Red Hat Bugzilla – Attachment 305158 Details for
Bug 433661
kernel panic with voip traffic (h323)
[patch]
latest 2.6.18 ipv4 netfilter patch
patch-2.6.18-nath323-1.5 (text/plain), 28.18 KB, created by
Linda Wang
on 2008-05-12 18:47:29 UTC
Description:
latest 2.6.18 ipv4 netfilter patch
Filename:
MIME Type:
Creator:
Linda Wang
Created:
2008-05-12 18:47:29 UTC
Size:
28.18 KB
patch
obsolete
>diff -pruN linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_h323.h
>--- linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2006-11-16 00:02:44.000000000 -0500
>@@ -29,6 +29,7 @@ struct ip_ct_h323_master {
>
> struct ip_conntrack_expect;
>
>+extern int have_direct_route(u_int32_t src, u_int32_t dst);
> extern int get_h225_addr(unsigned char *data, TransportAddress * addr,
> u_int32_t * ip, u_int16_t * port);
> extern void ip_conntrack_h245_expect(struct ip_conntrack *new,
>diff -pruN linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h
>--- linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h 2006-11-16 00:02:44.000000000 -0500
>@@ -1,4 +1,4 @@
>-/* Generated by Jing Min Zhao's ASN.1 parser, Apr 20 2006
>+/* Generated by Jing Min Zhao's ASN.1 parser, Nov 15 2006
> *
> * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
> *
>@@ -352,23 +352,6 @@ typedef struct Alerting_UUIE { /* SEQUEN
> Alerting_UUIE_fastStart fastStart;
> } Alerting_UUIE;
>
>-typedef struct Information_UUIE_fastStart { /* SEQUENCE OF */
>- int count;
>- OpenLogicalChannel item[30];
>-} Information_UUIE_fastStart;
>-
>-typedef struct Information_UUIE { /* SEQUENCE */
>- enum {
>- eInformation_UUIE_callIdentifier = (1 << 31),
>- eInformation_UUIE_tokens = (1 << 30),
>- eInformation_UUIE_cryptoTokens = (1 << 29),
>- eInformation_UUIE_fastStart = (1 << 28),
>- eInformation_UUIE_fastConnectRefused = (1 << 27),
>- eInformation_UUIE_circuitInfo = (1 << 26),
>- } options;
>- Information_UUIE_fastStart fastStart;
>-} Information_UUIE;
>-
> typedef struct FacilityReason { /* CHOICE */
> enum {
> eFacilityReason_routeCallToGatekeeper,
>@@ -459,7 +442,6 @@ typedef struct H323_UU_PDU_h323_message_
> CallProceeding_UUIE callProceeding;
> Connect_UUIE connect;
> Alerting_UUIE alerting;
>- Information_UUIE information;
> Facility_UUIE facility;
> Progress_UUIE progress;
> };
>@@ -549,6 +531,7 @@ typedef struct OpenLogicalChannelAck { /
> } options;
> OpenLogicalChannelAck_reverseLogicalChannelParameters
> reverseLogicalChannelParameters;
>+ NetworkAccessParameters separateStack;
> OpenLogicalChannelAck_forwardMultiplexAckParameters
> forwardMultiplexAckParameters;
> } OpenLogicalChannelAck;
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c 2006-11-16 00:02:44.000000000 -0500
>@@ -555,15 +555,6 @@ int decode_seq(bitstr_t * bs, field_t *
>
> /* Decode the extension components */
> for (opt = 0; opt < bmp2_len; opt++, i++, son++) {
>- if (i < f->ub && son->attr & STOP) {
>- PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
>- son->name);
>- return H323_ERROR_STOP;
>- }
>-
>- if (!((0x80000000 >> opt) & bmp2)) /* Not present */
>- continue;
>-
> /* Check Range */
> if (i >= f->ub) { /* Newer Version? */
> CHECK_BOUND(bs, 2);
>@@ -573,6 +564,15 @@ int decode_seq(bitstr_t * bs, field_t *
> continue;
> }
>
>+ if (son->attr & STOP) {
>+ PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
>+ son->name);
>+ return H323_ERROR_STOP;
>+ }
>+
>+ if (!((0x80000000 >> opt) & bmp2)) /* Not present */
>+ continue;
>+
> CHECK_BOUND(bs, 2);
> len = get_len(bs);
> CHECK_BOUND(bs, len);
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323.c 2006-11-16 00:15:02.000000000 -0500
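Review bot: In the second hunk the `/* Not present */` test now sits after the `i >= f->ub` range branch, so for an extension component beyond the field table that branch reads a length and skips it whether or not the component's bit is set in `bmp2`; the removed code skipped absent components before ever reaching the range branch. An absent component carries no encoded length, so on any PDU with unset extension bits past `f->ub` the decoder consumes bytes that belong to the next field and either desynchronises or fails `CHECK_BOUND` and drops the packet. Keeping `if (!((0x80000000 >> opt) & bmp2)) continue;` ahead of the `/* Check Range */` test, with the STOP check left where this hunk places it, preserves the reorder's intent. The body of the range branch falls between the two hunks and decode_seq continues outside them, so this is inferred from the `CHECK_BOUND(bs, 2);` that opens the branch and the `continue;` that closes it.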
>@@ -35,15 +35,18 @@ static unsigned int default_rrq_ttl = 30
> module_param(default_rrq_ttl, uint, 0600);
> MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
>
>-static int gkrouted_only = 1;
>-module_param(gkrouted_only, int, 0600);
>-MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
>-
>-static int callforward_filter = 1;
>-module_param(callforward_filter, bool, 0600);
>-MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
>- "if both endpoints are on different sides "
>- "(determined by routing information)");
>+static int safe_calling_mode = 0;
>+module_param(safe_calling_mode, int, 0600);
>+MODULE_PARM_DESC(safe_calling_mode, "setting safe_calling_mode to 1 disable "
>+ "creating expectations for signals/media from arbitrary "
>+ "endpoints");
>+
>+static char *internal_net = NULL;
>+static u_int32_t internal_net_addr = 0;
>+static u_int32_t internal_net_mask = 0;
>+module_param(internal_net, charp, 0600);
>+MODULE_PARM_DESC(internal_net, "specify your internal network using format "
>+ "net/mask");
>
> /* Hooks for NAT */
> int (*set_h245_addr_hook) (struct sk_buff ** pskb,
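Review bot: `safe_calling_mode` defaults to 0, which reverses the two defaults this hunk removes (`gkrouted_only = 1` and `callforward_filter = 1`); by the parameter's own description, 0 means expectations for signalling and media are created for arbitrary endpoints, so a stock load of the module now accepts connections the previous build rejected by default. If the relaxed mode is required for proxied deployments, the description should say what the default does, e.g. `"(default 0: expectations match any source address)"`, and defaulting to 1 with the option to relax would be the safer shape. Separately, `internal_net` is registered with mode 0600 so it can be rewritten through sysfs, but the `init()` hunk further down parses it only at load time; a later write leaves `internal_net_addr`/`internal_net_mask` stale while `have_direct_route()` keys on the pointer being non-NULL, so `module_param(internal_net, charp, 0400)` is the matching permission unless a runtime re-parse is added.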
>@@ -101,6 +104,49 @@ static DEFINE_SPINLOCK(ip_h323_lock);
> static char *h323_buffer;
>
> /****************************************************************************/
>+int have_direct_route(u_int32_t src, u_int32_t dst)
>+{
>+ struct flowi fl_src, fl_dst;
>+ struct rtable *rt_src, *rt_dst;
>+ int ret;
>+
>+ if (src == dst)
>+ return 1;
>+
>+ if (internal_net) {
>+ if (((src & internal_net_mask) == internal_net_addr) ==
>+ ((dst & internal_net_mask) == internal_net_addr))
>+ return 1;
>+ return 0;
>+ }
>+
>+ fl_src = (struct flowi){.fl4_dst = src};
>+ fl_dst = (struct flowi){.fl4_dst = dst};
>+ ret = 0;
>+
>+ if (ip_route_output_key(&rt_dst, &fl_dst) != 0)
>+ goto out;
>+
>+ if (ip_route_output_key(&rt_src, &fl_src) != 0)
>+ goto out1;
>+
>+ if (rt_dst->u.dst.dev == rt_src->u.dst.dev &&
>+ rt_dst->rt_src == rt_src->rt_src) {
>+ if ((rt_dst->u.dst.flags & DST_HOST) ||
>+ (rt_src->u.dst.flags & DST_HOST) ||
>+ (rt_dst->rt_gateway == rt_src->rt_gateway)) {
>+ ret = 1;
>+ }
>+ }
>+
>+ dst_release(&rt_src->u.dst);
>+ out1:
>+ dst_release(&rt_dst->u.dst);
>+ out:
>+ return ret;
>+}
>+
>+/****************************************************************************/
> static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
> enum ip_conntrack_info ctinfo,
> unsigned char **data, int *datalen, int *dataoff)
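Review bot: `have_direct_route()` is exported (`EXPORT_SYMBOL_GPL` in a later hunk) and its result decides whether a firewall pinhole is created, yet it carries no contract comment, and its three decision paths are not obvious to a caller. A header comment above the definition should state that it returns 1 when the helper believes traffic between `src` and `dst` does not cross this host — identical addresses, both inside or both outside the configured `internal_net`, or both resolving to the same output device and source with a host route or a shared gateway — and 0 otherwise, including whenever either `ip_route_output_key()` lookup fails. The `internal_net` branch should also note that it bypasses routing entirely and that with `internal_net_addr` and `internal_net_mask` both 0 (the state left by an unparsed value in `init()`) every pair is reported as directly routed, which means no expectation is ever created.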
>@@ -239,22 +285,33 @@ static int expect_rtp_rtcp(struct sk_buf
> struct ip_conntrack_expect *rtcp_exp;
>
> /* Read RTP or RTCP address */
>- if (!get_h245_addr(*data, addr, &ip, &port) ||
>- ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
>+ if (!get_h245_addr(*data, addr, &ip, &port) || port == 0)
> return 0;
>
>+ /* H.323 signal proxy? */
>+ if (ip != ct->tuplehash[dir].tuple.src.ip) {
>+ DEBUGP("ip_ct_h323: H.323 signal proxy detected\n");
>+ /* The derived connections no need to go through firewall */
>+ if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+ DEBUGP("ip_ct_h323: proxied EP has direct route to "
>+ "peer\n");
>+ return 0;
>+ }
>+ }
>+
> /* RTP port is even */
> rtp_port = port & (~1);
>
> /* Create expect for RTP */
> if ((rtp_exp = ip_conntrack_expect_alloc(ct)) == NULL)
> return -1;
>- rtp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+ rtp_exp->tuple.src.ip = safe_calling_mode?
>+ ct->tuplehash[!dir].tuple.src.ip : 0;
> rtp_exp->tuple.src.u.udp.port = 0;
>- rtp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ rtp_exp->tuple.dst.ip = ip;
> rtp_exp->tuple.dst.u.udp.port = htons(rtp_port);
> rtp_exp->tuple.dst.protonum = IPPROTO_UDP;
>- rtp_exp->mask.src.ip = 0xFFFFFFFF;
>+ rtp_exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> rtp_exp->mask.src.u.udp.port = 0;
> rtp_exp->mask.dst.ip = 0xFFFFFFFF;
> rtp_exp->mask.dst.u.udp.port = 0xFFFF;
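Review bot: With the default `safe_calling_mode == 0` the RTP expectation is created with `tuple.src.ip = 0` and `mask.src.ip = 0` while `tuple.dst.ip` becomes the payload-supplied `ip`, so one OpenLogicalChannel can register a wildcard-source UDP expectation toward an address that is not the signalling peer; the removed `ip != ct->tuplehash[dir].tuple.src.ip` test was the check that tied the media address to that peer, and the new proxy branch only logs and consults `have_direct_route()`. The allocation site should say so, e.g. `/* safe_calling_mode == 0: any source may match; dst is the address carried in the H.245 payload */`, and the proxy branch should refuse addresses that cannot be a media endpoint before allocating — the loopback test `nat_q931` already applies, `(ntohl(ip) & 0xff000000) == 0x7f000000`, is the existing model. The RTCP hunk below and the hunks in expect_t120, expect_h245 and expect_callforwarding build their expectations the same way. expect_rtp_rtcp starts above this hunk and continues past it.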
>@@ -266,12 +323,13 @@ static int expect_rtp_rtcp(struct sk_buf
> ip_conntrack_expect_put(rtp_exp);
> return -1;
> }
>- rtcp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+ rtcp_exp->tuple.src.ip = safe_calling_mode?
>+ ct->tuplehash[!dir].tuple.src.ip : 0;
> rtcp_exp->tuple.src.u.udp.port = 0;
>- rtcp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ rtcp_exp->tuple.dst.ip = ip;
> rtcp_exp->tuple.dst.u.udp.port = htons(rtp_port + 1);
> rtcp_exp->tuple.dst.protonum = IPPROTO_UDP;
>- rtcp_exp->mask.src.ip = 0xFFFFFFFF;
>+ rtcp_exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> rtcp_exp->mask.src.u.udp.port = 0;
> rtcp_exp->mask.dst.ip = 0xFFFFFFFF;
> rtcp_exp->mask.dst.u.udp.port = 0xFFFF;
>@@ -330,19 +388,30 @@ static int expect_t120(struct sk_buff **
> struct ip_conntrack_expect *exp = NULL;
>
> /* Read T.120 address */
>- if (!get_h245_addr(*data, addr, &ip, &port) ||
>- ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
>+ if (!get_h245_addr(*data, addr, &ip, &port) || port == 0)
> return 0;
>
>+ /* H.323 signal proxy? */
>+ if (ip != ct->tuplehash[dir].tuple.src.ip) {
>+ DEBUGP("ip_ct_h323: H.323 signal proxy detected\n");
>+ /* The derived connections no need to go through firewall */
>+ if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+ DEBUGP("ip_ct_h323: proxied EP has direct route to "
>+ "peer\n");
>+ return 0;
>+ }
>+ }
>+
> /* Create expect for T.120 connections */
> if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> return -1;
>- exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+ exp->tuple.src.ip = safe_calling_mode?
>+ ct->tuplehash[!dir].tuple.src.ip : 0;
> exp->tuple.src.u.tcp.port = 0;
>- exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ exp->tuple.dst.ip = ip;
> exp->tuple.dst.u.tcp.port = htons(port);
> exp->tuple.dst.protonum = IPPROTO_TCP;
>- exp->mask.src.ip = 0xFFFFFFFF;
>+ exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> exp->mask.src.u.tcp.port = 0;
> exp->mask.dst.ip = 0xFFFFFFFF;
> exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -514,6 +583,16 @@ static int process_olca(struct sk_buff *
> }
> }
>
>+ if ((olca->options & eOpenLogicalChannelAck_separateStack) &&
>+ olca->separateStack.networkAddress.choice ==
>+ eNetworkAccessParameters_networkAddress_localAreaAddress) {
>+ ret = expect_t120(pskb, ct, ctinfo, data, dataoff,
>+ &olca->separateStack.networkAddress.
>+ localAreaAddress);
>+ if (ret < 0)
>+ return -1;
>+ }
>+
> return 0;
> }
>
>@@ -610,7 +689,7 @@ static struct ip_conntrack_helper ip_con
> .max_expected = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */ ,
> .timeout = 240,
> .tuple = {.dst = {.protonum = IPPROTO_TCP}},
>- .mask = {.src = {.u = {0xFFFF}},
>+ .mask = {.src = {.u = {.tcp = {.port = 0xFFFF}}},
> .dst = {.protonum = 0xFF}},
> .help = h245_help
> };
>@@ -653,19 +732,30 @@ static int expect_h245(struct sk_buff **
> struct ip_conntrack_expect *exp = NULL;
>
> /* Read h245Address */
>- if (!get_h225_addr(*data, addr, &ip, &port) ||
>- ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
>+ if (!get_h225_addr(*data, addr, &ip, &port) || port == 0)
> return 0;
>+
>+ /* H.323 signal proxy? */
>+ if (ip != ct->tuplehash[dir].tuple.src.ip) {
>+ DEBUGP("ip_ct_h323: H.323 signal proxy detected\n");
>+ /* The derived connections no need to go through firewall */
>+ if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+ DEBUGP("ip_ct_h323: proxied EP has direct route to "
>+ "peer\n");
>+ return 0;
>+ }
>+ }
>
> /* Create expect for h245 connection */
> if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> return -1;
>- exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+ exp->tuple.src.ip = safe_calling_mode?
>+ ct->tuplehash[!dir].tuple.src.ip : 0;
> exp->tuple.src.u.tcp.port = 0;
>- exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ exp->tuple.dst.ip = ip;
> exp->tuple.dst.u.tcp.port = htons(port);
> exp->tuple.dst.protonum = IPPROTO_TCP;
>- exp->mask.src.ip = 0xFFFFFFFF;
>+ exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> exp->mask.src.u.tcp.port = 0;
> exp->mask.dst.ip = 0xFFFFFFFF;
> exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -717,41 +807,24 @@ static int expect_callforwarding(struct
> if (!get_h225_addr(*data, addr, &ip, &port) || port == 0)
> return 0;
>
>- /* If the calling party is on the same side of the forward-to party,
>+ /* If the calling party has direct route to the forward-to party,
> * we don't need to track the second call */
>- if (callforward_filter) {
>- struct rtable *rt1, *rt2;
>- struct flowi fl1 = {
>- .fl4_dst = ip,
>- };
>- struct flowi fl2 = {
>- .fl4_dst = ct->tuplehash[!dir].tuple.src.ip,
>- };
>-
>- if (ip_route_output_key(&rt1, &fl1) == 0) {
>- if (ip_route_output_key(&rt2, &fl2) == 0) {
>- if (rt1->rt_gateway == rt2->rt_gateway &&
>- rt1->u.dst.dev == rt2->u.dst.dev)
>- ret = 1;
>- dst_release(&rt2->u.dst);
>- }
>- dst_release(&rt1->u.dst);
>- }
>- if (ret) {
>- DEBUGP("ip_ct_q931: Call Forwarding not tracked\n");
>- return 0;
>- }
>+ if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+ DEBUGP("ip_ct_q931: caller has direct route to forward-to "
>+ "EP\n");
>+ return 0;
> }
>
> /* Create expect for the second call leg */
> if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> return -1;
>- exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+ exp->tuple.src.ip = safe_calling_mode?
>+ ct->tuplehash[!dir].tuple.src.ip : 0;
> exp->tuple.src.u.tcp.port = 0;
> exp->tuple.dst.ip = ip;
> exp->tuple.dst.u.tcp.port = htons(port);
> exp->tuple.dst.protonum = IPPROTO_TCP;
>- exp->mask.src.ip = 0xFFFFFFFF;
>+ exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> exp->mask.src.u.tcp.port = 0;
> exp->mask.dst.ip = 0xFFFFFFFF;
> exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -943,30 +1016,6 @@ static int process_alerting(struct sk_bu
> }
>
> /****************************************************************************/
>-static int process_information(struct sk_buff **pskb,
>- struct ip_conntrack *ct,
>- enum ip_conntrack_info ctinfo,
>- unsigned char **data, int dataoff,
>- Information_UUIE * info)
>-{
>- int ret;
>- int i;
>-
>- DEBUGP("ip_ct_q931: Information\n");
>-
>- if (info->options & eInformation_UUIE_fastStart) {
>- for (i = 0; i < info->fastStart.count; i++) {
>- ret = process_olc(pskb, ct, ctinfo, data, dataoff,
>- &info->fastStart.item[i]);
>- if (ret < 0)
>- return -1;
>- }
>- }
>-
>- return 0;
>-}
>-
>-/****************************************************************************/
> static int process_facility(struct sk_buff **pskb, struct ip_conntrack *ct,
> enum ip_conntrack_info ctinfo,
> unsigned char **data, int dataoff,
>@@ -1062,11 +1111,6 @@ static int process_q931(struct sk_buff *
> ret = process_alerting(pskb, ct, ctinfo, data, dataoff,
> &pdu->h323_message_body.alerting);
> break;
>- case eH323_UU_PDU_h323_message_body_information:
>- ret = process_information(pskb, ct, ctinfo, data, dataoff,
>- &pdu->h323_message_body.
>- information);
>- break;
> case eH323_UU_PDU_h323_message_body_facility:
> ret = process_facility(pskb, ct, ctinfo, data, dataoff,
> &pdu->h323_message_body.facility);
>@@ -1153,9 +1197,10 @@ static struct ip_conntrack_helper ip_con
> .me = THIS_MODULE,
> .max_expected = H323_RTP_CHANNEL_MAX * 4 + 4 /* T.120 and H.245 */ ,
> .timeout = 240,
>- .tuple = {.src = {.u = {__constant_htons(Q931_PORT)}},
>+ .tuple = {.src =
>+ {.u = {.tcp = {.port = __constant_htons(Q931_PORT)}}},
> .dst = {.protonum = IPPROTO_TCP}},
>- .mask = {.src = {.u = {0xFFFF}},
>+ .mask = {.src = {.u = {.tcp = {.port = 0xFFFF}}},
> .dst = {.protonum = 0xFF}},
> .help = q931_help
> };
>@@ -1245,13 +1290,13 @@ static int expect_q931(struct sk_buff **
> /* Create expect for Q.931 */
> if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> return -1;
>- exp->tuple.src.ip = gkrouted_only ? /* only accept calls from GK? */
>+ exp->tuple.src.ip = safe_calling_mode? /* only accept calls from GK? */
> ct->tuplehash[!dir].tuple.src.ip : 0;
> exp->tuple.src.u.tcp.port = 0;
> exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
> exp->tuple.dst.u.tcp.port = htons(port);
> exp->tuple.dst.protonum = IPPROTO_TCP;
>- exp->mask.src.ip = gkrouted_only ? 0xFFFFFFFF : 0;
>+ exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> exp->mask.src.u.tcp.port = 0;
> exp->mask.dst.ip = 0xFFFFFFFF;
> exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -1417,10 +1462,10 @@ static int process_rcf(struct sk_buff **
> DEBUGP
> ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
> info->timeout);
>- ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
>+ ip_ct_refresh(ct, *pskb, info->timeout * HZ);
>
> /* Set expect timeout */
>- read_lock_bh(&ip_conntrack_lock);
>+ write_lock_bh(&ip_conntrack_lock);
> exp = find_expect(ct, ct->tuplehash[dir].tuple.dst.ip,
> info->sig_port[!dir]);
> if (exp) {
>@@ -1433,8 +1478,9 @@ static int process_rcf(struct sk_buff **
> ntohs(exp->tuple.dst.u.tcp.port),
> info->timeout);
> set_expect_timeout(exp, info->timeout);
>+ ip_conntrack_expect_put(exp);
> }
>- read_unlock_bh(&ip_conntrack_lock);
>+ write_unlock_bh(&ip_conntrack_lock);
> }
>
> return 0;
>@@ -1465,7 +1511,7 @@ static int process_urq(struct sk_buff **
> info->sig_port[!dir] = 0;
>
> /* Give it 30 seconds for UCF or URJ */
>- ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
>+ ip_ct_refresh(ct, *pskb, 30 * HZ);
>
> return 0;
> }
>@@ -1746,9 +1792,9 @@ static struct ip_conntrack_helper ip_con
> .me = THIS_MODULE,
> .max_expected = 32,
> .timeout = 240,
>- .tuple = {.src = {.u = {__constant_htons(RAS_PORT)}},
>+ .tuple = {.src = {.u = {.udp = {.port = __constant_htons(RAS_PORT)}}},
> .dst = {.protonum = IPPROTO_UDP}},
>- .mask = {.src = {.u = {0xFFFE}},
>+ .mask = {.src = {.u = {.udp = {.port = 0xFFFE}}},
> .dst = {.protonum = 0xFF}},
> .help = ras_help,
> };
>@@ -1776,6 +1822,7 @@ static void fini(void)
> static int __init init(void)
> {
> int ret;
>+ char *p;
>
> h323_buffer = kmalloc(65536, GFP_KERNEL);
> if (!h323_buffer)
>@@ -1785,6 +1832,23 @@ static int __init init(void)
> fini();
> return ret;
> }
>+
>+ if (internal_net) {
>+ if ((p = strchr(internal_net, '/')))
>+ *p++ = 0;
>+ if (isdigit(internal_net[0])) {
>+ internal_net_addr = in_aton(internal_net);
>+ if (p && isdigit(p[0]))
>+ internal_net_mask = in_aton(p);
>+ else
>+ internal_net_mask = 0xffffffff;
>+ internal_net_addr &= internal_net_mask;
>+ }
>+ DEBUGP("ip_ct_h323: internal_net = %u.%u.%u.%u/%u.%u.%u.%u\n",
>+ NIPQUAD(internal_net_addr),
>+ NIPQUAD(internal_net_mask));
>+ }
>+
> DEBUGP("ip_ct_h323: init success\n");
> return 0;
> }
>@@ -1793,6 +1857,7 @@ static int __init init(void)
> module_init(init);
> module_exit(fini);
>
>+EXPORT_SYMBOL_GPL(have_direct_route);
> EXPORT_SYMBOL_GPL(get_h225_addr);
> EXPORT_SYMBOL_GPL(ip_conntrack_h245_expect);
> EXPORT_SYMBOL_GPL(ip_conntrack_q931_expect);
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c 2006-11-16 00:02:44.000000000 -0500
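Review bot: The `internal_net` parse in the `init()` hunk never rejects bad input: when `internal_net[0]` is not a digit, `internal_net_addr` and `internal_net_mask` stay 0 but the pointer remains set, so the `internal_net` branch of `have_direct_route()` reports every address pair as directly routed and the helper silently stops creating expectations; `in_aton()` likewise returns without signalling a malformed address or mask. A misconfiguration should fail the load instead of disabling the helper — after the `strchr` split, `if (!isdigit(internal_net[0]) || (p && !isdigit(p[0]))) { printk(KERN_ERR "ip_ct_h323: invalid internal_net\n"); fini(); return -EINVAL; }`, reusing the `fini()`/error-return path this hunk already shows for helper registration failure. `*p++ = 0` also writes into the parameter string in place, which is why the value later read back through sysfs stops at the slash; a comment saying so would save the next reader a surprise.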
>@@ -1,4 +1,4 @@
>-/* Generated by Jing Min Zhao's ASN.1 parser, Apr 20 2006
>+/* Generated by Jing Min Zhao's ASN.1 parser, Nov 15 2006
> *
> * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
> *
>@@ -983,19 +983,12 @@ static field_t _Alerting_UUIE[] = { /* S
> {FNAME("featureSet") SEQ, 3, 4, 4, SKIP | EXT | OPT, 0, NULL},
> };
>
>-static field_t _Information_UUIE_fastStart[] = { /* SEQUENCE OF */
>- {FNAME("item") SEQ, 1, 3, 5, DECODE | OPEN | EXT,
>- sizeof(OpenLogicalChannel), _OpenLogicalChannel}
>- ,
>-};
>-
> static field_t _Information_UUIE[] = { /* SEQUENCE */
> {FNAME("protocolIdentifier") OID, BYTE, 0, 0, SKIP, 0, NULL},
> {FNAME("callIdentifier") SEQ, 0, 1, 1, SKIP | EXT, 0, NULL},
> {FNAME("tokens") SEQOF, SEMI, 0, 0, SKIP | OPT, 0, NULL},
> {FNAME("cryptoTokens") SEQOF, SEMI, 0, 0, SKIP | OPT, 0, NULL},
>- {FNAME("fastStart") SEQOF, SEMI, 0, 30, DECODE | OPT,
>- offsetof(Information_UUIE, fastStart), _Information_UUIE_fastStart},
>+ {FNAME("fastStart") SEQOF, SEMI, 0, 30, SKIP | OPT, 0, NULL},
> {FNAME("fastConnectRefused") NUL, FIXD, 0, 0, SKIP | OPT, 0, NULL},
> {FNAME("circuitInfo") SEQ, 3, 3, 3, SKIP | EXT | OPT, 0, NULL},
> };
>@@ -1342,9 +1335,7 @@ static field_t _H323_UU_PDU_h323_message
> offsetof(H323_UU_PDU_h323_message_body, connect), _Connect_UUIE},
> {FNAME("alerting") SEQ, 1, 3, 17, DECODE | EXT,
> offsetof(H323_UU_PDU_h323_message_body, alerting), _Alerting_UUIE},
>- {FNAME("information") SEQ, 0, 1, 7, DECODE | EXT,
>- offsetof(H323_UU_PDU_h323_message_body, information),
>- _Information_UUIE},
>+ {FNAME("information") SEQ, 0, 1, 7, SKIP | EXT, 0, _Information_UUIE},
> {FNAME("releaseComplete") SEQ, 1, 2, 11, SKIP | EXT, 0,
> _ReleaseComplete_UUIE},
> {FNAME("facility") SEQ, 3, 5, 21, DECODE | EXT,
>@@ -1429,7 +1420,9 @@ static field_t _OpenLogicalChannelAck[]
> DECODE | EXT | OPT, offsetof(OpenLogicalChannelAck,
> reverseLogicalChannelParameters),
> _OpenLogicalChannelAck_reverseLogicalChannelParameters},
>- {FNAME("separateStack") SEQ, 2, 4, 5, SKIP | EXT | OPT, 0, NULL},
>+ {FNAME("separateStack") SEQ, 2, 4, 5, DECODE | EXT | OPT,
>+ offsetof(OpenLogicalChannelAck, separateStack),
>+ _NetworkAccessParameters},
> {FNAME("forwardMultiplexAckParameters") CHOICE, 0, 1, 1,
> DECODE | EXT | OPT, offsetof(OpenLogicalChannelAck,
> forwardMultiplexAckParameters),
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_nat_helper_h323.c linux-2.6.18/net/ipv4/netfilter/ip_nat_helper_h323.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_nat_helper_h323.c 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_nat_helper_h323.c 2006-11-16 00:02:44.000000000 -0500
>@@ -188,6 +188,27 @@ static int set_ras_addr(struct sk_buff *
> }
>
> /****************************************************************************/
>+static void ip_nat_redirect(struct ip_conntrack *new,
>+ struct ip_conntrack_expect *exp)
>+{
>+ struct ip_nat_range range;
>+
>+ /* This must be a fresh one. */
>+ BUG_ON(new->status & IPS_NAT_DONE_MASK);
>+
>+ /* Change src to where ct comes from */
>+ range.flags = IP_NAT_RANGE_MAP_IPS;
>+ range.min_ip = range.max_ip = new->tuplehash[exp->dir].tuple.src.ip;
>+ ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
>+
>+ /* For DST manip, map ip:port here to where it's expected. */
>+ range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
>+ range.min = range.max = exp->saved_proto;
>+ range.min_ip = range.max_ip = exp->saved_ip;
>+ ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
>+}
>+
>+/****************************************************************************/
> static int nat_rtp_rtcp(struct sk_buff **pskb, struct ip_conntrack *ct,
> enum ip_conntrack_info ctinfo,
> unsigned char **data, int dataoff,
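Review bot: `ip_nat_redirect()` depends on every caller having copied the payload address into `exp->saved_ip` and the port into `exp->saved_proto` before rewriting `exp->tuple.dst.ip` (the later hunks in nat_rtp_rtcp, nat_t120, nat_h245 and nat_q931 do this), but nothing in the function states that contract; an expectation that reaches it without `saved_ip` set is DNATed to address 0. A header comment in the file's banner style should say that this is the expectfn for expectations whose `tuple.dst` was redirected to the master's destination: it SNATs the new connection to `new->tuplehash[exp->dir].tuple.src.ip`, then DNATs it to the endpoint saved in `exp->saved_ip`/`exp->saved_proto`, and that both fields must be populated by the helper that allocated the expectation. The `BUG_ON(new->status & IPS_NAT_DONE_MASK)` is now reached by RTP/RTCP, T.120 and H.245 expectations that previously went through `ip_nat_follow_master`, and it runs on the packet path; confirm that a matched expectation can never arrive with NAT already set up, since the alternative is a panic triggered by traffic.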
>@@ -202,11 +223,15 @@ static int nat_rtp_rtcp(struct sk_buff *
> u_int16_t nated_port;
>
> /* Set expectations for NAT */
>+ rtp_exp->saved_ip = rtp_exp->tuple.dst.ip;
> rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
>- rtp_exp->expectfn = ip_nat_follow_master;
>+ rtp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ rtp_exp->expectfn = ip_nat_redirect;
> rtp_exp->dir = !dir;
>+ rtcp_exp->saved_ip = rtcp_exp->tuple.dst.ip;
> rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
>- rtcp_exp->expectfn = ip_nat_follow_master;
>+ rtcp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ rtcp_exp->expectfn = ip_nat_redirect;
> rtcp_exp->dir = !dir;
>
> /* Lookup existing expects */
>@@ -292,8 +317,10 @@ static int nat_t120(struct sk_buff **psk
> u_int16_t nated_port = port;
>
> /* Set expectations for NAT */
>+ exp->saved_ip = exp->tuple.dst.ip;
> exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
>- exp->expectfn = ip_nat_follow_master;
>+ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+ exp->expectfn = ip_nat_redirect;
> exp->dir = !dir;
>
> /* Try to get same port: if not, try to change it. */
>@@ -326,13 +353,13 @@ static int nat_t120(struct sk_buff **psk
> /****************************************************************************
> * This conntrack expect function replaces ip_conntrack_h245_expect()
> * which was set by ip_conntrack_helper_h323.c. It calls both
>- * ip_nat_follow_master() and ip_conntrack_h245_expect()
>+ * ip_nat_redirect() and ip_conntrack_h245_expect()
> ****************************************************************************/
> static void ip_nat_h245_expect(struct ip_conntrack *new,
>- struct ip_conntrack_expect *this)
>+ struct ip_conntrack_expect *exp)
> {
>- ip_nat_follow_master(new, this);
>- ip_conntrack_h245_expect(new, this);
>+ ip_nat_redirect(new, exp);
>+ ip_conntrack_h245_expect(new, exp);
> }
>
> /****************************************************************************/
>@@ -347,7 +374,9 @@ static int nat_h245(struct sk_buff **psk
> u_int16_t nated_port = port;
>
> /* Set expectations for NAT */
>+ exp->saved_ip = exp->tuple.dst.ip;
> exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
>+ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
> exp->expectfn = ip_nat_h245_expect;
> exp->dir = !dir;
>
>@@ -392,36 +421,10 @@ static int nat_h245(struct sk_buff **psk
> * which was set by ip_conntrack_helper_h323.c.
> ****************************************************************************/
> static void ip_nat_q931_expect(struct ip_conntrack *new,
>- struct ip_conntrack_expect *this)
>+ struct ip_conntrack_expect *exp)
> {
>- struct ip_nat_range range;
>-
>- if (this->tuple.src.ip != 0) { /* Only accept calls from GK */
>- ip_nat_follow_master(new, this);
>- goto out;
>- }
>-
>- /* This must be a fresh one. */
>- BUG_ON(new->status & IPS_NAT_DONE_MASK);
>-
>- /* Change src to where master sends to */
>- range.flags = IP_NAT_RANGE_MAP_IPS;
>- range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.ip;
>-
>- /* hook doesn't matter, but it has to do source manip */
>- ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
>-
>- /* For DST manip, map port here to where it's expected. */
>- range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
>- range.min = range.max = this->saved_proto;
>- range.min_ip = range.max_ip =
>- new->master->tuplehash[!this->dir].tuple.src.ip;
>-
>- /* hook doesn't matter, but it has to do destination manip */
>- ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
>-
>- out:
>- ip_conntrack_q931_expect(new, this);
>+ ip_nat_redirect(new, exp);
>+ ip_conntrack_q931_expect(new, exp);
> }
>
> /****************************************************************************/
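Review bot: The second hunk drops the `this->tuple.src.ip != 0` branch, so a Q.931 expectation with a fixed source (the `safe_calling_mode == 1` case in expect_q931) is now SNATed and DNATed by `ip_nat_redirect()` instead of following the master's binding via `ip_nat_follow_master()`, and the DNAT target changes from `new->master->tuplehash[!this->dir].tuple.src.ip` to whatever nat_q931 stored in `exp->saved_ip`. If that is intended, the function's banner comment (which begins above the hunk and still only says it replaces `ip_conntrack_q931_expect()`) should state that gatekeeper-routed calls no longer take a separate path; if it is not, the guard belongs back as `if (exp->tuple.src.ip != 0) ip_nat_follow_master(new, exp); else ip_nat_redirect(new, exp);`. Whether the two targets coincide for the GK-routed case cannot be confirmed from the hunk.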
>@@ -436,7 +439,9 @@ static int nat_q931(struct sk_buff **psk
> u_int32_t ip;
>
> /* Set expectations for NAT */
>+ exp->saved_ip = exp->tuple.dst.ip;
> exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
>+ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
> exp->expectfn = ip_nat_q931_expect;
> exp->dir = !dir;
>
>@@ -469,9 +474,9 @@ static int nat_q931(struct sk_buff **psk
> if (idx > 0 &&
> get_h225_addr(*data, &addr[0], &ip, &port) &&
> (ntohl(ip) & 0xff000000) == 0x7f000000) {
>- set_h225_addr_hook(pskb, data, 0, &addr[0],
>- ct->tuplehash[!dir].tuple.dst.ip,
>- info->sig_port[!dir]);
>+ set_h225_addr(pskb, data, 0, &addr[0],
>+ ct->tuplehash[!dir].tuple.dst.ip,
>+ info->sig_port[!dir]);
> }
> } else {
> ip_conntrack_unexpect_related(exp);
>@@ -488,29 +493,10 @@ static int nat_q931(struct sk_buff **psk
>
> /****************************************************************************/
> static void ip_nat_callforwarding_expect(struct ip_conntrack *new,
>- struct ip_conntrack_expect *this)
>+ struct ip_conntrack_expect *exp)
> {
>- struct ip_nat_range range;
>-
>- /* This must be a fresh one. */
>- BUG_ON(new->status & IPS_NAT_DONE_MASK);
>-
>- /* Change src to where master sends to */
>- range.flags = IP_NAT_RANGE_MAP_IPS;
>- range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.ip;
>-
>- /* hook doesn't matter, but it has to do source manip */
>- ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
>-
>- /* For DST manip, map port here to where it's expected. */
>- range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
>- range.min = range.max = this->saved_proto;
>- range.min_ip = range.max_ip = this->saved_ip;
>-
>- /* hook doesn't matter, but it has to do destination manip */
>- ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
>-
>- ip_conntrack_q931_expect(new, this);
>+ ip_nat_redirect(new, exp);
>+ ip_conntrack_q931_expect(new, exp);
> }
>
> /****************************************************************************/