
ACL on incorrect IP address results in incorrect test on ACL

Open tinpotnick opened this issue 4 years ago • 2 comments

This problem has shown itself on WebRTC. WebRTC is moving to hide local IP addresses with mDNS hostnames. For example:

a=candidate:2492242602 1 udp 2113937151 b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local 55693 typ host generation 0 network-cost 999

Is a valid ICE candidate coming from CEF (Chrome) hiding the true IPv4 local network (ref https://bloggeek.me/psa-mdns-and-local-ice-candidates-are-coming/).

Freeswitch is selecting this candidate incorrectly:

2020-06-17 17:46:48.077046 [WARNING] switch_core_media.c:4252 NO candidate ACL defined, Defaulting to wan.auto
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: host addr: b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4282 Save audio Candidate cid: 1 proto: udp type: srflx addr: 82.19.197.210:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4327 Searching for rtp candidate.
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4336 Choose rtp candidate, index 0, b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4102 sofia/internal/[email protected] choosing family v4
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4347 Choose same candidate, index 0, for rtcp based on rtcp-mux attribute b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4399 setting remote audio ice addr to index 0 b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696 based on candidate
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:4434 Setting remote rtcp audio addr to b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local:55696 based on candidate
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:5851 Set telephone-event payload to 126@8000
2020-06-17 17:46:48.077046 [DEBUG] switch_core_media.c:5909 sofia/internal/[email protected] Set 2833 dtmf send payload to 126 recv payload to 126

The simplest way to test this is using the acl command from Freeswitch:

acl 192.168.0.1 wan.auto
false

acl 8.8.8.8 wan.auto
true

acl b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local wan.auto
true

I would expect the final test to return false - which would also correct the ICE candidate selection.

tinpotnick avatar Jun 17 '20 17:06 tinpotnick
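
The result the issue asks for, sketched as an added example that is not part of the thread and not FreeSWITCH code: a "deny private, allow the rest" check that fails closed when the candidate address is not an IP literal. The function names and the range list are assumptions made for illustration, and the sketch covers IPv4 only.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a "deny private, allow the rest" list
 * (RFC 1918 ranges only); not the actual wan.auto definition. */
struct cidr { const char *net; int bits; };
static const struct cidr private_nets[] = {
    {"10.0.0.0", 8}, {"172.16.0.0", 12}, {"192.168.0.0", 16},
};

static int in_cidr(uint32_t ip, const struct cidr *c)
{
    struct in_addr n;
    inet_pton(AF_INET, c->net, &n);
    uint32_t mask = 0xFFFFFFFFu << (32 - c->bits);
    return (ip & mask) == (ntohl(n.s_addr) & mask);
}

/* 1 = allowed, 0 = denied. Anything that is not an IPv4 literal (e.g. an
 * mDNS "<uuid>.local" name) is denied before the default-allow branch. */
int wan_acl_check(const char *addr)
{
    struct in_addr a;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return 0; /* fail closed: not an address */
    for (size_t i = 0; i < sizeof private_nets / sizeof *private_nets; i++)
        if (in_cidr(ntohl(a.s_addr), &private_nets[i]))
            return 0;
    return 1;
}

/* Pull the connection-address (5th field) out of an a=candidate line and
 * check it; -1 means the line did not parse. */
int candidate_passes_acl(const char *sdp_line)
{
    char addr[256];
    if (sscanf(sdp_line, "a=candidate:%*s %*s %*s %*s %255s", addr) != 1)
        return -1;
    return wan_acl_check(addr);
}

int main(void)
{
    const char *in[] = {"192.168.0.1", "8.8.8.8",
                        "b8c27db8-0cb1-4252-ba37-dc32d0ac1dce.local"};
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", in[i], wan_acl_check(in[i]) ? "true" : "false");
    return 0;
}
```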

Any solution to this issue?

ROBERT-MCDOWELL avatar May 16 '22 18:05 ROBERT-MCDOWELL

The built-in ACL wan.auto checks whether the IP is NOT a private IP; if it is not, it returns TRUE. You may try a workaround by defining a custom ACL and assigning that in the verto configuration file.

hnimminh avatar Jul 17 '22 16:07 hnimminh