Commit 5e35941d authored by Jing Min Zhao's avatar Jing Min Zhao Committed by David S. Miller

[NETFILTER]: Add H.323 conntrack/NAT helper

Signed-off-by: default avatarJing Min Zhao <zhaojignmin@hotmail.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 30ca3e37
...@@ -29,6 +29,7 @@ union ip_conntrack_expect_proto { ...@@ -29,6 +29,7 @@ union ip_conntrack_expect_proto {
}; };
/* Add protocol helper include file here */ /* Add protocol helper include file here */
#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> #include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
#include <linux/netfilter_ipv4/ip_conntrack_amanda.h> #include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h> #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
...@@ -37,6 +38,7 @@ union ip_conntrack_expect_proto { ...@@ -37,6 +38,7 @@ union ip_conntrack_expect_proto {
/* per conntrack: application helper private data */ /* per conntrack: application helper private data */
union ip_conntrack_help { union ip_conntrack_help {
/* insert conntrack helper private data (master) here */ /* insert conntrack helper private data (master) here */
struct ip_ct_h323_master ct_h323_info;
struct ip_ct_pptp_master ct_pptp_info; struct ip_ct_pptp_master ct_pptp_info;
struct ip_ct_ftp_master ct_ftp_info; struct ip_ct_ftp_master ct_ftp_info;
struct ip_ct_irc_master ct_irc_info; struct ip_ct_irc_master ct_irc_info;
#ifndef _IP_CONNTRACK_H323_H
#define _IP_CONNTRACK_H323_H
#ifdef __KERNEL__
#define RAS_PORT 1719
#define Q931_PORT 1720
#define H323_RTP_CHANNEL_MAX 4 /* Audio, video, FAX and other */
/* This structure exists only once per master */
struct ip_ct_h323_master {
/* Original and NATed Q.931 or H.245 signal ports */
u_int16_t sig_port[IP_CT_DIR_MAX];
/* Original and NATed RTP ports */
u_int16_t rtp_port[H323_RTP_CHANNEL_MAX][IP_CT_DIR_MAX];
union {
/* RAS connection timeout */
u_int32_t timeout;
/* Next TPKT length (for separate TPKT header and data) */
u_int16_t tpkt_len[IP_CT_DIR_MAX];
};
};
#endif
#endif
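Review bot: `RAS_PORT` and `Q931_PORT` are unprefixed macro names in a header that ip_conntrack.h now pulls into every conntrack user, so they can collide with other helpers' or drivers' definitions; while the helper is new, `#define H323_RAS_PORT 1719` / `#define H323_Q931_PORT 1720` would match the `H323_RTP_CHANNEL_MAX` naming. The `sig_port` and `rtp_port` arrays do not say whether they hold host or network byte order, which the NAT side must get right on every rewrite; a one-word comment such as `/* network byte order */` (whichever applies, the .c files are collapsed here) would remove the guess. `tpkt_len` carries a length from one packet into the next, presumably to size the continuation read; the header should state what bound the decoder enforces on it, since the consuming code is not visible in this view.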
...@@ -168,6 +168,26 @@ config IP_NF_PPTP ...@@ -168,6 +168,26 @@ config IP_NF_PPTP
If you want to compile it as a module, say M here and read If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'. Documentation/modules.txt. If unsure, say `N'.
config IP_NF_H323
tristate 'H.323 protocol support'
depends on IP_NF_CONNTRACK
help
H.323 is a VoIP signalling protocol from ITU-T. As one of the most
important VoIP protocols, it is widely used by voice hardware and
software including voice gateways, IP phones, Netmeeting, OpenPhone,
Gnomemeeting, etc.
With this module you can support H.323 on a connection tracking/NAT
firewall.
This module supports RAS, Fast-start, H.245 tunnelling, RTP/RTCP
and T.120 based data and applications including audio, video, FAX,
chat, whiteboard, file transfer, etc. For more information, please
see http://nath323.sourceforge.net/.
If you want to compile it as a module, say 'M' here and read
Documentation/modules.txt. If unsure, say 'N'.
config IP_NF_QUEUE config IP_NF_QUEUE
tristate "IP Userspace queueing via NETLINK (OBSOLETE)" tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
help help
...@@ -484,6 +504,12 @@ config IP_NF_NAT_PPTP ...@@ -484,6 +504,12 @@ config IP_NF_NAT_PPTP
default IP_NF_NAT if IP_NF_PPTP=y default IP_NF_NAT if IP_NF_PPTP=y
default m if IP_NF_PPTP=m default m if IP_NF_PPTP=m
config IP_NF_NAT_H323
tristate
depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
default IP_NF_NAT if IP_NF_H323=y
default m if IP_NF_H323=m
# mangle + specific targets # mangle + specific targets
config IP_NF_MANGLE config IP_NF_MANGLE
tristate "Packet mangling" tristate "Packet mangling"
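Review bot: The new prompt `tristate 'H.323 protocol support'` uses single quotes while the neighbouring entries (`tristate "IP Userspace queueing via NETLINK (OBSOLETE)"`, `tristate "Packet mangling"`) use double quotes; `tristate "H.323 protocol support"` keeps the file consistent. The help text's `say 'M' here` and `say 'N'` likewise differ from the backtick-quoted form in the IP_NF_PPTP entry directly above. The second hunk's `config IP_NF_NAT_H323` mirrors `IP_NF_NAT_PPTP` and raises nothing on its own.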
...@@ -10,6 +10,9 @@ iptable_nat-objs := ip_nat_rule.o ip_nat_standalone.o ...@@ -10,6 +10,9 @@ iptable_nat-objs := ip_nat_rule.o ip_nat_standalone.o
ip_conntrack_pptp-objs := ip_conntrack_helper_pptp.o ip_conntrack_proto_gre.o ip_conntrack_pptp-objs := ip_conntrack_helper_pptp.o ip_conntrack_proto_gre.o
ip_nat_pptp-objs := ip_nat_helper_pptp.o ip_nat_proto_gre.o ip_nat_pptp-objs := ip_nat_helper_pptp.o ip_nat_proto_gre.o
ip_conntrack_h323-objs := ip_conntrack_helper_h323.o ip_conntrack_helper_h323_asn1.o
ip_nat_h323-objs := ip_nat_helper_h323.o
# connection tracking # connection tracking
obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
obj-$(CONFIG_IP_NF_NAT) += ip_nat.o obj-$(CONFIG_IP_NF_NAT) += ip_nat.o
...@@ -22,6 +25,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o ...@@ -22,6 +25,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o
obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
# connection tracking helpers # connection tracking helpers
obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o
obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
...@@ -30,6 +34,7 @@ obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o ...@@ -30,6 +34,7 @@ obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o
# NAT helpers # NAT helpers
obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o
obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
/****************************************************************************
* ip_conntrack_helper_h323_asn1.h - BER and PER decoding library for H.323
* conntrack/NAT module.
*
* Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@hotmail.com>
*
* This source code is licensed under General Public License version 2.
*
*
* This library is based on H.225 version 4, H.235 version 2 and H.245
* version 7. It is extremely optimized to decode only the absolutely
* necessary objects in a signal for Linux kernel NAT module use, so don't
* expect it to be a full ASN.1 library.
*
* Features:
*
* 1. Small. The total size of code plus data is less than 20 KB (IA32).
* 2. Fast. Decoding Netmeeting's Setup signal 1 million times on a PIII 866
* takes only 3.9 seconds.
* 3. No memory allocation. It uses a static object. No need to initialize or
* cleanup.
* 4. Thread safe.
* 5. Support embedded architectures that has no misaligned memory access
* support.
*
* Limitations:
*
* 1. At most 30 faststart entries. Actually this is limited by ethernet's MTU.
* If a Setup signal contains more than 30 faststart, the packet size will
* very likely exceed the MTU size, then the TPKT will be fragmented. I
* don't know how to handle this in a Netfilter module. Anybody can help?
* Although I think 30 is enough for most of the cases.
* 2. IPv4 addresses only.
*
****************************************************************************/
#ifndef _IP_CONNTRACK_HELPER_H323_ASN1_H_
#define _IP_CONNTRACK_HELPER_H323_ASN1_H_
/*****************************************************************************
* H.323 Types
****************************************************************************/
#include "ip_conntrack_helper_h323_types.h"
typedef struct {
enum {
Q931_NationalEscape = 0x00,
Q931_Alerting = 0x01,
Q931_CallProceeding = 0x02,
Q931_Connect = 0x07,
Q931_ConnectAck = 0x0F,
Q931_Progress = 0x03,
Q931_Setup = 0x05,
Q931_SetupAck = 0x0D,
Q931_Resume = 0x26,
Q931_ResumeAck = 0x2E,
Q931_ResumeReject = 0x22,
Q931_Suspend = 0x25,
Q931_SuspendAck = 0x2D,
Q931_SuspendReject = 0x21,
Q931_UserInformation = 0x20,
Q931_Disconnect = 0x45,
Q931_Release = 0x4D,
Q931_ReleaseComplete = 0x5A,
Q931_Restart = 0x46,
Q931_RestartAck = 0x4E,
Q931_Segment = 0x60,
Q931_CongestionCtrl = 0x79,
Q931_Information = 0x7B,
Q931_Notify = 0x6E,
Q931_Status = 0x7D,
Q931_StatusEnquiry = 0x75,
Q931_Facility = 0x62
} MessageType;
H323_UserInformation UUIE;
} Q931;
/*****************************************************************************
* Decode Functions Return Codes
****************************************************************************/
#define H323_ERROR_NONE 0 /* Decoded successfully */
#define H323_ERROR_STOP 1 /* Decoding stopped, not really an error */
#define H323_ERROR_BOUND -1
#define H323_ERROR_RANGE -2
/*****************************************************************************
* Decode Functions
****************************************************************************/
int DecodeRasMessage(unsigned char *buf, size_t sz, RasMessage * ras);
int DecodeQ931(unsigned char *buf, size_t sz, Q931 * q931);
int DecodeMultimediaSystemControlMessage(unsigned char *buf, size_t sz,
MultimediaSystemControlMessage *
mscm);
#endif
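Review bot: The feature list claims both "No memory allocation. It uses a static object." and "Thread safe.", which cannot both hold unless every caller serializes access to that static object; the comment should name the lock the caller is expected to hold (the decoder .c is collapsed here, so I cannot confirm which one). Suggested wording, if that is what the helper does: `4. Not reentrant: decoder state is a single static object, so callers must serialize calls (the conntrack helper does this under its lock).` The prototypes `DecodeRasMessage`, `DecodeQ931` and `DecodeMultimediaSystemControlMessage` take `unsigned char *buf`; if decoding never writes into the buffer, `const unsigned char *buf` documents that contract and lets callers pass packet data without a cast. `H323_ERROR_BOUND` and `H323_ERROR_RANGE` are the only return codes without a comment; add one each stating the condition (presumably buffer exhausted versus value outside the permitted ASN.1 range) so callers can tell a truncated packet from a malformed one.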