
Kamailio, non-primary IP addresses and TCP connections

Open cruzccl opened this issue 6 years ago • 1 comments

In IvozProvider, both on standalone and on distributed installations, at least one of the Kamailio processes listens on a non-primary IP address:

  • Standalone: if using two IPs, one of them is non-primary.

  • Distributed: both Kamailios bind to virtual IPs managed by a cluster.

When Kamailio initiates a TCP connection (for both TCP and TLS transports), instead of using the TCP/TLS IP:PORT defined in the corresponding listen directive, it asks the OS for a port. The OS replies with an IP:PORT of the primary IP and Kamailio warns:

<core> [core/tcp_main.c:1146]: tcp_do_connect(): could not find corresponding listening socket for A.B.C.D, using default...

This causes TCP connections with a source address different from the IP assigned to the proxy (which can lead to firewall problems on the other side).

tcp_reuse_port may skip this logic, but requires that the system on which Kamailio is running supports SO_REUSEPORT.

Configurations affected by this issue:

  • KamTrunks: PeerServers using TCP or TLS transport protocols.
  • KamUsers: Friends with direct-connectivity using TCP or TLS.
  • KamUsers: Retail accounts with direct-connectivity using TCP or TLS.

Consequences:

In all cases, if Kamailio is listening on a primary address, the connection uses an incorrect port. If running on a non-primary, it uses both an incorrect IP and port.

cruzccl, Jun 07 '18 10:06
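
The socket behaviour described in the issue above, as an added example (not code from Kamailio, IvozProvider or the issue author): an outgoing TCP connection gets an OS-chosen source port unless the socket is bound to the listen address before connecting, which requires SO_REUSEPORT on both sockets. The loopback address and all function names are assumptions made for the demonstration.

```python
import socket

LOCAL_IP = "127.0.0.1"  # constructed stand-in for the proxy's listen IP


def listener(reuse_port=False):
    """Listening TCP socket on LOCAL_IP with an OS-assigned port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuse_port:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind((LOCAL_IP, 0))
    s.listen(8)
    s.settimeout(5)
    return s


def source_seen_by_peer(peer, listen_addr=None):
    """Connect to peer; return the (ip, port) the peer sees as the source."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(5)
    try:
        if listen_addr is not None:
            # Pin the outgoing socket to the listen socket's IP:PORT.
            c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
            c.bind(listen_addr)
        c.connect(peer.getsockname())
        conn, seen = peer.accept()
        conn.close()
        return seen
    finally:
        c.close()


def demo():
    """Return (listen_addr, default_source, pinned_source), or None."""
    if not hasattr(socket, "SO_REUSEPORT"):
        return None  # platform cannot share the listen port
    peer, proxy = listener(), listener(reuse_port=True)
    try:
        listen_addr = proxy.getsockname()
        return (listen_addr, source_seen_by_peer(peer),
                source_seen_by_peer(peer, listen_addr))
    finally:
        peer.close()
        proxy.close()


if __name__ == "__main__":
    print(demo())
```

The second tuple shows the port a remote firewall would see by default; the third matches the listen address exactly.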

[Match]
Name=lan

[Network]
DHCP=no
Address=10.136.3.19/24
DNS=8.8.8.8

[Route]
Destination=0.0.0.0/0
Gateway=10.136.3.18

[Route]
Destination=10.122.235.0/24
Gateway=10.136.3.18
PreferredSource=158.51.225.1

Where the 158.51.225.1 IP address is configured on another interface. A similar config may be prepared using a secondary IP. Then check the route command output:

[root@wc-0 ~]# ip route show
default via 10.136.3.18 dev lan proto bird metric 32 
10.122.235.0/24 via 10.136.3.18 dev lan proto static src 158.51.225.1 
10.136.3.0/24 dev lan proto kernel scope link src 10.136.3.19

That means new socket connections towards 10.122.235.0/24 will be initiated using a socket with a 158.51.225.1 IP address.

sergey-safarov, Oct 21 '22 10:10