/*
 * H.323 extension for NAT alteration.
 *
 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
 *
 * This source code is licensed under General Public License version 2.
 *
 * Based on the 'brute force' H.323 NAT module by
 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 */
12 #include <linux/module.h>
13 #include <linux/moduleparam.h>
14 #include <linux/tcp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_nat_rule.h>
20 #include <net/netfilter/nf_conntrack_helper.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <linux/netfilter/nf_conntrack_h323.h>
/*
 * DEBUGP expands to nothing in this definition, so every DEBUGP(...) call
 * below disappears at preprocessing time and its arguments are never
 * compiled or type-checked.
 * NOTE(review): several DEBUGP calls name `ip` or `tuple.src.ip` where the
 * surrounding code uses `addr` and `tuple.src.u3.ip`; re-check them before
 * routing DEBUGP to a real print function.
 */
27 #define DEBUGP(format, args...)
30 /****************************************************************************/
/*
 * set_addr - overwrite an address/port pair inside the packet payload.
 *
 * Fetches the conntrack entry for skb with nf_ct_get() and passes a packed
 * buffer (buf) to nf_nat_mangle_tcp_packet() when the IP protocol is TCP,
 * otherwise to nf_nat_mangle_udp_packet().  After a successful mangle *data
 * is recomputed from skb->data, so the caller's payload pointer follows the
 * (possibly relocated) packet data.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump),
 * so the members of buf, the code that fills it, the offsets given to the
 * mangle helpers and the return statements are not visible.  Presumably ip
 * and port are copied into buf and a negative value is returned on failure;
 * confirm against the complete file.
 */
31 static int set_addr(struct sk_buff
*skb
,
32 unsigned char **data
, int dataoff
,
33 unsigned int addroff
, __be32 ip
, __be16 port
)
35 enum ip_conntrack_info ctinfo
;
36 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
40 } __attribute__ ((__packed__
)) buf
;
41 struct tcphdr _tcph
, *th
;
47 if (ip_hdr(skb
)->protocol
== IPPROTO_TCP
) {
48 if (!nf_nat_mangle_tcp_packet(skb
, ct
, ctinfo
,
50 (char *) &buf
, sizeof(buf
))) {
52 printk("nf_nat_h323: nf_nat_mangle_tcp_packet"
57 /* Relocate data pointer */
/*
 * The TCP header is re-read after the mangle and th->doff (a value taken
 * from the packet) sizes the header when *data is rebuilt.
 * NOTE(review): a NULL check on th is not visible here (original lines
 * 60-61 are absent from this listing); confirm th is tested before it is
 * dereferenced.
 */
58 th
= skb_header_pointer(skb
, ip_hdrlen(skb
),
59 sizeof(_tcph
), &_tcph
);
62 *data
= skb
->data
+ ip_hdrlen(skb
) + th
->doff
* 4 + dataoff
;
64 if (!nf_nat_mangle_udp_packet(skb
, ct
, ctinfo
,
66 (char *) &buf
, sizeof(buf
))) {
68 printk("nf_nat_h323: nf_nat_mangle_udp_packet"
72 /* nf_nat_mangle_udp_packet uses skb_make_writable() to copy
73 * or pull everything in a linear buffer, so we can safely
74 * use the skb pointers now */
75 *data
= skb
->data
+ ip_hdrlen(skb
) + sizeof(struct udphdr
);
81 /****************************************************************************/
/*
 * set_h225_addr - rewrite the address carried in an H.225 TransportAddress.
 *
 * Thin wrapper around set_addr().  taddr->ipAddress.ip is passed in the
 * addroff position, so that field apparently holds the offset of the
 * address inside the payload rather than the address itself.
 *
 * NOTE(review): the remaining arguments of the set_addr() call are on lines
 * missing from this listing; presumably the IPv4 address from addr and
 * port -- confirm against the complete file.
 */
82 static int set_h225_addr(struct sk_buff
*skb
,
83 unsigned char **data
, int dataoff
,
84 TransportAddress
*taddr
,
85 union nf_inet_addr
*addr
, __be16 port
)
87 return set_addr(skb
, data
, dataoff
, taddr
->ipAddress
.ip
,
91 /****************************************************************************/
/*
 * set_h245_addr - rewrite the address carried in an H.245 TransportAddress.
