Hello,
this proves again my theory that the best option one could get for conntrack and SELinux is to disable them completely ...
Anyhow, great that you reported back, I am sure it will help others over time.
Cheers, Daniel
On 11/03/16 14:49, Sebastian Damm wrote:
Hi,
just to resolve this thread, we found the reason for the problem. It occurs when we try sending out packets to a customer which look identical to netfilter at roughly the same time. Those could be, for example, forked calls to two extensions registered on the same device (a FRITZ Box, for example). Then netfilter tries to insert the same packet into its conntrack table twice, causing a collision, leading to a rejection of one of the packets.
We played around with different kernels, without success. The errors kept on coming as long as the nf_conntrack module was loaded, even if there was no iptables rule using it.
The only solution right now seems to be a stateless firewall and unloading the module.
Best Regards, Sebastian
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
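
A diagnostic sketch for the symptom discussed in this thread, added here as an example and not part of the original messages. It assumes the kernel exposes per-CPU conntrack statistics at /proc/net/stat/nf_conntrack and that the table-insert collisions described above are counted in the `insert_failed` and `drop` columns; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Sum one per-CPU counter from a file laid out like /proc/net/stat/nf_conntrack:
# line 1 holds column names, every later line is one CPU with hex values.
conntrack_counter() {
    name=$1
    file=${2:-/proc/net/stat/nf_conntrack}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    col=0 total=0 lineno=0
    while read -r line; do
        lineno=$((lineno + 1))
        set -- $line                      # split the row on whitespace
        if [ "$lineno" -eq 1 ]; then      # header: locate the column
            i=0
            for field in "$@"; do
                i=$((i + 1))
                if [ "$field" = "$name" ]; then col=$i; fi
            done
            [ "$col" -gt 0 ] || { echo "no column $name" >&2; return 3; }
            continue
        fi
        [ "$#" -ge "$col" ] || continue   # skip short or empty rows
        eval "hex=\${$col}"
        total=$((total + 0x$hex))
    done < "$file"
    echo "$total"
}

# True when the named module appears in a /proc/modules-style listing.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}"
}

# Constructed sample (two CPUs), not captured from a real host.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart
0000002a 00000000 00000000 00000000 00000011 00000007 00000000 00000000 00000000 0000000a 00000003 00000000 00000000 00000000 00000000 00000000 00000000
0000002a 00000000 00000000 00000000 00000002 00000001 00000000 00000000 00000000 00000005 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EOF

echo "insert_failed=$(conntrack_counter insert_failed "$SAMPLE")"
echo "drop=$(conntrack_counter drop "$SAMPLE")"
```

On a live host, call `conntrack_counter insert_failed` with no file argument twice, some seconds apart, and compare the readings; `module_loaded nf_conntrack` confirms whether the module is still present after a switch to stateless rules.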