Attachment 305158 Details for Bug 433661 – latest 2.6.18 ipv4 netfilter patch

[patch] latest 2.6.18 ipv4 netfilter patch

patch-2.6.18-nath323-1.5 (text/plain), 28.18 KB, created by Linda Wang on 2008-05-12 18:47:29 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Linda Wang

Created: 2008-05-12 18:47:29 UTC

Size: 28.18 KB

patch

obsolete

>diff -pruN linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_h323.h
>--- linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_h323.h	2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_h323.h	2006-11-16 00:02:44.000000000 -0500
>@@ -29,6 +29,7 @@ struct ip_ct_h323_master {
> 
> struct ip_conntrack_expect;
> 
>+extern int have_direct_route(u_int32_t src, u_int32_t dst);
> extern int get_h225_addr(unsigned char *data, TransportAddress * addr,
> 			 u_int32_t * ip, u_int16_t * port);
> extern void ip_conntrack_h245_expect(struct ip_conntrack *new,
>diff -pruN linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h
>--- linux-2.6.18.orig/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h	2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/include/linux/netfilter_ipv4/ip_conntrack_helper_h323_types.h	2006-11-16 00:02:44.000000000 -0500
>@@ -1,4 +1,4 @@
>-/* Generated by Jing Min Zhao's ASN.1 parser, Apr 20 2006
>+/* Generated by Jing Min Zhao's ASN.1 parser, Nov 15 2006
>  *
>  * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
>  *
>@@ -352,23 +352,6 @@ typedef struct Alerting_UUIE {	/* SEQUEN
> 	Alerting_UUIE_fastStart fastStart;
> } Alerting_UUIE;
> 
>-typedef struct Information_UUIE_fastStart {	/* SEQUENCE OF */
>-	int count;
>-	OpenLogicalChannel item[30];
>-} Information_UUIE_fastStart;
>-
>-typedef struct Information_UUIE {	/* SEQUENCE */
>-	enum {
>-		eInformation_UUIE_callIdentifier = (1 << 31),
>-		eInformation_UUIE_tokens = (1 << 30),
>-		eInformation_UUIE_cryptoTokens = (1 << 29),
>-		eInformation_UUIE_fastStart = (1 << 28),
>-		eInformation_UUIE_fastConnectRefused = (1 << 27),
>-		eInformation_UUIE_circuitInfo = (1 << 26),
>-	} options;
>-	Information_UUIE_fastStart fastStart;
>-} Information_UUIE;
>-
> typedef struct FacilityReason {	/* CHOICE */
> 	enum {
> 		eFacilityReason_routeCallToGatekeeper,
>@@ -459,7 +442,6 @@ typedef struct H323_UU_PDU_h323_message_
> 		CallProceeding_UUIE callProceeding;
> 		Connect_UUIE connect;
> 		Alerting_UUIE alerting;
>-		Information_UUIE information;
> 		Facility_UUIE facility;
> 		Progress_UUIE progress;
> 	};
>@@ -549,6 +531,7 @@ typedef struct OpenLogicalChannelAck {	/
> 	} options;
> 	OpenLogicalChannelAck_reverseLogicalChannelParameters
> 	    reverseLogicalChannelParameters;
>+	NetworkAccessParameters separateStack;
> 	OpenLogicalChannelAck_forwardMultiplexAckParameters
> 	    forwardMultiplexAckParameters;
> } OpenLogicalChannelAck;
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c	2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c	2006-11-16 00:02:44.000000000 -0500
>@@ -555,15 +555,6 @@ int decode_seq(bitstr_t * bs, field_t * 
> 
> 	/* Decode the extension components */
> 	for (opt = 0; opt < bmp2_len; opt++, i++, son++) {
>-		if (i < f->ub && son->attr & STOP) {
>-			PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
>-			      son->name);
>-			return H323_ERROR_STOP;
>-		}
>-
>-		if (!((0x80000000 >> opt) & bmp2))	/* Not present */
>-			continue;
>-
> 		/* Check Range */
> 		if (i >= f->ub) {	/* Newer Version? */
> 			CHECK_BOUND(bs, 2);
>@@ -573,6 +564,15 @@ int decode_seq(bitstr_t * bs, field_t * 
> 			continue;
> 		}
> 
>+		if (son->attr & STOP) {
>+			PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
>+			      son->name);
>+			return H323_ERROR_STOP;
>+		}
>+
>+		if (!((0x80000000 >> opt) & bmp2))	/* Not present */
