2 * H.323 extension for NAT alteration.
4 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * This source code is licensed under General Public License version 2.
8 * Based on the 'brute force' H.323 NAT module by
9 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 #include <linux/module.h>
13 #include <linux/tcp.h>
16 #include <net/netfilter/nf_nat.h>
17 #include <net/netfilter/nf_nat_helper.h>
18 #include <net/netfilter/nf_nat_rule.h>
19 #include <net/netfilter/nf_conntrack_helper.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <linux/netfilter/nf_conntrack_h323.h>
23 /****************************************************************************/
24 static int set_addr(struct sk_buff
*skb
,
25 unsigned char **data
, int dataoff
,
26 unsigned int addroff
, __be32 ip
, __be16 port
)
28 enum ip_conntrack_info ctinfo
;
29 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
33 } __attribute__ ((__packed__
)) buf
;
34 const struct tcphdr
*th
;
41 if (ip_hdr(skb
)->protocol
== IPPROTO_TCP
) {
42 if (!nf_nat_mangle_tcp_packet(skb
, ct
, ctinfo
,
44 (char *) &buf
, sizeof(buf
))) {
46 pr_notice("nf_nat_h323: nf_nat_mangle_tcp_packet"
51 /* Relocate data pointer */
52 th
= skb_header_pointer(skb
, ip_hdrlen(skb
),
53 sizeof(_tcph
), &_tcph
);
56 *data
= skb
->data
+ ip_hdrlen(skb
) + th
->doff
* 4 + dataoff
;
58 if (!nf_nat_mangle_udp_packet(skb
, ct
, ctinfo
,
60 (char *) &buf
, sizeof(buf
))) {
62 pr_notice("nf_nat_h323: nf_nat_mangle_udp_packet"
66 /* nf_nat_mangle_udp_packet uses skb_make_writable() to copy
67 * or pull everything in a linear buffer, so we can safely
68 * use the skb pointers now */
69 *data
= skb
->data
+ ip_hdrlen(skb
) + sizeof(struct udphdr
);
75 /****************************************************************************/
76 static int set_h225_addr(struct sk_buff
*skb
,
77 unsigned char **data
, int dataoff
,
78 TransportAddress
*taddr
,
79 union nf_inet_addr
*addr
, __be16 port
)
81 return set_addr(skb
, data
, dataoff
, taddr
->ipAddress
.ip
,
85 /****************************************************************************/
86 static int set_h245_addr(struct sk_buff
*skb
,
87 unsigned char **data
, int dataoff
,
88 H245_TransportAddress
*taddr
,
89 union nf_inet_addr
*addr
, __be16 port
)
91 return set_addr(skb
, data
, dataoff
,
92 taddr
->unicastAddress
.iPAddress
.network
,
96 /****************************************************************************/
97 static int set_sig_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
98 enum ip_conntrack_info ctinfo
,
100 TransportAddress
*taddr
, int count
)
102 const struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
103 int dir
= CTINFO2DIR(ctinfo
);
106 union nf_inet_addr addr
;
108 for (i
= 0; i
< count
; i
++) {
109 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
)) {
110 if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
111 port
== info
->sig_port
[dir
]) {
114 /* Fix for Gnomemeeting */
116 get_h225_addr(ct
, *data
, &taddr
[0],
118 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000)
121 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
123 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
,
124 info
->sig_port
[!dir
]);
125 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
126 &ct
->tuplehash
[!dir
].
128 info
->sig_port
[!dir
]);
129 } else if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
&&
130 port
== info
->sig_port
[dir
]) {
132 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
134 &ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
,
135 info
->sig_port
[!dir
]);
136 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
137 &ct
->tuplehash
[!dir
].
139 info
->sig_port
[!dir
]);
147 /****************************************************************************/
148 static int set_ras_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
149 enum ip_conntrack_info ctinfo
,
150 unsigned char **data
,
151 TransportAddress
*taddr
, int count
)
153 int dir
= CTINFO2DIR(ctinfo
);
156 union nf_inet_addr addr
;
158 for (i
= 0; i
< count
; i
++) {
159 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
) &&
160 addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
161 port
== ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
) {
162 pr_debug("nf_nat_ras: set rasAddress %pI4:%hu->%pI4:%hu\n",
163 &addr
.ip
, ntohs(port
),
164 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
,
165 ntohs(ct
->tuplehash
[!dir
].tuple
.dst
.u
.udp
.port
));
166 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
167 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
168 ct
->tuplehash
[!dir
].tuple
.
