netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Nf_nat_h323 module not working with Panasonic VCs
@ 2021-07-24 15:53 Akshat Kakkar
  2021-07-25 20:41 ` Jozsef Kadlecsik
  2021-08-03 11:44 ` Jozsef Kadlecsik
  0 siblings, 2 replies; 14+ messages in thread
From: Akshat Kakkar @ 2021-07-24 15:53 UTC (permalink / raw)
  To: NetFilter

I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).

There is a Linux firewall between VCs and MCU.

There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
There is no natting for MCU IP as it is routable.

nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.

When VC1 and VC2 initiate call to MCU, everything works fine. Video
call is successful for both VC1 and VC2. h245 IP address for tcp in
h225: CS connect packet is correctly replaced by the natted IP.

However, when there is a dial out from MCU to VCs (i.e. MCU initiate
call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
natting works fine but h245 IP address for tcp in h225:CS is replaced
correctly only for VC2 and not for VC1. For VC1, it is still its
actual IP (i.e. 10.1.1.12 and not 172.16.1.120).

Because of this, video call is successful only with VC2 and not with
VC1, when initiated from MCU. I tried with another panasonic VC
hardware, there was no change.

Further packet dump analysis showed that for VC1, there are 3 h225
packets (setup, call proceeding and alert) before Connect message but
for VC2 there are only 2 h225 packets (setup and alert) before connect
message.

Is there a bug in nf_nat_h323 module or am I missing something?

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-07-24 15:53 Nf_nat_h323 module not working with Panasonic VCs Akshat Kakkar
@ 2021-07-25 20:41 ` Jozsef Kadlecsik
  2021-07-26  6:50   ` Akshat Kakkar
  2021-08-03 11:44 ` Jozsef Kadlecsik
  1 sibling, 1 reply; 14+ messages in thread
From: Jozsef Kadlecsik @ 2021-07-25 20:41 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: NetFilter

Hello,

On Sat, 24 Jul 2021, Akshat Kakkar wrote:

> I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11), 
> VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> 
> There is a Linux firewall between VCs and MCU.
> 
> There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> There is no natting for MCU IP as it is routable.
> 
> nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> 
> When VC1 and VC2 initiate call to MCU, everything works fine. Video
> call is successful for both VC1 and VC2. h245 IP address for tcp in
> h225: CS connect packet is correctly replaced by the natted IP.
> 
> However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> natting works fine but h245 IP address for tcp in h225:CS is replaced
> correctly only for VC2 and not for VC1. For VC1, it is still its
> actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> 
> Because of this, video call is successful only with VC2 and not with
> VC1, when initiated from MCU. I tried with another panasonic VC
> hardware, there was no change.
> 
> Further packet dump analysis showed that for VC1, there are 3 h225
> packets (setup, call proceeding and alert) before Connect message but
> for VC2 there are only 2 h225 packets (setup and alert) before connect
> message.
> 
> Is there a bug in nf_nat_h323 module or am I missing something?

It can be a bug/incompatibility with the H.323 implementation in the 
Panasonic device. However, first I'd make sure the MCU does not use 
hostname for VC1 instead of its IP address. Hostnames in the calls are not 
supported.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-07-25 20:41 ` Jozsef Kadlecsik
@ 2021-07-26  6:50   ` Akshat Kakkar
  2021-07-26  7:43     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 14+ messages in thread
From: Akshat Kakkar @ 2021-07-26  6:50 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

MCU is using IP only to dial to VC1 and not hostname.

I went through packet capture and find everything in line with the
standard. Just that it is sending "CS : Call Proceeding" packet which
is an optional packet but it is part of standard.
I can share pcap file if needed.

On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
>
> Hello,
>
> On Sat, 24 Jul 2021, Akshat Kakkar wrote:
>
> > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> >
> > There is a Linux firewall between VCs and MCU.
> >
> > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > There is no natting for MCU IP as it is routable.
> >
> > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> >
> > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > h225: CS connect packet is correctly replaced by the natted IP.
> >
> > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > correctly only for VC2 and not for VC1. For VC1, it is still its
> > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> >
> > Because of this, video call is successful only with VC2 and not with
> > VC1, when initiated from MCU. I tried with another panasonic VC
> > hardware, there was no change.
> >
> > Further packet dump analysis showed that for VC1, there are 3 h225
> > packets (setup, call proceeding and alert) before Connect message but
> > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > message.
> >
> > Is there a bug in nf_nat_h323 module or am I missing something?
>
> It can be a bug/incompatibility with the H.323 implementation in the
> Panasonic device. However, first I'd make sure the MCU does not use
> hostname for VC1 instead of its IP address. Hostnames in the calls are not
> supported.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics
>           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-07-26  6:50   ` Akshat Kakkar
@ 2021-07-26  7:43     ` Jozsef Kadlecsik
  2021-07-27 13:32       ` Akshat Kakkar
  0 siblings, 1 reply; 14+ messages in thread
From: Jozsef Kadlecsik @ 2021-07-26  7:43 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: NetFilter

On Mon, 26 Jul 2021, Akshat Kakkar wrote:

> MCU is using IP only to dial to VC1 and not hostname.
> 
> I went through packet capture and find everything in line with the
> standard. Just that it is sending "CS : Call Proceeding" packet which
> is an optional packet but it is part of standard.
> I can share pcap file if needed.

