net/ipv4/netfilter/nf_nat_sip.c

   1 /* SIP extension for UDP NAT alteration.
   2  *
   3  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
   4  * based on RR's ip_nat_ftp.c and other modules.
   5  * (C) 2007 United Security Providers
   6  * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #include <linux/module.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/ip.h>
  16 #include <net/ip.h>
  17 #include <linux/udp.h>
  18
  19 #include <net/netfilter/nf_nat.h>
  20 #include <net/netfilter/nf_nat_helper.h>
  21 #include <net/netfilter/nf_nat_rule.h>
  22 #include <net/netfilter/nf_conntrack_helper.h>
  23 #include <net/netfilter/nf_conntrack_expect.h>
  24 #include <linux/netfilter/nf_conntrack_sip.h>
  25
  26 MODULE_LICENSE("GPL");
  27 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
  28 MODULE_DESCRIPTION("SIP NAT helper");
  29 MODULE_ALIAS("ip_nat_sip");
  30
  31
  32 static unsigned int mangle_packet(struct sk_buff *skb,
  33                                   const char **dptr, unsigned int *datalen,
  34                                   unsigned int matchoff, unsigned int matchlen,
  35                                   const char *buffer, unsigned int buflen)
  36 {
  37         enum ip_conntrack_info ctinfo;
  38         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  39
  40         if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
  41                                       buffer, buflen))
  42                 return 0;
  43
  44         /* Reload data pointer and adjust datalen value */
  45         *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
  46         *datalen += buflen - matchlen;
  47         return 1;
  48 }
  49
  50 static int map_addr(struct sk_buff *skb,
  51                     const char **dptr, unsigned int *datalen,
  52                     unsigned int matchoff, unsigned int matchlen,
  53                     union nf_inet_addr *addr, __be16 port)
  54 {
  55         enum ip_conntrack_info ctinfo;
  56         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  57         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
  58         char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
  59         unsigned int buflen;
  60         __be32 newaddr;
  61         __be16 newport;
  62
  63         if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
  64             ct->tuplehash[dir].tuple.src.u.udp.port == port) {
  65                 newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
  66                 newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
  67         } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
  68                    ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
  69                 newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
  70                 newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
  71         } else
  72                 return 1;
  73
  74         if (newaddr == addr->ip && newport == port)
  75                 return 1;
  76
  77         buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
  78                          NIPQUAD(newaddr), ntohs(newport));
  79
  80         return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
  81                              buffer, buflen);
  82 }
  83
  84 static int map_sip_addr(struct sk_buff *skb,
  85                         const char **dptr, unsigned int *datalen,
  86                         enum sip_header_types type)
  87 {
  88         enum ip_conntrack_info ctinfo;
  89         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
  90         unsigned int matchlen, matchoff;
  91         union nf_inet_addr addr;
  92         __be16 port;
  93
  94         if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
  95                                     &matchoff, &matchlen, &addr, &port) <= 0)
  96                 return 1;
  97         return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port);
  98 }
  99
 100 static unsigned int ip_nat_sip(struct sk_buff *skb,
 101                                const char **dptr, unsigned int *datalen)
 102 {
 103         enum ip_conntrack_info ctinfo;
 104         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 105         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 106         unsigned int dataoff, matchoff, matchlen;
 107         union nf_inet_addr addr;
 108         __be16 port;
 109         int request, in_header;
 110
 111         /* Basic rules: requests and responses. */
 112         if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 113                 if (ct_sip_parse_request(ct, *dptr, *datalen,
 114                                          &matchoff, &matchlen,
 115                                          &addr, &port) > 0 &&
 116                     !map_addr(skb, dptr, datalen, matchoff, matchlen,
 117                               &addr, port))
 118                         return NF_DROP;
 119                 request = 1;
 120         } else
 121                 request = 0;
 122
 123         /* Translate topmost Via header and parameters */
 124         if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
 125                                     SIP_HDR_VIA, NULL, &matchoff, &matchlen,
 126                                     &addr, &port) > 0) {
 127                 unsigned int matchend, poff, plen, buflen, n;
 128                 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
 129
 130                 /* We're only interested in headers related to this
 131                  * connection */
 132                 if (request) {
 133                         if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
 134                             port != ct->tuplehash[dir].tuple.src.u.udp.port)
 135                                 goto next;
 136                 } else {
 137                         if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
 138                             port != ct->tuplehash[dir].tuple.dst.u.udp.port)
 139                                 goto next;
 140                 }
 141
 142                 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
 143                               &addr, port))
