1 // SPDX-License-Identifier: GPL-2.0-only
3 * H.323 connection tracking helper
5 * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
6 * Copyright (c) 2006-2012 Patrick McHardy <kaber@trash.net>
8 * Based on the 'brute force' H.323 connection tracking module by
9 * Jozsef Kadlecsik <kadlec@netfilter.org>
11 * For more information, please see http://nath323.sourceforge.net/
14 #include <linux/module.h>
15 #include <linux/moduleparam.h>
16 #include <linux/ctype.h>
17 #include <linux/inet.h>
20 #include <linux/slab.h>
21 #include <linux/udp.h>
22 #include <linux/tcp.h>
23 #include <linux/skbuff.h>
24 #include <net/route.h>
25 #include <net/ip6_route.h>
26 #include <linux/netfilter_ipv6.h>
28 #include <net/netfilter/nf_conntrack.h>
29 #include <net/netfilter/nf_conntrack_core.h>
30 #include <net/netfilter/nf_conntrack_tuple.h>
31 #include <net/netfilter/nf_conntrack_expect.h>
32 #include <net/netfilter/nf_conntrack_ecache.h>
33 #include <net/netfilter/nf_conntrack_helper.h>
34 #include <net/netfilter/nf_conntrack_zones.h>
35 #include <linux/netfilter/nf_conntrack_h323.h>
37 #define H323_MAX_SIZE 65535
40 static unsigned int default_rrq_ttl __read_mostly = 300;
41 module_param(default_rrq_ttl, uint, 0600);
42 MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
44 static int gkrouted_only __read_mostly = 1;
45 module_param(gkrouted_only, int, 0600);
46 MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
48 static bool callforward_filter __read_mostly = true;
49 module_param(callforward_filter, bool, 0600);
50 MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
51 "if both endpoints are on different sides "
52 "(determined by routing information)");
55 int (*set_h245_addr_hook) (struct sk_buff *skb, unsigned int protoff,
56 unsigned char **data, int dataoff,
57 H245_TransportAddress *taddr,
58 union nf_inet_addr *addr, __be16 port)
60 int (*set_h225_addr_hook) (struct sk_buff *skb, unsigned int protoff,
61 unsigned char **data, int dataoff,
62 TransportAddress *taddr,
63 union nf_inet_addr *addr, __be16 port)
65 int (*set_sig_addr_hook) (struct sk_buff *skb,
67 enum ip_conntrack_info ctinfo,
68 unsigned int protoff, unsigned char **data,
69 TransportAddress *taddr, int count) __read_mostly;
70 int (*set_ras_addr_hook) (struct sk_buff *skb,
72 enum ip_conntrack_info ctinfo,
73 unsigned int protoff, unsigned char **data,
74 TransportAddress *taddr, int count) __read_mostly;
75 int (*nat_rtp_rtcp_hook) (struct sk_buff *skb,
77 enum ip_conntrack_info ctinfo,
79 unsigned char **data, int dataoff,
80 H245_TransportAddress *taddr,
81 __be16 port, __be16 rtp_port,
82 struct nf_conntrack_expect *rtp_exp,
83 struct nf_conntrack_expect *rtcp_exp) __read_mostly;
84 int (*nat_t120_hook) (struct sk_buff *skb,
86 enum ip_conntrack_info ctinfo,
88 unsigned char **data, int dataoff,
89 H245_TransportAddress *taddr, __be16 port,
90 struct nf_conntrack_expect *exp) __read_mostly;
91 int (*nat_h245_hook) (struct sk_buff *skb,
93 enum ip_conntrack_info ctinfo,
95 unsigned char **data, int dataoff,
96 TransportAddress *taddr, __be16 port,
97 struct nf_conntrack_expect *exp) __read_mostly;
98 int (*nat_callforwarding_hook) (struct sk_buff *skb,
100 enum ip_conntrack_info ctinfo,
101 unsigned int protoff,
102 unsigned char **data, int dataoff,
103 TransportAddress *taddr, __be16 port,
104 struct nf_conntrack_expect *exp) __read_mostly;
105 int (*nat_q931_hook) (struct sk_buff *skb,
107 enum ip_conntrack_info ctinfo,
108 unsigned int protoff,
109 unsigned char **data, TransportAddress *taddr, int idx,
110 __be16 port, struct nf_conntrack_expect *exp)
113 static DEFINE_SPINLOCK(nf_h323_lock);
114 static char *h323_buffer;
116 static struct nf_conntrack_helper nf_conntrack_helper_h245;
117 static struct nf_conntrack_helper nf_conntrack_helper_q931[];
118 static struct nf_conntrack_helper nf_conntrack_helper_ras[];
120 static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff,
121 struct nf_conn *ct, enum ip_conntrack_info ctinfo,
122 unsigned char **data, int *datalen, int *dataoff)
124 struct nf_ct_h323_master *info = nfct_help_data(ct);
125 int dir = CTINFO2DIR(ctinfo);
126 const struct tcphdr *th;
135 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
139 /* Get TCP data offset */
140 tcpdataoff = protoff + th->doff * 4;
142 /* Get TCP data length */
143 tcpdatalen = skb->len - tcpdataoff;
144 if (tcpdatalen <= 0) /* No TCP data */
147 if (tcpdatalen > H323_MAX_SIZE)
148 tcpdatalen = H323_MAX_SIZE;
150 if (*data == NULL) { /* first TPKT */
151 /* Get first TPKT pointer */
152 tpkt = skb_header_pointer(skb, tcpdataoff, tcpdatalen,
157 /* Validate TPKT identifier */
158 if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) {
159 /* Netmeeting sends TPKT header and data separately */
160 if (info->tpkt_len[dir] > 0) {
161 pr_debug("nf_ct_h323: previous packet "
162 "indicated separate TPKT data of %hu "
163 "bytes\n", info->tpkt_len[dir]);
164 if (info->tpkt_len[dir] <= tcpdatalen) {
165 /* Yes, there was a TPKT header
168 *datalen = info->tpkt_len[dir];
173 /* Fragmented TPKT */
174 pr_debug("nf_ct_h323: fragmented TPKT\n");
178 /* It is not even a TPKT */
182 } else { /* Next TPKT */
183 tpktoff = *dataoff + *datalen;
184 tcpdatalen -= tpktoff;
185 if (tcpdatalen <= 4) /* No more TPKT */
187 tpkt = *data + *datalen;
189 /* Validate TPKT identifier */
190 if (tpkt[0] != 0x03 || tpkt[1] != 0)
194 /* Validate TPKT length */
195 tpktlen = tpkt[2] * 256 + tpkt[3];
198 if (tpktlen > tcpdatalen) {
199 if (tcpdatalen == 4) { /* Separate TPKT header */
200 /* Netmeeting sends TPKT header and data separately */
201 pr_debug("nf_ct_h323: separate TPKT header indicates "
202 "there will be TPKT data of %d bytes\n",
204 info->tpkt_len[dir] = tpktlen - 4;
208 pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n");
212 /* This is the encapsulated data */
214 *datalen = tpktlen - 4;
215 *dataoff = tpktoff + 4;
218 /* Clear TPKT length */
219 info->tpkt_len[dir] = 0;
223 info->tpkt_len[dir] = 0;
227 static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
228 H245_TransportAddress *taddr,
229 union nf_inet_addr *addr, __be16 *port)
231 const unsigned char *p;
234 if (taddr->choice != eH245_TransportAddress_unicastAddress)
237 switch (taddr->unicastAddress.choice) {
238 case eUnicastAddress_iPAddress:
239 if (nf_ct_l3num(ct) != AF_INET)
241 p = data + taddr->unicastAddress.iPAddress.network;
244 case eUnicastAddress_iP6Address:
245 if (nf_ct_l3num(ct) != AF_INET6)
247 p = data + taddr->unicastAddress.iP6Address.network;
254 memcpy(addr, p, len);
255 memset((void *)addr + len, 0, sizeof(*addr) - len);
256 memcpy(port, p + len, sizeof(__be16));
261 static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
262 enum ip_conntrack_info ctinfo,
263 unsigned int protoff,
264 unsigned char **data, int dataoff,
265 H245_TransportAddress *taddr)
267 int dir = CTINFO2DIR(ctinfo);
270 __be16 rtp_port, rtcp_port;
271 union nf_inet_addr addr;
272 struct nf_conntrack_expect *rtp_exp;
273 struct nf_conntrack_expect *rtcp_exp;
274 typeof(nat_rtp_rtcp_hook) nat_rtp_rtcp;
276 /* Read RTP or RTCP address */
277 if (!get_h245_addr(ct, *data, taddr, &addr, &port) ||
278 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) ||
282 /* RTP port is even */
283 rtp_port = port & ~htons(1);
284 rtcp_port = port | htons(1);
286 /* Create expect for RTP */
287 if ((rtp_exp = nf_ct_expect_alloc(ct)) == NULL)
289 nf_ct_expect_init(rtp_exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
290 &ct->tuplehash[!dir].tuple.src.u3,
291 &ct->tuplehash[!dir].tuple.dst.u3,
292 IPPROTO_UDP, NULL, &rtp_port);
294 /* Create expect for RTCP */
295 if ((rtcp_exp = nf_ct_expect_alloc(ct)) == NULL) {
296 nf_ct_expect_put(rtp_exp);
299 nf_ct_expect_init(rtcp_exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
300 &ct->tuplehash[!dir].tuple.src.u3,
301 &ct->tuplehash[!dir].tuple.dst.u3,
302 IPPROTO_UDP, NULL, &rtcp_port);
304 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
305 &ct->tuplehash[!dir].tuple.dst.u3,
306 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
307 (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) &&
308 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
309 ct->status & IPS_NAT_MASK) {
311 ret = nat_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
312 taddr, port, rtp_port, rtp_exp, rtcp_exp);
313 } else { /* Conntrack only */
314 if (nf_ct_expect_related(rtp_exp, 0) == 0) {
315 if (nf_ct_expect_related(rtcp_exp, 0) == 0) {
316 pr_debug("nf_ct_h323: expect RTP ");
317 nf_ct_dump_tuple(&rtp_exp->tuple);
318 pr_debug("nf_ct_h323: expect RTCP ");
319 nf_ct_dump_tuple(&rtcp_exp->tuple);
321 nf_ct_unexpect_related(rtp_exp);
328 nf_ct_expect_put(rtp_exp);
329 nf_ct_expect_put(rtcp_exp);
334 static int expect_t120(struct sk_buff *skb,
336 enum ip_conntrack_info ctinfo,
337 unsigned int protoff,
338 unsigned char **data, int dataoff,
339 H245_TransportAddress *taddr)
341 int dir = CTINFO2DIR(ctinfo);
344 union nf_inet_addr addr;
345 struct nf_conntrack_expect *exp;
346 typeof(nat_t120_hook) nat_t120;
348 /* Read T.120 address */
349 if (!get_h245_addr(ct, *data, taddr, &addr, &port) ||
350 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) ||
354 /* Create expect for T.120 connections */
355 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
357 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
358 &ct->tuplehash[!dir].tuple.src.u3,
359 &ct->tuplehash[!dir].tuple.dst.u3,
360 IPPROTO_TCP, NULL, &port);
361 exp->flags = NF_CT_EXPECT_PERMANENT; /* Accept multiple channels */
363 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
364 &ct->tuplehash[!dir].tuple.dst.u3,
365 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
366 (nat_t120 = rcu_dereference(nat_t120_hook)) &&
367 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
368 ct->status & IPS_NAT_MASK) {
370 ret = nat_t120(skb, ct, ctinfo, protoff, data, dataoff, taddr,
372 } else { /* Conntrack only */
373 if (nf_ct_expect_related(exp, 0) == 0) {
374 pr_debug("nf_ct_h323: expect T.120 ");
375 nf_ct_dump_tuple(&exp->tuple);
380 nf_ct_expect_put(exp);
385 static int process_h245_channel(struct sk_buff *skb,
387 enum ip_conntrack_info ctinfo,
388 unsigned int protoff,
389 unsigned char **data, int dataoff,
390 H2250LogicalChannelParameters *channel)
394 if (channel->options & eH2250LogicalChannelParameters_mediaChannel) {
396 ret = expect_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
397 &channel->mediaChannel);
403 options & eH2250LogicalChannelParameters_mediaControlChannel) {
405 ret = expect_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
406 &channel->mediaControlChannel);
414 static int process_olc(struct sk_buff *skb, struct nf_conn *ct,
415 enum ip_conntrack_info ctinfo,
416 unsigned int protoff,
417 unsigned char **data, int dataoff,
418 OpenLogicalChannel *olc)
422 pr_debug("nf_ct_h323: OpenLogicalChannel\n");
424 if (olc->forwardLogicalChannelParameters.multiplexParameters.choice ==
425 eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters)
427 ret = process_h245_channel(skb, ct, ctinfo,
428 protoff, data, dataoff,
430 forwardLogicalChannelParameters.
432 h2250LogicalChannelParameters);
438 eOpenLogicalChannel_reverseLogicalChannelParameters) &&
439 (olc->reverseLogicalChannelParameters.options &
440 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters)
441 && (olc->reverseLogicalChannelParameters.multiplexParameters.
443 eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
446 process_h245_channel(skb, ct, ctinfo,
447 protoff, data, dataoff,
449 reverseLogicalChannelParameters.
451 h2250LogicalChannelParameters);
456 if ((olc->options & eOpenLogicalChannel_separateStack) &&
457 olc->forwardLogicalChannelParameters.dataType.choice ==
459 olc->forwardLogicalChannelParameters.dataType.data.application.
460 choice == eDataApplicationCapability_application_t120 &&
461 olc->forwardLogicalChannelParameters.dataType.data.application.
