aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-11-28 20:35:30 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:31:26 -0500
commit1b683b551209ca46ae59b29572018001db5af078 (patch)
tree8d88690faf3d819e42719165cae62e9953555140 /include/linux
parent77a78dec48386ce958196bf69f192ee76537c07d (diff)
[NETFILTER]: sip conntrack: better NAT handling
The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_sip.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_sip.h b/include/linux/netfilter_ipv4/ip_conntrack_sip.h
index 51c65ac18c57..bef6c646defa 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_sip.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_sip.h
@@ -6,7 +6,10 @@
6#define SIP_TIMEOUT 3600 6#define SIP_TIMEOUT 3600
7 7
8enum sip_header_pos { 8enum sip_header_pos {
9 POS_REQ_HEADER, 9 POS_REG_REQ_URI,
10 POS_REQ_URI,
11 POS_FROM,
12 POS_TO,
10 POS_VIA, 13 POS_VIA,
11 POS_CONTACT, 14 POS_CONTACT,
12 POS_CONTENT, 15 POS_CONTENT,