2 * H.323 extension for NAT alteration.
4 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * This source code is licensed under the General Public License version 2.
8 * Based on the 'brute force' H.323 NAT module by
9 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 #include <linux/module.h>
13 #include <linux/tcp.h>
16 #include <net/netfilter/nf_nat.h>
17 #include <net/netfilter/nf_nat_helper.h>
18 #include <net/netfilter/nf_nat_rule.h>
19 #include <net/netfilter/nf_conntrack_helper.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <linux/netfilter/nf_conntrack_h323.h>
23 /****************************************************************************/
/*
 * set_addr - overwrite one packed IPv4 address + port pair inside the
 * H.323 payload of @skb and re-derive the payload pointer afterwards.
 *
 * @skb:     packet under NAT; the conntrack entry and ctinfo come from it
 *           via nf_ct_get().
 * @data:    in/out pointer to the payload; rewritten after a successful
 *           mangle because the mangle helpers may copy or pull the skb
 *           (see the existing comment on the UDP path below).
 * @dataoff: presumably the payload offset inside the transport data; the
 *           statements using it before the dispatch (original lines 35-40)
 *           are absent from this rendering - verify against the full file.
 * @addroff: offset of the field to rewrite (same caveat; the mangle call
 *           arguments on original lines 43 and 57 are absent here).
 * @ip, @port: replacement values, packed into `buf` and passed as the
 *           replacement bytes `(char *)&buf, sizeof(buf)`.
 *
 * Dispatches on ip_hdr(skb)->protocol: TCP is rewritten through
 * nf_nat_mangle_tcp_packet(), anything else through
 * nf_nat_mangle_udp_packet(). Both failure paths emit a rate-limited
 * notice. The return statements are not visible in this rendering;
 * callers in this file treat `< 0` as failure and `== 0` as success.
 */
24 static int set_addr(struct sk_buff
*skb
,
25 unsigned char **data
, int dataoff
,
26 unsigned int addroff
, __be32 ip
, __be16 port
)
28 enum ip_conntrack_info ctinfo
;
29 struct nf_conn
*ct
= nf_ct_get(skb
, &ctinfo
);
/* `buf` is a packed {ip, port} pair; its member lines (original 30-32) are
 * absent from this rendering, as are the assignments filling it. */
33 } __attribute__ ((__packed__
)) buf
;
34 const struct tcphdr
*th
;
/* The rewrite helper depends on the L4 protocol of the packet. */
41 if (ip_hdr(skb
)->protocol
== IPPROTO_TCP
) {
42 if (!nf_nat_mangle_tcp_packet(skb
, ct
, ctinfo
,
44 (char *) &buf
, sizeof(buf
))) {
45 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_tcp_packet error\n");
/* NOTE(review): original lines 46-48 and 52-53 are absent here; confirm
 * in the full source that the notice above is followed by an error return
 * and that `th` is NULL-checked before the dereference below, since
 * skb_header_pointer() can fail on a truncated header. */
49 /* Relocate data pointer */
50 th
= skb_header_pointer(skb
, ip_hdrlen(skb
),
51 sizeof(_tcph
), &_tcph
);
/* Payload starts after the IP header, the (variable-length) TCP header
 * and the caller-supplied dataoff. */
54 *data
= skb
->data
+ ip_hdrlen(skb
) + th
->doff
* 4 + dataoff
;
/* Non-TCP (UDP/RAS) path; the `} else {` on original line 55 is absent. */
56 if (!nf_nat_mangle_udp_packet(skb
, ct
, ctinfo
,
58 (char *) &buf
, sizeof(buf
))) {
59 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_udp_packet error\n");
62 /* nf_nat_mangle_udp_packet uses skb_make_writable() to copy
63 * or pull everything in a linear buffer, so we can safely
64 * use the skb pointers now */
65 *data
= skb
->data
+ ip_hdrlen(skb
) + sizeof(struct udphdr
);
71 /****************************************************************************/
/*
 * set_h225_addr - rewrite an H.225 TransportAddress in the payload.
 *
 * Thin wrapper around set_addr(): taddr->ipAddress.ip is passed in the
 * `addroff` position, i.e. it is the location of the address field to
 * patch. @addr and @port are the replacement values; the trailing
 * arguments of the call (original lines 78-80) are absent from this
 * rendering - presumably addr->ip and port, verify against the source.
 * Returns whatever set_addr() returns.
 */
72 static int set_h225_addr(struct sk_buff
*skb
,
73 unsigned char **data
, int dataoff
,
74 TransportAddress
*taddr
,
75 union nf_inet_addr
*addr
, __be16 port
)
77 return set_addr(skb
, data
, dataoff
, taddr
->ipAddress
.ip
,
81 /****************************************************************************/
/*
 * set_h245_addr - rewrite an H.245 unicast TransportAddress in the payload.
 *
 * Same shape as set_h225_addr(): the unicastAddress.iPAddress.network
 * field of @taddr is handed to set_addr() as the field to patch. The
 * trailing arguments (original lines 89-91) are absent from this
 * rendering. Returns whatever set_addr() returns.
 */
82 static int set_h245_addr(struct sk_buff
*skb
,
83 unsigned char **data
, int dataoff
,
84 H245_TransportAddress
*taddr
,
85 union nf_inet_addr
*addr
, __be16 port
)
87 return set_addr(skb
, data
, dataoff
,
88 taddr
->unicastAddress
.iPAddress
.network
,
92 /****************************************************************************/
/*
 * set_sig_addr - rewrite the H.225 call-signalling addresses carried in a
 * RAS message so that they refer to the NAT side of the connection.
 *
 * @taddr/@count: TransportAddress candidates decoded from the payload.
 *           The loop trusts @count to stay within the array; that bound is
 *           established by the decoder in the caller - confirm there.
 *           The `data` parameter (original line 95) and the declarations
 *           of `i` and `port` (100-101) are absent from this rendering.
 *
 * Every candidate is parsed with get_h225_addr() from attacker-influenced
 * payload, but a rewrite only happens when the parsed address and port are
 * equal to this connection's own endpoint (ct tuple ip and the recorded
 * info->sig_port[dir]); a crafted address that does not match is left
 * untouched. A match on the original-direction source is mapped to the
 * reply direction's destination ip and sig_port[!dir]; a match on the
 * destination is mapped to the reply direction's source. The function
 * returns the result of the first set_h225_addr() it performs; the
 * epilogue (original lines 136-142) is absent here.
 */
93 static int set_sig_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
94 enum ip_conntrack_info ctinfo
,
96 TransportAddress
*taddr
, int count
)
98 const struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
99 int dir
= CTINFO2DIR(ctinfo
);
102 union nf_inet_addr addr
;
104 for (i
= 0; i
< count
; i
++) {
105 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
)) {
/* Candidate equals our own (pre-NAT) source endpoint. */
106 if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
107 port
== info
->sig_port
[dir
]) {
/* Loopback (127.0.0.0/8) special case for a client that advertises its
 * loopback address in taddr[0]. The surrounding condition and its effect
 * (original lines 111, 113, 115-116) are absent from this rendering. */
110 /* Fix for Gnomemeeting */
112 get_h225_addr(ct
, *data
, &taddr
[0],
114 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000)
117 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
119 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
,
120 info
->sig_port
[!dir
]);
121 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
122 &ct
->tuplehash
[!dir
].
124 info
->sig_port
[!dir
]);
/* Candidate equals our own destination endpoint: map to the reply
 * direction's source instead. */
125 } else if (addr
.ip
== ct
->tuplehash
[dir
].tuple
.dst
.u3
.ip
&&
126 port
== info
->sig_port
[dir
]) {
128 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
130 &ct
->tuplehash
[!dir
].tuple
.src
.u3
.ip
,
131 info
->sig_port
[!dir
]);
132 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
133 &ct
->tuplehash
[!dir
].
135 info
->sig_port
[!dir
]);
143 /****************************************************************************/
/*
 * set_ras_addr - rewrite the rasAddress (UDP endpoint) carried in a RAS
 * message to the NAT side of the connection.
 *
 * Same trust assumption on @count as set_sig_addr(). A candidate is only
 * rewritten when it equals this connection's original-direction source
 * ip and UDP source port, in which case it becomes the reply direction's
 * destination ip and UDP port. Declarations of `i` and `port` (original
 * lines 150-151), the final argument of the set_h225_addr() call (165)
 * and the function epilogue (166-171) are absent from this rendering.
 */
144 static int set_ras_addr(struct sk_buff
*skb
, struct nf_conn
*ct
,
145 enum ip_conntrack_info ctinfo
,
146 unsigned char **data
,
147 TransportAddress
*taddr
, int count
)
149 int dir
= CTINFO2DIR(ctinfo
);
152 union nf_inet_addr addr
;
154 for (i
= 0; i
< count
; i
++) {
/* Parse, then require an exact match with our own UDP source endpoint
 * before touching the packet. */
155 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
) &&
156 addr
.ip
== ct
->tuplehash
[dir
].tuple
.src
.u3
.ip
&&
157 port
== ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
) {
158 pr_debug("nf_nat_ras: set rasAddress %pI4:%hu->%pI4:%hu\n",
159 &addr
.ip
, ntohs(port
),
160 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
,
161 ntohs(ct
->tuplehash
[!dir
].tuple
.dst
.u
.udp
.port
));
162 return set_h225_addr(skb
, data
, 0, &taddr
[i
],
163 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
164 ct
->tuplehash
[!dir
].tuple
.
172 /****************************************************************************/
/*
 * nat_rtp_rtcp - allocate a NATed RTP/RTCP port pair, register the two
 * expectations and rewrite the H.245 address in the payload.
 *
 * @port:     port as it appears in the payload; its low bit selects
 *            whether the RTP or the RTCP (+1) port is written back.
 * @rtp_port: the RTP base port of the pair, used as the key into the
 *            per-connection info->rtp_port[] table.
 * @rtp_exp/@rtcp_exp: expectations prepared by the caller. saved_proto
 *            keeps the original port so nf_nat_follow_master() can map
 *            it back; rtcp_exp->dir is flipped to the reply direction.
 *
 * A slot in info->rtp_port[] already holding @rtp_port is reused so the
 * existing mapping is refreshed; otherwise the first empty slot is taken
 * and a free pair is searched upwards from the requested port in steps
 * of two. Many lines are absent from this rendering (original 197-198,
 * 200, 204, 206-210, 214-216, 220-221, 224, 228-229, 232-234, 236-240,
 * 243-246, 250-251, 254, 257-260, 271-274), including the `i`/`ret`
 * declarations, the loop exits and the return statements.
 */
173 static int nat_rtp_rtcp(struct sk_buff
*skb
, struct nf_conn
*ct
,
174 enum ip_conntrack_info ctinfo
,
175 unsigned char **data
, int dataoff
,
176 H245_TransportAddress
*taddr
,
177 __be16 port
, __be16 rtp_port
,
178 struct nf_conntrack_expect
*rtp_exp
,
179 struct nf_conntrack_expect
*rtcp_exp
)
181 struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
182 int dir
= CTINFO2DIR(ctinfo
);
184 u_int16_t nated_port
;
186 /* Set expectations for NAT */
187 rtp_exp
->saved_proto
.udp
.port
= rtp_exp
->tuple
.dst
.u
.udp
.port
;
188 rtp_exp
->expectfn
= nf_nat_follow_master
;
190 rtcp_exp
->saved_proto
.udp
.port
= rtcp_exp
->tuple
.dst
.u
.udp
.port
;
191 rtcp_exp
->expectfn
= nf_nat_follow_master
;
192 rtcp_exp
->dir
= !dir
;
/* Search the bounded per-connection table (H323_RTP_CHANNEL_MAX slots)
 * for an existing mapping of rtp_port or for a free slot (== 0). */
194 /* Lookup existing expects */
195 for (i
= 0; i
< H323_RTP_CHANNEL_MAX
; i
++) {
196 if (info
->rtp_port
[i
][dir
] == rtp_port
) {
199 /* Use allocated ports first. This will refresh
201 rtp_exp
->tuple
.dst
.u
.udp
.port
= info
->rtp_port
[i
][dir
];
202 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
203 htons(ntohs(info
->rtp_port
[i
][dir
]) + 1);
205 } else if (info
->rtp_port
[i
][dir
] == 0) {
211 /* Run out of expectations */
212 if (i
>= H323_RTP_CHANNEL_MAX
) {
213 net_notice_ratelimited("nf_nat_h323: out of expectations\n");
/* nated_port is u_int16_t, so the loop ends by wrapping to 0, reported as
 * "out of RTP ports" below. With a stride of 2 that wrap only reaches 0
 * from an even starting port - NOTE(review): the even-ness of the RTP
 * port is established by the caller, not here; confirm. */
217 /* Try to get a pair of ports. */
218 for (nated_port
= ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
);
219 nated_port
!= 0; nated_port
+= 2) {
222 rtp_exp
->tuple
.dst
.u
