/*
 * H.323 extension for NAT alteration.
 *
 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
 *
 * This source code is licensed under General Public License version 2.
 *
 * Based on the 'brute force' H.323 NAT module by
 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 */
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/tcp.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_helper.h>
#include <net/netfilter/nf_nat_rule.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <linux/netfilter/nf_conntrack_h323.h>

/* Debug tracing is compiled out: DEBUGP() expands to nothing, so the
 * preprocessor discards its arguments and they are never compiled. */
#define DEBUGP(format, args...)
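/****************************************************************************/
/*
 * set_addr - overwrite a 6-byte IPv4 address/port field in the payload.
 * @pskb:    packet; handed to the mangle helpers by reference and
 *           dereferenced again afterwards
 * @data:    out: pointer to the payload, recomputed after mangling
 * @dataoff: added to @addroff; for TCP it is also added to the new *data
 * @addroff: offset of the address field that is replaced
 * @ip:      replacement address (__be32)
 * @port:    replacement port (__be16)
 *
 * The replacement has the same length as the field it overwrites
 * (sizeof(buf) for both the match and the replacement length).
 *
 * NOTE(review): @addroff originates from the decoded, peer-supplied
 * message (see the callers); bounds checking is presumably done by the
 * decoder and by the mangle helpers - confirm.
 *
 * Returns 0 on success, -1 if mangling fails or the TCP header cannot
 * be read back.
 */
static int set_addr(struct sk_buff **pskb,
		    unsigned char **data, int dataoff,
		    unsigned int addroff, __be32 ip, __be16 port)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = ip_conntrack_get(*pskb, &ctinfo);
	/* Wire layout of the field: address immediately followed by port. */
	struct {
		__be32 ip;
		__be16 port;
	} __attribute__ ((__packed__)) buf;
	struct tcphdr _tcph, *th;

	buf.ip = ip;
	buf.port = port;
	addroff += dataoff;

	if ((*pskb)->nh.iph->protocol == IPPROTO_TCP) {
		if (!nf_nat_mangle_tcp_packet(pskb, ct, ctinfo,
					      addroff, sizeof(buf),
					      (char *) &buf, sizeof(buf))) {
			if (net_ratelimit())
				printk("nf_nat_h323: nf_nat_mangle_tcp_packet"
				       " error\n");
			return -1;
		}

		/* Relocate data pointer */
		th = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl * 4,
					sizeof(_tcph), &_tcph);
		/* skb_header_pointer() can fail; never read th->doff
		 * through a NULL pointer. */
		if (th == NULL)
			return -1;
		*data = (*pskb)->data + (*pskb)->nh.iph->ihl * 4 +
		    th->doff * 4 + dataoff;
	} else {
		if (!nf_nat_mangle_udp_packet(pskb, ct, ctinfo,
					      addroff, sizeof(buf),
					      (char *) &buf, sizeof(buf))) {
			if (net_ratelimit())
				printk("nf_nat_h323: nf_nat_mangle_udp_packet"
				       " error\n");
			return -1;
		}
		/* nf_nat_mangle_udp_packet uses skb_make_writable() to copy
		 * or pull everything in a linear buffer, so we can safely
		 * use the skb pointers now */
		*data = (*pskb)->data + (*pskb)->nh.iph->ihl * 4 +
		    sizeof(struct udphdr);
	}

	return 0;
}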
/****************************************************************************/
/*
 * set_h225_addr - rewrite the IPv4 address/port of an H.225 TransportAddress.
 *
 * Thin wrapper around set_addr(): taddr->ipAddress.ip is passed in the
 * addroff position, i.e. it is used as the offset of the field inside the
 * message, and addr->ip / port are the replacement values.
 *
 * Returns whatever set_addr() returns.
 */
static int set_h225_addr(struct sk_buff **pskb,
			 unsigned char **data, int dataoff,
			 TransportAddress *taddr,
			 union nf_conntrack_address *addr, __be16 port)
{
	unsigned int field_off = taddr->ipAddress.ip;

	return set_addr(pskb, data, dataoff, field_off, addr->ip, port);
}
/****************************************************************************/
/*
 * set_h245_addr - rewrite the IPv4 address/port of an H.245 unicast address.
 *
 * Thin wrapper around set_addr(): taddr->unicastAddress.iPAddress.network
 * is passed in the addroff position, i.e. it is used as the offset of the
 * field inside the message, and addr->ip / port are the replacement values.
 *
 * Returns whatever set_addr() returns.
 */
static int set_h245_addr(struct sk_buff **pskb,
			 unsigned char **data, int dataoff,
			 H245_TransportAddress *taddr,
			 union nf_conntrack_address *addr, __be16 port)
{
	unsigned int field_off = taddr->unicastAddress.iPAddress.network;

	return set_addr(pskb, data, dataoff, field_off, addr->ip, port);
}
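/****************************************************************************/
/*
 * set_sig_addr - rewrite the call signalling address in a RAS message.
 * @taddr: array of @count transport addresses from the decoded message
 *
 * Walks the array and rewrites the first entry whose address/port match
 * this direction's source (or destination) address and the signalling
 * port recorded in the conntrack's H.323 info. The replacement is the
 * opposite direction's dst (resp. src) address and recorded port.
 *
 * Returns 0 if nothing matched, otherwise the result of set_h225_addr().
 */
static int set_sig_addr(struct sk_buff **pskb, struct nf_conn *ct,
			enum ip_conntrack_info ctinfo,
			unsigned char **data,
			TransportAddress *taddr, int count)
{
	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
	int dir = CTINFO2DIR(ctinfo);
	int i;
	__be16 port;
	union nf_conntrack_address addr;

	for (i = 0; i < count; i++) {
		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port)) {
			if (addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
			    port == info->sig_port[dir]) {
				/* GW->GK */

				/* Fix for Gnomemeeting: if entry 0 is a
				 * loopback address (127.0.0.0/8), rewrite
				 * that entry instead of the matching one. */
				if (i > 0 &&
				    get_h225_addr(ct, *data, &taddr[0],
						  &addr, &port) &&
				    (ntohl(addr.ip) & 0xff000000) == 0x7f000000)
					i = 0;

				/* Trace arguments use the same members as the
				 * live code (addr.ip, .u3.ip) and host-order
				 * ports, so the trace still builds when
				 * DEBUGP is enabled. */
				DEBUGP("nf_nat_ras: set signal address "
				       "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
				       NIPQUAD(addr.ip), ntohs(port),
				       NIPQUAD(ct->tuplehash[!dir].tuple.dst.
					       u3.ip),
				       ntohs(info->sig_port[!dir]));
				return set_h225_addr(pskb, data, 0, &taddr[i],
						     &ct->tuplehash[!dir].
						     tuple.dst.u3,
						     info->sig_port[!dir]);
			} else if (addr.ip ==
				   ct->tuplehash[dir].tuple.dst.u3.ip &&
				   port == info->sig_port[dir]) {
				/* GK->GW */
				DEBUGP("nf_nat_ras: set signal address "
				       "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
				       NIPQUAD(addr.ip), ntohs(port),
				       NIPQUAD(ct->tuplehash[!dir].tuple.src.
					       u3.ip),
				       ntohs(info->sig_port[!dir]));
				return set_h225_addr(pskb, data, 0, &taddr[i],
						     &ct->tuplehash[!dir].
						     tuple.src.u3,
						     info->sig_port[!dir]);
			}
		}
	}

	return 0;
}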
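/****************************************************************************/
/*
 * set_ras_addr - rewrite the RAS address in a RAS message.
 * @taddr: array of @count transport addresses from the decoded message
 *
 * Rewrites the first entry that equals this direction's source address
 * and UDP source port to the opposite direction's destination address
 * and UDP port.
 *
 * Returns 0 if nothing matched, otherwise the result of set_h225_addr().
 */
static int set_ras_addr(struct sk_buff **pskb, struct nf_conn *ct,
			enum ip_conntrack_info ctinfo,
			unsigned char **data,
			TransportAddress *taddr, int count)
{
	int dir = CTINFO2DIR(ctinfo);
	int i;
	__be16 port;
	union nf_conntrack_address addr;

	for (i = 0; i < count; i++) {
		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
		    addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
		    port == ct->tuplehash[dir].tuple.src.u.udp.port) {
			/* Trace the address actually parsed (addr.ip); the
			 * function has no plain 'ip' variable to print. */
			DEBUGP("nf_nat_ras: set rasAddress "
			       "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
			       NIPQUAD(addr.ip), ntohs(port),
			       NIPQUAD(ct->tuplehash[!dir].tuple.dst.u3.ip),
			       ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.
				     port));
			return set_h225_addr(pskb, data, 0, &taddr[i],
					     &ct->tuplehash[!dir].tuple.dst.u3,
					     ct->tuplehash[!dir].tuple.
					     dst.u.udp.port);
		}
	}

	return 0;
}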
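/****************************************************************************/
/*
 * nat_rtp_rtcp - set up NAT for an RTP/RTCP channel announced in H.245.
 * @port:     port found in the message; its low bit selects whether the
 *            RTP port or the RTCP port (RTP + 1) is written back
 * @rtp_port: RTP port of the channel, used as the key into info->rtp_port
 * @rtp_exp, @rtcp_exp: expectations to register for the two flows
 *
 * Registers both expectations on a free port pair, rewrites the address
 * in the message and records the mapping in info->rtp_port[][].
 *
 * Returns 0 on success and also when no table slot or port pair is
 * available (the message is then left unmodified); -1 if rewriting the
 * message fails, after withdrawing both expectations.
 */
static int nat_rtp_rtcp(struct sk_buff **pskb, struct nf_conn *ct,
			enum ip_conntrack_info ctinfo,
			unsigned char **data, int dataoff,
			H245_TransportAddress *taddr,
			__be16 port, __be16 rtp_port,
			struct nf_conntrack_expect *rtp_exp,
			struct nf_conntrack_expect *rtcp_exp)
{
	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
	int dir = CTINFO2DIR(ctinfo);
	int i;
	u_int16_t nated_port;

	/* Set expectations for NAT */
	rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
	rtp_exp->expectfn = nf_nat_follow_master;
	rtp_exp->dir = !dir;
	rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
	rtcp_exp->expectfn = nf_nat_follow_master;
	rtcp_exp->dir = !dir;

	/* Lookup existing expects */
	for (i = 0; i < H323_RTP_CHANNEL_MAX; i++) {
		if (info->rtp_port[i][dir] == rtp_port) {
			/* Expected */

			/* Use allocated ports first. This will refresh
			 * the expects */
			rtp_exp->tuple.dst.u.udp.port = info->rtp_port[i][dir];
			rtcp_exp->tuple.dst.u.udp.port =
			    htons(ntohs(info->rtp_port[i][dir]) + 1);
			break;
		} else if (info->rtp_port[i][dir] == 0) {
			/* Not expected */
			break;
		}
	}

	/* Run out of expectations */
	if (i >= H323_RTP_CHANNEL_MAX) {
		if (net_ratelimit())
			printk("nf_nat_h323: out of expectations\n");
		return 0;
	}

	/* Try to get a pair of ports.
	 *
	 * NOTE(review): the loop gives up only when the 16-bit counter
	 * wraps to 0, which with a step of 2 requires an even starting
	 * port - presumably guaranteed by the caller; verify. In the worst
	 * case it walks the rest of the port space for a single packet. */
	for (nated_port = ntohs(rtp_exp->tuple.dst.u.udp.port);
	     nated_port != 0; nated_port += 2) {
		rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
		if (nf_conntrack_expect_related(rtp_exp) == 0) {
			rtcp_exp->tuple.dst.u.udp.port =
			    htons(nated_port + 1);
			if (nf_conntrack_expect_related(rtcp_exp) == 0)
				break;
			/* RTCP half failed: release the RTP half and try
			 * the next pair. */
			nf_conntrack_unexpect_related(rtp_exp);
		}
	}

	if (nated_port == 0) {	/* No port available */
		if (net_ratelimit())
			printk("nf_nat_h323: out of RTP ports\n");
		return 0;
	}

	/* Modify signal */
	if (set_h245_addr(pskb, data, dataoff, taddr,
			  &ct->tuplehash[!dir].tuple.dst.u3,
			  htons((port & htons(1)) ? nated_port + 1 :
						    nated_port)) == 0) {
		/* Save ports */
		info->rtp_port[i][dir] = rtp_port;
		info->rtp_port[i][!dir] = htons(nated_port);
	} else {
		nf_conntrack_unexpect_related(rtp_exp);
		nf_conntrack_unexpect_related(rtcp_exp);
		return -1;
	}

	/* Success */
	/* Trace arguments go through .u3.ip like the live code, so the
	 * trace still builds when DEBUGP is enabled. */
	DEBUGP("nf_nat_h323: expect RTP %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
	       NIPQUAD(rtp_exp->tuple.src.u3.ip),
	       ntohs(rtp_exp->tuple.src.u.udp.port),
	       NIPQUAD(rtp_exp->tuple.dst.u3.ip),
	       ntohs(rtp_exp->tuple.dst.u.udp.port));
	DEBUGP("nf_nat_h323: expect RTCP %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
	       NIPQUAD(rtcp_exp->tuple.src.u3.ip),
	       ntohs(rtcp_exp->tuple.src.u.udp.port),
	       NIPQUAD(rtcp_exp->tuple.dst.u3.ip),
	       ntohs(rtcp_exp->tuple.dst.u.udp.port));

	return 0;
}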
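/****************************************************************************/
/*
 * nat_t120 - set up NAT for a T.120 (TCP) channel announced in H.245.
 * @port: port found in the message; tried first as the NAT port
 * @exp:  expectation to register for the channel
 *
 * Returns 0 on success and also when no port could be reserved (the
 * message is then left unmodified); -1 if rewriting the message fails,
 * after withdrawing the expectation.
 */
static int nat_t120(struct sk_buff **pskb, struct nf_conn *ct,
		    enum ip_conntrack_info ctinfo,
		    unsigned char **data, int dataoff,
		    H245_TransportAddress *taddr, __be16 port,
		    struct nf_conntrack_expect *exp)
{
	int dir = CTINFO2DIR(ctinfo);
	u_int16_t nated_port = ntohs(port);

	/* Set expectations for NAT */
	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
	exp->expectfn = nf_nat_follow_master;
	exp->dir = !dir;

	/* Try to get same port: if not, try to change it.
	 * The 16-bit counter wrapping to 0 means every port failed. */
	for (; nated_port != 0; nated_port++) {
		exp->tuple.dst.u.tcp.port = htons(nated_port);
		if (nf_conntrack_expect_related(exp) == 0)
			break;
	}

	if (nated_port == 0) {	/* No port available */
		if (net_ratelimit())
			printk("nf_nat_h323: out of TCP ports\n");
		return 0;
	}

	/* Modify signal */
	if (set_h245_addr(pskb, data, dataoff, taddr,
			  &ct->tuplehash[!dir].tuple.dst.u3,
			  htons(nated_port)) < 0) {
		nf_conntrack_unexpect_related(exp);
		return -1;
	}

	/* Trace arguments go through .u3.ip like the live code, so the
	 * trace still builds when DEBUGP is enabled. */
	DEBUGP("nf_nat_h323: expect T.120 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
	       NIPQUAD(exp->tuple.src.u3.ip), ntohs(exp->tuple.src.u.tcp.port),
	       NIPQUAD(exp->tuple.dst.u3.ip), ntohs(exp->tuple.dst.u.tcp.port));

	return 0;
}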
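/****************************************************************************/
/*
 * nat_h245 - set up NAT for the H.245 (TCP) channel announced in Q.931.
 * @port: port found in the message
 * @exp:  expectation to register for the channel
 *
 * If @port is the signalling port already recorded for this direction,
 * the previously mapped port is tried first. On success the mapping is
 * stored in info->sig_port[].
 *
 * Returns 0 on success and also when no port could be reserved (the
 * message is then left unmodified); -1 if rewriting the message fails,
 * after withdrawing the expectation.
 */
static int nat_h245(struct sk_buff **pskb, struct nf_conn *ct,
		    enum ip_conntrack_info ctinfo,
		    unsigned char **data, int dataoff,
		    TransportAddress *taddr, __be16 port,
		    struct nf_conntrack_expect *exp)
{
	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
	int dir = CTINFO2DIR(ctinfo);
	u_int16_t nated_port = ntohs(port);

	/* Set expectations for NAT */
	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
	exp->expectfn = nf_nat_follow_master;
	exp->dir = !dir;

	/* Check existing expects */
	if (info->sig_port[dir] == port)
		nated_port = ntohs(info->sig_port[!dir]);

	/* Try to get same port: if not, try to change it.
	 * The 16-bit counter wrapping to 0 means every port failed. */
	for (; nated_port != 0; nated_port++) {
		exp->tuple.dst.u.tcp.port = htons(nated_port);
		if (nf_conntrack_expect_related(exp) == 0)
			break;
	}

	if (nated_port == 0) {	/* No port available */
		if (net_ratelimit())
			printk("nf_nat_q931: out of TCP ports\n");
		return 0;
	}

	/* Modify signal */
	if (set_h225_addr(pskb, data, dataoff, taddr,
			  &ct->tuplehash[!dir].tuple.dst.u3,
			  htons(nated_port)) == 0) {
		/* Save ports */
		info->sig_port[dir] = port;
		info->sig_port[!dir] = htons(nated_port);
	} else {
		nf_conntrack_unexpect_related(exp);
		return -1;
	}

	/* Trace arguments go through .u3.ip like the live code, so the
	 * trace still builds when DEBUGP is enabled. */
	DEBUGP("nf_nat_q931: expect H.245 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
	       NIPQUAD(exp->tuple.src.u3.ip), ntohs(exp->tuple.src.u.tcp.port),
	       NIPQUAD(exp->tuple.dst.u3.ip), ntohs(exp->tuple.dst.u.tcp.port));

	return 0;
}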
/****************************************************************************
 * This conntrack expect function replaces nf_conntrack_q931_expect()
 * which was set by nf_conntrack_h323.c.
 *
 * An expectation with a specific source address is handled by
 * nf_nat_follow_master(). One with a wildcard source (0) gets an explicit
 * source and destination mapping set up here.
 *
 * NOTE(review): the range is declared as struct ip_nat_range here but as
 * struct nf_nat_range in ip_nat_callforwarding_expect() - presumably the
 * same type under two names; confirm against the headers.
 ****************************************************************************/
static void ip_nat_q931_expect(struct nf_conn *new,
			       struct nf_conntrack_expect *this)
{
	struct ip_nat_range range;

	if (this->tuple.src.u3.ip != 0) {	/* Only accept calls from GK */
		nf_nat_follow_master(new, this);
		return;
	}

	/* This must be a fresh one. */
	BUG_ON(new->status & IPS_NAT_DONE_MASK);

	/* Change src to where master sends to */
	range.flags = IP_NAT_RANGE_MAP_IPS;
	range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
	range.min_ip = range.max_ip;

	/* hook doesn't matter, but it has to do source manip */
	nf_nat_setup_info(new, &range, NF_IP_POST_ROUTING);

	/* For DST manip, map port here to where it's expected. */
	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
	range.max = this->saved_proto;
	range.min = range.max;
	range.max_ip = new->master->tuplehash[!this->dir].tuple.src.u3.ip;
	range.min_ip = range.max_ip;

	/* hook doesn't matter, but it has to do destination manip */
	nf_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
}
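/****************************************************************************/
/*
 * nat_q931 - set up NAT for the Q.931 (TCP) channel announced in RAS.
 * @taddr: array of transport addresses from the decoded message
 * @idx:   index of the entry to rewrite
 * @port:  port found in that entry
 * @exp:   expectation to register; its expectfn is ip_nat_q931_expect()
 *
 * If @port is the signalling port already recorded for this direction,
 * the previously mapped port is tried first. On success the mapping is
 * stored in info->sig_port[].
 *
 * Returns 0 on success and also when no port could be reserved (the
 * message is then left unmodified); -1 if rewriting the message fails,
 * after withdrawing the expectation.
 */
static int nat_q931(struct sk_buff **pskb, struct nf_conn *ct,
		    enum ip_conntrack_info ctinfo,
		    unsigned char **data, TransportAddress *taddr, int idx,
		    __be16 port, struct nf_conntrack_expect *exp)
{
	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
	int dir = CTINFO2DIR(ctinfo);
	u_int16_t nated_port = ntohs(port);
	union nf_conntrack_address addr;

	/* Set expectations for NAT */
	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
	exp->expectfn = ip_nat_q931_expect;
	exp->dir = !dir;

	/* Check existing expects */
	if (info->sig_port[dir] == port)
		nated_port = ntohs(info->sig_port[!dir]);

	/* Try to get same port: if not, try to change it.
	 * The 16-bit counter wrapping to 0 means every port failed. */
	for (; nated_port != 0; nated_port++) {
		exp->tuple.dst.u.tcp.port = htons(nated_port);
		if (nf_conntrack_expect_related(exp) == 0)
			break;
	}

	if (nated_port == 0) {	/* No port available */
		if (net_ratelimit())
			printk("nf_nat_ras: out of TCP ports\n");
		return 0;
	}

	/* Modify signal */
	if (set_h225_addr(pskb, data, 0, &taddr[idx],
			  &ct->tuplehash[!dir].tuple.dst.u3,
			  htons(nated_port)) == 0) {
		/* Save ports */
		info->sig_port[dir] = port;
		info->sig_port[!dir] = htons(nated_port);

		/* Fix for Gnomemeeting: also rewrite entry 0 when it is a
		 * loopback address (127.0.0.0/8). Call set_h225_addr()
		 * directly rather than through the RCU-published
		 * set_h225_addr_hook pointer, which fini() clears; the
		 * result is deliberately ignored (best effort). */
		if (idx > 0 &&
		    get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
		    (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
			set_h225_addr(pskb, data, 0, &taddr[0],
				      &ct->tuplehash[!dir].tuple.dst.u3,
				      info->sig_port[!dir]);
		}
	} else {
		nf_conntrack_unexpect_related(exp);
		return -1;
	}

	/* Success */
	/* Trace arguments go through .u3.ip like the live code, so the
	 * trace still builds when DEBUGP is enabled. */
	DEBUGP("nf_nat_ras: expect Q.931 %u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
	       NIPQUAD(exp->tuple.src.u3.ip), ntohs(exp->tuple.src.u.tcp.port),
	       NIPQUAD(exp->tuple.dst.u3.ip), ntohs(exp->tuple.dst.u.tcp.port));

	return 0;
}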
/****************************************************************************/
/*
 * ip_nat_callforwarding_expect - expectfn for forwarded calls.
 *
 * Sets up both mappings for the expected connection: its source is mapped
 * to new->tuplehash[!this->dir].tuple.src, and its destination to the
 * address and port saved in the expectation (saved_ip / saved_proto).
 */
static void ip_nat_callforwarding_expect(struct nf_conn *new,
					 struct nf_conntrack_expect *this)
{
	struct nf_nat_range range;

	/* This must be a fresh one. */
	BUG_ON(new->status & IPS_NAT_DONE_MASK);

	/* Change src to where master sends to */
	range.flags = IP_NAT_RANGE_MAP_IPS;
	range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
	range.min_ip = range.max_ip;

	/* hook doesn't matter, but it has to do source manip */
	nf_nat_setup_info(new, &range, NF_IP_POST_ROUTING);

	/* For DST manip, map port here to where it's expected. */
	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
	range.max = this->saved_proto;
	range.min = range.max;
	range.max_ip = this->saved_ip;
	range.min_ip = range.max_ip;

	/* hook doesn't matter, but it has to do destination manip */
	nf_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
}
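/****************************************************************************/
/*
 * nat_callforwarding - set up NAT for a call-forwarding target in Q.931.
 * @port: port found in the message; tried first as the NAT port
 * @exp:  expectation to register; its expectfn is
 *        ip_nat_callforwarding_expect()
 *
 * The expectation's original destination address and port are kept in
 * saved_ip / saved_proto, and its destination address is replaced with
 * ct->tuplehash[!dir].tuple.dst before it is registered.
 *
 * Returns 0 on success and also when no port could be reserved (the
 * message is then left unmodified); -1 if rewriting the message fails,
 * after withdrawing the expectation.
 */
static int nat_callforwarding(struct sk_buff **pskb, struct nf_conn *ct,
			      enum ip_conntrack_info ctinfo,
			      unsigned char **data, int dataoff,
			      TransportAddress *taddr, __be16 port,
			      struct nf_conntrack_expect *exp)
{
	int dir = CTINFO2DIR(ctinfo);
	u_int16_t nated_port;

	/* Set expectations for NAT */
	exp->saved_ip = exp->tuple.dst.u3.ip;
	exp->tuple.dst.u3.ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
	exp->expectfn = ip_nat_callforwarding_expect;
	exp->dir = !dir;

	/* Try to get same port: if not, try to change it.
	 * The 16-bit counter wrapping to 0 means every port failed. */
	for (nated_port = ntohs(port); nated_port != 0; nated_port++) {
		exp->tuple.dst.u.tcp.port = htons(nated_port);
		if (nf_conntrack_expect_related(exp) == 0)
			break;
	}

	if (nated_port == 0) {	/* No port available */
		if (net_ratelimit())
			printk("nf_nat_q931: out of TCP ports\n");
		return 0;
	}

	/* Modify signal.
	 * Written as a plain "!= 0" test: the former "!call(...) == 0"
	 * parsed as "(!call(...)) == 0", which means the same thing but
	 * reads as the opposite. */
	if (set_h225_addr(pskb, data, dataoff, taddr,
			  &ct->tuplehash[!dir].tuple.dst.u3,
			  htons(nated_port)) != 0) {
		nf_conntrack_unexpect_related(exp);
		return -1;
	}

	/* Success */
	/* Trace arguments go through .u3.ip like the live code, so the
	 * trace still builds when DEBUGP is enabled. */
	DEBUGP("nf_nat_q931: expect Call Forwarding "
	       "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
	       NIPQUAD(exp->tuple.src.u3.ip), ntohs(exp->tuple.src.u.tcp.port),
	       NIPQUAD(exp->tuple.dst.u3.ip), ntohs(exp->tuple.dst.u.tcp.port));

	return 0;
}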
/****************************************************************************/
/*
 * init - publish this module's NAT handlers through the H.323 hook pointers.
 *
 * Every hook must still be NULL (BUG_ON otherwise); each one is then set
 * with rcu_assign_pointer(). Presumably registered via module_init()
 * outside the lines shown here.
 *
 * Returns 0.
 */
static int __init init(void)
{
	/* No other provider may have claimed the hooks. */
	BUG_ON(rcu_dereference(set_h245_addr_hook) != NULL);
	BUG_ON(rcu_dereference(set_h225_addr_hook) != NULL);
	BUG_ON(rcu_dereference(set_sig_addr_hook) != NULL);
	BUG_ON(rcu_dereference(set_ras_addr_hook) != NULL);
	BUG_ON(rcu_dereference(nat_rtp_rtcp_hook) != NULL);
	BUG_ON(rcu_dereference(nat_t120_hook) != NULL);
	BUG_ON(rcu_dereference(nat_h245_hook) != NULL);
	BUG_ON(rcu_dereference(nat_callforwarding_hook) != NULL);
	BUG_ON(rcu_dereference(nat_q931_hook) != NULL);

	/* Publish the handlers. */
	rcu_assign_pointer(set_h245_addr_hook, set_h245_addr);
	rcu_assign_pointer(set_h225_addr_hook, set_h225_addr);
	rcu_assign_pointer(set_sig_addr_hook, set_sig_addr);
	rcu_assign_pointer(set_ras_addr_hook, set_ras_addr);
	rcu_assign_pointer(nat_rtp_rtcp_hook, nat_rtp_rtcp);
	rcu_assign_pointer(nat_t120_hook, nat_t120);
	rcu_assign_pointer(nat_h245_hook, nat_h245);
	rcu_assign_pointer(nat_callforwarding_hook, nat_callforwarding);
	rcu_assign_pointer(nat_q931_hook, nat_q931);

	DEBUGP("nf_nat_h323: init success\n");
	return 0;
}
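/****************************************************************************/
/*
 * fini - withdraw this module's NAT handlers from the H.323 hook pointers.
 *
 * Clears every hook and then waits for an RCU grace period, so that a
 * reader which fetched a hook before it was cleared (presumably the
 * conntrack helper, inside an RCU read-side section) has finished with
 * this module's code before the module goes away.
 */
static void __exit fini(void)
{
	rcu_assign_pointer(set_h245_addr_hook, NULL);
	rcu_assign_pointer(set_h225_addr_hook, NULL);
	rcu_assign_pointer(set_sig_addr_hook, NULL);
	rcu_assign_pointer(set_ras_addr_hook, NULL);
	rcu_assign_pointer(nat_rtp_rtcp_hook, NULL);
	rcu_assign_pointer(nat_t120_hook, NULL);
	rcu_assign_pointer(nat_h245_hook, NULL);
	rcu_assign_pointer(nat_callforwarding_hook, NULL);
	rcu_assign_pointer(nat_q931_hook, NULL);
	synchronize_rcu();
}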
/****************************************************************************/
/* Module metadata. */
MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
MODULE_DESCRIPTION("H.323 NAT helper");
MODULE_LICENSE("GPL");
/* Presumably lets the module still be requested under the older
 * ip_nat_h323 name - confirm against the module loading configuration. */
MODULE_ALIAS("ip_nat_h323");