2 * H.323 extension for NAT alteration.
4 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
5 * Copyright (c) 2006-2012 Patrick McHardy <kaber@trash.net>
7 * This source code is licensed under General Public License version 2.
9 * Based on the 'brute force' H.323 NAT module by
10 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 #include <linux/module.h>
14 #include <linux/tcp.h>
17 #include <net/netfilter/nf_nat.h>
18 #include <net/netfilter/nf_nat_helper.h>
19 #include <net/netfilter/nf_conntrack_helper.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <linux/netfilter/nf_conntrack_h323.h>
23 /****************************************************************************/
/*
 * set_addr - rewrite one IPv4 address/port pair inside the H.323 payload.
 * @skb:     packet being NATed
 * @protoff: transport-header offset, passed through to the mangling helpers
 * @data:    in/out pointer to the H.323 payload; refreshed after mangling
 *           because the helpers may reallocate or linearize the skb
 * @dataoff: offset of the payload inside the TCP segment (used on the TCP
 *           path only; the UDP path assumes a fixed UDP header)
 * @addroff: offset of the address field inside the payload
 * @ip:      replacement IPv4 address (network byte order)
 * @port:    replacement port (network byte order)
 *
 * Dispatches on the IP protocol: TCP goes through nf_nat_mangle_tcp_packet(),
 * anything else through nf_nat_mangle_udp_packet(). Both overwrite
 * sizeof(buf) bytes at @addroff with the raw bytes of @buf.
 * The return statements are not shown in this listing; callers in this
 * file treat 0 as success and a negative value as failure — confirm.
 */
24 static int set_addr(struct sk_buff *skb, unsigned int protoff,
25 unsigned char **data, int dataoff,
26 unsigned int addroff, __be32 ip, __be16 port)
28 enum ip_conntrack_info ctinfo;
29 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
/* buf is copied verbatim into the payload as (char *)&buf, so it must be
 * packed: any padding between its fields would corrupt the wire encoding.
 * Its members and the lines that fill it are not part of this listing. */
33 } __attribute__ ((__packed__)) buf;
34 const struct tcphdr *th;
41 if (ip_hdr(skb)->protocol == IPPROTO_TCP) {
42 if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
43 protoff, addroff, sizeof(buf),
44 (char *) &buf, sizeof(buf))) {
/* Rate-limited: this path is reachable from attacker-controlled packets,
 * so an unthrottled log line here would be a log-flooding vector. */
45 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_tcp_packet error\n");
49 /* Relocate data pointer */
/* Re-read the TCP header from the (possibly reallocated) skb rather than
 * reusing a pointer taken before mangling. _tcph is the stack copy used
 * when the header is non-linear; its declaration is not in this listing. */
50 th = skb_header_pointer(skb, ip_hdrlen(skb),
51 sizeof(_tcph), &_tcph);
/* NOTE(review): skb_header_pointer() returns NULL when the header cannot be
 * read; the NULL check must sit between here and the dereference below.
 * It is not visible in this listing — confirm against the full file. */
54 *data = skb->data + ip_hdrlen(skb) + th->doff * 4 + dataoff;
56 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
57 protoff, addroff, sizeof(buf),
58 (char *) &buf, sizeof(buf))) {
59 net_notice_ratelimited("nf_nat_h323: nf_nat_mangle_udp_packet error\n");
62 /* nf_nat_mangle_udp_packet uses skb_make_writable() to copy
63 * or pull everything in a linear buffer, so we can safely
64 * use the skb pointers now */
/* Unlike the TCP path, the UDP header length is fixed, so no header
 * re-read is needed; note dataoff is not applied on this path. */
65 *data = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
71 /****************************************************************************/
/*
 * set_h225_addr - NAT the address inside a decoded H.225 TransportAddress.
 * @taddr: decoded TransportAddress; taddr->ipAddress.ip is handed to
 *         set_addr() in its @addroff slot, i.e. the decoder stores the
 *         payload offset of the address field there, not the address value.
 * @addr/@port: replacement address and port.
 *
 * Thin wrapper around set_addr(); the trailing arguments of that call
 * (the new address and port) are on a line not shown in this listing.
 * Returns whatever set_addr() returns.