.udp
.port
= htons(nated_port
);
223 ret
= nf_ct_expect_related(rtp_exp
);
/* RTP slot taken: try the adjacent port for RTCP; on a non-EBUSY failure
 * the RTP expectation is withdrawn again. The success exit and the
 * `nated_port = 0` bail-outs (original lines 224, 228-229, 232-234,
 * 236-240) are absent from this rendering. */
225 rtcp_exp
->tuple
.dst
.u
.udp
.port
=
226 htons(nated_port
+ 1);
227 ret
= nf_ct_expect_related(rtcp_exp
);
230 else if (ret
!= -EBUSY
) {
231 nf_ct_unexpect_related(rtp_exp
);
235 } else if (ret
!= -EBUSY
) {
241 if (nated_port
== 0) { /* No port available */
242 net_notice_ratelimited("nf_nat_h323: out of RTP ports\n");
/* Rewrite the payload address; an odd requested port means the RTCP
 * member of the pair (nated_port + 1). On success the mapping is stored
 * in both directions of info->rtp_port[i]; otherwise (else branch on the
 * absent original line 254) both expectations are withdrawn. */
247 if (set_h245_addr(skb
, data
, dataoff
, taddr
,
248 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
249 htons((port
& htons(1)) ? nated_port
+ 1 :
252 info
->rtp_port
[i
][dir
] = rtp_port
;
253 info
->rtp_port
[i
][!dir
] = htons(nated_port
);
255 nf_ct_unexpect_related(rtp_exp
);
256 nf_ct_unexpect_related(rtcp_exp
);
261 pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
262 &rtp_exp
->tuple
.src
.u3
.ip
,
263 ntohs(rtp_exp
->tuple
.src
.u
.udp
.port
),
264 &rtp_exp
->tuple
.dst
.u3
.ip
,
265 ntohs(rtp_exp
->tuple
.dst
.u
.udp
.port
));
266 pr_debug("nf_nat_h323: expect RTCP %pI4:%hu->%pI4:%hu\n",
267 &rtcp_exp
->tuple
.src
.u3
.ip
,
268 ntohs(rtcp_exp
->tuple
.src
.u
.udp
.port
),
269 &rtcp_exp
->tuple
.dst
.u3
.ip
,
270 ntohs(rtcp_exp
->tuple
.dst
.u
.udp
.port
));
275 /****************************************************************************/
/*
 * nat_t120 - NAT a T.120 (TCP) data channel announced over H.245.
 *
 * Tries to keep the requested port and, if that expectation is busy,
 * walks upwards until a free one is found. The original port is kept in
 * exp->saved_proto so nf_nat_follow_master() can restore it on the
 * expected connection. A failing set_h245_addr() (`< 0`) withdraws the
 * expectation again. Absent from this rendering: original lines 281,
 * 284, 288-289, 292-293, 296-297, 299-303, 306-309, 314-316, 322-325
 * (the `ret` declaration, the loop's success exit and the returns).
 */
276 static int nat_t120(struct sk_buff
*skb
, struct nf_conn
*ct
,
277 enum ip_conntrack_info ctinfo
,
278 unsigned char **data
, int dataoff
,
279 H245_TransportAddress
*taddr
, __be16 port
,
280 struct nf_conntrack_expect
*exp
)
282 int dir
= CTINFO2DIR(ctinfo
);
283 u_int16_t nated_port
= ntohs(port
);
285 /* Set expectations for NAT */
286 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
287 exp
->expectfn
= nf_nat_follow_master
;
/* nated_port is u_int16_t: the loop terminates when it wraps to 0,
 * which is then reported as "out of TCP ports". Any expect failure other
 * than -EBUSY also ends the search (body on absent lines 299-303). */
290 /* Try to get same port: if not, try to change it. */
291 for (; nated_port
!= 0; nated_port
++) {
294 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
295 ret
= nf_ct_expect_related(exp
);
298 else if (ret
!= -EBUSY
) {
304 if (nated_port
== 0) { /* No port available */
305 net_notice_ratelimited("nf_nat_h323: out of TCP ports\n");
/* Payload rewrite failed: do not leave a dangling expectation behind. */
310 if (set_h245_addr(skb
, data
, dataoff
, taddr
,
311 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
312 htons(nated_port
)) < 0) {
313 nf_ct_unexpect_related(exp
);
317 pr_debug("nf_nat_h323: expect T.120 %pI4:%hu->%pI4:%hu\n",
318 &exp
->tuple
.src
.u3
.ip
,
319 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
320 &exp
->tuple
.dst
.u3
.ip
,
321 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
326 /****************************************************************************/
/*
 * nat_h245 - NAT the H.245 control channel address announced in Q.931.
