Re: using flow offload for sip server

Hi,

On Mon, May 21, 2018 at 02:33:28PM -0400, Sean Darcy wrote:
> Thanks for the reference.
> 
> As I read it, flowtables is useful to efficiently _forward_
> established packets to another machine, not to input. So it would not
> be useful at the asterisk server.

Yes, the flowtable provides a shortcut forwarding path; ideally only a
few of the initial packets in the flow go through the classic (slow)
forwarding path, while follow-up packets will take this shortcut.

> I could use flowtables at the router if I can dnat the SIP packets
> that are not established.  Like so ?
> 
>         table inet x {
>                 flowtable f {
>                         hook ingress priority 0; devices = { external, internal };
>                 }
>                 chain y {
>                         type filter hook forward priority 0; policy accept;
>                         ip protocol { udp, tcp } flow offload @f
>                         iifname "external" udp dport { iax, 5060-5063 } counter dnat to $asterisk
>                         iifname "external" tcp dport 5060-5063 counter dnat to $asterisk
>                         counter
>                 }
>         }
> 
> If I'm correct, this will offload all established udp and tcp packets.
> Then it will dnat and forward the new SIP signalling packets
> {5060-5063}.
> 
> Am I getting closer ?

Yes.

Only one thing: 'flow offload' needs to see packets in both
directions, so in case of RTP flows going in one single direction,
flow offload may not trigger.

This should be easy to fix by adding an option to the flowtable
configuration. If this is your case, I can have a look and cook a
patch for this.
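
An added example, not part of the original e-mail or of the nftables project: the flowtable from the quoted ruleset, with the DNAT rules placed in a nat-type prerouting chain, which is where nftables accepts the dnat statement. The address 192.0.2.10, the table name `nat` and the numeric port 4569 for IAX2 are assumptions; the interface names are those used in the quoted ruleset.

```nftables
# Added example. The address below is a constructed placeholder.
define asterisk = 192.0.2.10    # assumed address of the Asterisk server

table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                # Only the first packet of a connection traverses a nat chain;
                # conntrack applies the same mapping to the rest of the flow.
                # 4569 is the IAX2 port, written numerically (assumption).
                iifname "external" udp dport { 4569, 5060-5063 } counter dnat to $asterisk
                iifname "external" tcp dport 5060-5063 counter dnat to $asterisk
        }
}

table inet x {
        flowtable f {
                # Both interfaces must be listed so that each direction of a
                # forwarded flow can take the shortcut path.
                hook ingress priority 0; devices = { external, internal };
        }
        chain y {
                type filter hook forward priority 0; policy accept;
                # Per the reply above, offload needs to see packets in both
                # directions; a one-way RTP stream may stay on the classic path.
                ip protocol { udp, tcp } flow offload @f
                # Counts only packets that still traverse the classic forward
                # path, so it helps to check how much traffic is not offloaded.
                counter
        }
}
```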