[NETFILTER]: nf_conntrack_sip: perform NAT after parsing

Perform NAT last after parsing the packet. This makes no difference
currently, but is needed when dealing with registrations to make
sure we seen the unNATed addresses.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 5b4a5cd..b442810 100644 (file)
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -104,9 +104,6 @@ static unsigned int ip_nat_sip(struct sk_buff *skb,
        union nf_inet_addr addr;
        __be16 port;
 
-       if (*datalen < strlen("SIP/2.0"))
-               return NF_ACCEPT;
-
        /* Basic rules: requests and responses. */
        if (strnicmp(*dptr, "SIP/2.0", strlen("SIP/2.0")) != 0) {
                if (ct_sip_parse_request(ct, *dptr, *datalen,

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1be949f..29a37d2 100644 (file)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -700,6 +700,7 @@ static int sip_help(struct sk_buff *skb,
 {
        unsigned int dataoff, datalen;
        const char *dptr;
+       int ret;
        typeof(nf_nat_sip_hook) nf_nat_sip;
 
        /* No Data ? */
@@ -716,20 +717,22 @@ static int sip_help(struct sk_buff *skb,
                return NF_ACCEPT;
        }
 
-       nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
-       if (nf_nat_sip && ct->status & IPS_NAT_MASK) {
-               if (!nf_nat_sip(skb, &dptr, &datalen))
-                       return NF_DROP;
-       }
-
        datalen = skb->len - dataoff;
        if (datalen < strlen("SIP/2.0 200"))
                return NF_ACCEPT;
 
        if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0)
-               return process_sip_request(skb, &dptr, &datalen);
+               ret = process_sip_request(skb, &dptr, &datalen);
        else
-               return process_sip_response(skb, &dptr, &datalen);
+               ret = process_sip_response(skb, &dptr, &datalen);
+
+       if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
+               nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
+               if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen))
+                       ret = NF_DROP;
+       }
+
+       return ret;
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly;