freeswitch
ACL on incorrect IP address results in incorrect test on ACL
This problem has shown itself on WebRTC. WebRTC is moving to hide the local IP address with mDNS hostnames. For example:
a=candidate:2492242602 1 udp 2113937151 b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local 55693 typ host generation 0 network-cost 999
is a valid ICE candidate coming from CEF (Chrome), hiding the true local IPv4 network address (ref https://bloggeek.me/psa-mdns-and-local-ice-candidates-are-coming/).
Freeswitch is selecting this candidate incorrectly:
2020-06-17 17:46:48.077046 [WARNING] switch_core_media.c:4252 NO candidate ACL defined, Defaulting to wan.auto
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: host addr: b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: srflx addr: 82.19.197.210:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4327 Searching for rtp candidate.
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4336 Choose rtp candidate, index 0, b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4102 sofia/internal/[email protected] choosing family v4
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4347 Choose same candidate, index 0, for rtcp based on rtcp-mux attribute b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4399 setting remote audio ice addr to index 0 b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696 based on candidate
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4434 Setting remote rtcp audio addr to b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696 based on candidate
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:5851 Set telephone-event payload to 126@8000
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:5909 sofia/internal/[email protected] Set 2833 dtmf send payload to 126 recv payload to 126
The simplest way to test this is using the acl command from Freeswitch:
acl 192.168.0.1 wan.auto
false
acl 8.8.8.8 wan.auto
true
acl b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local wan.auto
true
I would expect the final test to return false - which would also correct the ICE candidate selection.
Any solution to this issue?
The built-in ACL wan.auto checks whether the IP is NOT a private IP; if it is not, it returns TRUE. You may try a workaround by defining a custom ACL and assigning it in the verto configuration file.
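The following is an added example, not FreeSWITCH's own code, that models the two things discussed in this thread: the report's point that an "allow unless private" check passes an mDNS .local name because a hostname never matches a private range, and the suggested workaround of a custom ACL list whose default is deny, so that an address that cannot be checked falls through to deny. It parses the candidate line quoted above and a srflx candidate constructed from the address and port in the quoted log; "first matching node wins" and "first passing candidate in SDP order" are simplifying assumptions of this model, not statements about how FreeSWITCH orders its ACL nodes or ranks candidates.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple, Union

# Constructed sample input: the host candidate quoted in the report, plus a srflx
# candidate assembled from the 82.19.197.210:55696 shown in the quoted log lines.
SDP_CANDIDATES = [
    "a=candidate:2492242602 1 udp 2113937151 "
    "b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local 55696 typ host generation 0 network-cost 999",
    "a=candidate:842163049 1 udp 1686052607 "
    "82.19.197.210 55696 typ srflx raddr 0.0.0.0 rport 0 generation 0 network-cost 999",
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip(address: str) -> Optional[IPAddr]:
    """Return an address object for an IP literal, None for anything else (e.g. an mDNS .local name)."""
    try:
        return ipaddress.ip_address(address)
    except ValueError:
        return None


def is_private(ip: IPAddr) -> bool:
    return any(ip in net for net in PRIVATE_NETS)


def wan_auto_as_reported(address: str) -> bool:
    """'Allow unless private', as the reply describes wan.auto: a non-literal name
    matches no private range, so it is allowed. This reproduces the report's third test."""
    ip = parse_ip(address)
    return ip is None or not is_private(ip)


def wan_auto_expected(address: str) -> bool:
    """What the reporter expects instead: an address that cannot be parsed fails the ACL."""
    ip = parse_ip(address)
    return ip is not None and not is_private(ip)


def acl_list(default: str, nodes: List[Tuple[str, str]]) -> Callable[[str], bool]:
    """Build a checker from a custom list in the shape of FreeSWITCH's ACL config:
    a default of 'allow' or 'deny' plus ordered (type, cidr) nodes. In this model the
    first matching node wins (assumption). A non-literal matches no node and falls
    through to the default, which is why default='deny' rejects mDNS names."""
    parsed = [(kind, ipaddress.ip_network(cidr)) for kind, cidr in nodes]

    def check(address: str) -> bool:
        ip = parse_ip(address)
        if ip is not None:
            for kind, net in parsed:
                if ip in net:
                    return kind == "allow"
        return default == "allow"
    return check


# Hypothetical custom ACL for the workaround: deny by default, deny RFC 1918, allow everything else.
WORKAROUND_ACL = acl_list("deny", [
    ("deny", "10.0.0.0/8"), ("deny", "172.16.0.0/12"), ("deny", "192.168.0.0/16"),
    ("allow", "0.0.0.0/0"),
])

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<proto>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<typ>\S+)")


def parse_candidate(line: str) -> Optional[dict]:
    """Parse the fixed leading fields of an SDP ICE candidate line (RFC 5245 syntax)."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    for key in ("component", "priority", "port"):
        c[key] = int(c[key])
    return c


def choose_rtp_candidate(lines: List[str], acl: Callable[[str], bool]) -> Optional[dict]:
    """First component-1 UDP candidate whose address passes the ACL, in SDP order
    (the quoted log picks index 0; priority-based ranking is not modelled here)."""
    for c in filter(None, map(parse_candidate, lines)):
        if c["component"] == 1 and c["proto"].lower() == "udp" and acl(c["addr"]):
            return c
    return None


if __name__ == "__main__":
    for addr in ("192.168.0.1", "8.8.8.8", "b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local"):
        print(f"{addr:45} reported={wan_auto_as_reported(addr)!s:5} "
              f"expected={wan_auto_expected(addr)!s:5} workaround={WORKAROUND_ACL(addr)}")
    for name, acl in (("as reported", wan_auto_as_reported), ("workaround", WORKAROUND_ACL)):
        chosen = choose_rtp_candidate(SDP_CANDIDATES, acl)
        print(f"{name}: chose {chosen['typ']} {chosen['addr']}:{chosen['port']}")
```

With the reported behaviour the .local host candidate is selected, matching the "Choose rtp candidate, index 0" log line; with either the stricter check or the deny-by-default custom list it is skipped and selection falls to the srflx candidate 82.19.197.210.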