Hello,
Absolutely, of course, I used exactly the same way in my test-case. I added 200 entries in libnetfilter_conntrack for 200 concurrent calls. In reality I have to extract the address of the media stream for both endpoints in the SIP-Proxy server, then send them to a user-space project on another machine over a TCP connection.
Here is what I do in the test-case project. I have to change conntrack_create_nat.c like below:

    int i = 10000;
    int end = 30000;
    int MAX_CALL = 200;
    /* last destination port: one entry per call, ports 4 apart */
    int j = 10000 + (MAX_CALL*4-4);
    while(i<=j) {
        nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
        nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("192.168.133.140")); //endpoint A
        nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("192.168.133.108"));

        //nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP);
        nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_UDP);
        nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(6000));
        nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(i));

        nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);

        //nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_SYN_SENT);
        nfct_set_attr_u32(ct, ATTR_TIMEOUT, 200);

        nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("192.168.133.108"));
        nfct_set_attr_u32(ct, ATTR_DNAT_IPV4, inet_addr("192.168.133.150")); //endpoint B

        nfct_set_attr_u16(ct, ATTR_SNAT_PORT, htons(i+2));
        nfct_set_attr_u16(ct, ATTR_DNAT_PORT, htons(6000));

        ret = nfct_query(h, NFCT_Q_CREATE, ct);
        i+=4;
        printf("TEST: create conntrack ");
        if (ret == -1)
            printf("(%d)(%s)\n", ret, strerror(errno));
        else
            printf("(OK)\n");
    }

But I have to add a rule in iptables so that the kernel does not add any conntrack entry, because as soon as the callee answers the call (received 200 OK SIP message), it will start to send its media (RTP). In this regard it would create the conntrack entry sooner than user-space.

    iptables -A INPUT -p udp --dport 10000:30000 -j DROP

Is it the right table to deny adding any conntrack entry or not?
Anyway, I appreciate your guidance. I was in a dilemma whether to use libnetfilter_conntrack or libnetfilter_queue.
Thanks
With Best Regards.
Mojtaba

On Tue, Jun 18, 2019 at 6:30 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Mojtaba <mespio@xxxxxxxxx> wrote:
> > Then let me describe what I am doing.
> > In VoIP networks, one of the ways to solve the one-way audio issue is
> > TURN. In this case both endpoints have to send their media (voice as
> > RTP) to the server. In these conditions the server works as a B2BUA. Because
> > the server is processing the media (get media from one hand and
> > relay it to another hand), it uses a lot of the server's resources. So I
> > am implementing a new module to do this at kernel level. I tested this
> > idea in my laboratory by adding conntrack entries manually in the server and
> > all things work great. But I need to get more ideas to do this
> > project in the best way and with high performance, because QoS is very
> > important in VoIP networks. What is the best way? Let me know more
> > about this.
>
> In that case I wonder why you need nfqueue at all.
>
> Isn't it enough for the proxy to inject a conntrack entry with the
> expected endpoint addresses of the media stream?
>
> I would expect that your proxy consumes/reads the sdp messages from
> the client already, or are you doing that via nfqueue?
>
> I would probably use tproxy+normal socket api for the signalling
> packets and insert conntrack entries for the rtp/media streams
> via libnetfilter_conntrack, this way, the media streams stay in kernel.

--
--Mojtaba Esfandiari.S
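
Added example, not part of the thread and not libnetfilter_conntrack code: a small C model of the ordering problem the message describes, where the callee's first RTP packet is tracked before user-space injects the relay entry. It assumes a simplified table in which each entry owns both its original and its reply tuple; ct_insert, ct_first_packet and inject_relay are hypothetical names, and the addresses and ports are the ones from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): an entry owns its original and reply tuple. */
struct tuple { uint32_t src, dst; uint16_t sport, dport; };
struct entry { struct tuple orig, reply; };
enum { TABLE_MAX = 1024, MEDIA_PORT = 6000 };
/* Addresses from the message, host byte order: endpoint A, proxy, endpoint B. */
static const uint32_t EP_A = 0xC0A8858C, PROXY = 0xC0A8856C, EP_B = 0xC0A88596;
static struct entry table[TABLE_MAX];
static int table_len;

static int same(struct tuple a, struct tuple b)
{
    return a.src == b.src && a.dst == b.dst &&
           a.sport == b.sport && a.dport == b.dport;
}

/* 0 on success, -1 when either tuple is already owned by another entry
 * (the case in which NFCT_Q_CREATE would fail with EEXIST). */
static int ct_insert(struct tuple orig, struct tuple reply)
{
    for (int i = 0; i < table_len; i++)
        if (same(table[i].orig, orig) || same(table[i].reply, orig) ||
            same(table[i].orig, reply) || same(table[i].reply, reply))
            return -1;
    if (table_len == TABLE_MAX)
        return -1;
    table[table_len++] = (struct entry){ orig, reply };
    return 0;
}

/* First packet of an untracked flow: the reply tuple is the plain inverse.
 * -1 here means the packet belongs to an existing entry, so nothing is added. */
static int ct_first_packet(struct tuple p)
{
    return ct_insert(p, (struct tuple){ p.dst, p.src, p.dport, p.sport });
}

/* Relay entry: A:6000 -> proxy:port, reply tuple B:6000 -> proxy:port+2. */
static int inject_relay(uint16_t port)
{
    struct tuple orig = { EP_A, PROXY, MEDIA_PORT, port };
    struct tuple reply = { EP_B, PROXY, MEDIA_PORT, (uint16_t)(port + 2) };
    return ct_insert(orig, reply);
}

int main(void)
{
    struct tuple rtp = { EP_B, PROXY, MEDIA_PORT, 10002 }; /* callee RTP first */
    printf("kernel entry: %d\n", ct_first_packet(rtp));
    printf("relay inject: %d\n", inject_relay(10000));
    return 0;
}
```

In this model the early RTP packet takes the tuple B:6000 -> proxy:10002, which is the reply tuple the relay entry needs, so the later injection for port 10000 is refused.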