1 | /* SIP extension for IP connection tracking. |
2 | * | |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | |
4 | * based on RR's ip_conntrack_ftp.c and other modules. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <linux/module.h> | |
12 | #include <linux/ctype.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/inet.h> | |
15 | #include <linux/in.h> | |
16 | #include <linux/udp.h> | |
1863f096 | 17 | #include <linux/netfilter.h> |
18 | |
19 | #include <net/netfilter/nf_conntrack.h> | |
20 | #include <net/netfilter/nf_conntrack_expect.h> | |
21 | #include <net/netfilter/nf_conntrack_helper.h> | |
22 | #include <linux/netfilter/nf_conntrack_sip.h> | |
23 | ||
/* Debug output is compiled out (the "#if 0").  Flipping it to 1 routes
 * DEBUGP() to printk; be aware that some call sites print raw packet data
 * with %s although that data is not guaranteed to be NUL-terminated. */
#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif
29 | ||
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP connection tracking helper");
MODULE_ALIAS("ip_conntrack_sip");

/* UDP ports the helper is attached to.  When none is given on the command
 * line, nf_conntrack_sip_init() falls back to SIP_PORT.  The parameter is
 * read-only in sysfs (0400). */
#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
static int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of SIP servers");

/* Lifetime, in seconds, granted to the master SIP connection on every
 * packet (sip_help() passes sip_timeout * HZ to nf_ct_refresh()).
 * Writable by root through sysfs (0600). */
static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
module_param(sip_timeout, uint, 0600);
MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");

/* NAT hooks, filled in by the SIP NAT helper module.  Both are read with
 * rcu_dereference() and only invoked when the connection carries a NAT
 * status bit (IPS_NAT_MASK). */
unsigned int (*nf_nat_sip_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct nf_conn *ct,
				const char **dptr) __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_sip_hook);

unsigned int (*nf_nat_sdp_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct nf_conntrack_expect *exp,
				const char *dptr) __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
56 | ||
57 | static int digits_len(struct nf_conn *, const char *, const char *, int *); | |
58 | static int epaddr_len(struct nf_conn *, const char *, const char *, int *); | |
59 | static int skp_digits_len(struct nf_conn *, const char *, const char *, int *); | |
60 | static int skp_epaddr_len(struct nf_conn *, const char *, const char *, int *); | |
61 | ||
/* One entry of ct_sip_hdrs[]: how ct_sip_get_info() finds a SIP header
 * (or SDP field) and the value inside it.  All lengths exclude the NUL. */
struct sip_header_nfo {
	const char *lname;	/* long header name, e.g. "From:" */
	const char *sname;	/* compact form incl. the leading CRLF, e.g.
				 * "\r\nf:"; NULL when the header has none */
	const char *ln_str;	/* token that immediately precedes the value
				 * within the matched line */
	size_t lnlen;
	size_t snlen;		/* 0 when sname is NULL */
	size_t ln_strlen;
	int case_sensitive;	/* how ct_sip_search() compares ln_str */
	/* Computes the value's length starting right after ln_str; may add
	 * skipped bytes to the int* so the caller's offset is adjusted. */
	int (*match_len)(struct nf_conn *, const char *,
			 const char *, int *);
};
73 | ||
/* Header/field descriptors, indexed by enum sip_header_pos.
 *
 * ct_sip_get_info() compares lname and sname with strncmp(), i.e. header
 * names are matched case-sensitively; only the ln_str search inside the
 * matched line honours .case_sensitive.  The two URI entries have no
 * sname, so their zero-length compare succeeds at the very first position
 * and the request line itself is searched for ln_str.  The SDP entries key
 * off the preceding line break ("\n"/"\r") rather than a header name. */
static const struct sip_header_nfo ct_sip_hdrs[] = {
	[POS_REG_REQ_URI] = { 	/* SIP REGISTER request URI */
		.lname		= "sip:",
		.lnlen		= sizeof("sip:") - 1,
		.ln_str		= ":",
		.ln_strlen	= sizeof(":") - 1,
		.match_len	= epaddr_len,
	},
	[POS_REQ_URI] = { 	/* SIP request URI */
		.lname		= "sip:",
		.lnlen		= sizeof("sip:") - 1,
		.ln_str		= "@",
		.ln_strlen	= sizeof("@") - 1,
		.match_len	= epaddr_len,
	},
	[POS_FROM] = { 		/* SIP From header */
		.lname		= "From:",
		.lnlen		= sizeof("From:") - 1,
		.sname		= "\r\nf:",
		.snlen		= sizeof("\r\nf:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len,
	},
	[POS_TO] = { 		/* SIP To header */
		.lname		= "To:",
		.lnlen		= sizeof("To:") - 1,
		.sname		= "\r\nt:",
		.snlen		= sizeof("\r\nt:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len
	},
	[POS_VIA] = { 		/* SIP Via header */
		.lname		= "Via:",
		.lnlen		= sizeof("Via:") - 1,
		.sname		= "\r\nv:",
		.snlen		= sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
		.ln_str		= "UDP ",
		.ln_strlen	= sizeof("UDP ") - 1,
		.match_len	= epaddr_len,
	},
	[POS_CONTACT] = { 	/* SIP Contact header */
		.lname		= "Contact:",
		.lnlen		= sizeof("Contact:") - 1,
		.sname		= "\r\nm:",
		.snlen		= sizeof("\r\nm:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len
	},
	[POS_CONTENT] = { 	/* SIP Content length header */
		.lname		= "Content-Length:",
		.lnlen		= sizeof("Content-Length:") - 1,
		.sname		= "\r\nl:",
		.snlen		= sizeof("\r\nl:") - 1,
		.ln_str		= ":",
		.ln_strlen	= sizeof(":") - 1,
		.match_len	= skp_digits_len
	},
	/* SDP fields below: matched case-sensitively, value is the port
	 * (m=) or an address (o=, c=) or the version digits (v=). */
	[POS_MEDIA] = { 	/* SDP media info */
		.case_sensitive	= 1,
		.lname		= "\nm=",
		.lnlen		= sizeof("\nm=") - 1,
		.sname		= "\rm=",
		.snlen		= sizeof("\rm=") - 1,
		.ln_str		= "audio ",
		.ln_strlen	= sizeof("audio ") - 1,
		.match_len	= digits_len
	},
	[POS_OWNER_IP4] = { 	/* SDP owner address*/
		.case_sensitive	= 1,
		.lname		= "\no=",
		.lnlen		= sizeof("\no=") - 1,
		.sname		= "\ro=",
		.snlen		= sizeof("\ro=") - 1,
		.ln_str		= "IN IP4 ",
		.ln_strlen	= sizeof("IN IP4 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_CONNECTION_IP4] = {/* SDP connection info */
		.case_sensitive	= 1,
		.lname		= "\nc=",
		.lnlen		= sizeof("\nc=") - 1,
		.sname		= "\rc=",
		.snlen		= sizeof("\rc=") - 1,
		.ln_str		= "IN IP4 ",
		.ln_strlen	= sizeof("IN IP4 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_OWNER_IP6] = { 	/* SDP owner address*/
		.case_sensitive	= 1,
		.lname		= "\no=",
		.lnlen		= sizeof("\no=") - 1,
		.sname		= "\ro=",
		.snlen		= sizeof("\ro=") - 1,
		.ln_str		= "IN IP6 ",
		.ln_strlen	= sizeof("IN IP6 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_CONNECTION_IP6] = {/* SDP connection info */
		.case_sensitive	= 1,
		.lname		= "\nc=",
		.lnlen		= sizeof("\nc=") - 1,
		.sname		= "\rc=",
		.snlen		= sizeof("\rc=") - 1,
		.ln_str		= "IN IP6 ",
		.ln_strlen	= sizeof("IN IP6 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_SDP_HEADER] = { 	/* SDP version header */
		.case_sensitive	= 1,
		.lname		= "\nv=",
		.lnlen		= sizeof("\nv=") - 1,
		.sname		= "\rv=",
		.snlen		= sizeof("\rv=") - 1,
		.ln_str		= "=",
		.ln_strlen	= sizeof("=") - 1,
		.match_len	= digits_len
	}
};
195 | ||
/* Length of the line that starts at @line.  A leading run of CR/LF bytes
 * is stepped over but still counted; scanning then stops at the next CR
 * or LF.  @limit is inclusive and is never read past, so when no line
 * break is found the result extends to limit + 1. */
int ct_sip_lnlen(const char *line, const char *limit)
{
	const char *p = line;

	/* Step over any leading CR/LF run (it counts toward the result). */
	for (; p <= limit && (*p == '\r' || *p == '\n'); p++)
		;
	/* Advance to the terminating CR or LF, or one past limit. */
	for (; p <= limit && *p != '\r' && *p != '\n'; p++)
		;

	return p - line;
}
211 | EXPORT_SYMBOL_GPL(ct_sip_lnlen); | |
212 | ||
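/* Linear search for @needle (needle_len bytes) inside the first
 * @haystack_len bytes of @haystack; neither buffer is NUL-terminated.
 * Bytes are compared with strncmp() when @case_sensitive is non-zero and
 * with strnicmp() otherwise.  Returns a pointer to the first match, or
 * NULL when there is none or the needle is longer than the haystack. */
const char *ct_sip_search(const char *needle, const char *haystack,
			  size_t needle_len, size_t haystack_len,
			  int case_sensitive)
{
	const char *limit;

	/* haystack_len - needle_len is unsigned: a haystack (here: a SIP
	 * line, possibly truncated at the end of the packet) shorter than
	 * the token would wrap the subtraction and push @limit far beyond
	 * the buffer, and the loop would compare bytes past the packet. */
	if (needle_len > haystack_len)
		return NULL;
	limit = haystack + (haystack_len - needle_len);

	for (; haystack <= limit; haystack++) {
		int hit;

		if (case_sensitive)
			hit = strncmp(haystack, needle, needle_len) == 0;
		else
			hit = strnicmp(haystack, needle, needle_len) == 0;
		if (hit)
			return haystack;
	}
	return NULL;
}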
232 | EXPORT_SYMBOL_GPL(ct_sip_search); | |
233 | ||
/* Length of the run of decimal digits starting at @dptr, reading no
 * further than @limit (inclusive).  @ct and @shift are unused here and
 * exist only to satisfy the sip_header_nfo.match_len signature. */
static int digits_len(struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	const char *p = dptr;

	for (; p <= limit && isdigit(*p); p++)
		;
	return (int)(p - dptr);
}
244 | ||
/* Like digits_len(), but tolerates leading blanks: every space skipped is
 * added to *shift so the caller's match offset still lands on the first
 * digit.  @limit is inclusive. */
static int skp_digits_len(struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	while (dptr <= limit && *dptr == ' ') {
		(*shift)++;
		dptr++;
	}

	return digits_len(ct, dptr, limit, shift);
}
254 | ||
/* Parse the textual address at @cp into @addr, reading at most up to
 * @limit.  The address family is taken from the original direction of
 * the master connection; the helper is only ever registered for AF_INET
 * and AF_INET6 (see nf_conntrack_sip_init()), hence the BUG() otherwise.
 * On success the end of the address is stored in *endp (when non-NULL)
 * and 1 is returned; 0 means nothing parseable was found at @cp. */
static int parse_addr(struct nf_conn *ct, const char *cp, const char **endp,
		      union nf_conntrack_address *addr, const char *limit)
{
	const char *end;
	int ok = 0;

	switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num) {
	case AF_INET:
		ok = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
		break;
	case AF_INET6:
		ok = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
		break;
	default:
		BUG();
	}

	/* A zero-length parse is treated as a failure too. */
	if (!ok || end == cp)
		return 0;
	if (endp)
		*endp = end;
	return 1;
}
279 | ||
/* Length of the "address[:port]" endpoint starting at @dptr, or 0 when no
 * address parses there.  @limit is inclusive; the port digits are
 * measured by digits_len(), which also stops at @limit. */
static int epaddr_len(struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	union nf_conntrack_address addr;
	const char *start = dptr;

	if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
		/* NOTE(review): dptr is raw packet data with no NUL
		 * terminator; the %s is only harmless while DEBUGP is
		 * compiled out. */
		DEBUGP("ip: %s parse failed.!\n", dptr);
		return 0;
	}

	/* Optional ":port" right after the address. */
	if (*dptr == ':')
		dptr += 1 + digits_len(ct, dptr + 1, limit, shift);

	return dptr - start;
}
299 | ||
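/* Length of the endpoint in a "sip:[user@]host[:port]" URI at @dptr.
 * A "user@" part is skipped and its length added to *shift so that the
 * caller's match offset lands on the host.  @limit is inclusive.
 * Returns 0 when no address parses (epaddr_len() semantics). */
static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	const char *start = dptr;
	int s = *shift;

	/* Search for @, but stop at the end of the line.
	 * We are inside a sip: URI, so we don't need to worry about
	 * continuation lines. */
	while (dptr <= limit &&
	       *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
		(*shift)++;
		dptr++;
	}

	if (dptr <= limit && *dptr == '@') {
		/* Step over the '@' itself as well. */
		dptr++;
		(*shift)++;
	} else {
		/* No user part: the scan above ran to the end of the line,
		 * so rewind the pointer along with the shift; otherwise a
		 * plain "sip:host" URI would be parsed from the line end. */
		dptr = start;
		*shift = s;
	}

	return epaddr_len(ct, dptr, limit, shift);
}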
323 | ||
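/* Locate header/field @pos in the @dlen bytes of SIP payload at @dptr.
 * On success *matchoff and *matchlen describe the value (an address
 * with optional port, or a digit string, depending on the entry) and 1
 * is returned.  Returns 0 when the header is not present and -1 when it
 * is present but the expected token or value could not be parsed. */
int ct_sip_get_info(struct nf_conn *ct,
		    const char *dptr, size_t dlen,
		    unsigned int *matchoff,
		    unsigned int *matchlen,
		    enum sip_header_pos pos)
{
	const struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
	const char *limit, *aux, *k = dptr;
	int shift = 0;

	/* dlen - lnlen is unsigned: a payload shorter than the header name
	 * (possible for callers other than sip_help(), which only
	 * guarantees 11 bytes) would wrap and place @limit far past the
	 * packet data, and every compare below would read beyond it. */
	if (dlen < hnfo->lnlen)
		return 0;
	limit = dptr + (dlen - hnfo->lnlen);

	while (dptr <= limit) {
		/* Entries without a compact form have snlen == 0, so the
		 * second strncmp() compares nothing and reports a match:
		 * for those entries the body runs at the very first
		 * position and the token is looked up on the first line.
		 * NOTE(review): this relies on strncmp() not touching its
		 * arguments for a zero length (sname is NULL there). */
		if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
		    (strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
			dptr++;
			continue;
		}
		/* The token is searched within the matched line only. */
		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
				    ct_sip_lnlen(dptr, limit),
				    hnfo->case_sensitive);
		if (!aux) {
			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
			       hnfo->lname);
			return -1;
		}
		aux += hnfo->ln_strlen;

		/* The value starts right after the token; match_len() may
		 * bump @shift for bytes it skipped (blanks, "user@"). */
		*matchlen = hnfo->match_len(ct, aux, limit, &shift);
		if (!*matchlen)
			return -1;

		*matchoff = (aux - k) + shift;

		DEBUGP("%s match succeeded! - len: %u\n", hnfo->lname,
		       *matchlen);
		return 1;
	}
	DEBUGP("%s header not found.\n", hnfo->lname);
	return 0;
}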
366 | EXPORT_SYMBOL_GPL(ct_sip_get_info); | |
367 | ||
/* Expect the RTP flow announced in the SDP body: from the peer in the
 * reply direction to @addr:@port over UDP.  On NATed connections the
 * SDP NAT hook (when loaded) takes over registering the expectation
 * and rewriting the payload.  Returns NF_ACCEPT, or NF_DROP when the
 * expectation cannot be allocated or registered. */
static int set_expected_rtp(struct sk_buff **pskb,
			    struct nf_conn *ct,
			    enum ip_conntrack_info ctinfo,
			    union nf_conntrack_address *addr,
			    __be16 port,
			    const char *dptr)
{
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	int family = ct->tuplehash[!dir].tuple.src.l3num;
	struct nf_conntrack_expect *exp;
	typeof(nf_nat_sdp_hook) nat_sdp;
	int ret;

	exp = nf_conntrack_expect_alloc(ct);
	if (!exp)
		return NF_DROP;
	nf_conntrack_expect_init(exp, family,
				 &ct->tuplehash[!dir].tuple.src.u3, addr,
				 IPPROTO_UDP, NULL, &port);

	nat_sdp = rcu_dereference(nf_nat_sdp_hook);
	if (nat_sdp && (ct->status & IPS_NAT_MASK))
		ret = nat_sdp(pskb, ctinfo, exp, dptr);
	else
		ret = nf_conntrack_expect_related(exp) != 0 ? NF_DROP
							    : NF_ACCEPT;

	/* Drop our reference; the expectation table holds its own. */
	nf_conntrack_expect_put(exp);
	return ret;
}
401 | ||
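/* Decimal port parse bounded to the @len digits already measured by
 * digits_len(), so no byte past the matched run (and thus past the
 * packet data) is read.  Returns 1 and stores the value in *port, or 0
 * when @len is 0 or the value does not fit a 16-bit port. */
static int sip_parse_port(const char *p, unsigned int len, u_int16_t *port)
{
	unsigned long v = 0;
	unsigned int i;

	if (len == 0)
		return 0;
	for (i = 0; i < len; i++) {
		if (!isdigit(p[i]))
			break;
		v = v * 10 + (unsigned long)(p[i] - '0');
		/* Reject instead of truncating to 16 bits. */
		if (v > 0xFFFF)
			return 0;
	}
	*port = (u_int16_t)v;
	return 1;
}

/* Per-packet helper for the SIP control connection.  Refreshes the
 * master conntrack timeout, lets the SIP NAT hook rewrite the payload on
 * NATed connections, and for INVITE / "SIP/2.0 200" messages sets up an
 * expectation for the RTP endpoint announced in the SDP body.
 *
 * Returns NF_ACCEPT, or NF_DROP when the NAT hook rejects the packet or
 * the SDP connection address / media port is unusable. */
static int sip_help(struct sk_buff **pskb,
		    unsigned int protoff,
		    struct nf_conn *ct,
		    enum ip_conntrack_info ctinfo)
{
	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
	union nf_conntrack_address addr;
	unsigned int dataoff, datalen;
	const char *dptr;
	int ret = NF_ACCEPT;
	/* unsigned to match ct_sip_get_info()'s out-parameters. */
	unsigned int matchoff, matchlen;
	u_int16_t port;
	enum sip_header_pos pos;
	typeof(nf_nat_sip_hook) nf_nat_sip;

	/* No Data ? */
	dataoff = protoff + sizeof(struct udphdr);
	if (dataoff >= (*pskb)->len)
		return NF_ACCEPT;

	nf_ct_refresh(ct, *pskb, sip_timeout * HZ);

	/* Only linear skbs are parsed; the payload is not copied out. */
	if (!skb_is_nonlinear(*pskb))
		dptr = (*pskb)->data + dataoff;
	else {
		DEBUGP("Copy of skbuff not supported yet.\n");
		goto out;
	}

	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
		if (!nf_nat_sip(pskb, ctinfo, ct, &dptr)) {
			ret = NF_DROP;
			goto out;
		}
	}

	/* Re-read the length: the NAT hook may have resized the packet. */
	datalen = (*pskb)->len - dataoff;
	if (datalen < sizeof("SIP/2.0 200") - 1)
		goto out;

	/* RTP info only in some SDP pkts */
	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0)
		goto out;

	/* Get address and port from SDP packet. */
	pos = family == AF_INET ? POS_CONNECTION_IP4 : POS_CONNECTION_IP6;
	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, pos) <= 0)
		goto out;

	/* We'll drop only if there are parse problems. */
	if (!parse_addr(ct, dptr + matchoff, NULL, &addr, dptr + datalen)) {
		ret = NF_DROP;
		goto out;
	}
	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
			    POS_MEDIA) <= 0)
		goto out;

	/* Parse exactly the digits digits_len() matched; out-of-range
	 * values are dropped rather than wrapped into a different port,
	 * and privileged ports are refused as before. */
	if (!sip_parse_port(dptr + matchoff, matchlen, &port) ||
	    port < 1024) {
		ret = NF_DROP;
		goto out;
	}
	ret = set_expected_rtp(pskb, ct, ctinfo, &addr, htons(port), dptr);
out:
	return ret;
}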
473 | ||
/* One helper per configured port and address family: sip[i][0] is the
 * IPv4 helper, sip[i][1] the IPv6 one (see nf_conntrack_sip_init()).
 * The helper only keeps a pointer to its name, so the strings live in
 * sip_names, sized for the longest possible name "sip-65535". */
static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
476 | ||
/* Unregister every helper that was registered: a slot whose .me is still
 * NULL was never filled in by nf_conntrack_sip_init() and is skipped. */
static void nf_conntrack_sip_fini(void)
{
	int port_idx, af_idx;

	for (port_idx = 0; port_idx < ports_c; port_idx++) {
		for (af_idx = 0; af_idx < 2; af_idx++) {
			struct nf_conntrack_helper *h = &sip[port_idx][af_idx];

			if (h->me != NULL)
				nf_conntrack_helper_unregister(h);
		}
	}
}
489 | ||
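/* Register an IPv4 and an IPv6 UDP helper for every configured port
 * (SIP_PORT when none was given).  On a registration failure the helpers
 * registered so far are torn down and the error is returned. */
static int __init nf_conntrack_sip_init(void)
{
	int i, j, ret;
	char *tmpname;

	if (ports_c == 0)
		ports[ports_c++] = SIP_PORT;

	for (i = 0; i < ports_c; i++) {
		memset(&sip[i], 0, sizeof(sip[i]));

		sip[i][0].tuple.src.l3num = AF_INET;
		sip[i][1].tuple.src.l3num = AF_INET6;
		for (j = 0; j < 2; j++) {
			sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
			sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
			sip[i][j].mask.src.l3num = 0xFFFF;
			sip[i][j].mask.src.u.udp.port = htons(0xFFFF);
			sip[i][j].mask.dst.protonum = 0xFF;
			sip[i][j].max_expected = 2;
			sip[i][j].timeout = 3 * 60; /* 3 minutes */
			sip[i][j].me = THIS_MODULE;
			sip[i][j].help = sip_help;

			/* "sip" for the default port, "sip-<index>" otherwise;
			 * i < MAX_PORTS so this fits the "sip-65535" buffer. */
			tmpname = &sip_names[i][j][0];
			if (ports[i] == SIP_PORT)
				sprintf(tmpname, "sip");
			else
				sprintf(tmpname, "sip-%u", i);
			sip[i][j].name = tmpname;

			DEBUGP("port #%u: %u\n", i, ports[i]);

			ret = nf_conntrack_helper_register(&sip[i][j]);
			if (ret) {
				printk("nf_ct_sip: failed to register helper "
				       "for pf: %u port: %u\n",
				       sip[i][j].tuple.src.l3num, ports[i]);
				/* This slot was never registered, but .me is
				 * already set; clear it so that
				 * nf_conntrack_sip_fini() skips it instead of
				 * unregistering a helper it never added. */
				sip[i][j].me = NULL;
				nf_conntrack_sip_fini();
				return ret;
			}
		}
	}
	return 0;
}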
535 | ||
/* Module entry points: registration on load, helper teardown on unload. */
module_init(nf_conntrack_sip_init);
module_exit(nf_conntrack_sip_fini);