|
|
|
@ -21,6 +21,7 @@ |
|
|
|
#include <net/ipv6.h> |
|
|
|
#include <net/tcp.h> |
|
|
|
#include <net/route.h> |
|
|
|
#include <net/ip6_route.h> |
|
|
|
#include <net/dst.h> |
|
|
|
#include <linux/proc_fs.h> |
|
|
|
#include <linux/spinlock.h> |
|
|
|
@ -91,6 +92,12 @@ MODULE_ALIAS("ip6t_RTPENGINE"); |
|
|
|
#define xt_action_param xt_target_param |
|
|
|
#endif |
|
|
|
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
#define PAR_STATE_NET(p) (p)->state->net |
|
|
|
#else |
|
|
|
#define PAR_STATE_NET(p) (p)->net |
|
|
|
#endif |
|
|
|
|
|
|
|
#if 0 |
|
|
|
#define _s_lock(l, f) do { \ |
|
|
|
printk(KERN_DEBUG "[PID %i %s:%i] acquiring lock %s\n", \ |
|
|
|
@ -3785,12 +3792,15 @@ static ssize_t proc_control_read(struct file *file, char __user *ubuf, size_t bu |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// par can be NULL |
|
|
|
static int send_proxy_packet4(struct sk_buff *skb, struct re_address *src, struct re_address *dst, |
|
|
|
unsigned char tos, const struct xt_action_param *par) |
|
|
|
{ |
|
|
|
struct iphdr *ih; |
|
|
|
struct udphdr *uh; |
|
|
|
unsigned int datalen; |
|
|
|
struct net *net; |
|
|
|
struct rtable *rt; |
|
|
|
|
|
|
|
datalen = skb->len; |
|
|
|
|
|
|
|
@ -3823,37 +3833,34 @@ static int send_proxy_packet4(struct sk_buff *skb, struct re_address *src, struc |
|
|
|
uh->check = csum_tcpudp_magic(src->u.ipv4, dst->u.ipv4, datalen, IPPROTO_UDP, csum_partial(uh, datalen, 0)); |
|
|
|
if (uh->check == 0) |
|
|
|
uh->check = CSUM_MANGLED_0; |
|
|
|
|
|
|
|
skb->protocol = htons(ETH_P_IP); |
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,9) || \ |
|
|
|
(LINUX_VERSION_CODE >= KERNEL_VERSION(5,4,78) && LINUX_VERSION_CODE < KERNEL_VERSION(5,5,0)) || \ |
|
|
|
(LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,158) && LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0)) |
|
|
|
if (ip_route_me_harder(par->state->net, par->state->sk, skb, RTN_UNSPEC)) |
|
|
|
#elif defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0) && \ |
|
|
|
RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(8,4) |
|
|
|
if (ip_route_me_harder(par->state->net, par->state->sk, skb, RTN_UNSPEC)) |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0) |
|
|
|
if (ip_route_me_harder(par->state->net, skb, RTN_UNSPEC)) |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
if (ip_route_me_harder(par->net, skb, RTN_UNSPEC)) |
|
|
|
#else |
|
|
|
if (ip_route_me_harder(skb, RTN_UNSPEC)) |
|
|
|
#endif |
|
|
|
|
|
|
|
net = NULL; |
|
|
|
if (par) |
|
|
|
net = PAR_STATE_NET(par); |
|
|
|
if (!net && current && current->nsproxy) |
|
|
|
net = current->nsproxy->net_ns; |
|
|
|
if (!net) |
|
|
|
goto drop; |
|
|
|
|
|
|
|
rt = ip_route_output(net, dst->u.ipv4, src->u.ipv4, tos, 0); |
|
|
|
if (IS_ERR(rt)) |
|
|
|
goto drop; |
|
|
|
skb_dst_drop(skb); |
|
|
|
skb_dst_set(skb, &rt->dst); |
|
|
|
|
|
|
|
if (skb_dst(skb)->error) |
|
|
|
goto drop; |
|
|
|
|
|
|
|
skb->ip_summed = CHECKSUM_NONE; |
|
|
|
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0) |
|
|
|
ip_select_ident(par->state->net, skb, NULL); |
|
|
|
ip_send_check(ih); |
|
|
|
ip_local_out(par->state->net, skb->sk, skb); |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
ip_select_ident(par->net, skb, NULL); |
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
ip_select_ident(net, skb, NULL); |
|
|
|
ip_send_check(ih); |
|
|
|
ip_local_out(par->net, skb->sk, skb); |
|
|
|
ip_local_out(net, skb->sk, skb); |
|
|
|
#else |
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,1,0) |
|
|
|
ip_select_ident(par->net, skb, NULL); |
|
|
|
ip_select_ident(net, skb, NULL); |
|
|
|
#elif (LINUX_VERSION_CODE == KERNEL_VERSION(3,10,0) && RHEL_MAJOR == 7) /* CentOS 7 */ |
|
|
|
/* nothing */ |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3,15,10) \ |
|
|
|
@ -3888,12 +3895,16 @@ drop: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// par can be NULL |
|
|
|
static int send_proxy_packet6(struct sk_buff *skb, struct re_address *src, struct re_address *dst, |
|
|
|
unsigned char tos, const struct xt_action_param *par) |
|
|
|
{ |
|
|
|
struct ipv6hdr *ih; |
|
|
|
struct udphdr *uh; |
|
|
|
unsigned int datalen; |
|
|
|
struct net *net; |
|
|
|
struct dst_entry *dst_entry; |
|
|
|
struct flowi6 fl6; |
|
|
|
|
|
|
|
datalen = skb->len; |
|
|
|
|
|
|
|
@ -3926,30 +3937,35 @@ static int send_proxy_packet6(struct sk_buff *skb, struct re_address *src, struc |
|
|
|
uh->check = csum_ipv6_magic(&ih->saddr, &ih->daddr, datalen, IPPROTO_UDP, csum_partial(uh, datalen, 0)); |
|
|
|
if (uh->check == 0) |
|
|
|
uh->check = CSUM_MANGLED_0; |
|
|
|
|
|
|
|
skb->protocol = htons(ETH_P_IPV6); |
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,9) || \ |
|
|
|
(LINUX_VERSION_CODE >= KERNEL_VERSION(5,4,78) && LINUX_VERSION_CODE < KERNEL_VERSION(5,5,0)) || \ |
|
|
|
(LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,158) && LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0)) |
|
|
|
if (ip6_route_me_harder(par->state->net, par->state->sk, skb)) |
|
|
|
#elif defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0) && \ |
|
|
|
RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(8,4) |
|
|
|
if (ip6_route_me_harder(par->state->net, par->state->sk, skb)) |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0) |
|
|
|
if (ip6_route_me_harder(par->state->net, skb)) |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
if (ip6_route_me_harder(par->net, skb)) |
|
|
|
#else |
|
|
|
if (ip6_route_me_harder(skb)) |
|
|
|
#endif |
|
|
|
|
|
|
|
net = NULL; |
|
|
|
if (par) |
|
|
|
net = PAR_STATE_NET(par); |
|
|
|
if (!net && current && current->nsproxy) |
|
|
|
net = current->nsproxy->net_ns; |
|
|
|
if (!net) |
|
|
|
goto drop; |
|
|
|
|
|
|
|
memset(&fl6, 0, sizeof(fl6)); |
|
|
|
memcpy(&fl6.saddr, src->u.ipv6, sizeof(fl6.saddr)); |
|
|
|
memcpy(&fl6.daddr, dst->u.ipv6, sizeof(fl6.daddr)); |
|
|
|
fl6.flowi6_mark = skb->mark; |
|
|
|
|
|
|
|
dst_entry = ip6_route_output(net, NULL, &fl6); |
|
|
|
if (!dst_entry) |
|
|
|
goto drop; |
|
|
|
if (dst_entry->error) { |
|
|
|
dst_release(dst_entry); |
|
|
|
goto drop; |
|
|
|
} |
|
|
|
skb_dst_drop(skb); |
|
|
|
skb_dst_set(skb, dst_entry); |
|
|
|
|
|
|
|
skb->ip_summed = CHECKSUM_NONE; |
|
|
|
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0) |
|
|
|
ip6_local_out(par->state->net, skb->sk, skb); |
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
ip6_local_out(par->net, skb->sk, skb); |
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0) |
|
|
|
ip6_local_out(net, skb->sk, skb); |
|
|
|
#else |
|
|
|
ip6_local_out(skb); |
|
|
|
#endif |
|
|
|
@ -4581,6 +4597,56 @@ static struct sk_buff *intercept_skb_copy(struct sk_buff *oskb, const struct re_ |
|
|
|
return ret; |
|
|
|
} |
|
|
|
|
|
|
|
static void proxy_packet_output_rtp(struct sk_buff *skb, struct rtpengine_output *o, |
|
|
|
int rtp_pt_idx, |
|
|
|
struct rtp_parsed *rtp, int ssrc_idx) |
|
|
|
{ |
|
|
|
unsigned int pllen; |
|
|
|
uint64_t pkt_idx; |
|
|
|
int i; |
|
|
|
|
|
|
|
if (!rtp->ok) |
|
|
|
return; |
|
|
|
|
|
|
|
// pattern rewriting |
|
|
|
if (rtp_pt_idx >= 0 && o->output.pt_output[rtp_pt_idx].replace_pattern_len) { |
|
|
|
if (o->output.pt_output[rtp_pt_idx].replace_pattern_len == 1) |
|
|
|
memset(rtp->payload, o->output.pt_output[rtp_pt_idx].replace_pattern[0], |
|
|
|
rtp->payload_len); |
|
|
|
else { |
|
|
|
for (i = 0; i < rtp->payload_len; |
|
|
|
