Mailinglist Archive: opensuse-bugs (2150 mails)

[Bug 873717] New: nf_conntrack_sip: doesn't track SIP connections initiated from ports != 5060
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 15 Apr 2014 13:54:21 +0000
  • Message-id: <bug-873717-21960@http.bugzilla.novell.com/>

https://bugzilla.novell.com/show_bug.cgi?id=873717

https://bugzilla.novell.com/show_bug.cgi?id=873717#c0


Summary: nf_conntrack_sip: doesn't track SIP connections initiated from ports != 5060
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: All
OS/Version: openSUSE 12.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
AssignedTo: jeffm@xxxxxxxx
ReportedBy: jeffm@xxxxxxxx
QAContact: qa-bugs@xxxxxxx
Found By: Development
Blocker: ---


After a recent SIP client update, I couldn't connect to my provider any longer.

tcpdump would show the outgoing request but not the incoming one. It turns out
that the client had stopped initiating SIP requests from port 5060 and the
conntrack module wasn't establishing the mapping.

There was a patch added to the 3.9 kernel to address this and it applies
cleanly to the 3.7 kernel.

commit 7266507d89991fa1e989283e4e032c6d9357fe26
Author: Kevin Cernekee <cernekee@xxxxxxxxx>
Date: Mon Dec 17 18:33:58 2012 +0000

netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones

Most SIP devices use a source port of 5060/udp on SIP requests, so the
response automatically comes back to port 5060:

    phone_ip:5060 -> proxy_ip:5060 REGISTER
    proxy_ip:5060 -> phone_ip:5060 100 Trying

The newer Cisco IP phones, however, use a randomly chosen high source
port for the SIP request but expect the response on port 5060:

    phone_ip:49173 -> proxy_ip:5060 REGISTER
    proxy_ip:5060 -> phone_ip:5060 100 Trying

Standard Linux NAT, with or without nf_nat_sip, will send the reply back
to port 49173, not 5060:

    phone_ip:49173 -> proxy_ip:5060 REGISTER
    proxy_ip:5060 -> phone_ip:49173 100 Trying

But the phone is not listening on 49173, so it will never see the reply.

This patch modifies nf_*_sip to work around this quirk by extracting
the SIP response port from the Via: header, iff the source IP in the
packet header matches the source IP in the SIP request.

Signed-off-by: Kevin Cernekee <cernekee@xxxxxxxxx>
Acked-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Cc: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
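
Added example, not part of the bug report and not the kernel patch's code: a userspace C sketch of the decision the commit message describes, taking the reply port from the first Via: header only when the Via host equals the packet's source IP. The names sip_reply_port, find_via and SAMPLE_REGISTER, the IPv4/UDP-only parsing and the sample message are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: phone 192.0.2.10 advertises port 5060 in Via. */
static const char SAMPLE_REGISTER[] =
    "REGISTER sip:proxy.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Content-Length: 0\r\n\r\n";

/* Return the first Via header line, or NULL if the headers end first. */
static const char *find_via(const char *msg)
{
    const char *p = strstr(msg, "\r\n");        /* skip the request line */
    while (p) {
        p += 2;
        if (*p == '\r' || *p == '\0')
            return NULL;                        /* blank line: body follows */
        if (!strncasecmp(p, "Via:", 4) || !strncasecmp(p, "v:", 2))
            return p;
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* Port on which the reply to this request should be expected.
 * Hypothetical helper; src_ip and src_port come from the packet header. */
unsigned sip_reply_port(const char *msg, const char *src_ip, unsigned src_port)
{
    char host[64];
    unsigned port = 0;
    const char *via = find_via(msg);

    /* Assumption of this sketch: only an explicit host:port is considered. */
    if (!via || sscanf(via, "%*[^:]: %*s %63[^:;, \r\n]:%u", host, &port) != 2)
        return src_port;
    /* Guard from the commit message: the Via host must equal the packet's
     * source IP; a Via naming any other host is ignored. */
    if (strcmp(host, src_ip) != 0 || port == 0 || port > 65535)
        return src_port;
    return port;
}

int main(void)
{
    printf("%u\n", sip_reply_port(SAMPLE_REGISTER, "192.0.2.10", 49173));
    printf("%u\n", sip_reply_port(SAMPLE_REGISTER, "198.51.100.7", 49173));
    return 0;
}
```

The second call in main() shows the guard: the same payload arriving from a different source address leaves the reply port at the packet's own source port.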
