16 Jul, 2019
1 commit
-
When conntracks change during a dialog, SDP messages may be sent from
different conntracks to establish expects with identical tuples. In this
case an expects conflict may be detected for the 2nd SDP message and end up
with a process failure.

The fix here is to reuse an existing expect that has the same tuple for a
different conntrack if any.

Here are two scenarios for the case.

1)
SERVER                                   CPE
        |  INVITE SDP           |
5060    |<----------------------|5060
        |  183 SDP              |
5060    |---------------------->|5060  ===> Conntrack 1
        |  PRACK                |
50601   |<----------------------|5060
        |  200 OK (INVITE)      |
5060    |---------------------->|5060
        |  ACK                  |
50601   |<----------------------|
        |                       |
        |  INVITE SDP (t38)     |
50601   |---------------------->|5060  ===> Conntrack 2

With a certain configuration in the CPE, SIP messages "183 with SDP" and
"re-INVITE with SDP t38" will go through the sip helper to create
expects for RTP and RTCP.

It is okay to create RTP and RTCP expects for "183", whose master
connection source port is 5060, and destination port is 5060.

In the "183" message, port in Contact header changes to 50601 (from the
original 5060). So the following requests e.g. PRACK and ACK are sent to
port 50601. It is a different conntrack (let's call it Conntrack 2) from the
original INVITE (let's call it Conntrack 1) due to the port difference.

In this example, after the call is established, there is an RTP stream but no
RTCP stream for Conntrack 1, so the RTP expect created upon "183" is
cleared, and the RTCP expect created for Conntrack 1 remains.

When "re-INVITE with SDP t38" arrives to create RTP&RTCP expects, current
ALG implementation will call nf_ct_expect_related() for RTP and RTCP. The
expects tuples are identical to those for Conntrack 1. RTP expect for
Conntrack 2 succeeds in creation as the one for Conntrack 1 has been
removed. RTCP expect for Conntrack 2 fails in creation because it has
identical tuples and 'conflicts' with the one retained for Conntrack 1. This
then results in a failure in processing of the re-INVITE.

2)
SERVER A                                 CPE
        |  REGISTER             |
5060    | CT1
        |  200                  |
5060    |------------------>| 5060
        |                       |
        |  INVITE SDP(1)        |
5060    || 5060 SERVER B
        |  ACK                  |
5060    || 5060 ==> CT2
        |  100                  |
5060    || 50601 ==> CT3
        |                       |
        ||
        |                       |
        |  BYE                  |
5060    || 50601
        |  INVITE SDP(3)        |
5060    | CT1

CPE sends an INVITE request(1) to Server A, and creates an RTP&RTCP expect
pair for this Conntrack 1 (CT1). Server A responds 300 to redirect to
Server B. The RTP&RTCP expect pairs created on CT1 are removed upon 300
response.

CPE sends the INVITE request(2) to Server B, and creates an expect pair
for the new conntrack (due to destination address difference), let's call it
CT2. Server B changes the port to 50601 in 200 OK response, and the
following requests ACK and BYE from CPE are sent to 50601. The call is
established. There is an RTP stream and no RTCP stream. So the RTP expect is
removed and the RTCP expect for CT2 remains.

As the BYE request is sent from port 50601, it is another conntrack, let's call
it CT3, different from CT2 due to the port difference. So the BYE request will
not remove the RTCP expect for CT2.

Then another outgoing call is made, with the same RTP port being used (not
definitely but possibly). CPE firstly sends the INVITE request(3) to Server
A, and tries to create an RTP&RTCP expect pair for this CT1. In current ALG
implementation, the RTCP expect for CT1 fails in creation because it
'conflicts' with the residual one for CT2. As a result the INVITE request
fails to send.

Signed-off-by: xiao ruizhu
Signed-off-by: Pablo Neira Ayuso
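The clash described in scenario 1, replayed against a small userspace model. This is an added example, not code from the commit or from the kernel: nf_conntrack_expect, nf_ct_expect_related() and the hashed expectation table are not reproduced, only the rule that an identical tuple owned by a different master conntrack is a conflict, and the fix of reusing that expect instead of failing. Function names, the table layout, the addresses and the ports are all constructed for the example.

```c
/* Userspace model of the expectation clash from the commit message above.
 * Constructed example, not kernel code: nf_conntrack_expect and
 * nf_ct_expect_related() are not reproduced, only the tuple-conflict rule
 * and the "reuse the existing expect" fix. All names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXPECTS 16

struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t proto;
};

struct expect {
    int in_use;
    int master_ct;   /* id of the conntrack that registered the expect */
    struct tuple t;  /* flow the helper expects, e.g. the RTCP leg */
};

static struct expect table[MAX_EXPECTS];

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport &&
           a->proto == b->proto;
}

static struct expect *find_expect(const struct tuple *t)
{
    for (int i = 0; i < MAX_EXPECTS; i++)
        if (table[i].in_use && tuple_eq(&table[i].t, t))
            return &table[i];
    return NULL;
}

/* Register an expectation on behalf of master_ct.
 * reuse == 0: pre-fix behaviour, an identical tuple held by another master
 *             is a conflict and the call fails with -EBUSY.
 * reuse != 0: the fix, that expect is re-homed to the new master. */
static int expect_related(int master_ct, const struct tuple *t, int reuse)
{
    struct expect *e = find_expect(t);

    if (e) {
        if (e->master_ct == master_ct)
            return 0;             /* same master re-announcing the media */
        if (!reuse)
            return -EBUSY;        /* clash: the re-INVITE is dropped */
        e->master_ct = master_ct; /* reuse it, now owned by the new master */
        return 0;
    }
    for (int i = 0; i < MAX_EXPECTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].master_ct = master_ct;
            table[i].t = *t;
            return 0;
        }
    }
    return -EMFILE;               /* table full */
}

/* The expected flow showed up: conntrack consumes the expectation. */
static void expect_consume(const struct tuple *t)
{
    struct expect *e = find_expect(t);
    if (e)
        e->in_use = 0;
}

/* Scenario 1: "183 SDP" on conntrack 1 creates RTP and RTCP expects, only
 * RTP traffic arrives, then "re-INVITE SDP (t38)" on conntrack 2 announces
 * the same media ports. Returns the result of the second RTCP registration.
 * Addresses and ports are constructed. */
static int scenario1(int reuse)
{
    struct tuple rtp  = { 0x0a000001, 0x0a000002, 30000, 40000, 17 };
    struct tuple rtcp = { 0x0a000001, 0x0a000002, 30001, 40001, 17 };
    int rc;

    memset(table, 0, sizeof table);
    expect_related(1, &rtp, reuse);      /* 183 SDP, master = conntrack 1 */
    expect_related(1, &rtcp, reuse);
    expect_consume(&rtp);                /* RTP seen, RTCP never arrives */

    rc = expect_related(2, &rtp, reuse); /* re-INVITE, master = conntrack 2 */
    if (rc)
        return rc;
    return expect_related(2, &rtcp, reuse);
}

int main(void)
{
    printf("pre-fix : RTCP expect for conntrack 2 -> %d\n", scenario1(0));
    printf("post-fix: RTCP expect for conntrack 2 -> %d\n", scenario1(1));
    return 0;
}
```

With reuse disabled the second RTCP registration returns -EBUSY, which is the point where the real helper gives up on the re-INVITE; with reuse enabled the leftover RTCP expect simply changes owner and the call proceeds.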
19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license version 2 as
  published by the free software foundation

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license version 2 as
  published by the free software foundation #

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
30 Apr, 2019
1 commit
-
The API allows a conntrack helper to indicate its corresponding
NAT helper which then can be loaded and reference counted.

Signed-off-by: Flavio Leitner
Signed-off-by: Pablo Neira Ayuso
24 Apr, 2018
1 commit
-
There is no __exit mark in the helper modules,
because these exit functions used to be called by the init function,
but now that is not the case. So we can add the __exit mark.

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
19 Apr, 2017
2 commits
-
No need to track this for in-kernel helpers anymore as
NF_CT_HELPER_BUILD_BUG_ON checks do this now.

All in-kernel helpers know what kind of structure they
stored in helper->data.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Add a 32 byte scratch area in the helper struct instead of relying
on variable sized helpers plus compile-time asserts to let us know
if 32 bytes aren't enough anymore.

Not having variable sized helpers will later allow to add BUILD_BUG_ON
for the total size of conntrack extensions -- the helper extension is
the only one that doesn't have a fixed size.

The (useless!) NF_CT_HELPER_BUILD_BUG_ON(0); are added so that in case
someone adds a new helper and copy-pastes from one that doesn't store
private data at least some indication that this macro should be used
somehow is there...

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
21 Jul, 2016
1 commit
-
Add nf_ct_helper_init(), nf_conntrack_helpers_register() and
nf_conntrack_helpers_unregister() functions to avoid repetitive
opencoded initialization in helpers.

This patch keeps an id parameter for nf_ct_helper_init() not to break
helper matching by name that has been inconsistently exposed to
userspace through ports, eg. ftp-2121, and through an incremental id,
eg. tftp-1.

Signed-off-by: Gao Feng
Signed-off-by: Pablo Neira Ayuso
30 May, 2016
1 commit
-
Helpers should unregister only the registered ports.
But a helper cannot have the correct registered ports value when it
failed to register.

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
05 Jan, 2016
1 commit
-
Signed-off-by: Pablo Neira Ayuso
19 Apr, 2013
1 commit
-
Add copyright statements to all netfilter files which have had significant
changes done by myself in the past.

Some notes:

- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
  Core Team when it got split out of nf_conntrack_core.c. The copyrights
  even state a date which lies six years before it was written. It was
  written in 2005 by Harald and myself.

- net/ipv{4,6}/netfilter.c, net/netfilter/nf_queue.c were missing copyright
  statements. I've added the copyright statement from net/netfilter/core.c,
  where this code originated

- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
  it to give the wrong impression

Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
19 Feb, 2013
1 commit
-
Connection tracking helpers have to drop packets under exceptional
situations. Currently, the user gets the following logging message
in case that happens:

  nf_ct_%s: dropping packet ...

However, depending on the helper, there are different reasons why a
packet can be dropped.

This patch modifies the existing code to provide more specific
error message in the scope of each helper to help users to debug
the reason why the packet has been dropped, ie:

  nf_ct_%s: dropping packet: reason ...

Thanks to Joe Perches for many formatting suggestions.

Signed-off-by: Pablo Neira Ayuso
16 Jun, 2012
1 commit
-
This patch modifies the struct nf_conntrack_helper to allocate
the room for the helper name. The maximum length is 16 bytes
(this was already introduced in 2.6.24).

For the maximum length for expectation policy names, I have
also selected 16 bytes.

This patch is required by the follow-up patch to support
user-space connection tracking helpers.

Signed-off-by: Pablo Neira Ayuso
13 May, 2010
1 commit
-
Make sure all printk messages have a severity level.
Signed-off-by: Stephen Hemminger
Signed-off-by: Patrick McHardy
17 Nov, 2008
1 commit
-
This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a
way to provide generic and persistent aliases for the connection
tracking helpers.

This next patch requires this patch.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
14 Apr, 2008
2 commits
-
Directly call IPv4 and IPv6 variants where the address family is
easily known.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
Add accessors for l3num and protonum and get rid of some overly long
expressions.

Signed-off-by: Patrick McHardy
26 Mar, 2008
1 commit
-
Introduce expectation classes and policies. An expectation class
is used to distinguish different types of expectations by the
same helper (for example audio/video/t.120). The expectation
policy is used to hold the maximum number of expectations and
the initial timeout for each class.

The individual classes are isolated from each other, which means
that for example an audio expectation will only evict other audio
expectations.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
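The per-class policy and isolation described in that commit message, as a userspace model. This is an added example, not code from the commit or from the kernel: the kernel's nf_conntrack_expect_policy, the per-master expecting[] counters and its oldest-expectation eviction are only approximated here, the class names and policy numbers are illustrative rather than any real helper's values, and every function and struct name is hypothetical.

```c
/* Userspace model of expectation classes and policies. Constructed example,
 * not kernel code: the policy numbers, class names and all identifiers are
 * hypothetical; only the per-class cap and same-class eviction are shown. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CLASS_AUDIO, CLASS_VIDEO, CLASS_T120, NR_CLASSES };

struct expect_policy {
    unsigned int max_expected; /* cap per master conntrack for this class */
    unsigned int timeout;      /* initial timeout in seconds */
};

/* Constructed policy table; figures are illustrative only. */
static const struct expect_policy policy[NR_CLASSES] = {
    [CLASS_AUDIO] = { 2, 240 },
    [CLASS_VIDEO] = { 2, 240 },
    [CLASS_T120]  = { 1, 240 },
};

#define MAX_EXPECTS 16

struct expect {
    int in_use;
    unsigned int cls;
    unsigned int seq;  /* insertion order; lowest seq is the oldest */
    uint16_t port;     /* expected destination port, stands in for the tuple */
};

struct master {
    struct expect exps[MAX_EXPECTS];
    unsigned int expecting[NR_CLASSES]; /* live expects per class */
    unsigned int next_seq;
};

static struct expect *oldest_of_class(struct master *m, unsigned int cls)
{
    struct expect *oldest = NULL;
    for (int i = 0; i < MAX_EXPECTS; i++) {
        struct expect *e = &m->exps[i];
        if (e->in_use && e->cls == cls && (!oldest || e->seq < oldest->seq))
            oldest = e;
    }
    return oldest;
}

/* Add an expect of class cls to a master. At max_expected for that class,
 * the oldest expect of the same class is evicted; other classes are never
 * touched. Returns the evicted port, 0 if none, or -1 if no slot is free. */
static int expect_add(struct master *m, unsigned int cls, uint16_t port)
{
    int evicted = 0;

    if (m->expecting[cls] >= policy[cls].max_expected) {
        struct expect *old = oldest_of_class(m, cls);
        if (!old)
            return -1;
        evicted = old->port;
        old->in_use = 0;
        m->expecting[cls]--;
    }
    for (int i = 0; i < MAX_EXPECTS; i++) {
        struct expect *e = &m->exps[i];
        if (e->in_use)
            continue;
        e->in_use = 1;
        e->cls = cls;
        e->port = port;
        e->seq = m->next_seq++;
        m->expecting[cls]++;
        return evicted;
    }
    return -1;
}

static struct master call; /* one master conntrack, e.g. a signalling call */

/* Two audio expects, one video, then a third audio: the third audio add
 * must evict the oldest audio expect (port 5000) and leave video alone.
 * Returns the port evicted by that third add. Ports are constructed. */
static int run_scenario(void)
{
    memset(&call, 0, sizeof call);
    expect_add(&call, CLASS_AUDIO, 5000);
    expect_add(&call, CLASS_VIDEO, 6000);
    expect_add(&call, CLASS_AUDIO, 5002);
    return expect_add(&call, CLASS_AUDIO, 5004);
}

int main(void)
{
    printf("evicted audio port %d; live audio=%u video=%u\n", run_scenario(),
           call.expecting[CLASS_AUDIO], call.expecting[CLASS_VIDEO]);
    return 0;
}
```

The counter is kept per master and per class so that a flood of audio announcements can only displace audio expectations; without the class split, the same cap would let one media type push out the other's pending expectation.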
01 Feb, 2008
2 commits
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Teach sparse about locking here, and fix signed/unsigned warnings.
Signed-off-by: Stephen Hemminger
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurrences of sk_buff ** in the netfilter API by
sk_buff *.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jul, 2007
3 commits
-
Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Since conntrack currently allows to use masks for every bit of both
helper and expectation tuples, we can't hash them and have to keep
them on two global lists that are searched for every new connection.

This patch removes the never used ability to use masks for the
destination part of the expectation tuple and completely removes
masks from helpers since the only reasonable choice is a full
match on l3num, protonum and src.u.all.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Currently there is a wild mix of nf_conntrack_expect_, nf_ct_exp_,
expect_, exp_, ...

Consistently use nf_ct_ as prefix for exported functions.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 Dec, 2006
2 commits
-
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: David S. Miller
-
Add IPv4 and IPv6 capable nf_conntrack port of the TFTP conntrack/NAT helper.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller