1 /* SIP extension for IP connection tracking.
3 * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
4 * based on RR's ip_conntrack_ftp.c and other modules.
5 * (C) 2007 United Security Providers
6 * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/module.h>
16 #include <linux/ctype.h>
17 #include <linux/skbuff.h>
18 #include <linux/inet.h>
20 #include <linux/udp.h>
21 #include <linux/tcp.h>
22 #include <linux/netfilter.h>
23 #include <linux/netfilter_ipv4.h>
24 #include <linux/netfilter_ipv6.h>
26 #include <net/netfilter/nf_conntrack.h>
27 #include <net/netfilter/nf_conntrack_core.h>
28 #include <net/netfilter/nf_conntrack_expect.h>
29 #include <net/netfilter/nf_conntrack_helper.h>
30 #include <net/netfilter/nf_conntrack_zones.h>
31 #include <linux/netfilter/nf_conntrack_sip.h>
33 #define HELPER_NAME "sip"
35 MODULE_LICENSE("GPL");
36 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
37 MODULE_DESCRIPTION("SIP connection tracking helper");
38 MODULE_ALIAS("ip_conntrack_sip");
39 MODULE_ALIAS_NFCT_HELPER(HELPER_NAME);
42 static unsigned short ports[MAX_PORTS];
43 static unsigned int ports_c;
44 module_param_array(ports, ushort, &ports_c, 0400);
45 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
47 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
48 module_param(sip_timeout, uint, 0600);
49 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
51 static int sip_direct_signalling __read_mostly = 1;
52 module_param(sip_direct_signalling, int, 0600);
53 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
56 static int sip_direct_media __read_mostly = 1;
57 module_param(sip_direct_media, int, 0600);
58 MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
59 "endpoints only (default 1)");
61 static int sip_external_media __read_mostly = 0;
62 module_param(sip_external_media, int, 0600);
63 MODULE_PARM_DESC(sip_external_media, "Expect Media streams between external "
64 "endpoints (default 0)");
66 const struct nf_nat_sip_hooks *nf_nat_sip_hooks;
67 EXPORT_SYMBOL_GPL(nf_nat_sip_hooks);
69 static int string_len(const struct nf_conn *ct, const char *dptr,
70 const char *limit, int *shift)
74 while (dptr < limit && isalpha(*dptr)) {
81 static int digits_len(const struct nf_conn *ct, const char *dptr,
82 const char *limit, int *shift)
85 while (dptr < limit && isdigit(*dptr)) {
92 static int iswordc(const char c)
94 if (isalnum(c) || c == '!' || c == '"' || c == '%' ||
95 (c >= '(' && c <= '+') || c == ':' || c == '<' || c == '>' ||
96 c == '?' || (c >= '[' && c <= ']') || c == '_' || c == '`' ||
97 c == '{' || c == '}' || c == '~' || (c >= '-' && c <= '/') ||
103 static int word_len(const char *dptr, const char *limit)
106 while (dptr < limit && iswordc(*dptr)) {
113 static int callid_len(const struct nf_conn *ct, const char *dptr,
114 const char *limit, int *shift)
118 len = word_len(dptr, limit);
120 if (!len || dptr == limit || *dptr != '@')
125 domain_len = word_len(dptr, limit);
128 return len + domain_len;
131 /* get media type + port length */
132 static int media_len(const struct nf_conn *ct, const char *dptr,
133 const char *limit, int *shift)
135 int len = string_len(ct, dptr, limit, shift);
138 if (dptr >= limit || *dptr != ' ')
143 return len + digits_len(ct, dptr, limit, shift);
146 static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
147 const char **endp, union nf_inet_addr *addr,
148 const char *limit, bool delim)
156 memset(addr, 0, sizeof(*addr));
157 switch (nf_ct_l3num(ct)) {
159 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
164 if (cp < limit && *cp == '[')
169 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
173 if (end < limit && *end == ']')
187 /* skip ip address. returns its length. */
188 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
189 const char *limit, int *shift)
191 union nf_inet_addr addr;
192 const char *aux = dptr;
194 if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
195 pr_debug("ip: %s parse failed.!\n", dptr);
202 dptr += digits_len(ct, dptr, limit, shift);
207 /* get address length, skiping user info. */
208 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
209 const char *limit, int *shift)
211 const char *start = dptr;
214 /* Search for @, but stop at the end of the line.
215 * We are inside a sip: URI, so we don't need to worry about
216 * continuation lines. */
217 while (dptr < limit &&
218 *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
223 if (dptr < limit && *dptr == '@') {
231 return epaddr_len(ct, dptr, limit, shift);
234 /* Parse a SIP request line of the form:
236 * Request-Line = Method SP Request-URI SP SIP-Version CRLF
238 * and return the offset and length of the address contained in the Request-URI.
240 int ct_sip_parse_request(const struct nf_conn *ct,
241 const char *dptr, unsigned int datalen,
242 unsigned int *matchoff, unsigned int *matchlen,
243 union nf_inet_addr *addr, __be16 *port)
245 const char *start = dptr, *limit = dptr + datalen, *end;
250 /* Skip method and following whitespace */
251 mlen = string_len(ct, dptr, limit, NULL);
259 for (; dptr < limit - strlen("sip:"); dptr++) {
260 if (*dptr == '\r' || *dptr == '\n')
262 if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
263 dptr += strlen("sip:");
267 if (!skp_epaddr_len(ct, dptr, limit, &shift))
271 if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
273 if (end < limit && *end == ':') {
275 p = simple_strtoul(end, (char **)&end, 10);
276 if (p < 1024 || p > 65535)
280 *port = htons(SIP_PORT);
284 *matchoff = dptr - start;
285 *matchlen = end - dptr;
288 EXPORT_SYMBOL_GPL(ct_sip_parse_request);
290 /* SIP header parsing: SIP headers are located at the beginning of a line, but
291 * may span several lines, in which case the continuation lines begin with a
292 * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
293 * CRLF, RFC 3261 allows only CRLF, we support both.
295 * Headers are followed by (optionally) whitespace, a colon, again (optionally)
296 * whitespace and the values. Whitespace in this context means any amount of
297 * tabs, spaces and continuation lines, which are treated as a single whitespace
300 * Some headers may appear multiple times. A comma separated list of values is
301 * equivalent to multiple headers.
303 static const struct sip_header ct_sip_hdrs[] = {
304 [SIP_HDR_CSEQ] = SIP_HDR("CSeq", NULL, NULL, digits_len),
305 [SIP_HDR_FROM] = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
306 [SIP_HDR_TO] = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
307 [SIP_HDR_CONTACT] = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
308 [SIP_HDR_VIA_UDP] = SIP_HDR("Via", "v", "UDP ", epaddr_len),
309 [SIP_HDR_VIA_TCP] = SIP_HDR("Via", "v", "TCP ", epaddr_len),
310 [SIP_HDR_EXPIRES] = SIP_HDR("Expires", NULL, NULL, digits_len),
311 [SIP_HDR_CONTENT_LENGTH] = SIP_HDR("Content-Length", "l", NULL, digits_len),
312 [SIP_HDR_CALL_ID] = SIP_HDR("Call-Id", "i", NULL, callid_len),
315 static const char *sip_follow_continuation(const char *dptr, const char *limit)
317 /* Walk past newline */
321 /* Skip '\n' in CR LF */
322 if (*(dptr - 1) == '\r' && *dptr == '\n') {
327 /* Continuation line? */
328 if (*dptr != ' ' && *dptr != '\t')
331 /* skip leading whitespace */
332 for (; dptr < limit; dptr++) {
333 if (*dptr != ' ' && *dptr != '\t')
339 static const char *sip_skip_whitespace(const char *dptr, const char *limit)
341 for (; dptr < limit; dptr++) {
342 if (*dptr == ' ' || *dptr == '\t')
344 if (*dptr != '\r' && *dptr != '\n')
346 dptr = sip_follow_continuation(dptr, limit);
352 /* Search within a SIP header value, dealing with continuation lines */
353 static const char *ct_sip_header_search(const char *dptr, const char *limit,
354 const char *needle, unsigned int len)
356 for (limit -= len; dptr < limit; dptr++) {
357 if (*dptr == '\r' || *dptr == '\n') {
358 dptr = sip_follow_continuation(dptr, limit);
364 if (strncasecmp(dptr, needle, len) == 0)
370 int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
371 unsigned int dataoff, unsigned int datalen,
372 enum sip_header_types type,
373 unsigned int *matchoff, unsigned int *matchlen)
375 const struct sip_header *hdr = &ct_sip_hdrs[type];
376 const char *start = dptr, *limit = dptr + datalen;
379 for (dptr += dataoff; dptr < limit; dptr++) {
380 /* Find beginning of line */
381 if (*dptr != '\r' && *dptr != '\n')
385 if (*(dptr - 1) == '\r' && *dptr == '\n') {
390 /* Skip continuation lines */
391 if (*dptr == ' ' || *dptr == '\t')
394 /* Find header. Compact headers must be followed by a
395 * non-alphabetic character to avoid mismatches. */
396 if (limit - dptr >= hdr->len &&
397 strncasecmp(dptr, hdr->name, hdr->len) == 0)
399 else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
400 strncasecmp(dptr, hdr->cname, hdr->clen) == 0 &&
401 !isalpha(*(dptr + hdr->clen)))
406 /* Find and skip colon */
407 dptr = sip_skip_whitespace(dptr, limit);
410 if (*dptr != ':' || ++dptr >= limit)
413 /* Skip whitespace after colon */
414 dptr = sip_skip_whitespace(dptr, limit);
418 *matchoff = dptr - start;
420 dptr = ct_sip_header_search(dptr, limit, hdr->search,
427 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
430 *matchoff = dptr - start + shift;
435 EXPORT_SYMBOL_GPL(ct_sip_get_header);
437 /* Get next header field in a list of comma separated values */
438 static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
439 unsigned int dataoff, unsigned int datalen,
440 enum sip_header_types type,
441 unsigned int *matchoff, unsigned int *matchlen)
443 const struct sip_header *hdr = &ct_sip_hdrs[type];
444 const char *start = dptr, *limit = dptr + datalen;
449 dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
453 dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
458 *matchoff = dptr - start;
459 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
466 /* Walk through headers until a parsable one is found or no header of the
467 * given type is left. */
468 static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
469 unsigned int dataoff, unsigned int datalen,
470 enum sip_header_types type, int *in_header,
471 unsigned int *matchoff, unsigned int *matchlen)
475 if (in_header && *in_header) {
477 ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
478 type, matchoff, matchlen);
483 dataoff += *matchoff;
489 ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
490 type, matchoff, matchlen);
495 dataoff += *matchoff;
503 /* Locate a SIP header, parse the URI and return the offset and length of
504 * the address as well as the address and port themselves. A stream of
505 * headers can be parsed by handing in a non-NULL datalen and in_header
508 int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
509 unsigned int *dataoff, unsigned int datalen,
510 enum sip_header_types type, int *in_header,
511 unsigned int *matchoff, unsigned int *matchlen,
512 union nf_inet_addr *addr, __be16 *port)
514 const char *c, *limit = dptr + datalen;
518 ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
519 type, in_header, matchoff, matchlen);
524 if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
528 p = simple_strtoul(c, (char **)&c, 10);
529 if (p < 1024 || p > 65535)
533 *port = htons(SIP_PORT);
539 EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
541 static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr,
542 unsigned int dataoff, unsigned int datalen,
544 unsigned int *matchoff, unsigned int *matchlen)
546 const char *limit = dptr + datalen;
550 limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
552 limit = dptr + datalen;
554 start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
557 start += strlen(name);
559 end = ct_sip_header_search(start, limit, ";", strlen(";"));
563 *matchoff = start - dptr;
564 *matchlen = end - start;
568 /* Parse address from header parameter and return address, offset and length */
569 int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
570 unsigned int dataoff, unsigned int datalen,
572 unsigned int *matchoff, unsigned int *matchlen,
573 union nf_inet_addr *addr, bool delim)
575 const char *limit = dptr + datalen;
576 const char *start, *end;
578 limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
580 limit = dptr + datalen;
582 start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
586 start += strlen(name);
587 if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
589 *matchoff = start - dptr;
590 *matchlen = end - start;
593 EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
595 /* Parse numerical header parameter and return value, offset and length */
596 int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
597 unsigned int dataoff, unsigned int datalen,
599 unsigned int *matchoff, unsigned int *matchlen,
602 const char *limit = dptr + datalen;
606 limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
608 limit = dptr + datalen;
610 start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
614 start += strlen(name);
615 *val = simple_strtoul(start, &end, 0);
618 if (matchoff && matchlen) {
619 *matchoff = start - dptr;
620 *matchlen = end - start;
624 EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
626 static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
627 unsigned int dataoff, unsigned int datalen,
630 unsigned int matchoff, matchlen;
632 if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=",
633 &matchoff, &matchlen)) {
634 if (!strncasecmp(dptr + matchoff, "TCP", strlen("TCP")))
635 *proto = IPPROTO_TCP;
636 else if (!strncasecmp(dptr + matchoff, "UDP", strlen("UDP")))
637 *proto = IPPROTO_UDP;
641 if (*proto != nf_ct_protonum(ct))
644 *proto = nf_ct_protonum(ct);
649 static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
650 const char **endp, union nf_inet_addr *addr,
656 memset(addr, 0, sizeof(*addr));
657 switch (nf_ct_l3num(ct)) {
659 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
662 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
675 /* skip ip address. returns its length. */
676 static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
677 const char *limit, int *shift)
679 union nf_inet_addr addr;
680 const char *aux = dptr;
682 if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
683 pr_debug("ip: %s parse failed.!\n", dptr);
690 /* SDP header parsing: a SDP session description contains an ordered set of
691 * headers, starting with a section containing general session parameters,
692 * optionally followed by multiple media descriptions.
694 * SDP headers always start at the beginning of a line. According to RFC 2327:
695 * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
696 * be tolerant and also accept records terminated with a single newline
697 * character". We handle both cases.
699 static const struct sip_header ct_sdp_hdrs_v4[] = {
700 [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
701 [SDP_HDR_OWNER] = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
702 [SDP_HDR_CONNECTION] = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
703 [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len),
706 static const struct sip_header ct_sdp_hdrs_v6[] = {
707 [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
708 [SDP_HDR_OWNER] = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
709 [SDP_HDR_CONNECTION] = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
710 [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len),
713 /* Linear string search within SDP header values */
714 static const char *ct_sdp_header_search(const char *dptr, const char *limit,
715 const char *needle, unsigned int len)
717 for (limit -= len; dptr < limit; dptr++) {
718 if (*dptr == '\r' || *dptr == '\n')
720 if (strncmp(dptr, needle, len) == 0)
726 /* Locate a SDP header (optionally a substring within the header value),
727 * optionally stopping at the first occurrence of the term header, parse
728 * it and return the offset and length of the data we're interested in.
