18082746a28588f94496f2daa050c11decb54179 |
|
14-Oct-2014 |
Rasmus Villemoes <linux@rasmusvillemoes.dk> |
netfilter: replace strnicmp with strncasecmp The kernel used to contain two functions for length-delimited, case-insensitive string comparison, strnicmp with correct semantics and a slightly buggy strncasecmp. The latter is the POSIX name, so strnicmp was renamed to strncasecmp, and strnicmp made into a wrapper for the new strncasecmp to avoid breaking existing users. To allow the compat wrapper strnicmp to be removed at some point in the future, and to avoid the extra indirection cost, do s/strnicmp/strncasecmp/g. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
ca7433df3a672efc88e08222cfa4b3aa965ca324 |
|
03-Mar-2014 |
Jesper Dangaard Brouer <brouer@redhat.com> |
netfilter: conntrack: seperate expect locking from nf_conntrack_lock Netfilter expectations are protected with the same lock as conntrack entries (nf_conntrack_lock). This patch split out expectations locking to use it's own lock (nf_conntrack_expect_lock). Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
180cf72f56fab2810e00497c087c7126bfe53c85 |
|
30-Sep-2013 |
holger@eitzenberger.org <holger@eitzenberger.org> |
netfilter: nf_ct_sip: consolidate NAT hook functions There are currently seven different NAT hooks used in both nf_conntrack_sip and nf_nat_sip, each of the hooks is exported in nf_conntrack_sip, then set from the nf_nat_sip NAT helper. And because each of them is exported there is quite some overhead introduced due of this. By introducing nf_nat_sip_hooks I am able to reduce both text/data somewhat. For nf_conntrack_sip e. g. I get text data bss dec old 15243 5256 32 20531 new 15010 5192 32 20234 Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
b21613aeb649293946556410ff10dbb8c639f298 |
|
20-Sep-2013 |
holger@eitzenberger.org <holger@eitzenberger.org> |
netfilter: nf_ct_sip: extend RCU read lock in set_expected_rtp_rtcp() Currently set_expected_rtp_rtcp() in the SIP helper uses rcu_dereference() two times to access two different NAT hook functions. However, only the first one is protected by the RCU reader lock, but the 2nd isn't. Fix it by extending the RCU protected area. This is more a cosmetic thing since we rely on all netfilter hooks being rcu_read_lock()ed by nf_hook_slow() in many places anyways, as Patrick McHardy clarified. Signed-off-by: Holger Eitzenberger <holger.eitzenberger@sophos.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
3a7b21eaf4fb3c971bdb47a98f570550ddfe4471 |
|
05-Apr-2013 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet Some Cisco phones create huge messages that are spread over multiple packets. After calculating the offset of the SIP body, it is validated to be within the packet and the packet is dropped otherwise. This breaks operation of these phones. Since connection tracking is supposed to be passive, just let those packets pass unmodified and untracked. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
b67bfe0d42cac56c512dd5da4b1b347a23f4b70a |
|
28-Feb-2013 |
Sasha Levin <sasha.levin@oracle.com> |
hlist: drop the node parameter from iterators I'm not sure why, but the hlist for each entry iterators were conceived list_for_each_entry(pos, head, member) The hlist ones were greedy and wanted an extra parameter: hlist_for_each_entry(tpos, pos, head, member) Why did they need an extra pos parameter? I'm not quite sure. Not only they don't really need it, it also prevents the iterator from looking exactly like the list iterator, which is unfortunate. Besides the semantic patch, there was some manual work required: - Fix up the actual hlist iterators in linux/list.h - Fix up the declaration of other iterators based on the hlist ones. - A very small amount of places were using the 'node' parameter, this was modified to use 'obj->member' instead. - Coccinelle didn't handle the hlist_for_each_entry_safe iterator properly, so those had to be fixed up manually. The semantic patch which is mostly the work of Peter Senna Tschudin is here: @@ iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host; type T; expression a,c,d,e; identifier b; statement S; @@ -T b; <+... when != b ( hlist_for_each_entry(a, - b, c, d) S | hlist_for_each_entry_continue(a, - b, c) S | hlist_for_each_entry_from(a, - b, c) S | hlist_for_each_entry_rcu(a, - b, c, d) S | hlist_for_each_entry_rcu_bh(a, - b, c, d) S | hlist_for_each_entry_continue_rcu_bh(a, - b, c) S | for_each_busy_worker(a, c, - b, d) S | ax25_uid_for_each(a, - b, c) S | ax25_for_each(a, - b, c) S | inet_bind_bucket_for_each(a, - b, c) S | sctp_for_each_hentry(a, - b, c) S | sk_for_each(a, - b, c) S | sk_for_each_rcu(a, - b, c) S | sk_for_each_from -(a, b) +(a) S + sk_for_each_from(a) S | sk_for_each_safe(a, - b, c, d) S | sk_for_each_bound(a, - b, c) S | hlist_for_each_entry_safe(a, - b, c, d, e) S | hlist_for_each_entry_continue_rcu(a, - b, c) S | nr_neigh_for_each(a, - b, c) S | nr_neigh_for_each_safe(a, - b, c, d) S | nr_node_for_each(a, - b, c) S | nr_node_for_each_safe(a, - b, c, d) S | - for_each_gfn_sp(a, c, d, b) S + for_each_gfn_sp(a, c, d) S | - for_each_gfn_indirect_valid_sp(a, c, d, b) S + for_each_gfn_indirect_valid_sp(a, c, d) S | for_each_host(a, - b, c) S | for_each_host_safe(a, - b, c, d) S | for_each_mesh_entry(a, - b, c, d) S ) ...