[NETFILTER 00/07]: Netfilter fixes

[NETFILTER 00/07]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are a couple of netfilter patches, fixing newline sequence number
tracking problems with the FTP helper and a few problems with the H.323
helper, mostly related to tracking IPv6 connections.

Please apply, thanks.


 include/linux/netfilter/nf_conntrack_ftp.h        |    3 -
 include/linux/netfilter/nf_conntrack_h323_types.h |   23 +-----------
 net/ipv4/netfilter/nf_nat_ftp.c                   |   20 +++-------
 net/ipv4/netfilter/nf_nat_h323.c                  |    6 +--
 net/netfilter/nf_conntrack_ftp.c                  |   13 +++---
 net/netfilter/nf_conntrack_h323_main.c            |   41 +++++-----------------
 net/netfilter/nf_conntrack_h323_types.c           |   31 ++++++----------
 7 files changed, 44 insertions(+), 93 deletions(-)

Jing Min Zhao (5):
      [NETFILTER]: nf_conntrack_h323: fix ASN.1 types
      [NETFILTER]: nf_conntrack_h323: fix get_h225_addr() for IPv6 address access
      [NETFILTER]: nf_conntrack_h323: remove unnecessary process of Information signal
      [NETFILTER]: nf_conntrack_h323: add missing T.120 address in OLCA
      [NETFILTER]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook

Patrick McHardy (2):
      [NETFILTER]: nf_conntrack_ftp: fix newline sequence number update
      [NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation

[NETFILTER 01/07]: nf_conntrack_ftp: fix newline sequence number update

[Patrick McHardy]

[NETFILTER]: nf_conntrack_ftp: fix newline sequence number update

When trying to locate the oldest entry in the history of newline character
sequence numbers, the sequence number of the current entry is incorrectly
compared with the index of the oldest sequence number instead of the number
itself.

Additionally it is not made sure that the current sequence number really
is after the oldest known one.

Based on report by YU, Haitao <yuhaitao@tsinghua.org.cn>

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5e09b4a295e2aed7cb6fe60f86bafba4d8e77836
tree fb2d6e90d04c155578a5fe3321f9b2297426bdee
parent 0076b2cfaee8fa7109d6c923144b88f0032ffb8b
author Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200

 net/netfilter/nf_conntrack_ftp.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index a186799..3357642 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -335,15 +335,17 @@ static void update_nl_seq(u32 nl_seq, struct nf_ct_ftp_master *info, int dir,
 		if (info->seq_aft_nl[dir][i] == nl_seq)
 			return;
 
-		if (oldest == info->seq_aft_nl_num[dir]
-		    || before(info->seq_aft_nl[dir][i], oldest))
+		if (oldest == info->seq_aft_nl_num[dir] ||
+		    before(info->seq_aft_nl[dir][i],
+		    	   info->seq_aft_nl[dir][oldest]))
 			oldest = i;
 	}
 
 	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
 		info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
 		nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
-	} else if (oldest != NUM_SEQ_TO_REMEMBER) {
+	} else if (oldest != NUM_SEQ_TO_REMEMBER &&
+		   after(nl_seq, info->seq_aft_nl[dir][oldest])) {
 		info->seq_aft_nl[dir][oldest] = nl_seq;
 		nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
 	}

Re: [NETFILTER 01/07]: nf_conntrack_ftp: fix newline sequence number update

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:07 +0200 (MEST)

> [NETFILTER]: nf_conntrack_ftp: fix newline sequence number update
> 
> When trying to locate the oldest entry in the history of newline character
> sequence numbers, the sequence number of the current entry is incorrectly
> compared with the index of the oldest sequence number instead of the number
> itself.
> 
> Additionally it is not made sure that the current sequence number really
> is after the oldest known one.
> 
> Based on report by YU, Haitao <yuhaitao@tsinghua.org.cn>
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 02/07]: nf_conntrack_ftp: fix newline sequence number calculation

[Patrick McHardy]

[NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation

When the packet size is changed by the FTP NAT helper, the connection
tracking helper adjusts the sequence number of the newline character
by the size difference. This is wrong because NAT sequence number
adjustment happens after helpers are called, so the unadjusted number
is compared to the already adjusted one.

Based on report by YU, Haitao <yuhaitao@tsinghua.org.cn>

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5dcf6ca671036446403108df0dbc025887e81fb4
tree 8a9e36277001fc9f4f6c2bf1d409f1c8a7c6964d
parent 5e09b4a295e2aed7cb6fe60f86bafba4d8e77836
author Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200

 include/linux/netfilter/nf_conntrack_ftp.h |    3 +--
 net/ipv4/netfilter/nf_nat_ftp.c            |   20 ++++++--------------
 net/netfilter/nf_conntrack_ftp.c           |    5 ++---
 3 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 81453ea..b7c360f 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -37,8 +37,7 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
 				       enum nf_ct_ftp_type type,
 				       unsigned int matchoff,
 				       unsigned int matchlen,
-				       struct nf_conntrack_expect *exp,
-				       u32 *seq);
+				       struct nf_conntrack_expect *exp);
 #endif /* __KERNEL__ */
 
 #endif /* _NF_CONNTRACK_FTP_H */
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c
index 751b598..e6bc8e5 100644
--- a/net/ipv4/netfilter/nf_nat_ftp.c
+++ b/net/ipv4/netfilter/nf_nat_ftp.c
@@ -40,8 +40,7 @@ mangle_rfc959_packet(struct sk_buff **pskb,
 		     unsigned int matchoff,
 		     unsigned int matchlen,
 		     struct nf_conn *ct,
-		     enum ip_conntrack_info ctinfo,
-		     u32 *seq)
+		     enum ip_conntrack_info ctinfo)
 {
 	char buffer[sizeof("nnn,nnn,nnn,nnn,nnn,nnn")];
 
@@ -50,7 +49,6 @@ mangle_rfc959_packet(struct sk_buff **pskb,
 
 	DEBUGP("calling nf_nat_mangle_tcp_packet\n");
 
-	*seq += strlen(buffer) - matchlen;
 	return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
 					matchlen, buffer, strlen(buffer));
 }
@@ -63,8 +61,7 @@ mangle_eprt_packet(struct sk_buff **pskb,
 		   unsigned int matchoff,
 		   unsigned int matchlen,
 		   struct nf_conn *ct,
-		   enum ip_conntrack_info ctinfo,
-		   u32 *seq)
+		   enum ip_conntrack_info ctinfo)
 {
 	char buffer[sizeof("|1|255.255.255.255|65535|")];
 
@@ -72,7 +69,6 @@ mangle_eprt_packet(struct sk_buff **pskb,
 
 	DEBUGP("calling nf_nat_mangle_tcp_packet\n");
 
-	*seq += strlen(buffer) - matchlen;
 	return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
 					matchlen, buffer, strlen(buffer));
 }
@@ -85,8 +81,7 @@ mangle_epsv_packet(struct sk_buff **pskb,
 		   unsigned int matchoff,
 		   unsigned int matchlen,
 		   struct nf_conn *ct,
-		   enum ip_conntrack_info ctinfo,
-		   u32 *seq)
+		   enum ip_conntrack_info ctinfo)
 {
 	char buffer[sizeof("|||65535|")];
 
@@ -94,14 +89,13 @@ mangle_epsv_packet(struct sk_buff **pskb,
 
 	DEBUGP("calling nf_nat_mangle_tcp_packet\n");
 
-	*seq += strlen(buffer) - matchlen;
 	return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
 					matchlen, buffer, strlen(buffer));
 }
 
 static int (*mangle[])(struct sk_buff **, __be32, u_int16_t,
 		       unsigned int, unsigned int, struct nf_conn *,
-		       enum ip_conntrack_info, u32 *seq)
+		       enum ip_conntrack_info)
 = {
 	[NF_CT_FTP_PORT] = mangle_rfc959_packet,
 	[NF_CT_FTP_PASV] = mangle_rfc959_packet,
@@ -116,8 +110,7 @@ static unsigned int nf_nat_ftp(struct sk_buff **pskb,
 			       enum nf_ct_ftp_type type,
 			       unsigned int matchoff,
 			       unsigned int matchlen,
-			       struct nf_conntrack_expect *exp,
-			       u32 *seq)
+			       struct nf_conntrack_expect *exp)
 {
 	__be32 newip;
 	u_int16_t port;
@@ -145,8 +138,7 @@ static unsigned int nf_nat_ftp(struct sk_buff **pskb,
 	if (port == 0)
 		return NF_DROP;
 