462 t120.choice == eDataProtocolCapability_separateLANStack &&
463 olc->separateStack.networkAddress.choice ==
464 eNetworkAccessParameters_networkAddress_localAreaAddress) {
465 ret = expect_t120(skb, ct, ctinfo, protoff, data, dataoff,
466 &olc->separateStack.networkAddress.
475 static int process_olca(struct sk_buff *skb, struct nf_conn *ct,
476 enum ip_conntrack_info ctinfo,
477 unsigned int protoff, unsigned char **data, int dataoff,
478 OpenLogicalChannelAck *olca)
480 H2250LogicalChannelAckParameters *ack;
483 pr_debug("nf_ct_h323: OpenLogicalChannelAck\n");
486 eOpenLogicalChannelAck_reverseLogicalChannelParameters) &&
487 (olca->reverseLogicalChannelParameters.options &
488 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters)
489 && (olca->reverseLogicalChannelParameters.multiplexParameters.
491 eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
493 ret = process_h245_channel(skb, ct, ctinfo,
494 protoff, data, dataoff,
496 reverseLogicalChannelParameters.
498 h2250LogicalChannelParameters);
504 eOpenLogicalChannelAck_forwardMultiplexAckParameters) &&
505 (olca->forwardMultiplexAckParameters.choice ==
506 eOpenLogicalChannelAck_forwardMultiplexAckParameters_h2250LogicalChannelAckParameters))
508 ack = &olca->forwardMultiplexAckParameters.
509 h2250LogicalChannelAckParameters;
511 eH2250LogicalChannelAckParameters_mediaChannel) {
513 ret = expect_rtp_rtcp(skb, ct, ctinfo,
514 protoff, data, dataoff,
521 eH2250LogicalChannelAckParameters_mediaControlChannel) {
523 ret = expect_rtp_rtcp(skb, ct, ctinfo,
524 protoff, data, dataoff,
525 &ack->mediaControlChannel);
531 if ((olca->options & eOpenLogicalChannelAck_separateStack) &&
532 olca->separateStack.networkAddress.choice ==
533 eNetworkAccessParameters_networkAddress_localAreaAddress) {
534 ret = expect_t120(skb, ct, ctinfo, protoff, data, dataoff,
535 &olca->separateStack.networkAddress.
544 static int process_h245(struct sk_buff *skb, struct nf_conn *ct,
545 enum ip_conntrack_info ctinfo,
546 unsigned int protoff, unsigned char **data, int dataoff,
547 MultimediaSystemControlMessage *mscm)
549 switch (mscm->choice) {
550 case eMultimediaSystemControlMessage_request:
551 if (mscm->request.choice ==
552 eRequestMessage_openLogicalChannel) {
553 return process_olc(skb, ct, ctinfo,
554 protoff, data, dataoff,
555 &mscm->request.openLogicalChannel);
557 pr_debug("nf_ct_h323: H.245 Request %d\n",
558 mscm->request.choice);
560 case eMultimediaSystemControlMessage_response:
561 if (mscm->response.choice ==
562 eResponseMessage_openLogicalChannelAck) {
563 return process_olca(skb, ct, ctinfo,
564 protoff, data, dataoff,
566 openLogicalChannelAck);
568 pr_debug("nf_ct_h323: H.245 Response %d\n",
569 mscm->response.choice);
572 pr_debug("nf_ct_h323: H.245 signal %d\n", mscm->choice);
579 static int h245_help(struct sk_buff *skb, unsigned int protoff,
580 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
582 static MultimediaSystemControlMessage mscm;
583 unsigned char *data = NULL;
588 /* Until there's been traffic both ways, don't look in packets. */
589 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
592 pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
594 spin_lock_bh(&nf_h323_lock);
596 /* Process each TPKT */
597 while (get_tpkt_data(skb, protoff, ct, ctinfo,
598 &data, &datalen, &dataoff)) {
599 pr_debug("nf_ct_h245: TPKT len=%d ", datalen);
600 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
602 /* Decode H.245 signal */
603 ret = DecodeMultimediaSystemControlMessage(data, datalen,
606 pr_debug("nf_ct_h245: decoding error: %s\n",
607 ret == H323_ERROR_BOUND ?
608 "out of bound" : "out of range");
609 /* We don't drop when decoding error */
613 /* Process H.245 signal */
614 if (process_h245(skb, ct, ctinfo, protoff,
615 &data, dataoff, &mscm) < 0)
619 spin_unlock_bh(&nf_h323_lock);
623 spin_unlock_bh(&nf_h323_lock);
624 nf_ct_helper_log(skb, ct, "cannot process H.245 message");
628 static const struct nf_conntrack_expect_policy h245_exp_policy = {
629 .max_expected = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */,
633 static struct nf_conntrack_helper nf_conntrack_helper_h245 __read_mostly = {
636 .tuple.src.l3num = AF_UNSPEC,
637 .tuple.dst.protonum = IPPROTO_UDP,
639 .expect_policy = &h245_exp_policy,
642 int get_h225_addr(struct nf_conn *ct, unsigned char *data,
643 TransportAddress *taddr,
644 union nf_inet_addr *addr, __be16 *port)
646 const unsigned char *p;
649 switch (taddr->choice) {
650 case eTransportAddress_ipAddress:
651 if (nf_ct_l3num(ct) != AF_INET)
653 p = data + taddr->ipAddress.ip;
656 case eTransportAddress_ip6Address:
657 if (nf_ct_l3num(ct) != AF_INET6)
659 p = data + taddr->ip6Address.ip;
666 memcpy(addr, p, len);
667 memset((void *)addr + len, 0, sizeof(*addr) - len);
668 memcpy(port, p + len, sizeof(__be16));
673 static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
674 enum ip_conntrack_info ctinfo,
675 unsigned int protoff, unsigned char **data, int dataoff,
676 TransportAddress *taddr)
678 int dir = CTINFO2DIR(ctinfo);
681 union nf_inet_addr addr;
682 struct nf_conntrack_expect *exp;
683 typeof(nat_h245_hook) nat_h245;
685 /* Read h245Address */
686 if (!get_h225_addr(ct, *data, taddr, &addr, &port) ||
687 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) ||
691 /* Create expect for h245 connection */
692 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
694 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
695 &ct->tuplehash[!dir].tuple.src.u3,
696 &ct->tuplehash[!dir].tuple.dst.u3,
697 IPPROTO_TCP, NULL, &port);
698 exp->helper = &nf_conntrack_helper_h245;
700 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
701 &ct->tuplehash[!dir].tuple.dst.u3,
702 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
703 (nat_h245 = rcu_dereference(nat_h245_hook)) &&
704 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
705 ct->status & IPS_NAT_MASK) {
707 ret = nat_h245(skb, ct, ctinfo, protoff, data, dataoff, taddr,
709 } else { /* Conntrack only */
710 if (nf_ct_expect_related(exp, 0) == 0) {
711 pr_debug("nf_ct_q931: expect H.245 ");
712 nf_ct_dump_tuple(&exp->tuple);
717 nf_ct_expect_put(exp);
722 /* If the calling party is on the same side of the forward-to party,
723 * we don't need to track the second call
725 static int callforward_do_filter(struct net *net,
726 const union nf_inet_addr *src,
727 const union nf_inet_addr *dst,
734 struct flowi4 fl1, fl2;
735 struct rtable *rt1, *rt2;
737 memset(&fl1, 0, sizeof(fl1));
740 memset(&fl2, 0, sizeof(fl2));
742 if (!nf_ip_route(net, (struct dst_entry **)&rt1,
743 flowi4_to_flowi(&fl1), false)) {
744 if (!nf_ip_route(net, (struct dst_entry **)&rt2,
745 flowi4_to_flowi(&fl2), false)) {
746 if (rt_nexthop(rt1, fl1.daddr) ==
747 rt_nexthop(rt2, fl2.daddr) &&
748 rt1->dst.dev == rt2->dst.dev)
750 dst_release(&rt2->dst);
752 dst_release(&rt1->dst);
756 #if IS_ENABLED(CONFIG_IPV6)
758 struct rt6_info *rt1, *rt2;
759 struct flowi6 fl1, fl2;
761 memset(&fl1, 0, sizeof(fl1));
762 fl1.daddr = src->in6;
764 memset(&fl2, 0, sizeof(fl2));
765 fl2.daddr = dst->in6;
766 if (!nf_ip6_route(net, (struct dst_entry **)&rt1,
767 flowi6_to_flowi(&fl1), false)) {
768 if (!nf_ip6_route(net, (struct dst_entry **)&rt2,
769 flowi6_to_flowi(&fl2), false)) {
770 if (ipv6_addr_equal(rt6_nexthop(rt1, &fl1.daddr),
771 rt6_nexthop(rt2, &fl2.daddr)) &&
772 rt1->dst.dev == rt2->dst.dev)
774 dst_release(&rt2->dst);
776 dst_release(&rt1->dst);
786 static int expect_callforwarding(struct sk_buff *skb,
788 enum ip_conntrack_info ctinfo,
789 unsigned int protoff,
790 unsigned char **data, int dataoff,
791 TransportAddress *taddr)
793 int dir = CTINFO2DIR(ctinfo);
796 union nf_inet_addr addr;
797 struct nf_conntrack_expect *exp;
798 struct net *net = nf_ct_net(ct);
799 typeof(nat_callforwarding_hook) nat_callforwarding;
801 /* Read alternativeAddress */
802 if (!get_h225_addr(ct, *data, taddr, &addr, &port) || port == 0)
805 /* If the calling party is on the same side of the forward-to party,
806 * we don't need to track the second call
808 if (callforward_filter &&
809 callforward_do_filter(net, &addr, &ct->tuplehash[!dir].tuple.src.u3,
811 pr_debug("nf_ct_q931: Call Forwarding not tracked\n");
815 /* Create expect for the second call leg */
816 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
818 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
819 &ct->tuplehash[!dir].tuple.src.u3, &addr,
820 IPPROTO_TCP, NULL, &port);
821 exp->helper = nf_conntrack_helper_q931;
823 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
824 &ct->tuplehash[!dir].tuple.dst.u3,
825 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
826 (nat_callforwarding = rcu_dereference(nat_callforwarding_hook)) &&
827 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
828 ct->status & IPS_NAT_MASK) {
830 ret = nat_callforwarding(skb, ct, ctinfo,
831 protoff, data, dataoff,
833 } else { /* Conntrack only */
834 if (nf_ct_expect_related(exp, 0) == 0) {
835 pr_debug("nf_ct_q931: expect Call Forwarding ");
836 nf_ct_dump_tuple(&exp->tuple);
841 nf_ct_expect_put(exp);
846 static int process_setup(struct sk_buff *skb, struct nf_conn *ct,
847 enum ip_conntrack_info ctinfo,
848 unsigned int protoff,
849 unsigned char **data, int dataoff,
852 int dir = CTINFO2DIR(ctinfo);
856 union nf_inet_addr addr;
857 typeof(set_h225_addr_hook) set_h225_addr;
859 pr_debug("nf_ct_q931: Setup\n");
861 if (setup->options & eSetup_UUIE_h245Address) {
862 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
863 &setup->h245Address);
868 set_h225_addr = rcu_dereference(set_h225_addr_hook);
869 if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
870 (set_h225_addr) && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
871 ct->status & IPS_NAT_MASK &&
872 get_h225_addr(ct, *data, &setup->destCallSignalAddress,
874 memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) {
875 pr_debug("nf_ct_q931: set destCallSignalAddress %pI6:%hu->%pI6:%hu\n",
876 &addr, ntohs(port), &ct->tuplehash[!dir].tuple.src.u3,
877 ntohs(ct->tuplehash[!dir].tuple.src.u.tcp.port));
878 ret = set_h225_addr(skb, protoff, data, dataoff,
879 &setup->destCallSignalAddress,
880 &ct->tuplehash[!dir].tuple.src.u3,
881 ct->tuplehash[!dir].tuple.src.u.tcp.port);
886 if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
887 (set_h225_addr) && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
888 ct->status & IPS_NAT_MASK &&
889 get_h225_addr(ct, *data, &setup->sourceCallSignalAddress,
891 memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) {
892 pr_debug("nf_ct_q931: set sourceCallSignalAddress %pI6:%hu->%pI6:%hu\n",
893 &addr, ntohs(port), &ct->tuplehash[!dir].tuple.dst.u3,
894 ntohs(ct->tuplehash[!dir].tuple.dst.u.tcp.port));
895 ret = set_h225_addr(skb, protoff, data, dataoff,
896 &setup->sourceCallSignalAddress,
897 &ct->tuplehash[!dir].tuple.dst.u3,
898 ct->tuplehash[!dir].tuple.dst.u.tcp.port);
903 if (setup->options & eSetup_UUIE_fastStart) {
904 for (i = 0; i < setup->fastStart.count; i++) {
905 ret = process_olc(skb, ct, ctinfo,
906 protoff, data, dataoff,
907 &setup->fastStart.item[i]);
