lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 1 Sep 2009 14:10:33 +0200
From:	Andreas Jaggi <aj@...n.ch>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	Mark Brown <broonie@...nsource.wolfsonmicro.com>,
	Jing Min Zhao <zhaojingmin@...rs.sourceforge.net>,
	netdev@...r.kernel.org
Subject: Re: H.245v10+ support in nf_conntrack_h323?

On Tue, Sep 01, 2009 at 01:25:22PM +0200, Patrick McHardy wrote:
> Mark Brown wrote:
> > I'd be surprised if the H.245 version were the source of your problems
> > here - the new protocol versions are backwards compatible and I don't
> > remember any changes in any of the stuff that's relevant for firewall
> > transit.
> 
> Good point. The helper should also log packets dropped due to parsing
> errors. If you don't get any messages, I'd suggest to use the iptables
> TRACE target to figure out where the packets are dropped exactly.

I'm quite confident that the H.245 parsing/handling is involved in the
packet dropping:
1. there are plenty of 'nf_ct_h245: packet dropped' messages
   (but no nf_ct_q931 or nf_ct_ras messages)
2. without nf_conntrack_h323 the videoconferencing works seamlessly
3. with nf_conntrack_h323 and a ...-j NOTRACK rule the videoconferencing
   works too

In our setup there is a LOG rule preceding any DROP or ACCEPT rule, and
there were no logentries for DROP rules showing up (only the nf_ct_h245:
packet dropped messages).
Would a TRACE rule provide more insight than this? (eg. by showing in
which part of the nf_conntrack_h323 code a packet is dropped?)

For me it looks like nf_conntrack_h323 is not only doing connection
tracking, but also doing protocol enforcement (by dropping packets which
do not correspond exactly to H.245v7).
Perhaps there should be a config option to disable the protocol
enforcement?

Andreas
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