From: Andreas Jaggi
To: Patrick McHardy
Cc: Mark Brown, Jing Min Zhao, netdev@vger.kernel.org
Date: Wed, 2 Sep 2009 10:05:16 +0200
Subject: Re: H.245v10+ support in nf_conntrack_h323?
Message-ID: <20090902080516.GA6766@urbino.open.ch>
X-Patchwork-Id: 32817

On Tue, Sep 01, 2009 at 02:20:51PM +0200, Patrick McHardy wrote:
> It's unfortunately necessary to drop packets in some cases after parsing
> errors when the helper might have already (partially) mangled the
> packet.

Do the helpers also mangle packets when there is no NAT involved?
(in our setup we don't use NAT, btw)

If they don't, would it be reasonable to return NF_ACCEPT when there is
no NAT? For example, like in the patch below?

> You could try this patch in combination with ulogd and the pcap output
> plugin to capture the packets which are dropped by the helper for
> analysis.

Unfortunately the videoconferencing system is currently not available
for testing (and might be so for a while). But I can have some tcpdumps
from both sides of the Linux Gateway from which I can extract the
packets that were dropped by the H.323 helper.

Andreas

---
--- a/net/netfilter/nf_conntrack_h323_main.c 2009-05-19 01:52:34.000000000 +0200 +++ b/net/netfilter/nf_conntrack_h323_main.c 2009-09-01 17:36:08.000000000 +0200
@@ -596,8 +596,12 @@ } /* Process H.245 signal */ - if (process_h245(skb, ct, ctinfo, &data, dataoff, &mscm) < 0) - goto drop; + if (process_h245(skb, ct, ctinfo, &data, dataoff, &mscm) < 0) { + if (ct->status & IPS_NAT_MASK) + goto drop; + else + break; + } } spin_unlock_bh(&nf_h323_lock); @@ -1141,8 +1145,12 @@ } /* Process Q.931 signal */ - if (process_q931(skb, ct, ctinfo, &data, dataoff, &q931) < 0) - goto drop; + if (process_q931(skb, ct, ctinfo, &data, dataoff, &q931) < 0) { + if (ct->status & IPS_NAT_MASK) + goto drop; + else + break; + } } spin_unlock_bh(&nf_h323_lock); @@ -1716,7 +1724,8 @@ } /* Process RAS message */ - if (process_ras(skb, ct, ctinfo, &data, &ras) < 0) + if ((process_ras(skb, ct, ctinfo, &data, &ras) < 0) && + (ct->status & IPS_NAT_MASK)) goto drop; accept:
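Review bot: In the H.245 hunk (@@ -596), the new test on ct->status & IPS_NAT_MASK assumes that process_h245() can only have modified the skb when one of those bits is set, and nothing in the hunk states or checks that assumption. The message itself still asks whether the helpers mangle packets without NAT, so the break path, which leaves the loop for spin_unlock_bh(&nf_h323_lock) instead of going to drop, should wait for that answer. If the assumption holds, put it in a comment directly above the test so the reason a failed parse is let through is recorded next to the code.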
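Review bot: In the Q.931 hunk (@@ -1141), the else after goto drop; is redundant, and the block is a copy of the one added for process_h245(). Writing it as "if (ct->status & IPS_NAT_MASK) goto drop;" followed by "break;" is shorter and matches usual kernel style. The break path also leaves no trace that process_q931() returned an error, so a rate-limited log or pr_debug() before the break would keep these parse failures visible once packets are no longer dropped.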
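Review bot: In the RAS hunk (@@ -1716), the failure case is folded into one condition, "(process_ras(...) < 0) && (ct->status & IPS_NAT_MASK)", while the H.245 and Q.931 hunks use a nested if for the same decision. Use one form in all three places. The parentheses around the "< 0" comparison are not needed. As written, a process_ras() error without NAT continues straight to the accept: label with no log and no comment explaining why the packet is kept, so add both here as well.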