1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
15 #include <linux/udp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_nat_rule.h>
20 #include <net/netfilter/nf_conntrack_helper.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP NAT helper");
27 MODULE_ALIAS("ip_nat_sip");
31 char src
[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
32 char dst
[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
33 unsigned int srclen
, srciplen
;
34 unsigned int dstlen
, dstiplen
;
35 } addr
[IP_CT_DIR_MAX
];
38 static void addr_map_init(struct nf_conn
*ct
, struct addr_map
*map
)
40 struct nf_conntrack_tuple
*t
;
41 enum ip_conntrack_dir dir
;
44 for (dir
= 0; dir
< IP_CT_DIR_MAX
; dir
++) {
45 t
= &ct
->tuplehash
[dir
].tuple
;
47 n
= sprintf(map
->addr
[dir
].src
, "%u.%u.%u.%u",
48 NIPQUAD(t
->src
.u3
.ip
));
49 map
->addr
[dir
].srciplen
= n
;
50 n
+= sprintf(map
->addr
[dir
].src
+ n
, ":%u",
51 ntohs(t
->src
.u
.udp
.port
));
52 map
->addr
[dir
].srclen
= n
;
54 n
= sprintf(map
->addr
[dir
].dst
, "%u.%u.%u.%u",
55 NIPQUAD(t
->dst
.u3
.ip
));
56 map
->addr
[dir
].dstiplen
= n
;
57 n
+= sprintf(map
->addr
[dir
].dst
+ n
, ":%u",
58 ntohs(t
->dst
.u
.udp
.port
));
59 map
->addr
[dir
].dstlen
= n
;
63 static int map_sip_addr(struct sk_buff
**pskb
, enum ip_conntrack_info ctinfo
,
64 struct nf_conn
*ct
, const char **dptr
, size_t dlen
,
65 enum sip_header_pos pos
, struct addr_map
*map
)
67 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
68 unsigned int matchlen
, matchoff
, addrlen
;
71 if (ct_sip_get_info(ct
, *dptr
, dlen
, &matchoff
, &matchlen
, pos
) <= 0)
74 if ((matchlen
== map
->addr
[dir
].srciplen
||
75 matchlen
== map
->addr
[dir
].srclen
) &&
76 memcmp(*dptr
+ matchoff
, map
->addr
[dir
].src
, matchlen
) == 0) {
77 addr
= map
->addr
[!dir
].dst
;
78 addrlen
= map
->addr
[!dir
].dstlen
;
79 } else if ((matchlen
== map
->addr
[dir
].dstiplen
||
80 matchlen
== map
->addr
[dir
].dstlen
) &&
81 memcmp(*dptr
+ matchoff
, map
->addr
[dir
].dst
, matchlen
) == 0) {
82 addr
= map
->addr
[!dir
].src
;
83 addrlen
= map
->addr
[!dir
].srclen
;
87 if (!nf_nat_mangle_udp_packet(pskb
, ct
, ctinfo
,
88 matchoff
, matchlen
, addr
, addrlen
))
90 *dptr
= (*pskb
)->data
+ ip_hdrlen(*pskb
) + sizeof(struct udphdr
);
95 static unsigned int ip_nat_sip(struct sk_buff
**pskb
,
96 enum ip_conntrack_info ctinfo
,
100 enum sip_header_pos pos
;
102 int dataoff
, datalen
;
104 dataoff
= ip_hdrlen(*pskb
) + sizeof(struct udphdr
);
105 datalen
= (*pskb
)->len
- dataoff
;
106 if (datalen
< sizeof("SIP/2.0") - 1)
109 addr_map_init(ct
, &map
);
111 /* Basic rules: requests and responses. */
112 if (strncmp(*dptr
, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) {
113 /* 10.2: Constructing the REGISTER Request:
115 * The "userinfo" and "@" components of the SIP URI MUST NOT
118 if (datalen
>= sizeof("REGISTER") - 1 &&
119 strncmp(*dptr
, "REGISTER", sizeof("REGISTER") - 1) == 0)
120 pos
= POS_REG_REQ_URI
;
124 if (!map_sip_addr(pskb
, ctinfo
, ct
, dptr
, datalen
, pos
, &map
))
128 if (!map_sip_addr(pskb
, ctinfo
, ct
, dptr
, datalen
, POS_FROM
, &map
) ||
129 !map_sip_addr(pskb
, ctinfo
, ct
, dptr
, datalen
, POS_TO
, &map
) ||
130 !map_sip_addr(pskb
, ctinfo
, ct
, dptr
, datalen
, POS_VIA
, &map
) ||
131 !map_sip_addr(pskb
, ctinfo
, ct
, dptr
, datalen
, POS_CONTACT
, &map
))
136 static unsigned int mangle_sip_packet(struct sk_buff
**pskb
,
137 enum ip_conntrack_info ctinfo
,
139 const char **dptr
, size_t dlen
,
140 char *buffer
, int bufflen
,
141 enum sip_header_pos pos
)
143 unsigned int matchlen
, matchoff
;
145 if (ct_sip_get_info(ct
, *dptr
, dlen
, &matchoff
, &matchlen
, pos
) <= 0)
148 if (!nf_nat_mangle_udp_packet(pskb
, ct
, ctinfo
,
149 matchoff
, matchlen
, buffer
, bufflen
))
152 /* We need to reload this. Thanks Patrick. */
153 *dptr
= (*pskb
)->data
+ ip_hdrlen(*pskb
) + sizeof(struct udphdr
);
157 static int mangle_content_len(struct sk_buff
**pskb
,
158 enum ip_conntrack_info ctinfo
,
162 unsigned int dataoff
, matchoff
, matchlen
;
163 char buffer
