From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
	netfilter-devel@vger.kernel.org
Subject: netfilter 45/62: nf_nat_sip: add TCP support
Date: Tue, 16 Feb 2010 15:56:21 +0100 (MET)	[thread overview]
Message-ID: <20100216145618.2796.93098.sendpatchset@x2.localnet> (raw)
In-Reply-To: <20100216145517.2796.40634.sendpatchset@x2.localnet>

commit 48f8ac26537c1b7b1a2422f5232f45d06c945348
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Feb 11 12:29:38 2010 +0100

    netfilter: nf_nat_sip: add TCP support
    
    Add support for mangling TCP SIP packets.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index fa9bb89..cd84d6f 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -104,6 +104,7 @@ extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
 				       unsigned int dataoff,
 				       const char **dptr,
 				       unsigned int *datalen);
+extern void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off);
 extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
 					      unsigned int dataoff,
 					      const char **dptr,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index b232e40..11b538d 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -1,4 +1,4 @@
-/* SIP extension for UDP NAT alteration.
+/* SIP extension for NAT alteration.
  *
  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
  * based on RR's ip_nat_ftp.c and other modules.
@@ -15,6 +15,7 @@
 #include <linux/ip.h>
 #include <net/ip.h>
 #include <linux/udp.h>
+#include <linux/tcp.h>
 
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_helper.h>
@@ -36,10 +37,27 @@ static unsigned int mangle_packet(struct sk_buff *skb, unsigned int dataoff,
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-
-	if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen,
-				      buffer, buflen))
-		return 0;
+	struct tcphdr *th;
+	unsigned int baseoff;
+
+	if (nf_ct_protonum(ct) == IPPROTO_TCP) {
+		th = (struct tcphdr *)(skb->data + ip_hdrlen(skb));
+		baseoff = ip_hdrlen(skb) + th->doff * 4;
+		matchoff += dataoff - baseoff;
+
+		if (!__nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
+						matchoff, matchlen,
+						buffer, buflen, false))
+			return 0;
+	} else {
+		baseoff = ip_hdrlen(skb) + sizeof(struct udphdr);
+		matchoff += dataoff - baseoff;
+
+		if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo,
+					      matchoff, matchlen,
+					      buffer, buflen))
+			return 0;
+	}
 
 	/* Reload data pointer and adjust datalen value */
 	*dptr = skb->data + dataoff;
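Review bot: The rebasing `matchoff += dataoff - baseoff;` is duplicated in both branches and unexplained; it converts an offset relative to the SIP message at dataoff into one relative to the transport payload, which the mangle helpers appear to expect, and reads better hoisted below an if/else that only computes baseoff, with a comment such as `/* matchoff is relative to the SIP message at dataoff; the mangle helpers take it relative to the start of the transport payload */`. The unsigned subtraction presumes dataoff >= baseoff, which seems guaranteed because the caller derives dataoff from the same headers, but nothing here checks it. The `false` passed to __nf_nat_mangle_tcp_packet presumably defers sequence adjustment to the new seq_adjust hook; a one-line comment stating that would save the next reader a lookup. mangle_packet's signature and the rest of its body lie outside the hunk.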
@@ -104,6 +122,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
 	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	unsigned int coff, matchoff, matchlen;
+	enum sip_header_types hdr;
 	union nf_inet_addr addr;
 	__be16 port;
 	int request, in_header;
@@ -120,9 +139,14 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
 	} else
 		request = 0;
 
+	if (nf_ct_protonum(ct) == IPPROTO_TCP)
+		hdr = SIP_HDR_VIA_TCP;
+	else
+		hdr = SIP_HDR_VIA_UDP;
+
 	/* Translate topmost Via header and parameters */
 	if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
-				    SIP_HDR_VIA_UDP, NULL, &matchoff, &matchlen,
+				    hdr, NULL, &matchoff, &matchlen,
 				    &addr, &port) > 0) {
 		unsigned int matchend, poff, plen, buflen, n;
 		char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
@@ -204,9 +228,23 @@ next:
 	if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) ||
 	    !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO))
 		return NF_DROP;
+
 	return NF_ACCEPT;
 }
 
+static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off)
+{
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	const struct tcphdr *th;
+
+	if (nf_ct_protonum(ct) != IPPROTO_TCP || off == 0)
+		return;
+
+	th = (struct tcphdr *)(skb->data + ip_hdrlen(skb));
+	nf_nat_set_seq_adjust(ct, ctinfo, th->seq, off);
+}
+
 /* Handles expected signalling connections and media streams */
 static void ip_nat_sip_expected(struct nf_conn *ct,
 				struct nf_conntrack_expect *exp)
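Review bot: ip_nat_sip_seq_adjust carries no comment saying why sequence adjustment is separated from the per-mangle path; suggest `/* Record the net TCP sequence-number change for a segment after all SIP messages in it have been mangled; no-op for UDP or when the length is unchanged. */` above the function. It casts skb->data + ip_hdrlen(skb) to a tcphdr without a linearity check, the same assumption mangle_packet makes, so it relies on the conntrack SIP helper only handing over linear skbs — worth confirming against the caller rather than leaving implicit. The `off == 0` early return avoids registering an empty adjustment, which is worth a short comment as well.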
@@ -472,6 +510,7 @@ err1:
 static void __exit nf_nat_sip_fini(void)
 {
 	rcu_assign_pointer(nf_nat_sip_hook, NULL);
+	rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, NULL);
 	rcu_assign_pointer(nf_nat_sip_expect_hook, NULL);
 	rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL);
 	rcu_assign_pointer(nf_nat_sdp_port_hook, NULL);
@@ -483,12 +522,14 @@ static void __exit nf_nat_sip_fini(void)
 static int __init nf_nat_sip_init(void)
 {
 	BUG_ON(nf_nat_sip_hook != NULL);
+	BUG_ON(nf_nat_sip_seq_adjust_hook != NULL);
 	BUG_ON(nf_nat_sip_expect_hook != NULL);
 	BUG_ON(nf_nat_sdp_addr_hook != NULL);
 	BUG_ON(nf_nat_sdp_port_hook != NULL);
 	BUG_ON(nf_nat_sdp_session_hook != NULL);
 	BUG_ON(nf_nat_sdp_media_hook != NULL);
 	rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip);
+	rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, ip_nat_sip_seq_adjust);
 	rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect);
 	rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr);
 	rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port);
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1cc75c5..3bb3aaf 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -56,6 +56,9 @@ unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, unsigned int dataoff,
 				unsigned int *datalen) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_sip_hook);
 
+void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off) __read_mostly;
+EXPORT_SYMBOL_GPL(nf_nat_sip_seq_adjust_hook);
+
 unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
 				       unsigned int dataoff,
 				       const char **dptr,
@@ -1360,6 +1363,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
 	const char *dptr, *end;
 	s16 diff, tdiff = 0;
 	int ret;
+	typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
 
 	if (ctinfo != IP_CT_ESTABLISHED &&
 	    ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
@@ -1415,6 +1419,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
 		datalen  = datalen + diff - msglen;
 	}
 
+	if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+		nf_nat_sip_seq_adjust = rcu_dereference(nf_nat_sip_seq_adjust_hook);
+		if (nf_nat_sip_seq_adjust)
+			nf_nat_sip_seq_adjust(skb, tdiff);
+	}
+
 	return ret;
 }
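Review bot: The hook call is gated on `ret == NF_ACCEPT && ct->status & IPS_NAT_MASK` with no explanation of why it happens once after the loop rather than per message; suggest `/* Apply the accumulated length change to the TCP sequence numbers once, after every message in the segment has been mangled */` above the if. tdiff and the hook parameter are s16 (declared in this hunk's context); if the loop above, outside the hunk, sums per-message diffs, a segment holding many or large rewrites could wrap, so the type choice should be checked against the maximum mangle size per segment. The rcu_dereference relies on the caller holding rcu_read_lock, which the helper framework presumably guarantees; a comment noting that assumption would help. sip_help_tcp's signature and loop lie outside the hunk.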
 
