net/netfilter/nf_conntrack_sip.c

   1 /* SIP extension for IP connection tracking.
   2  *
   3  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
   4  * based on RR's ip_conntrack_ftp.c and other modules.
   5  * (C) 2007 United Security Providers
   6  * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  14
  15 #include <linux/module.h>
  16 #include <linux/ctype.h>
  17 #include <linux/skbuff.h>
  18 #include <linux/inet.h>
  19 #include <linux/in.h>
  20 #include <linux/udp.h>
  21 #include <linux/tcp.h>
  22 #include <linux/netfilter.h>
  23 #include <linux/netfilter_ipv4.h>
  24 #include <linux/netfilter_ipv6.h>
  25
  26 #include <net/netfilter/nf_conntrack.h>
  27 #include <net/netfilter/nf_conntrack_core.h>
  28 #include <net/netfilter/nf_conntrack_expect.h>
  29 #include <net/netfilter/nf_conntrack_helper.h>
  30 #include <net/netfilter/nf_conntrack_zones.h>
  31 #include <linux/netfilter/nf_conntrack_sip.h>
  32
  33 #define HELPER_NAME "sip"
  34
  35 MODULE_LICENSE("GPL");
  36 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
  37 MODULE_DESCRIPTION("SIP connection tracking helper");
  38 MODULE_ALIAS("ip_conntrack_sip");
  39 MODULE_ALIAS_NFCT_HELPER(HELPER_NAME);
  40
  41 #define MAX_PORTS       8
  42 static unsigned short ports[MAX_PORTS];
  43 static unsigned int ports_c;
  44 module_param_array(ports, ushort, &ports_c, 0400);
  45 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
  46
  47 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
  48 module_param(sip_timeout, uint, 0600);
  49 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
  50
  51 static int sip_direct_signalling __read_mostly = 1;
  52 module_param(sip_direct_signalling, int, 0600);
  53 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
  54                                         "only (default 1)");
  55
  56 static int sip_direct_media __read_mostly = 1;
  57 module_param(sip_direct_media, int, 0600);
  58 MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
  59                                    "endpoints only (default 1)");
  60
  61 static int sip_external_media __read_mostly = 0;
  62 module_param(sip_external_media, int, 0600);
  63 MODULE_PARM_DESC(sip_external_media, "Expect Media streams between external "
  64                                      "endpoints (default 0)");
  65
  66 const struct nf_nat_sip_hooks *nf_nat_sip_hooks;
  67 EXPORT_SYMBOL_GPL(nf_nat_sip_hooks);
  68
  69 static int string_len(const struct nf_conn *ct, const char *dptr,
  70                       const char *limit, int *shift)
  71 {
  72         int len = 0;
  73
  74         while (dptr < limit && isalpha(*dptr)) {
  75                 dptr++;
  76                 len++;
  77         }
  78         return len;
  79 }
  80
  81 static int digits_len(const struct nf_conn *ct, const char *dptr,
  82                       const char *limit, int *shift)
  83 {
  84         int len = 0;
  85         while (dptr < limit && isdigit(*dptr)) {
  86                 dptr++;
  87                 len++;
  88         }
  89         return len;
  90 }
  91
  92 static int iswordc(const char c)
  93 {
  94         if (isalnum(c) || c == '!' || c == '"' || c == '%' ||
  95             (c >= '(' && c <= '+') || c == ':' || c == '<' || c == '>' ||
  96             c == '?' || (c >= '[' && c <= ']') || c == '_' || c == '`' ||
  97             c == '{' || c == '}' || c == '~' || (c >= '-' && c <= '/') ||
  98             c == '\'')
  99                 return 1;
 100         return 0;
 101 }
 102
 103 static int word_len(const char *dptr, const char *limit)
 104 {
 105         int len = 0;
 106         while (dptr < limit && iswordc(*dptr)) {
 107                 dptr++;
 108                 len++;
 109         }
 110         return len;
 111 }
 112
 113 static int callid_len(const struct nf_conn *ct, const char *dptr,
 114                       const char *limit, int *shift)
 115 {
 116         int len, domain_len;
 117
 118         len = word_len(dptr, limit);
 119         dptr += len;
 120         if (!len || dptr == limit || *dptr != '@')
 121                 return len;
 122         dptr++;
 123         len++;
 124
 125         domain_len = word_len(dptr, limit);
 126         if (!domain_len)
 127                 return 0;
 128         return len + domain_len;
 129 }
 130
 131 /* get media type + port length */
 132 static int media_len(const struct nf_conn *ct, const char *dptr,
 133                      const char *limit, int *shift)
 134 {
 135         int len = string_len(ct, dptr, limit, shift);
 136
 137         dptr += len;
 138         if (dptr >= limit || *dptr != ' ')
 139                 return 0;
 140         len++;
 141         dptr++;
 142
 143         return len + digits_len(ct, dptr, limit, shift);
 144 }
 145
 146 static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
 147                           const char **endp, union nf_inet_addr *addr,
 148                           const char *limit, bool delim)
 149 {
 150         const char *end;
 151         int ret;
 152
 153         if (!ct)
 154                 return 0;
 155
 156         memset(addr, 0, sizeof(*addr));
 157         switch (nf_ct_l3num(ct)) {
 158         case AF_INET:
 159                 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
 160                 if (ret == 0)
 161                         return 0;
 162                 break;
 163         case AF_INET6:
 164                 if (cp < limit && *cp == '[')
 165                         cp++;
 166                 else if (delim)
 167                         return 0;
 168
 169                 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
 170                 if (ret == 0)
 171                         return 0;
 172
 173                 if (end < limit && *end == ']')
 174                         end++;
 175                 else if (delim)
 176                         return 0;
 177                 break;
 178         default:
 179                 BUG();
 180         }
 181
 182         if (endp)
 183                 *endp = end;
 184         return 1;
 185 }
 186
 187 /* skip ip address. returns its length. */
 188 static int epaddr_len(const struct nf_conn *ct, const char *dptr,
 189                       const char *limit, int *shift)
 190 {
 191         union nf_inet_addr addr;
 192         const char *aux = dptr;
 193
 194         if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
 195                 pr_debug("ip: %s parse failed.!\n", dptr);
 196                 return 0;
 197         }
 198
 199         /* Port number */
 200         if (*dptr == ':') {
 201                 dptr++;
 202                 dptr += digits_len(ct, dptr, limit, shift);
 203         }
 204         return dptr - aux;
 205 }
 206
 207 /* get address length, skiping user info. */
 208 static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
 209                           const char *limit, int *shift)
 210 {
 211         const char *start = dptr;
 212         int s = *shift;
 213
 214         /* Search for @, but stop at the end of the line.
 215          * We are inside a sip: URI, so we don't need to worry about
 216          * continuation lines. */
 217         while (dptr < limit &&
 218                *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
 219                 (*shift)++;
 220                 dptr++;
 221         }
 222
 223         if (dptr < limit && *dptr == '@') {
 224                 dptr++;
 225                 (*shift)++;
 226         } else {
 227                 dptr = start;
 228                 *shift = s;
 229         }
 230
 231         return epaddr_len(ct, dptr, limit, shift);
 232 }
 233
 234 /* Parse a SIP request line of the form:
 235  *
 236  * Request-Line = Method SP Request-URI SP SIP-Version CRLF
 237  *
 238  * and return the offset and length of the address contained in the Request-URI.