916 static int process_callproceeding(struct sk_buff *skb,
918 enum ip_conntrack_info ctinfo,
919 unsigned int protoff,
920 unsigned char **data, int dataoff,
921 CallProceeding_UUIE *callproc)
926 pr_debug("nf_ct_q931: CallProceeding\n");
928 if (callproc->options & eCallProceeding_UUIE_h245Address) {
929 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
930 &callproc->h245Address);
935 if (callproc->options & eCallProceeding_UUIE_fastStart) {
936 for (i = 0; i < callproc->fastStart.count; i++) {
937 ret = process_olc(skb, ct, ctinfo,
938 protoff, data, dataoff,
939 &callproc->fastStart.item[i]);
948 static int process_connect(struct sk_buff *skb, struct nf_conn *ct,
949 enum ip_conntrack_info ctinfo,
950 unsigned int protoff,
951 unsigned char **data, int dataoff,
952 Connect_UUIE *connect)
957 pr_debug("nf_ct_q931: Connect\n");
959 if (connect->options & eConnect_UUIE_h245Address) {
960 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
961 &connect->h245Address);
966 if (connect->options & eConnect_UUIE_fastStart) {
967 for (i = 0; i < connect->fastStart.count; i++) {
968 ret = process_olc(skb, ct, ctinfo,
969 protoff, data, dataoff,
970 &connect->fastStart.item[i]);
979 static int process_alerting(struct sk_buff *skb, struct nf_conn *ct,
980 enum ip_conntrack_info ctinfo,
981 unsigned int protoff,
982 unsigned char **data, int dataoff,
983 Alerting_UUIE *alert)
988 pr_debug("nf_ct_q931: Alerting\n");
990 if (alert->options & eAlerting_UUIE_h245Address) {
991 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
992 &alert->h245Address);
997 if (alert->options & eAlerting_UUIE_fastStart) {
998 for (i = 0; i < alert->fastStart.count; i++) {
999 ret = process_olc(skb, ct, ctinfo,
1000 protoff, data, dataoff,
1001 &alert->fastStart.item[i]);
1010 static int process_facility(struct sk_buff *skb, struct nf_conn *ct,
1011 enum ip_conntrack_info ctinfo,
1012 unsigned int protoff,
1013 unsigned char **data, int dataoff,
1014 Facility_UUIE *facility)
1019 pr_debug("nf_ct_q931: Facility\n");
1021 if (facility->reason.choice == eFacilityReason_callForwarded) {
1022 if (facility->options & eFacility_UUIE_alternativeAddress)
1023 return expect_callforwarding(skb, ct, ctinfo,
1024 protoff, data, dataoff,
1026 alternativeAddress);
1030 if (facility->options & eFacility_UUIE_h245Address) {
1031 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
1032 &facility->h245Address);
1037 if (facility->options & eFacility_UUIE_fastStart) {
1038 for (i = 0; i < facility->fastStart.count; i++) {
1039 ret = process_olc(skb, ct, ctinfo,
1040 protoff, data, dataoff,
1041 &facility->fastStart.item[i]);
1050 static int process_progress(struct sk_buff *skb, struct nf_conn *ct,
1051 enum ip_conntrack_info ctinfo,
1052 unsigned int protoff,
1053 unsigned char **data, int dataoff,
1054 Progress_UUIE *progress)
1059 pr_debug("nf_ct_q931: Progress\n");
1061 if (progress->options & eProgress_UUIE_h245Address) {
1062 ret = expect_h245(skb, ct, ctinfo, protoff, data, dataoff,
1063 &progress->h245Address);
1068 if (progress->options & eProgress_UUIE_fastStart) {
1069 for (i = 0; i < progress->fastStart.count; i++) {
1070 ret = process_olc(skb, ct, ctinfo,
1071 protoff, data, dataoff,
1072 &progress->fastStart.item[i]);
1081 static int process_q931(struct sk_buff *skb, struct nf_conn *ct,
1082 enum ip_conntrack_info ctinfo,
1083 unsigned int protoff, unsigned char **data, int dataoff,
1086 H323_UU_PDU *pdu = &q931->UUIE.h323_uu_pdu;
1090 switch (pdu->h323_message_body.choice) {
1091 case eH323_UU_PDU_h323_message_body_setup:
1092 ret = process_setup(skb, ct, ctinfo, protoff, data, dataoff,
1093 &pdu->h323_message_body.setup);
1095 case eH323_UU_PDU_h323_message_body_callProceeding:
1096 ret = process_callproceeding(skb, ct, ctinfo,
1097 protoff, data, dataoff,
1098 &pdu->h323_message_body.
1101 case eH323_UU_PDU_h323_message_body_connect:
1102 ret = process_connect(skb, ct, ctinfo, protoff, data, dataoff,
1103 &pdu->h323_message_body.connect);
1105 case eH323_UU_PDU_h323_message_body_alerting:
1106 ret = process_alerting(skb, ct, ctinfo, protoff, data, dataoff,
1107 &pdu->h323_message_body.alerting);
1109 case eH323_UU_PDU_h323_message_body_facility:
1110 ret = process_facility(skb, ct, ctinfo, protoff, data, dataoff,
1111 &pdu->h323_message_body.facility);
1113 case eH323_UU_PDU_h323_message_body_progress:
1114 ret = process_progress(skb, ct, ctinfo, protoff, data, dataoff,
1115 &pdu->h323_message_body.progress);
1118 pr_debug("nf_ct_q931: Q.931 signal %d\n",
1119 pdu->h323_message_body.choice);
1126 if (pdu->options & eH323_UU_PDU_h245Control) {
1127 for (i = 0; i < pdu->h245Control.count; i++) {
1128 ret = process_h245(skb, ct, ctinfo,
1129 protoff, data, dataoff,
1130 &pdu->h245Control.item[i]);
1139 static int q931_help(struct sk_buff *skb, unsigned int protoff,
1140 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1143 unsigned char *data = NULL;
1148 /* Until there's been traffic both ways, don't look in packets. */
1149 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
1152 pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
1154 spin_lock_bh(&nf_h323_lock);
1156 /* Process each TPKT */
1157 while (get_tpkt_data(skb, protoff, ct, ctinfo,
1158 &data, &datalen, &dataoff)) {
1159 pr_debug("nf_ct_q931: TPKT len=%d ", datalen);
1160 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
1162 /* Decode Q.931 signal */
1163 ret = DecodeQ931(data, datalen, &q931);
1165 pr_debug("nf_ct_q931: decoding error: %s\n",
1166 ret == H323_ERROR_BOUND ?
