Hello, I was trying to use the RTSP conntrack patch from the netfilter's patch-o-matic extra repository, and incoming stream packets were not transferred from the "wan". The previous kernel I tried was 2.6.17, and this was working. After looking further, in my setup I have two servers with two different IP addresses, one doing RTSP, and the other sending the stream. I don't know why it was working on 2.6.17 (the source ip was defined in exp->tuple like here in 2.6.23) , maybe conntrack is stricter now. The IP address of the stream server is present in the "source" parameter of the "Transport" header in the reply to the "SETUP" request (this seems to be standard, see rfc2326 §12.39). Currently, we parse the SETUP request so we can't do "the right thing" in this case because we don't have the information. I hacked a small patch to allow any source IP address, it may be useful to people with the same use case (this lowers security since anyone is then able to send the stream) :
--- 2.6.23-ori/net/netfilter/nf_conntrack_rtsp.c 2007-11-27 16:49:30.000000000 +0100
+++ 2.6.23/net/netfilter/nf_conntrack_rtsp.c 2008-01-18 09:23:28.000000000 +0100
@@ -61,6 +61,7 @@
 static int num_ports = 0;
 static int max_outstanding = 8;
 static unsigned int setup_timeout = 300;
+static int strict = 0;
 MODULE_AUTHOR("Tom Marshall <tmarshall at real.com>");
 MODULE_DESCRIPTION("RTSP connection tracking module");
@@ -71,6 +72,8 @@
 MODULE_PARM_DESC(max_outstanding, "max number of outstanding SETUP requests per RTSP session");
 module_param(setup_timeout, int, 0400);
 MODULE_PARM_DESC(setup_timeout, "timeout on for unestablished data channels");
+module_param(strict, int, 0400);
+MODULE_PARM_DESC(strict, "redirect the UDP stream only if the sender is the RTSP server");
 static char *rtsp_buffer;
 static DEFINE_SPINLOCK(rtsp_buffer_lock);
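Review bot: `static int strict = 0;` makes the relaxed, any-source behaviour the default, so every existing user of this helper silently loses the source-address check on upgrade, even though the mail itself describes the relaxation as lowering security. Defaulting to the current behaviour, `static int strict = 1;`, keeps the pinhole narrow unless an administrator opts out with `strict=0` for the split RTSP/media server deployment described here. The variable is file-scope and nothing else in this hunk depends on the value.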
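Review bot: The new `MODULE_PARM_DESC(strict, ...)` in the second hunk does not state the default or what the non-strict mode actually does, and "redirect" overstates the helper's role: the code only creates an expectation, any redirection comes from NAT rules elsewhere. A description such as `MODULE_PARM_DESC(strict, "match the expected UDP stream only from the RTSP server's address (0: any source address is accepted)")` tells an administrator exactly what they are switching off. The 0400 permission is consistent with the neighbouring `module_param(setup_timeout, int, 0400)`, so the value can only be set at load time, which is appropriate for a security knob.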
@@ -330,7 +333,8 @@
 be_loport = htons(expinfo.loport);
 nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
- &ct->tuplehash[!dir].tuple.src.u3, &ct->tuplehash[!dir].tuple.dst.u3,
+ strict ? &ct->tuplehash[!dir].tuple.src.u3 : NULL,
+ &ct->tuplehash[!dir].tuple.dst.u3,
 IPPROTO_UDP, NULL, &be_loport);
 exp->master = ct;
Reguards, -- Damien Thebault
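Review bot: Passing NULL as the source address to nf_ct_expect_init makes the expectation match UDP from any host to the client's port (the source port is already NULL on the line below), so while the expectation is outstanding — presumably up to the setup_timeout shown in the first hunk, 300 s by default — anyone who can reach that port can inject or replace the media stream; the mail acknowledges this but the code carries no trace of it. Since RFC 2326 §12.39 lets the server announce the real sender in the Transport `source=` parameter of the SETUP reply, the narrower fix is to parse that address from the reply and pass it here, falling back to the RTSP peer when it is absent, with the wildcard only as a last resort behind the module parameter. At minimum the new branch needs a comment such as `/* strict=0: accept the stream from any source address, needed when the media server differs from the RTSP server (Transport source= in the SETUP reply) */`. The enclosing function starts before and ends after this hunk.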
--- 2.6.23-ori/net/netfilter/nf_conntrack_rtsp.c 2007-11-27 16:49:30.000000000 +0100
+++ 2.6.23/net/netfilter/nf_conntrack_rtsp.c 2008-01-18 09:23:28.000000000 +0100
@@ -61,6 +61,7 @@
 static int num_ports = 0;
 static int max_outstanding = 8;
 static unsigned int setup_timeout = 300;
+static int strict = 0;
 MODULE_AUTHOR("Tom Marshall <tmarshall at real.com>");
 MODULE_DESCRIPTION("RTSP connection tracking module");
@@ -71,6 +72,8 @@
 MODULE_PARM_DESC(max_outstanding, "max number of outstanding SETUP requests per RTSP session");
 module_param(setup_timeout, int, 0400);
 MODULE_PARM_DESC(setup_timeout, "timeout on for unestablished data channels");
+module_param(strict, int, 0400);
+MODULE_PARM_DESC(strict, "redirect the UDP stream only if the sender is the RTSP server");
 static char *rtsp_buffer;
 static DEFINE_SPINLOCK(rtsp_buffer_lock);
@@ -330,7 +333,8 @@
 be_loport = htons(expinfo.loport);
 nf_ct_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
- &ct->tuplehash[!dir].tuple.src.u3, &ct->tuplehash[!dir].tuple.dst.u3,
+ strict ? &ct->tuplehash[!dir].tuple.src.u3 : NULL,
+ &ct->tuplehash[!dir].tuple.dst.u3,
 IPPROTO_UDP, NULL, &be_loport);
 exp->master = ct;
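Review bot: `module_param(strict, int, 0400)` in the second hunk accepts any integer for what is really an on/off switch, so `strict=2` or `strict=-1` silently behave as "strict" in the `strict ? ... : NULL` test of the last hunk. Declaring it as `module_param(strict, bool, 0400)` documents the intent and lets the parser accept y/n as well as 1/0; in this kernel generation the bool parser still stores into an int-sized variable as far as I recall, but confirm against include/linux/moduleparam.h before relying on it. This copy of the patch is identical to the one quoted in the mail body, so the same remarks apply.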