Summary: ASTERISK-13010: Add netfilter functionality to asterisk to plumb NAT holes for RTP when running on NATting router
Reporter: Philip Prindeville (pprindeville)
Labels:
Date Opened: 2008-11-03 21:14:45.000-0600
Date Closed: 2011-06-07 14:03:04
Versions:
Frequency of

* Asterisk is running on an "edge" device which is also the firewall/router,
* and NAT is being used for SIP endpoints behind the firewall/PBX,
* and SIP transport is being used for trunking/peering on the "outside" as well, such that INVITES pass "through" the Asterisk platform,

it might be useful to add logic where Asterisk plumbs NAT holes for the RTP stream, then modifies the SDP information in the SIP INVITE messages to reflect the external address and port #'s.

This may be accomplished with the libnetfilter_conntrack API.

Will port to Asterisk 1.6 once I've tested this in our Asterisk 1.4.21 production environment (based on Astlinux 0.6.1).
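The two halves of the idea above (open a NAT mapping for each RTP/RTCP pair the offer advertises, then rewrite the SDP so the far end sees the outside address and ports) can be sketched without any netfilter code. The block below is an added illustration for this ticket, not Asterisk's or Astlinux's code and not a libnetfilter_conntrack call: the router-side mapping is modelled as a plain dictionary (a hypothetical `plumb_nat_holes()` stand-in), the parser is IPv4-only, and the sample offer, the inside address `192.168.1.10` and the outside address `203.0.113.5` are constructed values.

```python
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]            # (IPv4 address, UDP port)
Mapping = Dict[Endpoint, Endpoint]    # inside (addr, port) -> outside (addr, port)

MEDIA_RE = re.compile(r"^m=(\S+) (\d+)((?:/\d+)? .*)$")   # m=<media> <port>[/n] <proto> <fmts>
CONN_RE = re.compile(r"^c=IN IP4 (\S+)$")                  # c=IN IP4 <addr> (IPv4 only here)
RTCP_RE = re.compile(r"^a=rtcp:(\d+)(.*)$")                # a=rtcp:<port> [...] (RFC 3605)


def _split(lines: List[str]) -> Tuple[List[str], List[List[str]]]:
    """Separate the session-level header from each m= section."""
    header: List[str] = []
    sections: List[List[str]] = []
    for line in lines:
        if line.startswith("m="):
            sections.append([line])
        elif sections:
            sections[-1].append(line)
        else:
            header.append(line)
    return header, sections


def _conn_addr(lines: List[str]) -> Optional[str]:
    """Address from the first c= line in a block, if any."""
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            return m.group(1)
    return None


def media_endpoints(sdp: str) -> List[Endpoint]:
    """(address, RTP port) pairs the offer advertises; a media-level c= line
    overrides the session-level one, and port 0 means a rejected stream."""
    header, sections = _split(sdp.splitlines())
    session_addr = _conn_addr(header)
    found: List[Endpoint] = []
    for sec in sections:
        m = MEDIA_RE.match(sec[0])
        addr = _conn_addr(sec[1:]) or session_addr
        if m is None or addr is None or int(m.group(2)) == 0:
            continue
        found.append((addr, int(m.group(2))))
    return found


def plumb_nat_holes(endpoints: List[Endpoint], external_ip: str,
                    first_port: int = 10000) -> Mapping:
    """Stand-in for the router-side mapping the ticket wants conntrack to create:
    each inside RTP port gets an even outside port and RTP+1 (RTCP) the odd one
    above it, so the pair stays adjacent outside. Simplified model: no reuse,
    no timeout, no real netfilter call."""
    mapping: Mapping = {}
    ext_port = first_port
    for addr, port in endpoints:
        mapping[(addr, port)] = (external_ip, ext_port)
        mapping[(addr, port + 1)] = (external_ip, ext_port + 1)
        ext_port += 2
    return mapping


def rewrite_sdp(sdp: str, mapping: Mapping) -> str:
    """Return the SDP with every mapped c=, m= and a=rtcp: line pointing at the
    outside address/port. Unmapped streams and the o= line are left untouched."""
    header, sections = _split(sdp.splitlines())
    session_addr = _conn_addr(header)
    mapped_inside = {addr for addr, _ in mapping}
    external_ips = {addr for addr, _ in mapping.values()}
    out: List[str] = []
    for line in header:
        if CONN_RE.match(line) and session_addr in mapped_inside and len(external_ips) == 1:
            out.append(f"c=IN IP4 {next(iter(external_ips))}")   # one router, one outside IP
        else:
            out.append(line)
    for sec in sections:
        m = MEDIA_RE.match(sec[0])
        addr = _conn_addr(sec[1:]) or session_addr
        target = mapping.get((addr, int(m.group(2)))) if m and addr else None
        if target is None:
            out.extend(sec)          # nothing plumbed for this stream: leave it as-is
            continue
        ext_ip, ext_port = target
        out.append(f"m={m.group(1)} {ext_port}{m.group(3)}")
        for line in sec[1:]:
            rtcp = RTCP_RE.match(line)
            if CONN_RE.match(line):
                out.append(f"c=IN IP4 {ext_ip}")
            elif rtcp and (addr, int(rtcp.group(1))) in mapping:
                out.append(f"a=rtcp:{mapping[(addr, int(rtcp.group(1)))][1]}{rtcp.group(2)}")
            else:
                out.append(line)
    return "\r\n".join(out) + "\r\n"


# Constructed sample offer from a phone at 192.168.1.10 behind the PBX/router.
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.168.1.10", "s=-", "c=IN IP4 192.168.1.10", "t=0 0",
    "m=audio 4000 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000", "a=rtcp:4001",
    "m=video 0 RTP/AVP 31",
]) + "\r\n"


def demo(external_ip: str = "203.0.113.5") -> Tuple[Mapping, str]:
    """Plumb holes for the sample offer and return (mapping, rewritten SDP)."""
    mapping = plumb_nat_holes(media_endpoints(SAMPLE_OFFER), external_ip)
    return mapping, rewrite_sdp(SAMPLE_OFFER, mapping)
```

Two things the rewrite alone does not cover and that the real module would have to: the SIP `Content-Length` header must be recomputed after the body changes (the port numbers are not the same width), and each hole should be bound to the peer learned from the answer and torn down on BYE or RTP timeout, otherwise the router accumulates open UDP mappings that any host can reach.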
Comments:

By: Russell Bryant (russell) 2008-11-03 21:30:28.000-0600

Is this a feature request, or are you saying that you are going to upload a patch?

By: Jason Parker (jparker) 2008-11-04 13:32:59.000-0600

Unfortunately, we won't be able to accept this contribution, based on the licensing of libnetfilter_conntrack (and all of netfilter).

If you were to somehow make all this live in a module outside of chan_sip.c/rtp.c, it could potentially be placed into asterisk-addons, but I suspect that will be very much non-trivial and likely not worth the effort.

By: Russell Bryant (russell) 2008-11-04 13:46:54.000-0600

If you'd like to discuss a potential architecture for doing this in a way that we could accept, let's talk on the asterisk-dev list.  Thanks!

By: Olle Johansson (oej) 2008-11-04 13:55:08.000-0600

I really think this is a cool idea, and we had some discussions along these lines at Astridevcon. I know that John Todd wrote down a lot about the architecture we came up with; let's see if we can find that and discuss it on the mailing list.

Thanks for wanting to contribute; let's solve these issues and get the functionality in there.

By: John Todd (jtodd) 2008-11-04 14:41:34.000-0600

For more thoughts that had been put forward, here's the outline of what I had come up with as a straw man.


This certainly isn't complete, but some of what you want is discussed in the content.  Perhaps you (pprindeville) could look at some of the code in the more liberally-licensed firewall stacks referenced in the Security-Framework document?  Or, alternately, this could just call an external routine via an API (license boundary) that adds/removes filters.

By: Philip Prindeville (pprindeville) 2009-11-05 15:59:48.000-0600

I'll start investigating this.

It might be possible to do this as a separate module which can then be built out-of-tree.

By: Olle Johansson (oej) 2010-04-03 09:22:02

I think we can base this on my NACL implementation moving forward.

By: Leif Madsen (lmadsen) 2010-05-18 13:36:23

Since this is a feature request without a patch, we'll have to close this issue; but if you feel like submitting a patch, please feel free to reopen it.