-	if (!mangle[type](pskb, newip, port, matchoff, matchlen, ct, ctinfo,
-			  seq)) {
+	if (!mangle[type](pskb, newip, port, matchoff, matchlen, ct, ctinfo)) {
 		nf_conntrack_unexpect_related(exp);
 		return NF_DROP;
 	}
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 3357642..09add2f 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -48,8 +48,7 @@ unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
 				enum nf_ct_ftp_type type,
 				unsigned int matchoff,
 				unsigned int matchlen,
-				struct nf_conntrack_expect *exp,
-				u32 *seq);
+				struct nf_conntrack_expect *exp);
 EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
 
 #if 0
@@ -521,7 +520,7 @@ static int help(struct sk_buff **pskb,
 	nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
 	if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
 		ret = nf_nat_ftp(pskb, ctinfo, search[dir][i].ftptype,
-				 matchoff, matchlen, exp, &seq);
+				 matchoff, matchlen, exp);
 	else {
 		/* Can't expect this?  Best to drop packet now. */
 		if (nf_conntrack_expect_related(exp) != 0)

Re: [NETFILTER 02/07]: nf_conntrack_ftp: fix newline sequence number calculation

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:09 +0200 (MEST)

> [NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation
> 
> When the packet size is changed by the FTP NAT helper, the connection
> tracking helper adjusts the sequence number of the newline character
> by the size difference. This is wrong because NAT sequence number
> adjustment happens after helpers are called, so the unadjusted number
> is compared to the already adjusted one.
> 
> Based on report by YU, Haitao <yuhaitao@tsinghua.org.cn>
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 03/07]: nf_conntrack_h323: fix ASN.1 types

[Patrick McHardy]

[NETFILTER]: nf_conntrack_h323: fix ASN.1 types

1. Add support for decoding IPv6 address. I know it was manually added in
   the header file, but not in the template file. That wouldn't work.
2. Add missing support for decoding T.120 address in OLCA.
3. Remove unnecessary decoding of Information signal.

Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit bd086e2d746d2c730c5701b09a1198bf6d335287
tree 10f40e7fa3be7d93b4e6a39ffefad839c295b778
parent 5dcf6ca671036446403108df0dbc025887e81fb4
author Jing Min Zhao <zhaojingmin@vivecode.com> Thu, 24 May 2007 23:49:57 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200

 include/linux/netfilter/nf_conntrack_h323_types.h |   23 ++--------------
 net/netfilter/nf_conntrack_h323_types.c           |   31 +++++++++------------
 2 files changed, 16 insertions(+), 38 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/include/linux/netfilter/nf_conntrack_h323_types.h
index 38d74d5..f35b6b4 100644
--- a/include/linux/netfilter/nf_conntrack_h323_types.h
+++ b/include/linux/netfilter/nf_conntrack_h323_types.h
@@ -1,4 +1,4 @@
-/* Generated by Jing Min Zhao's ASN.1 parser, Apr 20 2006
+/* Generated by Jing Min Zhao's ASN.1 parser, May 16 2007
  *
  * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
  *
@@ -12,7 +12,7 @@ typedef struct TransportAddress_ipAddress {	/* SEQUENCE */
 
 typedef struct TransportAddress_ip6Address {	/* SEQUENCE */
 	int options;		/* No use */
-	unsigned ip6;
+	unsigned ip;
 } TransportAddress_ip6Address;
 
 typedef struct TransportAddress {	/* CHOICE */
@@ -364,23 +364,6 @@ typedef struct Alerting_UUIE {	/* SEQUENCE */
 	Alerting_UUIE_fastStart fastStart;
 } Alerting_UUIE;
 
-typedef struct Information_UUIE_fastStart {	/* SEQUENCE OF */
-	int count;
-	OpenLogicalChannel item[30];
-} Information_UUIE_fastStart;
-
-typedef struct Information_UUIE {	/* SEQUENCE */
-	enum {
-		eInformation_UUIE_callIdentifier = (1 << 31),
-		eInformation_UUIE_tokens = (1 << 30),
-		eInformation_UUIE_cryptoTokens = (1 << 29),
-		eInformation_UUIE_fastStart = (1 << 28),
-		eInformation_UUIE_fastConnectRefused = (1 << 27),
-		eInformation_UUIE_circuitInfo = (1 << 26),
-	} options;
-	Information_UUIE_fastStart fastStart;
-} Information_UUIE;
-
 typedef struct FacilityReason {	/* CHOICE */
 	enum {
 		eFacilityReason_routeCallToGatekeeper,
@@ -471,7 +454,6 @@ typedef struct H323_UU_PDU_h323_message_body {	/* CHOICE */
 		CallProceeding_UUIE callProceeding;
 		Connect_UUIE connect;
 		Alerting_UUIE alerting;
-		Information_UUIE information;
 		Facility_UUIE facility;
 		Progress_UUIE progress;
 	};
@@ -561,6 +543,7 @@ typedef struct OpenLogicalChannelAck {	/* SEQUENCE */
 	} options;
 	OpenLogicalChannelAck_reverseLogicalChannelParameters
 	    reverseLogicalChannelParameters;
+	NetworkAccessParameters separateStack;
 	OpenLogicalChannelAck_forwardMultiplexAckParameters
 	    forwardMultiplexAckParameters;
 } OpenLogicalChannelAck;
diff --git a/net/netfilter/nf_conntrack_h323_types.c b/net/netfilter/nf_conntrack_h323_types.c
index 4c6f8b3..3a21fdf 100644
--- a/net/netfilter/nf_conntrack_h323_types.c
+++ b/net/netfilter/nf_conntrack_h323_types.c
@@ -1,4 +1,4 @@
-/* Generated by Jing Min Zhao's ASN.1 parser, Apr 20 2006
+/* Generated by Jing Min Zhao's ASN.1 parser, May 16 2007
  *
  * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
  *
@@ -37,7 +37,7 @@ static field_t _TransportAddress_ipxAddress[] = {	/* SEQUENCE */
 
 static field_t _TransportAddress_ip6Address[] = {	/* SEQUENCE */
 	{FNAME("ip") OCTSTR, FIXD, 16, 0, DECODE,
-	 offsetof(TransportAddress_ip6Address, ip6), NULL},
+	 offsetof(TransportAddress_ip6Address, ip), NULL},
 	{FNAME("port") INT, WORD, 0, 0, SKIP, 0, NULL},
 };
 
@@ -67,7 +67,8 @@ static field_t _TransportAddress[] = {	/* CHOICE */
 	{FNAME("ipxAddress") SEQ, 0, 3, 3, SKIP, 0,
 	 _TransportAddress_ipxAddress},
 	{FNAME("ip6Address") SEQ, 0, 2, 2, DECODE | EXT,
-	offsetof(TransportAddress, ip6Address), _TransportAddress_ip6Address},
+	 offsetof(TransportAddress, ip6Address),
+	 _TransportAddress_ip6Address},
 	{FNAME("netBios") OCTSTR, FIXD, 16, 0, SKIP, 0, NULL},
 	{FNAME("nsap") OCTSTR, 5, 1, 0, SKIP, 0, NULL},
 	{FNAME("nonStandardAddress") SEQ, 0, 2, 2, SKIP, 0,
@@ -638,7 +639,8 @@ static field_t _UnicastAddress_iPXAddress[] = {	/* SEQUENCE */
 };
 
 static field_t _UnicastAddress_iP6Address[] = {	/* SEQUENCE */
-	{FNAME("network") OCTSTR, FIXD, 16, 0, SKIP, 0, NULL},
+	{FNAME("network") OCTSTR, FIXD, 16, 0, DECODE,
+	 offsetof(UnicastAddress_iP6Address, network), NULL},
 	{FNAME("tsapIdentifier") INT, WORD, 0, 0, SKIP, 0, NULL},
 };
 
@@ -665,8 +667,8 @@ static field_t _UnicastAddress[] = {	/* CHOICE */
 	 offsetof(UnicastAddress, iPAddress), _UnicastAddress_iPAddress},
 	{FNAME("iPXAddress") SEQ, 0, 3, 3, SKIP | EXT, 0,
 	 _UnicastAddress_iPXAddress},
-	{FNAME("iP6Address") SEQ, 0, 2, 2, SKIP | EXT, 0,
-	 _UnicastAddress_iP6Address},
+	{FNAME("iP6Address") SEQ, 0, 2, 2, DECODE | EXT,
+	 offsetof(UnicastAddress, iP6Address), _UnicastAddress_iP6Address},
 	{FNAME("netBios") OCTSTR, FIXD, 16, 0, SKIP, 0, NULL},
 	{FNAME("iPSourceRouteAddress") SEQ, 0, 4, 4, SKIP | EXT, 0,
 	 _UnicastAddress_iPSourceRouteAddress},
@@ -984,19 +986,12 @@ static field_t _Alerting_UUIE[] = {	/* SEQUENCE */
 	{FNAME("featureSet") SEQ, 3, 4, 4, SKIP | EXT | OPT, 0, NULL},
 };
 
-static field_t _Information_UUIE_fastStart[] = {	/* SEQUENCE OF */
-	{FNAME("item") SEQ, 1, 3, 5, DECODE | OPEN | EXT,
-	 sizeof(OpenLogicalChannel), _OpenLogicalChannel}
-	,
-};
-
 static field_t _Information_UUIE[] = {	/* SEQUENCE */
 	{FNAME("protocolIdentifier") OID, BYTE, 0, 0, SKIP, 0, NULL},
 	{FNAME("callIdentifier") SEQ, 0, 1, 1, SKIP | EXT, 0, NULL},
 	{FNAME("tokens") SEQOF, SEMI, 0, 0, SKIP | OPT, 0, NULL},
 	{FNAME("cryptoTokens") SEQOF, SEMI, 0, 0, SKIP | OPT, 0, NULL},
-	{FNAME("fastStart") SEQOF, SEMI, 0, 30, DECODE | OPT,
-	 offsetof(Information_UUIE, fastStart), _Information_UUIE_fastStart},
+	{FNAME("fastStart") SEQOF, SEMI, 0, 30, SKIP | OPT, 0, NULL},
 	{FNAME("fastConnectRefused") NUL, FIXD, 0, 0, SKIP | OPT, 0, NULL},
 	{FNAME("circuitInfo") SEQ, 3, 3, 3, SKIP | EXT | OPT, 0, NULL},
 };
@@ -1343,9 +1338,7 @@ static field_t _H323_UU_PDU_h323_message_body[] = {	/* CHOICE */
 	 offsetof(H323_UU_PDU_h323_message_body, connect), _Connect_UUIE},
 	{FNAME("alerting") SEQ, 1, 3, 17, DECODE | EXT,
 	 offsetof(H323_UU_PDU_h323_message_body, alerting), _Alerting_UUIE},
-	{FNAME("information") SEQ, 0, 1, 7, DECODE | EXT,
-	 offsetof(H323_UU_PDU_h323_message_body, information),
-	 _Information_UUIE},
+	{FNAME("information") SEQ, 0, 1, 7, SKIP | EXT, 0, _Information_UUIE},
 	{FNAME("releaseComplete") SEQ, 1, 2, 11, SKIP | EXT, 0,
 	 _ReleaseComplete_UUIE},
 	{FNAME("facility") SEQ, 3, 5, 21, DECODE | EXT,
@@ -1430,7 +1423,9 @@ static field_t _OpenLogicalChannelAck[] = {	/* SEQUENCE */
 	 DECODE | EXT | OPT, offsetof(OpenLogicalChannelAck,
 				      reverseLogicalChannelParameters),
 	 _OpenLogicalChannelAck_reverseLogicalChannelParameters},
-	{FNAME("separateStack") SEQ, 2, 4, 5, SKIP | EXT | OPT, 0, NULL},
+	{FNAME("separateStack") SEQ, 2, 4, 5, DECODE | EXT | OPT,
+	 offsetof(OpenLogicalChannelAck, separateStack),
+	 _NetworkAccessParameters},
 	{FNAME("forwardMultiplexAckParameters") CHOICE, 0, 1, 1,
 	 DECODE | EXT | OPT, offsetof(OpenLogicalChannelAck,
 				      forwardMultiplexAckParameters),

