1 | /* SIP extension for IP connection tracking. |
2 | * | |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | |
4 | * based on RR's ip_conntrack_ftp.c and other modules. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <linux/module.h> | |
12 | #include <linux/ctype.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/inet.h> | |
15 | #include <linux/in.h> | |
16 | #include <linux/udp.h> | |
17 | ||
18 | #include <net/netfilter/nf_conntrack.h> | |
19 | #include <net/netfilter/nf_conntrack_expect.h> | |
20 | #include <net/netfilter/nf_conntrack_helper.h> | |
21 | #include <linux/netfilter/nf_conntrack_sip.h> | |
22 | ||
/* Debug tracing is compiled out (#if 0): DEBUGP(...) expands to nothing, so
 * its arguments are never evaluated.  Flip the #if to 1 to get printk output. */
#if 0
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP connection tracking helper");
MODULE_ALIAS("ip_conntrack_sip");

/* "ports=" module parameter: up to MAX_PORTS UDP ports to attach the helper
 * to; ports_c is filled in with how many were given (read-only in sysfs, 0400). */
#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
static int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of SIP servers");

/* Seconds the master SIP conntrack entry is refreshed to on every packet
 * seen by sip_help(); writable via sysfs (0600). */
static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
module_param(sip_timeout, uint, 0600);
MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
43 | ||
/* NAT hand-off points.  Both pointers are NULL unless a NAT module assigns
 * them (presumably the SIP NAT helper); they are read with rcu_dereference()
 * in sip_help() and set_expected_rtp() and only called when the connection
 * has IPS_NAT_MASK set.  nf_nat_sip_hook may replace *dptr with a pointer to
 * the rewritten payload. */
unsigned int (*nf_nat_sip_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct nf_conn *ct,
				const char **dptr) __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_sip_hook);

/* Called with the RTP expectation instead of nf_conntrack_expect_related()
 * when NAT is active on the connection; the hook's return value becomes the
 * verdict of set_expected_rtp(). */
unsigned int (*nf_nat_sdp_hook)(struct sk_buff **pskb,
				enum ip_conntrack_info ctinfo,
				struct nf_conntrack_expect *exp,
				const char *dptr) __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
55 | ||
/* Field-length callbacks referenced by the ct_sip_hdrs[] table below.
 * Each returns the length of the field at dptr (0 if nothing parseable),
 * scanning no further than limit (inclusive), and may add to *shift the
 * number of bytes it skipped before the field started. */
static int digits_len(struct nf_conn *, const char *, const char *, int *);
static int epaddr_len(struct nf_conn *, const char *, const char *, int *);
static int skp_digits_len(struct nf_conn *, const char *, const char *, int *);
static int skp_epaddr_len(struct nf_conn *, const char *, const char *, int *);

/* How to locate one header (or SDP line) and the field of interest inside it.
 * Consumed by ct_sip_get_info(): the header is found by matching lname or
 * sname at a line start, then ln_str is searched for within that line and
 * match_len measures what follows it. */
struct sip_header_nfo {
	const char *lname;	/* long header name, e.g. "From:" */
	const char *sname;	/* compact form incl. preceding CRLF, e.g. "\r\nf:"; NULL when none */
	const char *ln_str;	/* token that introduces the field, e.g. "sip:" */
	size_t lnlen;		/* strlen(lname) */
	size_t snlen;		/* strlen(sname); 0 when sname is NULL */
	size_t ln_strlen;	/* strlen(ln_str) */
	int case_sensitive;	/* non-zero: search ln_str case-sensitively (set on the SDP entries) */
	int (*match_len)(struct nf_conn *, const char *,
			 const char *, int *);	/* see callback contract above */
};
72 | ||
/* Per-position lookup table indexed by enum sip_header_pos.
 *
 * Header names (lname/sname) are compared with strncmp(), i.e. case-sensitively,
 * and sname carries the CRLF so the compact form only matches at a line start.
 * Note that the two request-URI entries have no sname, so their snlen is 0;
 * see ct_sip_get_info() for what that means to the matching loop. */
static const struct sip_header_nfo ct_sip_hdrs[] = {
	[POS_REG_REQ_URI] = { /* SIP REGISTER request URI: host[:port] after the ':' */
		.lname		= "sip:",
		.lnlen		= sizeof("sip:") - 1,
		.ln_str		= ":",
		.ln_strlen	= sizeof(":") - 1,
		.match_len	= epaddr_len,
	},
	[POS_REQ_URI] = { /* SIP request URI: host[:port] after the '@' */
		.lname		= "sip:",
		.lnlen		= sizeof("sip:") - 1,
		.ln_str		= "@",
		.ln_strlen	= sizeof("@") - 1,
		.match_len	= epaddr_len,
	},
	[POS_FROM] = { /* SIP From header */
		.lname		= "From:",
		.lnlen		= sizeof("From:") - 1,
		.sname		= "\r\nf:",
		.snlen		= sizeof("\r\nf:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len,	/* skips "user@" first */
	},
	[POS_TO] = { /* SIP To header */
		.lname		= "To:",
		.lnlen		= sizeof("To:") - 1,
		.sname		= "\r\nt:",
		.snlen		= sizeof("\r\nt:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len
	},
	[POS_VIA] = { /* SIP Via header */
		.lname		= "Via:",
		.lnlen		= sizeof("Via:") - 1,
		.sname		= "\r\nv:",
		.snlen		= sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
		.ln_str		= "UDP ",
		.ln_strlen	= sizeof("UDP ") - 1,
		.match_len	= epaddr_len,
	},
	[POS_CONTACT] = { /* SIP Contact header */
		.lname		= "Contact:",
		.lnlen		= sizeof("Contact:") - 1,
		.sname		= "\r\nm:",
		.snlen		= sizeof("\r\nm:") - 1,
		.ln_str		= "sip:",
		.ln_strlen	= sizeof("sip:") - 1,
		.match_len	= skp_epaddr_len
	},
	[POS_CONTENT] = { /* SIP Content length header: digits after ':' and blanks */
		.lname		= "Content-Length:",
		.lnlen		= sizeof("Content-Length:") - 1,
		.sname		= "\r\nl:",
		.snlen		= sizeof("\r\nl:") - 1,
		.ln_str		= ":",
		.ln_strlen	= sizeof(":") - 1,
		.match_len	= skp_digits_len
	},
	/* SDP lines: "\n" and "\r" variants cover CRLF and bare-CR line endings. */
	[POS_MEDIA] = { /* SDP media info: the port number after "audio " */
		.case_sensitive	= 1,
		.lname		= "\nm=",
		.lnlen		= sizeof("\nm=") - 1,
		.sname		= "\rm=",
		.snlen		= sizeof("\rm=") - 1,
		.ln_str		= "audio ",
		.ln_strlen	= sizeof("audio ") - 1,
		.match_len	= digits_len
	},
	[POS_OWNER_IP4] = { /* SDP owner address*/
		.case_sensitive	= 1,
		.lname		= "\no=",
		.lnlen		= sizeof("\no=") - 1,
		.sname		= "\ro=",
		.snlen		= sizeof("\ro=") - 1,
		.ln_str		= "IN IP4 ",
		.ln_strlen	= sizeof("IN IP4 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_CONNECTION_IP4] = {/* SDP connection info */
		.case_sensitive	= 1,
		.lname		= "\nc=",
		.lnlen		= sizeof("\nc=") - 1,
		.sname		= "\rc=",
		.snlen		= sizeof("\rc=") - 1,
		.ln_str		= "IN IP4 ",
		.ln_strlen	= sizeof("IN IP4 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_OWNER_IP6] = { /* SDP owner address*/
		.case_sensitive	= 1,
		.lname		= "\no=",
		.lnlen		= sizeof("\no=") - 1,
		.sname		= "\ro=",
		.snlen		= sizeof("\ro=") - 1,
		.ln_str		= "IN IP6 ",
		.ln_strlen	= sizeof("IN IP6 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_CONNECTION_IP6] = {/* SDP connection info */
		.case_sensitive	= 1,
		.lname		= "\nc=",
		.lnlen		= sizeof("\nc=") - 1,
		.sname		= "\rc=",
		.snlen		= sizeof("\rc=") - 1,
		.ln_str		= "IN IP6 ",
		.ln_strlen	= sizeof("IN IP6 ") - 1,
		.match_len	= epaddr_len
	},
	[POS_SDP_HEADER] = { /* SDP version header */
		.case_sensitive	= 1,
		.lname		= "\nv=",
		.lnlen		= sizeof("\nv=") - 1,
		.sname		= "\rv=",
		.snlen		= sizeof("\rv=") - 1,
		.ln_str		= "=",
		.ln_strlen	= sizeof("=") - 1,
		.match_len	= digits_len
	}
};
194 | ||
/* Length of the line starting at @line, scanning no further than @limit
 * (inclusive).  Any CR/LF bytes the line begins with are stepped over and
 * counted, then the count runs up to (not including) the next CR or LF, or
 * to limit + 1 if none is found. */
int ct_sip_lnlen(const char *line, const char *limit)
{
	const char *p = line;

	/* leading line terminators belong to the returned length */
	for (; p <= limit; p++) {
		if (*p != '\r' && *p != '\n')
			break;
	}
	/* now walk to the end of this line */
	for (; p <= limit; p++) {
		if (*p == '\r' || *p == '\n')
			break;
	}
	return p - line;
}
210 | EXPORT_SYMBOL_GPL(ct_sip_lnlen); | |
211 | ||
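/* Linear search for @needle (needle_len bytes) inside @haystack
 * (haystack_len bytes), case sensitive when @case_sensitive is non-zero and
 * case insensitive otherwise.  Neither buffer needs to be NUL-terminated.
 *
 * Returns a pointer to the first occurrence, or NULL if there is none
 * (including when the needle is longer than the haystack).
 */
const char *ct_sip_search(const char *needle, const char *haystack,
			  size_t needle_len, size_t haystack_len,
			  int case_sensitive)
{
	const char *limit;

	/* haystack_len - needle_len is unsigned: a needle longer than the
	 * haystack would wrap it and push limit far beyond the buffer.  The
	 * caller hands us single lines of packet data that can be shorter
	 * than the token it looks for (e.g. a bare "m=" line vs "audio "). */
	if (needle_len > haystack_len)
		return NULL;

	limit = haystack + (haystack_len - needle_len);
	for (; haystack <= limit; haystack++) {
		int diff = case_sensitive ?
			   strncmp(haystack, needle, needle_len) :
			   strnicmp(haystack, needle, needle_len);

		if (diff == 0)
			return haystack;
	}
	return NULL;
}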
231 | EXPORT_SYMBOL_GPL(ct_sip_search); | |
232 | ||
/* Number of consecutive ASCII digits at @dptr, scanning no further than
 * @limit (inclusive).  @ct and @shift are unused; they are part of the
 * common match_len callback signature. */
static int digits_len(struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	const char *p = dptr;

	for (; p <= limit && isdigit(*p); p++)
		;
	return p - dptr;
}
243 | ||
/* Length of the digit run at @dptr after stepping over leading spaces.
 * Every space skipped is added to *shift so the caller can offset past it;
 * the digit count itself comes from digits_len(). */
static int skp_digits_len(struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	while (dptr <= limit && *dptr == ' ') {
		(*shift)++;
		dptr++;
	}
	return digits_len(ct, dptr, limit, shift);
}
253 | ||
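/* Parse the textual IP address at @cp, reading at most limit - cp bytes, as
 * IPv4 or IPv6 according to the L3 family of the connection's original
 * direction.
 *
 * On success stores the address in *addr, the first byte after it in *endp
 * (when endp is non-NULL) and returns 1.  Returns 0 when nothing could be
 * parsed, including when cp lies beyond limit.
 *
 * NOTE(review): callers are not consistent about limit — ct_sip_get_info()
 * passes an inclusive scan bound, sip_help() passes one past the payload;
 * this function treats it as exclusive either way.
 */
static int parse_addr(struct nf_conn *ct, const char *cp, const char **endp,
		      union nf_conntrack_address *addr, const char *limit)
{
	const char *end = cp;
	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
	int ret = 0;

	/* The field search in ct_sip_get_info() can yield a pointer one byte
	 * past its limit; limit - cp would then be negative and hand the
	 * parser a bogus length.  Nothing to parse in that case. */
	if (cp > limit)
		return 0;

	switch (family) {
	case AF_INET:
		ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
		break;
	case AF_INET6:
		ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
		break;
	default:
		BUG();	/* helpers are only registered for AF_INET/AF_INET6 */
	}

	if (ret == 0 || end == cp)
		return 0;
	if (endp)
		*endp = end;
	return 1;
}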
278 | ||
/* Length of an "address[:port]" endpoint at @dptr, bounded by @limit.
 * Returns 0 when no address can be parsed there.  @shift is only handed on
 * to digits_len(), which does not touch it. */
static int epaddr_len(struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	union nf_conntrack_address addr;
	const char *start = dptr;
	const char *p;

	if (!parse_addr(ct, dptr, &p, &addr, limit)) {
		/* Compiled out today (see DEBUGP); if enabled, note that dptr is
		 * raw packet data and not guaranteed NUL-terminated, so "%s"
		 * would read beyond the payload. */
		DEBUGP("ip: %s parse failed.!\n", dptr);
		return 0;
	}

	/* optional ":port" suffix */
	if (*p == ':') {
		p++;
		p += digits_len(ct, p, limit, shift);
	}
	return p - start;
}
298 | ||
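/* Length of the endpoint in a SIP URI at @dptr after skipping the optional
 * user-info part ("user@").  The bytes skipped are added to *shift so the
 * caller can offset to the address.  If the current line holds no '@', the
 * address is taken to start at @dptr itself and *shift is left unchanged.
 * Returns 0 when no address can be parsed.
 */
static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	const char *start = dptr;
	int saved_shift = *shift;

	/* Look for '@' on this line only: scanning up to limit would let an
	 * '@' in a later header (e.g. To: after From:) be mistaken for ours. */
	while (dptr <= limit &&
	       *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
		(*shift)++;
		dptr++;
	}

	/* dptr may be limit + 1 here; do not dereference it unguarded. */
	if (dptr <= limit && *dptr == '@') {
		dptr++;
		(*shift)++;
	} else {
		/* No user info: undo the scan and parse from where we began. */
		dptr = start;
		*shift = saved_shift;
	}

	return epaddr_len(ct, dptr, limit, shift);
}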
316 | ||
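/* Find the header/line selected by @pos in the @dlen bytes at @dptr and
 * locate the field of interest inside it.
 *
 * On a match *matchoff is the field's offset from @dptr and *matchlen its
 * length, and 1 is returned.  Returns 0 if the header is not present and -1
 * if it is present but its field could not be parsed.
 */
int ct_sip_get_info(struct nf_conn *ct,
		    const char *dptr, size_t dlen,
		    unsigned int *matchoff,
		    unsigned int *matchlen,
		    enum sip_header_pos pos)
{
	const struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
	const char *start = dptr;
	const char *limit, *aux;
	size_t hdrlen;
	int shift = 0;

	/* Both name forms are compared at every candidate position, so bound
	 * the scan by the longer one (for POS_TO the compact "\r\nt:" is a
	 * byte longer than "To:") and refuse a message shorter than it: the
	 * size_t subtraction below would otherwise wrap. */
	hdrlen = hnfo->snlen > hnfo->lnlen ? hnfo->snlen : hnfo->lnlen;
	if (dlen < hdrlen)
		return 0;
	limit = dptr + (dlen - hdrlen);

	for (; dptr <= limit; dptr++) {
		/* The two request-URI entries have no sname (NULL, snlen 0).
		 * strncmp() with a zero count reports "equal" in practice, so
		 * for them this test passes at every byte and the line search
		 * below runs from each position; they appear to rely on that,
		 * since their "sip:" is not at a line start.  Left as is. */
		if (strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0 &&
		    strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)
			continue;

		/* Search for the field introducer within this line only. */
		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
				    ct_sip_lnlen(dptr, limit),
				    hnfo->case_sensitive);
		if (!aux) {
			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
			       hnfo->lname);
			return -1;
		}
		aux += hnfo->ln_strlen;

		/* match_len may step over blanks or user info before the field
		 * proper; shift collects how far, so matchoff can include it. */
		*matchlen = hnfo->match_len(ct, aux, limit, &shift);
		if (!*matchlen)
			return -1;

		*matchoff = (aux - start) + shift;

		DEBUGP("%s match succeeded! - len: %u\n", hnfo->lname,
		       *matchlen);
		return 1;
	}
	DEBUGP("%s header not found.\n", hnfo->lname);
	return 0;
}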
359 | EXPORT_SYMBOL_GPL(ct_sip_get_info); | |
360 | ||
/* Register an expectation for the RTP flow announced in the SDP body:
 * UDP from the reply side's source address to @addr/@port.  With NAT active
 * the expectation is handed to nf_nat_sdp_hook instead and its verdict is
 * returned.  Returns NF_ACCEPT or NF_DROP.
 *
 * NOTE(review): the NULL/&port pair passed to nf_conntrack_expect_init()
 * looks like "any source port, fixed destination port" — confirm against
 * that function's signature before relying on it. */
static int set_expected_rtp(struct sk_buff **pskb,
			    struct nf_conn *ct,
			    enum ip_conntrack_info ctinfo,
			    union nf_conntrack_address *addr,
			    __be16 port,
			    const char *dptr)
{
	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
	int family = ct->tuplehash[!dir].tuple.src.l3num;
	struct nf_conntrack_expect *exp;
	typeof(nf_nat_sdp_hook) nf_nat_sdp;
	int verdict = NF_ACCEPT;

	exp = nf_conntrack_expect_alloc(ct);
	if (!exp)
		return NF_DROP;

	nf_conntrack_expect_init(exp, family,
				 &ct->tuplehash[!dir].tuple.src.u3, addr,
				 IPPROTO_UDP, NULL, &port);

	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
	if (nf_nat_sdp && (ct->status & IPS_NAT_MASK))
		verdict = nf_nat_sdp(pskb, ctinfo, exp, dptr);
	else if (nf_conntrack_expect_related(exp) != 0)
		verdict = NF_DROP;

	/* drop the reference taken by nf_conntrack_expect_alloc() on every path */
	nf_conntrack_expect_put(exp);
	return verdict;
}
394 | ||
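/* Conntrack helper entry point for SIP over UDP.
 *
 * Refreshes the master connection's timeout, lets the NAT hook rewrite the
 * payload when NAT is active, and for INVITE requests and "200" responses
 * extracts the SDP connection address and audio port to expect the RTP
 * flow.  Returns NF_ACCEPT, or NF_DROP when the NAT hook fails or the SDP
 * fields are present but unparseable.
 *
 * Only linear skbs are handled; non-linear ones are accepted untouched.
 */
static int sip_help(struct sk_buff **pskb,
		    unsigned int protoff,
		    struct nf_conn *ct,
		    enum ip_conntrack_info ctinfo)
{
	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
	union nf_conntrack_address addr;
	unsigned int dataoff, datalen;
	const char *dptr;
	int ret = NF_ACCEPT;
	/* unsigned: ct_sip_get_info() writes through unsigned int pointers */
	unsigned int matchoff, matchlen;
	unsigned long port;
	unsigned int i;
	enum sip_header_pos pos;
	typeof(nf_nat_sip_hook) nf_nat_sip;

	/* No Data ? */
	dataoff = protoff + sizeof(struct udphdr);
	if (dataoff >= (*pskb)->len)
		return NF_ACCEPT;

	nf_ct_refresh(ct, *pskb, sip_timeout * HZ);

	if (!skb_is_nonlinear(*pskb))
		dptr = (*pskb)->data + dataoff;
	else {
		DEBUGP("Copy of skbuff not supported yet.\n");
		goto out;
	}

	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
	if (nf_nat_sip && (ct->status & IPS_NAT_MASK)) {
		if (!nf_nat_sip(pskb, ctinfo, ct, &dptr)) {
			ret = NF_DROP;
			goto out;
		}
	}

	/* recomputed here because the NAT hook may have changed the skb */
	datalen = (*pskb)->len - dataoff;
	if (datalen < sizeof("SIP/2.0 200") - 1)
		goto out;

	/* RTP info only in some SDP pkts */
	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0)
		goto out;

	/* Get address and port from SDP packet. */
	pos = family == AF_INET ? POS_CONNECTION_IP4 : POS_CONNECTION_IP6;
	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, pos) <= 0)
		goto out;

	/* We'll drop only if there are parse problems. */
	if (!parse_addr(ct, dptr + matchoff, NULL, &addr, dptr + datalen)) {
		ret = NF_DROP;
		goto out;
	}

	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
			    POS_MEDIA) <= 0)
		goto out;

	/* POS_MEDIA measures its field with digits_len(), so exactly matchlen
	 * digits sit at matchoff.  Convert just those: simple_strtoul() would
	 * keep reading until the first non-digit, which for a payload that
	 * ends in digits lies past the data.  Stop accumulating once the
	 * value is already out of range so it cannot overflow. */
	port = 0;
	for (i = 0; i < matchlen && port <= 0xffff; i++)
		port = port * 10 + (unsigned long)(dptr[matchoff + i] - '0');

	/* Privileged ports and values that do not fit in 16 bits are treated
	 * as parse problems rather than silently truncated. */
	if (port < 1024 || port > 0xffff) {
		ret = NF_DROP;
		goto out;
	}
	ret = set_expected_rtp(pskb, ct, ctinfo, &addr,
			       htons((u_int16_t)port), dptr);
out:
	return ret;
}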
466 | ||
/* One helper per configured port and address family ([i][0] = AF_INET,
 * [i][1] = AF_INET6), filled in by nf_conntrack_sip_init().  sip_names holds
 * the helper names they point at; the buffer is sized for "sip-<port>". */
static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
469 | ||
/* Unregister every helper that was set up.  A slot whose .me is NULL was
 * never initialised and is skipped, which also makes this usable as the
 * error-path cleanup of nf_conntrack_sip_init(). */
static void nf_conntrack_sip_fini(void)
{
	int port_idx, af_idx;

	for (port_idx = 0; port_idx < ports_c; port_idx++) {
		for (af_idx = 0; af_idx < 2; af_idx++) {
			struct nf_conntrack_helper *h = &sip[port_idx][af_idx];

			if (h->me != NULL)
				nf_conntrack_helper_unregister(h);
		}
	}
}
482 | ||
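/* Module init: register an IPv4 and an IPv6 helper for each configured UDP
 * port (SIP_PORT when none was given).  On a registration failure every
 * helper registered so far is torn down again and the error is returned.
 */
static int __init nf_conntrack_sip_init(void)
{
	int i, j, ret;
	char *tmpname;

	if (ports_c == 0)
		ports[ports_c++] = SIP_PORT;

	for (i = 0; i < ports_c; i++) {
		memset(&sip[i], 0, sizeof(sip[i]));

		sip[i][0].tuple.src.l3num = AF_INET;
		sip[i][1].tuple.src.l3num = AF_INET6;
		for (j = 0; j < 2; j++) {
			sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
			sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
			sip[i][j].mask.src.l3num = 0xFFFF;
			sip[i][j].mask.src.u.udp.port = htons(0xFFFF);
			sip[i][j].mask.dst.protonum = 0xFF;
			sip[i][j].max_expected = 2;
			sip[i][j].timeout = 3 * 60; /* 3 minutes */
			sip[i][j].me = THIS_MODULE;
			sip[i][j].help = sip_help;

			/* Name is "sip" for the default port, otherwise
			 * "sip-<index>" (note: the array index, not the port,
			 * although the buffer is sized for a port number).
			 * Bounded by the buffer so a future change cannot
			 * overrun it. */
			tmpname = &sip_names[i][j][0];
			if (ports[i] == SIP_PORT)
				snprintf(tmpname, sizeof(sip_names[i][j]), "sip");
			else
				snprintf(tmpname, sizeof(sip_names[i][j]),
					 "sip-%u", i);
			sip[i][j].name = tmpname;

			DEBUGP("port #%u: %u\n", i, ports[i]);

			ret = nf_conntrack_helper_register(&sip[i][j]);
			if (ret) {
				printk("nf_ct_sip: failed to register helper "
				       "for pf: %u port: %u\n",
				       sip[i][j].tuple.src.l3num, ports[i]);
				/* This slot was never registered, but .me is
				 * already set and nf_conntrack_sip_fini() keys
				 * on it; clear it so the cleanup does not
				 * unregister a helper that was never added. */
				sip[i][j].me = NULL;
				nf_conntrack_sip_fini();
				return ret;
			}
		}
	}
	return 0;
}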
528 | ||
/* nf_conntrack_sip_fini() doubles as the init error-path cleanup above. */
module_init(nf_conntrack_sip_init);
module_exit(nf_conntrack_sip_fini);