1 /* SIP extension for IP connection tracking.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_conntrack_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/ctype.h>
13 #include <linux/skbuff.h>
14 #include <linux/inet.h>
16 #include <linux/udp.h>
17 #include <linux/netfilter.h>
19 #include <net/netfilter/nf_conntrack.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <net/netfilter/nf_conntrack_helper.h>
22 #include <linux/netfilter/nf_conntrack_sip.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
26 MODULE_DESCRIPTION("SIP connection tracking helper");
27 MODULE_ALIAS("ip_conntrack_sip");
30 static unsigned short ports[MAX_PORTS];
31 static unsigned int ports_c;
32 module_param_array(ports, ushort, &ports_c, 0400);
33 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
35 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
36 module_param(sip_timeout, uint, 0600);
37 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
39 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
41 unsigned int *datalen) __read_mostly;
42 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
44 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
46 unsigned int *datalen,
47 struct nf_conntrack_expect *exp) __read_mostly;
48 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
50 static int digits_len(const struct nf_conn *, const char *, const char *, int *);
51 static int epaddr_len(const struct nf_conn *, const char *, const char *, int *);
52 static int skp_digits_len(const struct nf_conn *, const char *, const char *, int *);
53 static int skp_epaddr_len(const struct nf_conn *, const char *, const char *, int *);
55 struct sip_header_nfo {
63 int (*match_len)(const struct nf_conn *, const char *,
67 static const struct sip_header_nfo ct_sip_hdrs[] = {
68 [POS_REG_REQ_URI] = { /* SIP REGISTER request URI */
70 .lnlen = sizeof("sip:") - 1,
72 .ln_strlen = sizeof(":") - 1,
73 .match_len = epaddr_len,
75 [POS_REQ_URI] = { /* SIP request URI */
77 .lnlen = sizeof("sip:") - 1,
79 .ln_strlen = sizeof("@") - 1,
80 .match_len = epaddr_len,
82 [POS_FROM] = { /* SIP From header */
84 .lnlen = sizeof("From:") - 1,
86 .snlen = sizeof("\r\nf:") - 1,
88 .ln_strlen = sizeof("sip:") - 1,
89 .match_len = skp_epaddr_len,
91 [POS_TO] = { /* SIP To header */
93 .lnlen = sizeof("To:") - 1,
95 .snlen = sizeof("\r\nt:") - 1,
97 .ln_strlen = sizeof("sip:") - 1,
98 .match_len = skp_epaddr_len
100 [POS_VIA] = { /* SIP Via header */
102 .lnlen = sizeof("Via:") - 1,
104 .snlen = sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
106 .ln_strlen = sizeof("UDP ") - 1,
107 .match_len = epaddr_len,
109 [POS_CONTACT] = { /* SIP Contact header */
111 .lnlen = sizeof("Contact:") - 1,
113 .snlen = sizeof("\r\nm:") - 1,
115 .ln_strlen = sizeof("sip:") - 1,
116 .match_len = skp_epaddr_len
118 [POS_CONTENT] = { /* SIP Content length header */
119 .lname = "Content-Length:",
120 .lnlen = sizeof("Content-Length:") - 1,
122 .snlen = sizeof("\r\nl:") - 1,
124 .ln_strlen = sizeof(":") - 1,
125 .match_len = skp_digits_len
129 /* get line length until first CR or LF seen. */
130 int ct_sip_lnlen(const char *line, const char *limit)
132 const char *k = line;
134 while ((line < limit) && (*line == '\r' || *line == '\n'))
137 while (line < limit) {
138 if (*line == '\r' || *line == '\n')
144 EXPORT_SYMBOL_GPL(ct_sip_lnlen);
146 /* Linear string search, case sensitive. */
147 const char *ct_sip_search(const char *needle, const char *haystack,
148 size_t needle_len, size_t haystack_len,
151 const char *limit = haystack + (haystack_len - needle_len);
153 while (haystack < limit) {
154 if (case_sensitive) {
155 if (strncmp(haystack, needle, needle_len) == 0)
158 if (strnicmp(haystack, needle, needle_len) == 0)
165 EXPORT_SYMBOL_GPL(ct_sip_search);
167 static int digits_len(const struct nf_conn *ct, const char *dptr,
168 const char *limit, int *shift)
171 while (dptr < limit && isdigit(*dptr)) {
178 /* get digits length, skipping blank spaces. */
179 static int skp_digits_len(const struct nf_conn *ct, const char *dptr,
180 const char *limit, int *shift)
182 for (; dptr < limit && *dptr == ' '; dptr++)
185 return digits_len(ct, dptr, limit, shift);
188 static int parse_addr(const struct nf_conn *ct, const char *cp,
189 const char **endp, union nf_inet_addr *addr,
193 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
198 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
201 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
207 if (ret == 0 || end == cp)
214 /* skip ip address. returns its length. */
215 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
216 const char *limit, int *shift)
218 union nf_inet_addr addr;
219 const char *aux = dptr;
221 if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
222 pr_debug("ip: %s parse failed.!\n", dptr);
229 dptr += digits_len(ct, dptr, limit, shift);
234 /* get address length, skiping user info. */
235 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
236 const char *limit, int *shift)
238 const char *start = dptr;
241 /* Search for @, but stop at the end of the line.
