1 // SPDX-License-Identifier: GPL-2.0-only
3 * H.323 extension for NAT alteration.
5 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * Copyright (c) 2006-2012 Patrick McHardy <kaber@trash.net>
8 * Based on the 'brute force' H.323 NAT module by
9 * Jozsef Kadlecsik <kadlec@netfilter.org>
12 #include <linux/module.h>
13 #include <linux/tcp.h>
16 #include <net/netfilter/nf_nat.h>
17 #include <net/netfilter/nf_nat_helper.h>
18 #include <net/netfilter/nf_conntrack_helper.h>
19 #include <net/netfilter/nf_conntrack_expect.h>
20 #include <linux/netfilter/nf_conntrack_h323.h>
22 /****************************************************************************/
23 static int set_addr(struct sk_buff *skb, unsigned int protoff,
24 unsigned char **data, int dataoff,
25 unsigned int addroff, __be32 ip, __be16 port)
27 enum ip_conntrack_info ctinfo;
28 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
32 } __attribute__ ((__packed__)) buf;
33 const struct tcphdr *th;
40 if (ip_hdr(skb)->protocol == IPPROTO_TCP) {
41 if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
42 protoff, addroff, sizeof(buf),
43 (char *) &buf, sizeof(buf))) {
44 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_tcp_packet error\n");
48 /* Relocate data pointer */
49 th = skb_header_pointer(skb, ip_hdrlen(skb),
50 sizeof(_tcph), &_tcph);
53 *data = skb->data + ip_hdrlen(skb) + th->doff * 4 + dataoff;
55 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
56 protoff, addroff, sizeof(buf),
57 (char *) &buf, sizeof(buf))) {
58 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_udp_packet error\n");
61 /* nf_nat_mangle_udp_packet uses skb_ensure_writable() to copy
62 * or pull everything in a linear buffer, so we can safely
63 * use the skb pointers now */
64 *data = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
70 /****************************************************************************/
71 static int set_h225_addr(struct sk_buff *skb, unsigned int protoff,
72 unsigned char **data, int dataoff,
73 TransportAddress *taddr,
74 union nf_inet_addr *addr, __be16 port)
76 return set_addr(skb, protoff, data, dataoff, taddr->ipAddress.ip,
80 /****************************************************************************/
81 static int set_h245_addr(struct sk_buff *skb, unsigned protoff,
82 unsigned char **data, int dataoff,
83 H245_TransportAddress *taddr,
84 union nf_inet_addr *addr, __be16 port)
86 return set_addr(skb, protoff, data, dataoff,
87 taddr->unicastAddress.iPAddress.network,
91 /****************************************************************************/
92 static int set_sig_addr(struct sk_buff *skb, struct nf_conn *ct,
93 enum ip_conntrack_info ctinfo,
94 unsigned int protoff, unsigned char **data,
95 TransportAddress *taddr, int count)
97 const struct nf_ct_h323_master *info = nfct_help_data(ct);
98 int dir = CTINFO2DIR(ctinfo);
101 union nf_inet_addr addr;
103 for (i = 0; i < count; i++) {
104 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port)) {
105 if (addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
106 port == info->sig_port[dir]) {
109 /* Fix for Gnomemeeting */
111 get_h225_addr(ct, *data, &taddr[0],
113 (ntohl(addr.ip) & 0xff000000) == 0x7f000000)
116 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
118 &ct->tuplehash[!dir].tuple.dst.u3.ip,
119 info->sig_port[!dir]);
120 return set_h225_addr(skb, protoff, data, 0,
122 &ct->tuplehash[!dir].
124 info->sig_port[!dir]);
125 } else if (addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
126 port == info->sig_port[dir]) {
128 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
130 &ct->tuplehash[!dir].tuple.src.u3.ip,
131 info->sig_port[!dir]);
132 return set_h225_addr(skb, protoff, data, 0,
134 &ct->tuplehash[!dir].
