1 /* SIP extension for IP connection tracking.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_conntrack_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/ctype.h>
13 #include <linux/skbuff.h>
14 #include <linux/inet.h>
16 #include <linux/udp.h>
17 #include <linux/netfilter.h>
19 #include <net/netfilter/nf_conntrack.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <net/netfilter/nf_conntrack_helper.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP connection tracking helper");
27 MODULE_ALIAS("ip_conntrack_sip");
30 static unsigned short ports[MAX_PORTS];
31 static unsigned int ports_c;
32 module_param_array(ports, ushort, &ports_c, 0400);
33 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
35 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
36 module_param(sip_timeout, uint, 0600);
37 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
39 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
41 unsigned int *datalen) __read_mostly;
42 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
44 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
46 unsigned int *datalen,
47 struct nf_conntrack_expect *exp) __read_mostly;
48 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
50 static int digits_len(const struct nf_conn *, const char *, const char *, int *);
51 static int epaddr_len(const struct nf_conn *, const char *, const char *, int *);
52 static int skp_digits_len(const struct nf_conn *, const char *, const char *, int *);
53 static int skp_epaddr_len(const struct nf_conn *, const char *, const char *, int *);
55 struct sip_header_nfo {
63 int (*match_len)(const struct nf_conn *, const char *,
67 static const struct sip_header_nfo ct_sip_hdrs[] = {
68 [POS_REG_REQ_URI] = { /* SIP REGISTER request URI */
70 .lnlen = sizeof("sip:") - 1,
72 .ln_strlen = sizeof(":") - 1,
73 .match_len = epaddr_len,
75 [POS_REQ_URI] = { /* SIP request URI */
77 .lnlen = sizeof("sip:") - 1,
79 .ln_strlen = sizeof("@") - 1,
80 .match_len = epaddr_len,
82 [POS_FROM] = { /* SIP From header */
84 .lnlen = sizeof("From:") - 1,
86 .snlen = sizeof("\r\nf:") - 1,
88 .ln_strlen = sizeof("sip:") - 1,
89 .match_len = skp_epaddr_len,
91 [POS_TO] = { /* SIP To header */
93 .lnlen = sizeof("To:") - 1,
95 .snlen = sizeof("\r\nt:") - 1,
97 .ln_strlen = sizeof("sip:") - 1,
98 .match_len = skp_epaddr_len
100 [POS_VIA] = { /* SIP Via header */
102 .lnlen = sizeof("Via:") - 1,
104 .snlen = sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
106 .ln_strlen = sizeof("UDP ") - 1,
107 .match_len = epaddr_len,
109 [POS_CONTACT] = { /* SIP Contact header */
111 .lnlen = sizeof("Contact:") - 1,
113 .snlen = sizeof("\r\nm:") - 1,
115 .ln_strlen = sizeof("sip:") - 1,
116 .match_len = skp_epaddr_len
118 [POS_CONTENT] = { /* SIP Content length header */
119 .lname = "Content-Length:",
120 .lnlen = sizeof("Content-Length:") - 1,
122 .snlen = sizeof("\r\nl:") - 1,
124 .ln_strlen = sizeof(":") - 1,
125 .match_len = skp_digits_len
127 [POS_MEDIA] = { /* SDP media info */
130 .lnlen = sizeof("\nm=") - 1,
132 .snlen = sizeof("\rm=") - 1,
134 .ln_strlen = sizeof("audio ") - 1,
135 .match_len = digits_len
137 [POS_OWNER_IP4] = { /* SDP owner address*/
140 .lnlen = sizeof("\no=") - 1,
142 .snlen = sizeof("\ro=") - 1,
144 .ln_strlen = sizeof("IN IP4 ") - 1,
145 .match_len = epaddr_len
147 [POS_CONNECTION_IP4] = {/* SDP connection info */
150 .lnlen = sizeof("\nc=") - 1,
152 .snlen = sizeof("\rc=") - 1,
154 .ln_strlen = sizeof("IN IP4 ") - 1,
155 .match_len = epaddr_len
157 [POS_OWNER_IP6] = { /* SDP owner address*/
160 .lnlen = sizeof("\no=") - 1,
162 .snlen = sizeof("\ro=") - 1,
164 .ln_strlen = sizeof("IN IP6 ") - 1,
165 .match_len = epaddr_len
167 [POS_CONNECTION_IP6] = {/* SDP connection info */
