1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
5 * (C) 2007 United Security Providers
6 * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
17 #include <linux/udp.h>
19 #include <net/netfilter/nf_nat.h>
20 #include <net/netfilter/nf_nat_helper.h>
21 #include <net/netfilter/nf_nat_rule.h>
22 #include <net/netfilter/nf_conntrack_helper.h>
23 #include <net/netfilter/nf_conntrack_expect.h>
24 #include <linux/netfilter/nf_conntrack_sip.h>
26 MODULE_LICENSE("GPL");
27 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
28 MODULE_DESCRIPTION("SIP NAT helper");
29 MODULE_ALIAS("ip_nat_sip");
32 static unsigned int mangle_packet(struct sk_buff *skb, unsigned int dataoff,
33 const char **dptr, unsigned int *datalen,
34 unsigned int matchoff, unsigned int matchlen,
35 const char *buffer, unsigned int buflen)
37 enum ip_conntrack_info ctinfo;
38 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
40 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
44 /* Reload data pointer and adjust datalen value */
45 *dptr = skb->data + dataoff;
46 *datalen += buflen - matchlen;
50 static int map_addr(struct sk_buff *skb, unsigned int dataoff,
51 const char **dptr, unsigned int *datalen,
52 unsigned int matchoff, unsigned int matchlen,
53 union nf_inet_addr *addr, __be16 port)
55 enum ip_conntrack_info ctinfo;
56 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
57 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
58 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
63 if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
64 ct->tuplehash[dir].tuple.src.u.udp.port == port) {
65 newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
66 newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
67 } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
68 ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
69 newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
70 newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
74 if (newaddr == addr->ip && newport == port)
77 buflen = sprintf(buffer, "%pI4:%u", &newaddr, ntohs(newport));
79 return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen,
83 static int map_sip_addr(struct sk_buff *skb, unsigned int dataoff,
84 const char **dptr, unsigned int *datalen,
85 enum sip_header_types type)
87 enum ip_conntrack_info ctinfo;
88 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
89 unsigned int matchlen, matchoff;
90 union nf_inet_addr addr;
93 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
94 &matchoff, &matchlen, &addr, &port) <= 0)
96 return map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
100 static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
101 const char **dptr, unsigned int *datalen)
103 enum ip_conntrack_info ctinfo;
104 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
105 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
106 unsigned int coff, matchoff, matchlen;
107 union nf_inet_addr addr;
109 int request, in_header;
111 /* Basic rules: requests and responses. */
112 if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
113 if (ct_sip_parse_request(ct, *dptr, *datalen,
114 &matchoff, &matchlen,
116 !map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
123 /* Translate topmost Via header and parameters */
124 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
125 SIP_HDR_VIA_UDP, NULL, &matchoff, &matchlen,
127 unsigned int matchend, poff, plen, buflen, n;
128 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
130 /* We're only interested in headers related to this
133 if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
134 port != ct->tuplehash[dir].tuple.src.u.udp.port)
137 if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
138 port != ct->tuplehash[dir].tuple.dst.u.udp.port)
142 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
146 matchend = matchoff + matchlen;
148 /* The maddr= parameter (RFC 2361) specifies where to send
150 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
151 "maddr=", &poff, &plen,
153 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
154 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
155 buflen = sprintf(buffer, "%pI4",
156 &ct->tuplehash[!dir].tuple.dst.u3.ip);
157 if (!mangle_packet(skb, dataoff, dptr, datalen,
158 poff, plen, buffer, buflen))
162 /* The received= parameter (RFC 2361) contains the address
163 * from which the server received the request. */
164 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
165 "received=", &poff, &plen,
167 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
168 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
169 buflen = sprintf(buffer, "%pI4",
170 &ct->tuplehash[!dir].tuple.src.u3.ip);
