[NETFILTER 00/32]: SIP conntrack/NAT enhancements

[NETFILTER 00/32]: SIP conntrack/NAT enhancements

[Patrick McHardy]

I've forward ported and slightly reworked my SIP conntrack patches
in order to prepare them for upstream merging. They will most likely
see a few more minor changes before getting merged, but they're ready
for testing and review already.


A rough overview of the patches:

- Cleanups, minor fixes

- Expectation classes for isolating different expectation types from
  each other (audio/video/signalling/...)

- Parser fixes: proper SIP and SDP parsing, dealing with SIP's strange
  whitespace rules, case-sensitivity, etc.

- Parser enhancements: support for more message types containing SDP
  messages, support for parsing header and URI parameters

- Expectations for signalling and RTCP connections

- (Optional) wildcard RTP expectations for RTP streams that originate
  from other hosts than the registrar/proxy

- Multiple media channel support (used for audio and video for now)

- NAT enhancements: replacement of text-based address translation by
  binary address translation, support for properly updating rport=,
  received= and maddr= Via-header parameters, support for properly
  translating all Contact: addresses

- RTP routing optmization: makes RTP streams between two "internal"
  endpoints go directly without NAT (only works if the proxy doesn't
  also proxy the RTP streams).

For a full description check out the individual changelog entries.


The old (before forward porting) patches have been tested extensively
in multiple different setups, assuming no bugs have been introduced
during forward porting (everything *seems* to work fine) they should
make the SIP helper work significantly better with multiple endpoints
behind the firewall and with a wider range of clients.

In case someone wants to do some testing, the conntrack module has two
new parameters controlling whether expectations for signalling and
RTP connections are set up with wildcards or only between the two
sides of the connection:

- sip_direct_signalling (default 1): expect signalling connections only
  from registrar

- sip_direct_media (default 1): expect media streams only from remote
  side of the connection

Depending on the setup, the defaults might be too strict and need to
be changed to zero.


A git tree with these patches is available at:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.26-sip.git

Patches, testing and comments welcome :)


 include/linux/netfilter.h                     |    9 +
 include/linux/netfilter/nf_conntrack_amanda.h |    6 +
 include/linux/netfilter/nf_conntrack_ftp.h    |    6 +
 include/linux/netfilter/nf_conntrack_h323.h   |   18 +
 include/linux/netfilter/nf_conntrack_irc.h    |    6 +
 include/linux/netfilter/nf_conntrack_pptp.h   |    6 +
 include/linux/netfilter/nf_conntrack_sane.h   |    6 +
 include/linux/netfilter/nf_conntrack_sip.h    |  185 +++-
 include/linux/netfilter/nf_conntrack_tftp.h   |    6 +
 include/net/netfilter/nf_conntrack.h          |    7 +-
 include/net/netfilter/nf_conntrack_expect.h   |   20 +-
 include/net/netfilter/nf_conntrack_helper.h   |    5 +-
 include/net/netfilter/nf_conntrack_tuple.h    |   53 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c            |    2 +-
 net/ipv4/netfilter/nf_nat_sip.c               |  556 +++++++----
 net/ipv4/netfilter/nf_nat_snmp_basic.c        |   22 +-
 net/netfilter/nf_conntrack_amanda.c           |   18 +-
 net/netfilter/nf_conntrack_expect.c           |   81 +-
 net/netfilter/nf_conntrack_ftp.c              |   13 +-
 net/netfilter/nf_conntrack_h323_main.c        |   68 +-
 net/netfilter/nf_conntrack_helper.c           |    3 +-
 net/netfilter/nf_conntrack_irc.c              |   10 +-
 net/netfilter/nf_conntrack_netbios_ns.c       |   18 +-
 net/netfilter/nf_conntrack_pptp.c             |   17 +-
 net/netfilter/nf_conntrack_sane.c             |   14 +-
 net/netfilter/nf_conntrack_sip.c              | 1401 ++++++++++++++++++++-----
 net/netfilter/nf_conntrack_tftp.c             |   14 +-
 27 files changed, 1976 insertions(+), 594 deletions(-)

Patrick McHardy (32):
      [NETFILTER]: ipt_CLUSTERIP: fix non-existant macro-name
      [NETFILTER]: nf_conntrack: fix NF_CT_TUPLE_DUMP for IPv4
      [NETFILTER]: nf_conntrack_expect: constify nf_ct_expect_init arguments
      [NETFILTER]: nf_conntrack_expect: show NF_CT_EXPECT_PERMANENT flag in /proc
      [NETFILTER]: nf_conntrack_expect: support inactive expectations
      [NETFILTER]: nf_conntrack: introduce expectation classes and policies
      [NETFILTER]: Add nf_inet_addr_cmp()
      [NETFILTER]: nf_conntrack_sip: fix IPv6 address parsing
      [NETFILTER]: nf_nat_sip: fix NAT setup order
      [NETFILTER]: nf_conntrack_sip: fix some off-by-ones
      [NETFILTER]: nf_conntrack_sip: adjust dptr and datalen after packet mangling
      [NETFILTER]: nf_conntrack_sip: remove redundant function arguments
      [NETFILTER]: nf_conntrack_sip: use strlen/strcmp
      [NETFILTER]: nf_conntrack_sip: add seperate SDP header parsing function
      [NETFILTER]: nf_conntrack_sip: kill request URI "header" definitions
      [NETFILTER]: nf_conntrack_sip: parse SIP headers properly
      [NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper
      [NETFILTER]: nf_nat_sip: get rid of text based header translation
      [NETFILTER]: nf_conntrack_sip: move SDP parsing to seperate function
      [NETFILTER]: nf_conntrack_sip: support method specific request/response handling
      [NETFILTER]: nf_conntrack_sip: perform NAT after parsing
      [NETFILTER]: nf_conntrack_sip: process ACK and PRACK methods
      [NETFILTER]: nf_conntrack_sip: flush expectations on call termination
      [NETFILTER]: nf_conntrack_sip: introduce URI and header parameter parsing helpers
      [NETFILTER]: nf_nat_sip: translate all Via headers
      [NETFILTER]: nf_nat_sip: translate all Contact headers
      [NETFILTER]: nf_conntrack_sip: create signalling expectations
      [NETFILTER]: nf_conntrack_sip: allow media expectations with wildcard source address
      [NETFILTER]: nf_conntrack_sip: create RTCP expectations
      [NETFILTER]: nf_nat_sip: split up SDP mangling
      [NETFILTER]: nf_conntrack_sip: support multiple media channels
      [NETFILTER]: nf_conntrack_sip: RTP routing optimization

[NETFILTER 01/32]: ipt_CLUSTERIP: fix non-existant macro-name

[Patrick McHardy]

[NETFILTER]: ipt_CLUSTERIP: fix non-existant macro-name

With nf_conntrack DUMP_TUPLE got renamed to NF_CT_DUMP_TUPLE, fix
CLUSTERIP to use the proper macro name.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 64c4eb535c3d06edb1ceb47edc5bfce36348a7c4
tree 05fc830a717f22f694cd10ee41406cb936e1325a
parent d9595a7b9c777d45a74774f1428c263a0a47f4c0
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:03 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:03 +0100

 net/ipv4/netfilter/ipt_CLUSTERIP.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index c6cf84c..1b10f36 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -332,7 +332,7 @@ clusterip_tg(struct sk_buff *skb, const struct net_device *in,
 	}
 
 #ifdef DEBUG
-	DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+	NF_CT_DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
 #endif
 	pr_debug("hash=%u ct_hash=%u ", hash, ct->mark);
 	if (!clusterip_responsible(cipinfo->config, hash)) {

[NETFILTER 02/32]: nf_conntrack: fix NF_CT_TUPLE_DUMP for IPv4

[Patrick McHardy]

[NETFILTER]: nf_conntrack: fix NF_CT_TUPLE_DUMP for IPv4

NF_CT_TUPLE_DUMP prints IPv4 addresses as IPv6, fix this and use printk
(guarded by #ifdef DEBUG) directly instead of pr_debug since the tuple
is usually printed at the end of line and we don't want to include a
log-level.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 1fd566261c97eda01f8106bcf10e09f1ecaf2d62
tree 046a6153da1deacbcdd5dd90a51b3a0bee4899fc
parent 64c4eb535c3d06edb1ceb47edc5bfce36348a7c4
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:05 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:05 +0100

 include/net/netfilter/nf_conntrack_tuple.h |   38 ++++++++++++++++++++++++----
 1 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index e69ab2e..d9b53dd 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -113,11 +113,39 @@ struct nf_conntrack_tuple_mask
 
 #ifdef __KERNEL__
 
-#define NF_CT_DUMP_TUPLE(tp)						     \
-pr_debug("tuple %p: %u %u " NIP6_FMT " %hu -> " NIP6_FMT " %hu\n",	     \
-	 (tp), (tp)->src.l3num, (tp)->dst.protonum,			     \
-	 NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \
-	 NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all))
+static inline void nf_ct_dump_tuple_ip(const struct nf_conntrack_tuple *t)
+{
+#ifdef DEBUG
+	printk("tuple %p: %u " NIPQUAD_FMT ":%hu -> " NIPQUAD_FMT ":%hu\n",
+	       t, t->dst.protonum,
+	       NIPQUAD(t->src.u3.ip), ntohs(t->src.u.all),
+	       NIPQUAD(t->dst.u3.ip), ntohs(t->dst.u.all));
+#endif
+}
+
+static inline void nf_ct_dump_tuple_ipv6(const struct nf_conntrack_tuple *t)
+{
+#ifdef DEBUG
+	printk("tuple %p: %u " NIP6_FMT " %hu -> " NIP6_FMT " %hu\n",
+	       t, t->dst.protonum,
+	       NIP6(*(struct in6_addr *)t->src.u3.all), ntohs(t->src.u.all),
+	       NIP6(*(struct in6_addr *)t->dst.u3.all), ntohs(t->dst.u.all));
+#endif
+}
+
+static inline void nf_ct_dump_tuple(const struct nf_conntrack_tuple *t)
+{
+	switch (t->src.l3num) {
+	case AF_INET:
+		nf_ct_dump_tuple_ip(t);
+		break;
+	case AF_INET6:
+		nf_ct_dump_tuple_ipv6(t);
+		break;
+	}
+}
+
+#define NF_CT_DUMP_TUPLE(tp)	nf_ct_dump_tuple(tp)
 
 /* If we're the first tuple, it's the original dir. */
 #define NF_CT_DIRECTION(h)						\

[NETFILTER 03/32]: nf_conntrack_expect: constify nf_ct_expect_init arguments

[Patrick McHardy]

[NETFILTER]: nf_conntrack_expect: constify nf_ct_expect_init arguments

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f6c04977c6bfa6adcb366221cbaf20ed6f45bf55
tree 0520b070ca9c5312659ff898c2b6ec80b7210072
parent 1fd566261c97eda01f8106bcf10e09f1ecaf2d62
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:07 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:07 +0100

 include/net/netfilter/nf_conntrack_expect.h |    6 +++---
 net/netfilter/nf_conntrack_expect.c         |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index cb608a1..f1bdcb4 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -75,9 +75,9 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
    nf_ct_expect_related.  You will have to call put afterwards. */
 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
 void nf_ct_expect_init(struct nf_conntrack_expect *, int,
-		       union nf_inet_addr *,
-		       union nf_inet_addr *,
-		       u_int8_t, __be16 *, __be16 *);
+		       const union nf_inet_addr *,
+		       const union nf_inet_addr *,
+		       u_int8_t, const __be16 *, const __be16 *);
 void nf_ct_expect_put(struct nf_conntrack_expect *exp);
 int nf_ct_expect_related(struct nf_conntrack_expect *expect);
 
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e06bf00..2926e0b 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -229,9 +229,9 @@ struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 
 void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
-		       union nf_inet_addr *saddr,
-		       union nf_inet_addr *daddr,
-		       u_int8_t proto, __be16 *src, __be16 *dst)
+		       const union nf_inet_addr *saddr,
+		       const union nf_inet_addr *daddr,
+		       u_int8_t proto, const __be16 *src, const __be16 *dst)
 {
 	int len;
 

[NETFILTER 04/32]: nf_conntrack_expect: show NF_CT_EXPECT_PERMANENT flag in /proc

[Patrick McHardy]

[NETFILTER]: nf_conntrack_expect: show NF_CT_EXPECT_PERMANENT flag in /proc

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 80c19a28e05a8855425f7f8cc62384b700b208c1
tree bcae1a47f585c86d943c70b627b85fdaaefc7edd
parent f6c04977c6bfa6adcb366221cbaf20ed6f45bf55
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:08 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:08 +0100

 net/netfilter/nf_conntrack_expect.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 2926e0b..bc4c8e0 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -475,6 +475,10 @@ static int exp_seq_show(struct seq_file *s, void *v)
 		    __nf_ct_l3proto_find(expect->tuple.src.l3num),
 		    __nf_ct_l4proto_find(expect->tuple.src.l3num,
 				       expect->tuple.dst.protonum));
+
+	if (expect->flags & NF_CT_EXPECT_PERMANENT)
+		seq_printf(s, "PERMANENT ");
+
 	return seq_putc(s, '\n');
 }
 

[NETFILTER 05/32]: nf_conntrack_expect: support inactive expectations

[Patrick McHardy]

[NETFILTER]: nf_conntrack_expect: support inactive expectations

This is useful for the SIP helper and signalling expectations.
We don't want to create a full-blown expectation with a wildcard
as source based on a single UDP packet, but need to know the
final port anyways. With inactive expectations we can register
the expectation and reserve the tuple, but wait for confirmation
from the registrar before activating it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 322ac7d38f97af880a7df6f39336b1918ccaf7d6
tree d6592355237559f9c940dd1ff49e0c4721591eb2
parent 80c19a28e05a8855425f7f8cc62384b700b208c1
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:10 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:10 +0100

 include/net/netfilter/nf_conntrack_expect.h |    3 ++-
 net/netfilter/nf_conntrack_expect.c         |   25 +++++++++++++++++++++----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index f1bdcb4..47c28dd 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -53,7 +53,8 @@ struct nf_conntrack_expect
 	struct rcu_head rcu;
 };
 
-#define NF_CT_EXPECT_PERMANENT 0x1
+#define NF_CT_EXPECT_PERMANENT	0x1
+#define NF_CT_EXPECT_INACTIVE	0x2
 
 int nf_conntrack_expect_init(void);
 void nf_conntrack_expect_fini(void);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index bc4c8e0..4bd694d 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -126,9 +126,21 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
 struct nf_conntrack_expect *
 nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple)
 {
-	struct nf_conntrack_expect *exp;
+	struct nf_conntrack_expect *i, *exp = NULL;
+	struct hlist_node *n;
+	unsigned int h;
+
+	if (!nf_ct_expect_count)
+		return NULL;
 
-	exp = __nf_ct_expect_find(tuple);
+	h = nf_ct_expect_dst_hash(tuple);
+	hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) {
+		if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
+		    nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
+			exp = i;
+			break;
+		}
+	}
 	if (!exp)
 		return NULL;
 
@@ -460,6 +472,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
 {
 	struct nf_conntrack_expect *expect;
 	struct hlist_node *n = v;
+	char *delim = "";
 
 	expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
 
@@ -476,8 +489,12 @@ static int exp_seq_show(struct seq_file *s, void *v)
 		    __nf_ct_l4proto_find(expect->tuple.src.l3num,
 				       expect->tuple.dst.protonum));
 
-	if (expect->flags & NF_CT_EXPECT_PERMANENT)
-		seq_printf(s, "PERMANENT ");
+	if (expect->flags & NF_CT_EXPECT_PERMANENT) {
+		seq_printf(s, "PERMANENT");
+		delim = ",";
+	}
+	if (expect->flags & NF_CT_EXPECT_INACTIVE)
+		seq_printf(s, "%sINACTIVE", delim);
 
 	return seq_putc(s, '\n');
 }

[NETFILTER 06/32]: nf_conntrack: introduce expectation classes and policies

[Patrick McHardy]

[NETFILTER]: nf_conntrack: introduce expectation classes and policies

Introduce expectation classes and policies. An expectation class
is used to distinguish different types of expectations by the
same helper (for example audio/video/t.120). The expectation
policy is used to hold the maximum number of expectations and
the initial timeout for each class.

The individual classes are isolated from each other, which means
that for example an audio expectation will only evict other audio
expectations.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 52e02723b365a29b1694a8d157d42aa5f6c72895
tree f0f9bc64bf1f793073f0638df64ff2c63b833c19
parent 322ac7d38f97af880a7df6f39336b1918ccaf7d6
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:12 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:12 +0100

 include/linux/netfilter/nf_conntrack_amanda.h |    6 ++
 include/linux/netfilter/nf_conntrack_ftp.h    |    6 ++
 include/linux/netfilter/nf_conntrack_h323.h   |   18 +++++++
 include/linux/netfilter/nf_conntrack_irc.h    |    6 ++
 include/linux/netfilter/nf_conntrack_pptp.h   |    6 ++
 include/linux/netfilter/nf_conntrack_sane.h   |    6 ++
 include/linux/netfilter/nf_conntrack_sip.h    |    6 ++
 include/linux/netfilter/nf_conntrack_tftp.h   |    6 ++
 include/net/netfilter/nf_conntrack.h          |    5 +-
 include/net/netfilter/nf_conntrack_expect.h   |   11 ++++
 include/net/netfilter/nf_conntrack_helper.h   |    5 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c        |   22 +++++++-
 net/netfilter/nf_conntrack_amanda.c           |   18 +++++--
 net/netfilter/nf_conntrack_expect.c           |   50 ++++++++++++------
 net/netfilter/nf_conntrack_ftp.c              |   13 ++++-
 net/netfilter/nf_conntrack_h323_main.c        |   68 ++++++++++++++++---------
 net/netfilter/nf_conntrack_helper.c           |    3 +
 net/netfilter/nf_conntrack_irc.c              |   10 +++-
 net/netfilter/nf_conntrack_netbios_ns.c       |   18 ++++++-
 net/netfilter/nf_conntrack_pptp.c             |   17 +++++-
 net/netfilter/nf_conntrack_sane.c             |   14 ++++-
 net/netfilter/nf_conntrack_sip.c              |   13 ++++-
 net/netfilter/nf_conntrack_tftp.c             |   14 ++++-
 23 files changed, 264 insertions(+), 77 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_amanda.h b/include/linux/netfilter/nf_conntrack_amanda.h
index 0bb5a69..8afacb9 100644
--- a/include/linux/netfilter/nf_conntrack_amanda.h
+++ b/include/linux/netfilter/nf_conntrack_amanda.h
@@ -2,6 +2,12 @@
 #define _NF_CONNTRACK_AMANDA_H
 /* AMANDA tracking. */
 
+enum amanda_expectation_classes {
+	AMANDA_EXPECT,
+	__AMANDA_EXPECT_MAX,
+};
+#define AMANDA_EXPECT_MAX	(__AMANDA_EXPECT_MAX - 1)
+
 extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
 					  enum ip_conntrack_info ctinfo,
 					  unsigned int matchoff,
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 47727d7..8c03915 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -19,6 +19,12 @@ enum nf_ct_ftp_type
 
 #define FTP_PORT	21
 
+enum ftp_expectation_classes {
+	FTP_EXPECT,
+	__FTP_EXPECT_MAX
+};
+#define FTP_EXPECT_MAX	(__FTP_EXPECT_MAX - 1)
+
 #define NUM_SEQ_TO_REMEMBER 2
 /* This structure exists only once per master */
 struct nf_ct_ftp_master {
diff --git a/include/linux/netfilter/nf_conntrack_h323.h b/include/linux/netfilter/nf_conntrack_h323.h
index 26f9226..0295a19 100644
--- a/include/linux/netfilter/nf_conntrack_h323.h
+++ b/include/linux/netfilter/nf_conntrack_h323.h
@@ -9,6 +9,24 @@
 #define Q931_PORT 1720
 #define H323_RTP_CHANNEL_MAX 4	/* Audio, video, FAX and other */
 
+enum h245_expectation_classes {
+	H245_EXPECT,
+	__H245_EXPECT_MAX
+};
+#define H245_EXPECT_MAX	(__H245_EXPECT_MAX - 1)
+
+enum q931_expectation_classes {
+	Q931_EXPECT,
+	__Q931_EXPECT_MAX
+};
+#define Q931_EXPECT_MAX	(__Q931_EXPECT_MAX - 1)
+
+enum ras_expect_classes {
+	RAS_EXPECT,
+	__RAS_EXPECT_MAX,
+};
+#define RAS_EXPECT_MAX	(__RAS_EXPECT_MAX - 1)
+
 /* This structure exists only once per master */
 struct nf_ct_h323_master {
 
diff --git a/include/linux/netfilter/nf_conntrack_irc.h b/include/linux/netfilter/nf_conntrack_irc.h
index 36282bf..25cf670 100644
--- a/include/linux/netfilter/nf_conntrack_irc.h
+++ b/include/linux/netfilter/nf_conntrack_irc.h
@@ -5,6 +5,12 @@
 
 #define IRC_PORT	6667
 
+enum irc_expectation_classes {
+	IRC_EXPECT,
+	__IRC_EXPECT_MAX
+};
+#define IRC_EXPECT_MAX	(__IRC_EXPECT_MAX - 1)
+
 extern unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb,
 				       enum ip_conntrack_info ctinfo,
 				       unsigned int matchoff,
diff --git a/include/linux/netfilter/nf_conntrack_pptp.h b/include/linux/netfilter/nf_conntrack_pptp.h
index 3bbde0c..b63cd99 100644
--- a/include/linux/netfilter/nf_conntrack_pptp.h
+++ b/include/linux/netfilter/nf_conntrack_pptp.h
@@ -48,6 +48,12 @@ struct nf_nat_pptp {
 
 #define PPTP_CONTROL_PORT	1723
 
+enum pptp_expectation_classes {
+	PPTP_EXPECT,
+	__PPTP_EXPECT_MAX
+};
+#define PPTP_EXPECT_MAX	(__PPTP_EXPECT_MAX - 1)
+
 #define PPTP_PACKET_CONTROL	1
 #define PPTP_PACKET_MGMT	2
 
diff --git a/include/linux/netfilter/nf_conntrack_sane.h b/include/linux/netfilter/nf_conntrack_sane.h
index 4767d6e..bb3fec3 100644
--- a/include/linux/netfilter/nf_conntrack_sane.h
+++ b/include/linux/netfilter/nf_conntrack_sane.h
@@ -6,6 +6,12 @@
 
 #define SANE_PORT	6566
 
+enum sane_expectation_classes {
+	SANE_EXPECT,
+	__SANE_EXPECT_MAX
+};
+#define SANE_EXPECT_MAX	(__SANE_EXPECT_MAX - 1)
+
 enum sane_state {
 	SANE_STATE_NORMAL,
 	SANE_STATE_START_REQUESTED,
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 8e5ce1c..a58d6a3 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -5,6 +5,12 @@
 #define SIP_PORT	5060
 #define SIP_TIMEOUT	3600
 
+enum sip_expectation_classes {
+	SIP_EXPECT,
+	__SIP_EXPECT_MAX
+};
+#define SIP_EXPECT_MAX	(__SIP_EXPECT_MAX - 1)
+
 enum sip_header_pos {
 	POS_REG_REQ_URI,
 	POS_REQ_URI,
diff --git a/include/linux/netfilter/nf_conntrack_tftp.h b/include/linux/netfilter/nf_conntrack_tftp.h
index c78d38f..11001ae 100644
--- a/include/linux/netfilter/nf_conntrack_tftp.h
+++ b/include/linux/netfilter/nf_conntrack_tftp.h
@@ -3,6 +3,12 @@
 
 #define TFTP_PORT 69
 
+enum tftp_expectation_classes {
+	TFTP_EXPECT,
+	__TFTP_EXPECT_MAX
+};
+#define TFTP_EXPECT_MAX	(__TFTP_EXPECT_MAX - 1)
+
 struct tftphdr {
 	__be16 opcode;
 };
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 90b3e7f..9228771 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -75,6 +75,9 @@ do {									\
 
 struct nf_conntrack_helper;
 
+/* Must be kept in sync with the classes defined by helpers */
+#define NF_CT_MAX_EXPECT_CLASSES	1
+
 /* nf_conn feature for connections that have a helper */
 struct nf_conn_help {
 	/* Helper. if any */
@@ -85,7 +88,7 @@ struct nf_conn_help {
 	struct hlist_head expectations;
 
 	/* Current number of expected connections */
-	unsigned int expecting;
+	u8 expecting[NF_CT_MAX_EXPECT_CLASSES];
 };
 
 
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 47c28dd..a9797c5 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -41,6 +41,9 @@ struct nf_conntrack_expect
 	/* Flags */
 	unsigned int flags;
 
+	/* Expectation class */
+	unsigned int class;
+
 #ifdef CONFIG_NF_NAT_NEEDED
 	__be32 saved_ip;
 	/* This is the original per-proto part, used to map the
@@ -53,6 +56,12 @@ struct nf_conntrack_expect
 	struct rcu_head rcu;
 };
 
+struct nf_conntrack_expect_policy
+{
+	unsigned int	max_expected;
+	unsigned int	timeout;
+};
+
 #define NF_CT_EXPECT_PERMANENT	0x1
 #define NF_CT_EXPECT_INACTIVE	0x2
 
@@ -75,7 +84,7 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
 /* Allocate space for an expectation: this is mandatory before calling
    nf_ct_expect_related.  You will have to call put afterwards. */
 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
-void nf_ct_expect_init(struct nf_conntrack_expect *, int,
+void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, int,
 		       const union nf_inet_addr *,
 		       const union nf_inet_addr *,
 		       u_int8_t, const __be16 *, const __be16 *);
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 4ca125e..f8060ab 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -20,9 +20,7 @@ struct nf_conntrack_helper
 
 	const char *name;		/* name of the module */
 	struct module *me;		/* pointer to self */
-	unsigned int max_expected;	/* Maximum number of concurrent 
-					 * expected connections */
-	unsigned int timeout;		/* timeout for expecteds */
+	const struct nf_conntrack_expect_policy *expect_policy;
 
 	/* Tuple of things we will help (compared against server response) */
 	struct nf_conntrack_tuple tuple;
@@ -37,6 +35,7 @@ struct nf_conntrack_helper
 	void (*destroy)(struct nf_conn *ct);
 
 	int (*to_nlattr)(struct sk_buff *skb, const struct nf_conn *ct);
+	unsigned int expect_class_max;
 };
 
 extern struct nf_conntrack_helper *
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..48dd5de 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -50,6 +50,7 @@
 #include <net/udp.h>
 
 #include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_nat_helper.h>
 
@@ -62,6 +63,12 @@ MODULE_ALIAS("ip_nat_snmp_basic");
 #define SNMP_TRAP_PORT 162
 #define NOCT1(n) (*(u8 *)(n))
 
+enum snmp_expectation_classes {
+	SNMP_EXPECT,
+	__SNMP_EXPECT_MAX
+};
+#define SNMP_EXPECT_MAX	(__SNMP_EXPECT_MAX - 1)
+
 static int debug;
 static DEFINE_SPINLOCK(snmp_lock);
 
@@ -1267,11 +1274,18 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 	return ret;
 }
 
+static const struct nf_conntrack_expect_policy snmp_exp_policy[SNMP_EXPECT_MAX + 1] = {
+	[SNMP_EXPECT] = {
+		.max_expected	= 0,
+		.timeout	= 180,
+	},
+};
+
 static struct nf_conntrack_helper snmp_helper __read_mostly = {
-	.max_expected		= 0,
-	.timeout		= 180,
 	.me			= THIS_MODULE,
 	.help			= help,
+	.expect_policy		= snmp_exp_policy,
+	.expect_class_max	= SNMP_EXPECT_MAX,
 	.name			= "snmp",
 	.tuple.src.l3num	= AF_INET,
 	.tuple.src.u.udp.port	= __constant_htons(SNMP_PORT),
@@ -1279,10 +1293,10 @@ static struct nf_conntrack_helper snmp_helper __read_mostly = {
 };
 
 static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
-	.max_expected		= 0,
-	.timeout		= 180,
 	.me			= THIS_MODULE,
 	.help			= help,
+	.expect_policy		= snmp_exp_policy,
+	.expect_class_max	= SNMP_EXPECT_MAX,
 	.name			= "snmp_trap",
 	.tuple.src.l3num	= AF_INET,
 	.tuple.src.u.udp.port	= __constant_htons(SNMP_TRAP_PORT),
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 7b8239c..eaafa08 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -148,7 +148,8 @@ static int amanda_help(struct sk_buff *skb,
 			goto out;
 		}
 		tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
-		nf_ct_expect_init(exp, family, &tuple->src.u3, &tuple->dst.u3,
+		nf_ct_expect_init(exp, AMANDA_EXPECT, family,
+				  &tuple->src.u3, &tuple->dst.u3,
 				  IPPROTO_TCP, NULL, &port);
 
 		nf_nat_amanda = rcu_dereference(nf_nat_amanda_hook);
@@ -164,26 +165,33 @@ out:
 	return ret;
 }
 
+static const struct nf_conntrack_expect_policy amanda_exp_policy[AMANDA_EXPECT_MAX + 1] = {
+	[AMANDA_EXPECT] = {
+		.max_expected		= 3,
+		.timeout		= 180,
+	},
+};
+
 static struct nf_conntrack_helper amanda_helper[2] __read_mostly = {
 	{
 		.name			= "amanda",
-		.max_expected		= 3,
-		.timeout		= 180,
 		.me			= THIS_MODULE,
 		.help			= amanda_help,
 		.tuple.src.l3num	= AF_INET,
 		.tuple.src.u.udp.port	= __constant_htons(10080),
 		.tuple.dst.protonum	= IPPROTO_UDP,
+		.expect_policy		= amanda_exp_policy,
+		.expect_class_max	= AMANDA_EXPECT_MAX,
 	},
 	{
 		.name			= "amanda",
-		.max_expected		= 3,
-		.timeout		= 180,
 		.me			= THIS_MODULE,
 		.help			= amanda_help,
 		.tuple.src.l3num	= AF_INET6,
 		.tuple.src.u.udp.port	= __constant_htons(10080),
 		.tuple.dst.protonum	= IPPROTO_UDP,
+		.expect_policy		= amanda_exp_policy,
+		.expect_class_max	= AMANDA_EXPECT_MAX,
 	},
 };
 
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 4bd694d..f4ce51c 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -54,7 +54,7 @@ void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
 	nf_ct_expect_count--;
 
 	hlist_del(&exp->lnode);
-	master_help->expecting--;
+	master_help->expecting[exp->class]--;
 	nf_ct_expect_put(exp);
 
 	NF_CT_STAT_INC(expect_delete);
@@ -171,7 +171,7 @@ void nf_ct_remove_expectations(struct nf_conn *ct)
 	struct hlist_node *n, *next;
 
 	/* Optimization: most connection never expect any others. */
-	if (!help || help->expecting == 0)
+	if (!help)
 		return;
 
 	hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
@@ -205,7 +205,7 @@ static inline int expect_clash(const struct nf_conntrack_expect *a,
 static inline int expect_matches(const struct nf_conntrack_expect *a,
 				 const struct nf_conntrack_expect *b)
 {
-	return a->master == b->master
+	return a->master == b->master && a->class == b->class
 		&& nf_ct_tuple_equal(&a->tuple, &b->tuple)
 		&& nf_ct_tuple_mask_equal(&a->mask, &b->mask);
 }
@@ -240,7 +240,8 @@ struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
 }
 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 
-void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
+void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
+		       int family,
 		       const union nf_inet_addr *saddr,
 		       const union nf_inet_addr *daddr,
 		       u_int8_t proto, const __be16 *src, const __be16 *dst)
@@ -253,6 +254,7 @@ void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
 		len = 16;
 
 	exp->flags = 0;
+	exp->class = class;
 	exp->expectfn = NULL;
 	exp->helper = NULL;
 	exp->tuple.src.l3num = family;
@@ -309,19 +311,21 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_put);
 static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
 {
 	struct nf_conn_help *master_help = nfct_help(exp->master);
+	const struct nf_conntrack_expect_policy *p;
 	unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
 
 	atomic_inc(&exp->use);
 
 	hlist_add_head(&exp->lnode, &master_help->expectations);
-	master_help->expecting++;
+	master_help->expecting[exp->class]++;
 
 	hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]);
 	nf_ct_expect_count++;
 
 	setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
 		    (unsigned long)exp);
-	exp->timeout.expires = jiffies + master_help->helper->timeout * HZ;
+	p = &master_help->helper->expect_policy[exp->class];
+	exp->timeout.expires = jiffies + p->timeout * HZ;
 	add_timer(&exp->timeout);
 
 	atomic_inc(&exp->use);
@@ -329,35 +333,41 @@ static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
 }
 
 /* Race with expectations being used means we could have none to find; OK. */
-static void evict_oldest_expect(struct nf_conn *master)
+static void evict_oldest_expect(struct nf_conn *master,
+				struct nf_conntrack_expect *new)
 {
 	struct nf_conn_help *master_help = nfct_help(master);
-	struct nf_conntrack_expect *exp = NULL;
+	struct nf_conntrack_expect *exp, *last = NULL;
 	struct hlist_node *n;
 
-	hlist_for_each_entry(exp, n, &master_help->expectations, lnode)
-		; /* nothing */
+	hlist_for_each_entry(exp, n, &master_help->expectations, lnode) {
+		if (exp->class == new->class)
+			last = exp;
+	}
 
-	if (exp && del_timer(&exp->timeout)) {
-		nf_ct_unlink_expect(exp);
-		nf_ct_expect_put(exp);
+	if (last && del_timer(&last->timeout)) {
+		nf_ct_unlink_expect(last);
+		nf_ct_expect_put(last);
 	}
 }
 
 static inline int refresh_timer(struct nf_conntrack_expect *i)
 {
 	struct nf_conn_help *master_help = nfct_help(i->master);
+	const struct nf_conntrack_expect_policy *p;
 
 	if (!del_timer(&i->timeout))
 		return 0;
 
-	i->timeout.expires = jiffies + master_help->helper->timeout*HZ;
+	p = &master_help->helper->expect_policy[i->class];
+	i->timeout.expires = jiffies + p->timeout * HZ;
 	add_timer(&i->timeout);
 	return 1;
 }
 
 int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 {
+	const struct nf_conntrack_expect_policy *p;
 	struct nf_conntrack_expect *i;
 	struct nf_conn *master = expect->master;
 	struct nf_conn_help *master_help = nfct_help(master);
@@ -386,9 +396,15 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 		}
 	}
 	/* Will be over limit? */
-	if (master_help->helper->max_expected &&
-	    master_help->expecting >= master_help->helper->max_expected)
-		evict_oldest_expect(master);
+	p = &master_help->helper->expect_policy[expect->class];
+	if (p->max_expected &&
+	    master_help->expecting[expect->class] >= p->max_expected) {
+		evict_oldest_expect(master, expect);
+		if (master_help->expecting[expect->class] >= p->max_expected) {
+			ret = -EMFILE;
+			goto out;
+		}
+	}
 
 	if (nf_ct_expect_count >= nf_ct_expect_max) {
 		if (net_ratelimit())
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6770baf..64579a5 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -483,7 +483,7 @@ static int help(struct sk_buff *skb,
 		daddr = &cmd.u3;
 	}
 
-	nf_ct_expect_init(exp, cmd.l3num,
+	nf_ct_expect_init(exp, FTP_EXPECT, cmd.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3, daddr,
 			  IPPROTO_TCP, NULL, &cmd.u.tcp.port);
 
@@ -517,6 +517,13 @@ out_update_nl:
 static struct nf_conntrack_helper ftp[MAX_PORTS][2] __read_mostly;
 static char ftp_names[MAX_PORTS][2][sizeof("ftp-65535")] __read_mostly;
 
+static const struct nf_conntrack_expect_policy ftp_exp_policy[FTP_EXPECT_MAX + 1] = {
+	[FTP_EXPECT] = {
+		.max_expected	= 1,
+		.timeout	= 5 * 60,
+	},
+};
+
 /* don't make this __exit, since it's called from __init ! */
 static void nf_conntrack_ftp_fini(void)
 {
@@ -556,8 +563,8 @@ static int __init nf_conntrack_ftp_init(void)
 		for (j = 0; j < 2; j++) {
 			ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
 			ftp[i][j].tuple.dst.protonum = IPPROTO_TCP;
-			ftp[i][j].max_expected = 1;
-			ftp[i][j].timeout = 5 * 60;	/* 5 Minutes */
+			ftp[i][j].expect_policy = ftp_exp_policy;
+			ftp[i][j].expect_class_max = FTP_EXPECT_MAX;
 			ftp[i][j].me = THIS_MODULE;
 			ftp[i][j].help = help;
 			tmpname = &ftp_names[i][j][0];
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6213787..f2ac76a 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -277,7 +277,7 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
 	/* Create expect for RTP */
 	if ((rtp_exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(rtp_exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(rtp_exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
 			  IPPROTO_UDP, NULL, &rtp_port);
@@ -287,7 +287,7 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
 		nf_ct_expect_put(rtp_exp);
 		return -1;
 	}
-	nf_ct_expect_init(rtcp_exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(rtcp_exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
 			  IPPROTO_UDP, NULL, &rtcp_port);
@@ -344,7 +344,7 @@ static int expect_t120(struct sk_buff *skb,
 	/* Create expect for T.120 connections */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
 			  IPPROTO_TCP, NULL, &port);
@@ -612,13 +612,20 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
 }
 
 /****************************************************************************/
+static const struct nf_conntrack_expect_policy h245_exp_policy[H245_EXPECT_MAX + 1] = {
+	[H245_EXPECT] = {
+		.max_expected	= H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */,
+		.timeout	= 240,
+	},
+};
+
 static struct nf_conntrack_helper nf_conntrack_helper_h245 __read_mostly = {
 	.name			= "H.245",
 	.me			= THIS_MODULE,
-	.max_expected		= H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */,
-	.timeout		= 240,
 	.tuple.dst.protonum	= IPPROTO_UDP,
-	.help			= h245_help
+	.help			= h245_help,
+	.expect_policy		= h245_exp_policy,
+	.expect_class_max	= H245_EXPECT_MAX,
 };
 
 /****************************************************************************/
@@ -676,7 +683,7 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
 	/* Create expect for h245 connection */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
 			  IPPROTO_TCP, NULL, &port);
@@ -792,7 +799,7 @@ static int expect_callforwarding(struct sk_buff *skb,
 	/* Create expect for the second call leg */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3, &addr,
 			  IPPROTO_TCP, NULL, &port);
 	exp->helper = nf_conntrack_helper_q931;
@@ -1156,28 +1163,34 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
 }
 
 /****************************************************************************/
+static const struct nf_conntrack_expect_policy q931_exp_policy[Q931_EXPECT_MAX + 1] = {
+	[Q931_EXPECT] = {
+		/* T.120 and H.245 */
+		.max_expected		= H323_RTP_CHANNEL_MAX * 4 + 4,
+		.timeout		= 240,
+	},
+};
+
 static struct nf_conntrack_helper nf_conntrack_helper_q931[] __read_mostly = {
 	{
 		.name			= "Q.931",
 		.me			= THIS_MODULE,
-					  /* T.120 and H.245 */
-		.max_expected		= H323_RTP_CHANNEL_MAX * 4 + 4,
-		.timeout		= 240,
 		.tuple.src.l3num	= AF_INET,
 		.tuple.src.u.tcp.port	= __constant_htons(Q931_PORT),
 		.tuple.dst.protonum	= IPPROTO_TCP,
-		.help			= q931_help
+		.help			= q931_help,
+		.expect_policy		= q931_exp_policy,
+		.expect_class_max	= Q931_EXPECT_MAX,
 	},
 	{
 		.name			= "Q.931",
 		.me			= THIS_MODULE,
-					  /* T.120 and H.245 */
-		.max_expected		= H323_RTP_CHANNEL_MAX * 4 + 4,
-		.timeout		= 240,
 		.tuple.src.l3num	= AF_INET6,
 		.tuple.src.u.tcp.port	= __constant_htons(Q931_PORT),
 		.tuple.dst.protonum	= IPPROTO_TCP,
-		.help			= q931_help
+		.help			= q931_help,
+		.expect_policy		= q931_exp_policy,
+		.expect_class_max	= Q931_EXPECT_MAX,
 	},
 };
 
@@ -1261,7 +1274,7 @@ static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
 	/* Create expect for Q.931 */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  gkrouted_only ? /* only accept calls from GK? */
 				&ct->tuplehash[!dir].tuple.src.u3 : NULL,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
@@ -1332,7 +1345,7 @@ static int process_gcf(struct sk_buff *skb, struct nf_conn *ct,
 	/* Need new expect */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3, &addr,
 			  IPPROTO_UDP, NULL, &port);
 	exp->helper = nf_conntrack_helper_ras;
@@ -1536,7 +1549,7 @@ static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
 	/* Need new expect */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3, &addr,
 			  IPPROTO_TCP, NULL, &port);
 	exp->flags = NF_CT_EXPECT_PERMANENT;
@@ -1589,7 +1602,7 @@ static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
 	/* Need new expect for call signal */
 	if ((exp = nf_ct_expect_alloc(ct)) == NULL)
 		return -1;
-	nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
+	nf_ct_expect_init(exp, 0, ct->tuplehash[!dir].tuple.src.l3num,
 			  &ct->tuplehash[!dir].tuple.src.u3, &addr,
 			  IPPROTO_TCP, NULL, &port);
 	exp->flags = NF_CT_EXPECT_PERMANENT;
@@ -1728,26 +1741,33 @@ static int ras_help(struct sk_buff *skb, unsigned int protoff,
 }
 
 /****************************************************************************/
+static const struct nf_conntrack_expect_policy ras_exp_policy[RAS_EXPECT_MAX + 1] = {
+	[RAS_EXPECT] = {
+		.max_expected		= 32,
+		.timeout		= 240,
+	},
+};
+
 static struct nf_conntrack_helper nf_conntrack_helper_ras[] __read_mostly = {
 	{
 		.name			= "RAS",
 		.me			= THIS_MODULE,
-		.max_expected		= 32,
-		.timeout		= 240,
 		.tuple.src.l3num	= AF_INET,
 		.tuple.src.u.udp.port	= __constant_htons(RAS_PORT),
 		.tuple.dst.protonum	= IPPROTO_UDP,
 		.help			= ras_help,
+		.expect_policy		= ras_exp_policy,
+		.expect_class_max	= RAS_EXPECT_MAX,
 	},
 	{
 		.name			= "RAS",
 		.me			= THIS_MODULE,
-		.max_expected		= 32,
-		.timeout		= 240,
 		.tuple.src.l3num	= AF_INET6,
 		.tuple.src.u.udp.port	= __constant_htons(RAS_PORT),
 		.tuple.dst.protonum	= IPPROTO_UDP,
 		.help			= ras_help,
+		.expect_policy		= ras_exp_policy,
+		.expect_class_max	= RAS_EXPECT_MAX,
 	},
 };
 
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index b1fd21c..e350f56 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -110,7 +110,8 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 {
 	unsigned int h = helper_hash(&me->tuple);
 
-	BUG_ON(me->timeout == 0);
+	BUG_ON(me->expect_policy == NULL);
+	BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
 
 	mutex_lock(&nf_ct_helper_mutex);
 	hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index c336b07..6d871e4 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -187,7 +187,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 			}
 			tuple = &ct->tuplehash[!dir].tuple;
 			port = htons(dcc_port);
-			nf_ct_expect_init(exp, tuple->src.l3num,
+			nf_ct_expect_init(exp, IRC_EXPECT, tuple->src.l3num,
 					  NULL, &tuple->dst.u3,
 					  IPPROTO_TCP, NULL, &port);
 
@@ -210,6 +210,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 
 static struct nf_conntrack_helper irc[MAX_PORTS] __read_mostly;
 static char irc_names[MAX_PORTS][sizeof("irc-65535")] __read_mostly;
+static struct nf_conntrack_expect_policy irc_exp_policy[IRC_EXPECT_MAX + 1];
 
 static void nf_conntrack_irc_fini(void);
 
@@ -223,6 +224,9 @@ static int __init nf_conntrack_irc_init(void)
 		return -EINVAL;
 	}
 
+	irc_exp_policy[IRC_EXPECT].max_expected = max_dcc_channels;
+	irc_exp_policy[IRC_EXPECT].timeout	= dcc_timeout;
+
 	irc_buffer = kmalloc(65536, GFP_KERNEL);
 	if (!irc_buffer)
 		return -ENOMEM;
@@ -235,8 +239,8 @@ static int __init nf_conntrack_irc_init(void)
 		irc[i].tuple.src.l3num = AF_INET;
 		irc[i].tuple.src.u.tcp.port = htons(ports[i]);
 		irc[i].tuple.dst.protonum = IPPROTO_TCP;
-		irc[i].max_expected = max_dcc_channels;
-		irc[i].timeout = dcc_timeout;
+		irc[i].expect_policy = irc_exp_policy;
+		irc[i].expect_class_max = IRC_EXPECT_MAX;
 		irc[i].me = THIS_MODULE;
 		irc[i].help = help;
 
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index 9810d81..7ffc7ff 100644
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -42,6 +42,12 @@ static unsigned int timeout __read_mostly = 3;
 module_param(timeout, uint, 0400);
 MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
 
+enum netbios_ns_expectation_classes {
+	NETBIOS_NS_EXPECT,
+	__NETBIOS_NS_EXPECT_MAX
+};
+#define NETBIOS_NS_EXPECT_MAX	(__NETBIOS_NS_EXPECT_MAX - 1)
+
 static int help(struct sk_buff *skb, unsigned int protoff,
 		struct nf_conn *ct, enum ip_conntrack_info ctinfo)
 {
@@ -86,6 +92,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 
 	exp->expectfn             = NULL;
 	exp->flags                = NF_CT_EXPECT_PERMANENT;
+	exp->class		  = NETBIOS_NS_EXPECT;
 	exp->helper               = NULL;
 
 	nf_ct_expect_related(exp);
@@ -96,19 +103,26 @@ out:
 	return NF_ACCEPT;
 }
 
+static struct nf_conntrack_expect_policy exp_policy[NETBIOS_NS_EXPECT_MAX + 1] = {
+	[NETBIOS_NS_EXPECT] = {
+		.max_expected	= 1,
+	},
+};
+
 static struct nf_conntrack_helper helper __read_mostly = {
 	.name			= "netbios-ns",
 	.tuple.src.l3num	= AF_INET,
 	.tuple.src.u.udp.port	= __constant_htons(NMBD_PORT),
 	.tuple.dst.protonum	= IPPROTO_UDP,
-	.max_expected		= 1,
 	.me			= THIS_MODULE,
 	.help			= help,
+	.expect_policy		= exp_policy,
+	.expect_class_max	= NETBIOS_NS_EXPECT_MAX,
 };
 
 static int __init nf_conntrack_netbios_ns_init(void)
 {
-	helper.timeout = timeout;
+	exp_policy[NETBIOS_NS_EXPECT].timeout = timeout;
 	return nf_conntrack_helper_register(&helper);
 }
 
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index b5cb8e8..40ab327 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -208,7 +208,8 @@ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid)
 
 	/* original direction, PNS->PAC */
 	dir = IP_CT_DIR_ORIGINAL;
-	nf_ct_expect_init(exp_orig, ct->tuplehash[dir].tuple.src.l3num,
+	nf_ct_expect_init(exp_orig, PPTP_EXPECT,
+			  ct->tuplehash[dir].tuple.src.l3num,
 			  &ct->tuplehash[dir].tuple.src.u3,
 			  &ct->tuplehash[dir].tuple.dst.u3,
 			  IPPROTO_GRE, &peer_callid, &callid);
@@ -216,7 +217,8 @@ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid)
 
 	/* reply direction, PAC->PNS */
 	dir = IP_CT_DIR_REPLY;
-	nf_ct_expect_init(exp_reply, ct->tuplehash[dir].tuple.src.l3num,
+	nf_ct_expect_init(exp_reply, PPTP_EXPECT,
+			  ct->tuplehash[dir].tuple.src.l3num,
 			  &ct->tuplehash[dir].tuple.src.u3,
 			  &ct->tuplehash[dir].tuple.dst.u3,
 			  IPPROTO_GRE, &callid, &peer_callid);
@@ -575,17 +577,24 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
 	return ret;
 }
 
+static const struct nf_conntrack_expect_policy pptp_exp_policy[PPTP_EXPECT_MAX + 1] = {
+	[PPTP_EXPECT] = {
+		.max_expected	= 2,
+		.timeout	= 5 * 60,
+	},
+};
+
 /* control protocol helper */
 static struct nf_conntrack_helper pptp __read_mostly = {
 	.name			= "pptp",
 	.me			= THIS_MODULE,
-	.max_expected		= 2,
-	.timeout		= 5 * 60,
 	.tuple.src.l3num	= AF_INET,
 	.tuple.src.u.tcp.port	= __constant_htons(PPTP_CONTROL_PORT),
 	.tuple.dst.protonum	= IPPROTO_TCP,
 	.help			= conntrack_pptp_help,
 	.destroy		= pptp_destroy_siblings,
+	.expect_policy		= pptp_exp_policy,
+	.expect_class_max	= PPTP_EXPECT_MAX,
 };
 
 static int __init nf_conntrack_pptp_init(void)
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index a70051d..ddb7581 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -143,7 +143,8 @@ static int help(struct sk_buff *skb,
 	}
 
 	tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
-	nf_ct_expect_init(exp, family, &tuple->src.u3, &tuple->dst.u3,
+	nf_ct_expect_init(exp, SANE_EXPECT, family,
+			  &tuple->src.u3, &tuple->dst.u3,
 			  IPPROTO_TCP, NULL, &reply->port);
 
 	pr_debug("nf_ct_sane: expect: ");
@@ -163,6 +164,13 @@ out:
 static struct nf_conntrack_helper sane[MAX_PORTS][2] __read_mostly;
 static char sane_names[MAX_PORTS][2][sizeof("sane-65535")] __read_mostly;
 
+static const struct nf_conntrack_expect_policy sane_exp_policy[SANE_EXPECT_MAX + 1] = {
+	[SANE_EXPECT] = {
+		.max_expected	= 1,
+		.timeout	= 5 * 60,
+	},
+};
+
 /* don't make this __exit, since it's called from __init ! */
 static void nf_conntrack_sane_fini(void)
 {
@@ -200,8 +208,8 @@ static int __init nf_conntrack_sane_init(void)
 		for (j = 0; j < 2; j++) {
 			sane[i][j].tuple.src.u.tcp.port = htons(ports[i]);
 			sane[i][j].tuple.dst.protonum = IPPROTO_TCP;
-			sane[i][j].max_expected = 1;
-			sane[i][j].timeout = 5 * 60;	/* 5 Minutes */
+			sane[i][j].expect_policy = sane_exp_policy;
+			sane[i][j].expect_class_max = SANE_EXPECT_MAX;
 			sane[i][j].me = THIS_MODULE;
 			sane[i][j].help = help;
 			tmpname = &sane_names[i][j][0];
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c521c89..d38f953 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -380,7 +380,7 @@ static int set_expected_rtp(struct sk_buff *skb,
 	exp = nf_ct_expect_alloc(ct);
 	if (exp == NULL)
 		return NF_DROP;
-	nf_ct_expect_init(exp, family,
+	nf_ct_expect_init(exp, SIP_EXPECT, family,
 			  &ct->tuplehash[!dir].tuple.src.u3, addr,
 			  IPPROTO_UDP, NULL, &port);
 
@@ -476,6 +476,13 @@ out:
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
 static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
 
+static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
+	[SIP_EXPECT] = {
+		.max_expected	= 2,
+		.timeout	= 3 * 60,
+	},
+};
+
 static void nf_conntrack_sip_fini(void)
 {
 	int i, j;
@@ -505,8 +512,8 @@ static int __init nf_conntrack_sip_init(void)
 		for (j = 0; j < 2; j++) {
 			sip[i][j].tuple.dst.protonum = IPPROTO_UDP;
 			sip[i][j].tuple.src.u.udp.port = htons(ports[i]);
-			sip[i][j].max_expected = 2;
-			sip[i][j].timeout = 3 * 60; /* 3 minutes */
+			sip[i][j].expect_policy = sip_exp_policy;
+			sip[i][j].expect_class_max = SIP_EXPECT_MAX;
 			sip[i][j].me = THIS_MODULE;
 			sip[i][j].help = sip_help;
 
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index bd2e800..7be03d6 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -63,7 +63,8 @@ static int tftp_help(struct sk_buff *skb,
 		if (exp == NULL)
 			return NF_DROP;
 		tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
-		nf_ct_expect_init(exp, family, &tuple->src.u3, &tuple->dst.u3,
+		nf_ct_expect_init(exp, TFTP_EXPECT, family,
+				  &tuple->src.u3, &tuple->dst.u3,
 				  IPPROTO_UDP, NULL, &tuple->dst.u.udp.port);
 
 		pr_debug("expect: ");
@@ -92,6 +93,13 @@ static int tftp_help(struct sk_buff *skb,
 static struct nf_conntrack_helper tftp[MAX_PORTS][2] __read_mostly;
 static char tftp_names[MAX_PORTS][2][sizeof("tftp-65535")] __read_mostly;
 
+static const struct nf_conntrack_expect_policy tftp_exp_policy[TFTP_EXPECT_MAX + 1] = {
+	[TFTP_EXPECT] = {
+		.max_expected	= 1,
+		.timeout	= 5 * 60,
+	},
+};
+
 static void nf_conntrack_tftp_fini(void)
 {
 	int i, j;
@@ -118,8 +126,8 @@ static int __init nf_conntrack_tftp_init(void)
 		for (j = 0; j < 2; j++) {
 			tftp[i][j].tuple.dst.protonum = IPPROTO_UDP;
 			tftp[i][j].tuple.src.u.udp.port = htons(ports[i]);
-			tftp[i][j].max_expected = 1;
-			tftp[i][j].timeout = 5 * 60; /* 5 minutes */
+			tftp[i][j].expect_policy = tftp_exp_policy;
+			tftp[i][j].expect_class_max = TFTP_EXPECT_MAX;
 			tftp[i][j].me = THIS_MODULE;
 			tftp[i][j].help = tftp_help;
 

[NETFILTER 07/32]: Add nf_inet_addr_cmp()

[Patrick McHardy]

[NETFILTER]: Add nf_inet_addr_cmp()

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 21eb86674a1b26ff842b7d449c34c747c897fe90
tree 1357433c0e059b26aa42526a20d5e67cc6fcd9f3
parent 52e02723b365a29b1694a8d157d42aa5f6c72895
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:13 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:13 +0100

 include/linux/netfilter.h                  |    9 +++++++++
 include/net/netfilter/nf_conntrack_tuple.h |   15 +++------------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index b74b615..9d00a3f 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -61,6 +61,15 @@ union nf_inet_addr {
 #ifdef __KERNEL__
 #ifdef CONFIG_NETFILTER
 
+static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
+				   const union nf_inet_addr *a2)
+{
+	return a1->all[0] == a2->all[0] &&
+	       a1->all[1] == a2->all[1] &&
+	       a1->all[2] == a2->all[2] &&
+	       a1->all[3] == a2->all[3];
+}
+
 extern void netfilter_init(void);
 
 /* Largest hook number + 1 */
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index d9b53dd..168c917 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -163,10 +163,7 @@ struct nf_conntrack_tuple_hash
 static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
 					  const struct nf_conntrack_tuple *t2)
 { 
-	return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
-		t1->src.u3.all[1] == t2->src.u3.all[1] &&
-		t1->src.u3.all[2] == t2->src.u3.all[2] &&
-		t1->src.u3.all[3] == t2->src.u3.all[3] &&
+	return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
 		t1->src.u.all == t2->src.u.all &&
 		t1->src.l3num == t2->src.l3num);
 }
@@ -174,10 +171,7 @@ static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
 static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
 					  const struct nf_conntrack_tuple *t2)
 {
-	return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
-		t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
-		t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
-		t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
+	return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) &&
 		t1->dst.u.all == t2->dst.u.all &&
 		t1->dst.protonum == t2->dst.protonum);
 }
@@ -192,10 +186,7 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
 static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
 					 const struct nf_conntrack_tuple_mask *m2)
 {
-	return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
-		m1->src.u3.all[1] == m2->src.u3.all[1] &&
-		m1->src.u3.all[2] == m2->src.u3.all[2] &&
-		m1->src.u3.all[3] == m2->src.u3.all[3] &&
+	return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) &&
 		m1->src.u.all == m2->src.u.all);
 }
 

Re: [NETFILTER 07/32]: Add nf_inet_addr_cmp()

[Jan Engelhardt]

On Feb 28 2008 13:00, Patrick McHardy wrote:
>+static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
>+				   const union nf_inet_addr *a2)
>+{
>+	return a1->all[0] == a2->all[0] &&
>+	       a1->all[1] == a2->all[1] &&
>+	       a1->all[2] == a2->all[2] &&
>+	       a1->all[3] == a2->all[3];
>+}
>+

Humm... this might raise undefined/unexpected behavior for IPv4 addresses,
for which nf_inet_addr is not properly flattened (zeroed or all-ones,
or whatever static pattern you want to put in all[1],all[2],all[3]),
but the problem already existed before I guess:

> static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
> 					  const struct nf_conntrack_tuple *t2)
> { 
>-	return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
>-		t1->src.u3.all[1] == t2->src.u3.all[1] &&
>-		t1->src.u3.all[2] == t2->src.u3.all[2] &&
>-		t1->src.u3.all[3] == t2->src.u3.all[3] &&
>+	return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
> 		t1->src.u.all == t2->src.u.all &&
> 		t1->src.l3num == t2->src.l3num);
> }
>@@ -174,10 +171,7 @@ static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
> static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
> 					  const struct nf_conntrack_tuple *t2)
> {
>-	return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
>-		t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
>-		t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
>-		t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
>+	return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) &&
> 		t1->dst.u.all == t2->dst.u.all &&
> 		t1->dst.protonum == t2->dst.protonum);
> }
>@@ -192,10 +186,7 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
> static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
> 					 const struct nf_conntrack_tuple_mask *m2)
> {
>-	return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
>-		m1->src.u3.all[1] == m2->src.u3.all[1] &&
>-		m1->src.u3.all[2] == m2->src.u3.all[2] &&
>-		m1->src.u3.all[3] == m2->src.u3.all[3] &&
>+	return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) &&
> 		m1->src.u.all == m2->src.u.all);
> }

Re: [NETFILTER 07/32]: Add nf_inet_addr_cmp()

[Patrick McHardy]

Jan Engelhardt wrote:
> On Feb 28 2008 13:00, Patrick McHardy wrote:
>> +static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
>> +				   const union nf_inet_addr *a2)
>> +{
>> +	return a1->all[0] == a2->all[0] &&
>> +	       a1->all[1] == a2->all[1] &&
>> +	       a1->all[2] == a2->all[2] &&
>> +	       a1->all[3] == a2->all[3];
>> +}
>> +
> 
> Humm... this might raise undefined/unexpected behavior for IPv4 addresses,
> for which nf_inet_addr is not properly flattened (zeroed or all-ones,
> or whatever static pattern you want to put in all[1],all[2],all[3]),
> but the problem already existed before I guess:
> 
>> static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
>> 					  const struct nf_conntrack_tuple *t2)
>> { 
>> -	return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
>> -		t1->src.u3.all[1] == t2->src.u3.all[1] &&
>> -		t1->src.u3.all[2] == t2->src.u3.all[2] &&
>> -		t1->src.u3.all[3] == t2->src.u3.all[3] &&
>> +	return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&


Indeed, but so far I'm pretty sure all addresses are initialized
properly. I checked conntrack several times, although its already
some time ago. xtables matches and targets should also be fine
since userspace zeroes everything before initializing it.