242 * We are inside a sip: URI, so we don't need to worry about
243 * continuation lines. */
244 while (dptr < limit &&
245 *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
250 if (dptr < limit && *dptr == '@') {
258 return epaddr_len(ct, dptr, limit, shift);
261 /* Returns 0 if not found, -1 error parsing. */
262 int ct_sip_get_info(const struct nf_conn *ct,
263 const char *dptr, size_t dlen,
264 unsigned int *matchoff,
265 unsigned int *matchlen,
266 enum sip_header_pos pos)
268 const struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
269 const char *limit, *aux, *k = dptr;
272 limit = dptr + (dlen - hnfo->lnlen);
274 while (dptr < limit) {
275 if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
276 (hnfo->sname == NULL ||
277 strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
281 aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
282 ct_sip_lnlen(dptr, limit),
283 hnfo->case_sensitive);
285 pr_debug("'%s' not found in '%s'.\n", hnfo->ln_str,
289 aux += hnfo->ln_strlen;
291 *matchlen = hnfo->match_len(ct, aux, limit, &shift);
295 *matchoff = (aux - k) + shift;
297 pr_debug("%s match succeeded! - len: %u\n", hnfo->lname,
301 pr_debug("%s header not found.\n", hnfo->lname);
304 EXPORT_SYMBOL_GPL(ct_sip_get_info);
306 /* SDP header parsing: a SDP session description contains an ordered set of
307 * headers, starting with a section containing general session parameters,
308 * optionally followed by multiple media descriptions.
310 * SDP headers always start at the beginning of a line. According to RFC 2327:
311 * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
312 * be tolerant and also accept records terminated with a single newline
313 * character". We handle both cases.
315 static const struct sip_header ct_sdp_hdrs[] = {
316 [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
317 [SDP_HDR_OWNER_IP4] = SDP_HDR("o=", "IN IP4 ", epaddr_len),
318 [SDP_HDR_CONNECTION_IP4] = SDP_HDR("c=", "IN IP4 ", epaddr_len),
319 [SDP_HDR_OWNER_IP6] = SDP_HDR("o=", "IN IP6 ", epaddr_len),
320 [SDP_HDR_CONNECTION_IP6] = SDP_HDR("c=", "IN IP6 ", epaddr_len),
321 [SDP_HDR_MEDIA] = SDP_HDR("m=", "audio ", digits_len),
324 /* Linear string search within SDP header values */
325 static const char *ct_sdp_header_search(const char *dptr, const char *limit,
326 const char *needle, unsigned int len)
328 for (limit -= len; dptr < limit; dptr++) {
329 if (*dptr == '\r' || *dptr == '\n')
331 if (strncmp(dptr, needle, len) == 0)
337 /* Locate a SDP header (optionally a substring within the header value),
338 * optionally stopping at the first occurence of the term header, parse
339 * it and return the offset and length of the data we're interested in.
