2 * H.323 connection tracking helper
4 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * This source code is licensed under General Public License version 2.
8 * Based on the 'brute force' H.323 connection tracking module by
9 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 * For more information, please see http://nath323.sourceforge.net/
14 #include <linux/module.h>
15 #include <linux/moduleparam.h>
16 #include <linux/ctype.h>
17 #include <linux/inet.h>
20 #include <linux/udp.h>
21 #include <linux/tcp.h>
22 #include <linux/skbuff.h>
23 #include <net/route.h>
24 #include <net/ip6_route.h>
26 #include <net/netfilter/nf_conntrack.h>
27 #include <net/netfilter/nf_conntrack_core.h>
28 #include <net/netfilter/nf_conntrack_tuple.h>
29 #include <net/netfilter/nf_conntrack_expect.h>
30 #include <net/netfilter/nf_conntrack_ecache.h>
31 #include <net/netfilter/nf_conntrack_helper.h>
32 #include <linux/netfilter/nf_conntrack_h323.h>
35 static unsigned int default_rrq_ttl __read_mostly
= 300;
36 module_param(default_rrq_ttl
, uint
, 0600);
37 MODULE_PARM_DESC(default_rrq_ttl
, "use this TTL if it's missing in RRQ");
39 static int gkrouted_only __read_mostly
= 1;
40 module_param(gkrouted_only
, int, 0600);
41 MODULE_PARM_DESC(gkrouted_only
, "only accept calls from gatekeeper");
43 static int callforward_filter __read_mostly
= 1;
44 module_param(callforward_filter
, bool, 0600);
45 MODULE_PARM_DESC(callforward_filter
, "only create call forwarding expectations "
46 "if both endpoints are on different sides "
47 "(determined by routing information)");
50 int (*set_h245_addr_hook
) (struct sk_buff
*skb
,
51 unsigned char **data
, int dataoff
,
52 H245_TransportAddress
*taddr
,
53 union nf_conntrack_address
*addr
, __be16 port
)
55 int (*set_h225_addr_hook
) (struct sk_buff
*skb
,
56 unsigned char **data
, int dataoff
,
57 TransportAddress
*taddr
,
58 union nf_conntrack_address
*addr
, __be16 port
)
60 int (*set_sig_addr_hook
) (struct sk_buff
*skb
,
62 enum ip_conntrack_info ctinfo
,
64 TransportAddress
*taddr
, int count
) __read_mostly
;
65 int (*set_ras_addr_hook
) (struct sk_buff
*skb
,
67 enum ip_conntrack_info ctinfo
,
69 TransportAddress
*taddr
, int count
) __read_mostly
;
70 int (*nat_rtp_rtcp_hook
) (struct sk_buff
*skb
,
72 enum ip_conntrack_info ctinfo
,
73 unsigned char **data
, int dataoff
,
74 H245_TransportAddress
*taddr
,
75 __be16 port
, __be16 rtp_port
,
76 struct nf_conntrack_expect
*rtp_exp
,
77 struct nf_conntrack_expect
*rtcp_exp
) __read_mostly
;
78 int (*nat_t120_hook
) (struct sk_buff
*skb
,
80 enum ip_conntrack_info ctinfo
,
81 unsigned char **data
, int dataoff
,
82 H245_TransportAddress
*taddr
, __be16 port
,
83 struct nf_conntrack_expect
*exp
) __read_mostly
;
84 int (*nat_h245_hook
) (struct sk_buff
*skb
,
86 enum ip_conntrack_info ctinfo
,
87 unsigned char **data
, int dataoff
,
88 TransportAddress
*taddr
, __be16 port
,
89 struct nf_conntrack_expect
*exp
) __read_mostly
;
90 int (*nat_callforwarding_hook
) (struct sk_buff
*skb
,
92 enum ip_conntrack_info ctinfo
,
93 unsigned char **data
, int dataoff
,
94 TransportAddress
*taddr
, __be16 port
,
95 struct nf_conntrack_expect
*exp
) __read_mostly
;
96 int (*nat_q931_hook
) (struct sk_buff
*skb
,
98 enum ip_conntrack_info ctinfo
,
99 unsigned char **data
, TransportAddress
*taddr
, int idx
,
100 __be16 port
, struct nf_conntrack_expect
*exp
)
103 static DEFINE_SPINLOCK(nf_h323_lock
);
104 static char *h323_buffer
;
106 static struct nf_conntrack_helper nf_conntrack_helper_h245
;
107 static struct nf_conntrack_helper nf_conntrack_helper_q931
[];
108 static struct nf_conntrack_helper nf_conntrack_helper_ras
[];
110 /****************************************************************************/
111 static int get_tpkt_data(struct sk_buff
*skb
, unsigned int protoff
,
112 struct nf_conn
*ct
, enum ip_conntrack_info ctinfo
,
113 unsigned char **data
, int *datalen
, int *dataoff
)
115 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
116 int dir
= CTINFO2DIR(ctinfo
);
117 struct tcphdr _tcph
, *th
;
125 th
= skb_header_pointer(skb
, protoff
, sizeof(_tcph
), &_tcph
);
129 /* Get TCP data offset */
130 tcpdataoff
= protoff
+ th
->doff
* 4;
132 /* Get TCP data length */
133 tcpdatalen
= skb
->len
- tcpdataoff
;
134 if (tcpdatalen
<= 0) /* No TCP data */
137 if (*data
== NULL
) { /* first TPKT */
138 /* Get first TPKT pointer */
139 tpkt
= skb_header_pointer(skb
, tcpdataoff
, tcpdatalen
,
141 BUG_ON(tpkt
== NULL
);
143 /* Validate TPKT identifier */
144 if (tcpdatalen
< 4 || tpkt
[0] != 0x03 || tpkt
[1] != 0) {
145 /* Netmeeting sends TPKT header and data separately */
146 if (info
->tpkt_len
[dir
] > 0) {
147 pr_debug("nf_ct_h323: previous packet "
148 "indicated separate TPKT data of %hu "
149 "bytes\n", info
->tpkt_len
[dir
]);
150 if (info
->tpkt_len
[dir
] <= tcpdatalen
) {
151 /* Yes, there was a TPKT header
154 *datalen
= info
->tpkt_len
[dir
];
159 /* Fragmented TPKT */
160 pr_debug("nf_ct_h323: fragmented TPKT\n");
164 /* It is not even a TPKT */
168 } else { /* Next TPKT */
169 tpktoff
= *dataoff
+ *datalen
;
170 tcpdatalen
-= tpktoff
;
171 if (tcpdatalen
<= 4) /* No more TPKT */
173 tpkt
= *data
+ *datalen
;
175 /* Validate TPKT identifier */
176 if (tpkt
[0] != 0x03 || tpkt
[1] != 0)
180 /* Validate TPKT length */
181 tpktlen
= tpkt
[2] * 256 + tpkt
[3];
184 if (tpktlen
> tcpdatalen
) {
185 if (tcpdatalen
== 4) { /* Separate TPKT header */
186 /* Netmeeting sends TPKT header and data separately */
187 pr_debug("nf_ct_h323: separate TPKT header indicates "
188 "there will be TPKT data of %hu bytes\n",
190 info
->tpkt_len
[dir
] = tpktlen
- 4;
195 printk("nf_ct_h323: incomplete TPKT (fragmented?)\n");
199 /* This is the encapsulated data */
201 *datalen
= tpktlen
- 4;
202 *dataoff
= tpktoff
+ 4;
205 /* Clear TPKT length */
206 info
->tpkt_len
[dir
] = 0;
210 info
->tpkt_len
[dir
] = 0;
214 /****************************************************************************/
215 static int get_h245_addr(struct nf_conn
*ct
, unsigned char *data
,
216 H245_TransportAddress
*taddr
,
217 union nf_conntrack_address
*addr
, __be16
*port
)
220 int family
= ct
->tuplehash
[IP_CT_DIR_ORIGINAL
].tuple
.src
.l3num
;
223 if (taddr
->choice
!= eH245_TransportAddress_unicastAddress
)
226 switch (taddr
->unicastAddress