Could you enable dynamic debugging in the kernel and enable it for the 
nf_conntrack_h323 module? Then please repeate the testing with the 
working and not working VCs and send the generated kernel debug log 
messages.

Best regards,
Jozsef 
> On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> >
> > Hello,
> >
> > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> >
> > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > >
> > > There is a Linux firewall between VCs and MCU.
> > >
> > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > There is no natting for MCU IP as it is routable.
> > >
> > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > >
> > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > h225: CS connect packet is correctly replaced by the natted IP.
> > >
> > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > >
> > > Because of this, video call is successful only with VC2 and not with
> > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > hardware, there was no change.
> > >
> > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > packets (setup, call proceeding and alert) before Connect message but
> > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > message.
> > >
> > > Is there a bug in nf_nat_h323 module or am I missing something?
> >
> > It can be a bug/incompatibility with the H.323 implementation in the
> > Panasonic device. However, first I'd make sure the MCU does not use
> > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > supported.
> >
> > Best regards,
> > Jozsef
> > -
> > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics
> >           H-1525 Budapest 114, POB. 49, Hungary
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-07-26  7:43     ` Jozsef Kadlecsik
@ 2021-07-27 13:32       ` Akshat Kakkar
  2021-08-02  8:42         ` Akshat Kakkar
  0 siblings, 1 reply; 14+ messages in thread
From: Akshat Kakkar @ 2021-07-27 13:32 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

Hi Jozsef,

For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
the generated debug log:

[Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
[  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
[  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
[  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
[  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
[  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
[  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
[  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
[  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
[  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
[  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
[  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
[  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
[  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
[  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
[  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
[  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
[  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
[  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
[  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
[  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
[  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
[  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
[  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
[  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513


However, for the panasonic VC1 i.e. the VC which is having issue,
there are no debug log generated. absolutely nothing.

On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
>
> On Mon, 26 Jul 2021, Akshat Kakkar wrote:
>
> > MCU is using IP only to dial to VC1 and not hostname.
> >
> > I went through packet capture and find everything in line with the
> > standard. Just that it is sending "CS : Call Proceeding" packet which
> > is an optional packet but it is part of standard.
> > I can share pcap file if needed.
>
> Could you enable dynamic debugging in the kernel and enable it for the
> nf_conntrack_h323 module? Then please repeate the testing with the
> working and not working VCs and send the generated kernel debug log
> messages.
>
> Best regards,
> Jozsef
> > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > >
> > > Hello,
> > >
> > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > >
> > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > >
> > > > There is a Linux firewall between VCs and MCU.
> > > >
> > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > There is no natting for MCU IP as it is routable.
> > > >
> > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > >
> > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > >
> > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > >
> > > > Because of this, video call is successful only with VC2 and not with
> > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > hardware, there was no change.
> > > >
> > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > packets (setup, call proceeding and alert) before Connect message but
> > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > message.
> > > >
> > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > >
> > > It can be a bug/incompatibility with the H.323 implementation in the
> > > Panasonic device. However, first I'd make sure the MCU does not use
> > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > supported.
> > >
> > > Best regards,
> > > Jozsef
> > > -
> > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > Address : Wigner Research Centre for Physics
> > >           H-1525 Budapest 114, POB. 49, Hungary
> >
>
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics
>           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-07-27 13:32       ` Akshat Kakkar
@ 2021-08-02  8:42         ` Akshat Kakkar
  2021-08-02 18:20           ` Jozsef Kadlecsik
  0 siblings, 1 reply; 14+ messages in thread
From: Akshat Kakkar @ 2021-08-02  8:42 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

Hi Jozsef,

Any idea how to go about?

On Tue, Jul 27, 2021 at 7:02 PM Akshat Kakkar <akshat.1984@gmail.com> wrote:
>
> Hi Jozsef,
>
> For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> the generated debug log:
>
> [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
>
>
> However, for the panasonic VC1 i.e. the VC which is having issue,
> there are no debug log generated. absolutely nothing.
>
> On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> >
> > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> >
> > > MCU is using IP only to dial to VC1 and not hostname.
> > >
> > > I went through packet capture and find everything in line with the
> > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > is an optional packet but it is part of standard.
> > > I can share pcap file if needed.
> >
> > Could you enable dynamic debugging in the kernel and enable it for the
> > nf_conntrack_h323 module? Then please repeate the testing with the
> > working and not working VCs and send the generated kernel debug log
> > messages.
> >
> > Best regards,
> > Jozsef
> > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > >
> > > > Hello,
> > > >
> > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > >
> > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > >
> > > > > There is a Linux firewall between VCs and MCU.
> > > > >
> > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > There is no natting for MCU IP as it is routable.
> > > > >
> > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > >
> > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > >
> > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > >
> > > > > Because of this, video call is successful only with VC2 and not with
> > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > hardware, there was no change.
> > > > >
> > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > message.
> > > > >
> > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > >
> > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > supported.
> > > >
> > > > Best regards,
> > > > Jozsef
> > > > -
> > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > Address : Wigner Research Centre for Physics
> > > >           H-1525 Budapest 114, POB. 49, Hungary
> > >
> >
> > -
> > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics
> >           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-02  8:42         ` Akshat Kakkar
@ 2021-08-02 18:20           ` Jozsef Kadlecsik
  2021-08-03  6:33             ` Akshat Kakkar
  0 siblings, 1 reply; 14+ messages in thread
From: Jozsef Kadlecsik @ 2021-08-02 18:20 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: NetFilter

