[NETFILTER 20/32]: nf_conntrack_sip: perform NAT after parsing


 



[NETFILTER]: nf_conntrack_sip: perform NAT after parsing

Perform NAT last, after parsing the packet. This makes no difference
currently, but is needed when dealing with registrations to make
sure we see the unNATed addresses.

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

---
commit bbec485758c30e4c7bc04dbc387ed9cea676bc24
tree bb37b6940482c64c306f55c1aec3fd8103e7c5a4
parent 607087bf4071e8b15660d0ef2dbed696697a4516
author Patrick McHardy <kaber@xxxxxxxxx> Tue, 25 Mar 2008 12:45:08 +0100
committer Patrick McHardy <kaber@xxxxxxxxx> Tue, 25 Mar 2008 14:09:56 +0100

 net/ipv4/netfilter/nf_nat_sip.c  |    3 ---
 net/netfilter/nf_conntrack_sip.c |   19 +++++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 5b4a5cd..b442810 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -104,9 +104,6 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
 	union nf_inet_addr addr;
 	__be16 port;
 
-	if (*datalen < strlen("SIP/2.0"))
-		return NF_ACCEPT;
-
 	/* Basic rules: requests and responses. */
 	if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
 		if (ct_sip_parse_request(ct, *dptr, *datalen,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1be949f..29a37d2 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -700,6 +700,7 @@ static int sip_help(struct sk_buff *skb,
 {
 	unsigned int dataoff, datalen;
 	const char *dptr;
+	int ret;
 	typeof(nf_nat_sip_hook) nf_nat_sip;
 
 	/* No Data ? */
@@ -716,20 +717,22 @@ static int sip_help(struct sk_buff *skb,
 		return NF_ACCEPT;
 	}
 
-	nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
-	if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-		if (!nf_nat_sip(skb, &dptr, &datalen))
-			return NF_DROP;
-	}
-
 	datalen = skb->len - dataoff;
 	if (datalen < strlen("SIP/2.0 200"))
 		return NF_ACCEPT;
 
 	if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
-		return process_sip_request(skb, &dptr, &datalen);
+		ret = process_sip_request(skb, &dptr, &datalen);
 	else
-		return process_sip_response(skb, &dptr, &datalen);
+		ret = process_sip_response(skb, &dptr, &datalen);
+
+	if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+		nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
+		if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen))
+			ret = NF_DROP;
+	}
+
+	return ret;
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;
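Review bot: The NAT hook at the end of sip_help() now receives `dptr`/`datalen` only after process_sip_request()/process_sip_response() have been handed pointers to both, while this same commit removes the `*datalen < strlen("SIP/2.0")` guard from ip_nat_sip(), whose `strnicmp(*dptr, "SIP/2.0", ...)` comparison remains. The only length check left on that path is the `datalen < strlen("SIP/2.0 200")` test before parsing, so the hook's read stays within the payload only if the parsers never leave `datalen` shorter than that; their bodies are outside this diff, so this should be confirmed. I would either keep the cheap guard in ip_nat_sip() as defence in depth or state the invariant at the call site, e.g. `/* datalen >= strlen("SIP/2.0 200") checked above; nf_nat_sip relies on it */`. As a minor style point, `ret == NF_ACCEPT && (ct->status & IPS_NAT_MASK)` reads more safely with the parentheses; sip_help() begins outside this hunk.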
--