1 /* SIP extension for UDP NAT alteration.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_nat_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
15 #include <linux/udp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_nat_rule.h>
20 #include <net/netfilter/nf_conntrack_helper.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP NAT helper");
27 MODULE_ALIAS("ip_nat_sip");
30 static unsigned int mangle_packet(struct sk_buff *skb,
31 const char **dptr, unsigned int *datalen,
32 unsigned int matchoff, unsigned int matchlen,
33 const char *buffer, unsigned int buflen)
35 enum ip_conntrack_info ctinfo;
36 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
38 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
42 /* Reload data pointer and adjust datalen value */
43 *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
44 *datalen += buflen - matchlen;
48 static int map_addr(struct sk_buff *skb,
49 const char **dptr, unsigned int *datalen,
50 unsigned int matchoff, unsigned int matchlen,
51 union nf_inet_addr *addr, __be16 port)
53 enum ip_conntrack_info ctinfo;
54 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
55 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
56 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
61 if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
62 ct->tuplehash[dir].tuple.src.u.udp.port == port) {
63 newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
64 newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
65 } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
66 ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
67 newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
68 newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
72 if (newaddr == addr->ip && newport == port)
75 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
76 NIPQUAD(newaddr), ntohs(newport));
78 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
82 static int map_sip_addr(struct sk_buff *skb,
83 const char **dptr, unsigned int *datalen,
84 enum sip_header_types type)
86 enum ip_conntrack_info ctinfo;
87 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
88 unsigned int matchlen, matchoff;
89 union nf_inet_addr addr;
92 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
93 &matchoff, &matchlen, &addr, &port) <= 0)
95 return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port);
98 static unsigned int ip_nat_sip(struct sk_buff *skb,
99 const char **dptr, unsigned int *datalen)
101 enum ip_conntrack_info ctinfo;
102 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
103 unsigned int matchoff, matchlen;
104 union nf_inet_addr addr;
107 /* Basic rules: requests and responses. */
108 if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
109 if (ct_sip_parse_request(ct, *dptr, *datalen,
110 &matchoff, &matchlen,
112 !map_addr(skb, dptr, datalen, matchoff, matchlen,
117 if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
118 !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO) ||
119 !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA) ||
120 !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT))
125 static int mangle_content_len(struct sk_buff *skb,
126 const char **dptr, unsigned int *datalen)
128 enum ip_conntrack_info ctinfo;
129 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
130 unsigned int matchoff, matchlen;
131 char buffer[sizeof("65536")];
134 /* Get actual SDP length */
135 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
136 SDP_HDR_VERSION, SDP_HDR_UNSPEC,
137 &matchoff, &matchlen) <= 0)
139 c_len = *datalen - matchoff + strlen("v=");
141 /* Now, update SDP length */
142 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
143 &matchoff, &matchlen) <= 0)
146 buflen = sprintf(buffer, "%u", c_len);
147 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
151 static unsigned mangle_sdp_packet(struct sk_buff *skb,
152 const char **dptr, unsigned int *datalen,
153 enum sdp_header_types type,
154 char *buffer, int buflen)
156 enum ip_conntrack_info ctinfo;
157 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
158 unsigned int matchlen, matchoff;
160 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen, type, SDP_HDR_UNSPEC,
161 &matchoff, &matchlen) <= 0)
163 return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
167 static unsigned int mangle_sdp(struct sk_buff *skb,
168 enum ip_conntrack_info ctinfo,
170 __be32 newip, u_int16_t port,
171 const char **dptr, unsigned int *datalen)
173 char buffer[sizeof("nnn.nnn.nnn.nnn")];
174 unsigned int bufflen;
176 /* Mangle owner and contact info. */
177 bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
178 if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_OWNER_IP4,
182 if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_CONNECTION_IP4,
186 /* Mangle media port. */
187 bufflen = sprintf(buffer, "%u", port);
188 if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_MEDIA,
192 return mangle_content_len(skb, dptr, datalen);
195 static void ip_nat_sdp_expect(struct nf_conn *ct,
196 struct nf_conntrack_expect *exp)
198 struct nf_nat_range range;
200 /* This must be a fresh one. */
201 BUG_ON(ct->status & IPS_NAT_DONE_MASK);
203 /* For DST manip, map port here to where it's expected. */
204 range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
205 range.min = range.max = exp->saved_proto;
206 range.min_ip = range.max_ip = exp->saved_ip;
207 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
209 /* Change src to where master sends to */
210 range.flags = IP_NAT_RANGE_MAP_IPS;
211 range.min_ip = range.max_ip
212 = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
213 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
216 /* So, this packet has hit the connection tracking matching code.
217 Mangle it, and change the expectation to match the new version. */
218 static unsigned int ip_nat_sdp(struct sk_buff *skb,
219 const char **dptr, unsigned int *datalen,
220 struct nf_conntrack_expect *exp)
222 enum ip_conntrack_info ctinfo;
223 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
224 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
228 /* Connection will come from reply */
229 if (ct->tuplehash[dir].tuple.src.u3.ip ==
230 ct->tuplehash[!dir].tuple.dst.u3.ip)
231 newip = exp->tuple.dst.u3.ip;
233 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
235 exp->saved_ip = exp->tuple.dst.u3.ip;
236 exp->tuple.dst.u3.ip = newip;
237 exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
240 /* When you see the packet, we need to NAT it the same as the
242 exp->expectfn = ip_nat_sdp_expect;
244 /* Try to get same port: if not, try to change it. */
245 for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
246 exp->tuple.dst.u.udp.port = htons(port);
247 if (nf_ct_expect_related(exp) == 0)
254 if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr, datalen)) {
255 nf_ct_unexpect_related(exp);
261 static void __exit nf_nat_sip_fini(void)
263 rcu_assign_pointer(nf_nat_sip_hook, NULL);
264 rcu_assign_pointer(nf_nat_sdp_hook, NULL);
268 static int __init nf_nat_sip_init(void)
270 BUG_ON(nf_nat_sip_hook != NULL);
271 BUG_ON(nf_nat_sdp_hook != NULL);
272 rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
273 rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
277 module_init(nf_nat_sip_init);
278 module_exit(nf_nat_sip_fini);