| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Nov 2010 17:58:01 +0100 From: Patrick McHardy <kaber@...sh.net> To: Kevin Cernekee <cernekee@...il.com> CC: Eric Dumazet <eric.dumazet@...il.com>, "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, "Pekka Savola (ipv6)" <pekkas@...core.fi>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org, coreteam@...filter.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky Cisco phones On 15.11.2010 17:46, Kevin Cernekee wrote: > On Mon, Nov 15, 2010 at 2:15 AM, Patrick McHardy <kaber@...sh.net> wrote: >> The problem in doing this is that further packets from port 49xxx >> wouldn't be recognized as belonging to the same connection. > > OK, makes sense. > >> The same problem exists with your current patch, packets from port >> 5060 to the same destination won't be recognized as belonging to the >> connection that sent the REGISTER and thus won't be able to modify the >> timeout or unregister. >> >> Basically we would need three-legged connections to handle this >> situation correctly. > > Just to clarify: the actual source port on a given device will be > EITHER a high-numbered port (Cisco) or 5060 (others). I have not come > across any devices that send from a "mix" of source ports, e.g. 49xxx > for REGISTER and then 5060 for INVITE. > >>>From what I have seen, subsequent SIP requests from the Cisco phone > are indeed getting associated with the original connection. My phone > is logging into two different SIP accounts, and each account seems to > use its own unique UDP source port for all control traffic (both > expecting replies on 5060). Could you provide a binary tcpdump (-w file -s0) of registration and a subsequent call please? > If Netfilter adds support for three-legged connections, will the third > leg show up in the tuplehash so I don't have to track it in the "help" > structure? Yes, basically by default all connections would only have a single tuplehash. The lookup would look up the tuple based on the packet and, if not found, reverse it and retry the lookup. When the tuples are asymetric (NAT and ICMP/ICMPv6) a second one would be added in the ct_extend area and would be added to the hash table as usual. For the SIP case, we could simply add a third one in a ct_extend area. Unfortunately I wasn't able to find my old patch so far. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists