On Fri, Apr 05, 2002 at 12:37:01PM -0600, Glover George wrote:
> Am I right in understanding this logic behind doing connection tracking?
> The first protocol involved that needs to be messed with is SIP.  Does

I've been spending quite some time digging into SIP and thinking about 
possible solutions for conntrack/NAT support for this protocol.  It's not
as easy as you think.  In certain fields of the SIP header, a hostname
instead of an IP can be used.  So how do you create an expectation for
a hostname?  Somebody would have to resolve the hostname into an IP
address and then cause an expectation for this IP address.  Stuff like
that can't be done from within the kernel, so you'd need some support
for an asynchronous DNS resolver in userspace.

Furthermore, what about encrypted or authenticated SIP/SDP?  You lose.

Please try to read the available documentation.  There is a Master thesis
on how to NAT SIP/SDP, which proposes a specific way of implementation.

The 'official' IETF approach on how to NAT SIP/SDP is that you have to
run some SIP proxy, which communicates the to-be-opened port and NAT mappings
over some protocol (formerly FCP, firewall configuration protocol) to the 
firewall.

As this seems to be a broader task, the IETF has formed the MIDCOM working
group, and FCP has been abandoned.  

Result:  There is no well-defined clean method of SIP firewall/NAT traversal
yet - and it will definitely take some more IETF drafts until MIDCOM will
publish some standards.

Please also see that SIP call scenarios can be fairly complex.  Signalling
is regularly taking a different path than data packets.   There's an 
IETF draft about 'example SIP call scenarios', which is about 260 pages.

So in the end this is quite a bit of work, and cannot be easily compared with
any of the existing conntrack/nat helpers.

There also need to be a few netfilter API changes in order to support SIP.
Stuff like port reservations.  And it also needs port reservations for 
two consecutive port numbers.  Or in the case you have audio and video,
four consecutive numbers, ...

> Thanks guys. I'm hoping I can get a grasp on this as much as possible.
> I see what I want to do, I just need to know more about the netfilter
> architecture.  

BTW: Please don't full quote at the end, that's not considered good 
behaviour on any of the mailinglists I know - people have the full threads
in their mailboxes and can navigate through them way more nicely. 

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)

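The reply above names two concrete obstacles for a SIP/SDP conntrack helper: the endpoint a helper would have to "expect" may be given as a hostname (which nothing in the kernel can resolve), and the NAT side needs runs of consecutive ports (RTP plus RTCP per media stream). The following Python model is added here as an illustration; it is not code from this thread or from the netfilter project. It builds a constructed INVITE (all hostnames under the reserved `.invalid` TLD, addresses from 192.0.2.0/24), derives the RTP/RTCP flows a helper would need to expect from the SDP `c=` and `m=` lines, flags any host that is a name rather than an IP literal, and reserves even-aligned consecutive public ports following the mail's "two for audio, four for audio and video" description. The function names, the sample message and the reservation rule are assumptions of this example.

```python
"""Toy model (constructed for this illustration, not netfilter code) of what a
SIP/SDP NAT helper would have to do: derive the RTP/RTCP flows to 'expect' from
the SDP body, flag endpoints given as hostnames (unresolvable in the kernel),
and reserve consecutive public ports on the NAT."""
import ipaddress
from dataclasses import dataclass


@dataclass
class MediaFlow:
    kind: str               # "audio" or "video"
    host: str               # c= connection address: IP literal or FQDN
    rtp_port: int           # even port from the m= line
    rtcp_port: int          # RTCP on the next, odd port
    needs_resolution: bool  # True when host is a name, not an IP literal


def is_ip_literal(host):
    """True for a v4/v6 address literal, False for a hostname (or None)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_invite(conn_host):
    """Constructed INVITE with an SDP body; conn_host goes into the c= line."""
    body = ("v=0\r\n"
            "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
            "s=-\r\n"
            f"c=IN IP4 {conn_host}\r\n"
            "t=0 0\r\n"
            "m=audio 49170 RTP/AVP 0\r\n"
            "m=video 51372 RTP/AVP 31\r\n")
    head = ("INVITE sip:bob@example.invalid SIP/2.0\r\n"
            "Via: SIP/2.0/UDP pc33.example.invalid;branch=z9hG4bK776asdhds\r\n"
            "From: Alice <sip:alice@example.invalid>;tag=1928301774\r\n"
            "To: Bob <sip:bob@example.invalid>\r\n"
            "Contact: <sip:alice@pc33.example.invalid>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n")
    return head + "\r\n" + body


def split_sip(message):
    """(request line, header dict, body); header names are lower-cased and the
    first occurrence wins, which is enough for this demo."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body


def signalling_hosts(headers):
    """Host part of Via and Contact, header fields that may carry a hostname
    instead of an IP; maps field -> (host, needs_resolution)."""
    found = {}
    if "via" in headers:      # "SIP/2.0/UDP host[:port];branch=..."
        found["via"] = headers["via"].split()[1].split(";")[0].split(":")[0]
    if "contact" in headers:  # "<sip:user@host[:port]>"
        contact = headers["contact"]
        uri = contact[contact.find("sip:") + 4:].rstrip(">")
        found["contact"] = uri.split("@")[-1].split(";")[0].split(":")[0]
    return {k: (h, not is_ip_literal(h)) for k, h in found.items()}


def expected_media_flows(message):
    """One RTP/RTCP pair per m= line, on the session-level c= address unless a
    media-level c= line (one that follows the m= line) overrides it."""
    _, headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    session_host, flows = None, []
    for line in body.splitlines():
        if line.startswith("c=IN "):
            host = line.split()[2]
            if flows:         # c= after an m= line is media-level
                flows[-1].host = host
                flows[-1].needs_resolution = not is_ip_literal(host)
            else:
                session_host = host
        elif line.startswith("m="):
            kind, port, _proto, *_fmts = line[2:].split()
            port = int(port)
            flows.append(MediaFlow(kind, session_host, port, port + 1,
                                   not is_ip_literal(session_host)))
    return flows


def reserve_consecutive(free_ports, count):
    """Reserve the lowest even-aligned run of `count` free public ports (2 for
    audio, 4 for audio plus video, per the mail's model), remove them from the
    pool and return the first port; None when no such run is free."""
    for start in sorted(free_ports):
        run = range(start, start + count)
        if start % 2 == 0 and all(p in free_ports for p in run):
            free_ports.difference_update(run)
            return start
    return None
```

Running `expected_media_flows(build_invite("pc33.example.invalid"))` yields flows whose `needs_resolution` is set, which is exactly the case a kernel helper cannot turn into an expectation on its own; the same message with an IP literal in `c=` yields flows the helper could act on directly. `reserve_consecutive` shows why a per-port allocator is not enough: once the pool is fragmented, a four-port run may be unavailable even though four scattered free ports exist.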