341 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
342 unsigned int dataoff, unsigned int datalen,
343 enum sdp_header_types type,
344 enum sdp_header_types term,
345 unsigned int *matchoff, unsigned int *matchlen)
347 const struct sip_header *hdr = &ct_sdp_hdrs[type];
348 const struct sip_header *thdr = &ct_sdp_hdrs[term];
349 const char *start = dptr, *limit = dptr + datalen;
352 for (dptr += dataoff; dptr < limit; dptr++) {
353 /* Find beginning of line */
354 if (*dptr != '\r' && *dptr != '\n')
358 if (*(dptr - 1) == '\r' && *dptr == '\n') {
363 if (term != SDP_HDR_UNSPEC &&
364 limit - dptr >= thdr->len &&
365 strnicmp(dptr, thdr->name, thdr->len) == 0)
367 else if (limit - dptr >= hdr->len &&
368 strnicmp(dptr, hdr->name, hdr->len) == 0)
373 *matchoff = dptr - start;
375 dptr = ct_sdp_header_search(dptr, limit, hdr->search,
382 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
385 *matchoff = dptr - start + shift;
390 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
392 static int set_expected_rtp(struct sk_buff *skb,
393 const char **dptr, unsigned int *datalen,
394 union nf_inet_addr *addr, __be16 port)
396 struct nf_conntrack_expect *exp;
397 enum ip_conntrack_info ctinfo;
398 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
399 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
400 int family = ct->tuplehash[!dir].tuple.src.l3num;
402 typeof(nf_nat_sdp_hook) nf_nat_sdp;
404 exp = nf_ct_expect_alloc(ct);
407 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, family,
408 &ct->tuplehash[!dir].tuple.src.u3, addr,
409 IPPROTO_UDP, NULL, &port);
411 nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
412 if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
413 ret = nf_nat_sdp(skb, dptr, datalen, exp);
415 if (nf_ct_expect_related(exp) != 0)
420 nf_ct_expect_put(exp);
425 static int sip_help(struct sk_buff *skb,
426 unsigned int protoff,
428 enum ip_conntrack_info ctinfo)
430 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
431 union nf_inet_addr addr;
432 unsigned int dataoff, datalen;
435 unsigned int matchoff, matchlen;
437 enum sdp_header_types type;
438 typeof(nf_nat_sip_hook) nf_nat_sip;
441 dataoff = protoff + sizeof(struct udphdr);
442 if (dataoff >= skb->len)
445 nf_ct_refresh(ct, skb, sip_timeout * HZ);
447 if (!skb_is_nonlinear(skb))
448 dptr = skb->data + dataoff;
450 pr_debug("Copy of skbuff not supported yet.\n");
454 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
455 if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
456 if (!nf_nat_sip(skb, &dptr, &datalen)) {
462 datalen = skb->len - dataoff;
463 if (datalen < strlen("SIP/2.0 200"))
466 /* RTP info only in some SDP pkts */
467 if (strnicmp(dptr, "INVITE", strlen("INVITE")) != 0 &&
468 strnicmp(dptr, "UPDATE", strlen("UPDATE")) != 0 &&
469 strnicmp(dptr, "SIP/2.0 180", strlen("SIP/2.0 180")) != 0 &&
470 strnicmp(dptr, "SIP/2.0 183", strlen("SIP/2.0 183")) != 0 &&
471 strnicmp(dptr, "SIP/2.0 200", strlen("SIP/2.0 200")) != 0) {
474 /* Get address and port from SDP packet. */
475 type = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
476 SDP_HDR_CONNECTION_IP6;
477 if (ct_sip_get_sdp_header(ct, dptr, 0, datalen, type, SDP_HDR_UNSPEC,
478 &matchoff, &matchlen) > 0) {
480 /* We'll drop only if there are parse problems. */
481 if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
486 if (ct_sip_get_sdp_header(ct, dptr, 0, datalen,
487 SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
488 &matchoff, &matchlen) > 0) {
490 port = simple_strtoul(dptr + matchoff, NULL, 10);
495 ret = set_expected_rtp(skb, &dptr, &datalen,
503 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
504 static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
506 static const struct nf_conntrack_expect_policy sip_exp_policy = {
511 static void nf_conntrack_sip_fini(void)
515 for (i = 0; i < ports_c; i++) {
516 for (j = 0; j < 2; j++) {
517 if (sip[i][j].me == NULL)
519 nf_conntrack_helper_unregister(&sip[i][j]);
524 static int __init nf_conntrack_sip_init(void)
530 ports[ports_c++] = SIP_PORT;
532 for (i = 0; i < ports_c; i++) {
533 memset(&sip[i], 0, sizeof(sip[i]));
535 sip[i][0].tuple.src.l3num = AF_INET;
536 sip[i][1].tuple.src.l3num = AF_INET6;
537 for (j = 0; j < 2; j++) {
538 sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
539 sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
540 sip[i][j].expect_policy = &sip_exp_policy;
541 sip[i][j].me = THIS_MODULE;
542 sip[i][j].help = sip_help;
544 tmpname = &sip_names[i][j][0];
545 if (ports[i] == SIP_PORT)
546 sprintf(tmpname, "sip");
548 sprintf(tmpname, "sip-%u", i);
549 sip[i][j].name = tmpname;
551 pr_debug("port #%u: %u\n", i, ports[i]);
553 ret = nf_conntrack_helper_register(&sip[i][j]);
555 printk("nf_ct_sip: failed to register helper "
556 "for pf: %u port: %u\n",
557 sip[i][j].tuple.src.l3num, ports[i]);
558 nf_conntrack_sip_fini();
566 module_init(nf_conntrack_sip_init);
567 module_exit(nf_conntrack_sip_fini);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob