Summary: ASTERISK-04000: [patch] fix peer matching for multiple peers at the same IP address in 'insecure' mode
Reporter: Kevin P. Fleming (kpfleming)
Labels:
Date Opened: 2005-04-27 12:15:33
Date Closed: 2011-06-07 14:10:18
Versions:
Frequency of
Environment:
Attachments: ( 0) 4024HeadCommit.txt
( 1) sipportinvite.1-0.patch
Description: To clarify, here's the scenario:

Insecure = very

Peers behind NAT

Peer-1 has IP port 5060
Peer-2 has IP port 5061

Call sent to * from the peer-2 ID. Call is processed and handled in * as Peer-1 or Peer-2 depending on match lookup in 'find_peer', which returns the peer struct for the first addr_in match that is found.

Either find_peer needs to look up by 'peername' if available, or should compare ports.

Right now, it is non-deterministic in its failure. If it were deterministic, it'd be a 'feature not a bug', but since it is non-deterministic, then surely it's hard to claim * is doing the right thing.

Comments:

By: Kevin P. Fleming (kpfleming) 2005-04-27 12:16:07

Changes made directly in CVS, no patch present in bug.

By: damin (damin) 2005-05-02 15:33:08

Can we get an idea of what was changed in CVS head so that we can backport this to stable please? Like a diff of what changed?

By: Michael Jerris (mikej) 2005-06-02 00:09:42

Attached 4024HeadCommit.txt which is what was actually committed for this bug in head. Drumkilla, this fixes a real bug but also changes a config option to work differently:

-;insecure=yes ; To match a peer based by IP address only and not peer name
-;insecure=very ; To allow registered hosts to call without re-authenticating
+;insecure=port ; Allow matching of peer by IP address without matching port number
+;insecure=invite ; Do not require authentication of incoming INVITEs
+;insecure=port,invite ; (both)
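
Review bot: the two removed lines ('insecure=yes' and 'insecure=very') leave the sample config with no statement of what happens to existing files that still set those values; add a comment line saying whether they are still accepted and which of the new keywords they correspond to. The 'insecure=port,invite ; (both)' line would also benefit from spelling out the combined effect, since per the two comments above it a peer is then matched by IP address alone and its incoming INVITEs are not authenticated.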

How would you like to handle this one in stable?

By: Russell Bryant (russell) 2005-07-07 17:16:58

I guess the best thing to do in this case is to support the new options since they fix an actual bug.  However, in the case of 1.0, we should support the old options and have them maintain their original behavior.

'yes' would be the same thing as 'port'
'very' is the same as 'port,invite'

However, the patch for 1.0 will be very different, mostly because of the transition to bit fields.
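
Added example, not part of the original thread and not Asterisk's code: a C illustration of the address-only lookup problem from the description, next to a port-aware lookup, plus the legacy-value mapping given in the comment above. All names (parse_insecure, find_peer_by_addr, the flag macros, struct peer) are hypothetical, and the two peers at 192.0.2.10 are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Asterisk's chan_sip.c. */
#define INSECURE_PORT   (1u << 0) /* match peer by IP, ignore source port */
#define INSECURE_INVITE (1u << 1) /* do not authenticate incoming INVITEs */
#define DEMO_IP 0xC000020Au       /* constructed: 192.0.2.10, shared NAT address */
struct peer { const char *name; uint32_t ip; uint16_t port; unsigned insecure; };
/* Constructed sample: two peers behind one NAT address, different ports. */
static const struct peer demo_peers[] = {
    { "peer-1", DEMO_IP, 5060, INSECURE_PORT | INSECURE_INVITE },
    { "peer-2", DEMO_IP, 5061, INSECURE_PORT | INSECURE_INVITE },
};

/* Parse insecure=; legacy yes/very keep the meaning given in the thread. */
unsigned parse_insecure(const char *value)
{
    char buf[64];
    unsigned flags = 0;
    if (!strcmp(value, "yes"))  return INSECURE_PORT;
    if (!strcmp(value, "very")) return INSECURE_PORT | INSECURE_INVITE;
    snprintf(buf, sizeof(buf), "%s", value);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (!strcmp(tok, "port"))   flags |= INSECURE_PORT;
        if (!strcmp(tok, "invite")) flags |= INSECURE_INVITE;
    }
    return flags;
}

/* check_port=0: reported behaviour, first peer at the IP wins.
 * check_port=1: exact IP:port first, IP-only fallback for INSECURE_PORT peers. */
const struct peer *find_peer_by_addr(const struct peer *p, size_t n,
                                     uint32_t ip, uint16_t port, int check_port)
{
    const struct peer *fallback = NULL;
    for (size_t i = 0; i < n; i++) {
        if (p[i].ip != ip) continue;
        if (!check_port || p[i].port == port) return &p[i];
        if (!fallback && (p[i].insecure & INSECURE_PORT)) fallback = &p[i];
    }
    return fallback;
}

int main(void)
{   /* An INVITE arriving from peer-2's address and port (5061). */
    printf("ip only: %s\n", find_peer_by_addr(demo_peers, 2, DEMO_IP, 5061, 0)->name);
    printf("ip+port: %s\n", find_peer_by_addr(demo_peers, 2, DEMO_IP, 5061, 1)->name);
    return 0;
}
```

With address-only matching the call from port 5061 is attributed to peer-1, so it is handled with peer-1's settings; comparing ports first resolves it to peer-2.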

By: Russell Bryant (russell) 2005-07-07 18:36:19

Here it is!  I haven't tested it yet, and I would also like someone to review the code to check my sanity.  :)

By: Russell Bryant (russell) 2005-07-11 18:18:23

added to 1.0