1 /* SIP extension for IP connection tracking.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_conntrack_ftp.c and other modules.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 #include <linux/module.h>
12 #include <linux/ctype.h>
13 #include <linux/skbuff.h>
14 #include <linux/inet.h>
16 #include <linux/udp.h>
17 #include <linux/netfilter.h>
19 #include <net/netfilter/nf_conntrack.h>
20 #include <net/netfilter/nf_conntrack_core.h>
21 #include <net/netfilter/nf_conntrack_expect.h>
22 #include <net/netfilter/nf_conntrack_helper.h>
23 #include <linux/netfilter/nf_conntrack_sip.h>
25 MODULE_LICENSE("GPL");
26 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
27 MODULE_DESCRIPTION("SIP connection tracking helper");
28 MODULE_ALIAS("ip_conntrack_sip");
31 static unsigned short ports[MAX_PORTS];
32 static unsigned int ports_c;
33 module_param_array(ports, ushort, &ports_c, 0400);
34 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
36 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
37 module_param(sip_timeout, uint, 0600);
38 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
40 static int sip_direct_signalling __read_mostly = 1;
41 module_param(sip_direct_signalling, int, 0600);
42 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
45 static int sip_direct_media __read_mostly = 1;
46 module_param(sip_direct_media, int, 0600);
47 MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
48 "endpoints only (default 1)");
50 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
52 unsigned int *datalen) __read_mostly;
53 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
55 unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
57 unsigned int *datalen,
58 struct nf_conntrack_expect *exp,
59 unsigned int matchoff,
60 unsigned int matchlen) __read_mostly;
61 EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook);
63 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
65 unsigned int *datalen,
66 struct nf_conntrack_expect *exp) __read_mostly;
67 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
69 static int string_len(const struct nf_conn *ct, const char *dptr,
70 const char *limit, int *shift)
74 while (dptr < limit && isalpha(*dptr)) {
81 static int digits_len(const struct nf_conn *ct, const char *dptr,
82 const char *limit, int *shift)
85 while (dptr < limit && isdigit(*dptr)) {
92 static int parse_addr(const struct nf_conn *ct, const char *cp,
93 const char **endp, union nf_inet_addr *addr,
97 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
102 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
105 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
111 if (ret == 0 || end == cp)
118 /* skip ip address. returns its length. */
119 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
120 const char *limit, int *shift)
122 union nf_inet_addr addr;
123 const char *aux = dptr;
125 if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
126 pr_debug("ip: %s parse failed.!\n", dptr);
133 dptr += digits_len(ct, dptr, limit, shift);
138 /* get address length, skiping user info. */
139 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
140 const char *limit, int *shift)
142 const char *start = dptr;
145 /* Search for @, but stop at the end of the line.
146 * We are inside a sip: URI, so we don't need to worry about
147 * continuation lines. */
148 while (dptr < limit &&
149 *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
154 if (dptr < limit && *dptr == '@') {
162 return epaddr_len(ct, dptr, limit, shift);
165 /* Parse a SIP request line of the form:
167 * Request-Line = Method SP Request-URI SP SIP-Version CRLF
169 * and return the offset and length of the address contained in the Request-URI.
171 int ct_sip_parse_request(const struct nf_conn *ct,
172 const char *dptr, unsigned int datalen,
173 unsigned int *matchoff, unsigned int *matchlen,
174 union nf_inet_addr *addr, __be16 *port)
176 const char *start = dptr, *limit = dptr + datalen, *end;
181 /* Skip method and following whitespace */
182 mlen = string_len(ct, dptr, limit, NULL);
190 limit -= strlen("sip:");
191 for (; dptr < limit; dptr++) {
192 if (*dptr == '\r' || *dptr == '\n')
194 if (strnicmp(dptr, "sip:", strlen("sip:")) == 0)
197 if (!skp_epaddr_len(ct, dptr, limit, &shift))
201 if (!parse_addr(ct, dptr, &end, addr, limit))
203 if (end < limit && *end == ':') {
205 p = simple_strtoul(end, (char **)&end, 10);
206 if (p < 1024 || p > 65535)
210 *port = htons(SIP_PORT);
214 *matchoff = dptr - start;
215 *matchlen = end - dptr;
218 EXPORT_SYMBOL_GPL(ct_sip_parse_request);
220 /* SIP header parsing: SIP headers are located at the beginning of a line, but
221 * may span several lines, in which case the continuation lines begin with a
222 * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
223 * CRLF, RFC 3261 allows only CRLF, we support both.
