nf_nat_sip & nf_conntrack_sip

nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

Howdy,

I use a program from my mobile company, to make call's in my PC, this
program uses SIP for the connection.
The problem is:

-When i have these two modules loaded, when the person from the other side
disconnects, the program doesn't end the call, plus, the call's go down
very often!!
-When none of this modules are loaded, everything works as expected when
the person from the other side disconnects, and no call dies (unless i get
of my internet connection).

Any guess? I can work without the modules as i am right now, i just want
to help if there's something wrong with the modules and help.

Jorge,

Re: nf_nat_sip & nf_conntrack_sip

[Patrick McHardy]

Jorge Bastos wrote:
> Howdy,
> 
> I use a program from my mobile company, to make call's in my PC, this
> program uses SIP for the connection.
> The problem is:
> 
> -When i have these two modules loaded, when the person from the other side
> disconnects, the program doesn't end the call, plus, the call's go down
> very often!!
> -When none of this modules are loaded, everything works as expected when
> the person from the other side disconnects, and no call dies (unless i get
> of my internet connection).
> 
> Any guess? I can work without the modules as i am right now, i just want
> to help if there's something wrong with the modules and help.

Which kernel version are you using? The versions before 2.6.26 are
known not to work properly. With later kernels you might have to
set the sip_direct_media/signalling options to 0.

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

>> Any guess? I can work without the modules as i am right now, i just want
>> to help if there's something wrong with the modules and help.
>
> Which kernel version are you using? The versions before 2.6.26 are
> known not to work properly. With later kernels you might have to
> set the sip_direct_media/signalling options to 0.

Hi Patrick,
kernel 2.6.30
Well, I'm going to test it with those parameters and let you know starting
next Monday.
One question, without the module everything works OK, the module are
really necessary? If so for what?

Jorge,

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

> Hi Patrick,
> kernel 2.6.30
> Well, I'm going to test it with those parameters and let you know starting
> next Monday.
> One question, without the module everything works OK, the module are
> really necessary? If so for what?

ok,
tested and when the person from the other side disconnect's the sessions
remains alive with the module loaded with:

/sbin/modprobe nf_nat_sip
/sbin/modprobe nf_conntrack_sip sip_direct_signalling=0 sip_direct_media=0

Re: nf_nat_sip & nf_conntrack_sip

[Patrick McHardy]

Jorge Bastos wrote:
>> Hi Patrick,
>> kernel 2.6.30
>> Well, I'm going to test it with those parameters and let you know starting
>> next Monday.
>> One question, without the module everything works OK, the module are
>> really necessary? If so for what?
> 
> ok,
> tested and when the person from the other side disconnect's the sessions
> remains alive with the module loaded with:

What does "remain alive" mean? If something is not working as expected,
please include a pcap dump of both before and after NAT.

> 
> /sbin/modprobe nf_nat_sip
> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0 sip_direct_media=0

This does not work, the nat module already pulls in the conntrack module
without parameters.

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

> What does "remain alive" mean? If something is not working as expected,
> please include a pcap dump of both before and after NAT.

I mean, when the person from the other side disconnects, the call doesn't
end.

>> /sbin/modprobe nf_nat_sip
>> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0
>> sip_direct_media=0
>
> This does not work, the nat module already pulls in the conntrack module
> without parameters.

ops!
Then i've been loading the nat modules in the wrong order, it should be
always:
1- nf_conntrack_??? options
2- nf_nat_???

correct?
I've loaded the modules in this order with the parameters and it's working
file now :)

Explain something to me if possible, why is the SIP module need if
everything works without it?

Jorge,

Re: nf_nat_sip & nf_conntrack_sip

[Patrick McHardy]

Jorge Bastos wrote:
>> What does "remain alive" mean? If something is not working as expected,
>> please include a pcap dump of both before and after NAT.
> 
> I mean, when the person from the other side disconnects, the call doesn't
> end.
> 
>>> /sbin/modprobe nf_nat_sip
>>> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0
>>> sip_direct_media=0
>> This does not work, the nat module already pulls in the conntrack module
>> without parameters.
> 
> ops!
> Then i've been loading the nat modules in the wrong order, it should be
> always:
> 1- nf_conntrack_??? options
> 2- nf_nat_???