 *
 * If a mapping for @port is already recorded in info->sig_port[dir], the
 * previously chosen NAT port is reused; otherwise the search starts at
 * the requested port and walks upwards. On a successful rewrite
 * (set_h225_addr() == 0) the mapping is recorded in both directions of
 * info->sig_port; on failure the expectation is withdrawn. Absent from
 * this rendering: original lines 332, 336, 340-341, 345, 348-349,
 * 352-353, 355-359, 362-365, 369, 372, 374-376, 382-385 (the `ret`
 * declaration, loop exits, the `} else {` and the return statements).
 */
327 static int nat_h245(struct sk_buff
*skb
, struct nf_conn
*ct
,
328 enum ip_conntrack_info ctinfo
,
329 unsigned char **data
, int dataoff
,
330 TransportAddress
*taddr
, __be16 port
,
331 struct nf_conntrack_expect
*exp
)
333 struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
334 int dir
= CTINFO2DIR(ctinfo
);
335 u_int16_t nated_port
= ntohs(port
);
337 /* Set expectations for NAT */
338 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
339 exp
->expectfn
= nf_nat_follow_master
;
/* Prefer the NAT port already chosen for this signalling port so repeated
 * announcements keep a stable mapping. */
342 /* Check existing expects */
343 if (info
->sig_port
[dir
] == port
)
344 nated_port
= ntohs(info
->sig_port
[!dir
]);
/* u_int16_t wraparound to 0 ends the search ("out of TCP ports"). */
346 /* Try to get same port: if not, try to change it. */
347 for (; nated_port
!= 0; nated_port
++) {
350 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
351 ret
= nf_ct_expect_related(exp
);
354 else if (ret
!= -EBUSY
) {
360 if (nated_port
== 0) { /* No port available */
361 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
/* Success (== 0) records the mapping; the else branch (absent original
 * line 372) withdraws the expectation. */
366 if (set_h225_addr(skb
, data
, dataoff
, taddr
,
367 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
368 htons(nated_port
)) == 0) {
370 info
->sig_port
[dir
] = port
;
371 info
->sig_port
[!dir
] = htons(nated_port
);
373 nf_ct_unexpect_related(exp
);
377 pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
378 &exp
->tuple
.src
.u3
.ip
,
379 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
380 &exp
->tuple
.dst
.u3
.ip
,
381 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
386 /****************************************************************************
387 * This conntrack expect function replaces nf_conntrack_q931_expect()
388 * which was set by nf_conntrack_h323.c.
389 ****************************************************************************/
/*
 * @new:  the connection that just matched the expectation.
 * @this: the expectation it matched (carries dir, saved_proto, master).
 *
 * When the expectation has a concrete source address
 * (this->tuple.src.u3.ip != 0) the generic nf_nat_follow_master() handles
 * the NAT setup; the `return` that should follow it (original line 397)
 * is absent from this rendering. For the wildcard-source case the new
 * connection gets an explicit SRC mapping to its own reply-direction
 * source ip and a DST mapping to the saved port and the master
 * connection's reply-direction source ip. BUG_ON rejects a connection
 * that already carries NAT state. Absent: original lines 392, 394,
 * 397-399, 402, 407, 414.
