SAFE public projects git trees. - safe/jmp/linux-2.6/blob - net/netfilter/nf_conntrack_sip.c

   1 /* SIP extension for IP connection tracking.
   2  *
   3  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
   4  * based on RR's ip_conntrack_ftp.c and other modules.
   5  * (C) 2007 United Security Providers
   6  * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #include <linux/module.h>
  14 #include <linux/ctype.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/inet.h>
  17 #include <linux/in.h>
  18 #include <linux/udp.h>
  19 #include <linux/tcp.h>
  20 #include <linux/netfilter.h>
  21
  22 #include <net/netfilter/nf_conntrack.h>
  23 #include <net/netfilter/nf_conntrack_core.h>
  24 #include <net/netfilter/nf_conntrack_expect.h>
  25 #include <net/netfilter/nf_conntrack_helper.h>
  26 #include <linux/netfilter/nf_conntrack_sip.h>
  27
  28 MODULE_LICENSE("GPL");
  29 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
  30 MODULE_DESCRIPTION("SIP connection tracking helper");
  31 MODULE_ALIAS("ip_conntrack_sip");
  32 MODULE_ALIAS_NFCT_HELPER("sip");
  33
  34 #define MAX_PORTS       8
  35 static unsigned short ports[MAX_PORTS];
  36 static unsigned int ports_c;
  37 module_param_array(ports, ushort, &ports_c, 0400);
  38 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
  39
  40 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
  41 module_param(sip_timeout, uint, 0600);
  42 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
  43
  44 static int sip_direct_signalling __read_mostly = 1;
  45 module_param(sip_direct_signalling, int, 0600);
  46 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
  47                                         "only (default 1)");
  48
  49 static int sip_direct_media __read_mostly = 1;
  50 module_param(sip_direct_media, int, 0600);
  51 MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
  52                                    "endpoints only (default 1)");
  53
  54 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, unsigned int dataoff,
  55                                 const char **dptr,
  56                                 unsigned int *datalen) __read_mostly;
  57 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
  58
  59 void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off) __read_mostly;
  60 EXPORT_SYMBOL_GPL(nf_nat_sip_seq_adjust_hook);
  61
  62 unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
  63                                        unsigned int dataoff,
  64                                        const char **dptr,
  65                                        unsigned int *datalen,
  66                                        struct nf_conntrack_expect *exp,
  67                                        unsigned int matchoff,
  68                                        unsigned int matchlen) __read_mostly;
  69 EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook);
  70
  71 unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb, unsigned int dataoff,
  72                                      const char **dptr,
  73                                      unsigned int *datalen,
  74                                      unsigned int sdpoff,
  75                                      enum sdp_header_types type,
  76                                      enum sdp_header_types term,
  77                                      const union nf_inet_addr *addr)
  78                                      __read_mostly;
  79 EXPORT_SYMBOL_GPL(nf_nat_sdp_addr_hook);
  80
  81 unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, unsigned int dataoff,
  82                                      const char **dptr,
  83                                      unsigned int *datalen,
  84                                      unsigned int matchoff,
  85                                      unsigned int matchlen,
  86                                      u_int16_t port) __read_mostly;
  87 EXPORT_SYMBOL_GPL(nf_nat_sdp_port_hook);
  88
  89 unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
  90                                         unsigned int dataoff,
  91                                         const char **dptr,
  92                                         unsigned int *datalen,
  93                                         unsigned int sdpoff,
  94                                         const union nf_inet_addr *addr)
  95                                         __read_mostly;
  96 EXPORT_SYMBOL_GPL(nf_nat_sdp_session_hook);
  97
  98 unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb, unsigned int dataoff,
  99                                       const char **dptr,
 100                                       unsigned int *datalen,
 101                                       struct nf_conntrack_expect *rtp_exp,
 102                                       struct nf_conntrack_expect *rtcp_exp,
 103                                       unsigned int mediaoff,
 104                                       unsigned int medialen,
 105                                       union nf_inet_addr *rtp_addr)
 106                                       __read_mostly;
 107 EXPORT_SYMBOL_GPL(nf_nat_sdp_media_hook);
 108
 109 static int string_len(const struct nf_conn *ct, const char *dptr,
 110                       const char *limit, int *shift)
 111 {
 112         int len = 0;
 113
 114         while (dptr < limit && isalpha(*dptr)) {
 115                 dptr++;
 116                 len++;
 117         }
 118         return len;
 119 }
 120
 121 static int digits_len(const struct nf_conn *ct, const char *dptr,
 122                       const char *limit, int *shift)
 123 {
 124         int len = 0;
 125         while (dptr < limit && isdigit(*dptr)) {
 126                 dptr++;
 127                 len++;
 128         }
 129         return len;
 130 }
 131
 132 /* get media type + port length */
 133 static int media_len(const struct nf_conn *ct, const char *dptr,
 134                      const char *limit, int *shift)
 135 {
 136         int len = string_len(ct, dptr, limit, shift);
 137
 138         dptr += len;
 139         if (dptr >= limit || *dptr != ' ')
 140                 return 0;
 141         len++;
 142         dptr++;
 143
 144         return len + digits_len(ct, dptr, limit, shift);
 145 }
 146
 147 static int parse_addr(const struct nf_conn *ct, const char *cp,
 148                       const char **endp, union nf_inet_addr *addr,
 149                       const char *limit)
 150 {
 151         const char *end;
 152         int ret = 0;
 153
 154         memset(addr, 0, sizeof(*addr));
 155         switch (nf_ct_l3num(ct)) {
 156         case AF_INET:
 157                 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
 158                 break;
 159         case AF_INET6:
 160                 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
 161                 break;
 162         default:
 163                 BUG();
 164         }
 165
 166         if (ret == 0 || end == cp)
 167                 return 0;
 168         if (endp)
 169                 *endp = end;
 170         return 1;
 171 }
 172
 173 /* skip ip address. returns its length. */
 174 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
 175                       const char *limit, int *shift)
 176 {
 177         union nf_inet_addr addr;
 178         const char *aux = dptr;
 179
 180         if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
 181                 pr_debug("ip: %s parse failed.!\n", dptr);
 182                 return 0;
 183         }
 184
 185         /* Port number */
 186         if (*dptr == ':') {
 187                 dptr++;
 188                 dptr += digits_len(ct, dptr, limit, shift);
 189         }
 190         return dptr - aux;
 191 }
 192
 193 /* get address length, skiping user info. */
 194 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
 195                           const char *limit, int *shift)
 196 {
 197         const char *start = dptr;
 198         int s = *shift;
 199
 200         /* Search for @, but stop at the end of the line.
 201          * We are inside a sip: URI, so we don't need to worry about
 202          * continuation lines. */
 203         while (dptr < limit &&
 204                *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
 205                 (*shift)++;
 206                 dptr++;
 207         }
 208
 209         if (dptr < limit && *dptr == '@') {
 210                 dptr++;
 211                 (*shift)++;
 212         } else {
 213                 dptr = start;
 214                 *shift = s;
 215         }
 216
 217         return epaddr_len(ct, dptr, limit, shift);
 218 }
 219
 220 /* Parse a SIP request line of the form:
 221  *
 222  * Request-Line = Method SP Request-URI SP SIP-Version CRLF
 223  *
 224  * and return the offset and length of the address contained in the Request-URI.
 225  */
 226 int ct_sip_parse_request(const struct nf_conn *ct,
 227                          const char *dptr, unsigned int datalen,
 228                          unsigned int *matchoff, unsigned int *matchlen,
 229                          union nf_inet_addr *addr, __be16 *port)
 230 {
 231         const char *start = dptr, *limit = dptr + datalen, *end;
 232         unsigned int mlen;
 233         unsigned int p;
 234         int shift = 0;
 235
 236         /* Skip method and following whitespace */
 237         mlen = string_len(ct, dptr, limit, NULL);
 238         if (!mlen)
 239                 return 0;
 240         dptr += mlen;
 241         if (++dptr >= limit)
 242                 return 0;
 243
 244         /* Find SIP URI */
 245         for (; dptr < limit - strlen("sip:"); dptr++) {
 246                 if (*dptr == '\r' || *dptr == '\n')
 247                         return -1;
 248                 if (strnicmp(dptr, "sip:", strlen("sip:")) == 0) {
 249                         dptr += strlen("sip:");
 250                         break;
 251                 }
 252         }
 253         if (!skp_epaddr_len(ct, dptr, limit, &shift))
 254                 return 0;
 255         dptr += shift;
 256
 257         if (!parse_addr(ct, dptr, &end, addr, limit))
 258                 return -1;
 259         if (end < limit && *end == ':') {
 260                 end++;
 261                 p = simple_strtoul(end, (char **)&end, 10);
 262                 if (p < 1024 || p > 65535)
 263                         return -1;
 264                 *port = htons(p);
 265         } else
 266                 *port = htons(SIP_PORT);
 267
 268         if (end == dptr)
 269                 return 0;
 270         *matchoff = dptr - start;
 271         *matchlen = end - dptr;
 272         return 1;
 273 }
 274 EXPORT_SYMBOL_GPL(ct_sip_parse_request);
 275
 276 /* SIP header parsing: SIP headers are located at the beginning of a line, but
 277  * may span several lines, in which case the continuation lines begin with a
 278  * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
 279  * CRLF, RFC 3261 allows only CRLF, we support both.
 280  *
 281  * Headers are followed by (optionally) whitespace, a colon, again (optionally)
 282  * whitespace and the values. Whitespace in this context means any amount of
 283  * tabs, spaces and continuation lines, which are treated as a single whitespace
 284  * character.
 285  *
 286  * Some headers may appear multiple times. A comma seperated list of values is
 287  * equivalent to multiple headers.
 288  */
 289 static const struct sip_header ct_sip_hdrs[] = {
 290         [SIP_HDR_CSEQ]                  = SIP_HDR("CSeq", NULL, NULL, digits_len),
 291         [SIP_HDR_FROM]                  = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
 292         [SIP_HDR_TO]                    = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
 293         [SIP_HDR_CONTACT]               = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
 294         [SIP_HDR_VIA_UDP]               = SIP_HDR("Via", "v", "UDP ", epaddr_len),
 295         [SIP_HDR_VIA_TCP]               = SIP_HDR("Via", "v", "TCP ", epaddr_len),
 296         [SIP_HDR_EXPIRES]               = SIP_HDR("Expires", NULL, NULL, digits_len),
 297         [SIP_HDR_CONTENT_LENGTH]        = SIP_HDR("Content-Length", "l", NULL, digits_len),
 298 };
 299
 300 static const char *sip_follow_continuation(const char *dptr, const char *limit)
 301 {
 302         /* Walk past newline */
 303         if (++dptr >= limit)
 304                 return NULL;
 305
 306         /* Skip '\n' in CR LF */
 307         if (*(dptr - 1) == '\r' && *dptr == '\n') {
 308                 if (++dptr >= limit)
 309                         return NULL;
 310         }
 311
 312         /* Continuation line? */
 313         if (*dptr != ' ' && *dptr != '\t')
 314                 return NULL;
 315
 316         /* skip leading whitespace */
 317         for (; dptr < limit; dptr++) {
 318                 if (*dptr != ' ' && *dptr != '\t')
 319                         break;
 320         }
 321         return dptr;
 322 }
 323
 324 static const char *sip_skip_whitespace(const char *dptr, const char *limit)
 325 {
 326         for (; dptr < limit; dptr++) {
 327                 if (*dptr == ' ')
 328                         continue;
 329                 if (*dptr != '\r' && *dptr != '\n')
 330                         break;
 331                 dptr = sip_follow_continuation(dptr, limit);
 332                 if (dptr == NULL)
 333                         return NULL;
 334         }
 335         return dptr;
 336 }
 337
 338 /* Search within a SIP header value, dealing with continuation lines */
 339 static const char *ct_sip_header_search(const char *dptr, const char *limit,
 340                                         const char *needle, unsigned int len)
 341 {
 342         for (limit -= len; dptr < limit; dptr++) {
 343                 if (*dptr == '\r' || *dptr == '\n') {
 344                         dptr = sip_follow_continuation(dptr, limit);
 345                         if (dptr == NULL)
 346                                 break;
 347                         continue;
 348                 }
 349
 350                 if (strnicmp(dptr, needle, len) == 0)
 351                         return dptr;
 352         }
 353         return NULL;
 354 }
 355
 356 int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 357                       unsigned int dataoff, unsigned int datalen,
 358                       enum sip_header_types type,
 359                       unsigned int *matchoff, unsigned int *matchlen)
 360 {
 361         const struct sip_header *hdr = &ct_sip_hdrs[type];
 362         const char *start = dptr, *limit = dptr + datalen;
 363         int shift = 0;
 364
 365         for (dptr += dataoff; dptr < limit; dptr++) {
 366                 /* Find beginning of line */
 367                 if (*dptr != '\r' && *dptr != '\n')
 368                         continue;
 369                 if (++dptr >= limit)
 370                         break;
 371                 if (*(dptr - 1) == '\r' && *dptr == '\n') {
 372                         if (++dptr >= limit)
 373                                 break;
 374                 }
 375
 376                 /* Skip continuation lines */
 377                 if (*dptr == ' ' || *dptr == '\t')
 378                         continue;
 379
 380                 /* Find header. Compact headers must be followed by a
 381                  * non-alphabetic character to avoid mismatches. */
 382                 if (limit - dptr >= hdr->len &&
 383                     strnicmp(dptr, hdr->name, hdr->len) == 0)
 384                         dptr += hdr->len;
 385                 else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
 386                          strnicmp(dptr, hdr->cname, hdr->clen) == 0 &&
 387                          !isalpha(*(dptr + hdr->clen)))
 388                         dptr += hdr->clen;
 389                 else
 390                         continue;
 391
 392                 /* Find and skip colon */
 393                 dptr = sip_skip_whitespace(dptr, limit);
 394                 if (dptr == NULL)
 395                         break;
 396                 if (*dptr != ':' || ++dptr >= limit)
 397                         break;
 398
 399                 /* Skip whitespace after colon */
 400                 dptr = sip_skip_whitespace(dptr, limit);
 401                 if (dptr == NULL)
 402                         break;
 403
 404                 *matchoff = dptr - start;
 405                 if (hdr->search) {
 406                         dptr = ct_sip_header_search(dptr, limit, hdr->search,
 407                                                     hdr->slen);
 408                         if (!dptr)
 409                                 return -1;
 410                         dptr += hdr->slen;
 411                 }
 412
 413                 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 414                 if (!*matchlen)
 415                         return -1;
 416                 *matchoff = dptr - start + shift;
 417                 return 1;
 418         }
 419         return 0;
 420 }
 421 EXPORT_SYMBOL_GPL(ct_sip_get_header);
 422
 423 /* Get next header field in a list of comma seperated values */
 424 static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
 425                               unsigned int dataoff, unsigned int datalen,
 426                               enum sip_header_types type,
 427                               unsigned int *matchoff, unsigned int *matchlen)
 428 {
 429         const struct sip_header *hdr = &ct_sip_hdrs[type];
 430         const char *start = dptr, *limit = dptr + datalen;
 431         int shift = 0;
 432
 433         dptr += dataoff;
 434
 435         dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
 436         if (!dptr)
 437                 return 0;
 438
 439         dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
 440         if (!dptr)
 441                 return 0;
 442         dptr += hdr->slen;
 443
 444         *matchoff = dptr - start;
 445         *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 446         if (!*matchlen)
 447                 return -1;
 448         *matchoff += shift;
 449         return 1;
 450 }
 451
 452 /* Walk through headers until a parsable one is found or no header of the
 453  * given type is left. */
 454 static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 455                                unsigned int dataoff, unsigned int datalen,
 456                                enum sip_header_types type, int *in_header,
 457                                unsigned int *matchoff, unsigned int *matchlen)
 458 {
 459         int ret;
 460
 461         if (in_header && *in_header) {
 462                 while (1) {
 463                         ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
 464                                                  type, matchoff, matchlen);
 465                         if (ret > 0)
 466                                 return ret;
 467                         if (ret == 0)
 468                                 break;
 469                         dataoff += *matchoff;
 470                 }
 471                 *in_header = 0;
 472         }
 473
 474         while (1) {
 475                 ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
 476                                         type, matchoff, matchlen);
 477                 if (ret > 0)
 478                         break;
 479                 if (ret == 0)
 480                         return ret;
 481                 dataoff += *matchoff;
 482         }
 483
 484         if (in_header)
 485                 *in_header = 1;
 486         return 1;
 487 }
 488
 489 /* Locate a SIP header, parse the URI and return the offset and length of
 490  * the address as well as the address and port themselves. A stream of
 491  * headers can be parsed by handing in a non-NULL datalen and in_header
 492  * pointer.
 493  */
 494 int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 495                             unsigned int *dataoff, unsigned int datalen,
 496                             enum sip_header_types type, int *in_header,
 497                             unsigned int *matchoff, unsigned int *matchlen,
 498                             union nf_inet_addr *addr, __be16 *port)
 499 {
 500         const char *c, *limit = dptr + datalen;
 501         unsigned int p;
 502         int ret;
 503
 504         ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
 505                                   type, in_header, matchoff, matchlen);
 506         WARN_ON(ret < 0);
 507         if (ret == 0)
 508                 return ret;
 509
 510         if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
 511                 return -1;
 512         if (*c == ':') {
 513                 c++;
 514                 p = simple_strtoul(c, (char **)&c, 10);
 515                 if (p < 1024 || p > 65535)
 516                         return -1;
 517                 *port = htons(p);
 518         } else
 519                 *port = htons(SIP_PORT);
 520
 521         if (dataoff)
 522                 *dataoff = c - dptr;
 523         return 1;
 524 }
 525 EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
 526
 527 static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr,
 528                               unsigned int dataoff, unsigned int datalen,
 529                               const char *name,
 530                               unsigned int *matchoff, unsigned int *matchlen)
 531 {
 532         const char *limit = dptr + datalen;
 533         const char *start;
 534         const char *end;
 535
 536         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 537         if (!limit)
 538                 limit = dptr + datalen;
 539
 540         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 541         if (!start)
 542                 return 0;
 543         start += strlen(name);
 544
 545         end = ct_sip_header_search(start, limit, ";", strlen(";"));
 546         if (!end)
 547                 end = limit;
 548
 549         *matchoff = start - dptr;
 550         *matchlen = end - start;
 551         return 1;
 552 }
 553
 554 /* Parse address from header parameter and return address, offset and length */
 555 int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
 556                                unsigned int dataoff, unsigned int datalen,
 557                                const char *name,
 558                                unsigned int *matchoff, unsigned int *matchlen,
 559                                union nf_inet_addr *addr)
 560 {
 561         const char *limit = dptr + datalen;
 562         const char *start, *end;
 563
 564         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 565         if (!limit)
 566                 limit = dptr + datalen;
 567
 568         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 569         if (!start)
 570                 return 0;
 571
 572         start += strlen(name);
 573         if (!parse_addr(ct, start, &end, addr, limit))
 574                 return 0;
 575         *matchoff = start - dptr;
 576         *matchlen = end - start;
 577         return 1;
 578 }
 579 EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
 580
 581 /* Parse numerical header parameter and return value, offset and length */
 582 int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
 583                                  unsigned int dataoff, unsigned int datalen,
 584                                  const char *name,
 585                                  unsigned int *matchoff, unsigned int *matchlen,
 586                                  unsigned int *val)
 587 {
 588         const char *limit = dptr + datalen;
 589         const char *start;
 590         char *end;
 591
 592         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 593         if (!limit)
 594                 limit = dptr + datalen;
 595
 596         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 597         if (!start)
 598                 return 0;
 599
 600         start += strlen(name);
 601         *val = simple_strtoul(start, &end, 0);
 602         if (start == end)
 603                 return 0;
 604         if (matchoff && matchlen) {
 605                 *matchoff = start - dptr;
 606                 *matchlen = end - start;
 607         }
 608         return 1;
 609 }
 610 EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
 611
 612 static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
 613                                   unsigned int dataoff, unsigned int datalen,
 614                                   u8 *proto)
 615 {
 616         unsigned int matchoff, matchlen;
 617
 618         if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=",
 619                                &matchoff, &matchlen)) {
 620                 if (!strnicmp(dptr + matchoff, "TCP", strlen("TCP")))
 621                         *proto = IPPROTO_TCP;
 622                 else if (!strnicmp(dptr + matchoff, "UDP", strlen("UDP")))
 623                         *proto = IPPROTO_UDP;
 624                 else
 625                         return 0;
 626
 627                 if (*proto != nf_ct_protonum(ct))
 628                         return 0;
 629         } else
 630                 *proto = nf_ct_protonum(ct);
 631
 632         return 1;
 633 }
 634
 635 /* SDP header parsing: a SDP session description contains an ordered set of
 636  * headers, starting with a section containing general session parameters,
 637  * optionally followed by multiple media descriptions.
 638  *
 639  * SDP headers always start at the beginning of a line. According to RFC 2327:
 640  * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
 641  * be tolerant and also accept records terminated with a single newline
 642  * character". We handle both cases.
 643  */
 644 static const struct sip_header ct_sdp_hdrs[] = {
 645         [SDP_HDR_VERSION]               = SDP_HDR("v=", NULL, digits_len),
 646         [SDP_HDR_OWNER_IP4]             = SDP_HDR("o=", "IN IP4 ", epaddr_len),
 647         [SDP_HDR_CONNECTION_IP4]        = SDP_HDR("c=", "IN IP4 ", epaddr_len),
 648         [SDP_HDR_OWNER_IP6]             = SDP_HDR("o=", "IN IP6 ", epaddr_len),
 649         [SDP_HDR_CONNECTION_IP6]        = SDP_HDR("c=", "IN IP6 ", epaddr_len),
 650         [SDP_HDR_MEDIA]                 = SDP_HDR("m=", NULL, media_len),
 651 };
 652
 653 /* Linear string search within SDP header values */
 654 static const char *ct_sdp_header_search(const char *dptr, const char *limit,
 655                                         const char *needle, unsigned int len)
 656 {
 657         for (limit -= len; dptr < limit; dptr++) {
 658                 if (*dptr == '\r' || *dptr == '\n')
 659                         break;
 660                 if (strncmp(dptr, needle, len) == 0)
 661                         return dptr;
 662         }
 663         return NULL;
 664 }
 665
 666 /* Locate a SDP header (optionally a substring within the header value),
 667  * optionally stopping at the first occurence of the term header, parse
 668  * it and return the offset and length of the data we're interested in.
 669  */
 670 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 671                           unsigned int dataoff, unsigned int datalen,
 672                           enum sdp_header_types type,
 673                           enum sdp_header_types term,
 674                           unsigned int *matchoff, unsigned int *matchlen)
 675 {
 676         const struct sip_header *hdr = &ct_sdp_hdrs[type];
 677         const struct sip_header *thdr = &ct_sdp_hdrs[term];
 678         const char *start = dptr, *limit = dptr + datalen;
 679         int shift = 0;
 680
 681         for (dptr += dataoff; dptr < limit; dptr++) {
 682                 /* Find beginning of line */
 683                 if (*dptr != '\r' && *dptr != '\n')
 684                         continue;
 685                 if (++dptr >= limit)
 686                         break;
 687                 if (*(dptr - 1) == '\r' && *dptr == '\n') {
 688                         if (++dptr >= limit)
 689                                 break;
 690                 }
 691
 692                 if (term != SDP_HDR_UNSPEC &&
 693                     limit - dptr >= thdr->len &&
 694                     strnicmp(dptr, thdr->name, thdr->len) == 0)
 695                         break;
 696                 else if (limit - dptr >= hdr->len &&
 697                          strnicmp(dptr, hdr->name, hdr->len) == 0)
 698                         dptr += hdr->len;
 699                 else
 700                         continue;
 701
 702                 *matchoff = dptr - start;
 703                 if (hdr->search) {
 704                         dptr = ct_sdp_header_search(dptr, limit, hdr->search,
 705                                                     hdr->slen);
 706                         if (!dptr)
 707                                 return -1;
 708                         dptr += hdr->slen;
 709                 }
 710
 711                 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 712                 if (!*matchlen)
 713                         return -1;
 714                 *matchoff = dptr - start + shift;
 715                 return 1;
 716         }
 717         return 0;
 718 }
 719 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
 720
 721 static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
 722                                  unsigned int dataoff, unsigned int datalen,
 723                                  enum sdp_header_types type,
 724                                  enum sdp_header_types term,
 725                                  unsigned int *matchoff, unsigned int *matchlen,
 726                                  union nf_inet_addr *addr)
 727 {
 728         int ret;
 729
 730         ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
 731                                     matchoff, matchlen);
 732         if (ret <= 0)
 733                 return ret;
 734
 735         if (!parse_addr(ct, dptr + *matchoff, NULL, addr,
 736                         dptr + *matchoff + *matchlen))
 737                 return -1;
 738         return 1;
 739 }
 740
 741 static int refresh_signalling_expectation(struct nf_conn *ct,
 742                                           union nf_inet_addr *addr,
 743                                           u8 proto, __be16 port,
 744                                           unsigned int expires)
 745 {
 746         struct nf_conn_help *help = nfct_help(ct);
 747         struct nf_conntrack_expect *exp;
 748         struct hlist_node *n, *next;
 749         int found = 0;
 750
 751         spin_lock_bh(&nf_conntrack_lock);
 752         hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
 753                 if (exp->class != SIP_EXPECT_SIGNALLING ||
 754                     !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
 755                     exp->tuple.dst.protonum != proto ||
 756                     exp->tuple.dst.u.udp.port != port)
 757                         continue;
 758                 if (!del_timer(&exp->timeout))
 759                         continue;
 760                 exp->flags &= ~NF_CT_EXPECT_INACTIVE;
 761                 exp->timeout.expires = jiffies + expires * HZ;
 762                 add_timer(&exp->timeout);
 763                 found = 1;
 764                 break;
 765         }
 766         spin_unlock_bh(&nf_conntrack_lock);
 767         return found;
 768 }
 769
 770 static void flush_expectations(struct nf_conn *ct, bool media)
 771 {
 772         struct nf_conn_help *help = nfct_help(ct);
 773         struct nf_conntrack_expect *exp;
 774         struct hlist_node *n, *next;
 775
 776         spin_lock_bh(&nf_conntrack_lock);
 777         hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
 778                 if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
 779                         continue;
 780                 if (!del_timer(&exp->timeout))
 781                         continue;
 782                 nf_ct_unlink_expect(exp);
 783                 nf_ct_expect_put(exp);
 784                 if (!media)
 785                         break;
 786         }
 787         spin_unlock_bh(&nf_conntrack_lock);
 788 }
 789
 790 static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int dataoff,
 791                                  const char **dptr, unsigned int *datalen,
 792                                  union nf_inet_addr *daddr, __be16 port,
 793                                  enum sip_expectation_classes class,
 794                                  unsigned int mediaoff, unsigned int medialen)
 795 {
 796         struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
 797         enum ip_conntrack_info ctinfo;
 798         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 799         struct net *net = nf_ct_net(ct);
 800         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 801         union nf_inet_addr *saddr;
 802         struct nf_conntrack_tuple tuple;
 803         int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
 804         u_int16_t base_port;
 805         __be16 rtp_port, rtcp_port;
 806         typeof(nf_nat_sdp_port_hook) nf_nat_sdp_port;
 807         typeof(nf_nat_sdp_media_hook) nf_nat_sdp_media;
 808
 809         saddr = NULL;
 810         if (sip_direct_media) {
 811                 if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
 812                         return NF_ACCEPT;
 813                 saddr = &ct->tuplehash[!dir].tuple.src.u3;
 814         }
 815
 816         /* We need to check whether the registration exists before attempting
 817          * to register it since we can see the same media description multiple
 818          * times on different connections in case multiple endpoints receive
 819          * the same call.
 820          *
 821          * RTP optimization: if we find a matching media channel expectation
 822          * and both the expectation and this connection are SNATed, we assume
 823          * both sides can reach each other directly and use the final
 824          * destination address from the expectation. We still need to keep
 825          * the NATed expectations for media that might arrive from the
 826          * outside, and additionally need to expect the direct RTP stream
 827          * in case it passes through us even without NAT.
 828          */
 829         memset(&tuple, 0, sizeof(tuple));
 830         if (saddr)
 831                 tuple.src.u3 = *saddr;
 832         tuple.src.l3num         = nf_ct_l3num(ct);
 833         tuple.dst.protonum      = IPPROTO_UDP;
 834         tuple.dst.u3            = *daddr;
 835         tuple.dst.u.udp.port    = port;
 836
 837         rcu_read_lock();
 838         do {
 839                 exp = __nf_ct_expect_find(net, &tuple);
 840
 841                 if (!exp || exp->master == ct ||
 842                     nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
 843                     exp->class != class)
 844                         break;
 845 #ifdef CONFIG_NF_NAT_NEEDED
 846                 if (exp->tuple.src.l3num == AF_INET && !direct_rtp &&
 847                     (exp->saved_ip != exp->tuple.dst.u3.ip ||
 848                      exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
 849                     ct->status & IPS_NAT_MASK) {
 850                         daddr->ip               = exp->saved_ip;
 851                         tuple.dst.u3.ip         = exp->saved_ip;
 852                         tuple.dst.u.udp.port    = exp->saved_proto.udp.port;
 853                         direct_rtp = 1;
 854                 } else
 855 #endif
 856                         skip_expect = 1;
 857         } while (!skip_expect);
 858         rcu_read_unlock();
 859
 860         base_port = ntohs(tuple.dst.u.udp.port) & ~1;
 861         rtp_port = htons(base_port);
 862         rtcp_port = htons(base_port + 1);
 863
 864         if (direct_rtp) {
 865                 nf_nat_sdp_port = rcu_dereference(nf_nat_sdp_port_hook);
 866                 if (nf_nat_sdp_port &&
 867                     !nf_nat_sdp_port(skb, dataoff, dptr, datalen,
 868                                      mediaoff, medialen, ntohs(rtp_port)))
 869                         goto err1;
 870         }
 871
 872         if (skip_expect)
 873                 return NF_ACCEPT;
 874
 875         rtp_exp = nf_ct_expect_alloc(ct);
 876         if (rtp_exp == NULL)
 877                 goto err1;
 878         nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
 879                           IPPROTO_UDP, NULL, &rtp_port);
 880
 881         rtcp_exp = nf_ct_expect_alloc(ct);
 882         if (rtcp_exp == NULL)
 883                 goto err2;
 884         nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
 885                           IPPROTO_UDP, NULL, &rtcp_port);
 886
 887         nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook);
 888         if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK && !direct_rtp)
 889                 ret = nf_nat_sdp_media(skb, dataoff, dptr, datalen,
 890                                        rtp_exp, rtcp_exp,
 891                                        mediaoff, medialen, daddr);
 892         else {
 893                 if (nf_ct_expect_related(rtp_exp) == 0) {
 894                         if (nf_ct_expect_related(rtcp_exp) != 0)
 895                                 nf_ct_unexpect_related(rtp_exp);
 896                         else
 897                                 ret = NF_ACCEPT;
 898                 }
 899         }
 900         nf_ct_expect_put(rtcp_exp);
 901 err2:
 902         nf_ct_expect_put(rtp_exp);
 903 err1:
 904         return ret;
 905 }
 906
 907 static const struct sdp_media_type sdp_media_types[] = {
 908         SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
 909         SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
 910         SDP_MEDIA_TYPE("image ", SIP_EXPECT_IMAGE),
 911 };
 912
 913 static const struct sdp_media_type *sdp_media_type(const char *dptr,
 914                                                    unsigned int matchoff,
 915                                                    unsigned int matchlen)
 916 {
 917         const struct sdp_media_type *t;
 918         unsigned int i;
 919
 920         for (i = 0; i < ARRAY_SIZE(sdp_media_types); i++) {
 921                 t = &sdp_media_types[i];
 922                 if (matchlen < t->len ||
 923                     strncmp(dptr + matchoff, t->name, t->len))
 924                         continue;
 925                 return t;
 926         }
 927         return NULL;
 928 }
 929
 930 static int process_sdp(struct sk_buff *skb, unsigned int dataoff,
 931                        const char **dptr, unsigned int *datalen,
 932                        unsigned int cseq)
 933 {
 934         enum ip_conntrack_info ctinfo;
 935         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 936         unsigned int matchoff, matchlen;
 937         unsigned int mediaoff, medialen;
 938         unsigned int sdpoff;
 939         unsigned int caddr_len, maddr_len;
 940         unsigned int i;
 941         union nf_inet_addr caddr, maddr, rtp_addr;
 942         unsigned int port;
 943         enum sdp_header_types c_hdr;
 944         const struct sdp_media_type *t;
 945         int ret = NF_ACCEPT;
 946         typeof(nf_nat_sdp_addr_hook) nf_nat_sdp_addr;
 947         typeof(nf_nat_sdp_session_hook) nf_nat_sdp_session;
 948
 949         nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook);
 950         c_hdr = nf_ct_l3num(ct) == AF_INET ? SDP_HDR_CONNECTION_IP4 :
 951                                              SDP_HDR_CONNECTION_IP6;
 952
 953         /* Find beginning of session description */
 954         if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
 955                                   SDP_HDR_VERSION, SDP_HDR_UNSPEC,
 956                                   &matchoff, &matchlen) <= 0)
 957                 return NF_ACCEPT;
 958         sdpoff = matchoff;
 959
 960         /* The connection information is contained in the session description
 961          * and/or once per media description. The first media description marks
 962          * the end of the session description. */
 963         caddr_len = 0;
 964         if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
 965                                   c_hdr, SDP_HDR_MEDIA,
 966                                   &matchoff, &matchlen, &caddr) > 0)
 967                 caddr_len = matchlen;
 968
 969         mediaoff = sdpoff;
 970         for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
 971                 if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
 972                                           SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
 973                                           &mediaoff, &medialen) <= 0)
 974                         break;
 975
 976                 /* Get media type and port number. A media port value of zero
 977                  * indicates an inactive stream. */
 978                 t = sdp_media_type(*dptr, mediaoff, medialen);
 979                 if (!t) {
