net/netfilter/nf_conntrack_sip.c

   1 /* SIP extension for IP connection tracking.
   2  *
   3  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
   4  * based on RR's ip_conntrack_ftp.c and other modules.
   5  * (C) 2007 United Security Providers
   6  * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #include <linux/module.h>
  14 #include <linux/ctype.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/inet.h>
  17 #include <linux/in.h>
  18 #include <linux/udp.h>
  19 #include <linux/tcp.h>
  20 #include <linux/netfilter.h>
  21
  22 #include <net/netfilter/nf_conntrack.h>
  23 #include <net/netfilter/nf_conntrack_core.h>
  24 #include <net/netfilter/nf_conntrack_expect.h>
  25 #include <net/netfilter/nf_conntrack_helper.h>
  26 #include <linux/netfilter/nf_conntrack_sip.h>
  27
  28 MODULE_LICENSE("GPL");
  29 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
  30 MODULE_DESCRIPTION("SIP connection tracking helper");
  31 MODULE_ALIAS("ip_conntrack_sip");
  32 MODULE_ALIAS_NFCT_HELPER("sip");
  33
  34 #define MAX_PORTS       8
  35 static unsigned short ports[MAX_PORTS];
  36 static unsigned int ports_c;
  37 module_param_array(ports, ushort, &ports_c, 0400);
  38 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
  39
  40 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
  41 module_param(sip_timeout, uint, 0600);
  42 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
  43
  44 static int sip_direct_signalling __read_mostly = 1;
  45 module_param(sip_direct_signalling, int, 0600);
  46 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
  47                                         "only (default 1)");
  48
  49 static int sip_direct_media __read_mostly = 1;
  50 module_param(sip_direct_media, int, 0600);
  51 MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
  52                                    "endpoints only (default 1)");
  53
  54 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, unsigned int dataoff,
  55                                 const char **dptr,
  56                                 unsigned int *datalen) __read_mostly;
  57 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
  58
  59 void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off) __read_mostly;
  60 EXPORT_SYMBOL_GPL(nf_nat_sip_seq_adjust_hook);
  61
  62 unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
  63                                        unsigned int dataoff,
  64                                        const char **dptr,
  65                                        unsigned int *datalen,
  66                                        struct nf_conntrack_expect *exp,
  67                                        unsigned int matchoff,
  68                                        unsigned int matchlen) __read_mostly;
  69 EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook);
  70
  71 unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb, unsigned int dataoff,
  72                                      const char **dptr,
  73                                      unsigned int *datalen,
  74                                      unsigned int sdpoff,
  75                                      enum sdp_header_types type,
  76                                      enum sdp_header_types term,
  77                                      const union nf_inet_addr *addr)
  78                                      __read_mostly;
  79 EXPORT_SYMBOL_GPL(nf_nat_sdp_addr_hook);
  80
  81 unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, unsigned int dataoff,
  82                                      const char **dptr,
  83                                      unsigned int *datalen,
  84                                      unsigned int matchoff,
  85                                      unsigned int matchlen,
  86                                      u_int16_t port) __read_mostly;
  87 EXPORT_SYMBOL_GPL(nf_nat_sdp_port_hook);
  88
  89 unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
  90                                         unsigned int dataoff,
  91                                         const char **dptr,
  92                                         unsigned int *datalen,
  93                                         unsigned int sdpoff,
  94                                         const union nf_inet_addr *addr)
  95                                         __read_mostly;
  96 EXPORT_SYMBOL_GPL(nf_nat_sdp_session_hook);
  97
  98 unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb, unsigned int dataoff,
  99                                       const char **dptr,
 100                                       unsigned int *datalen,
 101                                       struct nf_conntrack_expect *rtp_exp,
 102                                       struct nf_conntrack_expect *rtcp_exp,
 103                                       unsigned int mediaoff,
 104                                       unsigned int medialen,
 105                                       union nf_inet_addr *rtp_addr)
 106                                       __read_mostly;
 107 EXPORT_SYMBOL_GPL(nf_nat_sdp_media_hook);
 108
 109 static int string_len(const struct nf_conn *ct, const char *dptr,
 110                       const char *limit, int *shift)
 111 {
 112         int len = 0;
 113
 114         while (dptr < limit && isalpha(*dptr)) {
 115                 dptr++;
 116                 len++;
 117         }
 118         return len;
 119 }
 120
 121 static int digits_len(const struct nf_conn *ct, const char *dptr,
 122                       const char *limit, int *shift)
 123 {
 124         int len = 0;
 125         while (dptr < limit && isdigit(*dptr)) {
 126                 dptr++;
 127                 len++;
 128         }
 129         return len;
 130 }
 131
 132 /* get media type + port length */
 133 static int media_len(const struct nf_conn *ct, const char *dptr,
 134                      const char *limit, int *shift)
 135 {
 136         int len = string_len(ct, dptr, limit, shift);
 137
 138         dptr += len;
 139         if (dptr >= limit || *dptr != ' ')
 140                 return 0;
 141         len++;
 142         dptr++;
 143
 144         return len + digits_len(ct, dptr, limit, shift);
 145 }
 146
 147 static int parse_addr(const struct nf_conn *ct, const char *cp,
 148                       const char **endp, union nf_inet_addr *addr,
 149                       const char *limit)
 150 {
 151         const char *end;
 152         int ret = 0;
 153
 154         memset(addr, 0, sizeof(*addr));
 155         switch (nf_ct_l3num(ct)) {
 156         case AF_INET:
 157                 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
 158                 break;
 159         case AF_INET6:
 160                 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
 161                 break;
 162         default:
 163                 BUG();
 164         }
 165
 166         if (ret == 0 || end == cp)
 167                 return 0;
 168         if (endp)
 169                 *endp = end;
 170         return 1;
 171 }
 172
 173 /* skip ip address. returns its length. */
 174 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
 175                       const char *limit, int *shift)
 176 {
 177         union nf_inet_addr addr;
 178         const char *aux = dptr;
 179
 180         if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
 181                 pr_debug("ip: %s parse failed.!\n", dptr);
 182                 return 0;
 183         }
 184
 185         /* Port number */
 186         if (*dptr == ':') {
 187                 dptr++;
 188                 dptr += digits_len(ct, dptr, limit, shift);
 189         }
 190         return dptr - aux;
 191 }
 192
 193 /* get address length, skiping user info. */
 194 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
 195                           const char *limit, int *shift)
 196 {
 197         const char *start = dptr;
 198         int s = *shift;
 199
 200         /* Search for @, but stop at the end of the line.
 201          * We are inside a sip: URI, so we don't need to worry about
 202          * continuation lines. */
 203         while (dptr < limit &&
 204                *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
 205                 (*shift)++;
 206                 dptr++;
 207         }
 208
 209         if (dptr < limit && *dptr == '@') {
 210                 dptr++;
 211                 (*shift)++;
 212         } else {
 213                 dptr = start;
 214                 *shift = s;
 215         }
 216
 217         return epaddr_len(ct, dptr, limit, shift);
 218 }
 219
 220 /* Parse a SIP request line of the form:
 221  *
 222  * Request-Line = Method SP Request-URI SP SIP-Version CRLF
 223  *
 224  * and return the offset and length of the address contained in the Request-URI.