176 /****************************************************************************/
177 static int nat_rtp_rtcp(struct sk_buff
*skb
, struct nf_conn
*ct
,
178 enum ip_conntrack_info ctinfo
,
179 unsigned char **data
, int dataoff
,
180 H245_TransportAddress
*taddr
,
181 __be16 port
, __be16 rtp_port
,
182 struct nf_conntrack_expect
*rtp_exp
,
183 struct nf_conntrack_expect
*rtcp_exp
)
185 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
186 int dir
= CTINFO2DIR(ctinfo
);
188 u_int16_t nated_port
;
190 /* Set expectations for NAT */
191 rtp_exp
->saved_proto
.udp
.port
= rtp_exp
->tuple
.dst
.u
.udp
.port
;
192 rtp_exp
->expectfn
= nf_nat_follow_master
;
194 rtcp_exp
->saved_proto
.udp
.port
= rtcp_exp
->tuple
.dst
.u
.udp
.port
;
195 rtcp_exp
->expectfn
= nf_nat_follow_master
;
196 rtcp_exp
->dir
= !dir
;
198 /* Lookup existing expects */
199 for (i
= 0; i
< H323_RTP_CHANNEL_MAX
; i
++) {
200 if (info
->rtp_port
[i
][dir
] == rtp_port
) {
203 /* Use allocated ports first. This will refresh
205 rtp_exp
->tuple
.dst
.u
.udp
.port
= info
->rtp_port
[i
][dir
];
206 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
207 htons(ntohs(info
->rtp_port
[i
][dir
]) + 1);
209 } else if (info
->rtp_port
[i
][dir
] == 0) {
215 /* Run out of expectations */
216 if (i
>= H323_RTP_CHANNEL_MAX
) {
218 pr_notice("nf_nat_h323: out of expectations\n");
222 /* Try to get a pair of ports. */
223 for (nated_port
= ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
);
224 nated_port
!= 0; nated_port
+= 2) {
227 rtp_exp
->tuple
.dst
.u
.udp
.port
= htons(nated_port
);
228 ret
= nf_ct_expect_related(rtp_exp
);
230 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
231 htons(nated_port
+ 1);
232 ret
= nf_ct_expect_related(rtcp_exp
);
235 else if (ret
!= -EBUSY
) {
236 nf_ct_unexpect_related(rtp_exp
);
240 } else if (ret
!= -EBUSY
) {
246 if (nated_port
== 0) { /* No port available */
248 pr_notice("nf_nat_h323: out of RTP ports\n");
253 if (set_h245_addr(skb
, data
, dataoff
, taddr
,
254 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
255 htons((port
& htons(1)) ? nated_port
+ 1 :
258 info
->rtp_port
[i
][dir
] = rtp_port
;
259 info
->rtp_port
[i
][!dir
] = htons(nated_port
);
261 nf_ct_unexpect_related(rtp_exp
);
262 nf_ct_unexpect_related(rtcp_exp
);
267 pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
268 &rtp_exp
->tuple
.src
.u3
.ip
,
269 ntohs(rtp_exp
->tuple
.src
.u
.udp
.port
),
270 &rtp_exp
->tuple
.dst
.u3
.ip
,
271 ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
));
272 pr_debug("nf_nat_h323: expect RTCP %pI4:%hu->%pI4:%hu\n",
273 &rtcp_exp
->tuple
.src
.u3
.ip
,
274 ntohs(rtcp_exp
->tuple
.src
.u
.udp
.port
),
275 &rtcp_exp
->tuple
.dst
.u3
.ip
,
276 ntohs(rtcp_exp
->tuple
.dst
.u
.udp
.port
));
281 /****************************************************************************/
282 static int nat_t120(struct sk_buff
*skb
, struct nf_conn
*ct
,
283 enum ip_conntrack_info ctinfo
,
284 unsigned char **data
, int dataoff
,
285 H245_TransportAddress
*taddr
, __be16 port
,
286 struct nf_conntrack_expect
*exp
)
288 int dir
= CTINFO2DIR(ctinfo
);
289 u_int16_t nated_port
= ntohs(port
);
291 /* Set expectations for NAT */
292 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
293 exp
->expectfn
= nf_nat_follow_master
;
296 /* Try to get same port: if not, try to change it. */
297 for (; nated_port
!= 0; nated_port
++) {
300 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
301 ret
= nf_ct_expect_related(exp
);
304 else if (ret
!= -EBUSY
) {
310 if (nated_port
== 0) { /* No port available */
312 pr_notice("nf_nat_h323: out of TCP ports\n");
317 if (set_h245_addr(skb
, data
, dataoff
, taddr
,
318 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
319 htons(nated_port
)) < 0) {
320 nf_ct_unexpect_related(exp
);
324 pr_debug("nf_nat_h323: expect T.120 %pI4:%hu->%pI4:%hu\n",
325 &exp
->tuple
.src
.u3
.ip
,
326 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
327 &exp
->tuple
.dst
.u3
.ip
,
328 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
333 /****************************************************************************/
334 static int nat_h245(struct sk_buff
*skb
, struct nf_conn
*ct
,
335 enum ip_conntrack_info ctinfo
,