 */
390 static void ip_nat_q931_expect(struct nf_conn
*new,
391 struct nf_conntrack_expect
*this)
393 struct nf_nat_ipv4_range range
;
395 if (this->tuple
.src
.u3
.ip
!= 0) { /* Only accept calls from GK */
396 nf_nat_follow_master(new, this);
400 /* This must be a fresh one. */
401 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
403 /* Change src to where master sends to */
404 range
.flags
= NF_NAT_RANGE_MAP_IPS
;
405 range
.min_ip
= range
.max_ip
= new->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
406 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_SRC
);
/* The range is reused for the DST mapping: the port comes from
 * saved_proto (set by nat_q931()), the ip from the master's reply tuple. */
408 /* For DST manip, map port here to where it's expected. */
409 range
.flags
= (NF_NAT_RANGE_MAP_IPS
| NF_NAT_RANGE_PROTO_SPECIFIED
);
410 range
.min
= range
.max
= this->saved_proto
;
411 range
.min_ip
= range
.max_ip
=
412 new->master
->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
413 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_DST
);
416 /****************************************************************************/
/*
 * nat_q931 - NAT the Q.931 call-signalling address announced in RAS.
 *
 * Same port-selection scheme as nat_h245(), but the expectation uses
 * ip_nat_q931_expect() and the address rewritten is taddr[@idx]. On a
 * successful rewrite the mapping is recorded in info->sig_port and the
 * "Gnomemeeting" case patches taddr[0] as well when it parses to a
 * loopback (127.0.0.0/8) address; on failure the expectation is
 * withdrawn. Absent from this rendering: original lines 421, 426,
 * 430-431, 435, 438-439, 442-443, 445-449, 452-455, 459, 462, 464,
 * 470-471, 473-476, 482-485 (the `ret` declaration, loop exits, the
 * head of the Gnomemeeting condition and the return statements).
 */
417 static int nat_q931(struct sk_buff
*skb
, struct nf_conn
*ct
,
418 enum ip_conntrack_info ctinfo
,
419 unsigned char **data
, TransportAddress
*taddr
, int idx
,
420 __be16 port
, struct nf_conntrack_expect
*exp
)
422 struct nf_ct_h323_master
*info
= nfct_help_data(ct
);
423 int dir
= CTINFO2DIR(ctinfo
);
424 u_int16_t nated_port
= ntohs(port
);
425 union nf_inet_addr addr
;
427 /* Set expectations for NAT */
428 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
/* Custom expectfn: the expected call may come from a gatekeeper whose
 * source address is not known in advance. */
429 exp
->expectfn
= ip_nat_q931_expect
;
432 /* Check existing expects */
433 if (info
->sig_port
[dir
] == port
)
434 nated_port
= ntohs(info
->sig_port
[!dir
]);
/* u_int16_t wraparound to 0 ends the search ("out of TCP ports"). */
436 /* Try to get same port: if not, try to change it. */
437 for (; nated_port
!= 0; nated_port
++) {
440 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
441 ret
= nf_ct_expect_related(exp
);
444 else if (ret
!= -EBUSY
) {
450 if (nated_port
== 0) { /* No port available */
451 net_notice_ratelimited("nf_nat_ras: out of TCP ports\n");
456 if (set_h225_addr(skb
, data
, 0, &taddr
[idx
],
457 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
458 htons(nated_port
)) == 0) {
460 info
->sig_port
[dir
] = port
;
461 info
->sig_port
[!dir
] = htons(nated_port
);
/* NOTE(review): the return value of this second set_h225_addr() is not
 * checked (the call on original line 467 is a bare statement), so a
 * failed mangle here leaves the loopback address in the payload while
 * the function still reports success; consider logging or propagating it. */
463 /* Fix for Gnomemeeting */
465 get_h225_addr(ct
, *data
, &taddr
[0], &addr
, &port
) &&
466 (ntohl(addr
.ip
) & 0xff000000) == 0x7f000000) {
467 set_h225_addr(skb
, data
, 0, &taddr
[0],
468 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
469 info
->sig_port
[!dir
]);
472 nf_ct_unexpect_related(exp
);
477 pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
478 &exp
->tuple
.src
.u3
.ip
,
479 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
480 &exp
->tuple
.dst
.u3
.ip
,
481 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
486 /****************************************************************************/
/*
 * ip_nat_callforwarding_expect - expectfn for a forwarded call.
 *
 * Like the wildcard branch of ip_nat_q931_expect(): SRC is mapped to the
 * new connection's reply-direction source ip, DST to the port saved in
 * this->saved_proto and the ip saved in this->saved_ip (both set by
 * nat_callforwarding()). BUG_ON rejects a connection that already has
 * NAT state. Absent from this rendering: original lines 489, 491, 494,
 * 499, 505-506.