 *
 * Thin wrapper around set_addr().  taddr->unicastAddress.iPAddress.network
 * is passed in the addroff position, so that field apparently holds the
 * offset of the address inside the payload.
 *
 * NOTE(review): the remaining arguments of the set_addr() call are on lines
 * missing from this listing; presumably the IPv4 address from addr and
 * port -- confirm against the complete file.
 */
92 static int set_h245_addr(struct sk_buff
*skb
,
93 unsigned char **data
, int dataoff
,
94 H245_TransportAddress
*taddr
,
95 union nf_inet_addr
*addr
, __be16 port
)
97 return set_addr(skb
, data
, dataoff
,
98 taddr
->unicastAddress
.iPAddress
.network
,
102 /****************************************************************************/
/*
 * set_sig_addr - translate the signalling address in a list of
 * TransportAddress entries.
 *
 * Walks taddr[0..count) and decodes each entry with get_h225_addr().  An
 * entry is rewritten through set_h225_addr() when its port equals
 * info->sig_port[dir] and its address equals either the source or the
 * destination address of ct->tuplehash[dir]; the replacement port is
 * info->sig_port[!dir] and the replacement address comes from
 * ct->tuplehash[!dir].  The function returns on the first entry rewritten.
 *
 * NOTE(review): count and taddr describe decoded message content and are
 * used here without a bound check; presumably the decoder limits count --
 * verify against the caller.  Declarations of i and port, the body of the
 * "Fix for Gnomemeeting" branch and the final return are on lines missing
 * from this listing.
 */
103 static int set_sig_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
104 enum ip_conntrack_info ctinfo
,
105 unsigned char **data
,
106 TransportAddress
*taddr
, int count
)
108 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
109 int dir
= CTINFO2DIR(ctinfo
);
112 union nf_inet_addr addr
;
114 for (i
= 0; i
< count
; i
++) {
115 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
)) {
116 if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
117 port
== info
->sig_port
[dir
]) {
/*
 * The test below decodes taddr[0] again and checks whether it lies in
 * 127.0.0.0/8 (top octet 0x7f).  The action taken on a match is on a line
 * missing from this listing.
 */
120 /* Fix for Gnomemeeting */
122 get_h225_addr(ct
, *data
, &taddr
[0],
124 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000)
128 ("nf_nat_ras: set signal address "
129 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
131 NIPQUAD(ct
->tuplehash
[!dir
].tuple
.dst
.
132 ip
), info
->sig_port
[!dir
]);
133 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
134 &ct
->tuplehash
[!dir
].
136 info
->sig_port
[!dir
]);
137 } else if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
&&
138 port
== info
->sig_port
[dir
]) {
141 ("nf_nat_ras: set signal address "
142 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
144 NIPQUAD(ct
->tuplehash
[!dir
].tuple
.src
.
145 ip
), info
->sig_port
[!dir
]);
146 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
147 &ct
->tuplehash
[!dir
].
149 info
->sig_port
[!dir
]);
157 /****************************************************************************/
/*
 * set_ras_addr - translate the RAS address in a list of TransportAddress
 * entries.
 *
 * Walks taddr[0..count) and decodes each entry with get_h225_addr().  The
 * first entry whose address and port equal the source address and UDP
 * source port of ct->tuplehash[dir] is rewritten through set_h225_addr(),
 * using the destination address of ct->tuplehash[!dir]; the function
 * returns at that point.
 *
 * NOTE(review): count is used without a bound check here; presumably the
 * decoder limits it -- verify against the caller.  The DEBUGP call names
 * `ip`, but no declaration of `ip` is visible in this function (the decoded
 * address is in `addr`); it builds only because DEBUGP expands to nothing.
 * The replacement port argument and the final return are on lines missing
 * from this listing.
 */
158 static int set_ras_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
159 enum ip_conntrack_info ctinfo
,
160 unsigned char **data
,
161 TransportAddress
*taddr
, int count
)
163 int dir
= CTINFO2DIR(ctinfo
);
166 union nf_inet_addr addr
;
168 for (i
= 0; i
< count
; i
++) {
169 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
) &&
170 addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
171 port
== ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
) {
172 DEBUGP("nf_nat_ras: set rasAddress "
173 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
174 NIPQUAD(ip
), ntohs(port
),
175 NIPQUAD(ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
),
176 ntohs(ct
->tuplehash
[!dir
].tuple
.dst
.u
.udp
.
178 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
179 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
180 ct
->tuplehash
[!dir
].tuple
.
188 /****************************************************************************/
/*
 * nat_rtp_rtcp - register the RTP/RTCP expectation pair for a media channel
 * and rewrite the signalled transport address to the NATed port.
 *
 * Steps visible in this listing:
 *  - each expectation saves its current destination port in saved_proto and
 *    uses nf_nat_follow_master as its expectfn;
 *  - info->rtp_port[][] is scanned (H323_RTP_CHANNEL_MAX slots) for an entry
 *    already recorded for rtp_port or for a free slot (value 0); when the
 *    scan reaches H323_RTP_CHANNEL_MAX the "out of expectations" message is
 *    printed;
 *  - a port pair (nated_port, nated_port + 1) is searched by calling
 *    nf_conntrack_expect_related() until both registrations succeed;
 *  - set_h245_addr() patches the payload; on the success path the mapping is
 *    recorded in info->rtp_port[i][dir] / [!dir], on the failure path both
 *    expectations are withdrawn with nf_conntrack_unexpect_related().
 *
 * Every expectation created here lets a future flow through the NAT, and
 * the ports involved come from the signalling payload, so this function
 * sits on a trust boundary.
 *
 * NOTE(review): braces, break/return statements and some argument lines are
 * missing from this listing, so the exact success/failure pairing above is
 * inferred from the visible calls -- confirm against the complete file.
 */
189 static int nat_rtp_rtcp(struct sk_buff
*skb
, struct nf_conn
*ct
,
190 enum ip_conntrack_info ctinfo
,
191 unsigned char **data
, int dataoff
,
192 H245_TransportAddress
*taddr
,
193 __be16 port
, __be16 rtp_port
,
194 struct nf_conntrack_expect
*rtp_exp
,
195 struct nf_conntrack_expect
*rtcp_exp
)
197 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
198 int dir
= CTINFO2DIR(ctinfo
);
200 u_int16_t nated_port
;
202 /* Set expectations for NAT */
203 rtp_exp
->saved_proto
.udp
.port
= rtp_exp
->tuple
.dst
.u
.udp
.port
;
204 rtp_exp
->expectfn
= nf_nat_follow_master
;
206 rtcp_exp
->saved_proto
.udp
.port
= rtcp_exp
->tuple
.dst
.u
.udp
.port
;
207 rtcp_exp
->expectfn
= nf_nat_follow_master
;
208 rtcp_exp
->dir
= !dir
;
210 /* Lookup existing expects */
211 for (i
= 0; i
< H323_RTP_CHANNEL_MAX
; i
++) {
212 if (info
->rtp_port
[i
][dir
] == rtp_port
) {
215 /* Use allocated ports first. This will refresh
217 rtp_exp
->tuple
.dst
.u
.udp
.port
= info
->rtp_port
[i
][dir
];
218 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
219 htons(ntohs(info
->rtp_port
[i
][dir
]) + 1);
221 } else if (info
->rtp_port
[i
][dir
] == 0) {
227 /* Run out of expectations */
228 if (i
>= H323_RTP_CHANNEL_MAX
) {
230 printk("nf_nat_h323: out of expectations\n");
/*
 * nated_port is a 16-bit value advanced by 2, and the loop stops only when
 * it wraps to 0.
 * NOTE(review): that terminates only if the starting port is even;
 * presumably the caller passes an even RTP port in rtp_exp -- verify.
 * Any non-zero result from nf_conntrack_expect_related() is treated as
 * "port taken, try the next pair"; if that call can fail for another reason,
 * one packet would make this loop walk the rest of the port range.
