[asterisk-bugs] [JIRA] (ASTERISK-27248) [patch]external_media_address and external_signaling_address don't always honor localnet
Kevin Harwell (JIRA)
noreply at issues.asterisk.org
Wed Mar 4 09:41:25 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-27248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=249903#comment-249903 ]
Kevin Harwell edited comment on ASTERISK-27248 at 3/4/20 9:39 AM:
------------------------------------------------------------------
The changes in this issue cause local_net to not function correctly.
In Asterisk 11.10, local_net functioned correctly; in Asterisk 16.8.0, local_net does not function correctly. I traced the change to this issue.
Scenario: both Asterisk and phone1 are behind the same NAT. phone2 is remotely behind NAT. When configuring some unrelated IP subnet in local_net, the remote phone2's audio is being sent from Asterisk to the local IP of the remote phone2, which does not work. Disabling local_net makes the remote phone2 work.
When undoing ASTERISK-27248_undo.patch and configuring local_net to the network of phone1, all phones work. The local phone gets RTP from the local address of Asterisk, the remote phone gets audio to its external NAT IP.
Remote phone with correct external media address and working RTP
{noformat}
[Mar 4 14:16:25] DEBUG[31740]: res_pjsip_session.c:902 handle_negotiated_sdp_session_media: Applied negotiated SDP media stream 'audio' using audio SDP handler
[Mar 4 14:16:25] DEBUG[31740]: res_pjsip_session.c:3498 handle_outgoing_response: Method is INVITE, Response is 200 OK
[Mar 4 14:16:25] DEBUG[31740]: res_pjsip/pjsip_message_filter.c:288 filter_on_tx_message: Re-wrote Contact URI host/port to 172.17.32.36:5060 (this may be re-written again later)
[Mar 4 14:16:25] DEBUG[31740]: netsock2.c:170 ast_sockaddr_split_hostport: Splitting '198.51.100.50' into...
[Mar 4 14:16:25] DEBUG[31740]: netsock2.c:224 ast_sockaddr_split_hostport: ...host '198.51.100.50' and port ''.
[Mar 4 14:16:25] DEBUG[31740]: res_pjsip_nat.c:414 process_nat: Re-wrote Contact URI port to 5060
[Mar 4 14:16:25] DEBUG[31740]: netsock2.c:170 ast_sockaddr_split_hostport: Splitting '172.17.32.36' into...
[Mar 4 14:16:25] DEBUG[31740]: netsock2.c:224 ast_sockaddr_split_hostport: ...host '172.17.32.36' and port ''.
[Mar 4 14:16:25] DEBUG[31740]: res_pjsip_session.c:4338 session_outgoing_nat_hook: Setting external media address to 203.0.113.102
<--- Transmitting SIP response (880 bytes) to TCP:198.51.100.50:56924 --->
{noformat}
Local phone that is correctly identified as local with local_net=10.215.152.0/255.255.255.0
{noformat}
[Mar 4 14:19:47] DEBUG[31740]: res_pjsip_session.c:902 handle_negotiated_sdp_session_media: Applied negotiated SDP media stream 'audio' using audio SDP handler
[Mar 4 14:19:47] DEBUG[31740]: res_pjsip_session.c:3498 handle_outgoing_response: Method is INVITE, Response is 200 OK
[Mar 4 14:19:47] DEBUG[31740]: res_pjsip/pjsip_message_filter.c:288 filter_on_tx_message: Re-wrote Contact URI host/port to 172.17.32.36:5060 (this may be re-written again later)
[Mar 4 14:19:47] DEBUG[31740]: netsock2.c:170 ast_sockaddr_split_hostport: Splitting '10.215.152.3' into...
[Mar 4 14:19:47] DEBUG[31740]: netsock2.c:224 ast_sockaddr_split_hostport: ...host '10.215.152.3' and port ''.
[Mar 4 14:19:47] DEBUG[31740]: res_pjsip_nat.c:403 process_nat: Request is being sent to local address, skipping NAT manipulation
<--- Transmitting SIP response (797 bytes) to UDP:10.215.152.3:50611 --->
{noformat}
{noformat}
+ /* Reversed check here. We don't check the remote
+ * endpoint being in our local net, but whether our
+ * outgoing session IP is local. If it is, we'll do
+ * rewriting. No localnet configured? Always rewrite. */
{noformat}
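Review bot: the added comment at the reversed check says the decision now depends only on whether our outgoing session IP is in the local net, so the destination is never consulted; it should spell out the consequence that a configured local_net which does not contain the session address disables rewriting for every peer, remote ones included. Please also state in the comment which address is passed to the check, and update the local_net option documentation to match, because a configuration that lists only the phones' subnet (as the one in this comment does) depends on the remote-endpoint meaning.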
Please reconsider checking the remote IP of the phone and not the outgoing session IP.
Relevant configuration:
{noformat}
[template-transport-ipv6](!)
;local_net=
;external_media_address=
;external_signaling_address=
[template-transport-ipv4](!)
local_net=10.215.152.0/255.255.255.0
external_media_address=203.0.113.102
external_signaling_address=203.0.113.102
[template-transport](!)
type=transport
external_signaling_port=5060
allow_reload=yes
symmetric_transport=yes
[transport-auto-udp6](template-transport,template-transport-ipv6)
protocol=udp
bind=::
[transport-auto-udp4](template-transport,template-transport-ipv4)
protocol=udp
bind=0.0.0.0
[transport-auto-tcp6](template-transport,template-transport-ipv6)
protocol=tcp
bind=::
[transport-auto-tcp4](template-transport,template-transport-ipv4)
protocol=tcp
bind=0.0.0.0
[user_defaults](!)
type = wizard
accepts_registrations = yes
sends_registrations = no
accepts_auth = yes
sends_auth = no
has_hint = yes
hint_context = hints
hint_application = Dial(PJSIP/${EXTEN})
endpoint/allow = !all,alaw,ulaw
endpoint/allow_subscribe = yes
endpoint/allow_transfer = yes
endpoint/context = uitbellen
endpoint/device_state_busy_at = 1
endpoint/direct_media = no
endpoint/direct_media_method = invite
endpoint/disable_direct_media_on_nat = yes
endpoint/force_rport = yes
endpoint/ice_support = no
endpoint/inband_progress = yes
endpoint/moh_suggest = default
endpoint/rewrite_contact = yes
endpoint/rtp_ipv6 = yes
endpoint/rtp_keepalive = 15
endpoint/rtp_timeout = 60
endpoint/rtp_timeout_hold = 14400
endpoint/rtp_symmetric = yes
endpoint/send_diversion = yes
endpoint/send_pai = no
endpoint/send_rpid = no
endpoint/subscribe_context = hints
endpoint/trust_id_inbound = no
endpoint/trust_id_outbound = no
endpoint/language = nl
endpoint/send_connected_line = true
endpoint/trust_connected_line = true
aor/qualify_frequency = 60
aor/authenticate_qualify = no
aor/max_contacts = 1
aor/remove_existing = yes
aor/minimum_expiration = 30
aor/support_path = yes
;(Mitel 6865i)
[2003](user_defaults)
aor/mailboxes=
inbound_auth/username=2003
inbound_auth/password=xxx
endpoint/dtmf_mode=auto
endpoint/call_group=
endpoint/pickup_group=
;Marc softphone ()
[2995](user_defaults)
aor/mailboxes=
inbound_auth/username=2995
inbound_auth/password=xxx
endpoint/call_group=
endpoint/pickup_group=
{noformat}
was (Author: marcreset):
> [patch]external_media_address and external_signaling_address don't always honor localnet
> ----------------------------------------------------------------------------------------
>
> Key: ASTERISK-27248
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27248
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_pjsip
> Affects Versions: 13.17.1
> Reporter: Walter Doekes
> Labels: patch, pjsip
> Target Release: 13.18.0, 14.7.0, 15.1.0, 16.0.0
>
> Attachments: ASTERISK-27248.patch, ASTERISK-27248_undo.patch, ASTERISK-27248_undo_undo.patch
>
>
> Let's say I have this pjsip config:
> {noformat}
> external_signaling_address=127.1.1.1
> external_media_address=127.2.2.2
> {noformat}
> Then I want my outgoing invites to look like this:
> {noformat}
> INVITE sip:bob at DEST:9284;transport=UDP SIP/2.0
> Via: SIP/2.0/UDP 127.1.1.1:5060;rport;branch=z9hG4bKPjce5a5266-b624-4a52-b420-3648f073ec6d
> From: <sip:alice at SOURCE>;tag=904cc2dd-1f73-4d2c-b712-78c99761bc0f
> To: <sip:bob at SOURCE>
> Contact: <sip:asterisk at 127.1.1.1:5060>
> ...
> o=- 1018431938 1018431938 IN IP4 SOURCE
> s=Asterisk
> c=IN IP4 127.2.2.2
> {noformat}
> If I add an unrelated localnet setting, then it should not affect those values. For example:
> {noformat}
> local_net=127.255.255.255/32
> local_net=255.255.255.255/32
> {noformat}
> However, in Asterisk 13.17.1 it does differ, because of this code:
> {noformat}
> if (!transport_state->localnet
> || ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW) {
> ast_debug(5, "Setting external media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));
> pj_strdup2(tdata->pool, &sdp->conn->addr, ast_sockaddr_stringify_host(&transport_state->external_media_address));
> }
> {noformat}
> The ha struct stores the values in (default) "deny" order: if it's *not* found, then it's ALLOWed. If it *is* found, it returns DENY.
> Thus:
> {noformat}
> ast_apply_ha(transport_state->localnet, &addr) == AST_SENSE_ALLOW)
> {noformat}
> means: it's NOT in the local net
> and:
> {noformat}
> ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW)
> {noformat}
> means: it IS in the local net.
> Logically, you would have it return DENY if it's NOT in the list, and ALLOW if it's in the list, but that's not how ast_apply_ha() works.
> If we check the latest 13.x, we see this:
> {noformat}
> $ wgrep . -B1 -A3 localnet.*SENSE
> {noformat}
> {noformat}
> ./res/res_pjsip_session.c- if (!transport_state->localnet
> ./res/res_pjsip_session.c: || ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW) {
> ./res/res_pjsip_session.c- ast_debug(5, "Setting external media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));
> ./res/res_pjsip_session.c- pj_strdup2(tdata->pool, &sdp->conn->addr, ast_sockaddr_stringify_host(&transport_state->external_media_address));
> ./res/res_pjsip_session.c- }
> {noformat}
> DENY -> is local -> setting media to external because local??
> {noformat}
> ./res/res_pjsip_nat.c- /* See if where we are sending this request is local or not, and if not that we can get a Contact URI to modify */
> ./res/res_pjsip_nat.c: if (ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW) {
> ./res/res_pjsip_nat.c- ast_debug(5, "Request is being sent to local address, skipping NAT manipulation\n");
> ./res/res_pjsip_nat.c- return PJ_SUCCESS;
> ./res/res_pjsip_nat.c- }
> {noformat}
> DENY -> is local -> OK
> {noformat}
> ./res/res_pjsip_sdp_rtp.c- if (transport_state->localnet
> ./res/res_pjsip_sdp_rtp.c: && ast_apply_ha(transport_state->localnet, &addr) == AST_SENSE_ALLOW) {
> ./res/res_pjsip_sdp_rtp.c- return;
> ./res/res_pjsip_sdp_rtp.c- }
> ./res/res_pjsip_sdp_rtp.c- ast_debug(5, "Setting media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));
> {noformat}
> ALLOW -> is not local -> return -> not setting external IP because non-local??
> {noformat}
> ./res/res_pjsip_t38.c- if (transport_state->localnet
> ./res/res_pjsip_t38.c: && ast_apply_ha(transport_state->localnet, &addr) == AST_SENSE_ALLOW) {
> ./res/res_pjsip_t38.c- return;
> ./res/res_pjsip_t38.c- }
> ./res/res_pjsip_t38.c- ast_debug(5, "Setting media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));
> {noformat}
> ALLOW -> is not local -> return -> not setting external IP because non-local??
> It appears to me that 3/4 checks are wrong.
> I'd check the regression box, because a customer noticed this after 13.13.1, but I'm not sure how the changes interact. It appears that some of this was already broken before that change.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
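An added example, not Asterisk code and not part of the original messages: a simplified model of the deny-ordered list semantics described in the quoted issue, comparing a destination-based local_net check (what the comment asks for) with the source-based check described in the patch comment. The names `model_apply_ha`, `rewrite_by_destination` and `rewrite_by_source` are hypothetical, and treating 172.17.32.36 as Asterisk's session address is an assumption based on the Contact rewrite in the logs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Asterisk code: a "deny"-ordered list as the report
 * describes ast_apply_ha(): a match returns DENY, no match returns ALLOW. */
enum sense { SENSE_DENY, SENSE_ALLOW };
struct net { const char *addr, *mask; };

static uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

enum sense model_apply_ha(const struct net *nets, size_t n, const char *ip) {
    for (size_t i = 0; i < n; i++) {
        uint32_t m = ip4(nets[i].mask);
        if ((ip4(ip) & m) == (ip4(nets[i].addr) & m))
            return SENSE_DENY;            /* address is inside local_net */
    }
    return SENSE_ALLOW;                   /* address is outside local_net */
}

/* Destination-based: rewrite unless the remote peer is inside local_net. */
int rewrite_by_destination(const struct net *nets, size_t n, const char *peer) {
    return n == 0 || model_apply_ha(nets, n, peer) == SENSE_ALLOW;
}

/* Source-based (quoted patch comment): rewrite only if our own session
 * address is inside local_net; no local_net configured means always rewrite. */
int rewrite_by_source(const struct net *nets, size_t n, const char *ours) {
    return n == 0 || model_apply_ha(nets, n, ours) != SENSE_ALLOW;
}

/* Constructed inputs using addresses that appear on this page. */
static const struct net LOCALNET[] = { { "10.215.152.0", "255.255.255.0" } };
static const char *OURS = "172.17.32.36";   /* assumed session address */

int main(void) {
    const char *peers[] = { "198.51.100.50", "10.215.152.3" };
    for (size_t i = 0; i < 2; i++)
        printf("%-14s by_destination=%d by_source=%d\n", peers[i],
               rewrite_by_destination(LOCALNET, 1, peers[i]),
               rewrite_by_source(LOCALNET, 1, OURS));
    return 0;
}
```

In this model the source-based check returns the same answer for both peers, because the peer address is never an input to it.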