170 .lnlen = sizeof("\nc=") - 1,
172 .snlen = sizeof("\rc=") - 1,
174 .ln_strlen = sizeof("IN IP6 ") - 1,
175 .match_len = epaddr_len
177 [POS_SDP_HEADER] = { /* SDP version header */
180 .lnlen = sizeof("\nv=") - 1,
182 .snlen = sizeof("\rv=") - 1,
184 .ln_strlen = sizeof("=") - 1,
185 .match_len = digits_len
189 /* get line length until first CR or LF seen. */
190 int ct_sip_lnlen(const char *line, const char *limit)
192 const char *k = line;
194 while ((line < limit) && (*line == '\r' || *line == '\n'))
197 while (line < limit) {
198 if (*line == '\r' || *line == '\n')
204 EXPORT_SYMBOL_GPL(ct_sip_lnlen);
206 /* Linear string search, case sensitive. */
207 const char *ct_sip_search(const char *needle, const char *haystack,
208 size_t needle_len, size_t haystack_len,
211 const char *limit = haystack + (haystack_len - needle_len);
213 while (haystack < limit) {
214 if (case_sensitive) {
215 if (strncmp(haystack, needle, needle_len) == 0)
218 if (strnicmp(haystack, needle, needle_len) == 0)
225 EXPORT_SYMBOL_GPL(ct_sip_search);
227 static int digits_len(const struct nf_conn *ct, const char *dptr,
228 const char *limit, int *shift)
231 while (dptr < limit && isdigit(*dptr)) {
238 /* get digits length, skipping blank spaces. */
239 static int skp_digits_len(const struct nf_conn *ct, const char *dptr,
240 const char *limit, int *shift)
242 for (; dptr < limit && *dptr == ' '; dptr++)
245 return digits_len(ct, dptr, limit, shift);
248 static int parse_addr(const struct nf_conn *ct, const char *cp,
249 const char **endp, union nf_inet_addr *addr,
253 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
258 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
261 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
267 if (ret == 0 || end == cp)
274 /* skip ip address. returns its length. */
275 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
276 const char *limit, int *shift)
278 union nf_inet_addr addr;
279 const char *aux = dptr;
281 if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
282 pr_debug("ip: %s parse failed.!\n", dptr);
289 dptr += digits_len(ct, dptr, limit, shift);
294 /* get address length, skiping user info. */
295 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
296 const char *limit, int *shift)
298 const char *start = dptr;
301 /* Search for @, but stop at the end of the line.
302 * We are inside a sip: URI, so we don't need to worry about
303 * continuation lines. */
304 while (dptr < limit &&
305 *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
310 if (dptr < limit && *dptr == '@') {
318 return epaddr_len(ct, dptr, limit, shift);
321 /* Returns 0 if not found, -1 error parsing. */
322 int ct_sip_get_info(const struct nf_conn *ct,
323 const char *dptr, size_t dlen,
324 unsigned int *matchoff,
325 unsigned int *matchlen,
326 enum sip_header_pos pos)
328 const struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
329 const char *limit, *aux, *k = dptr;
332 limit = dptr + (dlen - hnfo->lnlen);
334 while (dptr < limit) {
335 if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
336 (hnfo->sname == NULL ||
337 strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
341 aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
342 ct_sip_lnlen(dptr, limit),
343 hnfo->case_sensitive);
345 pr_debug("'%s' not found in '%s'.\n", hnfo->ln_str,
349 aux += hnfo->ln_strlen;
351 *matchlen = hnfo->match_len(ct, aux, limit, &shift);
355 *matchoff = (aux - k) + shift;
357 pr_debug("%s match succeeded! - len: %u\n", hnfo->lname,
361 pr_debug("%s header not found.\n", hnfo->lname);
364 EXPORT_SYMBOL_GPL(ct_sip_get_info);
366 static int set_expected_rtp(struct sk_buff *skb,
367 const char **dptr, unsigned int *datalen,