336 unsigned char **data
, int dataoff
,
337 TransportAddress
*taddr
, __be16 port
,
338 struct nf_conntrack_expect
*exp
)
340 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
341 int dir
= CTINFO2DIR(ctinfo
);
342 u_int16_t nated_port
= ntohs(port
);
344 /* Set expectations for NAT */
345 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
346 exp
->expectfn
= nf_nat_follow_master
;
349 /* Check existing expects */
350 if (info
->sig_port
[dir
] == port
)
351 nated_port
= ntohs(info
->sig_port
[!dir
]);
353 /* Try to get same port: if not, try to change it. */
354 for (; nated_port
!= 0; nated_port
++) {
357 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
358 ret
= nf_ct_expect_related(exp
);
361 else if (ret
!= -EBUSY
) {
367 if (nated_port
== 0) { /* No port available */
369 pr_notice("nf_nat_q931: out of TCP ports\n");
374 if (set_h225_addr(skb
, data
, dataoff
, taddr
,
375 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
376 htons(nated_port
)) == 0) {
378 info
->sig_port
[dir
] = port
;
379 info
->sig_port
[!dir
] = htons(nated_port
);
381 nf_ct_unexpect_related(exp
);
385 pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
386 &exp
->tuple
.src
.u3
.ip
,
387 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
388 &exp
->tuple
.dst
.u3
.ip
,
389 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
394 /****************************************************************************
395 * This conntrack expect function replaces nf_conntrack_q931_expect()
396 * which was set by nf_conntrack_h323.c.
397 ****************************************************************************/
398 static void ip_nat_q931_expect(struct nf_conn
*new,
399 struct nf_conntrack_expect
*this)
401 struct nf_nat_range range
;
403 if (this->tuple
.src
.u3
.ip
!= 0) { /* Only accept calls from GK */
404 nf_nat_follow_master(new, this);
408 /* This must be a fresh one. */
409 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
411 /* Change src to where master sends to */
412 range
.flags
= IP_NAT_RANGE_MAP_IPS
;
413 range
.min_ip
= range
.max_ip
= new->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
414 nf_nat_setup_info(new, &range
, IP_NAT_MANIP_SRC
);
416 /* For DST manip, map port here to where it's expected. */
417 range
.flags
= (IP_NAT_RANGE_MAP_IPS
| IP_NAT_RANGE_PROTO_SPECIFIED
);
418 range
.min
= range
.max
= this->saved_proto
;
419 range
.min_ip
= range
.max_ip
=
420 new->master
->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
421 nf_nat_setup_info(new, &range
, IP_NAT_MANIP_DST
);
424 /****************************************************************************/
425 static int nat_q931(struct sk_buff
*skb
, struct nf_conn
*ct
,
426 enum ip_conntrack_info ctinfo
,
427 unsigned char **data
, TransportAddress
*taddr
, int idx
,
428 __be16 port
, struct nf_conntrack_expect
*exp
)
430 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
431 int dir
= CTINFO2DIR(ctinfo
);
432 u_int16_t nated_port
= ntohs(port
);
433 union nf_inet_addr addr
;
435 /* Set expectations for NAT */
436 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
437 exp
->expectfn
= ip_nat_q931_expect
;
440 /* Check existing expects */
441 if (info
->sig_port
[dir
] == port
)
442 nated_port
= ntohs(info
->sig_port
[!dir
]);
444 /* Try to get same port: if not, try to change it. */
445 for (; nated_port
!= 0; nated_port
++) {
448 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
449 ret
= nf_ct_expect_related(exp
);
452 else if (ret
!= -EBUSY
) {
458 if (nated_port
== 0) { /* No port available */
460 pr_notice("nf_nat_ras: out of TCP ports\n");
465 if (set_h225_addr(skb
, data
, 0, &taddr
[idx
],
466 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
467 htons(nated_port
)) == 0) {
469 info
->sig_port
[dir
] = port
;
470 info
->sig_port
[!dir
] = htons(nated_port
);
472 /* Fix for Gnomemeeting */
474 get_h225_addr(ct
, *data
, &taddr
[0], &addr
, &port
) &&
475 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000) {
476 set_h225_addr(skb
, data
, 0, &taddr
[0],
477 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
478 info
->sig_port
[!dir
]);
481 nf_ct_unexpect_related(exp
);
486 pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
487 &exp
->tuple
