conntrack_sip

conntrack_sip

[Andrew O. Zhukov]

ëernel 2.6.25.14-69.fc8
iptables-1.4.1.1-1.fc8.x86_64.rpm

followed trouble:

SIP gw                  Fedora               SipProxy      ásterisk
192.168.2.24   192.168.2.1 666.666.34.46  555.555.184.13  555.555.184.13

Sip proxy without RTP proxy for not nat cusomers. It considetate SIP GW 
as 666.666.34.46 and do not switch on RTP proxy.

call from SIP GW to Asterisk. Dump from FedorÁ:

U 2009/03/05 21:00:11.899191 555.555.184.13:5060 -> 192.168.2.24:5060
   SIP/2.0 183 Session Progress..Via: SIP/2.0/UDP 
555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..From: "212ua1" <sip
   :101563@xxx.com>;tag=66346232..To: 
<sip:2292694@xxx.com>;tag=as41f52f95..Call-ID: 
1295544592-5060-4@192.168.2.24..
.....
..Contact: <sip:2292694@555.555.184.2>..Content-Type: 
application/sdp..Content-Length: 263....v=0..o=root 277
   97 27797 IN IP4 555.555.184.2..s=session..c=IN IP4 555.555.184.2..t=0

---
180 Ringing without sdp
---

U 2009/03/05 21:00:20.753646 555.555.184.13:5060 -> 192.168.2.24:5060
   SIP/2.0 200 OK..Via: SIP/2.0/UDP 
555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..Record-Route: 
<sip:555.555.184.13;
   lr=on;ftag=66346232>..From: "212ua1" 
<sip:101563@xxx.com>;tag=66346232..To: 
<sip:2292694@xxx.com>;tag=as41f52f95..C
   all-ID: 1295544592-5060-4@192.168.2.24..CSeq: 31 INVITE..User-Agent: 
Telegroup Ukraine..Allow: INVITE, ACK, CANCEL, OPTIO
   NS, BYE, REFER, SUBSCRIBE, NOTIFY..Supported: replaces..Contact: 
<sip:2292694@555.555.184.2>..Content-Type: application/sd
   p..Content-Length: 265....v=0..o=root 27797 27798 IN IP4 
555.555.184.13..s=session..c=IN IP4 555.555.184.13..t=0 0..m=audio
    29444 RTP/AVP 18 101..a=rtpmap:18 G729/8000..a=fmtp:18 
annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-16..a=
   silenceSupp:off - - - -..a=ptime:20..a=sendrecv..

in the "OK" message ásterisk ip addresses in SDP changed to the ip 
addresses of SipProxy by sip_conntrack. I can provide DUMP from the 
SipProxy and the complete set of dumps for developers.

Thanks in advance.


-- 
Andrew O. Zhukov
Telegroup Ukraine

conntrack modules in fedora

[Andrew O. Zhukov]

ëernel 2.6.25.14-69.fc8
iptables-1.4.1.1-1.fc8.x86_64.rpm

Is it somehow possible to switch off conntrack modules in this 
configuration.

conntrack_ftp Ánd conntrack_sip possible exclude by rmod, modprobe -r
lsmod don't show it. In iptables.config IPTABLES_MODULES=""
Multiple reload iptables and linux itself. No result.

In any case I can access outside passive ftp and
I see corrected SIP packets on the outside registar.

Any ideas?


-- 
Andrew O. Zhukov
Telegroup Ukraine

conntrack_sip bug

[Andrew O. Zhukov]

No answers from netfilter list.

I can exactly show the point where how this bug appeared include dumps 
from all points.