>+			continue;
>+
> 		CHECK_BOUND(bs, 2);
> 		len = get_len(bs);
> 		CHECK_BOUND(bs, len);
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c	2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323.c	2006-11-16 00:15:02.000000000 -0500
>@@ -35,15 +35,18 @@ static unsigned int default_rrq_ttl = 30
> module_param(default_rrq_ttl, uint, 0600);
> MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
> 
>-static int gkrouted_only = 1;
>-module_param(gkrouted_only, int, 0600);
>-MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
>-
>-static int callforward_filter = 1;
>-module_param(callforward_filter, bool, 0600);
>-MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
>-		                     "if both endpoints are on different sides "
>-				     "(determined by routing information)");
>+static int safe_calling_mode = 0;
>+module_param(safe_calling_mode, int, 0600);
>+MODULE_PARM_DESC(safe_calling_mode, "setting safe_calling_mode to 1 disable "
>+		 "creating expectations for signals/media from arbitrary "
>+		 "endpoints");
>+
>+static char *internal_net = NULL;
>+static u_int32_t internal_net_addr = 0;
>+static u_int32_t internal_net_mask = 0;
>+module_param(internal_net, charp, 0600);
>+MODULE_PARM_DESC(internal_net, "specify your internal network using format "
>+		 "net/mask");
> 
> /* Hooks for NAT */
> int (*set_h245_addr_hook) (struct sk_buff ** pskb,
>@@ -101,6 +104,49 @@ static DEFINE_SPINLOCK(ip_h323_lock);
> static char *h323_buffer;
> 
> /****************************************************************************/
>+int have_direct_route(u_int32_t src, u_int32_t dst)
>+{
>+	struct flowi fl_src, fl_dst;
>+	struct rtable *rt_src, *rt_dst;
>+	int ret;
>+
>+	if (src == dst)
>+		return 1;
>+
>+	if (internal_net) {
>+		if (((src & internal_net_mask) == internal_net_addr) ==
>+		    ((dst & internal_net_mask) == internal_net_addr))
>+			return 1;
>+		return 0;
>+	}
>+
>+	fl_src = (struct flowi){.fl4_dst = src};
>+	fl_dst = (struct flowi){.fl4_dst = dst};
>+	ret = 0;
>+
>+	if (ip_route_output_key(&rt_dst, &fl_dst) != 0)
>+		goto out;
>+
>+	if (ip_route_output_key(&rt_src, &fl_src) != 0)
>+		goto out1;
>+
>+	if (rt_dst->u.dst.dev == rt_src->u.dst.dev &&
>+	    rt_dst->rt_src == rt_src->rt_src) {
>+		if ((rt_dst->u.dst.flags & DST_HOST) ||
>+		    (rt_src->u.dst.flags & DST_HOST) ||
>+		    (rt_dst->rt_gateway == rt_src->rt_gateway)) {
>+			ret = 1;
>+		}
>+	}
>+
>+	dst_release(&rt_src->u.dst);
>+      out1:
>+	dst_release(&rt_dst->u.dst);
>+      out:
>+	return ret;
>+}
>+
>+/****************************************************************************/
> static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
> 			 enum ip_conntrack_info ctinfo,
> 			 unsigned char **data, int *datalen, int *dataoff)
>@@ -239,22 +285,33 @@ static int expect_rtp_rtcp(struct sk_buf
> 	struct ip_conntrack_expect *rtcp_exp;
> 
> 	/* Read RTP or RTCP address */
>-	if (!get_h245_addr(*data, addr, &ip, &port) ||
>-	    ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
>+	if (!get_h245_addr(*data, addr, &ip, &port) || port == 0)
> 		return 0;
> 
>+	/* H.323 signal proxy? */
>+	if (ip != ct->tuplehash[dir].tuple.src.ip) {
>+		DEBUGP("ip_ct_h323: H.323 signal proxy detected\n");
>+		/* The derived connections no need to go through firewall */
>+		if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+			DEBUGP("ip_ct_h323: proxied EP has direct route to "
>+			       "peer\n");
>+			return 0;
>+		}
>+	}
>+	
> 	/* RTP port is even */
> 	rtp_port = port & (~1);
> 
> 	/* Create expect for RTP */
> 	if ((rtp_exp = ip_conntrack_expect_alloc(ct)) == NULL)
> 		return -1;
>-	rtp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+	rtp_exp->tuple.src.ip = safe_calling_mode?
