1 // SPDX-License-Identifier: GPL-2.0-only
3 * H.323 connection tracking helper
5 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * Copyright (c) 2006-2012 Patrick McHardy <kaber@trash.net>
8 * Based on the 'brute force' H.323 connection tracking module by
9 * Jozsef Kadlecsik <kadlec@netfilter.org>
11 * For more information, please see http://nath323.sourceforge.net/
14 #include <linux/module.h>
15 #include <linux/moduleparam.h>
16 #include <linux/ctype.h>
17 #include <linux/inet.h>
20 #include <linux/slab.h>
21 #include <linux/udp.h>
22 #include <linux/tcp.h>
23 #include <linux/skbuff.h>
24 #include <net/route.h>
25 #include <net/ip6_route.h>
26 #include <linux/netfilter_ipv6.h>
28 #include <net/netfilter/nf_conntrack.h>
29 #include <net/netfilter/nf_conntrack_core.h>
30 #include <net/netfilter/nf_conntrack_tuple.h>
31 #include <net/netfilter/nf_conntrack_expect.h>
32 #include <net/netfilter/nf_conntrack_ecache.h>
33 #include <net/netfilter/nf_conntrack_helper.h>
34 #include <net/netfilter/nf_conntrack_zones.h>
35 #include <linux/netfilter/nf_conntrack_h323.h>
38 static unsigned int default_rrq_ttl __read_mostly = 300;
39 module_param(default_rrq_ttl, uint, 0600);
40 MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
42 static int gkrouted_only __read_mostly = 1;
43 module_param(gkrouted_only, int, 0600);
44 MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
46 static bool callforward_filter __read_mostly = true;
47 module_param(callforward_filter, bool, 0600);
48 MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
49 "if both endpoints are on different sides "
50 "(determined by routing information)");
52 const struct nfct_h323_nat_hooks __rcu *nfct_h323_nat_hook __read_mostly;
53 EXPORT_SYMBOL_GPL(nfct_h323_nat_hook);
55 static DEFINE_SPINLOCK(nf_h323_lock);
56 static char *h323_buffer;
58 static struct nf_conntrack_helper nf_conntrack_helper_h245;
59 static struct nf_conntrack_helper nf_conntrack_helper_q931[];
60 static struct nf_conntrack_helper nf_conntrack_helper_ras[];
62 static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff,
63 struct nf_conn *ct, enum ip_conntrack_info ctinfo,
64 unsigned char **data, int *datalen, int *dataoff)
66 struct nf_ct_h323_master *info = nfct_help_data(ct);
67 int dir = CTINFO2DIR(ctinfo);
68 const struct tcphdr *th;
77 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
81 /* Get TCP data offset */
82 tcpdataoff = protoff + th->doff * 4;
84 /* Get TCP data length */
85 tcpdatalen = skb->len - tcpdataoff;
86 if (tcpdatalen <= 0) /* No TCP data */
89 if (*data == NULL) { /* first TPKT */
90 /* Get first TPKT pointer */
91 tpkt = skb_header_pointer(skb, tcpdataoff, tcpdatalen,
96 /* Validate TPKT identifier */
97 if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) {
98 /* Netmeeting sends TPKT header and data separately */
99 if (info->tpkt_len[dir] > 0) {
100 pr_debug("nf_ct_h323: previous packet "
101 "indicated separate TPKT data of %hu "
102 "bytes\n", info->tpkt_len[dir]);
103 if (info->tpkt_len[dir] <= tcpdatalen) {
104 /* Yes, there was a TPKT header
107 *datalen = info->tpkt_len[dir];
112 /* Fragmented TPKT */
113 pr_debug("nf_ct_h323: fragmented TPKT\n");
117 /* It is not even a TPKT */
121 } else { /* Next TPKT */
122 tpktoff = *dataoff + *datalen;
123 tcpdatalen -= tpktoff;
124 if (tcpdatalen <= 4) /* No more TPKT */
126 tpkt = *data + *datalen;
128 /* Validate TPKT identifier */
129 if (tpkt[0] != 0x03 || tpkt[1] != 0)
133 /* Validate TPKT length */
134 tpktlen = tpkt[2] * 256 + tpkt[3];
137 if (tpktlen > tcpdatalen) {
138 if (tcpdatalen == 4) { /* Separate TPKT header */
139 /* Netmeeting sends TPKT header and data separately */
140 pr_debug("nf_ct_h323: separate TPKT header indicates "
141 "there will be TPKT data of %d bytes\n",
143 info->tpkt_len[dir] = tpktlen - 4;
147 pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n");
151 /* This is the encapsulated data */
153 *datalen = tpktlen - 4;
154 *dataoff = tpktoff + 4;
157 /* Clear TPKT length */
158 info->tpkt_len[dir] = 0;
162 info->tpkt_len[dir] = 0;
166 static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
167 H245_TransportAddress *taddr,
168 union nf_inet_addr *addr, __be16 *port)
170 const unsigned char *p;
173 if (taddr->choice != eH245_TransportAddress_unicastAddress)
176 switch (taddr->unicastAddress.choice) {
177 case eUnicastAddress_iPAddress:
178 if (nf_ct_l3num(ct) != AF_INET)
180 p = data + taddr->unicastAddress.iPAddress.network;
183 case eUnicastAddress_iP6Address:
184 if (nf_ct_l3num(ct) != AF_INET6)
186 p = data + taddr->unicastAddress.iP6Address.network;
193 memcpy(addr, p, len);
194 memset((void *)addr + len, 0, sizeof(*addr) - len);
195 memcpy(port, p + len, sizeof(__be16));
200 static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
201 enum ip_conntrack_info ctinfo,
202 unsigned int protoff,
203 unsigned char **data, int dataoff,
204 H245_TransportAddress *taddr)
206 const struct nfct_h323_nat_hooks *nathook;
207 int dir = CTINFO2DIR(ctinfo);
210 __be16 rtp_port, rtcp_port;
211 union nf_inet_addr addr;
212 struct nf_conntrack_expect *rtp_exp;
213 struct nf_conntrack_expect *rtcp_exp;
215 /* Read RTP or RTCP address */
216 if (!get_h245_addr(ct, *data, taddr, &addr, &port) ||
217 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) ||
221 /* RTP port is even */
222 rtp_port = port & ~htons(1);
223 rtcp_port = port | htons(1);
225 /* Create expect for RTP */
226 if ((rtp_exp = nf_ct_expect_alloc(ct)) == NULL)
228 nf_ct_expect_init(rtp_exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
229 &ct->tuplehash[!dir].tuple.src.u3,
230 &ct->tuplehash[!dir].tuple.dst.u3,
231 IPPROTO_UDP, NULL, &rtp_port);