Yes.

> correct?
> I've loaded the modules in this order with the parameters and it's working
> file now :)
> 
> Explain something to me if possible, why is the SIP module need if
> everything works without it?

Well, in that case you don't need it obviously :) In case you're using
NAT, I guess you're also using STUN or something similar. This does not
really work reliable with netfilter, although it might appear that way
most of the time.

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

>> Explain something to me if possible, why is the SIP module need if
>> everything works without it?
>
> Well, in that case you don't need it obviously :) In case you're using
> NAT, I guess you're also using STUN or something similar. This does not
> really work reliable with netfilter, although it might appear that way
> most of the time.

Well, this is on the machine that is doing NAT for local LAN, no STUN or
so :P
But it works fine with (with the parameters) or without the module.
Everything's solved! :P

Thanks, Jorge

Re: nf_nat_sip & nf_conntrack_sip

[Pascal Hambourg]

Hello,

Jorge Bastos a écrit :
>>> Explain something to me if possible, why is the SIP module need if
>>> everything works without it?
>>
>> Well, in that case you don't need it obviously :) In case you're using
>> NAT, I guess you're also using STUN or something similar. This does not
>> really work reliable with netfilter, although it might appear that way
>> most of the time.
> 
> Well, this is on the machine that is doing NAT for local LAN, no STUN or
> so :P

STUN is used by the clients, not NATs.

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

>> Well, this is on the machine that is doing NAT for local LAN, no STUN or
>> so :P
>
> STUN is used by the clients, not NATs.
> --

Oh i see,
Sorry for the "lame" questions but i'm not a big expert on the subject.

Jorge,

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

>> Then i've been loading the nat modules in the wrong order, it should be
>> always:
>> 1- nf_conntrack_??? options
>> 2- nf_nat_???
>
> Yes.
>
>> correct?
>> I've loaded the modules in this order with the parameters and it's
>> working
>> file now :)
>>
>> Explain something to me if possible, why is the SIP module need if
>> everything works without it?
>
> Well, in that case you don't need it obviously :) In case you're using
> NAT, I guess you're also using STUN or something similar. This does not
> really work reliable with netfilter, although it might appear that way
> most of the time.
>

Hi Patrick,
continuing this matter, after updating to 2.6.31-rc2-git4 (i needed 'cause
a fix for pty.c for PPTPD connections), loading the modules:

/sbin/modprobe nf_conntrack_sip sip_direct_signalling=0 sip_direct_media=0
/sbin/modprobe nf_nat_sip

When the other person disconnects from the other side, the call remains
active in my side.
Unloading the modules works as expected.
A bug?

Re: nf_nat_sip & nf_conntrack_sip

[Patrick McHardy]

Jorge Bastos wrote:
>>> Then i've been loading the nat modules in the wrong order, it should be
>>> always:
>>> 1- nf_conntrack_??? options
>>> 2- nf_nat_???
>> Yes.
>>
>>> correct?
>>> I've loaded the modules in this order with the parameters and it's
>>> working
>>> file now :)
>>>
>>> Explain something to me if possible, why is the SIP module need if
>>> everything works without it?
>> Well, in that case you don't need it obviously :) In case you're using
>> NAT, I guess you're also using STUN or something similar. This does not
>> really work reliable with netfilter, although it might appear that way
>> most of the time.
>>
> 
> Hi Patrick,
> continuing this matter, after updating to 2.6.31-rc2-git4 (i needed 'cause
> a fix for pty.c for PPTPD connections), loading the modules:
> 
> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0 sip_direct_media=0
> /sbin/modprobe nf_nat_sip
> 
> When the other person disconnects from the other side, the call remains
> active in my side.
> Unloading the modules works as expected.
> A bug?