+> [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c] [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c] [akpm@linux-foundation.org: checkpatch fixes] [akpm@linux-foundation.org: fix warnings] [akpm@linux-foudnation.org: redo intrusive kvm changes] Tested-by: Peter Senna Tschudin <peter.senna@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: Marcelo Tosatti <mtosatti@redhat.com> Cc: Gleb Natapov <gleb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
b20ab9cc63ca4605aec154cf54faa8455749f3f6 |
|
10-Feb-2013 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_ct_helper: better logging for dropped packets Connection tracking helpers have to drop packets under exceptional situations. Currently, the user gets the following logging message in case that happens: nf_ct_%s: dropping packet ... However, depending on the helper, there are different reasons why a packet can be dropped. This patch modifies the existing code to provide more specific error message in the scope of each helper to help users to debug the reason why the packet has been dropped, ie: nf_ct_%s: dropping packet: reason ... Thanks to Joe Perches for many formatting suggestions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
7266507d89991fa1e989283e4e032c6d9357fe26 |
|
17-Dec-2012 |
Kevin Cernekee <cernekee@gmail.com> |
netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones Most SIP devices use a source port of 5060/udp on SIP requests, so the response automatically comes back to port 5060: phone_ip:5060 -> proxy_ip:5060 REGISTER proxy_ip:5060 -> phone_ip:5060 100 Trying The newer Cisco IP phones, however, use a randomly chosen high source port for the SIP request but expect the response on port 5060: phone_ip:49173 -> proxy_ip:5060 REGISTER proxy_ip:5060 -> phone_ip:5060 100 Trying Standard Linux NAT, with or without nf_nat_sip, will send the reply back to port 49173, not 5060: phone_ip:49173 -> proxy_ip:5060 REGISTER proxy_ip:5060 -> phone_ip:49173 100 Trying But the phone is not listening on 49173, so it will never see the reply. This patch modifies nf_*_sip to work around this quirk by extracting the SIP response port from the Via: header, iff the source IP in the packet header matches the source IP in the SIP request. Signed-off-by: Kevin Cernekee <cernekee@gmail.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Cc: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
9a664821068739dbc8eac13770e28167b46a0c0f |
|
26-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_nat: support IPv6 in SIP NAT helper Add IPv6 support to the SIP NAT helper. There are no functional differences to IPv4 NAT, just different formats for addresses. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
c7232c9979cba684c50b64c513c4a83c9aa70563 |
|
26-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
netfilter: add protocol independent NAT core Convert the IPv4 NAT implementation to a protocol independent core and address family specific modules. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
051966c0c644a1c96092d4206e00704ade813c9a |
|
26-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_nat: add protoff argument to packet mangling functions For mangling IPv6 packets the protocol header offset needs to be known by the NAT packet mangling functions. Add a so far unused protoff argument and convert the conntrack and NAT helpers to use it in preparation of IPv6 NAT. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
811927ccfe90fbfcfff5253ba7f95057f6cae692 |
|
26-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack: restrict NAT helper invocation to IPv4 The NAT helpers currently only handle IPv4 packets correctly. Restrict invocation of the helpers to IPv4 in preparation of IPv6 NAT. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
02b69cbdc2fb2e1bfbfd9ac0c246d7be1b08d3cd |
|
09-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_ct_sip: fix IPv6 address parsing Within SIP messages IPv6 addresses are enclosed in square brackets in most cases, with the exception of the "received=" header parameter. Currently the helper fails to parse enclosed addresses. This patch: - changes the SIP address parsing function to enforce square brackets when required, and accept them when not required but present, as recommended by RFC 5118. - adds a new SDP address parsing function that never accepts square brackets since SDP doesn't use them. With these changes, the SIP helper correctly parses all test messages from RFC 5118 (Session Initiation Protocol (SIP) Torture Test Messages for Internet Protocol Version 6 (IPv6)). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
e9324b2ce656e1910d2385b9b47a2f926456dbe3 |
|
