
+                       if (!mangle_packet(skb, dptr, datalen, poff, plen,
+                                          buffer, buflen))
+                               return NF_DROP;
+               }
+
+               /* The received= parameter (RFC 2361) contains the address
+                * from which the server received the request. */
+               if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
+                                              "received=", &poff, &plen,
+                                              &addr) > 0 &&
+                   addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
+                   addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
+                       __be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
+                       buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
+                       if (!mangle_packet(skb, dptr, datalen, poff, plen,
+                                          buffer, buflen))
+                               return NF_DROP;
+               }
+
+               /* The rport= parameter (RFC 3581) contains the port number
+                * from which the server received the request. */
+               if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
+                                                "rport=", &poff, &plen,
+                                                &n) > 0 &&
+                   htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
+                   htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
+                       __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
+                       buflen = sprintf(buffer, "%u", ntohs(p));
+                       if (!mangle_packet(skb, dptr, datalen, poff, plen,
+                                          buffer, buflen))
+                               return NF_DROP;
+               }
        }
 
+next:
        if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
            !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO) ||
-           !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA) ||
            !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT))
                return NF_DROP;
        return NF_ACCEPT;