.choice
) {
227 case eUnicastAddress_iPAddress
:
228 if (family
!= AF_INET
)
230 p
= data
+ taddr
->unicastAddress
.iPAddress
.network
;
233 case eUnicastAddress_iP6Address
:
234 if (family
!= AF_INET6
)
236 p
= data
+ taddr
->unicastAddress
.iP6Address
.network
;
243 memcpy(addr
, p
, len
);
244 memset((void *)addr
+ len
, 0, sizeof(*addr
) - len
);
245 memcpy(port
, p
+ len
, sizeof(__be16
));
250 /****************************************************************************/
251 static int expect_rtp_rtcp(struct sk_buff
*skb
, struct nf_conn
*ct
,
252 enum ip_conntrack_info ctinfo
,
253 unsigned char **data
, int dataoff
,
254 H245_TransportAddress
*taddr
)
256 int dir
= CTINFO2DIR(ctinfo
);
259 __be16 rtp_port
, rtcp_port
;
260 union nf_conntrack_address addr
;
261 struct nf_conntrack_expect
*rtp_exp
;
262 struct nf_conntrack_expect
*rtcp_exp
;
263 typeof(nat_rtp_rtcp_hook
) nat_rtp_rtcp
;
265 /* Read RTP or RTCP address */
266 if (!get_h245_addr(ct
, *data
, taddr
, &addr
, &port
) ||
267 memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
, sizeof(addr
)) ||
271 /* RTP port is even */
274 rtcp_port
= htons(ntohs(port
) + 1);
276 /* Create expect for RTP */
277 if ((rtp_exp
= nf_ct_expect_alloc(ct
)) == NULL
)
279 nf_ct_expect_init(rtp_exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
280 &ct
->tuplehash
[!dir
].tuple
.src
.u3
,
281 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
282 IPPROTO_UDP
, NULL
, &rtp_port
);
284 /* Create expect for RTCP */
285 if ((rtcp_exp
= nf_ct_expect_alloc(ct
)) == NULL
) {
286 nf_ct_expect_put(rtp_exp
);
289 nf_ct_expect_init(rtcp_exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
290 &ct
->tuplehash
[!dir
].tuple
.src
.u3
,
291 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
292 IPPROTO_UDP
, NULL
, &rtcp_port
);
294 if (memcmp(&ct
->tuplehash
[dir
].tuple
.src
.u3
,
295 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
296 sizeof(ct
->tuplehash
[dir
].tuple
.src
.u3
)) &&
297 (nat_rtp_rtcp
= rcu_dereference(nat_rtp_rtcp_hook
)) &&
298 ct
->status
& IPS_NAT_MASK
) {
300 ret
= nat_rtp_rtcp(skb
, ct
, ctinfo
, data
, dataoff
,
301 taddr
, port
, rtp_port
, rtp_exp
, rtcp_exp
);
302 } else { /* Conntrack only */
303 if (nf_ct_expect_related(rtp_exp
) == 0) {
304 if (nf_ct_expect_related(rtcp_exp
) == 0) {
305 pr_debug("nf_ct_h323: expect RTP ");
306 NF_CT_DUMP_TUPLE(&rtp_exp
->tuple
);
307 pr_debug("nf_ct_h323: expect RTCP ");
308 NF_CT_DUMP_TUPLE(&rtcp_exp
->tuple
);
310 nf_ct_unexpect_related(rtp_exp
);
317 nf_ct_expect_put(rtp_exp
);
318 nf_ct_expect_put(rtcp_exp
);
323 /****************************************************************************/
324 static int expect_t120(struct sk_buff
*skb
,
326 enum ip_conntrack_info ctinfo
,
327 unsigned char **data
, int dataoff
,
328 H245_TransportAddress
*taddr
)
330 int dir
= CTINFO2DIR(ctinfo
);
333 union nf_conntrack_address addr
;
334 struct nf_conntrack_expect
*exp
;
335 typeof(nat_t120_hook
) nat_t120
;
337 /* Read T.120 address */
338 if (!get_h245_addr(ct
, *data
, taddr
, &addr
, &port
) ||
339 memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
, sizeof(addr
)) ||
343 /* Create expect for T.120 connections */
344 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
346 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
347 &ct
->tuplehash
[!dir
].tuple
.src
.u3
,
348 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
349 IPPROTO_TCP
, NULL
, &port
);
350 exp
->flags
= NF_CT_EXPECT_PERMANENT
; /* Accept multiple channels */
352 if (memcmp(&ct
->tuplehash
[dir
].tuple
.src
.u3
,
353 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
354 sizeof(ct
->tuplehash
[dir
].tuple
.src
.u3
)) &&
355 (nat_t120
= rcu_dereference(nat_t120_hook
)) &&
356 ct
->status
& IPS_NAT_MASK
) {
358 ret
= nat_t120(skb
, ct
, ctinfo
, data
, dataoff
, taddr
,
360 } else { /* Conntrack only */
361 if (nf_ct_expect_related(exp
) == 0) {
362 pr_debug("nf_ct_h323: expect T.120 ");
363 NF_CT_DUMP_TUPLE(&exp
->tuple
);
368 nf_ct_expect_put(exp
);
373 /****************************************************************************/
374 static int process_h245_channel(struct sk_buff
*skb
,
376 enum ip_conntrack_info ctinfo
,
377 unsigned char **data
, int dataoff
,
378 H2250LogicalChannelParameters
*channel
)
382 if (channel
->options
& eH2250LogicalChannelParameters_mediaChannel
) {
384 ret
= expect_rtp_rtcp(skb
, ct
, ctinfo
, data
, dataoff
,
385 &channel
->mediaChannel
);
391 options
& eH2250LogicalChannelParameters_mediaControlChannel
) {
393 ret
= expect_rtp_rtcp(skb
, ct
, ctinfo
, data
, dataoff
,
394 &channel
->mediaControlChannel
);
402 /****************************************************************************/
403 static int process_olc(struct sk_buff
*skb
, struct nf_conn
*ct
,
404 enum ip_conntrack_info ctinfo
,
405 unsigned char **data
, int dataoff
,
406 OpenLogicalChannel
*olc
)
410 pr_debug("nf_ct_h323: OpenLogicalChannel\n");
412 if (olc
->forwardLogicalChannelParameters
.multiplexParameters
.choice
==
413 eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters
)
415 ret
= process_h245_channel(skb
, ct
, ctinfo
, data
, dataoff
,
417 forwardLogicalChannelParameters
.
419 h2250LogicalChannelParameters
);
425 eOpenLogicalChannel_reverseLogicalChannelParameters
) &&
426 (olc
->reverseLogicalChannelParameters
.options
&
427 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters
)
428 && (olc
->reverseLogicalChannelParameters
.multiplexParameters
.
430 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters
))
433 process_h245_channel(skb
, ct
, ctinfo
, data
, dataoff
,
435 reverseLogicalChannelParameters
.
437 h2250LogicalChannelParameters
);
442 if ((olc
->options
& eOpenLogicalChannel_separateStack
) &&
443 olc
->forwardLogicalChannelParameters
.dataType
.choice
==
445 olc
->forwardLogicalChannelParameters
.dataType
.data
.application
.
446 choice
== eDataApplicationCapability_application_t120
&&
447 olc
->forwardLogicalChannelParameters
.dataType
.data
.application
.
448 t120
.choice
== eDataProtocolCapability_separateLANStack
&&
449 olc
->separateStack
.networkAddress
.choice
==
450 eNetworkAccessParameters_networkAddress_localAreaAddress
) {
451 ret
= expect_t120(skb
, ct
, ctinfo
, data
, dataoff
,
452 &olc
->separateStack
.networkAddress
.
461 /****************************************************************************/
462 static int process_olca(struct sk_buff
*skb
, struct nf_conn
*ct
,
463 enum ip_conntrack_info ctinfo
,
464 unsigned char **data
, int dataoff
,
465 OpenLogicalChannelAck
*olca
)
467 H2250LogicalChannelAckParameters
*ack
;
470 pr_debug("nf_ct_h323: OpenLogicalChannelAck\n");
473 eOpenLogicalChannelAck_reverseLogicalChannelParameters
) &&
474 (olca
->reverseLogicalChannelParameters
.options
&
475 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters
)
476 && (olca
->reverseLogicalChannelParameters
.multiplexParameters
.
478 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters
))
480 ret
= process_h245_channel(skb
, ct
, ctinfo
, data
, dataoff
,
482 reverseLogicalChannelParameters
.
484 h2250LogicalChannelParameters
);
490 eOpenLogicalChannelAck_forwardMultiplexAckParameters
) &&
491 (olca
->forwardMultiplexAckParameters
.choice
==
492 eOpenLogicalChannelAck_forwardMultiplexAckParameters_h2250LogicalChannelAckParameters
))
494 ack
= &olca
->forwardMultiplexAckParameters
.
495 h2250LogicalChannelAckParameters
;
497 eH2250LogicalChannelAckParameters_mediaChannel
) {
499 ret
= expect_rtp_rtcp(skb
, ct
, ctinfo
, data
, dataoff
,
506 eH2250LogicalChannelAckParameters_mediaControlChannel
) {
508 ret
= expect_rtp_rtcp(skb
, ct
, ctinfo
, data
, dataoff
,
509 &ack
->mediaControlChannel
);
515 if ((olca
->options
& eOpenLogicalChannelAck_separateStack
) &&
516 olca
->separateStack
.networkAddress
.choice
==
517 eNetworkAccessParameters_networkAddress_localAreaAddress
) {
518 ret
= expect_t120(skb
, ct
, ctinfo
, data
, dataoff
,
519 &olca
->separateStack
.networkAddress
.
528 /****************************************************************************/
529 static int process_h245(struct sk_buff
*skb
, struct nf_conn
*ct
,
530 enum ip_conntrack_info ctinfo
,
531 unsigned char **data
, int dataoff
,
532 MultimediaSystemControlMessage
*mscm
)
534 switch (mscm
->choice
) {
535 case eMultimediaSystemControlMessage_request
:
536 if (mscm
->request
.choice
==
537 eRequestMessage_openLogicalChannel
) {
538 return process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
539 &mscm
->request
.openLogicalChannel
);
541 pr_debug("nf_ct_h323: H.245 Request %d\n",
542 mscm
->request
.choice
);
544 case eMultimediaSystemControlMessage_response
:
545 if (mscm
->response
.choice
==
546 eResponseMessage_openLogicalChannelAck
) {
547 return process_olca(skb
, ct
, ctinfo
, data
, dataoff
,
549 openLogicalChannelAck
);
551 pr_debug("nf_ct_h323: H.245 Response %d\n",
552 mscm
->response
.choice
);
555 pr_debug("nf_ct_h323: H.245 signal %d\n", mscm
->choice
);
562 /****************************************************************************/
563 static int h245_help(struct sk_buff
*skb
, unsigned int protoff
,
564 struct nf_conn
*ct
, enum ip_conntrack_info ctinfo
)
566 static MultimediaSystemControlMessage mscm
;
567 unsigned char *data
= NULL
;
572 /* Until there's been traffic both ways, don't look in packets. */
573 if (ctinfo
!= IP_CT_ESTABLISHED
&&
574 ctinfo
!= IP_CT_ESTABLISHED
+ IP_CT_IS_REPLY
) {
577 pr_debug("nf_ct_h245: skblen = %u\n", skb
->len
);
579 spin_lock_bh(&nf_h323_lock
);
581 /* Process each TPKT */
582 while (get_tpkt_data(skb
, protoff
, ct
, ctinfo
,
583 &data
, &datalen
, &dataoff
)) {
584 pr_debug("nf_ct_h245: TPKT len=%d ", datalen
);
585 NF_CT_DUMP_TUPLE(&ct
->tuplehash
[CTINFO2DIR(ctinfo
)].tuple
);
587 /* Decode H.245 signal */
588 ret
= DecodeMultimediaSystemControlMessage(data
, datalen
,
591 pr_debug("nf_ct_h245: decoding error: %s\n",
592 ret
== H323_ERROR_BOUND
?
593 "out of bound" : "out of range");
594 /* We don't drop when decoding error */
598 /* Process H.245 signal */
599 if (process_h245(skb
, ct
, ctinfo
, &data
, dataoff
, &mscm
) < 0)
603 spin_unlock_bh(&nf_h323_lock
);
607 spin_unlock_bh(&nf_h323_lock
);
609 printk("nf_ct_h245: packet dropped\n");
613 /****************************************************************************/
614 static struct nf_conntrack_helper nf_conntrack_helper_h245 __read_mostly
= {
617 .max_expected
= H323_RTP_CHANNEL_MAX
* 4 + 2 /* T.120 */,
619 .tuple
.dst
.protonum
= IPPROTO_UDP
,
623 /****************************************************************************/
624 int get_h225_addr(struct nf_conn
*ct
, unsigned char *data
,
625 TransportAddress
*taddr
,
626 union nf_conntrack_address
*addr
, __be16
*port
)
629 int family
= ct
->tuplehash
[IP_CT_DIR_ORIGINAL
].tuple
.src
.l3num
;
632 switch (taddr
->choice
) {
633 case eTransportAddress_ipAddress
:
634 if (family
!= AF_INET
)
636 p
= data
+ taddr
->ipAddress
.ip
;
639 case eTransportAddress_ip6Address
:
640 if (family
!= AF_INET6
)
642 p
= data
+ taddr
->ip6Address
.ip
;
649 memcpy(addr
, p
, len
);
650 memset((void *)addr
+ len
, 0, sizeof(*addr
) - len
);
651 memcpy(port
, p
+ len
, sizeof(__be16
));
656 /****************************************************************************/
657 static int expect_h245(struct sk_buff
*skb
, struct nf_conn
*ct
,
658 enum ip_conntrack_info ctinfo
,
659 unsigned char **data
, int dataoff
,
660 TransportAddress
*taddr
)
662 int dir
= CTINFO2DIR(ctinfo
);
665 union nf_conntrack_address addr
;
666 struct nf_conntrack_expect
*exp
;
667 typeof(nat_h245_hook
) nat_h245
;
669 /* Read h245Address */
670 if (!get_h225_addr(ct
, *data
, taddr
, &addr
, &port
) ||
671 memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
, sizeof(addr
)) ||
675 /* Create expect for h245 connection */
676 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
678 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
679 &ct
->tuplehash
[!dir
].tuple
.src
.u3
,
680 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
681 IPPROTO_TCP
, NULL
, &port
);
682 exp
->helper
= &nf_conntrack_helper_h245
;
684 if (memcmp(&ct
->tuplehash
[dir
].tuple
.src
.u3
,
685 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
686 sizeof(ct
->tuplehash
[dir
].tuple
.src
.u3
)) &&
687 (nat_h245
= rcu_dereference(nat_h245_hook
)) &&
688 ct
->status
& IPS_NAT_MASK
) {
690 ret
= nat_h245(skb
, ct
, ctinfo
, data
, dataoff
, taddr
,
692 } else { /* Conntrack only */
693 if (nf_ct_expect_related(exp
) == 0) {
694 pr_debug("nf_ct_q931: expect H.245 ");
695 NF_CT_DUMP_TUPLE(&exp
->tuple
);
700 nf_ct_expect_put(exp
);
705 /* If the calling party is on the same side of the forward-to party,
706 * we don't need to track the second call */
707 static int callforward_do_filter(union nf_conntrack_address
*src
,
708 union nf_conntrack_address
*dst
,
711 struct flowi fl1
, fl2
;
714 memset(&fl1
, 0, sizeof(fl1
));
715 memset(&fl2
, 0, sizeof(fl2
));
719 struct rtable
*rt1
, *rt2
;
721 fl1
.fl4_dst
= src
->ip
;
722 fl2
.fl4_dst
= dst
->ip
;
723 if (ip_route_output_key(&rt1
, &fl1
) == 0) {
724 if (ip_route_output_key(&rt2
, &fl2
) == 0) {
725 if (rt1
->rt_gateway
== rt2
->rt_gateway
&&
726 rt1
->u
.dst
.dev
== rt2
->u
.dst
.dev
)
728 dst_release(&rt2
->u
.dst
);
730 dst_release(&rt1
->u
.dst
);
734 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
736 struct rt6_info
*rt1
, *rt2
;
738 memcpy(&fl1
.fl6_dst
, src
, sizeof(fl1
.fl6_dst
));
739 memcpy(&fl2
.fl6_dst
, dst
, sizeof(fl2
.fl6_dst
));
740 rt1
= (struct rt6_info
*)ip6_route_output(NULL
, &fl1
);
742 rt2
= (struct rt6_info
*)ip6_route_output(NULL
, &fl2
);
744 if (!memcmp(&rt1
->rt6i_gateway
, &rt2
->rt6i_gateway
,
745 sizeof(rt1
->rt6i_gateway
)) &&
746 rt1
->u
.dst
.dev
== rt2
->u
.dst
.dev
)
748 dst_release(&rt2
->u
.dst
);
750 dst_release(&rt1
->u
.dst
);
760 /****************************************************************************/
761 static int expect_callforwarding(struct sk_buff
*skb
,
763 enum ip_conntrack_info ctinfo
,
764 unsigned char **data
, int dataoff
,
765 TransportAddress
*taddr
)
767 int dir
= CTINFO2DIR(ctinfo
);
770 union nf_conntrack_address addr
;
771 struct nf_conntrack_expect
*exp
;
772 typeof(nat_callforwarding_hook
) nat_callforwarding
;
774 /* Read alternativeAddress */
775 if (!get_h225_addr(ct
, *data
, taddr
, &addr
, &port
) || port
== 0)
778 /* If the calling party is on the same side of the forward-to party,
779 * we don't need to track the second call */
780 if (callforward_filter
&&
781 callforward_do_filter(&addr
, &ct
->tuplehash
[!dir
].tuple
.src
.u3
,
782 ct
->tuplehash
[!dir
].tuple
.src
.l3num
)) {
783 pr_debug("nf_ct_q931: Call Forwarding not tracked\n");
787 /* Create expect for the second call leg */
788 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
790 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
791 &ct
->tuplehash
[!dir
].tuple
.src
.u3
, &addr
,
792 IPPROTO_TCP
, NULL
, &port
);
793 exp
->helper
= nf_conntrack_helper_q931
;
795 if (memcmp(&ct
->tuplehash
[dir
].tuple
.src
.u3
,
796 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
797 sizeof(ct
->tuplehash
[dir
].tuple
.src
.u3
)) &&
798 (nat_callforwarding
= rcu_dereference(nat_callforwarding_hook
)) &&
799 ct
->status
& IPS_NAT_MASK
) {
801 ret
= nat_callforwarding(skb
, ct
, ctinfo
, data
, dataoff
,
803 } else { /* Conntrack only */
804 if (nf_ct_expect_related(exp
) == 0) {
805 pr_debug("nf_ct_q931: expect Call Forwarding ");
806 NF_CT_DUMP_TUPLE(&exp
->tuple
);
811 nf_ct_expect_put(exp
);
816 /****************************************************************************/
817 static int process_setup(struct sk_buff
*skb
, struct nf_conn
*ct
,
818 enum ip_conntrack_info ctinfo
,
819 unsigned char **data
, int dataoff
,
822 int dir
= CTINFO2DIR(ctinfo
);
826 union nf_conntrack_address addr
;
827 typeof(set_h225_addr_hook
) set_h225_addr
;
829 pr_debug("nf_ct_q931: Setup\n");
831 if (setup
->options
& eSetup_UUIE_h245Address
) {
832 ret
= expect_h245(skb
, ct
, ctinfo
, data
, dataoff
,
833 &setup
->h245Address
);
838 set_h225_addr
= rcu_dereference(set_h225_addr_hook
);
839 if ((setup
->options
& eSetup_UUIE_destCallSignalAddress
) &&
840 (set_h225_addr
) && ct
->status
&& IPS_NAT_MASK
&&
841 get_h225_addr(ct
, *data
, &setup
->destCallSignalAddress
,
843 memcmp(&addr
, &ct
->tuplehash
[!dir
].tuple
.src
.u3
, sizeof(addr
))) {
844 pr_debug("nf_ct_q931: set destCallSignalAddress "
845 NIP6_FMT
":%hu->" NIP6_FMT
":%hu\n",
846 NIP6(*(struct in6_addr
*)&addr
), ntohs(port
),
847 NIP6(*(struct in6_addr
*)&ct
->tuplehash
[!dir
].tuple
.src
.u3
),
848 ntohs(ct
->tuplehash
[!dir
].tuple
.src
.u
.tcp
.port
));
849 ret
= set_h225_addr(skb
, data
, dataoff
,
850 &setup
->destCallSignalAddress
,
851 &ct
->tuplehash
[!dir
].tuple
.src
.u3
,
852 ct
->tuplehash
[!dir
].tuple
.src
.u
.tcp
.port
);
857 if ((setup
->options
& eSetup_UUIE_sourceCallSignalAddress
) &&
858 (set_h225_addr
) && ct
->status
& IPS_NAT_MASK
&&
859 get_h225_addr(ct
, *data
, &setup
->sourceCallSignalAddress
,
861 memcmp(&addr
, &ct
->tuplehash
[!dir
].tuple
.dst
.u3
, sizeof(addr
))) {
862 pr_debug("nf_ct_q931: set sourceCallSignalAddress "
863 NIP6_FMT
":%hu->" NIP6_FMT
":%hu\n",
864 NIP6(*(struct in6_addr
*)&addr
), ntohs(port
),
865 NIP6(*(struct in6_addr
*)&ct
->tuplehash
[!dir
].tuple
.dst
.u3
),
866 ntohs(ct
->tuplehash
[!dir
].tuple
.dst
.u
.tcp
.port
));
867 ret
= set_h225_addr(skb
, data
, dataoff
,
868 &setup
->sourceCallSignalAddress
,
869 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
870 ct
->tuplehash
[!dir
].tuple
.dst
.u
.tcp
.port
);
875 if (setup
->options
& eSetup_UUIE_fastStart
) {
876 for (i
= 0; i
< setup
->fastStart
.count
; i
++) {
877 ret
= process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
878 &setup
->fastStart
.item
[i
]);
887 /****************************************************************************/
888 static int process_callproceeding(struct sk_buff
*skb
,
890 enum ip_conntrack_info ctinfo
,
891 unsigned char **data
, int dataoff
,
892 CallProceeding_UUIE
*callproc
)
897 pr_debug("nf_ct_q931: CallProceeding\n");
899 if (callproc
->options
& eCallProceeding_UUIE_h245Address
) {
900 ret
= expect_h245(skb
, ct
, ctinfo
, data
, dataoff
,
901 &callproc
->h245Address
);
906 if (callproc
->options
& eCallProceeding_UUIE_fastStart
) {
907 for (i
= 0; i
< callproc
->fastStart
.count
; i
++) {
908 ret
= process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
909 &callproc
->fastStart
.item
[i
]);
918 /****************************************************************************/
919 static int process_connect(struct sk_buff
*skb
, struct nf_conn
*ct
,
920 enum ip_conntrack_info ctinfo
,
921 unsigned char **data
, int dataoff
,
922 Connect_UUIE
*connect
)
927 pr_debug("nf_ct_q931: Connect\n");
929 if (connect
->options
& eConnect_UUIE_h245Address
) {
930 ret
= expect_h245(skb
, ct
, ctinfo
, data
, dataoff
,
931 &connect
->h245Address
);
936 if (connect
->options
& eConnect_UUIE_fastStart
) {
937 for (i
= 0; i
< connect
->fastStart
.count
; i
++) {
938 ret
= process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
939 &connect
->fastStart
.item
[i
]);
948 /****************************************************************************/
949 static int process_alerting(struct sk_buff
*skb
, struct nf_conn
*ct
,
950 enum ip_conntrack_info ctinfo
,
951 unsigned char **data
, int dataoff
,
952 Alerting_UUIE
*alert
)
957 pr_debug("nf_ct_q931: Alerting\n");
959 if (alert
->options
& eAlerting_UUIE_h245Address
) {
960 ret
= expect_h245(skb
, ct
, ctinfo
, data
, dataoff
,
961 &alert
->h245Address
);
966 if (alert
->options
& eAlerting_UUIE_fastStart
) {
967 for (i
= 0; i
< alert
->fastStart
.count
; i
++) {
968 ret
= process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
969 &alert
->fastStart
.item
[i
]);
978 /****************************************************************************/
979 static int process_facility(struct sk_buff
*skb
, struct nf_conn
*ct
,
980 enum ip_conntrack_info ctinfo
,
981 unsigned char **data
, int dataoff
,
982 Facility_UUIE
*facility
)
987 pr_debug("nf_ct_q931: Facility\n");
989 if (facility
->reason
.choice
== eFacilityReason_callForwarded
) {
990 if (facility
->options
& eFacility_UUIE_alternativeAddress
)
991 return expect_callforwarding(skb
, ct
, ctinfo
, data
,
998 if (facility
->options
& eFacility_UUIE_h245Address
) {
999 ret
= expect_h245(skb
, ct
, ctinfo
, data
, dataoff
,
1000 &facility
->h245Address
);
1005 if (facility
->options
& eFacility_UUIE_fastStart
) {
1006 for (i
= 0; i
< facility
->fastStart
.count
; i
++) {
1007 ret
= process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
1008 &facility
->fastStart
.item
[i
]);
1017 /****************************************************************************/
1018 static int process_progress(struct sk_buff
*skb
, struct nf_conn
*ct
,
1019 enum ip_conntrack_info ctinfo
,
1020 unsigned char **data
, int dataoff
,
1021 Progress_UUIE
*progress
)
1026 pr_debug("nf_ct_q931: Progress\n");
1028 if (progress
->options
& eProgress_UUIE_h245Address
) {
1029 ret
= expect_h245(skb
, ct
, ctinfo
, data
, dataoff
,
1030 &progress
->h245Address
);
1035 if (progress
->options
& eProgress_UUIE_fastStart
) {
1036 for (i
= 0; i
< progress
->fastStart
.count
; i
++) {
1037 ret
= process_olc(skb
, ct
, ctinfo
, data
, dataoff
,
1038 &progress
->fastStart
.item
[i
]);
1047 /****************************************************************************/
1048 static int process_q931(struct sk_buff
*skb
, struct nf_conn
*ct
,
1049 enum ip_conntrack_info ctinfo
,
1050 unsigned char **data
, int dataoff
, Q931
*q931
)
1052 H323_UU_PDU
*pdu
= &q931
->UUIE
.h323_uu_pdu
;
1056 switch (pdu
->h323_message_body
.choice
) {
1057 case eH323_UU_PDU_h323_message_body_setup
:
1058 ret
= process_setup(skb
, ct
, ctinfo
, data
, dataoff
,
1059 &pdu
->h323_message_body
.setup
);
1061 case eH323_UU_PDU_h323_message_body_callProceeding
:
1062 ret
= process_callproceeding(skb
, ct
, ctinfo
, data
, dataoff
,
1063 &pdu
->h323_message_body
.
1066 case eH323_UU_PDU_h323_message_body_connect
:
1067 ret
= process_connect(skb
, ct
, ctinfo
, data
, dataoff
,
1068 &pdu
->h323_message_body
.connect
);
1070 case eH323_UU_PDU_h323_message_body_alerting
:
1071 ret
= process_alerting(skb
, ct
, ctinfo
, data
, dataoff
,
1072 &pdu
->h323_message_body
.alerting
);
1074 case eH323_UU_PDU_h323_message_body_facility
:
1075 ret
= process_facility(skb
, ct
, ctinfo
, data
, dataoff
,
1076 &pdu
->h323_message_body
.facility
);
1078 case eH323_UU_PDU_h323_message_body_progress
:
1079 ret
= process_progress(skb
, ct
, ctinfo
, data
, dataoff
,
1080 &pdu
->h323_message_body
.progress
);
1083 pr_debug("nf_ct_q931: Q.931 signal %d\n",
1084 pdu
->h323_message_body
.choice
);
1091 if (pdu
->options
& eH323_UU_PDU_h245Control
) {
1092 for (i
= 0; i
< pdu
->h245Control
.count
; i
++) {
1093 ret
= process_h245(skb
, ct
, ctinfo
, data
, dataoff
,
1094 &pdu
->h245Control
.item
[i
]);
1103 /****************************************************************************/
1104 static int q931_help(struct sk_buff
*skb
, unsigned int protoff
,
1105 struct nf_conn
*ct
, enum ip_conntrack_info ctinfo
)
1108 unsigned char *data
= NULL
;
1113 /* Until there's been traffic both ways, don't look in packets. */
1114 if (ctinfo
!= IP_CT_ESTABLISHED
&&
1115 ctinfo
!= IP_CT_ESTABLISHED
+ IP_CT_IS_REPLY
) {
1118 pr_debug("nf_ct_q931: skblen = %u\n", skb
->len
);
1120 spin_lock_bh(&nf_h323_lock
);
1122 /* Process each TPKT */
1123 while (get_tpkt_data(skb
, protoff
, ct
, ctinfo
,
1124 &data
, &datalen
, &dataoff
)) {
1125 pr_debug("nf_ct_q931: TPKT len=%d ", datalen
);
1126 NF_CT_DUMP_TUPLE(&ct
->tuplehash
[CTINFO2DIR(ctinfo
)].tuple
);
1128 /* Decode Q.931 signal */
1129 ret
= DecodeQ931(data
, datalen
, &q931
);
1131 pr_debug("nf_ct_q931: decoding error: %s\n",
1132 ret
== H323_ERROR_BOUND
?
