SIP conntrack defeating Asterisk canreinvite

Hello, all.  Since implementing an iptables firewall between the
Asterisk PBX and several SIP phones, the Asterisk PBX's ability to
"reinvite", i.e., to redirect the media stream from passing through the
PBX to flowing directly between the phones, has been broken even when the
phones are on the same network (i.e., no firewall between the phones).
We've been beating our heads against the wall thinking it was the
complex rule set, but it appears the issue is ip_conntrack_sip.

Before I drop another day into verifying this, may I ask if anyone else
has had a similar problem and found a solution?

The reinvite works by the Asterisk server sending a SIP invite after the
call has been set up. The new invite contains the address of the phone
in the SDP portion of the packet rather than the address of the PBX.
This should redirect the media stream to flow directly between the
phones.  However, it appears conntrack is rewriting the SDP so that the
address is reverted to the PBX address.

Here is the relevant SDP portion of a reinvite captured on the PBX
using tcpdump and displayed in Wireshark.  The PBX is at 172.x.x.8 and
the phone is at 10.x.x.193:

Owner/Creator, Session Id (o): root 1417450700 1417450701 IN IP4 10.68.6.183
Owner Address: 10.68.6.183
Connection Information (c): IN IP4 10.68.6.183
Connection Address: 10.68.6.183

Here is a similar sequence but captured from the phone itself:

Owner/Creator, Session Id (o): root 595629021 595629022 IN IP4 172.30.14.8
Owner Address: 172.30.14.8
Connection Information (c): IN IP4 172.30.14.8
Connection Address: 172.30.14.8

It would appear conntrack has incorrectly "fixed" the packet.

I noticed newer kernels have sip_direct_media and sip_direct_signalling
options.  I don't know if those apply but they do not seem to be present
in our CentOS 5.3 kernel.

I'll probably spend most of tomorrow confirming this hypothesis and
investigating solutions so I'd be deeply appreciative for any
time-saving advice.  Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
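The comparison described in the post (SDP as sent by the PBX versus SDP as received by the phone) can be automated once both captures are decoded to raw SDP text. The following is an added example, not code from the original message or from Asterisk or netfilter; it parses the o= and c= lines, reports which addresses changed in transit, and flags the specific failure mode above, where the phone address the PBX put in the reinvite has been replaced by the PBX's own address. The sample SDP bodies below are constructed from the Wireshark fields quoted in the post, and the PBX address 172.30.14.8 is taken from the phone-side capture.

```python
import re
from dataclasses import dataclass

# Patterns for the two SDP fields that a SIP ALG/conntrack helper rewrites.
# o=<username> <sess-id> <sess-version> <nettype> <addrtype> <unicast-address>
SDP_OWNER = re.compile(r"^o=\S+ \d+ \d+ IN IP4 ([0-9.]+)$")
# c=<nettype> <addrtype> <connection-address>  (an optional /ttl suffix is ignored)
SDP_CONN = re.compile(r"^c=IN IP4 ([0-9.]+)(?:/\d+)?$")


@dataclass(frozen=True)
class SdpAddrs:
    owner: str       # address from the o= line
    connection: str  # address from the c= line


def parse_sdp(text: str) -> SdpAddrs:
    """Extract the owner and connection addresses from an SDP body."""
    owner = connection = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SDP_OWNER.match(line)
        if m:
            owner = m.group(1)
            continue
        m = SDP_CONN.match(line)
        if m and connection is None:   # session-level c= wins over media-level
            connection = m.group(1)
    if owner is None or connection is None:
        raise ValueError("SDP body lacks an o= or c= line")
    return SdpAddrs(owner, connection)


def sdp_changes(sent: str, received: str) -> list:
    """List (field, sent_addr, received_addr) for every address altered in transit."""
    s, r = parse_sdp(sent), parse_sdp(received)
    changes = []
    if s.owner != r.owner:
        changes.append(("o", s.owner, r.owner))
    if s.connection != r.connection:
        changes.append(("c", s.connection, r.connection))
    return changes


def reinvite_defeated(sent: str, received: str, pbx_addr: str) -> bool:
    """True when the PBX sent a media address other than its own (a reinvite
    pointing media at the far phone) but the phone received the PBX's address,
    i.e. something on the path reverted the redirect."""
    s, r = parse_sdp(sent), parse_sdp(received)
    return s.connection != pbx_addr and r.connection == pbx_addr


# Constructed sample: the reinvite as captured on the PBX (media should go to
# the phone at 10.68.6.183) and the same packet as captured on the phone, where
# the address has been replaced by the PBX's own 172.30.14.8.
PBX_ADDR = "172.30.14.8"

SDP_SENT_BY_PBX = """v=0
o=root 1417450700 1417450701 IN IP4 10.68.6.183
s=session
c=IN IP4 10.68.6.183
t=0 0
m=audio 18000 RTP/AVP 0 8
"""

SDP_SEEN_BY_PHONE = """v=0
o=root 1417450700 1417450701 IN IP4 172.30.14.8
s=session
c=IN IP4 172.30.14.8
t=0 0
m=audio 18000 RTP/AVP 0 8
"""

if __name__ == "__main__":
    for field, before, after in sdp_changes(SDP_SENT_BY_PBX, SDP_SEEN_BY_PHONE):
        print(f"{field}= address rewritten in transit: {before} -> {after}")
    if reinvite_defeated(SDP_SENT_BY_PBX, SDP_SEEN_BY_PHONE, PBX_ADDR):
        print("reinvite defeated: media address reverted to the PBX")
```

Feed it the SDP bodies decoded from a tcpdump on each side of the firewall (Wireshark's "Follow UDP stream" or a raw dump of the INVITE body both work); an empty change list on a reinvite that still fails points away from conntrack and back at the rule set.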