[NETFILTER 08/32]: nf_conntrack_sip: fix IPv6 address parsing

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: fix IPv6 address parsing

IPv6 addresses are enclosed in [].

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2d238255870c937f703d8ccbf60e7be8924e1ff2
tree 098e3653056c79ffdf5a826a6ee1eeb02720bc93
parent 21eb86674a1b26ff842b7d449c34c747c897fe90
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:15 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:15 +0100

 net/netfilter/nf_conntrack_sip.c |   17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index d38f953..b6848b7 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -252,21 +252,30 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
 {
 	const char *end;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
-	int ret = 0;
+	int ret;
 
+	memset(addr, 0, sizeof(*addr));
 	switch (family) {
 	case AF_INET:
 		ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+		if (ret == 0 || end == cp)
+			return 0;
 		break;
 	case AF_INET6:
-		ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+		if (cp >= limit || *cp != '[')
+			return 0;
+		cp++;
+		ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, ']', &end);
+		if (ret == 0 && end == cp)
+			return 0;
+		if (end >= limit || *end != ']')
+			return 0;
+		end++;
 		break;
 	default:
 		BUG();
 	}
 
-	if (ret == 0 || end == cp)
-		return 0;
 	if (endp)
 		*endp = end;
 	return 1;

[NETFILTER 09/32]: nf_nat_sip: fix NAT setup order

[Patrick McHardy]

[NETFILTER]: nf_nat_sip: fix NAT setup order

We need to set up the destination NAT mapping before the source NAT
mapping, so the NAT core gets to see the final tuple and can decide
whether the source port needs to be remapped.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2d4b798a4a54565722b4022ab08d1d97f01badbc
tree 95c9c90a6f5b61b1e74550e31b87f7045708a043
parent 2d238255870c937f703d8ccbf60e7be8924e1ff2
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:16 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:16 +0100

 net/ipv4/netfilter/nf_nat_sip.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index b4c8d49..84d8b49 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -224,17 +224,17 @@ static void ip_nat_sdp_expect(struct nf_conn *ct,
 	/* This must be a fresh one. */
 	BUG_ON(ct->status & IPS_NAT_DONE_MASK);
 
-	/* Change src to where master sends to */
-	range.flags = IP_NAT_RANGE_MAP_IPS;
-	range.min_ip = range.max_ip
-		= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
-	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
-
 	/* For DST manip, map port here to where it's expected. */
 	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
 	range.min = range.max = exp->saved_proto;
 	range.min_ip = range.max_ip = exp->saved_ip;
 	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
+
+	/* Change src to where master sends to */
+	range.flags = IP_NAT_RANGE_MAP_IPS;
+	range.min_ip = range.max_ip
+		= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
+	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
 }
 
 /* So, this packet has hit the connection tracking matching code.

[NETFILTER 10/32]: nf_conntrack_sip: fix some off-by-ones

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: fix some off-by-ones

"limit" marks the first character outside the bounds.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2b495a3c3db1a1e4149e5d8d7b26868660c9d9dd
tree 63961796393c19fbba790fab098e12adbd34429b
parent 2d4b798a4a54565722b4022ab08d1d97f01badbc
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:17 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:17 +0100

 net/netfilter/nf_conntrack_sip.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index b6848b7..d3aaeab 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -192,10 +192,10 @@ int ct_sip_lnlen(const char *line, const char *limit)
 {
 	const char *k = line;
 
-	while ((line <= limit) && (*line == '\r' || *line == '\n'))
+	while ((line < limit) && (*line == '\r' || *line == '\n'))
 		line++;
 
-	while (line <= limit) {
+	while (line < limit) {
 		if (*line == '\r' || *line == '\n')
 			break;
 		line++;
@@ -211,7 +211,7 @@ const char *ct_sip_search(const char *needle, const char *haystack,
 {
 	const char *limit = haystack + (haystack_len - needle_len);
 
-	while (haystack <= limit) {
+	while (haystack < limit) {
 		if (case_sensitive) {
 			if (strncmp(haystack, needle, needle_len) == 0)
 				return haystack;
@@ -229,7 +229,7 @@ static int digits_len(const struct nf_conn *ct, const char *dptr,
 		      const char *limit, int *shift)
 {
 	int len = 0;
-	while (dptr <= limit && isdigit(*dptr)) {
+	while (dptr < limit && isdigit(*dptr)) {
 		dptr++;
 		len++;
 	}
@@ -240,7 +240,7 @@ static int digits_len(const struct nf_conn *ct, const char *dptr,
 static int skp_digits_len(const struct nf_conn *ct, const char *dptr,
 			  const char *limit, int *shift)
 {
-	for (; dptr <= limit && *dptr == ' '; dptr++)
+	for (; dptr < limit && *dptr == ' '; dptr++)
 		(*shift)++;
 
 	return digits_len(ct, dptr, limit, shift);
@@ -311,13 +311,13 @@ static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
 	/* Search for @, but stop at the end of the line.
 	 * We are inside a sip: URI, so we don't need to worry about
 	 * continuation lines. */
-	while (dptr <= limit &&
+	while (dptr < limit &&
 	       *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
 		(*shift)++;
 		dptr++;
 	}
 
-	if (dptr <= limit && *dptr == '@') {
+	if (dptr < limit && *dptr == '@') {
 		dptr++;
 		(*shift)++;
 	} else {
@@ -341,7 +341,7 @@ int ct_sip_get_info(const struct nf_conn *ct,
 
 	limit = dptr + (dlen - hnfo->lnlen);
 
-	while (dptr <= limit) {
+	while (dptr < limit) {
 		if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
 		    (hnfo->sname == NULL ||
 		     strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {

[NETFILTER 11/32]: nf_conntrack_sip: adjust dptr and datalen after packet mangling

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: adjust dptr and datalen after packet mangling

After mangling the packet, the pointer to the data and the length of the data
portion may change and need to be adjusted.

Use double data pointers and a pointer to the length everywhere and add a
helper function to the NAT helper for performing the adjustments.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 42d7af9859d42d9c1b51a076146eb75ec837a1dc
tree bfa0df703d0bce2126493a51ecc921cc8c709710
parent 2b495a3c3db1a1e4149e5d8d7b26868660c9d9dd
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:18 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:18 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    6 +-
 net/ipv4/netfilter/nf_nat_sip.c            |   91 +++++++++++++++-------------
 net/netfilter/nf_conntrack_sip.c           |   14 ++--
 3 files changed, 60 insertions(+), 51 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index a58d6a3..c1d0eed 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -30,11 +30,13 @@ enum sip_header_pos {
 extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
 				       enum ip_conntrack_info ctinfo,
 				       struct nf_conn *ct,
-				       const char **dptr);
+				       const char **dptr,
+				       unsigned int *datalen);
 extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				       enum ip_conntrack_info ctinfo,
 				       struct nf_conntrack_expect *exp,
-				       const char *dptr);
+				       const char **dptr,
+				       unsigned int *datalen);
 
 extern int ct_sip_get_info(const struct nf_conn *ct, const char *dptr,
                            size_t dlen, unsigned int *matchoff,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 84d8b49..e77122e 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -60,15 +60,35 @@ static void addr_map_init(const struct nf_conn *ct, struct addr_map *map)
 	}
 }
 
+static unsigned int mangle_packet(struct sk_buff *skb,
+				  const char **dptr, unsigned int *datalen,
+				  unsigned int matchoff, unsigned int matchlen,
+				  const char *buffer, unsigned int buflen)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
+	if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
+				      buffer, buflen))
+		return 0;
+
+	/* Reload data pointer and adjust datalen value */
+	*dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
+	*datalen += buflen - matchlen;
+	return 1;
+}
+
 static int map_sip_addr(struct sk_buff *skb, enum ip_conntrack_info ctinfo,
-			struct nf_conn *ct, const char **dptr, size_t dlen,
+			struct nf_conn *ct,
+			const char **dptr, unsigned int *datalen,
 			enum sip_header_pos pos, struct addr_map *map)
 {
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	unsigned int matchlen, matchoff, addrlen;
 	char *addr;
 
-	if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0)
+	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
+			    pos) <= 0)
 		return 1;
 
 	if ((matchlen == map->addr[dir].srciplen ||
@@ -84,26 +104,19 @@ static int map_sip_addr(struct sk_buff *skb, enum ip_conntrack_info ctinfo,
 	} else
 		return 1;
 
-	if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
-				      matchoff, matchlen, addr, addrlen))
-		return 0;
-	*dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
-	return 1;
-
+	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
+			     addr, addrlen);
 }
 
 static unsigned int ip_nat_sip(struct sk_buff *skb,
 			       enum ip_conntrack_info ctinfo,
 			       struct nf_conn *ct,
-			       const char **dptr)
+			       const char **dptr, unsigned int *datalen)
 {
 	enum sip_header_pos pos;
 	struct addr_map map;
-	int dataoff, datalen;
 
-	dataoff = ip_hdrlen(skb) + sizeof(struct udphdr);
-	datalen = skb->len - dataoff;
-	if (datalen < sizeof("SIP/2.0") - 1)
+	if (*datalen < sizeof("SIP/2.0") - 1)
 		return NF_ACCEPT;
 
 	addr_map_init(ct, &map);
@@ -115,7 +128,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 		 * The "userinfo" and "@" components of the SIP URI MUST NOT
 		 * be present.
 		 */
-		if (datalen >= sizeof("REGISTER") - 1 &&
+		if (*datalen >= sizeof("REGISTER") - 1 &&
 		    strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0)
 			pos = POS_REG_REQ_URI;
 		else
@@ -136,51 +149,45 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 static unsigned int mangle_sip_packet(struct sk_buff *skb,
 				      enum ip_conntrack_info ctinfo,
 				      struct nf_conn *ct,
-				      const char **dptr, size_t dlen,
+				      const char **dptr, unsigned int *datalen,
 				      char *buffer, int bufflen,
 				      enum sip_header_pos pos)
 {
 	unsigned int matchlen, matchoff;
 
-	if (ct_sip_get_info(ct, *dptr, dlen, &matchoff, &matchlen, pos) <= 0)
-		return 0;
-
-	if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
-				      matchoff, matchlen, buffer, bufflen))
+	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
+			    pos) <= 0)
 		return 0;
 
-	/* We need to reload this. Thanks Patrick. */
-	*dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr);
-	return 1;
+	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
+			     buffer, bufflen);
 }
 
 static int mangle_content_len(struct sk_buff *skb,
 			      enum ip_conntrack_info ctinfo,
 			      struct nf_conn *ct,
-			      const char *dptr)
+			      const char **dptr, unsigned int *datalen)
 {
-	unsigned int dataoff, matchoff, matchlen;
+	unsigned int matchoff, matchlen;
 	char buffer[sizeof("65536")];
 	int bufflen;
 
-	dataoff = ip_hdrlen(skb) + sizeof(struct udphdr);
-
 	/* Get actual SDP length */
-	if (ct_sip_get_info(ct, dptr, skb->len - dataoff, &matchoff,
+	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff,
 			    &matchlen, POS_SDP_HEADER) > 0) {
 
 		/* since ct_sip_get_info() give us a pointer passing 'v='
 		   we need to add 2 bytes in this count. */
-		int c_len = skb->len - dataoff - matchoff + 2;
+		int c_len = *datalen - matchoff + 2;
 
 		/* Now, update SDP length */
-		if (ct_sip_get_info(ct, dptr, skb->len - dataoff, &matchoff,
+		if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff,
 				    &matchlen, POS_CONTENT) > 0) {
 
 			bufflen = sprintf(buffer, "%u", c_len);
-			return nf_nat_mangle_udp_packet(skb, ct, ctinfo,
-							matchoff, matchlen,
-							buffer, bufflen);
+			return mangle_packet(skb, dptr, datalen,
+					     matchoff, matchlen,
+					     buffer, bufflen);
 		}
 	}
 	return 0;
@@ -190,30 +197,28 @@ static unsigned int mangle_sdp(struct sk_buff *skb,
 			       enum ip_conntrack_info ctinfo,
 			       struct nf_conn *ct,
 			       __be32 newip, u_int16_t port,
-			       const char *dptr)
+			       const char **dptr, unsigned int *datalen)
 {
 	char buffer[sizeof("nnn.nnn.nnn.nnn")];
-	unsigned int dataoff, bufflen;
-
-	dataoff = ip_hdrlen(skb) + sizeof(struct udphdr);
+	unsigned int bufflen;
 
 	/* Mangle owner and contact info. */
 	bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
-	if (!mangle_sip_packet(skb, ctinfo, ct, &dptr, skb->len - dataoff,
+	if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
 			       buffer, bufflen, POS_OWNER_IP4))
 		return 0;
 
-	if (!mangle_sip_packet(skb, ctinfo, ct, &dptr, skb->len - dataoff,
+	if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
 			       buffer, bufflen, POS_CONNECTION_IP4))
 		return 0;
 
 	/* Mangle media port. */
 	bufflen = sprintf(buffer, "%u", port);
-	if (!mangle_sip_packet(skb, ctinfo, ct, &dptr, skb->len - dataoff,
+	if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
 			       buffer, bufflen, POS_MEDIA))
 		return 0;
 
-	return mangle_content_len(skb, ctinfo, ct, dptr);
+	return mangle_content_len(skb, ctinfo, ct, dptr, datalen);
 }
 
 static void ip_nat_sdp_expect(struct nf_conn *ct,
@@ -242,7 +247,7 @@ static void ip_nat_sdp_expect(struct nf_conn *ct,
 static unsigned int ip_nat_sdp(struct sk_buff *skb,
 			       enum ip_conntrack_info ctinfo,
 			       struct nf_conntrack_expect *exp,
-			       const char *dptr)
+			       const char **dptr, unsigned int *datalen)
 {
 	struct nf_conn *ct = exp->master;
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
@@ -275,7 +280,7 @@ static unsigned int ip_nat_sdp(struct sk_buff *skb,
 	if (port == 0)
 		return NF_DROP;
 
-	if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr)) {
+	if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr, datalen)) {
 		nf_ct_unexpect_related(exp);
 		return NF_DROP;
 	}
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index d3aaeab..d0a651b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -39,13 +39,15 @@ MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
 				enum ip_conntrack_info ctinfo,
 				struct nf_conn *ct,
-				const char **dptr) __read_mostly;
+				const char **dptr,
+				unsigned int *datalen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
 
 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				enum ip_conntrack_info ctinfo,
 				struct nf_conntrack_expect *exp,
-				const char *dptr) __read_mostly;
+				const char **dptr,
+				unsigned int *datalen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
 
 static int digits_len(const struct nf_conn *, const char *, const char *, int *);
@@ -378,7 +380,7 @@ static int set_expected_rtp(struct sk_buff *skb,
 			    enum ip_conntrack_info ctinfo,
 			    union nf_inet_addr *addr,
 			    __be16 port,
-			    const char *dptr)
+			    const char **dptr, unsigned int *datalen)
 {
 	struct nf_conntrack_expect *exp;
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
@@ -395,7 +397,7 @@ static int set_expected_rtp(struct sk_buff *skb,
 
 	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
 	if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
-		ret = nf_nat_sdp(skb, ctinfo, exp, dptr);
+		ret = nf_nat_sdp(skb, ctinfo, exp, dptr, datalen);
 	else {
 		if (nf_ct_expect_related(exp) != 0)
 			ret = NF_DROP;
@@ -438,7 +440,7 @@ static int sip_help(struct sk_buff *skb,
 
 	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
 	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-		if (!nf_nat_sip(skb, ctinfo, ct, &dptr)) {
+		if (!nf_nat_sip(skb, ctinfo, ct, &dptr, &datalen)) {
 			ret = NF_DROP;
 			goto out;
 		}
@@ -475,7 +477,7 @@ static int sip_help(struct sk_buff *skb,
 				goto out;
 			}
 			ret = set_expected_rtp(skb, ct, ctinfo, &addr,
-					       htons(port), dptr);
+					       htons(port), &dptr, &datalen);
 		}
 	}
 out:

[NETFILTER 12/32]: nf_conntrack_sip: remove redundant function arguments

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: remove redundant function arguments

The conntrack reference and ctinfo can be derived from the packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ee0b2a3c7a34c1c09e96b5601d8e8ce46861e808
tree 24a0edb6ab5bf59ea318ec94e41077f49a9d30f8
parent 42d7af9859d42d9c1b51a076146eb75ec837a1dc
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:19 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:19 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    7 +---
 net/ipv4/netfilter/nf_nat_sip.c            |   49 ++++++++++++++--------------
 net/netfilter/nf_conntrack_sip.c           |   24 ++++++--------
 3 files changed, 37 insertions(+), 43 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index c1d0eed..d773c61 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -28,15 +28,12 @@ enum sip_header_pos {
 };
 
 extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
-				       enum ip_conntrack_info ctinfo,
-				       struct nf_conn *ct,
 				       const char **dptr,
 				       unsigned int *datalen);
 extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
-				       enum ip_conntrack_info ctinfo,
-				       struct nf_conntrack_expect *exp,
 				       const char **dptr,
-				       unsigned int *datalen);
+				       unsigned int *datalen,
+				       struct nf_conntrack_expect *exp);
 
 extern int ct_sip_get_info(const struct nf_conn *ct, const char *dptr,
                            size_t dlen, unsigned int *matchoff,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index e77122e..acaa7d4 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -78,11 +78,12 @@ static unsigned int mangle_packet(struct sk_buff *skb,
 	return 1;
 }
 
-static int map_sip_addr(struct sk_buff *skb, enum ip_conntrack_info ctinfo,
-			struct nf_conn *ct,
+static int map_sip_addr(struct sk_buff *skb,
 			const char **dptr, unsigned int *datalen,
 			enum sip_header_pos pos, struct addr_map *map)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	unsigned int matchlen, matchoff, addrlen;
 	char *addr;
@@ -109,10 +110,10 @@ static int map_sip_addr(struct sk_buff *skb, enum ip_conntrack_info ctinfo,
 }
 
 static unsigned int ip_nat_sip(struct sk_buff *skb,
-			       enum ip_conntrack_info ctinfo,
-			       struct nf_conn *ct,
 			       const char **dptr, unsigned int *datalen)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum sip_header_pos pos;
 	struct addr_map map;
 
@@ -134,25 +135,25 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 		else
 			pos = POS_REQ_URI;
 
-		if (!map_sip_addr(skb, ctinfo, ct, dptr, datalen, pos, &map))
+		if (!map_sip_addr(skb, dptr, datalen, pos, &map))
 			return NF_DROP;
 	}
 
-	if (!map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_FROM, &map) ||
-	    !map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_TO, &map) ||
-	    !map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_VIA, &map) ||
-	    !map_sip_addr(skb, ctinfo, ct, dptr, datalen, POS_CONTACT, &map))
+	if (!map_sip_addr(skb, dptr, datalen, POS_FROM, &map) ||
+	    !map_sip_addr(skb, dptr, datalen, POS_TO, &map) ||
+	    !map_sip_addr(skb, dptr, datalen, POS_VIA, &map) ||
+	    !map_sip_addr(skb, dptr, datalen, POS_CONTACT, &map))
 		return NF_DROP;
 	return NF_ACCEPT;
 }
 
 static unsigned int mangle_sip_packet(struct sk_buff *skb,
-				      enum ip_conntrack_info ctinfo,
-				      struct nf_conn *ct,
 				      const char **dptr, unsigned int *datalen,
 				      char *buffer, int bufflen,
 				      enum sip_header_pos pos)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	unsigned int matchlen, matchoff;
 
 	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
@@ -164,10 +165,10 @@ static unsigned int mangle_sip_packet(struct sk_buff *skb,
 }
 
 static int mangle_content_len(struct sk_buff *skb,
-			      enum ip_conntrack_info ctinfo,
-			      struct nf_conn *ct,
 			      const char **dptr, unsigned int *datalen)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	unsigned int matchoff, matchlen;
 	char buffer[sizeof("65536")];
 	int bufflen;
@@ -204,21 +205,21 @@ static unsigned int mangle_sdp(struct sk_buff *skb,
 
 	/* Mangle owner and contact info. */
 	bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
-	if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
-			       buffer, bufflen, POS_OWNER_IP4))
+	if (!mangle_sip_packet(skb, dptr, datalen, buffer, bufflen,
+			       POS_OWNER_IP4))
 		return 0;
 
-	if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
-			       buffer, bufflen, POS_CONNECTION_IP4))
+	if (!mangle_sip_packet(skb, dptr, datalen, buffer, bufflen,
+			       POS_CONNECTION_IP4))
 		return 0;
 
 	/* Mangle media port. */
 	bufflen = sprintf(buffer, "%u", port);
-	if (!mangle_sip_packet(skb, ctinfo, ct, dptr, datalen,
-			       buffer, bufflen, POS_MEDIA))
+	if (!mangle_sip_packet(skb, dptr, datalen, buffer, bufflen,
+			       POS_MEDIA))
 		return 0;
 
-	return mangle_content_len(skb, ctinfo, ct, dptr, datalen);
+	return mangle_content_len(skb, dptr, datalen);
 }
 
 static void ip_nat_sdp_expect(struct nf_conn *ct,
@@ -245,11 +246,11 @@ static void ip_nat_sdp_expect(struct nf_conn *ct,
 /* So, this packet has hit the connection tracking matching code.
    Mangle it, and change the expectation to match the new version. */
 static unsigned int ip_nat_sdp(struct sk_buff *skb,
-			       enum ip_conntrack_info ctinfo,
-			       struct nf_conntrack_expect *exp,
-			       const char **dptr, unsigned int *datalen)
+			       const char **dptr, unsigned int *datalen,
+			       struct nf_conntrack_expect *exp)
 {
-	struct nf_conn *ct = exp->master;
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	__be32 newip;
 	u_int16_t port;
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index d0a651b..b273225 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -37,17 +37,14 @@ module_param(sip_timeout, uint, 0600);
 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
 
 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
-				enum ip_conntrack_info ctinfo,
-				struct nf_conn *ct,
 				const char **dptr,
 				unsigned int *datalen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
 
 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
-				enum ip_conntrack_info ctinfo,
-				struct nf_conntrack_expect *exp,
 				const char **dptr,
-				unsigned int *datalen) __read_mostly;
+				unsigned int *datalen,
+				struct nf_conntrack_expect *exp) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
 
 static int digits_len(const struct nf_conn *, const char *, const char *, int *);
@@ -376,13 +373,12 @@ int ct_sip_get_info(const struct nf_conn *ct,
 EXPORT_SYMBOL_GPL(ct_sip_get_info);
 
 static int set_expected_rtp(struct sk_buff *skb,
-			    struct nf_conn *ct,
-			    enum ip_conntrack_info ctinfo,
-			    union nf_inet_addr *addr,
-			    __be16 port,
-			    const char **dptr, unsigned int *datalen)
+			    const char **dptr, unsigned int *datalen,
+			    union nf_inet_addr *addr, __be16 port)
 {
 	struct nf_conntrack_expect *exp;
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	int family = ct->tuplehash[!dir].tuple.src.l3num;
 	int ret;
@@ -397,7 +393,7 @@ static int set_expected_rtp(struct sk_buff *skb,
 
 	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
 	if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
-		ret = nf_nat_sdp(skb, ctinfo, exp, dptr, datalen);
+		ret = nf_nat_sdp(skb, dptr, datalen, exp);
 	else {
 		if (nf_ct_expect_related(exp) != 0)
 			ret = NF_DROP;
@@ -440,7 +436,7 @@ static int sip_help(struct sk_buff *skb,
 
 	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
 	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-		if (!nf_nat_sip(skb, ctinfo, ct, &dptr, &datalen)) {
+		if (!nf_nat_sip(skb, &dptr, &datalen)) {
 			ret = NF_DROP;
 			goto out;
 		}
@@ -476,8 +472,8 @@ static int sip_help(struct sk_buff *skb,
 				ret = NF_DROP;
 				goto out;
 			}
-			ret = set_expected_rtp(skb, ct, ctinfo, &addr,
-					       htons(port), &dptr, &datalen);
+			ret = set_expected_rtp(skb, &dptr, &datalen,
+					       &addr, htons(port));
 		}
 	}
 out:

[NETFILTER 13/32]: nf_conntrack_sip: use strlen/strcmp

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: use strlen/strcmp

Replace sizeof/memcmp by strlen/strcmp. Use case-insensitive comparison
for SIP methods and the SIP/2.0 string, as specified in RFC 3261.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9896edea1c747be496854039a846ad61193ecadd
tree 40d97595577407c336f378eb2ec85390828a5afc
parent ee0b2a3c7a34c1c09e96b5601d8e8ce46861e808
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:20 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:20 +0100

 net/ipv4/netfilter/nf_nat_sip.c  |   12 ++++++------
 net/netfilter/nf_conntrack_sip.c |   12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index acaa7d4..dd1b2d8 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -94,12 +94,12 @@ static int map_sip_addr(struct sk_buff *skb,
 
 	if ((matchlen == map->addr[dir].srciplen ||
 	     matchlen == map->addr[dir].srclen) &&
-	    memcmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
+	    strncmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
 		addr    = map->addr[!dir].dst;
 		addrlen = map->addr[!dir].dstlen;
 	} else if ((matchlen == map->addr[dir].dstiplen ||
 		    matchlen == map->addr[dir].dstlen) &&
-		   memcmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
+		   strncmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
 		addr    = map->addr[!dir].src;
 		addrlen = map->addr[!dir].srclen;
 	} else
@@ -117,20 +117,20 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 	enum sip_header_pos pos;
 	struct addr_map map;
 
-	if (*datalen < sizeof("SIP/2.0") - 1)
+	if (*datalen < strlen("SIP/2.0"))
 		return NF_ACCEPT;
 
 	addr_map_init(ct, &map);
 
 	/* Basic rules: requests and responses. */
-	if (strncmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) != 0) {
+	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 		/* 10.2: Constructing the REGISTER Request:
 		 *
 		 * The "userinfo" and "@" components of the SIP URI MUST NOT
 		 * be present.
 		 */
-		if (*datalen >= sizeof("REGISTER") - 1 &&
-		    strncmp(*dptr, "REGISTER", sizeof("REGISTER") - 1) == 0)
+		if (*datalen >= strlen("REGISTER") &&
+		    strnicmp(*dptr, "REGISTER", strlen("REGISTER")) == 0)
 			pos = POS_REG_REQ_URI;
 		else
 			pos = POS_REQ_URI;
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index b273225..d8e5867 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -443,15 +443,15 @@ static int sip_help(struct sk_buff *skb,
 	}
 
 	datalen = skb->len - dataoff;
-	if (datalen < sizeof("SIP/2.0 200") - 1)
+	if (datalen < strlen("SIP/2.0 200"))
 		goto out;
 
 	/* RTP info only in some SDP pkts */
-	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
-	    memcmp(dptr, "UPDATE", sizeof("UPDATE") - 1) != 0 &&
-	    memcmp(dptr, "SIP/2.0 180", sizeof("SIP/2.0 180") - 1) != 0 &&
-	    memcmp(dptr, "SIP/2.0 183", sizeof("SIP/2.0 183") - 1) != 0 &&
-	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) {
+	if (strnicmp(dptr, "INVITE", strlen("INVITE")) != 0 &&
+	    strnicmp(dptr, "UPDATE", strlen("UPDATE")) != 0 &&
+	    strnicmp(dptr, "SIP/2.0 180", strlen("SIP/2.0 180")) != 0 &&
+	    strnicmp(dptr, "SIP/2.0 183", strlen("SIP/2.0 183")) != 0 &&
+	    strnicmp(dptr, "SIP/2.0 200", strlen("SIP/2.0 200")) != 0) {
 		goto out;
 	}
 	/* Get address and port from SDP packet. */

[NETFILTER 14/32]: nf_conntrack_sip: add seperate SDP header parsing function

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: add seperate SDP header parsing function

SDP and SIP headers are quite different, SIP can have continuation lines,
leading and trailing whitespace after the colon and is mostly case-insensitive
while SDP headers always begin on a new line and are followed by an equal
sign and the value, without any whitespace.