171 if (!mangle_packet(skb, dataoff, dptr, datalen,
172 poff, plen, buffer, buflen))
176 /* The rport= parameter (RFC 3581) contains the port number
177 * from which the server received the request. */
178 if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
179 "rport=", &poff, &plen,
181 htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
182 htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
183 __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
184 buflen = sprintf(buffer, "%u", ntohs(p));
185 if (!mangle_packet(skb, dataoff, dptr, datalen,
186 poff, plen, buffer, buflen))
192 /* Translate Contact headers */
195 while (ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
196 SIP_HDR_CONTACT, &in_header,
197 &matchoff, &matchlen,
199 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
204 if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) ||
205 !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO))
210 /* Handles expected signalling connections and media streams */
211 static void ip_nat_sip_expected(struct nf_conn *ct,
212 struct nf_conntrack_expect *exp)
214 struct nf_nat_range range;
216 /* This must be a fresh one. */
217 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
219 /* For DST manip, map port here to where it's expected. */
220 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
221 range.min = range.max = exp->saved_proto;
222 range.min_ip = range.max_ip = exp->saved_ip;
223 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
225 /* Change src to where master sends to, but only if the connection
226 * actually came from the same source. */
227 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
228 ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
229 range.flags = IP_NAT_RANGE_MAP_IPS;
230 range.min_ip = range.max_ip
231 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
232 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
236 static unsigned int ip_nat_sip_expect(struct sk_buff *skb, unsigned int dataoff,
237 const char **dptr, unsigned int *datalen,
238 struct nf_conntrack_expect *exp,
239 unsigned int matchoff,
240 unsigned int matchlen)
242 enum ip_conntrack_info ctinfo;
243 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
244 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
247 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
250 /* Connection will come from reply */
251 if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
252 newip = exp->tuple.dst.u3.ip;
254 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
256 /* If the signalling port matches the connection's source port in the
257 * original direction, try to use the destination port in the opposite
259 if (exp->tuple.dst.u.udp.port ==
260 ct->tuplehash[dir].tuple.src.u.udp.port)
261 port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
263 port = ntohs(exp->tuple.dst.u.udp.port);
265 exp->saved_ip = exp->tuple.dst.u3.ip;
266 exp->tuple.dst.u3.ip = newip;
267 exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
269 exp->expectfn = ip_nat_sip_expected;
271 for (; port != 0; port++) {
272 exp->tuple.dst.u.udp.port = htons(port);
273 if (nf_ct_expect_related(exp) == 0)
280 if (exp->tuple.dst.u3.ip != exp->saved_ip ||
281 exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
282 buflen = sprintf(buffer, "%pI4:%u", &newip, port);
283 if (!mangle_packet(skb, dataoff, dptr, datalen,
284 matchoff, matchlen, buffer, buflen))
290 nf_ct_unexpect_related(exp);
294 static int mangle_content_len(struct sk_buff *skb, unsigned int dataoff,
295 const char **dptr, unsigned int *datalen)
297 enum ip_conntrack_info ctinfo;
298 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
299 unsigned int matchoff, matchlen;
300 char buffer[sizeof("65536")];
303 /* Get actual SDP length */
304 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
305 SDP_HDR_VERSION, SDP_HDR_UNSPEC,
306 &matchoff, &matchlen) <= 0)
308 c_len = *datalen - matchoff + strlen("v=");
310 /* Now, update SDP length */
311 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
312 &matchoff, &matchlen) <= 0)
315 buflen = sprintf(buffer, "%u", c_len);
316 return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen,
320 static int mangle_sdp_packet(struct sk_buff *skb, unsigned int dataoff,
321 const char **dptr, unsigned int *datalen,
323 enum sdp_header_types type,
324 enum sdp_header_types term,
325 char *buffer, int buflen)
327 enum ip_conntrack_info ctinfo;
328 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
329 unsigned int matchlen, matchoff;
331 if (ct_sip_get_sdp_header(ct, *dptr, sdpoff, *datalen, type, term,
332 &matchoff, &matchlen) <= 0)
334 return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen,
