1. 17 Jan, 2013 4 commits
      netfilter: ctnetlink: allow userspace to modify labels · 9b21f6a9
      Florian Westphal authored
      Add the ability to set/clear labels assigned to a conntrack
      via ctnetlink.
      
      To allow userspace to only alter specific bits, Pablo suggested to add
      a new CTA_LABELS_MASK attribute:
      
      The new set of active labels is then determined via
      
      active = (active & ~mask) ^ changeset
      
      i.e., the mask selects those bits in the existing set that should be
      changed.
      
      This follows the same method already used by MARK and CONNMARK targets.
      
      Omitting CTA_LABELS_MASK is the same as setting all bits in CTA_LABELS_MASK
      to 1: The existing set is replaced by the one from userspace.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
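As an added illustration of the CTA_LABELS_MASK update rule described in the commit message above (this is constructed example code, not the kernel's ctnetlink implementation): a 128-bit label set held in four 32-bit words, the `active = (active & ~mask) ^ changeset` step applied word by word, and a NULL mask standing in for an omitted CTA_LABELS_MASK, which replaces the existing set. The `connlabels`, `connlabels_update` and `connlabel_demo` names are assumptions made for this example.

```c
#include <stdint.h>

/* Constructed example: 128 label bits as four 32-bit words, matching the
 * "up to 128 labels" limit of the connlabel extension. Not kernel code. */
#define CONNLABEL_BITS  128
#define CONNLABEL_WORDS (CONNLABEL_BITS / 32)

struct connlabels {
	uint32_t bits[CONNLABEL_WORDS];
};

/* active = (active & ~mask) ^ changeset, per word. A NULL mask models an
 * omitted CTA_LABELS_MASK: every mask bit is 1, so the set is replaced.
 * Note that changeset bits outside the mask still toggle, as the formula
 * says; userspace that only wants to touch masked bits must keep the
 * changeset clear elsewhere. */
void connlabels_update(struct connlabels *active,
		       const struct connlabels *changeset,
		       const struct connlabels *mask)
{
	for (unsigned int i = 0; i < CONNLABEL_WORDS; i++) {
		uint32_t m = mask ? mask->bits[i] : UINT32_MAX;
		active->bits[i] = (active->bits[i] & ~m) ^ changeset->bits[i];
	}
}

int connlabel_test(const struct connlabels *l, unsigned int bit)
{
	return bit < CONNLABEL_BITS && ((l->bits[bit / 32] >> (bit % 32)) & 1u);
}

void connlabel_set(struct connlabels *l, unsigned int bit)
{
	if (bit < CONNLABEL_BITS)
		l->bits[bit / 32] |= 1u << (bit % 32);
}

/* Worked case: a flow carries labels 3 and 70. Userspace clears label 3 and
 * sets label 100 while leaving label 70 (outside the mask) untouched. */
struct connlabels connlabel_demo(void)
{
	struct connlabels active = {0}, changeset = {0}, mask = {0};

	connlabel_set(&active, 3);
	connlabel_set(&active, 70);
	connlabel_set(&mask, 3);        /* mask selects labels 3 and 100 */
	connlabel_set(&mask, 100);
	connlabel_set(&changeset, 100); /* new value: 3 -> 0, 100 -> 1 */
	connlabels_update(&active, &changeset, &mask);
	return active;
}
```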
      netfilter: ctnetlink: deliver labels to userspace · 0ceabd83
      Florian Westphal authored
      Introduce CTA_LABELS attribute to send a bit-vector of currently active labels
      to userspace.
      
      Future patch will permit userspace to also set/delete active labels.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: add connlabel conntrack extension · c539f017
      Florian Westphal authored
      similar to connmarks, except labels are bit-based; i.e.
      all labels may be attached to a flow at the same time.
      
      Up to 128 labels are supported.  Supporting more labels
      is possible, but requires increasing the ct offset delta
      from u8 to u16 type due to increased extension sizes.
      
      Mapping of bit-identifier to label name is done in userspace.
      
      The extension is enabled at run-time once "-m connlabel" netfilter
      rules are added.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones · 7266507d
      Kevin Cernekee authored
      Most SIP devices use a source port of 5060/udp on SIP requests, so the
      response automatically comes back to port 5060:
      
          phone_ip:5060 -> proxy_ip:5060   REGISTER
          proxy_ip:5060 -> phone_ip:5060   100 Trying
      
      The newer Cisco IP phones, however, use a randomly chosen high source
      port for the SIP request but expect the response on port 5060:
      
          phone_ip:49173 -> proxy_ip:5060  REGISTER
          proxy_ip:5060 -> phone_ip:5060   100 Trying
      
      Standard Linux NAT, with or without nf_nat_sip, will send the reply back
      to port 49173, not 5060:
      
          phone_ip:49173 -> proxy_ip:5060  REGISTER
          proxy_ip:5060 -> phone_ip:49173  100 Trying
      
      But the phone is not listening on 49173, so it will never see the reply.
      
      This patch modifies nf_*_sip to work around this quirk by extracting
      the SIP response port from the Via: header, iff the source IP in the
      packet header matches the source IP in the SIP request.
      Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
      Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>