Introduce new SDP header parsing function and convert all users that used
the SIP header parsing function. This will allow to properly deal with the
special SIP cases in the SIP header parsing function later.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a29bdbd3963e34a5eea23c7136491a8b35cfb7a8
tree 50fcbae8376dcb38ce886e2ba5aac94b9c62c1ed
parent 9896edea1c747be496854039a846ad61193ecadd
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:21 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:21 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   49 ++++++++-
 net/ipv4/netfilter/nf_nat_sip.c            |   69 ++++++------
 net/netfilter/nf_conntrack_sip.c           |  159 +++++++++++++++++-----------
 3 files changed, 169 insertions(+), 108 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index d773c61..3aaf795 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -19,12 +19,42 @@ enum sip_header_pos {
 	POS_VIA,
 	POS_CONTACT,
 	POS_CONTENT,
-	POS_MEDIA,
-	POS_OWNER_IP4,
-	POS_CONNECTION_IP4,
-	POS_OWNER_IP6,
-	POS_CONNECTION_IP6,
-	POS_SDP_HEADER,
+};
+
+struct sip_header {
+	const char	*name;
+	const char	*cname;
+	const char	*search;
+	unsigned int	len;
+	unsigned int	clen;
+	unsigned int	slen;
+	int		(*match_len)(const struct nf_conn *ct,
+				     const char *dptr, const char *limit,
+				     int *shift);
+};
+
+#define __SIP_HDR(__name, __cname, __search, __match)			\
+{									\
+	.name		= (__name),					\
+	.len		= sizeof(__name) - 1,				\
+	.cname		= (__cname),					\
+	.clen		= (__cname) ? sizeof(__cname) - 1 : 0,		\
+	.search		= (__search),					\
+	.slen		= (__search) ? sizeof(__search) - 1 : 0,	\
+	.match_len	= (__match),					\
+}
+
+#define SDP_HDR(__name, __search, __match) \
+	__SIP_HDR(__name, NULL, __search, __match)
+
+enum sdp_header_types {
+	SDP_HDR_UNSPEC,
+	SDP_HDR_VERSION,
+	SDP_HDR_OWNER_IP4,
+	SDP_HDR_CONNECTION_IP4,
+	SDP_HDR_OWNER_IP6,
+	SDP_HDR_CONNECTION_IP6,
+	SDP_HDR_MEDIA,
 };
 
 extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
@@ -42,5 +72,12 @@ extern int ct_sip_lnlen(const char *line, const char *limit);
 extern const char *ct_sip_search(const char *needle, const char *haystack,
 				 size_t needle_len, size_t haystack_len,
 				 int case_sensitive);
+
+extern int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
+				 unsigned int dataoff, unsigned int datalen,
+				 enum sdp_header_types type,
+				 enum sdp_header_types term,
+				 unsigned int *matchoff, unsigned int *matchlen);
+
 #endif /* __KERNEL__ */
 #endif /* __NF_CONNTRACK_SIP_H__ */
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index dd1b2d8..aa8a4f4 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -147,51 +147,46 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 	return NF_ACCEPT;
 }
 
-static unsigned int mangle_sip_packet(struct sk_buff *skb,
-				      const char **dptr, unsigned int *datalen,
-				      char *buffer, int bufflen,
-				      enum sip_header_pos pos)
+static int mangle_content_len(struct sk_buff *skb,
+			      const char **dptr, unsigned int *datalen)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-	unsigned int matchlen, matchoff;
+	unsigned int matchoff, matchlen;
+	char buffer[sizeof("65536")];
+	int buflen, c_len;
 
+	/* Get actual SDP length */
+	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
+				  SDP_HDR_VERSION, SDP_HDR_UNSPEC,
+				  &matchoff, &matchlen) <= 0)
+		return 0;
+	c_len = *datalen - matchoff + strlen("v=");
+
+	/* Now, update SDP length */
 	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
-			    pos) <= 0)
+			    POS_CONTENT) <= 0)
 		return 0;
 
+	buflen = sprintf(buffer, "%u", c_len);
 	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
-			     buffer, bufflen);
+			     buffer, buflen);
 }
 
-static int mangle_content_len(struct sk_buff *skb,
-			      const char **dptr, unsigned int *datalen)
+static unsigned mangle_sdp_packet(struct sk_buff *skb,
+				  const char **dptr, unsigned int *datalen,
+				  enum sdp_header_types type,
+				  char *buffer, int buflen)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-	unsigned int matchoff, matchlen;
-	char buffer[sizeof("65536")];
-	int bufflen;
+	unsigned int matchlen, matchoff;
 
-	/* Get actual SDP length */
-	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff,
-			    &matchlen, POS_SDP_HEADER) > 0) {
-
-		/* since ct_sip_get_info() give us a pointer passing 'v='
-		   we need to add 2 bytes in this count. */
-		int c_len = *datalen - matchoff + 2;
-
-		/* Now, update SDP length */
-		if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff,
-				    &matchlen, POS_CONTENT) > 0) {
-
-			bufflen = sprintf(buffer, "%u", c_len);
-			return mangle_packet(skb, dptr, datalen,
-					     matchoff, matchlen,
-					     buffer, bufflen);
-		}
-	}
-	return 0;
+	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen, type, SDP_HDR_UNSPEC,
+				  &matchoff, &matchlen) <= 0)
+		return 0;
+	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
+			     buffer, buflen);
 }
 
 static unsigned int mangle_sdp(struct sk_buff *skb,
@@ -205,18 +200,18 @@ static unsigned int mangle_sdp(struct sk_buff *skb,
 
 	/* Mangle owner and contact info. */
 	bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
-	if (!mangle_sip_packet(skb, dptr, datalen, buffer, bufflen,
-			       POS_OWNER_IP4))
+	if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_OWNER_IP4,
+			       buffer, bufflen))
 		return 0;
 
-	if (!mangle_sip_packet(skb, dptr, datalen, buffer, bufflen,
-			       POS_CONNECTION_IP4))
+	if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_CONNECTION_IP4,
+			       buffer, bufflen))
 		return 0;
 
 	/* Mangle media port. */
 	bufflen = sprintf(buffer, "%u", port);
-	if (!mangle_sip_packet(skb, dptr, datalen, buffer, bufflen,
-			       POS_MEDIA))
+	if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_MEDIA,
+			       buffer, bufflen))
 		return 0;
 
 	return mangle_content_len(skb, dptr, datalen);
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index d8e5867..c204e35 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -124,66 +124,6 @@ static const struct sip_header_nfo ct_sip_hdrs[] = {
 		.ln_strlen	= sizeof(":") - 1,
 		.match_len	= skp_digits_len
 	},
-	[POS_MEDIA] = {		/* SDP media info */
-		.case_sensitive	= 1,
-		.lname		= "\nm=",
-		.lnlen		= sizeof("\nm=") - 1,
-		.sname		= "\rm=",
-		.snlen		= sizeof("\rm=") - 1,
-		.ln_str		= "audio ",
-		.ln_strlen	= sizeof("audio ") - 1,
-		.match_len	= digits_len
-	},
-	[POS_OWNER_IP4] = {	/* SDP owner address*/
-		.case_sensitive	= 1,
-		.lname		= "\no=",
-		.lnlen		= sizeof("\no=") - 1,
-		.sname		= "\ro=",
-		.snlen		= sizeof("\ro=") - 1,
-		.ln_str		= "IN IP4 ",
-		.ln_strlen	= sizeof("IN IP4 ") - 1,
-		.match_len	= epaddr_len
-	},
-	[POS_CONNECTION_IP4] = {/* SDP connection info */
-		.case_sensitive	= 1,
-		.lname		= "\nc=",
-		.lnlen		= sizeof("\nc=") - 1,
-		.sname		= "\rc=",
-		.snlen		= sizeof("\rc=") - 1,
-		.ln_str		= "IN IP4 ",
-		.ln_strlen	= sizeof("IN IP4 ") - 1,
-		.match_len	= epaddr_len
-	},
-	[POS_OWNER_IP6] = {	/* SDP owner address*/
-		.case_sensitive	= 1,
-		.lname		= "\no=",
-		.lnlen		= sizeof("\no=") - 1,
-		.sname		= "\ro=",
-		.snlen		= sizeof("\ro=") - 1,
-		.ln_str		= "IN IP6 ",
-		.ln_strlen	= sizeof("IN IP6 ") - 1,
-		.match_len	= epaddr_len
-	},
-	[POS_CONNECTION_IP6] = {/* SDP connection info */
-		.case_sensitive	= 1,
-		.lname		= "\nc=",
-		.lnlen		= sizeof("\nc=") - 1,
-		.sname		= "\rc=",
-		.snlen		= sizeof("\rc=") - 1,
-		.ln_str		= "IN IP6 ",
-		.ln_strlen	= sizeof("IN IP6 ") - 1,
-		.match_len	= epaddr_len
-	},
-	[POS_SDP_HEADER] = { 	/* SDP version header */
-		.case_sensitive	= 1,
-		.lname		= "\nv=",
-		.lnlen		= sizeof("\nv=") - 1,
-		.sname		= "\rv=",
-		.snlen		= sizeof("\rv=") - 1,
-		.ln_str		= "=",
-		.ln_strlen	= sizeof("=") - 1,
-		.match_len	= digits_len
-	}
 };
 
 /* get line length until first CR or LF seen. */
@@ -372,6 +312,92 @@ int ct_sip_get_info(const struct nf_conn *ct,
 }
 EXPORT_SYMBOL_GPL(ct_sip_get_info);
 
+/* SDP header parsing: a SDP session description contains an ordered set of
+ * headers, starting with a section containing general session parameters,
+ * optionally followed by multiple media descriptions.
+ *
+ * SDP headers always start at the beginning of a line. According to RFC 2327:
+ * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
+ * be tolerant and also accept records terminated with a single newline
+ * character". We handle both cases.
+ */
+static const struct sip_header ct_sdp_hdrs[] = {
+	[SDP_HDR_VERSION]		= SDP_HDR("v=", NULL, digits_len),
+	[SDP_HDR_OWNER_IP4]		= SDP_HDR("o=", "IN IP4 ", epaddr_len),
+	[SDP_HDR_CONNECTION_IP4]	= SDP_HDR("c=", "IN IP4 ", epaddr_len),
+	[SDP_HDR_OWNER_IP6]		= SDP_HDR("o=", "IN IP6 ", epaddr_len),
+	[SDP_HDR_CONNECTION_IP6]	= SDP_HDR("c=", "IN IP6 ", epaddr_len),
+	[SDP_HDR_MEDIA]			= SDP_HDR("m=", "audio ", digits_len),
+};
+
+/* Linear string search within SDP header values */
+static const char *ct_sdp_header_search(const char *dptr, const char *limit,
+					const char *needle, unsigned int len)
+{
+	for (limit -= len; dptr < limit; dptr++) {
+		if (*dptr == '\r' || *dptr == '\n')
+			break;
+		if (strncmp(dptr, needle, len) == 0)
+			return dptr;
+	}
+	return NULL;
+}
+
+/* Locate a SDP header (optionally a substring within the header value),
+ * optionally stopping at the first occurence of the term header, parse
+ * it and return the offset and length of the data we're interested in.
+ */
+int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
+			  unsigned int dataoff, unsigned int datalen,
+			  enum sdp_header_types type,
+			  enum sdp_header_types term,
+			  unsigned int *matchoff, unsigned int *matchlen)
+{
+	const struct sip_header *hdr = &ct_sdp_hdrs[type];
+	const struct sip_header *thdr = &ct_sdp_hdrs[term];
+	const char *start = dptr, *limit = dptr + datalen;
+	int shift = 0;
+
+	for (dptr += dataoff; dptr < limit; dptr++) {
+		/* Find beginning of line */
+		if (*dptr != '\r' && *dptr != '\n')
+			continue;
+		if (++dptr >= limit)
+			break;
+		if (*(dptr - 1) == '\r' && *dptr == '\n') {
+			if (++dptr >= limit)
+				break;
+		}
+
+		if (term != SDP_HDR_UNSPEC &&
+		    limit - dptr >= thdr->len &&
+		    strnicmp(dptr, thdr->name, thdr->len) == 0)
+			break;
+		else if (limit - dptr >= hdr->len &&
+			 strnicmp(dptr, hdr->name, hdr->len) == 0)
+			dptr += hdr->len;
+		else
+			continue;
+
+		*matchoff = dptr - start;
+		if (hdr->search) {
+			dptr = ct_sdp_header_search(dptr, limit, hdr->search,
+						    hdr->slen);
+			if (!dptr)
+				return -1;
+			dptr += hdr->slen;
+		}
+
+		*matchlen = hdr->match_len(ct, dptr, limit, &shift);
+		if (!*matchlen)
+			return -1;
+		*matchoff = dptr - start + shift;
+		return 1;
+	}
+	return 0;
+}
+EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
+
 static int set_expected_rtp(struct sk_buff *skb,
 			    const char **dptr, unsigned int *datalen,
 			    union nf_inet_addr *addr, __be16 port)
@@ -417,7 +443,7 @@ static int sip_help(struct sk_buff *skb,
 	int ret = NF_ACCEPT;
 	unsigned int matchoff, matchlen;
 	u_int16_t port;
-	enum sip_header_pos pos;
+	enum sdp_header_types type;
 	typeof(nf_nat_sip_hook) nf_nat_sip;
 
 	/* No Data ? */
@@ -455,8 +481,10 @@ static int sip_help(struct sk_buff *skb,
 		goto out;
 	}
 	/* Get address and port from SDP packet. */
-	pos = family == AF_INET ? POS_CONNECTION_IP4 : POS_CONNECTION_IP6;
-	if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, pos) > 0) {
+	type = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
+				   SDP_HDR_CONNECTION_IP6;
+	if (ct_sip_get_sdp_header(ct, dptr, 0, datalen, type, SDP_HDR_UNSPEC,
+				  &matchoff, &matchlen) > 0) {
 
 		/* We'll drop only if there are parse problems. */
 		if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
@@ -464,8 +492,9 @@ static int sip_help(struct sk_buff *skb,
 			ret = NF_DROP;
 			goto out;
 		}
-		if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
-				    POS_MEDIA) > 0) {
+		if (ct_sip_get_sdp_header(ct, dptr, 0, datalen,
+					  SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
+					  &matchoff, &matchlen) > 0) {
 
 			port = simple_strtoul(dptr + matchoff, NULL, 10);
 			if (port < 1024) {

[NETFILTER 15/32]: nf_conntrack_sip: kill request URI "header" definitions

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: kill request URI "header" definitions

The request URI is not a header and needs to be treated differently than
real SIP headers. Add a seperate function for parsing it and get rid of
the POS_REQ_URI/POS_REG_REQ_URI definitions.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5c32e869153429dda7acaa55eb609138af7f6f01
tree 5d858f2c5cbfddef3739a2c7da68ef4d80406cc2
parent a29bdbd3963e34a5eea23c7136491a8b35cfb7a8
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:22 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:22 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    5 +-
 net/ipv4/netfilter/nf_nat_sip.c            |   46 +++++++++++---------
 net/netfilter/nf_conntrack_sip.c           |   64 ++++++++++++++++++++++------
 3 files changed, 77 insertions(+), 38 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 3aaf795..9b96e17 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -12,8 +12,6 @@ enum sip_expectation_classes {
 #define SIP_EXPECT_MAX	(__SIP_EXPECT_MAX - 1)
 
 enum sip_header_pos {
-	POS_REG_REQ_URI,
-	POS_REQ_URI,
 	POS_FROM,
 	POS_TO,
 	POS_VIA,
@@ -65,6 +63,9 @@ extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				       unsigned int *datalen,
 				       struct nf_conntrack_expect *exp);
 
+extern int ct_sip_parse_request(const struct nf_conn *ct,
+				const char *dptr, unsigned int datalen,
+				unsigned int *matchoff, unsigned int *matchlen);
 extern int ct_sip_get_info(const struct nf_conn *ct, const char *dptr,
                            size_t dlen, unsigned int *matchoff,
                            unsigned int *matchlen, enum sip_header_pos pos);
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index aa8a4f4..60151b5 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -78,20 +78,17 @@ static unsigned int mangle_packet(struct sk_buff *skb,
 	return 1;
 }
 
-static int map_sip_addr(struct sk_buff *skb,
-			const char **dptr, unsigned int *datalen,
-			enum sip_header_pos pos, struct addr_map *map)
+static int map_addr(struct sk_buff *skb,
+		    const char **dptr, unsigned int *datalen,
+		    unsigned int matchoff, unsigned int matchlen,
+		    struct addr_map *map)
 {
 	enum ip_conntrack_info ctinfo;
-	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	struct nf_conn *ct __maybe_unused = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-	unsigned int matchlen, matchoff, addrlen;
+	unsigned int addrlen;
 	char *addr;
 
-	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
-			    pos) <= 0)
-		return 1;
-
 	if ((matchlen == map->addr[dir].srciplen ||
 	     matchlen == map->addr[dir].srclen) &&
 	    strncmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
@@ -109,13 +106,27 @@ static int map_sip_addr(struct sk_buff *skb,
 			     addr, addrlen);
 }
 
+static int map_sip_addr(struct sk_buff *skb,
+			const char **dptr, unsigned int *datalen,
+			enum sip_header_pos pos, struct addr_map *map)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	unsigned int matchlen, matchoff;
+
+	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
+			    pos) <= 0)
+		return 1;
+	return map_addr(skb, dptr, datalen, matchoff, matchlen, map);
+}
+
 static unsigned int ip_nat_sip(struct sk_buff *skb,
 			       const char **dptr, unsigned int *datalen)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-	enum sip_header_pos pos;
 	struct addr_map map;
+	unsigned int matchoff, matchlen;
 
 	if (*datalen < strlen("SIP/2.0"))
 		return NF_ACCEPT;
@@ -124,18 +135,9 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 
 	/* Basic rules: requests and responses. */
 	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
-		/* 10.2: Constructing the REGISTER Request:
-		 *
-		 * The "userinfo" and "@" components of the SIP URI MUST NOT
-		 * be present.
-		 */
-		if (*datalen >= strlen("REGISTER") &&
-		    strnicmp(*dptr, "REGISTER", strlen("REGISTER")) == 0)
-			pos = POS_REG_REQ_URI;
-		else
-			pos = POS_REQ_URI;
-
-		if (!map_sip_addr(skb, dptr, datalen, pos, &map))
+		if (ct_sip_parse_request(ct, *dptr, *datalen,
+					 &matchoff, &matchlen) > 0 &&
+		    !map_addr(skb, dptr, datalen, matchoff, matchlen, &map))
 			return NF_DROP;
 	}
 
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c204e35..d79a6fc 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -65,20 +65,6 @@ struct sip_header_nfo {
 };
 
 static const struct sip_header_nfo ct_sip_hdrs[] = {
-	[POS_REG_REQ_URI] = { 	/* SIP REGISTER request URI */
-		.lname		= "sip:",
-		.lnlen		= sizeof("sip:") - 1,
-		.ln_str		= ":",
-		.ln_strlen	= sizeof(":") - 1,
-		.match_len	= epaddr_len,
-	},
-	[POS_REQ_URI] = { 	/* SIP request URI */
-		.lname		= "sip:",
-		.lnlen		= sizeof("sip:") - 1,
-		.ln_str		= "@",
-		.ln_strlen	= sizeof("@") - 1,
-		.match_len	= epaddr_len,
-	},
 	[POS_FROM] = {		/* SIP From header */
 		.lname		= "From:",
 		.lnlen		= sizeof("From:") - 1,
@@ -164,6 +150,18 @@ const char *ct_sip_search(const char *needle, const char *haystack,
 }
 EXPORT_SYMBOL_GPL(ct_sip_search);
 
+static int string_len(const struct nf_conn *ct, const char *dptr,
+		      const char *limit, int *shift)
+{
+	int len = 0;
+
+	while (dptr < limit && isalpha(*dptr)) {
+		dptr++;
+		len++;
+	}
+	return len;
+}
+
 static int digits_len(const struct nf_conn *ct, const char *dptr,
 		      const char *limit, int *shift)
 {
@@ -267,6 +265,44 @@ static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
 	return epaddr_len(ct, dptr, limit, shift);
 }
 
+/* Parse a SIP request line of the form:
+ *
+ * Request-Line = Method SP Request-URI SP SIP-Version CRLF
+ *
+ * and return the offset and length of the address contained in the Request-URI.
+ */
+int ct_sip_parse_request(const struct nf_conn *ct,
+			 const char *dptr, unsigned int datalen,
+			 unsigned int *matchoff, unsigned int *matchlen)
+{
+	const char *start = dptr, *limit = dptr + datalen;
+	unsigned int mlen;
+	int shift = 0;
+
+	/* Skip method and following whitespace */
+	mlen = string_len(ct, dptr, limit, NULL);
+	if (!mlen)
+		return 0;
+	dptr += mlen;
+	if (++dptr >= limit)
+		return 0;
+
+	/* Find SIP URI */
+	limit -= strlen("sip:");
+	for (; dptr < limit; dptr++) {
+		if (*dptr == '\r' || *dptr == '\n')
+			return -1;
+		if (strnicmp(dptr, "sip:", strlen("sip:")) == 0)
+			break;
+	}
+	*matchlen = skp_epaddr_len(ct, dptr, limit, &shift);
+	if (!*matchlen)
+		return 0;
+	*matchoff = dptr - start + shift;
+	return 1;
+}
+EXPORT_SYMBOL_GPL(ct_sip_parse_request);
+
 /* Returns 0 if not found, -1 error parsing. */
 int ct_sip_get_info(const struct nf_conn *ct,
 		    const char *dptr, size_t dlen,

[NETFILTER 16/32]: nf_conntrack_sip: parse SIP headers properly

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: parse SIP headers properly

Introduce new function for SIP header parsing that properly deals with
continuation lines and whitespace in headers and use it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ad68c0360489e4b074598ccdaff30d0651198fb2
tree f0b21dcbff630b2d4dfdac64d45ac649b224aac8
parent 5c32e869153429dda7acaa55eb609138af7f6f01
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:22 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:22 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   30 ++-
 net/ipv4/netfilter/nf_nat_sip.c            |   18 +-
 net/netfilter/nf_conntrack_sip.c           |  271 +++++++++++++---------------
 3 files changed, 151 insertions(+), 168 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 9b96e17..fac85c6 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -11,14 +11,6 @@ enum sip_expectation_classes {
 };
 #define SIP_EXPECT_MAX	(__SIP_EXPECT_MAX - 1)
 
-enum sip_header_pos {
-	POS_FROM,
-	POS_TO,
-	POS_VIA,
-	POS_CONTACT,
-	POS_CONTENT,
-};
-
 struct sip_header {
 	const char	*name;
 	const char	*cname;
@@ -42,9 +34,20 @@ struct sip_header {
 	.match_len	= (__match),					\
 }
 
+#define SIP_HDR(__name, __cname, __search, __match) \
+	__SIP_HDR(__name, __cname, __search, __match)
+
 #define SDP_HDR(__name, __search, __match) \
 	__SIP_HDR(__name, NULL, __search, __match)
 
+enum sip_header_types {
+	SIP_HDR_FROM,
+	SIP_HDR_TO,
+	SIP_HDR_CONTACT,
+	SIP_HDR_VIA,
+	SIP_HDR_CONTENT_LENGTH,
+};
+
 enum sdp_header_types {
 	SDP_HDR_UNSPEC,
 	SDP_HDR_VERSION,
@@ -66,13 +69,10 @@ extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 extern int ct_sip_parse_request(const struct nf_conn *ct,
 				const char *dptr, unsigned int datalen,
 				unsigned int *matchoff, unsigned int *matchlen);
-extern int ct_sip_get_info(const struct nf_conn *ct, const char *dptr,
-                           size_t dlen, unsigned int *matchoff,
-                           unsigned int *matchlen, enum sip_header_pos pos);
-extern int ct_sip_lnlen(const char *line, const char *limit);
-extern const char *ct_sip_search(const char *needle, const char *haystack,
-				 size_t needle_len, size_t haystack_len,
-				 int case_sensitive);
+extern int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
+			     unsigned int dataoff, unsigned int datalen,
+			     enum sip_header_types type,
+			     unsigned int *matchoff, unsigned int *matchlen);
 
 extern int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 				 unsigned int dataoff, unsigned int datalen,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 60151b5..c13e438 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -108,14 +108,14 @@ static int map_addr(struct sk_buff *skb,
 
 static int map_sip_addr(struct sk_buff *skb,
 			const char **dptr, unsigned int *datalen,
-			enum sip_header_pos pos, struct addr_map *map)
+			enum sip_header_types type, struct addr_map *map)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	unsigned int matchlen, matchoff;
 
-	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
-			    pos) <= 0)
+	if (ct_sip_get_header(ct, *dptr, 0, *datalen, type,
+			      &matchoff, &matchlen) <= 0)
 		return 1;
 	return map_addr(skb, dptr, datalen, matchoff, matchlen, map);
 }
@@ -141,10 +141,10 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 			return NF_DROP;
 	}
 
-	if (!map_sip_addr(skb, dptr, datalen, POS_FROM, &map) ||
-	    !map_sip_addr(skb, dptr, datalen, POS_TO, &map) ||
-	    !map_sip_addr(skb, dptr, datalen, POS_VIA, &map) ||
-	    !map_sip_addr(skb, dptr, datalen, POS_CONTACT, &map))
+	if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM, &map) ||
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO, &map) ||
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA, &map) ||
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT, &map))
 		return NF_DROP;
 	return NF_ACCEPT;
 }
@@ -166,8 +166,8 @@ static int mangle_content_len(struct sk_buff *skb,
 	c_len = *datalen - matchoff + strlen("v=");
 
 	/* Now, update SDP length */
-	if (ct_sip_get_info(ct, *dptr, *datalen, &matchoff, &matchlen,
-			    POS_CONTENT) <= 0)
+	if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CONTENT_LENGTH,
+			      &matchoff, &matchlen) <= 0)
 		return 0;
 
 	buflen = sprintf(buffer, "%u", c_len);
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index d79a6fc..cf35a73 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -47,109 +47,6 @@ unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				struct nf_conntrack_expect *exp) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
 
-static int digits_len(const struct nf_conn *, const char *, const char *, int *);
-static int epaddr_len(const struct nf_conn *, const char *, const char *, int *);
-static int skp_digits_len(const struct nf_conn *, const char *, const char *, int *);
-static int skp_epaddr_len(const struct nf_conn *, const char *, const char *, int *);
-
-struct sip_header_nfo {
-	const char	*lname;
-	const char	*sname;
-	const char	*ln_str;
-	size_t		lnlen;
-	size_t		snlen;
-	size_t		ln_strlen;
-	int		case_sensitive;
-	int		(*match_len)(const struct nf_conn *, const char *,
-				     const char *, int *);
-};
-
-static const struct sip_header_nfo ct_sip_hdrs[] = {
-	[POS_FROM] = {		/* SIP From header */
-		.lname		= "From:",
-		.lnlen		= sizeof("From:") - 1,
-		.sname		= "\r\nf:",
-		.snlen		= sizeof("\r\nf:") - 1,
-		.ln_str		= "sip:",
-		.ln_strlen	= sizeof("sip:") - 1,
-		.match_len	= skp_epaddr_len,
-	},
-	[POS_TO] = {		/* SIP To header */
-		.lname		= "To:",
-		.lnlen		= sizeof("To:") - 1,
-		.sname		= "\r\nt:",
-		.snlen		= sizeof("\r\nt:") - 1,
-		.ln_str		= "sip:",
-		.ln_strlen	= sizeof("sip:") - 1,
-		.match_len	= skp_epaddr_len
-	},
-	[POS_VIA] = { 		/* SIP Via header */
-		.lname		= "Via:",
-		.lnlen		= sizeof("Via:") - 1,
-		.sname		= "\r\nv:",
-		.snlen		= sizeof("\r\nv:") - 1, /* rfc3261 "\r\n" */
-		.ln_str		= "UDP ",
-		.ln_strlen	= sizeof("UDP ") - 1,
-		.match_len	= epaddr_len,
-	},
-	[POS_CONTACT] = { 	/* SIP Contact header */
-		.lname		= "Contact:",
-		.lnlen		= sizeof("Contact:") - 1,
-		.sname		= "\r\nm:",
-		.snlen		= sizeof("\r\nm:") - 1,
-		.ln_str		= "sip:",
-		.ln_strlen	= sizeof("sip:") - 1,
-		.match_len	= skp_epaddr_len
-	},
-	[POS_CONTENT] = { 	/* SIP Content length header */
-		.lname		= "Content-Length:",
-		.lnlen		= sizeof("Content-Length:") - 1,
-		.sname		= "\r\nl:",
-		.snlen		= sizeof("\r\nl:") - 1,
-		.ln_str		= ":",
-		.ln_strlen	= sizeof(":") - 1,
-		.match_len	= skp_digits_len
-	},
-};
-
-/* get line length until first CR or LF seen. */
-int ct_sip_lnlen(const char *line, const char *limit)
-{
-	const char *k = line;
-
-	while ((line < limit) && (*line == '\r' || *line == '\n'))
-		line++;
-
-	while (line < limit) {
-		if (*line == '\r' || *line == '\n')
-			break;
-		line++;
-	}
-	return line - k;
-}
-EXPORT_SYMBOL_GPL(ct_sip_lnlen);
-
-/* Linear string search, case sensitive. */
-const char *ct_sip_search(const char *needle, const char *haystack,
-			  size_t needle_len, size_t haystack_len,
-			  int case_sensitive)
-{
-	const char *limit = haystack + (haystack_len - needle_len);
-
-	while (haystack < limit) {
-		if (case_sensitive) {
-			if (strncmp(haystack, needle, needle_len) == 0)
-				return haystack;
-		} else {
-			if (strnicmp(haystack, needle, needle_len) == 0)
-				return haystack;
-		}
-		haystack++;
-	}
-	return NULL;
-}
-EXPORT_SYMBOL_GPL(ct_sip_search);
-
 static int string_len(const struct nf_conn *ct, const char *dptr,
 		      const char *limit, int *shift)
 {
@@ -173,16 +70,6 @@ static int digits_len(const struct nf_conn *ct, const char *dptr,
 	return len;
 }
 
-/* get digits length, skipping blank spaces. */
-static int skp_digits_len(const struct nf_conn *ct, const char *dptr,
-			  const char *limit, int *shift)
-{
-	for (; dptr < limit && *dptr == ' '; dptr++)
-		(*shift)++;
-
-	return digits_len(ct, dptr, limit, shift);
-}
-
 static int parse_addr(const struct nf_conn *ct, const char *cp,
                       const char **endp, union nf_inet_addr *addr,
                       const char *limit)
@@ -303,50 +190,146 @@ int ct_sip_parse_request(const struct nf_conn *ct,
 }
 EXPORT_SYMBOL_GPL(ct_sip_parse_request);
 
-/* Returns 0 if not found, -1 error parsing. */
-int ct_sip_get_info(const struct nf_conn *ct,
-		    const char *dptr, size_t dlen,
-		    unsigned int *matchoff,
-		    unsigned int *matchlen,
-		    enum sip_header_pos pos)
+/* SIP header parsing: SIP headers are located at the beginning of a line, but
+ * may span several lines, in which case the continuation lines begin with a
+ * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
+ * CRLF, RFC 3261 allows only CRLF, we support both.
+ *
+ * Headers are followed by (optionally) whitespace, a colon, again (optionally)
+ * whitespace and the values. Whitespace in this context means any amount of
+ * tabs, spaces and continuation lines, which are treated as a single whitespace
+ * character.
+ */
+static const struct sip_header ct_sip_hdrs[] = {
+	[SIP_HDR_FROM]			= SIP_HDR("From", "f", "sip:", skp_epaddr_len),
+	[SIP_HDR_TO]			= SIP_HDR("To", "t", "sip:", skp_epaddr_len),
+	[SIP_HDR_CONTACT]		= SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
+	[SIP_HDR_VIA]			= SIP_HDR("Via", "v", "UDP ", epaddr_len),
+	[SIP_HDR_CONTENT_LENGTH]	= SIP_HDR("Content-Length", "l", NULL, digits_len),
+};
+
+static const char *sip_follow_continuation(const char *dptr, const char *limit)
 {
-	const struct sip_header_nfo *hnfo = &ct_sip_hdrs[pos];
-	const char *limit, *aux, *k = dptr;
-	int shift = 0;
+	/* Walk past newline */
+	if (++dptr >= limit)
+		return NULL;
+
+	/* Skip '\n' in CR LF */
+	if (*(dptr - 1) == '\r' && *dptr == '\n') {
+		if (++dptr >= limit)
+			return NULL;
+	}
 
-	limit = dptr + (dlen - hnfo->lnlen);
+	/* Continuation line? */
+	if (*dptr != ' ' && *dptr != '\t')
+		return NULL;
 
-	while (dptr < limit) {
-		if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
-		    (hnfo->sname == NULL ||
-		     strncmp(dptr, hnfo->sname, hnfo->snlen) != 0)) {
-			dptr++;
+	/* skip leading whitespace */
+	for (; dptr < limit; dptr++) {
+		if (*dptr != ' ' && *dptr != '\t')
+			break;
+	}
+	return dptr;
+}
+
+static const char *sip_skip_whitespace(const char *dptr, const char *limit)
+{
+	for (; dptr < limit; dptr++) {
+		if (*dptr == ' ')
+			continue;
+		if (*dptr != '\r' && *dptr != '\n')
+			break;
+		dptr = sip_follow_continuation(dptr, limit);
+		if (dptr == NULL)
+			return NULL;
+	}
+	return dptr;
+}
+
+/* Search within a SIP header value, dealing with continuation lines */
+static const char *ct_sip_header_search(const char *dptr, const char *limit,
+					const char *needle, unsigned int len)
+{
+	for (limit -= len; dptr < limit; dptr++) {
+		if (*dptr == '\r' || *dptr == '\n') {
+			dptr = sip_follow_continuation(dptr, limit);
+			if (dptr == NULL)
+				break;
 			continue;
 		}
-		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
-				    ct_sip_lnlen(dptr, limit),
-				    hnfo->case_sensitive);
-		if (!aux) {
-			pr_debug("'%s' not found in '%s'.\n", hnfo->ln_str,
-				 hnfo->lname);
-			return -1;
+
+		if (strnicmp(dptr, needle, len) == 0)
+			return dptr;
+	}
+	return NULL;
+}
+
+int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
+		      unsigned int dataoff, unsigned int datalen,
+		      enum sip_header_types type,
+		      unsigned int *matchoff, unsigned int *matchlen)
+{
+	const struct sip_header *hdr = &ct_sip_hdrs[type];
+	const char *start = dptr, *limit = dptr + datalen;
+	int shift = 0;
+
+	for (dptr += dataoff; dptr < limit; dptr++) {
+		/* Find beginning of line */
+		if (*dptr != '\r' && *dptr != '\n')
+			continue;
+		if (++dptr >= limit)
+			break;
+		if (*(dptr - 1) == '\r' && *dptr == '\n') {
+			if (++dptr >= limit)
+				break;
 		}
-		aux += hnfo->ln_strlen;
 
-		*matchlen = hnfo->match_len(ct, aux, limit, &shift);
-		if (!*matchlen)
-			return -1;
+		/* Skip continuation lines */
+		if (*dptr == ' ' || *dptr == '\t')
+			continue;
+
+		/* Find header. Compact headers must be followed by a
+		 * non-alphabetic character to avoid mismatches. */
+		if (limit - dptr >= hdr->len &&
+		    strnicmp(dptr, hdr->name, hdr->len) == 0)
+			dptr += hdr->len;
+		else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
+			 strnicmp(dptr, hdr->cname, hdr->clen) == 0 &&
+			 !isalpha(*(dptr + hdr->clen + 1)))
+			dptr += hdr->clen;
+		else
+			continue;
+
+		/* Find and skip colon */
+		dptr = sip_skip_whitespace(dptr, limit);
+		if (dptr == NULL)
+			break;
+		if (*dptr != ':' || ++dptr >= limit)
+			break;
+
+		/* Skip whitespace after colon */
+		dptr = sip_skip_whitespace(dptr, limit);
+		if (dptr == NULL)
+			break;
 
-		*matchoff = (aux - k) + shift;
+		*matchoff = dptr - start;
+		if (hdr->search) {
+			dptr = ct_sip_header_search(dptr, limit, hdr->search,
+						    hdr->slen);
+			if (!dptr)
+				return -1;
+			dptr += hdr->slen;
+		}
 
-		pr_debug("%s match succeeded! - len: %u\n", hnfo->lname,
-			 *matchlen);
+		*matchlen = hdr->match_len(ct, dptr, limit, &shift);
+		if (!*matchlen)
+			return -1;
+		*matchoff = dptr - start + shift;
 		return 1;
 	}
-	pr_debug("%s header not found.\n", hnfo->lname);
 	return 0;
 }
-EXPORT_SYMBOL_GPL(ct_sip_get_info);
+EXPORT_SYMBOL_GPL(ct_sip_get_header);
 
 /* SDP header parsing: a SDP session description contains an ordered set of
  * headers, starting with a section containing general session parameters,

[NETFILTER 17/32]: nf_conntrack_sip: introduce SIP-URI parsing helper

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper

Introduce a helper function to parse a SIP-URI in a header value, optionally
iterating through all headers of this kind.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 517cd32eee04d9bdcfe97160bfd9ecb3a636439b
tree e16f1debde64b8257d878378d03fc5abc4881a55
parent ad68c0360489e4b074598ccdaff30d0651198fb2
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:23 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:23 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    5 +
 net/netfilter/nf_conntrack_sip.c           |  107 ++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index fac85c6..080b2a2 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -73,6 +73,11 @@ extern int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 			     unsigned int dataoff, unsigned int datalen,
 			     enum sip_header_types type,
 			     unsigned int *matchoff, unsigned int *matchlen);
+extern int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
+				   unsigned int *dataoff, unsigned int datalen,
+				   enum sip_header_types type, int *in_header,
+				   unsigned int *matchoff, unsigned int *matchlen,
+				   union nf_inet_addr *addr, __be16 *port);
 
 extern int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 				 unsigned int dataoff, unsigned int datalen,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index cf35a73..5454ab1 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -199,6 +199,9 @@ EXPORT_SYMBOL_GPL(ct_sip_parse_request);
  * whitespace and the values. Whitespace in this context means any amount of
  * tabs, spaces and continuation lines, which are treated as a single whitespace
  * character.
+ *
+ * Some headers may appear multiple times. A comma seperated list of values is
+ * equivalent to multiple headers.
  */
 static const struct sip_header ct_sip_hdrs[] = {
 	[SIP_HDR_FROM]			= SIP_HDR("From", "f", "sip:", skp_epaddr_len),
@@ -331,6 +334,110 @@ int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 }
 EXPORT_SYMBOL_GPL(ct_sip_get_header);
 
+/* Get next header field in a list of comma seperated values */
+static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
+			      unsigned int dataoff, unsigned int datalen,
+			      enum sip_header_types type,
+			      unsigned int *matchoff, unsigned int *matchlen)
+{
+	const struct sip_header *hdr = &ct_sip_hdrs[type];
+	const char *start = dptr, *limit = dptr + datalen;
+	int shift = 0;
+
+	dptr += dataoff;
+
+	dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
+	if (!dptr)
+		return 0;
+
+	dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
+	if (!dptr)
+		return 0;
+	dptr += hdr->slen;
+
+	*matchoff = dptr - start;
+	*matchlen = hdr->match_len(ct, dptr, limit, &shift);
+	if (!*matchlen)
+		return -1;
+	*matchoff += shift;
+	return 1;
+}
+
+/* Walk through headers until a parsable one is found or no header of the
+ * given type is left. */
+static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
+			       unsigned int dataoff, unsigned int datalen,
+			       enum sip_header_types type, int *in_header,
+			       unsigned int *matchoff, unsigned int *matchlen)
+{
+	int ret;
+
+	if (in_header && *in_header) {
+		while (1) {
+			ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
+						 type, matchoff, matchlen);
+			if (ret > 0)
+				return ret;
+			if (ret == 0)
+				break;
+			dataoff += *matchoff;
+		}
+		*in_header = 0;
+	}
+
+	while (1) {
+		ret = ct_sip_get_header(ct, dptr, dataoff, datalen, type,
+					matchoff, matchlen);
+		if (ret > 0)
+			break;
+		if (ret == 0)
+			return ret;
+		dataoff += *matchoff;
+	}
+
+	if (in_header)
+		*in_header = 1;
+	return 1;
+}
+
+/* Locate a SIP header, parse the URI and return the offset and length of
+ * the address as well as the address and port themselves. A stream of
+ * headers can be parsed by handing in a non-NULL datalen and in_header
+ * pointer.
+ */
+int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
+			    unsigned int *dataoff, unsigned int datalen,
+			    enum sip_header_types type, int *in_header,
+			    unsigned int *matchoff, unsigned int *matchlen,
+			    union nf_inet_addr *addr, __be16 *port)
+{
+	const char *c, *limit = dptr + datalen;
+	unsigned int p;
+	int ret;
+
+	ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
+				  type, in_header, matchoff, matchlen);
+	WARN_ON(ret < 0);
+	if (ret == 0)
+		return ret;
+
+	if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
+		return -1;
+	if (*c == ':') {
+		c++;
+		p = simple_strtoul(c, (char **)&c, 10);
+		if (p < 1024 || p > 65535)
+			return -1;
+		*port = htons(p);
+	} else
+		*port = htons(SIP_PORT);
+
+	if (dataoff)
+		*dataoff = c - dptr;
+	return 1;
+}
+EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
+
 /* SDP header parsing: a SDP session description contains an ordered set of
  * headers, starting with a section containing general session parameters,
  * optionally followed by multiple media descriptions.

[NETFILTER 18/32]: nf_nat_sip: get rid of text based header translation

[Patrick McHardy]

[NETFILTER]: nf_nat_sip: get rid of text based header translation

Use the URI parsing helper to get the numerical addresses and get rid of the
text based header translation.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 302ab099bf8a1f162642dd3c949117d852e3e57a
tree a66259227f8ac4a0ac31be8d0956f0310c42b5c0
parent 517cd32eee04d9bdcfe97160bfd9ecb3a636439b
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:24 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:24 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    3 +
 net/ipv4/netfilter/nf_nat_sip.c            |  100 +++++++++++-----------------
 net/netfilter/nf_conntrack_sip.c           |   27 ++++++--
 3 files changed, 62 insertions(+), 68 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 080b2a2..1f518d3 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -68,7 +68,8 @@ extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 
 extern int ct_sip_parse_request(const struct nf_conn *ct,
 				const char *dptr, unsigned int datalen,
-				unsigned int *matchoff, unsigned int *matchlen);
+				unsigned int *matchoff, unsigned int *matchlen,
+				union nf_inet_addr *addr, __be16 *port);
 extern int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 			     unsigned int dataoff, unsigned int datalen,
 			     enum sip_header_types type,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index c13e438..5b4a5cd 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -26,39 +26,6 @@ MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
 MODULE_DESCRIPTION("SIP NAT helper");
 MODULE_ALIAS("ip_nat_sip");
 
-struct addr_map {
-	struct {
-		char		src[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
-		char		dst[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
-		unsigned int	srclen, srciplen;
-		unsigned int	dstlen, dstiplen;
-	} addr[IP_CT_DIR_MAX];
-};
-
-static void addr_map_init(const struct nf_conn *ct, struct addr_map *map)
-{
-	const struct nf_conntrack_tuple *t;
-	enum ip_conntrack_dir dir;
-	unsigned int n;
-
-	for (dir = 0; dir < IP_CT_DIR_MAX; dir++) {
-		t = &ct->tuplehash[dir].tuple;
-
-		n = sprintf(map->addr[dir].src, "%u.%u.%u.%u",
-			    NIPQUAD(t->src.u3.ip));
-		map->addr[dir].srciplen = n;
-		n += sprintf(map->addr[dir].src + n, ":%u",
-			     ntohs(t->src.u.udp.port));
-		map->addr[dir].srclen = n;
-
-		n = sprintf(map->addr[dir].dst, "%u.%u.%u.%u",
-			    NIPQUAD(t->dst.u3.ip));
-		map->addr[dir].dstiplen = n;
-		n += sprintf(map->addr[dir].dst + n, ":%u",
-			     ntohs(t->dst.u.udp.port));
-		map->addr[dir].dstlen = n;
-	}
-}
 
 static unsigned int mangle_packet(struct sk_buff *skb,
 				  const char **dptr, unsigned int *datalen,
@@ -81,43 +48,51 @@ static unsigned int mangle_packet(struct sk_buff *skb,
 static int map_addr(struct sk_buff *skb,
 		    const char **dptr, unsigned int *datalen,
 		    unsigned int matchoff, unsigned int matchlen,
-		    struct addr_map *map)
+		    union nf_inet_addr *addr, __be16 port)
 {
 	enum ip_conntrack_info ctinfo;
-	struct nf_conn *ct __maybe_unused = nf_ct_get(skb, &ctinfo);
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-	unsigned int addrlen;
-	char *addr;
-
-	if ((matchlen == map->addr[dir].srciplen ||
-	     matchlen == map->addr[dir].srclen) &&
-	    strncmp(*dptr + matchoff, map->addr[dir].src, matchlen) == 0) {
-		addr    = map->addr[!dir].dst;
-		addrlen = map->addr[!dir].dstlen;
-	} else if ((matchlen == map->addr[dir].dstiplen ||
-		    matchlen == map->addr[dir].dstlen) &&
-		   strncmp(*dptr + matchoff, map->addr[dir].dst, matchlen) == 0) {
-		addr    = map->addr[!dir].src;
-		addrlen = map->addr[!dir].srclen;
+	char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+	unsigned int buflen;
+	__be32 newaddr;
+	__be16 newport;
+
+	if (ct->tuplehash[dir].tuple.src.u3.ip == addr->ip &&
+	    ct->tuplehash[dir].tuple.src.u.udp.port == port) {
+		newaddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
+		newport = ct->tuplehash[!dir].tuple.dst.u.udp.port;
+	} else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip &&
+		   ct->tuplehash[dir].tuple.dst.u.udp.port == port) {
+		newaddr = ct->tuplehash[!dir].tuple.src.u3.ip;
+		newport = ct->tuplehash[!dir].tuple.src.u.udp.port;
 	} else
 		return 1;
 
+	if (newaddr == addr->ip && newport == port)
+		return 1;
+
+	buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
+			 NIPQUAD(newaddr), ntohs(newport));
+
 	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
-			     addr, addrlen);
+			     buffer, buflen);
 }
 
 static int map_sip_addr(struct sk_buff *skb,
 			const char **dptr, unsigned int *datalen,
-			enum sip_header_types type, struct addr_map *map)
+			enum sip_header_types type)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	unsigned int matchlen, matchoff;
+	union nf_inet_addr addr;
+	__be16 port;
 
-	if (ct_sip_get_header(ct, *dptr, 0, *datalen, type,
-			      &matchoff, &matchlen) <= 0)
+	if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL,
+				    &matchoff, &matchlen, &addr, &port) <= 0)
 		return 1;
-	return map_addr(skb, dptr, datalen, matchoff, matchlen, map);
+	return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port);
 }
 
 static unsigned int ip_nat_sip(struct sk_buff *skb,
@@ -125,26 +100,27 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-	struct addr_map map;
 	unsigned int matchoff, matchlen;
+	union nf_inet_addr addr;
+	__be16 port;
 
 	if (*datalen < strlen("SIP/2.0"))
 		return NF_ACCEPT;
 
-	addr_map_init(ct, &map);
-
 	/* Basic rules: requests and responses. */
 	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 		if (ct_sip_parse_request(ct, *dptr, *datalen,
-					 &matchoff, &matchlen) > 0 &&
-		    !map_addr(skb, dptr, datalen, matchoff, matchlen, &map))
+					 &matchoff, &matchlen,
+					 &addr, &port) > 0 &&
+		    !map_addr(skb, dptr, datalen, matchoff, matchlen,
+			      &addr, port))
 			return NF_DROP;
 	}
 
-	if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM, &map) ||
-	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO, &map) ||
-	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA, &map) ||
-	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT, &map))
+	if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO) ||
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA) ||
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT))
 		return NF_DROP;
 	return NF_ACCEPT;
 }
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 5454ab1..1f0db36 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -160,10 +160,12 @@ static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
  */
 int ct_sip_parse_request(const struct nf_conn *ct,
 			 const char *dptr, unsigned int datalen,
-			 unsigned int *matchoff, unsigned int *matchlen)
+			 unsigned int *matchoff, unsigned int *matchlen,
+			 union nf_inet_addr *addr, __be16 *port)
 {
-	const char *start = dptr, *limit = dptr + datalen;
+	const char *start = dptr, *limit = dptr + datalen, *end;
 	unsigned int mlen;
+	unsigned int p;
 	int shift = 0;
 
 	/* Skip method and following whitespace */
@@ -182,10 +184,25 @@ int ct_sip_parse_request(const struct nf_conn *ct,
 		if (strnicmp(dptr, "sip:", strlen("sip:")) == 0)
 			break;
 	}
-	*matchlen = skp_epaddr_len(ct, dptr, limit, &shift);
-	if (!*matchlen)
+	if (!skp_epaddr_len(ct, dptr, limit, &shift))
+		return 0;
+	dptr += shift;
+
+	if (!parse_addr(ct, dptr, &end, addr, limit))
+		return -1;
+	if (end < limit && *end == ':') {
+		end++;
+		p = simple_strtoul(end, (char **)&end, 10);
+		if (p < 1024 || p > 65535)
+			return -1;
+		*port = htons(p);
+	} else
+		*port = htons(SIP_PORT);
+
+	if (end == dptr)
 		return 0;
-	*matchoff = dptr - start + shift;
+	*matchoff = dptr - start;
+	*matchlen = end - dptr;
 	return 1;
 }
 EXPORT_SYMBOL_GPL(ct_sip_parse_request);

[NETFILTER 19/32]: nf_conntrack_sip: move SDP parsing to seperate function

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: move SDP parsing to seperate function

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9a0620a58527f73990638597813e6c759cfbb10c
tree ae38fd93ccd2985dbec87fdf04fb895494b3de70
parent 302ab099bf8a1f162642dd3c949117d852e3e57a
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:25 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:25 +0100

 net/netfilter/nf_conntrack_sip.c |   84 +++++++++++++++++++-------------------
 1 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1f0db36..556f7f6 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -574,19 +574,49 @@ static int set_expected_rtp(struct sk_buff *skb,
 	return ret;
 }
 
+static int process_sdp(struct sk_buff *skb,
+		       const char **dptr, unsigned int *datalen)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+	unsigned int matchoff, matchlen;
+	union nf_inet_addr addr;
+	unsigned int port;
+	enum sdp_header_types type;
+
+	/* Get address and port from SDP packet. */
+	type = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
+				   SDP_HDR_CONNECTION_IP6;
+
+	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
+				  type, SDP_HDR_UNSPEC,
+				  &matchoff, &matchlen) <= 0)
+		return NF_ACCEPT;
+
+	/* We'll drop only if there are parse problems. */
+	if (!parse_addr(ct, *dptr + matchoff, NULL, &addr, *dptr + *datalen))
+		return NF_DROP;
+
+	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
+				  SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
+				  &matchoff, &matchlen) <= 0)
+		return NF_ACCEPT;
+
+	port = simple_strtoul(*dptr + matchoff, NULL, 10);
+	if (port < 1024 || port > 65535)
+		return NF_DROP;
+
+	return set_expected_rtp(skb, dptr, datalen, &addr, htons(port));
+}
+
 static int sip_help(struct sk_buff *skb,
 		    unsigned int protoff,
 		    struct nf_conn *ct,
 		    enum ip_conntrack_info ctinfo)
 {
-	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
-	union nf_inet_addr addr;
 	unsigned int dataoff, datalen;
 	const char *dptr;
-	int ret = NF_ACCEPT;
-	unsigned int matchoff, matchlen;
-	u_int16_t port;
-	enum sdp_header_types type;
 	typeof(nf_nat_sip_hook) nf_nat_sip;
 
 	/* No Data ? */
@@ -600,56 +630,28 @@ static int sip_help(struct sk_buff *skb,
 		dptr = skb->data + dataoff;
 	else {
 		pr_debug("Copy of skbuff not supported yet.\n");
-		goto out;
+		return NF_ACCEPT;
 	}
 
 	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
 	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-		if (!nf_nat_sip(skb, &dptr, &datalen)) {
-			ret = NF_DROP;
-			goto out;
-		}
+		if (!nf_nat_sip(skb, &dptr, &datalen))
+			return NF_DROP;
 	}
 
 	datalen = skb->len - dataoff;
 	if (datalen < strlen("SIP/2.0 200"))
-		goto out;
+		return NF_ACCEPT;
 
 	/* RTP info only in some SDP pkts */
 	if (strnicmp(dptr, "INVITE", strlen("INVITE")) != 0 &&
 	    strnicmp(dptr, "UPDATE", strlen("UPDATE")) != 0 &&
 	    strnicmp(dptr, "SIP/2.0 180", strlen("SIP/2.0 180")) != 0 &&
 	    strnicmp(dptr, "SIP/2.0 183", strlen("SIP/2.0 183")) != 0 &&
-	    strnicmp(dptr, "SIP/2.0 200", strlen("SIP/2.0 200")) != 0) {
-		goto out;
-	}
-	/* Get address and port from SDP packet. */
-	type = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
-				   SDP_HDR_CONNECTION_IP6;
-	if (ct_sip_get_sdp_header(ct, dptr, 0, datalen, type, SDP_HDR_UNSPEC,
-				  &matchoff, &matchlen) > 0) {
+	    strnicmp(dptr, "SIP/2.0 200", strlen("SIP/2.0 200")) != 0)
+		return NF_ACCEPT;
 
-		/* We'll drop only if there are parse problems. */
-		if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
-				dptr + datalen)) {
-			ret = NF_DROP;
-			goto out;
-		}
-		if (ct_sip_get_sdp_header(ct, dptr, 0, datalen,
-					  SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
-					  &matchoff, &matchlen) > 0) {
-
-			port = simple_strtoul(dptr + matchoff, NULL, 10);
-			if (port < 1024) {
-				ret = NF_DROP;
-				goto out;
-			}
-			ret = set_expected_rtp(skb, &dptr, &datalen,
-					       &addr, htons(port));
-		}
-	}
-out:
-	return ret;
+	return process_sdp(skb, &dptr, &datalen);
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;

[NETFILTER 20/32]: nf_conntrack_sip: support method specific request/response handling

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: support method specific request/response handling

Add support for per-method request/response handlers and perform SDP
parsing for INVITE/UPDATE requests and for all informational and
successful responses.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 76ff8089d5abc23d9cc6b31f7d1a7dcdd9579567
tree 16f31f2ca11985a5ecec3d0e6704647a10b546c4
parent 9a0620a58527f73990638597813e6c759cfbb10c
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:26 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:26 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   20 +++++
 net/netfilter/nf_conntrack_sip.c           |  107 +++++++++++++++++++++++++---
 2 files changed, 117 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 1f518d3..518fdf1 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -11,6 +11,25 @@ enum sip_expectation_classes {
 };
 #define SIP_EXPECT_MAX	(__SIP_EXPECT_MAX - 1)
 
+struct sip_handler {
+	const char	*method;
+	unsigned int	len;
+	int		(*request)(struct sk_buff *skb,
+				   const char **dptr, unsigned int *datalen,
+				   unsigned int cseq);
+	int		(*response)(struct sk_buff *skb,
+				    const char **dptr, unsigned int *datalen,
+				    unsigned int cseq, unsigned int code);
+};
+
+#define SIP_HANDLER(__method, __request, __response)			\
+{									\
+	.method		= (__method),					\
+	.len		= sizeof(__method) - 1,				\
+	.request	= (__request),					\
+	.response	= (__response),					\
+}
+
 struct sip_header {
 	const char	*name;
 	const char	*cname;
@@ -41,6 +60,7 @@ struct sip_header {
 	__SIP_HDR(__name, NULL, __search, __match)
 
 enum sip_header_types {
+	SIP_HDR_CSEQ,
 	SIP_HDR_FROM,
 	SIP_HDR_TO,
 	SIP_HDR_CONTACT,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 556f7f6..93e8565 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -221,6 +221,7 @@ EXPORT_SYMBOL_GPL(ct_sip_parse_request);
  * equivalent to multiple headers.
  */
 static const struct sip_header ct_sip_hdrs[] = {
+	[SIP_HDR_CSEQ]			= SIP_HDR("CSeq", NULL, NULL, digits_len),
 	[SIP_HDR_FROM]			= SIP_HDR("From", "f", "sip:", skp_epaddr_len),
 	[SIP_HDR_TO]			= SIP_HDR("To", "t", "sip:", skp_epaddr_len),
 	[SIP_HDR_CONTACT]		= SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
@@ -575,7 +576,8 @@ static int set_expected_rtp(struct sk_buff *skb,
 }
 
 static int process_sdp(struct sk_buff *skb,
-		       const char **dptr, unsigned int *datalen)
+		       const char **dptr, unsigned int *datalen,
+		       unsigned int cseq)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
@@ -609,6 +611,96 @@ static int process_sdp(struct sk_buff *skb,
 
 	return set_expected_rtp(skb, dptr, datalen, &addr, htons(port));
 }
+static int process_invite_response(struct sk_buff *skb,
+				   const char **dptr, unsigned int *datalen,
+				   unsigned int cseq, unsigned int code)
+{
+	if ((code >= 100 && code <= 199) ||
+	    (code >= 200 && code <= 299))
+		return process_sdp(skb, dptr, datalen, cseq);
+
+	return NF_ACCEPT;
+}
+
+static int process_update_response(struct sk_buff *skb,
+				   const char **dptr, unsigned int *datalen,
+				   unsigned int cseq, unsigned int code)
+{
+	if ((code >= 100 && code <= 199) ||
+	    (code >= 200 && code <= 299))
+		return process_sdp(skb, dptr, datalen, cseq);
+
+	return NF_ACCEPT;
+}
+
+static const struct sip_handler sip_handlers[] = {
+	SIP_HANDLER("INVITE", process_sdp, process_invite_response),
+	SIP_HANDLER("UPDATE", process_sdp, process_update_response),
+};
+
+static int process_sip_response(struct sk_buff *skb,
+				const char **dptr, unsigned int *datalen)
+{
+	static const struct sip_handler *handler;
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	unsigned int matchoff, matchlen;
+	unsigned int code, cseq, dataoff, i;
+
+	if (*datalen < strlen("SIP/2.0 200"))
+		return NF_ACCEPT;
+	code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
+	if (!code)
+		return NF_DROP;
+
+	if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
+			      &matchoff, &matchlen) <= 0)
+		return NF_DROP;
+	cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
+	if (!cseq)
+		return NF_DROP;
+	dataoff = matchoff + matchlen + 1;
+
+	for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
+		handler = &sip_handlers[i];
+		if (handler->response == NULL)
+			continue;
+		if (*datalen < dataoff + handler->len ||
+		    strnicmp(*dptr + dataoff, handler->method, handler->len))
+			continue;
+		return handler->response(skb, dptr, datalen, cseq, code);
+	}
+	return NF_ACCEPT;
+}
+
+static int process_sip_request(struct sk_buff *skb,
+			       const char **dptr, unsigned int *datalen)
+{
+	static const struct sip_handler *handler;
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	unsigned int matchoff, matchlen;
+	unsigned int cseq, i;
+
+	for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
+		handler = &sip_handlers[i];
+		if (handler->request == NULL)
+			continue;
+		if (*datalen < handler->len ||
+		    strnicmp(*dptr, handler->method, handler->len))
+			continue;
+
+		if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
+				      &matchoff, &matchlen) <= 0)
+			return NF_DROP;
+		cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
+		if (!cseq)
+			return NF_DROP;
+
+		return handler->request(skb, dptr, datalen, cseq);
+	}
+	return NF_ACCEPT;
+}
 
 static int sip_help(struct sk_buff *skb,
 		    unsigned int protoff,
@@ -643,15 +735,10 @@ static int sip_help(struct sk_buff *skb,
 	if (datalen < strlen("SIP/2.0 200"))
 		return NF_ACCEPT;
 