 */
234 /* Try to get a pair of ports. */
235 for (nated_port
= ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
);
236 nated_port
!= 0; nated_port
+= 2) {
237 rtp_exp
->tuple
.dst
.u
.udp
.port
= htons(nated_port
);
238 if (nf_conntrack_expect_related(rtp_exp
) == 0) {
239 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
240 htons(nated_port
+ 1);
241 if (nf_conntrack_expect_related(rtcp_exp
) == 0)
243 nf_conntrack_unexpect_related(rtp_exp
);
247 if (nated_port
== 0) { /* No port available */
249 printk("nf_nat_h323: out of RTP ports\n");
/*
 * The low bit of the signalled port selects which of the pair is written
 * into the payload: an odd port gets nated_port + 1.  The other arm of the
 * conditional is on a line missing from this listing.
 */
254 if (set_h245_addr(skb
, data
, dataoff
, taddr
,
255 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
256 htons((port
& htons(1)) ? nated_port
+ 1 :
259 info
->rtp_port
[i
][dir
] = rtp_port
;
260 info
->rtp_port
[i
][!dir
] = htons(nated_port
);
262 nf_conntrack_unexpect_related(rtp_exp
);
263 nf_conntrack_unexpect_related(rtcp_exp
);
268 DEBUGP("nf_nat_h323: expect RTP %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
269 NIPQUAD(rtp_exp
->tuple
.src
.ip
),
270 ntohs(rtp_exp
->tuple
.src
.u
.udp
.port
),
271 NIPQUAD(rtp_exp
->tuple
.dst
.ip
),
272 ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
));
273 DEBUGP("nf_nat_h323: expect RTCP %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
274 NIPQUAD(rtcp_exp
->tuple
.src
.ip
),
275 ntohs(rtcp_exp
->tuple
.src
.u
.udp
.port
),
276 NIPQUAD(rtcp_exp
->tuple
.dst
.ip
),
277 ntohs(rtcp_exp
->tuple
.dst
.u
.udp
.port
));
282 /****************************************************************************/
/*
 * nat_t120 - register the TCP expectation for a T.120 channel and rewrite
 * the signalled H.245 transport address.
 *
 * The expectation keeps its current destination port in saved_proto and
 * uses nf_nat_follow_master as expectfn.  Starting from the signalled port,
 * successive ports are tried with nf_conntrack_expect_related(); a
 * nated_port of 0 after the loop means the 16-bit counter wrapped without a
 * free port.  If set_h245_addr() then returns a negative value the
 * expectation is withdrawn again.
 *
 * NOTE(review): exp->dir, the break/return statements and closing braces
 * are on lines missing from this listing.
 */
283 static int nat_t120(struct sk_buff
*skb
, struct nf_conn
*ct
,
284 enum ip_conntrack_info ctinfo
,
285 unsigned char **data
, int dataoff
,
286 H245_TransportAddress
*taddr
, __be16 port
,
287 struct nf_conntrack_expect
*exp
)
289 int dir
= CTINFO2DIR(ctinfo
);
290 u_int16_t nated_port
= ntohs(port
);
292 /* Set expectations for NAT */
293 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
294 exp
->expectfn
= nf_nat_follow_master
;
/*
 * NOTE(review): every non-zero result from nf_conntrack_expect_related()
 * advances to the next port; if the call can fail for a reason other than a
 * port clash, the loop runs until nated_port wraps to 0.
 */
297 /* Try to get same port: if not, try to change it. */
298 for (; nated_port
!= 0; nated_port
++) {
299 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
300 if (nf_conntrack_expect_related(exp
) == 0)
304 if (nated_port
== 0) { /* No port available */
306 printk("nf_nat_h323: out of TCP ports\n");
311 if (set_h245_addr(skb
, data
, dataoff
, taddr
,
312 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
313 htons(nated_port
)) < 0) {
314 nf_conntrack_unexpect_related(exp
);
318 DEBUGP("nf_nat_h323: expect T.120 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
319 NIPQUAD(exp
->tuple
.src
.ip
), ntohs(exp
->tuple
.src
.u
.tcp
.port
),
320 NIPQUAD(exp
->tuple
.dst
.ip
), ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
325 /****************************************************************************/
/*
 * nat_h245 - register the TCP expectation for the H.245 control channel and
 * rewrite the signalled H.225 transport address.