Hi Akshat,

On Mon, 2 Aug 2021, Akshat Kakkar wrote:

> > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > the generated debug log:

That can't be the full debug log, lines are missing/left out. What is the 
kernel version? Isn't there any output from the command

$ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c

> > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> >
> > However, for the panasonic VC1 i.e. the VC which is having issue,
> > there are no debug log generated. absolutely nothing.

Best regards,
Jozsef

> > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > >
> > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > >
> > > > MCU is using IP only to dial to VC1 and not hostname.
> > > >
> > > > I went through packet capture and find everything in line with the
> > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > is an optional packet but it is part of standard.
> > > > I can share pcap file if needed.
> > >
> > > Could you enable dynamic debugging in the kernel and enable it for the
> > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > working and not working VCs and send the generated kernel debug log
> > > messages.
> > >
> > > Best regards,
> > > Jozsef
> > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > >
> > > > > Hello,
> > > > >
> > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > >
> > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > >
> > > > > > There is a Linux firewall between VCs and MCU.
> > > > > >
> > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > There is no natting for MCU IP as it is routable.
> > > > > >
> > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > >
> > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > >
> > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > >
> > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > hardware, there was no change.
> > > > > >
> > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > message.
> > > > > >
> > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > >
> > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > supported.
> > > > >
> > > > > Best regards,
> > > > > Jozsef
> > > > > -
> > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > Address : Wigner Research Centre for Physics
> > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > >
> > >
> > > -
> > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > Address : Wigner Research Centre for Physics
> > >           H-1525 Budapest 114, POB. 49, Hungary
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-02 18:20           ` Jozsef Kadlecsik
@ 2021-08-03  6:33             ` Akshat Kakkar
  2021-08-03  7:30               ` Akshat Kakkar
  2021-08-03  8:03               ` Jozsef Kadlecsik
  0 siblings, 2 replies; 14+ messages in thread
From: Akshat Kakkar @ 2021-08-03  6:33 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

My kernel is 4.4.82. It may be demotivating, I know.

However, the logs shared by me, though very less, still shows clearly
that for Panasonic VC packets the module isn't treating this as a q931
packet (or cs:connect of h.225) and hence not processed.

As far as output of the command is concerned, there is no .c file with
that name.

when I try to find files having 323 in the name in /usr/src path using
following command

        find . -name *323*

Following is the output:
./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_types.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_asn1.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/i2c/lm8323.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3234.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3232.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/conntrack/h323.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/nat/h323.h
./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/cm3232.h


On Mon, Aug 2, 2021 at 11:50 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
>
> Hi Akshat,
>
> On Mon, 2 Aug 2021, Akshat Kakkar wrote:
>
> > > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > > the generated debug log:
>
> That can't be the full debug log, lines are missing/left out. What is the
> kernel version? Isn't there any output from the command
>
> $ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c
>
> > > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > >
> > > However, for the panasonic VC1 i.e. the VC which is having issue,
> > > there are no debug log generated. absolutely nothing.
>
> Best regards,
> Jozsef
>
> > > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > >
> > > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > > >
> > > > > MCU is using IP only to dial to VC1 and not hostname.
> > > > >
> > > > > I went through packet capture and find everything in line with the
> > > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > > is an optional packet but it is part of standard.
> > > > > I can share pcap file if needed.
> > > >
> > > > Could you enable dynamic debugging in the kernel and enable it for the
> > > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > > working and not working VCs and send the generated kernel debug log
> > > > messages.
> > > >
> > > > Best regards,
> > > > Jozsef
> > > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > > >
> > > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > > >
> > > > > > > There is a Linux firewall between VCs and MCU.
> > > > > > >
> > > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > > There is no natting for MCU IP as it is routable.
> > > > > > >
> > > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > > >
> > > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > > >
> > > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > > >
> > > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > > hardware, there was no change.
> > > > > > >
> > > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > > message.
> > > > > > >
> > > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > > >
> > > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > > supported.
> > > > > >
> > > > > > Best regards,
> > > > > > Jozsef
> > > > > > -
> > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > Address : Wigner Research Centre for Physics
> > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > >
> > > >
> > > > -
> > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > Address : Wigner Research Centre for Physics
> > > >           H-1525 Budapest 114, POB. 49, Hungary
> >
>
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics
>           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-03  6:33             ` Akshat Kakkar
@ 2021-08-03  7:30               ` Akshat Kakkar
  2021-08-03  8:07                 ` Jozsef Kadlecsik
  2021-08-03  8:03               ` Jozsef Kadlecsik
  1 sibling, 1 reply; 14+ messages in thread
From: Akshat Kakkar @ 2021-08-03  7:30 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

