1 | /* SIP extension for IP connection tracking. |
2 | * | |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | |
4 | * based on RR's ip_conntrack_ftp.c and other modules. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <linux/module.h> |
12 | #include <linux/ctype.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/in.h> | |
15 | #include <linux/ip.h> | |
16 | #include <linux/udp.h> | |
17 | ||
18 | #include <linux/netfilter.h> | |
19 | #include <linux/netfilter_ipv4.h> | |
20 | #include <linux/netfilter_ipv4/ip_conntrack_helper.h> | |
21 | #include <linux/netfilter_ipv4/ip_conntrack_sip.h> | |
22 | ||
/* Debug output is compiled out; change "#if 0" to "#if 1" to route DEBUGP
 * through printk. */
#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP connection tracking helper");

/* Up to MAX_PORTS SIP server ports may be supplied as module parameters;
 * ports_c receives the number actually given (init() falls back to SIP_PORT
 * when it is 0).  Read-only (0400) once the module is loaded. */
#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
static int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of sip servers");

/* Timeout applied to the master SIP connection by sip_help() (multiplied by
 * HZ there, so the unit is seconds).  Mode 0600: adjustable at runtime. */
static unsigned int sip_timeout = SIP_TIMEOUT;
module_param(sip_timeout, uint, 0600);
MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");

/* NAT hooks, NULL unless another module installs them (presumably the SIP
 * NAT helper).  sip_help() and set_expected_rtp() read them through
 * rcu_dereference(); NOTE(review): the matching RCU-safe publication on the
 * installing side is not visible in this file - confirm there. */
unsigned int (*ip_nat_sip_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct ip_conntrack *ct,
				const char **dptr);
EXPORT_SYMBOL_GPL(ip_nat_sip_hook);

unsigned int (*ip_nat_sdp_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct ip_conntrack_expect *exp,
				const char *dptr);
EXPORT_SYMBOL_GPL(ip_nat_sdp_hook);
54 | ||
/* match_len callbacks used by the ct_sip_hdrs[] table below; all share the
 * (start, inclusive limit, &shift) -> length contract of
 * struct sip_header_nfo::match_len. */
static int digits_len(const char *dptr, const char *limit, int *shift);
static int epaddr_len(const char *dptr, const char *limit, int *shift);
static int skp_digits_len(const char *dptr, const char *limit, int *shift);
static int skp_epaddr_len(const char *dptr, const char *limit, int *shift);
59 | ||
/* Description of one SIP/SDP header that ct_sip_get_info() can look up. */
struct sip_header_nfo {
	const char *lname;	/* long header name, e.g. "Contact:"; matched with strncmp */
	const char *sname;	/* optional short form, e.g. "\r\nm:"; NULL when absent */
	const char *ln_str;	/* marker inside the line that directly precedes the value */
	size_t lnlen;		/* strlen(lname) */
	size_t snlen;		/* strlen(sname) */
	size_t ln_strlen;	/* strlen(ln_str) */
	int case_sensitive;	/* search for ln_str with strncmp (1) or strnicmp (0) */
	/* Measures the value that follows ln_str: (start, inclusive limit,
	 * &shift) -> length, 0 meaning "no usable value".  Bytes the callback
	 * skips ahead of the value are added to *shift so the caller can
	 * correct the match offset. */
	int (*match_len)(const char *, const char *, int *);
};
70 | ||
/* Header table indexed by enum sip_header_pos (the pos argument of
 * ct_sip_get_info()).  The SIP entries search their value marker
 * case-insensitively (case_sensitive left 0); the SDP entries (m=, o=,
 * c=, v=) are case sensitive.  The SDP short forms only differ in the line
 * terminator that precedes them ("\n" vs "\r").
 *
 * Every entry keeps snlen <= lnlen.  ct_sip_get_info() depends on that: it
 * compares snlen bytes at a position where only lnlen bytes are known to
 * be inside the buffer. */
static struct sip_header_nfo ct_sip_hdrs[] = {
	[POS_REQ_HEADER] = { /* SIP Requests headers: "sip:user@host" */
		.lname = "sip:",
		.lnlen = sizeof("sip:") - 1,
		.ln_str = "@",
		.ln_strlen = sizeof("@") - 1,
		.match_len = epaddr_len
	},
	[POS_VIA] = { /* SIP Via header */
		.lname = "Via:",
		.lnlen = sizeof("Via:") - 1,
		.sname = "\r\nv:",
		.snlen = sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
		.ln_str = "UDP ",
		.ln_strlen = sizeof("UDP ") - 1,
		.match_len = epaddr_len,
	},
	[POS_CONTACT] = { /* SIP Contact header; user info before '@' is skipped */
		.lname = "Contact:",
		.lnlen = sizeof("Contact:") - 1,
		.sname = "\r\nm:",
		.snlen = sizeof("\r\nm:") - 1,
		.ln_str = "sip:",
		.ln_strlen = sizeof("sip:") - 1,
		.match_len = skp_epaddr_len
	},
	[POS_CONTENT] = { /* SIP Content length header; blanks after ':' skipped */
		.lname = "Content-Length:",
		.lnlen = sizeof("Content-Length:") - 1,
		.sname = "\r\nl:",
		.snlen = sizeof("\r\nl:") - 1,
		.ln_str = ":",
		.ln_strlen = sizeof(":") - 1,
		.match_len = skp_digits_len
	},
	[POS_MEDIA] = { /* SDP media info: the value is the audio port digits */
		.case_sensitive = 1,
		.lname = "\nm=",
		.lnlen = sizeof("\nm=") - 1,
		.sname = "\rm=",
		.snlen = sizeof("\rm=") - 1,
		.ln_str = "audio ",
		.ln_strlen = sizeof("audio ") - 1,
		.match_len = digits_len
	},
	[POS_OWNER] = { /* SDP owner address*/
		.case_sensitive = 1,
		.lname = "\no=",
		.lnlen = sizeof("\no=") - 1,
		.sname = "\ro=",
		.snlen = sizeof("\ro=") - 1,
		.ln_str = "IN IP4 ",
		.ln_strlen = sizeof("IN IP4 ") - 1,
		.match_len = epaddr_len
	},
	[POS_CONNECTION] = { /* SDP connection info: the RTP destination address */
		.case_sensitive = 1,
		.lname = "\nc=",
		.lnlen = sizeof("\nc=") - 1,
		.sname = "\rc=",
		.snlen = sizeof("\rc=") - 1,
		.ln_str = "IN IP4 ",
		.ln_strlen = sizeof("IN IP4 ") - 1,
		.match_len = epaddr_len
	},
	[POS_SDP_HEADER] = { /* SDP version header */
		.case_sensitive = 1,
		.lname = "\nv=",
		.lnlen = sizeof("\nv=") - 1,
		.sname = "\rv=",
		.snlen = sizeof("\rv=") - 1,
		.ln_str = "=",
		.ln_strlen = sizeof("=") - 1,
		.match_len = digits_len
	}
};
147 | |
/* Length of the line starting at @line.  Leading CR/LF bytes are skipped
 * first, then bytes are counted up to (not including) the next CR or LF,
 * or through @limit (inclusive) when no terminator is found.  The returned
 * length includes the skipped CR/LF prefix. */
int ct_sip_lnlen(const char *line, const char *limit)
{
	const char *start = line;
	const char *p = line;

	/* Step over the line terminator(s) of the previous line. */
	for (; p <= limit; p++) {
		if (*p != '\r' && *p != '\n')
			break;
	}

	/* Advance to the terminator of this line. */
	for (; p <= limit; p++) {
		if (*p == '\r' || *p == '\n')
			break;
	}

	return p - start;
}
163 | EXPORT_SYMBOL_GPL(ct_sip_lnlen); | |
164 | ||
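/* Linear search for @needle (@needle_len bytes) inside @haystack
 * (@haystack_len bytes).  Neither buffer is NUL-terminated, so the search
 * is bounded by the lengths alone.  The comparison is strncmp when
 * @case_sensitive is non-zero and strnicmp otherwise.
 *
 * Returns a pointer to the first match, or NULL if there is none. */
const char *ct_sip_search(const char *needle, const char *haystack,
			  size_t needle_len, size_t haystack_len,
			  int case_sensitive)
{
	const char *limit;

	/* A needle longer than the haystack cannot match.  Without this
	 * guard haystack_len - needle_len wraps (size_t), limit lands far
	 * past the buffer and the loop below compares bytes beyond the
	 * packet data. */
	if (needle_len > haystack_len)
		return NULL;

	/* Last position at which a whole needle still fits. */
	limit = haystack + (haystack_len - needle_len);

	for (; haystack <= limit; haystack++) {
		int cmp = case_sensitive
			? strncmp(haystack, needle, needle_len)
			: strnicmp(haystack, needle, needle_len);

		if (cmp == 0)
			return haystack;
	}
	return NULL;
}
EXPORT_SYMBOL_GPL(ct_sip_search);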
185 | ||
/* Count the consecutive decimal digits at @dptr, looking no further than
 * @limit (inclusive).  @shift is untouched; it only exists so the function
 * fits the match_len callback signature. */
static int digits_len(const char *dptr, const char *limit, int *shift)
{
	const char *p = dptr;

	for (; p <= limit; p++) {
		if (!isdigit(*p))
			break;
	}
	return p - dptr;
}
195 | ||
/* Like digits_len(), but leading blanks are skipped first.  Each skipped
 * blank is counted in *shift so the caller can move the match offset past
 * them. */
static int skp_digits_len(const char *dptr, const char *limit, int *shift)
{
	while (dptr <= limit && *dptr == ' ') {
		(*shift)++;
		dptr++;
	}

	return digits_len(dptr, limit, shift);
}
204 | ||
/* Simple dotted-quad parser.  Octets are stored byte by byte in memory
 * order into *ipaddr, which therefore ends up in network byte order.
 *
 * Returns 0 on success (and sets *endp, if given, to the byte after the
 * address), -1 when an octet exceeds 255 or when no complete octet was
 * read (first byte not a digit, or a trailing '.').  Note that fewer than
 * four octets are accepted: the loop stops at the first octet not
 * followed by '.', leaving the remaining bytes of *ipaddr zero.
 *
 * NOTE(review): simple_strtoul() takes no length, so the digits of an
 * octet are consumed regardless of @limit, and the '.' test below reads
 * *cp after that - for an address ending exactly at @limit that is one
 * byte past it.  Callers currently pass a limit inside the packet data;
 * confirm that this slack is acceptable. */
static int parse_ipaddr(const char *cp, const char **endp,
			__be32 *ipaddr, const char *limit)
{
	unsigned long int val;
	int i, digit = 0;

	for (i = 0, *ipaddr = 0; cp <= limit && i < 4; i++) {
		/* Reset per octet: a break below with digit == 0 means the
		 * octet was not started. */
		digit = 0;
		if (!isdigit(*cp))
			break;

		val = simple_strtoul(cp, (char **)&cp, 10);
		if (val > 0xFF)
			return -1;

		((u_int8_t *)ipaddr)[i] = val;
		digit = 1;

		if (*cp != '.')
			break;
		cp++;
	}
	if (!digit)
		return -1;

	if (endp)
		*endp = cp;

	return 0;
}
236 | ||
/* Length of an "ip[:port]" endpoint at @dptr, scanning no further than
 * @limit.  The address is validated with parse_ipaddr(); an optional
 * ":port" suffix is measured with digits_len().  Returns 0 when no
 * address can be parsed.
 *
 * NOTE(review): parse_ipaddr() may leave its end pointer just past @limit,
 * in which case the ':' test reads one byte beyond it. */
static int epaddr_len(const char *dptr, const char *limit, int *shift)
{
	const char *start = dptr;
	const char *p = dptr;
	__be32 ip;

	if (parse_ipaddr(p, &p, &ip, limit) < 0) {
		DEBUGP("ip: %s parse failed.!\n", p);
		return 0;
	}

	/* Optional ":port" suffix. */
	if (*p == ':')
		p += 1 + digits_len(p + 1, limit, shift);

	return p - start;
}
255 | ||
/* Length of an endpoint that may be preceded by "user@".  Bytes up to and
 * including the '@' are skipped and counted in *shift.  When no '@' occurs
 * before @limit, *shift is restored, but the scan position stays past
 * @limit, so the epaddr_len() call that follows finds no address and the
 * result is 0.
 *
 * NOTE(review): the '@' test after the loop dereferences the scan pointer
 * even when it has moved one past @limit. */
static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
{
	const char *p = dptr;
	int saved_shift = *shift;

	while (p <= limit && *p != '@') {
		(*shift)++;
		p++;
	}

	if (*p != '@') {
		*shift = saved_shift;
	} else {
		p++;
		(*shift)++;
	}

	return epaddr_len(p, limit, shift);
}
272 | ||
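/* Locate the header selected by @pos in the @dlen bytes at @dptr and report
 * where its value is.
 *
 * The header is recognised by its long name (hnfo->lname) or, if the table
 * entry has one, its short form (hnfo->sname).  Within that line,
 * hnfo->ln_str marks the start of the value; hnfo->match_len() then measures
 * it and may add to @shift the bytes it skipped (blanks, "user@").
 *
 * Returns 1 with *matchoff/*matchlen set on success, 0 if the header is not
 * present, -1 if it is present but its value cannot be parsed. */
int ct_sip_get_info(const char *dptr, size_t dlen,
		    unsigned int *matchoff,
		    unsigned int *matchlen,
		    enum sip_header_pos pos)
{
	struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
	const char *limit, *aux, *k = dptr;
	int shift = 0;

	/* dlen - lnlen is size_t arithmetic: if the payload is shorter than
	 * the header name it would wrap and push limit far beyond the
	 * buffer.  Such a payload cannot contain the header anyway. */
	if (dlen < hnfo->lnlen)
		return 0;

	/* Last position at which a whole header name still fits. */
	limit = dptr + (dlen - hnfo->lnlen);

	while (dptr <= limit) {
		/* The sname comparison reads snlen bytes here; the table keeps
		 * snlen <= lnlen so this stays inside the buffer. */
		if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
		    (hnfo->sname == NULL ||
		     strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
			dptr++;
			continue;
		}
		/* Header found: look for the value marker inside this line. */
		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
				    ct_sip_lnlen(dptr, limit),
				    hnfo->case_sensitive);
		if (!aux) {
			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
			       hnfo->lname);
			return -1;
		}
		aux += hnfo->ln_strlen;

		*matchlen = hnfo->match_len(aux, limit, &shift);
		if (!*matchlen)
			return -1;

		/* Offset relative to the start of the payload, corrected by
		 * whatever the callback skipped. */
		*matchoff = (aux - k) + shift;

		DEBUGP("%s match succeeded! - len: %u\n", hnfo->lname,
		       *matchlen);
		return 1;
	}
	DEBUGP("%s header not found.\n", hnfo->lname);
	return 0;
}
EXPORT_SYMBOL_GPL(ct_sip_get_info);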
316 | |
/* Set up an expectation for the RTP flow announced in the SDP body: UDP from
 * the other direction's source address (any source port) to @ipaddr:@port.
 * If ip_nat_sdp_hook is installed (presumably by the SIP NAT module) the
 * expectation is handed to it; otherwise it is registered directly.
 *
 * Returns NF_ACCEPT, or NF_DROP when the expectation cannot be allocated or
 * registered.  The hook's return value is passed through as-is. */
static int set_expected_rtp(struct sk_buff **pskb,
			    struct ip_conntrack *ct,
			    enum ip_conntrack_info ctinfo,
			    __be32 ipaddr, u_int16_t port,
			    const char *dptr)
{
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	struct ip_conntrack_expect *exp;
	typeof(ip_nat_sdp_hook) ip_nat_sdp;
	int ret;

	exp = ip_conntrack_expect_alloc(ct);
	if (!exp)
		return NF_DROP;

	/* Tuple: reply-direction source, wildcard source port, announced
	 * destination. */
	exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
	exp->tuple.src.u.udp.port = 0;
	exp->tuple.dst.ip = ipaddr;
	exp->tuple.dst.u.udp.port = htons(port);
	exp->tuple.dst.protonum = IPPROTO_UDP;

	/* Mask: everything exact except the source port. */
	exp->mask.src.ip = htonl(0xFFFFFFFF);
	exp->mask.src.u.udp.port = 0;
	exp->mask.dst.ip = htonl(0xFFFFFFFF);
	exp->mask.dst.u.udp.port = htons(0xFFFF);
	exp->mask.dst.protonum = 0xFF;

	exp->expectfn = NULL;
	exp->flags = 0;

	/* NOTE(review): rcu_dereference() here assumes the caller holds the
	 * RCU read lock; that is not visible in this file. */
	ip_nat_sdp = rcu_dereference(ip_nat_sdp_hook);
	if (ip_nat_sdp)
		ret = ip_nat_sdp(pskb, ctinfo, exp, dptr);
	else
		ret = ip_conntrack_expect_related(exp) != 0 ? NF_DROP : NF_ACCEPT;

	ip_conntrack_expect_put(exp);
	return ret;
}
360 | ||
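/* Conntrack helper entry point for SIP over UDP.  Refreshes the master
 * connection's timeout, lets the SIP NAT hook (if installed) mangle the
 * payload, and for INVITE requests and "SIP/2.0 200" responses that carry
 * SDP sets up an expectation for the announced RTP endpoint.
 *
 * Returns NF_ACCEPT, or NF_DROP when the SDP address or port cannot be
 * parsed, the port is out of range, or the expectation cannot be set up. */
static int sip_help(struct sk_buff **pskb,
		    struct ip_conntrack *ct,
		    enum ip_conntrack_info ctinfo)
{
	unsigned int dataoff, datalen;
	const char *dptr;
	int ret = NF_ACCEPT;
	/* ct_sip_get_info() takes unsigned int *; declaring these as int
	 * passed pointers of an incompatible type. */
	unsigned int matchoff, matchlen;
	unsigned int i;
	unsigned long portval;
	__be32 ipaddr;
	u_int16_t port;
	typeof(ip_nat_sip_hook) ip_nat_sip;

	/* No Data ? */
	dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
	if (dataoff >= (*pskb)->len) {
		DEBUGP("skb->len = %u\n", (*pskb)->len);
		return NF_ACCEPT;
	}

	ip_ct_refresh(ct, *pskb, sip_timeout * HZ);

	/* Only linear skbs are parsed; anything else is accepted untouched. */
	if (!skb_is_nonlinear(*pskb))
		dptr = (*pskb)->data + dataoff;
	else {
		DEBUGP("Copy of skbuff not supported yet.\n");
		goto out;
	}

	/* NOTE(review): rcu_dereference() assumes the caller holds the RCU
	 * read lock; not visible from this file. */
	ip_nat_sip = rcu_dereference(ip_nat_sip_hook);
	if (ip_nat_sip) {
		if (!ip_nat_sip(pskb, ctinfo, ct, &dptr)) {
			ret = NF_DROP;
			goto out;
		}
	}

	/* After this point NAT could have mangled the skb, so the payload
	 * length must be recalculated. */
	datalen = (*pskb)->len - dataoff;

	if (datalen < (sizeof("SIP/2.0 200") - 1))
		goto out;

	/* RTP info only in some SDP pkts */
	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) {
		goto out;
	}
	/* Get ip and port address from SDP packet. */
	if (ct_sip_get_info(dptr, datalen, &matchoff, &matchlen,
			    POS_CONNECTION) > 0) {

		/* We'll drop only if there are parse problems.  The limit is
		 * inclusive in parse_ipaddr() (cp <= limit), as in every other
		 * scanner in this file, so it must be the last payload byte,
		 * not one past it. */
		if (parse_ipaddr(dptr + matchoff, NULL, &ipaddr,
				 dptr + datalen - 1) < 0) {
			ret = NF_DROP;
			goto out;
		}
		if (ct_sip_get_info(dptr, datalen, &matchoff, &matchlen,
				    POS_MEDIA) > 0) {

			/* The port is exactly the matchlen digits that
			 * digits_len() measured for POS_MEDIA.  Convert those
			 * and nothing beyond them - the payload is not
			 * NUL-terminated - and stop as soon as the value no
			 * longer fits in 16 bits. */
			portval = 0;
			for (i = 0; i < matchlen && portval <= 0xFFFF; i++)
				portval = portval * 10 + (dptr[matchoff + i] - '0');

			/* Reject privileged ports and values that would be
			 * silently truncated by the u_int16_t below. */
			if (portval < 1024 || portval > 0xFFFF) {
				ret = NF_DROP;
				goto out;
			}
			port = portval;
			ret = set_expected_rtp(pskb, ct, ctinfo,
					       ipaddr, port, dptr);
		}
	}
out:
	return ret;
}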
434 | ||
/* One helper per configured port; init() fills in and registers
 * sip[0 .. ports_c-1], fini() unregisters them. */
static struct ip_conntrack_helper sip[MAX_PORTS];
/* Backing storage for sip[i].name: "sip" or "sip-<i>" with i < MAX_PORTS (8),
 * i.e. at most 5 characters plus the terminator. */
static char sip_names[MAX_PORTS][10];
437 | ||
/* Module exit: unregister the helper of every configured port
 * (sip[0 .. ports_c-1]). */
static void fini(void)
{
	int i = 0;

	while (i < ports_c) {
		DEBUGP("unregistering helper for port %d\n", ports[i]);
		ip_conntrack_helper_unregister(&sip[i]);
		i++;
	}
}
446 | ||
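/* Module entry point: register one conntrack helper per configured port
 * (SIP_PORT when none was given).  If a registration fails, only the
 * helpers registered before it are unregistered again and the error is
 * returned. */
static int __init init(void)
{
	int i, ret;
	char *tmpname;

	if (ports_c == 0)
		ports[ports_c++] = SIP_PORT;

	for (i = 0; i < ports_c; i++) {
		/* Create helper structure */
		memset(&sip[i], 0, sizeof(sip[i]));

		sip[i].tuple.dst.protonum = IPPROTO_UDP;
		sip[i].tuple.src.u.udp.port = htons(ports[i]);
		sip[i].mask.src.u.udp.port = htons(0xFFFF);
		sip[i].mask.dst.protonum = 0xFF;
		sip[i].max_expected = 2;
		sip[i].timeout = 3 * 60; /* 3 minutes */
		sip[i].me = THIS_MODULE;
		sip[i].help = sip_help;

		/* "sip-%d" with i < MAX_PORTS fits the sip_names row today;
		 * snprintf keeps the write bounded if either size changes. */
		tmpname = &sip_names[i][0];
		if (ports[i] == SIP_PORT)
			snprintf(tmpname, sizeof(sip_names[i]), "sip");
		else
			snprintf(tmpname, sizeof(sip_names[i]), "sip-%d", i);
		sip[i].name = tmpname;

		DEBUGP("port #%d: %d\n", i, ports[i]);

		ret = ip_conntrack_helper_register(&sip[i]);
		if (ret) {
			printk("ERROR registering helper for port %d\n",
			       ports[i]);
			/* Undo only the helpers that were actually registered
			 * (0 .. i-1).  fini() walks all ports_c entries and
			 * would also unregister sip[i] and any later entry
			 * that never was registered. */
			while (--i >= 0)
				ip_conntrack_helper_unregister(&sip[i]);
			return ret;
		}
	}
	return 0;
}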
487 | ||
488 | module_init(init); | |
489 | module_exit(fini); |