225 * Headers are followed by (optionally) whitespace, a colon, again (optionally)
226 * whitespace and the values. Whitespace in this context means any amount of
227 * tabs, spaces and continuation lines, which are treated as a single whitespace
230 * Some headers may appear multiple times. A comma seperated list of values is
231 * equivalent to multiple headers.
233 static const struct sip_header ct_sip_hdrs[] = {
234 [SIP_HDR_CSEQ] = SIP_HDR("CSeq", NULL, NULL, digits_len),
235 [SIP_HDR_FROM] = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
236 [SIP_HDR_TO] = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
237 [SIP_HDR_CONTACT] = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
238 [SIP_HDR_VIA] = SIP_HDR("Via", "v", "UDP ", epaddr_len),
239 [SIP_HDR_EXPIRES] = SIP_HDR("Expires", NULL, NULL, digits_len),
240 [SIP_HDR_CONTENT_LENGTH] = SIP_HDR("Content-Length", "l", NULL, digits_len),
243 static const char *sip_follow_continuation(const char *dptr, const char *limit)
245 /* Walk past newline */
249 /* Skip '\n' in CR LF */
250 if (*(dptr - 1) == '\r' && *dptr == '\n') {
255 /* Continuation line? */
256 if (*dptr != ' ' && *dptr != '\t')
259 /* skip leading whitespace */
260 for (; dptr < limit; dptr++) {
261 if (*dptr != ' ' && *dptr != '\t')
267 static const char *sip_skip_whitespace(const char *dptr, const char *limit)
269 for (; dptr < limit; dptr++) {
272 if (*dptr != '\r' && *dptr != '\n')
274 dptr = sip_follow_continuation(dptr, limit);
281 /* Search within a SIP header value, dealing with continuation lines */
282 static const char *ct_sip_header_search(const char *dptr, const char *limit,
283 const char *needle, unsigned int len)
285 for (limit -= len; dptr < limit; dptr++) {
286 if (*dptr == '\r' || *dptr == '\n') {
287 dptr = sip_follow_continuation(dptr, limit);
293 if (strnicmp(dptr, needle, len) == 0)
299 int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
300 unsigned int dataoff, unsigned int datalen,
301 enum sip_header_types type,
302 unsigned int *matchoff, unsigned int *matchlen)
304 const struct sip_header *hdr = &ct_sip_hdrs[type];
305 const char *start = dptr, *limit = dptr + datalen;
308 for (dptr += dataoff; dptr < limit; dptr++) {
309 /* Find beginning of line */
310 if (*dptr != '\r' && *dptr != '\n')
314 if (*(dptr - 1) == '\r' && *dptr == '\n') {
319 /* Skip continuation lines */
320 if (*dptr == ' ' || *dptr == '\t')
323 /* Find header. Compact headers must be followed by a
324 * non-alphabetic character to avoid mismatches. */
325 if (limit - dptr >= hdr->len &&
326 strnicmp(dptr, hdr->name, hdr->len) == 0)
328 else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
329 strnicmp(dptr, hdr->cname, hdr->clen) == 0 &&
330 !isalpha(*(dptr + hdr->clen + 1)))
335 /* Find and skip colon */
336 dptr = sip_skip_whitespace(dptr, limit);
339 if (*dptr != ':' || ++dptr >= limit)
342 /* Skip whitespace after colon */
343 dptr = sip_skip_whitespace(dptr, limit);
347 *matchoff = dptr - start;
349 dptr = ct_sip_header_search(dptr, limit, hdr->search,
356 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
359 *matchoff = dptr - start + shift;
364 EXPORT_SYMBOL_GPL(ct_sip_get_header);
366 /* Get next header field in a list of comma seperated values */
367 static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
368 unsigned int dataoff, unsigned int datalen,
369 enum sip_header_types type,
370 unsigned int *matchoff, unsigned int *matchlen)
372 const struct sip_header *hdr = &ct_sip_hdrs[type];
373 const char *start = dptr, *limit = dptr + datalen;
378 dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
382 dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
387 *matchoff = dptr - start;
388 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
395 /* Walk through headers until a parsable one is found or no header of the
396 * given type is left. */
397 static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
398 unsigned int dataoff, unsigned int datalen,
399 enum sip_header_types type, int *in_header,
400 unsigned int *matchoff, unsigned int *matchlen)
404 if (in_header && *in_header) {
406 ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
407 type, matchoff, matchlen);
412 dataoff += *matchoff;
418 ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
419 type, matchoff, matchlen);
424 dataoff += *matchoff;
432 /* Locate a SIP header, parse the URI and return the offset and length of
433 * the address as well as the address and port themselves. A stream of
434 * headers can be parsed by handing in a non-NULL datalen and in_header
437 int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
438 unsigned int *dataoff, unsigned int datalen,
439 enum sip_header_types type, int *in_header,
440 unsigned int *matchoff, unsigned int *matchlen,
441 union nf_inet_addr *addr, __be16 *port)
443 const char *c, *limit = dptr + datalen;
447 ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
448 type, in_header, matchoff, matchlen);
453 if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
457 p = simple_strtoul(c, (char **)&c, 10);
458 if (p < 1024 || p > 65535)
462 *port = htons(SIP_PORT);
468 EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
470 /* Parse address from header parameter and return address, offset and length */
471 int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
472 unsigned int dataoff, unsigned int datalen,
474 unsigned int *matchoff, unsigned int *matchlen,
475 union nf_inet_addr *addr)
477 const char *limit = dptr + datalen;
478 const char *start, *end;
480 limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
482 limit = dptr + datalen;
484 start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
488 start += strlen(name);
489 if (!parse_addr(ct, start, &end, addr, limit))
491 *matchoff = start - dptr;
492 *matchlen = end - start;
495 EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
497 /* Parse numerical header parameter and return value, offset and length */
498 int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
499 unsigned int dataoff, unsigned int datalen,
501 unsigned int *matchoff, unsigned int *matchlen,
504 const char *limit = dptr + datalen;
508 limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
510 limit = dptr + datalen;
512 start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
516 start += strlen(name);
517 *val = simple_strtoul(start, &end, 0);
520 if (matchoff && matchlen) {
521 *matchoff = start - dptr;
522 *matchlen = end - start;
526 EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
528 /* SDP header parsing: a SDP session description contains an ordered set of
529 * headers, starting with a section containing general session parameters,
530 * optionally followed by multiple media descriptions.
532 * SDP headers always start at the beginning of a line. According to RFC 2327:
533 * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
534 * be tolerant and also accept records terminated with a single newline
535 * character". We handle both cases.
537 static const struct sip_header ct_sdp_hdrs[] = {
538 [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
539 [SDP_HDR_OWNER_IP4] = SDP_HDR("o=", "IN IP4 ", epaddr_len),
540 [SDP_HDR_CONNECTION_IP4] = SDP_HDR("c=", "IN IP4 ", epaddr_len),
541 [SDP_HDR_OWNER_IP6] = SDP_HDR("o=", "IN IP6 ", epaddr_len),
542 [SDP_HDR_CONNECTION_IP6] = SDP_HDR("c=", "IN IP6 ", epaddr_len),
543 [SDP_HDR_MEDIA] = SDP_HDR("m=", "audio ", digits_len),
546 /* Linear string search within SDP header values */
547 static const char *ct_sdp_header_search(const char *dptr, const char *limit,
548 const char *needle, unsigned int len)
550 for (limit -= len; dptr < limit; dptr++) {
551 if (*dptr == '\r' || *dptr == '\n')
553 if (strncmp(dptr, needle, len) == 0)
559 /* Locate a SDP header (optionally a substring within the header value),
560 * optionally stopping at the first occurence of the term header, parse
561 * it and return the offset and length of the data we're interested in.
563 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
564 unsigned int dataoff, unsigned int datalen,
565 enum sdp_header_types type,
566 enum sdp_header_types term,
567 unsigned int *matchoff, unsigned int *matchlen)
569 const struct sip_header *hdr = &ct_sdp_hdrs[type];
570 const struct sip_header *thdr = &ct_sdp_hdrs[term];
571 const char *start = dptr, *limit = dptr + datalen;
574 for (dptr += dataoff; dptr < limit; dptr++) {
575 /* Find beginning of line */
576 if (*dptr != '\r' && *dptr != '\n')
580 if (*(dptr - 1) == '\r' && *dptr == '\n') {
585 if (term != SDP_HDR_UNSPEC &&
586 limit - dptr >= thdr->len &&
587 strnicmp(dptr, thdr->name, thdr->len) == 0)
589 else if (limit - dptr >= hdr->len &&
590 strnicmp(dptr, hdr->name, hdr->len) == 0)
595 *matchoff = dptr - start;
597 dptr = ct_sdp_header_search(dptr, limit, hdr->search,
604 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
607 *matchoff = dptr - start + shift;
612 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
614 static int refresh_signalling_expectation(struct nf_conn *ct,
615 union nf_inet_addr *addr,
617 unsigned int expires)
619 struct nf_conn_help *help = nfct_help(ct);
620 struct nf_conntrack_expect *exp;
621 struct hlist_node *n, *next;
624 spin_lock_bh(&nf_conntrack_lock);
625 hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
626 if (exp->class != SIP_EXPECT_SIGNALLING ||
627 !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
628 exp->tuple.dst.u.udp.port != port)
630 if (!del_timer(&exp->timeout))
632 exp->flags &= ~NF_CT_EXPECT_INACTIVE;
633 exp->timeout.expires = jiffies + expires * HZ;
634 add_timer(&exp->timeout);
638 spin_unlock_bh(&nf_conntrack_lock);
642 static void flush_expectations(struct nf_conn *ct, bool media)
644 struct nf_conn_help *help = nfct_help(ct);
645 struct nf_conntrack_expect *exp;
646 struct hlist_node *n, *next;
648 spin_lock_bh(&nf_conntrack_lock);
649 hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
650 if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
652 if (!del_timer(&exp->timeout))
654 nf_ct_unlink_expect(exp);
655 nf_ct_expect_put(exp);
659 spin_unlock_bh(&nf_conntrack_lock);
662 static int set_expected_rtp(struct sk_buff *skb,
663 const char **dptr, unsigned int *datalen,
664 union nf_inet_addr *daddr, __be16 port)
666 struct nf_conntrack_expect *exp;
667 enum ip_conntrack_info ctinfo;
668 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
669 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
670 union nf_inet_addr *saddr;
671 struct nf_conntrack_tuple tuple;
672 int family = ct->tuplehash[!dir].tuple.src.l3num;
673 int skip_expect = 0, ret;
674 typeof(nf_nat_sdp_hook) nf_nat_sdp;
677 if (sip_direct_media) {
678 if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
680 saddr = &ct->tuplehash[!dir].tuple.src.u3;
683 /* We need to check whether the registration exists before attempting
684 * to register it since we can see the same media description multiple
685 * times on different connections in case multiple endpoints receive
688 memset(&tuple, 0, sizeof(tuple));
690 tuple.src.u3 = *saddr;
691 tuple.src.l3num = family;
692 tuple.dst.protonum = IPPROTO_UDP;
693 tuple.dst.u3 = *daddr;
694 tuple.dst.u.udp.port = port;
697 exp = __nf_ct_expect_find(&tuple);
698 if (exp && exp->master != ct &&
699 nfct_help(exp->master)->helper == nfct_help(ct)->helper &&
700 exp->class == SIP_EXPECT_AUDIO)
707 exp = nf_ct_expect_alloc(ct);
710 nf_ct_expect_init(exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
711 IPPROTO_UDP, NULL, &port);
713 nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
714 if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