I feel the bug can be in this section :

/* If the calling party is on the same side of the forward-to party,
 * we don't need to track the second call
 */
static int callforward_do_filter(struct net *net,
const union nf_inet_addr *src,
const union nf_inet_addr *dst,
u_int8_t family)



... where it is wrongly assumed that the calling party is on the same
side of the forward-to party. In case of natting (like a virtual-ip)
and dial-out, the initial call will look to be on the same side but it
is after natting that forward-to party is known. In my case, the
initial call is from 172.16.1.100 to 172.16.1.120 which looks to be on
the same side. But after natting, it changes to 10.1.1.12 which is on
the other side i.e. it becomes a call from 172.16.1.100 to 10.1.1.12.

It's just a wild guess.

On Tue, Aug 3, 2021 at 12:03 PM Akshat Kakkar <akshat.1984@gmail.com> wrote:
>
> My kernel is 4.4.82. It may be demotivating, I know.
>
> However, the logs shared by me, though very less, still shows clearly
> that for Panasonic VC packets the module isn't treating this as a q931
> packet (or cs:connect of h.225) and hence not processed.
>
> As far as output of the command is concerned, there is no .c file with
> that name.
>
> when I try to find files having 323 in the name in /usr/src path using
> following command
>
>         find . -name *323*
>
> Following is the output:
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_types.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_asn1.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/i2c/lm8323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3234.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3232.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/conntrack/h323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/nat/h323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/cm3232.h
>
>
> On Mon, Aug 2, 2021 at 11:50 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> >
> > Hi Akshat,
> >
> > On Mon, 2 Aug 2021, Akshat Kakkar wrote:
> >
> > > > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > > > the generated debug log:
> >
> > That can't be the full debug log, lines are missing/left out. What is the
> > kernel version? Isn't there any output from the command
> >
> > $ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c
> >
> > > > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > > > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > >
> > > > However, for the panasonic VC1 i.e. the VC which is having issue,
> > > > there are no debug log generated. absolutely nothing.
> >
> > Best regards,
> > Jozsef
> >
> > > > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > >
> > > > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > > > >
> > > > > > MCU is using IP only to dial to VC1 and not hostname.
> > > > > >
> > > > > > I went through packet capture and find everything in line with the
> > > > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > > > is an optional packet but it is part of standard.
> > > > > > I can share pcap file if needed.
> > > > >
> > > > > Could you enable dynamic debugging in the kernel and enable it for the
> > > > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > > > working and not working VCs and send the generated kernel debug log
> > > > > messages.
> > > > >
> > > > > Best regards,
> > > > > Jozsef
> > > > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > > > >
> > > > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > > > >
> > > > > > > > There is a Linux firewall between VCs and MCU.
> > > > > > > >
> > > > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > > > There is no natting for MCU IP as it is routable.
> > > > > > > >
> > > > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > > > >
> > > > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > > > >
> > > > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > > > >
> > > > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > > > hardware, there was no change.
> > > > > > > >
> > > > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > > > message.
> > > > > > > >
> > > > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > > > >
> > > > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > > > supported.
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Jozsef
> > > > > > > -
> > > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > > Address : Wigner Research Centre for Physics
> > > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > > >
> > > > >
> > > > > -
> > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > Address : Wigner Research Centre for Physics
> > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > >
> >
> > -
> > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics
> >           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-03  6:33             ` Akshat Kakkar
  2021-08-03  7:30               ` Akshat Kakkar
@ 2021-08-03  8:03               ` Jozsef Kadlecsik
  2021-08-03  8:04                 ` Akshat Kakkar
  1 sibling, 1 reply; 14+ messages in thread
From: Jozsef Kadlecsik @ 2021-08-03  8:03 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: NetFilter

On Tue, 3 Aug 2021, Akshat Kakkar wrote:

> My kernel is 4.4.82. It may be demotivating, I know.
> 
> However, the logs shared by me, though very less, still shows clearly
> that for Panasonic VC packets the module isn't treating this as a q931
> packet (or cs:connect of h.225) and hence not processed.
> 
> As far as output of the command is concerned, there is no .c file with
> that name.

Then do you have the full source code of the running kernel? Or do you 
have only the header files? At the moment I have got an 4.4.244 kernel 
tree and it does contain net/netfilter/nf_conntrack_h323_main.c.

