First off, you are undoubtedly correct that I did not interpret what you were saying correctly. But it is pointless to call me names. Everyone here already knows that you know more about netfilter than I do; there is no point in using inflammatory language to make clear what was already known.

I see now that there are two pairs of expectations set up (I only noticed one before), and the current option controls both. My intention was to control only one of them, but that's not what the patch I suggested would accomplish. I was thus wrong, ignorant, and incorrect. Surprised? I'm not.

My intuition suggests that the ideal compromise is to split the sip_direct_media option into two options, one controlling the incoming media stream and the other controlling the outgoing media stream. This could work well because it is very rare for the internal host to be a pure SIP proxy (it is usually a client, no?) and it is very common for the external host to be a pure SIP proxy (such as a telco). It provides the possibility to allow arbitrary standard-conforming behavior by remote peers without exposing any host on the internal network that doesn't actually originate SIP packets.

I'm obviously going to have to learn more about how expectations are converted into actual port forwarding assignments before I will be able to make a more concrete recommendation. Any comments are welcome as I embark on this quest. Expect a patch in a couple days.

- Greg

p.s., "troll" indicates a specific intention that does not apply here. Perhaps you meant "ignoramus"?