 225  */
 226 int ct_sip_parse_request(const struct nf_conn *ct,
 227                          const char *dptr, unsigned int datalen,
 228                          unsigned int *matchoff, unsigned int *matchlen,
 229                          union nf_inet_addr *addr, __be16 *port)
 230 {
 231         const char *start = dptr, *limit = dptr + datalen, *end;
 232         unsigned int mlen;
 233         unsigned int p;
 234         int shift = 0;
 235
 236         /* Skip method and following whitespace */
 237         mlen = string_len(ct, dptr, limit, NULL);
 238         if (!mlen)
 239                 return 0;
 240         dptr += mlen;
 241         if (++dptr >= limit)
 242                 return 0;
 243
 244         /* Find SIP URI */
 245         for (; dptr < limit - strlen("sip:"); dptr++) {
 246                 if (*dptr == '\r' || *dptr == '\n')
 247                         return -1;
 248                 if (strnicmp(dptr, "sip:", strlen("sip:")) == 0) {
 249                         dptr += strlen("sip:");
 250                         break;
 251                 }
 252         }
 253         if (!skp_epaddr_len(ct, dptr, limit, &shift))
 254                 return 0;
 255         dptr += shift;
 256
 257         if (!parse_addr(ct, dptr, &end, addr, limit))
 258                 return -1;
 259         if (end < limit && *end == ':') {
 260                 end++;
 261                 p = simple_strtoul(end, (char **)&end, 10);
 262                 if (p < 1024 || p > 65535)
 263                         return -1;
 264                 *port = htons(p);
 265         } else
 266                 *port = htons(SIP_PORT);
 267
 268         if (end == dptr)
 269                 return 0;
 270         *matchoff = dptr - start;
 271         *matchlen = end - dptr;
 272         return 1;
 273 }
 274 EXPORT_SYMBOL_GPL(ct_sip_parse_request);
 275
 276 /* SIP header parsing: SIP headers are located at the beginning of a line, but
 277  * may span several lines, in which case the continuation lines begin with a
 278  * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
 279  * CRLF, RFC 3261 allows only CRLF, we support both.
 280  *
 281  * Headers are followed by (optionally) whitespace, a colon, again (optionally)
 282  * whitespace and the values. Whitespace in this context means any amount of
 283  * tabs, spaces and continuation lines, which are treated as a single whitespace
 284  * character.
 285  *
 286  * Some headers may appear multiple times. A comma seperated list of values is
 287  * equivalent to multiple headers.
 288  */
 289 static const struct sip_header ct_sip_hdrs[] = {
 290         [SIP_HDR_CSEQ]                  = SIP_HDR("CSeq", NULL, NULL, digits_len),
 291         [SIP_HDR_FROM]                  = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
 292         [SIP_HDR_TO]                    = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
 293         [SIP_HDR_CONTACT]               = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
 294         [SIP_HDR_VIA_UDP]               = SIP_HDR("Via", "v", "UDP ", epaddr_len),
 295         [SIP_HDR_VIA_TCP]               = SIP_HDR("Via", "v", "TCP ", epaddr_len),
 296         [SIP_HDR_EXPIRES]               = SIP_HDR("Expires", NULL, NULL, digits_len),
 297         [SIP_HDR_CONTENT_LENGTH]        = SIP_HDR("Content-Length", "l", NULL, digits_len),
 298 };
 299
 300 static const char *sip_follow_continuation(const char *dptr, const char *limit)
 301 {
 302         /* Walk past newline */
 303         if (++dptr >= limit)
 304                 return NULL;
 305
 306         /* Skip '\n' in CR LF */
 307         if (*(dptr - 1) == '\r' && *dptr == '\n') {
 308                 if (++dptr >= limit)
 309                         return NULL;
 310         }
 311
 312         /* Continuation line? */
 313         if (*dptr != ' ' && *dptr != '\t')
 314                 return NULL;
 315
 316         /* skip leading whitespace */
 317         for (; dptr < limit; dptr++) {
 318                 if (*dptr != ' ' && *dptr != '\t')
 319                         break;
 320         }
 321         return dptr;
 322 }
 323
 324 static const char *sip_skip_whitespace(const char *dptr, const char *limit)
 325 {
 326         for (; dptr < limit; dptr++) {
 327                 if (*dptr == ' ')
 328                         continue;
 329                 if (*dptr != '\r' && *dptr != '\n')
 330                         break;
 331                 dptr = sip_follow_continuation(dptr, limit);
 332                 if (dptr == NULL)
 333                         return NULL;
 334         }
 335         return dptr;
 336 }
 337
 338 /* Search within a SIP header value, dealing with continuation lines */
 339 static const char *ct_sip_header_search(const char *dptr, const char *limit,
 340                                         const char *needle, unsigned int len)
 341 {
 342         for (limit -= len; dptr < limit; dptr++) {
 343                 if (*dptr == '\r' || *dptr == '\n') {
 344                         dptr = sip_follow_continuation(dptr, limit);
 345                         if (dptr == NULL)
 346                                 break;
 347                         continue;
 348                 }
 349
 350                 if (strnicmp(dptr, needle, len) == 0)
 351                         return dptr;
 352         }
 353         return NULL;
 354 }
 355
 356 int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 357                       unsigned int dataoff, unsigned int datalen,
 358                       enum sip_header_types type,
 359                       unsigned int *matchoff, unsigned int *matchlen)
 360 {
 361         const struct sip_header *hdr = &ct_sip_hdrs[type];
 362         const char *start = dptr, *limit = dptr + datalen;
 363         int shift = 0;
 364
 365         for (dptr += dataoff; dptr < limit; dptr++) {
 366                 /* Find beginning of line */
 367                 if (*dptr != '\r' && *dptr != '\n')
 368                         continue;
 369                 if (++dptr >= limit)
 370                         break;
 371                 if (*(dptr - 1) == '\r' && *dptr == '\n') {
 372                         if (++dptr >= limit)
 373                                 break;
 374                 }
 375
 376                 /* Skip continuation lines */
 377                 if (*dptr == ' ' || *dptr == '\t')
 378                         continue;
 379
 380                 /* Find header. Compact headers must be followed by a
 381                  * non-alphabetic character to avoid mismatches. */
 382                 if (limit - dptr >= hdr->len &&
 383                     strnicmp(dptr, hdr->name, hdr->len) == 0)
 384                         dptr += hdr->len;
 385                 else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
 386                          strnicmp(dptr, hdr->cname, hdr->clen) == 0 &&
 387                          !isalpha(*(dptr + hdr->clen)))
 388                         dptr += hdr->clen;
 389                 else
 390                         continue;
 391
 392                 /* Find and skip colon */
 393                 dptr = sip_skip_whitespace(dptr, limit);
 394                 if (dptr == NULL)
 395                         break;
 396                 if (*dptr != ':' || ++dptr >= limit)
 397                         break;
 398
 399                 /* Skip whitespace after colon */
 400                 dptr = sip_skip_whitespace(dptr, limit);
 401                 if (dptr == NULL)
 402                         break;
 403
 404                 *matchoff = dptr - start;
 405                 if (hdr->search) {
 406                         dptr = ct_sip_header_search(dptr, limit, hdr->search,
 407                                                     hdr->slen);
 408                         if (!dptr)
 409                                 return -1;
 410                         dptr += hdr->slen;
 411                 }
 412
 413                 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 414                 if (!*matchlen)
 415                         return -1;
 416                 *matchoff = dptr - start + shift;
 417                 return 1;
 418         }
 419         return 0;
 420 }
 421 EXPORT_SYMBOL_GPL(ct_sip_get_header);
 422
 423 /* Get next header field in a list of comma seperated values */
