
平台论坛博客文库

› 论坛 › 操作系统 › Linux系统管理 › platinum进来讨论一下(iptables nat方式)

[网络管理] platinum进来讨论一下(iptables nat方式) [复制链接]

qingfeng79

稍有积蓄

论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-09-18 14:51 |显示全部楼层 |倒序浏览

你有没有研究一下iptables nat的方式?iptables 属于Symmetric NAT,不适合VOIP语音对话.你知道linux 如何实现Full Cone NAT ?

文库|博客

qingfeng79

稍有积蓄

论坛徽章:: 0

2楼 [报告]

发表于 2006-09-18 14:51 |显示全部楼层

谢谢!

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

qingfeng79

稍有积蓄

论坛徽章:: 0

3楼 [报告]

发表于 2006-09-19 08:02 |显示全部楼层

晕倒,呵呵.

qingfeng79

稍有积蓄

论坛徽章:: 0

4楼 [报告]

发表于 2006-09-19 14:05 |显示全部楼层

经过分析和实际测试发现,iptalbes 是对程性NAT.在经过NAT转换后的端口必须一一对应.更麻烦的是它有一个连接跟踪功能,能记录是否有相同的端口，如果有,自动把它端口修改.这样语音包就不能收到.
我看看是否iptables有相关补丁?应该没有，打算修改它源码.可参考资料..

qingfeng79

稍有积蓄

论坛徽章:: 0

5楼 [报告]

发表于 2006-09-19 14:06 |显示全部楼层

http://www.linuxforum.net/docnew ... =new&Number=727

qingfeng79

稍有积蓄

论坛徽章:: 0

6楼 [报告]

发表于 2006-09-22 14:10 |显示全部楼层

那你说的意思就是做应用层网关了?
昨天我把一个支持SIP的patch移植进2.4.25内核.做了两个NAT 路由器.分别接在网络里.两个路由器下分别有一个PC1,PC2.发现PC1与PC2呼叫能建立会话,但语音包还是不能通.昏迷中.......

qingfeng79

稍有积蓄

论坛徽章:: 0

7楼 [报告]