 239  */
 240 int ct_sip_parse_request(const struct nf_conn *ct,
 241                          const char *dptr, unsigned int datalen,
 242                          unsigned int *matchoff, unsigned int *matchlen,
 243                          union nf_inet_addr *addr, __be16 *port)
 244 {
 245         const char *start = dptr, *limit = dptr + datalen, *end;
 246         unsigned int mlen;
 247         unsigned int p;
 248         int shift = 0;
 249
 250         /* Skip method and following whitespace */
 251         mlen = string_len(ct, dptr, limit, NULL);
 252         if (!mlen)
 253                 return 0;
 254         dptr += mlen;
 255         if (++dptr >= limit)
 256                 return 0;
 257
 258         /* Find SIP URI */
 259         for (; dptr < limit - strlen("sip:"); dptr++) {
 260                 if (*dptr == '\r' || *dptr == '\n')
 261                         return -1;
 262                 if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
 263                         dptr += strlen("sip:");
 264                         break;
 265                 }
 266         }
 267         if (!skp_epaddr_len(ct, dptr, limit, &shift))
 268                 return 0;
 269         dptr += shift;
 270
 271         if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
 272                 return -1;
 273         if (end < limit && *end == ':') {
 274                 end++;
 275                 p = simple_strtoul(end, (char **)&end, 10);
 276                 if (p < 1024 || p > 65535)
 277                         return -1;
 278                 *port = htons(p);
 279         } else
 280                 *port = htons(SIP_PORT);
 281
 282         if (end == dptr)
 283                 return 0;
 284         *matchoff = dptr - start;
 285         *matchlen = end - dptr;
 286         return 1;
 287 }
 288 EXPORT_SYMBOL_GPL(ct_sip_parse_request);
 289
 290 /* SIP header parsing: SIP headers are located at the beginning of a line, but
 291  * may span several lines, in which case the continuation lines begin with a
 292  * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
 293  * CRLF, RFC 3261 allows only CRLF, we support both.
 294  *
 295  * Headers are followed by (optionally) whitespace, a colon, again (optionally)
 296  * whitespace and the values. Whitespace in this context means any amount of
 297  * tabs, spaces and continuation lines, which are treated as a single whitespace
 298  * character.
 299  *
 300  * Some headers may appear multiple times. A comma separated list of values is
 301  * equivalent to multiple headers.
 302  */
 303 static const struct sip_header ct_sip_hdrs[] = {
 304         [SIP_HDR_CSEQ]                  = SIP_HDR("CSeq", NULL, NULL, digits_len),
 305         [SIP_HDR_FROM]                  = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
 306         [SIP_HDR_TO]                    = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
 307         [SIP_HDR_CONTACT]               = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
 308         [SIP_HDR_VIA_UDP]               = SIP_HDR("Via", "v", "UDP ", epaddr_len),
 309         [SIP_HDR_VIA_TCP]               = SIP_HDR("Via", "v", "TCP ", epaddr_len),
 310         [SIP_HDR_EXPIRES]               = SIP_HDR("Expires", NULL, NULL, digits_len),
 311         [SIP_HDR_CONTENT_LENGTH]        = SIP_HDR("Content-Length", "l", NULL, digits_len),
 312         [SIP_HDR_CALL_ID]               = SIP_HDR("Call-Id", "i", NULL, callid_len),
 313 };
 314
 315 static const char *sip_follow_continuation(const char *dptr, const char *limit)
 316 {
 317         /* Walk past newline */
 318         if (++dptr >= limit)
 319                 return NULL;
 320
 321         /* Skip '\n' in CR LF */
 322         if (*(dptr - 1) == '\r' && *dptr == '\n') {
 323                 if (++dptr >= limit)
 324                         return NULL;
 325         }
 326
 327         /* Continuation line? */
 328         if (*dptr != ' ' && *dptr != '\t')
 329                 return NULL;
 330
 331         /* skip leading whitespace */
 332         for (; dptr < limit; dptr++) {
 333                 if (*dptr != ' ' && *dptr != '\t')
 334                         break;
 335         }
 336         return dptr;
 337 }
 338
 339 static const char *sip_skip_whitespace(const char *dptr, const char *limit)
 340 {
 341         for (; dptr < limit; dptr++) {
 342                 if (*dptr == ' ' || *dptr == '\t')
 343                         continue;
 344                 if (*dptr != '\r' && *dptr != '\n')
 345                         break;
 346                 dptr = sip_follow_continuation(dptr, limit);
 347                 break;
 348         }
 349         return dptr;
 350 }
 351
 352 /* Search within a SIP header value, dealing with continuation lines */
 353 static const char *ct_sip_header_search(const char *dptr, const char *limit,
 354                                         const char *needle, unsigned int len)
 355 {
 356         for (limit -= len; dptr < limit; dptr++) {
 357                 if (*dptr == '\r' || *dptr == '\n') {
 358                         dptr = sip_follow_continuation(dptr, limit);
 359                         if (dptr == NULL)
 360                                 break;
 361                         continue;
 362                 }
 363
 364                 if (strncasecmp(dptr, needle, len) == 0)
 365                         return dptr;
 366         }
 367         return NULL;
 368 }
 369
 370 int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 371                       unsigned int dataoff, unsigned int datalen,
 372                       enum sip_header_types type,
 373                       unsigned int *matchoff, unsigned int *matchlen)
 374 {
 375         const struct sip_header *hdr = &ct_sip_hdrs[type];
 376         const char *start = dptr, *limit = dptr + datalen;
 377         int shift = 0;
 378
 379         for (dptr += dataoff; dptr < limit; dptr++) {
 380                 /* Find beginning of line */
 381                 if (*dptr != '\r' && *dptr != '\n')
 382                         continue;
 383                 if (++dptr >= limit)
 384                         break;
 385                 if (*(dptr - 1) == '\r' && *dptr == '\n') {
 386                         if (++dptr >= limit)
 387                                 break;
 388                 }
 389
 390                 /* Skip continuation lines */
 391                 if (*dptr == ' ' || *dptr == '\t')
 392                         continue;
 393
 394                 /* Find header. Compact headers must be followed by a
 395                  * non-alphabetic character to avoid mismatches. */
 396                 if (limit - dptr >= hdr->len &&
 397                     strncasecmp(dptr, hdr->name, hdr->len) == 0)
 398                         dptr += hdr->len;
 399                 else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
 400                          strncasecmp(dptr, hdr->cname, hdr->clen) == 0 &&
 401                          !isalpha(*(dptr + hdr->clen)))
 402                         dptr += hdr->clen;
 403                 else
 404                         continue;
 405
 406                 /* Find and skip colon */
 407                 dptr = sip_skip_whitespace(dptr, limit);
 408                 if (dptr == NULL)
 409                         break;
 410                 if (*dptr != ':' || ++dptr >= limit)
 411                         break;
 412
 413                 /* Skip whitespace after colon */
 414                 dptr = sip_skip_whitespace(dptr, limit);
 415                 if (dptr == NULL)
 416                         break;
 417
 418                 *matchoff = dptr - start;
 419                 if (hdr->search) {
 420                         dptr = ct_sip_header_search(dptr, limit, hdr->search,
 421                                                     hdr->slen);
 422                         if (!dptr)
 423                                 return -1;
 424                         dptr += hdr->slen;
 425                 }
 426
 427                 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 428                 if (!*matchlen)
 429                         return -1;
 430                 *matchoff = dptr - start + shift;
 431                 return 1;
 432         }
 433         return 0;
 434 }
 435 EXPORT_SYMBOL_GPL(ct_sip_get_header);
 436
 437 /* Get next header field in a list of comma separated values */
 438 static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
 439                               unsigned int dataoff, unsigned int datalen,
 440                               enum sip_header_types type,
 441                               unsigned int *matchoff, unsigned int *matchlen)
 442 {
 443         const struct sip_header *hdr = &ct_sip_hdrs[type];
 444         const char *start = dptr, *limit = dptr + datalen;
 445         int shift = 0;
 446
 447         dptr += dataoff;
 448
 449         dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
 450         if (!dptr)
 451                 return 0;
 452
 453         dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
 454         if (!dptr)
 455                 return 0;
 456         dptr += hdr->slen;
 457
 458         *matchoff = dptr - start;
 459         *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 460         if (!*matchlen)
 461                 return -1;
 462         *matchoff += shift;
 463         return 1;
 464 }
 465
 466 /* Walk through headers until a parsable one is found or no header of the
 467  * given type is left. */
 468 static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 469                                unsigned int dataoff, unsigned int datalen,
 470                                enum sip_header_types type, int *in_header,
 471                                unsigned int *matchoff, unsigned int *matchlen)
 472 {
 473         int ret;
 474
 475         if (in_header && *in_header) {
 476                 while (1) {
 477                         ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
 478                                                  type, matchoff, matchlen);
 479                         if (ret > 0)
 480                                 return ret;
 481                         if (ret == 0)
 482                                 break;
 483                         dataoff += *matchoff;
 484                 }
 485                 *in_header = 0;
 486         }
 487
 488         while (1) {
 489                 ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
 490                                         type, matchoff, matchlen);
 491                 if (ret > 0)
 492                         break;
 493                 if (ret == 0)
 494                         return ret;
 495                 dataoff += *matchoff;
 496         }
 497
 498         if (in_header)
 499                 *in_header = 1;
 500         return 1;
 501 }
 502
 503 /* Locate a SIP header, parse the URI and return the offset and length of
 504  * the address as well as the address and port themselves. A stream of
 505  * headers can be parsed by handing in a non-NULL datalen and in_header
 506  * pointer.