 */
72 static int set_h225_addr(struct sk_buff *skb, unsigned int protoff,
73 unsigned char **data, int dataoff,
74 TransportAddress *taddr,
75 union nf_inet_addr *addr, __be16 port)
77 return set_addr(skb, protoff, data, dataoff, taddr->ipAddress.ip,
81 /****************************************************************************/
/*
 * set_h245_addr - NAT the address inside a decoded H.245 TransportAddress.
 * Same contract as set_h225_addr(), but the address offset comes from the
 * unicast IPv4 branch of the H.245 union
 * (taddr->unicastAddress.iPAddress.network), passed as set_addr()'s
 * @addroff. Style nit: @protoff is spelled "unsigned" here and
 * "unsigned int" in every sibling.
 */
82 static int set_h245_addr(struct sk_buff *skb, unsigned protoff,
83 unsigned char **data, int dataoff,
84 H245_TransportAddress *taddr,
85 union nf_inet_addr *addr, __be16 port)
87 return set_addr(skb, protoff, data, dataoff,
88 taddr->unicastAddress.iPAddress.network,
92 /****************************************************************************/
/*
 * set_sig_addr - rewrite the first RAS signalling address in @taddr[] that
 * belongs to this connection.
 * @taddr/@count: array of decoded TransportAddress entries in the payload.
 *
 * Each entry is decoded with get_h225_addr() and matched against the
 * conntrack tuple plus the signal port cached in the helper data
 * (info->sig_port[dir]):
 *  - matches our src address + sig port: rewrite to the reply direction's
 *    dst (the public mapping);
 *  - matches our dst address + sig port: rewrite to the reply direction's
 *    src.
 * The set_h225_addr() result of the first match is returned directly;
 * what is returned when nothing matches is outside this listing, as are
 * the declarations of @i and @port.
 */
93 static int set_sig_addr(struct sk_buff *skb, struct nf_conn *ct,
94 enum ip_conntrack_info ctinfo,
95 unsigned int protoff, unsigned char **data,
96 TransportAddress *taddr, int count)
98 const struct nf_ct_h323_master *info = nfct_help_data(ct);
99 int dir = CTINFO2DIR(ctinfo);
102 union nf_inet_addr addr;
104 for (i = 0; i < count; i++) {
/* Entries that fail to decode are skipped rather than treated as errors. */
105 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port)) {
106 if (addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
107 port == info->sig_port[dir]) {
110 /* Fix for Gnomemeeting */
/* Gnomemeeting advertises a loopback address (127.0.0.0/8) in the
 * first entry; that entry is rewritten too. The conditions joined to
 * this test by && are on lines not shown here. */
112 get_h225_addr(ct, *data, &taddr[0],
114 (ntohl(addr.ip) & 0xff000000) == 0x7f000000)
117 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
119 &ct->tuplehash[!dir].tuple.dst.u3.ip,
120 info->sig_port[!dir]);
/* Public side of the mapping: reply-direction dst address and sig port. */
121 return set_h225_addr(skb, protoff, data, 0,
123 &ct->tuplehash[!dir].
125 info->sig_port[!dir]);
126 } else if (addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
127 port == info->sig_port[dir]) {
129 pr_debug("nf_nat_ras: set signal address %pI4:%hu->%pI4:%hu\n",
131 &ct->tuplehash[!dir].tuple.src.u3.ip,
132 info->sig_port[!dir]);
/* Peer side of the mapping: reply-direction src address and sig port. */
133 return set_h225_addr(skb, protoff, data, 0,
135 &ct->tuplehash[!dir].
137 info->sig_port[!dir]);
145 /****************************************************************************/
/*
 * set_ras_addr - rewrite the RAS address (rasAddress) in @taddr[] that
 * matches this connection's original-direction UDP source.
 * @taddr/@count: array of decoded TransportAddress entries.
 *
 * Unlike set_sig_addr(), the match key is the conntrack tuple's own UDP
 * source port rather than the cached signal port. On the first match the
 * entry is rewritten to the reply direction's dst address/port and the
 * set_h225_addr() result is returned. Declarations of @i and @port and the
 * no-match return are outside this listing.