335 buffer, buflen) ? 0 : -EINVAL;
338 static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, unsigned int dataoff,
339 const char **dptr, unsigned int *datalen,
341 enum sdp_header_types type,
342 enum sdp_header_types term,
343 const union nf_inet_addr *addr)
345 char buffer[sizeof("nnn.nnn.nnn.nnn")];
348 buflen = sprintf(buffer, "%pI4", &addr->ip);
349 if (mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff, type, term,
353 return mangle_content_len(skb, dataoff, dptr, datalen);
356 static unsigned int ip_nat_sdp_port(struct sk_buff *skb, unsigned int dataoff,
357 const char **dptr, unsigned int *datalen,
358 unsigned int matchoff,
359 unsigned int matchlen,
362 char buffer[sizeof("nnnnn")];
365 buflen = sprintf(buffer, "%u", port);
366 if (!mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen,
370 return mangle_content_len(skb, dataoff, dptr, datalen);
373 static unsigned int ip_nat_sdp_session(struct sk_buff *skb, unsigned int dataoff,
374 const char **dptr, unsigned int *datalen,
376 const union nf_inet_addr *addr)
378 char buffer[sizeof("nnn.nnn.nnn.nnn")];
381 /* Mangle session description owner and contact addresses */
382 buflen = sprintf(buffer, "%pI4", &addr->ip);
383 if (mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff,
384 SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
388 switch (mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff,
389 SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
395 * Session description
397 * c=* (connection information - not required if included in all media)
405 return mangle_content_len(skb, dataoff, dptr, datalen);
408 /* So, this packet has hit the connection tracking matching code.
409 Mangle it, and change the expectation to match the new version. */
410 static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int dataoff,
411 const char **dptr, unsigned int *datalen,
412 struct nf_conntrack_expect *rtp_exp,
413 struct nf_conntrack_expect *rtcp_exp,
414 unsigned int mediaoff,
415 unsigned int medialen,
416 union nf_inet_addr *rtp_addr)
418 enum ip_conntrack_info ctinfo;
419 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
420 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
423 /* Connection will come from reply */
424 if (ct->tuplehash[dir].tuple.src.u3.ip ==
425 ct->tuplehash[!dir].tuple.dst.u3.ip)
426 rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
428 rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
430 rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
431 rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
432 rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
434 rtp_exp->expectfn = ip_nat_sip_expected;
436 rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
437 rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
438 rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
439 rtcp_exp->dir = !dir;
440 rtcp_exp->expectfn = ip_nat_sip_expected;
442 /* Try to get same pair of ports: if not, try to change them. */
443 for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
444 port != 0; port += 2) {
445 rtp_exp->tuple.dst.u.udp.port = htons(port);
446 if (nf_ct_expect_related(rtp_exp) != 0)
448 rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
449 if (nf_ct_expect_related(rtcp_exp) == 0)
451 nf_ct_unexpect_related(rtp_exp);
457 /* Update media port. */
458 if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
459 !ip_nat_sdp_port(skb, dataoff, dptr, datalen,
460 mediaoff, medialen, port))
466 nf_ct_unexpect_related(rtp_exp);
467 nf_ct_unexpect_related(rtcp_exp);
472 static void __exit nf_nat_sip_fini(void)
474 rcu_assign_pointer(nf_nat_sip_hook, NULL);
475 rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
476 rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
477 rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
478 rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
479 rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
483 static int __init nf_nat_sip_init(void)
485 BUG_ON(nf_nat_sip_hook != NULL);
486 BUG_ON(nf_nat_sip_expect_hook != NULL);
487 BUG_ON(nf_nat_sdp_addr_hook != NULL);
488 BUG_ON(nf_nat_sdp_port_hook != NULL);
489 BUG_ON(nf_nat_sdp_session_hook != NULL);
490 BUG_ON(nf_nat_sdp_media_hook != NULL);
491 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
492 rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
493 rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
494 rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
495 rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
496 rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
500 module_init(nf_nat_sip_init);
501 module_exit(nf_nat_sip_fini);