233 /* Create expect for RTCP */
234 if ((rtcp_exp = nf_ct_expect_alloc(ct)) == NULL) {
235 nf_ct_expect_put(rtp_exp);
238 nf_ct_expect_init(rtcp_exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
239 &ct->tuplehash[!dir].tuple.src.u3,
240 &ct->tuplehash[!dir].tuple.dst.u3,
241 IPPROTO_UDP, NULL, &rtcp_port);
243 nathook = rcu_dereference(nfct_h323_nat_hook);
244 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
245 &ct->tuplehash[!dir].tuple.dst.u3,
246 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
248 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
249 ct->status & IPS_NAT_MASK) {
251 ret = nathook->nat_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
252 taddr, port, rtp_port, rtp_exp, rtcp_exp);
253 } else { /* Conntrack only */
254 if (nf_ct_expect_related(rtp_exp, 0) == 0) {
255 if (nf_ct_expect_related(rtcp_exp, 0) == 0) {
256 pr_debug("nf_ct_h323: expect RTP ");
257 nf_ct_dump_tuple(&rtp_exp->tuple);
258 pr_debug("nf_ct_h323: expect RTCP ");
259 nf_ct_dump_tuple(&rtcp_exp->tuple);
261 nf_ct_unexpect_related(rtp_exp);
268 nf_ct_expect_put(rtp_exp);
269 nf_ct_expect_put(rtcp_exp);
274 static int expect_t120(struct sk_buff *skb,
276 enum ip_conntrack_info ctinfo,
277 unsigned int protoff,
278 unsigned char **data, int dataoff,
279 H245_TransportAddress *taddr)
281 const struct nfct_h323_nat_hooks *nathook;
282 int dir = CTINFO2DIR(ctinfo);
285 union nf_inet_addr addr;
286 struct nf_conntrack_expect *exp;
288 /* Read T.120 address */
289 if (!get_h245_addr(ct, *data, taddr, &addr, &port) ||
290 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) ||
294 /* Create expect for T.120 connections */
295 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
297 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
298 &ct->tuplehash[!dir].tuple.src.u3,
299 &ct->tuplehash[!dir].tuple.dst.u3,
300 IPPROTO_TCP, NULL, &port);
301 exp->flags = NF_CT_EXPECT_PERMANENT; /* Accept multiple channels */
303 nathook = rcu_dereference(nfct_h323_nat_hook);
304 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
305 &ct->tuplehash[!dir].tuple.dst.u3,
306 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
308 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
309 ct->status & IPS_NAT_MASK) {
311 ret = nathook->nat_t120(skb, ct, ctinfo, protoff, data,
312 dataoff, taddr, port, exp);
313 } else { /* Conntrack only */
314 if (nf_ct_expect_related(exp, 0) == 0) {
315 pr_debug("nf_ct_h323: expect T.120 ");
316 nf_ct_dump_tuple(&exp->tuple);
321 nf_ct_expect_put(exp);
326 static int process_h245_channel(struct sk_buff *skb,
328 enum ip_conntrack_info ctinfo,
329 unsigned int protoff,
330 unsigned char **data, int dataoff,
331 H2250LogicalChannelParameters *channel)
335 if (channel->options & eH2250LogicalChannelParameters_mediaChannel) {
337 ret = expect_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
338 &channel->mediaChannel);
344 options & eH2250LogicalChannelParameters_mediaControlChannel) {
346 ret = expect_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
347 &channel->mediaControlChannel);
355 static int process_olc(struct sk_buff *skb, struct nf_conn *ct,
356 enum ip_conntrack_info ctinfo,
357 unsigned int protoff,
358 unsigned char **data, int dataoff,
359 OpenLogicalChannel *olc)
363 pr_debug("nf_ct_h323: OpenLogicalChannel\n");
365 if (olc->forwardLogicalChannelParameters.multiplexParameters.choice ==
366 eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters)
368 ret = process_h245_channel(skb, ct, ctinfo,
369 protoff, data, dataoff,
371 forwardLogicalChannelParameters.
373 h2250LogicalChannelParameters);
379 eOpenLogicalChannel_reverseLogicalChannelParameters) &&
380 (olc->reverseLogicalChannelParameters.options &
381 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters)
382 && (olc->reverseLogicalChannelParameters.multiplexParameters.
384 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
387 process_h245_channel(skb, ct, ctinfo,
388 protoff, data, dataoff,
390 reverseLogicalChannelParameters.
392 h2250LogicalChannelParameters);
397 if ((olc->options & eOpenLogicalChannel_separateStack) &&
398 olc->forwardLogicalChannelParameters.dataType.choice ==
400 olc->forwardLogicalChannelParameters.dataType.data.application.
401 choice == eDataApplicationCapability_application_t120 &&
402 olc->forwardLogicalChannelParameters.dataType.data.application.
403 t120.choice == eDataProtocolCapability_separateLANStack &&
404 olc->separateStack.networkAddress.choice ==
405 eNetworkAccessParameters_networkAddress_localAreaAddress) {
406 ret = expect_t120(skb, ct, ctinfo, protoff, data, dataoff,
407 &olc->separateStack.networkAddress.
416 static int process_olca(struct sk_buff *skb, struct nf_conn *ct,
417 enum ip_conntrack_info ctinfo,
418 unsigned int protoff, unsigned char **data, int dataoff,
419 OpenLogicalChannelAck *olca)
421 H2250LogicalChannelAckParameters *ack;
424 pr_debug("nf_ct_h323: OpenLogicalChannelAck\n");
427 eOpenLogicalChannelAck_reverseLogicalChannelParameters) &&
428 (olca->reverseLogicalChannelParameters.options &
429 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters)
430 && (olca->reverseLogicalChannelParameters.multiplexParameters.
432 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
434 ret = process_h245_channel(skb, ct, ctinfo,
435 protoff, data, dataoff,
437 reverseLogicalChannelParameters.
439 h2250LogicalChannelParameters);
445 eOpenLogicalChannelAck_forwardMultiplexAckParameters) &&
446 (olca->forwardMultiplexAckParameters.choice ==
447 eOpenLogicalChannelAck_forwardMultiplexAckParameters_h2250LogicalChannelAckParameters))
449 ack = &olca->forwardMultiplexAckParameters.