Re: [NETFILTER 03/07]: nf_conntrack_h323: fix ASN.1 types

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:10 +0200 (MEST)

> [NETFILTER]: nf_conntrack_h323: fix ASN.1 types
> 
> 1. Add support for decoding IPv6 address. I know it was manually added in
>    the header file, but not in the template file. That wouldn't work.
> 2. Add missing support for decoding T.120 address in OLCA.
> 3. Remove unnecessary decoding of Information signal.
> 
> Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 04/07]: nf_conntrack_h323: fix get_h225_addr() for IPv6 address access

[Patrick McHardy]

[NETFILTER]: nf_conntrack_h323: fix get_h225_addr() for IPv6 address access

Update get_h225_addr() to meet the changes in ASN.1 types. It was using
field ip6 to access IPv6 TransportAddress, it should be ip according the
ASN.1 definition.

Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit e71d7c2a5a69f20bd077b91bcc240f7bada53e48
tree 32a4cdeaa054fe66448d43d0255337e8f330d61b
parent bd086e2d746d2c730c5701b09a1198bf6d335287
author Jing Min Zhao <zhaojingmin@vivecode.com> Thu, 24 May 2007 23:49:58 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:58 +0200

 net/netfilter/nf_conntrack_h323_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index b284db7..8bb99b3 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -640,7 +640,7 @@ int get_h225_addr(struct nf_conn *ct, unsigned char *data,
 	case eTransportAddress_ip6Address:
 		if (family != AF_INET6)
 			return 0;
-		p = data + taddr->ip6Address.ip6;
+		p = data + taddr->ip6Address.ip;
 		len = 16;
 		break;
 	default:

Re: [NETFILTER 04/07]: nf_conntrack_h323: fix get_h225_addr() for IPv6 address access

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:11 +0200 (MEST)

> [NETFILTER]: nf_conntrack_h323: fix get_h225_addr() for IPv6 address access
> 
> Update get_h225_addr() to meet the changes in ASN.1 types. It was using
> field ip6 to access IPv6 TransportAddress, it should be ip according the
> ASN.1 definition.
> 
> Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 05/07]: nf_conntrack_h323: remove unnecessary process of Information signal

[Patrick McHardy]

[NETFILTER]: nf_conntrack_h323: remove unnecessary process of Information signal

According to the implementation of H.323, it's not necessary to check the
addresses in Information signals.

Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 6fdca918957ecf41e1b5c416df341cfa48080fcd
tree 16a0761c152686fb74b89e81d4d67d6a329ab540
parent e71d7c2a5a69f20bd077b91bcc240f7bada53e48
author Jing Min Zhao <zhaojingmin@vivecode.com> Thu, 24 May 2007 23:49:58 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:58 +0200

 net/netfilter/nf_conntrack_h323_main.c |   29 -----------------------------
 1 files changed, 0 insertions(+), 29 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 8bb99b3..6d668af 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -977,30 +977,6 @@ static int process_alerting(struct sk_buff **pskb, struct nf_conn *ct,
 }
 
 /****************************************************************************/
-static int process_information(struct sk_buff **pskb,
-			       struct nf_conn *ct,
-			       enum ip_conntrack_info ctinfo,
-			       unsigned char **data, int dataoff,
-			       Information_UUIE *info)
-{
-	int ret;
-	int i;
-
-	DEBUGP("nf_ct_q931: Information\n");
-
-	if (info->options & eInformation_UUIE_fastStart) {
-		for (i = 0; i < info->fastStart.count; i++) {
-			ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-					  &info->fastStart.item[i]);
-			if (ret < 0)
-				return -1;
-		}
-	}
-
-	return 0;
-}
-
-/****************************************************************************/
 static int process_facility(struct sk_buff **pskb, struct nf_conn *ct,
 			    enum ip_conntrack_info ctinfo,
 			    unsigned char **data, int dataoff,
@@ -1096,11 +1072,6 @@ static int process_q931(struct sk_buff **pskb, struct nf_conn *ct,
 		ret = process_alerting(pskb, ct, ctinfo, data, dataoff,
 				       &pdu->h323_message_body.alerting);
 		break;
-	case eH323_UU_PDU_h323_message_body_information:
-		ret = process_information(pskb, ct, ctinfo, data, dataoff,
-					  &pdu->h323_message_body.
-					  information);
-		break;
 	case eH323_UU_PDU_h323_message_body_facility:
 		ret = process_facility(pskb, ct, ctinfo, data, dataoff,
 				       &pdu->h323_message_body.facility);