 507  */
 508 int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 509                             unsigned int *dataoff, unsigned int datalen,
 510                             enum sip_header_types type, int *in_header,
 511                             unsigned int *matchoff, unsigned int *matchlen,
 512                             union nf_inet_addr *addr, __be16 *port)
 513 {
 514         const char *c, *limit = dptr + datalen;
 515         unsigned int p;
 516         int ret;
 517
 518         ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
 519                                   type, in_header, matchoff, matchlen);
 520         WARN_ON(ret < 0);
 521         if (ret == 0)
 522                 return ret;
 523
 524         if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
 525                 return -1;
 526         if (*c == ':') {
 527                 c++;
 528                 p = simple_strtoul(c, (char **)&c, 10);
 529                 if (p < 1024 || p > 65535)
 530                         return -1;
 531                 *port = htons(p);
 532         } else
 533                 *port = htons(SIP_PORT);
 534
 535         if (dataoff)
 536                 *dataoff = c - dptr;
 537         return 1;
 538 }
 539 EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
 540
 541 static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr,
 542                               unsigned int dataoff, unsigned int datalen,
 543                               const char *name,
 544                               unsigned int *matchoff, unsigned int *matchlen)
 545 {
 546         const char *limit = dptr + datalen;
 547         const char *start;
 548         const char *end;
 549
 550         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 551         if (!limit)
 552                 limit = dptr + datalen;
 553
 554         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 555         if (!start)
 556                 return 0;
 557         start += strlen(name);
 558
 559         end = ct_sip_header_search(start, limit, ";", strlen(";"));
 560         if (!end)
 561                 end = limit;
 562
 563         *matchoff = start - dptr;
 564         *matchlen = end - start;
 565         return 1;
 566 }
 567
 568 /* Parse address from header parameter and return address, offset and length */
 569 int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
 570                                unsigned int dataoff, unsigned int datalen,
 571                                const char *name,
 572                                unsigned int *matchoff, unsigned int *matchlen,
 573                                union nf_inet_addr *addr, bool delim)
 574 {
 575         const char *limit = dptr + datalen;
 576         const char *start, *end;
 577
 578         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 579         if (!limit)
 580                 limit = dptr + datalen;
 581
 582         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 583         if (!start)
 584                 return 0;
 585
 586         start += strlen(name);
 587         if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
 588                 return 0;
 589         *matchoff = start - dptr;
 590         *matchlen = end - start;
 591         return 1;
 592 }
 593 EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
 594
 595 /* Parse numerical header parameter and return value, offset and length */
 596 int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
 597                                  unsigned int dataoff, unsigned int datalen,
 598                                  const char *name,
 599                                  unsigned int *matchoff, unsigned int *matchlen,
 600                                  unsigned int *val)
 601 {
 602         const char *limit = dptr + datalen;
 603         const char *start;
 604         char *end;
 605
 606         limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
 607         if (!limit)
 608                 limit = dptr + datalen;
 609
 610         start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
 611         if (!start)
 612                 return 0;
 613
 614         start += strlen(name);
 615         *val = simple_strtoul(start, &end, 0);
 616         if (start == end)
 617                 return 0;
 618         if (matchoff && matchlen) {
 619                 *matchoff = start - dptr;
 620                 *matchlen = end - start;
 621         }
 622         return 1;
 623 }
 624 EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
 625
 626 static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
 627                                   unsigned int dataoff, unsigned int datalen,
 628                                   u8 *proto)
 629 {
 630         unsigned int matchoff, matchlen;
 631
 632         if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=",
 633                                &matchoff, &matchlen)) {
 634                 if (!strncasecmp(dptr + matchoff, "TCP", strlen("TCP")))
 635                         *proto = IPPROTO_TCP;
 636                 else if (!strncasecmp(dptr + matchoff, "UDP", strlen("UDP")))
 637                         *proto = IPPROTO_UDP;
 638                 else
 639                         return 0;
 640
 641                 if (*proto != nf_ct_protonum(ct))
 642                         return 0;
 643         } else
 644                 *proto = nf_ct_protonum(ct);
 645
 646         return 1;
 647 }
 648
 649 static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
 650                           const char **endp, union nf_inet_addr *addr,
 651                           const char *limit)
 652 {
 653         const char *end;
 654         int ret;
 655
 656         memset(addr, 0, sizeof(*addr));
 657         switch (nf_ct_l3num(ct)) {
 658         case AF_INET:
 659                 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
 660                 break;
 661         case AF_INET6:
 662                 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
 663                 break;
 664         default:
 665                 BUG();
 666         }
 667
 668         if (ret == 0)
 669                 return 0;
 670         if (endp)
 671                 *endp = end;
 672         return 1;
 673 }
 674
 675 /* skip ip address. returns its length. */
 676 static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
 677                         const char *limit, int *shift)
 678 {
 679         union nf_inet_addr addr;
 680         const char *aux = dptr;
 681
 682         if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
 683                 pr_debug("ip: %s parse failed.!\n", dptr);
 684                 return 0;
 685         }
 686
 687         return dptr - aux;
 688 }
 689
 690 /* SDP header parsing: a SDP session description contains an ordered set of
 691  * headers, starting with a section containing general session parameters,
 692  * optionally followed by multiple media descriptions.
 693  *
 694  * SDP headers always start at the beginning of a line. According to RFC 2327:
 695  * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
 696  * be tolerant and also accept records terminated with a single newline
 697  * character". We handle both cases.