-	/* RTP info only in some SDP pkts */
-	if (strnicmp(dptr, "INVITE", strlen("INVITE")) != 0 &&
-	    strnicmp(dptr, "UPDATE", strlen("UPDATE")) != 0 &&
-	    strnicmp(dptr, "SIP/2.0 180", strlen("SIP/2.0 180")) != 0 &&
-	    strnicmp(dptr, "SIP/2.0 183", strlen("SIP/2.0 183")) != 0 &&
-	    strnicmp(dptr, "SIP/2.0 200", strlen("SIP/2.0 200")) != 0)
-		return NF_ACCEPT;
-
-	return process_sdp(skb, &dptr, &datalen);
+	if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
+		return process_sip_request(skb, &dptr, &datalen);
+	else
+		return process_sip_response(skb, &dptr, &datalen);
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;

[NETFILTER 21/32]: nf_conntrack_sip: perform NAT after parsing

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: perform NAT after parsing

Perform NAT last after parsing the packet. This makes no difference
currently, but is needed when dealing with registrations to make
sure we seen the unNATed addresses.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 66f5a5cc25fd9279c23d5e4560c216b8fdd72684
tree 612018ec647e76342f0233f2a7833f97808781ec
parent 76ff8089d5abc23d9cc6b31f7d1a7dcdd9579567
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:27 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:27 +0100

 net/ipv4/netfilter/nf_nat_sip.c  |    3 ---
 net/netfilter/nf_conntrack_sip.c |   19 +++++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 5b4a5cd..b442810 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -104,9 +104,6 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 	union nf_inet_addr addr;
 	__be16 port;
 
-	if (*datalen < strlen("SIP/2.0"))
-		return NF_ACCEPT;
-
 	/* Basic rules: requests and responses. */
 	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 		if (ct_sip_parse_request(ct, *dptr, *datalen,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 93e8565..d0c6b3d 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -709,6 +709,7 @@ static int sip_help(struct sk_buff *skb,
 {
 	unsigned int dataoff, datalen;
 	const char *dptr;
+	int ret;
 	typeof(nf_nat_sip_hook) nf_nat_sip;
 
 	/* No Data ? */
@@ -725,20 +726,22 @@ static int sip_help(struct sk_buff *skb,
 		return NF_ACCEPT;
 	}
 
-	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
-	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-		if (!nf_nat_sip(skb, &dptr, &datalen))
-			return NF_DROP;
-	}
-
 	datalen = skb->len - dataoff;
 	if (datalen < strlen("SIP/2.0 200"))
 		return NF_ACCEPT;
 
 	if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
-		return process_sip_request(skb, &dptr, &datalen);
+		ret = process_sip_request(skb, &dptr, &datalen);
 	else
-		return process_sip_response(skb, &dptr, &datalen);
+		ret = process_sip_response(skb, &dptr, &datalen);
+
+	if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+		nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
+		if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen))
+			ret = NF_DROP;
+	}
+
+	return ret;
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;

[NETFILTER 22/32]: nf_conntrack_sip: process ACK and PRACK methods

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: process ACK and PRACK methods

Both may contains SDP offers/answers.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5d5f4ed24fac49a4787ca44f31058bb9ffd9ef2f
tree 539efdcec64feb403e8e32961bc332a790bb5518
parent 66f5a5cc25fd9279c23d5e4560c216b8fdd72684
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:28 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:28 +0100

 net/netfilter/nf_conntrack_sip.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index d0c6b3d..567ac78 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -633,9 +633,22 @@ static int process_update_response(struct sk_buff *skb,
 	return NF_ACCEPT;
 }
 
+static int process_prack_response(struct sk_buff *skb,
+				  const char **dptr, unsigned int *datalen,
+				  unsigned int cseq, unsigned int code)
+{
+	if ((code >= 100 && code <= 199) ||
+	    (code >= 200 && code <= 299))
+		return process_sdp(skb, dptr, datalen, cseq);
+
+	return NF_ACCEPT;
+}
+
 static const struct sip_handler sip_handlers[] = {
 	SIP_HANDLER("INVITE", process_sdp, process_invite_response),
 	SIP_HANDLER("UPDATE", process_sdp, process_update_response),
+	SIP_HANDLER("ACK", process_sdp, NULL),
+	SIP_HANDLER("PRACK", process_sdp, process_prack_response),
 };
 
 static int process_sip_response(struct sk_buff *skb,

[NETFILTER 23/32]: nf_conntrack_sip: flush expectations on call termination

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: flush expectations on call termination

Flush the RTP expectations we've created when a call is hung up or
terminated otherwise.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit d37e87c417a4e93d4cc217a9ca58624e3d2023da
tree 374f588e9893046424cfa34c2dc5ac2804f5af07
parent 5d5f4ed24fac49a4787ca44f31058bb9ffd9ef2f
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:29 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:29 +0100

 net/netfilter/nf_conntrack_sip.c |   52 +++++++++++++++++++++++++++++++++++---
 1 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 567ac78..adcc031 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -17,6 +17,7 @@
 #include <linux/netfilter.h>
 
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <linux/netfilter/nf_conntrack_sip.h>
@@ -542,6 +543,22 @@ int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 }
 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
 
+static void flush_expectations(struct nf_conn *ct)
+{
+	struct nf_conn_help *help = nfct_help(ct);
+	struct nf_conntrack_expect *exp;
+	struct hlist_node *n, *next;
+
+	spin_lock_bh(&nf_conntrack_lock);
+	hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
+		if (!del_timer(&exp->timeout))
+			continue;
+		nf_ct_unlink_expect(exp);
+		nf_ct_expect_put(exp);
+	}
+	spin_unlock_bh(&nf_conntrack_lock);
+}
+
 static int set_expected_rtp(struct sk_buff *skb,
 			    const char **dptr, unsigned int *datalen,
 			    union nf_inet_addr *addr, __be16 port)
@@ -615,32 +632,58 @@ static int process_invite_response(struct sk_buff *skb,
 				   const char **dptr, unsigned int *datalen,
 				   unsigned int cseq, unsigned int code)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
 	if ((code >= 100 && code <= 199) ||
 	    (code >= 200 && code <= 299))
 		return process_sdp(skb, dptr, datalen, cseq);
-
-	return NF_ACCEPT;
+	else {
+		flush_expectations(ct);
+		return NF_ACCEPT;
+	}
 }
 
 static int process_update_response(struct sk_buff *skb,
 				   const char **dptr, unsigned int *datalen,
 				   unsigned int cseq, unsigned int code)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
 	if ((code >= 100 && code <= 199) ||
 	    (code >= 200 && code <= 299))
 		return process_sdp(skb, dptr, datalen, cseq);
-
-	return NF_ACCEPT;
+	else {
+		flush_expectations(ct);
+		return NF_ACCEPT;
+	}
 }
 
 static int process_prack_response(struct sk_buff *skb,
 				  const char **dptr, unsigned int *datalen,
 				  unsigned int cseq, unsigned int code)
 {
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
 	if ((code >= 100 && code <= 199) ||
 	    (code >= 200 && code <= 299))
 		return process_sdp(skb, dptr, datalen, cseq);
+	else {
+		flush_expectations(ct);
+		return NF_ACCEPT;
+	}
+}
+
+static int process_bye_request(struct sk_buff *skb,
+			       const char **dptr, unsigned int *datalen,
+			       unsigned int cseq)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 
+	flush_expectations(ct);
 	return NF_ACCEPT;
 }
 
@@ -649,6 +692,7 @@ static const struct sip_handler sip_handlers[] = {
 	SIP_HANDLER("UPDATE", process_sdp, process_update_response),
 	SIP_HANDLER("ACK", process_sdp, NULL),
 	SIP_HANDLER("PRACK", process_sdp, process_prack_response),
+	SIP_HANDLER("BYE", process_bye_request, NULL),
 };
 
 static int process_sip_response(struct sk_buff *skb,

[NETFILTER 24/32]: nf_conntrack_sip: introduce URI and header parameter parsing helpers

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: introduce URI and header parameter parsing helpers

Introduce URI and header parameter parsing helpers. These are needed
by the conntrack helper to parse expiration values in Contact: header
parameters and by the NAT helper to properly update the Via-header
rport=, received= and maddr= parameters.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7e00b62e009c2297c6623b4903fcce0b24fbe8bd
tree 87c7f4805ef7ce4a6f80f4de681ddb282226b697
parent d37e87c417a4e93d4cc217a9ca58624e3d2023da
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:30 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:30 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   10 +++++
 net/netfilter/nf_conntrack_sip.c           |   58 ++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 518fdf1..96e0caa 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -99,6 +99,16 @@ extern int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 				   enum sip_header_types type, int *in_header,
 				   unsigned int *matchoff, unsigned int *matchlen,
 				   union nf_inet_addr *addr, __be16 *port);
+extern int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
+				      unsigned int dataoff, unsigned int datalen,
+				      const char *name,
+				      unsigned int *matchoff, unsigned int *matchlen,
+				      union nf_inet_addr *addr);
+extern int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+					unsigned int off, unsigned int datalen,
+					const char *name,
+					unsigned int *matchoff, unsigned int *matchen,
+					unsigned int *val);
 
 extern int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 				 unsigned int dataoff, unsigned int datalen,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index adcc031..bedaf2e 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -457,6 +457,64 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 }
 EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);
 
+/* Parse address from header parameter and return address, offset and length */
+int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
+			       unsigned int dataoff, unsigned int datalen,
+			       const char *name,
+			       unsigned int *matchoff, unsigned int *matchlen,
+			       union nf_inet_addr *addr)
+{
+	const char *limit = dptr + datalen;
+	const char *start, *end;
+
+	limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
+	if (!limit)
+		limit = dptr + datalen;
+
+	start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
+	if (!start)
+		return 0;
+
+	start += strlen(name);
+	if (!parse_addr(ct, start, &end, addr, limit))
+		return 0;
+	*matchoff = start - dptr;
+	*matchlen = end - start;
+	return 1;
+}
+EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
+
+/* Parse numerical header parameter and return value, offset and length */
+int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+				 unsigned int dataoff, unsigned int datalen,
+				 const char *name,
+				 unsigned int *matchoff, unsigned int *matchlen,
+				 unsigned int *val)
+{
+	const char *limit = dptr + datalen;
+	const char *start;
+	char *end;
+
+	limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
+	if (!limit)
+		limit = dptr + datalen;
+
+	start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
+	if (!start)
+		return 0;
+
+	start += strlen(name);
+	*val = simple_strtoul(start, &end, 0);
+	if (start == end)
+		return 0;
+	if (matchoff && matchlen) {
+		*matchoff = start - dptr;
+		*matchlen = end - start;
+	}
+	return 1;
+}
+EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
+
 /* SDP header parsing: a SDP session description contains an ordered set of
  * headers, starting with a section containing general session parameters,
  * optionally followed by multiple media descriptions.

[NETFILTER 25/32]: nf_nat_sip: translate all Via headers

[Patrick McHardy]

[NETFILTER]: nf_nat_sip: translate all Via headers

Update maddr=, received= and rport= Via-header parameters refering to
the signalling connection.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit fabf616f40462d030e7f38bb70683b7fa50be075
tree a156f57eb7049a901a90a9015407cb099e366261
parent 7e00b62e009c2297c6623b4903fcce0b24fbe8bd
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:31 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:31 +0100

 net/ipv4/netfilter/nf_nat_sip.c |   74 ++++++++++++++++++++++++++++++++++++++-
 1 files changed, 73 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index b442810..71a4adc 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -100,9 +100,11 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	unsigned int matchoff, matchlen;
 	union nf_inet_addr addr;
 	__be16 port;
+	int request;
 
 	/* Basic rules: requests and responses. */
 	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
@@ -112,11 +114,81 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 		    !map_addr(skb, dptr, datalen, matchoff, matchlen,
 			      &addr, port))
 			return NF_DROP;
+		request = 1;
+	} else
+		request = 0;
+
+	/* Translate topmost Via header and parameters */
+	if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
+				    SIP_HDR_VIA, NULL, &matchoff, &matchlen,
+				    &addr, &port) > 0) {
+		unsigned int matchend, poff, plen, buflen, n;
+		char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+
+		/* We're only interested in headers related to this
+		 * connection */
+		if (request) {
+			if (addr.ip != ct->tuplehash[dir].tuple.src.u3.ip ||
+			    port != ct->tuplehash[dir].tuple.src.u.udp.port)
+				goto next;
+		} else {
+			if (addr.ip != ct->tuplehash[dir].tuple.dst.u3.ip ||
+			    port != ct->tuplehash[dir].tuple.dst.u.udp.port)
+				goto next;
+		}
+
+		if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
+			      &addr, port))
+			return NF_DROP;
+
+		matchend = matchoff + matchlen;
+
+		/* The maddr= parameter (RFC 2361) specifies where to send
+		 * the reply. */
+		if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
+					       "maddr=", &poff, &plen,
+					       &addr) > 0 &&
+		    addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
+		    addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
+			__be32 ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
+			buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
+			if (!mangle_packet(skb, dptr, datalen, poff, plen,
+					   buffer, buflen))
+				return NF_DROP;
+		}
+
+		/* The received= parameter (RFC 2361) contains the address
+		 * from which the server received the request. */
+		if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
+					       "received=", &poff, &plen,
+					       &addr) > 0 &&
+		    addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
+		    addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
+			__be32 ip = ct->tuplehash[!dir].tuple.src.u3.ip;
+			buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(ip));
+			if (!mangle_packet(skb, dptr, datalen, poff, plen,
+					   buffer, buflen))
+				return NF_DROP;
+		}
+
+		/* The rport= parameter (RFC 3581) contains the port number
+		 * from which the server received the request. */
+		if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
+						 "rport=", &poff, &plen,
+						 &n) > 0 &&
+		    htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
+		    htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
+			__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
+			buflen = sprintf(buffer, "%u", ntohs(p));
+			if (!mangle_packet(skb, dptr, datalen, poff, plen,
+					   buffer, buflen))
+				return NF_DROP;
+		}
 	}
 
+next:
 	if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
 	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO) ||
-	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_VIA) ||
 	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT))
 		return NF_DROP;
 	return NF_ACCEPT;

[NETFILTER 26/32]: nf_nat_sip: translate all Contact headers

[Patrick McHardy]

[NETFILTER]: nf_nat_sip: translate all Contact headers

The SIP message may contain multiple Contact: addresses referring to
the NATed endpoint, translate all of them.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7d30e9292bdf36be9ec46fa04441fc8e94055963
tree 424ee9d4dab22e13f7683b99d75f0aa182c60c7e
parent fabf616f40462d030e7f38bb70683b7fa50be075
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:32 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:32 +0100

 net/ipv4/netfilter/nf_nat_sip.c |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 71a4adc..b443618 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -101,10 +101,10 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-	unsigned int matchoff, matchlen;
+	unsigned int dataoff, matchoff, matchlen;
 	union nf_inet_addr addr;
 	__be16 port;
-	int request;
+	int request, in_header;
 
 	/* Basic rules: requests and responses. */
 	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
@@ -187,9 +187,20 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 	}
 
 next:
+	/* Translate Contact headers */
+	dataoff = 0;
+	in_header = 0;
+	while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
+				       SIP_HDR_CONTACT, &in_header,
+				       &matchoff, &matchlen,
+				       &addr, &port) > 0) {
+		if (!map_addr(skb, dptr, datalen, matchoff, matchlen,
+			      &addr, port))
+			return NF_DROP;
+	}
+
 	if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) ||
-	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO) ||
-	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_CONTACT))
+	    !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO))
 		return NF_DROP;
 	return NF_ACCEPT;
 }

[NETFILTER 27/32]: nf_conntrack_sip: create signalling expectations

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: create signalling expectations

Create expectations for incoming signalling connections when seeing
a REGISTER request. This is needed when the registrar uses a
different source port number for signalling messages and for receiving
incoming calls from other endpoints than the registrar.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7446ec09d8df7385419cdd3008c4261c2fec7474
tree df72215c8cd97fd48e91d2cc80bc0378105e8ccd
parent 7d30e9292bdf36be9ec46fa04441fc8e94055963
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:33 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:33 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   14 ++
 include/net/netfilter/nf_conntrack.h       |    4 
 net/ipv4/netfilter/nf_nat_sip.c            |  111 +++++++++++---
 net/netfilter/nf_conntrack_sip.c           |  225 +++++++++++++++++++++++++++-
 4 files changed, 322 insertions(+), 32 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 96e0caa..7cc84ed 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -5,8 +5,13 @@
 #define SIP_PORT	5060
 #define SIP_TIMEOUT	3600
 
+struct nf_ct_sip_master {
+	unsigned int	register_cseq;
+};
+
 enum sip_expectation_classes {
-	SIP_EXPECT,
+	SIP_EXPECT_SIGNALLING,
+	SIP_EXPECT_AUDIO,
 	__SIP_EXPECT_MAX
 };
 #define SIP_EXPECT_MAX	(__SIP_EXPECT_MAX - 1)
@@ -65,6 +70,7 @@ enum sip_header_types {
 	SIP_HDR_TO,
 	SIP_HDR_CONTACT,
 	SIP_HDR_VIA,
+	SIP_HDR_EXPIRES,
 	SIP_HDR_CONTENT_LENGTH,
 };
 
@@ -81,6 +87,12 @@ enum sdp_header_types {
 extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
 				       const char **dptr,
 				       unsigned int *datalen);
+extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
+					      const char **dptr,
+					      unsigned int *datalen,
+					      struct nf_conntrack_expect *exp,
+					      unsigned int matchoff,
+					      unsigned int matchlen);
 extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				       const char **dptr,
 				       unsigned int *datalen,
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 9228771..4a4f870 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -46,6 +46,7 @@ union nf_conntrack_expect_proto {
 #include <linux/netfilter/nf_conntrack_pptp.h>
 #include <linux/netfilter/nf_conntrack_h323.h>
 #include <linux/netfilter/nf_conntrack_sane.h>
+#include <linux/netfilter/nf_conntrack_sip.h>
 
 /* per conntrack: application helper private data */
 union nf_conntrack_help {
@@ -54,6 +55,7 @@ union nf_conntrack_help {
 	struct nf_ct_pptp_master ct_pptp_info;
 	struct nf_ct_h323_master ct_h323_info;
 	struct nf_ct_sane_master ct_sane_info;
+	struct nf_ct_sip_master ct_sip_info;
 };
 
 #include <linux/types.h>
@@ -76,7 +78,7 @@ do {									\
 struct nf_conntrack_helper;
 
 /* Must be kept in sync with the classes defined by helpers */
-#define NF_CT_MAX_EXPECT_CLASSES	1
+#define NF_CT_MAX_EXPECT_CLASSES	2
 
 /* nf_conn feature for connections that have a helper */
 struct nf_conn_help {
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index b443618..4b85e21 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -205,6 +205,91 @@ next:
 	return NF_ACCEPT;
 }
 
+/* Handles expected signalling connections and media streams */
+static void ip_nat_sip_expected(struct nf_conn *ct,
+				struct nf_conntrack_expect *exp)
+{
+	struct nf_nat_range range;
+
+	/* This must be a fresh one. */
+	BUG_ON(ct->status & IPS_NAT_DONE_MASK);
+
+	/* For DST manip, map port here to where it's expected. */
+	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
+	range.min = range.max = exp->saved_proto;
+	range.min_ip = range.max_ip = exp->saved_ip;
+	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
+
+	/* Change src to where master sends to, but only if the connection
+	 * actually came from the same source. */
+	if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip ==
+	    ct->master->tuplehash[exp->dir].tuple.src.u3.ip) {
+		range.flags = IP_NAT_RANGE_MAP_IPS;
+		range.min_ip = range.max_ip
+			= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
+		nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
+	}
+}
+
+static unsigned int ip_nat_sip_expect(struct sk_buff *skb,
+				      const char **dptr, unsigned int *datalen,
+				      struct nf_conntrack_expect *exp,
+				      unsigned int matchoff,
+				      unsigned int matchlen)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+	__be32 newip;
+	u_int16_t port;
+	char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+	unsigned buflen;
+
+	/* Connection will come from reply */
+	if (ct->tuplehash[dir].tuple.src.u3.ip == ct->tuplehash[!dir].tuple.dst.u3.ip)
+		newip = exp->tuple.dst.u3.ip;
+	else
+		newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
+
+	/* If the signalling port matches the connection's source port in the
+	 * original direction, try to use the destination port in the opposite
+	 * direction. */
+	if (exp->tuple.dst.u.udp.port ==
+	    ct->tuplehash[dir].tuple.src.u.udp.port)
+		port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port);
+	else
+		port = ntohs(exp->tuple.dst.u.udp.port);
+
+	exp->saved_ip = exp->tuple.dst.u3.ip;
+	exp->tuple.dst.u3.ip = newip;
+	exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+	exp->dir = !dir;
+	exp->expectfn = ip_nat_sip_expected;
+
+	for (; port != 0; port++) {
+		exp->tuple.dst.u.udp.port = htons(port);
+		if (nf_ct_expect_related(exp) == 0)
+			break;
+	}
+
+	if (port == 0)
+		return NF_DROP;
+
+	if (exp->tuple.dst.u3.ip != exp->saved_ip ||
+	    exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
+		buflen = sprintf(buffer, "%u.%u.%u.%u:%u",
+				 NIPQUAD(newip), port);
+		if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
+				   buffer, buflen))
+			goto err;
+	}
+	return NF_ACCEPT;
+
+err:
+	nf_ct_unexpect_related(exp);
+	return NF_DROP;
+}
+
 static int mangle_content_len(struct sk_buff *skb,
 			      const char **dptr, unsigned int *datalen)
 {
@@ -275,27 +360,6 @@ static unsigned int mangle_sdp(struct sk_buff *skb,
 	return mangle_content_len(skb, dptr, datalen);
 }
 
-static void ip_nat_sdp_expect(struct nf_conn *ct,
-			      struct nf_conntrack_expect *exp)
-{
-	struct nf_nat_range range;
-
-	/* This must be a fresh one. */
-	BUG_ON(ct->status & IPS_NAT_DONE_MASK);
-
-	/* For DST manip, map port here to where it's expected. */
-	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
-	range.min = range.max = exp->saved_proto;
-	range.min_ip = range.max_ip = exp->saved_ip;
-	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
-
-	/* Change src to where master sends to */
-	range.flags = IP_NAT_RANGE_MAP_IPS;
-	range.min_ip = range.max_ip
-		= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
-	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
-}
-
 /* So, this packet has hit the connection tracking matching code.
    Mangle it, and change the expectation to match the new version. */
 static unsigned int ip_nat_sdp(struct sk_buff *skb,
@@ -322,7 +386,7 @@ static unsigned int ip_nat_sdp(struct sk_buff *skb,
 
 	/* When you see the packet, we need to NAT it the same as the
 	   this one. */
-	exp->expectfn = ip_nat_sdp_expect;
+	exp->expectfn = ip_nat_sip_expected;
 
 	/* Try to get same port: if not, try to change it. */
 	for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
@@ -344,6 +408,7 @@ static unsigned int ip_nat_sdp(struct sk_buff *skb,
 static void __exit nf_nat_sip_fini(void)
 {
 	rcu_assign_pointer(nf_nat_sip_hook, NULL);
+	rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
 	rcu_assign_pointer(nf_nat_sdp_hook, NULL);
 	synchronize_rcu();
 }
@@ -351,8 +416,10 @@ static void __exit nf_nat_sip_fini(void)
 static int __init nf_nat_sip_init(void)
 {
 	BUG_ON(nf_nat_sip_hook != NULL);
+	BUG_ON(nf_nat_sip_expect_hook != NULL);
 	BUG_ON(nf_nat_sdp_hook != NULL);
 	rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
+	rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
 	rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
 	return 0;
 }
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index bedaf2e..2f21d0c 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -37,11 +37,24 @@ static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
 module_param(sip_timeout, uint, 0600);
 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
 
+static int sip_direct_signalling __read_mostly = 1;
+module_param(sip_direct_signalling, int, 0600);
+MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
+					"only (default 1)");
+
 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
 				const char **dptr,
 				unsigned int *datalen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
 
+unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
+				       const char **dptr,
+				       unsigned int *datalen,
+				       struct nf_conntrack_expect *exp,
+				       unsigned int matchoff,
+				       unsigned int matchlen) __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook);
+
 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				const char **dptr,
 				unsigned int *datalen,
@@ -227,6 +240,7 @@ static const struct sip_header ct_sip_hdrs[] = {
 	[SIP_HDR_TO]			= SIP_HDR("To", "t", "sip:", skp_epaddr_len),
 	[SIP_HDR_CONTACT]		= SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
 	[SIP_HDR_VIA]			= SIP_HDR("Via", "v", "UDP ", epaddr_len),
+	[SIP_HDR_EXPIRES]		= SIP_HDR("Expires", NULL, NULL, digits_len),
 	[SIP_HDR_CONTENT_LENGTH]	= SIP_HDR("Content-Length", "l", NULL, digits_len),
 };
 
@@ -601,7 +615,35 @@ int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 }
 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
 
-static void flush_expectations(struct nf_conn *ct)
+static int refresh_signalling_expectation(struct nf_conn *ct,
+					  union nf_inet_addr *addr,
+					  __be16 port,
+					  unsigned int expires)
+{
+	struct nf_conn_help *help = nfct_help(ct);
+	struct nf_conntrack_expect *exp;
+	struct hlist_node *n, *next;
+	int found = 0;
+
+	spin_lock_bh(&nf_conntrack_lock);
+	hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
+		if (exp->class != SIP_EXPECT_SIGNALLING ||
+		    !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) ||
+		    exp->tuple.dst.u.udp.port != port)
+			continue;
+		if (!del_timer(&exp->timeout))
+			continue;
+		exp->flags &= ~NF_CT_EXPECT_INACTIVE;
+		exp->timeout.expires = jiffies + expires * HZ;
+		add_timer(&exp->timeout);
+		found = 1;
+		break;
+	}
+	spin_unlock_bh(&nf_conntrack_lock);
+	return found;
+}
+
+static void flush_expectations(struct nf_conn *ct, int media)
 {
 	struct nf_conn_help *help = nfct_help(ct);
 	struct nf_conntrack_expect *exp;
@@ -609,10 +651,14 @@ static void flush_expectations(struct nf_conn *ct)
 
 	spin_lock_bh(&nf_conntrack_lock);
 	hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
+		if ((exp->class != SIP_EXPECT_SIGNALLING) ^ media)
+			continue;
 		if (!del_timer(&exp->timeout))
 			continue;
 		nf_ct_unlink_expect(exp);
 		nf_ct_expect_put(exp);
+		if (!media)
+			break;
 	}
 	spin_unlock_bh(&nf_conntrack_lock);
 }
@@ -632,7 +678,7 @@ static int set_expected_rtp(struct sk_buff *skb,
 	exp = nf_ct_expect_alloc(ct);
 	if (exp == NULL)
 		return NF_DROP;
-	nf_ct_expect_init(exp, SIP_EXPECT, family,
+	nf_ct_expect_init(exp, SIP_EXPECT_AUDIO, family,
 			  &ct->tuplehash[!dir].tuple.src.u3, addr,
 			  IPPROTO_UDP, NULL, &port);
 