发表于 2006-09-25 10:43 |显示全部楼层

diff -urN linux2425_jffs2/include/linux/netfilter_ipv4/ip_conntrack_sip.h linux2425_jffs2/include/linux/netfilter_ipv4/ip_conntrack_sip.h
--- linux2425_jffs2/include/linux/netfilter_ipv4/ip_conntrack_sip.h (revision 0)
+++ linux2425_jffs2/include/linux/netfilter_ipv4/ip_conntrack_sip.h (revision 0)
@@ -0,0 +1,75 @@
+#ifndef __IP_CONNTRACK_SIP_H__
+#define __IP_CONNTRACK_SIP_H__
+/* SIP tracking. */
+
+#ifdef __KERNEL__
+
+#define SIP_PORT 5060
+#define SIP_TIMEOUT 3600
+
+#define POS_VIA 0
+#define POS_CONTACT 1
+#define POS_CONTENT 2
+#define POS_MEDIA 3
+#define POS_OWNER 4
+#define POS_CONECTION 5
+#define POS_REQ_HEADER 6
+#define POS_SDP_HEADER 7
+
+struct sip_header_nfo {
+ const char *lname;
+ size_t lnlen;
+ const char *sname;
+ size_t snlen;
+ const char *ln_str;
+ size_t ln_strlen;
+ int (*match_len)(const char *, const char *, int *);
+
+};
+
+extern unsigned int (*ip_nat_sip_hook)(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack *ct,
+ char **dptr);
+
+/* For NAT to hook in when on expect. */
+extern unsigned int (*ip_nat_sdp_hook)(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack_expect *exp,
+ char *dptr);
+
+extern int ct_sip_get_info(char *dptr, int dlen, int *matchoff,
+ int *matchlen, struct sip_header_nfo *hnfo);
+
+/* get line lenght until first CR or LF seen. */
+static __inline__ int ct_sip_lnlen(char *line, char *limit)
+{
+ char *k = line;
+
+ while ((line <= limit) && (*line == '\r' || *line == '\n'))
+ line++;
+
+ while (line <= limit) {
+ if (*line == '\r' || *line == '\n')
+ break;
+ line++;
+ }
+ return line - k;
+}
+
+/* Linear string search, case sensitive. */
+static __inline__ char *ct_sip_search(const char *needle, char *haystack,
+ int needle_len, int haystack_len)
+{
+ char *limit = haystack + (haystack_len - needle_len);
+
+ while (haystack <= limit) {
+ if (memcmp(haystack, needle, needle_len) == 0)
+ return haystack;
+ haystack++;
+ }
+ return NULL;
+}
+#endif /* __KERNEL__ */
+
+#endif /* __IP_CONNTRACK_SIP_H__ */
diff -urN linux2425_jffs2/net/ipv4/netfilter/ip_conntrack_sip.c linux2425_jffs2/net/ipv4/netfilter/ip_conntrack_sip.c
--- linux2425_jffs2/net/ipv4/netfilter/ip_conntrack_sip.c (revision 0)
+++ linux2425_jffs2/net/ipv4/netfilter/ip_conntrack_sip.c (revision 0)
@@ -0,0 +1,405 @@
+/* SIP extension for IP connection tracking.
+ *
+ * (C) 2005 by Christian Hentschel <[email]chentschel@arnet.com.ar[/email]>
+ * based on RR's ip_conntrack_ftp.c and other modules.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/ip.h>
+#include <linux/ctype.h>
+#include <net/checksum.h>
+#include <net/udp.h>
+
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_sip.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Christian Hentschel <[email]chentschel@arnet.com.ar[/email]>");
+MODULE_DESCRIPTION("SIP connection tracking helper");
+
+static DECLARE_LOCK(sipbf_lock);
