[SR-Users] Selective rport behaviour
Daniel Tryba
d.tryba at pocos.nl
Thu Sep 22 16:55:04 CEST 2016
On Thu, Sep 22, 2016 at 09:58:33AM -0400, Alex Balashov wrote:
> Normally, we just force_rport() on all incoming requests so that we reply to
> the real source port of the request, since most endpoints on this
> installation are NAT'd.
>
> However, occasionally we run into a scenario where an ALG or misconfigured
> client incorrectly inserts an rport attribute into its topmost Via, and
> really expects to receive a response at the address/port indicated in the
> Via (i.e. 5060).
You can never trust "client" headers/devices IMHO. And I never had
problems with force_rport, so logically force_rport overrides anything
the "client" sends.
> Does Kamailio offer a means of dealing with these on a selective basis?
> Would refraining from calling force_rport() be enough? Or would it be
> necessary to set reply_to_via=1 as well, thus breaking symmetrical behaviour
> for the vast majority of the NAT'd endpoints?
>
> In other words, I'm not 100% clear on the following:
>
> 1) What impact does force_rport() have if an 'rport' attribute is sent by
> the client?
>
> In this case, there should be nothing to "force"; I assume that if the
> 'rport' attribute is placed by the client, then the proxy will return
> replies to the source port of the request even if force_rport() is not
> called, because that's the RFC 3581-compatible thing to do. Right?
force_rport sets the flag FL_FORCE_RPORT, and the helpful comments say the following:
* - if the original via contains rport / rport=something or msg->msg_flags
* FL_FORCE_RPORT is set (e.g. script force_rport() cmd) rport=src_port
* is added (over previous rport / as first via param or after received
* if no received was present and received is added too)
and
/* check if rport needs to be updated:
* - if FL_FORCE_RPORT is set add it (and del. any previous version)
* - if via already contains an rport add it and overwrite the previous
* rport value if present (if you don't want to overwrite the previous
* version remove the comments) */
> 2) Does reply_to_via=1 override the behaviour hypothesised in #1?
> 3) Does reply_to_via=1 override force_rport()?
force_rport seems to override any rport available in via, so reply_to_via
has no additional effects.
More information about the sr-users
mailing list