A few months ago I downloaded example config files, as a way of learning openser, but I'm not 100% sure where I got them.
One of them has this header:
# $Id: nat-rtpproxy.cfg 9 2005-08-19 15:30:55Z /CN=Greger V. Teigre/emailAddress=greger@onsip.org $
I just found (re-found?) at onsip.org->downloads->Getting Started, a later version of nat-rtpproxy.cfg with this header:
# $Id: nat-rtpproxy.cfg 51 2006-01-31 13:28:04Z /CN=Paul Hazlett/emailAddress=paul@onsip.org $
and they appear different only in the loose_route handling:
OLD:
    if (loose_route()) {
        if (has_totag() && (method=="INVITE" || method=="ACK")) {
            if (nat_uac_test("19")) {
                setflag(6);
                force_rport();
                fix_nated_contact();
            };
            force_rtp_proxy("l");
        };
        route(1);
        break;
    };
NEW:
    if (loose_route()) {
        if ((method=="INVITE" || method=="REFER") && !has_totag()) {
            sl_send_reply("403", "Forbidden");
            break;
        };
        if (method=="INVITE") {
            if (!proxy_authorize("","subscriber")) {
                proxy_challenge("","0");
                break;
            } else if (!check_from()) {
                sl_send_reply("403", "Use From=ID");
                break;
            };
            consume_credentials();
            if (nat_uac_test("19")) {
                setflag(6);
                force_rport();
                fix_nated_contact();
            };
            force_rtp_proxy("l");
        };
        route(1);
        break;
    };
Now, who wants to take a stab at explaining why this was changed?
Why was ACK checked for in the old version and not the new? (my guess: zero length message body messes with force_rtp_proxy)
Why does that INVITE logic appear in the new loose_route handler? What case does that handle that the later "if (method == INVITE)" doesn't handle? Does this have something to do with re-INVITES?
For convenience, the two files are here: http://a.mainstreet.net/nat-rtpproxy.5.0.cfg http://a.mainstreet.net/nat-rtpproxy-2006.cfg
And do we openser people have our own set of sample config files somewhere on openser.org?
Thanks, -mark
On 08/21/06 23:47, Mark Kent wrote:
> A few months ago I downloaded example config files, as a way of learning openser, but I'm not 100% sure where I got them.
> One of them has this header:
> # $Id: nat-rtpproxy.cfg 9 2005-08-19 15:30:55Z /CN=Greger V. Teigre/emailAddress=greger@onsip.org $
> I just found (re-found?) at onsip.org->downloads->Getting Started, a later version of nat-rtpproxy.cfg with this header:
> # $Id: nat-rtpproxy.cfg 51 2006-01-31 13:28:04Z /CN=Paul Hazlett/emailAddress=paul@onsip.org $
> and they appear different only in the loose_route handling:
> OLD:
>     if (loose_route()) {
>         if (has_totag() && (method=="INVITE" || method=="ACK")) {
>             if (nat_uac_test("19")) {
>                 setflag(6);
>                 force_rport();
>                 fix_nated_contact();
>             };
>             force_rtp_proxy("l");
>         };
>         route(1);
>         break;
>     };
> NEW:
>     if (loose_route()) {
>         if ((method=="INVITE" || method=="REFER") && !has_totag()) {
>             sl_send_reply("403", "Forbidden");
>             break;
>         };
>         if (method=="INVITE") {
>             if (!proxy_authorize("","subscriber")) {
>                 proxy_challenge("","0");
>                 break;
>             } else if (!check_from()) {
>                 sl_send_reply("403", "Use From=ID");
>                 break;
>             };
>             consume_credentials();
>             if (nat_uac_test("19")) {
>                 setflag(6);
>                 force_rport();
>                 fix_nated_contact();
>             };
>             force_rtp_proxy("l");
>         };
>         route(1);
>         break;
>     };
> Now, who wants to take a stab at explaining why this was changed?
The newer version has improvements in security. The INVITEs are authenticated before being processed. Also, it does not allow INVITEs with Route headers (unless the last route is the proxy) but no To tag.
> Why was ACK checked for in the old version and not the new? (my guess: zero length message body messes with force_rtp_proxy)
The ACK may contain a body with SDP, and that has to be processed with nathelper. But most of the UAs do not do so.
> Why does that INVITE logic appear in the new loose_route handler? What case does that handle that the later "if (method == INVITE)" doesn't handle? Does this have something to do with re-INVITES?
Yes, those should be re-INVITEs.
Cheers, Daniel
> For convenience, the two files are here: http://a.mainstreet.net/nat-rtpproxy.5.0.cfg http://a.mainstreet.net/nat-rtpproxy-2006.cfg
> And do we openser people have our own set of sample config files somewhere on openser.org?
> Thanks, -mark
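
The difference between the two loose_route blocks discussed in this thread, modelled in Python as an added example (it is not part of either post or of the onsip.org configs). It assumes loose_route() can be approximated as "a Route header is present"; the authorized and from_ok arguments are stand-ins for the results of proxy_authorize() and check_from(), and the SIP requests are constructed samples.

```python
import re

def sip(method, to, route=True):
    """Build a constructed SIP request (sample data, not captured traffic)."""
    lines = [f"{method} sip:bob@example.com SIP/2.0",
             "From: <sip:alice@example.com>;tag=a1", f"To: {to}"]
    if route:
        lines.append("Route: <sip:proxy.example.com;lr>")
    return "\r\n".join(lines) + "\r\n\r\n"

def parse(msg):
    """Extract only what the two config branches look at."""
    lines = msg.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header section
            break
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    # The To tag is a header parameter, so look only after the closing '>'.
    to_params = hdrs.get("to", "").rpartition(">")[2]
    return {"method": lines[0].split()[0],
            "has_route": "route" in hdrs,   # assumption: stands in for loose_route()
            "has_totag": bool(re.search(r";\s*tag=", to_params, re.I))}

def decide_old(req):
    """2005 config: anything loose-routed is relayed, no authentication."""
    return "relay" if req["has_route"] else "not loose-routed"

def decide_new(req, authorized=False, from_ok=False):
    """2006 config; authorized/from_ok stand in for proxy_authorize()/check_from()."""
    if not req["has_route"]:
        return "not loose-routed"
    if req["method"] in ("INVITE", "REFER") and not req["has_totag"]:
        return "403 Forbidden"          # Route set but no dialog: rejected
    if req["method"] == "INVITE":       # re-INVITE inside a dialog
        if not authorized:
            return "407 challenge"      # proxy_challenge()
        if not from_ok:
            return "403 Use From=ID"
    return "relay"

PRELOADED = parse(sip("INVITE", "<sip:bob@example.com>"))
REINVITE = parse(sip("INVITE", "<sip:bob@example.com>;tag=b2"))
BYE = parse(sip("BYE", "<sip:bob@example.com>;tag=b2"))

if __name__ == "__main__":
    for name, req in (("preloaded INVITE", PRELOADED), ("re-INVITE", REINVITE), ("BYE", BYE)):
        print(f"{name:17} old={decide_old(req):8} new={decide_new(req)}")
```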