net/ipv4/netfilter/ip_nat_sip.c

   1 /* SIP extension for UDP NAT alteration.
   2  *
   3  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
   4  * based on RR's ip_nat_ftp.c and other modules.
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation.
   9  */
  10
  11 #include <linux/module.h>
  12 #include <linux/skbuff.h>
  13 #include <linux/ip.h>
  14 #include <linux/udp.h>
  15
  16 #include <linux/netfilter_ipv4.h>
  17 #include <linux/netfilter_ipv4/ip_nat.h>
  18 #include <linux/netfilter_ipv4/ip_nat_helper.h>
  19 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
  20 #include <linux/netfilter_ipv4/ip_conntrack_sip.h>
  21
  22 MODULE_LICENSE("GPL");
  23 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
  24 MODULE_DESCRIPTION("SIP NAT helper");
  25
  26 #if 0
  27 #define DEBUGP printk
  28 #else
  29 #define DEBUGP(format, args...)
  30 #endif
  31
  32 struct addr_map {
  33         struct {
  34                 char            src[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
  35                 char            dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
  36                 unsigned int    srclen, srciplen;
  37                 unsigned int    dstlen, dstiplen;
  38         } addr[IP_CT_DIR_MAX];
  39 };
  40
  41 static void addr_map_init(struct ip_conntrack *ct, struct addr_map *map)
  42 {
  43         struct ip_conntrack_tuple *t;
  44         enum ip_conntrack_dir dir;
  45         unsigned int n;
  46
  47         for (dir = 0; dir < IP_CT_DIR_MAX; dir++) {
  48                 t = &ct->tuplehash[dir].tuple;
  49
  50                 n = sprintf(map->addr[dir].src, "%u.%u.%u.%u",
  51                             NIPQUAD(t->src.ip));
  52                 map->addr[dir].srciplen = n;
  53                 n += sprintf(map->addr[dir].src + n, ":%u",
  54                              ntohs(t->src.u.udp.port));
  55                 map->addr[dir].srclen = n;
  56
  57                 n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u",
  58                             NIPQUAD(t->dst.ip));
  59                 map->addr[dir].dstiplen = n;
  60                 n += sprintf(map->addr[dir].dst + n, ":%u",
  61                              ntohs(t->dst.u.udp.port));
  62                 map->addr[dir].dstlen = n;
  63         }
  64 }
  65
  66 static int map_sip_addr(struct sk_buff **pskb, enum ip_conntrack_info ctinfo,
  67                         struct ip_conntrack *ct, const char **dptr, size_t dlen,
  68                         enum sip_header_pos pos, struct addr_map *map)
  69 {
  70         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
  71         unsigned int matchlen, matchoff, addrlen;
  72         char *addr;
  73
  74         if (ct_sip_get_info(*dptr, dlen, &matchoff, &matchlen, pos) <= 0)
  75                 return 1;
  76
  77         if ((matchlen == map->addr[dir].srciplen ||
  78              matchlen == map->addr[dir].srclen) &&
  79             memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
  80                 addr    = map->addr[!dir].dst;
  81                 addrlen = map->addr[!dir].dstlen;
  82         } else if ((matchlen == map->addr[dir].dstiplen ||
  83                     matchlen == map->addr[dir].dstlen) &&
  84                    memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
  85                 addr    = map->addr[!dir].src;
  86                 addrlen = map->addr[!dir].srclen;
  87         } else
  88                 return 1;
  89
  90         if (!ip_nat_mangle_udp_packet(pskb, ct, ctinfo,
  91                                       matchoff, matchlen, addr, addrlen))
  92                 return 0;
  93         *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
  94         return 1;
  95
  96 }
  97
  98 static unsigned int ip_nat_sip(struct sk_buff **pskb,
  99                                enum ip_conntrack_info ctinfo,
 100                                struct ip_conntrack *ct,
 101                                const char **dptr)
 102 {
 103         enum sip_header_pos pos;
 104         struct addr_map map;
 105         int dataoff, datalen;
 106
 107         dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
 108         datalen = (*pskb)->len - dataoff;
 109         if (datalen < sizeof("SIP/2.0") - 1)
 110                 return NF_DROP;
 111
 112         addr_map_init(ct, &map);
 113
 114         /* Basic rules: requests and responses. */
 115         if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) {
 116                 /* 10.2: Constructing the REGISTER Request:
 117                  *
 118                  * The "userinfo" and "@" components of the SIP URI MUST NOT
 119                  * be present.
 120                  */
 121                 if (datalen >= sizeof("REGISTER") - 1 &&
 122                     strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0)
 123                         pos = POS_REG_REQ_URI;
 124                 else
 125                         pos = POS_REQ_URI;
 126
 127                 if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, pos, &map))
 128                         return NF_DROP;
 129         }
 130
 131         if (!map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_FROM, &map) ||
 132             !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_TO, &map) ||
 133             !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_VIA, &map) ||
 134             !map_sip_addr(pskb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map))
 135                 return NF_DROP;
 136         return NF_ACCEPT;
 137 }
 138
 139 static unsigned int mangle_sip_packet(struct sk_buff **pskb,
 140                                       enum ip_conntrack_info ctinfo,
 141                                       struct ip_conntrack *ct,
 142                                       const char **dptr, size_t dlen,
 143                                       char *buffer, int bufflen,
 144                                       enum sip_header_pos pos)
 145 {
 146         unsigned int matchlen, matchoff;
 147
 148         if (ct_sip_get_info(*dptr, dlen, &matchoff, &matchlen, pos) <= 0)
 149                 return 0;
 150
 151         if (!ip_nat_mangle_udp_packet(pskb, ct, ctinfo,
 152                                       matchoff, matchlen, buffer, bufflen))
 153                 return 0;
 154
 155         /* We need to reload this. Thanks Patrick. */
 156         *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
 157         return 1;
 158 }
 159
 160 static int mangle_content_len(struct sk_buff **pskb,
 161                               enum ip_conntrack_info ctinfo,
 162                               struct ip_conntrack *ct,
 163                               const char *dptr)
 164 {
 165         unsigned int dataoff, matchoff, matchlen;
 166         char buffer[sizeof("65536")];
 167         int bufflen;
 168
 169         dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
 170
 171         /* Get actual SDP lenght */
 172         if (ct_sip_get_info(dptr, (*pskb)->len - dataoff, &matchoff,
 173                             &matchlen, POS_SDP_HEADER) > 0) {
 174
 175                 /* since ct_sip_get_info() give us a pointer passing 'v='
 176                    we need to add 2 bytes in this count. */
 177                 int c_len = (*pskb)->len - dataoff - matchoff + 2;
 178
 179                 /* Now, update SDP lenght */
 180                 if (ct_sip_get_info(dptr, (*pskb)->len - dataoff, &matchoff,
 181                                     &matchlen, POS_CONTENT) > 0) {
 182
 183                         bufflen = sprintf(buffer, "%u", c_len);
 184
 185                         return ip_nat_mangle_udp_packet(pskb, ct, ctinfo,
 186                                                         matchoff, matchlen,
 187                                                         buffer, bufflen);
 188                 }
 189         }
 190         return 0;
 191 }
 192
 193 static unsigned int mangle_sdp(struct sk_buff **pskb,
 194                                enum ip_conntrack_info ctinfo,
 195                                struct ip_conntrack *ct,
 196                                __be32 newip, u_int16_t port,
 197                                const char *dptr)
 198 {
 199         char buffer[sizeof("nnn.nnn.nnn.nnn")];
 200         unsigned int dataoff, bufflen;
 201
 202         dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
 203
 204         /* Mangle owner and contact info. */
 205         bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
 206         if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
 207                                buffer, bufflen, POS_OWNER))
 208                 return 0;
 209
 210         if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
 211                                buffer, bufflen, POS_CONNECTION))
 212                 return 0;
 213
 214         /* Mangle media port. */
 215         bufflen = sprintf(buffer, "%u", port);
 216         if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
 217                                buffer, bufflen, POS_MEDIA))
 218                 return 0;
 219
 220         return mangle_content_len(pskb, ctinfo, ct, dptr);
 221 }
 222
 223 /* So, this packet has hit the connection tracking matching code.
 224    Mangle it, and change the expectation to match the new version. */
 225 static unsigned int ip_nat_sdp(struct sk_buff **pskb,
 226                                enum ip_conntrack_info ctinfo,
 227                                struct ip_conntrack_expect *exp,
 228                                const char *dptr)
 229 {
 230         struct ip_conntrack *ct = exp->master;
 231         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 232         __be32 newip;
 233         u_int16_t port;
 234
 235         DEBUGP("ip_nat_sdp():\n");
 236
 237         /* Connection will come from reply */
 238         newip = ct->tuplehash[!dir].tuple.dst.ip;
 239
 240         exp->tuple.dst.ip = newip;
 241         exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
 242         exp->dir = !dir;
 243
 244         /* When you see the packet, we need to NAT it the same as the
 245            this one. */
 246         exp->expectfn = ip_nat_follow_master;
 247
 248         /* Try to get same port: if not, try to change it. */
 249         for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
 250                 exp->tuple.dst.u.udp.port = htons(port);
 251                 if (ip_conntrack_expect_related(exp) == 0)
 252                         break;
 253         }
 254
 255         if (port == 0)
 256                 return NF_DROP;
 257
 258         if (!mangle_sdp(pskb, ctinfo, ct, newip, port, dptr)) {
 259                 ip_conntrack_unexpect_related(exp);
 260                 return NF_DROP;
 261         }
 262         return NF_ACCEPT;
 263 }
 264
 265 static void __exit fini(void)
 266 {
 267         rcu_assign_pointer(ip_nat_sip_hook, NULL);
 268         rcu_assign_pointer(ip_nat_sdp_hook, NULL);
 269         synchronize_rcu();
 270 }
 271
 272 static int __init init(void)
 273 {
 274         BUG_ON(rcu_dereference(ip_nat_sip_hook));
 275         BUG_ON(rcu_dereference(ip_nat_sdp_hook));
 276         rcu_assign_pointer(ip_nat_sip_hook, ip_nat_sip);
 277         rcu_assign_pointer(ip_nat_sdp_hook, ip_nat_sdp);
 278         return 0;
 279 }
 280
 281 module_init(init);
 282 module_exit(fini);