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_c;
+module_param_array(ports, int, &ports_c, 0400);
+MODULE_PARM_DESC(ports, " port numbers of sip servers");
+
+static unsigned int sip_timeout = SIP_TIMEOUT;
+
+module_param(sip_timeout, int, 0600);
+MODULE_PARM_DESC(sip_timeout, "timeout for the master sip session");
+
+unsigned int (*ip_nat_sip_hook)(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack *ct,
+ char **dptr);
+EXPORT_SYMBOL_GPL(ip_nat_sip_hook);
+
+unsigned int (*ip_nat_sdp_hook)(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack_expect *exp,
+ char *dptr);
+EXPORT_SYMBOL_GPL(ip_nat_sdp_hook);
+
+int ct_sip_get_info(char *dptr, int dlen, int *matchoff, int *matchlen,
+ struct sip_header_nfo *hnfo);
+
+EXPORT_SYMBOL(ct_sip_get_info);
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static int digits_len(const char *dptr, const char *limit, int *shift);
+static int epaddr_len(const char *dptr, const char *limit, int *shift);
+static int skp_digits_len(const char *dptr, const char *limit, int *shift);
+static int skp_epaddr_len(const char *dptr, const char *limit, int *shift);
+
+struct sip_header_nfo ct_sip_hdrs[] = {
+ { /* Via header */
+ "Via:", sizeof("Via:") - 1,
+ "\r\nv:", sizeof("\r\nv:") - 1, /* rfc3261 says "end in CRLF" */
+ "UDP ", sizeof("UDP ") - 1,
+ epaddr_len
+ },
+ { /* Contact header */
+ "Contact:", sizeof("Contact:") - 1,
+ "\r\nm:", sizeof("\r\nm:") - 1,
+ "sip:", sizeof("sip:") - 1,
+ skp_epaddr_len
+ },
+ { /* Content length header */
+ "Content-Length:", sizeof("Content-Length:") - 1,
+ "\r\nl:", sizeof("\r\nl:") - 1,
+ ":", sizeof(":") - 1,
+ skp_digits_len
+ },
+ { /* SDP media info */
+ "\nm=", sizeof("\nm=") - 1,
+ "\rm=", sizeof("\rm=") - 1,
+ "audio ", sizeof("audio ") - 1,
+ digits_len
+ },
+ { /* SDP owner address*/
+ "\no=", sizeof("\no=") - 1,
+ "\ro=", sizeof("\ro=") - 1,
+ "IN IP4 ", sizeof("IN IP4 ") - 1,
+ epaddr_len
+ },
+ { /* SDP connection info */
+ "\nc=", sizeof("\nc=") - 1,
+ "\rc=", sizeof("\rc=") - 1,
+ "IN IP4 ", sizeof("IN IP4 ") - 1,
+ epaddr_len
+ },
+ { /* Requests headers */
+ "sip:", sizeof("sip:") - 1,
+ "sip:", sizeof("sip:") - 1, /* yes, i know..*/
+ "@", sizeof("@") - 1,
+ epaddr_len
+ },
+ { /* SDP version header */
+ "\nv=", sizeof("\nv=") - 1,
+ "\rv=", sizeof("\rv=") - 1,
+ "=", sizeof("=") - 1,
+ digits_len
+ }
+};
+EXPORT_SYMBOL(ct_sip_hdrs);
+
+
+static int digits_len(const char *dptr, const char *limit, int *shift)
+{
+ int len = 0;
+ while (dptr <= limit && isdigit(*dptr)) {
+ dptr++;
+ len++;
+ }
+ return len;
+}
+
+/* get digits lenght, skiping blank spaces. */
+static int skp_digits_len(const char *dptr, const char *limit, int *shift)
+{
+ for (; dptr <= limit && *dptr == ' '; dptr++)
+ (*shift)++;
+
+ return digits_len(dptr, limit, shift);
+}
+
+/* Simple ipaddr parser.. */
+static int parse_ipaddr(const char *cp, char **endp,
+ uint32_t *ipaddr, const char *limit)
+{
+ unsigned long int val;