[sizeof("65536")];
166 dataoff
= ip_hdrlen(*pskb
) + sizeof(struct udphdr
);
168 /* Get actual SDP lenght */
169 if (ct_sip_get_info(ct
, dptr
, (*pskb
)->len
- dataoff
, &matchoff
,
170 &matchlen
, POS_SDP_HEADER
) > 0) {
172 /* since ct_sip_get_info() give us a pointer passing 'v='
173 we need to add 2 bytes in this count. */
174 int c_len
= (*pskb
)->len
- dataoff
- matchoff
+ 2;
176 /* Now, update SDP length */
177 if (ct_sip_get_info(ct
, dptr
, (*pskb
)->len
- dataoff
, &matchoff
,
178 &matchlen
, POS_CONTENT
) > 0) {
180 bufflen
= sprintf(buffer
, "%u", c_len
);
181 return nf_nat_mangle_udp_packet(pskb
, ct
, ctinfo
,
189 static unsigned int mangle_sdp(struct sk_buff
**pskb
,
190 enum ip_conntrack_info ctinfo
,
192 __be32 newip
, u_int16_t port
,
195 char buffer
[sizeof("nnn.nnn.nnn.nnn")];
196 unsigned int dataoff
, bufflen
;
198 dataoff
= ip_hdrlen(*pskb
) + sizeof(struct udphdr
);
200 /* Mangle owner and contact info. */
201 bufflen
= sprintf(buffer
, "%u.%u.%u.%u", NIPQUAD(newip
));
202 if (!mangle_sip_packet(pskb
, ctinfo
, ct
, &dptr
, (*pskb
)->len
- dataoff
,
203 buffer
, bufflen
, POS_OWNER_IP4
))
206 if (!mangle_sip_packet(pskb
, ctinfo
, ct
, &dptr
, (*pskb
)->len
- dataoff
,
207 buffer
, bufflen
, POS_CONNECTION_IP4
))
210 /* Mangle media port. */
211 bufflen
= sprintf(buffer
, "%u", port
);
212 if (!mangle_sip_packet(pskb
, ctinfo
, ct
, &dptr
, (*pskb
)->len
- dataoff
,
213 buffer
, bufflen
, POS_MEDIA
))
216 return mangle_content_len(pskb
, ctinfo
, ct
, dptr
);
219 static void ip_nat_sdp_expect(struct nf_conn
*ct
,
220 struct nf_conntrack_expect
*exp
)
222 struct nf_nat_range range
;
224 /* This must be a fresh one. */
225 BUG_ON(ct
->status
& IPS_NAT_DONE_MASK
);
227 /* Change src to where master sends to */
228 range
.flags
= IP_NAT_RANGE_MAP_IPS
;
229 range
.min_ip
= range
.max_ip
230 = ct
->master
->tuplehash
[!exp
->dir
].tuple
.dst
.u3
.ip
;
231 /* hook doesn't matter, but it has to do source manip */
232 nf_nat_setup_info(ct
, &range
, NF_IP_POST_ROUTING
);
234 /* For DST manip, map port here to where it's expected. */
235 range
.flags
= (IP_NAT_RANGE_MAP_IPS
| IP_NAT_RANGE_PROTO_SPECIFIED
);
236 range
.min
= range
.max
= exp
->saved_proto
;
237 range
.min_ip
= range
.max_ip
= exp
->saved_ip
;
238 /* hook doesn't matter, but it has to do destination manip */
239 nf_nat_setup_info(ct
, &range
, NF_IP_PRE_ROUTING
);
242 /* So, this packet has hit the connection tracking matching code.
243 Mangle it, and change the expectation to match the new version. */
244 static unsigned int ip_nat_sdp(struct sk_buff
**pskb
,
245 enum ip_conntrack_info ctinfo
,
246 struct nf_conntrack_expect
*exp
,
249 struct nf_conn
*ct
= exp
->master
;
250 enum ip_conntrack_dir dir
= CTINFO2DIR(ctinfo
);
254 /* Connection will come from reply */
255 if (ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
==
256 ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
)
257 newip
= exp
->tuple
.dst
.u3
.ip
;
259 newip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
261 exp
->saved_ip
= exp
->tuple
.dst
.u3
.ip
;
262 exp
->tuple
.dst
.u3
.ip
= newip
;
263 exp
->saved_proto
.udp
.port
= exp
->tuple
.dst
.u
.udp
.port
;
266 /* When you see the packet, we need to NAT it the same as the
268 exp
->expectfn
= ip_nat_sdp_expect
;
270 /* Try to get same port: if not, try to change it. */
271 for (port
= ntohs(exp
->saved_proto
.udp
.port
); port
!= 0; port
++) {
272 exp
->tuple
.dst
.u
.udp
.port
= htons(port
);
273 if (nf_ct_expect_related(exp
) == 0)
280 if (!mangle_sdp(pskb
, ctinfo
, ct
, newip
, port
, dptr
)) {
281 nf_ct_unexpect_related(exp
);
287 static void __exit
nf_nat_sip_fini(void)
289 rcu_assign_pointer(nf_nat_sip_hook
, NULL
);
290 rcu_assign_pointer(nf_nat_sdp_hook
, NULL
);
294 static int __init
nf_nat_sip_init(void)
296 BUG_ON(rcu_dereference(nf_nat_sip_hook
));
297 BUG_ON(rcu_dereference(nf_nat_sdp_hook
));
298 rcu_assign_pointer(nf_nat_sip_hook
, ip_nat_sip
);
299 rcu_assign_pointer(nf_nat_sdp_hook
, ip_nat_sdp
);
303 module_init(nf_nat_sip_init
);
304 module_exit(nf_nat_sip_fini
);