123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683 |
- /* SIP extension for IP connection tracking.
- *
- * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
- * based on RR's ip_conntrack_ftp.c and other modules.
- * (C) 2007 United Security Providers
- * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
- #include <linux/module.h>
- #include <linux/ctype.h>
- #include <linux/skbuff.h>
- #include <linux/inet.h>
- #include <linux/in.h>
- #include <linux/udp.h>
- #include <linux/tcp.h>
- #include <linux/netfilter.h>
- #include <net/netfilter/nf_conntrack.h>
- #include <net/netfilter/nf_conntrack_core.h>
- #include <net/netfilter/nf_conntrack_expect.h>
- #include <net/netfilter/nf_conntrack_helper.h>
- #include <net/netfilter/nf_conntrack_zones.h>
- #include <linux/netfilter/nf_conntrack_sip.h>
- MODULE_LICENSE("GPL");
- MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
- MODULE_DESCRIPTION("SIP connection tracking helper");
- MODULE_ALIAS("ip_conntrack_sip");
- MODULE_ALIAS_NFCT_HELPER("sip");
- #define MAX_PORTS 8
- static unsigned short ports[MAX_PORTS];
- static unsigned int ports_c;
- module_param_array(ports, ushort, &ports_c, 0400);
- MODULE_PARM_DESC(ports, "port numbers of SIP servers");
- static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
- module_param(sip_timeout, uint, 0600);
- MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
- static int sip_direct_signalling __read_mostly = 1;
- module_param(sip_direct_signalling, int, 0600);
- MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
- "only (default 1)");
- static int sip_direct_media __read_mostly = 1;
- module_param(sip_direct_media, int, 0600);
- MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
- "endpoints only (default 1)");
- const struct nf_nat_sip_hooks *nf_nat_sip_hooks;
- EXPORT_SYMBOL_GPL(nf_nat_sip_hooks);
- static int string_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- int len = 0;
- while (dptr < limit && isalpha(*dptr)) {
- dptr++;
- len++;
- }
- return len;
- }
- static int digits_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- int len = 0;
- while (dptr < limit && isdigit(*dptr)) {
- dptr++;
- len++;
- }
- return len;
- }
- static int iswordc(const char c)
- {
- if (isalnum(c) || c == '!' || c == '"' || c == '%' ||
- (c >= '(' && c <= '/') || c == ':' || c == '<' || c == '>' ||
- c == '?' || (c >= '[' && c <= ']') || c == '_' || c == '`' ||
- c == '{' || c == '}' || c == '~')
- return 1;
- return 0;
- }
- static int word_len(const char *dptr, const char *limit)
- {
- int len = 0;
- while (dptr < limit && iswordc(*dptr)) {
- dptr++;
- len++;
- }
- return len;
- }
- static int callid_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- int len, domain_len;
- len = word_len(dptr, limit);
- dptr += len;
- if (!len || dptr == limit || *dptr != '@')
- return len;
- dptr++;
- len++;
- domain_len = word_len(dptr, limit);
- if (!domain_len)
- return 0;
- return len + domain_len;
- }
- /* get media type + port length */
- static int media_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- int len = string_len(ct, dptr, limit, shift);
- dptr += len;
- if (dptr >= limit || *dptr != ' ')
- return 0;
- len++;
- dptr++;
- return len + digits_len(ct, dptr, limit, shift);
- }
- static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
- const char **endp, union nf_inet_addr *addr,
- const char *limit, bool delim)
- {
- const char *end;
- int ret;
- if (!ct)
- return 0;
- memset(addr, 0, sizeof(*addr));
- switch (nf_ct_l3num(ct)) {
- case AF_INET:
- ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
- if (ret == 0)
- return 0;
- break;
- case AF_INET6:
- if (cp < limit && *cp == '[')
- cp++;
- else if (delim)
- return 0;
- ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
- if (ret == 0)
- return 0;
- if (end < limit && *end == ']')
- end++;
- else if (delim)
- return 0;
- break;
- default:
- BUG();
- }
- if (endp)
- *endp = end;
- return 1;
- }
- /* skip ip address. returns its length. */
- static int epaddr_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- union nf_inet_addr addr;
- const char *aux = dptr;
- if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
- pr_debug("ip: %s parse failed.!\n", dptr);
- return 0;
- }
- /* Port number */
- if (*dptr == ':') {
- dptr++;
- dptr += digits_len(ct, dptr, limit, shift);
- }
- return dptr - aux;
- }
- /* get address length, skiping user info. */
- static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- const char *start = dptr;
- int s = *shift;
- /* Search for @, but stop at the end of the line.
- * We are inside a sip: URI, so we don't need to worry about
- * continuation lines. */
- while (dptr < limit &&
- *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
- (*shift)++;
- dptr++;
- }
- if (dptr < limit && *dptr == '@') {
- dptr++;
- (*shift)++;
- } else {
- dptr = start;
- *shift = s;
- }
- return epaddr_len(ct, dptr, limit, shift);
- }
- /* Parse a SIP request line of the form:
- *
- * Request-Line = Method SP Request-URI SP SIP-Version CRLF
- *
- * and return the offset and length of the address contained in the Request-URI.
