sr-users November 2022

sr-users@lists.kamailio.org

42 participants
57 discussions

Start a nNew thread

Re: [SR-Users] $Rp variable seems to contain wrong port

by Luis Azedo

have you tried to use $T_rpl($Rp) ?

2 years

$Rp variable seems to contain wrong port

by Ross McKillop

Hi All, At the risk of possibly dragging up an old thread (https://lists.kamailio.org/pipermail/sr-users/2021-June/112791.html <https://lists.kamailio.org/pipermail/sr-users/2021-June/112791.html>) I’m seeing unusual behaviour where $Rp is still showing what I think is the ‘wrong’ behaviour, but given Daniel’s reply on the earlier thread I want to be sure this isn’t the intended behaviour. The thread above confirms that $Rp is not taken from the IP layer but is intended to give the attribute of the listen socket associated with the SIP traffic, which is fine and what I’m expecting, but in my case it doesn’t seem to be working this way. (I’ve tried with and without tcp_reuse_port=yes and tcp_connection_match=1 too just in case one of the above parameters has changed this behaviour) If Kamailio listening on multiple ports e.g. listen=tcp:10.30.22.73:7701 listen=tcp:10.30.22.73:7702 listen=tcp:10.30.22.73:7703 listen=tls:10.30.22.73:7801 listen=tls:10.30.22.73:7802 listen=tls:10.30.22.73:7803 And I use $fs to force the socket of an outbound message to one of the above before t_relay() it works as expected (with tcp_reuse_port it originates from the given port number above, without that set it will originate from a different ephemeral port even to the same destination, so $fs is working as expected) Then, in reply_route{} I have a simple line to add the port it was received on to the headers (I’ve also tried with $RAp) append_hf("X-Rcvd-Port: $Rp\r\n”); In every case, the reply seems to contain the *first* port of the protocol type (so in the above example every TCP reply irrespective of whether it is to 7701/02/03 will show $Rp 7701, and every TLS reply will show 7801) Any advice or insight anyone can offer would be much appreciated. Thanks, Ross

2 years

Siptrace and Kamailio "stress" test

by Igor Olhovskiy

Hello, Found an interesting scenario, maybe something could be done here. I have a siptrace module configured like modparam("siptrace", "duplicate_uri", "sip:<MY_HOMER_SERVER>:9060") modparam("siptrace", "hep_mode_on", 1) modparam("siptrace", "trace_to_database", 0) modparam("siptrace", "trace_on", 1) modparam("siptrace", "hep_version", 3) modparam("siptrace", "trace_mode", 1) When Kamailio is under stress test (sipflood via OPTIONS/TLS), with this settings it transfers all flood to HOMER server. At some point Kamailio just stops accepting any new TLS connections. Turning off siptrace solves this issue. As I got, siptrace module is not changing protocol of the message (means not converting TCP/UDP) or so. Could it be possible, that at some point siptrace "eats" all TCP connections (especially if remote HOMER is down or not answering) which leads Kamailio to stop processing any new connections? And is it possible to send HEP traffic only via UDP to prevent this? Yes, sure other option is to trace only "legal" traffic -- Best regards, Ihor (Igor)

2 years

Pipelimit needs restart to reload values

by Duarte Rocha

Greetings, I've been using the pipelimit module and the pl_check function to control users rates in my proxy. if (!pl_check("$var(UserID)", "TAILDROP", "$var(UserRate)")) { pl_drop(); exit; } In this case $var(UserID) is the pipe and $var(UserRate) is the maximum rate. The value of the rate is retrieved on every call via query to a DB. If I change the UserRate value to 0 CPS on the DB calls are not rejected unless they go over 1 CPS. However, if I restart Kamailio all calls are correctly rejected. Why does this happen? Can I change this behaviour? Cheers, Duarte

2 years

Appending new branches via external means

by Alex Balashov

Hi, Is there a means of appending new branches from config script for a transaction which is already proceeding in the background, without using `tsilo`? That is to say, I have an async transaction which is resumed in an async worker and is t_relay()’d away to some destination. Meanwhile, I have learned about new destinations for it to try via an incoming registration, and would like to append additional parallel forking branches to that transaction, even though it is already proceeding. ts_append() does this for me; the issue I have is that it is mediated through a registrar, but I am not a registrar. My registrar is upstream, and my proxy is just a front-end to it. So, in essence, I require something like `tsilo` at a more general level, where contacts can be populated by some other mechanism rather than being learned via callbacks out of `usrloc`. Is there a way to accomplish this? Cheers, — Alex -- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/

2 years

consume_credentials not working on PRACK?

by Benoit Panizzon

Hi List I noticed, that one of our CPE copies the Proxy-Authorization HF in almost all messages sent. As PRACK were not authenticated, those headers were potentially sent on to the destination disclosing the authentication username and realm. So assuming, if credentials are present, the client wishes them to be validated, I added: if (has_credentials("$fd")) { xlog("L_INFO", "$cfg(route): got $rm with credentials. Validate them!\n"); route(AUTH); } and in route[AUTH] I call: pv_auth_check() which returns 1 thus success upon which I use: if(!is_method("REGISTER|PUBLISH")) consume_credentials(); If the method is INVITE: Proxy-Authorization HF is removed by consume_credentials() if the method is PRACK: Proxy-Authorization HF is still present on the outbound leg. Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

2 years

Authentication: Is it possible to ignore realm? How to avoice unnecessary challenge because of changed realm?

by Benoit Panizzon

Hi As mentioned in the last email, we have a CPE which adds credentials to any request so I would like to validate them. We use $rd as realm. Let's use example.com as example. During the initial INVITE, this works as expected. I try to only show the headers I think are relevant to the issue I face. INVITE sip:1234@example.com SIP/2.0 Proxy-Authorization: [...] realm="example.com" Contact: <sip:9876@192.168.1.1:5060> Authentication user in realm "example.com" == $rd is validated and accepted. The connection is establised: 200 OK From: <sip:9876@example.com>;tag=1 To: <sip:1234@example.com>;tag=2 Contact: <sip:1234@192.168.7.7:5060> The caller terminates the connection: BYE: sip:1234@192.168.7.7:5060 SIP/2.0 From: <sip:9876@example.com>;tag=1 To: <sip:1234@example.com>;tag=2 Proxy-Authorization: [...] realm="example.com" Performing: $var(authres) = pv_auth_check("$rd", "$avp(authsecret)", "0", "1"); fails wirh result -5 as there is no authsecret for realm "192.168.7.7" So an unnecessarey challenge is issued: SIP/2.0 407 Proxy Authentication Required To: <sip:1234@example.com> From: <sip:9876@example.com> CSeq: 3 BYE Proxy-Authenticate: Digest realm="192.168.7.7" To which the client replies with the changed realm: Proxy-Authorization: Digest username="****",realm="157.161.7.7",[...] and succeeds authentication. Is there a way to accept 'any' realm? Or to avoid this unnecessary change of realm just because the remote site submitted a domain realm in the contact header? Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

2 years

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

sr-users November 2022