09-Aug-2012 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_ct_sip: fix helper name Commit 3a8fc53a (netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names) introduced a bug in the SIP helper, the helper name is sprinted to the sip_names array instead of instead of into the helper structure. This breaks the helper match and the /proc/net/nf_conntrack_expect output. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
1afc56794e03229fa53cfa3c5012704d226e1dec |
|
07-Jun-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_ct_helper: implement variable length helper private data This patch uses the new variable length conntrack extensions. Instead of using union nf_conntrack_help that contain all the helper private data information, we allocate variable length area to store the private helper data. This patch includes the modification of all existing helpers. It also includes a couple of include header to avoid compilation warnings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
3a8fc53a45c444400259e2e285ba414a87061e3d |
|
15-Jan-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names This patch modifies the struct nf_conntrack_helper to allocate the room for the helper name. The maximum length is 16 bytes (this was already introduced in 2.6.24). For the maximum length for expectation policy names, I have also selected 16 bytes. This patch is required by the follow-up patch to support user-space connection tracking helpers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
fb04883371f2cb7867d24783e7d590036dc9b548 |
|
19-May-2011 |
Eric Dumazet <eric.dumazet@gmail.com> |
netfilter: add more values to enum ip_conntrack_info Following error is raised (and other similar ones) : net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’: net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’ not in enumerated type ‘enum ip_conntrack_info’ gcc barfs on adding two enum values and getting a not enumerated result : case IP_CT_RELATED+IP_CT_IS_REPLY: Add missing enum values Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: David Miller <davem@davemloft.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
e6e4d9ed11fb1fab8b3256a3dc14d71b5e984ac4 |
|
16-May-2011 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_ct_sip: fix SDP parsing in TCP SIP messages for some Cisco phones Some Cisco phones do not place the Content-Length field at the end of the SIP message. This is valid, due to a misunderstanding of the specification the parser expects the SDP body to start directly after the Content-Length field. Fix the parser to scan for \r\n\r\n to locate the beginning of the SDP body. Reported-by: Teresa Kang <teresa_kang@gemtek.com.tw> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
274ea0e2a4cdf18110e5931b8ecbfef6353e5293 |
|
16-May-2011 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_ct_sip: validate Content-Length in TCP SIP messages Verify that the message length of a single SIP message, which is calculated based on the Content-Length field contained in the SIP message, does not exceed the packet boundaries. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
25985edcedea6396277003854657b5f3cb31a628 |
|
31-Mar-2011 |
Lucas De Marchi <lucas.demarchi@profusion.mobi> |
Fix common misspellings Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>
|
001985b2c0cfad48e1dec8e30f4d432eac240dd2 |
|
22-Aug-2010 |
Simon Horman <horms@verge.net.au> |
netfilter: nf_conntrack_sip: Add callid parser Signed-off-by: Simon Horman <horms@verge.net.au> Acked-by: Julian Anastasov <ja@ssi.bg>
|
5adbb9fb0c35c38022f79e09fecf15ba8f65f069 |
|
22-Aug-2010 |
Simon Horman <horms@verge.net.au> |
netfilter: nf_conntrack_sip: Allow ct_sip_get_header() to be called with a null ct argument Signed-off-by: Simon Horman <horms@verge.net.au> Acked-by: Julian Anastasov <ja@ssi.bg>
|
7874896a26624214bd7c05eeba7c8ab01548b1b5 |
|
21-Sep-2010 |
Simon Horman <horms@verge.net.au> |
netfilter: nf_ct_sip: default to NF_ACCEPT in sip_help_tcp() I initially noticed this because of the compiler warning below, but it does seem to be a valid concern in the case where ct_sip_get_header() returns 0 in the first iteration of the while loop. net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp': net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function Signed-off-by: Simon Horman <horms@verge.net.au> [Patrick: changed NF_DROP to NF_ACCEPT] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
a1d7c1b4b8dfbc5ecadcff9284d64bb6ad4c0196 |
|
14-May-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_ct_sip: handle non-linear skbs Handle non-linear skbs by linearizing them instead of silently failing. Long term the helper should be fixed to either work with non-linear skbs directly by using the string search API or work on a copy of the data. Based on patch by Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
654d0fbdc8fe1041918741ed5b6abc8ad6b4c1d8 |
|
13-May-2010 |
Stephen Hemminger <shemminger@vyatta.com> |
netfilter: cleanup printk messages Make sure all printk messages have a severity level. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
