On Wed, Jul 01, 2009 at 02:03:40PM +0200, Patrick McHardy wrote: >> I have some problems understanding nf_conntrack_sip. I want to >> use it avoid having static entries for the rtp stream, as IMHO >> those should be catched by a RELATED rules when nf_conntrack_sip >> works properly. >> >> I have a machine with a pppoe interface connected to the >> internet, with asterisk running on it, and a small local network >> behind it on eth1, where I want to force sip traffic going >> through the local asterisk. >> >> Unfortunately it doesn't work as expected. I use vanilla kernel >> 2.6.30. My iptable rules that do not work look like this: >> >> Maybe I am missing something obvious, but I'd appreciate a hint. >> (yes, nf_conntrack_sip is loaded) > > Depending on how your SIP provider works, you might need to set the > sip_direct_signalling option to zero (in case signalling connections > can arrive from different addresses than the one registered with), > additionally you might need to set the sip_direct_media option to > 0 in case the RTP streams arrive from different addresses than the > signalling endpoint. I tried this. Actually, it makes things worse. Now Asterisk complains: [Jul 1 16:17:46] WARNING[20516]: chan_sip.c:1787 __sip_xmit: sip_xmit of 0x86f8de0 (len 384) to 217.10.79.9:5060 returned -1: Operation not permitted (Trying to register with sipgate.de; registration in parallel with tel.lu seems to work) nf_conntrack_sip without options on a trial incoming call however gives: # conntrack -E expect 180 proto=17 src=85.93.219.114 dst=212.88.133.153 sport=0 dport=7070 180 proto=17 src=85.93.219.114 dst=212.88.133.153 sport=0 dport=7071 (packet dump from asterisk) *CLI> sip debug SIP Debugging enabled The 'sip debug' command is deprecated and will be removed in a future release. Please use 'sip set debug' instead. *CLI> <--- SIP read from 85.93.219.114:5060 ---> INVITE sip:s@xxxxxxxxxxxxxx SIP/2.0 Record-Route: <sip:85.93.219.114;ftag=as73ca530c;lr=on> Via: SIP/2.0/UDP 85.93.219.114;branch=z9hG4bKbcd7.7f0d18e6.0 Via: SIP/2.0/UDP 85.93.219.122:5060;branch=z9hG4bK13c75fc4;rport=5060 Max-Forwards: 16 From: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c To: <sip:20400371@xxxxxx> Contact: <sip:Unknown@xxxxxxxxxxxxx> Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 INVITE User-Agent: Asterisk PBX 1.6.0.6 Date: Wed, 01 Jul 2009 14:23:10 GMT Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces, timer Content-Type: application/sdp Content-Length: 357 v=0 o=root 1551730590 1551730590 IN IP4 85.93.219.122 s=Asterisk PBX 1.6.0.6 c=IN IP4 85.93.219.122 t=0 0 m=audio 10316 RTP/AVP 8 0 97 3 101 a=rtpmap:8 PCMA/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:97 iLBC/8000 a=fmtp:97 mode=30 a=rtpmap:3 GSM/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=silenceSupp:off - - - - a=ptime:20 a=sendrecv <-------------> --- (16 headers 16 lines) --- Sending to 85.93.219.114 : 5060 (no NAT) Using INVITE request as basis request - 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx Found peer 'tel.lu' Found RTP audio format 8 Found RTP audio format 0 Found RTP audio format 97 Found RTP audio format 3 Found RTP audio format 101 Peer audio RTP is at port 85.93.219.122:10316 Found audio description format PCMA for ID 8 Found audio description format PCMU for ID 0 Found audio description format iLBC for ID 97 Found audio description format GSM for ID 3 Found audio description format telephone-event for ID 101 Capabilities: us - 0x8000e (gsm|ulaw|alaw|h263), peer - audio=0x40e (gsm|ulaw|alaw|ilbc)/video=0x0 (nothing), combined - 0xe (gsm|ulaw|alaw) Non-codec capabilities (dtmf): us - 0x1 (telephone-event), peer - 0x1 (telephone-event), combined - 0x1 (telephone-event) Peer audio RTP is at port 85.93.219.122:10316 Looking for s in from-tellu (domain 212.88.133.153) list_route: hop: <sip:85.93.219.114;ftag=as73ca530c;lr=on> <--- Transmitting (no NAT) to 85.93.219.114:5060 ---> SIP/2.0 100 Trying Via: SIP/2.0/UDP 85.93.219.114;branch=z9hG4bKbcd7.7f0d18e6.0;received=85.93.219.114 Via: SIP/2.0/UDP 85.93.219.122:5060;branch=z9hG4bK13c75fc4;rport=5060 Record-Route: <sip:85.93.219.114;ftag=as73ca530c;lr=on> From: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c To: <sip:20400371@xxxxxx> Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 INVITE User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Contact: <sip:s@xxxxxxxxxxxxxx> Content-Length: 0 <--- Reliably Transmitting (no NAT) to 85.93.219.114:5060 ---> SIP/2.0 200 OK Via: SIP/2.0/UDP 85.93.219.114;branch=z9hG4bKbcd7.7f0d18e6.0;received=85.93.219.114 Via: SIP/2.0/UDP 85.93.219.122:5060;branch=z9hG4bK13c75fc4;rport=5060 Record-Route: <sip:85.93.219.114;ftag=as73ca530c;lr=on> From: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c To: <sip:20400371@xxxxxx>;tag=as47e79d4b Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 INVITE User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Contact: <sip:s@xxxxxxxxxxxxxx> Content-Type: application/sdp Content-Length: 234 v=0 o=root 20701 20701 IN IP4 212.88.133.153 s=session c=IN IP4 212.88.133.153 t=0 0 m=audio 7070 RTP/AVP 3 0 8 a=rtpmap:3 GSM/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=silenceSupp:off - - - - a=ptime:20 a=sendrecv At this moment, I have a connection, but no sound. <--- SIP read from 85.93.219.114:5060 ---> ACK sip:s@xxxxxxxxxxxxxx SIP/2.0 Record-Route: <sip:85.93.219.114;ftag=as73ca530c;lr=on> Via: SIP/2.0/UDP 85.93.219.114;branch=0 Via: SIP/2.0/UDP 85.93.219.122:5060;branch=z9hG4bK31206d61;rport=5060 Max-Forwards: 16 From: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c To: <sip:20400371@xxxxxx>;tag=as47e79d4b Contact: <sip:Unknown@xxxxxxxxxxxxx> Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 ACK User-Agent: Asterisk PBX 1.6.0.6 Content-Length: 0 <--- SIP read from 85.93.219.114:5060 ---> ACK sip:s@xxxxxxxxxxxxxx SIP/2.0 Record-Route: <sip:85.93.219.114;ftag=as73ca530c;lr=on> Via: SIP/2.0/UDP 85.93.219.114;branch=0 Via: SIP/2.0/UDP 85.93.219.122:5060;branch=z9hG4bK65d8099e;rport=5060 Max-Forwards: 16 From: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c To: <sip:20400371@xxxxxx>;tag=as47e79d4b Contact: <sip:Unknown@xxxxxxxxxxxxx> Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 ACK User-Agent: Asterisk PBX 1.6.0.6 Content-Length: 0 Reliably Transmitting (no NAT) to 85.93.219.114:5060: BYE sip:Unknown@xxxxxxxxxxxxx SIP/2.0 Via: SIP/2.0/UDP 212.88.133.153:5060;branch=z9hG4bK44ee4aa2;rport Route: <sip:85.93.219.114;ftag=as73ca530c;lr=on> From: <sip:20400371@xxxxxx>;tag=as47e79d4b To: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 BYE User-Agent: Asterisk PBX Max-Forwards: 70 Content-Length: 0 --- <--- SIP read from 85.93.219.114:5060 ---> SIP/2.0 200 OK Via: SIP/2.0/UDP 212.88.133.153:5060;branch=z9hG4bK44ee4aa2;rport=5060 Record-Route: <sip:85.93.219.114;ftag=as47e79d4b;lr=on> From: <sip:20400371@xxxxxx>;tag=as47e79d4b To: "Unknown" <sip:Unknown@xxxxxxxxxxxxx>;tag=as73ca530c Call-ID: 6b6bfb5c3eb6137532b36d216e8c9948@xxxxxxxxxxxxx CSeq: 102 BYE User-Agent: Asterisk PBX 1.6.0.6 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces, timer Content-Length: 0 <-------------> --- (11 headers 0 lines) --- Bye, Joerg
Attachment:
signature.asc
Description: Digital signature
