[Users] nat-rtpproxy.cfg

Daniel-Constantin Mierla daniel at voice-system.ro
Tue Aug 22 10:52:28 CEST 2006



On 08/21/06 23:47, Mark Kent wrote:
> A few months ago I downloaded example config files, as a way of
> learning openser, but I'm not 100% sure where I got them.
>
> One of them has this header:
>
> # $Id: nat-rtpproxy.cfg 9 2005-08-19 15:30:55Z 
>    /CN=Greger V. Teigre/emailAddress=greger at onsip.org $
>
> I just found (re-found?) at onsip.org->downloads->Getting Started,
> a later version of nat-rtpproxy.cfg with this header:
>
> # $Id: nat-rtpproxy.cfg 51 2006-01-31 13:28:04Z 
>    /CN=Paul Hazlett/emailAddress=paul at onsip.org $
>
> and they appear different only in the loose_route handling:
>
> OLD:
>    if (loose_route()) {
>       if (has_totag() && (method=="INVITE" || method=="ACK")) {
>          if (nat_uac_test("19")) {
>             setflag(6);
>             force_rport();
>             fix_nated_contact();
>          };
>          force_rtp_proxy("l");
>       };
>       route(1);
>       break;
>    };
>
> NEW:
>    if (loose_route()) {
>       if ((method=="INVITE" || method=="REFER") && !has_totag()) {
>          sl_send_reply("403", "Forbidden");
>          break;
>       };
>
>       if (method=="INVITE") {
>          if (!proxy_authorize("","subscriber")) {
>             proxy_challenge("","0");
>             break;
>          } else if (!check_from()) {
>             sl_send_reply("403", "Use From=ID");
>             break;
>          };
>          consume_credentials();
>
>          if (nat_uac_test("19")) {
>             setflag(6);
>             force_rport();
>             fix_nated_contact();
>          };
>          force_rtp_proxy("l");
>       };
>       route(1);
>       break;
>    };
>
> Now, who wants to take a stab at explaining why this was changed?
>   
The newer version has improvements in security. The INVITEs are 
authenticated before being processed. Also, it does not allow INVITEs 
with Route headers (unless the last route is the proxy) but no To tag.
> Why was ACK checked for in the old version and not the new?
> (my guess:  zero length message body messes with force_rtp_proxy)
>   
The ACK may contain a body with SDP, and that has to be processed with 
nathelper. But most UAs do not do so.

> Why does that INVITE logic appear in the new loose_route handler?
> What case does that handle that the later "if (method == INVITE)"
> doesn't handle?   Does this have something to do with re-INVITES?
>   
Yes, those should be re-INVITEs.

Cheers,
Daniel


> For convenience, the two files are here:
>  http://a.mainstreet.net/nat-rtpproxy.5.0.cfg
>  http://a.mainstreet.net/nat-rtpproxy-2006.cfg 
>
> And do we openser people have our own set of sample config
> files somewhere on openser.org?
>   

> Thanks,
> -mark
>   
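The difference between the OLD and NEW loose_route blocks discussed above, modelled as an added example that is not part of the original post or of either config file. It assumes loose_route() is true whenever a Route header is present (the "last route is the proxy" exception is not modelled), uses the `authorized` and `from_ok` arguments as stand-ins for proxy_authorize() and check_from(), and runs on constructed requests with placeholder example.org names.

```python
import re

def parse(raw):
    """Return (method, headers) for a raw SIP request; header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].split()[0], headers

def has_totag(headers):
    # Dialog tag is a header parameter after the URI: To: <sip:bob@example.org>;tag=x
    to = headers.get("to", [""])[0]
    return re.search(r";\s*tag=", to.split(">")[-1]) is not None

def old_verdict(method, headers):
    """OLD block: anything loose-routed reaches route(1) with no auth check."""
    return "relay" if "route" in headers else None

def new_verdict(method, headers, authorized=False, from_ok=True):
    """NEW block. authorized/from_ok stand in for proxy_authorize()/check_from()."""
    if "route" not in headers:  # assumption: loose_route() is true iff Route is present
        return None             # request falls through to the rest of the script
    if method in ("INVITE", "REFER") and not has_totag(headers):
        return "403 Forbidden"
    if method == "INVITE":
        if not authorized:
            return "407 challenge"
        if not from_ok:
            return "403 Use From=ID"
    return "relay"

def msg(method, to_tag=None, route=True):
    # Constructed sample request; example.org names are placeholders.
    to = "<sip:bob@example.org>" + (f";tag={to_tag}" if to_tag else "")
    rt = "Route: <sip:proxy.example.org;lr>\r\n" if route else ""
    return (f"{method} sip:bob@example.org SIP/2.0\r\n{rt}"
            f"From: <sip:alice@example.org>;tag=a1\r\nTo: {to}\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("Route + no To tag INVITE", msg("INVITE")),
                       ("re-INVITE", msg("INVITE", "b2")),
                       ("in-dialog BYE", msg("BYE", "b2"))]:
        m, h = parse(raw)
        print(f"{label}: old={old_verdict(m, h)} new={new_verdict(m, h)}")
```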