 424 static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
 425                               unsigned int dataoff, unsigned int datalen,
 426                               enum sip_header_types type,
 427                               unsigned int *matchoff, unsigned int *matchlen)
 428 {
 429         const struct sip_header *hdr = &ct_sip_hdrs[type];
 430         const char *start = dptr, *limit = dptr + datalen;
 431         int shift = 0;
 432
 433         dptr += dataoff;
 434
 435         dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
 436         if (!dptr)
 437                 return 0;
 438
 439         dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
 440         if (!dptr)
 441                 return 0;
 442         dptr += hdr->slen;
 443
 444         *matchoff = dptr - start;
 445         *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 446         if (!*matchlen)
 447                 return -1;
 448         *matchoff += shift;
 449         return 1;
 450 }
 451
 452 /* Walk through headers until a parsable one is found or no header of the
 453  * given type is left. */
 454 static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 455                                unsigned int dataoff, unsigned int datalen,
 456                                enum sip_header_types type, int *in_header,
 457                                unsigned int *matchoff, unsigned int *matchlen)
 458 {
 459         int ret;
 460
 461         if (in_header && *in_header) {
 462                 while (1) {
 463                         ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
 464                                                  type, matchoff, matchlen);
 465                         if (ret > 0)
 466                                 return ret;
 467                         if (ret == 0)
 468                                 break;
 469                         dataoff += *matchoff;
 470                 }
 471                 *in_header = 0;
 472         }
 473
 474         while (1) {
 475                 ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
 476                                         type, matchoff, matchlen);
 477                 if (ret > 0)
 478                         break;
 479                 if (ret == 0)
 480                         return ret;
 481                 dataoff += *matchoff;
 482         }
 483
 484         if (in_header)
 485                 *in_header = 1;
 486         return 1;
 487 }
 488
 489 /* Locate a SIP header, parse the URI and return the offset and length of
 490  * the address as well as the address and port themselves. A stream of
 491  * headers can be parsed by handing in a non-NULL datalen and in_header
 492  * pointer.
 493  */
 494 int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 495                             unsigned int *dataoff, unsigned int datalen,
 496                             enum sip_header_types type, int *in_header,
 497                             unsigned int *matchoff, unsigned int *matchlen,
 498                             union nf_inet_addr *addr, __be16 *port)
 499 {
 500         const char *c, *limit = dptr + datalen;
 501         unsigned int p;
 502         int ret;
 503
 504         ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
 505                                   type, in_header, matchoff, matchlen);
 506         WARN_ON(ret < 0);
 507         if (ret == 0)
 508                 return ret;
 509
 510         if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
 511                 return -1;
 512         if (*c == ':') {
 513                 c++;
 514                 p = simple_strtoul(c, (char **)&c, 10);
 515                 if (p < 1024 || p > 65535)
 516                         return -1;
 517                 *port = htons(p);
 518         } else
 519                 *port = htons(SIP_PORT);
 520
 521         if (dataoff)
 522                 *dataoff = c - dptr;
 523         return 1;
 524 }
 525 EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
 526
 527 static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr,
 528                               unsigned int dataoff, unsigned int datalen,
 529                               const char *name,
 530                               unsigned int *matchoff, unsigned int *matchlen)
 531 {
 532         const char *limit = dptr + datalen;
 533         const char *start;
 534         const char *end;
 535
 536         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 537         if (!limit)
 538                 limit = dptr + datalen;
 539
 540         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 541         if (!start)
 542                 return 0;
 543         start += strlen(name);
 544
 545         end = ct_sip_header_search(start, limit, ";", strlen(";"));
 546         if (!end)
 547                 end = limit;
 548
 549         *matchoff = start - dptr;
 550         *matchlen = end - start;
 551         return 1;
 552 }
 553
 554 /* Parse address from header parameter and return address, offset and length */
 555 int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
 556                                unsigned int dataoff, unsigned int datalen,
 557                                const char *name,
 558                                unsigned int *matchoff, unsigned int *matchlen,
 559                                union nf_inet_addr *addr)
 560 {
 561         const char *limit = dptr + datalen;
 562         const char *start, *end;
 563
 564         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 565         if (!limit)
 566                 limit = dptr + datalen;
 567
 568         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 569         if (!start)
 570                 return 0;
 571
 572         start += strlen(name);
 573         if (!parse_addr(ct, start, &end, addr, limit))
 574                 return 0;
 575         *matchoff = start - dptr;
 576         *matchlen = end - start;
 577         return 1;
 578 }
 579 EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
 580
 581 /* Parse numerical header parameter and return value, offset and length */
 582 int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
 583                                  unsigned int dataoff, unsigned int datalen,
 584                                  const char *name,
 585                                  unsigned int *matchoff, unsigned int *matchlen,
 586                                  unsigned int *val)
 587 {
 588         const char *limit = dptr + datalen;
 589         const char *start;
 590         char *end;
 591
 592         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 593         if (!limit)
 594                 limit = dptr + datalen;
 595
 596         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 597         if (!start)
 598                 return 0;
 599
 600         start += strlen(name);
 601         *val = simple_strtoul(start, &end, 0);
 602         if (start == end)
 603                 return 0;
 604         if (matchoff && matchlen) {
 605                 *matchoff = start - dptr;
 606                 *matchlen = end - start;
 607         }
 608         return 1;
 609 }
 610 EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
 611
 612 static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
 613                                   unsigned int dataoff, unsigned int datalen,
 614                                   u8 *proto)
 615 {
 616         unsigned int matchoff, matchlen;
 617
 618         if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=",
 619                                &matchoff, &matchlen)) {
 620                 if (!strnicmp(dptr + matchoff, "TCP", strlen("TCP")))
 621                         *proto = IPPROTO_TCP;
 622                 else if (!strnicmp(dptr + matchoff, "UDP", strlen("UDP")))
 623                         *proto = IPPROTO_UDP;
 624                 else
 625                         return 0;
 626
 627                 if (*proto != nf_ct_protonum(ct))
 628                         return 0;
 629         } else
 630                 *proto = nf_ct_protonum(ct);
 631
 632         return 1;
 633 }
 634
 635 /* SDP header parsing: a SDP session description contains an ordered set of
 636  * headers, starting with a section containing general session parameters,
 637  * optionally followed by multiple media descriptions.