.src
.u3
.ip
,
488 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
489 &exp
->tuple
.dst
.u3
.ip
,
490 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
495 /****************************************************************************/
496 static void ip_nat_callforwarding_expect(struct nf_conn
*new,
497 struct nf_conntrack_expect
*this)
499 struct nf_nat_range range
;
501 /* This must be a fresh one. */
502 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
504 /* Change src to where master sends to */
505 range
.flags
= IP_NAT_RANGE_MAP_IPS
;
506 range
.min_ip
= range
.max_ip
= new->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
507 nf_nat_setup_info(new, &range
, IP_NAT_MANIP_SRC
);
509 /* For DST manip, map port here to where it's expected. */
510 range
.flags
= (IP_NAT_RANGE_MAP_IPS
| IP_NAT_RANGE_PROTO_SPECIFIED
);
511 range
.min
= range
.max
= this->saved_proto
;
512 range
.min_ip
= range
.max_ip
= this->saved_ip
;
513 nf_nat_setup_info(new, &range
, IP_NAT_MANIP_DST
);
516 /****************************************************************************/
517 static int nat_callforwarding(struct sk_buff
*skb
, struct nf_conn
*ct
,
518 enum ip_conntrack_info ctinfo
,
519 unsigned char **data
, int dataoff
,
520 TransportAddress
*taddr
, __be16 port
,
521 struct nf_conntrack_expect
*exp
)
523 int dir
= CTINFO2DIR(ctinfo
);
524 u_int16_t nated_port
;
526 /* Set expectations for NAT */
527 exp
->saved_ip
= exp
->tuple
.dst
.u3
.ip
;
528 exp
->tuple
.dst
.u3
.ip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
529 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
530 exp
->expectfn
= ip_nat_callforwarding_expect
;
533 /* Try to get same port: if not, try to change it. */
534 for (nated_port
= ntohs(port
); nated_port
!= 0; nated_port
++) {
537 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
538 ret
= nf_ct_expect_related(exp
);
541 else if (ret
!= -EBUSY
) {
547 if (nated_port
== 0) { /* No port available */
549 pr_notice("nf_nat_q931: out of TCP ports\n");
554 if (!set_h225_addr(skb
, data
, dataoff
, taddr
,
555 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
556 htons(nated_port
)) == 0) {
557 nf_ct_unexpect_related(exp
);
562 pr_debug("nf_nat_q931: expect Call Forwarding %pI4:%hu->%pI4:%hu\n",
563 &exp
->tuple
.src
.u3
.ip
,
564 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
565 &exp
->tuple
.dst
.u3
.ip
,
566 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
571 /****************************************************************************/
572 static int __init
init(void)
574 BUG_ON(set_h245_addr_hook
!= NULL
);
575 BUG_ON(set_h225_addr_hook
!= NULL
);
576 BUG_ON(set_sig_addr_hook
!= NULL
);
577 BUG_ON(set_ras_addr_hook
!= NULL
);
578 BUG_ON(nat_rtp_rtcp_hook
!= NULL
);
579 BUG_ON(nat_t120_hook
!= NULL
);
580 BUG_ON(nat_h245_hook
!= NULL
);
581 BUG_ON(nat_callforwarding_hook
!= NULL
);
582 BUG_ON(nat_q931_hook
!= NULL
);
584 RCU_INIT_POINTER(set_h245_addr_hook
, set_h245_addr
);
585 RCU_INIT_POINTER(set_h225_addr_hook
, set_h225_addr
);
586 RCU_INIT_POINTER(set_sig_addr_hook
, set_sig_addr
);
587 RCU_INIT_POINTER(set_ras_addr_hook
, set_ras_addr
);
588 RCU_INIT_POINTER(nat_rtp_rtcp_hook
, nat_rtp_rtcp
);
589 RCU_INIT_POINTER(nat_t120_hook
, nat_t120
);
590 RCU_INIT_POINTER(nat_h245_hook
, nat_h245
);
591 RCU_INIT_POINTER(nat_callforwarding_hook
, nat_callforwarding
);
592 RCU_INIT_POINTER(nat_q931_hook
, nat_q931
);
596 /****************************************************************************/
597 static void __exit
fini(void)
599 RCU_INIT_POINTER(set_h245_addr_hook
, NULL
);
600 RCU_INIT_POINTER(set_h225_addr_hook
, NULL
);
601 RCU_INIT_POINTER(set_sig_addr_hook
, NULL
);
602 RCU_INIT_POINTER(set_ras_addr_hook
, NULL
);
603 RCU_INIT_POINTER(nat_rtp_rtcp_hook
, NULL
);
604 RCU_INIT_POINTER(nat_t120_hook
, NULL
);
605 RCU_INIT_POINTER(nat_h245_hook
, NULL
);
606 RCU_INIT_POINTER(nat_callforwarding_hook
, NULL
);
607 RCU_INIT_POINTER(nat_q931_hook
, NULL
);
611 /****************************************************************************/
615 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
616 MODULE_DESCRIPTION("H.323 NAT helper");
617 MODULE_LICENSE("GPL");
618 MODULE_ALIAS("ip_nat_h323");