730 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
731 unsigned int dataoff, unsigned int datalen,
732 enum sdp_header_types type,
733 enum sdp_header_types term,
734 unsigned int *matchoff, unsigned int *matchlen)
736 const struct sip_header *hdrs, *hdr, *thdr;
737 const char *start = dptr, *limit = dptr + datalen;
740 hdrs = nf_ct_l3num(ct) == NFPROTO_IPV4 ? ct_sdp_hdrs_v4 : ct_sdp_hdrs_v6;
744 for (dptr += dataoff; dptr < limit; dptr++) {
745 /* Find beginning of line */
746 if (*dptr != '\r' && *dptr != '\n')
750 if (*(dptr - 1) == '\r' && *dptr == '\n') {
755 if (term != SDP_HDR_UNSPEC &&
756 limit - dptr >= thdr->len &&
757 strncasecmp(dptr, thdr->name, thdr->len) == 0)
759 else if (limit - dptr >= hdr->len &&
760 strncasecmp(dptr, hdr->name, hdr->len) == 0)
765 *matchoff = dptr - start;
767 dptr = ct_sdp_header_search(dptr, limit, hdr->search,
774 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
777 *matchoff = dptr - start + shift;
782 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
784 static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
785 unsigned int dataoff, unsigned int datalen,
786 enum sdp_header_types type,
787 enum sdp_header_types term,
788 unsigned int *matchoff, unsigned int *matchlen,
789 union nf_inet_addr *addr)
793 ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
798 if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
799 dptr + *matchoff + *matchlen))
804 static int refresh_signalling_expectation(struct nf_conn *ct,
805 union nf_inet_addr *addr,
806 u8 proto, __be16 port,
807 unsigned int expires)
809 struct nf_conn_help *help = nfct_help(ct);
810 struct nf_conntrack_expect *exp;
811 struct hlist_node *next;
814 spin_lock_bh(&nf_conntrack_expect_lock);
815 hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
816 if (exp->class != SIP_EXPECT_SIGNALLING ||
817 !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
818 exp->tuple.dst.protonum != proto ||
819 exp->tuple.dst.u.udp.port != port)
821 if (mod_timer_pending(&exp->timeout, jiffies + expires * HZ)) {
822 exp->flags &= ~NF_CT_EXPECT_INACTIVE;
827 spin_unlock_bh(&nf_conntrack_expect_lock);
831 static void flush_expectations(struct nf_conn *ct, bool media)
833 struct nf_conn_help *help = nfct_help(ct);
834 struct nf_conntrack_expect *exp;
835 struct hlist_node *next;
837 spin_lock_bh(&nf_conntrack_expect_lock);
838 hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
839 if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
841 if (!nf_ct_remove_expect(exp))
846 spin_unlock_bh(&nf_conntrack_expect_lock);
849 static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
850 unsigned int dataoff,
851 const char **dptr, unsigned int *datalen,
852 union nf_inet_addr *daddr, __be16 port,
853 enum sip_expectation_classes class,
854 unsigned int mediaoff, unsigned int medialen)
856 struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
857 enum ip_conntrack_info ctinfo;
858 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
859 struct net *net = nf_ct_net(ct);
860 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
861 union nf_inet_addr *saddr;
862 struct nf_conntrack_tuple tuple;
863 int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
865 __be16 rtp_port, rtcp_port;
866 const struct nf_nat_sip_hooks *hooks;
869 if (sip_direct_media) {
870 if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
872 saddr = &ct->tuplehash[!dir].tuple.src.u3;
873 } else if (sip_external_media) {
874 struct net_device *dev = skb_dst(skb)->dev;
875 struct net *net = dev_net(dev);
877 struct dst_entry *dst = NULL;
879 memset(&fl, 0, sizeof(fl));
881 switch (nf_ct_l3num(ct)) {
883 fl.u.ip4.daddr = daddr->ip;
884 nf_ip_route(net, &dst, &fl, false);
888 fl.u.ip6.daddr = daddr->in6;
889 nf_ip6_route(net, &dst, &fl, false);
893 /* Don't predict any conntracks when media endpoint is reachable
894 * through the same interface as the signalling peer.
897 bool external_media = (dst->dev == dev);
905 /* We need to check whether the registration exists before attempting
906 * to register it since we can see the same media description multiple
907 * times on different connections in case multiple endpoints receive
910 * RTP optimization: if we find a matching media channel expectation
911 * and both the expectation and this connection are SNATed, we assume
912 * both sides can reach each other directly and use the final
913 * destination address from the expectation. We still need to keep
914 * the NATed expectations for media that might arrive from the
915 * outside, and additionally need to expect the direct RTP stream
916 * in case it passes through us even without NAT.
918 memset(&tuple, 0, sizeof(tuple));
920 tuple.src.u3 = *saddr;
921 tuple.src.l3num = nf_ct_l3num(ct);
922 tuple.dst.protonum = IPPROTO_UDP;
923 tuple.dst.u3 = *daddr;
924 tuple.dst.u.udp.port = port;
927 exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);
929 if (!exp || exp->master == ct ||
930 nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
933 #if IS_ENABLED(CONFIG_NF_NAT)
935 (!nf_inet_addr_cmp(&exp->saved_addr, &exp->tuple.dst.u3) ||
936 exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
937 ct->status & IPS_NAT_MASK) {
938 *daddr = exp->saved_addr;
939 tuple.dst.u3 = exp->saved_addr;
940 tuple.dst.u.udp.port = exp->saved_proto.udp.port;
945 } while (!skip_expect);
947 base_port = ntohs(tuple.dst.u.udp.port) & ~1;
948 rtp_port = htons(base_port);
949 rtcp_port = htons(base_port + 1);
952 hooks = rcu_dereference(nf_nat_sip_hooks);
954 !hooks->sdp_port(skb, protoff, dataoff, dptr, datalen,
955 mediaoff, medialen, ntohs(rtp_port)))
962 rtp_exp = nf_ct_expect_alloc(ct);
965 nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
966 IPPROTO_UDP, NULL, &rtp_port);
968 rtcp_exp = nf_ct_expect_alloc(ct);
969 if (rtcp_exp == NULL)
971 nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
972 IPPROTO_UDP, NULL, &rtcp_port);
974 hooks = rcu_dereference(nf_nat_sip_hooks);
975 if (hooks && ct->status & IPS_NAT_MASK && !direct_rtp)
976 ret = hooks->sdp_media(skb, protoff, dataoff, dptr,
977 datalen, rtp_exp, rtcp_exp,
978 mediaoff, medialen, daddr);
980 /* -EALREADY handling works around end-points that send
981 * SDP messages with identical port but different media type,
982 * we pretend expectation was set up.
984 int errp = nf_ct_expect_related(rtp_exp);
986 if (errp == 0 || errp == -EALREADY) {
987 int errcp = nf_ct_expect_related(rtcp_exp);
989 if (errcp == 0 || errcp == -EALREADY)
992 nf_ct_unexpect_related(rtp_exp);
995 nf_ct_expect_put(rtcp_exp);
997 nf_ct_expect_put(rtp_exp);
1002 static const struct sdp_media_type sdp_media_types[] = {
1003 SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
1004 SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
1005 SDP_MEDIA_TYPE("image ", SIP_EXPECT_IMAGE),
1008 static const struct sdp_media_type *sdp_media_type(const char *dptr,
1009 unsigned int matchoff,
1010 unsigned int matchlen)
1012 const struct sdp_media_type *t;
1015 for (i = 0; i < ARRAY_SIZE(sdp_media_types); i++) {
1016 t = &sdp_media_types[i];
1017 if (matchlen < t->len ||
1018 strncmp(dptr + matchoff, t->name, t->len))
1025 static int process_sdp(struct sk_buff *skb, unsigned int protoff,
1026 unsigned int dataoff,
1027 const char **dptr, unsigned int *datalen,
1030 enum ip_conntrack_info ctinfo;
1031 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1032 unsigned int matchoff, matchlen;
1033 unsigned int mediaoff, medialen;
1034 unsigned int sdpoff;
1035 unsigned int caddr_len, maddr_len;
1037 union nf_inet_addr caddr, maddr, rtp_addr;
1038 const struct nf_nat_sip_hooks *hooks;
1040 const struct sdp_media_type *t;
1041 int ret = NF_ACCEPT;
1043 hooks = rcu_dereference(nf_nat_sip_hooks);
1045 /* Find beginning of session description */
1046 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
1047 SDP_HDR_VERSION, SDP_HDR_UNSPEC,
1048 &matchoff, &matchlen) <= 0)
1052 /* The connection information is contained in the session description
1053 * and/or once per media description. The first media description marks
1054 * the end of the session description. */
1056 if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
1057 SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
1058 &matchoff, &matchlen, &caddr) > 0)
1059 caddr_len = matchlen;
1062 for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
1063 if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
1064 SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
1065 &mediaoff, &medialen) <= 0)
1068 /* Get media type and port number. A media port value of zero
1069 * indicates an inactive stream. */
1070 t = sdp_media_type(*dptr, mediaoff, medialen);
1072 mediaoff += medialen;
1078 port = simple_strtoul(*dptr + mediaoff, NULL, 10);
1081 if (port < 1024 || port > 65535) {
1082 nf_ct_helper_log(skb, ct, "wrong port %u", port);
1086 /* The media description overrides the session description. */
1088 if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
1089 SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
1090 &matchoff, &matchlen, &maddr) > 0) {
1091 maddr_len = matchlen;
1092 memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
1093 } else if (caddr_len)
1094 memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
1096 nf_ct_helper_log(skb, ct, "cannot parse SDP message");
1100 ret = set_expected_rtp_rtcp(skb, protoff, dataoff,
1102 &rtp_addr, htons(port), t->class,
1103 mediaoff, medialen);
1104 if (ret != NF_ACCEPT) {
1105 nf_ct_helper_log(skb, ct,
1106 "cannot add expectation for voice");
1110 /* Update media connection address if present */
1111 if (maddr_len && hooks && ct->status & IPS_NAT_MASK) {
1112 ret = hooks->sdp_addr(skb, protoff, dataoff,
1113 dptr, datalen, mediaoff,
1117 if (ret != NF_ACCEPT) {
1118 nf_ct_helper_log(skb, ct, "cannot mangle SDP");
1125 /* Update session connection and owner addresses */
1126 hooks = rcu_dereference(nf_nat_sip_hooks);
1127 if (hooks && ct->status & IPS_NAT_MASK)
1128 ret = hooks->sdp_session(skb, protoff, dataoff,
1129 dptr, datalen, sdpoff,
1134 static int process_invite_response(struct sk_buff *skb, unsigned int protoff,
1135 unsigned int dataoff,
1136 const char **dptr, unsigned int *datalen,
1137 unsigned int cseq, unsigned int code)
1139 enum ip_conntrack_info ctinfo;
1140 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1141 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1143 if ((code >= 100 && code <= 199) ||