450 h2250LogicalChannelAckParameters;
452 eH2250LogicalChannelAckParameters_mediaChannel) {
454 ret = expect_rtp_rtcp(skb, ct, ctinfo,
455 protoff, data, dataoff,
462 eH2250LogicalChannelAckParameters_mediaControlChannel) {
464 ret = expect_rtp_rtcp(skb, ct, ctinfo,
465 protoff, data, dataoff,
466 &ack->mediaControlChannel);
472 if ((olca->options & eOpenLogicalChannelAck_separateStack) &&
473 olca->separateStack.networkAddress.choice ==
474 eNetworkAccessParameters_networkAddress_localAreaAddress) {
475 ret = expect_t120(skb, ct, ctinfo, protoff, data, dataoff,
476 &olca->separateStack.networkAddress.
485 static int process_h245(struct sk_buff *skb, struct nf_conn *ct,
486 enum ip_conntrack_info ctinfo,
487 unsigned int protoff, unsigned char **data, int dataoff,
488 MultimediaSystemControlMessage *mscm)
490 switch (mscm->choice) {
491 case eMultimediaSystemControlMessage_request:
492 if (mscm->request.choice ==
493 eRequestMessage_openLogicalChannel) {
494 return process_olc(skb, ct, ctinfo,
495 protoff, data, dataoff,
496 &mscm->request.openLogicalChannel);
498 pr_debug("nf_ct_h323: H.245 Request %d\n",
499 mscm->request.choice);
501 case eMultimediaSystemControlMessage_response:
502 if (mscm->response.choice ==
503 eResponseMessage_openLogicalChannelAck) {
504 return process_olca(skb, ct, ctinfo,
505 protoff, data, dataoff,
507 openLogicalChannelAck);
509 pr_debug("nf_ct_h323: H.245 Response %d\n",
510 mscm->response.choice);
513 pr_debug("nf_ct_h323: H.245 signal %d\n", mscm->choice);
520 static int h245_help(struct sk_buff *skb, unsigned int protoff,
521 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
523 static MultimediaSystemControlMessage mscm;
524 unsigned char *data = NULL;
529 /* Until there's been traffic both ways, don't look in packets. */
530 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
533 pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
535 spin_lock_bh(&nf_h323_lock);
537 /* Process each TPKT */
538 while (get_tpkt_data(skb, protoff, ct, ctinfo,
539 &data, &datalen, &dataoff)) {
540 pr_debug("nf_ct_h245: TPKT len=%d ", datalen);
541 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
543 /* Decode H.245 signal */
544 ret = DecodeMultimediaSystemControlMessage(data, datalen,
547 pr_debug("nf_ct_h245: decoding error: %s\n",
548 ret == H323_ERROR_BOUND ?
549 "out of bound" : "out of range");
550 /* We don't drop when decoding error */
554 /* Process H.245 signal */
555 if (process_h245(skb, ct, ctinfo, protoff,
556 &data, dataoff, &mscm) < 0)
560 spin_unlock_bh(&nf_h323_lock);
564 spin_unlock_bh(&nf_h323_lock);
565 nf_ct_helper_log(skb, ct, "cannot process H.245 message");
569 static const struct nf_conntrack_expect_policy h245_exp_policy = {
570 .max_expected = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */,
574 static struct nf_conntrack_helper nf_conntrack_helper_h245 __read_mostly = {
577 .tuple.src.l3num = AF_UNSPEC,
578 .tuple.dst.protonum = IPPROTO_UDP,
580 .expect_policy = &h245_exp_policy,
583 int get_h225_addr(struct nf_conn *ct, unsigned char *data,
584 TransportAddress *taddr,
585 union nf_inet_addr *addr, __be16 *port)
587 const unsigned char *p;
590 switch (taddr->choice) {
591 case eTransportAddress_ipAddress:
592 if (nf_ct_l3num(ct) != AF_INET)
594 p = data + taddr->ipAddress.ip;
597 case eTransportAddress_ip6Address:
598 if (nf_ct_l3num(ct) != AF_INET6)
600 p = data + taddr->ip6Address.ip;
607 memcpy(addr, p, len);
608 memset((void *)addr + len, 0, sizeof(*addr) - len);
609 memcpy(port, p + len, sizeof(__be16));
613 EXPORT_SYMBOL_GPL(get_h225_addr);
615 static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
616 enum ip_conntrack_info ctinfo,
617 unsigned int protoff, unsigned char **data, int dataoff,
618 TransportAddress *taddr)
620 const struct nfct_h323_nat_hooks *nathook;
621 int dir = CTINFO2DIR(ctinfo);
624 union nf_inet_addr addr;
625 struct nf_conntrack_expect *exp;
627 /* Read h245Address */
628 if (!get_h225_addr(ct, *data, taddr, &addr, &port) ||
629 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) ||
633 /* Create expect for h245 connection */
634 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
636 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
637 &ct->tuplehash[!dir].tuple.src.u3,
638 &ct->tuplehash[!dir].tuple.dst.u3,
639 IPPROTO_TCP, NULL, &port);
640 exp->helper = &nf_conntrack_helper_h245;
642 nathook = rcu_dereference(nfct_h323_nat_hook);
643 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
644 &ct->tuplehash[!dir].tuple.dst.u3,
645 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
647 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
648 ct->status & IPS_NAT_MASK) {
650 ret = nathook->nat_h245(skb, ct, ctinfo, protoff, data,
651 dataoff, taddr, port, exp);
652 } else { /* Conntrack only */
653 if (nf_ct_expect_related(exp, 0) == 0) {
654 pr_debug("nf_ct_q931: expect H.245 ");
655 nf_ct_dump_tuple(&exp->tuple);
660 nf_ct_expect_put(exp);
665 /* If the calling party is on the same side of the forward-to party,
666 * we don't need to track the second call
668 static int callforward_do_filter(struct net *net,