Andrew O. Zhukov пишет:
> Кernel 2.6.25.14-69.fc8
> iptables-1.4.1.1-1.fc8.x86_64.rpm
> 
> followed trouble:
> 
> SIP gw                  Fedora               SipProxy      Аsterisk
> 192.168.2.24   192.168.2.1 666.666.34.46  555.555.184.13  555.555.184.13
> 
> Sip proxy without RTP proxy for not nat cusomers. It considetate SIP GW 
> as 666.666.34.46 and do not switch on RTP proxy.
> 
> call from SIP GW to Asterisk. Dump from Fedorа:
> 
> U 2009/03/05 21:00:11.899191 555.555.184.13:5060 -> 192.168.2.24:5060
>   SIP/2.0 183 Session Progress..Via: SIP/2.0/UDP 
> 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..From: "212ua1" <sip
>   :101563@xxx.com>;tag=66346232..To: 
> <sip:2292694@xxx.com>;tag=as41f52f95..Call-ID: 
> 1295544592-5060-4@192.168.2.24..
> .....
> ..Contact: <sip:2292694@555.555.184.2>..Content-Type: 
> application/sdp..Content-Length: 263....v=0..o=root 277
>   97 27797 IN IP4 555.555.184.2..s=session..c=IN IP4 555.555.184.2..t=0
> 
> ---
> 180 Ringing without sdp
> ---
> 
> U 2009/03/05 21:00:20.753646 555.555.184.13:5060 -> 192.168.2.24:5060
>   SIP/2.0 200 OK..Via: SIP/2.0/UDP 
> 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..Record-Route: 
> <sip:555.555.184.13;
>   lr=on;ftag=66346232>..From: "212ua1" 
> <sip:101563@xxx.com>;tag=66346232..To: 
> <sip:2292694@xxx.com>;tag=as41f52f95..C
>   all-ID: 1295544592-5060-4@192.168.2.24..CSeq: 31 INVITE..User-Agent: 
> Telegroup Ukraine..Allow: INVITE, ACK, CANCEL, OPTIO
>   NS, BYE, REFER, SUBSCRIBE, NOTIFY..Supported: replaces..Contact: 
> <sip:2292694@555.555.184.2>..Content-Type: application/sd
>   p..Content-Length: 265....v=0..o=root 27797 27798 IN IP4 
> 555.555.184.13..s=session..c=IN IP4 555.555.184.13..t=0 0..m=audio
>    29444 RTP/AVP 18 101..a=rtpmap:18 G729/8000..a=fmtp:18 
> annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-16..a=
>   silenceSupp:off - - - -..a=ptime:20..a=sendrecv..
> 
> in the "OK" message Аsterisk ip addresses in SDP changed to the ip 
> addresses of SipProxy by sip_conntrack. I can provide DUMP from the 
> SipProxy and the complete set of dumps for developers.
> 
> Thanks in advance.
> 
> 


-- 
Andrew O. Zhukov
Telegroup Ukraine
Technical director.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: conntrack_sip bug

[Patrick McHardy]

Andrew O. Zhukov wrote:
> No answers from netfilter list.
> 
> I can exactly show the point where how this bug appeared include dumps 
> from all points.
> 
> 
> Andrew O. Zhukov пишет:
>> Кernel 2.6.25.14-69.fc8
>> iptables-1.4.1.1-1.fc8.x86_64.rpm
>>
>> followed trouble:
>>
>> SIP gw                  Fedora               SipProxy      Аsterisk
>> 192.168.2.24   192.168.2.1 666.666.34.46  555.555.184.13  555.555.184.13
>>
>> Sip proxy without RTP proxy for not nat cusomers. It considetate SIP 
>> GW as 666.666.34.46 and do not switch on RTP proxy.
>>
>> call from SIP GW to Asterisk. Dump from Fedorа:
>>
>> U 2009/03/05 21:00:11.899191 555.555.184.13:5060 -> 192.168.2.24:5060
>>   SIP/2.0 183 Session Progress..Via: SIP/2.0/UDP 
>> 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..From: "212ua1" 
>> <sip
>>   :101563@xxx.com>;tag=66346232..To: 
>> <sip:2292694@xxx.com>;tag=as41f52f95..Call-ID: 
>> 1295544592-5060-4@192.168.2.24..
>> .....
>> ..Contact: <sip:2292694@555.555.184.2>..Content-Type: 
>> application/sdp..Content-Length: 263....v=0..o=root 277
>>   97 27797 IN IP4 555.555.184.2..s=session..c=IN IP4 555.555.184.2..t=0
>>
>> ---
>> 180 Ringing without sdp
>> ---
>>
>> U 2009/03/05 21:00:20.753646 555.555.184.13:5060 -> 192.168.2.24:5060
>>   SIP/2.0 200 OK..Via: SIP/2.0/UDP 
>> 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..Record-Route: 
>> <sip:555.555.184.13;
>>   lr=on;ftag=66346232>..From: "212ua1" 
>> <sip:101563@xxx.com>;tag=66346232..To: 
>> <sip:2292694@xxx.com>;tag=as41f52f95..C
>>   all-ID: 1295544592-5060-4@192.168.2.24..CSeq: 31 INVITE..User-Agent: 
>> Telegroup Ukraine..Allow: INVITE, ACK, CANCEL, OPTIO
>>   NS, BYE, REFER, SUBSCRIBE, NOTIFY..Supported: replaces..Contact: 
>> <sip:2292694@555.555.184.2>..Content-Type: application/sd
>>   p..Content-Length: 265....v=0..o=root 27797 27798 IN IP4 
>> 555.555.184.13..s=session..c=IN IP4 555.555.184.13..t=0 0..m=audio
>>    29444 RTP/AVP 18 101..a=rtpmap:18 G729/8000..a=fmtp:18 
>> annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-16..a=
>>   silenceSupp:off - - - -..a=ptime:20..a=sendrecv..
>>
>> in the "OK" message Аsterisk ip addresses in SDP changed to the ip 
>> addresses of SipProxy by sip_conntrack. I can provide DUMP from the 
>> SipProxy and the complete set of dumps for developers.
>>
>> Thanks in advance.

There's a lot of addresses in there :) Could you please point to the
exact header which got rewritten incorrectly?