136 info->sig_port[!dir]);
144 /****************************************************************************/
145 static int set_ras_addr(struct sk_buff *skb, struct nf_conn *ct,
146 enum ip_conntrack_info ctinfo,
147 unsigned int protoff, unsigned char **data,
148 TransportAddress *taddr, int count)
150 int dir = CTINFO2DIR(ctinfo);
153 union nf_inet_addr addr;
155 for (i = 0; i < count; i++) {
156 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
157 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
158 port == ct->tuplehash[dir].tuple.src.u.udp.port) {
159 pr_debug("nf_nat_ras: set rasAddress %pI4:%hu->%pI4:%hu\n",
160 &addr.ip, ntohs(port),
161 &ct->tuplehash[!dir].tuple.dst.u3.ip,
162 ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port));
163 return set_h225_addr(skb, protoff, data, 0, &taddr[i],
164 &ct->tuplehash[!dir].tuple.dst.u3,
165 ct->tuplehash[!dir].tuple.
173 /****************************************************************************/
174 static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
175 enum ip_conntrack_info ctinfo,
176 unsigned int protoff, unsigned char **data, int dataoff,
177 H245_TransportAddress *taddr,
178 __be16 port, __be16 rtp_port,
179 struct nf_conntrack_expect *rtp_exp,
180 struct nf_conntrack_expect *rtcp_exp)
182 struct nf_ct_h323_master *info = nfct_help_data(ct);
183 int dir = CTINFO2DIR(ctinfo);
185 u_int16_t nated_port;
187 /* Set expectations for NAT */
188 rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
189 rtp_exp->expectfn = nf_nat_follow_master;
191 rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
192 rtcp_exp->expectfn = nf_nat_follow_master;
193 rtcp_exp->dir = !dir;
195 /* Lookup existing expects */
196 for (i = 0; i < H323_RTP_CHANNEL_MAX; i++) {
197 if (info->rtp_port[i][dir] == rtp_port) {
200 /* Use allocated ports first. This will refresh
202 rtp_exp->tuple.dst.u.udp.port = info->rtp_port[i][dir];
203 rtcp_exp->tuple.dst.u.udp.port =
204 htons(ntohs(info->rtp_port[i][dir]) + 1);
206 } else if (info->rtp_port[i][dir] == 0) {
212 /* Run out of expectations */
213 if (i >= H323_RTP_CHANNEL_MAX) {
214 net_notice_ratelimited("nf_nat_h323: out of expectations\n");
218 /* Try to get a pair of ports. */
219 for (nated_port = ntohs(rtp_exp->tuple.dst.u.udp.port);
220 nated_port != 0; nated_port += 2) {
223 rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
224 ret = nf_ct_expect_related(rtp_exp, 0);
226 rtcp_exp->tuple.dst.u.udp.port =
227 htons(nated_port + 1);
228 ret = nf_ct_expect_related(rtcp_exp, 0);
231 else if (ret == -EBUSY) {
232 nf_ct_unexpect_related(rtp_exp);
234 } else if (ret < 0) {
235 nf_ct_unexpect_related(rtp_exp);
239 } else if (ret != -EBUSY) {
245 if (nated_port == 0) { /* No port available */
246 net_notice_ratelimited("nf_nat_h323: out of RTP ports\n");
251 if (set_h245_addr(skb, protoff, data, dataoff, taddr,
252 &ct->tuplehash[!dir].tuple.dst.u3,
253 htons((port & htons(1)) ? nated_port + 1 :
255 nf_ct_unexpect_related(rtp_exp);
256 nf_ct_unexpect_related(rtcp_exp);
261 info->rtp_port[i][dir] = rtp_port;
262 info->rtp_port[i][!dir] = htons(nated_port);
265 pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
266 &rtp_exp->tuple.src.u3.ip,
267 ntohs(rtp_exp->tuple.src.u.udp.port),
268 &rtp_exp->tuple.dst.u3.ip,
269 ntohs(rtp_exp->tuple.dst.u.udp.port));
270 pr_debug("nf_nat_h323: expect RTCP %pI4:%hu->%pI4:%hu\n",
271 &rtcp_exp->tuple.src.u3.ip,
272 ntohs(rtcp_exp->tuple.src.u.udp.port),
273 &rtcp_exp->tuple.dst.u3.ip,
274 ntohs(rtcp_exp->tuple.dst.u.udp.port));
279 /****************************************************************************/
280 static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
281 enum ip_conntrack_info ctinfo,
282 unsigned int protoff, unsigned char **data, int dataoff,
283 H245_TransportAddress *taddr, __be16 port,
284 struct nf_conntrack_expect *exp)
286 int dir = CTINFO2DIR(ctinfo);
287 u_int16_t nated_port = ntohs(port);
289 /* Set expectations for NAT */
290 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
291 exp->expectfn = nf_nat_follow_master;
294 /* Try to get same port: if not, try to change it. */
295 for (; nated_port != 0; nated_port++) {
298 exp->tuple.dst.u.tcp.port = htons(nated_port);
299 ret = nf_ct_expect_related(exp, 0);
302 else if (ret != -EBUSY) {
308 if (nated_port == 0) { /* No port available */
309 net_notice_ratelimited("nf_nat_h323: out of TCP ports\n");
314 if (set_h245_addr(skb, protoff, data, dataoff, taddr,
315 &ct->tuplehash[!dir].tuple.dst.u3,
316 htons(nated_port)) < 0) {
317 nf_ct_unexpect_related(exp);
321 pr_debug("nf_nat_h323: expect T.120 %pI4:%hu->%pI4:%hu\n",
322 &exp->tuple.src.u3.ip,
323 ntohs(exp->tuple.src.u.tcp.port),
324 &exp->tuple.dst.u3.ip,
325 ntohs(exp->tuple.dst.u.tcp.port));
330 /****************************************************************************/
331 static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
332 enum ip_conntrack_info ctinfo,
333 unsigned int protoff, unsigned char **data, int dataoff,
334 TransportAddress *taddr, __be16 port,
335 struct nf_conntrack_expect *exp)
337 struct nf_ct_h323_master *info = nfct_help_data(ct);
338 int dir = CTINFO2DIR(ctinfo);
339 u_int16_t nated_port = ntohs(port);
341 /* Set expectations for NAT */
342 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
343 exp->expectfn = nf_nat_follow_master;
346 /* Check existing expects */
347 if (info->sig_port[dir] == port)
348 nated_port = ntohs(info->sig_port[!dir]);
350 /* Try to get same port: if not, try to change it. */
351 for (; nated_port != 0; nated_port++) {
354 exp->tuple.dst.u.tcp.port = htons(nated_port);
355 ret = nf_ct_expect_related(exp, 0);
358 else if (ret != -EBUSY) {
364 if (nated_port == 0) { /* No port available */
365 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
370 if (set_h225_addr(skb, protoff, data, dataoff, taddr,
371 &ct->tuplehash[!dir].tuple.dst.u3,
372 htons(nated_port))) {
373 nf_ct_unexpect_related(exp);
378 info->sig_port[dir] = port;
379 info->sig_port[!dir] = htons(nated_port);
381 pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
382 &exp->tuple.src.u3.ip,
383 ntohs(exp->tuple.src.u.tcp.port),
384 &exp->tuple.dst.u3.ip,
385 ntohs(exp->tuple.dst.u.tcp.port));
390 /****************************************************************************
391 * This conntrack expect function replaces nf_conntrack_q931_expect()
392 * which was set by nf_conntrack_h323.c.
