Re: conntrack_sip bug

["Andrew O. Zhukov" <andre@xxxxxxxxxxxxxxxx>]

Patrick McHardy пишет:
> Andrew O. Zhukov wrote:
> > No answers from netfilter list.
> >
> > I can exactly show the point where how this bug appeared include dumps 
> > from all points.
> >
> >
> > Andrew O. Zhukov пишет:
> > > Кernel 2.6.25.14-69.fc8
> > > iptables-1.4.1.1-1.fc8.x86_64.rpm
> > >
> > > followed trouble:
> > >
> > > SIP gw                  Fedora               SipProxy      Аsterisk
> > > 192.168.2.24   192.168.2.1 666.666.34.46  555.555.184.13  555.555.184.13
> > >
> > > Sip proxy without RTP proxy for not nat cusomers. It considetate SIP 
> > > GW as 666.666.34.46 and do not switch on RTP proxy.
> > >
> > > call from SIP GW to Asterisk. Dump from Fedorа:
> > >
> > > U 2009/03/05 21:00:11.899191 555.555.184.13:5060 -> 192.168.2.24:5060
> > >   SIP/2.0 183 Session Progress..Via: SIP/2.0/UDP 
> > > 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..From: 
> > > "212ua1" <sip
> > >   :101563@xxxxxxx>;tag=66346232..To: 
> > > <sip:2292694@xxxxxxx>;tag=as41f52f95..Call-ID: 
> > > 1295544592-5060-4@xxxxxxxxxxxxxx
> > > .....
> > > ..Contact: <sip:2292694@xxxxxxxxxxxxx>..Content-Type: 
> > > application/sdp..Content-Length: 263....v=0..o=root 277
> > >   97 27797 IN IP4 ___555.555.184.2_____..s=session..c=IN IP4 ___555.555.184.2_____..t=0

It's the real address of rtp stream

> > > ---
> > > 180 Ringing without sdp
> > > ---
> > >
> > > U 2009/03/05 21:00:20.753646 555.555.184.13:5060 -> 192.168.2.24:5060
> > >   SIP/2.0 200 OK..Via: SIP/2.0/UDP 
> > > 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..Record-Route: 
> > > <sip:555.555.184.13;
> > >   lr=on;ftag=66346232>..From: "212ua1" 
> > > <sip:101563@xxxxxxx>;tag=66346232..To: 
> > > <sip:2292694@xxxxxxx>;tag=as41f52f95..C
> > >   all-ID: 1295544592-5060-4@xxxxxxxxxxxxxxxxxx: 31 
> > > INVITE..User-Agent: Telegroup Ukraine..Allow: INVITE, ACK, CANCEL, OPTIO
> > >   NS, BYE, REFER, SUBSCRIBE, NOTIFY..Supported: replaces..Contact: 
> > > <sip:2292694@xxxxxxxxxxxxx>..Content-Type: application/sd
> > >   p..Content-Length: 265....v=0..o=root 27797 27798 IN IP4 
> > > ______555.555.184.13___________..s=session..c=IN IP4 ___________555.555.184.13_________..t=0 0..m=audio

Here !!! You try to fix this packet. As the result inside GW send RTP to
555.555.184.13 instead  555.555.184.2

> > >    29444 RTP/AVP 18 101..a=rtpmap:18 G729/8000..a=fmtp:18 
> > > annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-16..a=
> > >   silenceSupp:off - - - -..a=ptime:20..a=sendrecv..
> > >
> > > in the "OK" message Аsterisk ip addresses in SDP changed to the ip 
> > > addresses of SipProxy by sip_conntrack. I can provide DUMP from the 
> > > SipProxy and the complete set of dumps for developers.
> > >
> > > Thanks in advance.
>
> There's a lot of addresses in there :) Could you please point to the
> exact header which got rewritten incorrectly?

I even find it in sources several minutes before send this post.

Look at nf_conntrack_sip.c
after comments
/* RTP info only in some SDP pkts */

You change SDP in outgoing and incoming packets. However, you have to do 
it only for outgoing. Otherwise, like in this example You'll have a 
trouble with RTP in connecttion over SIP Proxy without RTP Proxy.


> Also, please post the module parameters you're using when loading the
> SIP conntrack/NAT modules.

Actually I do not load this module. It's default Fedora 8 package.
Even if I unload module using rmod , modprobe -r etc.. it continue
break packets... :(

> --
> To unsubscribe from this list: send the line "unsubscribe 
> netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


--
Andrew O. Zhukov
Telegroup Ukraine
Technical director.
Phone 380-44-2308228
Cell 380-67-4017256
Fax 380-44-2386027
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html