1 |
3 |
xianfeng |
/* SIP extension for UDP NAT alteration.
|
2 |
|
|
*
|
3 |
|
|
* (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
|
4 |
|
|
* based on RR's ip_nat_ftp.c and other modules.
|
5 |
|
|
*
|
6 |
|
|
* This program is free software; you can redistribute it and/or modify
|
7 |
|
|
* it under the terms of the GNU General Public License version 2 as
|
8 |
|
|
* published by the Free Software Foundation.
|
9 |
|
|
*/
|
10 |
|
|
|
11 |
|
|
#include <linux/module.h>
|
12 |
|
|
#include <linux/skbuff.h>
|
13 |
|
|
#include <linux/ip.h>
|
14 |
|
|
#include <net/ip.h>
|
15 |
|
|
#include <linux/udp.h>
|
16 |
|
|
|
17 |
|
|
#include <net/netfilter/nf_nat.h>
|
18 |
|
|
#include <net/netfilter/nf_nat_helper.h>
|
19 |
|
|
#include <net/netfilter/nf_nat_rule.h>
|
20 |
|
|
#include <net/netfilter/nf_conntrack_helper.h>
|
21 |
|
|
#include <net/netfilter/nf_conntrack_expect.h>
|
22 |
|
|
#include <linux/netfilter/nf_conntrack_sip.h>
|
23 |
|
|
|
24 |
|
|
MODULE_LICENSE("GPL");
|
25 |
|
|
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
|
26 |
|
|
MODULE_DESCRIPTION("SIP NAT helper");
|
27 |
|
|
MODULE_ALIAS("ip_nat_sip");
|
28 |
|
|
|
29 |
|
|
struct addr_map {
|
30 |
|
|
struct {
|
31 |
|
|
char src[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
|
32 |
|
|
char dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
|
33 |
|
|
unsigned int srclen, srciplen;
|
34 |
|
|
unsigned int dstlen, dstiplen;
|
35 |
|
|
} addr[IP_CT_DIR_MAX];
|
36 |
|
|
};
|
37 |
|
|
|
38 |
|
|
static void addr_map_init(struct nf_conn *ct, struct addr_map *map)
|
39 |
|
|
{
|
40 |
|
|
struct nf_conntrack_tuple *t;
|
41 |
|
|
enum ip_conntrack_dir dir;
|
42 |
|
|
unsigned int n;
|
43 |
|
|
|
44 |
|
|
for (dir = 0; dir < IP_CT_DIR_MAX; dir++) {
|
45 |
|
|
t = &ct->tuplehash[dir].tuple;
|
46 |
|
|
|
47 |
|
|
n = sprintf(map->addr[dir].src, "%u.%u.%u.%u",
|
48 |
|
|
NIPQUAD(t->src.u3.ip));
|
49 |
|
|
map->addr[dir].srciplen = n;
|
50 |
|
|
n += sprintf(map->addr[dir].src + n, ":%u",
|
51 |
|
|
ntohs(t->src.u.udp.port));
|
52 |
|
|
map->addr[dir].srclen = n;
|
53 |
|
|
|
54 |
|
|
n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u",
|
55 |
|
|
NIPQUAD(t->dst.u3.ip));
|
56 |
|
|
map->addr[dir].dstiplen = n;
|
57 |
|
|
n += sprintf(map->addr[dir].dst + n, ":%u",
|
58 |
|
|
ntohs(t->dst.u.udp.port));
|
59 |
|
|
map->addr[dir].dstlen = n;
|
60 |
|
|
}
|
61 |
|
|
}
|
62 |
|
|
|
63 |
|
|
static int map_sip_addr(struct sk_buff *skb, enum ip_conntrack_info ctinfo,
|
64 |
|
|
struct nf_conn *ct, const char **dptr, size_t dlen,
|
65 |
|
|
enum sip_header_pos pos, struct addr_map *map)
|
66 |
|
|
{
|
67 |
|
|
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
68 |
|
|
unsigned int matchlen, matchoff, addrlen;
|
69 |
|
|
char *addr;
|
70 |
|
|
|
71 |
|
|
if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0)
|
72 |
|
|
return 1;
|
73 |
|
|
|
74 |
|
|
if ((matchlen == map->addr[dir].srciplen ||
|
75 |
|
|
matchlen == map->addr[dir].srclen) &&
|
76 |
|
|
memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
|
77 |
|
|
addr = map->addr[!dir].dst;
|
78 |
|
|
addrlen = map->addr[!dir].dstlen;
|
79 |
|
|
} else if ((matchlen == map->addr[dir].dstiplen ||
|
80 |
|
|
matchlen == map->addr[dir].dstlen) &&
|
81 |
|
|
memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
|
82 |
|
|
addr = map->addr[!dir].src;
|
83 |
|
|
addrlen = map->addr[!dir].srclen;
|
84 |
|
|
} else
|
85 |
|
|
return 1;
|
86 |
|
|
|
87 |
|
|
if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
|
88 |
|
|
matchoff, matchlen, addr, addrlen))
|
89 |
|
|
return 0;
|
90 |
|
|
*dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
|
91 |
|
|
return 1;
|
92 |
|
|
|
93 |
|
|
}
|
94 |
|
|
|
95 |
|
|
static unsigned int ip_nat_sip(struct sk_buff *skb,
|
96 |
|
|
enum ip_conntrack_info ctinfo,
|
97 |
|
|
struct nf_conn *ct,
|
98 |
|
|
const char **dptr)
|
99 |
|
|
{
|
100 |
|
|
enum sip_header_pos pos;
|
101 |
|
|
struct addr_map map;
|
102 |
|
|
int dataoff, datalen;
|
103 |
|
|
|
104 |
|
|
dataoff = ip_hdrlen(skb) + sizeof(struct udphdr);
|
105 |
|
|
datalen = skb->len - dataoff;
|
106 |
|
|
if (datalen < sizeof("SIP/2.0") - 1)
|
107 |
|
|
return NF_ACCEPT;
|
108 |
|
|
|
109 |
|
|
addr_map_init(ct, &map);
|
110 |
|
|
|
111 |
|
|
/* Basic rules: requests and responses. */
|
112 |
|
|
if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) {
|
113 |
|
|
/* 10.2: Constructing the REGISTER Request:
|
114 |
|
|
*
|
115 |
|
|
* The "userinfo" and "@" components of the SIP URI MUST NOT
|
116 |
|
|
* be present.
|
117 |
|
|
*/
|
118 |
|
|
if (datalen >= sizeof("REGISTER") - 1 &&
|
119 |
|
|
strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0)
|
120 |
|
|
pos = POS_REG_REQ_URI;
|
121 |
|
|
else
|
122 |
|
|
pos = POS_REQ_URI;
|
123 |
|
|
|
124 |
|
|
if (!map_sip_addr(skb, ctinfo, ct, dptr, datalen, pos, &map))
|
125 |
|
|
return NF_DROP;
|
126 |
|
|
}
|
127 |
|
|
|
128 |
|
|
if (!map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_FROM, &map) ||
|
129 |
|
|
!map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_TO, &map) ||
|
130 |
|
|
!map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_VIA, &map) ||
|
131 |
|
|
!map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map))
|
132 |
|
|
return NF_DROP;
|
133 |
|
|
return NF_ACCEPT;
|
134 |
|
|
}
|
135 |
|
|
|
136 |
|
|
static unsigned int mangle_sip_packet(struct sk_buff *skb,
|
137 |
|
|
enum ip_conntrack_info ctinfo,
|
138 |
|
|
struct nf_conn *ct,
|
139 |
|
|
const char **dptr, size_t dlen,
|
140 |
|
|
char *buffer, int bufflen,
|
141 |
|
|
enum sip_header_pos pos)
|
142 |
|
|
{
|
143 |
|
|
unsigned int matchlen, matchoff;
|
144 |
|
|
|
145 |
|
|
if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0)
|
146 |
|
|
return 0;
|
147 |
|
|
|
148 |
|
|
if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
|
149 |
|
|
matchoff, matchlen, buffer, bufflen))
|
150 |
|
|
return 0;
|
151 |
|
|
|
152 |
|
|
/* We need to reload this. Thanks Patrick. */
|
153 |
|
|
*dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
|
154 |
|
|
return 1;
|
155 |
|
|
}
|
156 |
|
|
|
157 |
|
|
static int mangle_content_len(struct sk_buff *skb,
|
158 |
|
|
enum ip_conntrack_info ctinfo,
|
159 |
|
|
struct nf_conn *ct,
|
160 |
|
|
const char *dptr)
|
161 |
|
|
{
|
162 |
|
|
unsigned int dataoff, matchoff, matchlen;
|
163 |
|
|
char buffer[sizeof("65536")];
|
164 |
|
|
int bufflen;
|
165 |
|
|
|
166 |
|
|
dataoff = ip_hdrlen(skb) + sizeof(struct udphdr);
|
167 |
|
|
|
168 |
|
|
/* Get actual SDP length */
|
169 |
|
|
if (ct_sip_get_info(ct, dptr, skb->len - dataoff, &matchoff,
|
170 |
|
|
&matchlen, POS_SDP_HEADER) > 0) {
|
171 |
|
|
|
172 |
|
|
/* since ct_sip_get_info() give us a pointer passing 'v='
|
173 |
|
|
we need to add 2 bytes in this count. */
|
174 |
|
|
int c_len = skb->len - dataoff - matchoff + 2;
|
175 |
|
|
|
176 |
|
|
/* Now, update SDP length */
|
177 |
|
|
if (ct_sip_get_info(ct, dptr, skb->len - dataoff, &matchoff,
|
178 |
|
|
&matchlen, POS_CONTENT) > 0) {
|
179 |
|
|
|
180 |
|
|
bufflen = sprintf(buffer, "%u", c_len);
|
181 |
|
|
return nf_nat_mangle_udp_packet(skb, ct, ctinfo,
|
182 |
|
|
matchoff, matchlen,
|
183 |
|
|
buffer, bufflen);
|
184 |
|
|
}
|
185 |
|
|
}
|
186 |
|
|
return 0;
|
187 |
|
|
}
|
188 |
|
|
|
189 |
|
|
static unsigned int mangle_sdp(struct sk_buff *skb,
|
190 |
|
|
enum ip_conntrack_info ctinfo,
|
191 |
|
|
struct nf_conn *ct,
|
192 |
|
|
__be32 newip, u_int16_t port,
|
193 |
|
|
const char *dptr)
|
194 |
|
|
{
|
195 |
|
|
char buffer[sizeof("nnn.nnn.nnn.nnn")];
|
196 |
|
|
unsigned int dataoff, bufflen;
|
197 |
|
|
|
198 |
|
|
dataoff = ip_hdrlen(skb) + sizeof(struct udphdr);
|
199 |
|
|
|
200 |
|
|
/* Mangle owner and contact info. */
|
201 |
|
|
bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
|
202 |
|
|
if (!mangle_sip_packet(skb, ctinfo, ct, &dptr, skb->len - dataoff,
|
203 |
|
|
buffer, bufflen, POS_OWNER_IP4))
|
204 |
|
|
return 0;
|
205 |
|
|
|
206 |
|
|
if (!mangle_sip_packet(skb, ctinfo, ct, &dptr, skb->len - dataoff,
|
207 |
|
|
buffer, bufflen, POS_CONNECTION_IP4))
|
208 |
|
|
return 0;
|
209 |
|
|
|
210 |
|
|
/* Mangle media port. */
|
211 |
|
|
bufflen = sprintf(buffer, "%u", port);
|
212 |
|
|
if (!mangle_sip_packet(skb, ctinfo, ct, &dptr, skb->len - dataoff,
|
213 |
|
|
buffer, bufflen, POS_MEDIA))
|
214 |
|
|
return 0;
|
215 |
|
|
|
216 |
|
|
return mangle_content_len(skb, ctinfo, ct, dptr);
|
217 |
|
|
}
|
218 |
|
|
|
219 |
|
|
static void ip_nat_sdp_expect(struct nf_conn *ct,
|
220 |
|
|
struct nf_conntrack_expect *exp)
|
221 |
|
|
{
|
222 |
|
|
struct nf_nat_range range;
|
223 |
|
|
|
224 |
|
|
/* This must be a fresh one. */
|
225 |
|
|
BUG_ON(ct->status & IPS_NAT_DONE_MASK);
|
226 |
|
|
|
227 |
|
|
/* Change src to where master sends to */
|
228 |
|
|
range.flags = IP_NAT_RANGE_MAP_IPS;
|
229 |
|
|
range.min_ip = range.max_ip
|
230 |
|
|
= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
|
231 |
|
|
/* hook doesn't matter, but it has to do source manip */
|
232 |
|
|
nf_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
|
233 |
|
|
|
234 |
|
|
/* For DST manip, map port here to where it's expected. */
|
235 |
|
|
range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
|
236 |
|
|
range.min = range.max = exp->saved_proto;
|
237 |
|
|
range.min_ip = range.max_ip = exp->saved_ip;
|
238 |
|
|
/* hook doesn't matter, but it has to do destination manip */
|
239 |
|
|
nf_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
|
240 |
|
|
}
|
241 |
|
|
|
242 |
|
|
/* So, this packet has hit the connection tracking matching code.
|
243 |
|
|
Mangle it, and change the expectation to match the new version. */
|
244 |
|
|
static unsigned int ip_nat_sdp(struct sk_buff *skb,
|
245 |
|
|
enum ip_conntrack_info ctinfo,
|
246 |
|
|
struct nf_conntrack_expect *exp,
|
247 |
|
|
const char *dptr)
|
248 |
|
|
{
|
249 |
|
|
struct nf_conn *ct = exp->master;
|
250 |
|
|
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
251 |
|
|
__be32 newip;
|
252 |
|
|
u_int16_t port;
|
253 |
|
|
|
254 |
|
|
/* Connection will come from reply */
|
255 |
|
|
if (ct->tuplehash[dir].tuple.src.u3.ip ==
|
256 |
|
|
ct->tuplehash[!dir].tuple.dst.u3.ip)
|
257 |
|
|
newip = exp->tuple.dst.u3.ip;
|
258 |
|
|
else
|
259 |
|
|
newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
|
260 |
|
|
|
261 |
|
|
exp->saved_ip = exp->tuple.dst.u3.ip;
|
262 |
|
|
exp->tuple.dst.u3.ip = newip;
|
263 |
|
|
exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
|
264 |
|
|
exp->dir = !dir;
|
265 |
|
|
|
266 |
|
|
/* When you see the packet, we need to NAT it the same as the
|
267 |
|
|
this one. */
|
268 |
|
|
exp->expectfn = ip_nat_sdp_expect;
|
269 |
|
|
|
270 |
|
|
/* Try to get same port: if not, try to change it. */
|
271 |
|
|
for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
|
272 |
|
|
exp->tuple.dst.u.udp.port = htons(port);
|
273 |
|
|
if (nf_ct_expect_related(exp) == 0)
|
274 |
|
|
break;
|
275 |
|
|
}
|
276 |
|
|
|
277 |
|
|
if (port == 0)
|
278 |
|
|
return NF_DROP;
|
279 |
|
|
|
280 |
|
|
if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr)) {
|
281 |
|
|
nf_ct_unexpect_related(exp);
|
282 |
|
|
return NF_DROP;
|
283 |
|
|
}
|
284 |
|
|
return NF_ACCEPT;
|
285 |
|
|
}
|
286 |
|
|
|
287 |
|
|
static void __exit nf_nat_sip_fini(void)
|
288 |
|
|
{
|
289 |
|
|
rcu_assign_pointer(nf_nat_sip_hook, NULL);
|
290 |
|
|
rcu_assign_pointer(nf_nat_sdp_hook, NULL);
|
291 |
|
|
synchronize_rcu();
|
292 |
|
|
}
|
293 |
|
|
|
294 |
|
|
static int __init nf_nat_sip_init(void)
|
295 |
|
|
{
|
296 |
|
|
BUG_ON(nf_nat_sip_hook != NULL);
|
297 |
|
|
BUG_ON(nf_nat_sdp_hook != NULL);
|
298 |
|
|
rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
|
299 |
|
|
rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
|
300 |
|
|
return 0;
|
301 |
|
|
}
|
302 |
|
|
|
303 |
|
|
module_init(nf_nat_sip_init);
|
304 |
|
|
module_exit(nf_nat_sip_fini);
|