- */
- int ct_sip_parse_request(const struct nf_conn *ct,
- const char *dptr, unsigned int datalen,
- unsigned int *matchoff, unsigned int *matchlen,
- union nf_inet_addr *addr, __be16 *port)
- {
- const char *start = dptr, *limit = dptr + datalen, *end;
- unsigned int mlen;
- unsigned int p;
- int shift = 0;
- /* Skip method and following whitespace */
- mlen = string_len(ct, dptr, limit, NULL);
- if (!mlen)
- return 0;
- dptr += mlen;
- if (++dptr >= limit)
- return 0;
- /* Find SIP URI */
- for (; dptr < limit - strlen("sip:"); dptr++) {
- if (*dptr == '\r' || *dptr == '\n')
- return -1;
- if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
- dptr += strlen("sip:");
- break;
- }
- }
- if (!skp_epaddr_len(ct, dptr, limit, &shift))
- return 0;
- dptr += shift;
- if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
- return -1;
- if (end < limit && *end == ':') {
- end++;
- p = simple_strtoul(end, (char **)&end, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
- if (end == dptr)
- return 0;
- *matchoff = dptr - start;
- *matchlen = end - dptr;
- return 1;
- }
- EXPORT_SYMBOL_GPL(ct_sip_parse_request);
- /* SIP header parsing: SIP headers are located at the beginning of a line, but
- * may span several lines, in which case the continuation lines begin with a
- * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
- * CRLF, RFC 3261 allows only CRLF, we support both.
- *
- * Headers are followed by (optionally) whitespace, a colon, again (optionally)
- * whitespace and the values. Whitespace in this context means any amount of
- * tabs, spaces and continuation lines, which are treated as a single whitespace
- * character.
- *
- * Some headers may appear multiple times. A comma separated list of values is
- * equivalent to multiple headers.
- */
- static const struct sip_header ct_sip_hdrs[] = {
- [SIP_HDR_CSEQ] = SIP_HDR("CSeq", NULL, NULL, digits_len),
- [SIP_HDR_FROM] = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
- [SIP_HDR_TO] = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
- [SIP_HDR_CONTACT] = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
- [SIP_HDR_VIA_UDP] = SIP_HDR("Via", "v", "UDP ", epaddr_len),
- [SIP_HDR_VIA_TCP] = SIP_HDR("Via", "v", "TCP ", epaddr_len),
- [SIP_HDR_EXPIRES] = SIP_HDR("Expires", NULL, NULL, digits_len),
- [SIP_HDR_CONTENT_LENGTH] = SIP_HDR("Content-Length", "l", NULL, digits_len),
- [SIP_HDR_CALL_ID] = SIP_HDR("Call-Id", "i", NULL, callid_len),
- };
- static const char *sip_follow_continuation(const char *dptr, const char *limit)
- {
- /* Walk past newline */
- if (++dptr >= limit)
- return NULL;
- /* Skip '\n' in CR LF */
- if (*(dptr - 1) == '\r' && *dptr == '\n') {
- if (++dptr >= limit)
- return NULL;
- }
- /* Continuation line? */
- if (*dptr != ' ' && *dptr != '\t')
- return NULL;
- /* skip leading whitespace */
- for (; dptr < limit; dptr++) {
- if (*dptr != ' ' && *dptr != '\t')
- break;
- }
- return dptr;
- }
- static const char *sip_skip_whitespace(const char *dptr, const char *limit)
- {
- for (; dptr < limit; dptr++) {
- if (*dptr == ' ')
- continue;
- if (*dptr != '\r' && *dptr != '\n')
- break;
- dptr = sip_follow_continuation(dptr, limit);
- if (dptr == NULL)
- return NULL;
- }
- return dptr;
- }
- /* Search within a SIP header value, dealing with continuation lines */
- static const char *ct_sip_header_search(const char *dptr, const char *limit,
- const char *needle, unsigned int len)
- {
- for (limit -= len; dptr < limit; dptr++) {
- if (*dptr == '\r' || *dptr == '\n') {
- dptr = sip_follow_continuation(dptr, limit);
- if (dptr == NULL)
- break;
- continue;
- }
- if (strncasecmp(dptr, needle, len) == 0)
- return dptr;
- }
- return NULL;
- }
- int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- enum sip_header_types type,
- unsigned int *matchoff, unsigned int *matchlen)
- {
- const struct sip_header *hdr = &ct_sip_hdrs[type];
- const char *start = dptr, *limit = dptr + datalen;
- int shift = 0;
- for (dptr += dataoff; dptr < limit; dptr++) {
- /* Find beginning of line */
- if (*dptr != '\r' && *dptr != '\n')
- continue;
- if (++dptr >= limit)
- break;
- if (*(dptr - 1) == '\r' && *dptr == '\n') {
- if (++dptr >= limit)
- break;
- }
- /* Skip continuation lines */
- if (*dptr == ' ' || *dptr == '\t')
- continue;
- /* Find header. Compact headers must be followed by a
- * non-alphabetic character to avoid mismatches. */
- if (limit - dptr >= hdr->len &&
- strncasecmp(dptr, hdr->name, hdr->len) == 0)
- dptr += hdr->len;
- else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
- strncasecmp(dptr, hdr->cname, hdr->clen) == 0 &&
- !isalpha(*(dptr + hdr->clen)))
- dptr += hdr->clen;
- else
- continue;
- /* Find and skip colon */
- dptr = sip_skip_whitespace(dptr, limit);
- if (dptr == NULL)
- break;
- if (*dptr != ':' || ++dptr >= limit)
- break;
- /* Skip whitespace after colon */
- dptr = sip_skip_whitespace(dptr, limit);
- if (dptr == NULL)
- break;
- *matchoff = dptr - start;
- if (hdr->search) {
- dptr = ct_sip_header_search(dptr, limit, hdr->search,
- hdr->slen);
- if (!dptr)
- return -1;
- dptr += hdr->slen;
- }
- *matchlen = hdr->match_len(ct, dptr, limit, &shift);
- if (!*matchlen)
- return -1;
- *matchoff = dptr - start + shift;
- return 1;
- }
- return 0;
- }
- EXPORT_SYMBOL_GPL(ct_sip_get_header);
- /* Get next header field in a list of comma separated values */
- static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- enum sip_header_types type,
- unsigned int *matchoff, unsigned int *matchlen)
- {
- const struct sip_header *hdr = &ct_sip_hdrs[type];
- const char *start = dptr, *limit = dptr + datalen;
- int shift = 0;
- dptr += dataoff;
- dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
- if (!dptr)
- return 0;
- dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
- if (!dptr)
- return 0;
- dptr += hdr->slen;
- *matchoff = dptr - start;
- *matchlen = hdr->match_len(ct, dptr, limit, &shift);
- if (!*matchlen)
- return -1;
- *matchoff += shift;
- return 1;
- }
- /* Walk through headers until a parsable one is found or no header of the
- * given type is left. */
- static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- enum sip_header_types type, int *in_header,
- unsigned int *matchoff, unsigned int *matchlen)
- {
- int ret;
- if (in_header && *in_header) {
- while (1) {
- ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
- type, matchoff, matchlen);
- if (ret > 0)
- return ret;
- if (ret == 0)
- break;
- dataoff += *matchoff;
- }
- *in_header = 0;
- }
- while (1) {
- ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
- type, matchoff, matchlen);
- if (ret > 0)
- break;
- if (ret == 0)
- return ret;
- dataoff += *matchoff;
- }
- if (in_header)
- *in_header = 1;
- return 1;
- }
- /* Locate a SIP header, parse the URI and return the offset and length of
- * the address as well as the address and port themselves. A stream of
- * headers can be parsed by handing in a non-NULL datalen and in_header
- * pointer.
- */
- int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
- unsigned int *dataoff, unsigned int datalen,
- enum sip_header_types type, int *in_header,
- unsigned int *matchoff, unsigned int *matchlen,
- union nf_inet_addr *addr, __be16 *port)
- {
- const char *c, *limit = dptr + datalen;
- unsigned int p;
- int ret;
- ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
- type, in_header, matchoff, matchlen);
- WARN_ON(ret < 0);
- if (ret == 0)
- return ret;
- if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
- return -1;
- if (*c == ':') {
- c++;
- p = simple_strtoul(c, (char **)&c, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
- if (dataoff)
- *dataoff = c - dptr;
- return 1;
- }
- EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
- static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- const char *name,
- unsigned int *matchoff, unsigned int *matchlen)
- {
- const char *limit = dptr + datalen;
- const char *start;
- const char *end;
- limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
- if (!limit)
- limit = dptr + datalen;
- start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
- if (!start)
- return 0;
- start += strlen(name);
- end = ct_sip_header_search(start, limit, ";", strlen(";"));
- if (!end)
- end = limit;
- *matchoff = start - dptr;
- *matchlen = end - start;
- return 1;
- }
- /* Parse address from header parameter and return address, offset and length */
- int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- const char *name,
- unsigned int *matchoff, unsigned int *matchlen,
- union nf_inet_addr *addr, bool delim)
- {
- const char *limit = dptr + datalen;
- const char *start, *end;
- limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
- if (!limit)
- limit = dptr + datalen;
- start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
- if (!start)
- return 0;
- start += strlen(name);
- if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
- return 0;
- *matchoff = start - dptr;
- *matchlen = end - start;
- return 1;
- }
- EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
- /* Parse numerical header parameter and return value, offset and length */
- int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- const char *name,
- unsigned int *matchoff, unsigned int *matchlen,
- unsigned int *val)
- {
- const char *limit = dptr + datalen;
- const char *start;
- char *end;
- limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
- if (!limit)
- limit = dptr + datalen;
- start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
- if (!start)
- return 0;
- start += strlen(name);
- *val = simple_strtoul(start, &end, 0);
- if (start == end)
- return 0;
- if (matchoff && matchlen) {
- *matchoff = start - dptr;
- *matchlen = end - start;
- }
- return 1;
- }
- EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
- static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- u8 *proto)
- {
- unsigned int matchoff, matchlen;
- if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=",
- &matchoff, &matchlen)) {
- if (!strncasecmp(dptr + matchoff, "TCP", strlen("TCP")))
- *proto = IPPROTO_TCP;
- else if (!strncasecmp(dptr + matchoff, "UDP", strlen("UDP")))
- *proto = IPPROTO_UDP;
- else
- return 0;
- if (*proto != nf_ct_protonum(ct))
- return 0;
- } else
- *proto = nf_ct_protonum(ct);
- return 1;
- }
- static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
- const char **endp, union nf_inet_addr *addr,
- const char *limit)
- {
- const char *end;
- int ret;
- memset(addr, 0, sizeof(*addr));
- switch (nf_ct_l3num(ct)) {
- case AF_INET:
- ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
- break;
- case AF_INET6:
- ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
- break;
- default:
- BUG();
- }
- if (ret == 0)
- return 0;
- if (endp)
- *endp = end;
- return 1;
- }
- /* skip ip address. returns its length. */
- static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
- const char *limit, int *shift)
- {
- union nf_inet_addr addr;
- const char *aux = dptr;
- if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
- pr_debug("ip: %s parse failed.!\n", dptr);
- return 0;
- }
- return dptr - aux;
- }
- /* SDP header parsing: a SDP session description contains an ordered set of
- * headers, starting with a section containing general session parameters,
- * optionally followed by multiple media descriptions.