 144                         return NF_DROP;
 145
 146                 matchend = matchoff + matchlen;
 147
 148                 /* The maddr= parameter (RFC 2361) specifies where to send
 149                  * the reply. */
 150                 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
 151                                                "maddr=", &poff, &plen,
 152                                                &addr) > 0 &&
 153                     addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
 154                     addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
 155                         __be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 156                         buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
 157                         if (!mangle_packet(skb, dptr, datalen, poff, plen,
 158                                            buffer, buflen))
 159                                 return NF_DROP;
 160                 }
 161
 162                 /* The received= parameter (RFC 2361) contains the address
 163                  * from which the server received the request. */
 164                 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
 165                                                "received=", &poff, &plen,
 166                                                &addr) > 0 &&
 167                     addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
 168                     addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
 169                         __be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
 170                         buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
 171                         if (!mangle_packet(skb, dptr, datalen, poff, plen,
 172                                            buffer, buflen))
 173                                 return NF_DROP;
 174                 }
 175
 176                 /* The rport= parameter (RFC 3581) contains the port number
 177                  * from which the server received the request. */
 178                 if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
 179                                                  "rport=", &poff, &plen,
 180                                                  &n) > 0 &&
 181                     htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
 182                     htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
 183                         __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
 184                         buflen = sprintf(buffer, "%u", ntohs(p));
 185                         if (!mangle_packet(skb, dptr, datalen, poff, plen,
 186                                            buffer, buflen))
 187                                 return NF_DROP;
 188                 }
 189         }
 190
 191 next:
 192         /* Translate Contact headers */
 193         dataoff = 0;
 194         in_header = 0;
 195         while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
 196                                        SIP_HDR_CONTACT, &in_header,
 197                                        &matchoff, &matchlen,
 198                                        &addr, &port) > 0) {
 199                 if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
 200                               &addr, port))
 201                         return NF_DROP;
 202         }
 203
 204         if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
 205             !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO))
 206                 return NF_DROP;
 207         return NF_ACCEPT;
 208 }
 209
 210 /* Handles expected signalling connections and media streams */
 211 static void ip_nat_sip_expected(struct nf_conn *ct,
 212                                 struct nf_conntrack_expect *exp)
 213 {
 214         struct nf_nat_range range;
 215
 216         /* This must be a fresh one. */
 217         BUG_ON(ct->status & IPS_NAT_DONE_MASK);
 218
 219         /* For DST manip, map port here to where it's expected. */
 220         range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
 221         range.min = range.max = exp->saved_proto;
 222         range.min_ip = range.max_ip = exp->saved_ip;
 223         nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
 224
 225         /* Change src to where master sends to, but only if the connection
 226          * actually came from the same source. */
 227         if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
 228             ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
 229                 range.flags = IP_NAT_RANGE_MAP_IPS;
 230                 range.min_ip = range.max_ip
 231                         = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
 232                 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
 233         }
 234 }
 235
 236 static unsigned int ip_nat_sip_expect(struct sk_buff *skb,
 237                                       const char **dptr, unsigned int *datalen,
 238                                       struct nf_conntrack_expect *exp,
 239                                       unsigned int matchoff,
 240                                       unsigned int matchlen)
 241 {
 242         enum ip_conntrack_info ctinfo;
 243         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 244         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 245         __be32 newip;
 246         u_int16_t port;
 247         char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
 248         unsigned buflen;
 249
 250         /* Connection will come from reply */
 251         if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
 252                 newip = exp->tuple.dst.u3.ip;
 253         else
 254                 newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 255
 256         /* If the signalling port matches the connection's source port in the
 257          * original direction, try to use the destination port in the opposite
 258          * direction. */
 259         if (exp->tuple.dst.u.udp.port ==
 260             ct->tuplehash[dir].tuple.src.u.udp.port)