1167 "out of bound" : "out of range");
1168 /* We don't drop when decoding error */
1172 /* Process Q.931 signal */
1173 if (process_q931(skb, ct, ctinfo, protoff,
1174 &data, dataoff, &q931) < 0)
1178 spin_unlock_bh(&nf_h323_lock);
1182 spin_unlock_bh(&nf_h323_lock);
1183 nf_ct_helper_log(skb, ct, "cannot process Q.931 message");
1187 static const struct nf_conntrack_expect_policy q931_exp_policy = {
1188 /* T.120 and H.245 */
1189 .max_expected = H323_RTP_CHANNEL_MAX * 4 + 4,
1193 static struct nf_conntrack_helper nf_conntrack_helper_q931[] __read_mostly = {
1197 .tuple.src.l3num = AF_INET,
1198 .tuple.src.u.tcp.port = cpu_to_be16(Q931_PORT),
1199 .tuple.dst.protonum = IPPROTO_TCP,
1201 .expect_policy = &q931_exp_policy,
1206 .tuple.src.l3num = AF_INET6,
1207 .tuple.src.u.tcp.port = cpu_to_be16(Q931_PORT),
1208 .tuple.dst.protonum = IPPROTO_TCP,
1210 .expect_policy = &q931_exp_policy,
1214 static unsigned char *get_udp_data(struct sk_buff *skb, unsigned int protoff,
1217 const struct udphdr *uh;
1221 uh = skb_header_pointer(skb, protoff, sizeof(_uh), &_uh);
1224 dataoff = protoff + sizeof(_uh);
1225 if (dataoff >= skb->len)
1227 *datalen = skb->len - dataoff;
1228 if (*datalen > H323_MAX_SIZE)
1229 *datalen = H323_MAX_SIZE;
1231 return skb_header_pointer(skb, dataoff, *datalen, h323_buffer);
1234 static struct nf_conntrack_expect *find_expect(struct nf_conn *ct,
1235 union nf_inet_addr *addr,
1238 struct net *net = nf_ct_net(ct);
1239 struct nf_conntrack_expect *exp;
1240 struct nf_conntrack_tuple tuple;
1242 memset(&tuple.src.u3, 0, sizeof(tuple.src.u3));
1243 tuple.src.u.tcp.port = 0;
1244 memcpy(&tuple.dst.u3, addr, sizeof(tuple.dst.u3));
1245 tuple.dst.u.tcp.port = port;
1246 tuple.dst.protonum = IPPROTO_TCP;
1248 exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);
1249 if (exp && exp->master == ct)
1254 static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
1255 enum ip_conntrack_info ctinfo,
1256 unsigned int protoff, unsigned char **data,
1257 TransportAddress *taddr, int count)
1259 struct nf_ct_h323_master *info = nfct_help_data(ct);
1260 int dir = CTINFO2DIR(ctinfo);
1264 union nf_inet_addr addr;
1265 struct nf_conntrack_expect *exp;
1266 typeof(nat_q931_hook) nat_q931;
1268 /* Look for the first related address */
1269 for (i = 0; i < count; i++) {
1270 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
1271 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3,
1272 sizeof(addr)) == 0 && port != 0)
1276 if (i >= count) /* Not found */
1279 /* Create expect for Q.931 */
1280 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1282 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1283 gkrouted_only ? /* only accept calls from GK? */
1284 &ct->tuplehash[!dir].tuple.src.u3 : NULL,
1285 &ct->tuplehash[!dir].tuple.dst.u3,
1286 IPPROTO_TCP, NULL, &port);
1287 exp->helper = nf_conntrack_helper_q931;
1288 exp->flags = NF_CT_EXPECT_PERMANENT; /* Accept multiple calls */
1290 nat_q931 = rcu_dereference(nat_q931_hook);
1291 if (nat_q931 && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1292 ct->status & IPS_NAT_MASK) { /* Need NAT */
1293 ret = nat_q931(skb, ct, ctinfo, protoff, data,
1294 taddr, i, port, exp);
1295 } else { /* Conntrack only */
1296 if (nf_ct_expect_related(exp, 0) == 0) {
1297 pr_debug("nf_ct_ras: expect Q.931 ");
1298 nf_ct_dump_tuple(&exp->tuple);
1300 /* Save port for looking up expect in processing RCF */
1301 info->sig_port[dir] = port;
1306 nf_ct_expect_put(exp);
1311 static int process_grq(struct sk_buff *skb, struct nf_conn *ct,
1312 enum ip_conntrack_info ctinfo,
1313 unsigned int protoff,
1314 unsigned char **data, GatekeeperRequest *grq)
1316 typeof(set_ras_addr_hook) set_ras_addr;
1318 pr_debug("nf_ct_ras: GRQ\n");
1320 set_ras_addr = rcu_dereference(set_ras_addr_hook);
1321 if (set_ras_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1322 ct->status & IPS_NAT_MASK) /* NATed */
1323 return set_ras_addr(skb, ct, ctinfo, protoff, data,
1324 &grq->rasAddress, 1);
1328 static int process_gcf(struct sk_buff *skb, struct nf_conn *ct,
1329 enum ip_conntrack_info ctinfo,
1330 unsigned int protoff,
1331 unsigned char **data, GatekeeperConfirm *gcf)
1333 int dir = CTINFO2DIR(ctinfo);
1336 union nf_inet_addr addr;
1337 struct nf_conntrack_expect *exp;
1339 pr_debug("nf_ct_ras: GCF\n");
1341 if (!get_h225_addr(ct, *data, &gcf->rasAddress, &addr, &port))
1344 /* Registration port is the same as discovery port */
1345 if (!memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1346 port == ct->tuplehash[dir].tuple.src.u.udp.port)
1349 /* Avoid RAS expectation loops. A GCF is never expected. */
1350 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1353 /* Need new expect */
1354 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1356 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1357 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1358 IPPROTO_UDP, NULL, &port);
1359 exp->helper = nf_conntrack_helper_ras;
1361 if (nf_ct_expect_related(exp, 0) == 0) {
1362 pr_debug("nf_ct_ras: expect RAS ");
1363 nf_ct_dump_tuple(&exp->tuple);
1367 nf_ct_expect_put(exp);
1372 static int process_rrq(struct sk_buff *skb, struct nf_conn *ct,
1373 enum ip_conntrack_info ctinfo,
1374 unsigned int protoff,
1375 unsigned char **data, RegistrationRequest *rrq)
1377 struct nf_ct_h323_master *info = nfct_help_data(ct);
1379 typeof(set_ras_addr_hook) set_ras_addr;
1381 pr_debug("nf_ct_ras: RRQ\n");
1383 ret = expect_q931(skb, ct, ctinfo, protoff, data,
1384 rrq->callSignalAddress.item,
1385 rrq->callSignalAddress.count);
1389 set_ras_addr = rcu_dereference(set_ras_addr_hook);
1390 if (set_ras_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1391 ct->status & IPS_NAT_MASK) {
1392 ret = set_ras_addr(skb, ct, ctinfo, protoff, data,
1393 rrq->rasAddress.item,
1394 rrq->rasAddress.count);
1399 if (rrq->options & eRegistrationRequest_timeToLive) {
1400 pr_debug("nf_ct_ras: RRQ TTL = %u seconds\n", rrq->timeToLive);
1401 info->timeout = rrq->timeToLive;
