| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Nov 2010 11:15:38 +0100 From: Patrick McHardy <kaber@...sh.net> To: Kevin Cernekee <cernekee@...il.com> CC: Eric Dumazet <eric.dumazet@...il.com>, "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, "Pekka Savola (ipv6)" <pekkas@...core.fi>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org, coreteam@...filter.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky Cisco phones On 15.11.2010 04:01, Kevin Cernekee wrote: > On Sun, Nov 14, 2010 at 11:57 AM, Eric Dumazet <eric.dumazet@...il.com> wrote: >> Via: SIP/2.0/UDP 192.168.2.28:5060;branch=xxxxxxxx >> >> >> Maybe a fix would be to use this "5060" port, instead of hardcoding it >> like you did ? > > Just posted v2... appreciate the advice so far. > > My new code in process_sip_request() looks for an address match + port > mismatch between the IP source and the Via: header. This is how it > tries to detect whether we are talking directly to an afflicted Cisco > phone. If the address doesn't match, I assume the request is passing > through a non-SIP-aware NAT router so there is no special handling. > > Assuming we can reliably detect the "quirky phone" condition, is there > any way to just trick Netfilter into thinking the source port was 5060 > instead of 49xxx? 3/4ths of the patch could probably be eliminated if > we could overwrite the port number inside tuplehash. The problem in doing this is that further packets from port 49xxx wouldn't be recognized as belonging to the same connection. If another packet was sent to the same destination conntrack would treat it as a new connection, rewrite the source port number, notice the clash and drop the packet. The same problem exists with your current patch, packets from port 5060 to the same destination won't be recognized as belonging to the connection that sent the REGISTER and thus won't be able to modify the timeout or unregister. Basically we would need three-legged connections to handle this situation correctly. I've actually done some work to move one of the conntrack tuples to a ct_extend since in most situations (all except IPv4 NAT and ICMP packets) the tuples are symetrical and the second one can easily be derived, but I never managed to finish it - not sure what the problem was anymore, I'll see if I can still find those patches. With this we could simply attach a third tuple to a connection. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists