net/ipv4/netfilter/ip_nat_helper_h323.c

   1 /*
   2  * H.323 extension for NAT alteration.
   3  *
   4  * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
   5  *
   6  * This source code is licensed under General Public License version 2.
   7  *
   8  * Based on the 'brute force' H.323 NAT module by
   9  * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  10  */
  11
  12 #include <linux/module.h>
  13 #include <linux/netfilter_ipv4.h>
  14 #include <linux/netfilter.h>
  15 #include <linux/ip.h>
  16 #include <linux/tcp.h>
  17 #include <linux/moduleparam.h>
  18 #include <net/tcp.h>
  19 #include <linux/netfilter_ipv4/ip_nat.h>
  20 #include <linux/netfilter_ipv4/ip_nat_helper.h>
  21 #include <linux/netfilter_ipv4/ip_nat_rule.h>
  22 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
  23 #include <linux/netfilter_ipv4/ip_conntrack_h323.h>
  24 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
  25
  26 #if 0
  27 #define DEBUGP printk
  28 #else
  29 #define DEBUGP(format, args...)
  30 #endif
  31
  32 /****************************************************************************/
  33 static int set_addr(struct sk_buff **pskb,
  34                     unsigned char **data, int dataoff,
  35                     unsigned int addroff, u_int32_t ip, u_int16_t port)
  36 {
  37         enum ip_conntrack_info ctinfo;
  38         struct ip_conntrack *ct = ip_conntrack_get(*pskb, &ctinfo);
  39         struct {
  40                 u_int32_t ip;
  41                 u_int16_t port;
  42         } __attribute__ ((__packed__)) buf;
  43         struct tcphdr _tcph, *th;
  44
  45         buf.ip = ip;
  46         buf.port = htons(port);
  47         addroff += dataoff;
  48
  49         if ((*pskb)->nh.iph->protocol == IPPROTO_TCP) {
  50                 if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
  51                                               addroff, sizeof(buf),
  52                                               (char *) &buf, sizeof(buf))) {
  53                         if (net_ratelimit())
  54                                 printk("ip_nat_h323: ip_nat_mangle_tcp_packet"
  55                                        " error\n");
  56                         return -1;
  57                 }
  58
  59                 /* Relocate data pointer */
  60                 th = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl * 4,
  61                                         sizeof(_tcph), &_tcph);
  62                 if (th == NULL)
  63                         return -1;
  64                 *data = (*pskb)->data + (*pskb)->nh.iph->ihl * 4 +
  65                     th->doff * 4 + dataoff;
  66         } else {
  67                 if (!ip_nat_mangle_udp_packet(pskb, ct, ctinfo,
  68                                               addroff, sizeof(buf),
  69                                               (char *) &buf, sizeof(buf))) {
  70                         if (net_ratelimit())
  71                                 printk("ip_nat_h323: ip_nat_mangle_udp_packet"
  72                                        " error\n");
  73                         return -1;
  74                 }
  75                 /* ip_nat_mangle_udp_packet uses skb_make_writable() to copy
  76                  * or pull everything in a linear buffer, so we can safely
  77                  * use the skb pointers now */
  78                 *data = (*pskb)->data + (*pskb)->nh.iph->ihl * 4 +
  79                     sizeof(struct udphdr);
  80         }
  81
  82         return 0;
  83 }
  84
  85 /****************************************************************************/
  86 static int set_h225_addr(struct sk_buff **pskb,
  87                          unsigned char **data, int dataoff,
  88                          TransportAddress * addr,
  89                          u_int32_t ip, u_int16_t port)
  90 {
  91         return set_addr(pskb, data, dataoff, addr->ipAddress.ip, ip, port);
  92 }
  93
  94 /****************************************************************************/
  95 static int set_h245_addr(struct sk_buff **pskb,
  96                          unsigned char **data, int dataoff,
  97                          H245_TransportAddress * addr,
  98                          u_int32_t ip, u_int16_t port)
  99 {
 100         return set_addr(pskb, data, dataoff,
 101                         addr->unicastAddress.iPAddress.network, ip, port);
 102 }
 103
 104 /****************************************************************************/
 105 static int set_sig_addr(struct sk_buff **pskb, struct ip_conntrack *ct,
 106                         enum ip_conntrack_info ctinfo,
 107                         unsigned char **data,
 108                         TransportAddress * addr, int count)
 109 {
 110         struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
 111         int dir = CTINFO2DIR(ctinfo);
 112         int i;
 113         u_int32_t ip;
 114         u_int16_t port;
 115
 116         for (i = 0; i < count; i++) {
 117                 if (get_h225_addr(*data, &addr[i], &ip, &port)) {
 118                         if (ip == ct->tuplehash[dir].tuple.src.ip &&
 119                             port == info->sig_port[dir]) {
 120                                 /* GW->GK */
 121
 122                                 /* Fix for Gnomemeeting */
 123                                 if (i > 0 &&
 124                                     get_h225_addr(*data, &addr[0],
 125                                                   &ip, &port) &&
 126                                     (ntohl(ip) & 0xff000000) == 0x7f000000)
 127                                         i = 0;
 128
 129                                 DEBUGP
 130                                     ("ip_nat_ras: set signal address "
 131                                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 132                                      NIPQUAD(ip), port,