 261                 port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
 262         else
 263                 port = ntohs(exp->tuple.dst.u.udp.port);
 264
 265         exp->saved_ip = exp->tuple.dst.u3.ip;
 266         exp->tuple.dst.u3.ip = newip;
 267         exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
 268         exp->dir = !dir;
 269         exp->expectfn = ip_nat_sip_expected;
 270
 271         for (; port != 0; port++) {
 272                 exp->tuple.dst.u.udp.port = htons(port);
 273                 if (nf_ct_expect_related(exp) == 0)
 274                         break;
 275         }
 276
 277         if (port == 0)
 278                 return NF_DROP;
 279
 280         if (exp->tuple.dst.u3.ip != exp->saved_ip ||
 281             exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
 282                 buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
 283                                  NIPQUAD(newip), port);
 284                 if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 285                                    buffer, buflen))
 286                         goto err;
 287         }
 288         return NF_ACCEPT;
 289
 290 err:
 291         nf_ct_unexpect_related(exp);
 292         return NF_DROP;
 293 }
 294
 295 static int mangle_content_len(struct sk_buff *skb,
 296                               const char **dptr, unsigned int *datalen)
 297 {
 298         enum ip_conntrack_info ctinfo;
 299         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 300         unsigned int matchoff, matchlen;
 301         char buffer[sizeof("65536")];
 302         int buflen, c_len;
 303
 304         /* Get actual SDP length */
 305         if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
 306                                   SDP_HDR_VERSION, SDP_HDR_UNSPEC,
 307                                   &matchoff, &matchlen) <= 0)
 308                 return 0;
 309         c_len = *datalen - matchoff + strlen("v=");
 310
 311         /* Now, update SDP length */
 312         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
 313                               &matchoff, &matchlen) <= 0)
 314                 return 0;
 315
 316         buflen = sprintf(buffer, "%u", c_len);
 317         return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 318                              buffer, buflen);
 319 }
 320
 321 static int mangle_sdp_packet(struct sk_buff *skb, const char **dptr,
 322                              unsigned int dataoff, unsigned int *datalen,
 323                              enum sdp_header_types type,
 324                              enum sdp_header_types term,
 325                              char *buffer, int buflen)
 326 {
 327         enum ip_conntrack_info ctinfo;
 328         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 329         unsigned int matchlen, matchoff;
 330
 331         if (ct_sip_get_sdp_header(ct, *dptr, dataoff, *datalen, type, term,
 332                                   &matchoff, &matchlen) <= 0)
 333                 return -ENOENT;
 334         return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 335                              buffer, buflen) ? 0 : -EINVAL;
 336 }
 337
 338 static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr,
 339                                     unsigned int dataoff,
 340                                     unsigned int *datalen,
 341                                     enum sdp_header_types type,
 342                                     enum sdp_header_types term,
 343                                     const union nf_inet_addr *addr)
 344 {
 345         char buffer[sizeof("nnn.nnn.nnn.nnn")];
 346         unsigned int buflen;
 347
 348         buflen = sprintf(buffer, NIPQUAD_FMT, NIPQUAD(addr->ip));
 349         if (mangle_sdp_packet(skb, dptr, dataoff, datalen, type, term,
 350                               buffer, buflen))
 351                 return 0;
 352
 353         return mangle_content_len(skb, dptr, datalen);
 354 }
 355
 356 static unsigned int ip_nat_sdp_port(struct sk_buff *skb,
 357                                     const char **dptr,
 358                                     unsigned int *datalen,
 359                                     unsigned int matchoff,
 360                                     unsigned int matchlen,
 361                                     u_int16_t port)
 362 {
 363         char buffer[sizeof("nnnnn")];
 364         unsigned int buflen;
 365
 366         buflen = sprintf(buffer, "%u", port);
 367         if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 368                            buffer, buflen))
 369                 return 0;
 370
 371         return mangle_content_len(skb, dptr, datalen);
 372 }
 373
 374 static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr,
 375                                        unsigned int dataoff,
 376                                        unsigned int *datalen,
 377                                        const union nf_inet_addr *addr)
 378 {
 379         char buffer[sizeof("nnn.nnn.nnn.nnn")];
 380         unsigned int buflen;
 381
 382         /* Mangle session description owner and contact addresses */
 383         buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(addr->ip));
 384         if (mangle_sdp_packet(skb, dptr, dataoff, datalen,
 385                                SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
 386                                buffer, buflen))
 387                 return 0;
 388
 389         switch (mangle_sdp_packet(skb, dptr, dataoff, datalen,
 390                                   SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
 391                                   buffer, buflen)) {
 392         case 0:
 393         /*
 394          * RFC 2327:
 395          *
 396          * Session description
 397          *
 398          * c=* (connection information - not required if included in all media)
 399          */
 400         case -ENOENT:
 401                 break;
 402         default:
 403                 return 0;
 404         }
 405
 406         return mangle_content_len(skb, dptr, datalen);
 407 }
 408
 409 /* So, this packet has hit the connection tracking matching code.