i += o->output.pt_output[rtp_pt_idx].replace_pattern_len) |
|
|
|
memcpy(&rtp->payload[i], |
|
|
|
o->output.pt_output[rtp_pt_idx].replace_pattern, |
|
|
|
o->output.pt_output[rtp_pt_idx].replace_pattern_len); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// SSRC substitution and seq manipulation |
|
|
|
if (likely(ssrc_idx >= 0)) { |
|
|
|
rtp->header->seq_num = htons(ntohs(rtp->header->seq_num) |
|
|
|
+ o->output.seq_offset[ssrc_idx]); |
|
|
|
if (o->output.ssrc_subst && likely(o->output.ssrc_out[ssrc_idx])) |
|
|
|
rtp->header->ssrc = o->output.ssrc_out[ssrc_idx]; |
|
|
|
} |
|
|
|
|
|
|
|
// SRTP |
|
|
|
pkt_idx = packet_index(&o->encrypt, &o->output.encrypt, rtp->header, ssrc_idx); |
|
|
|
pllen = rtp->payload_len; |
|
|
|
srtp_encrypt(&o->encrypt, &o->output.encrypt, rtp, pkt_idx); |
|
|
|
srtp_authenticate(&o->encrypt, &o->output.encrypt, rtp, pkt_idx); |
|
|
|
skb_put(skb, rtp->payload_len - pllen); |
|
|
|
} |
|
|
|
|
|
|
|
static int send_proxy_packet_output(struct sk_buff *skb, struct rtpengine_target *g, |
|
|
|
int rtp_pt_idx, |
|
|
|
struct rtpengine_output *o, struct rtp_parsed *rtp, int ssrc_idx, |
|
|
|
const struct xt_action_param *par) |
|
|
|
{ |
|
|
|
proxy_packet_output_rtp(skb, o, rtp_pt_idx, rtp, ssrc_idx); |
|
|
|
return send_proxy_packet(skb, &o->output.src_addr, &o->output.dst_addr, o->output.tos, par); |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -4684,7 +4750,7 @@ static unsigned int rtpengine46(struct sk_buff *skb, struct rtpengine_table *t, |
|
|
|
int error_nf_action = XT_CONTINUE; |
|
|
|
int rtp_pt_idx = -2; |
|
|
|
int ssrc_idx = -1; |
|
|
|
unsigned int datalen, pllen, datalen_out; |
|
|
|
unsigned int datalen, datalen_out; |
|
|
|
struct rtp_parsed rtp, rtp2; |
|
|
|
ssize_t offset; |
|
|
|
uint64_t pkt_idx; |
|
|
|
@ -4845,40 +4911,7 @@ static unsigned int rtpengine46(struct sk_buff *skb, struct rtpengine_table *t, |
|
|
|
rtp2.header = (void *) (((char *) rtp2.header) + offset); |
|
|
|
rtp2.payload = (void *) (((char *) rtp2.payload) + offset); |
|
|
|
|
|
|
|
// pattern rewriting |
|
|
|
if (rtp_pt_idx >= 0 && o->output.pt_output[rtp_pt_idx].replace_pattern_len && rtp2.ok) { |
|
|
|
if (o->output.pt_output[rtp_pt_idx].replace_pattern_len == 1) |
|
|
|
memset(rtp2.payload, o->output.pt_output[rtp_pt_idx].replace_pattern[0], |
|
|
|
rtp2.payload_len); |
|
|
|
else { |
|
|
|
for (i = 0; i < rtp2.payload_len; |
|
|
|
i += o->output.pt_output[rtp_pt_idx].replace_pattern_len) |
|
|
|
memcpy(&rtp2.payload[i], |
|
|
|
o->output.pt_output[rtp_pt_idx].replace_pattern, |
|
|
|
o->output.pt_output[rtp_pt_idx].replace_pattern_len); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
if (rtp2.ok) { |
|
|
|
// SSRC substitution and seq manipulation |
|
|
|
if (ssrc_idx != -1) { |
|
|
|
rtp2.header->seq_num = htons(ntohs(rtp2.header->seq_num) |
|
|
|
+ o->output.seq_offset[ssrc_idx]); |
|
|
|
if (o->output.ssrc_subst && o->output.ssrc_out[ssrc_idx]) |
|
|
|
rtp2.header->ssrc = o->output.ssrc_out[ssrc_idx]; |
|
|
|
} |
|
|
|
|
|
|
|
pkt_idx = packet_index(&o->encrypt, &o->output.encrypt, rtp2.header, ssrc_idx); |
|
|
|
pllen = rtp2.payload_len; |
|
|
|
srtp_encrypt(&o->encrypt, &o->output.encrypt, &rtp2, pkt_idx); |
|
|
|
srtp_authenticate(&o->encrypt, &o->output.encrypt, &rtp2, pkt_idx); |
|
|
|
skb_put(skb2, rtp2.payload_len - pllen); |
|
|
|
} |
|
|
|
|
|
|
|
datalen_out = skb2->len; |
|
|
|
|
|
|
|
err = send_proxy_packet(skb2, &o->output.src_addr, &o->output.dst_addr, o->output.tos, par); |
|
|
|
|
|
|
|
err = send_proxy_packet_output(skb2, g, rtp_pt_idx, o, &rtp2, ssrc_idx, par); |
|
|
|
if (err) { |
|
|
|
atomic64_inc(&g->stats_in.errors); |
|
|
|
atomic64_inc(&o->stats_out.errors); |
|
|
|
|
Richard Fuchs
4 years ago