 133                                      NIPQUAD(ct->tuplehash[!dir].tuple.dst.
 134                                              ip), info->sig_port[!dir]);
 135                                 return set_h225_addr(pskb, data, 0, &addr[i],
 136                                                      ct->tuplehash[!dir].
 137                                                      tuple.dst.ip,
 138                                                      info->sig_port[!dir]);
 139                         } else if (ip == ct->tuplehash[dir].tuple.dst.ip &&
 140                                    port == info->sig_port[dir]) {
 141                                 /* GK->GW */
 142                                 DEBUGP
 143                                     ("ip_nat_ras: set signal address "
 144                                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 145                                      NIPQUAD(ip), port,
 146                                      NIPQUAD(ct->tuplehash[!dir].tuple.src.
 147                                              ip), info->sig_port[!dir]);
 148                                 return set_h225_addr(pskb, data, 0, &addr[i],
 149                                                      ct->tuplehash[!dir].
 150                                                      tuple.src.ip,
 151                                                      info->sig_port[!dir]);
 152                         }
 153                 }
 154         }
 155
 156         return 0;
 157 }
 158
 159 /****************************************************************************/
 160 static int set_ras_addr(struct sk_buff **pskb, struct ip_conntrack *ct,
 161                         enum ip_conntrack_info ctinfo,
 162                         unsigned char **data,
 163                         TransportAddress * addr, int count)
 164 {
 165         int dir = CTINFO2DIR(ctinfo);
 166         int i;
 167         u_int32_t ip;
 168         u_int16_t port;
 169
 170         for (i = 0; i < count; i++) {
 171                 if (get_h225_addr(*data, &addr[i], &ip, &port) &&
 172                     ip == ct->tuplehash[dir].tuple.src.ip &&
 173                     port == ntohs(ct->tuplehash[dir].tuple.src.u.udp.port)) {
 174                         DEBUGP("ip_nat_ras: set rasAddress "
 175                                "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 176                                NIPQUAD(ip), port,
 177                                NIPQUAD(ct->tuplehash[!dir].tuple.dst.ip),
 178                                ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.
 179                                      port));
 180                         return set_h225_addr(pskb, data, 0, &addr[i],
 181                                              ct->tuplehash[!dir].tuple.dst.ip,
 182                                              ntohs(ct->tuplehash[!dir].tuple.
