[netfilter-cvslog] r3842 - in trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11: include/linux/netfilter_ipv4 net/ipv4/netfilter

laforge at netfilter.org laforge at netfilter.org
Sun Apr 10 20:49:19 CEST 2005


Author: laforge at netfilter.org
Date: 2005-04-10 20:49:18 +0200 (Sun, 10 Apr 2005)
New Revision: 3842

Removed:
   trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3
Modified:
   trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_h323.h
   trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323.c
   trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_h323.c
Log:
incomplete 2.6.11 port.  Compiles, but is definitely non-functional, at least
for the NAT case.
TODO:
- add second hook for non-expect packets to conntrack helpers
- call h323_signal_address_fixup() from new conntrack hook
- correctly call ct and nat expectfn's


Deleted: trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3
===================================================================
--- trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3	2005-04-10 18:25:34 UTC (rev 3841)
+++ trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack.h.ladd_3	2005-04-10 18:49:18 UTC (rev 3842)
@@ -1,2 +0,0 @@
-	/* insert conntrack helper private data (expect) here */
-	struct ip_ct_h225_expect exp_h225_info;

Modified: trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_h323.h
===================================================================
--- trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_h323.h	2005-04-10 18:25:34 UTC (rev 3841)
+++ trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/include/linux/netfilter_ipv4/ip_conntrack_h323.h	2005-04-10 18:49:18 UTC (rev 3842)
@@ -28,4 +28,12 @@
 #endif
 };
 
+struct ip_conntrack;
+struct ip_conntrack_expect;
+extern unsigned int (*ip_nat_h225_exp_hook)(struct ip_conntrack *ct,
+					    struct sk_buff **pskb, 
+					    enum ip_conntrack_info ctinfo,
+					    struct ip_ct_h225_expect *exp_info,
+					    struct ip_conntrack_expect *exp);
+
 #endif /* _IP_CONNTRACK_H323_H */
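Review bot: The hook declaration has no comment describing its contract, which both modules now depend on. From the callers in this commit it returns a netfilter verdict (`NF_ACCEPT`/`NF_DROP`) and takes over `exp`: the implementation either registers it with `ip_conntrack_expect_related()` or releases it with `ip_conntrack_expect_free()`. I would add a one-line comment above the declaration, e.g. `/* NAT hook: NULL unless ip_nat_h323 is loaded; returns NF_* verdict and consumes exp */`.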

Modified: trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323.c
===================================================================
--- trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323.c	2005-04-10 18:25:34 UTC (rev 3841)
+++ trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_h323.c	2005-04-10 18:49:18 UTC (rev 3842)
@@ -2,6 +2,7 @@
  * H.323 'brute force' extension for H.323 connection tracking.
  * Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
  * (c) 2005 Max Kellermann <max at duempel.org>
+ * (c) 2005 Harald Welte <laforge at netfilter.org>
  *
  * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
  * (http://www.coritel.it/projects/sofia/nat/)
@@ -31,9 +32,13 @@
 static char h323_buffer[65536];
 static DECLARE_LOCK(h323_buffer_lock);
 
-DECLARE_LOCK(ip_h323_lock);
 struct module *ip_conntrack_h323 = THIS_MODULE;
 
+static unsigned int (*ip_nat_h225_exp_hook)(struct ip_conntrack *ct,
+					    struct sk_buff **pskb, 
+					    enum ip_conntrack_info ctinfo,
+					    struct ip_ct_h225_expect *exp_info,
+					    struct ip_conntrack_expect *exp);
 #if 0
 #define DEBUGP printk
 #else
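Review bot: The hook pointer is defined `static` here, while ip_conntrack_h323.h in this same commit declares it `extern` and ip_nat_h323.c assigns to it in `init()`. With internal linkage and no export, the NAT module cannot resolve the symbol, and if this file includes the header the two declarations conflict. Dropping `static` and adding `EXPORT_SYMBOL_GPL(ip_nat_h225_exp_hook);` after the definition would make the linkage match the header.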
@@ -41,11 +46,11 @@
 #endif
 
 /* FIXME: This should be in userspace.  Later. */
-static int h245_help(struct sk_buff *skb,
+static int h245_help(struct sk_buff **pskb,
 		     struct ip_conntrack *ct,
 		     enum ip_conntrack_info ctinfo)
 {
-	struct iphdr *iph = skb->nh.iph;
+	struct iphdr *iph = (*pskb)->nh.iph;
 	struct tcphdr _tcph, *tcph;
 	unsigned char *data;
 	unsigned char *data_limit;
@@ -53,7 +58,7 @@
 	int dir = CTINFO2DIR(ctinfo);
 	struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
 	struct ip_conntrack_expect *exp;
-	struct ip_ct_h225_expect *exp_info;
+	struct ip_ct_h225_expect _h225e, *exp_info = &_h225e;
 	u_int16_t data_port;
 	u_int32_t data_ip;
 	unsigned int i;
@@ -66,7 +71,7 @@
 		return NF_ACCEPT;
 	}
 
-	tcph = skb_header_pointer(skb, skb->nh.iph->ihl*4,
+	tcph = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
 				  sizeof(_tcph), &_tcph);
 	if (tcph == NULL)
 		return NF_ACCEPT;
@@ -75,16 +80,16 @@
 		NIPQUAD(iph->saddr), ntohs(tcph->source),
 		NIPQUAD(iph->daddr), ntohs(tcph->dest));
 
-	dataoff = skb->nh.iph->ihl*4 + tcph->doff*4;
+	dataoff = (*pskb)->nh.iph->ihl*4 + tcph->doff*4;
 	/* No data? */
-	if (dataoff >= skb->len) {
-		DEBUGP("ct_h245_help: skblen = %u\n", skb->len);
+	if (dataoff >= (*pskb)->len) {
+		DEBUGP("ct_h245_help: skblen = %u\n", (*pskb)->len);
 		return NF_ACCEPT;
 	}
-	datalen = skb->len - dataoff;
+	datalen = (*pskb)->len - dataoff;
 
 	LOCK_BH(&h323_buffer_lock);
-	data = skb_header_pointer(skb, dataoff,
+	data = skb_header_pointer(*pskb, dataoff,
 				  datalen, h323_buffer);
 	BUG_ON(data == NULL);
 
@@ -107,16 +112,11 @@
 				goto out;
 			}
 
-			exp_info = &exp->help.exp_h225_info;
-
-			LOCK_BH(&ip_h323_lock);
 			info->is_h225 = H225_PORT + 1;
 			exp_info->port = data_port;
 			exp_info->dir = dir;
 			exp_info->offset = i;
 
-			exp->seq = ntohl(tcph->seq) + i;
-
 			exp->tuple = ((struct ip_conntrack_tuple)
 				{ { ct->tuplehash[!dir].tuple.src.ip,
 				    { 0 } },
@@ -125,14 +125,23 @@
 				    IPPROTO_UDP }});
 			exp->mask = ((struct ip_conntrack_tuple)
 				{ { 0xFFFFFFFF, { 0 } },
-				  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }});
+				  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
 
 			exp->expectfn = NULL;
 
-			/* Ignore failure; should only happen with NAT */
-			ip_conntrack_expect_related(exp, ct);
+			if (ip_nat_h225_exp_hook)
+				ret = ip_nat_h225_exp_hook(ct, pskb, 
+						ctinfo, exp_info, exp);
+			else {
+				if (ip_conntrack_expect_related(exp)) {
+					ip_conntrack_expect_free(exp);
+					ret = NF_DROP;
+				} else {
+					ret = NF_ACCEPT;
 
-			UNLOCK_BH(&ip_h323_lock);
+					DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n", NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), NIPQUAD(iph->saddr), ntohs(data_port));
+				}
+			}
 		}
 	}
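Review bot: After `ip_nat_h225_exp_hook()` returns, `iph`, `tcph` and `data` may no longer be valid, because the hook ends in `ip_nat_mangle_tcp_packet(pskb, ...)` (see h323_data_fixup in ip_nat_h323.c), which takes `pskb` so that it can replace the skb. The scan loop enclosing this branch starts and ends outside the hunk; if it keeps iterating after a match, it compares against `iph->saddr` and reads `data` from the pre-mangle packet, and a later match can overwrite an earlier `NF_DROP` in `ret`. Leaving the loop once the hook has run, e.g. `goto out;` directly after the `ret = ip_nat_h225_exp_hook(...)` call, avoids both. The same applies to the identical call in h225_help further down.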
 
@@ -145,31 +154,29 @@
 /* H.245 helper is not registered! */
 static struct ip_conntrack_helper h245 = {
 	.name = "H.245",
-	.flags = IP_CT_HELPER_F_REUSE_EXPECT,
 	.max_expected = 8,
 	.timeout = 240,
 	.tuple = { .dst = { .protonum = IPPROTO_TCP } },
 	.mask = { .src = { .u = { 0xFFFF } },
-		  .dst = { .protonum = 0xFFFF } },
+		  .dst = { .protonum = 0xFF } },
 	.help = h245_help
 };
 
-static int h225_expect(struct ip_conntrack *ct)
+static void h225_expect(struct ip_conntrack *ct,
+			struct ip_conntrack_expect *exp)
 {
 	WRITE_LOCK(&ip_conntrack_lock);
 	ct->helper = &h245;
 	DEBUGP("h225_expect: helper for %p added\n", ct);
 	WRITE_UNLOCK(&ip_conntrack_lock);
-
-	return NF_ACCEPT;	/* unused */
 }
 
 /* FIXME: This should be in userspace.  Later. */
-static int h225_help(struct sk_buff *skb,
+static int h225_help(struct sk_buff **pskb,
 		     struct ip_conntrack *ct,
 		     enum ip_conntrack_info ctinfo)
 {
-	struct iphdr *iph = skb->nh.iph;
+	struct iphdr *iph = (*pskb)->nh.iph;
 	struct tcphdr _tcph, *tcph;
 	unsigned char *data;
 	unsigned char *data_limit;
@@ -177,7 +184,7 @@
 	int dir = CTINFO2DIR(ctinfo);
 	struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
 	struct ip_conntrack_expect *exp;
-	struct ip_ct_h225_expect *exp_info;
+	struct ip_ct_h225_expect _h225e, *exp_info = &_h225e;
 	u_int16_t data_port;
 	u_int32_t data_ip;
 	unsigned int i;
@@ -190,7 +197,7 @@
 		return NF_ACCEPT;
 	}
 
-	tcph = skb_header_pointer(skb, skb->nh.iph->ihl*4,
+	tcph = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
 				  sizeof(_tcph), &_tcph);
 	if (tcph == NULL)
 		return NF_ACCEPT;
@@ -199,16 +206,16 @@
 		NIPQUAD(iph->saddr), ntohs(tcph->source),
 		NIPQUAD(iph->daddr), ntohs(tcph->dest));
 
-	dataoff = skb->nh.iph->ihl*4 + tcph->doff*4;
+	dataoff = (*pskb)->nh.iph->ihl*4 + tcph->doff*4;
 	/* No data? */
-	if (dataoff >= skb->len) {
-		DEBUGP("ct_h225_help: skblen = %u\n", skb->len);
+	if (dataoff >= (*pskb)->len) {
+		DEBUGP("ct_h225_help: skblen = %u\n", (*pskb)->len);
 		return NF_ACCEPT;
 	}
-	datalen = skb->len - dataoff;
+	datalen = (*pskb)->len - dataoff;
 
 	LOCK_BH(&h323_buffer_lock);
-	data = skb_header_pointer(skb, dataoff,
+	data = skb_header_pointer(*pskb, dataoff,
 				  datalen, h323_buffer);
 	BUG_ON(data == NULL);
 
@@ -223,14 +230,13 @@
 				/* Signal address */
 				DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n",
 					NIPQUAD(iph->saddr));
-				/* Update the H.225 info so that NAT can mangle the address/port
-				   even when we have no expected connection! */
+				/* Update the H.225 info so that NAT can mangle
+				 * the address/port even when we have no
+				 * expected connection! */
 #ifdef CONFIG_IP_NF_NAT_NEEDED
-				LOCK_BH(&ip_h323_lock);
 				info->dir = dir;
 				info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i;
 				info->offset[IP_CT_DIR_ORIGINAL] = i;
-				UNLOCK_BH(&ip_h323_lock);
 #endif
 			} else {
 				/* update the H.225 info */
@@ -240,16 +246,11 @@
 					goto out;
 				}
 
-				exp_info = &exp->help.exp_h225_info;
-
-				LOCK_BH(&ip_h323_lock);
 				info->is_h225 = H225_PORT;
 				exp_info->port = data_port;
 				exp_info->dir = dir;
 				exp_info->offset = i;
 
-				exp->seq = ntohl(tcph->seq) + i;
-
 				exp->tuple = ((struct ip_conntrack_tuple)
 					{ { ct->tuplehash[!dir].tuple.src.ip,
 					    { 0 } },
@@ -258,18 +259,23 @@
 					    IPPROTO_TCP }});
 				exp->mask = ((struct ip_conntrack_tuple)
 					{ { 0xFFFFFFFF, { 0 } },
-					  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }});
+					  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
 
 				exp->expectfn = h225_expect;
 
-				/* Ignore failure */
-				ip_conntrack_expect_related(exp, ct);
+				if (ip_nat_h225_exp_hook)
+					ret = ip_nat_h225_exp_hook(ct, pskb, 
+							ctinfo, exp_info, exp);
+				else {
+					if (ip_conntrack_expect_related(exp)) {
+						ip_conntrack_expect_free(exp);
+						ret = NF_DROP;
+					} else {
+						ret = NF_ACCEPT;
 
-				DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n",
-					NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
-					NIPQUAD(iph->saddr), ntohs(data_port));
-
-				UNLOCK_BH(&ip_h323_lock);
+						DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n", NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), NIPQUAD(iph->saddr), ntohs(data_port));
+					}
+				}
 			}
 #ifdef CONFIG_IP_NF_NAT_NEEDED
 		} else if (data_ip == iph->daddr) {
@@ -278,13 +284,12 @@
 				/* Signal address */
 				DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n",
 					NIPQUAD(iph->daddr));
-				/* Update the H.225 info so that NAT can mangle the address/port
-				   even when we have no expected connection! */
-				LOCK_BH(&ip_h323_lock);
+				/* Update the H.225 info so that NAT can mangle
+				 * the address/port even when we have no
+				 * expected connection! */
 				info->dir = dir;
 				info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i;
 				info->offset[IP_CT_DIR_REPLY] = i;
-				UNLOCK_BH(&ip_h323_lock);
 			}
 #endif
 		}
@@ -298,14 +303,13 @@
 
 static struct ip_conntrack_helper h225 = {
 	.name = "H.225",
-	.flags = IP_CT_HELPER_F_REUSE_EXPECT,
 	.me = THIS_MODULE,
 	.max_expected = 2,
 	.timeout = 240,
 	.tuple = { .src = { .u = { __constant_htons(H225_PORT) } },
 		   .dst = { .protonum = IPPROTO_TCP } },
 	.mask = { .src = { .u = { 0xFFFF } },
-		  .dst = { .protonum = 0xFFFF } },
+		  .dst = { .protonum = 0xFF } },
 	.help = h225_help
 };
 
@@ -320,9 +324,5 @@
 	ip_conntrack_helper_unregister(&h225);
 }
 
-EXPORT_SYMBOL(ip_h323_lock);
-
-PROVIDES_CONNTRACK(h225);
-PROVIDES_CONNTRACK(h245);
 module_init(init);
 module_exit(fini);

Modified: trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_h323.c
===================================================================
--- trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_h323.c	2005-04-10 18:25:34 UTC (rev 3841)
+++ trunk/patch-o-matic-ng/h323-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_h323.c	2005-04-10 18:49:18 UTC (rev 3842)
@@ -28,8 +28,6 @@
 MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
 MODULE_LICENSE("GPL");
 
-DECLARE_LOCK_EXTERN(ip_h323_lock);
-struct module *ip_nat_h323 = THIS_MODULE;
 
 #if 0
 #define DEBUGP printk
@@ -52,19 +50,6 @@
 				  unsigned int hooknum,
 				  struct sk_buff **pskb);
 
-static struct ip_nat_helper h245 = {
-	.list = { NULL, NULL },
-	.name = "H.245",
-	.flags = 0,
-	.me = THIS_MODULE,
-	.tuple = { { 0, { 0 } },
-		   { 0, { 0 }, IPPROTO_TCP } },
-	.mask = { { 0, { 0xFFFF } },
-		  { 0, { 0 }, 0xFFFF } },
-	.help = h225_nat_help,
-	.expect = h225_nat_expected
-};
-
 static unsigned int
 h225_nat_expected(struct sk_buff **pskb,
 		  unsigned int hooknum,
@@ -85,10 +70,9 @@
 	IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum))));
 
 	DEBUGP("h225_nat_expected: We have a connection!\n");
-	master_info = &ct->master->expectant->help.ct_h225_info;
-	exp_info = &ct->master->help.exp_h225_info;
+	master_info = &ct->master->help.ct_h225_info;
+	//exp_info = &ct->master->help.exp_h225_info;
 
-	LOCK_BH(&ip_h323_lock);
 
 	DEBUGP("master: ");
 	DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
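Review bot: `exp_info` is left unassigned by commenting out its initialisation here, yet the next hunk keeps `port = exp_info->port;` as context, so h225_nat_expected would dereference an uninitialised pointer if it is ever called. Its declaration is outside the hunk, so this assumes there is no initialiser there. Since the commit log lists the expectfn wiring as TODO, it would be safer to compile the function out or return early until the port has a valid source, with a comment such as `/* FIXME: exp_info has no backing storage since exp->help was removed */`. The `//` comment style also differs from the `/* */` used in the rest of the file.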
@@ -110,7 +94,6 @@
 	}
 	port = exp_info->port;
 	is_h225 = master_info->is_h225 == H225_PORT;
-	UNLOCK_BH(&ip_h323_lock);
 
 	if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC)
 		newip = newsrcip;
@@ -137,7 +120,7 @@
 	if (is_h225) {
 		DEBUGP("h225_nat_expected: H.225, setting NAT helper for %p\n", ct);
 		/* NAT expectfn called with ip_nat_lock write-locked */
-		info->helper = &h245;
+		// FIXME: info->helper = &h245;
 	}
 	return ret;
 }
@@ -164,8 +147,6 @@
 	tcplen = (*pskb)->len - iph->ihl * 4;
 	datalen = tcplen - tcph->doff * 4;
 
-	MUST_BE_LOCKED(&ip_h323_lock);
-
 	DEBUGP("h323_signal_address_fixup: %s %s\n",
 		between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
 			? "yes" : "no",
@@ -223,10 +204,10 @@
 	return 1;
 }
 
-static int h323_data_fixup(struct ip_ct_h225_expect *info,
-			   struct ip_conntrack *ct,
+static unsigned int h323_data_fixup(struct ip_conntrack *ct,
 			   struct sk_buff **pskb,
 			   enum ip_conntrack_info ctinfo,
+			   struct ip_ct_h225_expect *info,
 			   struct ip_conntrack_expect *expect)
 {
 	struct {
@@ -247,23 +228,10 @@
 
 	tcplen = (*pskb)->len - iph->ihl * 4;
 
-	MUST_BE_LOCKED(&ip_h323_lock);
 	DEBUGP("h323_data_fixup: offset %u + 6 in %u\n", info->offset, tcplen);
 	DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
 	DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
 
-	if (!between(expect->seq + 6, ntohl(tcph->seq),
-		    ntohl(tcph->seq) + tcplen - tcph->doff * 4)) {
-		/* Partial retransmisison. It's a cracker being funky. */
-		if (net_ratelimit()) {
-			printk("H.323_NAT: partial packet %u/6 in %u/%u\n",
-			     expect->seq,
-			     ntohl(tcph->seq),
-			     ntohl(tcph->seq) + tcplen - tcph->doff * 4);
-		}
-		return 0;
-	}
-
 	/* Change address inside packet to match way we're mapping
 	   this connection. */
 	if (info->dir == IP_CT_DIR_REPLY) {
@@ -291,114 +259,72 @@
 	}
 
 	/* Try to get same port: if not, try to change it. */
-	for (newdata.port = ntohs(info->port); newdata.port != 0; newdata.port++) {
+	for (newdata.port = ntohs(info->port); newdata.port != 0; 
+	     newdata.port++) {
 		if (is_h225)
-			newtuple.dst.u.tcp.port = htons(newdata.port);
+			expect->tuple.dst.u.tcp.port = htons(newdata.port);
 		else
-			newtuple.dst.u.udp.port = htons(newdata.port);
+			expect->tuple.dst.u.udp.port = htons(newdata.port);
 
-		if (ip_conntrack_change_expect(expect, &newtuple) == 0)
+		if (ip_conntrack_expect_related(expect) == 0)
 			break;
 	}
 	if (newdata.port == 0) {
 		DEBUGP("h323_data_fixup: no free port found!\n");
-		return 0;
+		ip_conntrack_expect_free(expect);
+		return NF_DROP;
 	}
 
 	newdata.port = htons(newdata.port);
 
 	/* Modify the packet */
 	ret = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
-				       expect->seq - ntohl(tcph->seq),
+				       info->offset,
 				       sizeof(newdata),
 				       (const char*)&newdata, sizeof(newdata));
-	if (!ret)
-		return 0;
+	if (!ret) {
+		ip_conntrack_unexpect_related(expect);
+		return NF_DROP;
+	}
 
-	return 1;
+	return NF_ACCEPT;
 }
 
+#if 0
 static unsigned int h225_nat_help(struct ip_conntrack *ct,
+				  struct sk_buff **pskb,
 				  struct ip_conntrack_expect *exp,
-				  struct ip_nat_info *info,
-				  enum ip_conntrack_info ctinfo,
-				  unsigned int hooknum,
-				  struct sk_buff **pskb)
+				  struct ip_ct_h225_expect *exp_info,
+				  enum ip_conntrack_info ctinfo)
+				  
 {
-	int dir;
-	struct ip_ct_h225_expect *exp_info;
-
-	/* Only mangle things once: original direction in POST_ROUTING
-	   and reply direction on PRE_ROUTING. */
-	dir = CTINFO2DIR(ctinfo);
-	DEBUGP("nat_h323: dir %s at hook %s\n",
-	       dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
-	       hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
-	       : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
-	       : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
-	if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
-	      || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
-		DEBUGP("nat_h323: Not touching dir %s at hook %s\n",
-		       dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
-		       hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
-		       : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
-		       : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
-		return NF_ACCEPT;
-	}
-
 	if (!exp) {
-		LOCK_BH(&ip_h323_lock);
 		if (!h323_signal_address_fixup(ct, pskb, ctinfo)) {
-			UNLOCK_BH(&ip_h323_lock);
 			return NF_DROP;
 		}
-		UNLOCK_BH(&ip_h323_lock);
 		return NF_ACCEPT;
 	}
 
-	exp_info = &exp->help.exp_h225_info;
-
-	LOCK_BH(&ip_h323_lock);
 	if (!h323_data_fixup(exp_info, ct, pskb, ctinfo, exp)) {
-		UNLOCK_BH(&ip_h323_lock);
 		return NF_DROP;
 	}
-	UNLOCK_BH(&ip_h323_lock);
 
 	return NF_ACCEPT;
 }
+#endif
 
-static struct ip_nat_helper h225 = {
-	.list = { NULL, NULL },
-	.name = "H.225",
-	.flags = IP_NAT_HELPER_F_ALWAYS,
-	.me = THIS_MODULE,
-	.tuple = { { 0, { .tcp = { __constant_htons(H225_PORT) } } },
-		   { 0, { 0 }, IPPROTO_TCP } },
-	.mask = { { 0, { .tcp = { 0xFFFF } } },
-		  { 0, { 0 }, 0xFFFF } },
-	.help = h225_nat_help,
-	.expect = h225_nat_expected
-};
-
 static int __init init(void)
 {
-	int ret;
+	BUG_ON(ip_nat_h225_exp_hook);
+	ip_nat_h225_exp_hook = &h323_data_fixup;
 
-	ret = ip_nat_helper_register(&h225);
-
-	if (ret != 0)
-		printk("ip_nat_h323: cannot initialize the module!\n");
-
-	return ret;
+	return 0;
 }
 
 static void __exit fini(void)
 {
-	ip_nat_helper_unregister(&h225);
+	ip_nat_h225_exp_hook = NULL;
 }
 
-NEEDS_CONNTRACK(h225);
-NEEDS_CONNTRACK(h245);
 module_init(init);
 module_exit(fini);