- *
- * SDP headers always start at the beginning of a line. According to RFC 2327:
- * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
- * be tolerant and also accept records terminated with a single newline
- * character". We handle both cases.
- */
- static const struct sip_header ct_sdp_hdrs_v4[] = {
- [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
- [SDP_HDR_OWNER] = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
- [SDP_HDR_CONNECTION] = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
- [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len),
- };
- static const struct sip_header ct_sdp_hdrs_v6[] = {
- [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
- [SDP_HDR_OWNER] = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
- [SDP_HDR_CONNECTION] = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
- [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len),
- };
- /* Linear string search within SDP header values */
- static const char *ct_sdp_header_search(const char *dptr, const char *limit,
- const char *needle, unsigned int len)
- {
- for (limit -= len; dptr < limit; dptr++) {
- if (*dptr == '\r' || *dptr == '\n')
- break;
- if (strncmp(dptr, needle, len) == 0)
- return dptr;
- }
- return NULL;
- }
- /* Locate a SDP header (optionally a substring within the header value),
- * optionally stopping at the first occurrence of the term header, parse
- * it and return the offset and length of the data we're interested in.
- */
- int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- enum sdp_header_types type,
- enum sdp_header_types term,
- unsigned int *matchoff, unsigned int *matchlen)
- {
- const struct sip_header *hdrs, *hdr, *thdr;
- const char *start = dptr, *limit = dptr + datalen;
- int shift = 0;
- hdrs = nf_ct_l3num(ct) == NFPROTO_IPV4 ? ct_sdp_hdrs_v4 : ct_sdp_hdrs_v6;
- hdr = &hdrs[type];
- thdr = &hdrs[term];
- for (dptr += dataoff; dptr < limit; dptr++) {
- /* Find beginning of line */
- if (*dptr != '\r' && *dptr != '\n')
- continue;
- if (++dptr >= limit)
- break;
- if (*(dptr - 1) == '\r' && *dptr == '\n') {
- if (++dptr >= limit)
- break;
- }
- if (term != SDP_HDR_UNSPEC &&
- limit - dptr >= thdr->len &&
- strncasecmp(dptr, thdr->name, thdr->len) == 0)
- break;
- else if (limit - dptr >= hdr->len &&
- strncasecmp(dptr, hdr->name, hdr->len) == 0)
- dptr += hdr->len;
- else
- continue;
- *matchoff = dptr - start;
- if (hdr->search) {
- dptr = ct_sdp_header_search(dptr, limit, hdr->search,
- hdr->slen);
- if (!dptr)
- return -1;
- dptr += hdr->slen;
- }
- *matchlen = hdr->match_len(ct, dptr, limit, &shift);
- if (!*matchlen)
- return -1;
- *matchoff = dptr - start + shift;
- return 1;
- }
- return 0;
- }
- EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
- static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
- unsigned int dataoff, unsigned int datalen,
- enum sdp_header_types type,
- enum sdp_header_types term,
- unsigned int *matchoff, unsigned int *matchlen,
- union nf_inet_addr *addr)
- {
- int ret;
- ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
- matchoff, matchlen);
- if (ret <= 0)
- return ret;
- if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
- dptr + *matchoff + *matchlen))
- return -1;
- return 1;
- }
- static int refresh_signalling_expectation(struct nf_conn *ct,
- union nf_inet_addr *addr,
- u8 proto, __be16 port,
- unsigned int expires)
- {
- struct nf_conn_help *help = nfct_help(ct);
- struct nf_conntrack_expect *exp;
- struct hlist_node *next;
- int found = 0;
- spin_lock_bh(&nf_conntrack_expect_lock);
- hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
- if (exp->class != SIP_EXPECT_SIGNALLING ||
- !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
- exp->tuple.dst.protonum != proto ||
- exp->tuple.dst.u.udp.port != port)
- continue;
- if (!del_timer(&exp->timeout))
- continue;
- exp->flags &= ~NF_CT_EXPECT_INACTIVE;
- exp->timeout.expires = jiffies + expires * HZ;
- add_timer(&exp->timeout);
- found = 1;
- break;
- }
- spin_unlock_bh(&nf_conntrack_expect_lock);
- return found;
- }
- static void flush_expectations(struct nf_conn *ct, bool media)
- {
- struct nf_conn_help *help = nfct_help(ct);
- struct nf_conntrack_expect *exp;
- struct hlist_node *next;
- spin_lock_bh(&nf_conntrack_expect_lock);
- hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
- if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
- continue;
- if (!del_timer(&exp->timeout))
- continue;
- nf_ct_unlink_expect(exp);
- nf_ct_expect_put(exp);
- if (!media)
- break;
- }
- spin_unlock_bh(&nf_conntrack_expect_lock);
- }
- static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- union nf_inet_addr *daddr, __be16 port,
- enum sip_expectation_classes class,
- unsigned int mediaoff, unsigned int medialen)
- {
- struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct net *net = nf_ct_net(ct);
- enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
- union nf_inet_addr *saddr;
- struct nf_conntrack_tuple tuple;
- int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
- u_int16_t base_port;
- __be16 rtp_port, rtcp_port;
- const struct nf_nat_sip_hooks *hooks;
- saddr = NULL;
- if (sip_direct_media) {
- if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
- return NF_ACCEPT;
- saddr = &ct->tuplehash[!dir].tuple.src.u3;
- }
- /* We need to check whether the registration exists before attempting
- * to register it since we can see the same media description multiple
- * times on different connections in case multiple endpoints receive
- * the same call.
- *
- * RTP optimization: if we find a matching media channel expectation
- * and both the expectation and this connection are SNATed, we assume
- * both sides can reach each other directly and use the final
- * destination address from the expectation. We still need to keep
- * the NATed expectations for media that might arrive from the
- * outside, and additionally need to expect the direct RTP stream
- * in case it passes through us even without NAT.
- */
- memset(&tuple, 0, sizeof(tuple));
- if (saddr)
- tuple.src.u3 = *saddr;
- tuple.src.l3num = nf_ct_l3num(ct);
- tuple.dst.protonum = IPPROTO_UDP;
- tuple.dst.u3 = *daddr;
- tuple.dst.u.udp.port = port;
- rcu_read_lock();
- do {
- exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);
- if (!exp || exp->master == ct ||
- nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
- exp->class != class)
- break;
- #ifdef CONFIG_NF_NAT_NEEDED
- if (!direct_rtp &&
- (!nf_inet_addr_cmp(&exp->saved_addr, &exp->tuple.dst.u3) ||
- exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
- ct->status & IPS_NAT_MASK) {
- *daddr = exp->saved_addr;
- tuple.dst.u3 = exp->saved_addr;
- tuple.dst.u.udp.port = exp->saved_proto.udp.port;
- direct_rtp = 1;
- } else
- #endif
- skip_expect = 1;
- } while (!skip_expect);
- base_port = ntohs(tuple.dst.u.udp.port) & ~1;
- rtp_port = htons(base_port);
- rtcp_port = htons(base_port + 1);
- if (direct_rtp) {
- hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks &&
- !hooks->sdp_port(skb, protoff, dataoff, dptr, datalen,
- mediaoff, medialen, ntohs(rtp_port)))
- goto err1;
- }
- if (skip_expect) {
- rcu_read_unlock();
- return NF_ACCEPT;
- }
- rtp_exp = nf_ct_expect_alloc(ct);
- if (rtp_exp == NULL)
- goto err1;
- nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
- IPPROTO_UDP, NULL, &rtp_port);
- rtcp_exp = nf_ct_expect_alloc(ct);
- if (rtcp_exp == NULL)
- goto err2;
- nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
- IPPROTO_UDP, NULL, &rtcp_port);
- hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks && ct->status & IPS_NAT_MASK && !direct_rtp)
- ret = hooks->sdp_media(skb, protoff, dataoff, dptr,
- datalen, rtp_exp, rtcp_exp,
- mediaoff, medialen, daddr);
- else {
- if (nf_ct_expect_related(rtp_exp) == 0) {
- if (nf_ct_expect_related(rtcp_exp) != 0)
- nf_ct_unexpect_related(rtp_exp);
- else
- ret = NF_ACCEPT;
- }
- }
- nf_ct_expect_put(rtcp_exp);
- err2:
- nf_ct_expect_put(rtp_exp);
- err1:
- rcu_read_unlock();
- return ret;
- }
- static const struct sdp_media_type sdp_media_types[] = {
- SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
- SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
- SDP_MEDIA_TYPE("image ", SIP_EXPECT_IMAGE),
- };
- static const struct sdp_media_type *sdp_media_type(const char *dptr,
- unsigned int matchoff,
- unsigned int matchlen)
- {
- const struct sdp_media_type *t;
- unsigned int i;
- for (i = 0; i < ARRAY_SIZE(sdp_media_types); i++) {
- t = &sdp_media_types[i];
- if (matchlen < t->len ||
- strncmp(dptr + matchoff, t->name, t->len))
- continue;
- return t;
- }
- return NULL;
- }
- static int process_sdp(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- unsigned int matchoff, matchlen;
- unsigned int mediaoff, medialen;
- unsigned int sdpoff;
- unsigned int caddr_len, maddr_len;
- unsigned int i;
- union nf_inet_addr caddr, maddr, rtp_addr;
- const struct nf_nat_sip_hooks *hooks;
- unsigned int port;
- const struct sdp_media_type *t;
- int ret = NF_ACCEPT;
- hooks = rcu_dereference(nf_nat_sip_hooks);
- /* Find beginning of session description */
- if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
- SDP_HDR_VERSION, SDP_HDR_UNSPEC,
- &matchoff, &matchlen) <= 0)
- return NF_ACCEPT;
- sdpoff = matchoff;
- /* The connection information is contained in the session description
- * and/or once per media description. The first media description marks
- * the end of the session description. */
- caddr_len = 0;
- if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
- SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
- &matchoff, &matchlen, &caddr) > 0)
- caddr_len = matchlen;
- mediaoff = sdpoff;
- for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
- if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
- SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
- &mediaoff, &medialen) <= 0)
- break;
- /* Get media type and port number. A media port value of zero
- * indicates an inactive stream. */
- t = sdp_media_type(*dptr, mediaoff, medialen);
- if (!t) {
- mediaoff += medialen;
- continue;
- }
- mediaoff += t->len;
- medialen -= t->len;
- port = simple_strtoul(*dptr + mediaoff, NULL, 10);
- if (port == 0)
- continue;
- if (port < 1024 || port > 65535) {
- nf_ct_helper_log(skb, ct, "wrong port %u", port);
- return NF_DROP;
- }
- /* The media description overrides the session description. */
- maddr_len = 0;
- if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
- SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
- &matchoff, &matchlen, &maddr) > 0) {
- maddr_len = matchlen;
- memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
- } else if (caddr_len)
- memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
- else {
- nf_ct_helper_log(skb, ct, "cannot parse SDP message");
- return NF_DROP;
- }
- ret = set_expected_rtp_rtcp(skb, protoff, dataoff,
- dptr, datalen,
- &rtp_addr, htons(port), t->class,
- mediaoff, medialen);
- if (ret != NF_ACCEPT) {
- nf_ct_helper_log(skb, ct,
- "cannot add expectation for voice");
- return ret;
- }
- /* Update media connection address if present */
- if (maddr_len && hooks && ct->status & IPS_NAT_MASK) {
- ret = hooks->sdp_addr(skb, protoff, dataoff,
- dptr, datalen, mediaoff,
- SDP_HDR_CONNECTION,
- SDP_HDR_MEDIA,
- &rtp_addr);
- if (ret != NF_ACCEPT) {
- nf_ct_helper_log(skb, ct, "cannot mangle SDP");
- return ret;
- }
- }
- i++;
- }
- /* Update session connection and owner addresses */
- hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks && ct->status & IPS_NAT_MASK)
- ret = hooks->sdp_session(skb, protoff, dataoff,
- dptr, datalen, sdpoff,
- &rtp_addr);
- return ret;
- }
- static int process_invite_response(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq, unsigned int code)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- if ((code >= 100 && code <= 199) ||
- (code >= 200 && code <= 299))
- return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
- else if (ct_sip_info->invite_cseq == cseq)
- flush_expectations(ct, true);
- return NF_ACCEPT;
- }
- static int process_update_response(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq, unsigned int code)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- if ((code >= 100 && code <= 199) ||
- (code >= 200 && code <= 299))
- return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
- else if (ct_sip_info->invite_cseq == cseq)
- flush_expectations(ct, true);
- return NF_ACCEPT;
- }
- static int process_prack_response(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq, unsigned int code)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- if ((code >= 100 && code <= 199) ||
- (code >= 200 && code <= 299))
- return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
- else if (ct_sip_info->invite_cseq == cseq)
- flush_expectations(ct, true);
- return NF_ACCEPT;
- }
- static int process_invite_request(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- unsigned int ret;
- flush_expectations(ct, true);
- ret = process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
- if (ret == NF_ACCEPT)
- ct_sip_info->invite_cseq = cseq;
- return ret;
- }
- static int process_bye_request(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- flush_expectations(ct, true);
- return NF_ACCEPT;
- }
- /* Parse a REGISTER request and create a permanent expectation for incoming
- * signalling connections. The expectation is marked inactive and is activated
- * when receiving a response indicating success from the registrar.
- */
- static int process_register_request(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
- unsigned int matchoff, matchlen;
- struct nf_conntrack_expect *exp;
- union nf_inet_addr *saddr, daddr;
- const struct nf_nat_sip_hooks *hooks;
- __be16 port;
- u8 proto;
- unsigned int expires = 0;
- int ret;
- /* Expected connections can not register again. */
- if (ct->status & IPS_EXPECTED)
- return NF_ACCEPT;
- /* We must check the expiration time: a value of zero signals the
- * registrar to release the binding. We'll remove our expectation
- * when receiving the new bindings in the response, but we don't
- * want to create new ones.
- *
- * The expiration time may be contained in Expires: header, the
- * Contact: header parameters or the URI parameters.
- */
- if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
- &matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
- ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
- SIP_HDR_CONTACT, NULL,
- &matchoff, &matchlen, &daddr, &port);
- if (ret < 0) {
- nf_ct_helper_log(skb, ct, "cannot parse contact");
- return NF_DROP;
- } else if (ret == 0)
- return NF_ACCEPT;
- /* We don't support third-party registrations */
- if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
- return NF_ACCEPT;
- if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen,
- &proto) == 0)
- return NF_ACCEPT;
- if (ct_sip_parse_numerical_param(ct, *dptr,
- matchoff + matchlen, *datalen,
- "expires=", NULL, NULL, &expires) < 0) {
- nf_ct_helper_log(skb, ct, "cannot parse expires");
- return NF_DROP;
- }
- if (expires == 0) {
- ret = NF_ACCEPT;
- goto store_cseq;
- }
- exp = nf_ct_expect_alloc(ct);
- if (!exp) {
- nf_ct_helper_log(skb, ct, "cannot alloc expectation");
- return NF_DROP;
- }
- saddr = NULL;
- if (sip_direct_signalling)
- saddr = &ct->tuplehash[!dir].tuple.src.u3;
- nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
- saddr, &daddr, proto, NULL, &port);
- exp->timeout.expires = sip_timeout * HZ;
- exp->helper = nfct_help(ct)->helper;
- exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
- hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks && ct->status & IPS_NAT_MASK)
- ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
- exp, matchoff, matchlen);
- else {
- if (nf_ct_expect_related(exp) != 0) {
- nf_ct_helper_log(skb, ct, "cannot add expectation");
- ret = NF_DROP;
- } else
- ret = NF_ACCEPT;
- }
- nf_ct_expect_put(exp);
- store_cseq:
- if (ret == NF_ACCEPT)
- ct_sip_info->register_cseq = cseq;
- return ret;
- }
- static int process_register_response(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen,
- unsigned int cseq, unsigned int code)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
- union nf_inet_addr addr;
- __be16 port;
- u8 proto;
- unsigned int matchoff, matchlen, coff = 0;
- unsigned int expires = 0;
- int in_contact = 0, ret;
- /* According to RFC 3261, "UAs MUST NOT send a new registration until
- * they have received a final response from the registrar for the
- * previous one or the previous REGISTER request has timed out".
- *
- * However, some servers fail to detect retransmissions and send late
- * responses, so we store the sequence number of the last valid
- * request and compare it here.
