aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2008-05-08 04:15:21 -0400
committerDavid S. Miller <davem@davemloft.net>2008-05-08 04:15:21 -0400
commitef75d49f116bccbb80bccd423ecf3cb86c4509a5 (patch)
tree9aad710282284d7f7ac97dac1f23428c3787dc3e
parent7312096454b6cd71267eaa3d0efb408e449e9ff3 (diff)
netfilter: nf_conntrack_sip: restrict RTP expect flushing on error to last request
Some Inovaphone PBXs exhibit very stange behaviour: when dialing for example "123", the device sends INVITE requests for "1", "12" and "123" back to back. The first requests will elicit error responses from the receiver, causing the SIP helper to flush the RTP expectations even though we might still see a positive response. Note the sequence number of the last INVITE request that contained a media description and only flush the expectations when receiving a negative response for that sequence number. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/netfilter/nf_conntrack_sip.h1
-rw-r--r--net/netfilter/nf_conntrack_sip.c22
2 files changed, 14 insertions, 9 deletions
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 5da04e586a3f..23aa2ec6b7b7 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -7,6 +7,7 @@
7 7
8struct nf_ct_sip_master { 8struct nf_ct_sip_master {
9 unsigned int register_cseq; 9 unsigned int register_cseq;
10 unsigned int invite_cseq;
10}; 11};
11 12
12enum sip_expectation_classes { 13enum sip_expectation_classes {
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 9f4900069561..2f9bbc058b48 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -870,6 +870,7 @@ static int process_sdp(struct sk_buff *skb,
870{ 870{
871 enum ip_conntrack_info ctinfo; 871 enum ip_conntrack_info ctinfo;
872 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 872 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
873 struct nf_conn_help *help = nfct_help(ct);
873 unsigned int matchoff, matchlen; 874 unsigned int matchoff, matchlen;
874 unsigned int mediaoff, medialen; 875 unsigned int mediaoff, medialen;
875 unsigned int sdpoff; 876 unsigned int sdpoff;
@@ -959,6 +960,9 @@ static int process_sdp(struct sk_buff *skb,
959 if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK) 960 if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK)
960 ret = nf_nat_sdp_session(skb, dptr, sdpoff, datalen, &rtp_addr); 961 ret = nf_nat_sdp_session(skb, dptr, sdpoff, datalen, &rtp_addr);
961 962
963 if (ret == NF_ACCEPT && i > 0)
964 help->help.ct_sip_info.invite_cseq = cseq;
965
962 return ret; 966 return ret;
963} 967}
964static int process_invite_response(struct sk_buff *skb, 968static int process_invite_response(struct sk_buff *skb,
@@ -967,14 +971,14 @@ static int process_invite_response(struct sk_buff *skb,
967{ 971{
968 enum ip_conntrack_info ctinfo; 972 enum ip_conntrack_info ctinfo;
969 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 973 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
974 struct nf_conn_help *help = nfct_help(ct);
970 975
971 if ((code >= 100 && code <= 199) || 976 if ((code >= 100 && code <= 199) ||
972 (code >= 200 && code <= 299)) 977 (code >= 200 && code <= 299))
973 return process_sdp(skb, dptr, datalen, cseq); 978 return process_sdp(skb, dptr, datalen, cseq);
974 else { 979 else if (help->help.ct_sip_info.invite_cseq == cseq)
975 flush_expectations(ct, true); 980 flush_expectations(ct, true);
976 return NF_ACCEPT; 981 return NF_ACCEPT;
977 }
978} 982}
979 983
980static int process_update_response(struct sk_buff *skb, 984static int process_update_response(struct sk_buff *skb,
@@ -983,14 +987,14 @@ static int process_update_response(struct sk_buff *skb,
983{ 987{
984 enum ip_conntrack_info ctinfo; 988 enum ip_conntrack_info ctinfo;
985 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 989 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
990 struct nf_conn_help *help = nfct_help(ct);
986 991
987 if ((code >= 100 && code <= 199) || 992 if ((code >= 100 && code <= 199) ||
988 (code >= 200 && code <= 299)) 993 (code >= 200 && code <= 299))
989 return process_sdp(skb, dptr, datalen, cseq); 994 return process_sdp(skb, dptr, datalen, cseq);
990 else { 995 else if (help->help.ct_sip_info.invite_cseq == cseq)
991 flush_expectations(ct, true); 996 flush_expectations(ct, true);
992 return NF_ACCEPT; 997 return NF_ACCEPT;
993 }
994} 998}
995 999
996static int process_prack_response(struct sk_buff *skb, 1000static int process_prack_response(struct sk_buff *skb,
@@ -999,14 +1003,14 @@ static int process_prack_response(struct sk_buff *skb,
999{ 1003{
1000 enum ip_conntrack_info ctinfo; 1004 enum ip_conntrack_info ctinfo;
1001 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 1005 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1006 struct nf_conn_help *help = nfct_help(ct);
1002 1007
1003 if ((code >= 100 && code <= 199) || 1008 if ((code >= 100 && code <= 199) ||
1004 (code >= 200 && code <= 299)) 1009 (code >= 200 && code <= 299))
1005 return process_sdp(skb, dptr, datalen, cseq); 1010 return process_sdp(skb, dptr, datalen, cseq);
1006 else { 1011 else if (help->help.ct_sip_info.invite_cseq == cseq)
1007 flush_expectations(ct, true); 1012 flush_expectations(ct, true);
1008 return NF_ACCEPT; 1013 return NF_ACCEPT;
1009 }
1010} 1014}
1011 1015
1012static int process_bye_request(struct sk_buff *skb, 1016static int process_bye_request(struct sk_buff *skb,