1144 (code >= 200 && code <= 299))
1145 return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1146 else if (ct_sip_info->invite_cseq == cseq)
1147 flush_expectations(ct, true);
1151 static int process_update_response(struct sk_buff *skb, unsigned int protoff,
1152 unsigned int dataoff,
1153 const char **dptr, unsigned int *datalen,
1154 unsigned int cseq, unsigned int code)
1156 enum ip_conntrack_info ctinfo;
1157 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1158 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1160 if ((code >= 100 && code <= 199) ||
1161 (code >= 200 && code <= 299))
1162 return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1163 else if (ct_sip_info->invite_cseq == cseq)
1164 flush_expectations(ct, true);
1168 static int process_prack_response(struct sk_buff *skb, unsigned int protoff,
1169 unsigned int dataoff,
1170 const char **dptr, unsigned int *datalen,
1171 unsigned int cseq, unsigned int code)
1173 enum ip_conntrack_info ctinfo;
1174 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1175 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1177 if ((code >= 100 && code <= 199) ||
1178 (code >= 200 && code <= 299))
1179 return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1180 else if (ct_sip_info->invite_cseq == cseq)
1181 flush_expectations(ct, true);
1185 static int process_invite_request(struct sk_buff *skb, unsigned int protoff,
1186 unsigned int dataoff,
1187 const char **dptr, unsigned int *datalen,
1190 enum ip_conntrack_info ctinfo;
1191 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1192 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1195 flush_expectations(ct, true);
1196 ret = process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1197 if (ret == NF_ACCEPT)
1198 ct_sip_info->invite_cseq = cseq;
1202 static int process_bye_request(struct sk_buff *skb, unsigned int protoff,
1203 unsigned int dataoff,
1204 const char **dptr, unsigned int *datalen,
1207 enum ip_conntrack_info ctinfo;
1208 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1210 flush_expectations(ct, true);
1214 /* Parse a REGISTER request and create a permanent expectation for incoming
1215 * signalling connections. The expectation is marked inactive and is activated
1216 * when receiving a response indicating success from the registrar.
1218 static int process_register_request(struct sk_buff *skb, unsigned int protoff,
1219 unsigned int dataoff,
1220 const char **dptr, unsigned int *datalen,
1223 enum ip_conntrack_info ctinfo;
1224 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1225 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1226 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1227 unsigned int matchoff, matchlen;
1228 struct nf_conntrack_expect *exp;
1229 union nf_inet_addr *saddr, daddr;
1230 const struct nf_nat_sip_hooks *hooks;
1233 unsigned int expires = 0;
1236 /* Expected connections can not register again. */
1237 if (ct->status & IPS_EXPECTED)
1240 /* We must check the expiration time: a value of zero signals the
1241 * registrar to release the binding. We'll remove our expectation
1242 * when receiving the new bindings in the response, but we don't
1243 * want to create new ones.
1245 * The expiration time may be contained in Expires: header, the
1246 * Contact: header parameters or the URI parameters.
1248 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1249 &matchoff, &matchlen) > 0)
1250 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1252 ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1253 SIP_HDR_CONTACT, NULL,
1254 &matchoff, &matchlen, &daddr, &port);
1256 nf_ct_helper_log(skb, ct, "cannot parse contact");
1258 } else if (ret == 0)
1261 /* We don't support third-party registrations */
1262 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
1265 if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen,
1269 if (ct_sip_parse_numerical_param(ct, *dptr,
1270 matchoff + matchlen, *datalen,
1271 "expires=", NULL, NULL, &expires) < 0) {
1272 nf_ct_helper_log(skb, ct, "cannot parse expires");
1281 exp = nf_ct_expect_alloc(ct);
1283 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
1288 if (sip_direct_signalling)
1289 saddr = &ct->tuplehash[!dir].tuple.src.u3;
1291 nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
1292 saddr, &daddr, proto, NULL, &port);
1293 exp->timeout.expires = sip_timeout * HZ;
1294 exp->helper = nfct_help(ct)->helper;
1295 exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
1297 hooks = rcu_dereference(nf_nat_sip_hooks);
1298 if (hooks && ct->status & IPS_NAT_MASK)
1299 ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
1300 exp, matchoff, matchlen);
1302 if (nf_ct_expect_related(exp) != 0) {
1303 nf_ct_helper_log(skb, ct, "cannot add expectation");
1308 nf_ct_expect_put(exp);
1311 if (ret == NF_ACCEPT)
1312 ct_sip_info->register_cseq = cseq;
1316 static int process_register_response(struct sk_buff *skb, unsigned int protoff,
1317 unsigned int dataoff,
1318 const char **dptr, unsigned int *datalen,
1319 unsigned int cseq, unsigned int code)
1321 enum ip_conntrack_info ctinfo;
1322 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1323 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1324 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1325 union nf_inet_addr addr;
1328 unsigned int matchoff, matchlen, coff = 0;
1329 unsigned int expires = 0;
1330 int in_contact = 0, ret;
1332 /* According to RFC 3261, "UAs MUST NOT send a new registration until
1333 * they have received a final response from the registrar for the
1334 * previous one or the previous REGISTER request has timed out".
