Eric Lee / smarc-fsl-linux-kernel

16 Jul, 2019

1 commit

  • 3c00fb0bf   netfilter: nf_conntrack_sip: fix expectation clash ... Browse Code »

    When conntracks change during a dialog, SDP messages may be sent from
    different conntracks to establish expects with identical tuples. In this
    case expects conflict may be detected for the 2nd SDP message and end up
    with a process failure.

    The fixing here is to reuse an existing expect who has the same tuple for a
    different conntrack if any.

    Here are two scenarios for the case.

    1)
    SERVER CPE

    | INVITE SDP |
    5060 ||5060
    | 183 SDP |
    5060 |---------------------->|5060 ===> Conntrack 1
    | PRACK |
    50601 ||5060
    | 200 OK (INVITE) |
    5060 |---------------------->|5060
    | ACK |
    50601 ||
    | |
    | INVITE SDP (t38) |
    50601 |---------------------->|5060 ===> Conntrack 2

    With a certain configuration in the CPE, SIP messages "183 with SDP" and
    "re-INVITE with SDP t38" will go through the sip helper to create
    expects for RTP and RTCP.

    It is okay to create RTP and RTCP expects for "183", whose master
    connection source port is 5060, and destination port is 5060.

    In the "183" message, port in Contact header changes to 50601 (from the
    original 5060). So the following requests e.g. PRACK and ACK are sent to
    port 50601. It is a different conntrack (let call Conntrack 2) from the
    original INVITE (let call Conntrack 1) due to the port difference.

    In this example, after the call is established, there is RTP stream but no
    RTCP stream for Conntrack 1, so the RTP expect created upon "183" is
    cleared, and RTCP expect created for Conntrack 1 retains.

    When "re-INVITE with SDP t38" arrives to create RTP&RTCP expects, current
    ALG implementation will call nf_ct_expect_related() for RTP and RTCP. The
    expects tuples are identical to those for Conntrack 1. RTP expect for
    Conntrack 2 succeeds in creation as the one for Conntrack 1 has been
    removed. RTCP expect for Conntrack 2 fails in creation because it has
    idential tuples and 'conflict' with the one retained for Conntrack 1. And
    then result in a failure in processing of the re-INVITE.

    2)

    SERVER A CPE

    | REGISTER |
    5060 | CT1
    | 200 |
    5060 |------------------>| 5060
    | |
    | INVITE SDP(1) |
    5060 || 5060 SERVER B
    | ACK |
    5060 || 5060 ==> CT2
    | 100 |
    5060 || 50601 ==> CT3
    | |
    ||
    | |
    | BYE |
    5060 || 50601
    | INVITE SDP(3) |
    5060 | CT1

    CPE sends an INVITE request(1) to Server A, and creates a RTP&RTCP expect
    pair for this Conntrack 1 (CT1). Server A responds 300 to redirect to
    Server B. The RTP&RTCP expect pairs created on CT1 are removed upon 300
    response.

    CPE sends the INVITE request(2) to Server B, and creates an expect pair
    for the new conntrack (due to destination address difference), let call
    CT2. Server B changes the port to 50601 in 200 OK response, and the
    following requests ACK and BYE from CPE are sent to 50601. The call is
    established. There is RTP stream and no RTCP stream. So RTP expect is
    removed and RTCP expect for CT2 retains.

    As BYE request is sent from port 50601, it is another conntrack, let call
    CT3, different from CT2 due to the port difference. So the BYE request will
    not remove the RTCP expect for CT2.

    Then another outgoing call is made, with the same RTP port being used (not
    definitely but possibly). CPE firstly sends the INVITE request(3) to Server
    A, and tries to create a RTP&RTCP expect pairs for this CT1. In current ALG
    implementation, the RTCP expect for CT1 fails in creation because it
    'conflicts' with the residual one for CT2. As a result the INVITE request
    fails to send.

    Signed-off-by: xiao ruizhu
    Signed-off-by: Pablo Neira Ayuso

    xiao ruizhu
     

19 Jun, 2019

1 commit

  • d2912cb15   treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 ... Browse Code »

    Based on 2 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation #

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

    has been chosen to replace the boilerplate/reference in 4122 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Enrico Weigelt
    Reviewed-by: Kate Stewart
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

30 Apr, 2019

1 commit

24 Apr, 2018

1 commit

19 Apr, 2017

2 commits

  • 9f0f3ebed   netfilter: helpers: remove data_len usage for inkernel helpers ... Browse Code »

    No need to track this for inkernel helpers anymore as
    NF_CT_HELPER_BUILD_BUG_ON checks do this now.

    All inkernel helpers know what kind of structure they
    stored in helper->data.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • dcf67740f   netfilter: helper: add build-time asserts for helper data size ... Browse Code »

    add a 32 byte scratch area in the helper struct instead of relying
    on variable sized helpers plus compile-time asserts to let us know
    if 32 bytes aren't enough anymore.

    Not having variable sized helpers will later allow to add BUILD_BUG_ON
    for the total size of conntrack extensions -- the helper extension is
    the only one that doesn't have a fixed size.

    The (useless!) NF_CT_HELPER_BUILD_BUG_ON(0); are added so that in case
    someone adds a new helper and copy-pastes from one that doesn't store
    private data at least some indication that this macro should be used
    somehow is there...

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

21 Jul, 2016

1 commit

  • 82de0be68   netfilter: Add helper array register/unregister functions ... Browse Code »

    Add nf_ct_helper_init(), nf_conntrack_helpers_register() and
    nf_conntrack_helpers_unregister() functions to avoid repetitive
    opencoded initialization in helpers.

    This patch keeps an id parameter for nf_ct_helper_init() not to break
    helper matching by name that has been inconsistently exposed to
    userspace through ports, eg. ftp-2121, and through an incremental id,
    eg. tftp-1.

    Signed-off-by: Gao Feng
    Signed-off-by: Pablo Neira Ayuso

    Gao Feng
     

30 May, 2016

1 commit

05 Jan, 2016

1 commit

19 Apr, 2013

1 commit

  • f229f6ce4   netfilter: add my copyright statements ... Browse Code »

    Add copyright statements to all netfilter files which have had significant
    changes done by myself in the past.

    Some notes:

    - nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
    Core Team when it got split out of nf_conntrack_core.c. The copyrights
    even state a date which lies six years before it was written. It was
    written in 2005 by Harald and myself.

    - net/ipv{4,6}/netfilter.c, net/netfitler/nf_queue.c were missing copyright
    statements. I've added the copyright statement from net/netfilter/core.c,
    where this code originated

    - for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
    it to give the wrong impression

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

19 Feb, 2013

1 commit

  • b20ab9cc6   netfilter: nf_ct_helper: better logging for dropped packets ... Browse Code »

    Connection tracking helpers have to drop packets under exceptional
    situations. Currently, the user gets the following logging message
    in case that happens:

    nf_ct_%s: dropping packet ...

    However, depending on the helper, there are different reasons why a
    packet can be dropped.

    This patch modifies the existing code to provide more specific
    error message in the scope of each helper to help users to debug
    the reason why the packet has been dropped, ie:

    nf_ct_%s: dropping packet: reason ...

    Thanks to Joe Perches for many formatting suggestions.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

16 Jun, 2012

1 commit

13 May, 2010

1 commit

17 Nov, 2008

1 commit

14 Apr, 2008

2 commits

26 Mar, 2008

1 commit

  • 6002f266b   [NETFILTER]: nf_conntrack: introduce expectation classes and policies ... Browse Code »

    Introduce expectation classes and policies. An expectation class
    is used to distinguish different types of expectations by the
    same helper (for example audio/video/t.120). The expectation
    policy is used to hold the maximum number of expectations and
    the initial timeout for each class.

    The individual classes are isolated from each other, which means
    that for example an audio expectation will only evict other audio
    expectations.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     

01 Feb, 2008

2 commits

16 Oct, 2007

1 commit

11 Jul, 2007

3 commits

13 Feb, 2007

1 commit

03 Dec, 2006

2 commits