What exactly do you mean with "remains active"? The expectations?

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

>> Hi Patrick,
>> continuing this matter, after updating to 2.6.31-rc2-git4 (i needed
>> 'cause
>> a fix for pty.c for PPTPD connections), loading the modules:
>>
>> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0
>> sip_direct_media=0
>> /sbin/modprobe nf_nat_sip
>>
>> When the other person disconnects from the other side, the call remains
>> active in my side.
>> Unloading the modules works as expected.
>> A bug?
>
> What exactly do you mean with "remains active"? The expectations?
>

Let me see if i can explain myself.
When I'm on a call, and the person for the other side ends the call, the
sessions remains active.
Without loadling the modules, it works fine.

Re: nf_nat_sip & nf_conntrack_sip

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 873 bytes --]

Jorge Bastos wrote:
>>> Hi Patrick,
>>> continuing this matter, after updating to 2.6.31-rc2-git4 (i needed
>>> 'cause
>>> a fix for pty.c for PPTPD connections), loading the modules:
>>>
>>> /sbin/modprobe nf_conntrack_sip sip_direct_signalling=0
>>> sip_direct_media=0
>>> /sbin/modprobe nf_nat_sip
>>>
>>> When the other person disconnects from the other side, the call remains
>>> active in my side.
>>> Unloading the modules works as expected.
>>> A bug?
>> What exactly do you mean with "remains active"? The expectations?
>>
> 
> Let me see if i can explain myself.
> When I'm on a call, and the person for the other side ends the call, the
> sessions remains active.
> Without loadling the modules, it works fine.

That sounds like some packets are dropped by the helper. You could
try this patch in combination with ulogd(2) to capture the packet
in pcap format.


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2194 bytes --]

commit 78384e4b2e7ddb21709b0d8abac0d37b060dd3b7
Author: Patrick McHardy <kaber@trash.net>
Date:   Fri Jul 10 14:16:57 2009 +0200

    netfilter: nf_conntrack: log packets dropped by helpers
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 7d2ead7..44fa394 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -26,6 +26,7 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/nf_nat_helper.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <net/netfilter/nf_log.h>
 
 int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb,
 			      struct nf_conn *ct,
@@ -113,8 +114,11 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
 
 	ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
 			   ct, ctinfo);
-	if (ret != NF_ACCEPT)
+	if (ret != NF_ACCEPT) {
+		nf_log_packet(AF_INET, hooknum, skb, in, out, NULL,
+			      "nf_ct_%s: dropping packet", helper->name);
 		return ret;
+	}
 
 	if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) {
 		typeof(nf_nat_seq_adjust_hook) seq_adjust;
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 2a15c2d..6b76778 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -27,6 +27,7 @@
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
+#include <net/netfilter/nf_log.h>
 
 static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
 			      struct nf_conntrack_tuple *tuple)
@@ -176,8 +177,11 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
 	}
 
 	ret = helper->help(skb, protoff, ct, ctinfo);
-	if (ret != NF_ACCEPT)
+	if (ret != NF_ACCEPT) {
+		nf_log_packet(AF_INET6, hooknum, skb, in, out, NULL,
+			      "nf_ct_%s: dropping packet", helper->name);
 		return ret;
+	}
 out:
 	/* We've seen it coming out the other side: confirm it */
 	return nf_conntrack_confirm(skb);

Re: nf_nat_sip & nf_conntrack_sip

[Jorge Bastos]

>> Let me see if i can explain myself.
>> When I'm on a call, and the person for the other side ends the call, the
>> sessions remains active.
>> Without loadling the modules, it works fine.
>
> That sounds like some packets are dropped by the helper. You could
> try this patch in combination with ulogd(2) to capture the packet
> in pcap format.

Patrick,
I can test that, you just have to explain to me how to i get that pcap
file for you.
I have no idea how... i'm not familiar with that!
I'm going to patch kernel with your patch as you tell me howto get the
pcap file.

Jorge,