>+		ct->tuplehash[!dir].tuple.src.ip : 0;
> 	rtp_exp->tuple.src.u.udp.port = 0;
>-	rtp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	rtp_exp->tuple.dst.ip = ip;
> 	rtp_exp->tuple.dst.u.udp.port = htons(rtp_port);
> 	rtp_exp->tuple.dst.protonum = IPPROTO_UDP;
>-	rtp_exp->mask.src.ip = 0xFFFFFFFF;
>+	rtp_exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> 	rtp_exp->mask.src.u.udp.port = 0;
> 	rtp_exp->mask.dst.ip = 0xFFFFFFFF;
> 	rtp_exp->mask.dst.u.udp.port = 0xFFFF;
>@@ -266,12 +323,13 @@ static int expect_rtp_rtcp(struct sk_buf
> 		ip_conntrack_expect_put(rtp_exp);
> 		return -1;
> 	}
>-	rtcp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+	rtcp_exp->tuple.src.ip = safe_calling_mode?
>+		ct->tuplehash[!dir].tuple.src.ip : 0;
> 	rtcp_exp->tuple.src.u.udp.port = 0;
>-	rtcp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	rtcp_exp->tuple.dst.ip = ip;
> 	rtcp_exp->tuple.dst.u.udp.port = htons(rtp_port + 1);
> 	rtcp_exp->tuple.dst.protonum = IPPROTO_UDP;
>-	rtcp_exp->mask.src.ip = 0xFFFFFFFF;
>+	rtcp_exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> 	rtcp_exp->mask.src.u.udp.port = 0;
> 	rtcp_exp->mask.dst.ip = 0xFFFFFFFF;
> 	rtcp_exp->mask.dst.u.udp.port = 0xFFFF;
>@@ -330,19 +388,30 @@ static int expect_t120(struct sk_buff **
> 	struct ip_conntrack_expect *exp = NULL;
> 
> 	/* Read T.120 address */
>-	if (!get_h245_addr(*data, addr, &ip, &port) ||
>-	    ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
>+	if (!get_h245_addr(*data, addr, &ip, &port) || port == 0)
> 		return 0;
> 
>+	/* H.323 signal proxy? */
>+	if (ip != ct->tuplehash[dir].tuple.src.ip) {
>+		DEBUGP("ip_ct_h323: H.323 signal proxy detected\n");
>+		/* The derived connections no need to go through firewall */
>+		if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+			DEBUGP("ip_ct_h323: proxied EP has direct route to "
>+			       "peer\n");
>+			return 0;
>+		}
>+	}
>+
> 	/* Create expect for T.120 connections */
> 	if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> 		return -1;
>-	exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+	exp->tuple.src.ip = safe_calling_mode?
>+		ct->tuplehash[!dir].tuple.src.ip : 0;
> 	exp->tuple.src.u.tcp.port = 0;
>-	exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	exp->tuple.dst.ip = ip;
> 	exp->tuple.dst.u.tcp.port = htons(port);
> 	exp->tuple.dst.protonum = IPPROTO_TCP;
>-	exp->mask.src.ip = 0xFFFFFFFF;
>+	exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> 	exp->mask.src.u.tcp.port = 0;
> 	exp->mask.dst.ip = 0xFFFFFFFF;
> 	exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -514,6 +583,16 @@ static int process_olca(struct sk_buff *
> 		}
> 	}
> 
>+	if ((olca->options & eOpenLogicalChannelAck_separateStack) &&
>+	    olca->separateStack.networkAddress.choice ==
>+	    eNetworkAccessParameters_networkAddress_localAreaAddress) {
>+		ret = expect_t120(pskb, ct, ctinfo, data, dataoff,
>+				  &olca->separateStack.networkAddress.
>+				  localAreaAddress);
>+		if (ret < 0)
>+			return -1;
>+	}
>+
> 	return 0;
> }
> 
>@@ -610,7 +689,7 @@ static struct ip_conntrack_helper ip_con
> 	.max_expected = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */ ,
> 	.timeout = 240,
> 	.tuple = {.dst = {.protonum = IPPROTO_TCP}},
>-	.mask = {.src = {.u = {0xFFFF}},
>+	.mask = {.src = {.u = {.tcp = {.port = 0xFFFF}}},
> 		 .dst = {.protonum = 0xFF}},
> 	.help = h245_help
> };
>@@ -653,19 +732,30 @@ static int expect_h245(struct sk_buff **
> 	struct ip_conntrack_expect *exp = NULL;
> 
> 	/* Read h245Address */
>-	if (!get_h225_addr(*data, addr, &ip, &port) ||
>-	    ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
>+	if (!get_h225_addr(*data, addr, &ip, &port) || port == 0)
> 		return 0;
>+	
>+	/* H.323 signal proxy? */
>+	if (ip != ct->tuplehash[dir].tuple.src.ip) {
>+		DEBUGP("ip_ct_h323: H.323 signal proxy detected\n");
>+		/* The derived connections no need to go through firewall */
>+		if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+			DEBUGP("ip_ct_h323: proxied EP has direct route to "
>+			       "peer\n");
>+			return 0;
>+		}
>+	}
> 
> 	/* Create expect for h245 connection */
> 	if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> 		return -1;
>-	exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+	exp->tuple.src.ip = safe_calling_mode?