715 ret = nf_nat_sdp(skb, dptr, datalen, exp);
717 if (nf_ct_expect_related(exp) != 0)
722 nf_ct_expect_put(exp);
727 static int process_sdp(struct sk_buff *skb,
728 const char **dptr, unsigned int *datalen,
731 enum ip_conntrack_info ctinfo;
732 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
733 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
734 unsigned int matchoff, matchlen;
735 union nf_inet_addr addr;
737 enum sdp_header_types type;
739 /* Get address and port from SDP packet. */
740 type = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
741 SDP_HDR_CONNECTION_IP6;
743 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
744 type, SDP_HDR_UNSPEC,
745 &matchoff, &matchlen) <= 0)
748 /* We'll drop only if there are parse problems. */
749 if (!parse_addr(ct, *dptr + matchoff, NULL, &addr, *dptr + *datalen))
752 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
753 SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
754 &matchoff, &matchlen) <= 0)
757 port = simple_strtoul(*dptr + matchoff, NULL, 10);
758 if (port < 1024 || port > 65535)
761 return set_expected_rtp(skb, dptr, datalen, &addr, htons(port));
763 static int process_invite_response(struct sk_buff *skb,
764 const char **dptr, unsigned int *datalen,
765 unsigned int cseq, unsigned int code)
767 enum ip_conntrack_info ctinfo;
768 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
770 if ((code >= 100 && code <= 199) ||
771 (code >= 200 && code <= 299))
772 return process_sdp(skb, dptr, datalen, cseq);
774 flush_expectations(ct, true);
779 static int process_update_response(struct sk_buff *skb,
780 const char **dptr, unsigned int *datalen,
781 unsigned int cseq, unsigned int code)
783 enum ip_conntrack_info ctinfo;
784 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
786 if ((code >= 100 && code <= 199) ||
787 (code >= 200 && code <= 299))
788 return process_sdp(skb, dptr, datalen, cseq);
790 flush_expectations(ct, true);
795 static int process_prack_response(struct sk_buff *skb,
796 const char **dptr, unsigned int *datalen,
797 unsigned int cseq, unsigned int code)
799 enum ip_conntrack_info ctinfo;
800 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
802 if ((code >= 100 && code <= 199) ||
803 (code >= 200 && code <= 299))
804 return process_sdp(skb, dptr, datalen, cseq);
806 flush_expectations(ct, true);
811 static int process_bye_request(struct sk_buff *skb,
812 const char **dptr, unsigned int *datalen,
815 enum ip_conntrack_info ctinfo;
816 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
818 flush_expectations(ct, true);
822 /* Parse a REGISTER request and create a permanent expectation for incoming
823 * signalling connections. The expectation is marked inactive and is activated
824 * when receiving a response indicating success from the registrar.
826 static int process_register_request(struct sk_buff *skb,
827 const char **dptr, unsigned int *datalen,
830 enum ip_conntrack_info ctinfo;
831 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
832 struct nf_conn_help *help = nfct_help(ct);
833 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
834 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
835 unsigned int matchoff, matchlen;
836 struct nf_conntrack_expect *exp;
837 union nf_inet_addr *saddr, daddr;
839 unsigned int expires = 0;
841 typeof(nf_nat_sip_expect_hook) nf_nat_sip_expect;
843 /* Expected connections can not register again. */
844 if (ct->status & IPS_EXPECTED)
847 /* We must check the expiration time: a value of zero signals the
848 * registrar to release the binding. We'll remove our expectation
849 * when receiving the new bindings in the response, but we don't
850 * want to create new ones.
