On Thu, 9 Aug 2012, Eric W. Biederman wrote:

> kaber@xxxxxxxxx writes:
>
>> The following patches contain an updated version of IPv6 NAT against
>> Linus' current tree.
>>
>> The series is organized as follows:
>>
>> - Patches 01-03 contain bugfixes for SIP helper bugs/regressions
>>   present in the current kernel
>
> Why not just delete this code? The current best practices are to
> disable ALGs for SIP. To the point in some circles people recommend
> running SIP over TLS to avoid over helpful NAT ALGs.

And where can I read up on these best practices and how well they work?

In any case, these patches are all for the connection tracking helper,
which is needed unless you want to open up your firewall for every
possible RTP source, in which case you can simply disable it. Some people
are also using it to prioritize RTP streams without any filtering.

Also, even if the NAT helper would not mangle packets, it is still needed
to adjust expectations, so incoming connections can go to the correct
destination. That is, direct RTP connections between two endpoints
that didn't have any direct signalling communication before.

You can of course also proxy everything through your SIP provider
(including internal calls) and/or use STUN (which is unreliable under
Linux). I prefer not to.
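
Added example (not part of the original thread, and not the kernel's SIP helper code): a simplified user-space model of the expectation mechanism the reply describes, where the media address and port announced in the SDP become the only inbound flow that is accepted, and with NAT the expectation matches the external address while keeping the internal destination. The struct, the function names, the addresses and the SDP body are constructed for illustration, and the model assumes the external port equals the announced port.

```c
#include <stdio.h>
#include <string.h>
struct expectation {          /* one media flow announced by signalling */
    char     match_ip[16];    /* address inbound RTP is addressed to */
    char     deliver_ip[16];  /* endpoint named in the SDP "c=" line */
    unsigned port;            /* port named in the SDP "m=audio" line */
    int      valid;
};

/* Constructed SDP body, as an internal phone would send in an INVITE. */
static const char SAMPLE_SDP[] =
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n";

/* nat_ip: gateway's external address, NULL without NAT. Returns 1 on success. */
int expect_from_sdp(const char *sdp, const char *nat_ip, struct expectation *exp)
{
    int have_ip = 0, have_port = 0;
    memset(exp, 0, sizeof(*exp));
    for (const char *p = sdp; p && *p; ) {      /* one SDP line per pass */
        if (sscanf(p, "c=IN IP4 %15[0-9.]", exp->deliver_ip) == 1)
            have_ip = 1;
        else if (sscanf(p, "m=audio %u RTP/AVP", &exp->port) == 1)
            have_port = 1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    /* Behind NAT the peer sends to the external address, so match on that. */
    snprintf(exp->match_ip, sizeof(exp->match_ip), "%s", nat_ip ? nat_ip : exp->deliver_ip);
    exp->valid = have_ip && have_port && exp->port > 0 && exp->port < 65536;
    return exp->valid;
}

/* Internal destination for a matching (RELATED) inbound packet, else NULL (drop). */
const char *related_destination(const struct expectation *exp, const char *dst_ip, unsigned dst_port)
{
    if (exp->valid && dst_port == exp->port && strcmp(dst_ip, exp->match_ip) == 0)
        return exp->deliver_ip;
    return NULL;
}

int main(void)
{
    struct expectation e;
    expect_from_sdp(SAMPLE_SDP, "203.0.113.5", &e);   /* constructed NAT address */
    const char *d = related_destination(&e, "203.0.113.5", 49170);
    printf("203.0.113.5:49170 -> %s\n", d ? d : "DROP");
    return 0;
}
```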