 410    Mangle it, and change the expectation to match the new version. */
 411 static unsigned int ip_nat_sdp_media(struct sk_buff *skb,
 412                                      const char **dptr,
 413                                      unsigned int *datalen,
 414                                      struct nf_conntrack_expect *rtp_exp,
 415                                      struct nf_conntrack_expect *rtcp_exp,
 416                                      unsigned int mediaoff,
 417                                      unsigned int medialen,
 418                                      union nf_inet_addr *rtp_addr)
 419 {
 420         enum ip_conntrack_info ctinfo;
 421         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 422         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 423         u_int16_t port;
 424
 425         /* Connection will come from reply */
 426         if (ct->tuplehash[dir].tuple.src.u3.ip ==
 427             ct->tuplehash[!dir].tuple.dst.u3.ip)
 428                 rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
 429         else
 430                 rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 431
 432         rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
 433         rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
 434         rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
 435         rtp_exp->dir = !dir;
 436         rtp_exp->expectfn = ip_nat_sip_expected;
 437
 438         rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
 439         rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
 440         rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
 441         rtcp_exp->dir = !dir;
 442         rtcp_exp->expectfn = ip_nat_sip_expected;
 443
 444         /* Try to get same pair of ports: if not, try to change them. */
 445         for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
 446              port != 0; port += 2) {
 447                 rtp_exp->tuple.dst.u.udp.port = htons(port);
 448                 if (nf_ct_expect_related(rtp_exp) != 0)
 449                         continue;
 450                 rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
 451                 if (nf_ct_expect_related(rtcp_exp) == 0)
 452                         break;
 453                 nf_ct_unexpect_related(rtp_exp);
 454         }
 455
 456         if (port == 0)
 457                 goto err1;
 458
 459         /* Update media port. */
 460         if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
 461             !ip_nat_sdp_port(skb, dptr, datalen, mediaoff, medialen, port))
 462                 goto err2;
 463
 464         return NF_ACCEPT;
 465
 466 err2:
 467         nf_ct_unexpect_related(rtp_exp);
 468         nf_ct_unexpect_related(rtcp_exp);
 469 err1:
 470         return NF_DROP;
 471 }
 472
 473 static void __exit nf_nat_sip_fini(void)
 474 {
 475         rcu_assign_pointer(nf_nat_sip_hook, NULL);
 476         rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
 477         rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
 478         rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
 479         rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
 480         rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
 481         synchronize_rcu();
 482 }
 483
 484 static int __init nf_nat_sip_init(void)
 485 {
 486         BUG_ON(nf_nat_sip_hook != NULL);
 487         BUG_ON(nf_nat_sip_expect_hook != NULL);
 488         BUG_ON(nf_nat_sdp_addr_hook != NULL);
 489         BUG_ON(nf_nat_sdp_port_hook != NULL);
 490         BUG_ON(nf_nat_sdp_session_hook != NULL);
 491         BUG_ON(nf_nat_sdp_media_hook != NULL);
 492         rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
 493         rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
 494         rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
 495         rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
 496         rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
 497         rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
 498         return 0;
 499 }
 500
 501 module_init(nf_nat_sip_init);
 502 module_exit(nf_nat_sip_fini);