393 ****************************************************************************/
394 static void ip_nat_q931_expect(struct nf_conn *new,
395 struct nf_conntrack_expect *this)
397 struct nf_nat_range2 range;
399 if (this->tuple.src.u3.ip != 0) { /* Only accept calls from GK */
400 nf_nat_follow_master(new, this);
404 /* This must be a fresh one. */
405 BUG_ON(new->status & IPS_NAT_DONE_MASK);
407 /* Change src to where master sends to */
408 range.flags = NF_NAT_RANGE_MAP_IPS;
409 range.min_addr = range.max_addr =
410 new->tuplehash[!this->dir].tuple.src.u3;
411 nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC);
413 /* For DST manip, map port here to where it's expected. */
414 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
415 range.min_proto = range.max_proto = this->saved_proto;
416 range.min_addr = range.max_addr =
417 new->master->tuplehash[!this->dir].tuple.src.u3;
418 nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST);
421 /****************************************************************************/
422 static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
423 enum ip_conntrack_info ctinfo,
424 unsigned int protoff, unsigned char **data,
425 TransportAddress *taddr, int idx,
426 __be16 port, struct nf_conntrack_expect *exp)
428 struct nf_ct_h323_master *info = nfct_help_data(ct);
429 int dir = CTINFO2DIR(ctinfo);
430 u_int16_t nated_port = ntohs(port);
431 union nf_inet_addr addr;
433 /* Set expectations for NAT */
434 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
435 exp->expectfn = ip_nat_q931_expect;
438 /* Check existing expects */
439 if (info->sig_port[dir] == port)
440 nated_port = ntohs(info->sig_port[!dir]);
442 /* Try to get same port: if not, try to change it. */
443 for (; nated_port != 0; nated_port++) {
446 exp->tuple.dst.u.tcp.port = htons(nated_port);
447 ret = nf_ct_expect_related(exp, 0);
450 else if (ret != -EBUSY) {
456 if (nated_port == 0) { /* No port available */
457 net_notice_ratelimited("nf_nat_ras: out of TCP ports\n");
462 if (set_h225_addr(skb, protoff, data, 0, &taddr[idx],
463 &ct->tuplehash[!dir].tuple.dst.u3,
464 htons(nated_port))) {
465 nf_ct_unexpect_related(exp);
470 info->sig_port[dir] = port;
471 info->sig_port[!dir] = htons(nated_port);
473 /* Fix for Gnomemeeting */
475 get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
476 (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
477 if (set_h225_addr(skb, protoff, data, 0, &taddr[0],
478 &ct->tuplehash[!dir].tuple.dst.u3,
479 info->sig_port[!dir])) {
480 nf_ct_unexpect_related(exp);
486 pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
487 &exp->tuple.src.u3.ip,
488 ntohs(exp->tuple.src.u.tcp.port),
489 &exp->tuple.dst.u3.ip,
490 ntohs(exp->tuple.dst.u.tcp.port));
495 /****************************************************************************/
496 static void ip_nat_callforwarding_expect(struct nf_conn *new,
497 struct nf_conntrack_expect *this)
499 struct nf_nat_range2 range;
501 /* This must be a fresh one. */
502 BUG_ON(new->status & IPS_NAT_DONE_MASK);
504 /* Change src to where master sends to */
505 range.flags = NF_NAT_RANGE_MAP_IPS;
506 range.min_addr = range.max_addr =
507 new->tuplehash[!this->dir].tuple.src.u3;
508 nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC);
510 /* For DST manip, map port here to where it's expected. */
511 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
512 range.min_proto = range.max_proto = this->saved_proto;
513 range.min_addr = range.max_addr = this->saved_addr;
514 nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST);
