Info about SIP conntrack module...

Linux Advanced Routing and Traffic Control


My VoIP provider recently split their server pool from one server to
a pool of servers.

My iptables rules (particularly the conntracking ones) stopped working; my
rules were:

	root@vfwacpn1:~# iptables -vnL -t raw
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  118 81333 CT         udp  --  ens18  *       10.172.0.0/21        0.0.0.0/0            match-set sip.messagenet.it_a dst multiport dports 5060,5061 CT helper sip
	  [...]

where 'sip.messagenet.it_a' is a set (ipset) with the IP of sip.messagenet.it
inside.


In this way, a typical SIP session was:

 root@vfwacpn1:/etc/network# tshark -ni ens18 -f 'host 10.172.1.7'
 Running as user "root" and group "root". This could be dangerous.
 Capturing on 'ens18'
    1 0.000000000 212.97.59.76 → 10.172.1.7   UDP 46 5061 → 5061 Len=4
    2 5.175179711 92:68:28:81:1e:9e → 9a:67:e6:c4:1f:ee ARP 42 Who has 10.172.1.7? Tell 10.172.1.254
    3 5.175692973 9a:67:e6:c4:1f:ee → 92:68:28:81:1e:9e ARP 42 10.172.1.7 is at 9a:67:e6:c4:1f:ee
    4 11.790186903   10.172.1.7 → 212.97.59.76 SIP 604 Request: OPTIONS sip:sip.messagenet.it | 
    5 11.809489686 212.97.59.76 → 10.172.1.7   SIP 666 Status: 200 OK | 
    6 15.786333503 212.97.59.76 → 10.172.1.7   SIP/SDP 1326 Request: INVITE sip:202@10.172.1.7:5061 | 
    7 15.789126709   10.172.1.7 → 212.97.59.76 SIP 812 Status: 100 Trying | 
    8 15.944411484   10.172.1.7 → 212.97.59.76 SIP 828 Status: 180 Ringing | 
    9 16.910168496 9a:67:e6:c4:1f:ee → 92:68:28:81:1e:9e ARP 42 Who has 10.172.1.254? Tell 10.172.1.7
   10 16.910202553 92:68:28:81:1e:9e → 9a:67:e6:c4:1f:ee ARP 42 10.172.1.254 is at 92:68:28:81:1e:9e
   11 25.103626405 212.97.59.76 → 10.172.1.7   UDP 46 5061 → 5061 Len=4
   12 41.793771381   10.172.1.7 → 212.97.59.76 SIP 764 Request: REGISTER sip:sip.messagenet.it:5061  (1 binding) | 
   13 41.813853175 212.97.59.76 → 10.172.1.7   SIP 732 Status: 200 OK  (1 binding) | 
   14 45.926054588   10.172.1.7 → 212.97.59.76 SIP/SDP 1235 Status: 200 OK | 
   15 45.953153763 212.97.59.76 → 10.172.1.7   SIP 652 Request: ACK sip:202@10.172.1.7:5061 | 
   16 46.428107261   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27010, Time=160, Mark
   17 46.428260850 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   18 46.448437789   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27011, Time=320
   19 46.448571326 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   20 46.468450353   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27012, Time=480
   21 46.468561938 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   22 46.488464348   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27013, Time=640
   23 46.488576021 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   24 46.508439908   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27014, Time=800
   25 46.508545271 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   26 46.528491436   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27015, Time=960
   27 46.528580081 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)


Note the SIP traffic to 212.97.59.76 AKA sip.messagenet.it, and the RTP
traffic to 193.227.104.40.


I've looked at conntrack helper sip options:

	root@vfwacpn1:~# modinfo nf_conntrack_sip
	filename:       /lib/modules/4.19.0-17-amd64/kernel/net/netfilter/nf_conntrack_sip.ko
	alias:          nfct-helper-sip
	alias:          ip_conntrack_sip
	description:    SIP connection tracking helper
	author:         Christian Hentschel <chentschel@xxxxxxxxxxxx>
	[...]
	parm:           ports:port numbers of SIP servers (array of ushort)
	parm:           sip_timeout:timeout for the master SIP session (uint)
	parm:           sip_direct_signalling:expect incoming calls from registrar only (default 1) (int)
	parm:           sip_direct_media:Expect Media streams between signalling endpoints only (default 1) (int)

and it seems that 'sip_direct_signalling' and 'sip_direct_media', if
relaxed (set to 0), could be a solution.


But I've looked for some documentation on the SIP conntrack module, and found
nothing.


Does someone here have some feedback? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
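Added example (shell; not part of the original post or of the kernel sources): a small script to read and relax the two helper parameters the post identifies, persist them across reboots, and emit the filter-side rules that let the helper's expected RTP flow through. The function names and the optional directory argument (for a dry run in a scratch directory) are assumptions; the sysfs and modprobe.d paths are the standard kernel/modprobe locations.

```shell
#!/bin/sh
# Added example: manage nf_conntrack_sip's sip_direct_signalling and
# sip_direct_media. With sip_direct_media=1 (the default) the helper only
# expects RTP between the signalling endpoints, so media from a separate
# media server (193.227.104.40 vs 212.97.59.76 in the trace) gets no
# expectation and the firewall rejects it.

PARAM_DIR=${PARAM_DIR:-/sys/module/nf_conntrack_sip/parameters}

# Print "name=value" for the helper parameters found in $1 (default: live sysfs).
sip_helper_params() {
    dir=${1:-$PARAM_DIR}
    for p in sip_direct_signalling sip_direct_media sip_timeout; do
        if [ -r "$dir/$p" ]; then
            printf '%s=%s\n' "$p" "$(cat "$dir/$p")"
        fi
    done
}

# Succeed (exit 0) if media is still restricted to the signalling endpoints.
sip_media_is_strict() {
    v=$(cat "${1:-$PARAM_DIR}/sip_direct_media")
    [ "$v" != "0" ]
}

# Relax both parameters on the running kernel (they are writable, mode 0600,
# while the module is loaded; no reload needed).
sip_relax_live() {
    dir=${1:-$PARAM_DIR}
    echo 0 > "$dir/sip_direct_signalling"
    echo 0 > "$dir/sip_direct_media"
}

# Persist the options in $1 (default /etc/modprobe.d) and print the file path.
sip_write_modprobe_conf() {
    f="${1:-/etc/modprobe.d}/nf_conntrack_sip.conf"
    printf 'options nf_conntrack_sip sip_direct_signalling=0 sip_direct_media=0\n' > "$f"
    echo "$f"
}

# Filter rules that complement the raw-table CT rule from the post: accept
# only flows the sip helper expected, not every RELATED packet.
sip_filter_rules() {
    cat <<'EOF'
iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}
```

After relaxing the parameters and placing a call, `conntrack -L expect` (conntrack-tools) should list an RTP expectation for the address carried in the INVITE's SDP rather than nothing at all.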