>+		ct->tuplehash[!dir].tuple.src.ip : 0;
> 	exp->tuple.src.u.tcp.port = 0;
>-	exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	exp->tuple.dst.ip = ip;
> 	exp->tuple.dst.u.tcp.port = htons(port);
> 	exp->tuple.dst.protonum = IPPROTO_TCP;
>-	exp->mask.src.ip = 0xFFFFFFFF;
>+	exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> 	exp->mask.src.u.tcp.port = 0;
> 	exp->mask.dst.ip = 0xFFFFFFFF;
> 	exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -717,41 +807,24 @@ static int expect_callforwarding(struct 
> 	if (!get_h225_addr(*data, addr, &ip, &port) || port == 0)
> 		return 0;
> 
>-	/* If the calling party is on the same side of the forward-to party,
>+	/* If the calling party has direct route to the forward-to party,
> 	 * we don't need to track the second call */
>-	if (callforward_filter) {
>-		struct rtable *rt1, *rt2;
>-		struct flowi fl1 = {
>-			.fl4_dst = ip,
>-		};
>-		struct flowi fl2 = {
>-			.fl4_dst = ct->tuplehash[!dir].tuple.src.ip,
>-		};
>-
>-		if (ip_route_output_key(&rt1, &fl1) == 0) {
>-			if (ip_route_output_key(&rt2, &fl2) == 0) {
>-				if (rt1->rt_gateway == rt2->rt_gateway &&
>-				    rt1->u.dst.dev  == rt2->u.dst.dev)
>-					ret = 1;
>-				dst_release(&rt2->u.dst);
>-			}
>-			dst_release(&rt1->u.dst);
>-		}
>-		if (ret) {
>-			DEBUGP("ip_ct_q931: Call Forwarding not tracked\n");
>-			return 0;
>-		}
>+	if (have_direct_route(ct->tuplehash[!dir].tuple.src.ip, ip)) {
>+		DEBUGP("ip_ct_q931: caller has direct route to forward-to "
>+		       "EP\n");
>+		return 0;
> 	}
> 
> 	/* Create expect for the second call leg */
> 	if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> 		return -1;
>-	exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
>+	exp->tuple.src.ip = safe_calling_mode?
>+		ct->tuplehash[!dir].tuple.src.ip : 0;
> 	exp->tuple.src.u.tcp.port = 0;
> 	exp->tuple.dst.ip = ip;
> 	exp->tuple.dst.u.tcp.port = htons(port);
> 	exp->tuple.dst.protonum = IPPROTO_TCP;
>-	exp->mask.src.ip = 0xFFFFFFFF;
>+	exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> 	exp->mask.src.u.tcp.port = 0;
> 	exp->mask.dst.ip = 0xFFFFFFFF;
> 	exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -943,30 +1016,6 @@ static int process_alerting(struct sk_bu
> }
> 
> /****************************************************************************/
>-static int process_information(struct sk_buff **pskb,
>-			       struct ip_conntrack *ct,
>-			       enum ip_conntrack_info ctinfo,
>-			       unsigned char **data, int dataoff,
>-			       Information_UUIE * info)
>-{
>-	int ret;
>-	int i;
>-
>-	DEBUGP("ip_ct_q931: Information\n");
>-
>-	if (info->options & eInformation_UUIE_fastStart) {
>-		for (i = 0; i < info->fastStart.count; i++) {
>-			ret = process_olc(pskb, ct, ctinfo, data, dataoff,
>-					  &info->fastStart.item[i]);
>-			if (ret < 0)
>-				return -1;
>-		}
>-	}
>-
>-	return 0;
>-}
>-
>-/****************************************************************************/
> static int process_facility(struct sk_buff **pskb, struct ip_conntrack *ct,
> 			    enum ip_conntrack_info ctinfo,
> 			    unsigned char **data, int dataoff,
>@@ -1062,11 +1111,6 @@ static int process_q931(struct sk_buff *
> 		ret = process_alerting(pskb, ct, ctinfo, data, dataoff,
> 				       &pdu->h323_message_body.alerting);
> 		break;
>-	case eH323_UU_PDU_h323_message_body_information:
>-		ret = process_information(pskb, ct, ctinfo, data, dataoff,
>-					  &pdu->h323_message_body.