 698  */
 699 static const struct sip_header ct_sdp_hdrs_v4[] = {
 700         [SDP_HDR_VERSION]       = SDP_HDR("v=", NULL, digits_len),
 701         [SDP_HDR_OWNER]         = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
 702         [SDP_HDR_CONNECTION]    = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
 703         [SDP_HDR_MEDIA]         = SDP_HDR("m=", NULL, media_len),
 704 };
 705
 706 static const struct sip_header ct_sdp_hdrs_v6[] = {
 707         [SDP_HDR_VERSION]       = SDP_HDR("v=", NULL, digits_len),
 708         [SDP_HDR_OWNER]         = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
 709         [SDP_HDR_CONNECTION]    = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
 710         [SDP_HDR_MEDIA]         = SDP_HDR("m=", NULL, media_len),
 711 };
 712
 713 /* Linear string search within SDP header values */
 714 static const char *ct_sdp_header_search(const char *dptr, const char *limit,
 715                                         const char *needle, unsigned int len)
 716 {
 717         for (limit -= len; dptr < limit; dptr++) {
 718                 if (*dptr == '\r' || *dptr == '\n')
 719                         break;
 720                 if (strncmp(dptr, needle, len) == 0)
 721                         return dptr;
 722         }
 723         return NULL;
 724 }
 725
 726 /* Locate a SDP header (optionally a substring within the header value),
 727  * optionally stopping at the first occurrence of the term header, parse
 728  * it and return the offset and length of the data we're interested in.
 729  */
 730 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 731                           unsigned int dataoff, unsigned int datalen,
 732                           enum sdp_header_types type,
 733                           enum sdp_header_types term,
 734                           unsigned int *matchoff, unsigned int *matchlen)
 735 {
 736         const struct sip_header *hdrs, *hdr, *thdr;
 737         const char *start = dptr, *limit = dptr + datalen;
 738         int shift = 0;
 739
 740         hdrs = nf_ct_l3num(ct) == NFPROTO_IPV4 ? ct_sdp_hdrs_v4 : ct_sdp_hdrs_v6;
 741         hdr = &hdrs[type];
 742         thdr = &hdrs[term];
 743
 744         for (dptr += dataoff; dptr < limit; dptr++) {
 745                 /* Find beginning of line */
 746                 if (*dptr != '\r' && *dptr != '\n')
 747                         continue;
 748                 if (++dptr >= limit)
 749                         break;
 750                 if (*(dptr - 1) == '\r' && *dptr == '\n') {
 751                         if (++dptr >= limit)
 752                                 break;
 753                 }
 754
 755                 if (term != SDP_HDR_UNSPEC &&
 756                     limit - dptr >= thdr->len &&
 757                     strncasecmp(dptr, thdr->name, thdr->len) == 0)
 758                         break;
 759                 else if (limit - dptr >= hdr->len &&
 760                          strncasecmp(dptr, hdr->name, hdr->len) == 0)
 761                         dptr += hdr->len;
 762                 else
 763                         continue;
 764
 765                 *matchoff = dptr - start;
 766                 if (hdr->search) {
 767                         dptr = ct_sdp_header_search(dptr, limit, hdr->search,
 768                                                     hdr->slen);
 769                         if (!dptr)
 770                                 return -1;
 771                         dptr += hdr->slen;
 772                 }
 773
 774                 *matchlen = hdr->match_len(ct, dptr, limit, &shift);
 775                 if (!*matchlen)
 776                         return -1;
 777                 *matchoff = dptr - start + shift;
 778                 return 1;
 779         }
 780         return 0;
 781 }
 782 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
 783
 784 static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
 785                                  unsigned int dataoff, unsigned int datalen,
 786                                  enum sdp_header_types type,
 787                                  enum sdp_header_types term,
 788                                  unsigned int *matchoff, unsigned int *matchlen,
 789                                  union nf_inet_addr *addr)
 790 {
 791         int ret;
 792
 793         ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
 794                                     matchoff, matchlen);
 795         if (ret <= 0)
 796                 return ret;
 797
 798         if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
 799                             dptr + *matchoff + *matchlen))
 800                 return -1;
 801         return 1;
 802 }
 803
 804 static int refresh_signalling_expectation(struct nf_conn *ct,
 805                                           union nf_inet_addr *addr,
 806                                           u8 proto, __be16 port,
 807                                           unsigned int expires)
 808 {
 809         struct nf_conn_help *help = nfct_help(ct);
 810         struct nf_conntrack_expect *exp;
 811         struct hlist_node *next;
 812         int found = 0;
 813
 814         spin_lock_bh(&nf_conntrack_expect_lock);
 815         hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
 816                 if (exp->class != SIP_EXPECT_SIGNALLING ||
 817                     !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
 818                     exp->tuple.dst.protonum != proto ||
 819                     exp->tuple.dst.u.udp.port != port)
 820                         continue;
 821                 if (mod_timer_pending(&exp->timeout, jiffies + expires * HZ)) {
 822                         exp->flags &= ~NF_CT_EXPECT_INACTIVE;
 823                         found = 1;
 824                         break;
 825                 }
 826         }
 827         spin_unlock_bh(&nf_conntrack_expect_lock);
 828         return found;
 829 }
 830
 831 static void flush_expectations(struct nf_conn *ct, bool media)
 832 {
 833         struct nf_conn_help *help = nfct_help(ct);
 834         struct nf_conntrack_expect *exp;
 835         struct hlist_node *next;
 836
 837         spin_lock_bh(&nf_conntrack_expect_lock);
 838         hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
 839                 if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
 840                         continue;
 841                 if (!nf_ct_remove_expect(exp))
 842                         continue;
 843                 if (!media)
 844                         break;
 845         }
 846         spin_unlock_bh(&nf_conntrack_expect_lock);
 847 }
 848
 849 static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
 850                                  unsigned int dataoff,
 851                                  const char **dptr, unsigned int *datalen,
 852                                  union nf_inet_addr *daddr, __be16 port,
 853                                  enum sip_expectation_classes class,
 854                                  unsigned int mediaoff, unsigned int medialen)
 855 {
 856         struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
 857         enum ip_conntrack_info ctinfo;
 858         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 859         struct net *net = nf_ct_net(ct);
 860         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 861         union nf_inet_addr *saddr;
 862         struct nf_conntrack_tuple tuple;
 863         int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
 864         u_int16_t base_port;
 865         __be16 rtp_port, rtcp_port;
 866         const struct nf_nat_sip_hooks *hooks;
 867
 868         saddr = NULL;
 869         if (sip_direct_media) {
 870                 if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
 871                         return NF_ACCEPT;
 872                 saddr = &ct->tuplehash[!dir].tuple.src.u3;
 873         } else if (sip_external_media) {
 874                 struct net_device *dev = skb_dst(skb)->dev;
 875                 struct net *net = dev_net(dev);
 876                 struct flowi fl;
 877                 struct dst_entry *dst = NULL;
 878
 879                 memset(&fl, 0, sizeof(fl));
 880
 881                 switch (nf_ct_l3num(ct)) {
 882                         case NFPROTO_IPV4:
 883                                 fl.u.ip4.daddr = daddr->ip;
 884                                 nf_ip_route(net, &dst, &fl, false);
 885                                 break;
 886
 887                         case NFPROTO_IPV6:
 888                                 fl.u.ip6.daddr = daddr->in6;
 889                                 nf_ip6_route(net, &dst, &fl, false);
 890                                 break;
 891                 }
 892
 893                 /* Don't predict any conntracks when media endpoint is reachable
 894                  * through the same interface as the signalling peer.