1133 "out of bound" : "out of range");
1134 /* We don't drop when decoding error */
1138 /* Process Q.931 signal */
1139 if (process_q931(skb
, ct
, ctinfo
, &data
, dataoff
, &q931
) < 0)
1143 spin_unlock_bh(&nf_h323_lock
);
1147 spin_unlock_bh(&nf_h323_lock
);
1148 if (net_ratelimit())
1149 printk("nf_ct_q931: packet dropped\n");
1153 /****************************************************************************/
1154 static struct nf_conntrack_helper nf_conntrack_helper_q931
[] __read_mostly
= {
1158 /* T.120 and H.245 */
1159 .max_expected
= H323_RTP_CHANNEL_MAX
* 4 + 4,
1161 .tuple
.src
.l3num
= AF_INET
,
1162 .tuple
.src
.u
.tcp
.port
= __constant_htons(Q931_PORT
),
1163 .tuple
.dst
.protonum
= IPPROTO_TCP
,
1169 /* T.120 and H.245 */
1170 .max_expected
= H323_RTP_CHANNEL_MAX
* 4 + 4,
1172 .tuple
.src
.l3num
= AF_INET6
,
1173 .tuple
.src
.u
.tcp
.port
= __constant_htons(Q931_PORT
),
1174 .tuple
.dst
.protonum
= IPPROTO_TCP
,
1179 /****************************************************************************/
1180 static unsigned char *get_udp_data(struct sk_buff
*skb
, unsigned int protoff
,
1183 struct udphdr _uh
, *uh
;
1186 uh
= skb_header_pointer(skb
, protoff
, sizeof(_uh
), &_uh
);
1189 dataoff
= protoff
+ sizeof(_uh
);
1190 if (dataoff
>= skb
->len
)
1192 *datalen
= skb
->len
- dataoff
;
1193 return skb_header_pointer(skb
, dataoff
, *datalen
, h323_buffer
);
1196 /****************************************************************************/
1197 static struct nf_conntrack_expect
*find_expect(struct nf_conn
*ct
,
1198 union nf_conntrack_address
*addr
,
1201 struct nf_conntrack_expect
*exp
;
1202 struct nf_conntrack_tuple tuple
;
1204 memset(&tuple
.src
.u3
, 0, sizeof(tuple
.src
.u3
));
1205 tuple
.src
.u
.tcp
.port
= 0;
1206 memcpy(&tuple
.dst
.u3
, addr
, sizeof(tuple
.dst
.u3
));
1207 tuple
.dst
.u
.tcp
.port
= port
;
1208 tuple
.dst
.protonum
= IPPROTO_TCP
;
1210 exp
= __nf_ct_expect_find(&tuple
);
1211 if (exp
&& exp
->master
== ct
)
1216 /****************************************************************************/
1217 static int set_expect_timeout(struct nf_conntrack_expect
*exp
,
1220 if (!exp
|| !del_timer(&exp
->timeout
))
1223 exp
->timeout
.expires
= jiffies
+ timeout
* HZ
;
1224 add_timer(&exp
->timeout
);
1229 /****************************************************************************/
1230 static int expect_q931(struct sk_buff
*skb
, struct nf_conn
*ct
,
1231 enum ip_conntrack_info ctinfo
,
1232 unsigned char **data
,
1233 TransportAddress
*taddr
, int count
)
1235 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
1236 int dir
= CTINFO2DIR(ctinfo
);
1240 union nf_conntrack_address addr
;
1241 struct nf_conntrack_expect
*exp
;
1242 typeof(nat_q931_hook
) nat_q931
;
1244 /* Look for the first related address */
1245 for (i
= 0; i
< count
; i
++) {
1246 if (get_h225_addr(ct
, *data
, &taddr
[i
], &addr
, &port
) &&
1247 memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
,
1248 sizeof(addr
)) == 0 && port
!= 0)
1252 if (i
>= count
) /* Not found */
1255 /* Create expect for Q.931 */
1256 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
1258 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
1259 gkrouted_only
? /* only accept calls from GK? */
1260 &ct
->tuplehash
[!dir
].tuple
.src
.u3
: NULL
,
1261 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
1262 IPPROTO_TCP
, NULL
, &port
);
1263 exp
->helper
= nf_conntrack_helper_q931
;
1264 exp
->flags
= NF_CT_EXPECT_PERMANENT
; /* Accept multiple calls */
1266 nat_q931
= rcu_dereference(nat_q931_hook
);
1267 if (nat_q931
&& ct
->status
& IPS_NAT_MASK
) { /* Need NAT */
1268 ret
= nat_q931(skb
, ct
, ctinfo
, data
, taddr
, i
, port
, exp
);
1269 } else { /* Conntrack only */
1270 if (nf_ct_expect_related(exp
) == 0) {
1271 pr_debug("nf_ct_ras: expect Q.931 ");
1272 NF_CT_DUMP_TUPLE(&exp
->tuple
);
1274 /* Save port for looking up expect in processing RCF */
1275 info
->sig_port
[dir
] = port
;
1280 nf_ct_expect_put(exp
);
1285 /****************************************************************************/
1286 static int process_grq(struct sk_buff
*skb
, struct nf_conn
*ct
,
1287 enum ip_conntrack_info ctinfo
,
1288 unsigned char **data
, GatekeeperRequest
*grq
)
1290 typeof(set_ras_addr_hook
) set_ras_addr
;
1292 pr_debug("nf_ct_ras: GRQ\n");
1294 set_ras_addr
= rcu_dereference(set_ras_addr_hook
);
1295 if (set_ras_addr
&& ct
->status
& IPS_NAT_MASK
) /* NATed */
1296 return set_ras_addr(skb
, ct
, ctinfo
, data
,
1297 &grq
->rasAddress
, 1);
1301 /****************************************************************************/
1302 static int process_gcf(struct sk_buff
*skb
, struct nf_conn
*ct
,
1303 enum ip_conntrack_info ctinfo
,
1304 unsigned char **data
, GatekeeperConfirm
*gcf
)
1306 int dir
= CTINFO2DIR(ctinfo
);
1309 union nf_conntrack_address addr
;
1310 struct nf_conntrack_expect
*exp
;
1312 pr_debug("nf_ct_ras: GCF\n");
1314 if (!get_h225_addr(ct
, *data
, &gcf
->rasAddress
, &addr
, &port
))
1317 /* Registration port is the same as discovery port */
1318 if (!memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
, sizeof(addr
)) &&
1319 port
== ct
->tuplehash
[dir
].tuple
.src
.u
.udp
.port
)
1322 /* Avoid RAS expectation loops. A GCF is never expected. */
1323 if (test_bit(IPS_EXPECTED_BIT
, &ct
->status
))
1326 /* Need new expect */
1327 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
1329 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
1330 &ct
->tuplehash
[!dir
].tuple
.src
.u3
, &addr
,
1331 IPPROTO_UDP
, NULL
, &port
);
1332 exp
->helper
= nf_conntrack_helper_ras
;
1334 if (nf_ct_expect_related(exp
) == 0) {
1335 pr_debug("nf_ct_ras: expect RAS ");
1336 NF_CT_DUMP_TUPLE(&exp
->tuple
);
1340 nf_ct_expect_put(exp
);
1345 /****************************************************************************/
1346 static int process_rrq(struct sk_buff
*skb
, struct nf_conn
*ct
,
1347 enum ip_conntrack_info ctinfo
,
1348 unsigned char **data
, RegistrationRequest
*rrq
)
1350 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
1352 typeof(set_ras_addr_hook
) set_ras_addr
;
1354 pr_debug("nf_ct_ras: RRQ\n");
1356 ret
= expect_q931(skb
, ct
, ctinfo
, data
,
1357 rrq
->callSignalAddress
.item
,
1358 rrq
->callSignalAddress
.count
);
1362 set_ras_addr
= rcu_dereference(set_ras_addr_hook
);
1363 if (set_ras_addr
&& ct
->status
& IPS_NAT_MASK
) {
1364 ret
= set_ras_addr(skb
, ct
, ctinfo
, data
,
1365 rrq
->rasAddress
.item
,
1366 rrq
->rasAddress
.count
);
1371 if (rrq
->options
& eRegistrationRequest_timeToLive
) {
1372 pr_debug("nf_ct_ras: RRQ TTL = %u seconds\n", rrq
->timeToLive
);
1373 info
->timeout
= rrq
->timeToLive
;
1375 info
->timeout
= default_rrq_ttl
;
1380 /****************************************************************************/
1381 static int process_rcf(struct sk_buff
*skb
, struct nf_conn
*ct
,
1382 enum ip_conntrack_info ctinfo
,
1383 unsigned char **data
, RegistrationConfirm
*rcf
)
1385 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
1386 int dir
= CTINFO2DIR(ctinfo
);
1388 struct nf_conntrack_expect
*exp
;
1389 typeof(set_sig_addr_hook
) set_sig_addr
;
1391 pr_debug("nf_ct_ras: RCF\n");
1393 set_sig_addr
= rcu_dereference(set_sig_addr_hook
);
1394 if (set_sig_addr
&& ct
->status
& IPS_NAT_MASK
) {
1395 ret
= set_sig_addr(skb
, ct
, ctinfo
, data
,
1396 rcf
->callSignalAddress
.item
,
1397 rcf
->callSignalAddress
.count
);
1402 if (rcf
->options
& eRegistrationConfirm_timeToLive
) {
1403 pr_debug("nf_ct_ras: RCF TTL = %u seconds\n", rcf
->timeToLive
);
1404 info
->timeout
= rcf
->timeToLive
;
1407 if (info
->timeout
> 0) {
1408 pr_debug("nf_ct_ras: set RAS connection timeout to "
1409 "%u seconds\n", info
->timeout
);
1410 nf_ct_refresh(ct
, skb
, info
->timeout
* HZ
);
1412 /* Set expect timeout */
1413 read_lock_bh(&nf_conntrack_lock
);
1414 exp
= find_expect(ct
, &ct
->tuplehash
[dir
].tuple
.dst
.u3
,
1415 info
->sig_port
[!dir
]);
1417 pr_debug("nf_ct_ras: set Q.931 expect "
1418 "timeout to %u seconds for",
1420 NF_CT_DUMP_TUPLE(&exp
->tuple
);
1421 set_expect_timeout(exp
, info
->timeout
);
1423 read_unlock_bh(&nf_conntrack_lock
);
1429 /****************************************************************************/
1430 static int process_urq(struct sk_buff
*skb
, struct nf_conn
*ct
,
1431 enum ip_conntrack_info ctinfo
,
1432 unsigned char **data
, UnregistrationRequest
*urq
)
1434 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
1435 int dir
= CTINFO2DIR(ctinfo
);
1437 typeof(set_sig_addr_hook
) set_sig_addr
;
1439 pr_debug("nf_ct_ras: URQ\n");
1441 set_sig_addr
= rcu_dereference(set_sig_addr_hook
);
1442 if (set_sig_addr
&& ct
->status
& IPS_NAT_MASK
) {
1443 ret
= set_sig_addr(skb
, ct
, ctinfo
, data
,
1444 urq
->callSignalAddress
.item
,
1445 urq
->callSignalAddress
.count
);
1450 /* Clear old expect */
1451 nf_ct_remove_expectations(ct
);
1452 info
->sig_port
[dir
] = 0;
1453 info
->sig_port
[!dir
] = 0;
1455 /* Give it 30 seconds for UCF or URJ */
1456 nf_ct_refresh(ct
, skb
, 30 * HZ
);
1461 /****************************************************************************/
1462 static int process_arq(struct sk_buff
*skb
, struct nf_conn
*ct
,
1463 enum ip_conntrack_info ctinfo
,
1464 unsigned char **data
, AdmissionRequest
*arq
)
1466 struct nf_ct_h323_master
*info
= &nfct_help(ct
)->help
.ct_h323_info
;
1467 int dir
= CTINFO2DIR(ctinfo
);
1469 union nf_conntrack_address addr
;
1470 typeof(set_h225_addr_hook
) set_h225_addr
;
1472 pr_debug("nf_ct_ras: ARQ\n");
1474 set_h225_addr
= rcu_dereference(set_h225_addr_hook
);
1475 if ((arq
->options
& eAdmissionRequest_destCallSignalAddress
) &&
1476 get_h225_addr(ct
, *data
, &arq
->destCallSignalAddress
,
1478 !memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
, sizeof(addr
)) &&
1479 port
== info
->sig_port
[dir
] &&
1480 set_h225_addr
&& ct
->status
& IPS_NAT_MASK
) {
1482 return set_h225_addr(skb
, data
, 0,
1483 &arq
->destCallSignalAddress
,
1484 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
1485 info
->sig_port
[!dir
]);
1488 if ((arq
->options
& eAdmissionRequest_srcCallSignalAddress
) &&
1489 get_h225_addr(ct
, *data
, &arq
->srcCallSignalAddress
,
1491 !memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.src
.u3
, sizeof(addr
)) &&
1492 set_h225_addr
&& ct
->status
& IPS_NAT_MASK
) {
1494 return set_h225_addr(skb
, data
, 0,
1495 &arq
->srcCallSignalAddress
,
1496 &ct
->tuplehash
[!dir
].tuple
.dst
.u3
,
1503 /****************************************************************************/
1504 static int process_acf(struct sk_buff
*skb
, struct nf_conn
*ct
,
1505 enum ip_conntrack_info ctinfo
,
1506 unsigned char **data
, AdmissionConfirm
*acf
)
1508 int dir
= CTINFO2DIR(ctinfo
);
1511 union nf_conntrack_address addr
;
1512 struct nf_conntrack_expect
*exp
;
1513 typeof(set_sig_addr_hook
) set_sig_addr
;
1515 pr_debug("nf_ct_ras: ACF\n");
1517 if (!get_h225_addr(ct
, *data
, &acf
->destCallSignalAddress
,
1521 if (!memcmp(&addr
, &ct
->tuplehash
[dir
].tuple
.dst
.u3
, sizeof(addr
))) {
1523 set_sig_addr
= rcu_dereference(set_sig_addr_hook
);
1524 if (set_sig_addr
&& ct
->status
& IPS_NAT_MASK
)
1525 return set_sig_addr(skb
, ct
, ctinfo
, data
,
1526 &acf
->destCallSignalAddress
, 1);
1530 /* Need new expect */
1531 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
1533 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
1534 &ct
->tuplehash
[!dir
].tuple
.src
.u3
, &addr
,
1535 IPPROTO_TCP
, NULL
, &port
);
1536 exp
->flags
= NF_CT_EXPECT_PERMANENT
;
1537 exp
->helper
= nf_conntrack_helper_q931
;
1539 if (nf_ct_expect_related(exp
) == 0) {
1540 pr_debug("nf_ct_ras: expect Q.931 ");
1541 NF_CT_DUMP_TUPLE(&exp
->tuple
);
1545 nf_ct_expect_put(exp
);
1550 /****************************************************************************/
1551 static int process_lrq(struct sk_buff
*skb
, struct nf_conn
*ct
,
1552 enum ip_conntrack_info ctinfo
,
1553 unsigned char **data
, LocationRequest
*lrq
)
1555 typeof(set_ras_addr_hook
) set_ras_addr
;
1557 pr_debug("nf_ct_ras: LRQ\n");
1559 set_ras_addr
= rcu_dereference(set_ras_addr_hook
);
1560 if (set_ras_addr
&& ct
->status
& IPS_NAT_MASK
)
1561 return set_ras_addr(skb
, ct
, ctinfo
, data
,
1562 &lrq
->replyAddress
, 1);
1566 /****************************************************************************/
1567 static int process_lcf(struct sk_buff
*skb
, struct nf_conn
*ct
,
1568 enum ip_conntrack_info ctinfo
,
1569 unsigned char **data
, LocationConfirm
*lcf
)
1571 int dir
= CTINFO2DIR(ctinfo
);
1574 union nf_conntrack_address addr
;
1575 struct nf_conntrack_expect
*exp
;
1577 pr_debug("nf_ct_ras: LCF\n");
1579 if (!get_h225_addr(ct
, *data
, &lcf
->callSignalAddress
,
1583 /* Need new expect for call signal */
1584 if ((exp
= nf_ct_expect_alloc(ct
)) == NULL
)
1586 nf_ct_expect_init(exp
, ct
->tuplehash
[!dir
].tuple
.src
.l3num
,
1587 &ct
->tuplehash
[!dir
].tuple
.src
.u3
, &addr
,
1588 IPPROTO_TCP
, NULL
, &port
);
1589 exp
->flags
= NF_CT_EXPECT_PERMANENT
;
1590 exp
->helper
= nf_conntrack_helper_q931
;
1592 if (nf_ct_expect_related(exp
) == 0) {
1593 pr_debug("nf_ct_ras: expect Q.931 ");
1594 NF_CT_DUMP_TUPLE(&exp
->tuple
);
1598 nf_ct_expect_put(exp
);
1600 /* Ignore rasAddress */
1605 /****************************************************************************/
1606 static int process_irr(struct sk_buff
*skb
, struct nf_conn
*ct
,
1607 enum ip_conntrack_info ctinfo
,
1608 unsigned char **data
, InfoRequestResponse
*irr
)
1611 typeof(set_ras_addr_hook
) set_ras_addr
;
1612 typeof(set_sig_addr_hook
) set_sig_addr
;
1614 pr_debug("nf_ct_ras: IRR\n");
1616 set_ras_addr
= rcu_dereference(set_ras_addr_hook
);
1617 if (set_ras_addr
&& ct
->status
& IPS_NAT_MASK
) {
1618 ret
= set_ras_addr(skb
, ct
, ctinfo
, data
,
1619 &irr
->rasAddress
, 1);
1624 set_sig_addr
= rcu_dereference(set_sig_addr_hook
);
1625 if (set_sig_addr
&& ct
->status
& IPS_NAT_MASK
) {
1626 ret
= set_sig_addr(skb
, ct
, ctinfo
, data
,
1627 irr
->callSignalAddress
.item
,
1628 irr
->callSignalAddress
.count
);
1636 /****************************************************************************/
1637 static int process_ras(struct sk_buff
*skb
, struct nf_conn
*ct
,
1638 enum ip_conntrack_info ctinfo
,
1639 unsigned char **data
, RasMessage
*ras
)
1641 switch (ras
->choice
) {
1642 case eRasMessage_gatekeeperRequest
:
1643 return process_grq(skb
, ct
, ctinfo
, data
,
1644 &ras
->gatekeeperRequest
);
1645 case eRasMessage_gatekeeperConfirm
:
1646 return process_gcf(skb
, ct
, ctinfo
, data
,
1647 &ras
->gatekeeperConfirm
);
1648 case eRasMessage_registrationRequest
:
1649 return process_rrq(skb
, ct
, ctinfo
, data
,
1650 &ras
->registrationRequest
);
1651 case eRasMessage_registrationConfirm
:
1652 return process_rcf(skb
, ct
, ctinfo
, data
,
1653 &ras
->registrationConfirm
);
1654 case eRasMessage_unregistrationRequest
:
1655 return process_urq(skb
, ct
, ctinfo
, data
,
1656 &ras
->unregistrationRequest
);
1657 case eRasMessage_admissionRequest
:
1658 return process_arq(skb
, ct
, ctinfo
, data
,
1659 &ras
->admissionRequest
);
1660 case eRasMessage_admissionConfirm
:
1661 return process_acf(skb
, ct
, ctinfo
, data
,
1662 &ras
->admissionConfirm
);
1663 case eRasMessage_locationRequest
:
1664 return process_lrq(skb
, ct
, ctinfo
, data
,
1665 &ras
->locationRequest
);
1666 case eRasMessage_locationConfirm
:
1667 return process_lcf(skb
, ct
, ctinfo
, data
,
1668 &ras
->locationConfirm
);
1669 case eRasMessage_infoRequestResponse
:
1670 return process_irr(skb
, ct
, ctinfo
, data
,
1671 &ras
->infoRequestResponse
);
1673 pr_debug("nf_ct_ras: RAS message %d\n", ras
->choice
);
1680 /****************************************************************************/
1681 static int ras_help(struct sk_buff
*skb
, unsigned int protoff
,
1682 struct nf_conn
*ct
, enum ip_conntrack_info ctinfo
)
1684 static RasMessage ras
;
1685 unsigned char *data
;
1689 pr_debug("nf_ct_ras: skblen = %u\n", skb
->len
);
1691 spin_lock_bh(&nf_h323_lock
);
1694 data
= get_udp_data(skb
, protoff
, &datalen
);
1697 pr_debug("nf_ct_ras: RAS message len=%d ", datalen
);
1698 NF_CT_DUMP_TUPLE(&ct
->tuplehash
[CTINFO2DIR(ctinfo
)].tuple
);
1700 /* Decode RAS message */
1701 ret
= DecodeRasMessage(data
, datalen
, &ras
);
1703 pr_debug("nf_ct_ras: decoding error: %s\n",
1704 ret
== H323_ERROR_BOUND
?
1705 "out of bound" : "out of range");
1709 /* Process RAS message */
1710 if (process_ras(skb
, ct
, ctinfo
, &data
, &ras
) < 0)
1714 spin_unlock_bh(&nf_h323_lock
);
1718 spin_unlock_bh(&nf_h323_lock
);
1719 if (net_ratelimit())
1720 printk("nf_ct_ras: packet dropped\n");
1724 /****************************************************************************/
1725 static struct nf_conntrack_helper nf_conntrack_helper_ras
[] __read_mostly
= {
1731 .tuple
.src
.l3num
= AF_INET
,
1732 .tuple
.src
.u
.udp
.port
= __constant_htons(RAS_PORT
),
1733 .tuple
.dst
.protonum
= IPPROTO_UDP
,
1741 .tuple
.src
.l3num
= AF_INET6
,
1742 .tuple
.src
.u
.udp
.port
= __constant_htons(RAS_PORT
),
1743 .tuple
.dst
.protonum
= IPPROTO_UDP
,
1748 /****************************************************************************/
1749 static void __exit
nf_conntrack_h323_fini(void)
1751 nf_conntrack_helper_unregister(&nf_conntrack_helper_ras
[1]);
1752 nf_conntrack_helper_unregister(&nf_conntrack_helper_ras
[0]);
1753 nf_conntrack_helper_unregister(&nf_conntrack_helper_q931
[1]);
1754 nf_conntrack_helper_unregister(&nf_conntrack_helper_q931
[0]);
1756 pr_debug("nf_ct_h323: fini\n");
1759 /****************************************************************************/
1760 static int __init
nf_conntrack_h323_init(void)
1764 h323_buffer
= kmalloc(65536, GFP_KERNEL
);
1767 ret
= nf_conntrack_helper_register(&nf_conntrack_helper_q931
[0]);
1770 ret
= nf_conntrack_helper_register(&nf_conntrack_helper_q931
[1]);
1773 ret
= nf_conntrack_helper_register(&nf_conntrack_helper_ras
[0]);
1776 ret
= nf_conntrack_helper_register(&nf_conntrack_helper_ras
[1]);
1779 pr_debug("nf_ct_h323: init success\n");
1783 nf_conntrack_helper_unregister(&nf_conntrack_helper_ras
[0]);
1785 nf_conntrack_helper_unregister(&nf_conntrack_helper_q931
[1]);
1787 nf_conntrack_helper_unregister(&nf_conntrack_helper_q931
[0]);
1792 /****************************************************************************/
1793 module_init(nf_conntrack_h323_init
);
1794 module_exit(nf_conntrack_h323_fini
);
1796 EXPORT_SYMBOL_GPL(get_h225_addr
);
1797 EXPORT_SYMBOL_GPL(set_h245_addr_hook
);
1798 EXPORT_SYMBOL_GPL(set_h225_addr_hook
);
1799 EXPORT_SYMBOL_GPL(set_sig_addr_hook
);
1800 EXPORT_SYMBOL_GPL(set_ras_addr_hook
);
1801 EXPORT_SYMBOL_GPL(nat_rtp_rtcp_hook
);
1802 EXPORT_SYMBOL_GPL(nat_t120_hook
);
1803 EXPORT_SYMBOL_GPL(nat_h245_hook
);
1804 EXPORT_SYMBOL_GPL(nat_callforwarding_hook
);
1805 EXPORT_SYMBOL_GPL(nat_q931_hook
);
1807 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
1808 MODULE_DESCRIPTION("H.323 connection tracking helper");
1809 MODULE_LICENSE("GPL");
1810 MODULE_ALIAS("ip_conntrack_h323");