1 | /* SIP extension for IP connection tracking. |
2 | * | |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | |
4 | * based on RR's ip_conntrack_ftp.c and other modules. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <linux/module.h> | |
12 | #include <linux/ctype.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/inet.h> | |
15 | #include <linux/in.h> | |
16 | #include <linux/udp.h> | |
1863f096 | 17 | #include <linux/netfilter.h> |
18 | |
19 | #include <net/netfilter/nf_conntrack.h> | |
20 | #include <net/netfilter/nf_conntrack_expect.h> | |
21 | #include <net/netfilter/nf_conntrack_helper.h> | |
22 | #include <linux/netfilter/nf_conntrack_sip.h> | |
23 | ||
/* Compile-time debug tracing: change the 0 to 1 to route DEBUGP() to printk().
 * While it is off the macro expands to nothing, so its arguments (including
 * the packet-derived pointers passed from epaddr_len() and ct_sip_get_info())
 * are never evaluated or printed. */
#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif
29 | ||
30 | MODULE_LICENSE("GPL"); | |
31 | MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); | |
32 | MODULE_DESCRIPTION("SIP connection tracking helper"); | |
33 | MODULE_ALIAS("ip_conntrack_sip"); | |
34 | ||
/* UDP ports the helper is registered on, taken from the "ports=" module
 * parameter.  Mode 0400 leaves the list read-only in sysfs, so it is fixed
 * at load time; nf_conntrack_sip_init() falls back to SIP_PORT when it is
 * empty.  MAX_PORTS also bounds the sip[]/sip_names[] helper arrays. */
#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
static int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of SIP servers");

/* Idle timeout in seconds for the signalling connection; sip_help() refreshes
 * the conntrack entry with sip_timeout * HZ on every packet it sees.  Mode 0600
 * lets the owner adjust it through sysfs at runtime. */
static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
module_param(sip_timeout, uint, 0600);
MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
44 | ||
/* Optional NAT hooks, NULL unless a NAT helper module has installed them.
 * Both are read through rcu_dereference() (sip_help() and set_expected_rtp())
 * and are only invoked when the connection carries IPS_NAT_MASK.
 * nf_nat_sip_hook receives &dptr so it can move the payload pointer if it
 * rewrites the packet; its return value of 0 makes sip_help() drop. */
unsigned int (*nf_nat_sip_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct nf_conn *ct,
				const char **dptr) __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_sip_hook);

/* Called with the freshly initialised RTP expectation instead of
 * nf_conntrack_expect_related() when NAT is in effect; its return value is
 * the verdict used by set_expected_rtp(). */
unsigned int (*nf_nat_sdp_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct nf_conntrack_expect *exp,
				const char *dptr) __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
56 | ||
57 | static int digits_len(struct nf_conn *, const char *, const char *, int *); | |
58 | static int epaddr_len(struct nf_conn *, const char *, const char *, int *); | |
59 | static int skp_digits_len(struct nf_conn *, const char *, const char *, int *); | |
60 | static int skp_epaddr_len(struct nf_conn *, const char *, const char *, int *); | |
61 | ||
/* Describes how ct_sip_get_info() locates one SIP/SDP field.  One instance
 * per enum sip_header_pos value lives in ct_sip_hdrs[]. */
struct sip_header_nfo {
	const char *lname;	/* long header name, compared with strncmp() */
	const char *sname;	/* compact form incl. leading CRLF, NULL if none */
	const char *ln_str;	/* token searched inside the matching line;
				 * the value starts right after it */
	size_t lnlen;		/* length of lname (sizeof - 1 in the table) */
	size_t snlen;		/* length of sname, 0 when sname is NULL */
	size_t ln_strlen;	/* length of ln_str */
	int case_sensitive;	/* passed to ct_sip_search() for the ln_str
				 * search; lname/sname always use strncmp() */
	/* Sizes the value starting at the second argument without reading past
	 * the third (inclusive).  May advance *shift to skip leading blanks or
	 * user info; returns 0 when the value does not parse. */
	int (*match_len)(struct nf_conn *, const char *,
			 const char *, int *);
};
73 | ||
/* Lookup table for ct_sip_get_info(), indexed by enum sip_header_pos.
 * ct_sip_get_info() scans the payload with strncmp() for lname, or sname where
 * a compact form exists (sname stays NULL otherwise), then searches the
 * matching line for ln_str via ct_sip_search() under the entry's
 * case_sensitive setting and hands the text right after ln_str to match_len()
 * to size the value.  The SDP entries start lname/sname with the preceding
 * line terminator so that "m=", "o=", "c=" and "v=" only match at the
 * beginning of a line. */
static const struct sip_header_nfo ct_sip_hdrs[] = {
	[POS_REG_REQ_URI] = { /* SIP REGISTER request URI (no compact form) */
		.lname		= "sip:",
		.lnlen		= sizeof("sip:") - 1,
		.ln_str		= ":",
		.ln_strlen	= sizeof(":") - 1,
		.match_len	= epaddr_len,
	},
	[POS_REQ_URI] = { /* SIP request URI (no compact form) */
		.lname		= "sip:",
		.lnlen		= sizeof("sip:") - 1,
		.ln_str		= "@",
		.ln_strlen	= sizeof("@") - 1,
		.match_len	= epaddr_len,
	},
	[POS_FROM] = { /* SIP From header */
		.lname		= "From:",
		.lnlen		= sizeof("From:") - 1,
		.sname		= "\r\nf:",
		.snlen		= sizeof("\r\nf:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len,
	},
	[POS_TO] = { /* SIP To header */
		.lname		= "To:",
		.lnlen		= sizeof("To:") - 1,
		.sname		= "\r\nt:",
		.snlen		= sizeof("\r\nt:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len
	},
	[POS_VIA] = { /* SIP Via header */
		.lname		= "Via:",
		.lnlen		= sizeof("Via:") - 1,
		.sname		= "\r\nv:",
		.snlen		= sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
		.ln_str		= "UDP ",
		.ln_strlen	= sizeof("UDP ") - 1,
		.match_len	= epaddr_len,
	},
	[POS_CONTACT] = { /* SIP Contact header */
		.lname		= "Contact:",
		.lnlen		= sizeof("Contact:") - 1,
		.sname		= "\r\nm:",
		.snlen		= sizeof("\r\nm:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len
	},
	[POS_CONTENT] = { /* SIP Content length header */
		.lname		= "Content-Length:",
		.lnlen		= sizeof("Content-Length:") - 1,
		.sname		= "\r\nl:",
		.snlen		= sizeof("\r\nl:") - 1,
		.ln_str		= ":",
		.ln_strlen	= sizeof(":") - 1,
		.match_len	= skp_digits_len
	},
	/* SDP entries below: field names are case sensitive and only the
	 * "audio" media line / IPv4 or IPv6 address forms are recognised. */
	[POS_MEDIA] = { /* SDP media info */
		.case_sensitive	= 1,
		.lname		= "\nm=",
		.lnlen		= sizeof("\nm=") - 1,
		.sname		= "\rm=",
		.snlen		= sizeof("\rm=") - 1,
		.ln_str		= "audio ",
		.ln_strlen	= sizeof("audio ") - 1,
		.match_len	= digits_len
	},
	[POS_OWNER_IP4] = { /* SDP owner address*/
		.case_sensitive	= 1,
		.lname		= "\no=",
		.lnlen		= sizeof("\no=") - 1,
		.sname		= "\ro=",
		.snlen		= sizeof("\ro=") - 1,
		.ln_str		= "IN IP4 ",
		.ln_strlen	= sizeof("IN IP4 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_CONNECTION_IP4] = {/* SDP connection info */
		.case_sensitive	= 1,
		.lname		= "\nc=",
		.lnlen		= sizeof("\nc=") - 1,
		.sname		= "\rc=",
		.snlen		= sizeof("\rc=") - 1,
		.ln_str		= "IN IP4 ",
		.ln_strlen	= sizeof("IN IP4 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_OWNER_IP6] = { /* SDP owner address*/
		.case_sensitive	= 1,
		.lname		= "\no=",
		.lnlen		= sizeof("\no=") - 1,
		.sname		= "\ro=",
		.snlen		= sizeof("\ro=") - 1,
		.ln_str		= "IN IP6 ",
		.ln_strlen	= sizeof("IN IP6 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_CONNECTION_IP6] = {/* SDP connection info */
		.case_sensitive	= 1,
		.lname		= "\nc=",
		.lnlen		= sizeof("\nc=") - 1,
		.sname		= "\rc=",
		.snlen		= sizeof("\rc=") - 1,
		.ln_str		= "IN IP6 ",
		.ln_strlen	= sizeof("IN IP6 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_SDP_HEADER] = { /* SDP version header */
		.case_sensitive	= 1,
		.lname		= "\nv=",
		.lnlen		= sizeof("\nv=") - 1,
		.sname		= "\rv=",
		.snlen		= sizeof("\rv=") - 1,
		.ln_str		= "=",
		.ln_strlen	= sizeof("=") - 1,
		.match_len	= digits_len
	}
};
195 | ||
/* Length of the line starting at @line: leading CR/LF bytes are counted
 * (they are skipped, not treated as terminators), then the scan stops at the
 * first CR or LF or once @limit (inclusive) has been passed. */
int ct_sip_lnlen(const char *line, const char *limit)
{
	const char *start = line;
	const char *p = line;

	/* Step over any CR/LF run at the beginning of the line. */
	for (; p <= limit; p++) {
		if (*p != '\r' && *p != '\n')
			break;
	}
	/* Advance to the terminator, or to one past limit if there is none. */
	for (; p <= limit; p++) {
		if (*p == '\r' || *p == '\n')
			break;
	}
	return p - start;
}
211 | EXPORT_SYMBOL_GPL(ct_sip_lnlen); | |
212 | ||
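/* Linear search for @needle (@needle_len bytes) inside the first
 * @haystack_len bytes of @haystack.  @case_sensitive selects strncmp()
 * (non-zero) or strnicmp() (zero); each comparison reads at most needle_len
 * bytes from the current position, so the haystack need not be
 * NUL-terminated.
 *
 * Returns a pointer to the first occurrence, or NULL when there is none or
 * the haystack is shorter than the needle.
 */
const char *ct_sip_search(const char *needle, const char *haystack,
			  size_t needle_len, size_t haystack_len,
			  int case_sensitive)
{
	const char *limit;

	/* haystack_len - needle_len is unsigned: without this guard a short
	 * haystack wraps the subtraction and the scan runs off the buffer. */
	if (haystack_len < needle_len)
		return NULL;
	limit = haystack + (haystack_len - needle_len);

	for (; haystack <= limit; haystack++) {
		int diff = case_sensitive ?
			   strncmp(haystack, needle, needle_len) :
			   strnicmp(haystack, needle, needle_len);
		if (diff == 0)
			return haystack;
	}
	return NULL;
}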
232 | EXPORT_SYMBOL_GPL(ct_sip_search); | |
233 | ||
/* Count the run of decimal digits starting at @dptr, never reading past
 * @limit (inclusive).  @ct and @shift are unused; they are present only so
 * the function fits the sip_header_nfo match_len signature. */
static int digits_len(struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	const char *p;

	for (p = dptr; p <= limit; p++) {
		if (!isdigit(*p))
			break;
	}
	return p - dptr;
}
244 | ||
/* Like digits_len(), but first steps over leading spaces, adding one to
 * *shift per space skipped so the caller can offset the match accordingly. */
static int skp_digits_len(struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	while (dptr <= limit && *dptr == ' ') {
		(*shift)++;
		dptr++;
	}
	return digits_len(ct, dptr, limit, shift);
}
254 | ||
/* Parse the textual IPv4/IPv6 address at @cp (bounded by @limit) into @addr,
 * choosing the family from the connection's original-direction l3num.
 * On success *endp (if given) points just past the address and 1 is
 * returned; 0 means nothing could be parsed.  BUG()s on an unknown family. */
static int parse_addr(struct nf_conn *ct, const char *cp, const char **endp,
		      union nf_conntrack_address *addr, const char *limit)
{
	const int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
	const char *stop = NULL;
	int ok = 0;

	switch (family) {
	case AF_INET:
		ok = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &stop);
		break;
	case AF_INET6:
		ok = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &stop);
		break;
	default:
		BUG();
	}

	/* An empty match (stop == cp) counts as failure too. */
	if (!ok || stop == cp)
		return 0;
	if (endp != NULL)
		*endp = stop;
	return 1;
}
279 | ||
/* Length of an endpoint address at @dptr: the IP address as accepted by
 * parse_addr() plus an optional ":port" suffix.  Returns 0 when the address
 * does not parse; *shift is only passed through to digits_len(). */
static int epaddr_len(struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	union nf_conntrack_address addr;
	const char *start = dptr;

	if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
		DEBUGP("ip: %s parse failed.!\n", dptr);
		return 0;
	}

	/* Optional port number: count the ':' and the digits after it. */
	if (*dptr == ':')
		dptr += 1 + digits_len(ct, dptr + 1, limit, shift);

	return dptr - start;
}
299 | ||
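/* Length of the endpoint address that follows an optional "user@" prefix.
 * The user-info bytes are skipped by bumping *shift; if no '@' is found
 * before @limit both the pointer and *shift are rewound so the address is
 * parsed from where the value started.  Returns epaddr_len()'s result. */
static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	const char *start = dptr;
	int s = *shift;

	for (; dptr <= limit && *dptr != '@'; dptr++)
		(*shift)++;

	/* The loop can stop at limit + 1, so check the range before reading.
	 * Without the rewind of dptr, a value with no '@' would hand
	 * epaddr_len() a pointer past limit (negative remaining length). */
	if (dptr <= limit && *dptr == '@') {
		dptr++;
		(*shift)++;
	} else {
		dptr = start;
		*shift = s;
	}

	return epaddr_len(ct, dptr, limit, shift);
}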
317 | ||
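/* Locate the field selected by @pos in the @dlen payload bytes at @dptr.
 * On success *matchoff is the offset of the value from @dptr (including any
 * shift the match_len callback applied) and *matchlen its length.
 *
 * Returns 1 on success, 0 if the header is not present, -1 if the header is
 * present but ln_str or the value after it could not be parsed.
 */
int ct_sip_get_info(struct nf_conn *ct,
		    const char *dptr, size_t dlen,
		    unsigned int *matchoff,
		    unsigned int *matchlen,
		    enum sip_header_pos pos)
{
	const struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
	const char *limit, *aux, *k = dptr;
	int shift = 0;

	/* dlen - lnlen is unsigned: a payload shorter than the header name
	 * would wrap and push limit far past the buffer, so reject it here. */
	if (dlen < hnfo->lnlen)
		return 0;
	limit = dptr + (dlen - hnfo->lnlen);

	while (dptr <= limit) {
		/* Entries without a compact form leave sname NULL with snlen 0,
		 * and strncmp() with length 0 compares equal; test sname only
		 * when it exists so a missing short form is not a match. */
		if (strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0 &&
		    (hnfo->sname == NULL ||
		     strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
			dptr++;
			continue;
		}
		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
				    ct_sip_lnlen(dptr, limit),
				    hnfo->case_sensitive);
		if (!aux) {
			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
			       hnfo->lname);
			return -1;
		}
		aux += hnfo->ln_strlen;

		*matchlen = hnfo->match_len(ct, aux, limit, &shift);
		if (!*matchlen)
			return -1;

		*matchoff = (aux - k) + shift;

		DEBUGP("%s match succeeded! - len: %u\n", hnfo->lname,
		       *matchlen);
		return 1;
	}
	DEBUGP("%s header not found.\n", hnfo->lname);
	return 0;
}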
360 | EXPORT_SYMBOL_GPL(ct_sip_get_info); | |
361 | ||
/* Register an expectation for the RTP stream announced in the SDP body: UDP
 * from the reply direction's source to @addr:@port (the source port argument
 * is NULL, presumably a wildcard).  With NAT active the nf_nat_sdp hook takes
 * over and supplies the verdict; otherwise the expectation is added directly.
 * The expectation reference taken by nf_conntrack_expect_alloc() is always
 * released here.  Returns an NF_* verdict. */
static int set_expected_rtp(struct sk_buff **pskb,
			    struct nf_conn *ct,
			    enum ip_conntrack_info ctinfo,
			    union nf_conntrack_address *addr,
			    __be16 port,
			    const char *dptr)
{
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	int family = ct->tuplehash[!dir].tuple.src.l3num;
	struct nf_conntrack_expect *exp;
	typeof(nf_nat_sdp_hook) nf_nat_sdp;
	int verdict;

	exp = nf_conntrack_expect_alloc(ct);
	if (!exp)
		return NF_DROP;
	nf_conntrack_expect_init(exp, family,
				 &ct->tuplehash[!dir].tuple.src.u3, addr,
				 IPPROTO_UDP, NULL, &port);

	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
	if (nf_nat_sdp && (ct->status & IPS_NAT_MASK))
		verdict = nf_nat_sdp(pskb, ctinfo, exp, dptr);
	else
		verdict = nf_conntrack_expect_related(exp) ? NF_DROP : NF_ACCEPT;

	nf_conntrack_expect_put(exp);
	return verdict;
}
395 | ||
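/* Conntrack helper entry point for SIP over UDP.  Refreshes the signalling
 * connection's timeout, gives the NAT hook a chance to rewrite the payload,
 * then, for INVITE requests and 200 responses only, extracts the SDP
 * connection address ("c=") and audio media port ("m=audio") and registers
 * an RTP expectation.  Only linear skbs are inspected.
 *
 * Returns NF_ACCEPT, or NF_DROP when the NAT hook fails, the SDP address
 * does not parse, or the media port is outside 1024..65535.
 */
static int sip_help(struct sk_buff **pskb,
		    unsigned int protoff,
		    struct nf_conn *ct,
		    enum ip_conntrack_info ctinfo)
{
	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
	union nf_conntrack_address addr;
	unsigned int dataoff, datalen;
	const char *dptr;
	int ret = NF_ACCEPT;
	/* unsigned to match ct_sip_get_info()'s out-parameters exactly. */
	unsigned int matchoff, matchlen;
	unsigned long port;
	enum sip_header_pos pos;
	typeof(nf_nat_sip_hook) nf_nat_sip;

	/* No Data ? */
	dataoff = protoff + sizeof(struct udphdr);
	if (dataoff >= (*pskb)->len)
		return NF_ACCEPT;

	nf_ct_refresh(ct, *pskb, sip_timeout * HZ);

	if (!skb_is_nonlinear(*pskb))
		dptr = (*pskb)->data + dataoff;
	else {
		DEBUGP("Copy of skbuff not supported yet.\n");
		goto out;
	}

	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
		if (!nf_nat_sip(pskb, ctinfo, ct, &dptr)) {
			ret = NF_DROP;
			goto out;
		}
	}

	datalen = (*pskb)->len - dataoff;
	if (datalen < sizeof("SIP/2.0 200") - 1)
		goto out;

	/* RTP info only in some SDP pkts */
	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0)
		goto out;

	/* Get address and port from SDP packet. */
	pos = family == AF_INET ? POS_CONNECTION_IP4 : POS_CONNECTION_IP6;
	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, pos) <= 0)
		goto out;

	/* We'll drop only if there are parse problems. */
	if (!parse_addr(ct, dptr + matchoff, NULL, &addr, dptr + datalen)) {
		ret = NF_DROP;
		goto out;
	}
	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
			    POS_MEDIA) <= 0)
		goto out;

	/* Keep the full parsed value: storing it straight into a 16-bit
	 * variable would wrap numbers above 65535 back into the accepted
	 * range.  Reject anything that is not a usable non-privileged port.
	 * NOTE(review): simple_strtoul() with a NULL end pointer is not bounded
	 * by matchlen; it stops at the first non-digit. */
	port = simple_strtoul(dptr + matchoff, NULL, 10);
	if (port < 1024 || port > 0xffff) {
		ret = NF_DROP;
		goto out;
	}
	ret = set_expected_rtp(pskb, ct, ctinfo, &addr, htons(port), dptr);
out:
	return ret;
}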
467 | ||
/* One helper per configured port and address family ([i][0] = AF_INET,
 * [i][1] = AF_INET6), filled in by nf_conntrack_sip_init().  A NULL .me marks
 * a slot that was never registered (see nf_conntrack_sip_fini()). */
static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
/* Backing storage for the helper names; sized for the longest "sip-<port>"
 * form even though init currently formats the port index. */
static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
470 | ||
/* Unregister every helper that init managed to register.  Slots with a NULL
 * .me were never set up (init zeroes each sip[i] before filling it) and are
 * left alone, which makes this safe to call from init's error path. */
static void nf_conntrack_sip_fini(void)
{
	int i, j;

	for (i = 0; i < ports_c; i++) {
		for (j = 0; j < 2; j++) {
			if (sip[i][j].me != NULL)
				nf_conntrack_helper_unregister(&sip[i][j]);
		}
	}
}
483 | ||
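/* Module init: register an IPv4 and an IPv6 UDP helper for every configured
 * port (defaulting to SIP_PORT when none was given).  On a registration
 * failure everything registered so far is torn down and the error returned.
 *
 * Returns 0 on success or the nf_conntrack_helper_register() error.
 */
static int __init nf_conntrack_sip_init(void)
{
	int i, j, ret;
	char *tmpname;

	if (ports_c == 0)
		ports[ports_c++] = SIP_PORT;

	for (i = 0; i < ports_c; i++) {
		/* Zero first so .me is NULL for any slot fini() must skip. */
		memset(&sip[i], 0, sizeof(sip[i]));

		sip[i][0].tuple.src.l3num = AF_INET;
		sip[i][1].tuple.src.l3num = AF_INET6;
		for (j = 0; j < 2; j++) {
			sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
			sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
			sip[i][j].mask.src.l3num = 0xFFFF;
			sip[i][j].mask.src.u.udp.port = htons(0xFFFF);
			sip[i][j].mask.dst.protonum = 0xFF;
			sip[i][j].max_expected = 2;
			sip[i][j].timeout = 3 * 60; /* 3 minutes */
			sip[i][j].me = THIS_MODULE;
			sip[i][j].help = sip_help;

			/* Bounded by the name buffer rather than relying on
			 * i < MAX_PORTS keeping sprintf() inside it. */
			tmpname = &sip_names[i][j][0];
			if (ports[i] == SIP_PORT)
				snprintf(tmpname, sizeof(sip_names[i][j]), "sip");
			else
				snprintf(tmpname, sizeof(sip_names[i][j]),
					 "sip-%u", i);
			sip[i][j].name = tmpname;

			DEBUGP("port #%u: %u\n", i, ports[i]);

			ret = nf_conntrack_helper_register(&sip[i][j]);
			if (ret) {
				printk("nf_ct_sip: failed to register helper "
				       "for pf: %u port: %u\n",
				       sip[i][j].tuple.src.l3num, ports[i]);
				nf_conntrack_sip_fini();
				return ret;
			}
		}
	}
	return 0;
}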
529 | ||
530 | module_init(nf_conntrack_sip_init); | |
531 | module_exit(nf_conntrack_sip_fini); |