 895                  */
 896                 if (dst) {
 897                         bool external_media = (dst->dev == dev);
 898
 899                         dst_release(dst);
 900                         if (external_media)
 901                                 return NF_ACCEPT;
 902                 }
 903         }
 904
 905         /* We need to check whether the registration exists before attempting
 906          * to register it since we can see the same media description multiple
 907          * times on different connections in case multiple endpoints receive
 908          * the same call.
 909          *
 910          * RTP optimization: if we find a matching media channel expectation
 911          * and both the expectation and this connection are SNATed, we assume
 912          * both sides can reach each other directly and use the final
 913          * destination address from the expectation. We still need to keep
 914          * the NATed expectations for media that might arrive from the
 915          * outside, and additionally need to expect the direct RTP stream
 916          * in case it passes through us even without NAT.
 917          */
 918         memset(&tuple, 0, sizeof(tuple));
 919         if (saddr)
 920                 tuple.src.u3 = *saddr;
 921         tuple.src.l3num         = nf_ct_l3num(ct);
 922         tuple.dst.protonum      = IPPROTO_UDP;
 923         tuple.dst.u3            = *daddr;
 924         tuple.dst.u.udp.port    = port;
 925
 926         do {
 927                 exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);
 928
 929                 if (!exp || exp->master == ct ||
 930                     nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
 931                     exp->class != class)
 932                         break;
 933 #if IS_ENABLED(CONFIG_NF_NAT)
 934                 if (!direct_rtp &&
 935                     (!nf_inet_addr_cmp(&exp->saved_addr, &exp->tuple.dst.u3) ||
 936                      exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
 937                     ct->status & IPS_NAT_MASK) {
 938                         *daddr                  = exp->saved_addr;
 939                         tuple.dst.u3            = exp->saved_addr;
 940                         tuple.dst.u.udp.port    = exp->saved_proto.udp.port;
 941                         direct_rtp = 1;
 942                 } else
 943 #endif
 944                         skip_expect = 1;
 945         } while (!skip_expect);
 946
 947         base_port = ntohs(tuple.dst.u.udp.port) & ~1;
 948         rtp_port = htons(base_port);
 949         rtcp_port = htons(base_port + 1);
 950
 951         if (direct_rtp) {
 952                 hooks = rcu_dereference(nf_nat_sip_hooks);
 953                 if (hooks &&
 954                     !hooks->sdp_port(skb, protoff, dataoff, dptr, datalen,
 955                                      mediaoff, medialen, ntohs(rtp_port)))
 956                         goto err1;
 957         }
 958
 959         if (skip_expect)
 960                 return NF_ACCEPT;
 961
 962         rtp_exp = nf_ct_expect_alloc(ct);
 963         if (rtp_exp == NULL)
 964                 goto err1;
 965         nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
 966                           IPPROTO_UDP, NULL, &rtp_port);
 967
 968         rtcp_exp = nf_ct_expect_alloc(ct);
 969         if (rtcp_exp == NULL)
 970                 goto err2;
 971         nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
 972                           IPPROTO_UDP, NULL, &rtcp_port);
 973
 974         hooks = rcu_dereference(nf_nat_sip_hooks);
 975         if (hooks && ct->status & IPS_NAT_MASK && !direct_rtp)
 976                 ret = hooks->sdp_media(skb, protoff, dataoff, dptr,
 977                                        datalen, rtp_exp, rtcp_exp,
 978                                        mediaoff, medialen, daddr);
 979         else {
 980                 /* -EALREADY handling works around end-points that send
 981                  * SDP messages with identical port but different media type,
 982                  * we pretend expectation was set up.
 983                  */
 984                 int errp = nf_ct_expect_related(rtp_exp);
 985
 986                 if (errp == 0 || errp == -EALREADY) {
 987                         int errcp = nf_ct_expect_related(rtcp_exp);
 988
 989                         if (errcp == 0 || errcp == -EALREADY)
 990                                 ret = NF_ACCEPT;
 991                         else if (errp == 0)
 992                                 nf_ct_unexpect_related(rtp_exp);
 993                 }
 994         }
 995         nf_ct_expect_put(rtcp_exp);
 996 err2:
 997         nf_ct_expect_put(rtp_exp);
 998 err1:
 999         return ret;
1000 }
1001
1002 static const struct sdp_media_type sdp_media_types[] = {
1003         SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
1004         SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
1005         SDP_MEDIA_TYPE("image ", SIP_EXPECT_IMAGE),
1006 };
1007
1008 static const struct sdp_media_type *sdp_media_type(const char *dptr,
1009                                                    unsigned int matchoff,
1010                                                    unsigned int matchlen)
1011 {
1012         const struct sdp_media_type *t;
1013         unsigned int i;
1014
1015         for (i = 0; i < ARRAY_SIZE(sdp_media_types); i++) {
1016                 t = &sdp_media_types[i];
1017                 if (matchlen < t->len ||
1018                     strncmp(dptr + matchoff, t->name, t->len))
1019                         continue;
1020                 return t;
1021         }
1022         return NULL;
1023 }
1024
1025 static int process_sdp(struct sk_buff *skb, unsigned int protoff,
1026                        unsigned int dataoff,
1027                        const char **dptr, unsigned int *datalen,
1028                        unsigned int cseq)
1029 {
1030         enum ip_conntrack_info ctinfo;
1031         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1032         unsigned int matchoff, matchlen;
1033         unsigned int mediaoff, medialen;
1034         unsigned int sdpoff;
1035         unsigned int caddr_len, maddr_len;
1036         unsigned int i;
1037         union nf_inet_addr caddr, maddr, rtp_addr;
1038         const struct nf_nat_sip_hooks *hooks;
1039         unsigned int port;
1040         const struct sdp_media_type *t;
1041         int ret = NF_ACCEPT;
1042
1043         hooks = rcu_dereference(nf_nat_sip_hooks);
1044
1045         /* Find beginning of session description */
1046         if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
1047                                   SDP_HDR_VERSION, SDP_HDR_UNSPEC,
1048                                   &matchoff, &matchlen) <= 0)
1049                 return NF_ACCEPT;
1050         sdpoff = matchoff;
1051
1052         /* The connection information is contained in the session description
1053          * and/or once per media description. The first media description marks
1054          * the end of the session description. */
1055         caddr_len = 0;
1056         if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
1057                                   SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
1058                                   &matchoff, &matchlen, &caddr) > 0)
1059                 caddr_len = matchlen;
1060
1061         mediaoff = sdpoff;
1062         for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
1063                 if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
1064                                           SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
1065                                           &mediaoff, &medialen) <= 0)
1066                         break;
1067
1068                 /* Get media type and port number. A media port value of zero
1069                  * indicates an inactive stream. */
1070                 t = sdp_media_type(*dptr, mediaoff, medialen);
1071                 if (!t) {
1072                         mediaoff += medialen;
1073                         continue;
1074                 }
1075                 mediaoff += t->len;
1076                 medialen -= t->len;