 */
487 static void ip_nat_callforwarding_expect(struct nf_conn
*new,
488 struct nf_conntrack_expect
*this)
490 struct nf_nat_ipv4_range range
;
492 /* This must be a fresh one. */
493 BUG_ON(new->status
& IPS_NAT_DONE_MASK
);
495 /* Change src to where master sends to */
496 range
.flags
= NF_NAT_RANGE_MAP_IPS
;
497 range
.min_ip
= range
.max_ip
= new->tuplehash
[!this->dir
].tuple
.src
.u3
.ip
;
498 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_SRC
);
/* Unlike ip_nat_q931_expect(), the DST ip is the forwarding target that
 * nat_callforwarding() stashed in saved_ip, not the master's tuple. */
500 /* For DST manip, map port here to where it's expected. */
501 range
.flags
= (NF_NAT_RANGE_MAP_IPS
| NF_NAT_RANGE_PROTO_SPECIFIED
);
502 range
.min
= range
.max
= this->saved_proto
;
503 range
.min_ip
= range
.max_ip
= this->saved_ip
;
504 nf_nat_setup_info(new, &range
, NF_NAT_MANIP_DST
);
507 /****************************************************************************/
/*
 * nat_callforwarding - NAT a call-forwarding (alternative address)
 * announcement.
 *
 * The original forwarding target (exp->tuple.dst.u3.ip) is stashed in
 * exp->saved_ip and the expectation is re-pointed at this connection's
 * reply-direction destination, so the NAT box itself receives the
 * forwarded call and ip_nat_callforwarding_expect() redirects it. Port
 * selection follows the same walk-upwards scheme as nat_t120(). Absent
 * from this rendering: original lines 513, 516, 522-523, 526-527,
 * 530-531, 533-537, 540-543, 548-551, 557-560.
 */
508 static int nat_callforwarding(struct sk_buff
*skb
, struct nf_conn
*ct
,
509 enum ip_conntrack_info ctinfo
,
510 unsigned char **data
, int dataoff
,
511 TransportAddress
*taddr
, __be16 port
,
512 struct nf_conntrack_expect
*exp
)
514 int dir
= CTINFO2DIR(ctinfo
);
515 u_int16_t nated_port
;
517 /* Set expectations for NAT */
518 exp
->saved_ip
= exp
->tuple
.dst
.u3
.ip
;
519 exp
->tuple
.dst
.u3
.ip
= ct
->tuplehash
[!dir
].tuple
.dst
.u3
.ip
;
520 exp
->saved_proto
.tcp
.port
= exp
->tuple
.dst
.u
.tcp
.port
;
521 exp
->expectfn
= ip_nat_callforwarding_expect
;
/* u_int16_t wraparound to 0 ends the search ("out of TCP ports"). */
524 /* Try to get same port: if not, try to change it. */
525 for (nated_port
= ntohs(port
); nated_port
!= 0; nated_port
++) {
528 exp
->tuple
.dst
.u
.tcp
.port
= htons(nated_port
);
529 ret
= nf_ct_expect_related(exp
);
532 else if (ret
!= -EBUSY
) {
538 if (nated_port
== 0) { /* No port available */
539 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
/* NOTE(review): `!set_h225_addr(...) == 0` parses as
 * `(!set_h225_addr(...)) == 0`, i.e. it is true when set_h225_addr()
 * returned non-zero (failure), matching the unexpect below. It reads
 * like a mistake; the sibling callers spell the same test as `< 0` or
 * `== 0` on the bare return value. */
544 if (!set_h225_addr(skb
, data
, dataoff
, taddr
,
545 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
546 htons(nated_port
)) == 0) {
547 nf_ct_unexpect_related(exp
);
552 pr_debug("nf_nat_q931: expect Call Forwarding %pI4:%hu->%pI4:%hu\n",
553 &exp
->tuple
.src
.u3
.ip
,
554 ntohs(exp
->tuple
.src
.u
.tcp
.port
),
555 &exp
->tuple
.dst
.u3
.ip
,
556 ntohs(exp
->tuple
.dst
.u
.tcp
.port
));
/*
 * Expectfn descriptors registered with the conntrack core in init() and
 * unregistered in fini(); they let the non-NAT helper look up these
 * callbacks by name. The `.name` member of q931_nat (original line 562)
 * and both closing `};` (564, 569) are absent from this rendering.