1336 * However, some servers fail to detect retransmissions and send late
1337 * responses, so we store the sequence number of the last valid
1338 * request and compare it here.
1340 if (ct_sip_info->register_cseq != cseq)
1343 if (code >= 100 && code <= 199)
1345 if (code < 200 || code > 299)
1348 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1349 &matchoff, &matchlen) > 0)
1350 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1353 unsigned int c_expires = expires;
1355 ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
1356 SIP_HDR_CONTACT, &in_contact,
1357 &matchoff, &matchlen,
1360 nf_ct_helper_log(skb, ct, "cannot parse contact");
1362 } else if (ret == 0)
1365 /* We don't support third-party registrations */
1366 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
1369 if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen,
1370 *datalen, &proto) == 0)
1373 ret = ct_sip_parse_numerical_param(ct, *dptr,
1374 matchoff + matchlen,
1375 *datalen, "expires=",
1376 NULL, NULL, &c_expires);
1378 nf_ct_helper_log(skb, ct, "cannot parse expires");
1383 if (refresh_signalling_expectation(ct, &addr, proto, port,
1389 flush_expectations(ct, false);
1393 static const struct sip_handler sip_handlers[] = {
1394 SIP_HANDLER("INVITE", process_invite_request, process_invite_response),
1395 SIP_HANDLER("UPDATE", process_sdp, process_update_response),
1396 SIP_HANDLER("ACK", process_sdp, NULL),
1397 SIP_HANDLER("PRACK", process_sdp, process_prack_response),
1398 SIP_HANDLER("BYE", process_bye_request, NULL),
1399 SIP_HANDLER("REGISTER", process_register_request, process_register_response),
1402 static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
1403 unsigned int dataoff,
1404 const char **dptr, unsigned int *datalen)
1406 enum ip_conntrack_info ctinfo;
1407 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1408 unsigned int matchoff, matchlen, matchend;
1409 unsigned int code, cseq, i;
1411 if (*datalen < strlen("SIP/2.0 200"))
1413 code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1415 nf_ct_helper_log(skb, ct, "cannot get code");
1419 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1420 &matchoff, &matchlen) <= 0) {
1421 nf_ct_helper_log(skb, ct, "cannot parse cseq");
1424 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1425 if (!cseq && *(*dptr + matchoff) != '0') {
1426 nf_ct_helper_log(skb, ct, "cannot get cseq");
1429 matchend = matchoff + matchlen + 1;
1431 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1432 const struct sip_handler *handler;
1434 handler = &sip_handlers[i];
1435 if (handler->response == NULL)
1437 if (*datalen < matchend + handler->len ||
1438 strncasecmp(*dptr + matchend, handler->method, handler->len))
1440 return handler->response(skb, protoff, dataoff, dptr, datalen,
1446 static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
1447 unsigned int dataoff,
1448 const char **dptr, unsigned int *datalen)
1450 enum ip_conntrack_info ctinfo;
1451 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1452 struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1453 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1454 unsigned int matchoff, matchlen;
1455 unsigned int cseq, i;
1456 union nf_inet_addr addr;
1459 /* Many Cisco IP phones use a high source port for SIP requests, but
1460 * listen for the response on port 5060. If we are the local
1461 * router for one of these phones, save the port number from the
1462 * Via: header so that nf_nat_sip can redirect the responses to
1465 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1466 SIP_HDR_VIA_UDP, NULL, &matchoff,
1467 &matchlen, &addr, &port) > 0 &&
1468 port != ct->tuplehash[dir].tuple.src.u.udp.port &&
1469 nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3))
1470 ct_sip_info->forced_dport = port;
1472 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1473 const struct sip_handler *handler;
1475 handler = &sip_handlers[i];
1476 if (handler->request == NULL)
1478 if (*datalen < handler->len + 2 ||
1479 strncasecmp(*dptr, handler->method, handler->len))
1481 if ((*dptr)[handler->len] != ' ' ||
1482 !isalpha((*dptr)[handler->len+1]))
1485 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1486 &matchoff, &matchlen) <= 0) {
1487 nf_ct_helper_log(skb, ct, "cannot parse cseq");
1490 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1491 if (!cseq && *(*dptr + matchoff) != '0') {