1077
1078                 port = simple_strtoul(*dptr + mediaoff, NULL, 10);
1079                 if (port == 0)
1080                         continue;
1081                 if (port < 1024 || port > 65535) {
1082                         nf_ct_helper_log(skb, ct, "wrong port %u", port);
1083                         return NF_DROP;
1084                 }
1085
1086                 /* The media description overrides the session description. */
1087                 maddr_len = 0;
1088                 if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
1089                                           SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
1090                                           &matchoff, &matchlen, &maddr) > 0) {
1091                         maddr_len = matchlen;
1092                         memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
1093                 } else if (caddr_len)
1094                         memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
1095                 else {
1096                         nf_ct_helper_log(skb, ct, "cannot parse SDP message");
1097                         return NF_DROP;
1098                 }
1099
1100                 ret = set_expected_rtp_rtcp(skb, protoff, dataoff,
1101                                             dptr, datalen,
1102                                             &rtp_addr, htons(port), t->class,
1103                                             mediaoff, medialen);
1104                 if (ret != NF_ACCEPT) {
1105                         nf_ct_helper_log(skb, ct,
1106                                          "cannot add expectation for voice");
1107                         return ret;
1108                 }
1109
1110                 /* Update media connection address if present */
1111                 if (maddr_len && hooks && ct->status & IPS_NAT_MASK) {
1112                         ret = hooks->sdp_addr(skb, protoff, dataoff,
1113                                               dptr, datalen, mediaoff,
1114                                               SDP_HDR_CONNECTION,
1115                                               SDP_HDR_MEDIA,
1116                                               &rtp_addr);
1117                         if (ret != NF_ACCEPT) {
1118                                 nf_ct_helper_log(skb, ct, "cannot mangle SDP");
1119                                 return ret;
1120                         }
1121                 }
1122                 i++;
1123         }
1124
1125         /* Update session connection and owner addresses */
1126         hooks = rcu_dereference(nf_nat_sip_hooks);
1127         if (hooks && ct->status & IPS_NAT_MASK)
1128                 ret = hooks->sdp_session(skb, protoff, dataoff,
1129                                          dptr, datalen, sdpoff,
1130                                          &rtp_addr);
1131
1132         return ret;
1133 }
1134 static int process_invite_response(struct sk_buff *skb, unsigned int protoff,
1135                                    unsigned int dataoff,
1136                                    const char **dptr, unsigned int *datalen,
1137                                    unsigned int cseq, unsigned int code)
1138 {
1139         enum ip_conntrack_info ctinfo;
1140         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1141         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1142
1143         if ((code >= 100 && code <= 199) ||
1144             (code >= 200 && code <= 299))
1145                 return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1146         else if (ct_sip_info->invite_cseq == cseq)
1147                 flush_expectations(ct, true);
1148         return NF_ACCEPT;
1149 }
1150
1151 static int process_update_response(struct sk_buff *skb, unsigned int protoff,
1152                                    unsigned int dataoff,
1153                                    const char **dptr, unsigned int *datalen,
1154                                    unsigned int cseq, unsigned int code)
1155 {
1156         enum ip_conntrack_info ctinfo;
1157         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1158         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1159
1160         if ((code >= 100 && code <= 199) ||
1161             (code >= 200 && code <= 299))
1162                 return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1163         else if (ct_sip_info->invite_cseq == cseq)
1164                 flush_expectations(ct, true);
1165         return NF_ACCEPT;
1166 }
1167
1168 static int process_prack_response(struct sk_buff *skb, unsigned int protoff,
1169                                   unsigned int dataoff,
1170                                   const char **dptr, unsigned int *datalen,
1171                                   unsigned int cseq, unsigned int code)
1172 {
1173         enum ip_conntrack_info ctinfo;
1174         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1175         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1176
1177         if ((code >= 100 && code <= 199) ||
1178             (code >= 200 && code <= 299))
1179                 return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1180         else if (ct_sip_info->invite_cseq == cseq)
1181                 flush_expectations(ct, true);
1182         return NF_ACCEPT;
1183 }
1184
1185 static int process_invite_request(struct sk_buff *skb, unsigned int protoff,
1186                                   unsigned int dataoff,
1187                                   const char **dptr, unsigned int *datalen,
1188                                   unsigned int cseq)
1189 {
1190         enum ip_conntrack_info ctinfo;
1191         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1192         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1193         unsigned int ret;
1194
1195         flush_expectations(ct, true);
1196         ret = process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
1197         if (ret == NF_ACCEPT)
1198                 ct_sip_info->invite_cseq = cseq;
1199         return ret;
1200 }
1201
1202 static int process_bye_request(struct sk_buff *skb, unsigned int protoff,
1203                                unsigned int dataoff,
1204                                const char **dptr, unsigned int *datalen,
1205                                unsigned int cseq)
1206 {
1207         enum ip_conntrack_info ctinfo;
1208         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1209
1210         flush_expectations(ct, true);
1211         return NF_ACCEPT;
1212 }
1213
1214 /* Parse a REGISTER request and create a permanent expectation for incoming
1215  * signalling connections. The expectation is marked inactive and is activated
1216  * when receiving a response indicating success from the registrar.
1217  */
1218 static int process_register_request(struct sk_buff *skb, unsigned int protoff,
1219                                     unsigned int dataoff,
1220                                     const char **dptr, unsigned int *datalen,
1221                                     unsigned int cseq)
1222 {
1223         enum ip_conntrack_info ctinfo;
1224         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1225         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1226         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1227         unsigned int matchoff, matchlen;
1228         struct nf_conntrack_expect *exp;
1229         union nf_inet_addr *saddr, daddr;
1230         const struct nf_nat_sip_hooks *hooks;
1231         __be16 port;
1232         u8 proto;
1233         unsigned int expires = 0;
1234         int ret;
1235
1236         /* Expected connections can not register again. */
1237         if (ct->status & IPS_EXPECTED)
1238                 return NF_ACCEPT;
1239
1240         /* We must check the expiration time: a value of zero signals the
1241          * registrar to release the binding. We'll remove our expectation
1242          * when receiving the new bindings in the response, but we don't
1243          * want to create new ones.
1244          *
1245          * The expiration time may be contained in Expires: header, the
1246          * Contact: header parameters or the URI parameters.
