From: Patrick McHardy <kaber@trash.net>
To: Greg Alexander <greqcs@galexander.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Group consensus sought on nf_conntrack_sip behavior
Date: Tue, 19 Jan 2010 19:39:52 +0100
Message-ID: <4B55FC78.80001@trash.net>
In-Reply-To: <20100119182535.GG11547@goonies.be>

Greg Alexander wrote:
> Is there anyone else on this mailing list who cares to chime in?
>
> I believe it is more important to conform to standards and common
> practice, especially since they are the same in this case and present no
> undue burden or risk.
>
> Patrick McHardy seems to believe it is more important to enforce a rule
> of thumb prohibiting wildcard expectations.
>
> We each have precedent in other NAT helpers to support our position.

Well, I'll add one final point. You mentioned the IRC helper
as precedent, without referring to anything concrete. You're
mistaken though, the destination address is fixed. But I see
where your misunderstanding might come from.

What the SIP helper does is allow expectations between *arbitrary*
hosts when the direct_media option is off - the destination address
originates from the SDP payload, the source address is a wildcard.

> Any other opinions? Linux is a group effort.
>
> I'm not used to playing politics just to get a Linux project to adhere to
> a standard, but here we are. If I do not receive a satisfactory response
> here, I will petition the non-development netfilter user list. Should
> that fail I will attempt to induce the vast masses of users who are
> inconvenienced by this misfeature to write to various netfilter project
> mailing lists. Nip this in the bud, explain to me how sip_direct_media
> poses an actual security risk worth breaking SIP NAT for most users over.
>
> This issue will not go away for the userbase until the default is
> changed. The status quo in which the users are ignored is over.
>
> Thanks,

Have fun.
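
The difference described in the message above, as an added example (not part of the original e-mail and not the kernel's code): a simplified C model of expectation matching in which a zero source mask stands for the wildcard. The struct, the function names and the documentation-range addresses are constructed for illustration; the direct_media-on branch follows the module parameter's documented meaning, media streams between the signalling endpoints only.

```c
#include <stdbool.h>
#include <stdint.h>
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
/* Constructed sample hosts (documentation address ranges). */
#define CLIENT IP(192, 0, 2, 10)     /* SIP client, signalling source */
#define PROXY  IP(198, 51, 100, 5)   /* SIP proxy, signalling destination */
#define THIRD  IP(192, 0, 2, 99)     /* media address named in the SDP */
#define OTHER  IP(203, 0, 113, 77)   /* host unrelated to the call */

/* Simplified model of an expectation, not the kernel's struct:
 * smask == 0 means the source address is a wildcard. */
struct expect {
    uint32_t saddr, smask;
    uint32_t daddr;   /* always matched exactly */
    uint16_t dport;   /* always matched exactly */
};

/* Build the media expectation; returns false when none is created. */
bool make_rtp_expect(bool direct_media, uint32_t sig_src, uint32_t sig_dst,
                     uint32_t sdp_addr, uint16_t sdp_port, struct expect *e)
{
    e->daddr = sdp_addr;          /* destination comes from the SDP payload */
    e->dport = sdp_port;
    if (direct_media) {
        if (sdp_addr != sig_src)  /* media must end on the signalling host */
            return false;
        e->saddr = sig_dst;       /* only the signalling peer may send */
        e->smask = 0xffffffffu;
    } else {
        e->saddr = 0;             /* wildcard: any source host */
        e->smask = 0;
    }
    return true;
}

/* Does a new packet (src -> dst:dport) match the expectation? */
bool expect_matches(const struct expect *e, uint32_t src, uint32_t dst,
                    uint16_t dport)
{
    return (src & e->smask) == (e->saddr & e->smask) &&
           dst == e->daddr && dport == e->dport;
}

int main(void)
{
    struct expect e;
    make_rtp_expect(false, CLIENT, PROXY, THIRD, 4000, &e);
    return expect_matches(&e, OTHER, THIRD, 4000) ? 0 : 1; /* 0: OTHER matched */
}
```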