 638  *
 639  * SDP headers always start at the beginning of a line. According to RFC 2327:
 640  * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
 641  * be tolerant and also accept records terminated with a single newline
 642  * character". We handle both cases.
 643  */
 644 static const struct sip_header ct_sdp_hdrs[] = {
 645         [SDP_HDR_VERSION]               = SDP_HDR("v=", NULL, digits_len),
 646         [SDP_HDR_OWNER_IP4]             = SDP_HDR("o=", "IN IP4 ", epaddr_len),
 647         [SDP_HDR_CONNECTION_IP4]        = SDP_HDR("c=", "IN IP4 ", epaddr_len),
 648         [SDP_HDR_OWNER_IP6]             = SDP_HDR("o=", "IN IP6 ", epaddr_len),
 649         [SDP_HDR_CONNECTION_IP6]        = SDP_HDR("c=", "IN IP6 ", epaddr_len),
 650         [SDP_HDR_MEDIA]                 = SDP_HDR("m=", NULL, media_len),
 651 };
 652
 653 /* Linear string search within SDP header values */
 654 static const char *ct_sdp_header_search(const char *dptr, const char *limit,
 655                                         const char *needle, unsigned int len)
 656 {
 657         for (limit -= len; dptr < limit; dptr++) {
 658                 if (*dptr == '\r' || *dptr == '\n')
 659                         break;
 660                 if (strncmp(dptr, needle, len) == 0)
 661                         return dptr;
 662         }
 663         return NULL;
 664 }
 665
 666 /* Locate a SDP header (optionally a substring within the header value),
 667  * optionally stopping at the first occurence of the term header, parse
 668  * it and return the offset and length of the data we're interested in.
 669  */
 670 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 671                           unsigned int dataoff, unsigned int datalen,
 672                           enum sdp_header_types type,
 673                           enum sdp_header_types term,
 674                           unsigned int *matchoff, unsigned int *matchlen)
 675 {
 676         const struct sip_header *hdr = &ct_sdp_hdrs[type];
 677         const struct sip_header *thdr = &ct_sdp_hdrs[term];
 678         const char *start = dptr, *limit = dptr + datalen;
 679         int shift = 0;
 680
 681         for (dptr += dataoff; dptr < limit; dptr++) {
 682                 /* Find beginning of line */
 683                 if (*dptr != '\r' && *dptr != '\n')
 684                         continue;
 685                 if (++dptr >= limit)
 686                         break;
 687                 if (*(dptr - 1) == '\r' && *dptr == '\n') {
 688                         if (++dptr >= limit)
 689                                 break;
 690                 }
 691
 692                 if (term != SDP_HDR_UNSPEC &&
 693                     limit - dptr >= thdr->len &&
 694                     strnicmp(dptr, thdr->name, thdr->len) == 0)
 695                         break;
 696                 else if (limit - dptr >= hdr->len &&
 697                          strnicmp(dptr, hdr->name, hdr->len) == 0)
 698                         dptr += hdr->len;
 699                 else
 700                         continue;
 701
 702                 *matchoff = dptr - start;
 703                 if (hdr->search) {
 704                         dptr = ct_sdp_header_search(dptr, limit, hdr->search,
 705                                                     hdr->slen);
 706                         if (!dptr)
 707                                 return -1;
 708                         dptr += hdr->slen;
 709                 }
 710
 711                 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 712                 if (!*matchlen)
 713                         return -1;
 714                 *matchoff = dptr - start + shift;
 715                 return 1;
 716         }
 717         return 0;
 718 }
 719 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
 720
 721 static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
 722                                  unsigned int dataoff, unsigned int datalen,
 723                                  enum sdp_header_types type,
 724                                  enum sdp_header_types term,
 725                                  unsigned int *matchoff, unsigned int *matchlen,
 726                                  union nf_inet_addr *addr)
 727 {
 728         int ret;
 729
 730         ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
 731                                     matchoff, matchlen);
 732         if (ret <= 0)
 733                 return ret;
 734
 735         if (!parse_addr(ct, dptr + *matchoff, NULL, addr,
 736                         dptr + *matchoff + *matchlen))
 737                 return -1;
 738         return 1;
 739 }
 740
 741 static int refresh_signalling_expectation(struct nf_conn *ct,
 742                                           union nf_inet_addr *addr,
 743                                           u8 proto, __be16 port,
 744                                           unsigned int expires)
 745 {
 746         struct nf_conn_help *help = nfct_help(ct);
 747         struct nf_conntrack_expect *exp;
 748         struct hlist_node *n, *next;
 749         int found = 0;
 750
 751         spin_lock_bh(&nf_conntrack_lock);
 752         hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
 753                 if (exp->class != SIP_EXPECT_SIGNALLING ||
 754                     !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
 755                     exp->tuple.dst.protonum != proto ||
 756                     exp->tuple.dst.u.udp.port != port)
 757                         continue;
 758                 if (!del_timer(&exp->timeout))
 759                         continue;
 760                 exp->flags &= ~NF_CT_EXPECT_INACTIVE;
 761                 exp->timeout.expires = jiffies + expires * HZ;
 762                 add_timer(&exp->timeout);
 763                 found = 1;
 764                 break;
 765         }
 766         spin_unlock_bh(&nf_conntrack_lock);
 767         return found;
 768 }
 769
 770 static void flush_expectations(struct nf_conn *ct, bool media)
 771 {
 772         struct nf_conn_help *help = nfct_help(ct);
 773         struct nf_conntrack_expect *exp;
 774         struct hlist_node *n, *next;
 775
 776         spin_lock_bh(&nf_conntrack_lock);
 777         hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
 778                 if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
 779                         continue;
 780                 if (!del_timer(&exp->timeout))
 781                         continue;
 782                 nf_ct_unlink_expect(exp);
 783                 nf_ct_expect_put(exp);
 784                 if (!media)
 785                         break;
 786         }
 787         spin_unlock_bh(&nf_conntrack_lock);
 788 }
 789
 790 static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int dataoff,
 791                                  const char **dptr, unsigned int *datalen,
 792                                  union nf_inet_addr *daddr, __be16 port,
 793                                  enum sip_expectation_classes class,
 794                                  unsigned int mediaoff, unsigned int medialen)
 795 {
 796         struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
 797         enum ip_conntrack_info ctinfo;
 798         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 799         struct net *net = nf_ct_net(ct);
 800         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 801         union nf_inet_addr *saddr;
 802         struct nf_conntrack_tuple tuple;
 803         int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
 804         u_int16_t base_port;
 805         __be16 rtp_port, rtcp_port;
 806         typeof(nf_nat_sdp_port_hook) nf_nat_sdp_port;
 807         typeof(nf_nat_sdp_media_hook) nf_nat_sdp_media;
 808
 809         saddr = NULL;
 810         if (sip_direct_media) {
 811                 if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
 812                         return NF_ACCEPT;
 813                 saddr = &ct->tuplehash[!dir].tuple.src.u3;
 814         }
 815
 816         /* We need to check whether the registration exists before attempting
 817          * to register it since we can see the same media description multiple
 818          * times on different connections in case multiple endpoints receive
 819          * the same call.
