[asterisk-users] netfilter conntrack mangling canreinvite?

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Aug 26 21:12:31 CDT 2009


On Tue, 2009-08-25 at 21:07 -0400, John A. Sullivan III wrote:
> Hello, all.  Since implementing an iptables firewall between the
> Asterisk PBX and several SIP phones, the Asterisk PBX ability to
> "reinvite" has been broken even when the phones are on the same network
> (i.e., no firewall between the phones).  We've been beating our heads
> against the wall thinking it was the complex rule set but it appears the
> issue is ip_conntrack_sip.
> 
> Before I drop another day into verifying this, may I ask if anyone else
> has had a similar problem and found a solution? It appears conntrack is
> rewriting the SDP so that the address is reverted to the PBX address.
> 
> Here is the relevant SDP portion of a reinvite captured on the PBX
> using tcpdump and displayed in Wireshark.  The PBX is at 172.x.x.8 and
> the phone is at 10.x.x.193:
> 
> Owner/Creator, Session Id (o): root 1417450700 1417450701 IN IP4
> 10.x.x.183
> Owner Address: 10.x.x.183
> Connection Information (c): IN IP4 10.x.x.183
> Connection Address: 10.x.x.183
> 
> Here is a similar sequence but captured from the phone itself:
> Owner/Creator, Session Id (o): root 595629021 595629022 IN IP4 172.x.x.8
> Owner Address: 172.x.x.8
> Connection Information (c): IN IP4 172.x.x.8
> Connection Address: 172.x.x.8
> 
> It would appear conntrack has incorrectly "fixed" the packet.
> 
> I noticed newer kernels have sip_direct_media and sip_direct_signalling
> options.  I don't know if those apply but they do not seem to be present
> in our CentOS 5.3 kernel.
> 
> I'll probably spend most of tomorrow confirming this hypothesis and
> investigating solutions so I'd be deeply appreciative for any
> time-saving advice.  Thanks - John
> 
The ip_nat_sip conntrack module was indeed the culprit.  Apparently this
can be fixed in newer kernels by setting the sip_direct_media=0 option
for ip_conntrack_sip in modprobe.conf.  However, since our CentOS 5.3
version of the kernel does not support this, we disabled ip_nat_sip and
returned responsibility for managing NAT to sip.conf.  Hope this helps
someone else - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
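As an added example (not from the post, Asterisk or the kernel), a small Python check that compares the SDP a host sent with the SDP its peer actually received and flags the o=/c= fields that were rewritten in transit, which is how the symptom above (media address reverted to the PBX address) can be confirmed from two captures. The SDP bodies and addresses are constructed, modelled on the masked captures in the post.

```python
import re

# Constructed sample SDP bodies, modelled on the two captures quoted above:
# the reinvite as captured on the PBX (what it sent) and the same reinvite
# as captured on the phone (what arrived). Addresses are placeholders.
SDP_SEEN_ON_PBX = """v=0
o=root 1417450700 1417450701 IN IP4 10.0.0.183
s=session
c=IN IP4 10.0.0.183
t=0 0
m=audio 10000 RTP/AVP 0 8
"""

SDP_SEEN_ON_PHONE = """v=0
o=root 595629021 595629022 IN IP4 172.16.0.8
s=session
c=IN IP4 172.16.0.8
t=0 0
m=audio 10000 RTP/AVP 0 8
"""

IPV4 = re.compile(r"IN IP4 (\d{1,3}(?:\.\d{1,3}){3})")


def sdp_addresses(sdp: str) -> dict:
    """Return the owner (o=) and connection (c=) IPv4 addresses of an SDP body."""
    addrs = {}
    for line in sdp.splitlines():
        m = IPV4.search(line)
        if line.startswith("o=") and m:      # o=<user> <id> <ver> IN IP4 <addr>
            addrs["owner"] = m.group(1)
        elif line.startswith("c=") and m:    # c=IN IP4 <addr>
            addrs["connection"] = m.group(1)
    return addrs


def detect_rewrite(sent: str, received: str) -> list:
    """List (field, sent_addr, received_addr) for every address changed in transit."""
    a, b = sdp_addresses(sent), sdp_addresses(received)
    return [(k, a.get(k), b.get(k)) for k in ("owner", "connection") if a.get(k) != b.get(k)]


def reverted_to_signalling_address(sent: str, received: str, signalling_addr: str) -> bool:
    """True when every rewritten media address now equals the signalling peer's
    own address, i.e. the in-path NAT helper undid the reinvite's redirection."""
    diffs = detect_rewrite(sent, received)
    return bool(diffs) and all(new == signalling_addr for _, _, new in diffs)


if __name__ == "__main__":
    for field, was, now in detect_rewrite(SDP_SEEN_ON_PBX, SDP_SEEN_ON_PHONE):
        print(f"{field}: sent {was}, received {now}")
```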