Patches item #1671611, was opened at 2007-03-01 12:59
Message generated for change (Settings changed) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1671611&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
>Category: modules
>Group: ver devel
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Marcus Hunger (marcushunger)
>Assigned to: Bogdan (bogdan_iancu)
Summary: nathelper: udpping_from (forged udpping source_ip)

Initial Comment:
Hi,

for some loadbalancing setups it might be interesting to spoof the natping's source-ip on multiple hosts so the pings would appear to come from the same host. I created a patch for that. It uses raw-sockets and works for me on linux. I am not sure how portable this approach is, so some people might have a look on this to get it running on other platforms than linux.

Best regards,
Marcus

----------------------------------------------------------------------

Comment By: Marcus Hunger (marcushunger)
Date: 2007-06-26 13:22

Message:
Logged In: YES
user_id=1704473
Originator: YES

File Added: natping_bugfix.patch

----------------------------------------------------------------------

Comment By: Marcus Hunger (marcushunger)
Date: 2007-06-13 11:14

Message:
Logged In: YES
user_id=1704473
Originator: YES

Hi,

I updated the patch. Now it enables the nathelper to select the source-ip from the last path-element so if you have different loadbalancers in front of your proxy, natpings were sent with their ip. Set udpping_from_path to 1 to use it.

Also this patch allows you to send sipping-packets following the contacts path (as suggested in http://openser.org/pipermail/devel/2006-March/002143.html).

The patch is against branch 1.2.

File Added: natping.patch

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-03-23 09:26

Message:
Logged In: YES
user_id=1318360
Originator: NO

Hi!

I think this feature would also be interesting for stateless load balancers. E.g.
if you only want to route the initial request via the load balancer and all other traffic directly via the selected proxy. The dispatcher forwards the request without adding a Via header and spoofing the client's source address. Then the proxy would reply directly to the client bypassing the loadbalancer.

----------------------------------------------------------------------

Comment By: Carsten Bock (carstenbock)
Date: 2007-03-20 17:20

Message:
Logged In: YES
user_id=1488991
Originator: NO

Hi Marcus,

I agree, I also find your patch useful. Currently we forward the REGISTER to our loadbalancer to do the nat-pinging. I will be happy to skip this in the near future ;-)

Carsten

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-03-12 11:16

Message:
Logged In: YES
user_id=1318360
Originator: NO

Hi!

What about adding raw-sockets in general, not only for nathelper. E.g. when using force-Send_socket and the socket does not exist, a raw socket is used with spoofed IP address.

+: nice feature for testing or HA setup
-: easy spoofing for script kiddies

----------------------------------------------------------------------

Comment By: Marcus Hunger (marcushunger)
Date: 2007-03-01 17:03

Message:
Logged In: YES
user_id=1704473
Originator: YES

axlh,

to 1) Sounds interesting but I see a trust issue when using path information. Somehow the right path-element would have to be chosen as source for the natpings.

Another issue is that it seems quite hard for nathelper to obtain the path-information from usrloc. In the current implementation of nathelper's natping, all contacts are gathered from usrloc at once using get_all_ucontacts. The function does not deliver the contact's path, so an extra request to get_urecord would have to be made for every contact. This increases the complexity of the operation and results in a slow-down.
Another approach would be to modify get_all_ucontacts to additionally return the path but this would break compatibility. Any comments?

to 2) The raw socket is created at initialisation-time and persists even after dropping privileges. So there's no problem. :-)

Best regards,
Marcus

----------------------------------------------------------------------

Comment By: axlh (axlh)
Date: 2007-03-01 15:06

Message:
Logged In: YES
user_id=1212856
Originator: NO

Nice patch. I like the idea, but see 2 issues with the current implementation:

1) configuring 1 fixed source_ip doesn't handle a cluster of loadbalancers. I suggest using the path info stored in the location table instead of the parameter.

2) raw sockets require root privileges. There should be some way for OpenSER to drop all other unnecessary privileges when run as root.

----------------------------------------------------------------------
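
Added example, not part of the original thread or of the OpenSER patch: one way to handle the trust issue raised above when the natping source IP is taken from the last path-element, by accepting only addresses that belong to one's own load balancers and otherwise falling back to the local socket. The allowlist `trusted_lbs`, both function names, the sample Path values and the reading of "last" as the final element of the stored Path string are assumptions; the allowlist check itself goes beyond what the thread proposes.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical allowlist of our own load balancers (constructed addresses). */
static const char *trusted_lbs[] = { "192.0.2.10", "192.0.2.11" };

/* Copy the host of the last element of a stored Path value; 0 on success. */
static int last_path_host(const char *path, char *host, size_t len)
{
    const char *elem = strrchr(path, ',');
    const char *p = strstr(elem ? elem + 1 : path, "sip:");
    if (!p) return -1;
    p += 4;
    size_t user = strcspn(p, "@;>");          /* skip an optional user part */
    if (p[user] == '@') p += user + 1;
    size_t n = strcspn(p, ":;> \t\r\n");      /* host ends at port, param or '>' */
    if (n == 0 || n >= len) return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Returns 1 and sets *src only for an allowlisted IPv4 literal; 0 = do not spoof. */
int natping_source_from_path(const char *path, struct in_addr *src)
{
    char host[INET_ADDRSTRLEN];
    struct in_addr cand, lb;
    if (!path || last_path_host(path, host, sizeof host) != 0) return 0;
    if (inet_pton(AF_INET, host, &cand) != 1) return 0; /* no hostnames, no DNS */
    for (size_t i = 0; i < sizeof trusted_lbs / sizeof *trusted_lbs; i++)
        if (inet_pton(AF_INET, trusted_lbs[i], &lb) == 1 && lb.s_addr == cand.s_addr) {
            *src = cand;
            return 1;
        }
    return 0;
}

int main(void)
{
    /* Constructed Path values: trusted last hop, then an untrusted one. */
    const char *paths[] = { "<sip:198.51.100.7;lr>, <sip:192.0.2.11:5060;lr>",
                            "<sip:192.0.2.10;lr>, <sip:203.0.113.66;lr>" };
    struct in_addr src;
    for (int i = 0; i < 2; i++) {
        int ok = natping_source_from_path(paths[i], &src);
        printf("%s -> %s\n", paths[i], ok ? inet_ntoa(src) : "local socket");
    }
    return 0;
}
```

The check fails closed: hostnames, unparsable elements and addresses outside the allowlist all result in a ping from the normal local socket.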