netfilter: nf_conntrack_sip: fix expectation clash
When conntracks change during a dialog, SDP messages may be sent from different conntracks to establish expects with identical tuples. In this case expects conflict may be detected for the 2nd SDP message and end up with a process failure. The fixing here is to reuse an existing expect who has the same tuple for a different conntrack if any. Here are two scenarios for the case. 1) SERVER CPE | INVITE SDP | 5060 |<----------------------|5060 | 100 Trying | 5060 |---------------------->|5060 | 183 SDP | 5060 |---------------------->|5060 ===> Conntrack 1 | PRACK | 50601 |<----------------------|5060 | 200 OK (PRACK) | 50601 |---------------------->|5060 | 200 OK (INVITE) | 5060 |---------------------->|5060 | ACK | 50601 |<----------------------|5060 | | |<--- RTP stream ------>| | | | INVITE SDP (t38) | 50601 |---------------------->|5060 ===> Conntrack 2 With a certain configuration in the CPE, SIP messages "183 with SDP" and "re-INVITE with SDP t38" will go through the sip helper to create expects for RTP and RTCP. It is okay to create RTP and RTCP expects for "183", whose master connection source port is 5060, and destination port is 5060. In the "183" message, port in Contact header changes to 50601 (from the original 5060). So the following requests e.g. PRACK and ACK are sent to port 50601. It is a different conntrack (let call Conntrack 2) from the original INVITE (let call Conntrack 1) due to the port difference. In this example, after the call is established, there is RTP stream but no RTCP stream for Conntrack 1, so the RTP expect created upon "183" is cleared, and RTCP expect created for Conntrack 1 retains. When "re-INVITE with SDP t38" arrives to create RTP&RTCP expects, current ALG implementation will call nf_ct_expect_related() for RTP and RTCP. The expects tuples are identical to those for Conntrack 1. RTP expect for Conntrack 2 succeeds in creation as the one for Conntrack 1 has been removed. 
RTCP expect for Conntrack 2 fails in creation because it has identical tuples and 'conflicts' with the one retained for Conntrack 1. This then results in a failure in processing of the re-INVITE. 2) SERVER A CPE | REGISTER | 5060 |<------------------| 5060 ==> CT1 | 200 | 5060 |------------------>| 5060 | | | INVITE SDP(1) | 5060 |<------------------| 5060 | 300(multi choice) | 5060 |------------------>| 5060 SERVER B | ACK | 5060 |<------------------| 5060 | INVITE SDP(2) | 5060 |-------------------->| 5060 ==> CT2 | 100 | 5060 |<--------------------| 5060 | 200(contact changes)| 5060 |<--------------------| 5060 | ACK | 5060 |-------------------->| 50601 ==> CT3 | | |<--- RTP stream ---->| | | | BYE | 5060 |<--------------------| 50601 | 200 | 5060 |-------------------->| 50601 | INVITE SDP(3) | 5060 |<------------------| 5060 ==> CT1 CPE sends an INVITE request(1) to Server A, and creates an RTP&RTCP expect pair for this Conntrack 1 (CT1). Server A responds 300 to redirect to Server B. The RTP&RTCP expect pairs created on CT1 are removed upon the 300 response. CPE sends the INVITE request(2) to Server B, and creates an expect pair for the new conntrack (due to the destination address difference), let us call it CT2. Server B changes the port to 50601 in the 200 OK response, and the following requests ACK and BYE from CPE are sent to 50601. The call is established. There is an RTP stream but no RTCP stream. So the RTP expect is removed and the RTCP expect for CT2 is retained. As the BYE request is sent from port 50601, it is another conntrack, let us call it CT3, different from CT2 due to the port difference. So the BYE request will not remove the RTCP expect for CT2. Then another outgoing call is made, with the same RTP port being used (not definitely but possibly). CPE first sends the INVITE request(3) to Server A, and tries to create an RTP&RTCP expect pair for this CT1. In the current ALG implementation, the RTCP expect for CT1 fails in creation because it 'conflicts' with the residual one for CT2. 
As a result the INVITE request fails to send. Signed-off-by: xiao ruizhu <katrina.xiaorz@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
b575b24b8e
commit
3c00fb0bf0
@ -76,6 +76,11 @@ struct nf_conntrack_expect_policy {
|
||||
#define NF_CT_EXPECT_CLASS_DEFAULT 0
|
||||
#define NF_CT_EXPECT_MAX_CNT 255
|
||||
|
||||
/* Allow to reuse expectations with the same tuples from different master
|
||||
* conntracks.
|
||||
*/
|
||||
#define NF_CT_EXP_F_SKIP_MASTER 0x1
|
||||
|
||||
int nf_conntrack_expect_pernet_init(struct net *net);
|
||||
void nf_conntrack_expect_pernet_fini(struct net *net);
|
||||
|
||||
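Review bot: The comment on `NF_CT_EXP_F_SKIP_MASTER` says the flag allows reuse but not what a caller actually observes, which is the part a helper author needs: with the flag set, an expectation with the same tuple and mask (same net and zone) that belongs to a different master conntrack makes nf_ct_expect_related() return -EALREADY instead of -EBUSY, and that existing expectation is left in place with its original master. I would extend the comment with `* The existing expectation is kept as is and -EALREADY is returned,` / `* so callers setting this flag must treat -EALREADY as success.`. Because the reused expectation still belongs to the other master (presumably including whatever NAT binding and expectfn that master set up), the flag should stay opt-in for helpers that really want that sharing, as this commit does for SIP only.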
@ -122,10 +127,11 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
|
||||
u_int8_t, const __be16 *, const __be16 *);
|
||||
void nf_ct_expect_put(struct nf_conntrack_expect *exp);
|
||||
int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
|
||||
u32 portid, int report);
|
||||
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect)
|
||||
u32 portid, int report, unsigned int flags);
|
||||
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
|
||||
unsigned int flags)
|
||||
{
|
||||
return nf_ct_expect_related_report(expect, 0, 0);
|
||||
return nf_ct_expect_related_report(expect, 0, 0, flags);
|
||||
}
|
||||
|
||||
#endif /*_NF_CONNTRACK_EXPECT_H*/
|
||||
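Review bot: The new `flags` argument of nf_ct_expect_related_report() and nf_ct_expect_related() is undocumented in the header, so nothing tells a caller which values are legal. A one-line comment on the declaration, `/* @flags: 0 or a mask of NF_CT_EXP_F_* bits */`, would prevent helper-private values from being passed through. Every caller updated in this commit passes 0 except the SIP conntrack and NAT helpers, which is consistent with that contract.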
|
@ -221,11 +221,11 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
|
||||
int ret;
|
||||
|
||||
rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
|
||||
ret = nf_ct_expect_related(rtp_exp);
|
||||
ret = nf_ct_expect_related(rtp_exp, 0);
|
||||
if (ret == 0) {
|
||||
rtcp_exp->tuple.dst.u.udp.port =
|
||||
htons(nated_port + 1);
|
||||
ret = nf_ct_expect_related(rtcp_exp);
|
||||
ret = nf_ct_expect_related(rtcp_exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret == -EBUSY) {
|
||||
@ -296,7 +296,7 @@ static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(nated_port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
@ -352,7 +352,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(nated_port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
@ -444,7 +444,7 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(nated_port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
@ -537,7 +537,7 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(nated_port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
|
@ -231,7 +231,7 @@ void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
|
||||
|
||||
IP_VS_DBG_BUF(7, "%s: ct=%p, expect tuple=" FMT_TUPLE "\n",
|
||||
__func__, ct, ARG_TUPLE(&exp->tuple));
|
||||
nf_ct_expect_related(exp);
|
||||
nf_ct_expect_related(exp, 0);
|
||||
nf_ct_expect_put(exp);
|
||||
}
|
||||
EXPORT_SYMBOL(ip_vs_nfct_expect_related);
|
||||
|
@ -159,7 +159,7 @@ static int amanda_help(struct sk_buff *skb,
|
||||
if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
|
||||
ret = nf_nat_amanda(skb, ctinfo, protoff,
|
||||
off - dataoff, len, exp);
|
||||
else if (nf_ct_expect_related(exp) != 0) {
|
||||
else if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, ct, "cannot add expectation");
|
||||
ret = NF_DROP;
|
||||
}
|
||||
|
@ -68,7 +68,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb,
|
||||
exp->class = NF_CT_EXPECT_CLASS_DEFAULT;
|
||||
exp->helper = NULL;
|
||||
|
||||
nf_ct_expect_related(exp);
|
||||
nf_ct_expect_related(exp, 0);
|
||||
nf_ct_expect_put(exp);
|
||||
|
||||
nf_ct_refresh(ct, skb, timeout * HZ);
|
||||
|
@ -249,13 +249,22 @@ static inline int expect_clash(const struct nf_conntrack_expect *a,
|
||||
static inline int expect_matches(const struct nf_conntrack_expect *a,
|
||||
const struct nf_conntrack_expect *b)
|
||||
{
|
||||
return a->master == b->master &&
|
||||
nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
|
||||
return nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
|
||||
nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
|
||||
net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
|
||||
nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
|
||||
}
|
||||
|
||||
static bool master_matches(const struct nf_conntrack_expect *a,
|
||||
const struct nf_conntrack_expect *b,
|
||||
unsigned int flags)
|
||||
{
|
||||
if (flags & NF_CT_EXP_F_SKIP_MASTER)
|
||||
return true;
|
||||
|
||||
return a->master == b->master;
|
||||
}
|
||||
|
||||
/* Generally a bad idea to call this: could have matched already. */
|
||||
void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
|
||||
{
|
||||
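Review bot: expect_matches() silently drops the `a->master == b->master` test, so its name no longer describes what it checks; it is only correct when paired with master_matches() as __nf_ct_expect_check() now does, and any other caller of expect_matches() outside this hunk would start matching across masters without noticing. A comment on the function, `/* Does not compare masters; callers pair this with master_matches(). */`, would make that dependency explicit. As a matter of style, master_matches() could be `static inline` like its neighbours expect_clash() and expect_matches(). The body of nf_ct_unexpect_related() continues outside the hunk.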
@ -399,7 +408,8 @@ static void evict_oldest_expect(struct nf_conn *master,
|
||||
nf_ct_remove_expect(last);
|
||||
}
|
||||
|
||||
static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
|
||||
static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
|
||||
unsigned int flags)
|
||||
{
|
||||
const struct nf_conntrack_expect_policy *p;
|
||||
struct nf_conntrack_expect *i;
|
||||
@ -417,8 +427,10 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
|
||||
}
|
||||
h = nf_ct_expect_dst_hash(net, &expect->tuple);
|
||||
hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) {
|
||||
if (expect_matches(i, expect)) {
|
||||
if (i->class != expect->class)
|
||||
if (master_matches(i, expect, flags) &&
|
||||
expect_matches(i, expect)) {
|
||||
if (i->class != expect->class ||
|
||||
i->master != expect->master)
|
||||
return -EALREADY;
|
||||
|
||||
if (nf_ct_remove_expect(i))
|
||||
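Review bot: The `return -EALREADY` taken for a same-tuple expectation with a different master leaves that expectation, its master and its class untouched, so the requesting conntrack never becomes its owner; that is only safe for callers that treat -EALREADY as "already set up", which the conntrack-only SIP path in this commit does and the NAT SIP paths do not. A comment above the return, `/* Same tuple owned by another master or class: leave it in place, the caller treats -EALREADY as reuse. */`, would document that contract at the point where it is decided. It is also worth stating there that the later RTP/RTCP flow will then be matched against the older master's expectation, presumably with that master's helper and expectfn, since that is the observable effect of the flag. The body of __nf_ct_expect_check() continues beyond the hunk.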
@ -453,12 +465,12 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
|
||||
}
|
||||
|
||||
int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
|
||||
u32 portid, int report)
|
||||
u32 portid, int report, unsigned int flags)
|
||||
{
|
||||
int ret;
|
||||
|
||||
spin_lock_bh(&nf_conntrack_expect_lock);
|
||||
ret = __nf_ct_expect_check(expect);
|
||||
ret = __nf_ct_expect_check(expect, flags);
|
||||
if (ret < 0)
|
||||
goto out;
|
||||
|
||||
|
@ -525,7 +525,7 @@ static int help(struct sk_buff *skb,
|
||||
protoff, matchoff, matchlen, exp);
|
||||
else {
|
||||
/* Can't expect this? Best to drop packet now. */
|
||||
if (nf_ct_expect_related(exp) != 0) {
|
||||
if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, ct, "cannot add expectation");
|
||||
ret = NF_DROP;
|
||||
} else
|
||||
|
@ -305,8 +305,8 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
|
||||
ret = nat_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
|
||||
taddr, port, rtp_port, rtp_exp, rtcp_exp);
|
||||
} else { /* Conntrack only */
|
||||
if (nf_ct_expect_related(rtp_exp) == 0) {
|
||||
if (nf_ct_expect_related(rtcp_exp) == 0) {
|
||||
if (nf_ct_expect_related(rtp_exp, 0) == 0) {
|
||||
if (nf_ct_expect_related(rtcp_exp, 0) == 0) {
|
||||
pr_debug("nf_ct_h323: expect RTP ");
|
||||
nf_ct_dump_tuple(&rtp_exp->tuple);
|
||||
pr_debug("nf_ct_h323: expect RTCP ");
|
||||
@ -364,7 +364,7 @@ static int expect_t120(struct sk_buff *skb,
|
||||
ret = nat_t120(skb, ct, ctinfo, protoff, data, dataoff, taddr,
|
||||
port, exp);
|
||||
} else { /* Conntrack only */
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_h323: expect T.120 ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
} else
|
||||
@ -701,7 +701,7 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
|
||||
ret = nat_h245(skb, ct, ctinfo, protoff, data, dataoff, taddr,
|
||||
port, exp);
|
||||
} else { /* Conntrack only */
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_q931: expect H.245 ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
} else
|
||||
@ -825,7 +825,7 @@ static int expect_callforwarding(struct sk_buff *skb,
|
||||
protoff, data, dataoff,
|
||||
taddr, port, exp);
|
||||
} else { /* Conntrack only */
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_q931: expect Call Forwarding ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
} else
|
||||
@ -1284,7 +1284,7 @@ static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
|
||||
ret = nat_q931(skb, ct, ctinfo, protoff, data,
|
||||
taddr, i, port, exp);
|
||||
} else { /* Conntrack only */
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_ras: expect Q.931 ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
|
||||
@ -1349,7 +1349,7 @@ static int process_gcf(struct sk_buff *skb, struct nf_conn *ct,
|
||||
IPPROTO_UDP, NULL, &port);
|
||||
exp->helper = nf_conntrack_helper_ras;
|
||||
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_ras: expect RAS ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
} else
|
||||
@ -1561,7 +1561,7 @@ static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
|
||||
exp->flags = NF_CT_EXPECT_PERMANENT;
|
||||
exp->helper = nf_conntrack_helper_q931;
|
||||
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_ras: expect Q.931 ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
} else
|
||||
@ -1615,7 +1615,7 @@ static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
|
||||
exp->flags = NF_CT_EXPECT_PERMANENT;
|
||||
exp->helper = nf_conntrack_helper_q931;
|
||||
|
||||
if (nf_ct_expect_related(exp) == 0) {
|
||||
if (nf_ct_expect_related(exp, 0) == 0) {
|
||||
pr_debug("nf_ct_ras: expect Q.931 ");
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
} else
|
||||
|
@ -213,7 +213,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
|
||||
addr_beg_p - ib_ptr,
|
||||
addr_end_p - addr_beg_p,
|
||||
exp);
|
||||
else if (nf_ct_expect_related(exp) != 0) {
|
||||
else if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, ct,
|
||||
"cannot add expectation");
|
||||
ret = NF_DROP;
|
||||
|
@ -2616,7 +2616,7 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
|
||||
if (IS_ERR(exp))
|
||||
return PTR_ERR(exp);
|
||||
|
||||
err = nf_ct_expect_related_report(exp, portid, report);
|
||||
err = nf_ct_expect_related_report(exp, portid, report, 0);
|
||||
nf_ct_expect_put(exp);
|
||||
return err;
|
||||
}
|
||||
@ -3367,7 +3367,7 @@ ctnetlink_create_expect(struct net *net,
|
||||
goto err_rcu;
|
||||
}
|
||||
|
||||
err = nf_ct_expect_related_report(exp, portid, report);
|
||||
err = nf_ct_expect_related_report(exp, portid, report, 0);
|
||||
nf_ct_expect_put(exp);
|
||||
err_rcu:
|
||||
rcu_read_unlock();
|
||||
|
@ -234,9 +234,9 @@ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid)
|
||||
nf_nat_pptp_exp_gre = rcu_dereference(nf_nat_pptp_hook_exp_gre);
|
||||
if (nf_nat_pptp_exp_gre && ct->status & IPS_NAT_MASK)
|
||||
nf_nat_pptp_exp_gre(exp_orig, exp_reply);
|
||||
if (nf_ct_expect_related(exp_orig) != 0)
|
||||
if (nf_ct_expect_related(exp_orig, 0) != 0)
|
||||
goto out_put_both;
|
||||
if (nf_ct_expect_related(exp_reply) != 0)
|
||||
if (nf_ct_expect_related(exp_reply, 0) != 0)
|
||||
goto out_unexpect_orig;
|
||||
|
||||
/* Add GRE keymap entries */
|
||||
|
@ -153,7 +153,7 @@ static int help(struct sk_buff *skb,
|
||||
nf_ct_dump_tuple(&exp->tuple);
|
||||
|
||||
/* Can't expect this? Best to drop packet now. */
|
||||
if (nf_ct_expect_related(exp) != 0) {
|
||||
if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, ct, "cannot add expectation");
|
||||
ret = NF_DROP;
|
||||
}
|
||||
|
@ -977,11 +977,15 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
|
||||
/* -EALREADY handling works around end-points that send
|
||||
* SDP messages with identical port but different media type,
|
||||
* we pretend expectation was set up.
|
||||
* It also works in the case that SDP messages are sent with
|
||||
* identical expect tuples but for different master conntracks.
|
||||
*/
|
||||
int errp = nf_ct_expect_related(rtp_exp);
|
||||
int errp = nf_ct_expect_related(rtp_exp,
|
||||
NF_CT_EXP_F_SKIP_MASTER);
|
||||
|
||||
if (errp == 0 || errp == -EALREADY) {
|
||||
int errcp = nf_ct_expect_related(rtcp_exp);
|
||||
int errcp = nf_ct_expect_related(rtcp_exp,
|
||||
NF_CT_EXP_F_SKIP_MASTER);
|
||||
|
||||
if (errcp == 0 || errcp == -EALREADY)
|
||||
ret = NF_ACCEPT;
|
||||
@ -1296,7 +1300,7 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
|
||||
ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
|
||||
exp, matchoff, matchlen);
|
||||
else {
|
||||
if (nf_ct_expect_related(exp) != 0) {
|
||||
if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, ct, "cannot add expectation");
|
||||
ret = NF_DROP;
|
||||
} else
|
||||
|
@ -78,7 +78,7 @@ static int tftp_help(struct sk_buff *skb,
|
||||
nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook);
|
||||
if (nf_nat_tftp && ct->status & IPS_NAT_MASK)
|
||||
ret = nf_nat_tftp(skb, ctinfo, exp);
|
||||
else if (nf_ct_expect_related(exp) != 0) {
|
||||
else if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, ct, "cannot add expectation");
|
||||
ret = NF_DROP;
|
||||
}
|
||||
|
@ -48,7 +48,7 @@ static unsigned int help(struct sk_buff *skb,
|
||||
int res;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(port);
|
||||
res = nf_ct_expect_related(exp);
|
||||
res = nf_ct_expect_related(exp, 0);
|
||||
if (res == 0)
|
||||
break;
|
||||
else if (res != -EBUSY) {
|
||||
|
@ -91,7 +91,7 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
|
@ -53,7 +53,7 @@ static unsigned int help(struct sk_buff *skb,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.tcp.port = htons(port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, 0);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
|
@ -414,7 +414,7 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff,
|
||||
int ret;
|
||||
|
||||
exp->tuple.dst.u.udp.port = htons(port);
|
||||
ret = nf_ct_expect_related(exp);
|
||||
ret = nf_ct_expect_related(exp, NF_CT_EXP_F_SKIP_MASTER);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret != -EBUSY) {
|
||||
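Review bot: Passing `NF_CT_EXP_F_SKIP_MASTER` here does not achieve reuse, because the value the flag produces for a cross-master match, -EALREADY, is neither 0 nor -EBUSY and therefore falls into the `else if (ret != -EBUSY)` error branch, whose body is outside the hunk. As far as the expectation-check hunk shows, the same situation returned -EBUSY before this change and the loop moved on to the next port, so this looks like an abort where there used to be a retry. If reuse is intended in the NAT path as it is in the conntrack-only SIP path, the success test should read `if (ret == 0 || ret == -EALREADY) break;`; otherwise the flag should be 0 here to keep the old retry. The enclosing loop and its error handling start and end outside this hunk.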
@ -607,7 +607,8 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff,
|
||||
int ret;
|
||||
|
||||
rtp_exp->tuple.dst.u.udp.port = htons(port);
|
||||
ret = nf_ct_expect_related(rtp_exp);
|
||||
ret = nf_ct_expect_related(rtp_exp,
|
||||
NF_CT_EXP_F_SKIP_MASTER);
|
||||
if (ret == -EBUSY)
|
||||
continue;
|
||||
else if (ret < 0) {
|
||||
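Review bot: For `rtp_exp`, a same-tuple expectation owned by another master now yields -EALREADY, which is not -EBUSY and so enters the `else if (ret < 0)` branch (its body is outside the hunk; the context of the next hunk suggests it ends in `break`), whereas before this change the -EBUSY result made the loop `continue` to the next port pair. In the NAT path the new flag therefore appears to turn "try the next even port" into "give up", the opposite of what the commit message describes. If reuse is wanted here, mirror set_expected_rtp_rtcp() with `if (ret == -EBUSY) continue; else if (ret < 0 && ret != -EALREADY) {`, or pass 0 to preserve the retry. The for-loop header and the port-exhaustion handling are outside the hunk.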
@ -615,7 +616,8 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff,
|
||||
break;
|
||||
}
|
||||
rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
|
||||
ret = nf_ct_expect_related(rtcp_exp);
|
||||
ret = nf_ct_expect_related(rtcp_exp,
|
||||
NF_CT_EXP_F_SKIP_MASTER);
|
||||
if (ret == 0)
|
||||
break;
|
||||
else if (ret == -EBUSY) {
|
||||
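Review bot: This is exactly scenario 1 of the commit message when NAT is in use: `rtp_exp` registers with 0 because the old RTP expectation is gone, then `rtcp_exp` now returns -EALREADY for the RTCP expectation still held by the older master, and -EALREADY matches neither `ret == 0` nor `ret == -EBUSY`, so it drops into whatever branch follows the hunk rather than being treated as success. If that branch aborts the media setup, the NAT variant of the described failure is not fixed by this hunk and only the conntrack-only variant in nf_conntrack_sip.c is. Accepting it with `if (ret == 0 || ret == -EALREADY) break;` would give the NAT path the same semantics, but then the RTP expectation just created belongs to this master while the RTCP one belongs to the other, which deserves a comment at that point. The rest of the loop body and the code after it are outside the hunk.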
|
@ -30,7 +30,7 @@ static unsigned int help(struct sk_buff *skb,
|
||||
= ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
|
||||
exp->dir = IP_CT_DIR_REPLY;
|
||||
exp->expectfn = nf_nat_follow_master;
|
||||
if (nf_ct_expect_related(exp) != 0) {
|
||||
if (nf_ct_expect_related(exp, 0) != 0) {
|
||||
nf_ct_helper_log(skb, exp->master, "cannot add expectation");
|
||||
return NF_DROP;
|
||||
}
|
||||
|
@ -1252,7 +1252,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
|
||||
priv->l4proto, NULL, &priv->dport);
|
||||
exp->timeout.expires = jiffies + priv->timeout * HZ;
|
||||
|
||||
if (nf_ct_expect_related(exp) != 0)
|
||||
if (nf_ct_expect_related(exp, 0) != 0)
|
||||
regs->verdict.code = NF_DROP;
|
||||
}
|
||||
|
||||
|