1247          */
1248         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1249                               &matchoff, &matchlen) > 0)
1250                 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1251
1252         ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1253                                       SIP_HDR_CONTACT, NULL,
1254                                       &matchoff, &matchlen, &daddr, &port);
1255         if (ret < 0) {
1256                 nf_ct_helper_log(skb, ct, "cannot parse contact");
1257                 return NF_DROP;
1258         } else if (ret == 0)
1259                 return NF_ACCEPT;
1260
1261         /* We don't support third-party registrations */
1262         if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
1263                 return NF_ACCEPT;
1264
1265         if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen,
1266                                    &proto) == 0)
1267                 return NF_ACCEPT;
1268
1269         if (ct_sip_parse_numerical_param(ct, *dptr,
1270                                          matchoff + matchlen, *datalen,
1271                                          "expires=", NULL, NULL, &expires) < 0) {
1272                 nf_ct_helper_log(skb, ct, "cannot parse expires");
1273                 return NF_DROP;
1274         }
1275
1276         if (expires == 0) {
1277                 ret = NF_ACCEPT;
1278                 goto store_cseq;
1279         }
1280
1281         exp = nf_ct_expect_alloc(ct);
1282         if (!exp) {
1283                 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
1284                 return NF_DROP;
1285         }
1286
1287         saddr = NULL;
1288         if (sip_direct_signalling)
1289                 saddr = &ct->tuplehash[!dir].tuple.src.u3;
1290
1291         nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
1292                           saddr, &daddr, proto, NULL, &port);
1293         exp->timeout.expires = sip_timeout * HZ;
1294         exp->helper = nfct_help(ct)->helper;
1295         exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
1296
1297         hooks = rcu_dereference(nf_nat_sip_hooks);
1298         if (hooks && ct->status & IPS_NAT_MASK)
1299                 ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
1300                                     exp, matchoff, matchlen);
1301         else {
1302                 if (nf_ct_expect_related(exp) != 0) {
1303                         nf_ct_helper_log(skb, ct, "cannot add expectation");
1304                         ret = NF_DROP;
1305                 } else
1306                         ret = NF_ACCEPT;
1307         }
1308         nf_ct_expect_put(exp);
1309
1310 store_cseq:
1311         if (ret == NF_ACCEPT)
1312                 ct_sip_info->register_cseq = cseq;
1313         return ret;
1314 }
1315
1316 static int process_register_response(struct sk_buff *skb, unsigned int protoff,
1317                                      unsigned int dataoff,
1318                                      const char **dptr, unsigned int *datalen,
1319                                      unsigned int cseq, unsigned int code)
1320 {
1321         enum ip_conntrack_info ctinfo;
1322         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1323         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1324         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1325         union nf_inet_addr addr;
1326         __be16 port;
1327         u8 proto;
1328         unsigned int matchoff, matchlen, coff = 0;
1329         unsigned int expires = 0;
1330         int in_contact = 0, ret;
1331
1332         /* According to RFC 3261, "UAs MUST NOT send a new registration until
1333          * they have received a final response from the registrar for the
1334          * previous one or the previous REGISTER request has timed out".
1335          *
1336          * However, some servers fail to detect retransmissions and send late
1337          * responses, so we store the sequence number of the last valid
1338          * request and compare it here.
1339          */
1340         if (ct_sip_info->register_cseq != cseq)
1341                 return NF_ACCEPT;
1342
1343         if (code >= 100 && code <= 199)
1344                 return NF_ACCEPT;
1345         if (code < 200 || code > 299)
1346                 goto flush;
1347
1348         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
1349                               &matchoff, &matchlen) > 0)
1350                 expires = simple_strtoul(*dptr + matchoff, NULL, 10);
1351
1352         while (1) {
1353                 unsigned int c_expires = expires;
1354
1355                 ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
1356                                               SIP_HDR_CONTACT, &in_contact,
1357                                               &matchoff, &matchlen,
1358                                               &addr, &port);
1359                 if (ret < 0) {
1360                         nf_ct_helper_log(skb, ct, "cannot parse contact");
1361                         return NF_DROP;
1362                 } else if (ret == 0)
1363                         break;
1364
1365                 /* We don't support third-party registrations */
1366                 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
1367                         continue;
1368
1369                 if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen,
1370                                            *datalen, &proto) == 0)
1371                         continue;
1372
1373                 ret = ct_sip_parse_numerical_param(ct, *dptr,
1374                                                    matchoff + matchlen,
1375                                                    *datalen, "expires=",
1376                                                    NULL, NULL, &c_expires);
1377                 if (ret < 0) {
1378                         nf_ct_helper_log(skb, ct, "cannot parse expires");
1379                         return NF_DROP;
1380                 }
1381                 if (c_expires == 0)
1382                         break;
1383                 if (refresh_signalling_expectation(ct, &addr, proto, port,
1384                                                    c_expires))
1385                         return NF_ACCEPT;
1386         }
1387
1388 flush:
1389         flush_expectations(ct, false);
1390         return NF_ACCEPT;
1391 }
1392
1393 static const struct sip_handler sip_handlers[] = {
1394         SIP_HANDLER("INVITE", process_invite_request, process_invite_response),
1395         SIP_HANDLER("UPDATE", process_sdp, process_update_response),
1396         SIP_HANDLER("ACK", process_sdp, NULL),
1397         SIP_HANDLER("PRACK", process_sdp, process_prack_response),
1398         SIP_HANDLER("BYE", process_bye_request, NULL),
1399         SIP_HANDLER("REGISTER", process_register_request, process_register_response),
1400 };
1401
1402 static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
1403                                 unsigned int dataoff,
1404                                 const char **dptr, unsigned int *datalen)
1405 {
1406         enum ip_conntrack_info ctinfo;
1407         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1408         unsigned int matchoff, matchlen, matchend;
1409         unsigned int code, cseq, i;
1410
1411         if (*datalen < strlen("SIP/2.0 200"))
1412                 return NF_ACCEPT;
1413         code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1414         if (!code) {
1415                 nf_ct_helper_log(skb, ct, "cannot get code");
1416                 return NF_DROP;
1417         }
1418
1419         if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1420                               &matchoff, &matchlen) <= 0) {
1421                 nf_ct_helper_log(skb, ct, "cannot parse cseq");
1422                 return NF_DROP;
1423         }
1424         cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1425         if (!cseq && *(*dptr + matchoff) != '0') {
1426                 nf_ct_helper_log(skb, ct, "cannot get cseq");
1427                 return NF_DROP;
1428         }
1429         matchend = matchoff + matchlen + 1;
1430
1431         for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1432                 const struct sip_handler *handler;
1433
1434                 handler = &sip_handlers[i];
1435                 if (handler->response == NULL)
1436                         continue;
1437                 if (*datalen < matchend + handler->len ||
1438                     strncasecmp(*dptr + matchend, handler->method, handler->len))
1439                         continue;
1440                 return handler->response(skb, protoff, dataoff, dptr, datalen,
1441                                          cseq, code);
1442         }
1443         return NF_ACCEPT;
1444 }
1445
1446 static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
1447                                unsigned int dataoff,
1448                                const char **dptr, unsigned int *datalen)
1449 {
1450         enum ip_conntrack_info ctinfo;
1451         struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1452         struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
1453         enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1454         unsigned int matchoff, matchlen;
1455         unsigned int cseq, i;
1456         union nf_inet_addr addr;
1457         __be16 port;
1458
1459         /* Many Cisco IP phones use a high source port for SIP requests, but
1460          * listen for the response on port 5060.  If we are the local
1461          * router for one of these phones, save the port number from the
1462          * Via: header so that nf_nat_sip can redirect the responses to
1463          * the correct port.