517 /****************************************************************************/
518 static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
519 enum ip_conntrack_info ctinfo,
520 unsigned int protoff,
521 unsigned char **data, int dataoff,
522 TransportAddress *taddr, __be16 port,
523 struct nf_conntrack_expect *exp)
525 int dir = CTINFO2DIR(ctinfo);
526 u_int16_t nated_port;
528 /* Set expectations for NAT */
529 exp->saved_addr = exp->tuple.dst.u3;
530 exp->tuple.dst.u3.ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
531 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
532 exp->expectfn = ip_nat_callforwarding_expect;
535 /* Try to get same port: if not, try to change it. */
536 for (nated_port = ntohs(port); nated_port != 0; nated_port++) {
539 exp->tuple.dst.u.tcp.port = htons(nated_port);
540 ret = nf_ct_expect_related(exp, 0);
543 else if (ret != -EBUSY) {
549 if (nated_port == 0) { /* No port available */
550 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
555 if (set_h225_addr(skb, protoff, data, dataoff, taddr,
556 &ct->tuplehash[!dir].tuple.dst.u3,
557 htons(nated_port))) {
558 nf_ct_unexpect_related(exp);
563 pr_debug("nf_nat_q931: expect Call Forwarding %pI4:%hu->%pI4:%hu\n",
564 &exp->tuple.src.u3.ip,
565 ntohs(exp->tuple.src.u.tcp.port),
566 &exp->tuple.dst.u3.ip,
567 ntohs(exp->tuple.dst.u.tcp.port));
572 static struct nf_ct_helper_expectfn q931_nat = {
574 .expectfn = ip_nat_q931_expect,
577 static struct nf_ct_helper_expectfn callforwarding_nat = {
578 .name = "callforwarding",
579 .expectfn = ip_nat_callforwarding_expect,
582 /****************************************************************************/
583 static int __init init(void)
585 BUG_ON(set_h245_addr_hook != NULL);
586 BUG_ON(set_h225_addr_hook != NULL);
587 BUG_ON(set_sig_addr_hook != NULL);
588 BUG_ON(set_ras_addr_hook != NULL);
589 BUG_ON(nat_rtp_rtcp_hook != NULL);
590 BUG_ON(nat_t120_hook != NULL);
591 BUG_ON(nat_h245_hook != NULL);
592 BUG_ON(nat_callforwarding_hook != NULL);
593 BUG_ON(nat_q931_hook != NULL);
595 RCU_INIT_POINTER(set_h245_addr_hook, set_h245_addr);
596 RCU_INIT_POINTER(set_h225_addr_hook, set_h225_addr);
597 RCU_INIT_POINTER(set_sig_addr_hook, set_sig_addr);
598 RCU_INIT_POINTER(set_ras_addr_hook, set_ras_addr);
599 RCU_INIT_POINTER(nat_rtp_rtcp_hook, nat_rtp_rtcp);
600 RCU_INIT_POINTER(nat_t120_hook, nat_t120);
601 RCU_INIT_POINTER(nat_h245_hook, nat_h245);
602 RCU_INIT_POINTER(nat_callforwarding_hook, nat_callforwarding);
603 RCU_INIT_POINTER(nat_q931_hook, nat_q931);
604 nf_ct_helper_expectfn_register(&q931_nat);
605 nf_ct_helper_expectfn_register(&callforwarding_nat);
609 /****************************************************************************/
610 static void __exit fini(void)
612 RCU_INIT_POINTER(set_h245_addr_hook, NULL);
613 RCU_INIT_POINTER(set_h225_addr_hook, NULL);
614 RCU_INIT_POINTER(set_sig_addr_hook, NULL);
615 RCU_INIT_POINTER(set_ras_addr_hook, NULL);
616 RCU_INIT_POINTER(nat_rtp_rtcp_hook, NULL);
617 RCU_INIT_POINTER(nat_t120_hook, NULL);
618 RCU_INIT_POINTER(nat_h245_hook, NULL);
619 RCU_INIT_POINTER(nat_callforwarding_hook, NULL);
620 RCU_INIT_POINTER(nat_q931_hook, NULL);
621 nf_ct_helper_expectfn_unregister(&q931_nat);
622 nf_ct_helper_expectfn_unregister(&callforwarding_nat);
626 /****************************************************************************/
630 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
631 MODULE_DESCRIPTION("H.323 NAT helper");
632 MODULE_LICENSE("GPL");
633 MODULE_ALIAS_NF_NAT_HELPER("h323");
projects / librecmc / linux-libre.git / blob