 */
146 static int set_ras_addr(struct sk_buff *skb, struct nf_conn *ct,
147 enum ip_conntrack_info ctinfo,
148 unsigned int protoff, unsigned char **data,
149 TransportAddress *taddr, int count)
151 int dir = CTINFO2DIR(ctinfo);
154 union nf_inet_addr addr;
156 for (i = 0; i < count; i++) {
157 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
158 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
159 port == ct->tuplehash[dir].tuple.src.u.udp.port) {
160 pr_debug("nf_nat_ras: set rasAddress %pI4:%hu->%pI4:%hu\n",
161 &addr.ip, ntohs(port),
162 &ct->tuplehash[!dir].tuple.dst.u3.ip,
163 ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port));
/* dataoff is 0: RAS runs over UDP and set_addr() ignores it on that path. */
164 return set_h225_addr(skb, protoff, data, 0, &taddr[i],
165 &ct->tuplehash[!dir].tuple.dst.u3,
166 ct->tuplehash[!dir].tuple.
174 /****************************************************************************/
/*
 * nat_rtp_rtcp - set up NAT for an RTP/RTCP channel pair announced in H.245.
 * @taddr:    decoded H.245 address to rewrite in the payload
 * @port:     port as announced in the payload (RTP or RTCP leg)
 * @rtp_port: the RTP port of the pair, used as the key into info->rtp_port[]
 * @rtp_exp/@rtcp_exp: expectations prepared by the conntrack helper
 *
 * Steps:
 *  1. Record the pre-NAT ports in each expectation's saved_proto and let
 *     nf_nat_follow_master() handle the data connections.
 *  2. Find the channel slot: an existing slot keyed by @rtp_port (re-use its
 *     ports so a repeated announcement refreshes rather than re-allocates)
 *     or the first free one.
 *  3. Reserve a consecutive UDP port pair via nf_ct_expect_related().
 *  4. Rewrite the payload address; on failure drop both expectations.
 * Declarations of @i and @ret, the RTP-side dir assignment and the return
 * statements are not shown in this listing.
 */
175 static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
176 enum ip_conntrack_info ctinfo,
177 unsigned int protoff, unsigned char **data, int dataoff,
178 H245_TransportAddress *taddr,
179 __be16 port, __be16 rtp_port,
180 struct nf_conntrack_expect *rtp_exp,
181 struct nf_conntrack_expect *rtcp_exp)
183 struct nf_ct_h323_master *info = nfct_help_data(ct);
184 int dir = CTINFO2DIR(ctinfo);
186 u_int16_t nated_port;
188 /* Set expectations for NAT */
189 rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
190 rtp_exp->expectfn = nf_nat_follow_master;
192 rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
193 rtcp_exp->expectfn = nf_nat_follow_master;
/* Expectations are registered for the reply direction. */
194 rtcp_exp->dir = !dir;
196 /* Lookup existing expects */
197 for (i = 0; i < H323_RTP_CHANNEL_MAX; i++) {
198 if (info->rtp_port[i][dir] == rtp_port) {
201 /* Use allocated ports first. This will refresh
/* Re-use the previously chosen pair: RTP port from the slot, RTCP = RTP+1. */
203 rtp_exp->tuple.dst.u.udp.port = info->rtp_port[i][dir];
204 rtcp_exp->tuple.dst.u.udp.port =
205 htons(ntohs(info->rtp_port[i][dir]) + 1);
/* A zero entry marks a free slot; the loop presumably stops on the first
 * one (the body of this branch is not shown). */
207 } else if (info->rtp_port[i][dir] == 0) {
213 /* Run out of expectations */
/* Bounded table: a peer announcing more channels than H323_RTP_CHANNEL_MAX
 * is refused rather than allowed to grow state without limit. */
214 if (i >= H323_RTP_CHANNEL_MAX) {
215 net_notice_ratelimited("nf_nat_h323: out of expectations\n");
219 /* Try to get a pair of ports. */
/* nated_port is u16; stepping by 2 ends the loop only when it wraps to 0,
 * which requires an even starting port. NOTE(review): an odd start would
 * cycle through odd values forever if every reservation fails — relies on
 * the caller supplying an even RTP port; confirm. */
220 for (nated_port = ntohs(rtp_exp->tuple.dst.u.udp.port);
221 nated_port != 0; nated_port += 2) {
224 rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
225 ret = nf_ct_expect_related(rtp_exp);
/* RTP reserved; now try the adjacent port for RTCP. */
227 rtcp_exp->tuple.dst.u.udp.port =
228 htons(nated_port + 1);
229 ret = nf_ct_expect_related(rtcp_exp);
/* RTCP port taken: release the RTP reservation and move to the next pair. */
232 else if (ret == -EBUSY) {
233 nf_ct_unexpect_related(rtp_exp);
/* Any other RTCP error is fatal: release RTP and give up. */
235 } else if (ret < 0) {
236 nf_ct_unexpect_related(rtp_exp);
/* RTP reservation failed for a reason other than "port busy": stop. */
240 } else if (ret != -EBUSY) {
246 if (nated_port == 0) { /* No port available */
247 net_notice_ratelimited("nf_nat_h323: out of RTP ports\n");
/* The announced port's parity says whether it is the RTP (even) or RTCP
 * (odd) leg; rewrite with the matching member of the reserved pair. */
252 if (set_h245_addr(skb, protoff, data, dataoff, taddr,
253 &ct->tuplehash[!dir].tuple.dst.u3,
254 htons((port & htons(1)) ? nated_port + 1 :
/* Remember the mapping so the next announcement of this channel re-uses it. */
257 info->rtp_port[i][dir] = rtp_port;
258 info->rtp_port[i][!dir] = htons(nated_port);
/* Payload rewrite failed: leave no dangling expectations behind. */
260 nf_ct_unexpect_related(rtp_exp);
261 nf_ct_unexpect_related(rtcp_exp);
266 pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
267 &rtp_exp->tuple.src.u3.ip,
268 ntohs(rtp_exp->tuple.src.u.udp.port),
269 &rtp_exp->tuple.dst.u3.ip,
270 ntohs(rtp_exp->tuple.dst.u.udp.port));
271 pr_debug("nf_nat_h323: expect RTCP %pI4:%hu->%pI4:%hu\n",
272 &rtcp_exp->tuple.src.u3.ip,
273 ntohs(rtcp_exp->tuple.src.u.udp.port),
274 &rtcp_exp->tuple.dst.u3.ip,
275 ntohs(rtcp_exp->tuple.dst.u.udp.port));
280 /****************************************************************************/
/*
 * nat_t120 - set up NAT for a T.120 data channel announced in H.245.
 * @taddr: decoded H.245 address to rewrite
 * @port:  announced TCP port; the first candidate for the NATed port
 * @exp:   expectation prepared by the conntrack helper
 *
 * Saves the pre-NAT port, lets nf_nat_follow_master() NAT the data
 * connection, reserves a TCP port starting at @port and rewrites the
 * payload. On rewrite failure the expectation is released. Declarations
 * of @ret and the return statements are not shown in this listing.
 */
281 static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
282 enum ip_conntrack_info ctinfo,
283 unsigned int protoff, unsigned char **data, int dataoff,
284 H245_TransportAddress *taddr, __be16 port,
285 struct nf_conntrack_expect *exp)
287 int dir = CTINFO2DIR(ctinfo);
288 u_int16_t nated_port = ntohs(port);
290 /* Set expectations for NAT */
291 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
292 exp->expectfn = nf_nat_follow_master;
295 /* Try to get same port: if not, try to change it. */
/* u16 loop: stops when the port wraps to 0 (every port busy) or, in the
 * body below, when the reservation succeeds or fails with an error other
 * than -EBUSY. An announced port of 0 skips the loop entirely. */
296 for (; nated_port != 0; nated_port++) {
299 exp->tuple.dst.u.tcp.port = htons(nated_port);
300 ret = nf_ct_expect_related(exp);
/* -EBUSY means "port taken, try the next one"; anything else ends the loop. */
303 else if (ret != -EBUSY) {
309 if (nated_port == 0) { /* No port available */
310 net_notice_ratelimited("nf_nat_t120: out of TCP ports\n");
315 if (set_h245_addr(skb, protoff, data, dataoff, taddr,
316 &ct->tuplehash[!dir].tuple.dst.u3,
317 htons(nated_port)) < 0) {
/* Payload rewrite failed: do not leave the reservation behind. */
318 nf_ct_unexpect_related(exp);
322 pr_debug("nf_nat_h323: expect T.120 %pI4:%hu->%pI4:%hu\n",
323 &exp->tuple.src.u3.ip,
324 ntohs(exp->tuple.src.u.tcp.port),
325 &exp->tuple.dst.u3.ip,
326 ntohs(exp->tuple.dst.u.tcp.port));
331 /****************************************************************************/
/*
 * nat_h245 - set up NAT for the H.245 control channel announced in Q.931.
 * @taddr: decoded H.225 address to rewrite
 * @port:  announced TCP port
 * @exp:   expectation prepared by the conntrack helper
 *
 * Like nat_t120(), but the chosen port is remembered in the helper data
 * (info->sig_port[]) so a repeated announcement of the same port re-uses
 * the existing mapping instead of reserving a new one. Declarations of
 * @ret and the return statements are not shown in this listing.
 */
332 static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
333 enum ip_conntrack_info ctinfo,
334 unsigned int protoff, unsigned char **data, int dataoff,
335 TransportAddress *taddr, __be16 port,
336 struct nf_conntrack_expect *exp)
338 struct nf_ct_h323_master *info = nfct_help_data(ct);
339 int dir = CTINFO2DIR(ctinfo);
340 u_int16_t nated_port = ntohs(port);
342 /* Set expectations for NAT */
343 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
344 exp->expectfn = nf_nat_follow_master;
347 /* Check existing expects */
/* Same port announced again: start from the port mapped last time. */
348 if (info->sig_port[dir] == port)
349 nated_port = ntohs(info->sig_port[!dir]);
351 /* Try to get same port: if not, try to change it. */
/* u16 loop; ends on wrap to 0, on success, or on a non -EBUSY error. */
352 for (; nated_port != 0; nated_port++) {
355 exp->tuple.dst.u.tcp.port = htons(nated_port);
356 ret = nf_ct_expect_related(exp);
359 else if (ret != -EBUSY) {
365 if (nated_port == 0) { /* No port available */
366 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
/* Success is tested as == 0 here, whereas nat_t120() tests < 0; both
 * conventions coexist in this file. */
371 if (set_h225_addr(skb, protoff, data, dataoff, taddr,
372 &ct->tuplehash[!dir].tuple.dst.u3,
373 htons(nated_port)) == 0) {
/* Cache both sides of the mapping for the re-use check above. */
375 info->sig_port[dir] = port;
376 info->sig_port[!dir] = htons(nated_port);
/* Rewrite failed: release the reservation. */
378 nf_ct_unexpect_related(exp);
382 pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
383 &exp->tuple.src.u3.ip,
384 ntohs(exp->tuple.src.u.tcp.port),
385 &exp->tuple.dst.u3.ip,
386 ntohs(exp->tuple.dst.u.tcp.port));
391 /****************************************************************************
392 * This conntrack expect function replaces nf_conntrack_q931_expect()
393 * which was set by nf_conntrack_h323.c.
394 ****************************************************************************/
/*
 * ip_nat_q931_expect - expectfn for Q.931 connections created from a RAS
 * expectation (installed by nat_q931()).
 * @new:  the freshly created conntrack for the expected connection
 * @this: the expectation that matched it
 *
 * Two cases, keyed on whether the expectation carried a concrete source:
 *  - source set (the gatekeeper case, per the comment below): defer to
 *    nf_nat_follow_master(); the early return is not shown in this listing.
 *  - wildcard source: build the SRC and DST mappings by hand.
 */
395 static void ip_nat_q931_expect(struct nf_conn *new,
396 struct nf_conntrack_expect *this)
/* Not zero-initialised: only the members selected by range.flags are set
 * before each nf_nat_setup_info() call. A `= {}` initialiser would be the
 * defensive choice if nf_nat_setup_info() ever reads more than the flags
 * select — confirm. */
398 struct nf_nat_range range;
400 if (this->tuple.src.u3.ip != 0) { /* Only accept calls from GK */
401 nf_nat_follow_master(new, this);
405 /* This must be a fresh one. */
/* Assert no NAT binding exists yet; setting one up twice is a logic error. */
406 BUG_ON(new->status & IPS_NAT_DONE_MASK);
408 /* Change src to where master sends to */
409 range.flags = NF_NAT_RANGE_MAP_IPS;
/* min == max: a single fixed address, no range to choose from. */
410 range.min_addr = range.max_addr =
411 new->tuplehash[!this->dir].tuple.src.u3;
412 nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC);
414 /* For DST manip, map port here to where it's expected. */
/* PROTO_SPECIFIED: restore the pre-NAT port recorded in saved_proto by
 * nat_q931(); the address is the master connection's reply-side source. */
415 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
416 range.min_proto = range.max_proto = this->saved_proto;
417 range.min_addr = range.max_addr =
418 new->master->tuplehash[!this->dir].tuple.src.u3;
419 nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST);
422 /****************************************************************************/
/*
 * nat_q931 - set up NAT for the Q.931 call-signalling channel announced in
 * a RAS message.
 * @taddr/@idx: array of decoded addresses and the index to rewrite
 * @port:       announced TCP port (also the first candidate NATed port)
 * @exp:        expectation prepared by the conntrack helper
 *
 * Same shape as nat_h245() — reserve a TCP port, rewrite the payload,
 * cache the mapping in info->sig_port[] — but the expectation uses
 * ip_nat_q931_expect() instead of nf_nat_follow_master(), and the
 * Gnomemeeting loopback entry at taddr[0] is rewritten as well.
 * Declarations of @ret and the return statements are outside this listing.
 */
423 static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
424 enum ip_conntrack_info ctinfo,
425 unsigned int protoff, unsigned char **data,
426 TransportAddress *taddr, int idx,
427 __be16 port, struct nf_conntrack_expect *exp)
429 struct nf_ct_h323_master *info = nfct_help_data(ct);
430 int dir = CTINFO2DIR(ctinfo);
431 u_int16_t nated_port = ntohs(port);
432 union nf_inet_addr addr;
434 /* Set expectations for NAT */
435 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
436 exp->expectfn = ip_nat_q931_expect;
439 /* Check existing expects */
/* Same port announced again: start from the port mapped last time. */
440 if (info->sig_port[dir] == port)
441 nated_port = ntohs(info->sig_port[!dir]);
443 /* Try to get same port: if not, try to change it. */
/* u16 loop; ends on wrap to 0, on success, or on a non -EBUSY error. */
444 for (; nated_port != 0; nated_port++) {
447 exp->tuple.dst.u.tcp.port = htons(nated_port);
448 ret = nf_ct_expect_related(exp);
451 else if (ret != -EBUSY) {
457 if (nated_port == 0) { /* No port available */
458 net_notice_ratelimited("nf_nat_ras: out of TCP ports\n");
/* dataoff is 0: RAS is UDP and set_addr() ignores dataoff on that path. */
463 if (set_h225_addr(skb, protoff, data, 0, &taddr[idx],
464 &ct->tuplehash[!dir].tuple.dst.u3,
465 htons(nated_port)) == 0) {
/* Cache the mapping before the Gnomemeeting fix-up, which reads
 * info->sig_port[!dir] and overwrites the local @port via get_h225_addr(). */
467 info->sig_port[dir] = port;
468 info->sig_port[!dir] = htons(nated_port);
470 /* Fix for Gnomemeeting */
/* The leading condition of this && chain is on a line not shown here.
 * A 127.0.0.0/8 address in entry 0 is rewritten to the same public
 * mapping. NOTE(review): unlike set_sig_addr(), this set_h225_addr()
 * result is ignored, so a failed rewrite of entry 0 is not reported. */
472 get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
473 (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
474 set_h225_addr(skb, protoff, data, 0, &taddr[0],
475 &ct->tuplehash[!dir].tuple.dst.u3,
476 info->sig_port[!dir]);
/* Rewrite of entry @idx failed: release the reservation. */
479 nf_ct_unexpect_related(exp);
484 pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
485 &exp->tuple.src.u3.ip,
486 ntohs(exp->tuple.src.u.tcp.port),
487 &exp->tuple.dst.u3.ip,
488 ntohs(exp->tuple.dst.u.tcp.port));
493 /****************************************************************************/
/*
 * ip_nat_callforwarding_expect - expectfn for forwarded calls (installed
 * by nat_callforwarding()).
 * @new:  the freshly created conntrack for the expected connection
 * @this: the expectation that matched it
 *
 * Differs from ip_nat_q931_expect() in the DST mapping: the destination
 * address is this->saved_addr (the forwarding target recorded by
 * nat_callforwarding()) rather than the master connection's source.
 */
494 static void ip_nat_callforwarding_expect(struct nf_conn *new,
495 struct nf_conntrack_expect *this)
/* Not zero-initialised: only the members selected by range.flags are set
 * before each nf_nat_setup_info() call — same caveat as ip_nat_q931_expect(). */
497 struct nf_nat_range range;
499 /* This must be a fresh one. */
500 BUG_ON(new->status & IPS_NAT_DONE_MASK);
502 /* Change src to where master sends to */
503 range.flags = NF_NAT_RANGE_MAP_IPS;
504 range.min_addr = range.max_addr =
505 new->tuplehash[!this->dir].tuple.src.u3;
506 nf_nat_setup_info(new, &range, NF_NAT_MANIP_SRC);
508 /* For DST manip, map port here to where it's expected. */
/* Restore the pre-NAT port (saved_proto) and the original forwarding
 * target (saved_addr) that nat_callforwarding() replaced in the tuple. */
509 range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
510 range.min_proto = range.max_proto = this->saved_proto;
511 range.min_addr = range.max_addr = this->saved_addr;
512 nf_nat_setup_info(new, &range, NF_NAT_MANIP_DST);
515 /****************************************************************************/
/*
 * nat_callforwarding - set up NAT for a call-forwarding target announced
 * in Q.931.
 * @taddr: decoded H.225 address to rewrite
 * @port:  announced TCP port (first candidate NATed port)
 * @exp:   expectation prepared by the conntrack helper
 *
 * The announced target address is stashed in exp->saved_addr and the
 * expectation's destination is pointed at this connection's public
 * address, so the forwarded call is first attracted to the NAT box and
 * then redirected by ip_nat_callforwarding_expect(). Declarations of @ret
 * and the return statements are not shown in this listing.
 */
516 static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
517 enum ip_conntrack_info ctinfo,
518 unsigned int protoff,
519 unsigned char **data, int dataoff,
520 TransportAddress *taddr, __be16 port,
521 struct nf_conntrack_expect *exp)
523 int dir = CTINFO2DIR(ctinfo);
524 u_int16_t nated_port;
526 /* Set expectations for NAT */
/* Keep the real target for the expectfn, then expect the connection on
 * the reply-direction dst address of this conntrack instead. */
527 exp->saved_addr = exp->tuple.dst.u3;
528 exp->tuple.dst.u3.ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
529 exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
530 exp->expectfn = ip_nat_callforwarding_expect;
533 /* Try to get same port: if not, try to change it. */
/* u16 loop; ends on wrap to 0, on success, or on a non -EBUSY error. */
534 for (nated_port = ntohs(port); nated_port != 0; nated_port++) {
537 exp->tuple.dst.u.tcp.port = htons(nated_port);
538 ret = nf_ct_expect_related(exp);
541 else if (ret != -EBUSY) {
547 if (nated_port == 0) { /* No port available */
548 net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
/* Readability: `!set_h225_addr(...) == 0` parses as `(!rc) == 0`, which is
 * true only when rc != 0, i.e. on failure. Behaviourally correct, but
 * `set_h225_addr(...) != 0` (or `< 0` as in nat_t120()) says it plainly. */
553 if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
554 &ct->tuplehash[!dir].tuple.dst.u3,
555 htons(nated_port)) == 0) {
/* Rewrite failed: release the reservation. */
556 nf_ct_unexpect_related(exp);
561 pr_debug("nf_nat_q931: expect Call Forwarding %pI4:%hu->%pI4:%hu\n",
562 &exp->tuple.src.u3.ip,
563 ntohs(exp->tuple.src.u.tcp.port),
564 &exp->tuple.dst.u3.ip,
565 ntohs(exp->tuple.dst.u.tcp.port));
/*
 * Named expectfn descriptors, registered in init() and unregistered in
 * fini(). They let the conntrack side look these NAT expectfns up by name
 * without a direct symbol dependency on this module. The .name line of
 * q931_nat is not shown in this listing.