 980                         mediaoff += medialen;
 981                         continue;
 982                 }
 983                 mediaoff += t->len;
 984                 medialen -= t->len;
 985
 986                 port = simple_strtoul(*dptr + mediaoff, NULL, 10);
 987                 if (port == 0)
 988                         continue;
 989                 if (port < 1024 || port > 65535)
 990                         return NF_DROP;
 991
 992                 /* The media description overrides the session description. */
 993                 maddr_len = 0;
 994                 if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
 995                                           c_hdr, SDP_HDR_MEDIA,
 996                                           &matchoff, &matchlen, &maddr) > 0) {
 997                         maddr_len = matchlen;
 998                         memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
 999                 } else if (caddr_len)
1000                         memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
1001                 else
1002                         return NF_DROP;
1003
1004                 ret = set_expected_rtp_rtcp(skb, dataoff, dptr, datalen,
1005                                             &rtp_addr, htons(port), t->class,
1006                                             mediaoff, medialen);
1007                 if (ret != NF_ACCEPT)
1008                         return ret;
1009
1010                 /* Update media connection address if present */
1011                 if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
1012                         ret = nf_nat_sdp_addr(skb, dataoff, dptr, datalen,
1013                                               mediaoff, c_hdr, SDP_HDR_MEDIA,
1014                                               &rtp_addr);
1015                         if (ret != NF_ACCEPT)
1016                                 return ret;
1017                 }
1018                 i++;
1019         }
1020
1021         /* Update session connection and owner addresses */
1022         nf_nat_sdp_session = rcu_dereference(nf_nat_sdp_session_hook);
1023         if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK)
1024                 ret = nf_nat_sdp_session(skb, dataoff, dptr, datalen, sdpoff,
1025                                          &rtp_addr);
1026
1027         return ret;
1028 }
1029 static int process_invite_response(struct sk_buff *skb, unsigned int dataoff,
1030                                    const char **dptr, unsigned int *datalen,
1031                                    unsigned int cseq, unsigned int code)
1032 {
1033         enum ip_conntrack_info ctinfo;
1034         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1035         struct nf_conn_help *help = nfct_help(ct);
1036
1037         if ((code >= 100 && code <= 199) ||
1038             (code >= 200 && code <= 299))
1039                 return process_sdp(skb, dataoff, dptr, datalen, cseq);
1040         else if (help->help.ct_sip_info.invite_cseq == cseq)
1041                 flush_expectations(ct, true);
1042         return NF_ACCEPT;
1043 }
1044
1045 static int process_update_response(struct sk_buff *skb, unsigned int dataoff,
1046                                    const char **dptr, unsigned int *datalen,
1047                                    unsigned int cseq, unsigned int code)
1048 {
1049         enum ip_conntrack_info ctinfo;
1050         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1051         struct nf_conn_help *help = nfct_help(ct);
1052
1053         if ((code >= 100 && code <= 199) ||
1054             (code >= 200 && code <= 299))
1055                 return process_sdp(skb, dataoff, dptr, datalen, cseq);
1056         else if (help->help.ct_sip_info.invite_cseq == cseq)
1057                 flush_expectations(ct, true);
1058         return NF_ACCEPT;
1059 }
1060
1061 static int process_prack_response(struct sk_buff *skb, unsigned int dataoff,
1062                                   const char **dptr, unsigned int *datalen,
1063                                   unsigned int cseq, unsigned int code)
1064 {
1065         enum ip_conntrack_info ctinfo;
1066         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1067         struct nf_conn_help *help = nfct_help(ct);
1068
1069         if ((code >= 100 && code <= 199) ||
1070             (code >= 200 && code <= 299))
1071                 return process_sdp(skb, dataoff, dptr, datalen, cseq);
1072         else if (help->help.ct_sip_info.invite_cseq == cseq)
1073                 flush_expectations(ct, true);
1074         return NF_ACCEPT;
1075 }
1076
1077 static int process_invite_request(struct sk_buff *skb, unsigned int dataoff,
1078                                   const char **dptr, unsigned int *datalen,
1079                                   unsigned int cseq)
1080 {
1081         enum ip_conntrack_info ctinfo;
1082         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1083         struct nf_conn_help *help = nfct_help(ct);
1084         unsigned int ret;
1085
1086         flush_expectations(ct, true);
1087         ret = process_sdp(skb, dataoff, dptr, datalen, cseq);
1088         if (ret == NF_ACCEPT)
1089                 help->help.ct_sip_info.invite_cseq = cseq;
1090         return ret;
1091 }
1092
1093 static int process_bye_request(struct sk_buff *skb, unsigned int dataoff,
1094                                const char **dptr, unsigned int *datalen,
1095                                unsigned int cseq)
1096 {
1097         enum ip_conntrack_info ctinfo;
1098         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1099
1100         flush_expectations(ct, true);
1101         return NF_ACCEPT;
1102 }
1103
1104 /* Parse a REGISTER request and create a permanent expectation for incoming
1105  * signalling connections. The expectation is marked inactive and is activated
1106  * when receiving a response indicating success from the registrar.
1107  */
1108 static int process_register_request(struct sk_buff *skb, unsigned int dataoff,
1109                                     const char **dptr, unsigned int *datalen,
1110                                     unsigned int cseq)
1111 {
1112         enum ip_conntrack_info ctinfo;
1113         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1114         struct nf_conn_help *help = nfct_help(ct);
1115         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1116         unsigned int matchoff, matchlen;
1117         struct nf_conntrack_expect *exp;
1118         union nf_inet_addr *saddr, daddr;
1119         __be16 port;
1120         u8 proto;
1121         unsigned int expires = 0;
1122         int ret;
1123         typeof(nf_nat_sip_expect_hook) nf_nat_sip_expect;
1124
1125         /* Expected connections can not register again. */
1126         if (ct->status & IPS_EXPECTED)
1127                 return NF_ACCEPT;
1128
1129         /* We must check the expiration time: a value of zero signals the
1130          * registrar to release the binding. We'll remove our expectation
1131          * when receiving the new bindings in the response, but we don't
1132          * want to create new ones.
1133          *
1134          * The expiration time may be contained in Expires: header, the
1135          * Contact: header parameters or the URI parameters.
1136          */
1137         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1138                               &matchoff, &matchlen) > 0)
1139                 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1140
1141         ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1142                                       SIP_HDR_CONTACT, NULL,
1143                                       &matchoff, &matchlen, &daddr, &port);
1144         if (ret < 0)
1145                 return NF_DROP;
1146         else if (ret == 0)
1147                 return NF_ACCEPT;
1148
1149         /* We don't support third-party registrations */
1150         if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
1151                 return NF_ACCEPT;
1152
1153         if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen,
1154                                    &proto) == 0)
1155                 return NF_ACCEPT;
1156
1157         if (ct_sip_parse_numerical_param(ct, *dptr,
1158                                          matchoff + matchlen, *datalen,
1159                                          "expires=", NULL, NULL, &expires) < 0)
1160                 return NF_DROP;
1161
1162         if (expires == 0) {
1163                 ret = NF_ACCEPT;
1164                 goto store_cseq;
1165         }
1166
1167         exp = nf_ct_expect_alloc(ct);
1168         if (!exp)
1169                 return NF_DROP;
1170
1171         saddr = NULL;
1172         if (sip_direct_signalling)
1173                 saddr = &ct->tuplehash[!dir].tuple.src.u3;
1174
1175         nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
1176                           saddr, &daddr, proto, NULL, &port);
1177         exp->timeout.expires = sip_timeout * HZ;
1178         exp->helper = nfct_help(ct)->helper;
1179         exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
1180
1181         nf_nat_sip_expect = rcu_dereference(nf_nat_sip_expect_hook);
1182         if (nf_nat_sip_expect && ct->status & IPS_NAT_MASK)
1183                 ret = nf_nat_sip_expect(skb, dataoff, dptr, datalen, exp,
1184                                         matchoff, matchlen);
1185         else {
1186                 if (nf_ct_expect_related(exp) != 0)
1187                         ret = NF_DROP;
1188                 else
1189                         ret = NF_ACCEPT;
1190         }
1191         nf_ct_expect_put(exp);
1192
1193 store_cseq:
1194         if (ret == NF_ACCEPT)
1195                 help->help.ct_sip_info.register_cseq = cseq;
1196         return ret;
1197 }
1198
1199 static int process_register_response(struct sk_buff *skb, unsigned int dataoff,
1200                                      const char **dptr, unsigned int *datalen,
1201                                      unsigned int cseq, unsigned int code)
1202 {
1203         enum ip_conntrack_info ctinfo;
1204         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1205         struct nf_conn_help *help = nfct_help(ct);
1206         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1207         union nf_inet_addr addr;
1208         __be16 port;
1209         u8 proto;
1210         unsigned int matchoff, matchlen, coff = 0;
1211         unsigned int expires = 0;
1212         int in_contact = 0, ret;
1213
1214         /* According to RFC 3261, "UAs MUST NOT send a new registration until
1215          * they have received a final response from the registrar for the
1216          * previous one or the previous REGISTER request has timed out".
1217          *
1218          * However, some servers fail to detect retransmissions and send late
1219          * responses, so we store the sequence number of the last valid
1220          * request and compare it here.
1221          */
1222         if (help->help.ct_sip_info.register_cseq != cseq)
1223                 return NF_ACCEPT;
1224
1225         if (code >= 100 && code <= 199)
1226                 return NF_ACCEPT;
1227         if (code < 200 || code > 299)
1228                 goto flush;
1229
1230         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1231                               &matchoff, &matchlen) > 0)
1232                 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1233
1234         while (1) {
1235                 unsigned int c_expires = expires;
1236
1237                 ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
1238                                               SIP_HDR_CONTACT, &in_contact,
1239                                               &matchoff, &matchlen,
1240                                               &addr, &port);
1241                 if (ret < 0)
1242                         return NF_DROP;
1243                 else if (ret == 0)
1244                         break;
1245
1246                 /* We don't support third-party registrations */
1247                 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
1248                         continue;
1249
1250                 if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen,
1251                                            *datalen, &proto) == 0)
1252                         continue;
1253
1254                 ret = ct_sip_parse_numerical_param(ct, *dptr,
1255                                                    matchoff + matchlen,
1256                                                    *datalen, "expires=",
1257                                                    NULL, NULL, &c_expires);
1258                 if (ret < 0)
1259                         return NF_DROP;
1260                 if (c_expires == 0)
1261                         break;
1262                 if (refresh_signalling_expectation(ct, &addr, proto, port,
1263                                                    c_expires))
1264                         return NF_ACCEPT;
1265         }
1266
1267 flush:
1268         flush_expectations(ct, false);
1269         return NF_ACCEPT;
1270 }
1271
1272 static const struct sip_handler sip_handlers[] = {
1273         SIP_HANDLER("INVITE", process_invite_request, process_invite_response),
1274         SIP_HANDLER("UPDATE", process_sdp, process_update_response),
1275         SIP_HANDLER("ACK", process_sdp, NULL),
1276         SIP_HANDLER("PRACK", process_sdp, process_prack_response),
1277         SIP_HANDLER("BYE", process_bye_request, NULL),
1278         SIP_HANDLER("REGISTER", process_register_request, process_register_response),
1279 };
1280
1281 static int process_sip_response(struct sk_buff *skb, unsigned int dataoff,
1282                                 const char **dptr, unsigned int *datalen)
1283 {
1284         enum ip_conntrack_info ctinfo;
1285         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1286         unsigned int matchoff, matchlen, matchend;
1287         unsigned int code, cseq, i;
1288
1289         if (*datalen < strlen("SIP/2.0 200"))
1290                 return NF_ACCEPT;
1291         code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1292         if (!code)
1293                 return NF_DROP;
1294
1295         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1296                               &matchoff, &matchlen) <= 0)
1297                 return NF_DROP;
1298         cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1299         if (!cseq)
1300                 return NF_DROP;
1301         matchend = matchoff + matchlen + 1;
1302
1303         for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1304                 const struct sip_handler *handler;
1305
1306                 handler = &sip_handlers[i];
1307                 if (handler->response == NULL)
1308                         continue;
1309                 if (*datalen < matchend + handler->len ||
1310                     strnicmp(*dptr + matchend, handler->method, handler->len))
1311                         continue;
1312                 return handler->response(skb, dataoff, dptr, datalen,
1313                                          cseq, code);
1314         }
1315         return NF_ACCEPT;
1316 }
1317
1318 static int process_sip_request(struct sk_buff *skb, unsigned int dataoff,
1319                                const char **dptr, unsigned int *datalen)
1320 {
1321         enum ip_conntrack_info ctinfo;
1322         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1323         unsigned int matchoff, matchlen;
1324         unsigned int cseq, i;
1325
1326         for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1327                 const struct sip_handler *handler;
1328
1329                 handler = &sip_handlers[i];
1330                 if (handler->request == NULL)
1331                         continue;
1332                 if (*datalen < handler->len ||
1333                     strnicmp(*dptr, handler->method, handler->len))
1334                         continue;
1335
1336                 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1337                                       &matchoff, &matchlen) <= 0)
1338                         return NF_DROP;
1339                 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1340                 if (!cseq)
1341                         return NF_DROP;
1342
1343                 return handler->request(skb, dataoff, dptr, datalen, cseq);
1344         }
1345         return NF_ACCEPT;
1346 }
1347
1348 static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
1349                            unsigned int dataoff, const char **dptr,
1350                            unsigned int *datalen)
1351 {
1352         typeof(nf_nat_sip_hook) nf_nat_sip;
1353         int ret;
1354
1355         if (strnicmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
1356                 ret = process_sip_request(skb, dataoff, dptr, datalen);
1357         else
1358                 ret = process_sip_response(skb, dataoff, dptr, datalen);
1359
1360         if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1361                 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
1362                 if (nf_nat_sip && !nf_nat_sip(skb, dataoff, dptr, datalen))
1363                         ret = NF_DROP;
1364         }
1365
1366         return ret;
1367 }
1368
1369 static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1370                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1371 {
1372         struct tcphdr *th, _tcph;
1373         unsigned int dataoff, datalen;
1374         unsigned int matchoff, matchlen, clen;
1375         unsigned int msglen, origlen;
1376         const char *dptr, *end;
1377         s16 diff, tdiff = 0;
1378         int ret;
1379         typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
1380
1381         if (ctinfo != IP_CT_ESTABLISHED &&
1382             ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
1383                 return NF_ACCEPT;
1384
1385         /* No Data ? */
1386         th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
1387         if (th == NULL)
1388                 return NF_ACCEPT;
1389         dataoff = protoff + th->doff * 4;
1390         if (dataoff >= skb->len)
1391                 return NF_ACCEPT;
1392
1393         nf_ct_refresh(ct, skb, sip_timeout * HZ);
1394
1395         if (skb_is_nonlinear(skb)) {
1396                 pr_debug("Copy of skbuff not supported yet.\n");
1397                 return NF_ACCEPT;
1398         }
1399
1400         dptr = skb->data + dataoff;
1401         datalen = skb->len - dataoff;
1402         if (datalen < strlen("SIP/2.0 200"))
1403                 return NF_ACCEPT;
1404
1405         while (1) {
1406                 if (ct_sip_get_header(ct, dptr, 0, datalen,
1407                                       SIP_HDR_CONTENT_LENGTH,
1408                                       &matchoff, &matchlen) <= 0)
1409                         break;
1410
1411                 clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
1412                 if (dptr + matchoff == end)
1413                         break;
1414
1415                 if (end + strlen("\r\n\r\n") > dptr + datalen)
1416                         break;
1417                 if (end[0] != '\r' || end[1] != '\n' ||
1418                     end[2] != '\r' || end[3] != '\n')
1419                         break;
1420                 end += strlen("\r\n\r\n") + clen;
1421
1422                 msglen = origlen = end - dptr;
1423
1424                 ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
1425                 if (ret != NF_ACCEPT)
1426                         break;
1427                 diff     = msglen - origlen;
1428                 tdiff   += diff;
1429
1430                 dataoff += msglen;
1431                 dptr    += msglen;
1432                 datalen  = datalen + diff - msglen;
1433         }
1434
1435         if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1436                 nf_nat_sip_seq_adjust = rcu_dereference(nf_nat_sip_seq_adjust_hook);
1437                 if (nf_nat_sip_seq_adjust)
1438                         nf_nat_sip_seq_adjust(skb, tdiff);
1439         }
1440
1441         return ret;
1442 }
1443
1444 static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
1445                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1446 {
1447         unsigned int dataoff, datalen;
1448         const char *dptr;
1449
1450         /* No Data ? */
1451         dataoff = protoff + sizeof(struct udphdr);
1452         if (dataoff >= skb->len)
1453                 return NF_ACCEPT;
1454
1455         nf_ct_refresh(ct, skb, sip_timeout * HZ);
1456
1457         if (skb_is_nonlinear(skb)) {
1458                 pr_debug("Copy of skbuff not supported yet.\n");
1459                 return NF_ACCEPT;
1460         }
1461
1462         dptr = skb->data + dataoff;
1463         datalen = skb->len - dataoff;
1464         if (datalen < strlen("SIP/2.0 200"))
1465                 return NF_ACCEPT;
1466
1467         return process_sip_msg(skb, ct, dataoff, &dptr, &datalen);
1468 }
1469
1470 static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
1471 static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly;
1472
1473 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
1474         [SIP_EXPECT_SIGNALLING] = {
1475                 .name           = "signalling",
1476                 .max_expected   = 1,
1477                 .timeout        = 3 * 60,
1478         },
1479         [SIP_EXPECT_AUDIO] = {
1480                 .name           = "audio",
1481                 .max_expected   = 2 * IP_CT_DIR_MAX,
1482                 .timeout        = 3 * 60,
1483         },
1484         [SIP_EXPECT_VIDEO] = {
1485                 .name           = "video",
1486                 .max_expected   = 2 * IP_CT_DIR_MAX,
1487                 .timeout        = 3 * 60,
1488         },
1489         [SIP_EXPECT_IMAGE] = {
1490                 .name           = "image",
1491                 .max_expected   = IP_CT_DIR_MAX,
1492                 .timeout        = 3 * 60,
1493         },
1494 };
1495
1496 static void nf_conntrack_sip_fini(void)
1497 {
1498         int i, j;
1499
1500         for (i = 0; i < ports_c; i++) {
1501                 for (j = 0; j < ARRAY_SIZE(sip[i]); j++) {
1502                         if (sip[i][j].me == NULL)
1503                                 continue;
1504                         nf_conntrack_helper_unregister(&sip[i][j]);
1505                 }
1506         }
1507 }
1508
1509 static int __init nf_conntrack_sip_init(void)
1510 {
1511         int i, j, ret;
1512         char *tmpname;
1513
1514         if (ports_c == 0)
1515                 ports[ports_c++] = SIP_PORT;
1516
1517         for (i = 0; i < ports_c; i++) {
1518                 memset(&sip[i], 0, sizeof(sip[i]));
1519
1520                 sip[i][0].tuple.src.l3num = AF_INET;
1521                 sip[i][0].tuple.dst.protonum = IPPROTO_UDP;
1522                 sip[i][0].help = sip_help_udp;
1523                 sip[i][1].tuple.src.l3num = AF_INET;
1524                 sip[i][1].tuple.dst.protonum = IPPROTO_TCP;
1525                 sip[i][1].help = sip_help_tcp;
1526
1527                 sip[i][2].tuple.src.l3num = AF_INET6;
1528                 sip[i][2].tuple.dst.protonum = IPPROTO_UDP;
1529                 sip[i][2].help = sip_help_udp;
1530                 sip[i][3].tuple.src.l3num = AF_INET6;
1531                 sip[i][3].tuple.dst.protonum = IPPROTO_TCP;
1532                 sip[i][3].help = sip_help_tcp;
1533
1534                 for (j = 0; j < ARRAY_SIZE(sip[i]); j++) {
1535                         sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
1536                         sip[i][j].expect_policy = sip_exp_policy;
1537                         sip[i][j].expect_class_max = SIP_EXPECT_MAX;
1538                         sip[i][j].me = THIS_MODULE;
1539
1540                         tmpname = &sip_names[i][j][0];
1541                         if (ports[i] == SIP_PORT)
1542                                 sprintf(tmpname, "sip");
1543                         else
1544                                 sprintf(tmpname, "sip-%u", i);
1545                         sip[i][j].name = tmpname;
1546
1547                         pr_debug("port #%u: %u\n", i, ports[i]);
1548
1549                         ret = nf_conntrack_helper_register(&sip[i][j]);
1550                         if (ret) {
1551                                 printk("nf_ct_sip: failed to register helper "
1552                                        "for pf: %u port: %u\n",
1553                                        sip[i][j].tuple.src.l3num, ports[i]);
1554                                 nf_conntrack_sip_fini();
1555                                 return ret;
1556                         }
1557                 }
1558         }
1559         return 0;
1560 }
1561
1562 module_init(nf_conntrack_sip_init);
1563 module_exit(nf_conntrack_sip_fini);