/* SIP extension for UDP NAT alteration.
 *
 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
 * based on RR's ip_nat_ftp.c and other modules.
 * (C) 2007 United Security Providers
 * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/ip.h>		/* ip_hdrlen(), used when reloading the payload pointer */
#include <linux/udp.h>

#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_helper.h>
#include <net/netfilter/nf_nat_rule.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <linux/netfilter/nf_conntrack_sip.h>

/* Loaded on demand under the pre-rename name as well (ip_nat_sip). */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP NAT helper");
MODULE_ALIAS("ip_nat_sip");
/*
 * Replace the matchlen bytes at matchoff in the UDP payload with buffer
 * (buflen bytes) through the generic NAT UDP mangler.
 *
 * Returns 1 on success, 0 if the packet could not be mangled. On success
 * *dptr is recomputed from skb->data (the mangler may have changed the
 * skb) and *datalen is adjusted by the size difference, so callers must
 * not keep stale copies of the payload pointer or length across a call.
 */
static unsigned int mangle_packet(struct sk_buff *skb,
				  const char **dptr, unsigned int *datalen,
				  unsigned int matchoff, unsigned int matchlen,
				  const char *buffer, unsigned int buflen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	int mangled;

	mangled = nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
					   buffer, buflen);
	if (mangled) {
		/* Reload data pointer: payload starts right behind the IP
		 * and UDP headers of the (possibly reallocated) skb. */
		*dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
		/* Unsigned wraparound makes this correct when the
		 * replacement is shorter than the matched text. */
		*datalen += buflen - matchlen;
	}
	return mangled ? 1 : 0;
}
/*
 * Translate the address:port at matchoff/matchlen if it names one of this
 * connection's own endpoints; anything else is left untouched.
 *
 * Only an address/port pair that equals the source or destination of the
 * packet's direction is rewritten (to the corresponding endpoint of the
 * reply direction), so a peer cannot have arbitrary payload text
 * rewritten. Returns 1 on success or when nothing needed translating,
 * 0 if the packet could not be mangled.
 */
static int map_addr(struct sk_buff *skb,
		    const char **dptr, unsigned int *datalen,
		    unsigned int matchoff, unsigned int matchlen,
		    union nf_inet_addr *addr, __be16 port)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	const struct nf_conntrack_tuple *cur = &ct->tuplehash[dir].tuple;
	const struct nf_conntrack_tuple *rev = &ct->tuplehash[!dir].tuple;
	/* Worst case "%pI4:%u": 15 + 1 + 5 characters plus NUL */
	char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
	unsigned int buflen;
	__be32 newaddr;
	__be16 newport;

	if (cur->src.u3.ip == addr->ip && cur->src.u.udp.port == port) {
		/* Our source as seen on this side -> reply destination */
		newaddr = rev->dst.u3.ip;
		newport = rev->dst.u.udp.port;
	} else if (cur->dst.u3.ip == addr->ip && cur->dst.u.udp.port == port) {
		/* Our destination as seen on this side -> reply source */
		newaddr = rev->src.u3.ip;
		newport = rev->src.u.udp.port;
	} else {
		/* Not an endpoint of this connection: nothing to do */
		return 1;
	}

	/* No NAT on this endpoint: leave the payload untouched */
	if (newaddr == addr->ip && newport == port)
		return 1;

	buflen = sprintf(buffer, "%pI4:%u", &newaddr, ntohs(newport));
	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
			     buffer, buflen);
}
/*
 * Translate the URI address of the SIP header 'type' (e.g. From/To)
 * through map_addr. A header that is absent or unparsable is not an
 * error: the function then returns 1 so the packet is still accepted.
 * Returns 0 only when the mangle itself failed.
 */
static int map_sip_addr(struct sk_buff *skb,
			const char **dptr, unsigned int *datalen,
			enum sip_header_types type)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int matchlen, matchoff;
	union nf_inet_addr addr;
	__be16 port;
	int found;

	found = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
					&matchoff, &matchlen, &addr, &port);
	if (found > 0)
		return map_addr(skb, dptr, datalen, matchoff, matchlen,
				&addr, port);
	return 1;
}
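/*
 * nf_nat_sip_hook: translate the addresses a SIP message carries in its
 * request-URI and in the Via, Contact, From and To headers so that they
 * match the NATed connection.
 *
 * Every offset/length used for mangling comes from the conntrack SIP
 * parser (ct_sip_parse_*) run over the untrusted payload, and only values
 * equal to one of this connection's own tuple endpoints are rewritten
 * (map_addr and the Via checks below); anything else is left as-is.
 *
 * Returns NF_ACCEPT, or NF_DROP when a required mangle failed.
 */
static unsigned int ip_nat_sip(struct sk_buff *skb,
			       const char **dptr, unsigned int *datalen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	unsigned int dataoff, matchoff, matchlen;
	union nf_inet_addr addr;
	__be16 port;
	int request, in_header;

	/* Basic rules: requests and responses. A response starts with the
	 * version string, a request with a method name. */
	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
		if (ct_sip_parse_request(ct, *dptr, *datalen,
					 &matchoff, &matchlen,
					 &addr, &port) > 0 &&
		    !map_addr(skb, dptr, datalen, matchoff, matchlen,
			      &addr, port))
			return NF_DROP;
		request = 1;
	} else
		request = 0;

	/* Translate topmost Via header and parameters */
	if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
				    SIP_HDR_VIA, NULL, &matchoff, &matchlen,
				    &addr, &port) > 0) {
		unsigned int olen, matchend, poff, plen, buflen, n;
		char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];

		/* We're only interested in headers related to this
		 * connection: a request's top Via names its sender, a
		 * response's top Via names the receiver. */
		if (request) {
			if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
			    port != ct->tuplehash[dir].tuple.src.u.udp.port)
				goto next;
		} else {
			if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
			    port != ct->tuplehash[dir].tuple.dst.u.udp.port)
				goto next;
		}

		/* map_addr may grow or shrink the sent-by address: it
		 * updates *datalen but not matchlen, so account for the
		 * size change when computing where the parameters start. */
		olen = *datalen;
		if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
			      &addr, port))
			return NF_DROP;

		matchend = matchoff + matchlen + *datalen - olen;

		/* The maddr= parameter (RFC 2361) specifies where to send
		 * the reply. Rewrite it only when it names this direction's
		 * pre-NAT source address. */
		if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
					       "maddr=", &poff, &plen,
					       &addr) > 0 &&
		    addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
		    addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
			buflen = sprintf(buffer, "%pI4",
					&ct->tuplehash[!dir].tuple.dst.u3.ip);
			if (!mangle_packet(skb, dptr, datalen, poff, plen,
					   buffer, buflen))
				return NF_DROP;
		}

		/* The received= parameter (RFC 2361) contains the address
		 * from which the server received the request. */
		if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
					       "received=", &poff, &plen,
					       &addr) > 0 &&
		    addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
		    addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
			buflen = sprintf(buffer, "%pI4",
					&ct->tuplehash[!dir].tuple.src.u3.ip);
			if (!mangle_packet(skb, dptr, datalen, poff, plen,
					   buffer, buflen))
				return NF_DROP;
		}

		/* The rport= parameter (RFC 3581) contains the port number
		 * from which the server received the request. */
		if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
						 "rport=", &poff, &plen,
						 &n) > 0 &&
		    htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
		    htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
			__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
			buflen = sprintf(buffer, "%u", ntohs(p));
			if (!mangle_packet(skb, dptr, datalen, poff, plen,
					   buffer, buflen))
				return NF_DROP;
		}
	}

next:
	/* Translate Contact headers: there may be several, so iterate
	 * with dataoff/in_header carrying the parser's position. */
	dataoff = 0;
	in_header = 0;
	while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
				       SIP_HDR_CONTACT, &in_header,
				       &matchoff, &matchlen,
				       &addr, &port) > 0) {
		if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
			      &addr, port))
			return NF_DROP;
	}

	if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO))
		return NF_DROP;
	return NF_ACCEPT;
}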
/* Handles expected signalling connections and media streams */
/*
 * Expectation callback (exp->expectfn) installed by ip_nat_sip_expect and
 * ip_nat_sdp_media, run for a connection that matched their expectation.
 *
 * DST: map the connection to the address/port the SIP payload originally
 * advertised, which those functions stashed in exp->saved_ip/saved_proto
 * before rewriting exp->tuple.
 * SRC: rewrite to where the master connection is sent to, but only when
 * the new connection really originates from the master's source in the
 * expectation's direction (exp->dir).
 */
static void ip_nat_sip_expected(struct nf_conn *ct,
				struct nf_conntrack_expect *exp)
{
	struct nf_nat_range range;

	/* This must be a fresh one: no NAT binding may exist on ct yet. */
	BUG_ON(ct->status & IPS_NAT_DONE_MASK);

	/* For DST manip, map port here to where it's expected.
	 * min == max collapses the range to exactly the saved endpoint. */
	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
	range.min = range.max = exp->saved_proto;
	range.min_ip = range.max_ip = exp->saved_ip;
	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);

	/* Change src to where master sends to, but only if the connection
	 * actually came from the same source. Only the IP range is
	 * specified here; range.min/max keep the values set above. */
	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
	    ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
		range.flags = IP_NAT_RANGE_MAP_IPS;
		range.min_ip = range.max_ip
			= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
		nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
	}
}
/*
 * nf_nat_sip_expect_hook: NAT the signalling expectation exp and rewrite
 * the address:port found at matchoff/matchlen in the payload to the
 * translated value.
 *
 * Returns NF_ACCEPT, or NF_DROP if no port could be reserved or the
 * payload could not be mangled (the expectation is then removed again).
 */
static unsigned int ip_nat_sip_expect(struct sk_buff *skb,
				      const char **dptr, unsigned int *datalen,
				      struct nf_conntrack_expect *exp,
				      unsigned int matchoff,
				      unsigned int matchlen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	__be32 newip;
	u_int16_t port;
	char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
	unsigned int buflen;

	/* Connection will come from reply */
	if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
		newip = exp->tuple.dst.u3.ip;
	else
		newip = ct->tuplehash[!dir].tuple.dst.u3.ip;

	/* If the signalling port matches the connection's source port in the
	 * original direction, try to use the destination port in the opposite
	 * direction. */
	if (exp->tuple.dst.u.udp.port ==
	    ct->tuplehash[dir].tuple.src.u.udp.port)
		port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
	else
		port = ntohs(exp->tuple.dst.u.udp.port);

	/* Remember the advertised endpoint for ip_nat_sip_expected, then
	 * point the expectation at the translated address. */
	exp->saved_ip = exp->tuple.dst.u3.ip;
	exp->tuple.dst.u3.ip = newip;
	exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
	exp->dir = !dir;
	exp->expectfn = ip_nat_sip_expected;

	/* Reserve a port, trying the next one whenever registration fails.
	 * port is 16 bits, so it wraps to 0 after 65535 and the search
	 * ends without a reservation. */
	for (; port != 0; port++) {
		exp->tuple.dst.u.udp.port = htons(port);
		if (nf_ct_expect_related(exp) == 0)
			break;
	}

	if (port == 0)
		return NF_DROP;

	/* Only touch the payload if address or port actually changed */
	if (exp->tuple.dst.u3.ip != exp->saved_ip ||
	    exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
		buflen = sprintf(buffer, "%pI4:%u", &newip, port);
		if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
				   buffer, buflen))
			goto err;
	}
	return NF_ACCEPT;

err:
	nf_ct_unexpect_related(exp);
	return NF_DROP;
}
/*
 * Recompute the Content-Length header after the SDP body was mangled.
 *
 * The body length is taken as everything from the "v=" line to the end
 * of the payload. Returns 1 on success, 0 if either header is missing
 * or the packet could not be mangled.
 */
static int mangle_content_len(struct sk_buff *skb,
			      const char **dptr, unsigned int *datalen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int matchoff, matchlen;
	/* Five decimal digits plus NUL: enough for any UDP payload length */
	char buffer[sizeof("65536")];
	int buflen, c_len;

	/* Get actual SDP length */
	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
				  SDP_HDR_VERSION, SDP_HDR_UNSPEC,
				  &matchoff, &matchlen) <= 0)
		return 0;
	/* The added strlen("v=") suggests matchoff is the offset of the
	 * value after "v=" -- verify against ct_sip_get_sdp_header.
	 * NOTE(review): the buffer size relies on matchoff <= *datalen;
	 * a larger offset would make c_len negative and "%u" would then
	 * need more than the five digits reserved above. */
	c_len = *datalen - matchoff + strlen("v=");

	/* Now, update SDP length */
	if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
			      &matchoff, &matchlen) <= 0)
		return 0;

	buflen = sprintf(buffer, "%u", c_len);
	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
			     buffer, buflen);
}
/*
 * Locate the SDP header 'type' (searching from dataoff, stopping at
 * 'term') and replace its value with buffer.
 *
 * Returns 0 on success, -ENOENT when the header is not present and
 * -EINVAL when it was found but the packet could not be mangled.
 */
static int mangle_sdp_packet(struct sk_buff *skb, const char **dptr,
			     unsigned int dataoff, unsigned int *datalen,
			     enum sdp_header_types type,
			     enum sdp_header_types term,
			     char *buffer, int buflen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int matchlen, matchoff;
	int found;

	found = ct_sip_get_sdp_header(ct, *dptr, dataoff, *datalen, type, term,
				      &matchoff, &matchlen);
	if (found <= 0)
		return -ENOENT;

	if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
			   buffer, buflen))
		return -EINVAL;
	return 0;
}
/*
 * nf_nat_sdp_addr_hook: rewrite the address of SDP header 'type' to addr
 * and fix up Content-Length afterwards.
 *
 * Any non-zero result from mangle_sdp_packet, including a missing header,
 * is reported as failure (0); otherwise the result of mangle_content_len
 * is returned.
 */
static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr,
				    unsigned int dataoff,
				    unsigned int *datalen,
				    enum sdp_header_types type,
				    enum sdp_header_types term,
				    const union nf_inet_addr *addr)
{
	/* "%pI4" is at most 15 characters plus NUL */
	char buffer[sizeof("nnn.nnn.nnn.nnn")];
	unsigned int buflen = sprintf(buffer, "%pI4", &addr->ip);
	int ret;

	ret = mangle_sdp_packet(skb, dptr, dataoff, datalen, type, term,
				buffer, buflen);
	if (ret != 0)
		return 0;
	return mangle_content_len(skb, dptr, datalen);
}
/*
 * nf_nat_sdp_port_hook: overwrite the media port text at matchoff/matchlen
 * with port (host byte order) and fix up Content-Length afterwards.
 * Returns 0 when the port could not be mangled, otherwise the result of
 * mangle_content_len.
 */
static unsigned int ip_nat_sdp_port(struct sk_buff *skb,
				    const char **dptr,
				    unsigned int *datalen,
				    unsigned int matchoff,
				    unsigned int matchlen,
				    u_int16_t port)
{
	/* A 16-bit port is at most five decimal digits plus NUL */
	char buffer[sizeof("nnnnn")];
	unsigned int buflen = sprintf(buffer, "%u", port);

	if (mangle_packet(skb, dptr, datalen, matchoff, matchlen,
			  buffer, buflen))
		return mangle_content_len(skb, dptr, datalen);
	return 0;
}
/*
 * nf_nat_sdp_session_hook: rewrite the session-level owner (o=) and
 * connection (c=) addresses to addr, stopping at the first m= line,
 * then fix up Content-Length.
 *
 * Returns 0 on failure, otherwise the result of mangle_content_len.
 */
static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr,
				       unsigned int dataoff,
				       unsigned int *datalen,
				       const union nf_inet_addr *addr)
{
	char buffer[sizeof("nnn.nnn.nnn.nnn")];
	unsigned int buflen;
	int ret;

	/* Mangle session description owner and contact addresses */
	buflen = sprintf(buffer, "%pI4", &addr->ip);
	ret = mangle_sdp_packet(skb, dptr, dataoff, datalen,
				SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
				buffer, buflen);
	if (ret != 0)
		return 0;

	/*
	 * RFC 2327:
	 *
	 * Session description
	 *
	 * c=* (connection information - not required if included in all media)
	 *
	 * A missing session-level c= line (-ENOENT) is therefore fine;
	 * any other error is a failure.
	 */
	ret = mangle_sdp_packet(skb, dptr, dataoff, datalen,
				SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
				buffer, buflen);
	if (ret != 0 && ret != -ENOENT)
		return 0;

	return mangle_content_len(skb, dptr, datalen);
}
/* So, this packet has hit the connection tracking matching code.
   Mangle it, and change the expectation to match the new version. */
/*
 * nf_nat_sdp_media_hook: NAT an RTP/RTCP expectation pair created from an
 * SDP m= line and rewrite the media port at mediaoff/medialen. rtp_addr
 * is an output and receives the translated connection address.
 *
 * Returns NF_ACCEPT, or NF_DROP if no port pair could be reserved or the
 * port could not be mangled (both expectations are then removed again).
 */
static unsigned int ip_nat_sdp_media(struct sk_buff *skb,
				     const char **dptr,
				     unsigned int *datalen,
				     struct nf_conntrack_expect *rtp_exp,
				     struct nf_conntrack_expect *rtcp_exp,
				     unsigned int mediaoff,
				     unsigned int medialen,
				     union nf_inet_addr *rtp_addr)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	u_int16_t port;

	/* Connection will come from reply */
	if (ct->tuplehash[dir].tuple.src.u3.ip ==
	    ct->tuplehash[!dir].tuple.dst.u3.ip)
		rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
	else
		rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;

	/* Save the advertised endpoints for ip_nat_sip_expected and point
	 * both expectations at the translated address. */
	rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
	rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
	rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
	rtp_exp->dir = !dir;
	rtp_exp->expectfn = ip_nat_sip_expected;

	rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
	rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
	rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
	rtcp_exp->dir = !dir;
	rtcp_exp->expectfn = ip_nat_sip_expected;

	/* Try to get same pair of ports: if not, try to change them.
	 * RTP takes port, RTCP port + 1, stepping by two.
	 * NOTE(review): the starting port comes from the peer's SDP, and a
	 * 16-bit port stepped by two only reaches 0 (the failure exit) from
	 * an even start; from an odd start the loop ends only once both
	 * expectations are accepted -- confirm nf_ct_expect_related cannot
	 * fail for every port here. */
	for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
	     port != 0; port += 2) {
		rtp_exp->tuple.dst.u.udp.port = htons(port);
		if (nf_ct_expect_related(rtp_exp) != 0)
			continue;
		rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
		if (nf_ct_expect_related(rtcp_exp) == 0)
			break;
		/* RTP reserved but RTCP was not: release RTP and move on */
		nf_ct_unexpect_related(rtp_exp);
	}

	if (port == 0)
		goto err1;

	/* Update media port. */
	if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
	    !ip_nat_sdp_port(skb, dptr, datalen, mediaoff, medialen, port))
		goto err2;

	return NF_ACCEPT;

err2:
	nf_ct_unexpect_related(rtp_exp);
	nf_ct_unexpect_related(rtcp_exp);
err1:
	return NF_DROP;
}
/*
 * Module exit: unregister every hook the conntrack SIP helper may call,
 * then wait for readers that already fetched a hook pointer to finish
 * before the module text can go away.
 */
static void __exit nf_nat_sip_fini(void)
{
	rcu_assign_pointer(nf_nat_sip_hook, NULL);
	rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
	synchronize_rcu();
}
/*
 * Module init: publish the NAT callbacks to the conntrack SIP helper.
 * The BUG_ONs guard against a second SIP NAT implementation already
 * having claimed the hooks.
 */
static int __init nf_nat_sip_init(void)
{
	BUG_ON(nf_nat_sip_hook != NULL);
	BUG_ON(nf_nat_sip_expect_hook != NULL);
	BUG_ON(nf_nat_sdp_addr_hook != NULL);
	BUG_ON(nf_nat_sdp_port_hook != NULL);
	BUG_ON(nf_nat_sdp_session_hook != NULL);
	BUG_ON(nf_nat_sdp_media_hook != NULL);
	rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
	rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
	rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
	rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
	rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
	rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
	return 0;
}
/* Module entry/exit points */
module_init(nf_nat_sip_init);
module_exit(nf_nat_sip_fini);