diff options
author | Patrick McHardy <kaber@trash.net> | 2008-03-25 20:22:37 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-03-25 20:22:37 -0700 |
commit | 33cb1e9a93312f0cdd34e0be2bc88e893ff96a33 (patch) | |
tree | 9692ef4590284acb93baccff502fce5a2853a410 | |
parent | 30f33e6dee80c6ded917f978e4f377d1069d519d (diff) | |
download | linux-stable-33cb1e9a93312f0cdd34e0be2bc88e893ff96a33.tar.gz linux-stable-33cb1e9a93312f0cdd34e0be2bc88e893ff96a33.tar.bz2 linux-stable-33cb1e9a93312f0cdd34e0be2bc88e893ff96a33.zip |
[NETFILTER]: nf_conntrack_sip: perform NAT after parsing
Perform NAT last after parsing the packet. This makes no difference
currently, but is needed when dealing with registrations to make
sure we seen the unNATed addresses.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/nf_nat_sip.c | 3 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 19 |
2 files changed, 11 insertions, 11 deletions
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c index 5b4a5cd23f39..b44281011d6d 100644 --- a/net/ipv4/netfilter/nf_nat_sip.c +++ b/net/ipv4/netfilter/nf_nat_sip.c @@ -104,9 +104,6 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, union nf_inet_addr addr; __be16 port; - if (*datalen < strlen("SIP/2.0")) - return NF_ACCEPT; - /* Basic rules: requests and responses. */ if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) { if (ct_sip_parse_request(ct, *dptr, *datalen, diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 1be949febab7..29a37d212695 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -700,6 +700,7 @@ static int sip_help(struct sk_buff *skb, { unsigned int dataoff, datalen; const char *dptr; + int ret; typeof(nf_nat_sip_hook) nf_nat_sip; /* No Data ? */ @@ -716,20 +717,22 @@ static int sip_help(struct sk_buff *skb, return NF_ACCEPT; } - nf_nat_sip = rcu_dereference(nf_nat_sip_hook); - if (nf_nat_sip && ct->status & IPS_NAT_MASK) { - if (!nf_nat_sip(skb, &dptr, &datalen)) - return NF_DROP; - } - datalen = skb->len - dataoff; if (datalen < strlen("SIP/2.0 200")) return NF_ACCEPT; if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0) - return process_sip_request(skb, &dptr, &datalen); + ret = process_sip_request(skb, &dptr, &datalen); else - return process_sip_response(skb, &dptr, &datalen); + ret = process_sip_response(skb, &dptr, &datalen); + + if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { + nf_nat_sip = rcu_dereference(nf_nat_sip_hook); + if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen)) + ret = NF_DROP; + } + + return ret; } static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly; |