[NETFILTER]: SIP helper: expect RTP streams in both directions

[NETFILTER]: SIP helper: expect RTP streams in both directions

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 367 bytes --]

Hi Dave,

following are two small fixes for 2.6.18. The second patch fixes
missing string validation in two netfilter modules. James sent a
similar patch for SECMARK to -stable, in my opinion this is not
necessary since CAP_NET_ADMIN in practice always means root and
mainline doesn't support virtualization yet. But if you feel
otherwise please pass it on. Thanks.


[-- Attachment #2: 01.diff --]
[-- Type: text/plain, Size: 1235 bytes --]

[NETFILTER]: SIP helper: expect RTP streams in both directions

Since we don't know in which direction the first packet will arrive, we
need to create one expectation for each direction, which is currently
prevented by max_expected beeing set to 1.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit e8b121382d0690c0d92b6134bb60e7626cd49284
tree 2a85a79242cb160e35d207d504886e770db2ed6f
parent 49b1e3ea19b1c95c2f012b8331ffb3b169e4c042
author Patrick McHardy <kaber@trash.net> Tue, 01 Aug 2006 07:26:21 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 01 Aug 2006 07:26:21 +0200

 net/ipv4/netfilter/ip_conntrack_sip.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index fc87ce0..4f222d6 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -442,7 +442,7 @@ static int __init init(void)
 		sip[i].tuple.src.u.udp.port = htons(ports[i]);
 		sip[i].mask.src.u.udp.port = 0xFFFF;
 		sip[i].mask.dst.protonum = 0xFF;
-		sip[i].max_expected = 1;
+		sip[i].max_expected = 2;
 		sip[i].timeout = 3 * 60; /* 3 minutes */
 		sip[i].me = THIS_MODULE;
 		sip[i].help = sip_help;

Re: [NETFILTER]: SIP helper: expect RTP streams in both directions

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 01 Aug 2006 08:39:50 +0200

> following are two small fixes for 2.6.18. The second patch fixes
> missing string validation in two netfilter modules. James sent a
> similar patch for SECMARK to -stable, in my opinion this is not
> necessary since CAP_NET_ADMIN in practice always means root and
> mainline doesn't support virtualization yet. But if you feel
> otherwise please pass it on. Thanks.

I applied James's patch because we should not make life
overly difficult for the openvz folks.

I've applied both of your patches too, thanks a lot Patrick.

Re: [NETFILTER]: SIP helper: expect RTP streams in both directions

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Tue, 01 Aug 2006 08:39:50 +0200
> 
> 
>>following are two small fixes for 2.6.18. The second patch fixes
>>missing string validation in two netfilter modules. James sent a
>>similar patch for SECMARK to -stable, in my opinion this is not
>>necessary since CAP_NET_ADMIN in practice always means root and
>>mainline doesn't support virtualization yet. But if you feel
>>otherwise please pass it on. Thanks.
> 
> 
> I applied James's patch because we should not make life
> overly difficult for the openvz folks.

I only meant -stable with "unnecessary", it should be fixed of course.

> I've applied both of your patches too, thanks a lot Patrick.

Thanks.