852 * The expiration time may be contained in Expires: header, the
853 * Contact: header parameters or the URI parameters.
855 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
856 &matchoff, &matchlen) > 0)
857 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
859 ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
860 SIP_HDR_CONTACT, NULL,
861 &matchoff, &matchlen, &daddr, &port);
867 /* We don't support third-party registrations */
868 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
871 if (ct_sip_parse_numerical_param(ct, *dptr,
872 matchoff + matchlen, *datalen,
873 "expires=", NULL, NULL, &expires) < 0)
881 exp = nf_ct_expect_alloc(ct);
886 if (sip_direct_signalling)
887 saddr = &ct->tuplehash[!dir].tuple.src.u3;
889 nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, family, saddr, &daddr,
890 IPPROTO_UDP, NULL, &port);
891 exp->timeout.expires = sip_timeout * HZ;
892 exp->helper = nfct_help(ct)->helper;
893 exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
895 nf_nat_sip_expect = rcu_dereference(nf_nat_sip_expect_hook);
896 if (nf_nat_sip_expect && ct->status & IPS_NAT_MASK)
897 ret = nf_nat_sip_expect(skb, dptr, datalen, exp,
900 if (nf_ct_expect_related(exp) != 0)
905 nf_ct_expect_put(exp);
908 if (ret == NF_ACCEPT)
909 help->help.ct_sip_info.register_cseq = cseq;
913 static int process_register_response(struct sk_buff *skb,
914 const char **dptr, unsigned int *datalen,
915 unsigned int cseq, unsigned int code)
917 enum ip_conntrack_info ctinfo;
918 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
919 struct nf_conn_help *help = nfct_help(ct);
920 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
921 union nf_inet_addr addr;
923 unsigned int matchoff, matchlen, dataoff = 0;
924 unsigned int expires = 0;
925 int in_contact = 0, ret;
927 /* According to RFC 3261, "UAs MUST NOT send a new registration until
928 * they have received a final response from the registrar for the
929 * previous one or the previous REGISTER request has timed out".
931 * However, some servers fail to detect retransmissions and send late
932 * responses, so we store the sequence number of the last valid
933 * request and compare it here.
935 if (help->help.ct_sip_info.register_cseq != cseq)
938 if (code >= 100 && code <= 199)
940 if (code < 200 || code > 299)
943 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
944 &matchoff, &matchlen) > 0)
945 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
948 unsigned int c_expires = expires;
950 ret = ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
951 SIP_HDR_CONTACT, &in_contact,
952 &matchoff, &matchlen,
959 /* We don't support third-party registrations */
960 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
963 ret = ct_sip_parse_numerical_param(ct, *dptr,
965 *datalen, "expires=",
966 NULL, NULL, &c_expires);
971 if (refresh_signalling_expectation(ct, &addr, port, c_expires))
976 flush_expectations(ct, false);
980 static const struct sip_handler sip_handlers[] = {
981 SIP_HANDLER("INVITE", process_sdp, process_invite_response),
982 SIP_HANDLER("UPDATE", process_sdp, process_update_response),
983 SIP_HANDLER("ACK", process_sdp, NULL),
984 SIP_HANDLER("PRACK", process_sdp, process_prack_response),
985 SIP_HANDLER("BYE", process_bye_request, NULL),
986 SIP_HANDLER("REGISTER", process_register_request, process_register_response),
989 static int process_sip_response(struct sk_buff *skb,
990 const char **dptr, unsigned int *datalen)
992 static const struct sip_handler *handler;
993 enum ip_conntrack_info ctinfo;
994 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
995 unsigned int matchoff, matchlen;
996 unsigned int code, cseq, dataoff, i;