1492 nf_ct_helper_log(skb, ct, "cannot get cseq");
1496 return handler->request(skb, protoff, dataoff, dptr, datalen,
1502 static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
1503 unsigned int protoff, unsigned int dataoff,
1504 const char **dptr, unsigned int *datalen)
1506 const struct nf_nat_sip_hooks *hooks;
1509 if (strncasecmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
1510 ret = process_sip_request(skb, protoff, dataoff, dptr, datalen);
1512 ret = process_sip_response(skb, protoff, dataoff, dptr, datalen);
1514 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1515 hooks = rcu_dereference(nf_nat_sip_hooks);
1516 if (hooks && !hooks->msg(skb, protoff, dataoff,
1518 nf_ct_helper_log(skb, ct, "cannot NAT SIP message");
1526 static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1527 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1529 struct tcphdr *th, _tcph;
1530 unsigned int dataoff, datalen;
1531 unsigned int matchoff, matchlen, clen;
1532 unsigned int msglen, origlen;
1533 const char *dptr, *end;
1534 s16 diff, tdiff = 0;
1535 int ret = NF_ACCEPT;
1538 if (ctinfo != IP_CT_ESTABLISHED &&
1539 ctinfo != IP_CT_ESTABLISHED_REPLY)
1543 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
1546 dataoff = protoff + th->doff * 4;
1547 if (dataoff >= skb->len)
1550 nf_ct_refresh(ct, skb, sip_timeout * HZ);
1552 if (unlikely(skb_linearize(skb)))
1555 dptr = skb->data + dataoff;
1556 datalen = skb->len - dataoff;
1557 if (datalen < strlen("SIP/2.0 200"))
1561 if (ct_sip_get_header(ct, dptr, 0, datalen,
1562 SIP_HDR_CONTENT_LENGTH,
1563 &matchoff, &matchlen) <= 0)
1566 clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
1567 if (dptr + matchoff == end)
1571 for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
1572 if (end[0] == '\r' && end[1] == '\n' &&
1573 end[2] == '\r' && end[3] == '\n') {
1580 end += strlen("\r\n\r\n") + clen;
1582 msglen = origlen = end - dptr;
1583 if (msglen > datalen)
1586 ret = process_sip_msg(skb, ct, protoff, dataoff,
1588 /* process_sip_* functions report why this packet is dropped */
1589 if (ret != NF_ACCEPT)
1591 diff = msglen - origlen;
1596 datalen = datalen + diff - msglen;
1599 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1600 const struct nf_nat_sip_hooks *hooks;
1602 hooks = rcu_dereference(nf_nat_sip_hooks);
1604 hooks->seq_adjust(skb, protoff, tdiff);
1610 static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
1611 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1613 unsigned int dataoff, datalen;
1617 dataoff = protoff + sizeof(struct udphdr);
1618 if (dataoff >= skb->len)
1621 nf_ct_refresh(ct, skb, sip_timeout * HZ);
1623 if (unlikely(skb_linearize(skb)))
1626 dptr = skb->data + dataoff;
1627 datalen = skb->len - dataoff;
1628 if (datalen < strlen("SIP/2.0 200"))
1631 return process_sip_msg(skb, ct, protoff, dataoff, &dptr, &datalen);
1634 static struct nf_conntrack_helper sip[MAX_PORTS * 4] __read_mostly;
1636 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
1637 [SIP_EXPECT_SIGNALLING] = {
1638 .name = "signalling",
1642 [SIP_EXPECT_AUDIO] = {
1644 .max_expected = 2 * IP_CT_DIR_MAX,
1647 [SIP_EXPECT_VIDEO] = {
1649 .max_expected = 2 * IP_CT_DIR_MAX,
1652 [SIP_EXPECT_IMAGE] = {
1654 .max_expected = IP_CT_DIR_MAX,
1659 static void __exit nf_conntrack_sip_fini(void)
1661 nf_conntrack_helpers_unregister(sip, ports_c * 4);
1664 static int __init nf_conntrack_sip_init(void)
1668 NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sip_master));
1671 ports[ports_c++] = SIP_PORT;
1673 for (i = 0; i < ports_c; i++) {
1674 nf_ct_helper_init(&sip[4 * i], AF_INET, IPPROTO_UDP,
1675 HELPER_NAME, SIP_PORT, ports[i], i,
1676 sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp,
1678 nf_ct_helper_init(&sip[4 * i + 1], AF_INET, IPPROTO_TCP,
1679 HELPER_NAME, SIP_PORT, ports[i], i,
1680 sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp,
1682 nf_ct_helper_init(&sip[4 * i + 2], AF_INET6, IPPROTO_UDP,
1683 HELPER_NAME, SIP_PORT, ports[i], i,
1684 sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp,
1686 nf_ct_helper_init(&sip[4 * i + 3], AF_INET6, IPPROTO_TCP,
1687 HELPER_NAME, SIP_PORT, ports[i], i,
1688 sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp,
1692 ret = nf_conntrack_helpers_register(sip, ports_c * 4);
1694 pr_err("failed to register helpers\n");
1700 module_init(nf_conntrack_sip_init);
1701 module_exit(nf_conntrack_sip_fini);