@@ -697,7 +743,7 @@ static int process_invite_response(struct sk_buff *skb,
 	    (code >= 200 && code <= 299))
 		return process_sdp(skb, dptr, datalen, cseq);
 	else {
-		flush_expectations(ct);
+		flush_expectations(ct, 1);
 		return NF_ACCEPT;
 	}
 }
@@ -713,7 +759,7 @@ static int process_update_response(struct sk_buff *skb,
 	    (code >= 200 && code <= 299))
 		return process_sdp(skb, dptr, datalen, cseq);
 	else {
-		flush_expectations(ct);
+		flush_expectations(ct, 1);
 		return NF_ACCEPT;
 	}
 }
@@ -729,7 +775,7 @@ static int process_prack_response(struct sk_buff *skb,
 	    (code >= 200 && code <= 299))
 		return process_sdp(skb, dptr, datalen, cseq);
 	else {
-		flush_expectations(ct);
+		flush_expectations(ct, 1);
 		return NF_ACCEPT;
 	}
 }
@@ -741,7 +787,165 @@ static int process_bye_request(struct sk_buff *skb,
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 
-	flush_expectations(ct);
+	flush_expectations(ct, 1);
+	return NF_ACCEPT;
+}
+
+/* Parse a REGISTER request and create a permanent expectation for incoming
+ * signalling connections. The expectation is marked inactive and is activated
+ * when receiving a response indicating success from the registrar.
+ */
+static int process_register_request(struct sk_buff *skb,
+				    const char **dptr, unsigned int *datalen,
+				    unsigned int cseq)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	struct nf_conn_help *help = nfct_help(ct);
+	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+	unsigned int matchoff, matchlen;
+	struct nf_conntrack_expect *exp;
+	union nf_inet_addr *saddr, daddr;
+	__be16 port;
+	unsigned int expires = 0;
+	int ret;
+	typeof(nf_nat_sip_expect_hook) nf_nat_sip_expect;
+
+	/* Expected connections can not register again. */
+	if (ct->status & IPS_EXPECTED)
+		return NF_ACCEPT;
+
+	/* We must check the expiration time: a value of zero signals the
+	 * registrar to release the binding. We'll remove our expectation
+	 * when receiving the new bindings in the response, but we don't
+	 * want to create new ones.
+	 *
+	 * The expiration time may be contained in Expires: header, the
+	 * Contact: header parameters or the URI parameters.
+	 */
+	if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
+			      &matchoff, &matchlen) > 0)
+		expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+
+	ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
+				      SIP_HDR_CONTACT, NULL,
+				      &matchoff, &matchlen, &daddr, &port);
+	if (ret < 0)
+		return NF_DROP;
+	else if (ret == 0)
+		return NF_ACCEPT;
+
+	/* We don't support third-party registrations */
+	if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
+		return NF_ACCEPT;
+
+	if (ct_sip_parse_numerical_param(ct, *dptr,
+					 matchoff + matchlen, *datalen,
+					 "expires=", NULL, NULL, &expires) < 0)
+		return NF_DROP;
+
+	if (expires == 0) {
+		ret = NF_ACCEPT;
+		goto store_cseq;
+	}
+
+	exp = nf_ct_expect_alloc(ct);
+	if (!exp)
+		return NF_DROP;
+
+	saddr = NULL;
+	if (sip_direct_signalling)
+		saddr = &ct->tuplehash[!dir].tuple.src.u3;
+
+	nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, family, saddr, &daddr,
+			  IPPROTO_UDP, NULL, &port);
+	exp->timeout.expires = sip_timeout * HZ;
+	exp->helper = nfct_help(ct)->helper;
+	exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
+
+	nf_nat_sip_expect = rcu_dereference(nf_nat_sip_expect_hook);
+	if (nf_nat_sip_expect && ct->status & IPS_NAT_MASK)
+		ret = nf_nat_sip_expect(skb, dptr, datalen, exp,
+					matchoff, matchlen);
+	else {
+		if (nf_ct_expect_related(exp) != 0)
+			ret = NF_DROP;
+		else
+			ret = NF_ACCEPT;
+	}
+	nf_ct_expect_put(exp);
+
+store_cseq:
+	if (ret == NF_ACCEPT)
+		help->help.ct_sip_info.register_cseq = cseq;
+	return ret;
+}
+
+static int process_register_response(struct sk_buff *skb,
+				     const char **dptr, unsigned int *datalen,
+				     unsigned int cseq, unsigned int code)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	struct nf_conn_help *help = nfct_help(ct);
+	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+	union nf_inet_addr addr;
+	__be16 port;
+	unsigned int matchoff, matchlen, dataoff = 0;
+	unsigned int expires = 0;
+	int in_contact = 0, ret;
+
+	/* According to RFC 3261, "UAs MUST NOT send a new registration until
+	 * they have received a final response from the registrar for the
+	 * previous one or the previous REGISTER request has timed out".
+	 *
+	 * However, some servers fail to detect retransmissions and send late
+	 * responses, so we store the sequence number of the last valid
+	 * request and compare it here.
+	 */
+	if (help->help.ct_sip_info.register_cseq != cseq)
+		return NF_ACCEPT;
+
+	if (code >= 100 && code <= 199)
+		return NF_ACCEPT;
+	if (code < 200 || code > 299)
+		goto flush;
+
+	if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
+			      &matchoff, &matchlen) > 0)
+		expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+
+	while (1) {
+		unsigned int c_expires = expires;
+
+		ret = ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen,
+					      SIP_HDR_CONTACT, &in_contact,
+					      &matchoff, &matchlen,
+					      &addr, &port);
+		if (ret < 0)
+			return NF_DROP;
+		else if (ret == 0)
+			break;
+
+		/* We don't support third-party registrations */
+		if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
+			continue;
+
+		ret = ct_sip_parse_numerical_param(ct, *dptr,
+						   matchoff + matchlen,
+						   *datalen, "expires=",
+						   NULL, NULL, &c_expires);
+		if (ret < 0)
+			return NF_DROP;
+		if (c_expires == 0)
+			break;
+		if (refresh_signalling_expectation(ct, &addr, port, c_expires))
+			return NF_ACCEPT;
+	}
+
+flush:
+	flush_expectations(ct, 0);
 	return NF_ACCEPT;
 }
 
@@ -751,6 +955,7 @@ static const struct sip_handler sip_handlers[] = {
 	SIP_HANDLER("ACK", process_sdp, NULL),
 	SIP_HANDLER("PRACK", process_sdp, process_prack_response),
 	SIP_HANDLER("BYE", process_bye_request, NULL),
+	SIP_HANDLER("REGISTER", process_register_request, process_register_response),
 };
 
 static int process_sip_response(struct sk_buff *skb,
@@ -863,8 +1068,12 @@ static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
 static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly;
 
 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
-	[SIP_EXPECT] = {
-		.max_expected	= 2,
+	[SIP_EXPECT_SIGNALLING] = {
+		.max_expected	= 1,
+		.timeout	= 3 * 60,
+	},
+	[SIP_EXPECT_AUDIO] = {
+		.max_expected	= IP_CT_DIR_MAX,
 		.timeout	= 3 * 60,
 	},
 };

[NETFILTER 28/32]: nf_conntrack_sip: allow media expectations with wildcard source address

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: allow media expectations with wildcard source address

Media streams can come from anywhere, add a module parameter which
controls whether wildcard expectations or expectations between the
two signalling endpoints are created.

Since the same media description sent on multiple connections may
results in multiple identical expections when using a wildcard source,
we need to check whether a similar expectation already exists for a
different connection before attempting to register it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ab0caf103dbec8328e88d4598bdfadda4083c57d
tree d15aac94c9ec2091bef09ea8a920b898127f991f
parent 7446ec09d8df7385419cdd3008c4261c2fec7474
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:34 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:34 +0100

 net/netfilter/nf_conntrack_sip.c |   45 +++++++++++++++++++++++++++++++++++---
 1 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 2f21d0c..be4dcb3 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -42,6 +42,11 @@ module_param(sip_direct_signalling, int, 0600);
 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
 					"only (default 1)");
 
+static int sip_direct_media __read_mostly = 1;
+module_param(sip_direct_media, int, 0600);
+MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
+				   "endpoints only (default 1)");
+
 unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
 				const char **dptr,
 				unsigned int *datalen) __read_mostly;
@@ -665,21 +670,53 @@ static void flush_expectations(struct nf_conn *ct, int media)
 
 static int set_expected_rtp(struct sk_buff *skb,
 			    const char **dptr, unsigned int *datalen,
-			    union nf_inet_addr *addr, __be16 port)
+			    union nf_inet_addr *daddr, __be16 port)
 {
 	struct nf_conntrack_expect *exp;
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+	union nf_inet_addr *saddr;
+	struct nf_conntrack_tuple tuple;
 	int family = ct->tuplehash[!dir].tuple.src.l3num;
-	int ret;
+	int skip_expect = 0, ret;
 	typeof(nf_nat_sdp_hook) nf_nat_sdp;
 
+	saddr = NULL;
+	if (sip_direct_media) {
+		if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
+			return NF_ACCEPT;
+		saddr = &ct->tuplehash[!dir].tuple.src.u3;
+	}
+
+	/* We need to check whether the registration exists before attempting
+	 * to register it since we can see the same media description multiple
+	 * times on different connections in case multiple endpoints receive
+	 * the same call.
+	 */
+	memset(&tuple, 0, sizeof(tuple));
+	if (saddr)
+		tuple.src.u3 = *saddr;
+	tuple.src.l3num		= family;
+	tuple.dst.protonum	= IPPROTO_UDP;
+	tuple.dst.u3		= *daddr;
+	tuple.dst.u.udp.port	= port;
+
+	spin_lock_bh(&nf_conntrack_lock);
+	exp = __nf_ct_expect_find(&tuple);
+	if (exp && exp->master != ct &&
+	    nfct_help(exp->master)->helper == nfct_help(ct)->helper &&
+	    exp->class == SIP_EXPECT_AUDIO)
+		skip_expect = 1;
+	spin_unlock_bh(&nf_conntrack_lock);
+
+	if (skip_expect)
+		return NF_ACCEPT;
+
 	exp = nf_ct_expect_alloc(ct);
 	if (exp == NULL)
 		return NF_DROP;
-	nf_ct_expect_init(exp, SIP_EXPECT_AUDIO, family,
-			  &ct->tuplehash[!dir].tuple.src.u3, addr,
+	nf_ct_expect_init(exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
 			  IPPROTO_UDP, NULL, &port);
 
 	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);

[NETFILTER 29/32]: nf_conntrack_sip: create RTCP expectations

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: create RTCP expectations

Create expectations for the RTCP connections in addition to RTP connections.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 6205c1de4eb35932089b86a74914ffb1d6cff650
tree e48a2f9a7487e35f4ae3f928dc6a984cbcf38509
parent ab0caf103dbec8328e88d4598bdfadda4083c57d
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:35 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:35 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    3 +
 net/ipv4/netfilter/nf_nat_sip.c            |   42 +++++++++++++-------
 net/netfilter/nf_conntrack_sip.c           |   58 ++++++++++++++++++----------
 3 files changed, 66 insertions(+), 37 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 7cc84ed..6ddf95f 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -96,7 +96,8 @@ extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
 extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				       const char **dptr,
 				       unsigned int *datalen,
-				       struct nf_conntrack_expect *exp);
+				       struct nf_conntrack_expect *rtp_exp,
+				       struct nf_conntrack_expect *rtcp_exp);
 
 extern int ct_sip_parse_request(const struct nf_conn *ct,
 				const char *dptr, unsigned int datalen,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 4b85e21..f73ab48 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -364,7 +364,8 @@ static unsigned int mangle_sdp(struct sk_buff *skb,
    Mangle it, and change the expectation to match the new version. */
 static unsigned int ip_nat_sdp(struct sk_buff *skb,
 			       const char **dptr, unsigned int *datalen,
-			       struct nf_conntrack_expect *exp)
+			       struct nf_conntrack_expect *rtp_exp,
+			       struct nf_conntrack_expect *rtcp_exp)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
@@ -375,31 +376,40 @@ static unsigned int ip_nat_sdp(struct sk_buff *skb,
 	/* Connection will come from reply */
 	if (ct->tuplehash[dir].tuple.src.u3.ip ==
 	    ct->tuplehash[!dir].tuple.dst.u3.ip)
-		newip = exp->tuple.dst.u3.ip;
+		newip = rtp_exp->tuple.dst.u3.ip;
 	else
 		newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 
-	exp->saved_ip = exp->tuple.dst.u3.ip;
-	exp->tuple.dst.u3.ip = newip;
-	exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
-	exp->dir = !dir;
-
-	/* When you see the packet, we need to NAT it the same as the
-	   this one. */
-	exp->expectfn = ip_nat_sip_expected;
-
-	/* Try to get same port: if not, try to change it. */
-	for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
-		exp->tuple.dst.u.udp.port = htons(port);
-		if (nf_ct_expect_related(exp) == 0)
+	rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
+	rtp_exp->tuple.dst.u3.ip = newip;
+	rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
+	rtp_exp->dir = !dir;
+	rtp_exp->expectfn = ip_nat_sip_expected;
+
+	rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
+	rtcp_exp->tuple.dst.u3.ip = newip;
+	rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
+	rtcp_exp->dir = !dir;
+	rtcp_exp->expectfn = ip_nat_sip_expected;
+
+	/* Try to get same pair of ports: if not, try to change them. */
+	for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);
+	     port != 0; port += 2) {
+		rtp_exp->tuple.dst.u.udp.port = htons(port);
+		if (nf_ct_expect_related(rtp_exp) != 0)
+			continue;
+		rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
+		if (nf_ct_expect_related(rtcp_exp) == 0)
 			break;
+		nf_ct_unexpect_related(rtp_exp);
 	}
 
 	if (port == 0)
 		return NF_DROP;
 
 	if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr, datalen)) {
-		nf_ct_unexpect_related(exp);
+		nf_ct_unexpect_related(rtp_exp);
+		nf_ct_unexpect_related(rtcp_exp);
 		return NF_DROP;
 	}
 	return NF_ACCEPT;
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index be4dcb3..7b51ab7 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -63,7 +63,9 @@ EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook);
 unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
 				const char **dptr,
 				unsigned int *datalen,
-				struct nf_conntrack_expect *exp) __read_mostly;
+				struct nf_conntrack_expect *rtp_exp,
+				struct nf_conntrack_expect *rtcp_exp)
+				__read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
 
 static int string_len(const struct nf_conn *ct, const char *dptr,
@@ -668,18 +670,20 @@ static void flush_expectations(struct nf_conn *ct, int media)
 	spin_unlock_bh(&nf_conntrack_lock);
 }
 
-static int set_expected_rtp(struct sk_buff *skb,
-			    const char **dptr, unsigned int *datalen,
-			    union nf_inet_addr *daddr, __be16 port)
+static int set_expected_rtp_rtcp(struct sk_buff *skb,
+				 const char **dptr, unsigned int *datalen,
+				 union nf_inet_addr *daddr, __be16 port)
 {
-	struct nf_conntrack_expect *exp;
+	struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	union nf_inet_addr *saddr;
 	struct nf_conntrack_tuple tuple;
 	int family = ct->tuplehash[!dir].tuple.src.l3num;
-	int skip_expect = 0, ret;
+	int skip_expect = 0, ret = NF_DROP;
+	u_int16_t base_port;
+	__be16 rtp_port, rtcp_port;
 	typeof(nf_nat_sdp_hook) nf_nat_sdp;
 
 	saddr = NULL;
@@ -713,23 +717,37 @@ static int set_expected_rtp(struct sk_buff *skb,
 	if (skip_expect)
 		return NF_ACCEPT;
 
-	exp = nf_ct_expect_alloc(ct);
-	if (exp == NULL)
-		return NF_DROP;
-	nf_ct_expect_init(exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
-			  IPPROTO_UDP, NULL, &port);
+	base_port = ntohs(tuple.dst.u.udp.port) & ~1;
+	rtp_port = htons(base_port);
+	rtcp_port = htons(base_port + 1);
+
+	rtp_exp = nf_ct_expect_alloc(ct);
+	if (rtp_exp == NULL)
+		goto err1;
+	nf_ct_expect_init(rtp_exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
+			  IPPROTO_UDP, NULL, &rtp_port);
+
+	rtcp_exp = nf_ct_expect_alloc(ct);
+	if (rtcp_exp == NULL)
+		goto err2;
+	nf_ct_expect_init(rtcp_exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
+			  IPPROTO_UDP, NULL, &rtcp_port);
 
 	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
 	if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
-		ret = nf_nat_sdp(skb, dptr, datalen, exp);
+		ret = nf_nat_sdp(skb, dptr, datalen, rtp_exp, rtcp_exp);
 	else {
-		if (nf_ct_expect_related(exp) != 0)
-			ret = NF_DROP;
-		else
-			ret = NF_ACCEPT;
+		if (nf_ct_expect_related(rtp_exp) == 0) {
+			if (nf_ct_expect_related(rtcp_exp) != 0)
+				nf_ct_unexpect_related(rtp_exp);
+			else
+				ret = NF_ACCEPT;
+		}
 	}
-	nf_ct_expect_put(exp);
-
+	nf_ct_expect_put(rtcp_exp);
+err2:
+	nf_ct_expect_put(rtp_exp);
+err1:
 	return ret;
 }
 
@@ -767,7 +785,7 @@ static int process_sdp(struct sk_buff *skb,
 	if (port < 1024 || port > 65535)
 		return NF_DROP;
 
-	return set_expected_rtp(skb, dptr, datalen, &addr, htons(port));
+	return set_expected_rtp_rtcp(skb, dptr, datalen, &addr, htons(port));
 }
 static int process_invite_response(struct sk_buff *skb,
 				   const char **dptr, unsigned int *datalen,
@@ -1110,7 +1128,7 @@ static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1
 		.timeout	= 3 * 60,
 	},
 	[SIP_EXPECT_AUDIO] = {
-		.max_expected	= IP_CT_DIR_MAX,
+		.max_expected	= 2 * IP_CT_DIR_MAX,
 		.timeout	= 3 * 60,
 	},
 };

[NETFILTER 30/32]: nf_nat_sip: split up SDP mangling

[Patrick McHardy]

[NETFILTER]: nf_nat_sip: split up SDP mangling

The SDP connection addresses may be contained in the payload multiple
times (in the session description and/or once per media description),
currently only the session description is properly updated. Split up
SDP mangling so the function setting up expectations only updates the
media port, update connection addresses from media descriptions while
parsing them and at the end update the session description when the
final addresses are known.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9661c24d47ff1e8f17663146f3d57761fd810f5f
tree 942c4df06b044550a29af9cf24bce8a74e08621b
parent 6205c1de4eb35932089b86a74914ffb1d6cff650
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:36 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:36 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   25 ++++-
 net/ipv4/netfilter/nf_nat_sip.c            |  121 +++++++++++++++++-------
 net/netfilter/nf_conntrack_sip.c           |  142 +++++++++++++++++++++++-----
 3 files changed, 219 insertions(+), 69 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 6ddf95f..eca3ad3 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -93,11 +93,26 @@ extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
 					      struct nf_conntrack_expect *exp,
 					      unsigned int matchoff,
 					      unsigned int matchlen);
-extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
-				       const char **dptr,
-				       unsigned int *datalen,
-				       struct nf_conntrack_expect *rtp_exp,
-				       struct nf_conntrack_expect *rtcp_exp);
+extern unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb,
+					    const char **dptr,
+					    unsigned int dataoff,
+					    unsigned int *datalen,
+					    enum sdp_header_types type,
+					    enum sdp_header_types term,
+					    const union nf_inet_addr *addr);
+extern unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
+					       const char **dptr,
+					       unsigned int dataoff,
+					       unsigned int *datalen,
+					       const union nf_inet_addr *addr);
+extern unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb,
+					     const char **dptr,
+					     unsigned int *datalen,
+					     struct nf_conntrack_expect *rtp_exp,
+					     struct nf_conntrack_expect *rtcp_exp,
+					     unsigned int mediaoff,
+					     unsigned int medialen,
+					     union nf_inet_addr *rtp_addr);
 
 extern int ct_sip_parse_request(const struct nf_conn *ct,
 				const char *dptr, unsigned int datalen,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index f73ab48..4429069 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -316,45 +316,77 @@ static int mangle_content_len(struct sk_buff *skb,
 			     buffer, buflen);
 }
 
-static unsigned mangle_sdp_packet(struct sk_buff *skb,
-				  const char **dptr, unsigned int *datalen,
+static unsigned mangle_sdp_packet(struct sk_buff *skb, const char **dptr,
+				  unsigned int dataoff, unsigned int *datalen,
 				  enum sdp_header_types type,
+				  enum sdp_header_types term,
 				  char *buffer, int buflen)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	unsigned int matchlen, matchoff;
 
-	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen, type, SDP_HDR_UNSPEC,
+	if (ct_sip_get_sdp_header(ct, *dptr, dataoff, *datalen, type, term,
 				  &matchoff, &matchlen) <= 0)
 		return 0;
 	return mangle_packet(skb, dptr, datalen, matchoff, matchlen,
 			     buffer, buflen);
 }
 
-static unsigned int mangle_sdp(struct sk_buff *skb,
-			       enum ip_conntrack_info ctinfo,
-			       struct nf_conn *ct,
-			       __be32 newip, u_int16_t port,
-			       const char **dptr, unsigned int *datalen)
+static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr,
+				    unsigned int dataoff,
+				    unsigned int *datalen,
+				    enum sdp_header_types type,
+				    enum sdp_header_types term,
+				    const union nf_inet_addr *addr)
 {
 	char buffer[sizeof("nnn.nnn.nnn.nnn")];
-	unsigned int bufflen;
+	unsigned int buflen;
 
-	/* Mangle owner and contact info. */
-	bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
-	if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_OWNER_IP4,
-			       buffer, bufflen))
+	buflen = sprintf(buffer, NIPQUAD_FMT, NIPQUAD(addr->ip));
+	if (!mangle_sdp_packet(skb, dptr, dataoff, datalen, type, term,
+			       buffer, buflen))
 		return 0;
 
-	if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_CONNECTION_IP4,
-			       buffer, bufflen))
+	return mangle_content_len(skb, dptr, datalen);
+}
+
+static unsigned int ip_nat_sdp_port(struct sk_buff *skb,
+				    const char **dptr,
+				    unsigned int *datalen,
+				    unsigned int matchoff,
+				    unsigned int matchlen,
+				    u_int16_t port)
+{
+	char buffer[sizeof("nnnnn")];
+	unsigned int buflen;
+
+	buflen = sprintf(buffer, "%u", port);
+	if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen,
+			   buffer, buflen))
 		return 0;
 
-	/* Mangle media port. */
-	bufflen = sprintf(buffer, "%u", port);
-	if (!mangle_sdp_packet(skb, dptr, datalen, SDP_HDR_MEDIA,
-			       buffer, bufflen))
+	return mangle_content_len(skb, dptr, datalen);
+}
+
+static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr,
+				       unsigned int dataoff,
+				       unsigned int *datalen,
+				       const union nf_inet_addr *addr)
+{
+	char buffer[sizeof("nnn.nnn.nnn.nnn")];
+	unsigned int buflen;
+
+	/* Mangle session description owner and contact addresses */
+	buflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(addr->ip));
+	if (!mangle_sdp_packet(skb, dptr, dataoff, datalen,
+			       SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA,
+			       buffer, buflen))
+		return 0;
+
+	if (!mangle_sdp_packet(skb, dptr, dataoff, datalen,
+			       SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA,
+			       buffer, buflen))
 		return 0;
 
 	return mangle_content_len(skb, dptr, datalen);
@@ -362,32 +394,35 @@ static unsigned int mangle_sdp(struct sk_buff *skb,
 
 /* So, this packet has hit the connection tracking matching code.
    Mangle it, and change the expectation to match the new version. */
-static unsigned int ip_nat_sdp(struct sk_buff *skb,
-			       const char **dptr, unsigned int *datalen,
-			       struct nf_conntrack_expect *rtp_exp,
-			       struct nf_conntrack_expect *rtcp_exp)
+static unsigned int ip_nat_sdp_media(struct sk_buff *skb,
+				     const char **dptr,
+				     unsigned int *datalen,
+				     struct nf_conntrack_expect *rtp_exp,
+				     struct nf_conntrack_expect *rtcp_exp,
+				     unsigned int mediaoff,
+				     unsigned int medialen,
+				     union nf_inet_addr *rtp_addr)
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-	__be32 newip;
 	u_int16_t port;
 
 	/* Connection will come from reply */
 	if (ct->tuplehash[dir].tuple.src.u3.ip ==
 	    ct->tuplehash[!dir].tuple.dst.u3.ip)
-		newip = rtp_exp->tuple.dst.u3.ip;
+		rtp_addr->ip = rtp_exp->tuple.dst.u3.ip;
 	else
-		newip = ct->tuplehash[!dir].tuple.dst.u3.ip;
+		rtp_addr->ip = ct->tuplehash[!dir].tuple.dst.u3.ip;
 
 	rtp_exp->saved_ip = rtp_exp->tuple.dst.u3.ip;
-	rtp_exp->tuple.dst.u3.ip = newip;
+	rtp_exp->tuple.dst.u3.ip = rtp_addr->ip;
 	rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
 	rtp_exp->dir = !dir;
 	rtp_exp->expectfn = ip_nat_sip_expected;
 
 	rtcp_exp->saved_ip = rtcp_exp->tuple.dst.u3.ip;
-	rtcp_exp->tuple.dst.u3.ip = newip;
+	rtcp_exp->tuple.dst.u3.ip = rtp_addr->ip;
 	rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
 	rtcp_exp->dir = !dir;
 	rtcp_exp->expectfn = ip_nat_sip_expected;
@@ -405,21 +440,29 @@ static unsigned int ip_nat_sdp(struct sk_buff *skb,
 	}
 
 	if (port == 0)
-		return NF_DROP;
+		goto err1;
+
+	/* Update media port. */
+	if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
+	    !ip_nat_sdp_port(skb, dptr, datalen, mediaoff, medialen, port))
+		goto err2;
 
-	if (!mangle_sdp(skb, ctinfo, ct, newip, port, dptr, datalen)) {
-		nf_ct_unexpect_related(rtp_exp);
-		nf_ct_unexpect_related(rtcp_exp);
-		return NF_DROP;
-	}
 	return NF_ACCEPT;
+
+err2:
+	nf_ct_unexpect_related(rtp_exp);
+	nf_ct_unexpect_related(rtcp_exp);
+err1:
+	return NF_DROP;
 }
 
 static void __exit nf_nat_sip_fini(void)
 {
 	rcu_assign_pointer(nf_nat_sip_hook, NULL);
 	rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
-	rcu_assign_pointer(nf_nat_sdp_hook, NULL);
+	rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
+	rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
+	rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
 	synchronize_rcu();
 }
 
@@ -427,10 +470,14 @@ static int __init nf_nat_sip_init(void)
 {
 	BUG_ON(nf_nat_sip_hook != NULL);
 	BUG_ON(nf_nat_sip_expect_hook != NULL);
-	BUG_ON(nf_nat_sdp_hook != NULL);
+	BUG_ON(nf_nat_sdp_addr_hook != NULL);
+	BUG_ON(nf_nat_sdp_session_hook != NULL);
+	BUG_ON(nf_nat_sdp_media_hook != NULL);
 	rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
 	rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
-	rcu_assign_pointer(nf_nat_sdp_hook, ip_nat_sdp);
+	rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
+	rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
+	rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
 	return 0;
 }
 
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 7b51ab7..9ced70f 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -60,13 +60,34 @@ unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
 				       unsigned int matchlen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook);
 
-unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb,
-				const char **dptr,
-				unsigned int *datalen,
-				struct nf_conntrack_expect *rtp_exp,
-				struct nf_conntrack_expect *rtcp_exp)
-				__read_mostly;
-EXPORT_SYMBOL_GPL(nf_nat_sdp_hook);
+unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb,
+				     const char **dptr,
+				     unsigned int dataoff,
+				     unsigned int *datalen,
+				     enum sdp_header_types type,
+				     enum sdp_header_types term,
+				     const union nf_inet_addr *addr)
+				     __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sdp_addr_hook);
+
+unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
+					const char **dptr,
+					unsigned int dataoff,
+					unsigned int *datalen,
+					const union nf_inet_addr *addr)
+					__read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sdp_session_hook);
+
+unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb,
+				      const char **dptr,
+				      unsigned int *datalen,
+				      struct nf_conntrack_expect *rtp_exp,
+				      struct nf_conntrack_expect *rtcp_exp,
+				      unsigned int mediaoff,
+				      unsigned int medialen,
+				      union nf_inet_addr *rtp_addr)
+				      __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sdp_media_hook);
 
 static int string_len(const struct nf_conn *ct, const char *dptr,
 		      const char *limit, int *shift)
@@ -622,6 +643,26 @@ int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
 }
 EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
 
