Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky Cisco phones

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Patrick McHardy

Subject: Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky Cisco phones

Date: Monday, November 15, 2010 - 3:15 am

On 15.11.2010 04:01, Kevin Cernekee wrote:
quoted text> On Sun, Nov 14, 2010 at 11:57 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> Via: SIP/2.0/UDP 192.168.2.28:5060;branch=xxxxxxxx
>>
>>
>> Maybe a fix would be to use this "5060" port, instead of hardcoding it
>> like you did ?
> 
> Just posted v2... appreciate the advice so far.
> 
> My new code in process_sip_request() looks for an address match + port
> mismatch between the IP source and the Via: header.  This is how it
> tries to detect whether we are talking directly to an afflicted Cisco
> phone.  If the address doesn't match, I assume the request is passing
> through a non-SIP-aware NAT router so there is no special handling.
> 
> Assuming we can reliably detect the "quirky phone" condition, is there
> any way to just trick Netfilter into thinking the source port was 5060
> instead of 49xxx?  3/4ths of the patch could probably be eliminated if
> we could overwrite the port number inside tuplehash.

The problem in doing this is that further packets from port 49xxx
wouldn't be recognized as belonging to the same connection. If another
packet was sent to the same destination conntrack would treat it as
a new connection, rewrite the source port number, notice the clash and
drop the packet.

The same problem exists with your current patch, packets from port
5060 to the same destination won't be recognized as belonging to the
connection that sent the REGISTER and thus won't be able to modify the
timeout or unregister.

Basically we would need three-legged connections to handle this
situation correctly. I've actually done some work to move one of
the conntrack tuples to a ct_extend since in most situations
(all except IPv4 NAT and ICMP packets) the tuples are symetrical
and the second one can easily be derived, but I never managed
to finish it - not sure what the problem was anymore, I'll see
if I can still find those patches. With this we could simply
attach a third tuple to a connection.
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky Cis ..., Kevin Cernekee, (Sun Nov 14, 1:32 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Eric Dumazet, (Sun Nov 14, 1:59 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Kevin Cernekee, (Sun Nov 14, 11:33 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Kevin Cernekee, (Sun Nov 14, 8:01 pm)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Patrick McHardy, (Mon Nov 15, 2:51 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Patrick McHardy, (Mon Nov 15, 3:15 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Kevin Cernekee, (Mon Nov 15, 9:46 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Patrick McHardy, (Mon Nov 15, 9:58 am)

Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky ..., Kevin Cernekee, (Mon Nov 15, 3:09 pm)

Navigation

Popular discussions


linux-kernel:
Paul Turner	[tg_shares_up rewrite v4 11/11] sched: update tg->shares after cpu.shares write
Mr. James W. Laferriere	Re: Linux 2.6.25-rc1 , syntax error near unexpected token `;'
Linus Torvalds	Linux 2.6.34-rc4
Colin Cross	[PATCH 12/21] ARM: tegra: Add suspend and hotplug support
Chuck Ebbert	Re: PCI: Unable to reserve mem region problem
git:
Fredrik Kuivinen	Re: fatal: unable to create '.git/index': File exists
Wink Saville	How-to combine several separate git repos?
Emily Ren	How to pull remote branch with specified commit id?
Denis Bueno	Git clone error
pradeep singh	git-update-server-info may be required,cannot clone and pull from a remote reposit...
linux-netdev:
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
Timo Teräs	ip xfrm policy semantics
Jarek Poplawski	Re: socket api problem: can't bind an ipv6 socket to ::ffff:0.0.0.0
Michael S. Tsirkin	[PATCH 3/3] vhost: fix get_user_pages_fast error handling
Jeff Garzik	Re: [0/3] POHMELFS high performance network filesystem. First steps in parallel pr...
openbsd-misc:
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Netmaffia.hu	Tini Lányok AKCIÓBAN OTTHON
Siju George	This is what Linus Torvalds calls openBSD crowd
Darrin Chandler	Re: OT: Python (was Re: vi in /bin)
frantisek holop	Re: splassert: vwakeup: and friends
git-commits-head:
Linux Kernel Mailing List	ASoC: fix registration of the SoC card in the Freescale MPC8610 drivers
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	powerpc/fsl_msi: enable msi allocation in all banks
Linux Kernel Mailing List	bnx2x: Moving includes
Linux Kernel Mailing List	nfsd41: sanity check client drc maxreqs

Colocation donated by:

Syndicate