 *
 * The expectation keeps its current destination port in saved_proto and
 * uses nf_nat_follow_master as expectfn.  When info->sig_port[dir] already
 * equals the signalled port, the search starts from the previously mapped
 * info->sig_port[!dir]; otherwise it starts from the signalled port.  Ports
 * are tried with nf_conntrack_expect_related() until one succeeds or the
 * 16-bit counter wraps to 0.  When set_h225_addr() returns 0 the mapping is
 * stored in info->sig_port[]; the visible nf_conntrack_unexpect_related()
 * call is presumably the failure path.
 *
 * NOTE(review): exp->dir, the break/return statements, the else keyword and
 * closing braces are on lines missing from this listing.
 */
326 static int nat_h245(struct sk_buff
*skb
, struct nf_conn
*ct
,
327 enum ip_conntrack_info ctinfo
,
328 unsigned char **data
, int dataoff
,
329 TransportAddress
*taddr
, __be16 port
,
330 struct nf_conntrack_expect
*exp
)
332 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
333 int dir
= CTINFO2DIR(ctinfo
);
334 u_int16_t nated_port
= ntohs(port
);
336 /* Set expectations for NAT */
337 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
338 exp
->expectfn
= nf_nat_follow_master
;
341 /* Check existing expects */
342 if (info
->sig_port
[dir
] == port
)
343 nated_port
= ntohs(info
->sig_port
[!dir
]);
/*
 * NOTE(review): every non-zero result from nf_conntrack_expect_related()
 * advances to the next port; if the call can fail for a reason other than a
 * port clash, the loop runs until nated_port wraps to 0.
 */
345 /* Try to get same port: if not, try to change it. */
346 for (; nated_port
!= 0; nated_port
++) {
347 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
348 if (nf_conntrack_expect_related(exp
) == 0)
352 if (nated_port
== 0) { /* No port available */
354 printk("nf_nat_q931: out of TCP ports\n");
359 if (set_h225_addr(skb
, data
, dataoff
, taddr
,
360 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
361 htons(nated_port
)) == 0) {
363 info
->sig_port
[dir
] = port
;
364 info
->sig_port
[!dir
] = htons(nated_port
);
366 nf_conntrack_unexpect_related(exp
);
370 DEBUGP("nf_nat_q931: expect H.245 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
371 NIPQUAD(exp
->tuple
.src
.ip
), ntohs(exp
->tuple
.src
.u
.tcp
.port
),
372 NIPQUAD(exp
->tuple
.dst
.ip
), ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
/****************************************************************************
 * This conntrack expect function replaces nf_conntrack_q931_expect()
 * which was set by nf_conntrack_h323.c.
 ****************************************************************************/
/*
 * ip_nat_q931_expect - expectfn that sets up NAT for a connection matching
 * a Q.931 expectation.
 *
 * @new:  the newly created connection that matched the expectation
 * @this: the expectation that was matched
 *
 * When the expectation names a specific source address
 * (this->tuple.src.u3.ip != 0) the work is handed to
 * nf_nat_follow_master().  The code after that branch builds two
 * nf_nat_range mappings: a source mapping to the address in
 * new->tuplehash[!this->dir].tuple.src, and a destination mapping to the
 * master connection's source address in direction !this->dir together with
 * the port saved in this->saved_proto.
 *
 * NOTE(review): the return after nf_nat_follow_master() is on a line missing
 * from this listing; presumably the two branches are exclusive -- confirm.
 * BUG_ON() stops the kernel if the new connection already carries NAT state,
 * so that invariant has to hold for every connection that can reach this
 * callback.