+static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
+				 unsigned int dataoff, unsigned int datalen,
+				 enum sdp_header_types type,
+				 enum sdp_header_types term,
+				 unsigned int *matchoff, unsigned int *matchlen,
+				 union nf_inet_addr *addr)
+{
+	int ret;
+
+	ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
+				    matchoff, matchlen);
+	if (ret <= 0)
+		return ret;
+
+	if (!parse_addr(ct, dptr + *matchoff, NULL, addr,
+			dptr + *matchoff + *matchlen))
+		return -1;
+	return 1;
+}
+
 static int refresh_signalling_expectation(struct nf_conn *ct,
 					  union nf_inet_addr *addr,
 					  __be16 port,
@@ -672,7 +713,8 @@ static void flush_expectations(struct nf_conn *ct, int media)
 
 static int set_expected_rtp_rtcp(struct sk_buff *skb,
 				 const char **dptr, unsigned int *datalen,
-				 union nf_inet_addr *daddr, __be16 port)
+				 union nf_inet_addr *daddr, __be16 port,
+				 unsigned int mediaoff, unsigned int medialen)
 {
 	struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
 	enum ip_conntrack_info ctinfo;
@@ -684,7 +726,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	int skip_expect = 0, ret = NF_DROP;
 	u_int16_t base_port;
 	__be16 rtp_port, rtcp_port;
-	typeof(nf_nat_sdp_hook) nf_nat_sdp;
+	typeof(nf_nat_sdp_media_hook) nf_nat_sdp_media;
 
 	saddr = NULL;
 	if (sip_direct_media) {
@@ -733,9 +775,10 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	nf_ct_expect_init(rtcp_exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
 			  IPPROTO_UDP, NULL, &rtcp_port);
 
-	nf_nat_sdp = rcu_dereference(nf_nat_sdp_hook);
-	if (nf_nat_sdp && ct->status & IPS_NAT_MASK)
-		ret = nf_nat_sdp(skb, dptr, datalen, rtp_exp, rtcp_exp);
+	nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook);
+	if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK)
+		ret = nf_nat_sdp_media(skb, dptr, datalen, rtp_exp, rtcp_exp,
+				       mediaoff, medialen, daddr);
 	else {
 		if (nf_ct_expect_related(rtp_exp) == 0) {
 			if (nf_ct_expect_related(rtcp_exp) != 0)
@@ -759,33 +802,78 @@ static int process_sdp(struct sk_buff *skb,
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
 	unsigned int matchoff, matchlen;
-	union nf_inet_addr addr;
+	unsigned int mediaoff, medialen;
+	unsigned int sdpoff;
+	unsigned int caddr_len, maddr_len;
+	union nf_inet_addr caddr, maddr, rtp_addr;
 	unsigned int port;
-	enum sdp_header_types type;
+	enum sdp_header_types c_hdr;
+	int ret;
+	typeof(nf_nat_sdp_addr_hook) nf_nat_sdp_addr;
+	typeof(nf_nat_sdp_session_hook) nf_nat_sdp_session;
 
-	/* Get address and port from SDP packet. */
-	type = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
-				   SDP_HDR_CONNECTION_IP6;
+	c_hdr = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
+				    SDP_HDR_CONNECTION_IP6;
 
+	/* Find beginning of session description */
 	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
-				  type, SDP_HDR_UNSPEC,
+				  SDP_HDR_VERSION, SDP_HDR_UNSPEC,
 				  &matchoff, &matchlen) <= 0)
 		return NF_ACCEPT;
-
-	/* We'll drop only if there are parse problems. */
-	if (!parse_addr(ct, *dptr + matchoff, NULL, &addr, *dptr + *datalen))
-		return NF_DROP;
-
-	if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
+	sdpoff = matchoff;
+
+	/* The connection information is contained in the session description
+	 * and/or once per media description. The first media description marks
+	 * the end of the session description. */
+	caddr_len = 0;
+	if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
+				  c_hdr, SDP_HDR_MEDIA,
+				  &matchoff, &matchlen, &caddr) > 0)
+		caddr_len = matchlen;
+
+	if (ct_sip_get_sdp_header(ct, *dptr, sdpoff, *datalen,
 				  SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
-				  &matchoff, &matchlen) <= 0)
+				  &mediaoff, &medialen) <= 0)
 		return NF_ACCEPT;
 
-	port = simple_strtoul(*dptr + matchoff, NULL, 10);
+	port = simple_strtoul(*dptr + mediaoff, NULL, 10);
 	if (port < 1024 || port > 65535)
 		return NF_DROP;
 
-	return set_expected_rtp_rtcp(skb, dptr, datalen, &addr, htons(port));
+	/* The media description overrides the session description. */
+	maddr_len = 0;
+	if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
+				  c_hdr, SDP_HDR_MEDIA,
+				  &matchoff, &matchlen, &maddr) > 0) {
+		maddr_len = matchlen;
+		memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
+	} else if (caddr_len)
+		memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
+	else
+		return NF_DROP;
+
+	ret = set_expected_rtp_rtcp(skb, dptr, datalen, &rtp_addr, htons(port),
+				    mediaoff, medialen);
+	if (ret != NF_ACCEPT)
+		return ret;
+
+	/* Update media connection address if present */
+	if (maddr_len) {
+		nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook);
+		if (nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
+			ret = nf_nat_sdp_addr(skb, dptr, mediaoff, datalen,
+					      c_hdr, SDP_HDR_MEDIA, &rtp_addr);
+			if (ret != NF_ACCEPT)
+				return ret;
+		}
+	}
+
+	/* Update session connection and owner addresses */
+	nf_nat_sdp_session = rcu_dereference(nf_nat_sdp_session_hook);
+	if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK)
+		ret = nf_nat_sdp_session(skb, dptr, sdpoff, datalen, &rtp_addr);
+
+	return ret;
 }
 static int process_invite_response(struct sk_buff *skb,
 				   const char **dptr, unsigned int *datalen,

[NETFILTER 31/32]: nf_conntrack_sip: support multiple media channels

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: support multiple media channels

Add support for multiple media channels and use it to create
expectations for video streams when present.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f6dadb448bba21aaeb55b48ac60407a8a63e05a4
tree 9c17ba8d60f960db270037bbd5865b77a61a68d3
parent 9661c24d47ff1e8f17663146f3d57761fd810f5f
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:37 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:37 +0100

 include/linux/netfilter/nf_conntrack_sip.h |   14 +++
 include/net/netfilter/nf_conntrack.h       |    2 
 net/netfilter/nf_conntrack_sip.c           |  121 +++++++++++++++++++++-------
 3 files changed, 105 insertions(+), 32 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index eca3ad3..71fa3eb 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -12,10 +12,24 @@ struct nf_ct_sip_master {
 enum sip_expectation_classes {
 	SIP_EXPECT_SIGNALLING,
 	SIP_EXPECT_AUDIO,
+	SIP_EXPECT_VIDEO,
 	__SIP_EXPECT_MAX
 };
 #define SIP_EXPECT_MAX	(__SIP_EXPECT_MAX - 1)
 
+struct sdp_media_type {
+	const char			*name;
+	unsigned int			len;
+	enum sip_expectation_classes	class;
+};
+
+#define SDP_MEDIA_TYPE(__name, __class)					\
+{									\
+	.name	= (__name),						\
+	.len	= sizeof(__name) - 1,					\
+	.class	= (__class),						\
+}
+
 struct sip_handler {
 	const char	*method;
 	unsigned int	len;
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 4a4f870..a3567a7 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -78,7 +78,7 @@ do {									\
 struct nf_conntrack_helper;
 
 /* Must be kept in sync with the classes defined by helpers */
-#define NF_CT_MAX_EXPECT_CLASSES	2
+#define NF_CT_MAX_EXPECT_CLASSES	3
 
 /* nf_conn feature for connections that have a helper */
 struct nf_conn_help {
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 9ced70f..a12be9b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -112,6 +112,21 @@ static int digits_len(const struct nf_conn *ct, const char *dptr,
 	return len;
 }
 
+/* get media type + port length */
+static int media_len(const struct nf_conn *ct, const char *dptr,
+		     const char *limit, int *shift)
+{
+	int len = string_len(ct, dptr, limit, shift);
+
+	dptr += len;
+	if (dptr >= limit || *dptr != ' ')
+		return 0;
+	len++;
+	dptr++;
+
+	return len + digits_len(ct, dptr, limit, shift);
+}
+
 static int parse_addr(const struct nf_conn *ct, const char *cp,
                       const char **endp, union nf_inet_addr *addr,
                       const char *limit)
@@ -572,7 +587,7 @@ static const struct sip_header ct_sdp_hdrs[] = {
 	[SDP_HDR_CONNECTION_IP4]	= SDP_HDR("c=", "IN IP4 ", epaddr_len),
 	[SDP_HDR_OWNER_IP6]		= SDP_HDR("o=", "IN IP6 ", epaddr_len),
 	[SDP_HDR_CONNECTION_IP6]	= SDP_HDR("c=", "IN IP6 ", epaddr_len),
-	[SDP_HDR_MEDIA]			= SDP_HDR("m=", "audio ", digits_len),
+	[SDP_HDR_MEDIA]			= SDP_HDR("m=", NULL, media_len),
 };
 
 /* Linear string search within SDP header values */
@@ -714,6 +729,7 @@ static void flush_expectations(struct nf_conn *ct, int media)
 static int set_expected_rtp_rtcp(struct sk_buff *skb,
 				 const char **dptr, unsigned int *datalen,
 				 union nf_inet_addr *daddr, __be16 port,
+				 enum sip_expectation_classes class,
 				 unsigned int mediaoff, unsigned int medialen)
 {
 	struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
@@ -752,7 +768,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	exp = __nf_ct_expect_find(&tuple);
 	if (exp && exp->master != ct &&
 	    nfct_help(exp->master)->helper == nfct_help(ct)->helper &&
-	    exp->class == SIP_EXPECT_AUDIO)
+	    exp->class == class)
 		skip_expect = 1;
 	spin_unlock_bh(&nf_conntrack_lock);
 
@@ -766,13 +782,13 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	rtp_exp = nf_ct_expect_alloc(ct);
 	if (rtp_exp == NULL)
 		goto err1;
-	nf_ct_expect_init(rtp_exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
+	nf_ct_expect_init(rtp_exp, class, family, saddr, daddr,
 			  IPPROTO_UDP, NULL, &rtp_port);
 
 	rtcp_exp = nf_ct_expect_alloc(ct);
 	if (rtcp_exp == NULL)
 		goto err2;
-	nf_ct_expect_init(rtcp_exp, SIP_EXPECT_AUDIO, family, saddr, daddr,
+	nf_ct_expect_init(rtcp_exp, class, family, saddr, daddr,
 			  IPPROTO_UDP, NULL, &rtcp_port);
 
 	nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook);
@@ -794,6 +810,28 @@ err1:
 	return ret;
 }
 
+static const struct sdp_media_type sdp_media_types[] = {
+	SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
+	SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
+};
+
+static const struct sdp_media_type *sdp_media_type(const char *dptr,
+						   unsigned int matchoff,
+						   unsigned int matchlen)
+{
+	const struct sdp_media_type *t;
+	unsigned int i;
+
+	for (i = 0; i < ARRAY_SIZE(sdp_media_types); i++) {
+		t = &sdp_media_types[i];
+		if (matchlen < t->len ||
+		    strncmp(dptr + matchoff, t->name, t->len))
+			continue;
+		return t;
+	}
+	return NULL;
+}
+
 static int process_sdp(struct sk_buff *skb,
 		       const char **dptr, unsigned int *datalen,
 		       unsigned int cseq)
@@ -805,13 +843,16 @@ static int process_sdp(struct sk_buff *skb,
 	unsigned int mediaoff, medialen;
 	unsigned int sdpoff;
 	unsigned int caddr_len, maddr_len;
+	unsigned int i;
 	union nf_inet_addr caddr, maddr, rtp_addr;
 	unsigned int port;
 	enum sdp_header_types c_hdr;
-	int ret;
+	const struct sdp_media_type *t;
+	int ret = NF_ACCEPT;
 	typeof(nf_nat_sdp_addr_hook) nf_nat_sdp_addr;
 	typeof(nf_nat_sdp_session_hook) nf_nat_sdp_session;
 
+	nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook);
 	c_hdr = family == AF_INET ? SDP_HDR_CONNECTION_IP4 :
 				    SDP_HDR_CONNECTION_IP6;
 
@@ -831,41 +872,55 @@ static int process_sdp(struct sk_buff *skb,
 				  &matchoff, &matchlen, &caddr) > 0)
 		caddr_len = matchlen;
 
-	if (ct_sip_get_sdp_header(ct, *dptr, sdpoff, *datalen,
-				  SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
-				  &mediaoff, &medialen) <= 0)
-		return NF_ACCEPT;
+	mediaoff = sdpoff;
+	for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
+		if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
+					  SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
+					  &mediaoff, &medialen) <= 0)
+			break;
 
-	port = simple_strtoul(*dptr + mediaoff, NULL, 10);
-	if (port < 1024 || port > 65535)
-		return NF_DROP;
+		/* Get media type and port number. A media port value of zero
+		 * indicates an inactive stream. */
+		t = sdp_media_type(*dptr, mediaoff, medialen);
+		if (!t) {
+			mediaoff += medialen;
+			continue;
+		}
+		mediaoff += t->len;
+		medialen -= t->len;
 
-	/* The media description overrides the session description. */
-	maddr_len = 0;
-	if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
-				  c_hdr, SDP_HDR_MEDIA,
-				  &matchoff, &matchlen, &maddr) > 0) {
-		maddr_len = matchlen;
-		memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
-	} else if (caddr_len)
-		memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
-	else
-		return NF_DROP;
+		port = simple_strtoul(*dptr + mediaoff, NULL, 10);
+		if (port == 0)
+			continue;
+		if (port < 1024 || port > 65535)
+			return NF_DROP;
 
-	ret = set_expected_rtp_rtcp(skb, dptr, datalen, &rtp_addr, htons(port),
-				    mediaoff, medialen);
-	if (ret != NF_ACCEPT)
-		return ret;
+		/* The media description overrides the session description. */
+		maddr_len = 0;
+		if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
+					  c_hdr, SDP_HDR_MEDIA,
+					  &matchoff, &matchlen, &maddr) > 0) {
+			maddr_len = matchlen;
+			memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
+		} else if (caddr_len)
+			memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
+		else
+			return NF_DROP;
+
+		ret = set_expected_rtp_rtcp(skb, dptr, datalen,
+					    &rtp_addr, htons(port), t->class,
+					    mediaoff, medialen);
+		if (ret != NF_ACCEPT)
+			return ret;
 
-	/* Update media connection address if present */
-	if (maddr_len) {
-		nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook);
-		if (nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
+		/* Update media connection address if present */
+		if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
 			ret = nf_nat_sdp_addr(skb, dptr, mediaoff, datalen,
 					      c_hdr, SDP_HDR_MEDIA, &rtp_addr);
 			if (ret != NF_ACCEPT)
 				return ret;
 		}
+		i++;
 	}
 
 	/* Update session connection and owner addresses */
@@ -1219,6 +1274,10 @@ static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1
 		.max_expected	= 2 * IP_CT_DIR_MAX,
 		.timeout	= 3 * 60,
 	},
+	[SIP_EXPECT_VIDEO] = {
+		.max_expected	= 2 * IP_CT_DIR_MAX,
+		.timeout	= 3 * 60,
+	},
 };
 
 static void nf_conntrack_sip_fini(void)

[NETFILTER 32/32]: nf_conntrack_sip: RTP routing optimization

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: RTP routing optimization

Optimize call routing between NATed endpoints: when an external
registrar sends a media description that contains an existing RTP
expectation from a different SNATed connection, the gatekeeper
is trying to route the call directly between the two endpoints.

We assume both endpoints can reach each other directly and
"un-NAT" the addresses, which makes the media stream go between
the two endpoints directly.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4b381d30dd2ae6c9abc41dedaddf85cb0316b702
tree 41e451b7be060d5ec16919cff66d463a3c703b41
parent f6dadb448bba21aaeb55b48ac60407a8a63e05a4
author Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:38 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 28 Feb 2008 12:08:38 +0100

 include/linux/netfilter/nf_conntrack_sip.h |    6 +++
 net/ipv4/netfilter/nf_nat_sip.c            |    3 +
 net/netfilter/nf_conntrack_sip.c           |   59 +++++++++++++++++++++++-----
 3 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 71fa3eb..5da04e5 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -114,6 +114,12 @@ extern unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb,
 					    enum sdp_header_types type,
 					    enum sdp_header_types term,
 					    const union nf_inet_addr *addr);
+extern unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb,
+					    const char **dptr,
+					    unsigned int *datalen,
+					    unsigned int matchoff,
+					    unsigned int matchlen,
+					    u_int16_t port);
 extern unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
 					       const char **dptr,
 					       unsigned int dataoff,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 4429069..bcddccd 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -461,6 +461,7 @@ static void __exit nf_nat_sip_fini(void)
 	rcu_assign_pointer(nf_nat_sip_hook, NULL);
 	rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
 	rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
+	rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
 	rcu_assign_pointer(nf_nat_sdp_session_hook, NULL);
 	rcu_assign_pointer(nf_nat_sdp_media_hook, NULL);
 	synchronize_rcu();
@@ -471,11 +472,13 @@ static int __init nf_nat_sip_init(void)
 	BUG_ON(nf_nat_sip_hook != NULL);
 	BUG_ON(nf_nat_sip_expect_hook != NULL);
 	BUG_ON(nf_nat_sdp_addr_hook != NULL);
+	BUG_ON(nf_nat_sdp_port_hook != NULL);
 	BUG_ON(nf_nat_sdp_session_hook != NULL);
 	BUG_ON(nf_nat_sdp_media_hook != NULL);
 	rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
 	rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
 	rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
+	rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
 	rcu_assign_pointer(nf_nat_sdp_session_hook, ip_nat_sdp_session);
 	rcu_assign_pointer(nf_nat_sdp_media_hook, ip_nat_sdp_media);
 	return 0;
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index a12be9b..e4a209d 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -70,6 +70,14 @@ unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb,
 				     __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sdp_addr_hook);
 
+unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb,
+				     const char **dptr,
+				     unsigned int *datalen,
+				     unsigned int matchoff,
+				     unsigned int matchlen,
+				     u_int16_t port) __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sdp_port_hook);
+
 unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
 					const char **dptr,
 					unsigned int dataoff,
@@ -739,9 +747,10 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	union nf_inet_addr *saddr;
 	struct nf_conntrack_tuple tuple;
 	int family = ct->tuplehash[!dir].tuple.src.l3num;
-	int skip_expect = 0, ret = NF_DROP;
+	int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
 	u_int16_t base_port;
 	__be16 rtp_port, rtcp_port;
+	typeof(nf_nat_sdp_port_hook) nf_nat_sdp_port;
 	typeof(nf_nat_sdp_media_hook) nf_nat_sdp_media;
 
 	saddr = NULL;
@@ -755,6 +764,14 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	 * to register it since we can see the same media description multiple
 	 * times on different connections in case multiple endpoints receive
 	 * the same call.
+	 *
+	 * RTP optimization: if we find a matching media channel expectation
+	 * and both the expectation and this connection are SNATed, we assume
+	 * both sides can reach each other directly and use the final
+	 * destination address from the expectation. We still need to keep
+	 * the NATed expectations for media that might arrive from the
+	 * outside, and additionally need to expect the direct RTP stream
+	 * in case it passes through us even without NAT.
 	 */
 	memset(&tuple, 0, sizeof(tuple));
 	if (saddr)
@@ -765,20 +782,42 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 	tuple.dst.u.udp.port	= port;
 
 	spin_lock_bh(&nf_conntrack_lock);
-	exp = __nf_ct_expect_find(&tuple);
-	if (exp && exp->master != ct &&
-	    nfct_help(exp->master)->helper == nfct_help(ct)->helper &&
-	    exp->class == class)
-		skip_expect = 1;
-	spin_unlock_bh(&nf_conntrack_lock);
+	do {
+		exp = __nf_ct_expect_find(&tuple);
 
-	if (skip_expect)
-		return NF_ACCEPT;
+		if (!exp || exp->master == ct ||
+		    nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
+		    exp->class != class)
+			break;
+
+		if (exp->tuple.src.l3num == AF_INET && !direct_rtp &&
+		    (exp->saved_ip != exp->tuple.dst.u3.ip ||
+		     exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
+		    ct->status & IPS_NAT_MASK) {
+			daddr->ip		= exp->saved_ip;
+			tuple.dst.u3.ip		= exp->saved_ip;
+			tuple.dst.u.udp.port	= exp->saved_proto.udp.port;
+			direct_rtp = 1;
+		} else
+			skip_expect = 1;
+	} while (!skip_expect);
+	spin_unlock_bh(&nf_conntrack_lock);
 
 	base_port = ntohs(tuple.dst.u.udp.port) & ~1;
 	rtp_port = htons(base_port);
 	rtcp_port = htons(base_port + 1);
 
+	if (direct_rtp) {
+		nf_nat_sdp_port = rcu_dereference(nf_nat_sdp_port_hook);
+		if (nf_nat_sdp_port &&
+		    !nf_nat_sdp_port(skb, dptr, datalen,
+				     mediaoff, medialen, ntohs(rtp_port)))
+			goto err1;
+	}
+
+	if (skip_expect)
+		return NF_ACCEPT;
+
 	rtp_exp = nf_ct_expect_alloc(ct);
 	if (rtp_exp == NULL)
 		goto err1;
@@ -792,7 +831,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
 			  IPPROTO_UDP, NULL, &rtcp_port);
 
 	nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook);
-	if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK)
+	if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK && !direct_rtp)
 		ret = nf_nat_sdp_media(skb, dptr, datalen, rtp_exp, rtcp_exp,
 				       mediaoff, medialen, daddr);
 	else {

[METFILTER 00/32]: SIP helper update

[Patrick McHardy]

Hi Dave,

these patches for 2.6.26 contain a large update for the SIP connection
tracking helper, fixing a number of issues with the current helper and
improving robustness. A rough overview of the patches follows, the
details are in the individual changelog entries:

- Fix NAT mapping setup order to make the NAT core properly detect
  clashes with existing connections

- Properly adjust the data pointer and length after packet mangling

- Parser enhancements: follow specification more closely (case
  sensitivity, header encoding, whitespace rules, ...)

- Optionally create signalling expectations for incoming calls from
  other endpoints than the registrar

- Support for RTCP expectations and multiple media channels

- Optionally create wildcard RTP/RTCP expectations for incoming media
  from other peers than the registrar

- "Expectation classes" for isolating signalling, audio and video
  expectations from each other

- Replacement of text-based header translation in NAT helper by binary
  address translation, support for updating rport=, received= and
  mport= Via-parameters

- RTP routing optimization for making RTP streams between two "internal"
  endpoints flow directly between the two endpoints in case the (external)
  registrar tries to make direct RTP setup

The patches are also available in a git-tree for your convencience at:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.26-sip.git

Please apply or pull, thanks.


 include/linux/netfilter.h                   |    9 +
 include/linux/netfilter/nf_conntrack_sip.h  |  185 +++-
 include/net/netfilter/nf_conntrack.h        |    7 +-
 include/net/netfilter/nf_conntrack_expect.h |   22 +-
 include/net/netfilter/nf_conntrack_helper.h |    5 +-
 include/net/netfilter/nf_conntrack_tuple.h  |   53 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c          |    2 +-
 net/ipv4/netfilter/nf_nat_sip.c             |  556 +++++++----
 net/ipv4/netfilter/nf_nat_snmp_basic.c      |   12 +-
 net/netfilter/nf_conntrack_amanda.c         |   14 +-
 net/netfilter/nf_conntrack_expect.c         |   81 ++-
 net/netfilter/nf_conntrack_ftp.c            |   10 +-
 net/netfilter/nf_conntrack_h323_main.c      |   66 +-
 net/netfilter/nf_conntrack_helper.c         |    3 +-
 net/netfilter/nf_conntrack_irc.c            |   10 +-
 net/netfilter/nf_conntrack_netbios_ns.c     |    9 +-
 net/netfilter/nf_conntrack_pptp.c           |   14 +-
 net/netfilter/nf_conntrack_sane.c           |   11 +-
 net/netfilter/nf_conntrack_sip.c            | 1386 +++++++++++++++++++++------
 net/netfilter/nf_conntrack_tftp.c           |   11 +-
 20 files changed, 1877 insertions(+), 589 deletions(-)

Patrick McHardy (32):
      [NETFILTER]: ipt_CLUSTERIP: fix non-existant macro-name
      [NETFILTER]: nf_conntrack: fix NF_CT_TUPLE_DUMP for IPv4
      [NETFILTER]: nf_conntrack_expect: constify nf_ct_expect_init arguments
      [NETFILTER]: nf_conntrack_expect: show NF_CT_EXPECT_PERMANENT flag in /proc
      [NETFILTER]: nf_conntrack_expect: support inactive expectations
      [NETFILTER]: nf_conntrack: introduce expectation classes and policies
      [NETFILTER]: Add nf_inet_addr_cmp()
      [NETFILTER]: nf_nat_sip: fix NAT setup order
      [NETFILTER]: nf_conntrack_sip: fix some off-by-ones
      [NETFILTER]: nf_conntrack_sip: adjust dptr and datalen after packet mangling
      [NETFILTER]: nf_conntrack_sip: remove redundant function arguments
      [NETFILTER]: nf_conntrack_sip: use strlen/strcmp
      [NETFILTER]: nf_conntrack_sip: add seperate SDP header parsing function
      [NETFILTER]: nf_conntrack_sip: kill request URI "header" definitions
      [NETFILTER]: nf_conntrack_sip: parse SIP headers properly
      [NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper
      [NETFILTER]: nf_nat_sip: get rid of text based header translation
      [NETFILTER]: nf_conntrack_sip: move SDP parsing to seperate function
      [NETFILTER]: nf_conntrack_sip: support method specific request/response handling
      [NETFILTER]: nf_conntrack_sip: perform NAT after parsing
      [NETFILTER]: nf_conntrack_sip: process ACK and PRACK methods
      [NETFILTER]: nf_conntrack_sip: flush expectations on call termination
      [NETFILTER]: nf_conntrack_sip: introduce URI and header parameter parsing helpers
      [NETFILTER]: nf_nat_sip: translate all Via headers
      [NETFILTER]: nf_nat_sip: translate all Contact headers
      [NETFILTER]: nf_conntrack_sip: create signalling expectations
      [NETFILTER]: nf_conntrack_sip: allow media expectations with wildcard source address
      [NETFILTER]: nf_conntrack_sip: create RTCP expectations
      [NETFILTER]: nf_nat_sip: split up SDP mangling
      [NETFILTER]: nf_conntrack_sip: support multiple media channels
      [NETFILTER]: nf_conntrack_sip: RTP routing optimization
      [NETFILTER]: nf_conntrack_sip: update copyright

[NETFILTER 07/32]: Add nf_inet_addr_cmp()

[Patrick McHardy]

[NETFILTER]: Add nf_inet_addr_cmp()

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 14d510e3026c99ebd8531e8ea0acb574545b5c42
tree aca9464205040aa5daa25a50a0e98443f905eb0b
parent 48bb8ab5591cab986a2850facf33998357db3b10
author Patrick McHardy <kaber@trash.net> Tue, 25 Mar 2008 13:44:45 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 25 Mar 2008 13:44:45 +0100

 include/linux/netfilter.h                  |    9 +++++++++
 include/net/netfilter/nf_conntrack_tuple.h |   15 +++------------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index f0680c2..89e6c72 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -61,6 +61,15 @@ union nf_inet_addr {
 #ifdef __KERNEL__
 #ifdef CONFIG_NETFILTER
 
+static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
+				   const union nf_inet_addr *a2)
+{
+	return a1->all[0] == a2->all[0] &&
+	       a1->all[1] == a2->all[1] &&
+	       a1->all[2] == a2->all[2] &&
+	       a1->all[3] == a2->all[3];
+}
+
 extern void netfilter_init(void);
 
 /* Largest hook number + 1 */
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index d9b53dd..168c917 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -163,10 +163,7 @@ struct nf_conntrack_tuple_hash
 static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
 					  const struct nf_conntrack_tuple *t2)
 { 
-	return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
-		t1->src.u3.all[1] == t2->src.u3.all[1] &&
-		t1->src.u3.all[2] == t2->src.u3.all[2] &&
-		t1->src.u3.all[3] == t2->src.u3.all[3] &&
+	return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
 		t1->src.u.all == t2->src.u.all &&
 		t1->src.l3num == t2->src.l3num);
 }
@@ -174,10 +171,7 @@ static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
 static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
 					  const struct nf_conntrack_tuple *t2)
 {
-	return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
-		t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
-		t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
-		t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
+	return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) &&
 		t1->dst.u.all == t2->dst.u.all &&
 		t1->dst.protonum == t2->dst.protonum);
 }
@@ -192,10 +186,7 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
 static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
 					 const struct nf_conntrack_tuple_mask *m2)
 {
-	return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
-		m1->src.u3.all[1] == m2->src.u3.all[1] &&
-		m1->src.u3.all[2] == m2->src.u3.all[2] &&
-		m1->src.u3.all[3] == m2->src.u3.all[3] &&
+	return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) &&
 		m1->src.u.all == m2->src.u.all);
 }