 820          *
 821          * RTP optimization: if we find a matching media channel expectation
 822          * and both the expectation and this connection are SNATed, we assume
 823          * both sides can reach each other directly and use the final
 824          * destination address from the expectation. We still need to keep
 825          * the NATed expectations for media that might arrive from the
 826          * outside, and additionally need to expect the direct RTP stream
 827          * in case it passes through us even without NAT.
 828          */
 829         memset(&tuple, 0, sizeof(tuple));
 830         if (saddr)
 831                 tuple.src.u3 = *saddr;
 832         tuple.src.l3num         = nf_ct_l3num(ct);
 833         tuple.dst.protonum      = IPPROTO_UDP;
 834         tuple.dst.u3            = *daddr;
 835         tuple.dst.u.udp.port    = port;
 836
 837         rcu_read_lock();
 838         do {
 839                 exp = __nf_ct_expect_find(net, &tuple);
 840
 841                 if (!exp || exp->master == ct ||
 842                     nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
 843                     exp->class != class)
 844                         break;
 845 #ifdef CONFIG_NF_NAT_NEEDED
 846                 if (exp->tuple.src.l3num == AF_INET && !direct_rtp &&
 847                     (exp->saved_ip != exp->tuple.dst.u3.ip ||
 848                      exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
 849                     ct->status & IPS_NAT_MASK) {
 850                         daddr->ip               = exp->saved_ip;
 851                         tuple.dst.u3.ip         = exp->saved_ip;
 852                         tuple.dst.u.udp.port    = exp->saved_proto.udp.port;
 853                         direct_rtp = 1;
 854                 } else
 855 #endif
 856                         skip_expect = 1;
 857         } while (!skip_expect);
 858         rcu_read_unlock();
 859
 860         base_port = ntohs(tuple.dst.u.udp.port) & ~1;
 861         rtp_port = htons(base_port);
 862         rtcp_port = htons(base_port + 1);
 863
 864         if (direct_rtp) {
 865                 nf_nat_sdp_port = rcu_dereference(nf_nat_sdp_port_hook);
 866                 if (nf_nat_sdp_port &&
 867                     !nf_nat_sdp_port(skb, dataoff, dptr, datalen,
 868                                      mediaoff, medialen, ntohs(rtp_port)))
 869                         goto err1;
 870         }
 871
 872         if (skip_expect)
 873                 return NF_ACCEPT;
 874
 875         rtp_exp = nf_ct_expect_alloc(ct);
 876         if (rtp_exp == NULL)
 877                 goto err1;
 878         nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
 879                           IPPROTO_UDP, NULL, &rtp_port);
 880
 881         rtcp_exp = nf_ct_expect_alloc(ct);
 882         if (rtcp_exp == NULL)
 883                 goto err2;
 884         nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
 885                           IPPROTO_UDP, NULL, &rtcp_port);
 886
 887         nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook);
 888         if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK && !direct_rtp)
 889                 ret = nf_nat_sdp_media(skb, dataoff, dptr, datalen,
 890                                        rtp_exp, rtcp_exp,
 891                                        mediaoff, medialen, daddr);
 892         else {
 893                 if (nf_ct_expect_related(rtp_exp) == 0) {
 894                         if (nf_ct_expect_related(rtcp_exp) != 0)
 895                                 nf_ct_unexpect_related(rtp_exp);
 896                         else
 897                                 ret = NF_ACCEPT;
 898                 }
 899         }
 900         nf_ct_expect_put(rtcp_exp);
 901 err2:
 902         nf_ct_expect_put(rtp_exp);
 903 err1:
 904         return ret;
 905 }
 906
 907 static const struct sdp_media_type sdp_media_types[] = {
 908         SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
 909         SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
 910 };
 911
 912 static const struct sdp_media_type *sdp_media_type(const char *dptr,
 913                                                    unsigned int matchoff,
 914                                                    unsigned int matchlen)
 915 {
 916         const struct sdp_media_type *t;
 917         unsigned int i;
 918
 919         for (i = 0; i < ARRAY_SIZE(sdp_media_types); i++) {
 920                 t = &sdp_media_types[i];
 921                 if (matchlen < t->len ||
 922                     strncmp(dptr + matchoff, t->name, t->len))
 923                         continue;
 924                 return t;
 925         }
 926         return NULL;
 927 }
 928
 929 static int process_sdp(struct sk_buff *skb, unsigned int dataoff,
 930                        const char **dptr, unsigned int *datalen,
 931                        unsigned int cseq)
 932 {
 933         enum ip_conntrack_info ctinfo;
 934         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 935         struct nf_conn_help *help = nfct_help(ct);
 936         unsigned int matchoff, matchlen;
 937         unsigned int mediaoff, medialen;
 938         unsigned int sdpoff;
 939         unsigned int caddr_len, maddr_len;
 940         unsigned int i;
 941         union nf_inet_addr caddr, maddr, rtp_addr;
 942         unsigned int port;
 943         enum sdp_header_types c_hdr;
 944         const struct sdp_media_type *t;
 945         int ret = NF_ACCEPT;
 946         typeof(nf_nat_sdp_addr_hook) nf_nat_sdp_addr;
 947         typeof(nf_nat_sdp_session_hook) nf_nat_sdp_session;
 948
 949         nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook);
 950         c_hdr = nf_ct_l3num(ct) == AF_INET ? SDP_HDR_CONNECTION_IP4 :
 951                                              SDP_HDR_CONNECTION_IP6;
 952
 953         /* Find beginning of session description */
 954         if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
 955                                   SDP_HDR_VERSION, SDP_HDR_UNSPEC,
 956                                   &matchoff, &matchlen) <= 0)
 957                 return NF_ACCEPT;
 958         sdpoff = matchoff;
 959
 960         /* The connection information is contained in the session description
 961          * and/or once per media description. The first media description marks
 962          * the end of the session description. */
 963         caddr_len = 0;
 964         if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
 965                                   c_hdr, SDP_HDR_MEDIA,
 966                                   &matchoff, &matchlen, &caddr) > 0)
 967                 caddr_len = matchlen;
 968
 969         mediaoff = sdpoff;
 970         for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
 971                 if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
 972                                           SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
 973                                           &mediaoff, &medialen) <= 0)
