Hello!

I registered sip helper like this w/ kernel 4.8.7:

    iptables -I OUTPUT -t raw -p udp -o ppp0 -s $MyInternetIP --dport 5060 --sport 5060 -j CT --helper sip

or

    iptables -I PREROUTING -t raw -p udp -i ppp0 -d $MyInternetIP --dport 5060 --sport 5060 -j CT --helper sip

Now, the rtp packets should be matched by (according to [1])

    iptables -I OUTPUT -p udp -o ppp0 -s $MyInternetIP -d 217.0.0.0/13 -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT

or the appropriate rule for incoming packets.

This is true in *most* cases, but unfortunately *not always*. There are some situations where the following rule w/o sip helper condition unexpectedly matches and *not* the above one:

    iptables -I OUTPUT -p udp -o ppp0 -s $MyInternetIP -d 217.0.0.0/13 -m conntrack --ctstate RELATED -j ACCEPT

Furthermore: This rule (e.g.)

    iptables -I INPUT 1 -p udp -i ppp0 -d $MyInternetIp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

matches *all* packets, including the packets which are matched by the --helper sip rule.

Why does iptables behave like this? From my point of view and according to the documentation, the rule w/o sip helper condition should never match (for security reasons).

How can I debug this behavior? Or is this the intended behavior and I missed something?

I would be glad if somebody could clarify this behavior.

Thanks,
Juergen.

[1] https://home.regit.org/netfilter-en/secure-use-of-helpers/