669 const union nf_inet_addr *src,
670 const union nf_inet_addr *dst,
677 struct flowi4 fl1, fl2;
678 struct rtable *rt1, *rt2;
680 memset(&fl1, 0, sizeof(fl1));
683 memset(&fl2, 0, sizeof(fl2));
685 if (!nf_ip_route(net, (struct dst_entry **)&rt1,
686 flowi4_to_flowi(&fl1), false)) {
687 if (!nf_ip_route(net, (struct dst_entry **)&rt2,
688 flowi4_to_flowi(&fl2), false)) {
689 if (rt_nexthop(rt1, fl1.daddr) ==
690 rt_nexthop(rt2, fl2.daddr) &&
691 rt1->dst.dev == rt2->dst.dev)
693 dst_release(&rt2->dst);
695 dst_release(&rt1->dst);
699 #if IS_ENABLED(CONFIG_IPV6)
701 struct rt6_info *rt1, *rt2;
702 struct flowi6 fl1, fl2;
704 memset(&fl1, 0, sizeof(fl1));
705 fl1.daddr = src->in6;
707 memset(&fl2, 0, sizeof(fl2));
708 fl2.daddr = dst->in6;
709 if (!nf_ip6_route(net, (struct dst_entry **)&rt1,
710 flowi6_to_flowi(&fl1), false)) {
711 if (!nf_ip6_route(net, (struct dst_entry **)&rt2,
712 flowi6_to_flowi(&fl2), false)) {
713 if (ipv6_addr_equal(rt6_nexthop(rt1, &fl1.daddr),
714 rt6_nexthop(rt2, &fl2.daddr)) &&
715 rt1->dst.dev == rt2->dst.dev)
717 dst_release(&rt2->dst);
719 dst_release(&rt1->dst);
729 static int expect_callforwarding(struct sk_buff *skb,
731 enum ip_conntrack_info ctinfo,
732 unsigned int protoff,
733 unsigned char **data, int dataoff,
734 TransportAddress *taddr)
736 const struct nfct_h323_nat_hooks *nathook;
737 int dir = CTINFO2DIR(ctinfo);
740 union nf_inet_addr addr;
741 struct nf_conntrack_expect *exp;
742 struct net *net = nf_ct_net(ct);
744 /* Read alternativeAddress */
745 if (!get_h225_addr(ct, *data, taddr, &addr, &port) || port == 0)
748 /* If the calling party is on the same side of the forward-to party,
749 * we don't need to track the second call
751 if (callforward_filter &&
752 callforward_do_filter(net, &addr, &ct->tuplehash[!dir].tuple.src.u3,
754 pr_debug("nf_ct_q931: Call Forwarding not tracked\n");
758 /* Create expect for the second call leg */
759 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
761 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
762 &ct->tuplehash[!dir].tuple.src.u3, &addr,
763 IPPROTO_TCP, NULL, &port);
764 exp->helper = nf_conntrack_helper_q931;
766 nathook = rcu_dereference(nfct_h323_nat_hook);
767 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
768 &ct->tuplehash[!dir].tuple.dst.u3,
769 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
771 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
772 ct->status & IPS_NAT_MASK) {
774 ret = nathook->nat_callforwarding(skb, ct, ctinfo,
775 protoff, data, dataoff,
777 } else { /* Conntrack only */
778 if (nf_ct_expect_related(exp, 0) == 0) {
779 pr_debug("nf_ct_q931: expect Call Forwarding ");
780 nf_ct_dump_tuple(&exp->tuple);
785 nf_ct_expect_put(exp);
790 static int process_setup(struct sk_buff *skb, struct nf_conn *ct,
791 enum ip_conntrack_info ctinfo,
792 unsigned int protoff,
793 unsigned char **data, int dataoff,
796 const struct nfct_h323_nat_hooks *nathook;
797 int dir = CTINFO2DIR(ctinfo);
801 union nf_inet_addr addr;
803 pr_debug("nf_ct_q931: Setup\n");
805 if (setup->options & eSetup_UUIE_h245Address) {
806 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
807 &setup->h245Address);
812 nathook = rcu_dereference(nfct_h323_nat_hook);
813 if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
814 nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
815 ct->status & IPS_NAT_MASK &&
816 get_h225_addr(ct, *data, &setup->destCallSignalAddress,
818 memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) {
819 pr_debug("nf_ct_q931: set destCallSignalAddress %pI6:%hu->%pI6:%hu\n",
820 &addr, ntohs(port), &ct->tuplehash[!dir].tuple.src.u3,
821 ntohs(ct->tuplehash[!dir].tuple.src.u.tcp.port));
822 ret = nathook->set_h225_addr(skb, protoff, data, dataoff,
823 &setup->destCallSignalAddress,
824 &ct->tuplehash[!dir].tuple.src.u3,
825 ct->tuplehash[!dir].tuple.src.u.tcp.port);
830 if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
831 nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
832 ct->status & IPS_NAT_MASK &&
833 get_h225_addr(ct, *data, &setup->sourceCallSignalAddress,
835 memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) {
836 pr_debug("nf_ct_q931: set sourceCallSignalAddress %pI6:%hu->%pI6:%hu\n",
837 &addr, ntohs(port), &ct->tuplehash[!dir].tuple.dst.u3,
838 ntohs(ct->tuplehash[!dir].tuple.dst.u.tcp.port));
839 ret = nathook->set_h225_addr(skb, protoff, data, dataoff,
840 &setup->sourceCallSignalAddress,
841 &ct->tuplehash[!dir].tuple.dst.u3,
842 ct->tuplehash[!dir].tuple.dst.u.tcp.port);
847 if (setup->options & eSetup_UUIE_fastStart) {
848 for (i = 0; i < setup->fastStart.count; i++) {
849 ret = process_olc(skb, ct, ctinfo,
850 protoff, data, dataoff,
851 &setup->fastStart.item[i]);
860 static int process_callproceeding(struct sk_buff *skb,
862 enum ip_conntrack_info ctinfo,
863 unsigned int protoff,
864 unsigned char **data, int dataoff,
865 CallProceeding_UUIE *callproc)
870 pr_debug("nf_ct_q931: CallProceeding\n");
872 if (callproc->options & eCallProceeding_UUIE_h245Address) {
873 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
874 &callproc->h245Address);
879 if (callproc->options & eCallProceeding_UUIE_fastStart) {
880 for (i = 0; i < callproc->fastStart.count; i++) {
881 ret = process_olc(skb, ct, ctinfo,
882 protoff, data, dataoff,
883 &callproc->fastStart.item[i]);
892 static int process_connect(struct sk_buff *skb, struct nf_conn *ct,
893 enum ip_conntrack_info ctinfo,
894 unsigned int protoff,
895 unsigned char **data, int dataoff,
896 Connect_UUIE *connect)
901 pr_debug("nf_ct_q931: Connect\n");
903 if (connect->options & eConnect_UUIE_h245Address) {
904 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
905 &connect->h245Address);
910 if (connect->options & eConnect_UUIE_fastStart) {
911 for (i = 0; i < connect->fastStart.count; i++) {
912 ret = process_olc(skb, ct, ctinfo,
913 protoff, data, dataoff,
914 &connect->fastStart.item[i]);
923 static int process_alerting(struct sk_buff *skb, struct nf_conn *ct,
924 enum ip_conntrack_info ctinfo,
925 unsigned int protoff,
926 unsigned char **data, int dataoff,
927 Alerting_UUIE *alert)
932 pr_debug("nf_ct_q931: Alerting\n");
934 if (alert->options & eAlerting_UUIE_h245Address) {
935 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
936 &alert->h245Address);
941 if (alert->options & eAlerting_UUIE_fastStart) {
942 for (i = 0; i < alert->fastStart.count; i++) {
943 ret = process_olc(skb, ct, ctinfo,
944 protoff, data, dataoff,
945 &alert->fastStart.item[i]);
954 static int process_facility(struct sk_buff *skb, struct nf_conn *ct,
955 enum ip_conntrack_info ctinfo,
956 unsigned int protoff,
957 unsigned char **data, int dataoff,
958 Facility_UUIE *facility)
963 pr_debug("nf_ct_q931: Facility\n");
965 if (facility->reason.choice == eFacilityReason_callForwarded) {
966 if (facility->options & eFacility_UUIE_alternativeAddress)
967 return expect_callforwarding(skb, ct, ctinfo,
968 protoff, data, dataoff,
974 if (facility->options & eFacility_UUIE_h245Address) {
975 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
976 &facility->h245Address);
981 if (facility->options & eFacility_UUIE_fastStart) {
982 for (i = 0; i < facility->fastStart.count; i++) {
983 ret = process_olc(skb, ct, ctinfo,
984 protoff, data, dataoff,
985 &facility->fastStart.item[i]);
994 static int process_progress(struct sk_buff *skb, struct nf_conn *ct,
995 enum ip_conntrack_info ctinfo,
996 unsigned int protoff,
997 unsigned char **data, int dataoff,
998 Progress_UUIE *progress)
1003 pr_debug("nf_ct_q931: Progress\n");
1005 if (progress->options & eProgress_UUIE_h245Address) {
1006 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
1007 &progress->h245Address);
1012 if (progress->options & eProgress_UUIE_fastStart) {
1013 for (i = 0; i < progress->fastStart.count; i++) {
1014 ret = process_olc(skb, ct, ctinfo,
1015 protoff, data, dataoff,
1016 &progress->fastStart.item[i]);
1025 static int process_q931(struct sk_buff *skb, struct nf_conn *ct,
1026 enum ip_conntrack_info ctinfo,
1027 unsigned int protoff, unsigned char **data, int dataoff,
1030 H323_UU_PDU *pdu = &q931->UUIE.h323_uu_pdu;
1034 switch (pdu->h323_message_body.choice) {
1035 case eH323_UU_PDU_h323_message_body_setup:
1036 ret = process_setup(skb, ct, ctinfo, protoff, data, dataoff,
1037 &pdu->h323_message_body.setup);
1039 case eH323_UU_PDU_h323_message_body_callProceeding:
1040 ret = process_callproceeding(skb, ct, ctinfo,
1041 protoff, data, dataoff,
1042 &pdu->h323_message_body.
1045 case eH323_UU_PDU_h323_message_body_connect:
1046 ret = process_connect(skb, ct, ctinfo, protoff, data, dataoff,
1047 &pdu->h323_message_body.connect);
1049 case eH323_UU_PDU_h323_message_body_alerting:
1050 ret = process_alerting(skb, ct, ctinfo, protoff, data, dataoff,
1051 &pdu->h323_message_body.alerting);
1053 case eH323_UU_PDU_h323_message_body_facility:
1054 ret = process_facility(skb, ct, ctinfo, protoff, data, dataoff,
1055 &pdu->h323_message_body.facility);
1057 case eH323_UU_PDU_h323_message_body_progress:
1058 ret = process_progress(skb, ct, ctinfo, protoff, data, dataoff,
1059 &pdu->h323_message_body.progress);
1062 pr_debug("nf_ct_q931: Q.931 signal %d\n",
1063 pdu->h323_message_body.choice);
1070 if (pdu->options & eH323_UU_PDU_h245Control) {
1071 for (i = 0; i < pdu->h245Control.count; i++) {
1072 ret = process_h245(skb, ct, ctinfo,
1073 protoff, data, dataoff,
1074 &pdu->h245Control.item[i]);
1083 static int q931_help(struct sk_buff *skb, unsigned int protoff,
1084 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1087 unsigned char *data = NULL;
1092 /* Until there's been traffic both ways, don't look in packets. */
1093 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
1096 pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
1098 spin_lock_bh(&nf_h323_lock);
1100 /* Process each TPKT */
1101 while (get_tpkt_data(skb, protoff, ct, ctinfo,
1102 &data, &datalen, &dataoff)) {
1103 pr_debug("nf_ct_q931: TPKT len=%d ", datalen);
1104 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
1106 /* Decode Q.931 signal */
1107 ret = DecodeQ931(data, datalen, &q931);
1109 pr_debug("nf_ct_q931: decoding error: %s\n",
1110 ret == H323_ERROR_BOUND ?
