diff options
author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2012-12-27 22:59:51 +0000 |
---|---|---|
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2012-12-27 22:59:51 +0000 |
commit | 5e4cd8814198ac064a64aff924e26794b5047b85 (patch) | |
tree | 3210cc34c3ac79c89d2e180479d02b31caae1497 /target/linux/generic | |
parent | 73af5c02d51fdb5ff707650dcbd4ca2f61b119b8 (diff) |
kernel: remove the cisco SIP NAT patch, at least on 3.6 it crashes
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@34901 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux/generic')
-rw-r--r-- | target/linux/generic/patches-3.3/604-netfilter_cisco_794x_iphone.patch | 118 | ||||
-rw-r--r-- | target/linux/generic/patches-3.6/604-netfilter_cisco_794x_iphone.patch | 118 |
2 files changed, 0 insertions, 236 deletions
diff --git a/target/linux/generic/patches-3.3/604-netfilter_cisco_794x_iphone.patch b/target/linux/generic/patches-3.3/604-netfilter_cisco_794x_iphone.patch deleted file mode 100644 index 662a499d1..000000000 --- a/target/linux/generic/patches-3.3/604-netfilter_cisco_794x_iphone.patch +++ /dev/null @@ -1,118 +0,0 @@ ---- a/include/linux/netfilter/nf_conntrack_sip.h -+++ b/include/linux/netfilter/nf_conntrack_sip.h -@@ -2,12 +2,15 @@ - #define __NF_CONNTRACK_SIP_H__ - #ifdef __KERNEL__ - -+#include <linux/types.h> -+ - #define SIP_PORT 5060 - #define SIP_TIMEOUT 3600 - - struct nf_ct_sip_master { - unsigned int register_cseq; - unsigned int invite_cseq; -+ __be16 forced_dport; - }; - - enum sip_expectation_classes { ---- a/net/ipv4/netfilter/nf_nat_sip.c -+++ b/net/ipv4/netfilter/nf_nat_sip.c -@@ -73,6 +73,7 @@ static int map_addr(struct sk_buff *skb, - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); -+ struct nf_conn_help *help = nfct_help(ct); - char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; - unsigned int buflen; - __be32 newaddr; -@@ -85,7 +86,8 @@ static int map_addr(struct sk_buff *skb, - } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip && - ct->tuplehash[dir].tuple.dst.u.udp.port == port) { - newaddr = ct->tuplehash[!dir].tuple.src.u3.ip; -- newport = ct->tuplehash[!dir].tuple.src.u.udp.port; -+ newport = help->help.ct_sip_info.forced_dport ? : -+ ct->tuplehash[!dir].tuple.src.u.udp.port; - } else - return 1; - -@@ -121,6 +123,7 @@ static unsigned int ip_nat_sip(struct sk - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); -+ struct nf_conn_help *help = nfct_help(ct); - unsigned int coff, matchoff, matchlen; - enum sip_header_types hdr; - union nf_inet_addr addr; -@@ -229,6 +232,20 @@ next: - !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO)) - return NF_DROP; - -+ /* Mangle destination port for Cisco phones, then fix up checksums */ -+ if (dir == IP_CT_DIR_REPLY && help->help.ct_sip_info.forced_dport) { -+ struct udphdr *uh; -+ -+ if (!skb_make_writable(skb, skb->len)) -+ return NF_DROP; -+ -+ uh = (struct udphdr *)(skb->data + ip_hdrlen(skb)); -+ uh->dest = help->help.ct_sip_info.forced_dport; -+ -+ if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, 0, 0, NULL, 0)) -+ return NF_DROP; -+ } -+ - return NF_ACCEPT; - } - -@@ -280,8 +297,10 @@ static unsigned int ip_nat_sip_expect(st - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); -+ struct nf_conn_help *help = nfct_help(ct); - __be32 newip; - u_int16_t port; -+ __be16 srcport; - char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; - unsigned buflen; - -@@ -294,8 +313,9 @@ static unsigned int ip_nat_sip_expect(st - /* If the signalling port matches the connection's source port in the - * original direction, try to use the destination port in the opposite - * direction. */ -- if (exp->tuple.dst.u.udp.port == -- ct->tuplehash[dir].tuple.src.u.udp.port) -+ srcport = help->help.ct_sip_info.forced_dport ? : -+ ct->tuplehash[dir].tuple.src.u.udp.port; -+ if (exp->tuple.dst.u.udp.port == srcport) - port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port); - else - port = ntohs(exp->tuple.dst.u.udp.port); ---- a/net/netfilter/nf_conntrack_sip.c -+++ b/net/netfilter/nf_conntrack_sip.c -@@ -1363,8 +1363,25 @@ static int process_sip_request(struct sk - { - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); -+ struct nf_conn_help *help = nfct_help(ct); -+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); - unsigned int matchoff, matchlen; - unsigned int cseq, i; -+ union nf_inet_addr addr; -+ __be16 port; -+ -+ /* Many Cisco IP phones use a high source port for SIP requests, but -+ * listen for the response on port 5060. If we are the local -+ * router for one of these phones, save the port number from the -+ * Via: header so that nf_nat_sip can redirect the responses to -+ * the correct port. -+ */ -+ if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, -+ SIP_HDR_VIA_UDP, NULL, &matchoff, -+ &matchlen, &addr, &port) > 0 && -+ port != ct->tuplehash[dir].tuple.src.u.udp.port && -+ nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3)) -+ help->help.ct_sip_info.forced_dport = port; - - for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { - const struct sip_handler *handler; diff --git a/target/linux/generic/patches-3.6/604-netfilter_cisco_794x_iphone.patch b/target/linux/generic/patches-3.6/604-netfilter_cisco_794x_iphone.patch deleted file mode 100644 index ee8ba1a66..000000000 --- a/target/linux/generic/patches-3.6/604-netfilter_cisco_794x_iphone.patch +++ /dev/null @@ -1,118 +0,0 @@ ---- a/include/linux/netfilter/nf_conntrack_sip.h -+++ b/include/linux/netfilter/nf_conntrack_sip.h -@@ -4,12 +4,15 @@ - - #include <net/netfilter/nf_conntrack_expect.h> - -+#include <linux/types.h> -+ - #define SIP_PORT 5060 - #define SIP_TIMEOUT 3600 - - struct nf_ct_sip_master { - unsigned int register_cseq; - unsigned int invite_cseq; -+ __be16 forced_dport; - }; - - enum sip_expectation_classes { ---- a/net/ipv4/netfilter/nf_nat_sip.c -+++ b/net/ipv4/netfilter/nf_nat_sip.c -@@ -73,6 +73,7 @@ static int map_addr(struct sk_buff *skb, - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); -+ struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); - char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; - unsigned int buflen; - __be32 newaddr; -@@ -85,7 +86,8 @@ static int map_addr(struct sk_buff *skb, - } else if (ct->tuplehash[dir].tuple.dst.u3.ip == addr->ip && - ct->tuplehash[dir].tuple.dst.u.udp.port == port) { - newaddr = ct->tuplehash[!dir].tuple.src.u3.ip; -- newport = ct->tuplehash[!dir].tuple.src.u.udp.port; -+ newport = ct_sip_info->forced_dport ? ct_sip_info->forced_dport : -+ ct->tuplehash[!dir].tuple.src.u.udp.port; - } else - return 1; - -@@ -121,6 +123,7 @@ static unsigned int ip_nat_sip(struct sk - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); -+ struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); - unsigned int coff, matchoff, matchlen; - enum sip_header_types hdr; - union nf_inet_addr addr; -@@ -230,6 +233,20 @@ next: - !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO)) - return NF_DROP; - -+ /* Mangle destination port for Cisco phones, then fix up checksums */ -+ if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) { -+ struct udphdr *uh; -+ -+ if (!skb_make_writable(skb, skb->len)) -+ return NF_DROP; -+ -+ uh = (struct udphdr *)(skb->data + ip_hdrlen(skb)); -+ uh->dest = ct_sip_info->forced_dport; -+ -+ if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, 0, 0, NULL, 0)) -+ return NF_DROP; -+ } -+ - return NF_ACCEPT; - } - -@@ -281,8 +298,10 @@ static unsigned int ip_nat_sip_expect(st - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); -+ struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); - __be32 newip; - u_int16_t port; -+ __be16 srcport; - char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; - unsigned int buflen; - -@@ -295,8 +314,9 @@ static unsigned int ip_nat_sip_expect(st - /* If the signalling port matches the connection's source port in the - * original direction, try to use the destination port in the opposite - * direction. */ -- if (exp->tuple.dst.u.udp.port == -- ct->tuplehash[dir].tuple.src.u.udp.port) -+ srcport = ct_sip_info->forced_dport ? ct_sip_info->forced_dport : -+ ct->tuplehash[dir].tuple.src.u.udp.port; -+ if (exp->tuple.dst.u.udp.port == srcport) - port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port); - else - port = ntohs(exp->tuple.dst.u.udp.port); ---- a/net/netfilter/nf_conntrack_sip.c -+++ b/net/netfilter/nf_conntrack_sip.c -@@ -1416,8 +1416,25 @@ static int process_sip_request(struct sk - { - enum ip_conntrack_info ctinfo; - struct nf_conn *ct = nf_ct_get(skb, &ctinfo); -+ struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); -+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); - unsigned int matchoff, matchlen; - unsigned int cseq, i; -+ union nf_inet_addr addr; -+ __be16 port; -+ -+ /* Many Cisco IP phones use a high source port for SIP requests, but -+ * listen for the response on port 5060. If we are the local -+ * router for one of these phones, save the port number from the -+ * Via: header so that nf_nat_sip can redirect the responses to -+ * the correct port. -+ */ -+ if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, -+ SIP_HDR_VIA_UDP, NULL, &matchoff, -+ &matchlen, &addr, &port) > 0 && -+ port != ct->tuplehash[dir].tuple.src.u.udp.port && -+ nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3)) -+ ct_sip_info->forced_dport = port; - - for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { - const struct sip_handler *handler; |