Re: [NETFILTER 05/07]: nf_conntrack_h323: remove unnecessary process of Information signal

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:13 +0200 (MEST)

> [NETFILTER]: nf_conntrack_h323: remove unnecessary process of Information signal
> 
> According to the implementation of H.323, it's not necessary to check the
> addresses in Information signals.
> 
> Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 06/07]: nf_conntrack_h323: add missing T.120 address in OLCA

[Patrick McHardy]

[NETFILTER]: nf_conntrack_h323: add missing T.120 address in OLCA

Add missing process of T.120 address in OpenLogicalChannelAck signal.

Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9a545fc8e2ac3c8c7bbb7315469d96bb4e7d8748
tree c06c911468eaf5c32531a940c5b740cdb41ab0fa
parent 6fdca918957ecf41e1b5c416df341cfa48080fcd
author Jing Min Zhao <zhaojingmin@vivecode.com> Thu, 24 May 2007 23:49:59 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:59 +0200

 net/netfilter/nf_conntrack_h323_main.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6d668af..a1b95ac 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -520,6 +520,16 @@ static int process_olca(struct sk_buff **pskb, struct nf_conn *ct,
 		}
 	}
 
+	if ((olca->options & eOpenLogicalChannelAck_separateStack) &&
+		olca->separateStack.networkAddress.choice ==
+		eNetworkAccessParameters_networkAddress_localAreaAddress) {
+		ret = expect_t120(pskb, ct, ctinfo, data, dataoff,
+				  &olca->separateStack.networkAddress.
+				  localAreaAddress);
+		if (ret < 0)
+			return -1;
+	}
+
 	return 0;
 }
 

Re: [NETFILTER 06/07]: nf_conntrack_h323: add missing T.120 address in OLCA

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:14 +0200 (MEST)

> [NETFILTER]: nf_conntrack_h323: add missing T.120 address in OLCA
> 
> Add missing process of T.120 address in OpenLogicalChannelAck signal.
> 
> Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 07/07]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook

[Patrick McHardy]

[NETFILTER]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook

They're the same.

Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ed22d6f07f4ac4b69b915df2d1798e171b501a47
tree 1accab86c105558c5ac6a9c094ac6bc9aef3288d
parent 9a545fc8e2ac3c8c7bbb7315469d96bb4e7d8748
author Jing Min Zhao <zhaojingmin@vivecode.com> Thu, 24 May 2007 23:50:52 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:50:52 +0200

 net/ipv4/netfilter/nf_nat_h323.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index fcebc96..c5d2a2d 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -455,9 +455,9 @@ static int nat_q931(struct sk_buff **pskb, struct nf_conn *ct,
 		if (idx > 0 &&
 		    get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
 		    (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
-			set_h225_addr_hook(pskb, data, 0, &taddr[0],
-					   &ct->tuplehash[!dir].tuple.dst.u3,
-					   info->sig_port[!dir]);
+			set_h225_addr(pskb, data, 0, &taddr[0],
+				      &ct->tuplehash[!dir].tuple.dst.u3,
+				      info->sig_port[!dir]);
 		}
 	} else {
 		nf_conntrack_unexpect_related(exp);

Re: [NETFILTER 07/07]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:15 +0200 (MEST)

> [NETFILTER]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook
> 
> They're the same.
> 
> Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

Re: [NETFILTER 00/07]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 25 May 2007 00:02:06 +0200 (MEST)

> following are a couple of netfilter patches, fixing newline sequence number
> tracking problems with the FTP helper and a few problems with the H.323
> helper, mostly related to tracking IPv6 connections.
> 
> Please apply, thanks.

All applied, thanks Patrick.