368 union nf_inet_addr *addr, __be16 port)
370 struct nf_conntrack_expect *exp;
371 enum ip_conntrack_info ctinfo;
372 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
373 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
374 int family = ct->tuplehash[!dir].tuple.src.l3num;
376 typeof(nf_nat_sdp_hook) nf_nat_sdp;
378 exp = nf_ct_expect_alloc(ct);
381 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, family,
382 &ct->tuplehash[!dir].tuple.src.u3, addr,
383 IPPROTO_UDP, NULL, &port);
385 nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
386 if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
387 ret = nf_nat_sdp(skb, dptr, datalen, exp);
389 if (nf_ct_expect_related(exp) != 0)
394 nf_ct_expect_put(exp);
399 static int sip_help(struct sk_buff *skb,
400 unsigned int protoff,
402 enum ip_conntrack_info ctinfo)
404 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
405 union nf_inet_addr addr;
406 unsigned int dataoff, datalen;
409 unsigned int matchoff, matchlen;
411 enum sip_header_pos pos;
412 typeof(nf_nat_sip_hook) nf_nat_sip;
415 dataoff = protoff + sizeof(struct udphdr);
416 if (dataoff >= skb->len)
419 nf_ct_refresh(ct, skb, sip_timeout * HZ);
421 if (!skb_is_nonlinear(skb))
422 dptr = skb->data + dataoff;
424 pr_debug("Copy of skbuff not supported yet.\n");
428 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
429 if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
430 if (!nf_nat_sip(skb, &dptr, &datalen)) {
436 datalen = skb->len - dataoff;
437 if (datalen < sizeof("SIP/2.0 200") - 1)
440 /* RTP info only in some SDP pkts */
441 if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
442 memcmp(dptr, "UPDATE", sizeof("UPDATE") - 1) != 0 &&
443 memcmp(dptr, "SIP/2.0 180", sizeof("SIP/2.0 180") - 1) != 0 &&
444 memcmp(dptr, "SIP/2.0 183", sizeof("SIP/2.0 183") - 1) != 0 &&
445 memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) {
448 /* Get address and port from SDP packet. */
449 pos = family == AF_INET ? POS_CONNECTION_IP4 : POS_CONNECTION_IP6;
450 if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, pos) > 0) {
452 /* We'll drop only if there are parse problems. */
453 if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
458 if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
461 port = simple_strtoul(dptr + matchoff, NULL, 10);
466 ret = set_expected_rtp(skb, &dptr, &datalen,
474 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
475 static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
477 static const struct nf_conntrack_expect_policy sip_exp_policy = {
482 static void nf_conntrack_sip_fini(void)
486 for (i = 0; i < ports_c; i++) {
487 for (j = 0; j < 2; j++) {
488 if (sip[i][j].me == NULL)
490 nf_conntrack_helper_unregister(&sip[i][j]);
495 static int __init nf_conntrack_sip_init(void)
501 ports[ports_c++] = SIP_PORT;
503 for (i = 0; i < ports_c; i++) {
504 memset(&sip[i], 0, sizeof(sip[i]));
506 sip[i][0].tuple.src.l3num = AF_INET;
507 sip[i][1].tuple.src.l3num = AF_INET6;
508 for (j = 0; j < 2; j++) {
509 sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
510 sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
511 sip[i][j].expect_policy = &sip_exp_policy;
512 sip[i][j].me = THIS_MODULE;
513 sip[i][j].help = sip_help;
515 tmpname = &sip_names[i][j][0];
516 if (ports[i] == SIP_PORT)
517 sprintf(tmpname, "sip");
519 sprintf(tmpname, "sip-%u", i);
520 sip[i][j].name = tmpname;
522 pr_debug("port #%u: %u\n", i, ports[i]);
524 ret = nf_conntrack_helper_register(&sip[i][j]);
526 printk("nf_ct_sip: failed to register helper "
527 "for pf: %u port: %u\n",
528 sip[i][j].tuple.src.l3num, ports[i]);
529 nf_conntrack_sip_fini();
537 module_init(nf_conntrack_sip_init);
538 module_exit(nf_conntrack_sip_fini);