Best regards,
Jozsef

> when I try to find files having 323 in the name in /usr/src path using
> following command
> 
>         find . -name *323*
> 
> Following is the output:
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_types.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_asn1.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/i2c/lm8323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3234.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3232.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/conntrack/h323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/nat/h323.h
> ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/cm3232.h
> 
> 
> On Mon, Aug 2, 2021 at 11:50 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> >
> > Hi Akshat,
> >
> > On Mon, 2 Aug 2021, Akshat Kakkar wrote:
> >
> > > > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > > > the generated debug log:
> >
> > That can't be the full debug log, lines are missing/left out. What is the
> > kernel version? Isn't there any output from the command
> >
> > $ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c
> >
> > > > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > > > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > >
> > > > However, for the panasonic VC1 i.e. the VC which is having issue,
> > > > there are no debug log generated. absolutely nothing.
> >
> > Best regards,
> > Jozsef
> >
> > > > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > >
> > > > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > > > >
> > > > > > MCU is using IP only to dial to VC1 and not hostname.
> > > > > >
> > > > > > I went through packet capture and find everything in line with the
> > > > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > > > is an optional packet but it is part of standard.
> > > > > > I can share pcap file if needed.
> > > > >
> > > > > Could you enable dynamic debugging in the kernel and enable it for the
> > > > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > > > working and not working VCs and send the generated kernel debug log
> > > > > messages.
> > > > >
> > > > > Best regards,
> > > > > Jozsef
> > > > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > > > >
> > > > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > > > >
> > > > > > > > There is a Linux firewall between VCs and MCU.
> > > > > > > >
> > > > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > > > There is no natting for MCU IP as it is routable.
> > > > > > > >
> > > > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > > > >
> > > > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > > > >
> > > > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > > > >
> > > > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > > > hardware, there was no change.
> > > > > > > >
> > > > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > > > message.
> > > > > > > >
> > > > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > > > >
> > > > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > > > supported.
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Jozsef
> > > > > > > -
> > > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > > Address : Wigner Research Centre for Physics
> > > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > > >
> > > > >
> > > > > -
> > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > Address : Wigner Research Centre for Physics
> > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > >
> >
> > -
> > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics
> >           H-1525 Budapest 114, POB. 49, Hungary
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-03  8:03               ` Jozsef Kadlecsik
@ 2021-08-03  8:04                 ` Akshat Kakkar
  2021-08-03  8:06                   ` Akshat Kakkar
  0 siblings, 1 reply; 14+ messages in thread
From: Akshat Kakkar @ 2021-08-03  8:04 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

For me also its same. only header files.

On Tue, Aug 3, 2021 at 1:33 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
>
> On Tue, 3 Aug 2021, Akshat Kakkar wrote:
>
> > My kernel is 4.4.82. It may be demotivating, I know.
> >
> > However, the logs shared by me, though very less, still shows clearly
> > that for Panasonic VC packets the module isn't treating this as a q931
> > packet (or cs:connect of h.225) and hence not processed.
> >
> > As far as output of the command is concerned, there is no .c file with
> > that name.
>
> Then do you have the full source code of the running kernel? Or do you
> have only the header files? At the moment I have got an 4.4.244 kernel
> tree and it does contain net/netfilter/nf_conntrack_h323_main.c.
>
> Best regards,
> Jozsef
>
> > when I try to find files having 323 in the name in /usr/src path using
> > following command
> >
> >         find . -name *323*
> >
> > Following is the output:
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_types.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_asn1.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/i2c/lm8323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3234.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3232.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/conntrack/h323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/nat/h323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/cm3232.h
> >
> >
> > On Mon, Aug 2, 2021 at 11:50 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > >
> > > Hi Akshat,
> > >
> > > On Mon, 2 Aug 2021, Akshat Kakkar wrote:
> > >
> > > > > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > > > > the generated debug log:
> > >
> > > That can't be the full debug log, lines are missing/left out. What is the
> > > kernel version? Isn't there any output from the command
> > >
> > > $ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c
> > >
> > > > > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > > > > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > >
> > > > > However, for the panasonic VC1 i.e. the VC which is having issue,
> > > > > there are no debug log generated. absolutely nothing.
> > >
> > > Best regards,
> > > Jozsef
> > >
> > > > > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > >
> > > > > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > > > > >
> > > > > > > MCU is using IP only to dial to VC1 and not hostname.
> > > > > > >
> > > > > > > I went through packet capture and find everything in line with the
> > > > > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > > > > is an optional packet but it is part of standard.
> > > > > > > I can share pcap file if needed.
> > > > > >
> > > > > > Could you enable dynamic debugging in the kernel and enable it for the
> > > > > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > > > > working and not working VCs and send the generated kernel debug log
> > > > > > messages.
> > > > > >
> > > > > > Best regards,
> > > > > > Jozsef
> > > > > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > > > > >
> > > > > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > > > > >
> > > > > > > > > There is a Linux firewall between VCs and MCU.
> > > > > > > > >
> > > > > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > > > > There is no natting for MCU IP as it is routable.
> > > > > > > > >
> > > > > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > > > > >
> > > > > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > > > > >
> > > > > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > > > > >
> > > > > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > > > > hardware, there was no change.
> > > > > > > > >
> > > > > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > > > > message.
> > > > > > > > >
> > > > > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > > > > >
> > > > > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > > > > supported.
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > > Jozsef
> > > > > > > > -
> > > > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > > > Address : Wigner Research Centre for Physics
> > > > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > > > >
> > > > > >
> > > > > > -
> > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > Address : Wigner Research Centre for Physics
> > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > >
> > >
> > > -
> > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > Address : Wigner Research Centre for Physics
> > >           H-1525 Budapest 114, POB. 49, Hungary
> >
>
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics
>           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-03  8:04                 ` Akshat Kakkar
@ 2021-08-03  8:06                   ` Akshat Kakkar
  0 siblings, 0 replies; 14+ messages in thread
From: Akshat Kakkar @ 2021-08-03  8:06 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: NetFilter

