[NETFILTER]: sip conntrack: better NAT handling
The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Patrick McHardy
committed by
David S. Miller
David S. Miller
parent
77a78dec48
commit
1b683b5512
@@ -6,7 +6,10 @@
|
||||
#define SIP_TIMEOUT 3600
|
||||
|
||||
enum sip_header_pos {
|
||||
POS_REQ_HEADER,
|
||||
POS_REG_REQ_URI,
|
||||
POS_REQ_URI,
|
||||
POS_FROM,
|
||||
POS_TO,
|
||||
POS_VIA,
|
||||
POS_CONTACT,
|
||||
POS_CONTENT,
|
||||
|
||||
Reference in New Issue
Block a user