Bug 965307 - SIP NAT problem in kernel 3.9
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 18
Hardware: Unspecified
OS: Unspecified
Assignee: fedora-kernel-networking
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-05-20 21:00 UTC by Fabrice Bellet
Modified: 2013-10-19 15:20 UTC (History)

Last Closed: 2013-10-19 15:20:31 UTC
Type: Bug

Description Fabrice Bellet 2013-05-20 21:00:54 UTC
Since kernel 3.9, NAT for the SIP protocol seems to be broken for some SIP providers, with these error messages:


May 19 22:20:45 lxorgfr kernel: [   55.223319] nf_ct_sip: dropping packet: cannot NAT SIP message IN= OUT= SRC=212.27.52.5 DST=192.168.128.30 LEN=338 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=5060 DPT=49027 LEN=318 

I think this problem has been introduced in nf_nat_sip.c, between v3.8 and v3.9 with this specific change:

@@ -222,6 +231,7 @@
                                        false);
                        if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
                                           poff, plen, buffer, buflen))
+                               nf_ct_helper_log(skb, ct, "cannot mangle received");                            return NF_DROP;
                }
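Review bot: The added nf_ct_helper_log() call becomes the only statement governed by `if (!mangle_packet(...))`, so the `return NF_DROP;` that follows it no longer depends on the mangle result and also runs when mangling succeeds. Wrap the log call and the return in braces so the drop stays conditional on the failure.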

This patch restores the correct logic:

--- nf_nat_sip.c.orig	2013-04-29 02:36:01.000000000 +0200
+++ nf_nat_sip.c	2013-05-20 22:46:47.270956349 +0200
@@ -230,9 +230,10 @@
 					&ct->tuplehash[!dir].tuple.src.u3,
 					false);
 			if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
-					   poff, plen, buffer, buflen))
+					   poff, plen, buffer, buflen)) {
 				nf_ct_helper_log(skb, ct, "cannot mangle received");
 				return NF_DROP;
+                        }
 		}
 
 		/* The rport= parameter (RFC 3581) contains the port number
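Review bot: The closing brace added after `return NF_DROP;` is indented with spaces, while the surrounding lines in this block use tabs. Indent it with tabs to the same level as the `if` it closes, so the patch matches the rest of the file. The opening brace on the `buflen)) {` line and the scope it creates look right for making the log and the drop a single conditional body.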

Comment 1 Michele Baldessari 2013-09-03 22:05:07 UTC
This is commit:
commit 5aed93875cd88502f04a0d4517b8a2d89a849773
Author: Balazs Peter Odor <balazs>
Date:   Sat Jun 22 19:24:43 2013 +0200

    netfilter: nf_nat_sip: fix mangling
    
    In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
    there were some missing brackets around the logging information, thus
    always returning drop.
    
    Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
    
    Signed-off-by: Balazs Peter Odor <balazs>
    Signed-off-by: Pablo Neira Ayuso <pablo>


It was included in v3.10 and has not been backported to 3.9.x.

Fabrice, if you update to kernel-3.10.10-200.fc19.x86_64.rpm it'll be included.

Thanks for the report,
Michele
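
The control-flow error described in the commit message above, as an added example that is not part of the original report or the kernel source. It is a user-space model: `received_3_9`, `received_fixed`, `helper_log` and `helper_log_count` are hypothetical names, and the result of `mangle_packet()` is passed in as a flag.

```c
#include <stdio.h>

/* Verdict values as defined in linux/netfilter.h */
#define NF_DROP   0
#define NF_ACCEPT 1

static int helper_logs;  /* messages emitted by the logging stand-in */

/* Hypothetical stand-in for nf_ct_helper_log(): only counts messages. */
static void helper_log(const char *msg)
{
    (void)msg;
    helper_logs++;
}

/* Control flow as in 3.9: the log call is the only statement governed by
 * the if. The return was indented under it in the source, but the compiler
 * parses it at this level, so it runs whether or not mangling succeeded. */
int received_3_9(int mangle_ok)
{
    if (!mangle_ok)
        helper_log("cannot mangle received");
    return NF_DROP;
}

/* Control flow after the fix: braces make the return part of the if body. */
int received_fixed(int mangle_ok)
{
    if (!mangle_ok) {
        helper_log("cannot mangle received");
        return NF_DROP;
    }
    return NF_ACCEPT;  /* model: the rest of the function succeeds */
}

int helper_log_count(void)
{
    return helper_logs;
}

int main(void)
{
    for (int ok = 1; ok >= 0; ok--)
        printf("mangle_ok=%d  3.9=%s  fixed=%s\n", ok,
               received_3_9(ok) == NF_ACCEPT ? "ACCEPT" : "DROP",
               received_fixed(ok) == NF_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

On the success path the 3.9 flow drops the packet without emitting "cannot mangle received" at this call site, so that message is not a reliable indicator of the bug. GCC's `-Wmisleading-indentation` flags the original layout, where the return is indented under the unbraced `if`.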

Comment 2 Justin M. Forbes 2013-10-18 21:13:08 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 18 kernel bugs.

Fedora 18 has now been rebased to 3.11.4-101.fc18.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 19, and are still experiencing this issue, please change the version to Fedora 19.

If you experience different issues, please open a new bug report for those.

Comment 3 Fabrice Bellet 2013-10-19 15:20:31 UTC
Yes, this bug is fixed with these newer kernels. So I close this bug report. Thanks!

