Re: nf_nat_sip & nf_conntrack_sip

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Jorge Bastos <mysql.jorge@decimal.pt>
Cc: netfilter@vger.kernel.org
Subject: Re: nf_nat_sip & nf_conntrack_sip
Date: Sun, 12 Jul 2009 16:28:36 +0200	[thread overview]
Message-ID: <4A59F314.6010309@trash.net> (raw)
In-Reply-To: <2026.87.196.17.191.1247346190.squirrel@webmail.decimal.pt>

[-- Attachment #1: Type: text/plain, Size: 873 bytes --]

Jorge Bastos wrote:
>>> Hi Patrick,
>>> continuing this matter, after updating to 2.6.31-rc2-git4 (i needed
>>> 'cause
>>> a fix for pty.c for PPTPD connections), loading the modules:
>>>
>>> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0
>>> sip_direct_media=0
>>> /sbin/modprobe nf_nat_sip
>>>
>>> When the other person disconnects from the other side, the call remains
>>> active in my side.
>>> Unloading the modules works as expected.
>>> A bug?
>> What exactly do you mean with "remains active"? The expectations?
>>
> 
> Let me see if i can explain myself.
> When I'm on a call, and the person for the other side ends the call, the
> sessions remains active.
> Without loadling the modules, it works fine.

That sounds like some packets are dropped by the helper. You could
try this patch in combination with ulogd(2) to capture the packet
in pcap format.


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2194 bytes --]

commit 78384e4b2e7ddb21709b0d8abac0d37b060dd3b7
Author: Patrick McHardy <kaber@trash.net>
Date:   Fri Jul 10 14:16:57 2009 +0200

    netfilter: nf_conntrack: log packets dropped by helpers
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 7d2ead7..44fa394 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -26,6 +26,7 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/nf_nat_helper.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <net/netfilter/nf_log.h>
 
 int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb,
 			      struct nf_conn *ct,
@@ -113,8 +114,11 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
 
 	ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
 			   ct, ctinfo);
-	if (ret != NF_ACCEPT)
+	if (ret != NF_ACCEPT) {
+		nf_log_packet(AF_INET, hooknum, skb, in, out, NULL,
+			      "nf_ct_%s: dropping packet", helper->name);
 		return ret;
+	}
 
 	if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) {
 		typeof(nf_nat_seq_adjust_hook) seq_adjust;
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 2a15c2d..6b76778 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -27,6 +27,7 @@
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
+#include <net/netfilter/nf_log.h>
 
 static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
 			      struct nf_conntrack_tuple *tuple)
@@ -176,8 +177,11 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
 	}
 
 	ret = helper->help(skb, protoff, ct, ctinfo);
-	if (ret != NF_ACCEPT)
+	if (ret != NF_ACCEPT) {
+		nf_log_packet(AF_INET6, hooknum, skb, in, out, NULL,
+			      "nf_ct_%s: dropping packet", helper->name);
 		return ret;
+	}
 out:
 	/* We've seen it coming out the other side: confirm it */
 	return nf_conntrack_confirm(skb);

next prev parent reply	other threads:[~2009-07-12 14:28 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-06-26  8:34 nf_nat_sip & nf_conntrack_sip Jorge Bastos
2009-06-26 12:57 ` Patrick McHardy
2009-06-26 19:07   ` Jorge Bastos
2009-06-29  8:22     ` Jorge Bastos
2009-06-29 12:30       ` Patrick McHardy
2009-06-29 12:53         ` Jorge Bastos
2009-06-29 12:54           ` Patrick McHardy
2009-06-29 13:02             ` Jorge Bastos
2009-06-29 13:36               ` Pascal Hambourg
2009-06-29 13:40                 ` Jorge Bastos
2009-07-10 17:36             ` Jorge Bastos
2009-07-11 17:13               ` Patrick McHardy
2009-07-11 21:03                 ` Jorge Bastos
2009-07-12 14:28                   ` Patrick McHardy [this message]
2009-07-12 18:02                     ` Jorge Bastos

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7d2ead7 dfblob:44fa394 dfblob:2a15c2d dfblob:6b76778 )
 OR (
bs:"Re: nf_nat_sip & nf_conntrack_sip" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A59F314.6010309@trash.net \
    --to=kaber@trash.net \
    --cc=mysql.jorge@decimal.pt \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.