From: Patrick McHardy <kaber@trash.net>
To: Greg Alexander <greqcs@galexander.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Two patches for nf_conntrack_sip
Date: Tue, 19 Jan 2010 09:25:01 +0100 [thread overview]
Message-ID: <4B556C5D.3000006@trash.net> (raw)
In-Reply-To: <20100118193654.GE11547@goonies.be>
Greg Alexander wrote:
> On Mon, Jan 18, 2010 at 07:13:59PM +0100, Patrick McHardy wrote:
>> No, NAT is only responsible for address translation, and in fact it
>> isn't even involved in this decision. The connection tracking helper
>> (which can also be used without NAT) creates expectations, the expected
>> connections have to be permitted by the ruleset. The helper doesn't
>> drop or allow anything, all this parameter does is control how the
>> expectations are set up (wildcards or no wildcards).
>
> The thing is, you don't even need to violate the separation between NAT
> and conntrack. You are arguing that conntrack is only supposed to track
> connections, and you seem to believe that a connection exists only when
> both ends have been fully specified. Wildcard addresses do violate that
> definition, but that definition is unduly limited.
>
> There is a type of connection in which one endpoint is unspecified until
> after traffic is received. In TCP, this is a listen socket used for
> peer-to-peer communication, like IRC's DCC. Rightfully we do not love
> such wildcard connection strategies, but we acknowledge that we are not
> the body that forms the standards. Thus nf_nat_irc is born. SIP/SDP
> uses the same connection strategy (at least if early media is in play).
>
> The actual exposure from this wildcard is very limited. We only open the
> port when the internal host specifically requests it, and ultimately the
> expectation is only in effect for the first remote host to trigger it.
> The worst case scenario would be to allow people to send arbitrary
> packets to a port that is expecting valid media data. This isn't great
> but it's a weakness imposed by the protocol. As a bonus, the softphone
> software has access to both the SDP stream and the original source
> address on these UDP packets, so it can make its own decisions (generally
> turning it into a DoS instead of compromise).
Its not about what applications or phones do at all. Its about what
you can do by sending fake INVITE or other requests containing foreign
addresses. I'm not going to change the default, sorry.
I'm working on supporting helpers for selected connections (using an
iptables target) however, for which I might reconsider this.
>> I've seen quite a few of those bug reports myself, and in all but one
>> case it was actually people using the old version of the helper, which
>> didn't work properly at all (and didn't support these parameters).
>
> Maybe I'm misunderstanding the epidemiology here, but don't you see
> yourself sending out "try sip_direct_media=0" to each and every person
> who contacts you? Just imagine the thousands (soon millions) of users
> who would benefit from sip_direct_media=0 who will not know to contact
> you? The Linux kernel is packaged in most routers these days. It's all
> fine and dandy to force Linksys to add "sip_direct_media=0" to their
> options, but from the user perspective this option should be called
> "break_big_sip_providers=0". I don't think I would be willing to blame
> D-Link for failing to anticipate that we would provide a
> "break_big_sip_providers" option which defaults to 1. Even now, but
> especially in the future, SIP usage will be dominated by big providers.
> Gizmo5 is soon to be pronounced "Google Voice." I'd understand a quixotic
> desire to break common practice so that we can enforce a standard, but
> the standard in this case is clear that we are in violation, not the
> commercial providers.
>
> I mean, are we really in the business of distributing the "works with
> Asterisk" standards-ignoring but-slightly-safer SIP translator?
This is a documentation question.
Its BTW completely in line with what other helpers do, we also
have a "gkrouted_only" option in H.323 defaulting to 1 and a
"loose" option in FTP for FXP, defaulting to 0. Both for exactly
the same reason.
>> So does it work with sip_direct_media=0?
>
> Yes, it works perfectly with sip_direct_media=0.
Great. Could you send me the off-by-one fix please?
next prev parent reply other threads:[~2010-01-19 8:25 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-16 10:36 Two patches for nf_conntrack_sip Greg Alexander
2010-01-18 7:49 ` Patrick McHardy
2010-01-18 17:49 ` Greg Alexander
2010-01-18 18:13 ` Patrick McHardy
2010-01-18 19:36 ` Greg Alexander
2010-01-19 8:25 ` Patrick McHardy [this message]
2010-01-19 17:23 ` (PATCH) " Greg Alexander
2010-01-19 18:09 ` Patrick McHardy
2010-01-19 18:25 ` Group consensus sought on nf_conntrack_sip behavior Greg Alexander
2010-01-19 18:39 ` Patrick McHardy
2010-01-19 19:36 ` Greg Alexander
2010-01-19 22:01 ` Patrick McHardy
2010-01-20 0:02 ` Greg Alexander
2010-01-19 23:40 ` Florian Fuessl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B556C5D.3000006@trash.net \
--to=kaber@trash.net \
--cc=greqcs@galexander.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).