998 if (*datalen < strlen("SIP/2.0 200"))
1000 code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1004 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1005 &matchoff, &matchlen) <= 0)
1007 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1010 dataoff = matchoff + matchlen + 1;
1012 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1013 handler = &sip_handlers[i];
1014 if (handler->response == NULL)
1016 if (*datalen < dataoff + handler->len ||
1017 strnicmp(*dptr + dataoff, handler->method, handler->len))
1019 return handler->response(skb, dptr, datalen, cseq, code);
1024 static int process_sip_request(struct sk_buff *skb,
1025 const char **dptr, unsigned int *datalen)
1027 static const struct sip_handler *handler;
1028 enum ip_conntrack_info ctinfo;
1029 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1030 unsigned int matchoff, matchlen;
1031 unsigned int cseq, i;
1033 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1034 handler = &sip_handlers[i];
1035 if (handler->request == NULL)
1037 if (*datalen < handler->len ||
1038 strnicmp(*dptr, handler->method, handler->len))
1041 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1042 &matchoff, &matchlen) <= 0)
1044 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1048 return handler->request(skb, dptr, datalen, cseq);
1053 static int sip_help(struct sk_buff *skb,
1054 unsigned int protoff,
1056 enum ip_conntrack_info ctinfo)
1058 unsigned int dataoff, datalen;
1061 typeof(nf_nat_sip_hook) nf_nat_sip;
1064 dataoff = protoff + sizeof(struct udphdr);
1065 if (dataoff >= skb->len)
1068 nf_ct_refresh(ct, skb, sip_timeout * HZ);
1070 if (!skb_is_nonlinear(skb))
1071 dptr = skb->data + dataoff;
1073 pr_debug("Copy of skbuff not supported yet.\n");
1077 datalen = skb->len - dataoff;
1078 if (datalen < strlen("SIP/2.0 200"))
1081 if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
1082 ret = process_sip_request(skb, &dptr, &datalen);
1084 ret = process_sip_response(skb, &dptr, &datalen);
1086 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1087 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
1088 if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen))
1095 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
1096 static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
1098 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
1099 [SIP_EXPECT_SIGNALLING] = {
1103 [SIP_EXPECT_AUDIO] = {
1104 .max_expected = IP_CT_DIR_MAX,
1109 static void nf_conntrack_sip_fini(void)
1113 for (i = 0; i < ports_c; i++) {
1114 for (j = 0; j < 2; j++) {
1115 if (sip[i][j].me == NULL)
1117 nf_conntrack_helper_unregister(&sip[i][j]);
1122 static int __init nf_conntrack_sip_init(void)
1128 ports[ports_c++] = SIP_PORT;
1130 for (i = 0; i < ports_c; i++) {
1131 memset(&sip[i], 0, sizeof(sip[i]));
1133 sip[i][0].tuple.src.l3num = AF_INET;
1134 sip[i][1].tuple.src.l3num = AF_INET6;
1135 for (j = 0; j < 2; j++) {
1136 sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
1137 sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
1138 sip[i][j].expect_policy = sip_exp_policy;
1139 sip[i][j].expect_class_max = SIP_EXPECT_MAX;
1140 sip[i][j].me = THIS_MODULE;
1141 sip[i][j].help = sip_help;
1143 tmpname = &sip_names[i][j][0];
1144 if (ports[i] == SIP_PORT)
1145 sprintf(tmpname, "sip");
1147 sprintf(tmpname, "sip-%u", i);
1148 sip[i][j].name = tmpname;
1150 pr_debug("port #%u: %u\n", i, ports[i]);
1152 ret = nf_conntrack_helper_register(&sip[i][j]);
1154 printk("nf_ct_sip: failed to register helper "
1155 "for pf: %u port: %u\n",
1156 sip[i][j].tuple.src.l3num, ports[i]);
1157 nf_conntrack_sip_fini();
1165 module_init(nf_conntrack_sip_init);
1166 module_exit(nf_conntrack_sip_fini);