 183                                                    dst.u.udp.port));
 184                 }
 185         }
 186
 187         return 0;
 188 }
 189
 190 /****************************************************************************/
 191 static int nat_rtp_rtcp(struct sk_buff **pskb, struct ip_conntrack *ct,
 192                         enum ip_conntrack_info ctinfo,
 193                         unsigned char **data, int dataoff,
 194                         H245_TransportAddress * addr,
 195                         u_int16_t port, u_int16_t rtp_port,
 196                         struct ip_conntrack_expect *rtp_exp,
 197                         struct ip_conntrack_expect *rtcp_exp)
 198 {
 199         struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
 200         int dir = CTINFO2DIR(ctinfo);
 201         int i;
 202         u_int16_t nated_port;
 203
 204         /* Set expectations for NAT */
 205         rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
 206         rtp_exp->expectfn = ip_nat_follow_master;
 207         rtp_exp->dir = !dir;
 208         rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
 209         rtcp_exp->expectfn = ip_nat_follow_master;
 210         rtcp_exp->dir = !dir;
 211
 212         /* Lookup existing expects */
 213         for (i = 0; i < H323_RTP_CHANNEL_MAX; i++) {
 214                 if (info->rtp_port[i][dir] == rtp_port) {
 215                         /* Expected */
 216
 217                         /* Use allocated ports first. This will refresh
 218                          * the expects */
 219                         rtp_exp->tuple.dst.u.udp.port =
 220                             htons(info->rtp_port[i][dir]);
 221                         rtcp_exp->tuple.dst.u.udp.port =
 222                             htons(info->rtp_port[i][dir] + 1);
 223                         break;
 224                 } else if (info->rtp_port[i][dir] == 0) {
 225                         /* Not expected */
 226                         break;
 227                 }
 228         }
 229
 230         /* Run out of expectations */
 231         if (i >= H323_RTP_CHANNEL_MAX) {
 232                 if (net_ratelimit())
 233                         printk("ip_nat_h323: out of expectations\n");
 234                 return 0;
 235         }
 236
 237         /* Try to get a pair of ports. */
 238         for (nated_port = ntohs(rtp_exp->tuple.dst.u.udp.port);
 239              nated_port != 0; nated_port += 2) {
 240                 rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
 241                 if (ip_conntrack_expect_related(rtp_exp) == 0) {
 242                         rtcp_exp->tuple.dst.u.udp.port =
 243                             htons(nated_port + 1);
 244                         if (ip_conntrack_expect_related(rtcp_exp) == 0)
 245                                 break;
 246                         ip_conntrack_unexpect_related(rtp_exp);
 247                 }
 248         }
 249
 250         if (nated_port == 0) {  /* No port available */
 251                 if (net_ratelimit())
 252                         printk("ip_nat_h323: out of RTP ports\n");
 253                 return 0;
 254         }
 255
 256         /* Modify signal */
 257         if (set_h245_addr(pskb, data, dataoff, addr,
 258                           ct->tuplehash[!dir].tuple.dst.ip,
 259                           (port & 1) ? nated_port + 1 : nated_port) == 0) {
 260                 /* Save ports */
 261                 info->rtp_port[i][dir] = rtp_port;
 262                 info->rtp_port[i][!dir] = nated_port;
 263         } else {
 264                 ip_conntrack_unexpect_related(rtp_exp);
 265                 ip_conntrack_unexpect_related(rtcp_exp);
 266                 return -1;
 267         }
 268
 269         /* Success */
 270         DEBUGP("ip_nat_h323: expect RTP %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 271                NIPQUAD(rtp_exp->tuple.src.ip),
 272                ntohs(rtp_exp->tuple.src.u.udp.port),
 273                NIPQUAD(rtp_exp->tuple.dst.ip),
 274                ntohs(rtp_exp->tuple.dst.u.udp.port));
 275         DEBUGP("ip_nat_h323: expect RTCP %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 276                NIPQUAD(rtcp_exp->tuple.src.ip),
 277                ntohs(rtcp_exp->tuple.src.u.udp.port),
 278                NIPQUAD(rtcp_exp->tuple.dst.ip),
 279                ntohs(rtcp_exp->tuple.dst.u.udp.port));
 280
 281         return 0;
 282 }
 283
 284 /****************************************************************************/
 285 static int nat_t120(struct sk_buff **pskb, struct ip_conntrack *ct,
 286                     enum ip_conntrack_info ctinfo,