I mean ... only header files. No c files.

On Tue, Aug 3, 2021 at 1:34 PM Akshat Kakkar <akshat.1984@gmail.com> wrote:
>
> For me also its same. only header files.
>
> On Tue, Aug 3, 2021 at 1:33 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> >
> > On Tue, 3 Aug 2021, Akshat Kakkar wrote:
> >
> > > My kernel is 4.4.82. It may be demotivating, I know.
> > >
> > > However, the logs shared by me, though very less, still shows clearly
> > > that for Panasonic VC packets the module isn't treating this as a q931
> > > packet (or cs:connect of h.225) and hence not processed.
> > >
> > > As far as output of the command is concerned, there is no .c file with
> > > that name.
> >
> > Then do you have the full source code of the running kernel? Or do you
> > have only the header files? At the moment I have got an 4.4.244 kernel
> > tree and it does contain net/netfilter/nf_conntrack_h323_main.c.
> >
> > Best regards,
> > Jozsef
> >
> > > when I try to find files having 323 in the name in /usr/src path using
> > > following command
> > >
> > >         find . -name *323*
> > >
> > > Following is the output:
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_types.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_asn1.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/i2c/lm8323.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3234.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3232.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/conntrack/h323.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/nat/h323.h
> > > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/cm3232.h
> > >
> > >
> > > On Mon, Aug 2, 2021 at 11:50 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > >
> > > > Hi Akshat,
> > > >
> > > > On Mon, 2 Aug 2021, Akshat Kakkar wrote:
> > > >
> > > > > > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > > > > > the generated debug log:
> > > >
> > > > That can't be the full debug log, lines are missing/left out. What is the
> > > > kernel version? Isn't there any output from the command
> > > >
> > > > $ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c
> > > >
> > > > > > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > > > > > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > >
> > > > > > However, for the panasonic VC1 i.e. the VC which is having issue,
> > > > > > there are no debug log generated. absolutely nothing.
> > > >
> > > > Best regards,
> > > > Jozsef
> > > >
> > > > > > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > > >
> > > > > > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > > > > > >
> > > > > > > > MCU is using IP only to dial to VC1 and not hostname.
> > > > > > > >
> > > > > > > > I went through packet capture and find everything in line with the
> > > > > > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > > > > > is an optional packet but it is part of standard.
> > > > > > > > I can share pcap file if needed.
> > > > > > >
> > > > > > > Could you enable dynamic debugging in the kernel and enable it for the
> > > > > > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > > > > > working and not working VCs and send the generated kernel debug log
> > > > > > > messages.
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Jozsef
> > > > > > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > > > > > >
> > > > > > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > > > > > >
> > > > > > > > > > There is a Linux firewall between VCs and MCU.
> > > > > > > > > >
> > > > > > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > > > > > There is no natting for MCU IP as it is routable.
> > > > > > > > > >
> > > > > > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > > > > > >
> > > > > > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > > > > > >
> > > > > > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > > > > > >
> > > > > > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > > > > > hardware, there was no change.
> > > > > > > > > >
> > > > > > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > > > > > message.
> > > > > > > > > >
> > > > > > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > > > > > >
> > > > > > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > > > > > supported.
> > > > > > > > >
> > > > > > > > > Best regards,
> > > > > > > > > Jozsef
> > > > > > > > > -
> > > > > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > > > > Address : Wigner Research Centre for Physics
> > > > > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > > > > >
> > > > > > >
> > > > > > > -
> > > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > > Address : Wigner Research Centre for Physics
> > > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > >
> > > >
> > > > -
> > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > Address : Wigner Research Centre for Physics
> > > >           H-1525 Budapest 114, POB. 49, Hungary
> > >
> >
> > -
> > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics
> >           H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-08-03  7:30               ` Akshat Kakkar
@ 2021-08-03  8:07                 ` Jozsef Kadlecsik
  0 siblings, 0 replies; 14+ messages in thread
From: Jozsef Kadlecsik @ 2021-08-03  8:07 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: NetFilter

On Tue, 3 Aug 2021, Akshat Kakkar wrote:

> I feel the bug can be in this section :
> 
> /* If the calling party is on the same side of the forward-to party,
>  * we don't need to track the second call
>  */

Those lines are from net/netfilter/nf_conntrack_h323_main.c ...