Also, please post the module parameters you're using when loading the
SIP conntrack/NAT modules.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: conntrack_sip bug

[Andrew O. Zhukov]

Patrick McHardy пишет:
> Andrew O. Zhukov wrote:
>> No answers from netfilter list.
>>
>> I can exactly show the point where how this bug appeared include dumps 
>> from all points.
>>
>>
>> Andrew O. Zhukov пишет:
>>> Кernel 2.6.25.14-69.fc8
>>> iptables-1.4.1.1-1.fc8.x86_64.rpm
>>>
>>> followed trouble:
>>>
>>> SIP gw                  Fedora               SipProxy      Аsterisk
>>> 192.168.2.24   192.168.2.1 666.666.34.46  555.555.184.13  555.555.184.13
>>>
>>> Sip proxy without RTP proxy for not nat cusomers. It considetate SIP 
>>> GW as 666.666.34.46 and do not switch on RTP proxy.
>>>
>>> call from SIP GW to Asterisk. Dump from Fedorа:
>>>
>>> U 2009/03/05 21:00:11.899191 555.555.184.13:5060 -> 192.168.2.24:5060
>>>   SIP/2.0 183 Session Progress..Via: SIP/2.0/UDP 
>>> 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..From: 
>>> "212ua1" <sip
>>>   :101563@xxx.com>;tag=66346232..To: 
>>> <sip:2292694@xxx.com>;tag=as41f52f95..Call-ID: 
>>> 1295544592-5060-4@192.168.2.24..
>>> .....
>>> ..Contact: <sip:2292694@555.555.184.2>..Content-Type: 
>>> application/sdp..Content-Length: 263....v=0..o=root 277
>>>   97 27797 IN IP4 ___555.555.184.2_____..s=session..c=IN IP4 ___555.555.184.2_____..t=0

It's the real address of rtp stream

>>>
>>> ---
>>> 180 Ringing without sdp
>>> ---
>>>
>>> U 2009/03/05 21:00:20.753646 555.555.184.13:5060 -> 192.168.2.24:5060
>>>   SIP/2.0 200 OK..Via: SIP/2.0/UDP 
>>> 555.555.184.13:5060;branch=z9hG4bK878912355;rport=1025..Record-Route: 
>>> <sip:555.555.184.13;
>>>   lr=on;ftag=66346232>..From: "212ua1" 
>>> <sip:101563@xxx.com>;tag=66346232..To: 
>>> <sip:2292694@xxx.com>;tag=as41f52f95..C
>>>   all-ID: 1295544592-5060-4@192.168.2.24..CSeq: 31 
>>> INVITE..User-Agent: Telegroup Ukraine..Allow: INVITE, ACK, CANCEL, OPTIO
>>>   NS, BYE, REFER, SUBSCRIBE, NOTIFY..Supported: replaces..Contact: 
>>> <sip:2292694@555.555.184.2>..Content-Type: application/sd
>>>   p..Content-Length: 265....v=0..o=root 27797 27798 IN IP4 
>>> ______555.555.184.13___________..s=session..c=IN IP4 ___________555.555.184.13_________..t=0 0..m=audio

Here !!! You try to fix this packet. As the result inside GW send RTP to
555.555.184.13 instead  555.555.184.2

>>>    29444 RTP/AVP 18 101..a=rtpmap:18 G729/8000..a=fmtp:18 
>>> annexb=no..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-16..a=
>>>   silenceSupp:off - - - -..a=ptime:20..a=sendrecv..
>>>
>>> in the "OK" message Аsterisk ip addresses in SDP changed to the ip 
>>> addresses of SipProxy by sip_conntrack. I can provide DUMP from the 
>>> SipProxy and the complete set of dumps for developers.
>>>
>>> Thanks in advance.
> 
> There's a lot of addresses in there :) Could you please point to the
> exact header which got rewritten incorrectly?

I even find it in sources several minutes before send this post.

Look at nf_conntrack_sip.c
after comments
/* RTP info only in some SDP pkts */

You change SDP in outgoing and incoming packets. However, you have to do 
it only for outgoing. Otherwise, like in this example You'll have a 
trouble with RTP in connecttion over SIP Proxy without RTP Proxy.


> 
> Also, please post the module parameters you're using when loading the
> SIP conntrack/NAT modules.

Actually I do not load this module. It's default Fedora 8 package.
Even if I unload module using rmod , modprobe -r etc.. it continue
break packets... :(

> -- 
> To unsubscribe from this list: send the line "unsubscribe 
> netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


-- 
Andrew O. Zhukov
Telegroup Ukraine
Technical director.
Phone 380-44-2308228
Cell 380-67-4017256
Fax 380-44-2386027
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: conntrack_sip bug

[Patrick McHardy]

Andrew O. Zhukov wrote:
> I even find it in sources several minutes before send this post.
> 
> Look at nf_conntrack_sip.c
> after comments
> /* RTP info only in some SDP pkts */

Ah I see :) That version is completely out of date and known to be broken.
2.6.26 includes a rewritten version that should work fine, please try
that or the 2.6.25 backport available at:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.25-sip.git