From f6f484fff62599cdc26a638c94c118063b7365b2 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Fri, 31 May 2019 11:05:17 -0400
Subject: [PATCH] TT#59501 add optional RTCP sink

If `strict source` is set, we can now also kernelise RTCP ports. This will engage the kernel module's source address checking. If the check fails, the packet is discarded. Otherwise it's passed to user space as usual.

Change-Id: Ieedf39fba2263045b0f1faafa7f5826a27b5a115
---
 daemon/media_socket.c | 10 ++++++++--
 kernel-module/xt_RTPENGINE.c | 18 ++++++++++++------
 kernel-module/xt_RTPENGINE.h | 3 ++-
 3 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/daemon/media_socket.c b/daemon/media_socket.c
index 087d18915..288250bec 100644
--- a/daemon/media_socket.c
+++ b/daemon/media_socket.c
@@ -1023,6 +1023,7 @@ void kernelize(struct packet_stream *stream) {
 	struct call *call = stream->call;
 	struct packet_stream *sink = NULL;
 	const char *nk_warn_msg;
+	int non_forwarding = 0;
 
 	if (PS_ISSET(stream, KERNELIZED))
 		return;
@@ -1033,8 +1034,12 @@ void kernelize(struct packet_stream *stream) {
 	nk_warn_msg = "interface to kernel module not open";
 	if (!kernel.is_open)
 		goto no_kernel_warn;
-	if (!PS_ISSET(stream, RTP))
-		goto no_kernel;
+	if (!PS_ISSET(stream, RTP)) {
+		if (PS_ISSET(stream, RTCP) && PS_ISSET(stream, STRICT_SOURCE))
+			non_forwarding = 1; // use the kernel's source checking capability
+		else
+			goto no_kernel;
+	}
 	if (!stream->selected_sfd)
 		goto no_kernel;
 	if (stream->media->monologue->block_media || call->block_media)
@@ -1078,6 +1083,7 @@ void kernelize(struct packet_stream *stream) {
 	reti.rtcp_mux = MEDIA_ISSET(stream->media, RTCP_MUX);
 	reti.dtls = MEDIA_ISSET(stream->media, DTLS);
 	reti.stun = stream->media->ice_agent ? 1 : 0;
+	reti.non_forwarding = non_forwarding;
 
 	__re_address_translate_ep(&reti.dst_addr, &sink->endpoint);
 	__re_address_translate_ep(&reti.src_addr, &sink->selected_sfd->socket.local);
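Review bot: The tail of the @@ -1078 hunk still copies `sink->endpoint` and `sink->selected_sfd->socket.local` into `reti.dst_addr`/`reti.src_addr` unconditionally, while the new flag's header comment describes those addresses as empty for a non-forwarding target. How `sink` is resolved for an RTCP-only stream lies between the hunks, so I cannot tell from here whether it can be NULL on the new path; if it can, kernelize() dereferences NULL before the target is ever submitted to the module. Either guard the two translations with `if (!non_forwarding)` (leaving the addresses zeroed, which table_new_target now accepts for this flag) or make sure sink is proven non-NULL on this path, and say which in a comment next to `reti.non_forwarding = non_forwarding;`. kernelize() starts before and continues past this hunk.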
diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index a5cdd999d..5496698d9 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -1513,6 +1513,8 @@ static int proc_list_show(struct seq_file *f, void *v) {
 		seq_printf(f, " option: stun\n");
 	if (g->target.transcoding)
 		seq_printf(f, " option: transcoding\n");
+	if (g->target.non_forwarding)
+		seq_printf(f, " option: non forwarding\n");
 
 	target_put(g);
 
@@ -2036,12 +2038,14 @@ static int table_new_target(struct rtpengine_table *t, struct rtpengine_target_i
 
 	if (!is_valid_address(&i->local))
 		return -EINVAL;
-	if (!is_valid_address(&i->src_addr))
-		return -EINVAL;
-	if (!is_valid_address(&i->dst_addr))
-		return -EINVAL;
-	if (i->src_addr.family != i->dst_addr.family)
-		return -EINVAL;
+	if (!i->non_forwarding) {
+		if (!is_valid_address(&i->src_addr))
+			return -EINVAL;
+		if (!is_valid_address(&i->dst_addr))
+			return -EINVAL;
+		if (i->src_addr.family != i->dst_addr.family)
+			return -EINVAL;
+	}
 	if (i->mirror_addr.family) {
 		if (!is_valid_address(&i->mirror_addr))
 			return -EINVAL;
@@ -3927,6 +3931,8 @@ not_stun:
 	goto skip_error;
 
 src_check_ok:
+	if (g->target.non_forwarding)
+		goto skip1;
 	if (g->target.dtls && is_dtls(skb))
 		goto skip1;
 
diff --git a/kernel-module/xt_RTPENGINE.h b/kernel-module/xt_RTPENGINE.h
index cd7978f98..f553e6740 100644
--- a/kernel-module/xt_RTPENGINE.h
+++ b/kernel-module/xt_RTPENGINE.h
@@ -104,7 +104,8 @@ struct rtpengine_target_info {
 			rtp:1,
 			rtp_only:1,
 			do_intercept:1,
-			transcoding:1; // SSRC subst and RTP PT filtering
+			transcoding:1, // SSRC subst and RTP PT filtering
+			non_forwarding:1; // empty src/dst addr
 };
 
 struct rtpengine_call_info {
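Review bot: In the @@ -2036 hunk, a target with `non_forwarding` set is now installed with `src_addr`/`dst_addr` left unvalidated (family 0, or whatever user space wrote), yet nothing rejects that flag in combination with `rtp`, `rtp_only` or `transcoding`; the only thing that keeps such a target from acting on those addresses is the early `goto skip1` added at src_check_ok. Since the flag crosses the user/kernel boundary over the proc interface, I would state the contract at validation time rather than rely on the fast-path ordering: `if (i->non_forwarding && (i->rtp || i->rtp_only || i->transcoding)) return -EINVAL;` placed before the new `if (!i->non_forwarding)` block. Whether any other path between installation and the fast path (proc_list_show printing the addresses, for example) reads the unvalidated fields is not visible in these hunks, so treat this as defence in depth unless such a reader exists. table_new_target starts before and continues past this hunk.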
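Review bot: The comment on the new bit, `// empty src/dst addr`, documents a precondition that the module does not enforce: in this commit table_new_target only stops validating `src_addr`/`dst_addr` when the flag is set, and the daemon hunk in media_socket.c still fills both from the sink. A comment that states the actual contract helps the next reader more, e.g. `non_forwarding:1; // source-check only, never forward: matching packets go to user space; src/dst addr are unvalidated and unused`. struct rtpengine_target_info starts before this hunk.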