summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2008-03-25 20:22:37 -0700
committerDavid S. Miller <davem@davemloft.net>2008-03-25 20:22:37 -0700
commit33cb1e9a93312f0cdd34e0be2bc88e893ff96a33 (patch)
tree9692ef4590284acb93baccff502fce5a2853a410
parent30f33e6dee80c6ded917f978e4f377d1069d519d (diff)
downloadlinux-stable-33cb1e9a93312f0cdd34e0be2bc88e893ff96a33.tar.gz
linux-stable-33cb1e9a93312f0cdd34e0be2bc88e893ff96a33.tar.bz2
linux-stable-33cb1e9a93312f0cdd34e0be2bc88e893ff96a33.zip
[NETFILTER]: nf_conntrack_sip: perform NAT after parsing
Perform NAT last after parsing the packet. This makes no difference currently, but is needed when dealing with registrations to make sure we seen the unNATed addresses. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/nf_nat_sip.c3
-rw-r--r--net/netfilter/nf_conntrack_sip.c19
2 files changed, 11 insertions, 11 deletions
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 5b4a5cd23f39..b44281011d6d 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -104,9 +104,6 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
union nf_inet_addr addr;
__be16 port;
- if (*datalen < strlen("SIP/2.0"))
- return NF_ACCEPT;
-
/* Basic rules: requests and responses. */
if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
if (ct_sip_parse_request(ct, *dptr, *datalen,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1be949febab7..29a37d212695 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -700,6 +700,7 @@ static int sip_help(struct sk_buff *skb,
{
unsigned int dataoff, datalen;
const char *dptr;
+ int ret;
typeof(nf_nat_sip_hook) nf_nat_sip;
/* No Data ? */
@@ -716,20 +717,22 @@ static int sip_help(struct sk_buff *skb,
return NF_ACCEPT;
}
- nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
- if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
- if (!nf_nat_sip(skb, &dptr, &datalen))
- return NF_DROP;
- }
-
datalen = skb->len - dataoff;
if (datalen < strlen("SIP/2.0 200"))
return NF_ACCEPT;
if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
- return process_sip_request(skb, &dptr, &datalen);
+ ret = process_sip_request(skb, &dptr, &datalen);
else
- return process_sip_response(skb, &dptr, &datalen);
+ ret = process_sip_response(skb, &dptr, &datalen);
+
+ if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+ nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
+ if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen))
+ ret = NF_DROP;
+ }
+
+ return ret;
}
static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;