From: Patrick McHardy <kaber <at> trash.net>
Subject: [NETFILTER 00/32]: SIP conntrack/NAT enhancements
Newsgroups: gmane.comp.security.firewalls.netfilter.devel
Date: Thursday 28th February 2008 11:59:57 UTC
I've forward ported and slightly reworked my SIP conntrack patches
in order to prepare them for upstream merging. They will most likely
see a few more minor changes before getting merged, but they're ready
for testing and review already.

A rough overview of the patches:

- Cleanups, minor fixes

- Expectation classes for isolating different expectation types from
  each other (audio/video/signalling/...)

- Parser fixes: proper SIP and SDP parsing, dealing with SIP's strange
  whitespace rules, case-sensitivity, etc.

- Parser enhancements: support for more message types containing SDP
  messages, support for parsing header and URI parameters

- Expectations for signalling and RTCP connections

- (Optional) wildcard RTP expectations for RTP streams that originate
  from other hosts than the registrar/proxy

- Multiple media channel support (used for audio and video for now)

- NAT enhancements: replacement of text-based address translation by
  binary address translation, support for properly updating rport=,
  received= and maddr= Via-header parameters, support for properly
  translating all Contact: addresses

- RTP routing optimization: makes RTP streams between two "internal"
  endpoints go directly without NAT (only works if the proxy doesn't
  also proxy the RTP streams).

For a full description check out the individual changelog entries.

The old (before forward porting) patches have been tested extensively
in multiple different setups; assuming no bugs have been introduced
during forward porting (everything *seems* to work fine), they should
make the SIP helper work significantly better with multiple endpoints
behind the firewall and with a wider range of clients.

In case someone wants to do some testing, the conntrack module has two
new parameters controlling whether expectations for signalling and
RTP connections are set up with wildcards or only between the two
sides of the connection:

- sip_direct_signalling (default 1): expect signalling connections only
  from registrar

- sip_direct_media (default 1): expect media streams only from remote
  side of the connection

Depending on the setup, the defaults might be too strict and need to
be changed to zero.

A git tree with these patches is available at:


Patches, testing and comments welcome :)

 include/linux/netfilter.h                     |    9 +
 include/linux/netfilter/nf_conntrack_amanda.h |    6 +
 include/linux/netfilter/nf_conntrack_ftp.h    |    6 +
 include/linux/netfilter/nf_conntrack_h323.h   |   18 +
 include/linux/netfilter/nf_conntrack_irc.h    |    6 +
 include/linux/netfilter/nf_conntrack_pptp.h   |    6 +
 include/linux/netfilter/nf_conntrack_sane.h   |    6 +
 include/linux/netfilter/nf_conntrack_sip.h    |  185 +++-
 include/linux/netfilter/nf_conntrack_tftp.h   |    6 +
 include/net/netfilter/nf_conntrack.h          |    7 +-
 include/net/netfilter/nf_conntrack_expect.h   |   20 +-
 include/net/netfilter/nf_conntrack_helper.h   |    5 +-
 include/net/netfilter/nf_conntrack_tuple.h    |   53 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c            |    2 +-
 net/ipv4/netfilter/nf_nat_sip.c               |  556 +++++++----
 net/ipv4/netfilter/nf_nat_snmp_basic.c        |   22 +-
 net/netfilter/nf_conntrack_amanda.c           |   18 +-
 net/netfilter/nf_conntrack_expect.c           |   81 +-
 net/netfilter/nf_conntrack_ftp.c              |   13 +-
 net/netfilter/nf_conntrack_h323_main.c        |   68 +-
 net/netfilter/nf_conntrack_helper.c           |    3 +-
 net/netfilter/nf_conntrack_irc.c              |   10 +-
 net/netfilter/nf_conntrack_netbios_ns.c       |   18 +-
 net/netfilter/nf_conntrack_pptp.c             |   17 +-
 net/netfilter/nf_conntrack_sane.c             |   14 +-
 net/netfilter/nf_conntrack_sip.c              | 1401
 net/netfilter/nf_conntrack_tftp.c             |   14 +-
 27 files changed, 1976 insertions(+), 594 deletions(-)

Patrick McHardy (32):
      [NETFILTER]: ipt_CLUSTERIP: fix non-existant macro-name
      [NETFILTER]: nf_conntrack: fix NF_CT_TUPLE_DUMP for IPv4
      [NETFILTER]: nf_conntrack_expect: constify nf_ct_expect_init
      [NETFILTER]: nf_conntrack_expect: show NF_CT_EXPECT_PERMANENT flag in
      [NETFILTER]: nf_conntrack_expect: support inactive expectations
      [NETFILTER]: nf_conntrack: introduce expectation classes and policies
      [NETFILTER]: Add nf_inet_addr_cmp()
      [NETFILTER]: nf_conntrack_sip: fix IPv6 address parsing
      [NETFILTER]: nf_nat_sip: fix NAT setup order
      [NETFILTER]: nf_conntrack_sip: fix some off-by-ones
      [NETFILTER]: nf_conntrack_sip: adjust dptr and datalen after packet
      [NETFILTER]: nf_conntrack_sip: remove redundant function arguments
      [NETFILTER]: nf_conntrack_sip: use strlen/strcmp
      [NETFILTER]: nf_conntrack_sip: add seperate SDP header parsing
      [NETFILTER]: nf_conntrack_sip: kill request URI "header" definitions
      [NETFILTER]: nf_conntrack_sip: parse SIP headers properly
      [NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper
      [NETFILTER]: nf_nat_sip: get rid of text based header translation
      [NETFILTER]: nf_conntrack_sip: move SDP parsing to seperate function
      [NETFILTER]: nf_conntrack_sip: support method specific request/response handling
      [NETFILTER]: nf_conntrack_sip: perform NAT after parsing
      [NETFILTER]: nf_conntrack_sip: process ACK and PRACK methods
      [NETFILTER]: nf_conntrack_sip: flush expectations on call termination
      [NETFILTER]: nf_conntrack_sip: introduce URI and header parameter parsing helpers
      [NETFILTER]: nf_nat_sip: translate all Via headers
      [NETFILTER]: nf_nat_sip: translate all Contact headers
      [NETFILTER]: nf_conntrack_sip: create signalling expectations
      [NETFILTER]: nf_conntrack_sip: allow media expectations with wildcard source address
      [NETFILTER]: nf_conntrack_sip: create RTCP expectations
      [NETFILTER]: nf_nat_sip: split up SDP mangling
      [NETFILTER]: nf_conntrack_sip: support multiple media channels
      [NETFILTER]: nf_conntrack_sip: RTP routing optimization
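The parser fixes and the Via/Contact handling listed in the overview rest on a few SIP syntax rules that a helper has to honour before it can safely rewrite anything: header names are case-insensitive and have compact forms ("v" for Via, "m" for Contact), whitespace is allowed before the colon, a value may be folded across continuation lines, and a Contact header carries URI parameters (inside the angle brackets) as well as header parameters (after them). The following C example is added here for illustration; it is not part of Patrick's patches or the netfilter code base. It is a small user-space lookup over a constructed request (the message text, the `sip_*` function names and the hypothetical Via `rport` flag are all mine): it finds Via and Contact regardless of casing and folding, reports whether the `rport`, `received` and `branch` Via parameters are present, and shows that `transport=` on the Contact is a URI parameter while `expires=` is a header parameter.

```c
/* Added example (not netfilter code): tolerant SIP header/parameter lookup (RFC 3261 rules). */
#include <string.h>
#include <strings.h>                /* strncasecmp */

/* Constructed sample: mixed-case name, space before ':', folded Via, compact Contact "m:". */
const char sip_sample[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "vIA  : SIP/2.0/UDP 10.0.0.5:5060 ;Branch=z9hG4bKnashds8\r\n"
    " ;rport\r\n"
    "Max-Forwards: 70\r\n"
    "m: \"Alice\" <sip:alice@10.0.0.5:5060;transport=udp>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n";

static int is_wsp(char c) { return c == ' ' || c == '\t'; }

/* Advance past the next CRLF, or to end. */
static const char *next_line(const char *p, const char *end)
{
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n') return p + 2;
    return end;
}

/* Skip SP/HTAB, including a CRLF that is followed by SP/HTAB (line folding). */
static const char *skip_lws(const char *p, const char *end)
{
    while (p < end && (is_wsp(*p) || (p + 2 < end && p[0] == '\r' &&
                                      p[1] == '\n' && is_wsp(p[2]))))
        p += is_wsp(*p) ? 1 : 2;
    return p;
}

/* Case-insensitive header name followed by HCOLON: optional SP/HTAB, then ':'. */
static int name_matches(const char *p, const char *end, const char *name, const char **value)
{
    size_t n = strlen(name);
    if ((size_t)(end - p) < n || strncasecmp(p, name, n) != 0)
        return 0;
    for (p += n; p < end && is_wsp(*p); p++)
        ;
    *value = p + 1;
    return p < end && *p == ':';
}

/* Find a header by long or compact name; the value spans folded lines, minus the final CRLF. */
const char *sip_header_find(const char *msg, size_t len, const char *name,
                            const char *compact, size_t *vlen)
{
    const char *end = msg + len, *v, *e;
    const char *p = next_line(msg, end);            /* skip request/status line */
    for (; p + 1 < end && !(p[0] == '\r' && p[1] == '\n'); p = next_line(p, end)) {
        if (!name_matches(p, end, name, &v) &&
            !(compact && name_matches(p, end, compact, &v)))
            continue;
        v = skip_lws(v, end);
        for (e = next_line(v, end); e < end && is_wsp(*e); e = next_line(e, end))
            ;                                       /* absorb folded lines */
        *vlen = (size_t)(e - v);
        if (*vlen >= 2 && e[-2] == '\r' && e[-1] == '\n') *vlen -= 2;
        return v;
    }
    return NULL;
}

/* The URI enclosed in <...> (as in Contact); NULL if there is none. */
const char *sip_uri_in_angles(const char *hdr, size_t len, size_t *ulen)
{
    const char *lt = memchr(hdr, '<', len), *gt;
    if (!lt || !(gt = memchr(lt, '>', len - (size_t)(lt - hdr)))) return NULL;
    *ulen = (size_t)(gt - lt - 1);
    return lt + 1;
}

/* Look up ";name" or ";name=value" case-insensitively, tolerating whitespace around
 * ';' and '='. Quoted strings and <...> are skipped, so header parameters are never
 * confused with URI parameters (read those via sip_uri_in_angles()). Returns 1 if
 * present (*vlen is 0 for a bare flag such as ;rport), 0 if absent. */
int sip_param_find(const char *hdr, size_t len, const char *name, const char **val, size_t *vlen)
{
    const char *end = hdr + len, *p = hdr, *q;
    size_t n = strlen(name);
    char closer = 0;                  /* '"' or '>' while inside a quote / <URI> */
    while (p < end) {
        char c = *p++;
        if (closer) { closer = (c == closer) ? 0 : closer; continue; }
        if (c == '"' || c == '<') { closer = (c == '"') ? '"' : '>'; continue; }
        if (c != ';') continue;
        p = skip_lws(p, end);
        if ((size_t)(end - p) < n || strncasecmp(p, name, n) != 0)
            continue;
        q = skip_lws(p + n, end);
        if (q < end && !strchr("=;,?>", *q)) continue;   /* longer token sharing the prefix */
        *val = q, *vlen = 0;
        if (q < end && *q == '=') {
            for (*val = q = skip_lws(q + 1, end); q < end && !strchr(";,?> \t\r", *q); q++)
                ;
            *vlen = (size_t)(q - *val);
        }
        return 1;
    }
    return 0;
}
```

A helper that rewrites addresses works on exactly the offsets these functions return: the Via sent-by to decide whether `received=`/`rport=` need to be added or updated, the URI inside the Contact's angle brackets for the address itself, and the header parameters after the closing bracket left alone. Matching `Via` against a message that spells it `vIA  :` and folds the parameters onto a second line is precisely the situation a case- or whitespace-sensitive text match misses, which leaves the connection untracked and the media unexpected rather than failing loudly.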