+ int i, digit = 0;
+
+ for (i = 0, *ipaddr = 0; cp <= limit && i < 4; i++) {
+ digit = 0;
+ if (!isdigit(*cp))
+ break;
+
+ val = simple_strtoul(cp, (char **)&cp, 10);
+ if (val > 0xFF)
+ return -1;
+
+ ((uint8_t *)ipaddr)[i] = val;
+ digit = 1;
+
+ if (*cp != '.')
+ break;
+ cp++;
+ }
+ if (!digit)
+ return -1;
+
+ if (endp)
+ *endp = (char *)cp;
+
+ return 0;
+}
+
+/* skip ip address. returns it lenght. */
+static int epaddr_len(const char *dptr, const char *limit, int *shift)
+{
+ const char *aux = dptr;
+ uint32_t ip;
+
+ if (parse_ipaddr(dptr, (char **)&dptr, &ip, limit) < 0) {
+ DEBUGP("ip: %s parse failed.!\n", dptr);
+ return 0;
+ }
+
+ /* Port number */
+ if (*dptr == ':') {
+ dptr++;
+ dptr += digits_len(dptr, limit, shift);
+ }
+ return dptr - aux;
+}
+
+/* get address lenght, skiping user info. */
+static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
+{
+ for (; dptr <= limit && *dptr != '@'; dptr++)
+ (*shift)++;
+
+ if (*dptr == '@') {
+ dptr++;
+ (*shift)++;
+ return epaddr_len(dptr, limit, shift);
+ }
+ return 0;
+}
+
+/* Returns 0 if not found, -1 error parsing. */
+int ct_sip_get_info(char *dptr, int dlen,
+ int *matchoff, int *matchlen,
+ struct sip_header_nfo *hnfo)
+{
+ char *limit = dptr + (dlen - hnfo->lnlen);
+ char *aux, *k = dptr;
+ int shift = 0;
+
+ while (dptr <= limit) {
+ if ((strncmp(dptr, hnfo->lname, hnfo->lnlen) != 0) &&
+ (strncmp(dptr, hnfo->sname, hnfo->snlen) != 0))
+ {
+ dptr++;
+ continue;
+ }
+ aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
+ ct_sip_lnlen(dptr, limit));
+ if (!aux) {
+ DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str, hnfo->lname);
+ return -1;
+ }
+ aux += hnfo->ln_strlen;
+
+ *matchlen = hnfo->match_len(aux, limit, &shift);
+ if (!*matchlen)
+ return -1;
+
+ *matchoff = (aux - k) + shift;
+
+ DEBUGP("%s match succeeded! - len: %u\n", hnfo->lname, *matchlen);
+ return 1;
+ }
+ DEBUGP("%s header not found.\n", hnfo->lname);
+ return 0;
+}
+
+static int set_expected_rtp(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
+ enum ip_conntrack_info ctinfo,
+ uint32_t ipaddr, uint16_t port,
+ char *dptr)
+{
+ struct ip_conntrack_expect *exp;
+
+ exp = ip_conntrack_expect_alloc();
+ if (exp == NULL)
+ return NF_DROP;
+
+ exp->tuple = ((struct ip_conntrack_tuple)
+ { { ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip, { 0 } },
+ { ipaddr, { .udp = { htons(port) } }, IPPROTO_UDP }});
+
+ exp->mask = ((struct ip_conntrack_tuple)
+ { { 0xFFFFFFFF, { 0 } },
+ { 0xFFFFFFFF, { .udp = { 0xFFFF } }, 0xFF }});
+
+ exp->expectfn = NULL;
+ exp->master = ct;
+
+ if (ip_nat_sdp_hook)
+ return ip_nat_sdp_hook(pskb, ctinfo, exp, dptr);
+ else if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ return NF_DROP;
+ }
+ return NF_ACCEPT;
+}
+
+static int sip_help(struct sk_buff **pskb,
+ struct ip_conntrack *ct,
+ enum ip_conntrack_info ctinfo)
+{
+ unsigned int dataoff, datalen;
+ char *dptr;
