From patchwork Mon Dec 24 07:15:19 2018
X-Patchwork-Submitter: Alin Năstac
X-Patchwork-Id: 1018205
X-Patchwork-Delegate: pablo@netfilter.org
From: Alin Nastac To: netfilter-devel@vger.kernel.org Subject: [PATCH v4] netfilter: nf_conntrack_sip: add sip_external_media logic Date: Mon, 24 Dec 2018 08:15:19 +0100 Message-Id: <20181224071519.24568-1-alin.nastac@gmail.com> X-Mailer: git-send-email 2.17.1 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org When enabled, the sip_external_media logic will leave SDP payload untouched when it detects that interface towards INVITEd party is the same with the one towards media endpoint. The typical scenario for this logic is when a LAN SIP agent has more than one IP address (uses a different address for media streams than the one used on signalling stream) and it also forwards calls to a voice mailbox located on the WAN side. In such case sip_direct_media must be disabled (so normal calls could be handled by the SIP helper), but media streams that are not traversing this router must also be excluded from address translation (e.g. call forwards). Signed-off-by: Alin Nastac --- net/netfilter/nf_conntrack_sip.c | 42 ++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index c8d2b6688a2a..f067c6b50857 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -21,6 +21,8 @@ #include #include +#include +#include #include #include #include @@ -54,6 +56,11 @@ module_param(sip_direct_media, int, 0600); MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling " "endpoints only (default 1)"); +static int sip_external_media __read_mostly = 0; +module_param(sip_external_media, int, 0600); +MODULE_PARM_DESC(sip_external_media, "Expect Media streams between external " + "endpoints (default 0)"); + const struct nf_nat_sip_hooks *nf_nat_sip_hooks; EXPORT_SYMBOL_GPL(nf_nat_sip_hooks); 
@@ -861,6 +868,41 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff, if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3)) return NF_ACCEPT; saddr = &ct->tuplehash[!dir].tuple.src.u3; + } else if (sip_external_media) { + struct net_device *dev = skb_dst(skb)->dev; + struct net *net = dev_net(dev); + struct rtable *rt; + struct flowi4 fl4 = {}; +#if IS_ENABLED(CONFIG_IPV6) + struct flowi6 fl6 = {}; +#endif + struct dst_entry *dst = NULL; + + switch (nf_ct_l3num(ct)) { + case NFPROTO_IPV4: + fl4.daddr = daddr->ip; + rt = ip_route_output_key(net, &fl4); + if (!IS_ERR(rt)) + dst = &rt->dst; + break; + +#if IS_ENABLED(CONFIG_IPV6) + case NFPROTO_IPV6: + fl6.daddr = daddr->in6; + dst = ip6_route_output(net, NULL, &fl6); + if (dst->error) { + dst_release(dst); + dst = NULL; + } + break; +#endif + } + + /* Don't predict any conntracks when media endpoint is reachable + * through the same interface as the signalling peer. + */ + if (dst && dst->dev == dev) + return NF_ACCEPT; } /* We need to check whether the registration exists before attempting
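Review bot: the MODULE_PARM_DESC for sip_external_media (second hunk) does not say when the option actually takes effect. In the third hunk the new code is an `else if (sip_external_media)` chained after the block that ends with `saddr = &ct->tuplehash[!dir].tuple.src.u3;`, and the commit message itself says sip_direct_media must be disabled for this scenario, so an administrator who sets sip_external_media=1 while leaving sip_direct_media at its default of 1 gets no behaviour change and no hint why. Suggest stating the dependency in the description, e.g. "Expect Media streams between external endpoints when sip_direct_media is disabled (default 0)", and repeating it in the commit message.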
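Review bot: the dst obtained from the route lookup in the sip_external_media branch (third hunk) is never released on the success paths. Both `ip_route_output_key()` and `ip6_route_output()` return a referenced dst, but the only `dst_release(dst)` is on the IPv6 error path; after `if (dst && dst->dev == dev) return NF_ACCEPT;` the function either returns or falls through to the registration check with the reference still held, so each pass through this branch leaks a dst reference, which will eventually keep the route and its device from being freed. Suggest recording the comparison, releasing, then branching, e.g. `same_dev = dst && dst->dev == dev; if (dst) dst_release(dst); if (same_dev) return NF_ACCEPT;`. Two smaller points on the same hunk: `skb_dst(skb)->dev` is dereferenced with no NULL check, which is only safe because the helper runs after routing, and a one-line comment stating that assumption next to the `dev` declaration would help; and the lookup fills in only `daddr`, so the decision ignores the packet's mark and source address, which is worth mentioning in the commit message if it is intentional.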