 974                         break;
 975
 976                 /* Get media type and port number. A media port value of zero
 977                  * indicates an inactive stream. */
 978                 t = sdp_media_type(*dptr, mediaoff, medialen);
 979                 if (!t) {
 980                         mediaoff += medialen;
 981                         continue;
 982                 }
 983                 mediaoff += t->len;
 984                 medialen -= t->len;
 985
 986                 port = simple_strtoul(*dptr + mediaoff, NULL, 10);
 987                 if (port == 0)
 988                         continue;
 989                 if (port < 1024 || port > 65535)
 990                         return NF_DROP;
 991
 992                 /* The media description overrides the session description. */
 993                 maddr_len = 0;
 994                 if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
 995                                           c_hdr, SDP_HDR_MEDIA,
 996                                           &matchoff, &matchlen, &maddr) > 0) {
 997                         maddr_len = matchlen;
 998                         memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
 999                 } else if (caddr_len)
1000                         memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
1001                 else
1002                         return NF_DROP;
1003
1004                 ret = set_expected_rtp_rtcp(skb, dataoff, dptr, datalen,
1005                                             &rtp_addr, htons(port), t->class,
1006                                             mediaoff, medialen);
1007                 if (ret != NF_ACCEPT)
1008                         return ret;
1009
1010                 /* Update media connection address if present */
1011                 if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
1012                         ret = nf_nat_sdp_addr(skb, dataoff, dptr, datalen,
1013                                               mediaoff, c_hdr, SDP_HDR_MEDIA,
1014                                               &rtp_addr);
1015                         if (ret != NF_ACCEPT)
1016                                 return ret;
1017                 }
1018                 i++;
1019         }
1020
1021         /* Update session connection and owner addresses */
1022         nf_nat_sdp_session = rcu_dereference(nf_nat_sdp_session_hook);
1023         if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK)
1024                 ret = nf_nat_sdp_session(skb, dataoff, dptr, datalen, sdpoff,
1025                                          &rtp_addr);
1026
1027         if (ret == NF_ACCEPT && i > 0)
1028                 help->help.ct_sip_info.invite_cseq = cseq;
1029
1030         return ret;
1031 }
1032 static int process_invite_response(struct sk_buff *skb, unsigned int dataoff,
1033                                    const char **dptr, unsigned int *datalen,
1034                                    unsigned int cseq, unsigned int code)
1035 {
1036         enum ip_conntrack_info ctinfo;
1037         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1038         struct nf_conn_help *help = nfct_help(ct);
1039
1040         if ((code >= 100 && code <= 199) ||
1041             (code >= 200 && code <= 299))
1042                 return process_sdp(skb, dataoff, dptr, datalen, cseq);
1043         else if (help->help.ct_sip_info.invite_cseq == cseq)
1044                 flush_expectations(ct, true);
1045         return NF_ACCEPT;
1046 }
1047
1048 static int process_update_response(struct sk_buff *skb, unsigned int dataoff,
1049                                    const char **dptr, unsigned int *datalen,
1050                                    unsigned int cseq, unsigned int code)
1051 {
1052         enum ip_conntrack_info ctinfo;
1053         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1054         struct nf_conn_help *help = nfct_help(ct);
1055
1056         if ((code >= 100 && code <= 199) ||
1057             (code >= 200 && code <= 299))
1058                 return process_sdp(skb, dataoff, dptr, datalen, cseq);
1059         else if (help->help.ct_sip_info.invite_cseq == cseq)
1060                 flush_expectations(ct, true);
1061         return NF_ACCEPT;
1062 }
1063
1064 static int process_prack_response(struct sk_buff *skb, unsigned int dataoff,
1065                                   const char **dptr, unsigned int *datalen,
1066                                   unsigned int cseq, unsigned int code)
1067 {
1068         enum ip_conntrack_info ctinfo;
1069         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1070         struct nf_conn_help *help = nfct_help(ct);
1071
1072         if ((code >= 100 && code <= 199) ||
1073             (code >= 200 && code <= 299))
1074                 return process_sdp(skb, dataoff, dptr, datalen, cseq);
1075         else if (help->help.ct_sip_info.invite_cseq == cseq)
1076                 flush_expectations(ct, true);
1077         return NF_ACCEPT;
1078 }
1079
1080 static int process_bye_request(struct sk_buff *skb, unsigned int dataoff,
1081                                const char **dptr, unsigned int *datalen,
1082                                unsigned int cseq)
1083 {
1084         enum ip_conntrack_info ctinfo;
1085         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1086
1087         flush_expectations(ct, true);
1088         return NF_ACCEPT;
1089 }
1090
1091 /* Parse a REGISTER request and create a permanent expectation for incoming
1092  * signalling connections. The expectation is marked inactive and is activated
1093  * when receiving a response indicating success from the registrar.
1094  */
1095 static int process_register_request(struct sk_buff *skb, unsigned int dataoff,
1096                                     const char **dptr, unsigned int *datalen,
1097                                     unsigned int cseq)
1098 {
1099         enum ip_conntrack_info ctinfo;
1100         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1101         struct nf_conn_help *help = nfct_help(ct);
1102         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1103         unsigned int matchoff, matchlen;
1104         struct nf_conntrack_expect *exp;
1105         union nf_inet_addr *saddr, daddr;
1106         __be16 port;
1107         u8 proto;
1108         unsigned int expires = 0;
1109         int ret;
1110         typeof(nf_nat_sip_expect_hook) nf_nat_sip_expect;
1111
1112         /* Expected connections can not register again. */
1113         if (ct->status & IPS_EXPECTED)
1114                 return NF_ACCEPT;
1115
1116         /* We must check the expiration time: a value of zero signals the
1117          * registrar to release the binding. We'll remove our expectation
1118          * when receiving the new bindings in the response, but we don't
1119          * want to create new ones.
1120          *
1121          * The expiration time may be contained in Expires: header, the
1122          * Contact: header parameters or the URI parameters.
