1 | /* SIP extension for IP connection tracking. |
2 | * | |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | |
4 | * based on RR's ip_conntrack_ftp.c and other modules. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
#include <linux/module.h>
#include <linux/ctype.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>

#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/ip_conntrack_sip.h>

/* Debug output is compiled out; flip the #if to 1 for printk() traces.
 * Several DEBUGP() call sites print pointers into the packet payload with
 * "%s"; that payload may not be NUL terminated, so enabling this on live
 * traffic can read beyond the payload. */
#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP connection tracking helper");

/* UDP ports a helper instance is registered on.  Filled from the "ports"
 * module parameter; init() falls back to SIP_PORT when none is given. */
#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
static int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of sip servers");

/* Seconds the master SIP conntrack is refreshed with on every packet (see
 * ip_ct_refresh() in sip_help()).  This is separate from the per-helper
 * timeout that init() sets to a fixed 3 minutes. */
static unsigned int sip_timeout = SIP_TIMEOUT;
module_param(sip_timeout, uint, 0600);
MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");

/* Hook pointers filled in by the SIP NAT module; both are read through
 * rcu_dereference() before use.  The SIP hook is expected to be able to
 * mangle the packet and update *dptr to the new payload start (sip_help()
 * recomputes the payload length after calling it). */
unsigned int (*ip_nat_sip_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct ip_conntrack *ct,
				const char **dptr);
EXPORT_SYMBOL_GPL(ip_nat_sip_hook);

unsigned int (*ip_nat_sdp_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct ip_conntrack_expect *exp,
				const char *dptr);
EXPORT_SYMBOL_GPL(ip_nat_sdp_hook);
54 | ||
/* Token-length callbacks referenced by the ct_sip_hdrs[] table below.
 * Each receives the first byte after a header's ln_str marker and the
 * inclusive scan @limit, returns the length of the token it recognises
 * (0 when nothing parses, which ct_sip_get_info() turns into -1) and adds
 * to *shift the number of bytes it skipped before the token started. */
static int digits_len(const char *dptr, const char *limit, int *shift);
static int epaddr_len(const char *dptr, const char *limit, int *shift);
static int skp_digits_len(const char *dptr, const char *limit, int *shift);
static int skp_epaddr_len(const char *dptr, const char *limit, int *shift);
59 | ||
/* Description of one SIP header or SDP line that ct_sip_get_info() can
 * locate in a payload. */
struct sip_header_nfo {
	const char *lname;	/* long header name, e.g. "From:" */
	const char *sname;	/* compact form incl. leading CRLF, or NULL */
	const char *ln_str;	/* marker searched for inside the header line */
	size_t lnlen;		/* strlen(lname) */
	size_t snlen;		/* strlen(sname); 0 when sname is NULL */
	size_t ln_strlen;	/* strlen(ln_str) */
	int case_sensitive;	/* how ct_sip_search() compares ln_str */
	int (*match_len)(const char *, const char *, int *);	/* length of the token after ln_str */
};
70 | ||
/* Headers and SDP lines ct_sip_get_info() knows, indexed by
 * enum sip_header_pos.  For each entry the payload is scanned for lname
 * (or the compact sname, when present) with a plain strncmp(); ln_str is
 * then searched for within that line by ct_sip_search() -- case-sensitively
 * only where .case_sensitive is set, i.e. the SDP entries -- and
 * match_len() measures the token that follows ln_str.
 *
 * Note that .snlen may exceed .lnlen (POS_TO: "\r\nt:" vs "To:"), which
 * matters for how close to the end of the payload the compact form can be
 * compared. */
static struct sip_header_nfo ct_sip_hdrs[] = {
	[POS_REG_REQ_URI] = { /* SIP REGISTER request URI */
		.lname = "sip:",
		.lnlen = sizeof("sip:") - 1,
		.ln_str = ":",
		.ln_strlen = sizeof(":") - 1,
		.match_len = epaddr_len
	},
	[POS_REQ_URI] = { /* SIP request URI */
		.lname = "sip:",
		.lnlen = sizeof("sip:") - 1,
		.ln_str = "@",
		.ln_strlen = sizeof("@") - 1,
		.match_len = epaddr_len
	},
	[POS_FROM] = { /* SIP From header */
		.lname = "From:",
		.lnlen = sizeof("From:") - 1,
		.sname = "\r\nf:",
		.snlen = sizeof("\r\nf:") - 1,
		.ln_str = "sip:",
		.ln_strlen = sizeof("sip:") - 1,
		.match_len = skp_epaddr_len,
	},
	[POS_TO] = { /* SIP To header */
		.lname = "To:",
		.lnlen = sizeof("To:") - 1,
		.sname = "\r\nt:",
		.snlen = sizeof("\r\nt:") - 1,
		.ln_str = "sip:",
		.ln_strlen = sizeof("sip:") - 1,
		.match_len = skp_epaddr_len,
	},
	[POS_VIA] = { /* SIP Via header */
		.lname = "Via:",
		.lnlen = sizeof("Via:") - 1,
		.sname = "\r\nv:",
		.snlen = sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
		.ln_str = "UDP ",
		.ln_strlen = sizeof("UDP ") - 1,
		.match_len = epaddr_len,
	},
	[POS_CONTACT] = { /* SIP Contact header */
		.lname = "Contact:",
		.lnlen = sizeof("Contact:") - 1,
		.sname = "\r\nm:",
		.snlen = sizeof("\r\nm:") - 1,
		.ln_str = "sip:",
		.ln_strlen = sizeof("sip:") - 1,
		.match_len = skp_epaddr_len
	},
	[POS_CONTENT] = { /* SIP Content length header */
		.lname = "Content-Length:",
		.lnlen = sizeof("Content-Length:") - 1,
		.sname = "\r\nl:",
		.snlen = sizeof("\r\nl:") - 1,
		.ln_str = ":",
		.ln_strlen = sizeof(":") - 1,
		.match_len = skp_digits_len
	},
	[POS_MEDIA] = { /* SDP media info; the token is the port after "audio " */
		.case_sensitive = 1,
		.lname = "\nm=",
		.lnlen = sizeof("\nm=") - 1,
		.sname = "\rm=",
		.snlen = sizeof("\rm=") - 1,
		.ln_str = "audio ",
		.ln_strlen = sizeof("audio ") - 1,
		.match_len = digits_len
	},
	[POS_OWNER] = { /* SDP owner address*/
		.case_sensitive = 1,
		.lname = "\no=",
		.lnlen = sizeof("\no=") - 1,
		.sname = "\ro=",
		.snlen = sizeof("\ro=") - 1,
		.ln_str = "IN IP4 ",
		.ln_strlen = sizeof("IN IP4 ") - 1,
		.match_len = epaddr_len
	},
	[POS_CONNECTION] = { /* SDP connection info; the c= address used by sip_help() */
		.case_sensitive = 1,
		.lname = "\nc=",
		.lnlen = sizeof("\nc=") - 1,
		.sname = "\rc=",
		.snlen = sizeof("\rc=") - 1,
		.ln_str = "IN IP4 ",
		.ln_strlen = sizeof("IN IP4 ") - 1,
		.match_len = epaddr_len
	},
	[POS_SDP_HEADER] = { /* SDP version header */
		.case_sensitive = 1,
		.lname = "\nv=",
		.lnlen = sizeof("\nv=") - 1,
		.sname = "\rv=",
		.snlen = sizeof("\rv=") - 1,
		.ln_str = "=",
		.ln_strlen = sizeof("=") - 1,
		.match_len = digits_len
	}
};
172 | |
/* Length of the line starting at @line, counted from @line itself: leading
 * CR/LF bytes are stepped over (and counted), then the scan stops at the
 * next CR or LF, or once @limit (inclusive) has been passed. */
int ct_sip_lnlen(const char *line, const char *limit)
{
	const char *p = line;

	/* Step over the line terminator(s) of the previous line. */
	for (; p <= limit; p++) {
		if (*p != '\r' && *p != '\n')
			break;
	}
	/* Now consume the line body up to its own terminator. */
	for (; p <= limit; p++) {
		if (*p == '\r' || *p == '\n')
			break;
	}
	return p - line;
}
/* GPL-only export so other modules (e.g. the NAT hook provider) can use it. */
EXPORT_SYMBOL_GPL(ct_sip_lnlen);
189 | ||
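/* Linear search for @needle inside @haystack.  @needle_len and
 * @haystack_len are byte counts (neither buffer needs a NUL inside the
 * window); @case_sensitive selects strncmp() over strnicmp().
 * Returns a pointer to the first occurrence, or NULL. */
const char *ct_sip_search(const char *needle, const char *haystack,
			  size_t needle_len, size_t haystack_len,
			  int case_sensitive)
{
	const char *limit;

	/* A haystack shorter than the needle cannot contain it.  Without
	 * this check the size_t subtraction below wraps and the scan runs
	 * far past the end of @haystack. */
	if (haystack_len < needle_len)
		return NULL;

	limit = haystack + (haystack_len - needle_len);
	for (; haystack <= limit; haystack++) {
		int cmp = case_sensitive ?
			  strncmp(haystack, needle, needle_len) :
			  strnicmp(haystack, needle, needle_len);

		if (cmp == 0)
			return haystack;
	}
	return NULL;
}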
/* GPL-only export so other modules (e.g. the NAT hook provider) can use it. */
EXPORT_SYMBOL_GPL(ct_sip_search);
210 | ||
/* Length of the run of decimal digits starting at @dptr, stopping at the
 * first non-digit or once @limit (inclusive) has been passed.  @shift is
 * part of the match_len callback signature and is not touched here. */
static int digits_len(const char *dptr, const char *limit, int *shift)
{
	const char *p;

	for (p = dptr; p <= limit; p++) {
		if (!isdigit((unsigned char)*p))
			break;
	}
	return p - dptr;
}
220 | ||
/* Like digits_len(), but first skips blanks; every blank skipped is added
 * to *shift so the caller can locate the digits themselves. */
static int skp_digits_len(const char *dptr, const char *limit, int *shift)
{
	const char *p = dptr;

	while (p <= limit && *p == ' ') {
		(*shift)++;
		p++;
	}

	return digits_len(p, limit, shift);
}
229 | ||
/* Simple ipaddr parser.
 *
 * Reads up to four dot-separated decimal octets starting at @cp and stores
 * them byte by byte into *@ipaddr, which therefore ends up in network byte
 * order.  @limit is inclusive: a new octet is only started while
 * cp <= limit, but simple_strtoul() itself is not bounded by @limit, so a
 * long run of digits can be scanned past it.  On success *@endp (when
 * non-NULL) points at the first byte after the address and 0 is returned.
 *
 * Returns -1 when an octet exceeds 255 or when the last thing looked at
 * was not a digit (empty input, or a trailing '.').  Fewer than four
 * octets are accepted as long as the final one parsed; the remaining
 * bytes of *@ipaddr stay zero in that case.  NOTE(review): callers treat
 * the result as a complete IPv4 address -- confirm that partial input is
 * intended to be accepted. */
static int parse_ipaddr(const char *cp, const char **endp,
			__be32 *ipaddr, const char *limit)
{
	unsigned long int val;
	int i, digit = 0;

	for (i = 0, *ipaddr = 0; cp <= limit && i < 4; i++) {
		digit = 0;
		if (!isdigit(*cp))
			break;

		/* Advances cp to the first non-digit. */
		val = simple_strtoul(cp, (char **)&cp, 10);
		if (val > 0xFF)
			return -1;

		((u_int8_t *)ipaddr)[i] = val;
		digit = 1;

		/* May examine the byte at limit + 1 when the octet ends there. */
		if (*cp != '.')
			break;
		cp++;
	}
	if (!digit)
		return -1;

	if (endp)
		*endp = cp;

	return 0;
}
261 | ||
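/* Skip an "a.b.c.d[:port]" endpoint address starting at @dptr and return
 * its length in bytes, or 0 if no address parses there.  @limit is the
 * inclusive end of the scan window; @shift is passed on to digits_len()
 * unchanged. */
static int epaddr_len(const char *dptr, const char *limit, int *shift)
{
	const char *aux = dptr;
	__be32 ip;

	if (parse_ipaddr(dptr, &dptr, &ip, limit) < 0) {
		DEBUGP("ip: %s parse failed.!\n", dptr);
		return 0;
	}

	/* Port number.  parse_ipaddr() can leave dptr one past @limit, so
	 * stay inside the window before dereferencing. */
	if (dptr <= limit && *dptr == ':') {
		dptr++;
		dptr += digits_len(dptr, limit, shift);
	}
	return dptr - aux;
}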
280 | ||
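/* Like epaddr_len(), but first skips the "user@" part of a SIP URI.  The
 * bytes skipped are added to *shift so the caller can compute the offset
 * of the address itself; if no '@' is found within the window, *shift is
 * restored and the address is parsed from @dptr directly. */
static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
{
	int s = *shift;

	for (; dptr <= limit && *dptr != '@'; dptr++)
		(*shift)++;

	/* When the loop ran out of window dptr == limit + 1; do not read
	 * that byte (the outcome is the same either way: epaddr_len() fails
	 * there, so the only effect is avoiding the out-of-window read). */
	if (dptr <= limit && *dptr == '@') {
		dptr++;
		(*shift)++;
	} else
		*shift = s;

	return epaddr_len(dptr, limit, shift);
}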
297 | ||
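/* Locate header/SDP line @pos in the @dlen bytes at @dptr and report the
 * token that follows its ln_str marker.
 *
 * Returns 1 on success, with *matchoff the offset of the token from @dptr
 * and *matchlen its length; 0 if the header is not present; -1 if it is
 * present but the marker or the token does not parse. */
int ct_sip_get_info(const char *dptr, size_t dlen,
		    unsigned int *matchoff,
		    unsigned int *matchlen,
		    enum sip_header_pos pos)
{
	struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
	const char *limit, *aux, *k = dptr;
	const char *end = dptr + dlen;	/* one past the payload */
	int shift = 0;
	size_t linelen;

	/* A payload shorter than the header name cannot contain it.  Without
	 * this check the size_t subtraction below wraps and @limit ends up
	 * far beyond the buffer. */
	if (dlen < hnfo->lnlen)
		return 0;
	limit = dptr + (dlen - hnfo->lnlen);

	while (dptr <= limit) {
		/* @limit only guarantees room for lnlen bytes, but sname can be
		 * longer (e.g. "\r\nt:" vs "To:"), so bound the compact-form
		 * compare by the real end of the payload. */
		if (strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0 &&
		    (hnfo->sname == NULL ||
		     (size_t)(end - dptr) < hnfo->snlen ||
		     strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
			dptr++;
			continue;
		}
		/* A line too short to hold the marker cannot match; this also
		 * keeps haystack_len >= needle_len for ct_sip_search(). */
		linelen = (size_t)ct_sip_lnlen(dptr, limit);
		if (linelen < hnfo->ln_strlen) {
			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
			       hnfo->lname);
			return -1;
		}
		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
				    linelen, hnfo->case_sensitive);
		if (!aux) {
			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
			       hnfo->lname);
			return -1;
		}
		aux += hnfo->ln_strlen;

		/* The callback may skip user info / blanks; it reports the
		 * number of bytes skipped through @shift. */
		*matchlen = hnfo->match_len(aux, limit, &shift);
		if (!*matchlen)
			return -1;

		*matchoff = (aux - k) + shift;

		DEBUGP("%s match succeeded! - len: %u\n", hnfo->lname,
		       *matchlen);
		return 1;
	}
	DEBUGP("%s header not found.\n", hnfo->lname);
	return 0;
}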
/* GPL-only export so other modules (e.g. the NAT hook provider) can use it. */
EXPORT_SYMBOL_GPL(ct_sip_get_info);
341 | |
/* Register an expectation for the RTP stream announced in the SDP body.
 *
 * @pskb, @ct, @ctinfo: the SIP packet and the master conntrack it belongs to
 * @ipaddr: SDP c= address, network byte order
 * @port:   SDP m= port, host byte order (converted with htons() below)
 * @dptr:   start of the SIP payload, handed on to the NAT SDP hook
 *
 * The expected tuple is: source = the source address of @ct's opposite
 * direction with any UDP port, destination = @ipaddr:@port over UDP; the
 * mask makes every field except the source port an exact match.  If a NAT
 * SDP hook is installed it is given the expectation instead of
 * ip_conntrack_expect_related() being called here (presumably it registers
 * it itself after rewriting addresses).  Returns NF_ACCEPT, or NF_DROP when
 * the expectation cannot be allocated or registered.
 *
 * NOTE(review): @ipaddr and @port come straight from the packet payload and
 * nothing here checks that @ipaddr belongs to either end of the SIP
 * conversation, so the payload alone decides where the expected flow may
 * go.  Limiting it to the conntrack's own endpoints would be the usual
 * hardening. */
static int set_expected_rtp(struct sk_buff **pskb,
			    struct ip_conntrack *ct,
			    enum ip_conntrack_info ctinfo,
			    __be32 ipaddr, u_int16_t port,
			    const char *dptr)
{
	struct ip_conntrack_expect *exp;
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	int ret;
	typeof(ip_nat_sdp_hook) ip_nat_sdp;

	exp = ip_conntrack_expect_alloc(ct);
	if (exp == NULL)
		return NF_DROP;

	/* Source port 0 together with a zero mask below wildcards it. */
	exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
	exp->tuple.src.u.udp.port = 0;
	exp->tuple.dst.ip = ipaddr;
	exp->tuple.dst.u.udp.port = htons(port);
	exp->tuple.dst.protonum = IPPROTO_UDP;

	exp->mask.src.ip = htonl(0xFFFFFFFF);
	exp->mask.src.u.udp.port = 0;
	exp->mask.dst.ip = htonl(0xFFFFFFFF);
	exp->mask.dst.u.udp.port = htons(0xFFFF);
	exp->mask.dst.protonum = 0xFF;

	exp->expectfn = NULL;
	exp->flags = 0;

	/* NOTE(review): the hook is read with rcu_dereference(); this relies
	 * on the helper running inside an RCU read-side section -- confirm. */
	ip_nat_sdp = rcu_dereference(ip_nat_sdp_hook);
	if (ip_nat_sdp)
		ret = ip_nat_sdp(pskb, ctinfo, exp, dptr);
	else {
		if (ip_conntrack_expect_related(exp) != 0)
			ret = NF_DROP;
		else
			ret = NF_ACCEPT;
	}
	/* Drop our reference whether or not the expectation was registered. */
	ip_conntrack_expect_put(exp);

	return ret;
}
385 | ||
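/* Conntrack helper callback for the SIP signalling flow.
 *
 * @pskb:   the packet; the NAT hook may mangle or replace it
 * @ct:     the master SIP conntrack entry
 * @ctinfo: direction/state of @pskb relative to @ct
 *
 * Refreshes the master timeout, hands the payload to the NAT hook when one
 * is loaded and, for INVITE and "SIP/2.0 200" messages carrying SDP,
 * registers an RTP expectation for the c= address and m= port.  Returns an
 * NF_* verdict; NF_DROP is used only when the payload fails to parse
 * consistently or the NAT hook rejects it. */
static int sip_help(struct sk_buff **pskb,
		    struct ip_conntrack *ct,
		    enum ip_conntrack_info ctinfo)
{
	unsigned int dataoff, datalen;
	const char *dptr;
	int ret = NF_ACCEPT;
	/* ct_sip_get_info() writes through unsigned int pointers; declaring
	 * these as int relied on an incompatible-pointer conversion. */
	unsigned int matchoff, matchlen;
	__be32 ipaddr;
	unsigned long port;
	typeof(ip_nat_sip_hook) ip_nat_sip;

	/* No Data ? */
	dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
	if (dataoff >= (*pskb)->len) {
		DEBUGP("skb->len = %u\n", (*pskb)->len);
		return NF_ACCEPT;
	}

	ip_ct_refresh(ct, *pskb, sip_timeout * HZ);

	/* Only linear skbs are inspected; anything else is accepted
	 * without looking at the payload. */
	if (!skb_is_nonlinear(*pskb))
		dptr = (*pskb)->data + dataoff;
	else {
		DEBUGP("Copy of skbuff not supported yet.\n");
		goto out;
	}

	ip_nat_sip = rcu_dereference(ip_nat_sip_hook);
	if (ip_nat_sip) {
		if (!ip_nat_sip(pskb, ctinfo, ct, &dptr)) {
			ret = NF_DROP;
			goto out;
		}
	}

	/* After this point NAT could have mangled the skb, so
	   we need to recalculate the payload length. */
	datalen = (*pskb)->len - dataoff;

	if (datalen < (sizeof("SIP/2.0 200") - 1))
		goto out;

	/* RTP info only in some SDP pkts */
	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) {
		goto out;
	}
	/* Get ip and port address from SDP packet. */
	if (ct_sip_get_info(dptr, datalen, &matchoff, &matchlen,
			    POS_CONNECTION) > 0) {

		/* We'll drop only if there are parse problems.  The limit
		 * parse_ipaddr() takes is inclusive, so pass the last payload
		 * byte rather than one past it. */
		if (parse_ipaddr(dptr + matchoff, NULL, &ipaddr,
				 dptr + datalen - 1) < 0) {
			ret = NF_DROP;
			goto out;
		}
		if (ct_sip_get_info(dptr, datalen, &matchoff, &matchlen,
				    POS_MEDIA) > 0) {

			/* Range-check before narrowing to 16 bits so a value
			 * above 65535 cannot wrap into the accepted range. */
			port = simple_strtoul(dptr + matchoff, NULL, 10);
			if (port < 1024 || port > 0xFFFF) {
				ret = NF_DROP;
				goto out;
			}
			ret = set_expected_rtp(pskb, ct, ctinfo,
					       ipaddr, (u_int16_t)port, dptr);
		}
	}
out:
	return ret;
}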
459 | ||
/* One helper instance per configured port.  sip_names[] backs the
 * helper->name strings ("sip" or "sip-<index>", built in init()) and must
 * stay allocated for as long as the helpers are registered. */
static struct ip_conntrack_helper sip[MAX_PORTS];
static char sip_names[MAX_PORTS][10];
462 | ||
/* Unregister every helper instance for the configured ports.  Deliberately
 * not __exit: init() calls it as well, which an __exit function would not
 * allow. */
static void fini(void)
{
	int idx = 0;

	while (idx < ports_c) {
		DEBUGP("unregistering helper for port %d\n", ports[idx]);
		ip_conntrack_helper_unregister(&sip[idx]);
		idx++;
	}
}
471 | ||
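/* Module entry point: register one conntrack helper per configured port,
 * defaulting to SIP_PORT when the "ports" parameter was not given.
 * Returns 0, or the ip_conntrack_helper_register() error after undoing
 * the registrations that had already succeeded. */
static int __init init(void)
{
	int i, j, ret;
	char *tmpname;

	if (ports_c == 0)
		ports[ports_c++] = SIP_PORT;

	for (i = 0; i < ports_c; i++) {
		/* Create helper structure */
		memset(&sip[i], 0, sizeof(sip[i]));

		sip[i].tuple.dst.protonum = IPPROTO_UDP;
		sip[i].tuple.src.u.udp.port = htons(ports[i]);
		sip[i].mask.src.u.udp.port = htons(0xFFFF);
		sip[i].mask.dst.protonum = 0xFF;
		sip[i].max_expected = 2;
		sip[i].timeout = 3 * 60; /* 3 minutes */
		sip[i].me = THIS_MODULE;
		sip[i].help = sip_help;

		/* "sip-%d" with i < MAX_PORTS fits in the 10-byte name slot;
		 * the explicit bound keeps that true if either constant moves. */
		tmpname = &sip_names[i][0];
		if (ports[i] == SIP_PORT)
			snprintf(tmpname, sizeof(sip_names[i]), "sip");
		else
			snprintf(tmpname, sizeof(sip_names[i]), "sip-%d", i);
		sip[i].name = tmpname;

		DEBUGP("port #%d: %d\n", i, ports[i]);

		ret = ip_conntrack_helper_register(&sip[i]);
		if (ret) {
			printk(KERN_ERR "ERROR registering helper for port %d\n",
			       ports[i]);
			/* Only sip[0..i) are registered at this point; fini()
			 * would also unregister sip[i] and the untouched
			 * entries after it. */
			for (j = 0; j < i; j++)
				ip_conntrack_helper_unregister(&sip[j]);
			return ret;
		}
	}
	return 0;
}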
512 | ||
/* init() registers the helpers; fini() removes them on module unload. */
module_init(init);
module_exit(fini);