Hi
I am seeing strange behavior with local port assignment when proxying out a locally generated request. Kamailio is 4.2.1 from git.
I use MI pua_subscribe to create a subscription to be handled by an external presence server.
In event_route[tm:local-request] I set $du to point back to the proxy itself.
When the request hits the initial request_route, I add some headers, change the request URI and prepare a failure_route for later uac_auth() processing. So far so good, and TLS packets are flying to the correct destination.
Here is the trouble: when I observe outgoing TLS traffic with tcpdump, I can see that the local source port is not following what I set with force_send_socket(). I tried to place force_send_socket() in request_route, branch_route, and tm:local-request, but it is always some random high port (>30000), never the intended one. I am trying to set it to the same as my TLS listening socket.
Is my usage somehow incorrect? What should I try next to make Kamailio use a constant source port?
Relevant config snippet below (IP address and domain part are obscured).
---
mhomed=1
listen=udp:A.B.C.D:5041
listen=tls:A.B.C.D:5041

request_route {
    route(REQINIT);
    if ( blahblah... ) {
        $ru = "sip:" + $rU + "@domain.part.invalid;transport=tls";
        $avp(uac_auth) = 0;
        route(PR_HDRS);
        route(PR_TRIGGERS);
        force_send_socket(A.B.C.D:5041);
        t_newtran();
        route(RELAY);
    }
}

route[PR_HDRS] {
    remove_hf("User-Agent");
    insert_hf("User-Agent: pua_subscribe\r\n","Call-ID");
}

route[PR_TRIGGERS] {
    t_on_branch("PR_BRANCH");
    t_on_failure("PR_FAILURE");
}

branch_route[PR_BRANCH] {
    force_send_socket(A.B.C.D:5041);
}

failure_route[PR_FAILURE] {
    if ( $avp(uac_auth) == 0 && ($T_reply_code == 401 or $T_reply_code == 407) ) {
        uac_auth();
        $avp(uac_auth) = 1;
        route(PR_TRIGGERS);
        route(RELAY);
    }
}

event_route [tm:local-request] {
    force_send_socket(A.B.C.D:5041);
    $du = "sip:A.B.C.D:5041";
}

route[RELAY] {
    # is from default config
}
---
I found these recent commits, bugs and threads somehow relating to force_send_socket and tm:local-request:
http://sip-router.org/tracker/index.php?do=details&task_id=462
http://lists.sip-router.org/pipermail/sr-users/2014-August/084459.html
dbd8ea9b1fa216e59d4c36e2eb4b671202824259 http://lists.sip-router.org/pipermail/sr-dev/2014-September/024984.html
e404d123610b63ddd1c75d39667b373c40071eab http://lists.sip-router.org/pipermail/sr-dev/2014-September/024977.html
Some additional information:
OS is Linux Debian Wheezy 7.6 on amd64
pua_subscribe is launched like this: kamcmd mi pua_subscribe sip:+35812345789@A.B.C.D:5041 sip:myproxy.fqdn.invalid presence 3600
Mikko Lehto writes:
> Here is the trouble: when I observe outgoing TLS traffic with tcpdump, I can see that the local source port is not following what I set with force_send_socket(). I tried to place force_send_socket() in request_route, branch_route, and tm:local-request, but it is always some random high port (>30000), never the intended one. I am trying to set it to the same as my TLS listening socket.
my understanding is that force_send_socket forces outbound connection to use a particular socket kamailio is listening at. it does not mean that source port would be the one of the listening socket. in case of tcp (and tls) the source port is always a random one. only the destination port can be predetermined.
-- juha
Juha Heinanen jh@tutpro.com:
> in case of tcp (and tls) the source port is always a random one. only the destination port can be predetermined.
OK, thanks. I'll go with that then.
Actually I can see non-random port with TLS... ...but that's with Homer + sip_trace() captured traffic. I'll write another thread about that.
On 13/01/15 00:28, Mikko Lehto wrote:
> Juha Heinanen jh@tutpro.com:
>> in case of tcp (and tls) the source port is always a random one. only the destination port can be predetermined.
> OK, thanks. I'll go with that then.
> Actually I can see non-random port with TLS... ...but that's with Homer + sip_trace() captured traffic. I'll write another thread about that.
I checked the code and there is a bind() to local socket before doing tcp connect(). That should preserve the source port of the local address (socket) Kamailio is listening on. However, it is not guaranteed that the OS can do that, if there is an overlap on (source ip, source port, destination ip, destination port) with another connection. From the code, a warning message should be printed in logs. It also depends on OS and kernel versions.
Apparently the next link is a good article about it (didn't have time to read it all):
- https://idea.popcount.org/2014-04-03-bind-before-connect/
Cheers, Daniel
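
The bind()-before-connect() behaviour described in the reply above, as an added C example that is not taken from the Kamailio source or from anyone in this thread. It assumes a loopback listener standing in for the remote server; the helper names (loopback, local_port, make_listener, connect_from) and all ports are constructed for the illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not Kamailio code; the loopback peer and ports are constructed. */
static struct sockaddr_in loopback(unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return a;
}

/* Local port of a socket: the source port tcpdump would show. */
static unsigned short local_port(int fd) {
    struct sockaddr_in a; socklen_t len = sizeof a;
    return getsockname(fd, (struct sockaddr *)&a, &len) < 0 ? 0 : ntohs(a.sin_port);
}

/* Listener on 127.0.0.1 with an OS-chosen port, standing in for the remote server. */
static int make_listener(void) {
    struct sockaddr_in a = loopback(0);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 8) < 0)
        return -1;
    return fd;
}

/* bind() to sport (skipped when 0), then connect(); -1 if either call is refused. */
static int connect_from(unsigned short sport, unsigned short dport) {
    struct sockaddr_in src = loopback(sport), dst = loopback(dport);
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if ((sport && bind(fd, (struct sockaddr *)&src, sizeof src) < 0) ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    int peer = make_listener(), tmp = make_listener();
    unsigned short dport = local_port(peer), sport = local_port(tmp);
    close(tmp); /* tmp only served to find a free port */
    printf("bound: %u (asked %u)\n", local_port(connect_from(sport, dport)), sport);
    printf("same 4-tuple again: fd %d\n", connect_from(sport, dport));
}
```

The second attempt is refused because the first connection still holds the same (source ip, source port, destination ip, destination port); whether the refusal comes from bind() or from connect() depends on the OS.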