1464          */
1465         if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1466                                     SIP_HDR_VIA_UDP, NULL, &matchoff,
1467                                     &matchlen, &addr, &port) > 0 &&
1468             port != ct->tuplehash[dir].tuple.src.u.udp.port &&
1469             nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3))
1470                 ct_sip_info->forced_dport = port;
1471
1472         for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1473                 const struct sip_handler *handler;
1474
1475                 handler = &sip_handlers[i];
1476                 if (handler->request == NULL)
1477                         continue;
1478                 if (*datalen < handler->len + 2 ||
1479                     strncasecmp(*dptr, handler->method, handler->len))
1480                         continue;
1481                 if ((*dptr)[handler->len] != ' ' ||
1482                     !isalpha((*dptr)[handler->len+1]))
1483                         continue;
1484
1485                 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1486                                       &matchoff, &matchlen) <= 0) {
1487                         nf_ct_helper_log(skb, ct, "cannot parse cseq");
1488                         return NF_DROP;
1489                 }
1490                 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1491                 if (!cseq && *(*dptr + matchoff) != '0') {
1492                         nf_ct_helper_log(skb, ct, "cannot get cseq");
1493                         return NF_DROP;
1494                 }
1495
1496                 return handler->request(skb, protoff, dataoff, dptr, datalen,
1497                                         cseq);
1498         }
1499         return NF_ACCEPT;
1500 }
1501
1502 static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
1503                            unsigned int protoff, unsigned int dataoff,
1504                            const char **dptr, unsigned int *datalen)
1505 {
1506         const struct nf_nat_sip_hooks *hooks;
1507         int ret;
1508
1509         if (strncasecmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
1510                 ret = process_sip_request(skb, protoff, dataoff, dptr, datalen);
1511         else
1512                 ret = process_sip_response(skb, protoff, dataoff, dptr, datalen);
1513
1514         if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1515                 hooks = rcu_dereference(nf_nat_sip_hooks);
1516                 if (hooks && !hooks->msg(skb, protoff, dataoff,
1517                                          dptr, datalen)) {
1518                         nf_ct_helper_log(skb, ct, "cannot NAT SIP message");
1519                         ret = NF_DROP;
1520                 }
1521         }
1522
1523         return ret;
1524 }
1525
1526 static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1527                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1528 {
1529         struct tcphdr *th, _tcph;
1530         unsigned int dataoff, datalen;
1531         unsigned int matchoff, matchlen, clen;
1532         unsigned int msglen, origlen;
1533         const char *dptr, *end;
1534         s16 diff, tdiff = 0;
1535         int ret = NF_ACCEPT;
1536         bool term;
1537
1538         if (ctinfo != IP_CT_ESTABLISHED &&
1539             ctinfo != IP_CT_ESTABLISHED_REPLY)
1540                 return NF_ACCEPT;
1541
1542         /* No Data ? */
1543         th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
1544         if (th == NULL)
1545                 return NF_ACCEPT;
1546         dataoff = protoff + th->doff * 4;
1547         if (dataoff >= skb->len)
1548                 return NF_ACCEPT;
1549
1550         nf_ct_refresh(ct, skb, sip_timeout * HZ);
1551
1552         if (unlikely(skb_linearize(skb)))
1553                 return NF_DROP;
1554
1555         dptr = skb->data + dataoff;
1556         datalen = skb->len - dataoff;
1557         if (datalen < strlen("SIP/2.0 200"))
1558                 return NF_ACCEPT;
1559
1560         while (1) {
1561                 if (ct_sip_get_header(ct, dptr, 0, datalen,
1562                                       SIP_HDR_CONTENT_LENGTH,
1563                                       &matchoff, &matchlen) <= 0)
1564                         break;
1565
1566                 clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
1567                 if (dptr + matchoff == end)
1568                         break;
1569
1570                 term = false;
1571                 for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
1572                         if (end[0] == '\r' && end[1] == '\n' &&
1573                             end[2] == '\r' && end[3] == '\n') {
1574                                 term = true;
1575                                 break;
1576                         }
1577                 }
1578                 if (!term)
1579                         break;
1580                 end += strlen("\r\n\r\n") + clen;
1581
1582                 msglen = origlen = end - dptr;
1583                 if (msglen > datalen)
1584                         return NF_ACCEPT;
1585
1586                 ret = process_sip_msg(skb, ct, protoff, dataoff,
1587                                       &dptr, &msglen);
1588                 /* process_sip_* functions report why this packet is dropped */
1589                 if (ret != NF_ACCEPT)
1590                         break;
1591                 diff     = msglen - origlen;
1592                 tdiff   += diff;
1593
1594                 dataoff += msglen;
1595                 dptr    += msglen;
1596                 datalen  = datalen + diff - msglen;
1597         }
1598
1599         if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1600                 const struct nf_nat_sip_hooks *hooks;
1601
1602                 hooks = rcu_dereference(nf_nat_sip_hooks);
1603                 if (hooks)
1604                         hooks->seq_adjust(skb, protoff, tdiff);
1605         }
1606
1607         return ret;
1608 }
1609
1610 static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
1611                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1612 {
1613         unsigned int dataoff, datalen;
1614         const char *dptr;
1615
1616         /* No Data ? */
1617         dataoff = protoff + sizeof(struct udphdr);
1618         if (dataoff >= skb->len)
1619                 return NF_ACCEPT;
1620
1621         nf_ct_refresh(ct, skb, sip_timeout * HZ);
1622
1623         if (unlikely(skb_linearize(skb)))
1624                 return NF_DROP;
1625
1626         dptr = skb->data + dataoff;
1627         datalen = skb->len - dataoff;
1628         if (datalen < strlen("SIP/2.0 200"))
1629                 return NF_ACCEPT;
1630
1631         return process_sip_msg(skb, ct, protoff, dataoff, &dptr, &datalen);
1632 }
1633
1634 static struct nf_conntrack_helper sip[MAX_PORTS * 4] __read_mostly;
1635
1636 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
1637         [SIP_EXPECT_SIGNALLING] = {
1638                 .name           = "signalling",
1639                 .max_expected   = 1,
1640                 .timeout        = 3 * 60,
1641         },
1642         [SIP_EXPECT_AUDIO] = {
1643                 .name           = "audio",
1644                 .max_expected   = 2 * IP_CT_DIR_MAX,
1645                 .timeout        = 3 * 60,
1646         },
1647         [SIP_EXPECT_VIDEO] = {
1648                 .name           = "video",
1649                 .max_expected   = 2 * IP_CT_DIR_MAX,
1650                 .timeout        = 3 * 60,
1651         },
1652         [SIP_EXPECT_IMAGE] = {
1653                 .name           = "image",
1654                 .max_expected   = IP_CT_DIR_MAX,
1655                 .timeout        = 3 * 60,
1656         },
1657 };
1658
1659 static void __exit nf_conntrack_sip_fini(void)
1660 {
1661         nf_conntrack_helpers_unregister(sip, ports_c * 4);
1662 }
1663
1664 static int __init nf_conntrack_sip_init(void)
1665 {
1666         int i, ret;
1667
1668         NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sip_master));
1669
1670         if (ports_c == 0)
1671                 ports[ports_c++] = SIP_PORT;
1672
1673         for (i = 0; i < ports_c; i++) {
1674                 nf_ct_helper_init(&sip[4 * i], AF_INET, IPPROTO_UDP,
1675                                   HELPER_NAME, SIP_PORT, ports[i], i,
1676                                   sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp,
1677                                   NULL, THIS_MODULE);
1678                 nf_ct_helper_init(&sip[4 * i + 1], AF_INET, IPPROTO_TCP,
1679                                   HELPER_NAME, SIP_PORT, ports[i], i,
1680                                   sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp,
1681                                   NULL, THIS_MODULE);
1682                 nf_ct_helper_init(&sip[4 * i + 2], AF_INET6, IPPROTO_UDP,
1683                                   HELPER_NAME, SIP_PORT, ports[i], i,
1684                                   sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp,
1685                                   NULL, THIS_MODULE);
1686                 nf_ct_helper_init(&sip[4 * i + 3], AF_INET6, IPPROTO_TCP,
1687                                   HELPER_NAME, SIP_PORT, ports[i], i,
1688                                   sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp,
1689                                   NULL, THIS_MODULE);
1690         }
1691
1692         ret = nf_conntrack_helpers_register(sip, ports_c * 4);
1693         if (ret < 0) {
1694                 pr_err("failed to register helpers\n");
1695                 return ret;
1696         }
1697         return 0;
1698 }
1699
1700 module_init(nf_conntrack_sip_init);
1701 module_exit(nf_conntrack_sip_fini);