Re: [PATCH v4] netfilter: nf_conntrack_sip: add sip_external_media logic

Hi Alin,

On Fri, Feb 15, 2019 at 02:20:14PM +0100, Alin Năstac wrote:
> On Fri, Feb 15, 2019 at 1:02 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
[...]
> > On Mon, Dec 24, 2018 at 08:15:19AM +0100, Alin Nastac wrote:
> > > When enabled, the sip_external_media logic will leave the SDP
> > > payload untouched when it detects that the interface towards the INVITEd
> > > party is the same as the one towards the media endpoint.
> > >
> > > The typical scenario for this logic is when a LAN SIP agent has more
> > > than one IP address (uses a different address for media streams than
> > > the one used on signalling stream) and it also forwards calls to a
> > > voice mailbox located on the WAN side. In such case sip_direct_media
> > > must be disabled (so normal calls could be handled by the SIP
> > > helper), but media streams that are not traversing this router must
> > > also be excluded from address translation (e.g. call forwards).
> >
> > This patch got stuck in my queue right before holidays. I'm very sorry
> > about that.
> >
> > Still one more question: now that we have explicit helper assignment
> > via rule, and assuming automatic helper assignment is deprecated
> > (actually, disabled by default these days since it is insecure [1]).
> >
> > Would it be possible to skip this via explicit ruleset policy?
> 
> Parameters such as sip_direct_signalling and sip_external_media
> (the latter being implemented in this patch) are global switches.
> I guess we can implement them as sip helper parameters configurable
> through the rule that enables the helper, but I haven't yet found a
> helper that has such parameters ("-j CT --helper xxx" rules don't
> allow passing any additional helper parameters). Probably their
> values will have to be stored in the nf_ct_sip_master struct associated
> with the master conntrack.

Hm, I was wondering if we could restrict the rule that comes with "-j
CT --helper xxx" to skip these flows, but we need to inspect them to
classify them as media flows... right? Given that you check the route to
see if the media endpoint is reachable through the same interface, I'm
wondering whether it's possible to do this from the policy side. If the
helper is the only place where we can do this, that's fine too, I'm just
exploring :-).

Regarding what you mention above...

> For instance, the ftp helper uses such a global switch called loose. How
> would you propose to pass the value of this parameter in a helper
> assignment rule?

In nft, these switches won't need to be global anymore. It's not yet
implemented, but we already have a design for this. I'm going to add
this to the GSoC ideas list; we're applying this year and it can be a
good task for someone.

Anyway, that would be outside the scope of your patch, so I would
take it as is and we will find someone to revisit this to implement the
local switch idea.

Thanks!
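The decision the quoted commit message describes (leave the SDP untouched when the INVITEd party and the SDP media endpoint are reached through the same interface, otherwise let the helper rewrite it) is easy to get wrong in the direction of "skip NAT when unsure". The userspace model below is an added illustration written for this archive page, not code from the kernel helper or from the patch: it replaces the kernel's FIB lookup with a small longest-prefix-match table, handles IPv4 only, and the interface names, prefixes and addresses are constructed for the example. The one design point it shows is the safe default: anything that cannot be routed or parsed falls back to the normal NAT path rather than to the "external media" shortcut.

```c
/* Userspace model of the sip_external_media decision from the patch
 * thread. Added example; not the kernel helper's code. The routing
 * table, device names and addresses are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

struct route {
    uint32_t    prefix; /* network address, host byte order */
    uint8_t     plen;   /* prefix length */
    const char *dev;    /* egress interface */
};

/* Constructed table for a home gateway: LAN behind br-lan, WAN via "wan". */
static const struct route routes[] = {
    { 0xC0A80100u, 24, "br-lan" }, /* 192.168.1.0/24 */
    { 0x0A000000u,  8, "wan"    }, /* 10.0.0.0/8, provider network */
    { 0x00000000u,  0, "wan"    }, /* default route */
};

static bool parse_ip4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return false;
    *out = ntohl(a.s_addr);
    return true;
}

static uint32_t mask_of(uint8_t plen)
{
    return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match over the constructed table; NULL if no route. */
static const char *route_lookup(uint32_t dst)
{
    const char *best = NULL;
    int best_len = -1;
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        if ((dst & mask_of(routes[i].plen)) == routes[i].prefix &&
            (int)routes[i].plen > best_len) {
            best = routes[i].dev;
            best_len = routes[i].plen;
        }
    }
    return best;
}

/* signalling_peer: address of the INVITEd party (the SIP signalling
 * destination). media_ep: address carried in the SDP c=/m= lines.
 * Returns true when the SDP should be left untouched because both are
 * reached via the same interface (the media stream never traverses this
 * router), false when the helper should NAT the SDP as usual. Anything
 * unparsable or unroutable takes the NAT path: the conservative choice. */
bool sip_external_media_skip(const char *signalling_peer, const char *media_ep)
{
    uint32_t sig, media;
    if (!parse_ip4(signalling_peer, &sig) || !parse_ip4(media_ep, &media))
        return false;
    const char *dev_sig = route_lookup(sig);
    const char *dev_media = route_lookup(media);
    if (!dev_sig || !dev_media)
        return false;
    return strcmp(dev_sig, dev_media) == 0;
}

int main(void)
{
    /* LAN agent (media on its second LAN address) calls a WAN party:
     * interfaces differ, so the SDP must be rewritten. */
    printf("normal call: skip=%d\n",
           sip_external_media_skip("10.1.2.3", "192.168.1.21"));
    /* Call forwarded to a WAN voice mailbox, media endpoint is the WAN
     * caller: same interface, stream does not cross the router, skip NAT. */
    printf("forward to voicemail: skip=%d\n",
           sip_external_media_skip("10.1.2.3", "10.9.9.9"));
    /* Two LAN phones: media stays on br-lan, skip NAT. */
    printf("lan to lan: skip=%d\n",
           sip_external_media_skip("192.168.1.30", "192.168.1.21"));
    return 0;
}
```

Compile with `cc -o sip_ext sip_ext.c` on any Linux host; no kernel involvement. In the real helper the equivalent check runs in the kernel against the FIB for the conntrack's address family, and the ordering of the fallback matters: a lookup failure must land on the NAT path, because silently leaving a private media address in the SDP breaks the call rather than merely wasting a NAT mapping.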