1111 "out of bound" : "out of range");
1112 /* We don't drop when decoding error */
1116 /* Process Q.931 signal */
1117 if (process_q931(skb, ct, ctinfo, protoff,
1118 &data, dataoff, &q931) < 0)
1122 spin_unlock_bh(&nf_h323_lock);
1126 spin_unlock_bh(&nf_h323_lock);
1127 nf_ct_helper_log(skb, ct, "cannot process Q.931 message");
1131 static const struct nf_conntrack_expect_policy q931_exp_policy = {
1132 /* T.120 and H.245 */
1133 .max_expected = H323_RTP_CHANNEL_MAX * 4 + 4,
1137 static struct nf_conntrack_helper nf_conntrack_helper_q931[] __read_mostly = {
1141 .tuple.src.l3num = AF_INET,
1142 .tuple.src.u.tcp.port = cpu_to_be16(Q931_PORT),
1143 .tuple.dst.protonum = IPPROTO_TCP,
1145 .expect_policy = &q931_exp_policy,
1150 .tuple.src.l3num = AF_INET6,
1151 .tuple.src.u.tcp.port = cpu_to_be16(Q931_PORT),
1152 .tuple.dst.protonum = IPPROTO_TCP,
1154 .expect_policy = &q931_exp_policy,
1158 static unsigned char *get_udp_data(struct sk_buff *skb, unsigned int protoff,
1161 const struct udphdr *uh;
1165 uh = skb_header_pointer(skb, protoff, sizeof(_uh), &_uh);
1168 dataoff = protoff + sizeof(_uh);
1169 if (dataoff >= skb->len)
1171 *datalen = skb->len - dataoff;
1172 return skb_header_pointer(skb, dataoff, *datalen, h323_buffer);
1175 static struct nf_conntrack_expect *find_expect(struct nf_conn *ct,
1176 union nf_inet_addr *addr,
1179 struct net *net = nf_ct_net(ct);
1180 struct nf_conntrack_expect *exp;
1181 struct nf_conntrack_tuple tuple;
1183 memset(&tuple.src.u3, 0, sizeof(tuple.src.u3));
1184 tuple.src.u.tcp.port = 0;
1185 memcpy(&tuple.dst.u3, addr, sizeof(tuple.dst.u3));
1186 tuple.dst.u.tcp.port = port;
1187 tuple.dst.protonum = IPPROTO_TCP;
1189 exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);
1190 if (exp && exp->master == ct)
1195 static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
1196 enum ip_conntrack_info ctinfo,
1197 unsigned int protoff, unsigned char **data,
1198 TransportAddress *taddr, int count)
1200 struct nf_ct_h323_master *info = nfct_help_data(ct);
1201 const struct nfct_h323_nat_hooks *nathook;
1202 int dir = CTINFO2DIR(ctinfo);
1206 union nf_inet_addr addr;
1207 struct nf_conntrack_expect *exp;
1209 /* Look for the first related address */
1210 for (i = 0; i < count; i++) {
1211 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
1212 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3,
1213 sizeof(addr)) == 0 && port != 0)
1217 if (i >= count) /* Not found */
1220 /* Create expect for Q.931 */
1221 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1223 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1224 gkrouted_only ? /* only accept calls from GK? */
1225 &ct->tuplehash[!dir].tuple.src.u3 : NULL,
1226 &ct->tuplehash[!dir].tuple.dst.u3,
1227 IPPROTO_TCP, NULL, &port);
1228 exp->helper = nf_conntrack_helper_q931;
1229 exp->flags = NF_CT_EXPECT_PERMANENT; /* Accept multiple calls */
1231 nathook = rcu_dereference(nfct_h323_nat_hook);
1232 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1233 ct->status & IPS_NAT_MASK) { /* Need NAT */
1234 ret = nathook->nat_q931(skb, ct, ctinfo, protoff, data,
1235 taddr, i, port, exp);
1236 } else { /* Conntrack only */
1237 if (nf_ct_expect_related(exp, 0) == 0) {
1238 pr_debug("nf_ct_ras: expect Q.931 ");
1239 nf_ct_dump_tuple(&exp->tuple);
1241 /* Save port for looking up expect in processing RCF */
1242 info->sig_port[dir] = port;
1247 nf_ct_expect_put(exp);
1252 static int process_grq(struct sk_buff *skb, struct nf_conn *ct,
1253 enum ip_conntrack_info ctinfo,
1254 unsigned int protoff,
1255 unsigned char **data, GatekeeperRequest *grq)
1257 const struct nfct_h323_nat_hooks *nathook;
1259 pr_debug("nf_ct_ras: GRQ\n");
1261 nathook = rcu_dereference(nfct_h323_nat_hook);
1262 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1263 ct->status & IPS_NAT_MASK) /* NATed */
1264 return nathook->set_ras_addr(skb, ct, ctinfo, protoff, data,
1265 &grq->rasAddress, 1);
1269 static int process_gcf(struct sk_buff *skb, struct nf_conn *ct,
1270 enum ip_conntrack_info ctinfo,
1271 unsigned int protoff,
1272 unsigned char **data, GatekeeperConfirm *gcf)
1274 int dir = CTINFO2DIR(ctinfo);
1277 union nf_inet_addr addr;
1278 struct nf_conntrack_expect *exp;
1280 pr_debug("nf_ct_ras: GCF\n");
1282 if (!get_h225_addr(ct, *data, &gcf->rasAddress, &addr, &port))
1285 /* Registration port is the same as discovery port */
1286 if (!memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1287 port == ct->tuplehash[dir].tuple.src.u.udp.port)
1290 /* Avoid RAS expectation loops. A GCF is never expected. */
1291 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1294 /* Need new expect */
1295 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1297 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1298 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1299 IPPROTO_UDP, NULL, &port);
1300 exp->helper = nf_conntrack_helper_ras;
1302 if (nf_ct_expect_related(exp, 0) == 0) {
1303 pr_debug("nf_ct_ras: expect RAS ");
1304 nf_ct_dump_tuple(&exp->tuple);
1308 nf_ct_expect_put(exp);
1313 static int process_rrq(struct sk_buff *skb, struct nf_conn *ct,
1314 enum ip_conntrack_info ctinfo,
1315 unsigned int protoff,
1316 unsigned char **data, RegistrationRequest *rrq)
1318 struct nf_ct_h323_master *info = nfct_help_data(ct);
1319 const struct nfct_h323_nat_hooks *nathook;
1322 pr_debug("nf_ct_ras: RRQ\n");
1324 ret = expect_q931(skb, ct, ctinfo, protoff, data,
1325 rrq->callSignalAddress.item,
1326 rrq->callSignalAddress.count);
1330 nathook = rcu_dereference(nfct_h323_nat_hook);
1331 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1332 ct->status & IPS_NAT_MASK) {
1333 ret = nathook->set_ras_addr(skb, ct, ctinfo, protoff, data,
1334 rrq->rasAddress.item,
1335 rrq->rasAddress.count);