1403 info->timeout = default_rrq_ttl;
1408 static int process_rcf(struct sk_buff *skb, struct nf_conn *ct,
1409 enum ip_conntrack_info ctinfo,
1410 unsigned int protoff,
1411 unsigned char **data, RegistrationConfirm *rcf)
1413 struct nf_ct_h323_master *info = nfct_help_data(ct);
1414 int dir = CTINFO2DIR(ctinfo);
1416 struct nf_conntrack_expect *exp;
1417 typeof(set_sig_addr_hook) set_sig_addr;
1419 pr_debug("nf_ct_ras: RCF\n");
1421 set_sig_addr = rcu_dereference(set_sig_addr_hook);
1422 if (set_sig_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1423 ct->status & IPS_NAT_MASK) {
1424 ret = set_sig_addr(skb, ct, ctinfo, protoff, data,
1425 rcf->callSignalAddress.item,
1426 rcf->callSignalAddress.count);
1431 if (rcf->options & eRegistrationConfirm_timeToLive) {
1432 pr_debug("nf_ct_ras: RCF TTL = %u seconds\n", rcf->timeToLive);
1433 info->timeout = rcf->timeToLive;
1436 if (info->timeout > 0) {
1437 pr_debug("nf_ct_ras: set RAS connection timeout to "
1438 "%u seconds\n", info->timeout);
1439 nf_ct_refresh(ct, skb, info->timeout * HZ);
1441 /* Set expect timeout */
1442 spin_lock_bh(&nf_conntrack_expect_lock);
1443 exp = find_expect(ct, &ct->tuplehash[dir].tuple.dst.u3,
1444 info->sig_port[!dir]);
1446 pr_debug("nf_ct_ras: set Q.931 expect "
1447 "timeout to %u seconds for",
1449 nf_ct_dump_tuple(&exp->tuple);
1450 mod_timer_pending(&exp->timeout,
1451 jiffies + info->timeout * HZ);
1453 spin_unlock_bh(&nf_conntrack_expect_lock);
1459 static int process_urq(struct sk_buff *skb, struct nf_conn *ct,
1460 enum ip_conntrack_info ctinfo,
1461 unsigned int protoff,
1462 unsigned char **data, UnregistrationRequest *urq)
1464 struct nf_ct_h323_master *info = nfct_help_data(ct);
1465 int dir = CTINFO2DIR(ctinfo);
1467 typeof(set_sig_addr_hook) set_sig_addr;
1469 pr_debug("nf_ct_ras: URQ\n");
1471 set_sig_addr = rcu_dereference(set_sig_addr_hook);
1472 if (set_sig_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1473 ct->status & IPS_NAT_MASK) {
1474 ret = set_sig_addr(skb, ct, ctinfo, protoff, data,
1475 urq->callSignalAddress.item,
1476 urq->callSignalAddress.count);
1481 /* Clear old expect */
1482 nf_ct_remove_expectations(ct);
1483 info->sig_port[dir] = 0;
1484 info->sig_port[!dir] = 0;
1486 /* Give it 30 seconds for UCF or URJ */
1487 nf_ct_refresh(ct, skb, 30 * HZ);
1492 static int process_arq(struct sk_buff *skb, struct nf_conn *ct,
1493 enum ip_conntrack_info ctinfo,
1494 unsigned int protoff,
1495 unsigned char **data, AdmissionRequest *arq)
1497 const struct nf_ct_h323_master *info = nfct_help_data(ct);
1498 int dir = CTINFO2DIR(ctinfo);
1500 union nf_inet_addr addr;
1501 typeof(set_h225_addr_hook) set_h225_addr;
1503 pr_debug("nf_ct_ras: ARQ\n");
1505 set_h225_addr = rcu_dereference(set_h225_addr_hook);
1506 if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
1507 get_h225_addr(ct, *data, &arq->destCallSignalAddress,
1509 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1510 port == info->sig_port[dir] &&
1511 nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1512 set_h225_addr && ct->status & IPS_NAT_MASK) {
1514 return set_h225_addr(skb, protoff, data, 0,
1515 &arq->destCallSignalAddress,
1516 &ct->tuplehash[!dir].tuple.dst.u3,
1517 info->sig_port[!dir]);
1520 if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
1521 get_h225_addr(ct, *data, &arq->srcCallSignalAddress,
1523 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1524 set_h225_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1525 ct->status & IPS_NAT_MASK) {
1527 return set_h225_addr(skb, protoff, data, 0,
1528 &arq->srcCallSignalAddress,
1529 &ct->tuplehash[!dir].tuple.dst.u3,
1536 static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
1537 enum ip_conntrack_info ctinfo,
1538 unsigned int protoff,
1539 unsigned char **data, AdmissionConfirm *acf)
1541 int dir = CTINFO2DIR(ctinfo);
1544 union nf_inet_addr addr;
1545 struct nf_conntrack_expect *exp;
1546 typeof(set_sig_addr_hook) set_sig_addr;
1548 pr_debug("nf_ct_ras: ACF\n");
1550 if (!get_h225_addr(ct, *data, &acf->destCallSignalAddress,
1554 if (!memcmp(&addr, &ct->tuplehash[dir].tuple.dst.u3, sizeof(addr))) {
1556 set_sig_addr = rcu_dereference(set_sig_addr_hook);
1557 if (set_sig_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1558 ct->status & IPS_NAT_MASK)
1559 return set_sig_addr(skb, ct, ctinfo, protoff, data,
1560 &acf->destCallSignalAddress, 1);
1564 /* Need new expect */
1565 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1567 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1568 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1569 IPPROTO_TCP, NULL, &port);
1570 exp->flags = NF_CT_EXPECT_PERMANENT;
1571 exp->helper = nf_conntrack_helper_q931;
1573 if (nf_ct_expect_related(exp, 0) == 0) {
1574 pr_debug("nf_ct_ras: expect Q.931 ");
1575 nf_ct_dump_tuple(&exp->tuple);
1579 nf_ct_expect_put(exp);
1584 static int process_lrq(struct sk_buff *skb, struct nf_conn *ct,
1585 enum ip_conntrack_info ctinfo,
1586 unsigned int protoff,
1587 unsigned char **data, LocationRequest *lrq)
1589 typeof(set_ras_addr_hook) set_ras_addr;
1591 pr_debug("nf_ct_ras: LRQ\n");
1593 set_ras_addr = rcu_dereference(set_ras_addr_hook);
1594 if (set_ras_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1595 ct->status & IPS_NAT_MASK)
1596 return set_ras_addr(skb, ct, ctinfo, protoff, data,
1597 &lrq->replyAddress, 1);
1601 static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
1602 enum ip_conntrack_info ctinfo,
1603 unsigned int protoff,
1604 unsigned char **data, LocationConfirm *lcf)
1606 int dir = CTINFO2DIR(ctinfo);
1609 union nf_inet_addr addr;
1610 struct nf_conntrack_expect *exp;
1612 pr_debug("nf_ct_ras: LCF\n");
1614 if (!get_h225_addr(ct, *data, &lcf->callSignalAddress,
1618 /* Need new expect for call signal */
1619 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1621 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1622 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1623 IPPROTO_TCP, NULL, &port);
1624 exp->flags = NF_CT_EXPECT_PERMANENT;