>-					  information);
>-		break;
> 	case eH323_UU_PDU_h323_message_body_facility:
> 		ret = process_facility(pskb, ct, ctinfo, data, dataoff,
> 				       &pdu->h323_message_body.facility);
>@@ -1153,9 +1197,10 @@ static struct ip_conntrack_helper ip_con
> 	.me = THIS_MODULE,
> 	.max_expected = H323_RTP_CHANNEL_MAX * 4 + 4 /* T.120 and H.245 */ ,
> 	.timeout = 240,
>-	.tuple = {.src = {.u = {__constant_htons(Q931_PORT)}},
>+	.tuple = {.src =
>+		  {.u = {.tcp = {.port = __constant_htons(Q931_PORT)}}},
> 		  .dst = {.protonum = IPPROTO_TCP}},
>-	.mask = {.src = {.u = {0xFFFF}},
>+	.mask = {.src = {.u = {.tcp = {.port = 0xFFFF}}},
> 		 .dst = {.protonum = 0xFF}},
> 	.help = q931_help
> };
>@@ -1245,13 +1290,13 @@ static int expect_q931(struct sk_buff **
> 	/* Create expect for Q.931 */
> 	if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
> 		return -1;
>-	exp->tuple.src.ip = gkrouted_only ?	/* only accept calls from GK? */
>+	exp->tuple.src.ip = safe_calling_mode?	/* only accept calls from GK? */
> 	    ct->tuplehash[!dir].tuple.src.ip : 0;
> 	exp->tuple.src.u.tcp.port = 0;
> 	exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
> 	exp->tuple.dst.u.tcp.port = htons(port);
> 	exp->tuple.dst.protonum = IPPROTO_TCP;
>-	exp->mask.src.ip = gkrouted_only ? 0xFFFFFFFF : 0;
>+	exp->mask.src.ip = safe_calling_mode? 0xFFFFFFFF : 0;
> 	exp->mask.src.u.tcp.port = 0;
> 	exp->mask.dst.ip = 0xFFFFFFFF;
> 	exp->mask.dst.u.tcp.port = 0xFFFF;
>@@ -1417,10 +1462,10 @@ static int process_rcf(struct sk_buff **
> 		DEBUGP
> 		    ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
> 		     info->timeout);
>-		ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
>+		ip_ct_refresh(ct, *pskb, info->timeout * HZ);
> 
> 		/* Set expect timeout */
>-		read_lock_bh(&ip_conntrack_lock);
>+		write_lock_bh(&ip_conntrack_lock);
> 		exp = find_expect(ct, ct->tuplehash[dir].tuple.dst.ip,
> 				  info->sig_port[!dir]);
> 		if (exp) {
>@@ -1433,8 +1478,9 @@ static int process_rcf(struct sk_buff **
> 			       ntohs(exp->tuple.dst.u.tcp.port),
> 			       info->timeout);
> 			set_expect_timeout(exp, info->timeout);
>+			ip_conntrack_expect_put(exp);
> 		}
>-		read_unlock_bh(&ip_conntrack_lock);
>+		write_unlock_bh(&ip_conntrack_lock);
> 	}
> 
> 	return 0;
>@@ -1465,7 +1511,7 @@ static int process_urq(struct sk_buff **
> 	info->sig_port[!dir] = 0;
> 
> 	/* Give it 30 seconds for UCF or URJ */
>-	ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
>+	ip_ct_refresh(ct, *pskb, 30 * HZ);
> 
> 	return 0;
> }
>@@ -1746,9 +1792,9 @@ static struct ip_conntrack_helper ip_con
> 	.me = THIS_MODULE,
> 	.max_expected = 32,
> 	.timeout = 240,
>-	.tuple = {.src = {.u = {__constant_htons(RAS_PORT)}},
>+	.tuple = {.src = {.u = {.udp = {.port = __constant_htons(RAS_PORT)}}},
> 		  .dst = {.protonum = IPPROTO_UDP}},
>-	.mask = {.src = {.u = {0xFFFE}},
>+	.mask = {.src = {.u = {.udp = {.port = 0xFFFE}}},
> 		 .dst = {.protonum = 0xFF}},
> 	.help = ras_help,
> };
>@@ -1776,6 +1822,7 @@ static void fini(void)
> static int __init init(void)
> {
> 	int ret;
>+	char *p;
> 
> 	h323_buffer = kmalloc(65536, GFP_KERNEL);
> 	if (!h323_buffer)
>@@ -1785,6 +1832,23 @@ static int __init init(void)
> 		fini();
> 		return ret;
> 	}
>+
>+	if (internal_net) {
>+		if ((p = strchr(internal_net, '/')))
>+			*p++ = 0;
>+		if (isdigit(internal_net[0])) {
>+			internal_net_addr = in_aton(internal_net);
>+			if (p && isdigit(p[0]))
>+				internal_net_mask = in_aton(p);
>+			else
>+				internal_net_mask = 0xffffffff;
