1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
5 * (C) 2007 United Security Providers
6 * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
17 #include <linux/udp.h>
19 #include <net/netfilter/nf_nat.h>
20 #include <net/netfilter/nf_nat_helper.h>
21 #include <net/netfilter/nf_nat_rule.h>
22 #include <net/netfilter/nf_conntrack_helper.h>
23 #include <net/netfilter/nf_conntrack_expect.h>
24 #include <linux/netfilter/nf_conntrack_sip.h>
/* Module identity.  The "ip_nat_sip" alias presumably keeps the older
 * module name loadable by tools and configs — verify against the tree. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP NAT helper");
MODULE_ALIAS("ip_nat_sip");
/*
 * mangle_packet - splice @buffer (@buflen bytes) over the @matchlen bytes at
 * @matchoff of the SIP payload and re-sync the caller's payload view.
 * @skb: packet under translation
 * @dataoff: offset of the SIP payload inside skb->data
 * @dptr: caller's payload pointer, refreshed after the rewrite because the
 *	skb data may have moved
 * @datalen: caller's payload length, adjusted by (buflen - matchlen)
 *
 * Returns 1 on success.  Returns 0 when nf_nat_mangle_udp_packet() fails;
 * @dptr and @datalen are then left untouched.
 *
 * NOTE(review): braces and return statements dropped by the extraction were
 * restored here — confirm against the upstream file.
 */
static unsigned int mangle_packet(struct sk_buff *skb, unsigned int dataoff,
				  const char **dptr, unsigned int *datalen,
				  unsigned int matchoff, unsigned int matchlen,
				  const char *buffer, unsigned int buflen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	int rewritten;

	rewritten = nf_nat_mangle_udp_packet(skb, ct, ctinfo,
					     matchoff, matchlen,
					     buffer, buflen);
	if (rewritten) {
		/* Reload data pointer and adjust datalen value: the payload
		 * grew or shrank by the difference between the two spans. */
		*dptr = skb->data + dataoff;
		*datalen += buflen - matchlen;
		return 1;
	}
	return 0;
}
/*
 * map_addr - rewrite one "addr:port" occurrence in the SIP payload to the
 * translated endpoint of this connection.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @matchoff, @matchlen: span of the address text inside the payload
 * @addr, @port: the address and port that span currently encodes
 *
 * Only text naming this conntrack's own source or destination endpoint (in
 * the packet's direction) is rewritten, to the opposite direction's
 * counterpart; any other address in the payload is deliberately left alone.
 *
 * Returns 1 when nothing needed changing, otherwise mangle_packet()'s
 * result (0 on failure).
 *
 * NOTE(review): the brace, the newaddr/newport/buflen declarations and the
 * "return 1" lines dropped by the extraction were restored — confirm
 * against the upstream file.
 */
static int map_addr(struct sk_buff *skb, unsigned int dataoff,
		    const char **dptr, unsigned int *datalen,
		    unsigned int matchoff, unsigned int matchlen,
		    union nf_inet_addr *addr, __be16 port)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	/* Sized for the longest "%pI4:%u" output ("255.255.255.255:65535")
	 * plus the terminating NUL, so the sprintf() below cannot overrun. */
	char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
	unsigned int buflen;
	__be32 newaddr;
	__be16 newport;

	if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
	    ct->tuplehash[dir].tuple.src.u.udp.port == port) {
		/* Our own source endpoint: becomes the reply's destination */
		newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
		newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
	} else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
		   ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
		/* Our own destination endpoint: becomes the reply's source */
		newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
		newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
	} else
		return 1;

	/* No NAT applied to this endpoint: leave the payload as-is */
	if (newaddr == addr->ip && newport == port)
		return 1;

	buflen = sprintf(buffer, "%pI4:%u", &newaddr, ntohs(newport));

	return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen,
			     buffer, buflen);
}
/*
 * map_sip_addr - translate the URI address of one SIP header of type @type
 * (e.g. From or To) via map_addr().
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @type: which header to look for
 *
 * Returns 1 when the header is absent or unparsable (nothing to do),
 * otherwise map_addr()'s result.
 *
 * NOTE(review): the brace, the "port" declaration and the "return 1" line
 * dropped by the extraction were restored — confirm against upstream.
 */
static int map_sip_addr(struct sk_buff *skb, unsigned int dataoff,
			const char **dptr, unsigned int *datalen,
			enum sip_header_types type)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int matchlen, matchoff;
	union nf_inet_addr addr;
	__be16 port;
	int found;

	found = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
					&matchoff, &matchlen, &addr, &port);
	if (found > 0)
		return map_addr(skb, dataoff, dptr, datalen,
				matchoff, matchlen, &addr, port);

	/* Header missing or malformed: nothing to translate */
	return 1;
}
/*
 * ip_nat_sip - NAT hook for a SIP signalling message: rewrite the request
 * URI, the topmost Via header (and its maddr=/received=/rport= parameters),
 * every Contact header, and the From/To headers.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 *
 * Returns NF_ACCEPT, or NF_DROP as soon as any rewrite fails.
 *
 * NOTE(review): the braces, the "port" declaration, the request/else
 * assignments, the "goto next"/"next:" pairs, the coff/in_header resets and
 * the NF_DROP/NF_ACCEPT returns were dropped by the extraction and are
 * restored here — confirm against the upstream file.
 */
static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
			       const char **dptr, unsigned int *datalen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	unsigned int coff, matchoff, matchlen;
	union nf_inet_addr addr;
	__be16 port;
	int request, in_header;

	/* Basic rules: requests and responses. */
	/* NOTE(review): reads strlen("SIP/2.0") bytes of untrusted payload
	 * without checking *datalen here; this relies on the conntrack SIP
	 * helper having already rejected shorter payloads — confirm. */
	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
		/* A request: translate the address in the request URI */
		if (ct_sip_parse_request(ct, *dptr, *datalen,
					 &matchoff, &matchlen,
					 &addr, &port) > 0 &&
		    !map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
			      &addr, port))
			return NF_DROP;
		request = 1;
	} else
		request = 0;

	/* Translate topmost Via header and parameters */
	if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
				    SIP_HDR_VIA, NULL, &matchoff, &matchlen,
				    &addr, &port) > 0) {
		unsigned int matchend, poff, plen, buflen, n;
		/* Sized for "255.255.255.255:65535" plus NUL; every sprintf()
		 * below writes at most an address or a port into it. */
		char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];

		/* We're only interested in headers related to this
		 * connection: a request's Via names the sender, a response's
		 * Via names the party the response is going back to. */
		if (request) {
			if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
			    port != ct->tuplehash[dir].tuple.src.u.udp.port)
				goto next;
		} else {
			if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
			    port != ct->tuplehash[dir].tuple.dst.u.udp.port)
				goto next;
		}

		if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
			      &addr, port))
			return NF_DROP;

		/* Parameters are searched from the end of the Via URI on */
		matchend = matchoff + matchlen;

		/* The maddr= parameter (RFC 2361) specifies where to send
		 * the reply. */
		if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
					       "maddr=", &poff, &plen,
					       &addr) > 0 &&
		    addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
		    addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
			buflen = sprintf(buffer, "%pI4",
					&ct->tuplehash[!dir].tuple.dst.u3.ip);
			if (!mangle_packet(skb, dataoff, dptr, datalen,
					   poff, plen, buffer, buflen))
				return NF_DROP;
		}

		/* The received= parameter (RFC 2361) contains the address
		 * from which the server received the request. */
		if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
					       "received=", &poff, &plen,
					       &addr) > 0 &&
		    addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
		    addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
			buflen = sprintf(buffer, "%pI4",
					&ct->tuplehash[!dir].tuple.src.u3.ip);
			if (!mangle_packet(skb, dataoff, dptr, datalen,
					   poff, plen, buffer, buflen))
				return NF_DROP;
		}

		/* The rport= parameter (RFC 3581) contains the port number
		 * from which the server received the request. */
		if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
						 "rport=", &poff, &plen,
						 &n) > 0 &&
		    htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
		    htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
			__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
			buflen = sprintf(buffer, "%u", ntohs(p));
			if (!mangle_packet(skb, dataoff, dptr, datalen,
					   poff, plen, buffer, buflen))
				return NF_DROP;
		}
	}

next:
	/* Translate Contact headers: there may be several, so iterate with
	 * coff/in_header carrying the parser's position between calls. */
	coff = 0;
	in_header = 0;
	while (ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
				       SIP_HDR_CONTACT, &in_header,
				       &matchoff, &matchlen,
				       &addr, &port) > 0) {
		if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
			      &addr, port))
			return NF_DROP;
	}

	if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) ||
	    !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO))
		return NF_DROP;
	return NF_ACCEPT;
}
/* Handles expected signalling connections and media streams */
/*
 * ip_nat_sip_expected - expectfn run when a connection matching a SIP
 * expectation shows up: install the NAT mappings that undo the rewrite the
 * helper applied to the signalling payload.
 * @ct: the new, not yet NATed connection
 * @exp: the expectation it matched; saved_ip/saved_proto hold the endpoint
 *	the payload originally named, exp->dir the direction it came from
 *
 * NOTE(review): the braces dropped by the extraction were restored —
 * confirm against the upstream file.
 */
static void ip_nat_sip_expected(struct nf_conn *ct,
				struct nf_conntrack_expect *exp)
{
	struct nf_nat_range range;

	/* This must be a fresh one. */
	BUG_ON(ct->status & IPS_NAT_DONE_MASK);

	/* For DST manip, map port here to where it's expected. */
	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
	range.min = range.max = exp->saved_proto;
	range.min_ip = range.max_ip = exp->saved_ip;
	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);

	/* Change src to where master sends to, but only if the connection
	 * actually came from the same source. */
	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
	    ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
		range.flags = IP_NAT_RANGE_MAP_IPS;
		range.min_ip = range.max_ip
			= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
		nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
	}
}
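/*
 * ip_nat_sip_expect - register a signalling expectation (@exp) against the
 * NAT-translated endpoint and rewrite the "addr:port" text at
 * @matchoff/@matchlen so the peer connects to the translated endpoint.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @exp: expectation built by the conntrack helper from the payload
 * @matchoff, @matchlen: span of the address text that named it
 *
 * The original endpoint is stashed in exp->saved_ip/saved_proto so that
 * ip_nat_sip_expected() can map the eventual connection back to it.
 *
 * Returns NF_ACCEPT, or NF_DROP if no port could be reserved or the
 * payload rewrite failed (the expectation is withdrawn in that case).
 *
 * Change: the port search now stops on any nf_ct_expect_related() error
 * other than -EBUSY.  -EBUSY means the port clashes with an existing
 * expectation and the next one is worth trying; every other error (e.g. an
 * expectation limit) is persistent, and retrying it for all remaining
 * 16-bit ports only burns CPU on packet data an attacker controls.
 *
 * NOTE(review): braces, the newip/port/buflen declarations, the "else"
 * lines, the exp->dir assignment, the port == 0 check and the err/return
 * lines were dropped by the extraction and are restored here — confirm
 * against the upstream file.
 */
static unsigned int ip_nat_sip_expect(struct sk_buff *skb, unsigned int dataoff,
				      const char **dptr, unsigned int *datalen,
				      struct nf_conntrack_expect *exp,
				      unsigned int matchoff,
				      unsigned int matchlen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	__be32 newip;
	u_int16_t port;
	/* Sized for "255.255.255.255:65535" plus NUL */
	char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
	unsigned int buflen;
	int ret;

	/* Connection will come from reply */
	if (ct->tuplehash[dir].tuple.src.u3.ip ==
	    ct->tuplehash[!dir].tuple.dst.u3.ip)
		newip = exp->tuple.dst.u3.ip;
	else
		newip = ct->tuplehash[!dir].tuple.dst.u3.ip;

	/* If the signalling port matches the connection's source port in the
	 * original direction, try to use the destination port in the opposite
	 * direction. */
	if (exp->tuple.dst.u.udp.port ==
	    ct->tuplehash[dir].tuple.src.u.udp.port)
		port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
	else
		port = ntohs(exp->tuple.dst.u.udp.port);

	/* Remember where the payload really pointed; expectfn restores it */
	exp->saved_ip = exp->tuple.dst.u3.ip;
	exp->tuple.dst.u3.ip = newip;
	exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
	exp->dir = !dir;
	exp->expectfn = ip_nat_sip_expected;

	/* Walk upwards from the preferred port; a 16-bit port wraps to 0,
	 * which ends the loop with no reservation. */
	for (; port != 0; port++) {
		exp->tuple.dst.u.udp.port = htons(port);
		ret = nf_ct_expect_related(exp);
		if (ret == 0)
			break;
		/* Only a clash with another expectation justifies retrying */
		if (ret != -EBUSY) {
			port = 0;
			break;
		}
	}

	if (port == 0)
		return NF_DROP;

	/* Only touch the payload if the endpoint actually changed */
	if (exp->tuple.dst.u3.ip != exp->saved_ip ||
	    exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
		buflen = sprintf(buffer, "%pI4:%u", &newip, port);
		if (!mangle_packet(skb, dataoff, dptr, datalen,
				   matchoff, matchlen, buffer, buflen))
			goto err;
	}
	return NF_ACCEPT;

err:
	nf_ct_unexpect_related(exp);
	return NF_DROP;
}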
/*
 * mangle_content_len - recompute the SIP Content-Length header after the
 * SDP body has been rewritten.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 *
 * The new length is measured from the SDP "v=" line to the end of the
 * payload.  Returns 0 if either the SDP version line or the Content-Length
 * header cannot be found, otherwise mangle_packet()'s result.
 *
 * NOTE(review): the brace, the local declarations and the "return 0"
 * lines dropped by the extraction were restored — confirm against upstream.
 * The buffer holds at most five digits, so this relies on *datalen never
 * exceeding what fits in a UDP datagram — confirm at the caller.
 */
static int mangle_content_len(struct sk_buff *skb, unsigned int dataoff,
			      const char **dptr, unsigned int *datalen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int sdpoff, sdplen, cloff, cllen;
	unsigned int c_len, buflen;
	char buffer[sizeof("65536")];

	/* Get actual SDP length: from the "v=" line to the end of the data */
	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
				  SDP_HDR_VERSION, SDP_HDR_UNSPEC,
				  &sdpoff, &sdplen) <= 0)
		return 0;
	/* sdpoff points past the "v=" name, so add it back */
	c_len = *datalen - sdpoff + strlen("v=");

	/* Now, update SDP length */
	if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
			      &cloff, &cllen) <= 0)
		return 0;

	buflen = sprintf(buffer, "%u", c_len);
	return mangle_packet(skb, dataoff, dptr, datalen, cloff, cllen,
			     buffer, buflen);
}
/*
 * mangle_sdp_packet - replace the value of one SDP header with @buffer.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @sdpoff: offset of the SDP body inside the payload
 * @type: SDP header to rewrite
 * @term: SDP header type that terminates the search
 * @buffer, @buflen: replacement text
 *
 * Returns 0 on success, -ENOENT when the header is not present before
 * @term, -EINVAL when the packet could not be mangled.
 *
 * NOTE(review): the sdpoff parameter line, the brace and the -ENOENT
 * return dropped by the extraction were restored — confirm against
 * upstream.
 */
static int mangle_sdp_packet(struct sk_buff *skb, unsigned int dataoff,
			     const char **dptr, unsigned int *datalen,
			     unsigned int sdpoff,
			     enum sdp_header_types type,
			     enum sdp_header_types term,
			     char *buffer, int buflen)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int matchlen, matchoff;
	int found;

	found = ct_sip_get_sdp_header(ct, *dptr, sdpoff, *datalen, type, term,
				      &matchoff, &matchlen);
	if (found <= 0)
		return -ENOENT;

	if (!mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen,
			   buffer, buflen))
		return -EINVAL;
	return 0;
}
/*
 * ip_nat_sdp_addr - rewrite one SDP address header (@type, searched up to
 * @term) to @addr and fix up Content-Length.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @sdpoff: offset of the SDP body inside the payload
 *
 * Returns 0 on failure, otherwise mangle_content_len()'s result.
 *
 * NOTE(review): the sdpoff parameter line, the brace, the buflen
 * declaration and the "return 0" dropped by the extraction were restored —
 * confirm against upstream.
 */
static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, unsigned int dataoff,
				    const char **dptr, unsigned int *datalen,
				    unsigned int sdpoff,
				    enum sdp_header_types type,
				    enum sdp_header_types term,
				    const union nf_inet_addr *addr)
{
	/* Sized for "255.255.255.255" plus NUL */
	char buffer[sizeof("nnn.nnn.nnn.nnn")];
	unsigned int buflen;
	int ret;

	buflen = sprintf(buffer, "%pI4", &addr->ip);
	ret = mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff,
				type, term, buffer, buflen);
	if (ret < 0)
		return 0;

	return mangle_content_len(skb, dataoff, dptr, datalen);
}
/*
 * ip_nat_sdp_port - rewrite the port number at @matchoff/@matchlen of an
 * SDP media line to @port (host order) and fix up Content-Length.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 *
 * Returns 0 on failure, otherwise mangle_content_len()'s result.
 *
 * NOTE(review): the port parameter line, the brace, the buflen declaration
 * and the "return 0" dropped by the extraction were restored — confirm
 * against upstream.
 */
static unsigned int ip_nat_sdp_port(struct sk_buff *skb, unsigned int dataoff,
				    const char **dptr, unsigned int *datalen,
				    unsigned int matchoff,
				    unsigned int matchlen,
				    u_int16_t port)
{
	/* Sized for "65535" plus NUL */
	char buffer[sizeof("nnnnn")];
	unsigned int buflen = sprintf(buffer, "%u", port);
	int rewritten;

	rewritten = mangle_packet(skb, dataoff, dptr, datalen,
				  matchoff, matchlen, buffer, buflen);
	return rewritten ? mangle_content_len(skb, dataoff, dptr, datalen)
			 : 0;
}
/*
 * ip_nat_sdp_session - rewrite the session-level SDP addresses (the "o="
 * owner line and, if present, the session "c=" connection line) to @addr
 * and fix up Content-Length.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @sdpoff: offset of the SDP body inside the payload
 *
 * The owner line is mandatory, so any failure there aborts; the session
 * connection line may be absent (-ENOENT), which is not an error.
 *
 * Returns 0 on failure, otherwise mangle_content_len()'s result.
 *
 * NOTE(review): the sdpoff parameter line, the brace, the buflen
 * declaration, the switch labels and the "return 0" lines dropped by the
 * extraction were restored — confirm against upstream.
 */
static unsigned int ip_nat_sdp_session(struct sk_buff *skb, unsigned int dataoff,
				       const char **dptr, unsigned int *datalen,
				       unsigned int sdpoff,
				       const union nf_inet_addr *addr)
{
	/* Sized for "255.255.255.255" plus NUL */
	char buffer[sizeof("nnn.nnn.nnn.nnn")];
	unsigned int buflen;
	int ret;

	/* Mangle session description owner and contact addresses */
	buflen = sprintf(buffer, "%pI4", &addr->ip);
	ret = mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff,
				SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
				buffer, buflen);
	if (ret != 0)
		return 0;

	ret = mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff,
				SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
				buffer, buflen);
	/*
	 * RFC 2327:
	 *
	 * Session description
	 *
	 * c=* (connection information - not required if included in all media)
	 */
	if (ret != 0 && ret != -ENOENT)
		return 0;

	return mangle_content_len(skb, dataoff, dptr, datalen);
}
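/* So, this packet has hit the connection tracking matching code.
   Mangle it, and change the expectation to match the new version. */
/*
 * ip_nat_sdp_media - register the RTP/RTCP expectation pair for one SDP
 * media description against the translated address, and rewrite the media
 * port in the payload if a different port pair had to be used.
 * @skb, @dataoff, @dptr, @datalen: as for mangle_packet()
 * @rtp_exp, @rtcp_exp: expectations built by the conntrack helper
 * @mediaoff, @medialen: span of the port number in the "m=" line
 * @rtp_addr: out: the translated address the media will be sent to
 *
 * Returns NF_ACCEPT, or NF_DROP if no port pair could be reserved or the
 * payload rewrite failed (both expectations are withdrawn in that case).
 *
 * Change: the port-pair search now gives up on any nf_ct_expect_related()
 * error other than -EBUSY.  Before, every error led to the next pair being
 * tried.  Because @port is 16-bit and advances by two, a search that starts
 * on an odd port (the "m=" port comes straight from the untrusted SDP)
 * never reaches the port != 0 exit, so a persistent error such as an
 * expectation limit kept this loop spinning in softirq context.  -EBUSY
 * (the pair clashes with an existing expectation) is the only error where
 * the next pair can do better.
 *
 * NOTE(review): the brace, the "port" declaration, the "else",
 * rtp_exp->dir, continue/break, the port == 0 check and the err1/err2
 * labels were dropped by the extraction and are restored here — confirm
 * against the upstream file.
 */
static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int dataoff,
				     const char **dptr, unsigned int *datalen,
				     struct nf_conntrack_expect *rtp_exp,
				     struct nf_conntrack_expect *rtcp_exp,
				     unsigned int mediaoff,
				     unsigned int medialen,
				     union nf_inet_addr *rtp_addr)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	u_int16_t port;
	int ret;

	/* Connection will come from reply */
	if (ct->tuplehash[dir].tuple.src.u3.ip ==
	    ct->tuplehash[!dir].tuple.dst.u3.ip)
		rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
	else
		rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;

	/* Stash the endpoints the payload named; expectfn maps back to them */
	rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
	rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
	rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
	rtp_exp->dir = !dir;
	rtp_exp->expectfn = ip_nat_sip_expected;

	rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
	rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
	rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
	rtcp_exp->dir = !dir;
	rtcp_exp->expectfn = ip_nat_sip_expected;

	/* Try to get same pair of ports: if not, try to change them.
	 * port == 0 after the loop means "no pair reserved". */
	for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
	     port != 0; port += 2) {
		rtp_exp->tuple.dst.u.udp.port = htons(port);
		ret = nf_ct_expect_related(rtp_exp);
		if (ret == -EBUSY)
			continue;
		if (ret < 0) {
			port = 0;
			break;
		}
		rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
		ret = nf_ct_expect_related(rtcp_exp);
		if (ret == 0)
			break;
		/* RTCP port unusable: release the RTP port before moving on */
		nf_ct_unexpect_related(rtp_exp);
		if (ret != -EBUSY) {
			port = 0;
			break;
		}
	}

	if (port == 0)
		goto err1;

	/* Update media port. */
	if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
	    !ip_nat_sdp_port(skb, dataoff, dptr, datalen,
			     mediaoff, medialen, port))
		goto err2;

	return NF_ACCEPT;

err2:
	nf_ct_unexpect_related(rtp_exp);
	nf_ct_unexpect_related(rtcp_exp);
err1:
	return NF_DROP;
}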
/*
 * nf_nat_sip_fini - module exit: detach every NAT callback from the SIP
 * conntrack helper's hook pointers.
 *
 * NOTE(review): the brace lines and the trailing synchronize_rcu() that
 * lets in-flight hook readers drain before the module text is unloaded
 * were dropped by the extraction and are restored here — confirm against
 * upstream.
 */
static void __exit nf_nat_sip_fini(void)
{
	rcu_assign_pointer(nf_nat_sip_hook, NULL);
	rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
	rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
	synchronize_rcu();
}
/*
 * nf_nat_sip_init - module init: publish this module's callbacks through
 * the SIP conntrack helper's hook pointers.
 *
 * The BUG_ON()s enforce that only one SIP NAT helper can be loaded at a
 * time; a non-NULL hook means another instance already owns it.
 * Returns 0.
 *
 * NOTE(review): the brace lines and the "return 0" dropped by the
 * extraction were restored here — confirm against upstream.
 */
static int __init nf_nat_sip_init(void)
{
	BUG_ON(nf_nat_sip_hook != NULL);
	BUG_ON(nf_nat_sip_expect_hook != NULL);
	BUG_ON(nf_nat_sdp_addr_hook != NULL);
	BUG_ON(nf_nat_sdp_port_hook != NULL);
	BUG_ON(nf_nat_sdp_session_hook != NULL);
	BUG_ON(nf_nat_sdp_media_hook != NULL);
	rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
	rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
	rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
	rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
	rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
	rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
	return 0;
}
/* Module entry and exit points: install and remove the SIP NAT hooks. */
module_init(nf_nat_sip_init);
module_exit(nf_nat_sip_fini);