1340 if (rrq->options & eRegistrationRequest_timeToLive) {
1341 pr_debug("nf_ct_ras: RRQ TTL = %u seconds\n", rrq->timeToLive);
1342 info->timeout = rrq->timeToLive;
1344 info->timeout = default_rrq_ttl;
1349 static int process_rcf(struct sk_buff *skb, struct nf_conn *ct,
1350 enum ip_conntrack_info ctinfo,
1351 unsigned int protoff,
1352 unsigned char **data, RegistrationConfirm *rcf)
1354 struct nf_ct_h323_master *info = nfct_help_data(ct);
1355 const struct nfct_h323_nat_hooks *nathook;
1356 int dir = CTINFO2DIR(ctinfo);
1358 struct nf_conntrack_expect *exp;
1360 pr_debug("nf_ct_ras: RCF\n");
1362 nathook = rcu_dereference(nfct_h323_nat_hook);
1363 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1364 ct->status & IPS_NAT_MASK) {
1365 ret = nathook->set_sig_addr(skb, ct, ctinfo, protoff, data,
1366 rcf->callSignalAddress.item,
1367 rcf->callSignalAddress.count);
1372 if (rcf->options & eRegistrationConfirm_timeToLive) {
1373 pr_debug("nf_ct_ras: RCF TTL = %u seconds\n", rcf->timeToLive);
1374 info->timeout = rcf->timeToLive;
1377 if (info->timeout > 0) {
1378 pr_debug("nf_ct_ras: set RAS connection timeout to "
1379 "%u seconds\n", info->timeout);
1380 nf_ct_refresh(ct, skb, info->timeout * HZ);
1382 /* Set expect timeout */
1383 spin_lock_bh(&nf_conntrack_expect_lock);
1384 exp = find_expect(ct, &ct->tuplehash[dir].tuple.dst.u3,
1385 info->sig_port[!dir]);
1387 pr_debug("nf_ct_ras: set Q.931 expect "
1388 "timeout to %u seconds for",
1390 nf_ct_dump_tuple(&exp->tuple);
1391 mod_timer_pending(&exp->timeout,
1392 jiffies + info->timeout * HZ);
1394 spin_unlock_bh(&nf_conntrack_expect_lock);
1400 static int process_urq(struct sk_buff *skb, struct nf_conn *ct,
1401 enum ip_conntrack_info ctinfo,
1402 unsigned int protoff,
1403 unsigned char **data, UnregistrationRequest *urq)
1405 struct nf_ct_h323_master *info = nfct_help_data(ct);
1406 const struct nfct_h323_nat_hooks *nathook;
1407 int dir = CTINFO2DIR(ctinfo);
1410 pr_debug("nf_ct_ras: URQ\n");
1412 nathook = rcu_dereference(nfct_h323_nat_hook);
1413 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1414 ct->status & IPS_NAT_MASK) {
1415 ret = nathook->set_sig_addr(skb, ct, ctinfo, protoff, data,
1416 urq->callSignalAddress.item,
1417 urq->callSignalAddress.count);
1422 /* Clear old expect */
1423 nf_ct_remove_expectations(ct);
1424 info->sig_port[dir] = 0;
1425 info->sig_port[!dir] = 0;
1427 /* Give it 30 seconds for UCF or URJ */
1428 nf_ct_refresh(ct, skb, 30 * HZ);
1433 static int process_arq(struct sk_buff *skb, struct nf_conn *ct,
1434 enum ip_conntrack_info ctinfo,
1435 unsigned int protoff,
1436 unsigned char **data, AdmissionRequest *arq)
1438 const struct nf_ct_h323_master *info = nfct_help_data(ct);
1439 const struct nfct_h323_nat_hooks *nathook;
1440 int dir = CTINFO2DIR(ctinfo);
1442 union nf_inet_addr addr;
1444 pr_debug("nf_ct_ras: ARQ\n");
1446 nathook = rcu_dereference(nfct_h323_nat_hook);
1450 if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
1451 get_h225_addr(ct, *data, &arq->destCallSignalAddress,
1453 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1454 port == info->sig_port[dir] &&
1455 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1456 ct->status & IPS_NAT_MASK) {
1458 return nathook->set_h225_addr(skb, protoff, data, 0,
1459 &arq->destCallSignalAddress,
1460 &ct->tuplehash[!dir].tuple.dst.u3,
1461 info->sig_port[!dir]);
1464 if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
1465 get_h225_addr(ct, *data, &arq->srcCallSignalAddress,
1467 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1468 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1469 ct->status & IPS_NAT_MASK) {
1471 return nathook->set_h225_addr(skb, protoff, data, 0,
1472 &arq->srcCallSignalAddress,
1473 &ct->tuplehash[!dir].tuple.dst.u3,
1480 static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
1481 enum ip_conntrack_info ctinfo,
1482 unsigned int protoff,
1483 unsigned char **data, AdmissionConfirm *acf)
1485 int dir = CTINFO2DIR(ctinfo);
1488 union nf_inet_addr addr;
1489 struct nf_conntrack_expect *exp;
1491 pr_debug("nf_ct_ras: ACF\n");
1493 if (!get_h225_addr(ct, *data, &acf->destCallSignalAddress,
1497 if (!memcmp(&addr, &ct->tuplehash[dir].tuple.dst.u3, sizeof(addr))) {
1498 const struct nfct_h323_nat_hooks *nathook;
1501 nathook = rcu_dereference(nfct_h323_nat_hook);
1502 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1503 ct->status & IPS_NAT_MASK)
1504 return nathook->set_sig_addr(skb, ct, ctinfo, protoff,
1506 &acf->destCallSignalAddress, 1);
1510 /* Need new expect */
1511 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1513 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1514 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1515 IPPROTO_TCP, NULL, &port);
1516 exp->flags = NF_CT_EXPECT_PERMANENT;
1517 exp->helper = nf_conntrack_helper_q931;
1519 if (nf_ct_expect_related(exp, 0) == 0) {
1520 pr_debug("nf_ct_ras: expect Q.931 ");
1521 nf_ct_dump_tuple(&exp->tuple);
1525 nf_ct_expect_put(exp);
1530 static int process_lrq(struct sk_buff *skb, struct nf_conn *ct,
1531 enum ip_conntrack_info ctinfo,
1532 unsigned int protoff,
1533 unsigned char **data, LocationRequest *lrq)
1535 const struct nfct_h323_nat_hooks *nathook;
1537 pr_debug("nf_ct_ras: LRQ\n");
1539 nathook = rcu_dereference(nfct_h323_nat_hook);
1540 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1541 ct->status & IPS_NAT_MASK)
1542 return nathook->set_ras_addr(skb, ct, ctinfo, protoff, data,
1543 &lrq->replyAddress, 1);
1547 static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
1548 enum ip_conntrack_info ctinfo,
1549 unsigned int protoff,
1550 unsigned char **data, LocationConfirm *lcf)
1552 int dir = CTINFO2DIR(ctinfo);
1555 union nf_inet_addr addr;
1556 struct nf_conntrack_expect *exp;