>+			internal_net_addr &= internal_net_mask;
>+		}
>+		DEBUGP("ip_ct_h323: internal_net = %u.%u.%u.%u/%u.%u.%u.%u\n",
>+		       NIPQUAD(internal_net_addr),
>+		       NIPQUAD(internal_net_mask));
>+	}
>+
> 	DEBUGP("ip_ct_h323: init success\n");
> 	return 0;
> }
>@@ -1793,6 +1857,7 @@ static int __init init(void)
> module_init(init);
> module_exit(fini);
> 
>+EXPORT_SYMBOL_GPL(have_direct_route);
> EXPORT_SYMBOL_GPL(get_h225_addr);
> EXPORT_SYMBOL_GPL(ip_conntrack_h245_expect);
> EXPORT_SYMBOL_GPL(ip_conntrack_q931_expect);
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c	2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_types.c	2006-11-16 00:02:44.000000000 -0500
>@@ -1,4 +1,4 @@
>-/* Generated by Jing Min Zhao's ASN.1 parser, Apr 20 2006
>+/* Generated by Jing Min Zhao's ASN.1 parser, Nov 15 2006
>  *
>  * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
>  *
>@@ -983,19 +983,12 @@ static field_t _Alerting_UUIE[] = {	/* S
> 	{FNAME("featureSet") SEQ, 3, 4, 4, SKIP | EXT | OPT, 0, NULL},
> };
> 
>-static field_t _Information_UUIE_fastStart[] = {	/* SEQUENCE OF */
>-	{FNAME("item") SEQ, 1, 3, 5, DECODE | OPEN | EXT,
>-	 sizeof(OpenLogicalChannel), _OpenLogicalChannel}
>-	,
>-};
>-
> static field_t _Information_UUIE[] = {	/* SEQUENCE */
> 	{FNAME("protocolIdentifier") OID, BYTE, 0, 0, SKIP, 0, NULL},
> 	{FNAME("callIdentifier") SEQ, 0, 1, 1, SKIP | EXT, 0, NULL},
> 	{FNAME("tokens") SEQOF, SEMI, 0, 0, SKIP | OPT, 0, NULL},
> 	{FNAME("cryptoTokens") SEQOF, SEMI, 0, 0, SKIP | OPT, 0, NULL},
>-	{FNAME("fastStart") SEQOF, SEMI, 0, 30, DECODE | OPT,
>-	 offsetof(Information_UUIE, fastStart), _Information_UUIE_fastStart},
>+	{FNAME("fastStart") SEQOF, SEMI, 0, 30, SKIP | OPT, 0, NULL},
> 	{FNAME("fastConnectRefused") NUL, FIXD, 0, 0, SKIP | OPT, 0, NULL},
> 	{FNAME("circuitInfo") SEQ, 3, 3, 3, SKIP | EXT | OPT, 0, NULL},
> };
>@@ -1342,9 +1335,7 @@ static field_t _H323_UU_PDU_h323_message
> 	 offsetof(H323_UU_PDU_h323_message_body, connect), _Connect_UUIE},
> 	{FNAME("alerting") SEQ, 1, 3, 17, DECODE | EXT,
> 	 offsetof(H323_UU_PDU_h323_message_body, alerting), _Alerting_UUIE},
>-	{FNAME("information") SEQ, 0, 1, 7, DECODE | EXT,
>-	 offsetof(H323_UU_PDU_h323_message_body, information),
>-	 _Information_UUIE},
>+	{FNAME("information") SEQ, 0, 1, 7, SKIP | EXT, 0, _Information_UUIE},
> 	{FNAME("releaseComplete") SEQ, 1, 2, 11, SKIP | EXT, 0,
> 	 _ReleaseComplete_UUIE},
> 	{FNAME("facility") SEQ, 3, 5, 21, DECODE | EXT,
>@@ -1429,7 +1420,9 @@ static field_t _OpenLogicalChannelAck[] 
> 	 DECODE | EXT | OPT, offsetof(OpenLogicalChannelAck,
> 				      reverseLogicalChannelParameters),
> 	 _OpenLogicalChannelAck_reverseLogicalChannelParameters},
>-	{FNAME("separateStack") SEQ, 2, 4, 5, SKIP | EXT | OPT, 0, NULL},
>+	{FNAME("separateStack") SEQ, 2, 4, 5, DECODE | EXT | OPT,
>+	 offsetof(OpenLogicalChannelAck, separateStack),
>+	 _NetworkAccessParameters},
> 	{FNAME("forwardMultiplexAckParameters") CHOICE, 0, 1, 1,
> 	 DECODE | EXT | OPT, offsetof(OpenLogicalChannelAck,
> 				      forwardMultiplexAckParameters),
>diff -pruN linux-2.6.18.orig/net/ipv4/netfilter/ip_nat_helper_h323.c linux-2.6.18/net/ipv4/netfilter/ip_nat_helper_h323.c
>--- linux-2.6.18.orig/net/ipv4/netfilter/ip_nat_helper_h323.c	2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18/net/ipv4/netfilter/ip_nat_helper_h323.c	2006-11-16 00:02:44.000000000 -0500
>@@ -188,6 +188,27 @@ static int set_ras_addr(struct sk_buff *
> }
> 