 287                     unsigned char **data, int dataoff,
 288                     H245_TransportAddress * addr, u_int16_t port,
 289                     struct ip_conntrack_expect *exp)
 290 {
 291         int dir = CTINFO2DIR(ctinfo);
 292         u_int16_t nated_port = port;
 293
 294         /* Set expectations for NAT */
 295         exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
 296         exp->expectfn = ip_nat_follow_master;
 297         exp->dir = !dir;
 298
 299         /* Try to get same port: if not, try to change it. */
 300         for (; nated_port != 0; nated_port++) {
 301                 exp->tuple.dst.u.tcp.port = htons(nated_port);
 302                 if (ip_conntrack_expect_related(exp) == 0)
 303                         break;
 304         }
 305
 306         if (nated_port == 0) {  /* No port available */
 307                 if (net_ratelimit())
 308                         printk("ip_nat_h323: out of TCP ports\n");
 309                 return 0;
 310         }
 311
 312         /* Modify signal */
 313         if (set_h245_addr(pskb, data, dataoff, addr,
 314                           ct->tuplehash[!dir].tuple.dst.ip, nated_port) < 0) {
 315                 ip_conntrack_unexpect_related(exp);
 316                 return -1;
 317         }
 318
 319         DEBUGP("ip_nat_h323: expect T.120 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 320                NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.tcp.port),
 321                NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.tcp.port));
 322
 323         return 0;
 324 }
 325
 326 /****************************************************************************
 327  * This conntrack expect function replaces ip_conntrack_h245_expect()
 328  * which was set by ip_conntrack_helper_h323.c. It calls both
 329  * ip_nat_follow_master() and ip_conntrack_h245_expect()
 330  ****************************************************************************/
 331 static void ip_nat_h245_expect(struct ip_conntrack *new,
 332                                struct ip_conntrack_expect *this)
 333 {
 334         ip_nat_follow_master(new, this);
 335         ip_conntrack_h245_expect(new, this);
 336 }
 337
 338 /****************************************************************************/
 339 static int nat_h245(struct sk_buff **pskb, struct ip_conntrack *ct,
 340                     enum ip_conntrack_info ctinfo,
 341                     unsigned char **data, int dataoff,
 342                     TransportAddress * addr, u_int16_t port,
 343                     struct ip_conntrack_expect *exp)
 344 {
 345         struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
 346         int dir = CTINFO2DIR(ctinfo);
 347         u_int16_t nated_port = port;
 348
 349         /* Set expectations for NAT */
 350         exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
 351         exp->expectfn = ip_nat_h245_expect;
 352         exp->dir = !dir;
 353
 354         /* Check existing expects */
 355         if (info->sig_port[dir] == port)
 356                 nated_port = info->sig_port[!dir];
 357
 358         /* Try to get same port: if not, try to change it. */
 359         for (; nated_port != 0; nated_port++) {
 360                 exp->tuple.dst.u.tcp.port = htons(nated_port);
 361                 if (ip_conntrack_expect_related(exp) == 0)
 362                         break;
 363         }
 364
 365         if (nated_port == 0) {  /* No port available */
 366                 if (net_ratelimit())
 367                         printk("ip_nat_q931: out of TCP ports\n");
 368                 return 0;
 369         }
 370
 371         /* Modify signal */
 372         if (set_h225_addr(pskb, data, dataoff, addr,
 373                           ct->tuplehash[!dir].tuple.dst.ip,
 374                           nated_port) == 0) {
 375                 /* Save ports */
 376                 info->sig_port[dir] = port;
 377                 info->sig_port[!dir] = nated_port;
 378         } else {
 379                 ip_conntrack_unexpect_related(exp);
 380                 return -1;
 381         }
 382
 383         DEBUGP("ip_nat_q931: expect H.245 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 384                NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.tcp.port),
 385                NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.tcp.port));
 386
 387         return 0;
 388 }
 389
 390 /****************************************************************************
 391  * This conntrack expect function replaces ip_conntrack_q931_expect()
 392  * which was set by ip_conntrack_helper_h323.c.