1558 pr_debug("nf_ct_ras: LCF\n");
1560 if (!get_h225_addr(ct, *data, &lcf->callSignalAddress,
1564 /* Need new expect for call signal */
1565 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1567 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1568 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1569 IPPROTO_TCP, NULL, &port);
1570 exp->flags = NF_CT_EXPECT_PERMANENT;
1571 exp->helper = nf_conntrack_helper_q931;
1573 if (nf_ct_expect_related(exp, 0) == 0) {
1574 pr_debug("nf_ct_ras: expect Q.931 ");
1575 nf_ct_dump_tuple(&exp->tuple);
1579 nf_ct_expect_put(exp);
1581 /* Ignore rasAddress */
1586 static int process_irr(struct sk_buff *skb, struct nf_conn *ct,
1587 enum ip_conntrack_info ctinfo,
1588 unsigned int protoff,
1589 unsigned char **data, InfoRequestResponse *irr)
1591 const struct nfct_h323_nat_hooks *nathook;
1594 pr_debug("nf_ct_ras: IRR\n");
1596 nathook = rcu_dereference(nfct_h323_nat_hook);
1597 if (nathook && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1598 ct->status & IPS_NAT_MASK) {
1599 ret = nathook->set_ras_addr(skb, ct, ctinfo, protoff, data,
1600 &irr->rasAddress, 1);
1604 ret = nathook->set_sig_addr(skb, ct, ctinfo, protoff, data,
1605 irr->callSignalAddress.item,
1606 irr->callSignalAddress.count);
1614 static int process_ras(struct sk_buff *skb, struct nf_conn *ct,
1615 enum ip_conntrack_info ctinfo,
1616 unsigned int protoff,
1617 unsigned char **data, RasMessage *ras)
1619 switch (ras->choice) {
1620 case eRasMessage_gatekeeperRequest:
1621 return process_grq(skb, ct, ctinfo, protoff, data,
1622 &ras->gatekeeperRequest);
1623 case eRasMessage_gatekeeperConfirm:
1624 return process_gcf(skb, ct, ctinfo, protoff, data,
1625 &ras->gatekeeperConfirm);
1626 case eRasMessage_registrationRequest:
1627 return process_rrq(skb, ct, ctinfo, protoff, data,
1628 &ras->registrationRequest);
1629 case eRasMessage_registrationConfirm:
1630 return process_rcf(skb, ct, ctinfo, protoff, data,
1631 &ras->registrationConfirm);
1632 case eRasMessage_unregistrationRequest:
1633 return process_urq(skb, ct, ctinfo, protoff, data,
1634 &ras->unregistrationRequest);
1635 case eRasMessage_admissionRequest:
1636 return process_arq(skb, ct, ctinfo, protoff, data,
1637 &ras->admissionRequest);
1638 case eRasMessage_admissionConfirm:
1639 return process_acf(skb, ct, ctinfo, protoff, data,
1640 &ras->admissionConfirm);
1641 case eRasMessage_locationRequest:
1642 return process_lrq(skb, ct, ctinfo, protoff, data,
1643 &ras->locationRequest);
1644 case eRasMessage_locationConfirm:
1645 return process_lcf(skb, ct, ctinfo, protoff, data,
1646 &ras->locationConfirm);
1647 case eRasMessage_infoRequestResponse:
1648 return process_irr(skb, ct, ctinfo, protoff, data,
1649 &ras->infoRequestResponse);
1651 pr_debug("nf_ct_ras: RAS message %d\n", ras->choice);
1658 static int ras_help(struct sk_buff *skb, unsigned int protoff,
1659 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1661 static RasMessage ras;
1662 unsigned char *data;
1666 pr_debug("nf_ct_ras: skblen = %u\n", skb->len);
1668 spin_lock_bh(&nf_h323_lock);
1671 data = get_udp_data(skb, protoff, &datalen);
1674 pr_debug("nf_ct_ras: RAS message len=%d ", datalen);
1675 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
1677 /* Decode RAS message */
1678 ret = DecodeRasMessage(data, datalen, &ras);
1680 pr_debug("nf_ct_ras: decoding error: %s\n",
1681 ret == H323_ERROR_BOUND ?
1682 "out of bound" : "out of range");
1686 /* Process RAS message */
1687 if (process_ras(skb, ct, ctinfo, protoff, &data, &ras) < 0)
1691 spin_unlock_bh(&nf_h323_lock);
1695 spin_unlock_bh(&nf_h323_lock);
1696 nf_ct_helper_log(skb, ct, "cannot process RAS message");
1700 static const struct nf_conntrack_expect_policy ras_exp_policy = {
1705 static struct nf_conntrack_helper nf_conntrack_helper_ras[] __read_mostly = {
1709 .tuple.src.l3num = AF_INET,
1710 .tuple.src.u.udp.port = cpu_to_be16(RAS_PORT),
1711 .tuple.dst.protonum = IPPROTO_UDP,
1713 .expect_policy = &ras_exp_policy,
1718 .tuple.src.l3num = AF_INET6,
1719 .tuple.src.u.udp.port = cpu_to_be16(RAS_PORT),
1720 .tuple.dst.protonum = IPPROTO_UDP,
1722 .expect_policy = &ras_exp_policy,
1726 static int __init h323_helper_init(void)
1730 ret = nf_conntrack_helper_register(&nf_conntrack_helper_h245);
1733 ret = nf_conntrack_helpers_register(nf_conntrack_helper_q931,
1734 ARRAY_SIZE(nf_conntrack_helper_q931));
1737 ret = nf_conntrack_helpers_register(nf_conntrack_helper_ras,
1738 ARRAY_SIZE(nf_conntrack_helper_ras));
1744 nf_conntrack_helpers_unregister(nf_conntrack_helper_q931,
1745 ARRAY_SIZE(nf_conntrack_helper_q931));
1747 nf_conntrack_helper_unregister(&nf_conntrack_helper_h245);
1751 static void __exit h323_helper_exit(void)
1753 nf_conntrack_helpers_unregister(nf_conntrack_helper_ras,
1754 ARRAY_SIZE(nf_conntrack_helper_ras));
1755 nf_conntrack_helpers_unregister(nf_conntrack_helper_q931,
1756 ARRAY_SIZE(nf_conntrack_helper_q931));
1757 nf_conntrack_helper_unregister(&nf_conntrack_helper_h245);
1760 static void __exit nf_conntrack_h323_fini(void)
1764 pr_debug("nf_ct_h323: fini\n");
1767 static int __init nf_conntrack_h323_init(void)
1771 NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_h323_master));
1773 h323_buffer = kmalloc(65536, GFP_KERNEL);
1776 ret = h323_helper_init();
1779 pr_debug("nf_ct_h323: init success\n");
1786 module_init(nf_conntrack_h323_init);
1787 module_exit(nf_conntrack_h323_fini);
1789 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
1790 MODULE_DESCRIPTION("H.323 connection tracking helper");
1791 MODULE_LICENSE("GPL");
1792 MODULE_ALIAS("ip_conntrack_h323");
1793 MODULE_ALIAS_NFCT_HELPER("RAS");
1794 MODULE_ALIAS_NFCT_HELPER("Q.931");
1795 MODULE_ALIAS_NFCT_HELPER("H.245");
projects / linux-2.6-microblaze.git / blob