|
|
@@ -100,9 +100,11 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
|
|
|
{
|
|
|
enum ip_conntrack_info ctinfo;
|
|
|
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
|
|
|
+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
|
|
unsigned int matchoff, matchlen;
|
|
|
union nf_inet_addr addr;
|
|
|
__be16 port;
|
|
|
+ int request;
|
|
|
|
|
|
/* Basic rules: requests and responses. */
|
|
|
if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
|
|
|
@@ -112,11 +114,81 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
|
|
|
!map_addr(skb, dptr, datalen, matchoff, matchlen,
|
|
|
&addr, port))
|
|
|
return NF_DROP;
|
|
|
+ request = 1;
|
|
|
+ } else
|
|
|
+ request = 0;
|
|
|
+
|
|
|
+ /* Translate topmost Via header and parameters */
|
|
|
+ if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
|
|
|
+ SIP_HDR_VIA, NULL, &matchoff, &matchlen,
|
|
|
+ &addr, &port) > 0) {
|
|
|
+ unsigned int matchend, poff, plen, buflen, n;
|
|
|
+ char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
|
|
|
+
|
|
|
+ /* We're only interested in headers related to this
|
|
|
+ * connection */
|
|
|
+ if (request) {
|
|
|
+ if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
|
|
|
+ port != ct->tuplehash[dir].tuple.src.u.udp.port)
|
|
|
+ goto next;
|
|
|
+ } else {
|
|
|
+ if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
|
|
|
+ port != ct->tuplehash[dir].tuple.dst.u.udp.port)
|
|
|
+ goto next;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
|
|
|
+ &addr, port))
|
|
|
+ return NF_DROP;
|
|
|
+
|
|
|
+ matchend = matchoff + matchlen;
|
|
|
+
|
|
|
+ /* The maddr= parameter (RFC 2361) specifies where to send
|
|
|
+ * the reply. */
|
|
|
+ if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
|
|
|
+ "maddr=", &poff, &plen,
|
|
|
+ &addr) > 0 &&
|
|
|
+ addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
|
|
|
+ addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
|
|
|
+ __be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
|
|
|
+ buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
|
|
|
+ if (!mangle_packet(skb, dptr, datalen, poff, plen,
|
|
|
+ buffer, buflen))
|
|
|
+ return NF_DROP;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* The received= parameter (RFC 2361) contains the address
|
|
|
+ * from which the server received the request. */
|
|
|
+ if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
|
|
|
+ "received=", &poff, &plen,
|
|
|
+ &addr) > 0 &&
|
|
|
+ addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
|
|
|
+ addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
|
|
|
+ __be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
|
|
|
+ buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
|
|
|
+ if (!mangle_packet(skb, dptr, datalen, poff, plen,
|
|
|
+ buffer, buflen))
|
|
|
+ return NF_DROP;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* The rport= parameter (RFC 3581) contains the port number
|
|
|
+ * from which the server received the request. */
|
|
|
+ if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
|
|
|
+ "rport=", &poff, &plen,
|
|
|
+ &n) > 0 &&
|
|
|
+ htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
|
|
|
+ htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
|
|
|
+ __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
|
|
|
+ buflen = sprintf(buffer, "%u", ntohs(p));
|
|
|
+ if (!mangle_packet(skb, dptr, datalen, poff, plen,
|
|
|
+ buffer, buflen))
|
|
|
+ return NF_DROP;
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
+next:
|
|
|
if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
|
|
|
!map_sip_addr(skb, dptr, datalen, SIP_HDR_TO) ||
|
|
|
- !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA) ||
|
|
|
!map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT))
|
|
|
return NF_DROP;
|
|
|
return NF_ACCEPT;
|
Patrick McHardy