 393  ****************************************************************************/
 394 static void ip_nat_q931_expect(struct ip_conntrack *new,
 395                                struct ip_conntrack_expect *this)
 396 {
 397         struct ip_nat_range range;
 398
 399         if (this->tuple.src.ip != 0) {  /* Only accept calls from GK */
 400                 ip_nat_follow_master(new, this);
 401                 goto out;
 402         }
 403
 404         /* This must be a fresh one. */
 405         BUG_ON(new->status & IPS_NAT_DONE_MASK);
 406
 407         /* Change src to where master sends to */
 408         range.flags = IP_NAT_RANGE_MAP_IPS;
 409         range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.ip;
 410
 411         /* hook doesn't matter, but it has to do source manip */
 412         ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
 413
 414         /* For DST manip, map port here to where it's expected. */
 415         range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
 416         range.min = range.max = this->saved_proto;
 417         range.min_ip = range.max_ip =
 418             new->master->tuplehash[!this->dir].tuple.src.ip;
 419
 420         /* hook doesn't matter, but it has to do destination manip */
 421         ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
 422
 423       out:
 424         ip_conntrack_q931_expect(new, this);
 425 }
 426
 427 /****************************************************************************/
 428 static int nat_q931(struct sk_buff **pskb, struct ip_conntrack *ct,
 429                     enum ip_conntrack_info ctinfo,
 430                     unsigned char **data, TransportAddress * addr, int idx,
 431                     u_int16_t port, struct ip_conntrack_expect *exp)
 432 {
 433         struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
 434         int dir = CTINFO2DIR(ctinfo);
 435         u_int16_t nated_port = port;
 436         u_int32_t ip;
 437
 438         /* Set expectations for NAT */
 439         exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
 440         exp->expectfn = ip_nat_q931_expect;
 441         exp->dir = !dir;
 442
 443         /* Check existing expects */
 444         if (info->sig_port[dir] == port)
 445                 nated_port = info->sig_port[!dir];
 446
 447         /* Try to get same port: if not, try to change it. */
 448         for (; nated_port != 0; nated_port++) {
 449                 exp->tuple.dst.u.tcp.port = htons(nated_port);
 450                 if (ip_conntrack_expect_related(exp) == 0)
 451                         break;
 452         }
 453
 454         if (nated_port == 0) {  /* No port available */
 455                 if (net_ratelimit())
 456                         printk("ip_nat_ras: out of TCP ports\n");
 457                 return 0;
 458         }
 459
 460         /* Modify signal */
 461         if (set_h225_addr(pskb, data, 0, &addr[idx],
 462                           ct->tuplehash[!dir].tuple.dst.ip,
 463                           nated_port) == 0) {
 464                 /* Save ports */
 465                 info->sig_port[dir] = port;
 466                 info->sig_port[!dir] = nated_port;
 467
 468                 /* Fix for Gnomemeeting */
 469                 if (idx > 0 &&
 470                     get_h225_addr(*data, &addr[0], &ip, &port) &&
 471                     (ntohl(ip) & 0xff000000) == 0x7f000000) {
 472                         set_h225_addr_hook(pskb, data, 0, &addr[0],
 473                                            ct->tuplehash[!dir].tuple.dst.ip,
 474                                            info->sig_port[!dir]);
 475                 }
 476         } else {
 477                 ip_conntrack_unexpect_related(exp);
 478                 return -1;
 479         }
 480
 481         /* Success */
 482         DEBUGP("ip_nat_ras: expect Q.931 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
 483                NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.tcp.port),
 484                NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.tcp.port));
 485
 486         return 0;
 487 }
 488
 489 /****************************************************************************/
 490 static int __init init(void)
 491 {
 492         BUG_ON(set_h245_addr_hook != NULL);
 493         BUG_ON(set_h225_addr_hook != NULL);
 494         BUG_ON(set_sig_addr_hook != NULL);
 495         BUG_ON(set_ras_addr_hook != NULL);
 496         BUG_ON(nat_rtp_rtcp_hook != NULL);
 497         BUG_ON(nat_t120_hook != NULL);
 498         BUG_ON(nat_h245_hook != NULL);
 499         BUG_ON(nat_q931_hook != NULL);
 500
 501         set_h245_addr_hook = set_h245_addr;
 502         set_h225_addr_hook = set_h225_addr;
 503         set_sig_addr_hook = set_sig_addr;
 504         set_ras_addr_hook = set_ras_addr;
 505         nat_rtp_rtcp_hook = nat_rtp_rtcp;
 506         nat_t120_hook = nat_t120;
 507         nat_h245_hook = nat_h245;
 508         nat_q931_hook = nat_q931;
 509
 510         DEBUGP("ip_nat_h323: init success\n");
 511         return 0;
 512 }
 513
 514 /****************************************************************************/
 515 static void __exit fini(void)
 516 {
 517         set_h245_addr_hook = NULL;
 518         set_h225_addr_hook = NULL;
 519         set_sig_addr_hook = NULL;
 520         set_ras_addr_hook = NULL;
 521         nat_rtp_rtcp_hook = NULL;
 522         nat_t120_hook = NULL;
 523         nat_h245_hook = NULL;
 524         nat_q931_hook = NULL;
 525         synchronize_net();
 526 }
 527
 528 /****************************************************************************/
 529 module_init(init);
 530 module_exit(fini);
 531
 532 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
 533 MODULE_DESCRIPTION("H.323 NAT helper");
 534 MODULE_LICENSE("GPL");