1123          */
1124         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1125                               &matchoff, &matchlen) > 0)
1126                 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1127
1128         ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1129                                       SIP_HDR_CONTACT, NULL,
1130                                       &matchoff, &matchlen, &daddr, &port);
1131         if (ret < 0)
1132                 return NF_DROP;
1133         else if (ret == 0)
1134                 return NF_ACCEPT;
1135
1136         /* We don't support third-party registrations */
1137         if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
1138                 return NF_ACCEPT;
1139
1140         if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen,
1141                                    &proto) == 0)
1142                 return NF_ACCEPT;
1143
1144         if (ct_sip_parse_numerical_param(ct, *dptr,
1145                                          matchoff + matchlen, *datalen,
1146                                          "expires=", NULL, NULL, &expires) < 0)
1147                 return NF_DROP;
1148
1149         if (expires == 0) {
1150                 ret = NF_ACCEPT;
1151                 goto store_cseq;
1152         }
1153
1154         exp = nf_ct_expect_alloc(ct);
1155         if (!exp)
1156                 return NF_DROP;
1157
1158         saddr = NULL;
1159         if (sip_direct_signalling)
1160                 saddr = &ct->tuplehash[!dir].tuple.src.u3;
1161
1162         nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
1163                           saddr, &daddr, proto, NULL, &port);
1164         exp->timeout.expires = sip_timeout * HZ;
1165         exp->helper = nfct_help(ct)->helper;
1166         exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
1167
1168         nf_nat_sip_expect = rcu_dereference(nf_nat_sip_expect_hook);
1169         if (nf_nat_sip_expect && ct->status & IPS_NAT_MASK)
1170                 ret = nf_nat_sip_expect(skb, dataoff, dptr, datalen, exp,
1171                                         matchoff, matchlen);
1172         else {
1173                 if (nf_ct_expect_related(exp) != 0)
1174                         ret = NF_DROP;
1175                 else
1176                         ret = NF_ACCEPT;
1177         }
1178         nf_ct_expect_put(exp);
1179
1180 store_cseq:
1181         if (ret == NF_ACCEPT)
1182                 help->help.ct_sip_info.register_cseq = cseq;
1183         return ret;
1184 }
1185
1186 static int process_register_response(struct sk_buff *skb, unsigned int dataoff,
1187                                      const char **dptr, unsigned int *datalen,
1188                                      unsigned int cseq, unsigned int code)
1189 {
1190         enum ip_conntrack_info ctinfo;
1191         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1192         struct nf_conn_help *help = nfct_help(ct);
1193         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1194         union nf_inet_addr addr;
1195         __be16 port;
1196         u8 proto;
1197         unsigned int matchoff, matchlen, coff = 0;
1198         unsigned int expires = 0;
1199         int in_contact = 0, ret;
1200
1201         /* According to RFC 3261, "UAs MUST NOT send a new registration until
1202          * they have received a final response from the registrar for the
1203          * previous one or the previous REGISTER request has timed out".
1204          *
1205          * However, some servers fail to detect retransmissions and send late
1206          * responses, so we store the sequence number of the last valid
1207          * request and compare it here.
1208          */
1209         if (help->help.ct_sip_info.register_cseq != cseq)
1210                 return NF_ACCEPT;
1211
1212         if (code >= 100 && code <= 199)
1213                 return NF_ACCEPT;
1214         if (code < 200 || code > 299)
1215                 goto flush;
1216
1217         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1218                               &matchoff, &matchlen) > 0)
1219                 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1220
1221         while (1) {
1222                 unsigned int c_expires = expires;
1223
1224                 ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
1225                                               SIP_HDR_CONTACT, &in_contact,
1226                                               &matchoff, &matchlen,
1227                                               &addr, &port);
1228                 if (ret < 0)
1229                         return NF_DROP;
1230                 else if (ret == 0)
1231                         break;
1232
1233                 /* We don't support third-party registrations */
1234                 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
1235                         continue;
1236
1237                 if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen,
1238                                            *datalen, &proto) == 0)
1239                         continue;
1240
1241                 ret = ct_sip_parse_numerical_param(ct, *dptr,
1242                                                    matchoff + matchlen,
1243                                                    *datalen, "expires=",
1244                                                    NULL, NULL, &c_expires);
1245                 if (ret < 0)
1246                         return NF_DROP;
1247                 if (c_expires == 0)
1248                         break;
1249                 if (refresh_signalling_expectation(ct, &addr, proto, port,
1250                                                    c_expires))
1251                         return NF_ACCEPT;
1252         }
1253
1254 flush:
1255         flush_expectations(ct, false);
1256         return NF_ACCEPT;
1257 }
1258
1259 static const struct sip_handler sip_handlers[] = {
1260         SIP_HANDLER("INVITE", process_sdp, process_invite_response),
1261         SIP_HANDLER("UPDATE", process_sdp, process_update_response),
1262         SIP_HANDLER("ACK", process_sdp, NULL),
1263         SIP_HANDLER("PRACK", process_sdp, process_prack_response),
1264         SIP_HANDLER("BYE", process_bye_request, NULL),
1265         SIP_HANDLER("REGISTER", process_register_request, process_register_response),
1266 };
1267
1268 static int process_sip_response(struct sk_buff *skb, unsigned int dataoff,
1269                                 const char **dptr, unsigned int *datalen)
1270 {
1271         enum ip_conntrack_info ctinfo;
1272         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1273         unsigned int matchoff, matchlen, matchend;
1274         unsigned int code, cseq, i;
1275
1276         if (*datalen < strlen("SIP/2.0 200"))
1277                 return NF_ACCEPT;
1278         code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1279         if (!code)
1280                 return NF_DROP;
1281
1282         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1283                               &matchoff, &matchlen) <= 0)
1284                 return NF_DROP;
1285         cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1286         if (!cseq)
1287                 return NF_DROP;
1288         matchend = matchoff + matchlen + 1;
1289
1290         for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1291                 const struct sip_handler *handler;
1292
1293                 handler = &sip_handlers[i];
1294                 if (handler->response == NULL)
1295                         continue;
1296                 if (*datalen < matchend + handler->len ||
1297                     strnicmp(*dptr + matchend, handler->method, handler->len))
1298                         continue;
1299                 return handler->response(skb, dataoff, dptr, datalen,
1300                                          cseq, code);
1301         }
1302         return NF_ACCEPT;
1303 }
1304
1305 static int process_sip_request(struct sk_buff *skb, unsigned int dataoff,
1306                                const char **dptr, unsigned int *datalen)
1307 {
1308         enum ip_conntrack_info ctinfo;
1309         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1310         unsigned int matchoff, matchlen;
1311         unsigned int cseq, i;
1312
1313         for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1314                 const struct sip_handler *handler;
1315
1316                 handler = &sip_handlers[i];
1317                 if (handler->request == NULL)
1318                         continue;
1319                 if (*datalen < handler->len ||
1320                     strnicmp(*dptr, handler->method, handler->len))
1321                         continue;
