netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 01/12] netfilter: nf_conntrack_sip: allow duplicate SDP expectations
Date: Mon, 23 Apr 2018 19:57:03 +0200
Message-ID: <20180423175714.9794-2-pablo@netfilter.org>
In-Reply-To: <20180423175714.9794-1-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

Callum Sinclair reported SIP IP Phone errors that he tracked down to
such phones sending session descriptions for different media types but
with the same port numbers.

The expect core will only 'refresh' an existing expectation if it is
from the same master AND the same expectation class (media type).
As the expectation class is different, we get an error.

The SIP connection tracking code will then

1). drop the SDP packet
2). if an rtp expectation was already installed successfully, an
    error on the rtcp expectation will cancel the rtp one.

Make the expect core report back to caller when the conflict is due
to different expectation class and have SIP tracker ignore soft-error.

Reported-by: Callum Sinclair <Callum.Sinclair@alliedtelesis.co.nz>
Tested-by: Callum Sinclair <Callum.Sinclair@alliedtelesis.co.nz>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_expect.c |  5 ++++-
 net/netfilter/nf_conntrack_sip.c    | 16 ++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 8ef21d9f9a00..4b2b3d53acfc 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -252,7 +252,7 @@ static inline int expect_clash(const struct nf_conntrack_expect *a,
 static inline int expect_matches(const struct nf_conntrack_expect *a,
 				 const struct nf_conntrack_expect *b)
 {
-	return a->master == b->master && a->class == b->class &&
+	return a->master == b->master &&
 	       nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
 	       nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
 	       net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
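Review bot: with `a->class == b->class` removed, expect_matches() no longer distinguishes expectation classes for any of its callers, so every caller now has to compare class itself; a one-line comment above expect_matches() stating that class is deliberately left out and must be checked by the caller would keep a future caller from silently treating a different-class expectation as a refreshable duplicate.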
@@ -421,6 +421,9 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 	h = nf_ct_expect_dst_hash(net, &expect->tuple);
 	hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) {
 		if (expect_matches(i, expect)) {
+			if (i->class != expect->class)
+				return -EALREADY;
+
 			if (nf_ct_remove_expect(i))
 				break;
 		} else if (expect_clash(i, expect)) {
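Review bot: the new `return -EALREADY;` sits before nf_ct_remove_expect(), so the existing expectation of the other class stays in place and nothing is installed, yet any helper that only tests the result for `!= 0` will still treat it as a hard failure; since -EALREADY is now part of the contract of the expectation check, it should be documented at the return (or in the kernel-doc of the public wrapper) so helpers other than SIP can decide whether to tolerate it. Note also that returning here skips the expect_clash() pass over the remaining entries, which is fine only because the tuple already matched an entry from the same master.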
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 4dbb5bad4363..908e51e2dc2b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -938,11 +938,19 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
 				       datalen, rtp_exp, rtcp_exp,
 				       mediaoff, medialen, daddr);
 	else {
-		if (nf_ct_expect_related(rtp_exp) == 0) {
-			if (nf_ct_expect_related(rtcp_exp) != 0)
-				nf_ct_unexpect_related(rtp_exp);
-			else
+		/* -EALREADY handling works around end-points that send
+		 * SDP messages with identical port but different media type,
+		 * we pretend expectation was set up.
+		 */
+		int errp = nf_ct_expect_related(rtp_exp);
+
+		if (errp == 0 || errp == -EALREADY) {
+			int errcp = nf_ct_expect_related(rtcp_exp);
+
+			if (errcp == 0 || errcp == -EALREADY)
 				ret = NF_ACCEPT;
+			else if (errp == 0)
+				nf_ct_unexpect_related(rtp_exp);
 		}
 	}
 	nf_ct_expect_put(rtcp_exp);
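Review bot: the `else if (errp == 0) nf_ct_unexpect_related(rtp_exp);` branch correctly avoids tearing down an rtp expectation this call did not install, but the comment above should also say that when both calls return -EALREADY nothing new is installed and the SDP is accepted on the strength of the earlier media line's expectations (and their timeouts); consider naming the variables err_rtp/err_rtcp rather than errp/errcp, which read like "error pointer".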
-- 
2.11.0
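To make the behaviour described in the commit message concrete, here is an added C model that is not part of the patch or of the kernel: the expectation table is reduced to a master id, a class (media type) and an expected port hashed by port only, `patched` switches between the old and the new handling, and the old class-mismatch outcome is modelled as -EBUSY (the clash path), all of which are assumptions of this example.

```c
#include <errno.h>
#include <string.h>

/* Added model of the behaviour described in the commit message, not kernel
 * code. An expectation is master id + class (media type) + expected port and
 * the table is hashed by port only; `patched` selects the old or new core. */
enum { CLASS_AUDIO, CLASS_VIDEO };
enum { NF_DROP, NF_ACCEPT };
#define MAX_EXPECT 64
struct expect { int master, cls, used; unsigned short port; };
static struct expect table[MAX_EXPECT];	/* one slot per port in this model */

static void expect_flush(void) { memset(table, 0, sizeof(table)); }

/* Like __nf_ct_expect_check(): a same-master, same-tuple entry is refreshed
 * when the class matches too. With a different class the patched core reports
 * the soft error -EALREADY; the old core ran into the clash path and failed. */
static int expect_related(const struct expect *e, int patched)
{
	struct expect *t = &table[e->port % MAX_EXPECT];

	if (t->used && t->master != e->master)
		return -EBUSY;			/* clash with another connection */
	if (t->used && t->cls != e->cls)
		return patched ? -EALREADY : -EBUSY;
	*t = *e;				/* insert, or refresh the existing entry */
	t->used = 1;
	return 0;
}

static void unexpect(const struct expect *e) { table[e->port % MAX_EXPECT].used = 0; }

/* The SIP helper's set_expected_rtp_rtcp() decision, old and patched form. */
static int set_expected_rtp_rtcp(int master, int cls, unsigned short port, int patched)
{
	struct expect rtp = { master, cls, 0, port }, rtcp = rtp;
	int errp, ret = NF_DROP;

	rtcp.port++;				/* rtcp is expected on the next port */
	errp = expect_related(&rtp, patched);
	if (errp == 0 || (patched && errp == -EALREADY)) {
		int errcp = expect_related(&rtcp, patched);
		if (errcp == 0 || (patched && errcp == -EALREADY))
			ret = NF_ACCEPT;
		else if (errp == 0)		/* rtp was installed here: cancel it */
			unexpect(&rtp);
	}
	return ret;
}
```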