5d0aa2ccd4699a01cfdf14886191c249d7b45a01 |
|
15-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack: add support for "conntrack zones" Normally, each connection needs a unique identity. Conntrack zones allow to specify a numerical zone using the CT target, connections in different zones can use the same identity. Example: iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1 iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1 Signed-off-by: Patrick McHardy <kaber@trash.net>
|
9d288dffe3a276e1f06ba556845c456d696c5a4f |
|
11-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sip: add T.38 FAX support Signed-off-by: Patrick McHardy <kaber@trash.net>
|
48f8ac26537c1b7b1a2422f5232f45d06c945348 |
|
11-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_nat_sip: add TCP support Add support for mangling TCP SIP packets. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f5b321bd37fbec9188feb1f721ab46a5ac0b35da |
|
11-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sip: add TCP support Add TCP support, which is mandated by RFC3261 for all SIP elements. SIP over TCP is similar to UDP, except that messages are delimited by Content-Length: headers and multiple messages may appear in one packet. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
3b6b9fab42fe98358d70735cf98d43fc18dc79c9 |
|
11-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sip: pass data offset to NAT functions When using TCP multiple SIP messages might be present in a single packet. A following patch will parse them by setting the dptr to the beginning of each message. The NAT helper needs to reload the dptr value after mangling the packet however, so it needs to know the offset of the message to the beginning of the packet. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
54101f4f3bed87fa968b57f77f8ff3b09fd88bcf |
|
11-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sip: fix ct_sip_parse_request() REGISTER request parsing When requests are parsed, the "sip:" part of the SIP URI should be skipped. Usually this doesn't matter because address parsing skips forward until after the username part, but in case REGISTER requests it doesn't contain a username and the address can not be parsed. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
b87921bdf25485afd8f5a5f25e86b5acef32a9cf |
|
11-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack: show helper and class in /proc/net/nf_conntrack_expect Make the output a bit more informative by showing the helper an expectation belongs to and the expectation class. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
3ad2f3fbb961429d2aa627465ae4829758bc7e07 |
|
03-Feb-2010 |
Daniel Mack <daniel@caiaq.de> |
tree-wide: Assorted spelling fixes In particular, several occurances of funny versions of 'success', 'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address', 'beginning', 'desirable', 'separate' and 'necessary' are fixed. Signed-off-by: Daniel Mack <daniel@caiaq.de> Cc: Joe Perches <joe@perches.com> Cc: Junio C Hamano <gitster@pobox.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
135d01899b1fba17045961febff7e5141db6048f |
|
19-Jan-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sip: fix off-by-one in compact header parsing In a string like "v:SIP/2.0..." it was checking for !isalpha('S') when it meant to be inspecting the ':'. Patch by Greg Alexander <greqcs@galexander.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
4dc06f9633444f426ef9960c53426f2d2ded64ac |
|
17-Nov-2008 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_conntrack: connection tracking helper name persistent aliases This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a way to provide generic and persistent aliases for the connection tracking helpers. This next patch requires this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
a5c3a8005cb7a36ebcc5b849f6045069ce4f7ca8 |
|
08-Oct-2008 |
Alexey Dobriyan <adobriyan@gmail.com> |
netfilter: netns nf_conntrack: SIP conntracking in netns Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
9b03f38d0487f3908696242286d934c9b38f9d2a |
|
08-Oct-2008 |
Alexey Dobriyan <adobriyan@gmail.com> |
netfilter: netns nf_conntrack: per-netns expectations Make per-netns a) expectation hash and b) expectations count. Expectations always belongs to netns to which it's master conntrack belong. This is natural and doesn't bloat expectation. Proc files and leaf users are stubbed to init_net, this is temporary. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
66bf79182d6531c14c1f9a507b6bbf374a2ae4cd |
|
08-Sep-2008 |
Alexey Dobriyan <adobriyan@gmail.com> |
netfilter: nf_conntrack_sip: de-static helper pointers Helper's ->help hook can run concurrently with itself, so iterating over SIP helpers with static pointer won't work reliably. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
ef75d49f116bccbb80bccd423ecf3cb86c4509a5 |
|
08-May-2008 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sip: restrict RTP expect flushing on error to last request Some Inovaphone PBXs exhibit very stange behaviour: when dialing for example "123", the device sends INVITE requests for "1", "12" and "123" back to back. The first requests will elicit error responses from the receiver, causing the SIP helper to flush the RTP expectations even though we might still see a positive response. Note the sequence number of the last INVITE request that contained a media description and only flush the expectations when receiving a negative response for that sequence number. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
e1f9a464026011b3f7d0f7b6dfab3e562e870a46 |
|
20-Apr-2008 |
Patrick McHardy <kaber@trash.net> |
netfilter: Fix SIP conntrack build with NAT disabled. Reported by Ingo Molnar. The SIP helper is also useful without NAT. This patch adds an ifdef around the RTP call optimization for NATed clients. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
5e8fbe2ac8a3f1e34e7004c5750ef59bf9304f82 |
|
14-Apr-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: add tuplehash l3num/protonum accessors Add accessors for l3num and protonum and get rid of some overly long expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
fa913ddf6372b20b23061996150d38f639488d42 |
|
14-Apr-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: clear address in parse_addr() Some callers pass uninitialized structures, clear the address to make sure later comparisions work properly. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f49e1aa133c2c9b74b5dfddca8863609bbda9086 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: update copyright Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
c7f485abd618e0d249bdd1abdc586bd10fee1954 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: RTP routing optimization Optimize call routing between NATed endpoints: when an external registrar sends a media description that contains an existing RTP expectation from a different SNATed connection, the gatekeeper is trying to route the call directly between the two endpoints. We assume both endpoints can reach each other directly and "un-NAT" the addresses, which makes the media stream go between the two endpoints directly. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
0d0ab0378d67517a4f4ae3497706c13d9dd24af1 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: support multiple media channels Add support for multiple media channels and use it to create expectations for video streams when present. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
4ab9e64e5e3c0516577818804aaf13a630d67bc9 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_nat_sip: split up SDP mangling The SDP connection addresses may be contained in the payload multiple times (in the session description and/or once per media description), currently only the session description is properly updated. Split up SDP mangling so the function setting up expectations only updates the media port, update connection addresses from media descriptions while parsing them and at the end update the session description when the final addresses are known. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
a9c1d35917c0c95c8f95a8e497fb91e301419693 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: create RTCP expectations Create expectations for the RTCP connections in addition to RTP connections. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
d901a9369e6e7d07a7eb4ddb315c6fcbaf8b24d3 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: allow media expectations with wildcard source address Media streams can come from anywhere, add a module parameter which controls whether wildcard expectations or expectations between the two signalling endpoints are created. Since the same media description sent on multiple connections may results in multiple identical expections when using a wildcard source, we need to check whether a similar expectation already exists for a different connection before attempting to register it. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
0f32a40fc91a9ebbbf66e826ac2a829ab37d9cf8 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: create signalling expectations Create expectations for incoming signalling connections when seeing a REGISTER request. This is needed when the registrar uses a different source port number for signalling messages and for receiving incoming calls from other endpoints than the registrar. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
2bbb21168a90c788e12fe722eb66f27e611e7df7 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: introduce URI and header parameter parsing helpers Introduce URI and header parameter parsing helpers. These are needed by the conntrack helper to parse expiration values in Contact: header parameters and by the NAT helper to properly update the Via-header rport=, received= and maddr= parameters. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
9467ee380ae881443bc259fbbac9992baf523e2d |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: flush expectations on call termination Flush the RTP expectations we've created when a call is hung up or terminated otherwise. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
595a8ecb5fa41295a7010678b60cb2f7ab15fe42 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: process ACK and PRACK methods Both may contains SDP offers/answers. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
33cb1e9a93312f0cdd34e0be2bc88e893ff96a33 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: perform NAT after parsing Perform NAT last after parsing the packet. This makes no difference currently, but is needed when dealing with registrations to make sure we seen the unNATed addresses. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
30f33e6dee80c6ded917f978e4f377d1069d519d |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: support method specific request/response handling Add support for per-method request/response handlers and perform SDP parsing for INVITE/UPDATE requests and for all informational and successful responses. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
7d3dd043b69b10f5abe9c785ab82cc6627898fcd |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: move SDP parsing to seperate function Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
624f8b7bba98c27a1464f5f858c4a861d5d3e8d7 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_nat_sip: get rid of text based header translation Use the URI parsing helper to get the numerical addresses and get rid of the text based header translation. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
05e3ced297fe755093140e7487e292fb7603316e |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper Introduce a helper function to parse a SIP-URI in a header value, optionally iterating through all headers of this kind. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
ea45f12a2766dae54e5426a23e8f4bafdbe2782e |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: parse SIP headers properly Introduce new function for SIP header parsing that properly deals with continuation lines and whitespace in headers and use it. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
ac3677406d4e36e86b1eb5a453997a3b3e0c089a |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: kill request URI "header" definitions The request URI is not a header and needs to be treated differently than real SIP headers. Add a seperate function for parsing it and get rid of the POS_REQ_URI/POS_REG_REQ_URI definitions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
3e9b4600b4e71beaa9d943251bfe9c25f6a97b8c |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: add seperate SDP header parsing function SDP and SIP headers are quite different, SIP can have continuation lines, leading and trailing whitespace after the colon and is mostly case-insensitive while SDP headers always begin on a new line and are followed by an equal sign and the value, without any whitespace. Introduce new SDP header parsing function and convert all users that used the SIP header parsing function. This will allow to properly deal with the special SIP cases in the SIP header parsing function later. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
779382eb324ad0c39f8c4d10a47a813b490ab82c |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: use strlen/strcmp Replace sizeof/memcmp by strlen/strcmp. Use case-insensitive comparison for SIP methods and the SIP/2.0 string, as specified in RFC 3261. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
212440a7d04a12ee13787afecc6c86c7fc4e6184 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: remove redundant function arguments The conntrack reference and ctinfo can be derived from the packet. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
2a6cfb22ae002330d445f734668d9158db9e90de |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: adjust dptr and datalen after packet mangling After mangling the packet, the pointer to the data and the length of the data portion may change and need to be adjusted. Use double data pointers and a pointer to the length everywhere and add a helper function to the NAT helper for performing the adjustments. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
b1ec488b1fb3c7a8819857e3506787516ca1ed4d |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: fix some off-by-ones "limit" marks the first character outside the bounds. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
6002f266b3e7f0acc2d5158cddbed41730b02e82 |
|
26-Mar-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: introduce expectation classes and policies Introduce expectation classes and policies. An expectation class is used to distinguish different types of expectations by the same helper (for example audio/video/t.120). The expectation policy is used to hold the maximum number of expectations and the initial timeout for each class. The individual classes are isolated from each other, which means that for example an audio expectation will only evict other audio expectations. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