+ int ret = NF_ACCEPT;
+ int matchoff, matchlen;
+ uint32_t ipaddr;
+ uint16_t port;
+
+ /* No Data ? */
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+ if (dataoff >= (*pskb)->len) {
+ DEBUGP("skb->len = %u\n", (*pskb)->len);
+ return NF_ACCEPT;
+ }
+
+ ip_ct_refresh_acct(ct, ctinfo, NULL, sip_timeout * HZ);
+
+ LOCK_BH(&sipbf_lock);
+
+ if ((dataoff + (*pskb)->len - dataoff) <= skb_headlen(*pskb))
+ dptr = (*pskb)->data + dataoff;
+ else {
+ DEBUGP("SIP mangle in copied skbuff not supported yet.\n");
+ goto out;
+ }
+
+ if (ip_nat_sip_hook) {
+ if (!ip_nat_sip_hook(pskb, ctinfo, ct, &dptr)) {
+ ret = NF_DROP;
+ goto out;
+ }
+ }
+
+ if ((ctinfo) >= IP_CT_IS_REPLY)
+ goto out;
+
+ /* After this point NAT, could have mangled skb, so
+ we need to recalculate payload lenght. */
+ datalen = (*pskb)->len - dataoff;
+
+ if (datalen < (sizeof("SIP/2.0 200") - 1))
+ goto out;
+
+ /* RTP info only in some SDP pkts */
+ if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
+ memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) {
+ goto out;
+ }
+ /* Get ip and port address from SDP packet. */
+ if (ct_sip_get_info(dptr, datalen, &matchoff, &matchlen,
+ &ct_sip_hdrs[POS_CONECTION]) > 0) {
+
+ /* We'll drop only if there are parse problems. */
+ if (parse_ipaddr(dptr + matchoff, NULL, &ipaddr,
+ dptr + datalen) < 0) {
+ ret = NF_DROP;
+ goto out;
+ }
+ if (ct_sip_get_info(dptr, datalen, &matchoff, &matchlen,
+ &ct_sip_hdrs[POS_MEDIA]) > 0) {
+
+ port = simple_strtoul(dptr + matchoff, NULL, 10);
+ if (port < 1024) {
+ ret = NF_DROP;
+ goto out;
+ }
+ ret = set_expected_rtp(pskb, ct, ctinfo,
+ ipaddr, port, dptr);
+ }
+ }
+out: UNLOCK_BH(&sipbf_lock);
+ return ret;
+}
+
+static struct ip_conntrack_helper sip[MAX_PORTS];
+static char sip_names[MAX_PORTS][10];
+
+static void fini(void)
+{
+ int i = 0;
+ for (; i < ports_c; i++) {
+ DEBUGP("unregistering helper for port %d\n", ports[i]);
+ ip_conntrack_helper_unregister(&sip[i]);
+ }
+}
+
+static int __init init(void)
+{
+ int i, ret;
+ char *tmpname;
+
+ if (ports_c == 0)
+ ports[ports_c++] = SIP_PORT;
+
+ for (i = 0; i < ports_c; i++) {
+ /* Create helper structure */
+ memset(&sip[i], 0, sizeof(struct ip_conntrack_helper));
+
+ sip[i].tuple.dst.protonum = IPPROTO_UDP;
+ sip[i].tuple.src.u.udp.port = htons(ports[i]);
+ sip[i].mask.src.u.udp.port = 0xFFFF;
+ sip[i].mask.dst.protonum = 0xFF;
+ sip[i].max_expected = 1;
+ sip[i].timeout = 3 * 60; /* 3 minutes */
+ sip[i].me = THIS_MODULE;
+ sip[i].help = sip_help;
+
+ tmpname = &sip_names[i][0];
+ if (ports[i] == SIP_PORT)
+ sprintf(tmpname, "sip");
+ else
+ sprintf(tmpname, "sip-%d", i);
+ sip[i].name = tmpname;
+
+ DEBUGP("port #%d: %d\n", i, ports[i]);
+
+ ret=ip_conntrack_helper_register(&sip[i]);
+ if (ret) {
+ printk("ERROR registering helper for port %d\n",
+ ports[i]);
+ fini();
+ return(ret);
+ }
+ }
+ return(0);
+}
+
+module_init(init);
+module_exit(fini);