> /****************************************************************************/
>+static void ip_nat_redirect(struct ip_conntrack *new,
>+			    struct ip_conntrack_expect *exp)
>+{
>+	struct ip_nat_range range;
>+
>+	/* This must be a fresh one. */
>+	BUG_ON(new->status & IPS_NAT_DONE_MASK);
>+
>+	/* Change src to where ct comes from */
>+	range.flags = IP_NAT_RANGE_MAP_IPS;
>+	range.min_ip = range.max_ip = new->tuplehash[exp->dir].tuple.src.ip;
>+	ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
>+
>+	/* For DST manip, map ip:port here to where it's expected. */
>+	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
>+	range.min = range.max = exp->saved_proto;
>+	range.min_ip = range.max_ip = exp->saved_ip;
>+	ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
>+}
>+
>+/****************************************************************************/
> static int nat_rtp_rtcp(struct sk_buff **pskb, struct ip_conntrack *ct,
> 			enum ip_conntrack_info ctinfo,
> 			unsigned char **data, int dataoff,
>@@ -202,11 +223,15 @@ static int nat_rtp_rtcp(struct sk_buff *
> 	u_int16_t nated_port;
> 
> 	/* Set expectations for NAT */
>+	rtp_exp->saved_ip = rtp_exp->tuple.dst.ip;
> 	rtp_exp->saved_proto.udp.port = rtp_exp->tuple.dst.u.udp.port;
>-	rtp_exp->expectfn = ip_nat_follow_master;
>+	rtp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	rtp_exp->expectfn = ip_nat_redirect;
> 	rtp_exp->dir = !dir;
>+	rtcp_exp->saved_ip = rtcp_exp->tuple.dst.ip;
> 	rtcp_exp->saved_proto.udp.port = rtcp_exp->tuple.dst.u.udp.port;
>-	rtcp_exp->expectfn = ip_nat_follow_master;
>+	rtcp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	rtcp_exp->expectfn = ip_nat_redirect;
> 	rtcp_exp->dir = !dir;
> 
> 	/* Lookup existing expects */
>@@ -292,8 +317,10 @@ static int nat_t120(struct sk_buff **psk
> 	u_int16_t nated_port = port;
> 
> 	/* Set expectations for NAT */
>+	exp->saved_ip = exp->tuple.dst.ip;
> 	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
>-	exp->expectfn = ip_nat_follow_master;
>+	exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
>+	exp->expectfn = ip_nat_redirect;
> 	exp->dir = !dir;
> 
> 	/* Try to get same port: if not, try to change it. */
>@@ -326,13 +353,13 @@ static int nat_t120(struct sk_buff **psk
> /****************************************************************************
>  * This conntrack expect function replaces ip_conntrack_h245_expect()
>  * which was set by ip_conntrack_helper_h323.c. It calls both
>- * ip_nat_follow_master() and ip_conntrack_h245_expect()
>+ * ip_nat_redirect() and ip_conntrack_h245_expect()
>  ****************************************************************************/
> static void ip_nat_h245_expect(struct ip_conntrack *new,
>-			       struct ip_conntrack_expect *this)
>+			       struct ip_conntrack_expect *exp)
> {
>-	ip_nat_follow_master(new, this);
>-	ip_conntrack_h245_expect(new, this);
>+	ip_nat_redirect(new, exp);
>+	ip_conntrack_h245_expect(new, exp);
> }
> 
> /****************************************************************************/
>@@ -347,7 +374,9 @@ static int nat_h245(struct sk_buff **psk
> 	u_int16_t nated_port = port;
> 
> 	/* Set expectations for NAT */
>+	exp->saved_ip = exp->tuple.dst.ip;
> 	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
>+	exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
> 	exp->expectfn = ip_nat_h245_expect;
> 	exp->dir = !dir;
> 
>@@ -392,36 +421,10 @@ static int nat_h245(struct sk_buff **psk
>  * which was set by ip_conntrack_helper_h323.c.