 */
381 static void ip_nat_q931_expect(struct nf_conn
*new,
382 struct nf_conntrack_expect
*this)
384 struct nf_nat_range range
;
386 if (this->tuple
.src
.u3
.ip
!= 0) { /* Only accept calls from GK */
387 nf_nat_follow_master(new, this);
391 /* This must be a fresh one. */
392 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
394 /* Change src to where master sends to */
395 range
.flags
= IP_NAT_RANGE_MAP_IPS
;
396 range
.min_ip
= range
.max_ip
= new->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
398 /* hook doesn't matter, but it has to do source manip */
399 nf_nat_setup_info(new, &range
, NF_IP_POST_ROUTING
);
401 /* For DST manip, map port here to where it's expected. */
402 range
.flags
= (IP_NAT_RANGE_MAP_IPS
| IP_NAT_RANGE_PROTO_SPECIFIED
);
403 range
.min
= range
.max
= this->saved_proto
;
404 range
.min_ip
= range
.max_ip
=
405 new->master
->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
407 /* hook doesn't matter, but it has to do destination manip */
408 nf_nat_setup_info(new, &range
, NF_IP_PRE_ROUTING
);
411 /****************************************************************************/
/*
 * nat_q931 - register the TCP expectation for a Q.931 call-signalling
 * channel and rewrite taddr[idx] in the message.
 *
 * The expectation keeps its current destination port in saved_proto and
 * uses ip_nat_q931_expect as expectfn.  When info->sig_port[dir] already
 * equals the signalled port, the search starts from the previously mapped
 * info->sig_port[!dir].  Ports are tried with nf_conntrack_expect_related()
 * until one succeeds or the 16-bit counter wraps to 0.  When set_h225_addr()
 * returns 0 the mapping is stored in info->sig_port[]; the visible
 * nf_conntrack_unexpect_related() call is presumably the failure path.
 *
 * NOTE(review): idx indexes taddr without a visible bound check; presumably
 * the caller derives it from the decoded address count -- verify.  exp->dir,
 * break/return statements and closing braces are on lines missing from this
 * listing.
 */
412 static int nat_q931(struct sk_buff
*skb
, struct nf_conn
*ct
,
413 enum ip_conntrack_info ctinfo
,
414 unsigned char **data
, TransportAddress
*taddr
, int idx
,
415 __be16 port
, struct nf_conntrack_expect
*exp
)
417 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
418 int dir
= CTINFO2DIR(ctinfo
);
419 u_int16_t nated_port
= ntohs(port
);
420 union nf_inet_addr addr
;
422 /* Set expectations for NAT */
423 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
424 exp
->expectfn
= ip_nat_q931_expect
;
427 /* Check existing expects */
428 if (info
->sig_port
[dir
] == port
)
429 nated_port
= ntohs(info
->sig_port
[!dir
]);
/*
 * NOTE(review): every non-zero result from nf_conntrack_expect_related()
 * advances to the next port; if the call can fail for a reason other than a
 * port clash, the loop runs until nated_port wraps to 0.
 */
431 /* Try to get same port: if not, try to change it. */
432 for (; nated_port
!= 0; nated_port
++) {
433 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
434 if (nf_conntrack_expect_related(exp
) == 0)
438 if (nated_port
== 0) { /* No port available */
440 printk("nf_nat_ras: out of TCP ports\n");
445 if (set_h225_addr(skb
, data
, 0, &taddr
[idx
],
446 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
447 htons(nated_port
)) == 0) {
449 info
->sig_port
[dir
] = port
;
450 info
->sig_port
[!dir
] = htons(nated_port
);
/*
 * When taddr[0] decodes to an address in 127.0.0.0/8 it is rewritten as
 * well.  The result of that second set_h225_addr() call is not checked in
 * the visible code, and get_h225_addr() overwrites the port parameter here
 * after it has been stored in info->sig_port[dir].
 */
452 /* Fix for Gnomemeeting */
454 get_h225_addr(ct
, *data
, &taddr
[0], &addr
, &port
) &&
455 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000) {
456 set_h225_addr(skb
, data
, 0, &taddr
[0],
457 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
458 info
->sig_port
[!dir
]);
461 nf_conntrack_unexpect_related(exp
);
466 DEBUGP("nf_nat_ras: expect Q.931 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
467 NIPQUAD(exp
->tuple
.src
.ip
), ntohs(exp
->tuple
.src
.u
.tcp
.port
),
468 NIPQUAD(exp
->tuple
.dst
.ip
), ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
473 /****************************************************************************/
/*
 * ip_nat_callforwarding_expect - expectfn that sets up NAT for a connection
 * matching a call-forwarding expectation.
 *
 * @new:  the newly created connection that matched the expectation
 * @this: the expectation that was matched
 *
 * Builds two nf_nat_range mappings and applies each with
 * nf_nat_setup_info(): a source mapping to the address in
 * new->tuplehash[!this->dir].tuple.src, and a destination mapping to
 * this->saved_ip with the port saved in this->saved_proto.
 *
 * BUG_ON() stops the kernel if the new connection already carries NAT state,
 * so that invariant has to hold for every connection that can reach this
 * callback.
 */
474 static void ip_nat_callforwarding_expect(struct nf_conn
*new,
475 struct nf_conntrack_expect
*this)
477 struct nf_nat_range range
;
479 /* This must be a fresh one. */
480 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
482 /* Change src to where master sends to */
483 range
.flags
= IP_NAT_RANGE_MAP_IPS
;
484 range
.min_ip
= range
.max_ip
= new->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
486 /* hook doesn't matter, but it has to do source manip */
487 nf_nat_setup_info(new, &range
, NF_IP_POST_ROUTING
);
489 /* For DST manip, map port here to where it's expected. */
490 range
.flags
= (IP_NAT_RANGE_MAP_IPS
| IP_NAT_RANGE_PROTO_SPECIFIED
);
491 range
.min
= range
.max
= this->saved_proto
;
492 range
.min_ip
= range
.max_ip
= this->saved_ip
;
494 /* hook doesn't matter, but it has to do destination manip */
495 nf_nat_setup_info(new, &range
, NF_IP_PRE_ROUTING
);
498 /****************************************************************************/
/*
 * nat_callforwarding - register the TCP expectation for a forwarded call
 * and rewrite the signalled H.225 transport address.
 *
 * The expectation's original destination address and port are kept in
 * saved_ip / saved_proto, its destination address is replaced by the
 * destination address of ct->tuplehash[!dir], and its expectfn is
 * ip_nat_callforwarding_expect.  Ports are tried with
 * nf_conntrack_expect_related(), starting at the signalled port, until one
 * succeeds or the 16-bit counter wraps to 0.
 *
 * The forwarding target kept in saved_ip is an address taken from the
 * signalling message; NAT for the expected connection is later directed to
 * it by ip_nat_callforwarding_expect.
 *
 * NOTE(review): exp->dir, break/return statements and closing braces are on
 * lines missing from this listing.
 */
499 static int nat_callforwarding(struct sk_buff
*skb
, struct nf_conn
*ct
,
500 enum ip_conntrack_info ctinfo
,
501 unsigned char **data
, int dataoff
,
502 TransportAddress
*taddr
, __be16 port
,
503 struct nf_conntrack_expect
*exp
)
505 int dir
= CTINFO2DIR(ctinfo
);
506 u_int16_t nated_port
;
508 /* Set expectations for NAT */
509 exp
->saved_ip
= exp
->tuple
.dst
.u3
.ip
;
510 exp
->tuple
.dst
.u3
.ip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
511 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
512 exp
->expectfn
= ip_nat_callforwarding_expect
;
/*
 * NOTE(review): every non-zero result from nf_conntrack_expect_related()
 * advances to the next port; if the call can fail for a reason other than a
 * port clash, the loop runs until nated_port wraps to 0.
 */
515 /* Try to get same port: if not, try to change it. */
516 for (nated_port
= ntohs(port
); nated_port
!= 0; nated_port
++) {
517 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
518 if (nf_conntrack_expect_related(exp
) == 0)
522 if (nated_port
== 0) { /* No port available */
524 printk("nf_nat_q931: out of TCP ports\n");
/*
 * NOTE(review): `!set_h225_addr(...) == 0` parses as
 * `(!set_h225_addr(...)) == 0`, which is true when set_h225_addr() returns
 * non-zero.  The expectation is therefore withdrawn on failure, but the
 * double negation reads like a mistake; the sibling functions test the
 * result with `< 0` or `== 0` directly.