1625 exp->helper = nf_conntrack_helper_q931;
1627 if (nf_ct_expect_related(exp, 0) == 0) {
1628 pr_debug("nf_ct_ras: expect Q.931 ");
1629 nf_ct_dump_tuple(&exp->tuple);
1633 nf_ct_expect_put(exp);
1635 /* Ignore rasAddress */
1640 static int process_irr(struct sk_buff *skb, struct nf_conn *ct,
1641 enum ip_conntrack_info ctinfo,
1642 unsigned int protoff,
1643 unsigned char **data, InfoRequestResponse *irr)
1646 typeof(set_ras_addr_hook) set_ras_addr;
1647 typeof(set_sig_addr_hook) set_sig_addr;
1649 pr_debug("nf_ct_ras: IRR\n");
1651 set_ras_addr = rcu_dereference(set_ras_addr_hook);
1652 if (set_ras_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1653 ct->status & IPS_NAT_MASK) {
1654 ret = set_ras_addr(skb, ct, ctinfo, protoff, data,
1655 &irr->rasAddress, 1);
1660 set_sig_addr = rcu_dereference(set_sig_addr_hook);
1661 if (set_sig_addr && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
1662 ct->status & IPS_NAT_MASK) {
1663 ret = set_sig_addr(skb, ct, ctinfo, protoff, data,
1664 irr->callSignalAddress.item,
1665 irr->callSignalAddress.count);
1673 static int process_ras(struct sk_buff *skb, struct nf_conn *ct,
1674 enum ip_conntrack_info ctinfo,
1675 unsigned int protoff,
1676 unsigned char **data, RasMessage *ras)
1678 switch (ras->choice) {
1679 case eRasMessage_gatekeeperRequest:
1680 return process_grq(skb, ct, ctinfo, protoff, data,
1681 &ras->gatekeeperRequest);
1682 case eRasMessage_gatekeeperConfirm:
1683 return process_gcf(skb, ct, ctinfo, protoff, data,
1684 &ras->gatekeeperConfirm);
1685 case eRasMessage_registrationRequest:
1686 return process_rrq(skb, ct, ctinfo, protoff, data,
1687 &ras->registrationRequest);
1688 case eRasMessage_registrationConfirm:
1689 return process_rcf(skb, ct, ctinfo, protoff, data,
1690 &ras->registrationConfirm);
1691 case eRasMessage_unregistrationRequest:
1692 return process_urq(skb, ct, ctinfo, protoff, data,
1693 &ras->unregistrationRequest);
1694 case eRasMessage_admissionRequest:
1695 return process_arq(skb, ct, ctinfo, protoff, data,
1696 &ras->admissionRequest);
1697 case eRasMessage_admissionConfirm:
1698 return process_acf(skb, ct, ctinfo, protoff, data,
1699 &ras->admissionConfirm);
1700 case eRasMessage_locationRequest:
1701 return process_lrq(skb, ct, ctinfo, protoff, data,
1702 &ras->locationRequest);
1703 case eRasMessage_locationConfirm:
1704 return process_lcf(skb, ct, ctinfo, protoff, data,
1705 &ras->locationConfirm);
1706 case eRasMessage_infoRequestResponse:
1707 return process_irr(skb, ct, ctinfo, protoff, data,
1708 &ras->infoRequestResponse);
1710 pr_debug("nf_ct_ras: RAS message %d\n", ras->choice);
1717 static int ras_help(struct sk_buff *skb, unsigned int protoff,
1718 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
1720 static RasMessage ras;
1721 unsigned char *data;
1725 pr_debug("nf_ct_ras: skblen = %u\n", skb->len);
1727 spin_lock_bh(&nf_h323_lock);
1730 data = get_udp_data(skb, protoff, &datalen);
1733 pr_debug("nf_ct_ras: RAS message len=%d ", datalen);
1734 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
1736 /* Decode RAS message */
1737 ret = DecodeRasMessage(data, datalen, &ras);
1739 pr_debug("nf_ct_ras: decoding error: %s\n",
1740 ret == H323_ERROR_BOUND ?
1741 "out of bound" : "out of range");
1745 /* Process RAS message */
1746 if (process_ras(skb, ct, ctinfo, protoff, &data, &ras) < 0)
1750 spin_unlock_bh(&nf_h323_lock);
1754 spin_unlock_bh(&nf_h323_lock);
1755 nf_ct_helper_log(skb, ct, "cannot process RAS message");
1759 static const struct nf_conntrack_expect_policy ras_exp_policy = {
1764 static struct nf_conntrack_helper nf_conntrack_helper_ras[] __read_mostly = {
1768 .tuple.src.l3num = AF_INET,
1769 .tuple.src.u.udp.port = cpu_to_be16(RAS_PORT),
1770 .tuple.dst.protonum = IPPROTO_UDP,
1772 .expect_policy = &ras_exp_policy,
1777 .tuple.src.l3num = AF_INET6,
1778 .tuple.src.u.udp.port = cpu_to_be16(RAS_PORT),
1779 .tuple.dst.protonum = IPPROTO_UDP,
1781 .expect_policy = &ras_exp_policy,
1785 static int __init h323_helper_init(void)
1789 ret = nf_conntrack_helper_register(&nf_conntrack_helper_h245);
1792 ret = nf_conntrack_helpers_register(nf_conntrack_helper_q931,
1793 ARRAY_SIZE(nf_conntrack_helper_q931));
1796 ret = nf_conntrack_helpers_register(nf_conntrack_helper_ras,
1797 ARRAY_SIZE(nf_conntrack_helper_ras));
1803 nf_conntrack_helpers_unregister(nf_conntrack_helper_q931,
1804 ARRAY_SIZE(nf_conntrack_helper_q931));
1806 nf_conntrack_helper_unregister(&nf_conntrack_helper_h245);
1810 static void __exit h323_helper_exit(void)
1812 nf_conntrack_helpers_unregister(nf_conntrack_helper_ras,
1813 ARRAY_SIZE(nf_conntrack_helper_ras));
1814 nf_conntrack_helpers_unregister(nf_conntrack_helper_q931,
1815 ARRAY_SIZE(nf_conntrack_helper_q931));
1816 nf_conntrack_helper_unregister(&nf_conntrack_helper_h245);
1819 static void __exit nf_conntrack_h323_fini(void)
1823 pr_debug("nf_ct_h323: fini\n");
1826 static int __init nf_conntrack_h323_init(void)
1830 NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_h323_master));
1832 h323_buffer = kmalloc(H323_MAX_SIZE + 1, GFP_KERNEL);
1835 ret = h323_helper_init();
1838 pr_debug("nf_ct_h323: init success\n");
1845 module_init(nf_conntrack_h323_init);
1846 module_exit(nf_conntrack_h323_fini);
1848 EXPORT_SYMBOL_GPL(get_h225_addr);
1849 EXPORT_SYMBOL_GPL(set_h245_addr_hook);
1850 EXPORT_SYMBOL_GPL(set_h225_addr_hook);
1851 EXPORT_SYMBOL_GPL(set_sig_addr_hook);
1852 EXPORT_SYMBOL_GPL(set_ras_addr_hook);
1853 EXPORT_SYMBOL_GPL(nat_rtp_rtcp_hook);
1854 EXPORT_SYMBOL_GPL(nat_t120_hook);
1855 EXPORT_SYMBOL_GPL(nat_h245_hook);
1856 EXPORT_SYMBOL_GPL(nat_callforwarding_hook);
1857 EXPORT_SYMBOL_GPL(nat_q931_hook);
1859 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
1860 MODULE_DESCRIPTION("H.323 connection tracking helper");
1861 MODULE_LICENSE("GPL");
1862 MODULE_ALIAS("ip_conntrack_h323");
1863 MODULE_ALIAS_NFCT_HELPER("RAS");
1864 MODULE_ALIAS_NFCT_HELPER("Q.931");
1865 MODULE_ALIAS_NFCT_HELPER("H.245");
projects / releases.git / blob