>  ****************************************************************************/
> static void ip_nat_q931_expect(struct ip_conntrack *new,
>-			       struct ip_conntrack_expect *this)
>+			       struct ip_conntrack_expect *exp)
> {
>-	struct ip_nat_range range;
>-
>-	if (this->tuple.src.ip != 0) {	/* Only accept calls from GK */
>-		ip_nat_follow_master(new, this);
>-		goto out;
>-	}
>-
>-	/* This must be a fresh one. */
>-	BUG_ON(new->status & IPS_NAT_DONE_MASK);
>-
>-	/* Change src to where master sends to */
>-	range.flags = IP_NAT_RANGE_MAP_IPS;
>-	range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.ip;
>-
>-	/* hook doesn't matter, but it has to do source manip */
>-	ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
>-
>-	/* For DST manip, map port here to where it's expected. */
>-	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
>-	range.min = range.max = this->saved_proto;
>-	range.min_ip = range.max_ip =
>-	    new->master->tuplehash[!this->dir].tuple.src.ip;
>-
>-	/* hook doesn't matter, but it has to do destination manip */
>-	ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
>-
>-      out:
>-	ip_conntrack_q931_expect(new, this);
>+	ip_nat_redirect(new, exp);
>+	ip_conntrack_q931_expect(new, exp);
> }
> 
> /****************************************************************************/
>@@ -436,7 +439,9 @@ static int nat_q931(struct sk_buff **psk
> 	u_int32_t ip;
> 
> 	/* Set expectations for NAT */
>+	exp->saved_ip = exp->tuple.dst.ip;
> 	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
>+	exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
> 	exp->expectfn = ip_nat_q931_expect;
> 	exp->dir = !dir;
> 
>@@ -469,9 +474,9 @@ static int nat_q931(struct sk_buff **psk
> 		if (idx > 0 &&
> 		    get_h225_addr(*data, &addr[0], &ip, &port) &&
> 		    (ntohl(ip) & 0xff000000) == 0x7f000000) {
>-			set_h225_addr_hook(pskb, data, 0, &addr[0],
>-					   ct->tuplehash[!dir].tuple.dst.ip,
>-					   info->sig_port[!dir]);
>+			set_h225_addr(pskb, data, 0, &addr[0],
>+				      ct->tuplehash[!dir].tuple.dst.ip,
>+				      info->sig_port[!dir]);
> 		}
> 	} else {
> 		ip_conntrack_unexpect_related(exp);
>@@ -488,29 +493,10 @@ static int nat_q931(struct sk_buff **psk
> 
> /****************************************************************************/
> static void ip_nat_callforwarding_expect(struct ip_conntrack *new,
>-					 struct ip_conntrack_expect *this)
>+					 struct ip_conntrack_expect *exp)
> {
>-	struct ip_nat_range range;
>-
>-	/* This must be a fresh one. */
>-	BUG_ON(new->status & IPS_NAT_DONE_MASK);
>-
>-	/* Change src to where master sends to */
>-	range.flags = IP_NAT_RANGE_MAP_IPS;
>-	range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.ip;
>-
>-	/* hook doesn't matter, but it has to do source manip */
>-	ip_nat_setup_info(new, &range, NF_IP_POST_ROUTING);
>-
>-	/* For DST manip, map port here to where it's expected. */
>-	range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
>-	range.min = range.max = this->saved_proto;
>-	range.min_ip = range.max_ip = this->saved_ip;
>-
>-	/* hook doesn't matter, but it has to do destination manip */
>-	ip_nat_setup_info(new, &range, NF_IP_PRE_ROUTING);
>-
>-	ip_conntrack_q931_expect(new, this);
>+	ip_nat_redirect(new, exp);
>+	ip_conntrack_q931_expect(new, exp);
> }
> 
> /****************************************************************************/

Actions: View | Diff

Attachments on bug 433661: 305158 | 309793