[Bug 522] New: SIP helper(?) mangles packets even when inactive
bugzilla-daemon at bugzilla.netfilter.org
Fri Oct 6 18:46:29 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=522
Summary: SIP helper(?) mangles packets even when inactive
Product: netfilter/iptables
Version: linux-2.6.x
Platform: x86_64
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: unknown
AssignedTo: laforge at netfilter.org
ReportedBy: kas at fi.muni.cz
I use a netfilter-based firewall (currently Fedora Core 5/x86_64 with three
gigabit NICs). The firewall does not use NAT, does not use conntrack-based rules
(-m state), and does not use the mangle rules. However, I have the conntrack
support compiled in, as I plan to move the firewall setup to the conntrack-based
configuration in the future. I have various helpers compiled in, including a SIP
helper.
Recently I had problems via SIP (ekiga client) to and from the outside world.
Using tcpdump I have discovered that when calling sip:user@ekiga.net, my
workstation sent all RTP traffic to the ekiga.net host, instead of the host
where the remote user has been logged in.
I ran tcpdump on both my local workstation and on the external interface of my
firewall, while calling from the outside host to the internal network.
It seems that the firewall mangles the SIP Invite packet: when received from the
outside interface the request line reads "INVITE:
sip:yenya@<ip.address.of.my.workstation>:5064;transport=udp", while when
received by my workstation, it reads "INVITE:
sip:yenya@213.186.62.145:5060;transport=udp" (the IP address here is the address
of the SIP server, ekiga.net).
After running "iptables -t raw -A PREROUTING -j NOTRACK" SIP calls work as
expected. But I think any helper (be it NAT or conntrack) shouldn't mangle
packets, unless the NAT is actually set up.
Details, including tcpdumps, available when requested. The kernel in question is
2.6.18.
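The two-point comparison described in the report can be automated; the following is an added example, not part of the original bug report. It parses the request line of the same SIP request captured at two points and reports which Request-URI fields changed in between. The payloads, the placeholder address 192.0.2.10 (standing in for the workstation address elided in the report) and the function names are constructed for illustration.

```python
import re

# Constructed sample payloads modelled on the report: one INVITE as seen on the
# firewall's external interface and again on the internal workstation.
# 192.0.2.10 is a placeholder for the workstation address elided in the report.
OUTSIDE = (b"INVITE sip:yenya@192.0.2.10:5064;transport=udp SIP/2.0\r\n"
           b"Via: SIP/2.0/UDP 213.186.62.145:5060\r\n"
           b"Call-ID: constructed-1@example\r\n\r\n")
INSIDE = (b"INVITE sip:yenya@213.186.62.145:5060;transport=udp SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 213.186.62.145:5060\r\n"
          b"Call-ID: constructed-1@example\r\n\r\n")

# METHOD SP scheme:[user@]host[:port][;params|?headers] SP SIP/2.0
REQUEST_LINE = re.compile(
    rb"^([A-Z]+) (sips?):(?:([^@;\s]+)@)?(\[[0-9A-Fa-f:.]+\]|[^:;?\s]+)"
    rb"(?::(\d+))?([;?]\S*)? SIP/2\.0$")

def parse_request_line(payload):
    """Return (method, user, host, port) from the first line of a SIP request."""
    first = payload.split(b"\r\n", 1)[0]
    m = REQUEST_LINE.match(first)
    if m is None:
        raise ValueError("not a SIP request line: %r" % first)
    method, scheme, user, host, port, _params = m.groups()
    default = 5061 if scheme == b"sips" else 5060  # port implied by the scheme
    return (method.decode(), (user or b"").decode(), host.decode().lower(),
            int(port) if port else default)

def header(payload, name):
    """Return the value of the first header called `name`, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if not line:  # blank line ends the header section
            break
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None

def compare_captures(before, after):
    """Map each changed Request-URI field to its (before, after) values."""
    if header(before, "Call-ID") != header(after, "Call-ID"):
        raise ValueError("payloads belong to different SIP dialogs")
    a, b = parse_request_line(before), parse_request_line(after)
    fields = ("method", "user", "host", "port")
    return {f: (x, y) for f, x, y in zip(fields, a, b) if x != y}

if __name__ == "__main__":
    print(compare_captures(OUTSIDE, INSIDE))
```

An empty result means the request line passed through the firewall unchanged; any entry identifies a field rewritten between the two capture points.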