authorPatrick McHardy <kaber@trash.net>2008-03-25 23:22:37 -0400
committerDavid S. Miller <davem@davemloft.net>2008-03-25 23:22:37 -0400
commit33cb1e9a93312f0cdd34e0be2bc88e893ff96a33 (patch)
tree9692ef4590284acb93baccff502fce5a2853a410
parent30f33e6dee80c6ded917f978e4f377d1069d519d (diff)
[NETFILTER]: nf_conntrack_sip: perform NAT after parsing
Perform NAT last after parsing the packet. This makes no difference currently, but is needed when dealing with registrations to make sure we see the unNATed addresses. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/nf_nat_sip.c3
-rw-r--r--net/netfilter/nf_conntrack_sip.c19
2 files changed, 11 insertions, 11 deletions
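diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 5b4a5cd23f39..b44281011d6d 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -104,9 +104,6 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 union nf_inet_addr addr;
 __be16 port;
 
-if (*datalen < strlen("SIP/2.0"))
-return NF_ACCEPT;
-
 /* Basic rules: requests and responses. */
 if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 if (ct_sip_parse_request(ct, *dptr, *datalen,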
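diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1be949febab7..29a37d212695 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -700,6 +700,7 @@ static int sip_help(struct sk_buff *skb,
 {
 unsigned int dataoff, datalen;
 const char *dptr;
+int ret;
 typeof(nf_nat_sip_hook) nf_nat_sip;
 
 /* No Data ? */
@@ -716,20 +717,22 @@ static int sip_help(struct sk_buff *skb,
 return NF_ACCEPT;
 }
 
-nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
-if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-if (!nf_nat_sip(skb, &dptr, &datalen))
-return NF_DROP;
-}
-
 datalen = skb->len - dataoff;
 if (datalen < strlen("SIP/2.0 200"))
 return NF_ACCEPT;
 
 if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
-return process_sip_request(skb, &dptr, &datalen);
+ret = process_sip_request(skb, &dptr, &datalen);
 else
-return process_sip_response(skb, &dptr, &datalen);
+ret = process_sip_response(skb, &dptr, &datalen);
+
+if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
+if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen))
+ret = NF_DROP;
+}
+
+return ret;
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;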
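Review bot: The NAT hook called at new lines 729-733 of sip_help no longer has a length check of its own, because this same commit removes the `*datalen < strlen("SIP/2.0")` guard from ip_nat_sip in nf_nat_sip.c. The only bound left in front of ip_nat_sip's `strnicmp(*dptr, "SIP/2.0", ...)` is the `datalen < strlen("SIP/2.0 200")` test at new line 721, and between that test and the hook process_sip_request()/process_sip_response() receive `&dptr` and `&datalen` and may update them; their bodies are outside this hunk, so whether the payload can shrink below the compared prefix is an assumption to confirm. I would record the dependency above the block with a comment such as `/* nf_nat_sip does no length check itself; it relies on the datalen test above still holding after parsing */`. The condition would also read more safely with explicit grouping, `if (ret == NF_ACCEPT && (ct->status & IPS_NAT_MASK)) {`. The part of sip_help between the two hunks is not shown.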