> static int callforward_do_filter(struct net *net,
> const union nf_inet_addr *src,
> const union nf_inet_addr *dst,
> u_int8_t family)
>  
> ... where it is wrongly assumed that the calling party is on the same
> side of the forward-to party. In case of natting (like a virtual-ip)
> and dial-out, the initial call will look to be on the same side but it
> is after natting that forward-to party is known. In my case, the
> initial call is from 172.16.1.100 to 172.16.1.120 which looks to be on
> the same side. But after natting, it changes to 10.1.1.12 which is on
> the other side i.e. it becomes a call from 172.16.1.100 to 10.1.1.12.

According to your original mail

> I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).

the VCs share the same network. So if the comment above would be wrong,
then both VCs would not work.

Best regards,
Jozsef

> On Tue, Aug 3, 2021 at 12:03 PM Akshat Kakkar <akshat.1984@gmail.com> wrote:
> >
> > My kernel is 4.4.82. It may be demotivating, I know.
> >
> > However, the logs shared by me, though very less, still shows clearly
> > that for Panasonic VC packets the module isn't treating this as a q931
> > packet (or cs:connect of h.225) and hence not processed.
> >
> > As far as output of the command is concerned, there is no .c file with
> > that name.
> >
> > when I try to find files having 323 in the name in /usr/src path using
> > following command
> >
> >         find . -name *323*
> >
> > Following is the output:
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_types.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/netfilter/nf_conntrack_h323_asn1.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/linux/i2c/lm8323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3234.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/rtc/drv/ds3232.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/conntrack/h323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/nf/nat/h323.h
> > ./kernels/4.4.82-1.el7.elrepo.x86_64/include/config/cm3232.h
> >
> >
> > On Mon, Aug 2, 2021 at 11:50 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > >
> > > Hi Akshat,
> > >
> > > On Mon, 2 Aug 2021, Akshat Kakkar wrote:
> > >
> > > > > For the VC which is working (i.e. VC2, IP:172.16.1.120) following are
> > > > > the generated debug log:
> > >
> > > That can't be the full debug log, lines are missing/left out. What is the
> > > kernel version? Isn't there any output from the command
> > >
> > > $ grep 'pr_debug("nf_ct_q931' net/netfilter/nf_conntrack_h323_main.c
> > >
> > > > > [Jul27 17:29] nf_nat_q931: expect H.245 172.16.1.100:0->172.16.1.120:5516
> > > > > [  +0.249944] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > [  +0.000021] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > [  +0.003265] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > [  +0.007606] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > [  +0.000010] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5506
> > > > > [  +0.000004] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5507
> > > > > [  +0.004337] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > [  +0.000010] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > [  +0.000007] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5508
> > > > > [  +0.000007] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5509
> > > > > [  +0.006028] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > [  +0.001171] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > [  +0.000008] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5510
> > > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5511
> > > > > [  +0.003261] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > [  +0.000011] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > [  +0.000006] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > [  +0.000003] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > > [  +0.007889] nf_nat_h323: expect RTP 172.16.1.100:0->172.16.1.120:5512
> > > > > [  +0.000012] nf_nat_h323: expect RTCP 172.16.1.100:0->172.16.1.120:5513
> > > > >
> > > > > However, for the panasonic VC1 i.e. the VC which is having issue,
> > > > > there are no debug log generated. absolutely nothing.
> > >
> > > Best regards,
> > > Jozsef
> > >
> > > > > On Mon, Jul 26, 2021 at 1:13 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > >
> > > > > > On Mon, 26 Jul 2021, Akshat Kakkar wrote:
> > > > > >
> > > > > > > MCU is using IP only to dial to VC1 and not hostname.
> > > > > > >
> > > > > > > I went through packet capture and find everything in line with the
> > > > > > > standard. Just that it is sending "CS : Call Proceeding" packet which
> > > > > > > is an optional packet but it is part of standard.
> > > > > > > I can share pcap file if needed.
> > > > > >
> > > > > > Could you enable dynamic debugging in the kernel and enable it for the
> > > > > > nf_conntrack_h323 module? Then please repeate the testing with the
> > > > > > working and not working VCs and send the generated kernel debug log
> > > > > > messages.
> > > > > >
> > > > > > Best regards,
> > > > > > Jozsef
> > > > > > > On Mon, Jul 26, 2021 at 2:11 AM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > On Sat, 24 Jul 2021, Akshat Kakkar wrote:
> > > > > > > >
> > > > > > > > > I have 2 vc endpoints VC1 (Make:Panasonic, IP:10.1.1.11),
> > > > > > > > > VC2(make:Polycom,IP: 10.1.1.12) and 1 MCU (172.16.1.100).
> > > > > > > > >
> > > > > > > > > There is a Linux firewall between VCs and MCU.
> > > > > > > > >
> > > > > > > > > There is one to one nat configured for these 2 VCs (10.1.1.11  <-->
> > > > > > > > > 172.16.1.110, 10.1.1.12  <--> 172.16.1.120)
> > > > > > > > > There is no natting for MCU IP as it is routable.
> > > > > > > > >
> > > > > > > > > nf_nat_h323 and nf_conntrack_h323 module is enabled in the firewall.
> > > > > > > > >
> > > > > > > > > When VC1 and VC2 initiate call to MCU, everything works fine. Video
> > > > > > > > > call is successful for both VC1 and VC2. h245 IP address for tcp in
> > > > > > > > > h225: CS connect packet is correctly replaced by the natted IP.
> > > > > > > > >
> > > > > > > > > However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> > > > > > > > > call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> > > > > > > > > natting works fine but h245 IP address for tcp in h225:CS is replaced
> > > > > > > > > correctly only for VC2 and not for VC1. For VC1, it is still its
> > > > > > > > > actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> > > > > > > > >
> > > > > > > > > Because of this, video call is successful only with VC2 and not with
> > > > > > > > > VC1, when initiated from MCU. I tried with another panasonic VC
> > > > > > > > > hardware, there was no change.
> > > > > > > > >
> > > > > > > > > Further packet dump analysis showed that for VC1, there are 3 h225
> > > > > > > > > packets (setup, call proceeding and alert) before Connect message but
> > > > > > > > > for VC2 there are only 2 h225 packets (setup and alert) before connect
> > > > > > > > > message.
> > > > > > > > >
> > > > > > > > > Is there a bug in nf_nat_h323 module or am I missing something?
> > > > > > > >
> > > > > > > > It can be a bug/incompatibility with the H.323 implementation in the
> > > > > > > > Panasonic device. However, first I'd make sure the MCU does not use
> > > > > > > > hostname for VC1 instead of its IP address. Hostnames in the calls are not
> > > > > > > > supported.
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > > Jozsef
> > > > > > > > -
> > > > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > > > Address : Wigner Research Centre for Physics
> > > > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > > > > >
> > > > > >
> > > > > > -
> > > > > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > > > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > > > > Address : Wigner Research Centre for Physics
> > > > > >           H-1525 Budapest 114, POB. 49, Hungary
> > > >
> > >
> > > -
> > > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
> > > PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
> > > Address : Wigner Research Centre for Physics
> > >           H-1525 Budapest 114, POB. 49, Hungary
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Nf_nat_h323 module not working with Panasonic VCs
  2021-07-24 15:53 Nf_nat_h323 module not working with Panasonic VCs Akshat Kakkar
  2021-07-25 20:41 ` Jozsef Kadlecsik
@ 2021-08-03 11:44 ` Jozsef Kadlecsik
  1 sibling, 0 replies; 14+ messages in thread
From: Jozsef Kadlecsik @ 2021-08-03 11:44 UTC (permalink / raw)
  To: Akshat Kakkar; +Cc: NetFilter

Hello Akshat,

On Sat, 24 Jul 2021, Akshat Kakkar wrote:

> However, when there is a dial out from MCU to VCs (i.e. MCU initiate
> call to the natted IP (i.e. 172.16.1.110 and 172.16.1.120 of VCs),
> natting works fine but h245 IP address for tcp in h225:CS is replaced
> correctly only for VC2 and not for VC1. For VC1, it is still its
> actual IP (i.e. 10.1.1.12 and not 172.16.1.120).
> 
> Because of this, video call is successful only with VC2 and not with
> VC1, when initiated from MCU. I tried with another panasonic VC
> hardware, there was no change.
> 
> Further packet dump analysis showed that for VC1, there are 3 h225
> packets (setup, call proceeding and alert) before Connect message but
> for VC2 there are only 2 h225 packets (setup and alert) before connect
> message.

Could you send me the full packet dump of both cases?

When the debugging is enabled, there should be debug lines in the kernel 
log for the VC1 case too. It's really strange that there isn't any.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2021-08-03 11:45 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-24 15:53 Nf_nat_h323 module not working with Panasonic VCs Akshat Kakkar
2021-07-25 20:41 ` Jozsef Kadlecsik
2021-07-26  6:50   ` Akshat Kakkar
2021-07-26  7:43     ` Jozsef Kadlecsik
2021-07-27 13:32       ` Akshat Kakkar
2021-08-02  8:42         ` Akshat Kakkar
2021-08-02 18:20           ` Jozsef Kadlecsik
2021-08-03  6:33             ` Akshat Kakkar
2021-08-03  7:30               ` Akshat Kakkar
2021-08-03  8:07                 ` Jozsef Kadlecsik
2021-08-03  8:03               ` Jozsef Kadlecsik
2021-08-03  8:04                 ` Akshat Kakkar
2021-08-03  8:06                   ` Akshat Kakkar
2021-08-03 11:44 ` Jozsef Kadlecsik

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).