复制代码

[ 本帖最后由 platinum 于 2006-9-25 11:08 编辑 ]

qingfeng79

稍有积蓄

论坛徽章:: 0

8楼 [报告]

发表于 2006-09-25 10:46 |显示全部楼层

diff -urN linux2425_jffs2/net/ipv4/netfilter/ip_nat_sip.c linux2425_jffs2/net/ipv4/netfilter/ip_nat_sip.c
--- linux2425_jffs2/net/ipv4/netfilter/ip_nat_sip.c (revision 0)
+++ linux2425_jffs2/net/ipv4/netfilter/ip_nat_sip.c (revision 0)
@@ -0,0 +1,253 @@
+/* SIP extension for UDP NAT alteration.
+ *
+ * (C) 2005 by Christian Hentschel <[email]chentschel@arnet.com.ar[/email]>
+ * based on RR's ip_nat_ftp.c and other modules.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/ctype.h>
+#include <linux/module.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/moduleparam.h>
+#include <net/udp.h>
+#include <linux/netfilter_ipv4/ip_nat.h>
+#include <linux/netfilter_ipv4/ip_nat_helper.h>
+#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_sip.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Christian Hentschel <[email]chentschel@arnet.com.ar[/email]>");
+MODULE_DESCRIPTION("SIP NAT helper");
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+extern struct sip_header_nfo ct_sip_hdrs[];
+
+static unsigned int mangle_sip_packet(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack *ct,
+ char **dptr, int dlen,
+ char *buffer, int bufflen,
+ struct sip_header_nfo *hnfo)
+{
+ unsigned int matchlen, matchoff;
+
+ if (ct_sip_get_info(*dptr, dlen, &matchoff, &matchlen, hnfo) <= 0)
+ return 0;
+
+ if (!ip_nat_mangle_udp_packet(pskb, ct, ctinfo,
+ matchoff, matchlen, buffer, bufflen)) {
+ return 0;
+ }
+ /* We need to reload this. Thanks Patrick. */
+ *dptr = (*pskb)->data + (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+ return 1;
+}
+
+static unsigned int ip_nat_sip(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack *ct,
+ char **dptr)
+{
+ char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+ unsigned int bufflen, dataoff;
+ uint32_t ip;
+ uint16_t port;
+
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+
+ if ((ctinfo) >= IP_CT_IS_REPLY) {
+ ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
+ port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
+ } else {
+ ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
+ port = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.udp.port;
+ }
+ bufflen = sprintf(buffer, "%u.%u.%u.%u:%u", NIPQUAD(ip), ntohs(port));
+
+ /* short packet ? */
+ if (((*pskb)->len - dataoff) < (sizeof("SIP/2.0") - 1))
+ return 0;
+
+ /* Basic rules: requests and responses. */
+ if (memcmp(*dptr, "SIP/2.0", sizeof("SIP/2.0") - 1) == 0) {
+
+ if ((ctinfo) < IP_CT_IS_REPLY) {
+ mangle_sip_packet(pskb, ctinfo, ct, dptr,
+ (*pskb)->len - dataoff, buffer, bufflen,
+ &ct_sip_hdrs[POS_CONTACT]);
+ return 1;
+ }
+
+ if (!mangle_sip_packet(pskb, ctinfo, ct, dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_VIA])) {
+ return 0;
+ }
+
+ /* This search should ignore case, but later.. */
+ char *aux = ct_sip_search("CSeq:", *dptr, sizeof("CSeq:") - 1,
+ (*pskb)->len - dataoff);
+ if (!aux)
+ return 0;
+
+ if (!ct_sip_search("REGISTER", aux, sizeof("REGISTER"),
+ ct_sip_lnlen(aux, *dptr + (*pskb)->len - dataoff))) {
+ return 1;
+ }
+ return mangle_sip_packet(pskb, ctinfo, ct, dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_CONTACT]);
+ }
+ if ((ctinfo) < IP_CT_IS_REPLY) {
+ if (!mangle_sip_packet(pskb, ctinfo, ct, dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_VIA])) {
+ return 0;
+ }
+
+ /* Mangle Contact if exists only. - watch udp_nat_mangle()! */
+ mangle_sip_packet(pskb, ctinfo, ct, dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_CONTACT]);
+ return 1;
+ }
+ /* This mangle requests headers. */
+ return mangle_sip_packet(pskb, ctinfo, ct, dptr,
+ ct_sip_lnlen(*dptr, *dptr + (*pskb)->len - dataoff),
+ buffer, bufflen, &ct_sip_hdrs[POS_REQ_HEADER]);
+}
+
+static int mangle_content_len(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack *ct,
+ char *dptr)
+{
+ unsigned int dataoff, matchoff, matchlen;
+ char buffer[sizeof("65536")];
+ int bufflen;
+
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+
+ /* Get actual SDP lenght */
+ if (ct_sip_get_info(dptr, (*pskb)->len - dataoff, &matchoff,
+ &matchlen, &ct_sip_hdrs[POS_SDP_HEADER]) > 0) {
+
+ /* since ct_sip_get_info() give us a pointer passing 'v='
+ we need to add 2 bytes in this count. */
+ int c_len = (*pskb)->len - dataoff - matchoff + 2;
+
+ /* Now, update SDP lenght */
+ if (ct_sip_get_info(dptr, (*pskb)->len - dataoff, &matchoff,
+ &matchlen, &ct_sip_hdrs[POS_CONTENT]) > 0) {
+
+ bufflen = sprintf(buffer, "%u", c_len);
+
+ return ip_nat_mangle_udp_packet(pskb, ct, ctinfo, matchoff,
+ matchlen, buffer, bufflen);
+ }
+ }
+ return 0;
+}
+
+static unsigned int mangle_sdp(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack *ct,
+ uint32_t newip, uint16_t port,
+ char *dptr)
+{
+ char buffer[sizeof("nnn.nnn.nnn.nnn")];
+ unsigned int dataoff, bufflen;
+
+ dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+
+ /* Mangle owner and contact info. */
+ bufflen = sprintf(buffer, "%u.%u.%u.%u", NIPQUAD(newip));
+ if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_OWNER])) {
+ return 0;
+ }
+
+ if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_CONECTION])) {
+ return 0;
+ }
+
+ /* Mangle media port. */
+ bufflen = sprintf(buffer, "%u", port);
+ if (!mangle_sip_packet(pskb, ctinfo, ct, &dptr, (*pskb)->len - dataoff,
+ buffer, bufflen, &ct_sip_hdrs[POS_MEDIA])) {
+ return 0;
+ }
+
+ return mangle_content_len(pskb, ctinfo, ct, dptr);
+}
+
+/* So, this packet has hit the connection tracking matching code.
+ Mangle it, and change the expectation to match the new version. */
+static unsigned int ip_nat_sdp(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ struct ip_conntrack_expect *exp,
+ char *dptr)
+{
+ struct ip_conntrack *ct = exp->master;
+ uint32_t newip;
+ uint16_t port;
+
+ DEBUGP("ip_nat_sdp():\n");
+
+ /* Connection will come from reply */
+ newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
+
+ exp->tuple.dst.ip = newip;
+ exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+ exp->dir = IP_CT_DIR_REPLY;
+
+ /* When you see the packet, we need to NAT it the same as the
+ this one. */
+ exp->expectfn = ip_nat_follow_master;
+
+ /* Try to get same port: if not, try to change it. */
+ for (port = ntohs(exp->saved_proto.udp.port); port != 0; port++) {
+ exp->tuple.dst.u.udp.port = htons(port);
+ if (ip_conntrack_expect_related(exp) == 0)
+ break;
+ }
+
+ if (port == 0) {
+ ip_conntrack_expect_free(exp);
+ return NF_DROP;
+ }
+
+ if (!mangle_sdp(pskb, ctinfo, ct, newip, port, dptr)) {
+ ip_conntrack_unexpect_related(exp);
+ return NF_DROP;
+ }
+ return NF_ACCEPT;
+}
+
+static void __exit fini(void)
+{
+ ip_nat_sip_hook = NULL;
+ ip_nat_sdp_hook = NULL;
+ /* Make sure noone calls it, meanwhile. */
+ synchronize_net();
+}
+
+static int __init init(void)
+{
+ BUG_ON(ip_nat_sip_hook);
+ BUG_ON(ip_nat_sdp_hook);
+ ip_nat_sip_hook = ip_nat_sip;
+ ip_nat_sdp_hook = ip_nat_sdp;
+ return 0;
+}
+
+module_init(init);
+module_exit(fini);

复制代码

这是经我稍微修改的sip patch for 2.4.25.应该没什么问题，模块加载也正确.这种方法就是ALG实现的方法.
但问题还是存在.

[ 本帖最后由 platinum 于 2006-9-25 11:08 编辑 ]

qingfeng79

稍有积蓄

论坛徽章:: 0

9楼 [报告]

发表于 2006-09-25 11:48 |显示全部楼层

大概是，不过我也不想做ALG了,毕竟ALG要修改包头.在大量的语音传输中会影响通讯质量.还是先做一个FUll cone Nat for linux ,现在正在分析Netfilter结构，和Nat实现机制.platinum有什么相关资料介绍一下??

返回列表

Chinaunix › 论坛 › 操作系统 › Linux系统管理 › platinum进来讨论一下(iptables nat方式)