 */
529 if (!set_h225_addr(skb
, data
, dataoff
, taddr
,
530 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
531 htons(nated_port
)) == 0) {
532 nf_conntrack_unexpect_related(exp
);
537 DEBUGP("nf_nat_q931: expect Call Forwarding "
538 "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
539 NIPQUAD(exp
->tuple
.src
.ip
), ntohs(exp
->tuple
.src
.u
.tcp
.port
),
540 NIPQUAD(exp
->tuple
.dst
.ip
), ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
545 /****************************************************************************/
/*
 * init - module entry point; publishes this file's NAT functions through
 * the nine H.323 hook pointers.
 *
 * Each hook is first asserted to be NULL with BUG_ON(), so loading while a
 * hook is already set stops the kernel instead of returning an error.  The
 * pointers are then published with rcu_assign_pointer().
 *
 * NOTE(review): the hook variables are not declared in this listing;
 * presumably they are exported by the H.323 conntrack helper and read there
 * under RCU -- confirm.  The return statement is on a line missing from
 * this listing.
 */
546 static int __init
init(void)
548 BUG_ON(rcu_dereference(set_h245_addr_hook
) != NULL
);
549 BUG_ON(rcu_dereference(set_h225_addr_hook
) != NULL
);
550 BUG_ON(rcu_dereference(set_sig_addr_hook
) != NULL
);
551 BUG_ON(rcu_dereference(set_ras_addr_hook
) != NULL
);
552 BUG_ON(rcu_dereference(nat_rtp_rtcp_hook
) != NULL
);
553 BUG_ON(rcu_dereference(nat_t120_hook
) != NULL
);
554 BUG_ON(rcu_dereference(nat_h245_hook
) != NULL
);
555 BUG_ON(rcu_dereference(nat_callforwarding_hook
) != NULL
);
556 BUG_ON(rcu_dereference(nat_q931_hook
) != NULL
);
558 rcu_assign_pointer(set_h245_addr_hook
, set_h245_addr
);
559 rcu_assign_pointer(set_h225_addr_hook
, set_h225_addr
);
560 rcu_assign_pointer(set_sig_addr_hook
, set_sig_addr
);
561 rcu_assign_pointer(set_ras_addr_hook
, set_ras_addr
);
562 rcu_assign_pointer(nat_rtp_rtcp_hook
, nat_rtp_rtcp
);
563 rcu_assign_pointer(nat_t120_hook
, nat_t120
);
564 rcu_assign_pointer(nat_h245_hook
, nat_h245
);
565 rcu_assign_pointer(nat_callforwarding_hook
, nat_callforwarding
);
566 rcu_assign_pointer(nat_q931_hook
, nat_q931
);
568 DEBUGP("nf_nat_h323: init success\n");
572 /****************************************************************************/
/*
 * fini - module exit point; clears the nine H.323 hook pointers with
 * rcu_assign_pointer(..., NULL).
 *
 * NOTE(review): readers that fetched a hook before it was cleared may still
 * be running code from this module, so an RCU grace-period wait is needed
 * before the module text goes away.  No such wait is visible here (original
 * lines 584-585 are absent from this listing) -- confirm it exists.
 */
573 static void __exit
fini(void)
575 rcu_assign_pointer(set_h245_addr_hook
, NULL
);
576 rcu_assign_pointer(set_h225_addr_hook
, NULL
);
577 rcu_assign_pointer(set_sig_addr_hook
, NULL
);
578 rcu_assign_pointer(set_ras_addr_hook
, NULL
);
579 rcu_assign_pointer(nat_rtp_rtcp_hook
, NULL
);
580 rcu_assign_pointer(nat_t120_hook
, NULL
);
581 rcu_assign_pointer(nat_h245_hook
, NULL
);
582 rcu_assign_pointer(nat_callforwarding_hook
, NULL
);
583 rcu_assign_pointer(nat_q931_hook
, NULL
);
587 /****************************************************************************/
/*
 * Module metadata.  MODULE_ALIAS registers "ip_nat_h323" as an additional
 * name under which this module can be requested.
 * NOTE(review): the module_init()/module_exit() registration is not visible
 * in this listing (original lines 588-590 are absent) -- confirm that
 * init() and fini() are wired up there.
 */
591 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
592 MODULE_DESCRIPTION("H.323 NAT helper");
593 MODULE_LICENSE("GPL");
594 MODULE_ALIAS("ip_nat_h323");