- */
- if (ct_sip_info->register_cseq != cseq)
- return NF_ACCEPT;
- if (code >= 100 && code <= 199)
- return NF_ACCEPT;
- if (code < 200 || code > 299)
- goto flush;
- if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
- &matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
- while (1) {
- unsigned int c_expires = expires;
- ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
- SIP_HDR_CONTACT, &in_contact,
- &matchoff, &matchlen,
- &addr, &port);
- if (ret < 0) {
- nf_ct_helper_log(skb, ct, "cannot parse contact");
- return NF_DROP;
- } else if (ret == 0)
- break;
- /* We don't support third-party registrations */
- if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
- continue;
- if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen,
- *datalen, &proto) == 0)
- continue;
- ret = ct_sip_parse_numerical_param(ct, *dptr,
- matchoff + matchlen,
- *datalen, "expires=",
- NULL, NULL, &c_expires);
- if (ret < 0) {
- nf_ct_helper_log(skb, ct, "cannot parse expires");
- return NF_DROP;
- }
- if (c_expires == 0)
- break;
- if (refresh_signalling_expectation(ct, &addr, proto, port,
- c_expires))
- return NF_ACCEPT;
- }
- flush:
- flush_expectations(ct, false);
- return NF_ACCEPT;
- }
- static const struct sip_handler sip_handlers[] = {
- SIP_HANDLER("INVITE", process_invite_request, process_invite_response),
- SIP_HANDLER("UPDATE", process_sdp, process_update_response),
- SIP_HANDLER("ACK", process_sdp, NULL),
- SIP_HANDLER("PRACK", process_sdp, process_prack_response),
- SIP_HANDLER("BYE", process_bye_request, NULL),
- SIP_HANDLER("REGISTER", process_register_request, process_register_response),
- };
- static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- unsigned int matchoff, matchlen, matchend;
- unsigned int code, cseq, i;
- if (*datalen < strlen("SIP/2.0 200"))
- return NF_ACCEPT;
- code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
- if (!code) {
- nf_ct_helper_log(skb, ct, "cannot get code");
- return NF_DROP;
- }
- if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
- &matchoff, &matchlen) <= 0) {
- nf_ct_helper_log(skb, ct, "cannot parse cseq");
- return NF_DROP;
- }
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq) {
- nf_ct_helper_log(skb, ct, "cannot get cseq");
- return NF_DROP;
- }
- matchend = matchoff + matchlen + 1;
- for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
- const struct sip_handler *handler;
- handler = &sip_handlers[i];
- if (handler->response == NULL)
- continue;
- if (*datalen < matchend + handler->len ||
- strncasecmp(*dptr + matchend, handler->method, handler->len))
- continue;
- return handler->response(skb, protoff, dataoff, dptr, datalen,
- cseq, code);
- }
- return NF_ACCEPT;
- }
- static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
- unsigned int dataoff,
- const char **dptr, unsigned int *datalen)
- {
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
- struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
- enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
- unsigned int matchoff, matchlen;
- unsigned int cseq, i;
- union nf_inet_addr addr;
- __be16 port;
- /* Many Cisco IP phones use a high source port for SIP requests, but
- * listen for the response on port 5060. If we are the local
- * router for one of these phones, save the port number from the
- * Via: header so that nf_nat_sip can redirect the responses to
- * the correct port.
- */
- if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
- SIP_HDR_VIA_UDP, NULL, &matchoff,
- &matchlen, &addr, &port) > 0 &&
- port != ct->tuplehash[dir].tuple.src.u.udp.port &&
- nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3))
- ct_sip_info->forced_dport = port;
- for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
- const struct sip_handler *handler;
- handler = &sip_handlers[i];
- if (handler->request == NULL)
- continue;
- if (*datalen < handler->len + 2 ||
- strncasecmp(*dptr, handler->method, handler->len))
- continue;
- if ((*dptr)[handler->len] != ' ' ||
- !isalpha((*dptr)[handler->len+1]))
- continue;
- if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
- &matchoff, &matchlen) <= 0) {
- nf_ct_helper_log(skb, ct, "cannot parse cseq");
- return NF_DROP;
- }
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq) {
- nf_ct_helper_log(skb, ct, "cannot get cseq");
- return NF_DROP;
- }
- return handler->request(skb, protoff, dataoff, dptr, datalen,
- cseq);
- }
- return NF_ACCEPT;
- }
- static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
- unsigned int protoff, unsigned int dataoff,
- const char **dptr, unsigned int *datalen)
- {
- const struct nf_nat_sip_hooks *hooks;
- int ret;
- if (strncasecmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
- ret = process_sip_request(skb, protoff, dataoff, dptr, datalen);
- else
- ret = process_sip_response(skb, protoff, dataoff, dptr, datalen);
- if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
- hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks && !hooks->msg(skb, protoff, dataoff,
- dptr, datalen)) {
- nf_ct_helper_log(skb, ct, "cannot NAT SIP message");
- ret = NF_DROP;
- }
- }
- return ret;
- }
- static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
- struct nf_conn *ct, enum ip_conntrack_info ctinfo)
- {
- struct tcphdr *th, _tcph;
- unsigned int dataoff, datalen;
- unsigned int matchoff, matchlen, clen;
- unsigned int msglen, origlen;
- const char *dptr, *end;
- s16 diff, tdiff = 0;
- int ret = NF_ACCEPT;
- bool term;
- if (ctinfo != IP_CT_ESTABLISHED &&
- ctinfo != IP_CT_ESTABLISHED_REPLY)
- return NF_ACCEPT;
- /* No Data ? */
- th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
- if (th == NULL)
- return NF_ACCEPT;
- dataoff = protoff + th->doff * 4;
- if (dataoff >= skb->len)
- return NF_ACCEPT;
- nf_ct_refresh(ct, skb, sip_timeout * HZ);
- if (unlikely(skb_linearize(skb)))
- return NF_DROP;
- dptr = skb->data + dataoff;
- datalen = skb->len - dataoff;
- if (datalen < strlen("SIP/2.0 200"))
- return NF_ACCEPT;
- while (1) {
- if (ct_sip_get_header(ct, dptr, 0, datalen,
- SIP_HDR_CONTENT_LENGTH,
- &matchoff, &matchlen) <= 0)
- break;
- clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
- if (dptr + matchoff == end)
- break;
- term = false;
- for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
- if (end[0] == '\r' && end[1] == '\n' &&
- end[2] == '\r' && end[3] == '\n') {
- term = true;
- break;
- }
- }
- if (!term)
- break;
- end += strlen("\r\n\r\n") + clen;
- msglen = origlen = end - dptr;
- if (msglen > datalen)
- return NF_ACCEPT;
- ret = process_sip_msg(skb, ct, protoff, dataoff,
- &dptr, &msglen);
- /* process_sip_* functions report why this packet is dropped */
- if (ret != NF_ACCEPT)
- break;
- diff = msglen - origlen;
- tdiff += diff;
- dataoff += msglen;
- dptr += msglen;
- datalen = datalen + diff - msglen;
- }
- if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
- const struct nf_nat_sip_hooks *hooks;
- hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks)
- hooks->seq_adjust(skb, protoff, tdiff);
- }
- return ret;
- }
- static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
- struct nf_conn *ct, enum ip_conntrack_info ctinfo)
- {
- unsigned int dataoff, datalen;
- const char *dptr;
- /* No Data ? */
- dataoff = protoff + sizeof(struct udphdr);
- if (dataoff >= skb->len)
- return NF_ACCEPT;
- nf_ct_refresh(ct, skb, sip_timeout * HZ);
- if (unlikely(skb_linearize(skb)))
- return NF_DROP;
- dptr = skb->data + dataoff;
- datalen = skb->len - dataoff;
- if (datalen < strlen("SIP/2.0 200"))
- return NF_ACCEPT;
- return process_sip_msg(skb, ct, protoff, dataoff, &dptr, &datalen);
- }
- static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
- static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
- [SIP_EXPECT_SIGNALLING] = {
- .name = "signalling",
- .max_expected = 1,
- .timeout = 3 * 60,
- },
- [SIP_EXPECT_AUDIO] = {
- .name = "audio",
- .max_expected = 2 * IP_CT_DIR_MAX,
- .timeout = 3 * 60,
- },
- [SIP_EXPECT_VIDEO] = {
- .name = "video",
- .max_expected = 2 * IP_CT_DIR_MAX,
- .timeout = 3 * 60,
- },
- [SIP_EXPECT_IMAGE] = {
- .name = "image",
- .max_expected = IP_CT_DIR_MAX,
- .timeout = 3 * 60,
- },
- };
- static void nf_conntrack_sip_fini(void)
- {
- int i, j;
- for (i = 0; i < ports_c; i++) {
- for (j = 0; j < ARRAY_SIZE(sip[i]); j++) {
- if (sip[i][j].me == NULL)
- continue;
- nf_conntrack_helper_unregister(&sip[i][j]);
- }
- }
- }
- static int __init nf_conntrack_sip_init(void)
- {
- int i, j, ret;
- if (ports_c == 0)
- ports[ports_c++] = SIP_PORT;
- for (i = 0; i < ports_c; i++) {
- memset(&sip[i], 0, sizeof(sip[i]));
- sip[i][0].tuple.src.l3num = AF_INET;
- sip[i][0].tuple.dst.protonum = IPPROTO_UDP;
- sip[i][0].help = sip_help_udp;
- sip[i][1].tuple.src.l3num = AF_INET;
- sip[i][1].tuple.dst.protonum = IPPROTO_TCP;
- sip[i][1].help = sip_help_tcp;
- sip[i][2].tuple.src.l3num = AF_INET6;
- sip[i][2].tuple.dst.protonum = IPPROTO_UDP;
- sip[i][2].help = sip_help_udp;
- sip[i][3].tuple.src.l3num = AF_INET6;
- sip[i][3].tuple.dst.protonum = IPPROTO_TCP;
- sip[i][3].help = sip_help_tcp;
- for (j = 0; j < ARRAY_SIZE(sip[i]); j++) {
- sip[i][j].data_len = sizeof(struct nf_ct_sip_master);
- sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
- sip[i][j].expect_policy = sip_exp_policy;
- sip[i][j].expect_class_max = SIP_EXPECT_MAX;
- sip[i][j].me = THIS_MODULE;
- if (ports[i] == SIP_PORT)
- sprintf(sip[i][j].name, "sip");
- else
- sprintf(sip[i][j].name, "sip-%u", i);
- pr_debug("port #%u: %u\n", i, ports[i]);
- ret = nf_conntrack_helper_register(&sip[i][j]);
- if (ret) {
- printk(KERN_ERR "nf_ct_sip: failed to register"
- " helper for pf: %u port: %u\n",
- sip[i][j].tuple.src.l3num, ports[i]);
- nf_conntrack_sip_fini();
- return ret;
- }
- }
- }
- return 0;
- }
- module_init(nf_conntrack_sip_init);
- module_exit(nf_conntrack_sip_fini);
|