13f7d63c2911c9d1a254d13899986fc801641127 |
|
31-Jan-2008 |
Jan Engelhardt <jengelh@computergmbh.de> |
[NETFILTER]: nf_{conntrack,nat}_sip: annotate SIP helper with const Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
2f0d2f10391e190f940da70cbdc8a61e4dad98eb |
|
31-Jan-2008 |
Stephen Hemminger <shemminger@vyatta.com> |
[NETFILTER]: conntrack: get rid of sparse warnings Teach sparse about locking here, and fix signed/unsigned warnings. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
643a2c15a407faf08101a20e1a3461160711899d |
|
18-Dec-2007 |
Jan Engelhardt <jengelh@computergmbh.de> |
[NETFILTER]: Introduce nf_inet_address A few netfilter modules provide their own union of IPv4 and IPv6 address storage. Will unify that in this patch series. (1/4): Rename union nf_conntrack_address to union nf_inet_addr and move it to x_tables.h. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
c82381775062cd8d55579959e1fd710f0e607985 |
|
20-Dec-2007 |
Joe Perches <joe@perches.com> |
[NETFILTER]: Spelling fixes Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
3db05fea51cdb162cfa8f69e9cfb9e228919d2a9 |
|
15-Oct-2007 |
Herbert Xu <herbert@gondor.apana.org.au> |
[NETFILTER]: Replace sk_buff ** with sk_buff * With all the users of the double pointers removed, this patch mops up by finally replacing all occurances of sk_buff ** in the netfilter API by sk_buff *. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
|
aa584eda5d2002097de9f608b362d9150730abd7 |
|
14-Aug-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: fix SIP-URI parsing The userinfo component of a SIP-URI is optional, continue parsing at the beginning of the SIP-URI in case its not found. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
465f90a486cd724d364167747e8b8b9f806fa91a |
|
14-Aug-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sip: check sname != NULL before calling strncmp The check got lost during the conversion to nf_conntrack. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
0d53778e81ac7af266dac8a20cc328328c327112 |
|
08-Jul-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: Convert DEBUGP to pr_debug Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
d4156e8cd93f5772483928aaf4960120caebd789 |
|
08-Jul-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: reduce masks to a subset of tuples Since conntrack currently allows to use masks for every bit of both helper and expectation tuples, we can't hash them and have to keep them on two global lists that are searched for every new connection. This patch removes the never used ability to use masks for the destination part of the expectation tuple and completely removes masks from helpers since the only reasonable choice is a full match on l3num, protonum and src.u.all. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
6823645d608541c2c69e8a99454936e058c294e0 |
|
08-Jul-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_expect: function naming unification Currently there is a wild mix of nf_conntrack_expect_, nf_ct_exp_, expect_, exp_, ... Consistently use nf_ct_ as prefix for exported functions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
d258131aaea8a3979f82c0313b9a583130b29981 |
|
22-Jun-2007 |
Jerome Borsboom <j.borsboom@erasmusmc.nl> |
[NETFILTER]: nf_conntrack_sip: add missing message types containing RTP info Signed-off-by: Jerome Borsboom <j.borsboom@erasmusmc.nl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
601e68e100b6bf8ba13a32db8faf92d43acaa997 |
|
12-Feb-2007 |
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> |
[NETFILTER]: Fix whitespace errors Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
adcb4711101dfef89d473f64a913089d303962ae |
|
30-Jan-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: SIP conntrack: fix out of bounds memory access When checking for an @-sign in skp_epaddr_len, make sure not to run over the packet boundaries. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
7da5bfbb12e327b3a347ee3e076957cd6564eb56 |
|
30-Jan-2007 |
Lars Immisch <lars@ibp.de> |
[NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers When trying to skip over the username in the Contact header, stop at the end of the line if no @ is found to avoid mangling following headers. We don't need to worry about continuation lines because we search inside a SIP URI. Fixes Netfilter Bugzilla #532. Signed-off-by: Lars Immisch <lars@ibp.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
1863f0965e716cc61d3c23cf106d41aa070f706f |
|
03-Dec-2006 |
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> |
[NETFILTER]: nf_conntrack: fix header inclusions for helpers Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
|
9fafcd7b203229c3f3893a475741afc27e276306 |
|
03-Dec-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port Add IPv4 and IPv6 capable nf_conntrack port of the SIP conntrack/NAT helper. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|