 */
561 static struct nf_ct_helper_expectfn q931_nat
= {
563 .expectfn
= ip_nat_q931_expect
,
566 static struct nf_ct_helper_expectfn callforwarding_nat
= {
567 .name
= "callforwarding",
568 .expectfn
= ip_nat_callforwarding_expect
,
571 /****************************************************************************/
/*
 * init - module entry: publish this module's NAT callbacks through the
 * hook pointers exported by nf_conntrack_h323 and register the expectfn
 * descriptors.
 *
 * The BUG_ON block refuses to load if any hook is already claimed, so two
 * NAT helpers cannot silently fight over the same hook. RCU_INIT_POINTER
 * (no publication barrier) appears sufficient here because the published
 * values are addresses of functions defined above, not freshly
 * initialised data. The opening brace (original line 573) and the return
 * (595-597) are absent from this rendering.
 */
572 static int __init
init(void)
574 BUG_ON(set_h245_addr_hook
!= NULL
);
575 BUG_ON(set_h225_addr_hook
!= NULL
);
576 BUG_ON(set_sig_addr_hook
!= NULL
);
577 BUG_ON(set_ras_addr_hook
!= NULL
);
578 BUG_ON(nat_rtp_rtcp_hook
!= NULL
);
579 BUG_ON(nat_t120_hook
!= NULL
);
580 BUG_ON(nat_h245_hook
!= NULL
);
581 BUG_ON(nat_callforwarding_hook
!= NULL
);
582 BUG_ON(nat_q931_hook
!= NULL
);
/* Publish the callbacks; from here on the conntrack helper may call them
 * under rcu_read_lock(). */
584 RCU_INIT_POINTER(set_h245_addr_hook
, set_h245_addr
);
585 RCU_INIT_POINTER(set_h225_addr_hook
, set_h225_addr
);
586 RCU_INIT_POINTER(set_sig_addr_hook
, set_sig_addr
);
587 RCU_INIT_POINTER(set_ras_addr_hook
, set_ras_addr
);
588 RCU_INIT_POINTER(nat_rtp_rtcp_hook
, nat_rtp_rtcp
);
589 RCU_INIT_POINTER(nat_t120_hook
, nat_t120
);
590 RCU_INIT_POINTER(nat_h245_hook
, nat_h245
);
591 RCU_INIT_POINTER(nat_callforwarding_hook
, nat_callforwarding
);
592 RCU_INIT_POINTER(nat_q931_hook
, nat_q931
);
593 nf_ct_helper_expectfn_register(&q931_nat
);
594 nf_ct_helper_expectfn_register(&callforwarding_nat
);
598 /****************************************************************************/
/*
 * fini - module exit: clear every hook pointer and unregister the
 * expectfn descriptors, in the reverse of init().
 *
 * NOTE(review): original lines 612-614 are absent from this rendering.
 * Readers may still be executing a callback they loaded before the
 * pointer was cleared, so confirm that the full source waits for an RCU
 * grace period after the unregistration before the module text goes away.
 */
599 static void __exit
fini(void)
601 RCU_INIT_POINTER(set_h245_addr_hook
, NULL
);
602 RCU_INIT_POINTER(set_h225_addr_hook
, NULL
);
603 RCU_INIT_POINTER(set_sig_addr_hook
, NULL
);
604 RCU_INIT_POINTER(set_ras_addr_hook
, NULL
);
605 RCU_INIT_POINTER(nat_rtp_rtcp_hook
, NULL
);
606 RCU_INIT_POINTER(nat_t120_hook
, NULL
);
607 RCU_INIT_POINTER(nat_h245_hook
, NULL
);
608 RCU_INIT_POINTER(nat_callforwarding_hook
, NULL
);
609 RCU_INIT_POINTER(nat_q931_hook
, NULL
);
610 nf_ct_helper_expectfn_unregister(&q931_nat
);
611 nf_ct_helper_expectfn_unregister(&callforwarding_nat
);
615 /****************************************************************************/
/* Module metadata. The module_init()/module_exit() registrations that
 * bind init()/fini() (original lines 616-618) are absent from this
 * rendering. */
619 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
620 MODULE_DESCRIPTION("H.323 NAT helper");
621 MODULE_LICENSE("GPL");
622 MODULE_ALIAS("ip_nat_h323");