 */
570 static struct nf_ct_helper_expectfn q931_nat = {
572 .expectfn = ip_nat_q931_expect,
575 static struct nf_ct_helper_expectfn callforwarding_nat = {
576 .name = "callforwarding",
577 .expectfn = ip_nat_callforwarding_expect,
580 /****************************************************************************/
/*
 * init - module entry: publish this module's functions through the hook
 * pointers exported by the H.323 conntrack helper.
 *
 * Each hook is asserted to be NULL first, so two NAT helpers cannot both
 * claim the H.323 conntrack module; RCU_INIT_POINTER is used because no
 * reader can observe the hooks before they are published. The return
 * statement is not shown in this listing.
 */
581 static int __init init(void)
583 BUG_ON(set_h245_addr_hook != NULL);
584 BUG_ON(set_h225_addr_hook != NULL);
585 BUG_ON(set_sig_addr_hook != NULL);
586 BUG_ON(set_ras_addr_hook != NULL);
587 BUG_ON(nat_rtp_rtcp_hook != NULL);
588 BUG_ON(nat_t120_hook != NULL);
589 BUG_ON(nat_h245_hook != NULL);
590 BUG_ON(nat_callforwarding_hook != NULL);
591 BUG_ON(nat_q931_hook != NULL);
/* Order matters for readers in nf_conntrack_h323: the per-address setters
 * are published before the higher-level nat_* hooks that depend on them. */
593 RCU_INIT_POINTER(set_h245_addr_hook, set_h245_addr);
594 RCU_INIT_POINTER(set_h225_addr_hook, set_h225_addr);
595 RCU_INIT_POINTER(set_sig_addr_hook, set_sig_addr);
596 RCU_INIT_POINTER(set_ras_addr_hook, set_ras_addr);
597 RCU_INIT_POINTER(nat_rtp_rtcp_hook, nat_rtp_rtcp);
598 RCU_INIT_POINTER(nat_t120_hook, nat_t120);
599 RCU_INIT_POINTER(nat_h245_hook, nat_h245);
600 RCU_INIT_POINTER(nat_callforwarding_hook, nat_callforwarding);
601 RCU_INIT_POINTER(nat_q931_hook, nat_q931);
/* Return values of these registrations are not checked here. */
602 nf_ct_helper_expectfn_register(&q931_nat);
603 nf_ct_helper_expectfn_register(&callforwarding_nat);
607 /****************************************************************************/
/*
 * fini - module exit: withdraw every hook and descriptor published by init().
 *
 * NOTE(review): the conntrack side dereferences these hooks under RCU, so
 * the module text must not be unloaded until a grace period has elapsed
 * after they are cleared (a synchronize_rcu() after the last
 * RCU_INIT_POINTER). That call is not visible in this listing — confirm
 * it is present, otherwise a concurrent packet can call into freed code.
 */
608 static void __exit fini(void)
610 RCU_INIT_POINTER(set_h245_addr_hook, NULL);
611 RCU_INIT_POINTER(set_h225_addr_hook, NULL);
612 RCU_INIT_POINTER(set_sig_addr_hook, NULL);
613 RCU_INIT_POINTER(set_ras_addr_hook, NULL);
614 RCU_INIT_POINTER(nat_rtp_rtcp_hook, NULL);
615 RCU_INIT_POINTER(nat_t120_hook, NULL);
616 RCU_INIT_POINTER(nat_h245_hook, NULL);
617 RCU_INIT_POINTER(nat_callforwarding_hook, NULL);
618 RCU_INIT_POINTER(nat_q931_hook, NULL);
/* Mirror of the registrations in init(). */
619 nf_ct_helper_expectfn_unregister(&q931_nat);
620 nf_ct_helper_expectfn_unregister(&callforwarding_nat);
624 /****************************************************************************/
/* Module metadata. The module_init()/module_exit() lines that bind init()
 * and fini() are not shown in this listing. MODULE_ALIAS keeps the
 * pre-rename "ip_nat_h323" name loadable. */
628 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
629 MODULE_DESCRIPTION("H.323 NAT helper");
630 MODULE_LICENSE("GPL");
631 MODULE_ALIAS("ip_nat_h323");