Re: working with libnetfilter_queue and libnetfilter_conntrack

Hello,
I appreciate your guide again.
That works great. It would be a creative method to get around the
one-way issue in VoIP networks. The new module based on this method
will be released in the Kamailio project soon.
Keep an eye out for it.
Thanks.
With regards, Mojtaba

On Wed, Jun 19, 2019 at 11:20 AM Mojtaba <mespio@xxxxxxxxx> wrote:
>
> Hello,
> Absolutely, of course; I used exactly the same way in my test case. I
> added 200 entries in libnetfilter_conntrack for 200 concurrent calls. In
> reality I have to extract the address of the media stream for both
> endpoints in the SIP proxy server, then send them to a user-space project
> on another machine over a TCP connection. Here is what I do in the
> test-case project. I have to change conntrack_create_nat.c like below:
>
> /* h (struct nfct_handle *), ct (struct nf_conntrack *) and ret are set up
>    by the surrounding conntrack_create_nat.c. One UDP entry is created per
>    call: endpoint A sends to proxy port i, the proxy sends on to B from
>    port i+2, and four ports are reserved per call. */
> int i = 10000;
> int end = 30000;
> int MAX_CALL = 200;
> int j = 10000 + (MAX_CALL*4-4);   /* last i for MAX_CALL calls */
> while (i <= j) {
>
>    nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
>    nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("192.168.133.140")); /* endpoint A */
>    nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("192.168.133.108")); /* proxy */
>
>    //nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP);
>    nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_UDP);
>    nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(6000));
>    nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(i));
>
>    /* derive the reply tuple from the original one */
>    nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
>
>    //nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_SYN_SENT);
>    nfct_set_attr_u32(ct, ATTR_TIMEOUT, 200);
>
>    /* NAT: leave the proxy from port i+2 towards endpoint B */
>    nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("192.168.133.108"));
>    nfct_set_attr_u32(ct, ATTR_DNAT_IPV4, inet_addr("192.168.133.150")); /* endpoint B */
>    nfct_set_attr_u16(ct, ATTR_SNAT_PORT, htons(i+2));
>    nfct_set_attr_u16(ct, ATTR_DNAT_PORT, htons(6000));
>
>    ret = nfct_query(h, NFCT_Q_CREATE, ct);
>    i += 4;
>    printf("TEST: create conntrack ");
>    if (ret == -1)
>       printf("(%d)(%s)\n", ret, strerror(errno));
>    else
>       printf("(OK)\n");
> }
>
> But I have to add a rule in iptables so the kernel does not add any
> conntrack entry, because as soon as the callee answers the call (receives
> the 200 OK SIP message), it will start to send its media (RTP). In this
> regard it would create the conntrack entry sooner than user-space.
> iptables -A INPUT -p udp --dport 10000:30000 -j DROP
> Is it the right table to deny adding any conntrack entry or not?
> Anyway I appreciate your guide. I was in a dilemma whether to use
> libnetfilter_conntrack or libnetfilter_queue. Thanks
> With Best Regards, Mojtaba
>
>
>
> On Tue, Jun 18, 2019 at 6:30 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Mojtaba <mespio@xxxxxxxxx> wrote:
> > > Then let me describe what I am doing.
> > > In VoIP networks, one of the ways to solve the one-way audio issue is
> > > TURN. In this case both endpoints have to send their media (voice as
> > > RTP) to the server. In these conditions the server works as a B2BUA.
> > > Because the server is processing the media (getting media from one
> > > side and relaying it to the other), it uses a lot of the server's
> > > resources. So I am implementing a new module to do this at kernel
> > > level. I tested this idea in my laboratory by adding conntrack entries
> > > manually on the server and all things work great. But I need more
> > > ideas to do this project in the best way and with high performance,
> > > because QoS is very important in VoIP networks. What is the best way?
> > > Let me know more about this.
> >
> > In that case I wonder why you need nfqueue at all.
> >
> > Isn't it enough for the proxy to inject a conntrack entry with the
> > expected endpoint addresses of the media stream?
> >
> > I would expect that your proxy consumes/reads the sdp messages from
> > the client already, or are you doing that via nfqueue?
> >
> > I would probably use tproxy+normal socket api for the signalling
> > packets and insert conntrack entries for the rtp/media streams
> > via libnetfilter_conntrack, this way, the media streams stay in kernel.
>
>
>
> --
> --Mojtaba Esfandiari.S



-- 
--Mojtaba Esfandiari.S
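Florian's suggestion (have the proxy insert the conntrack entries for the media streams) and the posted test loop together imply a small pipeline: pull each endpoint's media address out of its SDP, then turn the pair into one NATed conntrack entry per call. The following is an added example, not code from the thread or from Kamailio: the endpoint addresses and the 10000-30000 relay port range are taken from the posted loop, the SDP bodies are constructed here, and the entry is modelled as plain data rather than nfct_* calls.

```python
import re

RELAY_IP = "192.168.133.108"                            # the proxy relaying the media
PORT_BASE, PORT_END, PORTS_PER_CALL = 10000, 30000, 4   # as in the posted loop (i += 4)

# Constructed offer/answer; the answer has no session-level c= line, only a media-level one.
OFFER_SDP = ("v=0\r\no=a 1 1 IN IP4 192.168.133.140\r\ns=-\r\n"
             "c=IN IP4 192.168.133.140\r\nt=0 0\r\n"
             "m=audio 6000 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")
ANSWER_SDP = ("v=0\r\no=b 1 1 IN IP4 10.0.0.1\r\ns=-\r\nt=0 0\r\n"
              "m=audio 6000 RTP/AVP 0\r\nc=IN IP4 192.168.133.150\r\n")

def sdp_media_endpoint(sdp, media="audio"):
    """(ip, port) of the first stream of the given type; a media-level c= line
    overrides the session-level one, and port 0 means the stream was rejected."""
    session_ip, seen_media = None, False
    lines = sdp.replace("\r\n", "\n").split("\n")
    for idx, line in enumerate(lines):
        if line.startswith("m="):
            seen_media = True
        elif line.startswith("c=IN IP4 ") and not seen_media:
            session_ip = line.split()[2]          # session-level connection address
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? \S", line)
        if not m or m.group(1) != media:
            continue
        ip = session_ip
        for extra in lines[idx + 1:]:             # media-level c= overrides, until next m=
            if extra.startswith("m="):
                break
            if extra.startswith("c=IN IP4 "):
                ip = extra.split()[2]
        port = int(m.group(2))
        if ip is None or port == 0:
            raise ValueError(f"{media} stream has no address or was rejected")
        return ip, port
    raise ValueError(f"no {media} stream in SDP")

def relay_entry(call_index, offer_sdp, answer_sdp):
    """Entry for call call_index (0-based): A's RTP arriving at RELAY_IP:i leaves as
    RELAY_IP:i+2 -> B; conntrack NAT is bidirectional, so B's RTP to RELAY_IP:i+2
    is mapped back to RELAY_IP:i -> A without a second entry."""
    a_ip, a_port = sdp_media_endpoint(offer_sdp)
    b_ip, b_port = sdp_media_endpoint(answer_sdp)
    i = PORT_BASE + call_index * PORTS_PER_CALL
    if i + PORTS_PER_CALL - 1 > PORT_END:
        raise ValueError("relay port range exhausted")
    return {"proto": "udp",
            "orig": {"src": (a_ip, a_port), "dst": (RELAY_IP, i)},
            "nat": {"snat": (RELAY_IP, i + 2), "dnat": (b_ip, b_port)},
            "reply": {"src": (b_ip, b_port), "dst": (RELAY_IP, i + 2),
                      "translated_to": {"src": (RELAY_IP, i), "dst": (a_ip, a_port)}}}
```

For call_index 199 the entry lands on port 10796, which is the `j` the posted loop stops at; the fields of the returned dict map one-to-one onto the ATTR_IPV4_*/ATTR_PORT_*/ATTR_SNAT_*/ATTR_DNAT_* attributes set in that loop.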