1322
1323                 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1324                                       &matchoff, &matchlen) <= 0)
1325                         return NF_DROP;
1326                 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1327                 if (!cseq)
1328                         return NF_DROP;
1329
1330                 return handler->request(skb, dataoff, dptr, datalen, cseq);
1331         }
1332         return NF_ACCEPT;
1333 }
1334
1335 static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
1336                            unsigned int dataoff, const char **dptr,
1337                            unsigned int *datalen)
1338 {
1339         typeof(nf_nat_sip_hook) nf_nat_sip;
1340         int ret;
1341
1342         if (strnicmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
1343                 ret = process_sip_request(skb, dataoff, dptr, datalen);
1344         else
1345                 ret = process_sip_response(skb, dataoff, dptr, datalen);
1346
1347         if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1348                 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
1349                 if (nf_nat_sip && !nf_nat_sip(skb, dataoff, dptr, datalen))
1350                         ret = NF_DROP;
1351         }
1352
1353         return ret;
1354 }
1355
1356 static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1357                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1358 {
1359         struct tcphdr *th, _tcph;
1360         unsigned int dataoff, datalen;
1361         unsigned int matchoff, matchlen, clen;
1362         unsigned int msglen, origlen;
1363         const char *dptr, *end;
1364         s16 diff, tdiff = 0;
1365         int ret;
1366         typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
1367
1368         if (ctinfo != IP_CT_ESTABLISHED &&
1369             ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
1370                 return NF_ACCEPT;
1371
1372         /* No Data ? */
1373         th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
1374         if (th == NULL)
1375                 return NF_ACCEPT;
1376         dataoff = protoff + th->doff * 4;
1377         if (dataoff >= skb->len)
1378                 return NF_ACCEPT;
1379
1380         nf_ct_refresh(ct, skb, sip_timeout * HZ);
1381
1382         if (skb_is_nonlinear(skb)) {
1383                 pr_debug("Copy of skbuff not supported yet.\n");
1384                 return NF_ACCEPT;
1385         }
1386
1387         dptr = skb->data + dataoff;
1388         datalen = skb->len - dataoff;
1389         if (datalen < strlen("SIP/2.0 200"))
1390                 return NF_ACCEPT;
1391
1392         while (1) {
1393                 if (ct_sip_get_header(ct, dptr, 0, datalen,
1394                                       SIP_HDR_CONTENT_LENGTH,
1395                                       &matchoff, &matchlen) <= 0)
1396                         break;
1397
1398                 clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
1399                 if (dptr + matchoff == end)
1400                         break;
1401
1402                 if (end + strlen("\r\n\r\n") > dptr + datalen)
1403                         break;
1404                 if (end[0] != '\r' || end[1] != '\n' ||
1405                     end[2] != '\r' || end[3] != '\n')
1406                         break;
1407                 end += strlen("\r\n\r\n") + clen;
1408
1409                 msglen = origlen = end - dptr;
1410
1411                 ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
1412                 if (ret != NF_ACCEPT)
1413                         break;
1414                 diff     = msglen - origlen;
1415                 tdiff   += diff;
1416
1417                 dataoff += msglen;
1418                 dptr    += msglen;
1419                 datalen  = datalen + diff - msglen;
1420         }
1421
1422         if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1423                 nf_nat_sip_seq_adjust = rcu_dereference(nf_nat_sip_seq_adjust_hook);
1424                 if (nf_nat_sip_seq_adjust)
1425                         nf_nat_sip_seq_adjust(skb, tdiff);
1426         }
1427
1428         return ret;
1429 }
1430
1431 static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
1432                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1433 {
1434         unsigned int dataoff, datalen;
1435         const char *dptr;
1436
1437         /* No Data ? */
1438         dataoff = protoff + sizeof(struct udphdr);
1439         if (dataoff >= skb->len)
1440                 return NF_ACCEPT;
1441
1442         nf_ct_refresh(ct, skb, sip_timeout * HZ);
1443
1444         if (skb_is_nonlinear(skb)) {
1445                 pr_debug("Copy of skbuff not supported yet.\n");
1446                 return NF_ACCEPT;
1447         }
1448
1449         dptr = skb->data + dataoff;
1450         datalen = skb->len - dataoff;
1451         if (datalen < strlen("SIP/2.0 200"))
1452                 return NF_ACCEPT;
1453
1454         return process_sip_msg(skb, ct, dataoff, &dptr, &datalen);
1455 }
1456
1457 static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
1458 static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly;
1459
1460 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
1461         [SIP_EXPECT_SIGNALLING] = {
1462                 .name           = "signalling",
1463                 .max_expected   = 1,
1464                 .timeout        = 3 * 60,
1465         },
1466         [SIP_EXPECT_AUDIO] = {
1467                 .name           = "audio",
1468                 .max_expected   = 2 * IP_CT_DIR_MAX,
1469                 .timeout        = 3 * 60,
1470         },
1471         [SIP_EXPECT_VIDEO] = {
1472                 .name           = "video",
1473                 .max_expected   = 2 * IP_CT_DIR_MAX,
1474                 .timeout        = 3 * 60,
1475         },
1476 };
1477
1478 static void nf_conntrack_sip_fini(void)
1479 {
1480         int i, j;
1481
1482         for (i = 0; i < ports_c; i++) {
1483                 for (j = 0; j < ARRAY_SIZE(sip[i]); j++) {
1484                         if (sip[i][j].me == NULL)
1485                                 continue;
1486                         nf_conntrack_helper_unregister(&sip[i][j]);
1487                 }
1488         }
1489 }
1490
1491 static int __init nf_conntrack_sip_init(void)
1492 {
1493         int i, j, ret;
1494         char *tmpname;
1495
1496         if (ports_c == 0)
1497                 ports[ports_c++] = SIP_PORT;
1498
1499         for (i = 0; i < ports_c; i++) {
1500                 memset(&sip[i], 0, sizeof(sip[i]));
1501
1502                 sip[i][0].tuple.src.l3num = AF_INET;
1503                 sip[i][0].tuple.dst.protonum = IPPROTO_UDP;
1504                 sip[i][0].help = sip_help_udp;
1505                 sip[i][1].tuple.src.l3num = AF_INET;
1506                 sip[i][1].tuple.dst.protonum = IPPROTO_TCP;
1507                 sip[i][1].help = sip_help_tcp;
1508
1509                 sip[i][2].tuple.src.l3num = AF_INET6;
1510                 sip[i][2].tuple.dst.protonum = IPPROTO_UDP;
1511                 sip[i][2].help = sip_help_udp;
1512                 sip[i][3].tuple.src.l3num = AF_INET6;
1513                 sip[i][3].tuple.dst.protonum = IPPROTO_TCP;
1514                 sip[i][3].help = sip_help_tcp;
1515
1516                 for (j = 0; j < ARRAY_SIZE(sip[i]); j++) {
1517                         sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
1518                         sip[i][j].expect_policy = sip_exp_policy;
1519                         sip[i][j].expect_class_max = SIP_EXPECT_MAX;
1520                         sip[i][j].me = THIS_MODULE;
1521
1522                         tmpname = &sip_names[i][j][0];
1523                         if (ports[i] == SIP_PORT)
1524                                 sprintf(tmpname, "sip");
1525                         else
1526                                 sprintf(tmpname, "sip-%u", i);
1527                         sip[i][j].name = tmpname;
1528
1529                         pr_debug("port #%u: %u\n", i, ports[i]);
1530
1531                         ret = nf_conntrack_helper_register(&sip[i][j]);
1532                         if (ret) {
1533                                 printk("nf_ct_sip: failed to register helper "
1534                                        "for pf: %u port: %u\n",
1535                                        sip[i][j].tuple.src.l3num, ports[i]);
1536                                 nf_conntrack_sip_fini();
1537                                 return ret;
1538                         }
1539                 }
1540         }
1541         return 0;
1542 }
1543
1544 module_init(nf_conntrack_sip_init);
1545 module_exit(nf_conntrack_sip_fini);